DOI: 10.1145/3658644.3670281
research-article
Open access

Elephants Do Not Forget: Differential Privacy with State Continuity for Privacy Budget

Published: 09 December 2024

Abstract

Current implementations of differentially-private (DP) systems either lack support to track the global privacy budget consumed on a dataset, or fail to faithfully maintain the state continuity of this budget. We show that failure to maintain a privacy budget enables an adversary to mount replay, rollback and fork attacks, obtaining answers to many more queries than a secure system would allow. As a result, the attacker can reconstruct secret data that DP aims to protect, even if the DP code runs in a Trusted Execution Environment (TEE). We propose ElephantDP, a system that aims to provide the same guarantees as a trusted curator in the global DP model would, albeit set in an untrusted environment. Our system relies on a state continuity module to protect the privacy budget and a TEE to faithfully execute DP code and update the budget. To provide security, our protocol makes several design choices, including the content of the persistent state and the order between budget updates and query answers. We prove that ElephantDP provides liveness (i.e., the protocol can restart from a correct state and respond to queries as long as the budget is not exceeded) and DP confidentiality (i.e., an attacker learns about a dataset as much as it would from interacting with a trusted curator). Our implementation and evaluation of the protocol use Intel SGX as a TEE to run the DP code and a network of TEEs to maintain state continuity. Compared to an insecure baseline, we observe 1.1–3.2× overheads and lower relative overheads for complex DP queries.
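
As an added illustration (not the paper's protocol or code), the sketch below shows the rollback/replay failure mode the abstract describes and one mitigation: binding the sealed budget to a trusted monotonic counter and committing the spend before the answer is computed. `Curator`, `MonotonicCounter`, `answers_released`, the HMAC sealing and the commit-first ordering are assumptions made for this example.

```python
# Added illustration; every name here is hypothetical, not ElephantDP's API.
import hashlib, hmac, json, random

class MonotonicCounter:  # trusted, never decreases (stand-in for a state continuity module)
    def __init__(self):
        self.value = 0
    def increment(self):
        self.value += 1
        return self.value

class Curator:
    """Answers noisy counts; the budget state lives in `blob`, which the host controls."""
    def __init__(self, data, total_eps, key, counter=None):
        self.data, self.key, self.counter = data, key, counter
        self.blob = self._seal(total_eps, counter.value if counter else 0)
    def _seal(self, remaining, version):
        body = json.dumps({"remaining": remaining, "version": version}).encode()
        return body + hmac.new(self.key, body, hashlib.sha256).digest()
    def _unseal(self):
        body, tag = self.blob[:-32], self.blob[-32:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            raise RuntimeError("budget state failed authentication")
        state = json.loads(body)
        # A MAC alone cannot tell fresh state from an old, validly sealed copy.
        if self.counter is not None and state["version"] != self.counter.value:
            raise RuntimeError("stale budget state: rollback or replay")
        return state
    def noisy_count(self, eps):
        state = self._unseal()
        if eps > state["remaining"]:
            raise PermissionError("privacy budget exhausted")
        # Commit first (assumed ordering): a crash wastes budget, never leaks an uncharged answer.
        version = self.counter.increment() if self.counter else 0
        self.blob = self._seal(state["remaining"] - eps, version)
        # Laplace(1/eps) noise for a sensitivity-1 count; illustrative sampler only.
        return len(self.data) + random.expovariate(eps) - random.expovariate(eps)

def answers_released(curator, eps, attempts, restore_snapshot):
    """Count answers obtained when the host optionally restores the initial blob."""
    snapshot, released = curator.blob, 0
    for _ in range(attempts):
        curator.blob = snapshot if restore_snapshot else curator.blob  # host-controlled storage
        try:
            curator.noisy_count(eps)
            released += 1
        except (PermissionError, RuntimeError):
            pass
    return released
```

With a total budget of 1.0 and 0.5 spent per query, the curator without a counter releases every requested answer once the host keeps restoring the old blob, while the counter-bound curator releases one answer and then rejects the stale state.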

Published In

CCS '24: Proceedings of the 2024 on ACM SIGSAC Conference on Computer and Communications Security
December 2024
5188 pages
ISBN: 9798400706363
DOI: 10.1145/3658644
This work is licensed under a Creative Commons Attribution-NoDerivatives International 4.0 License.

Publisher

Association for Computing Machinery
New York, NY, United States

Author Tags

1. differential privacy
2. state continuity
3. trusted execution environment

Acceptance Rates

Overall Acceptance Rate 1,261 of 6,999 submissions, 18%