File Download
There are no files associated with this item.
Links for fulltext
(May Require Subscription)
- Publisher Website: 10.1007/978-3-031-30620-4_1
- Scopus: eid_2-s2.0-85161622844
Supplementary
-
Citations:
- Scopus: 0
- Appears in Collections:
Conference Paper: A Theory of Composition for Differential Obliviousness
| Title | A Theory of Composition for Differential Obliviousness |
|---|---|
| Authors | |
| Issue Date | 15-Apr-2023 |
| Publisher | Springer |
| Abstract | Differential obliviousness (DO) is a privacy notion which guarantees that the access patterns of a program satisfies differential privacy. Differential obliviousness was studied in a sequence of recent works as a relaxation of full obliviousness. Earlier works showed that DO not only allows us to circumvent the logarithmic-overhead barrier of fully oblivious algorithms, in many cases, it also allows us to achieve polynomial speedup over full obliviousness, since it avoids “padding to the worst-case” behavior of fully oblivious algorithms. Despite the promises of differential obliviousness (DO), a significant barrier that hinders its broad application is the lack of composability. In particular, when we apply one DO algorithm to the output of another DO algorithm, the composed algorithm may no longer be DO (with reasonable parameters). Specifically, the outputs of the first DO algorithm on two neighboring inputs may no longer be neighboring, and thus we cannot directly benefit from the DO guarantee of the second algorithm. In this work, we are the first to explore a theory of composition for differentially oblivious algorithms. We propose a refinement of the DO notion called (�,�)-neighbor-preserving-DO, or (�,�)-NPDO for short, and we prove that our new notion indeed provides nice compositional guarantees. In this way, the algorithm designer can easily track the privacy loss when composing multiple DO algorithms. We give several example applications to showcase the power and expressiveness of our new NPDO notion. One of these examples is a result of independent interest: we use the compositional framework to prove an optimal privacy amplification theorem for the differentially oblivious shuffle model. In other words, we show that for a class of distributed differentially private mechanisms in the shuffle-model, one can replace the perfectly secure shuffler with a DO shuffler, and nonetheless enjoy almost the same privacy amplification enabled by a shuffler. |
| Persistent Identifier | http://hdl.handle.net/10722/338123 |
| DC Field | Value | Language |
|---|---|---|
| dc.contributor.author | Zhou, M | - |
| dc.contributor.author | Shi, E | - |
| dc.contributor.author | Chan, TH | - |
| dc.contributor.author | Maimon, S | - |
| dc.date.accessioned | 2024-03-11T10:26:25Z | - |
| dc.date.available | 2024-03-11T10:26:25Z | - |
| dc.date.issued | 2023-04-15 | - |
| dc.identifier.uri | http://hdl.handle.net/10722/338123 | - |
| dc.description.abstract | <p>Differential obliviousness (DO) is a privacy notion which guarantees that the access patterns of a program satisfies differential privacy. Differential obliviousness was studied in a sequence of recent works as a relaxation of full obliviousness. Earlier works showed that DO not only allows us to circumvent the logarithmic-overhead barrier of fully oblivious algorithms, in many cases, it also allows us to achieve polynomial speedup over full obliviousness, since it avoids “padding to the worst-case” behavior of fully oblivious algorithms.</p><p>Despite the promises of differential obliviousness (DO), a significant barrier that hinders its broad application is the lack of composability. In particular, when we apply one DO algorithm to the output of another DO algorithm, the composed algorithm may no longer be DO (with reasonable parameters). Specifically, the outputs of the first DO algorithm on two neighboring inputs may no longer be neighboring, and thus we cannot directly benefit from the DO guarantee of the second algorithm.</p><p>In this work, we are the first to explore a theory of composition for differentially oblivious algorithms. We propose a refinement of the DO notion called (�,�)-neighbor-preserving-DO, or (�,�)-NPDO for short, and we prove that our new notion indeed provides nice compositional guarantees. In this way, the algorithm designer can easily track the privacy loss when composing multiple DO algorithms.</p><p>We give several example applications to showcase the power and expressiveness of our new NPDO notion. One of these examples is a result of independent interest: we use the compositional framework to prove an optimal privacy amplification theorem for the differentially oblivious shuffle model. In other words, we show that for a class of distributed differentially private mechanisms in the shuffle-model, one can replace the perfectly secure shuffler with a DO shuffler, and nonetheless enjoy almost the same privacy amplification enabled by a shuffler.</p> | - |
| dc.language | eng | - |
| dc.publisher | Springer | - |
| dc.relation.ispartof | EUROCRYPT 2023 (23/04/2023-27/04/2023, Lyon) | - |
| dc.title | A Theory of Composition for Differential Obliviousness | - |
| dc.type | Conference_Paper | - |
| dc.identifier.doi | 10.1007/978-3-031-30620-4_1 | - |
| dc.identifier.scopus | eid_2-s2.0-85161622844 | - |
| dc.identifier.volume | 14006 | - |
| dc.identifier.spage | 3 | - |
| dc.identifier.epage | 34 | - |