research-article

Probabilistic relational reasoning for differential privacy

Authors:

Federico Olmedo,

Santiago Zanella BéguelinAuthors Info & Claims

ACM SIGPLAN Notices, Volume 47, Issue 1

Pages 97 - 110

https://doi.org/10.1145/2103621.2103670

Published: 25 January 2012 Publication History

Abstract

Differential privacy is a notion of confidentiality that protects the privacy of individuals while allowing useful computations on their private data. Deriving differential privacy guarantees for real programs is a difficult and error-prone task that calls for principled approaches and tool support. Approaches based on linear types and static analysis have recently emerged; however, an increasing number of programs achieve privacy using techniques that cannot be analyzed by these approaches. Examples include programs that aim for weaker, approximate differential privacy guarantees, programs that use the Exponential mechanism, and randomized programs that achieve differential privacy without using any standard mechanism. Providing support for reasoning about the privacy of such programs has been an open problem.

We report on CertiPriv, a machine-checked framework for reasoning about differential privacy built on top of the Coq proof assistant. The central component of CertiPriv is a quantitative extension of a probabilistic relational Hoare logic that enables one to derive differential privacy guarantees for programs from first principles. We demonstrate the expressiveness of CertiPriv using a number of examples whose formal analysis is out of the reach of previous techniques. In particular, we provide the first machine-checked proofs of correctness of the Laplacian and Exponential mechanisms and of the privacy of randomized and streaming algorithms from the recent literature.

Supplementary Material

JPG File (popl_2a_2.jpg)

Download
21.60 KB

MP4 File (popl_2a_2.mp4)

Download
227.23 MB

References

[1]

P. Audebaud and C. Paulin-Mohring. Proofs of randomized algorithms in Coq. Sci. Comput. Program., 74 (8): 568--589, 2009.

Digital Library

[2]

G. Barthe and B. Köpf. Information-theoretic bounds for differentially private mechanisms. In 24rd IEEE Computer Security Foundations Symposium, CSF 2011, pages 191--204, Los Alamitos, 2011. IEEE Computer Society.

Digital Library

[3]

G. Barthe, B. Grégoire, and S. Zanella Béguelin. Formal certification of code-based cryptographic proofs. In 36th ACM SIGPLAN-SIGACT symposium on Principles of Programming Languages, POPL 2009, pages 90--101, New York, 2009. ACM.

Digital Library

[4]

G. Barthe, B. Grégoire, S. Heraud, and S. Zanella Béguelin. Computer-aided security proofs for the working cryptographer. In Advances in Cryptology -- CRYPTO 2011, volume 6841 of Lecture Notes in Computer Science, pages 71--90, Heidelberg, 2011. Springer.

Digital Library

[5]

A. Beimel, K. Nissim, and E. Omri. Distributed private data analysis: Simultaneously solving how and what. In Advances in Cryptology -- CRYPTO 2008, volume 5157 of Lecture Notes in Computer Science, pages 451--468, Heidelberg, 2008. Springer.

Digital Library

[6]

M. Bellare and P. Rogaway. The security of triple encryption and a framework for code-based game-playing proofs. In Advances in Cryptology -- EUROCRYPT 2006, volume 4004 of Lecture Notes in Computer Science, pages 409--426, Heidelberg, 2006. Springer.

Digital Library

[7]

N. Benton. Simple relational correctness proofs for static analyses and program transformations. In 31st ACM SIGPLAN-SIGACT symposium on Principles of Programming Languages, POPL 2004, pages 14--25, New York, 2004. ACM.

Digital Library

[8]

T.-H. H. Chan, E. Shi, and D. Song. Private and continual release of statistics. In 37th International colloquium on Automata, Languages and Programming, ICALP 2010, volume 6199 of Lecture Notes in Computer Science, pages 405--417, Heidelberg, 2010. Springer.

Digital Library

[9]

S. Chaudhuri, S. Gulwani, R. Lublinerman, and S. Navidpour. Proving programs robust. In 8th joint meeting of the European Software Engineering Conference and the ACM SIGSOFT International Symposium on Foundations of Software Engineering, ESEC/FSE '11. ACM, 2011.

Digital Library

[10]

D. Clark, S. Hunt, and P. Malacaria. A static analysis for quantifying information flow in a simple imperative language. Journal of Computer Security, 15 (3): 321--371, 2007.

Digital Library

[11]

M. R. Clarkson and F. B. Schneider. Hyperproperties. Journal of Computer Security, 18 (6): 1157--1210, 2010.

Digital Library

[12]

J. Desharnais, F. Laviolette, and M. Tracol. Approximate analysis of probabilistic processes: Logic, simulation and games. In 5th International Conference on Quantitative Evaluation of Systems, QEST 2008, pages 264--273. IEEE Computer Society, 2008.

Digital Library

[13]

C. Dwork. Differential privacy. In 33rd International Colloquium on Automata, Languages and Programming, ICALP 2006, volume 4052 of Lecture Notes in Computer Science, pages 1--12, Heidelberg, 2006. Springer.

Digital Library

[14]

C. Dwork. Differential privacy: A survey of results. In Theory and Applications of Models of Computation, volume 4978 of Lecture Notes in Computer Science, pages 1--19, Heidelberg, 2008. Springer.

Digital Library

[15]

C. Dwork. A firm foundation for private data analysis. Commun. ACM, 54 (1): 86--95, January 2011.

Digital Library

[16]

C. Dwork, K. Kenthapadi, F. McSherry, I. Mironov, and M. Naor. Our data, ourselves: Privacy via distributed noise generation. In Advances in Cryptology -- EUROCRYPT 2006, volume 4004 of Lecture Notes in Computer Science, pages 486--503, Heidelberg, 2006. Springer.

Digital Library

[17]

C. Dwork, F. McSherry, K. Nissim, and A. Smith. Calibrating noise to sensitivity in private data analysis. In 3rd Theory of Cryptography Conference, TCC 2006, volume 3876 of Lecture Notes in Computer Science, pages 265--284, Heidelberg, 2006. Springer.

Digital Library

[18]

A. Gupta, K. Ligett, F. McSherry, A. Roth, and K. Talwar. Differentially private combinatorial optimization. In 21st Annual ACM-SIAM Symposium on Discrete Algorithms, SODA 2010, pages 1106--1125. SIAM, 2010.

Digital Library

[19]

J. Hurd, A. McIver, and C. Morgan. Probabilistic guarded commands mechanized in HOL. Theor. Comput. Sci., 346 (1): 96--112, 2005.

Digital Library

[20]

B. Jonsson, W. Yi, and K. G. Larsen. Probabilistic extensions of process algebras. In J. Bergstra, A. Ponse, and S. Smolka, editors, Handbook of Process Algebra, pages 685--710. Elsevier, Amsterdam, 2001.

[21]

S. P. Kasiviswanathan and A. Smith. A note on differential privacy: Defining resistance to arbitrary side information. Cryptology ePrint Archive, Report 2008/144, 2008.

[22]

D. Kifer and A. Machanavajjhala. No free lunch in data privacy. In ph2011 International conference on Management of Data, SIGMOD '11, pages 193--204. ACM Press, 2011.

Digital Library

[23]

F. McSherry and K. Talwar. Mechanism design via differential privacy. In 48th Annual IEEE Symposium on Foundations of Computer Science, FOCS 2007, pages 94--103, Washington, 2007. IEEE Computer Society.

Digital Library

[24]

F. D. McSherry. Privacy integrated queries: an extensible platform for privacy-preserving data analysis. In 35th SIGMOD international conference on Management of Data, SIGMOD 2009, pages 19--30, New York, 2009. ACM.

Digital Library

[25]

I. Mironov, O. Pandey, O. Reingold, and S. Vadhan. Computational differential privacy. In Advances in Cryptology -- CRYPTO 2009, volume 5677 of Lecture Notes in Computer Science, pages 126--142, Heidelberg, 2009. Springer.

Digital Library

[26]

A. D. Pierro, C. Hankin, and H. Wiklicky. Approximate non-interference. Journal of Computer Security, 12 (1): 37--82, 2004.

Digital Library

[27]

L. Pitt. A simple probabilistic approximation algorithm for vertex cover. Technical Report TR-404, Yale University, 1985.

[28]

N. Ramsey and A. Pfeffer. Stochastic lambda calculus and monads of probability distributions. In 29th ACM SIGPLAN-SIGACT symposium on Principles of Programming Languages, POPL 2002, pages 154--165, New York, 2002. ACM.

Digital Library

[29]

J. Reed and B. C. Pierce. Distance makes the types grow stronger: a calculus for differential privacy. In 15th ACM SIGPLAN international conference on Functional programming, ICFP 2010, pages 157--168, New York, 2010. ACM.

Digital Library

[30]

I. Roy, S. T. V. Setty, A. Kilzer, V. Shmatikov, and E. Witchel. Airavat: security and privacy for MapReduce. In 7th USENIX conference on Networked Systems Design and Implementation, NSDI 2010, pages 297--312, Berkeley, 2010. USENIX Association.

Digital Library

[31]

A. Sabelfeld and D. Sands. Probabilistic noninterference for multi-threaded programs. In 13th IEEE workshop on Computer Security Foundations, CSFW 2000, pages 200--215, Los Alamitos, 2000. IEEE Computer Society.

Digital Library

[32]

R. Segala and A. Turrini. Approximated computationally bounded simulation relations for probabilistic automata. In 20th IEEE Computer Security Foundations symposium, CSF 2007, pages 140--156, 2007.

Digital Library

[33]

T. Terauchi and A. Aiken. Secure information flow as a safety problem. In 12th International Symposium on Static Analysis, SAS 2005, volume 3672 of Lecture Notes in Computer Science, pages 352--367, Heidelberg, 2005. Springer.

Digital Library

[34]

The Coq development team. The Coq Proof Assistant Reference Manual Version 8.3. Online -- http://coq.inria.fr, 2010.

[35]

M. C. Tschantz, D. Kaynar, and A. Datta. Formal verification of differential privacy for interactive systems. Electronic Notes in Theoretical Computer Science, 276: 61--79, 2011.

Digital Library

Cited By

Pillutla KAndrew GKairouz PMcMahan HOprea AOh SOh ANaumann TGloberson ASaenko KHardt MLevine S(2023)Unleashing the power of randomization in auditing differentially private MLProceedings of the 37th International Conference on Neural Information Processing Systems10.5555/3666122.3669012(66201-66238)Online publication date: 10-Dec-2023
https://dl.acm.org/doi/10.5555/3666122.3669012
Liu DWang BFu CZhang L(2023)Model checking differentially private propertiesTheoretical Computer Science10.1016/j.tcs.2022.10.002943(153-170)Online publication date: Jan-2023
https://doi.org/10.1016/j.tcs.2022.10.002
Bun MGaboardi MGlinskih L(2022)The Complexity of Verifying Boolean Programs as Differentially Private2022 IEEE 35th Computer Security Foundations Symposium (CSF)10.1109/CSF54842.2022.9919653(396-411)Online publication date: Aug-2022
https://doi.org/10.1109/CSF54842.2022.9919653
Show More Cited By

Index Terms

Probabilistic relational reasoning for differential privacy
1. Software and its engineering
  1. Software notations and tools
    1. Formal language definitions
2. Theory of computation

Recommendations

Probabilistic Relational Reasoning for Differential Privacy

Differential privacy is a notion of confidentiality that allows useful computations on sensible data while protecting the privacy of individuals. Proving differential privacy is a difficult and error-prone task that calls for principled approaches and ...
Probabilistic relational reasoning for differential privacy
POPL '12: Proceedings of the 39th annual ACM SIGPLAN-SIGACT symposium on Principles of programming languages

Differential privacy is a notion of confidentiality that protects the privacy of individuals while allowing useful computations on their private data. Deriving differential privacy guarantees for real programs is a difficult and error-prone task that ...
Advanced Probabilistic Couplings for Differential Privacy
CCS '16: Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security

Differential privacy is a promising formal approach to data privacy, which provides a quantitative bound on the privacy cost of an algorithm that operates on sensitive information. Several tools have been developed for the formal verification of ...

Comments

Please enable JavaScript to view thecomments powered by Disqus.

Information & Contributors

Information

Published In

cover image ACM SIGPLAN Notices

ACM SIGPLAN Notices Volume 47, Issue 1

POPL '12

January 2012

569 pages

ISSN:0362-1340

EISSN:1558-1160

DOI:10.1145/2103621

Issue’s Table of Contents

POPL '12: Proceedings of the 39th annual ACM SIGPLAN-SIGACT symposium on Principles of programming languages
January 2012
602 pages
ISBN:9781450310833
DOI:10.1145/2103656
General Chair:
John Field
Google, USA
,
Program Chair:
Michael Hicks
University of Maryland, College Park, USA

Copyright © 2012 ACM.

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

Publisher

Association for Computing Machinery

New York, NY, United States

Publication History

Published: 25 January 2012

Published in SIGPLAN Volume 47, Issue 1

Check for updates

Author Tags

Qualifiers

Research-article

Contributors

Other Metrics

View Article Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

131
Total Citations
View Citations
1,025
Total Downloads

Downloads (Last 12 months)26
Downloads (Last 6 weeks)4

Reflects downloads up to 16 Nov 2024

Other Metrics

View Author Metrics

Citations

Cited By

Pillutla KAndrew GKairouz PMcMahan HOprea AOh SOh ANaumann TGloberson ASaenko KHardt MLevine S(2023)Unleashing the power of randomization in auditing differentially private MLProceedings of the 37th International Conference on Neural Information Processing Systems10.5555/3666122.3669012(66201-66238)Online publication date: 10-Dec-2023
https://dl.acm.org/doi/10.5555/3666122.3669012
Liu DWang BFu CZhang L(2023)Model checking differentially private propertiesTheoretical Computer Science10.1016/j.tcs.2022.10.002943(153-170)Online publication date: Jan-2023
https://doi.org/10.1016/j.tcs.2022.10.002
Bun MGaboardi MGlinskih L(2022)The Complexity of Verifying Boolean Programs as Differentially Private2022 IEEE 35th Computer Security Foundations Symposium (CSF)10.1109/CSF54842.2022.9919653(396-411)Online publication date: Aug-2022
https://doi.org/10.1109/CSF54842.2022.9919653
Niu BZhou ZChen YCao JLi F(2022)DP-Opt: Identify High Differential Privacy Violation by OptimizationWireless Algorithms, Systems, and Applications10.1007/978-3-031-19214-2_34(406-416)Online publication date: 17-Nov-2022
https://doi.org/10.1007/978-3-031-19214-2_34
Liu DWang BZhang L(2022)Verifying Pufferfish Privacy in Hidden Markov ModelsVerification, Model Checking, and Abstract Interpretation10.1007/978-3-030-94583-1_9(174-196)Online publication date: 16-Jan-2022
https://dl.acm.org/doi/10.1007/978-3-030-94583-1_9
Farina GChong SGaboardi M(2021)Coupled Relational Symbolic Execution for Differential PrivacyProgramming Languages and Systems10.1007/978-3-030-72019-3_8(207-233)Online publication date: 23-Mar-2021
https://doi.org/10.1007/978-3-030-72019-3_8
Gopinathan KSergey I(2020)Certifying Certainty and Uncertainty in Approximate Membership Query StructuresComputer Aided Verification10.1007/978-3-030-53291-8_16(279-303)Online publication date: 14-Jul-2020
https://doi.org/10.1007/978-3-030-53291-8_16
Liu XOh SWallach HLarochelle HBeygelzimer Ad'Alché-Buc FFox E(2019)Minimax optimal estimation of approximate differential privacy on neighboring databasesProceedings of the 33rd International Conference on Neural Information Processing Systems10.5555/3454287.3454504(2417-2428)Online publication date: 8-Dec-2019
https://dl.acm.org/doi/10.5555/3454287.3454504
Balle BBell JGascón ANissim K(2019)The Privacy Blanket of the Shuffle ModelAdvances in Cryptology – CRYPTO 201910.1007/978-3-030-26951-7_22(638-667)Online publication date: 1-Aug-2019
https://doi.org/10.1007/978-3-030-26951-7_22
GILBERT AMCMILLAN A(2018)Property Testing For Differential Privacy2018 56th Annual Allerton Conference on Communication, Control, and Computing (Allerton)10.1109/ALLERTON.2018.8636068(249-258)Online publication date: 2-Oct-2018
https://dl.acm.org/doi/10.1109/ALLERTON.2018.8636068
Show More Cited By

View Options

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Full Access

Get this Publication

View options

PDF

View or Download as a PDF file.

eReader

View online with eReader.

Media

Figures

Other

Tables

View Issue’s Table of Contents