TY - GEN
T1 - Comparing systems
T2 - 32nd IEEE Computer Security Foundations Symposium, CSF 2019
AU - Chatzikokolakis, Konstantinos
AU - Fernandes, Natasha
AU - Palamidessi, Catuscia
PY - 2019
Y1 - 2019
N2 - Quantitative Information Flow (QIF) and Differential Privacy (DP) are both concerned with the protection of sensitive information, but they are rather different approaches. In particular, QIF considers the expected probability of a successful attack, while DP (in both its standard and local versions) is a max-case measure, in the sense that it is compromised by the existence of a possible attack, regardless of its probability. Comparing systems is a fundamental task in these areas: one wishes to guarantee that replacing a system A by a system B is a safe operation, that is, the privacy of B is no worse than that of A. In QIF, a refinement order provides such strong guarantees, while in DP mechanisms are typically compared (w.r.t. privacy) based on the ϵ privacy parameter that they provide. In this paper we explore a variety of refinement orders, inspired by the one of QIF, providing precise guarantees for max-case leakage. We study simple structural ways of characterising them, the relation between them, efficient methods for verifying them and their lattice properties. Moreover, we apply these orders in the task of comparing DP mechanisms, raising the question of whether the order based on ϵ provides strong privacy guarantees. We show that, while it is often the case for mechanisms of the same 'family' (geometric, randomised response, etc.), it rarely holds across different families.
AB - Quantitative Information Flow (QIF) and Differential Privacy (DP) are both concerned with the protection of sensitive information, but they are rather different approaches. In particular, QIF considers the expected probability of a successful attack, while DP (in both its standard and local versions) is a max-case measure, in the sense that it is compromised by the existence of a possible attack, regardless of its probability. Comparing systems is a fundamental task in these areas: one wishes to guarantee that replacing a system A by a system B is a safe operation, that is, the privacy of B is no worse than that of A. In QIF, a refinement order provides such strong guarantees, while in DP mechanisms are typically compared (w.r.t. privacy) based on the ϵ privacy parameter that they provide. In this paper we explore a variety of refinement orders, inspired by the one of QIF, providing precise guarantees for max-case leakage. We study simple structural ways of characterising them, the relation between them, efficient methods for verifying them and their lattice properties. Moreover, we apply these orders in the task of comparing DP mechanisms, raising the question of whether the order based on ϵ provides strong privacy guarantees. We show that, while it is often the case for mechanisms of the same 'family' (geometric, randomised response, etc.), it rarely holds across different families.
KW - Differential privacy
KW - Quantitative information flow
UR - http://www.scopus.com/inward/record.url?scp=85072623375&partnerID=8YFLogxK
U2 - 10.1109/CSF.2019.00037
DO - 10.1109/CSF.2019.00037
M3 - Conference proceeding contribution
AN - SCOPUS:85072623375
T3 - Proceedings IEEE Computer Security Foundations Symposium
SP - 442
EP - 457
BT - Proceedings of 2019 IEEE 32nd Computer Security Foundations Symposium
PB - Institute of Electrical and Electronics Engineers (IEEE)
Y2 - 25 June 2019 through 28 June 2019
ER -