Abstract
We want assurances that sensitive information will not be disclosed when aggregate data derived from a database is published. Differential privacy offers a strong statistical guarantee that the effect of the presence of any individual in a database will be negligible, even when an adversary has auxiliary knowledge. Much of the prior work in this area consists of proving algorithms to be differentially private one at a time; we propose to streamline this process with a functional language whose type system automatically guarantees differential privacy, allowing the programmer to write complex privacy-safe query programs in a flexible and compositional way.
The key novelty is the way our type system captures function sensitivity, a measure of how much a function can magnify the distance between similar inputs: well-typed programs not only can't go wrong, they can't go too far on nearby inputs. Moreover, by introducing a monad for random computations, we can show that the established definition of differential privacy falls out naturally as a special case of this soundness principle. We develop examples including known differentially private algorithms, privacy-aware variants of standard functional programming idioms, and compositionality principles for differential privacy.
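The abstract describes the core idea at a high level: a k-sensitive function may stretch the distance between two inputs by at most a factor k, sensitivities multiply under composition, and differential privacy appears when Laplace noise is scaled to the sensitivity bound. The following Python program is an added illustration of that chain of reasoning; it is not the paper's calculus or an implementation of it. The `Sensitive` wrapper, the `hamming_distance` metric on databases, and the sample databases `D1`/`D2` are assumptions introduced here (the wrapper stands in for the paper's sensitivity-indexed types, with the bound carried as a runtime value instead of being checked by a type system).

```python
"""Function sensitivity, its composition, and epsilon-differential privacy
via the Laplace mechanism.  Added illustration, not the paper's own code.
`Sensitive` is a stand-in for a sensitivity-indexed type: the bound k is
carried as a value and only spot-checked, where the paper's type system
would prove it for all inputs."""
import math
import random
from collections import Counter
from dataclasses import dataclass
from typing import Callable, List, Sequence

Database = List[float]  # one record (a real number) per individual; constructed data


def hamming_distance(d1: Database, d2: Database) -> int:
    """Records that must be added or removed to turn d1 into d2
    (multiset symmetric difference).  Adjacent databases are at distance 1."""
    c1, c2 = Counter(d1), Counter(d2)
    return sum((c1 - c2).values()) + sum((c2 - c1).values())


@dataclass(frozen=True)
class Sensitive:
    """A function with a claimed sensitivity bound k:
    |fn(x) - fn(y)| <= k * dist(x, y) for all inputs x, y."""
    fn: Callable
    sensitivity: float

    def __call__(self, x):
        return self.fn(x)

    def then(self, g: "Sensitive") -> "Sensitive":
        """Run g after self.  Bounds multiply: self stretches distance by at
        most k, then g stretches the result by at most k'."""
        return Sensitive(lambda x: g.fn(self.fn(x)), self.sensitivity * g.sensitivity)


# Building blocks: databases under the hamming metric, reals under |x - y|.
count = Sensitive(len, 1.0)  # adding or removing one record moves the count by 1


def clipped_sum(bound: float) -> Sensitive:
    """Sum of records clipped into [0, bound]; one record moves it by at most bound."""
    return Sensitive(lambda d: sum(min(max(x, 0.0), bound) for x in d), bound)


def scale(c: float) -> Sensitive:
    """Multiply a real by c, which stretches distance by |c|."""
    return Sensitive(lambda x: c * x, abs(c))


def check_sensitivity(f: Sensitive, pairs: Sequence[tuple]) -> bool:
    """Spot-check the claimed bound on concrete input pairs (evidence, not proof)."""
    return all(abs(f(a) - f(b)) <= f.sensitivity * hamming_distance(a, b) + 1e-9
               for a, b in pairs)


def laplace_mechanism(f: Sensitive, epsilon: float) -> Callable[[Database], float]:
    """Release f(d) plus Laplace noise of scale k / epsilon.  If f really is
    k-sensitive, the release is epsilon-differentially private."""
    b = f.sensitivity / epsilon

    def release(d: Database, rng=random) -> float:
        # Laplace(0, b) equals the difference of two independent Exponential(1/b) draws.
        return f(d) + rng.expovariate(1.0 / b) - rng.expovariate(1.0 / b)

    return release


def laplace_log_pdf(y: float, mu: float, b: float) -> float:
    return -abs(y - mu) / b - math.log(2 * b)


def max_privacy_loss(f: Sensitive, epsilon: float, d1: Database, d2: Database,
                     points: int = 2001) -> float:
    """Largest |log p(y | d1) - log p(y | d2)| of the noisy release, over a grid
    of outputs y.  epsilon-DP needs this <= epsilon for adjacent d1, d2; by the
    triangle inequality it equals |f(d1) - f(d2)| * epsilon / k, so a wrong
    sensitivity label k shows up immediately as a violated bound."""
    b = f.sensitivity / epsilon
    mu1, mu2 = f(d1), f(d2)
    lo, hi = min(mu1, mu2) - 10 * b, max(mu1, mu2) + 10 * b
    grid = (lo + (hi - lo) * i / (points - 1) for i in range(points))
    return max(abs(laplace_log_pdf(y, mu1, b) - laplace_log_pdf(y, mu2, b)) for y in grid)


# Constructed sample databases: D2 is D1 plus one individual's record.
D1 = [3.0, 7.5, 12.0, 0.5]
D2 = D1 + [9.0]
EPSILON = 0.5

# Correctly labelled pipeline: clip to [0, 10], sum, halve -> sensitivity 10 * 0.5 = 5.
HALF_CLIPPED_SUM = clipped_sum(10.0).then(scale(0.5))
# Same function with a wrong sensitivity label; the noise is then far too small.
MISLABELED = Sensitive(HALF_CLIPPED_SUM.fn, 1.0)

if __name__ == "__main__":
    print("distance(D1, D2)            =", hamming_distance(D1, D2))
    print("composed sensitivity        =", HALF_CLIPPED_SUM.sensitivity)
    print("bound holds on sample pair  =", check_sensitivity(HALF_CLIPPED_SUM, [(D1, D2)]))
    print("privacy loss, correct label =", round(max_privacy_loss(HALF_CLIPPED_SUM, EPSILON, D1, D2), 4))
    print("privacy loss, wrong label   =", round(max_privacy_loss(MISLABELED, EPSILON, D1, D2), 4))
    print("one noisy release           =", round(laplace_mechanism(HALF_CLIPPED_SUM, EPSILON)(D1), 3))
```

The `MISLABELED` case is the point of the exercise: the function is unchanged, only its claimed sensitivity is wrong, and the privacy loss of the release jumps from 0.45 (within the 0.5 budget) to 2.25. A type system that derives the bound from the program, as the abstract proposes, rules this class of mistake out, whereas per-algorithm proofs or a runtime label depend on the programmer getting it right.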
Distance makes the types grow stronger: a calculus for differential privacy
ICFP '10: Proceedings of the 15th ACM SIGPLAN international conference on Functional programming