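- Introduction: Current implementations of differentially private (DP) systems either lack support for tracking the global privacy budget consumed on a dataset, or fail to faithfully maintain the state continuity of that budget. We show that failure to maintain the privacy budget enables an adversary to mount replay, rollback and fork attacks, obtaining answers to many more queries than a secure system would allow. As a result, the attacker can reconstruct the secret data that DP aims to protect, even if the DP code runs in a Trusted Execution Environment (TEE). We propose ElephantDP, a system that aims to provide the same guarantees as a trusted curator in the global DP model would, albeit set in an untrusted environment. Our system relies on a state continuity module to protect the privacy budget and on a TEE to faithfully execute DP code and update the budget. To provide security, our protocol makes several design choices, including the content of the persistent state and the order between the budget update and the query answer. We prove that ElephantDP provides liveness (i.e., as long as the budget has not been exceeded, the protocol can restart from a correct state and respond to queries) and DP confidentiality (i.e., the attacker learns about the dataset as much as it would from interacting with a trusted curator). Our implementation and evaluation of the protocol use Intel SGX as the TEE to run the DP code and a network of TEEs to maintain state continuity. Compared to an insecure baseline, we observe overheads of only 1.1-2x, with lower relative overheads for larger datasets and complex DP queries.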
- Problem addressed: ElephantDP: A Stateful and Scalable Differential Privacy Framework for Distributed Data Processing
- Key idea: The key idea of the paper is to provide a stateful and scalable differential privacy framework for distributed data processing that maintains the privacy budget and prevents replay, rollback, and fork attacks, even in an untrusted environment.
- Other highlights: The paper proposes ElephantDP, a system that aims to provide the same guarantees as a trusted curator in the global DP model would, albeit set in an untrusted environment. The system relies on a state continuity module to provide protection for the privacy budget and a TEE to faithfully execute DP code and update the budget. The protocol provides liveness and DP confidentiality. The implementation and evaluation of the protocol use Intel SGX as a TEE to run the DP code and a network of TEEs to maintain state continuity. The overheads are only 1.1-2x compared to an insecure baseline and lower for larger datasets and complex DP queries.
- Related work includes other differential privacy frameworks such as DP-SGD, TensorFlow Privacy, and DP-Oracle. Other relevant papers include 'The Algorithmic Foundations of Differential Privacy', 'Differential Privacy: A Survey of Results', and 'Differential Privacy: From Theory to Practice'.
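
The rollback problem and the "budget update before query answer" ordering described in the abstract can be illustrated with a toy model. This is an added example, not ElephantDP's protocol or code: `MonotonicCounter` is a hypothetical stand-in for the state continuity module, `SEAL_KEY` stands in for a TEE sealing key, and crash recovery (liveness) is left out.

```python
import hashlib, hmac, json, random

SEAL_KEY = b"constructed-demo-key"  # assumption: stands in for a TEE sealing key

class MonotonicCounter:
    """Hypothetical state-continuity module: its value can only increase."""
    def __init__(self):
        self.value = 0
    def increment(self):
        self.value += 1
        return self.value

def seal(state):
    blob = json.dumps(state, sort_keys=True).encode()
    return blob, hmac.new(SEAL_KEY, blob, hashlib.sha256).digest()

def unseal(sealed, counter):
    blob, tag = sealed
    expected = hmac.new(SEAL_KEY, blob, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("sealed state was modified")
    state = json.loads(blob)
    if state["version"] != counter.value:  # an old snapshot was replayed
        raise ValueError("stale state: rollback or fork detected")
    return state

def laplace(scale, rng):
    # The difference of two exponentials with mean `scale` is Laplace(0, scale).
    return rng.expovariate(1 / scale) - rng.expovariate(1 / scale)

def answer_count(sealed, counter, data, epsilon, rng):
    """Answer a sensitivity-1 counting query; returns (noisy_count, new_sealed)."""
    state = unseal(sealed, counter)
    if epsilon <= 0 or epsilon > state["remaining"]:
        raise PermissionError("privacy budget exhausted")
    # Commit the reduced budget before any answer is computed or released.
    new_state = {"remaining": state["remaining"] - epsilon,
                 "version": counter.increment()}
    new_sealed = seal(new_state)
    return sum(data) + laplace(1 / epsilon, rng), new_sealed

def demo():
    counter, rng, data = MonotonicCounter(), random.Random(7), [1, 0, 1, 1]
    s0 = seal({"remaining": 1.0, "version": 0})  # constructed initial state
    _, s1 = answer_count(s0, counter, data, 0.5, rng)
    try:
        answer_count(s0, counter, data, 0.5, rng)  # host hands back old state
    except ValueError as err:
        return str(err), unseal(s1, counter)["remaining"]
```

Without the counter check in `unseal`, the second call with `s0` would succeed and the same budget could be spent indefinitely, which is the replay/rollback failure the abstract describes.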