Differential Privacy with Imperfect Randomness
In this work we revisit the question of basing cryptography on imperfect randomness. Bosley and Dodis (TCC’07) showed that if a source of randomness R is “good enough” to generate a secret key capable of encrypting k bits, then one can deterministically extract nearly k almost uniform bits from R, suggesting that traditional privacy notions (namely, indistinguishability of encryption) require an “extractable” source of randomness. Other, even stronger impossibility results are known for achieving privacy under specific “non-extractable” sources of randomness, such as the γ-Santha-Vazirani (SV) source, where each next bit has fresh entropy, but is allowed to have a small bias γ < 1 (possibly depending on prior bits).
We ask whether similar negative results also hold for a more recent notion of privacy called differential privacy (Dwork et al., TCC’06), concentrating, in particular, on achieving differential privacy with the Santha-Vazirani source. We show that the answer is no. Specifically, we give a differentially private mechanism for approximating arbitrary “low sensitivity” functions that works even with randomness coming from a γ-Santha-Vazirani source, for any γ < 1. This provides a somewhat surprising “separation” between traditional privacy and differential privacy with respect to imperfect randomness.
Interestingly, the design of our mechanism is quite different from the traditional “additive-noise” mechanisms (e.g., Laplace mechanism) successfully utilized to achieve differential privacy with perfect randomness. Indeed, we show that any (non-trivial) “SV-robust” mechanism for our problem requires a demanding property called consistent sampling, which is strictly stronger than differential privacy, and cannot be satisfied by any additive-noise mechanism.
Engineering and Applied Science
Randomness Concerns When Deploying Differential Privacy
The U.S. Census Bureau is using differential privacy (DP) to protect confidential respondent data collected for the 2020 Decennial Census of Population & Housing. The Census Bureau's DP system is implemented in the Disclosure Avoidance System (DAS) and requires a source of random numbers. We estimate that the 2020 Census will require roughly 90TB of random bytes to protect the person and household tables. Although there are critical differences between cryptography and DP, they have similar requirements for randomness. We review the history of random number generation on deterministic computers, including von Neumann's "middle-square" method, Mersenne Twister (MT19937) (previously the default NumPy random number generator, which we conclude is unacceptable for use in production privacy-preserving systems), and the Linux /dev/urandom device. We also review hardware random number generator schemes, including the use of so-called "Lava Lamps" and the Intel Secure Key RDRAND instruction. We finally present our plan for generating random bits in the Amazon Web Services (AWS) environment using AES-CTR-DRBG seeded by mixing bits from /dev/urandom and the Intel Secure Key RDSEED instruction, a compromise of our desire to rely on a trusted hardware implementation, the unease of our external reviewers in trusting a hardware-only implementation, and the need to generate so many random bits.
Comment: 12 pages plus 2 pages bibliograph
Differential Privacy with Imperfect Randomness
In this work we revisit the question of basing cryptography on imperfect randomness. Bosley and Dodis (TCC’07) showed that if a source of randomness R is “good enough” to generate a secret key capable of encrypting k bits, then one can deterministically extract nearly k almost uniform bits from R, suggesting that traditional privacy notions (namely, indistinguishability of encryption) require an “extractable” source of randomness. Other, even stronger impossibility results are known for achieving privacy under specific “non-extractable” sources of randomness, such as the γ-Santha-Vazirani (SV) source, where each next bit has fresh entropy, but is allowed to have a small bias γ < 1 (possibly depending on prior bits). We ask whether similar negative results also hold for a more recent notion of privacy called differential privacy (Dwork et al., TCC’06), concentrating, in particular, on achieving differential privacy with the Santha-Vazirani source. We show that the answer is no. Specifically, we give a differentially private mechanism for approximating arbitrary “low sensitivity” functions that works even with randomness coming from a γ-Santha-Vazirani source, for any γ < 1. This provides a somewhat surprising “separation” between traditional privacy and differential privacy with respec