On Communication Protocols that Compute Almost Privately
A traditionally desired goal when designing auction mechanisms is incentive
compatibility, i.e., ensuring that bidders fare best by truthfully reporting
their preferences. A complementary goal, which has, thus far, received
significantly less attention, is to preserve privacy, i.e., to ensure that
bidders reveal no more information than necessary. We further investigate and
generalize the approximate privacy model for two-party communication recently
introduced by Feigenbaum et al. [8]. We explore the privacy properties of a
natural class of communication protocols that we refer to as "dissection
protocols". Dissection protocols include, among others, the bisection auction
in [9,10] and the bisection protocol for the millionaires problem in [8].
Informally, in a dissection protocol the communicating parties are restricted
to answering simple questions of the form "Is your input between the values
$\alpha$ and $\beta$ (under a predefined order over the possible inputs)?".
We prove that for a large class of functions, called tiling functions, which
include the 2nd-price Vickrey auction, there always exists a dissection
protocol that provides a constant average-case privacy approximation ratio for
uniform or "almost uniform" probability distributions over inputs. To establish
this result we present an interesting connection between the approximate
privacy framework and basic concepts in computational geometry. We show that
such a good privacy approximation ratio for tiling functions does not, in
general, exist in the worst case. We also discuss extensions of the basic setup
to more than two parties and to non-tiling functions, and provide calculations
of privacy approximation ratios for two functions of interest.
Comment: to appear in Theoretical Computer Science (series A

Private Graphon Estimation for Sparse Graphs
We design algorithms for fitting a high-dimensional statistical model to a
large, sparse network without revealing sensitive information of individual
members. Given a sparse input graph , our algorithms output a
node-differentially-private nonparametric block model approximation. By
node-differentially-private, we mean that our output hides the insertion or
removal of a vertex and all its adjacent edges. If is an instance of the
network obtained from a generative nonparametric model defined in terms of a
graphon , our model guarantees consistency, in the sense that as the number
of vertices tends to infinity, the output of our algorithm converges to in
an appropriate version of the norm. In particular, this means we can
estimate the sizes of all multi-way cuts in .
Our results hold as long as is bounded, the average degree of grows
at least like the log of the number of vertices, and the number of blocks goes
to infinity at an appropriate rate. We give explicit error bounds in terms of
the parameters of the model; in several settings, our bounds improve on or
match known nonprivate results.
Comment: 36 page

On the Complexity of -Closeness Anonymization and Related Problems
An important issue in releasing individual data is to protect the sensitive
information from being leaked and maliciously utilized. Famous privacy
preserving principles that aim to ensure both data privacy and data integrity,
such as -anonymity and -diversity, have been extensively studied both
theoretically and empirically. Nonetheless, these widely-adopted principles are
still insufficient to prevent attribute disclosure if the attacker has partial
knowledge about the overall sensitive data distribution. The -closeness
principle has been proposed to fix this, which also has the benefit of
supporting numerical sensitive attributes. However, in contrast to
-anonymity and -diversity, the theoretical aspect of -closeness has
not been well investigated.
We initiate the first systematic theoretical study on the -closeness
principle under the commonly-used attribute suppression model. We prove that
for every constant such that , it is NP-hard to find an optimal
-closeness generalization of a given table. The proof consists of several
reductions each of which works for different values of , which together
cover the full range. To complement this negative result, we also provide exact
and fixed-parameter algorithms. Finally, we answer some open questions
regarding the complexity of -anonymity and -diversity left in the
literature.
Comment: An extended abstract to appear in DASFAA 201