Page 472 - Invited Paper Session (IPS) - Volume 1
P. 472
IPS177 F. Ricciato et al.
mechanism called "cell key method" is adopted to ensure that the injected
perturbations are consistent across multiple queries. This approach is robust
to differential attacks that, instead, represent the main limitation of pure
randomized systems (where noise varies across queries). The cell key method
is recommended for protection of European census 2021 round [13]. It is
expected that it will ensure consistent protection of the census data in view of
making them available via various channels and access systems.
4. Solution approaches to Input Privacy problem
When the input data are held by multiple IPs, and the computation cannot
be factorized into independent (sequential or parallel) components, one
possible solution approach to the input privacy problem is given by Secure
Multi-Party Computation (SMC) methods based on the principle of secret
sharing. In a nutshell, with SMC every individual input data element is
transformed into a set of so-called secret shares that are passed to a set of
(three or more) intermediate ‘computing parties’ (CP). The CPs form
collectively the SMC infrastructure. The secret shares are produced in a way
that yields two important properties. First, under certain conditions, defined
by the applicable attack model, secret shares do not reveal anything about the
input source data to the individual CPs (non-invertibility). Second, they allow
to compute exactly the correct output that would be obtained by a direct
computation on the clear input (homomorphism). A general introduction to
SMC and secret sharing can be found in [6] while examples of practical
applications are found in [7, 8].
1
To preserve confidentiality, each CP must not disclose the received secret
shares to other CPs, i.e., CPs must not collude among themselves to break the
confidentiality of IP data. SMC can be tuned to be robust against a subset of
colluding CPs. In other words, the system preserves input confidentiality as far
as at least one CP does not collude with the others. That means, the CPs must
be trusted collectively, not individually. Then the problem of ensuring be
trusted collectively, not individually. Then the problem of ensuring
confidentiality moves up to an institutional level, and translates into the task
of identifying a suitable set of CP. An important property of SMC plays in our
favour: in practical deployment, the same institution can play multiple roles.
For example, one data holder serving as IP can at the same time host one CP
instance – obviously he would never collude with other CPs against himself.
Also, one entity (e.g., the SO) can play contemporarily the roles of IP, OP and
CP.
1 The relationship between SMC and personal data protection legislation presents some
open issues that go beyond the scope of the present contribution, see e.g. the discussion in
[15].
461 | I S I W S C 2 0 1 9