A Constraint Satisfaction Cryptanalysis of Bloom Filters in Private Record Linkage

Kuzu, Mehmet; Kantarcıoğlu, Murat; Durham, Elizabeth; Malin, Bradley

doi:10.1007/978-3-642-22263-4_13

Cited by 91 publications

(103 citation statements)

References 26 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…All attacks will be described shortly. Kuzu et al (2011) sampled 20,000 records from a voter registration list and encrypted the bigrams of forenames (with k = 15 and l = 500). The authors formulated their attack as a constraint satisfaction problem (CSP) which defines a set of variables, which have to satisfy certain constraints.…”

Section: Attacks On Bloom Filtersmentioning

confidence: 99%

“…Usually special programs called CSP solvers are used for this. To limit the problem size given to the CSP solver, Kuzu et al (2011) used a frequency analysis of the identifiers from the voter registration list and of the Bloom filters encodings. For assigning possible names to the Bloom filters, generated frequency intervals for the forenames in the voting list and for the Bloom filters were applied.…”

Section: Attacks On Bloom Filtersmentioning

confidence: 99%

“…By using information on the joint distribution of q-grams in unencrypted quasi-identifiers in combination with the joint frequency distribution of bit patterns, assignments of q-grams to bit patterns can be checked with an automated procedure. Many different ways of setting up such a system are possible, obvious candidates are generic algorithms (Haupt & Haipt 2004, for a cryptographic application, see Morelli & Walde 2003) or constrained satisfaction problems solvers (Marriott & Stuckey 1999, for an application to Bloom filters see Kuzu et al 2011). If the constraints or optimization criteria of such automatic assignment systems depend on deterministic rules, such attacks can be made much harder, if random noise is added to the bit-patterns.…”

Section: Random Bitsmentioning

confidence: 99%

See 2 more Smart Citations

Privacy‐preserving record linkage

Schnell

2015

Methodological Developments in Data Linkage

View full text Add to dashboard Cite

Section: Attacks On Bloom Filtersmentioning

confidence: 99%

Section: Attacks On Bloom Filtersmentioning

confidence: 99%

Section: Random Bitsmentioning

confidence: 99%

See 1 more Smart Citation

Privacy‐preserving record linkage

Schnell

2015

Methodological Developments in Data Linkage

View full text Add to dashboard Cite

“…Bloom filters are then compared for similarity, instead of the n-grams. Kuzu et al recently demonstrated an attack that can utilize a global dataset with demographic data (often available publicly) to determine what input strings were used to create the Bloom filter encodings [26]. In a follow up study, the authors demonstrated that the attack is feasible in practice, but the speed and precision of the attack may be worse than theoretical predictions [27].…”

Section: Related Workmentioning

confidence: 99%

Linking Health Records for Federated Query Processing

Dewri

Ong

Thurimella

2016

Proceedings on Privacy Enhancing Technologies

View full text Add to dashboard Cite

A federated query portal in an electronic health record infrastructure enables large epidemiology studies by combining data from geographically dispersed medical institutions. However, an individual's health record has been found to be distributed across multiple carrier databases in local settings. Privacy regulations may prohibit a data source from revealing clear text identifiers, thereby making it non-trivial for a query aggregator to determine which records correspond to the same underlying individual. In this paper, we explore this problem of privately detecting and tracking the health records of an individual in a distributed infrastructure. We begin with a secure set intersection protocol based on commutative encryption, and show how to make it practical on comparison spaces as large as 10 10 pairs. Using bigram matching, precomputed tables, and data parallelism, we successfully reduced the execution time to a matter of minutes, while retaining a high degree of accuracy even in records with data entry errors. We also propose techniques to prevent the inference of identifier information when knowledge of underlying data distributions is known to an adversary. Finally, we discuss how records can be tracked utilizing the detection results during query processing.

show abstract

“…Two partially successful attacks on Bloom filters using a Constraint Satisfaction Solver have been reported by [42], [43]. In the more recent study, the authors used combined Bloom filters (a CLK variant).…”

Section: A Security Of Bloom Filter-based Approachesmentioning

confidence: 99%

Building a National Perinatal Data Base without the Use of Unique Personal Identifiers

Schnell

Borgs

2015

2015 IEEE International Conference on Data Mining Workshop (ICDMW)

View full text Add to dashboard Cite

Abstract-To assess the quality of hospital care, national databases of standard medical procedures are common. A widely known example are national databases of births. If unique personal identification numbers are available (as in Scandinavian countries), the construction of such databases is trivial from a computational point of view. However, due to privacy legislation, such identifiers are not available in all countries. Given such constraints, the construction of a national perinatal database has to rely on other patient identifiers, such as names and dates of birth. These kind of identifiers are prone to errors. Furthermore, some jurisdictions require the encryption of personal identifiers. The resulting problem is therefore an example of Privacy Preserving Record Linkage (PPRL). This contribution describes the design considerations for a national perinatal database using data of about 600,000 births in about 1,000 hospitals. Based on simulations, recommendations for parameter settings of Bloom filter based PPRL are given for this real world application. I. BACKGROUNDFor the medical assessment of German hospitals, a federal institution (GBA) 1 is obliged by law to link administrative records of more than 600,000 births yearly. The records are scattered across about 1,000 independent perinatal and neonatal units. The linked data is used for monitoring hospital performance and epidemiological analyses like spatial prevalence of very low birth weights. Due to privacy regulations, patient databases of hospitals are not linked by an electronic network. The hospitals use different electronic medical record systems, but have to use the same data exchange format. All details of the data exchange are part of a mandatory regulation. Because the German health insurance system has no common unique personal identifier number, other patient identifiers have to be used. Since the current regulations do not allow names in any form, encrypted or not, current linkage is based on different combinations of health insurance numbers, birth weight and hospital identifiers. Given the described constraints, only about 80% of the records can be linked [1].From a statistical point of view, non-linked records might cause a missing data problem [2]. If the fact, that a true link is missed, depends on variables of interest, this is referred to as differential linkage error [3], [4]. This might result in biased estimates of causal effects and population parameters [5], [6]. Concerning our field of application, evidence of bias caused by differences between linked and non-linked maternal data sets has been published [7], [8]. The easiest way to 1 For details, see www.english.g-ba.de.reduce differential linkage bias is improving the linkage rate. Therefore, using additional identifiers has been proposed to the regulatory authority [9]. As previous research has shown [10] [30]. In this paper, we will describe the design of a national perinatal database using Bloom filters for PPRL. 2 We are not aware of any published attack against encryp...

show abstract

A Constraint Satisfaction Cryptanalysis of Bloom Filters in Private Record Linkage

Cited by 91 publications

References 26 publications

Privacy‐preserving record linkage

Privacy‐preserving record linkage

Linking Health Records for Federated Query Processing

Building a National Perinatal Data Base without the Use of Unique Personal Identifiers

Contact Info

Product

Resources

About