Cardinality Estimators do not Preserve Privacy

Desfontaines, Damien; Lochbihler, Andreas; Basin, David

doi:10.2478/popets-2019-0018

Cited by 44 publications

(53 citation statements)

References 39 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…As an aside, our privacy risk analysis differs considerably from Desfontaines, et al (2018), who argue that "cardinality estimators do not preserve privacy." However, their threat model includes an adversary who has incremental access to the sketches as they are being generated, rather than only a single sketch per hospital for a query.…”

Section: B Privacy Risk Score --Anonymitymentioning

confidence: 97%

Federated queries of clinical data repositories: balancing accuracy and privacy

Weber

2019

Preprint

View full text Add to dashboard Cite

Researchers use large federated clinical data networks that connect dozens of healthcare organizations to access data on millions of patients. However, because patients often receive care from multiple sites in the network, queries frequently double-count patients. Using the probabilistic streaming algorithm HyperLogLog and adding obfuscation, we developed a scalable method for estimating the number of distinct lives that match a query, which balances accuracy and privacy in a "tunable" way.

show abstract

Section: B Privacy Risk Score --Anonymitymentioning

confidence: 97%

Federated queries of clinical data repositories: balancing accuracy and privacy

Weber

2019

Preprint

View full text Add to dashboard Cite

show abstract

“…To the authors' best knowledge, there is no previous work on the security of HLL. The closest works focus on the privacy implications of HLL [11] or on attacks on data structures like Bloom filters or the Count-Min sketch [12].…”

Section: Arxiv:200206463v1 [Cscr] 15 Feb 2020mentioning

confidence: 99%

“…This would make harder for the attacker to identify which elements modify the cardinality estimation. However, it seems that the attacker could still get that information [11]. This can be done by testing different combinations of elements repeatedly.…”

Section: Existing Techniquesmentioning

confidence: 99%

Security of HyperLogLog (HLL) Cardinality Estimation: Vulnerabilities and Protection

Reviriego

Ting

2020

IEEE Commun. Lett.

View full text Add to dashboard Cite

Count distinct or cardinality estimates are widely used in network monitoring for security. They can be used, for example, to detect the malware spread, network scans, or a denial of service attack. There are many algorithms to estimate cardinality. Among those, HyperLogLog (HLL) has been one of the most widely adopted. HLL is simple, provides good cardinality estimates over a wide range of values, requires a small amount of memory, and allows merging of estimates from different sources. However, as HLL is increasingly used to detect attacks, it can itself become the target of attackers that want to avoid being detected. To the best of our knowledge, the security of HLL has not been studied before. In this letter, we take an initial step in its study by first exposing a vulnerability of HLL that allows an attacker to manipulate its estimate. This shows the importance of designing secure HLL implementations. In the second part of the letter, we propose an efficient protection technique to detect and avoid the HLL manipulation. The results presented strongly suggest that the security of HLL should be further studied given that it is widely adopted in many networking and computing applications.

show abstract

“…Recently, Desfontaines et al [18] considered privacy of cardinality estimators from a different angle. In particular, they assumed an insider risk scenario where the adversary has access to the actual sketch (rather than the output statistic) and showed that no noiseless sketch can be differentially private.…”

Section: Secure Statisticsmentioning

confidence: 99%

“…Recently, a seemingly contradictory result has been published. In particular, Desfontaines et al [18] showed that the LogLog sketch does not protect privacy from the inside attacker who has access to the sketch. Their result is not in conflict with our result in this section, since they assumed that the inside attacker also knows the hash key whereas our result assumes the private hash function.…”

Section: A Single-party Protocolmentioning

confidence: 99%

Differentially-Private Multi-Party Sketching for Large-Scale Statistics

Choi

Dachman-Soled

Kulkarni

et al. 2020

Proceedings on Privacy Enhancing Technologies

View full text Add to dashboard Cite

We consider a scenario where multiple organizations holding large amounts of sensitive data from their users wish to compute aggregate statistics on this data while protecting the privacy of individual users. To support large-scale analytics we investigate how this privacy can be provided for the case of sketching algorithms running in time sub-linear of the input size.We begin with the well-known LogLog sketch for computing the number of unique elements in a data stream. We show that this algorithm already achieves differential privacy (even without adding any noise) when computed using a private hash function by a trusted curator. Next, we show how to eliminate this requirement of a private hash function by injecting a small amount of noise, allowing us to instantiate an efficient LogLog protocol for the multi-party setting. To demonstrate the practicality of this approach, we run extensive experimentation on multiple data sets, including the publicly available IP address data set from University of Michigan’s scans of internet IPv4 space, to determine the trade-offs among efficiency, privacy and accuracy of our implementation for varying numbers of parties and input sizes.Finally, we generalize our approach for the LogLog sketch and obtain a general framework for constructing multi-party differentially private protocols for several other sketching algorithms.

show abstract

Cardinality Estimators do not Preserve Privacy

Cited by 44 publications

References 39 publications

Federated queries of clinical data repositories: balancing accuracy and privacy

Federated queries of clinical data repositories: balancing accuracy and privacy

Security of HyperLogLog (HLL) Cardinality Estimation: Vulnerabilities and Protection

Differentially-Private Multi-Party Sketching for Large-Scale Statistics

Contact Info

Product

Resources

About