Tsz On Li,Jianyu Jiang,Ji Qi,Chi Chiu So,Jiacheng Ma,Xusheng Chen,Tianxiang Shen,Heming Cui,Yuexuan Wang,Peng Wang

DOI: https://doi.org/10.1109/dsn48063.2020.00064

2020-01-01

Abstract:In the era of big-data, individuals and institutions store their sensitive data on clouds, and these data are often analyzed and computed by MapReduce frameworks (e.g., Spark). However, releasing the computation result on these data may leak privacy. Differential Privacy (DP) is a powerful method to preserve the privacy of an individual data record from a computation result. Given an input dataset and a query, DP typically perturbs an output value with noise proportional to sensitivity, the greatest change on an output value when a record is added to or removed from the input dataset. Unfortunately, directly computing the sensitivity value for a query and an input dataset is computationally infeasible, because it requires adding or removing every record from the dataset and repeatedly running the same query on the dataset: a dataset of one million input records requires running the same query for more than one million times. This paper presents UPA, the first automated, accurate, and efficient sensitivity inferring approach for big-data mining applications. Our key observation is that MapReduce operators often have commutative and associative properties in order to enable parallelism and fault tolerance among computers. Therefore, UPA can greatly reduce the repeated computations at runtime while computing a precise sensitivity value automatically for general big-data queries. We compared UPA with FLEX, the most relevant work that does static analysis on queries to infer sensitivity values. Based on an extensive evaluation on nine diverse Spark queries, UPA supports all the nine evaluated queries, while FLEX supports only five of the nine queries. For the five queries which both UPA and FLEX can support, UPA enforces DP with five orders of magnitude more accurate sensitivity values than FLEX. UPA has reasonable performance overhead compared to native Spark. UPA's source code is available on https://github.com/hku-systems/UPA.

Teng Wang,Jun Zhao,Zhi Hu,Xinyu Yang,Xuebin Ren,Kwok-Yan Lam

DOI: https://doi.org/10.1016/j.neucom.2020.09.073

IF: 6

2021-02-01

Neurocomputing

Abstract:<p>Local Differential Privacy (LDP) can provide each user with strong privacy guarantees under untrusted data curators while ensuring accurate statistics derived from privatized data. Due to its powerfulness, LDP has been widely adopted to protect privacy in various tasks (e.g., heavy hitters discovery, probability estimation) and systems (e.g., Google Chrome, Apple iOS). In particular, <span class="math"><math>(∊,δ)</math></span>-LDP has been studied in related statistical tasks like private learning and hypothesis testing, but is mainly achieved by using Gaussian mechanism, leading to the limited data utility. In this paper, we investigate several novel mechanisms that achieve <span class="math"><math>(∊,δ)</math></span>-LDP with higher data utility in collecting and analyzing users' data. Specifically, we first design two <span class="math"><math>(∊,δ)</math></span>-LDP algorithms for mean estimations on multi-dimensional numeric data, which can ensure higher accuracy than the optimal Gaussian mechanism. Then, we investigate different local protocols for frequency estimations on categorical attributes under <span class="math"><math>(∊,δ)</math></span>-LDP. Based on the proposed mechanisms, we further study on <span class="math"><math>(∊,δ)</math></span>-LDP-compliant stochastic gradient descent algorithms for machine learning models. Besides, the theoretical analysis of the error bound and the variance of the proposed algorithms are also presented in the paper. We have conducted extensive experiments on both real-world and synthetic datasets and demonstrated the high data utility of our proposed algorithms in the perspectives of simple data statistics tasks and complex machine learning tasks. The experimental results have shown that our proposed algorithms can effectively improve the data utility in different tasks while alleviating the privacy concerns of each individual.</p>

computer science, artificial intelligence

Teng Wang,Xuefeng Zhang,Jingyu Feng,Xinyu Yang

DOI: https://doi.org/10.3390/s20247030

IF: 3.9

2020-12-08

Sensors

Abstract:Collecting and analyzing massive data generated from smart devices have become increasingly pervasive in crowdsensing, which are the building blocks for data-driven decision-making. However, extensive statistics and analysis of such data will seriously threaten the privacy of participating users. Local differential privacy (LDP) was proposed as an excellent and prevalent privacy model with distributed architecture, which can provide strong privacy guarantees for each user while collecting and analyzing data. LDP ensures that each user’s data is locally perturbed first in the client-side and then sent to the server-side, thereby protecting data from privacy leaks on both the client-side and server-side. This survey presents a comprehensive and systematic overview of LDP with respect to privacy models, research tasks, enabling mechanisms, and various applications. Specifically, we first provide a theoretical summarization of LDP, including the LDP model, the variants of LDP, and the basic framework of LDP algorithms. Then, we investigate and compare the diverse LDP mechanisms for various data statistics and analysis tasks from the perspectives of frequency estimation, mean estimation, and machine learning. Furthermore, we also summarize practical LDP-based application scenarios. Finally, we outline several future research directions under LDP.

engineering, electrical & electronic,chemistry, analytical,instruments & instrumentation

Chengkun Wei,Minghu Zhao,Zhikun Zhang,Min Chen,Wenlong Meng,Bo Liu,Yuan Fan,Wenzhi Chen

DOI: https://doi.org/10.1145/3576915.3616593

2023-01-01

Abstract:Differential privacy (DP), as a rigorous mathematical definition quantifying privacy leakage, has become a well-accepted standard for privacy protection. Combined with powerful machine learning (ML) techniques, differentially private machine learning (DPML) is increasingly important. As the most classic DPML algorithm, DP-SGD incurs a significant loss of utility, which hinders DPML's deployment in practice. Many studies have recently proposed improved algorithms based on DP-SGD to mitigate utility loss. However, these studies are isolated and cannot comprehensively measure the performance of improvements proposed in algorithms. More importantly, there is a lack of comprehensive research to compare improvements in these DPML algorithms across utility, defensive capabilities, and generalizability. We fill this gap by performing a holistic measurement of improved DPML algorithms on utility and defense capability against membership inference attacks (MIAs) on image classification tasks. We first present a taxonomy of where improvements are located in the ML life cycle. Based on our taxonomy, we jointly perform an extensive measurement study of the improved DPML algorithms, over twelve algorithms, four model architectures, four datasets, two attacks, and various privacy budget configurations. We also cover state-of-the-art label differential privacy (Label DP) algorithms in the evaluation. According to our empirical results, DP can effectively defend against MIAs, and sensitivity-bounding techniques such as per-sample gradient clipping play an important role in defense. We also explore some improvements that can maintain model utility and defend against MIAs more effectively. Experiments show that Label DP algorithms achieve less utility loss but are fragile to MIAs. ML practitioners may benefit from these evaluations to select appropriate algorithms. To support our evaluation, we implement a modular re-usable software, DPMLBench,(1) which enables sensitive data owners to deploy DPML algorithms and serves as a benchmark tool for researchers and practitioners.

Badih Ghazi,Ravi Kumar,Pasin Manurangsi,Thomas Steinke

DOI: https://doi.org/10.48550/arXiv.2209.04053

2022-09-08

Cryptography and Security

Abstract:Differential privacy is often applied with a privacy parameter that is larger than the theory suggests is ideal; various informal justifications for tolerating large privacy parameters have been proposed. In this work, we consider partial differential privacy (DP), which allows quantifying the privacy guarantee on a per-attribute basis. In this framework, we study several basic data analysis and learning tasks, and design algorithms whose per-attribute privacy parameter is smaller that the best possible privacy parameter for the entire record of a person (i.e., all the attributes).

Shaowei Wang,Liusheng Huang,Yiwen Nie,Pengzhan Wang,Hongli Xu,Wei Yang

DOI: https://doi.org/10.1109/infocom.2018.8486234

2018-01-01

Abstract:Set-valued data is useful for representing a rich family of information in numerous areas, such as market basket data of online shopping, apps on mobile phones and web browsing history. By analyzing set-valued data that are collected from users, service providers could learn the demographics of the users, the patterns of their usages, and finally, improve the quality of services for them. However, privacy has been an increasing concern in collecting and analyzing users' set-valued data, since these data may reveal sensitive information (e.g., identities, preferences and diseases) about individuals. In this work, we propose a privacy preserving aggregation mechanism for set-valued data: PrivSet. It provides rigorous data privacy protection locally (e.g., on mobile phones or wearable devices) and efficiently (its computational overhead is linear to the item domain size) for each user, and meanwhile allowing effective statistical analyses (e.g., distribution estimation of items, distribution estimation of set cardinality) on set-valued data for service providers. More specifically, in PrivSet, within the constraints of local E-differential privacy, each user independently responses with a subset of the set-valued data domain with calibrated probabilities, hence the true positive/false positive rate of each item is balanced and the performance of distribution estimation is optimized. Besides presenting theoretical error bounds of PrivSet and proving its optimality over existing approaches, we experimentally validate the mechanism, the experimental results illustrate that the estimation error in PrivSet has been reduced by half when compared to state-of-the-art approaches.

Honglu Jiang,Yifeng Gao,S M Sarwar,Luis GarzaPerez,Mahmudul Robin

DOI: https://doi.org/10.48550/arXiv.2112.01704

2021-12-03

Abstract:Differential privacy (DP) has become the de facto standard of privacy preservation due to its strong protection and sound mathematical foundation, which is widely adopted in different applications such as big data analysis, graph data process, machine learning, deep learning, and federated learning. Although DP has become an active and influential area, it is not the best remedy for all privacy problems in different scenarios. Moreover, there are also some misunderstanding, misuse, and great challenges of DP in specific applications. In this paper, we point out a series of limits and open challenges of corresponding research areas. Besides, we offer potentially new insights and avenues on combining differential privacy with other effective dimension reduction techniques and secure multiparty computing to clearly define various privacy models.

Cryptography and Security

Chengyi Yang,Jiayin Qi,Aimin Zhou

2024-01-23

Abstract:Differential privacy (DP) has achieved remarkable results in the field of privacy-preserving machine learning. However, existing DP frameworks do not satisfy all the conditions for becoming metrics, which prevents them from deriving better basic private properties and leads to exaggerated values on privacy budgets. We propose Wasserstein differential privacy (WDP), an alternative DP framework to measure the risk of privacy leakage, which satisfies the properties of symmetry and triangle inequality. We show and prove that WDP has 13 excellent properties, which can be theoretical supports for the better performance of WDP than other DP frameworks. In addition, we derive a general privacy accounting method called Wasserstein accountant, which enables WDP to be applied in stochastic gradient descent (SGD) scenarios containing sub-sampling. Experiments on basic mechanisms, compositions and deep learning show that the privacy budgets obtained by Wasserstein accountant are relatively stable and less influenced by order. Moreover, the overestimation on privacy budgets can be effectively alleviated. The code is available at

Machine Learning,Cryptography and Security

Rachel Cummings,Damien Desfontaines,David Evans,Roxana Geambasu,Yangsibo Huang,Matthew Jagielski,Peter Kairouz,Gautam Kamath,Sewoong Oh,Olga Ohrimenko,Nicolas Papernot,Ryan Rogers,Milan Shen,Shuang Song,Weijie Su,Andreas Terzis,Abhradeep Thakurta,Sergei Vassilvitskii,Yu-Xiang Wang,Li Xiong,Sergey Yekhanin,Da Yu,Huanyu Zhang,Wanrong Zhang

DOI: https://doi.org/10.48550/arXiv.2304.06929

2024-03-13

Abstract:In this article, we present a detailed review of current practices and state-of-the-art methodologies in the field of differential privacy (DP), with a focus of advancing DP's deployment in real-world applications. Key points and high-level contents of the article were originated from the discussions from "Differential Privacy (DP): Challenges Towards the Next Frontier," a workshop held in July 2022 with experts from industry, academia, and the public sector seeking answers to broad questions pertaining to privacy and its implications in the design of industry-grade systems. This article aims to provide a reference point for the algorithmic and design decisions within the realm of privacy, highlighting important challenges and potential research directions. Covering a wide spectrum of topics, this article delves into the infrastructure needs for designing private systems, methods for achieving better privacy/utility trade-offs, performing privacy attacks and auditing, as well as communicating privacy with broader audiences and stakeholders.

Cryptography and Security

Shuya Feng,Meisam Mohammady,Han Wang,Xiaochen Li,Zhan Qin,Yuan Hong

2024-07-20

Abstract:Streaming data, crucial for applications like crowdsourcing analytics, behavior studies, and real-time monitoring, faces significant privacy risks due to the large and diverse data linked to individuals. In particular, recent efforts to release data streams, using the rigorous privacy notion of differential privacy (DP), have encountered issues with unbounded privacy leakage. This challenge limits their applicability to only a finite number of time slots (''finite data stream'') or relaxation to protecting the events (''event or $w$-event DP'') rather than all the records of users. A persistent challenge is managing the sensitivity of outputs to inputs in situations where users contribute many activities and data distributions evolve over time. In this paper, we present a novel technique for Differentially Private data streaming over Infinite disclosure (DPI) that effectively bounds the total privacy leakage of each user in infinite data streams while enabling accurate data collection and analysis. Furthermore, we also maximize the accuracy of DPI via a novel boosting mechanism. Finally, extensive experiments across various streaming applications and real datasets (e.g., COVID-19, Network Traffic, and USDA Production), show that DPI maintains high utility for infinite data streams in diverse settings. Code for DPI is available at <a class="link-external link-https" href="https://github.com/ShuyaFeng/DPI" rel="external noopener nofollow">this https URL</a>.

Cryptography and Security

Hao Wang,Xiao Peng,Yihang Xiao,Zhengquan Xu,Xian Chen

DOI: https://doi.org/10.1007/s40747-021-00550-3

2021-10-09

Abstract:Abstract Privacy preserving methods supporting for data aggregating have attracted the attention of researchers in multidisciplinary fields. Among the advanced methods, differential privacy (DP) has become an influential privacy mechanism owing to its rigorous privacy guarantee and high data utility. But DP has no limitation on the bound of noise, leading to a low-level utility. Recently, researchers investigate how to preserving rigorous privacy guarantee while limiting the relative error to a fixed bound. However, these schemes destroy the statistical properties, including the mean, variance and MSE, which are the foundational elements for data aggregating and analyzing. In this paper, we explore the optimal privacy preserving solution, including novel definitions and implementing mechanisms, to maintain the statistical properties while satisfying DP with a fixed relative error bound. Experimental evaluation demonstrates that our mechanism outperforms current schemes in terms of security and utility for large quantities of queries.

computer science, artificial intelligence

Qian Wang,Yan Zhang,Xiao Lu,Zhibo Wang,Zhan Qin,Kui Ren

DOI: https://doi.org/10.1109/tdsc.2016.2599873

2016-01-01

IEEE Transactions on Dependable and Secure Computing

Abstract:Nowadays gigantic crowd-sourced data collected from mobile phone users have become widely available, which enables the possibility of many important data mining applications to improve the quality of our daily lives. While providing tremendous benefits, the release of these data to the public will pose a considerable threat to mobile users' privacy. To solve this problem, the notion of differential privacy has been proposed to provide privacy with theoretical guarantee, and recently it has been applied in streaming data publishing. However, most of the existing literature focus on either event-level privacy on infinite streams or user-level privacy on finite streams. In this paper, we investigate the problem of real-time spatiotemporal crowd-sourced data publishing with privacy preservation. Specifically, we consider continuous publication of population statistics for monitoring purposes and design RescueDP-an online aggregate monitoring scheme over infinite streams with privacy guarantee. RescueDP's key components include adaptive sampling, adaptive budget allocation, dynamic grouping, perturbation and filtering, which are seamlessly integrated as a whole to provide privacy-preserving statistics publishing on infinite time stamps. We show that RescueDP can achieve w-event privacy over data generated and published periodically by crowd users. We evaluate our scheme with real-world as well as synthetic datasets and compare it with two w-event privacy-assured representative benchmarks. Experimental results show that our solution outperforms the existing methods and improves the utility with strong privacy guarantee.

Xingxing Xiong,Shubo Liu,Dan Li,Zhaohui Cai,Xiaoguang Niu

DOI: https://doi.org/10.1016/j.jisa.2020.102633

IF: 4.96

2020-12-01

Journal of Information Security and Applications

Abstract:<p>Technology and usage advances in wireless communication and smart mobile devices with localization capabilities enable a large number of emerging applications of location-based services, e.g. mobile crowdsourcing applications, which are facilitating our daily life. However, collecting and sharing location data to service providers of applications will give rise to mobile users' concerns on their privacy, especially location privacy. In this paper, we investigate the problem of real-time spatio-temporal data aggregation with privacy preservation in the local setting. In response to this, we propose a systematic solution based on stringent local differential privacy preservation technique to deal with the problem. Firstly, we introduce a novel definition of (ε,  δ)-local differential privacy with the ability to capture the temporal correlation in spatio-temporal data and provide differential privacy preservation. Secondly, we develop an efficient framework of generalized randomized response (GRR) based real-time and private spatio-temporal data aggregation with an untrusted server. Finally, we conduct experiments on two real-world datasets to evaluate our framework. The results show that our GRR based framework significantly outperforms that based on PIM and LRM in data utility and demonstrate its superiority to achieve better trade-off of privacy and utility for real-time spatio-temporal data aggregation with stringent privacy preservation.</p>

computer science, information systems

Raksha Ramakrishna,Anna Scaglione,Tong Wu,Nikhil Ravi,Sean Peisert

2023-06-09

Abstract:In this paper, we present a notion of differential privacy (DP) for data that comes from different classes. Here, the class-membership is private information that needs to be protected. The proposed method is an output perturbation mechanism that adds noise to the release of query response such that the analyst is unable to infer the underlying class-label. The proposed DP method is capable of not only protecting the privacy of class-based data but also meets quality metrics of accuracy and is computationally efficient and practical. We illustrate the efficacy of the proposed method empirically while outperforming the baseline additive Gaussian noise mechanism. We also examine a real-world application and apply the proposed DP method to the autoregression and moving average (ARMA) forecasting method, protecting the privacy of the underlying data source. Case studies on the real-world advanced metering infrastructure (AMI) measurements of household power consumption validate the excellent performance of the proposed DP method while also satisfying the accuracy of forecasted power consumption measurements.

Signal Processing,Cryptography and Security

Aiping Xiong,Tianhao Wang,Ninghui Li,Somesh Jha

DOI: https://doi.org/10.48550/arXiv.2003.13922

2020-03-31

Abstract:Differential privacy protects an individual's privacy by perturbing data on an aggregated level (DP) or individual level (LDP). We report four online human-subject experiments investigating the effects of using different approaches to communicate differential privacy techniques to laypersons in a health app data collection setting. Experiments 1 and 2 investigated participants' data disclosure decisions for low-sensitive and high-sensitive personal information when given different DP or LDP descriptions. Experiments 3 and 4 uncovered reasons behind participants' data sharing decisions, and examined participants' subjective and objective comprehensions of these DP or LDP descriptions. When shown descriptions that explain the implications instead of the definition/processes of DP or LDP technique, participants demonstrated better comprehension and showed more willingness to share information with LDP than with DP, indicating their understanding of LDP's stronger privacy guarantee compared with DP.

Cryptography and Security,Databases,Human-Computer Interaction

Ben Niu,Yahong Chen,Boyang Wang,Zhibo Wang,Fenghua Li,Jin Cao

DOI: https://doi.org/10.1109/infocom42981.2021.9488825

2021-01-01

Abstract:Users usually have different privacy demands when they contribute individual data to a dataset that is maintained and queried by others. To tackle this problem, several personalized differential privacy (PDP) mechanisms have been proposed to render statistical information of the entire dataset without revealing individual privacy. However, existing mechanisms produce query results with low accuracy, which leads to poor data utility. This is primarily because (1) some users are over protected; (2) utility is not explicitly included in the design objective. Poor data utility impedes the adoption of PDP in the real-world applications. In this paper, we present an adaptive personalized differential privacy framework, called AdaPDP. Specifically, to maximize data utility in different cases, AdaPDP adaptively selects underlying noise generation algorithms and calculates the corresponding parameters based on the type of query functions, data distributions and privacy settings. In addition, AdaPDP performs multiple rounds of utility-aware sampling to satisfy different privacy requirements for users. Our privacy analysis shows that the proposed framework renders rigorous privacy guarantee. We conduct extensive experiments on synthetic and real-world datasets to demonstrate the much less utility losses of the proposed framework over various query functions.

Haina Song,Hua Shen,Nan Zhao,Zhangqing He,Minghu Wu,Wei Xiong,Mingwu Zhang

DOI: https://doi.org/10.1016/j.cose.2023.103517

IF: 5.105

2024-01-01

Computers & Security

Abstract:Local differential privacy (LDP) enables terminal participants to share their private data safely while controlling the privacy disclosure at the source. In the majority of current works, they assumed that the privacy preservation parameter is totally determined by the data collector and then dispatched to all participants in mobile crowdsensing. However, in the real world, due to different privacy preferences of participants, it is inelegant and unpromising for all participants to accept the same privacy preservation level during data collection. To address such issue, an adaptive personalized local differential privacy (APLDP) data collection scheme is proposed to realize personalized privacy preservation while achieving higher data utility, in which two different LDP perturbation methods (basic RAPPOR and k-RR) are adaptively chosen by the participants according to their different privacy preferences, as well as the best perturbation probability is adaptively adopted by the participants to perturb their private data. In such case, the adaptive boundary based on the minimum mean square error (MSE) is theoretically derived to allow the participant to adaptively choose the best perturbation method, and meanwhile, it allows the participant to adaptively choose the best perturbation probability. Then, two estimation mergence methods named the direct combination (DC) and the weighted combination (WC) are demonstrated to do efficient data aggregation. Experiments on both synthetic and real data sets show that the proposed APLDP scheme performs better than previous non-personalized proposals in terms of the MSE and the average error rate (AER), especially using WC estimation method.

computer science, information systems

Yaxuan Huang,Kaiping Xue,Bin Zhu,David S. L. Wei,Qibin Sun,Jun Lu

DOI: https://doi.org/10.1109/tifs.2024.3423657

IF: 7.231

2024-07-26

IEEE Transactions on Information Forensics and Security

Abstract:Set-valued data are commonly used to represent subsets of a universal set and are frequently utilized in online services, such as online shopping preferences, website browsing records, and recently visited places. By collecting set-valued data from users, service providers can perform statistical analysis to obtain a joint distribution of service usage data and subsequently learn the association between different kinds of set-valued data to improve the quality of service. However, collecting set-valued data raises privacy concerns about the potential misuse of records to infer individuals' identities and preferences. Although some privacy-preserving aggregation mechanisms for set-valued data have been proposed, they have not yet achieved joint distribution analysis with high accuracy. In this paper, we propose a joint distribution analysis method for set-valued data with local differential privacy (LDP). We design a scalable perturbation mechanism under -LDP by limiting the range of users' responses in the collection process and cyclically shifting the set-valued data in an encoded uniform format, ensuring that the size of the universal set does not influence the accuracy of the results. Based on the perturbation method, we develop an analysis method to efficiently obtain association information between two sets. By performing specific bitwise operations on the perturbed data matrices, the computational overhead is linear with respect to the cardinality of the item set. In addition to theoretically analyzing the error bound and proving the security of our work, extensive experimental results on synthetic and real-world datasets demonstrate that our scheme achieves better utility than existing state-of-the-art approaches.

computer science, theory & methods,engineering, electrical & electronic

Mengmeng Yang,Lingjuan Lyu,Jun Zhao,Tianqing Zhu,Kwok-Yan Lam

DOI: https://doi.org/10.48550/arXiv.2008.03686

2020-08-09

Abstract:With the fast development of Information Technology, a tremendous amount of data have been generated and collected for research and analysis purposes. As an increasing number of users are growing concerned about their personal information, privacy preservation has become an urgent problem to be solved and has attracted significant attention. Local differential privacy (LDP), as a strong privacy tool, has been widely deployed in the real world in recent years. It breaks the shackles of the trusted third party, and allows users to perturb their data locally, thus providing much stronger privacy protection. This survey provides a comprehensive and structured overview of the local differential privacy technology. We summarise and analyze state-of-the-art research in LDP and compare a range of methods in the context of answering a variety of queries and training different machine learning models. We discuss the practical deployment of local differential privacy and explore its application in various domains. Furthermore, we point out several research gaps, and discuss promising future research directions.

Cryptography and Security

Royce J Wilson,Celia Yuxin Zhang,William Lam,Damien Desfontaines,Daniel Simmons-Marengo,Bryant Gipson

DOI: https://doi.org/10.2478/popets-2020-0025

2020-04-01

Proceedings on Privacy Enhancing Technologies

Abstract:Abstract Differential privacy (DP) provides formal guarantees that the output of a database query does not reveal too much information about any individual present in the database. While many differentially private algorithms have been proposed in the scientific literature, there are only a few end-to-end implementations of differentially private query engines. Crucially, existing systems assume that each individual is associated with at most one database record, which is unrealistic in practice. We propose a generic and scalable method to perform differentially private aggregations on databases, even when individuals can each be associated with arbitrarily many rows. We express this method as an operator in relational algebra, and implement it in an SQL engine. To validate this system, we test the utility of typical queries on industry benchmarks, and verify its correctness with a stochastic test framework we developed. We highlight the promises and pitfalls learned when deploying such a system in practice, and we publish its core components as open-source software.

English Else