Jianqing Liu,Na Gong,Hritom Das

2024-03-26

Abstract:The software-based implementation of differential privacy mechanisms has been shown to be neither friendly for lightweight devices nor secure against side-channel attacks. In this work, we aim to develop a hardware-based technique to achieve differential privacy by design. In contrary to the conventional software-based noise generation and injection process, our design realizes local differential privacy (LDP) by harnessing the inherent hardware noise into controlled LDP noise when data is stored in the memory. Specifically, the noise is tamed through a novel memory design and power downscaling technique, which leads to double-faceted gains in privacy and power efficiency. A well-round study that consists of theoretical design and analysis and chip implementation and experiments is presented. The results confirm that the developed technique is differentially private, saves 88.58% system power, speeds up software-based DP mechanisms by more than 10^6 times, while only incurring 2.46% chip overhead and 7.81% estimation errors in data recovery.

Cryptography and Security

Zhengyan Zhou,Hanze Chen,Lingfei Chen,Dong Zhang,Chunming Wu,Xuan Liu,Muhammad Khurram Khan

DOI: https://doi.org/10.1109/tgcn.2024.3432781

2024-01-01

IEEE Transactions on Green Communications and Networking

Abstract:Radio access network (RAN) enables large-scale collection of sensitive data. Privacy-preserving techniques aim to learn knowledge from sensitive data to improve services without compromising privacy. However, as the data scale increases, enforcing privacy-preserving techniques on sensitive data may consume a considerable amount of system resources and impose performance penalties. To reduce system resource consumption, we present NetDP, an in-network architecture for privacy-preserving techniques by leveraging programmable switches to improve resource efficiency (i.e., CPU cycles, network bandwidth, and privacy budgets). The key idea of NetDP is to accommodate and exploit cryptographic operators to reduce resource consumption rather than repetitively and exhaustively suppressing the impact of these techniques. To the best of our knowledge, this is the first time that privacy-preserving techniques in a large-scale data processing system have been enforced on programmable switches. Our experiments based on Tofino switches indicate that NetDP significantly reduces computation latency (e.g., 40.2%-55.8% latency in computations) without impacting fidelity.

Mpoki Mwaisela

2024-09-25

Abstract:Privacy-preserving computation techniques like homomorphic encryption (HE) and secure multi-party computation (SMPC) enhance data security by enabling processing on encrypted data. However, the significant computational and CPU-DRAM data movement overhead resulting from the underlying cryptographic algorithms impedes the adoption of these techniques in practice. Existing approaches focus on improving computational overhead using specialized hardware like GPUs and FPGAs, but these methods still suffer from the same processor-DRAM overhead. Novel hardware technologies that support in-memory processing have the potential to address this problem. Memory-centric computing, or processing-in-memory (PIM), brings computation closer to data by introducing low-power processors called data processing units (DPUs) into memory. Besides its in-memory computation capability, PIM provides extensive parallelism, resulting in significant performance improvement over state-of-the-art approaches. We propose a framework that uses recently available PIM hardware to achieve efficient privacy-preserving computation. Our design consists of a four-layer architecture: (1) an application layer that decouples privacy-preserving applications from the underlying protocols and hardware; (2) a protocol layer that implements existing secure computation protocols (HE and MPC); (3) a data orchestration layer that leverages data compression techniques to mitigate the data transfer overhead between DPUs and host memory; (4) a computation layer which implements DPU kernels on which secure computation algorithms are built.

Cryptography and Security,Hardware Architecture,Distributed, Parallel, and Cluster Computing

Jiankai Jin,Chitchanok Chuengsatiansup,Toby Murray,Benjamin I. P. Rubinstein,Yuval Yarom,Olga Ohrimenko

2024-08-14

Abstract:Current implementations of differentially-private (DP) systems either lack support to track the global privacy budget consumed on a dataset, or fail to faithfully maintain the state continuity of this budget. We show that failure to maintain a privacy budget enables an adversary to mount replay, rollback and fork attacks - obtaining answers to many more queries than what a secure system would allow. As a result the attacker can reconstruct secret data that DP aims to protect - even if DP code runs in a Trusted Execution Environment (TEE). We propose ElephantDP, a system that aims to provide the same guarantees as a trusted curator in the global DP model would, albeit set in an untrusted environment. Our system relies on a state continuity module to provide protection for the privacy budget and a TEE to faithfully execute DP code and update the budget. To provide security, our protocol makes several design choices including the content of the persistent state and the order between budget updates and query answers. We prove that ElephantDP provides liveness (i.e., the protocol can restart from a correct state and respond to queries as long as the budget is not exceeded) and DP confidentiality (i.e., an attacker learns about a dataset as much as it would from interacting with a trusted curator). Our implementation and evaluation of the protocol use Intel SGX as a TEE to run the DP code and a network of TEEs to maintain state continuity. Compared to an insecure baseline, we observe 1.1-3.2$\times$ overheads and lower relative overheads for complex DP queries.

Cryptography and Security

Zachary Ratliff,Salil Vadhan

DOI: https://doi.org/10.48550/arXiv.2409.05623

2024-09-09

Abstract:The standard definition of differential privacy (DP) ensures that a mechanism's output distribution on adjacent datasets is indistinguishable. However, real-world implementations of DP can, and often do, reveal information through their runtime distributions, making them susceptible to timing attacks. In this work, we establish a general framework for ensuring differential privacy in the presence of timing side channels. We define a new notion of timing privacy, which captures programs that remain differentially private to an adversary that observes the program's runtime in addition to the output. Our framework enables chaining together component programs that are timing-stable followed by a random delay to obtain DP programs that achieve timing privacy. Importantly, our definitions allow for measuring timing privacy and output privacy using different privacy measures. We illustrate how to instantiate our framework by giving programs for standard DP computations in the RAM and Word RAM models of computation. Furthermore, we show how our framework can be realized in code through a natural extension of the OpenDP Programming Framework.

Cryptography and Security

Mohammad Nasim Imtiaz Khan,Swaroop Ghosh

DOI: https://doi.org/10.3390/jlpea11040036

2021-09-24

Journal of Low Power Electronics and Applications

Abstract:Several promising non-volatile memories (NVMs) such as magnetic RAM (MRAM), spin-transfer torque RAM (STTRAM), ferroelectric RAM (FeRAM), resistive RAM (RRAM), and phase-change memory (PCM) are being investigated to keep the static leakage within a tolerable limit. These new technologies offer high density and consume zero leakage power and can bridge the gap between processor and memory. The desirable properties of emerging NVMs make them suitable candidates for several applications including replacement of conventional memories. However, their unique characteristics introduce new data privacy and security issues. Some of them are already available in the market as discrete chips or a part of full system implementation. They are considered to become ubiquitous in future computing devices. Therefore, it is important to ensure their security/privacy issues. Note that these NVMs can be considered for cache, main memory, or storage application. They are also suitable to implement in-memory computation which increases system throughput and eliminates von Neumann bottleneck. Compute-capable NVMs impose new security and privacy challenges that are fundamentally different than their storage counterpart. This work identifies NVM vulnerabilities and attack vectors originating from the device level all the way to circuits and systems, considering both storage and compute applications. We also summarize the circuit/system-level countermeasures to make the NVMs robust against security and privacy issues.

English Else

Chengkun Wei,Minghu Zhao,Zhikun Zhang,Min Chen,Wenlong Meng,Bo Liu,Yuan Fan,Wenzhi Chen

DOI: https://doi.org/10.1145/3576915.3616593

2023-01-01

Abstract:Differential privacy (DP), as a rigorous mathematical definition quantifying privacy leakage, has become a well-accepted standard for privacy protection. Combined with powerful machine learning (ML) techniques, differentially private machine learning (DPML) is increasingly important. As the most classic DPML algorithm, DP-SGD incurs a significant loss of utility, which hinders DPML's deployment in practice. Many studies have recently proposed improved algorithms based on DP-SGD to mitigate utility loss. However, these studies are isolated and cannot comprehensively measure the performance of improvements proposed in algorithms. More importantly, there is a lack of comprehensive research to compare improvements in these DPML algorithms across utility, defensive capabilities, and generalizability. We fill this gap by performing a holistic measurement of improved DPML algorithms on utility and defense capability against membership inference attacks (MIAs) on image classification tasks. We first present a taxonomy of where improvements are located in the ML life cycle. Based on our taxonomy, we jointly perform an extensive measurement study of the improved DPML algorithms, over twelve algorithms, four model architectures, four datasets, two attacks, and various privacy budget configurations. We also cover state-of-the-art label differential privacy (Label DP) algorithms in the evaluation. According to our empirical results, DP can effectively defend against MIAs, and sensitivity-bounding techniques such as per-sample gradient clipping play an important role in defense. We also explore some improvements that can maintain model utility and defend against MIAs more effectively. Experiments show that Label DP algorithms achieve less utility loss but are fragile to MIAs. ML practitioners may benefit from these evaluations to select appropriate algorithms. To support our evaluation, we implement a modular re-usable software, DPMLBench,(1) which enables sensitive data owners to deploy DPML algorithms and serves as a benchmark tool for researchers and practitioners.

Shuning Zhang,Lyumanshan Ye,Xin Yi,Jingyu Tang,Bo Shui,Haobin Xing,Pengfei Liu,Hewu Li

2024-10-19

Abstract:Memories, encompassing past inputs in context window and retrieval-augmented generation (RAG), frequently surface during human-LLM interactions, yet users are often unaware of their presence and the associated privacy risks. To address this, we propose MemoAnalyzer, a system for identifying, visualizing, and managing private information within memories. A semi-structured interview (N=40) revealed that low privacy awareness was the primary challenge, while proactive privacy control emerged as the most common user need. MemoAnalyzer uses a prompt-based method to infer and identify sensitive information from aggregated past inputs, allowing users to easily modify sensitive content. Background color temperature and transparency are mapped to inference confidence and sensitivity, streamlining privacy adjustments. A 5-day evaluation (N=36) comparing MemoAnalyzer with the default GPT setting and a manual modification baseline showed MemoAnalyzer significantly improved privacy awareness and protection without compromising interaction speed. Our study contributes to privacy-conscious LLM design, offering insights into privacy protection for Human-AI interactions.

Human-Computer Interaction

Yusheng Zhao,Hui Zhong,Xinyue Zhang,Yuqing Li,Chi Zhang,Miao Pan

2024-08-14

Abstract:While quantum computing has strong potential in data-driven fields, the privacy issue of sensitive or valuable information involved in the quantum algorithm should be considered. Differential privacy (DP), which is a fundamental privacy tool widely used in the classical scenario, has been extended to the quantum domain, i.e., quantum differential privacy (QDP). QDP may become one of the most promising approaches toward privacy-preserving quantum computing since it is not only compatible with classical DP mechanisms but also achieves privacy protection by exploiting unavoidable quantum noise in noisy intermediate-scale quantum (NISQ) devices. This paper provides an overview of the various implementations of QDP and their performance in terms of privacy parameters under the DP setting. Specifically, we propose a taxonomy of QDP techniques, categorizing the literature on whether internal or external randomization is used as a source to achieve QDP and how these implementations are applied to each phase of the quantum algorithm. We also discuss challenges and future directions for QDP. By summarizing recent advancements, we hope to provide a comprehensive, up-to-date review for researchers venturing into this field.

Quantum Physics,Cryptography and Security

Jiankai Jin,Eleanor McMurtry,Benjamin I. P. Rubinstein,Olga Ohrimenko

2024-09-11

Abstract:Differential privacy is a de facto privacy framework that has seen adoption in practice via a number of mature software platforms. Implementation of differentially private (DP) mechanisms has to be done carefully to ensure end-to-end security guarantees. In this paper we study two implementation flaws in the noise generation commonly used in DP systems. First we examine the Gaussian mechanism's susceptibility to a floating-point representation attack. The premise of this first vulnerability is similar to the one carried out by Mironov in 2011 against the Laplace mechanism. Our experiments show attack's success against DP algorithms, including deep learning models trained using differentially-private stochastic gradient descent. In the second part of the paper we study discrete counterparts of the Laplace and Gaussian mechanisms that were previously proposed to alleviate the shortcomings of floating-point representation of real numbers. We show that such implementations unfortunately suffer from another side channel: a novel timing attack. An observer that can measure the time to draw (discrete) Laplace or Gaussian noise can predict the noise magnitude, which can then be used to recover sensitive attributes. This attack invalidates differential privacy guarantees of systems implementing such mechanisms. We demonstrate that several commonly used, state-of-the-art implementations of differential privacy are susceptible to these attacks. We report success rates up to 92.56% for floating-point attacks on DP-SGD, and up to 99.65% for end-to-end timing attacks on private sum protected with discrete Laplace. Finally, we evaluate and suggest partial mitigations.

Cryptography and Security

Haoran Geng,Jianqiao Mo,Dayane Reis,Jonathan Takeshita,Taeho Jung,Brandon Reagen,Michael Niemier,Xiaobo Sharon Hu

2023-08-11

Abstract:Privacy has rapidly become a major concern/design consideration. Homomorphic Encryption (HE) and Garbled Circuits (GC) are privacy-preserving techniques that support computations on encrypted data. HE and GC can complement each other, as HE is more efficient for linear operations, while GC is more effective for non-linear operations. Together, they enable complex computing tasks, such as machine learning, to be performed exactly on ciphertexts. However, HE and GC introduce two major bottlenecks: an elevated computational overhead and high data transfer costs. This paper presents PPIMCE, an in-memory computing (IMC) fabric designed to mitigate both computational overhead and data transfer issues. Through the use of multiple IMC cores for high parallelism, and by leveraging in-SRAM IMC for data management, PPIMCE offers a compact, energy-efficient solution for accelerating HE and GC. PPIMCE achieves a 107X speedup against a CPU implementation of GC. Additionally, PPIMCE achieves a 1,500X and 800X speedup compared to CPU and GPU implementations of CKKS-based HE multiplications. For privacy-preserving machine learning inference, PPIMCE attains a 1,000X speedup compared to CPU and a 12X speedup against CraterLake, the state-of-art privacy preserving computation accelerator.

Cryptography and Security,Hardware Architecture

Valentin Hartmann,Vincent Bindschaedler,Alexander Bentkamp,Robert West

DOI: https://doi.org/10.56553/popets-2022-0070

2023-06-20

Abstract:Differential privacy (DP) is a widely used notion for reasoning about privacy when publishing aggregate data. In this paper, we observe that certain DP mechanisms are amenable to a posteriori privacy analysis that exploits the fact that some outputs leak less information about the input database than others. To exploit this phenomenon, we introduce output differential privacy (ODP) and a new composition experiment, and leverage these new constructs to obtain significant privacy budget savings and improved privacy-utility tradeoffs under composition. All of this comes at no cost in terms of privacy; we do not weaken the privacy guarantee. To demonstrate the applicability of our a posteriori privacy analysis techniques, we analyze two well-known mechanisms: the Sparse Vector Technique and the Propose-Test-Release framework. We then show how our techniques can be used to save privacy budget in more general contexts: when a differentially private iterative mechanism terminates before its maximal number of iterations is reached, and when the output of a DP mechanism provides unsatisfactory utility. Examples of the former include iterative optimization algorithms, whereas examples of the latter include training a machine learning model with a large generalization error. Our techniques can be applied beyond the current paper to refine the analysis of existing DP mechanisms or guide the design of future mechanisms.

Cryptography and Security

Bo Jiang,Jian Du,Sagar Sharma,Qiang Yan

2024-07-13

Abstract:Differential Privacy (DP) mechanisms usually {force} reduction in data utility by producing "out-of-bound" noisy results for a tight privacy budget. We introduce the Budget Recycling Differential Privacy (BR-DP) framework, designed to provide soft-bounded noisy outputs for a broad range of existing DP mechanisms. By "soft-bounded," we refer to the mechanism's ability to release most outputs within a predefined error boundary, thereby improving utility and maintaining privacy simultaneously. The core of BR-DP consists of two components: a DP kernel responsible for generating a noisy answer per iteration, and a recycler that probabilistically recycles/regenerates or releases the noisy answer. We delve into the privacy accounting of BR-DP, culminating in the development of a budgeting principle that optimally sub-allocates the available budget between the DP kernel and the recycler. Furthermore, we introduce algorithms for tight BR-DP accounting in composition scenarios, and our findings indicate that BR-DP achieves reduced privacy leakage post-composition compared to DP. Additionally, we explore the concept of privacy amplification via subsampling within the BR-DP framework and propose optimal sampling rates for BR-DP across various queries. We experiment with real data, and the results demonstrate BR-DP's effectiveness in lifting the utility-privacy tradeoff provided by DP mechanisms.

Cryptography and Security,Data Structures and Algorithms,Signal Processing

Jingyan Fu,Zhiheng Liao,Jianqing Liu,Scott C. Smith,Jinhui Wang

DOI: https://doi.org/10.1109/jiot.2020.3023623

IF: 10.6

2021-06-15

IEEE Internet of Things Journal

Abstract:Edge artificial intelligence (AI) achieves real-time local data analysis for IoT systems, enabling low-power and high-speed operation, but comes with privacy-preserving requirements. The memristor-based computing system is a promising solution for edge AI, but it needs a low-cost privacy protection mechanism due to limited resources. In this article, we propose a noise distribution normalization (NDN) method to add Gaussian distributed noise through hardware implementation, thereby achieving differential privacy in edge AI. Instead of using traditional algorithmic noise-insertion methods, we take advantage of inherent cycle-to-cycle variations of memristors during the weight-update process as the noise source, which does not incur extra software or hardware overhead. In one case study, the proposed method realizes ultralow-cost differentially private stochastic gradient descent (DP-SGD) for edge AI in IoT systems, achieving a 3.5%–15.5% average recognition accuracy improvement under different noise levels, as compared with a baseline mechanism.

computer science, information systems,telecommunications,engineering, electrical & electronic

Fan Yao,Guru Venkataramani

DOI: https://doi.org/10.48550/arXiv.1902.03518

2019-02-10

Abstract:DRAM-based main memory and its associated components increasingly account for a significant portion of application performance bottlenecks and power budget demands inside the computing ecosystem. To alleviate the problems of storage density and power constraints associated with DRAM, system architects are investigating alternative non-volatile memory technologies such as Phase Change Memory (PCM) to either replace or be used alongside DRAM memory. While such alternative memory types offer many promises to overcome the DRAM-related issues, they present a significant security threat to the users due to persistence of memory data even after power down. In this paper, we investigate smart mechanisms to obscure the data left in non-volatile memory after power down. In particular, we analyze the effect of using a single encryption algorithm versus differentiated encryption based on the security needs of the application phases. We also explore the effect of encryption on a hybrid main memory that has a DRAM buffer cache plus PCM main memory. Our mechanism takes into account the limited write endurance problem associated with several non-volatile memory technologies including PCM, and avoids any additional writes beyond those originally issued by the applications. We evaluate using Gem5 simulator and SPEC 2006 applications, and show the performance and power overheads of our proposed design.

Cryptography and Security,Hardware Architecture

Jingyan Fu,Zhiheng Liao,Jinhui Wang

DOI: https://doi.org/10.1109/tvlsi.2019.2923722

2019-12-01

IEEE Transactions on Very Large Scale Integration (VLSI) Systems

Abstract:Because of collecting a large amount of personal data, when the artificial neural network (ANN) is used in human-related topics, it has raised great concerns on privacy preservation. A robust solution is to introduce a noise injection mechanism as differential privacy that promises strong theoretical privacy guarantees. However, privacy-preserving ANN with noisy input data has a substantial risk of reducing the recognition accuracy. Therefore, it is urgently needed to have technologies that can make users' data applied to neural networks while strictly protecting sensitive information. In this paper, a linear optimization (LO) method is proposed to address this accuracy degradation by optimizing the performance of memristor in weight updating processes. Instead of complying with the traditional hardware and algorithm, the LO method calculates update parameters along a piecewise line by using different input pulses. The proposed method can mitigate the nonlinear problem of memristor without prereading the precise current conductance each time, thereby avoiding complex peripheral circuits. The effectiveness of the proposed LO method with two-segment, three-segment, and four-segment models is investigated, respectively. The results show that under different nonlinearity and different perturbation noise required by differential privacy theory, the LO method can increase the recognition accuracy of Modified National Institute of Standards and Technology (MNIST) handwriting digits by 39.67% on average, which provides more space and margin for privacy-preserving technology.

engineering, electrical & electronic,computer science, hardware & architecture

Honglu Jiang,Yifeng Gao,S M Sarwar,Luis GarzaPerez,Mahmudul Robin

DOI: https://doi.org/10.48550/arXiv.2112.01704

2021-12-03

Abstract:Differential privacy (DP) has become the de facto standard of privacy preservation due to its strong protection and sound mathematical foundation, which is widely adopted in different applications such as big data analysis, graph data process, machine learning, deep learning, and federated learning. Although DP has become an active and influential area, it is not the best remedy for all privacy problems in different scenarios. Moreover, there are also some misunderstanding, misuse, and great challenges of DP in specific applications. In this paper, we point out a series of limits and open challenges of corresponding research areas. Besides, we offer potentially new insights and avenues on combining differential privacy with other effective dimension reduction techniques and secure multiparty computing to clearly define various privacy models.

Cryptography and Security

Raksha Ramakrishna,Anna Scaglione,Tong Wu,Nikhil Ravi,Sean Peisert

2023-06-09

Abstract:In this paper, we present a notion of differential privacy (DP) for data that comes from different classes. Here, the class-membership is private information that needs to be protected. The proposed method is an output perturbation mechanism that adds noise to the release of query response such that the analyst is unable to infer the underlying class-label. The proposed DP method is capable of not only protecting the privacy of class-based data but also meets quality metrics of accuracy and is computationally efficient and practical. We illustrate the efficacy of the proposed method empirically while outperforming the baseline additive Gaussian noise mechanism. We also examine a real-world application and apply the proposed DP method to the autoregression and moving average (ARMA) forecasting method, protecting the privacy of the underlying data source. Case studies on the real-world advanced metering infrastructure (AMI) measurements of household power consumption validate the excellent performance of the proposed DP method while also satisfying the accuracy of forecasted power consumption measurements.

Signal Processing,Cryptography and Security

Chengyi Yang,Jiayin Qi,Aimin Zhou

2024-01-23

Abstract:Differential privacy (DP) has achieved remarkable results in the field of privacy-preserving machine learning. However, existing DP frameworks do not satisfy all the conditions for becoming metrics, which prevents them from deriving better basic private properties and leads to exaggerated values on privacy budgets. We propose Wasserstein differential privacy (WDP), an alternative DP framework to measure the risk of privacy leakage, which satisfies the properties of symmetry and triangle inequality. We show and prove that WDP has 13 excellent properties, which can be theoretical supports for the better performance of WDP than other DP frameworks. In addition, we derive a general privacy accounting method called Wasserstein accountant, which enables WDP to be applied in stochastic gradient descent (SGD) scenarios containing sub-sampling. Experiments on basic mechanisms, compositions and deep learning show that the privacy budgets obtained by Wasserstein accountant are relatively stable and less influenced by order. Moreover, the overestimation on privacy budgets can be effectively alleviated. The code is available at

Machine Learning,Cryptography and Security