
Geo-indistinguishability: A Principled Approach to Location Privacy - PowerPoint PPT Presentation



  1. Geo-indistinguishability: A Principled Approach to Location Privacy. Kostas Chatzikokolakis, CNRS, INRIA, LIX, École Polytechnique. Joint work with Miguel Andrés, Nicolás Bordenabe, Catuscia Palamidessi, Marco Stronati. PRINCESS QIF Day, Dec 16, 2014

  2. Location-Based Systems A location-based system is a system that uses geographical information in order to provide a service. ‣ Retrieval of Points of Interest (POIs). ‣ Mapping applications. ‣ Deals and discounts applications. ‣ Location-aware social networks.

  3. Location-Based Systems ‣ Location information is sensitive (it can be linked to home, work, religion, political views, etc.). ‣ Ideally: we want to hide our true location. ‣ Reality: we need to disclose some information.

  4. Example ‣ Find restaurants within 300 meters. ‣ Hide location, not identity. ‣ Provide an approximate location.

  5. Obfuscation (Figure, built up over slides 5 to 9: the area of interest around the user's true location; the reported position obtained by obfuscating the true location; and the area of retrieval around the reported position, which is queried so that it still covers the area of interest.)

  10. The Goals ‣ We want an obfuscation mechanism. ‣ A formal privacy definition, independent from prior information. ‣ Easy to compute, independently of the number of locations. ‣ No need for a trusted third party.

  11. Towards a Definition ‣ Secrets are locations. ‣ Attacker's goal: distinguish location x from x'. ‣ The closer two locations are, the more indistinguishable they should be. (Figure, built up over slides 11 to 18: around the true location, nearby points are labelled indistinguishable, farther ones mildly distinguishable, and distant ones distinguishable.)

  19. Geo-Indistinguishability ‣ We can consider the set of possible locations as the set of secrets, and the Euclidean distance as the metric. A location obfuscation mechanism M provides ε-geo-indistinguishability if: $d_{\mathcal{P}}(M(x), M(x')) \le \epsilon\, d(x, x') \quad \forall x, x'$, where $d(x,x')$ is the Euclidean distance between x and x', and $d_{\mathcal{P}}$ is the multiplicative distance between the output distributions $M(x)$ and $M(x')$: the largest absolute log-ratio of the probabilities they assign to any set of reported locations. Two locations at distance r can therefore be told apart by at most a factor $e^{\epsilon r}$, whatever the adversary's prior. [Pierce et al., ICFP 2010] [Chatzikokolakis et al., PETS 2013]

  20. Line of work [PETS’13] privacy under general metrics [CCS’13] application to location privacy, planar Laplace [CCS’14] mechanisms of optimal utility [PETS’14] protecting location traces [ongoing] privacy metrics adapted to the semantics of the map

  21. The Planar Laplace Mechanism A way to achieve geo-indistinguishability is to add noise drawn from a 2-dimensional (planar) Laplace distribution centred on the true location, whose density at distance r decays as $e^{-\epsilon r}$. Computationally efficient. Scales very well. Independent from the set of locations and from the user. Utility may not be optimal.
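As an added example (not code from the slides or the authors), the planar Laplace mechanism in Python: a sampler, the log-density, and a check that the density ratio between two locations never exceeds $e^{\epsilon d(x,x')}$, which is the geo-indistinguishability condition of slide 19 applied to this mechanism. An isotropic Gaussian density is included only as a contrast: it fails the same check, because its log-ratio grows without bound far from the two locations. Coordinates are assumed to be metres in a flat local frame, so ε is in 1/m; the choice ε = ln(2)/100, the probe points and the sample count are this example's own.

```python
import math
import random

# Added example, not from the slides. Coordinates in metres (flat local
# frame assumed), so eps is in 1/metre.

def euclid(p, q):
    return math.hypot(p[0] - q[0], p[1] - q[1])

def planar_laplace_log_pdf(eps, x, z):
    """log of the planar Laplace density centred at x:
    pdf(z) = eps^2 / (2*pi) * exp(-eps * d(x, z))."""
    return 2 * math.log(eps) - math.log(2 * math.pi) - eps * euclid(x, z)

def gaussian_log_pdf(sigma, x, z):
    """log of an isotropic 2-D Gaussian centred at x (contrast only)."""
    return -math.log(2 * math.pi * sigma * sigma) - euclid(x, z) ** 2 / (2 * sigma * sigma)

def planar_laplace_sample(eps, x, rng):
    """Report z = x + noise. In polar coordinates the radius follows a
    Gamma(2, 1/eps) distribution and the angle is uniform on [0, 2*pi)."""
    r = rng.gammavariate(2.0, 1.0 / eps)
    theta = rng.uniform(0.0, 2 * math.pi)
    return (x[0] + r * math.cos(theta), x[1] + r * math.sin(theta))

def worst_violation(log_pdf, eps, x, x2, zs):
    """max over the probe outputs z of
         |log pdf_x(z) - log pdf_x'(z)| - eps * d(x, x').
    eps-geo-indistinguishability requires this to be <= 0 for every z."""
    bound = eps * euclid(x, x2)
    return max(abs(log_pdf(x, z) - log_pdf(x2, z)) - bound for z in zs)

def laplace_violation(eps, x, x2, zs):
    return worst_violation(lambda a, z: planar_laplace_log_pdf(eps, a, z), eps, x, x2, zs)

def gaussian_violation(sigma, eps, x, x2, zs):
    return worst_violation(lambda a, z: gaussian_log_pdf(sigma, a, z), eps, x, x2, zs)

def mean_error(eps, n, seed):
    """Average distance between the true and the reported point over n
    samples; for the planar Laplace the expectation is exactly 2/eps."""
    rng = random.Random(seed)
    x = (0.0, 0.0)
    return sum(euclid(x, planar_laplace_sample(eps, x, rng)) for _ in range(n)) / n

if __name__ == "__main__":
    # eps = ln(2)/100: locations 100 m apart get output distributions that
    # differ by at most a factor of 2 on every set of reported points.
    eps = math.log(2) / 100
    x, x2 = (0.0, 0.0), (30.0, 40.0)                       # 50 m apart
    probes = [(0.0, 0.0), (10.0, 10.0), (-200.0, 50.0), (3000.0, -4000.0)]
    print("planar Laplace, worst violation:", laplace_violation(eps, x, x2, probes))
    print("Gaussian (sigma=200 m), worst violation:", gaussian_violation(200.0, eps, x, x2, probes))
    print("mean error (m):", mean_error(eps, 20000, 1), "expected", 2 / eps)
```

The Laplace check is non-positive for every probe because $|d(x',z) - d(x,z)| \le d(x,x')$ (triangle inequality), so the mechanism is ε-geo-indistinguishable for all of the plane, not just the sampled probes; the Gaussian violation is positive at the far probe. The mean error 2/ε is the utility price of the chosen ε.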

  22. Utility of a mechanism We measure the (inverse of) utility as the "Quality Loss". π: the user's prior over locations. $d_Q$: the quality metric (the cost of reporting z when at x). Utility measure: $\mathrm{QL}(K) = \sum_x \pi(x) \sum_z k_{xz}\, d_Q(x, z)$, the expected distance between the true and the reported location under K (w.r.t. π and $d_Q$). Utility depends on the user!

  23. Goal • Guarantee geo-indistinguishability: a pre-fixed privacy level ε, independent from the user and from the adversary's prior. • Optimize utility: for a given set of locations, depending on the user's prior π.

  24. The $d_{\mathcal{X}}$-optimal mechanism K is $\mathrm{OPT}_{QL}$ w.r.t. ε, π, $d_{\mathcal{X}}$ and $d_Q$ iff: among all mechanisms that provide $d_{\mathcal{X}}$-privacy with level at least ε, K is the one with the best utility (lowest QL).

  25. The $d_{\mathcal{X}}$-optimal mechanism We get K by solving a linear optimization problem. Choose: K (the probabilities $k_{xz}$, non-negative and summing to 1 for each x). To minimize: QL(K). Subject to: $k_{xz} \le e^{\epsilon\, d_{\mathcal{X}}(x, x')}\, k_{x'z} \quad \forall x, x', z$ ($d_{\mathcal{X}}$-privacy). That is $|\mathcal{X}|^3$ constraints, because we need to consider the privacy constraint for every pair x, x' and every output z.
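As an added example (not code from the slides or the authors), the data of this linear program for a constructed three-location set, plus feasibility and utility checks for candidate mechanisms. Solving for the optimum needs an LP solver, which is left out; what the code shows is how many constraints the program has, what a feasible point looks like, and how ε decides whether a candidate is admissible. Z = X, $d_{\mathcal{X}} = d_Q$ = Euclidean, and the locations, prior and candidate mechanisms are this example's own choices.

```python
import math

# Added example, not from the slides. K[x][z] is the probability of
# reporting z when the true location is x. Z = X, d_X = d_Q = Euclidean.

LOCS = [(0, 0), (1, 0), (0, 1)]                       # X (grid units, constructed)
PRIOR = {(0, 0): 0.5, (1, 0): 0.3, (0, 1): 0.2}       # pi, the user's prior (constructed)

def d(p, q):
    return math.hypot(p[0] - q[0], p[1] - q[1])

def privacy_constraints(eps, locs, outs):
    """One constraint per (x, x', z):  k[x][z] <= exp(eps*d_X(x,x')) * k[x'][z].
    Returned as (x, x', z, factor). There are |X|^2 * |Z| of them, i.e. |X|^3
    when Z = X (the x = x' ones are trivially satisfied but are counted too)."""
    return [(x, x2, z, math.exp(eps * d(x, x2)))
            for x in locs for x2 in locs for z in outs]

def is_stochastic(K, locs, outs):
    """Row constraints of the LP: probabilities are non-negative and sum to 1."""
    return all(abs(sum(K[x][z] for z in outs) - 1.0) < 1e-9 and
               min(K[x][z] for z in outs) >= 0.0 for x in locs)

def is_feasible(K, eps, locs, outs):
    """True iff K is a valid channel satisfying every privacy constraint."""
    return is_stochastic(K, locs, outs) and all(
        K[x][z] <= f * K[x2][z] + 1e-12
        for x, x2, z, f in privacy_constraints(eps, locs, outs))

def quality_loss(K, prior, outs):
    """QL(K) = sum_x pi(x) sum_z k[x][z] d_Q(x, z)  (the LP objective)."""
    return sum(prior[x] * sum(K[x][z] * d(x, z) for z in outs) for x in prior)

def identity_mechanism(locs):
    """Report the true location: best utility, no privacy at any eps."""
    return {x: {z: 1.0 if z == x else 0.0 for z in locs} for x in locs}

def uniform_mechanism(locs):
    """Report a uniformly random location: feasible for every eps, worst utility."""
    return {x: {z: 1.0 / len(locs) for z in locs} for x in locs}

def stay_mechanism(locs, p):
    """Report the true location with probability p, otherwise one of the
    other locations uniformly. Feasible only once eps is large enough for
    p <= exp(eps * d(x,x')) * (1-p)/(|X|-1) to hold on the closest pair."""
    q = (1.0 - p) / (len(locs) - 1)
    return {x: {z: p if z == x else q for z in locs} for x in locs}

if __name__ == "__main__":
    for eps in (0.5, 1.0):
        print(f"eps={eps}: {len(privacy_constraints(eps, LOCS, LOCS))} privacy constraints")
        for name, K in (("identity", identity_mechanism(LOCS)),
                        ("uniform", uniform_mechanism(LOCS)),
                        ("stay 1/2", stay_mechanism(LOCS, 0.5))):
            print(f"  {name:9s} feasible={is_feasible(K, eps, LOCS, LOCS)!s:5s} "
                  f"QL={quality_loss(K, PRIOR, LOCS):.4f}")
```

With three locations there are 27 constraints; the identity mechanism has QL = 0 but violates every constraint with $k_{x'z} = 0$, the uniform mechanism is always feasible but has the worst QL, and the "stay with probability 1/2" mechanism is feasible at ε = 1 (where $e^{\epsilon} \cdot 0.25 \ge 0.5$) and infeasible at ε = 0.5. The optimum sits between these, and the slide's point is that finding it costs $|\mathcal{X}|^3$ constraints.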

  26. Spanners (Figure: spanner graphs on the same point set for dilation δ = 10, δ = 3, δ = 1.5 and δ = 1.25; images from "Geometric Spanner Networks", by G. Narasimhan and M. Smid.) A δ-spanner is a sparse graph whose shortest-path distance is at most δ times the true distance. Imposing the privacy constraints only on its edges, instead of on every pair x, x', cuts the size of the linear program; chaining the edge constraints along a spanner path shows the mechanism is then δε-geo-indistinguishable, so the saving is paid for with the factor δ.

  27. Protecting location traces ◮ Secrets are now tuples $\mathbf{x} = (x_1, \dots, x_n)$ ◮ Distance between tuples: $d_\infty(\mathbf{x}, \mathbf{x}') = \max_i d(x_i, x'_i)$ ◮ Use $\epsilon\, d_\infty$-privacy

  28. Independent Mechanism Apply noise with parameter $\epsilon_N$ to each point independently: $n\,\epsilon_N\, d_\infty$-private. ◮ works on any trace (including random teleporting) ◮ budget is linear in n

  29. Predictive Mechanism (slides 29 to 32) Prediction function ◮ based on public info (the points already reported are public) ◮ obtain a predicted point $\tilde z_i$. Is $\tilde z_i$ close to $x_i$? ◮ yes: report $\tilde z_i$ ◮ no: add new noise to $x_i$

  33. Testing the prediction (slides 33 to 36) A deterministic test breaks privacy: whether the prediction is accepted would then be a deterministic function of the secret $x_i$, so the decision itself leaks it. D-private test: use a noisy border for the test. Budget used at each step: $\epsilon_\theta$ (successful prediction) or $\epsilon_\theta + \epsilon_N$ (new noise).
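As an added example (not code from the slides or the authors), the independent and predictive mechanisms run over a constructed 12-point trace with the budget accounting of slide 36: every test costs $\epsilon_\theta$, every fresh noise draw costs $\epsilon_N$, and the sum is the ε of the trace's $\epsilon\, d_\infty$ guarantee. The prediction function (repeat the last reported point, which is public because it was already released) and the noisy test (the distance to the prediction plus one-dimensional Laplace noise of parameter $\epsilon_\theta$, compared with a threshold) are this example's own choices; the slides only say "based on public info" and "noisy border". The trace, the parameters and the seed are constructed; a planar Laplace sampler is inlined.

```python
import math
import random

# Added example, not from the slides. Distances in metres; eps in 1/metre.

TRACE = [(0, 0), (2, 1), (3, 3), (1, 2), (4, 0), (2, 3), (0, 1), (3, 1),
         (2000, 0), (2003, 2), (2001, 1), (2004, 3)]   # constructed: 8 steps in
EPS_N, EPS_THETA, THRESHOLD = 0.02, 0.004, 500.0       # place, then a 2 km jump

def euclid(p, q):
    return math.hypot(p[0] - q[0], p[1] - q[1])

def planar_laplace(eps, x, rng):
    """Fresh noise: radius Gamma(2, 1/eps), uniform angle."""
    r = rng.gammavariate(2.0, 1.0 / eps)
    th = rng.uniform(0.0, 2 * math.pi)
    return (x[0] + r * math.cos(th), x[1] + r * math.sin(th))

def laplace_1d(eps, rng):
    """Symmetric Laplace noise of scale 1/eps (difference of two exponentials)."""
    return rng.expovariate(eps) - rng.expovariate(eps)

def independent_mechanism(trace, eps_n, seed):
    """Noise on every point: budget eps_n per point, n*eps_n in total."""
    rng = random.Random(seed)
    reported = [planar_laplace(eps_n, x, rng) for x in trace]
    return reported, eps_n * len(trace)

def predictive_mechanism(trace, eps_n, eps_theta, threshold, seed):
    """Returns (reported points, total budget, number of accepted predictions).
    Prediction (assumed here): the last reported point, which is public.
    Test (assumed here): d(x_i, prediction) + Lap(1/eps_theta) <= threshold,
    i.e. a noisy border rather than a deterministic comparison."""
    rng = random.Random(seed)
    reported, budget, hits = [], 0.0, 0
    for x in trace:
        if reported:                                  # first point: nothing to predict
            predicted = reported[-1]
            noisy_distance = euclid(x, predicted) + laplace_1d(eps_theta, rng)
            budget += eps_theta                       # the test is paid for either way
            if noisy_distance <= threshold:
                reported.append(predicted)            # reuse the public point
                hits += 1
                continue
        reported.append(planar_laplace(eps_n, x, rng))
        budget += eps_n                               # fresh noise
    return reported, budget, hits

def utility(trace, reported):
    """Mean distance between true and reported points."""
    return sum(euclid(x, z) for x, z in zip(trace, reported)) / len(trace)

if __name__ == "__main__":
    rep_i, b_i = independent_mechanism(TRACE, EPS_N, 1)
    rep_p, b_p, hits = predictive_mechanism(TRACE, EPS_N, EPS_THETA, THRESHOLD, 1)
    print(f"independent: budget {b_i:.3f}, mean error {utility(TRACE, rep_i):.0f} m")
    print(f"predictive:  budget {b_p:.3f}, mean error {utility(TRACE, rep_p):.0f} m, "
          f"{hits} of 11 predictions accepted")
```

On this trace the prediction holds while the user stays put and is rejected at the jump, so the predictive mechanism pays $\epsilon_N$ only for the first point, the jump, and any test the noisy border happens to fail, plus $11\,\epsilon_\theta$ for the tests; with $\epsilon_\theta \ll \epsilon_N$ that is well under the independent mechanism's $12\,\epsilon_N$. On a teleporting trace every test would fail and the predictive mechanism would cost more than the independent one, which is why the slide keeps both.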

  37. (In)Distinguishability Metric What is it that you want to be similar to? (And how much?)

  38. Euclidean Metric ◮ space provides privacy ◮ scaled by ε but... ◮ space is not equally valuable everywhere ◮ POI/population/... also provide privacy ◮ we can achieve better privacy/utility by adapting the noise to the map

  40. Building a custom metric ◮ divide the space into cells (e.g. a grid of 100m × 100m) ◮ privacy weight of each cell ◮ from POI/population/... (e.g. by querying OSM) ◮ from the cell's area ◮ build a metric d satisfying the requirement, for a given function f: $\mathrm{weight}(B^d_r(x)) \ge f(r) \quad \forall x, r$, where $B^d_r(x)$ is the ball of radius r around x under d ◮ Exponential Mechanism constructed from any metric d
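As an added example (not code from the slides or the authors), a privacy-weighted grid, a check of the ball-weight requirement $\mathrm{weight}(B^d_r(x)) \ge f(r)$ for two metrics, and the exponential mechanism built from a metric together with a check that it is $\epsilon\, d$-private. The weights (a dense "city" band and a sparse "countryside" band), the requirement $f(r) = 20r$, and the metric construction (shortest paths on the grid where each cell's step cost shrinks with its weight, so that sparse areas are contracted) are this example's own illustrative choices, not the authors' construction; the slide only states the requirement the metric must satisfy.

```python
import math
import heapq

# Added example, not from the slides. Cells are 100 m x 100 m; distances
# are in cell units. Weights, f and the metric construction are assumptions.

ROWS, COLS = 6, 6
CELLS = [(r, c) for r in range(ROWS) for c in range(COLS)]
WEIGHT = {cell: 8.0 if cell[0] <= 2 else 1.0 for cell in CELLS}   # city rows 0-2, countryside rows 3-5
W_REF = 8.0

def requirement(r):
    """f(r): the privacy weight a ball of radius r must contain (assumed linear)."""
    return 20.0 * r

def euclid_metric():
    return {a: {b: math.hypot(a[0] - b[0], a[1] - b[1]) for b in CELLS} for a in CELLS}

def weighted_metric():
    """Shortest-path metric on the 4-neighbour grid. A move between adjacent
    cells costs half of each cell's scale, scale = min(1, weight/W_REF), so
    low-weight cells are contracted: their surroundings are closer under d
    (more indistinguishable) and a radius-r ball gathers more weight."""
    scale = {cell: min(1.0, WEIGHT[cell] / W_REF) for cell in CELLS}

    def neighbours(cell):
        r, c = cell
        for nr, nc in ((r - 1, c), (r + 1, c), (r, c - 1), (r, c + 1)):
            if 0 <= nr < ROWS and 0 <= nc < COLS:
                yield (nr, nc)

    dist = {}
    for src in CELLS:                                   # Dijkstra from every cell
        best, heap = {src: 0.0}, [(0.0, src)]
        while heap:
            dcur, cur = heapq.heappop(heap)
            if dcur > best[cur]:
                continue
            for nb in neighbours(cur):
                nd = dcur + 0.5 * (scale[cur] + scale[nb])
                if nd < best.get(nb, math.inf):
                    best[nb] = nd
                    heapq.heappush(heap, (nd, nb))
        dist[src] = best
    return dist

def ball_weight(metric, x, r):
    """weight(B_r^d(x)): total privacy weight of the cells within d-distance r of x."""
    return sum(WEIGHT[z] for z in CELLS if metric[x][z] <= r)

def failing_cells(metric, r):
    """Cells whose radius-r ball under `metric` holds less weight than f(r)."""
    return [x for x in CELLS if ball_weight(metric, x, r) < requirement(r)]

def exponential_mechanism(eps, metric):
    """k[x][z] proportional to exp(-eps * d(x, z) / 2): eps*d-private for any metric d,
    since both the numerator and the normaliser change by at most exp(eps*d(x,x')/2)."""
    K = {}
    for x in CELLS:
        w = {z: math.exp(-eps * metric[x][z] / 2) for z in CELLS}
        tot = sum(w.values())
        K[x] = {z: w[z] / tot for z in CELLS}
    return K

def max_privacy_violation(K, eps, metric):
    """max over x, x', z of log(k[x][z]/k[x'][z]) - eps*d(x,x'); <= 0 means eps*d-private."""
    return max(math.log(K[x][z] / K[x2][z]) - eps * metric[x][x2]
               for x in CELLS for x2 in CELLS for z in CELLS)

if __name__ == "__main__":
    E, W = euclid_metric(), weighted_metric()
    print("ball weight at countryside cell (4,2), r=1: euclid", ball_weight(E, (4, 2), 1.0),
          "weighted", ball_weight(W, (4, 2), 1.0))
    print("cells failing f(1)=20: euclid", len(failing_cells(E, 1.0)), "weighted", len(failing_cells(W, 1.0)))
    print("exp. mechanism on weighted metric, worst violation:",
          max_privacy_violation(exponential_mechanism(1.0, W), 1.0, W))
```

Under the Euclidean metric every countryside cell fails the requirement at r = 1 (a ball there holds at most a dozen units of weight against the 20 required) while every city cell passes; under the contracted metric all 36 cells pass, because a radius-1 ball around a countryside cell now reaches the whole sparse band and the nearest city cells. The exponential mechanism then turns the custom metric into a channel that is $\epsilon\, d$-private by construction, which is what the last bullet of the slide relies on.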

  42. Privacy weights

  43. Obtained Mechanism

  44. Location Guard for Chrome and Firefox https://github.com/chatziko/location-guard 4700+ daily users

  45. Future work Privacy guarantees under (un)correlation conditions between the points in the trace. Questions?
