A logical characterization of differential privacy

被引:4
作者
Castiglioni, Valentina [1 ,2 ]
Chatzikokolakis, Konstantinos [3 ,4 ]
Palamidessi, Catuscia [1 ,4 ]
机构
[1] INRIA Saclay, Ile De France, France
[2] Reykjavik Univ, Menntavegur 1, IS-101 Reykjavik, Iceland
[3] CNRS, Paris, France
[4] LIX Ecole Polytech, Palaiseau, France
基金
欧洲研究理事会;
关键词
Differential privacy; Metric semantics; Logical characterization; Nondeterministic probabilistic processes; Labeled Markov chains; FORMAL VERIFICATION; METRICS; BISIMULATION; SEMANTICS; SYSTEMS;
D O I
10.1016/j.scico.2019.102388
中图分类号
TP31 [计算机软件];
学科分类号
081202 ; 0835 ;
摘要
Differential privacy is a formal definition of privacy ensuring that sensitive information relative to individuals cannot be inferred by querying a database. In this paper, we exploit a modeling of this framework via labeled Markov Chains (LMCs) to provide a logical characterization of differential privacy: we consider a probabilistic variant of the Hennessy-Milner logic and we define a syntactic distance on formulae in it measuring their syntactic disparities. Then, we define a trace distance on LMCs in terms of the syntactic distance between the sets of formulae satisfied by them. We prove that such distance corresponds to the level of privacy of the LMCs. Moreover, we use the distance on formulae to define a real-valued semantics for them, from which we obtain a logical characterization of weak anonymity: the level of anonymity is measured in terms of the formulae distinguishing the considered LMCs. Then, we focus on bisimulation semantics on nondeterministic probabilistic processes and we provide a logical characterization of generalized bisimulation metrics, namely those defined via the generalized Kantorovich lifting. Our characterization is based on the notion of mimicking formula of a process and the syntactic distance on formulae, where the former captures the observable behavior of the corresponding process and allows us to characterize bisimilarity. We show that the generalized bisimulation distance on processes is equal to the syntactic distance on their mimicking formulae. Moreover, we use the distance on mimicking formulae to obtain bounds on differential privacy. (C) 2020 Elsevier B.V. All rights reserved.
引用
收藏
页数:29
相关论文
共 59 条
[1]   Characteristic formulae for fixed-point semantics: a general framework [J].
Aceto, Luca ;
Ingolfsdottir, Anna ;
Levy, Paul Blain ;
Sack, Joshua .
MATHEMATICAL STRUCTURES IN COMPUTER SCIENCE, 2012, 22 (02) :125-173
[2]  
[Anonymous], [No title captured]
[3]  
[Anonymous], [No title captured]
[4]  
[Anonymous], 1995, Thesis
[5]   Converging from Branching to Linear Metrics on Markov Chains [J].
Bacci, Giorgio ;
Bacci, Giovanni ;
Larsen, Kim G. ;
Mardare, Radu .
THEORETICAL ASPECTS OF COMPUTING - ICTAC 2015, 2015, 9399 :349-367
[6]  
Baier Christel, 1998, THESIS
[7]   Proving Differential Privacy via Probabilistic Couplings [J].
Barthe, Gilles ;
Gaboardi, Marco ;
Gregoire, Benjamin ;
Hsu, Justin ;
Strub, Pierre-Yves .
PROCEEDINGS OF THE 31ST ANNUAL ACM-IEEE SYMPOSIUM ON LOGIC IN COMPUTER SCIENCE (LICS 2016), 2016, :749-758
[8]   Proving differential privacy in Hoare logic [J].
Barthe, Gilles ;
Gaboardi, Marco ;
Arias, Emilio Jesus Gallego ;
Hsu, Justin ;
Kunz, Cesar ;
Strub, Pierre-Yves .
2014 IEEE 27TH COMPUTER SECURITY FOUNDATIONS SYMPOSIUM (CSF), 2014, :411-424
[9]   REVISITING TRACE AND TESTING EQUIVALENCES FOR NONDETERMINISTIC AND PROBABILISTIC PROCESSES [J].
Bernardo, Marco ;
De Nicola, Rocco ;
Loreti, Michele .
LOGICAL METHODS IN COMPUTER SCIENCE, 2014, 10 (01)
[10]  
Bloom B., 2004, ACM Transactions on Computational Logic, V5, P26, DOI 10.1145/963927.963929