RELATED WORK 1.1 Our Contributions PROBLEM FORMULATIONS

Transcription

1 Privay-Enhaning k-anonymization of Customer Data Sheng Zhong 1,2 Zhiqiang Yang 1 Rebea N. Wright 1 1 Computer Siene Department, Stevens Institute of Tehnology, Hoboken, NJ 07030, USA 2 DIMACS Center, Rutgers University, Pisataway, NJ 08854, USA {sz38 zyang rwright}@s.stevens.edu ABSTRACT In order to protet individuals privay, the tehnique of k- anonymization has been proposed to de-assoiate sensitive attributes from the orresponding identifiers. In this paper, we provide privay-enhaning methods for reating k-anonymous tables in a distributed senario. Speifially, we onsider a setting in whih there is a set of ustomers, eah of whom has a row of a table, and a miner, who wants to mine the entire table. Our obetive is to design protools that allow the miner to obtain a k-anonymous table representing the ustomer data, in suh a way that does not reveal any extra information that an be used to link sensitive attributes to orresponding identifiers, and without requiring a entral authority who has aess to all the original data. We give two different formulations of this problem, with provably private solutions. Our solutions enhane the privay of k-anonymization in the distributed senario by maintaining end-to-end privay from the original ustomer data to the final k-anonymous results. 1. INTRODUCTION In today s information soiety, given the unpreedented ease of finding and aessing information, protetion of privay has beome a very important onern. In partiular, large databases that inlude sensitive information (e.g., health information) have often been available to publi aess, frequently with identifiers stripped off in an attempt to protet privay. However, if suh information an be assoiated with the orresponding people s identifiers, perhaps using other publily available databases, then privay an be seriously violated. For example, Sweeney [32] pointed out that one an find out who has what disease using a publi database and voter lists. To solve suh problems, Samarati and Sweeney [27] have proposed a tehnique alled k- anonymization. In this paper, we study how to enhane privay in arrying out the proess of k-anonymization. This work was supported by the National Siene Foundation under grant number CCR Permission to make digital or hard opies of all or part of this work for personal or lassroom use is granted without fee provided that opies are not made or distributed for profit or ommerial advantage, and that opies bear this notie and the full itation on the first page. To opy otherwise, to republish, to post on servers or to redistribute to lists, requires prior speifi permission and/or a fee. PODS 2005 June 13-15, 2005, Baltimore, Maryland. Copyright 2005 ACM /05/06... $5.00. Consider a table that provides health information of patients for medial studies, as shown in Table 1. Eah row of the table onsists of a patient s date of birth, zip ode, allergy, and history of illness. Although the identifier of eah patient does not expliitly appear in this table, a dediated adversary may be able to derive the identifiers of some patients using the ombinations of date of birth and zip ode. For example, he may be able to find that his roommate is the patient of the first row, who has allergy to peniillin and a history of pharyngitis. Date of Zip Allergy History of Birth Code Illness Peniillin Pharyngitis No Allergy Stroke No Allergy Polio Sulfur Diphtheria No Allergy Colitis Table 1: A Table of Health Data In this example, the set of attributes {date of birth, zip ode} is alled a quasi-identifier [12, 32], beause these attributes in ombination an be used to identify an individual with a signifiant probability. In this paper, we say an attribute is a quasi-identifier attribute if it is in the quasi-identifier. The attributes like allergy and history of illness are alled sensitive attributes. (There may be other attributes in a table besides the quasi-identifier attributes and the sensitive attributes; we ignore them in this paper sine they are not relevant to our investigation.) The privay threat we onsider here is that an adversary may be able to link the sensitive attributes of some rows to the orresponding identifiers using the information provided in the quasi-identifiers. A proposed strategy to solve this problem is to make the table k-anonymous [27]. Date of Zip Allergy History of Birth Code Illness Peniillin Pharyngitis No Allergy Stroke No Allergy Polio Sulfur Diphtheria No Allergy Colitis Table 2: 2-Anonymized Table of Health Data In a k-anonymous table, eah value of the quasi-identifier appears at least k times. Therefore, if the adversary only uses

2 the quasi-identifiers to link sensitive attributes to the identifiers, then eah involved entity (patient in our example) is hidden in at least k peers. The proedure of making a table k-anonymous is alld k-anonymization. It an be ahieved by suppression (i.e., replaing some entries with ) or generalization (e.g., replaing some or all ourrenes of and with 0702 ). Table 2 shows the result of 2- anonymization on Table 1. Several algorithmi methods have been proposed desribing how a entral authority an k-anonymize a table before it is released to the publi (e.g. [30, 27, 26, 32, 31, 24, 8]). In this paper, we onsider a related but different senario: distributed ustomers holding their own data interat with a miner and use k-anonymization in this proess to protet their own privay. For example, imagine the above mentioned health data are olleted from ustomers by a medial researher. The ustomers will feel more omfortable if the medial researher does not need to be trusted and only sees a k-anonymized version of their data. To ahieve this, we show methods by whih k-anonymization an be ointly performed by the involved parties in a private manner suh that no single partiipant, inluding the miner, learns extra information that ould be used to link sensitive attributes to orresponding identifiers. 1.1 Our Contributions We give privay-enhaning methods for reating k-anonymous tables in a distributed senario. Our methods do not require a entral authority who has aess to all the original data, nor do they require ustomers to share their data with eah other. Speifially, we onsider a setting in whih there is a set of ustomers, eah of whom has a row of a table, and a miner, who wants to mine the entire table. Our obetive is to design protools that allow the miner to obtain a k-anonymous table representing the ustomer data in suh a way that does not reveal any extra information that an be used to link sensitive attributes to orresponding identifiers. We give two different formulations of this problem: In the first formulation, given a table, the protool needs to extrat the k-anonymous part (i.e., the maximum subset of rows that is already k-anonymous) from it. The privay requirement is that the sensitive attributes outside the k-anonymous part should be hidden from any individual partiipant inluding the miner. This formulation is suitable if the original table is already lose to k-anonymous. In the seond formulation, given a table, the protool needs to suppress some entries of the quasi-identifier attributes, so that the entire table is k-anonymized. The privay requirement is that the suppressed entries should be hidden from any individual partiipant. This formulation is suitable even if the original table is not lose to k-anonymous. We present effiient solutions to both problem formulations. Our solutions use ryptography to obtain provable guarantees of their privay properties, relative to standard ryptographi assumptions. Our solution to the first problem formulation does not reveal any information about the sensitive attributes outside the k-anonymous part. Our solution to the seond problem formulation is not fully private, in that it reveals the k-anonymous result as well as the distanes between eah pair of rows in the original table. We prove that it does not reveal any additional information. Our protools enhane the privay of k-anonymization by maintaining endto-end privay from the original ustomer data to the final k-anonymous results. We briefly overview related work in Setion 2. In Setion 3, we formalize our two problem formulations. Our solutions are presented in Setions 4 and 5, respetively. We onlude in Setion RELATED WORK As a strategy to prevent identity dislosure in mirodata release, k-anonymization was first proposed and analyzed by Samarati and Sweeney [30, 27, 26, 32, 31]. Meyerson and Williams [24] formally studied how to minimize the number of suppressed entries in k-anonymization and showed that it is NP-hard; they then gave approximation algorithms for this problem. Aggarwal et al. [4] showed that the problem is NP-hard even if the attributes are ternary-valued; they also gave algorithms with improved approximation ratios. Bayardo and Agrawal [8] studied optimal k-anonymization with more ost metris and proposed a pratial solution. The researh area of statistial databases has studied how to protet individual privay while supporting information sharing. There is a rih literature on privay in statistial databases; interested readers an refer to surveys [2, 29]. Proposed methods an be ategorized into query restrition (e.g., [22, 11]) and data perturbation (e.g., [25, 33, 9, 1]). In partiular, the tradeoff between privay and utility in statistial databases was investigated by Dinur and Nissim [14]. Another related area is privay-preserving data mining, whih also onsiders protetion of sensitive data while maintaining data utility. Representative work in this area inludes, among others, [6, 5, 17, 16, 21, 23, 34, 35, 20]. In addition, Aggarwal and Yu propose an approah alled ondensation [3] to produe publishable data that protets privay yet provides utility for data mining appliations. Their approah ondenses data in groups, where the minimum size of a group is predetermined. The reords in a group are all randomized suh that only a few statisti properties of these reords are kept. Privay is studied extensively in various aspets of ryptography. General results on ryptographi protools are summarized in [19]. However, as mentioned in [19], the onstrutions presented in the proofs of these results annot be diretly applied in general, partiularly for large amounts of input data (in our ase, a large number of ustomers), beause they are prohibitively expensive. 3. PROBLEM FORMULATIONS Consider a table with m quasi-identifier attributes, (s 1,..., s m ), and n sensitive attributes, (a 1,..., a n ). Without loss of generality, we assume that there are no other attributes exept these m+n. Suppose that there are N +1 involved parties: N ustomers and one miner, and that all these parties are polynomial-time bounded. For onveniene, the miner assigns indies 1 through N to the ustomers; in the sequel, by ustomer i we mean the ustomer with index i. Note that the indies are not identifiers beause they are arbitrar-

3 ily assigned by the miner, who does not know the identifiers of the ustomers. Eah ustomer i has a row of the table, whih is denoted by R i = (s (i) 1,..., s(i) m, a (i) 1,..., a(i) n ). We assume there are private unidentified hannels between eah ustomer and the miner. That is, the hannels are untappable and the miner has no information about whih ustomer is using whih hannel, but eah hannel is used by exatly one ustomer. (These properties an be provided using standard ryptographi tehniques.) We rigorously define our privay requirement by adapting the standard definition of privay [19] for ryptographi protools in the semi-honest model to our setting. In the semihonest model, eah party is assumed to follow the protool but parties may attempt to derive extra information to violate privay of other parties. This model has been extensively studied in ryptography (f. [19]) and widely applied to privay problems with large-size data (e.g., [23, 20]). Although the semi-honest model plaes a strong restrition on partiipants behavior, there are at least two reasons for studying our problem in this model. First, deviating from the protool requires a onsiderable amount of effort (to hak the omputer program). In an appliation like olleting health data from ustomers, it may be reasonable to assume that the partiipants are not willing or able to invest that amount of effort on violating others privay. Seond, it has been shown that any protool private in the semi-honest model an be translated to one seure in the fully maliious model in whih parties may deviate arbitrarily from their speified protools [19], though at a substantial inrease in the ost of the solution. If we modify this translated protool to improve effiieny, we may be able to obtain a pratial solution in the maliious model as well. In defining our privay requirement, we assume that before the protool starts, there exists a global private key for a publi key ryptosystem 1, whih is shared among the ustomers in the sense of seret sharing [28]. Eah ustomer is preloaded with up to a onstant number of shares. Together, the shares form the global private key: Eah share is only known to its owner; no ustomer knows the atual global key. (Suh a situation an be established without a entral authority by a distributed key generation protool suh as [18].) Our overall obetive is to enable the miner to obtain a k- anonymized table in a private manner (so that he an mine the table). As mentioned in Setion 1, this an be ahieved in two ways, desribed in detail in Setions 3.1 and 3.2: either we enable the miner to extrat the k-anonymous part of the table, or we enable him to obtain a k-anonymized table in whih some entries of the quasi-identifier attributes are suppressed. 3.1 Formulation 1: Private Extration of k- Anonymous Part In the first problem formulation, the miner extrats the k- anonymous part of the table (i.e., the maximum subset of rows that is k-anonymous), but does not learn extra information about the sensitive attributes of the rows outside the 1 Throughout this paper, by key we mean a ryptographi key. To avoid onfusion, we do not use the term key in the sense of a database key attribute. k-anonymous part. Consequently, the miner annot link the sensitive attributes of any row to the orresponding identifiers. Intuitively, our privay requirement states that, for eah party (miner or ustomer), the view of the protool seen by that party an be simulated by an algorithm that has no knowledge of the sensitive attributes outside the k-anonymous part. This aptures the requirement that any individual party annot learn any extra information about these sensitive attributes by virtue of engaging in the protool. To formalize this requirement, we must first define the view of eah party: during an exeution of the protool, a party s view onsists of this party s data and preloaded key shares (if any), all the oin flips of this party, and all the messages this party reeives. We denote by view miner (T ) (view i (T ), resp.) the view of the miner (ustomer i, resp.) during an exeution with the table T def = {R i : i [1, N]} = {(s (i) 1,..., s(i) m, a (i) 1,..., a(i) n ) : i [1, N]}. In the sequel, we denote by K(T ) the k-anonymous part of the table T. The notation denotes omputational indistinguishability of probability ensembles. Readers an refer to, e.g., [19], for the definitions of probability ensembles and omputational indistinguishability. Definition 1. A protool for extrating K(T ) is ideally private if there exist N + 1 probabilisti polynomial-time algorithms M, M 1,..., M N suh that {M(keys miner, K(T ), {(s (i) 1,..., s(i) m ) : i [1, N]})} T {view miner (T )} T, and that, for any i [1, N], {M i (keys i, R i, K(T ), {(s (i) 1,..., s(i) m ) : i [1, N]})} T {view i(t )} T, where keys miner (keys i, resp.) denotes the miner s (ustomer i s, resp.) preloaded key shares (if any). The algorithms M and M i for i [1, N] are alled simulators (for the miner and ustomer i, respetively). 3.2 Formulation 2: k-anonymization by Privately Suppressing Entries One method for k-anonymizing a table is to suppress entries ideally suppressing as few as possible [24, 4]. Our seond problem formulation supports suppression in our distributed setting. Let Anonymized(T ) denote the output (whih is a k-anonymized table) of a protool that k-anonymizes the table T by suppressing entries. We have an analogous privay requirement in this ase as in Formulation 1, exept that the privay is relative to Anonymized(T ) instead of K(T ) and the quasi-identifier: Definition 2. A protool for k-anonymization by suppressing entries is ideally private if there exist N + 1 probabilisti polynomial-time algorithms (alled simulators) M, M 1,..., M N suh that {M(keys miner, Anonymized(T ))} T {viewminer (T )} T,

4 and that, for any i [1, N], {M i (keys i, R i, Anonymized(T ))} T {viewi (T )} T, where keys miner (keys i, resp.) denotes the miner s (ustomer i s, resp.) preloaded key shares (if any). In our solution for Formulation 2, we are unable to satisfy the ideal privay of Definition 2. (General ryptographi solutions exist that ould provide ideal privay, but at muh greater omputation and ommuniation osts.) Instead, we ahieve a relaxed, but well-defined, notion of privay in whih a speified (and presumably small) amount of information is revealed. Formally: Definition 3. Let F(T ) be a funtion of the table T. A protool for k-anonymization by suppressing entries leaks only F(T ) if there exist probabilisti polynomial-time algorithms (alled simulators) M and M 1,..., M N suh that {M(keys miner, Anonymized(T ), F(T ))} T {viewminer (T )} T, and that, for any i [1, N], {M i(keys i, R i, Anonymized(T ), F(T ))} T {viewi(t )} T, where keys miner (keys i, resp.) denotes the miner s (ustomer i s, resp.) preloaded key shares (if any). 4. OUR SOLUTION FOR FORMULATION 1 In this setion, we solve the first formulation of the problem. That is, we design a protool that privately extrats the k- anonymous part of a table. The basi idea of our design is that eah ustomer enrypts her sensitive attributes using an enryption key that an be derived if and only if there are at least k rows whose quasi-identifiers are equal. Speifially, the key to enrypt the sensitive attributes (a (i) 1,..., a(i) n ) is a funtion of the orresponding quasi-identifier (s (i) 1,..., s(i) m ) and it is shared among the ustomers with threshold k in the sense of seret sharing (see below for explanation of seret sharing). Eah ustomer submits to the miner one share of the key(s) orresponding to her quasi-identifier. As a result, if and only if there are at least k ustomers whose quasiidentifiers are equal, the miner is able to reover the appropriate deryption key. The remaining tehnial question is how eah ustomer selets the key. On the one hand, we do not want every ustomer with the same quasi-identifier to selet the same key in fat, we do not even want them to know eah other s keys beause then a ustomer would be able to derypt the sensitive attributes of some other ustomers, whih is undesirable. On the other hand, we must ensure that the key share provided by a ustomer an be used in the reovery of the key of every ustomer having the same quasi-identifier. We resolve this dilemma by assuming a (2N, k)-shamir seret sharing [28] of a seed key x, where eah ustomer i has two shares x 2i 1 and x 2i of the seed key. (Note the meaning of the two parameters of Shamir seret sharing: 2N is the overall number of shares and k is the threshold number of shares needed to reover x.) Speifially, there exists a degree-(k 1) polynomial P() suh that P(0) = x. The shares owned by ustomer i are x 2i 1 = P(2i 1) and x 2i = P(2i). A very useful property of Shamir seret sharing is that with k or more shares one an easily derive all other shares using Lagrange interpolation, while with fewer than k shares one has no information about any other shares at all. The key that we use to enrypt the sensitive attributes (a (i) 1,..., a (i) n ) is H(s (i) 1,..., s(i) m ) x 2i 1, where H is a ryptographi hash funtion. Clearly, this key an be derived if and only if for k or more values of, H(s (i) 1,..., s(i) m ) x is available. The key share submitted by ustomer i is H(s (i) 1,..., s(i) m ) x 2i. Consequently, this submitted key share an atually be used in the reovery of any keys used to enrypt the sensitive attributes where the quasi-identifiers are equal to (s (i) 1,..., s(i) m ). These key an be reovered suessfully if and only if there are at least k ustomers with quasi-identifier equal to (s (i) 1,..., s (i) m ). Furthermore, even the ustomers having the same quasi-identifier annot figure out eah other s key beause they do not know other ustomers shares of the seed key. 4.1 The Protool Let S be a seurity parameter, let p, q be two S-bit primes suh that p = 2q + 1, let G q be the quadrati residue subgroup of Z p (the multipliative group mod p), and let H be a ryptographi hash funtion with range G q. Before the protool starts, we assume that a seed key x [0, q 1] is shared among ustomers using (2N, k)-shamir seret sharing and that eah ustomer i has two shares, x 2i 1 and x 2i. Speifially, there exists a degree-(k 1) polynomial P() suh that x = P(0) and i [1, 2N], x i = P(i). Data Submission. Customer i enrypts (a (i) 1,..., a(i) n ) using y 2i 1 = H(s (i) 1,..., s(i) m ) x 2i 1 as a symmetri key. Then she sends the miner the iphertext together with (s (i) 1,..., s(i) m ) and y 2i = H(s (i) 1,..., s(i) m ) x 2i. Data Proessing. When the miner has olleted all ustomers messages, he ounts the number of rows (ustomers) for eah different value of (s 1,..., s m). If for a value of (s 1,..., s m) there are k or more rows, then he derypts the sensitive attributes of these rows as follows: let I be a subset of k suh rows; the miner omputes ustomer s symmetri key using y 2 1 = l i,l I y (2 1 2l)/(2i 2l) 2i. i I Then the miner derypts the sensitive attributes of these rows using the omputed keys. 4.2 Privay Analysis We show our privay guarantee under a standard ryptographi assumption, the Deisional Diffie-Hellman (DDH) assumption. (See [10] for a survey of DDH.) Theorem 4. Under the DDH assumption and in the random orale model 2, the protool for extrating K(T ) is ideally private. 2 The random orale model is a methodology frequently used in proofs of seurity for systems using hash funtions. Effetively it makes the assumption that the use of the hash funtion does not introdue any inseurity.

5 Proof. We only need to onstrut a simulator M for the miner, beause the ustomers do not reeive any messages from the miner (and therefore the simulator that simply outputs the party s data, preloaded key shares if any, and oin flips (and no messages) is a valid simulator). M piks x [0, q 1] uniformly at random and omputes 2N Shamir shares of x : x 1,..., x 2N. If ustomer i s row is in K(T ), then M omputes y 2i 1 = H(s (i) 1,..., s(i) m ) x 2i 1, y 2i = H(s (i) 1,..., s(i) m ) x 2i, and enrypts (a (i) 1,..., a(i) n ) using symmetri key y 2i 1. M simulates ustomer i s message with the above symmetri enryptions, (s (i) 1,..., s(i) m ), and y 2i. If ustomer i s row is not in K(T ), then M still omputes y 2i = H(s (i) 1,..., s(i) m ) x 2i. M simulates ustomer i s message with a random iphertext in the symmetri enryption sheme, (s (i) 1,..., s(i) m ), and y 2i. The proof of omputational indistinguishability is notationally too ompliated to be inluded in this paper. However, we prove a simplified version of the indistinguishability result as Lemma 5. It is oneptually trivial (though notationally hallenging) to extend Lemma 5 to the indistinguishability needed here. Below is a simplified version of the indistinguishability result needed in the proof of Theorem 4. Lemma 5. Under the DDH assumption, {g 1, g 2, g 3, g e 1 2, g αe 1+βe 2 3 } q {g 1, g 2, g 3, g e 1 2, g e 3 3 } q, where g 1, g 2, g 3 are piked uniformly and independently from G q, and e 1, e 2, e 3 are piked uniformly and independently from [0, q 1]. Proof. Suppose by way of ontradition that the above indistinguishability result does not hold. Then there exist a probabilisti polynomial-time algorithm D and a polynomial f() suh that, for infinitely many q, Pr[D(g 1, g 2, g 3, g e 1 2, g αe 1+βe 2 3, q) = 1] Pr[D(g 1, g 2, g 3, g e 1 2, g e 3 3, q) = 1] 1/f(S). Thus we onstrut another polynomial-time algorithm D () suh that D (E 1, E 2, E 3, q, g) def = D(g, E e 2, g e, E 1/α 1, E e /β 3, 1, q), where e, e are piked uniformly and independently from [0, q 1]. Then learly, for ê 1, ê 2 uniformly and independently piked from [0, q 1], we have D (gê1 1, gê2 1, gê1ê 2 1, q, g 1 ) = D(g 1, gê2e 1, g1 e, gê1/α 1, g ê 1ê 2 e /β 1, 1, q), = D(g 1, gê2e 1, g1 e, gê1/α 1, (gê2e 1 ) ê1/β, (g1 e ) 0, q) = D(g 1, g 2, g 3, gê1/α 1, g ê 1/β 2, g3, 0 q). The last identity holds beause g e 2e 1 and g1 e are independent and uniform and we an rename them as g 2 and g 3. We then further rename ê 1 /α and ê 1 /β as e 1 and e 2 and get D (gê1 1, gê2 1, gê1ê 2 1, q, g 1 ) = D(g 1, g 2, g 3, g e 1 2, g αe 1+βe 2 3, q). Similarly, we an get, for ê 1, ê 2, ê 3 uniformly and independently piked from [0, q 1], D (gê1 1, gê2 1, gê3 1, q, g 1) = D(g 1, g 2, g 3, g e 1 2, g e 3 3, q). Therefore, Pr[D (gê1 1, gê2 1, gê1ê 2 1, q, g 1 ) = 1] Pr[D (gê1 1, gê2 1, gê3 1, q, g 1 ) = 1] 1/f(S), an obvious ontradition to DDH. 5. OUR SOLUTION FOR FORMULATION 2 In this setion, we solve the seond formulation of the problem. Speifially, we provide a protool that privately k- anonymizes a table by suppressing entries. Our protool is based on Meyerson and Williams s algorithm (whih we refer to as MW) for k-anonymizing a database [24]. Our solution an be viewed as a distributed, privay-preserving, version of their algorithm. Our protool provides quantifiable, though not ideal, privay. Namely, it keeps all information about the suppressed entries private from eah individual party, exept revealing the distane between eah pair of rows. Our protool onsists of three phases. In the first phase, the protool allows the miner to ompute the distane between eah pair of rows. In the seond phase, the miner uses the MW algorithm to ompute a k-partition of the table. (A k- partition is a olletion of disoint subsets of rows in whih eah subset ontains at least k rows and the union of these subsets is the entire table.) In the third phase, the protool allows the miner to ompute the k-anonymized table. The seond phase is a diret omputation of part of MW (whih relies only on the inter-row distanes already known to the miner). We now overview the more omplex first and third phases; we desribe all three phases in omplete detail in Setion 5.1. Design of Phase 1 Reall that the distane between two rows is the number of quasi-identifier attributes in whih the rows have different values [24]. If we define { σ (i,i ) = 1 if s (i) = s (i ) r if s (i) s (i ) (where r is a random element uniformly piked from an exponentially large prime-order yli group), then with all but negligible probability the distane between the ith and i th rows equals { : σ (i,i ) 1, [1, m]} (beause the the probability of r = 1 is negligible). To ompute this number, the miner first omputes enryptions of σ (i,i ) s from enryptions of quasi-identifier attributes; then, a ustomer rerandomizes and repermutes these enryptions (so that the miner does not learn the value of any speifi σ (i,i ) when they are derypted); finally, the ustomers ointly help the miner to derypt the σ (i,i ) s. To allow the miner to ompute enryptions of σ (i,i ) s, we use the fat that, sine the yli group mentioned above is of a

6 prime order, σ (i,i ) = (s (i) /s(i ) ) e i,i,, (1) where e i,i, is a uniformly random exponent. This tehnique was first used in [7]. (Equation (1) holds beause, if s (i) s (i ), then s (i) ) /s(i 1. Any element of a primeorder yli group not equal to 1 is a generator; and a generator raised to a uniformly random exponent must be a uniformly random element of the yli group.) When all quasi-identifier attributes are enrypted using a multipliatively homomorphi enryption sheme (where an enryption of the produt of multiple elements an be omputed from the enryptions of these elements), it is easy for the miner to ompute the enryption of σ (i,i ) s using the enryptions of the quasi-identifier attributes. Speifially, in our protool, we use the ElGamal enryption sheme [15]: an enryption of plaintext M G q is C = (My r, g r ), where g is a generator of G q, y = g x is the publi key (and x is the private key), and r is piked uniformly at random from [0, q 1]. To derypt an ElGamal iphertext, one simply divides its first omponent by its seond omponent raised to the seret key. The remaining question is how the ustomers ointly help the miner to derypt iphertexts of σ (i,i ) s. We use a threshold ryptography tehnique similar to that of Desmedt and Frankel [13]. Assume that the private key is shared among the ustomers using a (N, t)-shamir seret sharing [28], where t is an arbitrary threshold. (We disuss how to hoose t in Setion 6.) Then a ustomer an ompute a partial deryption by raising the seond omponent of an ElGamal iphertext to her share of the private key. To ompute the plaintext, the miner only needs to take t partial deryptions and interpolate them. Design of Phase 3 Let P be the k-partition omputed in the seond phase. Let P l P. Suppose that ith row is in P l. Aording to MW, ustomer i should replae s (i) with if and only if i P l, s (i) s (i ). With high probability, this is equivalent to σ (i,i ) 1. i P l,i i Beause ElGamal is multipliatively homomorphi, it is easy to ompute an enryption of ) i P l,i i σ(i,i. Hene the remaining tehnial question is how other ustomers ointly help ustomer i to derypt it. To ahieve this goal, we again use the tehnique of partial deryptions in the first phase; the main differene is that ustomer i only needs the help of t 1 other ustomers, beause ustomer i herself already has a share of the private key. 5.1 The Protool We now give a detailed desription of the entire protool. Suppose that S is a seurity parameter, that p, q are S-bit primes suh that p = 2q + 1, and that G q is the quadrati residue subgroup of Z p. Let t [2, N 1] be a threshold. In this setion, we assume that N ustomers share a private key x [0, q 1] using (N, t)-shamir seret sharing, where ustomer i s share is denoted by x i. Speifially, there exists a degree-(t 1) polynomial P() suh that x = P(0) and i [1, N], x i = P(i). We also assume that the orresponding publi key y = g x (where g is a generator of G q ) is known to all involved parties (ustomers and the miner) Phase 1 In this phase, the miner omputes the distane between every pair of rows, following the method overviewed above. Submission of Enrypted Quasi-identifier Attributes. Eah ustomer i enrypts eah of her quasi-identifier attributes using ElGamal with publi key y (for = 1 to m): s (i) = (s (i) yr i, g r i ), where r i is piked uniformly at random from [0, q 1]. Then the ustomers send all these enryptions to the miner. The iphertext s (i) above has two omponents; we denote the first and the seond omponents by s (i) 1 and s(i) 2 respetively. Computing Enryptions of σ (i,i ). For eah pair (i, i ), the miner omputes the quotients of their orresponding quasiidentifier attributes: (for = 1 to m) q (i,i ) = (s (i) ) 1 /s(i 1, s (i) ) 2 /s(i 2 ). Then the miner raises the quotients to random powers: (for = 1 to m) p (i,i ) = ((q (i,i ) 1 ) e i,i,, (q (i,i ) 2 ) e i,i, ), where e i,i, is piked uniformly at random from [0, q 1]. {p (i,i ) Rerandomization and Repermutation. The miner sends : i, i [1, N], i i, [1, m]} to an arbitrary ustomer i 0. Customer i 0 rerandomizes eah p (i,i ) and repermutes (p (i,i ) 1,..., p (i,i ) m ) for eah pair (i, i ). Denote the result of the above rerandomization and repermutation operations by {u (i,i ) : i, i [1, N], i i, [1, m]}. Then ustomer i 0 sends {u (i,i ) : i, i [1, N], i i, [1, m]} bak to the miner. Derypting σ (i,i ). Consider a set I of t ustomers, where i 0 I. To eah of these t ustomers, the miner sends {u (i,i ) 2 : i, i [1, N], i i, [1, m]}. Eah of the piked ustomer i I raises all elements she reeives to the x i th power: (for eah (i, i, ) suh that i, i [1, N], i i, [1, m]) Then she sends {v (i,i ),i to the miner. Finally, the miner omputes ˆσ (i,i ) = u (i,i ) 1 / v (i,i ),i = (u (i,i ) 2 ) x i. : i, i [1, N], i i, [1, m]} bak i I (v (i,i ),i ) l i,l I l/(l i ). Note that ˆσ (i,i ) 1,..., ˆσ (i,i ) m are nothing but a permutation of σ (i,i ) 1,..., σ (i,i ) m ; thus { : σ (i,i ) 1, [1, m]} = { :

7 ˆσ (i,i ) 1, [1, m]}. For eah pair (i, i ), the miner ounts { : ˆσ (i,i ) 1, [1, m]}. The distane between the ith and i th rows is equal to this number Phase 2 In this phase, knowing the pairwise distanes of the rows, the miner follows the first part of the MW algorithm to ompute a k-partition P = {P 1,..., P L} Phase 3 In this phase, the miner omputes the k-anonymized table with the help of the ustomers, as overviewed above. Computing Enryptions of ) i P l,i i σ(i,i. For eah P l P, eah i P l, eah [1, m], the miner omputes p (i) = ( i P l,i i p (i,i ) 1, i P l,i i p (i,i ) 2 ). Derypting ) i P l,i i σ(i,i. Then, for eah P l, let I l be a set of t 1 ustomers suh that i 0 I l and I l P l =. The miner sends {p (i) 2 : i P l, [1, m]} to every ustomer in I l. Eah ustomer i I l omputes (for eah i P l and eah [1, m]) and sends {w (i,i ) w (i,i ) = (p (i) 2 )x i, : i P l, [1, m]} bak to the miner. The miner omputes (for eah P l, eah i P l and eah [1, m]) z (i) = p (i) 1 / (w (i,i ) i ) I l,i i i /(i i ). i I l He sends {z (i) : [1, m]}, {p (i) 2 : [1, m]}, and P l to eah ustomer i. For eah [1, m], eah ustomer i( P l ) omputes ẑ (i) and ompares ẑ (i) i sets ŝ (i) = s (i) = p (i) 2 x i i I l,i i i /(i i), with z (i). If they are equal, then ustomer ; otherwise, ustomer i sets ŝ(i) =. Finally, ustomer i sends the miner (ŝ (i) 1,..., ŝ(i) m, a (i) 1,..., a(i) n ). 5.2 Privay Analysis Our protool leaks only the distane between eah pair of rows. Let Distane(T, i, i ) denote the distane between the ith and i th rows of table T. Theorem 6. The protool of k-anonymization by suppressing entries leaks only {Distane(T, i, i ) : i, i [1, N], i i }, under the DDH assumption. Proof. We first onstrut a simulator M for the miner. For the phase of omputing pairwise distanes, M simulates the first-round messages the miner reeives using mn random ElGamal iphertexts. For the seond-round messages the miner reeives (whih are from i 0 ), M simulates eah u (i,i ) using a random ElGamal iphertext u (i,i ). Then, M piks i 0 I; for eah i i 0, i I, M simulates the third round message v (i,i ),i using a random element v (i,i ),i of G q. To simulates v (i,i ), M first sets the values of σ (i,i ) : for eah,i 0 pair (i, i ), the m variables {σ (i,i ) : [1, m]} have exatly m Distane(T, i, i ) 1 s; M randomly piks this number of variables and sets them to 1 and then sets all the remaining variables randomly. After that, M simulates v (i,i ) using,i 0 v (i,i ),i 0 = σ (i,i ) i I,i i 0 u (i,i ) 1 (v (i,i ),i ) l i,l I. l l i For the phase of omputing anonymized data, M simulates the first-round messages the miner reeives using Nm(t 1) independent random elements of G q. M simulates the lastround messages using the rows in Anonymized(T ). The omputational indistinguishability follows from the semanti seurity of ElGamal enryption, whih is well known to hold under DDH [10]. Now we onstrut a simulator M i for ustomer i. If i = i 0, then M i simulates the messages reeived by i 0 using N(N 1)m random ElGamal iphertexts. If i I, then M i simulates the messages reeived by i in the phase of omputing pairwise distanes using N(N 1)m independent random elements of G q. If i I l, then M i simulates the first-round messages reeived by i in the phase of omputing anonymized data using independent random elements of G q. For any ustomer i, for the last-round messages ustomer i reeives, M i simulates eah p (i) 2 using an independent random element p (i) of G q ; if the (i, )-entry of the anonymized sensitive at- simulates z (i) using an independent tributes is, then M i random element of G q as well; otherwise, M i simulates z (i) using z (i) = (p (i) )x i i I l,i i i /(i i). The omputational indistinguishability follows immediately from the semanti seurity of ElGamal enryption. 6. DISCUSSION In this paper, we studied methods for reating k-anonymous tables in a distributed senario without the need for a entral authority and while maintaining ustomer privay. We formulate the problem in two ways. For the first problem formulation, a protool must extrat the k-anonymous part of a table. The maor advantage of our protool is that it is non-interative eah ustomer only sends a single flow of ommuniation to the miner. Therefore, ustomers an submit data and go. Another advantage is that the solution is very effiient. The dominating omputational overhead of eah ustomer is two modular exponentiations; the dominating omputational overhead of the miner is kn k modular exponentiations, where N k is the number of rows in the k-anonymous part of the table. The limitation of this problem formulation is that it is suitable only if the original table is already lose to k-anonymous, as otherwise

8 the subset of the table learned by the miner may not be of suffiient utility. For the seond problem formulation, a protool k-anonymizes a table by suppressing entries. The advantage of this approah is that it an produe useful results even when the original table is not lose to k-anonymous. Our solution to this problem formulation leaks a small amount of information beyond the k-anonymous result namely, the distane between eah pair of rows. Consequently, this approah is a good hoie for the appliations in whih revealing the distanes between rows an be tolerated. We have shown that our solutions protet privay against any individual party involved. The solutions an also be extended to provide privay even if some parties ollude and pool their information: up to k 1 (for the first protool) or t 1 (for the seond protool). In the seond protool, this requires a slight hange so that the task of ustomer i 0 is distributed among t ustomers. The hoie of threshold t is subet to a trade-off: the greater the value of t, the more olluding parties the protool an work against, but the more expensive the protool is. In a pratial appliation, an appropriate value of t must be hosen aording to the appliation s requirements of privay and effiieny. 7. REFERENCES [1] J. O. Ahugbue and F. Y. Chin. The effetiveness of output modifiation by rounding for protetion of statistial databases. INFOR, 17(3): , [2] N. Adam and J. Worthmann. Seurity-ontrol methods for statistial databases: a omparative study. ACM Computing Survey, 21(4): , [3] C. C. Aggarwal and P. S. Yu. A ondensation approah to privay preserving data mining. In Proeedings of 9th International Conferene on Extending Database tehnology. Springer, [4] G. Aggarwal, T. Feder, K. Kenthapadi, R. Motwani, R. Panigrahy, D. Thomas, and A. Zhu. k-anonymity: Algorithms and hardness. Under review, [5] D. Agrawal and C. Aggarwal. On the design and quantifiation of privay preserving data mining algorithms. In Proeedings of 20th ACM SIGMOD-SIGACT-SIGART Symposium on Priniples of Database Systems, pages , [6] R. Agrawal and R. Srikant. Privay-preserving data mining. In Proeedings of 19th ACM SIGMOD Conferene on Management of Data, pages ACM Press, May [7] W. Aiello, Y. Ishai, and O. Reingold. Pried oblivious transfer: How to sell digital goods. In Advanes in Cryptology - Proeedings of EUROCRYPT 2001, volume 2045 of Leture Notes in Computer Siene, pages Springer-Verlag, [8] R. J. Bayardo and R. Agrawal. Data privay through optimal k-anonymization. In Proeedings of 21st International Conferene on Data Engineering, [9] L. L. Bek. A seurity mehanism for statistial databases. ACM Transations on Database Systems, 5(3): , September [10] D. Boneh. The deision Diffie-Hellman problem. In Algorithmi Number Theory, Third International Symposium, volume 1423 of Leture Notes in Computer Siene, pages Springer-Verlag, [11] F. Y. Chin and G. Ozsoyoglu. Auditing and inferene ontrol in statistial databases. IEEE Transations on Software Engineering, SE-8(6): , April [12] T. Dalenius. Finding a needle in a haystak or identifying anonymous ensus reord. Journal of Offiial Statistis, 2(3): , [13] Y. Desmedt and Y. Frankel. Threshold ryptosystems. In Advanes in Cryptology - Proeedings of CRYPTO 89, volume 435 of Leture Notes in Computer Siene, pages Springer-Verlag, [14] I. Dinur and K. Nissim. Revealing information while preserving privay. In Proeedings of 22nd ACM SIGMOD-SIGACT-SIGART Symposium on Priniples of Database Systems, pages ACM Press, [15] T. ElGamal. A publi key ryptosystem and a signature sheme based on disrete logarithms. In Advanes in Cryptology - Proeedings of CRYPTO 84, pages 10 18, [16] A. Evfimievski, J. Gehrke, and R. Srikant. Limiting privay breahes in privay preserving data mining. In Proeedings of 22nd ACM SIGMOD-SIGACT-SIGART Symposium on Priniples of Database Systems, pages ACM Press, [17] A. Evfimievski, R. Srikant, R. Agrawal, and J. Gehrke. Privay preserving mining of assoiation rules. In Proeedings of 8th ACM SIGKDD International Conferene on Knowledge Disovery and Data Mining, pages ACM Press, [18] R. Gennaro, S. Jareki, H. Krawzyk, and T. Rabin. Seure appliations of Pedersen s distributed key generation protool. In CT-RSA 2003, volume 2612 of Leture Notes in Computer Siene, pages , [19] O. Goldreih. Foundations of Cryptography, volume 2. Cambridge University Press, [20] M. Kantarioglu and C. Clifton. Privay preserving distributed mining of assoiation rules on horizontally partitioned data. In ACM SIGMOD Workshop on Researh Issues in Data Mining and Knowledge Disovery, pages ACM, [21] H. Kargupta, S. Datta, Q. Wang, and K. Sivakumar. On the privay preserving properties of random data perturbation tehniques. In Proeedings of 3rd IEEE International Conferene on Data Mining, Florida, Nov [22] J. M. Kleinberg, C. H. Papadimitriou, and P. Raghavan. Auditing boolean attributes. In Proeedings of 19th ACM SIGMOD-SIGACT-SIGART Symposium on Priniples of Database Systems, pages 86 91, [23] Y. Lindell and B. Pinkas. Privay preserving data mining. Journal of Cryptology, 15(3): , 2002.

9 [24] A. Meyerson and R. Williams. On the omplexity of optimal k-anonymity. In Proeedings of 22nd ACM SIGMOD-SIGACT-SIGART Symposium on Priniples of Database Systems, Paris, Frane, June [25] S. Reiss. Pratial data swapping: The first steps. ACM Transations on Database Systems, 9(1):20 37, [26] P. Samarati. Proteting respondent s privay in mirodata release. IEEE Transations on Knowledge and Data Engineering, 13(6): , [27] P. Samarati and L. Sweeney. Generalizing data to provide anonymity when dislosing information (abstrat). In Proeedings of 17th ACM SIGACT-SIGMOD-SIGART Symposium on Priniples of Database Systems, page 188. ACM Press, [28] A. Shamir. How to share a seret. Communiations of the ACM, 22(11): , [29] A. Shoshani. Statistial databases: Charateristis, problems and some solutions. In Proeedings of 8th International Conferene on Very Large Data Bases, pages , [30] L. Sweeney. Guaranteeing anonymity when sharing medial data, the datafly system. In Proeedings, Journal of the Amerian Medial Informatis Assoiation, [31] L. Sweeney. Ahieving k-anonymity privay protetion using generalization and suppression. Int. J. Unertain. Fuzziness Knowl.-Based Syst., 10(5): , [32] L. Sweeney. k-anonymity: a model for proteting privay. Int. J. Unertain. Fuzziness Knowl.-Based Syst., 10(5): , [33] J. Traub, Y. Yemini, and H. Wozniakowksi. The statistial seurity of a statistial database. ACM Transations on Database Systems, 9(4): , [34] J. Vaidya and C. Clifton. Privay preserving assoiation rule mining in vertially partitioned data. In Proeedings of 8th ACM SIGKDD International Conferene on Knowledge Disovery and Data Mining, pages , [35] J. Vaidya and C. Clifton. Privay-preserving k-means lustering over vertially partitioned data. In Proeedings of 9th ACM SIGKDD International Conferene on Knowledge Disovery and Data Mining, pages ACM Press, 2003.