Differential privacy (DP) offers strong theoretical privacy guarantees, but implementations of DP mechanisms may be vulnerable to side-channel attacks, such as timing attacks. When sampling methods such as MCMC or rejection sampling are used to implement a mechanism, the runtime can leak private information. We characterize the additional privacy cost due to the runtime of a rejection sampler in terms of both $(\epsilon,\delta)$-DP as well as $f$-DP. We also show that unless the acceptance probability is constant across databases, the runtime of a rejection sampler does not satisfy $\epsilon$-DP for any $\epsilon$. We show that there is a similar breakdown in privacy with adaptive rejection samplers. We propose three modifications to the rejection sampling algorithm, with varying assumptions, to protect against timing attacks by making the runtime independent of the data. The modification with the weakest assumptions is an approximate sampler, introducing a small increase in the privacy cost, whereas the other modifications give perfect samplers. We also use our techniques to develop an adaptive rejection sampler for log-H\"{o}lder densities, which also has data-independent runtime. We give several examples of DP mechanisms that fit the assumptions of our methods and can thus be implemented using our samplers.
翻译:不同的隐私(DP)提供了强有力的理论隐私保障,但DP机制的实施可能易受侧道攻击(如时间攻击)的伤害。当使用诸如MCMC或拒绝取样等抽样方法来实施机制时,运行时间会泄漏私人信息。我们用(epsilon,\delta)$-DP和美元-DP来描述拒绝采样者运行时间造成的额外隐私费用。我们还表明,除非各数据库的接受概率保持不变,拒绝采样者的运行时间不能满足美元-DP。当使用诸如MCMC或拒绝采样等采样方法来实施机制时,我们发现与适应性拒绝采样者类似的隐私崩溃。我们建议对拒绝采样算法进行三次修改,并采用不同的假设,通过使运行时间与数据独立来防止时间攻击。最弱的假设是近似的采样者,因此隐私费用略有增加,而其他的修改则提供了完美的采样者。我们还使用技术开发了对日志-H{older_DP的适应性采样器。我们也可以使用若干次独立的方法来进行数据。