Analysis and Prevention of Averaging Attacks Against Obfuscation Protocols

Abstract

Verification and traceability of supply-chain data is a common example for public analysis of confidential data. Finding the correct balance between confidentiality and utility often is anything but trivial. In order to ensure confidentiality and thus protect companies’ competitive advantages, existing approaches employ probabilistic output obfuscation. However, it is known that this form of obfuscation might render a system subject to averaging attacks. In these attacks, an adversary repeatedly queries for the same analysis and combines the probabilistic outputs, thus implementing an estimator that eliminates the obfuscation. A clear picture on the performance of such attacks is missing, information that is crucial for mitigating averaging attacks.

Our contributions are threefold: First, using an existing supply-chain verification protocol (RVP) as a particularly efficient example of protocols with output obfuscation, we extensively analyze the risk posed by averaging attacks. We prove rigorously that such attacks perform exceptionally well if obfuscation is based on random values sampled independently in every query. We generalize our analysis to all protocols that employ probabilistic output obfuscation. Second, we propose the paradigm of data-dependent deterministic obfuscation (D\({^3}\)O) to prevent such attacks. Third, we present mRVP, a D\({^3}\)O-based version of RVP, and empirically demonstrate practicality and effectiveness of D\({^3}\)O. The results show that our mitigations add negligible runtime overhead, do not affect accuracy, and effectively retain confidentiality.

A Appendix

1.1 A.1 Local Differential Privacy

Local differential privacy (LDP) [14] is an adaptation of differential privacy (DP) to a local anonymization scenario, where individuals do not fully trust the data controller and, therefore, anonymize their data locally, on their own, before handing it to the controller. The setting is as follows. Consider a set of data providers each wishing to protect private data \(X_i\in \mathscr {X}\) on their own. A randomized anonymization mechanism \(\mathcal {A}\) is a mechanism that maps \(X_i\) randomly to \(Y_i\), where the \(Y_i\)’s are the anonymized versions of \(X_i\)’s, the data each individual will send to the controller. For any pair of input values \(x,x^\prime \in \mathscr {X}\), and for all \(\mathcal {O}\subseteq \) range(\(\mathcal {A}\)), we say \(\mathcal {A}\) satisfies \(\varepsilon \)-LDP with \(\varepsilon >0\), if

$$\begin{aligned} \mathbb {P}\left[ \mathcal {A}(x)\in \mathcal {O}\right] \leqslant \text {exp}(\varepsilon )\,\mathbb {P}\left[ \mathcal {A}(x')\in \mathcal {O}\right] . \end{aligned}$$

(8)

One of the primary approaches to designing LDP mechanisms is through the addition of Laplace noise [15]. The Laplace mechanism \(\mathcal {A_L}\) masks the actual private data x by adding noise L distributed according to a Laplace distribution, and then it returns the randomized response \(\mathcal {A_L}(x) = x + L\).

1.2 A.2 Averaging Attacks Against Obfuscation Protocols: Formalization of the Special Case

Recall that the outputs of RVP are two values \(x_1,x_2\) that are multiplicatively blinded with \(r_1\) and additively blinded with \(r_2\), i.e.,

$$\begin{aligned} \begin{aligned}&x_1 \cdot r_1 + r_2\\&x_2 \cdot r_1 + r_2 \end{aligned} \end{aligned}$$

They are used for computing the target function

$$\begin{aligned} \rho = \frac{x_1 \cdot r_1 + r_2}{x_2 \cdot r_1 + r_2} \end{aligned}$$

where \(0<r_2\ll r_1\) ensures

$$\begin{aligned} \rho \approx \frac{x_1}{x_2}. \end{aligned}$$

Given that both the dividend and the divisor are additively blinded with the same \(r_2\), an adversary can subtract one from the other in order for \(r_2\) to cancel out, as follows.

$$\begin{aligned} \begin{aligned}&(x_1 \cdot r_1 + r_2)-(x_2 \cdot r_1 + r_2)\\&=x_1 \cdot r_1 + r_2 - x_2 \cdot r_1 - r_2\\&=x_1 \cdot r_1 - x_2 \cdot r_1\\&=r_1 (x_1 - x_2) \end{aligned} \end{aligned}$$

This causes a reduction to multiplicative blinding and renders the quotient subject to factorization in order to obtain

$$\begin{aligned} \delta = x_1 - x_2. \end{aligned}$$

Consequently, \(\delta =x_1-x_2\) and \(\rho \approx \frac{x_1}{x_2}\) together yield \(x_1\) and \(x_2\) as follows.

$$\begin{aligned} \begin{aligned} x_1&\approx \rho \cdot x_2\\ \delta&\approx \rho \cdot x_2 - x_2\\ \delta&\approx x_2 \cdot (\rho -1)\\ x_2&\approx \frac{\delta }{\rho -1} \end{aligned} \end{aligned}$$

Given that \(r_1\) is exponentially larger than \(r_2\), the computed values are close approximations with negligible deviation.

1.3 A.3 Averaging Attacks Against Obfuscation Protocols: Omitted Statement

The precise concentration bounds are given below. The proof can be found in [35].

Theorem 3

Let \(X_1, \dots , X_\kappa \) be a sequence of independent random variables with, for \(k \in [\kappa ]\), expected value \(\mathbb {E}\left[ X_k\right] \) equal to \(\mu _k\). Further, let X be the random variable \(X= \kappa ^{-1} \cdot \sum _{k=1}^{\kappa } (X_k - \mu _k)\).

1. 1.

   If for every \(k\in [\kappa ]\) the random variable \(X_k\) is sub-Gaussian with parameter \(\sigma _k\), then

   $$\begin{aligned} \mathbb {P}\left[ |X| \geqslant t \right] \leqslant 2 \cdot \exp \left( - \frac{t^2 \cdot \kappa ^2}{2 \cdot \sum _{k=1}^\kappa \sigma _k^2}\right) . \end{aligned}$$
2. 2.

   If for every \(k\in [\kappa ]\) the random variable \(X_k\) is sub-exponential with parameters \((\nu _k, b_k)\), then with

   $$\begin{aligned} \nu _*= \sqrt{\sum _{k=1}^\kappa \frac{\nu _k^2}{\kappa }} \quad \text {and} \quad b_*= \max _{k \in [\kappa ]} b_k \end{aligned}$$

   it holds

   $$ \mathbb {P}\left[ |X| \geqslant t\right] \leqslant {\left\{ \begin{array}{ll} 2\cdot \exp \left( - \frac{t^2 \cdot \kappa }{2 \cdot \nu _*^2}\right) , &{} \text { if } 0 \leqslant t \leqslant \frac{\nu _*^2}{b_*}; \\ 2\cdot \exp \left( - \frac{t \cdot \kappa }{2 \cdot b_*}\right) , &{} \text { for } t \geqslant \frac{\nu _*^2 }{b_*}. \end{array}\right. } $$