Skip to Main content Skip to Navigation

Formal Verification of Differential Privacy in Concurrent Systems

Lili Xu 1
1 COMETE - Concurrency, Mobility and Transactions
Inria Saclay - Ile de France, LIX - Laboratoire d'informatique de l'École polytechnique [Palaiseau]
Abstract : The verification of systems for protecting sensitive and confidential information is becoming an increasingly important issue in the modern world. Many protocols for protecting confidential information have used randomized mechanisms, to obfuscate the link between the secret and the public information. Typical examples are DCNets, Crowds, Onion Routing, Freenet and Tor. Another common denominator of them is that various entities involved in the system to verify occur as concurrent processes, and present typically nondeterministic behavior. This dissertation is devoted to the development of novel reasoning techniques for verifying differential privacy in concurrent systems. Differential privacy is a promising notion of privacy originated from the community of statistical databases, and now widely adopted in various models of computation. We use the principle of differential privacy as a criterion to measure the level of privacy that a concurrent system satisfies. The first part of the present thesis is focused on modular reasoning about differential privacy in a probabilistic variant of Robin Milner’s Calculus of Communicating Systems (CCS). We show that the calculus operators such as non-deterministic choice, probabilistic choice, restriction and a restricted form of parallel composition are safe, in the sense that combining components with these operators does not compromise the privacy of the entire system. The second part focuses on the applicability of bisimulation - a fundamental technique in Concurrency Theory - for characterizing differentially private behavior. We borrow the idea of amortisation, which was initially applied on some bisimulations with cost-based actions, and coin an amortised probabilistic bisimulation. We show that it allows us to verify differential privacy and it is a more liberal notion than the work of Tschantz et al. In the third part the focus is shifted to the development of proof systems - an axiomatic way for proving properties of concurrent systems. We provide sound and complete proof systems for our amortised bisimulation and its weak counterpart. The proof systems make it possible to reason about long-term (observable) differentially private behavior by syntactic manipulation. The last part presents an extension of the bisimulation metric based on the Kantorovich distance. This is a metric that has become very popular in Concurrency Theory, thanks to its principled and solid mathematical foundations. While the standard notion is additive in nature and therefore not suitable to prove the property of differential privacy (which is multiplicative), the extension developed in the thesis is parametric with respect to the underlying distance, and therefore suitable to capture a vast range of properties, including differential privacy.
Document type :
Complete list of metadata

Cited literature [91 references]  Display  Hide  Download
Contributor : Konstantinos Chatzikokolakis <>
Submitted on : Tuesday, October 25, 2016 - 10:18:54 AM
Last modification on : Tuesday, December 8, 2020 - 9:42:27 AM


  • HAL Id : tel-01384363, version 1



Lili Xu. Formal Verification of Differential Privacy in Concurrent Systems. Cryptography and Security [cs.CR]. Ecole Polytechnique (Palaiseau, France), 2015. English. ⟨tel-01384363⟩



Record views


Files downloads