Differential privacy (DP) has become the gold standard for preserving individual privacy in data analysis. However, an implicit yet fundamental assumption underlying these rigorous privacy guarantees is the correct implementation and execution of DP mechanisms. Several incidents of unintended privacy loss have occurred due to numerical issues and inappropriate configurations of DP software, which have been successfully exploited in privacy attacks. To better understand the seriousness of defective DP software, we ask the following question: is it possible to elevate these passive defects into active privacy attacks while maintaining covertness? To address this question, we present the Gaussian pancake mechanism (GPM), a novel mechanism that is computationally indistinguishable from the widely used Gaussian mechanism (GM), yet exhibits arbitrarily weaker statistical DP guarantees. This unprecedented separation enables a new class of backdoor attacks: by indistinguishably passing off as the authentic GM, GPM can covertly degrade statistical privacy. Unlike the unintentional privacy loss caused by GM's numerical issues, GPM is an adversarial yet undetectable backdoor attack against data privacy. We formally prove GPM's covertness, characterize its statistical leakage, and demonstrate a concrete distinguishing attack that can achieve near-perfect success rates under suitable parameter choices, both theoretically and empirically. Our results underscore the importance of using transparent, open-source DP libraries and highlight the need for rigorous scrutiny and formal verification of DP implementations to prevent subtle, undetectable privacy compromises in real-world systems.
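As an added illustration (not code from the paper, and not a construction of GPM), the block below implements the baseline Gaussian mechanism with its classical calibration and the kind of black-box marginal test a user might run on a library's noise. The counting query, its sensitivity of 1, and the mis-implemented variant that silently substitutes Laplace noise of the same variance are constructed here for contrast; only the standard library is used. The check catches crude errors of that sort, but, given the abstract's claim that GPM is computationally indistinguishable from GM, a GPM backdoor would pass it too, which is why the paper argues for open source, code review and formal verification rather than output testing alone.

```python
import math
import random


def calibrate_sigma(sensitivity: float, eps: float, delta: float) -> float:
    """Classical Gaussian-mechanism calibration (Dwork & Roth, Thm. A.1):
    sigma = sensitivity * sqrt(2 ln(1.25 / delta)) / eps, valid for eps < 1."""
    if not (0.0 < eps < 1.0) or not (0.0 < delta < 1.0):
        raise ValueError("classical bound requires 0 < eps < 1 and 0 < delta < 1")
    return sensitivity * math.sqrt(2.0 * math.log(1.25 / delta)) / eps


def gaussian_mechanism(true_value: float, sensitivity: float, eps: float,
                       delta: float, rng: random.Random) -> float:
    """Release true_value + N(0, sigma^2) with sigma calibrated for (eps, delta)."""
    return true_value + rng.gauss(0.0, calibrate_sigma(sensitivity, eps, delta))


def normal_cdf(x: float, sigma: float) -> float:
    return 0.5 * (1.0 + math.erf(x / (sigma * math.sqrt(2.0))))


def ks_statistic(samples, sigma: float) -> float:
    """One-sample Kolmogorov-Smirnov distance between the empirical CDF of
    `samples` and the N(0, sigma^2) CDF."""
    xs = sorted(samples)
    n = len(xs)
    d = 0.0
    for i, x in enumerate(xs):
        f = normal_cdf(x, sigma)
        d = max(d, f - i / n, (i + 1) / n - f)
    return d


def marginal_looks_gaussian(samples, sigma: float, z: float = 2.0) -> bool:
    """Black-box check on the noise marginal: reject if sqrt(n) * D > z.
    Asymptotically P(sqrt(n) D > z) ~ 2 exp(-2 z^2), about 7e-4 for z = 2,
    so an honest N(0, sigma^2) implementation passes with high probability."""
    return ks_statistic(samples, sigma) <= z / math.sqrt(len(samples))


def laplace_noise(scale: float, rng: random.Random) -> float:
    """Inverse-CDF sample from Laplace(0, scale); the clamp keeps log() finite."""
    u = min(max(rng.random(), 1e-12), 1.0 - 1e-12) - 0.5
    return -scale * math.copysign(1.0, u) * math.log(1.0 - 2.0 * abs(u))


def demo(n: int = 20000, seed: int = 0):
    """Returns (honest_passes, mis_implemented_passes) for the marginal check.

    Constructed scenario: a counting query with true answer 1000 and
    sensitivity 1, released under (eps, delta) = (0.5, 1e-5). The "wrong"
    library draws Laplace noise with the same variance as the calibrated
    Gaussian, a crude bug the marginal test does detect."""
    rng = random.Random(seed)
    sensitivity, eps, delta = 1.0, 0.5, 1e-5
    sigma = calibrate_sigma(sensitivity, eps, delta)
    true_count = 1000.0

    # Recover the noise by subtracting the known true answer (the tester
    # controls the input here, so this is a legitimate white-box harness).
    honest = [gaussian_mechanism(true_count, sensitivity, eps, delta, rng) - true_count
              for _ in range(n)]
    # Laplace(0, b) has variance 2 b^2; b = sigma / sqrt(2) matches sigma^2.
    wrong = [laplace_noise(sigma / math.sqrt(2.0), rng) for _ in range(n)]

    return marginal_looks_gaussian(honest, sigma), marginal_looks_gaussian(wrong, sigma)


if __name__ == "__main__":
    honest_ok, wrong_ok = demo()
    print(f"sigma = {calibrate_sigma(1.0, 0.5, 1e-5):.4f}")
    print(f"honest Gaussian passes marginal test: {honest_ok}")
    print(f"Laplace-in-disguise passes marginal test: {wrong_ok}")
```

The marginal test only inspects the one-dimensional distribution of released values, which is exactly the view an outside user has of a closed-source DP library. A backdoor that is computationally indistinguishable from GM, as the abstract describes GPM, is by definition invisible to any such efficient output test; the practitioner's remedy is to read and verify the code that draws the noise, not to test its outputs harder.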