The standard definition of differential privacy (DP) ensures that a mechanism's output distribution on adjacent datasets is indistinguishable. However, real-world implementations of DP can, and often do, reveal information through their runtime distributions, making them susceptible to timing attacks. In this work, we establish a general framework for ensuring differential privacy in the presence of timing side channels. We define a new notion of timing privacy, which captures programs that remain differentially private to an adversary that observes the program's runtime in addition to the output. Our framework enables chaining together component programs that are timing-stable followed by a random delay to obtain DP programs that achieve timing privacy. Importantly, our definitions allow for measuring timing privacy and output privacy using different privacy measures. We illustrate how to instantiate our framework by giving programs for standard DP computations in the RAM and Word RAM models of computation. Furthermore, we show how our framework can be realized in code through a natural extension of the OpenDP Programming Framework.
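The following is an added illustration, not code from the paper or from OpenDP, of the composition the abstract describes: a timing-stable program followed by a random delay. It assumes runtime is counted in abstract steps, a toy counting program that spends one step per record (so add/remove-one adjacency changes runtime by at most 1), and a delay drawn from a discrete Laplace distribution centred at `shift` and clamped to `[0, 2*shift]`. All names and parameter values are hypothetical, and the code computes the exact (ε, δ) guarantee an adversary observing only the runtime would face.

```python
import math

def delay_pmf(eps, stability, shift):
    """Discrete Laplace with scale stability/eps, centred at shift, clamped to [0, 2*shift]."""
    a = math.exp(-eps / stability)
    c = (1 - a) / (1 + a)
    pmf = {k: c * a ** abs(k - shift) for k in range(1, 2 * shift)}
    # Clamping moves each tail's mass onto the boundary points 0 and 2*shift.
    pmf[0] = pmf[2 * shift] = a ** shift / (1 + a)
    return pmf

def runtime_dist(base_steps, delay):
    """Distribution of total runtime = deterministic program steps + random delay."""
    return {base_steps + k: p for k, p in delay.items()}

def hockey_stick(p, q, eps):
    """Smallest delta with P(S) <= e^eps * Q(S) + delta for every set S of runtimes."""
    return sum(max(0.0, p.get(t, 0.0) - math.exp(eps) * q.get(t, 0.0)) for t in p)

def timing_delta(steps_x, steps_y, delay, eps):
    """Exact delta of the runtime channel for two inputs, in both directions."""
    p, q = runtime_dist(steps_x, delay), runtime_dist(steps_y, delay)
    return max(hockey_stick(p, q, eps), hockey_stick(q, p, eps))

def count_steps(dataset):
    """Toy timing-stable program (assumption): 3 steps overhead + 1 step per record."""
    return 3 + len(dataset)

if __name__ == "__main__":
    EPS, STABILITY, SHIFT = 1.0, 1, 20          # constructed parameters
    x = list(range(100))                        # constructed dataset
    x_adj = x + [7]                             # adjacent: one record added
    x_far = x + [7] * 5                         # runtime gap 5 exceeds the stability bound
    delay = delay_pmf(EPS, STABILITY, SHIFT)
    none = {0: 1.0}                             # no delay: runtime is deterministic
    print("no delay        delta =", timing_delta(count_steps(x), count_steps(x_adj), none, EPS))
    print("with delay      delta =", timing_delta(count_steps(x), count_steps(x_adj), delay, EPS))
    print("gap > stability delta =", timing_delta(count_steps(x), count_steps(x_far), delay, EPS))
```

Without the delay the runtime distinguishes adjacent inputs with certainty (δ = 1). With it, δ shrinks to the clamped tail mass, and it becomes large again once the runtime gap exceeds the stability bound the delay was calibrated for.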