Current implementations of differentially-private (DP) systems either lack support to track the global privacy budget consumed on a dataset, or fail to faithfully maintain the state continuity of this budget. We show that failure to maintain a privacy budget enables an adversary to mount replay, rollback and fork attacks - obtaining answers to many more queries than what a secure system would allow. As a result the attacker can reconstruct secret data that DP aims to protect - even if DP code runs in a Trusted Execution Environment (TEE). We propose ElephantDP, a system that aims to provide the same guarantees as a trusted curator in the global DP model would, albeit set in an untrusted environment. Our system relies on a state continuity module to provide protection for the privacy budget and a TEE to faithfully execute DP code and update the budget. To provide security, our protocol makes several design choices including the content of the persistent state and the order between budget updates and query answers. We prove that ElephantDP provides liveness (i.e., the protocol can restart from a correct state and respond to queries as long as the budget is not exceeded) and DP confidentiality (i.e., an attacker learns about a dataset as much as it would from interacting with a trusted curator). Our implementation and evaluation of the protocol use Intel SGX as a TEE to run the DP code and a network of TEEs to maintain state continuity. Compared to an insecure baseline, we observe only 1.1-2$\times$ overheads and lower relative overheads for larger datasets and complex DP queries.
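As an added illustration (not the paper's code), the Python model below shows the ordering the abstract describes: the consumed budget is committed to a stand-in state-continuity module before the noisy answer is computed and released, so an enclave whose sealed state is rolled back to an older snapshot cannot replay a query for free. The module, the Laplace counting query and the sample data are assumptions of this example.

```python
import random

class StateContinuityModule:
    """Assumed stand-in for the state-continuity module: a single committed
    record (version, spent) that only ever moves forward."""
    def __init__(self):
        self.version = 0   # monotonic counter, bumped on every commit
        self.spent = 0.0   # privacy budget consumed so far

    def commit(self, expected_version, new_spent):
        # A snapshot replayed after a newer commit carries an old version.
        if expected_version != self.version:
            raise RuntimeError("stale state: rollback/replay/fork detected")
        if new_spent < self.spent:
            raise RuntimeError("privacy budget may never decrease")
        self.version += 1
        self.spent = new_spent
        return self.version

class Curator:
    """Models the DP code in the TEE: charge and persist the budget first,
    release the answer second, so a crash or rollback between the two steps
    can never hand out an answer that was not paid for."""
    def __init__(self, data, epsilon_total, scm, rng=None):
        self.data, self.epsilon_total, self.scm = data, epsilon_total, scm
        self.version, self.spent = scm.version, scm.spent  # local copy of state
        self.rng = rng or random.Random(0)

    def snapshot(self):
        return (self.version, self.spent)

    def restore(self, snap):  # what a rollback of the enclave's state looks like
        self.version, self.spent = snap

    def noisy_count(self, epsilon):
        if self.spent + epsilon > self.epsilon_total:
            raise RuntimeError("privacy budget exhausted")
        # Step 1: commit the charged budget; the module rejects stale state.
        self.version = self.scm.commit(self.version, self.spent + epsilon)
        self.spent += epsilon
        # Step 2: only now compute and release the Laplace-noised count
        # (sensitivity 1, scale 1/epsilon as a difference of two exponentials).
        noise = self.rng.expovariate(epsilon) - self.rng.expovariate(epsilon)
        return sum(self.data) + noise

def rollback_is_rejected():
    """Constructed scenario: answer once, roll the enclave back, replay."""
    scm = StateContinuityModule()
    cur = Curator([1, 0, 1, 1], epsilon_total=1.0, scm=scm)
    snap = cur.snapshot()
    cur.noisy_count(0.5)
    cur.restore(snap)  # local budget now looks fresh, committed state does not
    try:
        cur.noisy_count(0.5)
        return False
    except RuntimeError:
        return True

def answers_before_exhaustion(epsilon_total, per_query):
    """Counts how many answers are released before the committed budget runs out."""
    cur = Curator([1, 0, 1, 1], epsilon_total, StateContinuityModule())
    n = 0
    while True:
        try:
            cur.noisy_count(per_query)
            n += 1
        except RuntimeError:
            return n
```

`rollback_is_rejected()` returns True because the module's version has already advanced; `answers_before_exhaustion(1.0, 0.25)` returns 4, the same number a trusted curator would allow.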