Widespread Underestimation of Sensitivity in Differentially Private Libraries and How to Fix It

TL;DR

This paper reveals that many differential privacy libraries underestimate sensitivity due to finite data type arithmetic discrepancies, leading to privacy breaches, and proposes fixes to ensure proper privacy guarantees.

Contribution

It identifies a widespread vulnerability in differential privacy implementations caused by finite data type arithmetic and offers practical solutions to correct sensitivity estimation.

Findings

Most libraries underestimate sensitivity due to finite data type issues.

Underestimation enables potential privacy attacks extracting individual data.

Proposed fixes restore correct sensitivity bounds and privacy guarantees.

Abstract

We identify a new class of vulnerabilities in implementations of differential privacy. Specifically, they arise when computing basic statistics such as sums, thanks to discrepancies between the implemented arithmetic using finite data types (namely, ints or floats) and idealized arithmetic over the reals or integers. These discrepancies cause the sensitivity of the implemented statistics (i.e., how much one individual's data can affect the result) to be much larger than the sensitivity we expect. Consequently, essentially all differential privacy libraries fail to introduce enough noise to meet the requirements of differential privacy, and we show that this may be exploited in realistic attacks that can extract individual-level information from private query systems. In addition to presenting these vulnerabilities, we also provide a number of solutions, which modify or constrain the way in which the sum is implemented in order to recover the idealized or near-idealized bounds on sensitivity.