A Framework for Differential Privacy Against Timing Attacks

TL;DR

This paper introduces a comprehensive framework to ensure differential privacy against timing attacks by defining timing privacy, enabling the creation of programs that are resistant to runtime-based information leaks.

Contribution

The authors develop a new notion of timing privacy, extend differential privacy definitions to include timing side channels, and demonstrate how to implement timing-private programs in standard computational models.

Findings

Framework for timing privacy in differential privacy

Methods to chain timing-stable components with delays

Implementation in OpenDP Programming Framework

Abstract

The standard definition of differential privacy (DP) ensures that a mechanism's output distribution on adjacent datasets is indistinguishable. However, real-world implementations of DP can, and often do, reveal information through their runtime distributions, making them susceptible to timing attacks. In this work, we establish a general framework for ensuring differential privacy in the presence of timing side channels. We define a new notion of timing privacy, which captures programs that remain differentially private to an adversary that observes the program's runtime in addition to the output. Our framework enables chaining together component programs that are timing-stable followed by a random delay to obtain DP programs that achieve timing privacy. Importantly, our definitions allow for measuring timing privacy and output privacy using different privacy measures. We illustrate how to instantiate our framework by giving programs for standard DP computations in the RAM and Word RAM models of computation. Furthermore, we show how our framework can be realized in code through a natural extension of the OpenDP Programming Framework.