PrivacyGo: Privacy-Preserving Ad Measurement with Multidimensional Intersection

TL;DR

PrivacyGo introduces a cryptographic framework that enables secure, privacy-preserving multi-identifier user profile matching for ad measurement, combining cryptography and differential privacy to prevent linkages and protect user data.

Contribution

It presents a novel cryptographic protocol with differential privacy for multi-identifier matching, enhancing privacy and scalability in ad measurement.

Findings

Supports large-scale, privacy-preserving ad conversion tracking

Achieves strong privacy guarantees with efficient cryptographic protocols

Mitigates membership inference risks through differential privacy

Abstract

This paper tackles the challenging and practical problem of multi-identifier private user profile matching for privacy-preserving ad measurement, a cornerstone of modern advertising analytics. We introduce a comprehensive cryptographic framework leveraging reversed Oblivious Pseudorandom Functions (OPRF) and novel blind key rotation techniques to support secure matching across multiple identifiers. Our design prevents cross-identifier linkages and includes a differentially private mechanism to obfuscate intersection sizes, mitigating risks such as membership inference attacks. We present a concrete construction of our protocol that achieves both strong privacy guarantees and high efficiency. It scales to large datasets, offering a practical and scalable solution for privacy-centric applications like secure ad conversion tracking. By combining rigorous cryptographic principles with differential privacy, our work addresses a critical need in the advertising industry, setting a new standard for privacy-preserving ad measurement frameworks.