Results 1 - 10 of 29

Private Information Retrieval, 1997
Cited by 347 (10 self)
Publicly accessible databases are an indispensable resource for retrieving up to date information. But they also pose a significant risk to the privacy of the user, since a curious database operator can follow the user's queries and infer what the user is after. Indeed, in cases where the users' intentions are to be kept secret, users are often cautious about accessing the database. It can be shown that when accessing a single database, to completely guarantee the privacy of the user, the whole database should be downloaded, namely n bits should be communicated (where n is the number of bits in the database). In this work, we investigate whether by replicating the database, more efficient solutions to the private retrieval problem can be obtained. We describe schemes that enable a user to access k replicated copies of a database ($k \geq 2$) and privately retrieve information stored in the database. This means that each individual database gets no information on the identity of the item retrieved by the user. Our schemes use the replication to gain substantial saving. In particular, we have
- A two database scheme with communication complexity of $O(n^{1/3})$.
- A scheme for a constant number, k, of databases with communication complexity $O(n^{1/k})$.
- A scheme for $\frac{1}{3} \log_2 n$ databases with polylogarithmic (in n) communication complexity.

Upper Bound on the Communication Complexity of Private Information Retrieval, 1996
Cited by 83 (1 self)
We construct a scheme for private information retrieval with k databases and communication complexity $O(n^{1/(2k-1)})$.
1 Introduction
Much attention has been given to the problem of protecting a database from the user that tries to retrieve the information that he is not allowed to access [2, 8, 12]. In some scenarios, the opposite problem can appear: a user wishes to retrieve some information from a database without revealing to the database what information he needs. For example [7], an investor wishes to receive information about certain stock but he does not wish others (even the database) to know in which particular stock he is interested. However, there is only one way to reach complete privacy: the user should ask for the copy of entire database. Otherwise, the database will get some information what the user wishes to know. This is not a good solution because it requires much time and much communication from the database to the user. If there are several identical copies ...

A Random Server Model for Private Information Retrieval or Information Theoretic PIR Avoiding Database Replication, 1997
Cited by 42 (3 self)
Private information retrieval (PIR) schemes provide a user with information from a database while keeping his query secret from the database manager. We propose a new model for PIR, utilizing auxiliary random servers providing privacy services for database access. The principal database initially engages in a preprocessing setup computation with the random servers, followed by the on-line stage with the users.

Privacy protection: p-sensitive k-anonymity property - In Proc. of 22nd IEEE Int’l Conf. on Data Engineering Workshops, 2006
Cited by 25 (9 self)
In this paper, we introduce a new privacy protection property called p-sensitive k-anonymity. The existing k-anonymity property protects against identity disclosure, but it fails to protect against attribute disclosure. The new introduced privacy model avoids this shortcoming. Two necessary conditions to achieve p-sensitive k-anonymity property are presented, and used in developing algorithms to create masked microdata with p-sensitive k-anonymity property using generalization and suppression.

Moving up the food chain: Supporting E-Commerce Applications on Databases - Sigmod Record, 2000
Cited by 14 (0 self)
Database systems have enjoyed a tremendous market because they have served many applications really well – transaction processing in the beginning, and then decision support. Today, with over 200% cumulative growth rate in certain segments of E-Commerce, it is clear that this new class of applications will be a strong driver for databases to grow, commercially, as well as from a Research perspective. This paper outlines some of the issues that I have learnt in dealing with E-Commerce applications that may well be the focus of some of the research in database systems over the course of next few years.

A polynomial algorithm for optimal univariate microaggregation - IEEE Transactions on Knowledge and Data Engineering, 2003
Cited by 7 (2 self)
Abstract—Microaggregation is a technique used by statistical agencies to limit disclosure of sensitive microdata. Noting that no polynomial algorithms are known to microaggregate optimally, Domingo-Ferrer and Mateo-Sanz have presented heuristic microaggregation methods. This paper is the first to present an efficient polynomial algorithm for optimal univariate microaggregation. Optimal partitions are shown to correspond to shortest paths in a network. Index Terms—Statistical databases, microdata protection, microaggregation, clustering, shortest path, information loss.

Minimum spanning tree partitioning algorithm for microaggregation - IEEE Transactions on Knowledge and Data Engineering, 2005
Cited by 5 (2 self)
Abstract—This paper presents a clustering algorithm for partitioning a minimum spanning tree with a constraint on minimum group size. The problem is motivated by microaggregation, a disclosure limitation technique in which similar records are aggregated into groups containing a minimum of k records. Heuristic clustering methods are needed since the minimum information loss microaggregation problem is NP-hard. Our MST partitioning algorithm for microaggregation is sufficiently efficient to be practical for large data sets and yields results that are comparable to the best available heuristic methods for microaggregation. For data that contain pronounced clustering effects, our method results in significantly lower information loss. Our algorithm is general enough to accommodate different measures of information loss and can be used for other clustering applications that have a constraint on minimum group size. Index Terms—Clustering, partitioning, minimum spanning tree, microdata protection, disclosure control.

Private Information Storage (Extended Abstract), 1996
Cited by 5 (0 self)
We consider the setting of hiding information through the use of multiple databases that do not interact with one another. In this setting, there are $k \geq 2$ "databases" which can be accessed by some "users". Users do not keep any state information, but wish to access O(n) bits of "data". Previously, in this setting solutions for retrieval of data in the efficient manner were given, where a user achieves this by interacting with all the databases. We consider the case of both writing and reading. While the case of reading was well studied before, the case of writing was previously completely open. In this paper, we show how to implement both read and write operations, with the following strong security guarantees: all the information about the read/write operation is information-theoretically hidden from all the databases (i.e. both the value of the bit and the address of the bit). As in the previous papers, we measure, as a function of k and n the amount of communication ...

Auditing sum-queries to make a statistical database secure - ACM Trans. Inf. Syst. Secur, 2006
Cited by 4 (3 self)
Abstract. In response to queries asked to a statistical database, the query system should avoid releasing summary statistics that could lead to the disclosure of confidential individual data. Attacks to the security of a statistical database may be direct or indirect, and in order to repel them, the query system should audit queries by controlling the amount of information released by their responses. The paper focuses on sum-queries with a response variable of nonnegative real type and proposes a compact representation of answered sum-queries, called an information model in “normal form”, which allows the query system to decide whether the value of a new sum-query can or cannot be safely answered. If it cannot, then the query system will issue the range of feasible values of the new sum-query consistent with previously answered sum-queries. Both the management of the information model and the answering procedure require solving linear-programming problems and, since standard linear-programming algorithms are not polynomially bounded (despite their good performances in practice), effective procedures that make a parsimonious use of them are stated for the general case. Moreover, in the special case that the information model is “graphical”, then it is shown that the answering procedure can be implemented in polynomial time.

GNU's not UNIX. The gcc homepage. http://www.gnu.org/software/gcc/gcc.html - Control Method, Workshop on Privacy and Electronic Society, 10th ACM CCS, 2000
Cited by 4 (2 self)
In this paper, we first introduce minimal, maximal and weighted disclosure risk measures for microaggregation disclosure control method. Our disclosure risk measures are more applicable to real-life situations, compute the overall disclosure risk, and are not linked to a target individual. After defining those disclosure risk measures, we then introduce an information loss measure for microaggregation. The minimal disclosure risk measure represents the percentage of records, which can be correctly identified by an intruder based on prior knowledge of key attribute values. The maximal disclosure risk measure considers the risk associated with probabilistic record linkage for records that are not unique in the masked microdata. The weighted disclosure risk measure allows the data owner to compute the risk of disclosure based on weights associated with different clusters of records. Information loss measure, introduced in this paper, extends the existing measure proposed by Domingo-Ferrer, and captures the loss of information at record level as well as from the statistical integrity point of view. Using simulated medical data in our experiments, we show that the proposed disclosure risk and information loss measures perform as expected in real-life situations.

