Results 1  10
of
28
Differential privacy: A survey of results
 In Theory and Applications of Models of Computation
, 2008
"... Abstract. Over the past five years a new approach to privacypreserving ..."
Abstract

Cited by 123 (0 self)
 Add to MetaCart
Abstract. Over the past five years a new approach to privacypreserving
Toward privacy in public databases
 In TCC
, 2005
"... Abstract. We initiate a theoretical study of the census problem. Informally, in a census individual respondents give private information to a trusted party (the census bureau), who publishes a sanitized version of the data. There are two fundamentally conflicting requirements: privacy for the respon ..."
Abstract

Cited by 89 (12 self)
 Add to MetaCart
Abstract. We initiate a theoretical study of the census problem. Informally, in a census individual respondents give private information to a trusted party (the census bureau), who publishes a sanitized version of the data. There are two fundamentally conflicting requirements: privacy for the respondents and utility of the sanitized data. Unlike in the study of secure function evaluation, in which privacy is preserved to the extent possible given a specific functionality goal, in the census problem privacy is paramount; intuitively, things that cannot be learned “safely ” should not be learned at all. An important contribution of this work is a definition of privacy (and privacy compromise) for statistical databases, together with a method for describing and comparing the privacy offered by specific sanitization techniques. We obtain several privacy results using two different sanitization techniques, and then show how to combine them via cross training. We also obtain two utility results involving clustering. 1
The complexity of threeway statistical tables
 SIAM J. COMPUT
, 2004
"... Multiway tables with specified marginals arise in a variety of applications in statistics and operations research. We provide a comprehensive complexity classification of three fundamental computational problems on tables: existence, counting, and entrysecurity. One outcome of our work is that eac ..."
Abstract

Cited by 24 (5 self)
 Add to MetaCart
Multiway tables with specified marginals arise in a variety of applications in statistics and operations research. We provide a comprehensive complexity classification of three fundamental computational problems on tables: existence, counting, and entrysecurity. One outcome of our work is that each of the following problems is intractable already for “slim” 3tables, with constant number 3 of rows: (1) deciding existence of 3tables with specified 2marginals; (2) counting all 3tables with specified 2marginals; (3) deciding whether a specified value is attained in a specified entry by at least one of the 3tables having the same 2marginals as a given table. This implies that a characterization of feasible marginals for such slim tables, sought by much recent research, is unlikely to exist. Another consequence of our study is a systematic efficient way of embedding the set of 3tables satisfying any given 1marginals and entry upper bounds in a set of slim 3tables satisfying suitable 2marginals with no entry bounds. This provides a valuable tool for studying multiindex transportation problems and multiindex transportation polytopes. Remarkably, it enables us to automatically recover a famous example due to Vlach of a “realfeasible integerinfeasible ” collection of 2marginals for 3tables of smallest possible size (3, 4, 6).
On the Utility of PrivacyPreserving Histograms
 In 21st Conference on Uncertainty in Artificial Intelligence (UAI
, 2005
"... In a census, individual respondents give private information to a trusted party (the census bureau), who publishes a sanitized version of the data. There are two fundamentally conflicting requirements: privacy for the respondents and utility of the sanitized data. Note that this framework is inheren ..."
Abstract

Cited by 21 (5 self)
 Add to MetaCart
In a census, individual respondents give private information to a trusted party (the census bureau), who publishes a sanitized version of the data. There are two fundamentally conflicting requirements: privacy for the respondents and utility of the sanitized data. Note that this framework is inherently noninteractive. Recently, Chawla et al. (TCC’2005) initiated a theoretical study of the census problem and presented an intuitively appealing definition of privacy breach, called isolation, together with a formal specification of what is required from a data sanitization algorithm: access to the sanitized data should not increase an adversary’s ability to isolate any individual. They also showed that if the data are drawn uniformly from a highdimensional hypercube then recursive histogram sanitization can preserve privacy with a high probability. We extend these results in several ways. First, we develop a method for computing a privacypreserving histogram sanitization of “round ” distributions, such as the uniform distribution over a highdimensional ball or sphere. This problem is quite challenging because, unlike for the hypercube, the natural histogram over such a distribution may have long and thin cells that hurt the proof of privacy. We then develop techniques for randomizing the histogram constructions both for the hypercube and the hypersphere. These permit us to apply known results for approximating various quantities of interest (e.g., cost of the minimum spanning tree, or the cost of an optimal solution to the facility location problem over the data points) from histogram counts – in a privacypreserving fashion. 1
Differential privacy for statistics: What we know and what we want to learn
 In Proceedings of the 33rd International Colloquium on Automata, Languages and Programming, volume 4052 of LECTURE NOTES IN COMPUTER SCIENCE
"... Abstract. We motivate and review the definition of differential privacy, survey some results on differentially private statistical estimators, and outline a research agenda. This survey is based on two presentations given by the authors at an NCHS/CDC sponsored workshop on data privacy in May 2008. ..."
Abstract

Cited by 21 (1 self)
 Add to MetaCart
Abstract. We motivate and review the definition of differential privacy, survey some results on differentially private statistical estimators, and outline a research agenda. This survey is based on two presentations given by the authors at an NCHS/CDC sponsored workshop on data privacy in May 2008. 1
All rational polytopes are transportation polytopes and all polytopal integer sets are contingency tables
 PROC. 10TH
, 2004
"... We show that any rational polytope is polynomialtime representable as a “slim ” r × c × 3 threeway linesum transportation polytope. This universality theorem has important consequences for linear and integer programming and for confidential statistical data disclosure. It provides polynomialtime ..."
Abstract

Cited by 19 (3 self)
 Add to MetaCart
We show that any rational polytope is polynomialtime representable as a “slim ” r × c × 3 threeway linesum transportation polytope. This universality theorem has important consequences for linear and integer programming and for confidential statistical data disclosure. It provides polynomialtime embedding of arbitrary linear programs and integer programs in such slim transportation programs and in bipartite biflow programs. It resolves several standing problems on 3way transportation polytopes. It demonstrates that the range of values an entry can attain in any slim 3way contingency table with specified 2margins can contain arbitrary gaps, suggesting that disclosure of kmargins of dtables for 2 ≤ k<dis confidential. Our construction also provides a powerful tool in studying concrete questions about transportation polytopes and contingency tables; remarkably, it enables to automatically recover the famous “realfeasible integerinfeasible” 6×4×3 transportation polytope of M. Vlach, and to produce the first example of 2margins for 6 × 4 × 3 contingency tables where the range of values a specified entry can attain has a gap.
An ad omnia approach to defining and achieving private data analysis
 In Proceedings of the 1st ACM SIGKDD international conference on Privacy, security, and trust in KDD
, 2007
"... Abstract. We briefly survey several privacy compromises in published datasets, some historical and some on paper. An inspection of these suggests that the problem lies with the nature of the privacymotivated promises in question. These are typically syntactic, rather than semantic. They are also ad ..."
Abstract

Cited by 14 (3 self)
 Add to MetaCart
Abstract. We briefly survey several privacy compromises in published datasets, some historical and some on paper. An inspection of these suggests that the problem lies with the nature of the privacymotivated promises in question. These are typically syntactic, rather than semantic. They are also ad hoc, with insufficient argument that fulfilling these syntactic and ad hoc conditions yields anything like what most people would regard as privacy. We examine two comprehensive, or ad omnia, guarantees for privacy in statistical databases discussed in the literature, note that one is unachievable, and describe implementations of the other. In this note we survey a body of work, developed over the past five years, addressing the problem known variously as statistical disclosure control, inference control, privacypreserving datamining, and private data analysis. Our principal motivating scenario is a statistical database. A statistic is a quantity computed from a sample. Suppose a trusted and trustworthy curator gathers sensitive information from a large number of respondents (the sample), with the goal of learning (and releasing to the public) statistical facts about the underlying population. The problem is to release statistical information without compromising the privacy of the individual respondents. There are two settings: in the noninteractive setting the curator computes and publishes some statistics, and the data are not used further. Privacy concerns may affect the precise answers released by the curator, or even the set of statistics released. Note that since the data will never be used again the curator can destroy the data (and himself) once the statistics have been published. In the interactive setting the curator sits between the users and the database. Queries posed by the users, and/or the responses to these queries, may be modified by the curator in order to protect the privacy of the respondents. The data cannot be destroyed, and the curator must remain present throughout the lifetime of the database. There is a rich literature on this problem, principally from the satistics community
ALL LINEAR AND INTEGER PROGRAMS ARE SLIM 3WAY TRANSPORTATION PROGRAMS
, 2006
"... We show that any rational convex polytope is polynomialtime representable as a 3way linesum transportation polytope of “slim” (r, c, 3) format. This universality theorem has important consequences for linear and integer programming and for confidential statistical data disclosure. We provide a po ..."
Abstract

Cited by 13 (2 self)
 Add to MetaCart
We show that any rational convex polytope is polynomialtime representable as a 3way linesum transportation polytope of “slim” (r, c, 3) format. This universality theorem has important consequences for linear and integer programming and for confidential statistical data disclosure. We provide a polynomialtime embedding of arbitrary linear programs and integer programs in such slim transportation programs and in bitransportation programs. Our construction resolves several standing problems on 3way transportation polytopes. For example, it demonstrates that, unlike the case of 2way contingency tables, the range of values an entry can attain in any slim 3way contingency table with specified 2margins can contain arbitrary gaps. Our smallest such example has format (6, 4, 3). Our construction provides a powerful automatic tool for studying concrete questions about transportation polytopes and contingency tables. For example, it automatically provides new proofs for some classical results, including a wellknown “realfeasible but integerinfeasible” (6, 4, 3)transportation polytope of M. Vlach, and bitransportation programs where any feasible bitransportation must have an arbitrarily large prescribed denominator.
On Enumerating All Minimal Solutions of Feedback Problems
"... We present an alg orithm thatg enerates all (inclusionwise) minimal feedback vertex sets of a directedg raph G =(V,E). The feedback vertex sets of G areg enerated with a polynomial delay of O # V  2 (V  + E) # . We further show that the underlying technique can be tailored tog enerate all ..."
Abstract

Cited by 12 (0 self)
 Add to MetaCart
We present an alg orithm thatg enerates all (inclusionwise) minimal feedback vertex sets of a directedg raph G =(V,E). The feedback vertex sets of G areg enerated with a polynomial delay of O # V  2 (V  + E) # . We further show that the underlying technique can be tailored tog enerate all minimal solutions for the undirected case and the directed feedback arc set problem, both with a polynomial delay of O # V E (V  + E) # . Finally we prove that computing the number of minimal feedback arc sets is #Phard.
The Table Layout Problem
 In Proc. 15th SoCG
, 1999
"... In this paper we study a geometric problem arising in typography: the problem of laying out a two dimensional table. Each cell of the table has content associated with it. We may have choices on the geometry of cells (e.g., number of rows to use for the text in a cell.) The problem is to choose conf ..."
Abstract

Cited by 9 (0 self)
 Add to MetaCart
In this paper we study a geometric problem arising in typography: the problem of laying out a two dimensional table. Each cell of the table has content associated with it. We may have choices on the geometry of cells (e.g., number of rows to use for the text in a cell.) The problem is to choose configurations for the cells to optimize an objective function such as minimum table height given a fixed width for the table. We formulate a combinatorial version of the table layout problem, where the objective is to choose cell geometry to minimize table size. The table layout problem is NPcomplete, even for very restricted instances. One of our main results is an algorithm for computing the convex hull of the set of feasible table configurations, which gives a heuristic algorithm for table layout. We establish a connection between the fractional (LP) solution to the table layout problem and generalized network flow. We also present experimental results comparing the performance of heuristic...