Accessing Data while Preserving Privacy

As organizations struggle with vast amounts of data, outsourcing sensitive data to third parties becomes a necessity. To protect the data, various cryptographic techniques are used in outsourced database systems to ensure data privacy, while allowing efficient querying. Recent attacks on such systems (e.g., [37, 30]) demonstrate that outsourced database systems must trade-off efficiency and privacy. Towards designing systems that strike a good balance between these two aspects, we present a new model of differentially private outsourced database systems, where differential privacy [19] is preserved at the record level even against an untrusted server that controls data and queries. Beginning with an atomic storage model where the server can observe both the memory access pattern and communication volume, we provide upperand lower-bounds on the efficiency of differentially private outsourced database systems. Our lower-bounds motivate the examination of models where the memory access pattern is kept hidden from the server. Combining oblivious RAM [22] with differentially private sanitizers [8], we present a generic construction of differentially private outsourced databases. We have implemented our constructions and report on their efficiency.