Distributed Privacy-Preserving Methods for Statistical Disclosure Control

  • Javier Herranz
  • Jordi Nin
  • Vicenç Torra
Part of the Lecture Notes in Computer Science book series (LNCS, volume 5939)


Statistical disclosure control (SDC) methods aim to protect privacy of the confidential information included in some databases, for example by perturbing the non-confidential parts of the original databases. Such methods are commonly used by statistical agencies before publishing the perturbed data, which must ensure privacy at the same time as it preserves as much as possible the statistical information of the original data.

In this paper we consider the problem of designing distributed privacy-preserving versions of these perturbation methods: each part of the original database is owned by a different entity, and they want to jointly compute the perturbed version of the global database, without leaking any sensitive information on their individual parts of the original data. We show that some perturbation methods do not allow a private distributed extension, whereas other methods do. Among the methods that allow a distributed privacy-preserving version, we can list noise addition, resampling and a new protection method, rank shuffling, which is described and analyzed here for the first time.


Statistical disclosure control privacy homomorphic encryption 


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    Bunn, P., Ostrovsky, R.: Secure two-party k-means clustering. In: Proc. of CCS 2007, pp. 486–497. ACM Press, New York (2007)CrossRefGoogle Scholar
  2. 2.
    CASC: Computational Aspects of Statistical Confidentiality, European Project IST-2000-25069,
  3. 3.
    Cramer, R., Damgård, I.B., Nielsen, J.B.: Multiparty computation from threshold homomorphic encryption. In: Pfitzmann, B. (ed.) EUROCRYPT 2001. LNCS, vol. 2045, pp. 280–299. Springer, Heidelberg (2001)CrossRefGoogle Scholar
  4. 4.
    Dalenius, T., Reiss, S.P.: Data-swapping: a technique for disclosure control. Journal of Statistical Planning and Inference 6, 73–85 (1982)zbMATHCrossRefMathSciNetGoogle Scholar
  5. 5.
    Damgård, I.B., Fitzi, M., Kiltz, E., Nielsen, J.B., Toft, T.: Unconditionally secure constant-rounds multi-party computation for equality, comparison, bits and exponentiation. In: Halevi, S., Rabin, T. (eds.) TCC 2006. LNCS, vol. 3876, pp. 285–304. Springer, Heidelberg (2006)CrossRefGoogle Scholar
  6. 6.
    Defays, D., Anwar, M.N.: Micro-aggregation: a generic method. In: Proc. of the 2nd International Seminar on Statistical Confidentiality, pp. 69–78 (1995)Google Scholar
  7. 7.
    Data Extraction System, U.S. Census Bureau,
  8. 8.
    Domingo-Ferrer, J., Torra, V.: Disclosure control methods and information loss for microdata. In: [10], pp. 91–110 (2001)Google Scholar
  9. 9.
    Domingo-Ferrer, J., Torra, V.: A quantitative comparison of disclosure control methods for microdata. In: [10], pp. 111–133 (2001)Google Scholar
  10. 10.
    Doyle, P., Lane, J., Theeuwes, J., Zayatz, L. (eds.): Confidentiality, disclosure, and data access: theory and practical applications for statistical agencies. Elsevier Science, Amsterdam (2001)Google Scholar
  11. 11.
    Dwork, C.: Differential privacy. In: Bugliesi, M., Preneel, B., Sassone, V., Wegener, I. (eds.) ICALP 2006. LNCS, vol. 4052, pp. 1–12. Springer, Heidelberg (2006)CrossRefGoogle Scholar
  12. 12.
    Dwork, C., Yekhanin, S.: New efficient attacks on statistical disclosure control mechanisms. In: Wagner, D. (ed.) CRYPTO 2008. LNCS, vol. 5157, pp. 469–480. Springer, Heidelberg (2008)Google Scholar
  13. 13.
    Fouque, P.A., Poupard, G., Stern, J.: Sharing decryption in the context of voting or lotteries. In: Frankel, Y. (ed.) FC 2000. LNCS, vol. 1962, pp. 90–104. Springer, Heidelberg (2001)CrossRefGoogle Scholar
  14. 14.
    Heer, G.R.: A bootstrap procedure to preserve statistical confidentiality in contingency tables. In: Proc. of the 1st International Seminar on Statistical Confidentiality, pp. 261–71 (1993)Google Scholar
  15. 15.
    Jagannathan, G., Wright, R.: Privacy-preserving distributed k- means clustering over arbitrarily partitioned data. In: Proc. of KDD 2005, pp. 593–599 (2005)Google Scholar
  16. 16.
    Kim, J.J.: A method for limiting disclosure in microdata based on random noise and transformation. In: Proc. of the ASA Section on Survey Research Methodology, pp. 303–308 (1986)Google Scholar
  17. 17.
    Lane, J., Heus, P., Mulcahy, T.: Data access in a cyber world: making use of cyberinfrastructure. Transactions on Data Privacy 1(1), 2–16 (2008)Google Scholar
  18. 18.
    Nin, J., Herranz, J., Torra, V.: Rethinking rank swapping to decrease disclosure risk. Data & Knowledge Engineering 64(1), 346–364 (2008)CrossRefGoogle Scholar
  19. 19.
    Paillier, P.: Public-key cryptosystems based on composite degree residuosity classes. In: Stern, J. (ed.) EUROCRYPT 1999. LNCS, vol. 1592, pp. 223–238. Springer, Heidelberg (1999)Google Scholar
  20. 20.
    Schoenmakers, B., Tuyls, P.: Efficient binary conversion for Paillier encrypted values. In: Vaudenay, S. (ed.) EUROCRYPT 2006. LNCS, vol. 4004, pp. 522–537. Springer, Heidelberg (2006)CrossRefGoogle Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2010

Authors and Affiliations

  • Javier Herranz
    • 1
  • Jordi Nin
    • 2
  • Vicenç Torra
    • 3
  1. 1.Dept. Matemàtica Aplicada IVUniversitat Politècnica de CatalunyaBarcelonaSpain
  2. 2.LAAS, Laboratoire d’Analyse et d’Architecture des Systèmes, CNRS, Centre National de la Recherche ScientifiqueToulouseFrance
  3. 3.IIIA, Artificial Intelligence Research InstituteCSIC, Spanish National Research CouncilBellaterraSpain

Personalised recommendations