Are We There Yet? Timing and Floating-Point Attacks on Differential Privacy Systems
Jiankai Jin, Eleanor McMurtry, Benjamin I. P. Rubinstein, Olga Ohrimenko
TL;DR
This work shows that common DP noise implementations are vulnerable to two practical side channels: floating-point representation errors in Gaussian sampling and timing leaks in discrete distribution samplers. It develops FP attacks that adapt Mironov’s Laplace attack to Gaussian samplers (Polar and Ziggurat) and demonstrates feasibility across NumPy, PyTorch, and Go implementations, including DP-SGD in Opacus. It also reveals timing side-channels in discrete Laplace and Gaussian samplers (and Google's approximate Laplace), showing that DP guarantees can be violated in end-to-end systems. The paper proposes mitigations such as constant-time sampling, batching/offline sampling, and cautious use of discretized variants, highlighting the ongoing need to align practical DP deployments with their theoretical guarantees. Overall, the findings stress careful, implementation-level validation of DP systems to preserve privacy in real-world settings.
Abstract
Differential privacy is a de facto privacy framework that has seen adoption in practice via a number of mature software platforms. Implementation of differentially private (DP) mechanisms has to be done carefully to ensure end-to-end security guarantees. In this paper we study two implementation flaws in the noise generation commonly used in DP systems. First we examine the Gaussian mechanism's susceptibility to a floating-point representation attack. The premise of this first vulnerability is similar to the one carried out by Mironov in 2011 against the Laplace mechanism. Our experiments show attack's success against DP algorithms, including deep learning models trained using differentially-private stochastic gradient descent. In the second part of the paper we study discrete counterparts of the Laplace and Gaussian mechanisms that were previously proposed to alleviate the shortcomings of floating-point representation of real numbers. We show that such implementations unfortunately suffer from another side channel: a novel timing attack. An observer that can measure the time to draw (discrete) Laplace or Gaussian noise can predict the noise magnitude, which can then be used to recover sensitive attributes. This attack invalidates differential privacy guarantees of systems implementing such mechanisms. We demonstrate that several commonly used, state-of-the-art implementations of differential privacy are susceptible to these attacks. We report success rates up to 92.56% for floating-point attacks on DP-SGD, and up to 99.65% for end-to-end timing attacks on private sum protected with discrete Laplace. Finally, we evaluate and suggest partial mitigations.
