Privacy-Preserving Epidemiological Modeling on Mobile Graphs

Daniel Günther, Marco Holz, Benjamin Judkewitz, Helen Möllering, Benny Pinkas, Thomas Schneider, Ajith Suresh

TL;DR

RIPPLE provides a privacy-preserving approach to epidemiological simulations on real-world contact graphs by keeping encounter data on-device and aggregating only the necessary statistics. It offers two instantiations, RIPPLE TEE (TEE-based local computation) and RIPPLE PIR (PIR-based computation with anonymous channels), and introduces PIR-SUM to securely sum multiple entries without exposing individual values. The framework is evaluated via a proof-of-concept demonstrating scalable performance (e.g., 2-week simulations over hundreds of thousands to millions of participants) with modest per-user communication, and it includes an open-source implementation. By combining anonymous communication, secure aggregation, and novel cryptographic primitives, RIPPLE advances privacy-preserving epidemiology, enabling policymakers to evaluate interventions without compromising individual privacy.

Abstract

The latest pandemic COVID-19 brought governments worldwide to use various containment measures to control its spread, such as contact tracing, social distance regulations, and curfews. Epidemiological simulations are commonly used to assess the impact of those policies before they are implemented. Unfortunately, the scarcity of relevant empirical data, specifically detailed social contact graphs, hampered their predictive accuracy. As this data is inherently privacy-critical, a method is urgently needed to perform powerful epidemiological simulations on real-world contact graphs without disclosing any sensitive information. In this work, we present RIPPLE, a privacy-preserving epidemiological modeling framework enabling standard models for infectious disease on a population's real contact graph while keeping all contact information locally on the participants' devices. As a building block of independent interest, we present PIR-SUM, a novel extension to private information retrieval for secure download of element sums from a database. Our protocols are supported by a proof-of-concept implementation, demonstrating a 2-week simulation over half a million participants completed in 7 minutes, with each participant communicating less than 50 KB.

Paper Structure (62 sections, 1 theorem, 3 equations, 15 figures, 7 tables)

Key Result

Lemma 1

Protocol $\mathsf{PIR_{sum}}$ (the PIR-SUM protocol figure) securely realises the $\mathcal{F}_{\sf pirsum}$ ideal functionality (the $\mathcal{F}_{\sf pirsum}$ functionality figure) for the case of malicious participants in the $\{\mathcal{F}^{\sf 2S}_{\sf pir}, \mathcal{F}_{\sf vrfy}\}$-hybrid model.

Figures (15)

  • Figure 1: Overview of RIPPLE Framework.
  • Figure 2: RIPPLE Framework (for one simulation setting).
  • Figure 4: Linking Identities Attack. Alice and Bob had several encounters, but Alice and Charlie only had one.
  • Figure 5: Sybil Attack.
  • Figure 6: RIPPLE TEE Overview. Messages in red denote additional steps needed for malicious participants.
  • ...and 10 more figures

Theorems & Definitions (3)

  • Lemma 1
  • proof
  • Definition 1