
Understanding Information Disclosure from Secure Computation Output: A Study of Average Salary Computation

Alessandro Baccarini, Marina Blanton, Shaofeng Zou

TL;DR

The paper tackles information leakage from the output of secure multi-party computations for average salary, framing leakage with entropy-based metrics and covering both discrete and continuous input distributions, including log-normal salaries. It develops closed-form insights for single- and multi-execution settings, showing that leakage is largely independent of the attacker's inputs and can be mitigated by increasing the number of spectator participants; it also analyzes how repeated executions and participant overlaps shape disclosure, offering concrete guidelines (e.g., ~50% overlap for two runs, ~1/3 overlap for three/four runs) to minimize disclosure. The contributions include formal leakage analysis under normal and log-normal models, min-entropy comparisons, mixed-distribution scenarios, and a comprehensive empirical validation that informs real-world secure-evaluation setups. These results provide actionable recommendations for practitioners to balance accuracy and privacy when computing sums and averages on private data in practice.

Abstract

Secure multi-party computation has seen substantial performance improvements in recent years and is being increasingly used in commercial products. While a significant amount of work was dedicated to improving its efficiency under standard security models, the threat models do not account for information leakage from the output of secure function evaluation. Quantifying information disclosure about private inputs from observing the function outcome is the subject of this work. Motivated by the City of Boston gender pay gap studies, in this work we focus on the computation of the average of salaries and quantify information disclosure about private inputs of one or more participants (the target) to an adversary via information-theoretic techniques. We study a number of distributions including log-normal, which is typically used for modeling salaries. We consequently evaluate information disclosure after repeated evaluation of the average function on overlapping inputs, as was done in the Boston gender pay study that ran multiple times, and provide recommendations for using the sum and average functions in secure computation applications. Our goal is to develop mechanisms that lower information disclosure about participants' inputs to a desired level and provide guidelines for setting up real-world secure evaluation of this function.
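The following is an added example, not code from the paper or its authors, illustrating the kind of entropy-based leakage measurement the abstract describes. It assumes the simplest discrete setting: one target whose input is uniform on 0..N-1 (the setting of Figure 3), independent spectators drawn from the same distribution, and an adversary who knows its own inputs and the participant count, so observing the average is equivalent to observing the sum of the target's and spectators' inputs plus a known constant. The entropy loss is computed exactly as the mutual information between the target's input and the observed output; the attacker-input parameter is there to show that its value does not change the result.

```python
from fractions import Fraction
from math import log2

def uniform_pmf(n):
    """Exact pmf of a discrete uniform value on 0..n-1 (assumed input model)."""
    return {v: Fraction(1, n) for v in range(n)}

def convolve(p, q):
    """pmf of the sum of two independent variables given their pmfs."""
    out = {}
    for a, pa in p.items():
        for b, pb in q.items():
            out[a + b] = out.get(a + b, 0) + pa * pb
    return out

def sum_pmf(pmf, count):
    """pmf of the sum of `count` i.i.d. draws from `pmf` (the spectators)."""
    result = {0: Fraction(1)}
    for _ in range(count):
        result = convolve(result, pmf)
    return result

def joint_target_output(n, n_spectators, attacker_inputs=()):
    """Joint pmf of (target input x, observed sum y).

    The average is the sum divided by a public participant count, so the
    adversary recovers y = x + (spectator sum) + (its own known inputs).
    """
    target = uniform_pmf(n)
    spectators = sum_pmf(uniform_pmf(n), n_spectators)
    shift = sum(attacker_inputs)  # known to the adversary, cancels out below
    joint = {}
    for x, px in target.items():
        for s, ps in spectators.items():
            key = (x, x + s + shift)
            joint[key] = joint.get(key, 0) + px * ps
    return joint

def mutual_information(joint):
    """I(X;Y) in bits from an exact joint pmf keyed by (x, y)."""
    px, py = {}, {}
    for (x, y), p in joint.items():
        px[x] = px.get(x, 0) + p
        py[y] = py.get(y, 0) + p
    return sum(float(p) * log2(float(p / (px[x] * py[y])))
               for (x, y), p in joint.items() if p)

def entropy_loss(n, n_spectators, attacker_inputs=()):
    """Bits of the target's input revealed by the output: H(X_T) - H(X_T | Y)."""
    return mutual_information(joint_target_output(n, n_spectators, attacker_inputs))

if __name__ == "__main__":
    # Constructed scenario: salaries bucketed into 16 bands, 0..15
    for k in (0, 1, 2, 4, 8):
        print(f"{k} spectators: {entropy_loss(16, k):.3f} bits of {log2(16):.0f}")
```

With no spectators the adversary learns the target's input exactly (the full log2(N) bits); each added spectator widens the distribution of the observed sum and lowers the loss, while supplying different attacker inputs leaves the number unchanged. Continuous models such as the log-normal case need differential entropy rather than this exact finite enumeration, which is where the paper's closed-form analysis comes in.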

Paper Structure (21 sections, 56 equations, 13 figures, 1 table)

This paper contains 21 sections, 56 equations, 13 figures, 1 table.

Figures (13)

  • Figure 1: The $\text{twae}(\vec{x}_T)$ and $\text{awae}(\vec{x}_A)$ using inputs over $\mathcal{U} \left(0,15\right)$ with a different number of spectators $\left\lvert S\right\rvert$.
  • Figure 2: Analysis of target's entropy loss using the Poisson distribution with $\text{Pois}(\lambda)$, and varying $\lambda$ with $|T| = 1$.
  • Figure 3: Analysis of target's entropy loss using the uniform distribution with $\mathcal{U}\left(0,N-1\right)$, and varying $N$ with $|T| = 1$.
  • Figure 4: Analysis of target's entropy loss using the normal distribution with $\mathcal{N}(0,\sigma^2)$, and varying $\sigma^2$ with $|T| = 1$.
  • Figure 5: Analysis of target's entropy loss using the log-normal distribution with $\log\mathcal{N}(1.6702,0.145542)$ and $|T| = 1$.
  • ...and 8 more figures

Theorems & Definitions (14)

  • Definition 1: ah2017secure
  • Definition 2: ah2017secure
  • Definition 3: ah2017secure
  • Claim 1
  • Claim 2
  • Definition 4: Vulnerability, smith2009foundations
  • Definition 5
  • Definition 6
  • Conjecture 1
  • Claim 3
  • ...and 4 more