Section: New Results
Tamper-resistant data management
We have extended the work done in the context of GhostDB to tackle aggregate computations performed on a mix of hidden sensitive data (kept on a tamper-resistant device) and public data (available on a public server). The goal is to deliver aggregates to data warehouses for OLAP purposes while revealing exactly what is intended, neither more nor less. This work has been published in . More general work on tamper-resistant data management has been published in .
In 2009, we started a new study related to Privacy Preserving Data Publishing (PPDP), where personal data sets are anonymized before being published to serve statistical analysis purposes. Most work conducted so far on PPDP assumes a model where the data publisher is trusted. Given the vulnerability of database servers to external and internal attacks, this study considers an untrusted PPDP model instead. In the proposed model, private data is never uploaded to a central data publisher. Instead, individuals store their personal data in smart tokens under their own control. When needed, these tokens collaborate to anonymize the data and submit the result to a data publisher. The problem thus becomes how to publish an anonymized version of a dataset that is horizontally partitioned across a large number of smart tokens, without compromising data privacy, while the computing and communication infrastructure linking the tokens is untrusted. The fact that each smart token holds the data of a single individual, the tamper-resistance of the tokens and their low availability, combined with an untrusted but highly available infrastructure, make the problem fundamentally different from any previously studied PPDP problem we are aware of. A first solution has been designed that solves this problem with acceptable performance, but the work is still at a preliminary stage.
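To make the threat model above concrete, the following Python sketch is an added illustration and not the team's protocol or code. It assumes a symmetric key shared by all tokens (the key-distribution problem is out of scope here), uses a toy SHA-256 counter-mode cipher with an HMAC tag in place of a real AEAD, and takes k-anonymity by generalization and suppression as the anonymization criterion; all records are constructed. The untrusted server only ever relays opaque blobs, one token later performs the anonymization, and any tampering by the infrastructure is detected before anything is published.

```python
"""Illustrative model of the untrusted PPDP setting: one record per token,
an untrusted but available relay, k-anonymous output (added example)."""
import hashlib
import hmac
import json
import os
from collections import Counter

NONCE_LEN = 16
TAG_LEN = 32


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    # Toy counter-mode keystream derived from SHA-256; stands in for a real AEAD.
    out, ctr = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + nonce + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:n]


def seal(key: bytes, plaintext: bytes) -> bytes:
    # Encrypt-then-MAC: the relay can neither read nor silently alter a record.
    nonce = os.urandom(NONCE_LEN)
    ct = bytes(p ^ s for p, s in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("record tampered with in transit or at rest")
    return bytes(c ^ s for c, s in zip(ct, _keystream(key, nonce, len(ct))))


class UntrustedServer:
    """Highly available relay: stores opaque blobs and never sees plaintext."""
    def __init__(self):
        self.blobs = []

    def put(self, blob):
        self.blobs.append(blob)

    def get_all(self):
        return list(self.blobs)


class Token:
    """One individual's record on a tamper-resistant token (assumed shared key)."""
    def __init__(self, key, age, zipcode, disease):
        self.key = key
        self.record = {"age": age, "zip": zipcode, "disease": disease}

    def upload(self, server):
        server.put(seal(self.key, json.dumps(self.record).encode()))

    def anonymize_and_publish(self, server, k):
        # A token (not the server) decrypts the partition and anonymizes it.
        records = [json.loads(unseal(self.key, b)) for b in server.get_all()]
        return k_anonymize(records, k)


def generalize(rec):
    # Quasi-identifiers: age to a decade, zip code to its first three digits.
    lo = rec["age"] // 10 * 10
    return (f"{lo}-{lo + 9}", rec["zip"][:3] + "**")


def k_anonymize(records, k):
    # Keep a row only if its generalized quasi-identifier group has >= k members.
    quasi = [generalize(r) for r in records]
    counts = Counter(quasi)
    return sorted((q[0], q[1], r["disease"])
                  for q, r in zip(quasi, records) if counts[q] >= k)


SHARED_KEY = hashlib.sha256(b"constructed demo key").digest()
# Constructed sample: the last record is alone in its group and gets suppressed.
SAMPLE = [(34, "75011", "flu"), (37, "75015", "asthma"), (52, "69003", "flu"),
          (58, "69007", "diabetes"), (71, "13001", "flu")]


def run_demo(k=2, tamper=False):
    server = UntrustedServer()
    tokens = [Token(SHARED_KEY, *row) for row in SAMPLE]
    for t in tokens:
        t.upload(server)
    if tamper:  # simulate the untrusted infrastructure flipping a ciphertext bit
        b = bytearray(server.blobs[0])
        b[NONCE_LEN] ^= 0x01
        server.blobs[0] = bytes(b)
    return tokens[0].anonymize_and_publish(server, k), server


if __name__ == "__main__":
    rows, _ = run_demo()
    for row in rows:
        print(row)
```

Running the demo prints four generalized rows in two groups of size two; the 71-year-old's record is suppressed because no other token shares its quasi-identifier, and `run_demo(tamper=True)` raises before anything is published.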