查看文章

Many types of analytics on personal data can be made differentially private, thus alleviating concerns about the privacy of individuals. However, no platform currently exists that can technically prevent data leakage and misuse with minimal trust assumptions; as a result, analytics that would be in the public interest are not done in liberal societies. To bridge this gap, we present secure selective analytics (SSA), where data sources can a priori restrict the use of their data to a pre-defined set of privacy-preserving analytics queries performed by a specific group of analysts, and for a limited period. Furthermore, we show that a scalable SSA platform can be built in a strong threat model based on minimal trust. Technically, our SSA platform, CoVault, relies on a minimal trust implementation of functional encryption (FE), using a combination of secret sharing, secure multi-party computation (MPC), and trusted execution environments (TEEs). CoVault tolerates the compromise of a subset of TEE implementations as well as side channels. Despite the high cost of MPC, we show that CoVault scales to very large databases using map-reduce-based query parallelization. For example, we show that CoVault can perform queries relevant to epidemic analytics for a country of 80M using about 8000 cores, which is tolerable given the high value of such analytics.