
arxiv: 2506.05290 · v3 · pith:LXSLZKMJnew · submitted 2025-06-05 · 💻 cs.CR

Big Bird: Resilient Privacy Budgeting Across Untrusted Web Domains

Pith reviewed 2026-05-19 10:41 UTC · model grok-4.3

classification 💻 cs.CR
keywords: differential privacy · attribution API · privacy budgeting · web domains · Sybil attacks · advertising measurement · individual differential privacy · cross-domain privacy

The pith

Big Bird enforces global device-epoch individual differential privacy for advertising attribution by tying budgets to genuine user actions across domains.

A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.

The W3C Attribution API currently applies individual differential privacy separately per domain, but this breaks under realistic conditions where queriers share data or when many fake domains coordinate. Big Bird instead manages a single shared privacy budget on the device for all domains at once. It does so by recognizing that normal advertising creates potential privacy loss at impression sites and realizes that loss at conversion sites. Quotas based on those steps plus a cap on actions per user prevent attackers from draining the budget with fabricated domains. The system keeps the privacy guarantee sound while still letting legitimate measurement queries succeed.

Core claim

Big Bird is a privacy-budget manager that achieves global device-epoch IDP by enforcing privacy-loss-based quotas on impression and conversion sites together with a per-user-action cap, thereby providing formal resilience to depletion attacks by Sybil domains while preserving utility for benign queriers.

What carries the argument

The stock-and-flow structure of benign Attribution workloads, where impressions create potential privacy loss and conversions realize it, enforced across untrusted domains via privacy-loss-based quotas and per-user-action caps.

If this is right

  • Global device-epoch IDP becomes enforceable jointly across domains without the unsoundness that arises from cross-querier data adaptivity.
  • Adversarial impact from creating many fake domains is limited to the scale of genuine user interactions rather than the number of domains.
  • Benign advertising measurement retains practical utility even when the system is under depletion attack.
  • The mechanism can be integrated directly into existing browser Attribution prototypes without changing the on-device accounting model itself.

Where Pith is reading between the lines

These are editorial extensions of the paper, not claims the author makes directly.

  • Similar quota structures could be applied to other multi-domain web privacy budgets such as analytics or content measurement.
  • The stock-and-flow idea suggests a general pattern for preventing budget exhaustion in any setting where costs are created by one event type and realized by another.
  • Empirical evaluation on additional ad datasets would help quantify how often the assumed structure appears in real traffic.

Load-bearing premise

Benign Attribution workloads exhibit a reliable stock-and-flow structure in which impressions create potential privacy loss and conversions realize it, and this structure can be observed and enforced across untrusted domains without new leaks or excessive false positives on legitimate traffic.

What would settle it

Deploy Big Bird in a browser prototype and have many Sybil domains issue queries without matching user impressions or conversions; measure whether the global privacy-loss bound is violated or whether benign queriers lose all utility.

Figures

Figures reproduced from arXiv: 2506.05290 by Alison Caulfield, Asaf Cidon, Benjamin Case, Giorgio Cavicchioli, Mark Chen, Martin Thomson, Mathias Lécuyer, Pierre Tholoniat, Roxana Geambasu.

Figure 1: PPA overview. a measurement service that allows shoes.ex to compare the performance of its creatives within their respective networks. 1 When a user visits blog.ex, r1.ex displays the colorful ad and registers the impression by calling saveImpression() with the parameters shown in the figure. 2 Later, the user visits news.ex, where r2.ex displays the black-and-white ad and registers it by also calling sav…
Figure 2: Big Bird architecture. Changes vs. PPA (
Figure 3: Quota system evaluation. (a), (b): Query error and its root causes in a benign case. (c), (d): Benign-query error and root causes under attack. [plot residue: x-axis imp-quota capacity (0 to 8), y-axis RMSRE (lower is better) (0 to 1); series Online Big Bird (p50), Online Big Bird (p99), Batched Big Bird (p50), Batched Big Bird (p99), PPA (p50), PPA (p99); panel (a) Error, normal workload; remaining panels truncated]
Figure 4: Batched algorithm evaluation. PPA w/ global filter lacks protection from X, so its tail error rises sharply under attack. Big Bird with a well-configured quota (e.g., ε_imp-quota = 4 per p95 in Tab. 2) fully isolates honest queriers, matching the error levels of PPA w/o global filter. As before, a too-small quota harms utility even without an attacker. But under attack, too-large quota (ε_imp-quota ≥ 7) lets…
Figure 5: Firefox privacy loss dashboard
Original abstract

The W3C Attribution API is an emerging standard for privacy-preserving advertising measurement. Its current privacy architecture enforces individual differential privacy (IDP) independently for each domain (e.g., an advertiser) issuing queries. We show that this guarantee is unsound under realistic system behavior: it fails under cross-querier data adaptivity and can also fail when shared limits are enforced across queriers. The issue is not the on-device accounting model itself -- device-epoch IDP -- but treating each querying domain in isolation. We propose Big Bird, a privacy-budget manager that makes global device-epoch IDP -- enforced jointly across all domains -- both sound and deployable for Attribution. Big Bird addresses the main obstacle to global enforcement in open multi-querier systems: denial-of-service depletion of a shared global budget by Sybil web domains. Its key insight is that benign Attribution workloads have a stock-and-flow structure: impressions create potential privacy loss, conversions realize it, and meaningful budget consumption should be tied to genuine user actions across distinct web domains. Big Bird enforces this structure with privacy-loss-based quotas on impression and conversion sites and a per-user-action cap on how many quotas can be activated, ensuring that adversarial impact scales with genuine user interactions rather than with the number of Sybil domains. We implement Big Bird in Rust, integrate it into Firefox's Attribution prototype, and evaluate it theoretically and empirically on real ad-tech data. We show that Big Bird provides rigorous global device-epoch IDP, formal resilience to depletion attacks, and utility for benign queriers under attack.
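To make the stock-and-flow idea concrete, here is an added toy simulation of a device-epoch budget manager. It is not the paper's algorithm and not the Rust code integrated into Firefox; the budget values, the `Epoch` class, the `sybil_scenario` driver, the constructed site names (`r1.ex`, `shoes.ex`, `sybil*.ex`), and the rule that every referenced impression site is charged the full query epsilon are all assumptions made for illustration, since the paper's actual quota accounting is not reproduced on this page. What the model keeps from the abstract is the shape of the mechanism: an impression or conversion site only obtains a privacy-loss quota when a genuine user action activates it, a single action can activate at most a capped number of quotas, and a query must fit inside the global filter and inside every quota it touches. The driver contrasts a bare global filter, which one page load carrying many embedded Sybil domains can drain, with the quota-plus-cap variant, where adversarial spend is bounded by activations per action times quota size and the benign querier still succeeds.

```python
"""Toy device-epoch budget manager with impression/conversion quotas and a
per-user-action cap. Simplified illustration of the Big Bird idea; this is
NOT the paper's algorithm or implementation (all values are assumed)."""
from dataclasses import dataclass, field


@dataclass
class Epoch:
    global_budget: float   # capacity of the device-epoch global filter
    imp_quota: float       # privacy loss an activated impression site may realize
    conv_quota: float      # privacy loss an activated conversion site may realize
    action_cap: int        # quotas a single genuine user action may activate
    global_spent: float = 0.0
    imp_spent: dict[str, float] = field(default_factory=dict)   # site -> spent
    conv_spent: dict[str, float] = field(default_factory=dict)  # site -> spent
    activations: dict[str, int] = field(default_factory=dict)   # action -> count

    def _activate(self, table: dict[str, float], site: str, action_id: str) -> bool:
        """Grant `site` a quota, charged against the cap of the user action."""
        if site in table:                      # already active this epoch
            return True
        used = self.activations.get(action_id, 0)
        if used >= self.action_cap:            # cap reached: no new quota
            return False
        self.activations[action_id] = used + 1
        table[site] = 0.0
        return True

    def save_impression(self, imp_site: str, action_id: str) -> bool:
        """An impression site registers an ad view during user action `action_id`."""
        return self._activate(self.imp_spent, imp_site, action_id)

    def record_conversion(self, conv_site: str, action_id: str) -> bool:
        """A conversion site records a conversion during user action `action_id`."""
        return self._activate(self.conv_spent, conv_site, action_id)

    def query(self, conv_site: str, imp_sites: list[str], eps: float,
              enforce_quotas: bool = True) -> bool:
        """Attribution query by `conv_site` over `imp_sites` costing `eps`.
        With enforce_quotas=False only the global filter is checked (a bare
        global filter); with True the query must also fit every quota."""
        if self.global_spent + eps > self.global_budget:
            return False
        if enforce_quotas:
            if conv_site not in self.conv_spent or self.conv_spent[conv_site] + eps > self.conv_quota:
                return False
            for s in imp_sites:
                # Assumption: each referenced impression site pays the full eps.
                if s not in self.imp_spent or self.imp_spent[s] + eps > self.imp_quota:
                    return False
            self.conv_spent[conv_site] += eps
            for s in imp_sites:
                self.imp_spent[s] += eps
        self.global_spent += eps
        return True


def sybil_scenario(enforce_quotas: bool, n_sybil: int = 50,
                   queries_per_site: int = 10) -> tuple[int, bool, float]:
    """Constructed scenario: two genuine actions plus one attacker page load
    that embeds n_sybil fake domains. Returns (successful Sybil queries,
    whether the benign query succeeded, global budget spent)."""
    ep = Epoch(global_budget=8.0, imp_quota=4.0, conv_quota=4.0, action_cap=2)
    ep.save_impression("r1.ex", "a1")        # genuine ad view on blog.ex
    ep.record_conversion("shoes.ex", "a2")   # genuine purchase on shoes.ex
    # Attacker: a single page load (action a3) tries to register every Sybil
    # domain as both an impression site and a conversion site.
    for i in range(n_sybil):
        site = f"sybil{i}.ex"
        ep.save_impression(site, "a3")
        ep.record_conversion(site, "a3")
    # Each Sybil domain then fires queries attributing to its own impressions.
    sybil_ok = 0
    for i in range(n_sybil):
        site = f"sybil{i}.ex"
        for _ in range(queries_per_site):
            if ep.query(site, [site], 1.0, enforce_quotas):
                sybil_ok += 1
    # Benign querier asks about its genuine impression on r1.ex.
    benign_ok = ep.query("shoes.ex", ["r1.ex"], 1.0, enforce_quotas)
    return sybil_ok, benign_ok, ep.global_spent


if __name__ == "__main__":
    print("bare global filter :", sybil_scenario(False))   # (8, False, 8.0)
    print("quotas + action cap:", sybil_scenario(True))    # (4, True, 5.0)
```

With the bare global filter, eight Sybil queries of ε = 1 exhaust the 8-unit budget and the benign shoes.ex query is refused. With quotas and the cap, the attacker's one page load can activate only two quotas, so one Sybil domain gets an impression and a conversion quota of 4 each and the rest get nothing; adversarial spend stops at 4 regardless of how many Sybil domains were embedded, and the benign query still fits. Raising `n_sybil` changes nothing, which is the scaling property the abstract claims: damage tracks genuine user actions, not domain count.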

Editorial analysis

A structured set of objections, weighed in public.

Desk editor's note, referee report, simulated authors' rebuttal, and a circularity audit. Tearing a paper down is the easy half of reading it; the pith above is the substance, this is the friction.

Referee Report

3 major / 2 minor

Summary. The paper identifies that the W3C Attribution API's per-domain individual differential privacy (IDP) enforcement is unsound under cross-querier data adaptivity and shared limits. It proposes Big Bird, a privacy-budget manager that achieves global device-epoch IDP across untrusted domains by enforcing a stock-and-flow structure of benign workloads (impressions create potential privacy loss; conversions realize it) via privacy-loss-based quotas on impression and conversion sites together with a per-user-action cap. This bounds adversarial impact to scale with genuine user interactions rather than Sybil domains. The system is implemented in Rust, integrated into Firefox's Attribution prototype, and evaluated both theoretically and empirically on real ad-tech data, claiming rigorous global IDP, formal resilience to depletion attacks, and preserved utility for benign queriers.

Significance. If the formal resilience to depletion attacks holds and the stock-and-flow enforcement introduces neither new privacy leaks nor excessive false positives on legitimate traffic, the result would be significant for practical deployment of global privacy budgeting in open multi-querier web advertising systems. The approach of tying budget consumption to observable genuine actions across domains offers a concrete mechanism to make global IDP deployable where isolated per-domain accounting fails.

major comments (3)
  1. [§3] §3 (Threat Model and Design): The central resilience claim rests on the assumption that impression/conversion signals cannot be adversarially inflated without corresponding genuine user actions that trigger the per-user-action cap. The manuscript must explicitly show how the cap is enforced across untrusted domains without requiring additional cross-domain data flows that themselves create privacy leaks or observable side channels.
  2. [§4] §4 (Formal Analysis): The claim of rigorous global device-epoch IDP requires a proof sketch or reduction showing that the quota activation and cap together preserve the IDP definition when the stock-and-flow structure is enforced. Without this, it is unclear whether the global guarantee reduces to the on-device accounting model or introduces new composition issues.
  3. [Evaluation] Evaluation section (empirical results): The reported utility for benign queriers under attack should include the false-positive rate at which legitimate impression-to-conversion flows are incorrectly quota-blocked; if this rate is high, it undermines the claim that utility is preserved while resisting depletion.
minor comments (2)
  1. [Abstract] Abstract: The phrase 'rigorous global device-epoch IDP' should be qualified by the key workload-structure assumption to avoid overstatement for readers who stop at the abstract.
  2. [Notation] Notation: Ensure consistent use of privacy-loss parameters (e.g., ε per impression vs. per conversion) across the formal model and implementation sections.

Simulated Author's Rebuttal

3 responses · 0 unresolved

We thank the referee for the thoughtful and constructive comments, which help clarify key aspects of our threat model, formal claims, and evaluation. We address each major comment below and will incorporate revisions to strengthen the manuscript.

Point-by-point responses
  1. Referee: [§3] §3 (Threat Model and Design): The central resilience claim rests on the assumption that impression/conversion signals cannot be adversarially inflated without corresponding genuine user actions that trigger the per-user-action cap. The manuscript must explicitly show how the cap is enforced across untrusted domains without requiring additional cross-domain data flows that themselves create privacy leaks or observable side channels.

    Authors: We agree that explicit clarification is warranted. The per-user-action cap is enforced entirely on-device within the browser using local state that tracks distinct user actions (impressions and conversions) per device-epoch. No cross-domain data flows or additional communication between untrusted domains are required for enforcement; the browser locally counts qualifying actions and applies the cap before quota activation. This design introduces no new privacy leaks or observable side channels, as enforcement relies solely on existing local Attribution state. We will revise §3 to include a dedicated paragraph detailing this local mechanism and its security properties. revision: yes

  2. Referee: [§4] §4 (Formal Analysis): The claim of rigorous global device-epoch IDP requires a proof sketch or reduction showing that the quota activation and cap together preserve the IDP definition when the stock-and-flow structure is enforced. Without this, it is unclear whether the global guarantee reduces to the on-device accounting model or introduces new composition issues.

    Authors: We appreciate the request for a clearer formal argument. The global device-epoch IDP guarantee is preserved because the stock-and-flow quotas and per-user-action cap are enforced locally on-device, bounding total privacy loss across all queriers to the standard device-epoch budget without introducing extra composition terms. The structure ensures adversarial budget consumption cannot exceed that of genuine user actions, reducing directly to the base IDP definition. We will add a concise proof sketch in §4 that formalizes this reduction and addresses potential composition concerns. revision: yes

  3. Referee: [Evaluation] Evaluation section (empirical results): The reported utility for benign queriers under attack should include the false-positive rate at which legitimate impression-to-conversion flows are incorrectly quota-blocked; if this rate is high, it undermines the claim that utility is preserved while resisting depletion.

    Authors: We agree that reporting the false-positive rate on legitimate flows is important for a complete utility analysis. Our current empirical results on real ad-tech data indicate that the per-user-action cap aligns closely with natural user behavior, resulting in low blocking rates for benign impression-to-conversion flows even under depletion attacks. To make this explicit, we will augment the Evaluation section with direct measurements of the false-positive rate under the simulated attack scenarios. revision: yes

Circularity Check

0 steps flagged

No significant circularity; central claims rest on independent design insight and enforcement mechanism.

full rationale

The paper's derivation introduces Big Bird as a new privacy-budget manager whose global device-epoch IDP and depletion resilience are obtained by enforcing an observed stock-and-flow structure (impressions create potential loss, conversions realize it) via privacy-loss-based quotas and per-user-action caps. This structure is presented as an empirical key insight about benign Attribution workloads rather than a quantity fitted from the target result or derived by self-citation. No equations or steps reduce the claimed formal guarantees to previously fitted parameters, self-citations, or ansatzes imported from the authors' prior work; the on-device accounting model is explicitly distinguished from the cross-domain enforcement layer. The design is therefore self-contained against external benchmarks of stock-and-flow behavior in ad-tech data.

Axiom & Free-Parameter Ledger

2 free parameters · 1 axiom · 0 invented entities

The design rests on the assumption that real workloads follow a stock-and-flow pattern that can be observed without additional privacy cost; no explicit free parameters or invented entities are named in the abstract, but quota thresholds and the per-user-action cap are likely tuned values.

free parameters (2)
  • impression and conversion quota thresholds
    Values that bound privacy loss per site type; must be chosen to balance attack resistance and utility, likely fitted or set by hand.
  • per-user-action cap
    Limit on how many quotas a single user action can activate; chosen to scale attack cost with genuine interactions.
axioms (1)
  • domain assumption: Benign Attribution workloads exhibit a stock-and-flow structure where impressions create potential privacy loss and conversions realize it.
    Invoked to justify tying budget consumption to genuine user actions across domains.

pith-pipeline@v0.9.0 · 5847 in / 1574 out tokens · 43287 ms · 2026-05-19T10:41:20.139349+00:00 · methodology


