Let’s say that I have a private dataset of my employee’s ages. I allow someone to use my private data to perform a computation without releasing the data itself (either encrypting it with the enclave’s public key or using MPC.
The person who uses my (private) data could simply add 1 to every age value, receive the computed result, and then subtract 1, thus resulting in the original dataset.
How are these attacks mitigated? Does anyone know papers/books that explore these types of attacks?
In order to do a computation you would have to sign and encrypt your private dataset, and an authorisation that you allow SGX to run the function (X+1) on the input (private dataset).
So you would have to check the code before allowing and even giving away the data.
The canonical way to prevent this kind of things is to apply Differential Privacy on the results (before releasing them). Differential privacy essentially checks the distribution of the outputs compared to the inputs. In your example, it’s clear that the outputs are distributed similarly to the inputs, which would be detected. Using DP, there are several options to handle this situation:
On top of all of this, @david’s note is also correct - you would need to voluntary sign an input going to a computation that leaks your data. Since the secret contract code is public (by design), it would be fairly obvious to everyone that this is the case.