Differential privacy (DP) offers strong theoretical privacy guarantees, but implementations of DP mechanisms may be vulnerable to side-channel attacks, such as timing attacks. When sampling methods such as MCMC or rejection sampling are used to implement a mechanism, the runtime can leak privacy. We characterize the additional privacy cost due to the runtime of a rejection sampler in terms of both $(\epsilon,\delta)$-DP as well as $f$-DP. We also show that unless the acceptance probability is constant across databases, the runtime of a rejection sampler does not satisfy $\epsilon$-DP for any $\epsilon$. We show that there is a similar breakdown in privacy with adaptive rejection samplers. We propose three modifications to the rejection sampling algorithm, with varying assumptions, to protect against timing attacks by making the runtime independent of the data. The modification with the weakest assumptions is an approximate sampler, introducing a small increase in the privacy cost, whereas the other modifications give perfect samplers. We also use our techniques to develop an adaptive rejection sampler for log-H\"{o}lder densities, which also has data-independent runtime. We give several examples of DP mechanisms that fit the assumptions of our methods and can thus be implemented using our samplers.

中文翻译：

---

隐私感知拒绝抽样

差分隐私 (DP) 提供了强大的理论隐私保证，但 DP 机制的实现可能容易受到侧信道攻击，例如定时攻击。当使用 MCMC 或拒绝采样等采样方法来实现机制时，运行时可能会泄露隐私。我们用 $(\epsilon,\delta)$-DP 和 $f$-DP 来描述由于拒绝采样器的运行时间而导致的额外隐私成本。我们还表明，除非接受概率跨数据库是恒定的，否则拒绝采样器的运行时间不满足任何 $\epsilon$ 的 $\epsilon$-DP。我们表明，自适应拒绝采样器在隐私方面也存在类似的故障。我们对拒绝采样算法提出了三种修改，具有不同的假设，通过使运行时独立于数据来防止时序攻击。具有最弱假设的修改是近似采样器，引入了隐私成本的小幅增加，而其他修改则提供了完美的采样器。我们还使用我们的技术为 log-H\"{o}lder 密度开发了一个自适应拒绝采样器，它也具有与数据无关的运行时。我们给出了几个符合我们方法假设的 DP 机制示例，因此可以实现使用我们的采样器。它还具有独立于数据的运行时。我们给出了几个符合我们方法假设的 DP 机制示例，因此可以使用我们的采样器来实现。它还具有独立于数据的运行时。我们给出了几个符合我们方法假设的 DP 机制示例，因此可以使用我们的采样器来实现。