On Distributed k-Anonymization

When a database owner needs to disclose her data, she can k-anonymize her data to protect the involved individuals’ privacy. However, if the data is distributed between two owners, then it is an open question whether the two owners can jointly k-anonymize the union of their data, such that the information suppressed in one owner’s data is not revealed to the other owner. In this paper, we study this problem of distributed k-anonymization. We have two major results: First, it is impossible to design an unconditionally private protocol that implements any normal k-anonymization function, where normal k-anonymization functions are a very broad class of kanonymization functions, including the k-anonymization functions implemented by all existing k-anonymization algorithms. Second, we give an efficent protocol that implements a normal kanonymization function and show that it is private against polynomial-time adversaries. This protocol is ID-based, which means the two data owners don’t need to have a priori knowledge of each other’s public key. Our results have many potential applications and can be extended to three or more parties.