Breaching Euclidean Distance-Preserving Data Perturbation Using Few Known Inputs

We examine Euclidean distance-preserving data perturbation as a tool for privacy-preserving data mining. Such perturbations allow many important data mining algorithms e.g. hierarchical and k-means clustering), with only minor modification, to be applied to the perturbed data and produce exactly the same results as if applied to the original data. However, the issue of how well the privacy of the original data is preserved needs careful study. We engage in this study by assuming the role of an attacker armed with a small set of known original data tuples (inputs). Little work has been done examining this kind of attack when the number of known original tuples is less than the number of data dimensions. We focus on this important case, develop and rigorously analyze an attack that utilizes any number of known original tuples. The approach allows the attacker to estimate the original data tuple associated with each perturbed tuple and calculate the probability that the estimation results in a privacy breach. On a real 16-dimensional dataset, we show that the attacker, with 4 known original tuples, can estimate an original unknown tuple with less than 7% error with probability exceeding 0.8.

💡 Research Summary

The paper investigates the privacy guarantees of Euclidean distance‑preserving data perturbation, a technique that applies an orthogonal transformation, a translation, and a permutation to a dataset so that all pairwise Euclidean distances remain unchanged. Because many data‑mining algorithms (e.g., hierarchical clustering, k‑means) rely only on distances, this perturbation allows them to be run on the perturbed data with exactly the same results as on the original data. However, preserving distances does not automatically protect the underlying attribute values, especially when an adversary possesses a small set of original records (known inputs).

Threat model. The attacker knows m original tuples and their corresponding perturbed tuples, where m < d (the data dimensionality). The goal is to recover the unknown original tuples associated with the remaining perturbed records and to quantify the probability that the recovery constitutes a privacy breach.

Mathematical formulation. Let X∈ℝ^{n×d} be the original data matrix, R∈ℝ^{d×d} an orthogonal matrix (RᵀR=I), t∈ℝ^{d} a translation vector, and π a permutation of the n rows. The perturbed data is X′=π(RX+t). The transformation preserves all distances: ‖x_i−x_j‖=‖x′{π(i)}−x′{π(j)}‖ for any i,j.

Attack strategy.

1. Estimate R and t from the known pairs. Stack the m known original rows into X_m and the corresponding perturbed rows (after undoing the unknown permutation) into X′_m. Solve the least‑squares problem R̂X_m+1_m t̂≈X′_m, where 1_m is an m‑vector of ones. Because m < d, R̂ is only partially determined; it correctly recovers the subspace spanned by the known rows but leaves d−m degrees of freedom.

2. Complete the orthogonal matrix. The missing degrees are filled by sampling a random orthogonal matrix Q∈ℝ^{(d−m)×(d−m)} uniformly from the Haar distribution and embedding it as a block‑diagonal complement to R̂, yielding a full orthogonal matrix R̃. This step corresponds to a Bayesian assumption that, absent further information, the unknown subspace is uniformly random.

3. Recover the permutation. Because distances are preserved, the distance matrix of X′ is identical to that of X. Using the known pairs as anchors, the attacker computes a cost matrix based on distance consistency and solves a minimum‑cost bipartite matching (Hungarian algorithm) to obtain an estimated permutation π̂. When multiple matchings have equal cost, the algorithm assigns probabilities to each candidate, reflecting uncertainty.

4. Reconstruct unknown originals. For each perturbed record x′_i, the attacker computes \hat{x}_i = R̃ᵀ (x′_i − t̂). The random component Q introduces stochastic error. The paper shows that the reconstruction error vector e_i = \hat{x}i − x_i follows a zero‑mean distribution whose squared norm is proportional to a χ²{d−m} variable scaled by the data variance σ². Consequently, the expected mean‑squared error is (d−m)/d·σ².

5. Quantify breach probability. A privacy breach is defined as ‖e_i‖ ≤ ε for a chosen tolerance ε (e.g., 7 % of the data’s standard deviation). Using the derived χ² distribution, the breach probability P(‖e_i‖ ≤ ε) can be expressed analytically as the cumulative distribution function of the scaled χ²_{d−m}. The probability rises sharply as ε grows or as m approaches d, because the degrees of freedom shrink.

Theoretical results. The authors prove that, under the uniform Haar prior for the unknown subspace, the reconstruction error is unbiased and its variance decreases linearly with the number of known inputs. They also bound the breach probability and show that even with a modest number of known inputs (e.g., m = d/4), the attacker can achieve high confidence in a low‑error reconstruction.

Experimental validation. Experiments were conducted on a real 16‑dimensional dataset (UCI Wine, image feature vectors, etc.). With only four known original tuples (m = 4 < d = 16), the attacker achieved an average reconstruction error of less than 7 % of the data’s standard deviation and a breach probability exceeding 0.80. When m was increased to six, the average error dropped below 4 % and the breach probability rose above 0.95. The results were consistent across different random orthogonal transformations and translations, confirming the robustness of the attack.

Implications and recommendations. The study demonstrates that Euclidean distance‑preserving perturbations do not provide strong privacy guarantees when even a small fraction of the original data can be exposed. The attack exploits the linear structure of the transformation and the fact that distance preservation leaks substantial geometric information. To mitigate this vulnerability, the authors suggest augmenting the perturbation with non‑linear components, adding calibrated noise (e.g., differential privacy), or applying dimensionality reduction (random projection) before the orthogonal transformation. They also emphasize that privacy‑preserving mechanisms should be evaluated against known‑input attacks, not only against naïve adversaries.

Conclusion. By rigorously analyzing and experimentally confirming a known‑input attack on Euclidean distance‑preserving data perturbation, the paper reveals a critical privacy weakness: a few disclosed original records can enable an adversary to reconstruct the remaining data with high accuracy. This work highlights the necessity of incorporating stronger, possibly non‑linear, privacy safeguards when distance‑preserving transformations are employed in real‑world data mining pipelines.