Known Vulnerabilities

This page describes known vulnerabilities in Tumult Core that we intend to fix.

Stability imprecision bug

Tumult Core is susceptible to the class of vulnerabilities described in Section 6 of [Mir12]. In particular, when summing floating point numbers, the claimed sensitivity may be smaller than the true sensitivity. This vulnerability affects the Sum transformation when the domain of the measure_column is SparkFloatColumnDescriptor. Measurements that involve a Sum transformation on floating point numbers may have a privacy loss that is larger than the claimed privacy loss.

Floating point overflow/underflow

Tumult Core is susceptible to privacy leakage from floating point overflow and underflow. Users should not perform operations that may cause overflow/underflow.

Tumult Core does have some basic measures to protect users from certain floating point overflow and underflow vulnerabilities: for Sum aggregations, values must be clamped to \([-2^{970}, 2^{970}]\), so an overflow or underflow can only happen when the number of values summed is more than \(2^{52}\). We expect users to hit performance bottlenecks before this happens.