A conceptual framework for secrecy-preserving reasoning in knowledge bases

In many applications, Knowledge Bases (KBs) contain confidential or private information (secrets). The KB should be able to use this secret information in its reasoning process but in answering user queries care must be exercised so that secrets are not revealed to unauthorized users.We consider this problem under the OpenWorld Assumption (OWA) in a setting with multiple querying agents M₁,.,M_m that can pose queries against the KB κ and selectively share answers that they receive from κ with one or more other querying agents. We assume that for each M_i, the KB has a prespecified set of secrets S_i that need to be protected from M_i. Communication between querying agents is modeled by a communication graph, a directed graph with self-loops. We introduce a general framework and propose an approach to secrecy-preserving query answering based on sound and complete proof systems. The idea is to hide the truthful answer from a querying agent M_i by feigning ignorance without lying (i.e., to provide the answer 'Unknown' to a query q if it needs to be protected. Under the OWA, a querying agent cannot distinguish between the case that q is being protected (for reasons of secrecy) and the case that it cannot be inferred from κ. In the pre-query stage we compute a set of envelopes E₁,., E_m (restricted to a finite subset of the set of formulae that are entailed by κ) so that S_i ⊆ E_i, and a query α posed by agent M_i can be answered truthfully whenever α ∉ E_i and ¬α ∉ E_i. After the pre-query stage, the envelope is updated as needed. We illustrate this approach with two simple cases: the Propositional Horn KBs and the Description Logic AL KBs.