Bayesian Advantage of Re-Identification Attack in the Shuffle Model

TL;DR

This paper systematically analyzes the Bayesian advantage in re-identification attacks within the shuffle model, deriving exact formulas, asymptotic behaviors, and bounds, including the first upper bound in the context of shuffle differential privacy.

Contribution

It provides the first analytical and asymptotic characterization of Bayesian re-identification advantage in the shuffle model, along with bounds applicable to differential privacy settings.

Findings

Exact expressions for re-identification success probability.

Asymptotic analysis of Bayesian advantage.

Upper bound on re-identification probability in shuffle differential privacy.

Abstract

The shuffle model, which anonymizes data by randomly permuting user messages, has been widely adopted in both cryptography and differential privacy. In this work, we present the first systematic study of the Bayesian advantage in re-identifying a user's message under the shuffle model. We begin with a basic setting: one sample is drawn from a distribution $P$, and $n - 1$ samples are drawn from a distribution $Q$, after which all $n$ samples are randomly shuffled. We define $\beta_n(P, Q)$ as the success probability of a Bayes-optimal adversary in identifying the sample from $P$, and define the additive and multiplicative Bayesian advantages as $\mathsf{Adv}_n^{+}(P, Q) = \beta_n(P,Q) - \frac{1}{n}$ and $\mathsf{Adv}_n^{\times}(P, Q) = n \cdot \beta_n(P,Q)$, respectively. We derive exact analytical expressions and asymptotic characterizations of $\beta_n(P, Q)$, along with evaluations in several representative scenarios. Furthermore, we establish (nearly) tight mutual bounds between the additive Bayesian advantage and the total variation distance. Finally, we extend our analysis beyond the basic setting and present, for the first time, an upper bound on the success probability of Bayesian attacks in shuffle differential privacy. Specifically, when the outputs of $n$ users -- each processed through an $\varepsilon$-differentially private local randomizer -- are shuffled, the probability that an attacker successfully re-identifies any target user's message is at most $e^{\varepsilon}/n$.