RAIN: Secure and Robust Aggregation under Shuffle Model of Differential Privacy
Yuhang Li, Yajie Wang, Xiangyun Tang, Peng Jiang, Yu-an Tan, and Liehuang Zhu

TL;DR
RAIN introduces a unified framework combining privacy, robustness, and verifiability for secure aggregation in differential privacy systems, effectively defending against adversarial attacks while maintaining high efficiency and accuracy.
Contribution
It proposes novel secret-shared protocols for shuffling and aggregation that ensure privacy, robustness, and malicious security with minimal overhead.
Findings
Maintains strong privacy guarantees under Shuffle-DP.
Robust against poisoning attacks with negligible accuracy loss.
Achieves up to 90x lower communication cost and 10x faster aggregation.
Abstract
Secure aggregation is a foundational building block of privacy-preserving learning, yet achieving robustness under adversarial behavior remains challenging. Modern systems increasingly adopt the shuffle model of differential privacy (Shuffle-DP) to locally perturb client updates and globally anonymize them via shuffling for enhanced privacy protection. However, these perturbations and anonymization distort gradient geometry and remove identity linkage, leaving systems vulnerable to adversarial poisoning attacks. Moreover, the shuffler, typically a third party, can be compromised, undermining security against malicious adversaries. To address these challenges, we present Robust Aggregation in Noise (RAIN), a unified framework that reconciles privacy, robustness, and verifiability under Shuffle-DP. At its core, RAIN adopts sign-space aggregation to robustly measure update consistency and…
Taxonomy
Topics: Privacy-Preserving Technologies in Data · Adversarial Robustness in Machine Learning · Internet Traffic Analysis and Secure E-voting
