Defense against Poisoning Attacks under Shuffle-DP
Siyi Wang, Qiyao Luo, Yihua Hu, Lixu Wang, Quanqing Xu, Chuanhui Yang, Zhan Qin, Kui Ren, and Wei Dong

TL;DR
This paper introduces a universal defense framework for shuffle-DP protocols that protects against poisoning attacks across various query types while maintaining high utility and efficiency.
Contribution
It presents the first general method to make shuffle-DP protocols resilient to poisoning attacks for all union-preserving queries, extending beyond frequency estimation.
Findings
In attack-free scenarios, the framework preserves the asymptotic error of the underlying shuffle-DP protocol.
With a constant number of attackers, it incurs only a polylogarithmic increase in error.
Experimental results show effective defense with maintained utility and efficiency.
Abstract
Differential Privacy (DP) has become the gold standard for protecting individual privacy in data analytics, and the shuffle-DP model has attracted significant attention from both academia and industry due to its favorable balance between privacy and utility. However, existing shuffle-DP protocols rely on a strong assumption: all users behave honestly. In real-world scenarios, adversarial users can exploit this vulnerability through poisoning attacks, compromising both privacy guarantees and the utility of analytical results. While defending against poisoning attacks in the shuffle-DP model has recently gained interest, existing solutions are limited to frequency estimation tasks. To address this issue, we propose the first general defense framework for all union-preserving queries, capable of transforming any shuffle-DP protocol into a version resilient to poisoning attacks. Beyond…
