Efficient Verifiable Differential Privacy with Input Authenticity in the Local and Shuffle Model

Tariq Bontekoe, Hassan Jameel Asghar, Fatih Turkmen

TL;DR

This paper tackles the vulnerability of local differential privacy to input and output manipulation by introducing verifiable LDP (VLDP) with authenticated raw inputs. It develops three concrete schemes—Base (local), Expand (randomness expansion), and Shuffle (shuffle-model VLDP)—each enabling verifiable, input-authenticated LDP with minimal interaction. The Shuffle scheme is the first VLDP construction in that model, and all schemes are shown to resist input and output manipulation attacks while remaining efficient in practice (client <2s, server <7ms per client). Experimental results on GPS and smart-meter datasets demonstrate practicality, including modest communication overhead (200–485 bytes per client value) and scalable computation. The work thus provides a practical path to secure, verifiable DP in distributed settings without heavy reliance on blockchain or multi-round interaction.

Abstract

Local differential privacy (LDP) enables the efficient release of aggregate statistics without having to trust the central server (aggregator), as in the central model of differential privacy, and simultaneously protects a client's sensitive data. The shuffle model with LDP provides an additional layer of privacy, by disconnecting the link between clients and the aggregator. However, LDP has been shown to be vulnerable to malicious clients who can perform both input and output manipulation attacks, i.e., before and after applying the LDP mechanism, to skew the aggregator's results. In this work, we show how to prevent malicious clients from compromising LDP schemes. Our only realistic assumption is that the initial raw input is authenticated; the rest of the processing pipeline, e.g., formatting the input and applying the LDP mechanism, may be under adversarial control. We give several real-world examples where this assumption is justified. Our proposed schemes for verifiable LDP (VLDP) prevent both input and output manipulation attacks against generic LDP mechanisms, requiring only one-time interaction between client and server, unlike existing alternatives [37, 43]. Most importantly, we are the first to provide an efficient scheme for VLDP in the shuffle model. We describe, and prove security of, two schemes for VLDP in the local model, and one in the shuffle model. We show that all schemes are highly practical, with client run times of less than 2 seconds, and server run times of 5-7 milliseconds per client.
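To make the abstract's distinction between input and output manipulation concrete, the following added example (not code from the paper) measures how each one moves the aggregator's debiased estimate. It assumes binary randomized response as a stand-in for a generic LDP mechanism; all function names, parameters and the constructed population are assumptions.

```python
import math
import random

def keep_prob(eps):
    """Binary randomized response reports the true bit with this probability."""
    return math.exp(eps) / (math.exp(eps) + 1.0)

def debias(reports, eps):
    """Aggregator's unbiased estimate of the fraction of clients holding 1."""
    p = keep_prob(eps)
    return (sum(reports) / len(reports) - (1.0 - p)) / (2.0 * p - 1.0)

def client_report(bit, eps, rng, mode):
    """mode: 'honest', 'input' (wrong bit fed to a correct randomizer),
    or 'output' (randomizer bypassed, report fixed to 1)."""
    if mode == "output":
        return 1
    if mode == "input":
        bit = 1
    return bit if rng.random() < keep_prob(eps) else 1 - bit

def simulate(n, true_frac, bad_frac, eps, mode, seed=7):
    """Constructed population: deviating clients truly hold 0; true_frac of
    the remaining clients hold 1. Returns the aggregator's estimate."""
    rng = random.Random(seed)
    n_bad = int(n * bad_frac)
    n_ones = int((n - n_bad) * true_frac)
    reports = [client_report(0, eps, rng, mode) for _ in range(n_bad)]
    reports += [client_report(1 if i < n_ones else 0, eps, rng, "honest")
                for i in range(n - n_bad)]
    return debias(reports, eps)

def expected(true_frac, bad_frac, eps, mode):
    """Closed-form expectation of simulate() for the same population."""
    honest = (1.0 - bad_frac) * true_frac
    if mode == "input":
        return honest + bad_frac              # each lie counts as one extra 1
    if mode == "output":
        p = keep_prob(eps)
        return honest + bad_frac * p / (2.0 * p - 1.0)  # e^eps / (e^eps - 1)
    return honest

if __name__ == "__main__":
    for mode in ("honest", "input", "output"):
        print(mode, round(simulate(200_000, 0.10, 0.05, 1.0, mode), 4),
              round(expected(0.10, 0.05, 1.0, mode), 4))
```

After debiasing, a report that bypassed the randomizer is weighted by e^ε/(e^ε−1), so its effect grows as ε shrinks. Authenticating the raw input addresses the first case only; the second requires checking that the randomizer was actually executed.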

Paper Structure

This paper contains 35 sections, 5 theorems, 8 equations, 13 figures, 2 tables.

Key Result

Lemma 1

If $\mathcal{M}$ is $(\epsilon,\delta)$-DP, then for every (deterministic or randomized) $\mathcal{M}'$, $\mathcal{M}' \circ \mathcal{M}$ is also $(\epsilon,\delta)$-DP.

Figures (13)

  • Figure 1: LDP randomizers for reals and histograms.
  • Figure 2: Algorithms for approximately sampling from the Bernoulli and Discrete Uniform distribution.
  • Figure 3: System model for the VLDPPipeline. For multiple time steps $j$, the clients reiterate the steps as explained further on. When using the 'regular' local model, the shuffler is removed and the messages of step 3 are sent directly to the server instead.
  • Figure 4: Base scheme: VLDP with one server and $n$ clients.
  • Figure 5: Expand scheme: only one call to GenRand per client.
  • ...and 8 more figures

Theorems & Definitions (16)

  • Definition 1: Differential Privacy [dworkCalibratingNoiseSensitivity2006]
  • Lemma 1: Post-processing [dworkCalibratingNoiseSensitivity2006]
  • Lemma 2: Sequential composition [dworkBoostingDifferentialPrivacy2010]
  • Definition 2: DP in the Shuffle Model [cheuDistributedDifferentialPrivacy2019]
  • Definition 3: Local Differential Privacy
  • Definition 4: VLDP Scheme
  • Definition 5: Completeness
  • Definition 6: Soundness
  • Definition 7: Zero-knowledge
  • Definition 8: Shuffle indistinguishability
  • ...and 6 more