
Revisiting Locally Differentially Private Protocols: Towards Better Trade-offs in Privacy, Utility, and Attack Resistance

Héber H. Arcolezi, Sébastien Gambs

TL;DR

The paper tackles the challenge of balancing privacy, utility, and attack resistance in locally differentially private frequency estimation. It introduces a general multi-objective optimization framework that jointly minimizes Attacker Success Rate (ASR) under data reconstruction attacks and Mean Squared Error (MSE) for utility, while preserving $\varepsilon$-LDP. By refining eight existing LDP protocols into adaptive variants (ASS, AUE, ALH, ATHE), it demonstrates substantial reductions in ASR with manageable MSE costs, bringing practical deployments closer to the ASR-MSE Pareto frontier. The results provide closed-form ASR and MSE analyses, extensive experiments, and a tunable framework that practitioners can tailor to different privacy and robustness requirements, with extensibility to other attacks and efficiency goals.

Abstract

Local Differential Privacy (LDP) offers strong privacy protection, especially in settings in which the server collecting the data is untrusted. However, designing LDP mechanisms that achieve an optimal trade-off between privacy, utility and robustness to adversarial inference attacks remains challenging. In this work, we introduce a general multi-objective optimization framework for refining LDP protocols, enabling the joint optimization of privacy and utility under various adversarial settings. While our framework is flexible to accommodate multiple privacy and security attacks as well as utility metrics, in this paper, we specifically optimize for Attacker Success Rate (ASR) under data reconstruction attack as a concrete measure of privacy leakage and Mean Squared Error (MSE) as a measure of utility. More precisely, we systematically revisit these trade-offs by analyzing eight state-of-the-art LDP protocols and proposing refined counterparts that leverage tailored optimization techniques. Experimental results demonstrate that our proposed adaptive mechanisms consistently outperform their non-adaptive counterparts, achieving substantial reductions in ASR while preserving utility, and pushing closer to the ASR-MSE Pareto frontier. By bridging the gap between theoretical guarantees and real-world vulnerabilities, our framework enables modular and context-aware deployment of LDP mechanisms with tunable privacy-utility trade-offs.
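The ASR-versus-MSE tension described above can be measured for GRR, one of the baseline protocols the paper compares against. The sketch below is an added example, not code from the paper or its authors, and it does not implement the adaptive variants. It uses the standard GRR probabilities and the standard approximate estimator variance, and it assumes uniformly distributed constructed data and an attacker who simply guesses that each report is the true value.

```python
import math
import random

def grr_params(eps, k):
    """GRR reports the true value with prob. p, any other fixed value with prob. q."""
    e = math.exp(eps)
    return e / (e + k - 1), 1.0 / (e + k - 1)

def grr_perturb(v, eps, k, rng):
    p, _ = grr_params(eps, k)
    if rng.random() < p:
        return v
    other = rng.randrange(k - 1)          # uniform over the k-1 values != v
    return other if other < v else other + 1

def grr_asr(eps, k):
    """Expected ASR when the attacker guesses that the report is the true value."""
    return grr_params(eps, k)[0]

def grr_mse(eps, k, n):
    """Approximate variance of the unbiased frequency estimator: q(1-q)/(n(p-q)^2)."""
    p, q = grr_params(eps, k)
    return q * (1 - q) / (n * (p - q) ** 2)

def simulate(eps, k, n, seed=0):
    """Constructed uniform data; returns (empirical ASR, empirical MSE)."""
    rng = random.Random(seed)
    p, q = grr_params(eps, k)
    truth = [rng.randrange(k) for _ in range(n)]
    reports = [grr_perturb(v, eps, k, rng) for v in truth]
    asr = sum(t == r for t, r in zip(truth, reports)) / n
    # Unbiased estimate of each value's frequency from the noisy reports.
    est = [(reports.count(v) / n - q) / (p - q) for v in range(k)]
    real = [truth.count(v) / n for v in range(k)]
    mse = sum((a - b) ** 2 for a, b in zip(est, real)) / k
    return asr, mse

if __name__ == "__main__":
    k, n = 20, 20000
    for eps in (0.5, 1, 2, 4):
        asr, mse = simulate(eps, k, n)
        print(f"eps={eps}: ASR {asr:.3f} (analytic {grr_asr(eps, k):.3f}), "
              f"MSE {mse:.2e} (analytic {grr_mse(eps, k, n):.2e})")
```

Raising $\varepsilon$ lowers the MSE but pushes the ASR up from the random-guess baseline of $1/k$ towards 1, which is the trade-off the paper's framework optimizes over.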


Paper Structure

This paper contains 40 sections, 49 equations, 15 figures.

Figures (15)

  • Figure 1: Comparison of data reconstruction attack (i.e., ASR) vs. variance (i.e., MSE) for four state-of-the-art LDP protocols (SS [wang2016mutual, Min2018], OUE [tianhao2017], OLH [tianhao2017], THE [tianhao2017]) and our newly proposed adaptive versions (ASS, AUE, ALH, ATHE). Each subplot considers a range of privacy budgets $\varepsilon \in (2, 10)$ and a fixed domain size $k = 100$. Our adaptive protocols (indicated by $\circ$ markers) yield substantially lower ASR at the same or close levels of MSE when compared to their original counterparts (indicated by $\square$ markers). This improvement is reflected in the adaptive protocols’ proximity to the Pareto frontier, indicating a more favorable privacy-utility trade-off and reduced vulnerability to privacy attacks.
  • Figure 2: Attacker Success Rate (ASR) vs. privacy budget ($\varepsilon$) for different LDP frequency estimation protocols across varying domain sizes ($k$). The plots compare state-of-the-art LDP protocols, including GRR, SUE, BLH, OUE, OLH, SS, SHE and THE, against our newly proposed adaptive protocols (ASS, AUE, ALH and ATHE). Each curve represents a different domain size, with $k$ ranging from $25$ to $10000$. The figure highlights the trade-offs between privacy and adversarial resilience for each protocol, showing how ASR evolves as the privacy budget and domain size change.
  • Figure 3: Variance (MSE) vs. privacy budget ($\varepsilon$) for the state-of-the-art LDP protocols (UE-, LH-, and HE-based) and our adaptive versions (AUE, ALH, and ATHE) across various domain sizes $k$. For our adaptive protocols, each curve represents a distinct domain size, illustrating how each protocol balances estimation accuracy with privacy as $\varepsilon$ changes.
  • Figure 4: Variance (MSE) vs. privacy budget ($\varepsilon$) for the state-of-the-art SS protocol and our adaptive version ASS across various domain sizes $k$. Each curve represents a distinct domain size, illustrating how each protocol balances estimation accuracy with privacy as $\varepsilon$ changes.
  • Figure 5: Attacker Success Rate (ASR) vs. Variance (MSE) for numerous LDP frequency estimation protocols. Each plot shows how each protocol performs under varying privacy budgets $\varepsilon$ and domain sizes ($k$), illustrating the trade-off between adversarial success rate (ASR) and utility (MSE). State-of-the-art LDP protocols (i.e., GRR, SUE, BLH, SHE, SS, OUE, OLH and THE) are compared against our adaptive counterparts (i.e., ASS, AUE, ALH and ATHE). Each point represents a different configuration of $\varepsilon$ (in medium to low privacy regimes) and $k$ (small domain), with colors indicating the privacy budget level.
  • ...and 10 more figures

Theorems & Definitions (2)

  • Definition 1: $\varepsilon$-Local Differential Privacy
  • Definition 2: Pure LDP Protocols [tianhao2017]