Logo
ScienceStack
Table of Contents
Fetching ...
Sign In

How to Securely Shuffle? A survey about Secure Shufflers for privacy-preserving computations

Marc Damie, Florian Hahn, Andreas Peter, Jan Ramon

TL;DR

This survey comprehensively analyzes secure shufflers as practical building blocks for privacy-preserving computations, moving beyond abstract models to compare 26 concrete protocols across six design families. It formalizes core security properties (anonymity, correctness, disruption resistance) and provides a taxonomy of de-anonymization attacks, enabling fair cross-protocol comparisons. The work connects shufflers to a broad set of applications, from private statistics and Shuffle DP to federated learning and secure aggregation, and offers practical guidelines for selecting shufflers based on scalability, message size, and trust assumptions. It also highlights key challenges, including robustness to data poisoning and side-channel risks in TEEs, and outlines future directions for formalizing imperfect shuffles and expanding shuffling-based private computations.

Abstract

Ishai et al. (FOCS'06) introduced secure shuffling as an efficient building block for private data aggregation. Recently, the field of differential privacy has revived interest in secure shufflers by highlighting the privacy amplification they can provide in various computations. Although several works argue for the utility of secure shufflers, they often treat them as black boxes; overlooking the practical vulnerabilities and performance trade-offs of existing implementations. This leaves a central question open: what makes a good secure shuffler? This survey addresses that question by identifying, categorizing, and comparing 26 secure protocols that realize the necessary shuffling functionality. To enable a meaningful comparison, we adapt and unify existing security definitions into a consistent set of properties. We also present an overview of privacy-preserving technologies that rely on secure shufflers, offer practical guidelines for selecting appropriate protocols, and outline promising directions for future work.

How to Securely Shuffle? A survey about Secure Shufflers for privacy-preserving computations

TL;DR

This survey comprehensively analyzes secure shufflers as practical building blocks for privacy-preserving computations, moving beyond abstract models to compare 26 concrete protocols across six design families. It formalizes core security properties (anonymity, correctness, disruption resistance) and provides a taxonomy of de-anonymization attacks, enabling fair cross-protocol comparisons. The work connects shufflers to a broad set of applications, from private statistics and Shuffle DP to federated learning and secure aggregation, and offers practical guidelines for selecting shufflers based on scalability, message size, and trust assumptions. It also highlights key challenges, including robustness to data poisoning and side-channel risks in TEEs, and outlines future directions for formalizing imperfect shuffles and expanding shuffling-based private computations.

Abstract

Ishai et al. (FOCS'06) introduced secure shuffling as an efficient building block for private data aggregation. Recently, the field of differential privacy has revived interest in secure shufflers by highlighting the privacy amplification they can provide in various computations. Although several works argue for the utility of secure shufflers, they often treat them as black boxes; overlooking the practical vulnerabilities and performance trade-offs of existing implementations. This leaves a central question open: what makes a good secure shuffler? This survey addresses that question by identifying, categorizing, and comparing 26 secure protocols that realize the necessary shuffling functionality. To enable a meaningful comparison, we adapt and unify existing security definitions into a consistent set of properties. We also present an overview of privacy-preserving technologies that rely on secure shufflers, offer practical guidelines for selecting appropriate protocols, and outline promising directions for future work.

Paper Structure

This paper contains 87 sections, 4 equations, 8 figures, 3 tables.

Table of Contents

  1. Introduction
  2. Our contributions
  3. Background
  4. Terminology
  5. Differential Privacy
  6. Cryptographic building blocks
  7. Encryption schemes
  8. Secret Sharing
  9. Multi-party computation (MPC)
  10. Zero-knowledge proofs (ZKP)
  11. Trusted Execution Environment (TEE)
  12. Basic shuffling-based data aggregation
  13. Secure shuffler definition
  14. Threat models
  15. Shuffler definition
  16. ...and 72 more sections

Figures (8)

  • Figure 1: Abstract shuffler design: (1) The senders pre-process their messages using $\mathcal{P}$, (2) They send their preprocessed messages to the mixer $\mathcal{M}$, (3) The mixer outputs a permutation of the messages, and (4) an analyser can use the shuffled messages in a privacy-preserving computation.
  • Figure 2: Mix networks
  • Figure 3: Dining Cryptographers problem
  • Figure 4: Classic verifiable shufflers
  • Figure 5: MPC-based secure shufflers ($\pi$: an MPC protocol)
  • ...and 3 more figures

Theorems & Definitions (10)

  • definition 1: Differential Privacy
  • definition 2
  • definition 3
  • definition 4
  • definition 5
  • definition 6
  • definition 7
  • definition 8
  • definition 9
  • definition 10