Logo
ScienceStack
Table of Contents
Fetching ...
Sign In

RAIN: Secure and Robust Aggregation under Shuffle Model of Differential Privacy

Yuhang Li, Yajie Wang, Xiangyun Tang, Peng Jiang, Yu-an Tan, Liehuang Zhu

TL;DR

Robust Aggregation in Noise (RAIN), a unified framework that reconciles privacy, robustness, and verifiability under Shuffle-DP, designs two novel secret-shared protocols for shuffling and aggregation that operate directly on additive shares and preserve Shuffle-DP's tight privacy guarantee.

Abstract

Secure aggregation is a foundational building block of privacy-preserving learning, yet achieving robustness under adversarial behavior remains challenging. Modern systems increasingly adopt the shuffle model of differential privacy (Shuffle-DP) to locally perturb client updates and globally anonymize them via shuffling for enhanced privacy protection. However, these perturbations and anonymization distort gradient geometry and remove identity linkage, leaving systems vulnerable to adversarial poisoning attacks. Moreover, the shuffler, typically a third party, can be compromised, undermining security against malicious adversaries. To address these challenges, we present Robust Aggregation in Noise (RAIN), a unified framework that reconciles privacy, robustness, and verifiability under Shuffle-DP. At its core, RAIN adopts sign-space aggregation to robustly measure update consistency and limit malicious influence under noise and anonymization. Specifically, we design two novel secret-shared protocols for shuffling and aggregation that operate directly on additive shares and preserve Shuffle-DP's tight privacy guarantee. In each round, the aggregated result is verified to ensure correct aggregation and detect any selective dropping, achieving malicious security with minimal overhead. Extensive experiments across comprehensive benchmarks show that RAIN maintains strong privacy guarantees under Shuffle-DP and remains robust to poisoning attacks with negligible degradation in accuracy and convergence. It further provides real-time integrity verification with complete tampering detection, while achieving up to 90x lower communication cost and 10x faster aggregation compared with prior work.

RAIN: Secure and Robust Aggregation under Shuffle Model of Differential Privacy

TL;DR

Robust Aggregation in Noise (RAIN), a unified framework that reconciles privacy, robustness, and verifiability under Shuffle-DP, designs two novel secret-shared protocols for shuffling and aggregation that operate directly on additive shares and preserve Shuffle-DP's tight privacy guarantee.

Abstract

Secure aggregation is a foundational building block of privacy-preserving learning, yet achieving robustness under adversarial behavior remains challenging. Modern systems increasingly adopt the shuffle model of differential privacy (Shuffle-DP) to locally perturb client updates and globally anonymize them via shuffling for enhanced privacy protection. However, these perturbations and anonymization distort gradient geometry and remove identity linkage, leaving systems vulnerable to adversarial poisoning attacks. Moreover, the shuffler, typically a third party, can be compromised, undermining security against malicious adversaries. To address these challenges, we present Robust Aggregation in Noise (RAIN), a unified framework that reconciles privacy, robustness, and verifiability under Shuffle-DP. At its core, RAIN adopts sign-space aggregation to robustly measure update consistency and limit malicious influence under noise and anonymization. Specifically, we design two novel secret-shared protocols for shuffling and aggregation that operate directly on additive shares and preserve Shuffle-DP's tight privacy guarantee. In each round, the aggregated result is verified to ensure correct aggregation and detect any selective dropping, achieving malicious security with minimal overhead. Extensive experiments across comprehensive benchmarks show that RAIN maintains strong privacy guarantees under Shuffle-DP and remains robust to poisoning attacks with negligible degradation in accuracy and convergence. It further provides real-time integrity verification with complete tampering detection, while achieving up to 90x lower communication cost and 10x faster aggregation compared with prior work.
Paper Structure (32 sections, 1 theorem, 30 equations, 7 figures, 3 tables, 2 algorithms)

This paper contains 32 sections, 1 theorem, 30 equations, 7 figures, 3 tables, 2 algorithms.

Table of Contents

  1. Introduction
  2. Related Work
  3. Privacy-Preserving Federated Learning
  4. Robust Aggregation in Federated Learning
  5. Preliminaries
  6. Differential Privacy
  7. Cryptographic Foundations
  8. Problem Statement
  9. System Model
  10. Threat Model and Assumptions
  11. The Design of RAIN
  12. Overview
  13. Robust Aggregation in Noise
  14. Secret-shared Shuffle and Aggregation
  15. Streaming Integrity Verification
  16. ...and 17 more sections

Key Result

Lemma 1

Let $g_i$ be a scalar component of a clipped gradient with sensitivity $\Delta_g$, and $\tilde{b}_i = \mathrm{sign}(g_i + \eta_i)$ its privatized sign under the Sign-Gaussian mechanism, where $\eta_i \sim \mathcal{N}(0,\sigma^2)$. If $\sigma > \tfrac{4\Delta_g}{\varepsilon}$, the mechanism preserves Hence, RAIN achieves both strict differential privacy and stable robust aggregation.This lemma anal

Figures (7)

  • Figure 1: Effect of Shuffle-DP on aggregation robustness. Existing robust aggregation fails under Shuffle-DP: local noise distorts gradient geometry, anonymization removes identity continuity, and they are further vulnerable to tampering by the shuffler. RAIN preserves robustness under the same Shuffle-DP setting without relying on a trusted shuffler.
  • Figure 2: Overview of the RAIN framework. Each client $C_i$ locally adds DP noise and sign-encodes its update into a binary vector, then sends secret shares to two non-colluding servers $S_0$ and $S_1$. The servers execute a verifiable shuffle to anonymize message origins, perform MAC-based integrity checks to reject dropped or tampered messages, and compute Hamming-distance consistency over the shuffled sign vectors. RAIN then aggregates the verified updates in the arithmetic domain and reconstructs the global model $\tilde{\mathbf{W}}$.
  • Figure 3: Convergence of RAIN under Shuffle-DP ($\rho = 0$). Model accuracy (MA) over training iterations on FMNIST,and MNIST. RAIN achieves convergence comparable to FedAvg while significantly outperforming SignSGD in terms of stability and final accuracy across all datasets.
  • Figure 4: Privacy–Robustness Trade-off of RAIN. As the privacy budget $\varepsilon$ decreases, stronger DP noise slightly reduces model accuracy but also lowers the attack success rate (ASR).
  • Figure 5: Failure of existing robust aggregation methods under Shuffle-DP Geometry-based methods (Krum, Trim-Mean, FLOD, FLAME, etc.) and reputation-based methods (FLTrust, FoolsGold, DnC, CONTRA, FLARE, etc.) are evaluated under the adaptive Attack-DPFL across three datasets.
  • ...and 2 more figures

Theorems & Definitions (5)

  • Definition 1: Central Differential Privacy
  • Definition 2: Local Differential Privacy
  • Definition 3: Shuffled Differential Privacy
  • Lemma 1: Noise–Robustness Trade-off of RAIN
  • proof