defense 2026

RAIN: Secure and Robust Aggregation under Shuffle Model of Differential Privacy

Yuhang Li 1, Yajie Wang 1, Xiangyun Tang 2, Peng Jiang 1, Yu-an Tan 1, Liehuang Zhu 1

0 citations

Published on arXiv: 2603.03108

Data Poisoning Attack

OWASP ML Top 10 — ML02

Key Finding

RAIN achieves up to 90x lower communication cost and 10x faster aggregation than prior Byzantine-robust FL methods while maintaining robustness against poisoning attacks with negligible accuracy degradation under Shuffle-DP.

RAIN (Robust Aggregation in Noise)

Novel technique introduced


Secure aggregation is a foundational building block of privacy-preserving learning, yet achieving robustness under adversarial behavior remains challenging. Modern systems increasingly adopt the shuffle model of differential privacy (Shuffle-DP) to locally perturb client updates and globally anonymize them via shuffling for enhanced privacy protection. However, these perturbations and anonymization distort gradient geometry and remove identity linkage, leaving systems vulnerable to adversarial poisoning attacks. Moreover, the shuffler, typically a third party, can be compromised, undermining security against malicious adversaries. To address these challenges, we present Robust Aggregation in Noise (RAIN), a unified framework that reconciles privacy, robustness, and verifiability under Shuffle-DP. At its core, RAIN adopts sign-space aggregation to robustly measure update consistency and limit malicious influence under noise and anonymization. Specifically, we design two novel secret-shared protocols for shuffling and aggregation that operate directly on additive shares and preserve Shuffle-DP's tight privacy guarantee. In each round, the aggregated result is verified to ensure correct aggregation and detect any selective dropping, achieving malicious security with minimal overhead. Extensive experiments across comprehensive benchmarks show that RAIN maintains strong privacy guarantees under Shuffle-DP and remains robust to poisoning attacks with negligible degradation in accuracy and convergence. It further provides real-time integrity verification with complete tampering detection, while achieving up to 90x lower communication cost and 10x faster aggregation compared with prior work.


Key Contributions

  • Sign-space aggregation protocol that robustly measures update consistency and limits malicious influence even when Shuffle-DP distorts gradient geometry and removes client identity linkage
  • Two novel secret-shared cryptographic protocols for shuffling and aggregation that operate directly on additive shares while preserving Shuffle-DP's tight privacy guarantee
  • Per-round verifiable aggregation that detects selective dropping and tampering by a potentially compromised shuffler with negligible overhead, achieving up to 90x lower communication cost and 10x faster aggregation than prior work

🛡️ Threat Analysis

Data Poisoning Attack

The core security contribution is defending against adversarial poisoning from malicious federated learning clients (Byzantine attacks) that send corrupted gradient updates to degrade the global model. RAIN proposes robust aggregation (sign-space aggregation) that is explicitly Byzantine-fault-tolerant under the Shuffle-DP setting, and defends against a compromised shuffler selectively dropping or tampering with client updates — a supply-chain integrity threat specific to the FL aggregation pipeline.
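To make the abstract's and the threat analysis's central point concrete (why voting in sign space bounds what a poisoned update can do, even after local perturbation and shuffling), here is an added simulation that is not code from the paper or the RAIN project. It assumes randomized response on signs as a stand-in local mechanism and coordinate-wise majority vote as the sign-space rule; it deliberately omits the secret-shared shuffling, the share-based aggregation and the per-round verification the paper describes.

```python
import math
import random

def local_sign_rr(grad, eps, rng):
    # Client side: keep only the sign of each coordinate, then apply randomized
    # response: keep the sign with probability e^eps / (1 + e^eps), flip otherwise.
    # (Assumed stand-in for the local perturbation; not the paper's mechanism.)
    p_keep = math.exp(eps) / (1.0 + math.exp(eps))
    out = []
    for g in grad:
        s = 1 if g >= 0 else -1
        out.append(s if rng.random() < p_keep else -s)
    return out

def shuffle_and_sign_aggregate(reports, rng):
    # Shuffler: a random permutation removes which report came from which client.
    # Aggregator: coordinate-wise majority vote over the anonymised sign reports,
    # so every client contributes exactly +1 or -1 per coordinate, whatever its magnitude.
    shuffled = list(reports)
    rng.shuffle(shuffled)
    dim = len(shuffled[0])
    totals = [sum(r[j] for r in shuffled) for j in range(dim)]
    return [1 if t >= 0 else -1 for t in totals]

def mean_aggregate(grads):
    # Baseline: plain averaging of raw updates, where a scaled update dominates.
    dim = len(grads[0])
    return [sum(g[j] for g in grads) / len(grads) for j in range(dim)]

def agreement(agg, true_dir):
    # Fraction of coordinates whose aggregated sign matches the honest direction.
    return sum(1 for a, t in zip(agg, true_dir) if (a >= 0) == (t >= 0)) / len(true_dir)

def simulate(n_clients=100, n_byz=20, dim=500, eps=2.0, boost=100.0, seed=7):
    # Constructed scenario: honest clients see a noisy version of one true direction,
    # Byzantine clients send the opposite direction scaled by `boost`.
    rng = random.Random(seed)
    true_dir = [rng.choice((-1, 1)) for _ in range(dim)]
    honest = [[t + rng.gauss(0.0, 0.5) for t in true_dir] for _ in range(n_clients - n_byz)]
    byz = [[-boost * t for t in true_dir] for _ in range(n_byz)]
    grads = honest + byz
    reports = [local_sign_rr(g, eps, rng) for g in grads]
    sign_agg = shuffle_and_sign_aggregate(reports, rng)
    mean_agg = mean_aggregate(grads)
    return agreement(sign_agg, true_dir), agreement(mean_agg, true_dir)

if __name__ == "__main__":
    s, m = simulate()
    print(f"sign-space majority agrees with honest direction on {s:.1%} of coordinates")
    print(f"plain mean agrees on {m:.1%} (20% Byzantine clients, magnitude x100)")
```

Raising `boost` does not change the sign-space result at all, which is the bounded-influence property the page attributes to sign-space aggregation; the mean baseline flips to the attackers' direction as soon as their scaled updates outweigh the honest sum.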


Details

Domains
federated-learning
Model Types
federated
Threat Tags
training_time, grey_box
Applications
federated learning, privacy-preserving distributed learning