- The paper presents a rigorous FODP framework for frequency estimation that defends against TEE side-channel attacks while ensuring (ε,δ)-DP guarantees.
- It details three instantiations (FOUD, FOLNF, FOLNF*) with tight accuracy bounds, robust performance, and efficient runtime compared to prior work.
- It demonstrates practical feasibility on Intel SGX, closing gaps in deployable privacy-preserving analytics under realistic threat models.
Fully Oblivious Differential Privacy in the Augmented Shuffle Model with Trusted Execution Environments
Introduction
This paper proposes a rigorous framework—Fully Oblivious Differential Privacy (FODP)—for frequency estimation under Differential Privacy (DP) in the augmented shuffle model when the shuffler is implemented inside a Trusted Execution Environment (TEE). The motivation arises from the residual trust and robustness issues in existing shuffle-based DP protocols, especially their vulnerability to both collusion and sophisticated side-channel attacks against TEEs. The authors deliver the first practical FODP constructions, presenting algorithms that achieve strong privacy and efficiency guarantees even under these threat models and demonstrating robust empirical performance and theoretical bounds.
Background and Context
The shuffle model was introduced to address the drawbacks of the classical local and central DP models, specifically the accuracy-privacy trade-off and excessive trust in a single collector, respectively. In the augmented shuffle model, the shuffler further introduces random sampling and dummies, boosting robustness against user-data collector collusion. However, the implementation assumption that the shuffler is fully trustworthy is problematic—its compromise, especially in the form of side-channel leakage or collusion, severely imperils privacy.
Deployment in TEEs (e.g., Intel SGX) is a natural approach for constraining shuffler trust; yet state-of-the-art side-channel attacks targeting access patterns and internal control flow break prior guarantees. The paper's contribution is in systematizing defense against these capabilities.
FODP: Notion and Implications
The core theoretical advance is the FODP definition, which strengthens (ε,δ)-DP to encompass all observable traces: output, external/internal memory access patterns, and instruction traces. This is parameterized for defense against "internal" adversaries with access to TEE side channels, as opposed to "external" adversaries who only see the released output.
This formalization is strictly stronger than prior primitives (including ODP and differential obliviousness), enabling it to subsume all relevant side-channels. The authors also prove the sufficiency of combining standard DP with "full obliviousness" for single-user secrets to achieve FODP, providing both compositionality and a systematic construction path.
FODP Algorithmic Framework
The authors instantiate their framework in the context of frequency estimation, a canonical high-sensitivity statistical query. The key is to design the TEE shuffler so that all observable behavior—memory allocation sizes, control flows, access sequences—are data-independent, except (inevitably) through the total domain size and public constants.
The general mechanism incorporates:
- Input randomization via fixed-probability subsampling (sampling probability β)
- Dummy injection via a DP-compliant count distribution, with dummy and bot counts obfuscated to constants or DP noise
- Fully oblivious processing of dummies, including allocation, initialization, and swap control, shielding all access and instruction traces
- Final fully oblivious shuffling (via ORShuffle or WaksShuffle circuits)
- Post-sanitization estimation outside the TEE
Three instantiations are constructed:
- FOUD: Fully Oblivious Uniform Dummies, an adaptation of the UD protocol with no local user noise.
- FOLNF: Fully Oblivious Local-Noise-Free, adapting the LNF protocol, where bot counts are set to deterministic constants.
- FOLNF*: An efficiency-optimized variant where bot counts are synthesized by adding DP noise to the number of injected dummies, using a novel joint asymmetric geometric distribution.
Theoretical Properties
Each instantiation is shown to satisfy both (ε,δ)-DP and (ε,δ)-FODP, with the following highlights:
- Robustness: All constructions are robust to collusion between users and the data collector, i.e., the privacy budget remains unchanged even if an adversary compromises an arbitrary subset of users.
- Defenses against poisoning: Because all noise is injected inside the TEE, input and output poisoning by users is strictly limited to fidelity tampering of their submitted values.
- Tight accuracy bounds: The authors provide explicit analytical lâ‚‚ and additive error guarantees, usually strictly improving upon prior state-of-the-art (as in [24,33,76]). For FOLNF*, the use of joint asymmetric geometric noise compresses runtime without significant accuracy loss.
- Efficiency: The general framework achieves O~(n+d) time for core operations, outperforming prior fully oblivious central DP emulation (which has O~(nd) complexity).
For large-domain settings, the count-min sketch is incorporated, with careful privacy loss accounting and a new error analysis which remains non-trivial even for aggressive sketching.
Experimental Evaluation
The methods are benchmarked on Intel SGX hardware (implementing ORShuffle without stack depth bottlenecks) over both small and massive categorical domains. The key findings:
- Accuracy: FOLNF and FOLNF* (particularly using the asymmetric geometric dummy distribution) achieve MSE orders of magnitude lower than previous shuffle/central DP protocols at matched privacy parameters, and their performance is consistently close for all n, d regimes.
- Efficiency: The largest evaluated instantiation (n=d=108) runs in under 16 hours even with strongest FODP parameters—a central DP histogram in TEE would require over 270 days for the same inputs.
- Trade-offs: FOLNF* reduces the expected number of bots by up to one-third relative to FOLNF at the same privacy level, translating to faster runtimes and lower memory usage.
Additionally, the communication and computational overhead is significantly lower than the recent FME protocol, with the further advantage of requiring only one communication round.
Implications and Future Directions
Practically, this work closes essential gaps in deployable, single-server privacy-preserving analytics. It demonstrates that it is possible to achieve robustness to user collusion and all-realistic TEE adversaries—currently a major bottleneck to the adoption of shuffle model DP in production.
Theoretically, the compositional FODP construction enables principled design of algorithms for broader classes of functions, and the tight composition and analysis machinery can be applied to other shuffle or TEE-based DP primitives. The developed joint asymmetric geometric mechanism could see further application in other privacy-preserving tasks and potentially yield new bounds on utility-privacy fronts.
Limitations include current inapplicability to timing attacks (potentially mitigated by constant-time implementation tweaks suggested in the paper), and per-TEE memory constraints, which may be addressed by future enclave architectures. Extensions to richer tasks such as private reporting of complex statistics, graph algorithms, and federated learning models are promising lines for investigation.
Conclusion
The work provides a rigorous, side-channel-resilient DP mechanism for frequency estimation in a single-server setting using TEEs, and is the first to combine robustness to collusion, complete obliviousness, strong accuracy, and practical runtime in this context. The FODP framework and associated algorithms serve as a blueprint for future work targeting practical, high-assurance privacy-preserving analytics in adversarial environments.