Robust Estimation Method against Poisoning Attacks for Key-Value Data with Local Differential Privacy

Abstract

Local differential privacy (LDP) protects user information from potential threats by randomizing data on individual devices before transmission to untrusted collectors. This method enables collectors to derive user statistics by analyzing randomized data, thereby presenting a promising avenue for privacy-preserving data collection. In the context of key–value data, in which discrete and continuous values coexist, PrivKV has been introduced as an LDP protocol to ensure secure collection. However, this framework is susceptible to poisoning attacks. To address this vulnerability, we propose an expectation maximization (EM)-based algorithm combined with a cryptographic protocol to facilitate secure random sampling. Our LDP protocol, known as emPrivKV, exhibits two key advantages: it improves the accuracy of statistical information estimation from randomized data, and enhances resilience against the manipulation of statistics, that is, poisoning attacks. These attacks involve malicious users manipulating the analysis results without detection. This study presents the empirical results of applying the emPrivKV protocol to both synthetic and open datasets, highlighting a notable improvement in the precision of statistical value estimation and robustness against poisoning attacks. As a result, emPrivKV improved the frequency and the mean gains by $17.1\%$ and $25.9\%$, respectively, compared to PrivKV, with the number of fake users being $0.1$ of the genuine users. Our findings contribute to the ongoing discourse on refining LDP protocols for key–value data in scenarios involving privacy-sensitive information.

1. Introduction

Wearable devices are seamlessly integrated into our daily lives and capture various key–value data that span health metrics, physical activity tracking, sleep patterns, location data, biometric identifiers, and environmental conditions. For example, consider the key–value data generated from smartphone app usage, where the key represents the application name and the corresponding value indicates the time spent on each app, e.g., “a user may spend 2 h on YouTube, 1 h on Twitter, and 0.5 h on Instagram”. In this scenario, “app name” serves as the key, while the respective durations constitute the values. This key–value pair not only provides a snapshot of the digital behavior of the user, but also unveils insights into their preferences and social interactions. Although such data are valuable for personalization and app optimization, they raise privacy concerns relating to tracking the online activities of individuals. The aggregation of these seemingly benign key–value pairs could enable the inference of aspects of a user’s lifestyle, underscoring the need for carefully considering privacy implications.

Local differential privacy (LDP) is a privacy-enhanced technique for mitigating privacy challenges. In this approach, individual users locally perturb their personal data before transmission to an untrusted server. Various LDP protocols have been introduced to address distinct data types. Erlingsson et al. proposed the LDP framework RAPPOR [1], which represents a significant advancement in privacy-preserving techniques. Ye et al. presented PrivKV [2], which is an LDP scheme that is tailored for the secure collection of key–value data and is characterized by a two-dimensional structure accommodating both discrete and continuous values. The landscape of LDP protocols for key–value data has been further enriched by the introduction of several alternative schemes [3,4], reflecting the ongoing exploration within the realm of LDP.

However, the localized nature of perturbation in LDP protocols introduces a vulnerability to “poisoning attacks”. In such attacks, malicious entities introduce fake users who transmit counterfeit data for a specific key with the intention of manipulating the analytical outcomes of the server, such as altering the frequency of particular keys or their mean reputation scores. If a fraudulent user submits the fabricated key and value data in a predetermined LDP protocol, the server cannot detect these data because of the privacy guarantee offered by LDP. Cao et al. [5] studied a family of poisoning attacks on LDP schemes. Furthermore, Wu et al. [6] identified three distinct types of poisoning attacks that specifically target PrivKV, demonstrating its vulnerability. They proposed defense mechanisms against these poisoning attacks; however, these defenses necessitate the prolonged observation of data collection for optimal efficacy.

In this study, we investigate the vulnerability of the LDP protocol for key–value data to poisoning attacks. First, we introduce a cryptographic protocol known as oblivious transfer (OT) [7] to mitigate intentional key selection by fake users. In contrast to the conventional approach of conducting random sampling locally, our protocol involves the server collaboratively in the secure sampling process, providing proactive security, as opposed to the reactive methods that were employed in prior studies. Second, we demonstrate the vulnerability of PrivKV to poisoning attacks using its estimation algorithm. Because the reliance of estimation depends on a single frequency for a key, it is vulnerable to manipulation, particularly when dealing with a limited number of targeted keys. To address this limitation, we propose integrating an expectation maximization (EM) algorithm [8]. By iteratively estimating posterior probabilities, the EM algorithm enhances consistency across all observed values, thereby improving accuracy even in scenarios with a large user base.

We performed empirical investigations using synthetic data and common open datasets to assess the robustness of the proposed protocol against various types of poisoning attacks. The outcomes of these experiments provided a basis for comparative analysis, allowing us to evaluate the efficacy of our proposed scheme compared with conventional approaches such as PrivKV and PrivKVM. This examination aims to elucidate the resilience and performance of the protocol under varying conditions, thereby providing valuable insights into the discourse on privacy-preserving data collection methodologies.

Our contributions are as follows.

• Novel LDP Algorithm: We introduce a novel LDP algorithm that is designed to enhance robustness against specific types of poisoning attacks. This newly proposed algorithm leverages an iterative process involving Bayesian posterior probabilities, thereby improving the accuracy of the estimates while maintaining resilience against the impact of poisoning data.
• Experimental Validation: The proposed protocol was empirically validated through a series of experiments employing both synthetic and publicly available open datasets. The experimental results demonstrate the robustness of the proposed algorithm. Comparative analyses reveal superior performance in terms of the estimation accuracy and resistance to poisoning attacks compared with the PrivKV protocol. These findings substantiate the efficacy and practical applicability of the proposed method in the context of privacy-preserving data collection frameworks.

The preliminary version of this work was presented at Modeling Decisions for Artificial Intelligence (MDAI) 2023 [9]. This paper includes three additional points: related works and their comparison, experimental results and costs with OT protocol, and experimental results using synthetic data.

2. Related Works

2.1. Privacy Preservation for Key–Value Data

Differential privacy (DP) was proposed by Dwork [10]. DP is a central model that theoretically guarantees the privacy of statistical information publications [11,12] and machine learning models [13,14]. Duchi et al. proposed LDP [15], which does not require trustworthiness of the collectors. Academic research has been conducted on LDP owing to its stronger privacy guarantees. Kairouz et al. [16] proposed an LDP protocol for discrete values using randomized response (RR) [17]. Elingson et al. proposed an LDP protocol known as RAPPOR [1] using a Bloom filter [18] and RR to improve the estimation accuracy. Duchi et al. proposed the LDP protocol stochastic rounding (SR) [19] and Nguyên et al. proposed the LDP protocol Harmony [20] for continuous values. Wang et al. [21] proposed the piecewise mechanism (PM) and hybrid mechanism to improve the estimation accuracy for continuous values. LDP protocols including PrivKV, PrivKVM [2], PCKV [3], and PrivKVM* [4] have been proposed for key–value data that consist of a combination of discrete and continuous values.

In addition, advanced methods have been proposed to improve the estimation accuracy. Ren et al. [22] and Fanti et al. [23] proposed a method that applies the EM algorithm [8] and LASSO regression [24] to the LDP protocol RAPPOR. Li et al. proposed the EM with a smoothing algorithm [25] that applies the EM algorithm to SR and PM.

The LDP protocol is vulnerable to poisoning attacks that manipulate the estimated values by intentionally modifying the protocol [26]. Poisoning attacks have been studied for several LDP protocols [5,6,27].

Cao et al. [5] evaluated the robustness of discrete-value LDP protocols against poisoning attacks and demonstrated that attackers could increase the estimated frequency of specific target items by injecting fake users into the system. Wu et al. [6] studied the robustness of LDP protocols for key–value data such as PrivKV and PCKV against poisoning attacks. Du et al. [27] studied targeted poisoning attacks on LDP protocols to estimate the mean and variance of the numerical data.

Furthermore, prior works [28,29,30] studied poisoning attacks on LDP protocols for specific use cases. Wang et al. [28] investigated poisoning attacks on multidimensional preference data, including both implicit preference data, such as the item list bought by a user, and explicit preference data, such as ranking data over candidates. Imola et al. [29] studied poisoning attacks on LDP protocols for degree estimation in graphs. Sasada et al. [30] considered targeted poisoning attacks on LDP protocols for location data estimation.

Previous studies  [31,32,33] investigated poisoning attacks against machine learning models employing DP or LDP. Machine learning models against data poisoning attacks involve the manipulation of a poisoned training dataset to change the models to a desired one. Borgnia et al. [31] demonstrated that differential private data augmentation can mitigate poisoning attacks. Ma et al. [32] investigated the impact of poisoning attacks on a machine learning model trained using differential private algorithms. Naseri et al. [33] investigated the robustness against poisoning attacks in federated learning using DP and LDP.

Several simple countermeasures against poisoning attacks on LDP have been proposed in existing studies. Wu et al. [6] developed one-class classification (OCC) [34] using an isolation forest [35] and a method based on an anomaly score for detecting fake users. Similarly, Li et al. [27] proposed a sampling-then-clustering (STC) method [36] using k-means clustering. Li et al. [37] proposed an optimization method for setting parameters that are robust against poisoning attacks on LDP.

A straightforward approach is to apply a standard randomized response mechanism, such as that in [17,38], to each coordinate, which incurs a large communication cost proportional to the size of the range of items. Some prior studies [39,40,41] assumed that each user holds exactly one item from a large range of items. However, this assumption is too strong to generalize the problem. Zhou et al. [41] combined the sparse scheme with a new random binning and achieved an optimal communication cost of $O(klogk)$, where k is the maximum number of non-zeros independent of the range size, and optimal accuracy.

To detect fake users, Wu et al. [6] proposed two methods: (1) OCC-based detection, where observations of multiple rounds for each user provide the feature vector used for outlier detection, which distinguishes between genuine and fake groups, and (2) anomaly score-based detection, where the anomalous behavior of sending the same key in multiple rounds is detected based on the frequencies of keys in multiple rounds for each user. They reported that these defense methods are effective when the number of targeted keys is small. Li et al. [27] proposed a clustering-based method in which multiple subsets of users are sampled and clustering algorithms such as k-means are used to detect attackers. However, these methods assume that each user sends data over multiple rounds, implying that real-time detection is not feasible.

2.2. Novelty of This Research

In this paper, we propose an estimation method using the EM algorithm for the perturbation method, similar to the LDP protocol PrivKV [2]. Some studies have leveraged attacker detection [6,27] and parameter optimization [37] to improve the robustness against poisoning attacks on LDP. However, to the best of our knowledge, no studies have evaluated the robustness of these estimation methods against poisoning attacks on LDP. We also propose defense methods using the OT protocol against poisoning attacks. OT is a proactive measure, whereas methodologies such as OCC [6] and STC [27] are reactive. This is the greatest difference between our study and the previous works. In our approach, random item selection in LDP is performed in collaboration between the user and server; hence, no malicious user sends fake data to manipulate the estimation. This is an ideal countermeasure under the assumption that the building blocks are secure. In contrast, OCC and STC are probabilistic measures that allow small fake data to be sent to the LDP. By combining EM and OT, we aim to improve the estimation accuracy and robustness to poisoning attacks.

Why propose a method that applies the EM algorithm to fixed-length vectors containing missing values? Rather than estimating the key frequency and average value independently in maximum likelihood estimation (MLE), the marginal probability of the intermediate set is estimated from the output using the EM algorithm, resulting in a more robust combination estimation. Therefore, we propose an EM algorithm application method that is specific to PrivKV and attempt to improve the estimation accuracy of the statistical values.

We also report the effects of the estimated value manipulation by poisoning attacks on the LDP protocol of the proposed method.

3. Local Differential Privacy

3.1. Fundamental Definition

LDP is a privacy-preserving technique in which individual users randomize their own data before submitting them to a service provider. This randomization process helps to protect the privacy of each user’s data while allowing accurate computation of the aggregate statistics. LDP ensures that sensitive information remains confidential at the local level, providing a decentralized solution for data privacy. LDP is defined as follows:

Definition 1. 

A randomized algorithm Q satisfies ϵ-LDP if for all pairs of values v and $v^{\prime }$ of domain V and for all subsets S of range Z ($S\subset Z$), and for $ϵ\ge 0$, the following inequality always holds:   

$$Pr[Q\left(v\right)\in S]\le e^{ϵ}Pr[Q\left(v^{\prime }\right)\in S].$$

3.2. PrivKV

PrivKV takes input data in the key–value form, which is a two-dimensional data structure of discrete (“key”) and continuous (“value”) variables. For the sample, the key–values are {$\langle YouTube,2\rangle$, $\langle Twitter,1\rangle$, $\langle Instagram,0.5\rangle$}, which represent the pair of each app and the time spent on that app. PrivKV estimates the frequency and mean values of each key. The PrivKV approach combines two LDP protocols: RR [16] for randomizing keys and the value perturbation protocol (VPP) [20] for perturbing values. Although the number of dimensions is restricted to two, the key–value is a primitive data structure that is commonly used in several applications. PrivKV consists of three steps for frequency and mean estimation: sampling, perturbation, and estimation.

3.2.1. Sampling

Suppose that n users exist and let $S_i$ be a set of key–value tuples $\langle k,v\rangle$ possessed by the i-th user. In PrivKV, the set of tuples is transformed into a d-dimensional vector. Here, d represents the cardinality of key domain K, and the missing key is denoted as $\langle k,v\rangle =\langle 0,0\rangle$. For instance, a set of key–values $S_i=\{\langle k_1,v_1\rangle ,\langle k_4,v_4\rangle ,\langle k_5,v_5\rangle \}$ is converted into a $d=5$ dimensional vector $S_i=\left(\langle 1,v_1\rangle ,\langle 0,0\rangle ,\langle 0,0\rangle ,\langle 1,v_4\rangle ,\langle 1,v_5\rangle \right)$. In this case, keys $k_1$, $k_4$, and $k_5$ are implicitly indicated by the presence of 1 in the corresponding position. PrivKV employs a 1-out-of-d random sampling method to select one element $\langle k_a,v_a\rangle$ from the d-dimensional vector $S_i$ of the key–value data.

3.2.2. Perturbation

This process consists of two steps: perturbing the values and perturbing the keys. It uses the VPP used in Harmony [20] for the selected tuple. The value $v_a$ in the key–value pair is discretized as

$$v_a^{\prime }=\left\{\begin{array}{ccc}1\hfill & \mathrm{w}/\mathrm{p}.\hfill & {\displaystyle \frac{1+v_a}{2}},\hfill \\ -1\hfill & \mathrm{w}/\mathrm{p}.\hfill & {\displaystyle \frac{1-v_a}{2}}.\hfill \end{array}\right.$$

(1)

The discretized value $v_a^{\prime }$ of the tuple $\langle 1,v_a\rangle$ is perturbed to yield ${v^{+}}_a=VPP(v_a^{\prime },{ϵ}_2)$, which is defined as

$$v_a^{+}=\left\{\begin{array}{ccc}{v}_a^{\prime }\hfill & \mathrm{w}/\mathrm{p}.\hfill & p_2={\displaystyle \frac{e^{{ϵ}_2}}{(1+e^{{ϵ}_2})}},\hfill \\ -v_a^{\prime }\hfill & \mathrm{w}/\mathrm{p}.\hfill & q_2={\displaystyle \frac{1}{(1+e^{{ϵ}_2})}},\hfill \end{array}\right.$$

(2)

where ${ϵ}_2$ is the privacy budget for values. Based on Equations (1) and (2), the value of the “missing” tuple $\langle 0,0\rangle$ is replaced by ${v^{+}}_a=VPP(v_a^{\prime },{ϵ}_2)$, where $v_a$ is selected uniformly from $[-1,1]$.

A key is perturbed by the RR scheme [16] as

$$\langle k_a^{*},v_a^{+}\rangle =\left\{\begin{array}{ccc}\langle 1,v_a^{+}\rangle \hfill & \mathrm{w}/\mathrm{p}.\hfill & p_1={\displaystyle \frac{e^{{ϵ}_1}}{1+e^{{ϵ}_1}}},\hfill \\ \langle 0,0\rangle \hfill & \mathrm{w}/\mathrm{p}.\hfill & q_1={\displaystyle \frac{1}{1+e^{{ϵ}_1}}},\hfill \end{array}\right.$$

(3)

where $v_a^{+}$ is perturbed as described above. A “missing” tuple $\langle 0,0\rangle$ is randomized as

$$\langle k_a^{*},v_a^{+}\rangle =\left\{\begin{array}{ccc}\langle 0,0\rangle \hfill & \mathrm{w}/\mathrm{p}.\hfill & p_1={\displaystyle \frac{e^{{ϵ}_1}}{1+e^{{ϵ}_1}}},\hfill \\ \langle 1,v_a^{+}\rangle \hfill & \mathrm{w}/\mathrm{p}.\hfill & q_1={\displaystyle \frac{1}{1+e^{{ϵ}_1}}}.\hfill \end{array}\right.$$

(4)

Each user submits the perturbed tuple $\langle k_a^{*},v_a^{+}\rangle$ together with the index a of the tuple.

3.2.3. Estimating

Let $f_i$ be the true frequency of key $k_i$ and let $f_i^{\prime }$ be the observed key frequencies among the perturbed vectors, for which $k_i$ = 1. The frequency estimation using MLE is as follows:

$${\widehat{f}}_i={\displaystyle \frac{n(p_1-1)+f_i^{\prime }}{2p_1-1}},$$

(5)

where

$$p_1={\displaystyle \frac{e^{{ϵ}_1}}{1+e^{{ϵ}_1}}}.$$

(6)

Let $m_i$ be the true mean of key $k_i$. Let $n_i^{\left(1\right)}$ and $n_i^{(-1)}$ be the counts of $v_i=1$ and $v_i=-1$ in the perturbed vectors. $n_i^{\left(1\right)}$ and $n_i^{(-1)}$ are calculated as ${\widehat{n}}_i^{\left(1\right)}$ and ${\widehat{n}}_i^{(-1)}$ in the same manner as in Equation (5).

$$\begin{array}{ccc}\hfill {\widehat{n}}_i^{\left(1\right)}& =& {\displaystyle \frac{n(p_2-1)+n_i^{\left(1\right)}}{2p_2-1}},\hfill \end{array}$$

(7)

$$\begin{array}{ccc}\hfill {\widehat{n}}_i^{(-1)}& =& {\displaystyle \frac{n(p_2-1)+n_i^{(-1)}}{2p_2-1}},\hfill \end{array}$$

(8)

where

$$\begin{array}{c}\hfill p_2={\displaystyle \frac{e^{{ϵ}_2}}{1+e^{{ϵ}_2}}}.\end{array}$$

(9)

Therefore, the mean estimation using Maximum Likelihood Estimation (MLE) is as follows:

$${\widehat{m}}_i={\displaystyle \frac{{\widehat{n}}_i^{\left(1\right)}-{\widehat{n}}_i^{(-1)}}{n}}.$$

(10)

According to the composition theorem of DP [10], the sequential composition of randomization algorithms with privacy budgets ${ϵ}_1$ (for keys) and ${ϵ}_2$ (for values) results in $({ϵ}_1+{ϵ}_2,0)$-DP.

3.2.4. PrivKVM

The weakness of PrivKV is its accuracy. Because it samples only one tuple out of d candidates, the estimated mean tends to 0 as the domain size d increases. To improve the performance, Ye et al. proposed an iterative improvement of PrivKV known as PrivKVM [2].

Instead of assigning a uniform random value $v_a^{\prime }$ for the “missing” tuple $\langle 0,0\rangle$, privKVM uses the first estimation for the second iteration. The updated frequencies are estimated by repeating the iteration until the predetermined times. Privacy budgets are assigned optimally as ${ϵ}_{11}={ϵ}_1$, ${ϵ}_{12}={ϵ}_{13}=\cdots ={ϵ}_{1c}=0$ and ${ϵ}_{21}={ϵ}_{22}=\cdots ={ϵ}_{2c}={ϵ}_2/c$, where c is the number of iterations.

3.3. Poisoning Attack

A poisoning attacks in LDP [5,6,27] involves an attacker injecting fake users into the system and manipulating the analytics results of the server via sending carefully crafted data from the fake users to the server.

Figure 1 shows the framework of a poisoning attack. We assume that attackers can inject m fake users into the system. They have access to public information regarding the targeted LDP scheme, such as the privacy budget $ϵ$ and perturbation procedures. Within a set of n genuine users, the server estimates the frequency and mean of r targeted keys among $n+m$ users. The attacker intentionally manipulates the estimated frequency and mean value of a set of targeted keys. We assume that the attacker targets r keys out of d, aiming for manipulation of the frequencies and mean values.

Wu et al. [6] proposed three types of poisoning attacks:

• Maximum gain attack (M2GA): All fake users generate optimal fake outputs for perturbation messages to maximize the gains of the frequency and mean. That is, they select a targeted key k (selected randomly from r targeted keys) and send $\langle 1,1\rangle$ to the server.
• Random message attack (RMA): Each fake user uniformly selects a message from the domain and sends $\langle 0,0\rangle$, $\langle 1,-1\rangle$, and $\langle 1,1\rangle$ with probabilities $1/2$, $1/4$, and $1/4$, respectively.
• Random key–value pair attack (RKVA): Each fake user randomly selects a key k from the target key set with a specified value 1 and perturbs $\langle 1,1\rangle$ according to the protocol.

4. Proposed Algorithm

4.1. Concept

To prevent fake key–value data poisoning attacks, we propose two defense methods: perturbation using Oblivious OT (refer to Section 4.2) and EM estimation of the frequency and mean (refer to Section 4.3).

Figure 2 shows the framework of the proposed protocol, which is adapted based on the OT protocol. First, attempts to increase the frequency of the target keys are thwarted by deliberately selecting keys without random sampling. Therefore, the attempts fail when the server conducts random sampling of fake user actions. Even if the server selects random keys, no information regarding the key–value data is leaked. Note that the privacy budget (${ϵ}_1$ and ${ϵ}_2$) is used solely for perturbation of the keys and values. Thus, we ensure secure sampling using encryption protocols (OT).

Next, we consider why the estimation may be vulnerable to poisoning attacks. The MLE used in PrivKV is claimed to have a low estimation accuracy for biased distributions because it is based on a single frequency of keys. Therefore, it is vulnerable when the number of targeted keys is small. Instead, we attempt to resolve this limitation using the EM algorithm. EM iteratively estimates the posterior probabilities and can improve the accuracy when the number of users n is large and ample observation data are available, providing estimates that match all observed values.

Table 1. Comparison of defenses approaches.

Step	PrivKV [2]	Our Work
1 Pre-sampling	1-out-of-d sampling	–
2 Perturbing	Value VPP$(v,{ϵ}_2)$
	Key RR$(k,{ϵ}_1)$
3 Post-sampling	–	1-out-of-d OT
4 Estimating	MLE	EM

summarizes the approach for each step in PrivKV, namely sampling, perturbation, and estimation.

4.2. Oblivious Transfer

OT is a cryptographic protocol in which a sender transfers one of multiple pieces of information to a receiver without knowing which piece is sent. Naor and Pinkas [7] introduced a 1-out-of-N OT protocol using a 1-out-of-2 OT as the building block, as shown in Algorithm 1.

Our objective is to thwart M2GA attacks, in which fake users deliberately select target keys (or sets of keys) to increase the frequency and mean value of those specific keys. To achieve this, we replace the 1-out-of-d random sampling of PrivKV with the 1-out-of-d OT protocol between the user (A in OT) with d key–value pairs and the server (B), which selects one element $\langle k_a,v_a\rangle$. However, the server cannot perform subsequent perturbation steps, as it must remain unaware of whether the user has key $k_a$ or the private value $v_a\in [0,1]$. Therefore, we rearrange the steps such that users perturb the keys and values before the server randomly selects a key–value pair via OT.

Algorithm 2 outlines the proposed perturbation process using the OT protocol for sampling. The perturbed key–value pairs are used to estimate the frequency and mean for the keys. With the step reordering, users must perturb key–value pairs for all d keys, leading to an increased computational cost on the user side by a factor of d. However, we consider this increase in the computational cost to be negligible because the perturbation is lightweight compared to the cryptographic cost of the 1-out-of-d OT. This algorithm proves robust against poisoning attacks.

Algorithm 1 1-out-of-N OT [7]

Suppose A has N messages $m_0,\dots ,m_N\in {\{0,1\}}^n$, where $N=2^{\ell }-1$

A generates $2\ell$ secret key pairs $(K_1^0,K_1^1),\dots ,(K_{\ell }^0,K_{\ell }^1)$. A sends to B the ciphertexts $C_0,\dots ,C_N$, where $C_I=m_I\oplus F_{K_1^{I_1}}\left(I\right)\oplus \cdots \oplus F_{K_{\ell }^{I_{\ell }}}\left(I\right)$ and I is the ℓ-bit string $I_1\dots I_{\ell }\in {\{0,1\}}^2$ and $F_K$ is a pseudo-random function. A and B perform ℓ 1-out-of-2 OT ($K_i^0,K_i^1)$ so that B learns $K_1^{t_1},\dots ,K_{\ell }^{t_{\ell }}$ where t is the index that B chooses from N messages such that $t=1_1\dots t_i\in {\{0,1\}}^{\ell }$. B decrypts $C_t$ using $K_1^{t_1},\dots ,K_{\ell }^{t_{\ell }}$ to obtain $m_t$.

Proposition 1. 

An M2GA poisoning attack against the PrivKV scheme with 1-out-of-d OT for sampling key–value pairs has frequency and the mean gains as large as an RMA poisoning attack has.

Proof of Proposition. 

Using an OT protocol, the fake users in the M2GA attack are not able to intentionally select the targeted keys. They may craft an arbitrary value but the server can detect invalid pairs other than the valid perturbed pairs $\langle 0,0\rangle$, $\langle 1,-1\rangle$, and $\langle 1,1\rangle$. Therefore, they can prepare the valid perturbed pairs with arbitrary fractions, which is equivalent to an RMA attack. Therefore, the frequency and the mean gains will be less than or equal to those of an RMA attack.    □

Algorithm 2 Perturbation of key–value pairs with OT

$S_1,\dots ,S_n\leftarrow$ key–value data for n users. for all $u\in \{1,\dots ,n\}$ do perturbs all $\langle k_a,v_a\rangle \in S_u$     $v_a^{+}\leftarrow VPP(v_a^{\prime },{ϵ}_2)$ and $k_a^{*}\leftarrow RR(k_a^{\prime },{ϵ}_1)$     u with $\langle v_1^{+},k_1^{*}\rangle ,\dots ,\langle v_d^{+},k_d^{*}\rangle$ performs 1-out-of-d OT with a server. end for return The server has n perturbed key–value pairs.

4.3. EM Estimation for Key–Value Data

The EM algorithm operates through iterative steps, in which the posterior probabilities are refined using Bayes’ theorem [8]. We propose employing the EM algorithm to estimate the frequency and mean values from key–value data that are perturbed in PrivKV.

Algorithm 3 outlines the overall procedure for the proposed EM algorithm, which is tasked with estimating the frequency and means of the key–value data. Given n perturbed values $z_1,\dots ,z_n$, we iterate the estimation of posterior probabilities for $x_1,\dots ,x_d$ as ${\Theta }^{\left(t\right)}=({{\theta }_1}^{\left(t\right)},{{\theta }_2}^{\left(t\right)},\dots ,{{\theta }_d}^{\left(t\right)})$ until convergence.

Algorithm 3 EM algorithm for PrivKV

$\langle v^{+},k^{*}\rangle \dots \leftarrow$ the perturbed key–value pair for n users. ${\Theta }^{\left(0\right)}\leftarrow$ a uniform probability for $X=\{\langle 1,1\rangle ,\langle 1,-1\rangle ,\langle 0,1\rangle ,\langle 0,-1\rangle \}$. repeat(E-step)     $t\leftarrow 1$     Estimate posterior probability ${{\widehat{\theta }}_{u,i}}^{\left(t\right)}\leftarrow Pr\left[x_i\right|z_u]={\displaystyle \frac{Pr\left[z_u\right|x_i]{{\theta }_i}^{(t-1)}}{{\sum }_{s=1}^{\left|X\right|}Pr\left[z_u\right|x_s]{{\theta }_s}^{(t-1)}}},$     (M-step) Update marginal probability ${\theta }^{\left(t\right)}\leftarrow {\displaystyle \frac{1}{n}}{\sum }_{u=1}^n{{\widehat{\theta }}_u}^{(t-1)}.$ until  $|{\theta }_i^{(t+1)}-{\theta }_i^{\left(t\right)}|\le \eta$ for all $a\in K$ do estimate     $\widehat{f_a}\leftarrow n({\theta }_{\langle 1,1\rangle }^{\left(t\right)}+{\theta }_{\langle 1,-1\rangle }^{\left(t\right)})$ and ${\widehat{m}}_a\leftarrow {\displaystyle \frac{{\theta }_{\langle 1,1\rangle }^{\left(t\right)}-{\theta }_{\langle 1,-1\rangle }^{\left(t\right)}}{{\theta }_{\langle 1,1\rangle }^{\left(t\right)}+{\theta }_{\langle 1,-1\rangle }^{\left(t\right)}}}$ end for return  $\widehat{f_1},\widehat{m_1},\dots ,\widehat{f_d},\widehat{m_d}$

5. Evaluation

5.1. Data

In this study, experiments were conducted using synthetic data from two open datasets. An overview of each dataset is presented in

Table 2. Open datasets.

Item	Synthetic Data (Gauss)	MoveiLens [42]	Clothing [43]
Ratings	5,000,000	10,000,054	192,544
Users (n)	100,000	69,877	9657
Items (d)	100	10,677	3183
Value range	$[-1$, $1]$	$[0.5$, $5]$	$[1$, $10]$

. For the synthetic data, we synthesized the data such that the number of each key held by the user and value of each key depended on the Gaussian distribution $(\mu =0,\sigma =10)$. The MovieLens dataset [42] and Clothing Fit dataset [43] were used in addition to synthetic data.

5.2. Metrics

5.2.1. Accuracy Metrics

Given a dataset of key–value pairs provided by n users, we employ emPrivKV, PrivKV, and PrivKVM (c = 3) to estimate the frequency $\widehat{f}k$ and mean value $\widehat{m}k$ for key k. The mean square error (MSE) of these estimates is defined as follows:

$$\begin{array}{ccc}\hfill MSEf& =& {\displaystyle \frac{1}{\left|K\right|}}\sum _{i=1}^{\left|K\right|}{({\widehat{f}}_i-f_i)}^2,\hfill \end{array}$$

(11)

$$\begin{array}{ccc}\hfill MSEm& =& {\displaystyle \frac{1}{\left|K\right|}}\sum _{i=1}^{\left|K\right|}{({\widehat{m}}_i-m_i)}^2,\hfill \end{array}$$

(12)

where $f_k$ and $m_k$ represent the actual frequency and mean of key k. After repeating each estimation 10 times, we assess the accuracy of the estimations.

5.2.2. Robustness Metrics

The robustness of the estimation algorithm is determined by its ability to withstand poisoning attacks, in which a poisoning attempt fails to alter the estimation outcomes. We measured this robustness using the concept of “frequency gain”, which is defined as the cumulative difference between the estimated and poisoned frequencies for the targeted keys. Formally, the frequency gain is expressed as

$$\begin{array}{c}\hfill G_f\left(Y\right)=\sum _{k\in T}E[\Delta {\widehat{f}}_k],\end{array}$$

(13)

where $\Delta {\widehat{f}}_k={\tilde{f}}_k-{\widehat{f}}_k$ represents the distance between the estimated and poisoned frequencies for key k, in which ${\tilde{f}}_k$ is the estimated frequency when key k is targeted by a poisoning attack.

Similarly, the “mean gain” is calculated as the aggregate difference between the estimated and poisoned values:

$$\begin{array}{c}\hfill G_m\left(Y\right)=\sum _{k\in T}E[\Delta {\widehat{m}}_k].\end{array}$$

(14)

Here, $\Delta {\widehat{m}}_k={\tilde{m}}_k-{\widehat{m}}_k$, with ${\tilde{m}}_k$ representing the estimated mean value when key k is subjected to a poisoning attack.

5.3. Experimental Results

5.3.1. MSE with Respect to $ϵ$

Figure 3a–c show the estimation accuracy with respect to the privacy budget $ϵ$ as the MSE distributions of frequencies for the synthetic data and open datasets, MovieLens and Clothing, respectively. Note that the MSE values for emPrivKV were the minimum for both datasets and all $ϵ$. The MSE values of the estimated frequencies for the synthetic data and open datasets, MovieLens, and Clothing were 44.1%, 0.5%, and 0.5% of that of PrivKV, respectively, where $ϵ$ was 0.1.

Similarly, the MSE of the mean estimation is shown in Figure 4a–c. The MSE values of the estimated mean values for the synthetic data, MovieLens, and Clothing were 24.8%, 0.2%, and 0.2% of that of PrivKV, respectively, where $ϵ$ was 0.1.

5.3.2. Frequency Gain

Figure 5 shows the frequency gain distributions concerning the fraction of malicious users b, privacy budget $ϵ$, and number of target keys r for the three types of poisoning attacks (M2GA, RMA, and RKVA) using synthetic data (Gaussian distribution).

Notably, M2GA (Figure 5a) yielded the highest gains across all poisoning schemes. This outcome is unsurprising given that M2GA assumes the most potent control over the output by malicious users, thus posing the most significant threat to LDP schemes.

The emPrivKV results consistently exhibited the lowest gains for all poisoning attack types and parameter settings of b, $ϵ$, and r. As the proportion of malicious users b escalated, the gains for PrivKV increased accordingly (as shown in Figure 5a). In contrast, the gain of emPrivKV remained stable at $0.5$. For instance, at $b=0.25$, emPrivKV achieved $70.25\%$ of the gain of PrivKV, highlighting its superior resilience against the most severe poisoning attack (M2GA).

Figure 6 shows the frequency gains for the MovieLens dataset. The gain distributions were similar to those obtained using the Gaussian synthetic data, except for the effect of the fraction of malicious users parameter b (see Figure 6a,c). The gain did not depend on b for M2GA (Figure 6a) and was unstable for RKVA (Figure 6c).

The MovieLens data yielded greater gains than the synthetic data (by a factor of 2–5), primarily because of the different distributions of keys and the presence of numerous low-frequency keys (e.g., minor movie titles with minimal audiences). These low-frequency keys are more susceptible to low-resource poisoning attacks. Moreover, with an equivalent number of malicious users, the manipulated keys were already saturated in the MovieLens dataset, resulting in greater gains compared to the synthetic data scenario.

5.3.3. Mean Gain

Figure 7 shows the mean gains for the MovieLens dataset. emPrivKV always had a smaller gain than PrivKV and PrivKVM. For example, the gain for emPrivKV at $b=0.2$ was stable around $1.0$, which was $1/3$ of that for PrivKV and $1/10$ of that for PrivKVM. We observed similar results for the three LDP schemes using the MovieLens dataset (Figure 8a). Here, PrivKVM was considered to be the most vulnerable to poisoning attacks.

Furthermore, emPrivKV exhibited the smallest gain concerning the privacy budget $ϵ$, as depicted in Figure 8a. While the mean gains increased for PrivKV and PrivKVM with decreasing $ϵ$, emPrivKV maintained low gains, indicating minimal susceptibility to poisoning attacks. This underscores the robustness of emPrivKV.

Moreover, the gain exhibited a linear increase with the number of targeted keys r, as shown in Figure 8a,c. Notably, emPrivKV exhibited the lowest coefficient among all of the LDP schemes.

Interestingly, the LDP schemes did not exhibit significant differences in terms of RMA poisoning. Figure 8b shows that the differences in the gain escalated with an increase in the fraction of malicious users b.

5.3.4. Gains with OT

Figure 9 and Figure 10 show the frequency and mean gains using the OT protocol. The gains from poisoning attacks on the proposed protocol could be estimated as the maximum gains for RMA and RKVA attacks. We summarize the results of this frequency and mean gains in

Table 3. Gains of emPrivKV for the PrivKV with respect to b (MovieLens).

Fraction of malicious users b	0.001	0.005	0.01	0.05	0.1	0.15	0.2
Frequency gain [%]	66.7	20.8	18.6	19.3	17.1	16.7	15.8
Mean gain [%]	18.2	20.4	24.5	30.6	25.9	21.4	27.8

,

Table 4. Gains of emPrivKV for the PrivKV with respect to $ϵ$ (MovieLens).

privacy budget $ϵ$	0.1	0.5	1	2	3	4	5
Frequency gain [%]	0.6	4.8	90.0	41.7	50.0	55.6	66.7
Mean gain [%]	1.6	14.6	15.5	36.2	40.1	41.3	44.8

and

Table 5. Gains of emPrivKV for the PrivKV with respect to r (MovieLens).

The number of target keys r	1	3	5	7	9	11	13	15
Frequency gain [%]	0.7	18.8	17.8	21.2	18.2	16.3	15.8	15.2
Mean gain [%]	20.8	13.5	21.8	30.2	25.8	27.7	25.9	25.5

. Our experiments using the MovieLens dataset, with the ratio of fake users to genuine users being 1 to 10, demonstrated that the proposed emPrivKV improved the frequency and mean gains by $17.1\%$ and $25.9\%$ of those of PrivKV, respectively, where the number of fake users was $0.1$ of genuine users (Table 3). When the privacy budget $ϵ$ was $0.1$ to 5, our experiments demonstrated that the proposed emPrivKV improved the frequency and mean gains by $0.6\%$ and $1.6\%$ of those of PrivKV, respectively, where $ϵ$ was $0.1$ (Table 4). When the number of target keys was 1 to 15, our experiments demonstrated that the proposed emPrivKV improved the frequency and mean gains by $0.7\%$ and $20.8\%$ of those of PrivKV, respectively, where the number of target keys was 1 (Table 5).

We conclude that our approach is effective for data that are perturbed using the LDP algorithm.

5.3.5. The Cost with OT Protocol

We estimated the overhead of the OT protocol using standard assumptions.

Calculation cost: When there are d keys, $2\ell$ encryptions are performed, where $d=2^{\ell }-1$. If decoding one encryption key costs $0.1s$, the computational cost is $0.1s·2\ell$. The computational cost with respect to the number of keys is shown in Figure 11a.

Communication cost: Assuming that the communication amount of one cipher text is N, the user sends the server $2\ell ·N$ data. The server returns $\ell ·N$ data to the user. Finally, the user sends $2\ell ·N$ of cipher text to the server.

The total communication cost is $5\ell N$. If $N=2048$ [bit] and communication speed is 100 Mbps, the communication will be $5\ell ·2048/(100·{10}^6)$. The communication cost are shown in Figure 11b.

5.4. Discussion

A comparison of previous studies relating to LDP using the proposed method is presented in

Table 6. Comparison with previous research, where fake users are 0.1 of genuine users.

	PrivKV [2]	PrivKVM [2]	Wu et al. [6]	Proposed Method
Defense method	N/A	N/A	OCC	OT
Estimation method	MLE	MLE	MLE	EM
Frequency gain	2.5	2.5	–	0.4
Mean gain	10.5	30.2	–	2.9

. We show the results of the robustness against poisoning attacks in terms of the frequency and mean gains. The frequency and value gains for PrivKV and PrivKVM without defensive measures were 2.5 and 2.5, respectively, and 10.5 and 30.2, respectively. However, the frequency and value gains of the proposed method, which applies OT for defense and EM for estimation, were 0.4 and 2.9, respectively.

In this study, we did not evaluate the frequency and mean gains with the defense method applying OCC. In our approach, random item selection in LDP is performed in collaboration between the user and server; hence, no malicious user sends fake data to manipulate the estimation. This is an ideal countermeasure under the assumption that the building blocks are secure. On the other hand, OCC is a probabilistic measure that allows small amounts of fake data to be sent in LDP. Therefore, we consider the proposed protocol to be more resilient than OCC.

The experimental findings highlight the superior robustness of the emPrivKV scheme compared with other LDP schemes. Several factors contribute to this observation.

First, PrivKV relies on MLE, where the single highest frequency determines the expected value of the perturbation. Consequently, the manipulation of the highest frequency can significantly impact the scheme. In contrast, the EM algorithm iteratively adjusts the probabilities based on all observed frequencies. Therefore, even if the highest frequency is manipulated, the involvement of other elements helps to mitigate the manipulation of frequency.

Second, our estimation of the mean value incorporates not only positive statistics ($v_k^{\prime }=1$) but also both positive and negative statistics ($v_k^{\prime }=1$ and 0). This renders the estimation more resilient to poisoning attacks, thereby explaining why emPrivKV exhibits smaller mean gains.

Finally, by extrapolating our experimental gain results, we can gauge the overall robustness of the proposed protocol. According to Proposition 1, the M2GA becomes irrelevant when a perturbation with the OT protocol is employed.

6. Conclusions

We have studied the privacy preservation of key–value data using the LDP algorithm PrivKV. Our proposed emPrivKV scheme uses the OT protocol to prevent the intentional sampling of target keys and uses the EM algorithm for estimation. This improves the accuracy of statistical information estimation from randomized data. In our experiments using the MovieLens dataset, the MSE of the estimated frequencies and mean values improved by $0.5\%$ and $0.2\%$ of that of PrivKV, respectively, where $ϵ$ was $0.1$. In addition, the frequency and mean of the keys were robust against fake data poisoning attacks. Our proposed emPrivKV improved the frequency and mean gains by $17.1\%$ and $25.9\%$ of those of PrivKV, respectively, where the number of fake users was $0.1$ of genuine users, when using the MovieLens dataset.

The main future challenges raised in this paper can be summarized as follows. First, the robustness of poisoning attacks on machine learning models depends on the dataset [44]. We plan to conduct comprehensive experiments using multiple datasets to evaluate the robustness. Second, the computational resources for users are generally limited [45], and it is necessary to explore an effective method against poisoning attacks with less computational overhead. Finally, it is challenging to set an appropriate level of protection for sensitive data [46]. In our results, as we collect data more privately, our protocol tends to become more vulnerable to poisoning attacks. From the perspective of both privacy and security against poisoning attacks, it is essential to determine the proper levels of protection.