NDSS 2025 – On the Robustness Of LDP Protocols For Numerical Attributes Under Data Poisoning Attacks

Local differential privacy (LDP) has become a cornerstone for collecting user data while preserving anonymity, powering analytics in mobile apps, IoT devices, and large‑scale surveys. By perturbing each individual's record before transmission, LDP promises strong privacy guarantees without requiring trusted aggregators. However, as organizations increasingly rely on LDP for compliance and competitive insight, adversaries have begun exploiting its statistical properties. Recent research demonstrates that a modest fraction of compromised clients can inject crafted values, skewing aggregate estimates and undermining the very purpose of privacy‑preserving analytics.

The NDSS 2025 paper conducts the first systematic, attack‑driven evaluation of state‑of‑the‑art LDP protocols for numerical attributes. Using newly defined cross‑protocol attack gain metrics, the authors compare categorical frequency oracles (CFOs) with binning, consistency mechanisms, and distribution reconstruction methods. Findings reveal that Square Wave and server‑side CFO implementations resist poisoning better than user‑side CFO variants. Moreover, the study uncovers a previously hidden design factor: the hash domain size in local‑hashing LDP schemes dramatically influences robustness, independent of utility trade‑offs.

Beyond diagnosis, the authors propose a zero‑shot detection technique that exploits the rich reconstructed distribution to flag anomalous submissions without prior training data. Experiments show this approach outperforms existing defenses, reliably identifying manipulation even under tight adversarial budgets. For enterprises deploying LDP, the work signals a need to reassess protocol choices, tune hash parameters, and integrate real‑time detection pipelines. As privacy regulations tighten, such proactive safeguards will be essential to maintain data integrity while honoring user confidentiality.