Existing shuffle-DP protocols assume fully honest users and are thus vulnerable to malicious poisoning attacks, which can compromise privacy and degrade utility. This work proposes the first general-purpose defense framework against such attacks, applicable to all union-preserving queries and capable of transforming any shuffle-DP protocol into a robust variant. By integrating differential privacy, the shuffle model, robust statistics, and query transformation techniques, the framework achieves asymptotically equivalent error to the original protocol in the absence of attacks, while incurring only polylogarithmic additional error even when a constant fraction of users are malicious. Empirical evaluations demonstrate that the approach maintains high accuracy, communication efficiency, and strong robustness across tasks including summation, frequency estimation, and range counting.

Differential Privacy (DP) has become the gold standard for protecting individual privacy in data analytics, and the shuffle-DP model has attracted significant attention from both academia and industry due to its favorable balance between privacy and utility. However, existing shuffle-DP protocols rely on a strong assumption: all users behave honestly. In real-world scenarios, adversarial users can exploit this vulnerability through poisoning attacks, compromising both privacy guarantees and the utility of analytical results. While defending against poisoning attacks in the shuffle-DP model has recently gained interest, existing solutions are limited to frequency estimation tasks. To address this issue, we propose the first general defense framework for all union-preserving queries, capable of transforming any shuffle-DP protocol into a version resilient to poisoning attacks. Beyond robust defense against poisoning attacks, our framework achieves high utility of analytical results. Compared to the original shuffle-DP protocol, it retains asymptotically equivalent error in attack-free settings and incurs only a polylogarithmic increase in error when a constant number of attackers are present. We demonstrate the generality of our framework on several common queries, including summation, frequency estimation, and range counting. Experimental results confirm that our approach effectively defends against poisoning attacks while maintaining strong utility and communication efficiency.