Differentially Private Summation with Multi-Message Shuffling
share
In recent work, Cheu et al. (Eurocrypt 2019) proposed a protocol for n-party real summation in the shuffle model of differential privacy with O_ϵ, δ(1) error and Θ(ϵ√(n)) one-bit messages per party. In contrast, every local model protocol for real summation must incur error Ω(1/√(n)), and there exist protocols matching this lower bound which require just one bit of communication per party. Whether this gap in number of messages is necessary was left open by Cheu et al. In this note we show a protocol with O_ϵ, δ(1) error and O_ϵ, δ((n)) messages of size O((n)). This protocol is based on the work of Ishai et al. (FOCS 2006) showing how to implement distributed summation from secure shuffling, and the observation that this allows simulating the Laplace mechanism in the shuffle model.
READ FULL TEXT