Private Summation in the Multi-Message Shuffle Model

by   Borja Balle, et al.

The shuffle model of differential privacy (Erlingsson et al. SODA 2019; Cheu et al. EUROCRYPT 2019) and its close relative encode-shuffle-analyze (Bittau et al. SOSP 2017) provide a fertile middle ground between the well-known local and central models. Similarly to the local model, the shuffle model assumes an untrusted data collector who receives privatized messages from users, but in this case a secure shuffler is used to transmit messages from users to the collector in a way that hides which messages came from which user. An interesting feature of the shuffle model is that increasing the amount of messages sent by each user can lead to protocols with accuracies comparable to the ones achievable in the central model. In particular, for the problem of privately computing the sum of n bounded real values held by n different users, Cheu et al. showed that O(√(n)) messages per user suffice to achieve O(1) error (the optimal rate in the central model), while Balle et al. (CRYPTO 2019) recently showed that a single message per user leads to Θ(n^1/3) MSE (mean squared error), a rate strictly in-between what is achievable in the local and central models. This paper introduces two new protocols for summation in the shuffle model with improved accuracy and communication trade-offs. Our first contribution is a recursive construction based on the protocol from Balle et al. mentioned above, providing poly(loglog n) error with O(loglog n) messages per user. The second contribution is a protocol with O(1) error and O(1) messages per user based on a novel analysis of the reduction from secure summation to shuffling introduced by Ishai et al. (FOCS 2006) (the original reduction required O(log n) messages per user).


page 1

page 2

page 3

page 4


The Privacy Blanket of the Shuffle Model

This work studies differential privacy in the context of the recently pr...

Instability of backoff protocols with arbitrary arrival rates

In contention resolution, multiple processors are trying to coordinate t...

Private Counting from Anonymous Messages: Near-Optimal Accuracy with Vanishing Communication Overhead

Differential privacy (DP) is a formal notion for quantifying the privacy...

Private Protocols for U-Statistics in the Local Model and Beyond

In this paper, we study the problem of computing U-statistics of degree ...

Improved Summation from Shuffling

A protocol by Ishai et al. (FOCS 2006) showing how to implement distribu...

Why Older Adults (Don't) Use Password Managers

Password managers (PMs) are considered highly effective tools for increa...

A Tight Parallel Repetition Theorem for Partially Simulatable Interactive Arguments via Smooth KL-Divergence

Hardness amplification is a central problem in the study of interactive ...