Indifferential Privacy: A New Paradigm and Its Applications to Optimal Matching in Dark Pool Auctions

Antigoni Polychroniadou, T.-H. Hubert Chan, Adya Agrawal

TL;DR

This work tackles privacy concerns in dark pools by introducing indifferential privacy (IDP), a relaxed privacy notion tailored to continuous double auctions. The approach combines IDP with lightweight encryption, injecting fake orders to obfuscate true quantities while maintaining the ability to achieve the maximum matching size $|M^*|$. The authors provide an end-to-end implementation and show through ABIDES-based experiments that throughput ($600$–$850$ orders/sec) and overhead are practical, significantly outperforming fully homomorphic encryption and secure MPC approaches. The key contribution is a privacy framework that preserves fair, optimal matching in untrusted auction settings and suggests broader applicability of IDP to other privacy-sensitive, high-velocity trading contexts.

Abstract

Public exchanges like the New York Stock Exchange and NASDAQ act as auctioneers in a public double auction system, where buyers submit their highest bids and sellers offer their lowest asking prices, along with the number of shares (volume) they wish to trade. The auctioneer matches compatible orders and executes the trades when a match is found. However, auctioneers involved in high-volume exchanges, such as dark pools, may not always be reliable. They could exploit their position by engaging in practices like front-running or face significant conflicts of interest, i.e., ethical breaches that have frequently resulted in hefty fines and regulatory scrutiny within the financial industry. Previous solutions, based on the use of fully homomorphic encryption (Asharov et al., AAMAS 2020), encrypt orders ensuring that information is revealed only when a match occurs. However, this approach introduces significant computational overhead, making it impractical for high-frequency trading environments such as dark pools. In this work, we propose a new system based on differential privacy combined with lightweight encryption, offering an efficient and practical solution that mitigates the risks of an untrustworthy auctioneer. Specifically, we introduce a new concept called Indifferential Privacy, which can be of independent interest, where a user is indifferent to whether certain information is revealed after some special event, unlike standard differential privacy. For example, in an auction, it's reasonable to disclose the true volume of a trade once all of it has been matched. Moreover, our new concept of Indifferential Privacy allows for maximum matching, which is impossible with conventional differential privacy.

Paper Structure

This paper contains 14 sections, 3 theorems, 3 equations, 4 figures, 2 tables, 1 algorithm.

Key Result

Lemma 3.2

Algorithm 1 returns a maximum matching between real buy and sell nodes in the matching graph.

Figures (4)

  • Figure 1: Maximum Matching Example. The figure illustrates a bipartite graph and its maximum matching where nodes are first sorted by price, followed by the user's genuine orders and then their fake orders. This arrangement ensures optimal matching, maximizing the number of successful pairings according to Algorithm 1.
  • Figure 2: Refinement Pair. The figure shows an example of a bipartite graph $(\Omega_0, \Omega_1; \mathcal{F})$, where each node has a probability mass. Each subfigure shows the probability distribution refinement on each side.
  • Figure 3: Comparison of Time Taken Across Different Settings.
  • Figure 4: Extended runtime tables for larger number of clients and orders.

Theorems & Definitions (16)

  • Definition 2.1: Neighboring Input Configurations
  • Definition 2.2: Symmetric Hockey-Stick Divergence
  • Remark 2.3
  • Definition 2.4: Differential Privacy
  • Definition 2.6: Refinement
  • Definition 2.7: Closest Refinement Pair
  • Remark 2.8
  • Definition 2.10: Indifference Relation
  • Definition 2.11: Indifferential Privacy (IDP)
  • Definition 2.12: Computational IDP (CIDP)
  • ...and 6 more