Decomposition-Based Optimal Bounds for Privacy Amplification via Shuffling

Pengcheng Su, Haibo Cheng, Ping Wang

TL;DR

This work unifies and strengthens the analysis of privacy amplification via shuffling by introducing the general clone framework, showing that the privacy blanket achieves the optimal decomposition among all decompositions. It then delivers a fast FFT-based algorithm leveraging the Generalized Privacy Amplification Random Variable (GPARV) to compute tight upper bounds, and extends the results to joint and parallel compositions under the single-message shuffle model. Empirical results demonstrate that the computed upper bounds nearly match lower bounds across diverse local randomizers, yielding substantial improvements over prior generic and clone-based bounds. The approach enables tighter privacy-utility trade-offs in practical shuffle-DP deployments and provides a scalable tool for evaluating complex compositions and subsampling scenarios.

Abstract

Shuffling has been shown to amplify differential privacy guarantees, enabling a more favorable privacy-utility trade-off. To characterize and compute this amplification, two fundamental analytical frameworks have been proposed: the privacy blanket by Balle et al. (CRYPTO 2019) and the clone, including both the standard and stronger variant, by Feldman et al. (FOCS 2021, SODA 2023). These frameworks share a common foundation: decomposing local randomizers into structured components for analysis. In this work, we introduce a unified analytical framework, the general clone paradigm, which subsumes all possible decompositions, with the clone and blanket decompositions arising as special cases. Within this framework, we identify the optimal decomposition, which is precisely the one used by the privacy blanket. Moreover, we develop a simple and efficient algorithm based on the Fast Fourier Transform (FFT) to compute optimal privacy amplification bounds. Experimental results show that our computed upper bounds nearly match the lower bounds, demonstrating the tightness of our method. Building on this method, we also derive optimal amplification bounds for both joint and parallel compositions of LDP mechanisms in the shuffle model.

Paper Structure

This paper contains 48 sections, 17 theorems, 142 equations, 8 figures, 4 tables, 7 algorithms.

Key Result

Lemma 1

Let $\mathcal{R}: \mathbb{X} \to \mathbb{Y}$ be an $\varepsilon_0$-DP local randomizer and $x_0, x_1 \in \mathbb{X}$. Then there exist two probability distributions $\mathcal{Q}_0, \mathcal{Q}_1$ such that and
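The script below is an added worked example, not code from the paper, illustrating the objects the abstract and Lemma 1 talk about: it computes the hockey-stick divergence of Definition 1, uses it to read off the (ε, δ) of k-ary randomized response, rebuilds k-RR from its privacy-blanket decomposition R(x) = (1-γ)δ_x + γU with γ = k/(e^{ε0}+k-1) (the decomposition of Balle et al. 2019), and computes the exact δ of single-message shuffled binary RR by brute-force convolution of the count distribution. That last computation is a direct enumeration, not the paper's FFT/GPARV algorithm, and is only feasible for binary outputs. The function names (`hockey_stick`, `krr`, `blanket_mixture`, `shuffled_brr_delta`) and the sample parameters ε0 = 1, ε = 0.5 are this example's own choices.

```python
"""Added worked example (not code from the paper): hockey-stick divergence,
the privacy-blanket decomposition of k-ary randomized response, and the exact
(eps, delta) of shuffled binary randomized response obtained by brute-force
convolution of the count distribution (not the paper's FFT/GPARV algorithm)."""
import math
from typing import Callable, Dict, Iterable, List, Tuple


def hockey_stick(p: Dict[int, float], q: Dict[int, float], eps: float) -> float:
    """D_{e^eps}(P || Q) = sum_y max(P(y) - e^eps * Q(y), 0)  (Definition 1).

    A mechanism is (eps, delta)-DP iff this is <= delta for every pair of
    neighbouring inputs, in both directions."""
    e = math.exp(eps)
    return sum(max(p.get(y, 0.0) - e * q.get(y, 0.0), 0.0) for y in set(p) | set(q))


def krr(x: int, k: int, eps0: float) -> Dict[int, float]:
    """k-ary randomized response: report x w.p. e^eps0/(e^eps0+k-1),
    every other symbol w.p. 1/(e^eps0+k-1).  This randomizer is eps0-LDP."""
    e = math.exp(eps0)
    return {y: (e if y == x else 1.0) / (e + k - 1) for y in range(k)}


def local_delta(randomizer: Callable[[int], Dict[int, float]],
                domain: Iterable[int], eps: float) -> float:
    """Smallest delta for which the local randomizer alone is (eps, delta)-DP."""
    dom = list(domain)
    return max(hockey_stick(randomizer(a), randomizer(b), eps) for a in dom for b in dom)


def blanket_decomposition(k: int, eps0: float) -> Tuple[float, Dict[int, float]]:
    """Privacy-blanket form of k-RR (Balle et al. 2019):
    R(x) = (1 - gamma) * delta_x + gamma * U, with U uniform on the k outputs and
    gamma = k / (e^eps0 + k - 1).  The blanket U does not depend on x."""
    e = math.exp(eps0)
    return k / (e + k - 1), {y: 1.0 / k for y in range(k)}


def blanket_mixture(x: int, k: int, eps0: float) -> Dict[int, float]:
    """Re-assemble R(x) from its blanket decomposition; must equal krr(x, k, eps0)."""
    gamma, blanket = blanket_decomposition(k, eps0)
    dist = {y: gamma * blanket[y] for y in range(k)}
    dist[x] += 1.0 - gamma
    return dist


def _convolve(a: List[float], b: List[float]) -> List[float]:
    """Distribution of the sum of two independent integer-valued variables."""
    out = [0.0] * (len(a) + len(b) - 1)
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            out[i + j] += ai * bj
    return out


def _binomial(n: int, p: float) -> List[float]:
    return [math.comb(n, c) * p ** c * (1.0 - p) ** (n - c) for c in range(n + 1)]


def shuffled_brr_delta(n: int, eps0: float, eps: float) -> float:
    """Exact delta at level eps for single-message shuffled binary RR with n users.

    The shuffler reveals only the multiset of bits, i.e. the count of ones.
    User 1 holds x_1 in {0, 1}; the other n-1 users are identical in both
    neighbouring datasets, so their contribution S_m (m of them hold a 1) is the
    same on both sides:  delta(eps) = max_m D_{e^eps}(Bern(1-p) + S_m || Bern(p) + S_m)
    with p = e^eps0 / (e^eps0 + 1), maximised over both directions."""
    p = math.exp(eps0) / (math.exp(eps0) + 1.0)
    worst = 0.0
    for m in range(n):
        s = _convolve(_binomial(m, p), _binomial(n - 1 - m, 1.0 - p))
        p0 = dict(enumerate(_convolve([p, 1.0 - p], s)))  # x_1 = 0: reports 1 w.p. 1-p
        p1 = dict(enumerate(_convolve([1.0 - p, p], s)))  # x_1 = 1: reports 1 w.p. p
        worst = max(worst, hockey_stick(p0, p1, eps), hockey_stick(p1, p0, eps))
    return worst


if __name__ == "__main__":
    # constructed parameters: eps0 = 1 locally, ask for the delta at eps = 0.5
    for n in (1, 10, 100, 300):
        print(f"n={n:4d}  delta(eps=0.5) = {shuffled_brr_delta(n, 1.0, 0.5):.3e}")
```

For n = 1 the shuffled δ coincides with the local one, and it decreases as n grows while never dropping below zero at any ε < ε0; at ε = ε0 it is zero because the shuffled output is a post-processing of the local reports. The O(n²)-per-m enumeration is only meant to make the amplification visible on small binary examples; the paper's FFT-based method is what scales to the randomizers and compositions in its experiments.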

Figures (8)

  • Figure 1: Hierarchy among decomposition-based methods. The Standard clone is horizontal (generic bound), while the Blanket curve varies with the randomizer (specific bound).
  • Figure 2: Experimental Results: RR, BLH and RAPPOR
  • Figure 3: Experimental Results: OUE and Laplace
  • Figure 4: Experimental Results: Parallel Composition
  • Figure 5: Upper Bounds for RAPPOR with Varying Domain Size $D$
  • ...and 3 more figures

Theorems & Definitions (47)

  • Definition 1: Hockey-Stick Divergence
  • Definition 2: Differential Privacy
  • Definition 3: Local Differential Privacy
  • Definition 4: Differential Privacy in the Shuffle Model
  • Definition 5: Standard Clone Reduction Pair (Intuitive) (Feldman et al. 2021)
  • Lemma 1: KOV15
  • Theorem 1: Standard Clone Reduction (Feldman et al. 2021)
  • proof
  • Definition 6: Privacy Blanket Reduction Pair (Balle et al. 2019, Restated)
  • Theorem 2: Privacy Blanket Reduction (Balle et al. 2019, Restated)
  • ...and 37 more