## Abstract

The shuffle model of differential privacy [Bittau et al. SOSP 2017; Erlingsson et al. SODA 2019; Cheu et al. EUROCRYPT 2019] was proposed as a viable model for performing distributed differentially private computations. Informally, the model consists of an untrusted analyzer that receives messages sent by participating parties via a shuffle functionality, the latter potentially disassociates messages from their senders. Prior work focused on one-round differentially private shuffle model protocols, demonstrating that functionalities such as addition and histograms can be performed in this model with accuracy levels similar to that of the curator model of differential privacy, where the computation is performed by a fully trusted party. A model closely related to the shuffle model was presented in the seminal work of Ishai et al. on establishing cryptography from anonymous communication [FOCS 2006].

Focusing on the round complexity of the shuffle model, we ask in this work what can be computed in the shuffle model of differential privacy with two rounds. Ishai et al. showed how to use one round of the shuffle to establish secret keys between every two parties. Using this primitive to simulate a general secure multi-party protocol increases its round complexity by one. We show how two parties can use one round of the shuffle to send secret messages without having to first establish a secret key, hence retaining round complexity. Combining this primitive with the two-round semi-honest protocol of Applebaum, Brakerski, and Tsabary [TCC 2018], we obtain that every randomized functionality can be computed in the shuffle model with an honest majority, in merely two rounds. This includes any differentially private computation.

We hence move to examine differentially private computations in the shuffle model that (i) do not require the assumption of an honest majority, or (ii) do not admit one-round protocols, even with an honest majority. For that, we introduce two computational tasks: *common element*, and *nested common element with parameter* \(\alpha \). For the common element problem we show that for large enough input domains, no one-round differentially private shuffle protocol exists with constant message complexity and negligible \(\delta \), whereas a two-round protocol exists where every party sends a single message in every round. For the nested common element we show that no one-round differentially private protocol exists for this problem with adversarial coalition size \(\alpha n\). However, we show that it can be privately computed in two rounds against coalitions of size *cn* for every \(c<1\). This yields a separation between one-round and two-round protocols. We further show a one-round protocol for the nested common element problem that is differentially private with coalitions of size smaller than *cn* for all \(0<c<\alpha <1/2\).

### Keywords

- Shuffle model
- Differential privacy
- Secure multiparty computation


## Notes

- 1.
Curator model computations returning real numbers, such as those resulting from adding Laplace or Gaussian noise, would need to be carefully truncated to finite precision.

- 2.
An alternative construction was given by Garg et al. [22]; the communication complexity of their protocol is exponential in the number of parties.

- 3.
- 4.
Bun et al. [13] considered a related problem; however, their technique applies to this task as well.

- 5.
We add the prefix *i*, *j* to the messages sent by \(P_i\) and \(P_j\) to enable all pairs of parties to exchange keys in parallel. It is essential that both \(P_i\) and \(P_j\) list the identities *i*, *j* in the same order (e.g., lexicographic order).

## References

Applebaum, B., Brakerski, Z., Tsabary, R.: Perfect secure computation in two rounds. In: Beimel, A., Dziembowski, S. (eds.) TCC 2018. LNCS, vol. 11239, pp. 152–174. Springer, Cham (2018). https://doi.org/10.1007/978-3-030-03807-6_6

Balcer, V., Cheu, A.: Separating local & shuffled differential privacy via histograms. In: Kalai, Y.T., Smith, A.D., Wichs, D. (eds.) 1st Conference on Information-Theoretic Cryptography, ITC 2020. LIPIcs, vol. 163, pp. 1:1–1:14. Schloss Dagstuhl - Leibniz-Zentrum für Informatik (2020). https://doi.org/10.4230/LIPIcs.ITC.2020.1

Balcer, V., Cheu, A., Joseph, M., Mao, J.: Connecting robust shuffle privacy and pan-privacy. CoRR abs/2004.09481 (2020)

Balle, B., Bell, J., Gascón, A., Nissim, K.: Differentially private summation with multi-message shuffling. CoRR abs/1906.09116 (2019)

Balle, B., Bell, J., Gascón, A., Nissim, K.: The privacy blanket of the shuffle model. In: Boldyreva, A., Micciancio, D. (eds.) CRYPTO 2019. LNCS, vol. 11693, pp. 638–667. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-26951-7_22

Balle, B., Bell, J., Gascón, A., Nissim, K.: Private summation in the multi-message shuffle model. CoRR abs/2002.00817 (2020)

Bassily, R., Nissim, K., Stemmer, U., Thakurta, A.G.: Practical locally private heavy hitters. In: Advances in Neural Information Processing Systems 30: Annual Conference on Neural Information Processing Systems 2017, pp. 2285–2293 (2017)

Bassily, R., Smith, A.D.: Local, private, efficient protocols for succinct histograms. In: Proceedings of the Forty-Seventh Annual ACM on Symposium on Theory of Computing, STOC 2015, pp. 127–135 (2015)

Beimel, A., Brenner, H., Kasiviswanathan, S.P., Nissim, K.: Bounds on the sample complexity for private learning and private data release. Mach. Learn. **94**(3), 401–437 (2013). https://doi.org/10.1007/s10994-013-5404-1

Beimel, A., Nissim, K., Omri, E.: Distributed private data analysis: simultaneously solving how and what. In: Wagner, D. (ed.) CRYPTO 2008. LNCS, vol. 5157, pp. 451–468. Springer, Heidelberg (2008). https://doi.org/10.1007/978-3-540-85174-5_25

Bittau, A., et al.: Prochlo: strong privacy for analytics in the crowd. In: Proceedings of the 26th Symposium on Operating Systems Principles, pp. 441–459. ACM (2017). https://doi.org/10.1145/3132747.3132769

Bun, M., Nelson, J., Stemmer, U.: Heavy hitters and the structure of local privacy. ACM Trans. Algorithms **15**(4), 51:1–51:40 (2019). https://doi.org/10.1145/3344722

Bun, M., Ullman, J., Vadhan, S.P.: Fingerprinting codes and the price of approximate differential privacy. In: Symposium on Theory of Computing, STOC 2014, pp. 1–10 (2014)

Bun, M., Ullman, J., Vadhan, S.P.: Fingerprinting codes and the price of approximate differential privacy. SIAM J. Comput. **47**(5), 1888–1938 (2018). https://doi.org/10.1137/15M1033587

Chen, L., Ghazi, B., Kumar, R., Manurangsi, P.: On distributed differential privacy and counting distinct elements. CoRR abs/2009.09604 (2020). https://arxiv.org/abs/2009.09604

Cheu, A., Smith, A., Ullman, J., Zeber, D., Zhilyaev, M.: Distributed differential privacy via shuffling. In: Ishai, Y., Rijmen, V. (eds.) EUROCRYPT 2019. LNCS, vol. 11476, pp. 375–403. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-17653-2_13

Cheu, A., Ullman, J.: The limits of pan privacy and shuffle privacy for learning and estimation. CoRR abs/2009.08000 (2020)

Dwork, C., Kenthapadi, K., McSherry, F., Mironov, I., Naor, M.: Our data, ourselves: privacy via distributed noise generation. In: Vaudenay, S. (ed.) EUROCRYPT 2006. LNCS, vol. 4004, pp. 486–503. Springer, Heidelberg (2006). https://doi.org/10.1007/11761679_29

Dwork, C., McSherry, F., Nissim, K., Smith, A.: Calibrating noise to sensitivity in private data analysis. In: Halevi, S., Rabin, T. (eds.) TCC 2006. LNCS, vol. 3876, pp. 265–284. Springer, Heidelberg (2006). https://doi.org/10.1007/11681878_14

Dwork, C., Naor, M., Pitassi, T., Rothblum, G.N., Yekhanin, S.: Pan-private streaming algorithms. In: Yao, A.C. (ed.) Innovations in Computer Science - ICS 2010, pp. 66–80. Tsinghua University Press (2010)

Erlingsson, Ú., Feldman, V., Mironov, I., Raghunathan, A., Talwar, K., Thakurta, A.: Amplification by shuffling: from local to central differential privacy via anonymity. In: Chan, T.M. (ed.) Proceedings of the Thirtieth Annual ACM-SIAM Symposium on Discrete Algorithms, SODA 2019, pp. 2468–2479. SIAM (2019). https://doi.org/10.1137/1.9781611975482.151

Garg, S., Ishai, Y., Srinivasan, A.: Two-round MPC: information-theoretic and black-box. In: Beimel, A., Dziembowski, S. (eds.) TCC 2018. LNCS, vol. 11239, pp. 123–151. Springer, Cham (2018). https://doi.org/10.1007/978-3-030-03807-6_5

Ghazi, B., Golowich, N., Kumar, R., Pagh, R., Velingker, A.: On the power of multiple anonymous messages. IACR Cryptol. ePrint Arch. **2019**, 1382 (2019)

Ghazi, B., Manurangsi, P., Pagh, R., Velingker, A.: Private aggregation from fewer anonymous messages. In: Canteaut, A., Ishai, Y. (eds.) EUROCRYPT 2020. LNCS, vol. 12106, pp. 798–827. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-45724-2_27

Ghazi, B., Pagh, R., Velingker, A.: Scalable and differentially private distributed aggregation in the shuffled model. CoRR abs/1906.08320 (2019)

Håstad, J., Impagliazzo, R., Levin, L.A., Luby, M.: A pseudorandom generator from any one-way function. SIAM J. Comput. **28**(4), 1364–1396 (1999). https://doi.org/10.1137/S0097539793244708

Ishai, Y., Kushilevitz, E., Ostrovsky, R., Sahai, A.: Cryptography from anonymity. In: 47th Annual IEEE Symposium on Foundations of Computer Science (FOCS), pp. 239–248. IEEE Computer Society (2006). https://doi.org/10.1109/FOCS.2006.25

Kasiviswanathan, S.P., Lee, H.K., Nissim, K., Raskhodnikova, S., Smith, A.D.: What can we learn privately? SIAM J. Comput. **40**(3), 793–826 (2011)

Vadhan, S.: The complexity of differential privacy. In: Tutorials on the Foundations of Cryptography. ISC, pp. 347–450. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-57048-8_7

## Acknowledgments

The authors thank Rachel Cummings and Naty Peter for discussions of the shuffle model at an early stage of this research. Work of A. B. and K. N. was supported by NSF grant No. 1565387 TWC: Large: Collaborative: Computing Over Distributed Sensitive Data. This work was done when A. B. was hosted by Georgetown University. Work of A. B. was also supported by Israel Science Foundation grant no. 152/17, a grant from the Cyber Security Research Center at Ben-Gurion University, and ERC grant 742754 (project NTSC). I. H. is the director of the Check Point Institute for Information Security. His research is supported by ERC starting grant 638121 and Israel Science Foundation grant no. 666/19. Work of U. S. was supported in part by the Israel Science Foundation (grant 1871/19), and by the Cyber Security Research Center at Ben-Gurion University of the Negev.


## Additional Preliminaries from Differential Privacy

The following theorem bounds the mutual information between the input and the output of a differentially private algorithm (that operates on a database of size 1).

### Theorem A.1

**(**[8]**).** Let *X* be uniformly distributed over \(\mathcal{X}\). Let \(\mathcal {A}\) be an \((\varepsilon ,\delta )\)-differentially private algorithm that operates on a single input (i.e., a database of size 1) from \(\mathcal{X}\). Let *Z* denote \(\mathcal {A}(X)\). Then,

In our protocols we will use the following protocol in the local model for computing histograms.

### Theorem A.2

**(Histogram protocol** [7, 8, 12]**).** Let \(\beta ,\varepsilon \le 1\) and \(\mathcal{X}\) be some finite domain. There exists a 1-round \((\varepsilon ,0)\)-differentially private protocol in the local model for *n* parties with message complexity 1, in which the input of each agent is a single element from \(\mathcal{X}\) and the outcome is a data structure \(D:\mathcal{X}\rightarrow [n]\) such that for every input to the protocol \(\varvec{x}\in \mathcal{X}^n\), with probability at least \(1 - \beta \), for every input vector \(x=(x_1,\dots ,x_n)\in \mathcal{X}\) we have

We next recall the sub-sampling technique from [9, 28].

### Theorem A.3

**(Sub-sampling** [9, 28]**).** Let \(\mathcal {A}_1\) be an \((\varepsilon ^*,\delta )\)-differentially private algorithm operating on databases of size *n*. Fix \(\varepsilon \le 1\), and denote \(t=\frac{n}{\varepsilon }(3+\exp (\varepsilon ^*))\). Construct an algorithm \(\mathcal {A}_2\) that on input a database \(D=(z_i)_{i=1}^t\) uniformly at random selects a subset \(T\subseteq \{1,2,...,t\}\) of size *n*, and runs \(\mathcal {A}_1\) on the multiset \(D_T=(z_i)_{i\in T}\). Then, \(\mathcal {A}_2\) is \(\left( \varepsilon ,\frac{4\varepsilon }{3+\exp (\varepsilon ^*)}\delta \right) \)-differentially private.
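The construction of \(\mathcal {A}_2\) in Theorem A.3, together with the bookkeeping of \(t\) and the resulting \(\delta\), as an added Python example (not code from the paper). The stand-in \(\mathcal {A}_1\) is a Laplace-noised counting query, which is an assumption made here only to have a concrete \((\varepsilon^*,0)\)-differentially private algorithm to wrap; \(t\) is rounded up to an integer, which only lowers the sampling rate \(n/t\).

```python
import math
import random


def subsampling_parameters(eps_star, delta, n, eps):
    """Privacy bookkeeping for Theorem A.3.

    A_1 is (eps_star, delta)-DP on databases of size n. A_2 draws a uniform
    n-subset of a database of size t and runs A_1 on it. Returns (t, delta_2)
    such that A_2 is (eps, delta_2)-DP. t is rounded up (assumption): a larger
    database only lowers the sampling rate n/t and does not weaken the guarantee.
    """
    if not 0 < eps <= 1:
        raise ValueError("Theorem A.3 is stated for 0 < eps <= 1")
    scale = 3.0 + math.exp(eps_star)
    t = math.ceil(n * scale / eps)
    delta_2 = (4.0 * eps / scale) * delta
    return t, delta_2


def laplace_count(database, predicate, eps_star, rng=None):
    """A stand-in A_1 (assumption: any (eps_star, 0)-DP algorithm would do).

    Counts the records satisfying `predicate` and adds Laplace noise of scale
    1/eps_star. A counting query has sensitivity 1, so this is (eps_star, 0)-DP.
    Laplace(b) is sampled as the difference of two Exp(rate 1/b) variables.
    """
    rng = rng or random.SystemRandom()
    true_count = sum(1 for z in database if predicate(z))
    noise = rng.expovariate(eps_star) - rng.expovariate(eps_star)
    return true_count + noise


def subsample_and_run(algorithm, database, n, rng=None):
    """A_2 of Theorem A.3: pick T of size n uniformly at random, run A_1 on D_T.

    `algorithm` must itself be DP on databases of size n; the amplification
    comes from the secrecy of T, so the chosen indices must never be revealed.
    """
    rng = rng or random.SystemRandom()
    if len(database) < n:
        raise ValueError("need at least n records to subsample")
    chosen = rng.sample(range(len(database)), n)
    return algorithm([database[i] for i in chosen])


if __name__ == "__main__":
    eps_star, delta, n, eps = 1.0, 1e-6, 100, 0.5
    t, delta_2 = subsampling_parameters(eps_star, delta, n, eps)
    # Constructed synthetic database of size t: each record is a 0/1 bit.
    rng = random.Random(2020)
    database = [rng.randrange(2) for _ in range(t)]
    answer = subsample_and_run(
        lambda d: laplace_count(d, lambda z: z == 1, eps_star, rng),
        database, n, rng)
    print(f"t={t}, A_2 is ({eps}, {delta_2:.3e})-DP, noisy count={answer:.2f}")
```

With \(\varepsilon^*=1\), \(\varepsilon=1/2\) and \(n=100\), the wrapper needs \(t=1144\) records and the \(\delta\) shrinks by a factor of roughly 0.35. The seeded `Random` is for reproducibility of the demo only; a deployment would keep the `SystemRandom` default, since the privacy argument relies on \(T\) being uniform and hidden.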

**Secure Addition Protocols in the Shuffle Model.** Ishai et al. [27] gave a protocol where \(n\ge 2\) parties communicate with an analyzer (as in Remark 2.8) to compute the sum of their inputs in a finite group *G*, in the semi-honest setting and in the presence of a coalition including the analyzer and up to \(n-1\) parties. In their protocol, each participating party splits their input into \(\ell =O(\log |G| + \log n + \sigma )\) shares and sends each share in a separate message through the shuffle. Upon receiving the \(n\ell \) shuffled messages, the analyzer adds them up (in *G*) to compute the sum. Recent work by Ghazi et al. [24] and Balle et al. [6] improved the dependency of the number of messages on the number of participating parties to \(\ell =O\left( 1+(\log |G| + \sigma )/\log n\right) \).

### Theorem A.4

**(**[6, 24, 27]**).** Let *G* be a finite group. There exists a one-round shuffle model summation protocol with *n* parties holding inputs \(x_i\in G\) and an analyzer. The protocol is secure in the semi-honest model, and in the presence of coalitions including the analyzer and up to \(n-1\) parties.
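A simulation of the split-and-shuffle summation described above (the Ishai et al. variant with \(\ell\) messages per party), as an added Python example that is not code from the paper or from [27]. The shuffle is a trusted in-process permutation standing in for the shuffle functionality, \(G=\mathbb{Z}_q\), and the hidden constant in \(\ell=O(\log |G| + \log n + \sigma)\) is assumed to be 1 with \(\sigma\) a statistical security parameter; these choices are assumptions of the example.

```python
import math
import random


def num_shares(group_order, n, sigma):
    """ell = O(log|G| + log n + sigma) messages per party, as in the Ishai et al. protocol.

    The hidden constant is not given on the page; this example assumes 1 and
    treats sigma as the statistical security parameter.
    """
    return math.ceil(math.log2(group_order)) + math.ceil(math.log2(n)) + sigma


def split_into_shares(x, ell, q, rng=None):
    """Additive sharing of x in Z_q: ell-1 uniform shares plus one fixing the sum."""
    rng = rng or random.SystemRandom()
    shares = [rng.randrange(q) for _ in range(ell - 1)]
    shares.append((x - sum(shares)) % q)
    return shares


def party_messages(x, ell, q, rng=None):
    """What one party hands to the shuffle: each share as its own message."""
    return split_into_shares(x, ell, q, rng)


def shuffle_functionality(messages, rng=None):
    """Trusted shuffle for the simulation: a uniformly random permutation of all messages."""
    rng = rng or random.SystemRandom()
    view = list(messages)
    rng.shuffle(view)
    return view


def analyzer_output(shuffled_messages, q):
    """The analyzer only adds up the n*ell shuffled messages in G = Z_q."""
    return sum(shuffled_messages) % q


def run_summation(inputs, q, sigma=40, rng=None):
    """One round: parties -> shuffle -> analyzer. Returns (sum, analyzer's view, ell)."""
    rng = rng or random.SystemRandom()
    n = len(inputs)
    if n < 2:
        raise ValueError("the protocol is stated for n >= 2 parties")
    ell = num_shares(q, n, sigma)
    outbox = []
    for x in inputs:
        outbox.extend(party_messages(x % q, ell, q, rng))
    view = shuffle_functionality(outbox, rng)  # sender identities are dropped here
    return analyzer_output(view, q), view, ell


if __name__ == "__main__":
    # Constructed inputs for four parties in Z_101.
    total, view, ell = run_summation([3, 5, 7, 11], q=101)
    print(f"ell={ell}, messages seen by analyzer={len(view)}, sum={total}")
```

Correctness is immediate: the analyzer sums every share of every party. What the shuffle buys is that the analyzer's view is an unordered multiset of \(n\ell\) group elements rather than \(n\) per-party bundles; the privacy argument in [27] is that, for \(\ell\) large enough, this multiset is statistically close to a uniformly random multiset conditioned on its sum, even given the shares of a coalition of \(n-1\) parties, so the coalition learns nothing beyond what the sum already reveals.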


## Copyright information

© 2020 International Association for Cryptologic Research

## About this paper

### Cite this paper

Beimel, A., Haitner, I., Nissim, K., Stemmer, U. (2020). On the Round Complexity of the Shuffle Model. In: Pass, R., Pietrzak, K. (eds) Theory of Cryptography. TCC 2020. Lecture Notes in Computer Science(), vol 12551. Springer, Cham. https://doi.org/10.1007/978-3-030-64378-2_24

DOI: https://doi.org/10.1007/978-3-030-64378-2_24
Publisher Name: Springer, Cham

Print ISBN: 978-3-030-64377-5

Online ISBN: 978-3-030-64378-2
