Shuffle Model of Differential Privacy: Numerical Composition for Federated Learning

Abstract

In decentralized scenarios without fully trustable parties (e.g., in mobile edge computing or IoT environments), the shuffle model has recently emerged as a promising paradigm for differentially private federated learning. Despite many efforts of privacy accounting for federated learning with many sequential rounds in the shuffle model, they suffer from generality and tightness. For example, existing accounting methods are targeted to single-message shuffle protocols (which have intrinsic utility barriers compared to multi-message ones), and are untight for the commonly used vector randomized response randomizer. As countermeasures, we first present a tight total variation characterization of vector randomized response randomizers in the shuffle model, which demonstrates over 20% budget conservation. We then unify the representation of single-message and multi-message shuffle protocols and derive their privacy loss distribution (PLD). The PLDs are finally composed by Fourier analysis to obtain the overall privacy loss of many sequential rounds in the shuffle model. Through simulations in federated decision tree building and federated deep learning, we show that our approach saves up to 80% budget when compared to existing methods.

1. Introduction

Federated analytics and federated learning leverage data from multiple sources (e.g., individuals and organizations) to empower data mining and learning applications. They do not access the raw data to alleviate privacy concerns, allowing participants to contribute only summary statistics or intermediate information (e.g., gradient vectors). However, recent studies have demonstrated that summary statistics might still reveal sensitive attributes [1], and that the intermediate gradient vectors can be used to reconstruct raw data with high precision [2]. As a countermeasure, it is necessary to incorporate federated analytics and learning with theoretically rigorous notions of privacy protection (e.g., the de facto standard of differential privacy [3]).

In federated settings, the shuffle model has emerged as one of the most appealing paradigms of differential privacy, showing excellent privacy–utility–complexity trade-offs and attracting much attention from both academia and industry [4,5]. In the shuffle model, messages from users are first randomized locally, then anonymized and permuted by a shuffler, which can be implemented by anonymous channels, edge servers, or a set of non-colluding assisting parties. Since the server or statistician only observes shuffled messages, participants benefit from privacy amplification via shuffling [6]. That is, although the messages from each participant have low privacy protection (with little randomization noise), anonymously hiding among shuffled messages ensures stronger privacy protection. For example, shuffled ${ϵ}_0$-LDP messages from n users satisfy $(O(\sqrt{exp({ϵ}_0)log(1/\delta )/n}),\delta )$-DP [7].

Much effort has been devoted to one-round privacy amplification analyses in the shuffle model (e.g., [6,7,8,9]), which is a key ingredient for achieving excellent privacy–utility–complexity trade-offs in one-time data queries (e.g., distribution estimation and numerical value summation). Meanwhile, in federated analytics and learning tasks, there are normally multiple queries, and many depend on previous querying results, such as in frequent itemset mining, decision trees, and federated deep learning. It is urgent to derive tight sequential composition in the shuffle model (to obtain desirable privacy–utility trade-offs), but this can be challenging as the noise distributions involved can be sophisticated. The work of [10] resorts to Rényi differential privacy to approximate the Rényi divergence bound in the shuffle model with LDP messages. However, Rényi DP itself may not be tight under composition [11], and the Rényi divergence bound is overestimated for the noise distributions in shuffle protocols. A more recent work directly numerically analyzes the approximate privacy loss distribution of the shuffled LDP messages and derives tighter composition bounds via Fourier analysis, based on the clone reduction [8] of LDP messages. Nevertheless, their analysis is restricted to the single-message shuffle protocols (i.e., shuffled LDP messages), which suffer utility limitations compared to the more general multi-message protocols [12]. Furthermore, their analysis is not tight for prevalent local randomizers (e.g., vector randomized response), as their one-round reduction is not tight for them.

In this work, we aim to numerically deduce tight sequential composition for both single-message and multi-message shuffle protocols. To this end, we first derive a tight total variation bound and reduce the privacy loss into parameterized binomial counts for the vector randomized response, which is prevalent in SOTA base shuffle protocols for numerical summation. For generalized and possibly heterogeneous binomial counts reductions that arise in multi-round single-message/multi-message protocols, we then derive the approximate privacy loss distribution (PLD) for them and employ Fourier composition on the PLDs from multiple rounds. Our approximation requires only $\tilde{O}\left(n\right)$ computational cost, similar to [13] that works for single-message protocols. The contributions of this work are as follows:

• We provide a tight privacy parameter characterization of vector randomized response in the shuffle model.
• We deduce an efficient strategy to numerically approximate the privacy loss distribution for both single-message and multi-message shuffle protocols, which is key to deriving tight sequential composition for federated analytics and learning in the shuffle model.
• Through simulation experiments, we demonstrate that our privacy characterization for vector randomized response saves about $20\%$ of the privacy budget shuffle model. For the multi-message shuffle protocols that enjoy higher utility, our numerical sequential composition saves $80\%$ of the privacy budget.

The remainder of this paper is organized as follows. Section 2 reviews related work. Section 3 provides preliminary knowledge about the shuffle model and sequential composition. Section 4 formulates the sequential composition problem in the single-message or multi-message shuffle model. Section 5 provides a tight privacy characterization of vector randomized response and then provides a general dominating pair in the shuffle model. Section 6 deduces an $\tilde{O}\left(n\right)$-complexity strategy for approximating the privacy loss distribution of the general dominating pair. Section 7 discusses federated analytics and learning tasks in the shuffle model and shows how to fit them into our sequential composition framework. Section 8 presents the experimental results. Finally, Section 9 concludes the paper.

2. Related Work

2.1. Shuffle Model of Differential Privacy

Due to its excellent balance between privacy, utility, and computation/communication costs, the shuffle model [14] has attracted much attention. Numerous protocols have been designed in the shuffle model, covering applications from basic statistical queries (e.g., distribution estimation [14] and mean estimation [15]), data mining (e.g., frequent itemset mining [16] and clustering [17]), to online bandits [18] and deep learning [19]. These applications benefit from a line of work analyzing the privacy amplification effects in the shuffle model, such as the analytical bound in [6] based on privacy amplification via subsampling, the blanket framework in [20] that decomposes a common probability mass from other users’ LDP messages as the privacy blanket, the clone reduction in [7,8] that treats other users’ messages as clones and summarizes dominating pairs as several binomial counts, and the tighter variation–ratio reduction in [9] that parameterizes the total variation and ratio bounds of local randomizers, then decomposes them into mixture components and derives a new dominating pair for both single-message and multi-message shuffle protocols.

2.2. Sequential Composition in the Shuffle Model

Most privacy amplification analyses in the literature (such as those mentioned in the previous part) focus on a one-round randomize-and-shuffle procedure, which is adequate for basic statistical queries. However, for more complex federated analytics and learning tasks that involve multiple sequential randomize-and-shuffle rounds, although one can upper-bound the overall privacy loss through the classical advanced composition rule of DP [3], it significantly overestimates privacy losses. Resorting to the composition-friendly framework of Rényi DP, the work [10] analyzed the Rényi divergence bounds of shuffled LDP messages. The work of [13] further improved tightness by numerically computing the PLD of the shuffled LDP messages’ dominating pair in the clone framework [8], and used fast Fourier transformation to tightly compose the PLDs across multiple rounds. Despite these efforts, they are limited to single-message shuffle protocols that are based on LDP randomizers, which often have a significant utility gap compared to multi-message protocols [12]. Additionally, even for commonly used LDP randomizers like vector randomized response in the shuffle model, existing one-round and composition analyses are not tight in privacy characterization, resulting in significant overestimation in privacy accounting.

3. Preliminaries

A list of notations used throughout this paper can be found in

Table 1. List of notations.

Notation	Description
1-2 $\left[i\right]$	$\{1,2,\dots ,i\}$
$[i,j]$	$\{i,i+1,\dots ,j\}$
1-2 $\mathcal{S}$	the shuffling procedure
$\mathcal{R}$	the randomization algorithm
d	the dimensionality of user data
$k_j$	the number of categories in j-th dimension ($j\in \left[d_c\right]$)
n	the number of users
$\mathbb{X}$	the domain of user data
$\mathbb{Y}$	the domain of a sanitized message
1-2 ${ϵ}_0$	the local privacy budget (level)

.

3.1. Differential Privacy

Definition 1

(Hockey-stick divergence). The Hockey-stick divergence between two random variables P and Q is:

$$D_{e^{ϵ}}(P\parallel Q)=\mathit{\int }max\{0,P\left(x\right)-e^{ϵ}Q\left(x\right)\}\mathrm{d}x,$$

where P and Q denote both the random variables and their probability density functions.

Two variables P and Q are $(ϵ,\delta )$-indistinguishable if $max\{D_{e^{ϵ}}(P\parallel Q),D_{e^{ϵ}}(Q\parallel P)\}\le \delta$. For two datasets of equal size that differ only by a single individual’s data, they are referred to as neighboring datasets. Differential privacy limits the divergence of query results on neighboring datasets (see Definition 2). Similarly, in the local setting that accepts a single individual’s data as input, we introduce the local $(ϵ,\delta )$-differential privacy in Definition 3. When $\delta =0$, the concept is abbreviated as $ϵ$-LDP.

Definition 2

(Differential privacy [3]). A protocol $\mathcal{R}:{\mathbb{X}}^n\mapsto \mathbb{Z}$ satisfies $(ϵ,\delta )$-differential privacy if, for all neighboring datasets $X,X^{\prime }\in {\mathbb{X}}^n$, $\mathcal{R}\left(X\right)$ and $\mathcal{R}\left(X^{\prime }\right)$ are $(ϵ,\delta )$-indistinguishable.

Definition 3

(Local differential privacy [21]). A protocol $\mathcal{R}:\mathbb{X}\mapsto \mathbb{Y}$ satisfies local $(ϵ,\delta )$-differential privacy if, for all $x,x^{\prime }\in \mathbb{X}$, $\mathcal{R}\left(x\right)$ and $\mathcal{R}\left(x^{\prime }\right)$ are $(ϵ,\delta )$-indistinguishable.

Data-processing inequality. The data processing inequality is a key feature of distance measures (e.g., Hockey-stick divergence) used for data privacy. It asserts that the privacy guarantee cannot be weakened by further analysis of a mechanism’s output.

Definition 4

(Data processing inequality). A distance measure $D:\Delta \left(\mathcal{S}\right)\times \Delta \left(\mathcal{S}\right)\to [0,\infty ]$ on the space of probability distributions satisfies the data processing inequality if, for all distributions P and Q in $\Delta \left(\mathcal{S}\right)$ and for all (possibly randomized) functions $g:\mathcal{S}\to {\mathcal{S}}^{\prime }$,

$$D\left(g\right(P)\parallel g(Q\left)\right)\le D(P\parallel Q).$$

3.2. The Shuffle Model of Differential Privacy

Following conventions in the shuffle model based on randomize-then-shuffle [20,22], we define a shuffle protocol $\mathcal{P}$ to be a list of algorithms $\mathcal{P}=({\left\{{\mathcal{R}}_i\right\}}_{i\in \left[n\right]},\mathcal{A})$, where ${\mathcal{R}}_i:\mathbb{X}\to {\mathbb{Y}}^{\ast }$ is the local randomizer of user i, and $\mathcal{A}:{\mathbb{Y}}^{\ast }\to \mathbb{Z}$ the analyzer in the data collector’s side. In a single-message shuffle protocol, each ${\mathcal{R}}_i$ produces one message; in a multi-message protocol, the randomizer might produce multiple messages each over domain $\mathbb{Y}$. The overall protocol implements a mechanism $\mathcal{P}:{\mathbb{X}}^n\to \mathbb{Z}$ as follows. Each user i holds a data record $x_i$ and a local randomizer ${\mathcal{R}}_i$, then computes message(s) $y_i={\mathcal{R}}_i\left(x_i\right)$. The messages $y_1\cup \cdots \cup y_n$ are then shuffled and submitted to the analyzer. We write $\mathcal{S}(y_1\cup \cdots \cup y_n)$ to denote the random shuffling step, where $\mathcal{S}:{\mathbb{Y}}^{\ast }\to {\mathbb{Y}}^{\ast }$ is a shuffler that applies a uniform-random permutation to its inputs. In summary, the output of $\mathcal{P}(x_1,\dots ,x_n)$ is denoted by $\mathcal{A}\circ \mathcal{S}\circ {\mathcal{R}}_{\left[n\right]}\left(X\right)=\mathcal{A}\left(\mathcal{S}({\mathcal{R}}_1\left(x_1\right)\cup \cdots \cup {\mathcal{R}}_n\left(x_n\right))\right)$.

Security model. The shuffle model assumes that all parties involved in the protocol follow it faithfully and there is no collusion between them. From a privacy perspective, the goal is to ensure the differential privacy of the output $\mathcal{P}(x_1,\dots ,x_n)$ for any analyzer $\mathcal{A}$. By leveraging the post-processing property of the Hockey-stick divergence, it suffices to ensure that the shuffled messages $\mathcal{S}\circ {\mathcal{R}}_{\left[n\right]}\left(X\right)=\mathcal{S}({\mathcal{R}}_1\left(x_1\right)\cup \cdots \cup {\mathcal{R}}_n\left(x_n\right))$ are differentially private. In the context of multi-round federated machine learning, we consider a stronger adversarial model. Specifically: (1) Adversary capabilities: The server is considered as an active adversary that can strategically specify the current model parameters or contaminate the aggregated gradient. It can also eavesdrop on shuffled messages and observe outputs. However, direct linking of queries to users remains infeasible due to the anonymization provided by the shuffle protocol. (2) Available information to attackers: The adversary has access to all shuffled messages in each round and knows the number of participants. However, it cannot access the raw data of individual users. (3) Defended attack vectors: The protocol defends against linkability attacks, correlation between queries, and inference of individual user data through repeated interactions. These protections are achieved through differential privacy mechanisms and the anonymization properties of the shuffle protocol. We formally define differential privacy in the shuffle model in Definition 5.

Definition 5

(Differential privacy in the shuffle model). A protocol $\mathcal{P}=({\left\{{\mathcal{R}}_i\right\}}_{i\in \left[n\right]},\mathcal{A})$ satisfies $(ϵ,\delta )$-differential privacy in the shuffle model iff for all neighboring datasets $X,X^{\prime }\in {\mathbb{X}}^n$, the $\mathcal{S}\circ {\mathcal{R}}_{\left[n\right]}\left(X\right)$ and $\mathcal{S}\circ {\mathcal{R}}_{\left[n\right]}\left(X^{\prime }\right)$ are $(ϵ,\delta )$-indistinguishable.

Anonymization intermediary in practice. The privacy amplification guarantee in the shuffle model fundamentally relies on the shuffler’s capability to execute independent operations without collusion with the analysis server—a persistent challenge in practical implementations. Existing solutions address this through distinct architectural paradigms: [23] implements basic shuffling via Tor’s low-latency anonymous channels, while the ESA framework [24] achieves enterprise-grade efficiency through SGX-enabled oblivious shuffling with verifiable isolation. A security-focused alternative in [25] employs lightweight secret-sharing techniques across three parties, integrating real-time malicious behavior detection and abort protocols to enforce non-collusion guarantees. Each approach strategically balances performance, scalability, and verifiable trust assumptions inherent to shuffle model deployments. Building on these advancements, this work assumes access to a semi-honest shuffle service.

Key advantages over secure aggregation protocols. The shuffle model in differential privacy provides key advantages over secure aggregation. First, it ensures information-theoretic privacy—resilient to quantum attacks—unlike secure aggregation’s computational guarantees. Second, it avoids heavy cryptographic protocols (e.g., MPC or HE), reducing client computation and communication overhead. Third, it requires only single-round client–server interaction, eliminating multi-round coordination and lowering latency. These features make the shuffle model scalable and practical for privacy-critical applications, such as federated learning, IoT applications, or large-scale data analytics.

Key advantages over alternative DP models. Classical differential privacy (DP) frameworks face a fundamental trust–efficiency trade-off. The centralized model assumes a trusted curator that collects raw user data and applies calibrated noise to final outputs—an idealized but often impractical requirement. Local DP (LDP) eliminates this trust assumption by having users sanitize their data before submission, yet incurs substantial utility loss due to extreme noise amplification. The shuffle model reconciles this tension through a novel trust architecture: by introducing a cryptographically anonymized shuffler between users and analysts, it enables (1) formal privacy amplification via distributed noise injection, (2) removal of the omnipotent trusted curator, and (3) near-central-DP utility guarantees. This paradigm shift establishes the shuffler as a minimal trust anchor—sufficient to break the direct linkage between individual inputs and outputs, yet insufficient to reconstruct user-specific behavior—thereby achieving an operational sweet spot between LDP’s distrust and central DP’s oversimplified trust model.

3.3. Privacy Loss Variables for Sequential Composition

This part retrospects instrumental tools (i.e., dominating pairs, privacy loss variables [26]) for numerical privacy composition, which aims to tightly derive the overall privacy guarantees of multiple sequential invokes of DP mechanisms.

Dominating pair [11]. We call variables $(P,Q)$ as the dominating pair of a mechanism $\mathcal{M}:{\mathbb{X}}^n\mapsto {\mathbb{R}}^{\ast }$ if for any distance measure D that satisfies the data processing inequality, $D(\mathcal{M}\left(X\right)\parallel \mathcal{M}\left(X^{\prime }\right))\le D(P\parallel Q)$ holds for any neighboring datasets $X,X^{\prime }\in {\mathbb{X}}^n$.

The notion of privacy loss random variables (PRVs) is a unique way to assign a pair $(X,Y)$ for a dominating pair such that $D(P\parallel Q)=D(X\parallel Y)$. PRVs allow us to compute the composition of two or more mechanisms via summing random variables (see Lemma 1). Equivalently, convolving their distributions via Fourier transformation (see Lemma 2 from [11,13]). Thus, PRVs can be thought of as a reparametrization of Hockey-stick divergence curves where composition becomes convolution.

Let $\overline{\mathbb{R}}=\mathbb{R}\cup \{-\infty ,\infty \}$ be the extended real line where we define $\infty +x=\infty$ and $-\infty +x=-\infty$ for $x\in \mathbb{R}.$

Definition 6

(Privacy loss random variables (PRVs) [26]). Given a dominating pair $(P,Q)$, we say that $(X,Y)$ are privacy loss random variables for $(P,Q)$, if they satisfy the following conditions:

• $X,Y$ are supported on $\overline{\mathbb{R}}$,
• $D_{e^{ϵ}}(X\parallel Y)\equiv D_{e^{ϵ}}(P\parallel Q)$ for all $ϵ\in \mathbb{R}$,
• $Y\left(t\right)=e^{t}X\left(t\right)$ for every $t\in \mathbb{R}$ and
• $Y(-\infty )=0$ and $X(\infty )=0,$

• where $X\left(t\right),Y\left(t\right)$ are probability density functions of $X,Y$, respectively.

We analyze discrete-valued distributions, which means that a dominating pair of distributions $(P,Q)$ can be described by generalized probability mass functions as

$$\begin{array}{cc}\hfill & P\left(v\right)={\sum }_z\mathbb{P}[P=z]·{\delta }_z\left(v\right),\hfill \\ \hfill & Q\left(v\right)={\sum }_z\mathbb{P}[Q=z]·{\delta }_z\left(v\right),\hfill \end{array}$$

(1)

where $z,v\in {\mathbb{R}}^{\ast }$, and ${\delta }_z(·)$ denotes the Dirac delta function centered at z, and $\mathbb{P}[P=z],\mathbb{P}[Q=z]\ge 0$ denotes the probability masses at z of P and Q, respectively. The PLD determined by a dominating pair $(P,Q)$ is defined as follows:

Definition 7

(PLD). Let P and Q be generalized probability mass functions as defined by (1). We define the generalized privacy loss distribution (PLD) ${\omega }_{P/Q}$ as:

$$\begin{array}{cc}\hfill {\omega }_{P/Q}\left(u\right)& =\sum _{z\in {\overline{\mathbb{R}}}^{\ast }}\mathbb{P}[P=z]·\delta s_z\left(u\right),\hfill \end{array}$$

where $s_z=log\left({\displaystyle \frac{\mathbb{P}[P=z]}{\mathbb{P}[Q=z]}}\right)$.

Lemma 1

(Composite PRVs [27]). Let $(P_1,Q_1),(P_2,Q_2)$ be two dominating pairs with PRVs $(X_1,Y_1)$ and $(X_2,Y_2)$, respectively. Then the PRVs for the joint dominating pair $((P_1,P_2),(Q_1,Q_2))$ are given by $(X_1+X_2,Y_1+Y_2)$. In particular,

$$D_{e^{ϵ}}(P_1,P_2\parallel Q_1,Q_2)=D_{e^{ϵ}}(X_1+X_2\parallel Y_1+Y_2)$$

holds for all $ϵ\in \mathbb{R}$.

Lemma 2

(Composition via Convolution [11,13]). Consider a K-fold adaptive composition with corresponding dominating pairs $(P_1,Q_2),\dots ,(P_K,Q_K)$, then for $ϵ>0$:

$$\begin{array}{cc}\hfill & D_{e^{ϵ}}(P_1,\dots ,P_K\parallel Q_1,\dots ,Q_K)\hfill \\ \hfill \le & 1-{\Pi }_{k\in \left[K\right]}\left(1-{\omega }_{P_k/Q_k}(\infty )\right)+{\mathit{\int }}_{ϵ}^{\infty }(1-e^{ϵ-s})\left({\omega }_{P_1/Q_1}\ast \dots \ast {\omega }_{P_K/Q_K}\right)\left(s\right)\mathrm{d}s,\hfill \end{array}$$

(2)

where ${\omega }_{P/Q}(\infty )={\sum }_{\{z:\mathbb{P}(Q=z)=0\}}\mathbb{P}(P=z)$, and ${\omega }_{P_k/Q_k}\ast {\omega }_{P_{k^{\prime }}/Q_{k^{\prime }}}$ denotes the convolution of the generalized mass functions.

4. Problem Formulation

Considering K sequential (and possibly adaptive) queries over a dataset $X\in {\mathbb{X}}^n$ in the shuffle model, there are K rounds of randomization and shuffling, and the shuffling is independent across rounds. Figure 1 provides a detailed visual representation of the K-round shuffle model, highlighting the flow from user input to local randomizers, through shufflers, and finally to the cumulative outputs across K rounds. This complements the mathematical framework described below. Let ${\mathcal{R}}_{\left[n\right]}^k=\{{\mathcal{R}}_1^k,\dots ,{\mathcal{R}}_n^k\}$ denote the local randomizers used in the k-th round, where ${\mathcal{R}}_i^k:\mathbb{X}\times {\mathbb{Y}}^{n\times (k-1)}\mapsto \mathbb{Y}$ takes the data $x_i$ and the outputs of the previous $(k-1)$ rounds ${\{\mathcal{S}\circ {\mathcal{R}}_{\left[n\right]}^{k^{\prime }}\left(X\right)\}}_{k^{\prime }\in [k-1]}$ as input. We use $\mathcal{S}\circ {\mathcal{R}}_{\left[n\right]}^k\left(X\right)$ to denote the query result of the k-th round and $\mathcal{S}\circ {\mathcal{R}}_{\left[n\right]}^{\left[k\right]}\left(X\right)$ to denote the outputs during 1 to k rounds:

$$\{\mathcal{S}\circ {\mathcal{R}}_{\left[n\right]}^1\left(X\right),\dots ,\mathcal{S}\circ {\mathcal{R}}_{\left[n\right]}^k\left(X\right)\}.$$

Assuming that the dominating pair of the k-th round is $(P_k,Q_k)$, that is,

$$D(\mathcal{S}\circ {\mathcal{R}}_{\left[n\right]}^{\left[k\right]}(X)\parallel \mathcal{S}\circ {\mathcal{R}}_{\left[n\right]}^{\left[k\right]}(X^{\prime }))\le D(P_k\parallel Q_k)$$

holds for any neighboring datasets $X,X^{\prime }\in {\mathbb{X}}^n$ and for any distance measure D that satisfy the data processing inequality. Then, using the following lemma from [11] (Theorem 10) and [13] (Corollary 8), we can conclude that the divergence of K-wise sequential composition, $D(\mathcal{S}\circ {\mathcal{R}}_{\left[n\right]}^{\left[K\right]}\left(X\right)\parallel \mathcal{S}\circ {\mathcal{R}}_{\left[n\right]}^{\left[K\right]}(X^{\prime }))$, is dominated by

$$D(P_1,\dots ,P_K\parallel Q_1,\dots ,Q_K).$$

For simplicity, we use $P_{\left[K\right]}$ to denote variables $P_1,\dots ,P_K$, and $Q_{\left[K\right]}$ to denote variables $Q_1,\dots ,Q_K$.

Lemma 3

(Reduction of sequential composition [13]). Given any distance measure D that satisfies the data processing inequality, if $D(\mathcal{S}\circ {\mathcal{R}}_{\left[n\right]}^k\left(X\right)\parallel \mathcal{S}\circ {\mathcal{R}}_{\left[n\right]}^k(X^{\prime }))\le D(P_k\parallel Q_k)$ holds for all $k\in \left[K\right]$ and for all neighboring datasets X and $X^{\prime }$, then

$$\begin{array}{ccc}& D(\mathcal{S}\circ {\mathcal{R}}_{\left[n\right]}^{\left[K\right]}\left(X\right)\parallel \mathcal{S}\circ {\mathcal{R}}_{\left[n\right]}^{\left[K\right]}(X^{\prime }))\le \hfill & \hfill D(P_{\left[K\right]}\parallel Q_{\left[K\right]}).\end{array}$$

(3)

Goal of numerical composition of differential privacy for multi-message shuffle protocols. We aim to upper-bound the overall differential privacy consumption of shuffle protocols with K sequential rounds, having broad applications to iterative gradient aggregation in federated learning and various data mining tasks (e.g., building decision tree/forest and a-priori-based frequent itemset mining that compose several sequential steps). Specifically, we analyze the divergence and indistinguishable level of the joint dominating pair:

$$(P_1,\dots ,P_K\parallel Q_1,\dots ,Q_K).$$

5. A Tight Characterization of Vector Randomized Response

In this work, we adopt variation–ratio reduction [9] for tightly characterizing a vector randomized response, a prevalent randomizer in shuffle protocols (e.g., in [15,19]). Considering two neighboring datasets X and $X^{\prime }$ that differ only in the v-th user’s data (i.e., $X{\sim }_v{X}^{\prime }$, $v\in \left[n\right]$, the v-th user is considered as the victim in DP), i.e., $X=\{x_1,\dots ,x_v,\dots ,x_n\}$ and $X^{\prime }=\{x_1,\dots ,x_v^{\prime },\dots ,x_n\}$, where $x_1,\dots ,x_v,x_v^{\prime },\dots ,x_n\in \mathbb{X}$. One can define the following properties on (independent) local randomizers ${\left\{R_i\right\}}_{i\in [n]}$ with some parameters $p>1$, $\beta \in [0,{\displaystyle \frac{p-1}{p+1}}]$, and $q\ge 1$:

I.

$(p,\beta )$-variation property: we say that the $(p,\beta )$-variation property holds if $D_p(R_v\left(x_v\right)\parallel R_v\left(x_v^{\prime }\right))=0$ and $D_1(R_v\left(x_v\right)\parallel R_v\left(x_v^{\prime }\right))\le \beta$ for all possible $x_v,x_v^{\prime }\in \mathbb{X}$.

II.

q-ratio property: we say that the q-ratio property holds if $D_q(R_v\left(x_v\right)\parallel R_i\left(x_i\right))=0$ and $D_q(R_v\left(x_v^{\prime }\right)\parallel R_i\left(x_i\right))=0$ hold for all possible ${\left\{x_i\right\}}_{i\in \left[n\right]\setminus \left\{v\right\}}\in {\mathbb{X}}^{n-1}$ and all ${\left\{R_i\right\}}_{i\in \left[n\right]\setminus \left\{v\right\}}$.

The parameter $\beta$ represents the pairwise total variation bound of the randomizer $R_v$, and implies that the randomizer $R_v$ satisfies $(0,\beta )$-LDP. Let ${\mathcal{R}}_{\left[n\right]}\left(X\right)$ denote the sanitized messages of X by ${\left\{R_i\right\}}_{i\in \left[n\right]}$, and the variation–ratio analyses [9] reduce the privacy amplification problem into a divergence bound between two binomial counts (see Lemma 4).

Lemma 4

(Variation–ratio reduction [9]). For $p>1,\beta \in [0,{\displaystyle \frac{p-1}{p+1}}],q\ge 1$, let $C\sim Binomial(n-1,{\displaystyle \frac{2\beta p}{(p-1)q}})$, $A\sim Binomial(C,1/2)$ and ${\Delta }_1\sim Bernoulli({\displaystyle \frac{\beta p}{p-1}})$ and ${\Delta }_2\sim Binomial(1-{\Delta }_1,{\displaystyle \frac{\beta }{p-1-\beta p}})$; let $P_{p,\beta }^{q,n}$ denote $(A+{\Delta }_1,C-A+{\Delta }_2)$ and $Q_{p,\beta }^{q,n}$ denote $(A+{\Delta }_2,C-A+{\Delta }_1)$. If randomizers ${\left\{R_i\right\}}_{i\in \left[n\right]}$ satisfy the $(p,\beta )$-variation property and the q-ratio property for all possible $X,X^{\prime }\in {\mathbb{X}}^n$ that $X{\sim }_v{X}^{\prime }$ ($v\in \left[n\right]$), then for any measurement D satisfying the data-processing inequality:

$$\begin{array}{cc}& D(\mathcal{S}\circ {\mathcal{R}}_{\left[n\right]}\left(X\right)\parallel \mathcal{S}\circ {\mathcal{R}}_{\left[n\right]}\left(X^{\prime }\right))\le D(P_{p,\beta }^{q,n}\parallel Q_{p,\beta }^{q,n}).\hfill \end{array}$$

Many prevalent multi-message shuffle protocols can be reduced to the dominating pair $(P_{p,\beta }^{q,n},Q_{p,\beta }^{q,n})$ with varying $p,\beta ,q,n$ parameters, including the optimal privacy–utility–communication protocols of [19,28] that are based on randomized response on each bit, the SOTA message–complexity–efficient frequency oracle of [14] based on binary vector randomized response, and the communication efficient frequency oracle of [16,29].

In the protocol of [16,29], the corresponding $p,\beta ,q,n$ parameters are obvious, and the variation–ratio reduction is essentially tight (i.e., there are neighboring datasets that reach the dominating pair). Meanwhile, in the vector-randomized-response-based numerical gradient summation protocol [19] designated for federated learning, computing the total variation bound parameter $\beta$ is non-trivial. Specifically, the protocol first samples s dimensions from d dimensions and then sanitizes each dimension using a randomized response. Due to the vast applications of such vector randomized responses in shuffle protocols (also seen in the recursive protocol in [15]), we derive tight total variation bound and a dominating pair for them in Theorem 1.

Theorem 1

(Reduction of Shuffled Sampled Vector Randomized Response Messages). Given a d-dimension binary vector input domain ${\{0,1\}}^d$, define a randomized response mechanism $\mathcal{R}$ that outputs s dimensions $S\subseteq \left[d\right]$ with some probability distribution $p_S\in {\Delta }_{{\left[d\right]}^s}$, and for each dimension $j\in \left[S\right]$, outputs the input $x_{i,j}\in \{0,1\}$ with probability r (with $r\ge 0.5$), otherwise outputs $1-x_{i,j}$. Then, for all possible $X=\{x_1^0,x_2\dots ,x_n\},X^{\prime }=\{x_1^1,x_2\dots ,x_n\}\in {\{0,1\}}^{d\times n}$ and any measurement D satisfying the data-processing inequality:

$$\begin{array}{cc}& D(\mathcal{S}(\mathcal{R}\left(x_1^0\right),\mathcal{R}\left(x_2\right),\dots ,\mathcal{R}\left(x_n\right))\parallel \mathcal{S}(\mathcal{R}\left(x_1^1\right),\mathcal{R}\left(x_2\right),\dots ,\mathcal{R}\left(x_n\right)))\hfill \\ \hfill \le & D(P_{p,\beta }^{q,n}\parallel Q_{p,\beta }^{q,n}),\hfill \end{array}$$

with $p={\displaystyle \frac{r^s}{{(1-r)}^s}}$, $q=p$, and $\beta ={(1-r)}^s{\sum }_{k=⌊{\displaystyle \frac{s}{2}}⌋+1}^s\left({\displaystyle \genfrac{}{}{0pt}{}{s}{k}}\right)\left({(r/(1-r))}^k-{(r/(1-r))}^{s-k}\right)$.

Proof. 

Recall that the randomizer outputs selected dimensions $S\subseteq \left[d\right]$ and sanitized binary values on these dimensions. We denote the output as $\mathcal{R}\left(x_i\right)=(S,{\left\{\mathsf{RR}\left(x_{i,j}\right)\right\}}_{j\in S})$, where $\mathsf{RR}$ denotes the base randomized response randomizer that flips $x_{i,j}$ with probability $1-r$. Since the dimensions are selected using a public distribution $p_S$ (and are uncorrelated with the input’s value), it is obvious that $\mathcal{R}$ satisfies $s·log\left({\displaystyle \frac{r}{1-r}}\right)$-LDP; thus, the p and q parameter are bounded by ${\displaystyle \frac{r^s}{{(1-r)}^s}}$.

As for the total variation parameter $\beta$, we firstly consider a fixed value of S. For any possible $x_1^0,x_1^0\in {\{0,1\}}^d$, the total variation $D_1({\{\mathsf{RR}(x_{1,j}^0)\}}_{j\in S}\parallel {\{\mathsf{RR}(x_{1,j}^1)\}}_{j\in S})$ is maximized when $x_1^0$ and $x_1^1$ differ at every bit on dimensions S. Without loss of generality, we assume $x_1^0$ take values of 0s on these dimensions, and $x_1^1$ take values of 1s on these dimensions. Then, for a output value $t\in {\{0,1\}}^s$ of ${\left\{\mathsf{RR}\left(x_{i,j}\right)\right\}}_{j\in S}$, if t have more zeros than ones, $\mathbb{P}[{\left\{\mathsf{RR}\left(x_{1,j}^0\right)\right\}}_{j\in S}=t]\ge \mathbb{P}[{\left\{\mathsf{RR}\left(x_{1,j}^1\right)\right\}}_{j\in S}=t]$. Let k denote the number of zeros in t, we have:

$$\begin{array}{cc}& D_1({\{\mathsf{RR}(x_{1,j}^0)\}}_{j\in S}\parallel {\{\mathsf{RR}(x_{1,j}^1)\}}_{j\in S})\hfill \\ \hfill \le & \sum _{t\in {\{0,1\}}^s}max\left\{0,\mathbb{P}[{\{\mathsf{RR}(x_{1,j}^0)\}}_{j\in S}=t]-\mathbb{P}[{\{\mathsf{RR}(x_{1,j}^1)\}}_{j\in S}=t]\right\}\hfill \\ \hfill \le & \sum _{k\in [\lfloor s/2\rfloor +1,s]}\left({\displaystyle \genfrac{}{}{0pt}{}{s}{k}}\right)·\left(r^k{(1-r)}^{s-k}-r^{s-k}{(1-r)}^k\right)\hfill \\ \hfill \le & {(1-r)}^s\sum _{k=⌊{\displaystyle \frac{s}{2}}⌋+1}^s\left({\displaystyle \genfrac{}{}{0pt}{}{s}{k}}\right)\left({(r/(1-r))}^k-{(r/(1-r))}^{s-k}\right).\hfill \end{array}$$

Now enumerating all possible S, we have the total variation bound as:

$$\begin{array}{cc}& D_1(\mathcal{R}\left(x_1^0\right)\parallel \mathcal{R}\left(x_1^1\right))\hfill \\ \hfill \le & \sum _{S\in {\left[d\right]}^s}{p}_S\left(S\right)·D_1({\{\mathsf{RR}(x_{1,j}^0)\}}_{j\in S}\parallel {\{\mathsf{RR}(x_{1,j}^1)\}}_{j\in S})\hfill \\ \hfill \le & {(1-r)}^s\sum _{k=⌊{\displaystyle \frac{s}{2}}⌋+1}^s\left({\displaystyle \genfrac{}{}{0pt}{}{s}{k}}\right)\left({(r/(1-r))}^k-{(r/(1-r))}^{s-k}\right).\hfill \end{array}$$

Finally, utilizing the variation–ratio reduction in Lemma 4, we have the conclusion.    □

6. Privacy Loss Distribution of Generalized Dominating Pairs

Generalized dominating pair for shuffle protocols. To cover the more general case and derive numerical composition bounds for various shuffle protocols (e.g., for both single-message and multi-message protocols), the aim of this work is to numerically derive the DP guarantee of the following K-wise composition of the dominating pair as follows:

$$(P_1,\dots ,P_K\parallel Q_1,\dots ,Q_K),$$

where $P_k=P_{p^{\left(k\right)},{\beta }^{\left(k\right)}}^{q^{\left(k\right)},n^{\left(k\right)}}$ and $Q_k=Q_{p^{\left(k\right)},{\beta }^{\left(k\right)}}^{q^{\left(k\right)},n^{\left(k\right)}}$ is the binomial variable defined as in Lemma 4 (and also in Theorem 1) with possibly heterogeneous parameters $p^{\left(k\right)}>0$, ${\beta }^{\left(k\right)}\le (p^{\left(k\right)}-1)/(p^{\left(k\right)}+1)$, $n^{\left(k\right)}\in {\mathbb{Z}}^{+}$, and $q^{\left(k\right)}\ge 1$.

Following the privacy composition methods in [13,27], the privacy loss distribution (PLD) represents the distribution of the logarithm of probability ratios between a dominating pair of distributions. By constructing the PLD, we can use Fast Fourier Transform (FFT) to compose privacy losses and derive the overall privacy consumption.

To approximate the PLD for each round’s shuffle protocol, we consider the generalized binomial counts that tightly dominate many shuffle protocols: $P_{p,\beta }^{q,n},Q_{p,\beta }^{q,n}$, defined as

$$P_{p,\beta }^{q,n}=(A+{\Delta }_1,C-A+{\Delta }_2),Q_{p,\beta }^{q,n}=(A+{\Delta }_2,C-A+{\Delta }_1),$$

where

• $C\sim \mathrm{Binomial}(n-1,{\displaystyle \frac{2\beta p}{(p-1)q}})$,
• $A\sim \mathrm{Binomial}\left(C,{\displaystyle \frac{1}{2}}\right)$,
• ${\Delta }_1\sim \mathrm{Bernoulli}\left({\displaystyle \frac{\beta p}{p-1}}\right)$,
• ${\Delta }_2\sim \mathrm{Binomial}\left(1-{\Delta }_1,{\displaystyle \frac{\beta }{p-1-\beta p}}\right)$.

• Here, C represents the number of other users whose outputs are indistinguishable “clones” of the two users, and A denotes the random split between these clones.

The formula of probabilities and their ratios. The PLD measures the distribution of probability ratios. To analyze the probability ratios, we first consider $P=(A,C-A)$, $P_0=(A+1,C-A)$ and $P_1=(A,C-A+1)$. Let $s={\displaystyle \frac{2\beta p}{(p-1)q}}$, then based on the above sampling process, we have:

$$\begin{array}{cc}\hfill {\displaystyle \frac{\mathbb{P}[P_1=(a,b)]}{\mathbb{P}[P_0=(a,b)]}}& ={\displaystyle \frac{\left(\genfrac{}{}{0pt}{}{n-1}{a+b-1}\right)s^{a+b-1}{(1-s)}^{n-a-b}\left(\genfrac{}{}{0pt}{}{a+b-1}{a}\right){(1/2)}^{a+b-1}}{\left(\genfrac{}{}{0pt}{}{n-1}{a+b-1}\right)s^{a+b-1}{(1-s)}^{n-a-b}\left(\genfrac{}{}{0pt}{}{a+b-1}{a-1}\right){(1/2)}^{a+b-1}}}\hfill \\ & ={\displaystyle \frac{b}{a}},\hfill \end{array}$$

$$\begin{array}{cc}\hfill {\displaystyle \frac{\mathbb{P}[P=(a,b\left)\right]}{\mathbb{P}[P_0=(a,b)]}}& ={\displaystyle \frac{\left(\genfrac{}{}{0pt}{}{n-1}{a+b}\right)s^{a+b}{(1-s)}^{n-a-b-1}\left(\genfrac{}{}{0pt}{}{a+b}{a}\right){(1/2)}^{a+b}}{\left(\genfrac{}{}{0pt}{}{n-1}{a+b-1}\right)s^{a+b-1}{(1-s)}^{n-a-b}\left(\genfrac{}{}{0pt}{}{a+b-1}{a-1}\right){(1/2)}^{a+b-1}}}\hfill \\ & ={\displaystyle \frac{n-a-b}{2a}}·{\displaystyle \frac{s}{1-s}},\hfill \end{array}$$

Now let $\alpha =\beta /(p-1)$, then the ratio of probabilities on point $(a,b)\in {[0,n]}^2$ (with $a+b\le n$) is given by:

$$\begin{array}{cc}\hfill & {\displaystyle \frac{\mathbb{P}[P_{p,\beta }^{q,n}=(a,b)]}{\mathbb{P}[Q_{p,\beta }^{q,n}=(a,b)]}}\hfill \end{array}$$

(4)

$$\begin{array}{cc}\hfill =& {\displaystyle \frac{p\alpha \mathbb{P}[P_0=(a,b)]+\alpha \mathbb{P}[P_1=(a,b)]+(1-\alpha (p+1))\mathbb{P}[P=(a,b)]}{\alpha \mathbb{P}[P_0=(a,b)]+p\alpha \mathbb{P}[P_1=(a,b)]+(1-\alpha (p+1))\mathbb{P}[P=(a,b)]}}\hfill \end{array}$$

(5)

$$\begin{array}{cc}\hfill =& {\displaystyle \frac{2p\alpha ·a+2\alpha ·b+(1-\alpha (p+1\left)\right)(n-a-b)·s/(1-s)}{2\alpha ·a+2p\alpha ·b+(1-\alpha (p+1\left)\right)(n-a-b)·s/(1-s)}},\hfill \end{array}$$

(6)

We denote this probability ratio as $R_{a,b}$.

Due to symmetry, the PLDs of $P_{p,\beta }^{p,n},Q_{p,\beta }^{p,n}$ and $Q_{p,\beta }^{p,n},P_{p,\beta }^{p,n}$ (e.g., these from Lemma 4 or Theorem 1) are the same. Computing the PLD directly involves iterating over a two-dimensional domain of size $\Omega \left(n^2\right)$, which is impractical for large n. Following the approach in [13], we use Hoeffding’s tail bounds for the binomial distributions to limit our computation to regions where the probability mass is significant, neglecting negligible probabilities and adding their total mass to ${\omega }_{P/Q}(logp)$ or ${\omega }_{P/Q}(\infty )$. By applying Hoeffding’s inequality to both C and A, we focus on subsets $S_n$ and ${\widehat{S}}_c$ containing most of the mass, reducing the terms to $\mathcal{O}(nlog(1/\tau \left)\right)$, where $\tau$ is a small tolerance.

Theorem 2.

Given a dominating pair $P_{p,\beta }^{q,n},Q_{p,\beta }^{q,n}$ (shorted as $P,Q$), $\tau \in (0,1]$ and define the set

$$S_n=\left[max\left(0,({\displaystyle \frac{2\beta p}{(p-1)q}}-v_n)(n-1-m)\right),min\left(n-1,({\displaystyle \frac{2\beta p}{(p-1)q}}+v_n)(n-1-m)\right)\right],$$

where $v_n=\sqrt{{\displaystyle \frac{log(4/\tau )}{2(n-1)}}}$. For each $c\in S_n$, define

$$S_c=\left[max\left(0,\left(t-{\widehat{v}}_c\right)c\right),min\left(c,\left(t+{\widehat{v}}_c\right)c\right)\right],$$

with ${\widehat{v}}_c=\sqrt{{\displaystyle \frac{log(4/\tau )}{2c}}}$. Then, the approximated PLD ${\tilde{\omega }}_{P/Q}$ defined by

$${\tilde{\omega }}_{P/Q}\left(u\right)=\sum _{c\in S_n}\sum _{a\in S_c}\mathbb{P}\left(P=(a+{\Delta }_1,c-a+{\Delta }_2)\right)·{\delta }_{s_{a,b}}\left(u\right),$$

(7)

where $s_{a,b}=log\left(R_{a,b}\right)=log({\displaystyle \frac{\mathbb{P}[P_{p,\beta }^{q,n}=(a,b)]}{\mathbb{P}[Q_{p,\beta }^{q,n}=(a,b)]}})$, differs from the true PLD ${\omega }_{P/Q}$ by at most mass τ and contains $\mathcal{O}(nlog(1/\tau \left)\right)$ terms.

Proof. 

We apply Hoeffding’s inequality to the binomial random variable $C\sim \mathrm{Binomial}(n-1,{\displaystyle \frac{2\beta p}{(p-1)q}})$. For any $v>0$, the inequality provides the following bounds:

$$\mathbb{P}\left(C\le m+({\displaystyle \frac{2\beta p}{(p-1)q}}-v)(n-1)\right)\le exp\left(-2(n-1)v^2\right),$$

$$\mathbb{P}\left(C\ge ({\displaystyle \frac{2\beta p}{(p-1)q}}+v)(n-1)\right)\le exp\left(-2(n-1)v^2\right).$$

To ensure that the total probability does not exceed $\tau /2$, we impose the condition:

$2exp\left(-2(n-1)v^2\right)\le {\displaystyle \frac{\tau }{2}}$. Solving for v, we obtain

$$v\ge \sqrt{{\displaystyle \frac{log(4/\tau )}{2(n-1)}}}.$$

This yields expressions for $v_n$ and $S_n$. Similarly, we apply Hoeffding’s inequality to $A\sim \mathrm{Binomial}(C,1/2)$ to derive expressions for ${\widehat{v}}_i$ and ${\widehat{S}}_i$. The total neglected mass is bounded by $\tau /2+\tau /2=\tau$.

Next, we estimate the number of terms in $S_n$. The set $S_n$ contains at most $2v_n(n-1)=\sqrt{n-1}·\sqrt{2log(4/\tau )}$ terms. For each i, the set ${\widehat{S}}_i$ contains at most

$$2{\widehat{v}}_i·i=\sqrt{i}·\sqrt{2log(4/\tau )}\le \sqrt{n-1}·\sqrt{2log(4/\tau )}$$

terms. Hence, the number of terms in ${\tilde{\omega }}_{P/Q}$ is at most $\mathcal{O}(nlog(4/\tau \left)\right)$.

Finally, we derive the conclusion by performing the change of variables $a=j+1$ and $b=i-j$.    □

In practice, when computing the PLD of $(P_{p,\beta }^{q,n},Q_{p,\beta }^{q,n})$, we finitely grid the domain of the PLD (i.e., the values of u) and ensure the neglected mass is below a prescribed tolerance $\tau$ (e.g., $\tau =2^{-30}$) and add it to ${\delta }_{P/Q}(\infty )$. The overall procedure is summarized in Algorithm 1. This approximation significantly reduces computational complexity, and when composing privacy losses, the FFT computation in Lemma 2—dependent only on the number $n_u$ of grid points—becomes the dominant factor.

Comparison with existing accounting approaches. Several works employ the Rényi differential privacy for composition, such as in [8]. However, the Rényi differential privacy is far from tight for the random noises in the shuffle model. The work of [13] proposes numerical composition for LDP randomizers in the shuffle model, though it is applicable to only single-message protocols (corresponding to $q\equiv p$ and $\beta \equiv (p-1)/(p+1)$ in our dominating pair). Commonly used local randomizers (e.g., the vector binary randomized response in [19], see Theorem 1) often have much lower values of total variation bound $\beta$. Moreover, the single-message protocols are known to have limited utility [12] for common statistical queries (e.g., histogram estimation, numerical vector aggregation), when compared to multi-message shuffle protocols (e.g., in [14,16]).

Algorithm 1 PLD Computation of $(P_{p,\beta }^{q,n},Q_{p,\beta }^{q,n})$
Input: $n,p,\beta ,q,n_u,L,\tau$
Output: The PLD of $(P_{p,\beta }^{q,n},Q_{p,\beta }^{q,n})$ over $n_u$-grid range $[-L,L]$ with tolerance $\tau$
1:	$\alpha \leftarrow \beta /(p-1)$
2:	$s\leftarrow 2\beta p/\left(\right(p-1\left)q\right)$
3:	$\mathrm{tol}\leftarrow log(1/\tau )$
4:	${\mathrm{lowerc}}_i\leftarrow max(0,\lfloor (n-1)(s-\sqrt{log(1/\tau )/\left(2\right(n-1\left)\right)})\rfloor )$
5:	${\mathrm{upperc}}_i\leftarrow min(n-1,\lceil (n-1)(s+\sqrt{log(1/\tau )/\left(2\right(n-1\left)\right)})\rceil )$
6:	$d_l\leftarrow 2L/n_u$
7:	$\tilde{\omega }\leftarrow \mathrm{zeros}\left(n_u\right)$           ▷ initializes the PLD with a list of zeros
8:	for $i\leftarrow {\mathrm{lowerc}}_i$ to ${\mathrm{upperc}}_i$ do
9:	${\mathrm{lower}}_j\leftarrow max(0,\lfloor i/2-\sqrt{log(1/\tau )/\left(2\right(i+1\left)\right)})\rfloor )$
10:	${\mathrm{upper}}_j\leftarrow min(i,\lceil i/2+\sqrt{log(1/\tau )/\left(2\right(i+1\left)\right)})\rceil )$
11:	for $j\leftarrow {\mathrm{lower}}_j$ to ${\mathrm{upper}}_j$ do
12:	$P_0[j-1,i-j]\leftarrow \left({\displaystyle \genfrac{}{}{0pt}{}{n-1}{i}}\right)s^i{(1-s)}^{n-1-i}\left({\displaystyle \genfrac{}{}{0pt}{}{i}{j}}\right){(1/2)}^i$
13:	$R_{j+1,i-j}\leftarrow {\displaystyle \frac{2p\alpha ·(j+1)+2\alpha ·(i-j)+(1-\alpha (p+1\left)\right)(n-1-i)·s/(1-s)}{2\alpha ·(j+1)+2\alpha ·(i-j)+(1-\alpha (p+1\left)\right)(n-1-i)·s/(1-s)}}$
14:	if $log{R}_{j+1,i-j}>-L$ and $log{R}_{j+1,i-j}<L$ then
15:	$ii\leftarrow min(n_u-1,\lceil (log{R}_{j+1,i-j}+L)/d_l\rceil )$
16:	$\tilde{\omega }\left[ii\right]\leftarrow \tilde{\omega }\left[ii\right]+P_0[j-1,i-j]$
17:	end if
18:	end for
19:	end for
20:	return $\tilde{\omega }$

7. Applications to Federated Learning

7.1. Building Decision Tree/Forest

Decision trees [30] are hierarchical models used for classification and regression tasks, where data are recursively partitioned based on feature values to maximize a purity metric such as information gain or Gini impurity. At each node, the algorithm evaluates possible splits by considering thresholds over features and selects the one that optimally separates the data. Random forests extend this concept by constructing an ensemble of decision trees, each trained on a bootstrap sample of the data and a random subset of features, thereby improving generalization through bagging and feature randomness.

In federated learning settings, where data are distributed across multiple clients with privacy constraints, the traditional centralized approach is infeasible. To address this, the model-building process can be transformed into multiple rounds of histogram estimation. Each client computes local histograms $H_f^{\left(k\right)}$ for feature f, aggregating the frequencies of feature values within predefined bins. These set-valued frequency estimations are securely aggregated and sent to a central server, which combines them to approximate the global data distribution: $H_f={\sum }_{k=1}^K{H}_f^{\left(k\right)}$. The server then determines optimal split points based on the aggregated histograms without accessing raw data, enabling the collaborative construction of decision trees and forests while preserving data privacy.

For each histogram frequency query, one can adopt a SOTA shuffle protocol from [14,16,29]. For every one of them, the $p,\beta$ and $q,n$ parameters can be easily computed (see Section 8 for detail).

7.2. Building Deep Learning Models

Deep learning models, such as neural networks, are powerful tools for learning complex patterns from data. In federated settings, where data are distributed across multiple clients with privacy constraints, training deep learning models requires a collaborative approach that avoids sharing raw data. Federated learning enables this by allowing each client to train a local model on their data and then share model updates (e.g., gradients) with a central server. The server aggregates these updates to improve a global model, iteratively refining it over multiple communication rounds.

To preserve privacy and ensure robustness, the model building process can be transformed into multiple rounds of gradient aggregation with clipping and randomization. After computing local gradients, each client applies gradient clipping to bound the influence of any single update: ${\tilde{g}}^{\left(k\right)}=\mathrm{Clip}(g^{\left(k\right)},C)$, where $g^{\left(k\right)}$ is the local gradient and C is the clipping threshold. Clients then randomize and contribute their clipped gradients using the shuffle model of DP. The central server observes privatized gradients from the shuffler, and then aggregates them to update the global model: $g={\displaystyle \frac{1}{K}}{\sum }_{k=1}^K{\widehat{g}}^{\left(k\right)}$. By iterating this process, the federated system collaboratively trains a deep learning model while protecting individual client data.

For each gradient aggregation query, one can adopt the SOTA shuffle protocol for numerical vector summation from [19]. In their protocol, each message is computed from s uniform-randomly selected bits from d dimensions, and each bit is flipped with probability $1-r$. The corresponding $p,\beta$ and $q,n$ parameters can be computed using Theorem 1.

7.3. Machine Learning

Many machine learning algorithms naturally align with the multi-round paradigm considered in this work. For example, Isolation Forest for anomaly detection [31] relies on iterative data partitioning to isolate anomalies. This process can be adapted to federated learning using the shuffle model, ensuring privacy during intermediate computations. Similarly, iterative clustering algorithms, such as K-means [32], refine cluster centroids over multiple rounds of aggregation and adjustment. Differential privacy techniques, including the shuffle model, have been shown to effectively protect privacy in these settings. The shuffle model’s privacy amplification effect is particularly beneficial for such iterative computations, enabling secure aggregation of intermediate results like histogram updates or centroid adjustments [6]. This integration extends the applicability of federated learning to tasks such as anomaly detection, clustering, and other iterative machine learning methods in privacy-sensitive scenarios.

8. Experiments

We evaluate the privacy composition results of our proposal on two typical federated learning tasks within the shuffle model: decision trees and deep learning. We simulate shuffle protocols for these learning tasks, and measure their overall privacy consumption. The implementation code is made publicly available at https://github.com/wangsw/PrivacyAmplification/tree/main/sequentialComposition (accessed on 31 January 2025).

8.1. Federated Deep Learning Simulation

We assume a general deep learning procedure in the shuffle model, where there are K iterative gradient aggregation rounds, and each round collects a gradient vector from n users. Assuming the local budget as ${ϵ}_0$, according to optimal numerical vector aggregation protocol [19], each user will send $s=\lceil {ϵ}_0\rceil$ bits in each message. Each bit is sanitized using a randomized response with flipping probability $1/(exp(1)+1)$. Overall, the procedure is equivalent to K rounds of shuffle protocols, each using sampled vector $\{0,1\}$-randomized response as the local randomizer with n users. In order to cover extensive scenarios, we vary the number of iterations T from 2 to 256, vary the local budget ${ϵ}_0$ in $\{2,4\}$, and vary the number of users from ${10}^4$ to ${10}^5$.

The work of [13] for privacy composition of single-message LDP shuffling protocols is applicable to such a scenario, as the sampled vector $\{0,1\}$-randomized response with flipping probability $1/(exp({ϵ}_0/s)+1)$ satisfies ${ϵ}_0$-LDP. We compare our proposal in Theorem 1 with the numerical approach in [13], which had the tightest so far composition bounds (compared to the Rényi DP-based approaches in [8,10]). We present the experimental results in Figure 2. Since our proposal in Theorem 1 provides a provably tighter dominating pair for vector $\{0,1\}$-randomized response, it consistently reduces about $20\%$ privacy consumption when compared to [13].

8.2. Federated Decision Tree/Forest Simulation

Recall that decision trees select splitting attributes at each node of the decision tree. At the h-th level (deem the root node as the 0-th level), there are $2^h$ nodes to choose from, each being chosen from $d-h$ candidate attributes. Since each node at the same level is a subpopulation, it is enough to launch $d-h$ histogram queries for all $2^h$ nodes. Therefore, to build a decision with H levels, there are a total of ${\displaystyle \frac{H(d+d-H)}{2}}={\sum }_{h\in [0,H]}(d-h)$ histogram queries. Assuming each attribute has 2 categories, then each histogram query in the h-th level will have $2^{h+1}$ categories. We will use the SOTA multi-message histogram estimation protocol of [16] within the shuffle model, where each histogram query will employ the full n-size population. In each histogram protocol in the h-th level, the parameters $p=+\infty$, $\beta =1$, and $q=2^{h+1}$.

As each round employs the multi-message protocol [16], while [8,13] (which are constrained on single-message protocols) are not applicable, we compare our approach with the basic and advanced privacy composition bound from [3], where each round’s privacy loss is numerically computed using the SOTA variation–ratio reduction [9]. In the histogram estimation protocol, we assume each user contributes m messages: one message for the true category, and $m-1$ messages each as a uniform random category from the domain. Let $d_h$ denote the domain size (number of categories) at the h-th level, and the dominating pair of the protocol has parameters $p=+\infty$, $\beta =1$, $q=d_h$. We vary the number of messages per user from 2 to 6, vary the number of users from ${10}^4$ to ${10}^5$, vary the number of tree levels H from 5 to 8, and vary the number of attributes d from 8 to 32.

Our proposal is also applicable to decision forest, where multiple decision trees are either created in parallel (e.g., in random forest) or sequentially (e.g., in gradient-boosted decision trees). For illustration, we assume that we build $S=1$ or $S=5$ trees sequentially, covering many practical scenarios. Compared to the single decision tree, decision forest requires more number of privacy compositions. In Figure 3 and Figure 4, we present the experimental results with varying number of messages per user (in the x-axis) and with tree height $H=5$ and $H=8$, respectively. Compared to basic or advanced composition, our proposal saves remarkably $80\%$ budget.

9. Conclusions

We have presented a numerical composition method for the shuffle model of differential privacy, covering both single-message shuffle protocols and multi-message shuffle protocols, having broad applications to federated analytics and federated learning (e.g., decision tree/forest and deep learning). Specifically, for single-message shuffle protocols that are based on vector randomized response, we provide privacy parameter characterization. For unified dominating pair reduction of single-message/multi-message shuffle protocols, we present an efficient and tight approach for K-wise sequential composition within $\tilde{O}(n·K)$ computational complexity. Through simulations of federated learning in the shuffle model, we show that our proposals save $20\%$ budget for single-message shuffle protocols, and $80\%$ budget for multi-message shuffle protocols.

Nevertheless, several limitations are present in our study. The communication overhead inherent in the shuffling process, particularly in systems with a large number of participants, presents considerable challenges related to scalability and operational efficiency. In the context of a joint learning framework, the additional computational burden imposed by the execution of the shuffling protocol may negatively impact the overall system performance, especially in scenarios characterized by resource limitations or uneven data distribution.

Future Directions: (i) Future research could explore the integration of the shuffle model with complementary privacy-preserving techniques such as homomorphic encryption or secure multi-party computation (SMPC). Such hybrid approaches would enable stronger privacy guarantees for tasks that involve highly sensitive data, such as financial or healthcare data analysis. (ii) Another direction is to investigate the privacy–utility trade-offs in non-numerical tasks, such as text, image, or multimedia analysis, which could expand the shuffle model’s applicability to fields like natural language processing and computer vision.