Connecting Robust Shuffle Privacy and Pan-Privacy

TL;DR

This paper explores the connection between shuffle privacy and pan-privacy models, providing protocols, lower bounds, and demonstrating their implications for differential privacy tasks like counting and testing.

Contribution

It establishes a formal link between robust shuffle privacy and pan-privacy, introducing new protocols and bounds for key privacy-preserving data analysis problems.

Findings

Robust shuffle privacy and pan-privacy have additive error rom or counting distinct elements.

A robust approximate shuffle private protocol for uniformity testing with sample complexity or domain size k.

Lower bounds for these problems derived from pan-private lower bounds.

Abstract

In the \emph{shuffle model} of differential privacy, data-holding users send randomized messages to a secure shuffler, the shuffler permutes the messages, and the resulting collection of messages must be differentially private with regard to user data. In the \emph{pan-private} model, an algorithm processes a stream of data while maintaining an internal state that is differentially private with regard to the stream data. We give evidence connecting these two apparently different models. Our results focus on \emph{robustly} shuffle private protocols, whose privacy guarantees are not greatly affected by malicious users. First, we give robustly shuffle private protocols and upper bounds for counting distinct elements and uniformity testing. Second, we use pan-private lower bounds to prove robustly shuffle private lower bounds for both problems. Focusing on the dependence on the domain size $k$, we find that robust approximate shuffle privacy and approximate pan-privacy have additive error $\Theta(\sqrt{k})$ for counting distinct elements. For uniformity testing, we give a robust approximate shuffle private protocol with sample complexity $\tilde O(k^{2/3})$ and show that an $\Omega(k^{2/3})$ dependence is necessary for any robust pure shuffle private tester. Finally, we show that this connection is useful in both directions: we give a pan-private adaptation of recent work on shuffle private histograms and use it to recover further separations between pan-privacy and interactive local privacy.