Differential Privacy in the Shuffle Model: A Survey of Separations

TL;DR

This survey reviews the shuffle model of differential privacy, highlighting protocols, theoretical limits, and the potential of interactivity to achieve high accuracy with minimal trust assumptions.

Contribution

It provides a comprehensive overview of shuffle protocols, lower bounds, and the role of interactivity in the shuffle model of differential privacy.

Findings

Shuffle protocols achieve high accuracy with mild trust assumptions.

Lower bounds define the limits of the shuffle model.

Interactivity enhances privacy-utility trade-offs.

Abstract

Differential privacy is often studied in one of two models. In the central model, a single analyzer has the responsibility of performing a privacy-preserving computation on data. But in the local model, each data owner ensures their own privacy. Although it removes the need to trust the analyzer, local privacy comes at a price: a locally private protocol is less accurate than a centrally private counterpart when solving many learning and estimation problems. Protocols in the shuffle model are designed to attain the best of both worlds: recent work has shown high accuracy is possible with only a mild trust assumption. This survey paper gives an overview of novel shuffle protocols, along with lower bounds that establish the limits of the new model. We also summarize work that show the promise of interactivity in the shuffle model.