In decentralized settings, the shuffle model of differential privacy has emerged as a promising alternative to the classical local model. Analyzing privacy amplification via shuffling is a critical component in both single-message and multi-message shuffle protocols. However, current methods used in these two areas are distinct and specific, making them less convenient for protocol designers and practitioners. In this work, we introduce variation-ratio reduction as a unified framework for privacy amplification analyses in the shuffle model. This framework utilizes total variation bounds of local messages and probability ratio bounds of other users' blanket messages, converting them to indistinguishable levels. Our results indicate that the framework yields tighter bounds for both single-message and multi-message encoders (e.g., with local DP, local metric DP, or multi-message randomizers). Specifically, for a broad range of local randomizers having extremal probability design, our amplification bounds are precisely tight. We also demonstrate that variation-ratio reduction is well-suited for parallel composition in the shuffle model and results in stricter privacy accounting for common sampling-based local randomizers. Our experimental findings show that, compared to existing amplification bounds, our numerical amplification bounds can save up to $30\%$ of the budget for single-message protocols, $75\%$ of the budget for multi-message protocols, and $75\%$-$95\%$ of the budget for parallel composition. Additionally, our implementation for numerical amplification bounds has only $\tilde{O}(n)$ complexity and is highly efficient in practice, taking just $10$ seconds for $n=10^8$ users. The code for our implementation can be found at \url{https://github.com/wangsw/PrivacyAmplification}.
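The following Python block is an added illustration, not code from the paper or from the linked repository. It builds the simplest shuffle-model pipeline (k-ary randomized response as the local randomizer, a shuffler that discards the user-to-message association, and an unbiased histogram estimator) and computes the two quantities the abstract's framework consumes, the total variation distance between two users' message distributions and their maximum probability ratio. For the amplified central guarantee it uses the closed-form bound of Feldman, McMillan and Talwar ("Hiding Among the Clones", 2021, Theorem 3.1) as transcribed here from memory, which is an assumption; it is not the paper's variation-ratio reduction bound, so the numbers it prints are only meant to show the amplification effect growing with n, not to reproduce the paper's savings.

```python
"""Toy shuffle-model pipeline with k-ary randomized response (k-RR).

Added example; not the paper's code. The amplification bound below is the
closed-form Feldman-McMillan-Talwar (2021) bound as recalled by the editor
(assumption), NOT the paper's variation-ratio reduction bound.
"""
import math
import random
from typing import List, Optional


def krr_distribution(x: int, k: int, eps0: float) -> List[float]:
    """Output distribution of eps0-LDP k-RR on input x in range(k)."""
    denom = math.exp(eps0) + k - 1
    return [math.exp(eps0) / denom if y == x else 1.0 / denom for y in range(k)]


def krr_tv_closed_form(k: int, eps0: float) -> float:
    """TV distance between k-RR outputs on two different inputs: (e^eps0 - 1)/(e^eps0 + k - 1)."""
    return (math.exp(eps0) - 1) / (math.exp(eps0) + k - 1)


def total_variation(p: List[float], q: List[float]) -> float:
    """TV distance between two distributions on the same finite support."""
    return 0.5 * sum(abs(a - b) for a, b in zip(p, q))


def max_probability_ratio(p: List[float], q: List[float]) -> float:
    """sup_y p(y)/q(y); equals exp(eps0) for an eps0-LDP randomizer."""
    return max(a / b for a, b in zip(p, q))


def run_shuffle_protocol(inputs: List[int], k: int, eps0: float, seed: int) -> List[int]:
    """Each user sends one k-RR message; the shuffler returns them in random order."""
    rng = random.Random(seed)
    msgs = [rng.choices(range(k), weights=krr_distribution(x, k, eps0))[0] for x in inputs]
    rng.shuffle(msgs)  # the shuffler drops the user-to-message association
    return msgs


def estimate_histogram(msgs: List[int], k: int, eps0: float) -> List[float]:
    """Unbiased frequency estimate from k-RR messages.

    E[count_y] = n_y * p + (n - n_y) * q, so n_y = (count_y - n*q) / (p - q).
    """
    n = len(msgs)
    denom = math.exp(eps0) + k - 1
    p, q = math.exp(eps0) / denom, 1.0 / denom
    return [(msgs.count(y) - n * q) / (p - q) for y in range(k)]


def fmt_amplified_eps(eps0: float, n: int, delta: float) -> Optional[float]:
    """Closed-form central (eps, delta)-DP after shuffling n eps0-LDP reports.

    Feldman-McMillan-Talwar 2021, Thm 3.1 as transcribed here (assumption).
    Valid only when eps0 <= log(n / (16 log(2/delta))); returns None otherwise.
    """
    if eps0 > math.log(n / (16 * math.log(2 / delta))):
        return None
    e = math.exp(eps0)
    tail = 8 * math.sqrt(e * math.log(4 / delta)) / math.sqrt(n) + 8 * e / n
    return math.log(1 + (e - 1) / (e + 1) * tail)


if __name__ == "__main__":
    k, eps0, delta = 4, 1.0, 1e-6
    p_x, p_xp = krr_distribution(0, k, eps0), krr_distribution(1, k, eps0)
    print("TV:", total_variation(p_x, p_xp), "ratio:", max_probability_ratio(p_x, p_xp))
    rng = random.Random(1)
    inputs = [rng.randrange(k) for _ in range(10_000)]  # constructed sample data
    msgs = run_shuffle_protocol(inputs, k, eps0, seed=2)
    print("estimated histogram:", [round(v) for v in estimate_histogram(msgs, k, eps0)])
    for n in (10**3, 10**4, 10**6, 10**8):
        print("n =", n, "amplified eps =", fmt_amplified_eps(eps0, n, delta))
```

The local randomizer's probability ratio bound stays at e^{eps0} regardless of n, while the central epsilon returned by `fmt_amplified_eps` shrinks roughly like 1/sqrt(n); the paper's contribution is a tighter and more general way of turning the TV and ratio bounds into that central guarantee, which this closed-form bound does not reproduce.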