The shuffle model of differential privacy (DP) offers compelling privacy-utility trade-offs in decentralized settings (e.g., internet of things, mobile edge networks). In particular, the multi-message shuffle model, where each user may contribute multiple messages, has shown that accuracy can approach that of the central model of DP. However, existing studies typically assume a uniform privacy protection level for all users, which may deter conservative users from participating and prevent liberal users from contributing more information, thereby reducing the overall data utility, such as the accuracy of aggregated statistics. In this work, we pioneer the study of segmented private data aggregation within the multi-message shuffle model of DP, introducing flexible privacy protection for users and enhanced utility for the aggregation server. Our framework not only protects users' data but also anonymizes their privacy level choices to prevent potential data leakage from these choices. To optimize the privacy-utility-communication trade-offs, we explore approximately optimal configurations for the number of blanket messages and conduct almost tight privacy amplification analyses within the shuffle model. Through extensive experiments, we demonstrate that our segmented multi-message shuffle framework achieves a reduction of about 50% in estimation error compared to existing approaches, significantly enhancing both privacy and utility.
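To make the blanket-message idea concrete, the following is an added simulation (not the paper's protocol or code) of the generic multi-message shuffle histogram construction: each user sends its true value plus a self-chosen number of uniformly random blanket messages, the shuffler hides which user sent what, and the server debiases the counts knowing only the blanket total. The per-user blanket counts (8 for an assumed "conservative" segment, 2 for the rest), the population, and the server learning only the total are assumptions; no (epsilon, delta) accounting is performed here.

```python
import random
from collections import Counter

def user_messages(x, k, num_blanket, rng):
    """Messages one user hands to the shuffler: the true value x in [0, k)
    plus num_blanket uniformly random blanket values. In this assumed
    segmentation a more conservative user simply chooses a larger num_blanket."""
    return [x] + [rng.randrange(k) for _ in range(num_blanket)]

def shuffle_round(values, blanket_counts, k, rng):
    """One round: each user emits its messages, the shuffler permutes the
    union so the server sees neither who sent a message nor how many blanket
    messages (i.e. which privacy level) any single user chose."""
    pool = []
    for x, m in zip(values, blanket_counts):
        pool.extend(user_messages(x, k, m, rng))
    rng.shuffle(pool)
    return pool, sum(blanket_counts)  # server learns only the total

def estimate_histogram(messages, total_blanket, k):
    """Unbiased histogram: each blanket message lands on any given value with
    probability 1/k, so subtract the expected blanket mass from each count."""
    counts = Counter(messages)
    return [counts.get(v, 0) - total_blanket / k for v in range(k)]

def max_abs_error(values, estimate, k):
    true = Counter(values)
    return max(abs(estimate[v] - true.get(v, 0)) for v in range(k))

def run_demo(seed=7, k=10, n=2000, conservative_share=0.3):
    """Constructed population: a share of conservative users who add 8 blanket
    messages each, the rest add 2; returns what the server sees and the error."""
    rng = random.Random(seed)
    values = [rng.randrange(k) for _ in range(n)]
    blanket_counts = [8 if rng.random() < conservative_share else 2
                      for _ in range(n)]
    messages, total_blanket = shuffle_round(values, blanket_counts, k, rng)
    est = estimate_histogram(messages, total_blanket, k)
    return {"n": n, "received": len(messages), "total_blanket": total_blanket,
            "estimate": est, "max_abs_error": max_abs_error(values, est, k)}

if __name__ == "__main__":
    r = run_demo()
    print("messages received:", r["received"], "blanket:", r["total_blanket"])
    print("max abs error of the histogram:", round(r["max_abs_error"], 1))
```

Raising the blanket counts lowers the error of no single estimate but raises the variance of every one, which is the privacy-utility-communication trade-off the abstract refers to.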