The shuffle model of differential privacy (DP) offers compelling privacy-utility trade-offs in decentralized settings (e.g., internet of things, mobile edge networks). Particularly, the multi-message shuffle model, where each user may contribute multiple messages, has shown that accuracy can approach that of the central model of DP. However, existing studies typically assume a uniform privacy protection level for all users, which may deter conservative users from participating and prevent liberal users from contributing more information, thereby reducing the overall data utility, such as the accuracy of aggregated statistics. In this work, we pioneer the study of segmented private data aggregation within the multi-message shuffle model of DP, introducing flexible privacy protection for users and enhanced utility for the aggregation server. Our framework not only protects users' data but also anonymizes their privacy level choices to prevent potential data leakage from these choices. To optimize the privacy-utility-communication trade-offs, we explore approximately optimal configurations for the number of blanket messages and conduct almost tight privacy amplification analyses within the shuffle model. Through extensive experiments, we demonstrate that our segmented multi-message shuffle framework achieves a reduction of about 50% in estimation error compared to existing approaches, significantly enhancing both privacy and utility.