In decentralized settings, the shuffle model of differential privacy has emerged as a promising alternative to the classical local model. Analyzing privacy amplification via shuffling is a critical component in both single-message and multi-message shuffle protocols. However, current methods used in these two areas are distinct and specific, making them less convenient for protocol designers and practitioners. In this work, we introduce variation-ratio reduction as a unified framework for privacy amplification analyses in the shuffle model. This framework utilizes total variation bounds of local messages and probability ratio bounds of other users' blanket messages, converting them to indistinguishable levels. Our results indicate that the framework yields tighter bounds for both single-message and multi-message encoders (e.g., with local DP, local metric DP, or general multi-message randomizers). Specifically, for a broad range of local randomizers having extremal probability design, our amplification bounds are precisely tight. We also demonstrate that variation-ratio reduction is well-suited for parallel composition in the shuffle model and results in stricter privacy accounting for common sampling-based local randomizers. Our experimental findings show that, compared to existing amplification bounds, our numerical amplification bounds can save up to $30\%$ of the budget for single-message protocols, $75\%$ of the budget for multi-message protocols, and $75\%$-$95\%$ of the budget for parallel composition. Additionally, our implementation for numerical amplification bounds has only $\tilde{O}(n)$ complexity and is highly efficient in practice, taking just $2$ minutes for $n=10^8$ users. The code for our implementation can be found at \url{https://github.com/wangsw/PrivacyAmplification}.