Multi-user virtual reality enables immersive interaction. However, rendering avatars for numerous participants on each headset incurs prohibitive computational overhead, limiting scalability. We introduce a framework, Privatar, to offload avatar reconstruction from the headset to untrusted devices within the same local network while safeguarding against adversaries capable of intercepting offloaded data. Privatar's key insight is that domain-specific knowledge of avatar reconstruction enables provably private offloading at minimal cost. (1) System level. We observe that avatar reconstruction is frequency-domain decomposable via BDCT with negligible quality drop, and propose Horizontal Partitioning (HP), which keeps high-energy frequency components on-device and offloads only low-energy components. HP offloads local computation while limiting information leakage to the low-energy subset. (2) Privacy level. For individually offloaded, multi-dimensional signals without aggregation, worst-case local Differential Privacy requires prohibitive noise, ruining utility. We observe that the statistical distribution of each user's expressions changes slowly over time and is trackable online, and hence propose Distribution-Aware Minimal Perturbation (DAMP). DAMP minimizes noise based on each user's expression distribution to significantly reduce its effect on utility while retaining a formal privacy guarantee. Combined, HP provides empirical privacy against expression identification attacks, and DAMP further augments it to offer a formal guarantee against arbitrary adversaries. On a Meta Quest Pro, Privatar supports 2.37x more concurrent users at 6.5% higher reconstruction loss and 9% energy overhead, providing a better throughput-loss Pareto frontier over quantization, sparsity and local construction baselines. Privatar provides a provable privacy guarantee and stays robust against both empirical and NN-based attacks.
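The frequency split behind Horizontal Partitioning, as an added example that is not Privatar's code: it reads BDCT as a block-wise DCT and measures how much signal energy the offloaded part carries. The block size, the sample data, the energy-ranking rule and the `keep` count are assumptions, and DAMP's noise is not modelled.

```python
import math

N = 4  # block size (assumption; the abstract does not state one)

# Orthonormal DCT-II basis, so coefficient energy equals signal energy.
C = [[(math.sqrt(1 / N) if k == 0 else math.sqrt(2 / N))
      * math.cos(math.pi * (2 * n + 1) * k / (2 * N)) for n in range(N)]
     for k in range(N)]
CT = [list(row) for row in zip(*C)]

def matmul(a, b):
    return [[sum(a[i][k] * b[k][j] for k in range(N)) for j in range(N)]
            for i in range(N)]

def dct2(block):   # forward 2-D block DCT: C X C^T
    return matmul(matmul(C, block), CT)

def idct2(coef):   # inverse 2-D block DCT: C^T Y C
    return matmul(matmul(CT, coef), C)

def mask(coef, positions, inside):
    """Zero every coefficient whose position is not on the requested side."""
    return [[coef[u][v] if ((u, v) in positions) == inside else 0.0
             for v in range(N)] for u in range(N)]

def horizontal_partition(blocks, keep):
    """Keep the `keep` highest-energy frequency positions on-device, offload the rest."""
    coefs = [dct2(b) for b in blocks]
    energy = {(u, v): sum(c[u][v] ** 2 for c in coefs)
              for u in range(N) for v in range(N)}
    local_pos = set(sorted(energy, key=energy.get, reverse=True)[:keep])
    local = [mask(c, local_pos, True) for c in coefs]
    offloaded = [mask(c, local_pos, False) for c in coefs]
    leaked = sum(e for p, e in energy.items() if p not in local_pos) / sum(energy.values())
    return local, offloaded, leaked

def sample_blocks():
    # Constructed smooth data standing in for avatar signal blocks.
    return [[[100 + 10 * b + 3 * i + 2 * j + (i * j + b) % 3 for j in range(N)]
             for i in range(N)] for b in range(3)]

def demo(keep=3):
    blocks = sample_blocks()
    local, offloaded, leaked = horizontal_partition(blocks, keep)
    # The inverse transform is linear: local part + offloaded part = original.
    err = max(abs(l + o - x)
              for lc, oc, blk in zip(local, offloaded, blocks)
              for lr, orow, xr in zip(idct2(lc), idct2(oc), blk)
              for l, o, x in zip(lr, orow, xr))
    return leaked, err

if __name__ == "__main__":
    print("offloaded energy share, max reconstruction error:", demo())
```
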