In decentralized settings, the shuffle model of differential privacy has emerged as a promising alternative to the classical local model. Analyzing privacy amplification via shuffling is a critical component in both single-message and multi-message shuffle protocols. However, current methods used in these two areas are distinct and specific, making them less convenient for protocol designers and practitioners. In this work, we introduce variation-ratio reduction as a unified framework for privacy amplification analyses in the shuffle model. This framework utilizes total variation bounds of local messages and probability ratio bounds of other users' blanket messages, converting them to indistinguishable levels. Our results indicate that the framework yields tighter bounds for both single-message and multi-message encoders (e.g., with local DP, local metric DP, or general multi-message randomizers). Specifically, for a broad range of local randomizers having extremal probability design, our amplification bounds are precisely tight. We also demonstrate that variation-ratio reduction is well-suited for parallel composition in the shuffle model and results in stricter privacy accounting for common sampling-based local randomizers. Our experimental findings show that, compared to existing amplification bounds, our numerical amplification bounds can save up to $30\%$ of the budget for single-message protocols, $75\%$ of the budget for multi-message protocols, and $75\%$-$95\%$ of the budget for parallel composition. Additionally, our implementation for numerical amplification bounds has only $\tilde{O}(n)$ complexity and is highly efficient in practice, taking just $2$ minutes for $n=10^8$ users. The code for our implementation can be found at \url{https://github.com/wangsw/PrivacyAmplification}.