Papers
Topics
Authors
Recent
Search
2000 character limit reached

Augmented Shuffle Model

Updated 6 July 2026
  • The augmented shuffle model is a differential privacy framework that enhances anonymity by combining standard shuffling with extra random dummy data or sampling.
  • It integrates both user-side mechanisms, like DUMP protocols, and shuffler-side strategies to reduce communication overhead while mitigating collusion and poisoning attacks.
  • Advanced analyses using Rényi DP and mutual information measures demonstrate its robustness in large-domain applications and federated learning scenarios.

The augmented shuffle model is a family of shuffle-based differential privacy constructions in which privacy is strengthened not only by anonymous permutation of messages but also by additional message-generation or transformation steps. In the literature, “augmentation” appears in two closely related senses. One line augments the standard shuffle architecture by having users inject uniformly random dummy points that enlarge the anonymity set after shuffling (Li et al., 2020). Another line uses the term more specifically for protocols in which the shuffler does more than permute, typically by performing random sampling and dummy data addition before release (Murakami et al., 10 Apr 2025). Across both senses, the common objective is to improve privacy–utility tradeoffs relative to pure local randomization, and, in more recent work, to improve robustness against collusion, poisoning, large-domain costs, and side-channel leakage (Murakami et al., 2 Sep 2025, Murakami et al., 8 Jun 2026).

1. Scope, formalization, and architectural variants

A standard formalization of the shuffle model uses the Encode–Shuffle–Analyze architecture. Users apply an encoder or local randomizer RR, a shuffler SS uniformly permutes uploaded messages, and an analyst AA estimates a target statistic from the shuffled multiset. For histogram estimation over a categorical domain D={1,2,,k}\mathbb D=\{1,2,\dots,k\}, the target is the frequency vector

$\vec z[j] = \frac{1}{n}\sum_{i=1}^n \mathbbm{1}_{x_i=j}.$

In this formulation, privacy against a curious analyst is expressed as central (ϵ,δ)(\epsilon,\delta)-DP for the end-to-end protocol, while collusion between analyst and shuffler reduces protection to the user-side local guarantee (Li et al., 2020).

The later augmented-shuffle literature sharpens the system model by distinguishing a pure shuffle model, in which the shuffler only randomly permutes messages, from an augmented shuffle model, in which the shuffler can also perform random sampling and dummy data addition (Murakami et al., 10 Apr 2025). This distinction is operationally important because it moves part of the privacy mechanism from the users to the shuffler. A related strand studies generalized shuffle-based privacy frameworks with personalized local privacy budgets, arbitrary local randomizers, and refined amplification analyses; these works do not always adopt the phrase “augmented shuffle model,” but they analyze mechanisms that are directly relevant to such settings (Liu et al., 2024, Chen et al., 2024).

Augmentation locus Representative protocols Operations beyond basic shuffle
User side DUMP, pureDUMP, mixDUMP Users add uniformly random dummy points
Shuffler side SBin-Shuffle, SAGeo-Shuffle, S1Geo-Shuffle, FME, FOUD, FOLNF, FOLNF* Random sampling, dummy data addition, filtering, oblivious execution
Channel or mechanism design Augmented GRR A fraction of users send aggressive GRR; others send a null symbol

This taxonomy suggests that the topic is best understood as a design space rather than a single protocol. What remains invariant is that anonymity from shuffling is combined with an additional source of uncertainty, either user-generated, shuffler-generated, or mechanism-structural.

2. User-generated augmentation: dummy blankets and DUMP

The earliest explicit augmentation idea in the supplied corpus is the DUMP framework, introduced for histogram estimation in the shuffle model. Its conceptual contribution is the dummy blanket, which generalizes the earlier privacy-blanket viewpoint. Instead of relying only on randomization of true data to produce a uniform blanket, users directly inject uniformly random dummy points; after shuffling, the analyst observes a multiset of genuine inputs and dummy points, and privacy is driven by the total number of dummy points rather than by whether uniform messages originated from randomized true data or explicit fakes (Li et al., 2020).

DUMP instantiates this idea with two protocols. In pureDUMP, each user keeps the true value xix_i, samples ss dummy points uniformly from [k][k], and sends the multiset

Yi={xi,yi,1,,yi,s}.Y_i=\{x_i,y_{i,1},\dots,y_{i,s}\}.

The analyst estimates frequencies by counting occurrences and subtracting the expected dummy contribution. The protocol is unbiased, and its mean-squared error is

SS0

The privacy analysis shows that privacy improves with the dummy multiset size SS1, and the paper also derives an LDP-style guarantee against a colluding shuffler that improves with SS2 (Li et al., 2020).

In mixDUMP, users first apply GRR and then add the same SS3 uniform dummy points. The GRR decomposition is written as

SS4

The point of the construction is that privacy now comes from both the local randomizer and the dummy blanket. The MSE contains a GRR term and a dummy term,

SS5

Empirically, DUMP was positioned against single-message and multi-message shuffle protocols such as privacy-amplification/GRR, SOLH, truncation-based methods, private-coin and public-coin methods, and correlated-noise mechanisms. Under the same privacy guarantee, the paper reports that pureDUMP and mixDUMP improve communication efficiency over all existing multi-message protocols by at least SS6 orders of magnitude, while maintaining competitive utility; on the Ratings dataset with SS7, pureDUMP and mixDUMP required about SS8 and SS9 expected extra messages per user, whereas some competitors required AA0, AA1, or AA2 extra messages (Li et al., 2020).

3. Shuffler-side augmentation: local-noise-free protocols

A later and more explicit formulation defines the augmented shuffle model by allowing the shuffler itself to perform random sampling and dummy data addition before shuffling (Murakami et al., 10 Apr 2025). In the generalized local-noise-free framework AA3, each user sends encrypted raw input AA4 with no local noise. The shuffler then samples each received item independently with probability AA5, generates dummy counts AA6 for each item AA7 from a chosen distribution AA8, adds AA9 encrypted dummy items of type D={1,2,,k}\mathbb D=\{1,2,\dots,k\}0, shuffles everything, and sends the result to the collector. The collector computes histogram counts D={1,2,,k}\mathbb D=\{1,2,\dots,k\}1 and estimates frequencies by

D={1,2,,k}\mathbb D=\{1,2,\dots,k\}2

The framework reduces privacy analysis to the binary-input mechanism

D={1,2,,k}\mathbb D=\{1,2,\dots,k\}3

where D={1,2,,k}\mathbb D=\{1,2,\dots,k\}4 and D={1,2,,k}\mathbb D=\{1,2,\dots,k\}5. If this binary mechanism satisfies D={1,2,,k}\mathbb D=\{1,2,\dots,k\}6-DP, then the full protocol satisfies DP and is robust to collusion with users (Murakami et al., 10 Apr 2025). The estimator is unbiased,

D={1,2,,k}\mathbb D=\{1,2,\dots,k\}7

and the expected D={1,2,,k}\mathbb D=\{1,2,\dots,k\}8 loss is

D={1,2,,k}\mathbb D=\{1,2,\dots,k\}9

where $\vec z[j] = \frac{1}{n}\sum_{i=1}^n \mathbbm{1}_{x_i=j}.$0 is the variance of $\vec z[j] = \frac{1}{n}\sum_{i=1}^n \mathbbm{1}_{x_i=j}.$1. Against local data poisoning under the Maximum Gain Attack, the framework yields

$\vec z[j] = \frac{1}{n}\sum_{i=1}^n \mathbbm{1}_{x_i=j}.$2

which is independent of $\vec z[j] = \frac{1}{n}\sum_{i=1}^n \mathbbm{1}_{x_i=j}.$3. This independence is the paper’s formal expression of robustness not deteriorating as privacy becomes stronger (Murakami et al., 10 Apr 2025).

Three concrete protocols were proposed in this framework. SBin-Shuffle uses binomial dummy counts $\vec z[j] = \frac{1}{n}\sum_{i=1}^n \mathbbm{1}_{x_i=j}.$4. SAGeo-Shuffle uses a novel asymmetric two-sided geometric distribution

$\vec z[j] = \frac{1}{n}\sum_{i=1}^n \mathbbm{1}_{x_i=j}.$5

S1Geo-Shuffle is the special case $\vec z[j] = \frac{1}{n}\sum_{i=1}^n \mathbbm{1}_{x_i=j}.$6, for which $\vec z[j] = \frac{1}{n}\sum_{i=1}^n \mathbbm{1}_{x_i=j}.$7, $\vec z[j] = \frac{1}{n}\sum_{i=1}^n \mathbbm{1}_{x_i=j}.$8, and the dummy distribution becomes one-sided geometric, providing pure $\vec z[j] = \frac{1}{n}\sum_{i=1}^n \mathbbm{1}_{x_i=j}.$9-DP (Murakami et al., 10 Apr 2025).

The reported empirical pattern is sharp. SBin-Shuffle beats all seven existing shuffle protocols in MSE. SAGeo-Shuffle beats SBin-Shuffle by (ϵ,δ)(\epsilon,\delta)0–(ϵ,δ)(\epsilon,\delta)1 orders of magnitude and prior shuffle protocols by (ϵ,δ)(\epsilon,\delta)2–(ϵ,δ)(\epsilon,\delta)3 orders of magnitude in squared error. S1Geo-Shuffle provides pure DP with very low communication cost (Murakami et al., 10 Apr 2025). These results materially differentiate shuffler-side augmentation from user-side dummy blankets: the former is designed not only for accuracy but also for poisoning robustness and collusion robustness.

4. Privacy amplification, Rényi analysis, and mutual-information leakage

The augmented shuffle model is built on the same amplification principle as the ordinary shuffle model: shuffling destroys user-to-message linkage and thereby strengthens privacy relative to the ordered local transcript. The sharpest analyses in the supplied corpus are formulated in Rényi DP, approximate DP, (ϵ,δ)(\epsilon,\delta)4-DP, and mutual information rather than in augmentation-specific syntax (Feldman et al., 2022, Su et al., 19 Nov 2025).

For approximate DP and RDP, one major result is that shuffled outputs of (ϵ,δ)(\epsilon,\delta)5-LDP local randomizers admit stronger amplification bounds than earlier analyses. A general reduction theorem reduces privacy analysis of adaptive shuffled protocols to comparing low-dimensional distributions built from counts. In the high-(ϵ,δ)(\epsilon,\delta)6 regime, the strengthened RDP amplification rate is asymptotically optimal up to constants, with

(ϵ,δ)(\epsilon,\delta)7

in the notation of the paper, and a corresponding asymptotic bound

(ϵ,δ)(\epsilon,\delta)8

for any (ϵ,δ)(\epsilon,\delta)9 was later derived without restrictions on xix_i0 (Feldman et al., 2022, Chen et al., 2024). These results are directly relevant to augmented settings because augmentation is still mediated by the same shuffled anonymity channel.

A complementary information-theoretic analysis studies the single-message shuffle model through the shuffled sequence xix_i1 and the position variable xix_i2. In the shuffle-DP regime, where each user applies an xix_i3-LDP mechanism before shuffling, the paper proves

xix_i4

and

xix_i5

The key technical bridge is the blanket decomposition, which reduces shuffled leakage analysis to a simpler mixture model with one signal sample and xix_i6 blanket samples (Su et al., 19 Nov 2025). In a shuffle-only configuration, the same paper shows that unsupported symbols create a non-vanishing leakage term and can even induce a xix_i7 contribution in position leakage. This is important for augmented-shuffle protocols that rely on dummy distributions or filtering: output support matters.

Personalized local privacy introduces further heterogeneity. In that setting, each user xix_i8 has its own xix_i9-LDP randomizer. A refined analysis computes clone-generating probabilities ss0 by hypothesis testing on the actual output distributions rather than by worst-case randomized-response reduction, and then compares shuffled distributions using ss1-DP tradeoff functions. The reported consequence is a tighter central privacy bound for arbitrary local randomizers under heterogeneous privacy budgets, with theoretical and numerical results that “remarkably” outperform prior work; the experiments report bounds up to ss2 smaller in ss3 than prior SOTA (Liu et al., 2024).

5. Robustness, large-domain protocols, and trusted execution

A major motivation for the augmented shuffle model is that pure shuffle protocols are vulnerable to two attacks: local data poisoning and collusion between the data collector and users. In the standard shuffle setting, if the collector colludes with a subset ss4 of users and learns their noisy messages, the privacy amplification is reduced as if only ss5 users participated. Formally, if the original privacy budget is ss6, then the colluding version provides

ss7

This is the formal statement that collusion increases the effective privacy budget (Murakami et al., 10 Apr 2025).

Large-domain categorical and key-value data make shuffler-side augmentation substantially harder because naive dummy insertion scales linearly in both ss8 and ss9. The FME protocol, “Filtering-with-Multiple-Encryption,” addresses this by using a hash function to filter out unpopular items and then applying LNF-style augmented shuffle only to selected items, all within one interaction round by means of multiple encryption (Murakami et al., 2 Sep 2025). Users send both [k][k]0 and [k][k]1. The shuffler samples with probability [k][k]2, adds dummy hash buckets from [k][k]3, the collector filters popular hashes, the shuffler removes hash dummies and adds selected-item dummies from [k][k]4, and the final estimator for selected items is

[k][k]5

If [k][k]6 and [k][k]7 provide [k][k]8-DP and [k][k]9-DP, respectively, then the protocol provides

Yi={xi,yi,1,,yi,s}.Y_i=\{x_i,y_{i,1},\dots,y_{i,s}\}.0

and remains robust to collusion with users (Murakami et al., 2 Sep 2025).

FME also extends to key-value data through TKV-FK, which transforms KV pairs, filters at the key level rather than the KV-pair level, and adds dummy values to both Yi={xi,yi,1,,yi,s}.Y_i=\{x_i,y_{i,1},\dots,y_{i,s}\}.1 and Yi={xi,yi,1,,yi,s}.Y_i=\{x_i,y_{i,1},\dots,y_{i,s}\}.2 for selected keys. For categorical data with Yi={xi,yi,1,,yi,s}.Y_i=\{x_i,y_{i,1},\dots,y_{i,s}\}.3, the paper contrasts the baseline LNF cost of about Yi={xi,yi,1,,yi,s}.Y_i=\{x_i,y_{i,1},\dots,y_{i,s}\}.4 Terabits and about Yi={xi,yi,1,,yi,s}.Y_i=\{x_i,y_{i,1},\dots,y_{i,s}\}.5 years runtime with FME’s about Yi={xi,yi,1,,yi,s}.Y_i=\{x_i,y_{i,1},\dots,y_{i,s}\}.6 Gigabits and about Yi={xi,yi,1,,yi,s}.Y_i=\{x_i,y_{i,1},\dots,y_{i,s}\}.7 day (Murakami et al., 2 Sep 2025).

Trusted execution environments introduce a different trust boundary. In the augmented shuffle model with TEEs, the enclave acts as the shuffler and the server outside the enclave acts as collector. The main new issue is side-channel leakage through external memory access patterns, internal memory access patterns, and instruction traces. To address this, the literature introduces Fully Oblivious DP (FODP), which requires the joint distribution of output, memory trace, and instruction trace to satisfy an Yi={xi,yi,1,,yi,s}.Y_i=\{x_i,y_{i,1},\dots,y_{i,s}\}.8-style bound on neighboring databases (Murakami et al., 8 Jun 2026). The general framework uses memory-size obfuscation and yields three concrete algorithms: FOUD, FOLNF, and FOLNF*. FOLNF* further randomizes bot counts through a joint binary input mechanism

Yi={xi,yi,1,,yi,s}.Y_i=\{x_i,y_{i,1},\dots,y_{i,s}\}.9

and the large-domain versions use count-min sketch. On Intel SGX, reported runtimes include about SS00 hours for FOLNF with asymmetric geometric noise, about SS01 hours for FOLNF*, about SS02 minutes for FOLNF with one-sided geometric noise, and about SS03 minutes for FOLNF*; for SS04, the paper reports less than one day for the proposed methods versus about SS05 days for a central-DP histogram in a TEE (Murakami et al., 8 Jun 2026).

6. Structured aggregation, mechanism design, and conceptual limits

Although histogram and frequency estimation dominate the augmented-shuffle literature, the same privacy-amplification logic extends to richer data types. A shuffle-model protocol for vector aggregation in SS06 combines coordinate subsampling, fixed-point quantization, randomized response, and advanced composition in a single-message setting. The resulting mechanism is unbiased and achieves

SS07

with the bound minimized at SS08 (Scott et al., 2021). The paper frames this as a path toward matrices and higher-dimensional tensors via linearization, which is relevant to augmented-shuffle systems intended to support federated learning and secure aggregation workloads.

A separate line of work studies how shuffled privacy and estimation behave as the alphabet size grows. The central result is that growing alphabets do not automatically amplify shuffle privacy. For neighboring shuffle experiments built from SS09-LDP channels SS10, the released histogram experiment depends only on the pushforward law of the pairwise likelihood ratio under the null row, via the exact identity

SS11

The same paper proves the universal bound

SS12

constructs explicit obstruction families whose exact shuffled privacy curve coincides with binary randomized response for all SS13, and establishes a sharp diluting/persistent dichotomy (Shvets, 18 Mar 2026). This directly corrects the misconception that larger domains are intrinsically favorable for shuffle privacy.

The most distinctive mechanism-design result in that work is that calibrated GRR is not generally optimal under a canonical pairwise SS14 budget. In the low-budget regime, the optimal permutation-equivariant mechanism is an augmented GRR in which a fraction SS15 of users applies aggressive GRR with

SS16

while the rest send a null symbol. The paper calls this a thinning principle and states that it is specific to shuffle and has no local-DP counterpart (Shvets, 18 Mar 2026). This is an especially strong indication that augmentation is not merely an implementation detail but a distinct mechanism-design principle: one can concentrate informative reports on a subset of users and rely on shuffling to hide them in the crowd.

Taken together, these developments suggest a mature view of the augmented shuffle model. It is not reducible to a single protocol template; rather, it is a broader program for using additional randomness, structure, or trusted preprocessing around the shuffler to reshape the privacy channel. In that program, the most persistent themes are dummy-generated anonymity, shuffler-side random sampling, robustness to adversarial participation, information-theoretic leakage control, and mechanism design that is specific to the anonymity geometry of shuffling (Li et al., 2020, Murakami et al., 10 Apr 2025, Shvets, 18 Mar 2026).

Topic to Video (Beta)

No one has generated a video about this topic yet.

Whiteboard

No one has generated a whiteboard explanation for this topic yet.

Follow Topic

Get notified by email when new papers are published related to Augmented Shuffle Model.