
Open Message Amplification

Updated 19 December 2025
  • Open message amplification is a decentralized protocol that enhances differential privacy by using randomized message exchanges and short random walks on network graphs.
  • The protocol achieves privacy bounds equivalent to centralized shuffle models by ensuring messages mix thoroughly, independent of the network topology except for mixing time via the spectral gap.
  • Incorporating decentralized Poisson subsampling further reduces privacy loss while eliminating trusted intermediaries, making it suitable for peer-to-peer and federated applications.

Open message amplification is a fully decentralized protocol for privacy amplification in differential privacy (DP), wherein clients replace the traditional trusted shuffler by randomized message exchanges, specifically using short random walks on a network graph to mix their locally randomized reports. This construction asymptotically matches the privacy amplification bounds previously attainable only in centralized shuffle models, but without reliance on any trusted entity. The protocol and its analysis unify local DP, shuffling, and privacy amplification via random walks, and admit further improvements with decentralized Poisson subsampling (Wu et al., 2022).

1. Differential Privacy Models and Amplification Frameworks

In the local model of DP, each of $n$ users with data $x_u \in X$ applies a randomized mapping $R: X \rightarrow Y$ satisfying $\epsilon_0$-DP: $\forall x, x', \forall S \subset Y, \Pr[R(x) \in S] \leq e^{\epsilon_0} \cdot \Pr[R(x') \in S].$ This guarantees privacy without trusting the aggregator, but generally requires high noise to mask each user’s datum.

The shuffle model introduces a trusted shuffler that aggregates the $n$ randomized reports and applies a uniformly random permutation, obscuring source–report linkage and amplifying privacy. With each local randomizer $\epsilon_0$-DP, Feldman et al. (2021) establish that the shuffled mechanism achieves:

$$\epsilon = O\left( (1-e^{-\epsilon_0}) \sqrt{ \frac{e^{\epsilon_0}}{n} \ln\left( \frac{1}{\delta} \right) } \right), \quad \delta = O(\delta_0 \cdot n + \delta)$$

where $\delta_0$ is the slack in local DP. For pure local DP ($\delta_0=0$), the global privacy amplification is strictly better than in the local model.

2. Decentralized Random Walk Protocol for Message Mixing

Open message amplification generalizes shuffling to the fully decentralized setting via a network shuffle model. Here, each client passes their locally randomized message along a short random walk on a connected, undirected graph $G$ with $n$ nodes. After $T$ rounds (synchronous message exchanges), every node reports its message multiset to the aggregator, discarding arrival order.

With an appropriately chosen $T = \Theta\left( \frac{1}{\alpha} \ln(n^{4.5}/\epsilon_0) \right)$, where $\alpha$ is the spectral gap of $G$, the protocol yields a mechanism $A$ achieving

$$\epsilon = O\left((1-e^{-\epsilon_0}) \sqrt{ \frac{e^{\epsilon_0}}{n} \ln\left(\frac{1}{\delta}\right) } \right), \quad \delta' = O(\delta + n \delta_0 e^{\epsilon_0})$$

for $\epsilon_0 \leq \ln(n/(16 \ln(2/\delta)))$. This matches the best-known amplification in the centralized shuffle model, up to constant factors.

The construction leverages two key analytical steps:

  • Infinite-walk reduction: As $T \to \infty$, each message endpoint converges to the stationary distribution $\pi$ of the random walk. Assigning each report independently according to $\pi$ is a post-processing of the centralized shuffle, thus inheriting its amplification guarantees.
  • Finite-walk correction: For sufficiently large but finite $T$, mixing-time analysis shows the assignment distribution remains pointwise within $e^{\pm \epsilon_0/(2n)}$ of the stationary distribution, ensuring the DP guarantees essentially remain unchanged.
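
The finite-walk correction can be checked numerically on small graphs. The following Python sketch is an added example, not code from the paper: it propagates the exact walk distribution from every start node and returns the first round count $T$ at which every entry is within $e^{\pm \epsilon_0/(2n)}$ of $\pi$. The lazy step (stay with probability 1/2) and the two sample graphs are assumptions made here so that the walk converges on any connected graph.

```python
import math

def lazy_walk_step(dist, adj):
    """One synchronous round for a message distribution (lazy walk is an assumption)."""
    nxt = [0.5 * p for p in dist]              # stay put with probability 1/2
    for u, p in enumerate(dist):
        share = 0.5 * p / len(adj[u])          # else move to a uniform neighbour
        for v in adj[u]:
            nxt[v] += share
    return nxt

def stationary(adj):
    """Stationary distribution of a walk on an undirected graph: pi(v) = deg(v) / 2|E|."""
    total = sum(len(nb) for nb in adj)
    return [len(nb) / total for nb in adj]

def rounds_until_close(adj, eps0, max_rounds=10_000):
    """Smallest T with |ln(P^T(u,v) / pi(v))| <= eps0/(2n) for all u, v, else None."""
    n = len(adj)
    pi = stationary(adj)
    tol = eps0 / (2 * n)
    # Row u is the exact position distribution of a message injected at node u.
    dists = [[1.0 if v == u else 0.0 for v in range(n)] for u in range(n)]
    for t in range(1, max_rounds + 1):
        dists = [lazy_walk_step(d, adj) for d in dists]
        if all(d[v] > 0 and abs(math.log(d[v] / pi[v])) <= tol
               for d in dists for v in range(n)):
            return t
    return None

# Constructed sample graphs on 8 nodes: complete graph (large gap) and ring (small gap).
K8 = [[v for v in range(8) if v != u] for u in range(8)]
RING8 = [[(u - 1) % 8, (u + 1) % 8] for u in range(8)]

if __name__ == "__main__":
    for name, g in (("complete", K8), ("ring", RING8)):
        print(name, rounds_until_close(g, eps0=1.0))
```

The ring needs more rounds than the complete graph for the same $\epsilon_0$, which is the $1/\alpha$ factor in $T$ at work.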

3. Topology-Independence and State-of-the-Art Bounds

Unlike previous decentralized shuffling approaches where amplification bounds depend heavily on network topology (e.g., spectral properties, stationary distribution norms), the above protocol achieves bounds independent of the underlying graph structure except for the mixing-time requirement for $T$. Specifically, $\epsilon$ depends only on $n$, $\epsilon_0$, and $\delta$.

As $\epsilon_0 \to 0$, the bound simplifies to $\epsilon^* \approx \epsilon_0 \sqrt{ \ln(1/\delta) / n }$, precisely matching the best-known (centralized) shuffle results (Cheu et al., 2019; Feldman et al., 2021). This closes the performance gap between decentralized and centralized privacy amplification.

4. Privacy Amplification via Decentralized Poisson Subsampling

Further amplification is realized by subsampling: users participate independently with probability $p$, achieved by each client flipping a $p$-coin prior to random walk injection. No central sampler is required.

The synthesis of privacy amplification by subsampling (Balle & Goyal, 2018) and the above network shuffle yields, for small enough $\delta$,

$$\epsilon(p) = O\left( (1-e^{-\epsilon_0}) \sqrt{ \frac{p \, e^{\epsilon_0}}{n} \ln\left( \frac{1}{\delta} \right) } \right),$$

$$\delta' = \delta + O\left( (p+\sqrt{ p(1-p)/n }) e^{\epsilon_0} n \delta_0 \right),$$

producing a reduction in $\epsilon$ by a $\sqrt{p}$ factor. This matches the “shuffle + subsampling” bounds of centralized protocols in a fully peer-to-peer implementation.
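
The client-side procedure described in Sections 2 and 4 (local randomizer, $p$-coin, $T$ walk rounds, per-node multiset report) is simulated below as an added example; it is not code from the paper. Binary randomized response as the $\epsilon_0$-DP randomizer, the lazy walk step, the `aggregate` helper and the sample graph and data are assumptions chosen for this sketch.

```python
import math
import random
from collections import Counter

def randomized_response(bit, eps0, rng):
    """eps0-DP local randomizer R (binary randomized response, assumed for this sketch)."""
    keep = math.exp(eps0) / (1.0 + math.exp(eps0))
    return bit if rng.random() < keep else 1 - bit

def network_shuffle(data, adj, eps0, p, T, rng):
    """Return one Counter (multiset of reports) per node after T walk rounds."""
    n = len(data)
    held = [[] for _ in range(n)]
    for u, x in enumerate(data):
        if rng.random() < p:                      # client's own p-coin, no central sampler
            held[u].append(randomized_response(x, eps0, rng))
    for _ in range(T):                            # T synchronous rounds
        nxt = [[] for _ in range(n)]
        for u, msgs in enumerate(held):
            for m in msgs:
                # lazy step (assumption): keep the message or pass it to a uniform neighbour
                dest = u if rng.random() < 0.5 else rng.choice(adj[u])
                nxt[dest].append(m)
        held = nxt
    return [Counter(msgs) for msgs in held]       # arrival order discarded

def aggregate(per_node):
    """Aggregator view: merge the per-node multisets into one histogram."""
    total = Counter()
    for c in per_node:
        total.update(c)
    return total

# Constructed sample: 12 clients on a ring, each also linked to the opposite node.
N = 12
ADJ = [[(u - 1) % N, (u + 1) % N, (u + N // 2) % N] for u in range(N)]
DATA = [1, 0, 1, 1, 0, 0, 1, 0, 1, 1, 0, 1]

if __name__ == "__main__":
    out = network_shuffle(DATA, ADJ, eps0=1.0, p=0.5, T=20, rng=random.Random(7))
    print(aggregate(out))
```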

5. Protocol Implementation and Practical Considerations

The protocol operates by running $O((1/\alpha)\ln(n/\epsilon_0))$ synchronous rounds of pairwise message exchanges; for expander graphs with constant $\alpha$, $T = O(\log n)$. Message complexity is $O(nT)$, which is practical for large networks.

Unique practical aspects include:

  • No trusted shuffler: Privacy amplification is achieved “openly” via protocol design, eliminating reliance on any centralized mixer.
  • Communication overhead: While message complexity scales with $nT$, the size is strictly $|Y|$, that of the randomizer output.
  • Limitations: The analysis presumes synchrony, static peer set, and honest execution; addressing asynchrony, churn, adversarial nodes, and optimization of constants in the DP bounds remains open. Generalizing to higher-dimensional data (e.g., federated learning gradient sharing) is an active research direction.

6. Summary Table: Privacy Amplification Mechanisms

| Model | Trusted Party | Privacy Amplification Bound |
|---|---|---|
| Local DP | None | No amplification; noise per user must be large |
| Centralized Shuffle | Yes | $\epsilon = O((1-e^{-\epsilon_0})\sqrt{e^{\epsilon_0}/n\,\ln(1/\delta)})$ |
| Network Shuffle | None | Same as centralized, with random-walk mixing and $T=\Theta(1/\alpha\ln(n^{4.5}/\epsilon_0))$ |

7. Research Implications and Future Directions

The open message amplification protocol demonstrates that fully decentralized privacy amplification can match centralized shuffle model bounds with random walk-based mixing. This result highlights the feasibility of secure, privacy-preserving computation in untrusted distributed systems. Remaining challenges include robustifying against asynchrony and adversarial behavior, and extending amplification techniques to more general analytic workflows (e.g., distributed learning, multi-dimensional aggregation) (Wu et al., 2022).

A plausible implication is the applicability of these techniques to real-world peer-to-peer networks, large-scale federated learning, and edge aggregation settings where trust assumptions are minimal. The intersection of network mixing, differential privacy, and distributed protocols remains an active research area with significant theoretical and practical implications.
