Single-Message Shuffle Model

Updated 26 November 2025

The single-message shuffle model is a privacy-enhancing framework where each user sends one randomized message that is then shuffled to anonymize its origin.
It provides a middle ground between local and central differential privacy, enabling improved accuracy for statistical tasks like binary summation and frequency estimation.
Practical protocols, such as shuffled randomized response, demonstrate its efficiency while also revealing inherent lower bounds and separations from multi-message systems.

The single-message shuffle model is a non-interactive, distributed privacy framework in which each user submits exactly one message, typically produced by local randomization, to a trusted shuffler that permutes messages before analysis. This model provides a middle ground between the purely local and central models of differential privacy, reducing the required trust in the data aggregator while allowing for substantially improved accuracy over local-model protocols for many statistical tasks. The single-message restriction emphasizes protocols and lower bounds achievable without allowing users to communicate multiple or interactive messages.

1. Formal Definition and Protocol Anatomy

In the single-message shuffle model, $n$ users each hold data $x_i \in \mathcal X$ . Each user applies a (possibly randomized) local randomizer $R: \mathcal X \to \mathcal Y$ , emitting a single message $y_i = R(x_i)$ . All messages are sent to a trusted shuffler $S$ , which outputs a uniformly random permutation $S(y_1, ..., y_n)$ of the messages (or equivalently, the multiset $\{y_1, ..., y_n\}$ ). The shuffled sequence is public and analyzed by an (untrusted) analyzer $A: \mathcal Y^n \to \mathcal Z$ , possibly probabilistically. The composition $M = A \circ S \circ R^n$ is the full mechanism from data to output (Cheu, 2021).

The privacy definition parallels differential privacy: for all neighboring datasets $x, x'$ differing on one user, and for all measurable $T\subseteq \mathcal Z$ ,

$\Pr[M(x)\in T] \leq e^\varepsilon \Pr[M(x')\in T] + \delta.$

This "shuffle DP" is stronger than local DP (directly releasing $R(x_i)$ to the analyzer), but weaker than central DP (where $A$ sees the raw $x_i$ 's).

2. Privacy Amplification and Information-Theoretic Analysis

The shuffle model leverages privacy amplification: the shuffling step enhances privacy compared to the local model by anonymizing the source of each message. For a local randomizer $R$ which is $(\varepsilon_0, 0)$ -LDP, the shuffled mechanism achieves

$\varepsilon = O\left(\varepsilon_0 e^{\varepsilon_0} \sqrt{\tfrac{\log(1/\delta)}{n}} \right)$

for suitable $\varepsilon_0=O(\log n)$ (Balle et al., 2019, Wang et al., 2023). Blanket-decomposition techniques and variation–ratio parameters (total variation and likelihood ratio bounds) enable tight or exact privacy amplification characterizations (Wang et al., 2023).

Recent work provides a rigorous mutual information theory for the single-message shuffle model, bounding position leakage $I(K; \boldsymbol{Z})$ and average-case input leakage $I(X_1; \boldsymbol{Z} \mid \boldsymbol{X}_{-1})$ :

In the shuffle-only regime (no local noise), $I(Y_1; \boldsymbol Z) = O(1/n)$ and $I(K; \boldsymbol Z) = O(1/n)$ , unless $P \not\ll Q$ ; then explicit $\Theta(\log n)$ leakage can occur.
With $\varepsilon_0$ -LDP local randomizer, position information leakage $I(K; \boldsymbol Z) \le 2\varepsilon_0$ and input leakage $I(X_1; \boldsymbol Z \mid \boldsymbol X_{-1}) \le (e^{\varepsilon_0}-1)/(2n) + O(n^{-3/2})$ (Su et al., 19 Nov 2025).

Moreover, the Bayes-optimal re-identification attack against a single-message shuffle of $n$ users (with one target drawn from $P$ and $n-1$ from $Q$ ) achieves success probability $\beta_n(P, Q)$ bounded by

$\beta_n(P, Q) = f(+\infty) + \int_0^M f(t) G(t)^{n-1}\,dt$

with $f(t), G(t)$ the densities of the likelihood ratio under $P$ and $Q$ , respectively, yielding asymptotic decay $O(1/n)$ for mutually absolutely continuous $P, Q$ (Su et al., 5 Nov 2025).

3. Representative Protocols and Accuracy Boundaries

A canonical protocol is "shuffled randomized response" for binary summation, where $R_{rr}(x)$ emits the true bit $x$ with probability $1-p$ and a fair coin with probability $p$ : $y = \begin{cases} \text{Bernoulli}(1/2) & \text{with probability } p \ x & \text{with probability } 1-p. \end{cases}$ The analyzer debiases by

$\widehat{A} = \frac{Y - n p/2}{1-p}$

where $Y = \sum_i y_i$ (Cheu, 2021). Setting $p = \Theta((1/(\varepsilon^2 n)) \log(1/\delta))$ , this produces $(\varepsilon,\delta)$ -DP with error $O((1/\varepsilon)\sqrt{\log(1/\delta)})$ , which is optimal for this task in the single-message regime and beats $\ell_2$ -error $\Omega((1/\varepsilon)\sqrt{n})$ of local DP.

For bounded-sum queries over $[0,1]$ , the optimal mean-squared error for any single-message protocol is $\Theta(n^{1/3})$ ; in contrast, central Laplace or discrete Laplace mechanisms achieve $O(1/\varepsilon^2)$ (Balle et al., 2019, Cheu, 2021).

More generally, for frequency estimation over domain size $B$ , the best single-message error is

$\tilde{\Omega}\left( \min\{ n^{1/4}, \sqrt{B} \} \right)$

for $\ell_\infty$ -loss (Ghazi et al., 2019, Cheu, 2021). For vector mean estimation in $d$ dimensions, the optimal error is

$\Theta\left( d n^{d/(d+2)} \right)$

whereas the central model achieves $O(d/n)$ (Asi et al., 16 Apr 2024). This establishes a strict power gap between single-message and multi-message protocols: the latter achieve (poly)logarithmic error rates with polylogarithmic messages per user as soon as more than one message per user is permitted.

4. Capabilities, Separations, and Limitations

The single-message shuffle model allows:

Curator-level accuracy for binary sums under approximate $(\varepsilon, \delta)$ -DP, with error independent of $n$ and tight privacy–utility tradeoffs for appropriate tasks (binary sum, histograms for moderate $d$ ) (Cheu, 2021).
For frequency estimation, the model provides error $\tilde{\Omega}(n^{1/4})$ , unachievable in local DP but separating from central DP and multi-message shuffle (Ghazi et al., 2019, Luo et al., 2021).

However, strong lower bounds show:

For bounded-value sums under pure DP, the error is at least $\Omega(n^{1/3})$ , strictly worse than central DP and matching known upper bounds (Balle et al., 2019, Cheu, 2021).
For histogram estimation, the error scales as $\Omega((1/\varepsilon)\sqrt{n \log d})$ , offering no asymptotic improvement over local DP for large $d$ (Cheu, 2021).
"Search"-type or combinatorial tasks (e.g., common-element, nested common-element) cannot be solved in one round without $\Omega(\log |\mathcal X|)$ messages per party, highlighting an intrinsic barrier for single-message protocols (Beimel et al., 2020).

Crucially, relaxing the single-message constraint by allowing $1+o(1)$ messages per user yields a sharp phase transition: frequency estimation and related tasks approach central model accuracy with only a vanishing extra message cost (Luo et al., 2021, Ghazi et al., 2021).

5. Extensions and Connections to Cryptography

The single-message shuffle model also underpins related abstractions in cryptography and distributed computation:

In secure multi-party computation, the "single-shuffle full-open" card-based model exactly reduces to the Private Simultaneous Message (PSM) model, in which each party sends a single (possibly randomized) message to a referee and the output leaks at most the value of $f(x_1,...,x_n)$ . Every Boolean function admits a secure single-shuffle full-open protocol, with explicit compilers from PSM to card-based protocols and vice versa (Eriguchi et al., 20 Oct 2025).
These reductions provide generic constructions, tradeoffs in card-complexity and shuffle complexity, and match classic communication complexity and randomness lower bounds established in the PSM literature.

6. Connections to Information Flow and Leakage

Information-theoretic studies of the single-message shuffle model characterize privacy guarantees not only via differential privacy but also via other leakage metrics:

Mutual information directly quantifies the average-case reduction in uncertainty about individual user input or position after shuffling and possible local randomization (Su et al., 19 Nov 2025).
In the quantitative information flow (QIF) framework, shuffle protocols measured via Bayes vulnerability provide closed-form expressions for privacy loss against uninformed adversaries, establishing sharp distinctions compared to local-model-only schemes. In the $k$ -ary randomized response case, per-user vulnerability rapidly approaches the prior baseline $1/k$ as $n$ increases, outperforming pure-local randomized response (Jurado et al., 2023).
Bayesian re-identification success can be precisely bounded. For $\varepsilon$ -LDP randomizers, shuffling ensures the optimal adversarial re-identification rate is at most $e^{\varepsilon}/n$ , with asymptotic decay $O(1/n)$ for absolutely continuous message distributions (Su et al., 5 Nov 2025).

7. Practical Implications, Model Variants, and Future Prospects

The single-message shuffle model formalizes and explains numerous deployed data-collection architectures and motivates efficient protocols for practical distributed learning. Its main attributes are:

Efficiency: Each user sends only one short randomized message, making the communication overhead minimal.
Accuracy: The model achieves error scaling $O((1/\varepsilon)\sqrt{\log(1/\delta)})$ for binary sums, and sharply intermediate error rates between local and central models in higher-dimensional or more complex tasks (Cheu, 2021).
Mild trust: Requires only a trusted shuffler for anonymization, avoiding full-trust in analyzers but going beyond purely local solutions.
Fundamental limitations: For certain statistical and combinatorial tasks, one round and one message per user provably cannot achieve central-level accuracy, establishing a strict (often exponential) separation between single-message and multi-message protocols (Ghazi et al., 2019, Beimel et al., 2020).

Relaxing the single-message constraint or permitting carefully controlled multi-message protocols (e.g., frequency estimation with $1+o(1)$ messages) leads to rapid convergence to central DP performance (Luo et al., 2021, Ghazi et al., 2021). This reveals an emergent phase transition in the privacy–utility frontier, guiding the design of future privacy-preserving data aggregation systems.