Multi-Central Differential Privacy
This work addresses the trade-off between trust and utility in differential privacy, offering a potential intermediate solution for privacy-preserving data analysis, though it appears incremental as it builds on existing models such as the shuffled model and pan privacy.
The authors proposed the multi-central model for differential privacy, which uses multiple non-colluding aggregators to relax trust requirements compared to the central model while avoiding the high utility costs of the local model, and they developed simple and efficient algorithms for it.
Differential privacy is typically studied in the central model where a trusted "aggregator" holds the sensitive data of all the individuals and is responsible for protecting their privacy. A popular alternative is the local model in which the aggregator is untrusted and instead each individual is responsible for their own privacy. The decentralized privacy guarantee of the local model comes at a high price in statistical utility or computational complexity. Thus intermediate models such as the shuffled model and pan privacy have been studied in an attempt to attain the best of both worlds. In this note, we propose an intermediate trust model for differential privacy, which we call the multi-central model. Here there are multiple aggregators and we only assume that they do not collude nefariously. This model relaxes the trust requirements of the central model while avoiding the price of the local model. We motivate this model and provide some simple and efficient algorithms for it. We argue that this model is a promising direction for further research.
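To make the trust comparison concrete, the following added example (not taken from the paper) computes a private count in a multi-central setting and, for contrast, with local-model randomized response. The use of additive secret sharing, discrete Laplace noise, the modulus `M` and all function names are assumptions chosen for this illustration; as long as one aggregator keeps its shares and noise to itself, the others learn only the count plus that aggregator's noise.

```python
import math
import random

M = 2**61 - 1  # share modulus (assumed); must exceed n plus any plausible noise

def discrete_laplace(eps, rng):
    """Two-sided geometric noise with P(X=x) proportional to exp(-eps*|x|)."""
    geo = lambda: int(-math.log(1.0 - rng.random()) / eps)
    return geo() - geo()

def share(x, k, rng):
    """Split x into k additive shares mod M; any k-1 of them are uniform."""
    parts = [rng.randrange(M) for _ in range(k - 1)]
    return parts + [(x - sum(parts)) % M]

def multi_central_count(bits, k, eps, rng, noise=discrete_laplace):
    """Each of k aggregators sums its shares, adds its own noise, publishes."""
    totals = [0] * k
    for x in bits:
        for j, s in enumerate(share(x, k, rng)):
            totals[j] = (totals[j] + s) % M
    published = [(t + noise(eps, rng)) % M for t in totals]
    v = sum(published) % M
    return v - M if v > M // 2 else v   # centred decode: noise can go negative

def local_count(bits, eps, rng):
    """Randomized response: every user perturbs their own bit before sending."""
    p = math.exp(eps) / (1 + math.exp(eps))      # probability of telling the truth
    reports = sum(x if rng.random() < p else 1 - x for x in bits)
    return (reports - len(bits) * (1 - p)) / (2 * p - 1)   # debiased estimate

if __name__ == "__main__":
    rng = random.Random(0)   # seeded for repeatability; use a CSPRNG for real shares
    bits = [1] * 3000 + [0] * 7000               # constructed data, true count 3000
    print("multi-central:", multi_central_count(bits, 3, 1.0, rng))
    print("local        :", round(local_count(bits, 1.0, rng)))
```

The multi-central error comes from k noise draws and does not grow with the number of users, while the randomized-response error grows with the square root of the number of users.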