VLDB 2025
Doppio: Communication-Efficient and Secure Multi-Party Shuffle Differential Privacy
Wentao Dong, Yang Cao, Cong Wang, Wei-Bin Lee
Abstract
Modern database ecosystems increasingly process large-scale distributed user data, heightening the intrinsic tension between analytical utility and individual privacy. Shuffle differential privacy (shuffle DP) has recently emerged as a promising paradigm between the local and central models, offering favorable privacy-utility tradeoffs by introducing a centralized, trusted shuffler. However, this architectural shift also poses new challenges in trust assumptions, system overhead, security risks, and workload limitations. To address them, we propose the augmented multi-party shuffle DP (AMP-SDP) model, which re-architects the data pipeline with a lightweight, versatile secret-shared intermediary layer. AMP-SDP (1) decentralizes trust while minimizing online communication costs; (2) provides structural security hardening against both shuffler compromise and user-side poisoning risks; and (3) augments shuffle DP for broader, more flexible workloads. Atop this model, we instantiate Doppio, a privacy-preserving crowdsourcing and data analytics framework. Our results show Doppio outperforms the state-of-the-art decentralized shuffle DP mechanism (Network Shuffling, SIGMOD'22) across many key metrics, affirming its effectiveness and efficiency in modern privacy-aware data management.
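The abstract only names the idea of replacing the single trusted shuffler with a secret-shared intermediary layer. The following is an added illustration, not code from the Doppio paper or its authors: two non-colluding servers each hold one additive share of every user's locally randomized report, both apply the same permutation to their share vectors, and only the recombined, shuffled reports reach the analyst, so a single compromised server sees neither plaintext reports nor the user-to-report mapping. The binary randomized-response local randomizer, the modulus P, the two-server setting and the agreed permutation are assumptions of this illustration; the DP amplification analysis is not shown.

```python
import math
import random
import secrets

# Constructed illustration of a two-server, secret-shared shuffler for shuffle DP.
# Assumed setting: binary user data, randomized response as the local randomizer,
# additive secret sharing modulo a large prime P, two non-colluding servers that
# agree on one permutation. This is NOT the Doppio/AMP-SDP protocol itself.
P = 2**61 - 1

def randomized_response(bit, eps0, rng):
    """Local randomizer: report the true bit with probability e^eps0 / (e^eps0 + 1)."""
    keep = math.exp(eps0) / (math.exp(eps0) + 1)
    return bit if rng.random() < keep else 1 - bit

def share(value):
    """Split value into two additive shares mod P; either share alone is uniform."""
    s0 = secrets.randbelow(P)
    return s0, (value - s0) % P

def apply_perm(vec, perm):
    """Each server permutes its own share vector; it never sees a plaintext report."""
    return [vec[i] for i in perm]

def reconstruct(shares0, shares1):
    """Recombine shares; meaningful only if both servers used the same permutation."""
    return [(a + b) % P for a, b in zip(shares0, shares1)]

def debias_count(reports, eps0):
    """Unbiased estimate of the true number of ones from randomized-response reports."""
    keep = math.exp(eps0) / (math.exp(eps0) + 1)
    return (sum(reports) - len(reports) * (1 - keep)) / (2 * keep - 1)

def well_formed(reports):
    """Sanity check (not a malicious-security guarantee): every value is a valid report."""
    return all(r in (0, 1) for r in reports)

def run(bits, eps0, seed=0, consistent=True):
    """Pipeline: local randomization -> secret sharing -> two-server shuffle -> analyst."""
    rng = random.Random(seed)
    reports = [randomized_response(b, eps0, rng) for b in bits]
    shares0, shares1 = zip(*(share(r) for r in reports))
    perm = list(range(len(bits)))
    rng.shuffle(perm)
    shares0 = apply_perm(shares0, perm)
    # A server that deviates from the agreed permutation garbles almost every
    # recombined value, which the analyst can detect rather than silently aggregate.
    shares1 = apply_perm(shares1, perm if consistent else list(range(len(bits))))
    shuffled = reconstruct(shares0, shares1)
    return shuffled, (debias_count(shuffled, eps0) if well_formed(shuffled) else None)
```

Because the permutation is applied to shares rather than plaintexts, the analyst's view is the shuffled multiset of reports with no per-user linkage, which is exactly the view the shuffle model's privacy amplification is stated for.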