VDDP: Verifiable Distributed Differential Privacy under the Client-Server-Verifier Setup

Main text: 19 pages, 17 figures, 4 tables; bibliography: 5 pages.
Abstract

Although differential privacy (DP) is widely regarded as the de facto standard for data privacy, its implementation remains vulnerable to unfaithful execution by servers, particularly in distributed settings. In such cases, servers may sample noise from incorrect distributions or generate correlated noise while appearing to follow established protocols. This work addresses these malicious behaviours in a distributed client-server-verifier setup, under Verifiable Distributed Differential Privacy (VDDP), a novel framework for the verifiable execution of distributed DP mechanisms. We systematically capture end-to-end security and privacy guarantees against potentially colluding adversarial behaviours of clients, servers, and verifiers by characterizing the connections and distinctions between VDDP and zero-knowledge proofs (ZKPs). We develop three novel and efficient instantiations of VDDP: (1) the Verifiable Distributed Discrete Laplace Mechanism (VDDLM), which achieves up to a 400,000x improvement in proof generation efficiency with only 0.1--0.2x error compared with the previous state-of-the-art verifiable differentially private mechanism and includes a tight privacy analysis that accounts for all additional privacy losses due to numerical imprecisions, applicable to other secure computation protocols for DP mechanisms based on cryptography; (2) the Verifiable Distributed Discrete Gaussian Mechanism (VDDGM), an extension of VDDLM that incurs limited overhead in real-world applications; and (3) an improved solution to Verifiable Randomized Response (VRR) under local DP, as a special case of VDDP, achieving up to a 5,000x reduction in communication costs and verifier overhead.
