The shuffle model of differential privacy was proposed as a viable model for
performing distributed differentially private computations. Informally, the
model consists of an untrusted analyzer that receives messages sent by
participating parties via a shuffle functionality, the latter potentially
disassociates messages from their senders. Prior work focused on one-round
differentially private shuffle model protocols, demonstrating that
functionalities such as addition and histograms can be performed in this model
with accuracy levels similar to that of the curator model of differential
privacy, where the computation is performed by a fully trusted party.
Focusing on the round complexity of the shuffle model, we ask in this work
what can be computed in the shuffle model of differential privacy with two
rounds. Ishai et al. [FOCS 2006] showed how to use one round of the shuffle to
establish secret keys between every two parties. Using this primitive to
simulate a general secure multi-party protocol increases its round complexity
by one. We show how two parties can use one round of the shuffle to send secret
messages without having to first establish a secret key, hence retaining round
complexity. Combining this primitive with the two-round semi-honest protocol of
Applebaun et al. [TCC 2018], we obtain that every randomized functionality can
be computed in the shuffle model with an honest majority, in merely two rounds.
This includes any differentially private computation. We then move to examine
differentially private computations in the shuffle model that (i) do not
require the assumption of an honest majority, or (ii) do not admit one-round
protocols, even with an honest majority. For that, we introduce two
computational tasks: the common-element problem and the nested-common-element
problem, for which we show separations between one-round and two-round
protocols