A Differential Privacy Framework with Adjustable Efficiency–Utility Trade-Offs for Data Collection

Abstract

The widespread use of mobile devices has led to the continuous collection of vast amounts of user-generated data, supporting data-driven decisions across a variety of fields. However, the growing volume of these data raises significant privacy concerns, especially when they include personal information vulnerable to misuse. Differential privacy (DP) has emerged as a prominent solution to these concerns, enabling the collection of user-generated data for data-driven decision-making while protecting user privacy. Despite their strengths, existing DP-based data collection frameworks are often faced with a trade-off between the utility of the data and the computational overhead. To address these challenges, we propose the differentially private fractional coverage model (DPFCM), a DP-based framework that adaptively balances data utility and computational overhead according to the requirements of data-driven decisions. DPFCM introduces two parameters, α and β, which control the fractions of collected data elements and user data, respectively, to ensure both data diversity and representative user coverage. In addition, we propose two probability-based methods for effectively determining the minimum data each user should provide to satisfy the DPFCM requirements. Experimental results on real-world datasets validate the effectiveness of DPFCM, demonstrating its high data utility and computational efficiency, especially for applications requiring real-time decision-making.

1. Introduction

The widespread use of mobile devices has led to the continuous generation and collection of a vast amount of diverse data. When such user-generated data are collected, they can be used to make data-driven decisions across a wide range of applications. These data enable improved decision-making processes, allowing systems to respond to real-time information and improve services in a variety of areas, including transportation, healthcare, retail, and urban planning [1,2,3,4]. For example, in transportation, real-time data from users allow digital map applications to monitor traffic patterns and suggest alternative routes [5]. In healthcare, wearable devices collect data on users’ physical activity, heart rate, and other health metrics [6]. Healthcare providers then use this information to remotely monitor patients and make personalized recommendations. This approach promotes preventive care, ultimately leading to better patient outcomes and a more responsive healthcare system.

As the collection of data from users has become more prevalent, concerns about data privacy have increased. Including sensitive information in these datasets increases the risk of privacy breaches, as unauthorized access or misuse can have serious consequences for individuals [7,8]. In response to these challenges, significant efforts have been made to protect user privacy through various techniques. Among these, differential privacy (DP) [9] has emerged as a leading standard. DP adds controlled noise to real datasets, allowing analysts to derive insights without exposing individual data points, thereby protecting personal information.

There are two primary frameworks for collecting sensitive data from users using DP: local differential privacy (LDP) [10,11] and distributed differential privacy (DDP) [12,13]. Both frameworks are designed to operate in environments with untrusted servers, adding noise to the data locally, before they are transmitted to a central server. This approach protects individual privacy by ensuring that the raw data are never directly exposed. LDP has the advantage of relatively low computational overhead; however, the added noise can result in significant data distortion, which can reduce the utility of the collected data. In contrast, DDP provides greater data utility but requires significantly more computational resources, largely due to the use of complex cryptographic techniques.

The utility requirements of collected data vary significantly based on the specific objectives and operational needs of each application. Some applications require highly accurate, comprehensive datasets for accurate analysis and reliable results. For these applications, data completeness is critical to delivering results that satisfy strict performance criteria. In contrast, other applications are more flexible in their data needs, capable of extracting meaningful insights even from partial or incomplete datasets. For these applications, identifying general patterns or trends in real-time is often more important than perfect accuracy, allowing them to perform effectively even with incomplete data.

This variability in utility requirements plays a crucial role in the design of data collection and privacy mechanisms. Applications that do not require exhaustive datasets can benefit from approaches that emphasize efficiency over complete data collection. Motivated by this need, we propose a novel DP-based data collection framework that exploits the adequacy of partial data collection for certain applications, particularly those that require efficiency for real-time decision-making. In particular, the contribution of this paper can be summarized as follows:

• We introduce the differentially private fractional coverage model (DPFCM), which is designed to meet the needs of applications that can operate effectively with partial data collection. DPFCM specifies two parameters, $\alpha$ and $\beta$, which are determined by the specific purpose of the application. $(\alpha ,\beta )$-DPFCM aims to collect at least a fraction $\alpha$ of the total data elements, with the requirement that for each of these collected elements, data are also collected from at least a fraction $\beta$ of the users. This method guarantees that both the breadth of data elements and the depth of user representation are maintained, supporting robust data utility even when only partial data are collected.
• We propose two different probability-based approaches that effectively determine the minimum number of data elements the server should collect from each user to satisfy the requirements of an $(\alpha ,\beta )$-DPFCM. These approaches establish precise lower bounds on data collection, ensuring that the utility requirements of the model are satisfied while optimizing for efficiency.
• Finally, we validate the effectiveness of our proposed framework through experiments on real-world datasets, demonstrating that DPFCM achieves high data utility with reduced data collection requirements. Our results show that DPFCM maintains high data utility and computational efficiency, confirming its practical value in real-world applications.

The rest of this paper is structured as follows: Section 2 reviews the related work, and Section 3 presents the necessary background information. Section 4 formally defines the problem addressed in this paper and discusses existing approaches. Section 5 details the proposed $(\alpha ,\beta )$-DPFCM framework. Section 6 evaluates the proposed approach through experiments conducted on real-world datasets and Section 7 presents the conclusions of the paper.

2. Related Work

DP has been widely used to protect sensitive data in various data collection scenarios. One of the most representative models is LDP, in which each user independently perturbs his or her data prior to transmission. Depending on the type of sensitive data being collected, existing LDP mechanisms can be broadly divided into two groups: methods designed for categorical data and those tailored for numerical data. For categorical data, the randomized response technique is often used to ensure privacy while allowing accurate frequency estimation. RAPPOR [10] was developed to collect user data, such as the default home page of their browser, in Google Chrome while maintaining privacy. The frequency estimation scheme proposed by Bassily and Smith [14] builds on randomized response techniques, optimizing communication efficiency by encoding user responses into a compact bit representation before transmission. Optimal local hashing [11] further improves frequency estimation under LDP by using a hash-based encoding scheme. For numerical data, various perturbation mechanisms, including Laplace, Gaussian, and staircase noise, are commonly used. Among them, the staircase mechanism [15] is recognized as an optimal noise-adding method, achieving lower expected error than the Laplace mechanism in specific scenarios. Although LDP ensures privacy by adding noise at the user level, it often results in significant utility loss due to the high noise required to meet privacy guarantees.

DDP-based data collection is primarily categorized into two main approaches. The first category integrates DP with secure aggregation to enable privacy-preserving data collection in distributed environments [12,13]. Early works in this category focused on secure data collection in distributed systems. For instance, Lyu et al. [16] applied DP with secure aggregation to collect smart grid data in a fog computing architecture. More recently, this approach has received considerable attention in federated learning, where DP is used to protect local model updates prior to aggregation [17]. Truex et al. [18] leveraged homomorphic encryption alongside DP to securely collect local learning parameters from participating users in federated learning. Much of the research in this area has been dedicated to improving scalability and computational efficiency for large-scale learning [19,20]. Bell et al. [20] introduced an efficient secure aggregation method for federated learning, where the overhead scales logarithmically with the number of participating users. We note that the proposed framework in this paper is general enough to incorporate such advanced secure aggregation techniques.

The second main approach to DDP-based data collection utilizes the shuffle model [13,21], where an additional untrusted server, known as the shuffler, is introduced between users and the data collector. Users independently randomize their data before sending it to the shuffler, which then aggregates and randomly reorders the data before forwarding it to the data collector. The shuffle model has been widely explored, leading to various enhancements in aggregation and privacy amplification techniques [22,23,24]. However, a major limitation is its reliance on an untrusted shuffler, which introduces deployment challenges and potential vulnerabilities. In many real-world applications, the availability and trustworthiness of a shuffler cannot be guaranteed, making the model impractical for certain data collection scenarios.

Geo-indistinguishability (Geo-Ind) extends DP with a distance-based privacy metric [25,26,27,28]. The most commonly used mechanisms in Geo-Ind for data collection are the planar Laplace mechanism and the perturbation function-based mechanism. The Laplace mechanism perturbs a user’s true location by adding noise from a 2D Laplace distribution before sending it to the server [25]. In contrast, the perturbation function-based mechanism pre-calculates an obfuscation function on the server and distributes it to users, who then apply the received function to perturb their data before uploading it to the server [29,30,31,32]. Unlike DP, which enforces a consistent privacy guarantee regardless of data values, Geo-Ind allows privacy loss to increase with distance, making it vulnerable to attacks that exploit spatial correlations. Consequently, this approach is unsuitable for direct application to our problem, where strong and consistent privacy protection is required over all data points.

3. Preliminary

DP is a mathematical framework that provides probabilistic privacy protection even against attackers with arbitrary background knowledge [9]. It guarantees that an attacker cannot confidently identify an individual’s inclusion in a dataset. Formally, an algorithm $\mathcal{A}$ satisfies $(ϵ,\delta )$-DP if, for any two neighboring datasets $D_1$ and $D_2$ differing by one record, and for any output O of $\mathcal{A}$, the following probability condition holds:

$$Pr[\mathcal{A}(D_1)=O]\le e^{ϵ}\times Pr[\mathcal{A}(D_2)=O]+\delta .$$

(1)

Here, the privacy budget, $ϵ$, controls the privacy strength.

The Gaussian mechanism is commonly used to achieve $(ϵ,\delta )$-DP. For a given function f, the Gaussian mechanism $\mathcal{A}$ produces a differentially private output by adding random noise drawn from a Gaussian distribution with mean 0 and variance ${\sigma }^2$ [9].

$$\mathcal{A}(D)=f(D)+\mathcal{N}(0,{\sigma }^2)$$

(2)

The standard deviation $\sigma$ is calculated as $\sigma ={\displaystyle \frac{\Delta f·\sqrt{2ln(1.25/\delta )}}{ϵ}}$, where $\Delta f$ (global sensitivity) is the maximum change in the output of the function f when a single record in the dataset is modified.

Local Differential Privacy (LDP) In traditional DP settings, a trusted server collects original data from individuals, applies noise to the aggregated data, and shares the data in a privacy-preserving manner. However, real-world scenarios do not always allow for such a trusted server. LDP addresses this limitation by allowing each data owner to independently apply noise to their data before sharing it with an untrusted server [10,11]. Formally, a randomized algorithm $\mathcal{A}$ satisfies ($ϵ$, $\delta$)-LDP if, for any two data values $v_a$ and $v_b$, and any output O of $\mathcal{A}$, the following condition holds:

$$Pr[\mathcal{A}(v_a)=O]\le e^{ϵ}\times Pr[\mathcal{A}(v_b)=O]+\delta .$$

(3)

The above equation ensures that the aggregator cannot confidently determine whether the output of $\mathcal{A}$ was generated from $v_a$ or $v_b$, and thus guarantees the privacy of the individual’s input. This property prevents the inference of sensitive information by ensuring that any two inputs, $v_a$ and $v_b$, produce outputs that are statistically indistinguishable within the bounds defined by the privacy parameters.

Distribute Differential Privacy (DDP) Like LDP, DDP enables privacy in data collection without relying on a trusted central server. In DDP, each user i adds independent noise to their data $x_i$, resulting in locally randomized data $x_i+\mathcal{N}(0,{\displaystyle \frac{{\sigma }^2}{n}})$. Here, $\mathcal{N}(0,{\displaystyle \frac{{\sigma }^2}{n}})$ represents noise drawn from a Gaussian distribution with mean 0 and variance ${\displaystyle \frac{{\sigma }^2}{n}}$, where n is the total number of users. When all n users’ contributions are aggregated by the untrusted server, the result is the following:   

$$\sum _{i=1}^n\left(x_i+\mathcal{N}\left(0,{\displaystyle \frac{{\sigma }^2}{n}}\right)\right)=\sum _{i=1}^n{x}_i+\mathcal{N}(0,{\sigma }^2),$$

(4)

where $\mathcal{N}(0,{\sigma }^2)$ represents the combined noise. Thus, DP is satisfied for the aggregated result, ${\sum }_{i=1}^n{x}_i$, rather than for each individual user’s data. By adding noise collaboratively across all users, the model ensures that the aggregated result satisfies $(ϵ,\delta )$-DP for the entire dataset while minimizing the noise that each individual must add. However, since individual data do not satisfy DP, computationally intensive cryptographic techniques are necessary to ensure that individual contributions remain protected during the aggregation process.

4. Problem Definition and Baseline Approaches

4.1. Problem Definition

In this section, we formally define the problem addressed in this paper. Let us assume that a set of users is defined as $U=\{u_1,u_2,\cdots ,u_n\}$. Let $E=\{e_1,e_2,\cdots ,e_m\}$ be the set of all possible data elements. Each user $u_t\in U$ has a set of data elements, represented by $D_t=\left\{(e_k,f_{t,k})\right|k=1,2,\dots ,m\}$, where $f_{t,k}$ denotes the value associated with data element $e_k$ for user $u_t$. In many real-world applications, the number of data elements m is large, and thus $f_{t,k}$ is often zero, resulting in a sparse representation of $D_t$. For example, in location-based services, each $e_k$ might represent a unique point of interest (PoI), and $f_{t,k}$ might indicate the frequency of visits by user $u_t$ to that PoI. In this case, since there are many PoIs and most users visit only a small number of them, the data are very sparse.

In this paper, we assume that for each $u_t\in U$, the value $f_{t,k}$ corresponds to sensitive data that could reveal user preferences. Therefore, it is necessary to protect this information when sharing it with external parties. The goal of the service provider (i.e., the central server) is to collect the values $(e_k,f_{t,k})$ from all users in U. However, since $f_{t,k}$ represents sensitive information, it is necessary to apply DP to protect the sensitive information of individual users. Specifically, for each data element $e_k\in E$, the service provider aims to compute the aggregate sum ${\sum }_{t=1}^n{f}_{t,k}$ across all users, while ensuring that each user’s privacy is preserved.

4.2. Baseline Approaches

Algorithm 1 represents the baseline approach using LDP to the problem addressed in this paper. This pseudocode corresponds to the procedure for the t-th participating user, which is applied identically to all other users. Algorithm 1 ensures privacy by perturbing each user’s non-zero data values before reporting them to the central server. We assume that reporting only non-zero data does not significantly reveal sensitive information, as the sparsity of real-world datasets often limits the risk of identification from missing values alone. Each user initializes an empty list, $R_t$, and iterates through all data elements, adding Gaussian noise, $\mathcal{N}(0,{\sigma }^2)$, to non-zero values $f_{t,k}$ (line 2–6). The noisy values are stored in $R_t$, which is then sent to the server.

Algorithm 1 Baseline Approach Based on LDP (Each Participating User Processing)

1: Initialize $R_t$ as an empty list 2: for each $k\in \{1,2,\dots ,m\}$ do 3:   if $f_{t,k}>0$ then 4:    Append $(e_k,f_{t,k}+\mathcal{N}(0,{\sigma }^2))$ to $R_t$ 5:   end if 6: end for 7: Report $R_t$ to the central server

In Algorithm 1, each user independently perturbs their data to satisfy ($ϵ$,$\delta$)-DP locally. However, since the goal of this work is to compute the sum of all users’ data for each element, adding noise locally at the user level leads to excessive noise in the aggregated result. For example, consider a data element $e_l$ where h users have non-zero values. The aggregated result at the server would contain noise $\mathcal{N}(0,h{\sigma }^2)$, which increases with the number of contributing users h. Instead, adding the noise directly to the aggregated sum would only require $\mathcal{N}(0,{\sigma }^2)$, significantly improving the utility of the result while still satisfying ($ϵ$,$\delta$)-DP.

Algorithm 2 presents a DDP-based baseline approach to the problem addressed in this paper. In this approach, each participating user iterates through all data elements, adding noise from a Gaussian distribution, $\mathcal{N}(0,{\displaystyle \frac{{\sigma }^2}{n}})$, where n is the total number of participating users (line 3). The noisy values are then encrypted using a threshold-based homomorphic encryption scheme (line 4). These encrypted noisy values are appended to $R_t$, which is then sent to the server for decryption and aggregation.

Algorithm 2 Baseline Approach Based on DDP (Each Participating User Processing)

1: Initialize $R_t$ as an empty list 2: for each $k\in \{1,2,\dots ,m\}$ do 3:   $noise\_f_{t,k}\leftarrow f_{t,k}+\mathcal{N}(0,{\displaystyle \frac{{\sigma }^2}{n}})$ 4:   $enc\_noise\_f_{t,k}=En{c}_{pk}(noise\_f_{t,k})$ 5:   Append $(e_k,enc\_noise\_f_{t,k})$ to $R_t$ 6: end for 7: Upload $R_t$ to the central server

Although in Algorithm 2, the noise added by each user does not satisfy $ϵ$-DP for individual local data, the aggregated noise across all users ensures that the final aggregated result satisfies ($ϵ$,$\delta$)-DP [12,13]. For instance, for the k-th data element, the aggregated value across all users is computed as ${\sum }_{t=1}^n(f_{t,k}+\mathcal{N}(0,{\displaystyle \frac{{\sigma }^2}{n}}))={\sum }_{t=1}^n{f}_{t,k}+n·\mathcal{N}(0,{\displaystyle \frac{{\sigma }^2}{n}})={\sum }_{t=1}^n{f}_{t,k}+\mathcal{N}(0,{\sigma }^2)$, which satisfies the ($ϵ$,$\delta$)-DP for the aggregated data. As a result, compared to the LDP-based solution, the DDP-based approach achieves better data utility in the aggregated results. However, in Algorithm 2, since $ϵ$-DP is not satisfied for each user’s individual local data, it is essential to ensure that the server can only access the aggregated results and cannot access individual user data. This requires cryptographic techniques such as homomorphic encryption [17,18] and multi-party aggregation [19,20], which allow the server to process only the aggregated results while preventing access to individual user contributions. However, these techniques are widely recognized for their computational overheads, which can significantly increase overall system complexity.

5. Proposed Approach

Although the DDP-based approach presents a promising solution by reducing noise relative to the LDP-based approach, it is not directly applicable to the problem addressed in this paper. In particular, two key challenges prevent the straightforward application of DDP to our problem:

• Impracticality of Applying DDP to All Data. The DDP-based baseline approach in Algorithm 2 is highly inefficient because it requires cryptographic techniques to be applied to all m data elements across n users. In real-world scenarios, where m (the number of data elements) is extremely large, the computational overhead of cryptographic techniques becomes prohibitive, especially when n is also large. The complexity of these techniques scales with both the number of users and the size of the dataset [17,20]. As a result, applying DDP to all data elements in scenarios with a large number of users is highly inefficient due to the significant computational cost.
• Non-Zero Data Variability. An alternative solution is to apply DDP only to data elements with non-zero values, similar to the LDP-based approach in Algorithm 1. In this approach, each user i perturbs its data by adding independent noise $\mathcal{N}(0,{\displaystyle \frac{{\sigma }^2}{h}})$, where h represents the total number of users contributing to the aggregation for a specific data element. However, this solution is not feasible for sparse datasets, as each user typically has a different set of non-zero data elements. Since h depends on the number of users contributing non-zero values for a given data element $e_k\in E$, the server cannot determine h for each element without knowing the users’ individual non-zero data. Consequently, the noise variance $\mathcal{N}(0,{\displaystyle \frac{{\sigma }^2}{h}})$ cannot be accurately calibrated, resulting in the failure to satisfy ($ϵ$,$\delta$)-DP globally.

These challenges highlight the limitations of directly applying DDP to our problem, and the need for an alternative approach. In this section, we propose the $(\alpha ,\beta )$-DPFCM framework, which builds on DDP to balance data utility and efficiency while adapting to the specific requirements of the application.

5.1. Definition of $(\alpha ,\beta )$-DPFCM

In this subsection, we formally define the proposed $(\alpha ,\beta )$-DPFCM.

Definition 1

($(\alpha ,\beta )$-DPFCM). A data collection process satisfies $(\alpha ,\beta )$-DPFCM if it satisfies the following two conditions for the given set of users $U=\{u_1,u_2,\cdots ,u_n\}$ and data elements $E=\{e_1,e_2,\cdots ,e_m\}$:

$$|E_c|\ge \alpha ·m,$$

(5)

where $E_c\subseteq E$ is the set of collected data elements, and $0\le \alpha \le 1$, and 

$$\forall e_k\in E_c,\left|U_k\right|\ge \beta ·n,$$

(6)

where $U_k\subseteq U$ is the set of users contributing to data element $e_k$, and $0\le \beta \le 1$.

The $(\alpha ,\beta )$-DPFCM framework introduces two key parameters, $\alpha$ and $\beta$, which control the breadth and depth of data collection, respectively. $\alpha$ specifies the minimum fraction of the total data elements that must be collected to ensure sufficient diversity in the dataset. For example, if $\alpha =0.9$ and the total number of items is $m=1000$, at least 900 items must be included in the collection process. On the other hand, $\beta$ determines the minimum fraction of users who must contribute data for each collected element, ensuring reliable user representation. For instance, if $\beta =0.6$ and the total number of users $n=500$, at least 300 users must provide data for each selected element.

Figure 1 shows an example of $(0.8,0.8)$-DPFCM applied to a scenario with five users and 10 data elements. This example satisfies the $(0.8,0.8)$-DPFCM requirements because the set $E_c=\{e_1,e_2,e_4,e_5,e_6,e_7,e_8,e_{10}\}$ consists of data elements for which at least four users contribute their data to the server, thereby meeting the specified thresholds for both $\alpha$ and $\beta$. We note that by adjusting $\alpha$ and $\beta$, the framework can balance the trade-off between the diversity of data elements and the robustness of user contributions, supporting efficient and utility-driven data collection in real-world applications.

5.2. Overview of $(\alpha ,\beta )$-DPFCM Framework

Figure 2 shows an overview of the proposed $(\alpha ,\beta )$-DPFCM framework, which consists of three phases.

• Computing minimum user contributions: The data collection server calculates the minimum number of data elements, $\tau$, that each user must contribute to the server to satisfy the requirements of the $(\alpha ,\beta )$-DPFCM framework, and then distributes it to all users (Section 5.3).
• Contributing data using DDP: Each user employs a DDP-based mechanism to report at least $\tau$ data elements to the server (Section 5.4).
• Secure aggregation: The server aggregates encrypted contributions for each data element, verifies that the threshold $\beta$ is satisfied, and securely decrypts the noisy values for qualifying elements (Section 5.5).

In the next subsections, we will present the detailed descriptions of each step in the proposed $(\alpha ,\beta )$-DPFCM framework.

5.3. Computing Minimum User Contributions for $(\alpha ,\beta )$-DPFCM

The requirement of the $(\alpha ,\beta )$-DPFCM cannot be satisfied if each user sends only its non-zero data elements to the server, as in the LDP-based approach described in Algorithm 1. To address this, it is necessary to determine the minimum number of data elements that each user must contribute to the central server in order to satisfy the requirement of the $(\alpha ,\beta )$-DPFCM. In this subsection, we propose two different probability-based approaches.

5.3.1. Binomial Model-Based Approach

To determine the minimum number of data elements each user must send to satisfy $(\alpha ,\beta )$-DPFCM, we represent the selection process using a binomial distribution. Let us assume that each user randomly selects $\tau$ data elements from a total of m available data elements. The probability that any specific data element $e_t$ is selected by a user is given by $p_t={\displaystyle \frac{\tau }{m}}$.

We then model the number of users selecting a specific data element $e_t$ as a random variable X. Since each user’s selection is independent of others, X follows a binomial distribution,

$$X\sim \mathrm{Binomial}(n,p_t),$$

(7)

where n is the total number of users and $p_t$ is the probability of a user selecting $e_t$. This distribution effectively captures the likelihood of a specific data element being selected by a given number of users.

The probability that the number of users selecting $e_t$ is greater than or equal to the threshold specified in Equation (6) is represented as $Pr(X\ge \beta ·n)$. Moreover, according to the condition in Equation (5), at least a fraction $\alpha$ of the total data elements must be collected. This implies that $\alpha$ can be interpreted as the confidence level required to satisfy $Pr(X\ge \beta ·n)$. This condition can be expressed using the cumulative distribution function (CDF) of the binomial distribution:

$$\begin{array}{c}Pr(X\ge \beta ·n)=1-Pr(X\le \beta ·n-1)\ge \alpha \hfill \\ \Rightarrow Pr(X\le \beta ·n-1)\le 1-\alpha \hfill \end{array}$$

(8)

Finally, we compute the cumulative probability $Pr(X\le \beta ·n-1)$ using the CDF of the binomial distribution as follows:

$$Pr(X\le \beta ·n-1)=\sum _{k=0}^{\beta ·n-1}\left({\displaystyle \genfrac{}{}{0pt}{}{n}{k}}\right)p_t^k{(1-p_t)}^{n-k}=\sum _{k=0}^{\beta ·n-1}\left({\displaystyle \genfrac{}{}{0pt}{}{n}{k}}\right){({\displaystyle \frac{\tau }{m}})}^k{(1-{\displaystyle \frac{\tau }{m}})}^{n-k}\le 1-\alpha$$

(9)

We need to compute the minimum value of $\tau$ that satisfies the above equation, which provides a probabilistic guarantee that at least $\alpha ·m$ data elements are selected, each with contributions from at least $\beta ·n$ users.

5.3.2. Chernoff Bound-Based Approach

The next approach for computing the minimum $\tau$ to satisfy $(\alpha ,\beta )$-DPFCM is to use the Chernoff bound. The Chernoff bound provides an exponential bound on the tail probabilities of a random variable and is particularly useful for bounding the sum of independent random variables. For a random variable X with expectation $\mathbb{E}\left[X\right]$, the lower bound of the Chernoff bound is defined as follows:

$$P(X\le (1-\gamma )\mathbb{E}\left[X\right])\le exp\left(-{\displaystyle \frac{{\gamma }^2}{2}}\mathbb{E}\left[X\right]\right),\mathrm{for}0<\gamma \le 1.$$

(10)

This bound provides an exponential decay rate for the probability that X is less than $(1-\gamma )\mathbb{E}\left[X\right]$. By applying this Chernoff lower bound, we can determine the minimum threshold $\tau$ such that the probability of X being greater than or equal to $\beta ·n$ is at least $\alpha$.

As in the case of Section 5.3.1, let us assume that each user randomly selects $\tau$ data elements from a total of m available data elements. Thus, the probability that any specific data element $e_t$ is selected is $p_t={\displaystyle \frac{\tau }{m}}$. We model the number of users selecting a specific data element $e_t$ as a random variable X. The expected value of X, denoted as $\mathbb{E}\left[X\right]$, is computed as follows:

$$\mathbb{E}\left[X\right]=n·p_t=n·{\displaystyle \frac{\tau }{m}}$$

(11)

To satisfy the $(\alpha ,\beta )$-DPFCM requirements, we need to ensure that the probability of X being greater than or equal to $\beta ·n$ is at least $\alpha$. This requirement can be rewritten as follows:

$$Pr(X\ge \beta ·n)\ge \alpha \Rightarrow Pr(X\le \beta ·n)\le 1-\alpha .$$

(12)

To apply the Chernoff bound in this context, we define $\gamma$ such that $\gamma =1-{\displaystyle \frac{\beta ·n}{\mathbb{E}\left[X\right]}}$. Substituting this into the Chernoff bound in Equation (10), we obtain

$$Pr(X\le \beta ·n)\le exp\left(-{\displaystyle \frac{{\gamma }^2}{2}}\mathbb{E}\left[X\right]\right).$$

(13)

By rearranging the terms, the inequality becomes

$$exp\left(-{\displaystyle \frac{{\gamma }^2}{2}}\mathbb{E}\left[X\right]\right)\le 1-\alpha .$$

(14)

By taking the natural logarithm on both sides, we derive

$${\displaystyle \frac{{\gamma }^2\mathbb{E}\left[X\right]}{2}}\ge -ln(1-\alpha ).$$

(15)

By substituting $\mathbb{E}\left[X\right]$ and $\gamma$, the inequality becomes

$${\displaystyle \frac{{\left(1-\frac{\beta ·m}{\tau }\right)}^2·n·\frac{\tau }{m}}{2}}\ge -ln(1-\alpha ).$$

(16)

To further simplify, we multiply both sides of the equation by ${\displaystyle \frac{2m}{n}}$:

$${\left(1-{\displaystyle \frac{\beta ·m}{\tau }}\right)}^2·\tau \ge {\displaystyle \frac{-2mln(1-\alpha )}{n}}.$$

(17)

We need to compute the minimum value of $\tau$ that satisfies the above inequality, thereby ensuring that the $(\alpha ,\beta )$-DPFCM requirements are satisfied.

The choice between the binomial model-based approach and the Chernoff bound-based approach determines how the minimum required user contribution $\tau$ is calculated. The binomial approach tends to produce a lower $\tau$, optimizing efficiency by reducing computational overhead. However, this efficiency comes with a trade-off. That is, there is a small probability that the $(\alpha ,\beta )$-DPFCM condition may not be fully satisfied. In contrast, the Chernoff approach slightly overestimates $\tau$, which guarantees that the $(\alpha ,\beta )$-DPFCM condition is always satisfied, but leads to a higher computational cost due to the increased number of reported data elements. The experimental results in Section 6 confirm this trade-off, demonstrating that while the binomial model-based approach minimizes computational overhead, the Chernoff bound-based approach is preferable when strict satisfaction of $(\alpha ,\beta )$-DPFCM is the priority.

5.3.3. Algorithm for Computing Minimum User Contribution

Since deriving a closed-form solution for Equations (9) and (17) is not feasible, we use an iterative method to compute the minimum $\tau$ efficiently. Algorithm 3 provides the pseudocode for this iterative approach. The algorithm begins by initializing $\tau$ to the smallest possible value, $\lceil \beta ·m\rceil$. The algorithm iteratively increments $\tau$ by one and checks whether the specified condition (Binomial or Chernoff) is satisfied based on the chosen method. The BinomialCondition procedure checks whether the condition specified in Equation (9) is satisfied (lines 16–19), while the ChernoffCondition procedure checks whether the Chernoff bound-based inequality in Equation (17) holds (lines 20–24). The algorithm continues until a valid $\tau$ is found.

Algorithm 3 Pseudocode for Computing Minimum $\tau$

1: procedure ComputeTau($n,m,\alpha ,\beta ,\mathrm{method}$)   2:   $\tau \leftarrow \lceil \beta ·m\rceil$   3:   while $\tau \le m$ do   4:     if $\mathrm{method}=“\mathrm{binomial}”$ then   5:       if BinomialCondition($\tau ,n,m,\alpha ,\beta$) then   6:         return $\tau$   7:       end if   8:     else if $\mathrm{method}=“\mathrm{chernoff}”$ then   9:       if ChernoffCondition($\tau ,n,m,\alpha ,\beta$) then 10:         return $\tau$ 11:       end if 12:      end if 13:      $\tau \leftarrow \tau +1$ 14:    end while 15: end procedure 16: procedure BinomialCondition($\tau ,n,m,\alpha ,\beta$) 17:    $P\leftarrow \mathrm{BinomialCDF}(\beta ·n-1,n,{\displaystyle \frac{\tau }{m}})$ 18:    return $P\le 1-\alpha$ 19: end procedure 20: procedure ChernoffCondition($\tau ,n,m,\alpha ,\beta$) 21:    $\mathrm{LHS}\leftarrow {\left(1-{\displaystyle \frac{\beta ·m}{\tau }}\right)}^2·\tau$ 22:    $\mathrm{RHS}\leftarrow {\displaystyle \frac{-2·m·ln(1-\alpha )}{n}}$ 23:    return $\mathrm{LHS}\ge \mathrm{RHS}$ 24: end procedure

By restricting each user to uploading $\tau$ data elements, as determined by Algorithm 3, we effectively address the two key challenges previously identified: the impracticality of applying DDP to all data and non-zero data variability. To address the impracticality of applying DDP to all data, the proposed framework allows each user to upload only a subset of data elements, significantly reducing computational overhead. By selecting and reporting only a subset of data elements rather than the entire dataset, the computational overhead is significantly reduced, enabling scalability for large datasets. For non-zero data variability, the proposed framework ensures that each user sends at least $\tau$ data elements to the server. The value of $\tau$ is determined using either the proposed binomial model-based approach or the Chernoff bounds-based approach. By ensuring that each user contributes $\tau$ data elements, the $(\alpha ,\beta )$-DPFCM condition is satisfied, enabling DDP-based data collection regardless of variations in non-zero data across users.

5.4. Contributing Data Using DDP

After calculating the minimum $\tau$, the server distributes this value to all participating users. Each user is then required to select at least $\tau$ of data elements from their available dataset. These selected data elements are then sent back to the server. Algorithm 4 provides the pseudocode for the user-side processing of the proposed $(\alpha ,\beta )$-DPFCM algorithm. This algorithm is based on the principles of DDP, but introduces a novel approach to reduce the computational overhead associated with DDP-based schemes. Unlike existing DDP methods, which require users to report all data elements to the server for our problem, the proposed algorithm allows each user to report only a subset of data elements, specified by $\tau$. By limiting the number of reported elements to $\tau$, the algorithm significantly reduces the computational overhead associated with DDP.

Algorithm 4 Pseudocode for the User-Side Processing of $(\alpha ,\beta )$-DPFCM

1: Initialize $R_t$ as an empty list   2: for each $k\in \{1,2,\dots ,m\}$ do   3:   if $f_{t,k}>0$ then   4:    $noise\_f_{t,k}\leftarrow f_{t,k}+\mathcal{N}(0,{\displaystyle \frac{{\sigma }^2}{\beta ·n}})$   5:    Append $(e_k,En{c}_{pk}(noise\_f_{t,k}))$ to $R_t$   6:   end if   7: end for   8: while size($R_t$) $<\tau$ do   9:   Randomly select i that is not in $R_t$ 10:    $noise\_f_{t,i}\leftarrow f_{t,i}+\mathcal{N}(0,{\displaystyle \frac{{\sigma }^2}{\beta ·n}})$ 11:    Append $(e_i,En{c}_{pk}(noise\_f_{t,i}))$ to $R_t$ 12: end while 13: Upload $R_t$ to the central server

The algorithm begins by initializing an empty list, $R_t$, and then iterates over all data elements, adding Gaussian noise with variance $\mathcal{N}(0,{\displaystyle \frac{{\sigma }^2}{\beta ·n}})$ to non-zero values (line 4). The noisy values are encrypted using a homomorphic encryption scheme with a given threshold, such as that given in [33] (line 5). The noisy and encrypted values are appended to $R_t$. If the size of $R_t$ is less than the required threshold $\tau$, the user randomly selects additional indices whose corresponding data element value is zero, applies the same noise addition and encryption steps, and appends the results to $R_t$ (lines 8–12). Finally, the encrypted list $R_t$ is sent to the server for aggregation.

5.5. Secure Aggregation of User Contributions

After receiving the encrypted data from users, the server aggregates the contributions for each data element, checks whether the number of contributions meets the threshold $\beta$, and securely decrypts the noisy aggregated values for elements that qualify. Algorithm 5 provides the pseudocode for the server-side processing of the proposed $(\alpha ,\beta )$-DPFCM algorithm. Upon receiving $R_1,R_2,\cdots ,R_n$ from n users, the server first aggregates the data for each data element (line 1). Let assume that ${\left\{(U_k,{\left\{En{c}_{pk}(noise\_f_{t,k})\right\}}_{t\in U_k})\right\}}_{k=1}^m$ represents the aggregated results for all data elements, where $U_k\subseteq U$ denotes the set of users who uploaded $(e_k,En{c}_{pk}(f_{t,k}))$ to the server.

The server then uses the homomorphic properties of the encryption scheme to securely aggregate these encrypted values. If the number of users who submitted encrypted noisy values for a specific data element k satisfies the condition $|U_k|\ge \beta$, the server computes the encrypted aggregated noisy value $En{c}_{pk}(noise\_f_k)$ by multiplying the encrypted values provided by all contributing users in $U_k$, leveraging the additive homomorphic property of the encryption scheme (line 5). Next, the server initiates the threshold decryption process (line 6–10). It randomly selects a subset of users, $U_{dec}\subseteq U_k$, such that $|U_{dec}|=\beta$, to collaboratively decrypt the aggregated value. The server queries each user in $U_{dec}$ with $En{c}_{pk}(noise\_f_k)$. Each user computes a partial decryption of the encrypted value using their share of the private key and sends the result back to the server. The server then combines the partial decryptions to compute the final aggregated noisy value, $noise\_f_k$. Finally, the server stores the result $(e_k,noise\_f_k)$ in the result set, $ResultSet$, and repeats the process for all data elements that satisfy the condition $|U_k|\ge \beta$.

Algorithm 5 Pseudocode for the Sever-Side Processing of $(\alpha ,\beta )$-DPFCM

1: ${\left\{(U_k,{\left\{En{c}_{pk}(noise\_f_{t,k})\right\}}_{t\in U_k})\right\}}_{k=1}^m\mathrm{are}\mathrm{the}\mathrm{aggregated}\mathrm{results}$   2: Initialize an empty set $ResultSet\leftarrow \varnothing$   3: for $k\leftarrow 1$ to m do   4:   if $|U_k|\ge \beta$ then   5:    $En{c}_{pk}(noise\_f_k)\leftarrow {\prod }_{t\in U_k}En{c}_{pk}(noise\_f_{t,k})$   6:    Select $U_{dec}\subseteq U_k$ such that $|U_{dec}|=\beta$   7:    for $u_j\in U_{dec}$ do   8:      Query $u_j$ with $En{c}_{pk}(noise\_f_k)$   9:      Receive partial decryption of $noise\_f_k$ from $u_j$ 10:      end for 11:      Compute $noise\_f_k$ from partial decryptions 12:    end if 13:    $ResultSet\leftarrow ResultSet\cup \left\{(e_k,noise\_f_k)\right\}$ 14: end for

5.6. Analysis of Effect of $\alpha$ and $\beta$ on $\tau$

In the $(\alpha ,\beta )$-DPFCM framework, the parameters $\alpha$ and $\beta$ play a critical role in determining the minimum number of data elements, $\tau$, that each user must contribute. The value of $\tau$ has a direct impact on the overall efficiency of the framework, affecting both user-side processing, as described in Algorithm 4, and server-side processing, as described in Algorithm 5. A higher value of $\tau$ increases the utility of the collected dataset. However, this comes at the cost of higher computational requirements. On the other hand, a smaller $\tau$ reduces the computational overhead, improving the scalability and efficiency of the system. However, it may compromise the utility of the collected data. Thus, in this subsection, we analyze the effect of $\alpha$ and $\beta$ on $\tau$ based on the previously proposed binomial model-based and Chernoff bound-based approaches.

5.6.1. Effect of $\alpha$ on $\tau$

The parameter $\alpha$ specifies the fraction of data elements that must meet the contribution threshold of at least $\beta ·n$ users. A higher $\alpha$ implies stricter requirements as a larger proportion of data elements must satisfy this condition.

• Binomial Model-Based Approach: Using the condition from Equation (9), an increase in $\alpha$ decreases $1-\alpha$, tightening the inequality. To satisfy this tighter condition, the cumulative probability $Pr(X\le \beta ·n-1)$ must decrease. This requires an increase in $\tau$, as increasing $\tau$ increases the probability that more users will select each data element, thus shifting the probability mass of the binomial towards higher values of X.
• Chernoff Bound-Based Approach: From Equation (17), an increase in $\alpha$ results in a larger $-ln(1-\alpha )$ on the right-hand side. To maintain the inequality, $\tau$ must be increased to ensure that the left-hand side remains greater than or equal to the right-hand side. Specifically, a larger $\tau$ compensates by increasing both the quadratic term ${\left(1-{\displaystyle \frac{\beta ·m}{\tau }}\right)}^2$ and the overall product with $\tau$.

In summary, for both approaches, as $\alpha$ increases, $\tau$ must also increase to satisfy the stricter condition that a larger proportion of data elements meet the required contribution threshold.

5.6.2. Effect of $\beta$ on $\tau$

The parameter $\beta$ represents the fraction of users, $\beta ·n$, that must contribute to each data element for it to qualify. A higher $\beta$ increases the required number of contributions for each data element.

• Binomial Model-Based Approach: From Equation (9), the inequality involves a summation up to $\beta ·n-1$. Increasing $\beta$ raises this upper limit, requiring the binomial probability mass to shift toward higher values of X. To achieve this, $\tau$ must increase, as a higher $\tau$ ensures that more users contribute to each data element, thereby meeting the increased threshold.
• Chernoff Bound-Based Approach: From Equation (17), an increase in $\beta$ raises the term ${\displaystyle \frac{\beta ·m}{\tau }}$, which reduces the factor ${\left(1-{\displaystyle \frac{\beta ·m}{\tau }}\right)}^2$ on the left-hand side. To restore balance, $\tau$ must be increased to ensure that the left side satisfies the inequality.

Therefore, for both approaches, as $\beta$ increases, $\tau$ must also increase to satisfy the stricter condition requiring more user contributions for each data element.

5.6.3. Discussion on Selecting Appropriate Values for $\alpha$ and $\beta$

In the $(\alpha ,\beta )$-DPFCM framework, the parameters $\alpha$ and $\beta$ significantly influence the minimum value of $\tau$, which determines the number of data elements that each user must contribute. If either $\alpha$ or $\beta$ increases, $\tau$ must also increase to satisfy the stricter requirements imposed by these parameters. Higher values of $\alpha$ demand that a larger proportion of data elements meet the contribution threshold, while higher values of $\beta$ require more users to contribute to each data element. As a result, increasing $\alpha$ and $\beta$ increases the utility of the collected dataset by collecting more comprehensive and representative data.

However, this improvement in utility comes at a cost. An increased value of $\tau$ directly results in higher computational overhead due to the DDP mechanism. Users must process and transmit more data elements, and the server must handle more contributions, increasing the complexity of secure aggregation and decryption. Therefore, the balance between utility and efficiency becomes critical.

The proposed approach allows for dynamic adjustment of the efficiency–utility trade-offs for data collection by carefully selecting the values of $\alpha$ and $\beta$ based on the intended data analysis objectives and available computational resources. For applications that prioritize high utility, larger values of $\alpha$ and $\beta$ can be chosen to ensure a more comprehensive and representative dataset. On the other hand, for scenarios where efficiency and scalability are critical due to resource constraints, smaller values of $\alpha$ and $\beta$ can be chosen to minimize the computational overhead, thereby optimizing the use of available resources.

6. Experiments

In this section, we evaluate the proposed scheme using real datasets. We first describe the experimental setup and then present a discussion of the results.

6.1. Experimental Setup

Datasets: In this study, we evaluate the performance of the proposed method using real-world data to demonstrate its practical applicability. The T-Drive dataset [34], which consists of GPS-based driving records of 10,357 taxis operating in Beijing, was used for our experiments. To generate a PoI dataset from the T-Drive data, we employed the following process: First, the entire geographic region was divided into 10,000 equally sized zones, and the location of each taxi was mapped to its corresponding zone. Second, in order to focus on areas of significant activity, the 1000 most frequently visited zones were identified and considered as PoIs. The number of visits to each zone was used as the value associated with the PoI. Finally, to simulate different dataset sizes, we randomly selected two subsets of taxis from the 10,357 available taxis, consisting of 1000 and 3000 taxis, respectively. In this setup, each taxi was considered as a user, the PoIs were treated as a set of data elements (E), and the frequency of each taxi’s visits to a PoI was used as the value ($f_{t,k}$) associated with the data element $e_k\in E$.

Baseline: For the proposed $(\alpha ,\beta )$-DPFCM framework, we implemented two different methods: the binomial model-based approach ($DPFC{M}_{bi}$) and the Chernoff bound-based approach ($DPFC{M}_{ch}$). To evaluate the effectiveness of our framework, we conducted a comparative evaluation against the LDP-based method using the staircase mechanism [15] ($LD{P}_{SM}$), which introduces less noise into the original data compared to the Gaussian and Laplace mechanisms, as well as the DDP-based approach ($DDP$) from [18].

Evaluation Metrics: In our experiments, we used mean absolute error (MAE) and Jensen–Shannon divergence (JSD) as evaluation metrics for comparative analysis. MAE is defined as follows:

$$MAE={\displaystyle \frac{1}{m}}\times \sum _{k=1}^m|a{f}_k-a{f}_k^{\prime }|$$

(18)

Here, $a{f}_k$ represents the true aggregated frequency value for the data element $e_k$, computed as the sum of all individual contributions over n users, expressed as $a{f}_k={\sum }_{t=1}^n{f}_{t,k}$. On the other hand, $a{f}_k^{\prime }$ denotes the noisy aggregated frequency value computed using the DP mechanism.

Furthermore, JSD is defined as follows:

$$JSD={\displaystyle \frac{D_{KL}(D(P)||D(P^{\prime }))+D_{KL}(D(P^{\prime })\left|\right|D(P))}{2}}$$

(19)

Here, $D_{KL}$ represents the Kullback–Leibler divergence, P denotes the true probability distribution of the aggregated frequency values derived by normalizing $a{f}_k$ across all data elements, and $P^{\prime }$ corresponds to the noisy probability distribution obtained by normalizing the DP private noisy aggregated values $a{f}_k^{\prime }$.

6.2. Evaluation of $\tau$ Computation Methods in $(\alpha ,\beta )$-DPFCM Framework

Before presenting the experimental results on the utility of the collected data, we first evaluate the effectiveness of the proposed binomial model-based and Chernoff bound-based approaches for computing $\tau$. Figure 3 shows the differences in $\tau$ computed using the Chernoff bound-based approach and the binomial model-based approach under varying values of $\alpha$ and $\beta$. As shown in the figure, the $\tau$ values computed using the Chernoff bound-based approach are consistently higher than those derived from the binomial model-based approach. This is because the Chernoff bound provides a conservative estimate by bounding the tail probabilities with an exponential decay term, providing a stronger guarantee that the desired confidence level $\alpha$ is met. The squared deviation factor, ${(1-\gamma )}^2$, in the Chernoff inequality amplifies deviations, leading to an overestimation of $\tau$. In contrast, the binomial model-based approach directly computes the exact probabilities using the CDF of the binomial distribution. This results in accurate $\tau$ values that are sufficient to meet the requirements without unnecessary overestimation.

Table 1. Failure rate of $(\alpha ,\beta )$-DPFCM requirements for binomial model-based and Chernoff bound-based approaches.

$\mathit{\beta }$	${\mathit{DPFCM}}_{\mathit{bi}}$					${\mathit{DPFCM}}_{\mathit{ch}}$
	$\mathit{\alpha }=\mathbf{0.5}$	$\mathit{\alpha }=\mathbf{0.6}$	$\mathit{\alpha }=\mathbf{0.7}$	$\mathit{\alpha }=\mathbf{0.8}$	$\mathit{\alpha }=\mathbf{0.9}$	$\mathit{\alpha }=\mathbf{0.5}$	$\mathit{\alpha }=\mathbf{0.6}$	$\mathit{\alpha }=\mathbf{0.7}$	$\mathit{\alpha }=\mathbf{0.8}$	$\mathit{\alpha }=\mathbf{0.9}$
0.1	0	0	0	0	0	0	0	0	0	0
0.2	0.010	0.026	0.028	0.075	0.025	0	0	0	0	0
0.3	0.015	0.035	0.030	0.085	0.080	0	0	0	0	0
0.4	0.035	0.075	0.086	0.095	0.105	0	0	0	0	0
0.5	0.055	0.075	0.090	0.100	0.120	0	0	0	0	0

shows the failure rate of $(\alpha ,\beta )$-DPFCM requirements for the binomial model-based ($DPFC{M}_{bi}$) and the Chernoff bound-based ($DPFC{M}_{ch}$) approaches. The failure rate is defined as the proportion of experiments in which the $(\alpha ,\beta )$-DPFCM requirement was not satisfied:

$$\mathrm{Failure}\mathrm{Rate}={\displaystyle \frac{\mathrm{Number}\mathrm{of}\mathrm{experiments}\mathrm{not}\mathrm{satisfying}(\alpha ,\beta )\text{-}\mathrm{DPFCM}\mathrm{requirements}}{\mathrm{Total}\mathrm{number}\mathrm{of}\mathrm{experiments}}}.$$

In this experiment, the total number of experiments conducted is 200. The failure rate provides a measure of the effectiveness of each approach in satisfying the $(\alpha ,\beta )$-DPFCM requirement under varying values of $\alpha$ and $\beta$.

As shown in Table 1, the $DPFC{M}_{bi}$ approach has zero failure rates for lower $\beta$ values. However, it tends to increase the failure rate as $\alpha$ and $\beta$ increase. On the contrary, the $DPFC{M}_{ch}$ approach consistently achieves a zero failure rate across all parameter settings, indicating that it satisfies the $(\alpha ,\beta )$-DPFCM requirement in all experiments, regardless of the values of $\alpha$ and $\beta$.

The experimental results in this subsection regarding the computation of $\tau$ highlight distinct trade-offs between the two approaches, as explained in Section 5.3. The binomial model-based approach ($DPFC{M}_{bi}$) utilizes tighter $\tau$ values, making it highly effective in reducing the computational overhead of using DDP, as fewer data elements need to be processed by both users and the server. However, this efficiency comes at the cost of occasional failure to satisfy the $(\alpha ,\beta )$-DPFCM requirement. In contrast, the approach based on the Chernoff bound ($DPFC{M}_{ch}$) uses slightly overestimated $\tau$ values, which results in a slightly higher computational overhead. However, this ensures that the $(\alpha ,\beta )$-DPFCM requirement is always satisfied. Thus, it is desirable to use $DPFC{M}_{bi}$ for applications where efficiency and scalability are critical, even with occasional failures in meeting data collection requirements. On the other hand, $DPFC{M}_{ch}$ is better suited for applications where satisfying data collection requirements is paramount and sufficient computing resources are available.

Figure 4 presents a comparison of the number of data elements sent by each user to the server in the DDP-based approaches (i.e., the proposed $DPFC{M}_{bi}$ and $DPFC{M}_{ch}$ methods, and DDP). The experiments were conducted with two different user sizes (1000 and 3000). As shown in the figure, compared to DDP where users must send all data elements to the server, the proposed approaches require users to send only $\tau$ selected data elements. This results in a significant reduction in the number of data elements sent to the server, thereby significantly reducing the overhead associated with cryptographic operations in the DDP-based approach. This reduction highlights the efficiency of the proposed framework, particularly in scenarios where minimizing computational overhead is critical.

Scalability and Computational Considerations

As demonstrated in the experimental results, $(\alpha ,\beta )$-DPFCM effectively reduces the number of transmitted data elements compared to DDP-based approaches, enhancing scalability for large-scale applications. However, since secure aggregation is employed to protect user data during collection, it introduces additional computational costs, which increase with the number of participating users.

Recent advances in secure aggregation techniques, particularly in federated learning, have introduced efficient cryptographic protocols that significantly reduce communication complexity and computational overhead while maintaining strong privacy guarantees. Protocols such as those proposed in [19,20] utilize optimized masking techniques and dropout-resistant aggregation mechanisms, ensuring that secure aggregation remains scalable even as the number of users increases. With these protocols, $(\alpha ,\beta )$-DPFCM remains computationally viable for large-scale applications. In addition, reducing the number of transmitted data elements further mitigates the cryptographic overhead introduced by secure aggregation.

6.3. Evaluation Results on Data Utility

In this subsection, we present the evaluation results for the data utility of the collected data. Figure 5 and Figure 6 illustrate the impact of the privacy budget, $ϵ$, on MAE and JSD, respectively. The experiments were conducted using two different values of $\alpha$, specifically 0.6 and 0.9, while varying $\beta$ from 0.1 to 0.5. The number of users was fixed at 1000, while $ϵ$ was varied from 0.25 to 1.0. Note that in Figure 5 and Figure 6, some results for $LD{P}_{SM}$ are presented with text annotations on the bars, as the $LD{P}_{SM}$ results differ significantly from those of the other approaches.

As the privacy budget $ϵ$ decreases, both MAE and JSD increase consistently across all evaluated methods. This behavior reflects the inherent trade-off in DP-based approaches: achieving stronger privacy guarantees (lower $ϵ$) necessitates adding more noise to the data, which consequently reduces the utility of the aggregated results. This trade-off is a fundamental characteristic of DP, where greater privacy protection comes at the expense of accuracy in data analysis. Among the evaluated methods, $LD{P}_{SM}$ shows the worst performance in terms of both MAE and JSD. This is mainly due to the significant noise added at the local level for each user’s data, which significantly distorts the aggregated results. The localized noise addition of $LD{P}_{SM}$, while enhancing privacy, leads to excessive obfuscation that severely impacts data utility. Given that $LD{P}_{SM}$ is a more optimized approach compared to the Gaussian and Laplace mechanisms, these results highlight the fundamental limitations of LDP-based methods in data collection. As a result, LDP-based methods are unsuitable for scenarios requiring high data utility, particularly in applications where precise statistical analysis or accurate pattern recognition is essential.

The proposed $(\alpha ,\beta )$-DPFCM framework, including $DPFC{M}_{bi}$ and $DPFC{M}_{ch}$, significantly outperforms the $LD{P}_{SM}$ method in both MAE and JSD metrics. Furthermore, the results achieved by the proposed framework are comparable to those of DDP-based approaches, which are characterized by significantly higher computational overhead. This increased overhead in DDP is due to the requirement that each user sends all DP-noised data elements to the server, which then processes the encrypted data for decryption. As shown in the experimental results in Figure 4, the proposed $(\alpha ,\beta )$-DPFCM framework significantly reduces the computational burden by requiring users to send only $\tau$ selected data elements, while still maintaining utility comparable to DDP-based methods.

Figure 5 and Figure 6 also illustrate the impact of $\beta$ on the data utility of the collected data. As $\beta$ increases, both MAE and JSD show a decreasing trend. This is because a higher $\beta$ ensures that more users contribute to each data element, thereby improving the accuracy in the aggregated results. In particular, there is a significant decrease in both MAE and JSD when $\beta$ is increased from 0.1 to 0.2. Beyond this point, the improvements in MAE and JSD become marginal. This observation confirms that, even with a small value of $\beta$, which significantly reduces the number of data elements transmitted to the server compared to DDP, the proposed $(\alpha ,\beta )$-DPFCM framework achieves performance comparable to that of DDP.

The experimental results in this subsection verify that the proposed $(\alpha ,\beta )$-DPFCM framework significantly outperforms $LD{P}_{SM}$ in terms of data utility, while achieving results comparable to DDP. Furthermore, it significantly reduces the number of data elements transmitted to the server, making $(\alpha ,\beta )$-DPFCM an effective solution for applications that prioritize both utility and efficiency.

7. Conclusions and Future Work

In this paper, we addressed the challenge of balancing data utility and computational efficiency in privacy-preserving data collection frameworks. Motivated by the variability in data utility requirements across applications, we proposed the $(\alpha ,\beta )$-DPFCM framework, which provides a flexible solution for applications that can effectively operate with partial data collection. DPFCM introduces two key parameters, $\alpha$ and $\beta$, which allow the framework to control the breadth of data elements collected and the depth of user representation, respectively. To satisfy the $(\alpha ,\beta )$-DPFCM requirements, we developed two probability-based methods—binomial model-based and Chernoff bound-based approaches—that determine the minimum data contribution required from each user.

The experimental results validate the practicality and effectiveness of DPFCM. Using real-world datasets, we verified that the proposed framework achieves comparable data utility to DDP, which is known for its high computational cost. At the same time, DPFCM significantly reduces computational overhead by requiring users to contribute only a fraction of their data. This efficiency is particularly valuable for applications requiring real-time decision-making, where responsiveness is critical.

While this work focuses primarily on the efficiency-utility trade-offs in privacy-preserving data collection, an important aspect for future research is the impact of high-frequency collisions on aggregate results. In scenarios where multiple users report the same data elements, such collisions can affect the statistical properties of the collected dataset. Investigating mitigation strategies for such effects will be an important direction for future research.