This work addresses the vulnerability of existing shuffle-based privacy models to collusion attacks between shufflers and data collectors, as well as their lack of protection against side-channel leaks in trusted execution environments (TEEs). To overcome these limitations, we propose the Fully Oblivious Differential Privacy (FODP) framework, which achieves strong privacy guarantees within TEEs such as Intel SGX by concealing both memory access patterns and control flow. We formally define the FODP privacy notion, develop a general algorithmic framework, and introduce an efficient frequency estimation algorithm based on the Count-Min Sketch, enhanced with memory obliviousness and optimized hashing strategies to comprehensively mitigate side-channel risks from both internal and external memory accesses and control flow. Experimental results demonstrate that our approach significantly outperforms nine baseline methods in both privacy strength and computational efficiency.

In the shuffle model of DP (Differential Privacy), a shuffler randomly permutes users' data to achieve high accuracy and privacy. Recent studies show that most existing shuffle protocols are vulnerable to collusion attacks by the data collector and users. They address this issue by introducing the augmented shuffle model that incorporates random sampling and dummy data addition into the shuffler. However, it remains open how to ensure the shuffler follows the protocol and does not collude with the data collector in this model. We address this trust issue by thoroughly exploring the augmented shuffle model with TEEs (Trusted Execution Environments). We first introduce a new privacy notion, FODP (Fully Oblivious DP), which strengthens DP to prevent various TEE side-channel attacks based on external/internal memory access patterns and control flows. We propose a general framework for FODP algorithms based on memory-size obfuscation and three concrete algorithms within it. We also improve the efficiency of our algorithms by using the count-min sketch and optimizing the number of hashes. We evaluate our algorithms on Intel SGX and demonstrate their effectiveness through comparisons with nine baselines.