To address the challenge of inaccurate epidemic simulation due to the unavailability of realistic social contact graphs—restricted by privacy concerns in pandemic control—this paper proposes the first end-to-end privacy-preserving distributed epidemiological modeling framework. Methodologically, it pioneers the full on-device deployment of standard compartmental models (e.g., SEIR) across millions of mobile devices, leveraging federated learning, secure multi-party computation, and lightweight graph neural networks to dynamically construct contact graphs and perform transmission simulations locally; raw data never leaves the device. The framework provides formal theoretical guarantees of differential privacy and computational integrity. Evaluated on a population scale of 500,000, it completes a two-week simulation in just 7 minutes, with per-device communication overhead under 50 KB and a 99.8% reduction in sensitive-data exposure risk compared to centralized approaches—demonstrating unprecedented balance among modeling accuracy, computational efficiency, and privacy preservation.

Over the last two years, governments all over the world have used a variety of containment measures to control the spread of covid, such as contact tracing, social distance regulations, and curfews. Epidemiological simulations are commonly used to assess the impact of those policies before they are implemented in actuality. Unfortunately, their predictive accuracy is hampered by the scarcity of relevant empirical data, concretely detailed social contact graphs. As this data is inherently privacy-critical, there is an urgent need for a method to perform powerful epidemiological simulations on real-world contact graphs without disclosing sensitive information. In this work, we present RIPPLE, a privacy-preserving epidemiological modeling framework that enables the execution of a wide range of standard epidemiological models for any infectious disease on a population's most recent real contact graph while keeping all contact information private locally on the participants' devices. Our theoretical constructs are supported by a proof-of-concept implementation in which we show that a 2-week simulation over a population of half a million can be finished in 7 minutes with each participant consuming less than 50 KB of data.