This work addresses the challenges of high computational overhead and poor scalability in multi-user virtual reality systems, where head-mounted displays must locally render numerous avatars, while offloading computation to untrusted devices risks leaking sensitive facial expression data. To reconcile efficiency and privacy, the authors propose a co-design framework that decomposes avatar expressions in the frequency domain via block discrete cosine transform, offloads only low-energy components through a horizontal partitioning scheme, and integrates a distribution-aware minimal perturbation (DAMP) mechanism. DAMP adaptively injects minimal noise calibrated to the real-time empirical distribution of user expressions, achieving local differential privacy with minimal utility loss. Evaluations on the Meta Quest Pro demonstrate that the approach supports 2.37× more concurrent users, incurs only 6.5% higher reconstruction loss and 9% additional energy consumption, outperforms existing baselines in throughput–accuracy trade-offs, and remains robust against both empirical and neural-network-based inference attacks.

Multi-user virtual reality enables immersive interaction. However, rendering avatars for numerous participants on each headset incurs prohibitive computational overhead, limiting scalability. We introduce a framework, Privatar, to offload avatar reconstruction from headset to untrusted devices within the same local network while safeguarding attacks against adversaries capable of intercepting offloaded data. Privatar's key insight is that domain-specific knowledge of avatar reconstruction enables provably private offloading at minimal cost. (1) System level. We observe avatar reconstruction is frequency-domain decomposable via BDCT with negligible quality drop, and propose Horizontal Partitioning (HP) to keep high-energy frequency components on-device and offloads only low-energy components. HP offloads local computation while reducing information leakage to low-energy subsets only. (2) Privacy level. For individually offloaded, multi-dimensional signals without aggregation, worst-case local Differential Privacy requires prohibitive noise, ruining utility. We observe users' expression statistical distribution are slowly changing over time and trackable online, and hence propose Distribution-Aware Minimal Perturbation. DAMP minimizes noise based on each user's expression distribution to significantly reduce its effects on utility, retaining formal privacy guarantee. Combined, HP provides empirical privacy against expression identification attacks. DAMP further augments it to offer a formal guarantee against arbitrary adversaries. On a Meta Quest Pro, Privatar supports 2.37x more concurrent users at 6.5% higher reconstruction loss and 9% energy overhead, providing a better throughout-loss Pareto frontier over quantization, sparsity and local construction baselines. Privatar provides both provable privacy guarantee and stays robust against both empirical and NN-based attacks.