AI Summary
Untrusted market makers in dark pool auctions introduce front-running and conflicts of interest; existing fully homomorphic encryption (FHE)-based private matching schemes are impractical due to prohibitive computational overhead.
Method: We propose the first framework balancing rigorous privacy guarantees with real-time matching efficiency. It introduces *event-triggered indifferential privacy*, a novel variant that enables secure disclosure of sensitive information only upon well-defined events (e.g., full order execution), thereby achieving optimal matching under differential privacy for the first time. Instead of FHE, the framework integrates lightweight cryptography with a purpose-built differential privacy mechanism.
Results: Experiments demonstrate 10–100× reductions in both communication and computation overhead, enabling millisecond-scale, provably private high-frequency order matching.
Abstract
Public exchanges like the New York Stock Exchange and NASDAQ act as auctioneers in a public double auction system, where buyers submit their highest bids and sellers offer their lowest asking prices, along with the number of shares (volume) they wish to trade. The auctioneer matches compatible orders and executes the trades when a match is found. However, auctioneers involved in high-volume exchanges, such as dark pools, may not always be reliable. They could exploit their position by engaging in practices like front-running or face significant conflicts of interest, i.e., ethical breaches that have frequently resulted in hefty fines and regulatory scrutiny within the financial industry. Previous solutions, based on the use of fully homomorphic encryption (Asharov et al., AAMAS 2020), encrypt orders ensuring that information is revealed only when a match occurs. However, this approach introduces significant computational overhead, making it impractical for high-frequency trading environments such as dark pools. In this work, we propose a new system based on differential privacy combined with lightweight encryption, offering an efficient and practical solution that mitigates the risks of an untrustworthy auctioneer. Specifically, we introduce a new concept called Indifferential Privacy, which can be of independent interest, where a user is indifferent to whether certain information is revealed after some special event, unlike standard differential privacy. For example, in an auction, it's reasonable to disclose the true volume of a trade once all of it has been matched. Moreover, our new concept of Indifferential Privacy allows for maximum matching, which is impossible with conventional differential privacy.
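To make the "indifferent after a special event" idea concrete, the following is an added toy model, not code from the paper and not its actual mechanism. It matches a small constructed order book as a double auction (highest bid against lowest ask, trade volume = the smaller remaining volume) and then compares what an auctioneer learns about each order's volume under two disclosure rules: a naive rule that reveals every true volume up front, and a simplified event-triggered rule in which an order's exact volume is released only once it is fully executed (the triggering event) while partially filled orders are reported with Laplace noise of sensitivity one share. The epsilon value, the order identifiers, and the choice of Laplace noise are assumptions made for illustration.

```python
import math
import random
from dataclasses import dataclass


@dataclass
class Order:
    oid: str        # order identifier (constructed sample value)
    side: str       # "buy" or "sell"
    price: float    # highest bid (buy) or lowest ask (sell)
    volume: int     # shares the trader wants to trade
    filled: int = 0

    @property
    def remaining(self) -> int:
        return self.volume - self.filled


def demo_orders():
    """Constructed sample order book (not from the paper)."""
    return [
        Order("B1", "buy", 10.05, 100),
        Order("B2", "buy", 10.00, 50),
        Order("S1", "sell", 9.95, 120),
        Order("S2", "sell", 10.10, 80),
    ]


def match_orders(orders):
    """Standard double-auction matching: bids descending, asks ascending.
    Matches while the best bid is at least the best ask; each trade moves
    the smaller of the two remaining volumes. Returns (bid_id, ask_id, qty)."""
    bids = sorted((o for o in orders if o.side == "buy"), key=lambda o: -o.price)
    asks = sorted((o for o in orders if o.side == "sell"), key=lambda o: o.price)
    trades = []
    i = j = 0
    while i < len(bids) and j < len(asks):
        bid, ask = bids[i], asks[j]
        if bid.price < ask.price:
            break  # no remaining pair is price-compatible
        qty = min(bid.remaining, ask.remaining)
        bid.filled += qty
        ask.filled += qty
        trades.append((bid.oid, ask.oid, qty))
        if bid.remaining == 0:
            i += 1
        if ask.remaining == 0:
            j += 1
    return trades


def laplace_noise(scale: float, rng: random.Random) -> float:
    """Sample Laplace(0, scale) by inverse CDF: x = -b * sgn(u) * ln(1 - 2|u|)."""
    u = rng.random() - 0.5
    u = max(u, -0.5 + 1e-12)  # guard against log(0) if random() returns 0.0
    sign = 1.0 if u >= 0 else -1.0
    return -scale * sign * math.log(1.0 - 2.0 * abs(u))


def naive_view(orders):
    """Untrusted auctioneer with plaintext orders: every true volume is visible."""
    return {o.oid: ("exact", o.volume) for o in orders}


def event_triggered_view(orders, epsilon: float, seed: int):
    """Simplified event-triggered disclosure (assumption, not the paper's scheme):
    a fully executed order discloses its true volume, since the trader is
    indifferent at that point; any other order is seen only through a
    Laplace-noised volume with sensitivity 1 share (scale 1/epsilon)."""
    rng = random.Random(seed)
    view = {}
    for o in orders:
        if o.remaining == 0:
            view[o.oid] = ("exact", o.volume)
        else:
            noisy = o.volume + laplace_noise(1.0 / epsilon, rng)
            view[o.oid] = ("noisy", round(noisy, 2))
    return view


def run_demo(epsilon: float = 0.5, seed: int = 7):
    """Match the constructed book and return (trades, naive view, event-triggered view)."""
    orders = demo_orders()
    trades = match_orders(orders)
    return trades, naive_view(orders), event_triggered_view(orders, epsilon, seed)


if __name__ == "__main__":
    trades, naive, triggered = run_demo()
    print("trades:", trades)
    print("naive auctioneer sees:", naive)
    print("event-triggered auctioneer sees:", triggered)
```

In the constructed book, B1 and S1 are fully executed, so their volumes are disclosed exactly, while B2 and S2 remain partially filled and are visible only through noisy values. Lowering epsilon widens the noise on the unfilled orders without changing which orders are matched, which is the separation the summary describes between the matching step and the disclosure step.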