<jats:title>Abstract</jats:title><jats:p>Current solutions for privacy-preserving data sharing among multiple parties either depend on a centralized authority that must be trusted and provides only weakest-link security (e.g., the entity that manages private/secret cryptographic keys), or leverage on decentralized but impractical approaches (e.g., secure multi-party computation). When the data to be shared are of a sensitive nature and the number of data providers is high, these solutions are not appropriate. Therefore, we present U<jats:sc>n</jats:sc>L<jats:sc>ynx</jats:sc>, a new decentralized system for efficient privacy-preserving data sharing. We consider<jats:italic>m</jats:italic>servers that constitute a collective authority whose goal is to verifiably compute on data sent from<jats:italic>n</jats:italic>data providers. U<jats:sc>n</jats:sc>L<jats:sc>ynx</jats:sc>guarantees the confidentiality, unlinkability between data providers and their data, privacy of the end result and the correctness of computations by the servers. Furthermore, to support differentially private queries, U<jats:sc>n</jats:sc>L<jats:sc>ynx</jats:sc>can collectively add noise under encryption. All of this is achieved through a combination of a set of new distributed and secure protocols that are based on homomorphic cryptography, verifiable shuffling and zero-knowledge proofs. U<jats:sc>n</jats:sc>L<jats:sc>ynx</jats:sc>is highly parallelizable and modular by design as it enables multiple security/privacy vs. runtime tradeoffs. Our evaluation shows that U<jats:sc>n</jats:sc>L<jats:sc>ynx</jats:sc>can execute a secure survey on 400,000 personal data records containing 5 encrypted attributes, distributed over 20 independent databases, for a total of 2,000,000 ciphertexts, in 24 minutes.</jats:p>