IETF Logo Mail Archive

Re: [CFRG] [Ppm] Next steps for heavy hitters with VDAFs

Christopher Patton <cpatton@cloudflare.com> Wed, 20 March 2024 02:46 UTC

Return-Path: <cpatton@cloudflare.com>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5A50EC151082 for <cfrg@ietfa.amsl.com>; Tue, 19 Mar 2024 19:46:22 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.104
X-Spam-Level:
X-Spam-Status: No, score=-2.104 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_MED=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=cloudflare.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id v2fpbGyO--po for <cfrg@ietfa.amsl.com>; Tue, 19 Mar 2024 19:46:18 -0700 (PDT)
Received: from mail-qt1-x82f.google.com (mail-qt1-x82f.google.com [IPv6:2607:f8b0:4864:20::82f]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3E974C151071 for <cfrg@irtf.org>; Tue, 19 Mar 2024 19:46:18 -0700 (PDT)
Received: by mail-qt1-x82f.google.com with SMTP id d75a77b69052e-42a029c8e76so46543391cf.2 for <cfrg@irtf.org>; Tue, 19 Mar 2024 19:46:18 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cloudflare.com; s=google09082023; t=1710902777; x=1711507577; darn=irtf.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=9rJ1KHDf9n8jM2RqS9H39XqeoN8qIXb+sY5dorOxlXs=; b=RQp1oKn7Z2ZuRyFxlKQg0W8sqa9D3sow5IzAD3JJvXzq5Gdz/s2xNQmr79+x8CvYKo biXbgEbfJJ3baoleiOlF0rHoegu+6cGp88y5v3rwpdyvc1txOK30F70GrOfnjc2T4JuS sYwwvsV+cNIW6tOwZaTtHI9BMO58qWUI92IeX3p/tyyZI/DENytkPwmrWR3gbHs6kaeB tZch6j9TbEz+lon8Q9C6BulNcFYmFyufSzZxdEiJCXQzH3BCVeXWuD6kySG9hq6RrP2u grMBfDK7ND8UOxtA7LMgza769y/Uwb41bHlq7NfyHHy9KkYvzLIaC6vW7TPQJ+NuRjl5 bgsg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1710902777; x=1711507577; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=9rJ1KHDf9n8jM2RqS9H39XqeoN8qIXb+sY5dorOxlXs=; b=lRr/2JUecP9Ov5rbjPYQViNwNHWmrZBKfW0Jr2eFjsj13sGT2lHbZ9+sjsJVcMi//E hFXmMwuiYvsphxNEEdJGEb3TMzkCwiFzW/o8UmEzfnsTLpt5psqFdCnPnlPRanED5Tqv 4S5Cb2ci6uPmFP7aATCZqD7YBEOhs+K880HdHippCJJUz6ALDWAtTlz9dqR08NfRSYDf Rq6ft9sCHN6ItnvG0q0qzHlKvhPJZMTLwc1S+JGb8lz43vsawktGwchMJMrk6IcHzh1n 9WXr85zjfUCdslSP2pj/zzO1jmvdRBEwZk8p96BoXFNR9BL8zk28q3fYKgFatzJRfp4n nQpA==
X-Forwarded-Encrypted: i=1; AJvYcCWwc/XjfznpPOjqiE+Y4BdW6R5tXkNITZ+Jg9U0tY4nWmXLdJyowDDDnvCm0namc9eqtiPdCBeSdztjV90W
X-Gm-Message-State: AOJu0YxlBFFbbM/ypTYaoKKFgGvKvf4qYzOd2fIlQy+DKJ3d37D5CAD6 el/+aW7KfprAhXxq1kzHc6yyC22t5AShJfkImEqHdt0WI3DE4SCYwvxXzJ8o91/K6Q/QgQ0czbX NBJ1WycD7Zbinhrn0LaD5PptQxKBBQZnXe57P7Q==
X-Google-Smtp-Source: AGHT+IHRV4Nok7+BD5AmEOPrktqZ2yFJW7F2o0X73wWFNACJPd/4CKOR4P2+4XLbRTlKlqnhvhEy4fZ9VuLPzXbisH8=
X-Received: by 2002:a05:622a:54d:b0:42e:78b9:84ef with SMTP id m13-20020a05622a054d00b0042e78b984efmr22377608qtx.8.1710902776798; Tue, 19 Mar 2024 19:46:16 -0700 (PDT)
MIME-Version: 1.0
References: <CAG2Zi23iR68MTLnW-onPhfq4rKmeYqgdsE4h_nem2iWFrVLqdw@mail.gmail.com> <CAG2Zi231jVNBvN7vZ6Uz2uTLd7JyS2-hpERUYrkQf1w-KxJtCQ@mail.gmail.com> <23E40649-8967-445D-91AC-EAEA4EDFCB40@apple.com> <CAG2Zi23uD_dcGtetFehBVmUPbG5ygr3VAwscfCp5qcWm9+BfHQ@mail.gmail.com> <CABcZeBN=ko0KiOUA2YEzqxbSx63wuaEwLp7UWwNRgJyxFa_wkQ@mail.gmail.com> <CAG2Zi20e=B-pXC_qVBC5ubJKYnJnPfaKoaZDE_1G1383SNx9+Q@mail.gmail.com>
In-Reply-To: <CAG2Zi20e=B-pXC_qVBC5ubJKYnJnPfaKoaZDE_1G1383SNx9+Q@mail.gmail.com>
From: Christopher Patton <cpatton@cloudflare.com>
Date: Tue, 19 Mar 2024 19:46:06 -0700
Message-ID: <CAG2Zi23i0u_hcAFtBaS-AcM9b6GHiCfBPQD8u953ZbFkPFbRWg@mail.gmail.com>
To: Eric Rescorla <ekr@rtfm.com>
Cc: Shan Wang <shan_wang@apple.com>, ppm <ppm@ietf.org>, cfrg@irtf.org
Content-Type: multipart/alternative; boundary="00000000000041bc9b06140e98b7"
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/4da91fqiLC02xg_jfydK1TJ5G3w>
Subject: Re: [CFRG] [Ppm] Next steps for heavy hitters with VDAFs
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://mailman.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://mailman.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Wed, 20 Mar 2024 02:46:22 -0000

There wasn't any productive discussion about this at CFRG. Currently the
consensus is to seek adoption of the Mastic draft and consider dropping
Poplar1 later. We can bring it up for discussion at the next PPM meeting,
but if no one strongly objects, we'll ask the chairs to do an adoption call
of the next draft.

Thanks again everyone who chimed in.
Chris P.

On Thu, Mar 14, 2024 at 12:14 PM Christopher Patton <cpatton@cloudflare.com>
wrote:

> Hi folks, I'll be giving and update on Mastic at CFRG on Monday:
>
> https://datatracker.ietf.org/meeting/119/materials/slides-119-cfrg-next-steps-for-draft-mouris-cfrg-mastic
>
> We'll spend some time discussing this question.
> Chris P.
>
> On Mon, Mar 4, 2024 at 6:58 PM Eric Rescorla <ekr@rtfm.com> wrote:
>
>>
>>
>> On Mon, Mar 4, 2024 at 5:20 PM Christopher Patton <cpatton=
>> 40cloudflare.com@dmarc.ietf.org> wrote:
>>
>>> Thanks PPM and CFRG, this has been helpful.
>>>
>>> So far it seems like there is a plurality in favor of adopting a
>>> separate draft for Mastic and only consider dropping Poplar1 once we're
>>> more certain about the trade-offs. It would be nice to hear from anyone who
>>> is strongly opposed to this plan.
>>>
>>
>> To restate what I think you said, I think it's fine to adopt Mastic. I
>> would defer a decision on Poplar until after we know more.
>>
>> -Ekr
>>
>>>
>>> One concern that's been brought up is the editorial effort required to
>>> maintain both. Speaking as an editor of both Mastic and Poplar1, I think
>>> there is likely to be some duplicative effort here: most of the low level
>>> algorithmic bits these protocols have in common (i.e., IDPF) have been
>>> stable for some time, but there are also some evolving security
>>> considerations that apply to both (around safe usage of IDPF). I also
>>> expect there to be some security considerations that apply to Poplar1, but
>>> not Mastic.
>>>
>>> Chris P.
>>>
>>> On Mon, Mar 4, 2024 at 2:33 PM Shan Wang <shan_wang=
>>> 40apple.com@dmarc.ietf.org> wrote:
>>>
>>>> I'm in favour of either
>>>> 1. Replace Poplar1 with Mastic in the base VDAF draft
>>>> (draft-irtf-cfrg-vdaf).
>>>> Or
>>>> 4. Refactor the base draft so that it spells only the VDAF framework,
>>>> adopt the Mastic draft, and adopt a new draft for Prio3.
>>>>
>>>> If we do 4. The we can cut an individual Poplar RFC too and anyone have
>>>> implemented Poplar1 can refer to that standard.
>>>>
>>>> In my opinion, VDAF should define a common framework. We will have more
>>>> algorithms in the future and they should be cut as individual drafts that's
>>>> compatible with VDAF, rather than part of the VDAF text itself.
>>>>
>>>> Shan
>>>>
>>>>
>>>> On 4 Mar 2024, at 16:13, Christopher Patton <cpatton=
>>>> 40cloudflare.com@dmarc.ietf.org> wrote:
>>>>
>>>> Hi all, I'm cross-posting this message to the CFRG mailing list in the
>>>> hopes that folks who would like to implement heavy hitters in DAP will
>>>> weigh in. We definitely end to hear from implementers and potential
>>>> adopters.
>>>>
>>>> Thanks,
>>>> Chris P.
>>>>
>>>> ---------- Forwarded message ---------
>>>> From: Christopher Patton <cpatton@cloudflare.com>
>>>> Date: Mon, Mar 4, 2024 at 8:07 AM
>>>> Subject: Next steps for heavy hitters with VDAFs
>>>> To: CFRG <cfrg@irtf.org>
>>>>
>>>>
>>>> Hi CFRG,
>>>>
>>>> I've asked the chairs to spend some time at 119 discussing next steps
>>>> for Mastic:
>>>> https://datatracker.ietf.org/doc/html/draft-mouris-cfrg-mastic-02
>>>>
>>>> The ideal outcome may not be to adopt this draft directly, but to merge
>>>> it with the existing VDAF draft (draft-irtf-cfrg-vdaf). Our goal for
>>>> 119 is to find consensus on a path forward.
>>>>
>>>> Last time (118) we presented Mastic, a new VDAF that we pitched as a
>>>> drop-in replacement for Poplar1 (
>>>> https://datatracker.ietf.org/meeting/118/materials/slides-118-cfrg-mastic-vdaf).
>>>> Since the meeting we have been working on security analysis for Mastic.
>>>> The theorems in this paper claim that Mastic's composition of its
>>>> primitives (VIDPF, an extension of IDPF from draft-irtf-cfrg-vdaf) and
>>>> FLP (from draft-irtf-cfrg-vdaf) into a VDAF is secure. The concrete
>>>> parameters of VIDPF and FLP are subject to change as analysis continues,
>>>> but the overall composition seems to be sound:
>>>> https://eprint.iacr.org/2024/221
>>>>
>>>> Mastic is also more efficient in terms of round complexity, is easier
>>>> to implement securely, and addresses use cases identified in the PPM WG for
>>>> which Poplar1 falls short. Overall, Mastic reflects improvements that have
>>>> been made to this paradigm (i.e., function secret sharing for heavy
>>>> hitters) since the Poplar paper appeared three years ago (
>>>> https://eprint.iacr.org/2021/017). The only potential advantage of
>>>> Poplar1 is that, once we finalize the parameters of VIDPF, it may end up
>>>> having a lower bandwidth cost (at most 50% more, I suspect). However,
>>>> speaking as an implementer, the lower round complexity of Mastic over
>>>> Poplar1 makes it the far better option.
>>>>
>>>> We (the Mastic designers) would like the CFRG to consider the
>>>> following outcomes:
>>>> 1. Replace Poplar1 with Mastic in the base VDAF draft (draft-irtf-cfrg
>>>> -vdaf).
>>>> 2. Adopt the Mastic draft (draft-mourics-cfrg-mastic) and remove
>>>> Poplar1 from the base draft.
>>>> 3. Adopt the Mastic draft, but keep Poplar1 in the base draft.
>>>> 4. Refactor the base draft so that it spells only the VDAF framework,
>>>> adopt the Mastic draft, and adopt a new draft for Prio3. Note that there is
>>>> one primitive (FLP) that would be shared by both Mastic and Prio3.
>>>>
>>>> Here are the main considerations we've heard while getting feedback on
>>>> this question.
>>>> a. Since the PPM WG can't finish its work until the base VDAF draft is
>>>> done, we should do everything we can to minimize time to RFC.
>>>> b. Recommending two protocols (Poplar1 and Mastic) for the same use
>>>> case (heavy hitters) is probably not a good idea, especially if one is
>>>> clearly superior to the other.
>>>> c. If we remove Poplar1, then we could consider restricting the VDAF
>>>> syntax to 1 round for preparation.
>>>> d. The base draft should use all features of the VDAF framework.
>>>> e. Poplar1 involves an MPC paradigm called "arithmetic sketching" (
>>>> https://eprint.iacr.org/2023/1012) that may be useful for future VDAFs
>>>> and thus worth specifying.
>>>>
>>>> Thanks for your time and we're looking forward to 119,
>>>> Chris P.
>>>> --
>>>> Ppm mailing list
>>>> Ppm@ietf.org
>>>> https://www.ietf.org/mailman/listinfo/ppm
>>>>
>>>>
>>>> --
>>>> Ppm mailing list
>>>> Ppm@ietf.org
>>>> https://www.ietf.org/mailman/listinfo/ppm
>>>>
>>> _______________________________________________
>>> CFRG mailing list
>>> CFRG@irtf.org
>>> https://mailman.irtf.org/mailman/listinfo/cfrg
>>>
>>

v2.23.0 | Report a Bug | By Email