IETF Logo Mail Archive

Re: [Ppm] [CFRG] Next steps for heavy hitters with VDAFs

Christopher Patton <cpatton@cloudflare.com> Thu, 14 March 2024 19:14 UTC

Return-Path: <cpatton@cloudflare.com>
X-Original-To: ppm@ietfa.amsl.com
Delivered-To: ppm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 73D3DC14F5E7 for <ppm@ietfa.amsl.com>; Thu, 14 Mar 2024 12:14:21 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.104
X-Spam-Level:
X-Spam-Status: No, score=-2.104 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_MED=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=cloudflare.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id yeioxK3LqBdz for <ppm@ietfa.amsl.com>; Thu, 14 Mar 2024 12:14:17 -0700 (PDT)
Received: from mail-oi1-x230.google.com (mail-oi1-x230.google.com [IPv6:2607:f8b0:4864:20::230]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 432D4C14F68D for <ppm@ietf.org>; Thu, 14 Mar 2024 12:14:17 -0700 (PDT)
Received: by mail-oi1-x230.google.com with SMTP id 5614622812f47-3bd72353d9fso755998b6e.3 for <ppm@ietf.org>; Thu, 14 Mar 2024 12:14:17 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cloudflare.com; s=google09082023; t=1710443656; x=1711048456; darn=ietf.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=2aqtGEI4D/wi9VJckDY5GU8U7ABs4Ro6WG44ZDOVc84=; b=ShivFaO0hXQnudaPhHFHNmshjqBgewHNm6hOpwmoZESVG1Dv6kbTvBj2Z9U9zlgEnf mwXfJbzy9B/4L9BsIyTLBazvVVZtjymc6M0eQQ0p0tTbKVjmzvtOUTKCFRfLUnsCKvJ8 xZI+GhghHrPz9FCjnqWMr21NfuwRGN0NK3z8Jzz8Ko7LqIQ076oHzk2W8cS2LROW1iS5 hxRTBWnRgKFcGu2/QpCoMYbN/0rq5Qm7tO2uUOIGtiNqoenyNZkNOGOFSV8/GCPbdGQi woazck/k42q8XuQ0miA/izoxqFCKzggHbUP8URiSCgnIn4quBTf7MAh1C4UG1k1Ms3uZ 170g==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1710443656; x=1711048456; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=2aqtGEI4D/wi9VJckDY5GU8U7ABs4Ro6WG44ZDOVc84=; b=lubn9z9dqTEZepn6rRgueMIhzoU5VVW7Z5XGjYtiKhMm0YRR54vDN6NZfUg7D0qOpM pzstRCJXW+H4SeJrf6yAJKY+dLFU4scsX/izPjQD+ZSkxs+/SNxZLazy/qvlyGac2hc5 ZdFRRBUKvgV2tZqbqP9C+xENzxe/wCzXaUfp+dwGYqxhkfLgf1k+zRn1cOgQHgoCkCh5 iapnCyU7rTkRCHH97Ampo24aTdLrIDQCQV9gPH1H1pBAm+KM06ZD6JPvXSBeT5XEFEBm PN+JxbgHHD3lah5Ngp1WmyPVP9x8bUiGFmS3EBn4ab/Hap/tnvWCJkKLVahdCrq4cjik ToLQ==
X-Forwarded-Encrypted: i=1; AJvYcCX6y7w/hizMSwDEL+P5BG8zeqFpiESdmPIp6DA3Tc7nCaD6YQfkdDdZEU3FpmUVqkdm365EgOhSWLjtIJE=
X-Gm-Message-State: AOJu0YwhgUb8Tw/lsMhVz4FZ7ugbMQOh5V+pPEmIy78s0BSpnpwMc1Zn 0NQa9sxtq4NAcx6calQBupKq/EtzBj9JMYxAmq3Y/zih/6DYG/BvoVRdUsCAJOyzi6ww5jUP3ZQ zxHMzbSVYnADCgSXJi5c5CX6dc4XBrWFMahjCOGfmxyIeuQ2Sq8o=
X-Google-Smtp-Source: AGHT+IFdmhSQNdBQFBZJePCRxxP0ZR5en9GBBDapqbcGDMSoEacTfr2VPnRNCMyKfSEYRCqEdqurYr34vIngGGt+i+s=
X-Received: by 2002:aca:1702:0:b0:3c1:f37e:1ab6 with SMTP id j2-20020aca1702000000b003c1f37e1ab6mr2422054oii.13.1710443655896; Thu, 14 Mar 2024 12:14:15 -0700 (PDT)
MIME-Version: 1.0
References: <CAG2Zi23iR68MTLnW-onPhfq4rKmeYqgdsE4h_nem2iWFrVLqdw@mail.gmail.com> <CAG2Zi231jVNBvN7vZ6Uz2uTLd7JyS2-hpERUYrkQf1w-KxJtCQ@mail.gmail.com> <23E40649-8967-445D-91AC-EAEA4EDFCB40@apple.com> <CAG2Zi23uD_dcGtetFehBVmUPbG5ygr3VAwscfCp5qcWm9+BfHQ@mail.gmail.com> <CABcZeBN=ko0KiOUA2YEzqxbSx63wuaEwLp7UWwNRgJyxFa_wkQ@mail.gmail.com>
In-Reply-To: <CABcZeBN=ko0KiOUA2YEzqxbSx63wuaEwLp7UWwNRgJyxFa_wkQ@mail.gmail.com>
From: Christopher Patton <cpatton@cloudflare.com>
Date: Thu, 14 Mar 2024 12:14:04 -0700
Message-ID: <CAG2Zi20e=B-pXC_qVBC5ubJKYnJnPfaKoaZDE_1G1383SNx9+Q@mail.gmail.com>
To: Eric Rescorla <ekr@rtfm.com>
Cc: Shan Wang <shan_wang@apple.com>, ppm <ppm@ietf.org>, cfrg@irtf.org
Content-Type: multipart/alternative; boundary="00000000000084d5010613a3b261"
Archived-At: <https://mailarchive.ietf.org/arch/msg/ppm/-DBlZI_dBN84af0Gt5iFJBOkvdk>
Subject: Re: [Ppm] [CFRG] Next steps for heavy hitters with VDAFs
X-BeenThere: ppm@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Privacy Preserving Measurement technologies <ppm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ppm>, <mailto:ppm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ppm/>
List-Post: <mailto:ppm@ietf.org>
List-Help: <mailto:ppm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ppm>, <mailto:ppm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 14 Mar 2024 19:14:21 -0000

Hi folks, I'll be giving and update on Mastic at CFRG on Monday:
https://datatracker.ietf.org/meeting/119/materials/slides-119-cfrg-next-steps-for-draft-mouris-cfrg-mastic

We'll spend some time discussing this question.
Chris P.

On Mon, Mar 4, 2024 at 6:58 PM Eric Rescorla <ekr@rtfm.com> wrote:

>
>
> On Mon, Mar 4, 2024 at 5:20 PM Christopher Patton <cpatton=
> 40cloudflare.com@dmarc.ietf.org> wrote:
>
>> Thanks PPM and CFRG, this has been helpful.
>>
>> So far it seems like there is a plurality in favor of adopting a separate
>> draft for Mastic and only consider dropping Poplar1 once we're more certain
>> about the trade-offs. It would be nice to hear from anyone who is strongly
>> opposed to this plan.
>>
>
> To restate what I think you said, I think it's fine to adopt Mastic. I
> would defer a decision on Poplar until after we know more.
>
> -Ekr
>
>>
>> One concern that's been brought up is the editorial effort required to
>> maintain both. Speaking as an editor of both Mastic and Poplar1, I think
>> there is likely to be some duplicative effort here: most of the low level
>> algorithmic bits these protocols have in common (i.e., IDPF) have been
>> stable for some time, but there are also some evolving security
>> considerations that apply to both (around safe usage of IDPF). I also
>> expect there to be some security considerations that apply to Poplar1, but
>> not Mastic.
>>
>> Chris P.
>>
>> On Mon, Mar 4, 2024 at 2:33 PM Shan Wang <shan_wang=
>> 40apple.com@dmarc.ietf.org> wrote:
>>
>>> I'm in favour of either
>>> 1. Replace Poplar1 with Mastic in the base VDAF draft
>>> (draft-irtf-cfrg-vdaf).
>>> Or
>>> 4. Refactor the base draft so that it spells only the VDAF framework,
>>> adopt the Mastic draft, and adopt a new draft for Prio3.
>>>
>>> If we do 4. The we can cut an individual Poplar RFC too and anyone have
>>> implemented Poplar1 can refer to that standard.
>>>
>>> In my opinion, VDAF should define a common framework. We will have more
>>> algorithms in the future and they should be cut as individual drafts that's
>>> compatible with VDAF, rather than part of the VDAF text itself.
>>>
>>> Shan
>>>
>>>
>>> On 4 Mar 2024, at 16:13, Christopher Patton <cpatton=
>>> 40cloudflare.com@dmarc.ietf.org> wrote:
>>>
>>> Hi all, I'm cross-posting this message to the CFRG mailing list in the
>>> hopes that folks who would like to implement heavy hitters in DAP will
>>> weigh in. We definitely end to hear from implementers and potential
>>> adopters.
>>>
>>> Thanks,
>>> Chris P.
>>>
>>> ---------- Forwarded message ---------
>>> From: Christopher Patton <cpatton@cloudflare.com>
>>> Date: Mon, Mar 4, 2024 at 8:07 AM
>>> Subject: Next steps for heavy hitters with VDAFs
>>> To: CFRG <cfrg@irtf.org>
>>>
>>>
>>> Hi CFRG,
>>>
>>> I've asked the chairs to spend some time at 119 discussing next steps
>>> for Mastic:
>>> https://datatracker.ietf.org/doc/html/draft-mouris-cfrg-mastic-02
>>>
>>> The ideal outcome may not be to adopt this draft directly, but to merge
>>> it with the existing VDAF draft (draft-irtf-cfrg-vdaf). Our goal for
>>> 119 is to find consensus on a path forward.
>>>
>>> Last time (118) we presented Mastic, a new VDAF that we pitched as a
>>> drop-in replacement for Poplar1 (
>>> https://datatracker.ietf.org/meeting/118/materials/slides-118-cfrg-mastic-vdaf).
>>> Since the meeting we have been working on security analysis for Mastic.
>>> The theorems in this paper claim that Mastic's composition of its
>>> primitives (VIDPF, an extension of IDPF from draft-irtf-cfrg-vdaf) and
>>> FLP (from draft-irtf-cfrg-vdaf) into a VDAF is secure. The concrete
>>> parameters of VIDPF and FLP are subject to change as analysis continues,
>>> but the overall composition seems to be sound:
>>> https://eprint.iacr.org/2024/221
>>>
>>> Mastic is also more efficient in terms of round complexity, is easier to
>>> implement securely, and addresses use cases identified in the PPM WG for
>>> which Poplar1 falls short. Overall, Mastic reflects improvements that have
>>> been made to this paradigm (i.e., function secret sharing for heavy
>>> hitters) since the Poplar paper appeared three years ago (
>>> https://eprint.iacr.org/2021/017). The only potential advantage of
>>> Poplar1 is that, once we finalize the parameters of VIDPF, it may end up
>>> having a lower bandwidth cost (at most 50% more, I suspect). However,
>>> speaking as an implementer, the lower round complexity of Mastic over
>>> Poplar1 makes it the far better option.
>>>
>>> We (the Mastic designers) would like the CFRG to consider the following
>>> outcomes:
>>> 1. Replace Poplar1 with Mastic in the base VDAF draft (draft-irtf-cfrg
>>> -vdaf).
>>> 2. Adopt the Mastic draft (draft-mourics-cfrg-mastic) and remove
>>> Poplar1 from the base draft.
>>> 3. Adopt the Mastic draft, but keep Poplar1 in the base draft.
>>> 4. Refactor the base draft so that it spells only the VDAF framework,
>>> adopt the Mastic draft, and adopt a new draft for Prio3. Note that there is
>>> one primitive (FLP) that would be shared by both Mastic and Prio3.
>>>
>>> Here are the main considerations we've heard while getting feedback on
>>> this question.
>>> a. Since the PPM WG can't finish its work until the base VDAF draft is
>>> done, we should do everything we can to minimize time to RFC.
>>> b. Recommending two protocols (Poplar1 and Mastic) for the same use case
>>> (heavy hitters) is probably not a good idea, especially if one is clearly
>>> superior to the other.
>>> c. If we remove Poplar1, then we could consider restricting the VDAF
>>> syntax to 1 round for preparation.
>>> d. The base draft should use all features of the VDAF framework.
>>> e. Poplar1 involves an MPC paradigm called "arithmetic sketching" (
>>> https://eprint.iacr.org/2023/1012) that may be useful for future VDAFs
>>> and thus worth specifying.
>>>
>>> Thanks for your time and we're looking forward to 119,
>>> Chris P.
>>> --
>>> Ppm mailing list
>>> Ppm@ietf.org
>>> https://www.ietf.org/mailman/listinfo/ppm
>>>
>>>
>>> --
>>> Ppm mailing list
>>> Ppm@ietf.org
>>> https://www.ietf.org/mailman/listinfo/ppm
>>>
>> _______________________________________________
>> CFRG mailing list
>> CFRG@irtf.org
>> https://mailman.irtf.org/mailman/listinfo/cfrg
>>
>

v2.23.0 | Report a Bug | By Email