Re: [Ppm] [CFRG] Next steps for heavy hitters with VDAFs
Eric Rescorla <ekr@rtfm.com> Tue, 05 March 2024 02:58 UTC
Return-Path: <ekr@rtfm.com>
X-Original-To: ppm@ietfa.amsl.com
Delivered-To: ppm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id BD7F4C180B4A for <ppm@ietfa.amsl.com>; Mon, 4 Mar 2024 18:58:11 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.903
X-Spam-Level:
X-Spam-Status: No, score=-6.903 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=rtfm-com.20230601.gappssmtp.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id bUCa_7T0udD2 for <ppm@ietfa.amsl.com>; Mon, 4 Mar 2024 18:58:07 -0800 (PST)
Received: from mail-yw1-x1130.google.com (mail-yw1-x1130.google.com [IPv6:2607:f8b0:4864:20::1130]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4D991C180B57 for <ppm@ietf.org>; Mon, 4 Mar 2024 18:58:07 -0800 (PST)
Received: by mail-yw1-x1130.google.com with SMTP id 00721157ae682-6096ab005c0so48051647b3.1 for <ppm@ietf.org>; Mon, 04 Mar 2024 18:58:07 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=rtfm-com.20230601.gappssmtp.com; s=20230601; t=1709607486; x=1710212286; darn=ietf.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=6eiR00Zi0BScqjg8tcVDBpVwmWTAcD/7ItUOIfM5XxA=; b=D2tQj5sA4RWajEM+jy0GmQz3u/11MmxKHbo6S7Dk0xVsbJrCYTt7iP29PycMdq2jV2 XwY1qBhSeHQzeWhKq2I2LCwcl+jjBFT3W8H5M/Io/6J/1l1Ir++wllI/8KE1W+zfXzer KId3mZKVupZPI+I+x5W8Csw9+sYycOBJXc9VWcJpjN2D5Ax4mDnl77xxSccqRn3r0M53 PdybJYki97YCnukMgxjpBmxHK9Rmm67Fpql3z57Jdwb1b68t6+/bsegaTB+RNsCECY/h 2hxfLYLqt7s7WkUTmULvEEFZM4d8p1w50Q+Z0kYCeD9KyGTR3GSoGagSnOSZSP21cbM4 kSaw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1709607486; x=1710212286; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=6eiR00Zi0BScqjg8tcVDBpVwmWTAcD/7ItUOIfM5XxA=; b=OeNp/0wdSqh/BVG/Z+IKGY2g0zBEuqlMVWHwssugvbD3+fGco0Vi0gu/zb371Cf5BO cEG1Uu7SmMzEMMmXgMdk/9WwMqjDoAOOWANU9wNAi4z0WhPm6D72uxd6C3Xk/uXhu7Zn D92BxgZTGyi/cqqaBuDCtywnGv13KIZNcgp8zReMjR0NDsp7BojizRe3ZDsgXwlEpg5D oLL5aRmZIhXONHwIiwp+jbnEy5mLQWdMGk8WXn4TKNOMnEJND4EADbVrtU0v1X+tFewl yFB4QVFqj7O7IftshKcAk7EgkhxAVYtmdSnECBUERUFa+K9ptJheXZpmxHgtuDvCDWA6 7oIA==
X-Forwarded-Encrypted: i=1; AJvYcCVARpQrdznEmIp+4M15FD+BwWliefuGfWAPvF+4v4HFr/I+kTRcWaAN6mryyRohRX+5lbVcgPyCLogLVqg=
X-Gm-Message-State: AOJu0YzK6y7tXQEtjNO8NJ7rmwicsyjwYw+tCvUU/WgC1+9U16DkGO23 aRGWPGZ9eAccejBK20xGND/9e/c5eOHmzgAPn9aFKR5sEXdhglhrYJVOV0PAR8Bs5jotC8zQW8A XrXXD/ylAhgIbg+qC87+p7Rr6rho0VGW6k/KpXQ==
X-Google-Smtp-Source: AGHT+IFycy4SOHtl94j9I6j+X9EXK40DN/NIqFbPbKPmLh2L7hvqzlSrb9sig2TTkhhh7JChOHttLNsk7or05O6rER8=
X-Received: by 2002:a5b:48d:0:b0:dcc:fea7:7f7b with SMTP id n13-20020a5b048d000000b00dccfea77f7bmr8660415ybp.11.1709607486027; Mon, 04 Mar 2024 18:58:06 -0800 (PST)
MIME-Version: 1.0
References: <CAG2Zi23iR68MTLnW-onPhfq4rKmeYqgdsE4h_nem2iWFrVLqdw@mail.gmail.com> <CAG2Zi231jVNBvN7vZ6Uz2uTLd7JyS2-hpERUYrkQf1w-KxJtCQ@mail.gmail.com> <23E40649-8967-445D-91AC-EAEA4EDFCB40@apple.com> <CAG2Zi23uD_dcGtetFehBVmUPbG5ygr3VAwscfCp5qcWm9+BfHQ@mail.gmail.com>
In-Reply-To: <CAG2Zi23uD_dcGtetFehBVmUPbG5ygr3VAwscfCp5qcWm9+BfHQ@mail.gmail.com>
From: Eric Rescorla <ekr@rtfm.com>
Date: Mon, 04 Mar 2024 18:57:29 -0800
Message-ID: <CABcZeBN=ko0KiOUA2YEzqxbSx63wuaEwLp7UWwNRgJyxFa_wkQ@mail.gmail.com>
To: Christopher Patton <cpatton=40cloudflare.com@dmarc.ietf.org>
Cc: Shan Wang <shan_wang=40apple.com@dmarc.ietf.org>, ppm <ppm@ietf.org>, cfrg@irtf.org
Content-Type: multipart/alternative; boundary="000000000000e916750612e1026c"
Archived-At: <https://mailarchive.ietf.org/arch/msg/ppm/M7HOT-s1rR2OvoFjGX0zXZ9Itng>
Subject: Re: [Ppm] [CFRG] Next steps for heavy hitters with VDAFs
X-BeenThere: ppm@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Privacy Preserving Measurement technologies <ppm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ppm>, <mailto:ppm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ppm/>
List-Post: <mailto:ppm@ietf.org>
List-Help: <mailto:ppm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ppm>, <mailto:ppm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 05 Mar 2024 02:58:11 -0000
On Mon, Mar 4, 2024 at 5:20 PM Christopher Patton <cpatton= 40cloudflare.com@dmarc.ietf.org> wrote: > Thanks PPM and CFRG, this has been helpful. > > So far it seems like there is a plurality in favor of adopting a separate > draft for Mastic and only consider dropping Poplar1 once we're more certain > about the trade-offs. It would be nice to hear from anyone who is strongly > opposed to this plan. > To restate what I think you said, I think it's fine to adopt Mastic. I would defer a decision on Poplar until after we know more. -Ekr > > One concern that's been brought up is the editorial effort required to > maintain both. Speaking as an editor of both Mastic and Poplar1, I think > there is likely to be some duplicative effort here: most of the low level > algorithmic bits these protocols have in common (i.e., IDPF) have been > stable for some time, but there are also some evolving security > considerations that apply to both (around safe usage of IDPF). I also > expect there to be some security considerations that apply to Poplar1, but > not Mastic. > > Chris P. > > On Mon, Mar 4, 2024 at 2:33 PM Shan Wang <shan_wang= > 40apple.com@dmarc.ietf.org> wrote: > >> I'm in favour of either >> 1. Replace Poplar1 with Mastic in the base VDAF draft >> (draft-irtf-cfrg-vdaf). >> Or >> 4. Refactor the base draft so that it spells only the VDAF framework, >> adopt the Mastic draft, and adopt a new draft for Prio3. >> >> If we do 4. The we can cut an individual Poplar RFC too and anyone have >> implemented Poplar1 can refer to that standard. >> >> In my opinion, VDAF should define a common framework. We will have more >> algorithms in the future and they should be cut as individual drafts that's >> compatible with VDAF, rather than part of the VDAF text itself. >> >> Shan >> >> >> On 4 Mar 2024, at 16:13, Christopher Patton <cpatton= >> 40cloudflare.com@dmarc.ietf.org> wrote: >> >> Hi all, I'm cross-posting this message to the CFRG mailing list in the >> hopes that folks who would like to implement heavy hitters in DAP will >> weigh in. We definitely end to hear from implementers and potential >> adopters. >> >> Thanks, >> Chris P. >> >> ---------- Forwarded message --------- >> From: Christopher Patton <cpatton@cloudflare.com> >> Date: Mon, Mar 4, 2024 at 8:07 AM >> Subject: Next steps for heavy hitters with VDAFs >> To: CFRG <cfrg@irtf.org> >> >> >> Hi CFRG, >> >> I've asked the chairs to spend some time at 119 discussing next steps for >> Mastic: >> https://datatracker.ietf.org/doc/html/draft-mouris-cfrg-mastic-02 >> >> The ideal outcome may not be to adopt this draft directly, but to merge >> it with the existing VDAF draft (draft-irtf-cfrg-vdaf). Our goal for 119 >> is to find consensus on a path forward. >> >> Last time (118) we presented Mastic, a new VDAF that we pitched as a >> drop-in replacement for Poplar1 ( >> https://datatracker.ietf.org/meeting/118/materials/slides-118-cfrg-mastic-vdaf). >> Since the meeting we have been working on security analysis for Mastic. >> The theorems in this paper claim that Mastic's composition of its >> primitives (VIDPF, an extension of IDPF from draft-irtf-cfrg-vdaf) and >> FLP (from draft-irtf-cfrg-vdaf) into a VDAF is secure. The concrete >> parameters of VIDPF and FLP are subject to change as analysis continues, >> but the overall composition seems to be sound: >> https://eprint.iacr.org/2024/221 >> >> Mastic is also more efficient in terms of round complexity, is easier to >> implement securely, and addresses use cases identified in the PPM WG for >> which Poplar1 falls short. Overall, Mastic reflects improvements that have >> been made to this paradigm (i.e., function secret sharing for heavy >> hitters) since the Poplar paper appeared three years ago ( >> https://eprint.iacr.org/2021/017). The only potential advantage of >> Poplar1 is that, once we finalize the parameters of VIDPF, it may end up >> having a lower bandwidth cost (at most 50% more, I suspect). However, >> speaking as an implementer, the lower round complexity of Mastic over >> Poplar1 makes it the far better option. >> >> We (the Mastic designers) would like the CFRG to consider the following >> outcomes: >> 1. Replace Poplar1 with Mastic in the base VDAF draft (draft-irtf-cfrg >> -vdaf). >> 2. Adopt the Mastic draft (draft-mourics-cfrg-mastic) and remove Poplar1 >> from the base draft. >> 3. Adopt the Mastic draft, but keep Poplar1 in the base draft. >> 4. Refactor the base draft so that it spells only the VDAF framework, >> adopt the Mastic draft, and adopt a new draft for Prio3. Note that there is >> one primitive (FLP) that would be shared by both Mastic and Prio3. >> >> Here are the main considerations we've heard while getting feedback on >> this question. >> a. Since the PPM WG can't finish its work until the base VDAF draft is >> done, we should do everything we can to minimize time to RFC. >> b. Recommending two protocols (Poplar1 and Mastic) for the same use case >> (heavy hitters) is probably not a good idea, especially if one is clearly >> superior to the other. >> c. If we remove Poplar1, then we could consider restricting the VDAF >> syntax to 1 round for preparation. >> d. The base draft should use all features of the VDAF framework. >> e. Poplar1 involves an MPC paradigm called "arithmetic sketching" ( >> https://eprint.iacr.org/2023/1012) that may be useful for future VDAFs >> and thus worth specifying. >> >> Thanks for your time and we're looking forward to 119, >> Chris P. >> -- >> Ppm mailing list >> Ppm@ietf.org >> https://www.ietf.org/mailman/listinfo/ppm >> >> >> -- >> Ppm mailing list >> Ppm@ietf.org >> https://www.ietf.org/mailman/listinfo/ppm >> > _______________________________________________ > CFRG mailing list > CFRG@irtf.org > https://mailman.irtf.org/mailman/listinfo/cfrg >
- [Ppm] Fwd: Next steps for heavy hitters with VDAFs Christopher Patton
- Re: [Ppm] Fwd: Next steps for heavy hitters with … Brandon Pitman
- Re: [Ppm] Fwd: Next steps for heavy hitters with … Simon Friedberger
- Re: [Ppm] Fwd: Next steps for heavy hitters with … Syed Suleman Ahmad
- Re: [Ppm] Fwd: Next steps for heavy hitters with … Eric Rescorla
- Re: [Ppm] Fwd: Next steps for heavy hitters with … Christopher Patton
- Re: [Ppm] Next steps for heavy hitters with VDAFs Shan Wang
- Re: [Ppm] Next steps for heavy hitters with VDAFs Christopher Patton
- Re: [Ppm] [CFRG] Next steps for heavy hitters wit… Eric Rescorla
- Re: [Ppm] [CFRG] Next steps for heavy hitters wit… Christopher Patton
- Re: [Ppm] [CFRG] Next steps for heavy hitters wit… Christopher Patton