[Ppm] Some clarifications about draft-dss-star-01
Alex Davidson <alex.davidson92@gmail.com> Thu, 28 July 2022 08:17 UTC
Return-Path: <alex.davidson92@gmail.com>
X-Original-To: ppm@ietfa.amsl.com
Delivered-To: ppm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6CF3FC159484; Thu, 28 Jul 2022 01:17:59 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.853
X-Spam-Level:
X-Spam-Status: No, score=-1.853 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_ENVFROM_END_DIGIT=0.25, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_BLOCKED=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id AxPHTzAWABFA; Thu, 28 Jul 2022 01:17:54 -0700 (PDT)
Received: from mail-io1-xd2d.google.com (mail-io1-xd2d.google.com [IPv6:2607:f8b0:4864:20::d2d]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E8537C13C21C; Thu, 28 Jul 2022 01:17:54 -0700 (PDT)
Received: by mail-io1-xd2d.google.com with SMTP id e69so887793iof.5; Thu, 28 Jul 2022 01:17:54 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=mime-version:from:date:message-id:subject:to:cc; bh=8RS2Nc5+Ex5dPnydDjISDhFBuJu9z2WAeT62XXPDiFw=; b=cLwP/fP2gmN1ivzWJ/C6Bn6RxY3p7ofItpa0ohkWa6/R1ZvhNyLTifyYVAfHOqLif4 yIdm2VXwzJHv3A1awX7LPjctRs7WrHLF31JyQHIltHgvInrtkSXk9209n4QxS7IDgk1f 5ZEqvUDqBxypyBaK4cAzakYrNGAmSSLHwSOW9ufuv/nZLo1E1NBZpLxgsW4RYhRo/cZd 66MxAeMoh+dUfbvs6pu1INaj6ATtjjgvikoWet8t4ZLamDHl09+2gHo5nKkl5/q0KWp+ 8pWwt6ePcTxQ/HIRs1xI8p8x/oZnY8MfMR6AZZnKqFGMMlHFZehYuPW4PML4v9wOrm47 8LGA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:mime-version:from:date:message-id:subject:to:cc; bh=8RS2Nc5+Ex5dPnydDjISDhFBuJu9z2WAeT62XXPDiFw=; b=vjwzOnCVJRNRYOLllMHj/dyV9OUWLM7LRcNbY7KhD49vMfORsJdyWcjDnhX98wqQBe QZ+w02VZpYUe5MCFBHto1EO309mW2mjfEAYXbmhIZ135KqhoPBGSvFgrI8H3hDpNIFTm AbJ9wPmXkq9ONwJs6ZWHmZE0qEP3x4g/cAzq3ItOdmCYDL1Dq0uRd9CAEqtlsH1w0oXz /jEhUIQzsCi/zF3FNIit4vNxpp9xyXRbpMm6KLPKUC/uoyi4zSajROt3wvaas3cF02dR M4xWVbjxxyNPXUdhJ9HSGfk2rEnmhifnhzS70YOwjwfyULKVlb0FJIPGpjpaQQnlzPyg xaQA==
X-Gm-Message-State: AJIora9hwTa77gaX4RP+U/jljp+/VXx/vzGHsvyr1eI772qjw6womx7l CWp9DJ1uALAxvUaN7IBEWfonCH+vQhtJR0vNc/kp/ifUrA==
X-Google-Smtp-Source: AGRyM1sDp7mTuC0AUQ0zn3ELNNwKOua/BcXCmd5Jn3fpMN5IEDZyVgqEPtNDcwKydFDc4C2KL5ecr6kJH+a02dY6DTg=
X-Received: by 2002:a05:6638:2042:b0:341:566f:1422 with SMTP id t2-20020a056638204200b00341566f1422mr10208902jaj.168.1658996274139; Thu, 28 Jul 2022 01:17:54 -0700 (PDT)
MIME-Version: 1.0
From: Alex Davidson <alex.davidson92@gmail.com>
Date: Thu, 28 Jul 2022 09:17:43 +0100
Message-ID: <CAD5V+fNjvb88+XvjY-bQij9jjW8w2OBXd-H8hsO6yQMBo-EZjQ@mail.gmail.com>
To: ppm@ietf.org
Cc: draft-dss-star@ietf.org, Christopher Wood <caw@heapingbits.net>
Content-Type: multipart/alternative; boundary="0000000000009a939c05e4d92b00"
Archived-At: <https://mailarchive.ietf.org/arch/msg/ppm/mNI9g7fFCzly4sdKYv39eR6sF1M>
Subject: [Ppm] Some clarifications about draft-dss-star-01
X-BeenThere: ppm@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Privacy Preserving Measurement technologies <ppm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ppm>, <mailto:ppm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ppm/>
List-Post: <mailto:ppm@ietf.org>
List-Help: <mailto:ppm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ppm>, <mailto:ppm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 28 Jul 2022 08:17:59 -0000
Hi all, I just wanted to summarise a discussion for the mailing list between the authors of draft-dss-star-01 and Christopher Wood, related to devising implementations of STAR. - Implementation of secret sharing. The STAR paper (https://arxiv.org/abs/2109.10074) and existing implementation (https://github.com/brave/sta-rs/) uses a specific secret sharing framework known as adept secret sharing, that uses traditional Shamir secret sharing under the hood. This is to smooth out some aspects of the security proof in the paper. However, adept secret sharing adds some overheads, and we can probably use traditional secret sharing without any problems. - What are the parameters of the field for Shamir's scheme? Currently, we use a fixed modulus in the implementation for either a 129-bit or 255-bit field. The field size does not impact security rather correctness, and we can probably get away with using a 128-bit prime field that will provide roughly 1/2^64 chance of correctness errors. A future version of the draft will hardcode a specific modulus that can be used in all implementations. - Does this require a key-committing AEAD so that the same ciphertext can't be decrypted to two different plaintexts? This is something that could be useful, and we can specify that the symmetric encryption used in STAR uses such an AEAD. - What happens when the aggregation server decrypts and discovers that one of the values does not match all the others? This is something that seems difficult to solve, and a slight discrepancy between STAR and other DAPs. Overall, the client must encrypt their measurement as a plaintext value in their message, but if they encrypt a different value we need a good way to recover. One possibility is just to throw out batches where client plaintext measurements do not agree (but where the deterministic tags do). However, this may make it easy for clients to poison batches. The aggregation server could similarly use majority vote and throw out differing plaintexts, but this may also be vulnerable to poisoning. An alternative possibility is to have a short crossover period where the randomness server still tolerates queries to their VOPRF key, so that if the aggregation server uncovers differing plaintext measurements, they are able to check which is the correct one. However, this may harm client privacy, see next question. - What information is leaked through the common tag? (If threshold is not reached, you still learn when two clients sent the same measurement value, you just don't learn what it is. Does this help brute force attacks?) Common tags can be brute-forced in the window that the VOPRF keypair is in action for. As long as the keypair is rotated before clients actually send their messages for aggregation, then the aggregation server must launch the brute-force attack without seeing any leakage from client messages. However, if client measurements are inherently predictable, even before they are received, then the aggregation server can learn things. Keeping the keypair window as short as possible is the best way of ensuring client privacy. Ideally clients would construct message on day i, and then send them on day i+1 after the key rotation occurs. If you need some sort of cross-over between periods then things may become more complicated, since you may need to keep track of multiple keys at once. But having a crossover period may allow the aggregation server to launch brute-force attacks with the additional leakage that is present in the messages, which may make the attacks more efficient. - How do you prevent Sybil attacks from the aggregation server? Sybil attacks are possible against all DAPs, STAR does not have any specific mechanism for dealing with them. - Is an OPRF sufficient here? If the randomness server changes its key it will just disrupt the ability for clients to reach the threshold. An OPRF is probably sufficient, the VOPRF is useful for showing to the clients that the randomness server is acting honestly. In the OPRF case, the randomness server could simply respond with random values. This will not harm privacy provided the two servers are non-colluding, but will poison the aggregation. - When will the sta-rs implementation move to an OPRF/VOPRF instead of the PPOPRF? The current STAR implementation uses a non-standard version of an oblivious pseudorandom function, for devising interoperable implementations we will probably aim to write an implementation with a CFRG-based (V)OPRF in the near future. Thanks, Alex (on behalf of the authors of draft-dss-star-01)
- [Ppm] Some clarifications about draft-dss-star-01 Alex Davidson
- Re: [Ppm] Some clarifications about draft-dss-sta… Christopher Wood