IETF Logo Mail Archive

Re: [Ppm] Fwd: Next steps for heavy hitters with VDAFs

Eric Rescorla <ekr@rtfm.com> Mon, 04 March 2024 20:03 UTC

Return-Path: <ekr@rtfm.com>
X-Original-To: ppm@ietfa.amsl.com
Delivered-To: ppm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 45692C17C8BA for <ppm@ietfa.amsl.com>; Mon, 4 Mar 2024 12:03:45 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.903
X-Spam-Level:
X-Spam-Status: No, score=-1.903 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=rtfm-com.20230601.gappssmtp.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id X5bQaR4SjI18 for <ppm@ietfa.amsl.com>; Mon, 4 Mar 2024 12:03:44 -0800 (PST)
Received: from mail-yw1-x1135.google.com (mail-yw1-x1135.google.com [IPv6:2607:f8b0:4864:20::1135]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9B661C18DBBC for <ppm@ietf.org>; Mon, 4 Mar 2024 12:02:46 -0800 (PST)
Received: by mail-yw1-x1135.google.com with SMTP id 00721157ae682-607c5679842so49104767b3.2 for <ppm@ietf.org>; Mon, 04 Mar 2024 12:02:46 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=rtfm-com.20230601.gappssmtp.com; s=20230601; t=1709582565; x=1710187365; darn=ietf.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=qG1gtwWykWHywFU/FuS6+yfbHADvnAYfqYw/9LPlvZw=; b=ycjSoKMTRGWuFCURfL2jThhJLxtWypyKC7efz0m/uFgwWRiUPy/zj9KQuypiacQTb1 J4vuh3am80XoR2Qo0WPOnrnqwdd3w4dbq+jXNVCSQ1decUEVraIzMGhSUZ6xcjeZklU8 LYEzT5kOQN1jKi8AV2g9dFKFf4AAQO174jWaSBJV4ONmgHg1qhS26lheZMcmzbpAl1gj L6hPFDIQHGOXA3lzDxZrvR8PwDwZxgL5nB6V0AiOfi5V3RMjzKdgRYtryjt9AVDedpBh tP5DKmDbOQjGn/1CrMOxDS3XiI0PdET5ievAy8bVMyR3SJjdVX129g2JmTLzQAOLrnEN yowg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1709582565; x=1710187365; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=qG1gtwWykWHywFU/FuS6+yfbHADvnAYfqYw/9LPlvZw=; b=NiR1StItEGOjZcXdW7StT/au8SCH9T/O/fqoakx/xx0024v4hfdfOS5Q+I8Ltitnam qX2zgOllNV1nF4V14DlCeI3agbGxJi0lVAQwGQHQveen0q0w6PudThXQGzYLRcti4WJM aEwjWiz4+sSPDdGBqG699F1HWdfZXfD2A+R1T1m4+9ynRBV8RhBZ1UwroY1UZ8UTcLL5 W1+TR2g58fnf7YRIAZYT7BN6lxH5iHulohLkNC755qOiEMQwYfXiYqX2OXCK8L/uzAg6 gPHcGED1wfVt8pNQGwc7TxcSU9W5m5JtQ2goFsqFBvnjODR34MNiBSGyswa6f2Cc+M+w DUYA==
X-Forwarded-Encrypted: i=1; AJvYcCWom3940/DSGzB5OXU/i8LiYvObN9BYk8w3h+LUDS6R97ukLrhidsormVPStX/EHJeXVMNFt46/f0u+ixE=
X-Gm-Message-State: AOJu0YyCZBfuydwNsFIrHfSWclELoNaVtBULCyDWVh30z2/HIW9G9V6r ENMIGFR/eoBfCYShWFAjyomJJ2AX1i+WhGS96Ymn69nKW1JHT42d0EkHALT5C9Czjg98pO1b+wa Za+RLuuA9MVTx4uIEhd8ZDKZLxPZkdujqw7l68faf1xmS3Oq2
X-Google-Smtp-Source: AGHT+IEzKfdCgeoYb6dCTlzlcLXT41dJ6p2lsr/bJjnVaj5iobTWKSjvDox6OtXTcUbWT3CgOPFKRKx8rWE4FNDL9nc=
X-Received: by 2002:a25:842:0:b0:dc2:2895:6c79 with SMTP id 63-20020a250842000000b00dc228956c79mr7223196ybi.23.1709582565306; Mon, 04 Mar 2024 12:02:45 -0800 (PST)
MIME-Version: 1.0
References: <CAG2Zi23iR68MTLnW-onPhfq4rKmeYqgdsE4h_nem2iWFrVLqdw@mail.gmail.com> <CAG2Zi231jVNBvN7vZ6Uz2uTLd7JyS2-hpERUYrkQf1w-KxJtCQ@mail.gmail.com> <CALbTCT3W=JJFSZBOjs2pwiSnyUEwS4ur8roknRrbQUAf8QQG9w@mail.gmail.com> <CAGkoAS05FqFgSyXXH4cgzs98ASgP0b91-YSWZTHeKK-1Xer8qw@mail.gmail.com>
In-Reply-To: <CAGkoAS05FqFgSyXXH4cgzs98ASgP0b91-YSWZTHeKK-1Xer8qw@mail.gmail.com>
From: Eric Rescorla <ekr@rtfm.com>
Date: Mon, 04 Mar 2024 12:02:09 -0800
Message-ID: <CABcZeBNB6AELwH4MM408SrppqCod8ztWQQj7J8sY68rrZQn7wg@mail.gmail.com>
To: Simon Friedberger <simon@mozilla.com>
Cc: Brandon Pitman <bran=40divviup.org@dmarc.ietf.org>, Christopher Patton <cpatton=40cloudflare.com@dmarc.ietf.org>, ppm <ppm@ietf.org>
Content-Type: multipart/alternative; boundary="0000000000008506b30612db3505"
Archived-At: <https://mailarchive.ietf.org/arch/msg/ppm/vcq48zk_kYAntmxcmNFVuLVi0UM>
Subject: Re: [Ppm] Fwd: Next steps for heavy hitters with VDAFs
X-BeenThere: ppm@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Privacy Preserving Measurement technologies <ppm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ppm>, <mailto:ppm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ppm/>
List-Post: <mailto:ppm@ietf.org>
List-Help: <mailto:ppm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ppm>, <mailto:ppm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 04 Mar 2024 20:03:45 -0000

On Mon, Mar 4, 2024 at 11:14 AM Simon Friedberger <simon@mozilla.com> wrote:

> I am, of course, in favor of reducing complexity, however I am weakly
> against dropping it. My main concerns are:
>
>    1. The texts are written and the protocols are implemented. We can
>    reduce the complexity but we would also be throwing away a lot of effort
>    which already went into this.
>    2. We don't really know how Poplar and Mastic compare. 50% report size
>    overhead would be quite a lot given the scale that these things are
>    designed for. I think we should do some benchmarking before making this
>    decision.
>    3. Similarly, we don't have a good grasp on what we can do with VDAFs
>    and DAP and how much power we would lose by reducing preparation to one
>    round. Is Prio+ better for some use-cases? We certainly could do much more
>    powerful MPC with multiple rounds.
>
> We should leave the standards as is until we have better evidence to
> support a decision.
> If implementations want to remove the code they can always do so anyway.
>

I agree with Simon.

I would also note that this is not really a decision for CFRG, whose job,
at some level, is to deliver what the IETF needs. I see PPM is CCed on this
e-mail, so I'd encourage there to be a discussion in the PPM meeting

-Ekr


>
> So, I'm with Tim.
>
> MfG,
> Simon
>
>
>
> On Mon, Mar 4, 2024 at 6:36 PM Brandon Pitman <bran=
> 40divviup.org@dmarc.ietf.org> wrote:
>
>> As a DAP implementor, I am in favor of simplifying DAP/VDAF as much as
>> possible. With that in mind, I am in favor of removing Poplar1 in favor of
>> Mastic (i.e. any of outcomes #1, #2, or #4 -- I am agnostic on which of
>> these is the better course, but I suppose #2 is likely to require the least
>> amount of editorial work, though it might be useful to maintain one or
>> multiple concrete VDAFs in the VDAF draft itself). I do not see a reason to
>> maintain two VDAFs which solve roughly the same problem if one of them is
>> superior to the other, and I agree that lowered round complexity is a
>> compelling argument for Mastic. If we can conclude that Mastic is
>> practically superior to Poplar1, IMO we should remove Poplar1.
>>
>> Also:
>> > c. If we remove Poplar1, then we could consider restricting the VDAF
>> syntax to 1 round for preparation.
>>
>> I agree; the DAP specification & DAP implementations would be
>> considerably simplified if we were to restrict to 1-round VDAFs. There is
>> quite a bit of state-tracking complexity involved in multi-round VDAF
>> handling which could be dropped entirely in a single-round world. Unless
>> there is a concrete multi-round VDAF providing a great deal of value to the
>> DAP/VDAF ecosystem, I think this would be a very worthwhile change. If
>> restricting VDAF to a single round is considered controversial, another
>> option would be to restrict DAP to single-round VDAFs instead.
>>
>> Thanks,
>> Brandon
>>
>> On Mon, Mar 4, 2024 at 8:14 AM Christopher Patton <cpatton=
>> 40cloudflare.com@dmarc.ietf.org> wrote:
>>
>>> Hi all, I'm cross-posting this message to the CFRG mailing list in the
>>> hopes that folks who would like to implement heavy hitters in DAP will
>>> weigh in. We definitely end to hear from implementers and potential
>>> adopters.
>>>
>>> Thanks,
>>> Chris P.
>>>
>>> ---------- Forwarded message ---------
>>> From: Christopher Patton <cpatton@cloudflare.com>
>>> Date: Mon, Mar 4, 2024 at 8:07 AM
>>> Subject: Next steps for heavy hitters with VDAFs
>>> To: CFRG <cfrg@irtf.org>
>>>
>>>
>>> Hi CFRG,
>>>
>>> I've asked the chairs to spend some time at 119 discussing next steps
>>> for Mastic:
>>> https://datatracker.ietf.org/doc/html/draft-mouris-cfrg-mastic-02
>>>
>>> The ideal outcome may not be to adopt this draft directly, but to merge
>>> it with the existing VDAF draft (draft-irtf-cfrg-vdaf). Our goal for
>>> 119 is to find consensus on a path forward.
>>>
>>> Last time (118) we presented Mastic, a new VDAF that we pitched as a
>>> drop-in replacement for Poplar1 (
>>> https://datatracker.ietf.org/meeting/118/materials/slides-118-cfrg-mastic-vdaf).
>>> Since the meeting we have been working on security analysis for Mastic.
>>> The theorems in this paper claim that Mastic's composition of its
>>> primitives (VIDPF, an extension of IDPF from draft-irtf-cfrg-vdaf) and
>>> FLP (from draft-irtf-cfrg-vdaf) into a VDAF is secure. The concrete
>>> parameters of VIDPF and FLP are subject to change as analysis continues,
>>> but the overall composition seems to be sound:
>>> https://eprint.iacr.org/2024/221
>>>
>>> Mastic is also more efficient in terms of round complexity, is easier to
>>> implement securely, and addresses use cases identified in the PPM WG for
>>> which Poplar1 falls short. Overall, Mastic reflects improvements that have
>>> been made to this paradigm (i.e., function secret sharing for heavy
>>> hitters) since the Poplar paper appeared three years ago (
>>> https://eprint.iacr.org/2021/017). The only potential advantage of
>>> Poplar1 is that, once we finalize the parameters of VIDPF, it may end up
>>> having a lower bandwidth cost (at most 50% more, I suspect). However,
>>> speaking as an implementer, the lower round complexity of Mastic over
>>> Poplar1 makes it the far better option.
>>>
>>> We (the Mastic designers) would like the CFRG to consider the following
>>> outcomes:
>>> 1. Replace Poplar1 with Mastic in the base VDAF draft (draft-irtf-cfrg
>>> -vdaf).
>>> 2. Adopt the Mastic draft (draft-mourics-cfrg-mastic) and remove
>>> Poplar1 from the base draft.
>>> 3. Adopt the Mastic draft, but keep Poplar1 in the base draft.
>>> 4. Refactor the base draft so that it spells only the VDAF framework,
>>> adopt the Mastic draft, and adopt a new draft for Prio3. Note that there is
>>> one primitive (FLP) that would be shared by both Mastic and Prio3.
>>>
>>> Here are the main considerations we've heard while getting feedback on
>>> this question.
>>> a. Since the PPM WG can't finish its work until the base VDAF draft is
>>> done, we should do everything we can to minimize time to RFC.
>>> b. Recommending two protocols (Poplar1 and Mastic) for the same use case
>>> (heavy hitters) is probably not a good idea, especially if one is clearly
>>> superior to the other.
>>> c. If we remove Poplar1, then we could consider restricting the VDAF
>>> syntax to 1 round for preparation.
>>> d. The base draft should use all features of the VDAF framework.
>>> e. Poplar1 involves an MPC paradigm called "arithmetic sketching" (
>>> https://eprint.iacr.org/2023/1012) that may be useful for future VDAFs
>>> and thus worth specifying.
>>>
>>> Thanks for your time and we're looking forward to 119,
>>> Chris P.
>>> --
>>> Ppm mailing list
>>> Ppm@ietf.org
>>> https://www.ietf.org/mailman/listinfo/ppm
>>>
>> --
>> Ppm mailing list
>> Ppm@ietf.org
>> https://www.ietf.org/mailman/listinfo/ppm
>>
> --
> Ppm mailing list
> Ppm@ietf.org
> https://www.ietf.org/mailman/listinfo/ppm
>

v2.23.0 | Report a Bug | By Email