IETF Logo Mail Archive

Re: [Privacy-pass] Details about PrivateStats

Ananth Raghunathan <ananthr@cs.stanford.edu> Sat, 27 February 2021 19:51 UTC

Return-Path: <ananthr1987@gmail.com>
X-Original-To: privacy-pass@ietfa.amsl.com
Delivered-To: privacy-pass@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D70D03A131F for <privacy-pass@ietfa.amsl.com>; Sat, 27 Feb 2021 11:51:04 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.149
X-Spam-Level:
X-Spam-Status: No, score=-1.149 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FREEMAIL_ENVFROM_END_DIGIT=0.25, FREEMAIL_FORGED_FROMDOMAIN=0.249, FREEMAIL_FROM=0.001, HEADER_FROM_DIFFERENT_DOMAINS=0.25, HTML_MESSAGE=0.001, RCVD_IN_MSPIKE_H2=-0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ZQtV8Bj7JB9C for <privacy-pass@ietfa.amsl.com>; Sat, 27 Feb 2021 11:51:03 -0800 (PST)
Received: from mail-lf1-f52.google.com (mail-lf1-f52.google.com [209.85.167.52]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C8BE43A131D for <privacy-pass@ietf.org>; Sat, 27 Feb 2021 11:51:02 -0800 (PST)
Received: by mail-lf1-f52.google.com with SMTP id v5so19062910lft.13 for <privacy-pass@ietf.org>; Sat, 27 Feb 2021 11:51:02 -0800 (PST)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=6nl1xpkxY4m1bN2Jg9cEqiNacmeeAcGk3qjfaL2dCHE=; b=YeOHVUr0Y4ilBT9kEuttZgBbl9p4Pt0Qnc/fBuGCDZy1iHQmTBJkxHyXZQVaiWbj7o zQQZPIjrjvzLAO5/dJhOYkqvylQmaK+bDLtfTrSCmT44IHcXZmNuoioC96W9vqWVUG/V abUlryPbAErZ6/b8IJ7KE4NbtgS2Tx9sXIkTcgebgtoE6e0YcfzTjvJxn4q6UJ9mUyUX NW5/YbDO7mwjhl8mk0T88h/INQ+a86XZztKvG48Iwha+I/Y/gVJ5Rm2O15sU73nVAsGI E4WAJaoItTJ0HV5MDByfKC+xE2Ol73v4unszJ+GKTcsFWr9rSkIGRCFdff9EcOCpY14b kxbw==
X-Gm-Message-State: AOAM533fh3mXxwRxQWtigasrC8U8Sd9yO65yOE+k+OBvut96MsU5+XmD rCcDkxF/vkTFrHSGkDVgwBBSAUef1G7vEArENyg=
X-Google-Smtp-Source: ABdhPJzq/h/hNGTz03qfjZjBnqSzo+1ho2/4Oz9KH7tgUhI4l5yxRG3hbNafVh54Eee5CRSzbqacU4GAxT7VInc9f9c=
X-Received: by 2002:a19:c14a:: with SMTP id r71mr5115657lff.358.1614455460803; Sat, 27 Feb 2021 11:51:00 -0800 (PST)
MIME-Version: 1.0
References: <mailman.84.1610740810.31869.privacy-pass@ietf.org> <B7836D6D-73E0-4FDB-9EE7-7CF630DF3E0F@ntnu.no>
In-Reply-To: <B7836D6D-73E0-4FDB-9EE7-7CF630DF3E0F@ntnu.no>
From: Ananth Raghunathan <ananthr@cs.stanford.edu>
Date: Sat, 27 Feb 2021 11:50:49 -0800
Message-ID: <CABbWz8D9LjUm0QK4dHScO9FvU3dv-tN-BqVoy-32icqS3Xm1iw@mail.gmail.com>
To: Tjerand Silde <tjerand.silde@ntnu.no>
Cc: "privacy-pass@ietf.org" <privacy-pass@ietf.org>
Content-Type: multipart/alternative; boundary="0000000000003f3a7705bc56b404"
Archived-At: <https://mailarchive.ietf.org/arch/msg/privacy-pass/2JGrFTeHkR1PlDgrMlZty5D-C_8>
Subject: Re: [Privacy-pass] Details about PrivateStats
X-BeenThere: privacy-pass@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: <privacy-pass.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/privacy-pass>, <mailto:privacy-pass-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/privacy-pass/>
List-Post: <mailto:privacy-pass@ietf.org>
List-Help: <mailto:privacy-pass-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/privacy-pass>, <mailto:privacy-pass-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 27 Feb 2021 19:51:05 -0000

Tjerand, I'm excited to see the extension with public metadata -- looking
forward to it. At a first glance, the idea of generating all attribute keys
and committing to them through a Merkle tree seems to make sense and might
offer a better tradeoff. I think where our construction is useful is when
the domain is much larger (2^64 onwards, say). I do wonder though if there
are ways to generate public keys (and corresponding secret keys)
dynamically that can be "committed to" ahead of time with a Merkle
tree-like construction. Do ideas from stateless hash-based signatures or
HIBE constructions apply here?

Ananth



On Sat, 27 Feb 2021 at 08:53, Tjerand Silde <tjerand.silde@ntnu.no> wrote:

> Dear Subodh, everyone:
>
> Thank you for sharing your research, I find the AT-VOPRF to be a very nice
> construction and of independent interest. I watched your talk at RWC, but
> only recently had time to look at the details.
>
> With regards to concrete efficiency in your situation, would it not be
> more efficient to combine Privacy Pass with a Merkle-tree to reduce
> communication?
>
> Say, for simplicity, that you rotate keys every day in a year, then you
> could represent all attributes with N = ceil(log_2 365) = 9 bits. In my
> understanding, the public key then consists of 11 group elements (+ public
> parameters like group and generator which I ignore here) and the daily key
> + proof of correctness consists of 9 group elements and 9 Chaum-Pedersen
> proofs (+ the normal signature and C-H proof of correctness for the token).
> This gives you a public key of size 11*257=2827 bits and AT-VOPRF of size
> 9*(257+2*256) = 6921 bits when using X25519.
>
> For the same situation, if we use a master seed to generate each daily
> signing key k_i = KDF(seed, date) and build a Merkle-tree with the daily
> keys K_i = [k_i] G as leaves, the public key is only the root of the tree
> of size 256 bits. The daily key can be sent over together with the path of
> hashes to prove that it is the correct key, and this will be of size 1
> group element and 9 hashes, that is, 257+9*256 = 2561 bits. This could even
> be more optimized as most of the hashes in the path of two consecutive keys
> will be the same.
>
> Best,
> Tjerand
>
> PS! In a joint work with Martin Stand we have designed an extension of
> Privacy Pass that includes public metadata that has exactly the same
> communication cost as plain Privacy Pass. We will email this list as soon
> as the ePrint is available (we uploaded on Wednesday).
>
> On 15 Jan 2021, at 21:00, privacy-pass-request@ietf.org wrote:
>
> *From: *Subodh Iyengar <subodh@fb.com>
> *Subject: **[Privacy-pass] Details about PrivateStats*
> *Date: *15 January 2021 at 16:20:37 CET
> *To: *"privacy-pass@ietf.org" <privacy-pass@ietf.org>
>
>
> We presented the PrivateStats system at Real World Crypto yesterday we've
> been experimenting with at Facebook.
>
> Here's a link to the paper https://research.fb.com/privatestats and also
> a link to the talk
> https://www.youtube.com/watch?t=48&v=4eKwlSqGUi4&feature=youtu.be
>
> The paper and talk details some of the challenges productionizing a
> PrivacyPass style VOPRF.
> We also introduce a new construction to derive an attribute based VOPRF
> which is compatible with PrivacyPass VOPRFs.
>
> TL;DR: we change the way we derive the public key for the underlying
> VOPRF. An attribute (eg. a day or anything) is mapped -> {bit vector}. Then
> an attribute specific key is derived from the bit vector. The public key
> can be used directly in the VOPRF. Someone could later check that the
> public key was correctly derived from the attribute.
>
> An attribute based VOPRF might be a good addition to privacypass and allow
> binding attributes to the Public Keys used for PrivacyPass VOPRFs, and
> would love to chat more about developing this
>
> Thanks,
> Subodh
>
>
>
> Privacy-pass mailing list
> Privacy-pass@ietf.org
> https://www.ietf.org/mailman/listinfo/privacy-pass
>
>
> --
> Privacy-pass mailing list
> Privacy-pass@ietf.org
> https://www.ietf.org/mailman/listinfo/privacy-pass
>

v2.23.0 | Report a Bug | By Email