IETF Logo Mail Archive

Re: [Privacy-pass] Details about PrivateStats

Tjerand Silde <tjerand.silde@ntnu.no> Thu, 11 March 2021 23:09 UTC

Return-Path: <tjerand.silde@ntnu.no>
X-Original-To: privacy-pass@ietfa.amsl.com
Delivered-To: privacy-pass@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D9E893A12C8 for <privacy-pass@ietfa.amsl.com>; Thu, 11 Mar 2021 15:09:02 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.897
X-Spam-Level:
X-Spam-Status: No, score=-1.897 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_BLOCKED=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id U18smXU5oPLQ for <privacy-pass@ietfa.amsl.com>; Thu, 11 Mar 2021 15:08:59 -0800 (PST)
Received: from mailgw02.it.ntnu.no (mailgw02.it.ntnu.no [IPv6:2001:700:300:3::175]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 90E473A12C7 for <privacy-pass@ietf.org>; Thu, 11 Mar 2021 15:08:58 -0800 (PST)
Received: from localhost (localhost [127.0.0.1]) by mailgw02.it.ntnu.no (Postfix) with ESMTP id 00F398028FE; Fri, 12 Mar 2021 00:08:51 +0100 (CET)
X-Virus-Scanned: Debian amavisd-new at mailgw02.it.ntnu.no
Received: from mailgw02.it.ntnu.no ([127.0.0.1]) by localhost (mailgw02.it.ntnu.no [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id WnNxL7eLF6v3; Fri, 12 Mar 2021 00:08:48 +0100 (CET)
Received: from it-ex20.win.ntnu.no (it-ex20.it.ntnu.no [IPv6:2001:700:300:3::43]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mailgw02.it.ntnu.no (Postfix) with ESMTPS id B74AE8028F8; Fri, 12 Mar 2021 00:08:48 +0100 (CET)
Received: from it-ex18.win.ntnu.no (129.241.56.12) by it-ex20.win.ntnu.no (129.241.56.43) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.2.792.3; Fri, 12 Mar 2021 00:08:48 +0100
Received: from it-ex18.win.ntnu.no ([fe80::fd58:84f4:9f5c:97bb]) by it-ex18.win.ntnu.no ([fe80::fd58:84f4:9f5c:97bb%17]) with mapi id 15.02.0792.010; Fri, 12 Mar 2021 00:08:48 +0100
From: Tjerand Silde <tjerand.silde@ntnu.no>
To: Subodh Iyengar <subodh@fb.com>
CC: Ananth Raghunathan <ananthr@cs.stanford.edu>, "privacy-pass@ietf.org" <privacy-pass@ietf.org>
Thread-Topic: [Privacy-pass] Details about PrivateStats
Thread-Index: AQHXDSkUw53UAKq7HEKbeVOTJOHqV6psWJuAgALxzoCAACNagIAMmLmAgANTAACAABJqAA==
Date: Thu, 11 Mar 2021 23:08:48 +0000
Message-ID: <3133CD94-1F2F-497E-815D-4F0443B72B5A@ntnu.no>
References: <mailman.84.1610740810.31869.privacy-pass@ietf.org> <B7836D6D-73E0-4FDB-9EE7-7CF630DF3E0F@ntnu.no> <CABbWz8D9LjUm0QK4dHScO9FvU3dv-tN-BqVoy-32icqS3Xm1iw@mail.gmail.com> <MW3PR15MB3881FD1FC196A4559883611CB69A9@MW3PR15MB3881.namprd15.prod.outlook.com> <18694625-A7BA-4EB7-85D3-8AB147F243B2@ntnu.no> <CABbWz8CkL0_sQ83Z-RO5PZK8QugxEieZvDn1WBdmEQaFuEiq7A@mail.gmail.com> <MW3PR15MB38811011EBAF86A67F90A605B6909@MW3PR15MB3881.namprd15.prod.outlook.com>
In-Reply-To: <MW3PR15MB38811011EBAF86A67F90A605B6909@MW3PR15MB3881.namprd15.prod.outlook.com>
Accept-Language: nb-NO, en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-mailer: Apple Mail (2.3654.60.0.2.21)
X-Ntnu-xOriginatingIp: [129.241.34.190]
Content-Type: multipart/alternative; boundary="_000_3133CD941F2F497E815D4F0443B72B5Antnuno_"
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/privacy-pass/3uyolP7BaYFiHTT4BeDzOAl-7Bc>
Subject: Re: [Privacy-pass] Details about PrivateStats
X-BeenThere: privacy-pass@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: <privacy-pass.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/privacy-pass>, <mailto:privacy-pass-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/privacy-pass/>
List-Post: <mailto:privacy-pass@ietf.org>
List-Help: <mailto:privacy-pass-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/privacy-pass>, <mailto:privacy-pass-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 11 Mar 2021 23:09:03 -0000

Dear Ananth, Subodh, all:

I agree with Ananth that the underlying assumptions are a bit different, and that the q-hardness requirement would impact the parameters. I see that Privacy Pass are standardising curve options with 192 bits of security instead of 128 bits to deal with this issue, and we might have to update our parameters accordingly in the final version of the paper.

The new construction with public metadata use the exact same DLEQ proof as earlier, but with updated public key and changed order of T’ and W’ to prove the correct relation. So I would say that the structure and communication is the same, but with some small differences in computation. We had to do some slightly bigger changes in the protocol with both public and private metadata, where we have to do two AND-proofs and publish two group elements before we can compute the OR-proof as in the original protocol.

Best,
Tjerand

On 11 Mar 2021, at 23:02, Subodh Iyengar <subodh@fb.com<mailto:subodh@fb.com>> wrote:

Thank Tjerand, read your paper and it's quite clever in its use of the DLEQ proof. In addition to Ananth's questions, if I understand correctly, this new construction will change the DLEQ proof in the existing l VOPRF evaluation as well. Is that correct?

Subodh
________________________________
From: Ananth Raghunathan <ananthr@cs.stanford.edu<mailto:ananthr@cs.stanford.edu>>
Sent: Tuesday, March 9, 2021 11:17 AM
To: Tjerand Silde <tjerand.silde@ntnu.no<mailto:tjerand.silde@ntnu.no>>
Cc: Subodh Iyengar <subodh@fb.com<mailto:subodh@fb.com>>; privacy-pass@ietf.org<mailto:privacy-pass@ietf.org> <privacy-pass@ietf.org<mailto:privacy-pass@ietf.org>>
Subject: Re: [Privacy-pass] Details about PrivateStats

Thanks Tjerand! I read the paper and I think the idea of using the Dodis-Yampolskiy PRF construction with f(x) = g^(1/(sk+x)) on the attributes is a really neat idea. One thing to think about comparing different constructions is the relative strength of the hardness of the underlying assumptions. If I'm not mistaken, in this construction there is a q-hardness requirement from the Diffie-Hellman inversion problem where q is the # of attribute queries, whereas the Naor-Reingold construction can get away with a n-hardness requirement from the Diffie-Hellman exponent problem where n is the log (size of attribute set). I think there are some selective-security and full-security notions that also need discussion but it's nice to see these alternatives with compact sizes.

Best,
Ananth

On Mon, 1 Mar 2021 at 10:55, Tjerand Silde <tjerand.silde@ntnu.no<mailto:tjerand.silde@ntnu.no>> wrote:
Dear Ananth, Subodh, all:

I agree that the AT-VOPRF is more useful for large domains, and that it guarantees fresh and unpredictable keys for each attribute. As I mentioned earlier, I like the construction a lot, and this is just a comment on the concrete efficiency in PrivateStats.

I also agree that one must publicly agree on which attribute is the correct one in each situation, for example by going through the leaf nodes in sequence left to right from a given date. But as far as I can understand, this is also needed in the AT-VOPRF construction. When you prove inclusion in the three you at the same time prove at which leaf node the public key is placed, and this would avoid the attack you mention.

The attribute public keys does indeed not have to be generated from the same master key, this is just to make it easier to store private keys on the server side. It does, as far as I can see, not affect security in any way.

It definitely makes sense to look into hash-based signatures and HIBE to see if the Merkle-tree approach can be extended to large domains, without having to generate all keys in advance. Very interesting idea.

Our paper is now available on ePrint, see new thread about the topic.

Best,
Tjerand

On 1 Mar 2021, at 17:48, Subodh Iyengar <subodh@fb.com<mailto:subodh@fb.com>> wrote:

I'm excited to read this paper as well. Please do share the eprint when it is available.

Putting the attribute keys on a merkle tree does make sense. One thing we need to be careful about is at least having 1 unique key per attribute on the merkle tree and not just proving inclusion in the tree.
For example, one could give (K1, attr1) to a user1 and (K2, attr1) to user2 in a regular tree. One nice part of having the AB-VOPRF as a PRF in privatestats is that we inherently get that property.

One open question, which I'm not sure whether it affects the security of the protocol itself, and could use further analysis,
is that having all attribute keys grouped in a merkle tree does prove that they are all related to the root, however, doesn't prove that they are derived from the master key.  However, that
might or might not matter to the security of privacypass, vs the security of the VOPRF.  Very interesting indeed.

Subodh
________________________________
From: Privacy-pass <privacy-pass-bounces@ietf.org<mailto:privacy-pass-bounces@ietf.org>> on behalf of Ananth Raghunathan <ananthr@cs.stanford.edu<mailto:ananthr@cs.stanford.edu>>
Sent: Saturday, February 27, 2021 11:50 AM
To: Tjerand Silde <tjerand.silde@ntnu.no<mailto:tjerand.silde@ntnu.no>>
Cc: privacy-pass@ietf.org<mailto:privacy-pass@ietf.org> <privacy-pass@ietf.org<mailto:privacy-pass@ietf.org>>
Subject: Re: [Privacy-pass] Details about PrivateStats

Tjerand, I'm excited to see the extension with public metadata -- looking forward to it. At a first glance, the idea of generating all attribute keys and committing to them through a Merkle tree seems to make sense and might offer a better tradeoff. I think where our construction is useful is when the domain is much larger (2^64 onwards, say). I do wonder though if there are ways to generate public keys (and corresponding secret keys) dynamically that can be "committed to" ahead of time with a Merkle tree-like construction. Do ideas from stateless hash-based signatures or HIBE constructions apply here?

Ananth



On Sat, 27 Feb 2021 at 08:53, Tjerand Silde <tjerand.silde@ntnu.no<mailto:tjerand.silde@ntnu.no>> wrote:
Dear Subodh, everyone:

Thank you for sharing your research, I find the AT-VOPRF to be a very nice construction and of independent interest. I watched your talk at RWC, but only recently had time to look at the details.

With regards to concrete efficiency in your situation, would it not be more efficient to combine Privacy Pass with a Merkle-tree to reduce communication?

Say, for simplicity, that you rotate keys every day in a year, then you could represent all attributes with N = ceil(log_2 365) = 9 bits. In my understanding, the public key then consists of 11 group elements (+ public parameters like group and generator which I ignore here) and the daily key + proof of correctness consists of 9 group elements and 9 Chaum-Pedersen proofs (+ the normal signature and C-H proof of correctness for the token). This gives you a public key of size 11*257=2827 bits and AT-VOPRF of size 9*(257+2*256) = 6921 bits when using X25519.

For the same situation, if we use a master seed to generate each daily signing key k_i = KDF(seed, date) and build a Merkle-tree with the daily keys K_i = [k_i] G as leaves, the public key is only the root of the tree of size 256 bits. The daily key can be sent over together with the path of hashes to prove that it is the correct key, and this will be of size 1 group element and 9 hashes, that is, 257+9*256 = 2561 bits. This could even be more optimized as most of the hashes in the path of two consecutive keys will be the same.

Best,
Tjerand

PS! In a joint work with Martin Stand we have designed an extension of Privacy Pass that includes public metadata that has exactly the same communication cost as plain Privacy Pass. We will email this list as soon as the ePrint is available (we uploaded on Wednesday).

On 15 Jan 2021, at 21:00, privacy-pass-request@ietf.org<mailto:privacy-pass-request@ietf.org> wrote:

From: Subodh Iyengar <subodh@fb.com<mailto:subodh@fb.com>>
Subject: [Privacy-pass] Details about PrivateStats
Date: 15 January 2021 at 16:20:37 CET
To: "privacy-pass@ietf.org<mailto:privacy-pass@ietf.org>" <privacy-pass@ietf.org<mailto:privacy-pass@ietf.org>>


We presented the PrivateStats system at Real World Crypto yesterday we've been experimenting with at Facebook.

Here's a link to the paper https://research.fb.com/privatestats and also a link to the talk https://www.youtube.com/watch?t=48&v=4eKwlSqGUi4&feature=youtu.be

The paper and talk details some of the challenges productionizing a PrivacyPass style VOPRF.
We also introduce a new construction to derive an attribute based VOPRF which is compatible with PrivacyPass VOPRFs.

TL;DR: we change the way we derive the public key for the underlying VOPRF. An attribute (eg. a day or anything) is mapped -> {bit vector}. Then an attribute specific key is derived from the bit vector. The public key can be used directly in the VOPRF. Someone could later check that the public key was correctly derived from the attribute.

An attribute based VOPRF might be a good addition to privacypass and allow binding attributes to the Public Keys used for PrivacyPass VOPRFs, and would love to chat more about developing this

Thanks,
Subodh



Privacy-pass mailing list
Privacy-pass@ietf.org<mailto:Privacy-pass@ietf.org>
https://www.ietf.org/mailman/listinfo/privacy-pass

--
Privacy-pass mailing list
Privacy-pass@ietf.org<mailto:Privacy-pass@ietf.org>
https://www.ietf.org/mailman/listinfo/privacy-pass

v2.23.0 | Report a Bug | By Email