Re: [Privacy-pass] Details about PrivateStats
Tjerand Silde <tjerand.silde@ntnu.no> Sat, 27 February 2021 16:53 UTC
Return-Path: <tjerand.silde@ntnu.no>
X-Original-To: privacy-pass@ietfa.amsl.com
Delivered-To: privacy-pass@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 296763A0E04 for <privacy-pass@ietfa.amsl.com>; Sat, 27 Feb 2021 08:53:42 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.898
X-Spam-Level:
X-Spam-Status: No, score=-1.898 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id y3wpsJvjHxT0 for <privacy-pass@ietfa.amsl.com>; Sat, 27 Feb 2021 08:53:39 -0800 (PST)
Received: from mailgw03.it.ntnu.no (mailgw03.it.ntnu.no [IPv6:2001:700:300:3::29]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E79F13A0E03 for <privacy-pass@ietf.org>; Sat, 27 Feb 2021 08:53:38 -0800 (PST)
Received: from localhost (localhost [127.0.0.1]) by mailgw03.it.ntnu.no (Postfix) with ESMTP id 277F01C1744 for <privacy-pass@ietf.org>; Sat, 27 Feb 2021 17:53:36 +0100 (CET)
X-Virus-Scanned: Debian amavisd-new at mailgw03.it.ntnu.no
Received: from mailgw03.it.ntnu.no ([127.0.0.1]) by localhost (mailgw03.it.ntnu.no [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id kJNARYmZdbJA for <privacy-pass@ietf.org>; Sat, 27 Feb 2021 17:53:33 +0100 (CET)
Received: from it-ex16.win.ntnu.no (it-ex16.it.ntnu.no [IPv6:2001:700:300:3::10]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mailgw03.it.ntnu.no (Postfix) with ESMTPS id 6E57F1C0867 for <privacy-pass@ietf.org>; Sat, 27 Feb 2021 17:53:33 +0100 (CET)
Received: from it-ex18.win.ntnu.no (2001:700:300:3::12) by it-ex16.win.ntnu.no (2001:700:300:3::10) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.2.792.3; Sat, 27 Feb 2021 17:53:31 +0100
Received: from it-ex18.win.ntnu.no ([fe80::fd58:84f4:9f5c:97bb]) by it-ex18.win.ntnu.no ([fe80::fd58:84f4:9f5c:97bb%17]) with mapi id 15.02.0792.005; Sat, 27 Feb 2021 17:53:31 +0100
From: Tjerand Silde <tjerand.silde@ntnu.no>
To: "privacy-pass@ietf.org" <privacy-pass@ietf.org>
Thread-Topic: [Privacy-pass] Details about PrivateStats
Thread-Index: AQHXDSkUCjjV6pXmxk6nEr0CxbKI+Q==
Date: Sat, 27 Feb 2021 16:53:31 +0000
Message-ID: <B7836D6D-73E0-4FDB-9EE7-7CF630DF3E0F@ntnu.no>
References: <mailman.84.1610740810.31869.privacy-pass@ietf.org>
In-Reply-To: <mailman.84.1610740810.31869.privacy-pass@ietf.org>
Accept-Language: nb-NO, en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-mailer: Apple Mail (2.3654.60.0.2.21)
X-Ntnu-xOriginatingIp: [129.241.34.190]
Content-Type: multipart/alternative; boundary="_000_B7836D6D73E04FDB9EE77CF630DF3E0Fntnuno_"
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/privacy-pass/BS7Fg3Ui2VtAmgtIJ1y5MI_D5dw>
Subject: Re: [Privacy-pass] Details about PrivateStats
X-BeenThere: privacy-pass@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: <privacy-pass.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/privacy-pass>, <mailto:privacy-pass-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/privacy-pass/>
List-Post: <mailto:privacy-pass@ietf.org>
List-Help: <mailto:privacy-pass-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/privacy-pass>, <mailto:privacy-pass-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 27 Feb 2021 16:53:42 -0000
Dear Subodh, everyone: Thank you for sharing your research, I find the AT-VOPRF to be a very nice construction and of independent interest. I watched your talk at RWC, but only recently had time to look at the details. With regards to concrete efficiency in your situation, would it not be more efficient to combine Privacy Pass with a Merkle-tree to reduce communication? Say, for simplicity, that you rotate keys every day in a year, then you could represent all attributes with N = ceil(log_2 365) = 9 bits. In my understanding, the public key then consists of 11 group elements (+ public parameters like group and generator which I ignore here) and the daily key + proof of correctness consists of 9 group elements and 9 Chaum-Pedersen proofs (+ the normal signature and C-H proof of correctness for the token). This gives you a public key of size 11*257=2827 bits and AT-VOPRF of size 9*(257+2*256) = 6921 bits when using X25519. For the same situation, if we use a master seed to generate each daily signing key k_i = KDF(seed, date) and build a Merkle-tree with the daily keys K_i = [k_i] G as leaves, the public key is only the root of the tree of size 256 bits. The daily key can be sent over together with the path of hashes to prove that it is the correct key, and this will be of size 1 group element and 9 hashes, that is, 257+9*256 = 2561 bits. This could even be more optimized as most of the hashes in the path of two consecutive keys will be the same. Best, Tjerand PS! In a joint work with Martin Stand we have designed an extension of Privacy Pass that includes public metadata that has exactly the same communication cost as plain Privacy Pass. We will email this list as soon as the ePrint is available (we uploaded on Wednesday). On 15 Jan 2021, at 21:00, privacy-pass-request@ietf.org<mailto:privacy-pass-request@ietf.org> wrote: From: Subodh Iyengar <subodh@fb.com<mailto:subodh@fb.com>> Subject: [Privacy-pass] Details about PrivateStats Date: 15 January 2021 at 16:20:37 CET To: "privacy-pass@ietf.org<mailto:privacy-pass@ietf.org>" <privacy-pass@ietf.org<mailto:privacy-pass@ietf.org>> We presented the PrivateStats system at Real World Crypto yesterday we've been experimenting with at Facebook. Here's a link to the paper https://research.fb.com/privatestats and also a link to the talk https://www.youtube.com/watch?t=48&v=4eKwlSqGUi4&feature=youtu.be The paper and talk details some of the challenges productionizing a PrivacyPass style VOPRF. We also introduce a new construction to derive an attribute based VOPRF which is compatible with PrivacyPass VOPRFs. TL;DR: we change the way we derive the public key for the underlying VOPRF. An attribute (eg. a day or anything) is mapped -> {bit vector}. Then an attribute specific key is derived from the bit vector. The public key can be used directly in the VOPRF. Someone could later check that the public key was correctly derived from the attribute. An attribute based VOPRF might be a good addition to privacypass and allow binding attributes to the Public Keys used for PrivacyPass VOPRFs, and would love to chat more about developing this Thanks, Subodh Privacy-pass mailing list Privacy-pass@ietf.org<mailto:Privacy-pass@ietf.org> https://www.ietf.org/mailman/listinfo/privacy-pass
- [Privacy-pass] Details about PrivateStats Subodh Iyengar
- Re: [Privacy-pass] Details about PrivateStats Tjerand Silde
- Re: [Privacy-pass] Details about PrivateStats Ananth Raghunathan
- Re: [Privacy-pass] Details about PrivateStats Subodh Iyengar
- Re: [Privacy-pass] Details about PrivateStats Tjerand Silde
- Re: [Privacy-pass] Details about PrivateStats Ananth Raghunathan
- Re: [Privacy-pass] Details about PrivateStats Subodh Iyengar
- Re: [Privacy-pass] Details about PrivateStats Tjerand Silde