IETF Logo Mail Archive

Re: [Privacy-pass] Details about PrivateStats

Subodh Iyengar <subodh@fb.com> Mon, 01 March 2021 16:49 UTC

Return-Path: <prvs=2694bc65b7=subodh@fb.com>
X-Original-To: privacy-pass@ietfa.amsl.com
Delivered-To: privacy-pass@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1E6983A1F67 for <privacy-pass@ietfa.amsl.com>; Mon, 1 Mar 2021 08:49:05 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.366
X-Spam-Level:
X-Spam-Status: No, score=-2.366 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.248, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=fb.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 7P8NKcuahJYr for <privacy-pass@ietfa.amsl.com>; Mon, 1 Mar 2021 08:49:02 -0800 (PST)
Received: from mx0a-00082601.pphosted.com (mx0a-00082601.pphosted.com [67.231.145.42]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B7C5D3A1F69 for <privacy-pass@ietf.org>; Mon, 1 Mar 2021 08:49:02 -0800 (PST)
Received: from pps.filterd (m0109333.ppops.net [127.0.0.1]) by mx0a-00082601.pphosted.com (8.16.0.43/8.16.0.43) with SMTP id 121Ge8M9012643; Mon, 1 Mar 2021 08:48:58 -0800
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=fb.com; h=from : to : cc : subject : date : message-id : references : in-reply-to : content-type : mime-version; s=facebook; bh=AZmBmxZMsNlrAe60eyE6ck0Xnq1uzku54sC/02uiBo4=; b=mYvAKmrDNHbg/ojHo2eve1XjdLois9QoEeoGXvmZVNNf1TfN4ptXekpYGCazPvvTjTSl GyZ3v+PzY44pq+8gET/Bsp1LefEiBudSfsRQaeBKo60xXaL8yW+stOIYEpDw3/+O6ZA2 0zrD8OnlKx/GpPU+MKn2713Zp2CsI8dWq7E=
Received: from maileast.thefacebook.com ([163.114.130.16]) by mx0a-00082601.pphosted.com with ESMTP id 3706m7ny1w-3 (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128 verify=NOT); Mon, 01 Mar 2021 08:48:58 -0800
Received: from NAM11-BN8-obe.outbound.protection.outlook.com (100.104.31.183) by o365-in.thefacebook.com (100.104.35.172) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.1979.3; Mon, 1 Mar 2021 08:48:49 -0800
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=ORdglxCMnhB5j+XFh44ikCo8uo6wmt2Db/zrQNMiADaYzN6ZBPMoGgvhsBo+DiYFQA8f989YexT+3oY90ZkG/i2skNJMHRD1mb71azi9l6VP4kzCkJa6fg2eiOiZ9+QDTkISxHh9QbqIoecU1etCdLMZoott74vPbw66FaehfYF1ZPJE6IA42tOj+1X4cpnr/jnEK4C56KeZUQuUt1TuyVU/x9UdR0eZQhTzCXuB0369lf8x7NXcu3GXXbSolpI4bex5ZoHH4PforRx6sLQHl4a/N9gGpa0rZnNhVXZ0t34NcpX9bpZfJI6hIePQPDBbH8UzGjleS1bOLpvRIUaAbQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=DWNty0xmZ/ZTM2p7Mlt7sIhmHiZ0bxHgAsyekGi1iRY=; b=lPDOa1Snzd8VCcAh8GO/ZXbAdCf7tW6TZxG9clHHj4zJmuuq28fzDPdfiF3fAGKncjJjeVpE+NO81ZY2ReWKawUV/qIr08I97839ZrA3pW5AXFMIuGHG1JpaO+5MkHvus+xAma5ZdHrjP0MIHX5cjDY4pBw7gS57DWc8vikrRAXX1pjdhAOv6h/aJY202o0NNU8bxqlk6W6xT6EzmQtSmDhPZk/bmLpTWrY0vq/xQ4JoG9AMK6+0XMqpanSwL4r6do58vtlpiLqB7gedPU9zr0Rc5tQoX/x/B5IRDQUznUC0Xbghc6YvEMb3Asz+0VfnnBHb3sMcCX29QeuzK0vfkQ==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=fb.com; dmarc=pass action=none header.from=fb.com; dkim=pass header.d=fb.com; arc=none
Received: from MW3PR15MB3881.namprd15.prod.outlook.com (2603:10b6:303:4a::23) by MWHPR15MB1149.namprd15.prod.outlook.com (2603:10b6:320:24::9) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.3890.23; Mon, 1 Mar 2021 16:48:47 +0000
Received: from MW3PR15MB3881.namprd15.prod.outlook.com ([fe80::f165:51d:320a:3f7c]) by MW3PR15MB3881.namprd15.prod.outlook.com ([fe80::f165:51d:320a:3f7c%5]) with mapi id 15.20.3890.028; Mon, 1 Mar 2021 16:48:47 +0000
From: Subodh Iyengar <subodh@fb.com>
To: Ananth Raghunathan <ananthr@cs.stanford.edu>, Tjerand Silde <tjerand.silde@ntnu.no>
CC: "privacy-pass@ietf.org" <privacy-pass@ietf.org>
Thread-Topic: [Privacy-pass] Details about PrivateStats
Thread-Index: AQHXDSkUCjjV6pXmxk6nEr0CxbKI+apsaV+AgALplqo=
Date: Mon, 01 Mar 2021 16:48:47 +0000
Message-ID: <MW3PR15MB3881FD1FC196A4559883611CB69A9@MW3PR15MB3881.namprd15.prod.outlook.com>
References: <mailman.84.1610740810.31869.privacy-pass@ietf.org> <B7836D6D-73E0-4FDB-9EE7-7CF630DF3E0F@ntnu.no>, <CABbWz8D9LjUm0QK4dHScO9FvU3dv-tN-BqVoy-32icqS3Xm1iw@mail.gmail.com>
In-Reply-To: <CABbWz8D9LjUm0QK4dHScO9FvU3dv-tN-BqVoy-32icqS3Xm1iw@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: cs.stanford.edu; dkim=none (message not signed) header.d=none;cs.stanford.edu; dmarc=none action=none header.from=fb.com;
x-originating-ip: [2600:1700:5430:29ef:1803:fdc0:40f6:e5d0]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: 07df802f-f397-4f0e-ab7f-08d8dcd1e286
x-ms-traffictypediagnostic: MWHPR15MB1149:
x-ms-exchange-minimumurldomainage: youtube.com#5858
x-microsoft-antispam-prvs: <MWHPR15MB11496725359364E47091ABD0B69A9@MWHPR15MB1149.namprd15.prod.outlook.com>
x-fb-source: Internal
x-ms-oob-tlc-oobclassifiers: OLM:10000;
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: 9+z0BHh4mnPDN8M4RKi6DvU8oQ89cYKIMzDek3fVVDMC/pZhyn1EQaGyUzoQZ7cC2uiU+7zbidpKC2YIQukOKs7+88udoJo8Xit4rP1PuGnOR7PEFZHg5AUeE4No+8aEHDsjD8FJD9uugK67Tge2dFmjGaSdbIfpkJVWp3h57C+iUKjIpafcGOcPvqgV1FIRGuyXRFhKu3c8wGik3f58gVhtcRc276pypiLc+/FpyKejPUjGq2h9S1M6lDuVGaW34iqnIkpFvyhnmiwPCesfre424t90CaO1P140OYFas4onQOvRUn0HJBYYf8o9E+2BzhpYRdnAFexKG+5EP9h5EVlyhRyxEnoHo0lfEC4U45mkJud1ems6HeFAnThuFmrr1pqaMtVkuRUWrpFRqnO1Pb4XMqd2cr+9FQ+EFOsyglAJexyxfhBo5+gHArJczyBcZh82wTukK43LJzQssvem8ylReNnFUlRwVv9u2jh0SO10e/dl7mc3oxFyVD7/v7KJM2nS3T16XlGQICeN/DgDJjDGtgkJtcEWrTdzKYndsStMrYtSGB0BqMm6w3XYwtZRAQpQ8+IWLynU77SL/qA8Tk4XK7dIPAgFMyKLT93herU=
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:MW3PR15MB3881.namprd15.prod.outlook.com; PTR:; CAT:NONE; SFS:(346002)(376002)(39860400002)(366004)(136003)(396003)(33656002)(91956017)(8936002)(19627405001)(9686003)(5660300002)(53546011)(8676002)(55016002)(110136005)(76116006)(316002)(86362001)(2906002)(66556008)(66476007)(7696005)(966005)(186003)(83380400001)(478600001)(71200400001)(166002)(6506007)(52536014)(64756008)(66946007)(66446008)(4326008); DIR:OUT; SFP:1102;
x-ms-exchange-antispam-messagedata: 1Na6UUsQmI+IYlCm1Geg/ObyVCTXJgVIaB9SUUWKCtmsakDpQ+6cT+Af02rqqyFN6FcIJCwYrd6fUfZlkEhM66xplAeZGls8fxOu5jZKPWATT3AsWeytwy2JkV3FXotedaz4EdghYPdsl4yM5AjmbjCAVaCWJXPCk/zs5XKfsxQxRGfko4aH0AtVU52BqnsZ/IUlYelmWU0aJ1cT6IpOu+flOVcxcue1QLFTu7gWUmtOVQLmfFTjrKPL1T6c7MM9q8b+SbMJtUABUP71X8jaybTeVsEHkoXw7FH2Upi7opmcuMZdXwnQo1Qc+q01J44BARLuqT0rNlpT5A0si/P+Rx9NvzNbjawP70ViMmXMJc6L0C5eK5PXW/XJMFsZb8Gn82qWQT/sBMntlzgS7bUdVmuuMr9gTDbRM8BheqL3c/4eoQEG5pauYLIqN9JwabGDG5Q/Br4JdcwqpCYLBFFNdGp6YiuDTGtJMPxUQjRbVIilelohhnB4IV80545RLtgG3utKd94tmmchYtiSY1ygy/yc+gHUy5+yxoGN6qmlsHtCAiDYFDQairxwv/OB58Yt6BR4zTqgkTwp+Iudsmwr5+fJ1H0DK/fQ9KQmwZReVzB+KBzDaXG18YkImRQyH5ILUsqv8ncTkwINVorraNsRAKD2YLFXlHrYqWkCk3WcSZJIrZLXPR7dAM+U4EjFEOy7aupzIP4Bo+tQY9qRz3yiThgM57b9Fg9KSGkCnBwOTAca00RQbI4+J4mSeYhMtBDF0q77RORXbl/bg4uY42mYq3C+NlD+DIR0ASGSo4R1sLOF3jisbkN63x1cnKO4WLB/WuYKvMDFGNz2bQgLEOgd7FFmcRBJCSUTtuyUq7j4SMW8ysb37YBPr5t2nRderYXw+rFZVS1ldylMym7NlK7qwrNzlvLakN8UbejjploHfPOQYIZ1vhlo4ItJXtryWSqIb4n58kTPwoEZrE2spk6xq2u9nWZoj89LoBFTE4V1OikifvIvoHKuniBDDkoiZT0EEnXaMCKgiDun07wm9Ae9qoiriGSWtm0lHwfwG5DZa9e5qFOduNly2U8yKlDZe8pZYoDpK6b5H8lY5L3SQIA9lb84JF1704CA/AOU7Xqw8XIUg896IOyBruiD5ejRSoK9QMtgNzf4uD2r0EbpBr9ON/R9PAu0jB9o0tJHyTI0Vn3Bw9d3Ay3UT/DTzm+J90qR5g19tt2iyaxEzNd/fTM+wGRhjJ70NqdzdkFZaHXQEKdP+MH/oUWk0NGB6Fs6YzXKh9UcWwDOyLJ15wF5chga+xaIn/Zfe2ZpzhidzxRe14J9s4h9lRn97v7Q9tJJdW3bf1Yv4nXKVdEBJfkUQEytNDzl3gUqCddG35ZO3/C8dQU=
x-ms-exchange-transport-forked: True
Content-Type: multipart/alternative; boundary="_000_MW3PR15MB3881FD1FC196A4559883611CB69A9MW3PR15MB3881namp_"
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: MW3PR15MB3881.namprd15.prod.outlook.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 07df802f-f397-4f0e-ab7f-08d8dcd1e286
X-MS-Exchange-CrossTenant-originalarrivaltime: 01 Mar 2021 16:48:47.8920 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 8ae927fe-1255-47a7-a2af-5f3a069daaa2
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: Ta3xGXDoT6F2WZsVF4BVeFD9k0GQLBSyFp/Dp7BCBqzIX3R/8ShKIM5m3V/ux9+q
X-MS-Exchange-Transport-CrossTenantHeadersStamped: MWHPR15MB1149
X-OriginatorOrg: fb.com
X-Proofpoint-UnRewURL: 4 URL's were un-rewritten
MIME-Version: 1.0
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:6.0.369, 18.0.761 definitions=2021-03-01_11:2021-03-01, 2021-03-01 signatures=0
X-Proofpoint-Spam-Details: rule=fb_default_notspam policy=fb_default score=0 clxscore=1011 impostorscore=0 mlxscore=0 spamscore=0 bulkscore=0 priorityscore=1501 lowpriorityscore=0 suspectscore=0 adultscore=0 phishscore=0 mlxlogscore=999 malwarescore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.12.0-2009150000 definitions=main-2103010136
X-FB-Internal: deliver
Archived-At: <https://mailarchive.ietf.org/arch/msg/privacy-pass/QW9BorVPzlm5r_ePHfvatGX1e4g>
Subject: Re: [Privacy-pass] Details about PrivateStats
X-BeenThere: privacy-pass@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: <privacy-pass.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/privacy-pass>, <mailto:privacy-pass-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/privacy-pass/>
List-Post: <mailto:privacy-pass@ietf.org>
List-Help: <mailto:privacy-pass-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/privacy-pass>, <mailto:privacy-pass-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 01 Mar 2021 16:49:05 -0000

I'm excited to read this paper as well. Please do share the eprint when it is available.

Putting the attribute keys on a merkle tree does make sense. One thing we need to be careful about is at least having 1 unique key per attribute on the merkle tree and not just proving inclusion in the tree.
For example, one could give (K1, attr1) to a user1 and (K2, attr1) to user2 in a regular tree. One nice part of having the AB-VOPRF as a PRF in privatestats is that we inherently get that property.

One open question, which I'm not sure whether it affects the security of the protocol itself, and could use further analysis,
is that having all attribute keys grouped in a merkle tree does prove that they are all related to the root, however, doesn't prove that they are derived from the master key.  However, that
might or might not matter to the security of privacypass, vs the security of the VOPRF.  Very interesting indeed.

Subodh
________________________________
From: Privacy-pass <privacy-pass-bounces@ietf.org> on behalf of Ananth Raghunathan <ananthr@cs.stanford.edu>
Sent: Saturday, February 27, 2021 11:50 AM
To: Tjerand Silde <tjerand.silde@ntnu.no>
Cc: privacy-pass@ietf.org <privacy-pass@ietf.org>
Subject: Re: [Privacy-pass] Details about PrivateStats

Tjerand, I'm excited to see the extension with public metadata -- looking forward to it. At a first glance, the idea of generating all attribute keys and committing to them through a Merkle tree seems to make sense and might offer a better tradeoff. I think where our construction is useful is when the domain is much larger (2^64 onwards, say). I do wonder though if there are ways to generate public keys (and corresponding secret keys) dynamically that can be "committed to" ahead of time with a Merkle tree-like construction. Do ideas from stateless hash-based signatures or HIBE constructions apply here?

Ananth



On Sat, 27 Feb 2021 at 08:53, Tjerand Silde <tjerand.silde@ntnu.no<mailto:tjerand.silde@ntnu.no>> wrote:
Dear Subodh, everyone:

Thank you for sharing your research, I find the AT-VOPRF to be a very nice construction and of independent interest. I watched your talk at RWC, but only recently had time to look at the details.

With regards to concrete efficiency in your situation, would it not be more efficient to combine Privacy Pass with a Merkle-tree to reduce communication?

Say, for simplicity, that you rotate keys every day in a year, then you could represent all attributes with N = ceil(log_2 365) = 9 bits. In my understanding, the public key then consists of 11 group elements (+ public parameters like group and generator which I ignore here) and the daily key + proof of correctness consists of 9 group elements and 9 Chaum-Pedersen proofs (+ the normal signature and C-H proof of correctness for the token). This gives you a public key of size 11*257=2827 bits and AT-VOPRF of size 9*(257+2*256) = 6921 bits when using X25519.

For the same situation, if we use a master seed to generate each daily signing key k_i = KDF(seed, date) and build a Merkle-tree with the daily keys K_i = [k_i] G as leaves, the public key is only the root of the tree of size 256 bits. The daily key can be sent over together with the path of hashes to prove that it is the correct key, and this will be of size 1 group element and 9 hashes, that is, 257+9*256 = 2561 bits. This could even be more optimized as most of the hashes in the path of two consecutive keys will be the same.

Best,
Tjerand

PS! In a joint work with Martin Stand we have designed an extension of Privacy Pass that includes public metadata that has exactly the same communication cost as plain Privacy Pass. We will email this list as soon as the ePrint is available (we uploaded on Wednesday).

On 15 Jan 2021, at 21:00, privacy-pass-request@ietf.org<mailto:privacy-pass-request@ietf.org> wrote:

From: Subodh Iyengar <subodh@fb.com<mailto:subodh@fb.com>>
Subject: [Privacy-pass] Details about PrivateStats
Date: 15 January 2021 at 16:20:37 CET
To: "privacy-pass@ietf.org<mailto:privacy-pass@ietf.org>" <privacy-pass@ietf.org<mailto:privacy-pass@ietf.org>>


We presented the PrivateStats system at Real World Crypto yesterday we've been experimenting with at Facebook.

Here's a link to the paper https://research.fb.com/privatestats and also a link to the talk https://www.youtube.com/watch?t=48&v=4eKwlSqGUi4&feature=youtu.be

The paper and talk details some of the challenges productionizing a PrivacyPass style VOPRF.
We also introduce a new construction to derive an attribute based VOPRF which is compatible with PrivacyPass VOPRFs.

TL;DR: we change the way we derive the public key for the underlying VOPRF. An attribute (eg. a day or anything) is mapped -> {bit vector}. Then an attribute specific key is derived from the bit vector. The public key can be used directly in the VOPRF. Someone could later check that the public key was correctly derived from the attribute.

An attribute based VOPRF might be a good addition to privacypass and allow binding attributes to the Public Keys used for PrivacyPass VOPRFs, and would love to chat more about developing this

Thanks,
Subodh



Privacy-pass mailing list
Privacy-pass@ietf.org<mailto:Privacy-pass@ietf.org>
https://www.ietf.org/mailman/listinfo/privacy-pass<https://www.ietf.org/mailman/listinfo/privacy-pass>

--
Privacy-pass mailing list
Privacy-pass@ietf.org<mailto:Privacy-pass@ietf.org>
https://www.ietf.org/mailman/listinfo/privacy-pass<https://www.ietf.org/mailman/listinfo/privacy-pass>

v2.23.0 | Report a Bug | By Email