IETF Logo Mail Archive

Re: [Privacy-pass] Details about PrivateStats

Tjerand Silde <tjerand.silde@ntnu.no> Mon, 01 March 2021 18:55 UTC

Return-Path: <tjerand.silde@ntnu.no>
X-Original-To: privacy-pass@ietfa.amsl.com
Delivered-To: privacy-pass@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B02883A2105 for <privacy-pass@ietfa.amsl.com>; Mon, 1 Mar 2021 10:55:31 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.898
X-Spam-Level:
X-Spam-Status: No, score=-1.898 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id dkiC-azNgDty for <privacy-pass@ietfa.amsl.com>; Mon, 1 Mar 2021 10:55:28 -0800 (PST)
Received: from mailgw02.it.ntnu.no (mailgw02.it.ntnu.no [IPv6:2001:700:300:3::175]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0325A3A2142 for <privacy-pass@ietf.org>; Mon, 1 Mar 2021 10:55:27 -0800 (PST)
Received: from localhost (localhost [127.0.0.1]) by mailgw02.it.ntnu.no (Postfix) with ESMTP id 6D1C0802984; Mon, 1 Mar 2021 19:55:22 +0100 (CET)
X-Virus-Scanned: Debian amavisd-new at mailgw02.it.ntnu.no
Received: from mailgw02.it.ntnu.no ([127.0.0.1]) by localhost (mailgw02.it.ntnu.no [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id GdMBwOwvI1BE; Mon, 1 Mar 2021 19:55:20 +0100 (CET)
Received: from it-ex22.win.ntnu.no (it-ex22.it.ntnu.no [IPv6:2001:700:300:3::45]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mailgw02.it.ntnu.no (Postfix) with ESMTPS id 7AE7B8028D6; Mon, 1 Mar 2021 19:55:20 +0100 (CET)
Received: from it-ex18.win.ntnu.no (2001:700:300:3::12) by it-ex22.win.ntnu.no (2001:700:300:3::45) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.2.792.3; Mon, 1 Mar 2021 19:55:20 +0100
Received: from it-ex18.win.ntnu.no ([fe80::fd58:84f4:9f5c:97bb]) by it-ex18.win.ntnu.no ([fe80::fd58:84f4:9f5c:97bb%17]) with mapi id 15.02.0792.005; Mon, 1 Mar 2021 19:55:20 +0100
From: Tjerand Silde <tjerand.silde@ntnu.no>
To: Subodh Iyengar <subodh@fb.com>
CC: Ananth Raghunathan <ananthr@cs.stanford.edu>, "privacy-pass@ietf.org" <privacy-pass@ietf.org>
Thread-Topic: [Privacy-pass] Details about PrivateStats
Thread-Index: AQHXDSkUw53UAKq7HEKbeVOTJOHqV6psWJuAgALxzoCAACNagA==
Date: Mon, 01 Mar 2021 18:55:20 +0000
Message-ID: <18694625-A7BA-4EB7-85D3-8AB147F243B2@ntnu.no>
References: <mailman.84.1610740810.31869.privacy-pass@ietf.org> <B7836D6D-73E0-4FDB-9EE7-7CF630DF3E0F@ntnu.no> <CABbWz8D9LjUm0QK4dHScO9FvU3dv-tN-BqVoy-32icqS3Xm1iw@mail.gmail.com> <MW3PR15MB3881FD1FC196A4559883611CB69A9@MW3PR15MB3881.namprd15.prod.outlook.com>
In-Reply-To: <MW3PR15MB3881FD1FC196A4559883611CB69A9@MW3PR15MB3881.namprd15.prod.outlook.com>
Accept-Language: nb-NO, en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-mailer: Apple Mail (2.3654.60.0.2.21)
X-Ntnu-xOriginatingIp: [129.241.34.190]
Content-Type: multipart/alternative; boundary="_000_18694625A7BA4EB785D38AB147F243B2ntnuno_"
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/privacy-pass/VpWcoCIZa4xxuSecgcAPnMifgo8>
Subject: Re: [Privacy-pass] Details about PrivateStats
X-BeenThere: privacy-pass@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: <privacy-pass.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/privacy-pass>, <mailto:privacy-pass-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/privacy-pass/>
List-Post: <mailto:privacy-pass@ietf.org>
List-Help: <mailto:privacy-pass-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/privacy-pass>, <mailto:privacy-pass-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 01 Mar 2021 18:55:32 -0000

Dear Ananth, Subodh, all:

I agree that the AT-VOPRF is more useful for large domains, and that it guarantees fresh and unpredictable keys for each attribute. As I mentioned earlier, I like the construction a lot, and this is just a comment on the concrete efficiency in PrivateStats.

I also agree that one must publicly agree on which attribute is the correct one in each situation, for example by going through the leaf nodes in sequence left to right from a given date. But as far as I can understand, this is also needed in the AT-VOPRF construction. When you prove inclusion in the three you at the same time prove at which leaf node the public key is placed, and this would avoid the attack you mention.

The attribute public keys does indeed not have to be generated from the same master key, this is just to make it easier to store private keys on the server side. It does, as far as I can see, not affect security in any way.

It definitely makes sense to look into hash-based signatures and HIBE to see if the Merkle-tree approach can be extended to large domains, without having to generate all keys in advance. Very interesting idea.

Our paper is now available on ePrint, see new thread about the topic.

Best,
Tjerand

On 1 Mar 2021, at 17:48, Subodh Iyengar <subodh@fb.com<mailto:subodh@fb.com>> wrote:

I'm excited to read this paper as well. Please do share the eprint when it is available.

Putting the attribute keys on a merkle tree does make sense. One thing we need to be careful about is at least having 1 unique key per attribute on the merkle tree and not just proving inclusion in the tree.
For example, one could give (K1, attr1) to a user1 and (K2, attr1) to user2 in a regular tree. One nice part of having the AB-VOPRF as a PRF in privatestats is that we inherently get that property.

One open question, which I'm not sure whether it affects the security of the protocol itself, and could use further analysis,
is that having all attribute keys grouped in a merkle tree does prove that they are all related to the root, however, doesn't prove that they are derived from the master key.  However, that
might or might not matter to the security of privacypass, vs the security of the VOPRF.  Very interesting indeed.

Subodh
________________________________
From: Privacy-pass <privacy-pass-bounces@ietf.org<mailto:privacy-pass-bounces@ietf.org>> on behalf of Ananth Raghunathan <ananthr@cs.stanford.edu<mailto:ananthr@cs.stanford.edu>>
Sent: Saturday, February 27, 2021 11:50 AM
To: Tjerand Silde <tjerand.silde@ntnu.no<mailto:tjerand.silde@ntnu.no>>
Cc: privacy-pass@ietf.org<mailto:privacy-pass@ietf.org> <privacy-pass@ietf.org<mailto:privacy-pass@ietf.org>>
Subject: Re: [Privacy-pass] Details about PrivateStats

Tjerand, I'm excited to see the extension with public metadata -- looking forward to it. At a first glance, the idea of generating all attribute keys and committing to them through a Merkle tree seems to make sense and might offer a better tradeoff. I think where our construction is useful is when the domain is much larger (2^64 onwards, say). I do wonder though if there are ways to generate public keys (and corresponding secret keys) dynamically that can be "committed to" ahead of time with a Merkle tree-like construction. Do ideas from stateless hash-based signatures or HIBE constructions apply here?

Ananth



On Sat, 27 Feb 2021 at 08:53, Tjerand Silde <tjerand.silde@ntnu.no<mailto:tjerand.silde@ntnu.no>> wrote:
Dear Subodh, everyone:

Thank you for sharing your research, I find the AT-VOPRF to be a very nice construction and of independent interest. I watched your talk at RWC, but only recently had time to look at the details.

With regards to concrete efficiency in your situation, would it not be more efficient to combine Privacy Pass with a Merkle-tree to reduce communication?

Say, for simplicity, that you rotate keys every day in a year, then you could represent all attributes with N = ceil(log_2 365) = 9 bits. In my understanding, the public key then consists of 11 group elements (+ public parameters like group and generator which I ignore here) and the daily key + proof of correctness consists of 9 group elements and 9 Chaum-Pedersen proofs (+ the normal signature and C-H proof of correctness for the token). This gives you a public key of size 11*257=2827 bits and AT-VOPRF of size 9*(257+2*256) = 6921 bits when using X25519.

For the same situation, if we use a master seed to generate each daily signing key k_i = KDF(seed, date) and build a Merkle-tree with the daily keys K_i = [k_i] G as leaves, the public key is only the root of the tree of size 256 bits. The daily key can be sent over together with the path of hashes to prove that it is the correct key, and this will be of size 1 group element and 9 hashes, that is, 257+9*256 = 2561 bits. This could even be more optimized as most of the hashes in the path of two consecutive keys will be the same.

Best,
Tjerand

PS! In a joint work with Martin Stand we have designed an extension of Privacy Pass that includes public metadata that has exactly the same communication cost as plain Privacy Pass. We will email this list as soon as the ePrint is available (we uploaded on Wednesday).

On 15 Jan 2021, at 21:00, privacy-pass-request@ietf.org<mailto:privacy-pass-request@ietf.org> wrote:

From: Subodh Iyengar <subodh@fb.com<mailto:subodh@fb.com>>
Subject: [Privacy-pass] Details about PrivateStats
Date: 15 January 2021 at 16:20:37 CET
To: "privacy-pass@ietf.org<mailto:privacy-pass@ietf.org>" <privacy-pass@ietf.org<mailto:privacy-pass@ietf.org>>


We presented the PrivateStats system at Real World Crypto yesterday we've been experimenting with at Facebook.

Here's a link to the paper https://research.fb.com/privatestats and also a link to the talk https://www.youtube.com/watch?t=48&v=4eKwlSqGUi4&feature=youtu.be

The paper and talk details some of the challenges productionizing a PrivacyPass style VOPRF.
We also introduce a new construction to derive an attribute based VOPRF which is compatible with PrivacyPass VOPRFs.

TL;DR: we change the way we derive the public key for the underlying VOPRF. An attribute (eg. a day or anything) is mapped -> {bit vector}. Then an attribute specific key is derived from the bit vector. The public key can be used directly in the VOPRF. Someone could later check that the public key was correctly derived from the attribute.

An attribute based VOPRF might be a good addition to privacypass and allow binding attributes to the Public Keys used for PrivacyPass VOPRFs, and would love to chat more about developing this

Thanks,
Subodh



Privacy-pass mailing list
Privacy-pass@ietf.org<mailto:Privacy-pass@ietf.org>
https://www.ietf.org/mailman/listinfo/privacy-pass

--
Privacy-pass mailing list
Privacy-pass@ietf.org<mailto:Privacy-pass@ietf.org>
https://www.ietf.org/mailman/listinfo/privacy-pass

v2.23.0 | Report a Bug | By Email