[{"author": "dkg", "text": "ppm@jabber.ietf.org
", "time": "2022-03-25T11:29:58Z"}, {"author": "Chris Lemmons", "text": "It's very, very morning around here, but it's Friday, so I'm calling it a good one. :D
", "time": "2022-03-25T11:30:05Z"}, {"author": "Christopher Patton", "text": "Every morning is a good morning to get out of the way of user data
", "time": "2022-03-25T11:30:28Z"}, {"author": "Jonathan Lennox", "text": "It's afternoon in Vienna!
", "time": "2022-03-25T11:30:31Z"}, {"author": "Richard Barnes", "text": "sun has finally risen here!
", "time": "2022-03-25T11:30:38Z"}, {"author": "npd", "text": "ha, had just mistyped before, thank you dkg for confirming
", "time": "2022-03-25T11:30:41Z"}, {"author": "Richard Barnes", "text": "https://www.youtube.com/watch?v=-rh8gMvzPw0
", "time": "2022-03-25T11:31:00Z"}, {"author": "jhoyla", "text": "The door needs a keycard to close
", "time": "2022-03-25T11:31:03Z"}, {"author": "jhoyla", "text": "Even though it's a firedoor
", "time": "2022-03-25T11:31:08Z"}, {"author": "mnot", "text": "someone has a fair amount of background noise
", "time": "2022-03-25T11:31:14Z"}, {"author": "mnot", "text": "ben perhaps
", "time": "2022-03-25T11:31:25Z"}, {"author": "Joseph Salowey", "text": "The room door is open
", "time": "2022-03-25T11:32:10Z"}, {"author": "Joseph Salowey", "text": "working on getting it closed
", "time": "2022-03-25T11:32:20Z"}, {"author": "Christopher Patton", "text": "I hear Ben's gchat blowin' up
", "time": "2022-03-25T11:33:21Z"}, {"author": "Eric Orth", "text": "I think I'm finally now at the end of the week starting to get used to these early hours.  Means I'll now be super jetlagged all weekend and into next week.
", "time": "2022-03-25T11:33:22Z"}, {"author": "sftcd", "text": "the note well's not legally binding, it's about legally binding stuff
", "time": "2022-03-25T11:34:58Z"}, {"author": "mnot", "text": "and policies that are not legally binding, but may have consequences for your participation
", "time": "2022-03-25T11:35:26Z"}, {"author": "Christopher Patton", "text": "Looking forward to the STAR draft!
", "time": "2022-03-25T11:36:17Z"}, {"author": "Suzanne Woolf", "text": "OK so maybe just call it \"stuff you'll be held accountable for knowing, legally or otherwise, as appropriate\"?
", "time": "2022-03-25T11:36:30Z"}, {"author": "Tommy Jensen", "text": "@eric relatable.
", "time": "2022-03-25T11:37:11Z"}, {"author": "Sean Turner", "text": "@EricO: yep and I never left the house ;)
", "time": "2022-03-25T11:37:25Z"}, {"author": "Rich Salz", "text": "Jetlag at home is the best kind of jetlag
", "time": "2022-03-25T11:41:53Z"}, {"author": "Robin Wilton", "text": "It's useful to complete the slide title (or Slide 4), IMO: \"This information is very useful...\" to some stakeholders that may or may not include the data subject...
", "time": "2022-03-25T11:42:47Z"}, {"author": "Robin Wilton", "text": "*on, not \"or\"
", "time": "2022-03-25T11:43:04Z"}, {"author": "Christopher Patton", "text": "(... but we would like to be able to support ML apps :)
", "time": "2022-03-25T11:45:23Z"}, {"author": "sftcd", "text": "Is it really acceptable for random internet entities to be interested in measuring \"user interests\"? IMO it's none of their business
", "time": "2022-03-25T11:48:02Z"}, {"author": "Christopher Patton", "text": "I'd argue they're doing this anyway, so we should make it as convenient as possible to allow them to do it in a privacy preserving way
", "time": "2022-03-25T11:49:08Z"}, {"author": "Dan McArdle", "text": "Does any browser actually pay attention to rage clicking or was that just an example?
", "time": "2022-03-25T11:49:25Z"}, {"author": "Chris Lemmons", "text": "Yeah, in a lot of ways this seems to be an attempt at harm reduction.
", "time": "2022-03-25T11:49:31Z"}, {"author": "dkg", "text": "harm reduction only works if the other methods are *also* not used
", "time": "2022-03-25T11:49:47Z"}, {"author": "Alissa Cooper", "text": "it's not going to stop whether ppm exists or not, and it might be improved via ppm's existence
", "time": "2022-03-25T11:49:48Z"}, {"author": "sftcd", "text": "@chrisP: I disagree
", "time": "2022-03-25T11:49:48Z"}, {"author": "sftcd", "text": "I do like the idea of ppm, but, while it's v. tricky, if we ever have a choice, we ought veer towards only supporting sensible (non-intrusive) measurements
", "time": "2022-03-25T11:50:50Z"}, {"author": "npd", "text": "gathering a list of sites that are running fingerprinting scripts doesn't seem like it especially needs aggregation
", "time": "2022-03-25T11:51:16Z"}, {"author": "Samuel Weiler", "text": "npd: we still want to avoid knowing which users went to those sites.
", "time": "2022-03-25T11:51:43Z"}, {"author": "Shivan Sahib", "text": "why can't that just be done by a crawler
", "time": "2022-03-25T11:52:03Z"}, {"author": "npd", "text": "@weiler: sure! but that might suggest a different set of possible solutions (ohai, proxies, etc.)
", "time": "2022-03-25T11:52:28Z"}, {"author": "Samuel Weiler", "text": "shivan: possibly, because of the VW emissions scandal.  sites doing FP might try to dadge detection
", "time": "2022-03-25T11:52:32Z"}, {"author": "npd", "text": "(ha, ekr's slides have caught up with my suggestion)
", "time": "2022-03-25T11:53:00Z"}, {"author": "Samuel Weiler", "text": "*dodge.  Not Dodge, though that might be appropriate, too.
", "time": "2022-03-25T11:53:42Z"}, {"author": "kaduk@jabber.org/barnowl", "text": "Doge?
", "time": "2022-03-25T11:54:36Z"}, {"author": "Robin Wilton", "text": "Removing technical obstacles to better (more privacy-respecting) practice raises the \"best practice\" bar, but doesn't force anyone to adopt best practice. That needs motivations other than  the availability of a technical solution.
", "time": "2022-03-25T11:57:02Z"}, {"author": "Christopher Patton", "text": "well said.
", "time": "2022-03-25T11:57:20Z"}, {"author": "sftcd", "text": "this slide should win a prize for most optimistic slide-title:-)
", "time": "2022-03-25T11:57:27Z"}, {"author": "Robin Wilton", "text": "(In that sense, PPM is either a necessary but insufficient condition of better behaviour, or if you're more cynical, an unnecessary and insufficient condition of better behaviour.)
", "time": "2022-03-25T11:58:24Z"}, {"author": "Christopher Patton", "text": "I think the same can be said for TLS/HTTPS adoption
", "time": "2022-03-25T11:58:57Z"}, {"author": "Christopher Patton", "text": "Recall where we were in 2013
", "time": "2022-03-25T11:59:16Z"}, {"author": "kaduk@jabber.org/barnowl", "text": "mathbb{F}_p is maybe not elementary-school math...
", "time": "2022-03-25T12:00:07Z"}, {"author": "Rich Salz", "text": "I think there's a difference, TLS is direct user-server; this has vaguer involvement from the user
", "time": "2022-03-25T12:00:10Z"}, {"author": "Tommy Pauly", "text": "Yeah it doesn't look like what I did in my elementary school classes =)
", "time": "2022-03-25T12:00:35Z"}, {"author": "Christopher Patton", "text": "True enough. Where I think they're analogous is that there were barriers to adopt TLS that were non-technical.
", "time": "2022-03-25T12:00:47Z"}, {"author": "Robin Wilton", "text": "@sftcd Yes, it's optimistic, but at least it hints at the reality, which is that the trust relationships between client-proxy, proxy-target, and client-target are not identical - which is a really important starting point.
", "time": "2022-03-25T12:00:48Z"}, {"author": "Jonathan Lennox", "text": "But the fact that it's a finite field isn't actually necessary, you can just use the integers.  The finite field just gives you bounds.
", "time": "2022-03-25T12:00:49Z"}, {"author": "dkg", "text": "Naranayan's talk a few IETFs ago pointed out that moderate technical improvements can still be powerful when they are backed by social norms or regulatory pressure.
", "time": "2022-03-25T12:00:52Z"}, {"author": "Christopher Patton", "text": "@Jonathan Lennox, a finite field is necessary for \"input validation\", which EKR will describe soon (I think)
", "time": "2022-03-25T12:01:34Z"}, {"author": "Christopher Patton", "text": "... and here we are
", "time": "2022-03-25T12:02:01Z"}, {"author": "Rich Salz", "text": "@dkg ++
", "time": "2022-03-25T12:02:04Z"}, {"author": "dkg", "text": "the most idealistic scenario for this would be if the presence of this protocol were to give regulators a reason to formally deprecate or penalize non-ppm collection
", "time": "2022-03-25T12:02:08Z"}, {"author": "Christopher Patton", "text": "+1
", "time": "2022-03-25T12:02:24Z"}, {"author": "kaduk@jabber.org/barnowl", "text": "Hmm, I wonder how effective a proxy it is to reject <100cm height and
get as a side effect no data from people under 13.
", "time": "2022-03-25T12:03:42Z"}, {"author": "Robin Wilton", "text": "@dkg +1 (twice)
", "time": "2022-03-25T12:04:08Z"}, {"author": "Christopher Patton", "text": "Poplar [BBCG+21] -> https://eprint.iacr.org/2021/017
", "time": "2022-03-25T12:05:29Z"}, {"author": "Samuel Weiler", "text": "setting bounds seems fraught.
", "time": "2022-03-25T12:06:55Z"}, {"author": "kaduk@jabber.org/barnowl", "text": "I guess that sounds like it's \"don't learn (trust us)\" the long-tail
URLs, rather than \"can't learn\" by virtue of math.
", "time": "2022-03-25T12:07:20Z"}, {"author": "npd", "text": "the presence/timing of a report might be revealing, for some cases like errors
", "time": "2022-03-25T12:07:23Z"}, {"author": "Shivan Sahib", "text": "npd: you can batch reports
", "time": "2022-03-25T12:08:00Z"}, {"author": "Tim Geoghegan", "text": "@npd that's right, which is why clients should upload reports on a consistent cadence, and report the absence of an event as well as the presence of one
", "time": "2022-03-25T12:08:29Z"}, {"author": "Martin Thomson", "text": "minimum batch sizes don't help much if you allow multiple queries (sybil attacks count)
", "time": "2022-03-25T12:08:35Z"}, {"author": "npd", "text": "Shivan Sahib_web_853: +1. just reminding myself that we'll need those protections (and analysis of which works when)
", "time": "2022-03-25T12:08:49Z"}, {"author": "Christopher Patton", "text": ":clap: :clap:
", "time": "2022-03-25T12:09:31Z"}, {"author": "npd", "text": "thanks ekr for that, very useful overview
", "time": "2022-03-25T12:10:04Z"}, {"author": "Dan McArdle", "text": "Excellent presentation, thank you, ekr!
", "time": "2022-03-25T12:10:16Z"}, {"author": "Robin Wilton", "text": "Unbatched reports would probably give privacy-eroding data about timezones/traffic patterns. Even batched reports might imply something about when the client system thinks it's a good time to do a batch task (e.g. 2am every Tuesday...)
", "time": "2022-03-25T12:10:54Z"}, {"author": "Robin Wilton", "text": "+1 EKR; thanks - this was good at the BoF, and a refresher is very useful indeed.
", "time": "2022-03-25T12:11:17Z"}, {"author": "Sean Turner", "text": "+1 to Dan
", "time": "2022-03-25T12:12:58Z"}, {"author": "Sean Turner", "text": "no this is clear!
", "time": "2022-03-25T12:15:03Z"}, {"author": "dkg", "text": "fwiw, this is also slide 23 of the previous presentation: https://datatracker.ietf.org/meeting/113/materials/slides-113-ppm-ppm-overview/
", "time": "2022-03-25T12:15:08Z"}, {"author": "Dan McArdle", "text": "Why are Leader and Helper both blue?
", "time": "2022-03-25T12:15:08Z"}, {"author": "sftcd", "text": "can a client ever get to pick its preferred leader?
", "time": "2022-03-25T12:15:11Z"}, {"author": "Christopher Wood", "text": "@Dan they're both aggregators
", "time": "2022-03-25T12:15:18Z"}, {"author": "ekr@jabber.org", "text": "@sftcd: no, that won't work
", "time": "2022-03-25T12:15:32Z"}, {"author": "Dan McArdle", "text": "Ah, both aggregators, but not the same real-life entities?
", "time": "2022-03-25T12:15:36Z"}, {"author": "Martin Thomson", "text": "my expectation is that servers will be configured/chosen/etc in pairs.
", "time": "2022-03-25T12:15:40Z"}, {"author": "Christopher Wood", "text": "Right
", "time": "2022-03-25T12:15:40Z"}, {"author": "ekr@jabber.org", "text": "Precisely
", "time": "2022-03-25T12:16:47Z"}, {"author": "npd", "text": "I think there are necessarily multiple non-colluding helpers, not just 1 leader and 1 helper, right?
", "time": "2022-03-25T12:17:01Z"}, {"author": "sftcd", "text": "@ekr: I need to think about it, but not sure I agree with \"won't work\" (I do agree that it'd be harder and maybe too unreliable)
", "time": "2022-03-25T12:17:25Z"}, {"author": "Robin Wilton", "text": "@Martin I think one would also expect a pairwise relationship between them in terms of terms of service, contracts, liability etc..
", "time": "2022-03-25T12:17:38Z"}, {"author": "dkg", "text": "npd: yes, there are multiple helpers
", "time": "2022-03-25T12:17:41Z"}, {"author": "Tim Geoghegan", "text": "At the moment the specification supports two aggregators, one leader plus one helper. More helpers means lower probability of every aggregator defecting and hence \"more\" privacy, but more helpers is also much harder to coordinate.
", "time": "2022-03-25T12:18:01Z"}, {"author": "David Oliver", "text": "so in reality client trust also has to extend to helper, yes?
", "time": "2022-03-25T12:18:08Z"}, {"author": "Sean Turner", "text": "We should add a (s) to the box
", "time": "2022-03-25T12:18:08Z"}, {"author": "Christopher Wood", "text": "@npd Some VDAFs only work with two aggregators
", "time": "2022-03-25T12:18:10Z"}, {"author": "Christopher Wood", "text": "like Poplar
", "time": "2022-03-25T12:18:14Z"}, {"author": "jhoyla", "text": "Don't worry @ChrisP, ekr's questions can stump me even in the middle of the day ;)
", "time": "2022-03-25T12:18:28Z"}, {"author": "dkg", "text": "Tim: there is no \"aggregator\" in the current slide
", "time": "2022-03-25T12:18:36Z"}, {"author": "ekr@jabber.org", "text": "@sftcd: the leader doesn't have any special powers from the user's perspective
", "time": "2022-03-25T12:18:38Z"}, {"author": "npd", "text": "ah, so the leader counts as an aggregator itself, it doesn't just distribute it to multiple other helper aggregators?
", "time": "2022-03-25T12:18:38Z"}, {"author": "Samuel Weiler", "text": "The client will know the identity of the helper(s), even if they don't get to choose them, though, right?
", "time": "2022-03-25T12:18:45Z"}, {"author": "Christopher Wood", "text": "@dkg blue entities on this slide are aggregators
", "time": "2022-03-25T12:18:54Z"}, {"author": "ekr@jabber.org", "text": "@Samuel: correct
", "time": "2022-03-25T12:18:54Z"}, {"author": "dkg", "text": "ekr: sure the leader does : they can hold out the user's data from some peer, right?
", "time": "2022-03-25T12:19:00Z"}, {"author": "kaduk@jabber.org/barnowl", "text": "The client has to encrypt to the helpers, so it knows something about
them
", "time": "2022-03-25T12:19:06Z"}, {"author": "ekr@jabber.org", "text": "@dkg: sorry, yes, that's a good point.
", "time": "2022-03-25T12:19:16Z"}, {"author": "Jonathan Lennox", "text": "How can helpers validate that the client is sending the correlating values to each helper?  I.e. I can see how I can verify that if I'm sending x+R to H1, and x-R to H2, that 100<=x<=200, but how do you validate that I haven't sent x+R1 to H1, and x-R2 to H2, thus poisoning the aggregate with (R1-R2)?
", "time": "2022-03-25T12:19:17Z"}, {"author": "kaduk@jabber.org/barnowl", "text": "Hopefully none of the slides will have aggravators on them
", "time": "2022-03-25T12:19:24Z"}, {"author": "ekr@jabber.org", "text": "@Jonathan: that's how the ZKP works
", "time": "2022-03-25T12:19:33Z"}, {"author": "Jonathan Lennox", "text": "So the aggregators have to correlate their ZKPs?
", "time": "2022-03-25T12:19:49Z"}, {"author": "Tim Geoghegan", "text": "The client encrypts report shares to public keys advertised by each aggregator. Even if report shares are transmitted through the helper, there's an authenticated+confidential channel from client to helper.
", "time": "2022-03-25T12:20:01Z"}, {"author": "kaduk@jabber.org/barnowl", "text": "The aggregators have to collaborate to validate the ZKP of each
submission
", "time": "2022-03-25T12:20:20Z"}, {"author": "jhoyla", "text": "@Jonathan IIUC they run an MPC protocol to verify the ZKP.
", "time": "2022-03-25T12:20:20Z"}, {"author": "Tim Geoghegan", "text": "*transmitted through the leader
", "time": "2022-03-25T12:20:20Z"}, {"author": "ekr@jabber.org", "text": "@Lennox: they each get a share of the ZKP. The ZKP verification demonstrates that S1 + S2 is correct
", "time": "2022-03-25T12:20:21Z"}, {"author": "Phillipp Schoppmann", "text": "@Jonathan that's what the VDAF draft in the CFRG specifies: verification protocols for the helpers to jointly check that the client submission is well-formed
", "time": "2022-03-25T12:20:22Z"}, {"author": "Samuel Weiler", "text": "@Kaduk: that's a terrible name for an adversary.  We should so totally use it, eh?
", "time": "2022-03-25T12:20:28Z"}, {"author": "Massimiliano Pala", "text": "Can the client know which type of aggregation is being done and then \"pre-mix\" noise to the measurement to allow for a LWE type of approach, i.e. signal + noise <--- still in the acceptable range but already w/ randomness added
", "time": "2022-03-25T12:20:31Z"}, {"author": "ekr@jabber.org", "text": "@Max: yes.
", "time": "2022-03-25T12:20:38Z"}, {"author": "Christopher Wood", "text": "@dkg see above in chat -- blue entities are aggregators
", "time": "2022-03-25T12:20:46Z"}, {"author": "ekr@jabber.org", "text": "In fact, the client has to know to properly encode the data
", "time": "2022-03-25T12:21:04Z"}, {"author": "Jonathan Lennox", "text": "I assume either the leader individually or the aggregators jointly also jointly do things like validating that someone isn't bogusly contributing 100 million data points?
", "time": "2022-03-25T12:21:55Z"}, {"author": "Mariana Raykova", "text": "I didn't mean just this option
", "time": "2022-03-25T12:22:28Z"}, {"author": "jhoyla", "text": "@Jonathan I think the document talks about Sybil attacks
", "time": "2022-03-25T12:22:30Z"}, {"author": "ekr@jabber.org", "text": "@Jonathan: yes, the leader has to do this
", "time": "2022-03-25T12:22:33Z"}, {"author": "Christopher Wood", "text": "@Jonathan that's a sybil attack -- the protocol will have accommodations for that
", "time": "2022-03-25T12:22:34Z"}, {"author": "Mariana Raykova", "text": "I also meant an option where the party collecting the reports is different from the two aggregators
", "time": "2022-03-25T12:23:07Z"}, {"author": "Tim Geoghegan", "text": "Deployments could also have some kind of proxy in between clients and the leader that could do things like rate limiting or verifying client authentication or attestation to increase confidence that reports are genuine.
", "time": "2022-03-25T12:23:18Z"}, {"author": "Mirja K\u00fchlewind", "text": "So the leader also has all the same capabilities as a helper but in addition redirects data to other helpers?
", "time": "2022-03-25T12:23:22Z"}, {"author": "Richard Barnes", "text": "yeah, i think Leader = Aggregator + coordination
", "time": "2022-03-25T12:23:41Z"}, {"author": "Tim Geoghegan", "text": "@Mirja yes
", "time": "2022-03-25T12:23:43Z"}, {"author": "ekr@jabber.org", "text": "Mirja: well that's the topic at hand. The leader orchestrates the measurement
", "time": "2022-03-25T12:23:43Z"}, {"author": "Martin Thomson", "text": "Mirja, yes, it acts as a proxy for the other aggregator(s)
", "time": "2022-03-25T12:23:50Z"}, {"author": "ekr@jabber.org", "text": "Well, it may not need to have the actual data
", "time": "2022-03-25T12:24:00Z"}, {"author": "Mirja K\u00fchlewind", "text": "got it. thanks!
", "time": "2022-03-25T12:24:02Z"}, {"author": "David Oliver", "text": "Is helper a process or a separate partner organization?
", "time": "2022-03-25T12:24:21Z"}, {"author": "sftcd", "text": "@ekr: what's current thinking for who picks the leader? is it browser or web-site or collector?
", "time": "2022-03-25T12:24:31Z"}, {"author": "Richard Barnes", "text": "to be clear, in the Leader-Upload world, the report to the Helper is through-encrypted
", "time": "2022-03-25T12:24:33Z"}, {"author": "Tim Geoghegan", "text": "@David Separate organization from the leader
", "time": "2022-03-25T12:24:40Z"}, {"author": "Richard Barnes", "text": "@David -- Non-colluding with the leader
", "time": "2022-03-25T12:24:45Z"}, {"author": "ekr@jabber.org", "text": "The collector and the aggregators collectively
", "time": "2022-03-25T12:24:53Z"}, {"author": "David Oliver", "text": "since separate org, can helper \"hire\" other sub-helpers?
", "time": "2022-03-25T12:25:29Z"}, {"author": "Tim Geoghegan", "text": "The Prio paper does envision settings where one org runs two aggregators to, for instance, reduce the damage from a single server being compromised by an attacker, but the cases we envision are two distinct organizations
", "time": "2022-03-25T12:25:30Z"}, {"author": "Jonathan Lennox", "text": "I wonder if it might be architecturally cleaner to describe different roles for the coordinator and the aggregators, with the understanding that the coordinator can also act as one of the aggregators
", "time": "2022-03-25T12:25:42Z"}, {"author": "Jonathan Lennox", "text": "I guess that's what's on this slide. :-)
", "time": "2022-03-25T12:26:05Z"}, {"author": "dkg", "text": "Jonathan: i agree that this would be clearer/cleaner, if it maps to the underlying protocol flow
", "time": "2022-03-25T12:26:08Z"}, {"author": "ekr@jabber.org", "text": "sort of yeah
", "time": "2022-03-25T12:26:09Z"}, {"author": "dkg", "text": "no, this slide distinguishes ingestion from coordination
", "time": "2022-03-25T12:26:23Z"}, {"author": "Dan McArdle", "text": "Does the ingestor receive encrypted shares?
", "time": "2022-03-25T12:26:37Z"}, {"author": "Christopher Wood", "text": "@Dan yeah, it would
", "time": "2022-03-25T12:26:46Z"}, {"author": "Tim Geoghegan", "text": "Yes, shares are encrypted on the client device/user-agent
", "time": "2022-03-25T12:26:46Z"}, {"author": "Martin Thomson", "text": "dkg: right, this slide shows the ingestor as untrusted
", "time": "2022-03-25T12:26:47Z"}, {"author": "Shivan Sahib", "text": "Do we have a sense of how expensive either option would be egress cost wise?
", "time": "2022-03-25T12:26:57Z"}, {"author": "Martin Thomson", "text": "shivan, yes, there are some calculations on issues
", "time": "2022-03-25T12:27:10Z"}, {"author": "Mirja K\u00fchlewind", "text": "if you have an ingestor, isn't the leader just a helper? Or is there still any coordination between the helpers needed?
", "time": "2022-03-25T12:27:15Z"}, {"author": "Martin Thomson", "text": "it's not cheap
", "time": "2022-03-25T12:27:18Z"}, {"author": "Shivan Sahib", "text": "Martin, is that in the draft?
", "time": "2022-03-25T12:27:25Z"}, {"author": "Shivan Sahib", "text": "oh did you mean GitHub issues
", "time": "2022-03-25T12:27:41Z"}, {"author": "Tim Geoghegan", "text": "Even in the presence of an ingestor, the leader still coordinates the execution of the proof verification
", "time": "2022-03-25T12:27:41Z"}, {"author": "Jonathan Lennox", "text": "Mirja: the helpers need to collectively perform the VDAF validation
", "time": "2022-03-25T12:27:42Z"}, {"author": "Martin Thomson", "text": "shivan: right
", "time": "2022-03-25T12:27:51Z"}, {"author": "Mirja K\u00fchlewind", "text": "okay
", "time": "2022-03-25T12:27:58Z"}, {"author": "ekr@jabber.org", "text": "They could be split out, yes.
", "time": "2022-03-25T12:28:33Z"}, {"author": "kaduk@jabber.org/barnowl", "text": "The video feed suggests that there's maybe 12 people physically in the
room in Vienna, does that seem about right to anyone there?
", "time": "2022-03-25T12:28:48Z"}, {"author": "dkg", "text": "Martin Thomson: the ingestor is still trusted in the sense that they can withhold data from the aggregators
", "time": "2022-03-25T12:28:55Z"}, {"author": "ekr@jabber.org", "text": "@dkg: that's correct.
", "time": "2022-03-25T12:29:02Z"}, {"author": "kaduk@jabber.org/barnowl", "text": "Right, the ingestor can easily DoS a given submission (or all
submissions)
", "time": "2022-03-25T12:29:13Z"}, {"author": "Mirja K\u00fchlewind", "text": "I counted 22
", "time": "2022-03-25T12:29:15Z"}, {"author": "kaduk@jabber.org/barnowl", "text": "Thanks, Mirja!
", "time": "2022-03-25T12:29:23Z"}, {"author": "Jonathan Lennox", "text": "I count 24 including the chair
", "time": "2022-03-25T12:29:24Z"}, {"author": "Martin Thomson", "text": "some info on costs: https://github.com/abetterinternet/ppm-specification/issues/130
", "time": "2022-03-25T12:29:31Z"}, {"author": "Shivan Sahib", "text": "I think I found it https://github.com/abetterinternet/ppm-specification/issues/130
", "time": "2022-03-25T12:29:34Z"}, {"author": "Shivan Sahib", "text": "damn beaten to it
", "time": "2022-03-25T12:29:41Z"}, {"author": "Mirja K\u00fchlewind", "text": "(I didn't count the chair and someone just entered)
", "time": "2022-03-25T12:29:43Z"}, {"author": "Martin Thomson", "text": "haha :)
", "time": "2022-03-25T12:29:46Z"}, {"author": "Martin Thomson", "text": "it's hard to find.  poor titles
", "time": "2022-03-25T12:29:57Z"}, {"author": "Christopher Patton", "text": "+1 ekr
", "time": "2022-03-25T12:30:09Z"}, {"author": "Massimiliano Pala", "text": "Non technical, but the main issue with such architecture is always who controls the Leader/Helpers ... typically, I would expect that to be a single entity (i.e., deploying the system to collect data for my organization). It would be interesting to investigate if computation could be performed over some homomorphic encryption scheme where collusion of aggregators might be less of a concern... maybe... ? It is a very hard problem to solve...
", "time": "2022-03-25T12:30:18Z"}, {"author": "David Oliver", "text": "@mirja we could just say 8% of onsite attendees, in order to aggregate the value
", "time": "2022-03-25T12:30:19Z"}, {"author": "ekr@jabber.org", "text": "I don't think I understand: this is a homomorphic encryption scheme
", "time": "2022-03-25T12:30:49Z"}, {"author": "Jonathan Lennox", "text": "I don't think there's any way you could prevent aggregator collusion, fundamentally a collection over a single data point reveals that data point's value.
", "time": "2022-03-25T12:31:48Z"}, {"author": "ekr@jabber.org", "text": "@
", "time": "2022-03-25T12:32:08Z"}, {"author": "Jonathan Lennox", "text": "(Prevent cryptographically I mean)
", "time": "2022-03-25T12:32:10Z"}, {"author": "Martin Thomson", "text": "jonathan: standard models assume n-1/n or 1/n honest parties
", "time": "2022-03-25T12:32:14Z"}, {"author": "Jonathan Lennox", "text": "Right, exactly.
", "time": "2022-03-25T12:32:30Z"}, {"author": "ekr@jabber.org", "text": "@Lennox: the best I know of is that the client adds DP noise, but that has a very detrimental effect on accuracy
", "time": "2022-03-25T12:32:30Z"}, {"author": "npd", "text": "both Request and Response are requests?
", "time": "2022-03-25T12:33:01Z"}, {"author": "Martin Thomson", "text": "the problem with clients adding noise is that the total amount of noise is proportional to the number of clients; with an aggregated system, the total amount of noise is fixed (so it is much lower)
", "time": "2022-03-25T12:33:04Z"}, {"author": "Christopher Patton", "text": "DP is a privacy/utility trade off. It's possible to get pretty good utility w/ good DP
", "time": "2022-03-25T12:33:07Z"}, {"author": "kaduk@jabber.org/barnowl", "text": "[expanding \"differential privacy\" just in case it didn't get expanded
previously]
", "time": "2022-03-25T12:33:44Z"}, {"author": "ekr@jabber.org", "text": "@MT: Precisely
", "time": "2022-03-25T12:33:49Z"}, {"author": "Martin Thomson", "text": "question: can the same client contribute multiple samples/measurements into the same aggregation run?
", "time": "2022-03-25T12:35:17Z"}, {"author": "David Oliver", "text": "is it NECESSARY that collector drives the request cycle?  Can aggregators just produce at window boundaries?
", "time": "2022-03-25T12:35:38Z"}, {"author": "Christopher Patton", "text": "@MT that's not constrained so far
", "time": "2022-03-25T12:35:53Z"}, {"author": "Tim Geoghegan", "text": "@MT I think yes, because there's no way in some settings for the aggregators to know that two reports came from the same client
", "time": "2022-03-25T12:36:01Z"}, {"author": "Christopher Patton", "text": "@David the reason it's necessary is to accommodate protocols like Poplar
", "time": "2022-03-25T12:36:11Z"}, {"author": "Martin Thomson", "text": "cjpatton: that's problematic for DP purposes
", "time": "2022-03-25T12:36:14Z"}, {"author": "Christopher Patton", "text": "@MT agreed
", "time": "2022-03-25T12:36:24Z"}, {"author": "jhoyla", "text": "@David in addition to ChrisP's answer, the issue on the next slide shows why you can't do that.
", "time": "2022-03-25T12:36:43Z"}, {"author": "Mariana Raykova", "text": "If we are using only min_batch_size for privacy, then we should be thinking about the possibility of someone injecting fake reports as well
", "time": "2022-03-25T12:37:28Z"}, {"author": "Massimiliano Pala", "text": "wouldn
", "time": "2022-03-25T12:37:38Z"}, {"author": "Christopher Patton", "text": "(@David, more detail about Poplar: The input shares are \"queried\" on candidate prefixes over a number of rounds.)
", "time": "2022-03-25T12:37:41Z"}, {"author": "David Oliver", "text": "@jhoyla got it
", "time": "2022-03-25T12:37:44Z"}, {"author": "jhoyla", "text": "@MT the CollectRequest just gets rejected.
", "time": "2022-03-25T12:38:06Z"}, {"author": "Massimiliano Pala", "text": "wouldn't the possibility to request arbitrary extended queries potentially expose diffs driven by < min_batch_size ?
", "time": "2022-03-25T12:38:32Z"}, {"author": "Tim Geoghegan", "text": "@MT if the collector requests aggregate shares and gets told \"sorry, not enough reports, can't service your request\", then it can query again with a bigger batch interval
", "time": "2022-03-25T12:38:41Z"}, {"author": "Martin Thomson", "text": "I'm not a huge fan of this sort of arrangement; is this because the collector isn't allowed to know the number of submitted reports?
", "time": "2022-03-25T12:38:45Z"}, {"author": "jhoyla", "text": "@Mariana That's a variant of the Sybil attack, which we are def. thinking about.
", "time": "2022-03-25T12:38:46Z"}, {"author": "npd", "text": "so the collector can also learn something by probing/failing requests
", "time": "2022-03-25T12:38:50Z"}, {"author": "David Oliver", "text": "@jhoyla as this window slides forward, suddenly will hit min_batch limit and thus result invalid OR reduce privacy
", "time": "2022-03-25T12:38:52Z"}, {"author": "Martin Thomson", "text": "Timg: that would leak information; so why not let it know how many reports were received?
", "time": "2022-03-25T12:39:13Z"}, {"author": "Christopher Patton", "text": "@MT I don't think it would be a problem for the Leader to tell the Collector how many reports have been aggregated so far
", "time": "2022-03-25T12:39:29Z"}, {"author": "Martin Thomson", "text": "Also, if we're going to use centralized DP (we should), this minimum batch size requirement doesn't make sense.
", "time": "2022-03-25T12:39:34Z"}, {"author": "jhoyla", "text": "@David exactly. I have some suggestions about how to deal with this, but before we get there ChrisW is going to ask if we actually want to deal with the problem.
", "time": "2022-03-25T12:39:40Z"}, {"author": "Massimiliano Pala", "text": "Possible solution - do not allow overlapping requests.
", "time": "2022-03-25T12:39:57Z"}, {"author": "jhoyla", "text": "And what our underlying assumptions should be.
", "time": "2022-03-25T12:40:02Z"}, {"author": "Mariana Raykova", "text": "I agree with Martin that if we introduce DP then we do not necessarily need the batch size enforcement
", "time": "2022-03-25T12:40:17Z"}, {"author": "Mariana Raykova", "text": "but we will need to handle enforcement of DP budgets
", "time": "2022-03-25T12:40:44Z"}, {"author": "sftcd", "text": "oddly this time/space concept isn't the same a chris' time/space concept in privacypass  ;-)
", "time": "2022-03-25T12:40:48Z"}, {"author": "Christopher Patton", "text": "I don't think DP should be required for all PPM deployments.
", "time": "2022-03-25T12:40:49Z"}, {"author": "Jonathan Lennox", "text": "It's not clear to me how DP would work for heavy-hitter metrics though
", "time": "2022-03-25T12:40:54Z"}, {"author": "David Oliver", "text": "@jhoyla you seem to always know what WILL happen! <head exploding>
", "time": "2022-03-25T12:41:01Z"}, {"author": "Christopher Patton", "text": "@Jonathan Lennox, DP composition with Poplar is discussed in the paper
", "time": "2022-03-25T12:41:19Z"}, {"author": "Jonathan Lennox", "text": "Or anything where the metric being measured is something like a boolean
", "time": "2022-03-25T12:41:19Z"}, {"author": "Jonathan Lennox", "text": "Ok
", "time": "2022-03-25T12:41:25Z"}, {"author": "jhoyla", "text": "@David upside of looking at the slides in advance ;)
", "time": "2022-03-25T12:41:28Z"}, {"author": "kaduk@jabber.org/barnowl", "text": "How does having centralized DP affect the trust model?
Are we now trusting the collector/leader more?
", "time": "2022-03-25T12:41:30Z"}, {"author": "Christopher Patton", "text": "We definitely need to figure out the story for composing DP with the protocol :)
", "time": "2022-03-25T12:42:09Z"}, {"author": "Martin Thomson", "text": "random reports don't help here
", "time": "2022-03-25T12:42:47Z"}, {"author": "ekr@jabber.org", "text": "Each aggregator can add their own DP
", "time": "2022-03-25T12:42:52Z"}, {"author": "Martin Thomson", "text": "what you need is DP with a bound on the contribution of any single client
", "time": "2022-03-25T12:42:55Z"}, {"author": "ekr@jabber.org", "text": "because it's homomorphic
", "time": "2022-03-25T12:42:58Z"}, {"author": "ekr@jabber.org", "text": "At least for prio
", "time": "2022-03-25T12:43:08Z"}, {"author": "Martin Thomson", "text": "yes, DP is easy to add, but you have to bound the contributions you are looking to protect
", "time": "2022-03-25T12:43:22Z"}, {"author": "Christopher Patton", "text": "yup
", "time": "2022-03-25T12:43:32Z"}, {"author": "Benjamin Schwartz", "text": "sam: Presumably clients authenticate with a durable high-cost identity in every report
", "time": "2022-03-25T12:43:32Z"}, {"author": "npd", "text": "can't the Collector decrease the genuine batch size by colluding with some clients to submit some reports for which it controls the data?
", "time": "2022-03-25T12:43:34Z"}, {"author": "Mariana Raykova", "text": "I agree that Sybil attacks are very intertwined with the questions at hand
", "time": "2022-03-25T12:43:36Z"}, {"author": "sftcd", "text": "\"space\" isn't really right here I think
", "time": "2022-03-25T12:43:37Z"}, {"author": "kaduk@jabber.org/barnowl", "text": "Ben: oof
", "time": "2022-03-25T12:43:45Z"}, {"author": "Benjamin Schwartz", "text": "kaduk: Not a problem ... so long as there's no collusion
", "time": "2022-03-25T12:44:00Z"}, {"author": "dkg", "text": "\"space\" isn't well-defined at all
", "time": "2022-03-25T12:44:11Z"}, {"author": "Martin Thomson", "text": "if you don't (and the sybil protections here seem weak; plus there is no real guidance on how clients contribute reports), then we're off into either infinite noise or easy attacks on privacy
", "time": "2022-03-25T12:44:16Z"}, {"author": "sftcd", "text": "is sam in the queue still?
", "time": "2022-03-25T12:44:22Z"}, {"author": "Benjamin Schwartz", "text": "kaduk: If that makes you nervous then use PRIVACYPASS :)
", "time": "2022-03-25T12:44:23Z"}, {"author": "Christopher Patton", "text": "+1
", "time": "2022-03-25T12:44:33Z"}, {"author": "Jonathan Lennox", "text": "I feel like the protections you want against sybil attacks may depend a lot on the threat model?  Is poisoning the statistics just griefing, or does it gain something for the attacker?
", "time": "2022-03-25T12:45:20Z"}, {"author": "npd", "text": "physical space is also not a single dimension ;)
", "time": "2022-03-25T12:45:23Z"}, {"author": "jhoyla", "text": "Space is being used to describe the possible set of all dimensions.
", "time": "2022-03-25T12:45:42Z"}, {"author": "kaduk@jabber.org/barnowl", "text": "and yet we can have one-dimensional space-filling curves :)
", "time": "2022-03-25T12:45:47Z"}, {"author": "jhoyla", "text": "As distinct from time.
", "time": "2022-03-25T12:45:56Z"}, {"author": "Martin Thomson", "text": "jonathan: if you think of attacks on legitimate clients whereby they submit too many *valid* reports, that makes it ...tricky
", "time": "2022-03-25T12:46:00Z"}, {"author": "Samuel Weiler", "text": "@Jonathan: I think we'll need to address both, and they're different.
", "time": "2022-03-25T12:46:11Z"}, {"author": "Mariana Raykova", "text": "a sybil attack can be about poisoning the statistics but also about violating privacy
", "time": "2022-03-25T12:46:16Z"}, {"author": "dkg", "text": "Mariana +1
", "time": "2022-03-25T12:46:26Z"}, {"author": "Massimiliano Pala", "text": "Maybe a safer query would be \"Give me the reports produced from here to here\" and reports are produced at defined intervals, but never on overlapping data.
", "time": "2022-03-25T12:46:26Z"}, {"author": "kaduk@jabber.org/barnowl", "text": "+1 Mariana yes
", "time": "2022-03-25T12:46:40Z"}, {"author": "dkg", "text": "maybe distinguish between the two kinds of sybil attacks as a sybil attack against the collector (stats poisoning), vs. a sybil attack against a reporting client (privacy violation)
", "time": "2022-03-25T12:47:10Z"}, {"author": "npd", "text": "+1 dkg
", "time": "2022-03-25T12:47:23Z"}, {"author": "ekr@jabber.org", "text": "@dkg: yes, that's a good point
", "time": "2022-03-25T12:47:26Z"}, {"author": "Samuel Weiler", "text": "e.g. the collector itself submitting enough fake reports of known values to get over the min report threshold, and then being able to subtract out its own known values.  Oh, and targeting only one \"real\" client for the measurement.
", "time": "2022-03-25T12:48:00Z"}, {"author": "Jonathan Lennox", "text": "MT: yeah, the scary case for me is the use case (presented at the bof, but not here) where the statistic you're accumulating is \"how many people saw the ad and then bought the product?\"  Obviously a lot of motivation to submit multiple fake-but-valid reports
", "time": "2022-03-25T12:48:16Z"}, {"author": "ekr@jabber.org", "text": "I think we're pretty confident about (1) because we already hae that problem
", "time": "2022-03-25T12:48:16Z"}, {"author": "ekr@jabber.org", "text": "@Jonathan: yeah, there's been a lot of work ont hat
", "time": "2022-03-25T12:48:29Z"}, {"author": "npd", "text": "yes, +1 sam and thanks for raising/explaining that threat
", "time": "2022-03-25T12:48:34Z"}, {"author": "Christopher Patton", "text": "VDAF -> https://datatracker.ietf.org/doc/draft-patton-cfrg-vdaf/
", "time": "2022-03-25T12:48:52Z"}, {"author": "Christopher Patton", "text": "There will be a call for adoption in the CFRG soon. Please have a look if you want to support this work!
", "time": "2022-03-25T12:49:19Z"}, {"author": "Martin Thomson", "text": "jonathan: I spent all of next week looking at that problem; we have a good story for sybil attacks and a bunch of things, but we found an attack that we're working through
", "time": "2022-03-25T12:49:23Z"}, {"author": "Martin Thomson", "text": "but that is not relative to this work, it's related work
", "time": "2022-03-25T12:49:38Z"}, {"author": "David Oliver", "text": "is it imagined that the set of functions to be performed by the aggregators will be defined and exposed to (available to) clients?  That is, is there disclosure on what the aggregators are doing?
", "time": "2022-03-25T12:49:54Z"}, {"author": "Martin Thomson", "text": "sorry, that is not *this* draft, but it's a similar sort of thing
", "time": "2022-03-25T12:49:55Z"}, {"author": "jhoyla", "text": "@MT you spent all of next week already? You're in time debt!
", "time": "2022-03-25T12:50:02Z"}, {"author": "Martin Thomson", "text": "yep, I spent it last week, which explains why my brain is much
", "time": "2022-03-25T12:50:23Z"}, {"author": "Dan McArdle", "text": "@MT is a time lord
", "time": "2022-03-25T12:50:27Z"}, {"author": "ekr@jabber.org", "text": "@David: yes, it has to be
", "time": "2022-03-25T12:50:35Z"}, {"author": "Jonathan Lennox", "text": "He spent next week already, that's what happens when you're in Australia
", "time": "2022-03-25T12:50:36Z"}, {"author": "Martin Thomson", "text": "it's 10 minutes from Saturday already
", "time": "2022-03-25T12:50:48Z"}, {"author": "ekr@jabber.org", "text": "@David: the way this works is that there's only one really useful thing to do with the data (for Prio, compute sum).
", "time": "2022-03-25T12:51:12Z"}, {"author": "David Oliver", "text": "@ekr working with Clean Insights group, among goals there is disclosure and consent
", "time": "2022-03-25T12:51:14Z"}, {"author": "ekr@jabber.org", "text": "And so if you want to for instance, compute Geometric Mean, you need the client to encode the data specially so that computing sum actually computes geometric mean
", "time": "2022-03-25T12:51:49Z"}, {"author": "David Oliver", "text": "@ekr that'd be a big change, that the use of the data on aggregate is pre-defined rather than open-ended.
", "time": "2022-03-25T12:51:55Z"}, {"author": "David Oliver", "text": "https://cleaninsights.org
", "time": "2022-03-25T12:52:05Z"}, {"author": "ekr@jabber.org", "text": "This doesn't define, for instance, what sorts of crosstabs are being computed, however.
", "time": "2022-03-25T12:52:22Z"}, {"author": "David Oliver", "text": "@ekr, agreed I misspoke
", "time": "2022-03-25T12:53:00Z"}, {"author": "Jonathan Lennox", "text": "I feel like you have to assume that crosstabs can be computed on any provided metadata, subject to batch sizes.
", "time": "2022-03-25T12:53:01Z"}, {"author": "ekr@jabber.org", "text": "@Jonathan: yeah, based on whatever demographics you provide
", "time": "2022-03-25T12:53:29Z"}, {"author": "Jonathan Lennox", "text": "For broad definitions of \"provide\", too (e.g. client IP if you're not doing OHAI or the like)
", "time": "2022-03-25T12:54:29Z"}, {"author": "ekr@jabber.org", "text": "@Jonathan: correct.
", "time": "2022-03-25T12:54:38Z"}, {"author": "npd", "text": "@jonathan, @ekr, so we need to distinguish when talking about this that some data values are encrypted/distributed and some values are provided in cleartext to the aggregators?
", "time": "2022-03-25T12:55:32Z"}, {"author": "Martin Thomson", "text": "\"we\" don't see anything.  that's an eye chart
", "time": "2022-03-25T12:55:44Z"}, {"author": "jhoyla", "text": "@MT in person it's somehow worse, because the colours haven't really come out.
", "time": "2022-03-25T12:56:14Z"}, {"author": "ekr@jabber.org", "text": "@npd: yes. I actually don't think we have a way to provide anything with cleartext
", "time": "2022-03-25T12:56:21Z"}, {"author": "ekr@jabber.org", "text": "Though of course IP is already available
", "time": "2022-03-25T12:56:31Z"}, {"author": "Martin Thomson", "text": "encoding artefacts ate the words
", "time": "2022-03-25T12:56:33Z"}, {"author": "ekr@jabber.org", "text": "And we'd need to add something
", "time": "2022-03-25T12:56:35Z"}, {"author": "dkg", "text": "are the two helper instances distinct parties in the MPC?  or just different daemons behind a load balancer in a single \"helper\" identity?
", "time": "2022-03-25T12:56:59Z"}, {"author": "Jonathan Lennox", "text": "Well, helpers wouldn't see client IP
", "time": "2022-03-25T12:56:59Z"}, {"author": "Christopher Wood", "text": "Yeah, that's my thinking as well. Each report would carry a \"space\" parameter.
", "time": "2022-03-25T12:57:06Z"}, {"author": "ekr@jabber.org", "text": "@dkg: distinct parties.
", "time": "2022-03-25T12:57:16Z"}, {"author": "Christopher Wood", "text": "e.g., 8 bits, and the collector determines how to use those 8 bits
", "time": "2022-03-25T12:57:17Z"}, {"author": "ekr@jabber.org", "text": "Though of course, you might have multiple elements in each helper
", "time": "2022-03-25T12:57:40Z"}, {"author": "sftcd", "text": "@chrisW: every report having a freeform \"space\" parameter seems a bit leaky
", "time": "2022-03-25T12:58:34Z"}, {"author": "Christopher Wood", "text": "It would have to be constrained -- not unbounded
", "time": "2022-03-25T12:58:52Z"}, {"author": "Christopher Wood", "text": "(I think)
", "time": "2022-03-25T12:59:09Z"}, {"author": "sftcd", "text": "yeah, not sure how doable that might be though
", "time": "2022-03-25T12:59:21Z"}, {"author": "sftcd", "text": "e.g. the examples you had on slides were UA-string & location, seems hard to me to know how such searches could be supported without the space param being v. leaky
", "time": "2022-03-25T13:00:05Z"}, {"author": "Jonathan Lennox", "text": "The value of your finite group doesn't actually have to be a prime, right?  This is just addition, so 2^64 would work fine
", "time": "2022-03-25T13:01:46Z"}, {"author": "ekr@jabber.org", "text": "It has to be prime in order to make the proofs work
", "time": "2022-03-25T13:02:46Z"}, {"author": "Martin Thomson", "text": "it needs to be prime for the multiplication, I think
", "time": "2022-03-25T13:03:06Z"}, {"author": "ekr@jabber.org", "text": "Yeah, the multiplication is part of the proofs, IIRC
", "time": "2022-03-25T13:03:32Z"}, {"author": "Christopher Patton", "text": "well, multiplicative inverse :)
", "time": "2022-03-25T13:03:34Z"}, {"author": "Massimiliano Pala", "text": "Is it a commutative group?
", "time": "2022-03-25T13:03:42Z"}, {"author": "ekr@jabber.org", "text": "to make the circuits work
", "time": "2022-03-25T13:03:44Z"}, {"author": "ekr@jabber.org", "text": "It's just Z_p
", "time": "2022-03-25T13:03:53Z"}, {"author": "Christopher Patton", "text": "@Massimiliano you need a field
", "time": "2022-03-25T13:03:54Z"}, {"author": "Christopher Patton", "text": "validity is defined via an arithmetic circuit
", "time": "2022-03-25T13:04:03Z"}, {"author": "Christopher Patton", "text": "https://datatracker.ietf.org/doc/html/draft-patton-cfrg-vdaf-01#section-6.3.1
", "time": "2022-03-25T13:04:32Z"}, {"author": "Christopher Wood", "text": "@sftcd I wouldn't worry too much about leakiness -- if we do our job right, the protocol will never reveal individual reports.
", "time": "2022-03-25T13:04:44Z"}, {"author": "Martin Thomson", "text": "dss* is what I heard
", "time": "2022-03-25T13:05:26Z"}, {"author": "ekr@jabber.org", "text": "DSS-STAR
", "time": "2022-03-25T13:05:32Z"}, {"author": "dkg", "text": "yes, we can hear you
", "time": "2022-03-25T13:05:35Z"}, {"author": "Martin Thomson", "text": "yes, we can hear you
", "time": "2022-03-25T13:05:36Z"}, {"author": "sftcd", "text": "@chrisw: sorry, I gotta worry:-) if the protocol carries UA-string values then I'll worry more
", "time": "2022-03-25T13:05:56Z"}, {"author": "sftcd", "text": "sorry if I missed it but what are the \"shared, secret\" params from last of tim's slides?
", "time": "2022-03-25T13:06:08Z"}, {"author": "Christopher Patton", "text": "IN order to validate inputs, the Aggregators use a shared secret.
", "time": "2022-03-25T13:06:37Z"}, {"author": "Sean Turner", "text": "also STAR: https://datatracker.ietf.org/doc/rfc8739/
", "time": "2022-03-25T13:06:39Z"}, {"author": "Samuel Weiler", "text": "@sftcd, if it helps, much work seems to be afoot to make UA-strings less useful, e.g. locking them down.
", "time": "2022-03-25T13:06:44Z"}, {"author": "Tim Geoghegan", "text": "@sftcd VDAF discusses a \"verification parameter\" which is a secret shared between aggregators (leader and helper)
", "time": "2022-03-25T13:07:02Z"}, {"author": "ekr@jabber.org", "text": "As a general matter, it's possible to infer quite a bit of information about UAs just from externally visible behavior
", "time": "2022-03-25T13:07:14Z"}, {"author": "Christopher Wood", "text": "@sftcd what is the concern, though? If no collector ever sees an individual report with a UA string, what is the risk?
", "time": "2022-03-25T13:07:30Z"}, {"author": "Christopher Wood", "text": "(Genuinely curious)
", "time": "2022-03-25T13:07:34Z"}, {"author": "ekr@jabber.org", "text": "Like Chromium versus Gecko and in many cases engine version
", "time": "2022-03-25T13:07:37Z"}, {"author": "Tim Geoghegan", "text": "What the verification parameter is depends on the VDAF but in prio3 IIRC it's a shared PRG seed
", "time": "2022-03-25T13:07:59Z"}, {"author": "Martin Thomson", "text": "you have to trust the randomness server, here; I'm interested in what sorts of attack are possible if one or other server is bad
", "time": "2022-03-25T13:08:02Z"}, {"author": "sftcd", "text": "concern: if each report can be accompanied by a ~~100 byte string then it seems like the protocol could be abused to carry lots of things, better (if possible) if that's not possible
", "time": "2022-03-25T13:08:35Z"}, {"author": "Tim Geoghegan", "text": "Beyond that, in the interop target, we have a shared HMAC key for message authentication (which I didn't have time to discuss and may or may not survive into the spec)
", "time": "2022-03-25T13:08:48Z"}, {"author": "Christopher Wood", "text": "Hmm... what is the abuse, exactly?
", "time": "2022-03-25T13:09:17Z"}, {"author": "Samuel Weiler", "text": "Why are we even calling this \"randomness\"?  It seems like it's more of an \"opaque deterministic function\".  which sounds an awful lot like \"a hash function\"
", "time": "2022-03-25T13:09:22Z"}, {"author": "ekr@jabber.org", "text": "@MT: if the randomness server is bad, then the main server can dictionary attack the values
", "time": "2022-03-25T13:09:28Z"}, {"author": "Martin Thomson", "text": "sam: it's a PRF (R = random)
", "time": "2022-03-25T13:09:38Z"}, {"author": "Martin Thomson", "text": "that slide was too fast
", "time": "2022-03-25T13:10:46Z"}, {"author": "kaduk@jabber.org/barnowl", "text": "fortunately the slides are posted
", "time": "2022-03-25T13:11:20Z"}, {"author": "npd", "text": "I'm also confused by the meaning of \"randomness\" here
", "time": "2022-03-25T13:11:37Z"}, {"author": "kaduk@jabber.org/barnowl", "text": "(https://datatracker.ietf.org/meeting/113/materials/slides-113-ppm-dss-star-01)
", "time": "2022-03-25T13:11:46Z"}, {"author": "Martin Thomson", "text": "so I understand how this works already, but the slide made it worse
", "time": "2022-03-25T13:11:52Z"}, {"author": "ekr@jabber.org", "text": "https://educatedguesswork.org/posts/ppm-heavy-hitters/
", "time": "2022-03-25T13:11:52Z"}, {"author": "ekr@jabber.org", "text": "This helps explain how this works
", "time": "2022-03-25T13:11:56Z"}, {"author": "ekr@jabber.org", "text": "Yes, the term randomness is very confusing.
", "time": "2022-03-25T13:12:04Z"}, {"author": "ekr@jabber.org", "text": "The basic intuition is that you have some string S and then you compute K_s = H(S). You then encrypt E(K_s, S) and send that.
", "time": "2022-03-25T13:12:57Z"}, {"author": "ekr@jabber.org", "text": "You also send a Shamir secret share of K_s with threshold t
", "time": "2022-03-25T13:13:09Z"}, {"author": "Shivan Sahib", "text": "npd: like ekr said, if the input space for measurements is not sufficiently distributed, it would be easy for the server to search for all possible values
", "time": "2022-03-25T13:13:20Z"}, {"author": "ekr@jabber.org", "text": "Because the encryption is deterministic, once you have |k| >t measurements you can recover K_s and then decrypt
", "time": "2022-03-25T13:13:45Z"}, {"author": "ekr@jabber.org", "text": "But then this has a dictionary attack on S
", "time": "2022-03-25T13:13:55Z"}, {"author": "kaduk@jabber.org/barnowl", "text": "The encryption is deterministic but the shamir share is not?
", "time": "2022-03-25T13:14:03Z"}, {"author": "ekr@jabber.org", "text": "@kaduk: correct
", "time": "2022-03-25T13:14:09Z"}, {"author": "kaduk@jabber.org/barnowl", "text": "thanks for the \"basic intuition\" bit :)
", "time": "2022-03-25T13:14:28Z"}, {"author": "Christopher Wood", "text": "Does the POPRF actually need to be puncturable? Can you not just pick a new key?
", "time": "2022-03-25T13:14:35Z"}, {"author": "Martin Thomson", "text": "rainbow tables!
", "time": "2022-03-25T13:14:48Z"}, {"author": "ekr@jabber.org", "text": "And the randomness server is an OPRF(S) but consistent, so it removes the dictionary attacj
", "time": "2022-03-25T13:15:10Z"}, {"author": "Martin Thomson", "text": "the puncturable thing is so that you can't rewind time, isn't it?
", "time": "2022-03-25T13:15:13Z"}, {"author": "kaduk@jabber.org/barnowl", "text": "linking the subset of messages that hide the same measurement feels
like it would be very damaging for certain types of measurement
", "time": "2022-03-25T13:15:17Z"}, {"author": "ekr@jabber.org", "text": "@CAW: yes, the POPRF is fancy crypto
", "time": "2022-03-25T13:15:29Z"}, {"author": "ekr@jabber.org", "text": "but you could just delete keys
", "time": "2022-03-25T13:15:35Z"}, {"author": "Christopher Wood", "text": "@MT but isn't that achieved also by rotating the key?
", "time": "2022-03-25T13:15:36Z"}, {"author": "Christopher Wood", "text": "POPRF isn't fancy =)
", "time": "2022-03-25T13:15:39Z"}, {"author": "Martin Thomson", "text": "ekr: presumably if this is something like a browser as a client, then the attacker could just make a bunch of clients essentially for free
", "time": "2022-03-25T13:15:55Z"}, {"author": "ekr@jabber.org", "text": "I shoud have said \"hipster crypto\" a la MT
", "time": "2022-03-25T13:16:01Z"}, {"author": "Christopher Wood", "text": "Hah
", "time": "2022-03-25T13:16:05Z"}, {"author": "Martin Thomson", "text": "Chris: I'm not defending this.
", "time": "2022-03-25T13:16:11Z"}, {"author": "Martin Thomson", "text": "just trying to understand what they are trying to achieve
", "time": "2022-03-25T13:16:28Z"}, {"author": "ekr@jabber.org", "text": "@MT, yes, but that doesn't help because you need them to have S
", "time": "2022-03-25T13:16:29Z"}, {"author": "Christopher Wood", "text": "Understood, I'm just trying to understand the puncturable functionality
", "time": "2022-03-25T13:16:43Z"}, {"author": "Martin Thomson", "text": "ekr: presumably if you have some values of S you are interested in, those can be retrieved
", "time": "2022-03-25T13:16:52Z"}, {"author": "ekr@jabber.org", "text": "@MT: so the point of the randomness server is to force each of those checks to involve a query to the randomness server
", "time": "2022-03-25T13:17:25Z"}, {"author": "ekr@jabber.org", "text": "To make offline attacks impossible
", "time": "2022-03-25T13:17:34Z"}, {"author": "npd", "text": "without ohai, this would mean that my data could be revealed, but only if my report was the same as k others?
", "time": "2022-03-25T13:17:36Z"}, {"author": "Martin Thomson", "text": "sure, you've taken the impossible problem and replaced with another impossible problem
", "time": "2022-03-25T13:17:48Z"}, {"author": "ekr@jabber.org", "text": "@npd: precisely
", "time": "2022-03-25T13:17:51Z"}, {"author": "Shivan Sahib", "text": "npd: yes, this requires something like OHAI
", "time": "2022-03-25T13:18:01Z"}, {"author": "npd", "text": "thank you, I am glad that I understood it
", "time": "2022-03-25T13:18:17Z"}, {"author": "Martin Thomson", "text": "this is not a vdaf as described; and that shouldn't be a goal
", "time": "2022-03-25T13:18:32Z"}, {"author": "Martin Thomson", "text": "vdaf is a convenience
", "time": "2022-03-25T13:18:46Z"}, {"author": "Christopher Patton", "text": "I agree that STAR is not a VDAF. That doesn't mean it doesn't fit into the WG charter :)
", "time": "2022-03-25T13:18:46Z"}, {"author": "Shivan Sahib", "text": "I think part of STAR's attractiveness is that it doesn't require the heavy cost of PPM
", "time": "2022-03-25T13:19:07Z"}, {"author": "Christopher Patton", "text": "I imagine it's comparable to Prio. Definitely wayyyyy faster than Poplar
", "time": "2022-03-25T13:19:27Z"}, {"author": "Shivan Sahib", "text": "I think it fits into the WG charter! I tried to make sure it does :)
", "time": "2022-03-25T13:19:28Z"}, {"author": "Martin Thomson", "text": "yeah, I think that there are things that STAR does a lot better
", "time": "2022-03-25T13:19:36Z"}, {"author": "Martin Thomson", "text": "the leakage is a bit of a concern though
", "time": "2022-03-25T13:19:43Z"}, {"author": "ekr@jabber.org", "text": "I think these are comparable
", "time": "2022-03-25T13:19:52Z"}, {"author": "Shivan Sahib", "text": "yes
", "time": "2022-03-25T13:19:53Z"}, {"author": "ekr@jabber.org", "text": "Sorry, complementary
", "time": "2022-03-25T13:19:59Z"}, {"author": "David Oliver", "text": "does draft adoption of PPM preclude future adoption of STAR?
", "time": "2022-03-25T13:20:35Z"}, {"author": "Martin Thomson", "text": "within its narrow applicability, this looks quite good, but it trades on a bunch of operational challenges
", "time": "2022-03-25T13:20:36Z"}, {"author": "ekr@jabber.org", "text": "No, it does not
", "time": "2022-03-25T13:20:40Z"}, {"author": "ekr@jabber.org", "text": "Ugh, I somehow got out of the queue
", "time": "2022-03-25T13:21:10Z"}, {"author": "Christopher Patton", "text": "+1 Mariana
", "time": "2022-03-25T13:21:15Z"}, {"author": "Christopher Patton", "text": "FWIW I would like to see development of the STAR protocol continue.
", "time": "2022-03-25T13:22:36Z"}, {"author": "Ira McDonald", "text": "poll for priv-ppm adoption please?
", "time": "2022-03-25T13:22:39Z"}, {"author": "Tim Geoghegan", "text": "re: STAR: the name does collide with RFC 8739 https://datatracker.ietf.org/doc/rfc8739/
", "time": "2022-03-25T13:22:41Z"}, {"author": "Christopher Patton", "text": "*STAR spec
", "time": "2022-03-25T13:22:42Z"}, {"author": "Tommy Pauly", "text": "If we're asking about adoption, can we take a poll on it?
", "time": "2022-03-25T13:22:54Z"}, {"author": "npd", "text": "so STAR would require non-collusion, but the client could pick from any 'randomness' servers rather than a pre-determined subset?
", "time": "2022-03-25T13:23:01Z"}, {"author": "Samuel Weiler", "text": "@Ira, if there's opposition to adoption, I'd like to hear it, not merely poll for it
", "time": "2022-03-25T13:23:11Z"}, {"author": "ekr@jabber.org", "text": "@npd: yes, but I don't think that helps, because the randomness servers have the same key
", "time": "2022-03-25T13:23:39Z"}, {"author": "ekr@jabber.org", "text": "So having >1 randomness server mostly just makes the situation worse
", "time": "2022-03-25T13:23:57Z"}, {"author": "Christopher Patton", "text": "To me, the main advantage of STAR is that it solves heavy hitters w/o lots of interaction among the Aggregators. It's privacy considerations are somewhat different, however.
", "time": "2022-03-25T13:23:58Z"}, {"author": "Alex Davidson", "text": "@npd, that is correct, but the clients would need to agree on the randomness server
", "time": "2022-03-25T13:24:28Z"}, {"author": "ekr@jabber.org", "text": "I think they would be different protocols
", "time": "2022-03-25T13:25:14Z"}, {"author": "Shivan Sahib", "text": "I think they would be two different protocols
", "time": "2022-03-25T13:25:20Z"}, {"author": "Christopher Patton", "text": "+1
", "time": "2022-03-25T13:25:32Z"}, {"author": "Martin Thomson", "text": "I would like different protocols, the fact that the gpew draft has two protocols in it is a problem, not a feature
", "time": "2022-03-25T13:25:40Z"}, {"author": "Martin Thomson", "text": "I think that burying the complexity in the VDAF spec is unwise.
", "time": "2022-03-25T13:26:55Z"}, {"author": "Christopher Patton", "text": "Very well summarized @Chris W.
", "time": "2022-03-25T13:26:59Z"}, {"author": "Martin Thomson", "text": "unnecessary generality
", "time": "2022-03-25T13:27:14Z"}, {"author": "Christopher Patton", "text": "@MT It's certainly not our intention to bury complexity.
", "time": "2022-03-25T13:27:20Z"}, {"author": "ekr@jabber.org", "text": "The collusion risk here is that the aggregation server can then do dictionary attacks
", "time": "2022-03-25T13:27:53Z"}, {"author": "ekr@jabber.org", "text": "Basically, STAR without the randomness server can only be used with high entropy inputs
", "time": "2022-03-25T13:28:10Z"}, {"author": "Martin Thomson", "text": "I'm not saying that you are doing it intentionally, but I think that it would be much easier if there were two primitives.
", "time": "2022-03-25T13:28:10Z"}, {"author": "Christopher Patton", "text": "The point of the VDAF doc is that there is no \"one-size-fits-all\" for private aggregation tasks. We antiicpate not having just Prio and Poplar, but a variety of VDAFs in the future.
", "time": "2022-03-25T13:28:12Z"}, {"author": "npd", "text": "speak up please
", "time": "2022-03-25T13:28:24Z"}, {"author": "ekr@jabber.org", "text": "But with the randomness server, you can measure low entropy inputs
", "time": "2022-03-25T13:28:31Z"}, {"author": "jhoyla", "text": "Wait, what\u203d David Schinazi isn't a PPM enthusiast?
", "time": "2022-03-25T13:28:48Z"}, {"author": "ekr@jabber.org", "text": "he's too tired to be an enthusiast
", "time": "2022-03-25T13:28:57Z"}, {"author": "kaduk@jabber.org/barnowl", "text": "I was just thinking the same thing!
", "time": "2022-03-25T13:29:00Z"}, {"author": "Sean Turner", "text": "+1 to what David said to adopting ppm
", "time": "2022-03-25T13:29:01Z"}, {"author": "ekr@jabber.org", "text": "I have read the draft
", "time": "2022-03-25T13:29:16Z"}, {"author": "Sean Turner", "text": "I have read it
", "time": "2022-03-25T13:29:21Z"}, {"author": "dkg", "text": "i have read the draft
", "time": "2022-03-25T13:29:22Z"}, {"author": "jhoyla", "text": "I've read the PPM drafts
", "time": "2022-03-25T13:29:22Z"}, {"author": "Christopher Patton", "text": "i have read the draft
", "time": "2022-03-25T13:29:23Z"}, {"author": "Christopher Wood", "text": "+1 read
", "time": "2022-03-25T13:29:23Z"}, {"author": "Tim Geoghegan", "text": "I have read the draft
", "time": "2022-03-25T13:29:30Z"}, {"author": "Martin Thomson", "text": "I skimmed it
", "time": "2022-03-25T13:29:31Z"}, {"author": "Alex Davidson", "text": "+1 read
", "time": "2022-03-25T13:29:37Z"}, {"author": "David Schinazi", "text": "I am so tired I forgot I was an enthusiast
", "time": "2022-03-25T13:29:40Z"}, {"author": "Martin Thomson", "text": "read the previous version
", "time": "2022-03-25T13:29:47Z"}, {"author": "Sean Turner", "text": "@DavidS and a manager ;)
", "time": "2022-03-25T13:29:53Z"}, {"author": "Mirja K\u00fchlewind", "text": "read parts of it...
", "time": "2022-03-25T13:29:58Z"}, {"author": "Michael B", "text": "+1 read
", "time": "2022-03-25T13:30:09Z"}, {"author": "Mariana Raykova", "text": "+1
", "time": "2022-03-25T13:30:20Z"}, {"author": "David Schinazi", "text": "I've also read most parts of the draft
", "time": "2022-03-25T13:30:23Z"}, {"author": "Nick Sullivan", "text": "+1 read an earlier version
", "time": "2022-03-25T13:30:27Z"}, {"author": "Sean Turner", "text": "excellent
", "time": "2022-03-25T13:30:36Z"}, {"author": "Christopher Patton", "text": "thank you all
", "time": "2022-03-25T13:30:37Z"}, {"author": "npd", "text": "I have skimmed the ppm draft
", "time": "2022-03-25T13:30:37Z"}, {"author": "Eric Orth", "text": "I have only skimmed so far.
", "time": "2022-03-25T13:30:37Z"}, {"author": "Martin Thomson", "text": "it would be really good if those people who read it would also review it
", "time": "2022-03-25T13:30:38Z"}, {"author": "jhoyla", "text": "Thanks everyone for a great IETF
", "time": "2022-03-25T13:31:07Z"}, {"author": "Christopher Patton", "text": ":clap: :clap: thanks Ben/Samuel
", "time": "2022-03-25T13:31:22Z"}, {"author": "ekr@jabber.org", "text": "Indeed. Thank you!
", "time": "2022-03-25T13:31:30Z"}, {"author": "kaduk@jabber.org/barnowl", "text": "And thanks Joe for standing ready at the front of the room to handle
any excitement (fortunately none happened)!
", "time": "2022-03-25T13:31:31Z"}, {"author": "Tim Geoghegan", "text": "+1 thanks to the chairs and dkg for note-taking!
", "time": "2022-03-25T13:31:32Z"}, {"author": "jhoyla", "text": "Also thanks @Joe Salowey for being chair for, as far as I can tell, everything.
", "time": "2022-03-25T13:31:37Z"}, {"author": "Robin Wilton", "text": "+1 Thanks everyone
", "time": "2022-03-25T13:31:38Z"}, {"author": "npd", "text": "thank you scribe, chairs and editors
", "time": "2022-03-25T13:31:39Z"}, {"author": "Sean Turner", "text": "thanks!
", "time": "2022-03-25T13:31:41Z"}, {"author": "Mirja K\u00fchlewind", "text": "thanks!
", "time": "2022-03-25T13:31:46Z"}, {"author": "Roman Danyliw", "text": "Thanks Joe!
", "time": "2022-03-25T13:31:51Z"}, {"author": "Sean Turner", "text": "everybody get rest!
", "time": "2022-03-25T13:31:54Z"}, {"author": "David Oliver", "text": "Thank you all, very informative!
", "time": "2022-03-25T13:31:55Z"}, {"author": "dkg", "text": "thanks y'all
", "time": "2022-03-25T13:31:59Z"}, {"author": "npd", "text": "next steps on adoption decisions/polling will happen on the list?
", "time": "2022-03-25T13:32:13Z"}, {"author": "ekr@jabber.org", "text": "correct
", "time": "2022-03-25T13:32:54Z"}, {"author": "npd", "text": "thanks
", "time": "2022-03-25T13:33:02Z"}]