Rename "secure sketch" to "arithmetic sketch" per {{BBCGGI23}}
{{BBCGGI23}} generalizes the idea from {{BBCGGI21}} for checking one-hotness
of the output shares for Poplar. The generalization, called
"arithmetic sketching", allows for checking richer properties of the
output shares.
cjpatton committed Jun 18, 2024
1 parent f028280 commit d4f5db6
Showing 1 changed file with 20 additions and 6 deletions.
26 changes: 20 additions & 6 deletions draft-irtf-cfrg-vdaf.md
Expand Up @@ -68,6 +68,18 @@ informative:
seriesinfo: IEEE S&P 2021
target: https://ia.cr/2021/017

BBCGGI23:
title: "Arithmetic Sketching"
author:
- ins: D. Boneh
- ins: E. Boyle
- ins: H. Corrigan-Gibbs
- ins: N. Gilboa
- ins: Y. Ishai
date: 2023
seriesinfo: CRYPTO 2023
target: https://ia.cr/2023/1012

CGB17:
title: "Prio: Private, Robust, and Scalable Computation of Aggregate Statistics"
author:
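Review bot: the new `BBCGGI23` entry follows the same shape as the `BBCGGI21` entry above it (year-only `date`, venue in `seriesinfo`, ePrint URL in `target`) and sits in the right alphabetical position before `CGB17`, but the commit message refers to the key as `{{BCCGI23}}`, which does not match the anchor `BBCGGI23` defined here; correct the commit message so the history stays greppable for the reference name the draft actually uses.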
Expand Down Expand Up @@ -3776,10 +3788,12 @@ extract the heavy hitters from the leaves of this tree. (Note that the prefix
tree may leak more information about the set than the heavy hitters themselves;
see {{agg-param-privacy}} for details.)

Poplar1 composes an IDPF with the "secure sketching" protocol of {{BBCGGI21}}.
Poplar1 composes an IDPF with the arithmetic sketch of {{BBCGGI21}}, Section
4.2. (The paper calls this a "secure sketch", but the underlying technique was
later generalized in {{BBCGGI23}}, where it is called "arithmetic sketching".)
This protocol ensures that evaluating a set of input shares on a unique set of
candidate prefixes results in shares of a "one-hot" vector, i.e., a vector that
is zero everywhere except for one element, which is equal to one.
is zero everywhere except for at most one element, which is equal to one.

The remainder of this section is structured as follows. IDPFs are defined in
{{idpf}}; a concrete instantiation is given {{idpf-poplar}}. The Poplar1 VDAF is
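Review bot: the replacement of "except for one element" with "except for at most one element" changes the definition of a one-hot vector (it now admits the all-zero vector), which goes beyond the terminology rename the commit message describes; it should be mentioned in the commit message so reviewers do not miss it. The change is consistent with the "has at most one non-zero value" wording in the Safe Usage section later in this diff, so the two places now agree.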
Expand Down Expand Up @@ -3960,7 +3974,7 @@ subsections. These methods make use of constants defined in {{poplar1-const}}.
The Client's measurement is an IDPF index, denoted `alpha`. (See
{{poplar1-idpf-index-encoding}} for guidelines on index encoding.) The
programmed IDPF values are pairs of field elements `(1, k)` where each `k` is
chosen at random. This random value is used as part of the secure sketching
chosen at random. This random value is used as part of the arithmetic sketching
protocol of {{BBCGGI21}}, Appendix C.4. After evaluating their IDPF key shares
on a given sequence of candidate prefixes, the sketching protocol is used by
the Aggregators to verify that they hold shares of a one-hot vector. In
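Review bot: the rename leaves the citation "{{BBCGGI21}}, Appendix C.4" in place, while the overview paragraph changed earlier in this diff now points to "{{BBCGGI21}}, Section 4.2" for the same sketching protocol; align the two references, or state explicitly why this paragraph cites the appendix, so the two paragraphs do not read as describing different protocols. Minor: this paragraph says "arithmetic sketching protocol" where the overview says "arithmetic sketch"; either is fine, but one term is easier to search for.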
Expand Down Expand Up @@ -4889,10 +4903,10 @@ heavy-hitter type applications.

### Safe Usage of IDPF Outputs

The secure sketch described in {{poplar1}} is used by the Aggregators to check
The arithmetic sketch described in {{poplar1}} is used by the Aggregators to check
that the shares of the vector obtained by evaluating a Client's IDPF at a
sequence of candidate prefixes has at most one non-zero value, and that the
non-zero value is `1`. Depending on how the values are used, the secure sketch
non-zero value is `1`. Depending on how the values are used, the arithmetic sketch
on its own may not be sufficient for robustness of the application. In
particular, a malicious Client may attempt to influence the computation by
choosing an IDPF that evaluates to `1` at more than one node at a given
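Review bot: style point on the sentence being touched: "check that the shares of the vector obtained by evaluating a Client's IDPF at a sequence of candidate prefixes has at most one non-zero value" has a subject/verb number mismatch and also reads as if the check were on the individual shares, whereas the sketch verifies a property of the vector they reconstruct. Suggest "check that the vector obtained by evaluating a Client's IDPF at a sequence of candidate prefixes, of which the Aggregators hold shares, has at most one non-zero value". Not introduced by this commit, but the line is already being rewritten.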
Expand All @@ -4911,7 +4925,7 @@ the inner nodes.) For intermediate levels, it is feasible for a client to
produce IDPF shares with two controlled non-zero nodes.

This is not an issue for running heavy hitters, since (1) each node in the
prefix tree is a child of a previously traversed node, (2) the secure sketch
prefix tree is a child of a previously traversed node, (2) the arithmetic sketch
would detect double voting at every level of the prefix tree, and (3) the IDPF
is extractable at the last level of the tree. However, the lack of
extractability at intermediate levels may result in attacks on the robustness
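Review bot: the context line "it is feasible for a client to produce IDPF shares" uses lowercase "client" while the rest of this section (for example "a malicious Client" in the previous hunk) capitalizes the role name; since the rename touches the next paragraph anyway, it is worth normalizing here. Otherwise the three numbered conditions read correctly after the rename: condition (2) now names the arithmetic sketch as the mechanism that detects double voting at every level of the prefix tree.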

0 comments on commit d4f5db6