Tighten language around replay protection

At the moment, we have very little normative/informative language around replay protection. The only normative language is buried in the "input share validation" subsection:

> 1. Check if the report has been previously aggregated. If so, the input share
> MUST be marked as invalid with the error `report_replayed`. A report is
> considered aggregated if its contribution would be included in a relevant
> collection job.

Another problem is that we never say explicitly to record the IDs of aggregated reports. Here the Aggregator has a choice: it can avoid excess computation by storing the ID of every report it sees in an aggregation job, thereby ensuring reports that are rejected for some other reason aren't processed again; or it can avoid excess storage by only storing the IDs of output shares it wants to aggregate.

This change has several parts to it:

1. Add a section to the protocol overview about replay protection (why/how) and a paragraph to the aggregation sub-protocol overview.
2. Remove the replay check from the "input share validation" section.
3. Have the Leader check for replays right after it has picked a candidate set of reports. Have it store the IDs either before initialization or after completion of the aggregation job.
4. Have the Helper resolve replays (reject replays and update the stored set) either at the beginning of an aggregation job or just before completing it.
5. Be explicit about the use of report IDs for replay protection. This only impacts an implementation note, which envisions multiple schemes for replay protection, like hashing the report. This note has been moved from the "input share validation" section to operational considerations.
Showing 1 changed file with 110 additions and 38 deletions.
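The commit message above contrasts two bookkeeping strategies for replay protection: record the ID of every report processed in an aggregation job, or record only the IDs whose output shares are actually aggregated. The following is an added example (not code from the DAP specification or any implementation) that models an Aggregator's replay check with both policies. The `ReplayTracker` class, the `record_all_seen` flag, the `(report_id, other_error)` input shape and the treatment of a duplicate ID within a single batch as a replay are all assumptions made for this illustration; only the `report_replayed` error name comes from the text.

```python
"""Replay-protection bookkeeping for a DAP-style Aggregator (added example)."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Error name used by the spec text when a report is seen again.
REPORT_REPLAYED = "report_replayed"


@dataclass
class ReplayTracker:
    """Tracks report IDs so a report cannot contribute to an aggregate twice.

    record_all_seen=True  : store the ID of every report processed in a job,
                            including ones rejected for another reason. Costs
                            storage, but a bad report is never re-processed.
    record_all_seen=False : store only IDs whose output shares are aggregated.
                            Saves storage, but a report rejected earlier for
                            some other reason will be validated again if resent.
    (Hypothetical flag; the choice is described in the commit message.)
    """
    record_all_seen: bool
    recorded: Set[bytes] = field(default_factory=set)

    def resolve(
        self, candidates: List[Tuple[bytes, Optional[str]]]
    ) -> Tuple[List[bytes], List[Tuple[bytes, str]]]:
        """Resolve replays for one aggregation job's candidate set.

        candidates: (report_id, other_error) pairs, where other_error is None
        when the report passed every other validation check.
        Returns (ids to aggregate, [(id, error) for rejected reports]) and
        updates the stored ID set according to the policy.
        """
        accepted: List[bytes] = []
        rejected: List[Tuple[bytes, str]] = []
        seen_this_batch: Set[bytes] = set()

        for report_id, other_error in candidates:
            # Replay check first: an ID already recorded, or already seen
            # earlier in this same batch (assumption), is a replay.
            if report_id in self.recorded or report_id in seen_this_batch:
                rejected.append((report_id, REPORT_REPLAYED))
                continue
            seen_this_batch.add(report_id)

            if other_error is not None:
                rejected.append((report_id, other_error))
                if self.record_all_seen:
                    # Remember it so the same bad report is not processed again.
                    self.recorded.add(report_id)
                continue

            # Report will contribute to the aggregate: always record its ID.
            accepted.append(report_id)
            self.recorded.add(report_id)

        return accepted, rejected


if __name__ == "__main__":
    # Constructed sample: r2 fails some other check on first sight, then is resent.
    for policy in (False, True):
        tracker = ReplayTracker(record_all_seen=policy)
        tracker.resolve([(b"r1", None), (b"r2", "invalid_share")])
        acc, rej = tracker.resolve([(b"r1", None), (b"r2", None)])
        print(f"record_all_seen={policy}: accepted={acc} rejected={rej}")
```

Running the sample shows the trade-off: with `record_all_seen=False` the resent `r2` is validated and aggregated on the second job, while with `record_all_seen=True` it is rejected as a replay without any further processing. Either way `r1` is rejected with `report_replayed` the second time it appears.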