Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Update security considerations #235

Merged
merged 1 commit into from
May 10, 2022
Merged

Conversation

cjpatton
Copy link
Collaborator

@cjpatton cjpatton commented May 2, 2022

Closes #211.

This change is primarily editorial and includes the following changes:

  • Replace references to "Prio" with references to a generic VDAF. (This
    section was written long ago when we had Prio in mind.)
  • Elaborate on known issues for collect requests.
  • Discuss Sybil attacks, including enumerating the different types
    (Sybil attack distinction #211).

@cjpatton cjpatton requested review from ekr, chris-wood and tgeoghegan May 2, 2022 16:28
@cjpatton cjpatton changed the title Cjpatotn/editorial sec cons Update security considerations May 2, 2022
@cjpatton cjpatton force-pushed the cjpatotn/editorial-sec-cons branch 2 times, most recently from cd843b5 to 8fc3d2b Compare May 2, 2022 21:44
draft-gpew-priv-ppm.md Outdated Show resolved Hide resolved
draft-gpew-priv-ppm.md Outdated Show resolved Hide resolved
draft-gpew-priv-ppm.md Outdated Show resolved Hide resolved
information to the aggregators and collector beyond what follows from the
heavy hitters themselves. Note that this leakage can be mitigated using
differential privacy. [OPEN ISSUE: We have yet not specified how to add DP.]
1. The core PPM spec does not defend against Sybil attacks. In this type of
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Does "core" mean a deployment that doesn't use report extensions or any kind of client authentication mechanism?

Copy link
Contributor

@csharrison csharrison May 4, 2022

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Beyond the protocol extensions it is also the case that some VDAFs have Sybil protections (against privacy) built-in e.g. with noise addition / differential privacy. DAP could enforce that the aggregation function provide this kind of privacy but we choose not to.

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@tgeoghegan "core" refers to the bits of the spec that apply to all implementations. In particular, not every implementation will be required to interpret extensions the same way.

@csharrison It's not clear to me that DP always provides adequate protection against Sybil attacks. I think it ultimately depends on how you define privacy. That said, requiring DP is totally on the table, but before doing this I think we should start by spelling out what this would look like as an optional feature of the protocol. I think the first question to ask is whether this mechanism lives here or in the underlying VDAF. I would love to have your help on this.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@csharrison It's not clear to me that DP always provides adequate protection against Sybil attacks. I think it ultimately depends on how you define privacy. That said, requiring DP is totally on the table, but before doing this I think we should start by spelling out what this would look like as an optional feature of the protocol. I think the first question to ask is whether this mechanism lives here or in the underlying VDAF. I would love to have your help on this.

I think if you can prove that the system achieves user-level DP you should be able to show that even with worst-case Sybil attacks, a user's privacy is still protected to some degree. That being said, this is a property of the whole system, not just the VDAF.

I am fairly sure that DAP / PPM does not want to require DP in its deployments. This brings on a lot of baggage, and for instances where these kinds of attacks are truly not a problem (e.g. with airtight client authentication) it might not be that useful. The main point here is that we might want to call out that the particular VDAF used may mitigate some of the risks of Sybil.

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

If achievable, I think specifying an optional, generic DP mechanism here (perhaps for some class of VDAFs with a specific property) would have significant advantages. IIUC, tuning and enforcing the privacy budget will require knowledge of how measurements are generated by clients over time. This is something that will be dictated by the deployment, and I think it would be best to avoid bleeding deployment details into VDAF wherever possible.

That said, VDAF may need to at least say something about how/when to add noise into an input or aggregate share.

Copy link
Contributor

@csharrison csharrison May 4, 2022

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

If achievable, I think specifying an optional, generic DP mechanism here (perhaps for some class of VDAFs with a specific property) would have significant advantages

I think this is possible. We can probably have some tunable, exposed property of a VDAF that is a necessary but not sufficient condition for achieving DP. We can describe the rest of the conditions needed in the DAP deployment to get the rest of the way there.

This will not be super easy to do, but I am happy to help think through what it will take (maybe in a separate issue).

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Kicking off an issue is probably a good way forward. I'm happy to help with the protocol design, but will need to lean on you to make sure we have all the plumbing we need to implement. A couple seed questions to start:

  1. Who adds noise and when? Do we want to support local DP, centralized DP, or both? Also would be helpful to define these (and point to references where needed).
  2. What syntactic changes are necessary for VDAF?

Once you create the issue, it would also be helpful to ping the list with a brief description of the issue and a link.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

commented on #19, I doesn't answer all the questions but it's a start :)

@cjpatton cjpatton requested a review from tgeoghegan May 4, 2022 14:33
@cjpatton cjpatton force-pushed the cjpatotn/editorial-sec-cons branch from b78edc4 to 9e8c636 Compare May 4, 2022 14:35
draft-ietf-ppm-dap.md Outdated Show resolved Hide resolved
draft-ietf-ppm-dap.md Outdated Show resolved Hide resolved
@cjpatton cjpatton force-pushed the cjpatotn/editorial-sec-cons branch from f9f8062 to 601699b Compare May 4, 2022 18:10
Copy link
Collaborator

@chris-wood chris-wood left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The list of attacks is really a list of things we ought to fix in the protocol, so I would not even bother including them in the security considerations. If we want to use this as an opportunity to identify open issues that need to be addressed before we consider the protocol secure, I would simply list the open issues and keep discussion in GitHub. (That is, the text here seems redundant with the issue 🤷 )

draft-ietf-ppm-dap.md Outdated Show resolved Hide resolved
This change is primarily editorial and includes the followg changes:

* Replace references to "Prio" with references to a generic VDAF. (This
  section was written long ago when we had Prio in mind.)
* Elaborate on known issues for collect requests.
* Discuss Sybil attacks, including enumerating the different types
  (#211).

Co-authored-by: Tim Geoghegan <[email protected]>
Co-authored-by: Christopher Wood <[email protected]>
@cjpatton cjpatton force-pushed the cjpatotn/editorial-sec-cons branch from 8fdf922 to edea17e Compare May 9, 2022 23:58
@chris-wood chris-wood merged commit 92bb26e into main May 10, 2022
@cjpatton cjpatton deleted the cjpatotn/editorial-sec-cons branch September 16, 2022 00:29
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

Sybil attack distinction
4 participants