Tweak nonce requirements
- Clarify that aggregators must verify that nonces are never re-used.
  Since VDAF aims to provide privacy in the face of malicious clients,
  it doesn't suffice to say clients MUST generate nonces using a CSPRNG;
  we have to account for malicious clients by adding a MUST for the
  aggregator. This lines up with the behavior DAP has specified for a
  long time now.

- In the second paragraph, clarify that over exposing a *report* is the
  risk, not a *measurement*. It's always possible for the same
  measurement to occur many times (for instance, in `Prio3Count`, most
  measurements are 1), but we want the enclosing *report* to be unique.

See ietf-wg-ppm/draft-ietf-ppm-dap#558 for
discussion
tgeoghegan committed May 1, 2024
1 parent 82389a8 commit 1c0f966
15 changes: 7 additions & 8 deletions draft-irtf-cfrg-vdaf.md
Expand Up @@ -4562,17 +4562,16 @@ scheme would not allow key rotation over the lifetime of a task.
## Requirements for the Nonce {#nonce-requirements}

The sharding and preparation steps of VDAF execution depend on a nonce
associated with the Client's report. To ensure privacy of the underlying
measurement, the Client MUST generate this nonce using a CSPRNG. This is
required in order to leverage security analysis for the privacy definition of
{{DPRS23}}, which assumes the nonce is chosen at random prior to generating the
report.
associated with the Client's report. To leverage the security analysis for the
privacy definition of {{DPRS23}}, which assumes the nonce is chosen at random
prior to generating the report, the client MUST generate this nonce using a
CSPRNG and the aggregators MUST verify that nonces are never re-used.

Other security considerations may require the nonce to be non-repeating. For
example, to achieve differential privacy it is necessary to avoid "over
exposing" a measurement by including it too many times in a single batch or
across multiple batches. It is RECOMMENDED that the nonce generated by the
Client be used by the Aggregators for replay protection.
exposing" a report by including it too many times in a single batch or across
multiple batches. It is RECOMMENDED that the nonce generated by the Client be
used by the Aggregators for replay protection.

## Requirements for the Aggregation Parameters

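Review bot: the rewritten first paragraph now says "the aggregators MUST verify that nonces are never re-used", but the second paragraph still ends with "It is RECOMMENDED that the nonce generated by the Client be used by the Aggregators for replay protection", so the same hunk makes nonce-uniqueness checking mandatory in one sentence and optional in the next; either raise the second sentence to a MUST or state the scope of the uniqueness check (within a task, across batches) and what an Aggregator does with a report whose nonce repeats, since the hunk currently specifies neither. Style point in the same sentence: "the client MUST" and "the aggregators MUST" use lowercase where the surrounding text capitalizes "Client" and "Aggregators" as defined roles (for example "the Client's report" and "used by the Aggregators"); suggest "the Client MUST generate this nonce using a CSPRNG and the Aggregators MUST verify that nonces are never re-used."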
0 comments on commit 1c0f966