Prio3: Double the length of the joint randomness seed (*)
A robustness attacker can try to find two distinct reports that derive
the joint randomness seed by an offline birthday attack. By increasing
the seed size from 16 to 32 bytes, we ensure this probability is
negligible (in the random oracle model) even when the attacker can do a
lot of computation (make many random oracle queries).
cjpatton committed Aug 20, 2024
1 parent bad646d commit 0e241f9
Showing 7 changed files with 52 additions and 51 deletions.
15 changes: 8 additions & 7 deletions draft-irtf-cfrg-vdaf.md
Expand Up @@ -2731,7 +2731,8 @@ The joint randomness computation involves the following steps:

1. Compute a "joint randomness part" from each measurement share and blind
1. Compute a "joint randomness seed" from the joint randomness parts
1. Compute the joint randomness for each proof evaluation from the joint randomness seed
1. Compute the joint randomness for each proof evaluation from the joint
randomness seed

This three-step process is designed to ensure that the joint randomness does
not leak the measurement to the Aggregators while preventing a malicious Client
Expand Down Expand Up @@ -2760,8 +2761,8 @@ Aggregator a "hint" consisting of the joint randomness parts. This leaves open
the possibility that the Client cheated by, say, forcing the Aggregators to use
joint randomness that biases the proof check procedure some way in its favor.
To mitigate this, the Aggregators also check that they have all computed the
same joint randomness seed before accepting their output shares. To do so, they
exchange their parts of the joint randomness along with their shares of
same joint randomness seed before accepting their output shares. To do so,
they exchange their parts of the joint randomness along with their shares of
verifier(s).

Implementation note: the preparation state for Prio3 includes the output share
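Review bot: The paragraph on the Aggregators checking that they "have all computed the same joint randomness seed" is only re-wrapped in this hunk, and in the lines shown the reason for the longer seed appears only in the commit message. Suggest adding a sentence here stating that the seed is 32 bytes so that finding two distinct reports with the same seed by an offline birthday search is negligible, so the rationale survives in the draft text itself.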
Expand Down Expand Up @@ -3004,19 +3005,19 @@ def joint_rand_part(

def joint_rand_seed(self, k_joint_rand_parts: list[bytes]) -> bytes:
"""Derive the joint randomness seed from its parts."""
return self.xof.derive_seed(
return self.xof(
zeros(self.xof.SEED_SIZE),
self.domain_separation_tag(USAGE_JOINT_RAND_SEED),
concat(k_joint_rand_parts),
)
).next(2*self.xof.SEED_SIZE)

def joint_rands(self, k_joint_rand_seed: bytes) -> list[F]:
"""Derive the joint randomness from its seed."""
return self.xof.expand_into_vec(
self.flp.field,
k_joint_rand_seed,
zeros(self.xof.SEED_SIZE),
self.domain_separation_tag(USAGE_JOINT_RANDOMNESS),
byte(self.PROOFS),
k_joint_rand_seed + byte(self.PROOFS),
self.flp.JOINT_RAND_LEN * self.PROOFS,
)
~~~
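Review bot: In `joint_rand_seed`, the output length is the bare expression `2*self.xof.SEED_SIZE` and the docstring still reads only "Derive the joint randomness seed from its parts", so the spec listing does not tell a reader that this seed is deliberately twice the XOF seed size. Suggest giving the length a name (a class-level constant, name to be chosen) and saying in the docstring that the result is `2*SEED_SIZE` bytes and why. It would also help to note in `joint_rands` why the XOF seed is now `zeros(self.xof.SEED_SIZE)` with the joint randomness seed moved into the binder.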
8 changes: 4 additions & 4 deletions poc/vdaf_poc/vdaf_prio3.py
Expand Up @@ -481,19 +481,19 @@ def joint_rand_part(

def joint_rand_seed(self, k_joint_rand_parts: list[bytes]) -> bytes:
"""Derive the joint randomness seed from its parts."""
return self.xof.derive_seed(
return self.xof(
zeros(self.xof.SEED_SIZE),
self.domain_separation_tag(USAGE_JOINT_RAND_SEED),
concat(k_joint_rand_parts),
)
).next(2*self.xof.SEED_SIZE)

def joint_rands(self, k_joint_rand_seed: bytes) -> list[F]:
"""Derive the joint randomness from its seed."""
return self.xof.expand_into_vec(
self.flp.field,
k_joint_rand_seed,
zeros(self.xof.SEED_SIZE),
self.domain_separation_tag(USAGE_JOINT_RANDOMNESS),
byte(self.PROOFS),
k_joint_rand_seed + byte(self.PROOFS),
self.flp.JOINT_RAND_LEN * self.PROOFS,
)

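Review bot: `joint_rands` builds its binder as `k_joint_rand_seed + byte(self.PROOFS)` but nothing in the function checks the length of `k_joint_rand_seed`. The concatenation is only unambiguous while the seed has a fixed length, so suggest asserting `len(k_joint_rand_seed) == 2*self.xof.SEED_SIZE` at the top of `joint_rands` in the reference code, which would also catch a caller that still passes a seed of the old size.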
8 changes: 4 additions & 4 deletions test_vec/12/Prio3Histogram_0.json
Expand Up @@ -15,7 +15,7 @@
"prep": [
{
"input_shares": [
"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",
"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",
"000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f"
],
"measurement": 2,
Expand All @@ -35,12 +35,12 @@
]
],
"prep_messages": [
"d307ca7e34030158f94c1c71721d8bed"
"d307ca7e34030158f94c1c71721d8bedb566e5437d4594041636b8e54411adf1"
],
"prep_shares": [
[
"a2c657a8c8eceaa4bd325ab96ac04328263c85eebe91da2f22239e923a040771821bdb334ad2dbd7e260f1adeb28e7dd873369157aaf72a6a83ecf31a547bff42c4a2287942feded543fc90db3aa68cc0b915a5ac0b713c4a1cea3b5e9badc516595a33d22f55b5cd209dacd57611bda",
"5f39a8573713155b26cda546953fbcd7c532d56986b04a02ba056d488ce351df64e112ea49775e2e902083738615cc0a6adb1b52df903df7759adfca289d7689a43598d54b0d6d143d51cb13a67ba7a2744ab56e63506d495a9089a400800a1aa975e65b48c56738451e92401898de32"
"909b2bfc73f4869d4045236c982e6ff69350e9a277869a6fc47407210c6369d2821bdb334ad2dbd7e260f1adeb28e7ddd38fdfbab21f29e1b7c1a87d9e9b79782c4a2287942feded543fc90db3aa68cc3c8a0bd3dbb8288220614d3d377307c26595a33d22f55b5cd209dacd57611bda",
"7164d4038c0b7962a3badc9367d190096d321029f398cf628f4f445bd87d922264e112ea49775e2e902083738615cc0a1d7fa5aca62087bc8217067f2f49bc05a43598d54b0d6d143d51cb13a67ba7a2744ab56e63506d495a9089a400800a1aa975e65b48c56738451e92401898de32"
]
],
"public_share": "6595a33d22f55b5cd209dacd57611bdaa975e65b48c56738451e92401898de32",
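Review bot: The `prep_messages` entry grows from 16 to 32 bytes in this hunk, so the encoded prep message changes length, yet the vector is edited in place under `test_vec/12/`. Suggest confirming that directory `12` matches the draft version that carries this change, so that implementations of an earlier draft are not checked against vectors with the new length.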
10 changes: 5 additions & 5 deletions test_vec/12/Prio3Histogram_1.json
Expand Up @@ -23,7 +23,7 @@
"prep": [
{
"input_shares": [
"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",
"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",
"000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f",
"303132333435363738393a3b3c3d3e3f404142434445464748494a4b4c4d4e4f505152535455565758595a5b5c5d5e5f"
],
Expand Down Expand Up @@ -71,13 +71,13 @@
]
],
"prep_messages": [
"65b4766fdb2e80ffce625b6f9dc064ff"
"65b4766fdb2e80ffce625b6f9dc064ff1ac93f8c311292df45691fa7b51d3a3a"
],
"prep_shares": [
[
"1a5e78efb752158bb97c60769f41abc1b742c4ef3cc98106e5c55460d9597f2c78dfb0854ed71e3ce2c5ffcf441d591f21640ed39b6297a148ec60575b3f02bfebbc0a2dc948eb161c54d763d3b18ad2c24b67181e57b77036fbcd826825ed6b2c46bb713d5f75167765f06a319f1078a955c2a27dd8ae89fffd2b7359a41b88d5ebe5da772711f319d9c274bc87e4ae",
"9a1848375ba69a6259be7e94af531e11ff131f6eccf7aa34502e59d4fb85c8dc7f9f3ce479472fb26abc0082031450e8a71a250710b2bafe081fa7802b670caccf668b7f8328535525bf9404e1a1f72e1b8757aad90a5067923b27ec944a3c0d9be6f81ab08738da18d94704558b05abeeb11c5768bc4f53fc6d8ccf11ef5fbc175b1ddca08ec75746ae7cfad1494d6b",
"4d893fd9ec065012d1c420f5b06a362d1943c93a674afa5542234e64f24efe1fdc84b0d0891400178bffe99323216160aa650ace7ac9da178d9fdda87834217e2308c3c05f45e5f0715a4f544b13a5b7195e0f6a3846bb9ff827942ed8bb2d7c425dd68ced0498ff272c8c6c27a7f1d70f1c180754ebde22aa219e4cbb38609538537eed20340a6df79e06201b27d7dd"
"101b5cedd7492d7a897e5cca9b4655deec9af2be8c684927239f9657e08465bb78dfb0854ed71e3ce2c5ffcf441d591fc4f57edcb0c9d68a929bc6283cf31760ebbc0a2dc948eb161c54d763d3b18ad2a663f92f9ae767408587ab857a5f50b82c46bb713d5f75167765f06a319f1078fd86aeaa2d603838634eb43a6346d0b0d5ebe5da772711f319d9c274bc87e4ae",
"61a97cb91b0ba5f757ce70a0061b6d857b440abfb1fc4ef475a1d0e106b4dfda7f9f3ce479472fb26abc0082031450e8d0bee37386c3336f5910e1a3353ccc90cf668b7f8328535525bf9404e1a1f72e5451dc1831ea337729e5c72b239c97f49be6f81ab08738da18d94704558b05abeeb11c5768bc4f53fc6d8ccf11ef5fbc175b1ddca08ec75746ae7cfad1494d6b",
"913b27590cab2d8ee6b232955d9e3d9c69baaf1a32a68e75c2d6945fe0f50093dc84b0d0891400178bffe99323216160de2fdb57ef5022bef2fe3db48dab4bf82308c3c05f45e5f0715a4f544b13a5b7922c4449fc5fa1fbbcf9d8677ff601a7425dd68ced0498ff272c8c6c27a7f1d70f1c180754ebde22aa219e4cbb38609538537eed20340a6df79e06201b27d7dd"
]
],
"public_share": "d5ebe5da772711f319d9c274bc87e4ae175b1ddca08ec75746ae7cfad1494d6b38537eed20340a6df79e06201b27d7dd",
8 changes: 4 additions & 4 deletions test_vec/12/Prio3MultihotCountVec_0.json
Expand Up @@ -16,7 +16,7 @@
"prep": [
{
"input_shares": [
"3328c5d840a2524d02570b8dd7262f90914bd6b86810c0933a062e285bc8769510c0cd59a7f162db0113ed7d9d1be1be35afcb42314df09d6ea9a588af7e8e0efe4f93a3266e501b318713d23fc7509ceadc31fcd23163828ddbeb8c70aca7674922d0d645d7e33bb341a6cd0086f1a943fabfe5c4c462a23e313f9fd59119c68f60fe97c43c1c73ca310f38e3dfc873a779b8c6c0d1316113baea6b25535b4f5d7f68884a34db22f2e867fc6b58b90304e3cef3c2c86f5ed0768631bb710e25856446b5724c114eb21c2cf6e1db86c7dd103b055a4a4264b8145696a8fd2cd6013658dab5edc3613187e39e0139185288dda07ea5ec672892a8222806d42e51cafdc50f6ae3eb117f0946bd0007cd48303132333435363738393a3b3c3d3e3f",
"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",
"000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f"
],
"measurement": [
Expand All @@ -41,12 +41,12 @@
]
],
"prep_messages": [
"190692018e7a0b2529c82634429fb294"
"190692018e7a0b2529c82634429fb29428f56cdebf2e881e879f369fd0fabae7"
],
"prep_shares": [
[
"d3df0961d03e46ae60ff9b6c188a57229ad60e135d9e81ffe700d9dcf111b43a51e0250d2875555336ee432ace6a60d548b5910ed93880f8534d7f979ae2701b991ffc180ef4383f172c48190d35e3b0a4ca23823315a32d9093a26fe37e56ffc7ca3300226ad2b425ce938642482b04",
"2e20f69e2fc1b95183006493e775a8dd43a5b612e3502a57beeec17025bfb6555f6faf25d445453d13b55dedf4682c231285ee5914117c8347b0b74466c681d29cfe21f0fecd081c9457e7d8e5c9c7bc492cedc003d51d550003371b47fba15c507bf9521cf5e01a8de65df3e46e31e2"
"85cf941f0fcc71d625ee4583010c7ae0e2fb17b242c954621e4822e0dc96644251e0250d2875555336ee432ace6a60d570409c2e965c440ac262f65891f76850991ffc180ef4383f172c48190d35e3b0318e83ae0826650c4ad453f999c80f28c7ca3300226ad2b425ce938642482b04",
"7c306be0f0338e29be11ba7cfef3851fd30139baca76ce051cbc568d612d10f95f6faf25d445453d13b55dedf4682c236d7dfbb8875bf66fcffcd6dcaf20c46d9cfe21f0fecd081c9457e7d8e5c9c7bc492cedc003d51d550003371b47fba15c507bf9521cf5e01a8de65df3e46e31e2"
]
],
"public_share": "c7ca3300226ad2b425ce938642482b04507bf9521cf5e01a8de65df3e46e31e2",