Add checks that prefix counts are consistent across multiple VDAF executions

draft-irtf-cfrg-vdaf.md

@@ -1180,7 +1180,7 @@ been used with the same input share.
 
 VDAFs MUST implement the following function:
 
-* `Vdaf.is_valid(agg_param: AggParam, previous_agg_params: set[AggParam]) ->
+* `Vdaf.is_valid(agg_param: AggParam, previous_agg_params: list[AggParam]) ->
   Bool`: Checks if the `agg_param` is compatible with all elements of
   `previous_agg_params`.
 
@@ -2573,7 +2573,7 @@ Every input share MUST only be used once, regardless of the aggregation
 parameters used.
 
 ~~~
-def is_valid(agg_param, previous_agg_params):
+def is_valid(Prio3, agg_param, previous_agg_params):
     return len(previous_agg_params) == 0
 ~~~
 {: #prio3-validity-scope title="Validity of aggregation parameters for Prio3."}
@@ -3975,15 +3975,36 @@ def prep_shares_to_prep(Poplar1, agg_param, prep_shares):
 Aggregation parameters are valid for a given input share if no aggregation
 parameter with the same level has been used with the same input share before.
 The whole preparation phase MUST NOT be run more than once for a given
-combination of input share and level.
+combination of input share and level. This function checks that levels are
+increasing between calls, and also enforces that the prefixes at each level are
+suffixes of the previous level's prefixes.
 
 ~~~
-def is_valid(agg_param, previous_agg_params):
-    (level, _) = agg_param
-    return all(
-        level != other_level
-        for (other_level, _) in previous_agg_params
-    )
+def get_ancestor(Poplar1, input, this_level, last_level):
+    # Helper function to determine the prefix of `input` at `last_level`.
+    return input >> (this_level - last_level)
+
+def is_valid(Poplar1, agg_param, previous_agg_params):
+    # Exit early if this is the first time.
+    if len(previous_agg_params) < 1:
+      return True
+
+    (level, prefixes) = agg_param
+    (last_level, last_prefixes) = previous_agg_params[-1]
+    # The empty prefix 0 is always there.
+    last_prefixes_set = set(list(last_prefixes) + [0])
+
+    # Check that level increased.
+    if level <= last_level
+      return False
+
+    # Check that prefixes are suffixes of the last level's prefixes.
+    for prefix in prefixes:
+      last_prefix = get_ancestor(prefix, level, last_level)
+      if last_prefix not in last_prefixes_set:
+        return False  # Current prefix not a suffix of last level's prefixes.
+
+    return True
 ~~~
 {: #poplar1-validity-scope title="Validity of aggregation parameters for
 Poplar1."}
@@ -3995,6 +4016,8 @@ Aggregation involves simply adding up the output shares.
 ~~~
 def aggregate(Poplar1, agg_param, out_shares):
     (level, prefixes) = agg_param
+    if sum(prefix_counts) > len(out_shares):
+      return ERR_VERIFY
     Field = Poplar1.Idpf.current_field(level)
     agg_share = Field.zeros(len(prefixes))
     for out_share in out_shares:
@@ -4603,8 +4626,15 @@ perhaps unlikely) for a large set of non-heavy-hitter values to share a common
 prefix, which would be leaked by a prefix tree with a sufficiently small
 threshold.
 
-The only known, general-purpose approach to mitigating this leakage is via
-differential privacy.
+A malicious adversary controlling the Collector and one of the Aggregators can
+further turn arbitrary non-heavy prefixes into heavy ones by tampering with the
+IDPF output at any position. While our construction ensures that the sum of all
+nodes evaluated at a level cannot exceed the value at the parent nodes, this
+still may allow an adversary to discover individual non-heavy strings.
+
+The only practical, general-purpose approach to mitigating these leakages is via
+differential privacy, which is RECOMMENDED for all protocols using Poplar1 for
+heavy-hitter type applications.
 
 > TODO(issue #94) Describe (or point to some description of) the central DP
 > mechanism for Poplar described in {{BBCGGI21}}.

poc/tests/test_vdaf_poplar1.py

@@ -70,9 +70,15 @@ def test_is_valid(self):
         # Test `is_valid` returns False on repeated levels, and True otherwise.
         cls = Poplar1.with_bits(256)
         agg_params = [(0, ()), (1, (0,)), (1, (0, 1))]
-        assert cls.is_valid(agg_params[0], set([]))
-        assert cls.is_valid(agg_params[1], set(agg_params[:1]))
-        assert not cls.is_valid(agg_params[2], set(agg_params[:2]))
+        assert cls.is_valid(agg_params[0], list([]))
+        assert cls.is_valid(agg_params[1], list(agg_params[:1]))
+        assert not cls.is_valid(agg_params[2], list(agg_params[:2]))
+
+        # Test `is_valid` accepts level jumps.
+        agg_params = [(0, ()), (2, (0, 1)), (3, (0, 5))]
+        assert cls.is_valid(agg_params[1], list(agg_params[:1]))
+        # Test `is_valid` rejects unconnected prefixes.
+        assert not cls.is_valid(agg_params[2], list(agg_params[:2]))
 
     def test_aggregation_parameter_encoding(self):
         # Test aggregation parameter encoding.

poc/vdaf_poplar1.py

@@ -151,16 +151,39 @@ def shard(Poplar1, measurement, nonce, rand):
         input_shares = list(zip(keys, corr_seed, corr_inner, corr_leaf))
         return (public_share, input_shares)
 
-    def is_valid(agg_param, previous_agg_params):
+    @classmethod
+    def get_ancestor(Poplar1, input, this_level, last_level):
         """
-        Checks if the level of `agg_param` appears anywhere in
-        `previous_agg_params`. Returns `False` if it does, and `True` otherwise.
+        Helper function to determine the prefix of `input` at `last_level`.
         """
-        (level, _) = agg_param
-        return all(
-            level != other_level
-            for (other_level, _) in previous_agg_params
-        )
+        return input >> (this_level - last_level)
+
+    @classmethod
+    def is_valid(Poplar1, agg_param, previous_agg_params):
+        """
+        Checks that levels are increasing between calls, and also enforces that
+        the prefixes at each level are suffixes of the previous level's
+        prefixes.
+        """
+        if len(previous_agg_params) < 1:
+            return True
+
+        (level, prefixes) = agg_param
+        (last_level, last_prefixes) = previous_agg_params[-1]
+        # The empty prefix 0 is always there.
+        last_prefixes_set = set(list(last_prefixes) + [0])
+
+        # Check that level increased.
+        if level <= last_level:
+            return False
+
+        # Check that prefixes are suffixes of the last level's prefixes.
+        for (i, prefix) in enumerate(prefixes):
+            last_prefix = Poplar1.get_ancestor(prefix, level, last_level)
+            if last_prefix not in last_prefixes_set:
+                # Current prefix not a suffix of last level's prefixes.
+                return False
+        return True
 
     @classmethod
     def prep_init(Poplar1, verify_key, agg_id, agg_param,