adding differential privacy to FixedPointBoundedL2VecSum

[ooovi]

As announced in #440, we added a feature for our fixed point vector type to add discrete gaussian noise to the aggregation result.

Changes to prio code that is not part of our type, currently all hidden behind the experimental feature flag:

• The Type trait got an add_noise function that's the identity unless overridden.
• The Aggregator trait got a postprocess function that's the identity unless overridden. The Aggregator implementation for Prio3 overrides it calling the add_noise function
• There's an FlpError for errors happening during noising.

Our type overrides the default implementation of add_noise, and adds noise obtained using our sampler implementation.

Looking forward to your comments! :)

Co-Authored-By: Olivia ovi@posteo.de
Co-Authored-By: Maxim Urschumzew u.maxim@live.de

[cjpatton]

Some high level comments to start! By the way I agree with the assessment that some sort of posprocessing step is needed, since in both DAP implementations (Janus/Daphne) aggregate() is not used directly to aggregate things (an accumulator is used instead).

[MxmUrw]

I think Tim's proposal of moving the parameter for differential privacy into an associated type on Aggregator is quite sensible, in particular since currently we have to use our zero_privacy_parameter() to pass a dummy (or default) parameter to a new vdaf instance in places where there is no notion of noising, such as most tests or the initialization of Client.

I have gone ahead and updated the code as suggested, applying some of the renaming-suggestions as well (ad81ed5).

[cjpatton]

Hey @ooovi, @MxmUrw: We met to discuss this PR today and decided that merging the discrete Gaussian stuff is the best option. (See inline comments.) The main concern right now is getting the API changes right. At a high level our requirements are:

1. Decouple the primitives from the VDAF implementation. Eventually what we would like to see is a module containing a variety of primitives suitable for building different DP mechanisms (client-side, server-side, usw.).
2. Make the primitives as generic as possible. Ideally the Gaussian sampler would take as input the $\epsilon$, $\delta$, sensitivity, and whatever other parameters are required and output a vector that can be added to an aggregate share. The same primitive should be useful for any VDAF for which it is compatible.
3. Ideally it would be possible for a user to use any DP mechanism they want (or none at all), so long as it's compatible with the given VDAF. Right now Prio3FixedPointBoundedL2VecSum can only be used with one DP mechanism (central-DP w/ discrete Gaussian).

I think the next thing to do is figure out the API changes for VDAF, in a separate PR. We sketched something in our meeting today and we plan to put up a PR soon. Would you please take a look when it's ready? Once it's merged, we can rebase this PR on top of it. Does that sound like a plan?

[MxmUrw]

Hi, we are wondering about what the best way for dealing with randomness seeds is:

We want the add_noise_to_agg_share function for our FixedPointBoundedL2VecSum type to be deterministic, in order to allow for testing.

There are multiple options:

1. Write a local deterministic function (let's call it f) which takes an rng: Rng and does what add_noise_to_agg_share should do. Then in the actual implementation of add_noise_to_agg_share use system randomness to create rng: Rng and pass it to f.
2. Add an rng: Rng argument to the add_noise_to_agg_share in AggregatorWithNoise. Then janus is responsible for passing in a seed.
3. Leave the AggregatorWithNoise trait as is, but add an rng: Rng argument to the add_noise_to_agg_share in TypeWithNoise. (This options seems strange in so far as it is unclear why Prio3 should be responsible for creating the rng)

[divergentdave]

Hi, we are wondering about what the best way for dealing with randomness seeds is:

We want the add_noise_to_agg_share function for our FixedPointBoundedL2VecSum type to be deterministic, in order to allow for testing.

There are multiple options:

1. Write a local deterministic function (let's call it `f`) which takes an `rng: Rng` and does what `add_noise_to_agg_share` should do. Then in the actual implementation of `add_noise_to_agg_share` use system randomness to create `rng: Rng` and pass it to `f`.

2. Add an `rng: Rng` argument to the `add_noise_to_agg_share` in `AggregatorWithNoise`. Then janus is responsible for passing in a seed.

3. Leave the `AggregatorWithNoise` trait as is, but add an `rng: Rng` argument to the `add_noise_to_agg_share` in `TypeWithNoise`. (This options seems strange in so far as it is unclear why `Prio3` should be responsible for creating the `rng`)

The first option sounds good, we do effectively the same thing for sharding, except passing in seeds themselves.

[MxmUrw]

Hello again, we have rebased our PR, and are ready to discuss!

There are quite a few changes, so here is a summary:

1. The DifferentialPrivacyStrategy trait now contains associated types for the type of budget, type of distribution and type of sensitivity. It furthermore requires from_budget() and create_distribution() methods. This might be controversial, see below for a further elaboration wrt. the previous discussion.

2. We imported the rational type Ratio<> from num_rational. This makes the implementation of the sampler more readable and closer to the reference implementation by hiding arithmetic with fractions. Furthermore, it is only used internally, so concerns regarding exposing this in the public interface of prio should not apply.

3. We now use Ratio<BigUInt> for the epsilon parameter in ZCdpBudget. The field is not public, instead a constructor taking the custom Rational type is provided. Additionally we provide a constructor accepting f32 values. Concerns regarding imprecision of this conversion (either because of privacy considerations or the need for test-vectors) should not apply, since the immediate internal conversion from f32 to Ratio<BigUint> can be done losslessly. (It might fail, however, since budgets are not allowed to be negative.)

4. We use Ratio<BigUint> for the sensitivity of ZCdpDiscreteGaussian strategy. The reason for using BigUints is that the sensitivity of our type is, depending on configuration, up to $2^{64}$ and thus does not fit into u32. We consider this to not be part of the public interface, as this value is going to be created inside the VDAF's AggregatorWithNoise implementation, and not by the user. Using BigUints is the most future-proof solution. On the other hand, one might argue that the sensitivity is in fact public; this highly depends on the definition of the DifferentialPrivacyStrategy trait. In such a case, one might want to use Rational (but with u128 values) instead.

5. We implemented the rand::RngCore and rand::SeedableRng traits for SeedStreamSha3. Someone should definitely look over that and check if we did it right.

---

Concerning (1):

• I think that the main concern of @divergentdave was that at the time the additional type parameters of the trait would become infective for all occurrences of that trait. Instead of type parameters, we use associated types now, which alleviates this issue.
• The main advantage of actually encoding the interface of a "dp strategy", instead of having an empty marker trait, is that code can be written generically in places where it makes sense to do so. It also serves as an implementation pattern, guiding the implementation of new strategies.
• Another concern was that the proposed interface might not be general enough for instances where e.g. two different gaussian distributions are required in a VDAF, for example noising sums and squares of inputs separately. I claim that now the interface covers this use case, and I believe that it now covers a very broad range of use cases. This is arguably up to discussion.
• To illustrate the previous point, I have implemented such a "double gaussian strategy" in the dp/experimental_strategy.rs. In fact, the current version of the trait allowed me to implement a generic ProductDpStrategy combinator which combines two arbitrary strategies into a new one. Such a combinator might be of interest by itself. The "double gaussian strategy" is simply an instance of applying this combinator to two ZCdpDiscreteGaussian strategies.
• The dp/experimental_strategy.rs file is not necessarily intended as part of this PR, it exists mostly as an input for this discussion.
• On a further note though, the current definition of this trait means that setting type Sensitivity = Ratio<BigUint> for ZCdpDiscreteGaussian could be interpreted as exposing the BigUint type to the public interface. The user does not have to deal with this, because he is not expected to call the create_distribution() method, which takes a Sensitivity argument, by himself. I do agree that this state of affairs might not be ideal. Possible solutions are:
  1. Remove the expressiveness of the DifferentialPrivacyStrategy trait, reverting it to the pure marker trait which it was in API changes for Aggregator-side differential privacy #607.
  2. Use URational<u128> for the sensitivity as noted in (5.).
  3. Reintroduce a further market trait which is intended for the public interface, while keeping this trait to be used internally.

EDIT: Would reviewing be easier if we closed this, and opened a new PR?

[cjpatton]

1. How do the various DP traits relate to one another? It might be useful to put together little diagram and an explanation of it in the module documentation for dp.
2. I'm not sure that the implementation of add_noise_to_agg_share for FixedPointBoundedL2VecSum is correct, but I might be misunderstanding the code.
3. Regarding experimental_strategy module: What exactly is this demonstrating? In other words, could the use case that @divergentdave mentions be addressed differently?

[MxmUrw]

• How do the various DP traits relate to one another?

The general architecture comes from #607, there are three traits:

• DifferentialPrivacyBudget: Implementors should be types of budgets for DP-mechanisms. Examples: zCDP, ApproximateDP (Epsilon-Delta), PureDP
• DifferentialPrivacyDistribution: Distribution from which noise is sampled. Examples: DiscreteGaussian, DiscreteLaplace
• DifferentialPrivacyStrategy: This is a combination of choices for budget and distribution. Examples: zCDP-DiscreteGaussian, EpsilonDelta-DiscreteGaussian

Directly, the public interface only mentions the strategy. Originally in @tholop's PR, all three were pure marker traits (didn't require anything for implementation). I am of the opinion that it would be useful to actually axiomatize what a "strategy" is (i.e. require references to the distribution and budget, as well as methods connecting them).

It might be useful to put together little diagram and an explanation of it in the module documentation for dp.

Sure, though I would prefer to do so when it is clear whether my proposal is going to be adopted (and with which changes), or we revert back to the previous state.

• Regarding experimental_strategy module: What exactly is this demonstrating? In other words, could the use case that @divergentdave mentions be addressed differently?

Yes of course it could! The goal of my idea is that common patterns, i.e., the idea of what a "strategy" is, to be actually encoded in the trait interface. It is possible to skip this, and implement the noising for every Prio3 type individually for every strategy which it intends to support. The cost of code duplication probably wouldn't even be too much, as there is not too much infrastructural moving around of data happening.

My opinion is that all invariants and expectations of behaviour for a given set of objects (in this case implementors of a trait), which can be encoded statically in the type system, should be. In the sense of "code is the best documentation", as it can be checked by the compiler.

Thus what the experimental_strategy shows is that, assuming we make the Strategy trait as explicit as it currently is, that then the one thing which @divergentdave doubted would be possible, is still possible. In case you don't operate on the same assumption as stated above in italic, my addition probably does not have advantages besides making slightly more generic code possible. I could make an example which shows how generic noising for the simpler prio types could be implemented with my version of the trait.

• I'm not sure that the implementation of add_noise_to_agg_share for FixedPointBoundedL2VecSum is correct, but I might be misunderstanding the code.

Do you have specific pointers why these doubts come up?

[cjpatton]

• How do the various DP traits relate to one another?

The general architecture comes from #607, there are three traits:

* `DifferentialPrivacyBudget`: Implementors should be types of budgets for DP-mechanisms. Examples: zCDP, ApproximateDP (Epsilon-Delta), PureDP

* `DifferentialPrivacyDistribution`: Distribution from which noise is sampled. Examples: DiscreteGaussian, DiscreteLaplace

* `DifferentialPrivacyStrategy`: This is a combination of choices for budget _and_ distribution. Examples: zCDP-DiscreteGaussian, EpsilonDelta-DiscreteGaussian

Directly, the public interface only mentions the strategy. Originally in @tholop's PR, all three were pure marker traits (didn't require anything for implementation). I am of the opinion that it would be useful to actually axiomatize what a "strategy" is (i.e. require references to the distribution and budget, as well as methods connecting them).

That works for me. I would just dump this explanation in the dp module's docucomment.

Quick question: If DifferentialPrivacyStrategy actually needed? From your description it sounds like its functionality is already implied by a choice of DifferentialPrivacyBudget and DifferentialPrivacyDistribution. I'm sure I'm missing something obvious ...

It might be useful to put together little diagram and an explanation of it in the module documentation for dp.

Sure, though I would prefer to do so when it is clear whether my proposal is going to be adopted (and with which changes), or we revert back to the previous state.

Ack.

• Regarding experimental_strategy module: What exactly is this demonstrating? In other words, could the use case that @divergentdave mentions be addressed differently?

Yes of course it could! The goal of my idea is that common patterns, i.e., the idea of what a "strategy" is, to be actually encoded in the trait interface. It is possible to skip this, and implement the noising for every Prio3 type individually for every strategy which it intends to support. The cost of code duplication probably wouldn't even be too much, as there is not too much infrastructural moving around of data happening.

My opinion is that all invariants and expectations of behaviour for a given set of objects (in this case implementors of a trait), which can be encoded statically in the type system, should be. In the sense of "code is the best documentation", as it can be checked by the compiler.

I agree in principle, but from practical experience there is a degree to which adding too many trait bounds becomes cumbersome. Either way I think we're in a good place with the traits we already have (Budget, Distribution, Strategy (although see my question above).

Thus what the experimental_strategy shows is that, assuming we make the Strategy trait as explicit as it currently is, that then the one thing which @divergentdave doubted would be possible, is still possible. In case you don't operate on the same assumption as stated above in italic, my addition probably does not have advantages besides making slightly more generic code possible. I could make an example which shows how generic noising for the simpler prio types could be implemented with my version of the trait.

Sounds good. Unless we intend to use it for this PR, I think we should remove the experimental_strategy.rs module. Better to only check in code we intend to use!

• I'm not sure that the implementation of add_noise_to_agg_share for FixedPointBoundedL2VecSum is correct, but I might be misunderstanding the code.

Do you have specific pointers why these doubts come up?

I've already commented in-line but it seems that they've gotten lost somehow. I'll follow up.

[tholop]

I only reviewed distribution.rs. My biggest worry is that the OpenDP implementation doesn't follow the CKS20 pseudocode line-by-line, so it's hard to assess its correctness. I left some comments for parts that I don't understand.

[MxmUrw]

Quick question: If DifferentialPrivacyStrategy actually needed? From your description it sounds like its functionality is already implied by a choice of DifferentialPrivacyBudget and DifferentialPrivacyDistribution. I'm sure I'm missing something obvious ...

The DifferentialPrivacyStrategy trait actually allows us to tackle the "too many trait bounds" problem: in the AggregatorWithNoise trait, only this trait is mentioned, thus reducing the number of trait bounds from 2 to 1. Additionally, it houses the logic which expresses how a privacy budget can be turned into a distribution.

Unless we intend to use it for this PR, I think we should remove the experimental_strategy.rs module. Better to only check in code we intend to use!

I agree. Once the design is accepted, I'll remove it. I'm kind of waiting for @divergentdave's opinion.

[MxmUrw]

I think there might be an issue with the caching of cargo vet? Locally cargo vet --locked succeeds...

[divergentdave]

The new exemptions and num-iter imported audit were removed by PR #688, (because of running cargo vet prune on that branch) so the merge commit that CI is run against is missing exemptions, even though your branch isn't. I think you'll need to rebase, add the exemptions back to supply-chain/config.toml, and run cargo vet to pull in the import again.

[MxmUrw]

I think you'll need to rebase, add the exemptions back to supply-chain/config.toml, and run cargo vet to pull in the import again.

Thanks, I did, and I also ran cargo vet prune because it asked me to.

And, we're green!

[MxmUrw]

@divergentdave, I was a little bit unsure about the rebase onto 87d4a65, it looks like this now:

#[cfg(all(feature = "prio2", feature = "experimental"))]
criterion_group!(benches, poplar1, prio3, prio2, poly_mul, prng, idpf, dp_noise);
#[cfg(all(not(feature = "prio2"), feature = "experimental"))]
criterion_group!(benches, poplar1, prio3, poly_mul, prng, idpf, dp_noise);
#[cfg(all(feature = "prio2", not(feature = "experimental")))]
criterion_group!(benches, prio3, prio2, prng, poly_mul);
#[cfg(all(not(feature = "prio2"), not(feature = "experimental")))]
criterion_group!(benches, prio3, prng, poly_mul);

[MxmUrw]

@cjpatton , @tgeoghegan is there something left we need to do to get this merged?

[tgeoghegan]

If Chris and David are happy with the change, then I think we can take it.

[cjpatton]

@tgeoghegan I just wanted to flag #578 (review) in case you wanted to double check that the licensing is good to go.

[divergentdave]

We discussed the licensing internally and we're satisfied with it; merging now.