``` Filename: 288-privcount-with-shamir.txt Title: Privacy-Preserving Statistics with Privcount in Tor (Shamir version) Author: Nick Mathewson, Tim Wilson-Brown, Aaron Johnson Created: 1-Dec-2017 Supercedes: 280 Status: Reserve 0. Acknowledgments Tariq Elahi, George Danezis, and Ian Goldberg designed and implemented the PrivEx blinding scheme. Rob Jansen and Aaron Johnson extended PrivEx's differential privacy guarantees to multiple counters in PrivCount: https://github.com/privcount/privcount/blob/master/README.markdown#research-background Rob Jansen and Tim Wilson-Brown wrote the majority of the experimental PrivCount code, based on the PrivEx secret-sharing variant. This implementation includes contributions from the PrivEx authors, and others: https://github.com/privcount/privcount/blob/master/CONTRIBUTORS.markdown This research was supported in part by NSF grants CNS-1111539, CNS-1314637, CNS-1526306, CNS-1619454, and CNS-1640548. The use of a Shamir secret-sharing-based approach is due to a suggestion by Aaron Johnson (iirc); Carolin Zöbelein did some helpful analysis here. Aaron Johnson and Tim Wilson-Brown made improvements to the draft proposal. 1. Introduction and scope PrivCount is a privacy-preserving way to collect aggregate statistics about the Tor network without exposing the statistics from any single Tor relay. This document describes the behavior of the in-Tor portion of the PrivCount system. It DOES NOT describe the counter configurations, or any other parts of the system. (These will be covered in separate proposals.) 2. PrivCount overview Here follows an oversimplified summary of PrivCount, with enough information to explain the Tor side of things. The actual operation of the non-Tor components is trickier than described below. In PrivCount, a Data Collector (DC, in this case a Tor relay) shares numeric data with N different Tally Reporters (TRs). (A Tally Reporter performs the summing and unblinding roles of the Tally Server and Share Keeper from experimental PrivCount.) All N Tally Reporters together can reconstruct the original data, but no (N-1)-sized subset of the Tally Reporters can learn anything about the data. (In reality, the Tally Reporters don't reconstruct the original data at all! Instead, they will reconstruct a _sum_ of the original data across all participating relays.) In brief, the system works as follow: To share data, for each counter value V to be shared, the Data Collector first adds Gaussian noise to V in order to produce V', uses (K,N) Shamir secret-sharing to generate N shares of V' (K<=N, K being the reconstruction threshold), encrypts each share to a different Tally Reporter, and sends each encrypted share to the Tally Reporter it is encrypted for. The Tally Reporters then agree on the set S of Data Collectors that sent data to all of them, and each Tally Reporter forms a share of the aggregate value by decrypting the shares it received from the Data Collectors in S and adding them together. The Tally Reporters then, collectively, perform secret reconstruction, thereby learning the sum of all the different values V'. The use of Shamir secret sharing lets us survive up to N-K crashing TRs. Waiting until the end to agree on a set S of surviving relays lets us survive an arbitrary number of crashing DCs. In order to prevent bogus data from corrupting the tally, the Tally Reporters can perform the aggregation step multiple times, each time proceeding with a different subset of S and taking the median of the resulting values. Relay subsets should be chosen at random to avoid relays manipulating their subset membership(s). If an shared random value is required, all relays must submit their results, and then the next revealed shared random value can be used to select relay subsets. (Tor's shared random value can be calculated as soon as all commits have been revealed. So all relay results must be received *before* any votes are cast in the reveal phase for that shared random value.) Below we describe the algorithm in more detail, and describe the data format to use. 3. The algorithm All values below are B-bit integers modulo some prime P; we suggest B=62 and P = 2**62 - 2**30 - 1 (hex 0x3fffffffbfffffff). The size of this field is an upper limit on the largest sum we can calculate; it is not a security parameter. There are N Tally Reporters: every participating relay must agree on which N exist, and on their current public keys. We suggest listing them in the consensus networkstatus document. All parties must also agree on some ordering the Tally Reporters. Similarly, all parties must also agree on some value K<=N. There are a number of well-known "counters", identified known by ASCII identifiers. Each counter is a value that the participating relays will know how to count. Let C be the number of counters. 3.1. Data Collector (DC) side At the start of each period, every Data Collector ("client" below) initializes their state as follows 1. For every Tally Reporter with index i, the client constructs a random 32-byte random value SEED_i. The client then generates a pseudorandom bitstream of using the SHAKE-256 XOF with SEED_i as its input, and divides this stream into C values, with the c'th value denoted by MASK(i, c). [To divide the stream into values, consider the stream 8 bytes at a time as unsigned integers in network (big-endian) order. For each such integer, clear the top (64-B) bits. If the result is less than P, then include the integer as one of the MASK(i, .) values. Otherwise, discard this 8-byte segment and proceed to the next value.] 2. The client encrypts SEED_i using the public key of Tally Reporter i, and remembers this encrypted value. It discards SEED_i. 3. For every counter c, the client generates a noise value Z_c from an appropriate Gaussian distribution. If the noise value is negative, the client adds P to bring Z_c into the range 0...(P-1). (The noise MUST be sampled using the procedure in Appendix C.) The client then uses Shamir secret sharing to generate N shares (x,y) of Z_c, 1 <= x <= N, with the x'th share to be used by the x'th Tally Reporter. See Appendix A for more on Shamir secret sharing. See Appendix B for another idea about X coordinates. The client picks a random value CTR_c and stores it in the counter, which serves to locally blind the counter. The client then subtracts (MASK(x, c)+CTR_c) from y, giving "encrypted shares" of (x, y0) where y0 = y-CTR_c. The client then discards all MASK values, all CTR values, and all original shares (x,y), all CTR and the noise value Z_c. For each counter c, it remembers CTR_c, and N shares of the form (x, y). To increment a counter by some value "inc": 1. The client adds "inc" to counter value, modulo P. (This step is chosen to be optimal, since it will happen more frequently than any other step in the computation.) Aggregate counter values that are close to P/2 MUST be scaled to avoid overflow. See Appendix D for more information. (We do not think that any counters on the current Tor network will require scaling.) To publish the counter values: 1. The client publishes, in the format described below: The list of counters it knows about The list of TRs it knows about For each TR: For each counter c: A list of (i, y-CTR_c-MASK(x,c)), which corresponds to the share for the i'th TR of counter c. SEED_i as encrypted earlier to the i'th TR's public key. 3.2. Tally Reporter (TR) side This section is less completely specified than the Data Collector's behavior: I expect that the TRs will be easier to update as we proceed. (Each TR has a long-term identity key (ed25519). It also has a sequence of short-term curve25519 keys, each associated with a single round of data collection.) 1. When a group of TRs receives information from the Data Collectors, they collectively chose a set S of DCs and a set of counters such that every TR in the group has a valid entry for every counter, from every DC in the set. To be valid, an entry must not only be well-formed, but must also have the x coordinate in its shares corresponding to the TR's position in the list of TRs. 2. For each Data Collector's report, the i'th TR decrypts its part of the client's report using its curve25519 key. It uses SEED_i and SHAKE-256 to regenerate MASK(0) through MASK(C-1). Then for each share (x, y-CTR_c-MASK(x,c)) (note that x=i), the TR reconstructs the true share of the value for that DC and counter c by adding V+MASK(x,c) to the y coordinate to yield the share (x, y_final). 3. For every counter in the set, each TR computes the sum of the y_final values from all clients. 4. For every counter in the set, each TR publishes its a share of the sum as (x, SUM(y_final)). 5. If at least K TRs publish correctly, then the sum can be reconstructed using Lagrange polynomial interpolation. (See Appendix A). 6. If the reconstructed sum is greater than P/2, it is probably a negative value. The value can be obtained by subtracting P from the sum. (Negative values are generated when negative noise is added to small signals.) 7. If scaling has been applied, the sum is scaled by the scaling factor. (See Appendix D.) 4. The document format 4.1. The counters document. This document format builds on the line-based directory format used for other tor documents, described in Tor's dir-spec.txt. Using this format, we describe a "counters" document that publishes the shares collected by a given DC, for a single TR. The "counters" document has these elements: "privctr-dump-format" SP VERSION SP SigningKey [At start, exactly once] Describes the version of the dump format, and provides an ed25519 signing key to identify the relay. The signing key is encoded in base64 with padding stripped. VERSION is "alpha" now, but should be "1" once this document is finalized. "starting-at" SP IsoTime [Exactly once] The start of the time period when the statistics here were collected. "ending-at" SP IsoTime [Exactly once] The end of the time period when the statistics here were collected. "share-parameters" SP Number SP Number [Exactly once] The number of shares needed to reconstruct the client's measurements (K), and the number of shares produced (N), respectively. "tally-reporter" SP Identifier SP Integer SP Key [At least twice] The curve25519 public key of each Tally Reporter that the relay believes in. (If the list does not match the list of participating Tally Reporters, they won't be able to find the relay's values correctly.) The identifiers are non-space, non-nul character sequences. The Key values are encoded in base64 with padding stripped; they must be unique within each counters document. The Integer values are the X coordinate of the shares associated with each Tally Reporter. "encrypted-to-key" SP Key [Exactly once] The curve25519 public key to which the report below is encrypted. Note that it must match one of the Tally Reporter options above. "report" NL "----- BEGIN ENCRYPTED MESSAGE-----" NL Base64Data "----- END ENCRYPTED MESSAGE-----" NL [Exactly once] An encrypted document, encoded in base64. The plaintext format is described in section 4.2. below. The encryption is as specified in section 5 below, with STRING_CONSTANT set to "privctr-shares-v1". "signature" SP Signature [At end, exactly once] The Ed25519 signature of all the fields in the document, from the first byte, up to but not including the "signature" keyword here. The signature is encoded in base64 with padding stripped. 4.2. The encrypted "shares" document. The shares document is sent, encrypted, in the "report" element above. Its plaintext contents include these fields: "encrypted-seed" NL "----- BEGIN ENCRYPTED MESSAGE-----" NL Base64Data "----- END ENCRYPTED MESSAGE-----" NL [At start, exactly once.] An encrypted document, encoded in base64. The plaintext value is the 32-byte value SEED_i for this TR. The encryption is as specified in section 5 below, with STRING_CONSTANT set to "privctr-seed-v1". "d" SP Keyword SP Integer [Any number of times] For each counter, the name of the counter, and the obfuscated Y coordinate of this TR's share for that counter. (The Y coordinate is calculated as y-CTR_c as in 3.1 above.) The order of counters must correspond to the order used when generating the MASK() values; different clients do not need to choose the same order. 5. Hybrid encryption This scheme is taken from rend-spec-v3.txt, section 2.5.3, replacing "secret_input" and "STRING_CONSTANT". It is a hybrid encryption method for encrypting a message to a curve25519 public key PK. We generate a new curve25519 keypair (sk,pk). We run the algorithm of rend-spec-v3.txt 2.5.3, replacing "secret_input" with Curve25519(sk,PK) | SigningKey, where SigningKey is the DC's signing key. (Including the DC's SigningKey here prevents one DC from replaying another one's data.) We transmit the encrypted data as in rend-spec-v3.txt 2.5.3, prepending pk. Appendix A. Shamir secret sharing for the impatient In Shamir secret sharing, you want to split a value in a finite field into N shares, such that any K of the N shares can reconstruct the original value, but K-1 shares give you no information at all. The key insight here is that you can reconstruct a K-degree polynomial given K+1 distinct points on its curve, but not given K points. So, to split a secret, we going to generate a (K-1)-degree polynomial. We'll make the Y intercept of the polynomial be our secret, and choose all the other coefficients at random from our field. Then we compute the (x,y) coordinates for x in [1, N]. Now we have N points, any K of which can be used to find the original polynomial. Moreover, we can do what PrivCount wants here, because adding the y coordinates of N shares gives us shares of the sum: If P1 is the polynomial made to share secret A and P2 is the polynomial made to share secret B, and if (x,y1) is on P1 and (x,y2) is on P2, then (x,y1+y2) will be on P1+P2 ... and moreover, the y intercept of P1+P2 will be A+B. To reconstruct a secret from a set of shares, you have to either go learn about Lagrange polynomials, or just blindly copy a formula from your favorite source. Here is such a formula, as pseudocode^Wpython, assuming that each share is an object with a _x field and a _y field. def interpolate(shares): for sh in shares: product_num = FE(1) product_denom = FE(1) for sh2 in shares: if sh2 is sh: continue product_num *= sh2._x product_denom *= (sh2._x - sh._x) accumulator += (sh._y * product_num) / product_denom return accumulator Appendix B. An alternative way to pick X coordinates Above we describe a system where everybody knows the same TRs and puts them in the same order, and then does Shamir secret sharing using "x" as the x coordinate for the x'th TR. But what if we remove that requirement by having x be based on a hash of the public key of the TR? Everything would still work, so long as all users chose the same K value. It would also let us migrate TR sets a little more gracefully. Appendix C. Sampling floating-point Gaussian noise for differential privacy Background: When we add noise to a counter value (signal), we want the added noise to protect all of the bits in the signal, to ensure differential privacy. But because noise values are generated from random double(s) using floating-point calculations, the resulting low bits are not distributed evenly enough to ensure differential privacy. As implemented in the C "double" type, IEEE 754 double-precision floating-point numbers contain 53 significant bits in their mantissa. This means that noise calculated using doubles can not ensure differential privacy for client activity larger than 2**53: * if the noise is scaled to the magnitude of the signal using multiplication, then the low bits are unprotected, * if the noise is not scaled, then the high bits are unprotected. But the operations in the noise transform also suffer from floating-point inaccuracy, further affecting the low bits in the mantissa. So we can only protect client activity up to 2**46 with Laplacian noise. (We assume that the limit for Gaussian noise is similar.) Our noise generation procedure further reduces this limit to 2**42. For byte counters, 2**42 is 4 Terabytes, or the observed bandwidth of a 1 Gbps relay running at full speed for 9 hours. It may be several years before we want to protect this much client activity. However, since the mitigation is relatively simple, we specify that it MUST be implemented. Procedure: Data collectors MUST sample noise as follows: 1. Generate random double(s) in [0, 1] that are integer multiples of 2**-53. TODO: the Gaussian transform in step 2 may require open intervals 2. Generate a Gaussian floating-point noise value at random with sigma 1, using the random double(s) generated in step 1. 3. Multiply the floating-point noise by the floating-point sigma value. 4. Truncate the scaled noise to an integer to remove the fractional bits. (These bits can never correspond to signal bits, because PrivCount only collects integer counters.) 5. If the floating-point sigma value from step 3 is large enough that any noise value could be greater than or equal to 2**46, we need to randomise the low bits of the integer scaled noise value. (This ensures that the low bits of the signal are always hidden by the noise.) If we use the sample_unit_gaussian() transform in nickm/privcount_nm: A. The maximum r value is sqrt(-2.0*ln(2**-53)) ~= 8.57, and the maximal sin(theta) values are +/- 1.0. Therefore, the generated noise values can be greater than or equal to 2**46 when the sigma value is greater than 2**42. B. Therefore, the number of low bits that need to be randomised is: N = floor(sigma / 2**42) C. We randomise the lowest N bits of the integer noise by replacing them with a uniformly distributed N-bit integer value in 0...(2**N)-1. 6. Add the integer noise to the integer counter, before the counter is incremented in response to events. (This ensures that the signal value is always protected.) This procedure is security-sensitive: changing the order of multiplications, truncations, or bit replacements can expose the low or high bits of the signal or noise. As long as the noise is sampled using this procedure, the low bits of the signal are protected. So we do not need to "bin" any signals. The impact of randomising more bits than necessary is minor, but if we fail to randomise an unevenly distributed bit, client activity can be exposed. Therefore, we choose to randomise all bits that could potentially be affected by floating-point inaccuracy. Justification: Although this analysis applies to Laplacian noise, we assume a similar analysis applies to Gaussian noise. (If we add Laplacian noise on DCs, the total ends up with a Gaussian distribution anyway.) TODO: check that the 2**46 limit applies to Gaussian noise. This procedure results in a Gaussian distribution for the higher ~42 bits of the noise. We can safely ignore the value of the lower bits of the noise, because they are insignificant for our reporting. This procedure is based on section 5.2 of: "On Significance of the Least Significant Bits For Differential Privacy" Ilya Mironov, ACM CCS 2012 https://www.microsoft.com/en-us/research/wp-content/uploads/2012/10/lsbs.pdf We believe that this procedure is safe, because we neither round nor smooth the noise values. The truncation in step 4 has the same effect as Mironov's "safe snapping" procedure. Randomising the low bits removes the 2**46 limit on the sigma value, at the cost of departing slightly from the ideal infinite-precision Gaussian distribution. (But we already know that these bits are distributed poorly, due to floating-point inaccuracy.) Mironov's analysis assumes that a clamp() function is available to clamp large signal and noise values to an infinite floating-point value. Instead of clamping, PrivCount's arithmetic wraps modulo P. We believe that this is safe, because any reported values this large will be meaningless modulo P. And they will not expose any client activity, because "modulo P" is an arithmetic transform of the summed noised signal value. Alternatives: We could round the encrypted value to the nearest multiple of the unprotected bits. But this relies on the MASK() value being a uniformly distributed random value, and it is less generic. We could also simply fail when we reach the 2**42 limit on the sigma value, but we do not want to design a system with a limit that low. We could use a pure-integer transform to create Gaussian noise, and avoid floating-point issues entirely. But we have not been able to find an efficient pure-integer Gaussian or Laplacian noise transform. Nor do we know if such a transform can be used to ensure differential privacy. Appendix D. Scaling large counters We do not believe that scaling will be necessary to collect PrivCount statistics in Tor. As of November 2017, the Tor network advertises a capacity of 200 Gbps, or 2**51 bytes per day. We can measure counters as large as ~2**61 before reaching the P/2 counter limit. If scaling becomes necessary, we can scale event values (and noise sigmas) by a scaling factor before adding them to the counter. Scaling may introduce a bias in the final result, but this should be insignificant for reporting. Appendix Z. Remaining client-side uncertainties [These are the uncertainties at the client side. I'm not considering TR-only operations here unless they affect clients.] Should we do a multi-level thing for the signing keys? That is, have an identity key for each TR and each DC, and use those to sign short-term keys? How to tell the DCs the parameters of the system, including: - who the TRs are, and what their keys are? - what the counters are, and how much noise to add to each? - how do we impose a delay when the noise parameters change? (this delay ensures differential privacy even when the old and new counters are compared) - or should we try to monotonically increase counter noise? - when the collection intervals start and end? - what happens in networks where some relays report some counters, and other relays report other counters? - do we just pick the latest counter version, as long as enough relays support it? (it's not safe to report multiple copies of counters) How the TRs agree on which DCs' counters to collect? How data is uploaded to DCs? What to say about persistence on the DC side? ```