From 1e1a18f46992b56a1a2c559197594bb52f020559 Mon Sep 17 00:00:00 2001 From: Christopher Patton Date: Wed, 24 Jul 2024 12:28:37 -0700 Subject: [PATCH 1/8] nit: "increase" -> "decrease" --- draft-case-ppm-binomial-dp.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/draft-case-ppm-binomial-dp.md b/draft-case-ppm-binomial-dp.md index cd64dc9..da8b54a 100644 --- a/draft-case-ppm-binomial-dp.md +++ b/draft-case-ppm-binomial-dp.md @@ -132,7 +132,7 @@ present. In two-party MPC, each party has to assume the other is dishonest, so each adds the entire noise quantity, ultimately doubling the overall noise that is added. In a three-party honest majority MPC, each party can add half of the required noise on the assumption that one other party is honest, resulting in a -50% increase in the amount of noise. +50% decrease in the amount of noise. Finally, an MPC protocol can be executed to add noise. The primary drawback of this approach is that there is an increased cost to generating the noise in MPC. From 9276a14cc49475f406728e5e411670abac039797 Mon Sep 17 00:00:00 2001 From: Martin Thomson Date: Wed, 24 Jul 2024 13:01:36 -0700 Subject: [PATCH 2/8] Minor edits --- draft-case-ppm-binomial-dp.md | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/draft-case-ppm-binomial-dp.md b/draft-case-ppm-binomial-dp.md index cd64dc9..4dadd53 100644 --- a/draft-case-ppm-binomial-dp.md +++ b/draft-case-ppm-binomial-dp.md 
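Review bot: Changing "increase" to "decrease" inverts the arithmetic the paragraph itself sets up: if each of three parties adds half of the required noise, the total is 3 × ½ = 1.5× the required amount, which is a 50% increase relative to the ideal single-sampler (central DP) case, and a reduction only when compared with the 2× of the two-party case. Keep "increase" and name the baseline explicitly, e.g. "resulting in a 50% increase in the amount of noise relative to the ideal".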
@@ -203,12 +203,12 @@ sensitivity, {{compute-n}} describes how to determine the number of Bernoulli samples needed. To count the number of successes across these `N` trials, the MPC helpers simply -run an aggregation circuit over the secret shared results of the `N` Bernoulli -trials, each or which is either 0 or 1. The result of this sum is a sample from -a `Bin(N, p)` distribution. This binomial noise value is then added to the -output inside the MPC and then the final noised result revealed to the -appropriate output parties. That is, if the MPC computes `f(D)`, it outputs -shares of the result `f(D) + Bin(N,p)`. +add the secret shared results of the `N` Bernoulli trials, each or which is +either 0 or 1. The result of this sum is a sample from a `Bin(N, p)` +distribution. This binomial noise value is then added to the output inside the +MPC and then the final noised result revealed to the appropriate output parties. +That is, if the MPC computes `f(D)`, it outputs shares of the result `f(D) + +Bin(N,p)`. The party receiving the output can then postprocess this output to get an unbiased estimate for `f(D)` by subtracting the mean of the `Bin(N,p)` @@ -264,7 +264,7 @@ o = f(D) / s + X For an MPC system, the output of the system is shares of this scaled and biased value. The recipient can reconstruct the an unbiased, unscaled, noised value by: -* Adding the shares it receives: `o = sum(o_i, o_2, …)` +* Adding the shares it receives: `o = sum(o_1, o_2, …)` * Correcting for bias: `o - N\*p` * Scaling the value: `f′(D) = s * (o - N\*p)` @@ -299,7 +299,7 @@ For `f(D)` that produces output that is a `d`-dimensional vector of integer values, the `p`-norms of interest for use with the binomial mechanism is the L1, L2, and L∞ (or Linfty) norms. -The L1 norm of `x∊ℤd` is: +The L1 norm of `x` (where x∊ℤd) is: ~~~ pseudocode sensitivity\_1 = ||x||1 = sum(i=1..d, |x_i|) From 4d3c3c462332c1da8da56c1537e4ad17b40ed9bc Mon Sep 17 00:00:00 2001 
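Review bot: The rewrap of the @@ -203 hunk carries over the typo "each or which is either 0 or 1" on its first added line; make it "each of which" while the lines are being touched. The same hunk also splits the code span `f(D) + Bin(N,p)` across a line break (`` `f(D) + `` / `` Bin(N,p)` ``); keep the span on one line so it does not depend on the renderer joining newlines inside backticks.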
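Review bot: In the @@ -264 hunk the `o_i` → `o_1` fix is correct, but the unchanged context line "The recipient can reconstruct the an unbiased, unscaled, noised value by:" has a doubled article ("the an"); drop "the" in the same hunk rather than leaving it for another copyedit pass.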
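Review bot: In the @@ -299 hunk, moving `x∊ℤd` out of the code span leaves the membership clause in running text where the `d` is no longer set as code and reads as a plain letter rather than the exponent on ℤ; keep the whole expression in backticks, e.g. "The L1 norm of `x` (where `x ∊ ℤ^d`) is:", consistent with `x_i` and `d` in the pseudocode that follows. The context line "the `p`-norms of interest for use with the binomial mechanism is the L1, L2, and L∞" also needs "are".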
From: Martin Thomson Date: Thu, 25 Jul 2024 19:09:42 -0700 Subject: [PATCH 3/8] Some minor cleanups --- draft-savage-ppm-3phm-mpc.md | 10 +++++----- fix-sub.py | 4 ++-- 2 files changed, 7 insertions(+), 7 deletions(-) diff --git a/draft-savage-ppm-3phm-mpc.md b/draft-savage-ppm-3phm-mpc.md index c562b2c..b75c90d 100644 --- a/draft-savage-ppm-3phm-mpc.md +++ b/draft-savage-ppm-3phm-mpc.md @@ -528,7 +528,7 @@ dot-product of two vectors, one of which is known to both `P_=` and Rearranging terms: ~~~ pseudocode -x_-·y_+ ⊕ (x_-·y_- ⊕ z_- ⊕ r_- ) ⊕ x_+·y_- ⊕ r_+ = 0 +x_-·y_+ ⊕ (x_-·y_- ⊕ z_- ⊕ r_-) ⊕ x_+·y_- ⊕ r_+ = 0 ~~~ Define: @@ -540,7 +540,7 @@ e_- = x_-·y_- ⊕ z_- ⊕ r_- Then: ~~~ pseudocode -(x_-·y_+ ⊕ e_- ) ⊕ (x_+·y_- ⊕ r_+) = 0 +(x_-·y_+ ⊕ e_-) ⊕ (x_+·y_- ⊕ r_+) = 0 ~~~ Using: `x ⊕ y = x·(1 - 2·y) + y` @@ -597,9 +597,9 @@ From this point, each party can compute the vectors that they are able to. `P_=` and `P_-` both compute `g_i` as follows: ~~~ pseudocode -g_1 = -2·x_-·y_-·(1 - 2·e_- ) -g_2 = y_-·(1 - 2·e_- ) -g_3 = x_-·(1 - 2·e_- ) +g_1 = -2·x_-·y_-·(1 - 2·e_-) +g_2 = y_-·(1 - 2·e_-) +g_3 = x_-·(1 - 2·e_-) g_4 = -½(1 - 2·e_-) ~~~ diff --git a/fix-sub.py b/fix-sub.py index 3d3a953..60c487e 100755 --- a/fix-sub.py +++ b/fix-sub.py @@ -10,8 +10,8 @@ blockcode = re.compile(r"^(~~~~*) *(\w+)$") inlinecode = re.compile(r"(?:^|(?<=[^\\]))`") -sub = re.compile(r"(?:([" + chars + r"]+)|(?<=\w)_([" + chars + r"]))") -sup = re.compile(r"(?:([" + chars + r"]+)|(?<=\w)\^([" + chars + r"]))") +sub = re.compile(r"(?:([" + chars + r"]+)|(?<=[\w\)])_([" + chars + r"]))") +sup = re.compile(r"(?:([" + chars + r"]+)|(?<=[\w\)])\^([" + chars + r"]))") def warn(msg, **kwargs): print(msg, file=sys.stderr, **kwargs) From c3c6aa07c4b540a2a36fd9be0c8a8c2f48cce2e9 Mon Sep 17 00:00:00 2001 
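Review bot: In the fix-sub.py hunk, widening the lookbehind from `\w` to `[\w\)]` so that `(…)_i` and `(…)^2` are recognised is sensible, but `sub` and `sup` are now character-for-character identical apart from `_` versus `\^`; build both from one template (a small helper taking the marker character) so the next adjustment cannot leave them out of sync. If indexed terms such as `x[i]_j` occur in the drafts, `]` needs the same treatment as `)`.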
From: Christopher Patton Date: Mon, 29 Jul 2024 08:04:33 -0700 Subject: [PATCH 4/8] Update draft-case-ppm-binomial-dp.md Co-authored-by: Martin Thomson --- draft-case-ppm-binomial-dp.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/draft-case-ppm-binomial-dp.md b/draft-case-ppm-binomial-dp.md index da8b54a..73edbf1 100644 --- a/draft-case-ppm-binomial-dp.md +++ b/draft-case-ppm-binomial-dp.md @@ -132,7 +132,7 @@ present. In two-party MPC, each party has to assume the other is dishonest, so each adds the entire noise quantity, ultimately doubling the overall noise that is added. In a three-party honest majority MPC, each party can add half of the required noise on the assumption that one other party is honest, resulting in a -50% decrease in the amount of noise. +50% increase in the amount of noise relative to the ideal. Finally, an MPC protocol can be executed to add noise. The primary drawback of this approach is that there is an increased cost to generating the noise in MPC. From 5fc39c050889fc418692626f2baccf0bd2859e47 Mon Sep 17 00:00:00 2001 From: David Cook Date: Thu, 1 Aug 2024 16:30:27 -0500 Subject: [PATCH 5/8] Copyediting --- draft-case-ppm-binomial-dp.md | 4 ++-- draft-savage-ppm-3phm-mpc.md | 4 ++-- draft-thomson-ppm-prss.md | 2 +- 3 files changed, 5 insertions(+), 5 deletions(-) diff --git a/draft-case-ppm-binomial-dp.md b/draft-case-ppm-binomial-dp.md index bc38d84..5f2051a 100644 --- a/draft-case-ppm-binomial-dp.md +++ b/draft-case-ppm-binomial-dp.md 
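Review bot: The @@ -132 hunk restores "increase" (3 × ½ = 1.5× the required noise) and adds the missing baseline, which is the correct reading; since it reverses PATCH 1/8 within the same series, squash the two so the history does not carry a commit whose text states the opposite of the final version.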
@@ -107,7 +107,7 @@ can be made about the amount of privacy loss that applies to any given input. There are multiple methods for applying noise to aggregates, but the one that offers the lowest amount of noise — and therefore the most useful outputs — is one where a single entity samples and adds noise, known as central -DP. Alternatives include local DP, where each noise is added to each input to +DP. Alternatives include local DP, where noise is added to each input to the aggregation, or shuffle DP, which reduces noise requirements for local DP by shuffling inputs. @@ -376,7 +376,7 @@ The `epsilon_delta_constraint` is a function of epsilon, delta, `s`, `d`, more complicated formula. -For the `epsilon_delta constraint`, {{CPSGD}} defines some intermediate +For the `epsilon_delta_constraint`, {{CPSGD}} defines some intermediate functions of the success probability, `p`. For `p = 0.5`, these become fixed constants: diff --git a/draft-savage-ppm-3phm-mpc.md b/draft-savage-ppm-3phm-mpc.md index b75c90d..8797d83 100644 --- a/draft-savage-ppm-3phm-mpc.md +++ b/draft-savage-ppm-3phm-mpc.md @@ -65,7 +65,7 @@ are never revealed to any single entity. MPC executes an agreed function, revealing only the output of that function. This makes MPC well-suited to handling data that is sensitive or private. MPC in -a three-party honest majority setting, is broadly recognized as being extremely +a three-party honest majority setting is broadly recognized as being extremely efficient: * Addition and subtraction have zero communication cost and negligible 
@@ -1018,7 +1018,7 @@ AES-128-GCM is RECOMMENDED, with the same KDF being used for PRSS and AES-128 as the PRP. For validation, the prime field used is modulo the Mersenne prime -261-1 validation. Any sufficiently large prime can be used, but this +261-1. Any sufficiently large prime can be used, but this value provides both good performance on 64-bit hardware and useful security margins for typical batch sizes; see TODO/below for an analysis of the batch size requirements and security properties that can be obtained by using this diff --git a/draft-thomson-ppm-prss.md b/draft-thomson-ppm-prss.md index 1de13bb..4557962 100644 --- a/draft-thomson-ppm-prss.md +++ b/draft-thomson-ppm-prss.md @@ -447,7 +447,7 @@ fixed range of values. The total randomness available is limited by the entropy from the chosen KEM, KDF, and PRF. Each KEM is only able to convey a maximum amount of entropy. -Similarly, each KDF is limited in the amount of entropy it only able to retain. +Similarly, each KDF is limited in the amount of entropy it is able to retain. Finally, each PRF also has limits that might further reduce the maximum entropy available. From 5e61a1647c85be66be76167d42e670a24d3ef06e Mon Sep 17 00:00:00 2001 From: David Cook Date: Thu, 1 Aug 2024 16:30:41 -0500 Subject: [PATCH 6/8] Remove redundant section heading --- draft-savage-ppm-3phm-mpc.md | 2 -- 1 file changed, 2 deletions(-) diff --git a/draft-savage-ppm-3phm-mpc.md b/draft-savage-ppm-3phm-mpc.md index 8797d83..cd2aa4c 100644 --- a/draft-savage-ppm-3phm-mpc.md +++ b/draft-savage-ppm-3phm-mpc.md 
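Review bot: In the @@ -1018 hunk, dropping the stray "validation" is right, but the sentence still justifies a RECOMMENDED parameter (the validation field modulo the Mersenne prime) with "see TODO/below for an analysis of the batch size requirements"; either link the analysis section or open a tracked issue so the TODO does not ship as the only justification for the security margin claim. Also confirm that the exponent in "261-1" carries superscript markup in the source, since it renders as a plain integer here.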
@@ -484,8 +484,6 @@ the proof. Since the two verifiers possess all of this information distributed amongst themselves, this approach is referred to as "Distributed Zero Knowledge Proofs". -## Distributed Zero Knowledge Proofs - {{?FLPCP=DOI.10.1007/978-3-030-26954-8_3}} describes a system of zero-knowledge proofs that rely on linear operations. This is expanded in {{?BOYLE=DOI.10.1007/978-3-030-64840-4_9}} to apply to three-party From 7ec36a266de10a8946a77f8004f5cc535141a80c Mon Sep 17 00:00:00 2001 From: David Cook Date: Thu, 1 Aug 2024 16:30:55 -0500 Subject: [PATCH 7/8] `enc` is an encapsulated secret, not public key --- draft-thomson-ppm-prss.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/draft-thomson-ppm-prss.md b/draft-thomson-ppm-prss.md index 4557962..adb3936 100644 --- a/draft-thomson-ppm-prss.md +++ b/draft-thomson-ppm-prss.md @@ -185,7 +185,7 @@ def ss, enc = Send(kem, pk_bytes): ss, enc = kem.Encap(pk) ~~~ -The sender then sends the encapsulated public key, `enc`, to the receiver. The +The sender then sends the encapsulated secret, `enc`, to the receiver. The receiver decapsulates this value to obtain the shared secret, `secret`: ~~~ pseudocode From e7d0047c4e301d8a36046f37bb1def9cc74a4d95 Mon Sep 17 00:00:00 2001 From: Martin Thomson Date: Tue, 6 Aug 2024 16:02:50 +1000 Subject: [PATCH 8/8] fixup --- draft-thomson-ppm-prss.md | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/draft-thomson-ppm-prss.md b/draft-thomson-ppm-prss.md index adb3936..de791fe 100644 --- a/draft-thomson-ppm-prss.md +++ b/draft-thomson-ppm-prss.md 
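Review bot: In the @@ -484 hunk, removing the duplicated "## Distributed Zero Knowledge Proofs" heading is fine, but check that nothing references its auto-generated anchor (kramdown derives an id from the heading text); the preceding paragraph introduces the term in quotes, so any cross-reference to the section would now resolve to the parent section or dangle.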
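Review bot: In the @@ -185 hunk, "encapsulated secret" is the right term for `enc`, but the surrounding lines still disagree on the name of the secret itself: the pseudocode above returns it as `ss` (`ss, enc = kem.Encap(pk)`) while the prose below says the receiver obtains "the shared secret, `secret`". Use one name on both sides of the exchange. `Send` is also declared with `pk_bytes` but calls `kem.Encap(pk)`; if the deserialisation step sits outside the shown context that is fine, otherwise it is a second mismatch to fix here.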
@@ -471,7 +471,8 @@ Binary sampling produces uniformly random values with the only drawback being the constraint on its output range. For small values of `n`, the same PRF invocation could be used to produce -multiple values, depending on the value of `Mo` for the chosen PRF. +multiple values, depending on the value of `Mo` for the chosen PRF. For large +values of `n`, multiple invocations of the PRF can be used. ## Rejection Sampling {#rejection} @@ -564,7 +565,7 @@ most `2\^((k-a)/2)`, where `a` is the desired attacker advantage in bits (that is, advantage is at most 2-a). Using that value for `q` and an advantage of `(2^a)/2` for the second component -leads to a limit for `p` of `2^(b-(k+a)/2-2)`. For example, to obtain 40 bits +leads to a limit for `p` of `2\^(b-(k+a)/2-2)`. For example, to obtain 40 bits of security, the value of `p` for AES-128 is limited to 242, which assumes a value of `q` no more than 244.
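Review bot: In the @@ -471 hunk, the added sentence "For large values of `n`, multiple invocations of the PRF can be used" should say what distinguishes the invocations: without distinct inputs (for example a counter mixed into the PRF input) repeated calls return the same output and the extra invocations contribute no additional randomness. Either state the domain separation here or point to the section that defines how the PRF input is constructed.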
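Review bot: In the @@ -564 hunk, escaping the caret as `2\^(b-(k+a)/2-2)` matches the `2\^((k-a)/2)` form on the first context line, so the two expressions are now consistent. The context lines "advantage is at most 2-a", "limited to 242" and "no more than 244" are exponents that render as plain integers in this view; confirm they carry superscript markup in the source, since a reader of the rendered draft otherwise sees "242" where 2^42 is meant.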