WICG / privacy-preserving-ads

Privacy-Preserving Ads

MaskedLARK: No interaction between the helpers → no input validation? #25

Open csharrison opened 3 years ago

csharrison commented 3 years ago

In the MaskedLARK proposal, there is a claim that helpers do not need to communicate. I think this opens up attacks that can be done by dishonest clients sending invalid secret shares that don't sum up to proper ranges (binary, etc.). Adding interaction can prevent this bad outcome (via more complex MPC) and reduce the "blast radius" of a single corrupted record.

I think this should be considered as an extension to the proposal.

jpfeiffe commented 3 years ago

This is currently a problem, yes -- we hadn't considered it explicitly with this draft. We've thought a bit, and the only solution that was proposed included having a shared SK between the pairs of helpers. This is (in our view) too strong an assumption, namely that none of the helpers would share the SK with the ad server.

Given the importance here, we will probably need to incorporate this in the next iteration of the proposal.
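Added example, not from this thread or the MaskedLARK proposal: two-party additive sharing with helpers that never talk to each other, showing that one client's out-of-range contribution poisons the reconstructed total while each helper alone only ever sees a uniformly random share, followed by the kind of interactive check the first comment asks for (helpers jointly open x*(x-1) and require 0). The dealer that hands out the Beaver multiplication triple is an assumption of this example standing in for whatever correlated-randomness setup the helpers would have.

```python
import secrets

P = 2**61 - 1  # prime field for the shares (constructed choice)

def share(value: int) -> tuple[int, int]:
    """Additive two-party sharing: s1 + s2 == value (mod P)."""
    s1 = secrets.randbelow(P)
    return s1, (value - s1) % P

def helper_aggregate(shares: list[int]) -> int:
    """Non-interactive helper: sum the shares it received, nothing more."""
    return sum(shares) % P

def reconstruct(total1: int, total2: int) -> int:
    """Combine both helpers' totals; map the upper half of Z_P to negatives."""
    t = (total1 + total2) % P
    return t - P if t > P // 2 else t

def run_aggregation(client_values: list[int]) -> int:
    """Each client splits its label; helper 1 gets s1, helper 2 gets s2."""
    h1, h2 = [], []
    for v in client_values:
        s1, s2 = share(v)
        h1.append(s1)
        h2.append(s2)
    return reconstruct(helper_aggregate(h1), helper_aggregate(h2))

def beaver_triple():
    """Shares of (a, b, a*b) from a dealer; stands in for a correlated-
    randomness setup and is an assumption of this example, not MaskedLARK."""
    a, b = secrets.randbelow(P), secrets.randbelow(P)
    return share(a), share(b), share(a * b % P)

def check_binary(x_shares: tuple[int, int]) -> bool:
    """Interactive range check: helpers open x*(x-1) and require 0.
    Only the masked values d, e and the product are revealed, never x."""
    (a1, a2), (b1, b2), (c1, c2) = beaver_triple()
    x1, x2 = x_shares
    y1, y2 = (x1 - 1) % P, x2          # shares of x - 1 (helper 1 subtracts 1)
    d = (x1 - a1 + x2 - a2) % P        # each helper publishes x_i - a_i
    e = (y1 - b1 + y2 - b2) % P        # and y_i - b_i; the sums are d and e
    z1 = (c1 + d * b1 + e * a1 + d * e) % P
    z2 = (c2 + d * b2 + e * a2) % P
    return (z1 + z2) % P == 0          # x*y == 0 iff x in {0, 1} (prime field)

if __name__ == "__main__":
    print(run_aggregation([1, 0, 1, 1]))        # 3
    print(run_aggregation([1, 0, 1, 1, 1000]))  # 1003: one bad record, undetected
    print(check_binary(share(1)), check_binary(share(1000)))  # True False
```

Helper 1 cannot tell the record worth 1000 from an honest one from its own share list, which is exactly why the check has to be a joint computation rather than a per-helper filter.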