Closed tgeoghegan closed 2 months ago
I don't quite see how the text we landed doesn't square with David's analysis. Is it that "the Aggregators MUST verify" sounds like there needs to be some explicit procedure, like exchanging the hash? As David explains, explicit verification is not necessary: in DAP, the Leader is supposed to copy the public share from the report into the Helper's report share. This provides the property we need, just implicitly.
Perhaps "the Aggregators MUST ensure they hold the same public share"?
Note that including the the public share in the HPKE AAD is not strictly necessary, either for privacy or robustness. We do this just for defense-in-depth.
All that said, your suggestion sounds fine -- feel free to send a PR.
The VDAF security model just stipulates secure channels between protocol participants, so part of what's going on is just DAP's implementation decisions regarding instantiating the secure channel from the Client to Leader and Client to Helper. Splitting the report, encrypting part of it, and committing to the other part is complicated, but it saves some communication cost by avoiding duplicate data. (I think DAP does need to include the public share in the HPKE AAD in order to maintain integrity of the whole report while tunneling through the maybe-malicious Leader.)
I don't think we should say anything about the relationship between robustness and the Aggregators having the same public share, because that could then become a new requirement on VDAFs, depending on how it's phrased. Rephrasing it to make it clear an extra explicit check isn't necessary sounds good.
Is it that "the Aggregators MUST verify" sounds like there needs to be some explicit procedure, like exchanging the hash?
Yeah, that's what concerns me. Saying "MUST ensure" sounds like a good way to resolve this.
in DAP, the Leader is supposed to copy the public share from the report into the Helper's report share. This provides the property we need, just implicitly.
Oh, this is the part I was missing: the honest leader does get to enforce that the public shares match.
With all this understood, I'd be comfortable with changing "MUST verify" to "MUST ensure", but I'd also be OK with doing nothing and closing this without any change.
PR up: @tgeoghegan please take a look!
I think I'm being fussy but I want to make sure we don't slip up here. Continuing from #336:
_Originally posted by @divergentdave in https://github.com/cfrg/draft-irtf-cfrg-vdaf/pull/336#discussion_r1591715132_
I think I agree with that analysis, but it's hard to square with the MUST added by #336, which reads:
Perhaps this paragraph should say something like "In order to protect robustness, the Aggregators MUST verify...". That would give "permission" to a higher level protocol like DAP to apply David's analysis and opt out of doing something like an explicit exchange of the public share. I also wonder if David's analysis should be incorporated into the text of DAP.