tgeoghegan
commented
2 days ago I support this change and the corresponding changes in DAP (https://github.com/ietf-wg-ppm/draft-ietf-ppm-dap/issues/581). However I am concerned about the potential for type confusion here. In Prio3, it so happens that output shares, aggregate shares and aggregate results have the same "shape" and thus can be summed together naively to yield semantically meaningful and useful results. But we shouldn't bake that assumption into the abstract VDAF interface, because I don't think it will hold for all VDAFs. Indeed, for Poplar1, aggregate shares and aggregate results already have a different type (FieldVec and list[int], respectively 1).
So I propose adding a little bit more to the VDAF interface to accommodate VDAFs that don't work like Prio3 and to steer implementations away from type confusion.
vdaf.aggregate_init(agg_param: AggParam) -> IntermediateAggSharereturns an empty intermediate aggregate share.IntermediateAggShareis an associated type on the VDAF distinct fromOutShareorAggShare.vdaf.accumulate(agg_param: AggParam, intermediate: IntermediateAggShare, out_share: OutShare) -> IntermediateAggShareaccumulates an output share into an intermediate aggregate share.vdaf.merge(agg_param: AggParam, intermediates: list[IntermediateAggShare]) -> AggSharemerges one or more intermediate aggregate shares into an aggregate share. Aggregate shares may then be unsharded into an aggregate result using the existingvdaf.unshardfunction.
Some discussion:
- I believe all these associated functions need to take the aggregation parameter, as
vdaf.aggregateandvdaf.unshardalready do. - An intermediate aggregate share is what DAP implementations would construct for each "batch bucket", as discussed in https://github.com/ietf-wg-ppm/draft-ietf-ppm-dap/issues/581.
- I use the verb "accumulate" instead of "update". I think it's more specific and descriptive, and matches the existing API in
libprio. - The verb "merge" also matches the existing
libprioAPI. - We could do away with
vdaf.aggregateif we do the rest of this stuff, but we could also keep it for use cases besides streaming DAP.
Finally, I don't think the "editorial" label is appropriate here: we're discussing some changes to VDAF that would result in changes to implementations.
cjpatton
The current aggregation API takes a sequence of output shares and returns an aggregate share. This envisions VDAFs for which the aggregate result depends on the order in which output shares are aggregated, but so far this isn't true of anything we've come up with. In fact, DAP (implicitly?) requires a VDAF for which output shares can be aggregated in any order. (The Leader and Helper may not aggregate output shares in the same order.)
One problem with the current API is that it doesn't align well with practice. Normally what we expect Aggregators to do is aggregate in a "streaming" fashion, meaning output shares are not stored individually, but accumulated into an existing aggregate share as soon as they're ready to be aggregated.
In fact, we'd like to make this "streaming aggregation" normative in DAP: https://github.com/ietf-wg-ppm/draft-ietf-ppm-dap/issues/581.
However in order to do this, we'll need to modify the VDAF syntax. There's a few things we could do, but probably the simplest is to split
vdaf.aggregate()into the following functions:vdaf.agg_init() -> AggShare: returns an empty aggregate share.vdaf.agg_update(agg_share: AggShare, out_share) -> AggShare: updates an aggregate share with the incoming output share.