Implementing differential privacy for the bounded-norm vector type

[MxmUrw]

We are now at the point where we would like to add differential privacy to our bounded-norm fixed-point vector type. As was pointed out to us, there has been some discussion about the best way to integrate dp with VDAF / DAP here and here.

Have there been any further developments with regards to dp since those two issues?

It looks like the simplest way to achieve our version of DP (each of the aggregators adds a pre-configured amount of noise to the aggregate share) would be by doing the following:

• Extend the Prio3 Type trait to require an additional function add_noise(&self, aggregate_share: Vec<Field>) -> Vec<Field>.
• Call this function in the Aggregator::aggregate() implementation for Prio3 on the resulting aggregate share.
• In the implementation of add_noise for our vector type, do add the (discrete gaussian) noise as required by our encoding.
• Add a default implementation for add_noise() that is the identity function, so other prio types do not need to be changed.

This approach seems to be the most straight-forward to us, but it possibly disregards the proposed solutions in the above-mentioned threads. We would like to discuss about how best to align our efforts with the future specification of dp in VDAF (if such a thing is indeed going to be specified).

[MxmUrw]

UPDATE: It looks like the proposed solution above is not enough if we want to use janus as aggregator; the Aggregator::aggregate() function is not used in janus, its functionality is (re-)implemented in aggregator/accumulator.rs.

As it currently stands, we need to use a custom fork of both janus and prio to get dp working for our type. We do have a working (and hacky) prototype which does what we want, but are posed with the following question:

Is the implementation of differential privacy in prio types already up for discussion? Or should we continue to develop on our fork(s) on a works-for-us basis?