jimouris / draft-mouris-cfrg-mastic

Specification of the Mastic Verifiable Distributed Aggregation Function (VDAF)
https://datatracker.ietf.org/doc/draft-mouris-cfrg-mastic/

Avoid operating on serialized correction words #81

Open cjpatton opened 1 month ago

cjpatton commented 1 month ago

The FLP joint randomness computation binds to the VIDPF correction words and keys generated by the client. This means the aggregators have to either store the encoded correction words or re-encode them on the fly. Neither is desirable from an implementation perspective.

Two options:

  1. Replace the encoded correction words in the binder with a hash of the correction words, which the aggregator could compute while decoding.
  2. In @hannahdaviscrypto's implementation (https://github.com/divviup/libprio-rs/blob/dea0456ec4e0af8a3c1fed26db6bf7d776f195ad/src/flp/szk.rs#L459-L474), we bind only to the measurement shares. We suspect this is sufficient, and in fact it's implicit in the syntax of the paper.
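Added example (not code from the draft, libprio-rs, or the commenter) illustrating option 1 above: the aggregator folds each serialized correction word into a hash as it decodes it, so it neither retains the encoded bytes nor re-encodes the decoded words later. The correction-word wire layout (16-byte seed, one byte of control bits, 4-byte field element) and the choice of SHA-256 are assumptions made for illustration and are not the draft's actual encoding or XOF.

```python
"""Streaming binder for correction words: decode and hash in one pass.

Assumptions (not from the draft): a simplified correction-word encoding
and SHA-256 as the binding hash. The point demonstrated is that hashing
the bytes as they are consumed yields the same digest as hashing a
retained copy of the whole serialized buffer.
"""
import hashlib
import struct

SEED_LEN = 16                 # assumed seed length
CW_LEN = SEED_LEN + 1 + 4     # seed || control byte || u32 field element


def encode_correction_words(cws):
    """Client side: serialize (seed, ctrl0, ctrl1, payload) tuples.
    Constructed encoding, used only so the example is self-contained."""
    out = bytearray()
    for seed, ctrl0, ctrl1, payload in cws:
        if len(seed) != SEED_LEN or ctrl0 not in (0, 1) or ctrl1 not in (0, 1):
            raise ValueError("malformed correction word")
        out += seed
        out.append((ctrl1 << 1) | ctrl0)
        out += struct.pack("<I", payload)
    return bytes(out)


def decode_and_bind(encoded, hash_name="sha256"):
    """Aggregator side: decode correction words while hashing the same
    bytes. Returns (decoded list, digest). Every byte that is accepted by
    the decoder has been fed to the hash, so the digest commits to exactly
    what was parsed; nothing serialized needs to be kept afterwards."""
    if len(encoded) % CW_LEN != 0:
        raise ValueError("truncated correction words")
    h = hashlib.new(hash_name)
    cws = []
    for off in range(0, len(encoded), CW_LEN):
        chunk = encoded[off:off + CW_LEN]
        h.update(chunk)                      # bind before interpreting
        seed = chunk[:SEED_LEN]
        ctrl = chunk[SEED_LEN]
        if ctrl > 3:                         # only two control bits are defined
            raise ValueError("invalid control bits")
        payload = struct.unpack("<I", chunk[SEED_LEN + 1:])[0]
        cws.append((seed, ctrl & 1, ctrl >> 1, payload))
    return cws, h.digest()


def bind_from_buffer(encoded, hash_name="sha256"):
    """Reference binder over a retained buffer: what the streaming version
    makes unnecessary to store."""
    return hashlib.new(hash_name, encoded).digest()
```

Because the hash is updated with each chunk before it is parsed, a malformed chunk is rejected only after it has been absorbed, which is harmless: the decode fails and no digest is released. The digest from `decode_and_bind` equals `bind_from_buffer` on the same bytes, so a peer that still hashes a retained buffer interoperates with one that hashes on the fly.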