The threat model currently says collusion between aggregators is out of scope for the threat model.
By explicitly considering collusion as part of the threat model, we can address the potential mitigations that are likely to be deployed and make sure any protocols or proposals enable those mitigations.
For example, discovery, selection, identity of and authentication of the aggregators will all be significant for enabling mitigations to collusion by aggregators. Addressing collusion is also important in choosing between protocols that protect privacy against different levels of collusion (at least one honest vs. majority honest).
npdoty
commented
2 years ago
The threat model currently says collusion between aggregators is out of scope for the threat model.
By explicitly considering collusion as part of the threat model, we can address the potential mitigations that are likely to be deployed and make sure any protocols or proposals enable those mitigations.
For example, discovery, selection, identity of and authentication of the aggregators will all be significant for enabling mitigations to collusion by aggregators. Addressing collusion is also important in choosing between protocols that protect privacy against different levels of collusion (at least one honest vs. majority honest).