-
Notifications
You must be signed in to change notification settings - Fork 31
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Implement draft-irtf-cfrg-vdaf-13 #1122
Comments
@divergentdave looking at the entry:
Is this already reflected in the code? Specifically in Lines 184 to 190 in d2fe428
The output is a single field element, rather than a vector, so this is already done. Am I missing something? |
The fundamental difference is that we want to, for example, combine the range check and sum check values in the Histogram circuit via a random linear combination with query randomness values, rather joint randomness values. The way we've divided this up between abstraction layers in the spec is that we changed the circuit interface to return a vector of field elements, instead of a single field element, and then added the optional compression with query randomness values in the query algorithm of the FLP we define. (note that query randomness is passed to |
Ah ok, will do |
Is there a nontrivial relation between Lines 446 to 447 in d2fe428
And later it is assumed that the number of eval elements is 1: Lines 480 to 491 in d2fe428
This means that self.verifier_len() should probably be self.eval_output_len() + A where A is the sum of the gadget arities, rather than just 1 + A , right?
|
Here's the definition of verifier length in draft-10: https://www.ietf.org/archive/id/draft-irtf-cfrg-vdaf-10.html#figure-22. The overall breakdown of the verifier is one field element for the whole output vector, then for each gadget, as many field elements as the arity of the gadget for evaluations of the wire polynomials at a query randomness point, plus one more field element for the evaluation of the gadget polynomial at the same point. (so |
Ah, so to be clear: the thing to do here is to replace the |
I think you're right that this is moot. The libprio-rs/src/vdaf/poplar1.rs Lines 1167 to 1172 in a8e48e7
where Poplar1PrepareMessage is:libprio-rs/src/vdaf/poplar1.rs Lines 512 to 521 in a8e48e7
|
Separate question: does the current codebase validate aggregation parameters at all? I'm trying to impl the draft-09 changes, but can't even find where the basic level replay check is done. |
No, that isn't implemented at all currently. See #1133. |
Is there any change here outside of the FLP |
Yes, we also changed circuits using the |
Design question. I'm adding
If that's a fair description of the scenario, then I'm pro option 2. What do you think? |
The only objection to #2 that I can think of: a DAP implementation might currently cache a VDAF instantiation keyed on the VDAF & parameters for cross-task use. Since the application context string used by DAP is task-specific, this implementation strategy would be disallowed if we took implementation strategy #2. That said, none of the DAP implementations I'm aware of do this, and all the VDAF instantiations I'm aware of are cheap enough to instantiate that I don't think we necessarily need to support this use-case. Barring other objections, I like #2. |
Understood, that makes sense. Okay I’ll go with 2 for now. |
Hmm, the collector's operation (roughly, calling |
Ah, yeah. And also thinking about it more, it seems that this ctx would be the only state that these structs carry, aside from num_shares. Maybe this isn’t ideal |
Here's a summary of what we'll need to implement, based on the changelog.
is_valid()
now checks that the current candidate prefixes are descendents of previous candidate prefixes. (draft-09)Prio3MutlihotCountVec
#1123)Vec<F>
rather than a singleF
#1132)Vec<F>
rather than a singleF
#1132)max_measurement
field toPrio3Sum
type #1150)Vec<F>
rather than a singleF
#1132)ctx
string to DPF computation #1146)IdpfInput
methods make sense when compared to new draft. (draft-12)ctx
string to DPF computation #1146 and Align XofTurboShake128 with VDAF-13 #1165)AggregateShare
identity element #569. (draft-13) (Add aggegation initialization method #1172)VERSION
constant in domain separation tags. (Update constants #1152)This will also be a good opportunity for other breaking changes we want to make.
The text was updated successfully, but these errors were encountered: