From 88022605a7f3ca95b8f97c9c56b426dd3a44e084 Mon Sep 17 00:00:00 2001 From: Benjamin Case Date: Wed, 2 Oct 2024 17:43:41 -0400 Subject: [PATCH 1/5] flush out aggregation section --- api.bs | 52 +++++++++++++++++++++++++++++++++++++++++++--------- 1 file changed, 43 insertions(+), 9 deletions(-) diff --git a/api.bs b/api.bs index 7a246be..fbd225a 100644 --- a/api.bs +++ b/api.bs @@ -6,6 +6,7 @@ URL: https://private-attribution.github.io/api/ Editor: Martin Thomson, w3cid 68503, Mozilla https://mozilla.org/, mt@mozilla.com Editor: Andy Leiserson, w3cid 147715, Mozilla https://mozilla.org/, aleiserson@mozilla.com Editor: Benjamin Savage, w3cid 114877, Meta https://www.meta.com/, btsavage@meta.com +Editor: Benjamin Case, w3cid 128082, Meta https://www.meta.com/, bmcase@meta.com Abstract: This specifies a browser API for the measurement of advertising performance. The goal is to produce aggregate statistics about how advertising leads to conversions, without creating a risk to the privacy of individual web users. This API collates information about people from multiple web origins, which could be a significant risk to their privacy. To manage this risk, the information that is gathered is aggregated using an aggregation service that is chosen by websites and trusted to perform aggregation within strict limits. Noise is added to the aggregates produced by this service to provide differential privacy. Status Text: This specification is a proposal that is intended to be migrated to the W3C standards track. It is not a standard. Text Macro: LICENSE W3C Software and Document License @@ -612,7 +613,7 @@ The arguments to measureConversion() are as
The maximum [=conversion value=] across all contributions included in the aggregation. Together with epsilon, this is used to calibrate the distribution of random noise that - will be added to the outcome. It is also used to determine the amount of [=privacy budget=] + will be added to the outcome. It is also used to determine the amount of [=privacy budget=] to expend on this [=conversion report=].
lookbackDays
@@ -623,8 +624,8 @@ The arguments to measureConversion() are as
A list of impression sites. Only [=impressions=] recorded where the top-level site is on this list are eligible to match this [=conversion=].
intermediarySites
- A list of sites which called the saveImpression() API. - Only [=impressions=] recorded by scripts originating from one of the intermediary sites + A list of sites which called the saveImpression() API. + Only [=impressions=] recorded by scripts originating from one of the intermediary sites are eligible to match this [=conversion=].
@@ -868,13 +869,24 @@ if the user has opted out of collection of diagnostic data. An aggregation service takes multiple pieces of attribution information and produces an aggregate metric. -Each browser will have different requirements for aggregation. +Each browser will have different requirements for aggregation. The two aggregation service backends considered here +are for using a two-party Multi-Party Computation (MPC) or a Trusted Execution Environment (TEE). In either case the +Advertiser server (or their delegate) will collect a batch of conversion reports and submit them for aggreation (e.g. +when a sufficient number of conversion reports have been added to the batch or at a particular time when the metric is needed). ## Multi-Party Computation Aggregation ## {#mpc} -TODO + The aggregation service using a two-party MPC is based on [[DAP]] (Distributed Aggregation Protocol) + with a simple [[VDAF]] (Verifiable Distributed Aggregation function) + which enables aggregation of constant length vectors. It also supplies a guarantee that the p-norm contribution of any one + report to the histogram is bounded. + + The device generates additive secret shares of the histogram contribution and encrypts each set of secret shares under the public + key of one of the two Helper Parties running the aggreation service. The device also generates a zero-knowledge proof that the p-norm + of the histogram contrbiution is less than the `query_global_sensitivity`. +TODO: more details on how we integrate with DAP. ## Trusted Execution Environments ## {#tee} 
@@ -883,13 +895,17 @@ TODO ## Conversion Report Encryption ## {#encryption} -TODO +In addition to encrypting the histogram contribution, some data is bound to the report as authenticated data. The authenticated data includes +1. The `requested_epsilon` and the `query_global_sensitivity` and the `p-norm` used to enforced the sensitivity. +2. TODO... + ## Anti-Replay Requirements ## {#anti-replay} [=Conversion reports=] generated by browsers are bound to the amount of [=privacy budget=] -that was expended by the site that requested the report. +that was expended by the site that requested the report. We cannot allow a conversion report to be aggregated more than once; + otherwise, this would correspond to spending more privacy budget than was accounted for on the device. TODO @@ -1169,11 +1185,17 @@ a safety limit to be exceeded. ## Differential Privacy Mechanisms ## {#dp-mechanism} -The specific mechanisms that are used -depend on the type of [=aggregation service=]. + The two main DP mechanisms support are the Laplace and Gaussian mechanisms. + For supporting the Laplace mechanism the reports in a query will have all specified the same +`requested_epsilon`, `query_global_sensitivity` and have `p-norm = 1-norm`. This data is included in +the authenticated data (link) of the reports. The aggregation service adds independent samples of Laplace noise to +every histogram bin where the samples are take from a `Lap(query_global_sensitivity / requested_epsilon)`. +The specific mechanisms that are used +depend on the type of [=aggregation service=]. + # Security Considerations # {#security} 
@@ -1488,6 +1510,18 @@ spec:infra; type:dfn; text:user agent "href": "https://arxiv.org/abs/2405.16719", "title": "Cookie Monster: Efficient On-device Budgeting for Differentially-Private Ad-Measurement Systems", "publisher": "SOSP'24" + }, + "dap": { + "authors": [ + "Tim Geoghegan", + "Christopher Patton", + "Brandon Pitman", + "Eric Rescorla", + "Christopher A. Wood", + ], + "href": "https://datatracker.ietf.org/doc/draft-ietf-ppm-dap/", + "title": "Distributed Aggregation Protocol for Privacy Preserving Measurement", + "publisher": "IETF Draft" } } From fa1f6d4b6c1b679810d195760211f5b4efc4ec6b Mon Sep 17 00:00:00 2001 From: Benjamin Case Date: Wed, 2 Oct 2024 17:59:10 -0400 Subject: [PATCH 2/5] bib fixes --- api.bs | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/api.bs b/api.bs index fbd225a..7b1da70 100644 --- a/api.bs +++ b/api.bs @@ -1511,7 +1511,7 @@ spec:infra; type:dfn; text:user agent "title": "Cookie Monster: Efficient On-device Budgeting for Differentially-Private Ad-Measurement Systems", "publisher": "SOSP'24" }, - "dap": { + "dap": { "authors": [ "Tim Geoghegan", "Christopher Patton", From 2353cb4ba025fb328c56d3b191ab32f80051fc1b Mon Sep 17 00:00:00 2001 From: Benjamin Case Date: Thu, 3 Oct 2024 21:54:09 -0400 Subject: [PATCH 3/5] L1-norm instead of p-norm and other feedback --- api.bs | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/api.bs b/api.bs index 7b1da70..666cac4 100644 --- a/api.bs +++ b/api.bs 
@@ -870,20 +870,20 @@ An aggregation service takes multiple pieces of attribution informati and produces an aggregate metric. Each browser will have different requirements for aggregation. The two aggregation service backends considered here -are for using a two-party Multi-Party Computation (MPC) or a Trusted Execution Environment (TEE). In either case the -Advertiser server (or their delegate) will collect a batch of conversion reports and submit them for aggreation (e.g. -when a sufficient number of conversion reports have been added to the batch or at a particular time when the metric is needed). +are for using a two-party [[#mpc|Multi-Party Computation (MPC)]] or a [[#tee|Trusted Execution Environment (TEE)]]. In either case the +Advertiser server (or their delegate) will collect a batch of conversion reports and submit them for aggreation, such as +when a sufficient number of conversion reports have been added to the batch or at a particular time when the metric is needed. ## Multi-Party Computation Aggregation ## {#mpc} The aggregation service using a two-party MPC is based on [[DAP]] (Distributed Aggregation Protocol) with a simple [[VDAF]] (Verifiable Distributed Aggregation function) - which enables aggregation of constant length vectors. It also supplies a guarantee that the p-norm contribution of any one + which enables aggregation of constant length vectors. It also supplies a guarantee that the L1-norm contribution of any one report to the histogram is bounded. The device generates additive secret shares of the histogram contribution and encrypts each set of secret shares under the public - key of one of the two Helper Parties running the aggreation service. The device also generates a zero-knowledge proof that the p-norm + key of one of the two Helper Parties running the aggreation service. The device also generates a zero-knowledge proof that the L1-norm of the histogram contrbiution is less than the `query_global_sensitivity`. 
TODO: more details on how we integrate with DAP. @@ -896,7 +896,7 @@ TODO ## Conversion Report Encryption ## {#encryption} In addition to encrypting the histogram contribution, some data is bound to the report as authenticated data. The authenticated data includes -1. The `requested_epsilon` and the `query_global_sensitivity` and the `p-norm` used to enforced the sensitivity. +1. The `requested_epsilon` and the `query_global_sensitivity` which will be used to add the correct amount of noise. 2. TODO... @@ -1185,11 +1185,11 @@ a safety limit to be exceeded. ## Differential Privacy Mechanisms ## {#dp-mechanism} - The two main DP mechanisms support are the Laplace and Gaussian mechanisms. + Currently the only DP mechanism supported is the Laplace mechanism. For supporting the Laplace mechanism the reports in a query will have all specified the same -`requested_epsilon`, `query_global_sensitivity` and have `p-norm = 1-norm`. This data is included in -the authenticated data (link) of the reports. The aggregation service adds independent samples of Laplace noise to +`requested_epsilon` and `query_global_sensitivity`. This data is included in +the authenticated data of the reports. The aggregation service adds independent samples of Laplace noise to every histogram bin where the samples are take from a `Lap(query_global_sensitivity / requested_epsilon)`. From 79d791c81fd74c035037dbd37cc79a6f2d76946a Mon Sep 17 00:00:00 2001 From: Benjamin Case Date: Thu, 3 Oct 2024 21:55:13 -0400 Subject: [PATCH 4/5] fmt --- api.bs | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/api.bs b/api.bs index 666cac4..f034ebd 100644 --- a/api.bs +++ b/api.bs 
@@ -1187,7 +1187,7 @@ a safety limit to be exceeded. Currently the only DP mechanism supported is the Laplace mechanism. - For supporting the Laplace mechanism the reports in a query will have all specified the same +For supporting the Laplace mechanism the reports in a query will have all specified the same `requested_epsilon` and `query_global_sensitivity`. This data is included in the authenticated data of the reports. The aggregation service adds independent samples of Laplace noise to every histogram bin where the samples are take from a `Lap(query_global_sensitivity / requested_epsilon)`. From 1bc085134ca142801fe805cfd5da1a4b8360a0e6 Mon Sep 17 00:00:00 2001 From: Benjamin Case Date: Thu, 3 Oct 2024 22:01:29 -0400 Subject: [PATCH 5/5] don't modify abstract --- api.bs | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/api.bs b/api.bs index f034ebd..242127b 100644 --- a/api.bs +++ b/api.bs 
@@ -7,7 +7,14 @@ Editor: Martin Thomson, w3cid 68503, Mozilla https://mozilla.org/, mt@mozilla.co Editor: Andy Leiserson, w3cid 147715, Mozilla https://mozilla.org/, aleiserson@mozilla.com Editor: Benjamin Savage, w3cid 114877, Meta https://www.meta.com/, btsavage@meta.com Editor: Benjamin Case, w3cid 128082, Meta https://www.meta.com/, bmcase@meta.com -Abstract: This specifies a browser API for the measurement of advertising performance. The goal is to produce aggregate statistics about how advertising leads to conversions, without creating a risk to the privacy of individual web users. This API collates information about people from multiple web origins, which could be a significant risk to their privacy. To manage this risk, the information that is gathered is aggregated using an aggregation service that is chosen by websites and trusted to perform aggregation within strict limits. Noise is added to the aggregates produced by this service to provide differential privacy. +Abstract: This specifies a browser API for the measurement of advertising performance. +The goal is to produce aggregate statistics about how advertising leads to conversions, + without creating a risk to the privacy of individual web users. This API collates information + about people from multiple web origins, which could be a significant risk to their privacy. + To manage this risk, the information that is gathered is aggregated using an aggregation service + that is trusted by the user-agent to perform aggregation within strict limits. Noise is added to + the aggregates produced by this service to provide differential privacy. Websites may select an + aggregation service from the list of approved aggregation services provided by the user-agent. Status Text: This specification is a proposal that is intended to be migrated to the W3C standards track. It is not a standard. Text Macro: LICENSE W3C Software and Document License Complain About: accidental-2119 yes, missing-example-ids yes
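Review bot: In PATCH 1/5, the @@ -612 and @@ -623 hunks are whitespace-only (trailing spaces on the `[=privacy budget=]` and `intermediarySites` lines); drop them from this commit or fold them into the later "fmt" commit so the substantive diff stays reviewable.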
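Review bot: In PATCH 1/5, the @@ -868 hunk cites [[VDAF]] but the biblio hunk at @@ -1488 adds only a "dap" entry, so check that VDAF resolves in the Bikeshed build or add a matching entry. The same paragraph says the device generates a zero-knowledge proof on the norm of its contribution but not who verifies it or what happens to a report that fails; spell that out, because a report aggregated without a valid proof voids the sensitivity bound the noise calibration relies on. Typos to fix: "aggreation" (twice) and "contrbiution".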
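Review bot: In PATCH 1/5, the @@ -883 hunk gives only the noise-calibration reason for carrying `requested_epsilon` and `query_global_sensitivity` as authenticated data; the security reason belongs there too: the aggregation service can read them to calibrate noise, but cannot be handed a report with a different epsilon than the device budgeted for without the authentication check failing, so it must reject any report whose authenticated values differ from the query's. Fix "used to enforced" to "used to enforce" and replace `2. TODO...` or remove the list until it has content. In the anti-replay paragraph the requirement (no report aggregated twice) is now stated but the mechanism is still TODO; since the MPC path builds on [[DAP]], say whether the report identifier and replay rejection come from DAP or from this spec, and note that the TEE backend needs the same guarantee.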
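Review bot: In PATCH 1/5, the @@ -1169 hunk removes "The specific mechanisms that are used depend on the type of [=aggregation service=]." and then re-adds it verbatim after the Laplace paragraph, so the section says the same thing twice with an unrelated paragraph in between; keep one copy. The Laplace paragraph needs "support" -> "supported", "samples are take" -> "samples are taken", and the "(link)" placeholder replaced with a cross-reference to [[#encryption]]. It should also say what the aggregation service does when reports in one query disagree on `requested_epsilon` or `query_global_sensitivity`: rejecting the query is the safe choice, since noise calibrated to a larger epsilon under-protects every report that declared a smaller one. The scale `query_global_sensitivity / requested_epsilon` itself is correct for an L1 bound, which is why the p-norm to L1-norm change in PATCH 3/5 matters.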
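Review bot: In PATCH 1/5, the new "dap" biblio entry in the @@ -1488 hunk has a trailing comma after the last author (`"Christopher A. Wood",` followed by `]`); that is not valid JSON and Bikeshed parses inline biblio blocks as JSON, so drop the comma. PATCH 2/5 ("bib fixes") changes only whitespace on the `"dap": {` line and leaves this in place.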
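Review bot: In PATCH 3/5, the @@ -870 hunk correctly switches the bound to the L1-norm, but the proof statement still reads "less than the `query_global_sensitivity`" where "at most" (a non-strict bound) is what the Laplace calibration assumes; a contribution exactly equal to the sensitivity must be provable. "aggreation" (twice) and "contrbiution" survive from PATCH 1/5 and should be fixed here.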
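Review bot: In PATCH 3/5, the @@ -896 hunk drops the norm from the authenticated data, which is consistent with the spec now fixing L1, but the list still ends with `2. TODO...` in a section PATCH 1/5 otherwise un-TODOs; either name the remaining authenticated fields or state that the list is incomplete in prose rather than with a placeholder item.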
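Review bot: In PATCH 3/5, the @@ -1185 hunk now says Laplace is the only supported mechanism, but the sentence "The specific mechanisms that are used depend on the type of [=aggregation service=]." that PATCH 1/5 re-added after this paragraph lies outside this hunk's context and now contradicts it; remove it or reword it as a forward-looking statement. "samples are take" is still unfixed.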
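Review bot: In PATCH 4/5, the fmt hunk strips the leading space from one line of the Laplace paragraph, but every line of the MPC paragraphs added in PATCH 1/5's @@ -868 hunk still starts with a leading space; apply the same fix there so the section is consistent.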
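Review bot: In PATCH 5/5, the commit message says "don't modify abstract", but the @@ -7 hunk changes the trust model in the abstract: "chosen by websites and trusted to perform aggregation" becomes "trusted by the user-agent", with websites choosing from a user-agent-provided list of approved services. That is a substantive change, not a reflow; say so in the commit message and make sure the body matches (the aggregation service section at @@ -868 still describes the Advertiser server submitting batches and says nothing about an approved list). Two smaller points: the spec uses the infra term "user agent" (see the `spec:infra; type:dfn; text:user agent` context line), so "user-agent" should be unhyphenated, and the continuation lines of the Abstract value are inconsistently indented (the second line has no leading space while the rest do); verify that the Bikeshed metadata parser reads the multi-line value as a single field.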