Flush out aggregation section #29

61 changes: 51 additions & 10 deletions api.bs
Expand Up @@ -6,7 +6,15 @@ URL: https://private-attribution.github.io/api/
Editor: Martin Thomson, w3cid 68503, Mozilla https://mozilla.org/, [email protected]
Editor: Andy Leiserson, w3cid 147715, Mozilla https://mozilla.org/, [email protected]
Editor: Benjamin Savage, w3cid 114877, Meta https://www.meta.com/, [email protected]
Abstract: This specifies a browser API for the measurement of advertising performance. The goal is to produce aggregate statistics about how advertising leads to conversions, without creating a risk to the privacy of individual web users. This API collates information about people from multiple web origins, which could be a significant risk to their privacy. To manage this risk, the information that is gathered is aggregated using an aggregation service that is trusted by the user-agent to perform aggregation within strict limits. Noise is added to the aggregates produced by this service to provide differential privacy. Websites may select an aggregation service from the list of approved aggregation services provided by the user-agent.
Editor: Benjamin Case, w3cid 128082, Meta https://www.meta.com/, [email protected]
Abstract: This specifies a browser API for the measurement of advertising performance.
The goal is to produce aggregate statistics about how advertising leads to conversions,
without creating a risk to the privacy of individual web users. This API collates information
about people from multiple web origins, which could be a significant risk to their privacy.
To manage this risk, the information that is gathered is aggregated using an aggregation service
that is trusted by the user-agent to perform aggregation within strict limits. Noise is added to
the aggregates produced by this service to provide differential privacy. Websites may select an
aggregation service from the list of approved aggregation services provided by the user-agent.
Status Text: This specification is a proposal that is intended to be migrated to the W3C standards track. It is not a standard.
Text Macro: LICENSE <a href=http://www.w3.org/Consortium/Legal/2015/copyright-software-and-document>W3C Software and Document License</a>
Complain About: accidental-2119 yes, missing-example-ids yes
Expand Down Expand Up @@ -612,7 +620,7 @@ The arguments to <a method for=PrivateAttribution>measureConversion()</a> are as
<dd>
The maximum [=conversion value=] across all contributions included in the aggregation.
Together with epsilon, this is used to calibrate the distribution of random noise that
will be added to the outcome. It is also used to determine the amount of [=privacy budget=]
will be added to the outcome. It is also used to determine the amount of [=privacy budget=]
to expend on this [=conversion report=].
</dd>
<dt><dfn>lookbackDays</dfn></dt>
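Review bot: the only change in this hunk (and in the intermediarySites hunk that follows) is whitespace on otherwise identical lines, since the removed and added copies of "will be added to the outcome. It is also used to determine the amount of [=privacy budget=]" read the same. That is fine, but whitespace-only churn is easier to review in its own commit or with a mention in the commit message, so that it is not mistaken for a wording change in a content PR.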
Expand All @@ -623,8 +631,8 @@ The arguments to <a method for=PrivateAttribution>measureConversion()</a> are as
<dd>A list of impression sites. Only [=impressions=] recorded where the top-level site is on this list are eligible to match this [=conversion=].</dd>
<dt><dfn>intermediarySites</dfn></dt>
<dd>
A list of sites which called the <a method for=PrivateAttribution>saveImpression()</a> API.
Only [=impressions=] recorded by scripts originating from one of the intermediary sites
A list of sites which called the <a method for=PrivateAttribution>saveImpression()</a> API.
Only [=impressions=] recorded by scripts originating from one of the intermediary sites
are eligible to match this [=conversion=].
</dd>
</dl>
Expand Down Expand Up @@ -868,13 +876,24 @@ if the user has opted out of collection of diagnostic data.
An <dfn>aggregation service</dfn> takes multiple pieces of attribution information
and produces an aggregate metric.

Each browser will have different requirements for aggregation.
Each browser will have different requirements for aggregation. The two aggregation service backends considered here
are for using a two-party [[#mpc|Multi-Party Computation (MPC)]] or a [[#tee|Trusted Execution Environment (TEE)]]. In either case the
Advertiser server (or their delegate) will collect a batch of conversion reports and submit them for aggreation, such as
when a sufficient number of conversion reports have been added to the batch or at a particular time when the metric is needed.


## Multi-Party Computation Aggregation ## {#mpc}

TODO
The aggregation service using a two-party MPC is based on [[DAP]] (Distributed Aggregation Protocol)
with a simple [[VDAF]] (Verifiable Distributed Aggregation function)
which enables aggregation of constant length vectors. It also supplies a guarantee that the L1-norm contribution of any one
report to the histogram is bounded.

The device generates additive secret shares of the histogram contribution and encrypts each set of secret shares under the public
key of one of the two Helper Parties running the aggreation service. The device also generates a zero-knowledge proof that the L1-norm
of the histogram contrbiution is less than the `query_global_sensitivity`.

TODO: more details on how we integrate with DAP.

## Trusted Execution Environments ## {#tee}

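Review bot: "the L1-norm of the histogram contrbiution is less than the `query_global_sensitivity`" should read "at most", otherwise the bound proven by the client is inconsistent with the way the sensitivity is used elsewhere in this PR (the Laplace scale `query_global_sensitivity / requested_epsilon` in the DP section is calibrated for an L1 contribution of at most the sensitivity, and maxValue in the API section is defined as the maximum value included). Related: `query_global_sensitivity` is introduced here but the measureConversion() arguments only define maxValue; say how the two relate, or use one name. The hunk also introduces [[VDAF]] without adding a biblio entry (only "dap" is added in the last hunk), so confirm the reference resolves. Typos: "aggreation" (twice), "contrbiution"; "Advertiser server" should be lowercase; the two blank lines after "when the metric is needed." can be collapsed to one.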
Expand All @@ -883,13 +902,17 @@ TODO

## Conversion Report Encryption ## {#encryption}

TODO
In addition to encrypting the histogram contribution, some data is bound to the report as authenticated data. The authenticated data includes
1. The `requested_epsilon` and the `query_global_sensitivity` which will be used to add the correct amount of noise.
2. TODO...


## Anti-Replay Requirements ## {#anti-replay}

[=Conversion reports=] generated by browsers are bound
to the amount of [=privacy budget=]
that was expended by the site that requested the report.
that was expended by the site that requested the report. We cannot allow a conversion report to be aggregated more than once;
otherwise, this would correspond to spending more privacy budget than was accounted for on the device.

TODO

Expand Down Expand Up @@ -1169,11 +1192,17 @@ a safety limit to be exceeded.

## Differential Privacy Mechanisms ## {#dp-mechanism}

The specific mechanisms that are used
depend on the type of [=aggregation service=].
Currently the only DP mechanism supported is the Laplace mechanism.

For supporting the Laplace mechanism the reports in a query will have all specified the same
`requested_epsilon` and `query_global_sensitivity`. This data is included in
the authenticated data of the reports. The aggregation service adds independent samples of Laplace noise to
every histogram bin where the samples are take from a `Lap(query_global_sensitivity / requested_epsilon)`.


The specific mechanisms that are used
depend on the type of [=aggregation service=].

# Security Considerations # {#security}


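Review bot: the retained sentence "The specific mechanisms that are used depend on the type of [=aggregation service=]" (moved to the end of the section) now contradicts the new opening "Currently the only DP mechanism supported is the Laplace mechanism"; keep one or reword the first as a forward-looking note. "the reports in a query will have all specified the same `requested_epsilon` and `query_global_sensitivity`" is a statement of expectation, not a requirement: the hunk should say the aggregation service MUST reject a query whose reports carry differing values, and can do so precisely because both values are in the authenticated data. The scale `Lap(query_global_sensitivity / requested_epsilon)` gives `requested_epsilon`-DP per query only when each report's L1 contribution is at most `query_global_sensitivity`, so cross-reference the norm bound from the MPC section here. Typo: "samples are take from" should be "taken from"; the double blank line before the Security Considerations heading can be collapsed.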
Expand Down Expand Up @@ -1488,6 +1517,18 @@ spec:infra; type:dfn; text:user agent
"href": "https://arxiv.org/abs/2405.16719",
"title": "Cookie Monster: Efficient On-device Budgeting for Differentially-Private Ad-Measurement Systems",
"publisher": "SOSP'24"
},
"dap": {
"authors": [
"Tim Geoghegan",
"Christopher Patton",
"Brandon Pitman",
"Eric Rescorla",
"Christopher A. Wood",
],
"href": "https://datatracker.ietf.org/doc/draft-ietf-ppm-dap/",
"title": "Distributed Aggregation Protocol for Privacy Preserving Measurement",
"publisher": "IETF Draft"
}
}
</pre>
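Review bot: the trailing comma after "Christopher A. Wood", at the end of the authors array is invalid JSON, and Bikeshed loads `<pre class=biblio>` as JSON, so this will break the build; remove the comma. The MPC section references both [[DAP]] and [[VDAF]] but only "dap" is added here, so add a matching "vdaf" entry or confirm Bikeshed resolves VDAF from its remote biblio. Minor: "publisher": "IETF Draft" mixes venue and status; the existing entries use the venue alone ("SOSP'24"), so "IETF" with the draft status left to the href would match.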