diff --git a/api.bs b/api.bs
index 9c5b4a9..9501b88 100644
--- a/api.bs
+++ b/api.bs
@@ -328,7 +328,7 @@ At [=conversion=] time, a [=conversion report=] is created.
A conversion report is an encrypted histogram contribution
that includes information from any [=impressions=] that the browser previously stored.
-The measureConversion method accepts a simple query that is used
+The measureConversion() method accepts a simple query that is used
to tell the browser how to construct a [=conversion report=].
That includes a simple query that selects from the [=impressions=]
that the browser has stored,
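Review bot: the sentence being edited says "simple query" twice in a row ("accepts a simple query that is used to tell the browser ... That includes a simple query that selects from the impressions"); since the rename already touches it, collapse it to one sentence, e.g. "The measureConversion() method accepts a simple query that tells the browser how to construct a conversion report: it selects from the impressions that the browser has stored, ...".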
@@ -392,20 +392,12 @@ select a supported [=aggregation service=].
The page may select any of the supported services found in
aggregationServices.
The name of the selected service must be supplied as
-the `aggregator` member of the
+the {{PrivateAttributionConversionOptions/aggregator}} member of the
{{PrivateAttributionConversionOptions}} dictionary when calling the
measureConversion() method.
-
-This section needs to be more precise about [=site=] vs. [=origin=].
-
## Finding a Supported Aggregation Service ## {#find-aggregation-service}
-
Is any additional information required in the
-{{PrivateAttributionAggregationService}} dictionary? Do we want
-to rename `apiVersion` to `protocol`? And we should definitely
-define an enum for it.
-
The aggregationServices attribute
contains a list of aggregation services supported by the [=user agent=]. The page
must select and specify one of these services when calling the
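Review bot: the deleted issue block "This section needs to be more precise about [=site=] vs. [=origin=]" is not matched by any change in this hunk that settles the question, so an open problem is being dropped rather than resolved; keep that issue (or move it next to the intermediarySites definition, which is where the site/origin mixing actually occurs) unless it is addressed elsewhere in this change. The second deleted issue (rename apiVersion to protocol, define an enum) is genuinely resolved by the IDL hunk below. Also note that the unchanged context lines still say "supported services found in aggregationServices" and "The aggregationServices attribute contains a list of aggregation services", while this same patch renames the attribute to aggregators, so these references now point at an attribute the IDL no longer defines.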
@@ -416,14 +408,21 @@ but that is not required,
and impressions are not scoped to a single aggregation service.
+enum PrivateAttributionProtocol { "dap-11", "tee-00" };
+
dictionary PrivateAttributionAggregationService {
- required DOMString name;
- required DOMString apiVersion;
+ required DOMString url;
+ required DOMString protocol;
+};
+
+[SecureContext, Exposed=Window]
+interface PrivateAttributionAggregationServices {
+ readonly setlike;
};
[SecureContext, Exposed=Window]
interface PrivateAttribution {
- attribute FrozenArray aggregationServices;
+ readonly attribute PrivateAttributionAggregationServices aggregators;
};
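Review bot: `readonly setlike;` is not valid Web IDL; setlike takes a type parameter, so this should read `readonly setlike<PrivateAttributionAggregationService>;`. In the dictionary, `protocol` is declared `required DOMString protocol;` even though the `PrivateAttributionProtocol` enum is introduced two lines above for exactly this member; declare it `required PrivateAttributionProtocol protocol;` so that an unknown protocol string is rejected at the IDL layer rather than left to prose. It is also worth deciding whether set semantics are what pages need here: `has()` on a set of dictionary values tests object identity, so a page cannot check whether a given URL is supported by constructing an equivalent dictionary, which is the lookup the `aggregator` option later requires; a maplike keyed by the URL string (url to protocol) would match that usage directly.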
@@ -431,21 +430,33 @@ The aggregationServices attribute
contains the following information about each supported aggregation service:
- - name
+ - url
-
- Name of the aggregation service. This is passed as the `aggregator`
- parameter to measureConversion().
+ A URL that identifies an [=aggregation service=].
+ This value is passed as the {{PrivateAttributionConversionOptions/aggregator}} parameter
+ to measureConversion() to select the identified aggregation service.
- - apiVersion
+ - protocol
-
- Version of the Private Attribution API supported by this aggregator. Even if
- an aggregator supports multiple versions of the API, it is expected to
- assign a unique aggregation service name for each supported version.
- Thus, the API version is implicit in the aggregator selection
- and does not need to be passed to measureConversion().
+ The {{PrivateAttributionProtocol|protocol}} that the [=aggregation service=] uses.
+ Different versions of the same protocol will be use different values.
+ Even if a single service provider supports multiple protocols,
+ each needs to use a different URL.
+ This ensures that each can be uniquely identified by URL
+ without also specifying the choice of protocol.
+The PrivateAttributionProtocol describes the submission protocol
+used by different [=aggregation services=]. This document defines two protocols:
+
+
+ - dap-11
+ - A DAP-based protocol [[DAP]] that uses [=MPC=]; see [[#s-mpc]].
+ - tee-00
+ - A protocol for submission to a [=TEE=]; see [[#s-tee]].
+
+
## Saving Impressions ## {#save-impression-api}
The saveImpression() method requests
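Review bot: typo on the added line "Different versions of the same protocol will be use different values" (drop "be"). The uniqueness rule that follows ("each needs to use a different URL") is a requirement on the user agent's list but is phrased as an expectation; make it normative (entries in aggregators MUST have distinct url values), because the next sentence, that a service can be identified by URL alone, depends on it. The unchanged context at the top of the hunk still reads "The aggregationServices attribute contains the following information", which no longer matches the renamed aggregators attribute. Finally, "dap-11" bakes an Internet-Draft revision number into the wire identifier; since the text already says that protocol versions get distinct values, state explicitly that this value is tied to the cited [[DAP]] draft revision and that a later revision gets a new enum value, so implementers do not treat it as a stable name for "DAP".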
@@ -591,7 +602,7 @@ The arguments to measureConversion() are as
aggregator
A selection from the [=aggregation services=] that can be found in aggregationServices.
+ attribute for=PrivateAttribution>aggregators.
epsilon
The amount of [=privacy budget=] to expend on this [=conversion report=].
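Review bot: the unchanged context line "A selection from the [=aggregation services=] that can be found in aggregationServices." should have been a "-" line; with only the new aggregators reference added after it, the rendered text reads "found in aggregationServices. aggregators." The added line also looks like an `<a attribute for=PrivateAttribution>` reference whose markup did not survive in this view, so check the source line. Separately, this argument is the one place a page chooses an aggregator, and the text does not say what happens when the value does not match an entry in aggregators: specify how the supplied string is compared against entry url values (exact match of the serialized URL is the simplest rule) and that a non-match fails the measureConversion() call rather than silently falling back to some default service.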
@@ -612,7 +623,7 @@ The arguments to measureConversion() are as
The maximum [=conversion value=] across all contributions included in the aggregation.
Together with epsilon, this is used to calibrate the distribution of random noise that
- will be added to the outcome. It is also used to determine the amount of [=privacy budget=]
+ will be added to the outcome. It is also used to determine the amount of [=privacy budget=]
to expend on this [=conversion report=].
lookbackDays
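Review bot: the removed and added lines in this hunk differ only in whitespace (trailing space on the removed line), which is fine as cleanup, but confirm that no wording change was intended here and lost. While touching this paragraph, "calibrate the distribution of random noise" would be clearer if it named what maxValue is in differential-privacy terms, the sensitivity bound on any single contribution: noise scale grows with that bound divided by epsilon, which is why the bound must be fixed before the report is created and why it feeds into the budget calculation the next sentence mentions.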
@@ -623,8 +634,8 @@ The arguments to measureConversion() are as
A list of impression sites. Only [=impressions=] recorded where the top-level site is on this list are eligible to match this [=conversion=].
intermediarySites
- A list of sites which called the saveImpression() API.
- Only [=impressions=] recorded by scripts originating from one of the intermediary sites
+ A list of sites which called the saveImpression() API.
+ Only [=impressions=] recorded by scripts originating from one of the intermediary sites
are eligible to match this [=conversion=].
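Review bot: another whitespace-only change. The substantive problem in this hunk's context is the one the earlier hunk deletes an issue about: "sites which called the saveImpression() API" and "scripts originating from one of the intermediary sites" mix site and origin. A script has an origin; the option is named intermediarySites. State whether the match is on the site of the calling script's origin (registrable domain plus scheme) or on the exact origin, because the two differ for subdomains and the choice determines which stored impressions a conversion is allowed to pull in.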
@@ -871,12 +882,27 @@ and produces an aggregate metric.
Each browser will have different requirements for aggregation.
-## Multi-Party Computation Aggregation ## {#mpc}
+## Multi-Party Computation Aggregation ## {#s-mpc}
+
+A Multi-Party Computation (MPC) system is one that
+involves multiple independent entities
+that cooperatively compute an agreed function.
+
+This specification uses an MPC system based on Prio [[PRIO]]
+and the Distributed Aggregation Protocol (DAP) [[DAP]].
+This is a two-party MPC system that is characterized by
+its reliance on client-provided proofs of correctness for inputs.
+This allows for very efficient MPC operation
+at a modest cost in the size of submissions to the system.
TODO
-## Trusted Execution Environments ## {#tee}
+## Trusted Execution Environments ## {#s-tee}
+
+A Trusted Execution Environment (TEE) uses specialized hardware
+to ensure that computation is isolated
+from other programs that run on the same hardware.
TODO
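Review bot: the MPC paragraph should state the trust assumption that privacy rests on, namely that the two aggregators do not collude; the client-provided proofs it mentions protect robustness (a malicious client cannot submit a malformed or out-of-range contribution) and are no substitute for non-collusion. "very efficient MPC operation" can be made concrete: aggregation over secret shares is linear, so each aggregator only sums its shares, which is where the efficiency comes from. In the TEE paragraph, hardware isolation alone gives the browser no way to know what code it is submitting to; add that the service must provide remote attestation that the browser verifies before submission, otherwise the "tee-00" protocol named by the enum has no stated basis for the browser's trust. Both sections still carry a TODO, so neither protocol value in the enum yet has submission details behind it.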
@@ -1422,6 +1448,18 @@ spec:infra; type:dfn; text:user agent
"href": "https://papers.ssrn.com/sol3/papers.cfm?abstract_id=4430334",
"date": "2024-03-14"
},
+ "dap": {
+ "authors": [
+ "Tim Geoghegan",
+ "Christopher Patton",
+ "Brandon Pitman",
+ "Eric Rescorla",
+ "Christopher A. Wood"
+ ],
+ "href": "https://datatracker.ietf.org/doc/html/draft-ietf-ppm-dap-11",
+ "title": "Distributed Aggregation Protocol for Privacy Preserving Measurement",
+ "publisher": "IETF Draft"
+ },
"dp": {
"authors": [
"Cynthia Dwork",
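Review bot: the new "dap" entry pins draft revision 11 in its href, matching the "dap-11" enum value introduced earlier in the patch; those two must move together when the draft is bumped, so add a "date" field like the neighbouring entries so a reader can tell which revision the enum value corresponds to, and use "Internet-Draft" rather than "IETF Draft" as the publisher, since that is the document series name.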
@@ -1488,6 +1526,15 @@ spec:infra; type:dfn; text:user agent
"href": "https://arxiv.org/abs/2405.16719",
"title": "Cookie Monster: Efficient On-device Budgeting for Differentially-Private Ad-Measurement Systems",
"publisher": "SOSP'24"
+ },
+ "prio": {
+ "authors": [
+ "Henry Corrigan-Gibbs",
+ "Dan Boneh"
+ ],
+ "title": "Prio: Private, Robust, and Scalable Computation of Aggregate Statistics",
+ "href": "https://crypto.stanford.edu/prio/paper.pdf",
+ "date": "2017-03-17"
}
}
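Review bot: the "prio" entry has no "publisher" field; the paper appeared at USENIX NSDI '17, which should be recorded to match the style of the adjacent "cookie monster" entry (publisher "SOSP'24"), and the "date" given here should be checked against that venue's proceedings date rather than the PDF's timestamp.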