Crate sta_rs

Source
Expand description

This module provides the implementation of the STAR (distributed Secret-sharing for Threshold AggRegation of data) protocol. The STAR protocol provides the ability for clients to report secret measurements to servers, whilst maintaining k-anonymity-like guarantees.

In essence, such measurements are only revealed if a threshold number of clients all send the same message. Clients are permitted to also send relevant, arbitrary associated data that can also be revealed.

In STAR, clients derive randomness from a separate server that implements a puncturable partially oblivious pseudorandom function (PPOPRF) protocol. In STARLite, clients derive randomness used for hiding their measurements locally from the measurement itself. The PPOPRF protocol takes in the client measurement, a server secret key, and the current epoch metadata tag as input, and outputs a random (deterministic) value.

In the case of STARLite, the design is simpler than in STAR, but security is ONLY maintained in the case where client measurements are sampled from a high-entropy domain. In the case of STAR, client security guarantees hold even for low-entropy inputs, as long as the randomness is only revealed after the epoch metadata tag has been punctured from the randomness server’s secret key.

See the full paper for more details.

§Example (client)

The following example shows how to generate a message triple of (ciphertext, share, tag). This message can then be sent to the aggregation server.

let measurement = SingleMeasurement::new("hello world".as_bytes());
let mg = MessageGenerator::new(measurement, threshold, epoch.as_bytes());
let mut rnd = [0u8; 32];
// NOTE: this is for STARLite. Randomness must be sampled from a
// randomness server in order to implement the full STAR protocol.
mg.sample_local_randomness(&mut rnd);

let Message {
  ciphertext,
  share,
  tag,
} = Message::generate(&mg, &mut rnd, None)
    .expect("Could not generate message triplet");

§Example (WASM client)

The following example shows how to generate a triple of (key, share, tag) for each client in the STARLite protocol, which is used in the existing WASM integration. The STAR protocol is not yet supported.

In the WASM integration the key MUST then be used to encrypt the measurement and associated data into a ciphertext in the higher-level application. The message triple (ciphertext, share, tag) is then sent to the server.

let measurement = SingleMeasurement::new("hello world".as_bytes());
let mg = MessageGenerator::new(measurement, threshold, epoch.as_bytes());
let mut rnd = [0u8; 32];
// NOTE: this is for STARLite. Randomness must be sampled from a
// randomness server in order to implement the full STAR protocol.
mg.sample_local_randomness(&mut rnd);
let WASMSharingMaterial {
  key,
  share,
  tag,
} = mg.share_with_local_randomness().unwrap();

§Example (server)

Once over threshold shares are recovered from clients, it is possible to recover the randomness encoded in each of the shares


let value = share_recover(&shares).unwrap().get_message();

// derive key for decrypting payload data in client message
let mut enc_key = vec![0u8; 16];
derive_ske_key(&value, epoch.as_bytes(), &mut enc_key);

Structs§

AssociatedData
Ciphertext
InternalShare
The Share struct holds the necessary data that is encoded in a single secret share. A share itself reveals nothing about the encoded secret data until it is grouped with a set of shares that satisfy the policy in the associated AccessStructure.
Message
MessageGenerator
Share
SingleMeasurement
WASMSharingMaterial

Constants§

AES_BLOCK_LEN
DIGEST_LEN

Functions§

derive_ske_key
load_bytes
Parse the next data chunk out of a byte slice
share_recover
store_bytes
Append a chunk of data
strobe_digest