Expand description
This module provides the implementation of the STAR (distributed Secret-sharing for Threshold AggRegation of data) protocol. The STAR protocol provides the ability for clients to report secret measurements to servers, whilst maintaining k-anonymity-like guarantees.
In essence, such measurements are only revealed if a threshold
number of clients all send the same message. Clients are permitted
to also send relevant, arbitrary associated data that can also be
revealed.
In STAR, clients derive randomness from a separate server that implements a puncturable partially oblivious pseudorandom function (PPOPRF) protocol. In STARLite, clients derive randomness used for hiding their measurements locally from the measurement itself. The PPOPRF protocol takes in the client measurement, a server secret key, and the current epoch metadata tag as input, and outputs a random (deterministic) value.
In the case of STARLite, the design is simpler than in STAR, but security is ONLY maintained in the case where client measurements are sampled from a high-entropy domain. In the case of STAR, client security guarantees hold even for low-entropy inputs, as long as the randomness is only revealed after the epoch metadata tag has been punctured from the randomness server’s secret key.
See the full paper for more details.
§Example (client)
The following example shows how to generate a message triple of (ciphertext, share, tag). This message can then be sent to the aggregation server.
let measurement = SingleMeasurement::new("hello world".as_bytes());
let mg = MessageGenerator::new(measurement, threshold, epoch.as_bytes());
let mut rnd = [0u8; 32];
// NOTE: this is for STARLite. Randomness must be sampled from a
// randomness server in order to implement the full STAR protocol.
mg.sample_local_randomness(&mut rnd);
let Message {
ciphertext,
share,
tag,
} = Message::generate(&mg, &mut rnd, None)
.expect("Could not generate message triplet");§Example (WASM client)
The following example shows how to generate a triple of (key, share, tag) for each client in the STARLite protocol, which is used
in the existing WASM integration. The STAR protocol is not yet
supported.
In the WASM integration the key MUST then be used to encrypt the
measurement and associated data into a ciphertext in the
higher-level application. The message triple (ciphertext, share, tag) is then sent to the server.
let measurement = SingleMeasurement::new("hello world".as_bytes());
let mg = MessageGenerator::new(measurement, threshold, epoch.as_bytes());
let mut rnd = [0u8; 32];
// NOTE: this is for STARLite. Randomness must be sampled from a
// randomness server in order to implement the full STAR protocol.
mg.sample_local_randomness(&mut rnd);
let WASMSharingMaterial {
key,
share,
tag,
} = mg.share_with_local_randomness().unwrap();§Example (server)
Once over threshold shares are recovered from clients, it is
possible to recover the randomness encoded in each of the shares
let value = share_recover(&shares).unwrap().get_message();
// derive key for decrypting payload data in client message
let mut enc_key = vec![0u8; 16];
derive_ske_key(&value, epoch.as_bytes(), &mut enc_key);Structs§
- Associated
Data - Ciphertext
- Internal
Share - The
Sharestruct holds the necessary data that is encoded in a single secret share. A share itself reveals nothing about the encoded secret data until it is grouped with a set of shares that satisfy the policy in the associatedAccessStructure. - Message
- Message
Generator - Share
- Single
Measurement - WASM
Sharing Material
Constants§
Functions§
- derive_
ske_ key - load_
bytes - Parse the next data chunk out of a byte slice
- share_
recover - store_
bytes - Append a chunk of data
- strobe_
digest