Pr Privacy cy-pre prese servi rving ng Fir Firef efox x - - PowerPoint PPT Presentation
Pr Privacy cy-pre prese servi rving ng Fir Firef efox x telem elemet etry wit ith Pr Prio Henry Corrigan-Gibbs (EPFL MIT CSAIL) In In c collabora ration wi with: Dan Boneh (Stanford), Gary Chen, Steven Englehardt, Robert
Pr Privacy cy-pre prese servi rving ng Fir Firef efox x telem elemet etry wit ith Pr Prio
Henry Corrigan-Gibbs (EPFL → MIT CSAIL) In In c collabora ration wi with: Dan Boneh (Stanford), Gary Chen, Steven Englehardt, Robert Helmer, Chris Hutten-Czapski, Anthony Miyaguchi, Eric Rescorla, and Peter Saint-Andre (Mozilla)
Runni Running ng e exa xample ple:
Measuring effectiveness of tracking protection
51
Runni Running ng e exa xample ple:
Measuring effectiveness of tracking protection
52
Mozilla wants to know: “H “How many y Fir iref efox x user ers blocked ked a a trac racki king g cooki
e from rom fb fb.co .com?” ?”
53
à Single point of failure.
1 1
“58,329 Firefox users blocked an fb.com cookie.”
Software vendors often answer these questions by collecting se sensi sitive usage data directly.
54
à Single point of failure.
– Theft by attackers – Abuse by malicious insiders – Snooping by governments
Software vendors often answer these questions by collecting se sensi sitive usage data directly.
“58,329 Firefox users blocked an fb.com cookie.”
1 1
Pr Prio: : Aggregate data without the privacy risks
wi withou
y single user’s data.
–Proofs on secret-shared data
–In pilot phase: Enabled by default in Firefox’s “Nightly” build –Largest deployment of technology based on PCPs
(probabilistically checkable proofs)
55
C-G and Boneh (NSDI 2017)
Runni Running ng e exa xample ple:
Measuring effectiveness of tracking protection
– Bit is “1” iff user 𝑗’s browser ever blocked cookies from domain.com – These bits are se sensi nsitive – reveal user’s browsing history
56
fb fb.com
kut. t.com
ru ru4.co com
eu nu nugg.ad xa xa.net po po.st st sa sas. s.com cam cams.co com ta tapit. it.com
uc ucoz.ae gm gmail il.com
ib ibm.com
Us User 1 <1 0 1 0 1 0 1 0 0 0 0 0 0 … 1> Us User 2 <1 1 1 0 1 0 1 0 0 1 0 0 1 … 0> Us User 2 … … Us User 𝑽 <0 0 0 0 1 0 1 0 0 0 0 1 0 … 0>
Do Domain 𝒐
Runni Running ng e exa xample ple:
Measuring effectiveness of tracking protection
57
fb fb.com
kut. t.com
ru ru4.co com
eu nu nugg.ad xa xa.net po po.st st sa sas. s.com cam cams.co com ta tapit. it.com
uc ucoz.ae gm gmail il.com
ib ibm.com
Us User 1 <1 0 1 0 1 0 1 0 0 0 0 0 0 … 1> Us User 2 <1 1 1 0 1 0 1 0 0 1 0 0 1 … 0> Us User 2 … … Us User 𝑽 <0 0 0 0 1 0 1 0 0 0 0 1 0 … 0>
Do Domain 𝒐
Us User 1 <1 0 1 0 1 0 1 0 0 0 0 0 0 … 1> Us User 2 <1 1 1 0 1 0 1 0 0 1 0 0 1 … 0> Us User 2 … … Us User 𝑽 <0 0 0 0 1 0 1 0 0 0 0 1 0 … 0>
Runni Running ng e exa xample ple:
Measuring effectiveness of tracking protection
58
fb fb.com
kut. t.com
ru ru4.co com
eu nu nugg.ad xa xa.net po po.st st sa sas. s.com cam cams.co com ta tapit. it.com
uc ucoz.ae gm gmail il.com
ib ibm.com
Do Domain 𝒐
SU SUM M 31, 91, 6, 0, 8, 29, 81, 0, 0, 88, 10, 5, 59, …, 50
Us User 1 <1 0 1 0 1 0 1 0 0 0 0 0 0 … 1> Us User 2 <1 1 1 0 1 0 1 0 0 1 0 0 1 … 0> Us User 2 … … Us User 𝑽 <0 0 0 0 1 0 1 0 0 0 0 1 0 … 0>
Runni Running ng e exa xample ple:
Measuring effectiveness of tracking protection
59
fb fb.com
kut. t.com
ru ru4.co com
eu nu nugg.ad xa xa.net po po.st st sa sas. s.com cam cams.co com ta tapit. it.com
uc ucoz.ae gm gmail il.com
ib ibm.com
Do Domain 𝒐
How many users blocked fb.com cookies via tracking protection SU SUM M 31, 91, 6, 0, 8, 29, 81, 0, 0, 88, 10, 5, 59, …, 50
Us User 1 <1 0 1 0 1 0 1 0 0 0 0 0 0 … 1> Us User 2 <1 1 1 0 1 0 1 0 0 1 0 0 1 … 0> Us User 2 … … Us User 𝑽 <0 0 0 0 1 0 1 0 0 0 0 1 0 … 0>
Runni Running ng e exa xample ple:
Measuring effectiveness of tracking protection
60
fb fb.com
kut. t.com
ru ru4.co com
eu nu nugg.ad xa xa.net po po.st st sa sas. s.com cam cams.co com ta tapit. it.com
uc ucoz.ae gm gmail il.com
ib ibm.com
Do Domain 𝒐
SU SUM M 31, 91, 6, 0, 8, 29, 81, 0, 0, 88, 10, 5, 59, …, 50
Us User 1 <1 0 1 0 1 0 1 0 0 0 0 0 0 … 1> Us User 2 <1 1 1 0 1 0 1 0 0 1 0 0 1 … 0> Us User 2 … … Us User 𝑽 <0 0 0 0 1 0 1 0 0 0 0 1 0 … 0>
Runni Running ng e exa xample ple:
Measuring effectiveness of tracking protection
61
fb fb.com
kut. t.com
ru ru4.co com
eu nu nugg.ad xa xa.net po po.st st sa sas. s.com cam cams.co com ta tapit. it.com
uc ucoz.ae gm gmail il.com
ib ibm.com
Do Domain 𝒐
SU SUM M 31, 91, 6, 0, 8, 29, 81, 0, 0, 88, 10, 5, 59, …, 50
𝑦' 𝑦( 𝑦) Σ+,'
) 𝑦+
Us User 1 <1 0 1 0 1 0 1 0 0 0 0 0 0 … 1> Us User 2 <1 1 1 0 1 0 1 0 0 1 0 0 1 … 0> Us User 2 … … Us User 𝑽 <0 0 0 0 1 0 1 0 0 0 0 1 0 … 0>
Runni Running ng e exa xample ple:
Measuring effectiveness of tracking protection
62
fb fb.com
kut. t.com
ru ru4.co com
eu nu nugg.ad xa xa.net po po.st st sa sas. s.com cam cams.co com ta tapit. it.com
uc ucoz.ae gm gmail il.com
ib ibm.com
Do Domain 𝒐
SU SUM M 31, 91, 6, 0, 8, 29, 81, 0, 0, 88, 10, 5, 59, …, 50
𝑦' 𝑦( 𝑦) Σ+,'
) 𝑦+
We run the system many times in parallel to compute the statistics for all domains
Prio: System goals
1.
Correc ectnes
are honest, servers learn Σ+𝑦+
Extension: Maintain correctness in spite of server faults
2.
compromise all servers to learn more than Σ+𝑦+
Extension: Differential privacy [DMNS06]
3.
srupt ption resi sist stan ance. The worst that a malicious client can do is lie about her input. 4.
submissions per server per hour
63
𝑦( 𝑦. 𝑦) Σ+,'
)
𝑦+
Prio: System goals
1.
Correc ectnes
are honest, servers learn Σ+𝑦+
Extension: Maintain correctness in spite of server faults
2.
compromise all servers to learn more than Σ+𝑦+
Extension: Differential privacy [DMNS06]
3.
srupt ption resi sist stan ance. The worst that a malicious client can do is lie about her input. 4.
submissions per server per hour
64
𝑦( 𝑦. 𝑦) Σ+,'
)
𝑦+
Attacker must compromise all servers to learn private data.
Prio: System goals
1.
Correc ectnes
are honest, servers learn Σ+𝑦+
Extension: Maintain correctness in spite of server faults
2.
compromise all servers to learn more than Σ+𝑦+
Extension: Differential privacy [DMNS06]
3.
srupt ption resi sist stan ance. The worst that a malicious client can do is lie about her input. 4.
submissions per server per hour
65
𝑦( 𝑦. 𝑦) Σ+,'
)
𝑦+
Prio: System goals
1.
Correc ectnes
are honest, servers learn Σ+𝑦+
Extension: Maintain correctness in spite of server faults
2.
compromise all servers to learn more than Σ+𝑦+
Extension: Differential privacy [DMNS06]
3.
srupt ption resi sist stan ance. The worst that a malicious client can do is lie about her input. 4.
submissions per server per hour
66
𝑦( 𝑦. 𝑦) Σ+,'
)
𝑦+
Prio: System goals
1.
Correc ectnes
are honest, servers learn Σ+𝑦+
Extension: Maintain correctness in spite of server faults
2.
compromise all servers to learn more than Σ+𝑦+
Extension: Differential privacy [DMNS06]
3.
srupt ption resi sist stan ance. The worst that a malicious client can do is lie about her input. 4.
submissions per server per hour
67
𝑦( 𝑦. 𝑦) Σ+,'
)
𝑦+
Prio: System goals
1.
Correc ectnes
are honest, servers learn Σ+𝑦+
Extension: Maintain correctness in spite of server faults
2.
compromise all servers to learn more than Σ+𝑦+
Extension: Differential privacy [DMNS06]
3.
srupt ption resi sist stan ance. The worst that a malicious client can do is lie about her input. 4.
submissions per server per hour
68
𝑦( 𝑦. 𝑦) Σ+,'
)
𝑦+
Prio: System goals
1.
Correc ectnes
are honest, servers learn Σ+𝑦+
Extension: Maintain correctness in spite of server faults
2.
compromise all servers to learn more than Σ+𝑦+
Extension: Differential privacy [DMNS06]
3.
srupt ption resi sist stan ance. The worst that a malicious client can do is lie about her input. 4.
submissions per server per hour
69
𝑦' 𝑦( 𝑦. 𝑦) Σ+,'
)
𝑦+
Prio: System goals
1.
Correc ectnes
are honest, servers learn Σ+𝑦+
Extension: Maintain correctness in spite of server faults
2.
compromise all servers to learn more than Σ+𝑦+
Extension: Differential privacy [DMNS06]
3.
srupt ption resi sist stan ance. The worst that a malicious client can do is lie about her input. 4.
submissions per server per hour
70
𝑦' 𝑦( 𝑦. 𝑦) Σ+,'
)
𝑦+
71
Re Relax ax corre
𝑦 + noise Re Relax ax privac rivacy mod
Re Relax ax dis isru ruption ion re resis istan ance 𝑦 𝑦 garbage Enc(𝑦) Re Relax ax effic icie iency
Randomized response: [W65], [DMNS06], [DJW13], [BS15] RAPPOR (2014, 2016), Wang et al. (2017), Ding et al. (2017)… Tor: PrivStats (2011), ANONIZE (2014), … SGX: Prochlo (2017), SGX-BigMatrix (2017), … Honest but curious: PDDP (2012), SplitX (2013), … Private metering (2011), PrivEx-S2 (2014), PrivCount (2016), Federated ML (2016, 2017), … P4P (2010), Grid aggregation (2011), Haze (2013), PrivEx-D2 (2014), Succinct sketches (2016), HisTor𝜗 (2017), … General MPC [GMW87], [BGW88]: FairPlay (2004), FairplayMP (2008), SEPIA (2010), Private matrix factorization (2013), UnLynx (2017), Private ridge regression (2018), Shuffle model (2017, 2019), …
Server A Server B Server C
𝑦' = 𝟐
73
[C88], [BGW88], … [KDK11] [DFKZ13] [PrivEx14] …
St Straw-man man scheme me
Private sums without disruption resistance
Server A
Pick three random “shares” that sum to 𝑦' = 𝟐. 𝟐 = 15 + −12 + − 2 (mod 𝑞) Send one share to each server.
Server B Server C
𝑦' = 𝟐
74
[C88], [BGW88], … [KDK11] [DFKZ13] [PrivEx14] …
St Straw-man man scheme me
Private sums without disruption resistance
Server A
Pick three random “shares” that sum to 𝑦' = 𝟐. 𝟐 = 15 + −12 + − 2 (mod 𝑞) Send one share to each server.
Server B Server C
𝑦' = 𝟐
75
[C88], [BGW88], … [KDK11] [DFKZ13] [PrivEx14] …
St Straw-man man scheme me
Private sums without disruption resistance
Server A
Pick three random “shares” that sum to 𝑦' = 𝟐. 𝟐 = 15 + −12 + − 2 (mod 𝑞) Send one share to each server.
Server B Server C
15 −12 −2 𝑦' = 𝟐
76
[C88], [BGW88], … [KDK11] [DFKZ13] [PrivEx14] …
St Straw-man man scheme me
Private sums without disruption resistance
Server A Server B Server C
15 −12 −2 𝑦' = 𝟐
77
St Straw-man man scheme me
Private sums without disruption resistance Pick three random “shares” that sum to 𝑦' = 𝟐. 𝟐 = 15 + −12 + − 2 (mod 𝑞) Send one share to each server.
Server A
15
Server B
−12
Server C
−2
𝑦' = 𝟐
78
St Straw-man man scheme me
Private sums without disruption resistance Pick three random “shares” that sum to 𝑦' = 𝟐. 𝟐 = 15 + −12 + − 2 (mod 𝑞) Send one share to each server.
Server A
15
Server B
−12
Server C
−2
𝑦( = 𝟏
79
St Straw-man man scheme me
Private sums without disruption resistance
Server A
15
Server B
−12
Server C
−2
𝑦( = 𝟏
80
St Straw-man man scheme me
Private sums without disruption resistance
Server A
15
Server B
−12
Server C
−2
−10 7 3
= ( ) + +
𝑦( = 𝟏
81
St Straw-man man scheme me
Private sums without disruption resistance
Server A
15
Server B
−12
Server C
−2
−10 7 3 𝑦( = 𝟏
82
St Straw-man man scheme me
Private sums without disruption resistance
Server A
15 − 10
Server B
−12 + 7
Server C
−2 + 3
𝑦( = 𝟏
83
St Straw-man man scheme me
Private sums without disruption resistance
Server A Server B Server C
15 − 10
−12 + 7
−2 + 3
84
St Straw-man man scheme me
Private sums without disruption resistance
Server A Server B Server C
15 − 10
−12 + 7
−2 + 3
85
St Straw-man man scheme me
Private sums without disruption resistance
Server A Server B Server C
𝑇>
𝑇?
𝑇P
86
St Straw-man man scheme me
Private sums without disruption resistance
Server A Server B Server C
𝑇>
𝑇?
𝑇P
15 − 10 + ⋯ + −12 + 7 + ⋯ + −2 + 3 + ⋯ = 𝑦' + 𝑦( + 𝑦. + ⋯
Servers learn the sum of the clients’ values and nothing else.
87
St Straw-man man scheme me
Private sums without disruption resistance
Server A Server B Server C
𝑇>
𝑇?
𝑇P
15 − 10 + ⋯ + −12 + 7 + ⋯ + −2 + 3 + ⋯ = 𝑦' + 𝑦( + 𝑦. + ⋯
Servers learn the sum of the clients’ values and nothing else.
88
St Straw-man man scheme me
Private sums without disruption resistance
e.g., learn that 58,329 users blocked trackers from fb.com… don don’t learn which users did
Private sums: Straw-man scheme
Co Correct ctness. Servers learn the sum of the 𝑦+s 𝒈-Priv Privacy. y. Attacker must compromise all servers to learn more than sum of 𝑦+s Ef Efficiency. No heavy cryptographic operations Di Disrup uption On One mal alici cious cl client t can can re resis istance. co corrupt t th the outp tput. t.
89
Server A
15
Server B
−12
Server C
−2
𝒚𝟑 = −𝟔𝟒
90
St Straw-man man scheme me
One malicious client can corrupt output Should be a value in the set {0,1} Evil ad network
= + +
Server A
15
Server B
−12
Server C
−2
−19 −16 −18 𝒚𝟑 = −𝟔𝟒
91
St Straw-man man scheme me
One malicious client can corrupt output Should be a value in the set {0,1} Evil ad network
Server A
15
Server B
−12
Server C
−2
−19 −16 −18 𝒚𝟑 = −𝟔𝟒
92
St Straw-man man scheme me
One malicious client can corrupt output Should be a value in the set {0,1} Evil ad network
Server A garbage Server B garbage Server C garbage
One malicious client can corrupt the output.
93
St Straw-man man scheme me
One malicious client can corrupt output Evil ad network
Powerful but costly tools…
94
Multiparty computation
[GMW87], [BGW88]
Powerful but costly tools…
95
Multiparty computation Traditional zero-knowledge proofs
[GMW87], [BGW88] [GMR89]
Powerful but costly tools…
96
Multiparty computation Traditional zero-knowledge proofs Ne New w to tool: Pro roof f on se secret-sh shared data
[GMW87], [BGW88] [GMR89]
Techniques for providing disruption resistance
97
Pu Public-key key ops. Commun Communic ication ion Sl Slow- dow down Client Server C-to-S S-to-S Dishonest-maj. MPC
5,000×
at server
GGPR-style zkSNARK
500×
at client
Discrete-log-based NIZK
50×
at server
Pr Prio
(latest version)
1×
(Table hides log factors.)
] 𝑃(1) ] 𝑃(1) _ Θ(𝑜) ] 𝑃(1) _ Θ(𝑜) _ Θ(𝑜) _ Θ(𝑜) _ Θ(𝑜) _ Θ(𝑜)
Testing that a length-𝑜 vector (e.g., data for 𝑜 trackers) consists of secret-shared 0/1 integers.
] 𝑃(1) ] 𝑃(1) _ Θ(𝑜)
Techniques for providing disruption resistance
98
Pu Public-key key ops. Commun Communic ication ion Sl Slow- dow down Client Server C-to-S S-to-S Dishonest-maj. MPC
5,000×
at server
GGPR-style zkSNARK
500×
at client
Discrete-log-based NIZK
50×
at server
Pr Prio
(latest version)
1×
(Table hides log factors.)
] 𝑃(1) ] 𝑃(1) _ Θ(𝑜) ] 𝑃(1) _ Θ(𝑜) _ Θ(𝑜) _ Θ(𝑜) _ Θ(𝑜) _ Θ(𝑜)
Testing that a length-𝑜 vector (e.g., data for 𝑜 trackers) consists of secret-shared 0/1 integers.
] 𝑃(1) ] 𝑃(1) _ Θ(𝑜)
Server A Server B Server C
99
Con Contribution
Prevent disruption using proofs on secret-shared data
𝐲 ∈ 0,1 b
Data for 𝑜 domains
[𝐲]> [𝐲]? [𝐲]P
Dimension-𝑜 vectors
(i.e., in ℤf
b)
Server A Server B Server C
100
Con Contribution
Prevent disruption using proofs on secret-shared data
𝐲 ∈ 0,1 b
Data for 𝑜 domains
[𝐲]> [𝐲]? [𝐲]P
Server A Server B Server C
101
Con Contribution
Prevent disruption using proofs on secret-shared data
𝐲 ∈ 0,1 b
Data for 𝑜 domains
[𝐲]> [𝐲]? [𝐲]P
Want to be convinced that 𝐲 = [𝐲]> + [𝐲]?+[𝐲]P ∈ 0,1 b ∈ ℤf
b
Server A Server B Server C
102
Con Contribution
Prevent disruption using proofs on secret-shared data
𝐲 ∈ 0,1 b
Data for 𝑜 domains
[𝐲]> [𝐲]? [𝐲]P
Want to be convinced that 𝐲 = [𝐲]> + [𝐲]?+[𝐲]P ∈ 0,1 b ∈ ℤf
b
More generally, that Valid(𝐲) holds, for some predicate Valid
Server A Server B Server C
,[𝜌]> ,[𝜌]? ,[𝜌]P
103
Con Contribution
Prevent disruption using proofs on secret-shared data
𝐲 ∈ 0,1 b
Data for 𝑜 domains
[𝐲]> [𝐲]? [𝐲]P
Valid(x) holds
– For our example, Va Valid x = “x ∈ 0,1 b” – Servers exchange 𝑃(1) bytes to check proof
– Servers reject invalid client submissions
Server A Server B Server C
,[𝜌]> ,[𝜌]? ,[𝜌]P
104
Con Contribution
Prevent disruption using proofs on secret-shared data
𝐲 ∈ 0,1 b
Data for 𝑜 domains
[𝐲]> [𝐲]? [𝐲]P
Valid(x) holds
– For our example, Va Valid x = “x ∈ 0,1 b” – Servers exchange 𝑃(1) bytes to check proof
– Servers reject invalid client submissions
𝑃(1) 𝑃(1) 𝑃(1)
Ho How to w to c constr nstruct a a proof roof on
se secret-sha shared data ta*
*s *simplifi fied
Server A Server B Server C
105
[𝐲]> [𝐲]? [𝐲]P
Ho How to w to c constr nstruct a a proof roof on
se secret-sha shared data ta*
*s *simplifi fied
Server A Server B Server C
106
Could use secure multi-party computation to check that Va Valid x holds
[GMW87], [BGW88], …
[𝐲]> [𝐲]? [𝐲]P
Ho How to w to c constr nstruct a a proof roof on
se secret-sha shared data ta*
*s *simplifi fied
Server A Server B Server C
107
Could use secure multi-party computation to check that Va Valid x holds
[GMW87], [BGW88], …
𝐲 ∈ 0,1 b
Data for 𝑜 domains
[𝐲]> [𝐲]? [𝐲]P
[𝐲]> [𝐲]? [𝐲]P 𝐲 ∈ 0,1 b
Data for 𝑜 domains
Server A Server B Server C
108
Ho How to w to c constr nstruct a a proof roof on
se secret-sha shared data ta
[𝐲]> [𝐲]? [𝐲]P
Idea Idea: Client generates transcripts that servers would have observed in a multi-party computation of Va Valid x .
See also [IKOS07]
Server A Server B Server C
109
Ho How to w to c constr nstruct a a proof roof on
se secret-sha shared data ta
𝜌> 𝜌? 𝜌P 𝐲 ∈ 0,1 b
Data for 𝑜 domains
[𝐲]> [𝐲]? [𝐲]P
Server A Server B Server C
110
Ho How to w to c constr nstruct a a proof roof on
se secret-sha shared data ta
𝜌> 𝜌? 𝜌P
Servers check that their transcripts are valid and consistent
𝐲 ∈ 0,1 b
Data for 𝑜 domains
[𝐲]> [𝐲]? [𝐲]P
Server A Server B Server C
111
Ho How to w to c constr nstruct a a proof roof on
se secret-sha shared data ta
𝜌> 𝜌? 𝜌P
Servers check that their transcripts are valid and consistent Checking a transcript is mu much easi sier than generating one.
𝐲 ∈ 0,1 b
Data for 𝑜 domains
[𝐲]> [𝐲]? [𝐲]P
Server A Server B Server C
112
Ho How to w to c constr nstruct a a proof roof on
se secret-sha shared data ta
𝜌> 𝜌? 𝜌P
𝑬𝑩 𝑬𝑪 𝑬𝑫
“Randomized digest” of transcripts
(Leak nothing about client's value 𝑦)
[𝐲]> [𝐲]? [𝐲]P
Server A Server B Server C
If 𝑦 is well formed: 𝐸
> + 𝐸? + 𝐸P = 0
If 𝑦 is malformed: 𝐸
> + 𝐸? + 𝐸P ≠ 0 with high probability
Servers publish 𝐸
>, 𝐸?, 𝐸P and check that they sum to 0.
→ Servers accept 𝑦 if so.
113
Ho How to w to c constr nstruct a a proof roof on
se secret-sha shared data ta 𝑬𝑩 𝑬𝑪 𝑬𝑫
Server A Server B Server C
If 𝑦 is well formed: 𝐸
> + 𝐸? + 𝐸P = 0
If 𝑦 is malformed: 𝐸
> + 𝐸? + 𝐸P ≠ 0 with high probability
Servers publish 𝐸
>, 𝐸?, 𝐸P and check that they sum to 0.
→ Servers accept 𝑦 if so.
114
Ho How to w to c constr nstruct a a proof roof on
se secret-sha shared data ta 𝑬𝑩 𝑬𝑪 𝑬𝑫
𝑃(1) 𝑃(1) 𝑃(1)
115
24 26 28 210 212 214 216 Submission length
(values/submission)
10 100 1000 10000 Throughput
(submissions/sec.)
General zero knowledge Baseline (no privacy)
Five-server cluster in five Amazon data centers.
B e t t e r
116
24 26 28 210 212 214 216 Submission length
(values/submission)
10 100 1000 10000 Throughput
(submissions/sec.)
Prio General zero knowledge Baseline (no privacy)
Five-server cluster in five Amazon data centers.
B e t t e r
117
24 26 28 210 212 214 216 Submission length
(values/submission)
10 100 1000 10000 Throughput
(submissions/sec.)
Prio General zero knowledge Baseline (no privacy)
50x
Five-server cluster in five Amazon data centers.
B e t t e r
118
24 26 28 210 212 214 216 Submission length
(values/submission)
10 100 1000 10000 Throughput
(submissions/sec.)
Prio General zero knowledge Baseline (no privacy)
50x 10x
Five-server cluster in five Amazon data centers.
B e t t e r
Prio supports a range of aggregation functions
Average
Variance
Most p popul ular r (approx.)
Min and ma max (approx.)
Quality of arbitrary re regre gressio ion m mode del (R2)
Least-squ squares es reg egressi ession
Gradie dient de descent s step
[BIKMMPRSS17]
119
[PBBL11] [MDD16]
121
Firefox deployment
Uses libprio, a C library we wrote that implements Prio
– github.com/mozilla/libprio – 3.5k LoC
– Encoding a length-1024 data packet: 35ms in Firefox browser (more optimizations possible) – Python bindings to simplify server-side data analysis
Pilot phase, 11/2018-now
– Implemented in Firefox, but Mozilla currently runs all servers – Enabled by default only in the “Nightly” build
Next step: Mo
Move se second se server to to exte ternal org. . (In progress)
122
skB
123
pkA, pkB skA
Firefox deployment
skB
124
~160 bytes
(AES key encrypted for server B)
36𝑜+160 bytes
to collect 𝑜 ints pkA, pkB skA
Firefox deployment
125
In Firefox, set preference devtools.chrome.enabled, then in browser console…
126
In Nightly, set pref. telemetry.origin_telemetry_test_mode.enabled, browse for a while, then visit about:telemetry.
127
128
https://firefox-source-docs.mozilla.org/toolkit/components/telemetry/collection/origin.html
129
130
Deployment stats
fb.com, google-analytics.com, adwords.google.com, …
– Submission from client every 24h or on shutdown = Tens of gigabytes of data per day to the second server
131
The second server
– by independent organizations, – on independent infrastructure (not both on AWS), and – in different countries (under independent legal jurisdictions).
– Infrastructure costs are modest – ∃ multiple candidate orgs with privacy-centric mission – If Org2 uses Prio, Mozilla can be the “second server” for Org2
→ Mozilla is working to sign up a partner org in 2020.
132
You can help!
github.com/ github.com/mozilla mozilla/libprio libprio/
Small things
–Add support for aggregating a wider range of data types –Implement client- and server-side optimizations –Implement differential-privacy features
Big things
–Rewrite parts of libprio in Rust –Be the external org that runs the second server
→ Eligible for Mozilla’s bug-bounty program. ←
133
Conclusion
the browser’s new tracking-protection feature
– Ask if you’re interested in helping out.
He Henry ry Corri rrigan an-Gi Gibbs (EPFL & MIT CSAIL), henrycg@csail.mit.edu Dan Boneh (Stanford), Gary Chen, Steven Englehardt, Robert Helmer, Chris Hutten-Czapski, Anthony Miyaguchi, Eric Rescorla, and Peter Saint-Andre (Mozilla) Details: bugzilla.mozilla.org/show_bug.cgi?id=1543712 Code: github.com/mozilla/libprio/ Paper: crypto.stanford.edu/prio/
134
Conclusion
the browser’s new tracking-protection feature
– Ask if you’re interested in helping out.
He Henry ry Corri rrigan an-Gi Gibbs (EPFL & MIT CSAIL), henrycg@csail.mit.edu Dan Boneh (Stanford), Gary Chen, Steven Englehardt, Robert Helmer, Chris Hutten-Czapski, Anthony Miyaguchi, Eric Rescorla, and Peter Saint-Andre (Mozilla) Details: bugzilla.mozilla.org/show_bug.cgi?id=1543712 Code: github.com/mozilla/libprio/ Paper: crypto.stanford.edu/prio/
135
Th Thank y you!
136