Specify how PrivCount will work with Tor
PrivCount is an experimental statistics collection protocol, which provides secure aggregation of a differentially private set of statistics.
We need to work out which parts of the experimental protocol are useful, and how they could work on tor relays, and provide results to Tor metrics.
Activity
changed milestone to %Tor: 0.3.3.x-final
I started some work here as prop280, and gotten some feedback. Carolin Zöbelein has also written some outlines for a Shamir-based protocol. I've taken a shot at a variation of a Shamir-based protocol at https://github.com/nmathewson/privcount_shamir , where it appears as a python prototype.
Current open question: does Shamir-style secret sharing actually do anything to help with the case where some Data Collectors are misbehaving? So far as I can tell, it only really helps us handle malfunctioning Tally Reporters.
Trac:
Owner: N/A to nickm
Status: new to accepted
Keywords: N/A deleted, prop280 added
Cc: N/A to teor, robgjansen, amj703-
I've put a draft proposal in the doc directory of https://github.com/nmathewson/privcount_shamir ; I'll send it to tor-dev next week, but I think teor wanted to add some stuff first.
An answer to Nick's question: secret sharing only helps deal with failures of Tally Reporters. Handling failures (i.e. crashes/dropouts) of DCs can be done simply by having the TRs agree on all the DCs they have data from before adding their individual shares from those DCs. Handling malicious inputs can be mitigated somewhat by choosing multiple different DC subsets, aggregating each one, and taking the median of the resulting values.
Also, I would be interested to hear cypherpunks' concerns in more detail.
I opened #25153 (moved) for follow-up: "Specify how PrivCount in Tor statistics are configured and interpreted"
moved to tpo/core/tor#22955 (closed)