Bulk Report Submission for Distributed Aggregation Protocol (DAP)

Bulk Report Submission for Distributed Aggregation Protocol (DAP) Mozilla

mt@lowentropy.net

Meta

koshelev@meta.com

Security Privacy Preserving Measurement next generation unicorn sparkling distributed ledger A bulk report submission endpoint and format are described for the Distributed Aggregation Protocol (DAP). This provides modest, but meaningful, efficiency benefits over the core protocol for cases where an intermediary is able to collect large numbers of reports. About This Document The latest revision of this draft can be found at . Status information for this document may be found at . Discussion of this document takes place on the Privacy Preserving Measurement Working Group mailing list (), which is archived at . Subscribe at . Source for this draft and an issue tracker can be found at .

Introduction The Distributed Aggregation Protocol (DAP) accepts reports from many clients and aggregates them in a manner that protects individual contributions. The core protocol requires that each report be submitted to the DAP leader. The assumption implicit in this design is that reports are submitted directly by clients. This is not necessary for security reasons due to the encryption used (this encryption is necessary for the portion of reports that is intended for DAP helpers). Clients could instead pass their reports to an intermediary for forwarding. Use of an intermediary reduces the availability requirements of aggregators and might remove the need for anonymizing proxy to protect client identity from the server (such as the use of Oblivious HTTP as described in ). It also creates an opportunity to amortize the overheads involved in report submission. This document defines a bulk submissions endpoint for DAP and defines a report submission format for use with that endpoint.

Conventions and Definitions The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 when, and only when, they appear in all capitals, as shown here.

Bulk Submissions Endpoint DAP defines the {leader}/tasks/{task-id}/reports resource for report submission for a task. This document extends DAP to define the {leader}/tasks/{task-id}/reports/bulk resource for bulk report submission for a task. Clients can send a HTTP POST request to this resource with a payload in the bulk submission format (). A bulk request is equivalent to multiple separate submissions. A DAP leader MAY accept bulk submissions at the regular "reports" resource.

Bulk Submission Format The "application/dap-bulk-report" format contains a header that encodes extensions that are common to all reports. The header is followed by any number of reports, from which those shared fields are removed.

Bulk Report Format ; Report report[REPORT_COUNT]; } BulkReport; ]]> The common_extensions field contains common extensions that are added to the set of public report extensions in each report that follows. Reports that include values for any common extension override the value in the common extension. The header is followed by any number of reports, which are encoded exactly as described in , except as noted in . The use of REPORT_COUNT in is a small abuse of the TLS syntax to signify that any number of reports are included. This "value" could be any positive integer. Unlike a variable-length field, as denoted with < and >, this format does not require that the size of all included reports be known before constructing a request.

Necessary Changes to DAP Report Formats DAP currently encodes report extensions in the plaintext of shares. For extensions that contain public information this is inefficient for a couple of reasons:

Multiple copies of the data is included.
The use of per-record encryption prevents compression.

This document recommends the addition of a new public report extensions field to the ReportMetadata structure. This would be modified to include extensions that are public, as shown in .

Proposed Report Metadata Format ; /* new */ } ReportMetadata; ]]> This would be sufficient for many extensions, such as those that are defined in . As with the current design (), unknown extensions would result in the report being rejected. The primary difference being that the leader can determine this before initiating the preparation phase.

Optional Removal of Existing Report Extensions The existing report extensions could also potentially be removed, as shown in .

Proposed Plaintext Share Format ; /* the old format, for reference: struct { Extension extensions<0..2^16-1>; opaque payload<0..2^32-1>; } PlaintextInputShare; */ ]]> These private extensions currently have no defined purpose and add two bytes per aggregator to every report. The risk of removing them is that a purpose for a generic extension is discovered at some point in the future. Though specific VDAF instantiations might define their own extension container, this decision might limit the availability of extensions that apply to any VDAF.

Security Considerations Report metadata, which would include the extensions if the recommendations in are adopted, are included in the additional associated data for every report. Bulk submission is therefore strictly a performance optimization as far as the operation of DAP is concerned. The potential for a single client to generate large amounts of work for a DAP service is a serious threat to service availability. Any DAP leader SHOULD implement measures to defend against resource exhaustion attacks through this interface. This might include strong authentication of the requester. The logical entity to make this request is a collector, which is likely to be known to the leader. The addition of public extensions exposes more information to the leader. This might be used by a malicious leader to selectively remove reports. A leader is already able to do this without helper awareness, but the added information might allow this to be more selective.

IANA Considerations IANA is requested to register at time of publication the "application/dap-bulk-report" media type in the "Media Types" registry at , following the procedures of . That registration includes the following:

Type name:

application

Subtype name:

dap-bulk-report

Required parameters:

N/A

Optional parameters:

N/A

Encoding considerations:

"binary"

Security considerations:

See

Interoperability considerations:

N/A

Published specification:

this document

Applications that use this media type:

This type identifies a bulk report submission for the Distributed Aggregation Protocol.

Fragment identifier considerations:

N/A

Additional information:

Magic number(s):: N/A
Deprecated alias names for this type:: N/A
File extension(s):: N/A
Macintosh file type code(s):: N/A

Person and email address to contact for further information:

See Authors' Addresses section

Intended usage:

COMMON

Restrictions on usage:

N/A

Author:

See Authors' Addresses section

Change controller:

IETF

References Normative References Distributed Aggregation Protocol for Privacy Preserving Measurement ISRG Cloudflare ISRG Independent Cloudflare There are many situations in which it is desirable to take measurements of data which people consider sensitive. In these cases, the entity taking the measurement is usually not interested in people's individual responses but rather in aggregated data. Conventional methods require collecting individual responses and then aggregating them, thus representing a threat to user privacy and rendering many such measurements difficult and impractical. This document describes a multi-party distributed aggregation protocol (DAP) for privacy preserving measurement (PPM) which can be used to collect aggregate data without revealing any individual user's data. Key words for use in RFCs to Indicate Requirement Levels In many standards track documents several words are used to signify the requirements in the specification. These words are often capitalized. This document defines these words as they should be interpreted in IETF documents. This document specifies an Internet Best Current Practices for the Internet Community, and requests discussion and suggestions for improvements. Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words RFC 2119 specifies common key words that may be used in protocol specifications. This document aims to reduce the ambiguity by clarifying that only UPPERCASE usage of the key words have the defined special meanings. Media Type Specifications and Registration Procedures This document defines procedures for the specification and registration of media types for use in HTTP, MIME, and other Internet protocols. This memo documents an Internet Best Current Practice. Informative References Oblivious HTTP This document describes Oblivious HTTP, a protocol for forwarding encrypted HTTP messages. Oblivious HTTP allows a client to make multiple requests to an origin server without that server being able to link those requests to the client or to identify the requests as having come from the same client, while placing only limited trust in the nodes used to forward the messages. Distributed Aggregation Protocol (DAP) Extensions for Improved Application of Differential Privacy Mozilla The Distributed Aggregation Protocol (DAP) can be a key component of a system that provides differentially-private guarantees for participants. Extensions to DAP are defined to support these guarantees. This includes bindings of reports to specific options, so that the aggregation service can better implement privacy budgeting and replay protections.

Acknowledgments TODO acknowledge.