[tor-bugs] #23414 [Core Tor/Tor]: rep_hist_format_hs_stats() should add noise, then round

Tor Bug Tracker & Wiki blackhole at torproject.org
Wed Sep 6 00:30:37 UTC 2017

#23414: rep_hist_format_hs_stats() should add noise, then round
     Reporter:  teor     |      Owner:  (none)
         Type:  defect   |     Status:  new
     Priority:  Medium   |  Milestone:  Tor: 0.3.2.x-final
    Component:  Core     |    Version:  Tor:
  Tor/Tor                |   Keywords:  tor-relay, security-low, privcount,
     Severity:  Normal   |  031-backport, 030-backport, 029-backport, 028
                         |  -backport-maybe, 026-backport-maybe
Actual Points:           |  Parent ID:  #23061
       Points:  0.5      |   Reviewer:
      Sponsor:           |
 In order to guarantee differential privacy, we need to:
 * sample at the scale of the noise (not unit scale)
 * add the noise to the signal
 * round the noisy signal

 This is the "snapping" mitigation from "On Significance of the Least
 Significant Bits For Differential Privacy" by Ilya Mironov

 rep_hist_format_hs_stats() rounds once to the bin size, then adds noise
 which has been rounded to the nearest integer. This isn't ideal, because
 it makes the least significant bits of the noise meaningless.

 Instead, we should:
 * round the noise to integer precision
 * add the signal to the noise
 * round the noisy signal to the bin size

 I think this was introduced in 14e83e6.

Ticket URL: <https://trac.torproject.org/projects/tor/ticket/23414>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online

More information about the tor-bugs mailing list