[tor-dev] Proposal 280: Privacy-Preserving Statistics with Privcount in Tor

teor teor2345 at gmail.com
Wed Sep 13 02:11:46 UTC 2017


Hi Karsten and metrics,

> On 13 Sep 2017, at 04:27, Karsten Loesing <karsten at torproject.org> wrote:
> 
> Hi Tim,
> 
> unfortunately, nobody from the metrics team can attend today's proposal
> 280 discussion in a few hours.

We turned on meetbot!

The meeting action items are:

	• write a k-of-n secret sharing spec
	• revise prop280 to use k-of-n secret sharing
	• update the proposal to deal with post-submission shared-random-based relay subset selection
	• increase the noise added in the spec for each subset of relays that produces a result
	• specify how to estimate sensitivity and expected values for each counter, and how to turn that into a set of sigmas
	• specify how to safely change the set of counters that is collected (or the noise on those counters) as new tor versions that support new counters are added to the network (and old versions leave)
	• specify the privacy budget parameter that we need to turn into consensus parameters
	• specify how to maintain privacy guarantees when the set of statistics changes, probably by reducing accuracy

Here is a log of the meeting:
http://meetbot.debian.net/tor-dev/2017/tor-dev.2017-09-13-00.16.html

> That's why we decided to provide some written feedback here.
> 
> We didn't find anything problematic in the proposal from the view of Tor
> metrics.
> 
> This is due to the narrow scope covering only the communication protocol
> between tally servers and relays, as we understand it.
> 
> All topics related to deriving counts, calculating final results, and
> anything else that could affect currently running metrics code are
> explicitly excluded or not mentioned.

We mentioned a few of these topics in the meeting.

In particular, we talked about splitting relays into multiple subsets for
fault-tolerance. This would give us one result per counter per subset.

We'd appreciate your feedback on these parts of the meeting.

> If we misunderstood the scope and there is actually a part that covers
> current or future metrics code, please let us know, and we'll check that
> again.

We plan to write these specs separately.
We will also make updates to the current prop280 spec.

> Thanks for working on privacy-preserving statistics in Tor!

Looking forward to working with you on this.

T
--
Tim Wilson-Brown (teor)

teor2345 at gmail dot com
PGP C855 6CED 5D90 A0C5 29F6 4D43 450C BA7F 968F 094B
ricochet:ekmygaiu4rzgsk6n