[tor-dev] PrivCount - Draft of secret-sharing specification

Aaron Johnson aaron.m.johnson at nrl.navy.mil
Thu Sep 28 15:48:36 UTC 2017


This appears to be a sketch of Shamir secret sharing, which will be just one tool used in the PrivCount system. For example, it is missing how relays (aka Data Collectors) maintain counters, how aggregators (aka Share Keepers) aggregate counters, and how secret sharing is used among those entities to provide fault tolerance for the aggregation process.

The grammar and writing style need improvement. They are at a level that makes the proposal hard to understand at times.

There are many important missing details even in the secret sharing component:
  - How is p determined?
  - How is N determined?
  - Who plays the roles of the SK, SHs, and SR? How do these relate to the parties in PrivCount?

Some minor notes I kept before it became clearer that higher-level comments would be more useful:
- Sec. 1: Description of secret sharing is incorrect. Strict subsets of shares in a simple additive secret-sharing scheme do not leak information.
- Sec. 1: Variable capitalization (e.g. K vs. k, N vs. n) should be consistent.
- Sec. 3.2: I could not understand what notation was being introduced through a, b, c, and d.
- Sec. 3.2: SUM and PRODUCT variable notation is inconsistent ("i=" missing from PRODUCT).
- Sec. 3.2: "Secret Keeper (SK)" has an unfortunate collision with the acronym for Share Keeper, which is a different role in the PrivCount paper.
- Sec. 4, Step 2: The prime need not be random. It can be fixed and public.
- Sec. 4, Step 3: Specify how the coefficients are determined.


> On Sep 27, 2017, at 11:20 PM, Carolin Zöbelein <contact at carolin-zoebelein.de> wrote:
> Hi,
>> Hi,
>> This looks like a great overview of the Shamir secret-sharing
>> protocol.
>> We talked about instantiating it with unsigned 64-bit integers on
>> IRC.
>> It would be easier for me to understand it (and for someone to code
>> it).
>> This would also help us define an interchange format, or modify the
>> prop 280 interchange format to support secret sharing.
>> For hints about how this works, look at proposal 280, which also uses
>> unsigned 64-bit integers.
>> Tim
> I will work on this and the long list of still-open TODOs in the
> proposal over the next few days. Hence please have a look at
> https://github.com/Samdney/28X-k-of-n-secret-sharing
> for changes, from time to time.
> I will be around on IRC, too ;).
> Btw, should I also create a ticket for this proposal for important
> topic discussions?
> Bye,
> Carolin
> -- 
> -----------------------------------------------------------------------
> Carolin Zöbelein / Nick: Samdney
> PGP: D4A7 35E8 D47F 801F 2CF6 2BA7 927A FD3C DE47 E13B
> -----------------------------------------------------------------------

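An added example, not part of the message above or of the draft it reviews: k-of-n Shamir sharing over a fixed public prime with coefficients drawn uniformly from a CSPRNG (the Sec. 4 notes), next to simple additive sharing, where any strict subset of shares is consistent with every possible secret (the Sec. 1 note). The modulus `2**64 - 59`, the share indices 1..n and all function names are assumptions made for this sketch; the thread leaves the choice of p open.

```python
import secrets

# Assumption for this example: a fixed, public prime modulus.
# 2**64 - 59 is the largest prime below 2**64; the draft does not fix p.
P = 2**64 - 59

def shamir_split(secret, k, n, p=P):
    """Split `secret` into n shares (x, f(x)); any k of them reconstruct it."""
    if not (1 <= k <= n < p and 0 <= secret < p):
        raise ValueError("need 1 <= k <= n < p and 0 <= secret < p")
    # a_0 is the secret; a_1..a_{k-1} are uniform in [0, p) from the OS CSPRNG.
    coeffs = [secret] + [secrets.randbelow(p) for _ in range(k - 1)]
    shares = []
    for x in range(1, n + 1):
        y = 0
        for a in reversed(coeffs):  # Horner evaluation of f(x) mod p
            y = (y * x + a) % p
        shares.append((x, y))
    return shares

def shamir_reconstruct(shares, p=P):
    """Recover f(0) by Lagrange interpolation over the given shares."""
    xs = [x for x, _ in shares]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate share index")
    secret = 0
    for xi, yi in shares:
        num, den = 1, 1
        for xj in xs:
            if xj != xi:
                num = (num * -xj) % p
                den = (den * (xi - xj)) % p
        # p is prime, so den^(p-2) is the modular inverse of den (Fermat).
        secret = (secret + yi * num * pow(den, p - 2, p)) % p
    return secret

def additive_split(secret, n, p=P):
    """n-of-n additive sharing: n-1 uniform values plus one correcting value."""
    parts = [secrets.randbelow(p) for _ in range(n - 1)]
    return parts + [(secret - sum(parts)) % p]

def completing_share(partial, candidate, p=P):
    """The one missing share that would make `partial` sum to `candidate`."""
    return (candidate - sum(partial)) % p
```

Because `completing_share` returns a valid value for every candidate, holding n-1 additive shares rules out no secret.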