#secret #analytics #privacy #protocols #data-security

sta-rs

Distributed Secret-Sharing for Threshold Aggregation Reporting

4 releases

0.3.1 Oct 11, 2024
0.3.0 Nov 27, 2023
0.2.2 Aug 8, 2023
0.2.1 Aug 3, 2023

#641 in Cryptography

44 downloads per month
Used in star-constellation

MPL-2.0 license

74KB
1.5K SLoC

sta-rs crate

Rust implementation of the STAR protocol. Consists of client API functions for generating STAR messages, and server aggregation functions.

Disclaimer

WARNING the libraries present in this workspace have not been audited, use at your own risk! This code is under active development and may change substantially in future versions.

Quickstart

Build & test:

cargo build
cargo test

Benchmarks:

cargo bench

Open local copy of documentation:

cargo doc --open --no-deps

lib.rs:

This module provides the implementation of the STAR (distributed Secret-sharing for Threshold AggRegation of data) protocol. The STAR protocol provides the ability for clients to report secret measurements to servers, whilst maintaining k-anonymity-like guarantees.

In essence, such measurements are only revealed if a threshold number of clients all send the same message. Clients are permitted to also send relevant, arbitrary associated data that can also be revealed.

In STAR, clients derive randomness from a separate server that implements a puncturable partially oblivious pseudorandom function (PPOPRF) protocol. In STARLite, clients derive randomness used for hiding their measurements locally from the measurement itself. The PPOPRF protocol takes in the client measurement, a server secret key, and the current epoch metadata tag as input, and outputs a random (deterministic) value.

In the case of STARLite, the design is simpler than in STAR, but security is ONLY maintained in the case where client measurements are sampled from a high-entropy domain. In the case of STAR, client security guarantees hold even for low-entropy inputs, as long as the randomness is only revealed after the epoch metadata tag has been punctured from the randomness server's secret key.

See the full paper for more details.

Example (client)

The following example shows how to generate a message triple of (ciphertext, share, tag). This message can then be sent to the aggregation server.

let measurement = SingleMeasurement::new("hello world".as_bytes());
let mg = MessageGenerator::new(measurement, threshold, epoch.as_bytes());
let mut rnd = [0u8; 32];
// NOTE: this is for STARLite. Randomness must be sampled from a
// randomness server in order to implement the full STAR protocol.
mg.sample_local_randomness(&mut rnd);

let Message {
  ciphertext,
  share,
  tag,
} = Message::generate(&mg, &mut rnd, None)
    .expect("Could not generate message triplet");

Example (WASM client)

The following example shows how to generate a triple of (key, share, tag) for each client in the STARLite protocol, which is used in the existing WASM integration. The STAR protocol is not yet supported.

In the WASM integration the key MUST then be used to encrypt the measurement and associated data into a ciphertext in the higher-level application. The message triple (ciphertext, share, tag) is then sent to the server.

let measurement = SingleMeasurement::new("hello world".as_bytes());
let mg = MessageGenerator::new(measurement, threshold, epoch.as_bytes());
let mut rnd = [0u8; 32];
// NOTE: this is for STARLite. Randomness must be sampled from a
// randomness server in order to implement the full STAR protocol.
mg.sample_local_randomness(&mut rnd);
let WASMSharingMaterial {
  key,
  share,
  tag,
} = mg.share_with_local_randomness().unwrap();

Example (server)

Once over threshold shares are recovered from clients, it is possible to recover the randomness encoded in each of the shares


let value = share_recover(&shares).unwrap().get_message();

// derive key for decrypting payload data in client message
let mut enc_key = vec![0u8; 16];
derive_ske_key(&value, epoch.as_bytes(), &mut enc_key);

Dependencies

~4–5.5MB
~120K SLoC