4 releases
0.3.1 | Oct 11, 2024 |
---|---|
0.3.0 | Nov 27, 2023 |
0.2.2 | Aug 8, 2023 |
0.2.1 | Aug 3, 2023 |
#640 in Cryptography
255 downloads per month
Used in star-constellation
74KB
1.5K
SLoC
sta-rs crate
Rust implementation of the STAR protocol. Consists of client API functions for generating STAR messages, and server aggregation functions.
Disclaimer
WARNING the libraries present in this workspace have not been audited, use at your own risk! This code is under active development and may change substantially in future versions.
Quickstart
Build & test:
cargo build
cargo test
Benchmarks:
cargo bench
Open local copy of documentation:
cargo doc --open --no-deps
lib.rs
:
This module provides the implementation of the STAR (distributed Secret-sharing for Threshold AggRegation of data) protocol. The STAR protocol provides the ability for clients to report secret measurements to servers, whilst maintaining k-anonymity-like guarantees.
In essence, such measurements are only revealed if a threshold
number of clients all send the same message. Clients are permitted
to also send relevant, arbitrary associated data that can also be
revealed.
In STAR, clients derive randomness from a separate server that implements a puncturable partially oblivious pseudorandom function (PPOPRF) protocol. In STARLite, clients derive randomness used for hiding their measurements locally from the measurement itself. The PPOPRF protocol takes in the client measurement, a server secret key, and the current epoch metadata tag as input, and outputs a random (deterministic) value.
In the case of STARLite, the design is simpler than in STAR, but security is ONLY maintained in the case where client measurements are sampled from a high-entropy domain. In the case of STAR, client security guarantees hold even for low-entropy inputs, as long as the randomness is only revealed after the epoch metadata tag has been punctured from the randomness server's secret key.
See the full paper for more details.
Example (client)
The following example shows how to generate a message triple of (ciphertext, share, tag)
. This message can then be sent to the aggregation server.
let measurement = SingleMeasurement::new("hello world".as_bytes());
let mg = MessageGenerator::new(measurement, threshold, epoch.as_bytes());
let mut rnd = [0u8; 32];
// NOTE: this is for STARLite. Randomness must be sampled from a
// randomness server in order to implement the full STAR protocol.
mg.sample_local_randomness(&mut rnd);
let Message {
ciphertext,
share,
tag,
} = Message::generate(&mg, &mut rnd, None)
.expect("Could not generate message triplet");
Example (WASM client)
The following example shows how to generate a triple of (key, share, tag)
for each client in the STARLite protocol, which is used
in the existing WASM integration. The STAR protocol is not yet
supported.
In the WASM integration the key
MUST then be used to encrypt the
measurement and associated data into a ciphertext
in the
higher-level application. The message triple (ciphertext, share, tag)
is then sent to the server.
let measurement = SingleMeasurement::new("hello world".as_bytes());
let mg = MessageGenerator::new(measurement, threshold, epoch.as_bytes());
let mut rnd = [0u8; 32];
// NOTE: this is for STARLite. Randomness must be sampled from a
// randomness server in order to implement the full STAR protocol.
mg.sample_local_randomness(&mut rnd);
let WASMSharingMaterial {
key,
share,
tag,
} = mg.share_with_local_randomness().unwrap();
Example (server)
Once over threshold
shares are recovered from clients, it is
possible to recover the randomness encoded in each of the shares
let value = share_recover(&shares).unwrap().get_message();
// derive key for decrypting payload data in client message
let mut enc_key = vec![0u8; 16];
derive_ske_key(&value, epoch.as_bytes(), &mut enc_key);
Dependencies
~4–5.5MB
~119K SLoC