draft07: Add agg param to agg share encryption AAD

cloudflare · Nov 22, 2023 · 23b2263 · 23b2263
1 parent 0197439
commit 23b2263
Show file tree

Hide file tree

Showing 7 changed files with 52 additions and 13 deletions.
diff --git a/daphne/dapf/src/bin/dapf.rs b/daphne/dapf/src/bin/dapf.rs
@@ -268,6 +268,7 @@ async fn main() -> Result<()> {
                     &task_id,
                     &batch_selector,
                     collect_resp.report_count,
+                    &[],
                     collect_resp.encrypted_agg_shares.to_vec(),
                     version,
                 )

diff --git a/daphne/src/messages/mod.rs b/daphne/src/messages/mod.rs
@@ -995,8 +995,6 @@ impl ParameterizedDecode<DapVersion> for AggregateShareReq {
 }
 
 /// An aggregate-share response.
-//
-// TODO Add serialization tests.
 #[derive(Debug)]
 pub struct AggregateShare {
     pub encrypted_agg_share: HpkeCiphertext,

diff --git a/daphne/src/roles/helper.rs b/daphne/src/roles/helper.rs
@@ -393,6 +393,7 @@ pub trait DapHelper<S>: DapAggregator<S> {
             &task_config.collector_hpke_config,
             task_id,
             &agg_share_req.batch_sel,
+            &agg_share_req.agg_param,
             &agg_share,
             task_config.version,
         )?;

diff --git a/daphne/src/roles/leader.rs b/daphne/src/roles/leader.rs
@@ -481,6 +481,7 @@ pub trait DapLeader<S>: DapAuthorizedSender<S> + DapAggregator<S> {
             &task_config.collector_hpke_config,
             task_id,
             &batch_selector,
+            &collect_req.agg_param,
             &leader_agg_share,
             task_config.version,
         )?;

diff --git a/daphne/src/testing.rs b/daphne/src/testing.rs
@@ -354,6 +354,7 @@ impl AggregationJobTest {
     pub fn produce_leader_encrypted_agg_share(
         &self,
         batch_selector: &BatchSelector,
+        agg_param: &[u8],
         agg_share: &DapAggregateShare,
     ) -> HpkeCiphertext {
         self.task_config
@@ -362,6 +363,7 @@ impl AggregationJobTest {
                 &self.task_config.collector_hpke_config,
                 &self.task_id,
                 batch_selector,
+                agg_param,
                 agg_share,
                 self.task_config.version,
             )
@@ -372,6 +374,7 @@ impl AggregationJobTest {
     pub fn produce_helper_encrypted_agg_share(
         &self,
         batch_selector: &BatchSelector,
+        agg_param: &[u8],
         agg_share: &DapAggregateShare,
     ) -> HpkeCiphertext {
         self.task_config
@@ -380,6 +383,7 @@ impl AggregationJobTest {
                 &self.task_config.collector_hpke_config,
                 &self.task_id,
                 batch_selector,
+                agg_param,
                 agg_share,
                 self.task_config.version,
             )
@@ -391,6 +395,7 @@ impl AggregationJobTest {
         &self,
         batch_selector: &BatchSelector,
         report_count: u64,
+        agg_param: &[u8],
         enc_agg_shares: Vec<HpkeCiphertext>,
     ) -> DapAggregateResult {
         self.task_config
@@ -400,6 +405,7 @@ impl AggregationJobTest {
                 &self.task_id,
                 batch_selector,
                 report_count,
+                agg_param,
                 enc_agg_shares,
                 self.task_config.version,
             )
@@ -409,6 +415,7 @@ impl AggregationJobTest {
 
     /// Generate a set of reports, aggregate them, and unshard the result.
     pub async fn roundtrip(&mut self, measurements: Vec<DapMeasurement>) -> DapAggregateResult {
+        let agg_param = &[];
         let batch_selector = BatchSelector::TimeInterval {
             batch_interval: Interval {
                 start: self.now,
@@ -461,16 +468,20 @@ impl AggregationJobTest {
         // Leader: Aggregation
         let leader_agg_share = leader_agg_span.collapsed();
         let leader_encrypted_agg_share =
-            self.produce_leader_encrypted_agg_share(&batch_selector, &leader_agg_share);
+            self.produce_leader_encrypted_agg_share(&batch_selector, agg_param, &leader_agg_share);
 
         // Helper: Aggregation
-        let helper_encrypted_agg_share =
-            self.produce_helper_encrypted_agg_share(&batch_selector, &helper_agg_span.collapsed());
+        let helper_encrypted_agg_share = self.produce_helper_encrypted_agg_share(
+            &batch_selector,
+            agg_param,
+            &helper_agg_span.collapsed(),
+        );
 
         // Collector: Unshard
         self.consume_encrypted_agg_shares(
             &batch_selector,
             report_count,
+            agg_param,
             vec![leader_encrypted_agg_share, helper_encrypted_agg_share],
         )
         .await

diff --git a/daphne/src/vdaf/mod.rs b/daphne/src/vdaf/mod.rs
@@ -182,7 +182,6 @@ impl<'req> EarlyReportStateConsumed<'req> {
         let mut aad = Vec::with_capacity(58);
         task_id.encode(&mut aad);
         metadata.encode_with_param(&task_config.version, &mut aad);
-        // TODO spec: Consider folding the public share into a field called "header".
         encode_u32_bytes(&mut aad, public_share.as_ref());
 
         let encoded_input_share = match decrypter
@@ -1578,10 +1577,19 @@ impl VdafConfig {
         hpke_config: &HpkeConfig,
         task_id: &TaskId,
         batch_sel: &BatchSelector,
+        agg_param: &[u8],
         agg_share: &DapAggregateShare,
         version: DapVersion,
     ) -> Result<HpkeCiphertext, DapAbort> {
-        produce_encrypted_agg_share(true, hpke_config, task_id, batch_sel, agg_share, version)
+        produce_encrypted_agg_share(
+            true,
+            hpke_config,
+            task_id,
+            batch_sel,
+            agg_param,
+            agg_share,
+            version,
+        )
     }
 
     /// Like [`produce_leader_encrypted_agg_share`](Self::produce_leader_encrypted_agg_share) but run by the Helper in response to an
@@ -1591,10 +1599,19 @@ impl VdafConfig {
         hpke_config: &HpkeConfig,
         task_id: &TaskId,
         batch_sel: &BatchSelector,
+        agg_param: &[u8],
         agg_share: &DapAggregateShare,
         version: DapVersion,
     ) -> Result<HpkeCiphertext, DapAbort> {
-        produce_encrypted_agg_share(false, hpke_config, task_id, batch_sel, agg_share, version)
+        produce_encrypted_agg_share(
+            false,
+            hpke_config,
+            task_id,
+            batch_sel,
+            agg_param,
+            agg_share,
+            version,
+        )
     }
 
     /// Decrypt and unshard a sequence of aggregate shares. This method is run by the Collector
@@ -1612,14 +1629,14 @@ impl VdafConfig {
     /// Aggregators. The first encrypted aggregate shares must be the Leader's.
     ///
     /// * `version` is the `DapVersion` to use.
-    //
-    // TODO spec: Allow the collector to have multiple HPKE public keys (the way Aggregators do).
+    #[allow(clippy::too_many_arguments)]
     pub async fn consume_encrypted_agg_shares(
         &self,
         decrypter: &impl HpkeDecrypter,
         task_id: &TaskId,
         batch_sel: &BatchSelector,
         report_count: u64,
+        agg_param: &[u8],
         encrypted_agg_shares: Vec<HpkeCiphertext>,
         version: DapVersion,
     ) -> Result<DapAggregateResult, DapError> {
@@ -1641,6 +1658,9 @@ impl VdafConfig {
 
         let mut aad = Vec::with_capacity(40);
         task_id.encode(&mut aad);
+        if version != DapVersion::Draft02 {
+            encode_u32_bytes(&mut aad, agg_param);
+        }
         batch_sel.encode(&mut aad);
 
         let mut agg_shares = Vec::with_capacity(encrypted_agg_shares.len());
@@ -1680,6 +1700,7 @@ fn produce_encrypted_agg_share(
     hpke_config: &HpkeConfig,
     task_id: &TaskId,
     batch_sel: &BatchSelector,
+    agg_param: &[u8],
     agg_share: &DapAggregateShare,
     version: DapVersion,
 ) -> Result<HpkeCiphertext, DapAbort> {
@@ -1703,9 +1724,11 @@ fn produce_encrypted_agg_share(
     }); // Sender role
     info.push(CTX_ROLE_COLLECTOR); // Receiver role
 
-    // TODO spec: Consider adding agg param to AAD.
     let mut aad = Vec::with_capacity(40);
     task_id.encode(&mut aad);
+    if version != DapVersion::Draft02 {
+        encode_u32_bytes(&mut aad, agg_param);
+    }
     batch_sel.encode(&mut aad);
 
     let (enc, payload) = hpke_config
@@ -2499,13 +2522,14 @@ mod test {
             },
         };
         let leader_encrypted_agg_share =
-            t.produce_leader_encrypted_agg_share(&batch_selector, &leader_agg_share);
+            t.produce_leader_encrypted_agg_share(&batch_selector, &[], &leader_agg_share);
         let helper_encrypted_agg_share =
-            t.produce_helper_encrypted_agg_share(&batch_selector, &helper_agg_share);
+            t.produce_helper_encrypted_agg_share(&batch_selector, &[], &helper_agg_share);
         let agg_res = t
             .consume_encrypted_agg_shares(
                 &batch_selector,
                 50,
+                &[],
                 vec![leader_encrypted_agg_share, helper_encrypted_agg_share],
             )
             .await;

diff --git a/daphne_worker_test/tests/e2e/e2e.rs b/daphne_worker_test/tests/e2e/e2e.rs
@@ -645,6 +645,7 @@ async fn leader_collect_ok(version: DapVersion) {
                 batch_interval: batch_interval.clone(),
             },
             collection.report_count,
+            &collect_req.agg_param,
             collection.encrypted_agg_shares.to_vec(),
             version,
         )
@@ -1164,6 +1165,7 @@ async fn fixed_size(version: DapVersion, use_current: bool) {
             &t.task_id,
             &BatchSelector::FixedSizeByBatchId { batch_id },
             collection.report_count,
+            &collect_req.agg_param,
             collection.encrypted_agg_shares.to_vec(),
             version,
         )
@@ -1393,6 +1395,7 @@ async fn leader_collect_taskprov_ok(version: DapVersion) {
                 batch_interval: batch_interval.clone(),
             },
             collection.report_count,
+            &collect_req.agg_param,
             collection.encrypted_agg_shares.to_vec(),
             version,
         )