Re: [private-measurement] Interoperable Private Attribution (IPA) (#9)

@csharrison agreed that this is underspecified, and this would be a great area to get more clarity on. 

[Administrative side note, I opened a [request](https://github.com/patcg-individual-drafts/admin/issues/1) to get a repo specifically for IPA so we can have issues on dedicated topics, and even put together pull requests for docs outlining more details in these areas as they emerge.]

A few thoughts specific to this question:

> One attack I didn't see mentioned is malicious parties crafting fake data in the hope of stealing budget from the 1P, by pretending to query on behalf of the 1P.

In the case where the 3P has actual `source_events` and `trigger_events`, this could be possible without even generating fake data. We allow for individual events to be used in multiple queries, within the privacy budget, so this could be used to exhaust it. In this case, I don't think that making the match key space high entropy would actually work.

In the case where the 3P doesn't have actual events, but is just trying to disrupt some 1P's budget, the high entropy match key space would work. 

> I don't know if we want to design something more robust such that e.g. 1Ps need to attest to working with certain 3Ps up front.

In the first scenario, it should be possible for the 1P to prevent a 3P from getting actual events by not sending them or installing their "pixel" code.

In the second scenario, it seems like a high entropy match key is enough (say 64-bit) where it would be far too expensive to run a query that would actually have meaningful impact. Let's suppose (very conservatively) that it only takes 1ms to generate a fake event - to cover 0.4% (1/256) of the space it would take over 2M years of compute time to generate all those events. And that's not even starting to think about actually running that query...

That said, if a 1P wants to work with more than one 3P, then we do probably need a way for that 1P to assign specific portions of its budget across those different 3Ps, which may necessitate the attestation design you mention.

-- 
GitHub Notification of comment by eriktaubeneck
Please view or discuss this issue at https://github.com/patcg/private-measurement/issues/9#issuecomment-1120003305 using your GitHub account



Received on Friday, 6 May 2022 20:58:36 UTC
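The two points in the comment above, the cost of fabricating events over a high-entropy match key space and a per-3P split of the 1P's budget, carried through as an added example (this is not code from the comment, the thread or the IPA proposal). The ledger rules, the 3P names and the budget numbers are constructed assumptions; the 64-bit / 1ms / 1-in-256 figures are the ones the comment uses, and the function generalizes them to other key widths.

```python
"""Added example: match-key brute-force cost and a per-3P privacy budget ledger.
All names and numbers below are constructed for illustration."""
from __future__ import annotations

from dataclasses import dataclass, field

SECONDS_PER_YEAR = 365.25 * 86400


def brute_force_years(key_bits: int, coverage: float, seconds_per_event: float = 1e-3) -> float:
    """Compute-years needed to fabricate enough events to cover `coverage` of a
    `key_bits`-wide match key space, at `seconds_per_event` per fake event.
    Generalizes the comment's 64-bit / 1ms / 1-in-256 estimate."""
    events = (2 ** key_bits) * coverage
    return events * seconds_per_event / SECONDS_PER_YEAR


class BudgetExhausted(Exception):
    """Raised when a query would exceed the budget available to a 3P."""


@dataclass
class BudgetLedger:
    """Privacy budget for one 1P. With no `allocations` it is a shared pool that
    any 3P can draw from; with `allocations` each 3P may only spend its own
    share, and a 3P with no allocation (not attested by the 1P) gets nothing.
    This partitioning rule is an assumption, not IPA's design."""
    total: float
    allocations: dict = field(default_factory=dict)  # 3P name -> share of `total`
    spent: dict = field(default_factory=dict)        # 3P name -> budget consumed

    def remaining(self, third_party: str) -> float:
        if not self.allocations:
            return self.total - sum(self.spent.values())
        return self.allocations.get(third_party, 0.0) - self.spent.get(third_party, 0.0)

    def charge(self, third_party: str, epsilon: float) -> float:
        """Debit `epsilon` for a query by `third_party`; return what is left for it."""
        if epsilon > self.remaining(third_party):
            raise BudgetExhausted(f"{third_party} cannot spend {epsilon}")
        self.spent[third_party] = self.spent.get(third_party, 0.0) + epsilon
        return self.remaining(third_party)


def simulate() -> dict:
    """Constructed scenario: a rogue 3P re-queries real events until the budget is
    gone. In a shared pool it starves the legitimate partner; with per-3P
    allocations it can only drain its own share."""
    shared = BudgetLedger(total=4.0)
    for _ in range(4):
        shared.charge("rogue", 1.0)
    try:
        shared.charge("partner", 1.0)
        shared_blocked = False
    except BudgetExhausted:
        shared_blocked = True

    split = BudgetLedger(total=4.0, allocations={"partner": 3.0, "rogue": 1.0})
    split.charge("rogue", 1.0)
    try:
        split.charge("rogue", 1.0)
        rogue_blocked = False
    except BudgetExhausted:
        rogue_blocked = True

    return {
        "shared_partner_left": shared.remaining("partner"),
        "shared_partner_blocked": shared_blocked,
        "split_partner_left": split.remaining("partner"),
        "split_rogue_blocked": rogue_blocked,
        "split_unattested_left": split.remaining("stranger"),
    }


if __name__ == "__main__":
    print(f"64-bit key, 1/256 coverage: {brute_force_years(64, 1 / 256):,.0f} years")
    print(f"32-bit key, 1/256 coverage: {brute_force_years(32, 1 / 256):.6f} years")
    print(simulate())
```

The first scenario in `simulate()` is the comment's point that real events can be re-queried to exhaust a shared budget, where key entropy does not help; the second is the per-3P allocation the comment says may be needed when a 1P works with several 3Ps. `brute_force_years(32, ...)` shows why the key width matters for the fake-data case: the same coverage that costs millions of years at 64 bits costs minutes at 32.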