Add back DpConfig and the length prefixes in VdafConfig and `Quer…

…yConfig` A previous commit f8cedf1, the `DpConfig` structure was replaced with an opaque byte string that the parties are meant to ignore. We don't want the parties to ignore unrecognized parameters: they should opt out instead. This change specifies that the content should be a `DpConfig`. We also remove the length prefix from that structure, since it's no longer needed. The same commit removed the length prefixes from `VdafConfig` and `QueryConfig`. This is a regression because it means the encoding of the `TaskConfig` is no longer self-describing. In particular, it forces to conflate opt-out due to unrecognized variants (an unimplemented VDAF, say) with serialization errors. Solve this by adding back the length prefixes.
ietf-wg-ppm · Jan 17, 2024 · e88fdd6 · e88fdd6
1 parent 2d800b2
commit e88fdd6
Showing 1 changed file with 24 additions and 6 deletions.
diff --git a/draft-wang-ppm-dap-taskprov.md b/draft-wang-ppm-dap-taskprov.md
@@ -183,13 +183,17 @@ struct {
     uint16 max_batch_query_count;
     uint32 min_batch_size;
     QueryType query_type;
+    uint16 query_type_param_len; /* length of the remainder */
     select (QueryConfig.query_type) {
         case time_interval: Empty;
         case fixed_size:    uint32 max_batch_size;
     };
 } QueryConfig;
 ~~~
 
+The value `query_type_param_len` field MUST match length of the remainder of
+the structure.
+
 The maximum batch size for `fixed_size` query is optional. If `query_type` is
 `fixed_size` and `max_batch_size` is 0, Aggregator should provision the task
 without maximum batch size limit. Which means during batch validation
@@ -213,6 +217,7 @@ enum {
 struct {
     opaque dp_config<1..2^16-1>;  /* Encoded differential privacy parameters */
     VdafType vdaf_type;
+    uint16 vdaf_type_param_len; /* length of the remainder */
     select (VdafConfig.vdaf_type) {
         case prio3_count:
             Empty;
@@ -231,13 +236,26 @@ struct {
 } VdafConfig;
 ~~~
 
-An extension of this draft may define additional VDAF codepoints in `VdafType`,
-but if an Aggregator doesn't recognize a VDAF codepoint, it MUST opt out of the
-task.
+The value `vdaf_type_param_len` field MUST match length of the remainder of
+the structure.
+
+Apart from the VDAF-specific parameters, this structure includes a mechanism for
+differential privacy (DP). The opaaque `dp_config` contains the following structure:
+
+~~~
+enum {
+    reserved(0), /* Reserved for testing purposes */
+    none(1),
+    (255)
+} DpMechanism;
 
-Apart from the VDAF-specific parameters, this structure includes an opaque
-field `dp_config` to encode differential privacy (DP) parameters. This draft
-doesn't mandate the underlying structure for this field yet.
+struct {
+    DpMechanism dp_mechanism;
+    select (DpConfig.dp_mechanism) {
+        case none: Empty;
+    };
+} DpConfig;
+~~~
 
 > OPEN ISSUE: Should spell out definition of `DpConfig` for various differential
 > privacy mechanisms and parameters. See draft