Prio
Private, Robust, and Scalable Computation of Aggregate Statistics

Background

Prio is a privacy-preserving system for the collection of aggregate statistics. Each Prio client holds a private data value (e.g., its current location), and a small set of servers compute statistical functions over the values of all clients (e.g., the most popular location). As long as at least one server is honest, the Prio servers learn nearly nothing about the clients’ private data, except what they can infer from the aggregate statistics that the system computes.

To protect functionality in the face of faulty or malicious clients, Prio uses secret-shared non-interactive proofs (SNIPs), a new cryptographic technique that yields a hundred-fold performance improvement over conventional zero-knowledge approaches. Prio extends classic private aggregation techniques to enable the collection of a large class of useful statistics. For example, Prio can perform a least-squares regression on high-dimensional client-provided data without ever seeing the data in the clear.

Prio provides a number of desirable properties:
Privacy
As long as at least one of the Prio servers is honest, the system leaks nearly nothing (in a precise sense) about the clients' private data.
Robustness
Evil clients cannot corrupt the aggregate that the system computes, beyond lying about their private data values.
Scalability
Prio is fast: it uses no public-key cryptographic primitives (except to established encrypted and authenticated channels), so it puts a minimal load on the client and servers.

Materials

Resarch paper
The extended version of our NSDI 2017 paper, which introduces the design and implementation of Prio.
A post about Prio on the Mozilla blog (June 2019)
An update on how Mozilla is planning to roll out Prio to collect data to improve the browser's "Content Blocking" fature.
A post about Prio on the Mozilla's "Hacks" blog (October 2018)
Mozilla piloted Prio in the "Nightly" build of the Firefox browser.
Mozilla's libprio library
A C library implementing a subset of Prio.
Prototype code (NOT safe for production use)
An implementation of Prio in the Go language.

People

Henry Corrigan-Gibbs, Stanford University
Dan Boneh, Stanford University