Private, Robust, and Scalable Computation of Aggregate Statistics


Prio is a privacy-preserving system for the collection of aggregate statistics. Each Prio client holds a private data value (e.g., its current location), and a small set of servers compute statistical functions over the values of all clients (e.g., the most popular location). As long as at least one server is honest, the Prio servers learn nearly nothing about the clients’ private data, except what they can infer from the aggregate statistics that the system computes.

To protect functionality in the face of faulty or malicious clients, Prio uses secret-shared non-interactive proofs (SNIPs), a new cryptographic technique that yields a hundred-fold performance improvement over conventional zero-knowledge approaches. Prio extends classic private aggregation techniques to enable the collection of a large class of useful statistics. For example, Prio can perform a least-squares regression on high-dimensional client-provided data without ever seeing the data in the clear.

Prio provides a number of desirable properties:
As long as at least one of the Prio servers is honest, the system leaks nearly nothing (in a precise sense) about the clients' private data.
Evil clients cannot corrupt the aggregate that the system computes, beyond lying about their private data values.
Prio is fast: it uses no public-key cryptographic primitives (except to established encrypted and authenticated channels), so it puts a minimal load on the client and servers.


Henry Corrigan-Gibbs, Stanford University
Dan Boneh, Stanford University