[WIP] Breakdown Reveal Aggregation

[cberkhoff]

This PR is a work in progress to enable Breakdown Reveal Aggregation (aka Improved Aggregation). Aggregation steps happen after attribution. The input to aggregation is a stream of tuples of (attributed breakdown key, attributed trigger value). The output of aggregation is a Histogram. Breakdown Keys and Trigger Values are assigned by the advertiser and sent in the input of IPA. Breakdown Keys values are expected to be dense. How breakdown keys and trigger values are defined is out-of-scope.

High level explanation of the protocol:

1. Add fake attribution outputs.
2. Shuffle.
3. Reveal Breakdown Keys. By having shuffled and adding fake entries we protected the identities of individuals. Trigger values are not revealed.
4. Aggregation of Trigger Value by Breakdown Key (Think of group by).

DP noise to histogram buckets will be added by the caller of this function. This because adding noise is really unrelated to how things are added up.

Following are the improvements to be done before merging in no particular order:

• TODO: Use sharded shuffle.
• TODO: For aggregation, we pad TV with zeroes until size of HV and add them together. Expanding bits only as needed.
• TODO: seq_join (see quicksort). First reveal, create futures for the remainder.
• TODO: Add vectorization + chunks. Change TotalRecords::Indeterminate. "Merge-sort".
• TODO: Add sharding.

[codecov]

Codecov Report

Attention: Patch coverage is 99.56897% with 1 line in your changes missing coverage. Please review.

Project coverage is 92.84%. Comparing base (23202a2) to head (47569e4).
Report is 7 commits behind head on main.

Files	Patch %	Lines
...c/protocol/ipa_prf/aggregation/breakdown_reveal.rs	99.23%	1 Missing ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #1172      +/-   ##
==========================================
+ Coverage   92.79%   92.84%   +0.04%     
==========================================
  Files         197      197              
  Lines       30523    30735     +212     
==========================================
+ Hits        28325    28535     +210     
- Misses       2198     2200       +2     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

[danielmasny]

I have left a couple of comments. I think we need to think more about a strategy of how to vectorize the aggregation efficiently.

[danielmasny]

How do you do the aggregation, will you sort the records by breakdown? I think that might be expensive for many breakdowns. I think it would make sense to chunk the list of records into smaller parts and only sort within these chunks. Vectorization should still be efficient within the chunks and you won't need a sort on the huge list of all records.

[cberkhoff]

Yeah, I still need to come up with a way to chunk/vectorize things.

[akoshelev]

don't we know the breakdown in the clear, so we can trivially group them as we reveal it?

[danielmasny]

yes its all local so you could sort by breakdown and then vectorize within events with the same breakdown. Sorting a large list might still cause a lot of reallocations which might not be necessary.

[andyleiserson]

Yeah, for the breakdown counts that we're contemplating currently, I would say just fan the values out into a bucket per breakdown. Then once we get two chunks worth of records in a bucket, we can do a vectorized reduction.

If we're doing a full resharding here (which a sharded shuffle is), then maybe it makes sense to shard by breakdowns rather than randomly? There is a question whether we get better parallelism across breakdowns or by eagerly pulling more chunks from a particular aggregation stream.

[akoshelev]

Yes its all local so you could sort by breakdown

I still don't see a need to sort a big list by breakdown key. As Andy pointed out, we fan out events to the corresponding shards by the breakdown key as we drain the input. Grouping comes essentially for free

If we're doing a full resharding here (which a sharded shuffle is), then maybe it makes sense to shard by breakdowns rather than randomly?

This makes sense to me - maybe in sharded world in this case we can avoid transpose

There is a question whether we get better parallelism across breakdowns or by eagerly pulling more chunks from a particular aggregation stream.

To make a decision here, it would be helpful to understand the distribution of events per breakdown. If it is not close to uniform in presence of fake events (basically follows user-provided distribution), then we can assume the worst case and vectorize across breakdowns per shard

[danielmasny]

contribs is a strange name.

[cberkhoff]

I'll change it on a future revision. Please consider this code just a starting point to better discuss the vectorization part.

[akoshelev]

I agree with Daniel - namings should be part of the review. For things not relevant, there needs to be a hint to reviewers to skip certain parts of the code on the review - although I think it makes reviewer's life harder.

[danielmasny]

why is ao needed here and why not using attribution_outputs directly?

[cberkhoff]

Just a small aid for Rust Analyzer. Rust can't infer the type.

[akoshelev]

Yea, IDEs that support Rust language are far from ideal and there are gaps in them. I don't think it warrants code modifications like this though - this code will be read in many IDEs, text editors, web browsers and it is bad for readability.

[danielmasny]

reveal context needs to be defined outside of the loop, otherwise you generate a context for every record.

[cberkhoff]

Will do. The for loop is going away anyway.

[danielmasny]

Why do we need this in this PR?

[cberkhoff]

Because I haven't deleted the old aggregation code yet

[akoshelev]

I think this is not relevant to this change and shouldn't be a part of it

[cberkhoff]

I will delete all the old-aggregation code before I merge but I would like to keep it for reference (easier to navigate code with IDE than Github). I allow the code so that all code checks still run on every push.

[danielmasny]

It is still stored in a u128. I am not sure whether I would call it a decimal and whether this is substantially different from the way other numbers are stored.

[cberkhoff]

I didn't came up with that name. Rather have a separate PR for renaming things if you deem that necessary.

[akoshelev]

this made it public which made me questioning whether it is only used in tests and should be marked as such?

[cberkhoff]

It's configured to be a test struct only with #[cfg]

[danielmasny]

I think the naming is confusing and I do think it makes more sense to implement shared value (which implies additiveshare) for SecretSharedAttributionOutputs rather than merging BK and TV into a single Boolean Array. We might not even implement BooleanArrays that have the correct size needed.

[cberkhoff]

This entire part of the shuffling is going away anyway in favor of the sharded version which has a Shuffle-able trait

[danielmasny]

I see so this is just a temporary change. Maybe mark it with a todo?

[akoshelev]

yea that's pretty gross, but as @cberkhoff pointed out a necessary change due to shuffle not really supporting any other input except IPA event

[danielmasny]

If we don't try to merge BA just for the sake of shuffling (see comment below on attribution_outputs_to_shuffle) We do not need the generic R and the trait bounds. I don't think we should introduce new BA types just for the sake of shuffling.

[cberkhoff]

Yeah, I don't think these conversions to BA are necessary, in fact the sharded version of shuffle provides better ergonomics. I'm just using this version as a temporary stop-gap.

[danielmasny]

This could also be removed by implementing shared value for SecretSharedAttributionOutputs

[cberkhoff]

Will keep this in mind but this whole part of shuffling is going away

[akoshelev]

this may be a good suggestion to keep the code concise for the time being, if that works. I much rather prefer traits over standalone functions to keep the nomenclature of things used somewhat under control

[akoshelev]

It is too generic to be at this level I think. We should use a more specific error type that explains what happened

[akoshelev]

I agree with Daniel - namings should be part of the review. For things not relevant, there needs to be a hint to reviewers to skip certain parts of the code on the review - although I think it makes reviewer's life harder.

[akoshelev]

Yea, IDEs that support Rust language are far from ideal and there are gaps in them. I don't think it warrants code modifications like this though - this code will be read in many IDEs, text editors, web browsers and it is bad for readability.

[akoshelev]

heh, it is ok to assume breakdown key fits into usize :)

[akoshelev]

perhaps letting compiler to infer the type is the way to go here. Most of the Rust libraries, including IPA use this approach: https://doc.rust-lang.org/rust-by-example/types/inference.html

[akoshelev]

this may be a good suggestion to keep the code concise for the time being, if that works. I much rather prefer traits over standalone functions to keep the nomenclature of things used somewhat under control

[akoshelev]

this made it public which made me questioning whether it is only used in tests and should be marked as such?

[akoshelev]

BA32 can be generated using Rng, so you can simplify this part as well

[akoshelev]

a bit of bikeshedding, but this does generate an input row and expected result, so name can reflect that

[akoshelev]

this variable could have a better name

[cberkhoff]

This change is still a WIP. Just want to get some baseline numbers from Draft.

[cberkhoff]

I ran a queries and got the following stats:

	Old	New
Runtime [m]	9.583333333	30.0	313.48%
Aggregation / Total Runtime	63.9%	93.59%
Shuffle		0.41%
Reveal		4.92%
Additions		83.05%

Having this in mind I focus on Additions and then Reveal

[cberkhoff]

With the seq_join in add_tvs_by_bk performance improved by ~6x and now the total runtime is the same between old and new:

	Old	New
Runtime [m]	9.583333333	9.5
Aggregation time / Total Runtime	63.9%	79.16%
Attribution		23.02%
Shuffle		1.56%
Reveal		18.44%
Additions		56.98%

[cberkhoff]

Using seq_join in reveal_breakdowns made it 14x faster. The protocol as a whole is 18% faster than the old one.

[cberkhoff]

Added a new aggregation logic for Trigger Values into the Histogram. With it, aggregation as a whole is about 3x faster than the current one.

Results running IPA for 1M events
	Old [duration]	New [duration]	Improvement
Total Runtime	09:35	03:57	242.62%
Aggregation time	06:08	02:06	292.06%
		Duration	% of aggregation
Attribution	-	01:30	71.43%
Shuffle	-	00:07	5.56%
Reveal	-	00:05	3.97%
Additions	-	00:23	18.25%

[cberkhoff]

Digging trough the logs I think vectorizing can make aggregation take 20seconds off aggregation, which is taking around 126 seconds. There might be more gains from more efficient code.

Spreadsheet

[akoshelev]

This is mostly good to go I think. There are some things to improve, but most importantly we shouldn't replace the existing aggregation just yet. We haven't added DP noise in OPRF and we may need a proof or tight bound on noise added per breakdown key.

Once these figured, we can replace the aggregation in a separate PR

[akoshelev]

You only need HV in expand and there is no runtime check at construction time. You probably want to drop this generic from struct definition and change expand to expand::<HV>(..)

[akoshelev]

Suggested change

	let atributions = shuffle_attributions::<_, _, B>(&ctx, atributions).await?;
	let grouped_tvs = reveal_breakdowns::<HV, _, _, B>(&ctx, atributions).await?;
	let atributions = shuffle_attributions(&ctx, atributions).await?;
	let grouped_tvs = reveal_breakdowns(&ctx, atributions).await?;

[akoshelev]

impossible states are better modelled with panics imo

[akoshelev]

Suggested change

	let mut r: Vec<Replicated<HV>> = vec![];
	let mut r = Vec::<Replicated<HV>>::with_capacity(groupted_tvs.singles.len())

[akoshelev]

there is no reason to collect this into a vector. Just add things into grouped_tvs as they come from the reveal stream

[cberkhoff]

the reason I was doing it is because I didn't wanted to modify grouped_tvs in an async scope. I wanted all the modifications of grouped_tvs to happen in the main thread. If I do something like:

seq_join(reveal_ctx.active_work(), reveal_work)
        .try_for_each(move |(bk, tv)| {
            grouped_tvs.push(bk, tv.to_bits())
        })
        .await?;

I'm getting an issue with captured variables escaping the closure body

[akoshelev]

it works if you pin the stream and try_next it

[akoshelev]

it would probably be safer if you consume pairs at this point

[akoshelev]

also, you could do zip(pairs, repeat(add_ctx)).map(...) to get a fresh context for every row

[cberkhoff]

you meant into_iter ?

with the existing enumerate the resulting tuple will look weird: (i, (p, add_ctx)).
I find the current code more legible.

[akoshelev]

Suggested change

	// Should never come to this. Insted it should return from the exit
	// This loop terminates if the number of steps exceeds 64, which means processing more than 2^64 events that shouldn't happen in practice

[akoshelev]

does this operation have a cost? i.e. are we adding these zeroes after expanding in MPC?

[cberkhoff]

We're adding 0's to match the results of the non-saturated additions. The actual sum happens after.

I could be wrong, but adding these zeroes is "local", there's no communication required. Each helper just adds a Replicated::ZERO to each item in the singles. This should be very fast.

[akoshelev]

Suggested change

	let op = self.singles[bk].take();
	if let Some(existing_value) = op {
	self.pairs.push(Pair {
	left: existing_value,
	right: value,
	bk,
	});
	self.singles[bk] = None;
	} else {
	self.singles[bk] = Some(value);
	}
	if let Some(existing_value) = self.singles[bk].take() {
	self.pairs.push(Pair {
	left: existing_value,
	right: value,
	bk,
	});
	} else {
	self.singles[bk] = Some(value);
	}

[akoshelev]

this is great, but not enough to confidently say the logic is correct. I'd love to see more comprehensive testing here:

• All breakdowns have more than one event
• Some have one event, some two, some three (testing odd/even)
• Some breakdowns have zero events, while others have many
• Some breakdowns saturate and some do not (use small HV, TV for it)

and resistance testing for errors as well

[martinthomson]

r.push(s.map_or_default(|hv_bits| hv_bits.collect_bits()));

[akoshelev]

This is good starting point to keep improving the new aggregation. We should create an issue with all the improvements and action items we need to take before we can make it the default