RAPPOR implementation

components/rappor/rappor_metric.cc

+// Copyright 2014 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include "components/rappor/rappor_metric.h"
+
+#include "base/logging.h"
+
+namespace rappor {
+
+RapporMetric::RapporMetric(const std::string& metric_name,
+                           const RapporParameters& parameters,
+                           int32_t cohort)
+    : metric_name_(metric_name),
+      parameters_(parameters),
+      bloom_(parameters.bloom_filter_size_bytes,
+             parameters.bloom_filter_hash_function_count,
+             cohort * parameters.bloom_filter_hash_function_count) {

[Ilya Sherman, 2014/02/13 01:39:03]

Is it useful/desirable to DCHECK that this computed value is less than the
number of bytes in the Bloom filter?  Or, if it's ok for this to exceed the
Bloom filter's size, please add test code to exercise the relevant code paths. 
(You might already have such test code in place, in which case, good on ya', and
feel free to ignore this comment :)

[Steven Holte, 2014/02/13 05:11:12]

Changed "BloomFilterTest.HugeFilter" test to use a large seed offset.

+    DCHECK_GE(cohort, 0);

[Ilya Sherman, 2014/02/13 01:39:03]

nit: De-indent by two spaces.

[Steven Holte, 2014/02/13 05:11:12]

Done.

+}
+
+RapporMetric::~RapporMetric() {}
+
+void RapporMetric::AddSample(const std::string& str) { bloom_.AddString(str); }
+
+ByteVector RapporMetric::GetReport(const std::string& secret) const {
+  // Generate a deterministically random mask of fake data using the
+  // client's secret key + real data as a seed.  The inclusion of the secret
+  // in the seed avoids correlations between real and fake data.
+  // The seed isn't a human-readable string.
+  std::string personalization_string = metric_name_ +
+      std::string(bytes().begin(), bytes().end());

[Ilya Sherman, 2014/02/13 01:39:03]

IMPORTANT: Hmm, it doesn't seem safe to re-interpret the bytes as a string.  For
example, what if there are control characters, or NUL bytes?  I think you need
to base64-encode the bytes first, or something like that.

[Steven Holte, 2014/02/13 05:11:12]

std::string is not null terminated.

+  HmacByteVectorGenerator hmac_generator(bytes().size(), secret,
+                                         personalization_string);
+  const ByteVector fake_mask =
+      hmac_generator.GetWeightedRandomByteVector(parameters().fake_prob);
+  ByteVector fake_ones =

[Ilya Sherman, 2014/02/13 01:39:03]

nit: I think "fake_bytes" might be a clearer name than "fake_ones".

[Steven Holte, 2014/02/13 05:11:12]

That seems like it might imply that the bits are masked in by bytes.

[Ilya Sherman, 2014/02/13 23:23:08]

fake_bits, then?

[Steven Holte, 2014/02/14 02:53:28]

Done.

+      hmac_generator.GetWeightedRandomByteVector(parameters().fake_one_prob);
+
+  // Redact most of the real data by replacing it with the fake data, hiding
+  // and limiting the amount of information an individual client reports on.
+  const ByteVector* fake_and_redacted_bits =
+      ByteVectorMerge(fake_mask, bytes(), &fake_ones);
+
+  // Generate biased coin flips for each bit.
+  ByteVectorGenerator coin_generator(bytes().size());
+  const ByteVector zero_coins =
+      coin_generator.GetWeightedRandomByteVector(parameters().zero_coin_prob);
+  ByteVector one_coins =
+      coin_generator.GetWeightedRandomByteVector(parameters().one_coin_prob);
+
+  // Create a randomized response report on the fake and redacted data, sending
+  // the outcome of flipping a zero coin for the zero bits in that data, and of
+  // flipping a one coin for the one bits in that data, as the final report.
+  return *ByteVectorMerge(*fake_and_redacted_bits, zero_coins, &one_coins);
+}
+
+}  // namespace rappor