RAPPOR implementation

components/rappor/rappor_metric.cc

Index: components/rappor/rappor_metric.cc
diff --git a/components/rappor/rappor_metric.cc b/components/rappor/rappor_metric.cc
new file mode 100644
index 0000000000000000000000000000000000000000..b3ca841862823ecc92cfb95b5f3b7fc4fc7f9a9c
--- /dev/null
+++ b/components/rappor/rappor_metric.cc
@@ -0,0 +1,56 @@
+// Copyright 2014 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include "components/rappor/rappor_metric.h"
+
+#include "base/logging.h"
+
+namespace rappor {
+
+RapporMetric::RapporMetric(const std::string& metric_name,
+                           const RapporParameters& parameters,
+                           int32_t cohort)
+    : metric_name_(metric_name),
+      parameters_(parameters),
+      bloom_(parameters.bloom_filter_size_bytes,
+             parameters.bloom_filter_hash_function_count,
+             cohort * parameters.bloom_filter_hash_function_count) {
+    DCHECK_GE(cohort, 0);
+}
+
+RapporMetric::~RapporMetric() {}
+
+void RapporMetric::AddSample(const std::string& str) { bloom_.AddString(str); }
+
+ByteVector RapporMetric::GetReport(const std::string& secret) const {
+  // Generate a deterministically random mask of fake data using the
+  // client's secret key + real data as a seed.  The inclusion of the secret
+  // in the seed prevents fake data from being correlated with real data.

[ulfar, 2014/02/07 20:19:02]

// in the seed avoids correlations between the real and fake data.

[Steven Holte, 2014/02/07 21:08:16]

Done.

+  // The seed isn't a human-readable string.
+  std::string seed = secret + metric_name_ +
+      std::string(bytes().begin(), bytes().end());
+  HmacByteVectorGenerator hmac_generator(bytes().size(), seed);
+  const ByteVector fake_mask =
+      hmac_generator.GetWeightedRandomByteVector(parameters().fake_prob);
+  ByteVector fake_ones =
+      hmac_generator.GetWeightedRandomByteVector(parameters().fake_one_prob);
+
+  // Redact most of the real data by replacing it with the fake data, hiding
+  // and limiting the amount of information an individual client reports on.
+  const ByteVector* redacted_bits =

[ulfar, 2014/02/07 20:19:02]

better name would be fake_and_redacted_bits

[Steven Holte, 2014/02/07 21:08:16]

Done.

+      ByteVectorMerge(fake_mask, bytes(), &fake_ones);
+
+  // Generate biased coin flips for each bit.
+  ByteVectorGenerator coin_generator(bytes().size());
+  const ByteVector zero_coins =
+      coin_generator.GetWeightedRandomByteVector(parameters().zero_coin_prob);
+  ByteVector one_coins =
+      coin_generator.GetWeightedRandomByteVector(parameters().one_coin_prob);
+
+  // Use the redacted data to select which coin type is used for each bit in
+  // the final report.
+  return *ByteVectorMerge(*redacted_bits, zero_coins, &one_coins);

[ulfar, 2014/02/07 20:19:02]

A better comment would be 

// Create a randomized response report on the fake and redacted data, sending
// the outcome of flipping a zero coin for the zero bits in that data, and of 
// flipping a one coin for the one bits in that data, as the final report.

[Steven Holte, 2014/02/07 21:08:16]

Done.

+}
+
+}  // namespace rappor