Chromium Code Reviews Chromium Code Reviews
Issue 49753002:
RAPPOR implementation (Closed)
Base URL: https://chromium.googlesource.com/chromium/src.git@master| Index: components/rappor/rappor_metric.cc |
| diff --git a/components/rappor/rappor_metric.cc b/components/rappor/rappor_metric.cc |
| new file mode 100644 |
| index 0000000000000000000000000000000000000000..29c51f89ff73c537733c7ce227544e0699b9ac55 |
| --- /dev/null |
| +++ b/components/rappor/rappor_metric.cc |
| @@ -0,0 +1,58 @@ |
| +// Copyright 2014 The Chromium Authors. All rights reserved. |
| +// Use of this source code is governed by a BSD-style license that can be |
| +// found in the LICENSE file. |
| + |
| +#include "components/rappor/rappor_metric.h" |
| + |
| +#include "base/logging.h" |
| + |
| +namespace rappor { |
| + |
| +RapporMetric::RapporMetric(const std::string& metric_name, |
| + const RapporParameters& parameters, |
| + int32_t cohort) |
| + : metric_name_(metric_name), |
| + parameters_(parameters), |
| + bloom_(parameters.bloom_filter_size_bytes, |
| + parameters.bloom_filter_hash_function_count, |
| + cohort * parameters.bloom_filter_hash_function_count) { |
|
Ilya Sherman
2014/02/13 01:39:03
Is it useful/desirable to DCHECK that this compute
Steven Holte
2014/02/13 05:11:12
Changed "BloomFilterTest.HugeFilter" test to use a
|
| + DCHECK_GE(cohort, 0); |
|
Ilya Sherman
2014/02/13 01:39:03
nit: De-indent by two spaces.
Steven Holte
2014/02/13 05:11:12
Done.
|
| +} |
| + |
| +RapporMetric::~RapporMetric() {} |
| + |
| +void RapporMetric::AddSample(const std::string& str) { bloom_.AddString(str); } |
| + |
| +ByteVector RapporMetric::GetReport(const std::string& secret) const { |
| + // Generate a deterministically random mask of fake data using the |
| + // client's secret key + real data as a seed. The inclusion of the secret |
| + // in the seed avoids correlations between real and fake data. |
| + // The seed isn't a human-readable string. |
| + std::string personalization_string = metric_name_ + |
| + std::string(bytes().begin(), bytes().end()); |
|
Ilya Sherman
2014/02/13 01:39:03
IMPORTANT: Hmm, it doesn't seem safe to re-interpr
Steven Holte
2014/02/13 05:11:12
std::string is not null terminated.
|
| + HmacByteVectorGenerator hmac_generator(bytes().size(), secret, |
| + personalization_string); |
| + const ByteVector fake_mask = |
| + hmac_generator.GetWeightedRandomByteVector(parameters().fake_prob); |
| + ByteVector fake_ones = |
|
Ilya Sherman
2014/02/13 01:39:03
nit: I think "fake_bytes" might be a clearer name
Steven Holte
2014/02/13 05:11:12
That seems like it might imply that the bits are m
Ilya Sherman
2014/02/13 23:23:08
fake_bits, then?
Steven Holte
2014/02/14 02:53:28
Done.
|
| + hmac_generator.GetWeightedRandomByteVector(parameters().fake_one_prob); |
| + |
| + // Redact most of the real data by replacing it with the fake data, hiding |
| + // and limiting the amount of information an individual client reports on. |
| + const ByteVector* fake_and_redacted_bits = |
| + ByteVectorMerge(fake_mask, bytes(), &fake_ones); |
| + |
| + // Generate biased coin flips for each bit. |
| + ByteVectorGenerator coin_generator(bytes().size()); |
| + const ByteVector zero_coins = |
| + coin_generator.GetWeightedRandomByteVector(parameters().zero_coin_prob); |
| + ByteVector one_coins = |
| + coin_generator.GetWeightedRandomByteVector(parameters().one_coin_prob); |
| + |
| + // Create a randomized response report on the fake and redacted data, sending |
| + // the outcome of flipping a zero coin for the zero bits in that data, and of |
| + // flipping a one coin for the one bits in that data, as the final report. |
| + return *ByteVectorMerge(*fake_and_redacted_bits, zero_coins, &one_coins); |
| +} |
| + |
| +} // namespace rappor |
