Parameter  Description 

ID: int  Algorithm identifier for this DAF, in range(2**32). 
SHARES: int  Number of input shares into which each measurement is sharded. 
NONCE_SIZE: int  Size of the nonce passed by the application. 
RAND_SIZE: int  Size of the random byte string passed to sharding algorithm. 
Measurement  Type of each measurement. 
PublicShare  Type of each public share. 
InputShare  Type of each input share. 
AggParam  Type of aggregation parameter. 
OutShare  Type of each output share. 
AggShare  Type of the aggregate share. 
AggResult  Type of the aggregate result. 
Parameter  Description 

ID  Algorithm identifier for this VDAF. 
VERIFY_KEY_SIZE  Size (in bytes) of the verification key ( 
RAND_SIZE  Size of the random byte string passed to sharding algorithm. 
NONCE_SIZE  Size (in bytes) of the nonce. 
ROUNDS  Number of rounds of communication during the Preparation stage ( 
SHARES  Number of input shares into which each measurement is sharded ( 
Measurement  Type of each measurement. 
PublicShare  Type of each public share. 
InputShare  Type of each input share. 
AggParam  Type of aggregation parameter. 
OutShare  Type of each output share. 
AggShare  Type of the aggregate share. 
AggResult  Type of the aggregate result. 
PrepState  Aggregator's state during preparation. 
PrepShare  Type of each prep share. 
PrepMessage  Type of each prep message. 
Parameter  Field64  Field128  Field255 

MODULUS  2^32 * 4294967295 + 1  2^66 * 4611686018427387897 + 1  2^255  19 
ENCODED_SIZE  8  16  32 
Generator  7^4294967295  7^4611686018427387897  n/a 
GEN_ORDER  2^32  2^66  n/a 
Parameter  Description 

PROVE_RAND_LEN  Length of the prover randomness, the number of random field elements consumed by the prover when generating a proof 
QUERY_RAND_LEN  Length of the query randomness, the number of random field elements consumed by the verifier 
JOINT_RAND_LEN  Length of the joint randomness, the number of random field elements consumed by both the prover and verifier 
MEAS_LEN  Length of the encoded measurement ( 
OUTPUT_LEN  Length of the aggregatable output ( 
PROOF_LEN  Length of the proof 
VERIFIER_LEN  Length of the verifier message generated by querying the measurement and proof 
Measurement  Type of the measurement 
AggResult  Type of the aggregate result 
field  Class object for the field ( 
Parameter  Value 

VERIFY_KEY_SIZE  Xof.SEED_SIZE 
RAND_SIZE  Xof.SEED_SIZE * (1 + 2 * (SHARES  1)) if flp.JOINT_RAND_LEN == 0 else Xof.SEED_SIZE * (1 + 2 * (SHARES  1) + SHARES) 
NONCE_SIZE  16 
ROUNDS  1 
SHARES  in [2, 256) 
Measurement  Flp.Measurement 
AggParam  None 
PublicShare  Optional[list[bytes]] 
InputShare  tuple[list[F], list[F], Optional[bytes]]  tuple[bytes, bytes, Optional[bytes]] 
OutShare  list[F] 
AggShare  list[F] 
AggResult  Flp.AggResult 
PrepState  tuple[list[F], Optional[bytes]] 
PrepShare  tuple[list[F], Optional[bytes]] 
PrepMessage  Optional[bytes] 
Variable  Value 

USAGE_MEAS_SHARE: int  1 
USAGE_PROOF_SHARE: int  2 
USAGE_JOINT_RANDOMNESS: int  3 
USAGE_PROVE_RANDOMNESS: int  4 
USAGE_QUERY_RANDOMNESS: int  5 
USAGE_JOINT_RAND_SEED: int  6 
USAGE_JOINT_RAND_PART: int  7 
Parameter  Description 

GADGETS  A list of gadgets 
GADGET_CALLS  Number of times each gadget is called 
MEAS_LEN  Length of the measurement 
OUTPUT_LEN  Length of the aggregatable output 
JOINT_RAND_LEN  Length of the random input 
EVAL_OUTPUT_LEN  Length of the circuit output 
Measurement  The type of measurement 
AggResult  Type of the aggregate result 
field  Class object for the field 
Parameter  Value 

PROVE_RAND_LEN 
valid.prove_rand_len() (see 
QUERY_RAND_LEN 
valid.query_rand_len() (see 
JOINT_RAND_LEN  valid.JOINT_RAND_LEN 
MEAS_LEN  valid.MEAS_LEN 
OUTPUT_LEN  valid.OUTPUT_LEN 
PROOF_LEN 
valid.proof_len() (see 
VERIFIER_LEN 
valid.verifier_len() (see 
Measurement  valid.Measurement 
Parameter  Value 

Valid  Count(Field64) (this section) 
Field 
Field64 ( 
PROOFS  1 
Xof 
XofTurboShake128 ( 
Parameter  Value 

GADGETS  [Mul] 
GADGET_CALLS  [1] 
MEAS_LEN  1 
OUTPUT_LEN  1 
JOINT_RAND_LEN  0 
EVAL_OUTPUT_LEN  1 
Measurement  int in range(2) 
AggResult  int 
Parameter  Value 

Valid  Sum(Field128, bits) (this section) 
Field 
Field128 ( 
PROOFS  1 
Xof 
XofTurboShake128 ( 
Parameter  Value 

GADGETS  [Range2] 
GADGET_CALLS  [bits] 
MEAS_LEN  bits 
OUTPUT_LEN  1 
JOINT_RAND_LEN  1 
EVAL_OUTPUT_LEN  1 
Measurement  int in range(2**bits) 
AggResult  int 
Parameter  Value 

Valid  SumVec(Field128, length, bits, chunk_lengh) (this section) 
Field 
Field128 ( 
PROOFS  1 
Xof 
XofTurboShake128 ( 
Parameter  Value 

GADGETS  [ParallelSum(Mul(), chunk_length)] 
GADGET_CALLS  [(length * bits + chunk_length  1) // chunk_length] 
MEAS_LEN  length * bits 
OUTPUT_LEN  length 
JOINT_RAND_LEN  1 
EVAL_OUTPUT_LEN  1 
Measurement  list[int], each element in range(2**bits) 
AggResult  list[int] 
Parameter  Value 

Valid  Histogram(Field128, length, chunk_lengh) (this section) 
Field 
Field128 ( 
PROOFS  1 
Xof 
XofTurboShake128 ( 
Parameter  Value 

GADGETS  [ParallelSum(Mul(), chunk_length)] 
GADGET_CALLS  [(length + chunk_length  1) // chunk_length] 
MEAS_LEN  length 
OUTPUT_LEN  length 
JOINT_RAND_LEN  2 
EVAL_OUTPUT_LEN  1 
Measurement  int 
AggResult  list[int] 
Parameter  Value 

Valid  MultihotCountVec(Field128, length, max_weight, chunk_lengh) (this section) 
Field 
Field128 ( 
PROOFS  1 
Xof 
XofTurboShake128 ( 
Parameter  Value 

GADGETS  [ParallelSum(Mul(), chunk_length)] 
GADGET_CALLS  [(length + bits_for_weight + chunk_length  1) // chunk_length] 
MEAS_LEN  length + bits_for_weight 
OUTPUT_LEN  length 
JOINT_RAND_LEN  2 
Measurement  list[int] 
AggResult  list[int] 
Parameter  Description 

SHARES  Number of IDPF keys output by IDPFkey generator 
BITS  Length in bits of each input string 
VALUE_LEN  Number of field elements of each output value 
RAND_SIZE  Size of the random string consumed by the IDPFkey generator. Equal to twice the XOF's seed size. 
NONCE_SIZE  Size of the randon nonce generated by the Client. 
KEY_SIZE  Size in bytes of each IDPF key 
FieldInner  Implementation of Field ( 
FieldLeaf  Implementation of Field used for values of leaf nodes 
PublicShare  Type of public share for this IDPF 
Output  Alias of list[list[FieldInner]]  list[list[FieldLeaf]] 
FieldVec  Alias of list[FieldInner]  list[FieldLeaf] 
Parameter  Value 

VERIFY_KEY_SIZE  Xof.SEED_SIZE 
RAND_SIZE  Xof.SEED_SIZE * 3 + Idpf.RAND_SIZE 
NONCE_SIZE  16 
ROUNDS  2 
SHARES  2 
Measurement  int 
AggParam  tuple[int, Sequence[int]] 
PublicShare  same as the IDPF 
InputShare  tuple[bytes, bytes, list[FieldInner], list[FieldLeaf]] 
OutShare  FieldVec 
AggShare  FieldVec 
AggResult  list[int] 
PrepState  tuple[bytes, int, FieldVec] 
PrepShare  FieldVec 
PrepMessage  Optional[FieldVec] 
Variable  Value 

USAGE_SHARD_RAND: int  1 
USAGE_CORR_INNER: int  2 
USAGE_CORR_LEAF: int  3 
USAGE_VERIFY_RAND: int  4 
Parameter  Value 

SHARES  2 
BITS  any positive integer 
VALUE_LEN  any positive integer 
KEY_SIZE  Xof.SEED_SIZE 
FieldInner 
Field64 ( 
FieldLeaf 
Field255 ( 
Value  Scheme  Type  Reference 

0x00000000  Prio3Count  VDAF 

0x00000001  Prio3Sum  VDAF 

0x00000002  Prio3SumVec  VDAF 

0x00000003  Prio3Histogram  VDAF 

0x00000004  Prio3MultihotCountVec  VDAF 

0x00000005 to 0x00000FFF  reserved for Prio3  VDAF  n/a 
0x00001000  Poplar1  VDAF 

0xFFFF0000 to 0xFFFFFFFF  reserved  n/a  n/a 