Maintenance.

BMR/Party.cpp

@@ -31,7 +31,6 @@
 #include "GC/Thread.hpp"
 #include "GC/ThreadMaster.hpp"
 #include "GC/Program.hpp"
-#include "GC/Instruction.hpp"
 #include "Processor/Instruction.hpp"
 #include "Protocols/Share.hpp"
 

BMR/RealProgramParty.hpp

@@ -17,7 +17,6 @@
 #include "GC/Machine.hpp"
 #include "GC/Processor.hpp"
 #include "GC/Program.hpp"
-#include "GC/Instruction.hpp"
 #include "GC/Secret.hpp"
 #include "GC/Thread.hpp"
 #include "GC/ThreadMaster.hpp"
@@ -113,6 +112,7 @@ RealProgramParty<T>::RealProgramParty(int argc, const char** argv) :
 	garble_processor.reset(program);
 	this->processor.open_input_file(N.my_num(), 0);
 
+	T::bit_type::mac_key_type::init_field();
 	GC::ShareThread<typename T::bit_type> share_thread(N, online_opts, *P, 0, usage);
 	shared_proc = new SubProcessor<T>(dummy_proc, *MC, *prep, *P);
 

BMR/Register.hpp

@@ -56,7 +56,7 @@ void EvalRegister::store_clear_in_dynamic(GC::Memory<T>& mem,
 		T& dest = mem[access.address];
 		GC::Clear value = access.value;
 		ProgramParty& party = ProgramParty::s();
-		dest.assign(value.get(), party.get_id() - 1, party.get_mac_key().get());
+		dest = T::constant(value.get(), party.get_id() - 1, party.get_mac_key().get());
 #ifdef DEBUG_DYNAMIC
 		cout << "store clear " << dest.share << " " << dest.mac << " " << value << endl;
 #endif
@@ -105,7 +105,7 @@ void EvalRegister::store(GC::Memory<U>& mem,
 			U tmp;
 			gf2n_long ext = (int)reg.get_external();
 			//cout << "ext:" << ext << "/" << (int)reg.get_external() << " " << endl;
-			tmp.add(spdz_wire.mask, ext, (int)party.get_id() - 1, party.get_mac_key());
+			tmp = spdz_wire.mask + U::constant(ext, (int)party.get_id() - 1, party.get_mac_key());
 			S.push_back(tmp);
 			tmp *= gf2n_long(1) << i;
 			dest += tmp;

BMR/TrustedParty.cpp

@@ -28,7 +28,6 @@
 #include "GC/Thread.hpp"
 #include "GC/ThreadMaster.hpp"
 #include "GC/Program.hpp"
-#include "GC/Instruction.hpp"
 #include "GC/ShareSecret.hpp"
 #include "Processor/Instruction.hpp"
 #include "Protocols/Share.hpp"

CHANGELOG.md

@@ -1,5 +1,14 @@
 The changelog explains changes pulled through from the private development repository. Bug fixes and small enhancements are committed between releases and not documented here.
 
+## 0.2.2 (Jan 21, 2020)
+
+- Infrastructure for random element generation
+- Programs generating as much preprocessing data as required by a particular high-level program
+- Smaller binaries
+- Cleaning up code
+- Removing unused virtual machine instructions
+- Fixed security bug: wrong MAC check in SPDZ2k input tuple generation
+
 ## 0.2.1 (Dec 11, 2020)
 
 - Virtual machines automatically use the modulus used during compilation
@@ -14,9 +23,9 @@ The changelog explains changes pulled through from the private development repos
 - Training and inference for multi-class classification
 - Local share conversion for semi-honest protocols based on additive secret sharing modulo a power of two
 - edaBit generation based on local share conversion
-- Optimize exponentation with local share conversion
+- Optimize exponentiation with local share conversion
 - Optimize Shamir pseudo-random secret sharing using a hyper-invertible matrix
-- Mathematical functions (exponentation, logarithm, square root, and trigonometric functions) with binary circuits
+- Mathematical functions (exponentiation, logarithm, square root, and trigonometric functions) with binary circuits
 - Direct construction of fixed-point values from any type, breaking `sfix(x)` where `x` is the integer representation of a fixed-point number. Use `sfix._new(x)` instead.
 - Optimized dot product for `sfix`
 - Matrix multiplication via operator overloading uses VM-optimized multiplication.
@@ -70,7 +79,7 @@ The changelog explains changes pulled through from the private development repos
 - Mixed circuit computation with secret sharing
 - Binary computation for dishonest majority using secret sharing as in [FKOS15](https://eprint.iacr.org/2015/901)
 - Fixed security bug: insufficient OT correlation check in SPDZ2k
-- This version breaks bytecode compatibilty.
+- This version breaks bytecode compatibility.
 
 ## 0.1.3 (Nov 21, 2019)
 
@@ -133,7 +142,7 @@ The changelog explains changes pulled through from the private development repos
 ## 0.0.4 (Oct 11, 2018)
 
 - Added BMR, Yao's garbled circuits, and semi-honest 3-party replicated secret sharing for arithmetic and binary circuits.
-- Use inline assembly instead of MPIR for arithmetic modulo primes up length upt to 128 bit.
+- Use inline assembly instead of MPIR for arithmetic modulo primes up length up to 128 bit.
 - Added a secure multiplication instruction to the instruction set in order to accommodate protocols that don't use Beaver randomization.
 
 ## 0.0.3 (Mar 2, 2018)

Compiler/allocator.py

@@ -483,10 +483,6 @@ def keep_merged_order(instr, n, t):
                 print("Processed dependency of %d/%d instructions at" % \
                     (n, len(block.instructions)), time.asctime())
 
-        if len(open_nodes) > 1000 and self.block.parent.program.verbose:
-            print("Basic block has %d %s instructions" %
-                  (len(open_nodes), merge_classes))
-
     def merge_nodes(self, i, j):
         """ Merge node j into i, removing node j """
         G = self.G

Compiler/floatingpoint.py

@@ -288,18 +288,8 @@ def BitDecFieldRaw(a, k, m, kappa, bits_to_compute=None):
     c = types.cint()
     r = [types.sint() for i in range(m)]
     comparison.PRandM(r_dprime, r_prime, r, k, m, kappa)
-    #assert(r_prime.value == sum(r[i].value*2**i for i in range(m)) % comparison.program.P)
     pow2 = two_power(k + kappa)
     asm_open(c, pow2 + two_power(k) + a - two_power(m)*r_dprime - r_prime)
-    #rval = 2**m*r_dprime.value + r_prime.value
-    #assert(rval % 2**m == r_prime.value)
-    #assert(rval == (2**m*r_dprime.value + sum(r[i].value*2**i for i in range(m)) % comparison.program.P ))
-    try:
-        pass#assert(c.value == (2**(k + kappa) + 2**k + (a.value%2**k) - rval) % comparison.program.P)
-    except AssertionError:
-        print('BitDec assertion failed')
-        print('a =', a.value)
-        print('a mod 2^%d =' % k, (a.value % 2**k))
     res = r[0].bit_adder(r, list(r[0].bit_decompose_clear(c,m)))
     return res
 
@@ -328,7 +318,6 @@ def B2U(a, l, kappa):
     return B2U_from_Pow2(pow2a, l, kappa), pow2a
 
 def B2U_from_Pow2(pow2a, l, kappa):
-    #assert(pow2a.value == 2**a.value)
     r = [types.sint() for i in range(l)]
     t = types.sint()
     c = types.cint()
@@ -354,8 +343,10 @@ def B2U_from_Pow2(pow2a, l, kappa):
     #print ' '.join(str(b.value) for b in y)
     return [types.sint.conv(1 - y[i]) for i in range(l)]
 
-def Trunc(a, l, m, kappa, compute_modulo=False, signed=False):
+def Trunc(a, l, m, kappa=None, compute_modulo=False, signed=False):
     """ Oblivious truncation by secret m """
+    prog = program.Program.prog
+    kappa = kappa or prog.security
     if util.is_constant(m) and not compute_modulo:
         # cheaper
         res = type(a)(size=a.size)
@@ -376,28 +367,22 @@ def Trunc(a, l, m, kappa, compute_modulo=False, signed=False):
     ci = [types.cint() for i in range(l)]
     d = types.sint()
     x, pow2m = B2U(m, l, kappa)
-    #assert(pow2m.value == 2**m.value)
-    #assert(sum(b.value for b in x) == m.value)
     for i in range(l):
         bit(r[i])
         t1 = two_power(i) * r[i]
         t2 = t1*x[i]
         r_prime += t2
         r_dprime += t1 - t2
-    #assert(r_prime.value == (sum(2**i*x[i].value*r[i].value for i in range(l)) % comparison.program.P))
     if program.Program.prog.options.ring:
         n_shift = int(program.Program.prog.options.ring) - l
         c = ((a + r_dprime + r_prime) << n_shift).reveal() >> n_shift
     else:
         comparison.PRandInt(rk, kappa)
         r_dprime += two_power(l) * rk
-        #assert(r_dprime.value == (2**l * rk.value + sum(2**i*(1 - x[i].value)*r[i].value for i in range(l)) % comparison.program.P))
         asm_open(c, a + r_dprime + r_prime)
     for i in range(1,l):
         ci[i] = c % two_power(i)
-        #assert(ci[i].value == c.value % 2**i)
     c_dprime = sum(ci[i]*(x[i-1] - x[i]) for i in range(1,l))
-    #assert(c_dprime.value == (sum(ci[i].value*(x[i-1].value - x[i].value) for i in range(1,l)) % comparison.program.P))
     lts(d, c_dprime, r_prime, l, kappa)
     if compute_modulo:
         b = c_dprime - r_prime + pow2m * d
@@ -408,7 +393,6 @@ def Trunc(a, l, m, kappa, compute_modulo=False, signed=False):
             shifted = TruncInRing(to_shift, l, pow2m)
         else:
             pow2inv = Inv(pow2m)
-            #assert(pow2inv.value * pow2m.value % comparison.program.P == 1)
             shifted = to_shift * pow2inv
         b = shifted - d
     return b

Compiler/instructions.py

@@ -256,27 +256,6 @@ class gstmsi(base.WriteMemoryInstruction, base.IndirectMemoryInstruction):
     arg_format = ['sg','ci']
     direct = staticmethod(gstms)
 
-@base.gf2n
-@base.vectorize
-class protectmems(base.Instruction):
-    r""" Protects secret memory range $[ci_i,ci_j)$. """
-    code = base.opcodes['PROTECTMEMS']
-    arg_format = ['ci','ci']
-
-@base.gf2n
-@base.vectorize
-class protectmemc(base.Instruction):
-    r""" Protects clear memory range $[ci_i,ci_j)$. """
-    code = base.opcodes['PROTECTMEMC']
-    arg_format = ['ci','ci']
-
-@base.gf2n
-@base.vectorize
-class protectmemint(base.Instruction):
-    r""" Protects integer memory range $[ci_i,ci_j)$. """
-    code = base.opcodes['PROTECTMEMINT']
-    arg_format = ['ci','ci']
-
 @base.gf2n
 @base.vectorize
 class movc(base.Instruction):
@@ -1177,6 +1156,18 @@ class randoms(base.Instruction):
     arg_format = ['sw','int']
     field_type = 'modp'
 
+@base.vectorize
+class randomfulls(base.Instruction):
+    """ Store share(s) of a fresh secret random element in secret
+    register (vectors).
+
+    :param: destination (sint)
+    """
+    __slots__ = []
+    code = base.opcodes['RANDOMFULLS']
+    arg_format = ['sw']
+    field_type = 'modp'
+
 @base.gf2n
 @base.vectorize
 class square(base.DataInstruction):
@@ -1415,14 +1406,6 @@ def add_usage(self, req_node):
             req_node.increment((self.field_type, 'input', player), \
                                self.get_size())
 
-@base.gf2n
-@base.vectorize
-class print_mem(base.IOInstruction):
-    r""" Print value in clear memory \verb|C[ci]| to stdout. """
-    __slots__ = []
-    code = base.opcodes['PRINTMEM']
-    arg_format = ['c']
-
 @base.gf2n
 @base.vectorize
 class print_reg(base.IOInstruction):
@@ -1527,18 +1510,6 @@ class cond_print_str(base.IOInstruction):
     def __init__(self, cond, val):
         super(cond_print_str, self).__init__(cond, self.str_to_int(val))
 
-@base.vectorize
-class print_char_regint(base.IOInstruction):
-    r""" Print register $ci_i$ as a single character to stdout. """
-    code = base.opcodes['PRINTCHRINT']
-    arg_format = ['ci']
-
-@base.vectorize
-class print_char4_regint(base.IOInstruction):
-    r""" Print register $ci_i$ as a four character string to stdout. """
-    code = base.opcodes['PRINTSTRINT']
-    arg_format = ['ci']
-
 @base.vectorize
 class pubinput(base.PublicFileIOInstruction):
     """ Store public input in clear integer register (vector).
@@ -1717,6 +1688,11 @@ class startprivateoutput(base.Instruction):
     __slots__ = []
     code = base.opcodes['STARTPRIVATEOUTPUT']
     arg_format = ['sw','s','p']
+    field_type = 'modp'
+
+    def add_usage(self, req_node):
+        req_node.increment((self.field_type, 'input', self.args[2]), \
+                               self.get_size())
 
 @base.gf2n
 @base.vectorize

Compiler/instructions_base.py

@@ -112,6 +112,7 @@
     EDABIT = 0x59,
     SEDABIT = 0x5A,
     RANDOMS = 0x5B,
+    RANDOMFULLS = 0x5D,
     # Input
     INPUT = 0x60,
     INPUTFIX = 0xF0,

Compiler/library.py

@@ -1511,7 +1511,7 @@ def break_point(name=''):
 # Fixed point ops
 
 from math import ceil, log
-from .floatingpoint import PreOR, TruncPr, two_power, shift_two
+from .floatingpoint import PreOR, TruncPr, two_power
 
 def approximate_reciprocal(divisor, k, f, theta):
     """
@@ -1599,7 +1599,6 @@ def sint_cint_division(a, b, k, f, kappa):
     B = absolute_b
     W = w0
 
-
     @for_range(1, theta)
     def block(i):
         A.link(TruncPr(A * W, 2*k, f, kappa))

Compiler/mpc_math.py

@@ -393,7 +393,7 @@ class my_fix(type(a)):
 
 @types.vectorize
 @instructions_base.sfix_cisc
-def log2_fx(x, use_division=False):
+def log2_fx(x, use_division=True):
     """
     Returns the result of :math:`\log_2(x)` for any unbounded
     number. This is achieved by changing :py:obj:`x` into

Compiler/types.py

@@ -614,12 +614,6 @@ class _clear(_register):
     __slots__ = []
     mov = staticmethod(movc)
 
-    @vectorized_classmethod
-    @set_instruction_type
-    def protect_memory(cls, start, end):
-        program.curr_tape.start_new_basicblock(name='protect-memory')
-        protectmemc(regint(start), regint(end))
-
     @set_instruction_type
     @vectorize
     def load_other(self, val):
@@ -1140,11 +1134,6 @@ class regint(_register, _int):
     instruction_type = 'modp'
     mov = staticmethod(movint)
 
-    @classmethod
-    def protect_memory(cls, start, end):
-        program.curr_tape.start_new_basicblock(name='protect-memory')
-        protectmemint(regint(start), regint(end))
-
     @vectorized_classmethod
     def load_mem(cls, address, mem_type=None):
         """ Load from memory by public address. """
@@ -1530,12 +1519,6 @@ class _secret(_register):
     PreOR = staticmethod(lambda l: floatingpoint.PreORC(l))
     PreOp = staticmethod(lambda op, l: floatingpoint.PreOpL(op, l))
 
-    @vectorized_classmethod
-    @set_instruction_type
-    def protect_memory(cls, start, end):
-        program.curr_tape.start_new_basicblock(name='protect-memory')
-        protectmems(regint(start), regint(end))
-
     @vectorized_classmethod
     @set_instruction_type
     def get_input_from(cls, player):
@@ -1831,6 +1814,13 @@ def get_random_int(cls, bits):
         comparison.PRandInt(res, bits)
         return res
 
+    @vectorized_classmethod
+    def get_random(cls):
+        """ Secret random ring element according to security model. """
+        res = sint()
+        randomfulls(res)
+        return res
+
     @vectorized_classmethod
     def get_input_from(cls, player):
         """ Secret input.
@@ -3197,6 +3187,8 @@ class _single(_number, _structure):
     __slots__ = ['v']
     kappa = None
     round_nearest = False
+    """ Whether to round deterministically to nearest instead of
+    probabilistically, e.g. after fixed-point multiplication. """
 
     @classmethod
     def receive_from_client(cls, n, client_id, message_type=ClientMessageType.NoType):

ECDSA/Fake-ECDSA.cpp

@@ -10,6 +10,7 @@
 #include "Protocols/fake-stuff.hpp"
 #include "Protocols/Share.hpp"
 #include "Processor/Data_Files.hpp"
+#include "Math/gfp.hpp"
 
 int main()
 {

ECDSA/P256Element.cpp

@@ -86,9 +86,7 @@ P256Element& P256Element::operator +=(const P256Element& other)
 
 P256Element& P256Element::operator /=(const Scalar& other)
 {
-    auto tmp = other;
-    tmp.invert();
-    *this = *this * tmp;
+    *this = *this * other.invert();
     return *this;
 }