Protocols with function-dependent preprocessing.

Author: mkskeller

.github/ISSUE_TEMPLATE/unexpected-benchmark.md

@@ -0,0 +1,23 @@
+---
+name: Unexpected benchmarking result
+about: Some aspects are unexpectedly slow or fast
+title: ''
+labels: ''
+assignees: ''
+
+---
+
+**Describe the result**
+Why is the result unexpected?
+
+**To reproduce**
+High-level code as well as compilation and execution command lines
+
+**Outputs**
+Virtual machine outputs using `--verbose`
+
+**MP-SPDZ version**
+Version or commit you are using
+
+**Additional context**
+Add any other context about the problem here.

BMR/RealGarbleWire.h

@@ -12,7 +12,7 @@ template<class T> class RealProgramParty;
 template<class T> class RealGarbleWire;
 
 template<class T>
-class GarbleInputter
+class GarbleInputter : public InputterBase
 {
 public:
 	RealProgramParty<T>& party;

BMR/Register.h

@@ -194,6 +194,11 @@ class Register {
     void set_trace();
 };
 
+inline ostream& operator<<(ostream&, const Register&)
+{
+	throw runtime_error("BMR secret output not implemented");
+}
+
 
 // this is to fake a "cout" that does nothing
 class BlackHole
@@ -221,18 +226,18 @@ class Phase
 
 	static const bool actual_inputs = true;
 
+	static const bool garbled = true;
+
 	template <class T>
-	static void store_clear_in_dynamic(T& mem, const vector<GC::ClearWriteAccess>& accesses)
-	{ (void)mem; (void)accesses; }
+	static void store_clear_in_dynamic(T&, const vector<GC::ClearWriteAccess>&)
+	{}
 
 	template<class T>
-	static void store(NoMemory& dest,
-			const vector<GC::WriteAccess<T> >& accesses)
-	{ (void)dest; (void)accesses; throw runtime_error("dynamic memory not implemented"); }
+	static void store(NoMemory&, const vector<GC::WriteAccess<T> >&)
+	{ throw no_dynamic_memory(); }
 	template<class T>
-	static void load(vector<GC::ReadAccess<T> >& accesses,
-			const NoMemory& source)
-	{ (void)accesses; (void)source; throw runtime_error("dynamic memory not implemented"); }
+	static void load(vector<GC::ReadAccess<T> >&, const NoMemory&)
+	{ throw no_dynamic_memory(); }
 
 	template <class T>
 	static void andrs(T& processor, const vector<int>& args) { processor.andrs(args); }
@@ -265,7 +270,16 @@ class Phase
 	void output() {}
 };
 
-class NoOpInputter
+class InputterBase
+{
+public:
+    static bool is_me(int player, int my_num)
+    {
+        return player == my_num;
+    }
+};
+
+class NoOpInputter : public InputterBase
 {
 public:
 	PointerVector<char> inputs;
@@ -337,7 +351,7 @@ class PRFRegister : public ProgramRegister
 class ProgramParty;
 class EvalRegister;
 
-class EvalInputter
+class EvalInputter : public InputterBase
 {
 	class Tuple
 	{

CHANGELOG.md

@@ -1,5 +1,20 @@
 The changelog explains changes pulled through from the private development repository. Bug fixes and small enhancements are committed between releases and not documented here.
 
+## 0.4.1 (May 30, 2025)
+
+- Add protocols with function-dependent preprocessing (https://eprint.iacr.org/2025/919)
+- Parallelize shuffling (@vincent-ehrmanntraut)
+- More efficient probabilistic truncation in Rep3
+- More efficient binary to arithmetic conversion for one bit in Rep3
+- Backend optimizations benefitting the most efficient protocols like Rep3
+- Allow regint registers as argument in exported functions
+- More efficient dot product for GF(2^n)
+- File persistance for GF(2^n)
+- Output of binary secrets
+- SHA256
+- Improved navigation by providing links to relevant papers (`./compile.py --papers`) and outputting which code is executed (`./<protocol>-party.x --code-locations`)
+- Fixed security bug: remove MAC key in case of failure
+
 ## 0.4.0 (November 21, 2024)
 
 - Functionality to call high-level code from C++

CONFIG

@@ -102,6 +102,7 @@ endif
 
 ifeq ($(OS), Linux)
 LDLIBS += -lrt
+LDLIBS += -z noexecstack
 endif
 
 BOOST = -lboost_thread $(MY_BOOST)

Compiler/GC/instructions.py

@@ -76,6 +76,7 @@ class ClearBitsAF(base.RegisterArgFormat):
     PRINTREGPLAINB = 0x222,
     PRINTFLOATPLAINB = 0x223,
     CONDPRINTSTRB = 0x224,
+    PRINTREGPLAINSB = 0x225,
     CONVCBIT = 0x230,
     CONVCBITVEC = 0x231,
 )
@@ -551,6 +552,11 @@ def __init__(self, *args, **kwargs):
         super(split_class, self).__init__(*args, **kwargs)
         assert (len(args) - 2) % args[0] == 0
 
+    def add_usage(self, req_node):
+        req_node.increment(('modp', '%d-way split' % self.args[0]),
+                           self.get_size())
+        req_node.increment(('modp', '%d-way split round' % self.args[0]), 1)
+
 class movsb(BinaryVectorInstruction):
     """ Copy secret bit register.
 
@@ -694,6 +700,14 @@ class print_reg_plainb(NonVectorInstruction, base.IOInstruction):
     code = opcodes['PRINTREGPLAINB']
     arg_format = ['cb']
 
+class print_reg_plainsb(NonVectorInstruction, base.IOInstruction):
+    """ Output secret bit register.
+
+    :param: source (sbit)
+    """
+    code = opcodes['PRINTREGPLAINSB']
+    arg_format = ['sb']
+
 class print_reg_signed(base.IOInstruction):
     """ Signed output of clear bit register.
 

Compiler/GC/types.py

@@ -136,6 +136,10 @@ def new(cls, value=None, n=None):
         if util.is_constant(value):
             n = value.bit_length()
         return cls.get_type(n)(value)
+    @classmethod
+    def same_type(cls, size=None):
+        assert size is None or size == math.ceil(self.n / self.unit)
+        return cls()
     def __init__(self, value=None, n=None, size=None):
         assert n == self.n or n is None
         if size != 1 and size is not None:
@@ -163,7 +167,7 @@ def load_int(self, value):
     def load_other(self, other):
         if isinstance(other, cint):
             assert(self.n == other.size)
-            self.conv_regint_by_bit(self.n, self, other.to_regint(1))
+            self.conv_regint_by_bit(self.n, self, other.to_regint(1, sync=False))
         elif isinstance(other, int):
             self.set_length(self.n or util.int_len(other))
             self.load_int(other)
@@ -284,8 +288,7 @@ def copy_from_part(self, source, base, size):
                  self.bit_compose(source.bit_decompose()[base:base + size]))
     def vector_size(self):
         return self.n
-    @staticmethod
-    def size_for_mem():
+    def size_for_mem(self):
         return 1
 
 class cbits(bits):
@@ -576,7 +579,7 @@ def __mul__(self, other):
     __rmul__ = __mul__
     def _and(self, other):
         res = self.new(n=self.n)
-        if not isinstance(other, sbits):
+        if not isinstance(other, sbits) and Program.prog.use_mulm:
             other = cbits.get_type(self.n).conv(other)
             inst.andm(self.n, res, self, other)
             return res
@@ -687,6 +690,8 @@ def bit_adder(*args, **kwargs):
     @staticmethod
     def ripple_carry_adder(*args, **kwargs):
         return sbitint.ripple_carry_adder(*args, **kwargs)
+    def output(self):
+        inst.print_reg_plainsb(self)
 
 class sbitvec(_vec, _bit, _binary):
     """ Vector of registers of secret bits, effectively a matrix of secret bits.
@@ -789,6 +794,8 @@ def __init__(self, other=None, size=None):
                 instructions_base.check_vector_size(size)
                 if other is not None:
                     if util.is_constant(other):
+                        if util.int_len(other) > n:
+                            raise CompilerError('constant outside domain')
                         t = sbits.get_type(size or 1)
                         self.v = [t(((other >> i) & 1) * ((1 << t.n) - 1))
                                   for i in range(n)]
@@ -870,13 +877,14 @@ def from_matrix(cls, matrix):
         # any number of rows, limited number of columns
         return cls.combine(cls(row) for row in matrix)
     @classmethod
-    def from_hex(cls, string):
+    def from_hex(cls, string, reverse=True):
         """ Create from hexadecimal string (little-endian). """
         assert len(string) % 2 == 0
         v = []
+        trans = reversed if reverse else list
         for i in range(0, len(string), 2):
             v += [sbit(int(x))
-                  for x in reversed(bin(int(string[i:i + 2], 16))[2:].zfill(8))]
+                  for x in trans(bin(int(string[i:i + 2], 16))[2:].zfill(8))]
         return cls.from_vec(v)
     def __init__(self, elements=None, length=None, input_length=None):
         if length:

Compiler/allocator.py

@@ -499,14 +499,15 @@ def handle_mem_access(addr, reg_type, last_access_this_kind,
         def mem_access(n, instr, last_access_this_kind, last_access_other_kind):
             addr = instr.args[1]
             reg_type = instr.args[0].reg_type
+            budget = block.parent.program.budget
             if isinstance(addr, int):
-                for i in range(min(instr.get_size(), 100)):
+                for i in range(min(instr.get_size(), budget)):
                     addr_i = addr + i
                     handle_mem_access(addr_i, reg_type, last_access_this_kind,
                                       last_access_other_kind)
                 if block.warn_about_mem and \
                    not block.parent.warned_about_mem and \
-                   (instr.get_size() > 100) and not instr._protect:
+                   (instr.get_size() > budget) and not instr._protect:
                     print('WARNING: Order of memory instructions ' \
                         'not preserved due to long vector, errors possible')
                     block.parent.warned_about_mem = True
@@ -593,7 +594,7 @@ def keep_text_order(inst, n):
                 keep_text_order(instr, n)
             elif isinstance(instr, RawInputInstruction):
                 keep_merged_order(instr, n, RawInputInstruction)
-            elif isinstance(instr, matmulsm):
+            elif isinstance(instr, matmulsm_class):
                 if options.preserve_mem_order:
                     strict_mem_access(n, last_mem_read, last_mem_write)
                 else:
@@ -735,7 +736,7 @@ def merge_nodes(self, i, j):
         G.get_attr(i, 'merges').append(j)
         G.remove_node(j)
 
-    def eliminate_dead_code(self):
+    def eliminate_dead_code(self, only_ldint=False):
         instructions = self.instructions
         G = self.G
         merge_nodes = self.open_nodes
@@ -745,6 +746,8 @@ def eliminate_dead_code(self):
         for i,inst in zip(range(len(instructions) - 1, -1, -1), reversed(instructions)):
             if inst is None:
                 continue
+            if only_ldint and not isinstance(inst, ldint_class):
+                continue
             can_eliminate_defs = True
             for reg in inst.get_def():
                 for dup in reg.duplicates:
@@ -800,7 +803,9 @@ def add_offset(self, res, new_base, new_offset, multiplier):
             self.rev_offset_cache[new_base.i, new_offset, multiplier] = res
 
     def run(self, instructions, program):
+        changed = defaultdict(int)
         for i, inst in enumerate(instructions):
+            pre = inst
             if isinstance(inst, ldint_class):
                 self.cache[inst.args[0]] = inst.args[1]
             elif isinstance(inst, incint):
@@ -882,8 +887,12 @@ def f(reg, cached, reverse):
                     cond = self.cache[inst.args[0]]
                     if not cond:
                         instructions[i] = None
+            if pre != instructions[i]:
+                changed[type(inst).__name__] += 1
         pre = len(instructions)
         instructions[:] = list(filter(lambda x: x is not None, instructions))
         post = len(instructions)
+        if changed and program.options.verbose:
+            print('regint optimizer changed:', dict(changed))
         if pre != post and program.options.verbose:
             print('regint optimizer removed %d instructions' % (pre - post))

Compiler/circuit.py

@@ -11,7 +11,7 @@
 import math
 
 from Compiler.GC.types import *
-from Compiler.library import function_block, get_tape
+from Compiler.library import *
 from Compiler import util
 import itertools
 import struct
@@ -63,8 +63,11 @@ def __call__(self, *inputs):
     def run(self, *inputs):
         n = inputs[0][0].n, get_tape()
         if n not in self.functions:
-            self.functions[n] = function_block(
-                lambda *args: self.compile(*args))
+            if get_program().force_cisc_tape:
+                f = function_call_tape
+            else:
+                f = function_block
+            self.functions[n] = f(lambda *args: self.compile(*args))
             self.functions[n].name = '%s(%d)' % (self.name, inputs[0][0].n)
         flat_res = self.functions[n](*itertools.chain(*inputs))
         res = []
@@ -234,6 +237,69 @@ def insert_block(local_S, local_P):
             S = unflatten(Keccak_f(flatten(S)))
     return sbitvec.from_vec(Z[:256])
 
+sha256_circuit = None
+
+def sha256(x):
+    """
+    This function implements SHA2-256::
+
+      from circuit import sha256
+      a = sbitvec.from_vec([])
+      b = sbitvec.from_hex('d3', reverse=False)
+      c = sbitvec.from_hex(
+        '3ebfb06db8c38d5ba037f1363e118550aad94606e26835a01af05078533cc25f2f39573c04b632f62f68c294ab31f2a3e2a1a0d8c2be51',
+        reverse=False)
+      d = sbitvec.from_hex(
+        '5a86b737eaea8ee976a0a24da63e7ed7eefad18a101c1211e2b3650c5187c2a8a650547208251f6d4237e661c7bf4c77f335390394c37fa1a9f9be836ac28509',
+        reverse=False)
+
+      for x in a, b, c:
+        sha256(x).reveal().print_reg()
+
+    This should output the hashes of the above inputs, namely
+    the `test vectors
+    <https://csrc.nist.gov/Projects/Cryptographic-Algorithm-Validation-Program/Secure-Hashing#shavs>`_
+    of SHA2-256 for 0, 8, 440, 512 bits::
+
+      Reg[0] = 0xe3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 #
+      Reg[0] = 0x28969cdfa74a12c82f3bad960b0b000aca2ac329deea5c2328ebc6f2ba9802c1 #
+      Reg[0] = 0x6595a2ef537a69ba8583dfbf7f5bec0ab1f93ce4c8ee1916eff44a93af5749c4 #
+      Reg[0] = 0x42e61e174fbb3897d6dd6cef3dd2802fe67b331953b06114a65c772859dfc1aa #
+
+    """
+    global sha256_circuit
+    if not sha256_circuit:
+        sha256_circuit = Circuit('sha256')
+
+    L = len(x.v)
+    padding = [1]
+    while (len(padding) + L) % 512 != (512 - 64):
+        padding.append(0)
+    padding += [(L >> (63 - i)) & 1 for i in range(64)]
+
+    padded = x.v + [sbit(b) for b in padding]
+
+    h = [
+        0x6a, 0x09, 0xe6, 0x67,
+        0xbb, 0x67, 0xae, 0x85,
+        0x3c, 0x6e, 0xf3, 0x72,
+        0xa5, 0x4f, 0xf5, 0x3a,
+        0x51, 0x0e, 0x52, 0x7f,
+        0x9b, 0x05, 0x68, 0x8c,
+        0x1f, 0x83, 0xd9, 0xab,
+        0x5b, 0xe0, 0xcd, 0x19
+    ]
+
+    state = list(reversed(
+        [sbit((h[i // 8] >> (7 - i % 8)) & 1) for i in range(256)]))
+
+    for i in range(0, len(padded), 512):
+        chunk = list(reversed(padded[i:i + 512]))
+        assert len(chunk) == 512
+        state = sha256_circuit(chunk + state).v
+
+    return sbitvec.from_vec(state)
+
 class ieee_float:
     """
     This gives access IEEE754 floating-point operations using Bristol