Add np_onewayhashchains demo; secfxp (np)mul optimization.

Author: lschoe

demos/np_onewayhashchains.py

@@ -0,0 +1,171 @@
+"""Demo Threshold One-Way Hash Chains, vectorized.
+
+This demo is an extended reimplementation of the onewayhashchain.py demo for
+generating and reversing one-way hash chains in a multiparty setting.
+
+In addition to the Matyas-Meyer-Oseas one-way function based on AES, the SHAKE128
+oneway function from the SHA3 faimlty is also provided as an option.
+
+Note that in the output stage the hashes pertaining to different pebbles are
+evaluated in parallel, without increasing the overall round complexity. Multiple
+hashes pertaining to the same pebble, however, are necessarily evaluated in series,
+increasing the overall round complxity accordingly. 
+
+See demo onewayhashchain.py for more information.
+"""
+
+import argparse
+import itertools
+import numpy as np
+from mpyc.runtime import mpc
+import np_aes as aes  # vectorized AES demo operating on secure arrays over GF(256)
+import sha3  # vectorized SHA3/SHAKE demo operating on secure arrays over GF(2)
+
+f = None  # one-way function
+
+
+def tS(k, r):
+    """Optimal schedule for binary pebbling."""
+    if r < 2**(k-1):
+        return 0
+
+    return ((k + r)%2 + k+1 - ((2*r) % (2**(2**k - r).bit_length())).bit_length()) // 2
+
+
+def P(k, x):
+    """Recursive optimal binary pebbler outputs {f^i(x)}_{i=0}^{n-1} in reverse, n=2^k."""
+    # initial stage
+    y = [None]*k + [x]
+    i = k
+    g = 0
+    for r in range(1, 2**k):
+        for _ in range(tS(k, r)):
+            z = y[i]
+            if g == 0:
+                i -= 1
+                g = 2**i
+            y[i] = f(z)
+            g -= 1
+        yield
+    # output stage
+    yield y[0]
+    for v in itertools.zip_longest(*(P(i-1, y[i]) for i in range(1, k+1))):
+        yield next(filter(None, v))
+
+
+def p(k, x):
+    """Iterative optimal binary pebbler generating {f^i(x)}_{i=0}^{n-1} in reverse, n=2^k."""
+    # initial stage
+    z = []
+    y = x
+    for h in range(2**k, 1, -1):
+        if h & (h-1) == 0:  # h is power of 2
+            z.insert(0, y)
+        y = f(y)
+        yield
+    # output stage
+    yield y
+    a = [None] * (k>>1)
+    v = 0
+    for r in range(2**k - 1, 0, -1):
+        yield z[0]
+        c = r
+        i = 0
+        while ~c&1:
+            z[i] = z[i+1]
+            i += 1
+            c >>= 1
+        i += 1
+        c >>= 1
+        if c&1:
+            a[v] = (i, 0)
+            v += 1
+        u = v
+        w = (r&1) + i+1
+        while c:
+            while ~c&1:
+                w += 1
+                c >>= 1
+            u -= 1
+            q, g = a[u]
+            for _ in range(w//2):
+                y = z[q]
+                if not g:
+                    q -= 1
+                    g = 2**q
+                z[q] = f(y)
+                g -= 1
+            if q:
+                a[u] = q, g
+            else:
+                v -= 1
+            w = w&1
+            while c&1:
+                w += 1
+                c >>= 1
+
+
+async def main():
+    parser = argparse.ArgumentParser()
+    parser.add_argument('-k', '--order', type=int, metavar='K',
+                        help='order K of hash chain, length n=2**K')
+    parser.add_argument('--recursive', action='store_true',
+                        help='use recursive pebbler')
+    parser.add_argument('--sha3', action='store_true',
+                        help='use SHAKE128 as one-way function')
+    parser.add_argument('--no-one-way', action='store_true',
+                        help='use dummy one-way function')
+    parser.add_argument('--no-random-seed', action='store_true',
+                        help='use fixed seed')
+    parser.set_defaults(order=1)
+    args = parser.parse_args()
+
+    await mpc.start()
+
+    if args.recursive:
+        Pebbler = P
+    else:
+        Pebbler = p
+
+    secfld = sha3.secfld if args.sha3 else aes.secfld
+
+    IV = np.array([[3] * 4] * 4)  # IV as 4x4 array of bytes
+    global f
+    if args.no_one_way:
+        D = aes.circulant([3, 0, 0, 0])
+        f = lambda x: D @ x
+    elif args.sha3:
+        f = lambda x: sha3.shake(x, 128)
+    else:
+        K = aes.key_expansion(secfld.array(IV))
+        f = lambda x: aes.encrypt(K, x) + x
+
+    if args.no_random_seed:
+        if args.sha3:
+            # convert 4x4 array of bytes to length-128 array of bits
+            IV = np.array([(b >> i) & 1 for b in IV.flat for i in range(8)])
+        x0 = secfld.array(IV)
+    else:
+        x0 = mpc.np_random_bits(secfld, 128)
+        if not args.sha3:
+            # convert length-128 array of bits to 4x4 array of bytes
+            x0 = mpc.np_from_bits(x0.reshape(4, 4, 8))
+
+    xprint = sha3.xprint if args.sha3 else aes.xprint
+
+    k = args.order
+    print(f'Hash chain of length {2**k}:')
+    r = 1
+    for v in Pebbler(k, x0):
+        if v is None:  # initial stage
+            print(f'{r:4}', '-')
+            await mpc.throttler(0.0625)  # raise barrier every 16 calls to one-way f()
+        else:  # output stage
+            await xprint(f'{r:4} x{2**(k+1) - 1 - r:<4} =', v)
+        r += 1
+    print(f'Performed {k * 2**(k-1) = } hashes in total.')
+
+    await mpc.shutdown()
+
+if __name__ == '__main__':
+    mpc.run(main())

demos/onewayhashchains.py

@@ -143,6 +143,7 @@ async def main():
         else:  # output stage
             await aes.xprint(f'{r:4} x{2**(k+1) - 1 - r:<4} =', v)
         r += 1
+    print(f'Performed {k * 2**(k-1) = } hashes in total.')
 
     await mpc.shutdown()
 

demos/sha3.py

@@ -148,6 +148,16 @@ def shake(M, d, c=256):
     return keccak(c, N, d)
 
 
+async def xprint(text, s):
+    """Print and return bit array s as hex string."""
+    s = await mpc.output(s)
+    s = np.fliplr(s.reshape(-1, 8)).reshape(-1)  # reverse bits for each byte
+    d = len(s)
+    s = f'{int("".join(str(int(b)) for b in s), 2):0{d//4}x}'  # bits to hex digits with leading 0s
+    print(f'{text} {s}')
+    return s
+
+
 async def main():
     global keccak_f1600
 
@@ -206,15 +216,11 @@ async def main():
 
     X = args.i.encode() * args.n
     print(f'Input: {X}')
-
     x = np.array([(b >> i) & 1 for b in X for i in range(8)])  # bytes to bits
     x = secfld.array(x)  # secret-shared input bits
-    y = F(x, d, c)  # secret-shared output bits
-    y = await mpc.output(y)
-    y = np.fliplr(y.reshape(-1, 8)).reshape(-1)  # reverse bits for each byte
-    Y = f'{int("".join(str(int(b)) for b in y), 2):0{d//4}x}'  # bits to hex digits with leading 0s
 
-    print(f'Output: {Y}')
+    y = F(x, d, c)  # secret-shared output bits
+    Y = await xprint(f'Output:', y)
     assert Y == f(X).hexdigest(*e)
 
     await mpc.shutdown()

mpyc/__init__.py

@@ -26,7 +26,7 @@
 and statistics (securely mimicking Python’s statistics module).
 """
 
-__version__ = '0.8.9'
+__version__ = '0.8.10'
 __license__ = 'MIT License'
 
 import os
@@ -86,7 +86,7 @@ def get_arg_parser():
 
     group = parser.add_argument_group('MPyC misc')
     group.add_argument('--output-windows', action='store_true',
-                       help='screen output for parties 0<i<m (only on Windows)')
+                       help='screen output for parties 0<i<m (one window each)')
     group.add_argument('--output-file', action='store_true',
                        help='append output of parties 0<i<m to party{m}_{i}.log')
     group.add_argument('-f', type=str, default='',

mpyc/runtime.py

@@ -884,13 +884,15 @@ async def mul(self, a, b):
         else:
             a_integral = a.integral
             b_integral = shb and b.integral
-            b_is_int = False
+            z = 0
             if not shb:
                 if isinstance(b, int):
-                    b_is_int = True
+                    z = f
                 elif isinstance(b, float):
                     b = round(b * 2**f)
-            await self.returnType((stype, a_integral and (b_integral or b_is_int)))
+                    z = max(0, min(f, (b & -b).bit_length() - 1))
+                    b >>= z  # remove trailing zeros
+            await self.returnType((stype, a_integral and (b_integral or z == f)))
 
         if not shb:
             a = await self.gather(a)
@@ -899,12 +901,12 @@ async def mul(self, a, b):
         else:
             a, b = await self.gather(a, b)
         c = a * b
-        if f and (a_integral or b_integral) and not b_is_int:
-            c >>= f  # NB: in-place rshift
+        if f and (a_integral or b_integral) and z != f:
+            c >>= f - z  # NB: in-place rshift
         if shb:
             c = self._reshare(c)
-        if f and not (a_integral or b_integral) and not b_is_int:
-            c = self.trunc(stype(c))
+        if f and not (a_integral or b_integral) and z != f:
+            c = self.trunc(stype(c), f=f - z)
         return c
 
     @mpc_coro
@@ -920,21 +922,23 @@ async def np_multiply(self, a, b):
         else:
             a_integral = a.integral
             b_integral = shb and b.integral
-            b_is_int = False
+            z = 0
             if not shb:
                 if isinstance(b, int):
-                    b_is_int = True
+                    z = f
                 elif isinstance(b, float):
                     b = round(b * 2**f)
+                    z = max(0, min(f, (b & -b).bit_length() - 1))
+                    b >>= z  # remove trailing zeros
                 elif isinstance(b, np.ndarray):
                     if np.issubdtype(b.dtype, np.integer):
-                        b_is_int = True
+                        z = f
                     elif np.issubdtype(b.dtype, np.floating):
                         # NB: unlike for self.mul() no test if all entries happen to be integral
                         # Scale to Python int entries (by setting otypes='O', prevents overflow):
                         b = np.vectorize(round, otypes='O')(b * 2**f)
                     # TODO: handle b.dtype=object, checking if all elts are int
-            await self.returnType((stype, a_integral and (b_integral or b_is_int), shape))
+            await self.returnType((stype, a_integral and (b_integral or z == f), shape))
 
         if not shb:
             a = await self.gather(a)
@@ -943,12 +947,12 @@ async def np_multiply(self, a, b):
         else:
             a, b = await self.gather(a, b)
         c = a * b
-        if f and (a_integral or b_integral) and not b_is_int:
-            c >>= f  # NB: in-place rshift
+        if f and (a_integral or b_integral) and z != f:
+            c >>= f - z  # NB: in-place rshift
         if shb:
             c = self._reshare(c)
-        if f and not (a_integral or b_integral) and not b_is_int:
-            c = self.np_trunc(stype(c, shape=shape))
+        if f and not (a_integral or b_integral) and z != f:
+            c = self.np_trunc(stype(c, shape=shape), f=f - z)
         return c
 
     def div(self, a, b):
@@ -2240,7 +2244,16 @@ async def np_reshape(self, a, shape, order='C'):
         if isinstance(shape, int):
             shape = (shape,)  # ensure shape is a tuple
         if -1 in shape:
-            raise ValueError('reshape with unknown dimension not allowed for secure arrays')
+            if shape.count(-1) > 1:
+                raise ValueError('can only specify one unknown dimension')
+
+            if (n := a.size) % (n1 := -math.prod(shape)) != 0:
+                raise ValueError(f'cannot reshape array of size {n} into shape {shape}')
+
+            i = shape.index(-1)
+            shape = list(shape)
+            shape[i] = n // n1
+            shape = tuple(shape)
 
         if issubclass(stype, self.SecureFixedPointArray):
             await self.returnType((stype, a.integral, shape))
@@ -2461,6 +2474,17 @@ def np_append(self, arr, values, axis=None):
         """
         return self.np_concatenate((arr, values), axis=axis)
 
+    @mpc_coro_no_pc
+    async def np_fliplr(self, a):
+        """Reverse the order of elements along axis 1 (left/right).
+
+        For a 2D array, this flips the entries in each row in the left/right direction.
+        Columns are preserved, but appear in a different order than before.
+        """
+        await self.returnType((type(a), a.shape))
+        a = await self.gather(a)
+        return np.fliplr(a)
+
     def np_minimum(self, a, b):
         return b + (a < b) * (a - b)
 

mpyc/sectypes.py

@@ -588,8 +588,6 @@ def _coerce(self, other):
 
     def _coerce2(self, other):
         if isinstance(other, float):
-            if other.is_integer():
-                other = round(other)
             return other
 
         return super()._coerce2(other)
@@ -1030,6 +1028,10 @@ def __init__(self, value=None, shape=None):
         self.shape = shape
         super().__init__(value)
 
+    def __bool__(self):
+        """Return True if secure array is nonempty, False otherwise."""
+        return bool(self.size)
+
     def __array_function__(self, func, types, args, kwargs):
         # minimal redirect for now
         return eval(f'runtime.np_{func.__name__}')(*args, **kwargs)

tests/test_runtime.py

@@ -55,6 +55,8 @@ def test_secint_array(self):
         np.assertEqual(mpc.run(mpc.output(np.row_stack((c, c, c)))), np.row_stack((a, a, a)))
         np.assertEqual(mpc.run(mpc.output(np.split(c, 2, 1)[0])), np.split(a, 2, 1)[0])
         np.assertEqual(mpc.run(mpc.output(np.vsplit(c, np.array([1]))[0])), np.vsplit(a, [1])[0])
+        np.assertEqual(mpc.run(mpc.output(np.reshape(c, (-1,)))), np.reshape(a, (-1,)))
+        np.assertEqual(mpc.run(mpc.output(np.fliplr(c))), np.fliplr(a))
         a1, a2 = a[:, :, 1], a[:, 0, :].reshape(2, 1)
         np.assertEqual(mpc.run(mpc.output(np.add(secnum.array(a1), secnum.array(a2)))), a1 + a2)
         np.assertEqual(mpc.run(mpc.output(a1 + secnum.array(a[:, 0, :]).reshape(2, 1))), a1 + a2)