add src/libspu/mpc/swift #984
Conversation
There was a problem hiding this comment.
一些整体建议和疑问:
- 协议实现说明添加:没有silent、没有malicious TTP处理ideal func、没有online/offline分割、没有SOC的IO流程、只有三方协议
- 添加作者信息和联系邮箱
- 每个协议最好标注对应论文位置
- 和aby3对比,算子列表diff
一共注册了32个算子
- aby3的b2a有两个,byot和byppa,还有个selector
- swift多出来的:CastTypeB、TruncA
- swift缺少的:CommonTypeV、equalAA/equalAP、MulA1B、randB
- 建一个experimental文件夹放
- 通信addCommStatsManually调用不在真正通信的位置,是什么约定俗成的写法么?
- prsspair生成随机数,有的地方移位,有的地方不移位的原因:e.g. sharing、MulAA_semi、RssMul_semi
@gemini-code-assist Please double check if these concerns are resolved, thanks. |
|
Thanks for your review, @rivertalk. I'll address these points:
|
|
|
||
| NdArrayRef fromShares(const std::vector<NdArrayRef>& shares) const override; | ||
|
|
||
| // std::vector<NdArrayRef> makeBitSecret(const PtBufferView& in) const |
|
|
||
| NdArrayRef alpha1(ty, in.shape()); | ||
| NdArrayRef alpha2(ty, in.shape()); | ||
| NdArrayRef beta(ty, in.shape()); |
There was a problem hiding this comment.
虽然没看懂你的解释,不过本质上传这俩安全性一样,P0本地都可以反推出来,只是为了和论文描述保持一致而已,不改也行
|
|
||
| auto reconstruct_w = | ||
| RSS_A2P(ctx, w, "reconstruct w in MulPre"); // comm => 1, 2k | ||
| // We need to change w from field_sigma_plus_k to field, |
There was a problem hiding this comment.
好像不是因为 c = c0 + c1 + c2- 2^l, 是因为 c=a*b mod 2^l
There was a problem hiding this comment.
应该是两种情况都有,但分片进位这种情况在环转换协议正确的情况下,应该是不存在的。理论上说,应该在密态下去处理这个ab出现的进位,不然是有安全问题的,泄漏了ab>2^l这一信息。
|
|
||
| auto reconstruct_w = | ||
| RSS_A2P(ctx, w, "reconstruct w in MulPre"); // comm => 1, 2k | ||
| // We need to change w from field_sigma_plus_k to field, |
There was a problem hiding this comment.
应该是两种情况都有,但分片进位这种情况在环转换协议正确的情况下,应该是不存在的。理论上说,应该在密态下去处理这个ab出现的进位,不然是有安全问题的,泄漏了ab>2^l这一信息。
| } | ||
|
|
||
| // extend each element from FieldType_in to FieldType_out | ||
| NdArrayRef RingChange(KernelEvalContext* ctx, const NdArrayRef& in, |
There was a problem hiding this comment.
这个环转换协议有论文出处么,这里的实现看起来就是把分片直接转到大环上,那这个协议正确性是有问题的。小环转换大环上,是要处理分片进位的,才能保证数值正确性。
| } | ||
|
|
||
| // matrix version of MulPre | ||
| NdArrayRef MatMulPre(KernelEvalContext* ctx, const NdArrayRef& lhs, |
There was a problem hiding this comment.
reminder: 后续这个函数里面的mod 2^l也需要处理
| // rd = \Sigma_{i=d}^{k-1} (2^{i-d} * r[i]) | ||
| // so in swift : r = rshift(r, d) | ||
| // which cause the truncation result to be wrong | ||
| // so we need to guarantee the msb of r is 0, |
There was a problem hiding this comment.
那是不是意味着使用trunc(v)=trunc(v-r)+trunc(r), open(v-r)的时候,会泄漏v的最高位?
| // and use the following expression to calculate r and rd | ||
| // r = \Sigma_{i=0}^{k-1} (2^i * r[i]) | ||
| // rd = \Sigma_{i=d}^{k-1} (2^{i-d} * r[i]) | ||
| // so in swift : r = rshift(r, d) |
There was a problem hiding this comment.
论文里面只处理了(d, . . . , l−1), 如果把高d位补充为最高位r[l-1],加到计算里面,是不是就能解决了?
| Y = Y.transpose(); | ||
| Q = Q.transpose(); | ||
|
|
||
| tmp = matmul.proc(ctx, X, Y); |
There was a problem hiding this comment.
这里用matmul来实现内积,冗余计算太多了。numel个内积->矩阵乘的numel*numel个内积
| // For the AndPre, the probability of accepting incorrect triple is 1/2 | ||
| // However, when we are handling a boolean share with nbits, the probability | ||
| // will be 2^{-nbits} | ||
| NdArrayRef AndPre(KernelEvalContext* ctx, const NdArrayRef& lhs, |
There was a problem hiding this comment.
对于boolean share是不是应该用你cite那篇文章里面的cut-and-choose的方法做check, 附录A.2.2
|
|
||
| SPU_ENFORCE(start <= end); | ||
| SPU_ENFORCE(end <= SizeOf(field) * 8); | ||
| const size_t out_nbits = std::max(getNumBits(in), end); |
There was a problem hiding this comment.
感觉如果end大于有效的nbits的话,reverse后的结果会是一个比较怪的形式,会将原来的 nbits 到 end中间的无效比特位转到start 和 end 中间。但目前的这些本地布尔操作的实现是参考已有的semi2k中的代码,也是取out_nbits = std::max(getNumBits(in), end),请问一下水乐老师这样处理是对的吗? @w-gc
Pull Request
What problem does this PR solve?
增加Swift协议,参考论文《SWIFT: Super-fast and Robust Privacy-Preserving Machine Learning》(ref: https://eprint.iacr.org/2020/592) 中的三方恶意安全版本。
Issue Number: Fixed #
Possible side effects?
Performance:
Backward compatibility: