Convert secure int to secure field using mpc.convert()

[abraj]

Hi,
I need to convert a secure int value to a secure finite field value
without an intermediate reveal of the underlying value.

from mpyc.runtime import mpc

secint = mpc.SecInt(32)
secfld = mpc.SecFld(2**8)

###### Approach 1 ######
a = secint(3)
b = await mpc.output(a) # I want to avoid this reveal step
c = secfld(b)
d = await mpc.output(c)
print(d) # prints `x+1` as expected

###### Approach 2 ######
p = secint(3)
q = mpc.convert(p, secfld)
r = await mpc.output(q)
print(r) # prints some random value like `x^7+x^6+x^5+x^2+x` ?!

Am I using mpc.convert() correctly or not in Approach 2,
because the final expected value (x+1) is not printed.

Also, is using mpc.output() to reveal a secret value okay here?
(as I'm using mpc.output() without any mpc.input() before it)

Any help would be appreciated.
Thanks

[lschoe]

Yes, that's right, a conversion from a secint to a secfld value, where the target secfld is not a prime field is not supported.

It is possible to do such a conversion securely. But it is also important to check if and why you would need such a conversion precisely?

[abraj]

Thanks for the response.
Actually, I'am trying to reuse the AES encryption function encrypt(K, p) from this demo.
However, in my case, the encryption key K is reconstructed from multiple shares in a previous step,
and, at this point, the encryption key is available as a matrix of SecInt(16) values.
(with each value guaranteed to be in the range 0-255 to fit in 1 byte)

However, encrypt(K, p) function in the aforementioned demo accepts a matrix of GF(2^8) field values.
Currently, I am revealing all the SecInt(16) values and then packing them again as GF(2^8) field values
using something like secfld.array(f256.array(encryption_key)).

However, I am trying to figure out a way to do the same without the intermediate reveal step involved.
Hope this clarifies my use case.
Thanks

[abraj]

Yes, that's right, a conversion from a secint to a secfld value, where the target secfld is not a prime field is not supported.

As mentioned by you, when I tried with a prime number (say 283) as target secfld, then it converted correctly (for the first part).
However, when I tried to then convert SecFld9(GF(283)) to SecFld8(GF(2^8)), I am again getting some incorrect value.
(as shown below)

p = secint(3)
q = mpc.convert(p, mpc.SecFld(283))
print(await mpc.output(q))  # prints `3`
r = mpc.convert(q, mpc.SecFld(2**8))
print(await mpc.output(r))  # prints some value like `x^6+x^4+x^3+x^2+x` ?!

I also tried with a prime number (like 251) which is smaller than 2**8, but still large enough to hold all the values I need.
But, again that conversion to SecFld8(GF(2^8)) also didn't work with the above approach.

[lschoe]

Right, those things won't work. It's a bit more complicated as we need to use random bits that "live" both as a secint and as a secfld256.

Here's some starter code that does the job. It may be sufficiently efficient for your case?

import secrets
from mpyc.runtime import mpc

secint = mpc.SecInt()
secfld256 = mpc.SecFld(256)

@mpc.coroutine
async def to(x):
    n = len(x)
    await mpc.returnType(secfld256, n)
    
    r = [secrets.randbits(1) for _ in range(n)]
    r_src = [secint.field(1-2*a) for a in r]
    r_src = mpc.input([secint(a) for a in r_src])
    r_src = list(map(list, zip(*r_src)))
    r_src = [mpc.prod(a) for a in r_src]
    r_src = [(1-a)/2 for a in r_src]
    c = mpc.vector_add(x, r_src)
    c = [mpc.lsb(a) for a in c]
    c = await mpc.output(c)

    r_tgt = [secfld256.field(a) for a in r]
    r_tgt = mpc.input([secfld256(a) for a in r_tgt])
    r_tgt = list(map(sum, zip(*r_tgt)))
    r_tgt = [a + b for a,b in zip(c, r_tgt)]
    return r_tgt
    
mpc.run(mpc.start())
a = secint(3)
x = mpc.to_bits(a)
x = to(x)
b = 0
for xi in reversed(x[1:]):
    b += xi
    b *= secfld256.field(2)
b += x[0]
print(mpc.run(mpc.output(b)))
mpc.run(mpc.shutdown())

[abraj]

@lschoe Thanks a lot for the solution provided above! It works as expected.
I need to admit that I don't understand it completely, maybe because I am not yet
much aware of the internal data structures and architecture for MPyC. But, that's on me.
Thanks for your time.

[abraj]

Using the above solution, I can perform the transformations for the secint matrix on each element basis.
So, now I have a 2D matrix of secure secfld elements.

Is there a way to convert that into an ArraySecFld8 object while retaining the shape of the matrix?
I see that mpc.np_fromlist() can't be applied directly on a 2D matrix.

So, I came up with the following approach:

a = [[secfld(1), secfld(2)],
     [secfld(3), secfld(4)]]
b = mpc.np_fromlist(sum(a, [])) # first, flatten the list, then apply `np_fromlist`
c = mpc.np_reshape(b, (2, 2))  # now, reshape to get back the original shape

print(c)  # `ArraySecFld8(GF(2^8))`
print(c.shape)  # (2, 2)

Am I doing it the correct way?
Or, is there another way to do the same more easily?

[lschoe]

Yes, that's the right way to do it, given the current API. This is to keep the implementation of mpc.np_fromlist() simple.

[abraj]

Hi @lschoe, I have a followup question.

How can I extract bits securely from SecFld8(GF(2^8)) as an array of SecFld1(GF(2)) items?
I can see the mpc.to_bits() can perform the extraction. However, if the original object is, say SecFld8(GF(2^8)),
then mpc.to_bits() returns a list of SecFld8(GF(2^8)) objects by default.
Is there a way to get SecFld1(GF(2)) objects for the individual bits?

I am trying to create some hash commitment using sha3-256 which accepts a list of SecFld1(GF(2)) items
as input.

My original item is a SecInt(256), which I converted to a list of SecFld8(GF(2^8)) using your solution provided earlier.
However, I am unable to convert (spread) it to a list of SecFld1(GF(2)) items so that I can pass it to the sha-256 function.

When I tried to directly extract all the bits of SecInt, and then convert each of those extracted secint bits individually to
SecFld1(GF(2)) one-by-one, then it works. However, this makes the whole process very slow. For example, for 64 bytes data,
the conversion of the extracted (512) bits alone, takes more than 10-15 sec (with 4 parties involved).

So, looking for an alternative approach for the conversion, which is more practical in terms of time consumption.

[lschoe]

Hi @abraj, maybe there is an easy way out in this case. The point is that instead of using secfld = mpc.SecFld(2)

mpyc/demos/sha3.py

Line 35 in 15f747c

secfld = mpc.SecFld(2)

you can also use secfld = mpc.SecFld(256). The algorithm only uses bit values 0 and 1, which are in the GF(2) subfield, and therefore it should work without problems.

[abraj]

Yeah, that works!
Thanks for pointing that out.