emp-toolkit / emp-sh2pc Goto Github PK

Hi, I'm having trouble compiling after using cmake . -DTHREADING=ON.

after compiling emp-tool and emp-ot successfully with -DTHREADING=ON, I then get:

On OSX catalina:

benediamond@Benjamins-MBP emp-sh2pc % make
[ 10%] Building CXX object CMakeFiles/example.dir/test/example.cpp.o
[ 20%] Linking CXX executable bin/example
ld: illegal thread local variable reference to regular symbol __ZN3emp16CircuitExecution9circ_execE for architecture x86_64
clang: error: linker command failed with exit code 1 (use -v to see invocation)
make[2]: *** [bin/example] Error 1
make[1]: *** [CMakeFiles/example.dir/all] Error 2
make: *** [all] Error 2

on Ubuntu 18.04:

ubuntu@ip-172-31-15-228:~/emp-sh2pc$ make
[ 10%] Building CXX object CMakeFiles/bit.dir/test/bit.cpp.o
[ 20%] Linking CXX executable bin/bit
/usr/bin/ld: _ZN3emp16CircuitExecution9circ_execE: TLS reference in CMakeFiles/bit.dir/test/bit.cpp.o mismatches non-TLS definition in /usr/local/lib/libemp-tool.so section .bss
/usr/local/lib/libemp-tool.so: error adding symbols: Bad value
collect2: error: ld returned 1 exit status
CMakeFiles/bit.dir/build.make:88: recipe for target 'bin/bit' failed
make[2]: *** [bin/bit] Error 1
CMakeFiles/Makefile2:72: recipe for target 'CMakeFiles/bit.dir/all' failed
make[1]: *** [CMakeFiles/bit.dir/all] Error 2
Makefile:129: recipe for target 'all' failed
make: *** [all] Error 2

Any thoughts on this? I just encountered this so will keep digging, but I figured I'd run it by you. Thanks.

Is it possible to switch out the underlying OT being used by the protocol?

This is useful because if one is using sh2pc to run a DualEx style protocol (paper here) malicious OT is required.

Hi, thank you for developing such a good library, I have met two problems, hope that you could give me some guidance. when I run the test_millionare in example.cpp, I know how it works roughly, but I have two question as follows:

(1) when it runs Bit res=a>b, then there is a comparison circuit required, I want to know whethrer the circuit is constructed according to Huang.pdf, in which it provide a T circuit. In fact, given that And、XOR and Not gate. I want to know the logical structure of the comparison circuit.

	Integer a(32, number, ALICE);
	Integer b(32, number, BOB);
	Bit res = a > b;

(2) in sh_eva.h, the evaluator sends the choice bit vector tmp directly, is there any issue?

UPDATE: feel much confident now. the post is changed

It seems online/offline has some interesting things (but should be resolvable) with feed/reveal. (anybody did reactive online/offline semi-honest GC?) So I am wondering if you have any suggestion before I move forward.

ProtocolExecution has reveal and feed. These two are crucial for reactive programs.

feed uses a special trick to avoid sending for Alice -- Bob always receives the corresponding labels for 0 and 1 from shared PRG. Alice reverses the labels according to the data she wants to use.

That is to say, Alice is changing the circuit to input instead of changing the label to input. Therefore, Alice has nothing to send -- she writes it in the circuit.

This is a runtime optimization. It works for the input Alice always knows (e.g. share of a long-term key). But not the input Alice does not anticipate (e.g., current time when we evaluate).

(1) I guess we need a modification of feed -> Alice can specify whether an input is okay to specify in offline mode or wait! I will specify it in online mode. An offline test run should use this opportunity.

(2) To generate the circuit for offline, we actually run the program. If the program does not change the outside (stateless), then it is safe to run $f$ to generate the circuit. But now in such a reactive case, if the outside application needs to get the filename from the circuit, and feeds the data back to the circuit. Then such an application will find reveal returns something strange -- $f$ may not be designed for the offline test run.

(3) An optimization: the offline package can also contain the information to reveal. Therefore, if the reveal is to PUBLIC and cached in the offline package, Bob can immediately get the answer without asking Alice. Additionally, I think to reveal, Bob doesn't need Alice to send the whole block (semihonest_gen.h Ln 56), but LSB of 0-label is enough? So does Bob sends data back to Alice.

I think I still need one day to think about these details :) especially, I hope to get the plaintext circuit file of a real run and later all the offline phases is just garbling a circuit.

What I am thinking about is Circuit ORAM in FlexSC, where the paths in different ORAMs in the recursive constructions, are sent inside to continue the operation.

This is an interactive protocol for GC-based computation.

When we need to output some data and input some data in the middle, we don't need to discard all the state information -- we can keep the most of existing gates.

In the test examples in emp-toolkit, it seems no such an example for interactive cases. Any idea on how to secure this?

Thanks!

(I am starting to implement something!)

I want to know whether both sides can run under two threads. If so, can you provide an example.

ferrt ot brings a dramitic improvement of cot. i wonder if there is a plan about extend ferret to in emp-sh2pc. thanks for the wonderful works which help me a lot.

Hi,

May I ask if there are any way to handle the long binary inputs to the circuits, for example 512 bits or longer?

I found that if I would like to take the sha-256 circuit (https://homes.esat.kuleuven.be/~nsmart/MPC/sha-256.txt) into circuit_file.cpp, I cannot create a 512 bit binary input into the Integer object.

Thank you!

I am experimenting multiplication by two parties using triplets. Here is my code:

NetIO *io1, *io2;

void foo(int port, int party)
{
io1 = new NetIO(party==ALICE ? nullptr : "127.0.0.1", port);
io1->set_nodelay();

}

void bar(int port, int party)
{
io2 = new NetIO(party==ALICE ? nullptr : "127.0.0.1", port);
io2->set_nodelay();

}

int main(int argc, char** argv){

//one terminal
int port = 12345;
int party1 = 1;
int party2 = 2;

std::thread first_io (foo,port,party1);     // spawn new thread that calls foo()
std::thread second_io (bar,port,party2);  // spawn new thread that calls bar(0)
std::cout << "main, foo and bar now execute concurrently...\n";
// synchronize threads:
first_io.join();                // pauses until first finishes
second_io.join();               // pauses until second finishes

}

As you can see, I am trying to create this connection without running the terminal twice. However, the program always PAUSE with message
"main, foo and bar now execute concurrently...
connected
connected"

What should I do?

Hi, I wonder in emp-tool, is there built-in functionality such as hash or commitment that one can use in this 2pc? I see that you mentioned in README of emp-tool you have the hash function, is this one that can be used in 2pc? Unfortunately I did not see the commitment class you mentioned in the reamde. If there is, what is the commitment scheme you are using? Thank you!

I see the following error:

.../emp-sh2pc/semihonest/semihonest_gen.h:3:20: fatal error: emp-tool: No such file or directory
#include emp-tool

Does it come from the file adjustment which seems to be, in these several hours?

Follow the latest code in emp-ot. I try
emp-tool to emp-tool/emp-tool.h

The compiling is successful. Waiting for the update! Thanks for presenting emp-toolkit!

Hello,
I have a question about the test. When I try to run ./run ./bin/example 12345 , it return
./run: line 30:14919 Segmentation fault (core dumped) $1 1 $2.
Can you tell me how to avoid this error ?
Thank you for your time,
Vinny

Is there a way to measure communication for evaluation of circuits or other mpc protocols within emp toolkit. Also, is it possible to time individual components of the GC evaluation like garbling, OT setups etc?

Thanks for the help in emp-sh2pc update. Later I use tc to simulate the latency in loopback network, and use a network listener wireshark to determine the upper bound time.

I see emp-m2pc (EUROCRYPT'17) has offline+online. step backward. If the goal is smaller latency, some applications may turn to semi-honest and offline+online. But it seems emp-sh2pc does not provide offline+online.

So my question (request for programming advice) is:
Do you think, reducing the code of emp-m2pc by reducing the ssp to 1 and make E[j]=1 makes a roughly clean version for emp-sh2pcwithoffline... or I underestimate the LoC?

Are there some incoming updates for emp-sh2pc working on offline+online?

Circuit evaluation seems to be a parallelizable task, but some empirical testing seems to show that emp is not doing this.

Is this possible?

I am looking at circuit_file.cpp and try to understand how sh2pc works.
In circuit_file.cpp, Alice and Bob tries to compute AES function together, but it seems they do not run it on a garbled circuit or ot. Instead, they run on a straight-forward circuit evaluation.
I do not know whether it can be defined as semi-honest, since either Bob or Alice can easily learn the other's secret in the test function.
Is there any hint?

emp-sh2pc seems to work with c code (probably generating the GC in the background) while emp-ag2pc seems to need a pre designed GC as an input. Is there a way to port emp-sh2pc to emp-sg2pc for malicious security? Or is it possible to recover the underlying circuit file generated by emp-sh2pc.

Finally, are there standard garbled circuit generators (from a high level language like C) compatible with emp-ag2pc.

OT is block wised, and therefore even when we call OT for less than block_size number of OT, more are performed.

Hello, Xiaowang! I want to use this package for my work, Is it have any document about EMP-toolkit? By the way, can you tell me how to get LSB from a block? Thanks!

Hello, sorry for disturbing you.
I have observed that shift operations can be conducted on secure integers successfully on bit-representation. However, it will turn a negative signed integer into an unsigned one.
Here is an example.

Integer a(32, -44, ALICE);
cout<< "a:	"<< a.reveal<int32_t>()<<endl;
a = (a >> 2);
cout<< "a:	"<< a.reveal<int32_t>()<<endl;

The output is:

a:        -44
a:        1073741813

From the view of bit representation, the 11111111 11111111 11111111 11010100 is shifted by 2 bits to 11111111 11111111 11111111 11110101 successfully. However, it is now converted to an unsigned form.
In comparison, if the operation is conducted on a public variable

int a = -44;
cout<< "a:	"<< a<<endl;
a = a >> 2;
cout<< "a:	"<< a<<endl;

The output is:

a:        -44
a:        -11

I am curious whether this is caused by my misuse of shift or if I did not define the type of variable correctly. Or maybe, this behavior is special in the MPC scenario so I should avoid using it. May you help me by explaining this?

multiple definition of emp::afree(void*)' multiple definition of eb_curve_get_tab_data'

I am trying to use EMP-sh2pc with FerretOT, see also issue #31.

What I have done so far is:

• For the SemiHonestParty constructor in sh_party.h, I have replaced ot = new IKNP<IO>(io) by ot = new FerretCOT<IO>(party, 1, &io, false, false) (and adopted the declaration at the beginning of the file). In my understanding, the second false of the FerretCOT constructor implies that the setup operations will be done later.
• For the SemiHonestGen constructor in sh_gen.h, I have replaced this->ot->setup_send(delta_bool) by this->ot->setup(this->gc->delta), to initialize the COT delta to the one used by 2PC (is that correct?).
• For the SemiHonestEva constructor in sh_eva.h, I have replaced this->ot->setup_recv() by this->ot->setup() to initialize the evaluator side.

When I run 2PC, I get a segfault in the extend() operation on the garbler/Gen. What am I doing wrong?

How to compile float.cpp, other cpp files have compiled executable files in the bin folder.
Then why does the example file report an error after execution?

Hi XIAO Wang,
Thank you for providing such a great tool. But, I don't know how to use this tool to implement Garbled Circuits. Could you please explain how to use this tool or whether there is an explanation document.Thanks！

nvm