In [27]:
import random

## Parameters

In [4]:
#
# Use e.g. https://www.compilejava.net/
#
#import java.util.*;
#import java.math.*;
#
#public class Entrypoint
#{
#  public static void main(String[] args)
#  {
#    BigInteger q = BigInteger.probablePrime(128, new Random());    
#    System.out.println(q);
#  }
#}

# small and large field
Q = 6497992661811505123 # < 64 bits
P = 1802216888453791673313287943102424579859887305661122324585863735744776691801009887 # < 270 bits

# Public and private values

In [47]:
class PublicValue:
    
    def __init__(self, value):
        self.value = value
    
    def unwrap(self):
        return self.value
    
    def add(x, y):
        if type(y) is int: y = PublicValue(y)
        if type(y) is PublicValue:
            value = (x.value + y.value) % Q
            return PublicValue(value)
        if type(y) is PrivateValue:
            share0 = (x.value + y.share0) % Q
            share1 =            y.share1
            return PrivateValue(None, share0, share1)
        
    def sub(x, y):
        if type(y) is int: y = PublicValue(y)
        if type(y) is PublicValue:
            value = (x.value - y.value) % Q
            return PublicValue(value)
        if type(y) is PrivateValue:
            share0 = (x.value + Q - y.share0) % Q
            share1 = (          Q - y.share1) % Q
            return PrivateValue(None, share0, share1)
        
    def mul(x, y):
        if type(y) is int: y = PublicValue(y)
        if type(y) is PublicValue:
            value = (x.value * y.value) % Q
            return PublicValue(value)
        if type(y) is PrivateValue:
            share0 = (x.value * y.share0) % Q
            share1 = (x.value * y.share1) % Q
            return PrivateValue(None, share0, share1)
    
    def square(x):
        value = pow(x.value, 2, Q)
        return PublicValue(value)
    
#     def pows(x, highest_power):
#         x_powers = ( np.power(x.values, e) % Q for e in range(0, highest_power+1) )
#         return [ PublicTensor(v) for v in x_powers ]
    
    def __add__(x, y):
        return x.add(y)
    
    def __sub__(x, y):
        return x.sub(y)
    
    def __mul__(x, y):
        return x.mul(y)
        
    def __repr__(self):
        return "PublicValue(%s)" % self.value

In [48]:
def share(secret):
    share0 = random.randrange(Q)
    share1 = (secret - share0) % Q
    return [share0, share1]

def reconstruct(share0, share1):
    return (share0 + share1) % Q

In [49]:
def generate_mul_triple():
    a = random.randrange(Q)
    b = random.randrange(Q)
    c = (a * b) % Q
    return PrivateValue(a), PrivateValue(b), PrivateValue(c)

In [50]:
def generate_square_triple():
    a = random.randrange(Q)
    b = pow(a, 2, Q)
    return PrivateValue(a), PrivateValue(b)

In [51]:
class PrivateValue:
    
    def __init__(self, value, share0=None, share1=None):
        if not value is None:
            share0, share1 = share(value)
        self.share0 = share0
        self.share1 = share1
    
    def reconstruct(self):
        return PublicValue(reconstruct(self.share0, self.share1))
    
    def unwrap(self):
        return reconstruct(self.share0, self.share1)
    
    def add(x, y):
        if type(y) is int: y = PublicValue(y)
        if type(y) is PublicValue:
            share0 = (x.share0 + y.value) % Q
            share1 =  x.share1
            return PrivateValue(None, share0, share1)
        if type(y) is PrivateValue:
            share0 = (x.share0 + y.share0) % Q
            share1 = (x.share1 + y.share1) % Q
            return PrivateValue(None, share0, share1)
        
    def sub(x, y):
        if type(y) is int: y = PublicValue(y)
        if type(y) is PublicValue:
            share0 = (x.share0 - y.value) % Q
            share1 =  x.share1
            return PrivateValue(None, share0, share1)
        if type(y) is PrivateValue:
            share0 = (x.share0 - y.share0) % Q
            share1 = (x.share1 - y.share1) % Q
            return PrivateValue(None, share0, share1)
        
    def mul(x, y):
        if type(y) is int: y = PublicValue(y)
        if type(y) is PublicValue:
            share0 = (x.share0 * y.value) % Q
            share1 = (x.share1 * y.value) % Q
            return PrivateValue(None, share0, share1)
        if type(y) is PrivateValue:
            a, b, a_mul_b = generate_mul_triple()
            alpha = (x - a).reconstruct()
            beta  = (y - b).reconstruct()
            return alpha.mul(beta) + \
                   alpha.mul(b) + \
                   a.mul(beta) + \
                   a_mul_b
                    
    def square(x):
        a, aa = generate_square_triple()
        alpha = (x - a).reconstruct()
        return alpha.square() + \
               (a * alpha) * 2 + \
               aa
    
#     def pows(x, highest_power):
#         x_powers = ( np.power(x.values, e) % Q for e in range(0, highest_power+1) )
#         return [ PublicTensor(v) for v in x_powers ]
    
    def __add__(x, y):
        return x.add(y)
    
    def __sub__(x, y):
        return x.sub(y)
    
    def __mul__(x, y):
        return x.mul(y)
        
    def __repr__(self):
        return "PrivateValue(%s)" % self.unwrap()

In [52]:
v = 5
w = 3

for x_type in [PublicValue, PrivateValue]:
    for y_type in [PublicValue, PrivateValue]:
        
        x = x_type(v)
        y = y_type(w)

        z = x + y; assert z.unwrap() == v + w
        z = x - y; assert z.unwrap() == v - w
        z = x * y; assert z.unwrap() == v * w
        z = x.square(); assert z.unwrap() == v * v

## Powering and polynomials

In [10]:
def generate_powering_triple(exponent, field=Q):
    a = random.randrange(field)
    return [ share(pow(a, e, field)) for e in range(1, exponent+1) ]

a, aa, aaa, aaaa = generate_powering_triple(4)
assert reconstruct(a) * reconstruct(a) % Q == reconstruct(aa) 
assert reconstruct(aa) * reconstruct(a) % Q == reconstruct(aaa)
assert reconstruct(aaa) * reconstruct(a) % Q == reconstruct(aaaa)

In [11]:
from functools import reduce
from scipy.misc import comb
binom = lambda n, k: comb(n, k, exact=True)

ONE = [1,0] # constant sharing of 1

def pows(x, triple, field=Q):
    # local masking
    a = triple[0]
    v = sub(x, a)
    # communication: the players simultanously send their share to the other
    epsilon = reconstruct(v)
    # local combination
    x_powers = []
    for exponent in range(1, len(triple)+1):
        # prepare all term values
        a_powers = [ONE] + triple[:exponent]
        e_powers = [ pow(epsilon, e, Q) for e in range(exponent+1) ]
        coeffs   = [ binom(exponent, k) for k in range(exponent+1) ]
        # compute and sum terms
        terms = ( mul_public(a, c * e) for a, c, e in zip(a_powers, coeffs, reversed(e_powers)) )
        x_powers.append(reduce(lambda x,y: add(x, y, field), terms))
    return x_powers

x = share(4)

xs = pows(x, generate_powering_triple(3))
assert [ reconstruct(x) for x in xs ] == [ pow(4,e,Q) for e in range(1,3+1) ]

xs = pows(x, generate_powering_triple(10))
assert [ reconstruct(x) for x in xs ] == [ pow(4,e,Q) for e in range(1,10+1) ]

ModuleNotFoundError: No module named 'scipy'

In [None]:
def pol_public(x, coeffs, triple, field):
    powers = [ONE] + pows(x, triple, field)
    terms = ( mul_public(xe, ce, field) for xe,ce in zip(powers, coeffs) )
    return reduce(lambda y,z: add(y, z, field), terms)

x = share(5)
coeffs = [1,2,3,4]
y = pol_public(x, coeffs, generate_powering_triple(len(coeffs)-1, Q), Q)
assert reconstruct(y) == (1*pow(5,0) + 2*pow(5,1) + 3*pow(5,2) + 4*pow(5,3)) % Q

### Up and down sharing

In [None]:
def generate_statistical_mask():
    return random.randrange(2*BOUND * BASE**KAPPA)

def generate_zero_triple(field):
    return share(0, field)

def convert(x, from_field, to_field, zero_triple):
    # local mapping to positive representation
    x = add_public(x, BOUND, from_field)
    # local masking and conversion by player 0
    r = generate_statistical_mask()
    y0 = (zero_triple[0] - r) % to_field
    # exchange of masked share: one round of communication
    e = (x[0] + r) % from_field
    # local conversion by player 1
    xr = (e + x[1]) % from_field
    y1 = (zero_triple[1] + xr) % to_field
    # local combine
    y = [y0, y1]
    # local mapping back from positive representation
    y = sub_public(y, BOUND, to_field)
    return y

def upshare(x, large_zero_triple):
    return convert(x, Q, P, large_zero_triple)

def downshare(x, small_zero_triple):
    return convert(x, P, Q, small_zero_triple)

x = share(encode(-.5, Q), Q)
y = upshare(x, generate_zero_triple(P))
assert reconstruct(y, P) == encode(-.5, P)
z = downshare(y, generate_zero_triple(Q))
assert reconstruct(z, Q) == encode(-.5, Q)

In [None]:
x = share(encode(-.5, Q), Q)
x2 = mul(x, x, generate_multiplication_triple(Q), Q)
x4 = mul(x2, x2, generate_multiplication_triple(Q), Q)
y = truncate(x4, 4 * PRECISION_FRACTIONAL - PRECISION_FRACTIONAL, Q)
assert not decode(reconstruct(y, Q), Q) == (-.5)**4

x = share(encode(-.5, Q), Q)
x = upshare(x, generate_zero_triple(P))
x2 = mul(x, x, generate_multiplication_triple(P), P)
x4 = mul(x2, x2, generate_multiplication_triple(P), P)
y = truncate(x4, 4 * PRECISION_FRACTIONAL - PRECISION_FRACTIONAL, P)
y = downshare(y, generate_zero_triple(Q))
assert decode(reconstruct(y, Q), Q) == (-.5)**4

## Fixed-point encoding

In [12]:

BASE = 10
KAPPA = 9 # ~29 bits

PRECISION_INTEGRAL = 2
PRECISION_FRACTIONAL = 7
PRECISION = PRECISION_INTEGRAL + PRECISION_FRACTIONAL
BOUND = BASE**PRECISION

Q_MAXDEGREE = 2
assert Q > BASE**(PRECISION * Q_MAXDEGREE) # supported multiplication degree (without truncation)
assert Q > 2*BOUND * BASE**KAPPA # supported kappa when in positive range 

P_MAXDEGREE = 9
assert P > Q
assert P > BASE**(PRECISION * P_MAXDEGREE)

In [13]:
def encode(rational, field=Q, precision_fractional=PRECISION_FRACTIONAL):
    upscaled = int(rational * BASE**precision_fractional)
    field_element = upscaled % field
    return field_element

def decode(field_element, field=Q, precision_fractional=PRECISION_FRACTIONAL):
    upscaled = field_element if field_element <= field/2 else field_element - field
    rational = upscaled / BASE**precision_fractional
    return rational

In [14]:
# using trick from SecureML paper that only requires a local operation

def truncate(x, amount=PRECISION_FRACTIONAL, field=Q):
    y0 = x[0] // BASE**amount
    y1 = field - ((field - x[1]) // BASE**amount)
    return [y0, y1]

In [16]:
x = share(encode(-.5))

x2 = truncate(mul( x,  x, generate_mul_triple()), PRECISION_FRACTIONAL)
x4 = truncate(mul(x2, x2, generate_mul_triple()), PRECISION_FRACTIONAL)
y = decode(reconstruct(x4))
assert y == (-.5)**4

x2 = mul( x,  x, generate_mul_triple())
x4 = mul(x2, x2, generate_mul_triple())
y = decode(reconstruct(truncate(x4, 2*PRECISION_FRACTIONAL)))
assert not y == (-.5)**4