# CS 3990/5990: Secure Distributed Computation
## In-Class Exercise, Week of 9/11/2023

In [None]:
# Imports and definitions
import numpy as np
from collections import defaultdict
import galois

GF = galois.GF(97)

# Questions from Last Week

## Question 4

Consider a semi-honest adversary. In the real world, what information is included in the view of the (potentially corrupted) party $p_i$?

YOUR ANSWER HERE

## Question 5

Describe a *simulator* for the ideal world, that constructs views which are indistinguishable from the ones described in Question 1.

YOUR ANSWER HERE

In [None]:
from collections import defaultdict
class Party:
    """A participant in a multiparty computation protocol."""
    def __init__(self):
        """Initialize the dictionary to hold received messages."""
        self.received = defaultdict(list)
    
    def send(self, other, round, msg):
        """Simulate sending a message `msg` to another party `other` during round `round`"""
        other.received[round].append(msg)

## Question 6

Implement the `InsecureAggregationParty` class, which adds up the parties' inputs *insecurely*.

In [None]:
class InsecureAggregationParty(Party):
    def round1(self, parties, input):
        self.input = GF(input)
        
        # YOUR CODE HERE
        raise NotImplementedError()

    def round2(self):
        # YOUR CODE HERE
        raise NotImplementedError()

    def get_view(self):
        return (self.input, self.output, self.received[1])

In [None]:
# TEST CASE for question 1

# 5 parties
parties = [InsecureAggregationParty() for _ in range(5)]

# run round 1
for party in parties:
    party.round1(parties, 5)

# run round 2 and output
for party in parties:
    party.round2()
    #print('Party output:', party.output, type(party.output))
    assert party.output == GF(25)

## Question 7

Implement a simulator for the `InsecureAggregationParty` protocol, which constructs the view for party $i$ indistinguishable from the real-world view of party $i$ in the protocol, using only the inputs and output of the ideal functionality.

In [None]:
def simulator(n, i, inputs, output):
    """Simulates a real-world view in the ideal world. Outputs a 
    3-tuple: (input, output, received messages from round 1)"""
    # YOUR CODE HERE
    raise NotImplementedError()

In [None]:
# TEST CASE for question 2

# the real-world view of each party should be indistinguishable
# from the simulated view in the ideal world
# there is no randomness here, so they are really equal!
all_inputs = [5 for _ in range(5)]
for i, party in enumerate(parties):
    assert party.get_view() == simulator(5, i, all_inputs, 25)

## Question 8

Can you construct a simulator for `InsecureAggregationParty` without using the input for all $n$ parties? If not, why not? What does this mean about the security of `InsecureAggregationParty`?

YOUR ANSWER HERE

# New Questions

## Question 1

Write code to generate shares of a secret $x$ in a $(t, n)$-secret sharing scheme using Shamir's technique, where $n = 5$ and $t = 2$.

In [None]:
def shr_2_5(v):
    # YOUR CODE HERE
    raise NotImplementedError()

In [None]:
# Example for question 1

shr_2_5(GF(5))

In [None]:
# TEST CASE for question 1

assert len(shr_2_5(GF(5))) == 5

## Question 2

Write a function to reconstruct the secret, using only two shares.

In [None]:
def reconstruct(s1, s2):
    # YOUR CODE HERE
    raise NotImplementedError()

shares = shr_2_5(GF(5))
reconstruct(shares[0], shares[1])

In [None]:
# TEST CASE
shares = shr_2_5(GF(5))
assert reconstruct(shares[0], shares[1]) == GF(5)

## Question 3

Why is a threshold secret sharing scheme more useful than the simpler additive secret sharing scheme we saw earlier?

YOUR ANSWER HERE

## Question 4

Write code to generate shares of a secret $x$ in a $(t, n)$-secret sharing scheme using Shamir's technique, for any $t$ and $n$.

In [None]:
def shamir_share(v, t, n):
    # YOUR CODE HERE
    raise NotImplementedError()

shamir_share(GF(5), 3, 6)

In [None]:
# Example for question 1

shr_2_5(GF(5))

In [None]:
# TEST CASE
assert len(shamir_share(GF(5), 3, 6)) == 6
shares = shamir_share(GF(5), 2, 6)
assert reconstruct(shares[0], shares[1]) == GF(5)

## Question 5

Given the two sets of shares `shares1` and `shares2` below, write a function whose output is their sum (as a set of shares).

In [None]:
shares1 = shamir_share(GF(20), 2, 6)
shares2 = shamir_share(GF(5), 2, 6)

def add_shares(shares1, shares2):
    # YOUR CODE HERE
    raise NotImplementedError()

added_shares = add_shares(shares1, shares2)
print(added_shares)
reconstruct(added_shares[0], added_shares[1])

In [None]:
# TEST CASE
added_shares = add_shares(shares1, shares2)
assert reconstruct(added_shares[0], added_shares[2]) == GF(25)

## Question 6

Write a function to reconstruct a secret from a set of at least $t$ shares. Use the `galois.lagrange_poly` function, which implements [Lagrange interpolation](https://en.wikipedia.org/wiki/Lagrange_polynomial).

In [None]:
def reconstruct(shares):
    # YOUR CODE HERE
    raise NotImplementedError()

reconstruct(added_shares)

In [None]:
# TEST CASE
shares = shamir_share(GF(30), 5, 10)
assert reconstruct(shares) == GF(30)
assert reconstruct(shares[:5]) == GF(30)  # t shares are sufficient
assert reconstruct(shares[:4]) != GF(30)  # t - 1 shares are not sufficient

## Question 7

Given the two sets of shares `shares1` and `shares2` below, write a function whose output is their product (as a set of shares).

In [None]:
shares1 = shamir_share(GF(20), 3, 6)
shares2 = shamir_share(GF(3), 3, 6)

def mult_shares(shares1, shares2):
    # YOUR CODE HERE
    raise NotImplementedError()

product_shares = mult_shares(shares1, shares2)
print(product_shares)
reconstruct(shares1)
reconstruct(product_shares)

In [None]:
# TEST CASE
product_shares = mult_shares(shares1, shares2)

assert reconstruct(product_shares) == GF(60)
assert reconstruct(product_shares[:4]) != GF(60)  # t shares are no longer sufficient