# Malicious scenario

In the malicious scenario, we do not use an MPC protocol due to the very high computational cost. We however can rely on Alice computing the model inference offline to obtain y' (prediction on x), then participate in the MPC protocol to compute the loss. Given that Alice is malicious, we ask for a ZKP to verify that the prediction is correct.

First, Bob will send his data point (without label) to Alice. Alice runs inference on her model and sends the hash of the prediction, with a ZKP, back to Bob. 

# Part 0: The Setup

In [3]:
import torch
import torch.nn as nn
import torch.nn.functional as F
import ezkl
import os
import json

In [7]:
class LeNet(nn.Sequential):
    """
    Adaptation of LeNet that uses ReLU activations
    """

    # network architecture:
    def __init__(self):
        super(LeNet, self).__init__()
        self.conv1 = nn.Conv2d(3, 6, 5)
        self.pool = nn.MaxPool2d(2, 2)
        self.conv2 = nn.Conv2d(6, 16, 5)
        self.fc1 = nn.Linear(16 * 5 * 5, 120)
        self.fc2 = nn.Linear(120, 84)
        self.fc3 = nn.Linear(84, 10)

    def forward(self, x):
        x = self.pool(F.relu(self.conv1(x)))
        x = self.pool(F.relu(self.conv2(x)))
        x = x.view(-1, 16 * 5 * 5)
        x = F.relu(self.fc1(x))
        x = F.relu(self.fc2(x))
        x = self.fc3(x)
        return x


circuit = LeNet()

#Next, we define the data loader for CIFAR-10 dataset.
import torchvision
import torchvision.transforms as transforms

transform = transforms.Compose(
    [transforms.ToTensor(),
     transforms.Normalize((0.5, 0.5, 0.5), (0.5, 0.5, 0.5))])

trainset = torchvision.datasets.CIFAR10(root='./data', train=False,transform=transform)
data, lbl  = trainset[4]
classes = trainset.classes  # ['airplane', 'automobile', 'bird', ..., 'truck']
class_name = classes[lbl]

label_eye = torch.eye(10)
y = label_eye[lbl]

x = data.unsqueeze(0)  # Add batch dimension

In [8]:
#Specifying some path parameters
model_path = os.path.join('data','network.onnx')
compiled_model_path = os.path.join('data','network.compiled')
pk_path = os.path.join('data','test.pk')
vk_path = os.path.join('data','test.vk')
settings_path = os.path.join('data','settings.json')

witness_path = os.path.join('data','witness.json')
data_path = os.path.join('data','input.json')
output_path = os.path.join('data','output.json')

In [9]:
# Flips the neural net into inference mode
circuit.eval()

out = circuit(x)
print(out)


    # Export the model
torch.onnx.export(circuit,               # model being run
                      x,                   # model input (or a tuple for multiple inputs)
                      model_path,            # where to save the model (can be a file or file-like object)
                      export_params=True,        # store the trained parameter weights inside the model file
                      opset_version=10,          # the ONNX version to export the model to
                      do_constant_folding=True,  # whether to execute constant folding for optimization
                      input_names = ['input'],   # the model's input names
                      output_names = ['output'], # the model's output names
                      dynamic_axes={'input' : {0 : 'batch_size'},    # variable length axes
                                    'output' : {0 : 'batch_size'}})

data_array = ((x).detach().numpy()).reshape([-1]).tolist()

data = dict(input_data = [data_array])

    # Serialize data into file:
json.dump( data, open(data_path, 'w' ))

out_array = out.detach().numpy().tolist()
output = dict(output_data = out_array)

    # Serialize data into file:
json.dump( output, open(output_path, 'w' ))

tensor([[ 0.0308,  0.0662,  0.0673, -0.0997,  0.0847, -0.0593,  0.0111,  0.1004,
          0.0978,  0.0232]], grad_fn=<AddmmBackward0>)


# Part 1: The ZKP

In [10]:
py_run_args = ezkl.PyRunArgs()
py_run_args.input_visibility = "public" #Bob can see this
py_run_args.output_visibility = "hashed/public" #This hash is given to Bob
py_run_args.param_visibility = "private" 

res = ezkl.gen_settings(model_path, settings_path, py_run_args=py_run_args)
assert res == True


In [14]:
cal_path = os.path.join('data',"calibration.json")

#Alice should use some real data to calibrate the model, here we use random data
data_array = (trainset.data[:10]).reshape([-1]).tolist()

data = dict(input_data = [data_array])

# Serialize data into file:
json.dump(data, open(cal_path, 'w'))


await ezkl.calibrate_settings(cal_path, model_path, settings_path, "resources")
res = ezkl.compile_circuit(model_path, compiled_model_path, settings_path)
assert res == True

# srs path - This actually requires a trusted setup.
res = await ezkl.get_srs( settings_path)
res = await ezkl.gen_witness(data_path, compiled_model_path, witness_path)
assert os.path.isfile(witness_path)

[tensor] decomposition error: integer -616231148 is too large to be represented by base 16384 and n 2
forward pass failed: "failed to forward: [halo2] General synthesis error"
[tensor] decomposition error: integer 280290966 is too large to be represented by base 16384 and n 2
forward pass failed: "failed to forward: [halo2] General synthesis error"
[tensor] decomposition error: integer 494109996 is too large to be represented by base 16384 and n 2
forward pass failed: "failed to forward: [halo2] General synthesis error"
[tensor] decomposition error: integer 330210604 is too large to be represented by base 16384 and n 2
forward pass failed: "failed to forward: [halo2] General synthesis error"
[tensor] decomposition error: integer 658852439 is too large to be represented by base 16384 and n 2
forward pass failed: "failed to forward: [halo2] General synthesis error"
[tensor] decomposition error: integer -1910242224 is too large to be represented by base 16384 and n 2
forward pass failed: 

In [15]:
res = ezkl.setup(
        compiled_model_path,
        vk_path,
        pk_path,
    )

assert res == True
assert os.path.isfile(vk_path)
assert os.path.isfile(pk_path)
assert os.path.isfile(settings_path)

In [17]:
# GENERATE A PROOF
proof_path = os.path.join('data','test.pf')

res = ezkl.prove(
        witness_path,
        compiled_model_path,
        pk_path,
        proof_path,
        "single",
    )

print(res)
assert os.path.isfile(proof_path)

{'instances': [['51f0ffef93f5e1439170b97948e833285d588181b64550b829a031e1724e6430', '93f1ffef93f5e1439170b97948e833285d588181b64550b829a031e1724e6430', '0decffef93f5e1439170b97948e833285d588181b64550b829a031e1724e6430', '89e7ffef93f5e1439170b97948e833285d588181b64550b829a031e1724e6430', 'c7e5ffef93f5e1439170b97948e833285d588181b64550b829a031e1724e6430', '0beaffef93f5e1439170b97948e833285d588181b64550b829a031e1724e6430', '0cebffef93f5e1439170b97948e833285d588181b64550b829a031e1724e6430', '4cebffef93f5e1439170b97948e833285d588181b64550b829a031e1724e6430', '4cebffef93f5e1439170b97948e833285d588181b64550b829a031e1724e6430', '0beaffef93f5e1439170b97948e833285d588181b64550b829a031e1724e6430', '84e2ffef93f5e1439170b97948e833285d588181b64550b829a031e1724e6430', 'c5e3ffef93f5e1439170b97948e833285d588181b64550b829a031e1724e6430', '0cebffef93f5e1439170b97948e833285d588181b64550b829a031e1724e6430', '4eedffef93f5e1439170b97948e833285d588181b64550b829a031e1724e6430', 'ceecffef93f5e1439170b97948e8332

In [19]:
# VERIFY IT

res = ezkl.verify(
        proof_path,
        settings_path,
        vk_path,
        
    )

assert res == True
print("verified")

verified


# Step 2: Secure MPC to calculate valuation

After Alice has computed $y'$, Alice and Bob can then compute the loss function in a secure MPC protocol.
The MPC protocol supposedly requires verifying the Poseidon hash. But we skipped this for now.