Support cross-shard PRSS in sharded MPC circuits (in memory only for now) #1410
Conversation
We ran into an issue where shards need coordinated randomness in more than one protocol: * Malicious shuffle needs it to generate MAC keys * PRF needs it to generate PRF key to mask the values At this point I strongly suspect we will need it in more places and the current mitigation is not sustainable. We do simulate key exchange in shuffle and about to in PRF, so I decided to stop the bleeding and implemented coordinated randomness for PRSS. The only API difference between those two is to use cross-shard PRSS, one would call `ShardedContext::cross_shard_prss` and shard-scoped PRSS is still available by calling `ShardedContext::prss`. Both return the same structure, so anything that can be generated with shard-scoped PRSS, can also be generated with cross-shard randomness. It is basically a drop-in replacement, only available for sharded MPC circuits. Note that this only brings in-memory implementation, but I have implemented 50% of distribution circuit already and it looks pretty straightforward - just generate a key using PRSS and distribute it across shards - it will be used to bootstrap generators on every shard. This will be a separate PR and will take some time to implement - but folks shouldn't be blocked as this change unblocks using the in-memory infrastructure.
Codecov ReportAttention: Patch coverage is
Additional details and impacted files@@ Coverage Diff @@
## main #1410 +/- ##
==========================================
- Coverage 93.32% 93.29% -0.03%
==========================================
Files 223 224 +1
Lines 38533 38602 +69
==========================================
+ Hits 35960 36014 +54
- Misses 2573 2588 +15 ☔ View full report in Codecov by Sentry. |
|
|
||
| /// This trait serves the purpose of setting up shard contexts. Each shard shares some | ||
| /// global state with others (cross-shard PRSS) and also owns its own state (per-shard PRSS). | ||
| /// This construction allows [`ShardWorld`] to |
There was a problem hiding this comment.
did the end of this get cut off?
There was a problem hiding this comment.
ah, missed that one!
| @@ -1329,4 +1317,45 @@ mod tests { | |||
| assert_eq!(first_result, second_result); | |||
| }); | |||
| } | |||
|
|
|||
| #[test] | |||
| fn cross_shard_prss() { | |||
There was a problem hiding this comment.
is it worth also adding a test to ensure that regular PRSS is not consistent across shards?
There was a problem hiding this comment.
Great suggestion, we do already have it. It was implemented with in-memory sharding. Check unique_prss_per_shard test in this file
| @@ -211,6 +211,14 @@ impl ShardedContext for Base<'_, Sharded> { | |||
| .gateway | |||
| .get_shard_receiver(&ChannelId::new(origin, self.gate.clone())) | |||
| } | |||
|
|
|||
| fn cross_shard_prss(&self) -> InstrumentedIndexedSharedRandomness<'_> { | |||
There was a problem hiding this comment.
would it make sense to implement this on non-sharded contexts, so that a protocol can use this regardless of sharding (in the non-sharded case, it just acts like normal prss)?
There was a problem hiding this comment.
I think this is where Rust type system plays nicely for us - in non-sharded world you should never require cross-shard PRSS and use regular PRSS instead. All sharded circuits we write operate over ShardedContext that will make this API available. Non-sharded MPC won't compile if it tries to use it, which is what we would want imo
There was a problem hiding this comment.
got it. so for example with gen_prf_key we'd just have two different implementations, one with Upgradable constraint on C, and another with Upgradable + Sharded? (just to make sure I'm understanding correctly.)
There was a problem hiding this comment.
yea, we will delete non-sharded version anyway, so the only one that we will use is gen_prf_key with C: UpgradableContext + ShardedContext bound. That will provide access to cross_shard_prss
|
I've discussed this PR with @andyleiserson - our conclusion is to merge it to unblock work on hybrid, but there are some things we want to investigate in #1418 |
We ran into an issue where shards need coordinated randomness in more than one protocol:
At this point I strongly suspect we will need it in more places and the current mitigation is not sustainable. We do simulate key exchange in shuffle and about to in PRF, so I decided to stop the bleeding and implemented coordinated randomness for PRSS.
The only API difference between those two is to use cross-shard PRSS, one would call
ShardedContext::cross_shard_prssand shard-scoped PRSS is still available by callingShardedContext::prss. Both return the same structure, so anything that can be generated with shard-scoped PRSS, can also be generated with cross-shard randomness. It is basically a drop-in replacement, only available for sharded MPC circuits.Note that this only brings in-memory implementation, but I have implemented 50% of distribution circuit already and it looks pretty straightforward - just generate a key using PRSS and distribute it across shards - it will be used to bootstrap generators on every shard. This will be a separate PR and will take some time to implement - but folks shouldn't be blocked as this change unblocks using the in-memory infrastructure.