lschoe
commented
2 years ago Right, currently the responsibility for keeping values in range (if desired) is with the programmer indeed. So, for inputs and outputs there is an opportunity to provide some range checks, but in general it is not possible (and certainly not without a heavy performance penalty) to check if values of secure integers etc. are within the type's nominal range.
For your example, if in fact all three parties use an input in the range of 8-bit signed integers, like each party using 100 as input value, the nominal range check would pass for all the inputs, but the sum a1 = sum(a0) would already be out of range. It's the programmer's task to avoid such overflows, if these would be a problem. Whether this should give an error upon output is not so clear; if the output protocol is run the actual value, even if it's out of range, has been revealed to all parties, and therefore they might have a look at it anyway. Issuing warnings if input or outputs are out of range still makes sense of course.
To automatically reduce all integer values modulo 256 say for 8-bit integers is a common and reasonable approach but unfortunately that would kill the performance. Simple arithmetic with secure integers +,- and even * are efficient as long as we don't require any range checks or automatic modulo 256 reductions.
Interestingly, however, it's actually advantageous in some cases to let intermediate values go out of range. Secure integers are implemented as secret-shared values modulo a prime, and this prime $p$ is like 30-bits longer than the nominal range. This "headroom" is needed for operations like secure comparisons. But this headroom also means that simple arithmetic can be done beyond the nominal range, modulo $p$, and the results will still be meaningful if the final value is known to be within the range $-p/2$ to $p/2$. We use this kind of ideas in multilateration.py for example, where the linear algebra is done modulo the prime attached to the secure integer type.
So, to keep the door open for these advanced methods, no strict range checking is currently enforced. This also gives some more time to evaluate different options, like having a symmetric range of ${-2^{\ell-1}, \ldots, 2^{\ell-1}}$ for $\ell$-bit signed integers, which may be useful sometimes. Other times the usual asymmetric range ${-2^{\ell-1}, \ldots, 2^{\ell-1}-1}$ is more appropriate, which fits well with two's complement bit representations. The choice could be left to the programmer.
This needs to be handled before MPyC can go into version 1.0 at some point, so something for next year.
Do you have some use cases already? That would be very nice of course.
samcowger
Suppose I run the following program on three parties, with input hardcoded purely to demonstrate this issue:
(I'm executing this program on localhost in three separate shells via
python prog.py -M 3 -I {0,1,2} -B 8000, Python 3.10.5.)At first glance, I would expect this program to either:
SecInt(8)with a value that overflows the type's nominal range,outputthe result of the overflowing addition, or-124(i.e.(300 + 300 + 300) & 0xffinterpreted as a two's-complement signed value)Instead, the program produces the result
900. Should I expect this behavior, or is there some way I can leverage the library's other types to achieve one of the potential behaviors I listed above?