ladnir
commented
4 years ago And you have the current version of libOTe?
Closed freelyyu closed 4 years ago
ladnir
commented
4 years ago And you have the current version of libOTe?
freelyyu
commented
4 years ago Thanks for your reply, I download the latest version of libOTe and libPSI. I run cmake . -DENABLE_DCW_PSI=ON , then I run make secussfully, I run ./bin/frontend.exe -dcwr -v, it says DCW PSI is not enabled
`
freelyyu
commented
4 years ago I'm sorry to have been interrupting you, if I set ENABLE_DCW_PSI. there are several errors. such as follows:
libPSI-master/libPSI/MPSI/Dcw/DcwRBfPsiSender.cpp:225:25: error: ‘ByteStream’ was not declared in this scope
std::unique_ptr<ByteStream> myMasksBuff(new ByteStream((mBfBitCount)* sizeof(block)));ok, yeah there is a bit of "code rot" here. I'll update and let you know when I push.
ladnir
commented
4 years ago I assume you want the semi-honest DCW scheme? This is the buggy "malicious secure" scheme. I'll remove the extra stuff and just have SH DCW with the PSSZ random garbled BF optimization.
ladnir
commented
4 years ago So I added SH DCW. It's now in the PSI folder.
freelyyu
commented
4 years ago Thank you for your patient help. I am sorry I don't make myself clear. In fact, for some reason, I want to use:(1) the semi-honest DCW without PSZ random GBF optimization. (2) buggy "malicious secure" scheme " with polynomial interpolation but without random GBF optimization. Your previous DcwBfPsiReceiver.cpp, DcwBfPsiSender.cpp and ShamirSSScheme.cpp meet the need.
------------------ 原始邮件 ------------------ 发件人: "Jack Doerner"<notifications@github.com>; 发送时间: 2020年2月10日(星期一) 凌晨0:31 收件人: "osu-crypto/libPSI"<libPSI@noreply.github.com>; 抄送: "freely钰"<482356841@qq.com>;"Author"<author@noreply.github.com>; 主题: Re: [osu-crypto/libPSI] problem when adding -DENABLE_DCW to Cmakelist.txt (#10)
I assume you want the semi-honest DCW scheme? This is the buggy "malicious secure" scheme. I'll remove the extra stuff and just have SH DCW with the PSSZ random garbled BF optimization.
— You are receiving this because you authored the thread. Reply to this email directly, view it on GitHub, or unsubscribe.
ladnir
commented
4 years ago For 1), it should be pretty easy to remove the PSZ optimization. You just need to use the OT messages in a slightly different way. I am not going to implement this.
for 2), that protocol is extremely slow. Shamir secret sharing over that many things is very slow. See table 6 https://eprint.iacr.org/2016/746.pdf. Also, I don't think I actually got it working. I think I just did the correct number of operations (maybe?). But as you say, the old code did do something to this effect so you can look at it as a reference.
freelyyu
commented
4 years ago Ok, thanks for you guidance.
------------------ 原始邮件 ------------------ 发件人: "Jack Doerner"<notifications@github.com>; 发送时间: 2020年2月10日(星期一) 中午11:05 收件人: "osu-crypto/libPSI"<libPSI@noreply.github.com>; 抄送: "freely钰"<482356841@qq.com>;"Author"<author@noreply.github.com>; 主题: Re: [osu-crypto/libPSI] problem when adding -DENABLE_DCW to Cmakelist.txt (#10)
For 1), it should be pretty easy to remove the PSZ optimization. You just need to use the OT messages in a slightly different way. I am not going to implement this.
for 2), that protocol is extremely slow. Shamir secret sharing over that many things is very slow. See table 6 https://eprint.iacr.org/2016/746.pdf. Also, I don't think I actually got it working. I think I just did the correct number of operations (maybe?). But as you say, the old code did do something to this effect so you can look at it as a reference.
— You are receiving this because you authored the thread. Reply to this email directly, view it on GitHub, or unsubscribe.
freelyyu
commented
4 years ago I am sorry to trouble you again.
I want the semi-honest DCW without PSZ random GBF optimization, but I I don't know much about the implementation of OT. I have the previous version of DCW, which is semi -honest without PSZ random GBF optimization and Shamir secret sharing. When Bob and Alice interact to get the intersection GBF, I want to know if it is implemented using OT according to the idea in the following picture or Alice just send her GBF to Bob.
.
what's more, I do not know why do you have to calculate and send otCorrection.
ladnir
commented
4 years ago not sure about your first question.
With regards to the otCorrection: In the offline phase we do random OT with random choice bits.
That is, the OT receiver picks mBfBitCount random bits mRandomChoices. They then perform a random OT for each of these bits where the receiver gets receiverMsg[i] = senderMsg[i][mRandomChoices[i]] and senderMsg[i][0],senderMsg[i][1] are the random OT messages. Later, we want the OT messages to correspond to the bloom filter. What we do it "relable" the OT messages so that we have newReceiverMsg[i] = newSenderMsg[i][bf[i]]. We do this by defining
newReceiverMsg[i] = receiverMsg[i]
and
newSenderMsg[i][0] = senderMsg[i][perm[i]]
newSenderMsg[i][1] = senderMsg[i][perm[i]^1]Thanks a lot for your reply. Sorry to bother you again. I could understand the reason to calculate otCorrection now.
I want the semi-honest DCW without PSZ random GBF optimization, and I think the following codes (your previous version)meets my requirements.
the sender "encrypt" the garbledBF[idx] using OT meassage newSenderMsg[i][1], such as mask=garbledBF[idx] ^ mSendOtMessages[idx][otCorrection[idx] ^ 1], then she sends the garbledBF to receiver, if the receiver's bf[idx]==1, then he can "decrypt" the ciphertext to get garbledBF[idx], otherwise the xored value looks random to him. I think it fulfils the idea of the picture, I want to know if I understand it right.
//sender.cpp
for (u64 i = start, k = 0; i < end; ++i, ++k)
{
u64 firstFreeIdx(-1);
auto sum = inputs[i];
//std::cout << "input[" << i << "] " << inputs[i] << std::endl;
idxs.clear();
for (u64 j = 0; j < mHashs.size(); ++j)
{
// copy the hash since its stateful
auto hash = mHashs[j];
hash.Update(inputs[i]);
hash.Final(hashOut);
u64 &idx = *(u64 *)hashOut;
idx %= mBfBitCount;
idxs.emplace(idx);
}
for (auto idx : idxs)
{
if (eq(garbledBF[idx], ZeroBlock))
{
if (firstFreeIdx == u64(-1))
{
firstFreeIdx = idx;
}
else
{
garbledBF[idx] = prng.get<block>();
}
}
auto mask = garbledBF[idx] ^ mSendOtMessages[idx][otCorrection[idx] ^ 1];
sum = sum ^ mask;
//std::cout << "sender "<< i << " " << j << " " << garbledBF[idx] << " " << mask << " " << idx << std::endl;
}
garbledBF[firstFreeIdx] = sum;
//std::cout << "sender " << i << " * " << garbledBF[firstFreeIdx] << " " << firstFreeIdx << std::endl;
}
for (u64 i = 0; i < garbledBF.size(); ++i)
{
if (eq(garbledBF[i], ZeroBlock))
garbledBF[i] = prng.get<block>();
}
gTimer.setTimePoint("online.masksComputed");
chl.asyncSend(std::move(garbledBF));
gTimer.setTimePoint("online.masksSent");//receiver.cpp
for (u64 i = start; i < end; ++i)
{
auto &item = inputs[i];
//std::cout << "input[" << i << "] " << inputs[i] << std::endl;
for (u64 j = 0; j < mHashs.size(); ++j)
{
// copy the hash since its stateful and has the seed in it
auto hash = mHashs[j];
hash.Update((u8 *)&item, sizeof(block));
hash.Final(hashOut);
*idxIter = *(u64 *)hashOut % mBfBitCount;
//std::cout << "recver " << i << " " << j << " " /*<< garbledBF[idx] << " " << mask */ << " " << *idxIter << std::endl;
bf[*idxIter++] = 1;
}
}
if (--hashingsRemaing == 0)
hashingsDoneProm.set_value();
else
hashingsDoneFuture.get();
// all hashing is done now.
if (t == 0)
{
gTimer.setTimePoint("online.BF_computed");
// if we are the main thread, then convert the bloom filter into a permutation
//TODO("make perm item size smaller");
std::unique_ptr<BitVector> otCorrection(new BitVector(mBfBitCount));
auto &perm = *otCorrection;
//std::array<u64, 2> permIdxs{ 0,0 };
u64 i = 0;
for (; i < mBfBitCount; ++i)
{
perm[i] = bf[i] ^ mRandChoices[i];
}
chl.asyncSend(std::move(otCorrection));
gTimer.setTimePoint("online.Bf_permuite_sent");
auto recvDone = chl.asyncRecv((u8 *)garbledBF.data(), garbledBF.size() * sizeof(block));
gTimer.setTimePoint("online.sharesRecved");
recvDone.get();
}
// now lets generate the masks. we have the computed indices in the permIdxs vector.
idxIter = idxs.begin();
std::vector<u64> localIntersection;
std::set<u64> ss;
//std::cout << IoStream::lock;
for (u64 i = start; i < end; ++i)
{
ss.clear();
block mask(ZeroBlock);
for (u64 j = 0; j < mHashs.size(); ++j)
{
if (ss.find(*idxIter) == ss.end())
{
//receiver get OT mMessages[*idxIter] in the offline phase
auto gbf = mMessages[*idxIter] ^ garbledBF[*idxIter];
mask = mask ^ gbf;
ss.emplace(*idxIter);
}
++idxIter;
}
if (eq(mask, inputs[i]))
localIntersection.push_back(i);
}Looks correct to me.
freelyyu
commented
4 years ago Thanks for your reply.
I build and run the library successfully on WSL of windows.
And I build the libOTe and libPSI successfully on ubuntu18.04 of Mac, but when I run it, it occurs the error segment default, then I debug with gdb, it shows the following error reason:
And I found the following code segment cause this error. When the following code segment is executed, this error occurs.
if (otExt.hasBaseOts() == false)
{
otExt.genBaseOts(prng, chl0);
}Is this the code you modified or the master branch?
Hi, Thanks a lot for developing such a good library about PSI. I want to run protocol DCW, I add the option
-DENABLE_DCWto Cmakelist.txt, then I runmake, it occus the following error.