WIP: Frist approach towards an implementation of HoneyBadgerMPC

mpc/src/lib.rs

@@ -1 +1,2 @@
+mod protocols;
 mod utils;

mpc/src/protocols/honey_badger/honey_badger_notes.md

@@ -0,0 +1,46 @@
+# Honey Badger MPC Overview
+
+This document serves as a summary to extract the relevant parts of the [HoneyBadgerMPC] paper.
+We will leave out the implementation of AsynchroMix as this part is not relevant for us.
+
+[HoneyBadgerMPC]: https://eprint.iacr.org/2019/883
+
+### Arithmetic in FFT-Friendly Finite Fields
+HoneyBadgerMPC operates on the finite field behind the BL12-381 curve. This means that field
+elements are a multiple of some $2^k$-root of unity $\omega$. We should check how these
+operations are supported in the ark-ff crate.
+
+### Batch Reconstruction
+This is the [algorithm] \(page 13, second box\) used to batch-reconstruct shares, which makes use
+of RobustInterpolate twice. The key idea is to extend $t + 1$ sharings to $n$ sharings, by 
+switching the roles of coefficients and points, so $M(x_{ij}) \alpha_j = y_i$ becomes
+$M(\alpha_{ij}) x_j = y_i$, with $i = (1...n)$ and $j = (1...t+1)$. Then every player sends his
+row $j$ to player $j$, who robust-interpolates all the equations he received this way and hence
+reconstucts $y_j$. This process is repeated once more and we end up with $t +1$ opened values
+$x_1, x_2, ..., x_{t + 1}$.
+
+[algorithm]: https://www.iacr.org/archive/crypto2007/46220565/46220565.pdf
+
+### Robust Interpolation
+
+Honey Badger MPC is based on a robust form of Shamir Secret Sharing. We assume that $t < n/3$ 
+parties can act maliciously. **RobustInterpolate** tries to interpolate the polynomial with 
+the first $t + 1$ shares received. After that a party waits until $2t + 1$ shares are received.
+If all shares mtach with each other we can directly interpolate the polynomial. If not we
+have to use a form of [online error correction].
+
+[online error correction]: https://eprint.iacr.org/2012/517
+
+### RSDecode
+
+Used to correct errors if RobustInterpolate receives a set of shares, which do not agree. This
+can either use ordinary matrix multiplication, in which case the [Berlekamp-Welch] algorithm is used, 
+or an FFT-based algorithm ([Soro-Lacan]). It seems that the
+FFT-based approach is faster for Vandermonde matrices, which have more than 10k columns.
+
+[Berlekamp-Welch]: https://jeremykun.com/2015/09/07/welch-berlekamp
+[Soro-Lacan]: https://sci-hub.mksa.top/10.1109/ccnc.2010.5421749
+
+### TODO:
+
+- Preprocessing for Beaver triples with RanDouSha

mpc/src/protocols/honey_badger/mod.rs

@@ -0,0 +1,48 @@
+use super::{Channel, Open};
+use crate::types::{PubInt, SecInt};
+use std::io::{Read, Write};
+use std::marker::PhantomData;
+
+const FFT_THRESHOLD: usize = 1000;
+
+pub struct HoneyBadger<T> {
+    parties: Vec<Box<dyn Channel>>,
+    threshold: usize,
+    secret_type: PhantomData<T>,
+}
+
+impl<T> HoneyBadger<T> {
+    fn batch_recieve(&mut self, secrets: &[SecInt<T>]) -> Vec<PubInt> {
+        if self.parties.len() < FFT_THRESHOLD {
+            self.vandermonde_interpolate(secrets)
+        } else {
+            self.fft_interpolate(secrets)
+        }
+    }
+
+    fn robust_interpolate(secrets: &[SecInt<T>]) -> Vec<PubInt> {
+        todo!();
+    }
+
+    fn rs_decode() {
+        todo!();
+    }
+
+    fn ran_dou_sha() {
+        todo!();
+    }
+
+    fn vandermonde_interpolate(&mut self, secrets: &[SecInt<T>]) -> Vec<PubInt> {
+        todo!();
+    }
+
+    fn fft_interpolate(&mut self, secrets: &[SecInt<T>]) -> Vec<PubInt> {
+        todo!()
+    }
+}
+
+impl<T> Open<T> for HoneyBadger<T> {
+    fn open<U: Read + Write>(channel: &mut U, secret: SecInt<T>) -> PubInt {
+        todo!()
+    }
+}

mpc/src/protocols/mod.rs

@@ -0,0 +1,16 @@
+use crate::types::{PubInt, SecInt};
+use std::io::{Read, Write};
+
+pub mod honey_badger;
+
+pub trait Channel: Read + Write {}
+
+pub trait Protocol<T>: Open<T> + Channel {
+    // This definitely not final
+    fn preprocess();
+    fn run();
+}
+
+pub trait Open<T> {
+    fn open<U: Channel>(channel: &mut U, secret: SecInt<T>) -> PubInt;
+}