Mastic aggregator and collector implementation

[hannahdaviscrypto]

Implements preparation, aggregation, and unsharding for the Mastic VDAF, and adjusts the VIDPF and SZK modules in support of this development.

[cjpatton]

Comments through prep_init(). Great start!

[cjpatton]

Comments up to prepare_init().

[cjpatton]

@divergentdave can you check if Debug should be fenced by a feature flag? In the past we discussed using this pattern to prevent secrets from being logged in production environments. I'm not sure what the state of play is now.

[divergentdave]

We don't currently gate any Debug impls on that feature flag. A number of structs currently derive Debug, like Seed, Prio3InputShare, Poplar1InputShare.

[cjpatton]

nit: rust convention (AFAIK)

Suggested change

	part.encode(bytes)?
	part.encode(bytes)?;

[cjpatton]

It looks like we can now delete this type.

[divergentdave]

Notably, the two encode/decode implementations are unused, and since they are on a type alias, they would bleed outside of the module to any use of a Vec<T>.

[cjpatton]

General control flow tip: Avoid nesting if statements. E.g., instead of

if cond1 {
   do_this();
   if cond2 {
      do_that();
   } else {
      handle_error();
   }
} else {
  handle_error();
}

do

if !cond1 {
   handle_error();
}
do_this();
if !cond2 {
    handle_error();
}
do_that();

This makes code easier to read and maintain.

[cjpatton]

Here we could already combine the parts into the seed. The advantage is we reduce the amount of bits on the wire by half. (Plus, IIRC, this is what the current spec says to do.)

[cjpatton]

Suggested change

	}
	}

[cjpatton]

Convention: Use the concrete type here

Suggested change

	fn aggregate<M: IntoIterator<Item = Self::OutputShare>>(
	fn aggregate<M: IntoIterator<Item = MasticOutputShare<T::Field>>>(

[cjpatton]

Suggested change

	let n = agg_param.level_and_prefixes.prefixes().len();
	let num_prefixes = agg_param.level_and_prefixes.prefixes().len();

[cjpatton]

Use chunks() to get an iterator instead: https://doc.rust-lang.org/std/slice/struct.Chunks.html#example

This is easier to read and allows the compiler to do some more optimization.

[cjpatton]

You've hard coded the number of measurements to be 1. In fact, this is supposed to be the number of measurements that have the prefix in common. See https://github.com/jimouris/draft-mouris-cfrg-mastic/blob/482903a99a52cfb61ec06d979ade2fc0512e8c3f/poc/mastic.py#L351.

Rather than address it in this PR, I suggest leaving it as a TODO for #947 and taking care of it later.

[divergentdave]

It looks like we need to add the counter prefix to the encoded measurement, from sharding through to here. Once that's addressed in a follow-up, I think we'll want convenience constructors for Mastic with particular circuits, to take care of constructing the Szk and Vidpf objects, and calculating the VIDPF weight parameter from szk.typ.output_len() + 1.

[divergentdave]

I also noticed that the spec currently calls truncate during preparation, before producing an output share, as opposed to during unsharding.

[cjpatton]

Put this in an array and reference the indices of the array below.

Suggested change

	let first_input = VidpfInput::from_bytes(&[240u8, 0u8, 1u8, 4u8][..]);
	let second_input = VidpfInput::from_bytes(&[112u8, 0u8, 1u8, 4u8][..]);
	let third_input = VidpfInput::from_bytes(&[48u8, 0u8, 1u8, 4u8][..]);
	let fourth_input = VidpfInput::from_bytes(&[32u8, 0u8, 1u8, 4u8][..]);
	let fifth_input = VidpfInput::from_bytes(&[0u8, 0u8, 1u8, 4u8][..]);
	let first_prefix = VidpfInput::from_bools(&[false, false, true]);
	let second_prefix = VidpfInput::from_bools(&[false]);
	let third_prefix = VidpfInput::from_bools(&[true]);
	let prefixes = [
	VidpfInput::from_bytes(&[240u8, 0u8, 1u8, 4u8][..]),
	VidpfInput::from_bytes(&[112u8, 0u8, 1u8, 4u8][..]),
	... and so on
	];

[cjpatton]

I think we should use run_vdaf() to run the whole thing end-to-end, including aggregation and collection:

libprio-rs/src/vdaf.rs

Line 486 in d2fe428

pub fn run_vdaf<V, M, const SEED_SIZE: usize>(

[divergentdave]

Partial review, of the SZK module:

[divergentdave]

We don't currently gate any Debug impls on that feature flag. A number of structs currently derive Debug, like Seed, Prio3InputShare, Poplar1InputShare.

[divergentdave]

This error variant is no longer used for this purpose. It's now used when the leader share and helper share have a mismatched presence/absence of joint randomness parts. Since that error condition is not related to the prepare state, I think we can remove this InvalidState variant.

[divergentdave]

I think this needs some further explanation, since this is a novel term.

Suggested change

	/// Joint share type for the SZK proof.
	/// Joint share type for the SZK proof.
	///
	/// This is produced by [`Szk::merge_verifiers`] as the result of combining two query shares.
	/// It contains the joint randomness parts from each aggregator, if applicable. It is consumed by [`Szk::decide`].

Or, taking https://github.com/divviup/libprio-rs/pull/1107/files#r1823527498 into account:

Suggested change

	/// Joint share type for the SZK proof.
	/// Joint share type for the SZK proof.
	///
	/// This is produced by [`Szk::merge_verifiers`] as the result of combining two query shares.
	/// It contains the re-computed joint randomness seed, if applicable. It is consumed by [`Szk::decide`].

[divergentdave]

I think we could better encapsulate the SZK logic if this took in a &SzkJointShare instead. This would let us remove the match block from Mastic::prepare_next().

[divergentdave]

As mentioned above, this error case is no longer about the prepare state, since this just depends on query shares.

[divergentdave]

Can we remove #![allow(dead_code)] etc. from the bt module now that this is using it?

Relatedly, I think we ought to make the bt module public now, since BinaryTree appears in the arguments of the public Vidpf::eval_with_cache() method.

[divergentdave]

We can combine these and remove the .expect() by using Option::get_or_insert_with()

Suggested change

	if cache_tree.root.is_none() {
	cache_tree.root = Some(Box::new(Node::new(VidpfEvalCache {
	state: VidpfEvalState::init_from_key(id, key),
	share: W::zero(&self.weight_parameter), // not used
	})));
	}
	let mut sub_tree = cache_tree.root.as_mut().expect("root was visited");
	let mut sub_tree = cache_tree.root.get_or_insert_with(|| {
	Box::new(Node::new(VidpfEvalCache {
	state: VidpfEvalState::init_from_key(id, key),
	share: W::zero(&self.weight_parameter), // not used
	}))
	});

[divergentdave]

nit: another place where we can use this constant

Suggested change

	let mut proof = [0u8; 32];
	let mut proof = [0u8; VIDPF_PROOF_SIZE];

[divergentdave]

nit: Using the get_... helper methods can save some boilerplate, and gets us a check for unused bytes for free.

Suggested change

	let mut bytes = vec![];
	public.encode(&mut bytes).unwrap();
	assert_eq!(public.encoded_len().unwrap(), bytes.len());
	let decoded = VidpfPublicShare::<TestWeight>::decode_with_param(
	&(8, TEST_WEIGHT_LEN),
	&mut Cursor::new(&bytes),
	)
	.unwrap();
	let bytes = public.get_encode().unwrap();
	assert_eq!(public.encoded_len().unwrap(), bytes.len());
	let decoded = VidpfPublicShare::<TestWeight>::get_decoded_with_param(
	&(8, TEST_WEIGHT_LEN),
	&bytes,
	)
	.unwrap();

[divergentdave]

nit: typo

Suggested change

	/// state for [`Szk``] verification, the output shares currently being validated, and
	/// state for [`Szk`] verification, the output shares currently being validated, and

[divergentdave]

Here and elsewhere, we can drop the name of methods from their documentation, since this will appear just below the full method signature.

Suggested change

	/// [`Vidpf::eval_with_cache`] evaluates the entire `input` and produces a share of the
	/// Evaluates the entire `input` and produces a share of the

[divergentdave]

We should add some test cases covering require_weight_check = false.

[divergentdave]

Here's a suggested rephrasing

Suggested change

	/// Broadcast message from an aggregator between rounds of Mastic. Includes the
	/// Broadcast message from an aggregator during preparation. Includes the

[divergentdave]

I think this code could be further simplified by fusing this if-else and the if-else above. szk_verify_opt is constructed by the previous if-else block, and immediately destructured here, with no other uses

[divergentdave]

It looks like we need to add the counter prefix to the encoded measurement, from sharding through to here. Once that's addressed in a follow-up, I think we'll want convenience constructors for Mastic with particular circuits, to take care of constructing the Szk and Vidpf objects, and calculating the VIDPF weight parameter from szk.typ.output_len() + 1.

[divergentdave]

I also noticed that the spec currently calls truncate during preparation, before producing an output share, as opposed to during unsharding.