Implement resharding and sharded shuffle based on it.

[akoshelev]

This change add a generic reshard functionality that allows shards to redistribute their shares according to some logic based on the share value, index in the input or the context that provides access to PRSS.

Most commonly, the redistribution logic is either deterministic - send all shares to the shard 0 or based on PRSS sampling. Sharded shuffle uses the latter, the future sharded attribution will make use of deterministic reshard.

To prove that resharding works, the sharded shuffle protocol was implemented in this change as well. It is basically the same protocol as we implemented back in October (#816) with one caveat - shards on H1 do not know the cardinality of C and they can't set their shares without knowing it.

The protocol was amended to account for that. It was decided (for no particular reason) that H2 shards will inform H1 about $|C|$.

[codecov]

Codecov Report

Attention: Patch coverage is 96.31491% with 22 lines in your changes are missing coverage. Please review.

Project coverage is 90.25%. Comparing base (e1bc038) to head (83fb57b).

Files	Patch %	Lines
ipa-core/src/protocol/ipa_prf/shuffle/sharded.rs	98.23%	6 Missing ⚠️
ipa-core/src/helpers/buffers/unordered_receiver.rs	54.54%	5 Missing ⚠️
ipa-core/src/helpers/gateway/receive.rs	55.55%	4 Missing ⚠️
ipa-core/src/protocol/context/mod.rs	97.94%	4 Missing ⚠️
ipa-core/src/helpers/mod.rs	25.00%	3 Missing ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #1014      +/-   ##
==========================================
+ Coverage   90.06%   90.25%   +0.19%     
==========================================
  Files         171      172       +1     
  Lines       25157    25727     +570     
==========================================
+ Hits        22658    23221     +563     
- Misses       2499     2506       +7     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

[akoshelev]

@danielmasny please take a look at the protocol and see if it makes sense to you

[andyleiserson]

It would panic if shard_picker returned an out-of-range shard index, which seems like it is possible given that ShardIndex allows construction from arbitrary integers.

(This is admittedly a nitpick -- perhaps a more salient question is whether the clippy lints for error / panic docs are worthwhile.)

[akoshelev]

It is annoying sometimes but it could be useful to see all places where things may panic, often w/o intention to have it

[andyleiserson]

I am curious why this ended up in the context module?

I worry a bit that shard location could leak information, which will depend on how this function is used. Gluing it together with the local shuffle (which is the only way it is used currently), might mitigate that risk.

[akoshelev]

I foresee this function being used in OPRF and other parts where we need shards to redistribute the shares. I don't see anything that cannot be otherwise done manually by opening a shard channel and sending data there.

I also worry about timing attacks as intra-helper communication is now exposed and I was thinking that we need to add some protection on network layer - not sure if anything can be done in protocol code to prevent that

[danielmasny]

The shuffle makes sense to me and looks pretty clean. Thanks! I have a couple of questions, see below.

[benjaminsavage]

This is a beautiful PR. I love it. I only have one major concern: are we improperly using PRSS, specifically are the shards all re-using the same PRSS for different things. If that's the case, it seems like a potential security issue.

[benjaminsavage]

If there are N^2 channels, it seems like the probability of an error might get pretty high. I assume there is some kind of retry logic automatically build into the communication layer to mitigate sporadic failures, right?

[akoshelev]

yea we don't have retry mechanisms built-in at the application layer right now and we rely on transport layer (TCP) to provide reliable channels. We may build something for that purpose if we see that TCP does not satisfy our needs, but it shouldn't be visible to MPC because there isn't anything you can do here that you can't do at the infrastructure layer.

[benjaminsavage]

I don't understand this name. What do you mean by "ends"?

[andyleiserson]

SendingEnd is the type returned by shard_send_channel. You can think of it as "transmit handle" (in the sense of let (tx, rx) = mpsc::channel().

[akoshelev]

for every channel there is always at least one sender and one receiver. Sending end of a channel is what we give to the sender(s) and receiving end is owned by receiver(s).

To avoid confusion here, let me rename it to send_channels

[benjaminsavage]

What does this do?

[akoshelev]

The result of send operation is a unit () and we need to map it to Option<Value> to conform to receive API. The goal is to handle "receive from other shards" and "receive from this shard" operations in a uniform way (line 518)

[benjaminsavage]

Elegant! These are great trait bounds. Only 4 of them, the names make sense... great work!

[benjaminsavage]

What's the use-case for when the value itself is used by the shard picker? Is this for the OPRF part?

[akoshelev]

Yes that would be one use case - for OPRF resharding we will use some bits of the value itself to determine a destination shard.

[benjaminsavage]

I don't love the variable name se. What does it mean / stand for? Is this a term of art I'm just unfamiliar with?

[akoshelev]

too abbreviated, I agree. fixed it

[benjaminsavage]

Won't this cause every single shard to select the same destination shard index for its first record? I think they're all narrowed to the same step, and all start from RecordId::FIRST and count up. If this is the case, it feels like a security issue.

[akoshelev]

we discussed this below, to summarize - it shouldn't be a security issue because all shards run MPC circuits independent from each other. Each circuit runs an independent Diffie-Hellman protocol between each pair of helpers, so the probability of them negotiating the same shared secret is $\frac{N}{2^{256}}$ where $N$ is the total number of shards

[andyleiserson]

Suggested change

	use futures::Stream;
	use futures_util::stream;
	use futures::{Stream, StreamExt, stream};

(and delete the import on line 13)

[akoshelev]

my IDE keeps failing me on this one. It always prefers futures_util over futures - I don't know why

[andyleiserson]

Suggested change

	/// The destination shard for each masked row is decided based on value obtained from sampling
	/// PRSS. Which value to use (left or right) is decided based on `direction` parameter.
	/// The mask value, and destination shard for each masked row, are determined by
	/// sampling PRSS. `Direction::Left` means to use the PRSS shared with the left
	/// helper, and `Direction::Right` means to use the PRSS shared with the right
	/// helper.

This is similar to a suggestion Ben left elsewhere.

Since this code (more precisely, the h#_shuffle routines that call this one) relies on the fact that "left" means "peer $i - 1$" and "right" means "peer $i + 1$", maybe it's worth adding a static assertion to check that? Or alternatively, we could put a comment on Role::peer referencing this protocol, but the static assertion seems better unless it can't be written against public APIs or something like that.

[akoshelev]

Yep added set of static checks in Role module

[andyleiserson]

My initial reaction was that this isn't that hard (maybe something like impl FromPrss for Left<T>), but upon going to try and mock it up, I realized it's a bit harder than that because it needs to propagate through a few layers of functions in the PRSS implementation.

Since the PRSS stuff needs to be monomorphized anyways, maybe the compiler will figure out that it can skip half of the PRSS generation?

[akoshelev]

my worry is that as you said there are quite a few layers before we get to AES, so compiler may not have enough memory to keep track of things and/or time to do that. Cutting of 50% of CPU time to generate these masks seems to be important enough to have some guarantee of it happening

[andyleiserson]

SendingEnd is the type returned by shard_send_channel. You can think of it as "transmit handle" (in the sense of let (tx, rx) = mpsc::channel().

[andyleiserson]

This isn't directly about this PR, but if we're settling on a "protocols should be written against upgraded contexts" policy (see discussion in #1021), then maybe ShardConfiguration shouldn't be implemented for the base context.

[akoshelev]

I merged this PR and then I saw this comment - for some reason it wasn't showing up on the "Changes" tab. I could be wrong but I think we don't expose Base context directly - it is always wrapped into a semi-honest or malicious version

[andyleiserson]

Yeah, I was mixing things up when I made this comment. By "base context" I meant semi_honest::Context, which is not the same as struct Base.