【OSCP】在 YACL 上支持基于 OT 的 Private Set Union 算法

[zhangwfjh]

Fixed #98

[Jamie-Cui]

Please make changes to this PR accordingly~ thanks

[Jamie-Cui]

Thanks for you contribution, currently this PR is under security review by our team, this PR will be merged if our security team has no more concerns.

[cmh927]

Could you explain the implementation of the function Interpolate() in yacl/crypto/primitives/psu/krtw19_psu.cc?

[zhangwfjh]

Could you explain the implementation of the function Interpolate() in yacl/crypto/primitives/psu/krtw19_psu.cc?

The key recursive step is the following
$$[x^k](x-x_1) \dotsm (x-x_j) = [x^{k-1}](x-x_1) \dotsm (x-x_{j-1}) - x_j \cdot [x^k](x-x_1) \dotsm (x-x_{j-1}),$$
where $[x^k] p(x)$ represents the $k$-th order coefficient $p_k$ of the polynomial $p(x)=\sum_k p_kx^k$.

[Jamie-Cui]

Could you explain the implementation of the function Interpolate() in yacl/crypto/primitives/psu/krtw19_psu.cc?

The key recursive step is the following xk⋯(x−xj)=xk−1⋯(x−xj−1)−xj⋅xk⋯(x−xj−1), where [xk]p(x) represents the k-th order coefficient pk of the polynomial p(x)=∑kpkxk.

Sorry I've been away from work for some time. Can you please explain more details about the codes (or, is there any other references that you can refer your code to? If there is, we may speed up the security-review process and merge this PR). Many thanks.

Again, sorry for the delay :)

[zhangwfjh]

Could you explain the implementation of the function Interpolate() in yacl/crypto/primitives/psu/krtw19_psu.cc?

The key recursive step is the following xk⋯(x−xj)=xk−1⋯(x−xj−1)−xj⋅xk⋯(x−xj−1), where [xk]p(x) represents the k-th order coefficient pk of the polynomial p(x)=∑kpkxk.

Sorry I've been away from work for some time. Can you please explain more details about the codes (or, is there any other references that you can refer your code to? If there is, we may speed up the security-review process and merge this PR). Many thanks.

Again, sorry for the delay :)

The implementation is based on the following formula (w.o. optimization).

I made some minor changes to the original codes to improve readability.

// @param x The x-coordinates of the points.
// @param y The y-coordinates of the points.
// @return The interpolation polynomial L(X) such that L(x[i]) = y[i] for all i.
auto Interpolate(const std::vector<uint64_t>& x,
                 const std::vector<uint64_t>& y) {
  using Poly = std::vector<uint64_t>;
  size_t n{x.size()};
  Poly L(n);  // L(X) = sum_{i=0}^{n-1} yi * Li(X)
  for (size_t i{}; i != n; ++i) {
    Poly Li(n);       // Li(X) = num(X) / den
    uint64_t den{1};  // den = ∏_{j≠i} (xi - xj) = den<n-1>
    Poly num(n);      // num(X) = ∏_{j≠i} (X - xj) = num<n-1>(X)
    for (size_t j{}; j != n; ++j) {
      if (x[i] != x[j]) {
        den = GfMul64(den, x[i] ^ x[j]);  // den<j> = den<j-1> * (xi - xj)
        uint64_t num_km1{0};              // num<j-1>(X)[k-1]
        for (size_t k{}; k != n; ++k) {
          // num<j>(X)[k] = (num<j-1>(X) * (X - xj))[k]
          //              = (num<j-1>(X) * X)[k] - (num<j-1>(X) * xj)[k]
          //              = num<j-1>(X)[k-1] - num<j-1>(X)[k] * xj
          num_km1 = std::exchange(num[k], num_km1 ^ GfMul64(num[k], x[j]));
        }
      }
    }
    for (size_t k{}; k != n; ++k) {
      Li[k] = GfMul64(num[k], Inv64(den));
      L[k] ^= GfMul64(y[i], Li[k]);
    }
  }
  return L;
}

[Jamie-Cui]

LGTM