Questions about If/Else and Parallelization

[JulianLiedtke]

Hi,

I have a program of the following structre:

Input ciphertext y, Witness: secret key

1. Decrypt y using the secret key, obtaining x
2. If x has some property output 1
3. Output 0

My questions are:

• How is it possible to realize the if/else clause?
• Assuming that I have multiple ciphertexts as input, it is possible to run the decryptions in parallel for efficiency?

[meilof]

For the if clause, you would need to somehow compute whether the property holds in a secret way. For example, if you want to compare whether a value equals 10 you could do

x=(val==10)

Which compares the secret value val to the constant 10 and sets x to 1 if they are equal and 0 otherwise. You could then open the value x, e.g. with x.val()

Conxerning parallelizing, since the main computation is the proof construction after the python script, paralellizing the python script itself would not help much.

Hope that helps!

[JulianLiedtke]

Thanks for the reply.

Is it also possible to perform a greater-than test (val >=10)?

[meilof]

Sorry for the late reply but I thought about this and yes, it is possible.

If you already know that val is going to be >=10 and you just want to prove that this is indeed the case, you can do (val-10).assert_positive().

If you don't know whether val is going to be >= 10 and you want to compute a secret value such that val=1 if x>=10 and val=0 if not, then this is also possible but it is a bit more involved. Suppose you know that val>=0 and you want cmp=1 if val<=B and cmp=0 if val>B. This seems to work out to the following:

• compute cmp and assert that it is a bit
• compute bits b1,...,bn that are a bit decomposition of B-x if val<=B and of x-B-1 if val>B. This bit decompositon would need to be max(bitlength(B),bitlengh(x)) bits lomg
• assert that cmp*(2x-2bitsum(b1,..,bn)-1)+bitsum(b1,...,bn)-x+B+1 is equal to zero

If you still need this I could implement such an operation in the runtime. Would an operator cmp=(x<=B) where B is constant and x is known to be non-negative indeed be enough?

[JulianLiedtke]

Sounds great. I would appreciate it if you could implement such an operator.

Do you think a comparison of two secret values is possible (e.g. B is also a secret)?

[meilof]

I made a function val.check_smaller(arg, bl) that checks whether "val" is strictly smaller than "arg" (both with maximum bit length "bl"). It works both for secret and public "arg". See:

https://github.com/Charterhouse/pysnark/blob/master/examples/compare.py

Hope that's useful. Note that val.equals(var) allows to compare "val" and "var" with a private result, so this way you can let behaviour depend on whether a<b, a==b, or a>b. Hope that helps!

[JulianLiedtke]

Sorry for the late reply. Thanks for your work, I will have a look into it.