make vdaf::verify_finish take a slice

[tgeoghegan]

verify_finish wants to consume a collection of VerifierMessage.
Accomplishing this with Vec<VerifierMessage> forces allocation and
copying to the heap. We now instead use const generics and take M: TryInto<[VerifierMessage; const N: usize]>, so that callers that hold
either a [VerifierMessage] on the stack or a Vec<VerifierMessage> on
the heap, or anything else that can be converted to a slice of
VerifierMessage, can use verify_finish.

[cjpatton]

Dope! While at it, do you think we should do the same thing for dist_input() and dist_init(), i.e., make these output a vector of constant size?

[cjpatton]

It would be nice to reduce the number of type parameters. Is this possible?

Suggested change

	M: TryInto<[VerifierMessage<V::Field>; N], Error = E>,
	E: std::fmt::Debug,
	M: TryInto<[VerifierMessage<V::Field>; N], Error: std::fmt::Debug>,

It would avoid the additional type parameter E. (Also, I think Debug is imported by default these days.)

Alternatively, I would be comfortable with a panic!() here instead of propagating the error. This is less of an input validation issue than it is a programmer error.

[tgeoghegan]

I tried doing that but you can't do it yet. There's a Rust RFC, it's implemented, but it's not yet stabilized.

[cjpatton]

In that case my preference would be to panic instead of propagating the error.

[tgeoghegan]

Sure, I struggle to imagine this failing for any reason beyond whatever collection msg is having the wrong number of elements, so I think we can just panic! and get rid of the Debug trait bound.

[tgeoghegan]

cjpatton and I chatted about this and got extremely galaxy brained about it. I'm going to try changing this so that verify_finish takes IntoIterator<Item = VerifierMessage<V::Field>>, which ✅ allows callers to provide any kind of slice or a vec or whatever and ✅ is infallible so we don't have to deal with any type bounds on errors.

[cjpatton]

Suggested change

	"input could not be converted to VerifierMessage slice: {:?}",
	"verify_finish(): input could not be converted to VerifierMessage slice: {:?}",

For consistency

[cjpatton]

I'm curious if all of the type parameters, including NUM_SHARES, could be inferred if verifiers had type [VerifierMessage<Boolean<Field64>>; NUM_SHARES].

[tgeoghegan]

Yes, you could instead do:

let verifiers_slice: [VerifierMessage<Field64>; NUM_SHARES] = verifiers.try_into().unwrap();
for state in states {
    let output_share = verify_finish(state, verifiers_slice.clone()).unwrap();
<...>

I wanted to prove that passing in a Vec<VerifierMessage<F>> works, though. What would be cool is if Rust had named trait bounds, so that instead of specifying NUM_SHARES positionally, I could do let output_share = verify_finish::<N = NUM_SHARES>(...);, since the _, _, _, is rather ugly.

[cjpatton]

I'm not concerened about the ugliness here, I was just curious.

[cjpatton]

How about SHARES instead of N? This would align nicely with the spec.

[tgeoghegan]

Dope! While at it, do you think we should do the same thing for dist_input() and dist_init(), i.e., make these output a vector of constant size?

Yeah, that is a good idea, if we're prepared to commit to making the number of shares a parameter that's known at compile time. I think that's fine because num_shares will be 2 in all realistic deployments of libprio-rs for as far out as I can see. I'm going to refactor dist_input and dist_init as you suggest and update ppm-prototype to use the resulting interfaces. It will take me until Friday to update this PR with those changes because I'm flying tomorrow, though.

[cjpatton]

Dope! While at it, do you think we should do the same thing for dist_input() and dist_init(), i.e., make these output a vector of constant size?

Yeah, that is a good idea, if we're prepared to commit to making the number of shares a parameter that's known at compile time. I think that's fine because num_shares will be 2 in all realistic deployments of libprio-rs for as far out as I can see. I'm going to refactor dist_input and dist_init as you suggest and update ppm-prototype to use the resulting interfaces. It will take me until Friday to update this PR with those changes because I'm flying tomorrow, though.

If we're going to constrain the number of inputs to verify_finish, then it makes sense to constrain the other functions the same way, since they would be effectively constrained at the protocol level anyway.

I think SHARES > 2 is going to be needed eventually. I think the more important underlying assumption s that a PPM task is always going to have a constant number of aggregators, so hard-coding this at compile time is fine.

[tgeoghegan]

I tried using const generics to make dist_input and dist_init return constant size vectors, but I found that it ends up being quite awkward. Right now we do something like:

let mut out: Vec<Value> = Vec::with_capacity(num_shares);
for foo in foos {
    out.push(Value { ... });
}
out

The equivalent construction with an array would be something like:

let mut out = <[Value; NUM_SHARES]>::default();
for (i, foo) in foos.enumerate() {
    out[i] = Value { ... }
}
out

Because you can't have an uninitialized array in Rust. The problem is that we need to provide an std::default::Default implementation for types like InputShareMessage and VerifierMessage, and in turn for Key, which isn't obvious. Since @cjpatton wants to change the VDAF syntax early next week, I think I'd rather defer that change until other stuff stabilizes some more.

[tgeoghegan]

Tagging @branlwyd for visibility -- don't worry if none of this makes sense, I just want you to be in the loop on libprio-rs changes.