Secure Linear Algebra against Covert or Unbounded Adversaries
Payman Mohassel and Enav Weinreb
CWI / UC Davis
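
Solving Distributed Linear Constraints Privately
[Figure: four constraint sets $A_1 x = b_1$, $A_2 x = b_2$, $A_3 x = b_3$, $A_4 x = b_4$, stacked into one system $(A_1; A_2; A_3; A_4)\,x = (b_1; b_2; b_3; b_4)$; output: x]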

Perfect Matching in Bipartite Graphs
• G = (E,V)
• E = E1 ∪ E2
• AG = AG1 AG2
• AG is the adjacency matrix of graph G, with variables replacing 1's
• Det(AG1 AG2) =? 0
• Det is non-zero iff G has a perfect matching
[Figure: parties P1 and P2 hold edge sets E1 and E2, with matrices AG1 and AG2]

Problem
• Secure linear algebra computation
  • Solving linear systems
  • Computing rank, determinant, …
• Setting
  • Shared $n \times n$ matrix/linear system
  • Multiparty (honest majority)
    • Linear secret sharing
  • Two-party
    • Additive homomorphic encryption
• Goal
  • Improve round and communication efficiency
  • Defend against stronger adversaries

Current Status
• Multiparty
  • [CKP07]
    • Const. round, $O(m^4 + n^2 m)$ comm. for $m \times n$ systems
    • Worst case: $O(n^4)$ comm.
    • Malicious adversaries (honest majority)
  • [NW06]
    • $O(n^{0.27})$ rounds, $O(n^2)$ comm.
    • Semi-honest adversaries
• Two-party
  • [KMWF07]
    • $O(\log n)$ rounds, $O(n^2 \log n)$ comm.
    • Semi-honest adversaries
  • Yao's
    • $O(1)$ rounds, $O(n^{2.38})$ comm.

Our Protocols
• Efficiency
  • For every constant s
  • $O(s)$ rounds, $O(s\,n^{2+1/s})$ communication
  • Sublinear comm. in circuit complexity
• Security
  • Multiparty: malicious adversary (honest majority)
  • Two-party: covert adversaries

Approach
• Reduce linear algebra problems to matrix singularity
• Reduce general singularity to Toeplitz singularity
• Reduce Toeplitz singularity to matrix product
• Design a secure matrix product protocol
Reductions need to be secure and efficient

From Linear Algebra to Singularity
• Problems such as
  • Solving a linear system of equations
  • Computing the determinant
  • Computing the rank
• Reduced to
  • Matrix singularity: Det([A]) =? 0
• Round and communication preserving

General to Toeplitz
Theorem: For every positive integer s, there exists an $O(s)$-round, $O(s\,n^{2+1/s})$-communication protocol that securely transforms shares of a general matrix M into shares of a Toeplitz matrix T such that, with high probability, M is singular iff T is.
[Diagram: M → T in $O(s)$ rounds, $O(s\,n^{2+1/s})$ comm.; M is singular iff T is]

Minimal Polynomials
• All values are over a large finite field F
• Minimal polynomial of a matrix A ($m_A$)
  • Smallest degree polynomial $f = (f_0, \dots, f_d)$
  • $f_0 I + f_1 A + \dots + f_d A^d = 0$
• Linearly recurrent sequence $\{a_i\}_{0 \le i \le N}$
  • Minimal polynomial f
  • $f_0 a_j + f_1 a_{j+1} + \dots + f_d a_{j+d} = 0$

General to Toeplitz
• Generate random matrices V, W over F and compute $M' = VMW$
  • Lemma ([KS91]): W.h.p., upper-left $i \times i$ submatrices of $M'$ are invertible (for $i \le \mathrm{Rank}(M)$)
• Generate random diagonal matrix D, and compute $M'' = DM'$
  • Lemma ([KS91]): W.h.p., $\mathrm{rank}(M') = \deg(m_{M''}) - 1$
• Compute sequence $\{\alpha_i = u^t (M'')^i v\}_{1 \le i \le 2n}$ for random vectors u, v
  • Lemma ([Wei86]): W.h.p., minimal polynomial of $\alpha_i$ is equal to $m_{M''}$

General to Toeplitz
$T_n$ singular iff M is
Lemma ([KP91]): $\mathrm{Det}(T_d) \ne 0$, and for all d < , and Det(T ) = 0
where d = degree of minimal polynomial of $\alpha_i$
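
The reduction above, run in the clear on unshared matrices as an added sketch (not code from the talk or the paper): it builds $M'' = DVMW$, forms $\alpha_i = u^t (M'')^i v$ for $1 \le i \le 2n$, and returns d, the degree of the sequence's minimal polynomial, so that d < n flags a singular M. The prime P, the function names, the use of Berlekamp-Massey to find d, and the sample matrices are assumptions of this sketch.

```python
import random

P = 2**61 - 1  # assumed prime, standing in for the large finite field F

def matmul(A, B):
    return [[sum(a * b for a, b in zip(r, c)) % P for c in zip(*B)] for r in A]

def berlekamp_massey(seq):
    """Degree of the minimal polynomial (shortest linear recurrence) of seq over GF(P)."""
    C, B, L, m, b = [1], [1], 0, 1, 1
    for i, s in enumerate(seq):
        # discrepancy between seq[i] and what the current recurrence predicts
        d = (s + sum(C[k] * seq[i - k] for k in range(1, L + 1))) % P
        if d == 0:
            m += 1
            continue
        T, coef = C[:], d * pow(b, -1, P) % P
        C += [0] * (len(B) + m - len(C))
        for k, bk in enumerate(B):
            C[k + m] = (C[k + m] - coef * bk) % P
        if 2 * L <= i:                      # the recurrence has to get longer
            L, B, b, m = i + 1 - L, T, d, 1
        else:
            m += 1
    return L

def krylov_degree(M, rng):
    """d for alpha_i = u^t (M'')^i v, 1 <= i <= 2n, with M'' = D V M W."""
    n = len(M)
    rand = lambda r, c: [[rng.randrange(1, P) for _ in range(c)] for _ in range(r)]
    V, W, u, v = rand(n, n), rand(n, n), rand(1, n), rand(n, 1)
    D = [[rng.randrange(1, P) if i == j else 0 for j in range(n)] for i in range(n)]
    M2 = matmul(D, matmul(matmul(V, M), W))  # M'' = D (V M W)
    alphas, x = [], v
    for _ in range(2 * n):
        x = matmul(M2, x)                    # x = (M'')^i v
        alphas.append(matmul(u, x)[0][0])    # alpha_i = u^t x
    return berlekamp_massey(alphas)

# Constructed inputs: a 5x5 product of a 5x3 and a 3x5 factor (rank 3), and the identity.
LOW_RANK = matmul([[1, 2, 3], [4, 5, 6], [7, 8, 10], [1, 0, 1], [2, 1, 0]],
                  [[1, 0, 2, 1, 3], [0, 1, 1, 4, 1], [2, 1, 0, 1, 5]])
IDENTITY = [[int(i == j) for j in range(5)] for i in range(5)]
```

With a field this large the randomized checks fail only with negligible probability; the protocol itself never reveals d, it carries the shared sequence forward into the Toeplitz matrix.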

Toeplitz to Matrix Product
• Compute traces of $T^1, \dots, T^n$, denoted $s_1, \dots, s_n$
• Then, use Leverrier's Lemma to compute char. polynomial of T
• Test if $c_1$ is 0?
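
Leverrier's lemma in the clear, as an added sketch (not the talk's protocol code): the power traces $s_k = \mathrm{tr}(T^k)$ feed Newton's identities to give the characteristic polynomial, and T is singular exactly when its constant coefficient is 0. The traces here come from naive matrix powers rather than from the Toeplitz structure; the prime P, the function names, the coefficient indexing and the sample matrices are assumptions of this sketch.

```python
P = 2**61 - 1  # assumed prime field; Leverrier divides by k <= n, so char(F) must exceed n

def matmul(A, B):
    return [[sum(a * b for a, b in zip(r, c)) % P for c in zip(*B)] for r in A]

def toeplitz(diags):
    """n x n Toeplitz matrix from its 2n-1 diagonal values: T[i][j] = diags[i - j + n - 1]."""
    n = (len(diags) + 1) // 2
    return [[diags[i - j + n - 1] % P for j in range(n)] for i in range(n)]

def power_traces(T):
    """s_1..s_n with s_k = trace(T^k)."""
    n, X, s = len(T), T, []
    for _ in range(n):
        s.append(sum(X[i][i] for i in range(n)) % P)
        X = matmul(X, T)
    return s

def leverrier(s):
    """c_1..c_n of det(xI - T) = x^n + c_1 x^(n-1) + ... + c_n, from the power traces.

    Newton's identity: s_k + c_1 s_(k-1) + ... + c_(k-1) s_1 + k c_k = 0.
    """
    c = []
    for k in range(1, len(s) + 1):
        acc = s[k - 1] + sum(c[j] * s[k - 2 - j] for j in range(k - 1))
        c.append(-acc * pow(k, -1, P) % P)
    return c

def is_singular(T):
    # The constant coefficient c_n equals (-1)^n det(T).
    return leverrier(power_traces(T))[-1] == 0

# Constructed samples: rows (3,2,1),(4,3,2),(5,4,3) have det 0; changing the
# last diagonal value to 6 gives det 1.
SINGULAR = toeplitz([1, 2, 3, 4, 5])
REGULAR = toeplitz([1, 2, 3, 4, 6])
```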

Toeplitz to Matrix Product
For any Toeplitz matrix T we have:
• Trace of X contains traces of powers of T
• where $u^t = (u_1, \dots, u_n)$ and $v^t = (v_1, \dots, v_n)$ are the first and last column of X

Toeplitz to Matrix Product
• $e_1 = (1, 0, \dots, 0)^t$, $e_n = (0, \dots, 0, 1)^t$
• $\{u_i = T^i e_1\}$, $\{v_i = T^i e_n\}$

Secure Computation of $\{M^i v\}_{1 < i < 2n}$
• [CKP07]: Secure computation of $\mathrm{POW}_d(M) = \{I, M, \dots, M^d\}$ reduced to $O(d)$ matrix products
• A baby step, giant step algorithm
• Given $O(n^2)$ comm. secure matrix product: $O(s)$ rounds, $O(s\,n^{2+1/s})$ comm.

Multiparty Matrix Product
• A and B, shared using a linear secret sharing scheme
• Parties compute shares of C = AB
• Implicit in existing works
  • [CDM00], using distributed homomorphic commitments
• Const. round protocol with $O(n^2)$ comm.
• Secure against malicious adversaries

Two-Party Matrix Product
Inputs: Bob holds $B_1, B_2$; Alice holds $A_1, A_2$
Outputs: $C$ and $(A_1 + B_1)(A_2 + B_2) + C$
• Bob sends $E_{Bob}(B_1)$, $E_{Bob}(B_2)$ to Alice
• Alice computes and sends to Bob $E_{Bob}((A_1 + B_1)(A_2 + B_2) + C)$
Only secure against semi-honest adversaries

Two-Party Matrix Product against Covert Adversaries
• Break each matrix into random additive shares
• Perform many matrix product protocols on shares
• Reveal all but one for verification
• Simulation-based security against covert adversaries

Open Questions
• Fully malicious adversaries?
  • With the same efficiency
• Sparse or structured matrices – how efficient can we get?