secure linear algebra
DESCRIPTION
Secure Linear Algebra against Covert or Unbounded Adversaries. Payman Mohassel (UC Davis) and Enav Weinreb (CWI). Solving Distributed Linear Constraints Privately.
TRANSCRIPT
Secure Linear Algebra against Covert or Unbounded Adversaries
Payman Mohassel (UC Davis) and Enav Weinreb (CWI)
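Solving Distributed Linear Constraints Privately
[Figure: four constraint sets $A_1 x = b_1$, $A_2 x = b_2$, $A_3 x = b_3$, $A_4 x = b_4$; output: $x$]
$$\begin{pmatrix} A_1 \\ A_2 \\ A_3 \\ A_4 \end{pmatrix} x = \begin{pmatrix} b_1 \\ b_2 \\ b_3 \\ b_4 \end{pmatrix}$$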
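Perfect Matching in Bipartite Graphs
• G = (E,V)
• $E = E_1 \cup E_2$
• $A_G$ = $A_{G_1}$ $A_{G_2}$
[Figure: edge sets $E_1$ and $E_2$; parties $P_1$ and $P_2$ with matrices $A_{G_1}$ and $A_{G_2}$]
• Det($A_{G_1}$ $A_{G_2}$) =? 0
• $A_G$ is the adjacency matrix of graph $G$, with variables replacing 1's
• Det is non-zero iff $G$ has a perfect matching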
Problem
• Secure linear algebra computation
  • Solving linear systems
  • Computing rank, determinant, …
Setting
• Shared $n \times n$ matrix/linear system
• Multiparty (honest majority): linear secret sharing
• Two-party: additive homomorphic encryption
Goal
• Improve round and communication efficiency
• Defend against stronger adversaries
Current Status
Multiparty
• [CKP07]: Const. round, $O(m^4 + n^2 m)$ comm. for $m \times n$ systems
  • Worst case: $O(n^4)$ comm.
  • Malicious adversaries (honest majority)
• [NW06]: $O(n^{0.27})$ rounds, $O(n^2)$ comm.
  • Semi-honest adversaries
Two-party
• [KMWF07]: $O(\log n)$ rounds, $O(n^2 \log n)$ comm.
  • Semi-honest adversaries
• Yao's: $O(1)$ rounds, $O(n^{2.38})$ comm.
Our Protocols
Efficiency
• For every constant $s$: $O(s)$ rounds, $O(s n^{2+1/s})$ communication
• Sublinear comm. in circuit complexity
Security
• Multiparty: malicious adversary (honest majority)
• Two-party: covert adversaries
Approach
1. Reduce linear algebra problems to matrix singularity
2. Reduce general singularity to Toeplitz singularity
3. Reduce Toeplitz singularity to matrix product
4. Design a secure matrix product protocol
Reductions need to be secure and efficient
From Linear Algebra to Singularity
• Problems such as
  • Solving a linear system of equations
  • Computing the determinant
  • Computing the rank
• Reduced to matrix singularity: Det([A]) =? 0
• Round and communication preserving
General to Toeplitz
Theorem: For every positive integer $s$, there exists an $O(s)$-round, $O(s n^{2+1/s})$-communication protocol that securely transforms shares of a general matrix $M$ into shares of a Toeplitz matrix $T$, s.t. with high probability, $M$ is singular iff $T$ is.
[Figure: $M \to T$ in $O(s)$ rounds, $O(s n^{2+1/s})$ comm.; $M$ is singular iff $T$ is]
Minimal Polynomials
• All values are over a large finite field $F$
• Minimal polynomial of a matrix $A$ ($m_A$)
  • Smallest-degree polynomial $f = (f_0, \dots, f_d)$ with $f_0 I + f_1 A + \dots + f_d A^d = 0$
• Linearly recurrent sequence $\{a_i\}_{0 \le i \le N}$
  • Minimal polynomial $f$ with $f_0 a_j + f_1 a_{j+1} + \dots + f_d a_{j+d} = 0$
General to Toeplitz
• Generate random matrices $V$, $W$ over $F$ and compute $M' = VMW$
  • Lemma ([KS91]): W.h.p., upper-left $i \times i$ submatrices of $M'$ are invertible (for $i \le$ Rank($M$))
• Generate random diagonal matrix $D$, and compute $M'' = DM'$
  • Lemma ([KS91]): W.h.p., rank($M'$) = deg($m_{M''}$) - 1
• Compute sequence $\{\alpha_i = u^t (M'')^i v\}_{1 \le i \le 2n}$ for random vectors $u$, $v$
  • Lemma ([Wei86]): W.h.p., minimal polynomial of $\alpha_i$ is equal to $m_{M''}$
General to Toeplitz
• Lemma ([KP91]): Det($T_d$) ≠ 0, and for all d < , and Det(T ) = 0
• Where $d$ = degree of minimal polynomial of $\alpha_i$
• $T_n$ singular iff $M$ is
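The reduction on the preceding slides, run in the clear on an unshared matrix, as an added example that is not from the talk: it preconditions M into M'' = DVMW, forms the sequence α_i, and reads singularity and rank off Toeplitz determinants. The prime P, the Toeplitz layout (entry (i, j) = α_{d+i-j}) and all function names are assumptions of this example; no secret sharing is involved.

```python
import random

P = 2**61 - 1  # prime modulus standing in for the large field F (assumption)

def matmul(A, B):
    return [[sum(a * b for a, b in zip(r, c)) % P for c in zip(*B)] for r in A]

def det(A):
    """Determinant over GF(P) by Gaussian elimination."""
    A, d = [row[:] for row in A], 1
    for c in range(len(A)):
        piv = next((r for r in range(c, len(A)) if A[r][c]), None)
        if piv is None:
            return 0
        if piv != c:
            A[c], A[piv], d = A[piv], A[c], -d
        d = d * A[c][c] % P
        inv = pow(A[c][c], -1, P)
        for r in range(c + 1, len(A)):
            f = A[r][c] * inv % P
            A[r] = [(x - f * y) % P for x, y in zip(A[r], A[c])]
    return d

def krylov_sequence(M, seed):
    """alpha_1..alpha_2n with alpha_i = u^t (M'')^i v and M'' = D V M W."""
    rng, n = random.Random(seed), len(M)
    V = [[rng.randrange(P) for _ in range(n)] for _ in range(n)]
    W = [[rng.randrange(P) for _ in range(n)] for _ in range(n)]
    D = [[rng.randrange(1, P) if i == j else 0 for j in range(n)] for i in range(n)]
    M2 = matmul(D, matmul(V, matmul(M, W)))
    u = [rng.randrange(P) for _ in range(n)]
    x = [[rng.randrange(P)] for _ in range(n)]  # column vector v
    alpha = []
    for _ in range(2 * n):
        x = matmul(M2, x)  # x = (M'')^i v
        alpha.append(sum(ui * xi[0] for ui, xi in zip(u, x)) % P)
    return alpha  # alpha[k] is alpha_{k+1}

def toeplitz_det(alpha, d):
    """Det of the d x d Toeplitz matrix with entry (i, j) = alpha_{d+i-j}."""
    return det([[alpha[d + i - j - 1] for j in range(d)] for i in range(d)])

def is_singular(M, seed=1):
    return toeplitz_det(krylov_sequence(M, seed), len(M)) == 0

def rank(M, seed=1):
    alpha = krylov_sequence(M, seed)
    return max((d for d in range(1, len(M) + 1) if toeplitz_det(alpha, d)), default=0)
```

A singular M always yields a singular T_n, because M'' is a factor of it; a non-singular M yields a non-singular T_n except with probability on the order of n²/P over the random choices.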
Toeplitz to Matrix Product
• Compute traces of $T^1, \dots, T^n$, denoted $s_1, \dots, s_n$
• Then, use Leverrier's Lemma to compute char. polynomial of $T$
• Test if $c_1$ is 0?
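Leverrier's step, computed in the clear over a prime field, as an added example that is not from the talk: traces of powers go through Newton's identities to the characteristic polynomial, whose constant term is zero exactly when T is singular. The modulus P, the coefficient indexing (c[k] multiplies λ^(n-k), so the constant term is c[n]) and the function names are assumptions of this example; the division by k requires field characteristic greater than n.

```python
P = 2**61 - 1  # prime modulus standing in for the field F (assumption); must exceed n

def matmul(A, B):
    return [[sum(a * b for a, b in zip(r, c)) % P for c in zip(*B)] for r in A]

def power_traces(T):
    """s_k = trace(T^k) for k = 1..n."""
    X, s = T, []
    for _ in range(len(T)):
        s.append(sum(X[i][i] for i in range(len(T))) % P)
        X = matmul(X, T)
    return s

def char_poly_from_traces(s):
    """Newton identities: k*c_k = -(s_k + c_1*s_{k-1} + ... + c_{k-1}*s_1).

    Returns [c_0 = 1, c_1, ..., c_n] where det(lambda*I - T) is the sum of
    c_k * lambda^(n-k), so c_n = (-1)^n * det(T).
    """
    c = [1]
    for k in range(1, len(s) + 1):
        acc = sum(c[j] * s[k - j - 1] for j in range(k)) % P
        c.append(-acc * pow(k, -1, P) % P)  # divide by k in GF(P)
    return c

def is_singular(T):
    return char_poly_from_traces(power_traces(T))[-1] == 0

# Constructed sample inputs: two 3x3 Toeplitz matrices.
T_SINGULAR = [[2, 1, 0], [4, 2, 1], [8, 4, 2]]   # det = 0
T_REGULAR = [[1, 2, 3], [2, 1, 2], [3, 2, 1]]    # det = 8
```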
Toeplitz to Matrix Product
For any Toeplitz matrix $T$ we have:
Where $u^t = (u_1, \dots, u_n)$ and $v^t = (v_1, \dots, v_n)$ are first and last column of $X$
Trace of $X$ contains traces of powers of $T$
Toeplitz to Matrix Product
• $e_1 = (1, 0, \dots, 0)^t$, $e_n = (0, \dots, 0, 1)^t$
• $\{u_i = T^i e_1\}$, $\{v_i = T^i e_n\}$
Secure Computation of $\{M^i v\}_{1<i<2n}$
• [CKP07]: Secure computation of $POW_d(M) = \{I, M, \dots, M^d\}$ reduced to $O(d)$ matrix product
• A baby step, giant step algorithm
• Given $O(n^2)$ comm. secure matrix product: $O(s)$ rounds, $O(s n^{2+1/s})$ comm.
Multiparty Matrix Product
• $A$ and $B$, shared using a linear secret sharing scheme
• Parties compute shares of $C = AB$
• Implicit in existing works [CDM00], using distributed homomorphic commitments
• Const. round protocol with $O(n^2)$ comm.
• Secure against malicious adversaries
Two-Party Matrix Product
[Figure: Inputs: Alice holds $A_1, A_2$; Bob holds $B_1, B_2$. Outputs: $(A_1+B_1)(A_2+B_2)+C$ and $C$]
• Bob sends $E_{Bob}(B_1)$, $E_{Bob}(B_2)$ to Alice
• Alice computes and sends to Bob $E_{Bob}((A_1+B_1)(A_2+B_2)+C)$
• Only secure against semi-honest adversaries
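The semi-honest exchange above with both sides' messages, as an added example that is not the authors' code: a toy Paillier scheme (constructed, insecurely small key) plays the additive homomorphic encryption, Alice folds the cross terms and her mask C into the ciphertexts, and Bob adds B1·B2 locally after decrypting. That local step, the key parameters and all function names are assumptions of this example.

```python
import secrets

# Toy Paillier key held by Bob (constructed, far too small for real use).
PRIME_P, PRIME_Q = 2**31 - 1, 2**61 - 1
N = PRIME_P * PRIME_Q
N2 = N * N
PHI = (PRIME_P - 1) * (PRIME_Q - 1)
MU = pow(PHI, -1, N)

def enc(m):
    r = secrets.randbelow(N - 1) + 1
    return (1 + (m % N) * N) * pow(r, N, N2) % N2

def dec(c):
    return (pow(c, PHI, N2) - 1) // N * MU % N

def matmul(A, B):
    return [[sum(a * b for a, b in zip(r, c)) % N for c in zip(*B)] for r in A]

def alice_step(A1, A2, EB1, EB2):
    """Alice: from E(B1), E(B2) build E(A1*A2 + A1*B2 + B1*A2 + C) entrywise."""
    n = len(A1)
    C = [[secrets.randbelow(N) for _ in range(n)] for _ in range(n)]  # random mask
    A1A2 = matmul(A1, A2)
    out = [[0] * n for _ in range(n)]
    for i in range(n):
        for j in range(n):
            ct = enc(A1A2[i][j] + C[i][j])
            for k in range(n):
                # E(x)^a = E(a*x); multiplying ciphertexts adds plaintexts.
                ct = ct * pow(EB2[k][j], A1[i][k], N2) % N2  # + A1[i][k]*B2[k][j]
                ct = ct * pow(EB1[i][k], A2[k][j], N2) % N2  # + B1[i][k]*A2[k][j]
            out[i][j] = ct
    return out, C

def bob_finish(cts, B1, B2):
    """Bob: decrypt and add his local term B1*B2 (assumption of this example)."""
    B1B2 = matmul(B1, B2)
    return [[(dec(c) + b) % N for c, b in zip(rc, rb)] for rc, rb in zip(cts, B1B2)]

def two_party_product(A1, A2, B1, B2):
    EB1 = [[enc(x) for x in row] for row in B1]  # Bob -> Alice
    EB2 = [[enc(x) for x in row] for row in B2]
    cts, C = alice_step(A1, A2, EB1, EB2)        # Alice -> Bob
    return bob_finish(cts, B1, B2), C            # Bob's output, Alice's output
```

Bob's output minus Alice's C, taken mod N, equals (A1+B1)(A2+B2); neither output alone reveals the product.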
Two-Party Matrix Product against Covert Adversaries
• Break each matrix into random additive shares
• Perform many matrix product protocols on shares
• Reveal all but one for verification
• Simulation-based security against covert adversaries
Open Questions
• Fully malicious adversaries? With the same efficiency
• Sparse or structured matrices – how efficient can we get?