Secure Linear Algebra against Covert or Unbounded Adversaries Payman Mohassel and Enav Weinreb UC Davis CWI.

Secure Linear Algebra against Covert or Unbounded Adversaries
Payman Mohassel (UC Davis) and Enav Weinreb (CWI)

Solving Distributed Linear Constraints Privately
Four parties each hold one block of a linear system: A_1 x = b_1, A_2 x = b_2, A_3 x = b_3, A_4 x = b_4
Output: x satisfying the stacked system [A_1; A_2; A_3; A_4] x = [b_1; b_2; b_3; b_4]

Perfect Matching in Bipartite Graphs
G = (E, V) with E = E_1 ∪ E_2; party P_1 holds E_1, party P_2 holds E_2
A_G is the adjacency matrix of G, with variables replacing the 1's; A_G = A_{G_1} + A_{G_2}
Det(A_{G_1} + A_{G_2}) =? 0
Det is non-zero iff G has a perfect matching

Problem
Secure linear algebra computation: solving linear systems; computing rank, determinant, ...
Setting: a shared n x n matrix / linear system
  Multiparty (honest majority): linear secret sharing
  Two-party: additive homomorphic encryption
Goal: improve round and communication efficiency; defend against stronger adversaries

Current Status
Multiparty
  [CKP07]: constant rounds, O(m^4 + n^2 m) communication for m x n systems (worst case O(n^4) communication); malicious adversaries (honest majority)
  [NW06]: O(n^0.27) rounds, O(n^2) communication; semi-honest adversaries
Two-party
  [KMWF07]: O(log n) rounds, O(n^2 log n) communication; semi-honest adversaries
  Yao's protocol: O(1) rounds, O(n^2.38) communication

Our Protocols
Efficiency: for every constant s, O(s) rounds and O(s·n^(2+1/s)) communication; sublinear communication in the circuit complexity
Security: multiparty, malicious adversary (honest majority); two-party, covert adversaries

Approach
1. Reduce linear algebra problems to matrix singularity
2. Reduce general singularity to Toeplitz singularity
3. Reduce Toeplitz singularity to matrix product
4. Design a secure matrix product protocol
Reductions need to be secure and efficient

From Linear Algebra to Singularity
Problems such as solving a linear system of equations, computing the determinant, and computing the rank are reduced to matrix singularity: Det([A]) =? 0
The reduction is round- and communication-preserving

Approach
1. Reduce linear algebra problems to matrix singularity
2. Reduce general singularity to Toeplitz singularity
3. Reduce Toeplitz singularity to matrix product
4. Design a secure matrix product protocol

General to Toeplitz
Theorem: for every positive integer s, there exists an O(s)-round, O(s·n^(2+1/s))-communication protocol that securely transforms shares of a general matrix M into shares of a Toeplitz matrix T such that, with high probability, M is singular iff T is.
M -> T: O(s) rounds, O(s·n^(2+1/s)) comm.; M is singular iff T is

Minimal Polynomials
All values are over a large finite field F
Minimal polynomial of a matrix A, m_A: the smallest-degree polynomial f = (f_0, ..., f_d) with f_0 I + f_1 A + ... + f_d A^d = 0
Linearly recurrent sequence {a_i}, 0 ≤ i ≤ N, with minimal polynomial f: f_0 a_j + f_1 a_{j+1} + ... + f_d a_{j+d} = 0

General to Toeplitz
Generate random matrices V, W over F and compute M' = VMW
  Lemma ([KS91]): w.h.p., the upper-left i x i submatrices of M' are invertible (for i ≤ Rank(M))
Generate a random diagonal matrix D and compute M'' = DM'
  Lemma ([KS91]): w.h.p., rank(M') = deg(m_{M''}) - 1
Compute the sequence {a_i = u^t (M'')^i v}, 1 ≤ i ≤ 2n, for random vectors u, v
  Lemma ([Wei86]): w.h.p., the minimal polynomial of {a_i} equals m_{M''}

General to Toeplitz
Lemma ([KP91]): Det(T_d) ≠ 0, and Det(T_i) = 0 for all i > d, where d = degree of the minimal polynomial of {a_i}
T_n is singular iff M is

Approach
1. Reduce linear algebra problems to matrix singularity
2. Reduce general singularity to Toeplitz singularity
3. Reduce Toeplitz singularity to matrix product
4. Design a secure matrix product protocol

Toeplitz to Matrix Product
Compute the traces of T^1, ..., T^n, denoted s_1, ..., s_n
Then use Leverrier's Lemma to compute the characteristic polynomial of T from s_1, ..., s_n
Test whether c_1 is 0

Toeplitz to Matrix Product
For any Toeplitz matrix T we have:
where u^t = (u_1, ..., u_n) and v^t = (v_1, ..., v_n) are the first and last columns of X
The trace of X contains the traces of the powers of T

Toeplitz to Matrix Product
e_1 = (1, 0, ..., 0)^t, e_n = (0, ..., 0, 1)^t
{u_i = T^i e_1}, {v_i = T^i e_n}
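The Toeplitz-to-singularity step above, written out in the clear as an added example (not code from the slides or the authors): it takes the power traces s_k = tr(T^k), recovers the coefficients of the characteristic polynomial with Newton's identities (Leverrier's lemma), and reads off det(T) as the last coefficient. The prime field, the sample Toeplitz matrices, and the matmul / det_gauss helpers are constructed here; in the protocol the powers T^k would come from the secure matrix product rather than from local multiplication.

```python
# Prime field for the example (constructed; the slides only say "a large finite field F").
PRIME = 2**31 - 1

def toeplitz(first_col, first_row):
    """n x n Toeplitz matrix: entry (i, j) is first_col[i-j] if i >= j else first_row[j-i]."""
    n = len(first_col)
    return [[first_col[i - j] if i >= j else first_row[j - i] for j in range(n)] for i in range(n)]

def matmul(A, B):
    return [[sum(a * b for a, b in zip(row, col)) % PRIME for col in zip(*B)] for row in A]

def trace(M):
    return sum(M[i][i] for i in range(len(M))) % PRIME

def power_traces(T):
    """s_k = tr(T^k) for k = 1..n. In the protocol T^k comes from secure matrix products; here in the clear."""
    n, s, Tk = len(T), [], T
    for k in range(1, n + 1):
        s.append(trace(Tk))
        if k < n:
            Tk = matmul(Tk, T)
    return s

def char_poly_from_traces(s):
    """Newton's identities (Leverrier): e_0 = 1, k*e_k = sum_{i=1..k} (-1)^(i-1) e_{k-i} s_i.
    Returns [e_0, ..., e_n]; det(xI - T) = sum_k (-1)^k e_k x^(n-k), so det(T) = e_n.
    Dividing by k needs char(F) > n, which a large field provides."""
    n, e = len(s), [1]
    for k in range(1, n + 1):
        acc = sum((-1) ** (i - 1) * e[k - i] * s[i - 1] for i in range(1, k + 1))
        e.append(acc % PRIME * pow(k, -1, PRIME) % PRIME)
    return e

def det_gauss(M):
    """Determinant by Gaussian elimination mod PRIME, used only to cross-check the trace method."""
    M, n, det = [row[:] for row in M], len(M), 1
    for c in range(n):
        piv = next((r for r in range(c, n) if M[r][c] % PRIME), None)
        if piv is None:
            return 0
        if piv != c:
            M[c], M[piv], det = M[piv], M[c], -det
        det, inv = det * M[c][c] % PRIME, pow(M[c][c], -1, PRIME)
        for r in range(c + 1, n):
            f = M[r][c] * inv % PRIME
            M[r] = [(a - f * b) % PRIME for a, b in zip(M[r], M[c])]
    return det % PRIME

def is_singular_via_traces(T):  # the test of the reduction: T singular iff e_n = det(T) = 0
    return char_poly_from_traces(power_traces(T))[-1] == 0
```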

Secure Computation of {M^i v}, 1 < i < 2n
[CKP07]: secure computation of POW_d(M) = {I, M, ..., M^d} reduces to O(d) matrix products
A baby-step, giant-step algorithm
Given a secure matrix product with O(n^2) comm.: O(s) rounds, O(s·n^(2+1/s)) comm.

Approach
1. Reduce linear algebra problems to matrix singularity
2. Reduce general singularity to Toeplitz singularity
3. Reduce Toeplitz singularity to matrix product
4. Design a secure matrix product protocol

Multiparty Matrix Product
A and B shared using a linear secret sharing scheme; parties compute shares of C = AB
Implicit in existing works [CDM00], using distributed homomorphic commitments
Constant-round protocol with O(n^2) comm.
Secure against malicious adversaries

Two-Party Matrix Product
Inputs: Alice holds A_1, A_2; Bob holds B_1, B_2
Outputs: Alice gets C; Bob gets (A_1 + B_1)(A_2 + B_2) + C
  Bob sends E_Bob(B_1), E_Bob(B_2) to Alice
  Alice computes and sends to Bob E_Bob((A_1 + B_1)(A_2 + B_2) + C)
Only secure against semi-honest adversaries
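The semi-honest two-party product above, as an added example (not the authors' code), with a toy Paillier instance standing in for E_Bob and matrices over Bob's plaintext ring Z_N. Two details are my assumptions rather than the slide's: Alice outputs -C so that the two outputs are additive shares of the product, and Bob adds B_1 B_2 himself after decrypting, because with only additive homomorphism Alice can apply her plaintext A_1, A_2 to the encrypted B_1, B_2 but cannot multiply two ciphertexts.

```python
import random
from functools import reduce
from math import gcd

# Toy Paillier standing in for E_Bob: constructed tiny primes, far too small for real use.
P, Q = 1000003, 1000033
N, N2 = P * Q, (P * Q) ** 2
LAM = (P - 1) * (Q - 1) // gcd(P - 1, Q - 1)        # lcm(P-1, Q-1)
MU = pow(LAM, -1, N)

def enc(m):                                         # Bob's public key, g = 1 + N
    r = random.randrange(2, N)
    while gcd(r, N) != 1:
        r = random.randrange(2, N)
    return (1 + (m % N) * N) * pow(r, N, N2) % N2

def dec(c):                                         # Bob's private key
    return (pow(c, LAM, N2) - 1) // N * MU % N

def hadd(c1, c2): return c1 * c2 % N2               # E(a) * E(b) = E(a + b)
def hsmul(c, k):  return pow(c, k % N, N2)          # E(a)^k = E(k * a), k in the clear

def tr(M):        return [list(r) for r in zip(*M)]
def matmul(A, B): return [[sum(a * b for a, b in zip(r, c)) % N for c in zip(*B)] for r in A]
def matadd(A, B): return [[(a + b) % N for a, b in zip(ra, rb)] for ra, rb in zip(A, B)]
def rand_mat(n):  return [[random.randrange(N) for _ in range(n)] for _ in range(n)]
def enc_mat(M):   return [[enc(x) for x in row] for row in M]
def hmatadd(EA, EB): return [[hadd(a, b) for a, b in zip(ra, rb)] for ra, rb in zip(EA, EB)]

def hmatmul(EM, B):
    """E(M) * B for plaintext B: each entry is a linear combination of ciphertexts, so no decryption is needed."""
    n = len(B)
    return [[reduce(hadd, [hsmul(EM[i][k], B[k][j]) for k in range(n)]) for j in range(n)] for i in range(n)]

def two_party_product(A1, A2, B1, B2):
    """Alice holds A1, A2; Bob holds B1, B2. Returns (Alice's share, Bob's share) of (A1+B1)(A2+B2)."""
    EB1, EB2 = enc_mat(B1), enc_mat(B2)             # message 1: Bob -> Alice
    C = rand_mat(len(A1))                           # Alice's random mask
    # Alice: E(A1*A2 + C) (+) E(B1)*A2 (+) A1*E(B2), where A1*E(B2) is formed as (E(B2)^T * A1^T)^T
    E_out = hmatadd(enc_mat(matadd(matmul(A1, A2), C)), hmatmul(EB1, A2))
    E_out = hmatadd(E_out, tr(hmatmul(tr(EB2), tr(A1))))   # message 2: Alice -> Bob
    # Bob: decrypt and add B1*B2 locally (assumption: Alice cannot form this term from E(B1), E(B2) alone)
    bob = matadd([[dec(c) for c in row] for row in E_out], matmul(B1, B2))
    alice = [[(-x) % N for x in row] for row in C]  # assumption: Alice's share is -C, so the shares sum to the product
    return alice, bob
```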

Two-Party Matrix Product against Covert Adversaries
Break each matrix into random additive shares
Perform many matrix product protocols on the shares
Reveal all but one for verification
Simulation-based security against covert adversaries

Open Questions
Fully malicious adversaries, with the same efficiency?
Sparse or structured matrices: how efficient can we get?