Presentation is loading. Please wait.

Presentation is loading. Please wait.

Secure Linear Algebra against Covert or Unbounded Adversaries Payman Mohassel and Enav Weinreb UC Davis CWI.

Published byKelsi Roll Modified over 10 years ago

Similar presentations

Presentation on theme: "Secure Linear Algebra against Covert or Unbounded Adversaries Payman Mohassel and Enav Weinreb UC Davis CWI."— Presentation transcript:

1 Secure Linear Algebra against Covert or Unbounded Adversaries Payman Mohassel and Enav Weinreb UC Davis CWI

2 Solving Distributed Linear Constraints Privately A 1 x = b 1 A 4 x = b 4 A 3 x = b 3 A 2 x = b 2 output = A1A2A3A4A1A2A3A4 x b1b2b3b4b1b2b3b4

3 Perfect Matching in Bipartite Graphs E1E1 E2E2 G = (E,V) E = E 1 U E 2 A G = A G 1 A G 2 P1P1 P2P2 AG1AG1 AG2AG2 Det(A G 1 A G 2 ) =? 0 A G is the adjacency matrix of graph G With variables replacing 1’s Det is non-zero, iff G has a perfect matching

4 Problem Secure linear algebra computation Solving linear systems Computing rank, determinant, … Setting Shared n X n matrix/linear system Multiparty (honest majority) Linear secret sharing Two-party Additive homomorphic encryption Goal Improve round and communication efficiency Defend against stronger adversaries

5 Current Status Multiparty [CKP07] Const. round, O(m 4 + n 2 m) comm. for m x n systems Worst case: O(n 4 ) comm. Malicious adversaries (honest majority) [NW06] O(n 0.27 ) rounds, O(n 2 ) comm. Semi-honest adversaries Two-party [KMWF07] O(logn) rounds, O(n 2 logn) comm. Semi-honest adversaries Yao’s O(1) rounds, O(n 2.38 ) comm.

6 Our Protocols Efficiency For every constant s O(s) rounds, O(sn 2+1/s ) communication Sublinear comm. in circuit complexity Security Multiparty: malicious adversary (honest majority) Two-party: covert adversaries

7 Approach 1. Reduce linear algebra problems to matrix singularity 2. Reduce general singularity to Toeplitz singularity 3. Reduce Toeplitz singularity to matrix product 4. Design a secure matrix product protocol Reductions need to be secure and efficient

8 From Linear Algebra to Singularity Problems such as Solving a linear system of equations Computing the determinant Computing the Rank Reduced to Matrix Singularity Det([A]) =? 0 Round and communication preserving

9 Approach 1. Reduce linear algebra problems to matrix singularity 2. Reduce general singularity to Toeplitz singularity 3. Reduce Toeplitz singularity to matrix product 4. Design a secure matrix product protocol

10 General to Toeplitz Theorem: For every positive integer s, there exist a O(s) round and O(sn 2+1/s ) communication protocol that securely transforms shares of a general matrix M to shares of a Toeplitz matrix T, s.t. with high probability, M is singular iff T is. MT O(s) rounds, O(sn 2+1/s ) comm M is singular iff T is

11 Minimal Polynomials All values are over a large finite field F Minimal polynomial of a matrix A (m A ) Smallest degree polynomial f = (f 0,…,f d ) f 0 I +f 1 A + … + f d A d = 0 Linearly recurrent sequence {a i } 0≤ i ≤N Minimal polynomial f f 0 a j +f 1 a j+1 + … + f d a j+d = 0

12 General to Toeplitz Generate random matrices V, W over F and compute M’=VMW Lemma ([KS91]): W.h.p., upper-left i x i submatrices of M’ are invertible (for i ≤ Rank(M)) Generate random diagonal matrix D, and compute M’’ = DM’ Lemma ([KS91]): W.h.p., rank(M’) = deg(m M’’ ) - 1 Compute sequence { ɑ i = u t (M’’) i v} 1≤ i ≤2n for random vectors u, v Lemma ([Wei86]): W.h.p., minimal polynomial of α i is equal to m M’’

13 General to Toeplitz Det(T d ) ≠ 0, and for all d <, and Det(T ) = 0Lemma ([KP91]): Where, d = degree of minimal polynomial of ɑ i T n singular iff M is

14 General to Toeplitz Generate random matrices V, W over F and compute M’=VMW Lemma ([KS91]): W.h.p., upper-left i x i submatrices of M’ are invertible (for i ≤ Rank(M)) Generate random diagonal matrix D, and compute M’’ = DM’ Lemma ([KS91]): W.h.p., rank(M’) = deg(m M’’ ) - 1 Compute sequence { ɑ i = u t (M’’) i v} 1≤ i ≤2n for random vectors u, v Lemma ([Wei86]): W.h.p., minimal polynomial of α i is equal to m M’’

15 Approach 1. Reduce linear algebra problems to matrix singularity 2. Reduce general singularity to Toeplitz singularity 3. Reduce Toeplitz singularity to matrix product 4. Design a secure matrix product protocol

16 Toeplitz to Matrix Product Compute traces of T 1, …,T n denoted, s 1, …, s n Then, use Leverrier’s Lemma to compute char. polynomial of T Test if c 1 is 0?

17 Toeplitz to Matrix Product For any Toeplitz matrix T we have: Where u t =(u 1,…,u n ) and v t =(v 1,…,v n ) are first and last column of X Trace of X contains traces of powers of T

18 Toeplitz to Matrix Product  e 1 =(1,0,…,0) t, e n = (0,…,0,1) t  {u i = T i e 1 }, {v i =T i e n }

19 Secure Computation of {M i v} {1<i<2n} [CKP07]: Secure computation of POW d (M) = {I,M,…,M d } reduced to O(d) matrix product A baby step, giant step algorithm Given O(n 2 ) comm. secure matrix product: O(s) rounds, O(sn 2+1/s ) comm.

20 Approach 1. Reduce linear algebra problems to matrix singularity 2. Reduce general singularity to Toeplitz singularity 3. Reduce Toeplitz singularity to matrix product 4. Design a secure matrix product protocol

21 Multiparty Matrix Product A and B, shared using a linear secret sharing scheme Parties compute shares of C=AB Implicit in existing works [CDM00], using a distributed homomorphic commitments Const. round protocol with O(n 2 ) comm. Secure against malicious adversaries

22 Two-Party Matrix Product A 1, A 2 Alice Bob B 1, B 2 (A 1 +B 1 )(A 2 +B 2 )+C Inputs Outputs  Bob sends E Bob (B 1 ), E Bob (B 2 ) to Alice  Alice computes and sends to Bob E Bob ((A 1 +B 1 )(A 2 +B 2 )+C) Only secure against semi-honest adversaries C

23 Two-Party Matrix Product against Covert Adversaries Break each matrix into random additive shares Perform many matrix product protocols on shares Reveal all but one for verification Simulation-based security against covert adversaries

24 Open Questions Fully malicious adversaries? With the same efficiency Sparse or structured matrices – how efficient can we get?

Download ppt "Secure Linear Algebra against Covert or Unbounded Adversaries Payman Mohassel and Enav Weinreb UC Davis CWI."

Similar presentations

Polylogarithmic Private Approximations and Efficient Matching

Polylogarithmic Private Approximations and Efficient Matching
Constant-Round Private Database Queries Nenad Dedic and Payman Mohassel Boston UniversityUC Davis.

Constant-Round Private Database Queries Nenad Dedic and Payman Mohassel Boston UniversityUC Davis.
Provable Unlinkability Against Traffic Analysis Ron Berman Joint work with Amos Fiat and Amnon Ta-Shma School of Computer Science, Tel-Aviv University.

Provable Unlinkability Against Traffic Analysis Ron Berman Joint work with Amos Fiat and Amnon Ta-Shma School of Computer Science, Tel-Aviv University.
Hard Instances of the Constrained Discrete Logarithm Problem Ilya MironovMicrosoft Research Anton MityaginUCSD Kobbi NissimBen Gurion University Speaker:

Hard Instances of the Constrained Discrete Logarithm Problem Ilya MironovMicrosoft Research Anton MityaginUCSD Kobbi NissimBen Gurion University Speaker:
Dov Gordon & Jonathan Katz University of Maryland.

Dov Gordon & Jonathan Katz University of Maryland.
Aim: How do we find the zeros of polynomial functions?

Aim: How do we find the zeros of polynomial functions?
Efficient Private Approximation Protocols Piotr Indyk David Woodruff Work in progress.

Efficient Private Approximation Protocols Piotr Indyk David Woodruff Work in progress.
Notes 6.6 Fundamental Theorem of Algebra

Notes 6.6 Fundamental Theorem of Algebra
Short Pairing-based Non-interactive Zero-Knowledge Arguments Jens Groth University College London TexPoint fonts used in EMF. Read the TexPoint manual.

Short Pairing-based Non-interactive Zero-Knowledge Arguments Jens Groth University College London TexPoint fonts used in EMF. Read the TexPoint manual.
Sublinear Algorithms 1 3 2 … Lecture 23: April 20.

Sublinear Algorithms … Lecture 23: April 20.
Efficiency vs. Assumptions in Secure Computation Yuval Ishai Technion & UCLA.

Efficiency vs. Assumptions in Secure Computation Yuval Ishai Technion & UCLA.
Direct Product : Decoding & Testing, with Applications Russell Impagliazzo (IAS & UCSD) Ragesh Jaiswal (Columbia) Valentine Kabanets (SFU) Avi Wigderson.

Direct Product : Decoding & Testing, with Applications Russell Impagliazzo (IAS & UCSD) Ragesh Jaiswal (Columbia) Valentine Kabanets (SFU) Avi Wigderson.
Binomial Forms Expansion of Binomial Expressions.

Binomial Forms Expansion of Binomial Expressions.
Graphs, representation, isomorphism, connectivity

Graphs, representation, isomorphism, connectivity
Abbas Edalat Imperial College London www.doc.ic.ac.uk/~ae Contains joint work with Andre Lieutier (AL) and joint work with Marko Krznaric (MK) Data Types.

Abbas Edalat Imperial College London Contains joint work with Andre Lieutier (AL) and joint work with Marko Krznaric (MK) Data Types.
On the Amortized Complexity of Zero-Knowledge Proofs Ronald Cramer, CWI Ivan Damgård, Århus University.

On the Amortized Complexity of Zero-Knowledge Proofs Ronald Cramer, CWI Ivan Damgård, Århus University.
Two parallel lines intersected by another line   A B 1 1 2 2 3 3 4 4 1. Corresponding angles (sehadap) Corresponding angles are congruent  A1 =  B1.

Two parallel lines intersected by another line   A B Corresponding angles (sehadap) Corresponding angles are congruent  A1 =  B1.
CS 395/495-26: Spring 2004 IBMR: Singular Value Decomposition (SVD Review) Jack Tumblin

CS 395/495-26: Spring 2004 IBMR: Singular Value Decomposition (SVD Review) Jack Tumblin
Secure Computation of Linear Algebraic Functions

Secure Computation of Linear Algebraic Functions
Blackbox Reductions from Mechanisms to Algorithms.

Blackbox Reductions from Mechanisms to Algorithms.

Similar presentations

Ads by Google