Secure Linear Algebra against Covert or Unbounded Adversaries Payman Mohassel and Enav Weinreb UC Davis CWI.

1 Secure Linear Algebra against Covert or Unbounded Adversaries Payman Mohassel and Enav Weinreb UC Davis CWI

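2 Solving Distributed Linear Constraints Privately
- Each party $i$ holds its own constraints: $A_1 x = b_1$, $A_2 x = b_2$, $A_3 x = b_3$, $A_4 x = b_4$
- Output: $\begin{pmatrix} A_1 \\ A_2 \\ A_3 \\ A_4 \end{pmatrix} x = \begin{pmatrix} b_1 \\ b_2 \\ b_3 \\ b_4 \end{pmatrix}$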

3 Perfect Matching in Bipartite Graphs
- $G = (E, V)$, $E = E_1 \cup E_2$
- [Figure labels: $P_1$, $P_2$, $E_1$, $E_2$, $A_{G_1}$, $A_{G_2}$]
- A G = A G 1 A G 2
- Det(A G 1 A G 2 ) =? 0
- $A_G$ is the adjacency matrix of graph $G$, with variables replacing 1's
- Det is non-zero iff $G$ has a perfect matching

4 Problem
- Secure linear algebra computation
  - Solving linear systems
  - Computing rank, determinant, …
- Setting: shared $n \times n$ matrix/linear system
  - Multiparty (honest majority): linear secret sharing
  - Two-party: additive homomorphic encryption
- Goal
  - Improve round and communication efficiency
  - Defend against stronger adversaries

5 Current Status
- Multiparty
  - [CKP07]: const. round, $O(m^4 + n^2 m)$ comm. for $m \times n$ systems; worst case $O(n^4)$ comm.; malicious adversaries (honest majority)
  - [NW06]: $O(n^{0.27})$ rounds, $O(n^2)$ comm.; semi-honest adversaries
- Two-party
  - [KMWF07]: $O(\log n)$ rounds, $O(n^2 \log n)$ comm.; semi-honest adversaries
  - Yao's: $O(1)$ rounds, $O(n^{2.38})$ comm.

6 Our Protocols
- Efficiency
  - For every constant $s$: $O(s)$ rounds, $O(s n^{2+1/s})$ communication
  - Sublinear comm. in circuit complexity
- Security
  - Multiparty: malicious adversary (honest majority)
  - Two-party: covert adversaries

7 Approach
1. Reduce linear algebra problems to matrix singularity
2. Reduce general singularity to Toeplitz singularity
3. Reduce Toeplitz singularity to matrix product
4. Design a secure matrix product protocol
Reductions need to be secure and efficient

8 From Linear Algebra to Singularity
- Problems such as
  - Solving a linear system of equations
  - Computing the determinant
  - Computing the rank
- Reduced to matrix singularity: Det([A]) =? 0
- Round and communication preserving

9 Approach
1. Reduce linear algebra problems to matrix singularity
2. Reduce general singularity to Toeplitz singularity
3. Reduce Toeplitz singularity to matrix product
4. Design a secure matrix product protocol

10 General to Toeplitz
Theorem: For every positive integer $s$, there exists an $O(s)$ round and $O(s n^{2+1/s})$ communication protocol that securely transforms shares of a general matrix $M$ to shares of a Toeplitz matrix $T$, s.t. with high probability, $M$ is singular iff $T$ is.
[Figure: $M \to T$ in $O(s)$ rounds, $O(s n^{2+1/s})$ comm.; $M$ is singular iff $T$ is]

11 Minimal Polynomials
- All values are over a large finite field $F$
- Minimal polynomial of a matrix $A$ ($m_A$)
  - Smallest degree polynomial $f = (f_0, \dots, f_d)$
  - $f_0 I + f_1 A + \dots + f_d A^d = 0$
- Linearly recurrent sequence $\{a_i\}_{0 \le i \le N}$
  - Minimal polynomial $f$
  - $f_0 a_j + f_1 a_{j+1} + \dots + f_d a_{j+d} = 0$

12 General to Toeplitz
- Generate random matrices $V$, $W$ over $F$ and compute $M' = VMW$
  - Lemma ([KS91]): W.h.p., upper-left $i \times i$ submatrices of $M'$ are invertible (for $i \le \mathrm{Rank}(M)$)
- Generate random diagonal matrix $D$, and compute $M'' = DM'$
  - Lemma ([KS91]): W.h.p., $\mathrm{rank}(M') = \deg(m_{M''}) - 1$
- Compute sequence $\{\alpha_i = u^t (M'')^i v\}_{1 \le i \le 2n}$ for random vectors $u$, $v$
  - Lemma ([Wei86]): W.h.p., minimal polynomial of $\alpha_i$ is equal to $m_{M''}$

13 General to Toeplitz
Lemma ([KP91]): Det($T_d$) ≠ 0, and for all d <, and Det(T ) = 0, where $d$ = degree of minimal polynomial of $\alpha_i$
$T_n$ singular iff $M$ is

14 General to Toeplitz
- Generate random matrices $V$, $W$ over $F$ and compute $M' = VMW$
  - Lemma ([KS91]): W.h.p., upper-left $i \times i$ submatrices of $M'$ are invertible (for $i \le \mathrm{Rank}(M)$)
- Generate random diagonal matrix $D$, and compute $M'' = DM'$
  - Lemma ([KS91]): W.h.p., $\mathrm{rank}(M') = \deg(m_{M''}) - 1$
- Compute sequence $\{\alpha_i = u^t (M'')^i v\}_{1 \le i \le 2n}$ for random vectors $u$, $v$
  - Lemma ([Wei86]): W.h.p., minimal polynomial of $\alpha_i$ is equal to $m_{M''}$
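The steps of slides 12 and 14, run in the clear over a prime field, as an added example that is not code from the talk or the paper: it preconditions $M$, builds the sequence, recovers its minimal polynomial (in the sense of slide 11) with the Berlekamp-Massey algorithm, and reads singularity and rank off it. The modulus `P`, the function names, the sample matrices, and indexing the sequence from $i = 0$ (so that a factor $x$ of the minimal polynomial is visible in the sequence) are assumptions; nothing here is secret-shared.

```python
import random

P = (1 << 61) - 1  # assumed prime modulus standing in for the "large finite field F"

def matmul(A, B):
    return [[sum(a * b for a, b in zip(r, c)) % P for c in zip(*B)] for r in A]

def berlekamp_massey(seq):
    """Shortest recurrence: returns (L, C) with sum_i C[i]*seq[j-i] = 0 for all j >= L."""
    C, B, L, m, b = [1], [1], 0, 1, 1
    for n in range(len(seq)):
        d = sum(C[i] * seq[n - i] for i in range(len(C))) % P  # discrepancy
        if d == 0:
            m += 1
            continue
        T, coef = C[:], d * pow(b, -1, P) % P
        C = C + [0] * (len(B) + m - len(C))
        for i, bi in enumerate(B):
            C[i + m] = (C[i + m] - coef * bi) % P
        if 2 * L <= n:
            L, B, b, m = n + 1 - L, T, d, 1
        else:
            m += 1
    return L, (C + [0] * (L + 1))[:L + 1]  # pad so that len(C) == L + 1

def singularity_via_minpoly(M, seed=1):
    """Cleartext run of the slide's steps; returns (is_singular, rank, f)."""
    n, rng = len(M), random.Random(seed)
    rand_mat = lambda: [[rng.randrange(1, P) for _ in range(n)] for _ in range(n)]
    V, W = rand_mat(), rand_mat()
    D = [rng.randrange(1, P) for _ in range(n)]
    M1 = matmul(matmul(V, M), W)                                    # M' = V M W
    M2 = [[D[i] * x % P for x in row] for i, row in enumerate(M1)]  # M'' = D M'
    u = [rng.randrange(P) for _ in range(n)]
    w = [rng.randrange(P) for _ in range(n)]                        # w starts as v
    seq = []
    for _ in range(2 * n):                   # a_i = u^t (M'')^i v for i = 0..2n-1
        seq.append(sum(x * y for x, y in zip(u, w)) % P)
        w = [sum(a * c for a, c in zip(row, w)) % P for row in M2]
    L, C = berlekamp_massey(seq)
    f = C[::-1]                              # f_0..f_d as on slide 11, with f_d = 1
    singular = f[0] == 0                     # x divides m_{M''} iff 0 is an eigenvalue
    return singular, (L - 1 if singular else n), f

# Constructed sample inputs: a rank-2 4x4 matrix and an invertible 3x3 matrix.
SINGULAR = [[1, 2, 3, 4], [0, 1, 1, 2], [1, 3, 4, 6], [2, 4, 6, 8]]
REGULAR = [[2, 1, 0], [1, 3, 1], [0, 1, 4]]
```

A zero constant term proves singularity; a non-zero one is correct only with high probability over the random choices, which is the same one-sided error the lemmas carry.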

15 Approach
1. Reduce linear algebra problems to matrix singularity
2. Reduce general singularity to Toeplitz singularity
3. Reduce Toeplitz singularity to matrix product
4. Design a secure matrix product protocol

16 Toeplitz to Matrix Product
- Compute traces of $T^1, \dots, T^n$, denoted $s_1, \dots, s_n$
- Then, use Leverrier's Lemma to compute char. polynomial of $T$
- Test if $c_1$ is 0?
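The trace-based test of slide 16, computed in the clear as an added example (not code from the talk or the paper): power traces of a Toeplitz matrix are turned into the characteristic polynomial with Newton's identities, the usual form of Leverrier's lemma, and the constant coefficient decides singularity. The modulus `P`, the function names and the sample matrices are assumptions, as is reading the slide's $c_1$ as the constant coefficient.

```python
P = (1 << 61) - 1  # assumed prime field; the division by k below needs characteristic > n

def toeplitz(col, row):
    """n x n Toeplitz matrix with first column `col` and first row `row` (col[0] == row[0])."""
    n = len(col)
    return [[col[i - j] if i >= j else row[j - i] for j in range(n)] for i in range(n)]

def power_traces(T):
    """s_k = trace(T^k) mod P for k = 1..n."""
    n, X, out = len(T), T, []
    for _ in range(n):
        out.append(sum(X[i][i] for i in range(n)) % P)
        X = [[sum(a * b for a, b in zip(r, c)) % P for c in zip(*T)] for r in X]
    return out

def leverrier(s):
    """Coefficients [1, a_1, ..., a_n] of det(xI - T) = x^n + a_1 x^(n-1) + ... + a_n."""
    a = [1]
    for k in range(1, len(s) + 1):
        # Newton's identity: k*a_k + sum_{i=1..k} a_{k-i} * s_i = 0
        acc = sum(a[k - i] * s[i - 1] for i in range(1, k + 1)) % P
        a.append(-acc * pow(k, -1, P) % P)
    return a

def is_singular(T):
    """T is singular iff the constant coefficient a_n = (-1)^n det(T) is zero."""
    return leverrier(power_traces(T))[-1] == 0

# Constructed sample inputs: the all-ones matrix (singular) and a tridiagonal one (det = 4).
T_SINGULAR = toeplitz([1, 1, 1], [1, 1, 1])
T_REGULAR = toeplitz([2, 1, 0], [2, 1, 0])
```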

17 Toeplitz to Matrix Product
- For any Toeplitz matrix $T$ we have:
- Where $u^t = (u_1, \dots, u_n)$ and $v^t = (v_1, \dots, v_n)$ are first and last column of $X$
- Trace of $X$ contains traces of powers of $T$

18 Toeplitz to Matrix Product
- $e_1 = (1, 0, \dots, 0)^t$, $e_n = (0, \dots, 0, 1)^t$
- $\{u_i = T^i e_1\}$, $\{v_i = T^i e_n\}$

19 Secure Computation of $\{M^i v\}_{1 < i < 2n}$
- [CKP07]: Secure computation of $\mathrm{POW}_d(M) = \{I, M, \dots, M^d\}$ reduced to $O(d)$ matrix products
- A baby step, giant step algorithm
- Given $O(n^2)$ comm. secure matrix product: $O(s)$ rounds, $O(s n^{2+1/s})$ comm.

20 Approach
1. Reduce linear algebra problems to matrix singularity
2. Reduce general singularity to Toeplitz singularity
3. Reduce Toeplitz singularity to matrix product
4. Design a secure matrix product protocol

21 Multiparty Matrix Product
- $A$ and $B$, shared using a linear secret sharing scheme
- Parties compute shares of $C = AB$
- Implicit in existing works [CDM00], using distributed homomorphic commitments
- Const. round protocol with $O(n^2)$ comm.
- Secure against malicious adversaries

22 Two-Party Matrix Product
- Inputs: Alice holds $A_1$, $A_2$; Bob holds $B_1$, $B_2$
- Outputs: Alice: $C$; Bob: $(A_1 + B_1)(A_2 + B_2) + C$
- Bob sends $E_{Bob}(B_1)$, $E_{Bob}(B_2)$ to Alice
- Alice computes and sends to Bob $E_{Bob}((A_1 + B_1)(A_2 + B_2) + C)$
- Only secure against semi-honest adversaries

23 Two-Party Matrix Product against Covert Adversaries
- Break each matrix into random additive shares
- Perform many matrix product protocols on shares
- Reveal all but one for verification
- Simulation-based security against covert adversaries

24 Open Questions
- Fully malicious adversaries? With the same efficiency
- Sparse or structured matrices: how efficient can we get?

