Download presentation
Presentation is loading. Please wait.
Published byKelsi Roll Modified over 10 years ago
1
Secure Linear Algebra against Covert or Unbounded Adversaries Payman Mohassel and Enav Weinreb UC Davis CWI
2
Solving Distributed Linear Constraints Privately A 1 x = b 1 A 4 x = b 4 A 3 x = b 3 A 2 x = b 2 output = A1A2A3A4A1A2A3A4 x b1b2b3b4b1b2b3b4
3
Perfect Matching in Bipartite Graphs E1E1 E2E2 G = (E,V) E = E 1 U E 2 A G = A G 1 A G 2 P1P1 P2P2 AG1AG1 AG2AG2 Det(A G 1 A G 2 ) =? 0 A G is the adjacency matrix of graph G With variables replacing 1’s Det is non-zero, iff G has a perfect matching
4
Problem Secure linear algebra computation Solving linear systems Computing rank, determinant, … Setting Shared n X n matrix/linear system Multiparty (honest majority) Linear secret sharing Two-party Additive homomorphic encryption Goal Improve round and communication efficiency Defend against stronger adversaries
5
Current Status Multiparty [CKP07] Const. round, O(m 4 + n 2 m) comm. for m x n systems Worst case: O(n 4 ) comm. Malicious adversaries (honest majority) [NW06] O(n 0.27 ) rounds, O(n 2 ) comm. Semi-honest adversaries Two-party [KMWF07] O(logn) rounds, O(n 2 logn) comm. Semi-honest adversaries Yao’s O(1) rounds, O(n 2.38 ) comm.
6
Our Protocols Efficiency For every constant s O(s) rounds, O(sn 2+1/s ) communication Sublinear comm. in circuit complexity Security Multiparty: malicious adversary (honest majority) Two-party: covert adversaries
7
Approach 1. Reduce linear algebra problems to matrix singularity 2. Reduce general singularity to Toeplitz singularity 3. Reduce Toeplitz singularity to matrix product 4. Design a secure matrix product protocol Reductions need to be secure and efficient
8
From Linear Algebra to Singularity Problems such as Solving a linear system of equations Computing the determinant Computing the Rank Reduced to Matrix Singularity Det([A]) =? 0 Round and communication preserving
9
Approach 1. Reduce linear algebra problems to matrix singularity 2. Reduce general singularity to Toeplitz singularity 3. Reduce Toeplitz singularity to matrix product 4. Design a secure matrix product protocol
10
General to Toeplitz Theorem: For every positive integer s, there exist a O(s) round and O(sn 2+1/s ) communication protocol that securely transforms shares of a general matrix M to shares of a Toeplitz matrix T, s.t. with high probability, M is singular iff T is. MT O(s) rounds, O(sn 2+1/s ) comm M is singular iff T is
11
Minimal Polynomials All values are over a large finite field F Minimal polynomial of a matrix A (m A ) Smallest degree polynomial f = (f 0,…,f d ) f 0 I +f 1 A + … + f d A d = 0 Linearly recurrent sequence {a i } 0≤ i ≤N Minimal polynomial f f 0 a j +f 1 a j+1 + … + f d a j+d = 0
12
General to Toeplitz Generate random matrices V, W over F and compute M’=VMW Lemma ([KS91]): W.h.p., upper-left i x i submatrices of M’ are invertible (for i ≤ Rank(M)) Generate random diagonal matrix D, and compute M’’ = DM’ Lemma ([KS91]): W.h.p., rank(M’) = deg(m M’’ ) - 1 Compute sequence { ɑ i = u t (M’’) i v} 1≤ i ≤2n for random vectors u, v Lemma ([Wei86]): W.h.p., minimal polynomial of α i is equal to m M’’
13
General to Toeplitz Det(T d ) ≠ 0, and for all d <, and Det(T ) = 0Lemma ([KP91]): Where, d = degree of minimal polynomial of ɑ i T n singular iff M is
14
General to Toeplitz Generate random matrices V, W over F and compute M’=VMW Lemma ([KS91]): W.h.p., upper-left i x i submatrices of M’ are invertible (for i ≤ Rank(M)) Generate random diagonal matrix D, and compute M’’ = DM’ Lemma ([KS91]): W.h.p., rank(M’) = deg(m M’’ ) - 1 Compute sequence { ɑ i = u t (M’’) i v} 1≤ i ≤2n for random vectors u, v Lemma ([Wei86]): W.h.p., minimal polynomial of α i is equal to m M’’
15
Approach 1. Reduce linear algebra problems to matrix singularity 2. Reduce general singularity to Toeplitz singularity 3. Reduce Toeplitz singularity to matrix product 4. Design a secure matrix product protocol
16
Toeplitz to Matrix Product Compute traces of T 1, …,T n denoted, s 1, …, s n Then, use Leverrier’s Lemma to compute char. polynomial of T Test if c 1 is 0?
17
Toeplitz to Matrix Product For any Toeplitz matrix T we have: Where u t =(u 1,…,u n ) and v t =(v 1,…,v n ) are first and last column of X Trace of X contains traces of powers of T
18
Toeplitz to Matrix Product e 1 =(1,0,…,0) t, e n = (0,…,0,1) t {u i = T i e 1 }, {v i =T i e n }
19
Secure Computation of {M i v} {1<i<2n} [CKP07]: Secure computation of POW d (M) = {I,M,…,M d } reduced to O(d) matrix product A baby step, giant step algorithm Given O(n 2 ) comm. secure matrix product: O(s) rounds, O(sn 2+1/s ) comm.
20
Approach 1. Reduce linear algebra problems to matrix singularity 2. Reduce general singularity to Toeplitz singularity 3. Reduce Toeplitz singularity to matrix product 4. Design a secure matrix product protocol
21
Multiparty Matrix Product A and B, shared using a linear secret sharing scheme Parties compute shares of C=AB Implicit in existing works [CDM00], using a distributed homomorphic commitments Const. round protocol with O(n 2 ) comm. Secure against malicious adversaries
22
Two-Party Matrix Product A 1, A 2 Alice Bob B 1, B 2 (A 1 +B 1 )(A 2 +B 2 )+C Inputs Outputs Bob sends E Bob (B 1 ), E Bob (B 2 ) to Alice Alice computes and sends to Bob E Bob ((A 1 +B 1 )(A 2 +B 2 )+C) Only secure against semi-honest adversaries C
23
Two-Party Matrix Product against Covert Adversaries Break each matrix into random additive shares Perform many matrix product protocols on shares Reveal all but one for verification Simulation-based security against covert adversaries
24
Open Questions Fully malicious adversaries? With the same efficiency Sparse or structured matrices – how efficient can we get?
Similar presentations
© 2025 SlidePlayer.com. Inc.
All rights reserved.