
Post on 01-Apr-2015


Secure Linear Algebra against Covert or Unbounded Adversaries

Payman Mohassel and Enav Weinreb

UC Davis, CWI

Solving Distributed Linear Constraints Privately

[Figure: four parties each hold one block of constraints, A1 x = b1, A2 x = b2, A3 x = b3, A4 x = b4. The output is a solution x of the stacked system:]

    [A1]        [b1]
    [A2]  x  =  [b2]
    [A3]        [b3]
    [A4]        [b4]

Perfect Matching in Bipartite Graphs

[Figure: party P1 holds edge set E1 with adjacency matrix AG1; party P2 holds edge set E2 with adjacency matrix AG2.]

• G = (E, V)
• E = E1 ∪ E2
• AG = AG1 + AG2
• Det(AG1 + AG2) =? 0

AG is the adjacency matrix of graph G, with variables replacing the 1's.

Det is non-zero iff G has a perfect matching.

Problem
• Secure linear algebra computation: solving linear systems, computing rank, determinant, …

Setting
• Shared n × n matrix / linear system
• Multiparty (honest majority): linear secret sharing
• Two-party: additive homomorphic encryption

Goal
• Improve round and communication efficiency
• Defend against stronger adversaries

Current Status

Multiparty
• [CKP07]: const. round, O(m^4 + n^2 m) comm. for m × n systems; worst case O(n^4) comm.; malicious adversaries (honest majority)
• [NW06]: O(n^0.27) rounds, O(n^2) comm.; semi-honest adversaries

Two-party
• [KMWF07]: O(log n) rounds, O(n^2 log n) comm.; semi-honest adversaries
• Yao's: O(1) rounds, O(n^2.38) comm.

Our Protocols

Efficiency
• For every constant s: O(s) rounds, O(s · n^(2+1/s)) communication
• Sublinear comm. in circuit complexity

Security
• Multiparty: malicious adversary (honest majority)
• Two-party: covert adversaries

Approach

1. Reduce linear algebra problems to matrix singularity

2. Reduce general singularity to Toeplitz singularity

3. Reduce Toeplitz singularity to matrix product

4. Design a secure matrix product protocol

Reductions need to be secure and efficient

From Linear Algebra to Singularity

Problems such as solving a linear system of equations, computing the determinant, and computing the rank are reduced to matrix singularity, Det([A]) =? 0. The reduction is round and communication preserving.


General to Toeplitz

Theorem: For every positive integer s, there exists an O(s)-round, O(s · n^(2+1/s))-communication protocol that securely transforms shares of a general matrix M into shares of a Toeplitz matrix T such that, with high probability, M is singular iff T is.

[Figure: M → T in O(s) rounds and O(s · n^(2+1/s)) comm.; M is singular iff T is.]

Minimal Polynomials

All values are over a large finite field F.

Minimal polynomial of a matrix A, denoted m_A: the smallest-degree polynomial f = (f_0, …, f_d) with
    f_0 I + f_1 A + … + f_d A^d = 0

Linearly recurrent sequence {a_i}, 0 ≤ i ≤ N, with minimal polynomial f: for all j,
    f_0 a_j + f_1 a_{j+1} + … + f_d a_{j+d} = 0

General to Toeplitz

1. Generate random matrices V, W over F and compute M' = VMW.
   Lemma ([KS91]): W.h.p., the upper-left i × i submatrices of M' are invertible (for i ≤ Rank(M)).
2. Generate a random diagonal matrix D and compute M'' = DM'.
   Lemma ([KS91]): W.h.p., rank(M') = deg(m_{M''}) - 1.
3. Compute the sequence {α_i = u^t (M'')^i v}, 1 ≤ i ≤ 2n, for random vectors u, v.
   Lemma ([Wei86]): W.h.p., the minimal polynomial of {α_i} is equal to m_{M''}.

General to Toeplitz

Lemma ([KP91]): Det(T_d) ≠ 0, and for all d < , Det(T ) = 0,
where d = degree of the minimal polynomial of {α_i}.

T_n is singular iff M is.
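As an added example (not part of the talk), the General-to-Toeplitz step carried out locally over GF(p) in Python: the Krylov sequence α_i = u^t M^i v, its minimal polynomial, and the singularity decision from the degree. Random V, W, D, u, v stand in for the talk's preconditioning; Berlekamp–Massey is the sequence-minimal-polynomial algorithm chosen here (the slides do not name one), and the prime, the seed and the test matrices are constructed.

```python
import random

P = 1_000_003  # constructed prime field; all arithmetic below is mod P

def mat_mul(X, Y):
    return [[sum(X[i][k] * Y[k][j] for k in range(len(Y))) % P for j in range(len(Y[0]))] for i in range(len(X))]

def mat_vec(M, v):
    return [sum(M[i][k] * v[k] for k in range(len(v))) % P for i in range(len(M))]

def krylov_sequence(M, u, v):
    """alpha_i = u^t M^i v for i = 1..2n, built from repeated matrix-vector products M^i v."""
    seq, w = [], v
    for _ in range(2 * len(M)):
        w = mat_vec(M, w)
        seq.append(sum(ui * wi for ui, wi in zip(u, w)) % P)
    return seq

def berlekamp_massey(seq):
    """Minimal polynomial f = (f_0, ..., f_d), f_d = 1, with f_0 a_j + ... + f_d a_{j+d} = 0 for all j."""
    N = len(seq)
    C, B = [1] + [0] * N, [1] + [0] * N   # connection polynomial and its last saved copy
    L, m, b = 0, 1, 1
    for i in range(N):
        d = (seq[i] + sum(C[j] * seq[i - j] for j in range(1, L + 1))) % P   # discrepancy
        if d == 0:
            m += 1
            continue
        T, coef = C[:], d * pow(b, P - 2, P) % P
        for j in range(N + 1 - m):
            C[j + m] = (C[j + m] - coef * B[j]) % P
        if 2 * L <= i:
            L, B, b, m = i + 1 - L, T, d, 1
        else:
            m += 1
    return [C[j] for j in range(L, -1, -1)]

def singular_by_minpoly(M, seed=7):
    """Step 2 of the talk: M'' = D(VMW) with random V, W, D, then random u, v. W.h.p. the sequence's
    minimal polynomial has degree rank(M), so M is singular iff the degree is below n (T_n singular)."""
    n, rng = len(M), random.Random(seed)   # constructed seed; the protocol draws these jointly at random
    rnd = lambda: rng.randrange(1, P)
    V = [[rnd() for _ in range(n)] for _ in range(n)]
    W = [[rnd() for _ in range(n)] for _ in range(n)]
    D = [[rnd() if i == j else 0 for j in range(n)] for i in range(n)]
    M2 = mat_mul(D, mat_mul(V, mat_mul(M, W)))
    u, v = [rnd() for _ in range(n)], [rnd() for _ in range(n)]
    f = berlekamp_massey(krylov_sequence(M2, u, v))
    return len(f) - 1 < n
```

Without the random V, W, D the degree test misjudges nonsingular matrices with repeated eigenvalues (the identity gives a degree-1 sequence), which is exactly what the preconditioning lemmas rule out.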



Toeplitz to Matrix Product

• Compute the traces of T^1, …, T^n, denoted s_1, …, s_n.
• Then use Leverrier's Lemma to compute the characteristic polynomial of T.
• Test if c_1 is 0.

Toeplitz to Matrix Product

For any Toeplitz matrix T we have:

where u^t = (u_1, …, u_n) and v^t = (v_1, …, v_n) are the first and last columns of X. The trace of X contains the traces of powers of T.

Toeplitz to Matrix Product

e_1 = (1, 0, …, 0)^t, e_n = (0, …, 0, 1)^t

{u_i = T^i e_1}, {v_i = T^i e_n}
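Added example, not from the talk: Leverrier's Lemma as the local computation the Toeplitz-to-matrix-product step performs once the traces s_1, …, s_n of T^1, …, T^n are available, in Python over GF(p). The prime and the sample Toeplitz matrices are constructed; the coefficient tested is the constant term of the characteristic polynomial, which equals ±det(T) (presumably the slide's c_1), and since Leverrier divides by k for k ≤ n the field characteristic must exceed n.

```python
P = 1_000_003  # constructed prime; Leverrier divides by k = 1..n, so P must exceed n

def mat_mul(X, Y):
    n = len(X)
    return [[sum(X[i][k] * Y[k][j] for k in range(n)) % P for j in range(n)] for i in range(n)]

def trace(X):
    return sum(X[i][i] for i in range(len(X))) % P

def power_traces(T):
    """s_k = trace(T^k) for k = 1..n; in the protocol these come out of secure matrix products."""
    s, Tk = [], T
    for _ in range(len(T)):
        s.append(trace(Tk))
        Tk = mat_mul(Tk, T)
    return s

def char_poly_from_traces(s):
    """Leverrier / Newton identities: c_0 = 1 and k*c_k = -(s_1 c_{k-1} + ... + s_k c_0),
    giving det(xI - T) = x^n + c_1 x^(n-1) + ... + c_n."""
    c = [1]
    for k in range(1, len(s) + 1):
        acc = sum(s[i - 1] * c[k - i] for i in range(1, k + 1)) % P
        c.append(-acc * pow(k, P - 2, P) % P)   # division by k via the Fermat inverse
    return c

def is_singular(T):
    """det(T) = (-1)^n c_n, so T is singular iff the constant coefficient is zero."""
    return char_poly_from_traces(power_traces(T))[-1] == 0

def toeplitz(first_col, first_row):
    """n x n Toeplitz matrix from its first column and first row (first_col[0] == first_row[0])."""
    n = len(first_col)
    return [[first_col[i - j] if i >= j else first_row[j - i] for j in range(n)] for i in range(n)]
```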

Secure Computation of {M^i v}, 1 ≤ i ≤ 2n

• [CKP07]: secure computation of POW_d(M) = {I, M, …, M^d} reduces to O(d) matrix products.
• A baby-step, giant-step algorithm: given an O(n^2)-comm. secure matrix product, O(s) rounds and O(s · n^(2+1/s)) comm.


Multiparty Matrix Product

• A and B are shared using a linear secret sharing scheme; the parties compute shares of C = AB.
• Implicit in existing works [CDM00], using distributed homomorphic commitments.
• Constant-round protocol with O(n^2) comm.; secure against malicious adversaries.

Two-Party Matrix Product

[Figure: Inputs: Alice holds A1, A2; Bob holds B1, B2. Outputs: (A1+B1)(A2+B2)+C and C.]

• Bob sends E_Bob(B1), E_Bob(B2) to Alice.
• Alice computes and sends to Bob E_Bob((A1+B1)(A2+B2)+C).
• Only secure against semi-honest adversaries.
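Added example, not the talk's code: the semi-honest two-party matrix product above in Python, instantiated with a toy Paillier scheme as the additively homomorphic encryption (the slides do not fix one). Alice's message carries A1·A2 + A1·B2 + B1·A2 + C, the part she can form from E_Bob(B1), E_Bob(B2) by ciphertext addition and plaintext scaling; Bob adds B1·B2 locally after decrypting, an assumption of this example since the slide writes the message as E_Bob((A1+B1)(A2+B2)+C). The primes, the field and the inputs are constructed.

```python
import random

P = 1_000_003  # constructed prime field for the matrix entries

def paillier_keygen():
    # Constructed toy primes (far too small for real use); n must exceed every plaintext Alice forms.
    p, q = 1_000_000_007, 1_000_000_009
    n, lam = p * q, (p - 1) * (q - 1)
    return (n, n + 1), (n, lam, pow(lam, -1, n))      # pk = (n, g), sk = (n, lambda, mu)

def enc(pk, m):
    n, g = pk
    r = random.randrange(1, n)
    return pow(g, m, n * n) * pow(r, n, n * n) % (n * n)

def dec(sk, c):
    n, lam, mu = sk
    return (pow(c, lam, n * n) - 1) // n * mu % n

def mat_add(X, Y):
    return [[(x + y) % P for x, y in zip(rx, ry)] for rx, ry in zip(X, Y)]

def mat_mul(X, Y):
    return [[sum(X[i][k] * Y[k][j] for k in range(len(Y))) % P for j in range(len(Y[0]))] for i in range(len(X))]

def two_party_product(A1, A2, B1, B2, seed=1):
    """Alice holds A1, A2; Bob holds B1, B2. Returns (Alice's share, Bob's share) of (A1+B1)(A2+B2)."""
    rng, dim = random.Random(seed), len(A1)
    pk, sk = paillier_keygen()                           # Bob's key pair
    n2 = pk[0] ** 2
    EB1 = [[enc(pk, x) for x in row] for row in B1]     # Bob -> Alice: E_Bob(B1), E_Bob(B2)
    EB2 = [[enc(pk, x) for x in row] for row in B2]
    C = [[rng.randrange(P) for _ in range(dim)] for _ in range(dim)]   # Alice's random mask
    msg = [[0] * dim for _ in range(dim)]
    for i in range(dim):                                 # Alice, entrywise: E(x)E(y) = E(x+y), E(x)^k = E(kx)
        for j in range(dim):
            c = enc(pk, (sum(A1[i][k] * A2[k][j] for k in range(dim)) + C[i][j]) % P)  # A1*A2 + C
            for k in range(dim):
                c = c * pow(EB2[k][j], A1[i][k], n2) % n2   # + A1[i][k] * B2[k][j]
                c = c * pow(EB1[i][k], A2[k][j], n2) % n2   # + B1[i][k] * A2[k][j]
            msg[i][j] = c
    # Bob decrypts (integers below n, so reduce mod P) and adds B1*B2, which he can form locally;
    # the slide shows the message as E((A1+B1)(A2+B2)+C), so this local step is the example's assumption.
    bob = mat_add([[dec(sk, c) % P for c in row] for row in msg], mat_mul(B1, B2))
    alice = [[(-x) % P for x in row] for row in C]       # -C, so the two shares sum to the product
    return alice, bob
```

Nothing here lets Bob detect an Alice who encrypts the wrong value, which is the gap the cut-and-choose construction on the next slide closes.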

Two-Party Matrix Product against Covert Adversaries

• Break each matrix into random additive shares.
• Perform many matrix product protocols on the shares.
• Reveal all but one for verification.
• Simulation-based security against covert adversaries.

Open Questions

• Fully malicious adversaries, with the same efficiency?
• Sparse or structured matrices: how efficient can we get?
