Secure Computation of Linear Algebraic Functions

1 / 50

# Secure Computation of Linear Algebraic Functions - PowerPoint PPT Presentation

Secure Computation of Linear Algebraic Functions. Enav Weinreb – CWI, Amsterdam Joint work with: Matt Franklin, Eike Kiltz, Payman Mohassel and Kobbi Nissim. Talk Overview. Secure Computation in General Secure Linear Algebra Based on “Oblivious Gaussian Elimination”

I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.

## PowerPoint Slideshow about 'Secure Computation of Linear Algebraic Functions' - flora

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.

- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript

### Secure Computation of Linear Algebraic Functions

Enav Weinreb – CWI, Amsterdam

Joint work with: Matt Franklin, Eike Kiltz, Payman Mohassel and Kobbi Nissim

Talk Overview
• Secure Computation in General
• Secure Linear Algebra Based on “Oblivious Gaussian Elimination”
• Secure Linear Algebra Based on Linearly Recurrent Sequences
• Recent Developments and Open Problems
Secure Computation
• Alice has an input x
• Bob has an input y
• Let f:{0,1}2n{0,1} be a Boolean function.
• Alice and Bob wish to compute f(x,y) without leaking any further information on their private inputs.

The players cooperate but do not trust each other.

The Millionaires’ Problem

x = 100\$ ???

x = 999,999,999\$ ???

Secure Computation - Example

x

1,000,000,000\$

x > y ?

Levels of security:

Computational - adversary is computationally limited

Information theoretic - adversary is computationally unbounded.

“Leak no further information”

Real World

Ideal World

y

x

y

x

f(x,y)

f(x,y)

f(x,y)

h(x)

h(x)

• Important complexity measures:
• Communication complexity
• Round complexity
• Computational complexity
• Malicious – adversary arbitrarily deviates from the protocol

0

1

0

1

0

0

0

1

1

0

1

0

0

1

1

0

1

x1

x2

x3

x4

x5

x6

x7

x8

Boolean Circuit Complexity
• Let f:{0,1}2n  {0,1}
• We consider digital circuits with the gates {AND, OR, NOT} that compute f in the natural way.
• circuit size – number of gates
• circuit depth – max distance from an input wire to output
General Result – two-party [Yao]

Boolean circuit that computes f(x,y) with size s(n)

implies

secure two party protocol for computing f(x,y) with:

• communication complexity linear in s(n)
• 2 rounds.

computational security.

General Result – Multi-Party [BGW, CCD]

Boolean circuit that computes f(x1,...,xk) with size s(n) and depth d(n)

implies

A secure k-party protocol for computing f(x1,...,xk) with:

• communication complexity linear in s(n)
• round complexity d(n)
• Information theoretic security against:
• Less than k/2 adversarial players – honest but curious
• Less than k/3 adversarial players – malicious
Talk Overview
• Secure Computation in General
• Secure Linear Algebra Based on “Oblivious Gaussian Elimination”
• Secure Linear Algebra Based on Linearly Recurrent Sequences
• Recent Developments and Open Problems
Linear Algebraic Functions

Matrix singularity:

• Alice and Bob hold A ∊Fnxn and B ∊Fnxn respectively, where F is a finite field
• They wish to (securely) compute whether M=A+B is singular

Efficient secure protocol for singularity leads to efficient protocols for:

• solving a joint system of equations (linear constraints may contain private information!)
• computing det(M), char.poly(M), min.poly(M)
• computing subspaces intersection
• more...
Applying General Results
• Circuit complexity of matrix singularity is similar to number of multiplications in matrix product.
• Best known result O(n2.38) [Coppersmith Winograd]
• Input size is only n2 - trivial non-cryptographic protocol has complexity n2
• Can we achieve this in a secure protocol?
• Can we achieve this keeping the round complexity low?
A previous result
• “Secure linear algebra in a constant number of rounds.” [Cramer Damgård]
• Information theoretic security
• constant round complexity
• communication complexity O(n3)
Our results
• Secure protocol for singularity(A+B) in the computational two party setting with:
• communication complexity O(n2log n)
• round complexity O(log n)
• Recent improvements [Mohassel W]
• constant round
• information theoretical security
Oblivious Gaussian Elimination
• Protocol from [Nissim W]
• Achieves:
• communication complexity O(n2log n)
• round complexity O(n0.275)
• Cryptographic assumption: public key homomorphic encryption
Tool: Homomorphic Encryption
• Public key encryption scheme
• Public key PK is published – everybody can encrypt
• Secret key SK is private – only one can decrypt
• For
• Corollary:
• Example: [Goldwasser Micali] (QR) for F=GF(2).

(with PK only)

Initial Step

A∊Fnxn

B ∊Fnxn

PK

Generates

+

=

Is M singular?

Algorithms on Encrypted Data
• Bob can locally compute:

Use Alice!

?

Multiplying a Vector by a Scalar

Communication complexity is O(n).

Find a row that “starts” with a 1.

Swap this row and the top row.

“Eliminate” the leftmost column.

Continue recursively.

Gaussian Elimination
Oblivious Gaussian Elimination
• “Find a row that starts with a 1.”
• “Swap this row and the top row.”

Use Alice!

w.h.p

Finding a row starting with a 1

STEP 1: Randomization

• Bob multiplies E(M) by a random full rank matrix R.

E(M)  R E(M)

• Set m = log2n

1

Finding a row that starts with a 1

STEP 2: Moving the 1 to the top row.

Moving the 1 to the top row.
• Bob computes E(M[1,1]M1)
• If M[1,1]=0 Bob gets E(0).
• If M[1,1]=1 Bob gets E(M1).
• For every 2 ≤ j ≤ m, Bob computesE(Mj)  E(Mj – M[j,1]M[1,1]M1)
• Same with E(M2), E(M3), ..., E(Mm)
• Update E(M1) = E(Mi)
• Eliminate leftmost column.

1

0

0

1

m

1

0

0

1

0

0

1

1

1

Moving the 1 to the top row.
• Continue recursively on the lower right submatrix
• Finally, multiply all diagonal elements. M is singular if and only if the product of the diagonal entries is 1.

1

m

0

0

0

0

Communication Complexity

Single row

One column

Overall

Alice  Bob

Alice  Bob

Lazy Evaluation

Send data “on demand”

Memory

Single row

One column

Overall

Alice  Bob

Alice  Bob

Talk Overview
• Secure Computation in General
• Secure Linear Algebra Based on “Oblivious Gaussian Elimination”
• Secure Linear Algebra Based on Linearly Recurrent Sequences
• Recent Developments and Open Problems
Improved Round Complexity
• Protocol from [Kiltz Mohassel W Franklin]
• Achieves:
• communication complexity O(n2log n)
• round complexity O(log n)
• Setting:
• Two party with computational security
• Computational assumption – homomorphic encryption
Linearly Recurrent Sequences
• General idea: apply algorithms designed for sparse matrices for secure computation on general matrices.
• Assumption – the underlying field is large |F| > nlog n (otherwise – use field extension)
A Simple Reduction

Randomized approach:

To check if M is singular:

• Pick a random vector v.
• Check whether the system Mx = v is solvable.

Not solvable – M is singular.Solvable – with high prob. (1 – 1/|F|), M is non-singular

Deciding if Mx = v is Solvable [Wiedemann]
• Consider the n+1 vectors:

v, Mv, M2v, ..., Mnv

• There are a=(a0, ..., an) such that

∑aiMiv = 0

• Linearly recurrent sequences: If ∑aiMiv =0 then for all j:∑aiMi+jv = Mj(∑aiMiv) = Mj0 = 0
Deciding if Mx = v is Solvable [Wiedemann86]
• For every b=(b0, ..., bn) such that ∑biMiv = 0, consider the polynomial pb(x) = ∑bixi
• The set of such polynomials forms an ideal in F[x] – the annihilator ideal
• Minimal polynomial m(x) – the generator of the ideal
The annihilatorideal
• Let fM(x) be the characteristic polynomial of M.
• [Cayley Hamilton]: fM(M)=0 → fM(M)v = 0 → fM(x) is in the annihilatorideal →m(x) | fM(x)
• We will be interested in the constant coefficient of m(x).
The Constant Coefficient of m(x)

Claim:

• Ifm(0)≠ 0 then Mx = v is solvable.
• If m(0) = 0 then Mx = v is not solvable
The Constant Coefficient of m(x)

Claim:

• If m(0)≠ 0 then Mx = v is solvable.
• If m(0) = 0 then Det(M) = 0.

Conclusion:

With probability (1 – 1/|F|):

m(0) = 0 if and only if det(M)=0

Proof of the Claim (i)
• If m(0)≠0 then Mx=v is solvable.
• m(x) = cnxn+...+c1x+c0
• where c0=m(0) ≠ 0
• m(M)v = 0 (m(x) is in the ideal)
• cnMnv+...+c1Mv+c0v = 0
• M(cnMn-1v+...+c1v) = -c0v
• set x = -c0-1(cnMnv+...+c1Mv)
• Mx = v the system is solvable.
Proof of the Claim (ii)

(ii) If m(0)=0 then Det(M) = 0.

fM(0) = Det(M)

We saw before that m(x) | fM(x).

Hence fM(0)=0 and thus Det(M) = 0 □

Berlekamp/Massey Algorithm
• We are interested in computing m(0).
• Berlekamp/Massey algorithm:computes m(x) in O(n log n) operations, given v, Mv, ..., M2n-1v.
• General idea: the algorithm uses an intermediate result of the extended Euclidean algorithm executed on:
• x2n
• a polynomial whose coefficients are the elements uTM0v, uTM1v, ..., uTM2n-1v for some random vector u.
Multiplying two matrices

Communication complexity is O(n2)

Secure Two-Party Algorithm (sketch)

(PK,SK)

E(M)

Next slide: O(log n) rounds,

O(n2 log n) communication

E(Miv)i=0,1,…,2n-1

Yao’s general method applied on Berlekamp/Massey algorithm: O(1) rounds, O(n logn) communication

E(m(x))

Decryption of E(m(0)r) where r is a random number.

m(0) =? 0

Computing the Sequence EPK(Miv)
• Bob is given E(M) and computes E(v)
• Bob computes E(M2^i), i=1...log n
• log n rounds, n2 log n communication
• Bob computes:
• E(Mv)
• E(M3v|M2v) = E(M2) · E(Mv|v)
• E(M7v|M6v|M5v|M4v) = E(M4) ·E(M3v|M2v|Mv|v)
• Finally: E(v), E(Mv), …, E(M2n-1v)
• O(log n) rounds, O(n2 log n) communication
Talk Overview
• Secure Computation in General
• Secure Linear Algebra Based on “Oblivious Gaussian Elimination”
• Secure Linear Algebra Based on Linearly Recurrent Sequences
• Recent Developments and Open Problems
Recent Developements
• Protocol from [Mohassel W]
• For every constant t:
• communication complexity O(n2+1/t)
• round complexity t
• Gives information theoretic security.
• Based on a reduction to deciding the singularity of Toeplitz matrices.
Open Problem
• Secure Linear Algebra
• Malicious case for two party computation
• General Secure Computation
• Understand the relation between circuit complexity and secure protocol complexity of problem.
• Is linear communication complexity always possible?