- By
**flora** - Follow User

- 280 Views
- Uploaded on

Download Presentation
## PowerPoint Slideshow about 'Secure Computation of Linear Algebraic Functions' - flora

Download Now**An Image/Link below is provided (as is) to download presentation**

Download Now

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.

- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -

Presentation Transcript

### Secure Computation of Linear Algebraic Functions

Talk Overview

Enav Weinreb – CWI, Amsterdam

Joint work with: Matt Franklin, Eike Kiltz, Payman Mohassel and Kobbi Nissim

Talk Overview

- Secure Computation in General
- Secure Linear Algebra Based on “Oblivious Gaussian Elimination”
- Secure Linear Algebra Based on Linearly Recurrent Sequences
- Recent Developments and Open Problems

Secure Computation

- Alice has an input x
- Bob has an input y
- Let f:{0,1}2n{0,1} be a Boolean function.
- Alice and Bob wish to compute f(x,y) without leaking any further information on their private inputs.

The players cooperate but do not trust each other.

Computational - adversary is computationally limited

Information theoretic - adversary is computationally unbounded.

“Leak no further information”

Real World

Ideal World

y

x

y

x

f(x,y)

f(x,y)

f(x,y)

h(x)

h(x)

Complexity Measures and Adversary Model

- Important complexity measures:
- Communication complexity
- Round complexity
- Computational complexity
- Adversary models:
- Honest but curious – adversary follows the protocol but tries to learn more information
- Malicious – adversary arbitrarily deviates from the protocol

1

0

1

0

0

0

1

1

0

1

0

0

1

1

0

1

x1

x2

x3

x4

x5

x6

x7

x8

Boolean Circuit Complexity- Let f:{0,1}2n {0,1}
- We consider digital circuits with the gates {AND, OR, NOT} that compute f in the natural way.
- circuit size – number of gates
- circuit depth – max distance from an input wire to output

General Result – two-party [Yao]

Boolean circuit that computes f(x,y) with size s(n)

implies

secure two party protocol for computing f(x,y) with:

- communication complexity linear in s(n)
- 2 rounds.

computational security.

General Result – Multi-Party [BGW, CCD]

Boolean circuit that computes f(x1,...,xk) with size s(n) and depth d(n)

implies

A secure k-party protocol for computing f(x1,...,xk) with:

- communication complexity linear in s(n)
- round complexity d(n)
- Information theoretic security against:
- Less than k/2 adversarial players – honest but curious
- Less than k/3 adversarial players – malicious

Talk Overview

- Secure Computation in General
- Secure Linear Algebra Based on “Oblivious Gaussian Elimination”
- Secure Linear Algebra Based on Linearly Recurrent Sequences
- Recent Developments and Open Problems

Linear Algebraic Functions

Matrix singularity:

- Alice and Bob hold A ∊Fnxn and B ∊Fnxn respectively, where F is a finite field
- They wish to (securely) compute whether M=A+B is singular

Efficient secure protocol for singularity leads to efficient protocols for:

- solving a joint system of equations (linear constraints may contain private information!)
- computing det(M), char.poly(M), min.poly(M)
- computing subspaces intersection
- more...

Applying General Results

- Circuit complexity of matrix singularity is similar to number of multiplications in matrix product.
- Best known result O(n2.38) [Coppersmith Winograd]
- Input size is only n2 - trivial non-cryptographic protocol has complexity n2
- Can we achieve this in a secure protocol?
- Can we achieve this keeping the round complexity low?

A previous result

- “Secure linear algebra in a constant number of rounds.” [Cramer Damgård]
- Information theoretic security
- constant round complexity
- communication complexity O(n3)

Our results

- Secure protocol for singularity(A+B) in the computational two party setting with:
- communication complexity O(n2log n)
- round complexity O(log n)
- Recent improvements [Mohassel W]
- constant round
- information theoretical security

Oblivious Gaussian Elimination

- Protocol from [Nissim W]
- Achieves:
- communication complexity O(n2log n)
- round complexity O(n0.275)
- Cryptographic assumption: public key homomorphic encryption

Tool: Homomorphic Encryption

- Public key encryption scheme
- Public key PK is published – everybody can encrypt
- Secret key SK is private – only one can decrypt
- For
- Corollary:
- Example: [Goldwasser Micali] (QR) for F=GF(2).

(with PK only)

Multiplying a Vector by a Scalar

Communication complexity is O(n).

Find a row that “starts” with a 1.

Swap this row and the top row.

“Eliminate” the leftmost column.

Continue recursively.

Gaussian EliminationOblivious Gaussian Elimination

- “Find a row that starts with a 1.”
- “Swap this row and the top row.”

Use Alice!

Finding a row starting with a 1

STEP 1: Randomization

- Bob multiplies E(M) by a random full rank matrix R.

E(M) R E(M)

- Set m = log2n

Moving the 1 to the top row.

- Bob computes E(M[1,1]M1)
- If M[1,1]=0 Bob gets E(0).
- If M[1,1]=1 Bob gets E(M1).
- For every 2 ≤ j ≤ m, Bob computesE(Mj) E(Mj – M[j,1]M[1,1]M1)
- Same with E(M2), E(M3), ..., E(Mm)
- Update E(M1) = E(Mi)
- Eliminate leftmost column.

1

0

0

1

m

1

0

0

1

0

0

1

1

Moving the 1 to the top row.- Continue recursively on the lower right submatrix
- Finally, multiply all diagonal elements. M is singular if and only if the product of the diagonal entries is 1.

1

m

0

0

0

0

Talk Overview

- Secure Computation in General
- Secure Linear Algebra Based on “Oblivious Gaussian Elimination”
- Secure Linear Algebra Based on Linearly Recurrent Sequences
- Recent Developments and Open Problems

Improved Round Complexity

- Protocol from [Kiltz Mohassel W Franklin]
- Achieves:
- communication complexity O(n2log n)
- round complexity O(log n)
- Setting:
- Two party with computational security
- Computational assumption – homomorphic encryption

Linearly Recurrent Sequences

- General idea: apply algorithms designed for sparse matrices for secure computation on general matrices.
- Assumption – the underlying field is large |F| > nlog n (otherwise – use field extension)

A Simple Reduction

Randomized approach:

To check if M is singular:

- Pick a random vector v.
- Check whether the system Mx = v is solvable.

Not solvable – M is singular.Solvable – with high prob. (1 – 1/|F|), M is non-singular

Deciding if Mx = v is Solvable [Wiedemann]

- Consider the n+1 vectors:

v, Mv, M2v, ..., Mnv

- There are a=(a0, ..., an) such that

∑aiMiv = 0

- Linearly recurrent sequences: If ∑aiMiv =0 then for all j:∑aiMi+jv = Mj(∑aiMiv) = Mj0 = 0

Deciding if Mx = v is Solvable [Wiedemann86]

- For every b=(b0, ..., bn) such that ∑biMiv = 0, consider the polynomial pb(x) = ∑bixi
- The set of such polynomials forms an ideal in F[x] – the annihilator ideal
- Minimal polynomial m(x) – the generator of the ideal

The annihilatorideal

- Let fM(x) be the characteristic polynomial of M.
- [Cayley Hamilton]: fM(M)=0 → fM(M)v = 0 → fM(x) is in the annihilatorideal →m(x) | fM(x)
- We will be interested in the constant coefficient of m(x).

The Constant Coefficient of m(x)

Claim:

- Ifm(0)≠ 0 then Mx = v is solvable.
- If m(0) = 0 then Mx = v is not solvable

The Constant Coefficient of m(x)

Claim:

- If m(0)≠ 0 then Mx = v is solvable.
- If m(0) = 0 then Det(M) = 0.

Conclusion:

With probability (1 – 1/|F|):

m(0) = 0 if and only if det(M)=0

Proof of the Claim (i)

- If m(0)≠0 then Mx=v is solvable.
- m(x) = cnxn+...+c1x+c0
- where c0=m(0) ≠ 0
- m(M)v = 0 (m(x) is in the ideal)
- cnMnv+...+c1Mv+c0v = 0
- M(cnMn-1v+...+c1v) = -c0v
- set x = -c0-1(cnMnv+...+c1Mv)
- Mx = v the system is solvable.

Proof of the Claim (ii)

(ii) If m(0)=0 then Det(M) = 0.

fM(0) = Det(M)

We saw before that m(x) | fM(x).

Hence fM(0)=0 and thus Det(M) = 0 □

Berlekamp/Massey Algorithm

- We are interested in computing m(0).
- Berlekamp/Massey algorithm:computes m(x) in O(n log n) operations, given v, Mv, ..., M2n-1v.
- General idea: the algorithm uses an intermediate result of the extended Euclidean algorithm executed on:
- x2n
- a polynomial whose coefficients are the elements uTM0v, uTM1v, ..., uTM2n-1v for some random vector u.

Multiplying two matrices

Communication complexity is O(n2)

Secure Two-Party Algorithm (sketch)

(PK,SK)

E(M)

Next slide: O(log n) rounds,

O(n2 log n) communication

E(Miv)i=0,1,…,2n-1

Yao’s general method applied on Berlekamp/Massey algorithm: O(1) rounds, O(n logn) communication

E(m(x))

Decryption of E(m(0)r) where r is a random number.

m(0) =? 0

Computing the Sequence EPK(Miv)

- Bob is given E(M) and computes E(v)
- Bob computes E(M2^i), i=1...log n
- log n rounds, n2 log n communication
- Bob computes:
- E(Mv)
- E(M3v|M2v) = E(M2) · E(Mv|v)
- E(M7v|M6v|M5v|M4v) = E(M4) ·E(M3v|M2v|Mv|v)
- Finally: E(v), E(Mv), …, E(M2n-1v)
- O(log n) rounds, O(n2 log n) communication

- Secure Computation in General
- Secure Linear Algebra Based on “Oblivious Gaussian Elimination”
- Secure Linear Algebra Based on Linearly Recurrent Sequences
- Recent Developments and Open Problems

Recent Developements

- Protocol from [Mohassel W]
- For every constant t:
- communication complexity O(n2+1/t)
- round complexity t
- Gives information theoretic security.
- Based on a reduction to deciding the singularity of Toeplitz matrices.

Open Problem

- Secure Linear Algebra
- Malicious case for two party computation
- General Secure Computation
- Understand the relation between circuit complexity and secure protocol complexity of problem.
- Is linear communication complexity always possible?

Download Presentation

Connecting to Server..