secure computation of linear algebraic functions l.
Download
Skip this Video
Loading SlideShow in 5 Seconds..
Secure Computation of Linear Algebraic Functions PowerPoint Presentation
Download Presentation
Secure Computation of Linear Algebraic Functions

Loading in 2 Seconds...

play fullscreen
1 / 50

Secure Computation of Linear Algebraic Functions - PowerPoint PPT Presentation


  • 283 Views
  • Uploaded on

Secure Computation of Linear Algebraic Functions. Enav Weinreb – CWI, Amsterdam Joint work with: Matt Franklin, Eike Kiltz, Payman Mohassel and Kobbi Nissim. Talk Overview. Secure Computation in General Secure Linear Algebra Based on “Oblivious Gaussian Elimination”

loader
I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.
capcha
Download Presentation

PowerPoint Slideshow about 'Secure Computation of Linear Algebraic Functions' - flora


An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.


- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript
secure computation of linear algebraic functions

Secure Computation of Linear Algebraic Functions

Enav Weinreb – CWI, Amsterdam

Joint work with: Matt Franklin, Eike Kiltz, Payman Mohassel and Kobbi Nissim

talk overview
Talk Overview
  • Secure Computation in General
  • Secure Linear Algebra Based on “Oblivious Gaussian Elimination”
  • Secure Linear Algebra Based on Linearly Recurrent Sequences
  • Recent Developments and Open Problems
secure computation
Secure Computation
  • Alice has an input x
  • Bob has an input y
  • Let f:{0,1}2n{0,1} be a Boolean function.
  • Alice and Bob wish to compute f(x,y) without leaking any further information on their private inputs.

The players cooperate but do not trust each other.

secure computation example5

The Millionaires’ Problem

x = 100$ ???

x = 999,999,999$ ???

Secure Computation - Example

x

1,000,000,000$

x > y ?

Answer: x < y

slide6

Levels of security:

Computational - adversary is computationally limited

Information theoretic - adversary is computationally unbounded.

“Leak no further information”

Real World

Ideal World

y

x

y

x

f(x,y)

f(x,y)

f(x,y)

h(x)

h(x)

complexity measures and adversary model
Complexity Measures and Adversary Model
  • Important complexity measures:
    • Communication complexity
    • Round complexity
    • Computational complexity
  • Adversary models:
    • Honest but curious – adversary follows the protocol but tries to learn more information
    • Malicious – adversary arbitrarily deviates from the protocol
boolean circuit complexity

0

1

0

1

0

0

0

1

1

0

1

0

0

1

1

0

1

x1

x2

x3

x4

x5

x6

x7

x8

Boolean Circuit Complexity
  • Let f:{0,1}2n  {0,1}
  • We consider digital circuits with the gates {AND, OR, NOT} that compute f in the natural way.
  • circuit size – number of gates
  • circuit depth – max distance from an input wire to output
general result two party yao
General Result – two-party [Yao]

Boolean circuit that computes f(x,y) with size s(n)

implies

secure two party protocol for computing f(x,y) with:

  • communication complexity linear in s(n)
  • 2 rounds.

computational security.

general result multi party bgw ccd
General Result – Multi-Party [BGW, CCD]

Boolean circuit that computes f(x1,...,xk) with size s(n) and depth d(n)

implies

A secure k-party protocol for computing f(x1,...,xk) with:

  • communication complexity linear in s(n)
  • round complexity d(n)
  • Information theoretic security against:
    • Less than k/2 adversarial players – honest but curious
    • Less than k/3 adversarial players – malicious
talk overview11
Talk Overview
  • Secure Computation in General
  • Secure Linear Algebra Based on “Oblivious Gaussian Elimination”
  • Secure Linear Algebra Based on Linearly Recurrent Sequences
  • Recent Developments and Open Problems
linear algebraic functions
Linear Algebraic Functions

Matrix singularity:

  • Alice and Bob hold A ∊Fnxn and B ∊Fnxn respectively, where F is a finite field
  • They wish to (securely) compute whether M=A+B is singular

Efficient secure protocol for singularity leads to efficient protocols for:

    • solving a joint system of equations (linear constraints may contain private information!)
    • computing det(M), char.poly(M), min.poly(M)
    • computing subspaces intersection
    • more...
applying general results
Applying General Results
  • Circuit complexity of matrix singularity is similar to number of multiplications in matrix product.
    • Best known result O(n2.38) [Coppersmith Winograd]
  • Input size is only n2 - trivial non-cryptographic protocol has complexity n2
  • Can we achieve this in a secure protocol?
  • Can we achieve this keeping the round complexity low?
a previous result
A previous result
  • “Secure linear algebra in a constant number of rounds.” [Cramer Damgård]
  • Information theoretic security
  • constant round complexity
  • communication complexity O(n3)
our results
Our results
  • Secure protocol for singularity(A+B) in the computational two party setting with:
    • communication complexity O(n2log n)
    • round complexity O(log n)
  • Recent improvements [Mohassel W]
    • constant round
    • information theoretical security
oblivious gaussian elimination
Oblivious Gaussian Elimination
  • Protocol from [Nissim W]
  • Achieves:
    • communication complexity O(n2log n)
    • round complexity O(n0.275)
  • Cryptographic assumption: public key homomorphic encryption
tool homomorphic encryption
Tool: Homomorphic Encryption
  • Public key encryption scheme
    • Public key PK is published – everybody can encrypt
    • Secret key SK is private – only one can decrypt
  • For
  • Corollary:
  • Example: [Goldwasser Micali] (QR) for F=GF(2).

(with PK only)

initial step
Initial Step

A∊Fnxn

B ∊Fnxn

PK

Generates

+

=

Is M singular?

algorithms on encrypted data
Algorithms on Encrypted Data
  • Bob can locally compute:
  • What about multiplication?

Use Alice!

?

multiplying a vector by a scalar
Multiplying a Vector by a Scalar

Communication complexity is O(n).

gaussian elimination
Find a row that “starts” with a 1.

Swap this row and the top row.

“Eliminate” the leftmost column.

Continue recursively.

Gaussian Elimination
oblivious gaussian elimination24
Oblivious Gaussian Elimination
  • “Find a row that starts with a 1.”
  • “Swap this row and the top row.”

Use Alice!

finding a row starting with a 1

w.h.p

Finding a row starting with a 1

STEP 1: Randomization

  • Bob multiplies E(M) by a random full rank matrix R.

E(M)  R E(M)

  • Set m = log2n
finding a row that starts with a 1

1

Finding a row that starts with a 1

STEP 2: Moving the 1 to the top row.

moving the 1 to the top row
Moving the 1 to the top row.
  • Bob computes E(M[1,1]M1)
    • If M[1,1]=0 Bob gets E(0).
    • If M[1,1]=1 Bob gets E(M1).
  • For every 2 ≤ j ≤ m, Bob computesE(Mj)  E(Mj – M[j,1]M[1,1]M1)
  • Same with E(M2), E(M3), ..., E(Mm)
  • Update E(M1) = E(Mi)
  • Eliminate leftmost column.

1

0

0

1

m

1

0

0

1

0

0

moving the 1 to the top row28

1

1

1

Moving the 1 to the top row.
  • Continue recursively on the lower right submatrix
  • Finally, multiply all diagonal elements. M is singular if and only if the product of the diagonal entries is 1.

1

m

0

0

0

0

communication complexity
Communication Complexity

Single row

One column

Overall

Alice  Bob

Alice  Bob

lazy evaluation
Lazy Evaluation

Send data “on demand”

Memory

Single row

One column

Overall

Alice  Bob

Alice  Bob

talk overview31
Talk Overview
  • Secure Computation in General
  • Secure Linear Algebra Based on “Oblivious Gaussian Elimination”
  • Secure Linear Algebra Based on Linearly Recurrent Sequences
  • Recent Developments and Open Problems
improved round complexity
Improved Round Complexity
  • Protocol from [Kiltz Mohassel W Franklin]
  • Achieves:
    • communication complexity O(n2log n)
    • round complexity O(log n)
  • Setting:
    • Two party with computational security
  • Computational assumption – homomorphic encryption
linearly recurrent sequences
Linearly Recurrent Sequences
  • General idea: apply algorithms designed for sparse matrices for secure computation on general matrices.
  • Assumption – the underlying field is large |F| > nlog n (otherwise – use field extension)
a simple reduction
A Simple Reduction

Randomized approach:

To check if M is singular:

  • Pick a random vector v.
  • Check whether the system Mx = v is solvable.

Not solvable – M is singular.Solvable – with high prob. (1 – 1/|F|), M is non-singular

deciding if mx v is solvable wiedemann
Deciding if Mx = v is Solvable [Wiedemann]
  • Consider the n+1 vectors:

v, Mv, M2v, ..., Mnv

  • There are a=(a0, ..., an) such that

∑aiMiv = 0

  • Linearly recurrent sequences: If ∑aiMiv =0 then for all j:∑aiMi+jv = Mj(∑aiMiv) = Mj0 = 0
deciding if mx v is solvable wiedemann86
Deciding if Mx = v is Solvable [Wiedemann86]
  • For every b=(b0, ..., bn) such that ∑biMiv = 0, consider the polynomial pb(x) = ∑bixi
  • The set of such polynomials forms an ideal in F[x] – the annihilator ideal
  • Minimal polynomial m(x) – the generator of the ideal
the annihilator ideal
The annihilatorideal
  • Let fM(x) be the characteristic polynomial of M.
  • [Cayley Hamilton]: fM(M)=0 → fM(M)v = 0 → fM(x) is in the annihilatorideal →m(x) | fM(x)
  • We will be interested in the constant coefficient of m(x).
the constant coefficient of m x
The Constant Coefficient of m(x)

Claim:

  • Ifm(0)≠ 0 then Mx = v is solvable.
  • If m(0) = 0 then Mx = v is not solvable
the constant coefficient of m x39
The Constant Coefficient of m(x)

Claim:

  • If m(0)≠ 0 then Mx = v is solvable.
  • If m(0) = 0 then Det(M) = 0.

Conclusion:

With probability (1 – 1/|F|):

m(0) = 0 if and only if det(M)=0

proof of the claim i
Proof of the Claim (i)
  • If m(0)≠0 then Mx=v is solvable.
  • m(x) = cnxn+...+c1x+c0
    • where c0=m(0) ≠ 0
  • m(M)v = 0 (m(x) is in the ideal)
    • cnMnv+...+c1Mv+c0v = 0
    • M(cnMn-1v+...+c1v) = -c0v
  • set x = -c0-1(cnMnv+...+c1Mv)
    • Mx = v the system is solvable.
proof of the claim ii
Proof of the Claim (ii)

(ii) If m(0)=0 then Det(M) = 0.

fM(0) = Det(M)

We saw before that m(x) | fM(x).

Hence fM(0)=0 and thus Det(M) = 0 □

berlekamp massey algorithm
Berlekamp/Massey Algorithm
  • We are interested in computing m(0).
  • Berlekamp/Massey algorithm:computes m(x) in O(n log n) operations, given v, Mv, ..., M2n-1v.
    • General idea: the algorithm uses an intermediate result of the extended Euclidean algorithm executed on:
      • x2n
      • a polynomial whose coefficients are the elements uTM0v, uTM1v, ..., uTM2n-1v for some random vector u.
multiplying two matrices
Multiplying two matrices

Communication complexity is O(n2)

secure two party algorithm sketch
Secure Two-Party Algorithm (sketch)

(PK,SK)

E(M)

Next slide: O(log n) rounds,

O(n2 log n) communication

E(Miv)i=0,1,…,2n-1

Yao’s general method applied on Berlekamp/Massey algorithm: O(1) rounds, O(n logn) communication

E(m(x))

Decryption of E(m(0)r) where r is a random number.

m(0) =? 0

computing the sequence e pk m i v
Computing the Sequence EPK(Miv)
  • Bob is given E(M) and computes E(v)
  • Bob computes E(M2^i), i=1...log n
    • log n rounds, n2 log n communication
  • Bob computes:
    • E(Mv)
    • E(M3v|M2v) = E(M2) · E(Mv|v)
    • E(M7v|M6v|M5v|M4v) = E(M4) ·E(M3v|M2v|Mv|v)
  • Finally: E(v), E(Mv), …, E(M2n-1v)
    • O(log n) rounds, O(n2 log n) communication
talk overview47
Talk Overview
  • Secure Computation in General
  • Secure Linear Algebra Based on “Oblivious Gaussian Elimination”
  • Secure Linear Algebra Based on Linearly Recurrent Sequences
  • Recent Developments and Open Problems
recent developements
Recent Developements
  • Protocol from [Mohassel W]
  • For every constant t:
    • communication complexity O(n2+1/t)
    • round complexity t
  • Gives information theoretic security.
  • Based on a reduction to deciding the singularity of Toeplitz matrices.
open problem
Open Problem
  • Secure Linear Algebra
    • Malicious case for two party computation
  • General Secure Computation
    • Understand the relation between circuit complexity and secure protocol complexity of problem.
    • Is linear communication complexity always possible?