Secure Computation of Linear Algebraic Functions
Enav Weinreb – CWI, Amsterdam
Joint work with: Matt Franklin, Eike Kiltz, Payman Mohassel
and Kobbi Nissim
Talk Overview
Secure Computation in General Secure Linear Algebra Based on
“Oblivious Gaussian Elimination” Secure Linear Algebra Based on Linearly
Recurrent Sequences Recent Developments and Open
Problems
Secure Computation
Alice has an input x Bob has an input y Let f:{0,1}2n{0,1} be a Boolean function. Alice and Bob wish to compute f(x,y) without
leaking any further information on their private inputs.
The players cooperate but do not trust each other.
Secure Computation - Example
yx
x > y ?
The Millionaires’ Problem
The Millionaires’ Problem
1,000,000,000$
Secure Computation - Example
x
x > y ?
Answer: x < y
x = 100$ ???
x = 999,999,999$ ???
Real WorldIdeal World
xxy y
f(x,y)
f(x,y)f(x,y)
h(x)h(x)
Levels of security:Computational - adversary is computationally limitedInformation theoretic - adversary is computationally unbounded.“Leak no further information”
Complexity Measures and Adversary Model
Important complexity measures:• Communication complexity
• Round complexity
• Computational complexity Adversary models:
• Honest but curious – adversary follows the protocol but tries to learn more information
• Malicious – adversary arbitrarily deviates from the protocol
Boolean Circuit Complexity
Let f:{0,1}2n {0,1} We consider digital circuits with the
gates {AND, OR, NOT} that compute f in the natural way.
circuit size – number of gates circuit depth – max distance from
an input wire to output 00 00 1 11 1
0 0 1 1
10
01
0
x1 x2 x3 x4 x5 x6 x7 x8
General Result – two-party [Yao]
Boolean circuit that computes f(x,y) with size s(n)
impliessecure two party protocol for computing f(x,y)
with: communication complexity linear in s(n) 2 rounds.computational security.
General Result – Multi-Party [BGW, CCD]
Boolean circuit that computes f(x1,...,xk) with size s(n) and depth d(n)
impliesA secure k-party protocol for computing f(x1,...,xk)
with: communication complexity linear in s(n) round complexity d(n) Information theoretic security against:
• Less than k/2 adversarial players – honest but curious• Less than k/3 adversarial players – malicious
Talk Overview
Secure Computation in General Secure Linear Algebra Based on
“Oblivious Gaussian Elimination” Secure Linear Algebra Based on Linearly
Recurrent Sequences Recent Developments and Open
Problems
Linear Algebraic Functions
Matrix singularity: Alice and Bob hold A ∊ Fnxn and B ∊ Fnxn respectively,
where F is a finite field They wish to (securely) compute whether M=A+B is
singularEfficient secure protocol for singularity leads to efficient
protocols for:• solving a joint system of equations (linear constraints may
contain private information!)• computing det(M), char.poly(M), min.poly(M)• computing subspaces intersection• more...
Applying General Results
Circuit complexity of matrix singularity is similar to number of multiplications in matrix product.• Best known result O(n2.38) [Coppersmith Winograd]
Input size is only n2 - trivial non-cryptographic protocol has complexity n2
Can we achieve this in a secure protocol? Can we achieve this keeping the round complexity
low?
A previous result
“Secure linear algebra in a constant number of rounds.” [Cramer Damgård]
Information theoretic security constant round complexity communication complexity O(n3)
Our results
Secure protocol for singularity(A+B) in the computational two party setting with:
• communication complexity O(n2log n)
• round complexity O(log n)
Recent improvements [Mohassel W]
• constant round
• information theoretical security
Oblivious Gaussian Elimination
Protocol from [Nissim W] Achieves:
• communication complexity O(n2log n)
• round complexity O(n0.275) Cryptographic assumption: public key
homomorphic encryption
Tool: Homomorphic Encryption Public key encryption scheme
• Public key PK is published – everybody can encrypt• Secret key SK is private – only one can decrypt
For
Corollary:
Example: [Goldwasser Micali] (QR) for F=GF(2).
Fcba ,,
)(E ba )(E a )(E b)(E ac )(E ca
)(E vc )(E vc
)(E 2M1M )(E 21MM
(with PK only)
Initial Step
),( SKPKGenerates
)(E APK
)(E MPK
A ∊ Fnxn B ∊ Fnxn
)(E BPK+ =
Is M singular?
PK
Algorithms on Encrypted Data
Bob can locally compute:
What about multiplication?
)(E ba )(E a )(E b
)(E ac )(E ca
)(E vc )(E vc
)(E 2M1M )(E 21MM
Use Alice!
? )(E ab)(E a )(E b
Multiplication
)(E
)(E
b
a
PK
PK
ba rr ,Chooses random
)))(((E baPK rbra PK
PK
E
E
)(
)(
b
a
rb
ra
)))(((E baPK rbra )(E bPK ar
)(E braPK)(E abPK)(E baPK rr
),( SKPK
Multiplying a Vector by a Scalar
)(E
)(E
v
a
PK
PK),( SKPK
Communication complexity is O(n).
)(E vaPK
Encrypted Matrix Singularity (reminder)
),( SKPK
Is singular?M
)(E MPK
Find a row that “starts” with a 1.
Swap this row and the top row.
“Eliminate” the leftmost column.
Continue recursively.
0111
1110
Gaussian Elimination0010
1001
1010
1001
Oblivious Gaussian Elimination
)(E)(E
)(E)(E
)(E
PK1PK
1PK11PK
kkk
k
PK
MM
MM
M
“Find a row that starts with a 1.” “Swap this row and the top row.”
),( SKPK
Use Alice!
STEP 1: Randomization Bob multiplies E(M) by a random full rank matrix
R.
E(M) R E(M) Set m = log2n
RM
Finding a row starting with a 1
M
1
1m
w.h.p
Finding a row that starts with a 1
STEP 2: Moving the 1 to the top row.
m1
M
m1
M
Moving the 1 to the top row.
Bob computes E(M[1,1]M1)
• If M[1,1]=0 Bob gets E(0).
• If M[1,1]=1 Bob gets E(M1). For every 2 ≤ j ≤ m, Bob computes
E(Mj) E(Mj – M[j,1]M[1,1]M1) Same with E(M2), E(M3), ..., E(Mm)
Update E(M1) = E(Mi) Eliminate leftmost column.
0011010
)0(E
)(E 3M)0(E
0
0
m
i 1
1
m
M
Moving the 1 to the top row.
Continue recursively on the lower right submatrix Finally, multiply all diagonal elements.
M is singular if and only if the product of the diagonal entries is 1.
0
0
0
1
M0
11
1
m
)(nO )( 2nO )( 2nO
Communication Complexity
)]1,[(E ]1,[ jMrjM )))(]1,[((E
11]1,[ MjM rMrjM
Single row One column
Alice Bob
Alice Bob
)(nO
)(nO )( 2nO
)(E11 MrM
Overall
)( 3nO
)( 3nO
)( 2nO)(nO
Lazy Evaluation
Single row One column
Alice Bob
Alice Bob
)(nO
)(nO )( 2nO
)(nO
Overall
)( 3nO
)( 2nO
Memory
Send data “on demand”
Talk Overview
Secure Computation in General Secure Linear Algebra Based on
“Oblivious Gaussian Elimination” Secure Linear Algebra Based on Linearly
Recurrent Sequences Recent Developments and Open
Problems
Improved Round Complexity
Protocol from [Kiltz Mohassel W Franklin] Achieves:
• communication complexity O(n2log n)
• round complexity O(log n) Setting:
• Two party with computational security Computational assumption – homomorphic
encryption
Linearly Recurrent Sequences
General idea: apply algorithms designed for sparse matrices for secure computation on general matrices.
Assumption – the underlying field is large |F| > nlog n
(otherwise – use field extension)
A Simple Reduction
Randomized approach:
To check if M is singular:
• Pick a random vector v.
• Check whether the system Mx = v is solvable.
Not solvable – M is singular.Solvable – with high prob. (1 – 1/|F|), M is non-singular
Deciding if Mx = v is Solvable [Wiedemann]
Consider the n+1 vectors:
v, Mv, M2v, ..., Mnv There are a=(a0, ..., an) such that
∑aiMiv = 0 Linearly recurrent sequences:
If ∑aiMiv =0 then for all j:
∑aiMi+jv = Mj(∑aiMiv) = Mj0 = 0
Deciding if Mx = v is Solvable [Wiedemann86]
For every b=(b0, ..., bn) such that ∑biMiv = 0, consider the polynomial pb(x) = ∑bixi
The set of such polynomials forms an ideal in F[x] – the annihilator ideal
Minimal polynomial m(x) – the generator of the ideal
The annihilator ideal Let fM(x) be the characteristic polynomial of M.
[Cayley Hamilton]: fM(M)=0 → fM(M)v = 0 → fM(x) is in the annihilator ideal → m(x) | fM(x)
We will be interested in the constant coefficient of m(x).
The Constant Coefficient of m(x)
Claim:
(i) If m(0) ≠ 0 then Mx = v is solvable.
(ii) If m(0) = 0 then Mx = v is not solvable
The Constant Coefficient of m(x)
Claim:
(i) If m(0) ≠ 0 then Mx = v is solvable.
(ii) If m(0) = 0 then Det(M) = 0.
Conclusion:
With probability (1 – 1/|F|):
m(0) = 0 if and only if det(M)=0
Proof of the Claim (i)
(i) If m(0)≠0 then Mx=v is solvable. m(x) = cnxn+...+c1x+c0
• where c0=m(0) ≠ 0 m(M)v = 0 (m(x) is in the ideal)
• cnMnv+...+c1Mv+c0v = 0
• M(cnMn-1v+...+c1v) = -c0v
set x = -c0-1(cnMnv+...+c1Mv)
• Mx = v the system is solvable.
Proof of the Claim (ii)
(ii) If m(0)=0 then Det(M) = 0.
fM(0) = Det(M)
We saw before that m(x) | fM(x).
Hence fM(0)=0 and thus Det(M) = 0 □
Berlekamp/Massey Algorithm
We are interested in computing m(0). Berlekamp/Massey algorithm:
computes m(x) in O(n log n) operations, given v, Mv, ..., M2n-1v.
• General idea: the algorithm uses an intermediate result of the extended Euclidean algorithm executed on:• x2n
• a polynomial whose coefficients are the elements uTM0v, uTM1v, ..., uTM2n-1v for some random vector u.
And now: the protocol
Multiplying two matrices
)(E
)(E
B
A),( SKPK
Communication complexity is O(n2)
)(E AB
Secure Two-Party Algorithm (sketch)
E (M)(PK,SK)
E(Miv)i=0,1,…,2n-1
E(m(x))
m(0) =? 0
Yao’s general method applied on Berlekamp/Massey algorithm: O(1) rounds, O(n logn) communication
Yao’s general method applied on Berlekamp/Massey algorithm: O(1) rounds, O(n logn) communication
Decryption of E(m(0)r) where r is a random number.
Decryption of E(m(0)r) where r is a random number.
Next slide: O(log n) rounds,
O(n2 log n) communication
Next slide: O(log n) rounds,
O(n2 log n) communication
Computing the Sequence EPK(Miv)
1. Bob is given E(M) and computes E(v)
2. Bob computes E(M2^i), i=1...log n• log n rounds, n2 log n communication
3. Bob computes:• E(Mv)
• E(M3v|M2v) = E(M2) · E(Mv|v)
• E(M7v|M6v|M5v|M4v) = E(M4) ·E(M3v|M2v|Mv|v)
4. Finally: E(v), E(Mv), …, E(M2n-1v)
• O(log n) rounds, O(n2 log n) communication
Talk Overview
Secure Computation in General Secure Linear Algebra Based on
“Oblivious Gaussian Elimination” Secure Linear Algebra Based on Linearly
Recurrent Sequences Recent Developments and Open
Problems
Recent Developements
Protocol from [Mohassel W] For every constant t:
• communication complexity O(n2+1/t)
• round complexity t Gives information theoretic security. Based on a reduction to deciding the singularity of
Toeplitz matrices.
Open Problem
Secure Linear Algebra
• Malicious case for two party computation General Secure Computation
• Understand the relation between circuit complexity and secure protocol complexity of problem.
• Is linear communication complexity always possible?