Secure Linear Algebra against Covert or Unbounded Adversaries
Payman Mohassel and Enav Weinreb
UC Davis, CWI
Solving Distributed Linear Constraints Privately
Four separately held blocks of linear constraints, A_1 x = b_1, A_2 x = b_2, A_3 x = b_3, A_4 x = b_4; the output is the solution x of the stacked system:
    [A_1; A_2; A_3; A_4] x = [b_1; b_2; b_3; b_4]
Perfect Matching in Bipartite Graphs
• G = (E, V), E = E1 ∪ E2: P1 holds E1 (matrix A_G1), P2 holds E2 (matrix A_G2)
• A_G = A_G1 + A_G2
• Question: Det(A_G1 + A_G2) =? 0
A_G is the adjacency matrix of the graph G with variables replacing the 1's.
Det is non-zero iff G has a perfect matching.
Problem: secure linear algebra computation
  Solving linear systems; computing rank, determinant, ...
Setting: shared n x n matrix/linear system
  Multiparty (honest majority): linear secret sharing
  Two-party: additively homomorphic encryption
Goal: improve round and communication efficiency; defend against stronger adversaries
Current Status
Multiparty
  [CKP07]: constant rounds, O(m^4 + n^2 m) communication for m x n systems (worst case O(n^4) communication); malicious adversaries (honest majority)
  [NW06]: O(n^0.27) rounds, O(n^2) communication; semi-honest adversaries
Two-party
  [KMWF07]: O(log n) rounds, O(n^2 log n) communication; semi-honest adversaries
  Yao's protocol: O(1) rounds, O(n^2.38) communication
Our Protocols
Efficiency: for every constant s, O(s) rounds and O(s n^{2+1/s}) communication; communication sublinear in the circuit complexity
Security: multiparty, malicious adversary (honest majority); two-party, covert adversaries
Approach
1. Reduce linear algebra problems to matrix singularity
2. Reduce general singularity to Toeplitz singularity
3. Reduce Toeplitz singularity to matrix product
4. Design a secure matrix product protocol
Reductions need to be secure and efficient
From Linear Algebra to Singularity
Problems such as solving a linear system of equations, computing the determinant, and computing the rank are all reduced to matrix singularity on the shared matrix, Det([A]) =? 0. The reduction is round and communication preserving.
Approach (continued): step 2, reduce general singularity to Toeplitz singularity.
General to Toeplitz
Theorem: For every positive integer s, there exists an O(s)-round, O(s n^{2+1/s})-communication protocol that securely transforms shares of a general matrix M into shares of a Toeplitz matrix T such that, with high probability, M is singular iff T is.
    M  --(O(s) rounds, O(s n^{2+1/s}) comm.)-->  T,   M is singular iff T is
Minimal Polynomials
All values are over a large finite field F.
Minimal polynomial of a matrix A, written m_A: the smallest-degree polynomial f = (f_0, ..., f_d) with
    f_0 I + f_1 A + ... + f_d A^d = 0
Linearly recurrent sequence {a_i}_{0 ≤ i ≤ N}: its minimal polynomial is the smallest-degree f with
    f_0 a_j + f_1 a_{j+1} + ... + f_d a_{j+d} = 0   for every j with j + d ≤ N
General to Toeplitz
Generate random matrices V, W over F and compute M' = VMW.
  Lemma ([KS91]): w.h.p., the upper-left i x i submatrices of M' are invertible (for i ≤ rank(M)).
Generate a random diagonal matrix D and compute M'' = DM'.
  Lemma ([KS91]): w.h.p., rank(M') = deg(m_{M''}) - 1.
Compute the sequence {a_i = u^T (M'')^i v}_{1 ≤ i ≤ 2n} for random vectors u, v.
  Lemma ([Wei86]): w.h.p., the minimal polynomial of {a_i} is equal to m_{M''}.
General to Toeplitz
Lemma ([KP91]): Det(T_d) ≠ 0, and for all i with d < i, Det(T_i) = 0,
where d = degree of the minimal polynomial of {a_i}.
T_n is singular iff M is.
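The chain of slides 11 to 13 (and the matching motivation of slide 3) carried out in the clear over GF(p), as an added example that is not code from the paper: the Edmonds matrix of a constructed bipartite graph is the input M, the preconditioning M'' = D V M W and the sequence a_i = u^T (M'')^i v are computed directly, Berlekamp-Massey recovers the minimal polynomial of the sequence, and the Toeplitz matrix T_n is tested for singularity alongside M. The field p = 2^31 - 1, the graphs, and the Toeplitz layout T_n[i][j] = a_{n+i-j} (the Hankel matrix of the sequence with its columns reversed; the slide's own figure is not in the text) are assumptions of this example. No secret sharing is involved: the point is the algebra whose steps the protocol performs on shares.

```python
import random

P = 2_147_483_647  # the large finite field F = GF(p), here p = 2^31 - 1 (constructed choice)


def det_mod_p(M):
    """Determinant over GF(p) by Gaussian elimination; 0 means M is singular."""
    A = [row[:] for row in M]
    n, det = len(A), 1
    for c in range(n):
        piv = next((r for r in range(c, n) if A[r][c] % P), None)
        if piv is None:
            return 0
        if piv != c:
            A[c], A[piv] = A[piv], A[c]
            det = -det
        det = det * A[c][c] % P
        inv = pow(A[c][c], -1, P)
        for r in range(c + 1, n):
            f = A[r][c] * inv % P
            if f:
                A[r] = [(x - f * y) % P for x, y in zip(A[r], A[c])]
    return det % P


def edmonds_matrix(n, edges, rng):
    """Slide 3: adjacency matrix of a balanced bipartite graph with every 1
    replaced by a variable; here each variable gets a random field element,
    so Det != 0 w.h.p. exactly when a perfect matching exists."""
    M = [[0] * n for _ in range(n)]
    for i, j in edges:  # edge from left vertex i to right vertex j (constructed input)
        M[i][j] = rng.randrange(1, P)
    return M


def has_perfect_matching(n, edges, seed=1):
    return det_mod_p(edmonds_matrix(n, edges, random.Random(seed))) != 0


def matmul(A, B):
    n = len(A)
    return [[sum(A[i][k] * B[k][j] for k in range(n)) % P for j in range(n)]
            for i in range(n)]


def berlekamp_massey(s):
    """Minimal polynomial of a linearly recurrent sequence over GF(p) (slide 11).
    Returns (d, [f_0, ..., f_d]) with f_d = 1 and
    f_0 a_j + f_1 a_{j+1} + ... + f_d a_{j+d} = 0 for every j."""
    C, B, L, m, b = [1], [1], 0, 1, 1
    for i, s_i in enumerate(s):
        disc = (s_i + sum(C[j] * s[i - j] for j in range(1, L + 1))) % P
        if disc == 0:
            m += 1
            continue
        T, coef = C[:], disc * pow(b, -1, P) % P
        C += [0] * max(0, len(B) + m - len(C))
        for j, bj in enumerate(B):
            C[j + m] = (C[j + m] - coef * bj) % P
        if 2 * L <= i:
            L, B, b, m = i + 1 - L, T, disc, 1
        else:
            m += 1
    C = C[:L + 1]  # recurrence: a_i + C[1] a_{i-1} + ... + C[L] a_{i-L} = 0
    return L, [C[L - k] for k in range(L + 1)]


def general_to_toeplitz(M, rng):
    """Slides 12-13 in the clear: M' = V M W, M'' = D M', a_i = u^T (M'')^i v for
    1 <= i <= 2n, d = deg of the minimal polynomial of {a_i}, and the Toeplitz
    matrix T_n with entries a_{n+i-j} (assumed layout). Returns (d, T_n)."""
    n = len(M)

    def rand(rows, cols):
        return [[rng.randrange(P) for _ in range(cols)] for _ in range(rows)]

    V, W = rand(n, n), rand(n, n)
    D = [[rng.randrange(1, P) if i == j else 0 for j in range(n)] for i in range(n)]
    M2 = matmul(D, matmul(V, matmul(M, W)))  # M'' = D V M W
    u, w = rand(1, n)[0], rand(1, n)[0]      # random vectors u and v (w starts as v)
    a = []
    for _ in range(2 * n):
        w = [sum(x * y for x, y in zip(row, w)) % P for row in M2]  # w <- M'' w
        a.append(sum(x * y for x, y in zip(u, w)) % P)             # a_i = u^T (M'')^i v
    d, _ = berlekamp_massey(a)
    T = [[a[n + i - j - 1] for j in range(n)] for i in range(n)]  # T[i][j] = a_{n+i-j}
    return d, T


def demo(n, edges, seed=3):
    """Run the reduction on the Edmonds matrix of a constructed graph. Returns
    (M singular?, T_n singular?, d); the flags agree w.h.p. and d = rank(M) w.h.p."""
    rng = random.Random(seed)
    M = edmonds_matrix(n, edges, rng)
    d, T = general_to_toeplitz(M, rng)
    return det_mod_p(M) == 0, det_mod_p(T) == 0, d
```

The singular direction is exact: once the sequence satisfies a recurrence of order d, every column of T_n beyond the first d is a combination of earlier ones, so rank(T_n) ≤ d. The nonsingular direction and the equality d = rank(M) are the "w.h.p." parts of the three lemmas; over a field of size 2^31 - 1 the failure probability per run is on the order of n/p.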
Approach (continued): step 3, reduce Toeplitz singularity to matrix product.
Toeplitz to Matrix Product
Compute the traces of T^1, ..., T^n, denoted s_1, ..., s_n.
Then use Leverrier's Lemma to compute the characteristic polynomial of T.
Test whether c_1 is 0.
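Leverrier's step on a concrete Toeplitz matrix, as an added example rather than the paper's code: the power traces s_k = tr(T^k) are obtained here by plain repeated products (where the protocol obtains them from secure matrix products), the Newton identities turn them into the coefficients of the characteristic polynomial, and the singularity test reads off the constant coefficient, which equals (-1)^n det(T). The field p = 2^31 - 1 and the sample matrices are assumptions of this example; the coefficient numbering is this example's own (c_0 is the constant term; the slide calls the tested coefficient c_1 in its own numbering). Leverrier divides by k for k ≤ n, so the field characteristic must exceed n.

```python
P = 2_147_483_647  # GF(p), p = 2^31 - 1; Leverrier divides by k <= n, so p > n is required


def toeplitz(first_col, first_row):
    """Toeplitz matrix from its first column and first row (they share entry 0)."""
    n = len(first_col)
    return [[first_col[i - j] if i >= j else first_row[j - i] for j in range(n)]
            for i in range(n)]


def matmul(A, B):
    n = len(A)
    return [[sum(A[i][k] * B[k][j] for k in range(n)) % P for j in range(n)]
            for i in range(n)]


def trace(A):
    return sum(A[i][i] for i in range(len(A))) % P


def power_traces(T):
    """s_1, ..., s_n with s_k = tr(T^k), by repeated products (in the clear)."""
    n, Tk, s = len(T), T, []
    for _ in range(n):
        s.append(trace(Tk))
        Tk = matmul(Tk, T)
    return s


def leverrier(s):
    """Leverrier's lemma (Newton identities) over GF(p): for the characteristic
    polynomial x^n + c_{n-1} x^{n-1} + ... + c_0,
        k * c_{n-k} = -(s_k + c_{n-1} s_{k-1} + ... + c_{n-k+1} s_1),  1 <= k <= n.
    Returns [c_0, ..., c_{n-1}]."""
    n = len(s)
    c = [0] * n
    for k in range(1, n + 1):
        acc = s[k - 1]
        for j in range(1, k):
            acc += c[n - j] * s[k - j - 1]
        c[n - k] = -acc * pow(k, -1, P) % P
    return c


def det_from_traces(T):
    """det(T) = (-1)^n c_0, so T is singular iff the constant coefficient is 0."""
    n = len(T)
    c0 = leverrier(power_traces(T))[0]
    return (-c0 if n % 2 else c0) % P


def is_singular(T):
    return det_from_traces(T) == 0
```

For the constructed matrix T = toeplitz([2, 3, 0], [2, 1, 0]) the traces are 6, 24, 96, the characteristic polynomial is x^3 - 6x^2 + 6x + 4, and det(T) = -4; the all-ones 3 x 3 Toeplitz matrix has traces 3, 9, 27 and characteristic polynomial x^3 - 3x^2, so its constant coefficient is 0 and it is reported singular.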
Toeplitz to Matrix Product
For any Toeplitz matrix T we have (formula shown only in the slide figure), where u^T = (u_1, ..., u_n) and v^T = (v_1, ..., v_n) are the first and last columns of X.
The trace of X contains the traces of the powers of T.
Toeplitz to Matrix Product
e_1 = (1, 0, ..., 0)^T, e_n = (0, ..., 0, 1)^T
{u_i = T^i e_1}, {v_i = T^i e_n}
Secure Computation of {M^i v}_{1 ≤ i ≤ 2n}
[CKP07]: secure computation of POW_d(M) = {I, M, ..., M^d} reduced to O(d) matrix products.
A baby-step, giant-step algorithm: given an O(n^2)-communication secure matrix product, O(s) rounds and O(s n^{2+1/s}) communication.
Approach (continued): step 4, design a secure matrix product protocol.
Multiparty Matrix Product
A and B are shared using a linear secret sharing scheme; the parties compute shares of C = AB.
Implicit in existing works [CDM00], using distributed homomorphic commitments: a constant-round protocol with O(n^2) communication, secure against malicious adversaries.
Two-Party Matrix Product
Inputs:  Alice holds A1, A2;  Bob holds B1, B2
Outputs: Alice: C;  Bob: (A1+B1)(A2+B2)+C
Protocol:
  Bob sends E_Bob(B1), E_Bob(B2) to Alice.
  Alice computes and sends E_Bob((A1+B1)(A2+B2)+C) to Bob.
Only secure against semi-honest adversaries.
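The semi-honest two-party product above, played out end to end, as an added example and not the authors' implementation: E_Bob is instantiated with a toy Paillier key built from two small fixed primes (an assumption of this example; real keys use far larger primes), so ciphertexts can be added and multiplied by plaintext scalars, which is exactly what Alice needs to form A1·A2 + A1·B2 + B1·A2 + C under Bob's key. Two conventions are this example's own: Alice keeps -C as her share so that the two shares add up to (A1+B1)(A2+B2), and the B1·B2 term, which an additively homomorphic scheme cannot produce from two ciphertexts, is added by Bob after decryption. Entries live in Z_n for the Paillier modulus n.

```python
import math
import random

# Bob's Paillier key pair from small fixed primes (constructed so the example
# runs instantly; this is not a secure key size).
PRIME_P, PRIME_Q = 104729, 1299709
N = PRIME_P * PRIME_Q
N2 = N * N
LAM = (PRIME_P - 1) * (PRIME_Q - 1) // math.gcd(PRIME_P - 1, PRIME_Q - 1)  # lcm(p-1, q-1)
MU = pow(LAM, -1, N)  # with g = n+1, L(g^lambda mod n^2) = lambda


def enc(m, rng):
    """E_Bob(m) = (1+n)^m * r^n mod n^2; additively homomorphic in m."""
    while True:
        r = rng.randrange(1, N)
        if math.gcd(r, N) == 1:
            return (1 + (m % N) * N) * pow(r, N, N2) % N2


def dec(c):
    """Bob's decryption: L(c^lambda mod n^2) * mu mod n, with L(x) = (x-1)/n."""
    return (pow(c, LAM, N2) - 1) // N * MU % N


def add(c1, c2):
    """E(a) * E(b) = E(a + b)."""
    return c1 * c2 % N2


def smul(c, k):
    """E(a)^k = E(k * a) for a plaintext scalar k known to Alice."""
    return pow(c, k % N, N2)


def matmul(A, B):
    n = len(A)
    return [[sum(A[i][k] * B[k][j] for k in range(n)) % N for j in range(n)]
            for i in range(n)]


def matadd(A, B):
    return [[(x + y) % N for x, y in zip(ra, rb)] for ra, rb in zip(A, B)]


def rand_matrix(n, rng):
    return [[rng.randrange(N) for _ in range(n)] for _ in range(n)]


def two_party_matrix_product(A1, A2, B1, B2, rng):
    """Alice holds A1, A2 and Bob holds B1, B2 (additive shares of X = A1+B1 and
    Y = A2+B2). Returns (Alice's share, Bob's share) of XY; both parties are
    played by this one function."""
    n = len(A1)
    # Bob -> Alice: E_Bob(B1), E_Bob(B2), entry by entry.
    EB1 = [[enc(x, rng) for x in row] for row in B1]
    EB2 = [[enc(x, rng) for x in row] for row in B2]
    # Alice: pick a random mask C and build E_Bob(A1*A2 + A1*B2 + B1*A2 + C)
    # using only ciphertext additions and plaintext scalar multiplications.
    C = rand_matrix(n, rng)
    A1A2 = matmul(A1, A2)
    EZ = []
    for i in range(n):
        row = []
        for j in range(n):
            c = enc(A1A2[i][j] + C[i][j], rng)
            for k in range(n):
                c = add(c, smul(EB2[k][j], A1[i][k]))  # A1[i][k] * B2[k][j]
                c = add(c, smul(EB1[i][k], A2[k][j]))  # B1[i][k] * A2[k][j]
            row.append(c)
        EZ.append(row)
    # Bob: decrypt, then add B1*B2, which only he can compute (assumption of this
    # example: the additive scheme cannot multiply two ciphertexts).
    bob_share = matadd([[dec(c) for c in row] for row in EZ], matmul(B1, B2))
    alice_share = [[(-x) % N for x in row] for row in C]  # Alice keeps -C
    return alice_share, bob_share


def demo(n=3, seed=7):
    """Shares must add up to (A1+B1)(A2+B2) mod n (constructed random inputs)."""
    rng = random.Random(seed)
    A1, A2, B1, B2 = (rand_matrix(n, rng) for _ in range(4))
    alice, bob = two_party_matrix_product(A1, A2, B1, B2, rng)
    return matadd(alice, bob) == matmul(matadd(A1, B1), matadd(A2, B2))


def homomorphic_check(seed=1):
    """The two homomorphic operations Alice relies on: 5 + 7 and 3 * 5."""
    rng = random.Random(seed)
    return dec(add(enc(5, rng), enc(7, rng))), dec(smul(enc(5, rng), 3))
```

Communication is one ciphertext per entry of B1, B2 and of the result, i.e. O(n^2) ciphertexts, which is the cost the baby-step, giant-step bound on the earlier slide assumes. The semi-honest limitation is visible in the code: nothing stops Alice from encrypting an arbitrary matrix instead of the prescribed expression, which is what the cut-and-choose construction on the next slide addresses.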
Two-Party Matrix Product against Covert Adversaries
• Break each matrix into random additive shares
• Perform many matrix product protocols on the shares
• Reveal all but one for verification
Simulation-based security against covert adversaries
Open Questions
• Fully malicious adversaries, with the same efficiency?
• Sparse or structured matrices: how efficient can we get?