Secure Linear Algebra against Covert or Unbounded Adversaries, by Payman Mohassel and Enav Weinreb (UC Davis, CWI)


Page 1: Title

Secure Linear Algebra against Covert or Unbounded Adversaries

Payman Mohassel and Enav Weinreb

UC Davis, CWI

Page 2: Solving Distributed Linear Constraints Privately

Four parties each hold one block of a linear system: party i knows A_i and b_i, with A_i x = b_i. Together they want to compute, and output only, the solution x of the stacked system

  [A1; A2; A3; A4] x = [b1; b2; b3; b4]

(A1 .. A4 stacked vertically on the left, b1 .. b4 stacked on the right), without revealing their individual blocks.

Page 3: Perfect Matching in Bipartite Graphs

• G = (V, E), with the edge set split between two parties: E = E1 ∪ E2, where P1 holds E1 and P2 holds E2
• A_G = A_G1 + A_G2: A_G is the adjacency matrix of G with variables replacing the 1's, and each party can form its own A_Gi locally from its edges
• Question: Det(A_G1 + A_G2) =? 0
• Det is non-zero iff G has a perfect matching
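As an added worked example (not from the slides or from the authors' implementation), here is the page 3 test run in the clear over a prime field: each party builds its own A_Gi by replacing every 1 of its adjacency matrix with a random field element, the matrices are added, and the determinant of the sum is compared against a brute-force matching search. The field, the graph and the split of edges between P1 and P2 are constructed for the demo; replacing the symbolic variables by random values is the usual randomized instantiation of the determinant criterion (Schwartz-Zippel), not something the slide spells out.

```python
import itertools
import random

# Constructed parameters: a large prime field F_p stands in for the "large finite field F"
# of the slides; the graph and the edge split between P1 and P2 are made up for this demo.
P = 2_147_483_647  # 2^31 - 1


def party_matrix(n, edges, rng):
    """One party's contribution A_Gi: the adjacency matrix of its own edge set with every 1
    replaced by a fresh random field element (a random evaluation of the symbolic matrix)."""
    A = [[0] * n for _ in range(n)]
    for left, right in edges:
        A[left][right] = rng.randrange(1, P)
    return A


def mat_add(A, B):
    # A_G = A_G1 + A_G2; an edge held by both parties simply gets the sum of two random values
    return [[(a + b) % P for a, b in zip(ra, rb)] for ra, rb in zip(A, B)]


def det_mod_p(M):
    """Determinant over F_p by Gaussian elimination with modular inverses."""
    A = [row[:] for row in M]
    n, det = len(A), 1
    for col in range(n):
        piv = next((r for r in range(col, n) if A[r][col]), None)
        if piv is None:
            return 0
        if piv != col:
            A[col], A[piv] = A[piv], A[col]
            det = -det
        det = det * A[col][col] % P
        inv = pow(A[col][col], P - 2, P)
        for r in range(col + 1, n):
            f = A[r][col] * inv % P
            if f:
                A[r] = [(x - f * y) % P for x, y in zip(A[r], A[col])]
    return det % P


def has_perfect_matching_bruteforce(n, edges):
    """Reference answer: try every bijection from the left side to the right side."""
    edge_set = set(edges)
    return any(all((i, perm[i]) in edge_set for i in range(n))
               for perm in itertools.permutations(range(n)))


def matching_via_determinant(n, edges_p1, edges_p2, seed=7):
    """Det(A_G1 + A_G2) != 0 certifies a perfect matching in G = (V, E1 u E2).
    Det == 0 means 'no perfect matching', wrongly only with probability about n/P."""
    rng = random.Random(seed)
    A_G = mat_add(party_matrix(n, edges_p1, rng), party_matrix(n, edges_p2, rng))
    return det_mod_p(A_G) != 0


if __name__ == "__main__":
    # Constructed instance: bipartite graph on 3 + 3 vertices, edges split between P1 and P2.
    with_match = ([(0, 0), (1, 1)], [(2, 2), (0, 1)])
    without = ([(0, 0), (1, 0)], [(2, 0), (0, 1)])  # right vertex 2 has no edge at all
    for p1, p2 in (with_match, without):
        print(matching_via_determinant(3, p1, p2), has_perfect_matching_bruteforce(3, p1 + p2))
```

A non-zero determinant is a proof that a perfect matching exists (some permutation term survived), while a zero determinant is a probabilistic "no": the symbolic determinant has degree n, so a random evaluation over F_p vanishes by accident with probability at most n/P. In the protocol of the slides the same determinant is evaluated on shares of A_G1 + A_G2 rather than in the clear, which is exactly what the singularity reductions on the following pages are for.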

Page 4: Problem, Setting, Goal

Problem: secure linear algebra computation
• Solving linear systems
• Computing rank, determinant, …

Setting: a shared n x n matrix / linear system
• Multiparty (honest majority): linear secret sharing
• Two-party: additive homomorphic encryption

Goal
• Improve round and communication efficiency
• Defend against stronger adversaries

Page 5: Current Status

Multiparty
• [CKP07]: constant rounds, O(m^4 + n^2 m) communication for m x n systems (worst case O(n^4) communication); malicious adversaries (honest majority)
• [NW06]: O(n^0.27) rounds, O(n^2) communication; semi-honest adversaries

Two-party
• [KMWF07]: O(log n) rounds, O(n^2 log n) communication; semi-honest adversaries
• Yao's protocol: O(1) rounds, O(n^2.38) communication

Page 6: Our Protocols

Efficiency
• For every constant s: O(s) rounds, O(s·n^(2+1/s)) communication
• Sublinear communication in the circuit complexity

Security
• Multiparty: malicious adversary (honest majority)
• Two-party: covert adversaries

Page 7: Approach

1. Reduce linear algebra problems to matrix singularity

2. Reduce general singularity to Toeplitz singularity

3. Reduce Toeplitz singularity to matrix product

4. Design a secure matrix product protocol

Reductions need to be secure and efficient

Page 8: From Linear Algebra to Singularity

Problems such as
• solving a linear system of equations
• computing the determinant
• computing the rank

are reduced to matrix singularity, i.e. to deciding Det([A]) =? 0 on the shared matrix [A]. The reductions are round- and communication-preserving.

Page 9: Approach (recap)

1. Reduce linear algebra problems to matrix singularity

2. Reduce general singularity to Toeplitz singularity

3. Reduce Toeplitz singularity to matrix product

4. Design a secure matrix product protocol

Page 10: General to Toeplitz

Theorem: For every positive integer s, there exists an O(s)-round, O(s·n^(2+1/s))-communication protocol that securely transforms shares of a general matrix M into shares of a Toeplitz matrix T such that, with high probability, M is singular iff T is.

M  -->  T  in O(s) rounds and O(s·n^(2+1/s)) communication, with M singular iff T is

Page 11: Minimal Polynomials

All values are over a large finite field F.

Minimal polynomial of a matrix A, written m_A: the smallest-degree polynomial f = (f_0, …, f_d) with
  f_0 I + f_1 A + … + f_d A^d = 0

Minimal polynomial f of a linearly recurrent sequence {a_i}_{0 ≤ i ≤ N}: the smallest-degree f with, for every j,
  f_0 a_j + f_1 a_{j+1} + … + f_d a_{j+d} = 0

Page 12: General to Toeplitz

• Generate random matrices V, W over F and compute M' = V M W.
  Lemma ([KS91]): w.h.p., the upper-left i x i submatrices of M' are invertible (for i ≤ Rank(M)).
• Generate a random diagonal matrix D and compute M'' = D M'.
  Lemma ([KS91]): w.h.p., rank(M') = deg(m_M'') - 1.
• Compute the sequence {a_i = u^t (M'')^i v}_{1 ≤ i ≤ 2n} for random vectors u, v.
  Lemma ([Wei86]): w.h.p., the minimal polynomial of {a_i} is equal to m_M''.

Page 13: General to Toeplitz

Lemma ([KP91]): Det(T_d) ≠ 0, and for all d < …, Det(T_…) = 0, where d = degree of the minimal polynomial of {a_i}.

T_n is singular iff M is.

Page 14: General to Toeplitz (the three steps of page 12, shown again)

Page 15: Approach (recap)

1. Reduce linear algebra problems to matrix singularity

2. Reduce general singularity to Toeplitz singularity

3. Reduce Toeplitz singularity to matrix product

4. Design a secure matrix product protocol

Page 16: Toeplitz to Matrix Product

• Compute the traces of T^1, …, T^n, denoted s_1, …, s_n.
• Then use Leverrier's Lemma to compute the characteristic polynomial of T from s_1, …, s_n.
• Test whether c_1 is 0.
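The following added example (mine, not code from the slides or the authors) runs the whole chain of pages 11 to 13 and page 16 in the clear over a prime field: precondition M as M'' = D·V·M·W, form the sequence a_i = u^t (M'')^i v for 1 ≤ i ≤ 2n, recover the minimal polynomial of the sequence with Berlekamp-Massey, build Toeplitz matrices T_k from the sequence, and decide singularity of each T_k from its characteristic polynomial via Leverrier's lemma (Newton's identities) instead of a determinant routine. Assumptions beyond the slides: the field is F_p with p = 2^31 - 1, the test matrices and seed are constructed, T_k is laid out as T_k[i][j] = a_{k+i-j} (the Hankel matrix [a_{1+i+j}] with reversed columns, singular exactly when that is), and the characteristic polynomial is indexed x^k + c_1 x^(k-1) + … + c_k, so the coefficient tested for zero is c_k here (the slide calls it c_1).

```python
import random

# Constructed parameters: F_p with p = 2^31 - 1 stands in for the slides' large field F;
# the 4 x 4 inputs and the seed are made up for the demo.
P = 2_147_483_647


def mat_mul(A, B):
    return [[sum(a * b for a, b in zip(row, col)) % P for col in zip(*B)] for row in A]


def mat_vec(A, x):
    return [sum(a * b for a, b in zip(row, x)) % P for row in A]


def berlekamp_massey(seq):
    """Minimal polynomial of a linearly recurrent sequence over F_p (page 11).
    Returns (f, d): f = [f_0, ..., f_d], f_d = 1, with f_0 a_j + ... + f_d a_{j+d} = 0 for all j."""
    C, B = [1], [1]        # connection polynomial and its copy from the last length change
    L, m, b = 0, 1, 1
    for i, s in enumerate(seq):
        delta = s
        for k in range(1, L + 1):
            delta = (delta + C[k] * seq[i - k]) % P
        if delta == 0:
            m += 1
            continue
        T = C[:]
        coef = delta * pow(b, P - 2, P) % P
        if len(B) + m > len(C):
            C += [0] * (len(B) + m - len(C))
        for k, bk in enumerate(B):
            C[k + m] = (C[k + m] - coef * bk) % P
        if 2 * L <= i:
            L, B, b, m = i + 1 - L, T, delta, 1
        else:
            m += 1
    C = (C + [0] * (L + 1))[:L + 1]
    return [C[L - k] for k in range(L)] + [1], L   # f_k = C_{d-k}


def char_poly_from_traces(T):
    """Leverrier's lemma / Newton's identities (page 16): from s_i = tr(T^i), i = 1..k, recover
    c_1, ..., c_k in det(xI - T) = x^k + c_1 x^(k-1) + ... + c_k; note c_k = (-1)^k det(T)."""
    k = len(T)
    traces, power = [], T
    for _ in range(k):
        traces.append(sum(power[i][i] for i in range(k)) % P)
        power = mat_mul(power, T)                      # each trace costs one matrix product
    c = []
    for m in range(1, k + 1):
        acc = traces[m - 1]
        for j in range(1, m):
            acc = (acc + c[j - 1] * traces[m - 1 - j]) % P
        c.append(-acc * pow(m, P - 2, P) % P)           # m * c_m = -(s_m + c_1 s_{m-1} + ...)
    return c


def toeplitz_from_sequence(a, k):
    """Assumed layout: T_k[i][j] = a_{k+i-j} over the 1-indexed a_1 .. a_{2k-1} (a[0] is a_1)."""
    return [[a[k + i - j - 1] for j in range(k)] for i in range(k)]


def wiedemann_sequence(M, rng):
    """Page 12 in the clear: M' = V M W, M'' = D M', a_i = u^t (M'')^i v for 1 <= i <= 2n."""
    n = len(M)

    def rand_mat():
        return [[rng.randrange(P) for _ in range(n)] for _ in range(n)]

    M1 = mat_mul(mat_mul(rand_mat(), M), rand_mat())                 # M' = V M W
    D = [rng.randrange(1, P) for _ in range(n)]
    M2 = [[d * x % P for x in row] for d, row in zip(D, M1)]          # M'' = D M'
    u = [rng.randrange(P) for _ in range(n)]
    w = [rng.randrange(P) for _ in range(n)]                          # w starts out as v
    seq = []
    for _ in range(2 * n):
        w = mat_vec(M2, w)                                            # w = (M'')^i v
        seq.append(sum(x * y for x, y in zip(u, w)) % P)              # a_i = u^t (M'')^i v
    return seq


def toeplitz_singularity_test(M, seed=11):
    """Returns (d, nonsingular): d = degree of the minimal polynomial of {a_i} and
    nonsingular[k] = (c_k of T_k != 0), i.e. det T_k != 0, for k = 1..n (page 13 lemma).
    M is singular iff nonsingular[n] is False."""
    n = len(M)
    seq = wiedemann_sequence(M, random.Random(seed))
    _, d = berlekamp_massey(seq)
    nonsingular = {k: char_poly_from_traces(toeplitz_from_sequence(seq, k))[-1] != 0
                   for k in range(1, n + 1)}
    return d, nonsingular


if __name__ == "__main__":
    singular = [[1, 2, 3, 4], [2, 4, 6, 8], [1, 0, 1, 0], [2, 2, 4, 4]]   # rank 2 (constructed)
    regular = [[2, 1, 0, 0], [0, 3, 1, 0], [0, 0, 5, 1], [1, 0, 0, 7]]     # det 209 (constructed)
    for M in (singular, regular):
        d, flags = toeplitz_singularity_test(M)
        print("d =", d, "T_n singular:", not flags[len(M)])
```

With the sequence started at i = 1 (as on page 12) the degree d returned by Berlekamp-Massey equals rank(M) with high probability, so for the rank-2 input T_2 is nonsingular while T_3 and T_4 are singular, and for the full-rank input d = 4 and T_4 is nonsingular, matching the page 13 lemma. Every step above is a sequence of matrix products and vector products, which is why the slides can run it on shares once a secure matrix product is available; Leverrier's lemma needs one inverse of each integer 1..n, which exists because the field characteristic is larger than n.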

Page 17: Toeplitz to Matrix Product

For any Toeplitz matrix T we have:

where u^t = (u_1, …, u_n) and v^t = (v_1, …, v_n) are the first and last column of X.

The trace of X contains the traces of the powers of T.

Page 18: Toeplitz to Matrix Product

e_1 = (1, 0, …, 0)^t, e_n = (0, …, 0, 1)^t

{u_i = T^i e_1}, {v_i = T^i e_n}

Page 19: Secure Computation of {M^i v}_{1 ≤ i ≤ 2n}

• [CKP07]: secure computation of POW_d(M) = {I, M, …, M^d} reduces to O(d) matrix products.
• A baby-step, giant-step algorithm: given a secure matrix product with O(n^2) communication, O(s) rounds and O(s·n^(2+1/s)) communication.

Page 20: Approach (recap)

1. Reduce linear algebra problems to matrix singularity

2. Reduce general singularity to Toeplitz singularity

3. Reduce Toeplitz singularity to matrix product

4. Design a secure matrix product protocol

Page 21: Multiparty Matrix Product

• A and B are shared using a linear secret sharing scheme; the parties compute shares of C = AB.
• Implicit in existing works [CDM00], using distributed homomorphic commitments.
• Constant-round protocol with O(n^2) communication, secure against malicious adversaries.

Page 22: Two-Party Matrix Product

Inputs: Alice holds A1, A2; Bob holds B1, B2.
Outputs: Bob obtains (A1+B1)(A2+B2) + C; Alice obtains C.

• Bob sends E_Bob(B1), E_Bob(B2) to Alice.
• Alice computes and sends to Bob E_Bob((A1+B1)(A2+B2) + C).
• Only secure against semi-honest adversaries.
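The page 22 exchange, as an added example that is not part of the slides and not the authors' implementation: a toy Paillier instance plays the additively homomorphic E_Bob, Bob sends E_Bob(B1) and E_Bob(B2), Alice assembles the masked product under encryption and sends it back, and the two outputs reconstruct (A1+B1)(A2+B2). One assumption is made explicit in the code: with additive homomorphism Alice can form every term of (A1+B1)(A2+B2) except B1·B2, so here Bob adds that term himself after decrypting (the slide writes the full product in one line). The primes, matrices and seed are constructed for the demo and are far too small for real use.

```python
import math
import random

# Constructed toy Paillier modulus from two 16-bit primes: large enough that every plaintext
# (matrix entries, their products and the random mask) fits in Z_n, useless as real security.
PRIME_P, PRIME_Q = 65521, 65537


class PaillierKey:
    """Additively homomorphic encryption with public key n = p*q (g = n + 1):
    E(a) * E(b) = E(a + b) and E(a)^k = E(k * a), both mod n^2."""

    def __init__(self, p, q, rng):
        self.n, self.n2, self.rng = p * q, (p * q) ** 2, rng
        self.lam = (p - 1) * (q - 1) // math.gcd(p - 1, q - 1)   # private: lcm(p-1, q-1)
        self.mu = pow(self.lam, -1, self.n)                       # private: lam^-1 mod n

    # Public-key operations (need only n): everything Alice does uses just these three.
    def enc(self, m):
        r = self.rng.randrange(1, self.n)
        while math.gcd(r, self.n) != 1:
            r = self.rng.randrange(1, self.n)
        return (1 + (m % self.n) * self.n) * pow(r, self.n, self.n2) % self.n2

    def add(self, c1, c2):
        return c1 * c2 % self.n2

    def mul_const(self, c, k):
        return pow(c, k % self.n, self.n2)

    # Private-key operation: only Bob can do this.
    def dec(self, c):
        return (pow(c, self.lam, self.n2) - 1) // self.n * self.mu % self.n


def mat_mul_mod(A, B, mod):
    return [[sum(a * b for a, b in zip(row, col)) % mod for col in zip(*B)] for row in A]


def mat_add_mod(A, B, mod):
    return [[(a + b) % mod for a, b in zip(ra, rb)] for ra, rb in zip(A, B)]


def two_party_matrix_product(A1, A2, B1, B2, seed=3):
    """Page 22 protocol. Alice holds A1, A2 and Bob holds B1, B2; the factors are X = A1 + B1
    and Y = A2 + B2. Returns (bob_output, alice_output, n): bob_output = X*Y + C, alice_output = C."""
    rng = random.Random(seed)
    bob = PaillierKey(PRIME_P, PRIME_Q, rng)       # Bob's key pair; Alice only ever needs n
    n, dim = bob.n, len(A1)

    # Bob -> Alice: E_Bob(B1), E_Bob(B2), entry by entry.
    EB1 = [[bob.enc(x) for x in row] for row in B1]
    EB2 = [[bob.enc(x) for x in row] for row in B2]

    # Alice: choose a random mask C and build E_Bob(A1*A2 + A1*B2 + B1*A2 + C) from the
    # ciphertexts using only additions and multiplications by her own plaintext entries.
    C = [[rng.randrange(n) for _ in range(dim)] for _ in range(dim)]
    A1A2 = mat_mul_mod(A1, A2, n)
    EZ = []
    for i in range(dim):
        row = []
        for j in range(dim):
            acc = bob.enc((A1A2[i][j] + C[i][j]) % n)
            for t in range(dim):
                acc = bob.add(acc, bob.mul_const(EB2[t][j], A1[i][t]))   # A1[i][t] * B2[t][j]
                acc = bob.add(acc, bob.mul_const(EB1[i][t], A2[t][j]))   # B1[i][t] * A2[t][j]
            row.append(acc)
        EZ.append(row)

    # Alice -> Bob: E_Bob(Z). Bob decrypts and adds B1*B2, the one term of (A1+B1)(A2+B2) that
    # Alice cannot produce under additive homomorphism (assumption about the slide's formula).
    Z = [[bob.dec(c) for c in row] for row in EZ]
    bob_output = mat_add_mod(Z, mat_mul_mod(B1, B2, n), n)
    return bob_output, C, n


def reconstruct(bob_output, alice_output, n):
    """X*Y = (X*Y + C) - C mod n: what the two outputs reveal only when put together."""
    return [[(b - a) % n for a, b in zip(ra, rb)] for ra, rb in zip(alice_output, bob_output)]


if __name__ == "__main__":
    # Constructed shares: X = A1 + B1 = [[6, 8], [10, 12]], Y = A2 + B2 = [[2, 3], [3, 2]].
    out_b, out_a, n = two_party_matrix_product([[1, 2], [3, 4]], [[2, 0], [1, 1]],
                                               [[5, 6], [7, 8]], [[0, 3], [2, 1]])
    print(reconstruct(out_b, out_a, n))   # X*Y
```

Against a semi-honest Alice the transcript she sees is ciphertexts under Bob's key only, and a semi-honest Bob sees the product masked by the uniformly random C, which is the whole security argument of the slide. Nothing in the exchange forces Alice to use her real A1, A2 or to compute Z honestly, which is why page 23 splits the matrices into random shares and opens all but one of the runs to catch a covert deviation.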

Page 23: Two-Party Matrix Product against Covert Adversaries

• Break each matrix into random additive shares.
• Perform many matrix product protocols on the shares.
• Reveal all but one of them for verification.
• Simulation-based security against covert adversaries.

Page 24: Open Questions

• Fully malicious adversaries, with the same efficiency?
• Sparse or structured matrices: how efficient can we get?