
Secure Computation of Linear Algebraic Functions

Enav Weinreb – CWI, Amsterdam
Joint work with: Matt Franklin, Eike Kiltz, Payman Mohassel and Kobbi Nissim
Talk Overview
• Secure Computation in General
• Secure Linear Algebra Based on “Oblivious Gaussian Elimination”
• Secure Linear Algebra Based on Linearly Recurrent Sequences
• Recent Developments and Open Problems
Secure Computation
• Alice has an input x
• Bob has an input y
• Let f: {0,1}^2n → {0,1} be a Boolean function.
• Alice and Bob wish to compute f(x,y) without leaking any further information on their private inputs.
• The players cooperate but do not trust each other.
Secure Computation Example: The Millionaires’ Problem
[Figure: Alice holds x, Bob holds y; the only output is the bit “x > y?”. In the animation Bob holds 1,000,000,000$ and learns only the answer “x < y”: he cannot tell whether Alice’s x is 100$ or 999,999,999$.]
Levels of security:
• Computational – the adversary is computationally limited.
• Information theoretic – the adversary is computationally unbounded.
“Leak no further information” – Real World vs. Ideal World:
[Figure: in the ideal world Alice and Bob hand x and y to a trusted party and receive only f(x,y); in the real world they run the protocol. Anything a party can compute about the other input in the real world (h(x) in the figure) it must also be able to compute in the ideal world, i.e. from its own input and f(x,y) alone.]
Complexity Measures and Adversary Model
Important complexity measures:
• Communication complexity
• Round complexity
• Computational complexity
Adversary models:
• Honest but curious – the adversary follows the protocol but tries to learn more information
• Malicious – the adversary arbitrarily deviates from the protocol
Boolean Circuit Complexity
• Let f: {0,1}^2n → {0,1}
• We consider digital circuits with the gates {AND, OR, NOT} that compute f in the natural way.
• circuit size – number of gates
• circuit depth – max distance from an input wire to the output
[Figure: an example circuit on inputs x1, …, x8, every wire annotated with its 0/1 value.]
General Result – two-party [Yao]
A Boolean circuit that computes f(x,y) with size s(n) implies a secure two-party protocol for computing f(x,y) with:
• communication complexity linear in s(n)
• 2 rounds
• computational security
General Result – Multi-Party [BGW, CCD]
A Boolean circuit that computes f(x1,...,xk) with size s(n) and depth d(n) implies a secure k-party protocol for computing f(x1,...,xk) with:
• communication complexity linear in s(n)
• round complexity d(n)
• information theoretic security against:
  • fewer than k/2 adversarial players – honest but curious
  • fewer than k/3 adversarial players – malicious
Talk Overview (next: Secure Linear Algebra Based on “Oblivious Gaussian Elimination”)
Linear Algebraic Functions
Matrix singularity:
• Alice and Bob hold A ∊ F^{n×n} and B ∊ F^{n×n} respectively, where F is a finite field
• They wish to (securely) compute whether M = A + B is singular
An efficient secure protocol for singularity leads to efficient protocols for:
• solving a joint system of equations (the linear constraints may contain private information!)
• computing det(M), char.poly(M), min.poly(M)
• computing the intersection of subspaces
• more...
Applying General Results
• The circuit complexity of matrix singularity is similar to the number of multiplications in a matrix product.
  • Best known result O(n^2.38) [Coppersmith Winograd]
• The input size is only n^2 – the trivial non-cryptographic protocol (send A to Bob) has complexity n^2
• Can we achieve this in a secure protocol?
• Can we achieve this while keeping the round complexity low?
A previous result
“Secure linear algebra in a constant number of rounds.” [Cramer Damgård]
• information theoretic security
• constant round complexity
• communication complexity O(n^3)

Our results
Secure protocol for singularity(A+B) in the computational two-party setting with:
• communication complexity O(n^2 log n)
• round complexity O(log n)
Recent improvements [Mohassel W]:
• constant round
• information theoretic security
Oblivious Gaussian Elimination
Protocol from [Nissim W]. Achieves:
• communication complexity O(n^2 log n)
• round complexity O(n^0.275)
Cryptographic assumption: public-key homomorphic encryption
Tool: Homomorphic Encryption
• Public key encryption scheme
  • Public key PK is published – everybody can encrypt
  • Secret key SK is private – only one party can decrypt
• For a, b, c ∊ F, anyone holding PK only can compute:
  • E(a), E(b) → E(a + b)
  • c, E(a) → E(c·a)
• Corollary (entry-wise, still with PK only):
  • c, E(v) → E(c·v) for a vector v
  • M1, E(M2) → E(M1·M2) for a plaintext matrix M1 and an encrypted matrix M2
• Example: [Goldwasser Micali] (QR) for F = GF(2).
Initial Step
[Figure: Alice, holding A ∊ F^{n×n}, generates (PK, SK) and sends PK and E_PK(A) to Bob. Bob, holding B ∊ F^{n×n}, computes E_PK(A) + E_PK(B) = E_PK(M) homomorphically and is left with the question: is M singular?]
Algorithms on Encrypted Data
• Bob can locally compute (with PK only):
  • E(a), E(b) → E(a + b)
  • c, E(a) → E(c·a)
  • c, E(v) → E(c·v)
  • M1, E(M2) → E(M1·M2)
• What about multiplying two encrypted values, E(a), E(b) → E(a·b)? Use Alice!
Multiplication
[Figure: Alice holds (PK, SK); Bob holds E_PK(a), E_PK(b).]
• Bob chooses random r_a, r_b and sends E_PK(a + r_a), E_PK(b + r_b) to Alice.
• Alice decrypts, multiplies and returns E_PK((a + r_a)(b + r_b)).
• Bob computes locally:
  E_PK((a + r_a)(b + r_b)) − E_PK(r_a·b) − E_PK(a·r_b) − E_PK(r_a·r_b) = E_PK(a·b)
  (r_a·E(b) and r_b·E(a) are scalar-by-ciphertext products, so Bob needs no help for the correction terms.)
• Alice only sees a + r_a and b + r_b, which are uniformly distributed in F for uniform r_a, r_b, so she learns nothing about a and b.
Multiplying a Vector by a Scalar
[Figure: Bob holds E_PK(a) and E_PK(v); Alice holds (PK, SK); the same masking round trip, applied entry by entry, yields E_PK(a·v).]
Communication complexity is O(n), for a vector v of length n.
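The masked multiplication round trip of the last two slides, written out as an added example that is not code from the talk or its authors. It uses a toy Goldwasser–Micali scheme over GF(2) (the example the Tool slide names) with two small assumed primes, 10007 and 10009, so the numbers stay readable; a real key uses large random primes. The homomorphic operations Bob performs locally, Alice's decrypt-and-multiply step and Bob's unmasking are separate functions, and all names (`gm_keygen`, `bob_mul_scalar_vector`, `alice_mul_oracle`, …) are this example's own.

```python
import math
import random


def legendre(a, p):
    """1 if a is a non-zero square mod p, p - 1 if a non-square, 0 if p divides a."""
    return pow(a % p, (p - 1) // 2, p)


def gm_keygen(p=10007, q=10009):
    """Toy Goldwasser-Micali key. Assumed parameters: two small primes so the numbers
    stay readable; a real key uses large random primes. x must be a non-square
    modulo both p and q (so its Jacobi symbol modulo n is +1)."""
    n = p * q
    x = 2
    while not (legendre(x, p) == p - 1 and legendre(x, q) == q - 1):
        x += 1
    return (n, x), (p, q)


def gm_encrypt(pk, bit, rng):
    """E(bit) = x^bit * r^2 mod n for a random unit r: anyone holding PK can do this."""
    n, x = pk
    r = rng.randrange(1, n)
    while math.gcd(r, n) != 1:
        r = rng.randrange(1, n)
    return pow(x, bit, n) * pow(r, 2, n) % n


def gm_decrypt(sk, c):
    """bit = 0 iff c is a square mod p; deciding that needs the factorisation (SK)."""
    p, _ = sk
    return 0 if legendre(c, p) == 1 else 1


def hom_add(pk, c1, c2):
    """E(a) * E(b) mod n = E(a + b) over GF(2): a local operation with PK only."""
    return c1 * c2 % pk[0]


def hom_scale(pk, k, c, rng):
    """E(k * a) for a bit k known to the caller: E(a) re-randomised if k = 1, fresh E(0) if k = 0."""
    return hom_add(pk, c, gm_encrypt(pk, 0, rng)) if k else gm_encrypt(pk, 0, rng)


def alice_mul_oracle(pk, sk, c_a, c_vec, rng):
    """Alice's single step: decrypt the masked values and return E(a' * v'_i).
    She only sees a + r_a and v_i + r_i, which are uniformly random bits, so her
    view is independent of a and v."""
    a_masked = gm_decrypt(sk, c_a)
    return [gm_encrypt(pk, a_masked & gm_decrypt(sk, c), rng) for c in c_vec]


def bob_mul_scalar_vector(pk, c_a, c_vec, alice, rng):
    """Bob turns E(a), E(v) into E(a * v) with O(len(v)) ciphertexts in each direction.
    Over GF(2): (a + r_a)(v_i + r_i) = a v_i + a r_i + r_a v_i + r_a r_i, and every
    correction term involves a bit Bob knows (r_a or r_i), so he removes them locally."""
    r_a = rng.randrange(2)
    r_vec = [rng.randrange(2) for _ in c_vec]
    masked_a = hom_add(pk, c_a, gm_encrypt(pk, r_a, rng))                  # E(a + r_a)
    masked_v = [hom_add(pk, c, gm_encrypt(pk, r, rng)) for c, r in zip(c_vec, r_vec)]
    prods = alice(masked_a, masked_v)                                       # E((a + r_a)(v_i + r_i))
    out = []
    for c_prod, c_v, r_i in zip(prods, c_vec, r_vec):
        c = hom_add(pk, c_prod, hom_scale(pk, r_i, c_a, rng))               # + a * r_i
        c = hom_add(pk, c, hom_scale(pk, r_a, c_v, rng))                    # + r_a * v_i
        c = hom_add(pk, c, gm_encrypt(pk, r_a & r_i, rng))                  # + r_a * r_i
        out.append(c)
    return out


def demo_multiply(a, v, seed=7):
    """Run the whole exchange on plaintext inputs a (bit) and v (bit vector) and
    return the decryption of what Bob ends up holding; expected: [a & b for b in v]."""
    rng = random.Random(seed)
    pk, sk = gm_keygen()
    c_a = gm_encrypt(pk, a, rng)
    c_vec = [gm_encrypt(pk, b, rng) for b in v]

    def alice(ca, cv):
        return alice_mul_oracle(pk, sk, ca, cv, rng)

    return [gm_decrypt(sk, c) for c in bob_mul_scalar_vector(pk, c_a, c_vec, alice, rng)]
```

The scalar-by-scalar protocol of the Multiplication slide is the case of a length-one vector; the vector version costs Bob two masked vectors out and one vector back, which is the O(n) of the slide. Note that the masks r_a and r_i are fresh per call: reusing a mask across calls would let Alice correlate two masked values.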
Encrypted Matrix Singularity (reminder)
[Figure: Alice hol
ds (PK, SK); Bob holds E_PK(M) and the parties want to learn whether M is singular.]
Gaussian Elimination
• Find a row that “starts” with a 1.
• Swap this row and the top row.
• “Eliminate” the leftmost column.
• Continue recursively.
[Figure: the steps applied to a 4×4 matrix over GF(2) (rows 1 0 0 1, 1 1 1 0, 0 1 1 1, 0 1 0 1).]
Oblivious Gaussian Elimination
[Figure: Alice holds (PK, SK); Bob holds E_PK(M) entry by entry, E_PK(M_11) … E_PK(M_kk).]
• “Find a row that starts with a 1.”
• “Swap this row and the top row.”
Both steps depend on values Bob only holds encrypted – use Alice!
Finding a row starting with a 1
STEP 1: Randomization
• Bob multiplies E(M) by a random full rank matrix R (a local operation, R is plaintext):
  E(M) → E(R·M)
• Set m = log n.
[Figure: if the leftmost column of M is non-zero then, w.h.p., one of the top m rows of R·M starts with a 1.]
STEP 2: Moving the 1 to the top row.
[Figure: the 1 found among the top m rows is moved into the top row.]
Moving the 1 to the top row.
• Bob computes E(M[1,1]·M_1) (a scalar-by-vector multiplication, with Alice):
  • If M[1,1] = 0 Bob gets E(0).
  • If M[1,1] = 1 Bob gets E(M_1).
• For every 2 ≤ j ≤ m, Bob computes E(M_j) ← E(M_j − M[j,1]·(M[1,1]·M_1)), again with Alice.
• The same with E(M_2), E(M_3), ..., E(M_m) in turn. Afterwards at most one of the first m rows, the first one that did so, still starts with a 1.
• Update E(M_1) ← Σ_{i=1}^{m} E(M_i) (local addition of ciphertexts): the new top row starts with a 1 exactly when one of the m rows did.
• Eliminate the leftmost column: for every row j below the top, E(M_j) ← E(M_j − M[j,1]·M_1), with Alice.
Every step only adds multiples of other rows to a row, which preserves the determinant.
[Figure: the window of m rows after the step; the first column reads 1, 0, 0, … and the rows are annotated with what Bob holds, E(0), E(0), E(M_3), …]
Moving the 1 to the top row (cont.)
• Continue recursively on the lower right submatrix.
• Finally, multiply all diagonal elements.
• M is non-singular if and only if the product of the diagonal entries is 1 (w.h.p.): the product is the determinant of the resulting upper triangular matrix, the row operations preserve the determinant, and R has full rank. A product of 0 means M is singular.
[Figure: the upper triangular matrix obtained after all steps, 1s on the diagonal, m rows inspected per step.]
Communication Complexity
Per window row j, Bob sends Alice E(M_1 + r_{M_1}) and E(M[j,1] + r_{M[j,1]}) and receives E((M[j,1] + r_{M[j,1]})(M_1 + r_{M_1})):
• Single row: O(n) from Alice to Bob and O(n) from Bob to Alice.
• One column: O(n) per row for the m window rows, but the elimination of the leftmost column multiplies the encrypted pivot row into every remaining row, O(n^2) for the column.
• Overall: the elimination share alone is O(n^3).

Lazy Evaluation
Send data “on demand” (the slide’s “Memory”): Bob records the elimination steps still owed to a row and carries them out only when that row enters the window.
• Single row: O(n) in each direction, as before.
• One column: the elimination share drops to O(n).
• Overall: O(n^2) for elimination, which leaves the O(n^2 log n) total communication of the protocol.
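An added simulation, not the authors' code, of the procedure of the last slides (randomisation, the m-row window, the sum-of-rows update and the elimination) on plaintext bits, so the row operations can be followed. Every place where Bob would need Alice, i.e. multiplying an encrypted scalar into an encrypted row, goes through one counting method, so the call count shows the Θ(n^2) Alice round trips of the eager version that lazy evaluation removes. The `window` argument is the m of STEP 1; class and function names are this example's own.

```python
import random


def gf2_rank(M):
    """Rank over GF(2) by ordinary elimination; used only as ground truth."""
    rows = [r[:] for r in M]
    rank = 0
    for col in range(len(M[0])):
        piv = next((i for i in range(rank, len(rows)) if rows[i][col]), None)
        if piv is None:
            continue
        rows[rank], rows[piv] = rows[piv], rows[rank]
        for i in range(len(rows)):
            if i != rank and rows[i][col]:
                rows[i] = [x ^ y for x, y in zip(rows[i], rows[rank])]
        rank += 1
    return rank


def random_full_rank(n, rng):
    """Bob's plaintext randomiser R: a uniformly random invertible n x n GF(2) matrix."""
    while True:
        R = [[rng.randrange(2) for _ in range(n)] for _ in range(n)]
        if gf2_rank(R) == n:
            return R


def gf2_matmul(A, B):
    return [[sum(a & b for a, b in zip(row, col)) & 1 for col in zip(*B)] for row in A]


def xor_rows(r1, r2):
    return [x ^ y for x, y in zip(r1, r2)]


class ObliviousElimination:
    """Bob's side of the protocol on plaintext bits. In the real protocol every entry
    is a ciphertext: XOR of two rows is a local ciphertext product, but multiplying an
    encrypted scalar into an encrypted row needs the scalar-by-vector round trip with
    Alice. `alice_mul` stands in for that round trip and counts the O(n) messages."""

    def __init__(self, M, window, seed=0):
        self.rng = random.Random(seed)
        self.rows = [r[:] for r in M]
        self.window = window          # m: how many rows are inspected per pivot
        self.alice_calls = 0

    def alice_mul(self, scalar, row):
        self.alice_calls += 1         # one round trip, O(n) ciphertexts each way
        return [scalar & x for x in row]

    def run(self):
        n = len(self.rows)
        self.rows = gf2_matmul(random_full_rank(n, self.rng), self.rows)   # STEP 1, local
        diag_product = 1
        for col in range(n):
            win = range(col, min(col + self.window, n))
            # STEP 2: keep only the first window row that starts with a 1.
            # A row k with a leading 1 clears the leading bit of every later window row.
            for k in win:
                t = self.alice_mul(self.rows[k][col], self.rows[k])       # E(M[k,1] * M_k)
                for j in win:
                    if j > k:
                        self.rows[j] = xor_rows(self.rows[j], self.alice_mul(self.rows[j][col], t))
            # New top row = sum of the window rows (local); it starts with a 1 iff some row did.
            for k in win:
                if k != col:
                    self.rows[col] = xor_rows(self.rows[col], self.rows[k])
            # Eliminate the column under the pivot: Alice-assisted for every remaining row.
            for j in range(col + 1, n):
                self.rows[j] = xor_rows(self.rows[j], self.alice_mul(self.rows[j][col], self.rows[col]))
            diag_product &= self.rows[col][col]
        return diag_product


def singular_by_oblivious_elimination(M, window=None, seed=0):
    """Return (reported_singular, alice_calls). With window = n the answer is exact.
    A small window can miss a pivot, which can only turn a non-singular matrix into a
    reported-singular one: a diagonal product of 1 always certifies non-singularity."""
    n = len(M)
    elim = ObliviousElimination(M, n if window is None else window, seed)
    return elim.run() == 0, elim.alice_calls


def agrees_with_rank(n, trials, seed=1):
    """Cross-check the full-window procedure against the rank on random matrices."""
    rng = random.Random(seed)
    for _ in range(trials):
        M = [[rng.randrange(2) for _ in range(n)] for _ in range(n)]
        if singular_by_oblivious_elimination(M)[0] != (gf2_rank(M) < n):
            return False
    return True
```

With the full window the count for n rows is Σ over columns of (w + w(w−1)/2 + remaining rows), w being the window size at that column: 13 Alice round trips for n = 3 and 26 for n = 4, i.e. Θ(n^2) round trips of O(n) ciphertexts each, the O(n^3) of the eager table. Each elimination call is made regardless of the (encrypted) scalar's value, which is exactly the cost that lazy evaluation defers.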
Talk Overview (next: Secure Linear Algebra Based on Linearly Recurrent Sequences)
Improved Round Complexity
Protocol from [Kiltz Mohassel W Franklin]. Achieves:
• communication complexity O(n^2 log n)
• round complexity O(log n)
Setting:
• Two party with computational security
• Computational assumption – homomorphic encryption
Linearly Recurrent Sequences
• General idea: apply algorithms designed for sparse matrices to secure computation on general matrices.
• Assumption – the underlying field is large: |F| > n log n (otherwise – use a field extension)
A Simple Reduction
Randomized approach: to check if M is singular,
• Pick a random vector v.
• Check whether the system Mx = v is solvable.
  • Not solvable – M is singular.
  • Solvable – with high probability (1 – 1/|F|), M is non-singular: the column space of a singular M is a proper subspace, so a random v lies in it with probability at most 1/|F|.
Deciding if Mx = v is Solvable [Wiedemann]
• Consider the n+1 vectors v, Mv, M^2 v, ..., M^n v.
• They are n+1 vectors in an n-dimensional space, so there is a = (a_0, ..., a_n) ≠ 0 such that Σ a_i M^i v = 0.
• Linearly recurrent sequences: if Σ a_i M^i v = 0 then for all j:
  Σ a_i M^{i+j} v = M^j (Σ a_i M^i v) = M^j · 0 = 0
Deciding if Mx = v is Solvable [Wiedemann86]
• For every b = (b_0, ..., b_n) such that Σ b_i M^i v = 0, consider the polynomial p_b(x) = Σ b_i x^i.
• The set of such polynomials forms an ideal in F[x] – the annihilator ideal.
• Minimal polynomial m(x) – the (monic) generator of the ideal.
The annihilator ideal
• Let f_M(x) be the characteristic polynomial of M.
• [Cayley Hamilton]: f_M(M) = 0
  → f_M(M) v = 0
  → f_M(x) is in the annihilator ideal
  → m(x) | f_M(x)
• We will be interested in the constant coefficient of m(x).
The Constant Coefficient of m(x)
Claim:
(i) If m(0) ≠ 0 then Mx = v is solvable.
(ii) If m(0) = 0 then det(M) = 0.
Conclusion: for a random v, with probability at least (1 – 1/|F|),
m(0) = 0 if and only if det(M) = 0.
Proof of the Claim (i)
(i) If m(0) ≠ 0 then Mx = v is solvable.
• m(x) = c_n x^n + ... + c_1 x + c_0, where c_0 = m(0) ≠ 0
• m(M) v = 0 (m(x) is in the ideal)
  • c_n M^n v + ... + c_1 M v + c_0 v = 0
  • M (c_n M^{n-1} v + ... + c_1 v) = −c_0 v
• Set x = −c_0^{-1} (c_n M^{n-1} v + ... + c_1 v)
  • M x = v → the system is solvable.
Proof of the Claim (ii)
(ii) If m(0) = 0 then det(M) = 0.
• f_M(0) = det(−M) = (−1)^n det(M), so f_M(0) = 0 exactly when det(M) = 0.
• We saw before that m(x) | f_M(x), so m(0) = 0 implies f_M(0) = 0.
• Hence det(M) = 0. □
Berlekamp/Massey Algorithm
• We are interested in computing m(0).
• Berlekamp/Massey algorithm: computes m(x) in O(n log n) operations, given v, Mv, ..., M^{2n-1} v.
  • General idea: the algorithm uses an intermediate result of the extended Euclidean algorithm executed on x^{2n} and on a polynomial whose coefficients are the elements u^T M^0 v, u^T M^1 v, ..., u^T M^{2n-1} v for some random vector u.
  • The minimal polynomial of this scalar sequence divides m(x) and, for a random u over a large field, equals it with high probability; this is where the assumption |F| > n log n is used.
And now: the protocol
Multiplying two matrices
[Figure: Bob holds E(A), E(B); Alice holds (PK, SK); Bob masks with random matrices R_A, R_B, Alice returns E((A + R_A)(B + R_B)), and Bob removes the correction terms R_A·E(B), E(A)·R_B and E(R_A R_B), all plaintext-by-ciphertext products, to obtain E(AB).]
Communication complexity is O(n^2).
Secure Two-Party Algorithm (sketch)
[Alice holds (PK, SK); Bob holds E(M).]
1. Compute E(M^i v), i = 0, 1, …, 2n−1 (next slide): O(log n) rounds, O(n^2 log n) communication.
2. Apply Yao’s general method to the Berlekamp/Massey algorithm to obtain E(m(x)): O(1) rounds, O(n log n) communication.
3. Bob blinds E(m(0)) with a random non-zero r (a local scalar multiplication) and Alice decrypts E(m(0)·r): the result is 0 iff m(0) = 0, and otherwise reveals nothing about m(0).
Computing the Sequence E_PK(M^i v)
1. Bob is given E(M) and computes E(v) (v is the random vector of the reduction).
2. Bob computes E(M^{2^i}), i = 1, ..., log n, by repeated squaring with the matrix multiplication protocol: log n rounds, n^2 log n communication.
3. Bob computes, one doubling per round:
   • E(Mv) = E(M) · E(v)
   • E(M^3 v | M^2 v) = E(M^2) · E(Mv | v)
   • E(M^7 v | M^6 v | M^5 v | M^4 v) = E(M^4) · E(M^3 v | M^2 v | Mv | v)
   • …
4. Finally: E(v), E(Mv), …, E(M^{2n-1} v), in O(log n) rounds and O(n^2 log n) communication overall.
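An added plaintext implementation, not the authors' code, of the Wiedemann reduction of this section: the doubling schedule of the last slide for the sequence M^i v, Berlekamp/Massey on the scalars u^T M^i v, the test m(0) = 0, and the solution x of claim (i) built from m(x). The field is GF(P) for the prime P = 2^31 − 1, an assumed choice that satisfies |F| > n log n for the small n used here; all function names are this example's own.

```python
import random

P = 2**31 - 1   # prime modulus; |F| = P is far larger than n log n for the sizes used here


def mat_mul(A, B, p):
    """(A B) mod p for an n x k matrix A and a k x l matrix B (lists of rows)."""
    return [[sum(a * b for a, b in zip(row, col)) % p for col in zip(*B)] for row in A]


def krylov_by_doubling(M, v, count, p):
    """[v, Mv, ..., M^(count-1) v], built with the schedule of the slide: step i
    multiplies M^(2^i) into the block of all vectors found so far, so the list doubles
    each step. In the protocol each step is one encrypted matrix product, one round."""
    seq = [v]
    power = M                                          # M^(2^i)
    while len(seq) < count:
        block = [list(col) for col in zip(*seq)]       # n x len(seq): columns are the vectors
        new_block = mat_mul(power, block, p)           # M^(2^i) * (v | Mv | ...)
        seq = seq + [list(col) for col in zip(*new_block)]
        power = mat_mul(power, power, p)
    return seq[:count]


def berlekamp_massey(s, p):
    """Massey's algorithm over GF(p). Returns (C, L) with C[0] = 1 and
    s[i] + C[1] s[i-1] + ... + C[L] s[i-L] = 0 for every i >= L."""
    n = len(s)
    C, B = [1] + [0] * n, [1] + [0] * n
    L, m, b = 0, 1, 1
    for i in range(n):
        d = s[i]
        for j in range(1, L + 1):
            d = (d + C[j] * s[i - j]) % p
        if d == 0:
            m += 1
            continue
        coef = d * pow(b, p - 2, p) % p
        T = C[:]
        for j in range(n + 1 - m):
            C[j + m] = (C[j + m] - coef * B[j]) % p
        if 2 * L <= i:
            L, B, b, m = i + 1 - L, T, d, 1
        else:
            m += 1
    return C[:L + 1], L


def minimal_polynomial(s, p):
    """Coefficients c_0, ..., c_L (low to high) of the monic minimal polynomial
    m(x) = x^L + C[1] x^(L-1) + ... + C[L] of the linearly recurrent sequence s."""
    C, L = berlekamp_massey(s, p)
    return [C[L - j] for j in range(L + 1)]


def solve_from_minpoly(m, seq, p):
    """Claim (i) made constructive: with c_0 = m(0) != 0,
    x = -c_0^{-1} (c_L M^(L-1) v + ... + c_1 v) satisfies M x = v."""
    c0_inv = pow(m[0], p - 2, p)
    x = [0] * len(seq[0])
    for i in range(1, len(m)):
        x = [(xi + m[i] * wi) % p for xi, wi in zip(x, seq[i - 1])]
    return [(-c0_inv * xi) % p for xi in x]


def wiedemann(M, p=P, seed=0):
    """The talk's reduction on plaintext: random v and u, the 2n scalars u^T M^i v,
    Berlekamp/Massey, then the test m(0) = 0. Returns (singular, m, v, x) where x
    solves M x = v when m(0) != 0 and is None otherwise. The minimal polynomial of
    the scalar sequence divides the one of the vectors M^i v and equals it with high
    probability over u; a wrong answer is possible only for singular M, with
    probability O(n / p)."""
    rng = random.Random(seed)
    n = len(M)
    v = [rng.randrange(p) for _ in range(n)]
    u = [rng.randrange(p) for _ in range(n)]
    seq = krylov_by_doubling(M, v, 2 * n, p)
    s = [sum(a * b for a, b in zip(u, w)) % p for w in seq]
    m = minimal_polynomial(s, p)
    if m[0] == 0:
        return True, m, v, None
    return False, m, v, solve_from_minpoly(m, seq, p)
```

For a non-singular M the answer is never wrong, whatever u and v are: m(x) divides the characteristic polynomial, whose constant term is ±det(M) ≠ 0. The one-sided error is on singular M, and it shrinks with the field size, which is why the protocol moves to a field extension when F is small.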
Talk Overview (next: Recent Developments and Open Problems)
Recent Developments
Protocol from [Mohassel W]. For every constant t:
• communication complexity O(n^{2+1/t})
• round complexity t
Gives information theoretic security.
Based on a reduction to deciding the singularity of Toeplitz matrices.
Open Problems
Secure Linear Algebra
• Malicious case for two-party computation
General Secure Computation
• Understand the relation between the circuit complexity and the secure-protocol complexity of a problem.
• Is linear communication complexity always possible?