Secure Computation of Linear Algebraic Functions
Enav Weinreb – CWI, Amsterdam
Joint work with: Matt Franklin, Eike Kiltz, Payman Mohassel and Kobbi Nissim

Talk Overview
• Secure Computation in General
• Secure Linear Algebra Based on “Oblivious Gaussian Elimination”
• Secure Linear Algebra Based on Linearly Recurrent Sequences
• Recent Developments and Open Problems

Secure Computation
• Alice has an input x.
• Bob has an input y.
• Let f: {0,1}^{2n} → {0,1} be a Boolean function.
• Alice and Bob wish to compute f(x,y) without leaking any further information on their private inputs.
• The players cooperate but do not trust each other.

Secure Computation - Example
The Millionaires’ Problem
[Diagram: two parties with inputs x and y ask: x > y ?]

Secure Computation - Example
The Millionaires’ Problem
[Diagram: one party holds 1,000,000,000$, the other holds x, and they ask: x > y ?]
• Answer: x < y
• x = 100$ ???
• x = 999,999,999$ ???

“Leak no further information”
[Diagram: Real World and Ideal World, with inputs x and y, output f(x,y), and h(x)]
Levels of security:
• Computational - adversary is computationally limited
• Information theoretic - adversary is computationally unbounded

Complexity Measures and Adversary Model
Important complexity measures:
• Communication complexity
• Round complexity
• Computational complexity
Adversary models:
• Honest but curious – adversary follows the protocol but tries to learn more information
• Malicious – adversary arbitrarily deviates from the protocol

Boolean Circuit Complexity
• Let f: {0,1}^{2n} → {0,1}.
• We consider digital circuits with the gates {AND, OR, NOT} that compute f in the natural way.
• circuit size – number of gates
• circuit depth – max distance from an input wire to output
[Figure: example circuit on the input wires x1, ..., x8]

General Result – two-party [Yao]
Boolean circuit that computes f(x,y) with size s(n)
implies
secure two party protocol for computing f(x,y) with:
• communication complexity linear in s(n)
• 2 rounds
• computational security

General Result – Multi-Party [BGW, CCD]
Boolean circuit that computes f(x1,...,xk) with size s(n) and depth d(n)
implies
a secure k-party protocol for computing f(x1,...,xk) with:
• communication complexity linear in s(n)
• round complexity d(n)
• information theoretic security against:
  • less than k/2 adversarial players – honest but curious
  • less than k/3 adversarial players – malicious

Linear Algebraic Functions
Matrix singularity:
• Alice and Bob hold A ∊ F^{n×n} and B ∊ F^{n×n} respectively, where F is a finite field.
• They wish to (securely) compute whether M = A+B is singular.
Efficient secure protocol for singularity leads to efficient protocols for:
• solving a joint system of equations (linear constraints may contain private information!)
• computing det(M), char.poly(M), min.poly(M)
• computing subspaces intersection
• more...

Applying General Results
• Circuit complexity of matrix singularity is similar to number of multiplications in matrix product.
  • Best known result O(n^2.38) [Coppersmith Winograd]
• Input size is only n^2 - trivial non-cryptographic protocol has complexity n^2.
• Can we achieve this in a secure protocol?
• Can we achieve this keeping the round complexity low?

A previous result
“Secure linear algebra in a constant number of rounds.” [Cramer Damgård]
• Information theoretic security
• constant round complexity
• communication complexity O(n^3)

Our results
Secure protocol for singularity(A+B) in the computational two party setting with:
• communication complexity O(n^2 log n)
• round complexity O(log n)
Recent improvements [Mohassel W]
• constant round
• information theoretical security

Oblivious Gaussian Elimination
Protocol from [Nissim W]
Achieves:
• communication complexity O(n^2 log n)
• round complexity O(n^0.275)
Cryptographic assumption: public key homomorphic encryption

Tool: Homomorphic Encryption
Public key encryption scheme
• Public key PK is published – everybody can encrypt
• Secret key SK is private – only one can decrypt
For a, b, c ∊ F (with PK only):
• E(a), E(b) → E(a+b)
• E(a), c → E(ca)
Corollary (with PK only):
• E(v), c → E(cv)
• an encrypted matrix and a plaintext matrix → E(M1M2)
Example: [Goldwasser Micali] (QR) for F=GF(2).

Initial Step
• Alice holds A ∊ F^{n×n}; Bob holds B ∊ F^{n×n}.
• Alice generates (PK, SK) and sends PK and E_PK(A) to Bob.
• Bob computes E_PK(A) + E_PK(B) = E_PK(M).
• Is M singular?

Algorithms on Encrypted Data
Bob can locally compute:
• E(a), E(b) → E(a+b)
• E(a), c → E(ca)
• E(v), c → E(cv)
• an encrypted matrix and a plaintext matrix → E(M1M2)
What about multiplication?
• E(a), E(b) → E(ab) ?
Use Alice!

Multiplication
• Alice holds (PK, SK); Bob holds PK, E_PK(a) and E_PK(b).
• Bob chooses random r_a, r_b and sends E_PK(a + r_a) and E_PK(b + r_b) to Alice.
• Alice decrypts and sends back E_PK((a + r_a)(b + r_b)).
• Bob computes E_PK(ab) = E_PK((a + r_a)(b + r_b)) − E_PK(a r_b) − E_PK(b r_a) − E_PK(r_a r_b).

Multiplying a Vector by a Scalar
• Alice holds (PK, SK); Bob holds E_PK(a) and E_PK(v).
• Output for Bob: E_PK(av).
• Communication complexity is O(n).
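The masked multiplication of the last two slides, run for a scalar times a vector, as an added example that is not part of the talk. It swaps in a toy Paillier scheme (additively homomorphic over the integers mod n, not the Goldwasser Micali GF(2) scheme the slides name) with demo-size primes; all function names are assumptions.

```python
import math
import random

P_TOY, Q_TOY = 2**31 - 1, 2**61 - 1    # demo primes, far too small for real use

def keygen():
    """Toy Paillier keys: PK = n, SK = (lambda, mu), with generator g = n + 1."""
    n = P_TOY * Q_TOY
    lam = (P_TOY - 1) * (Q_TOY - 1) // math.gcd(P_TOY - 1, Q_TOY - 1)
    return n, (lam, pow(lam, -1, n))

def enc(n, m, rng):
    r = rng.randrange(1, n)
    while math.gcd(r, n) != 1:
        r = rng.randrange(1, n)
    return (1 + (m % n) * n) * pow(r, n, n * n) % (n * n)

def dec(n, sk, c):
    lam, mu = sk
    return (pow(c, lam, n * n) - 1) // n * mu % n

def add(n, c1, c2):          # E(x), E(y) -> E(x + y), PK only
    return c1 * c2 % (n * n)

def scale(n, c, k):          # E(x), k -> E(kx), PK only
    return pow(c, k % n, n * n)

def bob_mask(n, enc_a, enc_v, rng):
    """Bob blinds E(a) and every E(v_i) with fresh random masks."""
    r_a = rng.randrange(n)
    r_v = [rng.randrange(n) for _ in enc_v]
    msg = (add(n, enc_a, enc(n, r_a, rng)),
           [add(n, c, enc(n, r, rng)) for c, r in zip(enc_v, r_v)])
    return msg, (r_a, r_v)

def alice_multiply(n, sk, msg, rng):
    """Alice decrypts the masked values, multiplies, and re-encrypts."""
    masked_a, masked_v = msg
    x = dec(n, sk, masked_a)
    return [enc(n, x * dec(n, sk, c), rng) for c in masked_v]

def bob_unmask(n, enc_a, enc_v, reply, masks, rng):
    """E(a v_i) = E((a+r_a)(v_i+r_i)) - E(a r_i) - E(v_i r_a) - E(r_a r_i)."""
    r_a, r_v = masks
    out = []
    for c_prod, c_v, r in zip(reply, enc_v, r_v):
        c = add(n, c_prod, scale(n, enc_a, -r))
        c = add(n, c, scale(n, c_v, -r_a))
        out.append(add(n, c, enc(n, -r_a * r, rng)))
    return out

def run(a, v, seed=1):
    """Whole exchange; returns (decrypted E(a v), plaintexts Alice saw)."""
    rng = random.Random(seed)   # reproducible demo only; real code needs a CSPRNG
    n, sk = keygen()
    enc_a, enc_v = enc(n, a, rng), [enc(n, x, rng) for x in v]
    msg, masks = bob_mask(n, enc_a, enc_v, rng)
    alice_view = [dec(n, sk, msg[0])] + [dec(n, sk, c) for c in msg[1]]
    reply = alice_multiply(n, sk, msg, rng)
    result = bob_unmask(n, enc_a, enc_v, reply, masks, rng)
    return [dec(n, sk, c) for c in result], alice_view
```

Alice sees only a + r_a and the v_i + r_i, which are uniformly distributed mod n, and each direction carries one ciphertext per vector entry, matching the O(n) communication stated on the slide.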

Encrypted Matrix Singularity (reminder)
• Alice holds (PK, SK); Bob holds E_PK(M).
• Is M singular?

Gaussian Elimination
• Find a row that “starts” with a 1.
• Swap this row and the top row.
• “Eliminate” the leftmost column.
• Continue recursively.
[Figure: example 0/1 matrix]

Oblivious Gaussian Elimination
[Diagram: the entries of M, each encrypted under PK; (PK, SK)]
• “Find a row that starts with a 1.”
• “Swap this row and the top row.”
Use Alice!

Finding a row starting with a 1
STEP 1: Randomization
• Bob multiplies E(M) by a random full rank matrix R: E(M) → R E(M)
• Set m = log2n
[Diagram: the matrices RM and M, rows 1 to m, “w.h.p”]

Finding a row that starts with a 1
STEP 2: Moving the 1 to the top row.
[Diagram: matrix M, rows 1 to m, before and after]

Moving the 1 to the top row.
• Bob computes E(M[1,1]M_1)
  • If M[1,1]=0 Bob gets E(0).
  • If M[1,1]=1 Bob gets E(M_1).
• For every 2 ≤ j ≤ m, Bob computes E(M_j) ← E(M_j – M[j,1]M[1,1]M_1)
• Same with E(M_2), E(M_3), ..., E(M_m)
• Update E(M_1) = E(M_i)
• Eliminate leftmost column.
[Diagram: example with E(0), E(M_3), E(0) and the matrix M, rows 1 to m]

Moving the 1 to the top row.
• Continue recursively on the lower right submatrix.
• Finally, multiply all diagonal elements.
• M is singular if and only if the product of the diagonal entries is 1.
[Diagram: the partially eliminated matrix M]

Communication Complexity
[Table residue: communication between Alice and Bob for a single row, for one column, and overall; the entries shown are O(n) and O(n^2), with overall O(n^3) and O(n^3). Messages shown: E(M[j,1] + r_{M[j,1]}), E(M_1 + r_{M_1}), E((M[j,1] + r_{M[j,1]})(M_1 + r_{M_1})).]

Lazy Evaluation
• Memory
• Send data “on demand”
[Table residue: communication between Alice and Bob for a single row, for one column, and overall; the entries shown are O(n) and O(n^2), with overall O(n^3) and O(n^2).]

Improved Round Complexity
Protocol from [Kiltz Mohassel W Franklin]
Achieves:
• communication complexity O(n^2 log n)
• round complexity O(log n)
Setting:
• Two party with computational security
Computational assumption – homomorphic encryption

Linearly Recurrent Sequences
General idea: apply algorithms designed for sparse matrices for secure computation on general matrices.
Assumption – the underlying field is large |F| > nlog n
(otherwise – use field extension)

A Simple Reduction
Randomized approach:
To check if M is singular:
• Pick a random vector v.
• Check whether the system Mx = v is solvable.
Not solvable – M is singular.
Solvable – with high prob. (1 – 1/|F|), M is non-singular

Deciding if Mx = v is Solvable [Wiedemann]
• Consider the n+1 vectors: v, Mv, M^2 v, ..., M^n v
• There are a=(a_0, ..., a_n) such that ∑ a_i M^i v = 0
• Linearly recurrent sequences: if ∑ a_i M^i v = 0 then for all j:
  ∑ a_i M^{i+j} v = M^j(∑ a_i M^i v) = M^j 0 = 0

Deciding if Mx = v is Solvable [Wiedemann86]
• For every b=(b_0, ..., b_n) such that ∑ b_i M^i v = 0, consider the polynomial p_b(x) = ∑ b_i x^i
• The set of such polynomials forms an ideal in F[x] – the annihilator ideal
• Minimal polynomial m(x) – the generator of the ideal

The annihilator ideal
• Let f_M(x) be the characteristic polynomial of M.
• [Cayley Hamilton]: f_M(M)=0 → f_M(M)v = 0 → f_M(x) is in the annihilator ideal → m(x) | f_M(x)
• We will be interested in the constant coefficient of m(x).

The Constant Coefficient of m(x)
Claim:
(i) If m(0) ≠ 0 then Mx = v is solvable.
(ii) If m(0) = 0 then Mx = v is not solvable

The Constant Coefficient of m(x)
Claim:
(i) If m(0) ≠ 0 then Mx = v is solvable.
(ii) If m(0) = 0 then Det(M) = 0.
Conclusion:
With probability (1 – 1/|F|):
m(0) = 0 if and only if det(M)=0

Proof of the Claim (i)
(i) If m(0)≠0 then Mx=v is solvable.
• m(x) = c_n x^n + ... + c_1 x + c_0, where c_0 = m(0) ≠ 0
• m(M)v = 0 (m(x) is in the ideal)
• c_n M^n v + ... + c_1 Mv + c_0 v = 0
• M(c_n M^{n-1} v + ... + c_1 v) = -c_0 v
• set x = -c_0^{-1}(c_n M^{n-1} v + ... + c_1 v)
• Mx = v, so the system is solvable.

Proof of the Claim (ii)
(ii) If m(0)=0 then Det(M) = 0.
• f_M(0) = Det(M)
• We saw before that m(x) | f_M(x).
• Hence f_M(0)=0 and thus Det(M) = 0 □

Berlekamp/Massey Algorithm
• We are interested in computing m(0).
• Berlekamp/Massey algorithm: computes m(x) in O(n log n) operations, given v, Mv, ..., M^{2n-1} v.
• General idea: the algorithm uses an intermediate result of the extended Euclidean algorithm executed on:
  • x^{2n}
  • a polynomial whose coefficients are the elements u^T M^0 v, u^T M^1 v, ..., u^T M^{2n-1} v for some random vector u.

And now: the protocol

Multiplying two matrices
• Alice holds (PK, SK); Bob holds E(A) and E(B).
• Output for Bob: E(AB).
• Communication complexity is O(n^2)

Secure Two-Party Algorithm (sketch)
Alice holds (PK, SK); Bob holds E(M).
1. E(M) → E(M^i v), i=0,1,…,2n-1. Next slide: O(log n) rounds, O(n^2 log n) communication
2. E(M^i v) → E(m(x)). Yao’s general method applied on Berlekamp/Massey algorithm: O(1) rounds, O(n log n) communication
3. E(m(x)) → m(0) =? 0. Decryption of E(m(0)r) where r is a random number.

Computing the Sequence E_PK(M^i v)
1. Bob is given E(M) and computes E(v)
2. Bob computes E(M^{2^i}), i=1...log n
   • log n rounds, n^2 log n communication
3. Bob computes:
   • E(Mv)
   • E(M^3 v|M^2 v) = E(M^2) · E(Mv|v)
   • E(M^7 v|M^6 v|M^5 v|M^4 v) = E(M^4) · E(M^3 v|M^2 v|Mv|v)
4. Finally: E(v), E(Mv), …, E(M^{2n-1} v)
   • O(log n) rounds, O(n^2 log n) communication
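A plaintext reference for what the protocol computes under encryption, added here and not part of the talk: the doubling step for v, Mv, ..., M^{2n-1} v, a textbook quadratic-time Berlekamp/Massey (not the fast Euclidean variant the slides mention), and the m(0) test. The prime modulus, the function names and the sample matrices are assumptions.

```python
import random

P = 2**31 - 1  # prime modulus of the field F (assumption; any large prime works)

def matmul(A, B):
    """Product of two matrices (lists of rows) over GF(P)."""
    cols = list(zip(*B))
    return [[sum(x * y for x, y in zip(row, col)) % P for col in cols] for row in A]

def krylov(M, v):
    """Return [v, Mv, ..., M^(2n-1) v] using about log(2n) matrix products."""
    n = len(M)
    block = [[x % P] for x in v]      # n x 1 matrix whose only column is v
    power = M                         # holds M^(2^i)
    while len(block[0]) < 2 * n:
        shifted = matmul(power, block)            # M^(2^i) * (v | Mv | ...)
        block = [b + s for b, s in zip(block, shifted)]
        power = matmul(power, power)
    return [[row[j] for row in block] for j in range(2 * n)]

def berlekamp_massey(s):
    """Shortest recurrence s[i] + C[1]s[i-1] + ... + C[L]s[i-L] = 0 over GF(P)."""
    C, B, L, m, b = [1], [1], 0, 1, 1
    for i in range(len(s)):
        d = sum(C[j] * s[i - j] for j in range(L + 1)) % P   # discrepancy
        if d == 0:
            m += 1
            continue
        T, coef = C[:], d * pow(b, -1, P) % P
        C = C + [0] * (len(B) + m - len(C))
        for j, bj in enumerate(B):
            C[j + m] = (C[j + m] - coef * bj) % P
        if 2 * L <= i:
            L, B, b, m = i + 1 - L, T, d, 1
            C = C + [0] * (L + 1 - len(C))
        else:
            m += 1
    return C, L

def min_poly_constant_term(M, rng):
    """m(0) for the scalar sequence u^T M^i v with random u and v."""
    n = len(M)
    u = [rng.randrange(P) for _ in range(n)]
    v = [rng.randrange(P) for _ in range(n)]
    seq = [sum(a * b for a, b in zip(u, col)) % P for col in krylov(M, v)]
    C, L = berlekamp_massey(seq)
    return C[L]          # m(x) = x^L + C[1]x^(L-1) + ... + C[L]

def is_singular(M, seed=0):
    """True means det(M) = 0; a singular M is missed with probability about n/P."""
    return min_poly_constant_term(M, random.Random(seed)) == 0

# Constructed sample inputs
SINGULAR = [[1, 2, 3], [4, 5, 6], [7, 8, 9]]       # rows are linearly dependent
REGULAR = [[2, 1, 0], [1, 3, 1], [0, 1, 4]]        # determinant 18
```

The error is one-sided: for a non-singular M the minimal polynomial divides f_M with f_M(0) ≠ 0, so the test never reports such a matrix as singular.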

Recent Developments
Protocol from [Mohassel W]
For every constant t:
• communication complexity O(n^{2+1/t})
• round complexity t
Gives information theoretic security.
Based on a reduction to deciding the singularity of Toeplitz matrices.

Open Problem
Secure Linear Algebra
• Malicious case for two party computation
General Secure Computation
• Understand the relation between circuit complexity and secure protocol complexity of problem.
• Is linear communication complexity always possible?