
Secure Computation of Linear Algebraic Functions Enav Weinreb – CWI, Amsterdam Joint work with: Matt Franklin, Eike Kiltz, Payman Mohassel and Kobbi Nissim.


1 Secure Computation of Linear Algebraic Functions Enav Weinreb – CWI, Amsterdam Joint work with: Matt Franklin, Eike Kiltz, Payman Mohassel and Kobbi Nissim

2 Talk Overview
Secure Computation in General
Secure Linear Algebra Based on “Oblivious Gaussian Elimination”
Secure Linear Algebra Based on Linearly Recurrent Sequences
Recent Developments and Open Problems

3 Secure Computation
Alice has an input x. Bob has an input y.
Let f: {0,1}^{2n} → {0,1} be a Boolean function.
Alice and Bob wish to compute f(x,y) without leaking any further information on their private inputs.
The players cooperate but do not trust each other.

4 Secure Computation - Example: The Millionaires’ Problem
(Figure: Alice holds x, Bob holds y; they want to learn whether x > y.)

5 Secure Computation - Example (continued)
(Figure: y = 1,000,000,000$; answer: x < y; x = 100$ ??? x = 999,999,999$ ??? The answer alone does not tell which.)

6 “Leak no further information”
How to formulate the security requirement?
Ideal world – a trusted third party. Alice and Bob send their inputs to the trusted party. The trusted party computes f(x,y) and sends the answer to the players.
Prove a claim of the form: “whatever a ‘bad’ Alice can do while interacting with Bob could be done while interacting with the trusted party”.
Computational security versus information theoretic security.

7 “Leak no further information”
(Figure: Real World versus Ideal World, with labels x, y, f(x,y), h(x).)
Levels of security:
Computational – adversary is computationally limited.
Information theoretic – adversary is computationally unbounded.

8 Complexity Measures and Adversary Model
Important complexity measures: communication complexity, round complexity, computational complexity.
Adversary models:
Honest but curious – the adversary follows the protocol but tries to learn more information.
Malicious – the adversary arbitrarily deviates from the protocol.

9 Boolean Circuit Complexity
Let f: {0,1}^{2n} → {0,1}.
We consider digital circuits with the gates {AND, OR, NOT} that compute f in the natural way.
circuit size – number of gates
circuit depth – max distance from an input wire to the output
(Figure: a circuit on inputs x1, ..., x8.)

10 General Result – two-party [Yao]
A Boolean circuit that computes f(x,y) with size s(n) implies a secure two-party protocol for computing f(x,y) with:
communication complexity linear in s(n)
2 rounds
computational security

11 General Result – Multi-Party [BGW, CCD]
A Boolean circuit that computes f(x_1, ..., x_k) with size s(n) and depth d(n) implies a secure k-party protocol for computing f(x_1, ..., x_k) with:
communication complexity linear in s(n)
round complexity d(n)
information theoretic security against:
less than k/2 adversarial players – honest but curious
less than k/3 adversarial players – malicious

12 Talk Overview
Secure Computation in General
Secure Linear Algebra Based on “Oblivious Gaussian Elimination”
Secure Linear Algebra Based on Linearly Recurrent Sequences
Recent Developments and Open Problems

13 Linear Algebraic Functions
Matrix singularity: Alice and Bob hold A ∈ F^{n×n} and B ∈ F^{n×n} respectively, where F is a finite field. They wish to (securely) compute whether M = A + B is singular.
An efficient secure protocol for singularity leads to efficient protocols for:
solving a joint system of equations (linear constraints may contain private information!)
computing det(M), char.poly(M), min.poly(M)
computing subspace intersection
more...

14 Applying General Results
The circuit complexity of matrix singularity is similar to the number of multiplications in a matrix product. Best known result: O(n^{2.38}) [Coppersmith Winograd].
The input size is only n^2 – the trivial non-cryptographic protocol has complexity n^2.
Can we achieve this in a secure protocol? Can we achieve this while keeping the round complexity low?

15 A previous result
“Secure linear algebra in a constant number of rounds.” [Cramer Damgård]
Information theoretic security, constant round complexity, communication complexity O(n^3).

16 Our results
A secure protocol for singularity(A+B) in the computational two-party setting with:
communication complexity O(n^2 log n)
round complexity O(log n)
Recent improvements [Mohassel W]: constant round, information theoretic security.

17 Oblivious Gaussian Elimination
Protocol from [Nissim W]. Achieves:
communication complexity O(n^2 log n)
round complexity O(n)
Cryptographic assumption: public key homomorphic encryption.

18 Tool: Homomorphic Encryption
Public key encryption scheme.
Public key PK is published – everybody can encrypt.
Secret key SK is private – only one party can decrypt.
For
Corollary:
Example: [Goldwasser Micali] (QR) for F = GF(2). (with PK only)

19 Initial Step
(Figure: the key pair is generated and PK is sent; Alice holds A ∈ F^{n×n}, Bob holds B ∈ F^{n×n}; M = A + B. Is M singular?)

20 Algorithms on Encrypted Data
Bob can locally compute: (figure)
What about multiplication? Use Alice!

21 Multiplication
(Figure; the label reads “Chooses random”.)

22 Multiplying a Vector by a Scalar
Communication complexity is O(n).
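The next block is an added example, not code from the talk or its authors. It shows the tool of slides 18–22 in working form: an additively homomorphic scheme under which Bob, holding only PK, adds ciphertexts and multiplies by known scalars locally, and a one-round-trip sub-protocol in which Bob gets Alice's help to multiply an encrypted scalar by an encrypted vector with O(n) communication. Two assumptions are mine: Paillier stands in for the scheme the talk leaves unspecified (the talk's own example is Goldwasser–Micali over GF(2)), so the plaintext ring Z_N takes the place of the field F; and the masking sub-protocol (Bob blinds with random r, s, Alice decrypts, multiplies and re-encrypts, Bob strips the masks) is a standard construction, not necessarily the exact protocol behind the talk's "Use Alice!". The Mersenne primes are constructed toy parameters, not a secure key pair.

```python
"""Toy additively homomorphic encryption plus the "use Alice!" multiplication step.

Constructed example: Paillier stands in for the talk's unspecified scheme, and its
plaintext ring Z_N stands in for the field F. The Mersenne primes below are chosen
so the arithmetic is easy to check; they are NOT a secure key pair.
"""
import secrets

P_PRIME = (1 << 61) - 1                 # constructed toy prime (part of Alice's secret key)
Q_PRIME = (1 << 89) - 1                 # constructed toy prime (part of Alice's secret key)
N = P_PRIME * Q_PRIME                   # public key PK
N2 = N * N
PHI = (P_PRIME - 1) * (Q_PRIME - 1)     # secret key SK: phi(N), a multiple of Carmichael's lambda
PHI_INV = pow(PHI, -1, N)               # needs gcd(PHI, N) = 1, which holds for these primes


def encrypt(m):
    """E_PK(m) = (1+N)^m * r^N mod N^2; anyone holding PK can encrypt."""
    r = secrets.randbelow(N - 1) + 1
    return (1 + (m % N) * N) % N2 * pow(r, N, N2) % N2


def decrypt(c):
    """Only Alice, who holds SK, can decrypt."""
    x = pow(c, PHI, N2)                  # = 1 + (m*PHI mod N)*N  (mod N^2)
    return (x - 1) // N * PHI_INV % N


def add(c1, c2):
    """E(a) * E(b) = E(a + b): Bob computes this locally, with PK only."""
    return c1 * c2 % N2


def scalar_mult(c, k):
    """E(a)^k = E(k * a): also local; a negative k is taken mod N."""
    return pow(c, k % N, N2)


# Multiplying an encrypted scalar E(c) by an encrypted vector E(w) with Alice's help.
# Bob masks both with fresh random values, Alice decrypts the masked values, multiplies
# and re-encrypts, and Bob strips the masks homomorphically. Alice sees only c+r and
# w_i+s_i, which are uniform in Z_N, and Bob never sees a plaintext. Communication is
# n+1 ciphertexts each way, i.e. O(n) as on slide 22.

def bob_mask(e_c, e_w):
    r = secrets.randbelow(N)
    s = [secrets.randbelow(N) for _ in e_w]
    masked_c = add(e_c, encrypt(r))
    masked_w = [add(e_wi, encrypt(si)) for e_wi, si in zip(e_w, s)]
    return (masked_c, masked_w), (r, s)


def alice_multiply(masked_c, masked_w):
    c_plus_r = decrypt(masked_c)
    return [encrypt(c_plus_r * decrypt(mw)) for mw in masked_w]


def bob_unmask(e_products, e_c, e_w, r, s):
    """(c+r)(w_i+s_i) - s_i*c - r*w_i - r*s_i = c*w_i, evaluated under encryption."""
    result = []
    for e_prod, e_wi, si in zip(e_products, e_w, s):
        t = add(e_prod, scalar_mult(e_c, -si))
        t = add(t, scalar_mult(e_wi, -r))
        t = add(t, encrypt(-r * si))
        result.append(t)
    return result


def secure_scalar_vector_mult(e_c, e_w):
    """Runs both parties' steps in sequence (one round trip)."""
    to_alice, masks = bob_mask(e_c, e_w)
    from_alice = alice_multiply(*to_alice)
    return bob_unmask(from_alice, e_c, e_w, *masks)


def secure_mult(e_a, e_b):
    """E(a) * E(b) -> E(a*b): the one-element case of the vector protocol."""
    return secure_scalar_vector_mult(e_a, [e_b])[0]
```

The design point worth noticing is who learns what: Alice decrypts, but every value she decrypts is one-time-padded by Bob's mask, so her view is independent of c and w; Bob only ever handles ciphertexts. Both properties rely on the masks being fresh per call and uniform over the whole plaintext space.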

23 Encrypted Matrix Singularity (reminder)
Is M singular? (figure)

24 Gaussian Elimination
Find a row that “starts” with a 1.
Swap this row and the top row.
“Eliminate” the leftmost column.
Continue recursively.

25 Oblivious Gaussian Elimination
“Find a row that starts with a 1.”
“Swap this row and the top row.”
Use Alice!

26 Oblivious Gaussian Elimination
STEP 1: Randomization. Bob multiplies E(M) by a random full rank matrix R: E(M) → R · E(M).
Set m = log_2 n.
Finding a row starting with a 1 w.h.p.

27 Finding a row that starts with a 1
STEP 2: Moving the 1 to the top row. (Figure.)

28 Moving the 1 to the top row
(M_i denotes row i of M.)
Bob computes E(M[1,1] · M_1). If M[1,1] = 0 Bob gets E(0); if M[1,1] = 1 Bob gets E(M_1).
Same with E(M_2), E(M_3), ..., E(M_m).
Update E(M_1) = E(M_i).
Eliminate the leftmost column: for every 2 ≤ j ≤ m, Bob computes E(M_j) ← E(M_j – M[j,1] · M[1,1] · M_1).

29 Moving the 1 to the top row
Continue recursively on the lower right submatrix.
Finally, multiply all diagonal elements. M is singular if and only if the product of the diagonal entries is 0.
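As an added example (not the talk's protocol, which runs on encrypted rows), here is the elimination recipe of slides 24–29 in the clear over GF(p): pivot search, row swap, elimination of the leftmost column, recursion on the lower-right block, and the final product-of-diagonal test. It also includes a small simulation of the slide-26 claim: after left-multiplying by a random full-rank R over GF(2), one of the first m = log2 n rows starts with a 1 with high probability. The function and parameter names are my own.

```python
"""Gaussian elimination over GF(p) following the talk's recipe (constructed example)."""
import random


def gaussian_elimination_pivots(M, p):
    """Row-reduce a copy of M over GF(p) and return the product of the pivots.

    Step k: find a row (from row k down) whose entry in column k is nonzero, swap it
    to row k, eliminate column k below it, then continue on the lower-right block.
    Swaps only flip the sign of det(M), so the product is 0 exactly when M is singular.
    """
    A = [[x % p for x in row] for row in M]
    n = len(A)
    product = 1
    for k in range(n):
        pivot_row = next((i for i in range(k, n) if A[i][k] != 0), None)
        if pivot_row is None:            # no pivot in this column: rank < n
            return 0
        A[k], A[pivot_row] = A[pivot_row], A[k]
        pivot = A[k][k]
        product = product * pivot % p
        inv = pow(pivot, p - 2, p)       # pivot^{-1} in GF(p)
        for i in range(k + 1, n):
            factor = A[i][k] * inv % p
            if factor:
                A[i] = [(a - factor * b) % p for a, b in zip(A[i], A[k])]
    return product


def is_singular(M, p):
    return gaussian_elimination_pivots(M, p) == 0


def mat_mul(A, B, p):
    return [[sum(a * b for a, b in zip(row, col)) % p for col in zip(*B)] for row in A]


def random_full_rank_matrix(n, rng):
    """Rejection-sample a uniformly random invertible matrix over GF(2)."""
    while True:
        R = [[rng.randrange(2) for _ in range(n)] for _ in range(n)]
        if not is_singular(R, 2):
            return R


def fraction_with_pivot_in_top_rows(M, trials, seed=1):
    """Slide 26 over GF(2): replace M by R*M for random full-rank R and count how often
    one of the first m = log2 n rows starts with a 1. If column 1 of M is nonzero,
    column 1 of R*M is a uniform nonzero vector, so the miss probability is about 2^-m."""
    rng = random.Random(seed)            # seeded so the simulation is repeatable
    n = len(M)
    m = max(1, n.bit_length() - 1)       # log2 n (exact when n is a power of two)
    hits = 0
    for _ in range(trials):
        RM = mat_mul(random_full_rank_matrix(n, rng), M, 2)
        if any(RM[i][0] == 1 for i in range(m)):
            hits += 1
    return hits / trials
```

For n = 8 and m = 3 the miss probability is (2^5 − 1)/(2^8 − 1) ≈ 0.12, so the fraction returned sits near 0.88; the oblivious protocol pays for this by only ever inspecting the first m rows, which is what keeps the data-dependent pivot search hidden from Bob.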

30 Communication Complexity
(Table with rows Alice → Bob, Alice ← Bob, Overall and columns Single row, One column; the entries are not in the transcript.)

31 Lazy Evaluation
(Same table as slide 30 with an added Memory row; the entries are not in the transcript.)
Send data “on demand”.

32 Talk Overview
Secure Computation in General
Secure Linear Algebra Based on “Oblivious Gaussian Elimination”
Secure Linear Algebra Based on Linearly Recurrent Sequences
Recent Developments and Open Problems

33 Improved Round Complexity
Protocol from [Kiltz Mohassel W Franklin]. Achieves:
communication complexity O(n^2 log n)
round complexity O(log n)
Setting: two party with computational security.
Computational assumption – homomorphic encryption.

34 Linearly Recurrent Sequences
General idea: apply algorithms designed for sparse matrices to secure computation on general matrices.
Assumption – the underlying field is large: |F| > n log n (otherwise – use a field extension).

35 A Simple Reduction
Randomized approach: to check if M is singular:
Pick a random vector v.
Check whether the system Mx = v is solvable.
Not solvable – M is singular.
Solvable – with high probability (1 – 1/|F|), M is non-singular.

36 Deciding if Mx = v is Solvable [Wiedemann]
Consider the n+1 vectors v, Mv, M^2 v, ..., M^n v.
There is a = (a_0, ..., a_n) such that Σ a_i M^i v = 0.
Linearly recurrent sequences: if Σ a_i M^i v = 0 then for all j: Σ a_i M^{i+j} v = M^j (Σ a_i M^i v) = M^j · 0 = 0.

37 Deciding if Mx = v is Solvable [Wiedemann86]
For every b = (b_0, ..., b_n) such that Σ b_i M^i v = 0, consider the polynomial p_b(x) = Σ b_i x^i.
The set of such polynomials forms an ideal in F[x] – the annihilator ideal.
Minimal polynomial m(x) – the generator of the ideal.

38 The annihilator ideal
Let f_M(x) be the characteristic polynomial of M.
[Cayley Hamilton]: f_M(M) = 0 → f_M(M)v = 0 → f_M(x) is in the annihilator ideal → m(x) | f_M(x).
We will be interested in the constant coefficient of m(x).

39 The Constant Coefficient of m(x)
Claim: (i) If m(0) ≠ 0 then Mx = v is solvable. (ii) If m(0) = 0 then Mx = v is not solvable.

40 The Constant Coefficient of m(x)
Claim: (i) If m(0) ≠ 0 then Mx = v is solvable. (ii) If m(0) = 0 then det(M) = 0.
Conclusion: with probability (1 – 1/|F|), m(0) = 0 if and only if det(M) = 0.

41 Proof of the Claim (i)
(i) If m(0) ≠ 0 then Mx = v is solvable.
m(x) = c_n x^n + ... + c_1 x + c_0 where c_0 = m(0) ≠ 0.
m(M)v = 0 (m(x) is in the ideal):
c_n M^n v + ... + c_1 Mv + c_0 v = 0
M(c_n M^{n-1} v + ... + c_1 v) = −c_0 v
Set x = −c_0^{-1} (c_n M^{n-1} v + ... + c_1 v). Then Mx = v, so the system is solvable.

42 Proof of the Claim (ii)
(ii) If m(0) = 0 then det(M) = 0.
f_M(0) = det(M). We saw before that m(x) | f_M(x). Hence f_M(0) = 0 and thus det(M) = 0. □

43 Berlekamp/Massey Algorithm
We are interested in computing m(0).
Berlekamp/Massey algorithm: computes m(x) in O(n log n) operations, given v, Mv, ..., M^{2n-1} v.
General idea: the algorithm uses an intermediate result of the extended Euclidean algorithm executed on x^{2n} and a polynomial whose coefficients are the elements u^T M^0 v, u^T M^1 v, ..., u^T M^{2n-1} v for some random vector u.

44 And now: the protocol

45 Multiplying two matrices (figure)
Communication complexity is O(n^2).

46 Secure Two-Party Algorithm (sketch)
(Figure labels: Alice holds (PK, SK); Bob holds E(M).)
Compute E(M^i v), i = 0, 1, …, 2n−1 (next slide: O(log n) rounds, O(n^2 log n) communication).
Compute E(m(x)) by Yao’s general method applied to the Berlekamp/Massey algorithm: O(1) rounds, O(n log n) communication.
Decide m(0) =? 0 by decrypting E(m(0) · r), where r is a random number.

47 Computing the Sequence E_PK(M^i v)
1. Bob is given E(M) and computes E(v).
2. Bob computes E(M^{2^i}), i = 1, ..., log n: log n rounds, n^2 log n communication.
3. Bob computes: E(Mv); E(M^3 v | M^2 v) = E(M^2) · E(Mv | v); E(M^7 v | M^6 v | M^5 v | M^4 v) = E(M^4) · E(M^3 v | M^2 v | Mv | v); and so on.
4. Finally: E(v), E(Mv), …, E(M^{2n−1} v).
O(log n) rounds, O(n^2 log n) communication.
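The following is an added example, not code from the talk or its authors, covering slides 35–43 and 47 together in the clear (no encryption): the slide-47 doubling schedule that produces v, Mv, ..., M^{2n−1}v with O(log n) matrix-matrix products, the Berlekamp/Massey algorithm over GF(p) run on the scalars u^T M^i v, and the slide-40 decision m(0) =? 0. It assumes a prime field GF(p) and uses my own function names; the matrices in the test are constructed inputs. One caveat a practitioner should keep in mind, and which the code comments on: projecting the vector sequence to scalars with a random u can lose the factor x of m(x) with probability about 1/p, which is why the talk insists on a large field.

```python
"""Wiedemann-style singularity test: Krylov sequence by doubling + Berlekamp/Massey.

Constructed example in the clear, not the talk's encrypted protocol.
"""
import random


def mat_mul(A, B, p):
    return [[sum(a * b for a, b in zip(row, col)) % p for col in zip(*B)] for row in A]


def mat_vec(A, w, p):
    return [sum(a * x for a, x in zip(row, w)) % p for row in A]


def krylov_sequence_by_doubling(M, v, count, p):
    """Return [v, Mv, ..., M^{count-1} v] using O(log count) matrix-matrix products.

    Round i holds M^{2^i} and the batch [M^j v : j < 2^i]; multiplying the batch by
    M^{2^i} (one n x n by n x 2^i product) gives the next 2^i vectors, after which
    M^{2^i} is squared for the following round, exactly the slide-47 schedule.
    """
    batch = [[x % p for x in v]]
    power = [[x % p for x in row] for row in M]
    while len(batch) < count:
        batch += [mat_vec(power, w, p) for w in batch]
        power = mat_mul(power, power, p)
    return batch[:count]


def berlekamp_massey(s, p):
    """Shortest linear recurrence of s over GF(p).

    Returns (C, L) with C(x) = 1 + C[1] x + ... + C[L] x^L such that
    s_j + C[1] s_{j-1} + ... + C[L] s_{j-L} = 0 for all j >= L. The minimal polynomial
    of the sequence is the reversal m(x) = x^L C(1/x), so m(0) = C[L].
    """
    C, B = [1], [1]
    L, m, b = 0, 1, 1
    for n, s_n in enumerate(s):
        d = s_n                                   # discrepancy at position n
        for i in range(1, L + 1):
            d = (d + C[i] * s[n - i]) % p
        if d == 0:
            m += 1
            continue
        coef = d * pow(b, p - 2, p) % p
        T = C[:]
        if len(B) + m > len(C):
            C += [0] * (len(B) + m - len(C))
        for i, bi in enumerate(B):                # C <- C - (d/b) x^m B
            C[i + m] = (C[i + m] - coef * bi) % p
        if 2 * L <= n:
            L, B, b, m = n + 1 - L, T, d, 1
            if len(C) < L + 1:
                C += [0] * (L + 1 - len(C))
        else:
            m += 1
    return C[:L + 1], L


def wiedemann_singular(M, p, seed=7):
    """Slides 35-43: pick a random v (and projection u), compute s_i = u^T M^i v for
    i < 2n, find the minimal polynomial m of that sequence and report m(0) == 0.
    A nonsingular M always yields m(0) != 0 (x does not divide its characteristic
    polynomial); a singular M yields m(0) == 0 except with probability about (n+1)/p,
    which is why the talk assumes a large field."""
    rng = random.Random(seed)
    n = len(M)
    v = [rng.randrange(p) for _ in range(n)]
    u = [rng.randrange(p) for _ in range(n)]
    seq = [sum(ui * xi for ui, xi in zip(u, w)) % p
           for w in krylov_sequence_by_doubling(M, v, 2 * n, p)]
    C, L = berlekamp_massey(seq, p)
    return C[L] == 0
```

Usage: wiedemann_singular(M, (1 << 61) - 1) for an integer matrix M decides singularity modulo that prime. Berlekamp/Massey needs 2L terms to pin down a recurrence of length L, and L ≤ n here, which is why exactly 2n sequence elements are computed.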

48 Talk Overview
Secure Computation in General
Secure Linear Algebra Based on “Oblivious Gaussian Elimination”
Secure Linear Algebra Based on Linearly Recurrent Sequences
Recent Developments and Open Problems

49 Recent Developments
Protocol from [Mohassel W]. For every constant t:
communication complexity O(n^{2+1/t})
round complexity t
Gives information theoretic security. Based on a reduction to deciding the singularity of Toeplitz matrices.

50 Open Problems
Secure linear algebra: the malicious case for two-party computation.
General secure computation: understand the relation between the circuit complexity and the secure-protocol complexity of a problem. Is linear communication complexity always possible?


