## Efficient Secure Linear Algebra in the Presence of Covert or Computationally Unbounded Adversaries

### Cached

### Download Links

Citations: | 5 - 1 self |

### BibTeX

@MISC{Mohassel_efficientsecure,

author = {Payman Mohassel and Enav Weinreb},

title = {Efficient Secure Linear Algebra in the Presence of Covert or Computationally Unbounded Adversaries},

year = {}

}

### OpenURL

### Abstract

Abstract. In this work we study the design of secure protocols for linear algebra problems. All current solutions to the problem are either inefficient in terms of communication complexity or assume that the adversary is honest but curious. We design protocols for two different adversarial settings: First, we achieve security in the presence of a covert adversary, a notion recently introduced by [Aumann and Lindell, TCC 2007]. Roughly speaking, this guarantees that if the adversary deviates from the protocol in a way that allows him to cheat, then he will be caught with good probability. Second, we achieve security against arbitrary malicious behaviour in the presence of a computationally unbounded adversary that controls less than a third of the parties. Our main result is a new upper bound of O(n 2+1/t) communication for testing singularity of a shared n×n matrix in constant round, for any constant t in both of these adversarial environments. We use this construction to design secure protocols for computing the rank of a shared matrix and solving a shared linear system of equations with similar efficiency. We use different techniques from computer algebra, together with recent ideas from [Cramer, Kiltz, and Padró, CRYPTO 2007], to reduce the problem of securely deciding singularity to the problem of securely computing matrix product. We then design new and efficient protocols for secure matrix product in both adversarial settings. In the two-party setting, we combine cut-and-choose techniques on random additive decomposition of the input, with a careful use of the random strings of a homomorphic encryption scheme to achieve simulation-based security. Thus, our protocol avoids general zero-knowledge proofs and only makes a black-box use of a homomorphic encryption scheme. 1

### Citations

798 | Matrix multiplication via arithmetic progressions - Coppersmith, Winograd - 1990 |

677 | Completeness Theorems for NonCryptographic Fault-Tolerant Distributed Computation - Ben-Or, Goldwasser, et al. - 1988 |

636 |
An Introduction to Parallel Algorithms
- JAJA
- 1992
(Show Context)
Citation Context ...rom [Wie86], [KP91], and [KS91] to reduce the problem of deciding the singularity of a general matrix M into deciding the singularity of a related Toeplitz matrix T . We then use a lemma by Leverrier =-=[JáJ92]-=- which reduces the problem into computing the traces of powers of T . Finally, we define the Toeplitz matrix of polynomials (I − λT ) and use the Gohberg-Semencul formula for the inverse of a Toeplitz... |

562 | How to Generate and Exchange Secrets - Yao - 1986 |

531 |
Protocols for secure computations
- Yao
- 1982
(Show Context)
Citation Context ...ecure in the malicious model, assuming the adversary controls less that a third of the parties.) Computational Setting. As previously noted, using the general well-known garbled circuit method of Yao =-=[Yao82]-=-, one can get a constant round protocol for various linear algebraic problems with communication complexity that is proportional to the Boolean circuit complexity of matrix multiplication, for which t... |

433 | Multiparty Unconditionally Secure Protocols - Chaum, Crépeau, et al. - 1988 |

182 |
Algebraic complexity theory
- Bürgisser, Clausen, et al.
- 1997
(Show Context)
Citation Context ...es in case of information theoretic security). Alas, the circuit complexity of matrix singularity, as well as that of many other linear algebraic problem, is tightly related to that of matrix product =-=[BCS97]-=-. The best known upper bound for circuits for matrix product is O(n ω ) [CW87] with ω ∼ = 2.38, which is significantly larger than the input size. Moreover, in the information theoretic setting the ro... |

130 | Fast solution of Toeplitz systems of equations and computation of Padé approximations - Brent, Gustavson, et al. - 1980 |

122 | General secure multi-party computation from any linear scheme
- Cramer, Damg˚ard, et al.
- 2000
(Show Context)
Citation Context ...res of [a] and [b] to non-interactively compute a value ci. The product ab can then be computed from ci’s using a fixed reconstruction vector(r1, . . . , rk), where k is the number of parties 4 . In =-=[CDM00]-=-, it is shown how to construct a multiplicative LSSS scheme from any LSSS scheme without sacrificing efficiency. 3 Matrix Product Secure Against Covert Adversaries Given shares of two n×n matrices, we... |

115 |
Non-Cryptographic Fault-Tolerant Computing
- Bar-Ilan, Beaver
- 1989
(Show Context)
Citation Context ...-Semencul formula for the inverse of a Toeplitz matrix, to compute the above traces efficiently. We rely on techniques for iterated matrix product [CKP07] (which, in turn, is based on techniques from =-=[BIB89]-=-), combined with some simple linear algebraic manipulations, to translate the above algorithmic ideas into a constant round secure protocol for matrix singularity with the above mentioned communicatio... |

90 |
Processor efficient parallel solution of linear systems over an abstract field
- Kaltofen, Pan
- 1991
(Show Context)
Citation Context ...ix singularity, equipped with our secure protocol 1 the cheating probability can be reduced to 1/k paying a factor of k in the communication complexity.for matrix product. We use ideas from [Wie86], =-=[KP91]-=-, and [KS91] to reduce the problem of deciding the singularity of a general matrix M into deciding the singularity of a related Toeplitz matrix T . We then use a lemma by Leverrier [JáJ92] which reduc... |

77 | Parallel Coin-Tossing and Constant-Round Secure Two-Party Computation
- Lindell
- 2001
(Show Context)
Citation Context ...f our protocol for this functionality, a protocol for a functionality with random C and ra ′ as outputs. Hence we assume that we have access to a secure coin-tossing protocol such as the one given in =-=[Lin01]-=-. To simplify the composition, we divide the protocol into several parts, where the parts will be performed sequentially one after the other. Alice’s Computation 1. Alice writes her inputs as sums. Fo... |

74 |
On Wiedemann’s method of solving sparse linear systems
- Kaltofen, Saunders
- 1991
(Show Context)
Citation Context ...ty, equipped with our secure protocol 1 the cheating probability can be reduced to 1/k paying a factor of k in the communication complexity.for matrix product. We use ideas from [Wie86], [KP91], and =-=[KS91]-=- to reduce the problem of deciding the singularity of a general matrix M into deciding the singularity of a related Toeplitz matrix T . We then use a lemma by Leverrier [JáJ92] which reduces the probl... |

55 | Security against covert adversaries: Efficient protocols for realistic adversaries. Theory of Cryptography
- Aumann, Lindell
- 2007
(Show Context)
Citation Context ...ank of a shared matrix, are efficiently reducible to this task. When no honest majority is assumed, as in the classic two-party setting, our protocols are secure in the presence of a covert adversary =-=[AL07]-=-, assuming the existence of public key homomorphic encryption schemes. Previous communication efficient secure protocols for linear algebra were known only in the honest but curious setting. In case t... |

38 | The inversion of finite Toeplitz matrices and their continual analogues - Gohberg, Semencul - 1972 |

22 | Information-Theoretically Secure Protocols and Security Under Composition
- Kushilevitz, Lindell, et al.
(Show Context)
Citation Context ... other linear algebra problems is reduced to a secure matrix product protocol. The guaranteed security is in part due to the existing general composition theorems in the information-theoretic setting =-=[KLR06]-=-. 5 5 From Matrix Singularity to Matrix Product In this section we design a secure protocol for deciding singularity of a shared matrix given an efficient implementation of a secure protocol for matri... |

20 | Secure distributed linear algebra in a constant number of rounds
- Cramer, Damg˚ard
(Show Context)
Citation Context ...r various linear algebraic tasks, these general constructions fall well short of giving optimal protocols in terms of communication and round complexity. Starting with the work of Cramer and Damg˚ard =-=[CD01]-=-, the task of designing secure protocols for linear algebraic problems has been the focus of several recent works in secure computation [NW06,KMWF07,CKP07]. We focus on the problem of deciding the sin... |

20 | New inversion formulas for matrices classified in terms of their distance from Toeplitz matrices - Friedlander, Morf, et al. - 1979 |

10 | Secure linear algebra using linearly recurrent sequences
- Kiltz, Mohassel, et al.
- 2007
(Show Context)
Citation Context ...[CW87] for ω ∼ = 2.38. As discussed above, the protocol of [NW06] was the first to improve the communication complexity to roughly O(n 2 ), in the price of large round complexity. Later, Kiltz et al. =-=[KMWF07]-=- improved on the 2 The complexity of their protocols can be reduced to O(n 3 ) using the matrix product protocol from this paper.round complexity to get a protocol with O(log n) rounds and communicat... |

9 | Communication efficient secure linear algebra
- Nissim, Weinreb
(Show Context)
Citation Context ...2 m) which improves on [CD01] for small values of m. The only protocol applicable to the information theoretical setting with communication complexity of roughly O(n 2 ) is that of Nissim and Weinreb =-=[NW06]-=-. However, this protocol has polynomial round complexity (Ω(n 0.27 )) and is proved secure only in the honest but curious model. (The protocols of [CD01] and [CKP07] are secure in the malicious model,... |

9 |
Public-key cryptosystems based on composite degree residuosity classes
- Pallier
- 1999
(Show Context)
Citation Context ...ne can compute a string r such that C = E(m1 + m2, r). We note that although not every homomorphic encryption scheme has this property, some well known encryption schemes, such as the one by Paillier =-=[Pal99]-=-, are suitable for our purposes. After the computations take place, the parties reveal parts of their additive sharing of the input, catching cheating adversaries 1 with probability 1/2. Revealing par... |

4 |
A note on secure computation of the MoorePenrose pseudoinverse and its spplication to secure linear algebra
- Cramer, Kiltz, et al.
- 2007
(Show Context)
Citation Context ...z matrix of polynomials (I − λT ) and use the Gohberg-Semencul formula for the inverse of a Toeplitz matrix, to compute the above traces efficiently. We rely on techniques for iterated matrix product =-=[CKP07]-=- (which, in turn, is based on techniques from [BIB89]), combined with some simple linear algebraic manipulations, to translate the above algorithmic ideas into a constant round secure protocol for mat... |

1 | Fitzi and Eike Kiltz and Jesper Buus Nielsen and Tomas Toft. Unconditionally Secure Constant-Rounds Multi-Party Computation for Equality, Comparison, Bits and Exponentiation - Damgaard, Matthias |

1 |
Solving sparse linear equations over finite fields
- classes
- 1999
(Show Context)
Citation Context ... for matrix singularity, equipped with our secure protocol 1 the cheating probability can be reduced to 1/k paying a factor of k in the communication complexity.for matrix product. We use ideas from =-=[Wie86]-=-, [KP91], and [KS91] to reduce the problem of deciding the singularity of a general matrix M into deciding the singularity of a related Toeplitz matrix T . We then use a lemma by Leverrier [JáJ92] whi... |

1 | Algebraic complexity theory - LNCS - 2007 |

1 | A.: Completeness theorems for noncryptographic fault-tolerant distributed computations - Springer - 1997 |

1 | Processor efficient parallel solution of linear systems over an abstract field - LNCS - 1991 |