A New Secure Matrix Multiplication from Ring-LWE

Abstract

Matrix multiplication is one of the most basic and useful operations in statistical calculations and machine learning. When the matrices contain sensitive information and the computation has to be carried out in an insecure environment, such as a cloud server, secure matrix multiplication computation (MMC) is required, so that the computation can be outsourced without information leakage. Dung et al. apply the Ring-LWE-based somewhat public key homomorphic encryption scheme to secure MMC [TMMP2016], whose packing method is an extension of Yasuda et al.’s methods [SCN2015 and ACISP2015] for secure inner product. In this study, we propose a new packing method for secure MMC from Ring-LWE-based secure inner product and show that ours is efficient and flexible.

A Correctness of Theorem 2

Apart from Notation list-1.\(\sim \)3., the following list of notation should be useful:

Notation List-4. For a vector \(V=(v_1, ... , v_{\gamma })\), \({\mathsf { pol}}(V)= v_1x^{\delta _1}+ ... + v_{\gamma }x^{\delta _{\gamma }}\), let

When V is a row or column vector of a matrix of size \(\beta \times \beta \), \(\gamma = \beta \).

Proof

According to Eqs. (6) and (5), we have

$$ \begin{array}{l} x^{2j {\beta }^2-\beta }\widehat{A}(x)= x^{2j {\beta }^2-\beta } \widetilde{A}(x)[rows] + x^{2j {\beta }^2-\beta } \widetilde{A}(x)[columns] \end{array} $$

$$ \begin{array}{l} x^{2j {\beta }^2-\beta } \widetilde{A}(x)[rows] \\ \qquad =( a_{11}x^{2j\beta ^2-\beta } \,+\, ...\,+\,a_{1\beta }x^{2j\beta ^2-1} )\,+\,...\,+\,( a_{i-1,1}x^{2j\beta ^2-(i-3)\beta } \\ \qquad \quad +...+\,a_{i-1,\beta }x^{2j\beta ^2+(i-2)\beta -1} ) + ( a_{i,1}x^{2j\beta ^2-(i-2)\beta } + ... + a_{i,\beta }x^{2j\beta ^2+(i-1)\beta -1} ) \\ \qquad \quad + ( a_{i+1,1}x^{2j\beta ^2-(i-1)\beta } + ... + a_{i+1,\beta }x^{2j\beta ^2+i \beta -1} )+ ... + ( a_{\beta ,1}x^{2j\beta ^2-(\beta -2)\beta } \\ \qquad \quad + ... + a_{\beta ,\beta }x^{2j\beta ^2+ \beta ^2 -\beta -1} ) \\ \qquad = {\mathsf { pol}}(A_1^{(r)}) + ... + {\mathsf { pol}}(A_{i-1}^{(r)}) + {\mathsf { pol}}(A_i^{(r)}) + {\mathsf { pol}}(A_{i+1}^{(r)}) + ... + {\mathsf { pol}}(A_{\beta }^{(r)}), \\ x^{2j {\beta }^2-\beta } \widetilde{A}(x)[columns] \\ \qquad =x^{2j {\beta }^2-\beta }(x^{2\times {\beta }^2-\beta }A_1^{(c)}+ ...+ x^{2i\times {\beta }^2-\beta }A_i^{(c)}\,+\,...\,+\,x^{2\beta \times {\beta }^2-\beta }A_{\beta }^{(c)}) X \\ \qquad = x^{2 {\beta }^2-\beta } (a_{11}x^{2j {\beta }^2-\beta } \,+\,...\,+\, a_{\beta ,1}x^{2j {\beta }^2-1} ) \,+\,...\,+\, x^{2i {\beta }^2-\beta } (a_{1,i}x^{2j {\beta }^2-\beta } \\ \qquad \quad +... + a_{\beta ,i}x^{2j {\beta }^2-1} ) \,+\,...\,+\, x^{2\beta {\beta }^2-\beta } (a_{1,\beta }x^{2j {\beta }^2-\beta } \,+\,...\,+\, a_{\beta ,\beta }x^{2j {\beta }^2-1} ) \\ \qquad = {\mathsf { pol}}(A_1^{(c)}) + ... + {\mathsf { pol}}(A_i^{(c)}) + ... + {\mathsf { pol}}(A_{\beta }^{(c)}); \end{array} $$

and

$$ \begin{array}{l} x^{(i-1)\beta }\widehat{B}(x) = x^{(i-1)\beta } \widetilde{B}(x)[rows] + x^{(i-1)\beta } \widetilde{B}(x)[columns] \end{array} $$

$$ \begin{array}{l} x^{(i-1)\beta } \widetilde{B}(x)[rows] \\ \qquad =( b_{11}x^{(i-1)\beta } + ... + b_{1\beta }x^{i \beta -1} ) + ( b_{21}x^{i \beta } + ... + b_{2 \beta }x^{(i+1) \beta -1} ) \\ \qquad \quad + ... + ( b_{\beta ,1}x^{(i-1)\beta + (\beta -1)\beta } + ... + b_{\beta ,\beta }x^{(i-1)\beta + \beta ^2 -1} ) \\ \qquad = {\mathsf { pol}}(B_1^{(r)}) + {\mathsf { pol}}(B_2^{(r)}) + ... + {\mathsf { pol}}(B_{\beta }^{(r)}), \\ x^{(i-1)\beta } \widetilde{B}(x)[columns] \\ \qquad = x^{(i-1)\beta } (x^{2\times {\beta }^2-\beta }B_1^{(c)}+ ...+ x^{2j \times {\beta }^2-\beta }B_i^{(c)}\,+\,...\,+\,x^{2\beta \times {\beta }^2-\beta }B_{\beta }^{(c)}) X \\ \qquad =x^{2{\beta }^2-\beta } ( b_{11}x^{(i-1)\beta } + ... + b_{\beta 1}x^{i \beta -1} ) + x^{4 {\beta }^2-\beta } ( b_{12}x^{(i-1) \beta } + ... + b_{ \beta 2}x^{i \beta -1} ) \\ \qquad \quad + ... + x^{2j {\beta }^2-\beta } ( b_{1j}x^{(i-1)\beta } + ... + b_{\beta j}x^{i \beta -1} ) + x^{2(j+1) {\beta }^2-\beta } ( b_{1,j+1}x^{(i-1)\beta } \end{array} $$

$$ \begin{array}{l} \quad \quad + ... + b_{\beta , j+1}x^{i \beta -1} ) + ... + x^{2\beta {\beta }^2-\beta } ( b_{1\beta }x^{(i-1)\beta } + ... + b_{\beta \beta }x^{i \beta -1} ) \\ \quad = {\mathsf { pol}}(B_1^{(c)}) + {\mathsf { pol}}(B_2^{(c)}) + ... + {\mathsf { pol}}(B_j^{(c)}) + {\mathsf { pol}}(B_{j+1}^{(c)}) + ... + {\mathsf { pol}}(B_{\beta }^{(c)}). \end{array} $$

We should prove for any \(i,j=1,...,\beta \), \({\mathsf { pol}}(A_i^{(r)})\) in \(x^{2j {\beta }^2-\beta }\widehat{A}(x)\) and \({\mathsf { pol}}(B_j^{(c)})\) in \(x^{(i-1) \beta }\widehat{B}(x)\) satisfy exactly

$$ {\mathsf { deg}}({\mathsf { pol}}(A_i^{(r)}[k]))= {\mathsf { deg}}({\mathsf { pol}}(B_j^{(c)}[k])) \quad (k=1,..., \beta ). $$

Case 1: when \(j=1\), i.e., \(\langle {\mathsf { Vec}}(x^{2 {\beta }^2-\beta }\widehat{A}(x), {\mathsf { Vec}}(x^{(i-1) \beta }\widehat{B}(x)) \rangle = \langle {A}_i, {B}_1 \rangle \). It can be easily check that

$$ \begin{array}{l} \mathsf {left-deg}({\mathsf { pol}}(A_1^{(r)}))< \cdots< {\mathsf {right-deg}}({\mathsf { pol}}(A_{i-1}^{(r)})) = 2\beta ^2 + (i-2)\beta -1< \\ < 2\beta ^2 + (i-2)\beta \le \end{array} $$

\({\mathsf { deg}}({\mathsf { pol}}(A_i^{(r)}[k]))= {\mathsf { deg}}({\mathsf { pol}}(B_1^{(c)}[k])) = 2\beta ^2+(i-2)\beta + (k -1)\) for \(k=1,..., \beta \)

$$ \begin{array}{l} \le 2\beta ^2+(i-1)\beta -1< 2\beta ^2+(i-1)\beta = {\mathsf {left-deg}}({\mathsf { pol}}(A_{i+1}^{(r)})) \\< \cdots< {\mathsf {left-deg}}({\mathsf { pol}}(A_1^{(c)}))< {\mathsf {right-deg}}({\mathsf { pol}}(A_1^{(c)}))< {\mathsf {left-deg}}({\mathsf { pol}}(B_2^{(c)})) \\< \cdots<{\mathsf { deg}}({\mathsf { pol}}(B_l^{(c)}))<{\mathsf { deg}}({\mathsf { pol}}(A_l^{(c)}))< \cdots<{\mathsf { deg}}({\mathsf { pol}}(B_{\beta }^{(c)})) <{\mathsf { deg}}({\mathsf { pol}}(A_{\beta }^{(c)})). \end{array} $$

Case 2: when \(j \ge 2\), i.e., \(\langle {\mathsf { Vec}}(x^{2j {\beta }^2-\beta }\widehat{A}(x)), {\mathsf { Vec}}(x^{(i-1) \beta }\widehat{B}(x)) \rangle = \langle {A}_i, {B}_j \rangle \). It can be easily check that

$$ \begin{array}{l} {\mathsf {right-deg}}({\mathsf { pol}}(B_{j-1}^{(c)}))< {\mathsf {left-deg}}({\mathsf { pol}}(A_1^{(r)}))< \cdots< \mathsf{right-}{\mathsf { deg}}({\mathsf { pol}}(A_{i-1}^{(r)})) \\ = 2j\beta ^2 + (i-2)\beta -1 < 2j\beta ^2 + (i-2)\beta \le \end{array} $$

\({\mathsf { deg}}({\mathsf { pol}}(A_i^{(r)}[k]))= {\mathsf { deg}}({\mathsf { pol}}(B_j^{(c)}[k])) = 2j\beta ^2+(i-2)\beta + (k -1)\), for \(k=1,..., \beta \)

$$ \begin{array}{l} \le 2j\beta ^2+(i-1)\beta -1< 2j\beta ^2+(i-1)\beta = \mathsf{left-}{\mathsf { deg}}({\mathsf { pol}}(A_{i+1}^{(r)})) \\< \cdots< \mathsf{left-}{\mathsf { deg}}({\mathsf { pol}}(A_1^{(c)}))< \mathsf{right-}{\mathsf { deg}}({\mathsf { pol}}(A_1^{(c)}))< \mathsf{left-}{\mathsf { deg}}({\mathsf { pol}}(B_{j+1}^{(c)})) \\< \cdots<{\mathsf { deg}}({\mathsf { pol}}(B_{j+l-1}^{(c)}))<{\mathsf { deg}}({\mathsf { pol}}(A_l^{(c)}))<\cdots<{\mathsf { deg}}({\mathsf { pol}}(B_{\beta }^{(c)})) \\<{\mathsf { deg}}({\mathsf { pol}}(A_{\beta -j+1}^{(c)}))< ... < {\mathsf { deg}}({\mathsf { pol}}(A_{\beta }^{(c)})). \end{array} $$

Note. Since

$$ \begin{array}{l} \mathsf{right-}{\mathsf { deg}}(x^{2j {\beta }^2-\beta }\widehat{A}(x)) = 4\beta ^3-\beta -1,\\ \mathsf{right-}{\mathsf { deg}}(x^{(i-1) \beta }\widehat{B}(x)) \, \, = 2\beta ^3 + \beta ^2 -\beta -1, \end{array} $$

we have

$$\displaystyle \max _{i, j}\{ {\mathsf { deg}}(x^{2j {\beta }^2-\beta }\widehat{A}(x)) , {\mathsf { deg}}(x^{(i-1) \beta }\widehat{B}(x)) \} < 4\beta ^3.$$

Therefore, our packing method works if

$$4\beta ^3 \le n.$$

The proof for correctness of the MMC AB is complete. Correctness of the MMC BA can be proved similarly.    \(\square \)