Private Outsourcing of Matrix Multiplication over Closed Semi-rings
Mikhail J. Atallah
1
, Keith B Frikken
2
and Shumiao Wang
1
1
Department of Computer Science, Purdue University, West Lafayette, IN, U.S.A.
2
Department of Computer Science and Software Engineering, Miami University, Oxford, OH, U.S.A.
Keywords:
Privacy-preserving Protocols, Private Outsourcing.
Abstract:
Many protocols exist for a client to outsource the multiplication of matrices to a remote server without reveal-
ing to the server the input matrices or the resulting product, and such that the server does all of the super-linear
work whereas the client does only work proportional to the size of the input matrices. These existing tech-
niques hinge on the existence of additive and multiplicative inverses for the familiar matrix multiplication over
the (+, ) ring, and they fail when one (or both) of these inverses do not exist, as happens for many practi-
cally important algebraic structures (including closed semi-rings) when one or both of the two operations in
the matrix multiplication is the “min” or “max” operation. Such matrix multiplications are very common in
optimization. We give protocols for the cases of (+, min) multiplication, (min,max) multiplication, and of
(min, +) multiplication; the last two cases are particularly important primitives in many combinatorial opti-
mization problems.
1 INTRODUCTION
In secure computational outsourcing, a client out-
sources to a server a computationally expensive task,
such that the server learns neither the inputs nor the
output, yet carries out the bulk of the computational
burden whereas the client does an amount of comput-
ing that is proportional to the size of the input. For
the usual (+,) matrix multiplication, this means that
the server does all the super-linear work (cubic if it
uses the most commonly used algorithm for carry-
ing out the product), and the client does work pro-
portional to the number of entries in the input matri-
ces. For the massive data arising in engineering, the
physical sciences, and economic and market model-
ing, matrix multiplication is a notoriously expensive
operation and is therefore a prime candidate for com-
putational outsourcing. Even modular exponentiation
has been the subject of extensive protocol design for
the purpose of getting the remote server(s) to do the
cubic amount of work (in the number of bits) with
the local client doing only quadratic work (i.e., a con-
stant number of integer multiplications); of the long
sequence of papers on this topic, we refer the reader
to (Hohenberger and Lysyanskaya, 2005a).
The techniques used in the existing protocols for
the secure outsourcing of (+, ) matrix multiplica-
tion, do not work in the cases of (min,+), (min, max),
and (+, min) multiplications, because in these cases
one or both of the algebraic operations does not have
an inverse. This paper presents efficient secure out-
sourcing protocols for these cases (hence for the cases
where the roles of max and min are interchanged). Of
particular practical importance are the (min, +) and
(min,max) cases. The formerarises in many contexts,
one of which is the MAP inference problem in graph-
ical models including cyclic and skip-chain models
that arise in many applications (Felzenszwalb and
McAuley, 2011). It also arises in the context of opti-
mizing a sequence of tasks where the cost of perform-
ing a task depends on the state and there is a cost in-
curred in moving between states (Saks, 1988). It is in
fact a standard part of textbooks, usually in the chap-
ters on graph algorithms (see, e.g., Section 25.1 of
(Cormen et al., 2001)). The (min, max) matrix mul-
tiplication (or equivalently, (max,min)) arises in the
context of bottleneck optimization problems, where
one wants to optimize a quantity subject to upper lim-
its constraints (i.e., maximum capacity) or, symmet-
rically, lower limit constraints (see, e.g., (Duan and
Pettie, 2009), (Vassilevska et al., 2007) and the bibli-
ographic references therein). The case for outsourc-
ing such computations is compelling not only because
matrix multiplication is expensive and the matrices
that arise in the application domains are huge, but also
because it is rarely the case that a single such multipli-
cation suffices: In the above-mentionedcombinatorial
optimization problems a (possibly long) sequence of
136
J. Atallah M., B Frikken K. and Wang S..
Private Outsourcing of Matrix Multiplication over Closed Semi-rings.
DOI: 10.5220/0004054101360144
In Proceedings of the International Conference on Security and Cryptography (SECRYPT-2012), pages 136-144
ISBN: 978-989-8565-24-2
Copyright
c
2012 SCITEPRESS (Science and Technology Publications, Lda.)
(min, +) or (max, min) multiplications is needed to
solve the combinatorial optimization problem at hand
(Duan and Pettie, 2009; Vassilevska et al., 2007; Cor-
men et al., 2001). In cases where the input matrices,
the intermediate matrices, and the output matrices are
confidential (e.g., too revealing of proprietary models
or organizational data and operations), this outsourc-
ing needs to be done in the privacy-preserving frame-
work considered in this paper.
This paper is organized as follows. Section 2
gives the problem definition, Section 3 reviews related
work. Section 4 gives the protocol for the (+, min)
multiplication, Section 5 for the (min, max) multipli-
cation, Section 6 for the (min,+) multiplication, and
Section 7 concludes.
2 PROBLEM DEFINITION
The main goal of this paper is to compute various
types of generalized matrix multiplication in a private
outsourced manner. Given N ×N matrices A and B
where each entry is in the range [0, Σ). We consider
the following types of computations
1
:
1. (+,min): That is if C = AB, then
C[i, j] =
N
=1
min{A[i, ], B[ℓ, j]}.
2. (min,max): That is if C = AB, then
C[i, j] = min
[1,N]
{max{A[i, ], B[ℓ, j]}}.
3. (min,+): That is if C = AB, then
C[i, j] = min
[1,N]
{A[i, ] + B[, j]}.
To achieve these computations we introduce pro-
tocols that use arithmetic circuits (i.e., circuits using
the operations: addition, multiplication by constant,
and multiplication). Our protocols take the follow-
ing form: the client does some pre-processing to cre-
ate the inputs to an arithmetic circuit (or circuits), the
computation of the arithmetic circuits is privately out-
sourced to a server (or servers), and the client does
some post-processing on the outputs of the circuits
to obtain the results. The goals are to minimize the
client’s work, the server’s work, the multiplicative
depth of the circuit, and the number of rounds in the
protocol. Several techniques exist for the private out-
sourcing of arithmetic circuits, and thus these tech-
niques allow us to privately outsource the computa-
tion in the following scenarios:
1. The Sharemind system(Bogdanov et al., 2008) al-
lows 3 servers to compute a result, and is secure
against any single honest-but-curious server. This
1
Note that is is straightforward to modify our protocols
to support (+, max), (max,min), and (max,+).
system requires 2 rounds of interaction for multi-
plication, but multiplications can be done in par-
allel. Thus the number of communication rounds
is the depth of the circuit, and the total compu-
tation is the size of the circuit. Furthermore, the
client’s computation is proportional to the num-
ber of inputs in the circuit. Another version of
this, is to use the generic results in SMC (such
as (Goldreich et al., 1987)), which would allow n
servers where more than two-thirds of the servers
are honest, but the dishonest servers are actively
corrupted.
2. There are many somewhat homomorphic encryp-
tion schemes, that allow a bounded multiplica-
tive depth circuit to be computed. For example,
the scheme in (Boneh et al., 2005) allow a single
multiplication to be performed. Other schemes
(Naehrig et al., 2011; Brakerski and Vaikun-
tanathan, 2011b; Brakerski and Vaikuntanathan,
2011a) support a larger multiplicative depth, but
the schemes are more efficient when the depth is
small. These schemes allow a client to outsource
the computation to a single server by doing work
proportional to the number of inputs to the circuit,
and the server does work proportional to the size
of the circuit.
Thus by providing schemes that use circuits of
limited multiplicative depth to compute the desired
matrix multiplications, we provide a mechanism to
securely compute the matrix multiplications. That is,
all that the server (or servers) see if the results that
they see in the arithmetic circuit computation, and the
computations have the same structure (regardless of
the input). Hence, if the underlying protocol is secure
then the resulting protocol based on these computa-
tions will also be secure.
Table 1 summarizes the results presented in this
paper where Client denotes the amount of compu-
tations performed by the client, Server denotes the
amount of computation performed by the server, dep
is the multiplicative depth of the computations, and
rds is the number of rounds of interaction that are re-
quired.
Table 1: Result Summary.
Operation Client Server Dep Rds
(+,min) O(|Σ|N
2
) O(|Σ|N
3
) 1 1
(+,min) O(
p
|Σ|N
2
) O(
p
|Σ|N
3
) 2 1
(min,max) O(|Σ|N
2
) O(|Σ|N
3
) 1 1
(min,max) O(
p
|Σ|N
2
)
O(
p
|Σ|N
3
)
3 2
(min,+) O(|Σ|
2
N
2
) O(|Σ|
2
N
3
) 1 1
(min,+) O(|Σ|
1.5
N
2
) O(|Σ|
1.5
N
3
) 2 1
PrivateOutsourcingofMatrixMultiplicationoverClosedSemi-rings
137
3 RELATED WORK
In the area of private computational outsourcing there
is a growing list of problems considered in this frame-
work (e.g., (Beguin and Quisquater, 1995; Kawamura
and Shimbo, 1993; Lim and Lee, 1995; Matsumoto
et al., 1988; Pfitzmann and Waidner, 1992; Atallah
et al., 2001; Hohenberger and Lysyanskaya, 2005b),
and others). We briefly review this work.
In the server-aided secret computation literature
(e.g. (Beguin and Quisquater, 1995; Kawamura and
Shimbo, 1993; Lim and Lee, 1995; Matsumoto et al.,
1988; Pfitzmann and Waidner, 1992; Hohenberger
and Lysyanskaya, 2005b), to list a few),a weak smart-
card performs public key decryptions by “borrowing”
computing power from an untrusted server, without
revealing to that server its private information. These
papers deal primarily with the important problem of
modular exponentiations.
In the privacy homomorphism approach proposed
in (Rivest et al., 1978), the outsourcing agent is used
as a permanent repository of data, performing cer-
tain operations on it and maintaining certain predi-
cates while it remains encrypted, whereas the cus-
tomer needs only to decrypt the data from the agent
to obtain the real data. Our secure outsourcing frame-
work differs in that the customer is not interested in
keeping data permanently with the external agents,
instead, the customer only wants to temporarily use
their superior computational power.
The paper (Abadi et al., 1987) shows an impossi-
bility result: That one cannot hope to outsource an ex-
ponential computation while locally doing only poly-
nomial time work. This delineates the limits of what
can be achieved. But securely outsourcing expensive
polynomial time computations (such as a cubic-time
matrix multiplication) remains an important practi-
cal goal. Mobile devices can be so computationally
weak or battery-limited as to be unable of carrying
out computations that would be completely tractable
for a powerful server or supercomputer, and therefore
would benefit from the development of techniques for
the secure outsourcing of expensive polynomial-time
computations.
The work in (Atallah et al., 2001) has a differ-
ent framework because it allows leakage of private
information, whereas in this paper we are interested
in achieving no leakage.
The paper (Atallah and Li, 2005) used homomor-
phic encryption for the problem of computing the edit
distance between two sequences. Its protocol requires
communication between the two servers, a drawback
that the framework of the present paper avoids.
There are several protocols in the area of private
outsourcing of traditional matrix multiplication (Ben-
jamin and Atallah, 2008; Atallah and Frikken, 2010;
Mohassel, 2011). In (Benjamin and Atallah, 2008)
the scheme inherently requires more than one server,
requires the servers to do expensivehomomorphic en-
cryptions, and is vulnerableto collusion by the servers
(they would learn the inputs). The scheme in (Atallah
and Frikken, 2010) only uses a single server, and uses
a heuristic security approach. That is the client has
to perform O(k
2
n
2
) work for a security parameter k.
Finally, the scheme in (Mohassel, 2011) considers se-
curity in a more traditional approach for single server
solutions, but utilizes expensive cryptography.
There are also general results that solve this prob-
lem using a single-server. For example, if privacy is
the only concern, then fully homomorphic encryption
(for example (Gentry, 2009)) could be used to solve
this problem.
While there are many protocols for private out-
sourcing of computations, to our knowledge this pa-
per is the first that considers the general forms of
matrix multiplication. Furthermore, as described in
the previous section the approaches described here
can be used in many settings, including: work in the
case of somewhat fully homomorphic encryption, the
heuristic approaches of(Atallah and Frikken, 2010),
and the multi-party outsourcing based on SMC solu-
tions (such as Sharemind).
4 PROTOCOLS FOR (+,MIN)
MATRIX MULTIPLICATION
4.1 A Preliminary Solution
In this section, we propose a protocol for (+,min)
where the workload is O(|Σ|N
2
) for client and
O(|Σ|N
3
) for server. To simplify the presentation of
this protocol, we assume the values are in the range
[1, |Σ|] (as opposed to [0, |Σ|1]). The crux of this
solution are the following two expansions from val-
ues in Σ to vectors with 2|Σ| elements:
1. T1(x) = x
1
,. . . , x
|Σ|
,x
|Σ|+1
,. . . , ,x
2|Σ|
where for i
[1, |Σ|], x
i
= 1 if i x and is 0 otherwise. Also,
for i [|Σ|+ 1, 2|Σ|] x
i
= x if i |Σ| = x and is 0
otherwise.
2. T2(x) = x
1
,. . . , x
|Σ|
,x
|Σ|+1
,. . . , ,x
2|Σ|
where for i
[|Σ|+ 1,2|Σ|], x
i
= 1 if i|Σ| < x and is 0 other-
wise. Also, for i [1,|Σ|] x
i
= x if i = x and is 0
otherwise.
Lemma 1. Given any two values x,y [1, Σ], T1(x) ·
T2(y) = min{x, y}.
SECRYPT2012-InternationalConferenceonSecurityandCryptography
138
Proof: Now, T1(x) · T2(y) =
|Σ|
i=1
x
i
y
i
+
2|Σ|
i=|Σ|+1
x
i
y
i
. Furthermore, since y
i
= 0 ex-
cept where i = y, then
|Σ|
i=1
x
i
y
i
= x
y
y
y
= x
y
y.
Now x
y
= 1 if x y and thus this value is y if x y
and is 0 otherwise. A symmetrical argument can be
used to show that
2|Σ|
i=|Σ|+1
x
i
y
i
= x if x < y and is
0 otherwise. Therefore, T1(x) ·T2(y) = min{x, y}.
The protocol is as follows:
1. The client expands A into an N ×2|Σ|N matrix by
expanding each cell in its row using T1. Also,
the client expands B into an 2|Σ|N ×N matrix by
expanding each cell in its column using T2.
2. The client outsources the computations C = AB,
which is the desired result.
For each entry in the matrix, the client performs
O(|Σ|) work. Thus the client performs work propor-
tional to O(|Σ|N
2
) total work. The server must per-
form O(|Σ|N
3
) total work. Furthermore, the number
of rounds is 1, since everything can be done in paral-
lel. Finally, the multiplicative depth is 1.
4.2 Improved Solution
In this section, we propose a protocol for (+, min).
The workload is O(
p
|Σ|N
2
) for client and
O(
p
|Σ|N
3
) for server. The main idea of this
approach is that the scheme partitions the values in Σ
into groups of size
p
|Σ|, and it handles things in the
same group differently then it handles things in other
groups.
More specifically, Let σ =
p
|Σ|, then we partition
the range [0, |Σ|) into σ partitions each of size σ. For
any value v [0,|Σ|), it could be represented by two
values less than σ, v
′′
= v mod σ and v
=
v
σ
. Note
that v = v
σ + v
′′
. Given a and b, we say that these
values are in the same group if a
= b
.
First we define 6 expansion functions that expand
v [0,|Σ|) into vectors of length σ.
1. V1(v) = f
0
,. . ., f
σ1
where f
i
= 1 if i < v
and is
0 otherwise.
2. V2(v) = f
0
,. . . , f
σ1
where f
i
= v if i = v
and is
0 otherwise.
3. V3(v) = f
0
,. . ., f
σ1
where f
i
= 1 if i = v
and is
0 otherwise.
4. V4(v) = f
0
,. . ., f
σ1
where f
i
= 1 if i v
′′
and is
0 otherwise.
5. V5(v) = f
0
,. . ., f
σ1
where f
i
= 1 if i < v
′′
and is
0 otherwise.
6. V6(v) = f
0
,. . . , f
σ1
where f
i
= v if i = v
′′
and is
0 otherwise.
Lemma 2. For any values a, b Σ,
(V3(a) ·V3(b)) (V4(a) ·V6(b) +V5(b) ·V6(a))+
(V1(a) ·V2(b) +V1(b) ·V2(a)) = min{a, b} where ·
denotes the inner product of vectors
Proof:
There are two cases to consider: i) the case where a
and b are in different groups, and ii) the case where a
and b are in the same group.
Consider the case where a and b are in different
groups. Now, V1(a) ·V2(b) = b if b
< a
and is 0
otherwise. Furthermore, V1(b) ·V2(a) = a if a
< b
and is 0 otherwise. Hence, If a and b are in dif-
ferent groups, then V1(a) ·V2(b) + V1(b) ·V2(a) =
min{a, b}. If a and b are in the same group, then this
is 0.
Consider the case where a and b are in the same
group. First, V3(a) ·V3(b) = 1 if a
= b
and is 0
otherwise. That is, this value is 1 if a and b are in
the same group and is 0 otherwise. Given that a
= b
then:
1. If a b, then V4(a) ·V6(b) = b. Otherwise,
V4(a) ·V6(b) = 0
2. If a < b, then V5(b) ·V6(a) = a. Otherwise,
V5(b) ·V6(a) = 0
Putting these two pieces together: if a
= b
then
(V4(a) ·V6(b) +V5(b) ·V6(a)) = min{a, b}. Hence,
(V3(a) · V3(b))(V4(a) · V6(b) + V5(b) · V6(a)) =
min{a, b} when a and b are in the same group, but
is 0 if there are in different groups.
Therefore by combining these two cases: (V3(a) ·
V3(b))(V4(a) · V6(b) + V5(b) · V6(a)) + (V1(a) ·
V2(b) +V1(b) ·V2(a)) = min{a, b}.
The protocol is as follows:
1. The client creates 5 matrices A
i
(resp. B
j
), each
cell of which is the expansion vector Vi (respec-
tively, V j) of the corresponding cell in A (resp. in
B), for i = 1, 2,3,4,6 (resp. j = 1,2, 3, 5, 6.)
2. The client uses an outsourced server to com-
pute a matrix C where C[i, j] =
N
=1
((A
3
(i,) ·
B
3
(ℓ, j))(A
4
(i,) · B
6
(ℓ, j) + B
5
(ℓ, j) · A
6
(i,)) +
(A
1
(i,) ·B
2
(ℓ, j) + B
1
(ℓ, j) ·A
2
(i,))).
C is the (+,min) product of A and B, because each
cell of C is the sum of N minimums of aligned cells in
A and B. The client’s work is mainly to create matri-
ces A
i
and B
j
, which is of size O(σN
2
) = O(
p
|Σ|N
2
).
And the server’s work is O(
p
|Σ|N
3
) to compute the
N
2
result cells, since for each cell he has to compute
the sums of N minimums by the circuit. Notice that
the multiplicative depth of this circuit is 2, and num-
ber of communication rounds is 1.
PrivateOutsourcingofMatrixMultiplicationoverClosedSemi-rings
139
5 PROTOCOLS FOR (min,max)
MATRIX MULTIPLICATION
5.1 Preliminary Solution
We now introduce a protocol for (min, max). To
achieve this the client will outsource |Σ| matrix multi-
plications in parallel (each of which has multiplicative
depth of 1). The ith multiplication will reveal which
entries in the result matrix are i. These values can
be combined together to find the actual values of the
entries; that is, the value of a cell is the minimum ma-
trix product that is non-zero in that cell.
The protocol is as follows:
1. For each i [0,|Σ), the client computes A
i
and
B
i
which are N ×N matrices where A
i
[ j,k] (resp.
B
i
[ j,k]) is 1 if A[ j, k] i (resp. B[ j,k] i) and
is 0 otherwise. Note that A
i
[ j,k] B
i
[k, ] = 1 if
both A
i
[ j,k] and B
[
k, are i. In other words,
A
i
[ j,k]B
i
[k, ] = 1 if max{A[ j,k], B[k, ]}i and
is 0 otherwise.
2. The client has the server compute C
i
= A
i
B
i
for
all i [0,|Σ|). Note that C
i
[ j,k] =
N
=1
(A
i
[ j,]
B
i
[ℓ, k]), which will be non-zero if and only if
there is an such that A[ j, k] and B[k, ] are
both i. Such an exists if and only if
min
z[1,N]
{max{A[ j, z],B[z,k]}} i.
3. The client computes the result matrixC, by setting
C[i, j] to be the smallest value such that C
[i, j]
is non-zero.
The above protocol works because C
i
[ j,k] will be
non-zero if and only if there is a value such that
A
i
[ j,] and B
i
[ℓ, k] are both 1. But this means that
A
i
[ j,] and B
i
[ℓ, k] are both i, and thus the minimum
of the maximums will be i.
Note that the client has to perform O(|Σ|N
2
) work,
and the server has to perform O(|Σ|N
3
) work. The
number of rounds is 1, and the multiplicative depth is
1.
5.2 Improved Solution
In this section, we improve the protocol in the
previous section by reducing the client’s cost to
O(
p
|Σ|N
2
). This is achieved by increasing the depth
of the circuit and by increasing the number of rounds.
Let σ =
p
|Σ|, and given a value v [0, |Σ|), let
v
′′
= v mod σ and v
=
v
σ
. Note that v = v
σ + v
′′
.
We refer to v
as the group of v and to v
′′
as the offset
of v.
First observe that the protocol in the previous sec-
tion can be modified to find the value of each cell
within an additive factor of σ. That is, it is possi-
ble to find a matrix C
where C
[i, j] = c if C[i, j]
[cσ,(c+ 1)σ). Furthermore, this can be done by com-
pute A
i
and B
i
only for multiples of σ in the protocol
in the previous section. The client’s cost of this pro-
tocol is O(σN
2
). This will be the first round of the
computation, and this matrix will be used in the sec-
ond round.
The second part of this protocol will be to com-
pute the offset in each group. The difficult part will
be creating a test for each cell of the matrix that tests
if the offset is t for some value t. The difficult part
of this is to ignore the pairs of values that are not in
the correct group for a cell.
Before giving our full protocol, we describe a few
functions that are used in the construction.
1. Given v [0, σ), EQ(v) = v
0
,. . ., v
σ
where v
v
= 1
and all other values are 0.
2. Given v [0, σ), LT(v) = v
0
,. . . , v
σ
where v
i
= 1
if i < v and is 0 otherwise.
3. Given v [0, σ), EQ
t
(v) = 1 if t = v and is 0 oth-
erwise.
4. Given v [0,σ), LT
t
(v) = 1 if v < t and is 0 oth-
erwise.
5. Given v [0, σ), LE
t
(v) = 1 if v t and is 0 oth-
erwise.
Given values a, b [0, Σ) and c,t [0, σ) sup-
pose that we wanted to create a test to determine
if max{a, b} = cσ + t. There are 3 possible ways
that this could happen: 1) a
< c and b = cσ + t, 2)
b
< c and a = cσ + t, and 3) a
= c, b
= c, and
max{a
′′
,b
′′
} = t. Note that these three cases are mu-
tually exclusive. We now define various functionsthat
are used in the protocol:
1. F1
t
(a,b,c) = (EQ(a
) · LT(c)) (EQ(b
) ·
EQ(c)) EQ
t
(b
′′
). Note that F1
t
(a,b,c) = 1 if
a
< c and b = cσ + t and is 0 otherwise. Also,
note that this function has multiplicative depth 3.
2. F2
t
(a,b,c) = (EQ(b
) · LT(c)) (EQ(a
) ·
EQ(c)) EQ
t
(a
′′
). Note that F2
t
(a,b,c) = 1 if
b
< c and a = cσ + t and is 0 otherwise. Also,
note that this function has multiplicative depth 3.
3. F
3
(t, a, b,c) = (EQ(a
) · EQ(c)) (EQ(b
) ·
EQ(c)) (LE
t
(b
′′
)EQ
t
(a
′′
) + LT
t
(a
′′
)EQ
t
(b
′′
)).
Note that F3
t
(a,b,c) = 1 if a
= b
= c and
max{a, b}= cσ+t and is 0 otherwise. Also, note
that this function has multiplicative depth 3.
4. F
t
(a,b,c) = F1
t
(a,b,c) + F2
t
(a,b,c) +
F3
t
(a,b.c). Note that this function is 1 if
max{a, b} = cσ + t and is 0 otherwise. The three
cases above are mutually exclusive and partition
SECRYPT2012-InternationalConferenceonSecurityandCryptography
140
all possible cases where max{a,b}= cσ+t. Note
that this function has multiplicative depth 3. It is
important to note that to compute this function
that we need only to have: LT(c), EQ(c), EQ(a
),
EQ(b
), EQ
t
(b
′′
), EQ
t
(a
′′
), LE
t
(b
′′
), LT
t
(a
′′
).
We are now ready to give the protocol.
1. For each i [0, σ), the client computes A
iσ
and
B
iσ
which are N×N matrices where A
i
[ j,k] (resp.
B
i
[ j,k]) is 1 if A[ j,k] i (resp. B[ j, k] i) and is
0 otherwise.
2. The client has the server computeC
iσ
= A
iσ
B
iσ
for
all i [0,σ). These can be done in parallel.
3. The client computes an intermediate matrixC
, by
setting C
[i, j] to be the smallest value such that
C
σ
[i, j] is non-zero.
4. For each t [0,σ), the client outsources the com-
putations of a matrix C
t
where
C
t
[i, j] =
N
=1
F
t
(A[i,], B[, j],C
[i, j]). This is
done by having the client outsource the above
mentioned vectors and values to the server(or
servers) that are necessary for this computation.
Note thatC
t
[i, j] is the number of values [1, N]
such that max{A[i, ], B[ℓ, j]} = C
[i, j]σ+ t.
5. Given C
0
,. . . ,C
σ1
, the client computes the result
C[i, j] as follows: Let q be the smallest values such
that C
q
[i, j] is non-zero and set C[i, j] = C
[i, j]σ+
q.
The above protocol requires the client to per-
form O(
p
|Σ|N
2
) computations, the server to per-
form O(
p
|Σ|N
3
) computations, requires multiplica-
tive depth 3 and requires 2 rounds.
6 PROTOCOLS FOR (MIN,+)
MATRIX MULTIPLICATION
6.1 Preliminary Solution
In this section we present a scheme for (min,+)
where the client performs work O(|Σ|
2
N
2
). The main
idea of this scheme is to perform a test for each pos-
sible value of a cell in the result. The test for value T
will determine which cells in the result have a value
T (specifically the test counts the number of values
in the corresponding row of A and column of B where
the sum is T). This test is performed for all val-
ues from 0 to 2|Σ|2. These results can be combined
together to determine the actual value of the cell by
finding the minimum value of T where the value is
non-zero for each cell. We now give the functional-
ity TEST
T
(A,B) (which is used to test if a cell in the
result is T):
1. For each cell A[i, j], expand it into |Σ|
cells in its row. Denote these cells as
A
(0)
[i, j], .. . ,A
(|Σ|−1)
[i, j] where A
()
[i, j] = 1
if + A[i, j] T and is 0 otherwise. Denote as
A
T
the N × |Σ|N matrix that results from this
expansion.
2. For each cell B[i, j], expand it into |Σ|
cells in its column. Denote these cells as
B
(0)
[i, j], .. . ,B
(|Σ|−1)
[i, j] where B
()
[i, j] = 1 if
= B[i, j] and is 0 otherwise. Denote as B
T
the
|Σ|N ×N matrix that results from this expansion.
As an example, suppose that |Σ| = 4, A[i, j] =
2 and B[ j,k] = 1. When doing the test for
T = 3, the value of A[i, j] will be expanded into
A
(0)
[i, j], .. . ,A
(3)
[i, j] = 1, 1, 0, 0, and the value of
B[ j,k] will be expanded into B
(0)
[i, j], .. . ,B
(0
[i, j] =
0, 1, 0,0. Notice that the scalar product of these two
values is 1, and in this case A[i, j] + B[ j, k] 3. More
generally, the scalar product of the expansions of two
values will be 1 when the sum of the two values is
T and and is 0 otherwise.
If we denote as C
T
= A
T
B
T
where (A
T
,B
T
)
TEST
T
(A,B), then C
T
is a N ×N matrix with the fol-
lowing property:
Lemma 3. C
T
[i, j] = 0 if and only if min{A[i][] +
B[][ j] : 1 N} > T.
Proof: Now, since C
T
= A
T
B
T
:
C
T
[i, j] =
N
=1
|Σ|−1
m=0
A
(m)
T
[i,]B
(m)
T
[ℓ, j]
According to the transformation B
(m)
T
[ℓ, j] =
1 if m = B[, j] and is 0 otherwise, hence
A
(m)
T
[i,]B
(m)
T
[ℓ, j] = 0 if m 6= B[ℓ, j], and is A
(m)
T
[i,]
otherwise. Therefore,
N
=1
|Σ|−1
m=0
A
(m)
T
[i,]B
(m)
T
[ℓ, j] =
N
=1
A
(B[ℓ, j])
T
[i,]
According to the transformation A
(B[ℓ, j])
T
[i,] = 1
if A[i, ] + B[ℓ, j] T and is 0 otherwise. Hence,
C
T
[i, j] = 0 if and only if A[i,] + B[, j] > T for all
[0,N 1]. However, this means that min{A[i][] +
B[][ j] : 0 N 1} > T, which concludes the
proof.
Now that the TEST
T
functionality has been de-
fined, we present the main protocol of this section
for computing the (min, +) matrix multiplication of
A and B:
PrivateOutsourcingofMatrixMultiplicationoverClosedSemi-rings
141
1. The data owner computes (A
i
,B
i
) TEST
i
(A,B)
for all i [0, 2|Σ|2].
2. The data owner uses an outsourced server to com-
pute C
i
= A
i
B
i
for all i [0, 2|Σ|2].
3. Set C[i, j] to be the smallest value v such that
C
v
[i, j] 6= 0.
The correctness of the above algorithm is based
on Lemma 3. That is, if C
v1
[i, j] = 0 and C
v
[i, j] 6=
0, then there must be at least one value in A[i,] +
B[ℓ, j] v, but there is no such value where A[i,] +
B[ℓ, j] v1, and hence the minimum of the sums is
v.
The client’s work in the TEST functionality is
O(|Σ|N
2
), and the test functionality is invoked O(|Σ|)
times, and thus the client’s work is O(|Σ|
2
N
2
). Fur-
thermore for each TEST the server must perform
O(|Σ|N
3
) work, and thus the server’s computation is
O(|Σ|
2
N
3
). The number of rounds in the protocol is
1, since the matrix multiplications can be done in par-
allel. Finally, the server only performs matrix multi-
plications, and thus multiplication depth is 1.
6.2 Reducing Costs by Increasing Depth
In this section we give a scheme that has client com-
plexity O(|Σ|
1.5
N
2
) for (min,+). The main idea of
this scheme is that it trades off lower computational
costs by increasing the multiplicative depth of the cir-
cuits that are used. Essentially, this scheme reduces
the cost of the test functionality in the previous algo-
rithm to O(
Σ|).
Let σ =
p
|Σ|, and given a value v [0, |Σ|), let
v
′′
= v mod σ and v
=
v
σ
. Note that v = v
σ+ v
′′
.
Before describing our scheme we define several
expansion functions that takes a value v [0, |Σ|) and
a value t [0,2|Σ|2] and produces a vector with σ
elements.
1. V1(t, v) = a
0
,. . . , a
σ1
where a
i
= 1 if i = t
v
1 and is 0 otherwise.
2. V2(t, v) = a
0
,. . . , a
σ1
where a
i
= 1 if i = t
v
and is 0 otherwise.
3. V3(t, v) = a
0
,. . . , a
σ1
where a
i
= 1 if i = t
′′
v
′′
and is 0 otherwise.
4. V4(t, v) = a
0
,. . . , a
σ1
where a
i
= 1 if i = σ+t
′′
v
′′
and is 0 otherwise.
5. V5(t, v) = a
0
,. . . , a
σ1
where a
i
= 1 if i = v
and
is 0 otherwise.
6. V6(t, v) = a
0
,. . . , a
σ1
where a
i
= 1 if i = v
′′
and
is 0 otherwise.
We will test when a specific cell has any cells in its
corresponding row and column where the sum of the
cells is equal to a target value t. Given two values a
and b, there are two mutually exclusive ways in which
this can happen: 1) a
+ b
= t
and a
′′
+ b
′′
= t
′′
and
2) a
+ b
= t
1 and a
′′
+ b
′′
= σ + t
′′
. We consider
each of these cases separately:
For the first case the value V2(t, a) ·V
5
(t, b) =
1 if a
+ b
= t
and is 0 otherwise. To see this,
suppose that V2(t, a) = a
0
,. . ., a
σ1
and V5(t,b) =
b
0
,. . . , b
σ1
. Now b
i
= 1 only when i = b
, and thus
V2(t,a)·V
5
(t, b) = a
b
, which will be 1 iff b
= t
a
.
Consider, the value V
3
(t, a) ·V6(t, b); this value will
be 1 if and only if a
′′
+ b
′′
= t
′′
. To see this, no-
tice that both of these vectors have a single 1, and
so the ones must align. Furthermore, these values
align only when a
′′
+ b
′′
= t
′′
. Thus if we com-
pute (V2(t, a)·V
5
(t, b))(V
3
(t, a)·V6(t,b)), then this
value will be 1 only when a
+b
= t
and a
′′
+b
′′
= t
′′
and will be 0 otherwise.
Now consider the second case. The value
V1(t,a) ·V5(t,b) will be 1 only when a
+ b
= t
1
and will be 0 otherwise. The reasoning is the same
as in the previous paragraph. Furthermore, the values
V4(t,a)·V6(t, b) is 1 only when a
′′
+ b
′′
= σ+t
′′
and
will be 0 otherwise. Thus if we compute (V1(t,a) ·
V
5
(t, b))(V
4
(t, a)·V6(t, b)), then this value will be 1
only when a
+ b
= t
1 and a
′′
+ b
′′
= σ + t
′′
and
will be 0 otherwise.
Putting these pieces together, the value (V2(t,a) ·
V
5
(t, b)) (V
3
(t, a) ·V6(t,b)) + (V1(t, a) ·V
5
(t, b))
(V
4
(t, a) ·V6(t, b)) will be 1 if a + b = t and will be
0 otherwise. As a shorthand notation we denote this
value as F(a,b,t).
We are nowready to present the main protocol that
will use the above vectors and values.
1. For each value t [0,2|Σ|2] the client does the
following:
(a) For each entry A[i, j], the client computes
V1(t,A[i, j]), V2(t, A[i, j]), V3(t, A[i, j]), and
V4(t,A[i, j]).
(b) For each entry B[i, j], the client computes
V5(t,B[i, j]), V6(t, B[i, j])
(c) The client has the server compute a matrix C
t
where C
t
[i, j] =
N
=1
F(A[i,], B[ℓ, j],t).
2. For the end result, the client sets the value of
C[i, j] to be the smallest value t such that C
t
[i, j] 6=
0.
The above protocol works because F(v
1
,v
2
,t)
is non-zero only when v
1
+ v
2
= t. Thus
N
=1
F(A[i, ], B[ℓ, j],t) will be non-zero if and only
if there is a pair of entries in the ith row in A and jth
column of B such that the sum of the two values is t.
Hence, the minimum value t such that C
t
[i, j] is non-
zero will be the minimum of the sums as required.
SECRYPT2012-InternationalConferenceonSecurityandCryptography
142
For each entry in the matrix, the client performs
O(σ) work per test. Since there are O(|Σ|) such tests
the client performs work proportional to O(|Σ|
1.5
N
2
)
total work. The server must perform O(|Σ|
1.5
N
3
) total
work. Furthermore, the number of rounds is 1, since
everything can be done in parallel. Finally, the multi-
plicative depth is 2.
7 CONCLUSIONS AND FUTURE
WORK
We introduced techniques for outsourcing matrix
multiplications over closed semi-rings and other al-
gebraic structures that lack the ring algebraic struc-
ture of the (+, ) multiplication. These techniques
can be used in a variety of settings to outsource the
computations in a secure manner. The remote server
being used does not learn anything about the inputs or
the outputs to a computation other than the size of the
matrices and of the alphabet. Although in most prac-
tical situations it is harmless to leak the size of the
alphabet, it is nevertheless of intellectual interest to
extend our protocols so as to hide it. There is a more
practical need for extending our schemes to hide the
size of the matrices, which we leave for future work.
ACKNOWLEDGMENTS
The authors would like to thank the anonymous
reviewers for their comments and useful sugges-
tions. Portions of this work were supported Na-
tional Science Foundation Grants CNS-0915436,
CNS-0913875,CNS-0915843, Science and Technol-
ogy Center CCF-0939370; by an NPRP grant from
the Qatar National Research Fund; by Grant FA9550-
09-1-0223 from the Air Force Office of Scientific Re-
search; and by sponsors of the Center for Education
and Research in Information Assurance and Security.
The statements made herein are solely the responsi-
bility of the authors.
REFERENCES
Abadi, M., Feigenbaum, J., and Kilian, J. (1987). On hid-
ing information from an oracle. In Proceedings of the
nineteenth annual ACM conference on Theory of com-
puting, pages 195–203. ACM Press.
Atallah, M. J. and Frikken, K. B. (2010). Securely out-
sourcing linear algebra computations. In Proceedings
of the 5th ACM Symposium on Information, Computer
and Communications Security, ASIACCS ’10, pages
48–59, New York, NY, USA. ACM.
Atallah, M. J. and Li, J. (2005). Secure outsourcing of se-
quence comparisons. In International Journal of In-
formation Security, pages 277–287.
Atallah, M. J., Pantazopoulos, K. N., Rice, J., and Spafford,
E. H. (2001). Secure outsourcing of scientific compu-
tations. Advances in Computers, 54(6):215–272.
Beguin, P. and Quisquater, J. J. (1995). Fast server-aided rsa
signatures secure against active attacks. In CRYPT0
95, pages 57–69.
Benjamin, D. and Atallah, M. J. (2008). Private and
cheating-free outsourcing of algebraic computations.
In Sixth Annual Conference on Privacy, Security and
Trust, PST 2008, October 1-3, 2008, Fredericton, New
Brunswick, Canada, pages 240–245.
Bogdanov, D., Laur, S., and Willemson, J. (2008). Share-
mind: A framework for fast privacy-preserving com-
putations. In Jajodia, S. and Lopez, J., editors, Com-
puter Security - ESORICS 2008, volume 5283 of
Lecture Notes in Computer Science, pages 192–206.
Springer Berlin / Heidelberg.
Boneh, D., Goh, E.-J., and Nissim, K. (2005). Evaluating 2-
dnf formulas on ciphertexts. In Kilian, J., editor, The-
ory of Cryptography, volume 3378 of Lecture Notes
in Computer Science, pages 325–341. Springer Berlin
/ Heidelberg.
Brakerski, Z. and Vaikuntanathan, V. (2011a). Efficient
fully homomorphic encryption from (standard) lwe.
Cryptology ePrint Archive, Report 2011/344.
Brakerski, Z. and Vaikuntanathan, V. (2011b). Fully ho-
momorphic encryption from ring-lwe and security for
key dependent messages. In Rogaway, P., editor, Ad-
vances in Cryptology CRYPTO 2011, volume 6841 of
Lecture Notes in Computer Science, pages 505–524.
Springer Berlin / Heidelberg.
Cormen, T. H., Stein, C., Rivest, R. L., and Leiserson, C. E.
(2001). Introduction to Algorithms. McGraw-Hill
Higher Education, 2nd edition.
Duan, R. and Pettie, S. (2009). Fast algorithms for (max,
min)-matrix multiplication and bottleneck shortest
paths. In Proceedings of the twentieth Annual ACM-
SIAM Symposium on Discrete Algorithms, SODA ’09,
pages 384–391, Philadelphia, PA, USA. Society for
Industrial and Applied Mathematics.
Felzenszwalb, P. and McAuley, J. (2011). Fast infer-
ence with min-sum matrix product. Pattern Analy-
sis and Machine Intelligence, IEEE Transactions on,
33(12):2549 –2554.
Gentry, C. (2009). Fully homomorphic encryption using
ideal lattices. In Proceedings of the 41st annual ACM
symposium on Theory of computing, STOC ’09, pages
169–178, New York, NY, USA. ACM.
Goldreich, O., Micali, S., and Wigderson, A. (1987). How
to play any mental game. In Proceedings of the nine-
teenth annual ACM conference on Theory of comput-
ing, pages 218–229.
Hohenberger, S. and Lysyanskaya, A. (2005a). How to se-
curely outsource cryptographic computations. In Kil-
ian, J., editor, Theory of Cryptography, volume 3378
PrivateOutsourcingofMatrixMultiplicationoverClosedSemi-rings
143
of Lecture Notes in Computer Science, pages 264–
282. Springer Berlin / Heidelberg.
Hohenberger, S. and Lysyanskaya, A. (2005b). How to se-
curely outsource cryptographic computations. In The-
ory of Cryptography Conference (TCC'05), volume
3378 of LNCS, pages 264–282.
Kawamura, S. I. and Shimbo, A. (1993). Fast server-aided
secret computation protocols for modular exponentia-
tion. IEEE Journal on Selected Areas in Communica-
tions, 11(5):778–784.
Lim, C. H. and Lee, P. J. (1995). Security and performance
of server-aided rsa computation protocols. In CRYPT0
95, pages 70–83.
Matsumoto, T., Kato, K., and Imai, H. (1988). Speeding up
secret computations with insecure auxiliary devices.
In CRYPT0 88, pages 497–506.
Mohassel, P. (2011). Efficient and secure delegation of
linear algebra. Cryptology ePrint Archive, Report
2011/605. http://eprint.iacr.org/.
Naehrig, M., Lauter, K., and Vaikuntanathan, V. (2011).
Can homomorphic encryption be practical? In Pro-
ceedings of the 3rd ACM workshop on Cloud comput-
ing security workshop, CCSW ’11, pages 113–124,
New York, NY, USA. ACM.
Pfitzmann, B. and Waidner, M. (1992). Attacks on protocols
for server-aided rsa computations. In EUROCRYPT
92, pages 153–162.
Rivest, R. L., Adleman, L., and Dertouzos, M. L. (1978).
On data banks and privacy homomorphisms. Founda-
tions of Secure Computation, pages 169–177.
Saks, M. E. (1988). A limit theorem for (min, +) matrix
multiplication. Math. Oper. Res., 13:606–618.
Vassilevska, V., Williams, R., and Yuster, R. (2007). All-
pairs bottleneck paths for general graphs in truly sub-
cubic time. In Proceedings of the thirty-ninth annual
ACM symposium on Theory of computing, STOC ’07,
pages 585–589, New York, NY, USA. ACM.
SECRYPT2012-InternationalConferenceonSecurityandCryptography
144