Private Outsourcing of Matrix Multiplication over Closed Semi-rings

Mikhail J. Atallah

, Keith B Frikken

and Shumiao Wang

Department of Computer Science, Purdue University, West Lafayette, IN, U.S.A.

Department of Computer Science and Software Engineering, Miami University, Oxford, OH, U.S.A.

Keywords:

Privacy-preserving Protocols, Private Outsourcing.

Abstract:

Many protocols exist for a client to outsource the multiplication of matrices to a remote server without reveal-

ing to the server the input matrices or the resulting product, and such that the server does all of the super-linear

work whereas the client does only work proportional to the size of the input matrices. These existing tech-

niques hinge on the existence of additive and multiplicative inverses for the familiar matrix multiplication over

the (+, ∗) ring, and they fail when one (or both) of these inverses do not exist, as happens for many practi-

cally important algebraic structures (including closed semi-rings) when one or both of the two operations in

the matrix multiplication is the “min” or “max” operation. Such matrix multiplications are very common in

optimization. We give protocols for the cases of (+, min) multiplication, (min,max) multiplication, and of

(min, +) multiplication; the last two cases are particularly important primitives in many combinatorial opti-

mization problems.

1 INTRODUCTION

In secure computational outsourcing, a client out-

sources to a server a computationally expensive task,

such that the server learns neither the inputs nor the

output, yet carries out the bulk of the computational

burden whereas the client does an amount of comput-

ing that is proportional to the size of the input. For

the usual (+,∗) matrix multiplication, this means that

the server does all the super-linear work (cubic if it

uses the most commonly used algorithm for carry-

ing out the product), and the client does work pro-

portional to the number of entries in the input matri-

ces. For the massive data arising in engineering, the

physical sciences, and economic and market model-

ing, matrix multiplication is a notoriously expensive

operation and is therefore a prime candidate for com-

putational outsourcing. Even modular exponentiation

has been the subject of extensive protocol design for

the purpose of getting the remote server(s) to do the

cubic amount of work (in the number of bits) with

the local client doing only quadratic work (i.e., a con-

stant number of integer multiplications); of the long

sequence of papers on this topic, we refer the reader

to (Hohenberger and Lysyanskaya, 2005a).

The techniques used in the existing protocols for

the secure outsourcing of (+, ∗) matrix multiplica-

tion, do not work in the cases of (min,+), (min, max),

and (+, min) multiplications, because in these cases

one or both of the algebraic operations does not have

an inverse. This paper presents efﬁcient secure out-

sourcing protocols for these cases (hence for the cases

where the roles of max and min are interchanged). Of

particular practical importance are the (min, +) and

(min,max) cases. The formerarises in many contexts,

one of which is the MAP inference problem in graph-

ical models including cyclic and skip-chain models

that arise in many applications (Felzenszwalb and

McAuley, 2011). It also arises in the context of opti-

mizing a sequence of tasks where the cost of perform-

ing a task depends on the state and there is a cost in-

curred in moving between states (Saks, 1988). It is in

fact a standard part of textbooks, usually in the chap-

ters on graph algorithms (see, e.g., Section 25.1 of

(Cormen et al., 2001)). The (min, max) matrix mul-

tiplication (or equivalently, (max,min)) arises in the

context of bottleneck optimization problems, where

one wants to optimize a quantity subject to upper lim-

its constraints (i.e., maximum capacity) or, symmet-

rically, lower limit constraints (see, e.g., (Duan and

Pettie, 2009), (Vassilevska et al., 2007) and the bibli-

ographic references therein). The case for outsourc-

ing such computations is compelling not only because

matrix multiplication is expensive and the matrices

that arise in the application domains are huge, but also

because it is rarely the case that a single such multipli-

cation sufﬁces: In the above-mentionedcombinatorial

optimization problems a (possibly long) sequence of

136

J. Atallah M., B Frikken K. and Wang S..

Private Outsourcing of Matrix Multiplication over Closed Semi-rings.

DOI: 10.5220/0004054101360144

In Proceedings of the International Conference on Security and Cryptography (SECRYPT-2012), pages 136-144

ISBN: 978-989-8565-24-2

 2012 SCITEPRESS (Science and Technology Publications, Lda.)

(min, +) or (max, min) multiplications is needed to

solve the combinatorial optimization problem at hand

(Duan and Pettie, 2009; Vassilevska et al., 2007; Cor-

men et al., 2001). In cases where the input matrices,

the intermediate matrices, and the output matrices are

conﬁdential (e.g., too revealing of proprietary models

or organizational data and operations), this outsourc-

ing needs to be done in the privacy-preserving frame-

work considered in this paper.

This paper is organized as follows. Section 2

gives the problem deﬁnition, Section 3 reviews related

work. Section 4 gives the protocol for the (+, min)

multiplication, Section 5 for the (min, max) multipli-

cation, Section 6 for the (min,+) multiplication, and

Section 7 concludes.

2 PROBLEM DEFINITION

The main goal of this paper is to compute various

types of generalized matrix multiplication in a private

outsourced manner. Given N ×N matrices A and B

where each entry is in the range [0, Σ). We consider

the following types of computations

1. (+,min): That is if C = AB, then

C[i, j] =

∑

ℓ=1

min{A[i, ℓ], B[ℓ, j]}.

2. (min,max): That is if C = AB, then

C[i, j] = min

ℓ∈[1,N]

{max{A[i, ℓ], B[ℓ, j]}}.

3. (min,+): That is if C = AB, then

C[i, j] = min

ℓ∈[1,N]

{A[i, ℓ] + B[ℓ, j]}.

To achieve these computations we introduce pro-

tocols that use arithmetic circuits (i.e., circuits using

the operations: addition, multiplication by constant,

and multiplication). Our protocols take the follow-

ing form: the client does some pre-processing to cre-

ate the inputs to an arithmetic circuit (or circuits), the

computation of the arithmetic circuits is privately out-

sourced to a server (or servers), and the client does

some post-processing on the outputs of the circuits

to obtain the results. The goals are to minimize the

client’s work, the server’s work, the multiplicative

depth of the circuit, and the number of rounds in the

protocol. Several techniques exist for the private out-

sourcing of arithmetic circuits, and thus these tech-

niques allow us to privately outsource the computa-

tion in the following scenarios:

1. The Sharemind system(Bogdanov et al., 2008) al-

lows 3 servers to compute a result, and is secure

against any single honest-but-curious server. This

Note that is is straightforward to modify our protocols

to support (+, max), (max,min), and (max,+).

system requires 2 rounds of interaction for multi-

plication, but multiplications can be done in par-

allel. Thus the number of communication rounds

is the depth of the circuit, and the total compu-

tation is the size of the circuit. Furthermore, the

client’s computation is proportional to the num-

ber of inputs in the circuit. Another version of

this, is to use the generic results in SMC (such

as (Goldreich et al., 1987)), which would allow n

servers where more than two-thirds of the servers

are honest, but the dishonest servers are actively

corrupted.

2. There are many somewhat homomorphic encryp-

tion schemes, that allow a bounded multiplica-

tive depth circuit to be computed. For example,

the scheme in (Boneh et al., 2005) allow a single

multiplication to be performed. Other schemes

(Naehrig et al., 2011; Brakerski and Vaikun-

tanathan, 2011b; Brakerski and Vaikuntanathan,

2011a) support a larger multiplicative depth, but

the schemes are more efﬁcient when the depth is

small. These schemes allow a client to outsource

the computation to a single server by doing work

proportional to the number of inputs to the circuit,

and the server does work proportional to the size

of the circuit.

Thus by providing schemes that use circuits of

limited multiplicative depth to compute the desired

matrix multiplications, we provide a mechanism to

securely compute the matrix multiplications. That is,

all that the server (or servers) see if the results that

they see in the arithmetic circuit computation, and the

computations have the same structure (regardless of

the input). Hence, if the underlying protocol is secure

then the resulting protocol based on these computa-

tions will also be secure.

Table 1 summarizes the results presented in this

paper where Client denotes the amount of compu-

tations performed by the client, Server denotes the

amount of computation performed by the server, dep

is the multiplicative depth of the computations, and

rds is the number of rounds of interaction that are re-

quired.

Table 1: Result Summary.

Operation Client Server Dep Rds

(+,min) O(|Σ|N

) O(|Σ|N

) 1 1

(+,min) O(

|Σ|N

) O(

|Σ|N

) 2 1

(min,max) O(|Σ|N

) O(|Σ|N

) 1 1

(min,max) O(

|Σ|N

)

|Σ|N

)

3 2

(min,+) O(|Σ|

) O(|Σ|

) 1 1

(min,+) O(|Σ|

1.5

) O(|Σ|

1.5

) 2 1

PrivateOutsourcingofMatrixMultiplicationoverClosedSemi-rings

137

3 RELATED WORK

In the area of private computational outsourcing there

is a growing list of problems considered in this frame-

work (e.g., (Beguin and Quisquater, 1995; Kawamura

and Shimbo, 1993; Lim and Lee, 1995; Matsumoto

et al., 1988; Pﬁtzmann and Waidner, 1992; Atallah

et al., 2001; Hohenberger and Lysyanskaya, 2005b),

and others). We brieﬂy review this work.

In the server-aided secret computation literature

(e.g. (Beguin and Quisquater, 1995; Kawamura and

Shimbo, 1993; Lim and Lee, 1995; Matsumoto et al.,

1988; Pﬁtzmann and Waidner, 1992; Hohenberger

and Lysyanskaya, 2005b), to list a few),a weak smart-

card performs public key decryptions by “borrowing”

computing power from an untrusted server, without

revealing to that server its private information. These

papers deal primarily with the important problem of

modular exponentiations.

In the privacy homomorphism approach proposed

in (Rivest et al., 1978), the outsourcing agent is used

as a permanent repository of data, performing cer-

tain operations on it and maintaining certain predi-

cates while it remains encrypted, whereas the cus-

tomer needs only to decrypt the data from the agent

to obtain the real data. Our secure outsourcing frame-

work differs in that the customer is not interested in

keeping data permanently with the external agents,

instead, the customer only wants to temporarily use

their superior computational power.

The paper (Abadi et al., 1987) shows an impossi-

bility result: That one cannot hope to outsource an ex-

ponential computation while locally doing only poly-

nomial time work. This delineates the limits of what

can be achieved. But securely outsourcing expensive

polynomial time computations (such as a cubic-time

matrix multiplication) remains an important practi-

cal goal. Mobile devices can be so computationally

weak or battery-limited as to be unable of carrying

out computations that would be completely tractable

for a powerful server or supercomputer, and therefore

would beneﬁt from the development of techniques for

the secure outsourcing of expensive polynomial-time

computations.

The work in (Atallah et al., 2001) has a differ-

ent framework because it allows leakage of private

information, whereas in this paper we are interested

in achieving no leakage.

The paper (Atallah and Li, 2005) used homomor-

phic encryption for the problem of computing the edit

distance between two sequences. Its protocol requires

communication between the two servers, a drawback

that the framework of the present paper avoids.

There are several protocols in the area of private

outsourcing of traditional matrix multiplication (Ben-

jamin and Atallah, 2008; Atallah and Frikken, 2010;

Mohassel, 2011). In (Benjamin and Atallah, 2008)

the scheme inherently requires more than one server,

requires the servers to do expensivehomomorphic en-

cryptions, and is vulnerableto collusion by the servers

(they would learn the inputs). The scheme in (Atallah

and Frikken, 2010) only uses a single server, and uses

a heuristic security approach. That is the client has

to perform O(k

) work for a security parameter k.

Finally, the scheme in (Mohassel, 2011) considers se-

curity in a more traditional approach for single server

solutions, but utilizes expensive cryptography.

There are also general results that solve this prob-

lem using a single-server. For example, if privacy is

the only concern, then fully homomorphic encryption

(for example (Gentry, 2009)) could be used to solve

this problem.

While there are many protocols for private out-

sourcing of computations, to our knowledge this pa-

per is the ﬁrst that considers the general forms of

matrix multiplication. Furthermore, as described in

the previous section the approaches described here

can be used in many settings, including: work in the

case of somewhat fully homomorphic encryption, the

heuristic approaches of(Atallah and Frikken, 2010),

and the multi-party outsourcing based on SMC solu-

tions (such as Sharemind).

4 PROTOCOLS FOR (+,MIN)

MATRIX MULTIPLICATION

4.1 A Preliminary Solution

In this section, we propose a protocol for (+,min)

where the workload is O(|Σ|N

) for client and

O(|Σ|N

) for server. To simplify the presentation of

this protocol, we assume the values are in the range

[1, |Σ|] (as opposed to [0, |Σ|−1]). The crux of this

solution are the following two expansions from val-

ues in Σ to vectors with 2|Σ| elements:

1. T1(x) = x

,. . . , x

|Σ|

|Σ|+1

,. . . , ,x

2|Σ|

where for i ∈

[1, |Σ|], x

= 1 if i ≤ x and is 0 otherwise. Also,

for i ∈ [|Σ|+ 1, 2|Σ|] x

= x if i −|Σ| = x and is 0

otherwise.

2. T2(x) = x

,. . . , x

|Σ|

|Σ|+1

,. . . , ,x

2|Σ|

where for i ∈

[|Σ|+ 1,2|Σ|], x

= 1 if i−|Σ| < x and is 0 other-

wise. Also, for i ∈ [1,|Σ|] x

= x if i = x and is 0

otherwise.

Lemma 1. Given any two values x,y ∈[1, Σ], T1(x) ·

T2(y) = min{x, y}.

SECRYPT2012-InternationalConferenceonSecurityandCryptography

138

Proof: Now, T1(x) · T2(y) =



∑

|Σ|

i=1





∑

2|Σ|

i=|Σ|+1



. Furthermore, since y

= 0 ex-

cept where i = y, then



∑

|Σ|

i=1



= x

∗y

= x

∗y.

Now x

= 1 if x ≥ y and thus this value is y if x ≥ y

and is 0 otherwise. A symmetrical argument can be

used to show that



∑

2|Σ|

i=|Σ|+1



= x if x < y and is

0 otherwise. Therefore, T1(x) ·T2(y) = min{x, y}. 

The protocol is as follows:

1. The client expands A into an N ×2|Σ|N matrix by

expanding each cell in its row using T1. Also,

the client expands B into an 2|Σ|N ×N matrix by

expanding each cell in its column using T2.

2. The client outsources the computations C = AB,

which is the desired result.

For each entry in the matrix, the client performs

O(|Σ|) work. Thus the client performs work propor-

tional to O(|Σ|N

) total work. The server must per-

form O(|Σ|N

) total work. Furthermore, the number

of rounds is 1, since everything can be done in paral-

lel. Finally, the multiplicative depth is 1.

4.2 Improved Solution

In this section, we propose a protocol for (+, min).

The workload is O(

|Σ|N

) for client and

|Σ|N

) for server. The main idea of this

approach is that the scheme partitions the values in Σ

into groups of size

|Σ|, and it handles things in the

same group differently then it handles things in other

groups.

More speciﬁcally, Let σ =

|Σ|, then we partition

the range [0, |Σ|) into σ partitions each of size σ. For

any value v ∈ [0,|Σ|), it could be represented by two

values less than σ, v

′′

= v mod σ and v

′

= ⌊

⌋. Note

that v = v

′

σ + v

′′

. Given a and b, we say that these

values are in the same group if a

′

= b

′

First we deﬁne 6 expansion functions that expand

v ∈ [0,|Σ|) into vectors of length σ.

1. V1(v) = f

,. . ., f

σ−1

where f

= 1 if i < v

′

and is

0 otherwise.

2. V2(v) = f

,. . . , f

σ−1

where f

= v if i = v

′

and is

0 otherwise.

3. V3(v) = f

,. . ., f

σ−1

where f

= 1 if i = v

′

and is

0 otherwise.

4. V4(v) = f

,. . ., f

σ−1

where f

= 1 if i ≤ v

′′

and is

0 otherwise.

5. V5(v) = f

,. . ., f

σ−1

where f

= 1 if i < v

′′

and is

0 otherwise.

6. V6(v) = f

,. . . , f

σ−1

where f

= v if i = v

′′

and is

0 otherwise.

Lemma 2. For any values a, b ∈ Σ,

(V3(a) ·V3(b)) (V4(a) ·V6(b) +V5(b) ·V6(a))+

(V1(a) ·V2(b) +V1(b) ·V2(a)) = min{a, b} where ·

denotes the inner product of vectors

Proof:

There are two cases to consider: i) the case where a

and b are in different groups, and ii) the case where a

and b are in the same group.

Consider the case where a and b are in different

groups. Now, V1(a) ·V2(b) = b if b

′

< a

′

and is 0

otherwise. Furthermore, V1(b) ·V2(a) = a if a

′

< b

′

and is 0 otherwise. Hence, If a and b are in dif-

ferent groups, then V1(a) ·V2(b) + V1(b) ·V2(a) =

min{a, b}. If a and b are in the same group, then this

is 0.

Consider the case where a and b are in the same

group. First, V3(a) ·V3(b) = 1 if a

′

= b

′

and is 0

otherwise. That is, this value is 1 if a and b are in

the same group and is 0 otherwise. Given that a

′

= b

′

then:

1. If a ≥ b, then V4(a) ·V6(b) = b. Otherwise,

V4(a) ·V6(b) = 0

2. If a < b, then V5(b) ·V6(a) = a. Otherwise,

V5(b) ·V6(a) = 0

Putting these two pieces together: if a

′

= b

′

then

(V4(a) ·V6(b) +V5(b) ·V6(a)) = min{a, b}. Hence,

(V3(a) · V3(b))(V4(a) · V6(b) + V5(b) · V6(a)) =

min{a, b} when a and b are in the same group, but

is 0 if there are in different groups.

Therefore by combining these two cases: (V3(a) ·

V3(b))(V4(a) · V6(b) + V5(b) · V6(a)) + (V1(a) ·

V2(b) +V1(b) ·V2(a)) = min{a, b}. 

The protocol is as follows:

1. The client creates 5 matrices A

(resp. B

), each

cell of which is the expansion vector Vi (respec-

tively, V j) of the corresponding cell in A (resp. in

B), for i = 1, 2,3,4,6 (resp. j = 1,2, 3, 5, 6.)

2. The client uses an outsourced server to com-

pute a matrix C where C[i, j] =

∑

ℓ=1

((A

(i,ℓ) ·

(ℓ, j))(A

(i,ℓ) · B

(ℓ, j) + B

(ℓ, j) · A

(i,ℓ)) +

(i,ℓ) ·B

(ℓ, j) + B

(ℓ, j) ·A

(i,ℓ))).

C is the (+,min) product of A and B, because each

cell of C is the sum of N minimums of aligned cells in

A and B. The client’s work is mainly to create matri-

ces A

and B

, which is of size O(σN

) = O(

|Σ|N

And the server’s work is O(

|Σ|N

) to compute the

result cells, since for each cell he has to compute

the sums of N minimums by the circuit. Notice that

the multiplicative depth of this circuit is 2, and num-

ber of communication rounds is 1.

PrivateOutsourcingofMatrixMultiplicationoverClosedSemi-rings

139

5 PROTOCOLS FOR (min,max)

MATRIX MULTIPLICATION

5.1 Preliminary Solution

We now introduce a protocol for (min, max). To

achieve this the client will outsource |Σ| matrix multi-

plications in parallel (each of which has multiplicative

depth of 1). The ith multiplication will reveal which

entries in the result matrix are ≤ i. These values can

be combined together to ﬁnd the actual values of the

entries; that is, the value of a cell is the minimum ma-

trix product that is non-zero in that cell.

The protocol is as follows:

1. For each i ∈ [0,|Σ), the client computes A

and

which are N ×N matrices where A

[ j,k] (resp.

[ j,k]) is 1 if A[ j, k] ≤ i (resp. B[ j,k] ≤ i) and

is 0 otherwise. Note that A

[ j,k] ∗B

[k, ℓ] = 1 if

both A

[ j,k] and B

[

k, ℓ are ≤ i. In other words,

[ j,k]∗B

[k, ℓ] = 1 if max{A[ j,k], B[k, ℓ]}≤i and

is 0 otherwise.

2. The client has the server compute C

= A

for

all i ∈ [0,|Σ|). Note that C

[ j,k] =

∑

ℓ=1

[ j,ℓ] ∗

[ℓ, k]), which will be non-zero if and only if

there is an ℓ such that A[ j, k] and B[k, ℓ] are

both ≤ i. Such an ℓ exists if and only if

min

z∈[1,N]

{max{A[ j, z],B[z,k]}} ≤ i.

3. The client computes the result matrixC, by setting

C[i, j] to be the smallest value ℓ such that C

ℓ

[i, j]

is non-zero.

The above protocol works because C

[ j,k] will be

non-zero if and only if there is a value ℓ such that

[ j,ℓ] and B

[ℓ, k] are both 1. But this means that

[ j,ℓ] and B

[ℓ, k] are both ≤i, and thus the minimum

of the maximums will be ≤ i.

Note that the client has to perform O(|Σ|N

) work,

and the server has to perform O(|Σ|N

) work. The

number of rounds is 1, and the multiplicative depth is

5.2 Improved Solution

In this section, we improve the protocol in the

previous section by reducing the client’s cost to

|Σ|N

). This is achieved by increasing the depth

of the circuit and by increasing the number of rounds.

Let σ =

|Σ|, and given a value v ∈ [0, |Σ|), let

′′

= v mod σ and v

′

= ⌊

⌋. Note that v = v

′

σ + v

′′

We refer to v

′

as the group of v and to v

′′

as the offset

of v.

First observe that the protocol in the previous sec-

tion can be modiﬁed to ﬁnd the value of each cell

within an additive factor of σ. That is, it is possi-

ble to ﬁnd a matrix C

′

where C

′

[i, j] = c if C[i, j] ∈

[cσ,(c+ 1)σ). Furthermore, this can be done by com-

pute A

and B

only for multiples of σ in the protocol

in the previous section. The client’s cost of this pro-

tocol is O(σN

). This will be the ﬁrst round of the

computation, and this matrix will be used in the sec-

ond round.

The second part of this protocol will be to com-

pute the offset in each group. The difﬁcult part will

be creating a test for each cell of the matrix that tests

if the offset is ≤ t for some value t. The difﬁcult part

of this is to ignore the pairs of values that are not in

the correct group for a cell.

Before giving our full protocol, we describe a few

functions that are used in the construction.

1. Given v ∈ [0, σ), EQ(v) = v

,. . ., v

where v

= 1

and all other values are 0.

2. Given v ∈ [0, σ), LT(v) = v

,. . . , v

where v

= 1

if i < v and is 0 otherwise.

3. Given v ∈ [0, σ), EQ

(v) = 1 if t = v and is 0 oth-

erwise.

4. Given v ∈ [0,σ), LT

(v) = 1 if v < t and is 0 oth-

erwise.

5. Given v ∈ [0, σ), LE

(v) = 1 if v ≤t and is 0 oth-

erwise.

Given values a, b ∈ [0, Σ) and c,t ∈ [0, σ) sup-

pose that we wanted to create a test to determine

if max{a, b} = cσ + t. There are 3 possible ways

that this could happen: 1) a

′

< c and b = cσ + t, 2)

′

< c and a = cσ + t, and 3) a

′

= c, b

′

= c, and

max{a

′′

} = t. Note that these three cases are mu-

tually exclusive. We now deﬁne various functionsthat

are used in the protocol:

1. F1

(a,b,c) = (EQ(a

′

) · LT(c)) ∗ (EQ(b

′

) ·

EQ(c)) ∗EQ

′′

). Note that F1

(a,b,c) = 1 if

′

< c and b = cσ + t and is 0 otherwise. Also,

note that this function has multiplicative depth 3.

2. F2

(a,b,c) = (EQ(b

′

) · LT(c)) ∗ (EQ(a

′

) ·

EQ(c)) ∗EQ

′′

). Note that F2

(a,b,c) = 1 if

′

< c and a = cσ + t and is 0 otherwise. Also,

note that this function has multiplicative depth 3.

3. F

(t, a, b,c) = (EQ(a

′

) · EQ(c)) ∗ (EQ(b

′

) ·

EQ(c)) ∗ (LE

′′

)EQ

′′

) + LT

′′

)EQ

′′

)).

Note that F3

(a,b,c) = 1 if a

′

= b

′

= c and

max{a, b}= cσ+t and is 0 otherwise. Also, note

that this function has multiplicative depth 3.

4. F

(a,b,c) = F1

(a,b,c) + F2

(a,b,c) +

(a,b.c). Note that this function is 1 if

max{a, b} = cσ + t and is 0 otherwise. The three

cases above are mutually exclusive and partition

SECRYPT2012-InternationalConferenceonSecurityandCryptography

140

all possible cases where max{a,b}= cσ+t. Note

that this function has multiplicative depth 3. It is

important to note that to compute this function

that we need only to have: LT(c), EQ(c), EQ(a

′

EQ(b

′

), EQ

′′

), EQ

′′

), LE

′′

), LT

′′

We are now ready to give the protocol.

1. For each i ∈ [0, σ), the client computes A

iσ

and

iσ

which are N×N matrices where A

[ j,k] (resp.

[ j,k]) is 1 if A[ j,k] ≤ i (resp. B[ j, k] ≤ i) and is

0 otherwise.

2. The client has the server computeC

iσ

= A

iσ

for

all i ∈ [0,σ). These can be done in parallel.

3. The client computes an intermediate matrixC

′

, by

setting C

′

[i, j] to be the smallest value ℓ such that

ℓσ

[i, j] is non-zero.

4. For each t ∈ [0,σ), the client outsources the com-

putations of a matrix C

where

[i, j] =

∑

ℓ=1

(A[i,ℓ], B[ℓ, j],C

′

[i, j]). This is

done by having the client outsource the above

mentioned vectors and values to the server(or

servers) that are necessary for this computation.

Note thatC

[i, j] is the number of values ℓ ∈ [1, N]

such that max{A[i, ℓ], B[ℓ, j]} = C

′

[i, j]σ+ t.

5. Given C

,. . . ,C

σ−1

, the client computes the result

C[i, j] as follows: Let q be the smallest values such

that C

[i, j] is non-zero and set C[i, j] = C

′

[i, j]σ+

The above protocol requires the client to per-

form O(

|Σ|N

) computations, the server to per-

form O(

|Σ|N

) computations, requires multiplica-

tive depth 3 and requires 2 rounds.

6 PROTOCOLS FOR (MIN,+)

MATRIX MULTIPLICATION

6.1 Preliminary Solution

In this section we present a scheme for (min,+)

where the client performs work O(|Σ|

). The main

idea of this scheme is to perform a test for each pos-

sible value of a cell in the result. The test for value T

will determine which cells in the result have a value

≤T (speciﬁcally the test counts the number of values

in the corresponding row of A and column of B where

the sum is ≤ T). This test is performed for all val-

ues from 0 to 2|Σ|−2. These results can be combined

together to determine the actual value of the cell by

ﬁnding the minimum value of T where the value is

non-zero for each cell. We now give the functional-

ity TEST

(A,B) (which is used to test if a cell in the

result is ≤ T):

1. For each cell A[i, j], expand it into |Σ|

cells in its row. Denote these cells as

(0)

[i, j], .. . ,A

(|Σ|−1)

[i, j] where A

(ℓ)

[i, j] = 1

if ℓ + A[i, j] ≤ T and is 0 otherwise. Denote as

the N × |Σ|N matrix that results from this

expansion.

2. For each cell B[i, j], expand it into |Σ|

cells in its column. Denote these cells as

(0)

[i, j], .. . ,B

(|Σ|−1)

[i, j] where B

(ℓ)

[i, j] = 1 if

ℓ = B[i, j] and is 0 otherwise. Denote as B

the

|Σ|N ×N matrix that results from this expansion.

As an example, suppose that |Σ| = 4, A[i, j] =

2 and B[ j,k] = 1. When doing the test for

T = 3, the value of A[i, j] will be expanded into

(0)

[i, j], .. . ,A

(3)

[i, j] = 1, 1, 0, 0, and the value of

B[ j,k] will be expanded into B

(0)

[i, j], .. . ,B

[i, j] =

0, 1, 0,0. Notice that the scalar product of these two

values is 1, and in this case A[i, j] + B[ j, k] ≤ 3. More

generally, the scalar product of the expansions of two

values will be 1 when the sum of the two values is

≤ T and and is 0 otherwise.

If we denote as C

= A

where (A

) ←

TEST

(A,B), then C

is a N ×N matrix with the fol-

lowing property:

Lemma 3. C

[i, j] = 0 if and only if min{A[i][ℓ] +

B[ℓ][ j] : 1 ≤ ℓ ≤ N} > T.

Proof: Now, since C

= A

[i, j] =

∑

ℓ=1

|Σ|−1

∑

m=0

(m)

[i,ℓ]B

(m)

[ℓ, j]

According to the transformation B

(m)

[ℓ, j] =

1 if m = B[ℓ, j] and is 0 otherwise, hence

(m)

[i,ℓ]B

(m)

[ℓ, j] = 0 if m 6= B[ℓ, j], and is A

(m)

[i,ℓ]

otherwise. Therefore,

∑

ℓ=1

|Σ|−1

∑

m=0

(m)

[i,ℓ]B

(m)

[ℓ, j] =

∑

ℓ=1

(B[ℓ, j])

[i,ℓ]

According to the transformation A

(B[ℓ, j])

[i,ℓ] = 1

if A[i, ℓ] + B[ℓ, j] ≤ T and is 0 otherwise. Hence,

[i, j] = 0 if and only if A[i,ℓ] + B[ℓ, j] > T for all

ℓ ∈ [0,N −1]. However, this means that min{A[i][ℓ] +

B[ℓ][ j] : 0 ≤ ℓ ≤ N −1} > T, which concludes the

proof. 

Now that the TEST

functionality has been de-

ﬁned, we present the main protocol of this section

for computing the (min, +) matrix multiplication of

A and B:

PrivateOutsourcingofMatrixMultiplicationoverClosedSemi-rings

141

1. The data owner computes (A

) ← TEST

(A,B)

for all i ∈ [0, 2|Σ|−2].

2. The data owner uses an outsourced server to com-

pute C

= A

for all i ∈ [0, 2|Σ|−2].

3. Set C[i, j] to be the smallest value v such that

[i, j] 6= 0.

The correctness of the above algorithm is based

on Lemma 3. That is, if C

v−1

[i, j] = 0 and C

[i, j] 6=

0, then there must be at least one value in A[i,ℓ] +

B[ℓ, j] ≤ v, but there is no such value where A[i,ℓ] +

B[ℓ, j] ≤v−1, and hence the minimum of the sums is

The client’s work in the TEST functionality is

O(|Σ|N

), and the test functionality is invoked O(|Σ|)

times, and thus the client’s work is O(|Σ|

). Fur-

thermore for each TEST the server must perform

O(|Σ|N

) work, and thus the server’s computation is

O(|Σ|

). The number of rounds in the protocol is

1, since the matrix multiplications can be done in par-

allel. Finally, the server only performs matrix multi-

plications, and thus multiplication depth is 1.

6.2 Reducing Costs by Increasing Depth

In this section we give a scheme that has client com-

plexity O(|Σ|

1.5

) for (min,+). The main idea of

this scheme is that it trades off lower computational

costs by increasing the multiplicative depth of the cir-

cuits that are used. Essentially, this scheme reduces

the cost of the test functionality in the previous algo-

rithm to O(

√

Σ|).

Let σ =

|Σ|, and given a value v ∈ [0, |Σ|), let

′′

= v mod σ and v

′

= ⌊

⌋. Note that v = v

′

σ+ v

′′

Before describing our scheme we deﬁne several

expansion functions that takes a value v ∈ [0, |Σ|) and

a value t ∈ [0,2|Σ|−2] and produces a vector with σ

elements.

1. V1(t, v) = a

,. . . , a

σ−1

where a

= 1 if i = t

′

−v

′

−

1 and is 0 otherwise.

2. V2(t, v) = a

,. . . , a

σ−1

where a

= 1 if i = t

′

−v

′

and is 0 otherwise.

3. V3(t, v) = a

,. . . , a

σ−1

where a

= 1 if i = t

′′

−v

′′

and is 0 otherwise.

4. V4(t, v) = a

,. . . , a

σ−1

where a

= 1 if i = σ+t

′′

−

′′

and is 0 otherwise.

5. V5(t, v) = a

,. . . , a

σ−1

where a

= 1 if i = v

′

and

is 0 otherwise.

6. V6(t, v) = a

,. . . , a

σ−1

where a

= 1 if i = v

′′

and

is 0 otherwise.

We will test when a speciﬁc cell has any cells in its

corresponding row and column where the sum of the

cells is equal to a target value t. Given two values a

and b, there are two mutually exclusive ways in which

this can happen: 1) a

′

+ b

′

= t

′

and a

′′

+ b

′′

= t

′′

and

2) a

′

+ b

′

= t

′

−1 and a

′′

+ b

′′

= σ + t

′′

. We consider

each of these cases separately:

For the ﬁrst case the value V2(t, a) ·V

(t, b) =

1 if a

′

+ b

′

= t

′

and is 0 otherwise. To see this,

suppose that V2(t, a) = a

,. . ., a

σ−1

and V5(t,b) =

,. . . , b

σ−1

. Now b

= 1 only when i = b

′

, and thus

V2(t,a)·V

(t, b) = a

′

, which will be 1 iff b

′

= t

′

−a

′

Consider, the value V

(t, a) ·V6(t, b); this value will

be 1 if and only if a

′′

+ b

′′

= t

′′

. To see this, no-

tice that both of these vectors have a single 1, and

so the ones must align. Furthermore, these values

align only when a

′′

+ b

′′

= t

′′

. Thus if we com-

pute (V2(t, a)·V

(t, b))∗(V

(t, a)·V6(t,b)), then this

value will be 1 only when a

′

= t

′

and a

′′

= t

′′

and will be 0 otherwise.

Now consider the second case. The value

V1(t,a) ·V5(t,b) will be 1 only when a

′

+ b

′

= t

′

−1

and will be 0 otherwise. The reasoning is the same

as in the previous paragraph. Furthermore, the values

V4(t,a)·V6(t, b) is 1 only when a

′′

+ b

′′

= σ+t

′′

and

will be 0 otherwise. Thus if we compute (V1(t,a) ·

(t, b))∗(V

(t, a)·V6(t, b)), then this value will be 1

only when a

′

+ b

′

= t

′

−1 and a

′′

+ b

′′

= σ + t

′′

and

will be 0 otherwise.

Putting these pieces together, the value (V2(t,a) ·

(t, b)) ∗ (V

(t, a) ·V6(t,b)) + (V1(t, a) ·V

(t, b)) ∗

(t, a) ·V6(t, b)) will be 1 if a + b = t and will be

0 otherwise. As a shorthand notation we denote this

value as F(a,b,t).

We are nowready to present the main protocol that

will use the above vectors and values.

1. For each value t ∈ [0,2|Σ|−2] the client does the

following:

(a) For each entry A[i, j], the client computes

V1(t,A[i, j]), V2(t, A[i, j]), V3(t, A[i, j]), and

V4(t,A[i, j]).

(b) For each entry B[i, j], the client computes

V5(t,B[i, j]), V6(t, B[i, j])

where C

[i, j] =

∑

ℓ=1

F(A[i,ℓ], B[ℓ, j],t).

2. For the end result, the client sets the value of

C[i, j] to be the smallest value t such that C

[i, j] 6=

The above protocol works because F(v

,t)

is non-zero only when v

+ v

= t. Thus

∑

ℓ=1

F(A[i, ℓ], B[ℓ, j],t) will be non-zero if and only

if there is a pair of entries in the ith row in A and jth

column of B such that the sum of the two values is t.

Hence, the minimum value t such that C

[i, j] is non-

zero will be the minimum of the sums as required.

SECRYPT2012-InternationalConferenceonSecurityandCryptography

142

For each entry in the matrix, the client performs

O(σ) work per test. Since there are O(|Σ|) such tests

the client performs work proportional to O(|Σ|

1.5

)

total work. The server must perform O(|Σ|

1.5

) total

work. Furthermore, the number of rounds is 1, since

everything can be done in parallel. Finally, the multi-

plicative depth is 2.

7 CONCLUSIONS AND FUTURE

WORK

We introduced techniques for outsourcing matrix

multiplications over closed semi-rings and other al-

gebraic structures that lack the ring algebraic struc-

ture of the (+, ∗) multiplication. These techniques

can be used in a variety of settings to outsource the

computations in a secure manner. The remote server

being used does not learn anything about the inputs or

the outputs to a computation other than the size of the

matrices and of the alphabet. Although in most prac-

tical situations it is harmless to leak the size of the

alphabet, it is nevertheless of intellectual interest to

extend our protocols so as to hide it. There is a more

practical need for extending our schemes to hide the

size of the matrices, which we leave for future work.

ACKNOWLEDGMENTS

The authors would like to thank the anonymous

reviewers for their comments and useful sugges-

tions. Portions of this work were supported Na-

tional Science Foundation Grants CNS-0915436,

CNS-0913875,CNS-0915843, Science and Technol-

ogy Center CCF-0939370; by an NPRP grant from

the Qatar National Research Fund; by Grant FA9550-

09-1-0223 from the Air Force Ofﬁce of Scientiﬁc Re-

search; and by sponsors of the Center for Education

and Research in Information Assurance and Security.

The statements made herein are solely the responsi-

bility of the authors.

REFERENCES

Abadi, M., Feigenbaum, J., and Kilian, J. (1987). On hid-

ing information from an oracle. In Proceedings of the

nineteenth annual ACM conference on Theory of com-

puting, pages 195–203. ACM Press.

Atallah, M. J. and Frikken, K. B. (2010). Securely out-

sourcing linear algebra computations. In Proceedings

of the 5th ACM Symposium on Information, Computer

and Communications Security, ASIACCS ’10, pages

48–59, New York, NY, USA. ACM.

Atallah, M. J. and Li, J. (2005). Secure outsourcing of se-

quence comparisons. In International Journal of In-

formation Security, pages 277–287.

Atallah, M. J., Pantazopoulos, K. N., Rice, J., and Spafford,

E. H. (2001). Secure outsourcing of scientiﬁc compu-

tations. Advances in Computers, 54(6):215–272.

Beguin, P. and Quisquater, J. J. (1995). Fast server-aided rsa

signatures secure against active attacks. In CRYPT0

95, pages 57–69.

Benjamin, D. and Atallah, M. J. (2008). Private and

cheating-free outsourcing of algebraic computations.

In Sixth Annual Conference on Privacy, Security and

Trust, PST 2008, October 1-3, 2008, Fredericton, New

Brunswick, Canada, pages 240–245.

Bogdanov, D., Laur, S., and Willemson, J. (2008). Share-

mind: A framework for fast privacy-preserving com-

putations. In Jajodia, S. and Lopez, J., editors, Com-

puter Security - ESORICS 2008, volume 5283 of

Lecture Notes in Computer Science, pages 192–206.

Springer Berlin / Heidelberg.

Boneh, D., Goh, E.-J., and Nissim, K. (2005). Evaluating 2-

dnf formulas on ciphertexts. In Kilian, J., editor, The-

ory of Cryptography, volume 3378 of Lecture Notes

in Computer Science, pages 325–341. Springer Berlin

/ Heidelberg.

Brakerski, Z. and Vaikuntanathan, V. (2011a). Efﬁcient

fully homomorphic encryption from (standard) lwe.

Cryptology ePrint Archive, Report 2011/344.

Brakerski, Z. and Vaikuntanathan, V. (2011b). Fully ho-

momorphic encryption from ring-lwe and security for

key dependent messages. In Rogaway, P., editor, Ad-

vances in Cryptology CRYPTO 2011, volume 6841 of

Lecture Notes in Computer Science, pages 505–524.

Springer Berlin / Heidelberg.

Cormen, T. H., Stein, C., Rivest, R. L., and Leiserson, C. E.

(2001). Introduction to Algorithms. McGraw-Hill

Higher Education, 2nd edition.

Duan, R. and Pettie, S. (2009). Fast algorithms for (max,

min)-matrix multiplication and bottleneck shortest

paths. In Proceedings of the twentieth Annual ACM-

SIAM Symposium on Discrete Algorithms, SODA ’09,

pages 384–391, Philadelphia, PA, USA. Society for

Industrial and Applied Mathematics.

Felzenszwalb, P. and McAuley, J. (2011). Fast infer-

ence with min-sum matrix product. Pattern Analy-

sis and Machine Intelligence, IEEE Transactions on,

33(12):2549 –2554.

Gentry, C. (2009). Fully homomorphic encryption using

ideal lattices. In Proceedings of the 41st annual ACM

symposium on Theory of computing, STOC ’09, pages

169–178, New York, NY, USA. ACM.

Goldreich, O., Micali, S., and Wigderson, A. (1987). How

to play any mental game. In Proceedings of the nine-

teenth annual ACM conference on Theory of comput-

ing, pages 218–229.

Hohenberger, S. and Lysyanskaya, A. (2005a). How to se-

curely outsource cryptographic computations. In Kil-

ian, J., editor, Theory of Cryptography, volume 3378

PrivateOutsourcingofMatrixMultiplicationoverClosedSemi-rings

143

of Lecture Notes in Computer Science, pages 264–

282. Springer Berlin / Heidelberg.

Hohenberger, S. and Lysyanskaya, A. (2005b). How to se-

curely outsource cryptographic computations. In The-

ory of Cryptography Conference (TCC'05), volume

3378 of LNCS, pages 264–282.

Kawamura, S. I. and Shimbo, A. (1993). Fast server-aided

secret computation protocols for modular exponentia-

tion. IEEE Journal on Selected Areas in Communica-

tions, 11(5):778–784.

Lim, C. H. and Lee, P. J. (1995). Security and performance

of server-aided rsa computation protocols. In CRYPT0

95, pages 70–83.

Matsumoto, T., Kato, K., and Imai, H. (1988). Speeding up

secret computations with insecure auxiliary devices.

In CRYPT0 88, pages 497–506.

Mohassel, P. (2011). Efﬁcient and secure delegation of

linear algebra. Cryptology ePrint Archive, Report

2011/605. http://eprint.iacr.org/.

Naehrig, M., Lauter, K., and Vaikuntanathan, V. (2011).

Can homomorphic encryption be practical? In Pro-

ceedings of the 3rd ACM workshop on Cloud comput-

ing security workshop, CCSW ’11, pages 113–124,

New York, NY, USA. ACM.

Pﬁtzmann, B. and Waidner, M. (1992). Attacks on protocols

for server-aided rsa computations. In EUROCRYPT

92, pages 153–162.

Rivest, R. L., Adleman, L., and Dertouzos, M. L. (1978).

On data banks and privacy homomorphisms. Founda-

tions of Secure Computation, pages 169–177.

Saks, M. E. (1988). A limit theorem for (min, +) matrix

multiplication. Math. Oper. Res., 13:606–618.

Vassilevska, V., Williams, R., and Yuster, R. (2007). All-

pairs bottleneck paths for general graphs in truly sub-

cubic time. In Proceedings of the thirty-ninth annual

ACM symposium on Theory of computing, STOC ’07,

pages 585–589, New York, NY, USA. ACM.

SECRYPT2012-InternationalConferenceonSecurityandCryptography

144