HerA Scheme: Secure Distributed Matrix Multiplication via Hermitian Codes

Matrix multiplication is an essential back-end operation of numerous applications in signal processing and machine learning. When facing applications involving massive matrices, matrix multiplication in a single computer is slow, and distributed solutions need to be adopted. In such a scenario, the goal is to speed up the computational time to perform the matrix multiplication. Thus, the multiplication task is divided into smaller sub-tasks distributed across dedicated workers.

The setting for the problem considered in this paper is as follows. A user has two matrices, $A\in\mathbb{F}^{a\times b}_{q^{2}}$ and $B\in\mathbb{F}^{b\times c}_{q^{2}}$, and wishes to compute their product, $AB\in\mathbb{F}_{q^{2}}^{a\times c}$, with the assistance of $N$ servers, without leaking any information about either $A$ or $B$ to any server. We assume that all servers are honest but curious (passive) in that they are not malicious and will follow the pre-agreed-upon protocol. However, any $T$ may collude to eavesdrop and deduce information about either $A$ or $B$.

We follow the setting proposed in [1], with many follow-up works [2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18]. The performance metric initially used was the download cost, i.e., the total amount of data downloaded by the users from the server. Subsequent work has also considered the upload cost [11], the total communication cost [17, 15], and computational costs [9, 16].

Different partitionings of the matrices lead to different trade-offs between upload and download costs. In this paper, we consider the inner product partitioning given by $A=\begin{bmatrix}A_{1}&\cdots&A_{L}\end{bmatrix}$ and $B^{\intercal}=\begin{bmatrix}B_{1}^{\intercal}&\cdots&B_{L}^{\intercal}\end{bmatrix}$ such that $AB=A_{1}B_{1}+\cdots+A_{L}B_{L}$, where all products $A_{\ell}B_{\ell}$ are well-defined and of the same size. Under this partitioning, a polynomial code is a polynomial $h(x,y)=f(x,y)\cdot g(x,y)$, whose coefficients encode the sub-matrices $A_{k}B_{\ell}$. The $N$ servers compute the evaluations $h(P_{1}),\ldots,h(P_{N})$ for certain points $P_{1},\ldots,P_{N}$ in an Hermitian curve. The servers send these evaluations to the user. The two-variable polynomial $h(x,y)$ is constructed to ensure that no $T$-subset of evaluations reveals any information about $A$ or $B$ ($T$-security), and the user can reconstruct $AB$ given all $N$ evaluations $h(P_{1})$, $\ldots$, $h(P_{N})$(decodability).

Examples of polynomial schemes using the inner product partitioning are the secure MatDot codes in [6], the DFT-codes in [11], and the FTP codes [15]. Some authors started exploring two-variable polynomials in the context of secure distributed matrix multiplication using outer product partitioning, [18, 13]. One of the literature’s main focuses was minimizing the minimum amount of helping servers $N$, also known as the recovery threshold, to reduce the communication cost. In [15], Machado et al. presented a scheme to reduce the total communication by contacting more servers. Most of the constructions rely on large finite fields and even extensions of finite fields. This paper investigates the partitioning and security capacities given matrices $A$ and $B$ have entries in $\mathbb{F}_{q^{2}}$, a finite field with $q^{2}$ elements.

We present the Hermitian Algebraic (HerA) scheme, a two-variable polynomial scheme inspired by Algebraic Codes in secret sharing schemes literature, specifically the Algebraic Codes for Secret Sharing Schemes were first introduced in [19], a protocol close to optimal communication efficiency and robust security with lengths not bounded by the field size. When employing this scheme to the secure matrix multiplication problem, matrix $A$ should be encoded in a Hermitian code while matrix $B$ is encoded in its dual. Therefore, the recovery threshold is allowed to be larger than the field’s size ${q^{2}}$, which no other polynomial scheme could achieve.

This section introduces some basic notation and the main results in Hermitian codes needed for the rest of the paper. For example, we define $[M,N]=\{M,M+1,\ldots,N\}$ and $[M]=[1,M]$.

We record some facts about Hermitian codes from [34].

Theoretically, a Hermitian code can also be constructed by evaluating $f(x,y)\in\mathcal{L}(mP_{\infty})$ at a proper subset of the affine rational points, but then Remark 1 may no longer hold.

We begin our description of HerA (Hermitian Algebraic) codes with the following example, which we present in as much detail as possible to present the crucial components of the scheme. We compare the size of the field required for a Discrete Fourier Transform code and a HerA code to illustrate the flexibility HerA codes have.

In this example, a user desires to compute the product of two matrices $A=\begin{bmatrix}A_{1}&A_{2}\end{bmatrix}\in\mathbb{F}_{5}^{a\times b}$ and $B$ where $B^{\intercal}=\begin{bmatrix}B_{1}^{\intercal}&B_{2}^{\intercal}\end{bmatrix}\in\mathbb{F}_{5}^{c\times b}$ such that $AB=A_{1}B_{1}+A_{2}B_{2}$ with the assistance of non-colluding helper servers. The solution via Discrete Fourier Transform codes schemes utilizes $N=4$ servers. It involves picking two random matrices $R\in\mathbb{F}_{5}^{a\times\frac{b}{2}}$ and $S\in\mathbb{F}_{5}^{\frac{b}{2}\times c}$ and constructing the one-variable polynomials $f^{\prime}(x)=A_{1}+A_{2}x+Rx^{2}$ and $g^{\prime}(x)=B_{1}+B_{2}x^{-1}+Sx^{-3}$. The user then selects four distinct non-zero elements $\beta_{1},\beta_{2},\beta_{3},\beta_{4}\in\mathbb{F}_{5}$ and uploads both $f^{\prime}(\beta_{i})$ and $g^{\prime}(\beta_{i})$ to Server $i$. Each server then computes the product $f^{\prime}(\beta_{i})\cdot g^{\prime}(\beta_{i})$. This is equivalent to computing an evaluation $h^{\prime}(\beta_{i})$ of the polynomial $h^{\prime}(x)=(A_{1}B_{1}+A_{2}B_{2})+(A_{2}B_{1}+RB_{2})x+RB_{1}x^{2}+A_{1}Sx^{-3}+A_{2}Sx^{-2}+(A_{1}B_{2}+RS)x^{-1}$. The user then downloads each $h^{\prime}(\beta_{i})$, obtaining four evaluations of a polynomial of degree two. Therefore, the user can retrieve $AB=A_{1}B_{1}+A_{2}B_{2}$ by operating $4\sum_{i=1}^{4}h^{\prime}(\beta_{i})$ since $\sum_{i=1}^{4}(3^{i})^{s}=0\ \ \forall s:4\nmid s$.

The security of the Discrete Fourier Transform codes follows from the fact that $I(f^{\prime}(\beta_{i}),g^{\prime}(\beta_{i});A,B)=0$. As for the communication costs, first the user uploads $f^{\prime}(\beta_{i})$ and $g^{\prime}(\beta_{i})$, which cost $ab$ and $bc$, symbols respectively, four times. Thus, the upload cost is $4(ab+bc)$ symbols of $\mathbb{F}_{5}$. Then, the user downloads $h^{\prime}(\beta_{i})$, which costs $ac$ symbols of $\mathbb{F}_{5}$, four times, obtaining a download cost of $4ac$ symbols of $\mathbb{F}_{5}$. Since the user retrieves $AB\in\mathbb{F}_{5}^{a\times c}$, which consists of $ac$ symbols of $\mathbb{F}_{5}$, the total communication rate is given by $\mathcal{R}^{\prime}=\frac{ac}{4ab+4bc+4ac}$.

The setting we consider for our construction is similar to the one considered for DFT codes except for the size of the field, i.e., a user wants to compute the product of two matrices $A=\begin{bmatrix}A_{1}&A_{2}\end{bmatrix}\in\mathbb{F}_{4}^{a\times b}$ and $B$ where $B^{\intercal}=\begin{bmatrix}B_{1}^{\intercal}&B_{2}^{\intercal}\end{bmatrix}\in\mathbb{F}_{4}^{c\times b}$ such that $AB=A_{1}B_{1}+A_{2}B_{2}$. We also pick two random matrices $R\in\mathbb{F}_{4}^{a\times\frac{b}{2}}$ and $S\in\mathbb{F}_{4}^{\frac{b}{2}\times c}$. Based on properties of Hermitian codes, we present an HerA code which allows multiplying matrices in a smaller finite field utilizing $N=4$ servers.

Let $\delta\in\mathbb{F}_{4}$ denote a algebraic element in $\mathbb{F}_{4}$ such that $\delta^{2}+\delta+1=0$. Let $P_{\alpha\beta}\in\mathbb{F}_{4}\times\Gamma_{\alpha}$ denote rational points satisfying $\beta^{2}+\beta=\alpha^{3}$. Therefore, $P_{00}=(0,0)$, $P_{01}=(0,1)$, $P_{1\delta}=(1,\delta)$, $P_{1\delta^{2}}=(1,\delta^{2})$, $P_{\delta\delta}=(\delta,\delta)$, $P_{\delta\delta^{2}}=(\delta,\delta^{2})$, $P_{\delta^{2}\delta}=(\delta^{2},\delta)$ and $P_{\delta^{2}\delta^{2}}=(\delta^{2},\delta^{2})$ are all the possible affine rational points. Let $f(x,y)$ be a two-variable polynomial generated by monomials $\{1,x,y\}$ such that $f(P_{00})=A_{1}$, $f(P_{01})=A_{2}$ and $f(P_{1\delta})=R$. Let $g(x,y)$ be a two-variable polynomial generated by monomials $\{1,x,x^{2},y,xy\}$ such that $g(P_{00})=B_{1}$, $g(P_{01})=B_{2}$, $g(P_{1\delta})=S$, $g(P_{1\delta^{2}})=0$ and $g(P_{\delta\delta})=0$. The explicit polynomials are

and

Then, $h(x,y)=f(x,y)\cdot g(x,y)$ is such that $h(P_{00})+h(P_{01})=A_{1}B_{1}+A_{2}B_{2}=AB$.

Since $(f(P_{00}),f(P_{01}),\ldots,f(P_{\delta^{2}\delta^{2}}))\in\mathcal{C}(3P_{\infty})$ and

the dual of $\mathcal{C}(3P_{\infty})$, it follows that

Our scheme works as follows: the user uploads the evaluations $f(P_{i})$ and $g(P_{i})$ to each Server $i$, where $(P_{1},P_{2},P_{3},P_{4})=(P_{1\delta},P_{\delta\delta^{2}},P_{\delta^{2}\delta},P_{\delta^{2}\delta^{2}})$. Then, each Server $i$ computes $-h(P_{i})$, and sends it back to the user. The user can decode $AB$ as follows:

The first equality follows from the fact that $h(P_{1\delta^{2}})=f(P_{1\delta^{2}})\cdot g(P_{1\delta^{2}})=0=f(P_{\delta\delta})\cdot g(P_{\delta\delta})=h(P_{\delta\delta})$ since $g(P_{1\delta^{2}})=g(P_{\delta\delta})=0$. The second equality follows from Equation 4.

Security follows by showing that $I(f(P_{i}),g(P_{i});A,B)=0$, as is done in Lemma 3. As for the communication costs, first, the user uploads $f(P_{i})$ and $g(P_{i})$, which cost $2ab$ and $2bc$, symbols, respectively. Thus, the upload cost is $(2ab+2bc)$ symbols of $\mathbb{F}_{4}$. Then, the user downloads $h(P_{i})$, which costs $ac$ symbols of $\mathbb{F}_{4}$, four times, obtaining a download cost of $4ac$ symbols of $\mathbb{F}_{4}$. Since the user retrieves $AB\in\mathbb{F}_{4}^{a\times c}$, which consists of $2ac$ symbols of $\mathbb{F}_{4}$, the total communication rate is given by $\mathcal{R}=\frac{ac}{4ab+4bc+2ac}$.

We note that the total communication rate of the HerA code is equal to the total communication rate of the DFT code. However, we showcase that the HerA code utilizes a smaller field size avoiding the divisibility constraint required for DFT codes. It raises the theoretical question on the field’s capacity: Is $\mathbb{F}_{4}$ the smallest field to perform the product of matrices $A$ and $B$ given $L=2$ and $T=1$? On the other side, what are the maximum partitioning and security parameters allowed in secure distributed matrix multiplication over $\mathbb{F}_{4}$?

This section presents the general construction for the HerA Scheme. The main idea is to perform the same technique as in Section III that retrieves the product $AB$ using the inner product and encoding matrix $A$ in a Hermitian code while matrix $B$ is encoded in its dual code. Consider the matrices $A\in\mathbb{F}_{q^{2}}^{a\times b}$, $B\in\mathbb{F}_{q^{2}}^{b\times c}$.

We split the proof into lemmas. We show that HerA schemes are decodable in Lemma 2 and $T$-secure, in Lemma 3. These statements combined prove Theorem 1.