SLIDE 1

Introduction Setting Vector Spaces Modules Outlook

Interactive Certificates for Polynomial Matrices with Sub-Linear Communication

Daniel S. Roche

Computer Science Department United States Naval Academy Annapolis, Maryland, U.S.A.

6 March 2019 CUNY/Courant Seminar in Symbolic-Numeric Computing

Dan Roche (USNA) Polynomial Matrix Certificates 6 March 2019 1 / 30

SLIDE 2

Collaborators

David Lucas, U. Grenoble Alpes
Vincent Neiger, U. Limoges
Clément Pernet, U. Grenoble Alpes
Johan Rosenkilde, TU Denmark

SLIDE 3

Traditional Computation

Input: Problem description (e.g., a matrix)
Output: Solution (e.g., its determinant)
Generally assumes:
  • One problem at a time
  • One user
  • One computer

SLIDE 4

Verified Computation

Input: Problem description and a “claimed” solution
Output: Accept or reject
Goals:
  • Be much faster than traditional computation
  • Assume nothing about the possible solution
  • Always accept a correct solution
  • Almost always reject an incorrect solution, even if someone tried very hard to trick you

SLIDE 5

Applications for verified computing

  • High-performance distributed computing: Running large computations on many nodes, failures will occur.
  • Cloud computing: “Client” doesn’t know how the result was computed, but wants to check it.
  • Monte Carlo or heuristic algorithms: Run fast but possibly-erroneous algorithm, then verify the result. Many theoretical runtime bounds are very pessimistic!
  • Smart contracts? Perhaps to ensure some payment for correct results

SLIDE 6

Outline

1 Introduction and Motivation
2 Setting and background
3 Vector space problems (“easy”)
4 Lattice/Module problems (harder)
5 Outlook

SLIDE 8

Two approaches to verification

1 Generic verification
  • Work for any problem in some computational model
  • Prover and Verifier must follow the same algorithm
  • Often based on computational hardness assumptions (crypto)

2 Problem-specific verification
  • Verify the solution to one class of problems
  • Can achieve (much) greater efficiency
  • Usually provide information-theoretic security

SLIDE 9

Generic verification algorithms

[Figure: arithmetic circuit with inputs x1, x2, x3 and gates +, ×, −]

General idea: View computation as an arithmetic circuit, then cryptographically verify circuit execution

Some results:
  • Goldwasser, Kalai, & Rothblum. “Delegating computation: Interactive proofs for muggles”. STOC 2008.
  • Parno, Howell, Gentry, & Raykova. “Pinocchio: Nearly Practical Verifiable Computation”. IEEE Security & Privacy 2013.
  • Thaler, Roberts, Mitzenmacher, & Pfister. “Verifiable Computation with Massively Parallel Interactive Proofs”. USENIX HotCloud 2013.

SLIDE 10

Linear Algebra Verification

Problem-specific methods:
  • Freivalds (1977). Non-interactive, randomized certificate for matrix multiplication
  • Kaltofen, Nehring, Saunders (ISSAC 2011). Generic interactive linear-algebra certificates in $O(n^2)$ time and communication.
  • Dumas, Kaltofen, Thomé, & Villard (ISSAC 2016). Matrix minpoly and determinant, at the cost of matrix-vector product.
  • Dumas, Lucas, Pernet (ISSAC 2017). Rank (profile), LU decomposition, and more, with $O(n)$ communication and $O(n^2)$ verification time.

SLIDE 11

Example verification protocol

Claim: Company had X dollars of revenue last year.

  1. Commitment (Prover → Verifier): $Y_1, \ldots, Y_{12}$
  2. Challenge (Verifier → Prover): $i \in \{1, \ldots, 12\}$
  3. Response (Prover → Verifier): Receipts from month $i$
  4. Check (Verifier): $Y_1 + \cdots + Y_{12} \stackrel{?}{=} X$, and receipts match for month $i$

SLIDE 12

Our Setting

We will develop interactive verification protocols between a Prover and a Verifier, to verify a claim.
  • Public information: The input and output are known to everyone, and do not need to be communicated.
  • Completeness: If the claim is true, the protocol always accepts.
  • Soundness: If the claim is false, the protocol does not accept with probability at least $1 - \epsilon$.
  • Fast Prover: The time for the Prover should be at most the cost to perform the original computation.
  • Faster Verifier: The time for the Verifier should be linear in the size of the public information.
  • Low communication: The amount of data transferred should be as little as possible, less than the size of the public information.

SLIDE 13

Caution: Lies

Our results apply only to polynomial matrices. In this talk I will mostly show integer matrices. THIS IS A LIE — I will try to point out when.

[Figure: a polynomial matrix with entries $2x + 7$, $x^2$, $x + 6$, $8$, $3x^2 + 5$, $4x$, $x^2 + x$, $3x^2 + 1$, shown beside an integer matrix with entries 27, 100, 16, 8, 305, 40, 110, 301]

SLIDE 15

A useful tool

The entries of input matrix $A \in \mathbb{Z}^{n \times n}$ may have large bit-length. Write $d = \log_2 \|A\|_\infty$.

Lemma
For a random prime $p$ with $O(\log d)$ bits, with high probability, $A = B$ if and only if $(A \bmod p) = (B \bmod p)$.

Lemma
For most primes $p$ with more than $O(\log d + \log n)$ bits, $\operatorname{rank}(A \bmod p) = \operatorname{rank} A$.

Proof: Hadamard’s bound on the determinant, plus bounds on the prime counting function.

For this talk, we assume needed primes $p$ are word-size.

SLIDE 16

MatrixMul

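Public: Matrices $A, B, C \in \mathbb{Z}^{n \times n}$
Claim: $AB = C$

Verifier (no Prover messages):
  • $p \leftarrow$ random prime
  • $c \in \mathbb{F}_p^{n \times 1}$ random
  • Check $(A \bmod p)((B \bmod p)c) \stackrel{?}{=} (C \bmod p)c$

Notice: No communication!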

SLIDE 17

MatrixMul analysis

Assume $p$ is word-size and write $d = \max(\log_2 \|A\|_\infty, \log_2 \|B\|_\infty, \log_2 \|C\|_\infty)$
  • Completeness: If $AB = C$, it always succeeds.
  • Soundness: Follows from previous lemma and Freivalds in $\mathbb{F}_p$
  • Communication: none!
  • Verifier: $O(n^2 d)$
  • Prover: no cost!
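The MatrixMul check as runnable Python, added here as an illustration (it is not code from the talk or the paper). The sample matrices, the 20-bit prime size and all function names are assumptions of this sketch; it also shows why the Verifier must pick p at random, since an error that is a multiple of a known p vanishes mod p.

```python
import random

def is_prime(n):
    """Trial division; adequate for the word-size primes the slides assume."""
    if n < 2:
        return False
    return all(n % q for q in range(2, int(n ** 0.5) + 1))

def random_prime(bits=20):
    """Verifier's private choice of p (the bit size is an assumption here)."""
    while True:
        p = random.randrange(1 << (bits - 1), 1 << bits) | 1
        if is_prime(p):
            return p

def matvec_mod(M, x, p):
    """Matrix-vector product over F_p, O(n^2) operations."""
    return [sum(a * b for a, b in zip(row, x)) % p for row in M]

def matmul_check(A, B, C, p, c):
    """One round: accept iff (A mod p)((B mod p) c) == (C mod p) c."""
    return matvec_mod(A, matvec_mod(B, c, p), p) == matvec_mod(C, c, p)

def verify_product(A, B, C, rounds=1):
    """Verifier-only protocol: fresh random p and c per round, no messages."""
    for _ in range(rounds):
        p = random_prime()
        c = [random.randrange(p) for _ in range(len(C[0]))]
        if not matmul_check(A, B, C, p, c):
            return False
    return True

# Constructed sample data (not from the slides).
A = [[2, 7], [1, 8]]
B = [[3, 1], [4, 1]]
C_GOOD = [[34, 9], [35, 9]]          # equals A*B
C_BAD = [[34, 9 + 13], [35, 9]]      # one entry off by exactly 13

if __name__ == "__main__":
    print("correct product accepted:", verify_product(A, B, C_GOOD))
    print("wrong product accepted:  ", verify_product(A, B, C_BAD, rounds=3))
    # Failure mode: with a fixed, predictable p = 13 the error is invisible.
    print("fixed p = 13 accepts bad:", matmul_check(A, B, C_BAD, 13, [5, 6]))
```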

SLIDE 18

Nonsingularity

Public: Matrix $A \in \mathbb{Z}^{n \times n}$
Claim: $A$ is nonsingular

  1. Prover → Verifier: prime $p$
  2. Verifier → Prover: random $c \in \mathbb{F}_p^{n \times 1}$
  3. Prover → Verifier: $w \in \mathbb{F}_p^{n \times 1}$
  4. Verifier checks: $(A \bmod p)w \stackrel{?}{=} c$

SLIDE 23

Nonsingularity example

Public Data

$$A = \begin{pmatrix} 722 & 203 & 77 & 438 \\ 667 & 3 & 861 & 543 \\ 670 & 568 & 424 & 373 \\ 432 & 172 & 356 & 168 \end{pmatrix}$$

Protocol
  • Prover (1): $p = 17$
  • Verifier (2): $c = (6, 16, 13, 4)^T$
  • Prover (3): $w = (15, 1, 10, 4)^T$
  • Verifier (4): check $(A \bmod p)\,w \stackrel{?}{=} c$:

$$\begin{pmatrix} 8 & 16 & 9 & 13 \\ 4 & 3 & 11 & 16 \\ 7 & 7 & 16 & 16 \\ 7 & 2 & 16 & 15 \end{pmatrix} \begin{pmatrix} 15 \\ 1 \\ 10 \\ 4 \end{pmatrix} \stackrel{?}{=} \begin{pmatrix} 6 \\ 16 \\ 13 \\ 4 \end{pmatrix} \bmod 17$$

SLIDE 24

Nonsingularity analysis

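Assume $p$ is word-size and write $d = \log_2 \|A\|_\infty$
  • Completeness: A small $p$ always exists s.t. $\operatorname{rank}(A \bmod p) = \operatorname{rank} A$
  • Soundness: $\operatorname{rank}(A \bmod p) \le \operatorname{rank} A$
  • Communication: $O(n)$
  • Verifier: $O(n^2 d)$
  • Prover: $O(n^\omega d)$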
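The nonsingularity exchange replayed in Python with the example's A, p = 17, c and w. This is an added illustration, not the authors' code; the Gauss-Jordan prover, the function names and the singular matrix S are assumptions of the sketch.

```python
def solve_mod_p(A, c, p):
    """Prover's work: solve (A mod p) w = c by Gauss-Jordan over F_p.
    Returns None when A mod p is singular (this sketch's prover gives up)."""
    n = len(A)
    M = [[a % p for a in row] + [ci % p] for row, ci in zip(A, c)]
    for col in range(n):
        piv = next((r for r in range(col, n) if M[r][col]), None)
        if piv is None:
            return None
        M[col], M[piv] = M[piv], M[col]
        inv = pow(M[col][col], -1, p)          # modular inverse, Python 3.8+
        M[col] = [x * inv % p for x in M[col]]
        for r in range(n):
            if r != col and M[r][col]:
                f = M[r][col]
                M[r] = [(x - f * y) % p for x, y in zip(M[r], M[col])]
    return [row[n] for row in M]

def verifier_accepts(A, p, c, w):
    """Step 4: O(n^2) check that (A mod p) w == c with w's entries in F_p."""
    if w is None or len(w) != len(A) or any(not 0 <= x < p for x in w):
        return False
    lhs = [sum(a * x for a, x in zip(row, w)) % p for row in A]
    return lhs == [x % p for x in c]

# Public matrix, prime and challenge from the slides' example.
A = [[722, 203, 77, 438], [667, 3, 861, 543],
     [670, 568, 424, 373], [432, 172, 356, 168]]
P, C = 17, [6, 16, 13, 4]

# Constructed singular matrix (row 2 = 2 * row 1), not from the slides.
S = [[1, 2], [2, 4]]

if __name__ == "__main__":
    w = solve_mod_p(A, C, P)
    print("prover's w:", w, "accepted:", verifier_accepts(A, P, C, w))
    # For singular S the challenge [1, 0] has no valid response at all.
    print("response for S:", solve_mod_p(S, [1, 0], P))
```

Because rank(A mod p) ≤ rank A, a singular A stays singular for every prime the Prover might pick, so a random challenge c lies outside the image of A mod p except with small probability.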

SLIDE 25

More in the paper!

  • SystemSolve: Verifier chooses p, then check product mod p.
  • Singularity: Verifier chooses p, Prover provides null vector mod p
  • RankLowerBound: Verifier provides full-rank submatrix, then verify NonSingularity
  • RankUpperBound: Verifier chooses p and challenge c, Prover responds with sparse w whose image is the same as c.
  • Rank: Just do RankLowerBound and RankUpperBound.
  • Determinant: Verifier chooses p, then verify determinant mod p.

SLIDE 26

Flawed Protocol for Row Space Membership

Public: Vector $v \in \mathbb{Z}^{1 \times n}$, matrix $A \in \mathbb{Z}^{m \times n}$
Claim: $v$ is in the $\mathbb{Z}$-RowSpan of $A$

  1. Verifier → Prover: prime $p$
  2. Prover → Verifier: $w \in \mathbb{F}_p^{1 \times m}$
  3. Verifier checks: $w(A \bmod p) \stackrel{?}{=} (v \bmod p)$

SLIDE 28

Problem with the flawed protocol

Checking mod $p$ only ensures rational RowSpace membership, not integer RowSpace membership.

$\mathrm{RowSp}_{\mathbb{Z}}(A)$ is a module, not a vector space!

Solution: Make Prover commit (a projection of) $vA^{-1}$ before sending the prime $p$.

SLIDE 29

Full-Rank Row Space Membership

Public: Vector $v \in \mathbb{Z}^{1 \times n}$, matrix $A \in \mathbb{Z}^{m \times n}$
Claim: $v$ is in the $\mathbb{Z}$-RowSpan of $A$ and $\operatorname{rank} A = m$

  1. Verifier → Prover: random $c \in \mathbb{Z}^{m \times 1}$
  2. Prover → Verifier: $g \in \mathbb{Z}$
  3. Verifier → Prover: prime $p$
  4. Prover → Verifier: $w \in \mathbb{F}_p^{1 \times m}$
  5. Verifier checks: $w(A \bmod p) \stackrel{?}{=} (v \bmod p)$ and $w \cdot c \stackrel{?}{=} g \bmod p$

SLIDE 35

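Public Data

$$v = \begin{pmatrix} -355 & 855 & 224 & -222 \end{pmatrix}, \quad A = \begin{pmatrix} 893 & 65 & 116 & 508 \\ 538 & 920 & 340 & 286 \\ 55 & 826 & 670 & 609 \end{pmatrix}$$

Protocol
  • Verifier (1): $c = (4, -9, -3)^T$
  • Prover (2): $g = -13$
  • Verifier (3): $p = 13$
  • Prover (4): $w = \begin{pmatrix} 12 & 1 & 0 \end{pmatrix}$
  • Verifier (5): check $w(A \bmod p) \stackrel{?}{=} (v \bmod p)$:

$$\begin{pmatrix} 12 & 1 & 0 \end{pmatrix} \begin{pmatrix} 9 & 0 & 12 & 1 \\ 5 & 10 & 2 & 0 \\ 3 & 7 & 7 & 11 \end{pmatrix} \stackrel{?}{=} \begin{pmatrix} 9 & 10 & 3 & 12 \end{pmatrix}$$

  • Verifier (5): check $w \cdot c \stackrel{?}{=} g \bmod p$:

$$\begin{pmatrix} 12 & 1 & 0 \end{pmatrix} \begin{pmatrix} 4 \\ -9 \\ -3 \end{pmatrix} \stackrel{?}{=} -13 \bmod 13$$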

SLIDE 36

Full row rank RowSpace membership analysis

Assume $p$ is word-size and write $d = \max(\log_2 \|v\|_\infty, \log_2 \|A\|_\infty)$
  • Completeness: If claim is true, then $u = vA^{-1}$ is integral. Sending $g = u \cdot c$ satisfies the protocol.
  • Communication: $O(md)$
  • Verifier: $O(mnd)$
  • Prover: $O(nm^{\omega-1}d)$

SLIDE 37

Soundness proof sketch

Claim: $v$ is in the $\mathbb{Z}$-RowSpan of $A$
Check 1: $w(A \bmod p) \stackrel{?}{=} (v \bmod p)$
Check 2: $w \cdot c \stackrel{?}{=} g \bmod p$

To prove soundness, we assume the claim is false.

Case 1: $v$ is not in the rational RowSpan
Then it’s a vector space problem; Check 1 will likely fail.

Case 2: $v$ is in the rational RowSpan but not integer RowSpan
Then $u = vA^{-1}$ is unique and truly rational, and the Prover must send $w = (u \bmod p)$. W.h.p., $u \cdot c$ is also truly rational, so $w \cdot c = (u \cdot c \bmod p)$ is not integral for most primes $p$. Because $g$ is an integer, Check 2 fails.
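An added Python illustration (not from the talk or the paper) of why g must be committed before p is revealed: it replays the slides' transcript for the full-rank protocol, then runs a constructed false claim through both the flawed single check and the two-check version. A2, V2, U2, the prime list and all function names are assumptions of this sketch.

```python
from fractions import Fraction

def vecmat_mod(w, A, p):
    """Row vector times matrix over F_p."""
    cols = range(len(A[0]))
    return [sum(wi * row[j] for wi, row in zip(w, A)) % p for j in cols]

def reduce_mod(u, p):
    """Prover's w = (u mod p); p must be coprime to every denominator in u."""
    return [x.numerator * pow(x.denominator, -1, p) % p for x in u]

def flawed_accepts(A, v, p, w):
    """Flawed protocol: the only check is w (A mod p) == (v mod p)."""
    return vecmat_mod(w, A, p) == [x % p for x in v]

def fixed_accepts(A, v, c, g, p, w):
    """Full-rank protocol: g was committed before p was revealed.
    Check 1 as above, Check 2: w . c == g (mod p)."""
    check2 = sum(wi * ci for wi, ci in zip(w, c)) % p == g % p
    return flawed_accepts(A, v, p, w) and check2

# Transcript from the slides (here u = v A^{-1} = (-1, 1, 0) is integral).
A = [[893, 65, 116, 508], [538, 920, 340, 286], [55, 826, 670, 609]]
V = [-355, 855, 224, -222]
C, G, P, W = [4, -9, -3], -13, 13, [12, 1, 0]

# Constructed false claim: V2 = (1/2) * row 1 of A2 lies in the rational
# row span of A2 but not in the integer one. A2 has full rank mod odd primes.
A2 = [[2, 4, 6], [0, 1, 1]]
V2 = [1, 2, 3]
U2 = [Fraction(1, 2), Fraction(0)]
PRIMES = [3, 5, 7, 11, 13, 17, 19, 23, 29, 31]

def acceptance_counts(c, g):
    """Number of primes accepting the false claim under each protocol when
    the prover answers w = (U2 mod p) after committing the integer g."""
    flawed = sum(flawed_accepts(A2, V2, p, reduce_mod(U2, p)) for p in PRIMES)
    fixed = sum(fixed_accepts(A2, V2, c, g, p, reduce_mod(U2, p))
                for p in PRIMES)
    return flawed, fixed

if __name__ == "__main__":
    print("slides' transcript accepted:", fixed_accepts(A, V, C, G, P, W))
    # Best guess g = 5 for c = (3, 5) survives only the prime dividing 2g - 3.
    print("(flawed, fixed) acceptances:", acceptance_counts([3, 5], 5))
```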

SLIDE 38

Even more in the paper!

  • RowSpaceMembership for any rank: Take $O(\log n)$ Toeplitz left projections $CA$. The gcd of denominators of $v(CA)^{-1}$ is 1 w.h.p.
  • RowSpaceSubset: Vector projection followed by RowSpaceMembership test
  • RowBasis: Check RankLowerBound and then verify RowSpaceEquality.
  • HermiteForm, PopovForm: Checks degree conditions, then run RowSpaceEquality
  • Saturated: Check RowSpaceSubset with Identity matrix
  • SaturationBasis: Check RankLowerBound, RowSpaceSubset, and Saturated
  • KernelBasis: Check ranks, product is zero using MatMul, and check basis is Saturated.

SLIDE 39

Verification helps us get along!

INF Treaty, 1987: “Trust, but verify”
JCPOA, 2015: “Not built on trust, but verification”

SLIDE 40

What we can do

Verify most vector-space and many module operations using interactive protocols with:
  • Communication complexity equivalent to one row/column of A
  • Verifier complexity (soft)-linear in the public data
  • Prover complexity equal to the cost of computing the result

Our algorithms work for univariate polynomials with coefficients in a (sufficiently large) field.

Check it out on https://arxiv.org/abs/1807.01272
Co-authors: David Lucas, Vincent Neiger, Clément Pernet, Johan Rosenkilde

SLIDE 41

What we cannot do (yet)

  • Extend these results to integers and Euclidean lattices
  • Remove the extra log factors in RowSpace membership testing
  • Other polynomial problems: Matrix inverse, Hermite-Padé approximation, Smith form
  • Go further and correct errors. Recently done for field matrix multiplication and LU, see (R., ISSAC 2018) and (Dumas, van der Hoeven, Pernet, and R., 2019)

SLIDE 42

Thank you!