Prover Efficient Public Verification of Dense or Sparse/Structured Matrix-Vector Multiplication

Abstract

With the emergence of cloud computing services, computationally weak devices (Clients) can delegate expensive tasks to more powerful entities (Servers). This raises the question of verifying a result at a lower cost than that of recomputing it. This verification can be private, between the Client and the Server, or public, when the result can be verified by any third party. We here present protocols for the verification of matrix-vector multiplications, that are secure against malicious Servers. The obtained algorithms are essentially optimal in the amortized model: the overhead for the Server is limited to a very small constant factor, even in the sparse or structured matrix case; and the computational time for the public Verifier is linear in the dimension. Our protocols combine probabilistic checks and cryptographic operations, but minimize the latter to preserve practical efficiency. Therefore our protocols are overall more than two orders of magnitude faster than existing ones.

This work is partly funded by the OpenDreamKit Horizon 2020 European Research Infrastructures project (#676541).

A    Small Fields

The protocol of Fig. 1 is quite efficient. We have made experiments with randomly generated dense matrices and vectors with the PBC library (see Footnote 1) for the pairings and the FFLAS-FFPACK library (see Footnote 2) for the exact linear algebra over finite fields. For instance, it is shown in Table 4, that for a \(8000 \times 8000\) matrix over a field of size 256 bits, the protocol is highly practical: first, if the base field and the group orders are of similar sizes, the verification phase is very efficient; second, the overhead of computing \(\zeta \) for the server is quite negligible and third, the key generation is dominated by the computation of one matrix-vector product.

Table 4. Verification of a \(8000 \times 8000\) matrix-vector multiplication with different field sizes via the protocol in Fig. 1 on a single core @3.4 GHz.

Differently, if the base field is small, say machine word-size, then having to use cryptographic sizes for the group orders can be penalizing for the Key Generation: multiplying a small field matrix A with a large field vector \(u^T\) is much slower than \(y=Ax\) with x and A small. First of all, the computations must be compatible. For this, one possibility is to ask and verify instead for \(y=Ax\) over \(\mathbb {Z}\) and then to let the Verifier compute \(y\mod p\) for himself. There, to reduce the overhead of computing \(u^TA\), one can instead select the m values of the vector u as \(u_\ell =\alpha r_i s_j\) with \(\ell =i\lceil \sqrt{m}\rceil {}+j\) for \(\alpha \) a randomly chosen large value and \(r_i,s_j\) some randomly chosen small values. Indeed then \(u^T A\) can be computed by first performing \((r s^T)A\) via \({\mathcal O}\left( \sqrt{m}\right) \) matrix-vector computations with s (or a \(\sqrt{m}{\times }n\sqrt{m}\) matrix-vector multiplication) followed by \({\mathcal O}\left( n\sqrt{m}\right) \) multiplications by r (or a \(n{\times }\sqrt{m}\) matrix-vector multiplication) where \(s_j\) and \(r_i\) are small values. Then it remains only to multiply a vector of small values by \(\alpha \). We have traded \({\mathcal O}\left( mn\right) \) operations with large values for \({\mathcal O}\left( \sqrt{m}n\sqrt{m}+n\sqrt{m}\right) \) operations with small values and \({\mathcal O}\left( n\right) \) with large values.

Fig. 7.

Trustee-helped Verification of a dense matrix-vector product in a 10-bits finite field on a single core @3.4 GHz.

Now, in order for the values to remain correct over \(\mathbb {Z}\), the value of \((u^TA+t^T)x\) must not overflow. For this, one must choose a group order larger than \(mnp^4\) (for \((r s^T)Ax\)). Now the security is not anymore half the size of the group order but potentially half the size of the set from which \(t^T\) is selected, that is at most the group order size minus that of np (for \(t^Tx\)). To be conservative we even propose, as an estimated security of the obtained protocol, to consider only half the size of \(\alpha \) (that is the size of the group order minus that of \(mnp^4\)). In terms of efficiency, the improvement is shown in Table 4, last row. On the one hand, the key generation is now dominant and can be amortized only after about 10 matrix-vector multiplications. On the other hand, the verification time starts to be faster than the computation time. This is also shown in Fig. 7 where the equivalent of the last row in Table 4 is shown for different matrix dimensions.