Secure Outsourced Matrix Multiplication with Fully Homomorphic Encryption

Abstract

Fully Homomorphic Encryption (FHE) is a powerful cryptographic tool that enables the handling of sensitive encrypted data in untrusted computing environments. This capability allows for the outsourcing of computational tasks, effectively addressing security and privacy concerns. This paper studies the secure matrix multiplication problem, a fundamental operation used in various outsourced computing applications such as statistical analysis and machine learning. We propose a novel method to solve the secure matrix multiplication \(A_{m\times l}\times B_{l\times n}\) with arbitrary dimensions, which requires only O(l) rotations and \(\min (m,l,n)\) homomorphic multiplications. In comparison to the state-of-the-art method [14], our approach stands out by achieving a remarkable reduction in the number of rotations by a factor of \(O(\log \max (l,n))\), as well as a reduction in the number of homomorphic multiplications by a factor of \(O(l/\min (m,l,n))\). We implemented [14, 21], and our method using the BGV scheme supported by the HElib library. Experimental results show that our scheme has the best performance for matrix multiplication of any dimension. For example, for \(A_{16\times 128}\times B_{128\times 4}=C_{16\times 4}\), the runtime of our method is 32 s, while both [14, 21] take 569 seconds.

A Appendix

1.1 A.1 Practical Implementation Issues and Solutions

Choosing the good dimensions in the hypercube can minimize the overhead of a Rotation1D. Therefore, for performance reasons, the implementation always prioritizes the hypercube with good dimensions. However, to meet this requirement, the actual hypercube size chosen is usually larger than the expected minimum size. For example, when using Algorithm 2 to calculate a \(3\times 3\) square matrix multiplication, the expected hypercube size is \(3\times 3\), while the actual size that fulfills the requirement is \(3\times 4\) (refer to the first matrix in Fig. 5a). Calling RotateAlign directly becomes incorrect due to the presence of redundant columns. By observing the terminal error state(i.e., the second matrix in Fig. 5a), it becomes apparent that the correction can be performed in a single step, utilizing 2 CMult, 1 Rotate1D, and 1 Add(see the changes brought by the first arrow in Fig. 5b). Subsequent operations of Rotate1D can also be corrected by employing an additional CMult and Add, as illustrated in Fig. 5b. These corrections only introduce a few constant operations.

Fig. 5.

An overview of the error in raw RotateAlign and the modified algorithms addressing the issue in subsequent steps.

One alternative is to expand the dimensions of the hypercube, although this may not always be feasible. Specifically, we can set the expected value of \(m_1\) to \(3m^*_1-2\)(\(m^*_1\) denotes the minimum number of columns required in the aforementioned algorithm), thereby ensuring the correctness of all subsequent steps without requiring the correction steps shown in Fig. 5b. Figure 6 depicts the state of the extended version after performing a raw RotateAlign. All the columns required for subsequent steps have been prepared. This extension may seem to degrade performance due to an increase in M. However, the constraints of k, \(m_0\), and \(m_1\) as mentioned in Sect. 4.1, allow for generating similar values of M when the expected size is selected as \((m^*_0, 3m^*_1-2)\) or \((m^*_0, m^*_1)\). More details and suggestions for leveraging the extended version can be found in Appendix A.2.

Fig. 6.

Modified algorithm in the extended version.

1.2 A.2 Speedup of Extended and Non-extended Versions

In practical implementations, a minimum value for M is typically set to meet security requirements. This leads to selecting p of ord(p) is large when the matrix dimension is small. When ord\((p)\ge 3\), switching to an extended version provides the opportunity to fully utilize the potential of generating a larger hypercube structure with a large M, thereby achieving a certain degree of performance improvement. The performance comparison results and parameter sets \(\mathcal {P}_1\) and \(\mathcal {P}_2\) for the two scenarios are shown in Table 6. The extended version achieved \(3.1\times \) speedup compared to [21] when the dimension is 64. The slight improvement over the non-extended version indicates that the correction steps have a limited impact. Considering the potential performance improvement, it is applicable in real-world applications to generate parameters using two different expected hypercube sizes: \((m^*_0, m^*_1)\) and \((m^*_0, 3m^*_1 - 2)\). If the value of M generated by the extended version parameter setting is similar to that of the non-extended version, the extended version can offer performance benefits.

Table 6. Performance(seconds) of homomorphic square matrix multiplication and speedup \(\mathcal {S}\)( [21] and non-extended version vs. extended version). The parameter sets \(\mathcal {P}_1\) and \(\mathcal {P}_2\) correspond to \((m_0, m_1, \text {ord}(p))\) and M for the non-extended and extended versions, respectively.

1.3 A.3 Noise Testing and Analysis

The experiments originally aimed to test larger matrix dimensions, such as a hypercube size exceeding \(256\times 256\). However, when maintaining the aforementioned parameter settings, [21] encountered decryption failures due to excessive noise. Consequently, we examined how the noise varied with the increase in matrix dimensions for different methods. In HElib, the logarithm of the ratio of the modulus to the noise bound is referred to as capacity. Here, we use noise to represent the difference between the initial capacity and the remaining capacity. The breakdown of the initial capacity is illustrated in Fig. 7, with the shaded part representing the noise generated by evaluation and the light part representing the remaining capacity. While [11] asserts that Rot introduces less noise than Mult and CMult, the depth of Rot also significantly contributes to noise growth, particularly in the case of the prominently dominant Rot illustrated in Fig. 3. Compared to [21], our method increases Add but heavily decreases Rot, resulting in slower growth of noise with increasing matrix dimension.

Fig. 7.

Noise generation volume. The bottom (shaded) part represents generated noise, while the top (light) part represents the remaining capacity.