Secure distributed matrix multiplication (SDMM) was first introduced by Chang and Tandon [1] as a way to utilize a distributed system to compute the product of two matrices without revealing information about the matrices to the workers. Large scale matrix multiplication is a key part of many computationally heavy algorithms and methods in machine learning, data science, signal processing, medical imaging, and natural language processing [2], [3]. SDMM can be used to outsource these computations when the privacy of the data in the matrices is vital. Several schemes have been introduced, including those in [4], [5], [6], and [7] and more recently in [8], [9], [10], [11], [12], and [13]. Many of the schemes presented in the literature follow a similar structure, where the encoding is done with linear codes. A general framework, titled linear SDMM, was introduced in [14]. There, the codes that are used in the encoding, as well as their star product, are studied to give some fundamental bounds on such schemes.
An important class in linear codes are algebraic geometry (AG) codes, which are constructed from projective smooth irreducible algebraic curves, or equivalently, algebraic function fields. The first construction was introduced by Goppa [15] as a generalization of Reed-Solomon codes by considering Riemann-Roch spaces instead of spaces of bounded degree polynomials. Since then, these codes have been shown to have nice coding-theoretic properties derived from the structure of algebraic function fields. The asymptotic Gilbert-Varshamov bound states that there exists a family of codes with a certain rate and given relative minimum distance, and for decades this was the best known lower bound on achievable code rates [16]. In [17], Tsfasman et al. were able to give a construction of AG codes that exceeds the asymptotic Gilbert-Varshamov bound, which has accelerated the study of AG codes.
For an AG code construction, one can work with a basis of a Riemann-Roch space to provide a generator matrix of the code. However, computing an explicit basis of a Riemann-Roch space is difficult in general [18]. Correspondingly, a similar difficulty can also be observed in the determination of Weierstrass semigroups, which can be used to retrieve some information about the bases of Riemann-Roch spaces of specific divisors [19], [20]. In this paper, we consider the Weierstrass semigroups to choose bases for subspaces of a Riemann-Roch space.
The theory of AG codes has also been used for applications such as locally recoverable codes (LRCs) and code-based cryptography. For instance, the importance of AG codes for LRCs was shown in [21] as a generalization of the case where Reed-Solomon (RS) codes were used in [22]. Another well-known application of AG codes was considered by McEliece in [23] where a public key cryptosystem based on Goppa codes was introduced. See [24], [25] for surveys on the applications of AG codes.
A. Contributions and Related Work
In this paper, we utilize AG codes to construct a linear SDMM scheme, called the PoleGap SDMM scheme, that outperforms the state-of-the-art schemes in terms of the download rate for some parameter choices. Our construction utilizes a similar strategy as the Gap Additive Secure Polynomial (GASP) scheme, introduced in [4] and [5], where the “gaps” in a certain polynomial are utilized to decrease the download cost. Such polynomials are designed using the help of a degree table. Similarly, we utilize the gaps in a Weierstrass semigroup of an algebraic function field, yielding a pole number table. The response code of our construction will be an AG code, which means that suitable error correction algorithms from the literature can be utilized to provide robustness against Byzantine workers. This is in contrast to previous outer product partitioning schemes, where the response codes have not had similar structure.
There have been some generalizations to the schemes based on polynomial encoding, including those in [9], but to the best of our knowledge, this paper is the first to explicitly utilize AG codes in SDMM. However, our work was soon followed by [26], where an inner product partitioning scheme is constructed by utilizing Hermitian codes, with the aim of reducing the field size. Their work differs from ours in that they consider a different matrix partitioning as well as utilizing a field extension. The reason for restricting ourselves to function fields that do not require extension fields is explained in Remark 2. Recently, algebraic geometry codes have also been considered in distributed matrix multiplication without the security aspect in [27], [28], and [29].
B. Organization
The structure of our paper is as follows. In Section II we recall necessary background from AG codes and linear SDMM. In Section III we introduce how to use AG codes in SDMM by introducing the pole number table. In Section IV we present our construction of the PoleGap scheme based on hyperelliptic function fields. Finally, in Section V we compare our construction to some schemes from the literature. For the interested reader, we have also included a generalization of our construction using Kummer extensions of the rational function field in the Appendix.
Let $\mathbb{F}_{q}$ denote the finite field with q elements, $\mathbb{F}_{q}^{\times}$ the group of units in $\mathbb{F}_{q}$, $\mathbb{N}_{0} = \{0, 1, 2, \dots\}$ and $[n] = \{1, 2, \dots, n\}$. In this section, we present necessary background on algebraic function fields and AG codes by mainly following [30].
A. Algebraic Function Fields
Let $\mathbb{F}_{q}[x]$ denote the polynomial ring in one variable over the finite field $\mathbb{F}_{q}$. Recall that we define $\mathbb{F}_{q}(x)$ as the field of fractions of $\mathbb{F}_{q}[x]$. That is,
\begin{equation*} \mathbb{F}_{q}(x) := \left\{ \frac{f(x)}{g(x)} \colon f(x), g(x) \in \mathbb{F}_{q}[x] \text{ with } g(x) \neq 0 \right\}, \end{equation*}
which is called the rational function field over $\mathbb{F}_{q}$. One can easily see that $\mathbb{F}_{q}(x)$ is indeed a field and an infinite transcendental extension over $\mathbb{F}_{q}$.
A field F is said to be a function field over $\mathbb{F}_{q}$, denoted by $F/\mathbb{F}_{q}$, if it is a finite extension of $\mathbb{F}_{q}(x)$. We often consider simple algebraic extensions of $\mathbb{F}_{q}(x)$, which are generated by an irreducible polynomial, i.e., $F = \mathbb{F}_{q}(x,y)$, where $y \in F$ is a root of some irreducible polynomial $\varphi(T) \in \mathbb{F}_{q}(x)[T]$.
It is well-known that such extensions, like in number theory or algebraic geometry, are studied in terms of certain local components. In this paper, we use the standard definitions and notations as in [30]. Briefly, let P be a place in the set of places, denoted by $\mathbb{P}_{F}$, in a function field $F/\mathbb{F}_{q}$. Recall that P is called a rational place if $\deg(P) := [F_{P} : \mathbb{F}_{q}] = 1$, where $F_{P}$ is the residue class field of P. We denote the set of rational places by $\mathbb{P}_{F}^{1}$. For a given place P, $v_{P}$ denotes the corresponding discrete valuation map. For a function $f \in F$ and place $P \in \mathbb{P}_{F}$, we say P is a zero (resp., pole) of f if $v_{P}(f) > 0$ (resp., $v_{P}(f) < 0$). Here, let us note that the discrete valuation map $v_{P}$ measures the multiplicity of a zero or a pole of the function f at $P \in \mathbb{P}_{F}$. The places of the function field $F/\mathbb{F}_{q}$ and $\mathbb{F}_{q}(x)/\mathbb{F}_{q}$ are related in the following way. Each place $P' \in \mathbb{P}_{F}$ contains a unique place $P \in \mathbb{P}_{\mathbb{F}_{q}(x)}$ and there are at most $[F : \mathbb{F}_{q}(x)]$ places $P' \in \mathbb{P}_{F}$ containing $P \in \mathbb{P}_{\mathbb{F}_{q}(x)}$ by [30, Theorem 3.1.11].
A divisor is defined as a formal sum of places and represented by $G := \sum_{P \in \mathbb{P}_{F}} n_{P} P$ with finitely many nonzero integers $n_{P}$. The support of G is the set of places with nonzero coefficients, i.e., $\operatorname{supp}(G) := \{P \in \mathbb{P}_{F} \colon n_{P} \neq 0\}$. Also, we define the degree of a divisor as $\deg(G) := \sum_{P \in \mathbb{P}_{F}} n_{P} \deg(P)$. We denote the divisor group of F, i.e., the set containing all divisors, by $\operatorname{Div}(F)$. Since every function in F has finitely many zeros and poles, we can introduce the zero and pole divisors of a function $f \in F$ by $(f)_{0} := \sum_{v_{P}(f) > 0} v_{P}(f) P$ and $(f)_{\infty} := -\sum_{v_{P}(f) < 0} v_{P}(f) P$, respectively. The principal divisor of $f \in F$ is then $(f) := (f)_{0} - (f)_{\infty}$.
Recall that a Riemann-Roch space of a divisor $G \in \operatorname{Div}(F)$ is defined as
\begin{equation*} \mathcal{L}(G) := \{f \in F \colon (f) + G \geq 0\} \cup \{0\}. \end{equation*}
This set is a finite-dimensional vector space over $\mathbb{F}_{q}$, whose dimension is denoted by $\ell(G)$. However, computing the dimension or giving an explicit basis is difficult and leads to the definition of the genus of a function field. Let us also recall that if $\deg(G) < 0$, then $\ell(G) = 0$. If $F/\mathbb{F}_{q}$ is a function field of genus g and $G \in \operatorname{Div}(F)$ with $\deg(G) \geq 2g - 1$, then $\ell(G) = \deg(G) + 1 - g$ by the famous Riemann-Roch theorem.
In this paper we are interested in the Riemann-Roch spaces of divisors of the form $G = kP$ for some rational place P. Such Riemann-Roch spaces can be studied using the Weierstrass semigroup $W(P)$. For a given place $P \in \mathbb{P}_{F}$, we define
\begin{equation*} W(P) := \{n \geq 0 \mid \exists f \in F \colon (f)_{\infty} = nP\}. \end{equation*}
The elements in $W(P)$ are said to be pole numbers of P, while the elements in $\mathbb{N}_{0} \setminus W(P)$ are called gaps. It is easy to see that $W(P)$ is a semigroup under addition. The following theorem provides partial information on the structure of the Weierstrass semigroup.
Let $F/\mathbb {F}_{q}$
be a function field of genus g and $P \in \mathbb {P} _{F}^{1}$
. Then $W(P) = \mathbb {N}_{0} \setminus \mathcal {G}$
, where $\lvert \mathcal {G} \rvert = g$
. Furthermore, if $g \gt 0$
, then $\mathcal {G} = \{i_{1}, {\dots }, i_{g}\}$
with\begin{equation*} 1 = i_{1} \lt i_{2} \lt {\dots }\lt i_{g} \leq 2g - 1.\end{equation*}
View Source
\begin{equation*} 1 = i_{1} \lt i_{2} \lt {\dots }\lt i_{g} \leq 2g - 1.\end{equation*}
B. Hyperelliptic Function Fields
In this section we consider hyperelliptic function fields. As a summary, we state the following theorem about the structures needed in Section III.
Theorem 2:
Let $\mathbb{F}_{q}$ be a field with odd characteristic. Let $F = \mathbb{F}_{q}(x, y)$ with $y^{2} = \prod_{i=1}^{d} (x - \alpha_{i})$, where $\alpha_{1}, \dots, \alpha_{d} \in \mathbb{F}_{q}$ are distinct and $d \geq 3$ is odd. Then, the following items hold.
1) The function field $F/\mathbb{F}_{q}$ has genus $g = \frac{d - 1}{2}$.
2) We have $(x)_{\infty} = 2P_{\infty}$ and $(y)_{\infty} = dP_{\infty}$, where $P_{\infty}$ is the unique place at infinity.
The above theorem follows from [30, Proposition 6.3.1] and the computation of the pole numbers follows from [31, Proposition 13.2]. Function fields given by Theorem 2 with genus $g = 1$ are known as elliptic function fields while those with genus $g \geq 2$ are known as hyperelliptic function fields. A similar construction can be made for fields of characteristic two. In this case, the function field is defined by $y^{2} + r(x)y = s(x)$, where $\deg(r(x)) \leq g$, $\deg(s(x)) = 2g + 1$, and the curve defined by this equation is nonsingular.
For these types of extensions, the following theorem describes the Weierstrass semigroup of $P_{\infty} \in \mathbb{P}_{F}$.
Theorem 3:
Let $F/\mathbb{F}_{q}$ be a function field described in Theorem 2. Then the Weierstrass semigroup of $P_{\infty}$ is an additive semigroup generated by 2 and d.
The Weierstrass semigroup of $P_{\infty}$ can be written explicitly as $W(P_{\infty}) = \mathbb{N}_{0} \setminus \{1, 3, \dots, 2g - 1\}$ for $g > 1$ and $W(P_{\infty}) = \mathbb{N}_{0} \setminus \{1\}$ for $g = 1$ using Theorem 3. We can easily construct a function f with pole divisor $nP_{\infty}$ for $n \in W(P_{\infty})$ by taking $f = x^{i}y^{j}$ with $2i + dj = n$, where $j = 0$ if n is even and $j = 1$ if n is odd.
Finally, in our construction we need an estimate for the number of rational places $N := \lvert \mathbb{P}_{F}^{1} \rvert$. Clearly, in the rational function field $\mathbb{F}_{q}(x)$ there are exactly $q + 1$ rational places. In general, it is difficult to determine N in $F/\mathbb{F}_{q}$. Here we consider the estimate
\begin{equation*} \lvert N - (q + 1) \rvert \leq 2g\sqrt{q}, \end{equation*}
which is known as the Hasse-Weil bound.
C. Algebraic Geometry Codes
A linear code $\mathcal{C}$ over a finite field $\mathbb{F}_{q}$ is defined as a k-dimensional subspace of $\mathbb{F}_{q}^{n}$ endowed with the Hamming metric. Such a code is denoted by its parameters $[n, k, d]_{q}$, where d is the minimum distance of the code, i.e., the minimal number of nonzero coordinates in a nonzero codeword. These parameters are related through the well-known Singleton bound $k + d \leq n + 1$. Codes that achieve this bound with equality are called maximum distance separable (MDS).
Example 1 (Reed-Solomon Codes):
Let $\mathbb{F}_{q}[x]^{<k} := \{f \in \mathbb{F}_{q}[x] \mid \deg(f) < k\}$ be the set of polynomials of degree at most $k - 1$ in $\mathbb{F}_{q}[x]$, where $0 \leq k \leq n$. Consider n distinct elements $\alpha = \{\alpha_{1}, \dots, \alpha_{n}\}$ in $\mathbb{F}_{q}$. The evaluation map $\mathrm{ev}_{\alpha} \colon \mathbb{F}_{q}[x]^{<k} \to \mathbb{F}_{q}^{n}$ defined by
\begin{equation*} f \mapsto (f(\alpha_{1}), \dots, f(\alpha_{n})) \end{equation*}
is an $\mathbb{F}_{q}$-linear map with $\ker(\mathrm{ev}_{\alpha}) = \{0\}$. Then
\begin{equation*} \mathrm{RS}_{k}(\alpha) := \mathrm{ev}_{\alpha}(\mathbb{F}_{q}[x]^{<k}) \end{equation*}
is an $[n, k, d]_{q}$ linear code and is called a Reed-Solomon (RS) code. It is well-known that RS codes are MDS, i.e., their minimum distance is $d = n - k + 1$.
One of the breakthrough generalizations of Reed-Solomon constructions was given by Goppa in the 1970s [15]. Like in the case of RS codes, it can be easily observed that the parameters and properties of such constructions can be determined and studied by the notions in algebraic function fields. More explicitly, we first fix an algebraic function field $F/\mathbb{F}_{q}$. To define a linear map, we consider a Riemann-Roch space $\mathcal{L}(G)$ of a divisor $G \in \operatorname{Div}(F)$ as the domain vector space and n distinct rational places $\mathcal{P} = \{P_{1}, \dots, P_{n}\}$ that are not in the support of G. Then a linear map can be defined by evaluating functions $f \in \mathcal{L}(G)$ at the given places. Indeed, the map $\mathrm{ev}_{\mathcal{P}} \colon \mathcal{L}(G) \to \mathbb{F}_{q}^{n}$ defined by
\begin{equation*} f \mapsto (f(P_{1}), \dots, f(P_{n})) \end{equation*}
is well-defined as the $P_{i}$’s are not in the support of G. We define an algebraic geometry (AG) code as the image of such an evaluation map, i.e., $\mathcal{C}_{\mathcal{L}}(\mathcal{P}, G) = \mathrm{ev}_{\mathcal{P}}(\mathcal{L}(G))$. Furthermore, we note that the evaluation map is $\mathbb{F}_{q}$-linear with kernel $\mathcal{L}(G - D)$, where $D := P_{1} + P_{2} + \dots + P_{n}$ is a divisor of degree n. By this setting, we are ready to present the parameters of an AG code as follows.
Theorem 4 ([30]):
$\mathcal{C}_{\mathcal{L}}(\mathcal{P}, G)$ is an $[n, k, d]_{q}$ linear code with
\begin{equation*} k = \ell(G) - \ell(G - D) \quad \text{and} \quad d \geq n - \deg(G). \end{equation*}
We can easily observe that if $\deg(G) < n$, then $\deg(G - D) < 0$, so the Riemann-Roch space $\mathcal{L}(G - D)$ is the trivial space and the dimension of the AG code is exactly $\ell(G)$. The following example shows how RS codes can be seen as a special case of AG codes.
Example 2 (RS Codes as AG Codes):
Let us consider the rational function field $F = \mathbb{F}_{q}(x)$ and the pole $P_{\infty}$ of $x \in F$. For any nonnegative integer $k \leq n$, we know that $\mathcal{L}((k-1)P_{\infty}) = \mathbb{F}_{q}[x]^{<k}$. Now as $n \leq q$, we can consider n distinct rational places $\mathcal{P} = \{P_{x - \alpha_{1}}, \dots, P_{x - \alpha_{n}}\}$ in $\mathbb{P}_{F}^{1}$ to denote points $\alpha_{1}, \dots, \alpha_{n}$ in $\mathbb{F}_{q}$. Then the evaluation map yields an RS code, $\mathcal{C}_{\mathcal{L}}(\mathcal{P}, (k - 1)P_{\infty})$, with parameters $[n, k]_{q}$. Note that the length n and the dimension k are the number of the rational places $P_{x - \alpha_{i}} \in \mathcal{P}$ and the dimension of the Riemann-Roch space $\mathcal{L}((k - 1)P_{\infty})$, respectively.
In this paper, we are interested in one-point AG codes, which are codes coming from $\mathcal{L}(kP)$ with a rational place P in a function field $F/\mathbb{F}_{q}$. Note that the RS codes presented in Example 2 are a special case of one-point AG codes.
Finally, we observe how the function field structure provides more information on the star product of AG codes by following [24]. To this end, recall that the star product of two linear codes $\mathcal{C}, \mathcal{D} \subseteq \mathbb{F}_{q}^{n}$ is defined as
\begin{equation*} \mathcal{C} \star \mathcal{D} = \operatorname{span}\{ c \star d \mid c \in \mathcal{C}, d \in \mathcal{D} \}, \end{equation*}
where $c \star d$ denotes the componentwise product. We study the star products of AG codes with the following theorem. We define the product of two subspaces $V, W \subseteq F$ of a function field F as
\begin{equation*} V \cdot W = \operatorname{span}\{ fg \mid f \in V, g \in W \}, \end{equation*}
where fg is the ordinary product of field elements.
Theorem 5 ([24]):
Let $F/\mathbb{F}_{q}$ be a function field of genus g. Then, the product of Riemann-Roch spaces $\mathcal{L}(G)$ and $\mathcal{L}(H)$ satisfies
\begin{equation*} \mathcal{L}(G) \cdot \mathcal{L}(H) \subseteq \mathcal{L}(G + H). \end{equation*}
Furthermore, equality holds if $\deg(G) \geq 2g$ and $\deg(H) \geq 2g + 1$.
The above theorem gives the following property for the star product of AG codes.
Example 3 (Star Product of Reed-Solomon Codes):
Like in Example 2, let us consider two RS codes $\mathcal{C}_{\mathcal{L}}(\mathcal{P}, (k - 1)P_{\infty})$ and $\mathcal{C}_{\mathcal{L}}(\mathcal{P}, (k' - 1)P_{\infty})$ with $1 \leq k \leq n$ and $2 \leq k' \leq n$. Since $g = 0$ for the rational function field, we have $k - 1 \geq 2g$ and $k' - 1 \geq 2g + 1$. Finally, by Remark 1 we can see that
\begin{align*} & \mathcal{C}_{\mathcal{L}}(\mathcal{P}, (k - 1)P_{\infty}) \star \mathcal{C}_{\mathcal{L}}(\mathcal{P}, (k' - 1)P_{\infty}) \\ & = \mathcal{C}_{\mathcal{L}}(\mathcal{P}, (k + k' - 2)P_{\infty}). \end{align*}
Note that the evaluation map is not necessarily injective; therefore, the dimension of the RS code $\mathcal{C}_{\mathcal{L}}(\mathcal{P}, (k + k' - 2)P_{\infty})$ is $\min\{k + k' - 1, n\}$.
D. Linear SDMM
In SDMM we consider the problem of distributing a matrix multiplication task to N workers. The information contained in the matrices should be kept secret from the workers even if at most X of them collude, i.e., share their information in an attempt to infer information about the matrices. A general framework for linear SDMM schemes was presented in [14]. The matrices A and B are partitioned into KM and LM pieces
\begin{align*} A = \begin{pmatrix} A_{11} & \cdots & A_{1M} \\ \vdots & \ddots & \vdots \\ A_{K1} & \cdots & A_{KM} \end{pmatrix}, \quad B = \begin{pmatrix} B_{11} & \cdots & B_{1L} \\ \vdots & \ddots & \vdots \\ B_{M1} & \cdots & B_{ML} \end{pmatrix} \end{align*}
such that their product can be expressed as
\begin{align*} AB = C = \begin{pmatrix} C_{11} & \cdots & C_{1L} \\ \vdots & \ddots & \vdots \\ C_{K1} & \cdots & C_{KL} \end{pmatrix}, \end{align*}
where $C_{ik} = \sum_{j=1}^{M} A_{ij}B_{jk}$. In this paper we are interested in the case of $M = 1$, which is known as the outer product partitioning. The matrices are assumed to have entries in the finite field $\mathbb{F}_{q}$.
The matrices A and B are encoded using linear codes $\mathcal{C}_{A}$ and $\mathcal{C}_{B}$ of length N and dimensions $K + X$ and $L + X$. In particular, if $G_{A}$ and $G_{B}$ are generator matrices of $\mathcal{C}_{A}$ and $\mathcal{C}_{B}$, respectively, then the encoded matrices are
\begin{align*} \widetilde{A} & = (\widetilde{A}_{1}, \dots, \widetilde{A}_{N}) = (A_{1}, \dots, A_{K}, R_{1}, \dots, R_{X})G_{A}, \\ \widetilde{B} & = (\widetilde{B}_{1}, \dots, \widetilde{B}_{N}) = (B_{1}, \dots, B_{L}, S_{1}, \dots, S_{X})G_{B}, \end{align*}
where $R_{1}, \dots, R_{X}$ and $S_{1}, \dots, S_{X}$ are matrices of suitable size whose entries are chosen uniformly at random from $\mathbb{F}_{q}$. The workers compute the products $\widetilde{C}_{i} = \widetilde{A}_{i}\widetilde{B}_{i}$, which correspond to the entries in the star product $\widetilde{A} \star \widetilde{B}$ consisting of componentwise matrix products.
Definition 1:
A linear SDMM scheme is said to be decodable if there are coefficients $\Lambda_{i} \in \mathbb{F}_{q}^{K \times L}$ that are independent of A, B and the random matrices $R_{j}$ and $S_{j}$ such that
\begin{equation*} AB = \sum_{i \in [N]} \Lambda_{i} \otimes \widetilde{C}_{i} \end{equation*}
for all A and B. Here, $\otimes$ denotes the Kronecker product between matrices.
The above definition states that the blocks $A_{k} B_{\ell}$ can be computed as linear combinations of the $\widetilde{C}_{i}$’s, where the coefficients are the $(k, \ell)$th coordinates of $\Lambda_{i}$. An SDMM scheme is said to be X-secure if any X colluding workers cannot extract any information about A or B from their shares. In terms of mutual information,
\begin{equation*} I(\boldsymbol{A}, \boldsymbol{B}; \widetilde{\boldsymbol{A}}_{\mathcal{X}}, \widetilde{\boldsymbol{B}}_{\mathcal{X}}) = 0 \end{equation*}
for all $\mathcal{X} \subseteq [N]$ with $\lvert \mathcal{X} \rvert = X$. Here, the bold symbols correspond to the random variables of the nonbold symbols and $\widetilde{\boldsymbol{A}}_{\mathcal{X}} = \{\widetilde{\boldsymbol{A}}_{i} \mid i \in \mathcal{X}\}$ denotes the shares of the workers indexed by $\mathcal{X}$.
Let $\mathcal{C}_{A}^{\sec}$ and $\mathcal{C}_{B}^{\sec}$ denote the linear codes that are used to encode just the random part in the linear SDMM scheme, i.e., the codes spanned by the rows of the generator matrices $G_{A}$ and $G_{B}$ that correspond to the random matrices. One way to show the security of the linear SDMM scheme is by the following theorem. The proof of the theorem uses standard arguments from information theory and relies on the fact that all the $X \times X$ submatrices of the generator matrices are invertible.
Theorem 6:
A linear SDMM scheme is X-secure if $\mathcal{C}_{A}^{\sec}$ and $\mathcal{C}_{B}^{\sec}$ are MDS codes.
To motivate our construction we consider the following example of linear SDMM based on the GASP scheme presented in [4].
Example 4 (GASP):
The matrices A and B are split into $K = L = 3$ submatrices using the outer product partitioning. We wish to protect against $X = 2$ colluding workers. Define the polynomials
\begin{align*} f(x) & = A_{1} + A_{2}x + A_{3}x^{2} + R_{1}x^{9} + R_{2}x^{12}, \\ g(x) & = B_{1} + B_{2}x^{3} + B_{3}x^{6} + S_{1}x^{9} + S_{2}x^{10}, \end{align*}
where $R_{1}, R_{2}, S_{1}, S_{2}$ are matrices of appropriate size that are chosen uniformly at random over $\mathbb{F}_{q}$. The exponents are chosen carefully so that the total number of workers needed is as low as possible. Let $\alpha_{1}, \dots, \alpha_{N} \in \mathbb{F}_{q}^{\times}$ be distinct nonzero points and evaluate the polynomials $f(x)$ and $g(x)$ at these points to get the encoded matrices
\begin{equation*} \widetilde{A}_{i} = f(\alpha_{i}), \quad \widetilde{B}_{i} = g(\alpha_{i}). \end{equation*}
The ith encoded matrices are sent to the ith worker node. The workers compute the matrix products $\widetilde{C}_{i} = \widetilde{A}_{i} \widetilde{B}_{i}$ and send these to the user. The user receives evaluations of the polynomial $h(x) = f(x)g(x)$ from each worker. Using the definition of $f(x)$ and $g(x)$ we can write out the coefficients of $h(x)$ as
\begin{align*} h(x) & = A_{1}B_{1} + A_{2}B_{1}x + A_{3}B_{1}x^{2} + A_{1}B_{2}x^{3} + A_{2}B_{2}x^{4} \\ & + A_{3}B_{2}x^{5} + A_{1}B_{3}x^{6} + A_{2}B_{3}x^{7} + A_{3}B_{3}x^{8} \\ & + (\text{terms of degree } \geq 9). \end{align*}
We notice that the coefficients of the first 9 terms are exactly the submatrices we wish to recover. We may study the terms that appear in the product using the degree table in Table I. As the degree table contains 18 distinct elements, we need 18 responses from the workers, provided that the corresponding linear equations are solvable. In this case, the number of workers is $N = 18$.
The general choice of the exponents in the polynomials $f(x)$ and $g(x)$ is explained in [5]. The security of the scheme is proven by showing that the condition of Theorem 6 is satisfied for a suitable choice of evaluation points.
It may be desirable to recover the result from a subset of the workers such that stragglers, i.e., slow or unresponsive workers, do not negatively affect the computation time. The minimal number of responses needed to decode the result in the worst case scenario is known as the recovery threshold. The recovery threshold of the scheme described in the above example is 18, which equals the number of workers. This means that the scheme is not able to tolerate stragglers.
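The GASP scheme of Example 4 carried out end to end, as an added example that is not part of the paper: K = L = 3, X = 2, the exponents above, and N = 18 workers over a prime field. The prime p = 10007, the 2x2 block sizes, the constructed input matrices, and the way the evaluation points are picked (the first window of consecutive nonzero points for which the 18 unknown coefficients of h(x) can be solved and both random-part codes pass the MDS condition of Theorem 6) are this example's own assumptions.

```python
import secrets
from itertools import combinations

P = 10007                   # assumed prime modulus; gcd(3, P - 1) = 1 keeps cubes distinct
K, L, X = 3, 3, 2
F_EXP = [0, 1, 2, 9, 12]    # degrees of A_1, A_2, A_3, R_1, R_2 in f(x)
G_EXP = [0, 3, 6, 9, 10]    # degrees of B_1, B_2, B_3, S_1, S_2 in g(x)

def degree_table(f_exp, g_exp):
    """Outer sum of the exponent lists: the degrees occurring in h = f * g (Table I)."""
    return sorted({e + e2 for e in f_exp for e2 in g_exp})

def matmul(A, B, p=P):
    return [[sum(x * y for x, y in zip(row, col)) % p for col in zip(*B)] for row in A]

def lin_comb(terms, al, rows, cols, p=P):
    """sum_j M_j * al^(e_j) over terms [(M_j, e_j)]: f or g evaluated at the point al."""
    acc = [[0] * cols for _ in range(rows)]
    for M, e in terms:
        s = pow(al, e, p)
        acc = [[(x + s * y) % p for x, y in zip(ra, rb)] for ra, rb in zip(acc, M)]
    return acc

def solve_mod_p(M, rhs, p=P):
    """Gauss-Jordan over F_p: x with M x = rhs, or None if M is singular."""
    n = len(M)
    aug = [row[:] + [r] for row, r in zip(M, rhs)]
    for col in range(n):
        piv = next((r for r in range(col, n) if aug[r][col] % p), None)
        if piv is None:
            return None
        aug[col], aug[piv] = aug[piv], aug[col]
        inv = pow(aug[col][col], p - 2, p)
        aug[col] = [(v * inv) % p for v in aug[col]]
        for r in range(n):
            if r != col and aug[r][col]:
                fac = aug[r][col]
                aug[r] = [(x - fac * y) % p for x, y in zip(aug[r], aug[col])]
    return [row[n] for row in aug]

def is_invertible(M, p=P):
    return solve_mod_p(M, [0] * len(M), p) is not None

def random_part_is_mds(alphas, rand_exps, p=P):
    """Theorem 6 condition: every X x X submatrix of the generator matrix [alpha_i^e]
    of the random-part code (e over rand_exps) is invertible."""
    return all(is_invertible([[pow(a, e, p) for a in cols] for e in rand_exps], p)
               for cols in combinations(alphas, X))

def choose_points(p=P):
    """First window s, ..., s+N-1 of nonzero points for which the N x N decoding
    system is solvable and both random-part codes pass the MDS check."""
    degs = degree_table(F_EXP, G_EXP)
    N = len(degs)                                   # 18 workers, one per distinct degree
    for s in range(1, p - N):
        alphas = list(range(s, s + N))
        if (is_invertible([[pow(a, e, p) for e in degs] for a in alphas], p)
                and random_part_is_mds(alphas, F_EXP[K:], p)
                and random_part_is_mds(alphas, G_EXP[L:], p)):
            return alphas
    raise ValueError("no suitable evaluation points in F_p")

def encode(A_blocks, B_blocks, alphas, p=P):
    """Shares A~_i = f(alpha_i), B~_i = g(alpha_i) with fresh uniformly random masks."""
    a, m, b = len(A_blocks[0]), len(A_blocks[0][0]), len(B_blocks[0][0])
    R = [[[secrets.randbelow(p) for _ in range(m)] for _ in range(a)] for _ in range(X)]
    S = [[[secrets.randbelow(p) for _ in range(b)] for _ in range(m)] for _ in range(X)]
    A_sh = [lin_comb(list(zip(A_blocks + R, F_EXP)), al, a, m, p) for al in alphas]
    B_sh = [lin_comb(list(zip(B_blocks + S, G_EXP)), al, m, b, p) for al in alphas]
    return A_sh, B_sh

def decode(C_sh, alphas, p=P):
    """Interpolate h(x) on the degree table; the coefficient of x^((k-1)+3(l-1))
    is A_k B_l, exactly as in the expansion of h(x) in Example 4."""
    degs = degree_table(F_EXP, G_EXP)
    V = [[pow(a, e, p) for e in degs] for a in alphas]
    a, b = len(C_sh[0]), len(C_sh[0][0])
    coef = {e: [[0] * b for _ in range(a)] for e in degs}
    for r in range(a):
        for c in range(b):
            for e, v in zip(degs, solve_mod_p(V, [Ci[r][c] for Ci in C_sh], p)):
                coef[e][r][c] = v
    return [[coef[k + 3 * l] for l in range(L)] for k in range(K)]

def run_example():
    """End-to-end run on constructed 6x2 and 2x6 input matrices (2x2 blocks)."""
    a, m, b = 2, 2, 2
    A = [[(3 * i + j) % P for j in range(m)] for i in range(K * a)]
    B = [[(5 * i + 7 * j + 1) % P for j in range(L * b)] for i in range(m)]
    A_blocks = [A[k * a:(k + 1) * a] for k in range(K)]
    B_blocks = [[row[l * b:(l + 1) * b] for row in B] for l in range(L)]
    alphas = choose_points()
    A_sh, B_sh = encode(A_blocks, B_blocks, alphas)
    C_sh = [matmul(Ai, Bi) for Ai, Bi in zip(A_sh, B_sh)]      # worker i's response
    expected = [[matmul(A_blocks[k], B_blocks[l]) for l in range(L)] for k in range(K)]
    return decode(C_sh, alphas), expected
```

The MDS check is the part a practitioner should not skip: with the exponents 9 and 12 in f(x), two workers' shares of the random part are linearly dependent whenever their evaluation points have equal cubes, which the field and point selection above rule out.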
SECTION III. Using Algebraic Geometry Codes in Linear SDMM
Extending Example 4 with AG codes is based on the fact that the exponents of the monomials $x^{i}$ can also be viewed as pole numbers at the pole of x in the rational function field $\mathbb{F}_{q}(x)$. This approach leads us to set up a pole number table that is similar to the degree table in Table I. Furthermore, we consider certain subcodes of AG codes, which is a neat generalization of the subcodes of RS codes used in Example 4.
We consider one-point AG codes from a divisor of the form $G = kP$
for some $P \in \mathbb {P} _{F}^{1}$
, and subcodes of such codes. This corresponds to the extension of the GASP codes, where the encoding is done by certain subcodes of RS codes. In particular, we choose some pole numbers in $W(P)$
, say\begin{equation*} \varphi = (\varphi _{1}, {\dots }, \varphi _{K + X}), \quad \gamma = (\gamma _{1}, {\dots }, \gamma _{L + X}).\end{equation*}
View Source
\begin{equation*} \varphi = (\varphi _{1}, {\dots }, \varphi _{K + X}), \quad \gamma = (\gamma _{1}, {\dots }, \gamma _{L + X}).\end{equation*}
Additionally, we choose functions $f_{1}, {\dots }, f_{K + X} \in F$
and $g_{1}, {\dots }, g_{L + X} \in F$
such that $(f_{j})_{\infty } = \varphi _{j} P$
and $(g_{j})_{\infty } = \gamma _{j} P$
. The matrices are partitioned according to the partition in Section II-D with $M = 1$
, i.e., the outer product partition. We encode our matrices by computing the following linear combinations\begin{align*} f & = \sum _{j=1}^{X} R_{j} f_{j} + \sum _{k=1}^{K} A_{k} f_{X + k}, \\ g & = \sum _{j=1}^{X} S_{j} g_{j} + \sum _{\ell =1}^{L} B_{\ell } g_{X + \ell }.\end{align*}
We want the encodings to be injective (by [14, Proposition 2]), which means that the collection $f_{1}, {\dots }, f_{K + X}$
has to be linearly independent. This can be achieved, for instance, by choosing the pole numbers $\varphi _{1}, {\dots }, \varphi _{K + X}$
to be distinct. Similarly, we want the pole numbers $\gamma _{1}, {\dots }, \gamma _{L + X}$
to be distinct. The goal is to design the pole numbers $\varphi $
and $\gamma $
such that we can extract the submatrix products $A_{k}B_{\ell } $
from the product $h = fg$
. We may study the possible pole numbers that appear in the product by considering the pole number table $\varphi \oplus \gamma $
, which is defined as the outer sum of $\varphi $
and $\gamma $
. Recall that the pole divisor of the product $f_{j}g_{j'}$
is $(f_{j}g_{j'})_{\infty } = (\varphi _{j} + \gamma _{j'})P$
. This is a direct generalization of the degree tables introduced in [5].
Notice that our encoding is done such that the random matrices correspond to the functions $f_{1}, {\dots }, f_{X}$ and $g_{1}, {\dots }, g_{X}$, while the matrix partitions correspond to the functions $f_{X + 1}, {\dots }, f_{X + K}$ and $g_{X + 1}, {\dots }, g_{X + L}$. This is merely a notational difference to earlier constructions, but it should be kept in mind in the next section, where the pole number table is analyzed.
SECTION IV.
Construction of the PoleGap Scheme
Let $\mathbb {F}_{q}$
be a finite field with odd characteristic. Fix the partitioning parameters $K \geq 2$
even, $L \geq 1$
and the collusion parameter $X \geq 1$
, and set\begin{equation*} d = K(L - 1) + 2X - 1.\end{equation*}
Let $\alpha _{1}, {\dots }, \alpha _{d} \in \mathbb {F} _{q}$
be distinct and consider the function field $F/\mathbb {F}_{q}$
defined by $y^{2} = \prod _{i=1}^{d} (x - \alpha _{i})$
. By Theorem 2 this function field has genus\begin{equation*} g = \frac {d - 1}{2} = \frac {1}{2}\left ({{K(L - 1) + 2X - 2}}\right ).\end{equation*}
Let $P_{\infty } $
be the unique pole of $x \in F$
. Then we have that $(x)_{\infty } = 2P_{\infty } $
. Hence, the Weierstrass semigroup at $P_{\infty } $
is\begin{equation*} W \mathrel {\mathrel {\mathop :}\hspace {-0.0672em}=} W(P_{\infty }) = \{ 0, 2, 4, {\dots }, 2g, 2g + 1, {\dots }\},\end{equation*}
i.e., all even integers are pole numbers, as well as all integers at least $2g$
.
Consider the following sequences of natural numbers\begin{align*} \varphi & =(0, 2, 4, {\dots }, 2X - 2, d, d + 1, {\dots }, d + K - 1) \in W^{K + X} \\ \gamma & = (0, 2, 4, {\dots }, 2X - 2, \\ & K \!+\! 2X - 2, 2K + 2X - 2, {\dots }, KL + 2X - 2) \in W^{L + X}.\end{align*}
We see that all the elements of $\gamma $
are even as K is assumed to be even, so all the elements of $\gamma $
are pole numbers. Similarly, the first X elements of $\varphi $
are even, so they are pole numbers. Finally, the last K elements of $\varphi $
are at least $d = 2g + 1$
, so they are also pole numbers. Therefore, we can choose functions $f_{1}, {\dots }, f_{K + X} \in F$
and $g_{1}, {\dots }, g_{L + X} \in F$
such that $(f_{j})_{\infty } = \varphi _{j} P_{\infty } $
and $(g_{j})_{\infty } = \gamma _{j} P_{\infty } $
. We will consider the subspaces\begin{equation*} {\mathcal {L}}_{A} = \mathop {\mathrm {span}}\nolimits \{f_{1}, {\dots }, f_{K + X}\}, \quad {\mathcal {L}}_{B} = \mathop {\mathrm {span}}\nolimits \{g_{1}, {\dots }, g_{L + X}\}.\end{equation*}
The maximal pole number of fg for $f \in {\mathcal {L}}_{A}$
and $g \in {\mathcal {L}}_{B}$
is $\varphi _{K + X} + \gamma _{L + X} = 2KL + 4X - 4$
. Hence, we consider the divisor $G = (2KL + 4X - 4)P_{\infty } $
. We see that ${\mathcal {L}}_{A}, {\mathcal {L}}_{B} \subseteq \mathcal {L}(G)$
and ${\mathcal {L}}_{A} \cdot {\mathcal {L}}_{B} \subseteq \mathcal {L}(G)$
by choice of G.
Let $\widehat {\mathcal {P}} \subseteq \mathbb {P} _{F}^{1} \setminus \{P_{\infty } \}$
be a set of places of size $\widehat {N} = \lvert \widehat {\mathcal {P}} \rvert $
. By considering the evaluation map $\mathop {\mathrm {ev}}\nolimits _{\widehat {\mathcal {P}}} \colon \mathcal {L}(G) \to \mathbb {F} _{q}^{\widehat {N}}$
we define the codes $\widehat {\mathcal {C}}_{A} = \mathop {\mathrm {ev}}\nolimits _{\widehat {\mathcal {P}}}({\mathcal {L}}_{A})$
and $\widehat {\mathcal {C}}_{B} = \mathop {\mathrm {ev}}\nolimits _{\widehat {\mathcal {P}}}({\mathcal {L}}_{B})$
. The star product of these codes is\begin{equation*} \widehat {\mathcal {C}}_{A} \star \widehat {\mathcal {C}}_{B} = \mathop {\mathrm {ev}}\nolimits _{\widehat {\mathcal {P}}}({\mathcal {L}}_{A} \cdot {\mathcal {L}}_{B}) \subseteq \mathop {\mathrm {ev}}\nolimits _{\widehat {\mathcal {P}}}(\mathcal {L}(G)) = {\mathcal {C}}_{\mathcal {L}}(\widehat {\mathcal {P}}, G).\end{equation*}
Assuming that $\widehat {N} \gt \deg G = 2KL + 4X - 4$
we get\begin{align*} \dim \widehat {\mathcal {C}}_{A} \star \widehat {\mathcal {C}}_{B} & \leq \dim {\mathcal {C}}_{\mathcal {L}}(\widehat {\mathcal {P}}, G) \\ & =\deg G + 1 {-} g \\ & = \tfrac {3}{2}KL + \tfrac {1}{2}K + 3X - 2.\end{align*}
The equality $\dim {\mathcal {C}}_{\mathcal {L}}(\widehat {\mathcal {P}}, G) = \deg G + 1 - g$ follows from the Riemann-Roch theorem: the evaluation map is injective on $\mathcal {L}(G)$ because $\widehat {N} \gt \deg G$, and the degree of G satisfies\begin{equation*} \deg G = 2KL + 4X - 4 \geq K(L - 1) + 2X - 3 = 2g - 1.\end{equation*}
Let $\mathcal {P} \subseteq \widehat {\mathcal {P}}$
be a subset of places corresponding to an information set of $\widehat {\mathcal {C}}_{A} \star \widehat {\mathcal {C}}_{B}$
. Define the codes ${\mathcal {C}}_{A} = \mathop {\mathrm {ev}}\nolimits _{\mathcal {P}}({\mathcal {L}}_{A})$
and ${\mathcal {C}}_{B} = \mathop {\mathrm {ev}}\nolimits _{\mathcal {P}}({\mathcal {L}}_{B})$
. These codes have length $N = \dim \widehat {\mathcal {C}}_{A} \star \widehat {\mathcal {C}}_{B}$
and dimensions $K + X$
and $L + X$
, respectively.
We partition the matrices A and B using the outer product partitioning such that\begin{align*} A = \begin{pmatrix} A_{1} \\ \vdots \\ A_{K} \end{pmatrix}, \quad B = \begin{pmatrix} B_{1} & \cdots & B_{L} \end{pmatrix}.\end{align*}
Then the product AB can be computed directly from the submatrix products $A_{k} B_{\ell } $
. For encoding A and B we consider the functions\begin{align*} f & = \sum _{j=1}^{X} R_{j} f_{j} + \sum _{k=1}^{K} A_{k} f_{X + k} \in {\mathcal {L}}_{A}, \\ g & = \sum _{j=1}^{X} S_{j} g_{j} + \sum _{\ell =1}^{L} B_{\ell } g_{X + \ell } \in {\mathcal {L}}_{B},\end{align*}
where $R_{1}, {\dots }, R_{X}, S_{1}, {\dots }, S_{X}$
are random matrices of appropriate size. The encoded pieces of A and B are determined by $\widetilde {A} = \mathop {\mathrm {ev}}\nolimits _{\mathcal {P}}(f)$
and $\widetilde {B} = \mathop {\mathrm {ev}}\nolimits _{\mathcal {P}}(g)$
. As each worker computes the product of their encoded pieces, the user receives the responses $\mathop {\mathrm {ev}}\nolimits _{\mathcal {P}}(h)$
, where $h = fg$
. As the set $\mathcal {P}$
is chosen to be an information set of the code $\widehat {\mathcal {C}}_{A} \star \widehat {\mathcal {C}}_{B}$
, we get that $\mathop {\mathrm {ev}}\nolimits _{\mathcal {P}}$
is injective on ${\mathcal {L}}_{A} \cdot {\mathcal {L}}_{B}$
. Hence, we can recover h from the response vector $\mathop {\mathrm {ev}}\nolimits _{\mathcal {P}}(h)$
.
Let us study the form of the product $h = fg$
with the pole number table depicted in Table II. The pole numbers in the bottom right quadrant are all at least $KL + 4X - 3$
, while the pole numbers in the remaining quadrants are at most $KL + 4X - 4$
. Furthermore, the pole numbers in the bottom right quadrant are all distinct. The product $h = fg \in {\mathcal {L}}_{A} \cdot {\mathcal {L}}_{B}$
has the form\begin{align*} h & = \sum _{j=1}^{X} \sum _{j'=1}^{X} R_{j} S_{j'} f_{j} g_{j'} + \sum _{j=1}^{X} \sum _{\ell =1}^{L} R_{j} B_{\ell } f_{j} g_{X + \ell } \\ & + \sum _{k=1}^{K} \sum _{j'=1}^{X} A_{k} S_{j'} f_{X + k} g_{j'} + \sum _{k=1}^{K} \sum _{\ell =1}^{L} A_{k} B_{\ell } f_{X + k} g_{X + \ell }.\end{align*}
The terms in the first three sums correspond to the pole numbers in the first three quadrants of the pole number table, i.e., they are contained in the Riemann-Roch space $\mathcal {L}(G')$
, where $G' = (KL + 4X - 4)P_{\infty } $
. Therefore, we consider the decomposition ${\mathcal {L}}_{A} \cdot {\mathcal {L}}_{B} = {\mathcal {L}}_{L} \oplus {\mathcal {L}}_{H}$
, where\begin{align*} {\mathcal {L}}_{L} & = ({\mathcal {L}}_{A} \cdot {\mathcal {L}}_{B}) \cap \mathcal {L}(G'), \\ {\mathcal {L}}_{H} & = \mathop {\mathrm {span}}\nolimits \{f_{X + k}g_{X + \ell } \mid k \in [K], \ell \in [L]\}.\end{align*}
We can therefore project h to ${\mathcal {L}}_{H}$
to obtain\begin{equation*} \sum _{k=1}^{K} \sum _{\ell =1}^{L} A_{k} B_{\ell } f_{X + k}g_{X + \ell }.\end{equation*}
The functions $f_{X + k}g_{X + \ell }$
have distinct pole numbers, which means that they are linearly independent. This means that the coefficients $A_{k} B_{\ell } $
are uniquely determined by h and can be computed as linear combinations of the evaluations $\mathop {\mathrm {ev}}\nolimits _{\mathcal {P}}(h)$
.
Theorem 7:
By choosing $f_{j} = x^{j-1}$
and $g_{j} = x^{j-1}$
for $1 \leq j \leq X$
and the set $\widehat {\mathcal {P}}$
appropriately, the scheme is X-secure.
Proof:
Let $\alpha \in \mathbb {F}_{q}$
. There can be at most two places in $\mathbb {P}_{F}$
such that $(x - \alpha)(P) = 0$
, since the extension degree of F over $\mathbb {F}_{q}(x - \alpha) = \mathbb {F}_{q}(x)$
is 2. Choose the set $\widehat {\mathcal {P}} \subseteq \mathbb {P} _{F}^{1} \setminus \{P_{\infty } \}$
such that it includes at most one of these two solutions for all $\alpha \in \mathbb {F}_{q}$
. Thus, $\widehat {\mathcal {P}}$
can be chosen to have size at least $\frac {1}{2}\lvert \mathbb {P} _{F}^{1} \setminus \{P_{\infty } \} \rvert $
. Then $x(P) \in \mathbb {F} _{q}$
are distinct for all $P \in \widehat {\mathcal {P}}$
By the Hasse-Weil bound, $\lvert \mathbb {P}_{F}^{1} \rvert \geq q + 1 - 2g\sqrt {q}$, so $\mathbb {P}_{F}^{1}$ can be made as large as we want by choosing q large enough.
The choice of $f_{j}$
and $g_{j}$
is appropriate, since $(x^{j-1})_{\infty } = 2(j-1)P_{\infty } $
, which is exactly what was required in the construction of the scheme. Let $\mathcal {P} = \{P_{1}, {\dots }, P_{N}\}$
and $\alpha _{i} = x(P_{i}) \in \mathbb {F} _{q}$
. The generator matrix of the security part is then\begin{align*} G_{A} = \begin{pmatrix} f_{1}(P_{1}) & \cdots & f_{1}(P_{N}) \\ \vdots & \ddots & \vdots \\ f_{X}(P_{1}) & \cdots & f_{X}(P_{N}) \end{pmatrix} = \begin{pmatrix} 1 & \cdots & 1 \\ \alpha _{1} & \cdots & \alpha _{N} \\ \vdots & \ddots & \vdots \\ \alpha _{1}^{X - 1} & \cdots & \alpha _{N}^{X - 1} \end{pmatrix}.\end{align*}
This matrix is the generator matrix of an MDS code, since it is a Vandermonde matrix with distinct evaluation points. Similarly, $G_{B} = G_{A}$
is the generator matrix of an MDS code. By Theorem 6 the scheme is X-secure.■
By computing $B^{T}A^{T} = (AB)^{T}$ we can interchange the roles of K and L, so we may formulate our construction as the following theorem. We call this the PoleGap SDMM scheme.
Theorem 8 (PoleGap SDMM Scheme):
Given partitioning parameters $K, L \geq 1$
such that at least one of them is even, and the collusion parameter $X \geq 1$
, our construction gives an X-secure linear SDMM scheme that uses at most\begin{align*} \begin{cases} \tfrac {3}{2}KL + \tfrac {1}{2}K + 3X - 2 & {\mathrm {if}}~ K ~{\mathrm {even~ and}} ~L ~{\mathrm {odd}} \\ \tfrac {3}{2}KL + \tfrac {1}{2}L + 3X - 2 & {\mathrm {if}} ~K ~{\mathrm {odd ~and}} ~L~ {\mathrm {even}} \\ \tfrac {3}{2}KL + \tfrac {1}{2}\min \{K, L\} + 3X - 2 & {\mathrm {if}} ~K ~{\mathrm {and}}~ L ~{\mathrm {are~ even}} \end{cases}\end{align*}
workers.
We conclude this section with an example of our scheme construction.
Example 5 (PoleGap):
The matrices A and B are split into $K = L = 4$
submatrices using the outer product partitioning. We wish to protect against $X = 4$
colluding workers. Let $d = K(L - 1) + 2X - 1 = 19$
. Let $\alpha _{1}, {\dots }, \alpha _{d} \in \mathbb {F} _{q}$
be distinct. Then, $F = \mathbb {F}_{q}(x, y)$
with $y^{2} = \prod _{i=1}^{d} (x - \alpha _{i})$
defines a hyperelliptic function field of genus $g = 9$
. Define the functions\begin{align*} f & = R_{1} + R_{2}x + R_{3}x^{2} + R_{4}x^{3} \\ & + A_{1}y + A_{2}x^{10} + A_{3}xy + A_{4}x^{11}\end{align*}
and\begin{align*} g & = S_{1} + S_{2}x + S_{3}x^{2} + S_{4}x^{3} \\ & + B_{1}x^{5} + B_{2}x^{7} + B_{3}x^{9} + B_{4}x^{11},\end{align*}
where $R_{1}, R_{2}, R_{3}, R_{4}, S_{1}, S_{2}, S_{3}, S_{4}$
are matrices of appropriate size that are chosen uniformly at random over $\mathbb {F}_{q}$
. Let $P_{1}, {\dots }, P_{N} \in \mathbb {P} _{F}^{1}$
be the chosen places. We evaluate the functions f and g at these places to get the encoded matrices\begin{equation*} \widetilde {A}_{i} = f(P_{i}), \quad \widetilde {B}_{i} = g(P_{i}).\end{equation*}
The ith encoded matrices are sent to the ith worker node who computes $\widetilde {C}_{i} = \widetilde {A}_{i} \widetilde {B}_{i}$
and sends it to the user. The user receives evaluations of the function $h = fg$
from each worker. We may write this function as\begin{align*} h & = (\text {terms in}~ \mathcal {L}(28P_{\infty })) \\ & + A_{1}B_{1} x^{5}y + A_{2}B_{1} x^{15} + A_{3}B_{1} x^{6}y + A_{4}B_{1} x^{16} \\ & + A_{1}B_{2} x^{7}y + A_{2}B_{2} x^{17} + A_{3}B_{2} x^{8}y + A_{4}B_{2} x^{18} \\ & + A_{1}B_{3} x^{9}y + A_{2}B_{3} x^{19} + A_{3}B_{3} x^{10}y + A_{4}B_{3} x^{20} \\ & + A_{1}B_{4} x^{11}y + A_{2}B_{4} x^{21} + A_{3}B_{4} x^{12}y + A_{4}B_{4} x^{22}.\end{align*}
The last 16 terms correspond to the submatrices we wish to recover. As these terms have distinct pole numbers, they are linearly independent. This construction will have recovery threshold 36, which also equals the number of distinct pole numbers in the pole number table given in Table III. The base field $\mathbb {F}_{q}$
and $\alpha _{1}, {\dots }, \alpha _{d}$
should be chosen such that the corresponding function field F has sufficiently many rational places. An implementation of this construction in SageMath [33] can be found on GitHub.
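The construction of this section, run end to end as an added example in plain Python; this is not the authors' SageMath implementation referred to above. It assumes a prime field $\mathbb {F}_{1009}$ (an assumption made so that the curve has more than $\deg G$ rational places), $\alpha _{i} = i$ for $1 \leq i \leq d$, matrix entries in $\mathbb {F}_{q}$, and the function choice of Example 5, namely $x^{p/2}$ for an even pole number p and $x^{(p-d)/2}y$ for an odd $p \geq d$. `pole_table_check` computes the quadrant bounds of the pole number table for any even K and any L, X, not only $K = L = X = 4$; `rational_places` keeps one place per x-coordinate as the proof of Theorem 7 requires; `information_set` selects $\mathcal {P}$; and `polegap` encodes, simulates the worker products and decodes AB by solving for the coefficient matrices of the monomial basis of ${\mathcal {L}}_{A} \cdot {\mathcal {L}}_{B}$, which is the same linear combination of the responses $\mathop {\mathrm {ev}}\nolimits _{\mathcal {P}}(h)$ described in the text.

```python
"""PoleGap SDMM (Section IV / Example 5) run end to end. Added example, not the authors'
SageMath code. Assumed: prime q = 1009, alpha_i = 1..d, matrix entries in F_q. A function
with pole number p is x^(p/2) for even p and x^((p-d)/2) y for odd p >= d (y has pole
number d), as in Example 5; the monomial x^a y^e is stored as the pair (a, e)."""
import math
import random

Q = 1009  # assumed prime, large enough that the curve has more than deg G rational places

def pole_numbers(K, L, X):
    """d, phi and gamma of Section IV (K even)."""
    assert K % 2 == 0 and K >= 2 and L >= 1 and X >= 1
    d = K * (L - 1) + 2 * X - 1
    phi = [2 * j for j in range(X)] + [d + k for k in range(K)]
    gamma = [2 * j for j in range(X)] + [l * K + 2 * X - 2 for l in range(1, L + 1)]
    return d, phi, gamma

def monomial(p, d):
    return (p // 2, 0) if p % 2 == 0 else ((p - d) // 2, 1)

def ev(mono, P, q):
    return pow(P[0], mono[0], q) * (P[1] if mono[1] else 1) % q

def pole_table_check(K, L, X):
    """(max interference entry, min information entry, information entries distinct?,
    number of distinct entries) of the pole number table phi (+) gamma (Table II)."""
    _, phi, gamma = pole_numbers(K, L, X)
    table = [[p + r for r in gamma] for p in phi]
    info = [table[X + k][X + l] for k in range(K) for l in range(L)]
    interf = [table[j][i] for j in range(K + X) for i in range(L + X) if j < X or i < X]
    return max(interf), min(info), len(set(info)) == len(info), len({v for r in table for v in r})

def rational_places(alphas, q):
    """Points on y^2 = prod(x - alpha_i), one per x (Theorem 7 needs distinct x(P)); x = alpha_i skipped."""
    root = {y * y % q: y for y in range(q)}
    pts = []
    for x in range(q):
        if x not in alphas:
            v = math.prod(x - a for a in alphas) % q
            if v in root:
                pts.append((x, root[v]))
    return pts

def information_set(places, basis, q):
    """Greedily pick places whose evaluation vectors on `basis` are linearly independent."""
    echelon, chosen = [], []
    for P in places:
        row = [ev(m, P, q) for m in basis]
        for piv, er in echelon:                      # stored rows are zero at earlier pivots
            row = [(v - row[piv] * w) % q for v, w in zip(row, er)] if row[piv] else row
        piv = next((c for c, v in enumerate(row) if v), None)
        if piv is not None:
            echelon.append((piv, [v * pow(row[piv], q - 2, q) % q for v in row]))
            chosen.append(P)
            if len(chosen) == len(basis):
                return chosen
    raise ValueError("too few rational places; use a larger q")

def solve_mod(M, H, q):
    """Gauss-Jordan solution of M C = H over F_q, M square and invertible."""
    n, aug = len(M), [list(M[i]) + list(H[i]) for i in range(len(M))]
    for col in range(n):
        piv = next(r for r in range(col, n) if aug[r][col])
        aug[col], aug[piv] = aug[piv], aug[col]
        inv = pow(aug[col][col], q - 2, q)
        aug[col] = [v * inv % q for v in aug[col]]
        for r in range(n):
            if r != col and aug[r][col]:
                aug[r] = [(v - aug[r][col] * w) % q for v, w in zip(aug[r], aug[col])]
    return [row[n:] for row in aug]

def matmul(A, B, q):
    return [[sum(a * b for a, b in zip(row, col)) % q for col in zip(*B)] for row in A]

def evaluate(coefs, monos, P, q):
    """f(P) = sum_j C_j f_j(P) for matrix coefficients C_j; the result is a matrix over F_q."""
    out = [[0] * len(coefs[0][0]) for _ in coefs[0]]
    for C, m in zip(coefs, monos):
        c = ev(m, P, q)
        out = [[(o + c * v) % q for o, v in zip(orow, crow)] for orow, crow in zip(out, C)]
    return out

def polegap(A, B, K, L, X, q=Q, seed=1):
    """Run the scheme; returns (AB mod q, number of workers N, the chosen places)."""
    rng = random.Random(seed)
    d, phi, gamma = pole_numbers(K, L, X)
    fs, gs = [monomial(p, d) for p in phi], [monomial(p, d) for p in gamma]
    basis = sorted({(a + b, e + e2) for a, e in fs for b, e2 in gs})  # spans L_A . L_B; e + e2 <= 1
    rA, cB, inner = len(A) // K, len(B[0]) // L, len(B)
    def rnd(rows, cols): return [[rng.randrange(q) for _ in range(cols)] for _ in range(rows)]
    coef_f = [rnd(rA, inner) for _ in range(X)] + [A[k * rA:(k + 1) * rA] for k in range(K)]
    coef_g = [rnd(inner, cB) for _ in range(X)] + [[r[l * cB:(l + 1) * cB] for r in B] for l in range(L)]
    places = information_set(rational_places(set(range(1, d + 1)), q), basis, q)
    # worker i multiplies its two encoded pieces; the user collects h(P_i) = f(P_i) g(P_i)
    H = [[v for r in matmul(evaluate(coef_f, fs, P, q), evaluate(coef_g, gs, P, q), q) for v in r] for P in places]
    M = [[ev(m, P, q) for m in basis] for P in places]
    C = solve_mod(M, H, q)               # row t = flattened coefficient matrix of basis[t]
    def block(k, l):                     # coefficient of f_{X+k} g_{X+l}, i.e. A_k B_l
        return C[basis.index((fs[X + k][0] + gs[X + l][0], fs[X + k][1]))]
    AB = [[block(i // rA, j // cB)[(i % rA) * cB + j % cB] for j in range(L * cB)] for i in range(K * rA)]
    return AB, len(places), places
```

For $K = L = X = 4$ the scheme uses 36 workers, matching Theorem 8 and Example 5. The places are chosen with distinct $x(P)$, which is what makes the Vandermonde matrix $G_{A}$ in the proof of Theorem 7 the generator matrix of an MDS code; the information set is exactly $N = \dim {\mathcal {L}}_{A} \cdot {\mathcal {L}}_{B}$ places, so the recovery threshold equals the number of workers and a single straggler blocks decoding.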
Working with hyperelliptic function fields to create the generator matrices needed in the encoding and decoding incurs an increase in computational complexity. However, this needs to be done only once for any set of parameters. Indeed, after the initialization, all computations are performed over the field $\mathbb {F}_{q}$
in the same manner as in other linear SDMM schemes.
This construction can be extended to more general Kummer extensions of the rational function field, but this does not yield any improvement as seen in the Appendix.
In this section, we will compare our construction to some state-of-the-art schemes which use the same matrix partitioning that is used in our construction. Comparing schemes with the same partitioning makes the comparison meaningful since the parameters in different partitioning methods are not directly comparable. Some state-of-the-art SDMM schemes that use the outer product partitioning include the A3S scheme in [6] and the GASP scheme in [5], which generalizes the A3S construction. We will compare the schemes by computing their download rate\begin{equation*} \mathcal {R} \mathrel {\mathrel {\mathop :}\hspace {-0.0672em}=}\frac {KL}{N},\end{equation*}
which is inversely proportional to the number of workers that are needed. The goal is to maximize the rate. The GASP scheme was constructed to interpolate between the GASPsmall and GASPbig schemes, which work well for small and large values of X. The A3S scheme is a special case of the GASPsmall construction for some parameters. The number of workers needed for the GASP scheme is given by various polynomial expressions in $K, L, X$
for different ranges of parameters. To give an idea of how our construction compares to other constructions, we will compare the number of workers in our scheme (given by Theorem 8) with the number of workers in the A3S scheme ($N = (K + X)(L + 1) - 1 = KL + K + (L + 1)X - 1$
) and the GASPbig scheme ($N = 2KL + 2X - 1$
).
For fixed $K, L \geq 3$
, we see that the number of workers in A3S scales with $(L + 1)X \geq 4X$
as X is increased, the PoleGap scheme scales with $3X$
, and GASPbig with $2X$
. Similarly, for a fixed X, the number of workers in the A3S scheme scales with KL as KL is increased, the PoleGap scheme scales with $\tfrac {3}{2}KL$
, and GASPbig with $2KL$
. For this reason, we should expect that the PoleGap scheme works well in the medium range, where neither KL nor X is too large.
This analysis and Fig. 1 demonstrate the potential of our construction, offering an improvement over the state-of-the-art schemes for interesting parameter ranges. For instance, in Fig. 1 we observe rate improvements up to 4.4% over the general GASP scheme for some parameters. While 4.4% may not sound very impressive as a relative measure, it easily results in massive absolute savings in, e.g., energy consumption. In particular, our scheme achieves a better rate than the GASP scheme for 11.3% of parameters in the range $2 \leq K \leq 50$
, $1 \leq L \leq K$
, $1 \leq X \leq 50$
and K even. The A3S scheme achieves a similar performance as the GASPsmall scheme, but has the advantage that it is simple to add tolerance against straggling workers.
Given the pole number table in Table II, we could also carry out a construction similar to the GASP scheme in [4]: instead of choosing suitable functions with certain pole numbers, we could choose monomials with specified degrees. In this approach the resulting star product code would not be an AG code, but some arbitrary linear code. The AG approach is attractive because the dimension of the star product code can be computed easily from the genus of the underlying function field, and because error correction algorithms for AG codes become available.
In this paper, we investigated how AG codes may be used in secure distributed matrix multiplication by giving an explicit construction coming from hyperelliptic function fields, which we call the PoleGap SDMM scheme. This construction is a proof-of-concept that using AG codes can bring advantages over previously considered schemes. The gaps in the Weierstrass semigroup correspond to the gaps in the GASP scheme, which means that the number of the gaps is counted by the genus of the algebraic function field. Additionally, using AG codes may have other benefits, such as more flexibility in field size and error correction. The fact that the response code is known to be an AG code allows us to utilize error correction algorithms such as list decoding for the SDMM scheme. As future work, we would also like to extend our construction to the analog case, since the theory of hyperelliptic function fields works just as well over the fields $\mathbb {R}$
and $\mathbb {C}$
.
Extending our construction, and the ideas in this paper, to other algebraic curves and function fields requires care. It does not seem at all obvious how to choose the pole numbers in general, even if the Weierstrass semigroup of the function field is known. The genus of the hyperelliptic function field that is used in the PoleGap scheme depends on the parameters $K, L, X$
of the SDMM scheme. This means that we do not start with a known function field and choose suitable pole numbers, but rather we choose the function field according to our SDMM parameters that allows us to choose good pole numbers. The extension of our scheme to Kummer extensions of the rational function field can be found in the Appendix below.
In addition to outer product partitioning, so-called grid partitioning has also been investigated. It would be interesting to see if AG codes can be utilized in this setting as well, although we imagine it is not straightforward. Instead of outer product partitioning, inner product partitioning has been used in SDMM. The authors of [26] propose the use of Hermitian function fields in SDMM with the inner product partitioning. However, it was noted in [34] that AG codes are not necessary to achieve optimal recovery thresholds for the inner product partitioning with a small field size.
ACKNOWLEDGMENT
The authors would like to thank the anonymous reviewers for the valuable comments and suggestions, which helped them improve the quality of the article. The work of Elif Saçıkara was completed when she was with the Department of Mathematics and Systems Analysis, Aalto University, Finland.
Appendix
In this appendix we go through a more general construction compared to the one presented in Section IV by utilizing Kummer extensions. It turns out that we do not achieve better performance with this more general construction, which is why we do not include it in the main part of the paper.
By utilizing [30, Proposition 6.3.1] and [20, Theorem 3.2] we can formulate the following theorem about constructing Kummer extensions of the rational function field $\mathbb {F}_{q}(x)$
. This can be seen as a generalization of Theorem 2, but it is not the most general version of Kummer extensions.
Theorem 9:
Let $F = \mathbb {F}_{q}(x, y)$
with $y^{m} = \prod _{i=1}^{d} (x - \alpha _{i})$
, where $\alpha _{1}, {\dots }, \alpha _{d} \in \mathbb {F} _{q}$
are distinct, $\mathop {\mathrm {char}}\nolimits \mathbb {F} _{q} \nmid m$
, and $\gcd (m, d) = 1$
. Then, $F / \mathbb {F}_{q}$
has genus\begin{equation*} g = \tfrac {1}{2}(m - 1)(d - 1) \in \mathbb {Z} .\end{equation*}
The Weierstrass semigroup at $P_{\infty } $
is generated by m and d.
Using this way of constructing function fields, we may construct a linear SDMM scheme similar to the one in Theorem 8. Let $m \geq 2$
be the degree of our Kummer extension. Let K be a multiple of m, X and $L - 1$
multiples of $m - 1$
, and set\begin{equation*} d = \frac {K(L - 1) + mX}{m - 1} - 1.\end{equation*}
We have that $\gcd (m, d) = 1$
, so we may construct a Kummer extension $F / \mathbb {F}_{q}$
using Theorem 9. Then the genus of this function field is\begin{equation*} g = \frac {1}{2} (K(L - 1) + mX - 2m + 2).\end{equation*}
Let $W = W(P_{\infty })$
. We will choose the pole numbers\begin{align*} \varphi & = (0, m, {\dots }, m(X - 1), 2g + m - 1, \\ & \hspace {2em} 2g + m, {\dots }, 2g + m + K - 2) \in W^{K + X} \\ \gamma & = (0, m, {\dots }, m(X - 1), m(X - 1) + K, \\ & \hspace {2em} m(X - 1) + 2K, {\dots }, m(X - 1) + KL) \in W^{L + X}.\end{align*}
Let $f_{1}, {\dots }, f_{K + X} \in F$
and $g_{1}, {\dots }, g_{L + X} \in F$
be suitable functions such that $(f_{j})_{\infty } = \varphi _{j} P_{\infty } $
and $(g_{j})_{\infty } = \gamma _{j} P_{\infty } $
. We can define the functions\begin{align*} f = \sum _{j=1}^{X} R_{j} f_{j} + \sum _{k=1}^{K} A_{k} f_{X + k} \\ g = \sum _{j=1}^{X} S_{j} g_{j} + \sum _{\ell =1}^{L} B_{\ell } g_{X + \ell },\end{align*}
where the matrices $R_{j}, S_{j}$
are chosen uniformly at random and $A_{1}, {\dots }, A_{K}$
and $B_{1}, {\dots }, B_{L}$
are partitions of the matrices A and B. As before, the workers will be given evaluations of f and g at suitable places and will compute an evaluation of $h = fg$
.
The interference terms (those containing random matrices) in h will have pole numbers at most $KL + 2mX - 2m$
, while the information terms will have distinct pole numbers starting at $KL + 2mX - 2m + 1$
. This means that all the interference terms in h will live in $\mathcal {L}(G')$
and the function h will be in $\mathcal {L}(G)$
, where $G' = (KL + 2mX - 2m)P_{\infty } $
and $G = (2KL + 2mX - 2m)P_{\infty } $
. This means that given h, we can deduce the submatrices $A_{k}B_{\ell } $
as they are the coefficients of linearly independent terms $f_{X + k} g_{X + \ell }$
. The dimension of $\mathcal {L}(G)$
is\begin{equation*} \ell (G) = \deg (G) {-} g + 1 = \tfrac {3}{2}KL + \tfrac {1}{2}K + \tfrac {3}{2}mX {-} m = N.\end{equation*}
Hence, we need N workers for this SDMM scheme. The security of the scheme can be proven analogously to Theorem 7 given that $f_{1}, {\dots }, f_{X}$
and $g_{1}, {\dots }, g_{X}$
as well as the places are chosen carefully.
We see that the formula in Theorem 8 corresponds to the above formula with $m = 2$
. For general $m \geq 3$
the coefficient $\tfrac {3}{2}m$
for X is worse than that of Theorem 8, which means that using Kummer extensions does not give any more improvement. Furthermore, the strict divisibility conditions for $K, L, X$
mean that this construction is not as flexible compared to the one with $m = 2$
in Theorem 8.
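A parameter check for the Kummer construction of this appendix, as an added example that is not the authors' code. For given $(m, K, L, X)$ it builds d, g, $\varphi $ and $\gamma $ as defined above, tests every entry against the semigroup generated by m and d from Theorem 9, and verifies the interference bound $KL + 2mX - 2m$, the distinctness of the information pole numbers starting at $KL + 2mX - 2m + 1$, and $N = \ell (G)$ against the closed formula; the dictionary it returns is this example's own reporting format. With $m = 2$ it reproduces Example 5, and with $m = 4$, $K = L = 4$, $X = 3$ it gives $N = 40$ against 33 from Theorem 8, illustrating the remark that larger m does not help.

```python
"""Checks of the Kummer-extension construction in the Appendix for given (m, K, L, X).
Added example; builds phi and gamma as defined there, tests membership in the Weierstrass
semigroup <m, d> of Theorem 9 and verifies the pole-number bounds and N = l(G)."""
from math import gcd

def kummer_params(m, K, L, X):
    """d, genus g, phi and gamma under the divisibility conditions of the Appendix."""
    assert m >= 2 and K % m == 0 and X % (m - 1) == 0 and (L - 1) % (m - 1) == 0
    d = (K * (L - 1) + m * X) // (m - 1) - 1
    assert gcd(m, d) == 1                                   # hypothesis of Theorem 9
    g = (m - 1) * (d - 1) // 2
    phi = [m * j for j in range(X)] + [2 * g + m - 1 + k for k in range(K)]
    gamma = [m * j for j in range(X)] + [m * (X - 1) + l * K for l in range(1, L + 1)]
    return d, g, phi, gamma

def in_semigroup(n, m, d):
    """Is n a pole number at P_inf, i.e. n = i*d + j*m with i, j >= 0?"""
    return any((n - i * d) % m == 0 for i in range(n // d + 1))

def check_construction(m, K, L, X):
    d, g, phi, gamma = kummer_params(m, K, L, X)
    table = [[p + r for r in gamma] for p in phi]          # pole number table phi (+) gamma
    interf = [table[j][i] for j in range(K + X) for i in range(L + X) if j < X or i < X]
    info = [table[X + k][X + l] for k in range(K) for l in range(L)]
    deg_G = phi[-1] + gamma[-1]
    return {
        "pole_numbers_valid": all(in_semigroup(p, m, d) for p in phi + gamma),
        "genus_matches": 2 * g == K * (L - 1) + m * X - 2 * m + 2,
        "interference_max": max(interf),
        "interference_bound": K * L + 2 * m * X - 2 * m,
        "info_min": min(info),
        "info_distinct": len(set(info)) == len(info),
        "deg_G": deg_G,
        "N": deg_G - g + 1,                                 # l(G) since deg G >= 2g - 1
        "N_formula": (3 * K * L + K + 3 * m * X) // 2 - m,
    }
```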