Securely Straggler-Exploiting Coded Computation for Distributed Matrix Multiplication

In this paper, we consider coded computation for matrix multiplication tasks in distributed computing, which mitigates the effect of slow workers, called stragglers, using a coding approach. We assume that the stragglers' computation results can be leveraged at the master by assigning multiple sub-tasks to the workers. For this scenario, a new coded computation scheme, called securely straggler-exploiting codes (SSEC), is proposed to preserve data security and privacy from the workers. Moreover, the proposed SSEC efficiently reduces the communication load for assigning the sub-tasks to the workers by overlapping the encoded matrices of multiple sub-tasks with appropriate polynomial functions. It is also proven that the data security and privacy constraints are satisfied by SSEC in an information-theoretic sense. Finally, SSEC is shown to achieve good performance in terms of the recovery threshold and communication loads, which are compared with those of existing secure coded computation schemes for matrix multiplication tasks.


I. INTRODUCTION
For many machine learning operations and big data analytics, matrix multiplication is a common computation for drawing inferences from a dataset. As dataset sizes increase, there have been attempts to process the numerous calculations on a large-scale dataset using distributed computing with multiple processing nodes, called workers. However, it has been reported that among multiple workers there can exist straggling workers that return computation results too slowly or even fail [2]. The effect of straggling workers, i.e., the straggler effect, can be critical to the performance of distributed computing systems because it can be detrimental to the completion of a computation task.
This study considers coded computation in distributed computing, in which the straggler effect is reduced by a coding approach. For instance, it has been shown that when (M, K) maximum distance separable (MDS) codes are employed for matrix-vector multiplication tasks in distributed computing with M workers, the straggler effect can be significantly mitigated because an aggregation node, called a master, only requires the fastest K computation results to obtain the final outcome [3]. This approach has been extended to various computational tasks, especially matrix multiplication tasks [4]-[11]. In [4], the authors applied polynomial codes [12] to matrix multiplication tasks in distributed computing to alleviate the straggler effect. It was proved that with polynomial codes, the recovery threshold at a master, i.e., the minimum number of computation returns that the master needs to wait for to obtain the final product in the worst-case scenario, does not scale with the number of workers, which implies that the straggler effect does not worsen as the number of workers increases. This work was generalized in [5] and [6] to various matrix partitioning settings. In particular, the authors in [5] proposed MatDot and PolyDot coding schemes to reduce the memory usage of workers, and provided a fundamental trade-off between the communication load in distributed computing and the recovery threshold at the master. The authors in [6] also demonstrated this trade-off by introducing a general coding scheme derived from polynomial codes, called entangled polynomial codes. Various other coding schemes have also been proposed for matrix multiplication tasks in distributed computing to alleviate the straggler effect [7]-[11].
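To make the MDS-coded approach concrete, the following toy Python sketch (not the construction of [3]; a minimal illustration over the reals, where the Vandermonde encoder, worker count M, and threshold K are our own assumed choices) encodes the row-blocks of A so that the matrix-vector product Ax can be recovered from any K of the M coded results.

import numpy as np

# Toy (M, K) MDS-coded matrix-vector multiplication (illustrative only).
M, K = 5, 3                      # number of workers and recovery threshold (assumed)
N = 6
A = np.random.randn(N, N)
x = np.random.randn(N)

# Split A row-wise into K blocks and encode them into M coded blocks
# with a Vandermonde generator (any K of its rows are invertible).
blocks = np.split(A, K)                       # each block is (N/K) x N
G = np.vander(np.arange(1, M + 1), K, increasing=True).astype(float)  # M x K
coded = [sum(G[i, k] * blocks[k] for k in range(K)) for i in range(M)]

# Each worker i computes its coded product; suppose only workers in `fast` return.
results = {i: coded[i] @ x for i in range(M)}
fast = [0, 2, 4]                              # any K indices suffice

# Master decodes: invert the K x K sub-generator to recover the K block products.
Y = np.stack([results[i] for i in fast])      # K x (N/K)
decoded = np.linalg.solve(G[fast, :], Y)      # recovers A_k x for k = 1..K
assert np.allclose(np.concatenate(decoded), A @ x)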
Recently, a different approach has been proposed to mitigate the straggler effect in distributed computing by exploiting straggling workers' computation results at the master, rather than ignoring them [13]- [17]. This concept can be realized by assigning many partitioned small sub-tasks to the workers and letting the workers return the computation results of the sub-tasks instantly to leverage the computational capability of the straggling workers. This concept is called the straggler-exploiting coded computation in this study. The authors in [13] have introduced a new task allocation scheme to assign multiple small sub-tasks to the workers for a straggler-exploiting scenario, instead of assigning a single big sub-task to each worker. In addition, the authors in [14] have proposed a new fine-grained task allocation scheme to efficiently utilize the straggling workers' computation ability to speed up the entire task execution. Furthermore, recent papers [15]- [17] have suggested new encoding schemes for matrix multiplication to efficiently utilize the memory of the workers and to lower the communication load in distributed computing.
In a distributed computing framework, it is important to resolve security issues when a master wants to exploit suspicious but useful workers to boost the performance of distributed computing; security-sensitive information in the input data, such as personal information and medical records, should be protected from the workers. In addition, there could exist an eavesdropper who overhears input data on the links between a master and workers. For instance, assume that a master wants to train a large-scale deep neural network on a security-sensitive dataset. It can utilize multiple workers to handle the multiplications between huge matrices in the neural network, but may want to hide information about the input dataset and the parameter updates of the network from the workers and possible eavesdroppers. This study considers two types of security issues in distributed computing for matrix multiplication tasks. The first is to protect information about the input matrices from the workers in an information-theoretic sense, which has also been studied in [18]-[27].
To avoid revealing information about the input matrices through the allocated sub-tasks, random matrices generated at the master are added to the encoded sub-matrices that are transmitted to the workers. The second is to maintain data privacy from the workers in an information-theoretic sense, which has also been considered in [23]-[28]. In this setting, a master wants to perform matrix multiplication between its own matrix and one matrix from a worker library consisting of multiple matrices. To preserve data privacy, the master does not want to reveal to the workers which matrix in the library it multiplies. For this purpose, symmetry between the matrices in the library needs to be guaranteed across the encoded sub-matrices used to allocate the sub-tasks.
In this paper, we utilize a coded computation scheme in straggler-exploiting distributed computing for matrix multiplication tasks while preserving data security and privacy from the workers. We propose a novel encoding scheme for assigning sub-tasks, called securely straggler-exploiting codes (SSEC), which efficiently reduces the communication load from a master to the workers for assigning sub-tasks and also ensures data security and privacy for the sub-matrices allocated to the workers. Specifically, the main contributions of this study are twofold.
• To the best of our knowledge, we propose the first coded computation scheme for a straggler-exploiting scenario that can preserve data privacy from workers. This implies that data privacy can be maintained over the multiple sub-tasks assigned to each worker. To preserve data privacy across multiple sub-tasks, a special polynomial function is introduced that has several sets of evaluation points taking the same value in the encoding functions. With this polynomial function, symmetry between the matrices in the library is guaranteed in the encoding functions, so the index of the desired matrix can be hidden from each worker.
• In the proposed SSEC, the communication load for allocating sub-tasks to workers can be significantly reduced.
The key idea of SSEC is to overlap the encoded sub-matrices used to assign multiple sub-tasks by means of appropriate polynomial functions, as in [16], [17]. For the proposed SSEC, the encoding conditions that the polynomial function in the encoding scheme needs to satisfy are derived. Furthermore, it is proven that with SSEC, data security and privacy are guaranteed in an information-theoretic sense for the sub-matrices sent to the workers. Finally, the performance of SSEC in terms of the recovery threshold and the communication loads for task allocation and computation return between a master and workers is presented. An analysis of the computational complexities of the entire distributed computing process of SSEC, i.e., encoding the sub-matrices for allocating the sub-tasks, computing the sub-tasks at the workers, and decoding the final product at the master from the returned results of the sub-tasks, is also provided.

A. RELATED WORK
In the literature, several coded computation schemes have been proposed for matrix multiplication tasks that consider security issues in distributed computing. Existing studies have focused on preserving data security [18]-[27], and some have assumed a straggler-exploiting scenario, but only for matrix-vector multiplication tasks [21]. It should be noted that schemes that preserve data security from colluding workers without considering a straggler-exploiting scenario can easily be extended to this scenario by allocating to each worker the multiple sub-tasks that were originally designed to be allocated to colluding workers. In addition, several studies have covered data privacy for matrix multiplication tasks [23]-[28]. However, they did not consider a straggler-exploiting scenario or did not protect data privacy from multiple colluding workers, with the exception of [28], which proposed a coded computation scheme that preserves data privacy in a straggler-exploiting scenario. That scheme, however, is based on a grouping-based approach, so the decoding condition must be satisfied for every group of workers, and it therefore shows poor performance in terms of the recovery threshold in the worst-case scenario. In contrast, the proposed SSEC is not affected by the worst case, and the master requires only a fixed number of computation results from the workers.

B. ORGANIZATION
In Section II, we describe the system model considered in this study and formulate the distributed matrix multiplication problem to be addressed. In Sections III and IV, we propose SSEC for private and secure distributed matrix multiplication and provide the corresponding main results. In Section V, we analyze the computational complexity of SSEC. Finally, we conclude this paper in Section VI.

II. SYSTEM MODEL & PROBLEM FORMULATION
We consider a straggler-exploiting distributed computing scenario for the matrix multiplication task, in which a master wants to perform a matrix multiplication C = AB on large-scale input matrices A ∈ F^{N×N} and B ∈ F^{N×N}, i.e., N ≫ 1, for a sufficiently large finite field F, with W workers in parallel. (We do not restrict the relative computational capability between the master and the workers.) Each worker W_i, i ∈ [1 : W], is assigned L sub-tasks {C̃_{i,j}}_{j=1}^{L}, and each sub-task of W_i is computed by multiplying two coded matrices, C̃_{i,j} = Ã_{i,j} B̃_{i,j}, where Ã_{i,j} and B̃_{i,j} are encoded from A and B by the encoding functions at the master, respectively.
To allocate the sub-tasks to the workers, the master encodes the coded matrices of A and B and sends them to each worker. Specifically, the master encodes Ã_{i,j} and B̃_{i,j} for j ∈ [1 : L] for W_i and sends them to W_i. After receiving the coded matrices, W_i computes the allocated sub-tasks C̃_{i,j} = Ã_{i,j} B̃_{i,j} for j ∈ [1 : L] and sends the completed results to the master asynchronously, i.e., the worker sends the computation result of each sub-task whenever that sub-task is completed. In addition, the computation order of the L sub-tasks at each worker is not restricted.
Using decoding functions, the master decodes the final product C after a sufficient number of computation results have been obtained. Specifically, it is assumed that the computation results C̃_{i,j} for j ∈ [1 : L] of the sub-tasks at W_i are rearranged in order of finishing time as C̃_{i,t} for t ∈ [1 : L]. If the master can decode C from the T_i computation results received from each W_i by time T, the master stops receiving computation results and decodes C from {C̃_{i,t}}_{t=1}^{T_i} for all i ∈ [1 : W]. With the above system model, the problem of straggler-exploiting distributed matrix multiplication is formulated using the following terminology. We define encoding functions p_A and p_B that encode the sub-matrices Ã_{i,j} and B̃_{i,j} of the sub-task C̃_{i,j} for all i ∈ [1 : W] and j ∈ [1 : L].
In this study, we focus in particular on linear encoding schemes, in which the encoding functions are linear combinations that use the partitions of the matrices A and B as coefficients. In a linear encoding scheme, the master divides the input matrices A and B into sub-matrices of equal size, A_{q,r} ∈ F^{N/m × N/p} and B_{w,y} ∈ F^{N/p × N/n}, and adds random matrices to maintain the security of the input matrices A and B from the workers. Thus, the encoding functions p_A and p_B can be written as

p_A(x) = Σ_{q,r} A_{q,r} a_{q,r}(x) + Σ_s R_{A_s} c_s(x),   (1)
p_B(x) = Σ_{w,y} B_{w,y} b_{w,y}(x) + Σ_z R_{B_z} d_z(x),   (2)

where R_{A_s} and R_{B_z} are the additional random-matrix terms that will be defined later, x represents the variable of the encoding functions p_A and p_B, and a_{q,r}(x), b_{w,y}(x), c_s(x), and d_z(x) denote polynomial functions of x. Using these encoding functions, Ã_{i,j} ∈ F^{N/m × N/p} and B̃_{i,j} ∈ F^{N/p × N/n} are obtained by evaluating p_A(x) and p_B(x) at the points x = x_{i,j}, i.e., Ã_{i,j} = p_A(x_{i,j}) and B̃_{i,j} = p_B(x_{i,j}). The sub-tasks assigned to W_i are represented as C̃_{i,j} = Ã_{i,j} B̃_{i,j} ∈ F^{N/m × N/n} for j ∈ [1 : L]. These results are values of the objective function p_C(x) = p_A(x) p_B(x). Given that p_C is a polynomial function, as are p_A and p_B, the master aims to decode the final product C = AB by interpolating the objective function p_C(x) from the received results at the evaluation points x = x_{i,j}. We formally define two private and secure distributed computing problems in a straggler-exploiting scenario for matrix multiplication tasks, which are also described in Fig. 1. In the considered scenarios, the master is assumed to be safe from adversaries, and the workers are assumed to be honest but curious, which means that the workers always return correct computation results to the master but may leak information to adversaries. The workers and possible adversaries are assumed to be computationally unbounded; thus, information-theoretic privacy and security constraints are considered.
i) Private and secure matrix multiplication (Scenario A): The master aims to ensure the data security of one of the input matrices and, at the same time, to keep data privacy for the other input matrix from non-colluding workers. In private distributed computing, there is a library B consisting of K different matrices {B^(k)}_{k=1}^{K}, which can be shared with the workers. The master would like to compute AB^(D), where D ∈ [1 : K], while hiding the identity of the desired matrix B^(D) from each worker. The input matrix B^(D) is said to be privately encoded from non-colluding workers if the set of L elements of the sub-tasks allocated to any worker carries zero information about the index D among the matrices, i.e.,

I(D; {Ã_{i,j}}_{j=1}^{L}, {B̃_{i,j}}_{j=1}^{L}) = 0, ∀i ∈ [1 : W].   (3)

Additionally, the input matrix A is securely encoded from non-colluding workers if the set of L elements of the sub-tasks allocated to any worker carries zero information about A, i.e.,

I(A; {Ã_{i,j}}_{j=1}^{L}, {B̃_{i,j}}_{j=1}^{L}) = 0, ∀i ∈ [1 : W].   (4)

ii) Fully secure matrix multiplication (Scenario B): The master aims to ensure the security of both input matrices from colluding workers. We say that the input matrices A and B are securely encoded from E-colluding workers if the set of LE elements of the sub-tasks allocated to any E workers carries zero information about A and B, i.e.,

I(A, B; {Ã_{i,j}, B̃_{i,j}}_{j∈[1:L], i∈E}) = 0, ∀E ⊂ [1 : W], |E| = E.   (5)

The main problem of this study is the design of the encoding functions p_A and p_B for distributed matrix multiplication in these two scenarios. We define the following metrics, widely used in the literature, to evaluate the performance of straggler-exploiting distributed computing for matrix multiplication.
• Recovery threshold R: The minimum number of computation results of the sub-tasks C̃_{i,j} that the master needs to wait for to obtain the final product C in the worst-case scenario; that is, the master can always obtain the final product if the number of received computation results of the sub-tasks is not smaller than the recovery threshold R.
• Task-allocation communication load L t : The number of elements of the coded matrices that the master sends to allocate the sub-tasks per worker. If there exist some replicated matrices among the coded matrices for a single worker, they are not counted again. It should be noted that this metric corresponds to the memory usage of each worker, as it can also represent the required memory size at each worker to store the coded matrices for the allocated sub-tasks from the master.
• Computation-return communication load L_r: The number of elements of the computation results that the workers send to the master so that the master can decode the final product C from the returned computation results.
The notations used in this paper are summarized in Table 1 and are also defined throughout the paper.
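To illustrate the linear (polynomial) encoding framework above, the following toy Python sketch (our own non-secure illustration over the reals, with m = n = 2, p = 1, and arbitrary evaluation points; it is not the SSEC construction) partitions A row-wise and B column-wise, evaluates p_A and p_B at distinct points, and interpolates p_C(x) = p_A(x) p_B(x) at the master to recover all blocks of C = AB.

import numpy as np

# Toy polynomial-coded matrix multiplication (non-secure, for illustration only).
N, m, n = 4, 2, 2
A = np.random.randn(N, N)
B = np.random.randn(N, N)
A_blk = np.split(A, m, axis=0)            # A_1, A_2 : (N/m) x N
B_blk = np.split(B, n, axis=1)            # B_1, B_2 : N x (N/n)

# p_A(x) = A_1 + A_2 x,  p_B(x) = B_1 + B_2 x^m  =>  deg p_C = m*n - 1 = 3
p_A = lambda x: A_blk[0] + A_blk[1] * x
p_B = lambda x: B_blk[0] + B_blk[1] * x**m

xs = np.array([1.0, 2.0, 3.0, 4.0])       # m*n distinct evaluation points
worker_results = [p_A(x) @ p_B(x) for x in xs]   # each worker returns p_C(x)

# Master interpolates the matrix-valued polynomial p_C(x) of degree m*n - 1.
V = np.vander(xs, m * n, increasing=True)        # Vandermonde system
Y = np.stack([r.ravel() for r in worker_results])
coeffs = np.linalg.solve(V, Y).reshape(m * n, N // m, N // n)

# The coefficient of x^{(q-1) + (r-1)m} is the block A_q B_r of C.
C_hat = np.block([[coeffs[q + r * m] for r in range(n)] for q in range(m)])
assert np.allclose(C_hat, A @ B)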

III. SECURELY STRAGGLER-EXPLOITING CODES FOR PRIVATE AND SECURE DISTRIBUTED MATRIX MULTIPLICATION
We dedicate this section to introducing SSEC for private and secure distributed matrix multiplication (Scenario A) in a straggler-exploiting scenario.

A. MOTIVATING EXAMPLE
We provide a motivating example for SSEC, in which m = 2, n = 2, K = 3, D = 1, and the master wants to compute C = AB^(1) while hiding from each worker which of AB^(1), AB^(2), and AB^(3) it computes. The master also wants to ensure the security of the input A from each worker.

Example 1 (Private and Secure Distributed Matrix Multiplication):
The master divides the input matrices A and B^(k) for k ∈ [1 : 3] in half (m = 2, n = 2) to encode sub-tasks of 1/4 the size of the original task as follows.
In this case, the final product can be written as

C = AB^(1) = [ A_1 B_1^(1)  A_1 B_2^(1) ; A_2 B_1^(1)  A_2 B_2^(1) ],

where A is divided row-wise into A_1, A_2 and each B^(k) is divided column-wise into B_1^(k), B_2^(k). Using the divided sub-matrices as coefficients, the encoding functions p_A(x) and p_B(x) of SSEC are constructed, where x denotes the variable of the polynomials p_A and p_B, R_{A_1} and R_{A_2} are random matrices generated at the master, and x*_{1,1}, x*_{1,2}, x*_{2,1}, and x*_{2,2} are constant values that will be explained later.
To ensure that the encoding function p_B(x) has several sets of two points that take the same value of g(x), we use g(x) = x^4. This property could also be achieved with g(x) = x^2; however, g(x) = x^4 is chosen with the decoding condition at the master in mind, which will be explained later. Using the encoding functions p_A(x) and p_B(x), the encoded matrices Ã_{i,j} and B̃_{i,j} for i ∈ [1 : W] and j ∈ [1 : 2] are determined by setting x_{i,1} = −i and x_{i,2} = i, so that g(x_{i,1}) = g(x_{i,2}). Then, the encoded matrices Ã_{i,j} and B̃_{i,j} for i ∈ [1 : W] and j ∈ [1 : 2] can be determined as follows.
We note that each worker cannot obtain information about which matrix in the library the master wants to use, because each worker cannot distinguish the evaluation points assigned to it from the constant values x*_{i,j}. This is because B^(1), B^(2), and B^(3) appear symmetrically in the encoding function p_B(x), and each worker cannot identify that A is encoded with x = i and x = −i for W_i because of the random matrices R_{A_1} and R_{A_2}.
In the other case, if the master wants to compute C = AB^(2), the encoding function p_B(x) is constructed accordingly, and the encoded matrices B̃_{i,j} for i ∈ [1 : W] and j ∈ [1 : 2] can be determined in the same manner.
Because the symmetry between the matrices in the library is guaranteed in the encoded matrices given to each worker, the index of the desired matrix can be hidden from each worker by randomly permuting the evaluation points and the constant values (x*_{1,1}, x*_{1,2}, x*_{2,1}, and x*_{2,2}) between the sets {x_{i,j}}_{j=1}^{2} for i ∈ [1 : W] and {x*_{i,j}}_{j=1}^{2} for i ∈ [1 : 2] for every matrix multiplication task.
Given the assigned sub-matrices, each worker W_i computes the matrix multiplications C̃_{i,j} = Ã_{i,j} B̃_{i,j} = p_C(x_{i,j}) for j ∈ [1 : 2]. Because p_C(x) is an 11th-degree polynomial function, the master should wait for the fastest 12 computation results from the workers to decode the coefficients of p_C(x) by interpolating it from 12 distinct points. The master can then obtain the sub-matrices of the final product C, which correspond to A_q B_r^(1) for q, r ∈ [1 : 2], from the coefficients of p_C(x) (specifically from the coefficients of x^4, x^5, x^8, and x^9). Thus, the recovery threshold is R = 12.
Considering the communication loads, each worker W_i needs to receive four coded sub-matrices Ã_{i,1}, Ã_{i,2}, B̃_{i,1}, and B̃_{i,2}; since B̃_{i,1} = B̃_{i,2}, only a single copy of B̃_{i,1} is actually sent. For computation returns, a total of 12 computation results among C̃_{i,j} ∈ F^{N/2 × N/2} are sent to the master. Therefore, the communication loads in this example are as follows.
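As a quick sanity check of the numbers in Example 1 (our own arithmetic, assuming the evaluation points x_{i,1} = −i, x_{i,2} = i stated above), the following snippet verifies that g(x) = x^4 takes the same value on each worker's pair of points and that the degree count (m + L)(n + 1) − 1 = 11 yields a recovery threshold of 12.

# Sanity check for Example 1 (m = n = L = 2, Scenario A).
m, n, L, W = 2, 2, 2, 6          # W chosen arbitrarily for the check

g = lambda x: x ** 4             # polynomial of degree m + L = 4
for i in range(1, W + 1):
    assert g(-i) == g(i)         # each worker's two points share the same g-value

deg_pC = (m + L) * (n + 1) - 1   # degree of p_C(x)
R = deg_pC + 1                   # number of points needed to interpolate p_C(x)
print(deg_pC, R)                 # -> 11 12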

B. GENERAL CONSTRUCTION OF SSEC FOR PRIVATE AND SECURE DISTRIBUTED MATRIX MULTIPLICATION
To encode sub-tasks of 1/(mn) the size of the original task, the master divides the inputs A and B along the row and column sides into m and n pieces, respectively. The master computes AB^(D); the final product C = AB^(D) can then be represented by the blocks A_q B_r^(D) for q ∈ [1 : m] and r ∈ [1 : n]. For sub-task encoding, we now introduce the polynomial function g(x) that is used in the encoding function p_B(x). The polynomial function g(x) needs to satisfy the following conditions.
Definition 1: The polynomial function g(x) used in the encoding function p_B(x) of SSEC satisfies the following conditions. i) g(x) is an (m + L)-th degree polynomial function. ii) g(x) has at least W + K − 1 sets of L points such that the points within each set take the same value of g(x), for a sufficiently large field F.
Using the divided sub-matrices and the polynomial function g(x), the encoding functions p_A(x) and p_B(x) are constructed, in which random matrices generated at the master maintain the security of the input matrix A and hide the index of the desired matrix B^(D) from each worker. It should be noted that x_{W+d,j} is a constant; thus, the second term in p_B(x) is a constant term. Using these encoding functions, the encoded matrices Ã_{i,j} and B̃_{i,j} for i ∈ [1 : W] and j ∈ [1 : L] are determined by setting x_{i,j}, for each i and ∀j ∈ [1 : L], so that the L points of each worker take the same value of g(x), as follows.
Therefore, B̃_{i,j} is constant over j ∈ [1 : L], so the master does not need to send B̃_{i,j} separately for each j ∈ [1 : L] to W_i. The master can thus reduce the task-allocation communication load L_t when allocating the sub-tasks C̃_{i,j} = Ã_{i,j} B̃_{i,j} for j ∈ [1 : L], which require B̃_{i,j} of the same value for all j ∈ [1 : L] at W_i. In this scheme, the data privacy of B^(D), i.e., the index D of the desired input matrix, can be hidden from each worker, because symmetry between the matrices B^(k), k ∈ [1 : K], including B^(D), in the library is guaranteed in the encoded matrices. To preserve data privacy over multiple rounds of matrix multiplication tasks, the evaluation points should not be fixed. Thus, the master must randomly permute the evaluation points and the constant values between the sets {x_{i,j}}_{j=1}^{L} for i ∈ [1 : W + K] \ {W + D} for every multiplication task. We defer the proof of data privacy in an information-theoretic sense to Lemma 2. Moreover, we will also show in Lemma 1 that the data security of the input matrix A is guaranteed against each worker.
Given the assigned sub-matrices Ã_{i,j} and B̃_{i,j} for j ∈ [1 : L], each worker W_i computes the matrix multiplications C̃_{i,j} = p_C(x_{i,j}) at the evaluation points x = x_{i,1}, . . . , x_{i,L} and sends the completed results to the master asynchronously. Because p_C(x) is a ((m + L)(n + 1) − 1)-th degree polynomial function, it can be interpolated from (m + L)(n + 1) distinct points of p_C(x) [30]. In addition, the master can obtain the coefficients of p_C(x) using any Reed-Solomon decoding algorithm [31]. Hence, the master should wait for the fastest (m + L)(n + 1) computation results from the workers to obtain the coefficients of p_C(x). From these coefficients, the master can decode the final product C; thus, the recovery threshold is given by

R = (m + L)(n + 1).

In this scheme, each worker W_i receives L sub-matrices Ã_{i,j} ∈ F^{N/m × N} for j ∈ [1 : L] and a single sub-matrix among B̃_{i,j} ∈ F^{N × N/n} for j ∈ [1 : L] for sub-task allocation, since, as observed before, B̃_{i,1} = · · · = B̃_{i,L} for all i ∈ [1 : W]. Therefore, the task-allocation communication load L_t is given by

L_t = L N²/m + N²/n.

For computation returns, a total of (m + L)(n + 1) computation results among C̃_{i,j} ∈ F^{N/m × N/n} are sent to the master. Thus, the computation-return communication load L_r is given by

L_r = (m + L)(n + 1) N²/(mn).

It is subsequently shown that the data security of A is guaranteed against each worker for the encoded sub-matrices of SSEC.
Lemma 1: Each worker W_i obtains no information about the input data A from the sub-matrices {Ã_{i,j}}_{j=1}^{L} and {B̃_{i,j}}_{j=1}^{L}, i.e., the data security constraint in (4) is satisfied.
Proof: Without loss of generality, we prove Lemma 1 for W_i; the argument extends to any worker. First, to simplify the notation in the proof, we define in (16) the shorthand Ã_{i,[1:L]} = {Ã_{i,j}}_{j=1}^{L} and B̃_{i,[1:L]} = {B̃_{i,j}}_{j=1}^{L}. Starting from the security constraint in (4), the mutual information I(A; Ã_{i,[1:L]}, B̃_{i,[1:L]}) is expanded, where (19) follows because B̃_{i,[1:L]} is independent of A, and (21) and (22) follow because conditioning reduces entropy; together with (23) and (26), this shows that the mutual information is zero, which completes the proof. We now provide an important lemma showing that data privacy is guaranteed against each worker for the encoded sub-matrices of SSEC.

Lemma 2:
Each worker W_i obtains no information about the index of the desired input matrix B^(D) from the sub-matrices {Ã_{i,j}}_{j=1}^{L} and {B̃_{i,j}}_{j=1}^{L}, i.e., the data privacy constraint in (3) is satisfied.
Proof: Without loss of generality, we prove Lemma 2 for W_i; the argument extends to any worker. We use the simplified notation defined in (16). In (32), it is shown that the symmetry between the matrices in the library is guaranteed in the encoded sub-matrices, which implies that the probability of each realization of B̃_{i,[1:L]} does not depend on the index D of the desired matrix. Furthermore, we show that Ã_{i,[1:L]} contains no information about x_{i,[1:L]}, which implies that the symmetry between the matrices B^(k) in the library cannot be broken from the worker's observations; hence, the data privacy constraint in (3) is satisfied. This completes the proof.

C. MAIN RESULTS FOR PRIVATE AND SECURE DISTRIBUTED MATRIX MULTIPLICATION
From Section III-B, we provide the main results on the recovery threshold, task-allocation communication load, and computation-return communication load of SSEC for private and secure distributed matrix multiplications.
Theorem 1: For a private and secure matrix multiplication task in straggler-exploiting distributed computing (Scenario A) as specified in Section II, SSEC achieves the following recovery threshold and communication loads:

R = (m + L)(n + 1),  L_t = L N²/m + N²/n,  L_r = (m + L)(n + 1) N²/(mn).

Proof: See Section III-B.
Remark 1 (Scalability): It is worth mentioning that the recovery threshold of SSEC does not scale with the number of workers W. This means that SSEC ensures a fixed number of required computation returns at the master for given m, n, and L, regardless of the number of workers W that the master exploits for distributed computation. Thus, a master can efficiently deal with straggler effects by utilizing numerous workers in a distributed computing system. On the other hand, as the number of workers increases, the computational complexity of encoding and decoding at the master and the communication load also increase; thus, the size of a distributed computing system should be chosen carefully by considering this trade-off between straggler effects, computational complexity, and communication load.

Remark 2 (Reduction in Task-Allocation Communication Load):
According to the linear encoding functions in (1), the task-allocation communication load would be expected to be O(2N²L/μ), where μ is determined by the matrix partitioning parameters m, n, and p; this scales with the number of sub-tasks L at each worker and with the size of the input matrices A and B. However, the task-allocation communication load of SSEC is O((N²L + N²)/μ). This is due to the reduction in the task-allocation communication load of SSEC described in Section III-B. From this result, we can claim that the gain of SSEC in the task-allocation communication load increases as more sub-tasks are assigned to each worker, i.e., as the sub-tasks are divided more finely in order to fully exploit the stragglers' computation results.
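The following short sketch (our own illustration, using the task-allocation load L_t = L N²/m + N²/n derived in Section III-B, and a hypothetical non-overlapped baseline that sends a separate B-side sub-matrix for every sub-task) shows how the gap described in Remark 2 grows with the number of sub-tasks L per worker.

# Task-allocation communication load per worker: SSEC vs. a non-overlapped baseline.
def L_t_ssec(N, m, n, L):
    return L * N**2 // m + N**2 // n          # L A-side blocks, one B-side block

def L_t_baseline(N, m, n, L):
    return L * N**2 // m + L * N**2 // n      # hypothetical: one B-side block per sub-task

N, m, n = 1000, 10, 10
for L in (1, 2, 4, 8, 16):
    print(L, L_t_ssec(N, m, n, L), L_t_baseline(N, m, n, L))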

Remark 3 (Assumptions on Private Matrix Multiplication):
In this paper, we assume that the master sends the encoded matrices Ã_{i,j} and B̃_{i,j} for j ∈ [1 : L] to each worker W_i. However, because in Scenario A the workers can share the library B consisting of the matrices {B^(k)}_{k=1}^{K}, the master can instead send only queries for B̃_{i,j}, which contain a polynomial function and evaluation points for encoding the sub-tasks, as in previous works on private matrix multiplication [23]-[28]. Under this assumption, each worker W_i can encode the sub-matrices B̃_{i,j} for j ∈ [1 : L] from the queries without being aware of the identity of the desired matrix. This approach imposes an additional computational burden on the workers, who must encode the sub-tasks in addition to performing the assigned matrix multiplications. Moreover, because the master then does not send the encoded matrices for B to the workers, the advantage of SSEC in reducing the task-allocation communication load is no longer realized.

IV. SECURELY STRAGGLER-EXPLOITING CODES FOR FULLY SECURE DISTRIBUTED MATRIX MULTIPLICATION
We dedicate this section to proposing SSEC for fully secure distributed matrix multiplication (Scenario B) in a straggler-exploiting scenario.

A. MOTIVATING EXAMPLE
We provide a motivating example for the proposed scheme. We consider the case of m = 2, n = 2, L = 2, E = 1. Given that mn equals 4, the original task C = AB is divided into sub-tasks of 1/4 the size of the original task.

Example 2 (Fully Secure Distributed Matrix Multiplication):
A master divides the two input matrices A and B in half to encode sub-tasks of 1/4 the size of the original task as follows.
In this case, the final product can be written as

C = AB = [ A_1 B_1  A_1 B_2 ; A_2 B_1  A_2 B_2 ],

where A is divided row-wise into A_1, A_2 and B is divided column-wise into B_1, B_2. Using the divided sub-matrices as coefficients, the encoding functions p_A(x) and p_B(x) of SSEC are constructed, where x denotes the variable of the polynomials p_A and p_B, and R_{A_1}, R_{A_2}, and R_{B_1} are random matrices generated at the master to hide the information about the input matrices A and B from each worker.
To ensure that the encoding function p_B(x) has W sets of two points that take the same value of g(x), we use g(x) = x^4. Using the encoding functions p_A(x) and p_B(x), the encoded matrices Ã_{i,j} and B̃_{i,j} for i ∈ [1 : W] and j ∈ [1 : 2] are determined by setting x_{i,1} = −i and x_{i,2} = i for i ∈ [1 : W], i.e., 2W evaluation points in total. It should be noted that each worker cannot obtain information about the input matrices A and B from the allocated sub-matrices, because the random matrices R_{A_1}, R_{A_2}, and R_{B_1} are added to the encoded sub-matrices.
Given the assigned sub-matrices, each worker W_i computes the matrix multiplications C̃_{i,j} = p_C(x_{i,j}) at the evaluation points x = i and x = −i. The decoding process is similar to that of Example 1. Because p_C(x) is an 11th-degree polynomial function, the master should wait for the fastest 12 computation results from the workers to decode the coefficients of p_C(x) by interpolating it from 12 distinct points. The master can then obtain the sub-matrices of the final product C, which correspond to A_q B_r for q, r ∈ [1 : 2], from the coefficients of p_C(x).
Considering the communication loads, each worker W_i should receive two sub-matrices Ã_{i,j} ∈ F^{N/2 × N} for j ∈ [1 : 2] and a single sub-matrix among B̃_{i,j} ∈ F^{N × N/2} for j ∈ [1 : 2], because B̃_{i,1} = B̃_{i,2} for all i ∈ [1 : W]. For computation returns, a total of 12 computation results among C̃_{i,j} ∈ F^{N/2 × N/2} should be sent to the master to decode the final product. Therefore, the communication loads in this example are as follows.
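To build intuition for why the added random matrices hide A and B in Example 2, the following toy Python sketch (our own scalar illustration over a small prime field; it is not the SSEC encoder itself, and the field size, data values, and evaluation point are arbitrary) shows empirically that a single masked evaluation A_1 + A_2 x_0 + R x_0² is uniformly distributed over the field when R is uniform, regardless of the data values.

import random
from collections import Counter

# Toy illustration: one uniformly random mask term makes a single evaluation
# of the encoding polynomial look uniform, independently of the data.
p = 17                     # small prime field size (assumed for illustration)
x0 = 3                     # a single worker's evaluation point
A1, A2 = 5, 11             # "data" coefficients (scalars standing in for blocks)

counts = Counter()
trials = 170000
for _ in range(trials):
    R = random.randrange(p)                    # fresh uniform mask per encoding
    masked = (A1 + A2 * x0 + R * pow(x0, 2, p)) % p
    counts[masked] += 1

# Each field element should appear roughly trials/p times.
print(sorted(counts.values())[:3], trials // p)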

B. GENERAL CONSTRUCTION OF SSEC FOR FULLY SECURE DISTRIBUTED MATRIX MULTIPLICATION
To encode sub-tasks of 1/(mn) the size of the original task, the master divides the input A row-wise into m pieces and B column-wise into n pieces. The final product C = AB can then be represented by the blocks A_q B_r for q ∈ [1 : m] and r ∈ [1 : n]. For sub-task encoding, we introduce the polynomial function g(x) that is used in the encoding function p_B(x). The polynomial function g(x) should satisfy the following conditions.
Definition 2: The polynomial function g(x) used in the encoding function p_B(x) of SSEC satisfies the following conditions. i) g(x) is an (m + LE)-th degree polynomial function. ii) g(x) has at least W sets of L points x_{1,1}, x_{1,2}, . . . , x_{W,L} that satisfy g(x_{i,1}) = g(x_{i,2}) = · · · = g(x_{i,L}) for i ∈ [1 : W], for a sufficiently large field F.
Using the divided sub-matrices and the polynomial function g(x), the encoding functions p_A(x) and p_B(x) are constructed. Using these encoding functions, the encoded matrices Ã_{i,j} and B̃_{i,j} for i ∈ [1 : W] and j ∈ [1 : L] are determined by setting x_{i,j} to satisfy g(x_{i,j}) = w_i for j ∈ [1 : L]. The master can reduce the task-allocation communication load L_t when allocating the sub-tasks C̃_{i,j} = Ã_{i,j} B̃_{i,j} for j ∈ [1 : L], because the required B̃_{i,j} for j ∈ [1 : L] are all equal for W_i. It should be noted that the data security of the input matrices A and B is guaranteed against any E colluding workers because of the added random matrices R_{A_j} for j ∈ [1 : LE] and R_{B_l} for l ∈ [1 : E]. The detailed proof is provided in Lemma 3.
Given the assigned sub-matrices Ã_{i,j} and B̃_{i,j} for j ∈ [1 : L], each worker W_i computes the matrix multiplications C̃_{i,j} = p_C(x_{i,j}) for j ∈ [1 : L]. Because p_C(x) is a ((m + LE)(n + E) − 1)-th degree polynomial function, the master can decode the final product C from (m + LE)(n + E) distinct evaluations, and the recovery threshold is given by

R = (m + LE)(n + E).

In this scheme, each worker W_i receives L sub-matrices Ã_{i,j} ∈ F^{N/m × N} for j ∈ [1 : L] and a single sub-matrix among B̃_{i,j} ∈ F^{N × N/n} for j ∈ [1 : L] for sub-task allocation, because B̃_{i,1} = · · · = B̃_{i,L} for all i ∈ [1 : W]. Therefore, the task-allocation communication load L_t is given by

L_t = L N²/m + N²/n.

For computation returns, a total of (m + LE)(n + E) computation results among C̃_{i,j} ∈ F^{N/m × N/n}, i ∈ [1 : W], j ∈ [1 : L], are sent to the master. Thus, the computation-return communication load L_r is given by

L_r = (m + LE)(n + E) N²/(mn).

We now show that the data security of the input matrices A and B is ensured against any E colluding workers for the encoded sub-matrices of SSEC.
Lemma 3: Any E colluding workers W_E, E ⊂ [1 : W], |E| = E, obtain no information about the input data A and B from the sub-matrices {{Ã_{i,j}}_{j=1}^{L}}_{i∈E} and {{B̃_{i,j}}_{j=1}^{L}}_{i∈E}, i.e., the data security constraint in (5) is satisfied.
Proof: Without loss of generality, we prove Lemma 3 for a set W_E, E ⊂ [1 : W], |E| = E; the argument generalizes to any E workers. We use the simplified notations defined in (16) together with additional notation for the colluding set. Expanding the mutual information in the security constraint in (5) and applying the steps in (53)-(62), the mutual information between (A, B) and the sub-matrices observed by the E colluding workers is shown to be zero. Thus, the security constraint in (5) is satisfied. This completes the proof.

C. MAIN RESULTS FOR FULLY SECURE DISTRIBUTED MATRIX MULTIPLICATION
From Section IV-B, we derive the main results on the recovery threshold, task-allocation communication load, and computation-return communication load of SSEC for fully secure distributed matrix multiplication.
Theorem 2: For a fully secure matrix multiplication task in straggler-exploiting distributed computing (Scenario B) as specified in Section II, SSEC achieves the following recovery threshold and communication loads:

R = (m + LE)(n + E),  L_t = L N²/m + N²/n,  L_r = (m + LE)(n + E) N²/(mn).
Proof: See Section IV-B. Remark 4: Note that Remark 1 and Remark 2 can also be applied to fully secure distributed matrix multiplication (Scenario B) for SSEC.
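Using the expressions in Theorem 2, a short sketch (our own illustration; the parameter values below are arbitrary) can tabulate how the Scenario-B recovery threshold and communication loads behave as the number of sub-tasks L and the collusion parameter E vary.

# Recovery threshold and communication loads of SSEC for Scenario B (Theorem 2).
def ssec_scenario_b(N, m, n, L, E):
    R = (m + L * E) * (n + E)
    L_t = L * N**2 // m + N**2 // n
    L_r = R * N**2 // (m * n)
    return R, L_t, L_r

print(ssec_scenario_b(N=1000, m=2, n=2, L=2, E=1))   # Example 2: R = 12
for L in (1, 2, 4, 8):
    print(L, ssec_scenario_b(N=1000, m=10, n=10, L=L, E=1))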

Remark 5 (Comparison):
We compare the recovery threshold and the communication loads of SSEC with those of existing schemes, namely gap additive secure polynomial codes (GASP) [22] and secure generalized PolyDot codes (SGPD) [26], for fully secure distributed matrix multiplication. Although GASP and SGPD were not proposed for a straggler-exploiting scenario, we adapt them to this scenario by taking a code designed to preserve data security from LE colluding workers and allocating L sub-tasks to each worker, so that any E colluding workers observe at most LE sub-tasks. Fig. 2 presents the recovery threshold and the communication loads of the proposed SSEC, GASP, and SGPD versus the number of sub-tasks L per worker for N = 1000, m = n = 10 (or m = n = 1 for SGPD with p = 10), and E = 1 with a sufficient number of workers. Fig. 2(a) shows the recovery threshold of the three schemes. SSEC has a lower recovery threshold than SGPD with p = 1, in which the input matrices are divided in the same way as in SSEC. This comes from the fact that in SSEC the number of sub-matrices allocated for the sub-tasks at each worker is reduced, so the additional overhead on the recovery threshold for preserving data security from the workers is lowered. However, SSEC has a greater recovery threshold than GASP. In GASP, the recovery threshold is reduced by a special choice of polynomial function that minimizes the number of nonzero coefficients, whereas SSEC is designed to reduce the communication load at the cost of a higher recovery threshold. Fig. 2(b) shows the task-allocation communication load of the three schemes. Compared to the other schemes, SSEC has a lower task-allocation communication load, and this gap widens as the number of sub-tasks L per worker increases, as explained in Remark 2. This implies that SSEC can alleviate the communication overhead of allocating the sub-tasks to the workers in a distributed computing system. Fig. 2(c) shows the computation-return communication load of the three schemes. When we set m = n = 1 in SGPD to obtain the minimum recovery threshold, the communication load for returning each computation result becomes N², whereas the other schemes (including SGPD with p = 1) have a communication load of N²/(mn) per returned result. Thus, SGPD with m = n = 1 has a greater computation-return communication load than the other schemes although it has a lower recovery threshold. The other schemes, i.e., SSEC, GASP, and SGPD with p = 1, have the same communication load per returned result, so their computation-return communication loads differ only through the recovery threshold, which corresponds to the number of computation results required at the master.
In summary, SSEC outperforms the other coding schemes in reducing the task-allocation communication load. Let us simply express the total execution time for distributed matrix multiplication as

T = c_A T_A + c_P T_P + c_R T_R,

where T_A, T_P, and T_R denote the times required for task allocation from the master to the workers, computation at the workers, and returning the computation results from the workers to the master, respectively, for some constants c_A > 0, c_P > 0, and c_R > 0. If c_A ≫ c_P, i.e., the communication for task allocation dominates in distributed computing, SSEC can achieve a shorter total execution time than GASP and SGPD. On the other hand, if c_P ≫ c_A, i.e., the workers require considerable computing time, GASP and SGPD with m = n = 1 may perform better than SSEC. In addition, if c_R ≫ c_A, c_P, i.e., the communication for returning computation results dominates, SGPD with m = n = 1 may perform worse than the others although it achieves the minimum recovery threshold.
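The regimes discussed above can be explored with a short sketch (our own illustration; the cost constants and the per-phase time proxies, taken proportional to the task-allocation load, the per-worker computation, and the computation-return load, are assumptions for the purpose of the example rather than the paper's exact model).

# Toy exploration of the total-time model T = c_A*T_A + c_P*T_P + c_R*T_R.
def total_time(c_A, c_P, c_R, T_A, T_P, T_R):
    return c_A * T_A + c_P * T_P + c_R * T_R

# Hypothetical per-phase time proxies for one scheme (values are placeholders).
N, m, n, L, E = 1000, 10, 10, 4, 1
T_A = L * N**2 / m + N**2 / n                 # proportional to task-allocation load
T_P = L * N**3 / (m * n)                      # proportional to per-worker computation
T_R = (m + L * E) * (n + E) * N**2 / (m * n)  # proportional to computation-return load

for c_A, c_P, c_R in [(10, 1, 1), (1, 10, 1), (1, 1, 10)]:   # which phase dominates
    print((c_A, c_P, c_R), total_time(c_A, c_P, c_R, T_A, T_P, T_R))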

V. COMPLEXITY ANALYSIS
We dedicate this section to evaluating the computational complexities of the encoding and decoding procedures of the proposed SSEC, as well as the computational cost at the workers.

A. COMPLEXITY ANALYSIS FOR PRIVATE AND SECURE DISTRIBUTED MATRIX MULTIPLICATION

1) ENCODING COMPLEXITY
We assume that the sizes of the input matrices A and B are very large, so that N is much greater than L, W, and K, i.e., N ≫ L, W, K. Under this assumption, the encoding complexity of SSEC is much less than the computational complexity of the whole task C = AB, which corresponds to O(N³).

2) COMPUTATIONAL COST AT WORKERS
Each worker multiplies two matrices Ã_{i,j} and B̃_{i,j} of dimensions F^{N/m × N} and F^{N × N/n}, respectively. This requires (N/m)·N·(N/n) = N³/(mn) multiplication operations, so the computational cost of a sub-task at a worker is O(N³/(mn)). Let us calculate the computation time at the workers when the computation time of a sub-task at each worker follows a shifted exponential distribution [11]. We assume that the computation time T_C for the whole task C = AB follows the distribution

Pr[T_C ≤ t] = 1 − e^{−μ(t − α)},  t ≥ α,

where μ is the straggling parameter and α is the shift parameter. The computation time T_s for a single sub-task follows the correspondingly scaled distribution, where the scaling factor L reflects that the computational cost of a sub-task is a 1/L fraction of the computational cost of the whole task.
Therefore, the computation time distribution of a sub-task at each worker with SSEC follows from this scaling. From this distribution, we can derive the expected computation time E[T_s] of a single sub-task at each worker and, finally, the expected computation time E[T_{k−s}] of k sub-tasks at each worker.
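As an illustration of this model, the following sketch (our own simulation; it assumes the common scaling in which both the shift and the exponential rate scale with the 1/L sub-task size, which may differ from the paper's exact expressions) estimates the expected time of a single sub-task and of k sequential sub-tasks under a shifted exponential model.

import numpy as np

# Monte Carlo estimate of sub-task computation times under a shifted
# exponential model (assumed scaling: shift alpha/L, rate mu*L).
rng = np.random.default_rng(0)
mu, alpha, L, k = 2.0, 1.0, 4, 3          # placeholder parameters
n_samples = 200_000

T_s = alpha / L + rng.exponential(1.0 / (mu * L), size=n_samples)
T_ks = alpha / L * k + rng.exponential(1.0 / (mu * L), size=(n_samples, k)).sum(axis=1)

print(T_s.mean(), (alpha + 1.0 / mu) / L)        # empirical vs. closed form for E[T_s]
print(T_ks.mean(), k * (alpha + 1.0 / mu) / L)   # k sequential sub-tasks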

3) DECODING COMPLEXITY
To decode the final product C = AB^(D), the master solves a polynomial interpolation problem for a ((m + L)(n + 1) − 1)-th degree polynomial for each of the N²/(mn) matrix elements. Because polynomial interpolation has a complexity of O(k log² k) for a k-th degree polynomial [32], the decoding complexity for polynomial interpolation is

O( (N²/(mn)) (m + L)(n + 1) log²((m + L)(n + 1)) ).

In addition, the master needs to solve linear equations in (m + L)n unknowns N²/(mn) times, once for each matrix element. Solving such a linear system using Gaussian elimination has a computational complexity of O((m + L)³ n³). In conclusion, the decoding complexity of the master is

O( (N²/(mn)) ((m + L)(n + 1) log²((m + L)(n + 1)) + (m + L)³ n³) ).

B. COMPLEXITY ANALYSIS FOR FULLY SECURE DISTRIBUTED MATRIX MULTIPLICATION

1) ENCODING COMPLEXITY
To encode the sub-matrices Ã_{i,j} for j ∈ [1 : L] for each worker W_i, the master adds m + LE matrices of size F^{N/m × N}. In addition, to encode a single sub-matrix among B̃_{i,1}, . . . , B̃_{i,L}, the master adds n + E matrices of size F^{N × N/n}. The computational complexity of encoding the sub-matrices for all W workers follows from these counts. With SSEC, the encoding complexity and the task-allocation communication load are reduced by overlapping the L sub-matrices B̃_{i,j}, j ∈ [1 : L], into a single matrix of the same size; without this overlapping, a separately encoded B-side sub-matrix would be required for every sub-task. Compared to that, SSEC requires about half of the encoding complexity under the assumptions of m = n and L ≫ 1.

2) COMPUTATIONAL COST AT WORKERS
Each worker multiplies two matrices Ã_{i,j} and B̃_{i,j} of dimensions F^{N/m × N} and F^{N × N/n}, which requires N³/(mn) operations. Thus, the computational cost of a sub-task at a worker is O(N³/(mn)). The computation time for the sub-tasks at each worker can be derived in the same way as in Section V-A.

3) DECODING COMPLEXITY
To decode the final product C = AB, the master solves a polynomial interpolation problem for a ((m + LE)(n + E) − 1)-th degree polynomial for each of the N²/(mn) matrix elements. Thus, the decoding complexity for polynomial interpolation is

O( (N²/(mn)) (m + LE)(n + E) log²((m + LE)(n + E)) ).

In addition, the master should solve linear equations in (m + LE)(n + E) unknowns N²/(mn) times, once for each matrix element, which has a computational complexity of O((N²/(mn)) (m + LE)³ (n + E)³). In conclusion, the decoding complexity of the master is

O( (N²/(mn)) ((m + LE)(n + E) log²((m + LE)(n + E)) + (m + LE)³ (n + E)³) ).

It can be seen that the decoding complexity at the master is closely related to the recovery threshold; thus, the comparison between SSEC and the existing schemes follows a tendency similar to that of the recovery threshold comparison in Remark 5.

VI. CONCLUSION
In this paper, we explored a secure coded computation scheme for matrix multiplication tasks in straggler-exploiting distributed computing. We proposed a new coded computation scheme, namely SSEC, which preserves data security and privacy from the workers and also efficiently reduces the task-allocation communication load. It was shown that with SSEC, data security and privacy are ensured for the encoded sub-matrices sent to the workers to allocate the sub-tasks. Finally, we discussed the performance of SSEC in terms of the recovery threshold and the communication loads between a master and workers. Future work could modify SSEC to assign computation tasks with a common encoded matrix, in order to exploit the advantage of broadcasting the encoded matrices to multiple workers, and to preserve data privacy and data security from multiple colluding workers.