
Secure and efficient general matrix multiplication on cloud using homomorphic encryption

The Journal of Supercomputing

Abstract

Despite the enormous technical and financial advantages of cloud computing, security and privacy have always been the primary concerns for adopting cloud computing facilities, especially for government agencies and commercial sectors with high-security requirements. Homomorphic encryption (HE) has recently emerged as an effective tool in ensuring privacy and security for sensitive applications by allowing computing on encrypted data. One major obstacle to employing HE-based computation, however, is its excessive computational cost, which can be orders of magnitude higher than its counterpart based on the plaintext. In this paper, we study the problem of how to reduce the HE-based computational cost for general matrix multiplication, i.e., a fundamental building block for numerous practical applications, by taking advantage of the single instruction multiple data operations supported by HE schemes. Specifically, we develop a novel element-wise algorithm for general matrix multiplication, based on which we propose two HE-based general matrix multiplication algorithms to reduce the HE computation cost. Our experimental results show that our algorithms significantly outperform the state-of-the-art approaches of HE-based matrix multiplication.


Data availability

No datasets were generated or analyzed during the current study.

Acknowledgements

This work was supported in part by the Air Force Office of Scientific Research (AFOSR) and the Air Force Research Laboratory/Information Directorate (AFRL/RI), Rome, NY under the 2021 Summer Faculty Fellowship Program, and Information Directorate Internship Program, respectively. The views and conclusions contained herein are those of the authors and should not be interpreted as necessarily representing the official policies or endorsements, either expressed or implied, of the Air Force Research Laboratory or the US Government. Approved for Public Release on March 06, 2024. Distribution is Unlimited. Case Number: 2024-0184 (original case number(s): AFRL-2024-0944).

Funding

This research was supported by funding from the Air Force Office of Scientific Research (AFOSR) and the Air Force Research Laboratory/Information Directorate (AFRL/RI), Rome, NY, under the 2021 Summer Faculty Fellowship Program, Grant Number 2024-0184 (original case number: AFRL-2024-0944). The funding body had no role in the design of the study, the collection, analysis, or interpretation of data. Additional support was provided by NSF grant 1952792, 2321572 and CNS-2348733.

Author information

Contributions

YG and GQ wrote the main manuscript and YG prepared all figures and tables. LW reviewed and rewrote multiple parts of the manuscript. All authors reviewed the manuscript.

Corresponding author

Correspondence to Liqiang Wang.

Ethics declarations

Conflict of interest

No, I declare that the authors have no conflict of interest as defined by Springer, or other interests that might be perceived to influence the results and/or discussion reported in this paper.

Ethical statements

It is not applicable. This study did not involve human participants, personal data, or any procedures requiring ethical approval.

Additional information

Publisher's Note

Springer Nature remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.

Y. Gang and L. Wang were supported in part by NSF grant 1952792 and 2321572. W. Wen was supported in part by NSF grant CNS-2348733.

Soamar Homsi: Approved for Public Release on March 06, 2024. Distribution is unlimited. Case Number: 2024-0184 (original case number(s): AFRL-2024-0944).

Appendices

Appendix 1: The proof for Theorem 3.1 to Theorem 3.4

Theorem 3.1

Let \(\sigma ({\mathcal {A}}) = {\textbf {U}}^\sigma {\mathcal {A}}\) for \({\mathcal {A}}\) with a dimension of \(m\times l\). There are at most \(2\cdot \min (m,l)-1\) nonzero diagonals in \({\textbf {U}}^\sigma\), regardless of whether the matrix is flattened in column-major or row-major order.

Proof

When applying \(\sigma\) transformation on matrix \({\mathcal {A}}_{m\times l}\) in column-major order, \({\textbf {U}}^\sigma\) is formulated in Eq. (12). Note that \({\textbf {U}}^\sigma _{i+j\cdot m,h} = 1\) when \(h= i+ [i+j]_l\cdot m\) and, for all elements of \({\textbf {U}}^\sigma _{i+j\cdot m,h}\) that belong to the same diagonal, we have \(h-(i+j\cdot m)\) as a constant.

Considering all the nonzero elements in \({\textbf {U}}^\sigma _{i+j\cdot m,h}\), we have

$$\begin{aligned} h-(i+j\cdot m)= \,& {} i+ [i+j]_l\cdot m - (i+j\cdot m) \\= \,& {} i+(i+j-\left\lfloor \frac{i+j}{l} \right\rfloor \cdot l) \cdot m - (i+j\cdot m) \\= \,& {} (i-\left\lfloor \frac{i+j}{l} \right\rfloor \cdot l)\cdot m. \end{aligned}$$

Since \(\left\lfloor \frac{i}{l} \right\rfloor + \left\lfloor \frac{j}{l} \right\rfloor \le \left\lfloor \frac{i+j}{l} \right\rfloor \le \left\lfloor \frac{i}{l} \right\rfloor + \left\lfloor \frac{j}{l} \right\rfloor +1\) and \(0\le j < l\), we have \(\left\lfloor \frac{i}{l} \right\rfloor \le \left\lfloor \frac{i+j}{l} \right\rfloor \le \left\lfloor \frac{i}{l} \right\rfloor +1\).

Now consider two different scenarios: 1) \(m<l\); 2) \(m \ge l\). When \(m<l\), for each \(i=\{1,2,\ldots ,m-1\}\), \(h-(i+j\cdot m)\) can at most take two constant values since \(\left\lfloor \frac{i}{l} \right\rfloor =0\) and \(0 \le \left\lfloor \frac{i+j}{l} \right\rfloor \le 1\). When \(i=0\), \(h-(i+j\cdot m)\) can only be zero since \(\left\lfloor \frac{i+j}{l} \right\rfloor =0\). Therefore, \({\textbf {U}}^\sigma _{i+j\cdot m,h}\) has at most \(2m-1\) nonzero diagonals under this case.

When \(m \ge l\), we have

$$\begin{aligned} h-(i+j\cdot m)= \,& {} \left( i-\left\lfloor \frac{i+j}{l} \right\rfloor \cdot l\right) \cdot m \\= \,& {} \left( \left\lfloor \frac{i}{l} \right\rfloor \cdot l + p -\left\lfloor \frac{i+j}{l} \right\rfloor \cdot l\right) \cdot m, \end{aligned}$$

with \(0 \le p < l\). Since \(-1 \le \left( \left\lfloor \frac{i}{l} \right\rfloor - \left\lfloor \frac{i+j}{l} \right\rfloor \right) \le 0\), \({\textbf {U}}^\sigma _{i+j\cdot m,h}\) has at most \(2l-1\) nonzero diagonals under this case.

Therefore, in summary, there are at most \(2\cdot \min (m,l)-1\) nonzero diagonals in \({\textbf {U}}^\sigma\) when the matrix is flattened in column-major order. A similar proof can be obtained when the matrix is flattened in row-major order. \(\square\)

Theorem 3.2

Let \(\tau ({\mathcal {B}}) = {\textbf {U}}^\tau {\mathcal {B}}\) for \({\mathcal {B}}\) with a dimension of \(l\times n\). There are at most \(2\cdot \min (n,l)-1\) nonzero diagonals in \({\textbf {U}}^\tau\), regardless of whether the matrix is flattened in column-major or row-major order.

Proof

When applying \(\tau\) transformation on matrix \({\mathcal {B}}_{l\times n}\) in column-major order, \({\textbf {U}}^\tau\) is formulated in Eq. (13). Note that \({\textbf {U}}^\tau _{i+j\cdot l,h} = 1\) when \(h= [i+j]_l + j\cdot l\) and, for all elements of \({\textbf {U}}^\tau _{i+j\cdot l,h}\) that belong to the same diagonal, we have \(h-(i+j\cdot l)\) as a constant.

Considering all the nonzero elements in \({\textbf {U}}^\tau _{i+j\cdot l,h}\), we have

$$\begin{aligned} h-(i+j\cdot l)= \,& {} [i+j]_l + j\cdot l - (i+j\cdot l) \\= \,& {} i+j-\left\lfloor \frac{i+j}{l} \right\rfloor \cdot l+j\cdot l - (i+j\cdot l) \\= \,& {} j-\left\lfloor \frac{i+j}{l} \right\rfloor \cdot l. \end{aligned}$$

Since \(\left\lfloor \frac{i}{l} \right\rfloor + \left\lfloor \frac{j}{l} \right\rfloor \le \left\lfloor \frac{i+j}{l} \right\rfloor \le \left\lfloor \frac{i}{l} \right\rfloor + \left\lfloor \frac{j}{l} \right\rfloor +1\) and \(0\le i < l\), we have \(\left\lfloor \frac{j}{l} \right\rfloor \le \left\lfloor \frac{i+j}{l} \right\rfloor \le \left\lfloor \frac{j}{l} \right\rfloor +1\).

Now consider two different scenarios: 1) \(n<l\); 2) \(n \ge l\). When \(n<l\), for each \(j=\{1,2,\ldots ,n-1\}\), \(h-(i+j\cdot l)\) can at most take two constant values since \(\left\lfloor \frac{j}{l} \right\rfloor =0\) and \(0 \le \left\lfloor \frac{i+j}{l} \right\rfloor \le 1\). When \(j=0\), \(h-(i+j\cdot l)\) can only be zero since \(\left\lfloor \frac{i+j}{l} \right\rfloor =0\). Therefore, \({\textbf {U}}^\tau _{i+j\cdot l,h}\) has at most \(2n-1\) nonzero diagonals under this case.

When \(n \ge l\), we have

$$\begin{aligned} h-(i+j\cdot l)= \,& {} j-\left\lfloor \frac{i+j}{l} \right\rfloor \cdot l \\= \,& {} \left\lfloor \frac{j}{l} \right\rfloor \cdot l + p -\left\lfloor \frac{i+j}{l} \right\rfloor \cdot l, \end{aligned}$$

with \(0 \le p < l\). Since \(-1 \le (\left\lfloor \frac{j}{l} \right\rfloor - \left\lfloor \frac{i+j}{l} \right\rfloor ) \le 0\), \({\textbf {U}}^\tau _{i+j\cdot l,h}\) has at most \(2l-1\) nonzero diagonals under this case.

Therefore, in summary, there are at most \(2\cdot \min (n,l)-1\) nonzero diagonals in \({\textbf {U}}^\tau\) when the matrix is flattened in column-major order. A similar proof can be obtained when the matrix is flattened in row-major order. \(\square\)
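The bounds of Theorems 3.1 and 3.2 can be checked numerically from the index formulas quoted in the two proofs. The following is an added example, not code from the paper: it works on plaintext indices only (no encryption), and all function names are hypothetical.

```python
# Added example (not from the paper): enumerate the 1-entries of U^sigma and
# U^tau for column-major flattening and count their distinct diagonals.

def sigma_positions(m, l):
    """(row, col) of every 1 in U^sigma for an m x l matrix.
    Row i + j*m is output slot (i, j); column h = i + [i+j]_l * m is the
    input slot (i, [i+j]_l), as used in the proof of Theorem 3.1."""
    return [(i + j * m, i + ((i + j) % l) * m)
            for j in range(l) for i in range(m)]

def tau_positions(l, n):
    """(row, col) of every 1 in U^tau for an l x n matrix.
    Row i + j*l is output slot (i, j); column h = [i+j]_l + j*l is the
    input slot ([i+j]_l, j), as used in the proof of Theorem 3.2."""
    return [(i + j * l, ((i + j) % l) + j * l)
            for j in range(n) for i in range(l)]

def diagonal_offsets(positions):
    """A diagonal is identified by the constant h - row, as in the proofs."""
    return {h - r for r, h in positions}

def flatten_col_major(M):
    return [M[i][j] for j in range(len(M[0])) for i in range(len(M))]

def apply_permutation(positions, flat):
    """Compute U * flat for a 0/1 matrix U given by its 1-positions."""
    out = [None] * len(flat)
    for r, h in positions:
        out[r] = flat[h]
    return out

def bound_violations(max_dim=8):
    """Return every (name, dims, count, bound) that exceeds the stated bound.
    An empty list means both theorems hold for all tested dimensions."""
    bad = []
    for a in range(1, max_dim + 1):
        for l in range(1, max_dim + 1):
            bound = 2 * min(a, l) - 1
            n_sigma = len(diagonal_offsets(sigma_positions(a, l)))
            n_tau = len(diagonal_offsets(tau_positions(l, a)))
            if n_sigma > bound:
                bad.append(("sigma", (a, l), n_sigma, bound))
            if n_tau > bound:
                bad.append(("tau", (l, a), n_tau, bound))
    return bad

if __name__ == "__main__":
    A = [[1, 2, 3], [4, 5, 6]]  # constructed 2 x 3 sample matrix
    print(apply_permutation(sigma_positions(2, 3), flatten_col_major(A)))
    print(sorted(diagonal_offsets(sigma_positions(2, 3))))
    print(bound_violations())
```

For the constructed 2 x 3 matrix the bound is tight: three distinct offsets against a limit of 2*2-1 = 3.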

Theorem 3.3

Let \(\epsilon ^k_{m\times n}({\mathcal {A}}) ={\textbf {U}}^{\epsilon ^k_{m\times n}} {\mathcal {A}}\) be the linear transformation \(\epsilon _{m\times n}: {\mathcal {R}}_{m\times l} \rightarrow {\mathcal {R}}_{m\times n}\) with matrix \({\mathcal {A}}\) having a dimension of \(m\times l\). There are at most \(\left\lfloor \frac{n}{l} \right\rfloor +1\) nonzero diagonal vectors in \({\textbf {U}}^{\epsilon ^k_{m\times n}}\) when the matrix is flattened in column-major order. There are at most \((\left\lfloor \frac{n}{l} \right\rfloor +2)\cdot m\) nonzero diagonal vectors in \({\textbf {U}}^{\epsilon ^k_{m\times n}}\) when matrix \({\mathcal {A}}\) is flattened in row-major order. Specifically, when \(n=l\), there are no more than two nonzero diagonals in \({\textbf {U}}^{\epsilon ^k_{m\times n}}\), regardless of whether the matrix is flattened in column-major or row-major order.

Proof

When applying \(\epsilon\) transformation on matrix \({\mathcal {A}}_{m\times l}\) in column-major order, \({\textbf {U}}^\epsilon\) is formulated in Eq. (14). Note that \({\textbf {U}}^{\epsilon ^k_{m\times n}}_{i,j} = 1\) when \(j=[k\cdot m+i]_{m\cdot l}\) and, for all elements of \({\textbf {U}}^{\epsilon ^k_{m\times n}}_{i,j}\) that belong to the same diagonal, we have \(j-i\) as a constant.

Considering all the nonzero elements in \({\textbf {U}}^{\epsilon ^k_{m\times n}}_{i,j}\), we have

$$\begin{aligned} j-i= \,& {} [k\cdot m+i]_{m\cdot l} - i \\= \,& {} k\cdot m+i-\left\lfloor \frac{k\cdot m+i}{m\cdot l}\right\rfloor \cdot m\cdot l - i \\= \,& {} k\cdot m-\left\lfloor \frac{k\cdot m+i}{m\cdot l}\right\rfloor \cdot m\cdot l \nonumber \end{aligned}$$

Since \(\max (k)=l-1\) and \(\max (i)=m\cdot n-1\), we have

$$\begin{aligned} \max (\frac{k\cdot m+i}{m\cdot l})< & {} \frac{l-1+n}{l} \\\le & {} \left\lfloor \frac{l-1}{l} \right\rfloor + \left\lfloor \frac{n}{l} \right\rfloor +1 \\= \,& {} \left\lfloor \frac{n}{l} \right\rfloor +1 \end{aligned}$$

Therefore, we get \(\left\lfloor \frac{k\cdot m+i}{m\cdot l}\right\rfloor \in \{0,1,\ldots ,\left\lfloor \frac{n}{l} \right\rfloor \}\). Then, \(j-i=k\cdot m-\left\lfloor \frac{k\cdot m+i}{m\cdot l}\right\rfloor \cdot m\cdot l\). Here, k, m and l are all constants for one transformation. The set \(\{0,1,\ldots ,\left\lfloor \frac{n}{l} \right\rfloor \}\) is of size \(\left\lfloor \frac{n}{l} \right\rfloor +1\). In summary, \(j-i\) in \({\textbf {U}}^{\epsilon ^k_{m\times n}}\) takes at most \(\left\lfloor \frac{n}{l} \right\rfloor +1\) constant values when \({\mathcal {A}}_{m\times l}\) is flattened in column-major order.

Special circumstances are when \(n=l\), \(\left\lfloor \frac{n}{l} \right\rfloor =1\). Therefore, \(\left\lfloor \frac{n}{l} \right\rfloor +1=2\) and this means \({\textbf {U}}^{\epsilon ^k_{m\times n}}\) has only 2 nonzero diagonals when \(n=l\).

When applying \(\epsilon\) transformation on matrix \({\mathcal {A}}_{m\times l}\) in row-major order, we can formulate permutation matrix according to formula (15), but apply on \({\mathcal {A}}_{l\times m}\) instead of \({\mathcal {A}}_{l\times n}\). Note that \({\textbf {U}}^{\epsilon ^k_{m\times n}}_{i,j} = 1\) when \(j=[k+[i]_n]_{l}+\left\lfloor i/n \right\rfloor \cdot l\) and, for all elements of \({\textbf {U}}^{\epsilon ^k_{m\times n}}_{i,j}\) that belong to the same diagonal, we have \(j-i\) as a constant.

Considering all the nonzero elements in \({\textbf {U}}^{\epsilon ^k_{m\times n}}_{i,j}\), we have

$$\begin{aligned} j= \,& {} k+[i]_n-\left\lfloor \frac{k+[i]_n}{l}\right\rfloor \cdot l+\left\lfloor \frac{i}{n} \right\rfloor \cdot l\\= \,& {} k+[i]_n+\left( \left\lfloor \frac{i}{n} \right\rfloor - \left\lfloor \frac{k+[i]_n}{l}\right\rfloor \right) \cdot l \end{aligned}$$

Since \(i\in [0,mn)\), we split i to m circumstances that \(i\in [pn,(p+1)n)\) where \(p =\{0,1,2,\ldots ,m-1\}\). For each circumstance that \(i\in [pn,(p+1)n)\), we have

$$\begin{aligned} j= k+i-pn+\left( p - \left\lfloor \frac{k+[i]_n}{l}\right\rfloor \right) \cdot l \end{aligned}$$

and

$$\begin{aligned} j-i= k-pn+\left( p - \left\lfloor \frac{k+[i]_n}{l}\right\rfloor \right) \cdot l \end{aligned}$$

Note that we have

$$\begin{aligned} \left\lfloor \frac{[pn]_n}{l}\right\rfloor \le \left\lfloor \frac{k+[i]_n}{l}\right\rfloor < \left\lfloor \frac{[pn]_n}{l}\right\rfloor + \left\lfloor \frac{n}{l}\right\rfloor +1+1 \end{aligned}$$

which takes at most \(2 + \left\lfloor \frac{n}{l} \right\rfloor\) constant values. Since \(j-i\) identifies a nonzero diagonal of \({\textbf {U}}^{\epsilon ^k_{m\times n}}\), this means there are at most \((2 + \left\lfloor \frac{n}{l} \right\rfloor )\cdot m\) nonzero diagonals in total when \({\mathcal {A}}_{m\times l}\) is flattened in row-major order, because there are m circumstances.

Special circumstances are when \(n=l\), \(j-i \in \{0,1\}\). The reason is that, since

$$\begin{aligned} \left\lfloor \frac{k}{l}\right\rfloor + \left\lfloor \frac{[i]_n}{l}\right\rfloor \le \left\lfloor \frac{k+[i]_n}{l}\right\rfloor \le \left\lfloor \frac{k}{l}\right\rfloor + \left\lfloor \frac{[i]_n}{l}\right\rfloor +1 \end{aligned}$$

and we also have \(k<l\) and \({[i]_n}<{l}\), thus

$$\begin{aligned} 0 \le \left\lfloor \frac{k+[i]_n}{l}\right\rfloor \le 1 \end{aligned}$$

On the other hand, we have

$$\begin{aligned} j-i= k - \left\lfloor \frac{k+[i]_n}{l}\right\rfloor \cdot l \end{aligned}$$

for each \(i\in [pn,(p+1)n)\). \(j-i\) has the same constant value in each \(i\in [pn,(p+1)n)\) and this means \({\textbf {U}}^{\epsilon ^k_{m\times n}}\) has only 2 nonzero diagonals when \(n=l\). \(\square\)

Theorem 3.4

Let \(\omega ^k_{m\times n}({\mathcal {B}}) = {\textbf {U}}^{\omega ^k_{m\times n}} {\mathcal {B}}\) be the linear transformation \(\omega _{m\times n}: {\mathcal {R}}_{l\times n} \rightarrow {\mathcal {R}}_{m\times n}\) with matrix \({\mathcal {B}}\) having a dimension of \(l\times n\). There are at most \((\left\lfloor \frac{m}{l} \right\rfloor +2)\cdot n\) nonzero diagonal vectors in \({\textbf {U}}^{\omega ^k_{m\times n}}\) when the matrix is flattened in column-major order. There are at most \(\left\lfloor \frac{m}{l} \right\rfloor +1\) nonzero diagonal vectors in \({\textbf {U}}^{\omega ^k_{m\times n}}\) when matrix \({\mathcal {B}}\) is flattened in row-major order. Specifically, when \(m=l\), there are no more than two nonzero diagonals in \({\textbf {U}}^{\omega ^k_{m\times n}}\), regardless of whether the matrix is flattened in column-major or row-major order.

Proof

When applying \(\omega\) transformation on matrix \({\mathcal {B}}_{l\times n}\) in column-major order, \({\textbf {U}}^\omega\) is formulated in Eq. (15). Note that \({\textbf {U}}^{\omega ^k_{m\times n}}_{i,j} = 1\) when \(j=[k+[i]_m]_{l}+\left\lfloor i/m \right\rfloor \cdot l\) and, for all elements of \({\textbf {U}}^{\omega ^k_{m\times n}}_{i,j}\) that belong to the same diagonal, we have \(j-i\) as a constant.

Considering all the nonzero elements in \({\textbf {U}}^{\omega ^k_{m\times n}}_{i,j}\), we have

$$\begin{aligned} j= \,& {} k+[i]_m-\left\lfloor \frac{k+[i]_m}{l}\right\rfloor \cdot l+\left\lfloor \frac{i}{m} \right\rfloor \cdot l\\= \,& {} k+[i]_m+\left( \left\lfloor \frac{i}{m} \right\rfloor - \left\lfloor \frac{k+[i]_m}{l}\right\rfloor \right) \cdot l \end{aligned}$$

Since \(i\in [0,mn)\), we split i to n circumstances that \(i\in [pm,(p+1)m)\) where \(p =\{0,1,2,\ldots ,n-1\}\). For each circumstance that \(i\in [pm,(p+1)m)\), we have

$$\begin{aligned} j= k+i-pm+\left( p - \left\lfloor \frac{k+[i]_m}{l}\right\rfloor \right) \cdot l \end{aligned}$$

and

$$\begin{aligned} j-i= k-pm+\left( p - \left\lfloor \frac{k+[i]_m}{l}\right\rfloor \right) \cdot l \end{aligned}$$

Note that we have

$$\begin{aligned} \left\lfloor \frac{[pm]_m}{l}\right\rfloor \le \left\lfloor \frac{k+[i]_m}{l}\right\rfloor < \left\lfloor \frac{[pm]_m}{l}\right\rfloor + \left\lfloor \frac{m}{l}\right\rfloor +1+1 \end{aligned}$$

which takes at most \(2 + \left\lfloor \frac{m}{l} \right\rfloor\) constant values. Since \(j-i\) identifies a nonzero diagonal of \({\textbf {U}}^{\omega ^k_{m\times n}}\), this means there are at most \((2 + \left\lfloor \frac{m}{l} \right\rfloor )\cdot n\) nonzero diagonals in total when \({\mathcal {B}}_{m\times l}\) is flattened in column-major order, because there are n circumstances.

Special circumstances are when \(m=l\), \(j-i \in \{0,1\}\). The reason is that, since

$$\begin{aligned} \left\lfloor \frac{k}{l}\right\rfloor + \left\lfloor \frac{[i]_l}{l}\right\rfloor \le \left\lfloor \frac{k+[i]_l}{l}\right\rfloor \le \left\lfloor \frac{k}{l}\right\rfloor + \left\lfloor \frac{[i]_l}{l}\right\rfloor +1 \end{aligned}$$

and we also have \(k<l\) and \({[i]_l}<{l}\), thus

$$\begin{aligned} 0 \le \left\lfloor \frac{k+[i]_l}{l}\right\rfloor \le 1 \end{aligned}$$

On the other hand, we have

$$\begin{aligned} j-i= k - \left\lfloor \frac{k+[i]_l}{l}\right\rfloor \cdot l \end{aligned}$$

for each \(i\in [pm,(p+1)m)\). \(j-i\) has the same constant value in each \(i\in [pm,(p+1)m)\) and this means \({\textbf {U}}^{\omega ^k_{m\times n}}\) has only 2 nonzero diagonals when \(m=l\).

When applying \(\omega\) transformation on matrix \({\mathcal {B}}_{l\times n}\) in row-major order, we can formulate permutation matrix according to formula (14), but apply on \({\mathcal {B}}_{n\times l}\) instead of \({\mathcal {B}}_{m\times l}\). Note that \({\textbf {U}}^{\omega ^k_{m\times n}}_{i,j} = 1\) when \(j=[k\cdot n+i]_{n\cdot l}\) and, for all elements of \({\textbf {U}}^{\omega ^k_{m\times n}}_{i,j}\) that belong to the same diagonal, we have \(j-i\) as a constant.

Considering all the nonzero elements in \({\textbf {U}}^{\omega ^k_{m\times n}}_{i,j}\), we have

$$\begin{aligned} j-i= \,& {} [k\cdot n+i]_{n\cdot l} - i \\= \,& {} k\cdot n+i-\left\lfloor \frac{k\cdot n+i}{n\cdot l}\right\rfloor \cdot n\cdot l - i \\= \,& {} k\cdot n-\left\lfloor \frac{k\cdot n+i}{n\cdot l}\right\rfloor \cdot n\cdot l \end{aligned}$$

Since \(\max (k)=l-1\) and \(\max (i)=m\cdot n-1\), we have

$$\begin{aligned} \max (\frac{k\cdot n+i}{n\cdot l})< & {} \frac{l-1+m}{l} \\\le & {} \left\lfloor \frac{l-1}{l} \right\rfloor + \left\lfloor \frac{m}{l} \right\rfloor +1 \\= \,& {} \left\lfloor \frac{m}{l} \right\rfloor +1 \end{aligned}$$

Therefore, we get \(\left\lfloor \frac{k\cdot n+i}{n\cdot l}\right\rfloor \in \{0,1,\ldots ,\left\lfloor \frac{m}{l} \right\rfloor \}\). Then, \(j-i=k\cdot n-\left\lfloor \frac{k\cdot n+i}{n\cdot l}\right\rfloor \cdot n\cdot l\). Here, k, n and l are all constants for one transformation. The set \(\{0,1,\ldots ,\left\lfloor \frac{m}{l} \right\rfloor \}\) is of size \(\left\lfloor \frac{m}{l} \right\rfloor +1\). In summary, \(j-i\) in \({\textbf {U}}^{\omega ^k_{m\times n}}\) takes at most \(\left\lfloor \frac{m}{l} \right\rfloor +1\) constant values when \({\mathcal {B}}_{m\times l}\) is flattened in row-major order.

Special circumstances are when \(m=l\), \(\left\lfloor \frac{m}{l} \right\rfloor =1\). Therefore, \(\left\lfloor \frac{m}{l} \right\rfloor +1=2\) and this means \({\textbf {U}}^{\omega ^k_{m\times n}}\) has only 2 nonzero diagonals when \(m=l\). \(\square\)

Theorem 3.5

Let \({\mathcal {A}}_{m\times l}\) and \({\mathcal {B}}_{l\times n}\) with \(m < l\), and let \({\bar{A}}\) be the matrix expanded with \(t=\left\lceil \frac{l}{m} \right\rceil\) copies of \({\mathcal {A}}\) vertically, i.e., \(\bar{{\mathcal {A}}} = \{\bar{A_0}; \bar{A_1};\ldots ; {\bar{A}}_{(t-1)}\}^T\) with \(\bar{A_0}=\bar{A_1}=\cdots = {\bar{A}}_{(t-1)}={\mathcal {A}}_{m\times l}\). Then,

  • \(\epsilon ^k_{tm\times n} ( \sigma (\bar{{\mathcal {A}}}))\odot \omega ^k_{tm\times n} ( \tau ({\mathcal {B}}))\) contains t items of \(\epsilon ^p_{m\times n} ( \sigma ({\mathcal {A}}))\odot \omega ^p_{m\times n} ( \tau ({\mathcal {B}}))\), with \(p \in \{[k]_l,[k+m]_l,\ldots , [k+(t-1)m]_l\}\).

  • \(\epsilon ^k_{tm\times n} ( \sigma (\bar{{\mathcal {A}}}))\odot \omega ^k_{tm\times n} ( \tau ({\mathcal {B}}))\), \(k=0,1,\ldots ,(m-1)\) contains all items of \(\epsilon ^p_{m\times n} (\sigma ({\mathcal {A}}))\odot \omega ^p_{m\times n} (\tau ({\mathcal {B}}))\), with \(p\in \{0, 1,\ldots , (l-1)\}\).

Proof

Consider a sub-matrix of \((\epsilon ^k_{tm\times n} \circ \sigma ({\bar{{\mathcal {A}}})})\) with dimension of \(m\times n\), i.e., \((\epsilon ^k_{tm\times n} \circ \sigma ({\bar{{\mathcal {A}}})})_{hm+i,j}\), where \(0 \le i< m, 0 \le j < n\). h is a constant with \(0 \le h < t\). Based on Eq. (1) and (3), we have

$$\begin{aligned} (\epsilon ^k_{tm\times n} \circ \sigma ({\bar{{\mathcal {A}}})})_{hm+i,j}= \,& {} \sigma ({\bar{{\mathcal {A}}}})_{hm+i,[j+k]_l} \\= \,& {} {\bar{{\mathcal {A}}}}_{hm+i,[hm+i+j+k]_l} \\= \,& {} {\mathcal {A}}_{i,[hm+i+j+k]_l} \end{aligned} \tag{16}$$

On the other hand, let \(p = [k+hm]_l\), for \(0 \le i< m, 0 \le j < n\), we have

$$\begin{aligned} (\epsilon ^p_{m\times n} \circ \sigma ({{\mathcal {A}}}))_{i,j}= \,& {} \sigma ({{\mathcal {A}})_{i,[j+p]_l}} \\= \,& {} {\mathcal {A}}_{i,[i+j+k+hm]_l} \end{aligned} \tag{17}$$

Similarly, consider the sub-matrix of \((\omega ^k_{tm\times n} \circ \tau ({{\mathcal {B}}}))\) with dimension of \(m\times n\), i.e., \((\omega ^k_{tm\times n} \circ \tau ({{\mathcal {B}}}))_{hm+i,j}\), with \(0 \le i< m, 0 \le j < n\). Based on Eq. (2) and (4), we have

$$\begin{aligned} (\omega ^k_{tm\times n} \circ \tau ({{\mathcal {B}}}))_{hm+i,j}= \,& {} \tau ({{\mathcal {B}}})_{[hm+i+k]_l,j} \\= \,& {} {{\mathcal {B}}}_{[hm+i+j+k]_l,j} \end{aligned} \tag{18}$$

If we let \(p = [k+hm]_l\), for \(0 \le i< m, 0 \le j < n\), and \(0 \le h < t\), we have

$$\begin{aligned} \omega ^p_{m\times n} \circ \tau ({{\mathcal {B}}})_{i,j}= \,& {} \tau ({{\mathcal {B}}})_{[i+p]_l,j} \\= \,& {} {{\mathcal {B}}}_{[i+k+hm+j]_l,j} \end{aligned} \tag{19}$$

Since \(0 \le h < t\), there are t sub-matrices in total in \(\epsilon ^k_{tm\times n} ( \sigma (\bar{{\mathcal {A}}}))\) and \(\omega ^k_{tm\times n}(\tau ({\mathcal {B}}))\), and the conclusion for the first part of the theorem follows naturally from Eqs. (16) to (19).

To prove the second part of the theorem, we only need to note that since \(t=\left\lceil \frac{l}{m} \right\rceil\), we have \(tm \ge l\). Therefore, for any \(p\in \{0, 1,\ldots , (l-1)\}\), we must be able to find at least one set of k and h, with \(0 \le k < m\), \(0 \le h <t\), and \(p = [k+hm]_l\). Together with Eqs. (16) to (19), we thus prove the theorem. \(\square\)
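Theorem 3.5 can be exercised on plaintext matrices using only the index maps that appear in Eqs. (16) to (19). The following is an added example, not code from the paper: function names and the sample matrices are constructed here, no encryption is involved, and the final step (summing one block per distinct p to obtain the ordinary product) follows from Eqs. (17) and (19) because \([i+j+p]_l\) runs over every column index of \({\mathcal {A}}\) as p runs over \(0,\ldots ,l-1\).

```python
# Added example (not from the paper): plaintext check of Theorem 3.5.

def sigma(X, l):
    """sigma(X)[r][c] = X[r][[r+c]_l], X has l columns."""
    return [[X[r][(r + c) % l] for c in range(l)] for r in range(len(X))]

def tau(Y, l):
    """tau(Y)[r][c] = Y[[r+c]_l][c], Y has l rows."""
    n = len(Y[0])
    return [[Y[(r + c) % l][c] for c in range(n)] for r in range(l)]

def eps(X, k, n, l):
    """epsilon^k_{rows x n}(X)[r][c] = X[r][[c+k]_l]."""
    return [[X[r][(c + k) % l] for c in range(n)] for r in range(len(X))]

def omega(Y, k, rows, l):
    """omega^k_{rows x n}(Y)[r][c] = Y[[r+k]_l][c]."""
    n = len(Y[0])
    return [[Y[(r + k) % l][c] for c in range(n)] for r in range(rows)]

def hadamard(P, Q):
    return [[p * q for p, q in zip(pr, qr)] for pr, qr in zip(P, Q)]

def matmul(A, B):
    return [[sum(A[i][c] * B[c][j] for c in range(len(B)))
             for j in range(len(B[0]))] for i in range(len(A))]

def check_theorem_3_5(A, B):
    """Return (blocks_match, covered_p, product) for A (m x l), B (l x n), m < l.
    blocks_match: every m x n block h of the stacked Hadamard product equals
                  the small product for p = [k + h*m]_l (first bullet).
    covered_p:    sorted p values reached with k = 0..m-1 (second bullet).
    product:      sum of one block per distinct p."""
    m, l, n = len(A), len(B), len(B[0])
    assert m < l and len(A[0]) == l
    t = -(-l // m)                       # ceil(l / m)
    A_bar = [row[:] for _ in range(t) for row in A]   # t vertical copies
    sA_bar, sA, tB = sigma(A_bar, l), sigma(A, l), tau(B, l)
    blocks, blocks_match = {}, True
    for k in range(m):
        big = hadamard(eps(sA_bar, k, n, l), omega(tB, k, t * m, l))
        for h in range(t):
            p = (k + h * m) % l
            small = hadamard(eps(sA, p, n, l), omega(tB, p, m, l))
            if big[h * m:(h + 1) * m] != small:
                blocks_match = False
            blocks.setdefault(p, big[h * m:(h + 1) * m])
    product = [[sum(blocks[p][i][j] for p in blocks) for j in range(n)]
               for i in range(m)]
    return blocks_match, sorted(blocks), product

if __name__ == "__main__":
    A = [[1, 2, 3, 4, 5], [6, 7, 8, 9, 10]]                     # constructed 2 x 5
    B = [[1, 0, 2], [0, 1, 3], [4, 0, 1], [2, 2, 0], [1, 1, 1]]  # constructed 5 x 3
    ok, covered, C = check_theorem_3_5(A, B)
    print(ok, covered, C == matmul(A, B))
```

With m = 2 and l = 5 the stacked operand has t = 3 copies, so only k = 0, 1 are needed to reach all five values of p.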

Theorem 3.6

Let \({\mathcal {A}}_{m\times l}\) and \({\mathcal {B}}_{l\times n}\) with \(n < l\), and let \(\bar{{\mathcal {B}}}\) be the matrix expanded with \(t=\left\lceil \frac{l}{n} \right\rceil\) copies of \({\mathcal {B}}\) horizontally, i.e., \(\bar{{\mathcal {B}}} = \{{\mathcal {B}}; {\mathcal {B}};\ldots ; {\mathcal {B}}\}\). Then,

  • \(\epsilon ^k_{m\times tn}( \sigma ({\mathcal {A}}))\odot \omega ^k_{m\times tn}( \tau (\bar{{\mathcal {B}}}))\) contains t items of \(\epsilon ^p_{m\times n}( \sigma ({\mathcal {A}}))\odot \omega ^p_{m\times n}( \tau ({\mathcal {B}}))\), with \(p=[k]_l, [k+n]_l,\ldots , [k+(t-1)n]_l\);

  • \(\epsilon ^k_{m\times tn}( \sigma ({\mathcal {A}}))\odot \omega ^k_{m\times tn}( \tau (\bar{{\mathcal {B}}}))\), \(k=0,1,\ldots ,(n-1)\) contains all items of \(\epsilon ^p_{m\times n}( \sigma ({\mathcal {A}}))\odot \omega ^p_{m\times n}( \tau ({\mathcal {B}}))\), with \(p=0, 1,\ldots , (l-1)\).

Proof

Consider a sub-matrix of \((\epsilon ^k_{m\times tn} \circ \sigma ({{\mathcal {A}})})\) with dimension of \(m\times n\), i.e., \((\epsilon ^k_{m\times tn} \circ \sigma ({{\mathcal {A}})})_{i,hn+j}\), where \(0 \le i< m, 0 \le j < n\). h is a constant with \(0 \le h < t\). Based on Eqs. (1) and (3), we have

$$\begin{aligned} (\epsilon ^k_{m\times tn} \circ \sigma ({{\mathcal {A}})})_{i,hn+j}= \,& {} \sigma ({{\mathcal {A}}})_{i,[hn+j+k]_l} \\= \,& {} {{\mathcal {A}}}_{i,[i+hn+j+k]_l} \end{aligned} \tag{20}$$

On the other hand, let \(p = [k+hn]_l\), for \(0 \le i< m, 0 \le j < n\), we have

$$\begin{aligned} (\epsilon ^p_{m\times n} \circ \sigma ({{\mathcal {A}}}))_{i,j}= \,& {} \sigma ({{\mathcal {A}})_{i,[j+p]_l}} \\= \,& {} {\mathcal {A}}_{i,[i+j+k+hn]_l}. \end{aligned} \tag{21}$$

Similarly, consider the sub-matrix of \((\omega ^k_{m\times tn} \circ \tau (\bar{{\mathcal {B}}}))\) with dimension of \(m\times n\), i.e., \((\omega ^k_{m\times tn} \circ \tau (\bar{{\mathcal {B}}}))_{i,hn+j}\), with \(0 \le i< m, 0 \le j < n\). Based on Eq. (2) and (4), we have

$$\begin{aligned} (\omega ^k_{m\times tn} \circ \tau (\bar{{\mathcal {B}}}))_{i,hn+j}= \,& {} \tau (\bar{{\mathcal {B}}})_{[i+k]_l,hn+j} \\= \,& {} \bar{{\mathcal {B}}}_{[hn+i+j+k]_l,hn+j} \\= \,& {} {\mathcal {B}}_{[hn+i+j+k]_l,j} \end{aligned} \tag{22}$$

If we let \(p = [k+hn]_l\), for \(0 \le i< m, 0 \le j < n\), and \(0 \le h < t\), we have

$$\begin{aligned} \omega ^p_{m\times n} \circ \tau ({{\mathcal {B}}})_{i,j}= \,& {} \tau ({{\mathcal {B}}})_{[i+p]_l,j} \\= \,& {} {{\mathcal {B}}}_{[i+k+hn+j]_l,j} \end{aligned} \tag{23}$$

Since \(0 \le h < t\), there are t sub-matrices in total in \(\epsilon ^k_{m\times tn} ( \sigma ({\mathcal {A}}))\) and \(\omega ^k_{m\times tn}(\tau ({\mathcal {B}}))\), and the conclusion for the first part of the theorem follows naturally from Eqs. (20) to (23).

To prove the second part of the theorem, we only need to note that since \(t=\left\lceil \frac{l}{n} \right\rceil\), we have \(tn \ge l\). Therefore, for any \(p\in \{0, 1,\ldots , (l-1)\}\), we must be able to find at least one set of k and h, with \(0 \le k < n\), \(0 \le h <t\), and \(p = [k+hn]_l\). Together with Eqs. (20) to (23), we thus prove the theorem. \(\square\)

Appendix 2: Meaning of symbolize

See Table 9.

Table 9 Meaning of symbolize

Appendix 3: Some experiments results

See Table 10.

Table 10 Performance comparison

Rights and permissions

Springer Nature or its licensor (e.g. a society or other partner) holds exclusive rights to this article under a publishing agreement with the author(s) or other rightsholder(s); author self-archiving of the accepted manuscript version of this article is solely governed by the terms of such publishing agreement and applicable law.

About this article

Cite this article

Gao, Y., Quan, G., Homsi, S. et al. Secure and efficient general matrix multiplication on cloud using homomorphic encryption. J Supercomput 80, 26394–26434 (2024). https://doi.org/10.1007/s11227-024-06428-8

  • DOI: https://doi.org/10.1007/s11227-024-06428-8