Abstract
Despite the enormous technical and financial advantages of cloud computing, security and privacy have always been the primary concerns for adopting cloud computing facilities, especially for government agencies and commercial sectors with high-security requirements. Homomorphic encryption (HE) has recently emerged as an effective tool in ensuring privacy and security for sensitive applications by allowing computing on encrypted data. One major obstacle to employing HE-based computation, however, is its excessive computational cost, which can be orders of magnitude higher than its counterpart based on the plaintext. In this paper, we study the problem of how to reduce the HE-based computational cost for general matrix multiplication, i.e., a fundamental building block for numerous practical applications, by taking advantage of the single instruction multiple data operations supported by HE schemes. Specifically, we develop a novel element-wise algorithm for general matrix multiplication, based on which we propose two HE-based general matrix multiplication algorithms to reduce the HE computation cost. Our experimental results show that our algorithms significantly outperform the state-of-the-art approaches of HE-based matrix multiplication.
Access this article
Rent this article via DeepDyve
Similar content being viewed by others
Data availability
No datasets were generated or analyzed during the current study.
References
Varghese B, Buyya R (2018) Next generation cloud computing: new trends and research directions. Futur Gener Comput Syst 79:849–861
Vasiljeva T, Shaikhulina S, Kreslins K (2017) Cloud computing: business perspectives, benefits and challenges for small and medium enterprises (case of Latvia). Procedia Eng 178:443–451
Scale R (2015) State of the cloud report. Technical report
Rajaraman V (2014) Cloud computing. Resonance 19(3):242–258
Rivest RL, Adleman L, Dertouzos ML et al (1978) On data banks and privacy homomorphisms. Found Secure Comput 4(11):169–180
Gentry C (2009) Fully homomorphic encryption using ideal lattices. In: Proceedings of the Forty-First Annual ACM Symposium on Theory of Computing, pp 169–178
Brakerski Z, Gentry C, Vaikuntanathan V (2014) (Leveled) fully homomorphic encryption without bootstrapping. ACM Trans Comput Theory (TOCT) 6(3):1–36
Ran R, Xu N, Wang W, Gang Q, Yin J, Wen W (2022) Cryptogcn: fast and scalable homomorphically encrypted graph convolutional network inference. Preprint arXiv:2209.11904
Smart NP, Vercauteren F (2014) Fully homomorphic SIMD operations. Des Codes Crypt 71(1):57–81
Ibarrondo A, Viand A (2021) Pyfhel: Python for homomorphic encryption libraries. In: Proceedings of the 9th on Workshop on Encrypted Computing & Applied Homomorphic Cryptography, pp 11–16
Fan J, Vercauteren F (2012) Somewhat practical fully homomorphic encryption. Cryptology ePrint Archive
Brakerski Z (2012) Fully homomorphic encryption without modulus switching from classical GapSVP. In: Annual Cryptology Conference. Springer, pp 868–886
Cheon JH, Kim A, Kim M, Song Y (2017) Homomorphic encryption for arithmetic of approximate numbers. In: International Conference on the Theory and Application of Cryptology and Information Security. Springer, pp 409–437
Ames S, Venkitasubramaniam M, Page A, Kocabas O, Soyata T (2020) Secure health monitoring in the cloud using homomorphic encryption: a branching-program formulation, pp 56–92. https://doi.org/10.4018/978-1-5225-9863-3.ch004
Nocker M, Drexel D, Rader M, Montuoro A, Schöttle P (2023) He-man–homomorphically encrypted machine learning with ONNX models. Preprint arXiv:2302.08260
Reagen B, Choi W-S, Ko Y, Lee VT, Lee H-HS, Wei G-Y, Brooks D (2021) Cheetah: optimizing and accelerating homomorphic encryption for private inference. In: IEEE International Symposium on High-Performance Computer Architecture (HPCA). IEEE, pp 26–39
Masliah I, Abdelfattah A, Haidar A, Tomov S, Baboulin M, Falcou J, Dongarra J (2019) Algorithms and optimization techniques for high-performance matrix-matrix multiplications of very small matrices. Parallel Comput 81:1–21
Nagasaka Y, Matsuoka S, Azad A, Buluç A (2018) High-performance sparse matrix-matrix products on intel KNL and multicore architectures. In: Proceedings of the 47th International Conference on Parallel Processing Companion, pp 1–10
Jiang P, Hong C, Agrawal G (2020) A novel data transformation and execution strategy for accelerating sparse matrix multiplication on GPUs. In: Proceedings of the 25th ACM SIGPLAN Symposium on Principles and Practice of Parallel Programming, pp 376–388
Liu W, Vinter B (2014) An efficient GPU general sparse matrix-matrix multiplication for irregular data. In: IEEE 28th International Parallel and Distributed Processing Symposium. IEEE, pp 370–381
Valero-Lara P, Martínez-Pérez I, Mateo S, Sirvent R, Beltran V, Martorell X, Labarta J (2018) Variable batched DGEMM. In: 2018 26th Euromicro International Conference on Parallel, Distributed and Network-Based Processing (PDP), pp 363–367. https://doi.org/10.1109/PDP2018.2018.00065
Zhang Z, Wang H, Han S, Dally WJ (2020) SpArch: efficient architecture for sparse matrix multiplication. In: 2020 IEEE International Symposium on High Performance Computer Architecture (HPCA). IEEE, pp 261–274
Lu W-j, Kawasaki S, Sakuma J (2016) Using fully homomorphic encryption for statistical analysis of categorical, ordinal and numerical data. Cryptology ePrint Archive
Halevi S, Shoup V (2014) Algorithms in HElib. In: Annual Cryptology Conference. Springer, pp 554–571
Duong DH, Mishra PK, Yasuda M (2017) Efficient secure matrix multiplication over LWE-based homomorphic encryption. Tatra Mt Math Publ 67(1):69–83. https://doi.org/10.1515/tmmp-2016-0031
Mishra PK, Duong DH, Yasuda M (2017) Enhancement for secure multiple matrix multiplications over ring-LWE homomorphic encryption. In: Information Security Practice and Experience: 13th International Conference, ISPEC 2017, Melbourne, Proceedings 13. Springer, pp 320–330
Jiang X, Kim M, Lauter K, Song Y (2018) Secure outsourced matrix computation and application to neural networks. In: Proceedings of the 2018 ACM SIGSAC Conference on Computer and Communications Security, pp 1209–1222
Huang Z, Hong C, Weng C, Lu W-J, Qu H (2023) More efficient secure matrix multiplication for unbalanced recommender systems. IEEE Trans Dependable Secure Comput 20(1):551–562. https://doi.org/10.1109/TDSC.2021.3139318
Rathee D, Mishra PK, Yasuda M (2018) Faster PCA and linear regression through hypercubes in HElib. In: Proceedings of the 2018 Workshop on Privacy in the Electronic Society, pp 42–53
Huang H, Zong H (2022) Secure matrix multiplication based on fully homomorphic encryption. J Supercomput 1–22
Lyubashevsky V, Peikert C, Regev O (2010) On ideal lattices and learning with errors over rings. In: 29th International Conference on the Theory and Applications of Cryptographic Techniques. Springer, pp 1–23
Acknowledgements
This work was supported in part by the Air Force Office of Scientific Research (AFOSR) and the Air Force Research Laboratory/Information Directorate (AFRL/RI), Rome, NY under the 2021 Summer Faculty Fellowship Program, and Information Directorate Internship Program, respectively. The views and conclusions contained herein are those of the authors and should not be interpreted as necessarily representing the official policies or endorsements, either expressed or implied, of the Air Force Research Laboratory or the US Government. Approved for Public Release on March 06, 2024. Distribution is Unlimited. Case Number: 2024-0184 (original case number(s): AFRL-2024-0944).
Funding
This research was supported by funding from the Air Force Office of Scientific Research (AFOSR) and the Air Force Research Laboratory/Information Directorate (AFRL/RI), Rome, NY, under the 2021 Summer Faculty Fellowship Program, Grant Number 2024-0184 (original case number: AFRL-2024-0944). The funding body had no role in the design of the study, the collection, analysis, or interpretation of data. Additional support was provided by NSF grant 1952792, 2321572 and CNS-2348733.
Author information
Authors and Affiliations
Contributions
YG and GQ wrote the main manuscript and YG prepared all figures and tables. LW reviewed and rewrote multiple parts of the manuscript. All authors reviewed the manuscript.
Corresponding author
Ethics declarations
Conflict of interest
No, I declare that the authors have no conflict of interest as defined by Springer, or other interests that might be perceived to influence the results and/or discussion reported in this paper.
Ethical statements
It is not applicable. This study did not involve human participants, personal data, or any procedures requiring ethical approval.
Additional information
Publisher's Note
Springer Nature remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.
Y. Gang and L. Wang were supported in part by NSF grant 1952792 and 2321572. W. Wen was supported in part by NSF grant CNS-2348733.
Soamar Homsi: Approved for Public Release on March 06, 2024. Distribution is unlimited. Case Number: 2024-0184 (original case number(s): AFRL-2024-0944).
Appendices
Appendix 1: The proof for Theorem 3.1 to Theorem 3.4
Theorem
3.1 Let \(\sigma ({\mathcal {A}}) = {\textbf {U}}^\sigma {\mathcal {A}}\) for \({\mathcal {A}}\) with a dimension of \(m\times l\). There are at most \(2\cdot \min (m,l)-1\) nonzero diagonals in \({\textbf {U}}^\sigma\) no matter if the matrix is flattened with a column-major or row-major order.
Proof
When applying \(\sigma\) transformation on matrix \({\mathcal {A}}_{m\times l}\) in column-major order, \({\textbf {U}}^\sigma\) is formulated in Eq. (12). Note that \({\textbf {U}}^\sigma _{i+j\cdot m,h} = 1\) when \(h= i+ [i+j]_l\cdot m\) and, for all elements of \({\textbf {U}}^\sigma _{i+j\cdot m,h}\) that belong to the same diagonal, we have \(h-(i+j\cdot m)\) as a constant.
Considering all the nonzero elements in \({\textbf {U}}^\sigma _{i+j\cdot m,h}\), we have
Since \(\left\lfloor \frac{i}{l} \right\rfloor + \left\lfloor \frac{j}{l} \right\rfloor \le \left\lfloor \frac{i+j}{l} \right\rfloor \le \left\lfloor \frac{i}{l} \right\rfloor + \left\lfloor \frac{j}{l} \right\rfloor +1\) and \(0\le j < l\), we have \(\left\lfloor \frac{i}{l} \right\rfloor \le \left\lfloor \frac{i+j}{l} \right\rfloor \le \left\lfloor \frac{i}{l} \right\rfloor +1\).
Now consider two different scenarios: 1) \(m<l\); 2) \(m \ge l\). When \(m<l\), for each \(i=\{1,2,\ldots ,m-1\}\), \(h-(i+j\cdot m)\) can at most take two constant values since \(\left\lfloor \frac{i}{l} \right\rfloor =0\) and \(0 \le \left\lfloor \frac{i+j}{l} \right\rfloor \le 1\). When \(i=0\), \(h-(i+j\cdot m)\) can only be zero since \(\left\lfloor \frac{i+j}{l} \right\rfloor =0\). Therefore, \({\textbf {U}}^\sigma _{i+j\cdot m,h}\) has at most \(2m-1\) nonzero diagonals under this case.
When \(m \ge l\), we have
with \(0 \le p < l\). Since \(-1 \le \left( \left\lfloor \frac{i}{l} \right\rfloor - \left\lfloor \frac{i+j}{l} \right\rfloor \right) \le 0\), \({\textbf {U}}^\sigma _{i+j\cdot m,h}\) has at most \(2l-1\) nonzero diagonals under this case.
Therefore, in summary, there are at most \(2\cdot \min (m,l)-1\) nonzero diagonals in \({\textbf {U}}^\sigma\) when the matrix is flattened with a column-major. Similar proof can be obtained when the matrix is flattened with the row-major order. \(\square\)
Theorem
3.2 Let \(\tau ({\mathcal {B}}) = {\textbf {U}}^\tau {\mathcal {B}}\) for \({\mathcal {B}}\) with a dimension of \(l\times n\). There are at most \(2\cdot \min (n,l)-1\) nonzero diagonals in \({\textbf {U}}^\tau\) no matter if the matrix is flattened with a column-major or row-major order.
Proof
When applying \(\tau\) transformation on matrix \({\mathcal {B}}_{l\times n}\) in column-major order, \({\textbf {U}}^\tau\) is formulated in Eq. (13). Note that \({\textbf {U}}^\tau _{i+j\cdot l,h} = 1\) when \(h= [i+j]_l + j\cdot l\) and, for all elements of \({\textbf {U}}^\tau _{i+j\cdot l,h}\) that belong to the same diagonal, we have \(h-(i+j\cdot l)\) as a constant.
Considering all the nonzero elements in \({\textbf {U}}^\tau _{i+j\cdot l,h}\), we have
Since \(\left\lfloor \frac{i}{l} \right\rfloor + \left\lfloor \frac{j}{l} \right\rfloor \le \left\lfloor \frac{i+j}{l} \right\rfloor \le \left\lfloor \frac{i}{l} \right\rfloor + \left\lfloor \frac{j}{l} \right\rfloor +1\) and \(0\le i < l\), we have \(\left\lfloor \frac{j}{l} \right\rfloor \le \left\lfloor \frac{i+j}{l} \right\rfloor \le \left\lfloor \frac{j}{l} \right\rfloor +1\).
Now consider two different scenarios: 1) \(n<l\); 2) \(n \ge l\). When \(n<l\), for each \(j=\{1,2,\ldots ,n-1\}\), \(h-(i+j\cdot l)\) can at most take two constant values since \(\left\lfloor \frac{j}{l} \right\rfloor =0\) and \(0 \le \left\lfloor \frac{i+j}{l} \right\rfloor \le 1\). When \(i=0\), \(h-(i+j\cdot l)\) can only be zero since \(\left\lfloor \frac{i+j}{l} \right\rfloor =0\). Therefore, \({\textbf {U}}^\tau _{i+j\cdot l,h}\) has at most \(2n-1\) nonzero diagonals under this case.
When \(n \ge l\), we have
with \(0 \le p < l\). Since \(-1 \le (\left\lfloor \frac{j}{l} \right\rfloor - \left\lfloor \frac{i+j}{l} \right\rfloor ) \le 0\), \({\textbf {U}}^\tau _{i+j\cdot l,h}\) has at most \(2l-1\) nonzero diagonals under this case.
Therefore, in summary, there are at most \(2\cdot \min (n,l)-1\) nonzero diagonals in \({\textbf {U}}^\tau\) when the matrix is flattened with a column-major. Similar proof can be obtained when the matrix is flattened with the row-major order. \(\square\)
Theorem
3.3 Let \(\epsilon ^k_{m\times n}({\mathcal {A}}) ={\textbf {U}}^{\epsilon ^k_{m\times n}} {\mathcal {A}}\) be the linear transformation \(\epsilon _{m\times n}: {\mathcal {R}}_{m\times l} \rightarrow {\mathcal {R}}_{m\times n}\) with matrix \({\mathcal {A}}\) having a dimension of \(m\times l\). There are at most \(\left\lfloor \frac{n}{l} \right\rfloor +1\) nonzero diagonal vectors in \({\textbf {U}}^{\epsilon ^k_{m\times n}}\) when the matrix is flattened with the column-major order. There are at most \((\left\lfloor \frac{n}{l} \right\rfloor +2)\cdot m\) nonzero diagonal vectors in \({\textbf {U}}^{\epsilon ^k_{m\times n}}\) when matrix \({\mathcal {A}}\) is flattened with the row-major order. Specifically, when \(n=l\), there are no more than two nonzero diagonals in \({\textbf {U}}^{\epsilon ^k_{m\times n}}\), no matter if the matrix is flattened in column-major or row-major order.
Proof
When applying \(\epsilon\) transformation on matrix \({\mathcal {A}}_{m\times l}\) in column-major order, \({\textbf {U}}^\epsilon\) is formulated in Eq. (14). Note that \({\textbf {U}}^{\epsilon ^k_{m\times n}}_{i,j} = 1\) when \(j=[k\cdot m+i]_{m\cdot l}\) and, for all elements of \({\textbf {U}}^{\epsilon ^k_{m\times n}}_{i,j}\) that belong to the same diagonal, we have \(j-i\) as a constant.
Considering all the nonzero elements in \({\textbf {U}}^{\epsilon ^k_{m\times n}}_{i,j}\), we have
Since \(\max (k)=l-1\) and \(\max (i)=m\cdot n-1\), we have
Therefore, we get \(\left\lfloor \frac{k\cdot m+i}{m\cdot l}\right\rfloor \in \{0,1,\ldots ,\left\lfloor \frac{n}{l} \right\rfloor \}\). Then, \(j-i=k\cdot m-\left\lfloor \frac{k\cdot m+i}{m\cdot l}\right\rfloor \cdot m\cdot l\). k, m and l are all constant number for one transformation. The set \(\{0,1,\ldots ,\left\lfloor \frac{n}{l} \right\rfloor \}\) is of size \(\left\lfloor \frac{n}{l} \right\rfloor +1\). In summary, \({\textbf {U}}^{\epsilon ^k_{m\times n}}\) has at most \(\left\lfloor \frac{n}{l} \right\rfloor +1\) constant values when \({\mathcal {A}}_{m\times l}\) in column-major.
Special circumstances are when \(n=l\), \(\left\lfloor \frac{n}{l} \right\rfloor =1\). Therefore, \(\left\lfloor \frac{n}{l} \right\rfloor +1=2\) and this means \({\textbf {U}}^{\epsilon ^k_{m\times n}}\) has only 2 nonzero diagonals when \(n=l\)..
When applying \(\epsilon\) transformation on matrix \({\mathcal {A}}_{m\times l}\) in row-major order, we can formulate permutation matrix according to formula (15), but apply on \({\mathcal {A}}_{l\times m}\) instead of \({\mathcal {A}}_{l\times n}\). Note that \({\textbf {U}}^{\epsilon ^k_{m\times n}}_{i,j} = 1\) when \(j=[k+[i]_n]_{l}+\left\lfloor i/n \right\rfloor \cdot l\) and, for all elements of \({\textbf {U}}^{\epsilon ^k_{m\times n}}_{i,j}\) that belong to the same diagonal, we have \(j-i\) as a constant.
Considering all the nonzero elements in \({\textbf {U}}^{\epsilon ^k_{m\times n}}_{i,j}\), we have
Since \(i\in [0,mn)\), we split i to m circumstances that \(i\in [pn,(p+1)n)\) where \(p =\{0,1,2,\ldots ,m-1\}\). For each circumstance that \(i\in [pn,(p+1)n)\), we have
and
Note that we have
which has \(2 + \left\lfloor \frac{n}{l} \right\rfloor\) constant values. And this means \(j-i\), which represents the number of nonzero diagonals in \({\textbf {U}}^{\epsilon ^k_{m\times n}}\), has \((2 + \left\lfloor \frac{n}{l} \right\rfloor )\cdot m\) in total when \({\mathcal {A}}_{m\times l}\) in row-major because there are m circumstances.
Special circumstances are when \(n=l\), \(j-i \in \{0,1\}\). The reason is that, since
and we also have \(k<l\) and \({[i]_n}<{l}\), thus
On the other hand, we have
for each \(i\in [pn,(p+1)n)\). \(j-i\) has the same constant value in each \(i\in [pn,(p+1)n)\) and this means \({\textbf {U}}^{\epsilon ^k_{m\times n}}\) has only 2 nonzero diagonals when \(n=l\). \(\square\)
Theorem
3.4 Let \(\omega ^k_{m\times n}({\mathcal {B}}) = {\textbf {U}}^{\omega ^k_{m\times n}} {\mathcal {B}}\) be the linear transformation \(\omega _{m\times n}: {\mathcal {R}}_{l\times n} \rightarrow {\mathcal {R}}_{m\times n}\) with matrix \({\mathcal {B}}\) having a dimension of \(l\times n\). There are at most \((\left\lfloor \frac{m}{l} \right\rfloor +2)\cdot n\) nonzero diagonal vectors in \({\textbf {U}}^{\omega ^k_{m\times n}}\) when the matrix is flattened with column-major order. There are at most \(\left\lfloor \frac{m}{l} \right\rfloor +1\) nonzero diagonal vectors in \({\textbf {U}}^{\omega ^k_{m\times n}}\) when matrix \({\mathcal {B}}\) is flattened with row-major order. Specifically, when \(m=l\), there are no more than two nonzero diagonals in \({\textbf {U}}^{\omega ^k_{m\times n}}\), no matter if the matrix is flattened in column-major or row-major order.
Proof
When applying \(\omega\) transformation on matrix \({\mathcal {B}}_{l\times n}\) in column-major order, \({\textbf {U}}^\omega\) is formulated in Eq. (15). Note that \({\textbf {U}}^{\omega ^k_{m\times n}}_{i,j} = 1\) when \(j=[k+[i]_m]_{l}+\left\lfloor i/m \right\rfloor \cdot l\) and, for all elements of \({\textbf {U}}^{\omega ^k_{m\times n}}_{i,j}\) that belong to the same diagonal, we have \(j-i\) as a constant.
Considering all the nonzero elements in \({\textbf {U}}^{\omega ^k_{m\times n}}_{i,j}\), we have
Since \(i\in [0,mn)\), we split i to n circumstances that \(i\in [pm,(p+1)m)\) where \(p =\{0,1,2,\ldots ,n-1\}\). For each circumstance that \(i\in [pm,(p+1)m)\), we have
and
Note that we have
which has \(2 + \left\lfloor \frac{m}{l} \right\rfloor\) constant values. And this means \(j-i\), which represents the number of nonzero diagonals in \({\textbf {U}}^{\omega ^k_{m\times n}}\), has \((2 + \left\lfloor \frac{m}{l} \right\rfloor )\cdot n\) in total when \({\mathcal {B}}_{m\times l}\) in row-major because there are n circumstances.
Special circumstances are when \(m=l\), \(j-i \in \{0,1\}\). The reason is that, since
and we also have \(k<l\) and \({[i]_l}<{l}\), thus
On the other hand, we have
for each \(i\in [pm,(p+1)m)\). \(j-i\) has the same constant value in each \(i\in [pm,(p+1)m)\) and this means \({\textbf {U}}^{\omega ^k_{m\times n}}\) has only 2 nonzero diagonals when \(m=l\).
When applying \(\omega\) transformation on matrix \({\mathcal {B}}_{l\times n}\) in row-major order, we can formulate permutation matrix according to formula (14), but apply on \({\mathcal {B}}_{n\times l}\) instead of \({\mathcal {B}}_{m\times l}\). Note that \({\textbf {U}}^{\omega ^k_{m\times n}}_{i,j} = 1\) when \(j=[k\cdot n+i]_{n\cdot l}\) and, for all elements of \({\textbf {U}}^{\omega ^k_{m\times n}}_{i,j}\) that belong to the same diagonal, we have \(j-i\) as a constant.
Considering all the nonzero elements in \({\textbf {U}}^{\omega ^k_{m\times n}}_{i,j}\), we have
Since \(\max (k)=l-1\) and \(\max (i)=m\cdot n-1\), we have
Therefore, we get \(\left\lfloor \frac{k\cdot n+i}{n\cdot l}\right\rfloor \in \{0,1,\ldots ,\left\lfloor \frac{m}{l} \right\rfloor \}\). Then, \(j-i=k\cdot n-\left\lfloor \frac{k\cdot n+i}{n\cdot l}\right\rfloor \cdot n\cdot l\). Here, k, n and l are all constant number for one transformation. The set \(\{0,1,\ldots ,\left\lfloor \frac{m}{l} \right\rfloor \}\) is of size \(\left\lfloor \frac{m}{l} \right\rfloor +1\). In summary, \({\textbf {U}}^{\omega ^k_{m\times n}}\) has at most \(\left\lfloor \frac{m}{l} \right\rfloor +1\) constant values when \({\mathcal {B}}_{m\times l}\) in row-major.
Special circumstances are when \(m=l\), \(\left\lfloor \frac{m}{l} \right\rfloor =1\). Therefore, \(\left\lfloor \frac{m}{l} \right\rfloor +1=2\) and this means \({\textbf {U}}^{\omega ^k_{m\times n}}\) has only 2 nonzero diagonals when \(m=l\). \(\square\)
Theorem
3.5 Let \({\mathcal {A}}_{m\times l}\) and \({\mathcal {B}}_{l\times n}\) with \(m < l\), and let \({\bar{A}}\) be matrix expanded with \(t=\left\lceil \frac{l}{m} \right\rceil\) copies of \({\mathcal {A}}\) vertically, i.e., \(\bar{{\mathcal {A}}} = \{\bar{A_0}; \bar{A_1};\ldots ; {\bar{A}}_{(t-1)}\}^T\) with \(\bar{A_0}=\bar{A_1}=\cdots = {\bar{A}}_{(t-1)}={\mathcal {A}}_{m\times l}\). Then,
-
\(\epsilon ^k_{tm\times n} ( \sigma (\bar{{\mathcal {A}}}))\odot \omega ^k_{tm\times n} ( \tau ({\mathcal {B}}))\) contains t items of \(\epsilon ^p_{m\times n} ( \sigma ({\mathcal {A}}))\odot \omega ^p_{m\times n} ( \tau ({\mathcal {B}}))\), with \(p \in \{[k]_l,[k+m]_l,\ldots , [k+(t-1)m]_l\}\).
-
\(\epsilon ^k_{tm\times n} ( \sigma (\bar{{\mathcal {A}}}))\odot \omega ^k_{tm\times n} ( \tau ({\mathcal {B}}))\), \(k=0,1,\ldots ,(m-1)\) contains all items of \(\epsilon ^p_{m\times n} (\sigma ({\mathcal {A}}))\odot \omega ^p_{m\times n} (\tau ({\mathcal {B}}))\), with \(p\in \{0, 1,\ldots , (l-1)\}\).
Proof
Consider a sub-matrix of \((\epsilon ^k_{tm\times n} \circ \sigma ({\bar{{\mathcal {A}}})})\) with dimension of \(m\times n\), i.e., \((\epsilon ^k_{tm\times n} \circ \sigma ({\bar{{\mathcal {A}}})})_{hm+i,j}\), where \(0 \le i< m, 0 \le j < n\). h is a constant with \(0 \le h < t\). Based on Eq. (1) and (3), we have
On the other hand, let \(p = [k+hm]_l\), for \(0 \le i< m, 0 \le j < n\), we have
Similarly, consider the sub-matrix of \((\omega ^k_{tm\times n} \circ \tau ({{\mathcal {B}}}))\) with dimension of \(m\times n\), i.e., \((\omega ^k_{tm\times n} \circ \tau ({{\mathcal {B}}}))_{hm+i,j}\), with \(0 \le i< m, 0 \le j < n\). Based on Eq. (2) and (4), we have
If we let \(p = [k+hm]_l\), for \(0 \le i< m, 0 \le j < n\), and \(0 \le h < t\), we have
Since \(0 \le h < t\), there are total t sub-matrices in \(\epsilon ^k_{tm\times n} ( \sigma (\bar{{\mathcal {A}}}))\) and \(\omega ^k_{tm\times n}(\tau ({\mathcal {B}}))\), the conclusion for the first part of the theorem follows naturally from Eqs. (16) to (19).
To prove the second part of the theorem, we only need to note that since \(t=\left\lceil \frac{l}{m} \right\rceil\), we have \(tm \ge l\). Therefore, for any \(p\in \{0, 1,\ldots , (l-1)\}\), we must be able to find at least one set of k and h, with \(0 \le k < m\), \(0 \le h <t\), and \(p = [k+hm]_l\). Together with Eqs. (16) to (19), we thus prove the theorem. \(\square\)
Theorem
3.6 Let \({\mathcal {A}}_{m\times l}\) and \({\mathcal {B}}_{l\times n}\) with \(n < l\), and let \(\bar{{\mathcal {B}}}\) be matrix expanded with \(t=\left\lceil \frac{l}{n} \right\rceil\) copies of \({\mathcal {B}}\) horizontally, i.e., \(\bar{{\mathcal {B}}} = \{{\mathcal {B}}; {\mathcal {B}};\ldots ; {\mathcal {B}}\}\). Then,
-
\(\epsilon ^k_{m\times tn}( \sigma ({\mathcal {A}}))\odot \omega ^k_{m\times tn}( \tau (\bar{{\mathcal {B}}}))\) contains t items of \(\epsilon ^p_{m\times n}( \sigma ({\mathcal {A}}))\odot \omega ^p_{m\times n}( \tau ({\mathcal {B}}))\), with \(p=[k]_l, [k+n]_l,\ldots , [k+(t-1)n]_l\);
-
\(\epsilon ^k_{m\times tn}( \sigma ({\mathcal {A}}))\odot \omega ^k_{m\times tn}( \tau (\bar{{\mathcal {B}}})\), \(k=0,1,\ldots ,(n-1)\) contains all items of \(\epsilon ^p_{m\times n}( \sigma ({\mathcal {A}}))\odot \omega ^p_{m\times n}( \tau ({\mathcal {B}}))\), with \(p=0, 1,\ldots , (l-1)\).
Proof
Consider a sub-matrix of \((\epsilon ^k_{m\times tn} \circ \sigma ({{\mathcal {A}})})\) with dimension of \(m\times n\), i.e., \((\epsilon ^k_{m\times tn} \circ \sigma ({{\mathcal {A}})})_{i,hn+j}\), where \(0 \le i< m, 0 \le j < n\). h is a constant with \(0 \le h < t\). Based on Eqs. (1) and (3), we have
On the other hand, let \(p = [k+hn]_l\), for \(0 \le i< m, 0 \le j < n\), we have
Similarly, consider the sub-matrix of \((\omega ^k_{m\times tn} \circ \tau (\bar{{\mathcal {B}}}))\) with dimension of \(m\times n\), i.e., \((\omega ^k_{m\times tn} \circ \tau (\bar{{\mathcal {B}}}))_{i,hn+j}\), with \(0 \le i< m, 0 \le j < n\). Based on Eq. (2) and (4), we have
If we let \(p = [k+hn]_l\), for \(0 \le i< m, 0 \le j < n\), and \(0 \le h < t\), we have
Since \(0 \le h < t\), there are total t sub-matrices in \(\epsilon ^k_{m\times tn} ( \sigma ({\mathcal {A}}))\) and \(\omega ^k_{m\times tn}(\tau ({\mathcal {B}}))\), the conclusion for the first part of the theorem follows naturally from Eqs. (20) to (23).
To prove the second part of the theorem, we only need to note that since \(t=\left\lceil \frac{l}{n} \right\rceil\), we have \(tn \ge l\). Therefore, for any \(p\in \{0, 1,\ldots , (l-1)\}\), we must be able to find at least one set of k and h, with \(0 \le k < m\), \(0 \le h <t\), and \(p = [k+hn]_l\). Together with Eqs. (20) to (23), we thus prove the theorem. \(\square\)
Appendix 2: Meaning of symbolize
See Table 9.
Appendix 3: Some experiments results
See Table 10.
Rights and permissions
Springer Nature or its licensor (e.g. a society or other partner) holds exclusive rights to this article under a publishing agreement with the author(s) or other rightsholder(s); author self-archiving of the accepted manuscript version of this article is solely governed by the terms of such publishing agreement and applicable law.
About this article
Cite this article
Gao, Y., Quan, G., Homsi, S. et al. Secure and efficient general matrix multiplication on cloud using homomorphic encryption. J Supercomput 80, 26394–26434 (2024). https://doi.org/10.1007/s11227-024-06428-8
Accepted:
Published:
Issue Date:
DOI: https://doi.org/10.1007/s11227-024-06428-8