Secure Multi-Party Linear Algebra with Perfect Correctness

Abstract

We present new secure multi-party computation protocols for linear algebra over a finite field, which improve the state of the art in terms of security. We consider the case of unconditional security with perfect correctness, i.e., information-theoretic security without errors. We notably propose an expected constant-round protocol for solving systems of $m$ linear equations in $n$ variables over $\mathbb{F}_q$ with expected complexity $O(k(n^{2.5} + m^{2.5} + n^2 m^{0.5}))$ where $k > m(m+n)+1$ (complexity is measured in terms of the number of secure multiplications required). The previous proposals were not error-free: known protocols can indeed fail and thus reveal information with probability $\Omega(\mathrm{poly}(m)/q)$. Our protocols are simple and rely on existing computer-algebra techniques, notably the Preparata-Sarwate algorithm, a simple but poorly known "baby-step giant-step" method for computing the characteristic polynomial of a matrix, and techniques due to Mulmuley for error-free linear algebra in positive characteristic.


Introduction
The importance of linear algebra computation over finite fields for a wide range of tasks is well established (e.g. for integer polynomial factorization, Gröbner basis computation, integer system solving, large integer factorization, discrete logarithms, error-correcting codes, ...). The concept of secure multi-party computation (MPC) was introduced by Yao [Yao86] and allows mutually distrusting parties to run joint computations without disclosing any participant's private inputs.
We present new MPC protocols for linear algebra computation over a finite field, improving state-of-the-art security. We notably propose efficient protocols for (matrix) polynomial evaluation, determinant computation, and other linear algebra problems, particularly the computation of the characteristic polynomial, which underlies many problems such as the resolution of linear systems of equations. We target protocols with unconditional, everlasting security, without relying on unproven intractability assumptions. There already exist numerous protocols in this setting, but we require in addition that in our protocols (honest) parties always get a valid output and that the protocols fail with zero error probability. Indeed, known protocols can fail and thus reveal information on the parties' inputs. Apart from being a natural goal, achieving unconditional security and perfect correctness provides important security advantages over protocols that have a negligible probability of failure. Indeed, it has been proven that every protocol that is perfectly secure in the stand-alone model is secure under concurrent general composition [KLR06]. Moreover, we target efficient multi-party protocols, meaning that our protocols enjoy both low communication and low round complexity. Indeed, since in almost all systems the time spent on sending and receiving messages is large compared to local computation time, one tries to achieve expected constant round complexity while keeping the communication complexity as low as possible.

Related work
General results in MPC do not yield efficient protocols for linear algebra with information-theoretic security. Cramer and Damgård [CD01] proposed the first efficient information-theoretically secure MPC protocols for solving linear systems, i.e. protocols that achieve security even against computationally unbounded adversaries. The main focus of their proposal was to achieve constant-round complexity, and they notably proposed a constant-round protocol for solving $m$ equations in $n$ variables with communication complexity $\Omega(n^4)$ elements of the underlying finite field, which can be reduced to $O(n^3)$ with the subsequent matrix product protocol from [MW08]. In 2007, Cramer, Kiltz and Padró [CKP07] designed a constant-round protocol for solving $m$ equations in $n$ variables with communication complexity $O(n^4 + n^2 m)$. Then, Mohassel and Weinreb [MW08] developed a constant-round protocol, with $O(t\, n^{2+1/t})$ communication for every constant $t \in \mathbb{N}$, for computing the rank and solving a shared linear system of equations. In all the protocols from [CD01, CKP07, MW08], non-zero error probabilities arise when the parties happen to obliviously select zeroes of "hidden" polynomials. This error probability is typically a polynomial in the dimensions of the matrix considered divided by the cardinality of the underlying finite field (e.g. $\Theta(m^2/q)$ in [CKP07, MW08] over a finite field $\mathbb{F}_q$). The authors of [CD01, CKP07, MW08] thus have to consider only large values of $q$, typically $q$ superpolynomial in $m$, to achieve protocols with negligible error probability (which may not be compatible with the problem being solved), or to instantiate the protocols in large enough extensions of the underlying finite field (which increases the computation and communication costs). Even in these cases, the error probability is not zero and may reveal information on the parties' inputs. In [CD01], Cramer and Damgård mentioned a work in progress (co-authored with Daza) to achieve perfect security, but as far as we know, this work has not been published, and it remains an open problem to propose efficient constant-round protocols for linear algebra with perfect correctness and unconditional security.
Numerous protocols were also proposed for computationally secure MPC linear algebra. For instance, using the garbled circuit method of Yao [Yao86], one can get a constant-round two-party protocol for various linear algebraic problems. A protocol due to Nissim and Weinreb [NW06] was the first to improve the communication complexity to roughly $O(n^2)$ (for $n\times n$ matrices), but with a trade-off of a large $O(n^{0.275})$ round complexity. The protocols from [CD01, CKP07] can be readily adapted to the computationally-secure setting using linearly homomorphic encryption schemes, and the resulting schemes achieve similar complexities. Later, [KMWF07] achieved $O(n^2\log n)$ communication complexity and $O(\log n)$ round complexity with an ingenious concatenation idea to compute iterated powers of a matrix. This protocol to solve linear systems also has a non-zero error probability of $3n^2/q$ over a finite field of cardinality $q$. The protocols from [MW08] can also be adapted to the computational setting (with similar complexities and error probability). Finally, Bouman and de Vreede [BdV18] recently proposed two protocols, one based on (oblivious) Gaussian elimination with $O(n^3)$ computational complexity and $O(n)$ round complexity, and one based on block-recursive matrix decomposition with $O(n^2)$ computational complexity and $O(n^{1.585})$ round complexity. Both protocols use a preconditioning method, and non-zero error probabilities also arise.

Our contributions
We present new secure multi-party computation protocols for linear algebra over a finite field with unconditional security and perfect correctness, i.e., information-theoretic security without error. These protocols rely on known techniques in computer algebra, and their adaptation to an MPC setting is actually more routine than innovative. However, even if this paper has an expository character, we contend that describing these protocols is of interest to the community given their potential impact on the design of threshold cryptosystems. In particular, NIST has recently initiated a process to solicit, evaluate, and standardize "threshold schemes, for a secure distribution of trust in the operation of cryptographic primitives". Variants of our protocols (with security against malicious adversaries) could find applications in the design of post-quantum threshold digital signatures. They can be used to distribute the signing algorithms used, for instance, in the code-based Wave signatures [DST19] or the multivariate Unbalanced Oil and Vinegar signatures [KPG99, Beu21, BCH+23] (both of which require solving a linear system over a small finite field).
Previous efficient proposals [CKP07, KMWF07, MW08] are based on the computation of a certain characteristic polynomial. Cramer, Kiltz, and Padró [CKP07] presented a protocol for secure polynomial evaluation of a shared polynomial of degree $d$ at a shared point that runs in a constant number of rounds and $O(d)$ secure multiplications. However, the protocol leaks information about the input with probability $1/q$ over a finite field of cardinality $q$. Then, they developed a perfectly correct protocol with $O(d)$ secure multiplications using Chebyshev polynomials. As a first contribution, we propose simple secure protocols for polynomial evaluation of a shared polynomial of degree $d$ at a shared point with perfect correctness that run in $O(t)$ rounds and have communication complexity $O(t\,d^{1/t})$ for any parameter $t\in\mathbb{N}$. For polynomial evaluation of a shared polynomial at a shared $n\times n$ matrix, the complexity increases to $O(t\,n^2 d^{1/t})$. These protocols are of independent interest and can be used for instance in the recent Polymath framework of Lu, Yu, Kate, and Maji [LYKM22], giving secure polynomial evaluations of scalars and matrices whose round complexity (and therefore latency) is independent of the polynomial degree and matrix dimensions (and therefore for their interesting use cases of privacy-preserving evaluation of decision trees and of Markov processes).
Using these tools, we propose an expected constant-round protocol for solving systems of $m$ linear equations in $n$ variables over $\mathbb{F}_q$ with expected complexity $O(k(n^{2.5} + m^{2.5} + n^2 m^{0.5}))$ (where complexity is measured in terms of the number of secure multiplications required) for $k > m(m+n)+1$ when the field characteristic is greater than $n$. This last condition can be removed via a work of Schönhage [Sch93] for securely computing the characteristic polynomial over a field of positive characteristic. This increases the communication cost by a factor $n$.
As mentioned above, our protocols are simple and rely on existing computer algebra techniques. In particular, we make use of the Preparata-Sarwate algorithm [PS78]. It is a simple "baby-step giant-step" method for computing the characteristic polynomial, determinant, and adjugate of an $n\times n$ matrix using only ring operations together with exact divisions by small integers, with complexity $O(n^{2.5})$. This algorithm is poorly known and has been rediscovered several times (see e.g. [Joh20]). We adapt this algorithm for secure MPC using classical techniques. The algorithm boils down to performing $O(\sqrt{n})$ multiplications of matrices, each naively requiring $O(n^2)$ operations in the ring. We take up a technique sketched without details in [MW08] allowing us to perform these multiplications at a communication cost similar to $O(n^2)$ secure multiplications (but always with a computational cost in $O(n^3)$).
Using this error-free protocol, we follow the blueprint from [CKP07] and obtain an error-free protocol for the computation of the Moore-Penrose pseudo-inverse of a matrix $A$ over a finite field. This requires computing the characteristic polynomial of the so-called Gram matrix of $A$, from which we can compute the Moore-Penrose pseudo-inverse via a technique due to Diaz-Toca, Gonzalez-Vega and Lombardi [DGL05], an extension of the work of Mulmuley [Mul86], to achieve perfect correctness (and avoid the errors and possible leakage on the parties' inputs from [CKP07]).

Preliminaries
We denote by $\mathbb{F}_q$ a finite field with $q$ elements, and by $\mathrm{GL}_n(\mathbb{F}_q)$ the subset of non-singular matrices of $\mathbb{F}_q^{n\times n}$, which is a group for multiplication (with $n\in\mathbb{N}$).
Secure Multi-Party Computation (MPC). MPC deals with a set of parties who want to compute a public function of their secret inputs such that each party obtains the correct result but no additional information about the other parties' inputs. We consider the honest-but-curious model (or semi-honest setting), in which parties try to find out as much as possible about the other inputs while following the protocol.
Security Model. Protocols can be categorized based on their security into two main types: those relying on computational hardness assumptions and those that are unconditionally (information-theoretically) secure. We focus on the second category: we construct protocols secure against adversaries with unlimited computing resources and time. Moreover, our protocols leak no information with probability 1, and thus achieve perfect correctness. In the following, when we say that a protocol is secure, we mean that it is unconditionally secure.
Complexity Measures. Two measures of complexity are important for our protocols. The first one is the communication complexity, i.e., the total number of bits exchanged during the whole execution of the protocol. This complexity only depends on the number of secure multiplications that the protocol requires, since for protocols relying on linear secret sharing (see below) only secure multiplications involve communication between parties. We consider a secure multiplication protocol that needs to communicate 2 field elements per invocation. Hence, determining the communication complexity of a protocol is equivalent to counting the number of calls to the secure multiplication subprotocol. Fortunately, parties can batch some multiplications before interacting with the others, decreasing the communication complexity. The second complexity measure is the round complexity, i.e., the number of sequential rounds of secure multiplication that the protocol invokes. In other words, it corresponds to the number of interactions during which each party is allowed to send one flow of messages to the other parties.

Definitions of our theoretical information model
The protocols that we present do not rely on any cryptographic assumption, except that the underlying secret sharing has to be unconditionally secure. Let $P_1,\dots,P_k$ be $k$ parties taking part in some MPC protocol. We use a linear secret sharing scheme over a finite field $\mathbb{F}_q$ to design secure MPC protocols.
Linear secret sharing scheme. A secret sharing scheme is a cryptographic primitive with a sharing and a reconstruction phase. The sharing phase allows a secret to be distributed among a group of parties (by some dealer). Once the secret has been distributed, each of the parties holds a share of the secret. On its own, this share does not reveal any information about the secret, unless combined with sufficiently many other shares of a subset of the participants (the reconstruction phase). One denotes by $[s]$ a secret sharing of $s\in\mathbb{F}_q$, with $[s]_i$ the share of the party $P_i$ (for $1\le i\le k$). A secret sharing scheme is linear if the reconstruction function of the secret from the shares is a linear mapping. Due to the linearity of the secret sharing, given secret sharings $[a]$ and $[b]$ and a third field element $c\in\mathbb{F}_q$, parties can compute their share of the secret sharing $[a + cb]$ locally (i.e. without communication). Furthermore, we require our linear secret sharing scheme to be multiplicative. In a nutshell, this means that a party $P_i$ can use its shares from $[a]$ and $[b]$ to locally compute a value $c_i$. Then, via some computation using the $c_i$'s, parties communicate to realize a refreshing step. Based on a public reconstruction vector $\lambda\in\mathbb{F}_q^k$, the product $ab$ can be reconstructed, hence leading to a secret sharing of $ab$. Moreover, one can construct a multiplicative linear secret sharing scheme from any linear secret sharing scheme without loss of efficiency [CDM00]. We may use Shamir's secret sharing along with the BGW protocol [BGW88] with quadratic communication (in the number of parties) per secure multiplication. But any other linearly homomorphic secret sharing with, for example, the Damgård-Nielsen multiplication protocol [DN07] yields a protocol with linear communication at the cost of preparing a pair of random double sharings for each multiplication gate.
The sharing of a vector, or more generally of a matrix, is understood component-wise. In the same spirit, the sharing of a polynomial $p(x)$ A well-known multiplicative linear secret sharing scheme is Shamir's secret sharing, based on polynomial interpolation over some finite field. Given a public set of $k$ distinct non-zero field points $\{\alpha_1,\dots,\alpha_k\}\subset\mathbb{F}_q$, the share of ] is a random polynomial with constant term $s$ and degree $d<k$. In particular, the field size has to be larger than the number of players. Any subset of $d+1$ shares enables recovery of the secret; however, a subset with fewer than $d+1$ shares does not reveal any information about the secret.
Field element multiplication. Given a multiplicative secret sharing, one assumes that it has a secure MPC protocol Mult which computes the product of sharings of $a$ and $b$ with constant communication and round complexity. We detail this protocol in the proof of Theorem 2. For example, when dealing with Shamir's secret sharing, the BGW protocol [BGW88] directly provides Mult([a], [b]) (and requires $k^2\log_2(q)$ bits of communication, where $k$ is the number of parties, which corresponds to one round of dealing). Thus, the communication complexity, which usually corresponds to the number of bits exchanged during the protocol, can also be expressed in terms of the number of secure multiplications over the field (for every considered protocol, a factor $k^2$ is hidden in the communication complexity). As an example, if a protocol involves $\alpha$ secure multiplications in parallel and later in the protocol $\beta$ secure multiplications in parallel, then the round complexity is at most 2 and the communication complexity is $\alpha+\beta$. Up to now, we have been looking at the communication complexity over $\mathbb{F}_q$, but at some point we may need to work over a field extension. The complexity will still be stated over the base field (i.e. the number of secure multiplications over the base field).
Random element. To generate a sharing of a random value, each party $P_i$ chooses at random a sharing $[r_i]$ of a random element $r_i\in\mathbb{F}_q$ and deals it to the other parties such that at the end The communication complexity is $k^2\log q$, thus bounded by one invocation of the secure multiplication protocol.
Test to zero. Assume that each party owns a share of $a\in\mathbb{F}_q$, and suppose that they would like to compute a share of $1$ if $a\neq 0$ or a share of $0$ if $a=0$. For this purpose, there exists a protocol from Damgård et al. [DFK+06] in a constant number of rounds and with $O(\log\log q)$ communication, improved by Nishide and Ohta [NO07] with a protocol with $O(1)$ communication complexity.

Matrix multiplication.
Let $A\in\mathbb{F}^{m\times\ell}$ and $B\in\mathbb{F}^{\ell\times n}$ be shared matrices. A naive approach to compute $[AB]$ would be to compute it component-wise with $n\ell m$ parallel invocations of Mult. The work [MW08] reduces this communication complexity from $O(m\ell n)$ to $O(mn)$. We immediately adapt this protocol for the inner product (with constant communication), and for matrix-vector multiplication with linear communication (in the size of the vector) and constant rounds.

Generation of random non-singular matrices.
To generate a set of $m$ random non-singular matrices, consider the following Protocol 1.
Protocol 1: Generation of random non-singular matrices (NonSingularMatrix)
Data: The target number $m$ of drawn non-singular $n\times n$ matrices over $\mathbb{F}_q$, $I\leftarrow\emptyset$, and a counter $\eta\leftarrow 1$.
Result: A set of $m$ such random non-singular matrices.
1. Parties conjointly construct $c$ couples $(R_i, S_i)$ of random shared matrices in parallel, and securely multiply $R_i S_i =: T_i$ with $O(n^2)$ communication and $O(1)$ rounds for each $i\in\{1,\dots,c\}$.

2. Parties reveal $T_i$ and publicly check whether
If $\#I\ge m$, go to 3. Otherwise, set $I\leftarrow\emptyset$, $\eta\leftarrow\eta+1$ and go back to 1.
3. For the $m$ matrices $R_i\in I$, parties publicly invert the corresponding $T_i$ and multiply
The security of this protocol relies on the security of the previous protocols (generation of random elements, secure multiplication protocol) and on the fact that $\mathrm{GL}_n(\mathbb{F}_q)$ is a group for multiplication. Indeed, we then get that $T_i = R_i S_i$ is a uniform random element of $\mathrm{GL}_n(\mathbb{F}_q)$ and thus Step 2 of Protocol 1 reveals no information.
Lemma 1. Protocol 1 to randomly generate $m$ non-singular $n\times n$ matrices over $\mathbb{F}_q$ has expected $O(m n^2)$ communication and expected $O(1)$ round complexity.
Proof. In the following, we pick $c = \Theta(m)$, thus the overall communication complexity is $O(\eta\, m n^2)$. Since Step 1 is realized in parallel, the overall round complexity is $O(\eta)$. Indeed, Step 1 can be realized via the Random element protocol from subsection 2.1 with $O(m n^2)$ communication and constant rounds. We show via the Chernoff bound theorem that the overall protocol has in fact expected $O(m n^2)$ communication and $O(1)$ round complexity. We apply the lower tail of the Chernoff bound theorem (see Appendix 10). Consider $\eta$ trials of $(1+\frac{3}{q-1})m$ drawings of two random non-singular matrices over $\mathbb{F}_q$. The result of the $j$-th drawing of the $i$-th trial is modelled by the random variable $X_{i,j}$: where $M_n(\mathbb{F}_q)$ is the monoid of $n\times n$ matrices over $\mathbb{F}_q$. Otherwise, the probability for a matrix to be invertible is at least $1/4$. See Appendix 8 for further details. Therefore, the probability that in a couple both random matrices are non-singular is at least of Protocol 1), then the expected number of couples with both non-singular matrices is at least By defining $\mu$ : one has that $\mu > \eta m$. Since the $X_{i,j}$'s are independent random variables, so are the $X_i$'s. $X_i$ is the characteristic function of the event that the number of pairs of random non-singular matrices among the $(1+\frac{3}{q-1})m$ drawings of the $i$-th trial is less than $m$. Therefore, $X$ is a sum of independent Bernoulli trials, thus we can apply the Chernoff bound theorem (see Appendix 10), and the lower tail gives us Since $\mu > \eta m\ge\eta$, one has: Therefore, for every $\epsilon$, however small, there exists a constant (which depends on $\delta$) such that the probability that the counter $\eta$ in Protocol 1 exceeds this constant is bounded by $\epsilon$.

Matrix inversion.
Let $A\in\mathbb{F}^{n\times n}$ be a shared non-singular matrix. The inversion protocol from Bar-Ilan and Beaver [BB89] works as follows: parties generate a shared random non-singular matrix $R\in\mathbb{F}^{n\times n}$ with Protocol 1, and securely compute $AR$ with (expected) $O(n^2)$ communication. They reveal it and invert it publicly. Then they locally compute is a group for multiplication, $AR$ is a uniform random element of $\mathrm{GL}_n(\mathbb{F})$ and thus reveals no information. With Lemma 1, this protocol has expected $O(n^2)$ communication and $O(1)$ round complexity.

Power of a matrix
Let $A\in\mathbb{F}_q^{n\times n}$. The following protocol to compute sharings of powers of $A$ is based on a variant of an iterated products method developed in [BB89] and works as follows. Generate two non-singular shared random matrices $M$ and $N$ in $\mathbb{F}_q^{n\times n}$. Following the above discussion, parties securely compute $[M^{-1}]$ and $[N^{-1}]$. Then they securely compute by local computation. This reasoning can be iterated to get higher shared powers of $A$. Hence, to compute the first $m$ shared powers of $A$, the protocol needs to generate $2m$ non-singular matrices (e.g. with Protocol 1).
One presents the following protocol to compute the first $m$ powers of a matrix $A\in\mathbb{F}_q^{n\times n}$:
Protocol 2: Basic Power Computation Protocol (Power)
4. They reveal all the $N_i$'s and compute in the clear
This Protocol 2, for computing the first $m$ powers of a matrix $A\in\mathbb{F}_q^{n\times n}$, has expected $O(m n^2)$ communication and $O(1)$ round complexity. Step 1 yields expected $O(m n^2)$
However, this protocol is not perfectly correct because of step 4: if the matrix $A$ is singular, then the protocol reveals its determinant. We explain later how to manage this leakage by developing and proving a secure protocol.

Managing the error-probability
The Power protocol to compute shared powers of $A\in\mathbb{F}^{n\times n}$ needs, after drawing two shared random non-singular matrices $M,N\in\mathbb{F}^{n\times n}$, to reveal $[M A N^{-1}]$, and so if its determinant is $0$ then one learns information about the determinant of $A$. To overcome this problem, one doubles the size of the matrix $A$ by adding identity block matrices: so that $\det(A^+) = 1$ regardless of the invertibility of $A$.
Once shared powers of $A^+$ are computed, parties would like to get shared powers of $A$. For $0\le i\le m$, from sharings of $I_{2n}, A^+, (A^+)^2,\dots,(A^+)^i$, one can deduce a sharing of $A^i$ using linear combinations (via linearity of the secret sharing). Indeed, the $n\times n$ top-left block of $(A^+)^i$, denoted by $(A^+)^i_1$, equals with some $\alpha_{i,j}\in\mathbb{F}$. This leads to the following triangular invertible linear system where and In the following, we call $A_m$ the matrix of this system.
Remark 1. Note that the recurrence relation defining Chebyshev polynomials appears in the inverse of the matrix $A_m$ in Equation 2; these are the same polynomials used by [CKP07].
The above discussion yields the following secure protocol SecPower with the same complexity as Power, i.e. expected constant rounds and $O(m n^2)$ communication, to securely compute the first $m$ powers of a matrix $A\in\mathbb{F}^{n\times n}$:
Protocol 3: Secure Power Computation (SecPower)
Proof. The correctness relies on that of Power and on the linear system (2). The round complexity is the same as Power (steps 1 and 2 have constant and expected constant rounds in parallel).
Step 3 contains no interaction between parties, thus the communication complexity is dominated by step 2, which is doubled compared to Power. We show that the protocol does not leak information about $A$. The crucial step is the fifth one in Power, during which values are revealed. Firstly, we call Power with the non-singular matrix $A^+$, thus the discussion in Section 2.3 ensures that no information about the determinant of $A$ leaks in step 5 of Power when $A$ is singular. Moreover, keeping the notation from Power, for every $2\le i\le m$ the couple $(R_{i-1}, R_i^{-1})$ hides $A^+$ because they are elements of $\mathrm{GL}_{2n}(\mathbb{F})$, a group under multiplication, thus $N_i = R_{i-1} A^+ R_i$ is a random element of $\mathrm{GL}_{2n}(\mathbb{F})$. So, revealing $N_i$ does not leak any information about $A$. At the end, each party has a share of each power of $A$, thus we shall check that this does not give additional information on $A$. In the last step of Power, shares of $A^j$ are constructed as $P_j [R_j] = [A^j]$. We have seen in the proof of Power that the $N_i$'s, and so the $P_j = \prod_{i=1}^{j} N_i$'s, are random elements of $\mathrm{GL}_{2n}(\mathbb{F})$, hence the sharings of the powers of $A$ are independent of each other and of the sharing of $A$.
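To make the determinant trick concrete, here is an added Python example (not code from the paper) working in the clear over $\mathbb{F}_{101}$ rather than on shares, since the algebra is the same. The page does not display the block layout of $A^+$; the example assumes the $2n\times 2n$ layout with blocks $A$ (top-left), $I_n$ (top-right), $-I_n$ (bottom-left) and $0$ (bottom-right), which has the stated property $\det(A^+) = 1$ for every $A$, and checks it for a singular and a non-singular $A$. It then recovers $A^0,\dots,A^m$ from the top-left blocks $T_i$ of $(A^+)^i$ by the triangular system: with this layout the blocks satisfy $T_{i+1} = A\,T_i - T_{i-1}$, the Chebyshev-type recurrence of Remark 1, so each $A^i$ is a linear combination of $T_i$ and lower powers, which in the protocol is a local operation on shares. The prime and the sample matrices are constructed values.

```python
P = 101  # prime field F_p, a constructed choice for this example


def identity(n):
    return [[1 if i == j else 0 for j in range(n)] for i in range(n)]


def matmul(X, Y):
    return [[sum(X[i][k] * Y[k][j] for k in range(len(Y))) % P
             for j in range(len(Y[0]))] for i in range(len(X))]


def det_mod_p(M):
    """Determinant over F_p by Gaussian elimination (each row swap flips the sign)."""
    M = [[x % P for x in row] for row in M]
    n, d = len(M), 1
    for c in range(n):
        piv = next((r for r in range(c, n) if M[r][c]), None)
        if piv is None:
            return 0
        if piv != c:
            M[c], M[piv] = M[piv], M[c]
            d = -d
        d = d * M[c][c] % P
        inv = pow(M[c][c], P - 2, P)
        for r in range(c + 1, n):
            f = M[r][c] * inv % P
            if f:
                M[r] = [(x - f * y) % P for x, y in zip(M[r], M[c])]
    return d % P


def embed(A):
    """A^+ with blocks [[A, I_n], [-I_n, 0]] (2n x 2n). The page only states that identity
    blocks are added so that det(A^+) = 1; this block layout is an assumption of the example."""
    n = len(A)
    top = [[A[i][j] % P for j in range(n)] + [1 if i == j else 0 for j in range(n)] for i in range(n)]
    bottom = [[(P - 1) if i == j else 0 for j in range(n)] + [0] * n for i in range(n)]
    return top + bottom


def powers(M, m):
    """[I, M, M^2, ..., M^m] computed in the clear (the protocol holds these as shares)."""
    out = [identity(len(M))]
    for _ in range(m):
        out.append(matmul(out[-1], M))
    return out


def top_left(M, n):
    return [row[:n] for row in M[:n]]


def recover_powers(A, m):
    """From the top-left blocks T_i of (A^+)^i, i = 0..m, recover A^0..A^m.
    T_i = sum_{j<=i} alpha_{i,j} A^j with alpha_{i,i} = 1, so the system is triangular:
    each A^i is T_i minus a linear combination of already recovered lower powers."""
    n = len(A)
    T = [top_left(Mi, n) for Mi in powers(embed(A), m)]
    # With this layout T_{i+1} = A T_i - T_{i-1}, so the coefficient rows alpha_i
    # follow the same recurrence: shift (multiply by A) and subtract the previous row.
    alpha = [[1], [0, 1]]
    for i in range(1, m):
        nxt = [0] + alpha[i]
        for j, cj in enumerate(alpha[i - 1]):
            nxt[j] = (nxt[j] - cj) % P
        alpha.append(nxt)
    recovered = []
    for i in range(m + 1):
        X = [row[:] for row in T[i]]
        for j in range(i):
            cj = alpha[i][j]
            if cj:
                X = [[(x - cj * y) % P for x, y in zip(rx, ry)] for rx, ry in zip(X, recovered[j])]
        recovered.append(X)
    return recovered
```

Running `recover_powers(A, m)` for a singular `A` returns the same list as `powers(A, m)`: the singularity of $A$ never influences what is revealed, which is the point of working with $A^+$.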

Secure matrix multiplication
With the naive approach based on the usual matrix multiplication, one would have an $O(n^3)$ communication complexity (and constant rounds) protocol for secure matrix multiplication. One uses [MW08] for an efficient protocol with $O(n^2)$ communication.
Consider the Shamir secret sharing scheme to illustrate the need for a joint refreshing/resharing step. Let $a,b\in\mathbb{F}$ with $|\mathbb{F}| = q$ be encoded by $f_a(x)$ and $f_b(x)$ via Shamir secret sharing, where $f_a$ and $f_b$ are two random rational polynomials of degree $\ell$ over $\mathbb{F}$ with $\ell$ smaller than $k$, the number of parties. Note that the constant term of $g(x) := f_a(x)f_b(x)$ is $ab$. Ben-Or et al. [BGW88] noticed two problems with using $g(x)$ to encode the product $ab$. The first one is that the degree of $g(x)$ is $2\ell$. As long as $q > 2\ell$, interpolation is possible; however, the degree rises with each multiplication, and this limits the number of multiplications that can be handled. The second problem comes from the fact that $g(x)$ is not a random polynomial of degree $2\ell$: for example, $g(x)$ is never irreducible. To overcome these two problems, we randomize the coefficients of $g(x)$ and reduce its degree while keeping the constant coefficient unchanged, as a refreshing step. Mohassel and Weinreb [MW08] took these remarks into account when stating the following theorem.
Theorem 2. Let $A\in\mathbb{F}^{m\times n}$ and $B\in\mathbb{F}^{n\times j}$ be two shared matrices. Then there exists a secure MPC protocol for computing a secret sharing of the product $AB$ with a constant number of rounds and $O(jm)$ communication.
We take the opportunity to give more details about this theorem; in particular, we prove the following corollary. For the sake of completeness, this corollary states a more general result by adapting the algorithm of Mohassel and Weinreb to securely compute the inner product, where $\langle\cdot,\cdot\rangle$ denotes the inner product.
We
3. Each party $P_t$ deduces a share of the secret by computing $c_t = \sum_{h=1}^{k}\lambda_h [c_t]_h$, where $(\lambda_1,\dots,\lambda_k)$ is the public recombination vector for the sharing scheme.
Corollary 1. Given two shared vectors $a$ and $b$ in $\mathbb{F}^n$, InnerProd is a secure protocol for computing a secret sharing of the inner product $\langle a,b\rangle$ with a constant number of rounds and $O(1)$ communication.
Proof. Protocol InnerProd has communication complexity $O(1)$: the only communication occurs during step 2, where each party sends a share of its secret to the other parties. The correctness of InnerProd follows from the proof of Corollary 1. We prove the security of InnerProd. Parties may learn information about $a$ or $b$ during the second step when they communicate with each other. From step 1, each party $P_t$ computes a secret $c_t$ and sends to the others a share of it. This sharing created by $P_t$ is independent of all the other sharings created by the other parties. Thus, $P_t$ does not learn more information about $a$ or $b$ by receiving shares from the other parties. Let us prove the correctness of Protocol 2.4 when dealing with the Shamir secret sharing scheme. Let $a,b\in\mathbb{F}_q^n$, and define $f_{a_j}(x)$ and $f_{b_j}(x)$ rational polynomials of degree $\ell$ respectively encoding $a_j$ and $b_j$ for $1\le j\le n$ via the Shamir secret sharing. Assume that $k\ge 2\ell+1$ where $k$ is the number of parties. Consider that party $P_i$ holds the values $f_{a_j}(i)$ and $f_{b_j}(i)$ for every $j\le n$. Define for every $j\le n$, and $f_{\langle a,b\rangle}(x) := \sum_{j=1}^{n} f_{a_j b_j}(x)$. Thus for $1\le i\le k$. This yields the following Vandermonde linear system:
, where the $ij$-th coefficient of the $(2\ell+1)\times(2\ell+1)$ matrix $A$ is $i^{j-1}$. Clearly, $A$ is invertible and we denote the first row of its inverse by $(\lambda_1,\dots,\lambda_{2\ell+1})$, the fixed recombination vector. Then Now one refreshes: $P_i$ shares the value $f_{\langle a,b\rangle}(i)$ by choosing a random polynomial $g_i(x)$ of degree $\ell$ such that $g_i(0) = f_{\langle a,b\rangle}(i)$. They give the value $g_i(j)$ to $P_j$ for every party. Therefore, each party $P_j$ can compute their share of $\langle a,b\rangle$ via the polynomial $G(x) = \sum_i \lambda_i g_i(x)$ of degree $\ell$: they locally compute the linear combination $G(j) = \sum_i\lambda_i g_i(j)$. $G(1),\dots,G(k)$ determine $G(0) = \langle a,b\rangle$ (via polynomial interpolation).
Remark 2. Note that the proof of Corollary 1 can be adapted to prove Theorem 2. We can derive a protocol for secure matrix multiplication by invoking $n^2$ times in parallel the protocol InnerProd. This is the algorithm of Mohassel and Weinreb [MW08], where each party $P_t$ first locally computes $[A]_t [B]_t$ before resharing this matrix with the other parties, whence $O(n^2)$ communication. Note also that secure matrix-vector multiplication can be computed with $O(n)$ communication complexity via $n$ invocations of InnerProd. Now, we state a simple but important fact about InnerProd which will be mainly used in the following to batch communication: ). (3) In particular, we can apply this batching to a sum of matrix products, i.e. if we are dealing with $n\times n$ matrices, the secure computation of the sum costs $O(n^2)$ communication.
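As an added worked example (not code from the paper), the following Python simulation runs the steps of InnerProd for all $k$ parties in one process over a prime field, and thereby also illustrates the Shamir sharing described in the preliminaries: sharing with the public evaluation points $1,\dots,k$, the local product-and-sum of step 1 (whose results lie on a polynomial of degree $2\ell$), the single resharing round of step 2, and the local recombination of step 3 with the Lagrange weights that form the first row of the inverse Vandermonde matrix. The prime $p$, the degree $\ell = 2$ with $k = 2\ell + 1 = 5$ parties and the sample vectors are constructed choices of this example.

```python
import random

P = 2**31 - 1     # prime field F_p, a constructed choice for this example
ELL = 2           # degree of the sharing polynomials: ELL shares reveal nothing, ELL+1 reconstruct
K = 2 * ELL + 1   # number of parties, k >= 2*ELL + 1 as required in the proof of Corollary 1


def shamir_share(secret, degree, k, rng=None):
    """Shares of `secret`: evaluations at the public points 1..k of a random polynomial
    of the given degree whose constant term is the secret."""
    rng = rng if rng is not None else random.Random(0)
    coeffs = [secret % P] + [rng.randrange(P) for _ in range(degree)]
    return [sum(c * pow(x, i, P) for i, c in enumerate(coeffs)) % P for x in range(1, k + 1)]


def recombination_vector(k):
    """lambda_i = prod_{j != i} j / (j - i) mod p: the Lagrange weights at 0 for the points
    1..k, i.e. the first row of the inverse Vandermonde matrix used in the proof."""
    lam = []
    for i in range(1, k + 1):
        num, den = 1, 1
        for j in range(1, k + 1):
            if j != i:
                num = num * j % P
                den = den * (j - i) % P
        lam.append(num * pow(den, P - 2, P) % P)
    return lam


def reconstruct(shares):
    """Recover the constant term from a full set of k shares at the points 1..k."""
    lam = recombination_vector(len(shares))
    return sum(l * s for l, s in zip(lam, shares)) % P


def inner_product(a, b):
    return sum(x * y for x, y in zip(a, b)) % P


def secure_inner_product(a, b, rng=None):
    """Simulates InnerProd for all K parties and returns each party's final share of <a, b>."""
    rng = rng if rng is not None else random.Random(0)
    n = len(a)
    shares_a = [shamir_share(a[j], ELL, K, rng) for j in range(n)]   # shares_a[j][t] = [a_j]_{t+1}
    shares_b = [shamir_share(b[j], ELL, K, rng) for j in range(n)]
    lam = recombination_vector(K)
    # Step 1 (local): P_t computes c_t = sum_j [a_j]_t [b_j]_t. These values lie on a
    # polynomial of degree 2*ELL with constant term <a, b>, hence K = 2*ELL + 1 points are needed.
    c = [sum(shares_a[j][t] * shares_b[j][t] for j in range(n)) % P for t in range(K)]
    # Step 2 (the only communication round): P_t reshares c_t with a fresh degree-ELL
    # polynomial g_t and sends g_t(u) to party P_u.
    reshared = [shamir_share(c[t], ELL, K, rng) for t in range(K)]  # reshared[t][u] = g_t(u+1)
    # Step 3 (local): P_u computes its share G(u) = sum_t lambda_t g_t(u) of the degree-ELL
    # polynomial G with G(0) = sum_t lambda_t c_t = <a, b>.
    return [sum(lam[t] * reshared[t][u] for t in range(K)) % P for u in range(K)]
```

The degree of the parties' final sharing is back to $\ell$, so the result can feed further secure multiplications, and the only values ever sent are fresh random shares of the $c_t$, which is the independence argument of the security proof.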

Moore-Penrose pseudo-inverse
The existence of solution(s) of a linear system $Ax = b$ over a field $K$ only depends on the rank of the concatenated matrix $A\|b$. The rank of $A$ can be computed via the characteristic polynomial of $G := A^T A$, the so-called Gram matrix of $A$. To apply this, we have to avoid non-trivial intersections between some subspaces and their orthogonals. However, such intersections may appear over fields of positive characteristic, as explained in [CKP07]. For this purpose, we will use a work of Mulmuley [Mul86] for computing the rank over an arbitrary field along with the paper of Diaz-Toca, Gonzalez-Vega and Lombardi [DGL05] for solving linear systems. A previous work [CKP07] gives a probabilistic algorithm without perfect correctness. By taking a sufficiently large extension, we can get rid of this probability.
In the following, let $K$ be a field. Let $V\subset K^i$ be a subspace; then one defines the set However, this result is not true over a field of positive characteristic.
The next lemma characterizes the rank of a matrix via the coefficients of the characteristic polynomial of its Gram matrix. In the following, one identifies a matrix A ∈ K^{n×n} with a linear endomorphism of K^n.
Lemma 2. Let A ∈ K^{m×n}, and G its Gram matrix. Assume that
Proof. [Mul86, CKP07]
For a general matrix over a finite field, the conditions on the intersection of vector spaces do not always hold. However, there exists a matrix that always satisfies these conditions and has the same rank as the initial matrix. We use a work of Mulmuley [Mul86] that proposes a technique to compute the rank over an arbitrary field. He considered the transcendental field extension K(x). Over this extension, for every matrix A ∈ K^{m×n}, the matrix diag(1, x, . . ., x^{m−1}) A := DA ∈ K^{m×n}(x) satisfies (Im DA)^⊥ ∩ Im DA = {0}, and then Lemma 2 holds for DA. This yields a method for computing the rank of A (with perfect correctness), since it equals the rank of DA.
We now introduce the notion of pseudo-inverse. A pseudo-inverse of a matrix A ∈ K^{m×n} is a matrix X ∈ K^{n×m}; it exists for a class of matrices larger than the class of non-singular matrices and reduces to the classical inverse when A is non-singular. In this paper, we consider the Moore-Penrose pseudo-inverse, determined by the following four properties, also known as the Penrose equations [Pen55]:
In this case, we denote X by A^†. A^† exists if and only if rank(AA^T) = rank(A^T A) = rank(A), and existence implies uniqueness.
Our motivation for studying this pseudo-inverse is the following: let b ∈ K^m; then the system Ax = b has at least one solution if and only if AA^†b = b. In this case, all the solutions are given by
with arbitrary v ∈ K^n. If a solution exists, then either the solution is unique, when A^†A has full column rank (i.e., A^†A = I_n), or there exist infinitely many solutions, when A^†A does not have full column rank. We mention other motivations such as the least squares problem or the minimum norm problem for a linear system.
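To make the criterion above concrete, here is an added Python example (not from the paper, and not the [DGL05] construction the paper relies on) that computes A^† over a small prime field by the textbook formulas A^T(AA^T)^{−1} or (A^T A)^{−1}A^T, checks the four Penrose equations, and applies the solvability test AA^†b = b together with the solution family A^†b + (I_n − A^†A)v. The modulus 101 and the matrices are constructed. The function returns None when both Gram matrices are singular; over F_101 this already happens for the rank-1 row (1, 10), since 1^2 + 10^2 ≡ 0, which is the positive-characteristic failure the text refers to (and, by the rank criterion above, a matrix for which A^† does not exist).

```python
Q = 101  # constructed prime modulus; everything below is computed in F_101


def identity(n):
    return [[int(i == j) for j in range(n)] for i in range(n)]


def transpose(X):
    return [list(col) for col in zip(*X)]


def mat_mul(X, Y):
    return [[sum(X[i][k] * Y[k][j] for k in range(len(Y))) % Q
             for j in range(len(Y[0]))] for i in range(len(X))]


def inverse(M):
    """Gauss-Jordan inverse over F_Q, or None when M is singular."""
    n = len(M)
    aug = [[x % Q for x in row] + identity(n)[i] for i, row in enumerate(M)]
    for col in range(n):
        piv = next((r for r in range(col, n) if aug[r][col]), None)
        if piv is None:
            return None
        aug[col], aug[piv] = aug[piv], aug[col]
        inv = pow(aug[col][col], -1, Q)
        aug[col] = [x * inv % Q for x in aug[col]]
        for r in range(n):
            if r != col and aug[r][col]:
                f = aug[r][col]
                aug[r] = [(x - f * y) % Q for x, y in zip(aug[r], aug[col])]
    return [row[n:] for row in aug]


def pseudo_inverse(A):
    """A^+ of an m x n matrix: A^T (A A^T)^-1 when A A^T is invertible, else
    (A^T A)^-1 A^T when A^T A is invertible, else None. These are textbook
    formulas, not the paper's construction; they cover the full-rank case in
    which the relevant Gram matrix is non-singular. In positive characteristic
    a full-rank A can have both Gram matrices singular, and then A^+ does not
    exist by the rank criterion rank(AA^T) = rank(A^T A) = rank(A)."""
    At = transpose(A)
    inv_row = inverse(mat_mul(A, At))      # m x m Gram matrix A A^T
    if inv_row is not None:
        return mat_mul(At, inv_row)
    inv_col = inverse(mat_mul(At, A))      # n x n Gram matrix A^T A
    if inv_col is not None:
        return mat_mul(inv_col, At)
    return None


def penrose_ok(A, X):
    """The four Penrose equations: AXA = A, XAX = X, (AX)^T = AX, (XA)^T = XA."""
    AX, XA = mat_mul(A, X), mat_mul(X, A)
    A_red = [[v % Q for v in row] for row in A]
    return (mat_mul(AX, A) == A_red and mat_mul(XA, X) == X
            and transpose(AX) == AX and transpose(XA) == XA)


def solve(A, b):
    """Solvability test and solution family of Ax = b:
    solvable iff A A^+ b = b; then x = A^+ b + (I_n - A^+ A) v for any v.
    Returns (solvable, particular solution A^+ b, matrix I_n - A^+ A)."""
    X = pseudo_inverse(A)
    if X is None:
        raise ValueError("A^+ not available for this matrix (Gram matrices singular)")
    n = len(A[0])
    col = [[v % Q] for v in b]
    if mat_mul(mat_mul(A, X), col) != col:
        return False, None, None
    x0 = [r[0] for r in mat_mul(X, col)]
    XA = mat_mul(X, A)
    P = [[(int(i == j) - XA[i][j]) % Q for j in range(n)] for i in range(n)]
    return True, x0, P
```

For a full-row-rank A every b is consistent (AA^† = I_m), so the interesting inconsistent case is its transpose: b must lie in the column space, and the test AA^†b = b detects that without any elimination on A∥b.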

(Matrix)-Polynomial Evaluation
Based on the work of Paterson and Stockmeyer [PS73], a preliminary protocol can be derived for evaluating a public polynomial of degree d at a shared element, running in a constant number of rounds with O(√d) communication. This protocol leaks information on the secret with probability 1/q. Later, Cramer, Kiltz and Padro [CKP07] presented a secure and perfectly correct protocol with constant rounds and O(d) communication. One starts by adapting the protocol following the technique of [PS73] to get a protocol with expected O(t) rounds and O(t d^{1/t}) communication for any t ∈ N. Then one uses [CKP07] and an idea of Bar-Ilan and Beaver to obtain a perfectly correct protocol with the same expected complexity. For any t ∈ N, we obtain the following result for the evaluation of a degree-t polynomial at an n × n matrix:
The technique of [PS73] can be applied to [CKP07], leading to a communication complexity in O(n^3 √d). When the polynomial is also shared, [CKP07] still has O(n^3 d) communication complexity, since their protocol for iterative powers requires O(n^3 d) communication. The generalization of our work to shared polynomials does not increase the communication complexity.
First, we detail our non-perfectly-correct protocol. Let s ∈ F be shared via the Shamir secret sharing scheme, p a public polynomial of degree d, and t ∈ N. If the polynomial were shared, our construction could easily be adapted. We could directly apply SecPower to get a protocol with O(d) communication, but we follow another path to get a better complexity. If one computes shares of powers of s via Power, one leaks information when s = 0 (i.e., when s is not invertible, since one applies the iterative products method of Bar-Ilan and Beaver; see the discussion in Section 2.3). That is why one applies Power to [s + r] with a random r ∈ F_q, to randomize the input and reduce its probability of being zero to 1/q. For this purpose, the parties jointly generate a random element r ∈ F* and reveal r. Let m = ⌈d^{1/t}⌉.
For the baby steps, the parties first compute the sharings [s + r], . . ., [(s + r)^m] by invoking Power([s + r], m). Then they locally compute [s^2], . . ., [s^m] via the commutativity of F_q and the linearity of the secret sharing scheme. This is done recursively using Newton's binomial formula
For the giant steps, the parties proceed in expected O(t) rounds of communication. Once they know [s^{m^j}] for 1 ≤ j ≤ t − 1, they can invoke Power([s^{m^j} + r], m) with an expected constant number of rounds to get [(s^{m^j} + r)^2], . . ., [(s^{m^j} + r)^m] and locally deduce [s^{2m^j}], . . ., [s^{m^{j+1}}] via Newton's binomial formula as in the baby steps:
This procedure leads to an expected number of O(t) rounds and expected O(t · d^{1/t}) communication. This step is secure as long as s + r ≢ 0 mod q, which happens with probability 1 − 1/q. Note that a degree-d polynomial p(x) can be decomposed as follows:
where the p_i are public polynomials of degree at most m − 1. Let us denote p_i(x)
a] and [b] can be locally deduced from the previous computations. In particular, once the iterative powers of s have been computed, this evaluation requires O(1) calls to the secure multiplication protocol.
Remark 3. If the polynomial p(x) were shared between the parties, then before calling InnerProd([a], [b]) we would have to compute [a], which would add d calls to the secure multiplication protocol and lead to O(n^2 d) communication. However, the protocol InnerProd can be generalized to a sum with three terms
as long as the number of participants is larger than 3ℓ, where ℓ is the degree of the encoding polynomials of the Shamir secret sharing scheme.

Secure polynomial evaluation
In the following, and for the sake of generality, one considers the more general case of matrix-polynomial evaluation. Let p(x) ∈ F_q[x] be a polynomial of degree d with public (or shared) coefficients and [A] ∈ F_q^{n×n} a shared matrix. One modifies the previous approach to get a perfectly correct protocol with an expected O(t) number of rounds and expected O(n^2 t d^{1/t}) communication for computing [p(A)] =
following the decomposition of Equation 5, with m = ⌈d^{1/t}⌉ and p_i(x) public (or shared) polynomials of degree at most m − 1.
Protocol 5: Secure Polynomial Evaluation (PolyEval)
If p is shared among the parties, then step 2 is modified as explained in Remark 3: each inner product is substituted by a sum of three terms.
Theorem 3. Let A ∈ F_q^{n×n} be a shared matrix, p ∈ F[x] a public polynomial of degree d, and t ∈ N. Then PolyEval is a secure protocol with perfect correctness for evaluating p(A) with expected O(t) rounds and O(n^2 t d^{1/t}) communication.
Proof. The correctness of Protocol 5 relies on the correctness of SecPower. We now prove the complexity of Protocol 5. The first step of the protocol can be done with expected O(t) rounds and O(n^2 t d^{1/t}) communication: each invocation of SecPower requires O(n^2 d^{1/t}) communication. Step 2 is done with O(n^2) secure multiplications using the batching property of Remark 2. Finally, we prove the security of Protocol 5. First, notice that the parties never reconstruct a secret value. For the first three steps, we have seen that SecPower is secure and that knowing shares of different powers of A does not reveal information about A (see the proof of security of SecPower). The security of the last step follows from that of InnerProd.
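The decomposition of Equation 5 with t = 2, as an added Python example (not the paper's protocol): p(A) = Σ_j p_j(A)(A^m)^j with m = ⌈√d⌉ and deg p_j ≤ m − 1, evaluated over a small prime field. The code counts matrix-matrix products only, since in the shared setting the blocks p_j(A) are linear combinations of already-shared powers and cost no communication; Horner's rule is included as the d-product baseline. The modulus 101, the matrix and the coefficient list are constructed inputs.

```python
import math

Q = 101  # constructed prime modulus; the demo works over F_101


def identity(n):
    return [[int(i == j) for j in range(n)] for i in range(n)]


def mat_mul(X, Y):
    return [[sum(X[i][k] * Y[k][j] for k in range(len(Y))) % Q
             for j in range(len(Y[0]))] for i in range(len(X))]


def mat_add(X, Y):
    return [[(x + y) % Q for x, y in zip(rx, ry)] for rx, ry in zip(X, Y)]


def scale(c, X):
    return [[c * x % Q for x in row] for row in X]


def poly_eval_horner(coeffs, A):
    """Baseline: Horner's rule, one matrix product per degree.
    coeffs[i] is the coefficient of X^i. Returns (p(A), number of products)."""
    n = len(A)
    result = scale(coeffs[-1], identity(n))
    for c in reversed(coeffs[:-1]):
        result = mat_add(mat_mul(result, A), scale(c, identity(n)))
    return result, len(coeffs) - 1


def poly_eval_bsgs(coeffs, A):
    """Paterson-Stockmeyer (t = 2) evaluation: p(A) = sum_j p_j(A) (A^m)^j with
    m = ceil(sqrt(d)) and deg p_j <= m - 1. Returns (p(A), number of
    matrix-matrix products). The blocks p_j(A) are linear combinations of the
    baby-step powers; on shared values those are local operations."""
    d = len(coeffs) - 1
    n = len(A)
    m = math.isqrt(d - 1) + 1 if d >= 1 else 1   # ceil(sqrt(d))
    mults = 0
    # Baby steps: A^0, A^1, ..., A^m (m - 1 products).
    powers = [identity(n), A]
    for _ in range(2, m + 1):
        powers.append(mat_mul(powers[-1], A))
        mults += 1
    # Giant steps: (A^m)^j for j = 0 .. floor(d/m).
    nblocks = d // m + 1
    giants = [identity(n), powers[m]]
    for _ in range(2, nblocks):
        giants.append(mat_mul(giants[-1], powers[m]))
        mults += 1
    # Combine: p_j(A) = sum_{i < m} c_{jm+i} A^i, then one product with (A^m)^j.
    result = [[0] * n for _ in range(n)]
    for j in range(nblocks):
        block = [[0] * n for _ in range(n)]
        for i in range(m):
            if j * m + i <= d:
                block = mat_add(block, scale(coeffs[j * m + i], powers[i]))
        if j == 0:
            result = mat_add(result, block)
        else:
            result = mat_add(result, mat_mul(block, giants[j]))
            mults += 1
    return result, mults
```

With d = 8 the baby-step/giant-step route costs 5 products (A^2, A^3, A^6 and two block products) against 8 for Horner; the matrices p_j(A) and (A^m)^j commute, so the order of the block product is immaterial. In the secure setting only those products correspond to invocations of the multiplication protocol.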

Computation of the Characteristic Polynomial
Leverrier's Lemma and Preparata-Sarwate Algorithm. In 1840, Le Verrier published a method to compute the characteristic polynomial χ_A(X) = X^n + Σ_{i=1}^n d_i X^{n−i} of A ∈ F_q^{n×n}, summarized in the following lemma. It was redeveloped by many authors, including Faddeev; we use the latter version. Define by recurrence the following sequence of matrices (A_i)_{0≤i≤n−1} ∈
Then it holds that d_i = −(1/i) tr(A_{i−1}) for 1 ≤ i ≤ n, where tr is the trace operator.
Lemma 3 (Leverrier's Lemma). The coefficients d_1, d_2, . . ., d_n of the characteristic polynomial of the matrix
where t_j := tr(A^j).
Note that if F_q has characteristic greater than n, then the matrix is guaranteed to be non-singular, since its determinant is ∏_{i=1}^n i ≢ 0 mod q. Preparata and Sarwate [PS78] introduced a new idea improving Leverrier and Faddeev's method. It relies on the computation of the trace of the product AB for A = (a_{i,j})_{1≤i,j≤n}, B = (b_{i,j})_{1≤i,j≤n} ∈ F^{n×n} via tr(AB) = Σ_{k=1}^n ⟨a_k, b_k⟩, with a_k the k-th row of A and b_k the k-th column of B. Thus, the complete matrix product AB is not necessary. Hence computing [tr(AB)] only requires one invocation of InnerProd, since the n inner products from Equation 9 can be batched via Equation 3. This yields O(1) secure matrix multiplications. Moreover, in order to apply Leverrier's Lemma, Preparata and Sarwate used a baby-step giant-step approach: one only needs to precompute A^2, A^3, . . ., A^m and A^{2m}, A^{3m}, . . ., A^{m^2} for m = ⌈√n⌉. Indeed, to get t_2, t_3, . . ., t_n, we can compute t_{i+jm} = tr(A^{i+jm}) = tr(A^i A^{jm}) with O(1) communication. See Appendix 7 for the complete protocol.

Secure protocol for the characteristic polynomial
Let A ∈ F_q^{n×n} be a shared matrix, F_q of characteristic greater than n (denoted char(F_q) in the following), m = ⌈√n⌉, and A^+ the augmented matrix defined in Equation 1. Then, based on the previous secure protocols and on the above discussion of characteristic polynomial computation, we propose the following protocol.
Theorem 4. Let A ∈ F_q^{n×n} be a shared matrix with char(F_q) > n. Then PolyChar is a secure protocol with perfect correctness with expected O(n^{2.5}) communication complexity and O(1) rounds.
For comparison, the work [CKP07] achieved a protocol with a small error probability O(n^2/q) and O(m^4 + m^2 n) multiplications.
Proof. The correctness and security of Protocol 6 follow from those of SecPower, InnerProd, and the linear system 8. Regarding this linear system, we have seen in Section 2.1 (Matrix inversion) that our inversion protocol is secure, and the security of the matrix-vector product relies on that of InnerProd. Moreover, notice that the parties never reconstruct a secret value, and knowing shares of different powers of A does not reveal information about A (see the proof of security of SecPower).
The complexity of steps 1 and 2 is equivalent to that of SecPower, with expected O(mn^2) = O(n^{2.5}) communication and constant rounds. During step 3, for each trace, the parties can compute a sharing of it by invoking InnerProd with Equation 9 and the batching of Equation 3. This yields O(1) communication complexity in constant rounds for each trace, thus an overall O(n) communication. Since the computation of all the traces is done in parallel, it yields an overall constant number of rounds. In step 4, they securely compute the inverse of the Toeplitz matrix via the matrix inversion protocol of Section 2.1 (O(n^2) communication) and then apply the secure matrix-vector multiplication as in Remark 2 with O(n) communication (and a constant number of rounds).
about the rank of A. Thus, one chooses k such that k > m(n + m) + 1 > r(n + m − 2r) + 1. The first step consists in detailing the complexity of the secure matrix multiplication over F_q(ζ). We denote by diag(u_1, . . ., u_ℓ) ∈ F_q^{ℓ×ℓ} the diagonal matrix of size ℓ with coefficients u_1, . . ., u_ℓ.
Lemma 4. Let A ∈ F_q(ζ)^{m×n} and B ∈ F_q(ζ)^{n×m} be two shared matrices; then a sharing of the product AB can be securely computed in an expected constant number of rounds with O(km^2) communication.
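Added Python example (not the paper's protocol) of the cleartext computation underlying PolyChar: the traces t_j = tr(A^j) via Preparata-Sarwate baby steps A, . . ., A^m and giant steps A^m, A^{2m}, . . ., with each t_{i+jm} obtained from the row/column inner products of Equation 9, then the coefficients d_i by forward substitution in the triangular system of Lemma 3 (the Newton identities), which divides by 1, . . ., n and so needs char(F_q) > n. The last function takes the largest index with a non-zero coefficient, which is the quantity Section 6 below extracts from χ_G with the test-to-zero protocol to obtain the rank. The modulus 101 and the test matrices are constructed; the companion-matrix helper exists only to produce a matrix with a known characteristic polynomial.

```python
import math

Q = 101  # constructed prime modulus; Lemma 3 needs char(F_q) > n, here n <= 5


def identity(n):
    return [[int(i == j) for j in range(n)] for i in range(n)]


def mat_mul(X, Y):
    n = len(X)
    return [[sum(X[i][k] * Y[k][j] for k in range(n)) % Q for j in range(n)]
            for i in range(n)]


def trace_of_product(X, Y):
    """tr(XY) = sum_k <x_k, y_k>, x_k the k-th row of X and y_k the k-th column
    of Y (Equation 9): n inner products, never the full product XY. In the
    protocol these n inner products are one batched InnerProd call."""
    n = len(X)
    return sum(X[k][i] * Y[i][k] for k in range(n) for i in range(n)) % Q


def power_sums(A):
    """t_1, ..., t_n with t_j = tr(A^j), Preparata-Sarwate style: baby steps
    A^1..A^m and giant steps A^m, A^{2m}, ... with m = ceil(sqrt(n)); each
    t_{i+jm} is tr(A^i * A^{jm}) via trace_of_product. Returns (traces, number
    of matrix products spent on the powers)."""
    n = len(A)
    m = math.isqrt(n - 1) + 1                     # ceil(sqrt(n))
    baby = [identity(n), A]
    for _ in range(2, m + 1):
        baby.append(mat_mul(baby[-1], A))
    giant = [identity(n), baby[m]]
    for _ in range(2, (n - 1) // m + 1):
        giant.append(mat_mul(giant[-1], baby[m]))
    traces = []
    for k in range(1, n + 1):
        j, i = divmod(k - 1, m)                   # k = j*m + (i + 1), 0 <= i < m
        traces.append(trace_of_product(baby[i + 1], giant[j]))
    return traces, (m - 1) + max(0, (n - 1) // m - 1)


def charpoly(A):
    """[1, d_1, ..., d_n] with chi_A(X) = X^n + sum_i d_i X^{n-i}, by forward
    substitution in the triangular Newton system of Lemma 3:
    t_k + d_1 t_{k-1} + ... + d_{k-1} t_1 + k d_k = 0, one division by k per step."""
    n = len(A)
    t, _ = power_sums(A)
    d = [1]
    for k in range(1, n + 1):
        s = t[k - 1] + sum(d[i] * t[k - 1 - i] for i in range(1, k))
        d.append(-s * pow(k, -1, Q) % Q)
    return d


def last_nonzero_index(coeffs):
    """Largest i with d_i != 0 (d_0 = 1). Section 6 computes exactly this index
    on chi_G of the Gram matrix, handled over Mulmuley's extension, to get
    rank(A); for a diagonal matrix it is the number of non-zero diagonal entries."""
    return max(i for i, c in enumerate(coeffs) if c % Q)


def companion(monic):
    """Companion matrix of X^n + monic[0] X^{n-1} + ... + monic[n-1]; its
    characteristic polynomial is that polynomial, which gives a known answer."""
    n = len(monic)
    C = [[0] * n for _ in range(n)]
    for i in range(1, n):
        C[i][i - 1] = 1
    for i in range(n):
        C[i][n - 1] = -monic[n - 1 - i] % Q
    return C
```

The protocol replaces the forward substitution by an inversion of the public-shape Toeplitz matrix followed by a shared matrix-vector product, but the arithmetic is the same: every d_k is obtained by dividing by k, which is why the characteristic restriction appears in Theorem 4.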
Proof. Over F_q(ζ) ≃ F_{q^k}, computing a sharing of AB requires O(m^2 log_2(q^k)) = O(km^2 log_2(q)) bits of communication (with InnerProd over F_{q^k}), which corresponds to O(km^2) calls to the secure multiplication protocol (defined over the base field F_q), or in other words O(km^2) communication. A more detailed proof decomposes A and B as
where A_0, . . ., A_{k−1} ∈ F_q^{m×n} and B_0, . . ., .
The double sum β_j can be securely computed with O(n^2) communication via InnerProd and Equation 3, where the batching is applied to the sum of matrix products. Finally, we get an overall communication complexity of O(km^2).
This yields the following protocol to securely compute A^†.
Theorem 6. Let F_q be a finite field, A ∈ F_q^{m×n} of rank r, and consider the field extension F_{q^k} where k > m(n + m) + 1. Then Protocol 7 is a secure protocol with perfect correctness to compute the Moore-Penrose pseudo-inverse in an expected constant number of rounds with O(k(n^{2.5} + m^{2.5} + n^2 m^{0.5})) communication, as long as char(F_q) > n.
Proof. The correctness of Protocol 7 follows from Theorem 5, the correctness of InnerProd (when using Lemma 4), PolyChar, SecPower, PolyEval and the Test-to-zero protocol from [NO07]. The security of genInverse relies on the security of these subprotocols.
We now prove the complexity bound. The first step requires O(k(n^2 + m^2)) communication thanks to Lemma 4 and the fact that Q_n and Q_m are public (so we use the linearity of the sharing). Theorem 4 with Remark 5 implies that step 2 requires O(km^{2.5}) communication. Still with Remark 5, step 3 yields O(kn^{2.5}) communication, and step 4 O(kn^2 m^{1/2}) (Theorem 3 with t = 2).

Parties invoke SecPower([A
We give additional details on the different steps of Protocol 7. In particular, we detail the invocation of PolyChar over the extension field. In step 1 of PolyChar, the augmented matrix G^+ is obviously defined over the extension. SecPower invokes Power, where shared non-singular matrices are drawn at random over the field extension. We refer to the discussion in Section 2.3 about the probability of drawing a non-singular matrix over F_{p^k}. The security is preserved because GL_{2m}(F_p(ζ)) is a group under multiplication. The last step of SecPower yields shared powers of G from shared powers of G^+ by solving the linear system 2: the public matrix A √m is inverted, and the parties locally compute
is the m × m top-left block of (G^+_j)_i, which is the (i + 1)-th term in the decomposition of G^+_j as a polynomial in ζ, where G^+_j is the j-th power of G^+. This is realized with expected constant rounds and O(km^{2.5}) communication. Take a look at the third step of PolyChar. For every 0
(with all the G_v ∈ F_q^{2m×2m}). Define H := G^{√m}; then, via the linearity of the trace and of the secret sharing,
We have seen that a trace over F_q can be computed with one invocation of InnerProd, and by batching these two double sums of inner products with Remark 2, this yields O(k) communication for the trace of each power of G and an overall O(km) communication (in parallel). Finally, they securely solve the linear system 8 by adapting Bar-Ilan and Beaver's protocol for secure matrix inversion of Section 2.1 with O(km^2) communication. The matrix-vector multiplication is also adapted and requires O(km) communication.
Step 4 requires developing a protocol for securely computing the rank of a shared matrix. By defining g_i := (−1)^m a_i(ζ), one has χ_G(X) = Σ_{i=0}^m g_i X^{m−i} with g_0 = 1. From each sharing of g_i for i ∈ {0, . . ., m}, the parties can compute a sharing of h_i defined as:
This can be done using the Test-to-zero protocol of Section 2.1, in parallel, with O(1) rounds and O(k) invocations of the secure multiplication protocol for each coefficient (and thus an overall of O(1) rounds and O(mk) communication). Let us define P_j(X) := Σ_{i=0}^{j−1} a_{j−1−i} X^i for j ∈ {2, . . ., m}. The parties can locally compute a sharing of P_j(X) for each j. Then, one can readily see that the Moore-Penrose pseudo-inverse is equal to
where one defines recursively
Indeed, if h_i = 1 we obtain β_i = P_i, and if h_i = 0 we obtain β_i = β_{i−1}. One can expand the following expression as the algebraic expression:
and by expanding it one can see that it can be expressed as a linear combination of elements of the form
Then the parties can compute [β_m(A^0 A)] = [P_r(A^0 A)] with the baby-step giant-step method. Indeed, each P_j can be computed as follows:
where j' = ⌈√(j − 1)⌉ and each Q_i is a polynomial of degree at most j' − 1. These latter polynomials can be deduced locally: Q_{j'}(X) = a_0 X^{j'} and Q_i(X) = Σ_{s=0}^{j'−1} a_{ij'+s−j+1} X^s for i ≠ j'. Once sharings of successive powers of A have been computed, a sharing of Q_i(A^0 A) can be deduced with O(kn^2) communication using Lemma 4 and batching the sum. Finally, [P_r(A^0 A)] follows with O(kn^2) communication by applying the same idea to the sum of products of the form [(A^0 A)^{ij'}] [Q_i(A^0 A)].
Step 5 also requires the protocol for securely computing the rank of a shared matrix. But first, we need to check that a_r is invertible. By definition,
And a_r is securely inverted with O(mk) secure multiplications.
Finally, we can extend this result to fields of any positive characteristic by adapting the work of Schönhage [Sch93] (see Appendix 9). When n ≥ m, this yields a protocol with O(n^{5.5}) communication.

Supplementary Material 6 Secure Computation of the Rank
As an additional application, we present a secure protocol computing the rank of a shared matrix with perfect correctness. Let F_q be a finite field with characteristic greater than n, an extension degree k chosen as in Section 5, and let A ∈ F_q^{m×n}. One works over F_{q^k} ≃ F_q(ζ), where ζ of degree k is defined as in Section 5. Let A^0 := Q_n^{−1} A^t Q_m ∈ F_{q^k} with Q_n = diag
Define g_i := (−1)^m a_i(ζ); then χ_G(X) = Σ_{i=0}^m g_i X^{m−i} with g_0 = 1. It now remains to compute the rank of A as the largest integer k ∈ {0, . . ., m} such that g_k ≠ 0. In order to do so, from each sharing of g_i for i ∈ {0, . . ., m}, the parties compute a sharing of h_i for i ∈ {0, . . ., m} defined as:
Eventually, they can all compute locally a sharing of the expression given in (11), which is the rank of the matrix A.
Theorem 7. Let F_q be a finite field with characteristic greater than n, consider k > m(m + n) + 1, and let A ∈ F^{m×n} be of rank r. Then there exists a secure protocol with perfect correctness computing the rank in an expected constant number of rounds with expected communication complexity O(km^{2.5} + mk).
A generalization to finite fields of any characteristic is possible using Remark 4 and Appendix 9, leading to O(km^{3.5} + mk) communication.
communication and constant rounds by Lemma 1. Steps 2 and 3 both imply O(n^2) communication for each 2 ≤ i ≤ m and thus can be done with O(mn^2) communication and O(1) rounds (in parallel). Step 4 leads to O(mn^2) communication and O(1) rounds (in parallel) for broadcasting the shares. Step 6 is local.
1. Parties randomly compute sharings of 0 and 1 to get [A^+] as defined in Equation 1; 2. They invoke Power([A^+], m); 3. They compute in the clear the matrix of the linear system 2 and invert it publicly to locally get shares of the solution of this system.
Theorem 1. Let A ∈ F^{n×n} and m ∈ N. Then SecPower is a secure protocol with perfect correctness for computing the first m powers of A with expected O(mn^2) communication and O(1) rounds.

Protocol 7: Secure Computation of the generalized Moore-Penrose inverse (genInverse)
Data: [A] with A ∈ F_q(ζ)^{m×n} of rank r
Result: [A^†]
1. Parties locally compute a sharing of A^0 and then securely and jointly compute sharings of G = AA^0 and of A^0 A with Lemma 4;
2. Parties invoke PolyChar([G]);

Table 1: Complexity and correctness of the secure evaluation of a degree-t polynomial at an n×n matrix