Certificates for triangular equivalence and rank profiles
Jean-Guillaume Dumas (CASYS), David Lucas (CASYS), Clément Pernet (CASYS)

TL;DR
This paper introduces new certificates for verifying triangular equivalence and rank profiles that are faster and more efficient than previous methods, with applications to determinant certification.
Contribution
It presents novel quadratic-time, non-interactive certificates and efficient interactive certificates for rank profiles and matrix determinants.
Findings
Quadratic time and space certificates for rank verification
Interactive certificates with minimal matrix-vector multiplications
Faster determinant certification protocol
Abstract
In this paper, we give novel certificates for triangular equivalence and rank profiles. These certificates make it possible to verify the row or column rank profiles or the whole rank profile matrix faster than recomputing them, with a negligible overall overhead. We first provide quadratic time and space non-interactive certificates saving the logarithmic factors of previously known ones. Then we propose interactive certificates for the same problems whose Monte Carlo verification complexity requires a small constant number of matrix-vector multiplications, a linear space, and a linear number of extra field operations. As an application we also give an interactive protocol, certifying the determinant of dense matrices, faster than the best previously known one.
| Dimension | | | |
|---|---|---|---|
| PLUQ | 0.28s | 17.99s | 1448.16s |
| CharPoly | 1.96s | 100.37s | 8047.56s |
| Linear comm. | 0.50s | 0.50s | 0.50s |
| Quadratic comm. | 1.50s | 7.50s | 222.68s |
| fgemv | 0.0013s | 0.038s | 1.03s |
ISBN: 978-1-4503-5064-8/17/07
This work is partly funded by the OpenDreamKit Horizon 2020 European Research Infrastructures project (#676541).
(2017)
doi: http://dx.doi.org/10.1145/3087604.3087609
Conference: ISSAC ’17, July 25–28, 2017, Kaiserslautern, Germany
1 Introduction
Within the setting of verifiable computing, we propose in this paper interactive certificates with the taxonomy of [4]. Indeed, we consider a protocol where a Prover performs a computation and provides additional data structures or exchanges with a Verifier who will use these to check the validity of the result, faster than by just recomputing it. More precisely, in an interactive certificate, the Prover submits a Commitment, that is some result of a computation; the Verifier answers by a Challenge, usually some uniformly sampled random values; the Prover then answers with a Response, that the Verifier can use to convince himself of the validity of the commitment. Several rounds of challenge/response might be necessary for the Verifier to be fully convinced.
By Prover (resp. Verifier) time, we thus mean bounds on the number of arithmetic operations performed by the Prover (resp. Verifier) during the protocol, while by extra space, we mean bounds on the volume of data being exchanged, not counting the size of the input and output of the computation.
Such protocols are said to be complete if the probability that a true statement is rejected by the Verifier can be made arbitrarily small; and sound if the probability that a false statement is accepted by the Verifier can be made arbitrarily small. In practice it is sufficient that those probabilities are , as the protocols can always be run several times. Some certificates will also be perfectly complete, that is, a true statement is never rejected by the Verifier. All these certificates can be simulated non-interactively by the Fiat-Shamir heuristic [10]: uniformly sampled random values produced by the Verifier are replaced by cryptographic hashes of the input and of previous messages in the protocol. Complexities are preserved.
We do not use generic approaches to verified computation (where protocols check circuits with polylogarithmic depth [12] or use amortized models and homomorphic encryption [2]). Rather, we use dedicated certificates as those designed for dense [11, 14] or sparse [4, 5] exact linear algebra. The obtained certificates are problem-specific, but try to reduce as much as possible the overhead for the Prover, while preserving a fast verification procedure.
We will consider an matrix of rank over a field . The row rank profile of is the lexicographically minimal sequence of indices of independent rows of . Matrix has generic row rank profile if its row rank profile is . The column rank profile is defined similarly on the columns of . Matrix has generic rank profile if its first leading principal minors are nonzero. The rank profile matrix of , denoted by is the unique -matrix with nonzero entries, of which every leading sub-matrix has the same rank as the corresponding sub-matrix of . It is possible to compute with a deterministic algorithm in or with a Monte-Carlo probabilistic algorithm in field operations [8], where is the arithmetic cost to multiply by a vector.
We first propose quadratic, space and verification time, non-interactive practical certificates for the row or column rank profile and for the rank profile matrix that are rank-sensitive. Previously known certificates have additional logarithmic factors to the quadratic complexities: replacing matrix multiplications by quadratic verifications in recursive algorithms yields at least one factor [14]; graph-based approaches accumulate this and other logarithmic factors, at least from a compression by magical graphs and from a dichotomic search [16].
We then propose two linear space interactive certificates: one certifying that two non-singular matrices are triangular equivalent, i.e. there is a triangular change of basis from one to the other; the other one, certifying that a matrix has a generic rank profile. These certificates are then applied to certify the row or column rank profile, the (permutation) and (diagonal) factors of a LDUP factorization, the determinant and the rank profile matrix. These certificates require, for the Verifier, between 1 and 3 applications of to a vector and a linear amount of field operations. They are still elimination-based for the Prover, but do not require communicating the obtained triangular decomposition. For the determinant, these new certificates require the computation of a PLUQ decomposition for the Prover, linear communication and Verifier time, with no restriction on the field size.
Table 1 compares linear and quadratic volumes of communication, as well as sub-cubic (PLUQ, CharPoly) or quadratic matrix operations (one matrix-vector multiplication with a dense matrix is denoted fgemv). The results show first that it is interesting to use linear space certificates even when they have quadratic Verification time. The table also presents a practical constant factor of about 5 between PLUQ and CharPoly computations. Computations use the FFLAS-FFPACK library (http://linbox-team.github.io/fflas-ffpack) on a single Intel Skylake core @3.4GHz, while we measured some communications between two workstations over an Ethernet Cat. 6, @1Gb/s network cable.
A summary of our contributions is given in Table 3, to be compared with the state of the art in Table 2.
We identify the symmetric group with the group of permutation matrices, and write to denote that a matrix is a permutation matrix. There, is the row index of the nonzero element of its -th column; is the group of invertible diagonal matrices over the field and is the -minor of the matrix (the determinant of the submatrix of with row indices in and column indices in ). Lastly, x\xleftarrow{\}{S}xS$.
2 Non interactive and quadratic communication certificates
In this section, we propose two certificates, first for the column (resp. row) rank profile, and, second, for the rank profile matrix. While the certificates have a quadratic space communication complexity, they have the advantage of being non-interactive.
2.1 Freivalds’ certificate for matrix product
In this paper, we will use Freivalds’ certificate [11] to verify matrix multiplication. Considering three matrices and in , such that , a straightforward way of verifying the equality would be to perform the multiplication and to compare its result coefficient by coefficient with . While this method is deterministic, it has a time complexity of , which is the matrix multiplication complexity. As such, it cannot be a certificate, as there is no complexity difference between the computation and the verification.
Freivalds’ certificate proposes a probabilistic method to check this product in a time complexity of using matrix/vector multiplication, as detailed in Figure 1.
2.2 Column rank profile certificate
We now propose a certificate for the column rank profile.
Lemma 1
Let be the PLUQ decomposition of an matrix of rank . If is in row echelon form then is the column rank profile of .
Proof 2.1.
Write , where and are lower and upper triangular respectively. If is in echelon form, then is in reduced echelon form. Now
[TABLE]
is left equivalent to and is therefore the echelon form of . Hence the sequence of column positions of the pivots in , that is , is the column rank profile of .
Lemma 1 provides a criterion to verify a column rank profile from a PLUQ decomposition. Such decompositions can be computed in practice by several variants of Gaussian elimination, with no arithmetic overhead, as shown in [13] or [7, § 8]. Hence, we propose the certificate in Protocol 2.
Theorem 2.2.
Let with . Certificate 2, verifying the column rank profile of is sound, perfectly complete, with a communication bounded by , a Prover computation bounded by and a Verifier computation cost bounded by .
Proof 2.3.
If the Prover is honest, then, will be in row echelon form and , thus, by Lemma 1, the Verifier will be able to read the column rank profile of from . If the Prover is dishonest, either , which will be caught by the Verifier with probability using Freivalds’ certificate [11] or is not in row echelon form, which will be caught every time by the Verifier.
The Prover sends to the Verifier, hence the communication cost of , as and are permutation matrices and , are respectively and matrices, with . Using algorithms provided in [13], one can compute the expected decomposition in . The Verifier has to check if , and if is in row echelon form, which can be done in .
Note that this holds for the row rank profile of : in that case, the Verifier has to check if is in column echelon form.
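The checks of Sections 2.1 and 2.2 can be put together as follows. This is an added example, not code from the paper or from FFLAS-FFPACK: it assumes the certificate is the four factors of a PLUQ decomposition sent as dense matrices over GF(p), uses 0-based column indices, and makes explicit a shape check on the lower triangular factor (nonzero diagonal, zeros above it) that the phrase "PLUQ decomposition" implies. The modulus, function names and sample matrix are constructed for the illustration.

```python
import secrets

P_MOD = 2**61 - 1  # prime modulus for GF(p); constructed parameter for this example

def matvec(M, v, p=P_MOD):
    """Dense matrix-vector product over GF(p)."""
    return [sum(a * b for a, b in zip(row, v)) % p for row in M]

def perm_sigma(M):
    """sigma[j] = row index of the nonzero entry of column j, or None if M is
    not a permutation matrix."""
    n = len(M)
    sigma = [None] * n
    for i, row in enumerate(M):
        ones = [j for j, x in enumerate(row) if x != 0]
        if len(row) != n or len(ones) != 1 or row[ones[0]] != 1 or sigma[ones[0]] is not None:
            return None
        sigma[ones[0]] = i
    return sigma

def prove_column_rank_profile(A, p=P_MOD):
    """Honest Prover: Gaussian elimination with row pivoting, returning
    (P, L, U, Q) with A = P*L*U*Q and U*Q in row echelon form."""
    m, n = len(A), len(A[0])
    W = [[x % p for x in row] for row in A]   # working copy, becomes the echelon form
    mult = [[0] * m for _ in range(m)]        # elimination multipliers (future L)
    rows = list(range(m))                     # rows[i] = original index of working row i
    pivots = []
    for c in range(n):
        r = len(pivots)
        src = next((i for i in range(r, m) if W[i][c]), None)
        if src is None:
            continue                          # column c depends on earlier pivot columns
        for T in (W, mult, rows):
            T[r], T[src] = T[src], T[r]
        inv = pow(W[r][c], -1, p)
        for i in range(r + 1, m):
            f = W[i][c] * inv % p
            mult[i][r] = f
            W[i] = [(a - f * b) % p for a, b in zip(W[i], W[r])]
        pivots.append(c)
    r = len(pivots)
    L = [[1 if i == j else mult[i][j] for j in range(r)] for i in range(m)]
    order = pivots + [c for c in range(n) if c not in pivots]
    U = [[W[i][c] for c in order] for i in range(r)]  # pivot columns moved to the front
    P = [[0] * m for _ in range(m)]
    for i, orig in enumerate(rows):
        P[orig][i] = 1
    Q = [[0] * n for _ in range(n)]
    for k, c in enumerate(order):
        Q[k][c] = 1
    return P, L, U, Q

def verify_column_rank_profile(A, cert, p=P_MOD, rounds=1):
    """Verifier: return the certified column rank profile (0-based) or None."""
    P, L, U, Q = cert
    m, n, r = len(A), len(A[0]), len(U)
    sigma = perm_sigma(Q)
    if perm_sigma(P) is None or sigma is None or len(P) != m or len(Q) != n:
        return None
    if len(L) != m or any(len(row) != r for row in L) or any(len(row) != n for row in U):
        return None
    # L must be lower trapezoidal with nonzero diagonal, hence of full column rank.
    if r > m or any(L[i][i] % p == 0 for i in range(r)):
        return None
    if any(L[i][j] % p for i in range(r) for j in range(i + 1, r)):
        return None
    # Freivalds' check of A = P*L*U*Q: only matrix-vector products, never the full product.
    for _ in range(rounds):
        v = [secrets.randbelow(p) for _ in range(n)]
        if matvec(A, v, p) != matvec(P, matvec(L, matvec(U, matvec(Q, v, p), p), p), p):
            return None
    # (U*Q)[i][j] = U[i][sigma[j]]; pivot columns must strictly increase row by row.
    profile = []
    for i in range(r):
        lead = next((j for j in range(n) if U[i][sigma[j]] % p), None)
        if lead is None or (profile and lead <= profile[-1]):
            return None
        profile.append(lead)
    return profile

# Constructed sample: column 0 is zero, column 2 = 2 * column 1, row 2 = row 0 + row 1.
A_SAMPLE = [[0, 2, 4, 1],
            [0, 1, 2, 3],
            [0, 3, 6, 4]]

if __name__ == "__main__":
    print(verify_column_rank_profile(A_SAMPLE, prove_column_rank_profile(A_SAMPLE)))
```

A wrong product is accepted by one Freivalds round with probability at most 1/p here; the echelon and shape checks are deterministic.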
2.3 Rank profile matrix certificate
Lemma 2.4.
A decomposition reveals the rank profile matrix, namely , if and only if is lower triangular and is upper triangular.
Proof 2.5.
The only if case is proven in [8, Th. 21]. Now suppose that is lower triangular. Then we must also have that is lower triangular and non-singular. Similarly suppose that is upper triangular so that is non-singular upper triangular. We have . Hence the rank of any leading submatrix of is that of the leading submatrix of , thus proving that .
We use this characterization to verify the computation of the rank profile matrix in the following protocol: Once the Verifier receives , he has to:
1. Check that , using Freivalds’ certificate [11].
2. Check that is echelonized by and by .
3. If successful, compute the rank profile matrix of as
Theorem 2.6.
Certificate 3 verifies the rank profile matrix of ; it is sound and perfectly complete, with a communication cost bounded by , a Prover computation cost bounded by and a Verifier computation cost bounded by .
Proof 2.7.
If the Prover is honest, then, the provided decomposition is indeed a factorization of , which means Freivalds’ certificate will pass. It also means this decomposition reveals the rank profile matrix. According to Lemma 2.4, will be lower triangular and upper triangular. Hence the verification will succeed and is indeed the rank profile matrix of . If the Prover is dishonest, either , which will be caught with probability by Freivalds’ certificate or the decomposition does not reveal the rank profile matrix of . In that case, Lemma 2.4 implies that either is not lower triangular or is not upper triangular, which will be detected.
The Prover sends to the Verifier, hence the communication cost of . A rank profile matrix revealing decomposition can be computed in operations [6]. The Verifier has to check if , which can be achieved in field operations.
3 Linear communication certificate toolbox
3.1 Triangular one sided equivalence
Two matrices are right (resp. left) equivalent if there exists an invertible matrix such that (resp. ). If in addition is a lower triangular matrix, we say that and are lower triangular right (resp. left) equivalent. The upper triangular right (resp. left) equivalence is defined similarly. We propose a certification protocol that two matrices are left or right triangular equivalent. Here, and are input, known by the Verifier and the Prover. A simple certificate would be the matrix itself, in which case the Verifier would check the product using Freivalds’ certificate. This certificate is non-interactive and requires a quadratic amount of communication. In what follows, we present a certificate which makes it possible to verify the one sided triangular equivalence without communicating , requiring only communications. It is essentially a Freivalds’ certificate with a more constrained interaction pattern in the way the challenge vector and the response vector are communicated. This pattern imposes a triangular structure in the way the Prover’s responses depend on the Verifier’s challenges, which matches the structure of the problem.
Theorem 3.8.
Let , and assume is regular. Certificate 4 proves that there exists a lower triangular matrix such that . This certificate is sound, with probability larger than , perfectly complete, occupies communication space, and can be computed in field operations and verified in field operations.
Proof 3.9.
If the Prover is honest, then and she just computes , so that . If the Prover is dishonest, replace the random values by algebraically independent variables . Since is regular, there is a unique matrix (that is, with the Moore-Penrose inverse of ) such that . For the same reason, there is a unique vector such that . The vector is then formed by degree- polynomials in . If is not lower triangular, let be the first row such that for some , and let be the largest such . Then has degree 1 in . Let be the vector output by the Prover. At step , the value for was still not released, hence is constant in . As is regular, the verification is equivalent to . The -th component in this equation is , whose left hand-side contains a non zero monomial in . There is therefore a probability lower than that the random choice for makes this polynomial vanish.
This certificate requires to transmit and , which costs in communication. The Verifier has to compute and , whose computational cost is . The Prover has to compute , this can be done by a PLUQ elimination on followed by a triangular system solve, both in . Then requires only operations.
Note that the case where is upper triangular works similarly: the Verifier needs to transmit in reverse order, starting by .
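The interaction pattern described in this section can be simulated as follows. This is an added example, not the paper's own protocol listing: it assumes the notation A = B·L with response y = L·x and final check A·x = B·y, reveals the challenge one coordinate at a time, and models a Prover who can only use the coordinates released so far. The class and function names, the modulus and the sample matrices are constructed for the illustration, and the `upper` flag implements the reverse transmission order mentioned in the note above.

```python
import secrets

P_MOD = 2**61 - 1  # prime modulus for GF(p); constructed parameter for this example

def matvec(M, v, p=P_MOD):
    """Dense matrix-vector product over GF(p)."""
    return [sum(a * b for a, b in zip(row, v)) % p for row in M]

def matmul(X, Y, p=P_MOD):
    """Dense matrix product over GF(p), used only to build the sample inputs."""
    return [[sum(a * b for a, b in zip(row, col)) % p for col in zip(*Y)] for row in X]

class StreamingProver:
    """Prover holding a matrix L with A = B*L. It must answer coordinate i of
    y = L*x as soon as x_i is released, so it can only use coordinates it has
    already seen. If L is triangular in the order of release this is exact;
    otherwise the missing terms are unknown (this sketch leaves them out)."""
    def __init__(self, L, p=P_MOD):
        self.L, self.p, self.known = L, p, {}

    def respond(self, i, x_i):
        self.known[i] = x_i
        return sum(self.L[i][j] * x_j for j, x_j in self.known.items()) % self.p

def run_protocol(A, B, prover, p=P_MOD, upper=False):
    """Verifier side: release x coordinate by coordinate (last to first for the
    upper triangular case), collect y, then check A*x == B*y with two
    matrix-vector products. Communication is 2n field elements."""
    n = len(A[0])
    x, y = [0] * n, [0] * n
    for i in (reversed(range(n)) if upper else range(n)):
        x[i] = secrets.randbelow(p)       # challenge coordinate, sampled only now
        y[i] = prover.respond(i, x[i])    # response is fixed before the next challenge
    return matvec(A, x, p) == matvec(B, y, p)

# Constructed sample data: B is invertible (determinant 25).
B_SAMPLE = [[1, 2, 0], [0, 1, 3], [4, 0, 1]]
L_GOOD = [[2, 0, 0], [5, 1, 0], [7, 3, 4]]      # lower triangular
L_BAD = [[2, 0, 6], [5, 1, 0], [7, 3, 4]]       # one entry above the diagonal
L_UP = [list(col) for col in zip(*L_GOOD)]      # upper triangular
A_GOOD = matmul(B_SAMPLE, L_GOOD)
A_BAD = matmul(B_SAMPLE, L_BAD)
A_UP = matmul(B_SAMPLE, L_UP)

if __name__ == "__main__":
    print(run_protocol(A_GOOD, B_SAMPLE, StreamingProver(L_GOOD)))          # accepted
    print(run_protocol(A_BAD, B_SAMPLE, StreamingProver(L_BAD)))            # rejected
    print(run_protocol(A_UP, B_SAMPLE, StreamingProver(L_UP), upper=True))  # accepted
```

The rejected run shows one Prover strategy only; the soundness bound for every strategy is the one stated in Theorem 3.8.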
3.2 Generic rank profile-ness
The problem here is to verify whether a non-singular input matrix has generic rank profile (to test non-singularity, one can apply beforehand the linear communication certificate in [4, Fig. 2], see also Protocol 8 thereafter). A matrix has generic rank profile if and only if it has an LU decomposition , with unit lower triangular and non-singular upper triangular. The protocol picks random vectors and asks the Prover to provide the vectors , , on the fly, while receiving the coefficients of the vectors one at a time. These vectors satisfy the fundamental equations and that will be checked by the Verifier.
Theorem 3.10.
Certificate 5 verifying that a non-singular matrix has generic rank profile is sound, with probability larger than , perfectly complete, communicates field elements, and can be computed in field operations for the Prover and field operations for the Verifier.
We will need the following Lemma, used in Dodgson's determinant condensation rule.
Lemma 3.11 (Desnanot-Jacobi, or Dodgson rule [3]).
[TABLE]
Applying the same permutation, the cyclic shift of order 1 to the left, on the rows and columns of , yields the following formula with no change of sign:
[TABLE]
Proof 3.12 (of Theorem 3.10).
The protocol is perfectly complete: if , then .
Now, for the soundness, replace every chosen at random by the Verifier by vectors of algebraically independent variables . Similarly, the responses of the Prover are now vectors of algebraically independent variables . Under the assumption of the success of the Verifier test,
[TABLE]
and that is non-singular, we will prove the following induction hypothesis:
[TABLE]
where , .
For , note that , hence the right-hand sides of the first two equations of can be written as:
[TABLE]
by (2). Finally is obviously nonzero.
Now suppose is true for some . Then
[TABLE]
At the time of choosing the value for , all variables are set, except . Hence for every value assigned to , there is a value for that satisfies the above system of two linear equations in and . Consequently this system is singular and the following two determinants vanish:
[TABLE]
[TABLE]
where , for . Actually, Equation (5) is thus of the form \left|\begin{array}[]{cc}d_{i}\Phi_{i}+b&a\Phi_{i}+e\\ d_{i}\Psi_{i}+c&a\Psi_{i}+f\end{array}\right|=0 where , and are constants with respect to the variables .
If , then, at least one for must be nonzero, otherwise would be singular. Similarly, at least one for is nonzero, hence is a nonzero polynomial in and are nonzero polynomials in for , but constant in and . This is a contradiction, as the first column of the determinant cannot be collinear with the second one. Hence .
Therefore which is
[TABLE]
Applying variant (1) of Lemma 3.11 to , yields
[TABLE]
and is verified.
We have proven that if is true, then either is also true or the system (3) has a single solution and the Verifier randomly chose precisely that . Therefore, suppose that does not have generic rank profile; it means that some and is false. But the Verifier checks that is true. If this is the case, then at least once the Verifier chose the value expected by the dishonest Prover. This happens with probability lower than .
Finally, for the complexity, the Prover needs one Gaussian elimination to compute in time , then her extra work is just three triangular solves in . The extra communication is three vectors, , and the Verifier’s work is four dot-products and one multiplication by the initial matrix .
3.3 LDUP decomposition
With Protocol 5, when the matrix does not have generic rank profile, any attempt to prove that it has generic rank profile will be detected w.h.p. (soundness). However when it is the case, the verification will accept many possible vectors : any scaling of by and by would be equally accepted for any nonzero constants . This slack corresponds to our lack of specification of the diagonals’ shape in the used LU decomposition. Indeed, for any diagonal matrix with nonzero elements, is also a valid LU decomposition and yields and scaled as above. Specifying these diagonals is not necessary to prove generic rank profileness, so we left it as is for this task.
However, for the determinant or the rank profile matrix certificates of Sections 4.1 and 4.3, we will need to ensure that this scaling is independent from the choice of the vectors . Hence we propose an updated protocol, where has to be unit diagonal, and the prover has to first commit the main diagonal of .
For an triangular matrix , its strictly triangular part is denoted : for instance if is upper triangular, then for and [math] otherwise.
For an invertible upper triangular matrix we have for its diagonal and the associated diagonal matrix , that is unitary. Thus, for any : .
So the idea is that the Prover will commit beforehand, and that within a generic rank profile certificate, the Verifier will only communicate and to obtain , and . Then the Verifier will compute by herself the complete vectors. This ensures that is unitary and that with unitary.
Finally, if an invertible matrix does not have generic rank profile, we note that it is also possible to incorporate the permutations, by committing them in the beginning and reapplying them to the matrix during the checks. The full certificate is given in Figure 6.
Theorem 3.13.
The Protocol of Figure 6, committing a permutation matrix and a diagonal matrix for an invertible matrix , such that there exist unitary triangular matrices and with , is sound, with probability larger than , and perfectly complete. For an matrix, it requires less than extra communications and the computational cost for the Verifier is bounded by .
Proof 3.14.
If the Prover is honest, then , so that for any choice of and we have: , that is and the same is true for and , so that the protocol is perfectly complete.
Now, the last part of the Protocol of Figure 6 is actually a verification that has generic rank profile, in other words that there exist lower and upper triangular matrices and such that . This verification is sound by Theorem 3.10. Next, the multiplication by the diagonal is performed by the Verifier, so he is actually convinced that there exist lower and upper triangular matrices and such that . Finally, the construction of the vectors with the form is also done by the Verifier, so he in fact has a guarantee that and are unitary.
Overall, if the Prover is dishonest, the Verifier will catch him with the probability of Theorem 3.10.
Finally, for the complexity bounds, the extra communications are: one permutation matrix , a diagonal matrix and vectors , , and , and . That is non-negative integers lower than and field elements. The arithmetic computations of the Verifier are one multiplication by a diagonal matrix, vector sums, dot-products and one matrix-vector multiplication by (for ), that is .
We, furthermore, have some guarantees on the actual values of :
Proposition 3.15.
Let be a finite subset of in Protocol 6, if then the verification will pass with probability at most .
Proof 3.16.
Equation (4) implies that, if the verification check passes, with , then the vector must be co-linear with the right column of this determinant, that can be written in the form with and and depending only on with . Hence, any value , supplied by the Prover, must satisfy
[TABLE]
when and are still unknown. This condition is ensured for any and if and only if . If the Prover is dishonest and if then at least one couple is incorrect. Then, either the Verifier has chosen a couple of values making the degree determinant (6) vanish, this happens with probability at most , or System (3) has a unique solution . But if the latter is true and the final check succeeds then, as for Theorem 3.10, at least once the Prover chose to have chances that the Verifier picked the unique possibility for , . Overall, the Verification thus fails with probability at most .
Remark 3.17.
Correctness of the vector can also be ensured with the same probability: for the singular System (3), with respect to the unknowns and , to have rank at least one, it is sufficient that one of or is non zero. The Verifier, knowing , can ensure this by restricting the set of choices for . Thus if and are correct, the Prover will have to provide a correct associated or increase the probability of being caught.
4 Linear communication interactive certificates
In this section, we give linear space communication certificates for the determinant, the column/row rank profile of a matrix, and for the rank profile matrix.
4.1 Linear communication certificate for the determinant
Existing certificates for the determinant are either optimal for the Prover in the dense case, using the strategy of [14, Theorem 5] over a PLUQ decomposition, but quadratic in communication; or linear in communication, using [5, Theorem 14], but using a reduction to the characteristic polynomial. In the sparse case the determinant and the characteristic polynomial both reduce to the same minimal polynomial computations and therefore the latter certificate is currently optimal for the Prover. Now in the dense case, while the determinant and characteristic polynomial both reduce to matrix multiplication, the determinant, via a single PLUQ decomposition is more efficient in practice [15]. Therefore, we propose here an alternative in the dense case: use only one PLUQ decomposition for the Prover while keeping linear extra communications and operations for the Verifier. The idea is to extract the information of a LDUP decomposition without communicating it: one uses Protocol 6 for with and unitary, but kept on the Prover side, and then the Verifier only has to compute , with additional field operations.
Corollary 4.18.
For an matrix, there exists a sound and perfectly complete protocol for the determinant over a field using less than extra communications and with computational cost for the Verifier bounded by .
As a comparison, the protocol of [5, Theorem 14] reduces to CharPoly instead of PLUQ for the Prover, requires extra communications and operations for the Verifier as well. Also the new protocol requires random field elements for any field, where that of [5, Theorem 14] requires random elements but a field larger than .
For instance, using the routines shown in Table 1, the determinant of an random dense matrix can be computed in about 24 minutes, where with the certificate of Figure 6, the overhead of the Prover is less than 5s and the Verifier time is about 1s.
4.2 Column or row rank profile certificate
In Figures 7 and 8, we first recall the two linear time and space certificates for an upper and a lower bound to the rank that constitute a rank certificate. We present here the variant sketched in [9, § 2] of the certificates of [4]. An upper bound on the rank is certified by the capacity for the Prover to generate any vector sampled from the image of by a linear combination of columns of . A lower bound is certified by the capacity for the Prover to recover the unique coefficients of a linear combination of linearly independent columns of .
Theorem 4.19.
Let , and let be a finite subset of . The interactive certificate 7 of an upper bound for the rank of is sound, with probability larger than , perfectly complete, occupies communication space, can be computed in and verified in time.
Theorem 4.20.
Let , and let be a finite subset of . The interactive certificate 8 of a lower bound for the rank of is sound, with probability larger than , perfectly complete and occupies communication space, can be computed in and verified in operations.
We now consider a column rank profile certificate: the Prover is given a matrix , and answers the column rank profile of , . In order to certify this column rank profile, we need to certify two properties:
1. the columns given by are linearly independent;
2. the columns given by form the lexicographically smallest set of independent columns of .
Property 1 is verified by Certificate 8, as it checks whether a set of columns are indeed linearly independent. Property 2 could be certified by successive applications of Certificate 7: at step , checking that the rank of is at most would certify that there is no column located between and in which increases the rank of . Hence, it would prove the minimality of . However, this method requires communication space.
Instead, we reduce this communication by seeding all challenges from a single dimensional vector, and by compressing the responses with a random projection. The right triangular equivalence certificate plays here a central role, ensuring the lexicographic minimality of . More precisely, the Verifier chooses a vector uniformly at random and sends it to the Prover. Then, for each index the Prover computes the linear combination of the first columns of using the first coefficients of and has to prove that it can be generated from the columns . This means, find a vector solution to the system:
[TABLE]
Equivalently, find a strictly upper triangular matrix such that:
[TABLE]
Note that where (with by convention). In order to avoid having to transmit the whole upper triangular matrix , the Verifier only checks a random projection of it, using the triangular equivalence Certificate 4. We then propose the certificate in Figure 9.
Theorem 4.21.
For and , certificate 9 is sound, with probability larger than , perfectly complete, with a Prover computational cost bounded by , a communication space complexity bounded by and a Verifier cost bounded by .
Proof 4.22.
If the Prover is honest, the protocol corresponds first to an application of Theorem 4.20 to certify that is a set of independent columns. This certificate is perfectly complete. Second the protocol also uses challenges from Certificate 7, which is perfectly complete, together with Certificate 4, which is perfectly complete as well. The latter certificate is used on , a regular submatrix, as is a set of independent columns of . The final check then corresponds to and, overall, Certificate 9 is perfectly complete.
If the Prover is dishonest, then either the set of columns in are not linearly independent, which will be caught by the Verifier with probability at least , from Theorem 4.20, or is not lexicographically minimal, or the rank of is not . If the rank is wrong, it will not be possible for the prover to find a suitable . This will be caught by the verifier with probability , from Theorem 3.8. Finally, if is not lexicographically minimal, there exists at least one column for some fixed such that form a set of linearly independent columns of . This means that , whereas it was expected to be . Thus, the prover cannot reconstruct a suitable triangular and this will be detected by the verifier also with probability , as shown in Theorem 3.8.
The Prover’s time complexity is that of computing a decomposition of . The transmission of and yields a communication space of . Finally, in addition to Protocol 8, the Verifier computes as a prefix sum with additions, multiplies it by , then subtracts at the correct positions and finally multiplies by for a total cost bounded by .
4.3 Rank profile matrix certificate
We propose an interactive certificate for the rank profile matrix based on [8, Algorithm 4]: first computing the row and column support of the rank profile matrix, using Certificate 9 twice for the row and column rank profiles, then computing the rank profile matrix of the invertible submatrix of lying on this grid.
In the following we then only focus on a certificate for the rank profile matrix of an invertible matrix. It relies on an LUP decomposition that reveals the rank profile matrix. From Theorem 2.4, this is the case if and only if is upper triangular. Protocol 10 thus gives an interactive certificate that combines Certificate 6 for a LDUP decomposition with a certificate that is upper triangular. The latter is achieved by Certificate 4 showing that and are left upper triangular equivalent, but since is unknown to the Verifier, the verification is done on a random right projection with the vector used in Certificate 6.
Theorem 4.23.
Protocol 10 is sound, with probability greater than , and perfectly complete. The Prover cost is field operations, the communication space is bounded by and the Verifier cost is bounded by .
Proof 4.24.
If the Prover is dishonest and is not upper triangular, then let be the lexicographically minimal coordinates such that and . Now either , and the verification will then fail to detect it with probability less than , from Proposition 3.15. Or one can write . If
[TABLE]
is not satisfied, then a random will fail to detect it with probability less than , since and are set before choosing for . At the time of committing , the value of is still unknown, hence is constant in the symbolic variable . Thus the -th coordinate in (7) is a nonzero polynomial in and therefore vanishes with probability when sampling the values of uniformly. Hence, overall if is not upper triangular, the verification will fail to detect it with probability at most .
Finally, the rank profile matrix of any matrix, even a singular one, can thus be verified with two applications of Certificate 9 (one for the row rank profile and one for the column rank profile, themselves calling Certificate 8 only once), followed by Certificate 10 on the selection of lexicographically minimal independent rows and columns. Overall this is operations for the Verifier, and communications.
References
- [1] H. Y. Cheung, T. C. Kwok, and L. C. Lau. Fast Matrix Rank Algorithms and Applications. Journal of the ACM, 60(5):31:1–31:25, Oct. 2013. doi:10.1145/2528404.
- [2] C. Costello, C. Fournet, J. Howell, M. Kohlweiss, B. Kreuter, M. Naehrig, B. Parno, and S. Zahur. Geppetto: Versatile verifiable computation. In 2015 IEEE Symposium on Security and Privacy, SP 2015, San Jose, CA, USA, May 17-21, 2015, pages 253–270, 2015. doi:10.1109/SP.2015.23.
- [3] C. L. Dodgson. Condensation of Determinants, Being a New and Brief Method for Computing their Arithmetical Values. Proceedings of the Royal Society of London, 15:150–155, 1866. URL: http://www.jstor.org/stable/112607.
- [4] J.-G. Dumas and E. Kaltofen. Essentially optimal interactive certificates in linear algebra. In K. Nabeshima, editor, ISSAC’2014, pages 146–153. ACM Press, New York, July 2014. doi:10.1145/2608628.2608644.
- [5] J.-G. Dumas, E. Kaltofen, E. Thomé, and G. Villard. Linear time interactive certificates for the minimal polynomial and the determinant of a sparse matrix. In X.-S. Gao, editor, ISSAC’2016, pages 199–206. ACM Press, New York, July 2016. doi:10.1145/2930889.2930908.
- [6] J.-G. Dumas, C. Pernet, and Z. Sultan. Simultaneous computation of the row and column rank profiles. In M. Kauers, editor, ISSAC’2013, pages 181–188. ACM Press, New York, June 2013. doi:10.1145/2465506.2465517.
- [7] J.-G. Dumas, C. Pernet, and Z. Sultan. Computing the rank profile matrix. In Yokoyama [17], pages 149–156. doi:10.1145/2755996.2756682.
- [8] J.-G. Dumas, C. Pernet, and Z. Sultan. Fast computation of the rank profile matrix and the generalized Bruhat decomposition. Journal of Symbolic Computation, 2016. in press. doi:10.1016/j.jsc.2016.11.011.
