**A Practical Approach to the Secure Computation of the Moore-Penrose Pseudoinverse over the Rationals**

*Niek J. Bouman and Niels de Vreede*

**Abstract: **Solving linear systems of equations is a universal problem. In the context of secure multiparty computation (MPC), a method to solve such systems, especially for the case in which the rank of the system is unknown and should remain private, is an important building block.

We devise an efficient and data-oblivious algorithm (meaning that the algorithm's execution time and branching behavior are independent of all secrets) for solving a bounded integral linear system of unknown rank over the rational numbers via the Moore-Penrose pseudoinverse, using finite-field arithmetic. I.e., we compute the Moore-Penrose inverse over a finite field of sufficiently large order, so that we can recover the rational solution from the solution over the finite field. While we have designed the algorithm with an MPC context in mind, it could be valuable also in other contexts where data-obliviousness is required, like secure enclaves in CPUs.

Previous work by Cramer, Kiltz and PadrĂ³ (CRYPTO 2007) proposes a constant-rounds protocol for computing the Moore-Penrose pseudoinverse over a finite field. The asymptotic complexity (counted as the number of secure multiplications) of their solution is $O(m^4 + n^2 m)$, where $m$ and $n$, $m\leq n$, are the dimensions of the linear system. To reduce the number of secure multiplications, we sacrifice the constant-rounds property and propose a protocol for computing the Moore-Penrose pseudoinverse over the rational numbers in a linear number of rounds, requiring only $O(m^2n)$ secure multiplications.

To obtain the common denominator of the pseudoinverse, required for constructing an integer-representation of the pseudoinverse, we generalize a result by Ben-Israel for computing the squared volume of a matrix. Also, we show how to precondition a symmetric matrix to achieve generic rank profile while preserving symmetry and being able to remove the preconditioner after it has served its purpose. These results may be of independent interest.

**Category / Keywords: **cryptographic protocols / secure multiparty computation, secure linear algebra, Moore-Penrose pseudoinverse, oblivious algorithms

**Original Publication**** (with minor differences): **ACNS 2020

**Date: **received 8 May 2019, last revised 23 Apr 2020

**Contact author: **niek bouman at rosemanlabs com, n d vreede at tue nl

**Available format(s): **PDF | BibTeX Citation

**Note: **Minor revision

**Version: **20200423:152057 (All versions of this report)

**Short URL: **ia.cr/2019/470

[ Cryptology ePrint archive ]