A Communication-Efficient Distributed Matrix Multiplication Scheme with Privacy, Security, and Resiliency

Abstract

Secure distributed matrix multiplication (SDMM) schemes are crucial for distributed learning algorithms where extensive data computation is distributed across multiple servers. Inspired by the application of repairing Reed–Solomon (RS) codes in distributed storage and secret sharing, we propose SDMM schemes with reduced communication overhead through the use of trace polynomials. Specifically, these schemes are designed to address three critical concerns: (i) ensuring information-theoretic privacy against collusion among servers; (ii) providing security against Byzantine servers; and (iii) offering resiliency against stragglers to mitigate computing delays. To the best of our knowledge, security and resiliency are being considered for the first time within trace polynomial-based approaches. Furthermore, our schemes offer the advantage of reduced sub-packetization and a lower server-count requirement, which diminish the computational complexity and download cost for the user.

1. Introduction

Large-scale matrix multiplication is a fundamental building block in today’s big data era, finding applications in various fields such as signal processing, wireless communication, and machine learning. With the increasing scale of large language models, computing on a single server is no longer feasible. Therefore, distributing large matrix computation tasks across multiple servers becomes a viable solution. In distributed computing, when all servers are considered trustworthy, the increased computation time primarily stems from two factors: (i) the need to await responses from slower servers (stragglers), and (ii) network congestion resulting from the transmission of large volumes of data. Furthermore, the situation becomes more complex when some servers are untrustworthy, especially if the computation includes sensitive information. In such a scenario, servers might share their received data to infer the contents of original matrices held by the user, which compromises the privacy of the user. This highlights the importance of researching communication-efficient SDMM schemes.

Polynomial codes were initially proposed by Yu et al. in [1] to mitigate the impact of stragglers on computation time in distributed matrix multiplication. Subsequent works [2,3,4,5,6] extended Yu et al.’s work by incorporating random matrices during the upload phase of polynomial codes, constructing information-theoretically secure SDMM schemes that meet specific privacy requirements with a minimal number of servers. Different schemes have also been introduced in [7,8,9,10]. The above efforts concern the scenario in which servers are untrustworthy. More generally, they are concerned with scenarios when servers are considered untrustworthy-but-useful, implying that some might deviate from the predefined algorithms. In this case, the system may not only have colluding servers but also Byzantine servers—those who intentionally or erroneously return incorrect results to the user for their own benefit, significantly impacting SDMM by yielding erroneous computation results and rendering the efforts of normal servers futile. An SDMM scheme is said to provide security against Byzantine servers if it can ensure the correctness of computation results even in the presence of Byzantine servers within the system. There are several schemes proposed in the literature [11,12,13] that address the challenges posed by stragglers and Byzantine servers. These schemes treat stragglers as erasures and Byzantine servers as errors within some linear codes. As a result, handling a straggling server requires one additional server, whereas addressing a Byzantine server necessitates two additional servers.

Repairing RS codes were first introduced in distributed storage systems by Guruswami et al. in [14], aiming to repair a failed node with lower communication overhead. It was further extended in [15] to address the repair problem of multiple failed nodes. In such systems, a large file is encoded into fragments before being distributed across multiple nodes. When a node fails, the system initiates a replacement node, which is required to recover the data stored at the failed node by receiving the necessary information from the remaining surviving nodes (helper nodes). The repair bandwidth is the total volume of data (in bits) required by the replacement node during the repair process. To minimize the repair bandwidth, the approach proposed in [14] utilizes trace polynomials, enabling the helper nodes to transmit only part of their contents to the replacement node while still ensuring precise data recovery. This approach involves breaking up a symbol in ${\mathbb{F}}_q^t$ into t symbols in ${\mathbb{F}}_q$, where t is referred to as sub-packetization. In order to recover the data in a failed node with as little repair bandwidth as possible, the repairing RS codes constructed in [16] are designed to meet the cut-set bound. It is worth noting that, as discussed in [15], SDMM is similar to repairing multiple failed nodes in a distributed storage system, where servers are analogous to helper nodes and the user is analogous to the replacement node.

Inspired by the work in [16], Machado et al. were the first to employ the field trace function in polynomial codes (FTP), constructing a communication-efficient fully X-private SDMM scheme [17]. This scheme ensures that the user can securely compute matrix multiplication $MN$ using $d=p_L+2L+2X-2$ servers without revealing any information about the matrices $M\in {\mathbb{F}}_{q^t}^{a\times b}$ and $N\in {\mathbb{F}}_{q^t}^{b\times c}$, even in the presence of up to X colluding servers. In order to meet the cut-set bound, this scheme possesses sub-packetization $t=p_1{p}_2\cdots p_L$, where L denotes the number of blocks in M, $\{p_1,p_2,\cdots ,p_L\}$ is a set of prime numbers in increasing order, and q is a prime power. It is widely recognized that minimizing sub-packetization is essential, as the time complexity of multiplication increases significantly with the size of the finite field. In [18], schemes based on trace polynomials and subspace polynomials for computing linear combinations of coded symbols were introduced. These schemes provide information-theoretic privacy for either M or N amidst X colluding servers, with sub-packetization $t\ge {log}_q\left({\displaystyle \frac{L+X-1}{q^s}}+L\right)+s$, under the condition $q^{t-s}>L$, where s is the dimension of the subspace. In many cases, the sub-packetizations in these schemes are smaller than those in [17]. It is noteworthy that the schemes in [18] are more suitable for distributed computation scenarios compared to FTP codes, as the user can directly obtain the desired value, while FTP codes require additional operations. However, the schemes outlined in [18] necessitate at least $d\ge L{q}^s+X-1$ servers, a requirement that poses challenges for practical implementation. Moreover, neither of the aforementioned schemes considered the robustness of SDMM against Byzantine servers and stragglers.

The comparison between our schemes and previous works is shown in

Table 1. Comparison of key parameters for different fully X-privacy SDMM schemes.

	Download Cost	Sub-Packetization t	Number of Servers d	Restrictions	Remark
FTP codes	$ac{\sum }_{i=1}^L{N}_L{\prod }_{m\in \{1,\cdots ,L\}\setminus \left\{i\right\}}{p}_m$ *	$t=p_1{p}_2\cdots p_L$	$p_L+2L+2X-2$	$q\ge d$	No
Scheme 1 in [18]	$\ge ac(L{q}^{t-1}+L+2X-1)$	$L+d\le q^t$	$\ge L{q}^{t-1}+L+2X-1$		No
Scheme 2 in [18]	$\ge ac(t-s)(L{q}^s+L+2X-1)$	$L+d\le q^t$	$\ge L{q}^s+L+2X-1$	$s<t$	No
Fully SDMM scheme in this paper	$\ge (2L+2X+t-2)Lac$	$NDA{\left(t\right)}_{{\mathbb{F}}_q}\ge L$ **	$\ge 2L+2X+t-2$	$q\ge d$	No
Scheme in Theorem 3 (i)	$\ge ((3L+2X-3)q^{t-1}+1)Lac$	$L+d=q^t$	$\ge q^{t-1}(3L+2X-3)$		Yes
Scheme in Theorem 3 (ii)	$\ge (q^{t-1}+2L+2X-2\mathit{\ell }-1)Lac$ ***	$L+d\le q^t$	$\ge q^{t-1}+2L+2X-2$		Yes

* $N_L=p_L+2L+2T-2$; ** $NDA{\left(t\right)}_{{\mathbb{F}}_q}$ means the number of distinct algebraic with degree t over ${\mathbb{F}}_q$; *** $\mathit{\ell }=\lceil {\displaystyle \frac{d-k+2}{2q^{t-1}}}\rceil$.

and discussed in more detail in Section 4 and  Section 5. Table 1 presents a comparison of FTP codes [17], the scheme proposed in [18], and our proposed schemes in terms of key parameters. Note that in Table 1, the header “Download cost” indicates the number of symbols from ${\mathbb{F}}_q$ that the user needs to download from the servers in the corresponding scheme. The header “Remark” specifies whether the fully X-privacy SDMM scheme is robust against Byzantine servers and stragglers.

Building on the discussions above, this paper proposes communication-efficient SDMM schemes that provide privacy against colluding servers, security against Byzantine servers, and resiliency against stragglers. Specifically, (i) in Section 4, the minimal polynomial is utilized to construct communication-efficient one-sided and fully X-privacy SDMM schemes; (ii) in Section 5, by refining the data returned by the servers to form an L-interleaved code, ensuring that our schemes provide security against Byzantine servers; (iii) by treating the impact of stragglers as erasures in linear codes, our schemes also demonstrate resiliency against straggler servers.

2. System Model and Problem Formulation

We consider a scenario where a user possesses matrices $M\in {\mathbb{F}}_{q^t}^{a\times b}$ and $N\in {\mathbb{F}}_{q^t}^{b\times c}$ and intends to securely compute their product $MN$ with the collaborative effort of d servers. The matrices M and N are respectively partitioned by columns and rows into L blocks, as follows:

$$M=\left[\begin{array}{cccc}{M}_1& M_2& \cdots & M_L\end{array}\right],N=\left[\begin{array}{c}{N}_1\\ N_2\\ ⋮\\ N_L\end{array}\right],$$

then $MN=M_1{N}_1+M_2{N}_2+\cdots +M_L{N}_L$. It can be observed that computing the product $MN$ is equivalent to computing $M_i{N}_i$ for all $i\in \{1,2,\cdots ,L\}$. The user connects to each server through a private link and assumes that these servers are untrustworthy-but-useful. To prevent any leakage of information about M and N to the servers, the user sends the securely encoded versions $m_j$ and $n_j$ of M and N to each server j, for $j\in \{1,2,\cdots ,d\}$. Upon receiving the encoded matrices, server j computes the response $E_j$ such that $MN=decode(E_1,E_2,\cdots ,E_d)$, where $decode$ is noted as the decoding function.

One of the key requirements in SDMM is to provide information-theoretic privacy for the matrices that the user possesses, even in the presence of X colluding servers. Information-theoretic privacy means that no matter how powerful the computational capabilities of these colluding servers are, they cannot gain any information about the matrices owned by the user. In this paper, we first study the one-sided privacy SDMM scheme with X colluding servers. In this scenario, matrix N is accessible to all servers, while matrix M is exclusively owned by the user. The primary objective is to securely compute $MN$ without disclosing any information about M to any X colluding servers. Moreover, the user is unaware of which X servers may potentially collude. As shown in Figure 1, let $\mathit{𝒳}=\{j_1,j_2,\cdots ,j_X\}\subset \{1,2,\cdots ,d\}$ be the index set of X colluding servers, and $m_{\mathit{𝒳}}\triangleq \{m_{j_1},m_{j_2},\cdots ,m_{j_X}\}$. These colluding servers intend to infer the contents of M from $m_{\mathit{𝒳}}$. To achieve information-theoretical X-privacy in a scheme, the encoded fragments $m_{\mathit{𝒳}},\forall \mathit{𝒳}\subset \{1,2,\cdots ,d\},|\mathit{𝒳}|=X$ must not leak any information about M, i.e.,

$$I(M;m_{\mathit{𝒳}})=0,\forall \mathit{𝒳}\subset \{1,2,\cdots ,d\},|\mathit{𝒳}|=X.$$

When both M and N are exclusively owned by the user, a scheme that securely computes $MN$ without disclosing any information about M and N to any X colluding servers is referred to as information-theoretically fully X-privacy. Let $\mathit{𝒳}=\{j_1,j_2,\cdots ,j_X\}\subset \{1,2,\cdots ,d\}$ denote the set of indices for the X colluding servers. In this case, $m_{\mathit{𝒳}}\triangleq \{m_{j_1},m_{j_2},\cdots ,m_{j_X}\}$ and $n_{\mathit{𝒳}}\triangleq \{n_{j_1},n_{j_2},\cdots ,n_{j_X}\}$ should not leak any information about M and N. The privacy constraint in this case is

$$I(M,N;m_{\mathit{𝒳}},n_{\mathit{𝒳}})=0,\forall \mathit{𝒳}\subset \{1,2,\cdots ,d\},|\mathit{𝒳}|=X.$$

One of the bottlenecks in distributed computing is network congestion caused by the transmission of large amounts of data during computation. Therefore, it is crucial to study matrix multiplication schemes with communication efficiency. This paper proposes a communication-efficient SDMM scheme that differs from traditional polynomial-based schemes. Let $\mathbb{E}$ be a t-degree extension field of a finite field $\mathbb{F}$. We incorporate the concept of repairing Reed–Solomon codes from distributed storage into distributed matrix multiplication. Specifically, each server j stores the evaluation of the polynomial $h\left(x\right)\in \mathbb{E}\left[x\right]$ at point ${\alpha }_j\in \mathbb{E}$, where $MN$ corresponds to the data stored on failed nodes. By carefully designing $h\left(x\right)$, a distributed matrix multiplication scheme that ensures X-privacy can be constructed. To reduce the amount of data transmitted over the network, the key tool in designing the communication-efficient SDMM scheme is the trace function. The trace function $T{r}_{\mathbb{E}/\mathbb{F}}:\mathbb{E}\to \mathbb{F}$ maps elements from $\mathbb{E}$ to $\mathbb{F}$. Specifically, the trace function $T{r}_{\mathbb{E}/\mathbb{F}}$ maps a t-dimensional vector over $\mathbb{F}$ to an element in $\mathbb{F}$. In summary, in the SDMM scheme proposed in this paper, server j does not send the full evaluation $h\left({\alpha }_j\right)$, but instead sends $T{r}_{\mathbb{E}/\mathbb{F}}\left(h\left({\alpha }_j\right)\right)$ to help the user compute $MN$, thereby reducing the amount of data transmitted in SDMM. Since the servers are considered untrustworthy-but-useful, the system may not only have colluding servers but also possible Byzantine servers who might return incorrect computation results $E_j+Z_j$ to the user, for some non-zero $Z_j$. Additionally, there may be stragglers in the system who fail to return the computation results on time. In Figure 1, servers 3 and 2 represent these two types of servers, respectively. Hence, when designing an SDMM scheme, multiple goals must to be considered, including reducing communication overhead, providing security against Byzantine servers, and mitigating the impact of stragglers on computation time.

Coding theory tools are employed to design a communication-efficient SDMM scheme that meets the aforementioned objectives. Specifically, as discussed previously, when the data returned by all servers forms a linear code, these tools can correct errors introduced by Byzantine servers and mitigate erasures caused by stragglers.

3. Preliminaries

Some notation and essential concepts are introduced in this section. In the rest of this paper, we write $\left[n\right]=\{1,2,\cdots ,n\}$.

Definition 1.

Let q be a prime power, ${\mathbb{F}}_q\left[x\right]$ be the polynomial ring over finite field ${\mathbb{F}}_q$. An RS code $RS(\Omega ,k)$ over ${\mathbb{F}}_q$ is defined as

$$RS(\Omega ,k)=\left\{{\left(f\left(\alpha \right)\right)}_{\alpha \in \Omega }:f\left(x\right)\in {\mathbb{F}}_q\left[x\right],deg\left(f\left(x\right)\right)<k\right\},$$

where $\Omega =\{{\alpha }_1,{\alpha }_2,\cdots ,{\alpha }_n\}$ and $n>k$.

The dual code of $RS(\Omega ,k)$ is a generalized RS code

$$GRS(\Omega ,n-k,V)=\left\{{\left(vh\left(\alpha \right)\right)}_{v\in V,\alpha \in \Omega }:h\left(x\right)\in {\mathbb{F}}_q\left[x\right],deg\left(h\left(x\right)\right)<n-k\right\},$$

where $V=\{v_1,v_2,\cdots ,v_n\}$ is determined by $\Omega$:

$$v_i=\prod _{m\in \left[n\right],m\ne i}{({\alpha }_i-{\alpha }_m)}^{-1}.$$

(1)

It is evident that

$$\sum _{i\in \left[n\right]}f\left({\alpha }_i\right)v_{i}h\left({\alpha }_i\right)=0.$$

(2)

Definition 2.

Let ${\mathbb{F}}_{q^t}$ be a t-extension field of ${\mathbb{F}}_q$. For any $\alpha \in {\mathbb{F}}_{q^t}$, the trace function $T{r}_{{\mathbb{F}}_{q^t}/{\mathbb{F}}_q}:{\mathbb{F}}_{q^t}\to {\mathbb{F}}_q$ of α is defined as $T{r}_{{\mathbb{F}}_{q^t}/{\mathbb{F}}_q}\left(\alpha \right)=\alpha +{\alpha }^q+{\alpha }^{q^2}+\cdots +{\alpha }^{q^{t-1}}$.

For ease of notation, we omit the subscript ${\mathbb{F}}_{q^t}/{\mathbb{F}}_q$ of the trace function when it is clear from the context.

Lemma 1

([19]). The trace function $Tr:{\mathbb{F}}_{q^t}\to {\mathbb{F}}_q$ satisfies

(i) 

$Tr(\alpha +\beta )=Tr\left(\alpha \right)+Tr\left(\beta \right)$, $\forall \alpha ,\beta \in {\mathbb{F}}_{q^t}$;

(ii) 

$Tr\left(a\alpha \right)=aTr\left(\alpha \right)$, $\forall a\in {\mathbb{F}}_q,\alpha \in {\mathbb{F}}_{q^t}$.

Since ${\mathbb{F}}_{q^t}$ can be regarded as a t-dimensional vector space over ${\mathbb{F}}_q$, let $\{u_1,u_2,\cdots ,u_t\}$ be an ${\mathbb{F}}_q$-basis for ${\mathbb{F}}_{q^t}$. There must exist a dual basis $\{{\tilde{u}}_1,{\tilde{u}}_2,\cdots ,{\tilde{u}}_t\}$ for ${\mathbb{F}}_{q^t}$ such that $Tr\left(u_i{\tilde{u}}_j\right)=1$ for $i=j$, and $Tr\left(u_i{\tilde{u}}_j\right)=0$, otherwise. Furthermore, for any $\alpha \in {\mathbb{F}}_{q^t}$, we have

$$\alpha =\sum _{i\in \left[t\right]}Tr\left(\alpha u_i\right){\tilde{u}}_i.$$

(3)

Let $\alpha \in {\mathbb{F}}_{q^t}$, $g\left(x\right)$ be a nontrivial polynomial over ${\mathbb{F}}_q\left[x\right]$. If $g\left(\alpha \right)=0$, then $\alpha$ is referred to as algebraic over ${\mathbb{F}}_q$.

Definition 3.

Let $𝒞$ be a linear code of length n over ${\mathbb{F}}_q$. Then the L-interleaved code of $𝒞$ is defined as

$${𝒞}^{\left(L\right)}=\left\{{\left({\mathbf{c}}_1,{\mathbf{c}}_2,\cdots ,{\mathbf{c}}_L\right)}^T:{\mathbf{c}}_i\in 𝒞,\forall i\in \left[L\right]\right\},$$

where ${\mathbf{c}}_i\in {\mathbb{F}}_q^{n\times 1}$.

4. SDMM Schemes with X Colluding Servers

In this section, all servers are considered untrustworthy, meaning they do not necessarily adhere faithfully to the pre-agreed protocol. We first focus on the one-sided SDMM scheme, where N is publicly available to all servers, and the user aims to securely compute $MN$ without disclosing any information about M to any X colluding servers. Subsequently, we refine this to develop a fully X-privacy SDMM scheme.

Throughout this section, let $B=\{{\beta }_1,{\beta }_2,\cdots ,{\beta }_L\}\subset {\mathbb{F}}_{q^t}$ be a set of distinct algebraic elements of degree t over ${\mathbb{F}}_q$, and let $A=\{{\alpha }_1,{\alpha }_2,\cdots ,{\alpha }_d\}\subseteq {\mathbb{F}}_q$. Additionally, let $U=\{u_1,u_2,\cdots ,u_t\}$ be an ${\mathbb{F}}_q$-basis of ${\mathbb{F}}_{q^t}$ and $\tilde{U}=\{{\tilde{u}}_1,{\tilde{u}}_2,\cdots ,{\tilde{u}}_t\}$ be the corresponding dual basis.

4.1. One-Sided X-Privacy SDMM Scheme

Theorem 1.

Algorithm 1 is a one-sided X-privacy SDMM scheme with a download cost of $dLac{log}_{2}q$ bits.

Algorithm 1 One-sided SDMM scheme with X colluding servers

Let $d\ge L+X+t-1$. The matrix $N\in {\mathbb{F}}_{q^t}^{b\times c}$ is available to all servers, whereas $M\in {\mathbb{F}}_{q^t}^{a\times b}$ is exclusively owned by the user. • Upload phase: The user partitions the matrix M by columns into L blocks of equal size as $M=\left[\begin{array}{cccc}{M}_1& M_2& \cdots & M_L\end{array}\right]$. Then, the user selects a random polynomial $$f\left(x\right)=f_0+f_{1}x+\cdots +f_{L+X-1}{x}^{L+X-1}\in {\mathbb{F}}_{q^t}\left[x\right]$$ (4) such that $f\left({\beta }_i\right)=M_i$ for $i\in \left[L\right]$, and calculates $f\left({\alpha }_j\right)$ to send to server j, where $j\in \left[d\right]$. • Download phase: The user downloads $E_j\left(f\left({\alpha }_j\right)\right)$ from server j, where $j\in \left[d\right]$ and $$\begin{array}{c}\hfill E_j\left(f\left({\alpha }_j\right)\right)={\left(Tr\left({\displaystyle \frac{f\left({\alpha }_j\right)N_i{\prod }_{m\in \left[d\right]}({\beta }_i-{\alpha }_m)}{{\alpha }_j-{\beta }_i}}\right)\right)}_{i\in \left[L\right]}.\end{array}$$ • Decoding phase: The user chooses $h_{i,\delta }\left(x\right)\in {\mathbb{F}}_q\left[x\right]$ as in (6). Then, $MN$ can be decoded as $$MN=-\sum _{\delta \in \left[t\right]}\sum _{j\in \left[d\right]}{\tilde{u}}_{\delta }{h}_{\left[L\right],\delta }\left({\alpha }_j\right)v_j^{\prime }·E_j\left(f\left({\alpha }_j\right)\right),$$ (5) where $v_j^{\prime }={\prod }_{m\in \left[d\right],m\ne j}{({\alpha }_j-{\alpha }_m)}^{-1}$.

Proof. 

Since N is a public matrix, servers partition N by rows into L blocks of equal size, so that $N={\left[\begin{array}{cccc}{N}_1^T& N_2^T& \cdots & N_L^T\end{array}\right]}^T$. Note that ${\beta }_i,i\in \left[L\right]$ is an algebraic with degree t over ${\mathbb{F}}_q$, then there must exist $h_{i,\delta }\left(x\right)\in {\mathbb{F}}_q\left[x\right]$ such that:

$$h_{i,\delta }\left({\beta }_i\right)=u_{\delta },$$

(6)

where $\delta \in \left[t\right]$ and $deg\left(h_{i,\delta }\left(x\right)\right)\le t-1$.

• Correctness of Algorithm 1:

Let $𝒞=RS(B\cup A,L+X)$ be an RS code over ${\mathbb{F}}_{q^t}$. Then $(f\left({\beta }_1\right),\cdots ,f\left({\beta }_L\right),f\left({\alpha }_1\right),\cdots ,f\left({\alpha }_d\right))\in 𝒞$, where $f\left(x\right)$ is a random polynomial that satisfies (4). Consider the dual code of $𝒞$:

$$\begin{array}{cc}\hfill {𝒞}^{\perp }=\left\{\right(v_{1}g\left({\beta }_1\right),\cdots ,v_{L}g\left({\beta }_L\right),v_{L+1}g\left({\alpha }_1\right),\cdots ,& v_{L+d}g\left({\alpha }_d\right)):\hfill \\ \hfill & g\left(x\right)\in {\mathbb{F}}_{q^t}\left[x\right],deg\left(g\left(x\right)\right)<d-X\},\hfill \end{array}$$

where $v_i={\prod }_{m\in \left[L\right],m\ne i}{({\beta }_i-{\beta }_m)}^{-1}{\prod }_{m\in \left[d\right]}{({\beta }_i-{\alpha }_m)}^{-1}$ for $i\in \left[L\right]$, and $v_{L+j}={\prod }_{m\in \left[L\right]}{({\alpha }_j-{\beta }_m)}^{-1}{\prod }_{m\in \left[d\right],m\ne j}{({\alpha }_j-{\alpha }_m)}^{-1}$ for $j\in \left[d\right]$. By (2) and (4), we have

$$\sum _{i\in \left[L\right]}f\left({\beta }_i\right)v_{i}g\left({\beta }_i\right)=\sum _{i\in \left[L\right]}{M}_i{v}_{i}g\left({\beta }_i\right)=-\sum _{j\in \left[d\right]}f\left({\alpha }_j\right)v_{L+j}g\left({\alpha }_j\right).$$

(7)

Now let $g_{\delta }\left(x\right)\in {\mathbb{F}}_{q^t}\left[x\right]$ be such that $g_{\delta }\left({\beta }_i\right)=v_i^{-1}{u}_{\delta }{N}_i$ for $i\in \left[L\right]$ and $\delta \in \left[t\right]$. By Lagrange interpolation, $g_{\delta }\left(x\right)$ can be expressed as follows:

$$g_{\delta }\left(x\right)=\sum _{i\in \left[L\right]}{v}_i^{-1}{u}_{\delta }{N}_i\prod _{m\in \left[L\right],m\ne i}{\displaystyle \frac{(x-{\beta }_m)}{({\beta }_i-{\beta }_m)}}\stackrel{\left(a\right)}{=}\sum _{i=1}^L{v}_i^{-1}{h}_{i,\delta }\left(x\right)N_i\prod _{m\in \left[L\right],m\ne i}{\displaystyle \frac{(x-{\beta }_m)}{({\beta }_i-{\beta }_m)}},$$

where $\left(a\right)$ follows from (6). Since $deg\left(g_{\delta }\left(x\right)\right)<L+t-1\le L+d-L-T$, we have

$$(v_1{g}_{\delta }\left({\beta }_1\right),\cdots ,v_L{g}_{\delta }\left({\beta }_L\right),v_{L+1}{g}_{\delta }\left({\alpha }_1\right),\cdots ,v_{L+d}{g}_{\delta }\left({\alpha }_d\right))\in {𝒞}^{\perp }.$$

(8)

By combining (7) and (8) and then applying a trace function to both sides of the resulting equation, we obtain the following:

$$\begin{array}{cc}\hfill Tr\left(u_{\delta }\sum _{i\in \left[L\right]}{M}_i{N}_i\right)& =-\sum _{j\in \left[d\right]}Tr\left(f\left({\alpha }_j\right)v_{L+j}{g}_{\delta }\left({\alpha }_j\right)\right)\hfill \\ \hfill & =-\sum _{j\in \left[d\right]}Tr\left(f\left({\alpha }_j\right)v_{L+j}\sum _{i\in \left[L\right]}{v}_i^{-1}{h}_{i,\delta }\left({\alpha }_j\right)N_i\prod _{m\in \left[L\right],m\ne i}{\displaystyle \frac{({\alpha }_j-{\beta }_m)}{({\beta }_i-{\beta }_m)}}\right)\hfill \\ \hfill & =-\sum _{j\in \left[d\right]}\sum _{i\in \left[L\right]}{h}_{i,\delta }\left({\alpha }_j\right)v_j^{\prime }Tr\left({\displaystyle \frac{f\left({\alpha }_j\right)N_i{\prod }_{m\in \left[d\right]}({\beta }_i-{\alpha }_m)}{{\alpha }_j-{\beta }_i}}\right).\hfill \end{array}$$

(9)

The last equality holds because $h_{i,\delta }\left({\alpha }_j\right)\in {\mathbb{F}}_q$ and $v_j^{\prime }={\prod }_{m\in \left[d\right],m\ne j}{({\alpha }_j-{\alpha }_m)}^{-1}\in {\mathbb{F}}_q$. Hence, the user can obtain $\{Tr\left(u_{\delta }MN\right),\delta \in \left[t\right]\}$ by utilizing $acL$ symbols over ${\mathbb{F}}_q$ sent by server j:

$$E_j\left(f\left({\alpha }_j\right)\right)={\left(Tr\left({\displaystyle \frac{f\left({\alpha }_j\right)N_i{\prod }_{m\in \left[d\right]}({\beta }_i-{\alpha }_m)}{{\alpha }_j-{\beta }_i}}\right)\right)}_{i\in \left[L\right]}.$$

Using (3), the user can obtain $MN$ directly as follows:

$$MN=\sum _{\delta \in \left[t\right]}{\tilde{u}}_{\delta }Tr\left(u_{\delta }MN\right)=-\sum _{\delta \in \left[t\right]}\sum _{j\in \left[d\right]}{\tilde{u}}_{\delta }{h}_{\left[L\right],\delta }\left({\alpha }_j\right)v_j^{\prime }·E_j\left(f\left({\alpha }_j\right)\right),$$

(10)

where $h_{\left[L\right],\delta }\left({\alpha }_j\right)=\left(h_{1,\delta }\left({\alpha }_j\right),h_{2,\delta }\left({\alpha }_j\right),\cdots ,h_{L,\delta }\left({\alpha }_j\right)\right)$ and “·” denotes the inner product. The download cost is $dLac{log}_{2}q$.

• One-sided X-privacy of Algorithm 1: Suppose the X colluding servers $\{j_1,j_2,\cdots ,j_X\}$ share the encoded pieces they each received from the user, with the aim of obtaining any information about M from the set $m_{\mathit{𝒳}}=\{m_{j_1},m_{j_2},\cdots ,m_{j_X}\}$. Note that $m_{j_{\mathit{\ell }}}$ is the evaluation of a random polynomial $f\left(x\right)=f_0+f_{1}x+\cdots +f_{L+X-1}{x}^{L+X-1}\in {\mathbb{F}}_{q^t}\left[x\right]$ at point ${\alpha }_{j_{\mathit{\ell }}}$, where $\mathit{\ell }\in \left[X\right]$ and $j_{\mathit{\ell }}\in \left[d\right]$. For any $\left[\begin{array}{cccc}{M}_1^{\prime }& M_2^{\prime }& \cdots & M_L^{\prime }\end{array}\right]\in {\mathbb{F}}_{q^t}^{a\times b}$, one can obtain a unique $f^{\prime }\left(x\right)\in {\mathbb{F}}_{q^t}\left[x\right]$ with degree $L+X-1$ by using the Lagrange interpolation formula such that $f^{\prime }\left({\beta }_i\right)=M_i^{\prime }$ for $i\in \left[L\right]$ and $f^{\prime }\left({\alpha }_{j_{\mathit{\ell }}}\right)=m_{j_{\mathit{\ell }}}$ for $\mathit{\ell }\in \left[X\right]$. This implies that the colluding servers learn nothing about $f\left({\beta }_i\right)=M_i$ for $i\in \left[L\right]$, i.e.,

$$I(M;m_{\mathit{𝒳}})=H\left(M\right)-H\left(M\right|m_{\mathit{𝒳}})\stackrel{\left(a\right)}{=}H\left(M\right)-H\left(M\right)=0,$$

where $\left(a\right)$ follows from the fact that $m_{\mathit{𝒳}}$ cannot determine any element in M. □

Remark 1.

According to Algorithm 1, upon receiving $E_j\left(f\left({\alpha }_j\right)\right)$ from all servers, the user can directly derive $MN$ by performing the operations as in (10). However, in FTP codes, $L-1$ additional addition operations are required after the trace operation to obtain $MN$. This implies a reduced decoding delay within our scheme.

Example 1.

Here, we present a toy example of Algorithm 1 with $q=11,L=2,X=6,d=11$, and $t=4$. Therefore, we operate over ${\mathbb{F}}_{{11}^4}$ (indeed, it suffices for the base field to be ${\mathbb{F}}_q$ provided that $q\ge 11$). Let β be an algebraic with degree of 4 over ${\mathbb{F}}_{11}$ such that ${\beta }^4+8{\beta }^2+10\beta +2=0$. Then $U=\{1,\beta ,{\beta }^2,{\beta }^3\}$ forms an ${\mathbb{F}}_{11}$-basis for ${\mathbb{F}}_{{11}^4}$, and the dual basis of U is $\tilde{U}=\{8{\beta }^3+3{\beta }^2+9\beta +9,8{\beta }^3+{\beta }^2+\beta +9,9{\beta }^2+\beta +3,4{\beta }^3+8\beta +8\}$. Let $B=\{\beta ,{\beta }^2\}$ be a set of two distinct algebraic elements of degree 4 over ${\mathbb{F}}_{11}$, and $A=\{0,1,\cdots ,10\}\subseteq {\mathbb{F}}_{11}$. Let the public matrix $N=\left[\begin{array}{cc}{\beta }^{787}& {\beta }^{7636}\\ {\beta }^{9799}& {\beta }^{13719}\end{array}\right]\in {\mathbb{F}}_{{11}^4}^{2\times 2}$.

• Upload phase: Let the private matrix that the user possesses be $M=\left[\begin{array}{cc}{\beta }^{8760}& {\beta }^{1520}\end{array}\right]\in {\mathbb{F}}_{{11}^4}^{1\times 2}$. Since $L=2$, the user selects a random polynomial $f\left(x\right)={\beta }^{11654}+{\beta }^{1332}x+{\beta }^{5327}{x}^2+{\beta }^{9564}{x}^3+{\beta }^{11930}{x}^4+{\beta }^{8951}{x}^5+{\beta }^{1829}{x}^6+{\beta }^{5462}{x}^7$, such that $f\left(\beta \right)={\beta }^{8760}=M_1,f\left({\beta }^2\right)={\beta }^{1520}=M_2$. Then the user sends $f\left({\alpha }_j\right),{\alpha }_j\in A$ to server j. After receiving $f\left({\alpha }_j\right)$, server j computes $E_j\left(f\left({\alpha }_j\right)\right)=\left(Tr\left(f\left({\alpha }_j\right)N_1{\gamma }_{1,j}\right),Tr\left(f\left({\alpha }_j\right)N_2{\gamma }_{2,j}\right)\right)$, where $N={\left[\begin{array}{cc}{N}_1^T& N_2^T\end{array}\right]}^T$ and ${\gamma }_{i,j}={\displaystyle \frac{{\prod }_{m\in \left[d\right]}({\beta }_i-{\alpha }_m)}{{\alpha }_j-{\beta }_i}}$, $i\in \left[2\right]$.
• Download phase: The user downloads $E_j\left(f\left({\alpha }_j\right)\right)$ from all servers.
• Decoding phase: The user chooses 8 polynomials over ${\mathbb{F}}_{11}$:

$$\begin{array}{cccc}{h}_{1,1}\left(x\right)=1,\hfill & h_{1,2}\left(x\right)=x,\hfill & h_{1,3}\left(x\right)=x^2,\hfill & h_{1,4}\left(x\right)=x^3,\hfill \\ h_{2,1}\left(x\right)=1,\hfill & h_{2,2}\left(x\right)=x^2+8x+2,\hfill & h_{2,3}\left(x\right)=x,\hfill & h_{2,4}\left(x\right)=x^3+8x^2+2x,\hfill \end{array}$$

such that $h_{i,\delta }\left({\beta }^i\right)={\beta }^{\delta -1}$ for $i\in \left[2\right]$ and $\delta \in \left[4\right]$. In summary, the user possesses the pre-computed values $v_j^{\prime }{h}_{\left[L\right],\delta }\left({\alpha }_j\right)$ and the received values $E_j\left(f\left({\alpha }_j\right)\right)$ from server j, as shown in

Table 2. The pre-computed values and received values in Example 1.

Sever j	A	${\mathit{v}}_{\mathit{j}}^{\prime }{\mathit{h}}_{\left[\mathit{L}\right],\mathit{\delta }}\left({\mathit{\alpha }}_{\mathit{j}}\right)$	${\mathit{E}}_{\mathit{j}}\left(\mathit{f}\left({\mathit{\alpha }}_{\mathit{j}}\right)\right)$
1	0	[10,10],[0,9],[0,0],[0,0]	[[10,4],[4,7]]
2	1	[10,10],[10,0],[10,10],[10,0]	[[6,3],[10,4]]
3	2	[10,10],[9,0],[7,9],[3,0]	[[9,9],[8,3]]
4	3	[10,10],[8,9],[2,8],[6,5]	[[0,4],[1,9]]
5	4	[10,10],[7,5],[6,7],[2,9]	[[7,3],[3,4]]
6	5	[10,10],[6,10],[8,6],[7,6]	[[4,3],[5,3]]
7	6	[10,10],[5,2],[8,5],[4,1]	[[2,1],[7,4]]
8	7	[10,10],[4,3],[6,4],[9,10]	[[3,10],[5,9]]
9	8	[10,10],[3,2],[2,3],[5,5]	[[2,3],[4,8]]
10	9	[10,10],[2,10],[7,2],[8,2]	[[4,3],[5,10]]
11	10	[10,10],[1,5],[10,1],[1,6]	[[1,5],[8,10]]

. By (9), the user obtains 4 different traces: $Tr\left(MN\right)=[9,9],Tr\left(\beta MN\right)=[7,7],Tr\left({\beta }^{2}MN\right)=[6,0]$, and $Tr\left({\beta }^{3}MN\right)=[3,2]$. Using the dual basis $\tilde{U}$, the user obtains the desired value:

$$MN=\sum _{\delta \in \left[4\right]}{\tilde{u}}_{\delta }Tr\left({\beta }^{\delta -1}MN\right)=\left[\begin{array}{cc}{\beta }^{7602}& {\beta }^{1438}\end{array}\right].$$

In this scenario ($L=2,X=6$), as shown in Table 2, the user downloads 44 symbols $E_j\left(f\left({\alpha }_j\right)\right)$ from the 11 servers over ${\mathbb{F}}_{11}$. This is fewer than the 64 symbols typically required in conventional methods and the 54 symbols required in Scheme 2 in [18].

4.2. Fully X-Privacy SDMM Scheme

In this subsection, a fully X-privacy SDMM scheme is proposed. This scheme ensures information-theoretic privacy for both M and N amidst possible collusion of X servers by choosing two random polynomials $m\left(x\right)$ and $n\left(x\right)$.

Theorem 2.

Algorithm 2 is a fully X-privacy SDMM scheme with download cost $dLac{log}_{2}q$ bits.

Algorithm 2 Fully SDMM scheme with X colluding servers

Let $d\ge 2L+2X+t-2$. In this model, both $M\in {\mathbb{F}}_{q^t}^{a\times b}$ and $N\in {\mathbb{F}}_{q^t}^{b\times c}$ are exclusively owned by the user. • Upload phase: The user partitions matrix M by columns and N by rows into L blocks as $M=\left[\begin{array}{cccc}{M}_1& M_2& \cdots & M_L\end{array}\right]$ and $N={\left[\begin{array}{cccc}{N}_1^T& N_2^T& \cdots & N_L^T\end{array}\right]}^T$. Then the user select two random polynomials $$\begin{array}{cc}\hfill m\left(x\right)& =m_0+m_{1}x+\cdots +m_{L+X-1}{x}^{L+X-1}\in {\mathbb{F}}_{q^t}\left[x\right],\hfill \\ \hfill n\left(x\right)& =n_0+n_{1}x+\cdots +n_{L+X-1}{x}^{L+X-1}\in {\mathbb{F}}_{q^t}\left[x\right],\hfill \end{array}$$ such that $m\left({\beta }_i\right)=M_i,n\left({\beta }_i\right)=N_i,i\in \left[L\right]$. The user then calculates $m\left({\alpha }_j\right),n\left({\alpha }_j\right)$ and sends these to server j, for $j\in \left[d\right]$. • Download phase: The user downloads $E_j(m\left({\alpha }_j\right),n\left({\alpha }_j\right))$ from server j, where $j\in \left[d\right]$ and $$E_j(m\left({\alpha }_j\right),n\left({\alpha }_j\right))={\left(Tr\left({\displaystyle \frac{m\left({\alpha }_j\right)n\left({\alpha }_j\right){\prod }_{m\in \left[d\right]}({\beta }_i-{\alpha }_m)}{({\alpha }_j-{\beta }_i)}}\right)\right)}_{i\in \left[L\right]}.$$ • Decoding phase: The user chooses $h_{i,\delta }\left(x\right)\in {\mathbb{F}}_q\left[x\right]$ as in (6). Then $MN$ can be decoded as follows: $$MN=-\sum _{\delta \in \left[t\right]}\sum _{j\in \left[d\right]}{\tilde{u}}_{\delta }{h}_{\left[L\right],\delta }\left({\alpha }_j\right)v_j^{\prime }·E_j(m\left({\alpha }_j\right),n\left({\alpha }_j\right)),$$ where $v_j^{\prime }={\prod }_{m\in \left[d\right],m\ne j}{({\alpha }_j-{\alpha }_m)}^{-1}$.

Proof. 

The proofs of correctness and privacy closely resemble those of Theorem 1, except that $f\left(x\right)$ is replaced by $m\left(x\right)n\left(x\right)$ in Algorithm 2. □

5. SDMM Schemes with Byzantine Servers

This section focuses on the robustness of X-privacy SDMM schemes against Byzantine servers and stragglers. The main idea is to utilize a novel parity-check polynomial, employing the same technique described in [20], to ensure that the data returned by servers form an L-interleaved code of an RS code. Hence, tools from coding theory can be used to correct the errors caused by Byzantine servers and erasures caused by stragglers. Notably, our scheme does not necessitate any additional servers to handle Byzantine and straggling servers.

Throughout this section, let $B=\{{\beta }_1,{\beta }_2,\cdots ,{\beta }_L\}$ and $A=\{{\alpha }_1,{\alpha }_2,\cdots ,{\alpha }_d\}$ be two distinct public sets over ${\mathbb{F}}_{q^t}$ and consider the RS code

$$𝒞=RS(B\cup A,k)=\left\{{\left(h\left(\gamma \right)\right)}_{\gamma \in B\cup A}:h\left(x\right)\in {\mathbb{F}}_{q^t}\left[x\right],deg\left(h\left(x\right)\right)<k\right\}$$

and its dual code ${𝒞}^{\perp }=GRS(B\cup A,L+d-k,V)$. Moreover, we impose the condition $d\ge q^{t-1}+k-1$ for further analysis. To enhance the robustness of the SDMM scheme against Byzantine servers, we define the parity-check polynomial of $𝒞$ as

$$g_{\delta }\left(x\right)=\sum _{i\in \left[L\right]}{v}_i^{-1}{\displaystyle \frac{Tr\left(u_{\delta }(x-{\beta }_i)\right)}{(x-{\beta }_i)}}{k}_i\prod _{m\in \left[L\right],m\ne i}{\displaystyle \frac{(x-{\beta }_m)}{({\beta }_i-{\beta }_m)}},$$

(11)

where $\delta \in \left[t\right]$ and $v_i$ is defined in (1). Observe that $g_{\delta }\left({\beta }_i\right)=u_{\delta }{v}_i^{-1}{k}_i$ for $i\in \left[L\right]$, $\delta \in \left[t\right]$ and $deg\left(g_{\delta }\left(x\right)\right)=q^{t-1}+L-2$. From $d\ge q^{t-1}+k-1$ and (2), we obtain

$$\sum _{i\in \left[L\right]}h\left({\beta }_i\right)v_i{g}_{\delta }\left({\beta }_i\right)=u_{\delta }\sum _{i\in \left[L\right]}h\left({\beta }_i\right)k_i=-\sum _{j\in \left[d\right]}h\left({\alpha }_j\right)v_{L+j}{g}_{\delta }\left({\alpha }_j\right).$$

(12)

Remark 2.

In the scenario where $h\left(x\right)=f\left(x\right)$ corresponds to the random polynomial in Algorithm 1, with $k_i=N_i$ for $i\in \left[L\right]$, the scheme ensures one-sided X-privacy. On the other hand, if $h\left(x\right)=m\left(x\right)n\left(x\right)$ represents the product of random polynomials in Algorithm 2, with $k_i=1$ for $i\in \left[L\right]$, the scheme becomes a fully X-privacy SDMM scheme.

By Remark 2 and applying a trace function to the both sides of (12), we have the following:

$$Tr\left(u_{\delta }MN\right)=-\sum _{j\in \left[d\right]}\sum _{i\in \left[L\right]}Tr\left(u_{\delta }({\alpha }_j-{\beta }_i)\right)s_{j,i},$$

(13)

where $s_{j,i}=Tr\left({\displaystyle \frac{h\left({\alpha }_j\right)v_{L+j}{v}_i^{-1}{k}_i}{({\alpha }_j-{\beta }_i)}}{\prod }_{m\in \left[L\right],m\ne i}{\displaystyle \frac{({\alpha }_j-{\beta }_m)}{({\beta }_i-{\beta }_m)}}\right)$.

From (3) and (13), it is evident that the user can obtain $MN$ after receiving $ℛ\triangleq {\left[\begin{array}{cccc}{\mathbf{s}}_1^T& {\mathbf{s}}_2^T& \cdots & {\mathbf{s}}_d^T\end{array}\right]}^T$, where ${\mathbf{s}}_j=\left[\begin{array}{cccc}{s}_{j,1}& s_{j,2}& \cdots & s_{j,L}\end{array}\right]\in {\mathbb{F}}_q^{a\times cL}$ represents the data sent by server $j,j\in \left[d\right]$ to the user, and $s_{j,i}\in {\mathbb{F}}_q^{a\times c}$ for all $i\in \left[L\right]$. To ensure that our scheme provides X-privacy while also being robust against Byzantine servers and resilient to stragglers, additional conditions are necessary so that the data from all servers forms an L-interleaved code. In other words, because the data transmitted by the servers forms an L-interleaved code, tools from coding theory can be used to correct errors introduced by Byzantine servers and handle erasures caused by stragglers. Specifically, for any $i\in \left[L\right]$, ${\tau }_i\triangleq (s_{1,i},s_{2,i},\cdots ,s_{d,i})$ is a codeword of an L-interleaved RS code. Since $s_{j,i}\in {\mathbb{F}}_q^{a\times c}$, according to the definition of L-interleaved codes, let $s_{j,i}^{({\mathit{\ell }}_1,{\mathit{\ell }}_2)}$ be the element in the ${\mathit{\ell }}_1$-th row and ${\mathit{\ell }}_2$-th column of $s_{j,i}$, where $\forall {\mathit{\ell }}_1\in \left[a\right]$ and $\forall {\mathit{\ell }}_2\in \left[c\right]$. Then $(s_{1,i}^{({\mathit{\ell }}_1,{\mathit{\ell }}_2)},s_{2,i}^{({\mathit{\ell }}_1,{\mathit{\ell }}_2)},\cdots ,s_{d,i}^{({\mathit{\ell }}_1,{\mathit{\ell }}_2)})$ forms a codeword of an RS code.

Figure 2 illustrates the responses from all servers in our scheme. As described above, each horizontal layer in Figure 2, ${\mathbf{s}}_j=\left[\begin{array}{cccc}{s}_{j,1}& s_{j,2}& \cdots & s_{j,L}\end{array}\right]$, represents the response from server j. After satisfying the necessary constraints, each vertical column in Figure 2, $(s_{1,i},s_{2,i},\cdots ,s_{d,i})$, forms a codeword in an L-interleaved RS code. In Figure 2, we use a purple layer to indicate that a server has returned incorrect data. For instance, server 2 in the figure returns $s_{2,i}+z_{2,i}$, where $z_{2,i}$ is a non-zero matrix. Consequently, the second symbol in the codeword ${\tau }_i$ is treated as an error. If a server fails to respond promptly, we use a blurred red layer to represent this server, as seen with server 4 in Figure 2, resulting in the fourth symbol in the codeword ${\tau }_i$ being treated as an erasure. The user can then utilize linear coding methods to address these errors and erasures to obtain ${\tau }_i$, and subsequently use Equation (13) to derive $MN$.

For the sake of clarity, we define ${\tau }_i\triangleq (s_{1,i},s_{2,i},\cdots ,s_{d,i})\in {\mathbb{F}}_q^{1\times d}$. It should be noted that this definition does not impact our proof, as when ${\mathbf{s}}_j$ is reshaped into a vector of length $acL$ in ${\mathbb{F}}_q$, and $s_{j,i}$ becomes an element in ${\mathbb{F}}_q$. Subsequently, we will demonstrate how to operate $ℛ$ to transform it into a codeword of an L-interleaved code of an RS code. Hence, the enhanced SDMM schemes possess security against Byzantine servers and the influence caused by stragglers. The results can be summarized by the following theorem.

Theorem 3.

For a fixed $i,i\in \left[L\right]$, consider ${\tau }_i=(s_{1,i},s_{2,i},\cdots ,s_{d,i})$:

(i) 

If $B\cup A={\mathbb{F}}_{q^t}$ and $d\ge \Delta$, then the minimum weight of ${\tau }_i$ is greater than $d-\Delta$, where $\Delta =(k+L-2)q^{t-1}$ and ${\left({({\alpha }_j-{\beta }_i)}^{q^{t-1}}{s}_{j,i}\right)}_{j\in \left[d\right]}\in RS(A,\Delta +1)$;

(ii) 

If $k\le d-2q^{t-1}+1$, then ${\tau }_i\in GRS(A,d-2\mathit{\ell }+1,V)$ for some V, where $\mathit{\ell }=\lceil {\displaystyle \frac{d-k+2}{2q^{t-1}}}\rceil -1$.

5.1. Enhanced SDMM Scheme with Full-Length RS Code

In this subsection, we let $B\cup A={\mathbb{F}}_{q^t}$, thus $V=(1,1,\cdots ,1)$. By (13), the user can obtain $\{Tr\left(u_{\delta }MN\right),\delta \in \left[t\right]\}$ by receiving $acL$ symbols over ${\mathbb{F}}_q$ from server j:

$${\mathbf{s}}_j={\left({\left(s_{j,i}\right)}_{i\in \left[L\right]}\right)}^T={\left({\left(Tr\left({\displaystyle \frac{h\left({\alpha }_j\right){\nu }_j{C}_i}{({\alpha }_j-{\beta }_i)}}\right)\right)}_{i\in \left[L\right]}\right)}^T,$$

where ${\nu }_j={\prod }_{m\in \left[L\right],m\ne i}({\alpha }_j-{\beta }_m)$ and $C_i=k_i{\prod }_{m\in \left[L\right],m\ne i}$${({\beta }_i-{\beta }_m)}^{-1}$.

Proposition 1.

For a fixed $i,i\in \left[L\right]$, if $d\ge \Delta$, then the minimum weight of ${\tau }_i$ is greater than $d-\Delta$.

Proof. 

Note that ${\left({({\alpha }_j-{\beta }_i)}^{q^{t-1}}{s}_{j,i}\right)}_{j\in \left[d\right]}$ can be represented as

$$\begin{array}{cc}\hfill {\left(F_i\left({\alpha }_j\right)\right)}_{j\in \left[d\right]}& ={\left({({\alpha }_j-{\beta }_i)}^{q^{t-1}}Tr\left({\displaystyle \frac{h\left({\alpha }_j\right){\nu }_j{C}_i}{({\alpha }_j-{\beta }_i)}}\right)\right)}_{j\in \left[d\right]}\hfill \\ \hfill & ={\left({({\alpha }_j-{\beta }_i)}^{q^{t-1}}\sum _{\delta \in \left[t\right]}{\left({\displaystyle \frac{h\left({\alpha }_j\right){\nu }_j{C}_i)}{({\alpha }_j-{\beta }_i)}}\right)}^{q^{\delta -1}}\right)}_{j\in \left[d\right]}\hfill \\ \hfill & ={\left({({\alpha }_j-{\beta }_i)}^{q^{t-1}-1}h\left({\alpha }_j\right){\nu }_j{C}_i+\cdots +{\left(h\left({\alpha }_j\right){\nu }_j{C}_i\right)}^{q^{t-1}}\right)}_{j\in \left[d\right]}.\hfill \end{array}$$

Hence,

$$F_i\left(x\right)={(x-{\beta }_i)}^{q^{t-1}-1}h\left(x\right)\prod _{m\in \left[L\right],m\ne i}(x-{\beta }_i)C_i+\cdots +{\left(h\left(x\right)\prod _{m\in \left[L\right],m\ne i}(x-{\beta }_i)C_i\right)}^{q^{t-1}}$$

is a polynomial with degree $\Delta =max\left\{q^{t-1}+k+L-3,\cdots ,(k+L-2)q^{t-1}\right\}$. Then

$${\left({({\alpha }_j-{\beta }_i)}^{q^{t-1}}{s}_{j,i}\right)}_{j\in \left[d\right]}\in RS(A,\Delta +1).$$

This completes the proof of Theorem 3 (i). □

5.2. Enhanced SDMM Scheme with Non-Full-Length RS Code

Proposition 1 applies only when $k<q-L+2$ and requires a full-length RS code. In this subsection, we study the properties of ${\tau }_i$ when k is large. For a non-full-length RS code, the $s_{j,i}$ in (13) is equal to $Tr\left({\displaystyle \frac{h\left({\alpha }_j\right){\nu }_j^{\prime }{C}_i^{\prime }}{{({\alpha }_j-{\beta }_i)}^2}}\right)$, where ${\nu }_j^{\prime }={\prod }_{m\in \left[d\right],m\ne j}{({\alpha }_j-{\alpha }_m)}^{-1}$ and $C_i^{\prime }=k_i{\prod }_{m\in \left[d\right]}$$({\beta }_i-{\alpha }_m)$.

Proposition 2.

For a fixed $i,i\in \left[L\right]$, ${\tau }_i=(s_{1,i},s_{2,i},\cdots ,s_{d,i})$ is a codeword of $GRS(A,d-2\mathit{\ell }+1,V)$ for some V.

Proof. 

Note that $\left(h\left({\alpha }_1\right),h\left({\alpha }_2\right),\cdots ,h\left({\alpha }_d\right)\right)\in RS(A,k)$. Let $g_{\delta ,i}^{(\mathit{\ell })}\left(x\right)={\displaystyle \frac{Tr\left(u_{\delta }{(x-{\beta }_i)}^{2\mathit{\ell }}\right)C_i^{\prime }}{{(x-{\beta }_i)}^2}}$, and let ℓ be an integer such that $1\le \mathit{\ell }<{\displaystyle \frac{d-k+2}{2q^{t-1}}}$. Since $deg\left(g_{\delta ,i}^{(\mathit{\ell })}\left(x\right)\right)=2\mathit{\ell }{q}^{t-1}-2<d-k$ and (2), we have

$$\begin{array}{cc}\hfill \sum _{j\in \left[d\right]}Tr\left(h\left({\alpha }_j\right){\nu }_j^{\prime }{g}_{\delta ,i}^{(\mathit{\ell })}\left({\alpha }_j\right)\right)& =\sum _{j\in \left[d\right]}Tr\left(Tr\left(u_{\delta }{({\alpha }_j-{\beta }_i)}^{2\mathit{\ell }}\right){\displaystyle \frac{h\left({\alpha }_j\right){\nu }_j^{\prime }{C}_i^{\prime }}{{({\alpha }_j-{\beta }_i)}^2}}\right)\hfill \\ \hfill & =\sum _{j\in \left[d\right]}Tr\left(u_{\delta }{({\alpha }_j-{\beta }_i)}^{2\mathit{\ell }}Tr\left({\displaystyle \frac{h\left({\alpha }_j\right){\nu }_j^{\prime }{C}_i^{\prime }}{{({\alpha }_j-{\beta }_i)}^2}}\right)\right)=\sum _{j\in \left[d\right]}Tr\left(u_{\delta }{({\alpha }_j-{\beta }_i)}^{2\mathit{\ell }}{s}_{j,i}\right)\hfill \\ \hfill & =Tr\left(u_{\delta }\sum _{j\in \left[d\right]}{({\alpha }_j-{\beta }_i)}^{2\mathit{\ell }}{s}_{j,i}\right)=0.\hfill \end{array}$$

Based on the final equality in the above equation, and (3), we have

$$\sum _{\delta \in \left[t\right]}{\tilde{u}}_{\delta }Tr\left(u_{\delta }\sum _{j\in \left[d\right]}{({\alpha }_j-{\beta }_i)}^{2\mathit{\ell }}{s}_{j,i}\right)=\sum _{j\in \left[d\right]}{({\alpha }_j-{\beta }_i)}^{2\mathit{\ell }}{s}_{j,i}=0.$$

The above equation can be Expressed in matrix form as follows:

$$\left[\begin{array}{cccc}{({\alpha }_1-{\beta }_i)}^2& {({\alpha }_2-{\beta }_i)}^2& \cdots & {({\alpha }_d-{\beta }_i)}^2\\ {({\alpha }_1-{\beta }_i)}^3& {({\alpha }_2-{\beta }_i)}^3& \cdots & {({\alpha }_d-{\beta }_i)}^3\\ ⋮& ⋮& \ddots & ⋮\\ {({\alpha }_1-{\beta }_i)}^{2\mathit{\ell }}& {({\alpha }_2-{\beta }_i)}^{2\mathit{\ell }}& \cdots & {({\alpha }_d-{\beta }_i)}^{2\mathit{\ell }}\end{array}\right]\left[\begin{array}{c}{s}_{1,i}\\ s_{2,i}\\ ⋮\\ s_{d,i}\end{array}\right]=0,$$

for $\mathit{\ell }=\lceil {\displaystyle \frac{d-k+2}{2q^{t-1}}}\rceil -1$. Hence, ${\tau }_i=(s_{1,i},s_{2,i},\cdots ,s_{d,i})\in GRS(A,d-2\mathit{\ell }+1,V)$ for some multiplier V. This completes the proof of Theorem 3 (ii). □

Remark 3.

In Theorem 3 (i), since ${\left({({\alpha }_j-{\beta }_i)}^{q^{t-1}}{s}_{j,i}\right)}_{i\in \left[d\right]}\in RS(A,\Delta +1)$, it is sufficient for the user to accurately obtain $MN$ by receiving the computation results from $\Delta +1$ normal servers. Hence, this scheme is capable of mitigating the impact of $d-\Delta -1$ stragglers on computation time or providing security against $\lceil {\displaystyle \frac{d-\Delta }{2}}\rceil$ Byzantine servers. Similarly, in Theorem 3 (ii), this scheme can at most eliminate the influence caused by $2\mathit{\ell }-1$ stragglers or provide security against ℓ Byzantine servers.

Example 2.

Here, we provide an example of a one-sided X-privacy scheme over ${\mathbb{F}}_{{11}^2}$ that is robust to Byzantine servers and stragglers, with parameters $d=95,L=2$, and $X=6$. Let β be algebraic with degree of 2 over ${\mathbb{F}}_{11}$ such that ${\beta }^2+7\beta +2=0$, then $U=\{1,\beta \}$ be the ${\mathbb{F}}_{11}$-basis for ${\mathbb{F}}_{{11}^2}$ and the dual basis of U is $\tilde{U}=\{{\beta }^{113},{\beta }^{42}\}$. Let $B=\{1,\beta \}$, $A=\{{\beta }^2,{\beta }^3,\cdots ,{\beta }^{96}\}$ and the public matrix $N=\left[\begin{array}{cc}{\beta }^{78}& {\beta }^{34}\\ {\beta }^{91}& {\beta }^{56}\end{array}\right]\in {\mathbb{F}}_{{11}^2}^{2\times 2}$.

• Upload phase: Let the private matrix that the user possesses be $M=\left[\begin{array}{cc}{\beta }^{118}& {\beta }^{116}\end{array}\right]\in {\mathbb{F}}_{{11}^2}^{1\times 2}$. Since $L=2,X=6$, the user selects a random polynomial with degree $L+X-1$ as $h\left(x\right)={\beta }^{45}+{\beta }^{78}x+{\beta }^{15}{x}^2+{\beta }^{92}{x}^3+{\beta }^{33}{x}^4+{\beta }^{56}{x}^6+{\beta }^{88}{x}^7$, such that $h\left(1\right)={\beta }^{118}=M_1,h\left(\beta \right)={\beta }^{116}=M_2$. Then the user sends $h\left({\alpha }_j\right),{\alpha }_j\in A$ to server j. Let

  $$g_{\delta }\left(x\right)={\displaystyle \frac{v_1^{-1}Tr\left(u_{\delta }(x-1)\right)N_1}{(x-1)}}{\displaystyle \frac{x-\beta }{1-\beta }}+{\displaystyle \frac{v_2^{-1}Tr\left(u_{\delta }(x-\beta )\right)N_2}{(x-\beta )}}{\displaystyle \frac{x-1}{\beta -1}},$$

  where $\delta \in \left[2\right]$. Since $deg\left(g_{\delta }\left(x\right)\right)=11<d+L-8$, we have

  $$\sum _{i\in \left[2\right]}h\left({\beta }_i\right)v_i{g}_{\delta }\left({\beta }_i\right)=u_{\delta }MN=-\sum _{j\in \left[95\right]}h\left({\alpha }_j\right)v_{2+j}{g}_{\delta }\left({\alpha }_j\right).$$

  Apply a trace function to both sides of the above equation:

  $$\begin{array}{cc}\hfill Tr\left(u_{\delta }MN\right)& =-\sum _{j\in \left[95\right]}Tr\left(h\left({\alpha }_j\right)v_{2+j}\sum _{i\in \left[2\right]}\left({\displaystyle \frac{v_i^{-1}Tr\left(u_{\delta }({\alpha }_j-{\beta }_i)\right)N_i}{({\alpha }_j-{\beta }_i)}}\prod _{m\in \left[2\right],m\ne i}{\displaystyle \frac{({\alpha }_j-{\beta }_m)}{({\beta }_i-{\beta }_m)}}\right)\right)\hfill \\ \hfill & =\sum _{j\in \left[95\right]}\sum _{i\in \left[2\right]}Tr\left(u_{\delta }({\alpha }_j-{\beta }_i)\right)Tr\left({\displaystyle \frac{h\left({\alpha }_j\right)N_i}{({\alpha }_j-{\beta }_i)}}\prod _{m\in \left[95\right],m\ne j}{\displaystyle \frac{({\beta }_i-{\alpha }_m)}{({\alpha }_j-{\alpha }_m)}}\right)\hfill \\ \hfill & =-\sum _{j\in \left[95\right]}\sum _{i\in \left[2\right]}Tr\left(u_{\delta }({\alpha }_j-{\beta }_i)\right)s_{j,i},\hfill \end{array}$$

  (14)

  where $s_{j,i}=Tr\left({\displaystyle \frac{h\left({\alpha }_j\right){\left({\prod }_{m\in \left[95\right],m\ne j}({\alpha }_j-{\alpha }_m)\right)}^{-1}{N}_i{\prod }_{m\in \left[95\right]}({\beta }_i-{\alpha }_m)}{{({\alpha }_j-{\beta }_i)}^2}}\right)$.
  Hence, after receiving $h\left({\alpha }_j\right)$, server j computes

  $$E_j\left(h\left({\alpha }_j\right)\right)=\left(s_{j,1},s_{j,2}\right)=\left(Tr\left({\displaystyle \frac{h\left({\alpha }_j\right){\nu }_j^{\prime }{C}_1^{\prime }}{{({\alpha }_j-1)}^2}}\right),Tr\left({\displaystyle \frac{h\left({\alpha }_j\right){\nu }_j^{\prime }{C}_2^{\prime }}{{({\alpha }_j-\beta )}^2}}\right)\right),$$

  where ${\nu }_j^{\prime }={\prod }_{m\in \left[95\right],m\ne j}{({\alpha }_j-{\alpha }_m)}^{-1},C_i^{\prime }=N_i{\prod }_{m\in \left[d\right]}({\beta }_i-{\alpha }_m)$.
• Download phase: The user downloads $E_j\left(h\left({\alpha }_j\right)\right)=(s_{j,1},s_{j,2})$ from all servers.
• Decoding phase: When the ${\left\{E_j\left(h\left({\alpha }_j\right)\right)\right\}}_{j\in \left[95\right]}$ downloaded by the user from all servers are error-free, the user can obtain $Tr\left(MN\right)=[8,0]$ and $Tr\left(\beta MN\right)=[2,6]$ by (14). According to (3) and $\tilde{U}$, the user can derive $MN$ as follows:

  $$MN={\beta }^{113}Tr\left(MN\right)+{\beta }^{42}Tr\left(\beta MN\right)=\left[\begin{array}{cc}{\beta }^{13}& {\beta }^{30}\end{array}\right].$$

  In this scenario, our scheme has one-sided 6-privacy. Moreover, based on the parameters provided in this example, we have:

  $$\left[\begin{array}{cccc}{\left({\beta }^{82}\right)}^2& {\left({\beta }^{41}\right)}^2& \cdots & 2^2\\ {\left({\beta }^{82}\right)}^3& {\left({\beta }^{41}\right)}^3& \cdots & 2^3\\ ⋮& ⋮& \ddots & ⋮\\ {\left({\beta }^{82}\right)}^8& {\left({\beta }^{41}\right)}^8& \cdots & 2^8\end{array}\right]\left[\begin{array}{cc}0& 5\\ 7& 3\\ ⋮& ⋮\\ 7& 9\end{array}\right]=\mathbf{0},\left[\begin{array}{cccc}{\left(b^{56}\right)}^2& {\left(b^{83}\right)}^2& \cdots & {\left(b^5\right)}^2\\ {\left(b^{56}\right)}^3& {\left(b^{83}\right)}^3& \cdots & {\left(b^5\right)}^3\\ ⋮& ⋮& \ddots & ⋮\\ {\left(b^{56}\right)}^8& {\left(b^{83}\right)}^8& \cdots & {\left(b^5\right)}^8\end{array}\right]\left[\begin{array}{cc}7& 0\\ 9& 1\\ ⋮& ⋮\\ 8& 0\end{array}\right]=\mathbf{0},$$

  (15)

  where $s_{1,1}={[0,5]}^T,s_{2,1}={[7,3]}^T,\cdots ,s_{95,1}={[7,9]}^T$ and $s_{1,2}={[7,0]}^T,s_{2,2}={[9,1]}^T,\cdots ,s_{95,2}={[8,0]}^T$ are the data sent from the servers. By (15), it is evident that for a fixed $i\in \{1,2\}$, $(s_{1,i},s_{2,i},\cdots ,s_{95,i})$ is a codeword in a 2-interleaved code of $GRS(A,88,V)$ for some V. Hence, according to coding theory, the scheme in this example also provides security against up to 4 Byzantine servers or resiliency against up to 7 stragglers.

6. Conclusions

This paper proposes novel communication-efficient SDMM schemes that leverage trace polynomials. As investigated in Section 4, the innovative use of minimal polynomials leads to low-degree parity-check polynomials, resulting in a reduction of the requisite number of servers for the one-sided X-privacy SDMM scheme to $d\ge L+X+t-1$ ($d\ge 2L+2X+t-1$ for fully X-privacy SDMM). Although the data transmission per server is L times that of previous work [18], the overall data transmitted across the network is reduced due to fewer involved servers. Furthermore, in Section 5, new parity-check polynomials are constructed to ensure that the data returned by servers form an L-interleaved code of an RS code. This enhancement endows our SDMM schemes with not only X-privacy but also security against Byzantine servers, potentially mitigating the effects of stragglers. Compared to other SDMM schemes based on trace polynomials, our proposed scheme features reduced sub-packetization and an appropriate number of servers, making it suitable for real-world applications. Additionally, this work is the first to consider the security and resiliency of SDMM schemes based on trace polynomials. Investigating the theoretical limits of the download cost in SDMM schemes, and proposing explicit SDMM schemes with lower download costs, represents a promising direction for future research.