Gap Additive Secure Polynomial Code

Updated 5 December 2025

GASP code is a family of polynomial codes that uses structured additive gaps in exponent choices to securely encode matrix products for distributed multiplication.
It leverages degree tables and arithmetic progression designs to minimize server requirements while guaranteeing T-security and efficient recovery of matrix blocks.
Extensions to quantum PDMM and GGASP offer rate enhancements and robustness, illustrating the method’s adaptability across diverse privacy and system regimes.

The Gap Additive Secure Polynomial (GASP) code is a family of polynomial codes for secure distributed matrix multiplication (SDMM) that achieves a favorable trade-off between privacy, communications overhead, and decoding complexity by means of a combinatorial arrangement of additive “gaps” in exponent choices. GASP codes operate by encoding matrix blocks as polynomials evaluated at specific points, such that any $T$ colluding servers (from $N$ total) learn nothing about the matrices, while the user can efficiently recover all submatrix products given responses from the servers. The code’s constructions leverage degree tables and careful arithmetic progression designs to minimize the required number of servers, with quantum generalizations that further optimize rates under additional feasibility constraints.

1. Secure Matrix Multiplication and Degree Table Framework

SDMM is the problem in which a user, lacking local resources, wishes to compute $C = AB$ for matrices $A$ and $B$ using $N$ servers, while protecting the privacy of $A$ and $B$ from any subset of $T$ colluding servers. The standard approach partitions $A$ and $B$ into $K$ and $L$ blocks, respectively. The user constructs two univariate encoding polynomials: $f(x) = \sum_{k=1}^K A_k\,x^{\alpha_k} + \sum_{t=1}^T R_t\,x^{\alpha_{K+t}}, \qquad g(x) = \sum_{\ell=1}^L B_\ell\,x^{\beta_\ell} + \sum_{t=1}^T S_t\,x^{\beta_{L+t}}$ with $\{R_t\}$ and $\{S_t\}$ as independent random masks. The user evaluates $f(x)$ and $g(x)$ at $N$ distinct points $\{a_n\}$ , and each server receives $(f(a_n), g(a_n))$ and returns the product $f(a_n)g(a_n)$ . The coefficients of $x^{\alpha_k+\beta_\ell}$ in $f(x)g(x)$ encode $A_kB_\ell$ .

A central structural tool is the degree table $PM_{i,j} = \alpha_i + \beta_j$ (of size $(K+T)\times(L+T)$ ), which records all resulting exponents in the product $f(x)g(x)$ . Achieving privacy and recoverability forces requirements on the arrangement and distinctness of these exponents, motivating the design of the “gap” structure that gives GASP codes their name (D'Oliveira et al., 2018, D'Oliveira et al., 2021).

2. GASP Construction: Gap Placement and Exponent Patterns

GASP codes select exponent vectors $\alpha$ and $\beta$ as structured arithmetic progressions, segmented by controlled “gaps.” For outer-product partitioning ( $A$ partitioned by rows, $B$ by columns), canonical choices are:

$\alpha$ prefix: $(0,1,\ldots,K-1)$ , suffix: arithmetic progression(s) chosen to produce $T$ “random” terms positioned to form non-overlapping security gaps.
$\beta$ prefix: $(0,K,2K,\ldots,K(L-1))$ , suffix: progression(s) offset to maximize distinctness and separation.

The explicit construction for $K=L=T=n$ in the “small GASP” regime is: $\alpha_i = i,\quad i=0,1,\dots, T-1,\qquad \beta_j = jT,\quad j=0,1,\dots,T-1,$ with “random” exponents appended as blocks to create disjoint intervals (gaps). The arithmetic structure ensures that any $T$ colluding servers receive shares corresponding to polynomials whose evaluated degrees have at least one block of length $T$ devoted solely to random coefficients, achieving perfect $T$ -security (D'Oliveira et al., 2018, D'Oliveira et al., 2021, Nomeir et al., 28 Nov 2025).

A generalization—GASP $_r$ —introduces the gap size parameter $r$ , controlling the arrangement of the random exponents in the degree table. By optimizing $r$ , one minimizes $N$ , the total number of evaluations (servers).

3. Decodability, Security, and Recovery Threshold

For correctness, the table’s $(K\times L)$ “upper-left” block (signal exponents corresponding to $A_kB_\ell$ products) must consist of pairwise-distinct entries, and these must not collide with any exponents associated with random masks. The download rate is $R_C=KL/N$ .

The conditions for a valid GASP code are:

$\forall (k, \ell)\in[K]\times[L],\, (i, j)\in[K+T]\times[L+T]$ with $(k, \ell)\neq(i, j)$ : $\alpha_k+\beta_\ell\ne\alpha_i+\beta_j$ (distinct exponents for all signal and random terms).
The extra exponents $\{\alpha_{K+1},\ldots,\alpha_{K+T}\}$ and $\{\beta_{L+1},...,\beta_{L+T}\}$ are mutually distinct among themselves (Nomeir et al., 28 Nov 2025).

Efficient algorithms for discovering optimal degree tables (integer programming, greedy search) validate the construction’s optimality for small and moderate parameter regimes, minimizing $N$ subject to the above constraints (D'Oliveira et al., 2021).

4. Extension to Quantum PDMM: Feasibility and Rate Doubling

Recent developments extend the classical GASP design to the quantum private distributed matrix multiplication (PDMM) model, where servers share an $N$ -partite entangled state and communicate over quantum channels (Nomeir et al., 28 Nov 2025). In this setting, the quantum protocol allows two independent instances to be encoded in each round (“super-dense coding”), potentially doubling the classical download rate to $R_Q=2KL/N^*$ .

A feasibility constraint is necessary: the largest consecutive chain (LCC) in the set of interference exponents in the degree table must satisfy $|LCC(\mathcal{J})|\geq\lceil N^*/2\rceil$ . If this is met, the protocol achieves $R_Q=2R_C$ . When the feasibility constraint fails, either $T$ is increased until it holds, or fully quantum-native codes using new exponent arrangements are adopted. Explicit constructions are provided for numerous high-privacy quantum settings, each yielding $R_Q>R_C$ .

A quadratic regression quantifies the minimal privacy parameter $T$ required for feasibility as a function of $K$ and $L$ —for $K=L$ , $T\approx0.5\,K^2-10^{-3}K+0.772$ (Nomeir et al., 28 Nov 2025).

5. Low-Privacy Regime and Comparisons to Other Code Families

In the regime $T<\min(K,L)$ , GASP is not rate-optimal. Alternative constructions—the cyclic-addition degree table (CAT) and discretely optimized GASP (DOG)—offer improved performance. Each is subject to the same quantum feasibility criterion, but only in specific parameter regimes (e.g., CAT $_2$ (2,2,2)) does the quantum rate doubling persist. When no classical $T$ -private code meets the feasibility requirement, additional dummy noise slots are introduced (enhanced privacy level $\bar{T}>T$ ) to force the desired interference structure and enable partial quantum gains (up to $1.5\times$ the classical rate) (Nomeir et al., 28 Nov 2025).

6. Generalizations: Grid Partitioning, GGASP, and Straggler Robustness

GASP can be extended to grid partitionings, leading to the Generalized GASP (GGASP) codes with explicit recovery thresholds and optimality properties for a broad class of distributed matrix multiplication problems (Karpuk et al., 2023). GGASP encodes both matrices over partitions indexed by $(K,M,L)$ , exploits similar gap structures, and achieves provable $T$ -security and decodability. Empirical results confirm that for moderate to large $T$ , GGASP outperforms previous polynomial-based and entangled polynomial codes.

Straggler-robustness is preserved: GGASP achieves the optimal threshold in the absence of privacy, and modular polynomial (MP) codes can outperform GGASP with respect to decoding cost and recovery flexibility when there are failures.

7. Summary of Key Results and Connections

GASP codes provide an explicit, tunable framework for constructing SDMM codes that are provably optimal or near-optimal in many regimes. The codes are grounded in combinatorial designs of degree tables and allow precise control over the download rate for required privacy thresholds (D'Oliveira et al., 2021, D'Oliveira et al., 2018).
In the quantum setting, rate doubling is achievable when the interference block in the degree table contains a sufficiently long consecutive chain; otherwise, tailored quantum-native code constructions or enhanced masking restore functionality (Nomeir et al., 28 Nov 2025).
GGASP extends the approach to grid partitions, preserving rate and privacy guarantees while allowing efficient decoding and robustness to stragglers (Karpuk et al., 2023).
Comparative studies confirm GASP and its generalizations outperform prior art in tested scenarios, and systematic construction methods are available for a wide range of matrix partition schemes and privacy levels.

References:

"Quantum Private Distributed Matrix Multiplication With Degree Tables" (Nomeir et al., 28 Nov 2025)
"GASP Codes for Secure Distributed Matrix Multiplication" (D'Oliveira et al., 2018)
"Degree Tables for Secure Distributed Matrix Multiplication" (D'Oliveira et al., 2021)
"Modular Polynomial Codes for Secure and Robust Distributed Matrix Multiplication" (Karpuk et al., 2023)