Security and Communication Networks

Volume 2018, Article ID 5275132, 15 pages

https://doi.org/10.1155/2018/5275132

## Confidentiality-Preserving Publicly Verifiable Computation Schemes for Polynomial Evaluation and Matrix-Vector Multiplication

^{1} School of Mathematics, Shandong University, Jinan, Shandong 250100, China

^{2} State Key Laboratory of Information Security, Institute of Information Engineering, Chinese Academy of Sciences, Beijing 100093, China

^{3} School of Engineering and Information Technology, University of New South Wales Defence Force Academy, Canberra, Australia

^{4} Centre for Computer and Computational Science, School of Computing and Mathematical Sciences, University of Greenwich, London, UK

Correspondence should be addressed to Jing Qin; nc.ude.uds@gnijniq

Received 4 December 2017; Revised 9 May 2018; Accepted 26 May 2018; Published 21 June 2018

Academic Editor: Mamoun Alazab

Copyright © 2018 Jiameng Sun et al. This is an open access article distributed under the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.

#### Abstract

With the development of cloud services, outsourcing computation tasks to a commercial cloud server has drawn the attention of various communities, especially in the Big Data era. Public verifiability offers a flexible functionality in real circumstances where the cloud service provider (CSP) may be untrusted or some malicious users may slander the CSP on purpose. However, sometimes the computational result is sensitive and is supposed to remain undisclosed in the public verification phase, while existing works on publicly verifiable computation (PVC) fail to meet this requirement. In this paper, we highlight the property of result confidentiality in publicly verifiable computation and present confidentiality-preserving publicly verifiable computation (CP-PVC) schemes for multivariate polynomial evaluation and matrix-vector multiplication, respectively. The proposed schemes work efficiently under the amortized model and, compared with previous PVC schemes for these computations, achieve confidentiality of the computational results while maintaining public verifiability. The proposed schemes are proved to be secure, efficient, and result-confidential. In addition, we provide the algorithms and an experimental simulation to show the performance of the proposed schemes, which indicates that our proposal is also acceptable in practice.

#### 1. Introduction

Outsourcing computation has become a significant service with the rapid development of Cloud Computing technology. It allows the service purchaser (whom we call the user), who has constrained computational power, to delegate complicated computational tasks to the service provider (which we call the cloud server) and to enjoy its practically unlimited computational resources in a pay-per-use manner. This brings great convenience to resource-constrained devices by reducing their computational overhead and has thus attracted significant interest in both industrial and academic communities. A number of large enterprise groups, such as Amazon, Google, and Alibaba, have launched their own Cloud Computing platforms to provide computation outsourcing services. What is more, in the Big Data era, the ability to deal with massive data has become a core competitive advantage, and outsourcing computation fits this demand precisely.

While the outsourcing computation paradigm enjoys numerous benefits, it also faces rigorous challenges [1]. To begin with, since the cloud server is commercialized, it may sometimes not perform the computation honestly but instead output a computationally indistinguishable result in order to save cost and increase its profit. Therefore, a basic requirement of outsourcing computation is to assure the correctness of the computational result. In other words, the user should have a way to verify the correctness of the output from the cloud server with overwhelming probability. Besides the untrustworthiness of the cloud server, misbehavior may also come from the user side. For example, a malicious user may deliberately claim that the output from the cloud server is incorrect and thereby slander the cloud service provider, even if the cloud server has performed the computation honestly. This is possible because the verification is done in a private manner. Therefore, it is preferable that the verification can be done publicly. That is to say, anyone besides the user himself is able to verify the output from the cloud server. With public verification, not only can the cloud server not cheat with an incorrect output, but the user also cannot claim the output from the cloud server incorrect for no reason, because the output is now witnessed and verified by everyone. Secondly, since the computational result is sometimes sensitive, it needs to be kept secret from every party except the user himself. Thus another challenge of outsourcing computation is to assure the confidentiality of the computational result, especially when the output from the cloud server can be verified publicly. Last but not least, the total workload of the user in a computation outsourcing procedure must be much less than that of accomplishing the computation task entirely by himself. We call this the requirement of efficiency. It is essential, because otherwise the outsourcing would be meaningless.

The evaluation of multivariate polynomials is one of the most fundamental computational tasks in scientific communities. In practice, many problems can be reduced to evaluating a certain polynomial on multivariate input, for example, evaluating an employee’s performance in a company or evaluating a person’s health condition. Matrix-vector multiplication is another fundamental and widely applied computational task, for example, in the Discrete Fourier Transform (DFT) and the Singular Value Decomposition (SVD). In the Big Data era, as the data to be processed grows ever larger, it is very likely that the storage required for evaluating multivariate polynomials or matrix-vector multiplication exceeds the available memory of the user’s computational devices, such as cell phones or portable laptops. Thus we need another way to fulfill these computational tasks securely and efficiently. Plenty of work has been done to seek secure and efficient outsourcing computation schemes for polynomials and matrix-vector multiplication. Fiore and Gennaro [2] proposed schemes to securely outsource the evaluation of multivariate polynomials and matrix-vector multiplication and to verify the corresponding result in a public manner. Unfortunately, one disadvantage of their proposal is the leakage of the final result: anyone is able to verify the correctness of the output from the cloud server and thereby obtain the result of the target evaluation. This is a drawback in practice when the result is sensitive, for example, the year-end bonus of an employee or the health condition of a person.

##### 1.1. Related Works

###### 1.1.1. Verifiable Computation

Verifiable computation (VC) was first proposed by Gennaro et al. [3]. In VC, only two parties are involved: the client, which processes the input data, and the server, which evaluates the target function on the value the client sends. The output of the server can be verified by the client only. Both the input and the output value of the function are private throughout the procedure. Gennaro et al. proposed a concrete VC scheme for arbitrary circuits using Yao’s [4] two-party computation scheme and Gentry’s [5] fully homomorphic encryption (FHE) scheme. After that, different VC schemes using FHE were proposed [6–8]. They made use of various techniques to achieve verifiability. However, applying FHE in practice incurs expensive overhead.

To avoid applying FHE and to improve efficiency, many papers [9–15] focused on VC schemes for various kinds of computation and have achieved outstanding results.

###### 1.1.2. Publicly Verifiable Computation

Different from VC, where the verification is done privately, publicly verifiable computation (PVC) allows anyone to verify the result output by the server. PVC allows more flexible application in the untrusted cloud environment than VC, mainly in two respects. One is to relieve the client of the verification workload. The other is the supervision of users: if the verification is only done privately, then once an incorrect result is claimed, it is hard to tell whether the server misbehaved or the user is intentionally slandering it; however, if the result can be verified publicly, the user’s slandering is easy to detect. PVC was first proposed by Parno et al. [16]. They constructed a PVC scheme for Boolean functions using KP-ABE schemes. After that, many PVC schemes were proposed [2, 17–19]. In 2012, Fiore et al. [2] proposed a PVC scheme for multivariate polynomial evaluation and matrix multiplication. Taking inspiration from Benabbas et al.’s [9] VC scheme, they used a pseudorandom function with closed form efficiency to generate the verification key efficiently, and they generalized the function to the multivariate case. Moreover, by leveraging the technique of bilinear maps, they improved the verification procedure from a private to a public manner. With a similar technique, Sun et al. [17] constructed batch verifiable computation schemes with public verification for polynomials and matrices that achieve simultaneous evaluation of multiple functions in one outsourcing phase. In 2016, Elkhiyaoui et al. proposed another solution for univariate polynomial evaluation and matrix multiplication. They leverage the idea of Euclidean division of polynomials to construct the structure of the verifiable computation, and the bilinear map technique is utilized to make the verification public. However, this idea is only suitable for the univariate polynomial scenario.
What is more, all the schemes mentioned above share the same disadvantage: anyone other than the user who verifies the result will surely obtain its concrete value. This is insecure in practice, since the result of a computation is often sensitive and the verification process is supposed to output a judgement on the correctness of the result rather than disclose the value itself. To overcome this, Alderman et al. [20] improved Parno et al.’s [16] scheme with a secret substitution bit and presented a PVC with a key distribution center (KDC) for Boolean functions. They also achieved other properties such as revocation based on this PVC with KDC [21, 22], but the secret substitution bit approach cannot be applied to other functions that have a large range.

##### 1.2. Our Contributions

In this paper, we present a modified PVC model that we consider to be more practical. It captures the confidentiality of the computational result, which we believe is an important property for practical use.

We present outsourcing schemes for securely and efficiently evaluating high degree multivariate polynomials and matrix-vector multiplication. Compared with existing outsourcing schemes for polynomials [2, 23] and matrix multiplication, our proposal simultaneously captures the properties of both public verifiability and result confidentiality. This allows more flexible application in practice.

We also provide the algorithms for our outsourcing schemes and run simulated experiments to show the efficiency of the proposed schemes.

This paper is an extension of its corresponding conference version [24]. In the revised version, we extend the CP-PVC scheme to the matrix-vector multiplication case. The resulting scheme is proved to achieve not only the properties of the polynomial case (i.e., security, public verifiability, and result confidentiality) but also input privacy. We ran corresponding simulated experiments, and the result is also acceptable for practice.

##### 1.3. Paper Organization

The remaining parts of the paper are organized as follows. Some necessary preliminaries for the proposed schemes are provided in Section 2. The framework of the proposed CP-PVC protocol is defined in Section 3. The concrete constructions of the CP-PVC schemes for polynomial evaluation and matrix-vector multiplication are presented, analyzed, and experimentally evaluated in Sections 4 and 5, respectively. The conclusion of the paper is in Section 6.

#### 2. Preliminaries

In this section, we provide some definitions about algebraic pseudorandom functions (PRFs) with closed form efficiency, bilinear maps, and some related notions. We also provide the computational assumptions that are used for the construction of our schemes.

##### 2.1. Algebraic PRF with Closed Form Efficiency

One of our main techniques is the PRF with closed form efficiency. A PRF is a function (denoted by ) that is generated from a secret seed . It has the properties of both randomness and computational efficiency. A closed form efficient PRF consists of algorithms (**KG**, ) that are defined as follows:

(i) **KG**: The randomized key generation algorithm takes as input the security parameter and outputs a tuple of parameters , where denotes the secret seed and denotes the public parameters that specify the domain and range of the function, respectively.

(ii) : The deterministic function evaluation algorithm takes as input the secret seed and the value and computes a value . We usually denote it by .

An algebraic PRF with closed form efficiency must satisfy the following properties:

(*Algebraic*) A PRF is algebraic if the range of forms an abelian group. We use multiplicative notation for the group operation.

(*Pseudorandom*) A PRF is pseudorandom if for every PPT adversary there holds where and is a random function.

(*Closed form efficiency*) Let **Comp** represent an arbitrary computation that takes as input random values and a vector of arbitrary values . Assume that the fastest algorithm to compute **Comp** takes time . Let be a tuple of arbitrary values taken from . Then a PRF is closed form efficient for (**Comp**, ) if there exists an algorithm such that and its running time is . When , we usually omit it from the subscript and write instead.

Here we only show the definition of PRF with closed form efficiency. We will give a concrete algorithm of PRF with closed form efficiency for multivariate polynomials in Section 3.

##### 2.2. Bilinear Map

Our constructions also use bilinear maps. Bilinear pairing is a powerful tool in noninteractive authentication and has been widely applied in both encryption and signature schemes [9, 25]. To be specific, let , and be finite cyclic multiplicative groups of order , and let be generators of and . A map is called a bilinear map if it satisfies the following properties:

Bilinearity: it holds that for all .

Nondegeneracy: there exist such that .

Computability: there exists an efficient algorithm to compute for any .

##### 2.3. Computational Assumptions

The computational assumption that is used for the construction of the PRF with closed form efficiency is decision linear (DL) assumption. We present the definition below.

*Definition 1 (decision linear assumption).* Let be a group of prime order . Given and , one defines the advantage of an algorithm in deciding the decision linear problem in as

One says that the decision linear assumption holds in if for every -time algorithm one has .

Note that the decision linear assumption holds in generic bilinear groups. The corresponding proof can be found in [26].

Next we present the definition of co-CDH, which is the basis for the security of our proposed schemes. The co-CDH assumption was first introduced in the BLS signature scheme presented by Boneh et al. [27], as a natural extension of the standard CDH problem to asymmetric bilinear pairings. It is defined as follows.

*Definition 2 (co-CDH assumption).* Let be as above in Section 2.2. Given random , one defines the advantage of an algorithm in solving the co-CDH problem in as

and one says that the co-CDH assumption holds in if for every -time algorithm one has .

Note that when , the co-CDH problem reduces to standard CDH.

#### 3. Modelling CP-PVC

We use an amortized model [16] to construct our CP-PVC scheme. That is, the user (denoted by S) invests a larger amount of computational work in a preprocessing phase in order to obtain efficiency during the computation outsourcing phase. The adversaries in a PVC protocol are of two types: the cloud server (denoted by ) and some “curious” verifiers (denoted by ). The former follows the lazy-but-honest model [28] and the latter the honest-but-curious model. This is reasonable since, in practice, a rational commercial cloud service will try to minimize the computation it needs to do to pass the verification algorithm, and passing the verification algorithm is its priority because only in this way does it get paid. Also, since the verification is public, there will be some curious verifiers that run the public verification algorithm and try to discover secret information about the final result value.

A difference between the framework of PVC proposed by Parno et al. [16] and ours is that we address the confidentiality of the computational result. In the public verification phase, a bit is output instead of the result value, and the result value is obtained in a later phase called private retrieval. To realize confidentiality, the user needs to process the target function in the preprocessing phase, obtain a secret key for retrieval, and keep it secret.

Let be a class of functions and . We define a confidentiality-preserving publicly verifiable computation (CP-PVC) protocol via the following five algorithms:

(i) KeyGen: The randomized key generation algorithm takes as input a security parameter and the function and outputs a secret key for the input delegation phase, an evaluation key for the cloud server to compute the outsourced message, and the public parameter . This is done by the client.

(ii) ProbGen: Given the public parameter , the secret key , and the input value , the randomized problem generation algorithm outputs a public value , which is the encoding of , together with a public verification key for nonclient parties to verify the correctness and a private retrieval key for the client to retrieve the final result . This is done by the client.

(iii) Compute: On input the evaluation key together with the value , the randomized computation algorithm outputs a value . This is done by the worker (cloud server).

(iv) PubVer: The deterministic public verification algorithm uses the public parameter and the public verification key to check whether the final result is correct and returns or accordingly. This is done by the nonclient verifiers.

(v) PrivRet: The deterministic private retrieval algorithm is run on input , , , and to compute a string . Here, the special symbol indicates that the public verification algorithm rejects the worker’s answer . This is done by the client.

A verifiable computation scheme should be both correct and secure. We give the definition of correctness and security in the following.

*Definition 3 (correctness).* A confidentiality-preserving publicly verifiable computation protocol is correct for a class of functions if, for any from , any tuple output by KeyGen, any chosen from Domain, any tuple output by ProbGen, and any output by Compute, the PubVer algorithm on input () outputs , and the PrivRet algorithm on input , and outputs .

The security of a verifiable computation requires that the worker is not able to output an incorrect value that passes the PubVer or the PrivRet algorithm. We give the formal definition via the following experiment.

*Definition 4 (security).* Let be a confidentiality-preserving publicly verifiable computation scheme for a class of functions , and assume that is a PPT adversary. Consider Experiment for any below: ; to , ; ; ; ; ; ; ; A confidentiality-preserving publicly verifiable computation scheme is secure for a class of functions if, for any from and any PPT adversary , it holds that

Here represents a negligible function in .

Next we give the confidentiality definition of CP-PVC, which is not defined in existing PVC frameworks [2, 16]. In this paper we focus on the confidentiality of the final result, which means that the adversaries cannot learn any information about the value from the value output by the Compute algorithm. Here the adversaries are the cloud server and any nonclient verifier. Since the cloud server has extra knowledge of the evaluation key compared with the nonclient verifiers, we only need to define result confidentiality against the cloud server; confidentiality against the cloud server implies confidentiality against the nonclient verifiers. Notice that we do not regard input privacy as a necessity in publicly verifiable computation. This is because, in some scenarios, the input data is obtained from public sources that can be accessed by anyone. However, we still present a loose definition of input privacy for multivariate functions, which we call -privacy. Intuitively, it means that, for a function with an input set of multiple independent variables, the probability that the adversary learns the values of a fraction of the input set is . The definitions are as follows.

*Definition 5 (result confidentiality).* A confidentiality-preserving publicly verifiable computation protocol is result-confidential for a class of functions if, for any from , any tuple output by KeyGen, any chosen from Domain, any tuple output by ProbGen, any output by Compute, and any PPT adversary , it holds that

*Definition 6 ( input privacy).* A confidentiality-preserving publicly verifiable computation protocol for a class of multivariate functions achieves input privacy if, for any from , any tuple output by KeyGen, any input set chosen from Domain, any tuple output by ProbGen, any output by Compute, and any PPT adversary , it holds that

Finally, we give the definition of efficiency. Informally speaking, efficiency means that the total computational cost on the client side when engaging in the CP-PVC scheme is less than that of executing the direct algorithm to compute the target function. In the amortized model, since KeyGen is run once and amortized over multiple function evaluations with different input values, this part of the computational overhead does not need to be counted.

*Definition 7 (efficiency).* A confidentiality-preserving publicly verifiable computation protocol for a class of multivariate functions is efficient if, for any from and any chosen from Domain, the total computational cost of the algorithms ProbGen and PrivRet is less than that of directly evaluating on .

#### 4. The CP-PVC Scheme for Polynomial Evaluation

In this section, we first review the construction of the PRF in [29], showing that it is closed form efficient for polynomials in variables with degree at most in each variable. Then we present the corresponding algorithm for evaluating the PRF and its closed form efficiency. After that, we give the concrete construction of our CP-PVC scheme for polynomial evaluation together with its analysis and experimental simulation.

##### 4.1. Algorithm for PRF with Closed Form Efficiency

Let be a group generator that takes as input a security parameter and outputs a description of a group with prime order. Consider any polynomial that has variables and degree at most in each variable. Then the polynomial has monomials in total. Index them with tuples , . We say that the construction of admits closed form efficiency for the following computation: where is the polynomial whose coefficients are the discrete logs of the values. If we set , then there exists an algorithm that can compute in time , instead of the regular running time .
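To make the closed form efficiency claim concrete, the following Python example (added here; it is not the paper's Algorithm 1 nor the exact PRF of [2, 29]) assumes a product-structured secret seed, one scalar k0 plus one scalar k[j][e] per variable j and degree e, over a constructed toy prime-order subgroup, and checks that the O(md) closed form of the polynomial of discrete logs agrees with the brute-force sum over all (d+1)^m monomials, both as a scalar and as a product of PRF values in the group. It also serves as an illustration of the closed form efficiency property defined in Section 2.1.

```python
"""Closed-form-efficient PRF for a multivariate polynomial (added illustration).
Assumed key structure (not from the paper): log_g F_K(i_1..i_m) = k0 * prod_j k[j][i_j].
Then sum_i log_g F_K(i) * x^i = k0 * prod_j sum_e k[j][e] * x_j^e, which needs O(m*d)
multiplications instead of touching all (d+1)^m monomials.
"""
import secrets
from itertools import product

# Constructed toy group: safe prime p = 2q + 1 and g = 4, a generator of the
# order-q subgroup of Z_p^*.  Exponents (discrete logs) therefore live in Z_q.
P, Q, G = 1019, 509, 4

def keygen(m: int, d: int) -> dict:
    """KG: draw the secret seed for m variables of degree at most d each."""
    rnd = lambda: secrets.randbelow(Q - 1) + 1          # nonzero scalar in Z_q
    return {"k0": rnd(), "k": [[rnd() for _ in range(d + 1)] for _ in range(m)]}

def prf_log(key: dict, idx: tuple) -> int:
    """Discrete log of F_K(idx), i.e. k0 * prod_j k[j][idx_j] mod q."""
    acc = key["k0"]
    for j, e in enumerate(idx):
        acc = acc * key["k"][j][e] % Q
    return acc

def prf(key: dict, idx: tuple) -> int:
    """F: the PRF value g^{prf_log(idx)} in the group."""
    return pow(G, prf_log(key, idx), P)

def rho_naive(key: dict, x: tuple, d: int) -> int:
    """rho(x) = sum over all (d+1)^m monomial indices i of log F_K(i) * x^i (slow)."""
    total = 0
    for idx in product(range(d + 1), repeat=len(x)):
        term = prf_log(key, idx)
        for j, e in enumerate(idx):
            term = term * pow(x[j], e, Q) % Q
        total = (total + term) % Q
    return total

def rho_closed_form(key: dict, x: tuple, d: int) -> int:
    """CFEval: the same rho(x) in O(m*d) without evaluating any individual PRF value."""
    acc = key["k0"]
    for j, xj in enumerate(x):
        inner, xe = 0, 1                                 # xe runs through x_j^0 .. x_j^d
        for e in range(d + 1):
            inner = (inner + key["k"][j][e] * xe) % Q
            xe = xe * xj % Q
        acc = acc * inner % Q
    return acc

def group_product_naive(key: dict, x: tuple, d: int) -> int:
    """prod_i F_K(i)^{x^i}, computed in the group one PRF value at a time (slow)."""
    acc = 1
    for idx in product(range(d + 1), repeat=len(x)):
        exp = 1
        for j, e in enumerate(idx):
            exp = exp * pow(x[j], e, Q) % Q
        acc = acc * pow(prf(key, idx), exp, P) % P
    return acc

def closed_form_matches(m: int, d: int, x: tuple) -> bool:
    """True iff the closed form agrees with both brute-force computations for a fresh key."""
    key = keygen(m, d)
    r = rho_closed_form(key, x, d)
    return r == rho_naive(key, x, d) and pow(G, r, P) == group_product_naive(key, x, d)

if __name__ == "__main__":
    # 3 variables, degree <= 2: 27 monomials versus 3 * 3 closed-form multiplications.
    print("closed form matches brute force:", closed_form_matches(3, 2, (5, 7, 11)))
```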

The proof of the above claim can be found in [2]. Here we show the algorithm for evaluating the PRF as well as the polynomial .

Let . The construction of the PRF is the following algorithm:

(i) **KG**: Run to generate a group description . Choose random values

The algorithm outputs

The domain of the function is , and the range is .

(ii) : Let be the input of the PRF. First interpret each as a binary string of bits. Then run Algorithm 1.