Blockchain Technologies for Decentralization and Forensics of Outsourcing Services
View this Special IssueResearch Article  Open Access
Mingyang Song, Yingpeng Sang, Yuying Zeng, Shunchao Luo, "BlockchainBased Secure Outsourcing of Polynomial Multiplication and Its Application in Fully Homomorphic Encryption", Security and Communication Networks, vol. 2021, Article ID 9962575, 14 pages, 2021. https://doi.org/10.1155/2021/9962575
BlockchainBased Secure Outsourcing of Polynomial Multiplication and Its Application in Fully Homomorphic Encryption
Abstract
The efficiency of fully homomorphic encryption has always affected its practicality. With the dawn of Internet of things, the demand for computation and encryption on resourceconstrained devices is increasing. Complex cryptographic computing is a major burden for those devices, while outsourcing can provide great convenience for them. In this paper, we firstly propose a generic blockchainbased framework for secure computation outsourcing and then propose an algorithm for secure outsourcing of polynomial multiplication into the blockchain. Our algorithm for polynomial multiplication can reduce the local computation cost to . Previous work based on Fast Fourier Transform can only achieve for the local cost. Finally, we integrate the two secure outsourcing schemes for polynomial multiplication and modular exponentiation into the fully homomorphic encryption using hidden ideal lattice and get an outsourcing scheme of fully homomorphic encryption. Through security analysis, our schemes achieve the goals of privacy protection against passive attackers and cheating detection against active attackers. Experiments also demonstrate our schemes are more efficient in comparisons with the corresponding nonoutsourcing schemes.
1. Introduction
As the development of the big data era, there is an increasing demand for largescale timeconsuming computations. Fortunately, with the emergence of cloud computing, computation outsourcing brings convenience to resourceconstrained users. They can outsource complex computing tasks into the cloud by paying a fee and avoiding buying expensive highperformance hardware. It not only improves the resource utilization in cloud but also brings economic benefits to resourceconstrained users. Nevertheless, the attractive computing scheme also causes security issues. A passive attacker in the cloud may be only curious about the privacy contained in the user’s outsourced data, while an active attacker may make malicious damage or forge the results to sabotage the computation. Even if there is no attacker, computing errors caused by cloud hardware failure and software errors, etc. should also be considered. Furthermore, it should not be a great burden for the user to check the correctness of the returned results from the cloud; otherwise, the efficiency benefit of outsourcing will be nullified. Therefore, the secure and efficient outsourcing of computations that can not only protect the privacy of users but also ensure the correct results has become a hot research topic.
Gentry proposed a homomorphic encryption algorithm based on ideal lattice [1] for the first time, providing us with a direction to solve the privacy issues in computation outsourcing. The direction is a secure computation outsourcing mode: encryptionoutsourcingdecryption (EOD). Even if we use the common EOD model, the device should also undertake the computations of secret key generation, encryption, verification, decryption, and so on, locally. These computations are also great burden for the resourceconstrained devices (such as mobile phones and IoT nodes).
Blockchain has attractive features such as transparency, traceability, decentralization, and immutability, which make it an optimal approach for applications intrinsically with untrusted natures, such as computation outsourcing. A central trusted entity is not required for the computation outsourcing based on blockchain. Information about the whole data exchange process, computations, users, and computational nodes is recorded and is traceable in blockchain. Besides, smart contract can be utilized to digitally facilitate the implementation of whole transaction, which greatly improves the speed of building applications on blockchain. However, privacy is still an issue in the computation outsourcing based on blockchain.
Owing to the low efficiency of fully homomorphic encryption algorithms, the general computation outsourcing mode based on EOD is impractical on the resourceconstrained devices. In this paper, we will outsource some complex computations in the fully homomorphic encryption using hidden ideal lattice (FHEHIL) [2] into a blockchain framework. The contributions of this paper can be summarized as follows:(1)We propose a framework of blockchainbased computation outsourcing, in which we can implement secure outsourcing for FHEHIL. The framework has a creditbased task allocation strategy, which will significantly reduce the probability of malicious nodes participating in computing.(2)We propose a secure outsourcing algorithm for polynomial multiplication, which reduces the local computation cost (including the cost on result verification) to . Previous work based on the Fast Fourier Transform (FFT) can only achieve for the local cost. Besides, the algorithm can not only detect cheating but also identify cheating nodes combining with blockchain. The result verification in the outsourcing algorithm does not cause extra burden.(3)We also extend the secure outsourcing algorithm of modular exponentiation, in [3], in our blockchainbased framework. The two algorithms for polynomial multiplication and modular exponentiation are employed in FHEHIL as basic operations, and the FHEHIL implementation on the blockchainbased framework can have higher efficiency compared with previous work.
2. Related Work
At present, research studies on secure outsourcing can be roughly divided into two directions. In one direction, a general outsourcing mechanism is studied. In this mechanism, a fully homomorphic encryption algorithm is designed and the EOD model is used to outsource any computations. After the work of Gennaro et al. [1], great progress has been made in the field of fully homomorphic encryption [4–6]. However, the fully homomorphic encryption algorithms have high computational complexity. Recently, there are many researches to reduce the computation cost of homomorphic encryption algorithm. For example, Su et al. accelerated the leveled RingLWE fully homomorphic encryption [7]. These research studies mainly focus on the efficiency of hardware. However, secure outsourcing complex computations of fully homomorphic encryption is a better way to improve efficiency for resourceconstrained devices.
In the other direction, specific outsourcing algorithms are designed for various scientific computations, e g., modular exponentiation, solution of largescale linear equations [8], bilinear pairings, and extend Euclidean. The Wei pairing and Tate pairing in algebraic curves are commonly used in key establishment and signature schemes in the field of cryptography. However, the computation of bilinear pairings is timeconsuming in resourceconstrained devices. Thus, many outsourcing schemes have been proposed [9–11]. To our knowledge, the scheme in [9] is the most efficient and secure till now. Because of the wide application in cryptography, the study on modular exponentiation is also a hot topic of research. Hohenberger and Lysyanskaya [12] proposed a modular exponentiation secure outsourcing scheme. Chen et al. [13] further improved its efficiency and verifiability. Ren et al. [14] proposed a scheme that only protects the privacy of exponent. Recently, Fu et al. [3] proposed a secure outsourcing scheme of modular exponentiation with hidden exponent and base. It has a stronger checkability. In cryptography, extended Euclidean algorithm is usually used to calculate modular inverse, which is widely used in RSA encryption algorithm. Similarly, Euclidean algorithm can be used to find the greatest common factor of two polynomials, which is commonly used in encryption algorithm based on Lattice. Zhou et al. [15] proposed the secure outsourcing algorithm of extended Euclidean algorithm.
Polynomial multiplication is likewise a commonly used operation in cryptography schemes, error correcting codes, and computer algebra. The complexity of polynomial multiplication is still a major open problem. Using the FFT, the local computation of polynomial multiplication can achieve the complexity of . Recently, some efficient polynomial multiplication methods based on the FFT are proposed. Harvey et al. proposed a faster method over finite fields when the degree of polynomials is less than [16]. The efficiency has been further improved in [17]. For the hardware utilization, Liu et al. designed a high hardware efficiency polynomial multiplication on fieldprogrammable gate array (FPGA) platform [18]. Hsu and Shieh proposed a method with less addition and multiplication [19] in 2020. Besides, there are also some research studies on reducing the space complexity of polynomial multiplication [20, 21]. However, the complexity of some research studies based on the acceleration of FFT remains at . Other methods using distributed computing to improve hardware utilization are not applied to the resourceconstrained device. Till now, there are few research studies on the secure outsourcing of polynomial multiplication.
Due to the characteristics of the blockchain and Bitcoin [22], there are lots of research studies and applications on blockchain in recent years including the secure outsourcing. Lin et al. studied the secure outsourcing for bilinear pairings based on blockchain [23]. Zheng et al. [24] proposed a secure outsourcing scheme for attributebased encryption on blockchain. There are also some schemes [25, 26] of outsourced data integrity verification. The fairness problem in blockchainbased secure multiparty computation was also solved by multiple efforts. For example, Gao et al. [27] proposed a scheme which realized fairness by maintaining an open reputation system. This type of general scheme for secure multiparty computation can be cumbersome for the problems in secure outsourcing computation.
Andrychowicz et al. [28] utilized only scripts in Bitcoin currency to construct a fair protocol for secure multiparty lotteries, without relying on a trusted third party. Zhang et al. proposed BCPay in [29] and BPay in [30] to achieve fair payment for blockchainbased outsourcing services, which are compatible with the Bitcoin and Ethereum platforms. However, these frameworks can only provide fairness between the client and a single server. They are applicable to the outsourcing scenarios where the task is outsourced to a single server from the client. In the problem of our work, the computation task needs to be outsourced to multiple computational nodes simultaneously. Therefore, we propose a new one, considering the penalty on the cheating nodes, compensation on the honest nodes, and application of a creditbased scheme.
3. Notations and Background
3.1. Notations
We use upper case bold letters for matrices and for the determinant of matrix . Lower case bold letters represent vectors (eg., ), where is the element in . We denote polynomial by lower case italics (eg., ). For a rational number , represents the nearest integer to . The rational vector can also be rounded to . We use for the polynomial form of the vector . We use for polynomial multiplication () on the ring. We use for the norm of and for the base of set . We use for correlation (). We use for the rotation matrix of whose row is the coefficients of . We use for the extended Euclidean algorithm on and . represents the degree of . We use to denote the coefficient set of Discrete Fourier transform (DFT) of and for the coefficient set of inverse DFT of .
3.2. Fully Homomorphic Encryption Using Hidden Ideal Lattice
The FHEHIL scheme [2] is described in Algorithm 1, including the components of key generation, encryption, and decryption. The related parameters are shown in Table 1.
As shown in Algorithm 1, it is obvious that polynomial multiplication is the primary computation in encryption and decryption. Therefore, our proposed algorithm for the secure outsourcing of polynomial multiplication can be directly applied. As for the key generation, the computing burden is from Step 7, 9, and 11. The main computational cost of Step 7 is on computing the determinant of matrix . The most timeconsuming operation in Step 9 is polynomial multiplication. Step 11 computes the inverse of polynomial. Below, we will analyze the detailed computations in Step 7 and 11 and demonstrate that polynomial multiplication and modular exponentiation are the main types of computations, which are the two improvement aims of this paper.
3.2.1. The Method of Computing in Algorithm 1
Because of the characteristic of , computing the determinant of matrix needs only times of polynomial multiplication using the method in [31]. is the free item of . Thus, , where is the root of in the complex domain and they satisfy equation (2). Due to equation (2), we have . Thus, the computation of mainly involves polynomial multiplications and modular exponentiations.
3.2.2. The Method of Computing in Algorithm 1 When Is a Prime
In the algorithm of FHEHIL, if is a prime, we can obtain by performing once. The extended Euclidean algorithm computes to get , , and , satisfying . The specific procedures of secure outsourcing for extended Euclidean algorithm [15] are summarized in Algorithm 2. It can be seen that the local computations of this algorithm consist of mostly modular exponentiation and polynomial multiplications. Detailed analysis of Algorithm 2 can be found in [15].
3.2.3. The Method of Computing in Algorithm 1 When Is Not a Prime
When d is not a prime, the fastest method to calculate polynomial inverse at present is Gentry’s method in [31]. The method is based on fast Fourier transform and halves the number of terms in each step to offset the doubling of the bit length of the coefficients. This method relays on , where n is a power of 2. The method is analyzed as follows.
Firstly, the second coefficient of polynomial can be computed, where is the ith root of in the complex domain. We can get . Secondly, can be constructed. Then, the second coefficient ) of polynomial can be computed. We can get . Finally, other coefficients of can be computed by
Since is a power of 2 in , the roots satisfy equation (2). In the process of computing coefficients and , the major computations are also polynomial multiplications and modular exponentiations.


4. The Framework of BlockchainBased Computation Outsourcing
This section introduces a blockchainbased computation outsourcing framework. The overall system model is illustrated in Figure 1, and the related symbols are described in Table 2. In Figure 1, we assume that, at least, one trusted third party is available to implement the smart contract. This is a generic model on which a variety of computational tasks can be implemented, including the tasks of secure outsourcing of polynomial multiplication and modular exponentiation. The two specific tasks will be given in details in the rest of this paper.
4.1. Registration
Users and computational nodes need to register before joining the network. They need to pay deposits in advance, the amount of which needs to be greater than a specified threshold or they will be rejected. The smart contract initializes the same credit score to all new nodes and users. After registration, information of users and computational nodes is written to the smart contract. The specific function is shown as Algorithm 3. In this algorithm, addr[p] is the deposit account of node p in the smart contract. Node p’s asset privacy is protected because it is unnecessary for him to expose his total asset to the smart contract.



4.2. Computational Service
User posts computing tasks, data, and rewards of each task to the smart contract. If the account balance of is insufficient for the computations, smart contract refuses this service and reduces the credit score of , to prevent malicious users from attacking the smart contract by constantly sending tasks that they cannot afford to. After the smart contract accepts the tasks of , the user’s computing tasks are stored in the task queue and wait for the selection of computational nodes.
To achieve a high benefit, the computational nodes will be active to undertake computing tasks. If multiple computational nodes select the same task at the same time, the node with the highest credit score will win the task. Nodes that undertake the computing task should submit the results after completing. If any computational node cannot finish on time, it will be added to the dishonest set. If all computational nodes can submit the results on time, the smart contract sends the results to user and initiates the period of dispute resolving. During this period, the user needs to verify the results locally and notify the smart contract whether the results are accepted or not. If the period of dispute ends and there is no feedback received from the user, the smart contract assumes that the computations succeed and performs the reward and charge operations. If the user does not accept the results in the feedback, the smart contract will verify the results by itself. The specific function is shown as Algorithm 4.

4.3. Verification and Payment
If the user does not accept the computing results, the smart contract will perform verification operations to find dishonest nodes or users. In the verification, he will simulate all computations required by the user on the encrypted data uploaded by the latter. This means he will repeat exactly every step the computational nodes have carried out, so as to find which step is not correct and who is cheating. Decryptions are not required in the simulation, and thus, the data privacy of the user is protected.
To complete the verification, the smart contract should be equipped with the same function modules as those of the computational nodes. For example, in the secure outsourcing of polynomial multiplication, a function should be added into the smart contract to simulate the FFT/IFFT operations on the data uploaded by the user in case of disputes.
The dishonest nodes and users will be put into the dishonest set. If no one is put into the dishonest set, the user will pay the reward to all participating nodes. Otherwise, cheating nodes will be penalized and the honest nodes will be compensated. The credit score of the participating nodes that have correctly completed their tasks will increase, while the credit score of the malicious nodes will decrease. When the account balance of a node is lower than the threshold value or its credit score is reduced to zero, the system will remove it. The specific function is shown as Algorithm 5.
A malicious user with enough balance may constantly initiate transactions, aiming to increase the burden of the smart contract. However, he cannot refuse to pay because his deposit account is managed by the smart contract. By setting up a suitable threshold in the registration, sooner or later his balance will be used up by his attack.

4.4. Security Analysis
Both the malicious user nodes and computational nodes can launch attacks to the framework, but their strategies are different. The malicious user nodes could launch a DDoS attack. A malicious computational node could destroy the computation by returning forged results or not returning any result.
The user nodes could employ two ways to launch a DDoS attack. One is to continuously publish the tasks that the user actually cannot afford to; the other is to maliciously inform the smart contract that the results are not accepted during the dispute resolving period. For the first attack, the smart contract will refuse to add the computing tasks and data to the queue and reduce the credit score of the user. Moreover, when the node’s credit score drops below 0, the node will be removed. We can increase in the function of TASK UPLOAD to remove malicious users as soon as possible. For the second attack, the smart contract has to simulate the computations of all nodes participating in the outsourcing according to the data and records. This attack has a greater impact on the smart contract, but it brings more loss to the attackers (including the financial punishment). Similarly, we can increase in Algorithm 5 to mitigate the impact on smart contracts.
The computational nodes also have two ways to deploy attack: returning forged results or not returning any result. The cost of both attacks is the same (in financial and credit punishment). Since forged results render the smart contract to simulate the computations of all nodes, rational computational nodes prefer to attack by returning forged results, rather than return nothing. Similarly, we can increase and in Algorithm 5 to mitigate the impact on smart contracts. The proposed framework adopts a task allocation strategy based on credit scores. When malicious nodes are found, their credit score is reduced, and their probability of obtaining computing tasks in the next time is also reduced. We assume there are enough computational nodes which are willing to return correct results to fulfil the requirement of outsourcing, under the incentives of achieving financial and credit reward.
4.5. Compatibility Analysis
We know that the Bitcoin script is not Turingcomplete, and Ethereum has a complete programming language on the blockchain to execute more complex smart contracts. It is easy to see that our framework is compatible with opcodes allowed by the Ethereum blockchain. Since the function of Verification and Payment (Algorithm 5) involves loops, which are not allowed by the Bitcoin script, our framework is not compatible with opcodes of the Bitcoin blockchain.
5. Polynomial Multiplication and Modular Exponentiation Secure Outsourcing Algorithm
5.1. Polynomial Multiplication Secure Outsourcing Algorithm
The computational complexity of traditional polynomial multiplication is , which is reduced to by the FFT. In this section, we employ secure outsourcing to further reduce the local computational complexity to . The outsourcing is implemented in our proposed framework of blockchainbased secure computation outsourcing. The main idea of our algorithm is as follows. Firstly, the Fourier transform of the polynomial coefficients are securely outsourced. Secondly, correlation operation on the results of the Fourier transform is locally performed. Finally, the inverse Fourier transform on result of the correlation operation are securely outsourced. The specific process of our algorithm is shown as Algorithm 6.
5.1.1. Description
In Algorithm 6, the input polynomials are and . The output is . For convenience, polynomials are replaced with vectors of polynomial coefficients (, , and ). Besides, , in this section. We use computational nodes in this algorithm, where p is a parameter associated with the number of computational nodes. There are six steps in the algorithm:(1)Six parameters are picked randomly, three of which are and . The other three are . We define that can generate one ndimensional vector in which the element is , and all the other elements are zeros. We define that can generate a random matrix satisfying . Then, the user generates , , , , , , and . In this way, one must know to recover from or and know to recover from or .(2)The user uploads the data (, , , and ) and task requirement (i.e., FFT) to smart contract, by the function TASK UPLOAD. The smart contract calls the function TASK ALLOCATION and distributes the vectors in , , , and to and computational nodes. After receiving the vectors, the computational nodes perform the Fourier transform on the received vectors and call the function RESULT UPLOAD. The smart contract collects the results and returns , , , and to the user by calling the function RETURN RESULT. Meanwhile, the user locally computes and which are Fourier transform of and and inverse Fourier transform of , respectively. Because there is only one nonzero coefficient in , as well as and , we simplify the DFT/IDFT, as shown in the DFTRV/IDFTRV functions in Algorithm 6.(3)The user verifies equations (3) and (4). If they are valid, the user computes , , and :(4)The user generates and and uploads them with the task requirement (i.e., IFFT) to smart contract, by the function TASK UPLOAD. Calling the function TASK ALLOCATION, the smart contract distributes the vectors in and to computational nodes.(5)After receiving the vectors, the computational nodes perform the inverse Fourier transform on the received vectors and return and to smart contract by the function TASK UPLOAD. Smart contract returns them to the user by calling the function RETURN RESULT.(6)The user computes, selects two integers randomly, and verifies equations (5)–(7). If they are valid, the computing succeeds; otherwise, the computing fails. The user sends a message to the smart contract. Then, the latter calls the function VERIFICATION AND PAYMENT:
In Algorithm 6, if any verification fails, the user will report a cheating and the algorithm will come to an end.
Figure 2 demonstrates the procedures and data communications in the six steps of Algorithm 6.

5.1.2. Correctness and Complexity
Because and and the Fourier transform is a linear transform, we can have and . We get . Because of the convolution theorem, .
Using the DFTRV/IDFTRV in Algorithm 6, computing Fourier transform of and inverse Fourier transform of needs multiplications. Because of the characteristics of ,, and , only one multiplication is needed to compute each term in , and . Computing and needs additions. Computing needs multiplications. The verification of equations (3)–(5) takes additions. additions are needed to compute . The final verification (equations (6) and (7)) needs multiplications. To sum up, we need multiplications and additions. The local complexity of multiplication in this algorithm is , and the local complexity of addition is . Therefore, the local complexity of this algorithm is .
5.1.3. Security against Passive Attackers
A participant may be a passive attacker. Passive attackers will follow the scripts of the algorithm while exploiting the intermediate information to breach the privacy of polynomials. In the following, we analyze the security of our algorithm against passive attackers.
The algorithm should protect the privacy of , , , and . As it is known to all, when all nodes collude, the passive attackers can get the most information, and the security of privacy is the lowest.
Since the operations on and are consistent, the risks of privacy leakage of them are the same. We analyze the security of in the worst case, i e., collusion of all nodes. When all the computational nodes collude, they can guess a set of values , in which values are consistent with the true coefficients of , while one value is not. Because of , they even do not know the position of the false value. They still have to make a bruteforce guessing. If , where the base of is , the attackers should traverse all possibilities by taking different values for each coefficient. In this case, the attackers have to make attempts to get . However, in FHEHIL. Then, , and the attackers cannot get .
and are also privacyprotected. For the security of , when all the computational nodes collude, the passive attackers can guess a set of values , in which values are consistent with the true coefficients of , while one value is not. However, the existence of shows that passive attackers do not know the position of the false value. The only way to attack is by making a bruteforce guessing. Same as and , the domain of the coefficients of is infinite. Therefore, the attackers cannot get . For the security of , on the one hand, the attackers cannot compute using inverse Fourier transform without knowing . On the other hand, it is easy to see that when lacking , attackers cannot get c which is equal to .
5.1.4. Security against Active Attackers
A participant may also be an active attacker. Active attackers will inject false computations into the algorithm to tamper with the whole process. In the following, we analyze the security of our algorithm against active attackers.
Active attackers may return forged values to damage computing. To damage computing without being detected, attackers prefer to make minimal changes on results. In Algorithm 6, it is easy to see that the lowest risk way for computational nodes to cheat is to tamper with only one item of the results returned to the user, while the other items are correct.
There is one way to cheat in the process of securely outsourcing Fourier transform. For example, the nodes of computing the DFT of perform honestly, while the nodes of computing the DFT of do not. One node changed the term in and another node also changed the term in . This way of cheating can nullify the verification at equations (3) and (4) and damage the result of , whereas the error in the term of will be propagated to and every term of c. Equation (6) computes the correct and the false . Since is false, is not equal to for any random . The verification at equation (6) can certainly detect this cheating.
There is the other way to cheat in the process of securely outsourcing the inverse DFT of . One node changed the term in and another node also changed the term in . In this way, we can nullify the verification at equation (9) and return a false item . The false item causes that is also a false value in equation (7). will not be equal to , for all . The verification at equation (7) can certainly detect this way of cheating.
5.2. Secure Outsourcing of Modular Exponentiation
To the secure outsourcing of modular exponentiation, we extend the algorithm in [3] and apply it to the blockchain. In our extension, six modular exponentiation pairs are outsourced to six computational nodes, instead of a single cloud, aiming to protect against possible attacks on small discrete logarithms. The process is shown as Algorithm 7. The input is two integers. The output is , where u is the base and d is the exponent. In a similar way to Figure 2, Algorithm 7 can be implemented in the framework of Blockchainbased computation outsourcing, but we omit it due to limitation of space.
5.2.1. Correctness and Complexity
It is easy to prove that the algorithm is correct from equations (8) and (9). In the process of parameter generation, there are two exponentiations, two divisions, and two multiplications. Two exponentiations and six multiplications are involved during the verification. Compared with the exponentiation, the complexity of multiplication and division can be ignored. However, in the algorithm, the exponents are e and t_{1} which are much smaller than the original exponent d through the transformation of . Therefore, local complexity will be greatly reduced:
