Blockchain-Based Secure Outsourcing of Polynomial Multiplication and Its Application in Fully Homomorphic Encryption

Song, Mingyang; Sang, Yingpeng; Zeng, Yuying; Luo, Shunchao

doi:https://doi.org/10.1155/2021/9962575

Security and Communication Networks

On this page

Abstract Introduction Related Work Background Results and Discussion Conclusions Data Availability Disclosure Conflicts of Interest Acknowledgments References Copyright Related Articles

Special Issue

Blockchain Technologies for Decentralization and Forensics of Outsourcing Services

View this Special Issue

Research Article | Open Access

Volume 2021 | Article ID 9962575 | https://doi.org/10.1155/2021/9962575

Blockchain-Based Secure Outsourcing of Polynomial Multiplication and Its Application in Fully Homomorphic Encryption

Mingyang Song,¹Yingpeng Sang,¹Yuying Zeng,¹and Shunchao Luo¹

Academic Editor: Yinghui Zhang

Received15 Mar 2021

Revised26 May 2021

Accepted07 Jun 2021

Published25 Jun 2021

Abstract

The efficiency of fully homomorphic encryption has always affected its practicality. With the dawn of Internet of things, the demand for computation and encryption on resource-constrained devices is increasing. Complex cryptographic computing is a major burden for those devices, while outsourcing can provide great convenience for them. In this paper, we firstly propose a generic blockchain-based framework for secure computation outsourcing and then propose an algorithm for secure outsourcing of polynomial multiplication into the blockchain. Our algorithm for polynomial multiplication can reduce the local computation cost to . Previous work based on Fast Fourier Transform can only achieve for the local cost. Finally, we integrate the two secure outsourcing schemes for polynomial multiplication and modular exponentiation into the fully homomorphic encryption using hidden ideal lattice and get an outsourcing scheme of fully homomorphic encryption. Through security analysis, our schemes achieve the goals of privacy protection against passive attackers and cheating detection against active attackers. Experiments also demonstrate our schemes are more efficient in comparisons with the corresponding nonoutsourcing schemes.

1. Introduction

As the development of the big data era, there is an increasing demand for large-scale time-consuming computations. Fortunately, with the emergence of cloud computing, computation outsourcing brings convenience to resource-constrained users. They can outsource complex computing tasks into the cloud by paying a fee and avoiding buying expensive high-performance hardware. It not only improves the resource utilization in cloud but also brings economic benefits to resource-constrained users. Nevertheless, the attractive computing scheme also causes security issues. A passive attacker in the cloud may be only curious about the privacy contained in the user’s outsourced data, while an active attacker may make malicious damage or forge the results to sabotage the computation. Even if there is no attacker, computing errors caused by cloud hardware failure and software errors, etc. should also be considered. Furthermore, it should not be a great burden for the user to check the correctness of the returned results from the cloud; otherwise, the efficiency benefit of outsourcing will be nullified. Therefore, the secure and efficient outsourcing of computations that can not only protect the privacy of users but also ensure the correct results has become a hot research topic.

Gentry proposed a homomorphic encryption algorithm based on ideal lattice [1] for the first time, providing us with a direction to solve the privacy issues in computation outsourcing. The direction is a secure computation outsourcing mode: encryption-outsourcing-decryption (EOD). Even if we use the common EOD model, the device should also undertake the computations of secret key generation, encryption, verification, decryption, and so on, locally. These computations are also great burden for the resource-constrained devices (such as mobile phones and IoT nodes).

Blockchain has attractive features such as transparency, traceability, decentralization, and immutability, which make it an optimal approach for applications intrinsically with untrusted natures, such as computation outsourcing. A central trusted entity is not required for the computation outsourcing based on blockchain. Information about the whole data exchange process, computations, users, and computational nodes is recorded and is traceable in blockchain. Besides, smart contract can be utilized to digitally facilitate the implementation of whole transaction, which greatly improves the speed of building applications on blockchain. However, privacy is still an issue in the computation outsourcing based on blockchain.

Owing to the low efficiency of fully homomorphic encryption algorithms, the general computation outsourcing mode based on EOD is impractical on the resource-constrained devices. In this paper, we will outsource some complex computations in the fully homomorphic encryption using hidden ideal lattice (FHEHIL) [2] into a blockchain framework. The contributions of this paper can be summarized as follows:(1)We propose a framework of blockchain-based computation outsourcing, in which we can implement secure outsourcing for FHEHIL. The framework has a credit-based task allocation strategy, which will significantly reduce the probability of malicious nodes participating in computing.(2)We propose a secure outsourcing algorithm for polynomial multiplication, which reduces the local computation cost (including the cost on result verification) to . Previous work based on the Fast Fourier Transform (FFT) can only achieve for the local cost. Besides, the algorithm can not only detect cheating but also identify cheating nodes combining with blockchain. The result verification in the outsourcing algorithm does not cause extra burden.(3)We also extend the secure outsourcing algorithm of modular exponentiation, in [3], in our blockchain-based framework. The two algorithms for polynomial multiplication and modular exponentiation are employed in FHEHIL as basic operations, and the FHEHIL implementation on the blockchain-based framework can have higher efficiency compared with previous work.

At present, research studies on secure outsourcing can be roughly divided into two directions. In one direction, a general outsourcing mechanism is studied. In this mechanism, a fully homomorphic encryption algorithm is designed and the EOD model is used to outsource any computations. After the work of Gennaro et al. [1], great progress has been made in the field of fully homomorphic encryption [4–6]. However, the fully homomorphic encryption algorithms have high computational complexity. Recently, there are many researches to reduce the computation cost of homomorphic encryption algorithm. For example, Su et al. accelerated the leveled Ring-LWE fully homomorphic encryption [7]. These research studies mainly focus on the efficiency of hardware. However, secure outsourcing complex computations of fully homomorphic encryption is a better way to improve efficiency for resource-constrained devices.

In the other direction, specific outsourcing algorithms are designed for various scientific computations, e g., modular exponentiation, solution of large-scale linear equations [8], bilinear pairings, and extend Euclidean. The Wei pairing and Tate pairing in algebraic curves are commonly used in key establishment and signature schemes in the field of cryptography. However, the computation of bilinear pairings is time-consuming in resource-constrained devices. Thus, many outsourcing schemes have been proposed [9–11]. To our knowledge, the scheme in [9] is the most efficient and secure till now. Because of the wide application in cryptography, the study on modular exponentiation is also a hot topic of research. Hohenberger and Lysyanskaya [12] proposed a modular exponentiation secure outsourcing scheme. Chen et al. [13] further improved its efficiency and verifiability. Ren et al. [14] proposed a scheme that only protects the privacy of exponent. Recently, Fu et al. [3] proposed a secure outsourcing scheme of modular exponentiation with hidden exponent and base. It has a stronger checkability. In cryptography, extended Euclidean algorithm is usually used to calculate modular inverse, which is widely used in RSA encryption algorithm. Similarly, Euclidean algorithm can be used to find the greatest common factor of two polynomials, which is commonly used in encryption algorithm based on Lattice. Zhou et al. [15] proposed the secure outsourcing algorithm of extended Euclidean algorithm.

Polynomial multiplication is likewise a commonly used operation in cryptography schemes, error correcting codes, and computer algebra. The complexity of polynomial multiplication is still a major open problem. Using the FFT, the local computation of polynomial multiplication can achieve the complexity of . Recently, some efficient polynomial multiplication methods based on the FFT are proposed. Harvey et al. proposed a faster method over finite fields when the degree of polynomials is less than [16]. The efficiency has been further improved in [17]. For the hardware utilization, Liu et al. designed a high hardware efficiency polynomial multiplication on field-programmable gate array (FPGA) platform [18]. Hsu and Shieh proposed a method with less addition and multiplication [19] in 2020. Besides, there are also some research studies on reducing the space complexity of polynomial multiplication [20, 21]. However, the complexity of some research studies based on the acceleration of FFT remains at . Other methods using distributed computing to improve hardware utilization are not applied to the resource-constrained device. Till now, there are few research studies on the secure outsourcing of polynomial multiplication.

Due to the characteristics of the blockchain and Bitcoin [22], there are lots of research studies and applications on blockchain in recent years including the secure outsourcing. Lin et al. studied the secure outsourcing for bilinear pairings based on blockchain [23]. Zheng et al. [24] proposed a secure outsourcing scheme for attribute-based encryption on blockchain. There are also some schemes [25, 26] of outsourced data integrity verification. The fairness problem in blockchain-based secure multiparty computation was also solved by multiple efforts. For example, Gao et al. [27] proposed a scheme which realized fairness by maintaining an open reputation system. This type of general scheme for secure multiparty computation can be cumbersome for the problems in secure outsourcing computation.

Andrychowicz et al. [28] utilized only scripts in Bitcoin currency to construct a fair protocol for secure multiparty lotteries, without relying on a trusted third party. Zhang et al. proposed BCPay in [29] and BPay in [30] to achieve fair payment for blockchain-based outsourcing services, which are compatible with the Bitcoin and Ethereum platforms. However, these frameworks can only provide fairness between the client and a single server. They are applicable to the outsourcing scenarios where the task is outsourced to a single server from the client. In the problem of our work, the computation task needs to be outsourced to multiple computational nodes simultaneously. Therefore, we propose a new one, considering the penalty on the cheating nodes, compensation on the honest nodes, and application of a credit-based scheme.

3. Notations and Background

3.1. Notations

We use upper case bold letters for matrices and for the determinant of matrix . Lower case bold letters represent vectors (eg., ), where is the element in . We denote polynomial by lower case italics (eg., ). For a rational number , represents the nearest integer to . The rational vector can also be rounded to . We use for the polynomial form of the vector . We use for polynomial multiplication () on the ring. We use for the norm of and for the base of set . We use for correlation (). We use for the rotation matrix of whose row is the coefficients of . We use for the extended Euclidean algorithm on and . represents the degree of . We use to denote the coefficient set of Discrete Fourier transform (DFT) of and for the coefficient set of inverse DFT of .

3.2. Fully Homomorphic Encryption Using Hidden Ideal Lattice

The FHEHIL scheme [2] is described in Algorithm 1, including the components of key generation, encryption, and decryption. The related parameters are shown in Table 1.

As shown in Algorithm 1, it is obvious that polynomial multiplication is the primary computation in encryption and decryption. Therefore, our proposed algorithm for the secure outsourcing of polynomial multiplication can be directly applied. As for the key generation, the computing burden is from Step 7, 9, and 11. The main computational cost of Step 7 is on computing the determinant of matrix . The most time-consuming operation in Step 9 is polynomial multiplication. Step 11 computes the inverse of polynomial. Below, we will analyze the detailed computations in Step 7 and 11 and demonstrate that polynomial multiplication and modular exponentiation are the main types of computations, which are the two improvement aims of this paper.

3.2.1. The Method of Computing in Algorithm 1

Because of the characteristic of , computing the determinant of matrix needs only times of polynomial multiplication using the method in [31]. is the free item of . Thus, , where is the root of in the complex domain and they satisfy equation (2). Due to equation (2), we have . Thus, the computation of mainly involves polynomial multiplications and modular exponentiations.

3.2.2. The Method of Computing in Algorithm 1 When Is a Prime

In the algorithm of FHEHIL, if is a prime, we can obtain by performing once. The extended Euclidean algorithm computes to get , , and , satisfying . The specific procedures of secure outsourcing for extended Euclidean algorithm [15] are summarized in Algorithm 2. It can be seen that the local computations of this algorithm consist of mostly modular exponentiation and polynomial multiplications. Detailed analysis of Algorithm 2 can be found in [15].

3.2.3. The Method of Computing in Algorithm 1 When Is Not a Prime

When d is not a prime, the fastest method to calculate polynomial inverse at present is Gentry’s method in [31]. The method is based on fast Fourier transform and halves the number of terms in each step to offset the doubling of the bit length of the coefficients. This method relays on , where n is a power of 2. The method is analyzed as follows.

Firstly, the second coefficient of polynomial can be computed, where is the ith root of in the complex domain. We can get . Secondly, can be constructed. Then, the second coefficient ) of polynomial can be computed. We can get . Finally, other coefficients of can be computed by

Since is a power of 2 in , the roots satisfy equation (2). In the process of computing coefficients and , the major computations are also polynomial multiplications and modular exponentiations.

	Input:, , , ,
	Output:,
(1)	function KEY GENERARTION
(2)	generate a random vector satisfying
(3)	generate t − 1 random vectors satisfying
(4)	generate a random vector g_t satisfying
(5)	generate t − 1 random vectors satisfying
(6)	generate a random vector r_t satisfying
(7)
(8)	for
(9)
(10)	end for
(11)	Get w satisfying = d mod f
(12)	return
(13)	end return
(14)	function ENCRYPTION
(15)	generate t − 1 random integer vectors satisfying
(16)	generate a random vector satisfying
(17)	generate a random vector satisfying
(18)
(19)	return
(20)	end function
(21)	function DECRYPTION
(22)
(23)
(24)	return plaintext
(25)	end function

4. The Framework of Blockchain-Based Computation Outsourcing

This section introduces a blockchain-based computation outsourcing framework. The overall system model is illustrated in Figure 1, and the related symbols are described in Table 2. In Figure 1, we assume that, at least, one trusted third party is available to implement the smart contract. This is a generic model on which a variety of computational tasks can be implemented, including the tasks of secure outsourcing of polynomial multiplication and modular exponentiation. The two specific tasks will be given in details in the rest of this paper.

4.1. Registration

Users and computational nodes need to register before joining the network. They need to pay deposits in advance, the amount of which needs to be greater than a specified threshold or they will be rejected. The smart contract initializes the same credit score to all new nodes and users. After registration, information of users and computational nodes is written to the smart contract. The specific function is shown as Algorithm 3. In this algorithm, addr[p] is the deposit account of node p in the smart contract. Node p’s asset privacy is protected because it is unnecessary for him to expose his total asset to the smart contract.

	Input:,
	Output:, ,
(1)	generate and randomly
(2)
(3)
(4)
(5)	to computational node
(6)	get from computational mode
(7)	verify
(8)
(9)
(10)

(1)	function Registration(p, role)
(2)	if the balance of addr[p] ≥ the threshold then
(3)	if role = user then
(4)	put addr[p] into User
(5)	else
(6)	put addr[p] into Node
(7)	end if
(8)	Rep[p] ⟵ Default credit value; state ⟵ true
(9)	else
(10)	state ⟵ false
(11)	end if
(12)	return false
(13)	end function

4.2. Computational Service

User posts computing tasks, data, and rewards of each task to the smart contract. If the account balance of is insufficient for the computations, smart contract refuses this service and reduces the credit score of , to prevent malicious users from attacking the smart contract by constantly sending tasks that they cannot afford to. After the smart contract accepts the tasks of , the user’s computing tasks are stored in the task queue and wait for the selection of computational nodes.

To achieve a high benefit, the computational nodes will be active to undertake computing tasks. If multiple computational nodes select the same task at the same time, the node with the highest credit score will win the task. Nodes that undertake the computing task should submit the results after completing. If any computational node cannot finish on time, it will be added to the dishonest set. If all computational nodes can submit the results on time, the smart contract sends the results to user and initiates the period of dispute resolving. During this period, the user needs to verify the results locally and notify the smart contract whether the results are accepted or not. If the period of dispute ends and there is no feedback received from the user, the smart contract assumes that the computations succeed and performs the reward and charge operations. If the user does not accept the results in the feedback, the smart contract will verify the results by itself. The specific function is shown as Algorithm 4.

(1)	function TASK UPLOAD (user, tasks, data, price)
(2)	if the balance of addr[user] ≥ \|tasks\| price then
(3)	put tasks into Task; put data into Data
(4)	else
(5)	Rep[user]⟵Rep[user] − ∆c
(6)	end if
(7)	end function
(8)	function TASK ALLOCATION (nodes, task)
(9)	if task ≠ ALLOCATED then
(10)	sort the nodes with their credit descending; send task and Data[task] to nodes [0]
(11)	put task into ALLOCATED; Time[task]⟵current time + ∆t
(12)	end if
(13)	end function
(14)	function RESULT UPLOAD (node, task, result)
(15)	if current time < Time[task] then
(16)	put node into Honest; Put result into result
(17)	else
(18)	put node into Dinhonest
(19)	end if
(20)	end function
(21)	function RESULT UPLOAD(node, task, result)
(22)	if Dishonest = 0 and \|Result\| = \|Task\| then
(23)	send Result to user; Wait for the feedback from user
(24)	end if
(25)	call verification and payment
(26)	end function

4.3. Verification and Payment

If the user does not accept the computing results, the smart contract will perform verification operations to find dishonest nodes or users. In the verification, he will simulate all computations required by the user on the encrypted data uploaded by the latter. This means he will repeat exactly every step the computational nodes have carried out, so as to find which step is not correct and who is cheating. Decryptions are not required in the simulation, and thus, the data privacy of the user is protected.

To complete the verification, the smart contract should be equipped with the same function modules as those of the computational nodes. For example, in the secure outsourcing of polynomial multiplication, a function should be added into the smart contract to simulate the FFT/IFFT operations on the data uploaded by the user in case of disputes.

The dishonest nodes and users will be put into the dishonest set. If no one is put into the dishonest set, the user will pay the reward to all participating nodes. Otherwise, cheating nodes will be penalized and the honest nodes will be compensated. The credit score of the participating nodes that have correctly completed their tasks will increase, while the credit score of the malicious nodes will decrease. When the account balance of a node is lower than the threshold value or its credit score is reduced to zero, the system will remove it. The specific function is shown as Algorithm 5.

A malicious user with enough balance may constantly initiate transactions, aiming to increase the burden of the smart contract. However, he cannot refuse to pay because his deposit account is managed by the smart contract. By setting up a suitable threshold in the registration, sooner or later his balance will be used up by his attack.

(1)	function VERIFICATION AND PAYMENT (feedback, Result, Honest, user, price)
(2)	if feedback ≥ user or (feedback = NULL and \|Result\| = \|Task\|) then
(3)	addr[user] ⟵ addr[user]-[Honest]price
(4)	for i = 1⟶\|Honest\| do
(5)	Rep[node_i] ⟵ Rep[node_i] + ∆c; addr[node_i]⟵addr[node_i] + price
(6)	end for
(7)	else
(8)	stimulate all computations and put dishonest user or nodes into Dishonest
(9)	t ⟵ ∆b[IDishonest]
(10)	for i = 1⟶\|Dishonest\| do
(11)	Rep[node_i]⟵Rep[node_i] + ∆c; addr[node_i] ⟵ addr[node_i]−∆b
(12)	end for
(13)	for i = 1⟶\|Honest\|do
(14)	Rep[node_i] ⟵ Rep[node_i] + ∆c; addr[node_i] ⟵ addr[node_i] + t/\|Honest\|
(15)	end for
(16)	end if
(17)	end function

4.4. Security Analysis

Both the malicious user nodes and computational nodes can launch attacks to the framework, but their strategies are different. The malicious user nodes could launch a DDoS attack. A malicious computational node could destroy the computation by returning forged results or not returning any result.

The user nodes could employ two ways to launch a DDoS attack. One is to continuously publish the tasks that the user actually cannot afford to; the other is to maliciously inform the smart contract that the results are not accepted during the dispute resolving period. For the first attack, the smart contract will refuse to add the computing tasks and data to the queue and reduce the credit score of the user. Moreover, when the node’s credit score drops below 0, the node will be removed. We can increase in the function of TASK UPLOAD to remove malicious users as soon as possible. For the second attack, the smart contract has to simulate the computations of all nodes participating in the outsourcing according to the data and records. This attack has a greater impact on the smart contract, but it brings more loss to the attackers (including the financial punishment). Similarly, we can increase in Algorithm 5 to mitigate the impact on smart contracts.

The computational nodes also have two ways to deploy attack: returning forged results or not returning any result. The cost of both attacks is the same (in financial and credit punishment). Since forged results render the smart contract to simulate the computations of all nodes, rational computational nodes prefer to attack by returning forged results, rather than return nothing. Similarly, we can increase and in Algorithm 5 to mitigate the impact on smart contracts. The proposed framework adopts a task allocation strategy based on credit scores. When malicious nodes are found, their credit score is reduced, and their probability of obtaining computing tasks in the next time is also reduced. We assume there are enough computational nodes which are willing to return correct results to fulfil the requirement of outsourcing, under the incentives of achieving financial and credit reward.

4.5. Compatibility Analysis

We know that the Bitcoin script is not Turing-complete, and Ethereum has a complete programming language on the blockchain to execute more complex smart contracts. It is easy to see that our framework is compatible with opcodes allowed by the Ethereum blockchain. Since the function of Verification and Payment (Algorithm 5) involves loops, which are not allowed by the Bitcoin script, our framework is not compatible with opcodes of the Bitcoin blockchain.

5. Polynomial Multiplication and Modular Exponentiation Secure Outsourcing Algorithm

5.1. Polynomial Multiplication Secure Outsourcing Algorithm

The computational complexity of traditional polynomial multiplication is , which is reduced to by the FFT. In this section, we employ secure outsourcing to further reduce the local computational complexity to . The outsourcing is implemented in our proposed framework of blockchain-based secure computation outsourcing. The main idea of our algorithm is as follows. Firstly, the Fourier transform of the polynomial coefficients are securely outsourced. Secondly, correlation operation on the results of the Fourier transform is locally performed. Finally, the inverse Fourier transform on result of the correlation operation are securely outsourced. The specific process of our algorithm is shown as Algorithm 6.

5.1.1. Description

In Algorithm 6, the input polynomials are and . The output is . For convenience, polynomials are replaced with vectors of polynomial coefficients (, , and ). Besides, , in this section. We use computational nodes in this algorithm, where p is a parameter associated with the number of computational nodes. There are six steps in the algorithm:(1)Six parameters are picked randomly, three of which are and . The other three are . We define that can generate one n-dimensional vector in which the element is , and all the other elements are zeros. We define that can generate a random matrix satisfying . Then, the user generates , , , , , , and . In this way, one must know to recover from or and know to recover from or .(2)The user uploads the data (, , , and ) and task requirement (i.e., FFT) to smart contract, by the function TASK UPLOAD. The smart contract calls the function TASK ALLOCATION and distributes the vectors in , , , and to and computational nodes. After receiving the vectors, the computational nodes perform the Fourier transform on the received vectors and call the function RESULT UPLOAD. The smart contract collects the results and returns , , , and to the user by calling the function RETURN RESULT. Meanwhile, the user locally computes and which are Fourier transform of and and inverse Fourier transform of , respectively. Because there is only one nonzero coefficient in , as well as and , we simplify the DFT/IDFT, as shown in the DFTRV/IDFTRV functions in Algorithm 6.(3)The user verifies equations (3) and (4). If they are valid, the user computes , , and :(4)The user generates and and uploads them with the task requirement (i.e., IFFT) to smart contract, by the function TASK UPLOAD. Calling the function TASK ALLOCATION, the smart contract distributes the vectors in and to computational nodes.(5)After receiving the vectors, the computational nodes perform the inverse Fourier transform on the received vectors and return and to smart contract by the function TASK UPLOAD. Smart contract returns them to the user by calling the function RETURN RESULT.(6)The user computes, selects two integers randomly, and verifies equations (5)–(7). If they are valid, the computing succeeds; otherwise, the computing fails. The user sends a message to the smart contract. Then, the latter calls the function VERIFICATION AND PAYMENT:

In Algorithm 6, if any verification fails, the user will report a cheating and the algorithm will come to an end.

Figure 2 demonstrates the procedures and data communications in the six steps of Algorithm 6.

Input: a,b
Output:
(1)	function DISCRETE FOURIER TRANSFORM FOR RESERVED VECTOR (DFTRV) (r, i)
(2)	the length of r
(3)
(4)
(5)	for
(6)
(7)	end for
(8)	return
(9)	end function
(10)	function INVERSE DISCRETE FOURIER TRANSFORM FOR RESERVED VECTOR(IDFTRV) (r, i)
(11)	the length or r
(12)
(13)
(14)	for
(15)
(16)	end for
(17)	return
(18)	end function
(19)	The user picks random parameters and generates
(20)
(21)
(22)	The user calls TASK UPLOAD locally and uploads to the smart contract;
(23)	The smart contract calls TASK ALLOCATION and sends vectors in to nodes;
(24)	The computational nodes compute and call RESULT UPLOAD;
(25)	The smart contract calls RETURN RESULT;
(26)	The user computes and verifies equations (3) and (4) locally;
(27)	The user computes
(28)	The user generates calls TASK UPLOAD locally and uploads to the smart contract;
(29)	The smart contract calls TASK ALLOCATION and sends vectors in to nodes;
(30)	The computational nodes compute and call RESULT UPLOAD;
(31)	The smart contract calls RETURN RESULT;
(32)	The user computes and verifies equations (5)–(7) locally;
(33)	The user sends feedback to the smart contract;
(34)	The smart contract calls VERIFICATION AND PAYMENT.

5.1.2. Correctness and Complexity

Because and and the Fourier transform is a linear transform, we can have and . We get . Because of the convolution theorem, .

Using the DFTRV/IDFTRV in Algorithm 6, computing Fourier transform of and inverse Fourier transform of needs multiplications. Because of the characteristics of ,, and , only one multiplication is needed to compute each term in , and . Computing and needs additions. Computing needs multiplications. The verification of equations (3)–(5) takes additions. additions are needed to compute . The final verification (equations (6) and (7)) needs multiplications. To sum up, we need multiplications and additions. The local complexity of multiplication in this algorithm is , and the local complexity of addition is . Therefore, the local complexity of this algorithm is .

5.1.3. Security against Passive Attackers

A participant may be a passive attacker. Passive attackers will follow the scripts of the algorithm while exploiting the intermediate information to breach the privacy of polynomials. In the following, we analyze the security of our algorithm against passive attackers.

The algorithm should protect the privacy of , , , and . As it is known to all, when all nodes collude, the passive attackers can get the most information, and the security of privacy is the lowest.

Since the operations on and are consistent, the risks of privacy leakage of them are the same. We analyze the security of in the worst case, i e., collusion of all nodes. When all the computational nodes collude, they can guess a set of values , in which values are consistent with the true coefficients of , while one value is not. Because of , they even do not know the position of the false value. They still have to make a brute-force guessing. If , where the base of is , the attackers should traverse all possibilities by taking different values for each coefficient. In this case, the attackers have to make attempts to get . However, in FHEHIL. Then, , and the attackers cannot get .

and are also privacy-protected. For the security of , when all the computational nodes collude, the passive attackers can guess a set of values , in which values are consistent with the true coefficients of , while one value is not. However, the existence of shows that passive attackers do not know the position of the false value. The only way to attack is by making a brute-force guessing. Same as and , the domain of the coefficients of is infinite. Therefore, the attackers cannot get . For the security of , on the one hand, the attackers cannot compute using inverse Fourier transform without knowing . On the other hand, it is easy to see that when lacking , attackers cannot get c which is equal to .

5.1.4. Security against Active Attackers

A participant may also be an active attacker. Active attackers will inject false computations into the algorithm to tamper with the whole process. In the following, we analyze the security of our algorithm against active attackers.

Active attackers may return forged values to damage computing. To damage computing without being detected, attackers prefer to make minimal changes on results. In Algorithm 6, it is easy to see that the lowest risk way for computational nodes to cheat is to tamper with only one item of the results returned to the user, while the other items are correct.

There is one way to cheat in the process of securely outsourcing Fourier transform. For example, the nodes of computing the DFT of perform honestly, while the nodes of computing the DFT of do not. One node changed the term in and another node also changed the term in . This way of cheating can nullify the verification at equations (3) and (4) and damage the result of , whereas the error in the term of will be propagated to and every term of c. Equation (6) computes the correct and the false . Since is false, is not equal to for any random . The verification at equation (6) can certainly detect this cheating.

There is the other way to cheat in the process of securely outsourcing the inverse DFT of . One node changed the term in and another node also changed the term in . In this way, we can nullify the verification at equation (9) and return a false item . The false item causes that is also a false value in equation (7). will not be equal to , for all . The verification at equation (7) can certainly detect this way of cheating.

5.2. Secure Outsourcing of Modular Exponentiation

To the secure outsourcing of modular exponentiation, we extend the algorithm in [3] and apply it to the blockchain. In our extension, six modular exponentiation pairs are outsourced to six computational nodes, instead of a single cloud, aiming to protect against possible attacks on small discrete logarithms. The process is shown as Algorithm 7. The input is two integers. The output is , where u is the base and d is the exponent. In a similar way to Figure 2, Algorithm 7 can be implemented in the framework of Blockchain-based computation outsourcing, but we omit it due to limitation of space.

5.2.1. Correctness and Complexity

It is easy to prove that the algorithm is correct from equations (8) and (9). In the process of parameter generation, there are two exponentiations, two divisions, and two multiplications. Two exponentiations and six multiplications are involved during the verification. Compared with the exponentiation, the complexity of multiplication and division can be ignored. However, in the algorithm, the exponents are e and t₁ which are much smaller than the original exponent d through the transformation of . Therefore, local complexity will be greatly reduced:

Input:
Output:
(1)	The user generates random parameters
(2)	and computes
(3)
(4)	The user uploads to the smart contract;
(5)	The smart contract distributes to 6 computational nodes;
(6)	The computational nodes compute after receiving and return results to the smart contract;
(7)	The user gets from the smart contract;
(8)	The user verifies
(9)	If the verification is valid,

5.2.2. Security

The only way to pass the verification is that the six computational nodes perform correctly. The forged results of active attackers cannot pass the verification in Step 8. The user only needs to know whether the results are correct or not, and the smart contract can detect the cheating nodes according to the records.

We analyze the security against passive attackers in the worst case, i e., the conspiring of six computational nodes. The exponents , , and are visible for attackers, while the other exponents , , and are not. The bases , , , and are visible for attackers, while , , and are not. We discover that the privacy of may leak in [3], which sends six pairs to a single node in the cloud. In [3], the base and exponent are about 1000 bit, while the parameters including , , , , and are only 64-bit long, to reduce the overhead of local computation. The shorter bit length of parameters may promote an easier attack on the small discrete logarithms. In this kind of attack, an attacker in the cloud can exhaust x so that . Then, e is breached. The attacker then exhausts , satisfying . Finally, the cloud can obtain u by .

We solve this attack by distributing six modular exponentiation pairs to six computational nodes, which increases the difficulty of the above attack.

6. Results and Discussion

In this section, we conduct three types of experiments. Firstly, we evaluate the efficiency of the secure outsourcing of polynomial multiplication in various numbers of polynomial multiplications and compare it with the traditional nonoutsourcing method using FFT. Secondly, we evaluate the efficiency of the secure outsourcing of polynomial multiplication by varying the numbers of items and bit length of coefficients and also compare it with the nonoutsourcing method. Finally, we complete the secure outsourcing for FHEHIL in blockchain, analyze the time consumption of each step, and compare it with the nonoutsourcing method. The experiments are simulated on two machines with Intel Core i7 processor running at 2.90 GHz and 16G memory as a cloud server and Intel Core i5 processor running at 1.80 GHz and 8G memory as a local user. The communication bandwidth is 20 Mbps.

6.1. The Evaluation of Secure Outsourcing of Polynomial Multiplication

We make experiments to evaluate the efficiency of the secure outsourcing algorithm for polynomial multiplication. We implement this experiment using Python3 language.

We compare the secure outsourcing of polynomial multiplication with the nonsourcing algorithm on time consumption with different numbers of polynomial multiplication, in which , , and all the coefficients are 512-bit long. As demonstrated in Figure 3, it is easy to see that when the number of polynomial multiplications is less than 60, the efficiency of the outsourcing scheme is lower than the nonoutsourcing scheme due to the communication time consumption. However, when the number of polynomial multiplications increases above 60, the efficiency of the outsourcing scheme becomes higher than the nonoutsourcing scheme. When the number of polynomial multiplications is less than 300, the bottleneck of the outsourcing scheme is the time consumption on nodes’ computations and interactions. When the number of polynomial multiplications becomes larger, the bottleneck is the time consumption on local computation.

We make another type of experiments to analyze the influence of number of terms and bit length of coefficients on the efficiency of secure outsourcing of polynomial multiplication. We count the time consumption of 400 random polynomial multiplications, with the number of polynomial items varying from 50 to 1000, and the item bit length varying from 50 to 1000. Figure 4(a) demonstrates that the time consumption increases with the increase of items of polynomials and bit length of coefficients. Moreover, the number of terms has a more obvious effect on time consumption. Besides, compared with the nonoutsourcing polynomial multiplication, our method always has a higher efficiency under all scales of data, as shown in Figure 4(b).

(a)

(b)

6.2. The Evaluation of Blockchain-Based Secure Outsourcing Scheme of Fully Homomorphic Encryption Using Hidden Ideal Lattice

We employ the relevant security parameters recommended in [2], i.e., , , and . Our outsourcing scheme consists of the local user’s program and the computational nodes’ program. Our outsourcing scheme is compared with the nonoutsourcing scheme. The programs are written in Python3, and the smart contract based on the Ethereum platform is written in Solidity. The smart contract interacts with computational nodes’ program and local program by the interface provided by Web3.

Figure 5 demonstrates the running time at all stages of the two schemes. This figure does not display the time consumption on generating parameters in the FHEHIL because that is not what we are improving. In the process of computing efficiency is slightly improved. Compared with the non-sourcing scheme, our scheme saves about 2.6 s. The overall time consumption is improved by about (the unmarked areas in Figure 5 are the communication time consumption for interacting with the blockchain). Table 3 shows the detailed time consumption of different entities (user, smart contract, and computational nodes) in different stages (verification, communication, DFTRV/IDFTRV, FFT/IFFT, and other computations) for Key Generation. Table 4 shows the detailed time consumption of different entities in different stages for encryption.

The time consumption of decryption is not shown in Figure 5. Since there is only one polynomial multiplication, the time consumption of communication is dominant in the process of decryption, as illustrated in Figure 3. Therefore, the time consumption of outsourcing decryption (0.379 s) is larger than the nonoutsourcing decryption (0.103 s).

7. Conclusions

In this paper, we propose a secure outsourcing algorithm for polynomial multiplication that reduces the local complexity to . According to security analysis, our algorithm is secure against passive and active attackers. We also propose a framework for blockchain-based computation outsourcing. It has a credit-based task allocation strategy, which significantly reduces the probability of failed computations. Using this framework, we implement the secure outsourcing of FHEHIL, in which the basic computations including polynomial multiplication and modular exponentiation can be securely outsourced by our proposed algorithms. The security analysis and experimental results show that our proposed outsourcing schemes are secure and efficient. In the future, we will apply the secure outsourcing of FHEHIL into some practical secure computation problems, such as the millionaire problem, and set operation problems.

Data Availability

The data used to support the findings of this study are available from the corresponding author upon request.

Disclosure

The conference version of this paper has been published in the 21st International Conference on Parallel and Distributed Computing, Applications, and Technologies (PDCAT 2020).

Conflicts of Interest

The authors declare that there are no conflicts of interest regarding the publication of this paper.

Acknowledgments

This work was supported by the Key-Area Research and Development Program of Guangdong Province (No. 2020B010164003), the Science and Technology Program of Guangzhou, China (No. 201904010209), and the Science and Technology Program of Guangdong Province, China (No. 2017A010101039).

References

R. Gennaro, C. Gentry, and B. Parno, “Non-interactive verifiable computing: outsourcing computation to untrusted workers,” in Proceedings of the Advances in Cryptology-CRYPTO 2010, pp. 465–482, Santa Barbara, CA, USA, August 2010.
View at: Publisher Site | Google Scholar
T. Plantard, W. Susilo, and Z. Zhang, “Fully homomorphic encryption using hidden ideal lattice,” IEEE transactions on information forensics and security, vol. 8, no. 12, pp. 2127–2137, 2013.
View at: Publisher Site | Google Scholar
A. Fu, S. Li, S. Yu, Y. Zhang, and Y. Sun, “Privacy-preserving composite modular exponentiation outsourcing with optimal checkability in single untrusted cloud server,” Journal of Network and Computer Applications, vol. 118, pp. 102–112, 2018.
View at: Publisher Site | Google Scholar
Z. Brakerski, “Fully homomorphic encryption without modulus switching from classical gapsvp,” in Proceedings of the Annual Cryptology Conference, pp. 868–886, Santa Barbara, CA, USA, August 2012.
View at: Publisher Site | Google Scholar
Z. Brakerski and V. Vaikuntanathan, “Efficient fully homomorphic encryption from (standard) LWE,” SIAM Journal on Computing, vol. 43, no. 2, pp. 831–871, 2014.
View at: Publisher Site | Google Scholar
G. Craig, S. Amit, and B. Waters, “Homomorphic encryption from learning with errors: conceptually-simpler, asymptotically-faster, attribute-based,” in Proceedings of the Annual Cryptology Conference, pp. 75–92, Santa Barbara, CA, USA, August 2013.
View at: Publisher Site | Google Scholar
Y. Su, B. Yang, C. Yang, and L. Tian, “Fpga-based hardware accelerator for leveled ring-lwe fully homomorphic encryption,” IEEE Access, vol. 8, pp. 168008–168025, 2020.
View at: Publisher Site | Google Scholar
F. Chen, T. Xiang, and Y. Yang, “Privacy-preserving and verifiable protocols for scientific computation outsourcing to the cloud,” Journal of Parallel and Distributed Computing, vol. 74, no. 3, pp. 2141–2151, 2014.
View at: Publisher Site | Google Scholar
X. Chen, W. Susilo, D. S. Wong, J. Ma, S. Tang, and Q. Tang, “Efficient algorithms for secure outsourcing of bilinear pairings,” Theoretical Computer Science, vol. 562, pp. 112–121, 2015.
View at: Publisher Site | Google Scholar
B. Kang, M. Lee, and J. Park, “Efficient delegation of pairing computation,” International Association of Cryptologic Research, vol. 259, 2005.
View at: Google Scholar
Y. Ren, N. Ding, T.-Y. Wang, H. Lu, and D. Gu, “New algorithms for verifiable outsourcing of bilinear pairings,” Science China Information Sciences., vol. 59, no. 9, Article ID 99103, 2016.
View at: Publisher Site | Google Scholar
S. Hohenberger and A. Lysyanskaya, “How to securely outsource cryptographic computations,” in Proceedings of the Theory of Cryptography Conference, pp. 264–282, Cambridge, MA, USA, February 2005.
View at: Publisher Site | Google Scholar
X. Chen, L. Jin, J. Ma, Q. Tang, and W. Lou, “New algorithms for secure outsourcing of modular exponentiations,,” IEEE Transactions on Parallel and Distributed Systems, vol. 25, no. 9, pp. 2386–2396, 2013.
View at: Publisher Site | Google Scholar
Y. Ren, N. Ding, X. Zhang, H. Lu, and D. Gu, “Verifiable outsourcing algorithms for modular exponentiations withimproved checkability,” in Proceedings of the 11th ACM on Asia Conference on Computer and Communications Security, pp. 293–303, NewYork, NY, USA, May 2016.
View at: Google Scholar
Q. Zhou, C. Tian, H. Zhang, Y. Jia, and F. Li, “How to securely outsource the extended euclidean algorithm for large-scale polynomials over finite fields,” Information Sciences, vol. 512, pp. 641–660, 2020.
View at: Publisher Site | Google Scholar
D. Harvey, J. Van Der Hoeven, and G. Lecerf, “Faster polynomial multiplication over finite fields,” Journal of the Association for Computing Machinery, vol. 63, no. 6, p. 52, 2016.
View at: Google Scholar
D. Harvey and J. van der Hoeven, “Faster polynomial multiplication over finite fields using cyclotomic coefficient rings,” Journal of Complexity, vol. 54, Article ID 101404, 2019.
View at: Publisher Site | Google Scholar
W. Liu, S. Fan, A. Khalid, C. Rafferty, and M. O’Neill, “Optimized schoolbook polynomial multiplication for compact lattice-based cryptography on fpga,” IEEE Transactions on Very Large Scale Integration (VLSI) Systems, vol. 27, no. 10, pp. 2459–2463, 2019.
View at: Publisher Site | Google Scholar
H. J. Hsu and M. D. Shieh, “Vlsi architecture of polynomial multiplication for bgv fully homomorphic encryption,” in Proceedings of the 2020 IEEE International Symposium on Circuits and Systems (ISCAS), pp. 1–4, Monterey, CL, USA, October 2020.
View at: Google Scholar
P. Giorgi, B. Grenet, and D. S. Roche, “Generic reductions for in-place polynomial multiplication,” 2019.
View at: Google Scholar
V. Nakos, “Nearly optimal sparse polynomial multiplication,” 2019, https://arxiv.org/abs/1901.09355.
View at: Google Scholar
S. Nakamoto, “Bitcoin: a peer-to-peer electronic cash system,” Tech. Rep., Springer, Berlin, Germany, 2019, Technical report.
View at: Google Scholar
C. Lin, D. He, X. Huang, X. Xie, and K. -Kwang Raymond Choo, “Blockchain-based system for secure outsourcing of bilinear pairings,” Information Sciences, vol. 527, pp. 590–601, 2020.
View at: Publisher Site | Google Scholar
H. Zheng, J. Shao, and G. Wei, “Attribute-based encryption with outsourced decryption in blockchain,” Peer-to-Peer Networking and Applications, vol. 13, no. 5, pp. 1643–1655, 2020.
View at: Publisher Site | Google Scholar
H. Kun, J. Xin, Z. Wang, and G. Wang, “Outsourced data integrity verification based on blockchain in untrusted environment,” World Wide Web, vol. 43, pp. 1–24, 2020.
View at: Google Scholar
H. Wang, X. A. Wang, W. Wang, and S. Xiao, “A basic framework of blockchain-based decentralized verifiable outsourcing,” in Proceedings of the International Conference on Intelligent Networking and Collaborative Systems, pp. 415–421, Oita, Japan, September 2019.
View at: Publisher Site | Google Scholar
H. Gao, Z. Ma, S. Luo, and Z. Wang, “BFR-MPC: a blockchain-based fair and robust multi-party computation scheme,” IEEE Access, vol. 7, pp. 110439–110450, 2019.
View at: Publisher Site | Google Scholar
M. Andrychowicz, S. Dziembowski, D. Malinowski, and K. Mazurek, “Secure multiparty computations on Bitcoin,” Communications of the ACM, vol. 59, no. 4, pp. 76–84, 2016.
View at: Publisher Site | Google Scholar
Y. Zhang, R. H. Deng, X. Liu, and Z. Dong, “Blockchain based efficient and robust fair payment for outsourcing services in cloud computing,” Information Sciences, vol. 462, pp. 262–277, 2018.
View at: Publisher Site | Google Scholar
Y. Zhang, R. H. Deng, X. Liu, and Z. Dong, “Outsourcing service fair payment based on blockchain and its applications in cloud computing,” IEEE Transactions on Services Computing, vol. 73, p. 1, 2018.
View at: Publisher Site | Google Scholar
G. Craig and S. Halevi, “Implementing gentry’s fully-homomorphic encryption scheme,” in Proeedings of the Annual international conference on the theory and applications of cryptographic techniques, pp. 129–148, Tallinn, Estonia, May 2011.
View at: Google Scholar

Copyright

Copyright © 2021 Mingyang Song et al. This is an open access article distributed under the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.

PDF Download Citation

Download other formats

Order printed copies

Views

669

Downloads

727

Citations

Security and Communication Networks

Blockchain Technologies for Decentralization and Forensics of Outsourcing Services

Blockchain-Based Secure Outsourcing of Polynomial Multiplication and Its Application in Fully Homomorphic Encryption

Abstract

1. Introduction

2. Related Work

3. Notations and Background

3.1. Notations

3.2. Fully Homomorphic Encryption Using Hidden Ideal Lattice

3.2.1. The Method of Computing in Algorithm 1

3.2.2. The Method of Computing in Algorithm 1 When Is a Prime

3.2.3. The Method of Computing in Algorithm 1 When Is Not a Prime

4. The Framework of Blockchain-Based Computation Outsourcing

4.1. Registration

4.2. Computational Service

4.3. Verification and Payment

4.4. Security Analysis

4.5. Compatibility Analysis

5. Polynomial Multiplication and Modular Exponentiation Secure Outsourcing Algorithm

5.1. Polynomial Multiplication Secure Outsourcing Algorithm

5.1.1. Description

5.1.2. Correctness and Complexity

5.1.3. Security against Passive Attackers

5.1.4. Security against Active Attackers

5.2. Secure Outsourcing of Modular Exponentiation

5.2.1. Correctness and Complexity

5.2.2. Security

6. Results and Discussion

6.1. The Evaluation of Secure Outsourcing of Polynomial Multiplication

6.2. The Evaluation of Blockchain-Based Secure Outsourcing Scheme of Fully Homomorphic Encryption Using Hidden Ideal Lattice

7. Conclusions

Data Availability

Disclosure

Conflicts of Interest

Acknowledgments

References

Copyright