#### Abstract

Outsourcing computation with verifiability is a merging notion in cloud computing, which enables lightweight clients to outsource costly computation tasks to the cloud and efficiently check the correctness of the result in the end. This advanced notion is more important in marine mobile computing since the oceangoing vessels are usually constrained with less storage and computation resources. In such a scenario, vessels always firstly outsource data set and perform a function computing over them or at first outsource computing functions and input data set into them. However, vessels may choose which delegation computation type to outsource, which generally depends on the actual circumstances. Hence, we propose a scalable verifiable outsourcing computation protocol () in marine cloud computing at first and extract a single-mode version of it (), where both protocols allow anyone who holds verification tokens to efficiently verify the computed result returned from cloud. In this way, the introduced “scalable” property lets vessels adjust the protocol to cope with different delegation situations in practice. We additionally prove both and achieving selective soundness in the random oracle model and evaluate their performance in the end.

#### 1. Introduction

Cloud computing [1], a shared pool of massive configurable computing resources, provides resource-constrained clients with various capabilities to access computation resources in an on-demand way. The merging development of hardware (e.g., sensor, wearable-device unit) makes it possible for mobile devices [2, 3] feeling free to use and enjoy the cloud service in mobile computing category [4, 5].

This is especially important for the marine mobile computing filed since marine ecosystems should be exploited and treated seriously from both environmental side and economic side. In order to monitor the changes of marine ecosystems, scientific vessels need to perform a series of mathematical or statical analysis over collected data [6]. This includes calculating the average temperature of ocean in an instantaneous moment or during a time period and reporting the variance of the dissolved oxygen during 24 hours, 72 hours, 6 months, or more [7, 8].

However, the vessels are usually not supported by powerful data collection devices and large-scale computation processers. As a result, marine sensor units should collect marine data at first and send the collected data to vessels or base stations. Also, they may outsource some expensive computations to the cloud server and expect to use the result enjoyably after an efficient verification phase (since the cloud may return an incorrect answer for some profits). Moreover, a public verification method is preferable; namely, anyone holding the verification token can run the verification procedure in public.

Moreover, we notice that the vessel’s usual outsourcing computation in marine mobile computing comes from the following two types (as in Table 1).

*Type I. *A client outsources a combined input tuple containing data set and function together as inputs at first and then types into an importing function over the outsourced data and an importing data set towards the outsourced function in a combined way.

*Type II. *A client outsources a function as an input at first and then types into an importing data set towards the outsourced function. (Here, we do not consider a delegation type where a client outsources a data set at first and takes inputs on it. A detailed analysis on this can be found in Section 5.)

Maybe, clients should flexibly switch Type I and Type II due to their actual demands in reality. If we design and deploy two respective outsourcing computation protocol systems for respective delegation type, there is no doubt that this will cause a big waste of resources, which is even not feasible in marine WSNs. Hence, a “scalable” property for an outsourcing computation protocol should be highlighted. Apart from this, some desirable features for verifiable outsourcing computation protocols in marine WSNs should also be considered seriously.

Therefore, we may have the following doubt:* whether an efficient scalable outsourcing computation protocol with public verifiability towards Type I or/and Type II delegation in marine mobile computing field exists or not?*

*Our Results. *To give an affirmative answer to this expectation, we manage to design a public verifiable outsourcing computation protocol for Type I outsourcing and moreover extend it to support Type II outsourcing as well, which are inspired by [9–11]. Specifically, our contributions in this work can be summarized as the following four parts:(i)Aiming for securely performing Type I computation outsourcing, we put forward a scalable public verifiable outsourcing computation protocol in marine mobile computing, namely, . This protocol allows anyone to use a granted verification token to verify the result originated from any vessel’s Type I computation request.(ii)By treating the outsourced data set as an “on-the-fly” input of , we extract a single-mode version (i.e., for Type II computation) with adding a slight additional cost. As a result, vessels can just use a protocol enough for both Type I and Type II computation as they like, which shows the “scalable property’s” flexibility at a maximum extent.(iii)Both our and protocols are proven to achieve perfect correctness and selective soundness in the random oracle model. Furthermore, the efficiency analysis and concrete performance evaluations on both two protocols are provided.(iv)We motivate an intuition that the protocol can be viewed as a hierarchical public VC protocol towards only outsourced function (Type II), where the subjective function accepts the outsourced data which can be viewed as a hierarchical access control procedure.

##### 1.1. Problem Statement

In this subsection, we present design goals and system overview for our introduced protocols.

*Design Goals. *To achieve both functionalities and privacy-preserving requirements for an outsourcing computation protocol in marine mobile computing, the design goals can be thought from the following five parts.

*(1) Scalability. *The protocol should be able to flexibly vary its shapes depending on the type of outsourcing computation.

*(2) Public Verifiability. *Anyone with verification tokens can check the correctness of the result.

*(3) Public Delegation. *Any client can outsource a computation assignment to the cloud once the system is set up.

*(4) Correctness. *A dishonest cloud cannot return an incorrect output that passes verification.

*(5) Soundness. *A public (verifiable) outsourcing computation protocol should be secure and sound (cf. Section 2.3).

*System Description. *Our or protocol consists of the following three entities.

*(i) Cloud Server. *It receives the outsourcing computation request from any vessel and returns a result.

*(ii) Vessels (consisting of a pilot one and a number of nonpilot ones)*. They delegate outsourcing computation tasks to the cloud and expect to receive the correct computational outcome.

*(iii) Satellite. *It provides a wireless communication channel between cloud server and vessels.

*High-Level Roadmap. *Figure 1 gives a high-level system overview on a group verifiable outsourcing computation protocol, namely, both protocol and protocol. To be specific, the cloud server provides a verifiable outsourcing computation service for group vessels through the wireless channel supplied by the satellite. Note that a pilot vessel in a group of vessels initializes the public verifiable outsourcing computation service by outsourcing the delegation computing function (and accompanied outsourced data set), as well as sending the generated public system information to the whole system and the generated evaluation key information about computing function (and accompanied data set) to the cloud. In this way, any vessel in this group can delegate computations by directly typing inputs into the computing function (and accompanied data set). Then the cloud server performs a computation for the outsourcing request from a vessel. Finally, anyone who possesses a legal verification token (granted from the delegating vessel) is able to verify the result. We note that the above procedure path is highly similar to Type II (and Type I) outsourcing computation, that is, or protocol, respectively, where the only difference is the clients’ outsourcing type and importing type.

##### 1.2. Related Work

The studied problem is usually solved through a verification computation (VC) [12, 13] method, which starts with outsourcing a computing function to the cloud at first and then takes inputs on it. However, current VC protocols do not satisfy the listed design goals simultaneously in specific marine cloud computing. The other way to consider the verifiable outsourcing computation field is designed for running some verifiable delegations on outsourced data sets [14, 15], which is a little different from the formal VC concept where it differs in outsourcing whether it is a computing function or a data set at first. Also some works focused on performing computations towards outsourced functions (outsourcing at first) have been proposed [9, 13, 16–18]. For the public delegation and the public verifiable property, Applebaum et al.’s works did not satisfy them, as well as the work presented in [13, 14, 19]. Reference [11] presented protocol supported Type I computation outsourcing but neglected Type II one, so was the* hybrid* [20, 21] notion for verifiable computation failing the scalable property.

We note that all approaches to construct VC protocols except for functional encryption-based method failed to provide* public delegation* property for a verifiable outsourcing protocol towards a group of clients. From this point of view, our proposed solution is more enjoyable for such a scenario. More importantly, current works fail to achieve all the mentioned design goals simultaneously.

*Organization. *In Section 2, we introduce the system model and security definition for our protocol. Section 3 gives the protocol and its security analysis is provided in Section 4. An extracted version for single-mode public verifiable outsourcing computation protocol towards just outsourced function is shown in Section 5. Section 6 evaluates the performance and Section 7 gives a conclusion.

#### 2. Background Knowledge

*Notations 1. *We denote by the fact that is picked uniformly at random from a finite set . We denote PPT as a probabilistic polynomial-time algorithm. We use to denote multiplication (or group operation) as well as component-wise multiplication.

##### 2.1. Outsourcing Functions’ Description Using Access Structures

*Definition 2. *A (monotone)* access structure * for set universe . One may hold the fact for an attribute set : accepts Here, is a row vector; as represents the th row vector of matrix , a linear span is a collection of vectors over .

*Remark 3. *In this paper, we mainly focus on giving a verifiable outsourcing computation protocol for Boolean formula delegating functions. When we manage to enable our protocol to be usable for multibits rather than one bit (Boolean formula), we usually take the following steps to realize: (1)Split the computing function in to some subfunctions , where is the th output bit of the computing function .(2)Now we can run the and (for Boolean formula function) with conducting each subfunction .

Therefore, we can obtain a scalable outsourcing computation protocol for (polynomial many) multibits output for , where can be implemented by a polynomial-size Boolean formula’s circuit. In this case, any outsourcing function can be computed by a polynomial-size Boolean formula and can thus be described by a (monotone) access structure [22]. We therefore use the access structures to symbolize the aiming outsourced (Boolean) functions throughout this paper.

##### 2.2. Underlying Security Guarantee

The security of our protocol relies on the decisional -BDHE assumption. Let , be two cyclic groups of prime order and a generator of group along with an efficient computable map . Randomly choose generators and and a tuple , and an adversary should distinguish a computed value from a random element in . Finally, outputs having an advantage in solving the decisional -BDHE problem if

*Definition 4. *One says that the decisional -BDHE assumption holds in if, for any PPT adversary , its advantage in above game is negligible in security parameter .

##### 2.3. Definition for Scalable Verifiable Outsourcing Computation

In this subsection, we present the system definition, correctness definition, security definition, and privacy definition for a scalable verifiable outsourcing computation protocol.

* System Definition. *A scalable verifiable outsourcing computation protocol is composed of the following four PPT algorithms:(i): given a security parameter , on input a function and an accompanied outsourced data set , the pilot vessel outputs a public key and an evaluation key .(ii): on input , any (pilot or nonpilot) vessel can use it to encode an input into a problem description , as well as outputting a verification key .(iii): on input and a problem description , the data center (cloud) computes an outcome .(iv): with input of the cloud’s output , anyone returns an output or (rejects the cloud’s answer using ).

*Correctness Definition. *Given a security parameter , for any outsourced data set and outsourced function and any subjective function and for any objective data set , , , then

*Security Definition. *We define a security experiment against adaptive (adaptively chosen outsourced function and data sets) adversaries, which is played by a challenger and a stateful adversary .

A protocol achieves* selective soundness* if for all PPT adversaries and for any and , ’s winning advantage under the following condition, ; ; ; ; outputs “1”,

is negligible in security parameter , where means that the adversary can submit pairs that make the experiment always output “1.”

*Privacy Definition. *The clients’ outsourced/input computing function and data set are altogether kept hidden from the adversary’s view. Moreover, the cloud’s output for the problem solution does also not leak any information on the problem description. In this paper, we consider these as* outsourcing privacy*,* input privacy,* and* output privacy*.

#### 3. Our Scalable Verifiable Outsourcing Computation Protocol:

Inspired by the dual-policy attribute-based encryption (ABE) scheme [10, 23], we present the first publicly verifiable outsourcing computation protocol towards both (Boolean formula) outsourced functions and outsourced data sets altogether, which also relies on our introduced variant transformation [11] of the general relationship between ABE and public VC [9].

Specifically specifying the example in Section 1, the pilot vessel first initializes the service by inputting an outsourced function and an accompanied data set to generate a public key and an evaluation key and sends them to the cloud and other vessels. Thus, any vessel in this fleet can directly input the objective input for and an accompanied computation function over data set along with randomly chosen messages , altogether, to generate a problem description and a verification key . Once receiving and , the cloud computes the problem result on the problem . Finally the vessel (or a legal granted anyone) can use the verification key to efficiently check the result ’s correctness.

##### 3.1. System Initialization Phase

Given an outsourced function with input size as inputs, define two hash functions , . The pilot vessel randomly chooses and . Then it generates and outputs two master public/secret key pairs of information pieces:

##### 3.2. Evaluation Key Generation Phase

For an encoded objective outsourced function ’s access structure , as well as a subjective outsourced data set , pick a random vector such that for and set . Output

Similarly, we obtain the corresponding secret key using uniformly and randomly chosen independent “”-type variables. (Here, we omit the descriptions on the sampling process on “”, since it is almost same as that for ) Then, where denotes the complement function of the outsourced function . Hence, output the public key and the evaluation key information as

##### 3.3. Problem Generation Phase

Given an objective data set and the access structure of an encoded subjective function altogether as inputs, randomly choose a random vector such that for and set , . Pick two messages , and output and similarly we generate (by introducing new “”-type parameters to generate by using ):Hence, output the problem description and the verification key information as where is a one-way function.

##### 3.4. Compute Phase

Upon the problem description and the evaluation key , compute Output the problem solution .

Here, we note that this compute process can be realized efficiently (reducing the number of pairing operations) but just add a few exponentiation operations as a tradeoff.

##### 3.5. Verification Phase

Input and . Output

*Remark 5. *The verifiability of is mainly against the outsourced function since the concept of the complement data sets of does not make sense in practice compared to . Hence, our can be served as a hierarchical public VC protocol towards just outsourced function, which regards the subjective function accepting outsourced data set as a hierarchical (fine-grained) access control condition.

#### 4. Security Analysis

In this section, we give correctness and efficiency analysis on our protocol at first and sketch a security analysis and privacy analysis on it as well.

##### 4.1. Correctness Analysis

Based on the correctness of [10] dual-policy attribute-based encryption along with our modified transformation [11] between ABE and public VC in terms of [9], the correctness follows straightforwardly when both the following two conditions hold: (1) the outsourced function accepts the data set ; (2) the outsourced data set satisfies the function .

In the compute phase, the recovery process of is parallel to that of . Here, we just show the correctness of the case: where the fourth equation follows the linear reconstruction property of Definition 2, and we have

*Remark 6. *The correctness of the above compute phase is similar to that of the decryption process in [10].

##### 4.2. Efficiency Analysis

In this part, we give a time and a size efficiency analysis for . Concretely, Table 3 lists the dominant time operations (i.e., pairing, exponentiation, and multiplication) in group that belongs to each step of , and moreover Table 2 gives the size calculations.

*Remark 7. *The compute phase’s overhead can be optimized up to .

In the protocol, Step and Step are altogether done by the pilot vessel, any vessel can perform Step , and the data center (e.g., cloud) completes Step along with the fact that anyone can carry out Step .

As the bandwidth between each entity across this marine WSNs is low [5, 24], the low parameter size is highly demanded. From Table 3, we find that most operations that need high cost reside in the data center side. Consequently, the pilot vessel can certainly afford the VC service initialization computation overhead. In this way, the overhead of the problem description paid by any vessel is short, and anyone’s verification cost on the result is very little as well. Therefore, the efficiency of the obtained is enjoyably applicable to the marine wireless sensor networks.

##### 4.3. Security Analysis

Theorem 8 (main theorem). *Let be a class of Boolean functions (implemented by a family of circuits ), and let be a class of the complement function of each function and the class of the outsourced data set and be any one-way function. Suppose Definition 4 holds; then the protocol in Section 3 achieves selective soundness property according to the security definition in Section 2.3.*

We can easily reduce the security of with adaptive soundness to the adaptive security of the dual-policy ABE [10] and the general transformation between them, since one can obtain the protocol by running the ABE scheme twice along with other techniques. More technical details can be found in Section of [10] and Appendix of [9].

##### 4.4. Privacy Analysis

During the protocol’s process carried out, the specific contents of the outsourced part and the input part are encoded as another form. Specifically, the clients’ outsourced computing function and accompanied data set are encoded as an evaluation key and any client’s input , and is encoded as a problem generation , in such a way that the cloud cannot obtain any knowledge about the* outsourcing privacy* and* input privacy*. For the output privacy, the random message is also hidden by a owe-way function ; thus the cloud can just get and is unable to recover from it (except a negligible advantage) which is considered to achieve* output privacy* as well.

#### 5. Extracted Single-Mode Version of Protocol

In some cases, the clients (e.g., vessels) may just outsource either data sets or computing function to the cloud; therefore we have to ask the following question: *Can we transform the dual-mode verifiable outsourcing computation into a single-mode one?*

Intuitively, setting one of the outsourced data sets and outsourced function as “on-the-fly” input of protocol, we hence assume obtaining two single-mode public VC protocols towards respective outsourced function and outsourced data sets. However, this assumption fails due to the nonexistence of a single-mode for outsourcing data sets. The reasons are as follows:(1)Firstly, we should observe that the complement class of the outsourced data sets does not make any sense in practice, which is not similar to the relation between and . It is also not easy to obtain the complement class of .(2)Secondly, one can run the key-policy ABE (KP-ABE) mode of dual-policy ABE (DP-ABE) in [10] twice for respective and , but the relation between ciphertext-policy ABE and public VC is not known so far. In this way, the checkability of the single-mode over outsourcing data sets cannot achieve “1.”

Hence, we can just obtain the single-mode variant of for outsourced computing function at first, namely, Type II delegation type.

##### 5.1. Construction for Single-Mode for Just Outsourcing Functions:

Inspired by the KP-ABE mode of dual-policy ABE [10] and our protocol, we give the* single-mode publicly verifiable outsourcing computation towards outsourcing computing functions*’ construction.

*(1) System Initialization Phase. *This step is same as that of except for adding special data as a new input.

*(2) Evaluation Key Generation Phase. *This stage is same as that of except by randomly choosing and setting Hence the evaluation key behaves as

*(3) Problem Generation Phase. *This is almost same as that of except for sampling and setting Hence, the problem description behaves as

*(4) Compute Phase. *In this case, this process computes as follows: Finally, output the problem solution .

*(5) Verification Phase. *This step is exactly same as that of .

This concludes the construction description.

##### 5.2. Analysis on the Single-Mode for Just Outsourcing Computing Functions

In this subsection, we still give a correctness, efficiency, and security analysis on the protocol.

###### 5.2.1. Correctness Analysis

The correctness holds when accepts the data sets , where the secret shares’ reconstruction follows

###### 5.2.2. Efficiency Analysis

In general, the size and time efficiency of the single-mode protocol for only outsourcing computing functions are comparable to those of one. Next, we present the time and size efficiency analysis for in concrete way; Table 4 gives the size calculations and moreover Table 5 lists the dominant time operations (i.e., pairing, exponentiation, and multiplication) in group which performed in each step of single-mode .

In concrete way, the problem generation and verification overheads enjoy better efficiency than that in , but its overhead on generating evaluation key is a little expensive (including the size of ) compared to , since “on-the-fly” data set is involved to handle the construction. A tradeoff between Steps , , and and Steps and over the above three steps does inevitably exist. Apart from this, the overall time and time overhead are almost same as that of .

As a result, the (non)pilot vessel or anyone can efficiently run the single-mode service, and moreover the cloud’s running cost on computing the problem also turns out to be short. In this way, we can directly extract a highly efficient protocol from .

###### 5.2.3. Security Analysis

Theorem 9 (main theorem). *Let be a class of Boolean functions (implemented by a family of circuits ), and let be a class of the complement function of each function and be any one-way function. Suppose Definition 4 holds; then the single-mode protocol for only outsourcing computing functions achieves selective soundness according to the security definition in Section 2.3.*

The proposed single-mode verifiable outsourcing computation protocol can be seen as a special variant of in fact, whereas their functionalities are merely not the same. Based on the security analysis on Theorem 8, Theorem 9 can be proved easily as well.

###### 5.2.4. Privacy Analysis

The privacy analysis on the protocol is same as that of the protocol in Section 4.4.

#### 6. Performance Evaluation

In this section, we give a performance evaluation on our and its extracted single-mode outsourcing computation protocol . Applying a certain implementation technique on realizing bilinear maps, we choose using an asymmetric bilinear group to implement the symmetric bilinear group for and in the actual experiment as in [25].

Standing by the standard NIST recommendation [26] and general remarks [25, 27] based on the Python language’s realizations along with its provided Charm-crypto Benchmark, we note that the charm tool [25] is an extensible -based framework under Pairing-Based Cryptography (PBC) library for rapidly prototyping cryptographic schemes and protocols, which is widely used in conducting functional encryption-based primitives. We remark that this is instantiated in an Ubuntu 12.04 operating system with 1 GB RAM (established in a MACBOOK Air Intel [email protected] GHz and 4 GB RAM equipped with a VMWare software). Next, we decide to employ the “SS512” elliptic curve for our performance evaluation. Finally, Table 7 shows the “SS512” curve’s element length; and moreover Table 6 gives a list of the “SS512” curve’s average running-times for each protocol step.

Suppose that the size of the data set , is and the value of , is . Based on the employed “SS512” elliptic curve [28], the actual size evaluation in Figure 2 and the time efficiency simulation in Figure 3 are both given. In addition, we use “+” to denote the* dual-mode * protocol and “⋄” to denote the* extracted single-model *: protocol in both Figures 2 and 3.

From Figures 2 and 3, we can deduce the fact that both and achieve high space and time efficiency. Our protocol’s efficiency is comparable to the extracted one’s efficiency. Particularly, the overload that belongs to the weak clients’ sides is actual satisfactory.

#### 7. Concluding Remarks

This paper presented a scalable and soundness verifiable outsourcing computation protocol in marine mobile cloud computing. Our protocol enabled any client to delegate a computation task to the server and was also able to designate anyone to verify the result. In addition, an extracted single-mode outsourcing computation protocol from was presented, which led to a fact that the client can adapt based on the inputs’ option in terms of its interest or its own needs. However, we found that our protocol could just handle the outsourcing function as the single mode; hence a design of a verifiable outsourcing computation protocol towards outsourced function may be an open problem.

#### Conflicts of Interest

The authors declare that they have no conflicts of interest.

#### Acknowledgments

The authors want to acknowledge the WASA 2017 anonymous reviewers’ suggestions. This work was supported by the National Natural Science Foundation of China (61571191, 61572192, 61472249, 61472142, and 61402282), the “Dawn” Program of Shanghai Education Commission (no. 16SG21), and the Open Foundation of State Key Laboratory of Integrated Services Networks (ISN17-11).