Secure Outsourcing of Matrix Determinant Computation under the Malicious Cloud

Computing the determinant of large matrix is a time-consuming task, which is appearing more and more widely in science and engineering problems in the era of big data. Fortunately, cloud computing can provide large storage and computation resources, and thus, act as an ideal platform to complete computation outsourced from resource-constrained devices. However, cloud computing also causes security issues. For example, the curious cloud may spy on user privacy through outsourced data. The malicious cloud violating computing scripts, as well as cloud hardware failure, will lead to incorrect results. Therefore, we propose a secure outsourcing algorithm to compute the determinant of large matrix under the malicious cloud mode in this paper. The algorithm protects the privacy of the original matrix by applying row/column permutation and other transformations to the matrix. To resist malicious cheating on the computation tasks, a new verification method is utilized in our algorithm. Unlike previous algorithms that require multiple rounds of verification, our verification requires only one round without trading off the cheating detectability, which greatly reduces the local computation burden. Both theoretical and experimental analysis demonstrate that our algorithm achieves a better efficiency on local users than previous ones on various dimensions of matrices, without sacrificing the security requirements in terms of privacy protection and cheating detectability.


Introduction
The development of cloud computing provides great convenience to resource-constrained clients. They can outsource complex computations into the cloud by paying a fee. Computation outsourcing brings economic benefits to both resource-constrained clients and high-performance servers. Nevertheless, in practice, cloud servers are untrustworthy, which brings many security issues to computation outsourcing. According to [1], security has become a top issue that affects the business potential of cloud computing. The outsourced data usually contain private user information. The curious cloud may spy on user privacy through outsourced data. Besides, the malicious cloud may violate the computing scripts and return incorrect results to the client. Even without considering the maliciousness of the cloud, computing errors caused by the cloud hardware failure, software errors, etc. should also be detected by the client locally. In addition to these traditional security issues, with the development of smart phones, virtual assistants (VA) have been widely used in smart phones, which are vulnerable to malicious attacks; it uploads voice records to the cloud without the user's knowledge or consent [2]. Therefore, cloud-based secure computation outsourcing algorithms have become hot topics of researches.
There are generally two types of security assumptions in cloud-based secure outsourcing algorithms [3]. The cloud that is assumed to be semihonest (or honest-but-curious) is only curious about the privacy contained in outsourced data. The cloud assumed to be malicious may firstly be semihonest, and then cause damage or forge results to sabotage the computation. Besides, in the above two security assumptions, the local computational burden of the client should be as low as possible. Otherwise, the efficiency benefit of outsourcing will be nullified. Therefore, the secure outsourcing algorithms under the malicious model require the considerations of efficiency, privacy protection, and cheating detectability.
In order to reduce the local computational burden using cloud computation outsourcing while protecting privacy and detecting false results, researchers have proposed secure outsourcing algorithms for many commonly used and complex computations, including the computation of matrix determinant. The computation of matrix determinant has appeared more and more widely in science and engineering problems recently. Many researches of medicine and biology use the matrix determinant for signal processing before using machine learning algorithms for practical classification tasks. For example, when machine learning algorithms are used for medical diagnosis, the data collected by the medical sensors are usually time series and contain private user information. Many researches divide the signal into several segments and fill them into matrices. Then, the determinants of matrices are considered as the feature values of the original signal. However, the computation of matrix determinant is still unaffordable for the sensors. They usually need to outsource matrix determinant computations to high-performance hardware.
To improve the detectability of cheating behaviors from the malicious cloud, all previous algorithms must increase the rounds of verification, which significantly increase the local computational burden of the client. Moreover, the currently known algorithm with the best privacy protection in [4] uses significantly more local computations than other algorithms. Therefore, we aim to propose a novel algorithm for secure outsourcing of matrix determinant computation, to solve the conflicts between the efficiency and security issues. The contributions of this paper are summarized as follows: • We propose a secure outsourcing algorithm for the matrix determinant computation under the malicious cloud model, which can not only ensure the confidentiality of matrix, but also detect the forged results returned from the malicious cloud. We use the permutation, mix-row/mix-column, and split operations in our algorithm to protect privacy, which achieves the currently known lowest computation cost. • We propose a one-round verification method in the proposed algorithm, which achieves a high cheating detectability. The malicious forged results can only escape our local verification with the probability of 1 (n!) 4 , given a matrix of n × n dimensions. In all the previous algorithms, the detectability of malicious forged results depends on the rounds of verification, and to achieve a high cheating detectability, multiple rounds of verification are required, which also brings high computational burden to the client. In the previous three algorithms [4][5][6], the succeeding probability of malicious forged results is 1 2 l , where l is the number of verification rounds and recommended to be greater than 20.

•
We conduct theoretical proofs of the correctness, efficiency, privacy protection, and cheating detectability for the proposed algorithm. Experimental results also demonstrate the superior efficiency of the proposed algorithm.
The rest of the paper is organized as follows: We introduce the related work and comparative analysis in Section 2. In Section 3, we introduce some background knowledge and the system model of our algorithm. Section 4 describes the proposed secure outsourcing algorithm for matrix determinant. We conduct the correctness, security, and complexity analysis of the proposed algorithm in Section 5. We evaluate the performance of our algorithm in Section 6. Finally, we conclude our work in Section 7.

Related Work and Comparative Analysis
Recently, the privacy and security issues in lightweight devices are widely concerned (e.g., the intrusion detection system on lightweight devices [7] and the secure computation outsourcing on resource-constrained devices). As we all know, although cloud computation outsourcing brings convenience to resource-constrained devices, it also causes privacy issues. Therefore, there are many researches on how to protect user privacy and verify the correctness of results when using cloud computing. From the perspective of the cloud, data access control mechanisms can be used to protect user privacy and ensure data availability. Kayes et al. [8] gave a survey on context-aware access control mechanisms (CAAC) during data management in cloud and fog networks. They also proposed a new generation of Fog-Based CAAC (FB-CAAC) framework for accessing data from distributed cloud data centers. When computations on the encrypted data are required, access control mechanisms are not enough. From the perspective of the client, Fully Homomorphic Encryption algorithms (FHE) [9][10][11][12] and Attribute-based Encryption algorithms (ABE) [13][14][15] have great application potential in cloud secure computation outsourcing, but their high computational complexities limit their practical applications, especially for resource-constrained devices. In addition, there are a large number of researches on the secure outsourcing algorithms for commonly-used and complex scientific computations (e.g., modular exponentiation [16,17], extended Euclidean [18], bilinear pairings [19][20][21], polynomial multiplication [22]).
There are many applications of matrix in the field of computer science, such as Digital Image Processing (DIP), computer graphics, computer geometry, Artificial Intelligence (AI), network communications, and so on. Thus, many computations of matrix are also commonly used and complex. However, some scientific computations of matrix have high computational complexities. Therefore, there are also many researches on secure outsourcing algorithms for computations of matrix. For example, the secure outsourcing algorithm for matrix multiplication has been widely studied [23][24][25][26]. In addition, Nonnegative Matrix Factorization (NMF) is widely used in DIP, face recognition, text analysis, and other fields. Thus, there are many secure outsourcing algorithms for NMF [27][28][29][30]. Matrix inverse is also one of the most basic computations in large-scale data analysis. Computing the inverse of matrix on resource-constrained devices such as sensors is usually costly. Thus, there are also some secure outsourcing algorithms for matrix inverse [31][32][33]. Besides, in the field of machine learning, Singular Value Decomposition (SVD) has a wide range of applications. It can be used not only for feature decomposition in dimension reduction algorithms but also recommendation system, Natural Language Processing (NLP), and other fields. Securely outsourcing SVD to the cloud can greatly reduce the computation costs of the client. Chakan et al. proposed a secure outsourcing algorithm for SVD [34]. The local computational complexity of this algorithm is O(n 2 ) and the complexity of cloud is O(n 3 ). Chen et al. proposed a secure outsourcing scheme for SVD with less interactions between the client and the cloud [35].
Similar to the above computations of matrix, the determinant is also an important computation of matrix in the field of scientific and engineering. In the semihonest model, Kim et al. proposed a secure matrix determinant outsourcing method based on FHE [36]. Their scheme computes the determinant by the standard definition of matrix determinant, which results in a high computational burden of the client. Zong et al. introduced a division-free computational method for FHE-based secure matrix determinant computation outsourcing [37], which is significantly more efficient than the method in [36]. The above two algorithms only considered the privacy under the semihonest model.
However, in practice, the cloud may be malicious. To the best of our knowledge, the existing secure outsourcing algorithms for matrix determinant computation under the malicious model include [4][5][6]. In [5], Lei et al. used the block matrix and permutation techniques to protect privacy. In their algorithm, the client's local computations include (2 + l)n 2 + 2m 2 + 4mn + 2n + m multiplications, where m is the increase in dimension after encryption and n is the original dimension of matrix. Liu et al. proposed a new matrix determinant secure outsourcing algorithm using the permutation and mix-row/mix-column operations, which avoid the increase in matrix dimension during the encryption and reduces the number of local multiplications to (2 + l)n 2 + 3n [6]. Zhang et al. proposed a method that has better privacy [4]; however, because 8n times of elementary column/row transformations are involved in the process of encryption, it has a higher local computational burden than other algorithms, which require (10 + l)n 2 + 6n local multiplications. All the above three algorithms and our proposed algorithm have the same cloud computational complexity (O(n 2.373 )).
In our algorithm, in addition to the permutation and mix-row/mix-column operations, we used split operation to achieve a higher privacy. To prevent malicious cloud from forging computation results, the above three algorithms adopted the idea of Freivalds' algorithm [38] with ln 2 computation costs that need to increase the frequency of verification (l) to improve the cheating detectability. l is greater than 20 at least in their works. In our proposed algorithm, only one round of verification is required, so there is no factor l in the computation cost. Table 1 demonstrates comparisons of our algorithm and the three existing algorithms from aspects of local multiplications, privacy protection level, and cheating detectability. Since multiplications dominate the local computation, local additions are omitted here and will be discussed later in Section 5. As we will discuss in Section 5, our proposed algorithm uses the lowest overall local computation cost to achieve a high detectability of result cheating (or a negligible probability of cheating success).

Preliminary
The notations and their implications used in this paper are shown in Table 2. This section will introduce some background knowledge of our algorithm.

Symbol
Implication The determinant of matrix M α ← K Choose an element α from set K randomly λ Security parameter Prob x A (χ) The probability that attacker A obtains the secret input x using data χ Prob The probability that the client C detects the forged results f orge using data χ The element in the ith row and jth column of matrix The inner product of vector a and vector b f LU (M) The Low triangle and Up triangle decomposition of matrix M

System Model
The secure outsourcing algorithm for matrix determinant consists of the following five parts.
• KeyGen(λ) → (SK 1 , SK 2 ): λ is a security parameter related to key generation. The generated key SK 1 is used to encrypt the input data, and SK 2 is used to verify and decrypt the returned results. Both SK 1 and SK 2 should be kept privately by the client C.
x is the input data. The client uses SK 1 to encrypt the input x and gets encrypted data σ x . σ x is sent to the server S for computing.
f is a function given by the client. The server computes σ y using the given function f and encrypted data σ x . • Verify(σ y , SK 2 ) → (True/⊥): The client verifies the results returned from the cloud. If the σ y is valid, the output of this function is True. Otherwise, the output is ⊥.
The client uses the secret key SK 2 to decrypt σ y and obtains the result y.
The proposed algorithm is effective in the malicious cloud model. The malicious cloud can not only use its known information to infer the privacy of the client, but also maliciously forge false computation results to tamper with the whole algorithm. The system model of secure outsourcing for matrix determinant in this paper is shown as Figure 1.
A semihonest attacker may only be curious about the privacy contained in outsourced data. As shown in Equation (1), for any attacker A in the cloud server, if the probability of computing the secret input x with its known information (σ x , f , σ y ) is so small that it can be ignored in the polynomial time, the proposed secure outsourcing algorithm for matrix determinant is privacy-protected.
A malicious attacker may cause damage or forge results to sabotage the computation. As shown in Equation (2), for any forged computation results ( f orge) returned from the cloud server, if the probability that the client (C) recognizes the forged results using the Verify(σ y ,SK 2 ) function is infinitely close to 1, the proposed secure outsourcing algorithm for matrix determinant is cheating-detected, which means the cheating detectability of the algorithm is high, and the success probability of attacker's result cheating is negligible.
If the local computation complexity of the client is substantially less than the computation complexity of the previous algorithm without outsourcing, the secure outsourcing algorithm for matrix determinant is efficient.

Secure Outsourcing of Matrix Determinant
In this section, we propose a secure outsourcing algorithm for matrix determinant. In comparison with the previous algorithms, our algorithm aims to improve the privacy protection ability and cheating detectability with less local computation costs. We use the permutation, mix-row/mix-column, and split operations in our algorithm to protect the privacy of matrix. Besides, we use a new result verification method to improve the cheating detectability, which is different from [4][5][6]. The main idea of the verification method is to ensure that at least the diagonal elements in the results of Low triangle and Up triangle (LU) decomposition returned from the cloud are correct. The security analysis in Section 5 will prove that it is more difficult for the forged results returned from the malicious cloud to pass this verification than the previous ones. The proposed algorithm is described as follows. The size of the input matrix is n × n in the rest of this section.

Algorithm 1 Procedure of Secret Key Generation
Pick 8 random parameters satisfying n ≤ n 1 , n 2 , n 3 , n 4 , m 1 , m 2 , m 3 , m 4 ≤ 2n 4: end for 7: for i = 1 → 4 do 8: for j = 1 → n i do 9: Randomly select two rows of P i and exchange them. 10: end for 11: for j = 1 → m i do 12: Randomly select two columns of Q i and exchange them. 13: end for 14: end for 15: In the KeyGen function, K can be {0, 1} λ , given a security parameter λ. From the analysis in Section 5, the number of elements in K is associated with the security of the algorithm. When λ = 10, the probability that the cloud obtains the privacy input is less than 1 2 40 , which is negligible. Other ways of defining K are also applicable, as long as the number of elements in the set K is sufficient to resist the brute-force attack of the cloud.

Encryption
• While keeping the other rows, the client randomly splits the ith and jth rows of M to get four matrices M 1 ,  (3) and (4). 4:  The cloud returns σ y = {r 1 , r 2 , r 3 , r 4 , L 1 , U 1 , L 3 , U 3 } to the client.
Algorithm 3 Procedure of Computation : If the output of the Verify function is true, the clients executes the Decrypt function. Otherwise, the client rejects the results returned from the cloud.  for i = 1 → n do 7: Pick j, k in [i, n] randomly. 8: if  for j = 1 → n do 13: Pick i, k in [1, j] randomly. 14: if 15: f lag ← ⊥; return f lag. Obviously, the input parameters of the Verify and Decrypt functions are the same. In fact, the result of the Decrypt function can be obtained during the execution of the Verify function in the proposed algorithm. We separate them into two parts for the sake of clarity and convenience to compare with the previous algorithms. The specific flowchart of the proposed algorithm is shown in Figure 2. In the next section, the correctness, security, and computational complexity of the proposed algorithm will be analyzed.

Correctness
Theorem 1. The proposed secure outsourcing algorithm for matrix determinant is correct.
Proof of Theorem 1. When proving the correctness of a secure outsourcing algorithm, it is reasonable to believe that both the client and the cloud honestly follow the procedure of the algorithm. In the procedure of DECRYPT, the determinant of matrix is computed by According to the function KEYGEN, we can obtain Thus, we can obtain Finally, Equation (8) is proved. This implies that the function DECRYPT always yields the correct determinant and the proposed algorithm is correct.

Computational Complexity
We analyze the computational complexities of the client and the cloud in this section. The KEYGEN function, ENCRYPT function, VERIFY function, and DECRYPT function are executed by the client. The COMPUTE function is executed by the cloud. We first analyze the computational complexity of the client. The ENCRYPT function involves matrix split operations and matrix multiplications. Obviously, the matrix split operation needs only 2n subtractions. The major computations are lines 4-7. Since P 1 , P 2 , P 3 , P 4 , Q 1 , Q 2 , Q 3 , and Q 4 are obtained by randomly swapping rows/columns of diagonal matrices, the computations of Y 1 , Y 2 , Y 3 , and Y 4 require a total of 8n 2 multiplications; therefore, the ENCRYPT function requires a total of 8n 2 multiplications and 2n subtractions.
Two divisions and one addition are required in DECRYPT. Thus, it is easy to see that the computational complexity of the DECRYPT function is O(1).
In conclusion, the client needs to undertake a total of 12n 2 + 12n multiplications and 4n 2 + 10n + 7 additions. Therefore, the computational complexity of the client side of the proposed algorithm is O(n 2 ).
In Table 3, the number of multiplications required by every part of the proposed algorithm is demonstrated and compared with three existing algorithms from [4][5][6]. In Table 4, the numbers of additions required by the proposed algorithm are listed and compared in the same way as Table 3. Although the complexity of the KEYGEN and ENCRYPT is higher than the compared schemes [5,6], the complexities of VERIFY and DECRYPT in the compared schemes are higher than that of the proposed algorithm. According to [4][5][6], to improve security, the value of l is usually greater than 20 and the value of m is usually greater than 100, where l is the frequency of verification and m is the increase of the dimension after encryption. In fact, when l in the compared algorithms is set to 20, the security of those algorithms are very poor, which is equivalent to the security of the proposed algorithm running on a matrix of dimensions 4 × 4. When pursuing higher security, the local computational cost of the compared algorithms will be significantly higher than the algorithm in this paper. Therefore, it is easy to see that the proposed algorithm has the lowest local computational burden.

Proof of Theorem 3.
Only the COMPUTE function is performed by the server side. Four iterations of LU decomposition computations and 8n multiplications are required in Algorithm 3. If the server supposes the fastest LU decomposition algorithm (e.g., Williams' algorithm [39]), the computational overhead for the cloud side can be reduced to O(n 2.373 ), which has been proven in [5].
In comparison with the previous algorithms, the specific theoretical performance of the proposed algorithm is shown in Table 5. The nonoutsourcing algorithm for matrix determinant is O(n 2.373 ) using the fast LU decomposition method in paper [39]. Obviously, the local computation complexity of the client (O(n 2 )) is substantially less than the computation complexity of nonoutsourcing (O(n 2.373 )).

Security
A cloud server can be a passive or active attacker. Next, we will analyze the security of the proposed algorithm against both passive and active attacks.

Privacy against Passive Attacks
A passive attacker (semihonest) follows the procedure of the algorithm while exploiting the intermediate information to breach the privacy of matrix. Theorem 4. The proposed secure outsourcing algorithm for matrix determinant is privacy-protected.

Proof of Theorem 4.
It is easy to see that the methods of encrypting matrices M 1 , M 2 , M 3 , and M 4 are consistent. The privacy input matrix M can be obtained by computing {M 1 , M 2 } or {M 3 , M 4 }. We take {M 1 , M 2 } as an example to prove that the proposed algorithm is privacy-protected. As Y 1 and Y 2 are visible to the attacker, to restore {M 1 , M 2 }, the attacker needs to guess P 1 , Q 1 , P 2 , and Q 2 . Then, the attacker uses the inverse matrices of P 1 , Q 1 , P 2 , and Q 2 to restore {M 1 , M 2 }. When generating the original diagonal matrices P 1 , Q 1 , P 2 , and Q 2 in the KEYGEN function, a total of 4n elements are selected from the key space K = {1, 0} λ . The probability of attacker A correctly guessing the 4n elements is 1 (2 λ ) 4n . Besides, from the perspective of the attacker, as long as the frequencies of mix-rows/mixcolumns (n 1 , n 2 , m 1 , m 2 ) are large enough, it is equivalent to repositioning the n nonzero elements of the diagonal matrix (P 1 , Q 1 , P 2 , Q 2 ) to ensure that all rows/columns of the new matrix have only one element. Thus, through the mix-row/mix-column operations in lines 7-14 of Algorithm 1, the attacker successfully guessing any matrix requires n! attempts. Therefore, the passive attacker should make (n!) 4 (2 λ ) 4n brute-force guesses to obtain {M 1 , M 2 }. Then, the attacker can easily compute M. The probability that the attacker A obtains the secret input M is shown at Equation (14). When either the size of the matrix or the key space K is large enough, the value of Prob M A will be so small that it can be ignored.
As for the privacy of the output det(M), because det(M) = r 1 t 1 + r 2 t 2 , the attacker must obtain t 1 , t 2 before computing det(M). As t 1 = det(P 1 )det(Q 1 ), t 2 = det(P 2 )det(Q 2 ), computing t 1 , t 2 is equivalent to guessing P 1 , Q 1 , P 2 , and Q 2 . Thus, the probability that the attacker A obtains the secret output det(M) is the same as obtaining the input privacy.
Thus, we can conclude that the proposed secure outsourcing algorithm for matrix determinant is privacy-protected.

Security against Active Attacks
An active attacker (malicious) injects false computation results into the algorithm to tamper with the whole procedure.
Theorem 5. The proposed secure outsourcing algorithm for matrix determinant is cheating-detected.
Proof of Theorem 5. There are three types of attacks with different complexity levels.
In the first attack, the attacker returns random r 1 , r 2 , r 3 , r 4 , L 1 , L 2 , U 1 , U 2 to the client with O(1) computational complexity. Obviously, . Thus, it cannot pass the verifications of Equations (5)- (7). The malicious cloud can also perform a small number of computations with O(n) computational complexity so that , which can nullify the verifications of Equations (5) and (6). However, due to the lack of t 1 , t 2 , t 3 , t 4 , it still fails to pass the verification of Equation (7).
The complexity of the second type of attack is O(n 2.373 ). There are two ways of attacking. In the first way, the attacker computes the correct results σ y , but chooses a random ath element on the diagonal of L 1 or U 1 and tampers with it (e.g. , L 1 (a, a) = γL 1 (a, a)). In the same way, the attacker tampers with a random bth element on the diagonal of L 3 or U 3 (e.g., L 3 (b, b) = γL 3 (b, b)). Besides, the attacker also changes the r 1 , r 2 , r 3 , r 4 by r 1 = γr 1 , . . . , r 4 = γr 4 . The above attack returns r 1 , r 2 , r 3 , r 4 , L 1 , U 1 , L 3 , U 3 to the client, which can successfully nullify the verifications of Equations (5)- (7). However, it cannot pass the verification in lines 6-17 of the VERIFY function. The verifications in lines 6-17 verify all the diagonal elements in L 1 , L 3 , U 1 , and U 3 at least once. The nature of the verifications in lines 6-17 is to select 2n elements in the matrices Y 1 and Y 3 , respectively, to verify the correctness of the diagonal elements in L 1 , L 3 , U 1 , and U 3 . As shown in Equa-tions (15) and (16), the error in the ath/bth term in l 1 (a, −)/l 3 (b, −) will be propagated to Y 1 (a, j)/Y 3 (b, k), which is not equal to Y 1 (a, j)/Y 3 (b, k). Thus, the forged L 1 (a, a) and L 3 (a, a) can be certainly detected.
In the second way, before performing the COMPUTE function, the attacker tampers with a random element in Y 1 and Y 3 , respectively (Tampering with more items will be easier to detect.). Then, the attacker performs the COMPUTE function with the forged input Y 1 , Y 3 , and returns the cheating result σ y = r 1 , r 2 , r 3 , r 4 , L 1 , U 1 , L 3 , U 3 to the client. As the verification in lines 6-17 can only detect this attack with a probability of 2 n . This way of attacking can easily nullify the verification in lines 6-17. However, as shown in Equation (17), it cannot pass the verification of Equation (7). Forging more elements in Y 1 , Y 3 , or elements in Y 2 , Y 4 can also be detected by Equation (7) (e.g., the cloud returns σ y = r 1 , r 2 , r 3 , r 4 , L 1 , U 1 , L 3 , U 3 to the client where r i is the cheating result and r i is the correct result).
The complexity of the third attack is much greater than others. In order to pass all the verification, before attacking, the attacker has to make (n!) 4 brute-force guesses to get the 4n positions that the client verifies in Y 1 and Y 3 (lines [6][7][8][9][10][11][12][13][14][15][16][17]. Then, the cloud constructs two forged matrices Y 1 and Y 3 . The forged matrices Y 1 and Y 3 satisfy the condition that the elements at the detected positions remain unchanged, and the elements at other positions are changed. Meanwhile, the attacker ensures det( Afterwards, the cloud tampers with r 1 , r 2 , r 3 , r 4 by r 1 = γr 1 , . . . , r 4 = γr 4 . The third attack is the only way to pass all the verifications in VERIFY with a probability of 1 (n!) 4 and return a forged result y = γy. The probability that the client C successfully detects the forged result is shown in Equation (18), which infinitely approaches 1 when n is large enough. Thus, we can conclude that the proposed secure outsourcing algorithm for matrix determinant is cheating-detected, when the size of the matrix is large enough.
Prob f orge C (r 1 , r 2 , r 3 , r 4 , L 1 , L 3 , U 1 , As shown in Table 6, the theoretical security of the proposed algorithm is significantly higher than the other three algorithms while using the same key space K = {1, 0} λ . According to [4][5][6], the parameter l is recommended to be greater than 20. Thus, when n ≥ 5, the proposed algorithm can achieve a high cheating detectability comparable to these three algorithms with the lowest computational cost, as demonstrated in Tables 3 and 4. Actually, it is common to compute the determinant of the large matrices with dimensions of far-greater than 5 in DIP and machine learning.

Performance Evaluation
According to the above theoretical analysis, our algorithm can significantly reduce the local computational burden of the client. In this section, we implement the algorithm to assess its practical efficiency. The client and the cloud server functions in our experiments were conducted on the same machine, which has an Intel(R) Core(TM) i7-8550U CPU 1.80 GHz with eight cores. We implemented the proposed algorithm by Matlab and used the LAPACK [40] package to perform the LU decomposition. The communication costs between the client and the server were ignored, since the computations dominate the running time. Table 7 shows the notations used in this section. The time consumption of client in key generation and encryption. t c2 The time consumption of client in decryption and verification. t c The time consumption of client.
Our goal is to reduce the client's computational burden through outsourcing. Therefore, the ratio of time consumption without outsourcing to time consumption with outsourcing is an important measure, which is referred to as the Acceleration Ratio of clients.
In our comparisons, we only considered the existing algorithms proposed for the malicious model, without considering those merely for the semihonest model, since the former model is more secure. As far as we know, the currently existing algorithms for the malicious model include only Lei's algorithm [5], Liu's algorithm [6], and Zhang's algorithm [4]. In the experiment, we set the parameter l to 20 in the three previous algorithms, and set the parameter m to 500 in Lei's algorithm. We compared the running time of every part of the algorithms on matrices of different dimensions. Table 8 and Figure 3 show that our algorithm has the highest acceleration rate on matrices of all dimensions. The time consumption on cloud in our algorithm is slightly higher than the three previous algorithms, which is not a big issue since this follows the aim of outsourcing by moving computational burden from local to cloud. As shown in Figure 4, compared with the previous algorithms and nonoutsourcing algorithms, our proposed algorithm has the lowest local computational burden. As for the security level, even if l is set to 20, the security of the three previous algorithms are still much lower than the proposed algorithm.
In order to prove that the proposed algorithm achieves a higher security level with less local computation costs. we also compare the local running time of the proposed algorithm with the previous three algorithm on different values of parameter l. In this experiment, the dimension of matrix is fixed at 2000. As shown in Figure 5, because the proposed algorithm uses a new verification method, which does not involve the parameter l, the local running time of the proposed algorithm remains unchanged. As the parameter l increases, the cheating detectability of the previous three algorithms increases, since the forged results can escape local verifications with the probability of 1 2 l , while in our algorithm the cheating detectability remains at the probability of 1 − 1 (2000!) 4 . However, the local computational burden of the three algorithms also increases significantly.
We also apply the proposed secure outsourcing algorithm as a basic module to the Cramer's rule to solve linear equations. We compare the time consumption of outsourcing determinant computation and nonoutsourcing in solving linear equations of different dimensions. As shown in Figure 6, outsourcing the computations of determinant can significantly reduce the time consumption of solving linear equations, which also proves the efficiency superiority of the proposed secure outsourcing algorithm for matrix determinant computation.

Conclusions
In this paper, we propose a new secure outsourcing algorithm for matrix determinant computation under the malicious model. We also conduct theoretical analysis to prove the correctness, efficiency, privacy protection level, and cheating detectability for the proposed algorithm. In comparison with the previous algorithms in [4][5][6], the proposed algorithm achieves higher cheating detectability with less computations on the client. The previous algorithms [4][5][6] use Freivald's method [38] for verification, which achieves a high cheating detectability by continuously increasing local computational burden. The cheating detectability of the proposed algorithm does not depend on the frequency of verification but is only related to the size of the matrix. Even in the case that the dimension of the matrix is not large enough (greater than or equal to 5), the cheating detectability of our algorithm is significantly better than the previous algorithms. For the privacy, the state-of-the-art algorithm [4] has the highest privacy, but its local computation cost usually nullifies the efficiency benefit of outsourcing when the dimension of matrix is less than 2000. Our algorithm with the lowest local computation cost achieves privacy comparable with the state-of-the-art works. We also conduct experiments to demonstrate the local efficiency superiority of the proposed algorithm. However, the theoretical analysis and experimental results also show that the proposed algorithm has a higher cloud computation cost than the three previous algorithms, which is not a big issue since this follows the aim of outsourcing by moving computational burden from local to cloud. As future work, we will study how to reduce the cloud's computational burden in the secure outsourcing algorithms for computations of the matrix.