RPVC: A Revocable Publicly Verifiable Computation Solution for Edge Computing

With publicly verifiable computation (PVC) development, users with limited resources prefer to outsource computing tasks to cloud servers. However, existing PVC schemes are mainly proposed for cloud computing scenarios, which brings bandwidth consumption or network delay of IoT devices in edge computing. In addition, dishonest edge servers may reduce resource utilization by returning unreliable results. Therefore, we propose a revocable publicly verifiable computation(RPVC) scheme for edge computing. On the one hand, RPVC ensures that users can verify the correct results at a small cost. On the other hand, it can revoke the computing abilities of dishonest edge servers. First, polynomial commitments are employed to reduce proofs’ length and generation speed. Then, we improve revocable group signature by knowledge signatures and subset covering theory. This makes it possible to revoke dishonest edge servers. Finally, theoretical analysis proves that RPVC has correctness and security, and experiments evaluate the efficiency of RPVC.


Introduction
The rapid popularization of smart devices has spawned a large number of Internet of Things (IoT) applications, one of which is the Internet of Vehicles (IoV). The reason why vehicles tend to outsource computing tasks that include road conditions and vehicle information to cloud servers during their travel is that the computing resources are limited. Edge computing can improve the response speed and user experience. As a bridge between users and cloud servers, on the one hand, they improve response speed by sharing part of the cloud computing, while users with the limited resource can rely on them to reduce computing pressure. One specific implementation is the Intelligent Transport System (ITS) [1,2], as shown in Figure 1, which is used to help users receive the best driving plan in current road and traffic conditions as soon as possible. There are four participants in ITS: User, road side unit (RSU, which can be seen as an edge server), cloud server, and car manufacturers. The car manufacturer dispatches functions for making a driving plan for the cloud server. The edge server downloads the function from the cloud server. The user sends vehicle parameters to the edge server. The edge server returns results to the user.
However, ITS has the following problems: (1) The cloud server may tamper with the functions uploaded by the car manufacturer, and the edge server may provide users with incorrect results [3]. (2) When a user is driving, the vehicle needs to switch among RSUs that serve different areas. To verify signature messages from a specific RSU, a large public key list is needed [4]. This results in overhead storage for users and overhead computation for finding public keys (3) Once a user receives messages from an edge server that it has never met, frequent communication brought by public key transmission will cause delays (4) If the identity of the edge server is exposed, adversaries can use the same attack method to threaten edge servers with similar configurations.
From the example of IoV, the requirements for edge computing are as follows: (1) Results returned by the edge server should be verifiable, and a dishonest edge server can be revoked. (2) The time for the user to verify the result and the number of keys stored should be minimized. (3) Key transmission processes between users and new edge servers should be minimized. (4) The identity of the edge server should be anonymous to users.

Cloud Car manufacturer
Dispatch functions Download functions

Car parameters
Drive scheme For requirement 1, verifiable computation (VC) [5] can be used to ensure the result is correct. However, the verifier in VC schemes can only be the user or the one he specified. Other participants cannot believe in the verification processes or the reliability of results. Therefore, Parno [6] first proposed publicly verifiable computation (PVC) to solve these defects. Since then, Fiore [7] expanded PVC to evaluate the higher-degree polynomial and matrix multiplication. Catalano [8] introduced a one-way function and RSA mathematical hypothesis to improve the computing speed. However, the verification process of the former uses low-efficiency bilinear pairing, and the practical implementation of the latter is very complex. Polynomial commitment [9] achieves two basic goals: making a commitment to a polynomial and providing proof that a specific point belongs to the polynomial. Therefore, the polynomial commitment can be used to improve the efficiency of existing PVC solutions. To revoke dishonest edge servers, James [10] applies the revocable key policy attribute encryption [11,12] to PVC. However, such schemes are based on timeconsuming operations such as encryption and decryption, as meanwhile, the revoking process will cause other participants to synchronize the key list. In addition, the latest research [13][14][15] requires either a trusted computing environment such as SGX or specific hardware support, thus, the scope of their application is limited. Therefore, revocable group signatures are recommended to revoke dishonest edge servers.
For requirements 2-4, group signature schemes are suitable. That is because any group member can make signatures stand for the whole group, and anyone outside the group cannot forge the signature. Verifiers can verify the signature with only one group public key. The verifier only knows that the signature is from a member of the group, but cannot distinguish the specific signer. The group manager can open a group signature to trace the specific signer. When applied to an edge computing scenario, edge servers can form a group and set up a group manager. For users, only one group public key is required to verify any edge server signed results, thus, reducing delay and key storage. There will be no key transmission process between users and the new edge server, moreover, the identity of the edge server is anonymous to users. The group manager can trace the signature of incorrect results to find the dishonest edge servers, so, a revocable group signature is recommended for revoking their computing ability.
The classical group signature scheme proposed by Camenisch [16] cannot revoke group members. To make group signature revocable, Song [17] proposed a revocable group signature scheme to ensure forward security. However, the time cost increases linearly with the number of group members. Camenisch [18] proposed an accumulator solution, but once the group members join or quit the group frequently, the members still in the group need to update their credentials continually. Inspired by Boneh [19], Brickell [20] presents a revocation list (RL) solution that keeps members in the group from frequently updating their credentials. However, the final signature of this scheme contains nine parts, which leads to the extremely tedious verification process. Moreover, the drawback of the latest research [21] is that there is not an extremely strong privacy demand in an IoV scenario, which will cause resource waste. At the same time, ref. [22,23] based on merkle hash tree, suggested that the storage and computational overhead vary superlinearly along with the number of users who frequently join or quit An attribute tree using secret sharing [24] and Lagrange interpolation impels the users satisfying certain attributes and can decrypt messages under the broadcast encryption [25]. The idea of subset covering or subset difference [26,27] in an attribute tree to reduce search time and communication cost can be used to improve revocable group signature.
Our contributions are as follows: • We propose a revocable publicly verifiable computation (RPVC) model. Its main ideas are: Using the properties of PVC to ensure the results returned by the edge server are reliable. Using the properties of group signature to reduce the cost of verification and key storage for users, and keep edge server identity anonymous. If the group signature is revocable, the group manager can trace and revoke the dishonest edge server. • After analyzing the RPVC threat model, four security goals of the RPVC model are summarized according to possible attack methods and available information for adversaries: function binding, result reliability, anonymity, and revocability. • An RPVC scheme is given. The scheme speeds up the PVC proof generation and verification time with the help of polynomial commitment and improves the revocable group signature with a subset covering idea. Finally, the correctness analysis and security proof of the scheme are provided. • We implemented the RPVC scheme, and experiments show that the time delay and storage cost of the RPVC scheme is acceptable when it is applied to edge computing scenarios.

Publicly Verifiable Computation (PVC)
Verifiable computing (VC) was proposed to verify the outsource computing results by Gennaro [28] via a boolean circuit in 2010. Benabbas [29] expands VC to compute polynomials in a higher degree. Other studies such as [30][31][32] also consider VC However, the common defect of all the above VC schemes is that the verifier can only be the user or the one he specifies, which limits the promotion of VC. Thus, public verifiable computation by Parno [6] was first proposed to address this shortcoming. Though [33,34] can also achieve PVC, ref. [33] needs an honest user to generate the main private key, which makes the status of users unequal. In addition, the users in [34] obtain a decrypt key by interaction, which leads to low efficiency. Fiore [7], based on the solution from Benabbas, constructed a PVC scheme aimed to solve matric products. However, the verification time is long because of the use of bilinear mapping. Although Catalano [8] introduced one-way hash function and RSA assumption to improve the speed, this is hard to deploy on existing applications. Another solution to achieve efficient PVC is the work by Ding [15], his idea is to use a trusted computation environment provided by Intel SGX. Similarly, a scheme [13,14] by Fraust and Liu also needs specific hardware support, these schemes are not suitable for complex large-scale networks.

Revocable Group Signature
Any group member can make group signature stands for the whole group, others cannot forge a group signature. The verifier can verify a group signature by a group public key without finding out the specific signer. The group manager can open the group signature and figure out who makes this signature. The original concept was proposed by Camenisch [16], but this scheme cannot revoke group members. In order to make a group signature revocable, Song [17] developed with a revocable group signature model which can guarantee forward security, but its verification time increases linearly with the number of group members. Camenisch also proposed a scheme based on an accumulator [18], but if group members frequently join or quit the group, another group member needs to update their credential in a timely manner. The same problems also occur in the scheme [22,23] by Yehia and Buser, furthermore, the mechanism of merkle tree makes the scale increase superlinearly with the joining or quitting of users. Brickell [20] put forward a solution based on the local revocation list, which is inspired by the work of Boneh [19]; group members do not need to update their credentials frequently. However, the final signature contains nine parts, and the verification processes are extremely complex. To confirm whether the signer is in the revocation list more efficiently, Nakanishi [35] brings in a subgroup idea, however, his scheme is still based on an accumulator with the same defects as the Camenisch solution. Yue [21] proposed a revocable group signature which can preserve the privacy, but the drawback is the high consumption of computation resources due to the high level security assumption.

Bilinear Maps and Related Assumptions
Let G be cyclic additive group, whose order is prime p. G is generated by g. Define G T as multiplicative group with the same order p. The bilinear pairing e : G × G −→ G T holds three properties: bilinearity, non-degeneracy, and computability. ε denotes negligible value.
• DL Assumption : Given g and a $ ← Z * p , for every adversary A DL , Pr[A DL (g, g a ) = a] = ε.

Signature of Knowledge
The signer can use the signature of knowledge (SKSIG) to prove he owns a secret without leaking that secret. It is a kind of non-interactive zero-knowledge prove system, which has three typical constructions: (1) signature of knowledge of discrete logarithms (SKLOG). (2) signature of knowledge of double discrete logarithms (SKLOGLOG). (3) signature of knowledge of an e − th root of the discrete logarithms (SKROOTLOG). No adversary can recover the secret or create an illegal signature by the chosen message attack. More detail is in [16,37].
• SKLOG: SKLOG of element y ∈ G n to the base g on message m is a pair (c, s) ∈ {0, 1} k × Z * n satisfying c = H(m||y||g||g s y c ). H(·) is a one-way hash function. SKLOG is denoted SKLOG[α : y = g α ](m), where α is the target of zero-knowledge proof, it should be secret to verifier. For any adversary A SKLOG , where β should be kept secret to the verifier, other references are public.
where β should be kept secret to the verifier, other references are public.

Strong RSA Assumption
Let p, q be two big prime integers, compute n = pq. Given tuple (n, e), for every

Revocable Publicly Verifiable Computation (RPVC) Model
This section first introduces the RPVC model, then provides its threat model, and finally puts forward the design goals.

RPVC Model
As shown in Figure 2, there are four entities in the RPVC model: cloud server, edge server, auditor, and user. The reason why the function owner does not become an RPVC entity is that the edge server downloaded the computing function from a cloud server. The process that the function owner entrusts the computing function to the cloud can be initialized offline Edge servers and the auditor are in the same group, the edge server has the role of a group member, and the auditor has the role of the group manager. RPVC entities are described as follows: • Cloud Server: The cloud server receives functions initialized by different function owners and allows legal edge servers to download functions. • Edge Server: The edge server sends a request to the auditor for joining edge computing. After the auditor approves, the edge server downloads functions from the cloud server and performs computing for users. • Auditor: The auditor is responsible for approving the edge server's join request and revoking a dishonest edge server who provided incorrect results. • User: The user verifies the results returned by the edge server. If the result fails to pass the verification, the user will send a revoke request to the auditor.
As shown in Figure 2, an RPVC can be divided into three phases: an initialize phase, a join phase and an outsource computing phase: • Initialize Phase: As step 1 in Figure 2, this phase can be performed offline by the function owner. The function owner selects the function private key α, and sends the computing function F and function evaluation key EK to the cloud server. Then, the function owner sends the verification key VK to users. • Join Phase: The join phase includes step 2 -5 in Figure 2. The edge server applies to the auditor for joining computation in step 2 . After the auditor validates the edge server's application, the auditor sends a group member certificate Cert or its mask σ Cert to the edge server by a secure channel in step 3 . In step 4 , the edge server downloads the computing function F and evaluation key EK from the cloud server. In step 5 , the auditor broadcasts data structure T which stores the currently valid edge server and group public key Gpk to users. • Outsource Computing Phase: The outsource computing phase includes step 6 -9 in Figure 2. In step 6 , the user sends function input x to the edge server. In step 7 , the edge server evaluates function with input x. Then, return result y = F(x), corresponding proof proo f and computation signature SKSIG comp to the user. In step 8 , the user verifies SKSIG comp to confirm the result is returned by a legal edge server, next, verify y is correct with proo f . In step 9 , If the result verification doesn't pass, the user sends a revoke request to the auditor. The auditor traces and revokes a dishonest edge server and reorganize T which gets rid of the information of the dishonest edge server. (1)

Cloud Function Owner
Cloud server setup: In order to make the outsourcing computation results verifiable and so they cannot be forged, the function owner privately selects a random number α, and generates a function evaluation key EK and a function verification key VK according to the security parameter λ. (2) Auditor setup: The auditor generates a group private key Gsk and a group public key Gpk by security parameter λ, that Gsk used for issuing a group member certificate and Gpk used for verifying the validity of group signature for results and its proof. The auditor creates a binary tree T which can quickly search all valid edge servers, and record the identities of edge servers in list L privately.
The auditor executes this algorithm. The auditor will receive a request from an edge server that wants to join the outsource computation. That request should use the mask of the identity private key σ id to prevent the real identity id of the edge server from being exposed. The edge server should use Gpk to generate mem(σ id ) which is the mask code of group membership for the auditor to trace the signer. To prevent man-in-the-middle attacks, the edge server should use knowledge signature SKSIG Reg to prove he knows the identity private key id without leaking it. After the auditor verified SKSIG Reg , the edge server will receive the mask of the group member certificate σ Cert . Then, the auditor adds the edge server to T and L. The edge server gets the group member certificate Cert by decoding σ Cert .
Compute(x, F, EK, SK S , Cert) −→ (y, proo f , SKSIG comp ): The edge server executes this algorithm. The edge server evaluates the function value y by the user input x, then, uses EK to compute the corresponding proof proo f of y. Finally, the edge server makes a revocable group signature SKSIG comp to y and proo f , with Cert and a signature private key set SK S . SKSIG comp can prove the identity of the edge server through non-interactive zero-knowledge proof, at the same time, it can ensure the edge server is not revoked by the auditor. Verify(T, Gpk, VK, y, proo f , SKSIG Comp ) −→ τ y : The user executes this algorithm. The user first verifies SKSIG comp by T and Gpk to ensure the result is from a legal edge server that has not been revoked. Next, the user verifies y is correct by VK and proo f . Finally, if these two verifications are passed, the user outputs accept token The auditor executes this algorithm. The auditor opens SKSIG comp with L to trace the identity of the dishonest edge server under the condition of τ y = f alse, then removes it from T and L. From then on, the result returned by a dishonest edge server will never pass the verification.

Threat Model
For users, the auditor is trusted and other entities are semi-trusted. In other words, edge servers and cloud servers may tamper with or forge content. Based on the information available to adversaries, we consider the following two threat models: (1) Chosen Plaintext Attack Model: In this model, the attacker may obtain encryptions of his chosen messages, such as the mask code of id, VK of the function F, or the proof for computing result y. (2) Chosen Message Attack Model: In this model, the attacker may obtain signatures of his chosen messages, such as additional information which would be used to construct an existential universal forgery group signature.

Design Goals
To achieve RPVC in edge computing, we aim to achieve the following design goals.
(1) Function Binding: The VK and EK should only be used to verify or compute the specific function F which the function owner provided. The function binding experiment  F ←− A(EK, VK, F) 3.

Proposed RPVC Scheme
We now give the detailed construction of each algorithm in RPVC. Notations used in RPVC are in Table 1. The token decides whether accept y proo f Verifiable proof of y SKSIG Signature of knowledge for joining the group or computing x The value which user outsource.

Setup
The setup algorithm of the RPVC scheme including cloud server setup and auditor setup.
(1) Cloud server setup: The function owner owns a polynomial form function which can be expressed as Equation (1) Φ Step 1. The function owner chooses two groups G and G T with prime order p, two groups can make bilinear maping e : G × G −→ G T satisfies the t − SDH assumption. G =< e, G, G T > is defined as a bilinear group with generator Step 2. The function owner privately chooses α R ← Z * p , then, computes function evaluation key EK = {G, g 2 , g α 2 , . . . , g α t 2 } and function verification key in Equation (2) according to α.
Step 3. The function owner sends F and EK to the cloud server, sends VK to users. This step can be completed offline, such as VK can be embedded in vehicle OBU by car manufacturers in IoV applications.
(2) Auditor setup: The auditor outputs group private key Gsk and group public tree Gpk with security parameters a, λ, then generates a subset covering complete tree (SCST) according to valid edge servers at time t, at last, updates list L.
Step 1. The auditor first privately chooses two big primes at random, and gets their product n c as RSA modulus. Then, it generates group G 1 in order n c with generator g 1 ← G 1 . Next, it selects security parameters a and λ for knowledge signature. After that, it choses e c R ← Z n and computes d c which satisfies Equation (3). Finally, the auditor keeps a group private key Gsk = (n c , d c ), and broadcasts a group public key Gpk = {n c , e c , g 1 .G 1 , a, λ}.
Step 2. Let N be the overall set of edge servers, R is the set of revoked edge servers, clearly, N\R is the set of valid edge servers right now. The auditor builds a minimum complete binary tree CT with a height of l = log|N| , at the same time, it initializes all leaf nodes to ⊥. The root node of CT is recorded as x 0,0 , other nodes can be expressed as x i,j , where i ∈ [0, . . . , l], j ∈ [1, . . . , 2 i ]. According to the subset covering theory, the parent node can be used to represent the set composed of its two child nodes under the condition of both child nodes belonging to N\R. If iterate to the root node in this way, N\R can be expressed by the set of parent nodes, these parent nodes represent num disjoint subsets S 1 ∪ S 2 ∪ · · · ∪ S num , in which num is the minimum amount of disjoint subsets in the current valid leaf node arrangement. The resulting SCST is the set of nodes from the above processes. Algorithm 1 shows how SCST is generated.
Step 3. The auditor should assign random e i,j to each node x i,j on SCST, and calculate d i,j which satisfies Equation (4) and then attach a timestamp t to SCST. At last, it should put the edge servers' information into L. if x in R then 5: tmp.add(path(x)) 6: end if 7: end for 8: for all x in tmp do 9: if x le f t in tmp then add x le f t to SCST 10: else add x right to SCST 11: end if 12: end for 13: return SCST

Register
The auditor issues a group membership certificate to the edge server and broadcasts the latest SCST to users.
Step 1. The edge server privately selects an identifier id R ← Z * p , then, computes Equation (5) as the mask of id and Equation (6) as the mask of group membership. Next, it makes the knowledge signature SKSIG Reg to σ id and mem(σ id ) by Equation (7), and sends a request for joining the edge computing to the auditor. The request should involve σ id , mem(σ id ) and SKSIG Reg .
Step 2. If the auditor verifies SKSIG Reg successfully, it indicates that the edge server owns id. Based on this premise, auditor selects free leaf node x l,k (k ≤ 2 i ) on SCST, chooses random e l,k and d l,k which satisfies Equation (8). Obviously, the group member certificate for the edge server is Equation (9). The auditor puts the information of the edge server into L, the form of the record is {σ id , mem(σ id ), d l,k }, after that, it updates SCST by Algorithm 1.
σ Cert = (σ id + e l,k ) d c mod n c Step 3. The auditor broadcasts the latest SCST to users, transmits σ Cert and Cred id = g d l,k 1 which is used for proving the identity of the edge server is valid at time t to the edge server.
Step 4. The edge server creates a signature private key set SK S = {id, σ Cert , Cred id }.

Compute
The edge server evaluates the function value and its proof for users, then, makes the group signature revocable on result and proof.
Step 1. The user sends function input x to the edge server.
Step 2. The edge server evaluates the function value y = F(x), and calculates the corresponding proo f by EK with Equation (10).
Step 3. In order to show the validity and that it has not been revoked, the edge server should make the signature q to y and proo f by Equation (11), where h(·) is a one-way hash function.
Furthermore, the edge server makes a group signature by Equation (12) as in [16,37]. The final computation signature is Step 4. The edge server returns {e l,k , y, proo f , SKSIG Comp } to user.

Verify
The user first verifies whether the result is from a valid legal edge server, then, verifies that the result is correct. If a fault occurs during the verification process, the user will send a revoke request to the auditor.
Step 1. The user synchronizes the SCST from the auditor and confirms e l,k ∈ SCST by Equation (13). = q e l,k mod n c (13) Step 2. The user rapid verifies V 1 , V 2 in SKSIG Comp by the hash functions provided by SKLOGLOG and SKROOTLOG.
Step 3. The user verifies the result is correct by Equation (14), and outputs an accept token τ y = accept after the result hass passed verification. Otherwise, the user sends a revoke request to the auditor; the request contains a reject token τ y = reject and SKSIG Comp . e(VK, g 2 ) = e(proo f , g α 2 /g x 2 ) · e(g 2 , g 2 ) F(x) (14)

Revoke
The auditor opens the revocable group signature to lock the identity of the dishonest edge server, removes it from L, and broadcasts the updated SCST which deletes the leaf node of the dishonest edge server to users.
Step 1. After the auditor received the revoke request, the auditor opened SKSIG Comp to trace the dishonest edge server with the help of L, and then deletes it from L.
Step 2. The auditor updates SCST by means of deleting the leaf node corresponding to the dishonest edge server via Algorithm 1, then broadcasts the latest SCST. For example, as shown in Figure 5, there are eight signers x 3,1 , . . . , x 3,8 . When the auditor receives the request to revoke x 3,2 , x 3,5 , x 3,6 at time t, SCST will be updated to {t||x 3,1 , x 2,2 , x 2,4 }.

Scheme Analysis
This section first illustrates the correctness of RPVC from the correctness of the result and signature. Then, combined with the security model proved the security of RPVC from the aspects of function binding, result reliability, anonymity, and revocability.

Correctness of Result
The edge computing results and its verification processes are correct, because: = e(g 2 , g 2 ) F(α) = e(VK, g 2 )

Correctness of Signature
The signature q used by the edge server to prove it has not been revoked and the verification process of q is correct, because:

Security Analysis
The proof method of RPVC uses "game-playing" technology which was proposed in [39][40][41]. This technology uses the game sequence specification to prove that the possibility of the adversary winning the game is negligible, and the probability of the adversary winning two adjacent games should be controlled within a negligible range (i.e., indistinguishable in polynomial time). Define the probability of Game i happens is Pr(S i ).

Proof of Function Binding
Game 0: This is the original function binding game in Figure 3, A trying to find another F which has the same VK with F. A obtains EK, VK and F as information. Clearly, Adv f b RPVC (A) = Pr(S 0 ). Game 1: This game is the same as Game 0 except that replace F with F +F. If A can find F , he must find a different functionF. So, Pr(S 1 ) = Pr(S 0 ). Game 2: This game is the same as Game 1 except that replace the winning condition tô Because F = F, the polynomial coefficientsφ j cannot be all 0. Clearly, Pr(S 2 ) = Pr(S 1 ). Claim 1: Pr(S 2 ) ≤ Adv DL g,g a (B A ) Let n be the degree of polynomial, algorithm B is a tool that assumes A can solve a class of problems including the games. If the simplest case in these problems is the current difficult mathematical problem, it means that the adversary cannot break the security characteristic. B A (n, F, F ) computing a collision as in the following steps: Else return 0 Proof. Game 2 is equivalent to B A (t, F, F ). It will be the simplest polynomial of degree one problem when n = 2, so Adv That means to solve the latter is easier than the former, A will own more advantages. Now let n = 2, the processes to find a collision are as follows: Clearly, find α via g 2 and g α 2 on cyclic group G is a more efficient way, which exactly is DL assumption. Hence, That is, the probability of the adversary successfully attacking is negligible, the RPVC scheme achieves Function Binding.

Game 2:
For g 2 is part of Gpk, the adversary can give valid pair (−x, g 1 α−x 2 ). Obviously, Game 1 ≈ p Game 2. Claim 2: can give a valid pair (c, g 1 α+c 2 ), where V is some kind of valid algorithm, c ∈ Z * n . B A 2 is a bridge between Game 2 and t-SDH difficult mathematical.
Proof. When EK = {G, g 2 , g α 2 , . . . , g α t 2 }, algotithm B A 2 is t-SDH assumption. Though the adversary can give a valid algorithm V(x, y, proo f , So the following equation holds, That is, the probability of the adversary succesfully attacking is negligible, the RPVC scheme achieves Result Reliability.

Proof of Anonymity
Game 0: This is an original anonymity game in Figure 4, A trying to figure out the identity of the edge server. Clearly, Adv ano RPVC (A) = Pr(S 0 ). Game 1: The adversary has the ability to extract id from at least one of the following parts: z, V 1 , V 2 . Explicitly, Game 0 ⇐⇒ Game 1 and Pr(S 1 ) = Pr(S 0 ) for the identity information in SKSIG Comp only including z, V 1 , V 2 . Game 2: This game is the same as Game 1 except that the adversary has the ability to extract id from V 1 or V 2 . Function F 1 (y, x) denotes the probability of extract x from y = g x under the DL assumption. Extract id from z should sequentially execute: F 1 ( z, rσ id ), F 1 ( g, r) and F 1 (σ id , id). The recursive proof method can refer to the literature [41]. The above process can be expressed as: and it is not more than Pr(F 1 ( z, rσ id ))Pr(F 1 ( g, r))Pr(F 1 (σ id , id)) ≤ (Adv DL g,g a (·)) 3 Finally, Game 1 ≈ p Game 2 and Pr(S 2 ) = Pr(S 1 ), due to (Adv DL g,g a (·)) 3 ≤ ε 3 ≤ ε Game 3: This game is the same as Game 2 except that the adversary can extract id from V 1 . Function F 2 (y, x) and F 3 (y, x) denotes the probability of extract x from y under the RSA assumption and SKROOTLOG signature. Extract id from V 2 should sequentially execute: F 3 (V 2 , σ cert ), F 2 (σ cert , σ id ) and F 1 (σ id , id). Similiar to Game 2, it can infer that |Pr(S 3 ) − Pr(S 2 )| ≤ Pr(Event 3 ) ≤ Adv DL g,g a (·)Adv RSA n,e (·)Adv SKROOTLOG SKSIG (·) ≤ ε, so Game 3 ≈ p Game 2 and Pr(S 2 ) = Pr(S 3 ). The RPVC scheme achieves Anonymity for

Proof of Revocability
Game 0: This is an original revocable game in Figure 4, a revoked A trying to succesfully sign results or faking an honest user's signature on wrong results. Clearly, Adv rev RPVC (A) = Pr(S 0 ). Game 1: This game is the same as Game 0, the adversary can recovery corresponding d l,k by e l,k or replace valid q in malicious SKSIG Comp . Game 0 ⇔ Game 1. Game 2: This game is the same as Game 1 except that the adversary can recover corresponding d l,k by e l,k . If an adversary can replace valid q in malicious SKSIG Comp , he must make sure V 2 can be verified succesfully So further, Game 1 ≈ p Game 2. The RPVC scheme achieves Revocability for Pr(S 2 ) ≤ Adv RSA n,e (·) ≤ ε

Performance Analysis
In Table 2, we compare other existing group signature schemes in the IoV scenario with RPVC. The results in Table 2 show that our scheme uses a superior audit method to find the dishonest participants, and the core cryptographic algorithm is the non-interactive zero-knowledge signature, which is mainly based on a hash function that is more efficient than existing schemes. Besides, RPVC updates the SCST at a regular time, which provides participants with more fault tolerance.  [48]. The reaction time of a driving human to brake is 600-1400 ms [49].
The test contains two parts: One is the process of the edge server applying to join edge computing and the auditor revokes a dishonest edge server, the other one is the user asking for outsourcing computing and receiving verifiable reliable results. The former has three test items: (1) The execution time for the auditor. For test item 1, the execution time for the auditor can be divided into the time to add the edge server into the group and the time to generate SCST. As shown in Table 3, the time to add an edge server into the group is about 27.996 ms, which is independent of the scale of the edge server. As shown in Table 4, with edge servers scale increase in the group, the time of the auditor adding or removing an edge server increases proportionally. However, even if the number of edge server reaches 2 15 (RSU service can cover about 321,700 km 2 ), the auditor can generate SCST within 1 ms. The driving distance is only 1.45 m during the user vehicle receives SCST at the highest speed, far less than the service radius of RSU. That is, users have enough time to safely synchronize the current valid edge server. For test item 2, as shown in Table 4, the size of SCST is independent from the scale of the edge server, SCST is only about 5 kB. For test item 3, the local storage space for the user is multiplied with the increase of the edge server scale, which is shown in Table 5. However, even when the number of edge servers comes up to 2 15 , storage is less than 15 MB. In test items 4-6, we set the degree of polynomial and input x as independent variables, the time cost as dependent variable (default is ns, 10 −9 s). The rule to choose the independent variable x is: randomly select a value from each range, ranges including [0, 2 4 Figure 6a, the extra cost of applying the RPVC proportionally tothe polynomial degree, the larger the x, the smaller the curve fluctuation. For test item 5, as shown in Figure 6b, the time of user verification fluctuates between 36 ms and 38 ms, which is less affected by independent variables. Figure 6c indicates the total extra time delay brought by the RPVC application. Even if the degree of a polynomial function is up to 100, the total delay is less than 100 ms, which is far less than the driver's reaction time [49].   From the above six test items, it is clear that the RPVC can be used to improve the security of existing edge computing applications. We can summarize the key influencing factor from Figure 7: if the polynomial degree is larger than 40, the performance of the edge server takes the most portion of total time delay, the portion gets larger with the increase of degree. So, a better edge server may expand the application scope of the RPVC.

Discussion
For the requirements of edge computing in the IoV scenario, the RPVC first achieves the goal of results returned by the edge server being verifiable. At the same time, the identity of the edge server is anonymous to user vehicles and a dishonest edge server can be revoked. From the test results, when a new edge server takes part in outsourced computing, user vehicles do not need to exchange keys with it. The time in which the auditor adds one edge server into the group can be fixed, nearly 28 ms that is independent of the scale of the edge server. The time of user vehicles receiving SCST mainly depends on the communication delay because the generated speed of SCST is less than 1 ms. Though the total delay for user vehicles increases with the degree of the polynomial, it is less than 95 ms when the degree is up to 100 (a very complex computation). Furthermore, the storage overhead is acceptable for user vehicles, even if the number of edge servers comes up to 2 15 , storage demand is less than 15 MB.
The low delay and overhead are owed to the subset covering complete tree and noninteractive zero-knowledge signature. SCST makes user queries faster than iterating local revoke lists at a small cost. Besides, the non-interactive zero-knowledge signature is mainly based on the hash function, which is more efficient than other large number or exponent multiply schemes. The practical applications of the research can be used to assist the construction of intelligent transportation or vehicle networking.
For future work, we will first reduce the size of SCST for the larger scale of the edge server. Next, machine learning and federated learning can be introduced to improve the performance of edge servers, good solutions can be found in [50][51][52]. In addition, different regions have different traffic rules and habits, these should be considered. Finally, we will extend the outsource function to varied forms, such as verifiable matrix computation.

Conclusions
In this article, we proposed an RPVC model for the edge computing scenario which can be used in IoV applications. The RPVC model cannot only ensure the results returned by edge servers are reliable, but can also revoke dishonest edge servers. The following security proofs show that the RPVC has characteristics of function binding, result reliability, anonymity, and revocability. Experiments show that a new edge server which takes part in edge computing does not need transfer keys to users, and an auditor can approve the request in a fixed time (28 ms). Due to the SCST, users have a low overhead storage and a faster query time, even when the number of edge servers came up to 2 15 , storage demand is less than 15 MB. Because of the non-interactive zero-knowledge signature, even the degree of outsource function up to 100, the total delay of users is about 95 ms. Thus, applying RPVC to existing IoV applications is acceptable. In the future, we are committed to reducing the size of SCST, trying to introduce machine learning or federated learning to improve the performance of edge servers and supporting verifiable matrix computation.

Data Availability Statement:
The datasets generated for this study are available on request to the corresponding author.

Conflicts of Interest:
The authors declare no conflict of interest.