Next Article in Journal
Machine Failure Prediction Using Survival Analysis
Next Article in Special Issue
Task-Aware Meta Learning-Based Siamese Neural Network for Classifying Control Flow Obfuscated Malware
Previous Article in Journal
Distributed Systems for Emerging Computing: Platform and Application
Previous Article in Special Issue
Information and Future Internet Security, Trust and Privacy
 
 
Font Type:
Arial Georgia Verdana
Font Size:
Aa Aa Aa
Line Spacing:
Column Width:
Background:
Article

Protecting Function Privacy and Input Privacy in the Publicly Verifiable Outsourcing Computation of Polynomial Functions

1
College of Cyber Security, Jinan University, Guangzhou 511436, China
2
College of Information Science and Technology, Jinan University, Guangzhou 510632, China
*
Author to whom correspondence should be addressed.
Future Internet 2023, 15(4), 152; https://doi.org/10.3390/fi15040152
Submission received: 23 March 2023 / Revised: 10 April 2023 / Accepted: 20 April 2023 / Published: 21 April 2023
(This article belongs to the Special Issue Information and Future Internet Security, Trust and Privacy II)

Abstract

:
With the prevalence of cloud computing, the outsourcing of computation has gained significant attention. Clients with limited computing power often outsource complex computing tasks to the cloud to save on computing resources and costs. In outsourcing the computation of functions, a function owner delegates a cloud server to perform the function’s computation on the input received from the user. There are three primary security concerns associated with this process: protecting function privacy for the function owner, protecting input privacy for the user and guaranteeing that the cloud server performs the computation correctly. Existing works have only addressed privately verifiable outsourcing computation with privacy or publicly verifiable outsourcing computation without input privacy or function privacy. By using the technologies of homomorphic encryption, proxy re-encryption and verifiable computation, we propose the first publicly verifiable outsourcing computation scheme that achieves both input privacy and function privacy for matrix functions, which can be extended to arbitrary multivariate polynomial functions. We additionally provide a faster privately verifiable method. Moreover, the function owner retains control over the function.

1. Introduction

With the explosive growth of data, the demand for data processing among users is constantly growing, which makes cloud services increasingly popular. These cloud services can help weak clients with limited resources store large-scale data or complete expensive computational tasks at a low cost. One of the most common applications of cloud services is outsourcing computation.
Consider a setting with three entities in the process of outsourcing the computation of functions as shown in Figure 1: a function owner, who possesses the function model and wants to outsource its computation to a cloud server; a series of request users, who need to obtain the function’s results on the private inputs; and a cloud server that performs the computation of the function based on the inputs and returns the results to the request users. In this process, the cloud server is untrusted. It should not learn anything about either the input or the function. Additionally, the correctness of the results should be verified. Thus, there are three requirements that need to be considered: function privacy, input privacy and public verifiability.
For example, in a medical predication scenario, a doctor, as the function owner, has developed an expensive disease prediction function model; in addition, some patients, as the request users, want to predict the probability of contracting this disease with their personal health data. It would be stressful for the doctor to perform the computation locally, so he wants to outsource the computation of the function to a cloud server. The cloud server would then compute the prediction function based on the inputs from the patients and return the predicted results to them.
The function parameters in this process are that private data owned by the doctor should remain confidential from the cloud server. Similarly, the health data of the patients should also be kept confidential. Since the cloud server is unreliable, it may compress the function model or simplify the computation for its own benefit, which can lead to a biased predicted result. Therefore, a fundamental requirement is that the patients can verify the correctness of the computed results. However, in many scenarios, individual verification is not sufficient. For example, patients may need to convince their insurance institutions to accept verification, which means that private verification cannot meet this requirement. Hence, we emphasize public verification, which allows anyone to verify the results of an outsourced function without learning anything about the sensitive data.
To address these requirements, researchers have proposed a series of solutions, such as Homomorphic Encryption (HE) [1,2,3], Secure Multi-Party Computation (SMPC) [4,5,6] and Publicly Verifiable Computation (PVC) [7,8,9]. Among them, homomorphic encryption can perform computations on ciphertexts. Secure multi-party computation can enable multiple parties to jointly complete a computing task without revealing their secret information. Publicly verifiable computation can verify the correctness of the computation results. It is important to combine privacy protection with verifiable computation.
Many works have been devoted to addressing one or more of the requirements in outsourcing the computation of functions [7,8,9,10,11,12,13,14,15,16,17,18,19], but none have achieved all of the above-mentioned requirements simultaneously. Our work aims to fill this gap, and the contributions of this study are listed below:
  • We propose the first publicly verifiable outsourcing computation scheme that achieves both function privacy and input privacy for matrix functions, which can be extended to arbitrary polynomial functions (the extension method is provided).
  • We additionally provide a faster privately verifiable method, which allows the request user to verify the results more efficiently than with public verification.
  • The function owner retains control over the function. If they do not allow a user to use their function model, the cloud server cannot complete the computation.
The remainder of this paper is organized as follows. We present a brief overview of the related works in Section 2. We define the notation and review the necessary preliminaries in Section 3. We provide the system model and design goals in Section 4. In Section 5, we provide our publicly verifiable outsourcing computation scheme with privacy measures, and in Section 6, we analyze the performance of our scheme. Finally, Section 7 contains our conclusions and future works.

2. Related Works

There have been many works addressing one or more of the requirements mentioned above in outsourcing function computation. The schemes in [10,11,12] realize function privacy and input privacy based on FHE [2] or GCs [4]. However, they can only achieve private verification and not public verification. Additionally, the expensiveness of cryptographic primitives, such as GCs and FHE, limits their practical relevance. The schemes in [13,14,15] use lightweight algorithms for encryption and decryption instead of FHE to construct schemes with input privacy and function privacy. They reduce the system costs but still do not realize public verification.
The scheme in [16] shares the function model and input data among multiple servers using additive secret sharing [20] rather than encryption, and the results are obtained through the cooperation of these servers. Although it protects both function privacy and input privacy, it only provides private verification and not public verification. It also requires a strong assumption of non-collusion for the servers or the private data will be leaked.
Some works construct publicly verifiable computation schemes for specific functions. For instance, the works in [7,17,18,19] have constructed publicly verifiable computation schemes that are efficient for specific functions, such as univariate polynomial functions and matrix functions. In [8], a publicly verifiable computation scheme for Boolean functions was constructed based on key policy attribute-based encryption (KP-ABE) [21]. However, this scheme does not offer input or function privacy. Moreover, ref. [9] proposed a publicly verifiable scheme with privacy protection, but it can only protect one element between function privacy and input privacy, i.e., either a publicly verifiable computation scheme with function privacy or a publicly verifiable computation scheme with input privacy.
Table 1 summarizes the requirements achieved in the surveyed literature, which can inform the research findings of our proposed scheme.
To improve efficiency, our work employs a partial homomorphic encryption scheme. The cloud server needs to perform a transformation on the ciphertexts from two different clients before computing. Several works have addressed this transformation on ciphertexts. For instance, Peter et al. [22] proposed a scheme that requires a participant to possess a strong private key that can decrypt any ciphertext in order to complete the transformation on ciphertexts. However, this approach poses a threat to data privacy and makes the data owner lose the right to control their data.
In contrast, our work ensures that the function owner retains control over their function, thereby strengthening data privacy. In [23], Ximeng Liu et al. split the strong private key in the BCP [24] scheme among multiple participants to decentralize the decryption power of the strong private key. However, their approach did not consider how to split the key securely. Additionally, their ciphertext transformation requires more cooperation among participants, which increases communication costs and decreases computing efficiency.
In contrast, our approach involves fewer participants, has lower communication costs and offers higher computing efficiency. In [25], Yutaka Kawai et al. proposed a homomorphic proxy re-encryption scheme that supports homomorphic operations for re-encrypted ciphertexts. However, this scheme requires a large number of computations of the discrete logarithm and group operations in bilinear groups, which increases the computational cost. Our approach is based on a lean homomorphic proxy re-encryption scheme, which makes computations more efficient.

3. Preliminaries

In this section, we review the basic notations and the primitives that are treated in this paper. The basic notations are shown in Table 2.

3.1. Additive Homomorphic Encryption (Additive HE)

Rivest et al. first proposed homomorphic encryption (HE) in 1978 [1], and this encryption performs homomorphic operations on ciphertexts without decryption. This is equivalent to performing the corresponding operations on plaintext, ensuring data privacy while also maintaining data availability.
Depending on the supported mathematical operations, HE can be classified into partial (additive or multiplicative) homomorphic encryption (PHE) [26,27], fully homomorphic encryption (FHE) [2] and somewhat homomorphic encryption (SWHE) [28,29,30]. PHE supports only one type of operation (either additive or multiplicative) on the ciphertext. FHE supports both additive and multiplicative operations but with high computational costs. SWHE supports limited multiplication and addition operations, with lower computational costs compared with FHE.
The following describes the additive homomorphic encryption scheme that we use based on [24], which contains five algorithms: H E = ( S e t u p , K e y G e n , E n c , D e c , E v a l ) . The details are as follows:
  • S e t u p ( λ ) p p : The security parameter λ is taken as input, and two λ -bit large prime numbers, p , q , are chosen. Then, we have N = p q , where p = 2 p + 1 and q = 2 q + 1. A generator g Z N 2 * is randomly sampled, and then the public parameters p p = ( N , g ) are output.
  • K e y G e n ( p p ) ( p k , s k ) : The public parameters p p are taken as input. According to p p = ( N , g ) , a $ Z N 2 is randomly sampled. Then, the public/secret key pair ( p k = g a m o d N 2 , s k = a ) is output.
  • E n c ( m , p k ) c : For a message m Z N , r $ Z N 2 is sampled. The message m is encrypted with public key p k = g a and outputs ciphertext c = ( A , B ) , where A = g a r m o d N 2 , B = g r ( 1 + m N ) m o d N 2 .
  • D e c ( c , s k ) m : For the ciphertext c = ( A , B ) , secret key s k = a is used for decryption, and the output message is m = B / ( A 1 a ) 1 m o d N 2 N .
  • E v a l ( c 1 , c 2 ) c 1 c 2 : For two ciphertexts c 1 and c 2 , whose corresponding plaintexts are m 1 , m 2 , where
    c 1 = E n c ( m 1 ) = ( A 1 , B 1 ) = ( g a r 1 m o d N 2 , g r 1 ( 1 + m 1 N ) m o d N 2 )
    c 2 = E n c ( m 2 ) = ( A 2 , B 2 ) = ( g a r 2 m o d N 2 , g r 2 ( 1 + m 2 N ) m o d N 2 ) ,
    the additive homomorphism property is described as follows:
    c 1 c 2 = E n c ( m 1 ) E n c ( m 2 ) = ( g a r 1 · g a r 2 , g r 1 ( 1 + m 1 N ) · g r 2 ( 1 + m 2 N ) ) m o d N 2 = ( g a ( r 1 + r 2 ) , g r 1 + r 2 ( 1 + ( m 1 + m 2 ) N ) ) m o d N 2 E n c ( m 1 + m 2 , p k ) .
    In particular, given a constant γ , we have E v a l ( c 1 , γ ) c 1 γ , where
    c 1 γ = ( g a γ r 1 , g γ r 1 ( 1 + m 1 N ) γ ) m o d N 2 = ( g a γ r 1 , g γ r 1 ( 1 + γ m 1 N ) ) m o d N 2 E n c ( γ m 1 , p k ) .

3.2. Linear Homomorphic Encryption (LHE)

Linear homomorphic encryption (LHE) [28,29,30] can support limited additive and multiplicative operations on ciphertexts. It is able to compute a linear combination of multiple ciphertexts, which has practical applications.
Given n plaintexts ( m 1 , , m n ), the corresponding ciphertext is ( c 1 , , c n ). Given n constant coefficients ( γ 1 , , γ n ), the ciphertext of the linear combination i = 1 n γ i · m i can be computed by { c i } i = 1 n and { γ i } i = 1 n . Next, we describe the LHE algorithms based on the private key version by Brakerski and Vaikuntanathan [3]. It contains five algorithms: L H E = ( S e t u p , K e y G e n , E n c , D e c , E v a l ) . The details are as follows:
  • S e t u p ( λ ) p p : The security parameter λ is taken as input. Two λ -bit large prime numbers q and p Z q * are chosen. Set n = 2 log λ 1 , and there is a cyclotomic polynomial f ( x ) = x n + 1 . χ is the discrete Gaussian distribution over the ring R q = Z q [ x ] / f ( x ) . The public parameters p p ={ n , f , q , χ } are obtained as outputs.
  • K e y G e n ( p p ) s k : The public parameter p p is taken as input. A ring element s $ χ is a sample, and the secret key s k = s is obtained as an output.
  • E n c ( s k , m ) c : For a message m R p , a $ R q , e $ χ is taken as a sample, and the output ciphertext is c = ( u , v ) = ( a s + p e + m , a ) .
  • D e c ( s k , c ) m : The ciphertext c = ( u , v ) is decrypted with the secret key s k = s , and the output m = ( u + v · s k ) mod p is obtained.
  • E v a l ( ( γ 1 , , γ d ) , ( ( c ( 1 ) , , c ( d ) ) ) c : Given d coefficients γ 1 , , γ d Z q and d ciphertexts c ( 1 ) , , c ( d ) ( R q ) 2 , the linear homomorphism property is described as follows:
    c = i = 1 d γ i · c ( i ) = i = 1 d γ i · ( u , v ) ( i ) = ( i = 1 d γ i · u ( i ) , i = 1 d γ i · v ( i ) ) = ( i = 1 d γ i a · s + i = 1 d γ i p e + i = 1 d γ i m i , i = 1 d γ i a ) E n c ( s k , i = 1 d γ i m i ) .

3.3. Homomorphic Proxy Re-Encryption (HPRE)

Blaze, Bleumer and Strauss first proposed proxy re-encryption (PRE) [31] at EUROCRYPT 1998. The proxy can convert the ciphertext encrypted by the data owner into another ciphertext that can be decrypted by the specified data receiver. Homomorphic proxy re-encryption was introduced in [25], which combines the homomorphic property of HE and the “key-switching” property of PRE.
The following describes our homomorphic proxy re-encryption method, which consists of six algorithms: P R E = ( S e t u p , K e y G e n , E n c , R e K e y G e n , R e E n c , D e c ) . It is based on the additive homomorphic encryption above, and the details are as follows:
  • S e t u p ( λ ) p p : The security parameter λ is taken as input. H E . S e t u p ( λ ) p p is run to generate p p = ( N , g ) . Then, the output p p = ( N , g ) is obtained.
  • K e y G e n ( p p ) ( ( p k i , s k i ) , ( p k j , s k j ) ) : The public parameter p p is taken as input. H E . K e y G e n ( p p ) ( p k , s k ) is run twice to generate ( p k i = g a m o d N 2 , s k i = a ) , ( p k j = g b m o d N 2 , s k j = b ) , which stands for the public/secret key pair of the data owner and data receiver, respectively. Then, the output ( ( p k i , s k i ) , ( p k j , s k j ) ) is obtained.
  • E n c ( m , p k i ) c i : For a message m Z N , the data owner runs H E . E n c ( m , p k i ) c i to output the ciphertext c i = ( A i , B i ) , where A i = g a r m o d N 2 , B i = g r ( 1 + m N ) m o d N 2 . Then, the output is c i .
  • R e K e y G e n ( s k i , s k j ) r k i j : The data owner’s secret key s k i and the data receiver’s secret key s k j are taken as input, and the re-encryption key r k i j = s k j s k i = b a is the output.
  • R e E n c ( r k i j , c i ) c j : The re-encryption key r k i j and the ciphertext c i are taken as inputs, and the re-encryption ciphertext c j is obtained as the output, where
    c j = ( A j , B j ) = ( A i r k i j , B i ) = ( g a r b a , g r ( 1 + m N ) ) m o d N 2 = ( g b r , g r ( 1 + m N ) ) m o d N 2 E n c ( m , p k j ) .
  • D e c ( c j , s k j ) m : The ciphertext c j = ( A j , B j ) = ( g b r , g r ( 1 + m N ) ) is decrypted with the data receiver’s secret key s k j = b , and the output is m = B j / ( A j 1 b ) 1 m o d N 2 N .

3.4. Verifiable Matrix-Vector Multiplication (VerM)

Verifiable computation is a computational model that allows the client to delegate computational tasks to a computational entity and then to verify the correctness of the computed result without re-executing the entire computation task. The schemes in [32,33] propose a critical observation of matrix–vector multiplication, and the scheme in [9] proposes a solution for publicly verifiable matrix–vector multiplication computation.
The following describes the publicly verifiable matrix–vector multiplication scheme that we use based on [9], which consists of four algorithms: V e r M = ( S e t u p , P r e p a r e , C o m p u t e , V e r i f y ) . Table 3 shows the data size in the scheme, and the details are given below:
  • S e t u p ( λ ) p p : The security parameter λ is taken as input, and a λ -bit large prime number q is chosen. Let Z q be a finite field and G = g be a cyclic group of generator g and order q. Let m , d > 0 be integers, and then output p p = ( q , m , d , g ) .
  • P r e p a r e ( F ) ver : The function owner takes their matrix F F , where F = Z q m × d is the set of all m × d matrices over Z q as input to generate the public verification data ver (once and for all). A vector t = ( t 1 , , t m ) $ Z q m is uniformly sampled, and s = ( s 1 , , s d ) = t · F is computed. The obtained output is ver = ( T , S ) , where T = g t = ( g t 1 , , g t m ) , S = g s = ( g s 1 , , g s d ) .
  • C o m p u t e ( F , x ) y : The function F F and the input x = ( x 1 , , x d ) Z q d are taken as inputs. The result y = F · x = ( y 1 , , y m ) is obtained.
  • V e r i f y ( ver , x , y ) ( 0 , 1 ) : The public verification data ver , the input x and the result y are taken as input. This convinces the user to accept the result if and only if
    i = 1 d g s i · x i = i = 1 m g t i · y i
    If the equation is valid, then the output is 1; otherwise, the output is 0.
The correctness of the verification is as follows:
The left side:
i = 1 d g s i · x i = i = 1 d g ( j = 1 m t j F j , i ) x i = g i = 1 d j = 1 m t j F j , i x i .
The right side:
i = 1 m g t i · y i = i = 1 m g t i · ( j = 1 d F i , j x j ) = g i = 1 m j = 1 d t j F i , j x j .
If y = F · x , then it is easy to verify that Equation (7) holds.

4. System Model and Design Goals

4.1. System Model

Consider a setting in our system model with three entities: a function owner who wants to outsource the function’s computation; two non-collusive cloud service providers C S P 1 and C S P 2 that collaborate to complete the computation; and a series of request users who want to obtain the computation results on their inputs. Figure 2 outlines a rough sketch of our system model. It consists of the following three phases: Preparation, Computation and Verification. The number before the text corresponds to Figure 2.
  • Preparation:
    (1)
    The function owner encrypts the function parameters and prepares the public verification data. Then, they upload the function’s ciphertext to the cloud service provider C S P 1 .
    (2)
    A request user encrypts their input when they request C S P 1 to perform the computation.
    (3)
    When C S P 1 receives the request from the user, it asks the function owner for permission.
    (4)
    The function owner generates a temporary public/secret key pair and a re-encryption key when they permit the use of their function.
    (5)
    The function owner sends the temporary public key and the re-encryption key to C S P 1 and sends the temporary secret key to C S P 2 .
  • Computation:
    (6)
    C S P 1 re-encrypts the original function ciphertext with a mask. Then, the new ciphertext can be decrypted by C S P 2 with the temporary secret key. C S P 1 then collaborates with C S P 2 to complete the computation.
    (7)
    C S P 1 returns the result ciphertext to the user.
  • Verification:
    (8)
    The public verification is performed using the public verification data, the input ciphertext and the result ciphertext. Simultaneously, the user decrypts the result ciphertext and verifies the result privately in a fast way with the public verification data and the plaintexts of their input and result.

4.2. Design Goals

There are five goals that need to be achieved in our model:
  • Maintain function privacy: The function ciphertext and public verification data cannot reveal any information about the function, so the encryption schemes that we use should be semantically secure so that no adversary can infer any information from the obtained ciphertext.
  • Maintain input privacy. Similarly, the input ciphertext must not reveal information about the input. The encryption scheme for the input, thus, needs to be semantically secure.
  • Maintain result privacy. No one should be able to obtain information about the result plaintext except for the request user. The result ciphertext cannot be distinguished from the random elements.
  • Achieve public verification. Anyone can complete the verification with the publicly available information, and there is no malicious CSP that can persuade the public to accept an incorrect result with a non-negligible probability. We assume that the public has limited computational resources, and so verification must be efficient.
  • Ensure the function owner’s control over the function. CSPs cannot complete the computation if the function owner does not allow the user to use their function model.

5. The Proposed Solution

We propose a scheme for the publicly verifiable outsourcing of computation with both input privacy and function privacy for matrix–vector multiplication in this section. The scheme can also be extended to various polynomial functions.
We provide the extension method in Section 5.4. In our setting, the function owner has a matrix F Z q m × d , and the request user has a vector x . The user requests access from the cloud server for the result y = F · x . Our scheme consists of three phases: Preparation, Computation and Verification, which are specified below.

5.1. Preparation

  • The key pair of preparation steps for the function owner:
    -
    Run H E . S e t u p ( λ ) p p h e to generate p p h e = ( N , g ) .
    -
    Run H E . K e y G e n ( p p h e ) ( p k f , s k f ) to generate ( p k f , s k f ) = ( g a , a ) .
  • The function owner encrypts the matrix and uploads it to C S P 1 :
    -
    For each element f i in the matrix F Z q m × d , 0 < i m × d , run
    H E . E n c ( p k f , f i ) c t i to generate c t i = ( g a r i , g r i ( 1 + f i N ) ) , where r i $ Z N 2 .
    -
    Upload ct = ( c t 1 , , c t m · d ) to C S P 1 .
  • The function owner generates the verification data ver :
    -
    Run V e r M . P r e p a r e ( F ) ver to generate ver = ( T , S ) . It holds that
    T = g t = ( g t 1 , , g t m ) ,
    S = g s = ( g s 1 , , g s d ) ,
    where t $ Z q m and s = ( s 1 , , s d ) = t · F .
  • The request user encrypts the input vector and sends it to C S P 1 :
    -
    Run L H E . S e t u p ( λ ) p p l h e to generate the public parameters p p l h e = ( n , f , q , χ ) for the request user.
    -
    Run L H E . K e y G e n ( p p l h e ) s k to generate the secret key s k = s for the request user.
    -
    For each x i in the input vector x = ( x 1 , , x d ) , i [ d ] , x i Z p [ x ] / f ( x ) , run L H E . E n c ( s k , x i ) c i to generate the ciphertext c i = ( u i , v i ) = ( a i s + p e i + x i , a i ) , where a i $ R q , e i $ χ and c i R q 2 .
    -
    The user sends the ciphertext c = ( c 1 , , c d ) to C S P 1 and requests computation.
  • C S P 1 asks the function owner for permission.
  • The function owner will generate a temporary key pair and a re-encryption key if permission is granted:
    -
    The function owner runs H E . K e y G e n ( p p h e ) ( p k f , s k f ) again to generate a temporary public/secret key pair ( p k f = g a , s k f = a ) .
    -
    Run P R E . R e K e y G e n ( s k f , s k f ) r k f f to generate a re-encryption key r k f f = s k f s k f = a a .
    -
    The function owner sends p k f and r k f f to C S P 1 and sends s k f to C S P 2 .

5.2. Computation

  • C S P 1 re-encrypts the matrix ciphertext:
    -
    For each element c t i in the matrix ciphertext ct , 0 < i m × d , C S P 1 runs P R E . R e E n c ( r k f f , c t i ) c t i to re-encrypt c t i into c t i , where
    c t i = ( A , B ) = ( g a r i , g r i ( 1 + f i N ) ) , r k f f = a a .
    Then, c t i = ( A r k f f , B ) = ( g a r i , g r i ( 1 + f i N ) ) m o d N 2 .
  • C S P 1 sends the re-encryption ciphertext with a mask to C S P 2 :
    -
    For each element c t i in ct = ( c t 1 , , c t m · d ) , 0 < i m · d , C S P 1 samples r i $ Z N 2 as the mask.
    -
    For each mask r i , run H E . E n c ( r i , p k f ) r c t i with the temporary key p k f to generate r c t i = ( g a r i ^ , g r i ^ ( 1 + r i N ) ) m o d N 2 , where r ^ i $ Z N 2 .
    -
    For i [ m · d ] , run H E . E v a l ( c t i , r c t i ) c t i r c t i to generate the masked ciphertext m c t i = r c t i c t i E n c ( f i + r i ) .
    -
    C S P 1 sends the masked ciphertext mct = { m c t i } i = 1 m × d and the user’s input ciphertext c = { c i } i = 1 d to C S P 2 .
  • C S P 1 computes the final result’s first part res 1 :
    -
    Parse r as a m × d -size matrix and write r i , j to index the ( i , j ) -th element.
    -
    For i [ m ] , run L H E . E v a l ( ( r i , 1 , , r i , d ) , ( c 1 , , c d ) ) r e s i 1 to generate r e s i 1 = j = 1 d r i , j c j . The first part of the final result is res 1 = [ r e s 1 1 , . . . , r e s m 1 ] T .
  • C S P 2 performs the decryption for the masked ciphertext:
    -
    After receiving the masked ciphertext { m c t i } i = 1 m × d , for i [ m · d ] , C S P 2 runs H E . D e c ( m c t i , s k f ) f i to generate the masked matrix parameters { f i = f i + r i } i = 1 m × d .
    -
    Parse f = ( f 1 , . . . , f m · d ) as an m × d -size matrix and write f i , j to index the ( i , j ) -th element. It holds that f i , j = f i , j + r i , j .
  • C S P 2 computes the second part of the final result res 2 :
    -
    For i [ m ] , run L H E . E v a l ( ( f i , 1 , , f i , d ) , ( c 1 , , c d ) ) r e s i 2 to generate r e s i 2 = j = 1 d f i , j c j . Then, send the second part of the final result res 2 = [ r e s 1 2 , . . . , r e s m 2 ] T to C S P 1 .
  • C S P 1 computes the final result res and returns it to the user:
    -
    For i [ m ] , C S P 1 computes r e s i = r e s i 2 r e s i 1 = j = 1 d f i , j c j j = 1 d r i , j c j = j = 1 d f i , j c j . Then, the final result res = [ r e s 1 , , r e s m ] T is returned to the user.

5.3. Verification

  • Public Verification:
    -
    The public runs V e r M . V e r i f y ( ver , c , res ) ( 0 , 1 ) . It outputs 1 if and only if
    i = 1 d g s i · c i = i = 1 d g t i · r e s i .
  • Private Verification:
    -
    After the user receives the result ciphertext res = ( r e s 1 , . . . , r e s m ) T , for i [ m ] , they run L H E . D e c ( s k , r e s i ) y i to generate the plaintext y i , where y i = j = 1 d f i , j x j . The final result plaintext is y = ( y 1 , , y m ) = F · x .
    -
    Run V e r M . V e r i f y ( ver , x , y ) ( 0 , 1 ) . It outputs 1 if and only if
    j = 1 d g s i · x i = j = 1 d g t i · y i .

5.4. The Extension Method for Arbitrary Polynomial Functions

In the previous subsection, we described the verifiable matrix–vector multiplication. However, the function may be arbitrary. The scheme in [9] gives a solution for outsourcing these arbitrary polynomial functions based on the verifiable matrix–vector multiplication scheme.
This scheme decomposes the computation of arbitrary polynomials into a two-phase computation in which the heavy part is the matrix–vector multiplication that can be delegated to the cloud server, and the other part provides a substantially fast computation for the user. Then, we describe the decomposition scheme for univariate polynomials and arbitrary multivariate polynomials based on [9].

5.4.1. Univariate Polynomials

Let F be the set of all univariate polynomials of higher order over a finite field Z q . For any f ( x ) F , suppose that f ( x ) = f 0 + f 1 x + f d x d . Let m = d + 1 and define
F = ( f 0 f 1 f m 1 f m f m + 1 f 2 m 1 f m 2 m f m 2 m + 1 f m 2 1 )
as a matrix of order m, where f i = 0 for all i > d . Set x = ( 1 , x , , x m 1 ) and y = ( 1 , x m , , x m 2 m ) . Then, we have f ( x ) = y · ( F · x ) .
This is a two-phase computation: (i) the computation of u = F x and (ii) the computation of f ( x ) = y · u . The first phase is a matrix–vector multiplication function that can be delegated to a cloud server using our verifiable computation scheme. It requires O ( m 2 ) = O ( d ) arithmetic operations. The second phase is a substantially fast computation for the user that requires only O ( m ) = O ( d ) arithmetic operations locally.

5.4.2. Multivariate Polynomials

Let F be the set of all arbitrary multivariate polynomials over a finite field Z q . For any f x 1 , , x m = i 1 , , i m = 1 d f i 1 , , i m · x 1 i 1 x m i m F , m 2 , l = m / 2 , parse the parameters as a d l × d m l matrix
F = F ( i 1 , , i l ) , ( i l + 1 , , i m )
where F ( i 1 , , i l ) , ( i l + 1 , , i m ) = f i 1 , , i m . Set y = x 1 i 1 x l i l Z q d l and x = x l + 1 i l + 1 x m i m Z q d m 1 ; then, we have f x 1 , , x m = y · ( F · x ) .
This is a two-phase computation: (i) the computation of u = F x and (ii) the computation of f x 1 , , x m = y · u . The first phase is a matrix–vector multiplication that can be delegated to a cloud server using our verifiable computation scheme. It requires O ( d m ) arithmetic operations. The second phase is a substantially fast computation for the user that requires O ( d m / 2 ) arithmetic operations locally.

6. Results

6.1. Correctness Analysis

  • Correctness of the result ciphertext res from C S P 1 . Given the ciphertexts of the result res and the input vector c , for i [ d ] , it holds that:
    c i = ( u i , v i ) = a i s + p e i + x i , a i r e s i = j = 1 d f i , j u j , j = 1 d f i , j v j
    = j = 1 d f i , j a i s + j = 1 d f i , j p e i + j = 1 d f i , j x i , j = 1 d f i , j a i
    Let j = 1 d f i , j a i = a i ^ and j = 1 d f i , j e i = e i ^ , such that the following holds:
    r e s i = a i ^ s + p e i ^ + j = 1 d f i , j x i , a i ^ E n c s k , j = 1 d f i , j x i
    We can see that the result res corresponds to the multiplication of matrix F and vector x in plaintext.
  • Correctness of decryption for the result ciphertext res . Given the ciphertext of the result res , where
    r e s i = j = 1 d f i , j u j , j = 1 d f i , j v j = a i ^ s + p e i ^ + j = 1 d f i , j x i , a i ^
    for i [ d ] , it holds that:
    y i = j = 1 d f i , j u j + j = 1 d f i , j v j · s k m o d p = a i ^ s + p e i ^ + j = 1 d f i , j x i a i ^ s m o d p = j = 1 d f i , j x i
    We can see that the decryption for the result ciphertext is correct.
  • Correctness of public verification.
    Given the input vector ciphertext c , the result ciphertext res and the public verification data ver = ( T , S ) = ( ( g t 1 , , g t m ) , ( g s 1 , , g s d ) ) , where
    c i = u i , v i
    r e s i = j = 1 d f i , j u j , j = 1 d f i , j v j
    s i = j = 1 m t j F j , i
    for i [ d ] , it convinces the public to accept the result if and only if:
    i = 1 d g s i · c i = i = 1 d g t i · r e s i .
    The left side is:
    i = 1 d g s i · c i = i = 1 d g s i · u i , i = 1 d g s i · v i = i = 1 d g ( j = 1 m t j f j , i ) · u i , i = 1 d g j = 1 m t j f j , i · v i = ( g i = 1 d j = 1 m t j f j , i u i , g i = 1 d j = 1 m t j f j , i v i )
    and the right side is:
    i = 1 d g t i · r e s i = i = 1 d g t i · j = 1 d f i , j u j , i = 1 d g t i · j = 1 d f i , j v j = g i = 1 m j = 1 d t j f i , j u j , g i = 1 m j = 1 d t j f i , j v j
    If y = F · x , then Equation (22) holds.
  • Correctness of private verification.
    The correctness of private verification is consistent with the description provided in Section 3.4.

6.2. Security Analysis

In our two-server setup, we assume that C S P 1 and C S P 2 are non-collusive. Our security model allows for one or both servers to be malicious, as our verifiable computation scheme can detect the malicious behavior and reject the computation result. However, they cannot cooperate with each other. Under the non-collusion assumption, suppose one of the CSPs is malicious; then, the two CSPs cannot collaborate to perform the correct computation because the other CSP updates its data, causing the temporary ciphertext to not correspond to the temporary key. In this process, the malicious CSP does not learn any valuable information.
In our system, the function owner cannot obtain any additional information other than the function parameters. C S P 1 learns only the original ciphertext, the temporary ciphertext after re-encryption and the input ciphertext. C S P 2 learns only the temporary private key, the masked function parameters and the user’s input ciphertext. The request user only learns its own input and the computation result. Any public verification party can only learn the input ciphertext, the result ciphertext and the public verification data.
Next, we present the security analysis of our encryption schemes.
  • HE. The scheme is based on the hardness of the Decisional Composite Residuosity Assumption and Decisional Diffie–Hellman Assumption, which is stated below:
    Definition 1.
    (Decisional Composite Residuosity Problem [26]) Given a composite n and an integer z, decide if z is an n r e s i d u e modulo n 2 or not, namely, if there exists y such that z = y n ( m o d n 2 ) .
    Definition 2.
    (Decisional Diffie–Hellman Problem [24]) Let g be an element of prime order in a cyclic group G . Given g a , g b , h G , decide whether or not h = g a b .
    Theorem 1.
    The scheme is semantically secure if and only if the Decisional Composite Residuosity Assumption and Decisional Diffie–Hellman Assumption hold.
  • LHE. The security is established in [3], and we state it below:
    Theorem 2.
    LHE is linearly homomorphic as long as max { | γ 1 | , , | γ d | } · p r n 1.5 < q / 2 .
    Theorem 3.
    Let r = poly ( n ) and q = 2 n ϵ for some 0 < ϵ < 1 . The scheme is semantically secure under the worst-case hardness of approximating the shortest vectors on ideal lattices to within a factor of O ( 2 n ϵ ) .
  • HPRE. It is based on the security of HE.
  • VerM. It is based on the hardness of the Discrete Logarithm Assumption [9]. It will pass the verification by mistake with a probability of 1 / q at most, which is negligible when q is a λ -bit prime. It is stated below:
    Definition 3.
    (Discrete Logarithm Problem) Let g be an element of prime order in a cyclic group G . Given h G , compute x such that h = g x .
    Theorem 4.
    The scheme is semantically secure if and only if the Discrete Logarithm Assumption holds.

6.3. Experimental Results

To verify the efficiency, we performed our experiments on a personal computer with an AMD Ryzen 5 3600 3.6 GHz processor with 8 GB memory and running on the Ubuntu Desktop-20.04.1-LTS operating system using python language. We used the charm-crypto library to implement HE operations, PRE operations and VerM operations and used Microsoft SEAL to implement LHE operations. In the experiment, we set the security parameter of LHE to 4096 and that of HE to 1024. We tested the efficiency for the four entities when the matrix size was ( 10 × 10 , 50 × 50 , 100 × 100 , 150 × 150 ). The average time for each experiment was obtained by running it multiple times as shown in the graphs.
Figure 3 illustrates the time cost for the function owner, where the blue line presents the time for encrypting the matrix, the red line presents the time for preparing the generation of the verification data, and the gray line represents the time for the generation of the verification data. As shown in Figure 3, the function owner efficiently prepares the generation of verification data once for all parties. The primary overhead is the encryption of matrix parameters; however, since the function owner only needs to encrypt the function once for all parties, the computation cost can be amortized. Note that the vertical axis is on a logarithmic scale with a base of 10, and the same applies to Figure 4 and Figure 5.
Figure 4 illustrates the time cost for C S P 1 . The blue line represents the time for re-encrypting the ciphertext, the red line represents the time for encrypting the mask, the gray line represents the time for generating the masked ciphertext, and the yellow line represents the time for computing the first part of the result ciphertext. As shown in Figure 4, the time for re-encryption and encrypting masks is nearly identical to that for the function owner to encrypt the matrix, and the homomorphic operations are highly efficient. The computation involving LHE ciphertexts is the most time-consuming, which would significantly burden the user if performed locally. Therefore, it was outsourced to the cloud server for computation.
Figure 5 illustrates the time cost for C S P 2 , where the blue line represents the time for decrypting the masked ciphertext, and the red line represents the time computing the second part of the result ciphertext. As can be seen from Figure 5, the computation with LHE ciphertexts is the most time-consuming, which is the same as C S P 1 , so it was outsourced to the cloud server.
Figure 6 illustrates the time cost for the request user, where the blue line represents the time for encrypting their input vector and the red line represents the time for decrypting the final result ciphertext. As shown in Figure 6, the encryption and decryption for users are very efficient.
Figure 7 illustrates the time cost for verification, where the blue line represents the time for private verification, and the red line represents the time for public verification. As shown in Figure 7, the process of private verification is quick and efficient. Public verification, on the other hand, may take more time but is still accessible for the public.
Next, we present the communication costs in Table 4, where the matrix size is m × d , N is the parameter in HE, and R p is the ring in LHE.
Compared with [9], our scheme achieves both function privacy and input privacy. In terms of computational complexity, our scheme is similar to their second scheme with only input privacy for the cloud server side, but we have two servers, which requires twice the computational overhead. At the same time, the two servers need to communicate with each other, which incurs additional communication overhead, but these additional costs provide privacy for the function.

7. Conclusions and Future Work

In this paper, we focused on the privacy-preserving and publicly verifiable outsourcing computation of matrix functions and polynomial functions. Our publicly verifiable computation scheme achieved both input privacy and function privacy for matrix functions, and it can be extended to arbitrary polynomial functions. Our scheme additionally provides a faster privately verifiable method and ensures the function owner’s control over access to the function. Our solution may be of interest to applications in oblivious polynomial evaluation or polynomial prediction model inference.
In the future, we plan to construct a publicly verifiable outsourcing computation scheme for nonlinear functions, such as for activation functions in convolutional neural networks. Furthermore, we will address how to identify malicious cloud servers if the verification fails.

Author Contributions

Conceptualization, B.S. and D.Z.; methodology, B.S.; software, J.W. and X.Y.; validation, J.W., X.Y. and B.S.; formal analysis, B.S., J.W. and X.Y.; investigation, B.S. and Y.Z.; resources, B.S. and Y.Z.; data curation, J.W. and X.Y.; writing—original draft preparation, B.S.; writing—review and editing, Y.Z., D.Z. and C.W.; visualization, B.S. and J.W.; supervision, D.Z. and C.W.; project administration, D.Z. and C.W.; funding acquisition, D.Z. and C.W. All authors have read and agreed to the published version of the manuscript.

Funding

This paper was funded by the National Natural Science Foundation of China (Nos. U2001205, 61732021,61932010), Guangdong Basic and Applied Basic Research Foundation (Nos. 2019B030302008, 2023B1515040020), and TESTBED2 (No. H2020-MSCA-RISE-2019).

Data Availability Statement

All data are presented in the main text.

Conflicts of Interest

The authors declare no conflict of interest.

References

  1. Rivest, R.L.; Adleman, L.; Dertouzos, M.L. On data banks and privacy homomorphisms. Found. Secur. Comput. 1978, 4, 169–180. [Google Scholar]
  2. Gentry, C. Fully homomorphic encryption using ideal lattices. In Proceedings of the 41st Annual ACM Symposium on Theory of Computing, STOC 2009, Bethesda, MD, USA, 31 May–2 June 2009; Mitzenmacher, M., Ed.; ACM: New York, NY, USA, 2009; pp. 169–178. [Google Scholar]
  3. Brakerski, Z.; Vaikuntanathan, V. Fully Homomorphic Encryption from Ring-LWE and Security for Key Dependent Messages. In Proceedings of the Advances in Cryptology—CRYPTO 2011—31st Annual Cryptology Conference, Santa Barbara, CA, USA, 14–18 August 2011; Rogaway, P., Ed.; Lecture Notes in Computer Science. Springer: Berlin/Heidelberg, Germany, 2011; Volume 6841, pp. 505–524. [Google Scholar] [CrossRef]
  4. Yao, C.C. How to generate and exchange secrets. In Proceedings of the 27th Annual Symposium on Foundations of Computer Science, Toronto, ON, Canada, 27–29 October 1986; IEEE Computer Society: Washington, DC, USA, 1986; pp. 162–167. [Google Scholar]
  5. Demmler, D.; Schneider, T.; Zohner, M. ABY—A Framework for Efficient Mixed-Protocol Secure Two-Party Computation. In Proceedings of the 22nd Annual Network and Distributed System Security Symposium, NDSS 2015, San Diego, CA, USA, 8–11 February 2015; The Internet Society: Reston, VA, USA, 2015. [Google Scholar]
  6. Feng, D.; Yang, K. Concretely efficient secure multi-party computation protocols: Survey and more. Secur. Saf. 2022, 1, 2021001. [Google Scholar] [CrossRef]
  7. Papamanthou, C.; Shi, E.; Tamassia, R. Signatures of Correct Computation. In Proceedings of the Theory of Cryptography—10th Theory of Cryptography Conference, TCC 2013, Tokyo, Japan, 3–6 March 2013; Volume 7785, pp. 222–242. [Google Scholar]
  8. Parno, B.; Raykova, M.; Vaikuntanathan, V. How to Delegate and Verify in Public: Verifiable Computation from Attribute-Based Encryption. In Proceedings of the Theory of Cryptography—9th Theory of Cryptography Conference, TCC 2012, Taormina, Italy, 19–21 March 2012; Volume 7194, pp. 422–439. [Google Scholar]
  9. Zhang, L.F.; Safavi-Naini, R. Protecting data privacy in publicly verifiable delegation of matrix and polynomial functions. Des. Codes Cryptogr. 2020, 88, 677–709. [Google Scholar] [CrossRef]
  10. Applebaum, B.; Ishai, Y.; Kushilevitz, E. From Secrecy to Soundness: Efficient Verification via Secure Computation. In Proceedings of the 37th International Colloquium Conference on Automata, Languages and Programming, ICALP 2010, Bordeaux, France, 6–10 July 2010; Springer: Berlin/Heidelberg, Germany, 2010. Part I. Volume 6198, pp. 152–163. [Google Scholar]
  11. Barbosa, M.; Farshim, P. Delegatable Homomorphic Encryption with Applications to Secure Outsourcing of Computation. In Proceedings of the Topics in Cryptology—CT-RSA 2012—The Cryptographers’ Track at the RSA Conference 2012, San Francisco, CA, USA, 27 February–2 March 2012; Springer: Berlin/Heidelberg, Germany, 2012; Volume 7178, pp. 296–312. [Google Scholar]
  12. Chung, K.M.; Kalai, Y.T.; Vadhan, S.P. Improved Delegation of Computation using Fully Homomorphic Encryption. In Advances in Cryptology—CRYPTO 2010, Proceedings of the 30th Annual Cryptology Conference, Santa Barbara, CA, USA, 15–19 August 2010; Lecture Notes in Computer Science; Springer: Berlin/Heidelberg, Germany, 2010; Volume 6223, pp. 483–501. [Google Scholar]
  13. Fiore, D.; Gennaro, R.; Pastro, V. Efficiently Verifiable Computation on Encrypted Data. In Proceedings of the 2014 ACM SIGSAC Conference on Computer and Communications Security, Scottsdale, AZ, USA, 3–7 November 2014; ACM: New York, NY, USA, 2014; pp. 844–855. [Google Scholar]
  14. Joo, C.; Yun, A. Homomorphic authenticated encryption secure against chosen-ciphertext attack. In Proceedings of the Advances in Cryptology–ASIACRYPT 2014: 20th International Conference on the Theory and Application of Cryptology and Information Security, Kaoshiung, Taiwan, 7–11 December 2014; Springer: Berlin/Heidelberg, Germany, 2014. Part II 20. pp. 173–192. [Google Scholar]
  15. Libert, B.; Peters, T.; Joye, M.; Yung, M. Linearly Homomorphic Structure-Preserving Signatures and Their Applications. In Proceedings of the Advances in Cryptology—CRYPTO 2013—33rd Annual Cryptology Conference, Santa Barbara, CA, USA, 18–22 August 2013; Lecture Notes in Computer Science. Springer: Berlin/Heidelberg, Germany, 2013. Part II. Volume 8043, pp. 289–307. [Google Scholar]
  16. Zhang, L.F. Multi-server verifiable delegation of computations: Unconditional security and practical efficiency. Inf. Comput. 2021, 281, 104740. [Google Scholar] [CrossRef]
  17. Catalano, D.; Fiore, D.; Gennaro, R.; Vamvourellis, K. Algebraic (trapdoor) one-way functions and their applications. In Proceedings of the Theory of Cryptography: Tenth Theory of Cryptography Conference, TCC 2013, Tokyo, Japan, 3–6 March 2013; Springer: Berlin/Heidelberg, Germany, 2013; pp. 680–699. [Google Scholar]
  18. Elkhiyaoui, K.; Önen, M.; Azraoui, M.; Molva, R. Efficient Techniques for Publicly Verifiable Delegation of Computation. In Proceedings of the 11th ACM on Asia Conference on Computer and Communications Security, AsiaCCS 2016, Xi’an, China, 30 May–3 June 2016; ACM: New York, NY, USA, 2016; pp. 119–128. [Google Scholar]
  19. Fiore, D.; Gennaro, R. Publicly verifiable delegation of large polynomials and matrix computations, with applications. In Proceedings of the ACM Conference on Computer and Communications Security, CCS’12, Raleigh, NC, USA, 16–18 October 2012; ACM: New York, NY, USA, 2012; pp. 501–512. [Google Scholar] [CrossRef]
  20. Beimel, A. Secure Schemes for Secret Sharing and Key Distribution. Ph.D. Thesis, Technion—Israel Institute of Technology, Haifa, Israel, 1996. [Google Scholar]
  21. Goyal, V.; Pandey, O.; Sahai, A.; Waters, B. Attribute-based encryption for fine-grained access control of encrypted data. In Proceedings of the 13th ACM Conference on Computer and Communications Security, CCS 2006, Alexandria, VA, USA, 30 October–3 November 2006; ACM: New York, NY, USA, 2006; pp. 89–98. [Google Scholar]
  22. Peter, A.; Tews, E.; Katzenbeisser, S. Efficiently Outsourcing Multiparty Computation Under Multiple Keys. IEEE Trans. Inf. Forensics Secur. 2013, 8, 2046–2058. [Google Scholar] [CrossRef]
  23. Liu, X.; Robert, H.; Deng, K.K.R.C.; Weng, J. An Efficient Privacy-Preserving Outsourced Calculation Toolkit With Multiple Keys. IEEE Trans. Comput. 2016, 65, 3567–3579. [Google Scholar] [CrossRef]
  24. Bresson, E.; Catalano, D.; Pointcheval, D. A Simple Public-Key Cryptosystem with a Double Trapdoor Decryption Mechanism and Its Applications. In Proceedings of the Advances in Cryptology—ASIACRYPT 2003, Ninth International Conference on the Theory and Application of Cryptology and Information Security, Taipei, Taiwan, 30 November–4 December 2003; Lecture Notes in Computer Science. Springer: Berlin/Heidelberg, Germany, 2003; Volume 2894, pp. 37–54. [Google Scholar]
  25. Kawai, Y.; Matsuda, T.; Hirano, T.; Koseki, Y.; Hanaoka, G. Proxy Re-Encryption That Supports Homomorphic Operations for Re-Encrypted Ciphertexts. IEICE Trans. Fundam. Electron. Commun. Comput. Sci. 2019, 102-A, 81–98. [Google Scholar] [CrossRef]
  26. Paillier, P. Public-Key Cryptosystems Based on Composite Degree Residuosity Classes. In Proceedings of the Advances in Cryptology—EUROCRYPT ’99, International Conference on the Theory and Application of Cryptographic Techniques, Prague, Czech Republic, 2–6 May 1999; Lecture Notes in Computer Science. Springer: Berlin/Heidelberg, Germany, 1999; Volume 1592, pp. 223–238. [Google Scholar] [CrossRef]
  27. Gamal, T.E. A public key cryptosystem and a signature scheme based on discrete logarithms. IEEE Trans. Inf. Theory 1985, 31, 469–472. [Google Scholar] [CrossRef]
  28. Goldwasser, S.; Micali, S. Probabilistic Encryption. J. Comput. Syst. Sci. 1984, 28, 270–299. [Google Scholar] [CrossRef]
  29. Brakerski, Z.; Gentry, C.; Vaikuntanathan, V. (Leveled) Fully Homomorphic Encryption without Bootstrapping. ACM Trans. Comput. Theory 2014, 6, 1–36. [Google Scholar]
  30. Zhou, H.; Wornell, G.W. Efficient homomorphic encryption on integer vectors and its applications. In Proceedings of the 2014 Information Theory and Applications Workshop, ITA 2014, San Diego, CA, USA, 9–14 February 2014; pp. 1–9. [Google Scholar]
  31. Blaze, M.; Bleumer, G.; Strauss, M. Divertible Protocols and Atomic Proxy Cryptography. In Proceedings of the Advances in Cryptology—EUROCRYPT ’98, International Conference on the Theory and Application of Cryptographic Techniques, Espoo, Finland, 31 May–4 June 1998; Lecture Notes in Computer Science. Springer: Berlin/Heidelberg, Germany, 1998; Volume 1403, pp. 127–144. [Google Scholar]
  32. Blum, M.; Luby, M.; Rubinfeld, R. Self-Testing/Correcting with Applications to Numerical Problems. In Proceedings of the 22nd Annual ACM Symposium on Theory of Computing, Baltimore, MD, USA, 13–17 May 1990; ACM: New York, NY, USA, 1990; pp. 73–83. [Google Scholar] [CrossRef]
  33. Blum, M.; Wasserman, H. Program Result-Checking: A Theory of Testing Meets a Test of Theory. In Proceedings of the 35th Annual Symposium on Foundations of Computer Science, Santa Fe, NM, USA, 20–22 November 1994; IEEE Computer Society: Washington, DC, USA, 1994; pp. 382–392. [Google Scholar] [CrossRef]
Figure 1. Outsourcing computation model of functions.
Figure 1. Outsourcing computation model of functions.
Futureinternet 15 00152 g001
Figure 2. The publicly verifiable outsourcing computation model with privacy.
Figure 2. The publicly verifiable outsourcing computation model with privacy.
Futureinternet 15 00152 g002
Figure 3. The time cost for the function owner.
Figure 3. The time cost for the function owner.
Futureinternet 15 00152 g003
Figure 4. The time cost for C S P 1 .
Figure 4. The time cost for C S P 1 .
Futureinternet 15 00152 g004
Figure 5. The time cost for C S P 2 .
Figure 5. The time cost for C S P 2 .
Futureinternet 15 00152 g005
Figure 6. The time cost for the request user.
Figure 6. The time cost for the request user.
Futureinternet 15 00152 g006
Figure 7. The time cost for verification.
Figure 7. The time cost for verification.
Futureinternet 15 00152 g007
Table 1. Comparison of the proposed scheme with previous works.
Table 1. Comparison of the proposed scheme with previous works.
Study Ref./NoFunction Privacy/Input PrivacyPrivate VerificationPublic Verification
[10,11,12]✓/✓×
[13,14,15]✓/✓×
[16]✓/✓×
[7,8,17,18,19]×/×
[9]✓/× or ×/✓
Our scheme✓/✓
Note: ✓—supported; and ×—not supported.
Table 2. Summary of notations.
Table 2. Summary of notations.
NotationsDescriptions
x The lowercase bold letters denote vectors where x i indexes the i-th element
M The uppercase bold letters denote matrices where M i , j indexes the ( i , j ) -th element
x The transpose of vector x
x , , y The dot product of two vectors, x = ( x 1 , , x n ) and y = ( y 1 , , y n ) , where x · y = i = 1 n x i y i
M · x The matrix–vector multiplication of M and x
x $ S Uniformly sample x from a set S at random.
N The set of all natural numbers
[ n ] The set { 1 , , n } , where n N
λ The security parameter
p , q The odd primes
Z N A group under addition modulo N
Z N * A group satisfies g c d ( b , N ) = 1 , where b [ N 1 ]
F = Z q m × d The set of all m × d matrices over Z q
G = g The cyclic group with generator g
Φ m ( X ) The m-th cyclotomic polynomial, where Φ m ( X ) = X N + 1
R : = Z [ X ] / Φ m ( X ) The ring of integer polynomials modulo Φ m
R p The ring R with coefficients modulo p
χ The discrete Gaussian distribution over the ring
( p k , s k ) The key pair of public key and secret key
Table 3. Data size.
Table 3. Data size.
DataSize
Matrix F m × d
Verification data t 1 × m
Verification data s 1 × d
Vector x d × 1
The final result y m × 1
Table 4. Communication Costs.
Table 4. Communication Costs.
SenderReceiverPhaseCommunication Cost
Function owner C S P 1 Preparation 2 · ( m × d ) · Z N 2 * (Once for all)
Function ownerThe publicPreparation ( m + d ) · Z q (Once for all)
Function owner C S P 1 Preparation 1 · Z N 2 + 1 · Z N 2 *
Function owner C S P 2 Preparation 1 · Z N 2
Request User C S P 1 Preparation d · ( R q ) 2
C S P 1 Function ownerPreparationPermission Message
C S P 1 C S P 2 Computation 2 · ( m × d ) · Z N 2 * + d · ( R q ) 2
C S P 1 Request UserComputation m · ( R q ) 2
C S P 1 The publicVerification ( d + m ) · ( R q ) 2
C S P 2 C S P 1 Computation m · ( R q ) 2
Disclaimer/Publisher’s Note: The statements, opinions and data contained in all publications are solely those of the individual author(s) and contributor(s) and not of MDPI and/or the editor(s). MDPI and/or the editor(s) disclaim responsibility for any injury to people or property resulting from any ideas, methods, instructions or products referred to in the content.

Share and Cite

MDPI and ACS Style

Song, B.; Zhou, D.; Wu, J.; Yuan, X.; Zhu, Y.; Wang, C. Protecting Function Privacy and Input Privacy in the Publicly Verifiable Outsourcing Computation of Polynomial Functions. Future Internet 2023, 15, 152. https://doi.org/10.3390/fi15040152

AMA Style

Song B, Zhou D, Wu J, Yuan X, Zhu Y, Wang C. Protecting Function Privacy and Input Privacy in the Publicly Verifiable Outsourcing Computation of Polynomial Functions. Future Internet. 2023; 15(4):152. https://doi.org/10.3390/fi15040152

Chicago/Turabian Style

Song, Beibei, Dehua Zhou, Jiahe Wu, Xiaowei Yuan, Yiming Zhu, and Chuansheng Wang. 2023. "Protecting Function Privacy and Input Privacy in the Publicly Verifiable Outsourcing Computation of Polynomial Functions" Future Internet 15, no. 4: 152. https://doi.org/10.3390/fi15040152

APA Style

Song, B., Zhou, D., Wu, J., Yuan, X., Zhu, Y., & Wang, C. (2023). Protecting Function Privacy and Input Privacy in the Publicly Verifiable Outsourcing Computation of Polynomial Functions. Future Internet, 15(4), 152. https://doi.org/10.3390/fi15040152

Note that from the first issue of 2016, this journal uses article numbers instead of page numbers. See further details here.

Article Metrics

Back to TopTop