An efficient polynomial-based verifiable computation scheme on multi-source outsourced data
Yiran Zhang, Huizheng Geng, Li Su, Shen He, Li Lu

TL;DR
This paper introduces a fast and secure way to verify polynomial computations on data from multiple sources in cloud computing.
Contribution
The paper proposes an efficient polynomial-based verifiable computation scheme for multi-source outsourced data using Horner’s method and homomorphic verification tags.
Findings
The proposed scheme allows polynomial verification with inputs from multiple sources.
Data contributors can sign 1000 new data in 2 seconds.
Verification of a degree-100 polynomial takes only 18 ms.
Abstract
With the development of cloud computing, users are more inclined to outsource complex computing tasks to cloud servers with strong computing capacity, and the cloud returns the final calculation results. However, the cloud is not completely trustworthy: it may leak user data and even return incorrect calculations on purpose. Therefore, it is important to verify the results of computing tasks without revealing the privacy of the users. Among all the computing tasks, polynomial calculation is widely used in information security, linear algebra, signal processing and other fields. Most existing polynomial-based verifiable computation schemes require that the input of the polynomial function must come from a single data source, which means that the data must be signed by a single user. However, the input of the polynomial may come from multiple users in the practical…
Introduction
Cloud computing technology has become an indispensable tool in the Internet era, and it has gradually penetrated into all aspects of daily life. Users with weak computing capabilities tend to outsource complex computing tasks to cloud servers with powerful computing and storage capabilities, thus reducing the complexity of local computing^1^. However, cloud servers are not completely trustworthy. They may leak user data or intentionally return incorrect calculation results. Therefore, it is of practical significance to verify the calculation results of outsourcing services without disclosing user privacy^2,3^.
Verifiable computation (VC) solves the above problem. The user sends the function and the input data of the function to the cloud server, and the cloud server returns the calculated result and the proof of the result. Users can verify the correctness of the calculation results, and the computational complexity of this process is much smaller than that of directly calculating the function. Verifiable computation is generally divided into two categories: (1) verifiable computation of general functions, which is suitable for the computation of any function^4,5^; (2) verifiable computation of special functions, such as modular exponentiation^6,7^, polynomial calculation^8^, attribute-based decryption^9^, etc. Among them, polynomial-based verifiable computation is widely used in information security, linear algebra, signal processing and other fields, so it has attracted wide attention.
Motivation and contribution
Researchers have proposed a number of polynomial-based verifiable computation schemes^10–35^. Benabbas et al.^10^ put forward a polynomial outsourcing computing scheme for the first time. The scheme requires that the input of the polynomial must come from a single data source, which means that the data must be signed by a single user. However, the input of the polynomial may come from multiple users in practical applications. To solve this problem, the scheme^11^ designs an outsourced polynomial computation program based on the idea of homomorphic verifiable computation tags, so that the scheme supports multiple data sources. However, the scheme requires that all multiplication gates must be executed before the addition gates when generating the verification tag, which greatly limits the speed of generating the verification tag and leads to low efficiency. Want et al.^12^ improved the scheme^11^, but only improved the security of signatures and did not consider the efficiency degradation caused by the design of the verification tag. In particular, when the order of the polynomial function is relatively high and the data of the same user is calculated many times, the correctness verification of the result will be extremely slow.
From the above references, there are two problems with the existing schemes. First, they require that the input of the polynomial must come from a single data source. Second, the design of the verification tags may cause a decrease in efficiency, especially when the polynomial function is relatively complex, so that the result correctness verification process will be extremely slow and may even affect the use of data. Therefore, we define two key requirements for efficient verifiable computation schemes on multi-source outsourced data. (1) Efficiency. The scheme should ensure that the verification can be completed quickly. (2) Support for multiple data sources. The input of the polynomial can come from multiple independent data sources, which means that the data from different data sources can be signed with different private keys.
To address these issues, we propose a new and efficient polynomial-based verifiable computation scheme on multi-source outsourced data, which is efficient and supports multiple data sources. We optimize the polynomials using Horner’s Method to increase the speed of verification, so that addition gates and multiplication gates can be interleaved to represent the polynomial function. To fit this structure, we design a corresponding verification tag that is both additively and multiplicatively homomorphic, so that it suits all types of polynomials. We have verified the correctness and soundness of the scheme based on the Computational Diffie-Hellman (CDH) Assumption. The experimental results demonstrate the efficiency of the scheme.
The main contributions of this paper can be summarized as follows:
- We design for the first time an efficient polynomial-based verifiable computation scheme on multi-source outsourced data, which is efficient and supports multiple data sources. For multi-source outsourcing systems, the cloud server can perform polynomial functions to obtain the calculation results and generate proof information, which can be used by third parties to verify the correctness of the calculation results without knowing the input.
- To solve the problem of a single data source, this paper designs a homomorphic verification tag structure that supports multiple data sources. As the polynomial function is executed gate by gate, we use the key management center to convert the signatures signed by different users into verification tags under unified public and private keys, so that the input of the polynomial can come from multiple data sources.
- To solve the problem of low efficiency, we optimize the polynomials using Horner’s Method, and the corresponding verification tag can be generated with multiplication gates and addition gates interleaved, so as to improve the verification speed.
Related work
Gennaro et al.^13^ combined outsourced computation and verification technology to propose the concept of verifiable computation for the first time. They constructed an outsourced scheme of verifiable computation by using obfuscated circuits and fully homomorphic encryption, which can ensure the privacy of input and output. However, this scheme can only do private verification. Benabbas et al.^10^ proposed a polynomial outsourcing computing scheme with Chosen Plaintext Attack (CPA) security, which solved the problem left by Gennaro et al.^13^ The scheme used an additively homomorphic encryption algorithm to ensure the privacy of the polynomial, but could not guarantee the privacy of inputs or realize public verification. Zhang et al.^14^ constructed a univariate polynomial outsourcing calculation scheme by using multilinear mapping and a homomorphic encryption algorithm. This scheme can ensure the privacy of input, and its extension scheme can ensure the privacy of the function, but it can only achieve private verification. Papamanthou et al.^15^ proposed a verifiable outsourcing computation scheme for dynamic polynomials that allows incremental updating of the coefficients. Fiore et al.^16^ proposed a verifiable polynomial outsourcing computation scheme with adaptive security, but this scheme can only guarantee the privacy of the function. Zhang et al.^18^ improved the efficiency of IoT cross-chain computing by outsourcing polynomials to the blockchain, and they proposed an efficient and verifiable polynomial cross-chain outsourcing computing scheme for verifying the correctness of the results of calculations on the blockchain, but the practicality of the scheme is modest.
Other researchers have proposed verifiable computation schemes based on homomorphic signatures^19–30^. Barbosa et al.^19^ put forward the Delegatable Homomorphic Encryption (DHE) cryptographic primitive, and gave a method for using DHE to construct a verifiable computation scheme. In recent years, Guo et al.^20^ have developed a lightweight verifiable blind decryption technique based on a linear homomorphic encryption scheme to verify the correctness of the final result. Boneh and Freeman^21^ proposed the implementation of homomorphic signatures based on polynomials of constant degree, but this scheme can only be applied to the verifiable computation of polynomials of constant degree. Fiore and Gennaro^22^ proposed a publicly verifiable secure outsourcing protocol for polynomial and matrix multiplication evaluation. However, this scenario does not support multiple data contributors. Song et al.^23^ proposed a verifiable computation scheme that supports multiple data sources. It is based on the verifying data structure of the Homomorphic Verifiable Computation Tags, which is only an additive homomorphism. However, polynomials have not only addition operations but also multiplication operations, so the scheme is not functional enough to support polynomial computation. Further, Song et al.^11^ proposed a verifiable polynomial computation scheme that supports multiple data sources. When two inputs are signed by different keys from different data contributors, it is difficult to have a uniform validation data structure to support addition and multiplication. To solve this problem, the idea is to place all addition gates behind product gates to represent delegated polynomial functions. Then, based on this structure, they further designed the first-level verification label and the second-level verification label. By utilizing these designs, the server is able to output homomorphic validation labels for each gate even if the validation labels for the two inputs are signed by different keys. However, it is clear that executing the addition gate after the multiplication gate will affect the speed of the verification label generation, especially if the input with a data source is evaluated multiple times. Although Want et al.^12^ improved the scheme^11^, it only improved the security of signatures and did not pay attention to the inefficiency. Although a few solutions address the problem of correctness verification of polynomial calculation with multiple sources, they do not pay attention to the efficiency reduction caused by the design of the scheme.
Preliminaries
Arithmetic circuit
Definition
Arithmetic circuits^36^ on field $F$ and variable set $X=\{x_1,\ldots ,x_n\}$ have two kinds of gates: multiplication gate ’$\times$’ and addition gate ’+’. Every gate marked with ’$\times$’ is called a product gate, and every gate marked with ’+’ is called a sum gate.
The arithmetic circuit computes polynomial functions, where the product gate computes the product of polynomials on its input wire, and the summation gate computes the sum of polynomials on its input wire. In this paper, the cloud server performs gate-to-gate processing of polynomials based on arithmetic circuits.
Bilinear mapping
Bilinear mapping refers to the linear mapping relationship between two cyclic groups^37^. We define the mapping $e:G_1\times G_1\rightarrow G_2$ as a bilinear mapping, where $G_1$ and $G_2$ are multiplicative cyclic groups of order $p$, and $g$, $h$ are two generators of the group $G_1$. It satisfies the following properties:
- Bilinear: for $a,b\in Z_p$ and $g^a,g^b,h^a,h^b\in G_1$, $e\left( g^a,g^b\right) =e{(g,h)}^{ab}$ can be calculated.
- Non-degenerate: $e\left( g,g\right) \ne 1$.
- Computability: For any $g,h\in G_1$, there are effective algorithms that can calculate $e\left( g,h\right)$.

Computational Diffie-Hellman (CDH) Assumption: For $x, y\in Z_p$, given $g, g^x, g^y\in G_1$, it is difficult to compute $g^{xy}$.
Horner’s method
Horner’s method^38^ is a polynomial evaluation method with a single data source, aiming to simplify polynomial calculation. It transforms a polynomial of degree n into n linear functions of degree one, and it can be represented as an equation:
$$\begin{aligned} f(x)&=a_0+a_1x+a_2x^2+\ldots +a_nx^n\\&=a_0+x(a_1+x(a_2+\ldots +x(a_{n-1}+xa_n)))\end{aligned}$$

For a polynomial $f\left( x\right)$ with a single data source, it only needs to perform n multiplications and n additions, with a time complexity of $\mathcal {O}\left( n\right)$. Compared to normal evaluation, which requires $n(n+1)/2$ multiplications and n additions, resulting in a time complexity of $\mathcal {O}\left( n^2\right)$, Horner’s Method is a faster and better way to compute higher-order polynomials.
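The following added example (not code from the paper) expresses Horner's form as an interleaved chain of product and sum gates over $Z_p$ and counts the operations against term-by-term evaluation. The modulus `P`, the gate encoding and the sample polynomials are assumptions made for illustration.

```python
# Added illustration: Horner's method expressed as an arithmetic circuit over Z_p.
# P and the sample polynomials are constructed values, not taken from the paper.

P = 2**61 - 1  # a Mersenne prime, standing in for the field order p


def horner_circuit(coeffs):
    """Build the gate list for f(x) = a_0 + x(a_1 + x(... + x*a_n)).

    coeffs = [a_0, ..., a_n]. Returns (a_n, gates); each gate acts on one
    running wire: ("mul", None) multiplies it by x, ("add", a_i) adds a_i.
    Product and sum gates alternate from the innermost bracket outwards.
    """
    if not coeffs:
        raise ValueError("need at least one coefficient")
    gates = []
    for a_i in reversed(coeffs[:-1]):
        gates.append(("mul", None))
        gates.append(("add", a_i % P))
    return coeffs[-1] % P, gates


def eval_circuit(start, gates, x):
    """Evaluate gate by gate; return (value, multiplications, additions)."""
    wire, mults, adds = start, 0, 0
    for op, const in gates:
        if op == "mul":
            wire = (wire * x) % P
            mults += 1
        else:
            wire = (wire + const) % P
            adds += 1
    return wire, mults, adds


def eval_naive(coeffs, x):
    """Term-by-term evaluation: the term a_i * x^i costs i multiplications."""
    total, mults, adds = coeffs[0] % P, 0, 0
    for i, a_i in enumerate(coeffs[1:], start=1):
        term = a_i % P
        for _ in range(i):
            term = (term * x) % P
            mults += 1
        total = (total + term) % P
        adds += 1
    return total, mults, adds


def compare(coeffs, x):
    """Return ((value, mults, adds) via Horner, (value, mults, adds) naive)."""
    start, gates = horner_circuit(coeffs)
    return eval_circuit(start, gates, x % P), eval_naive(coeffs, x % P)


if __name__ == "__main__":
    # f(x) = 3 + 2x^2 + 5x^3 at x = 7 (constructed sample)
    print(compare([3, 0, 2, 5], 7))
    # Degree-100 polynomial with constructed coefficients 1..101
    horner, naive = compare(list(range(1, 102)), 123456789)
    print("Horner (mults, adds):", horner[1:], "naive (mults, adds):", naive[1:])
```

For degree n = 100 the Horner circuit uses 100 product gates against 5050 multiplications for the term-by-term form, matching the $n$ versus $n(n+1)/2$ counts above.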
Problem statement
System model
There are three entities in the system model of this scheme: the cloud, the users, and the key management center (KMC).
Cloud
It provides storage services for users and computes polynomial functions on outsourced data. It also generates the proof message used to verify the correctness of the calculation results. It is not entirely trustworthy.
Users
They outsource their data to the cloud. And they also upload signature data to verify the correctness of the polynomial calculation results. We assume that there are $n(n\ge 1)$ users. They are completely trustworthy.
Key management center
It assigns keys to users and helps the cloud generate verification information. After the polynomial function is computed, it verifies the correctness of the result based on the proof information. It’s completely trustworthy.
Figure 1 represents the system model of “An efficient polynomial-based verifiable computation scheme on multi-source outsourced data”. In a multi-source data verifiable computing system, there are n users $u_i(1\le i\le n)$. Each user $u_i$ holds their own public key and private key. The user $u_i$ generates a signature by signing the data with the private key, then uploads the signature and data to the cloud. The cloud calculates the polynomial to obtain the calculation result, and it also outputs the proof information. The cloud sends the result and the proof information to KMC. KMC helps the user verify the correctness of the result using the proof information.

Figure 1. System model.
Threat model
The cloud is not completely trustworthy. It may misbehave due to monetary reasons, hacking or system failure. In practical applications, there is a risk that the cloud server may produce incorrect calculation results for users without actually performing the computation. The cloud server may even deliberately provide incorrect calculations. Consider, for instance, a scenario where 5000 users (acting as urban pollution data collection points) in 5000 cities gather information on air pollution from various locations. These users upload their air pollution data to the cloud daily, and request that the cloud calculate the average air pollution based on data from multiple locations. However, the cloud server may perform the calculation using only a subset of the data instead of the entire dataset, leading to erroneous results. Even worse, the cloud server may not perform the computation and return historical data directly or generate random numerical values for the user. Therefore, the work is primarily motivated by the need to provide a verifiable polynomial evaluation scheme. This scheme allows users to verify that the cloud server has correctly executed the entrusted polynomial function. The security threats of this scheme are as follows:
- Data corruption: The adversary may compromise data while it is being uploaded to the cloud. The corrupted data used as input for the polynomial may result in incorrect results.
- Incorrect results: For monetary reasons, the cloud may not fully execute the entrusted polynomial, or may output the result randomly to save computing resources.
- Forgery attacks: The adversary may forge the signature and proof information on purpose, in order to trick the user into passing the correctness verification.
Security goal
The security goal of the proposed scheme is twofold: correctness and soundness.
- Correctness: if the cloud performed the polynomial correctly, then the corresponding proof information can pass the correctness check of the result, that is, there are no false negatives.
- Soundness: the verification information corresponding to a wrong result must be detected and fail the correctness check, that is, there are no false positives.
Efficient polynomial-based verifiable computation scheme on multi-source outsourced data
Notations in this section
Table 1 shows some important notations.

Table 1. Notations.

| Notations | Description |
| --- | --- |
| $G_1,G_2$ | The group of the same prime order $p$ |
| $g, h$ | The generator of $G_1$ |
| $e$ | Bilinear mapping $e:G_1\times G_1\rightarrow G_2$ |
| $H$ | One-way hash function $H:\left\{ 0,1\right\} ^*\rightarrow Z_p$ |
| $sk$ | Private key $sk=a$ |
| $pk$ | Public key $pk=(g^a,h^a,h^\frac{1}{a})$ |
| $\tau$ | The label of the outsourced data |
| $t_\tau$ | $t_\tau =H(\tau )$ |
| $m$ | The outsourced data $m$ |
| $\sigma _m$ | The signature $\sigma _m=\left( r,s\right)$ of data $m$ |
| $\delta$ | The verification tag $\delta (pk,\sigma )$ |
| $P$ | The proof message $P=\delta _R(pk,\sigma )$, which is the final verification tag for the result of polynomial function |
Overview
The system executes the algorithm SetUp() to initialize the system parameters. KMC performs the algorithm KeyGen() to obtain the public keys and private keys. The users execute the algorithm Sign() to sign the data, and the data and the corresponding signatures are outsourced to the cloud. The cloud computes the polynomial function to obtain the calculation result, and executes the algorithm GateVal() to obtain the verification tag. As the circuit is executed gate by gate, the verification tag of the last gate is output as the final proof information. The cloud executes the algorithm ProofCre(), which sends the proof information to the KMC. KMC executes the algorithm VerifyProof(), which verifies the correctness of the final calculation result. If the output is True, the result is correct; if the output is False, the result is incorrect.
The proposed scheme
$SetUp\left( 1^\lambda \right) \rightarrow (e,p,G_1,G_2,h,H)$
The algorithm is executed by the cloud to generate system parameters. The input is the security parameter $\lambda$, and the output is the security parameter of system $\{e,p,G_1,G_2,h,H\}$.
Suppose that $G_1,G_2$ are two p-order prime groups, $g$, $h$ are generators of $G_1$, $e$ is a bilinear mapping $e:G_1\times G_1\rightarrow G_2$. $H:\left\{ 0,1\right\} ^*\rightarrow Z_p$ is a hash function that maps any string to an element in $Z_p$.
$$KeyGen\left( 1^k\right) \rightarrow (pk,sk)$$
The algorithm is executed by the key management center to generate public keys and private keys. The input is the security parameter k, and the output is public key pk and private key sk.
KMC randomly selects $a^*\in Z_p$ as the conversion private key. When a new user joins the system, KMC randomly selects a random number $a\in Z_p$ as the private key sk of the user, generates and stores $a'$ satisfying $a*a'=a^*$, and outputs public key $pk=(g^a,h^a,h^{\frac{1}{a}})$. KMC sends the sk and pk to the user, then sends the pk to the cloud.
$$Sign\left( m,sk\right) \rightarrow \sigma _m$$
The algorithm is executed by the user to sign the data. The input is the outsourced data m and private key sk, and the output is the signature $\sigma _m$.
We set the label $\tau$, which is selected by the user to express the physical meaning of the data m. The label $\tau$ is public. The user computes $t_\tau =H\left( \tau \right)$, chooses k at random, and computes $r=h^k$, $s=h^{a\left( t_\tau +m+k\right) } \bmod p$, where a is the private key. Then it generates the signature $\sigma _m=(r=h^k,\ s=h^{a\left( t_\tau +m+k\right) } \bmod p)$.
Finally, the user uploads data m, the label $\tau$, and signature $\sigma _m=(r,s)$ to the cloud.
After receiving data m and the corresponding signature $\sigma _m$, the cloud verifies the signature as shown in Eq. (2), where $pk^{(1)}=g^a$. If the verification is successful, the cloud stores the data m, the label $\tau$, and the signature $\sigma _m$; otherwise, the cloud outputs $\bot$.

$$\begin{aligned} e\left( g,s\right) &=e\left( g^a,r*h^{t_\tau +m}\right) \\ &=e(pk^{\left( 1\right) },r*h^{t_\tau +m}) \end{aligned} \tag{2}$$

Table 2 shows the userID, labels, data, public keys, and signatures of the users. Each user has a public key; for example, the public key corresponding to $u_i$ is represented as $(g^{a_i},h^{a_i},h^{\frac{1}{a_i}})$ $(1\le i\le n)$. A user can upload multiple data. For example, data $m_1$ and $m_2$ are uploaded by $u_1$.

Table 2. The cloud stores label, data, public key, signature of the user with userid.

| UserID | Label | Data | Public key | Signature |
| --- | --- | --- | --- | --- |
| $u_1$ | $\tau _1$ | $m_1$ | $(g^{a_1},h^{a_1},h^{\frac{1}{a_1}})$ | $\sigma _1$ |
| $u_1$ | $\tau _2$ | $m_2$ | $(g^{a_1},h^{a_1},h^{\frac{1}{a_1}})$ | $\sigma _2$ |
| $u_2$ | $\tau _3$ | $m_3$ | $(g^{a_2},h^{a_2},h^{\frac{1}{a_2}})$ | $\sigma _3$ |
| $u_3$ | $\tau _4$ | $m_4$ | $(g^{a_3},h^{a_3},h^{\frac{1}{a_3}})$ | $\sigma _4$ |
| $\ldots$ | $\ldots$ | $\ldots$ | $\ldots$ | $\ldots$ |

$$GateVal()\rightarrow \delta$$
The algorithm is executed by the cloud to generate verification tags. The inputs of a gate could be the original outsourced data, the constant $c\in Z_p$, or the output of the previous gate. The output is verification tag $\delta$. As the circuit is executed gate by gate, the verification tag of the previous gate output is used as the input for the next gate.
Let $f\left( x_1,\ldots ,x_n\right)$ be a polynomial function, where $x_i$ $(1\le i\le n)$ represents the outsourced data. Reference^11^ gives the definition of the polynomial function $f\left( x_1,\ldots ,x_n\right) =\sum _{i=1}^{n}{(c_i*\prod _{j} x_j^{e_j})}$. Then drawing on the idea of Horner’s method^38^, we further represent the delegate function as Eq. (3).

$$\begin{aligned} &f\left( x_1,\ldots ,x_n\right) \\ &=c_0+c_1\left( x_0^{e_{10}}x_1^{e_{11}}\ldots x_n^{e_{1n}}\right) \ldots c_n\left( x_0^{e_{n0}}x_1^{e_{n1}}\ldots x_n^{e_{nn}}\right) \\ &=c_0+x_0\left( c_1x_0^{e_{10}-1}+\ldots +c_nx_0^{e_{n0}-1}\right) +\ldots \end{aligned} \tag{3}$$

where $c_i$ represents the constant coefficient and $e_j$ represents the exponent of $x_j$. This form lets multiplication gates and addition gates be interleaved to express the delegated polynomial function, as shown in Fig. 2. It removes the restriction in the scheme^11^ that the addition gate must be carried out after the multiplication gate, which improves the verification efficiency. The cloud runs the polynomial function using the arithmetic circuit.

Figure 2. Polynomial functions are represented by arithmetic circuits.

For example, $f=x_1x_2x_3+3x_1x_4x_5+6x_1x_4=x_1(x_2x_3+3x_4\left( x_5+2\right) )$.
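The example polynomial above, evaluated gate by gate in both its expanded and its interleaved form, as an added Python example that is not the paper's code. It counts the gates of each kind, since every gate costs one GateVal() call and a multiplication of two variables involves KMC; the tuple encoding of circuits, the modulus `P` and the sample inputs are assumptions.

```python
from collections import Counter
from functools import reduce

P = 2**61 - 1  # constructed prime modulus standing in for p

# Circuit encoding (an assumption of this example):
#   ("x", i)      input wire x_i
#   ("c", v)      constant v in Z_p
#   ("+", l, r)   addition gate, ("*", l, r) multiplication gate


def X(i):
    return ("x", i)


def C(v):
    return ("c", v)


def add(*terms):
    """Chain of two-input addition gates over the given sub-circuits."""
    return reduce(lambda l, r: ("+", l, r), terms)


def mul(*terms):
    """Chain of two-input multiplication gates over the given sub-circuits."""
    return reduce(lambda l, r: ("*", l, r), terms)


# f = x1 x2 x3 + 3 x1 x4 x5 + 6 x1 x4, with additions after the multiplications
EXPANDED = add(mul(X(1), X(2), X(3)),
               mul(C(3), X(1), X(4), X(5)),
               mul(C(6), X(1), X(4)))

# f = x1 (x2 x3 + 3 x4 (x5 + 2)), with addition and multiplication interleaved
INTERLEAVED = mul(X(1), add(mul(X(2), X(3)),
                            mul(C(3), X(4), add(X(5), C(2)))))


def _eval(node, xs, counts):
    kind = node[0]
    if kind == "x":
        return xs[node[1]] % P
    if kind == "c":
        return node[1] % P
    left = _eval(node[1], xs, counts)
    right = _eval(node[2], xs, counts)
    # A gate with a constant operand is the "constant and variable" case;
    # otherwise both operands carry verification tags.
    with_const = node[1][0] == "c" or node[2][0] == "c"
    counts[kind + ("_const" if with_const else "_var")] += 1
    return (left + right) % P if kind == "+" else (left * right) % P


def run(circuit, xs):
    """Evaluate a circuit on inputs xs; return (value, gate counts)."""
    counts = Counter()
    value = _eval(circuit, xs, counts)
    return value, counts


if __name__ == "__main__":
    sample = {1: 2, 2: 3, 3: 5, 4: 7, 5: 11}  # constructed inputs
    for name, circuit in (("expanded", EXPANDED), ("interleaved", INTERLEAVED)):
        value, counts = run(circuit, sample)
        print(name, value, dict(counts), "total gates:", sum(counts.values()))
```

On the sample inputs both forms return the same value; the interleaved form uses 6 gates instead of 9, and 3 variable-by-variable multiplications instead of 5.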
If the gate is a multiplication gate, then
- The inputs are the constant $c\in Z_p$ and the variable x which has the verification tag $\delta (pk,\sigma \left( r,s\right) )$. For $y=x*c$, the GateVal() algorithm outputs the verification tag $\delta '(pk',\sigma ')$ as Eq. (4).
- The inputs are variable $x_1$ and $x_2$ with the verification tag $\delta _1({pk}_1,\sigma _1(r_1=h^{k_1},s_1=h^{a_1\left( t_{\tau 1}+x_1+k_1\right) } \bmod p))$ and $\delta _2({pk}_2,\sigma _2(r_2=h^{k_2},s_2=h^{a_2\left( t_{\tau 2}+x_2+k_2\right) } \bmod p))$ respectively. For $y=x_1*x_2$, the GateVal() outputs the verification tag $\delta '(pk',\sigma ')$.
- The cloud sends $\sigma _2,x_2$ to KMC.
- KMC verifies the signature $\sigma _2$ as shown in Eq. (2). If that fails, it outputs $\bot$; otherwise, KMC randomly selects $k_2'$, and uses $a_1'$ to generate $s_2'=a_1'\left( t_{\tau 2}+x_2+k_2'\right)$, $\hat{r}=r_1^{t_{\tau 2}+x_2+k_2'}$, $h^{k_2'}$, $pk'=(g^{a^*},h^{a^*},h^{\frac{1}{a^*}})$, where $a_1*a_1'=a^*$, and sends them to the cloud.
- The cloud computes verification tag $\sigma '=(r',s')$.
where $\phi =t_{\tau 1}x_2+t_{\tau 1}k_2'+x_1t_{\tau 2}+x_1k_2'+k_1t_{\tau 2}+k_1x_2+k_1k_2'$.
If the gate is an additive gate '+', then
- The inputs are the constant $c\in Z_p$ and the variable x which has the verification tag $\delta (pk,\sigma \left( r,s\right) )$. For $y=x+c$, the GateVal() algorithm outputs the verification tag $\delta '(pk',\sigma ')$ as Eq. (6).
- The inputs are variable $x_1$ and $x_2$ with the verification tag $\delta _1({pk}_1,\sigma _1\left( r_1,s_1\right) )$ and $\delta _2({pk}_2,\sigma _2\left( r_2,s_2\right) )$ respectively. For $y=x_1+x_2$, the GateVal() algorithm outputs the verification tag $\delta '(pk',\sigma ')$.
- If ${pk}_1={pk}_2$, this means that $\delta _1$ and $\delta _2$ have the same private key, i.e., $a=a_1=a_2$.
- If ${pk}_1\ne {pk}_2$, this means that $\delta _1$ and $\delta _2$ have different private keys, i.e., $a_1\ne a_2$.
  - (i) The cloud sends $\sigma _1,\sigma _2$ to KMC.
  - (ii) KMC generates $s_1'={(s_1)}^{a_1'}=h^{a^*\left( t_{\tau 1}+x_1+k_1\right) }$ using $a_1'$, generates $s_2'={(s_2)}^{a_2'}=h^{a^*\left( t_{\tau 2}+x_2+k_2\right) }$ using $a_2'$, and sends them to the cloud.
  - (iii) The cloud computes verification tag $\sigma '=(r',s')$.
$ProofCre(\delta) \rightarrow (P)$
The algorithm is executed by the cloud to generate the final proof message. The input is the verification tag obtained by running GateVal() on the last gate, and the output is the final proof message $P=\delta_R(pk,\sigma)$. The cloud sends the proof message P to KMC.
$VerifyProof(P) \rightarrow (True, False)$
The algorithm is executed by KMC to verify the results of the polynomial calculations. The input is the proof message P, and the output is True or False. True indicates that the result is correct; False indicates that the result is incorrect.
KMC receives the calculation result of the function $R=f(x_1,\ldots,x_n)$ and the proof information $P=\delta_R(pk,\sigma(r,s))$. Given that each input $x_i$ of the polynomial has a label $\tau_i$, KMC computes $t_i=H(\tau_i)$, then KMC computes $\rho \leftarrow f(t_1,\ldots,t_n)$. The correctness of the result R is verified using P. If the check is passed, the result R is correct and the output is True. Otherwise, the result R is incorrect and the output is False.
$$e(g,s)=e({pk}^{(1)},r*h^\rho*h^R) \tag{9}$$
In practice, the data $\rho \leftarrow f(t_1,\ldots,t_n)$ can be generated and stored in advance to increase efficiency.
Security analysis
We analyze the security of the scheme from two aspects: correctness and soundness. First, we confirm that the verification tag designed in this scheme supports addition homomorphism and multiplication homomorphism, and on this basis we verify the correctness of the scheme based on the Computational Diffie-Hellman (CDH) Assumption. Second, we confirm the soundness of the scheme, in which the verification tag forged by the attacker cannot pass the verification test.
Correctness
We verify that the verification tag designed by the scheme supports addition homomorphism and multiplication homomorphism, and then we verify the correctness of the scheme based on the CDH hypothesis.
Lemma 1
The verification tag is additive homomorphic.
Proof
In the addition gate, the inputs $x_1$ and $x_2$ have the labels $\tau_1$ and $\tau_2$ (for the constant c, the labels are c), and get $t_{\tau 1}=H(\tau_1)$ and $t_{\tau 2}=H(\tau_2)$. For $y=x_1+x_2$, the cloud generates verification tags $\sigma'=(r',s')=(h^{k_1+k_2},\ h^{a^*(t_{\tau 1}+t_{\tau 2}+(x_1+x_2)+k_1+k_2)})$, where $a^*$ is the security parameter selected by KMC. Therefore, KMC can verify the correctness of $y=x_1+x_2$ by Eq. (10) using the verification tags without knowing $x_1$ and $x_2$.
$$\begin{aligned} e(g,s)&=e(g^{a^*},h^{a^*((t_{\tau 1}+t_{\tau 2})+(x_1+x_2)+(k_1+k_2))})\\ &=e({pk}^{(1)},r'*h^{t_{\tau 1}+t_{\tau 2}}*h^{x_1+x_2}) \end{aligned} \tag{10}$$
It is obvious that verification tags are additive homomorphic.
Lemma 2
The verifying tag is multiplicative homomorphic.
Proof
In the multiplication gate, the inputs $x_1$ and $x_2$ have the labels $\tau_1$ and $\tau_2$ (for the constant c, the labels are c), and get $t_{\tau 1}=H(\tau_1)$ and $t_{\tau 2}=H(\tau_2)$. For $y=x_1*x_2$, the cloud generates verification tags $\sigma'=(r',s')=(h^k,\ h^{a^*(t_{\tau 1}t_{\tau 2}+x_1x_2+k)})$, where $a^*$ is the security parameter selected by KMC. Therefore, KMC can verify the correctness of $y=x_1*x_2$ by Eq. (11) using the verification tags without knowing $x_1$ and $x_2$.
$$\begin{aligned} e(g,s)&=e(g^{a^*},h^{t_{\tau 1}t_{\tau 2}+x_1x_2+k})\\ &=e({pk}^{(1)},r'*h^{t_{\tau 1}t_{\tau 2}}*h^{x_1x_2}) \end{aligned} \tag{11}$$
It is obvious that verification tags are multiplicative homomorphic.
Theorem 1
The correctness of the scheme is achieved.
Proof
According to Lemmas 1 and 2, the verification tag of this scheme is a homomorphic verifiable label. KMC can verify the correctness of the calculation results without knowing the input. The correctness of this scheme is equivalent to proving the correctness of VerifyProof(). The correctness of Eq. (9) can be verified by Eq. (12).
$$\begin{aligned} e(g,s)&=e(g,h^{a(\rho+R+k)})\\ &=e(g^a,h^{\rho+R+k})\\ &=e({pk}^{(1)},r*h^\rho*h^R) \end{aligned} \tag{12}$$
Soundness
Theorem 2
The soundness of the scheme is achieved.
Proof
We demonstrate the soundness of the scheme, which shows that once the cloud or an external attacker is able to pass the verification by forging the verification tag with a false result, they are able to establish adversary $\mathcal{A}$ with a non-negligible probability.
Assume that the security parameters of the system are $(e,p,G_1,G_2,h,H)$, where $h=g^x, x\in Z_p$. Define the proof information $P=\delta_R(PK,\sigma(r,s))$, ${PK}^{(1)}=g^a$, where $a=x*y\ (y\in Z_p)$. The adversary $\mathcal{A}$ outputs the CDH challenge as $(g^{xy},g^y)=({PK}^{(1)},h)$. Define $q_{H_i}$ as the number of times to count the process $t_\tau=H(\tau)$. Thus, the probability of a collision occurring in H used to compute $t_{\tau_i}$ is at most $q_{H_i}/2^l$, where l is the length of the output of H. Based on the Reset Lemma^39^, adversary $\mathcal{A}$ can generate two verification tags $\delta_1(PK,\sigma_1(r,s_1)),\ \delta_2(PK,\sigma_2(r,s_2))$ with probability at least $\prod_{i=1}^{n}{(\epsilon-(\epsilon*q_{H_i}+1)/2^l)}^2$.
The adversary $\mathcal{A}$ forges verification tags $\sigma_1(r=h^k,\ s_1=h^{a(\rho_1+R+k)} \bmod p)$, $\sigma_2(r=h^k,\ s_2=h^{a(\rho_2+R+k)} \bmod p)$, where $\rho_1,\rho_2$ are two different outputs of $\rho \leftarrow f(t_1,\ldots,t_n)$. Adversary $\mathcal{A}$ can solve the CDH problem by calculating:
$$\left(\frac{s_1}{s_2}\right)^{\frac{1}{\rho_1-\rho_2}}=\left(\frac{h^{a(\rho_1+R+k)}}{h^{a(\rho_2+R+k)}}\right)^{\frac{1}{\rho_1-\rho_2}}=h^a={(g^x)}^{xy}=g^{x^2y}$$
It is obvious that if the attacker can forge the verification tag, then we can solve the CDH problem, which is impossible. Therefore, the verifiable computation scheme is sound, that is, an attacker cannot fabricate proof information for any wrong result.
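As an added example (not code from the paper), the sketch below walks through key-unification steps (i) to (iii), the additive homomorphism of Lemma 1, the VerifyProof check and the extraction used in the soundness proof, in a toy model where each group element is stored as its exponent; it checks the algebra only and offers no security. The function names, the modulus `Q`, the sample labels and inputs, the form $a_i' = a^*/a_i$ and the component-wise product in the addition gate are assumptions.

```python
import hashlib
import secrets

# Toy "exponent model", constructed for illustration and NOT secure: a group
# element g^u is stored as the integer u mod Q. Multiplying elements adds
# exponents, exponentiation multiplies them, and e(g^u, g^v) = gT^(u*v).
Q = 2**127 - 1                          # prime group order (constructed value)
G = 1                                   # the generator g = g^1
H_GEN = secrets.randbelow(Q - 1) + 1    # h = g^x for a random x in Z_Q


def g_mul(u, v):
    return (u + v) % Q                  # product of two group elements


def g_pow(u, e):
    return (u * e) % Q                  # group element raised to scalar e


def pair(u, v):
    return (u * v) % Q                  # e(u, v), kept as an exponent of gT


def rand_scalar():
    return secrets.randbelow(Q - 1) + 1


def hash_label(label):
    """t = H(tau): hash a data label into Z_Q."""
    return int.from_bytes(hashlib.sha256(label.encode()).digest(), "big") % Q


def sign(a, label, x):
    """Tag of the form used in the proofs: r = h^k, s = h^(a(t + x + k))."""
    k = rand_scalar()
    t = hash_label(label)
    return g_pow(H_GEN, k), g_pow(H_GEN, a * (t + x + k) % Q)


def kmc_rekey(s, a_src, a_star):
    """Step (ii): s' = s^(a'), taking a' = a*/a_src mod Q (assumed form)."""
    return g_pow(s, a_star * pow(a_src, -1, Q) % Q)


def cloud_add(tag1, tag2):
    """Step (iii), addition gate: component-wise product (assumed form)."""
    return g_mul(tag1[0], tag2[0]), g_mul(tag1[1], tag2[1])


def verify_proof(pk, tag, rho, result):
    """VerifyProof: e(g, s) == e(pk^(1), r * h^rho * h^R)."""
    r, s = tag
    rhs = g_mul(g_mul(r, g_pow(H_GEN, rho)), g_pow(H_GEN, result))
    return pair(G, s) == pair(pk, rhs)


def extract_h_pow_a(s1, s2, rho1, rho2):
    """Soundness step: (s1/s2)^(1/(rho1 - rho2)) = h^a."""
    quotient = (s1 - s2) % Q            # s1 / s2 in the group
    return g_pow(quotient, pow((rho1 - rho2) % Q, -1, Q))


def demo():
    a_star = rand_scalar()              # unified key a* chosen by KMC
    pk_star = g_pow(G, a_star)          # pk^(1) = g^(a*)
    a1, a2 = rand_scalar(), rand_scalar()   # private keys of two data sources
    labels = ("source-1/reading-7", "source-2/reading-7")  # constructed labels
    x1, x2 = 20, 22                     # constructed inputs
    r1, s1 = sign(a1, labels[0], x1)
    r2, s2 = sign(a2, labels[1], x2)
    # Cloud sends s1, s2 to KMC, gets re-keyed values back, then adds the tags.
    tag = cloud_add((r1, kmc_rekey(s1, a1, a_star)),
                    (r2, kmc_rekey(s2, a2, a_star)))
    rho = (hash_label(labels[0]) + hash_label(labels[1])) % Q  # rho = f(t1, t2)
    honest = verify_proof(pk_star, tag, rho, x1 + x2)
    cheating = verify_proof(pk_star, tag, rho, x1 + x2 + 1)    # wrong result R
    # Two tags sharing r and R but built on different rho values reveal h^a.
    k, rho1 = rand_scalar(), rand_scalar()
    rho2 = (rho1 + 1) % Q
    f1 = g_pow(H_GEN, a_star * (rho1 + 42 + k) % Q)
    f2 = g_pow(H_GEN, a_star * (rho2 + 42 + k) % Q)
    extracted = extract_h_pow_a(f1, f2, rho1, rho2) == g_pow(H_GEN, a_star)
    return honest, cheating, extracted


if __name__ == "__main__":
    print(demo())
```

With a real pairing library the same checks apply unchanged; only `g_mul`, `g_pow` and `pair` would be replaced by actual group operations.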
Performance analysis
Communication cost
In the polynomial verifiable computation scheme, there are two types of communication costs.
- The cloud needs to communicate with KMC to transmit proof information. The proof information is expressed as $P=\delta_R(pk,\sigma)$, so the communication cost of the proof information is $|S_{pk}|+|S_\sigma|$, where the size of the public key pk is $|S_{pk}|$ and the size of the signature $\sigma$ is $|S_\sigma|$.
- The cloud needs to communicate with KMC to generate corresponding security parameters in the GateVal() algorithm. The communication cost of the generated intermediate parameter in the multiplication gate is $c_* * |S_G|$, where $|S_G|$ indicates the size of the data in $G_1$, and $c_*$ is 0 or 1, indicating the two calculation methods of the multiplication gates. For the additive gate of the polynomial function, the communication cost of the generated intermediate parameter is $c_+ * |S_G|$, where $c_+$ is 0, 1, or 2, indicating the three computation methods of the additive gates. Thus the communication cost is $(c_* * {sum}_*) * |S_G| + (c_+ * {sum}_+) * |S_G| = (c_+ * {sum}_+ + c_* * {sum}_*) * |S_G|$, where ${sum}_*$ represents the number of multiplication gates in the circuit and ${sum}_+$ represents the number of additive gates in the circuit.
Computation cost
We assume $T_{exp},T_{add},T_{mul},T_{hash},T_{mod},T_{pair}$ represent the exponentiation operation, addition operation, multiplication operation, hash operation, modular operation, and pairing operation of bilinear mapping, respectively.
The calculating cost of Sign() is $2T_{exp}$.
In GateVal(), the calculating cost is $2T_{exp}$ for Eq. (4), $2T_{add}+3T_{mul}+2T_{hash}+3T_{exp}$ for Eq. (5), $2T_{exp}+T_{add}+2T_{mul}+T_{hash}$ for Eq. (6), $2T_{exp}$ for Eq. (7), and $2T_{mul}$ for Eq. (8).
The calculating cost of ProofGen() is the sum of the calculating costs of all gates $\sum_{g\in |f|} T_g$, where $|f|$ represents the set of gates in a polynomial function, and $T_g$ represents the calculating cost of performing an addition or multiplication gate of the GateVal() algorithm.
The calculating cost of VerifyProof() is $2T_{exp}+2T_{mul}+T_{pair}+T_\rho$, where $T_\rho$ indicates the calculating cost of computing $\rho \leftarrow f(t_1,\ldots,t_n)$.
We compare the proposed scheme in the paper with existing solutions^11^, as shown in Table 3. In Table 3, we can see that their calculating costs are similar during the signature stage. However, in practice, the signature methods of the two schemes are different in design and operation. There are two signature methods designed in the existing scheme^11^, which may be due to the requirement that the addition gate must be executed after the multiplication gate when generating the verification tag. This approach affects the generation efficiency of the verification tag in subsequent steps. In contrast, the proposed scheme in the paper does not have this limitation, so it can generate the verification tag more efficiently. In addition, the scheme in the paper uses Horner’s method to optimize polynomials when generating verification labels. We can see that the GateVal() and ProofCre() algorithms are used to generate the verification tag, which is more efficient than the existing scheme^11^. This method can make the generation of the verification tag faster, thereby improving the efficiency of the entire scheme. In contrast, the existing scheme^11^ may not adopt this optimization method, resulting in slower generation of the verification tag. We can find that the difference in calculating cost between the two schemes mainly exists when the inputs are the variables $x_1,x_2$ with different public keys. This is because, for the polynomial-based verifiable computation scheme on multi-source outsourced data, the design of this part is the difficulty and focus. The scheme^11^ requires that addition gates must be executed after multiplication gates, and designs complex two-level tags, resulting in inefficiency. The proposed scheme improves this by using a unified verification tag, allowing multiplication and addition gates to be executed in parallel, resulting in improved efficiency of verification tag generation.
To sum up, we use Horner’s method to optimize the polynomial, which makes the system execute significantly fewer addition and multiplication gates than the existing scheme. This is our main idea for improving efficiency. To fit this structure, we design an efficient verification tag that supports both additive and multiplicative homomorphism, so that addition gates and multiplication gates can be interleaved and the verification speed further improved. As a result, the proposed scheme is more efficient than the existing scheme.

Table 3. Comparison with scheme^11^.

| Scheme | The scheme^11^ | The proposed scheme | The input of algorithm |
|---|---|---|---|
| Sign() | $T_{exp}+2T_{add}+T_{mul}+T_{hash}+T_{mod}$ | $T_{exp}+2T_{add}+T_{mul}+T_{hash}+T_{mod}$ | The input is the outsourced data $x$ |
| Multiplication gate in GateVal() | $T_{exp}+T_{mul}$ | $2T_{exp}$ | The inputs are the constant $c\in Z_p$ and the variable $x$ |
| | $2T_{add}+4T_{mul}+2T_{hash}+2T_{exp}$ | $2T_{add}+3T_{mul}+2T_{hash}+3T_{exp}$ | The inputs are the variables $x_1,x_2$ |
| Additive gate in GateVal() | $2T_{exp}$ | $2T_{exp}$ | The inputs are the variables $x_1,x_2$ with the same public key |
| | $2T_{exp}+T_{add}+2T_{mul}+T_{hash}$ | $2T_{exp}+T_{add}+2T_{mul}+T_{hash}$ | The inputs are the constant $c\in Z_p$ and the variable $x$ |
| | $2T_{exp}+2T_{mul}$, where the verification tags of $x_1,x_2$ are both 1-level verification tags; $T_{exp}+T_{add}+T_{mul}+T_{hash}$, where the inputs are a constant $c\in Z_p$ and the variable $x$ with the 2-level verification tag; $2T_{mul}+T_{exp}$, where the verification tag of $x_1$ is a 1-level verification tag and the verification tag of $x_2$ is a 2-level verification tag; $2T_{mul}+T_{exp}$, where the verification tags of $x_1,x_2$ are both 2-level verification tags | $2T_{mul}$ | The inputs are the variables $x_1,x_2$ with different public keys |
| ProofCre() | $\sum_{g\in \lvert f\rvert} T_g$ | $\sum_{g\in \lvert f\rvert} T_g$ | The verification tag |
| VerifyProof() | $2T_{exp}+2T_{mul}+T_{pair}+T_\rho$ | $2T_{exp}+2T_{mul}+T_{pair}+T_\rho$ | The final proof message |
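The gate-count argument above can be checked on a concrete circuit. The following is an added example, not code from the paper: it evaluates one polynomial over $Z_p$ in Horner form, where multiplication and addition gates alternate, and in a two-layer form where every multiplication gate runs before any addition gate. The modulus, the coefficients and the `layered` circuit are constructed assumptions; `layered` is only one way to satisfy that ordering and is not the actual circuit of scheme^11^.

```python
# Added illustration: gate counts for one polynomial over Z_p.
# P, the coefficients and the trace format are constructed for this example.

P = 2**61 - 1  # constructed prime modulus standing in for the scheme's Z_p


class Circuit:
    """Evaluates gates over Z_p and records the order they were executed in."""

    def __init__(self):
        self.trace = []  # one "mul" or "add" entry per executed gate

    def mul(self, a, b):
        self.trace.append("mul")
        return (a * b) % P

    def add(self, a, b):
        self.trace.append("add")
        return (a + b) % P

    def count(self, kind):
        return self.trace.count(kind)


def horner(coeffs, x):
    """f(x) = c_0 + c_1*x + ... + c_d*x^d with coeffs = [c_0, ..., c_d].

    Each step is one multiplication gate followed by one addition gate,
    so the two gate types alternate through the whole evaluation.
    """
    c = Circuit()
    acc = coeffs[-1] % P
    for coeff in reversed(coeffs[:-1]):
        acc = c.mul(acc, x)
        acc = c.add(acc, coeff)
    return acc, c


def layered(coeffs, x):
    """Same polynomial with every multiplication gate before any addition gate.

    Layer 1 builds the powers x^2..x^d and the monomials c_i * x^i;
    layer 2 sums the monomials.
    """
    c = Circuit()
    monomials = [coeffs[0] % P]
    power = x % P
    for i, coeff in enumerate(coeffs[1:], start=1):
        if i > 1:
            power = c.mul(power, x)
        monomials.append(c.mul(coeff, power))
    total = monomials[0]
    for m in monomials[1:]:
        total = c.add(total, m)
    return total, c


def compare(coeffs, x):
    """Return (mul, add) gate counts for both forms once they agree mod P."""
    h_val, h = horner(coeffs, x)
    l_val, lay = layered(coeffs, x)
    if h_val != l_val:
        raise ValueError("circuits disagree")
    return {
        "value": h_val,
        "horner": (h.count("mul"), h.count("add")),
        "layered": (lay.count("mul"), lay.count("add")),
    }
```

For a degree-$d$ polynomial, Horner form uses $d$ multiplication and $d$ addition gates, while this layered form uses $2d-1$ multiplication gates before its $d$ addition gates.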
Experimental results
Experiment setup
The experiment was conducted on an Intel(R) Core(TM) i5-10210U CPU @ 1.60 GHz 2.11 GHz. The dataset was air pollution data for 367 major cities in China. In the experiment, we uploaded the air pollution data as raw data to the cloud server. This data is used for data analysis, and the results of the analysis are published. The analyses calculate, for example, the average air quality of all cities in the country or the average value of a certain pollution component in a city.
The performance of the scheme is compared with homomorphic MAC^10^, ADSNARK^40^, and verifying tag^11^. The homomorphic MAC^10^ does not support multiple data sources. We mainly measure the efficiency of the scheme from three aspects: the calculating cost of signature generation, the calculating cost of proof information generation, and the calculating cost of the verification phase.
The calculating cost of signature generation
In the signature generation, the data is signed and uploaded to the cloud along with the original data. We must ensure the efficiency of signing, which is closely related to the efficiency of the offline phase. To measure the calculating cost of the signature generation algorithm Sign(), we compare the Sign() algorithm in the scheme with the homomorphic MAC^10^, ADSNARK^40^ and verifying tag^11^, where the data scale ranges from 1000 to 10,000. As shown in Fig. 3, the calculating cost of signing increases with the data volume. The time cost of signature generation in this scheme is similar to that of verifying tag^11^. In particular, signatures can be generated offline at the user side before the data is uploaded to the cloud, which does not affect the data correctness checks at the online stage. The homomorphic MAC cannot directly support multiple data contributors, so this scheme can generate signatures relatively quickly while the inputs of polynomials support multiple data sources.

Figure 3. The calculating cost of the signature generation with different data scale.
The calculating cost of proof information generation
After the signature is generated, the cloud generates the proof information by algorithm ProofGen(). Here we evaluate the calculating cost of the algorithm ProofGen() from two perspectives.
First, one of the important motivations of our scheme is to improve efficiency and to suit polynomial calculations of higher order, so we evaluate the calculating cost for polynomial functions of different orders. To measure the efficiency of the scheme comprehensively, we randomly select polynomials of high order, where the order of the polynomial function ranges from 50 to 500. We compare the ProofGen() algorithm in the scheme with the homomorphic MAC, ADSNARK and verifying tag, and we assume that all data is outsourced and signed by a single user.
Figure 4 shows that the calculating cost of the scheme does not increase noticeably as the polynomial order increases. The scheme also consumes less time than the other schemes^10,11,40^, which shows that it can effectively reduce the calculating cost of proof information generation. In particular, the scheme can generate the verification tag much faster when the order of the polynomial is high. This is because the scheme is not limited by the polynomial structure, and the multiplicative gates and the additive gates can be executed interleaved. When polynomials are optimized by Horner’s method, verification tag generation can be faster than in other schemes.

Figure 4. The calculating cost of the proof information generation with different polynomial order.

Second, one of the motivations for our scheme is that it suits cases where the input of a polynomial comes from multiple data sources, so we evaluate the calculating cost of polynomial functions with different numbers of data owners, where the number of data owners ranges from 1 to 300. In the experiment, the input of the polynomial is pollution data from multiple cities, signed using different private keys. The homomorphic MAC cannot directly support multiple data contributors, so we compare the ProofGen() algorithm in the scheme with ADSNARK and verifying tag.
Figure 5 shows that the algorithm ProofGen() executes very quickly on the cloud server and its cost does not increase significantly even when the data comes from multiple users. The scheme clearly performs calculations much faster than the other schemes. Comparing the two subgraphs, the time cost does not increase significantly with the polynomial order, which indicates that the scheme is suitable for complex polynomials. Therefore, this scheme can verify the correctness of the calculated results very quickly when the data is derived from multiple data sources.

Figure 5. The calculating cost of proof information generation in the cloud with different number of data owner.
The calculating cost of verification phase
After the proof information is sent to the key management center, the key management center executes the algorithm VerifyProof() to verify the accuracy of the calculation results using the proof information. We evaluate the calculating cost of the verification phase for polynomial functions of different orders. We compare the ProofGen() algorithm in the scheme with the homomorphic MAC, ADSNARK and verifying tag, and we assume that all data is outsourced and signed by a single user.
Figure 6 shows that the calculating cost of the scheme does not increase significantly as the polynomial order increases. This is because, even if the data comes from a large number of users, only one piece of proof information corresponding to one result is generated after the polynomial calculation. Therefore, the time consumed in the verification phase does not increase significantly as the number of data sources grows. The calculating cost of the scheme also turns out to be smaller than that of the other schemes. The experimental results show that the proposed scheme can quickly and effectively verify the correctness of the calculated results, even if the data comes from multiple data sources.

Figure 6. The calculating cost of the verification phase with different polynomial order.
Discussion
This paper presents an efficient polynomial-based verifiable computation scheme for multi-source outsourced data. We optimize polynomials for faster verification using Horner’s method, under which addition and multiplication gates can be interleaved in the polynomial function. To fit this structure, we design the corresponding homomorphic verification labels, so that the input of the polynomial can come from multiple data sources. Our proposal has some important advantages. First, it works with multi-source data, which means that the input values of the polynomial can come from multiple users. This can be important in practical applications, such as distributed systems or secure multi-party computing. Second, our solution is efficient. By using Horner’s method, we reduce the amount of computation required, which speeds up verification.
However, our proposal also has some potential limitations and directions for future research. First, our scheme is only suitable for verifying the correctness of the calculation results of entrusted polynomial functions, and may not be suitable for all types of data and computation tasks. Second, the user's work in the preprocessing stage may be complex, and it consumes a certain amount of computing and storage resources on the user side. To address these problems, future work will focus on extending this scheme to handle more complex polynomial functions and on further enhancing its efficiency. We also plan to investigate the application of this scheme in other fields, such as cryptography and distributed computing, where polynomial-based computations play a crucial role. Additionally, we aim to develop more secure and privacy-preserving methods for outsourced data computation to address the concerns of untrustworthy cloud servers.
Conclusion
Verifiable computing means that a computing task is outsourced to an untrusted cloud server, and the untrusted cloud server must submit a correctness proof of the calculation results along with completing the task. There are two main problems with existing verifiable computing schemes. First, they require that the input of the polynomial come from a single data source. Second, the design of their verification labels may reduce efficiency, especially when the polynomial function is relatively complex, so that the verification process becomes extremely slow and can even affect the use of the data. To solve these problems, we design for the first time an efficient polynomial-based verifiable computation scheme on multi-source outsourced data, which is both efficient and supports multiple data sources. As the polynomial function is executed gate by gate, we use the key management center to convert the signatures produced by different users into verification tags under unified public and private keys, so that the input of the polynomial can come from multiple data sources. In particular, we optimize the polynomials using Horner’s method, so that the corresponding verification tag can be generated with multiplication gates and addition gates interleaved, which improves efficiency. We then demonstrate the security of the scheme from two aspects: correctness and soundness. The performance of the scheme is verified by experiments, which show that the scheme is more efficient than the existing schemes. Therefore, the scheme is able to provide efficient verifiable computing in cloud outsourcing services, where the input of polynomials can come from multiple data sources. Overall, the work presented in this paper represents a significant step forward in achieving efficient and secure verifiable computation on multi-source outsourced data. We believe that our future research will further enhance the capabilities and applicability of this scheme, paving the way for more reliable and privacy-preserving cloud computing services.
References
- 1. Abo-alian, A., Badr, N.L., & Tolba, M.F. Data storage security service in cloud computing: challenges and solutions. In Handbook of Research on Machine Learning Innovations and Trends. 61–93 10.1007/978-3-319-44270-9_2 (2017).
- 2. Ramesh, D., Mishra, R., & Trivedi, M.C. PCS-ABE (t, n): A secure threshold multi authority CP-ABE scheme based efficient access control systems for cloud environment. J. Ambient Intell. Hum. Comput. 12(10), 9303–9322 10.1007/s12652-020-02643-2 (2021).
- 3. Mishra, R., Ramesh, D., & Edla, D.R. Dynamic large branching hash tree based secure and efficient dynamic auditing protocol for cloud environment. Cluster Comput. 24, 1361–1379 10.1007/s10586-020-03193-0 (2021).
- 4. Applebaum, B., Ishai, Y., & Kushilevitz, E. From Secrecy to Soundness: Efficient Verification via Secure Computation. 152–163 10.1007/978-3-642-14165-2_14 (Springer, 2010).
- 5. Parno, B., Raykova, M., & Vaikuntanathan, V. How to Delegate and Verify in Public: Verifiable Computation from Attribute-Based Encryption. 422–439 10.1007/978-3-642-28914-9_24 (Springer, 2012).
- 6. Chen, X., Li, J., & Ma, J. New algorithms for secure outsourcing of modular exponentiations. ESORICS 25(9), 2386–2396 (2013).
- 7. Hohenberger, S., & Lysyanskaya, A. How to securely outsource cryptographic computations. In TCC 2005. 264–282 (2005).
- 8. Zhang, L. F. & Safavi-Naini, R. Private outsourcing of polynomial evaluation and matrix multiplication using multilinear maps. In CANS 2013. 329–348 (2013).
