Privacy-preserving verifiable delegation of polynomial and matrix functions

1.1 Our work

In this paper, we develop the first verifiable computation schemes where the client’s input is kept private from the server; both the client and the server computations are free of FHE, garbled circuits and Boolean circuit representations, and the security is proved in a strong model that allows verification queries. We achieve these properties for two types of functions: multivariate polynomials and functions that are represented by a matrix over a finite field.

1.2 Related work

Securely outsourcing computation dates back to the work on interactive proofs [3, 22], PCP-based efficient arguments [29, 30], CS proofs [35] and the muggle proofs [21]. While these schemes are either interactive or in the random oracle model, the verifiable computation of Gennaro, Gentry and Parno [18] is non-interactive and in the standard model.

The verifiable computation schemes of [2, 4, 13, 18] attain input (and output) privacy and thus resolve both security issues simultaneously. However, they have to use the expensive cryptographic primitives such as FHE and/or garbled circuits and occasionally represent the function f as a Boolean circuit. As a result, these schemes are not efficient enough both in terms of server computation and in terms of client computation. Furthermore, these schemes are only secure against adversaries that do not make verification queries. Goldwasser et al. [20] show how to construct reusable garbled circuits and obtain private schemes but again make use of FHE. Ananth et al. [1] constructed a verifiable computation scheme achieving input (and output) privacy using multiple servers, where FHE is not used but the security requires at least one of the servers is honest.

Fiore, Gennaro and Pastro [17] consider verifiable computation schemes where the data on cloud server (the function f in our setting) is kept private. In our schemes, the data on server is not necessarily encrypted, but the client’s input x should be kept semantically secure in order to achieve input (and output) privacy. That is, we are studying a problem orthogonal to [17]. The schemes of [27, 32] consider the same problem as [17].

The verifiable computation schemes of [6, 9, 11, 14, 16, 21, 39] require the client to send its input to the cloud server in clear and thus attain no input (or output) privacy.

2.1 Verifiable computation

A verifiable computation scheme [6, 18] is a two-party protocol between a client and a server. The client provides a function f and an input x to the server. The server is expected to compute f(x) and respond with the (possibly encoded) output together with a proof that the output is correct. The client then verifies the output is indeed correct. The goal of verifiable computation is to make the client’s verification as efficient as possible, and in particular much faster than the computation of f(x) from scratch. In the amortized model of [6, 18], the client is allowed to do an expensive preprocessing on f to produce a key pair and then use the key pair to efficiently verify the server’s computation of f on many different inputs. The scheme is said to be outsourceable if each individual verification is much faster than the corresponding computation.

A verifiable computation scheme 𝓥𝓒 = (KeyGen, ProbGen, Compute, Verify) for an admissible function family 𝓕 consists of four polynomial-time algorithms defined below.

• (PK_f, SK_f) ← KeyGen(1^λ, f): Based on the security parameter λ, the randomized key generation algorithm generates a public key that encodes the target function f and the matching secret key. The public key is provided to the server, and the secret key is kept private by the client.

• (σ_x, τ_x) ← ProbGen(SK_f, x): The problem generation algorithm uses the secret key SK_f to encode the function input x as a public value σ_x which is given to the server, and a secret value τ_x which is kept private by the client.

• σ_y ← Compute(PK_f, σ_x): Using the client’s public key and the encoded input, the server computes an encoded version (i.e., σ_y) of the function’s output y = f(x).

• {y, ⊥} ← Verify(SK_f, τ_x, σ_y): Using the secret key SK_f and the secret “decoding” value τ_x, the verification algorithm converts the server’s encoded output into the output of the function, e.g., y = f(x), or outputs ⊥ indicating that σ_y does not represent the valid output of f on x.

We are interested in verifiable computation schemes that are correct, secure, private and outsourceable. The scheme is said to be correct if the problem generation algorithm produces values that allow an honest server to compute values that will verify successfully and be converted to the evaluation of f on the client’s input x.

Definition 1

(Correctness). The scheme 𝓥𝓒 is correct if, for any function f from the admissible function family 𝓕, the key generation algorithm produces keys (PK_f, SK_f) ← KeyGen(1^λ, f) such that, for all x ∈ Domain(f), if (σ_x, τ_x) ← ProbGen(SK_f, x) and σ_y ← Compute(PK_f, σ_x), then Verify(SK_f, τ_x, σ_y) = f(x).

Intuitively, a verifiable computation scheme is secure if a malicious server cannot persuade the verification algorithm to accept an incorrect output. In other words, for a given function f and input x, a malicious server should not be able to convince the verification algorithm to output a value ŷ such that ŷ ≠ f(x). This intuition can be formalized by the following experiment.

Figure 1

Experiment ExpAVer (𝓥𝓒, f, λ).

In the experiment ExpAVer(𝓥𝓒, f, λ), the adversary 𝓐 is given a polynomial number (i.e., L) of opportunities to persuade the verification algorithm to accept the wrong output value for an input value. In each trial, the adversary is given oracle access to generate the encoding of a problem instance, and also oracle access to the result of the verification algorithm on an arbitrary string on that instance. The adversary succeeds if it ever convinces the verification algorithm in a trial to accept the wrong output value for the input value. The security of 𝓥𝓒 requires that the adversary succeeds only with negligible probability.

Definition 2

(Security). The scheme 𝓥𝓒 is secure if, for any function f ∈ 𝓕 and for any probabilistic polynomial-time adversary 𝓐, there is a negligible function negl such that

Pr[ExpAVer(VC,f,λ)=1]≤negl⁡(λ).

Intuitively, a verifiable computation scheme is (input) private when the public outputs of the problem generation algorithm ProbGen for two different inputs are indistinguishable; i.e., nobody can decide which encoding is the correct one for a given input. The input privacy can be defined based on a typical indistinguishability argument and yields output privacy. Let PubProbGen(SK_f, ⋅) be an oracle that computes (σ_x, τ_x) ← ProbGen(SK_f, x) on any input x and returns only the public value σ_x. We formalize the intuition (on input privacy) with the following experiment.

Figure 2

Experiment ExpAPri(𝓥𝓒, f, λ).

We work in the amortized model of [6, 18], where the time required for KeyGen(1^λ, f) is not included in the above definition. In this model, computing the key pair (PK_f, SK_f) is a one-time operation (per function) that can be amortized over the computation of on many (in fact, any poly(λ) number of) different inputs. Apart from this amortization, we also consider a second level of amortization occasionally, where a number of different inputs, say x₁, …, x_s, are processed by ProbGen together and the delegation and verification of the computations f(x₁), …, f(x_s) are done simultaneously.

3.1 Noisy curve reconstruction assumption

The noisy curve reconstruction assumption generalizes the noisy polynomial reconstruction assumption [28, 36], which was widely used in protocol design [26, 42] and is based on the hardness of noisy polynomial list reconstruction problems.

An augmented version of the CR problem requires one to learn a from {(zi,yi)}i=1n (instead of {yi}i=1n) and was resolved in [15] when t > (nk^h)^1/(h+1) + k + 1. The problem remains hard when t = o((nk^h)^1/(h+1)), and the CR assumption remains plausible despite of the progress in list decoding [7, 15, 23, 26, 40].

3.2 Multivariate polynomial interpolation and noisy encoding

Multivariate polynomial interpolation allows one to learn the value of a multivariate polynomial at a point, given its restriction on a parametric curve passing through that point. Let h, d > 0 be integers. For any vector i = (i₁, …, i_h) of non-negative integers, we denote wt(i) = i₁ + ⋯ + i_h as the weight of i. Let 𝔽 be any finite field. We denote by 𝔽[x] = 𝔽[x₁, …, x_h] the ring of all polynomials in the h variables x = (x₁, …, x_h) and denote by xi=x1i1⋯xhih the monomial of multidegreei (and degree wt(i)) in x. Let f(x) = ∑_i:wt(i)≤df_i ⋅ xⁱ be any h-variate polynomial of degree ≤ d over 𝔽, and let a = (a₁, …, a_h) ∈ 𝔽^h. The multivariate polynomial interpolation technique of learning f(a) can be described as the following procedure:

• choose r₁, …, r_k ← 𝔽^h; define a parametric curve γ(z) = a + r₁ ⋅ z + ⋯ + r_k ⋅ z^k;

• learn f(γ(z_i)) for t ≥ kd + 1 distinct nonzero field elements z₁, …, z_t ∈ 𝔽 ∖ {0};

• interpolate the polynomial g(z) = f(γ(z)) of degree ≤ kd with {(zi,f(γ(zi)))}i=1t;

• output g(0) (which is equal to f(γ(0)) = f(a)).

This procedure allows one to hide a from a subset of the players in distributed protocols for evaluating a multivariate polynomial f(x), such as in the private information retrieval (PIR) protocols [12, 43], where a client gives t points γ(z₁), …, γ(z_t) to t servers such that no k or less servers can learn any information about a, the i-th server returns g(z_i) and the client recovers f(a) from the t values g(z₁), …, g(z_t). We consider the t points γ(z₁), …, γ(z_t) as a noiseless encoding of a, which leaks absolutely no information about a to any adversary that observes ≤ k of the t points.

We shall construct verifiable computation schemes where the client’s input a is kept private from a single cloud server. While sending a noiseless encoding (γ(z₁), …, γ(z_t)) of a to the server simply reveals a to that server, the CR assumption allows us to develop a noisy encoding{yi}i=1n of a (as in the procedure of Definition 6) that keeps a semantically secure. Unfortunately, we cannot directly use this noisy encoding in the constructions due to efficiency loss. On one hand, the CR assumption requires that t ≤ (nk^h)^1/(h+1) + k + 1. On the other hand, one has to choose t ≥ kd + 1 to enable the interpolation of g(z) = f(γ(z)). As a result, n ≥ (d – 1)^h+1 ⋅ k and is comparable to h+dd, the number coefficients of f. And the noisy encoding only yields a scheme that is not outsourceable.

We bypass this difficulty with a second level of amortization, i.e., by processing multiple function inputs a₁, …, a_s together such that the average encoding length of each input is short and thus results in outsourceable schemes. In [26], it was shown that if n − t noisy points suffice to keep one point semantically secure, then, for any s = poly(k), they suffice to keep s points semantically secure. With this observation, we describe an extended noisy encoding algorithm (pk_a⃗, rk_a⃗) ← NEnc(k, a⃗) that takes a⃗ = (a₁, …, a_s) ∈ (𝔽^h)^s as input and outputs a public noisy encoding pk_a⃗ and a private value rk_a⃗ for reconstruction use as follows.

• for every ℓ ∈ [s], randomly choose h polynomials γ_ℓ,1(z), …, γ_ℓ,s(z) ∈ 𝔽[z] of degree ≤ k such that a_ℓ = (γ_ℓ,1(0), …, γ_ℓ,h(0));

• randomly choose m = ts + n – t nonzero distinct field elements z₁, …, z_m ∈ 𝔽 ∖ {0};

• randomly choose s pairwise disjoint subsets T₁, …, T_s ⊂ [m], each of cardinality t;

• for every ℓ ∈ [s] and j ∈ T_ℓ, set c_j = (γ_ℓ,1(z_j), …, γ_ℓ,h(z_j));

• set T₀ = [m] ∖ (T₁ ∪ T₂ ∪ ⋯ ∪ T_s); for every j ∈ T₀, randomly choose a vector c_j ∈ 𝔽^h;

• output pka→={cj}j=1m and rka→={Ti}i=0s.

3.3 The transformation

The algorithm NEnc allows one to hide s function inputs, say a⃗ = (a₁, …, a_s), with a public noisy encoding pk_a⃗ such that no information about a⃗ will be leaked (under the CR assumption). Let Σ be a non-private verifiable computation scheme [6, 10, 16, 37] with an admissible function family of multivariate polynomials over a finite field. We shall present a transformation 𝓣 that adds (input and output) privacy to Σ. The idea of our transformation is letting the client encode a⃗ as pk_a⃗ and give pk_a⃗ to the server; the server runs Σ. Compute on every element (which is a point) of pk_a⃗ and provides the public values of evaluating the polynomial f on all points to the client; at last the client runs Σ. Verify to both verify the server’s work and recover the results f(a₁), …, f(a_s). This idea gives a new scheme Π = 𝓣(Σ) as below.

• (PK_f, SK_f) ← Π. KeyGen(1^k, f): Given f = f(x) ∈ 𝔽[x₁, …, x_h], an h-variate polynomial of degree ≤ d, run Σ. KeyGen(1^k, f) to generate a public key pk_f and the matching secret key sk_f; output PK_f = pk_f and SK_f = sk_f.

• (σ_a⃗, τ_a⃗) ← Π. ProbGen(SK_f, a⃗): Given a⃗ = (a₁, …, a_s) ∈ (𝔽^h)^s, a set of s inputs from Domain(f), run NEnc(k, a⃗) to generate both a public noisy encoding pk_a⃗ of a⃗ and a private value rk_a⃗ for the reconstruction use. Parse pk_a⃗ as {cj}j=1m⊆Fh, a set of m points. For every j ∈ [m], run Σ. ProbGen(SK_f, c_j) to generate both a public encoding σ_cj of c_j and a private value τ_cj for verification use. At last, output σa→={σcj}j=1m as the public encoding of a⃗, and output τa→=(rka→,{τcj}j=1m), the private values for verification and reconstruction.

• σ_y ← Π. Compute(PK_f, σ_a⃗): Parse σ_a⃗ as {σcj}j=1m, the set of s public encodings, one for each element in pk_a⃗. For every j ∈ [m], run Σ. Compute(PK_f, σ_cj) to compute an encoded version σ_f(cj) of the function’s output f(c_j). At last, output σy={σf(cj)}j=1m as the encoded version of the function’s outputs on all s inputs, i.e., f(a₁), …, f(a_s).

• {y, ⊥} ← Π. Verify(SK_f, τ_a⃗, σ_y): Parse τ_a⃗ as (rk_a⃗, {τcj}j=1m), where {τcj}j=1m is for verification use and rk_a⃗ is for reconstruction use. Parse σ_y as {σf(cj)}j=1m, an encoded version of the s function outputs f(a₁), …, f(a_s). For every j ∈ [m], run Σ. Verify(SK_f, τ_cj, σ_f(cj)) to verify the server’s work of computing f(c_j) and output v_j, where v_j = f(c_j) or v_j = ⊥ (indicating that σ_f(cj) is not a valid encoding of f(c_j)). If there exists j ∈ [m] such that v_j = ⊥, then output ⊥ to indicate that σ_y is not a valid encoding of the s function outputs. Otherwise, parse rk_a⃗ as (T₀, T₁, …, T_s), where T₁, …, T_s ⊆ [m] are pairwise disjoint t-subsets and T₀ = [m] ∖ T₁ ∪ ⋯ ∪ T_s; for every ℓ ∈ [s], interpolate a polynomial Q_ℓ(z) = f(γ_ℓ,1(z), …, γ_ℓ,h(z)) of degree ≤ t from the t points {(z_j, v_j)}_j∈Tℓ. At last, output y = (Q₁(0), …, Q_s(0)).

Correctness: The correctness of Σ implies that v_j = f(c_j) for every j ∈ [m]. For every ℓ ∈ [s], the points {c_j}_j∈Tℓ are on the parametric curve γ_ℓ(z) = (γ_ℓ,1(z), …, γ_ℓ,h(z)). Then {v_j}_j∈Tℓ are values of Q_ℓ(z) = f(γ_ℓ(z)) at t = |T_ℓ| distinct points {z_j}_j∈Tℓ, where deg(Q_ℓ(z)) ≤ k ⋅ deg(f) ≤ kd. If the parameters t, k, d are chosen such that t ≥ kd + 1, then the t points {(z_j, v_j)}_j∈Tℓ suffice to interpolate the univariate polynomial Q_ℓ(z) of degree ≤ kd and give

Hence, the scheme Π = 𝓣(Σ) is correct when t ≥ kd + 1.

Privacy: In the scheme Π, a⃗ = (a₁, …, a_s) is encoded with NEnc and then given to the server. The CR assumption implies that a⃗ will be kept semantically secure against the server as long as t = o((nk^h)^1/(h+1) + k + 1). Therefore, Π achieves input privacy (and thus output privacy) under the CR assumption.

Security: The security of Π requires that no adversary running in probabilistic polynomial-time should be able to persuade the verification algorithm to accept and output incorrect values on the input values. The proof of the following theorem is straightforward and left to Appendix A.

Efficiency: A verifiable computation scheme is outsourceable if the time to encode the input and verify the output is smaller than the time to compute the function from scratch. The existing verifiable computation schemes [6, 18] are in an amortized model, where the one-time cost of KeyGen(1^λ, f) is amortized over many different inputs. And for each input x, the total time required for ProbGen(SK_f, x) and Verify(SK_f, τ_x, σ_y) is substantially less than the time required for computing f(x) from scratch.

The scheme Π works in two levels of amortization. At the first level, the one-time cost of Π. KeyGen(1^λ, f) is amortized over the executions of the scheme on many different sets of inputs. At the second level, in every execution of Π. ProbGen(SK_f, a⃗) and Π. Verify(SK_f, τ_a⃗, σ_y), the client can process s function inputs a⃗ = (a₁, …, a_s) together; and the total time required for both algorithms, when averaged over the s function inputs, allows Π to be outsourceable. More precisely, a⃗ is encoded as a set of m = n – t + ts points. The time spent on Π. ProbGen(SK_f, a⃗) is equal to the time spent on NEnc(k, a⃗), which is dominated by m computations of h-dimensional curve of degree k plus the total time spent on m executions of Σ. ProbGen. The average time spent on processing each function input is dominated by m/s curve computations and m/s executions of Σ. ProbGen. The time spent on Π. Verify(SK_f, τ_a⃗, σ_y) is equal to the total time spent on m executions of Σ. Verify plus the total time spent on interpolations of s polynomials of degree ≤ t. Therefore, the average time spent on verifying each output is dominated by the time spent on m/s executions of Σ. Verify plus the time spent on interpolation of a polynomial of degree ≤ t.

There is a tradeoff between the number s of simultaneously delegated function inputs and the average time T̄ spent on processing each function input and verifying its output. If we choose s = O(n/t), then T̄ will be dominated by O(t) curve evaluations, O(t) executions of Σ. ProbGen, O(t) executions of Σ. Verify and interpolation of a degree ≤ t univariate polynomial. For Π to be correct and secure, n, k, t, h, d should be chosen such that kd < t ≤ (nk^h)^1/(h+1) + k + 1. As a result, one must have that n ≥ (d – 1)^h+1 ⋅ k, which is comparable to N = h+dd, the number of coefficients of f. There are many ways to choose n, k, t, h, d such that T̄ = o(N). As an example, if we choose

T̄ will be dominated by O(kd log k) curve computations, O(kd log k) executions of Σ. ProbGen, O(kd log k) executions of Σ. Verify and interpolation of a polynomial of degree ≤ t. Since Σ is outsourceable, Π is outsourceable as well.

Our transformation gives efficient verifiable computation schemes that enable the delegation of high-degree polynomial computations on private (encrypted) function inputs. In particular, our scheme neither relies on the expensive primitives such as fully homomorphic encryption (FHE) and garbled circuits nor has to represent the function f as a Boolean circuit. Even for very small k and d, our schemes are the first ensuring security and privacy without using expensive primitives. We can easily extend 𝓣 such that it is not only applicable to privately verifiable schemes [6] but also applicable to publicly verifiable schemes [10, 16, 37]. Furthermore, 𝓣 never changes the verifiability of the underlying scheme Σ.

Implementation: Applying our transformation to the privately delegatable and verifiable computation scheme Σ_bgv for multivariate polynomials of bounded total degree from Benabbas, Gennaro and Vahlis [6] gives a new scheme Π_bgv that achieves input and output privacy for the client. We implemented Π_bgv with a cyclic group of order ≥ 2¹⁰²⁴, where strong DDH [6] is supposed true. Let T_c(⋅) and T_s(⋅) denote the average client running time and server running time. Our implementation shows that T_c(Π_bgv) = O(T_c(Σ_bgv)) and T_s(Π_bgv) = O(T_s(Σ_bgv)), where the constants hidden in O depend on k and d. The moderate efficiency loss stems from 𝓣, which adds privacy to Σ_bgv. In contrast, the FHE-based schemes [2, 4, 13, 18] achieve input privacy but provide no implementations for polynomial computations. More precisely, we implemented Π_bgv on a Dell Optiplex 9020 desktop with Intel Core i7-4790 Processor running at 3.6 GHz, on which we run Ubuntu 16.04.1 with 4 GB of RAM and the g++ compiler version 5.4.0. All our programs are single-threaded and built on top of NTL (and GMP). In order to achieve 128-bit security, the underlying scheme Π_bgv requires a cyclic group of order ≥ 2¹⁰²⁴, where strong DDH assumption [6] is supposed to be true. We consider the computation of a 4-variate polynomial of total degree ≤ 6 at 504 points. The test shows that the client-side computations (Π_bgv. ProbeGen and Π_bgv. Verify) can be done very efficiently with total running time 27.616 seconds, and the average client’s work for each of the 504 delegated computations is ≤ 0.88 milliseconds; the one-time work of running Π_bgv. KeyGen takes 0.636 seconds. On the other hand, the server’s work of running Π_bgv. Compute takes 4444.24 seconds, which gives an amortized cost of 8.818 seconds for each of the 504 function inputs. Compared with the cost of 0.142 seconds in the non-private scheme, this high cost is the price of converting a non-private scheme to one that achieves privacy. This cost will become reasonable if the work of executing Π_bgv. Compute is done in parallel. The performance of our implementation shows that the resulting schemes of our transformation in this section is potentially practical.

4.1 Somewhat homomorphic encryption

A somewhat homomorphic encryption scheme allows one to evaluate low-degree polynomials on encrypted data. Fiore, Gennaro and Pastro [17] described a slight variation HE = (ParamGen, KeyGen, Eval, Enc, Dec) of the somewhat homomorphic encryption scheme by Brakerski and Vaikuntanathan [8], based on the hardness of the polynomial learning with error (LWE) problem. The variation is specialized to evaluate circuits of multiplicative depth 1 and sketched as below:

• HE.ParamGen(λ): Given the security parameter λ, generate

  1. a message space 𝓜 = ℤ_p[X]/Φ_m(X), where Φ_m(X) ∈ ℤ[X] is the m-th cyclotomic polynomial of degree ϕ(m), where ϕ(⋅) is the Euler totient function,

  2. a ciphertext space 𝓒 ⊆ ℤ_q[X, Y] that consists of two kinds of elements:

     1. level-0 ciphertext: c = c₀ + c₁Y with c₀, c₁ ∈ ℤ_q[X]/Φ_m(X), where q > p, gcd(p, q) = 1 and deg_X(c_i) ≤ ϕ(m) – 1 for i ∈ {0, 1},

     2. level-1 ciphertext: c = c₀ + c₁Y + c₂Y², where c₀, c₁, c₂ ∈ ℤ_q[X] and deg_X(c_i) ≤ 2(ϕ(m)–1) for i ∈ {0, 1, 2},

  3. two distributions: D_ℤⁿ,σ and ZO_n.

• HE.KeyGen(1^λ): Choose a ← ℤ_q[X]/Φ_m(X) and s, e ← D_ℤⁿ,σ; compute b ← as + pe; output dk = s and pk = (a, b).

• HE.Enc_pk(m, r): Given m ∈ 𝓜 and r = (u, v, w) ← (ZO_n, D_ℤⁿ,σ, D_ℤⁿ,σ), compute c₀ ← bu + pw + m and c₁ ← au + pv; output c = c₀ + c₁Y.

• HE.Eval_pk(f, a, b): Given a, b ∈ 𝓒, where a = a₀ + a₁Y + a₂Y², b = b₀ + b₁Y + b₂Y², homomorphic additions and multiplications (when a₂ = b₂ = 0) are done over ℤ_q[X, Y]:

  1. (a₀ + a₁Y + a₂Y²) + (b₀ + b₁Y + b₂Y²) = (a₀ + b₀) + (a₁ + b₁)Y + (a₂ + b₂)Y²,

  2. (a₀ + a₁Y) ⋅ (b₀ + b₁Y) = a₀b₀ + (a₀b₁ + a₁b₀)Y + a₁b₁Y².

• HE.Dec_dk(c): Given c = c₀ + c₁Y + c₂Y² ∈ 𝓒, compute ci′ = c_i mod Φ_m(X) for i = 0, 1, 2; compute t ∈ R_q as t←c0′−s⋅c1′−s2⋅c2′; output (t mod p).

4.2 Homomorphic hash

A keyed homomorphic hash (H.KeyGen, H, H.Eval) is defined by three algorithms, where H.KeyGen generates two keys K (public) and κ (private), H uses K or κ to map any input μ ∈ 𝓓 to a digest H_K(μ) ∈ 𝓡 and H.Eval allows homomorphic computations (addition “+”, multiplication “∗” and scalar multiplication “⋅”) over 𝓡. Let bgpp = (q, 𝔾₁, 𝔾₂, 𝔾_T, e, g, h) be a tuple of bilinear group parameters, and let

The following homomorphic hash with domain 𝓓 and range 𝓡 = 𝔾₁ × 𝔾₂ (or 𝔾_T) is from [17].

• H.KeyGen(1^λ): Choose α, β ← ℤ_q; output a public key

  K={(gαiβj,hαiβj):i∈{0,1,2},j∈{0,1,…,2(ϕ(m)−1)}}

  and a matching secret key κ = (α, β); both allow the computation of hash digest, and the latter usually makes the computation more efficient.

• H_K(μ): Given an input μ ∈ 𝓓, if deg_Y(μ) ≤ 1, then output (g^μ(β,α), h^μ(β,α)) as the digest; if deg_Y(μ) = 2, then output e(g, h)^μ(β,α) as the digest. In particular, when deg_Y(μ) ≤ 1, we denote [H_K(μ)]₁ = g^μ(β,α) and [H_K(μ)]₂ = h^μ(β,α).

• H.Eval(f, ν₁, ν₂): This algorithm enables the homomorphic computations of arithmetic circuits f of degree ≤ 2 as below:

  1. ν₁ = (t₁, u₁), ν₂ = (t₂, u₂) ∈ 𝔾₁ × 𝔾₂, f = “+”: output (t₁t₂, u₁u₂);

  2. ν₁ = (t₁, u₁) ∈ 𝔾₁ × 𝔾₂, ν₂ = c ∈ ℤ_q, f = “⋅”: output (t1c,u1c);

  3. ν₁ = (t₁, u₁), ν₂ = (t₂, u₂) ∈ 𝔾₁ × 𝔾₂, f = “*”: output e(t₁, u₂) ∈ 𝔾_T;

  4. ν₁, ν₂ ∈ 𝔾_T, f = “+”: output ν₁ν₂ ∈ 𝔾_T;

  5. ν₁ ∈ 𝔾_T, ν₂ = c ∈ ℤ_q, f = “⋅”: output ν1c ∈ 𝔾_T.

The homomorphic hash H was shown collision-resistant under the ℓ-BDHI assumption. That is, when ℓ ≥ max{2(ϕ(m) – 1), 2}, for any (K, κ) ← H.KeyGen(1^λ), for any adversary 𝓐 running in probabilistic polynomial time,

4.3 PRFs with amortized closed-form efficiency

A pseudorandom function (F.KG, F) is defined by two algorithms, where the key generation algorithm F.KG takes as input the security parameter 1^λ and outputs a secret key k and some public parameters pp that specify domain 𝓧 and range 𝓡 of the function, and the function F_k(x) takes input x ∈ 𝓧 and uses the secret key k to compute a value R ∈ 𝓡. The PRF (F.KG, F) is said to be secure (satisfy the pseudorandomness property) if, for any p.p.t. adversary 𝓐,

where (k, pp) ← F.KG(1^λ) and Φ: 𝓧 → 𝓡 is a random function.

Let C be a computation that takes as input n random values R₁, …, R_n ∈ 𝓡 and a vector of m arbitrary values z = (z₁, …, z_m), and assume that the computation of C(R₁, …, R_n; z₁, …, z_m) requires time t(n, m). Let L = ((ξ, η₁), …, (ξ, η_n)) ∈ 𝓧ⁿ and η = (η₁, …, η_n). The PRF (F.KG, F) is said to satisfy the amortized closed-form efficiency for (C, L) if there exist two polynomial-time algorithms CFEvalC,ηoff and CFEvalC,ξon such that

1. for any ω←CFEvalC,ηoff(k,z),CFEvalC,ξon(k,ω)=C({Fk(ξ,ηj)}j=1n;z),

2. the running time of CFEvalC,ξon(k,ω) is o(t).

Let f(x1,…,xn)=∑i,j=1nαi,jxixj+∑i=1nβixi be a degree-2 arithmetic circuit defined by f={αi,j,βi}i,j=1n. Let C:(G1×G2)n×Zqn2+n→GT be a computation defined by

Let bgpp = (q, 𝔾₁, 𝔾₂, 𝔾_T, e, g, h) be a tuple of bilinear group parameters, and let F^′ be a PRF with domain {0, 1}^∗ and range Zq2. Fiore, Gennaro and Pastro [17] proposed a PRF with amortized closed-form efficiency for (C, L).

• F.KG(1^λ): Choose two secret keys k₁, k₂ for the PRF F^′; output k = (k₁, k₂) and pp, where pp defines the domain 𝓧 = ({0, 1}^∗)² and the range 𝓡 = 𝔾₁ × 𝔾₂ (or 𝔾_T).

• F_k(ξ, η): Compute (u,v)←Fk1′(η),(a,b)←Fk2′(ξ); output (g^ua+vb, h^ua+vb); in particular, we denote

  Fk(ξ,η)]1=gua+vb,[Fk(ξ,η)]2=hua+vb.

• CFEvalC,ηoff(k, f): Compute (ui,vi)←Fk1′(ηi) for all i ∈ [n]; let

  ω(z1,z2)=f(u1⋅z1+v1⋅z2,…,un⋅z1+vn⋅z2);

  output the bivariate polynomial ω.

• CFEvalC,ξon(k, ω): Compute (a,b)←Fk2′(ξ); output e(g, h)^ω(a,b).

4.4 The construction

In this section, we present a private verifiable computation scheme Γ with an admissible function family of all matrix functions over a finite field. In this scheme, the function to be delegated is a square matrix M = (M_i,j) of order n, and the input is a vector x = (x₁, …, x_n) of dimension n; the server is required to compute and reply with an encoding of M ⋅ x^′, where x^′ is the transpose of x. The input (and output) privacy of Γ is attained by the client encrypting x (as HE.Enc(x)) and then giving it to the server. The somewhat homomorphic encryption scheme used here allows the server to perform homomorphic scalar multiplications and additions on the elements of M (in clear) and the ciphertext of x, which gives an encrypted version of M ⋅ x^′ for the client. The server is able to compute the homomorphic hash digests of HE.Enc(x) and combine these digests with the tags of M to generate a proof that its computation is correct. The homomorphic property of the hash and the amortized closed-form efficiency property of the PRF makes the client’s verification significantly faster than the computation of M ⋅ x^′ from scratch. Below is the description of Γ.

• (PK_M, SK_M) ← Γ.KeyGen(1^λ, M):

  1. run HE.ParamGen(1^λ) to choose message and ciphertext spaces 𝓜 = ℤ_p[X]/Φ_m(X) and 𝓒 ⊆ ℤ_q[X, Y].

  2. run HE.KeyGen(1^λ) to generate an encryption key pk and a decryption key dk for the encryption scheme HE;

  3. choose a tuple bgpp = (q, 𝔾₁, 𝔾₂, 𝔾_T, e, g, h) of bilinear map parameters;

  4. run H.KeyGen(1^λ) to choose two keys K (public) and κ (private) for the homomorphic hash H;

  5. run F.KG(1^λ) to generate a secret key k = (k₁, k₂) for the PRF F; choose a ← ℤ_q;

  6. compute T_i,j = g^aM_i,j ⋅ [F_k(i, j)]₁ for all (i, j) ∈ [n]²;

  7. output PK_M = (p, m, n, bgpp, pk, K, M, T = (T_i,j)), SK_M = (dk, κ, k, a).

• (σ_x, τ_x) ← Γ.ProbGen(SK_M, x): let x = (x₁, …, x_n) ∈ Zqn;

  1. for every j∈ [n], compute μ_j ← HE.Enc_pk(x_j);

  2. parse κ as (α, β) ∈ Zq2; compute ω=∑j=1nμj(β,α)⋅Fk1′(j)∈Zq2;

  3. let μ = (μ₁, …, μ_n); output σ_x = μ and τ_x = ω.

• σ_y ← Γ.Compute(PK_M, σ_x): parse σ_x as μ = (μ₁, …, μ_n) ∈ 𝓒ⁿ;

  1. for every i∈ [n], compute γi=∑j=1nMi,j⋅μj;

  2. for every i∈ [n], compute δi=∏j=1ne(Ti,j,[HK(μj)]2);

  3. let γ = (γ₁, …, γ_n); let δ = (δ₁, …, δ_n); output σ_y = (γ, δ).

• {y, ⊥} ← Γ.Verify(SK_M, τ_x, σ_y):

  1. for every i∈ [n], let Wi=e(g,h)〈ω,Fk2′(i)〉 where 〈ω,Fk2′(i)〉 is the dot product of ω and Fk2′(i); check if the following identity holds:

     δi=e(g,h)a⋅γi(β,α)⋅Wi;(*)

  2. if there is an i∈ [n] such that (*) does not hold, then output ⊥; otherwise, output

     y=(HE.Decdk(γ1),…,HE.Decdk(γn)).

Correctness: The correctness of Γ requires that, for any matrix function M, any key pair

any function input x, any (σ_x, τ_x) ← ProbGen(SK_M, x), if σ_y is output by the algorithm Compute(PK_M, σ_x), then Verify(SK_M, τ_x, σ_y) will always accept and output M ⋅ x^′. For every i∈ [n], if Compute was honestly executed, then it is not hard to verify that

Hence, the n equalities always hold, and σ_y will be accepted. Then the decryption correctness of HE gives (HE.Dec_dk(γ₁), …, HE.Dec_dk(γ_n)) = M ⋅ x^′.

Privacy: In the scheme Γ, the client’s input x is encrypted using HE, the slight variation of the somewhat homomorphic encryption scheme by Brakerski and Vaikuntanathan [8]. The encryption scheme is semantically secure based on the hardness of the polynomial learning with error (LWE) problem. The input (and output) privacy of Γ follows from HE’s semantic security.

Security: The security of Γ requires that no adversary running in probabilistic polynomial time would be able to persuade the verification algorithm to accept and output wrong results.

Efficiency: A VC scheme is outsourceable if the time to encode the input and verify the output is smaller than the time to compute the function from scratch. For every x ∈ Zqn, the time spent on Γ.ProbGen(SK_M, x) is equal to the time of computing {HE.Encpk(xi)}i=1n plus the time of computing ω (n PRF computations and O(n) field operations). For every σ_y, the time cost of Γ.Verify(SK_M, τ_x, σ_y) is dominated by O(n) group operations and n executions of HE.Dec_sk. Note that M ⋅ x^′ requires O(n²) field operations. When n is large enough, the client’s cost of running Γ.ProbGen and Γ.Verify is o(n²) and substantially less than that of computing M ⋅ x^′ from scratch. Hence, Γ is outsourceable.

Implementation: We implemented the scheme Γ on a Dell Optiplex 9020 desktop with Intel Core i7-4790 Processor running at 3.6 GHz, on which we run Ubuntu 16.04.1 with 4 GB of RAM and the g++ compiler version 5.4.0. All our programs are single-threaded and built on top of GMP. We consider the multiplication between a random square matrix of n rows (columns) over a finite field of order > 2²⁵⁶ and a random vector of dimension n over the same field, for n = 100, 200, …, 1000. We record the client’s time of running Γ.ProbGen and Γ.Verify, and get Figure 3.

Figure 3

Performance of the matrix delegation scheme.

The experiment shows that, for n = 100, the client-side computation can be done in 0.89 seconds. If we use the scheme Γ in a natural way to delegate the multiplication of two 100 × 100 matrices, then the client-side computation can be done in at most 89 seconds. Parno, Howell, Gentry and Raykova [38] implemented the scheme of [18] to delegate the same computation. Their experiment shows that the client in [18] has to spend at least 10¹¹ seconds on problem generation and result verification. Compared with [18], the client in our scheme is faster with an order of 9. The performance of our implementation shows that the resulting schemes of our transformation in this section is nearly practical.