kavita sharma, manoj singh - alliedjournals.com · kavita sharma, gurukul institute of engineering...

International Journal of Engineering, Management & Sciences (IJEMS)ISSN-2348 –3733, Volume-2, Issue-3, March 2015

9 www.alliedjournals.com

Abstract— Many new start-ups have been possible in IT

industry due to cloud computing’s concept of pay-per-use. Thishas led to outsourcing of many business-critical functions tocloud, termed as Delegation of Computation. But usefulness ofthis concept depends on whether the results of computation canbe verified. Verifiability of computation has been achievedpreviously through interactive proof systems, having highcommunication cost. Methods based on cryptography have highcomputation cost making them unsuitable for mobile clients.This paper proposes a verifiable delegation protocol based oncryptographic primitives. It has reduced communication costmaking it suitable for light-weight devices. Theproof-generating function is incorporated into the delegatedfunction to make it fool-proof.

Index Terms— Verifiable delegation of computation,interactive proofs.

I. INTRODUCTION

The question whether the result of any computation can beverified or not has been raised within the computer sciencetheory community several decades ago. It led to proposals likeinteractive proofs (IPs), interactive arguments (IAs) andprobabilistically checkable proofs (PCPs) [1,2]. All theseprotocols consider two parties – a prover and a verifier. Theprover P performs a computation and sends V the answer. Pand V then engage in a randomized protocol involving theexchange of one or more messages; where P’s goal is toconvince V that the answer is correct. Results quantifying thepower of IPs, IAs, and PCPs represent some of the mostcelebrated results in all of computational complexity theory[1,2], but until recently they were mainly of theoreticalinterest, far too inefficient for actual deployment.

Increasing popularity of cloud computing has broughtrenewed interest in positive applications of protocols forverifiable computation. A typical motivating scenario is asfollows. A business processes billions or trillions oftransactions a day. The volume is sufficiently high that thebusiness cannot or will not store and process the transactionson its own. Instead, it offloads the processing to a commercialcloud computing service. The offloading of any computationraises issues of trust: the business may be concerned aboutrelatively benign events like dropped transactions, buggyalgorithms, or uncorrected hardware faults, or the businessmay be more paranoid and fear that the cloud operator isdeliberately deceptive or has been externally compromised.Either way, each time the business poses a query to the cloud,

Manuscript received March 16, 2015.Kavita Sharma, Gurukul Institute of Engineering & Technology, KotaRajasthan, IndiaManoj Singh, Gurukul Institute of Engineering & Technology, KotaRajasthan, India

the business may demand that the cloud also provide aguarantee that the returned answer is correct. This is preciselywhat protocols for verifiable computation accomplish, withthe cloud acting as the prover in the protocol, and the businessacting as the verifier.

Cloud computing has a lot to offer in terms of computationalpower for lightweight and mobile computing devices. Thepay-per-use is a prominent feature leading to growingpopularity, as companies and users reduce their computingassets and turn to weaker computing devices; therebydelegating a number and variety of computations to cloudservice providers. Yet the monetary benefits related to suchservices raise a concern about trust. The major risk here is thatthe business critical computations are being performedremotely by untrusted parties that may be error-prone or evenmalicious. This motivates exploring methods for delegatingcomputations reliably: a weak client delegates hiscomputation to a powerful server. After the server returns theresult of the computation, the client should be able to verifythe correctness of that result using considerably less resourcesthan required to actually perform the computation fromscratch. Users may benefit a lot by outsourcing thecomputational intensive functions to the cloud, the data canwell be secured through encryption, but can the computationbe performed over encrypted data? Even if it is practicallyfeasible, can the user trust that the results returned by thecloud are correct? Verifiable delegation of computation(VDoC) is a possible solution.

VDoC is a paradigm where a delegator (commonly alightweight device) delegates data and function to becomputed over it to a worker (such as cloud service provider).For security purposes this data may be encrypted. The workerreturns the result of computation along with a proof that theresult is correct. Delegator processes the proof andaccordingly accepts or rejects the result. The majorrequirement over here is that cost of verification processshould be much less than actual computation. A fewprotocols, implementations and results in the field of VDoChave been produced. Most of the work in this field has beendirected towards efficient verification of result of acomputation, or towards secure computation thereby usingcryptographic primitives. Yet, in the light of monetarybenefits related to outsourced computations, clouds have amotivation to provide imprecise results or some previouslycalculated results. Hence, we should steer the direction ofresearch towards ensuring that the computation is indeed doneover the provided input. Existing schemes which accomplishthis rely on the soundness of cryptographic primitivesinvolved, or they depend on heavy communication between

Input Verifiability in Delegation of ComputationKavita Sharma, Manoj Singh

Input Verifiability in Delegation of Computation


delegator and worker. That’s why, effort to decrease thecommunication costs is also a possible research area.

II. RELATED WORK

The theoretical community has given much attention to theverifiable computation of arbitrary functions set in differentscenarios. Generally, in a verifiable computation, a clientwants to delegate a computationally heavy task to a remoteserver while being able to verify the result in a very efficientway. Majorly, the approaches can be classified intointeractive and non-interactive methods. Interactive proofslike that of [3] are a way for a powerful (e.g.super-polynomial) prover to (probabilistically) convince aweak (e.g. polynomial) verifier of the truth of statements thatthe verifier could not compute on its own. The work oninteractive proofs lead to the concept of probabilisticallycheckable proofs (PCPs), where a prover can prepare a proofthat need not be checked entirely, rather the verifier can checkonly few number of bits. Notice, however, that the PCP proofmight be very long, potentially too long for the verifier toprocess. To avoid this complication, Kilian proposed the useof efficient arguments [4] in which the prover sends theverifier a short commitment to the entire proof using a Merkletree. The prover can then interactively open the bits requestedby the verifier (this requires the use of a collision-resistanthash function). A non-interactive solution can be obtainedusing Micali’s CS Proofs [5], which remove interaction fromthe above argument by choosing the bits to open based on theapplication of a random oracle to the commitment string. Inmore recent work, which still uses some PCP machinery,Goldwasser et al. [5] show how to build an interactive proof toverify arbitrary polynomial-time computations in almostlinear time. They also extend the result to a non-interactiveargument for a restricted class of functions. Both [4] and [5]are non-interactive protocols. Gentry, Gennaro and Parno [6]not only introduced the notion of “verifiable computation”,but also gave a proper protocol. They suggested a scheme thatis non-interactive, works for any function, and is provable inthe standard model. It also provides the client with input andoutput privacy, a property not considered in previous works.

In the definition proposed by Gennaro, Gentry, and Parno [6](and later adopted in several works, e.g., [7, 9, 12, 13]), todelegate the computation of f(D), the client has to compute anencoding of D, which depends on the function f. However,if we want to choose f after outsourcing D, the computation of

is no longer possible. Alternatively, one could keep theentire input D locally and then compute from D and f,which would yield a running time proportional to the inputsize. In other work (e.g.,[4.16]) the efficiency requirement fora client is to run in time poly(n, log T), when delegating afunction f that runs in time T and takes inputs of size n. Thenotion of multi-function verifiable computation proposed in[9 and 17] is close to our model, in that a client can delegatethe computation of many functions on the same input D, whilebeing able to efficiently verify the results.

Currently, the best performing, fully general-purposeverifiable computation protocols [21,22] are based onQuadratic Arithmetic Programs(QAPs). To providenon-interactive, publicly verifiable computation, as well aszero-knowledge proofs (i.e., computations in which some orall of the worker’s inputs are private) recent systems [19, 20,21, 22] have converged on the Pinocchio protocol [24] as acryptographic back end. Pinocchio, in turn, depends onQAPs. While these protocols have made proof verificationnearly practical, the cost to generate a proof remains asignificant barrier to practicality. Indeed, most applicationsare constrained to small instances, since proof generationcosts 3-6 orders of magnitude more than the originalcomputation.

These solutions also work in a model where the client needs toknow the input of the computation, and it also has to engage inan interactive protocol with the server in order to verify theresults. In contrast, our work considers a completelynon-interactive setting in which the proof is transferred fromthe server to the client in a single round of communication,similar to [22].

III. PROPOSED PROTOCOL AND SCHEME

A. ProtocolWe propose to send the challenge to the worker in the form

of a choice vector. The vector selects only one out of all inputdata provided. The worker is required to compute an extrafunction over this selected data point. The extra functionalityis built into the delegated function. We employ a specialcryptographic primitive (described in further section) so thatthe result of extra functionality can be verified by a single stepcalculation by the delegator. If this result is verified, it impliesthat the delegated function was indeed computed over theprovided input data.

Formally, the steps are:

Phase I: Delegation

Step 1: Input Preparation

For data input be the vector of inputs , andchoice be the vector of bits such that only one of them is 1, allother 0’s. Size of choice is also n. Now, encrypt bits of choiceusing Encryption method E. Let choice bewhich after encryption becomes , thatis

Step 2: Send Input

Send , ,key) to Worker

Phase II: Computation

Step 1: Worker computes .has additional functionality, that is, besides computing

, it also computes



calculatedas: .

Step 2: Worker sends result and proof to the delegator.

Phase III: Verification

Delegator verifies where ,if yes then accept result, else reject.

B. Cryptographic PrimitivesFor the purpose of the proposed protocol we suggest a

simple homomorphic encryption primitive. The basic idea isto use probabilistic encryption for security. We suggest amethod to randomize a plaintext from a ring Zn to obtain aninteger ciphertext. Hence, addition and multiplication withinthe ring are homomorphic to ordinary integer addition andmultiplication operations. The method is similar to thesomewhat homomorphic scheme of [25] with symmetric keys.But we modify it to make it simple yet secure. The Encryptionprocess used is

Step 1: Choose an integer y equivalent to plaintext x modulosecret key s, that is

Step 2: Select a random number r>key

Step 3: Compute

Step 4: Output c as ciphertext

Parameter values: To enable proper modular operations, wemaintain key>s and r>key.

C. ExampleWe present here how to encrypt a bit using the proposed

scheme, under the parameters s = 19, μ = 3. Let key = 469 (anumber of length bits). Suppose the plaintext is 1, that is x= 1. Selecting , we have y=153. Let the randomnumber be 573.

Thus, encryption of 1 is, c = y + key*r = 153 + 469*573 =268890.

The correctness can be seen as,

We construct a toy example of the VDoC protocol, takingnumber of inputs n=4 and the parameter μ = 5. Suppose theinput data vector is ⟨21,4,17,9⟩, and the choice vector is⟨0,1,0,0⟩.Input preparation: We encrypt the choice vector withkey=29342513, under s=21, as ⟨796472263254181,957786953793533, 828249031132577, 536273656014965⟩Proof Computation: The worker knows key = 29342513, itcomputes

Verification: The delegator computes, which is same as the

input number at which position the bit 1 was sent in choicevector.

D. BenefitsThe proposed scheme and protocol have several benefits

over other VDoC protocols:

• Tamper-proof: The extra functionality is built into thedelegated function. Hence, the worker cannot cheat bytampering with the proof function.

• No rejection problem: Most of the interactive VDoCschemes suffer from the rejection problem, which means thatthe worker might know whether the result was accepted orrejected and take counter-steps for future. But, in our proposalthe interaction of the delegator and worker is limited. Theworker never comes to know whether the result was acceptedor rejected.

• Low communication cost: We have only three stepcommunication protocol, which means lesser communicationcost.

• There are some issues of concern around our proposal,which could be explained as follows:

• Overhead of modification of functions – Our proposalrequires modification in the function itself. A question aboutthe overhead incurred may arise. We counter this by statingthat many VDoC protocols use FHE, hence the functions haveto be modified for homomorphic operations. Thesemodifications are much costlier than our suggestion.

• Long input size – including the choice vector with the inputdata raises concern about the length of input. Our protocol canbe modified to have a shorter choice vector.

• Lightweight device as delegator – Such delegator requireslightweight operations. The input preparation can be done incollaboration with a third party. The scheme is secure even ifsame choice vector is used many times. Thus, amortizedcomputation cost is very low.

E. Mathematical AnalysisLength of input sent to the worker depends on the actual datato be input for the delegated function. Say the largest is oflength μ bits. Then, any is of maximum length μ bits. Tohave proper modulo operations, we have to select key oflength bits. Thus, making every bits long. For aninput of μ bits, an extra input of bit length is sent.

Input Verifiability in Delegation of Computation


Communication overhead can be computed as the ratio oflengths of actual input and the input sent to worker.

Length of input sent to worker =

Communication overhead =

Thus, communication overhead is cubic in bit length of input.Computation overhead includes cost of proof calculation onbehalf of worker. This computational cost is governed bymost costly operation, that is, multiplication of 2n numbersand . The bit lengths are μ and respectively.Hence, cost of multiplication is Ο( ) bit operations or Ο(n)integer operations. Thus, computation overhead is linear ininput size.

Verification procedure consists only of modulo divisions.Time complexity of verification is Ο( ) bit operations orΟ(1) integer operations.

Cost of input preparation: Since Delegator has to prepare theinput; such cost should also be considered as computationoverhead on Delegator’s part. The input preparation involvesencryption of n numbers. Hence, the cost is Ο( ) bitoperations or Ο(n) integer operations. This cost is linear ininput size, so it should be reduced in case of large inputdataset. Reduction can be achieved by selecting a choicevector for only first k data-items.

The proposed scheme derives its security from the security ofthe involved encryption scheme. The key is known to theworker, but the random number involved in encryption is notknown. Also, the number s is not known. Hence, the workercannot decrypt the choice vector only by knowing the key.Under the assumption that is known s can be guessedcorrectly with a negligible probability of

2( 1) ( 1)

ln 22 b b

b

, where

b =. Let =8 bit, we get probability of guessing s correctly =(8*0.693)/270 = 4.69*10-21, which is almost zero. Theruntimes recorded for various steps of the protocol are shownin tables below. The parameter μ is varied as increasing value,and corresponding growth of the run time is noted. Therecorded runtime in nanoseconds is shown in Table 1, 2 and 3for different values of n. It can be observed that Encryptionprocess requires much more time than proof generation orverification.

Table 1 Runtime in nanoseconds for various values of n=4and μ


µ Encryption ProofGeneration

Verification

4 1318700 34099 83588

5 2739397 43152 90922

6 3546007 58926 148769

7 3842338 64275 155408

8 4817331 66991 154502

9 6888627 70612 178945

10 11644701 72423 193430


µ Encryption

ProofGeneration

Verification

4 2971754 34401 82985

5 3573467 43756 99704

6 5197854 68500 172909

7 5542466 77553 152993

8 6518063 86606 144846

9 8496241 90058 109540

10 13859936 98163 189507

IV. IMPLEMENTATION RESULTS

To study the impact of both parameters on runtimes, we plotthe results as shown in Fig 1, 2 and 3. Cost of encryptionincreases with both μ and n. This is emphasized by the plotshown in Fig 1. It plots the encryption time on y-axis, value ofn on x-axis, for different values of μ. The growth ispolynomial in n, and same for every value of μ. Cost ofencryption can be reduced if same choice vector is used formany inputs, only proof computation and verification will beperformed every time. Thus, the per–session cost of inputpreparation will be reduced. Also, we can reduce the size ofchoice vector thereby reducing number of operations in inputpreparation (and hence time of encryption) and proofgeneration. Cost of proof generation is very small, therebymaking it unobjectionable for worker. As we can observe costof verification varies only according to value of μ and doesnot depend on n for many continuous values of n. The growthcan be seen in Fig 2, which is a plot of runtime for proofgeneration against values of n on x-axis. The three differentplots correspond to different values of μ. The runtime forverification follows a step growth as can be seen in Fig 3. Thesharp increase for every value of μ appears after n=6. Thesudden increase can be attributed to implementation. But, themajor observation is that the values are almost same for everyμ, which implies that it doesn’t depend on μ.

µ Encryption Proof

Generation

Verification

4 1087551 27461 80571

5 2288263 28365 83381

6 2633177 34703 137000

7 3491388 52205 148467

8 4406934 54016 155105

9 5866558 57939 170796

10 9660614 59447 207311



V. CONCLUSION

Our proposal presents a new method of input verifiability fordelegated computation, applicable in cloud computing andmobile cloud computing. Based on the interactive methods ofproofs and arguments, we have reduced the inherentcommunication cost of the interactive protocols. A majorissue with the soundness of any interactive delegationschemes is the Verifier Rejection problem. In such schemes, itis required that the cheating worker does not learn whether theverifier accepts or rejects previous proofs from the prover.Our proposal aims at removing this problem by limiting theinteraction between the delegator and verifier. Many schemesuse FHE as a primitive in their protocol, while practicalfeasibility of a FHE scheme is still under consideration. Wehave used the homomorphic encryption for hiding the choicevector, in a novel way to achieve its benefits to make ittamper-proof while keeping away from the drawbacks ofinfeasibility. Apart from these, the benefits of lowcomputation cost of verification and scope of amortizing thetotal cost of tag preparation and verification make ourprotocol attractive for practical applications.

Future research can be directed towards studying theimplementation of the proposed protocol in real applicationenvironment.

REFERENCES

[1] S. Arora, C. Lund, R. Motwani, M. Sudan, and M. Szegedy. Proofverification and the hardness of approximation problems. J. ACM,45(3):501-555, May 1998.

[2] S. Arora and S. Safra. Probabilistic checking of proofs: a newcharacterization of np. J. ACM, 45(1):70-122, Jan, 1998.

[3] A. C.-C. Yao. How to Generate and Exchange Secrets. In 27thSymposium on Foundations of Computer Science (FOCS), 1986.

[4] J. Kilian. “Improved efficient arguments.” In Proceedings ofCRYPTO, 1995.

[5] S. Micali. “CS proofs.” In Proceedings of the IEEE Symposium onFoundations of Computer Science, 1994.

[6] S. Goldwasser, Y. T. Kalai, and G. N. Rothblum. Delegatingcomputation: interactive proofs for muggles. In STOC, pages 113–122,2008.

[7] R. Gennaro, C. Gentry, and B. Parno. “Non-interactive verifiablecomputing: Outsourcing computation to untrusted workers.” In TalRabin, editor, CRYPTO, volume 6223 of Lecture Notes in ComputerScience, pages 465-482. Springer, 2010.

[8] K.-M. Chung, Y. Kalai, and S. P. Vadhan. “Improved delegation ofcomputation using fully homomorphic encryption.” In T. Rabin,editor, Advances in Cryptology – CRYPTO 2010, volume 6223 ofLecture Notes in Computer Science, pp 483–501, Springer.

[9] B. Applebaum, Y. Ishai and E. Kushilevitz. “From Secrecy toSoundness: Efficient Verification via Secure Computation”.Automata, Languages and Programming. Lecture Notes in ComputerScience Volume 6198, 2010, pp 152-163.

[10] B. Parno, M. Raykova and V. Vaikuntanathan. “How to Delegate andVerify in Public: Verifiable Computation from Attribute-basedEncryption.” IACR Cryptology ePrint Archive, 2011:597. 2011.

[11] R. Gennaro, C. Gentry, B. Parno, and M. Raykova. Quadratic spanprograms and succinct NIZKs without PCPs. In Eurocrypt '13:Proceedings of the 32nd Annual International Conference on theTheory and Applications of Cryptographic Techniques, 2013. Also inCryptology ePrint Archive, Report 2012/215,http://eprint.iacr.org/2012/215.

[12] B. Parno, C.Gentry, J.Howell and M.Raykova. “Pinocchio: NearlyPractical Verifiable Computation.” IEEE Symposium on Security andPrivacy, 2013.

[13] S. Benabbas, R. Gennaro, and Y. Vahlis. Verifiable delegation ofcomputation over large datasets. In P. Rogaway, editor, CRYPTO2011, volume 6841 of LNCS, pages 111{131, Santa Barbara, CA,USA, Aug. 14-18, 2011. Springer, Berlin, Germany.

[14] D. Fiore and R. Gennaro. Publicly verifiable delegation of largepolynomials and matrix computations, with applications. In 2012ACM Conference on Computer and Communication Security. ACMPress, October 2012. Full version available athttp://eprint.iacr.org/2012/281.

[15] C. Papamanthou, E. Shi, and R. Tamassia. Signatures of correctcomputation, 2013.

[16] D. Catalano, D. Fiore, R. Gennaro, and K. Vamvourellis. Algebraic(trapdoor) one way functions and their applications. In TCC 2013,volume 7785 of LNCS, pages 680-699. Springer, Berlin, Germany,2013.

[17] S. Goldwasser, Y. T. Kalai, and G. N. Rothblum. Delegatingcomputation: interactive proofs for muggles. In R. E. Ladner and C.Dwork, editors, 40th ACM STOC, pages 113-122, Victoria, BritishColumbia, Canada, May 17-20, 2008. ACM Press.

[18] S.G. Choi, J.Katz, R. Kumaresan and C. Cid. “Multi-UserNon-Interactive Verifiable Computation.” 2012.

[19] Srinath Setty, Richard McPherson, Andrew J. Blumberg, and MichaelWalfish. Making Argument Systems for Outsourced ComputationPractical (Sometimes). In Network and Distributed System SecuritySymposium (NDSS), Feb. 2012.

[20] S. Setty, V. Vu, N. Panpalia, B. Braun, A. J. Blumberg, and M.Walfish. Taking proof-based verified computation a few steps closer topracticality. In USENIX Security, pages 253–268, Aug. 2012.

[21] S. Setty, B. Braun, V. Vu, A. J. Blumberg, B. Parno, and M. Walfish.Resolving the conflict between generality and plausibility in verifiedcomputation. In European Conference on Computer Systems(EuroSys), pages 71–84, Apr. 2013.

[22] Victor Vu, Srinath Setty, Andrew J. Blumberg, and Michael Walfish.A hybrid architecture for interactive verifiable computation. IEEESymposium on Security and Privacy, Oakland 2013.

[23] M. Backes, D.Fiore and R.M. Reischuk. “Verifiable Delegation ofComputation on Outsourced Data.” IACR Cryptology ePrint Archive,2013:469, 2013.

[24] B Parno and C Gentry, “Pinocchio: Nearly Practical VerifiableComputation”, 2013 IEEE Symposium on Security and Privacy, 2013.

[25] M. van Dijk, C. Gentry, S. Halevi, and V. Vaikuntanathan. “Fullyhomomorphic encryption over the integers”, Proceedings ofEurocrypt-10, Lecture Notes in Computer Science, vol 6110,.Springer, pp 24-43, 2010.

kavita sharma, manoj singh - alliedjournals.com · kavita sharma, gurukul institute of engineering...

Documents