secure optimization computation outsourcing in cloud...
TRANSCRIPT
1
Secure Optimization Computation Outsourcingin Cloud Computing: A Case Study of Linear
ProgrammingCong Wang, Student Member, IEEE, Kui Ren, Member, IEEE, and Jia Wang, Member, IEEE
Abstract—Cloud computing enables an economically promising paradigm of computation outsourcing. However, how to protectcustomers confidential data processed and generated during the computation is becoming the major security concern. Focusing onengineering computing and optimization tasks, this paper investigates secure outsourcing of widely applicable linear programming (LP)computations. Our mechanism design explicitly decomposes LP computation outsourcing into public LP solvers running on the cloudand private LP parameters owned by the customer. The resulting flexibility allows us to explore appropriate security/efficiency tradeoffvia higher-level abstraction of LP computation than the general circuit representation. Specifically, by formulating private LP problemas a set of matrices/vectors, we develop efficient privacy-preserving problem transformation techniques, which allow customers totransform the original LP into some random one while protecting sensitive input/output information. To validate the computation result,we further explore the fundamental duality theorem of LP and derive the necessary and sufficient conditions that correct results mustsatisfy. Such result verification mechanism is very efficient and incurs close-to-zero additional cost on both cloud server and customers.Extensive security analysis and experiment results show the immediate practicability of our mechanism design.
Index Terms—Confidential data, computation outsourcing, optimization, cloud computing.
F
1 INTRODUCTION
C LOUD Computing provides convenient on-demandnetwork access to a shared pool of configurable
computing resources that can be rapidly deployed withgreat efficiency and minimal management overhead [2].One fundamental advantage of the cloud paradigmis computation outsourcing, where the computationalpower of cloud customers is no longer limited by theirresource-constraint devices. By outsourcing the work-loads into the cloud, customers could enjoy the literallyunlimited computing resources in a pay-per-use mannerwithout committing any large capital outlays in thepurchase of both hardware and software and/or theoperational overhead therein.
Despite the tremendous benefits, outsourcing compu-tation to the commercial public cloud is also deprivingcustomers’ direct control over the systems that processand generate their data during the computation, whichinevitably brings in new security concerns and chal-lenges towards this promising computing model [3].On the one hand, the outsourced computation work-loads often contain sensitive information, such as thebusiness financial records, proprietary research data, orpersonally identifiable health information etc. To combatagainst unauthorized information leakage, sensitive data
• Cong Wang, Kui Ren, and Jia Wang are all with the Department ofElectrical and Computer Engineering, Illinois Institute of Technology,Chicago, IL 60616. E-mail: {cong,kren,jwang}@ece.iit.edu.
A preliminary version [1] of this paper is to be presented at the 30th IEEEConference on Computer Communications (INFOCOM’11).
have to be encrypted before outsourcing [3] so as toprovide end-to-end data confidentiality assurance in thecloud and beyond. However, ordinary data encryptiontechniques in essence prevent cloud from performingany meaningful operation of the underlying plaintextdata [4], making the computation over encrypted data avery hard problem. On the other hand, the operationaldetails inside the cloud are not transparent enough tocustomers [5]. As a result, there do exist various moti-vations for cloud server to behave unfaithfully and toreturn incorrect results, i.e., they may behave beyondthe classical semi-honest model. For example, for thecomputations that require a large amount of computingresources, there are huge financial incentives for thecloud to be “lazy” if the customers cannot tell the cor-rectness of the output. Besides, possible software bugs,hardware failures, or even outsider attacks might alsoaffect the quality of the computed results. Thus, weargue that the cloud is intrinsically not secure from theviewpoint of customers. Without providing a mechanismfor secure computation outsourcing, i.e., to protect thesensitive input and output information of the workloadsand to validate the integrity of the computation result,it would be hard to expect cloud customers to turn overcontrol of their workloads from local machines to cloudsolely based on its economic savings and resource flex-ibility. For practical consideration, such a design shouldfurther ensure that customers perform less amount ofoperations following the mechanism than completing thecomputations by themselves directly. Otherwise, there isno point for customers to seek help from cloud.
2
Recent researches in both the cryptography and thetheoretical computer science communities have madesteady advances in “secure outsourcing expensive com-putations” (e.g. [6]–[11]). Based on Yao’s garbled cir-cuits [12] and Gentry’s breakthrough work on fully ho-momorphic encryption (FHE) scheme [13], a general re-sult of secure computation outsourcing has been shownviable in theory [10], where the computation is repre-sented by an encrypted combinational boolean circuitthat allows to be evaluated with encrypted private in-puts. However, applying this general mechanism to ourdaily computations would be far from practical, due tothe extremely high complexity of FHE operation as wellas the pessimistic circuit sizes that cannot be handledin practice when constructing original and encryptedcircuits. This overhead in general solutions motivatesus to seek efficient solutions at higher abstraction levelsthan the circuit representations for specific computationoutsourcing problems. Although some elegant designson secure outsourcing of scientific computations, se-quence comparisons, and matrix multiplication etc. havebeen proposed in the literature, it is still hardly possibleto apply them directly in a practically efficient manner,especially for large problems. In those approaches, eitherheavy cloud-side cryptographic computations [8], [9], ormulti-round interactive protocol executions [6], or hugecommunication complexities [11], are involved (detaileddiscussions in Section 7). In short, practically efficientmechanisms with immediate practices for secure com-putation outsourcing in cloud are still missing.
Focusing on engineering computing and optimizationtasks, in this paper, we study practically efficient mecha-nisms for secure outsourcing of linear programming (LP)computations. Linear programming is an algorithmicand computational tool which captures the first ordereffects of various system parameters that should beoptimized, and is essential to engineering optimization.It has been widely used in various engineering disci-plines that analyze and optimize real-world systems,such as packet routing, flow control, power manage-ment of data centers, etc. [14]. Because LP computationsrequire a substantial amount of computational powerand usually involve confidential data, we propose toexplicitly decompose the LP computation outsourcinginto public LP solvers running on the cloud and privateLP parameters owned by the customer. The flexibility ofsuch a decomposition allows us to explore higher-levelabstraction of LP computations than the general circuitrepresentation for the practical efficiency.
Specifically, we first formulate private data ownedby the customer for LP problem as a set of matricesand vectors. This higher level representation allows usto apply a set of efficient privacy-preserving problemtransformation techniques, including matrix multiplica-tion and affine mapping, to transform the original LPproblem into some random one while protecting thesensitive input/output information. One crucial benefitof this higher level problem transformation method is
that existing algorithms and tools for LP solvers canbe directly reused by the cloud server. Although thegeneric mechanism defined at circuit level, e.g. [10],can even allow the customer to hide the fact that theoutsourced computation is LP, we believe imposing thismore stringent security measure than necessary wouldgreatly affect the efficiency. To validate the computationresult, we utilize the fact that the result is from cloudserver solving the transformed LP problem. In particular,we explore the fundamental duality theorem togetherwith the piece-wise construction of auxiliary LP problemto derive a set of necessary and sufficient conditions thatthe correct result must satisfy. Such a method of resultvalidation can be very efficient and incurs close-to-zeroadditional overhead on both customer and cloud server.With correctly verified result, customer can use the secrettransformation to map back the desired solution for hisoriginal LP problem. We summarize our contributionsas follows:
1) For the first time, we formalize the problem ofsecurely outsourcing LP computations, and pro-vide such a secure and practical mechanism de-sign which fulfills input/output privacy, cheatingresilience, and efficiency.
2) Our mechanism brings cloud customer great com-putation savings from secure LP outsourcing as itonly incurs O(nρ) for some 2 < ρ ≤ 3 local com-putation overhead on the customer, while solvinga normal LP problem usually requires more thanO(n3) time [14].
3) The computations done by the cloud server sharesthe same time complexity of currently practicalalgorithms for solving the linear programmingproblems, which ensures that the use of cloud iseconomically viable.
4) The experiment evaluation further demonstratesthe immediate practicality: our mechanism can al-ways help customers achieve more than 30× sav-ings when the sizes of the original LP problemsare not too small, while introducing no substantialoverhead on the cloud.
The rest of the paper is organized as follows. Section2 introduces the system and threat model, and ourdesign goals. Then we provide the detailed mechanismdescription in Section 3, followed by the security analysisin Section 4 and some further considerations in Section5. We give performance evaluation in Section 6, followedby Section 7 which overviews the related work. Finally,Section 8 concludes the whole paper.
2 PROBLEM STATEMENT
2.1 System and Threat ModelWe consider a computation outsourcing architecture in-volving two different entities, as illustrated in Fig. 1: thecloud customer, who has large amount of computationallyexpensive LP problems to be outsourced to the cloud;the cloud server (CS), which has significant computation
3
Customer
LP problem Φ
Cloud
Servers
Encrypt LP problem ΦK
Answer to Φ Verify &
Decrypt
Answer to ΦK
Proof Γ
Secret K
Fig. 1: Architecture of secure outsourcing linear pro-gramming problems in Cloud Computing
resources and provides utility computing services, suchas hosting the public LP solvers in a pay-per-use manner.
The customer has a large-scale linear programmingproblem Φ (to be formally defined later) to be solved.However, due to the lack of computing resources, likeprocessing power, memory, and storage etc., he cannotcarry out such expensive computation locally. Thus, thecustomer resorts to CS for solving the LP computationand leverages its computation capacity in a pay-per-usemanner. Instead of directly sending original problem Φ,the customer first uses a secret K to map Φ into someencrypted version ΦK and outsources problem ΦK to CS.CS then uses its public LP solver to get the answer of ΦKand provides a correctness proof Γ, but it is supposedto learn nothing or little of the sensitive informationcontained in the original problem description Φ. Afterreceiving the solution of encrypted problem ΦK , thecustomer should be able to first verify the answer viathe appended proof Γ. If it’s correct, he then uses thesecret K to map the output into the desired answer forthe original problem Φ.
The security threats faced by the computation modelprimarily come from the malicious behavior of CS. Weassume that the CS may behave beyond “honest-but-curious”, i.e. the semi-honest model that was assumedby many previous researches (e.g., [15], [16]), eitherbecause it intends to do so or because it is compromised.The CS may be persistently interested in analyzing theencrypted input sent by the customer and the encryptedoutput produced by the computation to learn the sen-sitive information as in the semi-honest model. In ad-dition, CS can also behave unfaithfully or intentionallysabotage the computation, e.g. to lie about the result tosave the computing resources, while hoping not to becaught at the same time.
We assume the communication channels between thecloud server and the customer are reliably authenticated,which can be achieved in practice with little overhead.These authentication handshakes are omitted in the fol-lowing presentation.
2.2 Design GoalsTo enable secure and practical outsourcing of LP un-der the aforementioned model, our mechanism designshould achieve the following security and performanceguarantees.
1) Correctness: Any cloud server that faithfully fol-lows the mechanism must produce an output that
can be decrypted and verified successfully by thecustomer.
2) Soundness: No cloud server can generate an in-correct output that can be decrypted and verifiedsuccessfully by the customer with non-negligibleprobability.
3) Input/output privacy: No sensitive informationfrom the customer’s private data can be derivedby the cloud server during performing the LPcomputation.
4) Efficiency: The local computations done by cus-tomer should be substantially less than solving theoriginal LP on his own. The computation burdenon the cloud server should be within the compara-ble time complexity of existing practical algorithmssolving LP problems.
2.3 Background on Linear ProgrammingAn optimization problem is usually formulated as amathematical programming problem that seeks the val-ues for a set of decision variables to minimize (ormaximize) an objective function representing the costsubject to a set of constraints. For linear programming,the objective function is an affine function of the decisionvariables, and the constraints are a system of linearequations and inequalities. Since a constraint in theform of a linear inequality can be expressed as a linearequation by introducing a non-negative slack variable,and a free decision variable can be expressed as thedifference of two non-negative auxiliary variables, anylinear programming problem can be expressed in thefollowing standard form,
minimize cTx subject to Ax = b,x ≥ 0. (1)
Here x is an n × 1 vector of decision variables, A is anm × n matrix, c is an n × 1 column vector, and b isan m× 1 column vector. It can be assumed further thatm ≤ n and that A has full row rank; otherwise, extrasrows can always be eliminated from A.
In this paper, we study a more general form as follows,
minimize cTx subject to Ax = b,Bx ≥ 0. (2)
In Eq. (2), we replace the non-negative requirements inEq. (1) by requiring that each component of Bx to benon-negative, where B is an n× n non-singular matrix,i.e. Eq. (2) degenerates to Eq. (1) when B is the identitymatrix. Thus, the LP problem can be defined via thetuple Φ = (A,B,b, c) as input, and the solution x asoutput.
3 THE PROPOSED SCHEMES
This section presents our LP outsourcing scheme whichprovides a complete outsourcing solution for – not onlythe privacy protection of problem input/output, but alsoits efficient result checking. We first give an overviewof our methodology, and systematically justify why and
4
Linear Programming
System of Linear Equations
Matrix/Vector Operations
Scalar Operations
Boolean Gates
MoreSecure,
MoreExpressibility
MoreEfficient
Fig. 2: A hierarchy of computations and mechanisms
how we can leverage the security/efficiency tradeoffsthrough properly-chosen problem decomposition. Wenext present the design framework for secure LP out-sourcing and discuss a few basic techniques and theirdemerits. This leads to a stronger problem transforma-tion design utilizing affine mapping. We then discusseffective result verification mechanisms by leveragingthe duality property of LP. Finally, we give the fullscheme description.
3.1 Methodology Overview
Secure LP outsourcing in cloud can be represented bydecomposing LP computation into public LP solversrunning on the cloud and private data owned by thecustomer. Because different decompositions of LP usu-ally lead to different trade-offs among efficiency andsecurity guarantees, how to choose the right one thatis most suitable for our design goal is thus of criticalimportance. To systematically study the difference, weorganize the different decompositions into a hierarchy,as shown in Fig. 2, which ensembles the usual way thata computation is specified: a computation at a higherabstraction level is made up from the computationsat lower abstraction levels. As we move up to higherabstraction levels within the hierarchy, more informationabout the computations becomes public so that securityguarantees become weaker, but more structures becomeavailable and the mechanisms become more efficient. Aswe move down to lower abstraction levels, the structuresbecome generic but less information is available to thecloud so that stronger security guarantees could beachieved at the cost of efficiency.
Because our goal is to design practically efficientmechanisms of secure LP outsourcing, in this paper, wefocus on the top level of the hierarchy in Fig. 2. In otherwords, we propose to study problem transformationtechniques that enable customers to secretly transformthe original LP into some random one to achieve thesecure LP outsourcing design.
3.2 Mechanism Design Framework
The general framework is adopted from a generic ap-proach [10], while our instantiation is completely differ-ent and novel. In this framework, the process on cloudserver can be represented by algorithm ProofGen and
the process on customer can be organized into threealgorithms (KeyGen, ProbEnc, ResultDec). These four al-gorithms are summarized below and will be instantiatedlater.• KeyGen(1k) → {K}. This is a randomized key genera-
tion algorithm which takes a system security parameter k,and returns a secret key K that is used later by customerto encrypt the target LP problem.
• ProbEnc(K,Φ) → {ΦK}. This algorithm encrypts theinput tuple Φ into ΦK with the secret key K. Accordingto problem transformation, the encrypted input ΦK hasthe same form as Φ, and thus defines the problem to besolved in the cloud.
• ProofGen(ΦK) → {(y,Γ)}. This algorithm augments ageneric solver that solves the problem ΦK to produce boththe output y and a proof Γ. The output y later decryptsto x, and Γ is used later by the customer to verify thecorrectness of y or x.
• ResultDec(K,Φ,y,Γ) → {x,⊥}. This algorithm maychoose to verify either y or x via the proof Γ. In any case,a correct output x is produced by decrypting y using thesecret K. The algorithm outputs ⊥ when the validationfails, indicating the cloud server was not performing thecomputation faithfully.
Note that our proposed mechanism provides us one-time-pad type of flexibility. Namely, we shall never usethe same secret key K to two different problems. Thus,for security analysis of the mechanism, we focus onthe ciphertext only attack. We do not consider known-plaintext attack in this paper but do allow adversariesto do offline guessing via various problem-dependentinformation including sizes and signs of the solution,which are not necessarily confidential.
3.3 Basic TechniquesBefore presenting the details of our proposed mech-anism, we study in this subsection a few basic tech-niques and show that the input encryption based onthese techniques along may result in an unsatisfactorymechanism. However, the analysis will give insights onhow a stronger mechanism should be designed. Notethat to simplify the presentation, we assume that thecloud server honestly performs the computation, anddefer the discussion on soundness to a later section.
3.3.1 Hiding equality constraints (A,b)
First of all, a randomly generated m × m non-singularmatrix Q can be part of the secret key K. The customercan apply the matrix to Eq. (2) for the following con-straints transformation,
Ax = b ⇒ A′x = b′
where A′ = QA and b′ = Qb.Since we have assumed that A has full row rank, A′
must have full row rank. Without knowing Q, it is notpossible for one to determine the exact elements of A.However, the nullspaces of A and A′ remains the same,
5
which may violate the security requirement of someapplications. The vector b is encrypted in a perfect waysince it can be mapped to an arbitrary b′ with a properchoice of Q.
3.3.2 Hiding inequality constraints (B)
The customer cannot transform the inequality con-straints in the similar way as used for the equalityconstraints, because for an arbitrary invertible matrix Q,Bx ≥ 0 is not equivalent to QBx ≥ 0 in general.
To hide B, we can leverage the fact that a feasiblesolution to Eq. (2) must satisfy the equality constraints.To be more specific, the feasible regions defined by thefollowing two groups of constraints are the same,{
Ax = b
Bx ≥ 0⇒
{Ax = b
(B− λA)x = B′x ≥ 0,
where λ is a randomly generated n × m matrix in Ksatisfying that |B′| = |B−λA| 6= 0 and λb = 0. Since thecondition λb = 0 is largely underdetermined, it leavesgreat flexibility to choose λ in order to satisfy the aboveconditions.
3.3.3 Hiding objective functions c and value cTx
Given the widely application of LP, such as the estima-tion of business annul revenues or personal portfolioholdings etc., the information contained in objectivefunction c and optimal objective value cTx might be assensitive as the constraints of A,B,b. Thus, they shouldbe protected, too.
To achieve this, we apply constant scaling to theobjective function, i.e. a real positive scalar γ is gen-erated randomly as part of encryption key K and c isreplaced by γc. It is not possible to derive the originaloptimal objective value cTx without knowing γ first,since it can be mapped to any value with the same sign.While hiding the objective value well, this approach doesleak structure-wise information of objective function c.Namely, the number and position of zero-elements in care not protected. Besides, the ratio between the elementsin c are also preserved after constant scaling.Summarization of basic techniques Overall, the basictechniques would choose a secret key K = (Q,λ, γ)and encrypt the input tuple Φ into ΦK = (A′,B′,b′, γc),which gives reasonable strength of problem input hid-ing. Also, these techniques are clearly correct in the sensethat solving ΦK would give the same optimal solutionas solving Φ. However, it also implies that althoughinput privacy is achieved, there is no output privacy.Essentially, it shows that although one can change theconstraints to a completely different form, it is not nec-essary the feasible region defined by the constraints willchange, and the adversary can leverage such informationto gain knowledge of the original LP problem. Therefore,any secure linear programming mechanism must be ableto not only encrypt the constraints but also to encryptthe feasible region defined by the constraints.
3.4 Enhanced Techniques via Affine MappingTo enhance the security strength of LP outsourcing, wemust be able to change the feasible region of original LPand at the same time hide output vector x during theproblem input encryption. We propose to encrypt thefeasible region of Φ by applying an affine mapping onthe decision variables x. This design principle is basedon the following observation: ideally, if we can arbitrarilytransform the feasible area of problem Φ from one vectorspace to another and keep the mapping function as thesecret key, there is no way for cloud server to learn theoriginal feasible area information. Further, such a linearmapping also serves the important purpose of outputhiding, as illustrated below.
Let M be a random n×n non-singular matrix and r bean n×1 vector. The affine mapping defined by M and rtransforms x into y = M−1(x + r). Since this mapping isan one-to-one mapping, the LP problem Φ in Eq. (2) canbe expressed as the following LP problem of the decisionvariables y,
minimize cTMy − cT r
subject to AMy = b + Ar
BMy ≥ Br.
Next, by using the basic techniques to pick a randomnon-singular Q for equality constraints, then λ for in-equality constraints, and γ for objective function, thisLP problem can be further transformed to,
minimize γcTMy
subject to QAMy = Q(b + Ar),
BMy − λQAMy ≥ Br− λQ(b + Ar).
One can denote the constraints of above LP via Eq. (3),A′ = QAM
B′ = (B− λQA)M
b′ = Q(b + Ar)
c′ = γMT c
(3)
If the following conditions hold,
|B′| 6= 0, λb′ = Br, and b + Ar 6= 0, (4)
then the LP problem ΦK = (A′,B′,b′, c′), which isequivalent to Φ in Eq. (2), can be formulated via Eq. (5),
minimize c′Ty subject to A′y = b′,B′y ≥ 0. (5)
Remark. Note that during the transformation, we ignorethe constant term cT r as it has nothing to do with finalsolution y, and we can always add it back to get the orig-inal objective value. By keeping the randomly selectedM and r as part of secret key K for affine mapping, it canbe ensured that the feasible region of encrypted problemΦK no longer contains any resemblance of the feasiblearea in original problem Φ. As we will show later, bothinput and output privacy can be achieved by sendingΦK instead of Φ to the cloud.
6
3.5 Result VerificationTill now, we have been assuming the server is hon-estly performing the computation, while being interestedlearning information of original LP problem. However,such semi-honest model is not strong enough to capturethe adversary behaviors in the real world. In many cases,especially when the computation on the cloud requires ahuge amount of computing resources, there exists strongfinancial incentives for the cloud server to be “lazy”.They might either be not willing to commit service-level-agreed computing resources to save cost, or even bemalicious just to sabotage any following-up computationat the customers. Since the cloud server promises tosolve the LP problem ΦK = (A′,B′,b′, c′), we proposeto solve the result verification problem by designing amethod to verify the correctness of the solution y of ΦK .The soundness condition would be a corollary thereafterwhen we present the whole mechanism in the nextsection. Note that in our design, the workload requiredfor customers on the result verification is substantiallycheaper than solving the LP problem on their own,which ensures the great computation savings for secureLP outsourcing.
The LP problem does not necessarily have an optimalsolution. There are three cases as follows: i) Normal —there is an optimal solution with finite objective value;ii) Infeasible — the constraints cannot be all satisfiedat the same time; iii) Unbounded — for the standardform in Eq. (1), the objective function can be arbitrarilysmall while the constraints are all satisfied. Therefore,the result verification method not only needs to verify asolution if the cloud server returns one, but also needs toverify the cases when the cloud server claims that the LPproblem is infeasible or unbounded. We will first presentthe proof Γ that the cloud server should provide and theverification method when the cloud server returns anoptimal solution, and then present the proofs and themethods for the other two cases, each of which is builtupon the previous one.
3.5.1 The normal caseWe first assume that the cloud server returns an optimalsolution y. In order to verify y without actually solvingthe LP problems, we design our method by seeking a setof necessary and sufficient conditions that the optimalsolution must satisfy. We derive these conditions fromthe well-studied duality theory of the LP problems [14].For the primal LP problem ΦK defined as Eq. (5), itsdual problem is defined as,
maximize b′Ts subject to A′
Ts + B′
Tt = c′, t ≥ 0,
(6)where s and t are the m × 1 and n × 1 vectors of dualdecision variables respectively. The strong duality of theLP problems states that if a primal feasible solution yand a dual feasible solution (s, t) lead to the same primaland dual objective value, then both y and (s, t) are theoptimal solutions of the primal and the dual problems
respectively [14]. Therefore, we should ask the cloudserver to provide the dual optimal solution as part ofthe proof Γ. Then, the correctness of y can be verifiedbased on the following conditions,
c′Ty = b′
Ts,A′y = b′,B′y ≥ 0,A′
Ts + B′
Tt = c′, t ≥ 0.
(7)Here, c′Ty = b′
Ts tests the equivalence of primal and
dual objective value for strong duality. All the remainingconditions ensure that both y and (s, t) are feasiblesolutions of the primal and dual problems, respectively.Note that due to the possible truncation errors in thecomputation, the equality test A′y = b′ can be achievedin practice by checking whether ||A′y − b′|| is smallenough.
3.5.2 The infeasible caseWe then assume that the cloud server claims ΦK to beinfeasible. In this case, we leverage the methods to find afeasible solution of a LP problem, usually known as thephase I methods [17]. These methods construct auxiliaryLP problems to determine if the original LP problemsare feasible or not. We choose the following auxiliaryproblem,
minimize z subject to −1z ≤ A′y−b′ ≤ 1z,B′y ≥ −1z.(8)
Clearly, this auxiliary LP problem has an optimal solu-tion since it has at least one feasible solution and itsobjective function is lower-bounded. Further more, onecan prove that Eq. (8) has 0 as the optimal objective valueif and only if ΦK is feasible. (See Lemma 29.11 in [18]).Thus, to prove ΦK is infeasible, the cloud server mustprove Eq. (8) has a positive optimal objective value. Thiscan be achieved by including such an optimal solutionand a proof of optimality in Γ, which is readily availablefrom the method for the normal case.
3.5.3 The unbounded caseFinally, we assume that the cloud server claims ΦKto be unbounded. The duality theory implies that thiscase is equivalent to that ΦK is feasible and the dualproblem of ΦK , i.e. Eq. (6), is infeasible. Therefore, thecloud server should provide a proof showing that thosetwo conditions hold. It is straight-forward to provide afeasible solution of ΦK and then to verify it is actuallyfeasible. Based on the method for the infeasible case,the cloud server can prove that Eq. (6) is infeasible byconstructing the auxiliary problem of Eq. (6), i.e.,
minimize z
subject to −1z ≤ A′Ts + B′
Tt− c′ ≤ 1z (9)
t ≥ −1z,
and showing this problem has positive optimal objectivevalue.Remark. For all three cases, the cloud server is requiredto provide correctness proof by proving a normal LP(either ΦK or some auxiliary LP related to ΦK) has
7
an optimal solution. Since most common LP algorithmslike Simplex and Interior Point methods compute boththe primal and dual solutions at the same time [14],providing the dual optimal solution as the optimalityproof does not incur any additional overhead for cloudserver. Note that the form of auxiliary LP for infeasi-ble/unbounded cases is not unique. In practice, we canadjust it to suit the public solver on cloud, which canbe pre-specified by the customer and cloud server withlittle cost.
3.6 The Complete Mechanism DescriptionBased on the previous sections, the proposed mechanismfor secure outsourcing of linear programming in thecloud is summarized below.• KeyGen(1k): Let K = (Q,M, r,λ, γ). For the system
initialization, the customer runs KeyGen(1k) to ran-domly generate a secret K, which satisfies Eq. (4).
• ProbEnc(K,Φ): With secret K and original LP prob-lem Φ, the customer runs ProbEnc(K,Φ) to computethe encrypted LP problem ΦK = (A′,B′,b′, c′) fromEq. (3).
• ProofGen(ΦK): The cloud server attempts to solvethe LP problem ΦK in Eq. (5) to obtain the op-timal solution y. If the LP problem ΦK has anoptimal solution, Γ should indicate so and includethe dual optimal solution (s, t). If the LP problemΦK is infeasible, Γ should indicate so and includethe primal and the dual optimal solutions of theauxiliary problem in Eq. (8). If the LP problem ΦK isunbounded, y should be a feasible solution of it, andΓ should indicate so and include the primal and thedual optimal solutions of Eq. (9), i.e. the auxiliaryproblem of the dual problem of ΦK .
• ResultDec(K,Φ,y,Γ): First, the customer verifies yand Γ according to the various cases. If they arecorrect, the customer computes x = My − r if thereis an optimal solution or reports Φ to be infeasibleor unbounded accordingly; otherwise the customeroutputs ⊥, indicating the cloud server was notperforming the computation faithfully.
4 SECURITY ANALYSIS
4.1 Analysis on Correctness and Soundness Guar-anteeWe give the analysis on correctness and soundness guar-antee via the following two theorems.
Theorem 1: Our scheme is a correct verifiable linear pro-gramming outsourcing scheme.
Proof: The proof consists of two steps. First, we showthat for any problem Φ and its encrypted version ΦK ,solution y computed by honest cloud server will alwaysbe verified successfully. This follows directly from thecorrectness of duality theorem of linear programming.Namely, all conditions derived from duality theorem andauxiliary LP problem construction for result verificationare necessary and sufficient.
Next, we show that correctly verified solution y al-ways corresponds to the optimal solution x of origi-nal problem Φ. For space limit, we only focus on thenormal case. The reasoning for infeasible/unboundedcases follows similarly. By way of contradiction, supposex = My − r is not the optimized solution for Φ. Then,there exists x∗ such that cTx∗ < cTx, where Ax∗ = band Bx∗ ≥ 0. Since x∗ = My∗ − r, it is straightforwardthat cTMy∗ − cT r = cTx∗ < cTx = cTMy− cT r, whereA′y∗ = b′ and B′y∗ ≥ 0. Thus, y∗ is a better solutionthan y for problem ΦK , which contradicts the fact thatthe optimality of y has been correctly verified. Thiscompletes the proof.
Theorem 2: Our scheme is a sound verifiable linear pro-gramming outsourcing scheme.
Proof: Similar to correctness argument, the sound-ness of the proposed mechanism follows from the factsthat the LP problem Φ and ΦK are equivalent to eachother through affine mapping, and all the conditionsthereafter for result verification are necessary and suf-ficient.
4.2 Analysis on Input and Output Privacy Guarantee
We now analyze the input/output privacy guaranteeunder the aforementioned ciphertext only attack model.Specifically, the only information the cloud server ob-tains is ΦK = (A′,B′,b′, c′), and the obvious factthat A and B of original LP problem are general fullrank matrices as defined in Eq. (2). Note that undersuch model and considering the one-time-pad type offlexibility of our mechanism (see Section 3.2), offlineguessing on problem input/output does not bring cloudserver any advantage, since there is no way to justifythe validity of the guess. Because in our applicationscustomers themselves generate and encrypt LP problemsbefore outsourcing, our security model should work wellin practice.
We start from the relationship between the primalproblem Φ and its encrypted one ΦK . First of all, thematrix A and the vector b are protected perfectly. Be-cause for ∀ m × n matrix A′ that has the full row rankand ∀ n×1 vector b′, ∃ a tuple (Q,M, r) that transforms(A,b) into (A′,b′). This is straightforward since wecan always find invertible matrices Q,M for equivalentmatrices A and A′ such that A′ = QAM, and then solver from b′ = Q(b + Ar). Thus from (A′,b′), cloud canonly derive the rank and size information of originalequality constraints A, but nothing else. Secondly, the in-formation of matrix B is protected by B′ = (B−λQA)M.Recall that the n×m matrix λ in the condition λb′ = Bris largely underdetermined. Namely, for each m× 1 rowvector in λ, there are m−1 elements that can be set freely.Thus, the unlimited choices of λ, which can be viewedas encryption key with large key space, ensures that B iswell obfuscated. Thirdly, the vector c is protected well by
8
Customer Cloud Server1. Generate a random secret keyK = (Q,M, r,λ, γ), satisfying Eq. (4);
2. Use K to encrypt Φ = (A,B,b, c)ΦK−−−−−−−−−→
encrypted LP3. If ΦK is normal, solve ΦK with dual optimal
into a random ΦK = (A′,B′,b′, c′); solution of Eq. (6) as part of proof Γ4. If ΦK is infeasible, prove the auxiliary problem
in Eq. (8) has positive objective value .solution to ΦK←−−−−−−−−−−with proof Γ
5. If ΦK is unbounded, prove its dual problem
6. Verify Γ accordingly. If it’s normal case, in Eq. (6) is infeasible.output x = My − r.
Fig. 3: The complete mechanism for secure LP outsourcing in cloud
scaling factor γ and M. By multiplication of matrix M,both the elements and the structure pattern of c are nolonger exposed from c′ = γMTc. As for the output, sinceM, r is kept as a one-time secret and drawn uniformlyat random, deriving x = My − r solely from y can behard for cloud.
Given the complementary relationship of primal anddual problem, it is also worth looking into the in-put/output privacy guarantee from dual problems ofboth Φ and ΦK . Same as Eq. (6), the dual problem ofΦ is defined as,
maximize bTα subject to ATα + BTβ = c,β ≥ 0,(10)
where α and β are the m× 1 and n× 1 vectors of dualdecision variables respectively. Clearly, the analysis forprimal problem Φ’s input privacy guarantee still holdsfor its dual problem input (A,B,b, c). As for the outputprivacy, we plug Eq. (3) into ΦK ’s dual problem definedin Eq. (6) and rearrange it as,
maximize [Q(b + Ar)]T s
subject to ATQT (s− λT t) + BT t = γc (11)t ≥ 0,
Note that MT in the equality constraint is canceledout during the rearrangement. Comparing Eq. (10) andEq. (11), we derive the linear mapping between (α,β)and (s, t) as,
α =1
γQT (s− λT t), β =
1
γt (12)
Following similar reasoning for Φ’s output privacy andanalysis for hiding objective function c in basic tech-niques (Section 3.3.3), the dual decision variables (α,β)of original problem Φ is protected well by the randomchoice of (Q,λ, γ).
5 FURTHER INVESTIGATIONS
From above discussions, we know that both input andoutput of the problem Φ has been protected well via therandom choice of keys (Q,M, r,λ, γ). However, it is notyet clear what the underlying connection between the
two LP problems Φ and ΦK is and how that relationshipcould benefit our mechanism design. In this section, wethoroughly investigate this problem through rigorousmathematical reasoning. In addition, we discuss how theuncovered results could affect the possible informationleakage on some special cases, and how we can effec-tively address them via lightweight techniques.
5.1 Connections between Φ and ΦK
To better understand the connection between Φ andΦK , we start by introducing two new problems Ψ andΨK , which are derived from Φ and ΦK respectively byusing one more step of transformation. Specifically, forΦ defined in Eq. (2), we define another LP problem Ψvia the transformation z = Bx as follows:
minimize cTB−1z subject to AB−1z = b, z ≥ 0.(13)
Similarly, we can define the LP problem ΨK from ΦK inEq. (5) via the transformation w′ = B′y′ as:
minimize c′TB′−1w subject to A′B′−1w = b′,w ≥ 0.
(14)Then, the underlying connections between Φ and ΦK
can be captured by the following theorem:Theorem 3: For any original LP problem Φ and its trans-
formed problem ΦK derived via our proposed transformationmechanisms in Section 3.4, the two related transformed prob-lems Ψ and ΨK share the same feasible region.
To prove Theorem 3, we first prove the followinglemma. Note that hereafter we use I to denote theidentity matrix for different dimensions, and assume thematrix dimensions always agree without further notice.
Lemma 1: For any m× n matrix S with full row rank m,m ≤ n, and any n × m matrix λ, if |I− λS| 6= 0, then|I− Sλ| 6= 0.
Proof: Since (I− λS) is a n× n matrix, we have
S(I− λS) = S− SλS = (I− Sλ)S.
If we compute the rank of the matrices on both sides,denoted by rank(·), we have
rank(S(I− λS)) = rank((I− Sλ)S)
9
Because |I− λS| 6= 0, from the left hand side we have
rank(S(I− λS)) = rank(S) = m.
On the right hand side, using basic linear algebra prop-erty we have
m = rank((I− Sλ)S) ≤ min(rank(I− Sλ), rank(S))
= min(rank(I− Sλ),m)
Thus, rank(I− Sλ) = m. Since I− Sλ is an m×m squarematrix, it is indeed invertible, i.e., |I− Sλ| 6= 0.
What Theorem 3 states is equivalent to proveAB−1x = b and A′B′−1w = b′ have exactly the samesolution set. Thus, all we need to do is to show theaugmented matrix [AB−1 b] can be transformed to[A′B′−1 b′] by left-multiplying an invertible matrix.
Proof: According to the value A′,B′ in Eq. (3), wehave
A′B′−1 = QA(B− λQA)−1
= QA[(I− λQAB−1)B]−1
= QAB−1(I− λQAB−1)−1
= (I−QAB−1λ)−1QAB−1.
The last equation is derived from Lemma 1 by viewingQAB−1 as an m×n matrix with full row rank m. Thus,
Q−1(I−QAB−1λ)A′B′−1 = AB−1.
On the other hand, according to Eq. (3) and (4), we haveb′ = Q(b + Ar) and λb′ = Br. Therefore,
Q−1(I−QAB−1λ)b′ = Q−1(b′ −QAB−1λb′)
= Q−1(b′ −QAB−1Br)
= Q−1b′ −Ar = b.
Hence, the m × m random invertible matrixQ−1(I−QAB−1λ) = (Q−1 −AB−1λ) is the rowtransformation matrix we are look for. Thus, it provesthat AB−1x = b and A′B′−1w = b′ have exactly thesame solution set.
Remark. Beyond the resemblance of feasible region, wemust note that the problem Ψ and ΨK are actually twototally different LP problems, due to the random choiceof λ and Q. In particular, the objective function of Ψ iscTB−1, while the objective function of ΨK is c′
TB′−1
=γcT (B− λQA)−1 = γcTB−1(I− λQAB−1)−1. Thus, aslong as λ and Q can be set freely and kept secrettogether with γ,B,A, solving ΨK does not give adver-sary any advantage learning either the objective valueor the objective function from Ψ, let alone the corre-sponding information on Φ. Moreover, since we havex = My − r = MB′−1w − r = (B− λQA)−1w − r, thesecrecy of output is also protected well by the randomchoice of λ,Q, r. Thus, the aforementioned security anal-ysis in Section 4.2 still holds.
5.2 Enhancements on Feasible Region Protection
From Theorem 3, we know that an adversary can learnthe feasible region on Ψ from ΨK . However, he cannotlearn further information on Φ from Ψ due to the un-known value of B, which serves for the transformationkey between Φ and Ψ. While this is true when B is somegeneral invertible matrix as we assumed throughout thispaper, there might be an issue for the special case ofB = I. Because when B = I, Φ and Ψ becomes equiva-lent to each other. Thus, the adversary in possession ofΨK may know the feasible region of original problem Φthrough Ψ directly.
To avoid this unwanted information leakage on fea-sible region, we propose to use an additional general-ized permutation matrix (from products of non-singulardiagonal and permutation matrices) P with positive1
non-zero elements to multiply both sides of B′y ≥ 0in Eq. (3) and get B′′ = PB′y ≥ 0, which is now ourfinal transformed inequality constraints. By doing so,the constraint of ΨK is now changed to A′B′′−1w =A′B′−1P−1w = b′,w ≥ 0. Due to the random choiceof P, ΨK ’s feasible region is no longer the same asΨ in Eq. (13) any more. That is, AB−1x = b andA′B′−1P−1w = b′ no longer have the same solution set.Note that P does not have to be introduced for everytransformation but only at this special case for enhancedprotection of feasible region. Since P is a generalizedpermutation matrix, multiplying P to B′ only incursO(n2) cost, which can indeed be deemed lightweight,compared to other O(n3) matrix-matrix multiplicationsincurred in the problem transformation design.
6 PERFORMANCE ANALYSIS
6.1 Theoretic Analysis
6.1.1 Customer Side Overhead
For the three customer side algorithms KeyGen,ProbEnc, and ResultDec, it is straight-forward thatthe most time-consuming operations are the matrix-matrix multiplications in problem encryption algorithmProbEnc. Since m ≤ n, the time complexity for the cus-tomer local computation is thus asymptotically the sameas matrix-matrix multiplication, i.e., O(nρ) for some2 < ρ ≤ 3. In our experiment, the matrix multiplication isimplemented via standard cubic-time method, thus theoverall computation overhead is O(n3). However, othermore efficient matrix multiplication algorithms can alsobe adopted, such as the Strassen’s algorithm with timecomplexity O(n2.81) [19] or the Coppersmith-Winogradalgorithm [20] in O(n2.376). In either case, the customerside efficiency can be further improved.
1. In fact, if P has negative values, the only difference is that notall the rows in PB′y will remain larger than 0. Though it won’t affectour result, for ease of presentation, we refine non-zero elements in Pto be positive.
10
6.1.2 Server Side OverheadFor cloud server, its only computation overhead is tosolve the encrypted LP problem ΦK as well as generatingthe result proof Γ, both of which correspond to thealgorithm ProofGen. If the encrypted LP problem ΦKbelongs to normal case, cloud server just solves it withthe dual optimal solution as the result proof Γ, whichis usually readily available in the current LP solvingalgorithms and incurs no additional cost for cloud (seeSection 3.5). If the encrypted problem ΦK does not havean optimal solution, additional auxiliary LP problemscan be solved to provide a proof. Because for generalLP solvers, phase I method (solving the auxiliary LP) isalways executed at first to determine the initial feasiblesolution [17], proving the auxiliary LP with optimal so-lutions also introduces little additional overhead. Thus,in all the cases, the computation complexity of the cloudserver is asymptotically the same as to solve a normalLP problem, which usually requires more than O(n3)time [14].
Obviously, the customer will not spend more timeto encrypt the problem and solve the problem in thecloud than to solve the problem on his own. Therefore,in theory, the proposed mechanism would allow thecustomer to outsource their LP problems to the cloudand gain great computation savings.
6.2 Experiment ResultsWe now assess the practical efficiency of the proposedsecure and verifiable LP outsourcing scheme with exper-iments. We implement the proposed mechanism includ-ing both the customer and the cloud side processes inMatlab and utilize the MOSEK optimization [21] throughits Matlab interface to solve the original LP problem Φand encrypted LP problem ΦK . Both customer and cloudserver computations in our experiment are conductedon the same workstation with an Intel Core 2 Duoprocessor running at 1.86 GHz with 4 GB RAM. Inthis way, the practical efficiency of the proposed mecha-nism can be assessed without a real cloud environment.We also ignore the communication latency between thecustomers and the cloud for this application since thecomputation dominates the running time as evidencedby our experiments.
Our randomly generated test benchmark covers thesmall and medium sized problems, where m and n areincreased from 50 to 3200 and 60 to 3840, respectively.All these benchmarks are for the normal cases withfeasible optimal solutions. Since in practice the infea-sible/unbounded cases for LP computations are veryrare, we do not include those experiments for the currentwork. Table 1 gives our experimental results, where eachentry in the table represents the mean of 20 trials.
In this table, the sizes of the original LP problemsare reported in the first two columns. The times tosolve the original LP problem in seconds, toriginal, arereported in the third column. The times to solve the
encrypted LP problem in seconds are reported in thefourth and fifth columns, separated into the time forthe cloud server tcloud and the time for the customertcustomer. Note that since each KeyGen would generatea different key, the encrypted LP problem ΦK generatedby ProbEnc would be different and thus result in adifferent running time to solve it. The tcloud and tcustomerreported in Table 1 are thus the average of multipletrials. We propose to assess the practical efficiency bytwo characteristics calculated from toriginal, tcloud, andtcustomer. The Asymmetric Speedup, calculated as toriginal
tcustomer,
represents the savings of the computing resources forthe customers to outsource the LP problems to the cloudusing the proposed mechanism. The Cloud Efficiency, cal-culated as toriginal
tcloud, represents the overhead introduced to
the overall computation by the proposed mechanism. Itcan be seen from the table that we can always achievemore than 30× savings when the sizes of the originalLP problems are not too small. On the other hand, fromthe last column, we can claim that for the whole systemincluding the customers and the cloud, the proposedmechanism will not introduce a substantial amount ofoverhead. It thus confirms that secure outsourcing LP incloud computing is economically viable.
7 RELATED WORK
7.1 Work on Secure Computation Outsourcing
General secure computation outsourcing that fulfillsall aforementioned requirements, such as input/outputprivacy and correctness/soundness guarantee has beenshown feasible in theory by Gennaro et al. [10]. However,it is currently not practical due to its huge computationcomplexity. Instead of outsourcing general functions, inthe security community, Atallah et al. explore a list ofwork [6], [8], [9], [11] for securely outsourcing specificapplications. The customized solutions are expected tobe more efficient than the general way of construct-ing the circuits. In [6], they give the first investiga-tion of secure outsourcing of numerical and scientificcomputation. A set of problem dependent disguisingtechniques are proposed for different scientific applica-tions like linear algebra, sorting, string pattern matching,etc. However, these disguise techniques explicitly allowinformation disclosure to certain degree. Besides, theydo not handle the important case of result verification,which in our work is bundled into the design and comesat close-to-zero additional cost. Later on in [8] and [9],Atallah et al. give two protocol designs for both securesequence comparison outsourcing and secure algebraiccomputation outsourcing. However, both protocols useheavy cryptographic primitive such as homomorphicencryptions [22] and/or oblivious transfer [23] and donot scale well for large problem set. In addition, bothdesigns are built upon the assumption of two non-colluding servers and thus vulnerable to colluding at-tacks. Based on the same assumption, Hohenberger et
11
TABLE 1: Performance Results. Here toriginal, tcloud, and tcustomer denotes the cloud-side original problem solvingtime, cloud-side encrypted problem solving time, and customer-side computation time, respectively. The asymmetricspeedup captures the customer efficiency gain via LP outsourcing. The cloud efficiency captures the overallcomputation cost on cloud introduced by solving encrypted LP problem, which should ideally be as close to 1as possible.
Benchmark Original Problem Encrypted Problem Asymmetric Speedup Cloud Efficiency# small and medium size toriginal (sec) tcloud (sec) tcustomer (sec) toriginal
tcustomer
toriginal
tcloud
1 m = 50, n = 60 0.167 0.170 0.007 26.5 × 0.9812 m = 100, n = 120 0.227 0.239 0.005 46.7 × 0.9563 m = 200, n = 240 0.630 0.613 0.017 37.3 × 1.0374 m = 400, n = 480 3.033 3.671 0.090 33.5 × 0.8355 m = 800, n = 960 19.838 23.527 0.569 34.9 × 0.8516 m = 1,600, n = 1,920 171.862 254.012 4.015 42.6 × 0.6907 m = 3,200, n = 3,840 1,757.570 2,661.360 47.602 36.4 × 0.745
al. [7] provide protocols for secure outsourcing of mod-ular exponentiation, which is considered as prohibitivelyexpensive in most public-key cryptography operations.Very recently, Atallah [11] et al. give a provably secureprotocol for secure outsourcing matrix multiplicationsbased on secret sharing [24]. While this work outper-forms their previous work [9] in the sense of singleserver assumption and computation efficiency (no ex-pensive cryptographic primitives), the drawback is thelarge communication overhead. Namely, due to secretsharing technique, all scalar operations in original matrixmultiplication are expanded to polynomials, introducingsignificant amount of overhead. Considering the caseof the result verification, the communication overheadmust be further doubled, due to the introducing ofadditional pre-computed “random noise” matrices.
In short, these solutions, although elegant, are still notefficient enough for immediate practical uses, which weaim to address for the secure LP outsourcing in thispaper.
7.2 Work on Secure Multiparty ComputationAnother large existing list of work that relates to (butis also significantly different from) ours is Secure Multi-party Computation (SMC), first introduced by Yao [12].SMC allows two or more parties to jointly compute somegeneral function while hiding their inputs to each other.As general SMC can be very inefficient, Du and Atallahet. al. have proposed a series of customized solutionsunder the SMC context to a spectrum of special com-putation problems, such as privacy-preserving coopera-tive statistical analysis, scientific computation, geometriccomputations, sequence comparisons, etc. [25]. How-ever, directly applying these approaches to the cloudcomputing model for secure computation outsourcingwould still be problematic. The major reason is that theydid not address the asymmetry among the computa-tional powers possessed by cloud and the customers,i.e., all these schemes in the context of SMC imposeeach involved parties comparable computation burdens,which we specifically avoid in the mechanism design
by shifting as much as possible computation burden tocloud only. Another reason is the asymmetric securityrequirement. In SMC no single involved party knowsall the problem input information, making result ver-ification a very difficult task. But in our model, wecan explicitly exploit the fact that the customer knowsall input information and thus design efficient resultverification mechanism.
Under the SMC model, Li and Atallah [26] give thefirst study for secure and collaborative computationof linear programming. Their solution is based on theadditive split of the constraint matrix between two in-volved parties, followed by a series of interactive (andarguably heavy) cryptographic protocols collaborativelyexecuted in each iteration step of the Simplex Algorithm.The work does not provide practical performance forbig size problems. Besides, they only consider honest-but-curious model and thus do not guarantee that thefinal solution is optimal. Following the same framework,Toft [27] also proposes a secure Simplex Algorithm basedon secret sharing, which outperforms the one in [26]with slightly better protocol complexity. In [28], Vaidyapresented a revised Simplex Algorithm based on securescalar product and secure comparison protocols, but themethod only applies to the case where one party holdsthe cost function, and the other holds the constraints.Recently, Catrina et al. [29] propose a secure multipartylinear programming via fixed-point arithmetics. Thoughmore efficient than the work in [26], [27], their approachstill only works for relatively small size problems, anddoes not enjoy the computational simplicity as our mech-anism. Moreover, all these designs have the computationasymmetry issue mentioned previously, and thus are notsuitable for the computation outsourcing scenario.
In other related work, both Du [30] and Vaidya [31]have studied using disguising matrix based transforma-tion approaches to tackle privacy-preserving linear pro-gramming problems. However, as later pointed out byBednarz et al. [32], both Du’s and Vaidya’s approacheshave correctness flaws, which may lead to returned solu-tions falling into infeasible region of original problems.
12
To fix the problem, Bednarz et al. [32] propose to usegeneralized permutation matrices with only positive el-ements to disguise the linear constraints. However, suchpermutation matrices explicitly preserve the number ofzero elements (aka. sparsity) of both the original con-straint matrix and the original problem solution. Thusthe input/ouput protection is not complete. Note thatthis is not the case in our generalized affine mappingbased approach (see Section 4.2). Very recently, Man-gasarian proposes two privacy-preserving formulationsof linear programming over vertically [33] and hori-zontally partitioned [34] constraint matrix, respectively,among different involved entities. Both approaches aredesigned under SMC model and do not support a wayto guarantee the quality of final solution in case ofmaliciously adversaries. Additionally, in his horizontallypartitioned problem setting, the proposed approach islimited to hiding equality constraints only, and leavessecrecy of output unprotected.
7.3 Work on Delegating Computation and CheatingDetection
Detecting the unfaithful behaviors for computation out-sourcing is not an easy task, even without consider-ation of input/output privacy. Verifiable computationdelegation, where a computationally weak customercan verify the correctness of the delegated computationresults from a powerful but untrusted server withoutinvesting too much resources, has found great interestsin theoretical computer science community. Some recentgeneral result can be found in Goldwasser et al. [35]. Indistributed computing and targeting the specific compu-tation delegation of one-way function inversion, Golle etal. [36] propose to insert some pre-computed results (im-ages of “ringers”) along with the computation workloadto defeat untrusted (or lazy) workers. Szada et al. [37]extend the ringer scheme and propose methods to dealwith cheating detection of other classes of computationoutsourcing, including optimization tasks and MonteCarlo simulations. In [38], Du. et al. propose a method ofcheating detection for general computation outsourcingin grid computing. The server is required to provide acommitment via a Merkle tree based on the results itcomputed. The customer can then use the commitmentcombined with a sampling approach to carry out theresult verification (without re-doing much of the out-sourced work.)
However, all above schemes allow server actually seethe data and result it is computing with, which is strictlyprohibited in the cloud computing model for data pri-vacy. Thus, the problem of result verification essentiallybecomes more difficult, when both input/output privacyis demanded. Our work leverages the duality theoryof LP problem and effectively bundles the result veri-fication within the mechanism design, with little extraoverhead on both customer and cloud server.
8 CONCLUDING REMARKS
In this paper, for the first time, we formalized the prob-lem of securely outsourcing LP computations in cloudcomputing, and provided such a practical mechanismdesign which fulfills input/output privacy, cheating re-silience, and efficiency. By explicitly decomposing LPcomputation outsourcing into public LP solvers andprivate data, our mechanism design is able to exploreappropriate security/efficiency tradeoffs via higher levelLP computation than the general circuit representation.We developed problem transformation techniques thatenable customers to secretly transform the original LPinto some random one while protecting sensitive in-put/output information. We also investigated dualitytheorem and derived a set of necessary and sufficientcondition for result verification. Such a cheating re-silience design can be bundled in the overall mechanismwith close-to-zero additional overhead. Both securityanalysis and experiment results demonstrates the imme-diate practicality of the proposed mechanism.
ACKNOWLEDGEMENT
This work was supported in part by the US NationalScience Foundation under grant CNS-0831963.
REFERENCES[1] C. Wang, K. Ren, and J. Wang, “Secure and practical outsourcing
of linear programming in cloud computing,” in Proc. of IEEEINFOCOM, 2011, to appear.
[2] P. Mell and T. Grance, “Draft nist working definition of cloudcomputing,” Referenced on Jan. 23rd, 2010 Online at http://csrc.nist.gov/groups/SNS/cloud-computing/index.html, 2010.
[3] Cloud Security Alliance, “Security guidance for critical areasof focus in cloud computing,” 2009, online at http://www.cloudsecurityalliance.org.
[4] C. Gentry, “Computing arbitrary functions of encrypted data,”Commun. ACM, vol. 53, no. 3, pp. 97–105, 2010.
[5] Sun Microsystems, Inc., “Building customer trust in cloud com-puting with transparent security,” 2009, online at https://www.sun.com/offers/details/sun transparency.xml.
[6] M. J. Atallah, K. N. Pantazopoulos, J. R. Rice, and E. H. Spaf-ford, “Secure outsourcing of scientific computations,” Advances inComputers, vol. 54, pp. 216–272, 2001.
[7] S. Hohenberger and A. Lysyanskaya, “How to securely outsourcecryptographic computations,” in Proc. of TCC, 2005, pp. 264–282.
[8] M. J. Atallah and J. Li, “Secure outsourcing of sequence compar-isons,” Int’l J. Inf. Sec., vol. 4, no. 4, pp. 277–287, 2005.
[9] D. Benjamin and M. J. Atallah, “Private and cheating-free out-sourcing of algebraic computations,” in Proc. of Int’l Conf. onPrivacy, Security, and Trust (PST), 2008, pp. 240–245.
[10] R. Gennaro, C. Gentry, and B. Parno, “Non-interactive verifiablecomputing: Outsourcing computation to untrusted workers,” inProc. of CRYPTO, Aug. 2010.
[11] M. Atallah and K. Frikken, “Securely outsourcing linear algebracomputations,” in Proc. of ASIACCS, 2010, pp. 48–59.
[12] A. C.-C. Yao, “Protocols for secure computations (extended ab-stract),” in Proc. of FOCS, 1982, pp. 160–164.
[13] C. Gentry, “Fully homomorphic encryption using ideal lattices,”in Proc of STOC, 2009, pp. 169–178.
[14] D. Luenberger and Y. Ye, Linear and Nonlinear Programming, 3rd ed.Springer, 2008.
[15] C. Wang, N. Cao, J. Li, K. Ren, and W. Lou, “Secure rankedkeyword search over encrypted cloud data,” in Proc. of ICDCS,2010.
[16] S. Yu, C. Wang, K. Ren, and W. Lou, “Achieving secure, scalable,and fine-grained access control in cloud computing,” in Proc. ofIEEE INFOCOM’10, San Diego, CA, USA, March 2010.
13
[17] S. Boyd and L. Vandenberghe, Convex Optimization. CambridgeUniversity Press, 2004.
[18] T. H. Cormen, C. E. Leiserson, R. L. Rivest, and C. Stein, Intro-duction to Algorithms, 2nd ed. MIT press, 2008.
[19] V. Strassen, “Gaussian elimination is not optimal,” Numer. Math.,vol. 13, pp. 354–356, 1969.
[20] D. Coppersmith and S. Winograd, “Matrix multiplication viaarithmetic progressions,” in Proc. of STOC, 1987, pp. 1–6.
[21] MOSEK ApS, “The MOSEK Optimization Software,” Online athttp://www.mosek.com/, 2010.
[22] P. Paillier, “Public-key cryptosystems based on composite degreeresiduosity classes,” in Proc. of EUROCRYPT, 1999, pp. 223–238.
[23] S. Even, O. Goldreich, and A. Lempel, “A randomized protocolfor signing contracts,” Commun. ACM, vol. 28, no. 6, pp. 637–647,1985.
[24] A. Shamir, “How to share a secret,” Commun. ACM, vol. 22, no. 11,pp. 612–613, 1979.
[25] W. Du and M. J. Atallah, “Secure multi-party computation prob-lems and their applications: a review and open problems,” in Proc.of New Security Paradigms Workshop (NSPW), 2001, pp. 13–22.
[26] J. Li and M. J. Atallah, “Secure and private collaborative linearprogramming,” in Proc. of Int’l Conf. on Collaborative Computing,2006.
[27] T. Toft, “Solving linear programs using multiparty computation,”in Proc. of Financial Cryptography and Data Security, 2009, pp. 90–107.
[28] J. Vaidya, “A secure revised simplex algorithm for privacy-preserving linear programming,” in Proc. of IEEE Conf. on Ad-vanced Information Networking and Applications (AINA), 2009.
[29] O. Catrina and S. De Hoogh, “Secure multiparty linear program-ming using fixed-point arithmetic,” in Proc. of ESORICS, 2010, pp.134–150.
[30] W. Du, “A study of several specific secure two-party computationproblems,” Ph.D. dissertation, Purdue University, Indiana, 2001.
[31] J. Vaidya, “Privacy-preserving linear programming,” in Proc. of24th ACM Symposium on Applied Computing, 2009.
[32] A. Bednarz, N. Bean, and M. Roughan, “Hiccups on the roadto privacy-preserving linear programming,” in Proc. of ACMworkshop on Privacy in the Electronic Society (WPES), 2009.
[33] O. L. Mangasarian, “Privacy-preserving linear programming,”Optimization Letters, vol. 5, pp. 165–172, 2011.
[34] ——, “Privacy-preserving horizontally-partitioned linear pro-gramming,” Optimization Letters, 2011, to appear.
[35] S. Goldwasser, Y. T. Kalai, and G. N. Rothblum, “Delegatingcomputation: interactive proofs for muggles,” in Proc. of STOC,2008, pp. 113–122.
[36] P. Golle and I. Mironov, “Uncheatable distributed computations,”in Proc. of CT-RSA, 2001, pp. 425–440.
[37] D. Szajda, B. G. Lawson, and J. Owen, “Hardening functions forlarge scale distributed computations,” in Proc. of IEEE Symposiumon Security and Privacy, 2003, pp. 216–224.
[38] W. Du, J. Jia, M. Mangal, and M. Murugesan, “Uncheatable gridcomputing,” in Proc. of ICDCS, 2004, pp. 4–11.