Abstract
The combination of software-as-a-service and the increasing use of mobile devices gives rise to a considerable difference in computational power between servers and clients. Thus, there is a desire for clients to outsource the evaluation of complex functions to an external server. Servers providing such a service may be rewarded per computation, and as such have an incentive to cheat by returning garbage rather than devoting resources and time to compute a valid result.
In this work, we introduce the notion of Revocable Publicly Verifiable Computation (RPVC), where a cheating server is revoked and may not perform future computations (thus incurring a financial penalty). We introduce a Key Distribution Center (KDC) to efficiently handle the generation and distribution of the keys required to support RPVC. The KDC is an authority over entities in the system and enables revocation. We also introduce a notion of blind verification such that results are verifiable (and hence servers can be rewarded or punished) without learning the value. We present a rigorous definitional framework, define a number of new security models and present a construction of such a scheme built upon Key-Policy Attribute-based Encryption.
J. Alderman acknowledges support from BAE Systems Advanced Technology Centre under a CASE Award.
C. Cid—This research was partially sponsored by US Army Research Laboratory and the UK Ministry of Defence under Agreement Number W911NF-06-3-0001. The views and conclusions contained in this document are those of the authors and should not be interpreted as representing the official policies, either expressed or implied, of the US Army Research Laboratory, the U.S. Government, the UK Ministry of Defence, or the UK Government. The US and UK Governments are authorized to reproduce and distribute reprints for Government purposes notwithstanding any copyright notation hereon.
Notes
1. Note that if a server is not given \(RK_{F,x}\) then it too cannot learn the output.
2. In some instantiations, it may not be necessary to issue entirely new evaluation keys to each entity. In Sect. 4, we only need to issue a partially updated key for example.
3. We do not need to provide a \(\mathsf {Verify}\) oracle since this is a publicly verifiable scheme and \(\mathcal {A}\) is given verification keys (thus we also avoid the rejection problem).
4. This is due to the selective IND-sHRSS game that we base the construction upon. Since this is used in a black-box manner however, a stronger primitive may allow this game to be improved accordingly.
5. Following Parno et al. we restrict our attention to Boolean functions, and in particular the complexity class \(NC^1\) which includes all circuits of depth \(\mathcal {O}(\log n)\). Thus functions we can outsource can be built from common operations such as AND, OR, NOT, equality and comparison operators, arithmetic operators and regular expressions.
6. \(\mathbb {T}\) could be a counter that is maintained in the public parameters or a networked clock.
7. If input privacy is required then a predicate encryption scheme could be used in place of the KP-ABE scheme.
References
Alderman, J., Janson, C., Cid, C., Crampton, J.: Revocation in publicly verifiable outsourced computation. Cryptology ePrint Archive, Report 2014/640 (2014). http://eprint.iacr.org/
Attrapadung, N., Imai, H.: Attribute-based encryption supporting direct/indirect revocation modes. In: Parker, M.G. (ed.) Cryptography and Coding 2009. LNCS, vol. 5921, pp. 278–300. Springer, Heidelberg (2009)
Carter, H., Lever, C., Traynor, P.: Whitewash: outsourcing garbled circuit generation for mobile devices. In: Payne, Jr. C.N., Hahn, A., Butler, K.R.B., Sherr, M. (eds.) Proceedings of the 30th Annual Computer Security Applications Conference, ACSAC 2014, pp. 266–275. ACM (2014)
Choi, S.G., Katz, J., Kumaresan, R., Cid, C.: Multi-client non-interactive verifiable computation. In: Sahai, A. (ed.) TCC 2013. LNCS, vol. 7785, pp. 499–518. Springer, Heidelberg (2013)
Gennaro, R., Gentry, C., Parno, B.: Non-interactive verifiable computing: outsourcing computation to untrusted workers. In: Rabin, T. (ed.) CRYPTO 2010. LNCS, vol. 6223, pp. 465–482. Springer, Heidelberg (2010)
Gentry, C.: Fully homomorphic encryption using ideal lattices. In: Mitzenmacher, M. (ed.) STOC, pp. 169–178. ACM (2009)
Goldwasser, S., Gordon, S.D., Goyal, V., Jain, A., Katz, J., Liu, F.-H., Sahai, A., Shi, E., Zhou, H.-S.: Multi-input functional encryption. In: Nguyen, P.Q., Oswald, E. (eds.) EUROCRYPT 2014. LNCS, vol. 8441, pp. 578–602. Springer, Heidelberg (2014)
Goyal, V., Pandey, O., Sahai, A., Waters, B.: Attribute-based encryption for fine-grained access control of encrypted data. In: Juels, A., Wright, R.N., di Vimercati, S.D.C. (eds.) Proceedings of the 13th ACM Conference on Computer and Communications Security, CCS 2006, pp. 89–98. ACM (2006)
Green, M., Hohenberger, S., Waters, B.: Outsourcing the decryption of ABE ciphertexts. In: 2011 Proceedings of the 20th USENIX Security Symposium, San Francisco, CA, USA, August 8–12. USENIX Association (2011)
Parno, B., Raykova, M., Vaikuntanathan, V.: How to delegate and verify in public: verifiable computation from attribute-based encryption. In: Cramer, R. (ed.) TCC 2012. LNCS, vol. 7194, pp. 422–439. Springer, Heidelberg (2012)
Yao, A.C.-C.: How to generate and exchange secrets (extended abstract). In: FOCS, pp. 162–167. IEEE Computer Society (1986)
A PVC Using KP-ABE
Parno et al. [10] provide an instantiation using Key-Policy Attribute-based Encryption (KP-ABE) [8] for Boolean functions (see Note 7). Define a universe \({\mathcal {U}}\) of \(n\) attributes and associate \(V \subseteq {\mathcal {U}}\) with a binary \(n\)-tuple (the characteristic tuple of \(V\)) where the \(i\)th place is \(1\) if and only if the \(i\)th attribute is in \(V\). Thus, there is a natural one-to-one correspondence between \(n\)-tuples and attribute sets; we write \(A_x\) to denote the set associated with \(x\). A function \(F\!\! : \{0,1\}^n \rightarrow \{0,1\}\) is monotonic if \(x \leqslant y\) implies \(F(x) \leqslant F(y)\), where \(x = (x_1,\dots ,x_n)\) is less than or equal to \(y = (y_1,\dots ,y_n)\) if and only if \(\forall i, x_i \leqslant y_i\). For a monotonic \(F\), the set \(\mathbb {A}_F = \{x \in \{0,1\}^n : F(x) = 1\}\) defines a monotonic access structure. Informally, for a Boolean function \(F\), the client generates a private key \(SK_{\mathbb {A}_F}\) using the KeyGen algorithm.
Given an input \(x\), a client encrypts a random message \(m\) “with” \(A_x\) using the Encrypt algorithm and publishes \(VK_{F,x} = g(m)\) where \(g\) is a suitable one-way function (e.g. a pre-image resistant hash function). The server decrypts the message using the Decrypt algorithm, which will either return \(m\) (when \(F(x) = 1\)) or \(\bot \).
The server returns \(m\) to the client. Any client can then apply \(g\) to the value returned by the server and test whether the result equals the published \(VK_{F,x} = g(m)\). Note, however, that a “rational” malicious server will always return \(\bot \), since returning any other value will (with high probability) result in the verification algorithm returning a reject decision. Thus, it is necessary to have the server compute both \(F\) and its “complement” (and for both outputs to be verified).
Note that, to compute the private key \(SK_{\mathbb {A}_F}\), it is necessary to identify all minimal elements \(x\) of \(\{0,1\}^n\) such that \(F(x) = 1\). There may be exponentially many such \(x\). Thus, the initial phase is indeed computationally expensive for the client. Note also that the client may generate different private keys to enable the evaluation of different functions.
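To make the cost of this initial phase concrete, the following added example (not code from the paper) maps tuples to attribute sets, checks monotonicity, and enumerates the minimal elements of \(\mathbb {A}_F\) by brute force. The function names and the sample threshold and parity functions are assumptions chosen for illustration.

```python
from itertools import combinations

def attr_set(x):
    """A_x: indices of the attributes whose place in the tuple x is 1."""
    return frozenset(i for i, bit in enumerate(x) if bit)

def char_tuple(V, n):
    """Characteristic n-tuple of an attribute set V."""
    return tuple(1 if i in V else 0 for i in range(n))

def all_subsets(n):
    """Every attribute set over n attributes, in order of increasing size."""
    for r in range(n + 1):
        for V in combinations(range(n), r):
            yield frozenset(V)

def is_monotonic(F, n):
    """x <= y implies F(x) <= F(y); flipping one 0 to 1 suffices by transitivity."""
    for V in all_subsets(n):
        x = char_tuple(V, n)
        for i in range(n):
            if x[i] == 0:
                y = x[:i] + (1,) + x[i + 1:]
                if F(x) > F(y):
                    return False
    return True

def minimal_elements(F, n):
    """Minimal x with F(x) = 1, returned as attribute sets (F must be monotonic)."""
    minimal = []
    for V in all_subsets(n):                # smaller sets are visited first
        if F(char_tuple(V, n)) == 1 and not any(m < V for m in minimal):
            minimal.append(V)
    return minimal

def threshold(k):
    """Sample monotone function (constructed): 1 iff at least k inputs are 1."""
    return lambda x: 1 if sum(x) >= k else 0

def parity(x):
    """Sample non-monotone function (constructed)."""
    return sum(x) % 2
```

For the 5-of-10 threshold function the enumeration returns 252 minimal elements, the binomial coefficient \(\binom{10}{5}\), and the count for an \(n/2\)-of-\(n\) threshold grows exponentially in \(n\).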
© 2015 Springer International Publishing Switzerland
Cite this paper
Alderman, J., Janson, C., Cid, C., Crampton, J. (2015). Revocation in Publicly Verifiable Outsourced Computation. In: Lin, D., Yung, M., Zhou, J. (eds) Information Security and Cryptology. Inscrypt 2014. Lecture Notes in Computer Science(), vol 8957. Springer, Cham. https://doi.org/10.1007/978-3-319-16745-9_4
DOI: https://doi.org/10.1007/978-3-319-16745-9_4
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-16744-2
Online ISBN: 978-3-319-16745-9
eBook Packages: Computer Science, Computer Science (R0)