Skip to main content

Revocation in Publicly Verifiable Outsourced Computation

  • Conference paper
  • First Online:
Information Security and Cryptology (Inscrypt 2014)

Part of the book series: Lecture Notes in Computer Science ((LNSC,volume 8957))

Included in the following conference series:

Abstract

The combination of software-as-a-service and the increasing use of mobile devices gives rise to a considerable difference in computational power between servers and clients. Thus, there is a desire for clients to outsource the evaluation of complex functions to an external server. Servers providing such a service may be rewarded per computation, and as such have an incentive to cheat by returning garbage rather than devoting resources and time to compute a valid result.

In this work, we introduce the notion of Revocable Publicly Verifiable Computation (RPVC), where a cheating server is revoked and may not perform future computations (thus incurring a financial penalty). We introduce a Key Distribution Center (KDC) to efficiently handle the generation and distribution of the keys required to support RPVC. The KDC is an authority over entities in the system and enables revocation. We also introduce a notion of blind verification such that results are verifiable (and hence servers can be rewarded or punished) without learning the value. We present a rigorous definitional framework, define a number of new security models and present a construction of such a scheme built upon Key-Policy Attribute-based Encryption.

J. Alderman acknowledges support from BAE Systems Advanced Technology Centre under a CASE Award.

C. Cid—This research was partially sponsored by US Army Research laboratory and the UK Ministry of Defence under Agreement Number W911NF-06-3-0001. The views and conclusions contained in this document are those of the authors and should not be interpreted as representing the official policies, either expressed or implied, of the US Army Research Laboratory, the U.S. Government, the UK Ministry of Defence, or the UK Government. The US and UK Governments are authorized to reproduce and distribute reprints for Government purposes notwithstanding any copyright notation hereon.

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Subscribe and save

Springer+ Basic
$34.99 /Month
  • Get 10 units per month
  • Download Article/Chapter or eBook
  • 1 Unit = 1 Article or 1 Chapter
  • Cancel anytime
Subscribe now

Buy Now

Chapter
USD 29.95
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
eBook
USD 39.99
Price excludes VAT (USA)
  • Available as EPUB and PDF
  • Read on any device
  • Instant download
  • Own it forever
Softcover Book
USD 54.99
Price excludes VAT (USA)
  • Compact, lightweight edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions

Similar content being viewed by others

Notes

  1. 1.

    Note that if a server is not given \(RK_{F,x}\) then it too cannot learn the output.

  2. 2.

    In some instantiations, it may not be necessary to issue entirely new evaluation keys to each entity. In Sect. 4, we only need to issue a partially updated key for example.

  3. 3.

    We do not need to provide a \(\mathsf {Verify}\) oracle since this is a publicly verifiable scheme and \(\mathcal {A}\) is given verification keys (thus we also avoid the rejection problem).

  4. 4.

    This is due to the selective IND-sHRSS game that we base the construction upon. Since this is used in a black-box manner however, a stronger primitive may allow this game to be improved accordingly.

  5. 5.

    Following Parno et al. we restrict our attention to Boolean functions, and in particular the complexity class \(NC^1\) which includes all circuits of depth \(\mathcal {O}(\log n)\). Thus functions we can outsource can be built from common operations such as AND, OR, NOT, equality and comparison operators, arithmetic operators and regular expressions.

  6. 6.

    \(\mathbb {T}\) could be a counter that is maintained in the public parameters or a networked clock.

  7. 7.

    If input privacy is required then a predicate encryption scheme could be used in place of the KP-ABE scheme.

References

  1. Alderman, J., Janson, C., Cid, C., Crampton, J.: Revocation in publicly verifiable outsourced computation. Cryptology ePrint Archive, Report 2014/640 (2014). http://eprint.iacr.org/

  2. Attrapadung, N., Imai, H.: Attribute-based encryption supporting direct/indirect revocation modes. In: Parker, M.G. (ed.) Cryptography and Coding 2009. LNCS, vol. 5921, pp. 278–300. Springer, Heidelberg (2009)

    Google Scholar 

  3. Carter, H., Lever, C., Traynor, P.: Whitewash: outsourcing garbled circuit generation for mobile devices. In: Payne, Jr. C.N., Hahn, A., Butler, K.R.B., Sherr, M. (eds.) Proceedings of the 30th Annual Computer Security Applications Conference, ACSAC 2014, pp. 266–275. ACM (2014)

    Google Scholar 

  4. Choi, S.G., Katz, J., Kumaresan, R., Cid, C.: Multi-client non-interactive verifiable computation. In: Sahai, A. (ed.) TCC 2013. LNCS, vol. 7785, pp. 499–518. Springer, Heidelberg (2013)

    Google Scholar 

  5. Gennaro, R., Gentry, C., Parno, B.: Non-interactive verifiable computing: outsourcing computation to untrusted workers. In: Rabin, T. (ed.) CRYPTO 2010. LNCS, vol. 6223, pp. 465–482. Springer, Heidelberg (2010)

    Google Scholar 

  6. Gentry, C.: Fully homomorphic encryption using ideal lattices. In: Mitzenmacher, M. (ed.) STOC, pp. 169–178. ACM (2009)

    Google Scholar 

  7. Goldwasser, S., Gordon, S.D., Goyal, V., Jain, A., Katz, J., Liu, F.-H., Sahai, A., Shi, E., Zhou, H.-S.: Multi-input functional encryption. In: Nguyen, P.Q., Oswald, E. (eds.) EUROCRYPT 2014. LNCS, vol. 8441, pp. 578–602. Springer, Heidelberg (2014)

    Google Scholar 

  8. Goyal, V., Pandey, O., Sahai, A., Waters, B.: Attribute-based encryption for fine-grained access control of encrypted data. In: Juels, A., Wright, R.N., di Vimercati, S.D.C. (eds.) Proceedings of the 13th ACM Conference on Computer and Communications Security, CCS 2006, pp. 89–98. ACM (2006)

    Google Scholar 

  9. Green, M., Hohenberger, S., Waters, B.: Outsourcing the decryption of ABE ciphertexts. In: 2011 Proceedings of the 20th USENIX Security Symposium, San Francisco, CA, USA, August 8–12. USENIX Association (2011)

    Google Scholar 

  10. Parno, B., Raykova, M., Vaikuntanathan, V.: How to delegate and verify in public: verifiable computation from attribute-based encryption. In: Cramer, R. (ed.) TCC 2012. LNCS, vol. 7194, pp. 422–439. Springer, Heidelberg (2012)

    Google Scholar 

  11. Yao, A.C.-C.: How to generate and exchange secrets (extended abstract). In: FOCS, pp. 162–167. IEEE Computer Society (1986)

    Google Scholar 

Download references

Author information

Authors and Affiliations

Authors

Corresponding author

Correspondence to James Alderman .

Editor information

Editors and Affiliations

A PVC Using KP-ABE

A PVC Using KP-ABE

Parno et al. [10] provide a instantiation using Key-policy Attribute-based Encryption Footnote 7 (KP-ABE) [8], for Boolean functions. Define a universe \({\mathcal {U}}\) of \(n\) attributes and associate \(V \subseteq {\mathcal {U}}\) with a binary \(n\)-tuple (the characteristic tuple of \(V\)) where the \(i\)th place is \(1\) if and only if the \(i\)th attribute is in \(V\). Thus, there is a natural one-to-one correspondence between \(n\)-tuples and attribute sets; we write \(A_x\) to denote the set associated with \(x\). A function \(F\!\! : \{0,1\}^n \rightarrow \{0,1\}\) is monotonic if \(x \leqslant y\) implies \(F(x) \leqslant F(y)\), where \(x = (x_1,\dots ,x_n)\) is less than or equal to \(y = (y_1,\dots ,y_n)\) if and only if \(\forall i, x_i \leqslant y_i\). For a monotonic F, the set \(\mathbb {A}_F = \{x \in \{0,1\}^n : F(x) = 1\}\) defines a monotonic access structure. Informally, for a Boolean function \(F\), the client generates a private key \(SK_{\mathbb {A}_F}\) using the KeyGen algorithm.

Given an input \(x\), a client encrypts a random message \(m\) “with” \(A_x\) using the Encrypt algorithm and publishes \(VK_{F,x} = g(m)\) where \(g\) is a suitable one-way function (e.g. a pre-image resistant hash function). The server decrypts the message using the Decrypt algorithm, which will either return \(m\) (when \(F(x) = 1\)) or \(\bot \).

The server returns \(m\) to the client. Any client can test whether the value returned by the server is equal to \(g(m)\). Note, however, that a “rational” malicious server will always return \(\bot \), since returning any other value will (with high probability) result in the verification algorithm returning a reject decision. Thus, it is necessary to have the server compute both \(F\) and its “complement” (and for both outputs to be verified).

Note that, to compute the private key \(SK_{\mathbb {A}_F}\), it is necessary to identify all minimal elements \(x\) of \(\{0,1\}^n\) such that \(F(x) = 1\). There may be exponentially many such \(x\). Thus, the initial phase is indeed computationally expensive for the client. Note also that the client may generate different private keys to enable the evaluation of different functions.

Rights and permissions

Reprints and permissions

Copyright information

© 2015 Springer International Publishing Switzerland

About this paper

Cite this paper

Alderman, J., Janson, C., Cid, C., Crampton, J. (2015). Revocation in Publicly Verifiable Outsourced Computation. In: Lin, D., Yung, M., Zhou, J. (eds) Information Security and Cryptology. Inscrypt 2014. Lecture Notes in Computer Science(), vol 8957. Springer, Cham. https://doi.org/10.1007/978-3-319-16745-9_4

Download citation

  • DOI: https://doi.org/10.1007/978-3-319-16745-9_4

  • Published:

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-16744-2

  • Online ISBN: 978-3-319-16745-9

  • eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics