Public Non-interactive
Verifiable Computation
Framework
Directory
1.
2.
3.
4.
Introduction ............................................................................................................................. 3
1.1
What is public verifiable computation ...................................................................... 3
1.2
What is public non-interactive verifiable computation ........................................... 4
framework ............................................................................................................................... 4
1.3
Audience....................................................................................................................... 4
1.4
Guide to using the public verifiable computation .................................................... 5
1.5
Example ....................................................................................................................... 5
1.6
Notational conventions................................................................................................ 6
Preliminaries............................................................................................................................ 7
2.1
Background.................................................................................................................. 7
2.2
Purpose......................................................................................................................... 7
2.3
Pre-conditions .............................................................................................................. 8
2.4
Related theories ........................................................................................................... 8
2.4.1 The computational complexity basic ................................................................. 8
2.4.2 Bilinear pairing.................................................................................................. 10
2.4.3 Three-part data authentication model ............................................................ 10
2.4.4 Polynomial expression form and decomposition theorem ............................. 12
Public Non-interactive Verifiable Computation Framework ............................................ 14
3.1
General description ................................................................................................... 14
3.2 Entities ............................................................................................................................. 15
3.3 Sequence diagram ........................................................................................................ 16
An Example ............................................................................................................................ 21
5. Appendix: related symbols ................................................................................................... 29
1. Introduction
1.1
What is public verifiable computation
With the popularity and variation of internet technology, followed
by data outsourcing, calculation outsourcing is known to more and more
people. Calculation outsourcing, also known as commissioned calculation,
allows a client with weak computing ability to outsource the computation
of a function on a series of inputs x(1), x(2)... to a more powerful but
untrusted server. The powerful but untrusted server calculates and then
returns the results to the client.
There are many examples belongs to outsource computation from a
relatively weak computational device (a client ) to a more powerful entity
or collection of entities (servers). Examples include:
(1)Distributed-computing projects, in which idle processing time
on thousands of computers is harnessed to solve a computational
problem.
(2)Cloud computing, where individuals or companies can purchase
computing power as a service when solving some difficult task.
(3)Outsourcing computationally intensive operations from weak
mobile devices(e.g., smart phones, sensors) to a back-end server or some
other third party.
In each of the above scenarios, there may be an incentive for the
server to try to cheat and return an incorrect result to the client. This may
be related to the nature of the performed computation— e.g., if the server
wants to convince the client of a particular result for some sort of gain —
or may simply due to the server’s desire to minimize the use of its own
computational resources. Errors can also occur due to faulty algorithm
implementation or system failures. In all these cases, the client needs
some guarantee that the answer returned from the server is correct.
Then, how the client can guarantee that the answer returned from the
server is correct? The client needs some methods to guarantee that the
answer returned from the server is correct .So the concept of public
non-interactive verifiable computation is put forward, the client and
server interact only once in every calculation. Steps are as follows:
First, the client has some calculation parameters, after the
parameters are processed by the client, they are sent to the server .Then
the server calculates according to the customer's parameters and output
calculation results and corresponding evidence, and they are both sent to
the client. After receiving the returned results from the server, the client
processes the results and gets the calculation results. At the same time,
according to the evidence, the client can guarantee that the answer
returned from the server is correct.
With the cost of equipment resources declining in recent years, a
large number of computing devices are in the idle state, this provides a
larger development space for public non-interactive verifiable
computation and calculation outsourcing has great prospects for
development.
1.2
What is public non-interactive verifiable computation
framework
The aim of public non-interactive verifiable computation framework
is to provide some instructional ideas for the deployment and application
of public non-interactive verifiable computation, including calculation
outsourcing entities, attributes of each entity, the interaction of the
entities, and validation of the calculation results, etc.
1.3
Audience
The document is written for the following readers:
(1) Designers and developers of the public non-interactive verifiable
computation system.
(2) Analysis and development personnel of the related public
non-interactive verifiable computation documents.
(3) Users who want to have a better understanding of public
non-interactive verifiable computation.
1.4
Guide to using the public verifiable computation
We suggest early readers read the entire contents of this document in
detail. The terms at the back of the document are listed in order of
appearance, and are convenient for readers to quickly understand.
This part introduces the concept of public non-interactive verifiable
computation. Non-professional readers are suggested to read this part in
detail.
The second part introduces the background, the purpose, premise
condition and related theories of public non-interactive verifiable
computation .So it is convenient for readers to have a comprehensive
understanding of public non-interactive verifiable computation.
The third part includes the core contents of this document; it
introduces the frame structure of public non-interactive verifiable
computation in detail, including the entities, the initialization process of
each entity, the interaction process of entities, calculation process and the
verification of the results. This section will be of great help to deploy the
framework of public non-interactive verifiable computation.
The fourth part introduces an implementation scenario of the public
non-interactive verifiable computation, we implements a public
non-interactive verifiable computation system for one indeterminate
polynomial calculation using the third part’s framework.
1.5
Example
With the emergence of cloud computing, closely integrated with the
cloud computing, the public non-interactive verifiable computation has
been widely used .Below are two practical scenarios.
The first scenario is: supposing you have a source side to develop an
algorithm about stock movements. Simply, the algorithm only returns
rising or falling. The algorithm is given to the cloud server, and the client
is an equipment of limited computing power, such as mobile phones.
Then the client just need to send stock codes to the server, the server
sends the result and the parameters of the client required to the client .The
client accepts the results and verify the authenticity of the results.
The second scenario is that: the source side has developed a large
mobile phone games, and upload all kinds of computing algorithm that
users need to the cloud server. When users play games on the mobile
phone that have limited computing power, due to the limited computing
power, users send some parameters to the game server on the clouds and
the cloud server use the game parameters to calculate. Then the results
together with the attached parameters (validation parameters) is returned
to the mobile users, users can validate the results and continue the game.
1.6
Notational conventions
The key words MUST, MUST NOT, REQUIRED, SHALL, SHALL
NOT, SHOULD, SHOULD NOT, RECOMMENDED, MAY, and
OPTIONAL in this document are to be interpreted as described in
[RFC2119].
2. Preliminaries
2.1
Background
With the popularity and variation of internet technology, after data
outsourcing, calculation outsourcing has been more and more knowing.
Outsourcing calculation is one of hot topics in the study of the current
cryptography, the vast majority of research scenario is that weaker
calculation equipment gives the difficulty calculation to a device which
has more computing power, and gets the calculation results from the
device of strong calculation power.
In the real world, the computing resources distribution is not balanced.
First, there are a lot of idle computing resources in the network, such as in
the off-season there will be a lot of idle machine in large supermarkets.
Second, the network has a lot of different computing devices, such as
weaker computing power equipment: mobile phones, netbooks, and
strong computing power equipment: computers. If you want to process a
complex calculation (such as encryption operation or image processing),
poor ability equipment needs to give the calculation to the strong
equipment to process.
Because of these reasons, computation outsourcing begins to develop
rapidly, and become an important solution to calculate the complex
problem and also can make good use of calculation resources, and
promote the development of convenient carrying, less computing power
equipment. Because the users shall delivery calculation to other
equipment for processing, it has strict requirements for the validation of
the correctness of the result.
You can see that the validation of the correctness of the outsourcing
calculation is a good development direction of the topic, and it has a
positive effect in people's daily life and activities.
2.2
Purpose
Public non-interactive verifiable computation framework can
publicly validate the correctness of the outsourcing calculation, which has
solved the safety problem、accuracy problem in the process of calculation
outsourcing. Under the environment of uneven distribution of resources,
making it possible to make full use of computing resources and powerful
equipment .At the same time it can reduce the waiting time of customers.
2.3
Pre-conditions
The precondition of public non-interactive verifiable computation is
that: the equipment of powerful computing resources has idle computing
resources; the equipment of weaker computing resources is in dire need
of computing resources; the results of calculation outsourcing can be
verified; the client’s processing time and verification time are less than
the time that the client process the calculation, and the time that the server
compute the calculation can't be a lot more than the time that the client
process the calculation, because it can aggravate the burden of server.
2.4
Related theories
2.4.1
The computational complexity basic
The purpose of computational complexity theory is to provide a
categorizing mechanism according to the resources needed. Generally
there are two categories : time complexity and space complexity.
Algorithm: algorithm is a computational process with some variable
as the input, and will return the calculation results in the end. The
algorithm is divided into deterministic algorithm and random algorithm.
Algorithm running time: for a specific input, the running time of the
algorithm refers to the number of atomic operations or the steps to
perform before the end.
Worst running time: the upper bound of the running time of the
algorithm for any input.
Expected running time: the average running time of algorithm for all
input of a certain scale.
The related definition:
Definition 2.1: for two functions f (x) and g (x), if there is a positive
normal number c and a positive integer xc , for all x xc , there must be
0 f ( x) cg ( x) ,then we say f ( x) O( g ( x))
Define 2.2( the negligible function ) : if a function f (x), for
arbitrary polynomial p() , there is always a natural number N, for all
x N , there must be f ( x)
1
, then the function f (x) is negligible.
p ( x)
Definition 2.3 (the non-ignorable function): in contrast to the
definition 2.2, if the function f (x) does not meet the definition 2.2, then
the function f (x) is non-ignorable.
Definition 2.4 (polynomial time algorithm): if a algorithm’s worst
running time is O(l c ) , l is the size of the input of the algorithm, c is a
constant, we says that the algorithm is polynomial time algorithm. On the
other hand, if the running time of an algorithm cannot be defined as this,
then we call it a non-polynomial time algorithm.
Usually a non-polynomial time algorithm is regarded as an invalid
algorithm, and a polynomial time algorithm is effective. If a problem
cannot be solved in polynomial time, it is a problem that can’t be solved.
Definition 2.5(Probability polynomial time algorithm): supposing
M is an algorithm, its input is a bit string x, x is the length of the string.
If M is probabilistic and there is always a polynomial p() making M stop
in at most p( x ) steps, and the number of random throwing coins of M is
always polynomial bounded, we says that M is a probability polynomial
time algorithm.
2.4.2
Bilinear pairing
G1 is a cycle additive group, its order is a big prime number q and
generating element is P (aP refers to P pluses itself for ‘a’ times). G2 is a
cycle multiplicative group, its order is also a big prime number q.
Respectively in G1 and G2, solving the discrete logarithm problem is very
difficult. Representation for the bilinear pairing function is e : G1 G1 G2 .
The bilinear pairing is determined by quintuple { p, G1 , G2 , e, g} , and for
P, Q G1 , a, b Zq* ,there are the following features:
(a)Bilinearity:
e(aP, bQ) e( P, Q) ab
e( P1 P2 , Q) e( P1 , Q)e( P2 , Q)
e( P, Q1 Q2 ) e( P, Q1 )e( P, Q2 )
(b) Non-degeneracy: If G1 ’s generating element is P, then e( P, P ) is
a generation element of G2 . In other words, e( P, P) 1 .
(c) Computability: For all P, Q G1 , there is an efficient algorithm to
calculate e( P, Q ) .
2.4.3
Three-part data authentication model
Three-part data authentication model is shown in figure 2.1.A
tripartite model consists of three entities: a credible source, multiple
untrusted responder and clients. It also contains the tripartite entity
authentication algorithm. The algorithm mainly includes operations such
as query, verify and update on the authentication data structure.
Sign(Basic)
Data source
respondents
Update
Search
Responce
Search
Request
User
Figure 2.1 three-way data authentication model
The data source side holds the right data information and it is
credible. Users only trusts the source in three entities, so the data source
should deal with data information using ADS to generate the digest value
‘Basis’, and signed on the Basis as original credentials of user
authentication. Data source also need to update the ADS in the process of
updating data .At this point, the data source updates ADS, generates new
characteristic value ‘Basis’, then sign on the new Basis, and finally sends
the updated values to all the responder.
Responders can be multiple, they save a copy of the source data and
a copy of the ADS .When the responders receive the update command
and the signature of the Basis from the data source, they update the
information and save the updated Basis. When the user sends query
requests, it uses the ADS to generate data proving information. The query
results and the signature of Basis from the source shall be returned to the
user.
The user can send query requests to the responder, and certificate the
returned result. When the system initializes, data source needs signature
on client-side validation procedures to ensure the reliability of the
certification process.
2.4.4
Polynomial expression form and decomposition
theorem
Definition 2.6 (multiple collection): S is a subset of the universal
collection U, each element in S can appear multiple times, such a
collection S is called multiple collection.
For example, {1,1, 2,3,3,3} is a multiple collection.
Definition 2.7 (element’s order of multiple collection): in a
multiple collection S, S ( x ) represent the order of the element ‘x’, the
order of an element is the number of occurrences of the element in the
multiple collection S.
For
example,
in
a
multiple
collection {a, a, b, c, c, c}
,
S (a) 2, S (b) 1, S (c) 3 , other elements’ order is 0.
Definition 2.8 (polynomial expression form): supposing S d ,n is a
collection of all n-indeterminate d-degree polynomial, f ( x1 , x2 ,..., xn ) is a
n-indeterminate d-degree function, this function can be expressed as:
f ( x1 , x2 ,..., xn )
C x
SSd ,n
S
iS
S (i )
i
Among them, CS is1the corresponding coefficient.
For
example,
2-indeterminate
f ( x1 , x2 ) x12 6 x22 9 x1 x2 8 x2 10 ,
2-degree
S2,2 {x12 , x22 , x1 x2 , x1 , x2 ,1} ,
polynomial
every
CS
corresponding to S is 1, 6,9, 0,8,10 , at the same time, the element’s order
of x12 is S (1) 2, S (2) 0 , and the order of each element can be obtained
as above. According to the definition, f ( x1 , x2 ) can be unfolded into this
form: f ( x1 , x2 ) 1 x12 x20 6 x10 x22 9 x11 x12 0 x11 x20 8 x10 x12 10 x10 x20 .
Theorem 2.1 (polynomial decomposition theorem): there is an
n-indeterminate polynomial f ( x1 , x2 ,..., xn ) that takes n random values
a1 , a2 ,..., an , calculates the function value f (a1 , a2 ,..., an ) . If and only if the
value of the polynomial is 0 at the variables a1 , a2 ,..., an the polynomial
f ( x1 , x2 ,..., xn ) f (a1 , a2 ,..., an ) can be expressed as
i[ n ]
( xi ai )qi ( x) .
3. Public
Non-interactive
Computation Framework
3.1
Verifiable
General description
Entities mainly includes: a credible algorithm publishers (algorithm
providers), multiple untrusted algorithm actors (servers) and clients.
Interaction between entities is shown in figure 3.1.
Pk,Sk
F,PK,SK
The
algorithm
publisher
The
algorithm
actor
The
algorithm:f
The signatur
of f:sig(f)
...
Client 1
Client 2
Client n
Figure 3.1 interactions between entities
The algorithm publisher provides a new algorithm to solve the actual
calculation problem in daily life, for example: polynomial calculation.
It is also responsible for releasing algorithm, generating a public/private
keys and signature values of the algorithm.
Algorithm actors can be multiple. Actors receive the algorithms and
the pair of public and private keys which the algorithm publisher sent.
When receiving the request of clients, according to the basic information
of the publisher, the actors calculate to output results and produce
evidence. Then the actors return the results and evidence to the clients.
Clients can send the calculation request to algorithm actors, and
verify the returned result of algorithm actors.
3.2 Entities
1.The algorithm publisher: after selected a specific function ‘f’, the
publisher will send the function ‘f’ to the server. It will also send the
signature sign( f ) of the particular function out and the generated public
key pk is sent to the server.
At the beginning, the publisher Sou creates a function cluster ‘F’, F
contains many functions. First according to F and secret parameters, the
publisher can obtain the public-private key pair ( pk , sk ) according to the
algorithm KeyGen . Then the publisher selects a specific function f from F,
calculates the function signature value sign( f ) by the algorithm Setup .
When the function needs to be changed, the publisher carries on an
update operation to generate the signature of a new function and send it
out to ensure the correctness of the calculation function.
2. The server: the function actors. It is responsible for calculating
for the client C . The server stores the function f , the public key pk .
When the client C
sends a variable to calculate the function, the server
Server acts the algorithm Compute to generate the results and evidence,
then returns the results and evidence to the client.
3. Client C: the delegate of calculation. It sends the computation
request to the server Server , and gets the results and evidence value from
the server. The client C can verify the calculation results returned from
the server. Because the client doesn’t receive the calculation results from
the trusted source side (the algorithm publisher), and in the network the
server is not credible, so it is reasonable to doubt the accuracy of the
calculation results from the server. After the client receive the results and
the corresponding evidence from the server, the function signature value
sign( f ) and pk from the source, verification algorithm Verify is run to
verify the correctness of the result.
3.3
Sequence diagram
The communication sequence diagram between three entities is
shown in figure 3.2.
Publisher
Server
Client
Keygen ( , F ) ( pk , sk )
Setup ( sk , pk , f ) sign ( f )
Publish( pk , sign( f ))
SourceSend( pk ,f )
UserSend(a)
Compute( pk , f , a) (r , p)
Return(a,r , p )
Verify ( pk , sign ( f ), a , r , p ) {0,1}
Update( sk , pk , sign ( f ), f ' ) sign ( f ' )
Figure 3.2 entity communication between sequence diagrams
(1)Key generation algorithm
( pk , sk ) KeyGen( , F )
The algorithm KeyGen is done by the algorithm publisher. The
algorithm has two inputs: safety parameters and function cluster F.
The security parameters is selected by the algorithm publisher, the
functions cluster F is a kind of collection saved by the algorithm actor,
and the functions of the collection can be classified as a class according
to some characteristics. Function cluster F is used to represent the
characteristics of this kind of functions. By executing the algorithm, the
publisher generates a pair of public and private key: ‘pk’ and ‘sk’. The
pair of public and private key is used in the server’s calculation algorithm,
the customer’s validation algorithm and the publisher’s function updating
algorithm.
(2)Function signature algorithm
Set up( sk , pk , f ) si gn( f )
The algorithm Setup is done by the algorithm publisher, the
algorithm has three inputs: public key pk, private key sk and function f.
The public key ‘pk’ and private key ‘sk’ is generated by the above
algorithm, the function f is a specific function selected from function
cluster F by the algorithm publisher (the client is to enter a variable to the
function to produce the required results, but the function’s calculation is
not on the client side, but on the algorithm actor).
By executing the algorithm, the algorithm publisher generates the
signature value of the function f .The input of si gn( f ) is the pair of the
public key and the private key, and the output is the signature value of the
function f. There is some basic information in the signature value of the
function f, which is used to verify the validity of the calculation results.
(3)Publish algorithm
Publ i sh( pk , si gn( f ) )
The algorithm Publ i sh which is done by the algorithm publisher,
will send the public key, the signature value of the function f output
through the clouds. It is convenient for the users to download it at any
time.
(4)Function sending algorithm
Sour ceSend( pk , f )
The algorithm Sour ceSend is done by the algorithm publisher, it is
used to send both the public key from the algorithm publisher and the
function f selected from the function cluster F to the algorithm actor.
(5)Variable sending algorithm
User Send( a)
The algorithm User Send is done by the client. The client will send
the computation variable ‘a’ to the algorithm actor to get f(a);
(6)Computation algorithm
Comput e( pk , f , a) ( r , p )
The algorithm Comput e is done by the algorithm actor. Its inputs are
the public key in the key generation algorithm, the selected specific
function f in the initialization algorithm and the computation variable ‘a’
from the client, and its output is the result r f (a ) and the evidence p
which the client needs.
(7)Return algorithm
Ret ur n(a, r , p )
The algorithm Ret ur n which is done by the algorithm actor, is used
to send the result and the evidence information from the algorithm actor
to the client.
(8)Verify algorithm
Ver i f y( pk , si gn( f ) , a, r , p ) { 0, 1}
The algorithm Ver i f y is done by the client, its inputs are the public
key from (3.3.1), the signature value sign( f ) from (3.3.2), the
computation variable ‘a’ from (3.3.5), the result r f (a ) and the
evidence ‘p’ from (3.3.6). The output is 1 or 0: 1 represents the result is
right, that is to say the result from the algorithm actor is credible, 0
represents errors, and the result is not trusted.
(9)Update algorithm
Updat e( sk , pk , si gn( f ) , f ' ) si gn( f ' )
The algorithm Update is done by the algorithm publisher. When the
algorithm of the publisher needs to be changed, the publisher will update
the algorithm and the signature of the algorithm .Its inputs are the pair of
the public key and the private key from (3.3.1), the signature value from
(3.3.2), a specific function selected from the function cluster, it’s output is
a new function signature value.
4. An Example
According to the framework described above, we build a public
non-interactive verifiable computation system about the polynomial
function. In the system, by using the property of the bilinear pairing
function and the polynomial, we realize multivariate polynomial’s
calculation, and can validate the correction of the result. The scheme
includes three entities, including algorithm publishers, algorithm actors
and clients. As shown above section three.
Pk,Sk
F,PK,SK
The
algorithm
publisher
The
algorithm
actor
The
algorithm:f
The signatur
of f:sig(f)
...
Client 1
Client 2
Client n
Figure 4.1 polynomial outsourcing calculation scheme
Algorithm publisher: provide polynomial calculation algorithms and
generate public and private keys, the signature of polynomial calculation
algorithm. Polynomial algorithm actor: calculate polynomial and generate
the necessary evidence. Clients: send the request of calculation and
validate the returned results.
In the implementation of the system, our F is: one-indeterminate
nine-degree polynomial clusters, the function selected from F is:
f 2x 2 x 1
Each algorithm implementation is as follows.
(1)Key generation algorithm
( pk , sk ) KeyGen( , F )
The algorithm is performed by algorithm publishers.
Supposing the function cluster F is a collection of n- indeterminate
d-degree polynomial function. First, the algorithm KeyGen generates a
-bit prime p by calling the random algorithm, and then generates a p
-order specific bilinear group and a bilinear mapping function
e : G G GT by calling the generating algorithm of bilinear group.
And then the publisher selects a generator g from the group G and n
random values [t1, t2 ,..., tn ] Z pn .Then it calculates the signature generating
set Wn ,d
using
Wn,d {g iS i
tS (i )
Wn , d is
generated
elements.
The
structure
of
Wn , d
is
: S Sn,d } .What’s more, the number of elements in
, when F is determined, the size of W
nd
n ,d
n
is also determined.
For example, the number of elements of 2-indeterminate 3-degree
polynomial function set’s signature generating set is ten, they are
2
2
3
3
t 2t
2
g , g t1 , g t2 , g t1 , g t2 , g t1t2 , g t1 , g t2 , g 1 2 , g t1t2 .
The public key pk from key generation algorithm includes five
parts, g ,Wn,d , G, GT , e , respectively. The private key generated only
includes n random values [t1 , t2 ,..., tn ] .
In the implementation of the system, because it is one- indeterminate,
so we choose the private key SK: t = 2 .Because we choose F: 1-yuan 9-ci
polynomial
cluster,
2
3
so
4
5
the
6
7
public
8
key
is:
9
W1,9 { g, gt , gt , gt , gt , gt , gt , gt , gt , gt } ,Bringing in t=2, the
final
public
key
becomes:
W1,9 { g, g2, g4 , g8 , g16 , g32, g64 , g128 , g256 , g512}
(2)Function signature algorithm
sign( f ) Setup( sk , pk , f )
The algorithm is performed by algorithm publishers.
Supposing
the
function
f (t ) Z p [t1 , t2 ,..., tn ]
represent
a
n-
indeterminate polynomial function, including k items, the power of each
item is no more than d, each item is represented by multiple collection
S1 , S2 ,..., Sk , for i 1, 2,..., k , Si S n ,d , each corresponding coefficient is
represented as c1 , c2 ,..., ck . In this algorithm, by using the signature
generating set Wn ,d and the detailed parameters of the elliptic curve in pk,
we can calculate the signature of the polynomial value:
sign( f ) g f ( t ) ( g
xS1 tiS1 ( i )
)c1 ( g
xS2 tiS2 ( i )
)c2 ... ( g
xSk tiSk ( i )
)ck (4.1)
The algorithm’s output is the algorithm signature value sign( f ) of
the function f (t ) . From (4.1) we can see, when we calculate the function
signature value, we take either pk or sk, combined with f, we can get
sign( f ) . But it is more convenient to use sk. Thus it can be seen that the
server which has got pk can completely create a n-indeterminate d-degree
polynomial function h. And in the scheme we have supposed that the
power of server is so strong that the server can get sign(h) using pk after
a series of complicated calculation to cheat the client. So in this design
scheme, the signature value of the function is not transmitted to the client
by the server, which can avoid the above question.
In this scheme, the signature of the function f of the algorithm
publisher is as follows:
Si gn( f ) g f ( t ) g 2t
2
t 1
g 11
(3)Publish algorithm
Publ i sh( pk , si gn( f ) )
Algorithm Publ i sh is done by the algorithm publisher. It will send
the public key g ,Wn,d , G, GT , e from the algorithm publisher and the
signature value sign( f ) of the function f:
sign( f ) g f ( t ) ( g
xS1 tiS1 ( i )
)c1 ( g
xS2 tiS2 ( i )
)c2 ... ( g
xSk tiSk ( i )
)ck
out by the cloud. So it is convenient for the client to download.
In this scheme, it is to send the pk and Sign (f) out for being
downloaded by the client.
(4)Function sending algorithm
Sour ceSend( pk , f )
Algorithm Sour ceSend is done by the algorithm publisher, it is used
to send the public key pk g ,Wn,d , G, GT , e which is from algorithm
publisher and the function f which isselected from the function cluster to
algorithm actor.
In the system implementation in this paper, the publisher will put
the pk and f on the server.
(5)Variable sending algorithm
User Send( a)
Algorithm User Send is done by the client. The client will send the
calculation variable a to the algorithm executive.
In this scheme, ‘a’ can be literally token, such as we take a = 1.
(6)Computation algorithm
(r , p) Compute( pk , f , a )
The algorithm firstly calculate r f (a ) . Polynomial function
evaluation is very simple, we don’t talk here. The next is the detailed
description on how to generate detailed evidence.
If the function results is calculated correctly, then according to the
theorem 2.1, we can find out n polynomials q1 ( x), q2 ( x),..., qn ( x) , which
can be used to get the form of a polynomial decomposition
f ( x) r
( x a )q ( x) .
i[ n ]
i
i
i
After that it is the generation of evidence, the evidence p consists
of n elements p1 , p2 ,..., pn , the above n polynomials constitute every
element of the evidence p , and an arbitrary element can be calculated in
the form pi g q ( t ) .
i
The same as the function signature algorithm shown in (4.1), we can
use the public key to calculate each pi , which can be combined to get the
evidence. By the design of the elliptic curve algorithm, we can know that
every element of the evidence is a point on the elliptic curve.
According to the steps described above, the algorithm generates the
result of the polynomial function and the evidence which is used to verify
the correctness of the result.
In this scheme, the server calculates the function according to the user's
request f ( a) v 2a a 1 4
2
Then polynomial decomposition: f ( x) 4 ( x 1) ( 2x 3)
The evidence: w g
2t 3
( gt )2 * ( g)3 g 7 .
(7)Return algorithm
Ret ur n(a, r , p )
Algorithm Ret ur n is done by the algorithm executor. It is used to
send the result and the evidence information from the algorithm executor
to the client.
(8)Verify algorithm
(0,1) Verify( pk , sign( f ), a, r , p)
The algorithm is performed by the user.
To test whether the results is actually the correct polynomial value of
the corresponding variable a, we can validate the correctness of the result
using the evidence collection p [ p1 , p2 ,..., pn ] , pk , the function signature
value sign( f ) , r, the variable a, bilinear pairing function’s bilinear property.
The algorithm is based on the following equation test the correction of the
result:
?
n
e( sign( f ) g r , g ) e( g ti ai , pi )
(4.2)
i 1
In (4.2), g t reads the corresponding element from Wn ,d in pk , the
i
function signature value sign( f ) is g f ( t ) . By bilinear properties of the
bilinear pairing function we can see (4.2) can be converted into
authentication
?
n
f (t ) r ti ai qi (t ) (4.3)
i 1
According to polynomial decomposition of the step (3), we can know
the conditions of the equation (4.3) are the correct execution of
polynomial division. If (4.3) is established, then the algorithm accepts r as
a result, and the output is 1. Or else the algorithm refused the result and
the output is 1.
In the implementation of the system in this scheme, the returned
result of the server is f (x) = 4, the validation process of the client is as
follows:
Calculate and verify the equation:
v
?
e( FK( f ) g , g) e( gt a , w) :
?
4
21
that is: e( g * g , g) e( g
11
?
, g7 )
that is: e( g , g) e( g , g ) e( g, g)
7
1
7
g6
e( g, g)g
6
By verifying the equation, we can verify that the execution of the
server is correct. Or we will refuse to accept the results.
(9)Update algorithm
sign( f ') Update( sk , pk , sign( f ), f ')
The algorithm is done by the algorithm publisher.
In this algorithm, f represents the current polynomial calculation
function, f ' represents the new polynomial calculation function. In the
process of updating, we can assume that the difference between these two
functions is only one factor, corresponding to S, which’s coefficient are
CS and CS ' respectively. The point corresponded to S can be got from
Wn , d in pk, if the signature value of the current function is sign( f ) , the
calculation procedure of the algorithm are as follows:
sign( f ') sign( f ) g
( c 'S cS )
iS tiS ( i ) (4.4)
Then sign( f ) is updated to sign( f ') and the new function signature
value is outputted.
We can see from the computational process, if the difference between
the new function and the old function is only a few coefficients, so it can
be calculated as this. If there is a lot of different coefficients, the signature
value of the new function can be calculated using the algorithm Update . If
the computing power of the source is very strong, then we can use the
algorithm Update , for the reason that the program's purpose is to reduce
the burden of the client, but not the computational complexity of the
source.
5. Appendix: related symbols
meaning
symbol
C
client
secret parameters
F
function cluster
a
the calculation variable
r
the result of the function
p
the evidence of the correctness
sk
the private key of the function
cluster
pk
the public key of the function
cluster
f
the
function
selected
from
the
function cluster
Sou
the source
Ser
the server
KeyGen
key generation algorithm
Setup
function
signature
generation
algorithm
sign( f )
the
signature
of
the
specific
function
Compute
the function calculation algorithm
Verify
the authentication algorithm
of
query result
Update
the
function
signature
updating
algorithm
Publish
publish the information
0
{0,1}
represents
the
correction,
represents the errors
1
© Copyright 2026 Paperzz