Revocation in Publicly Verifiable Outsourced Computation

Abstract

The combination of software-as-a-service and the increasing use of mobile devices gives rise to a considerable difference in computational power between servers and clients. Thus, there is a desire for clients to outsource the evaluation of complex functions to an external server. Servers providing such a service may be rewarded per computation, and as such have an incentive to cheat by returning garbage rather than devoting resources and time to compute a valid result.

In this work, we introduce the notion of Revocable Publicly Verifiable Computation (RPVC), where a cheating server is revoked and may not perform future computations (thus incurring a financial penalty). We introduce a Key Distribution Center (KDC) to efficiently handle the generation and distribution of the keys required to support RPVC. The KDC is an authority over entities in the system and enables revocation. We also introduce a notion of blind verification such that results are verifiable (and hence servers can be rewarded or punished) without learning the value. We present a rigorous definitional framework, define a number of new security models and present a construction of such a scheme built upon Key-Policy Attribute-based Encryption.

J. Alderman acknowledges support from BAE Systems Advanced Technology Centre under a CASE Award.

C. Cid—This research was partially sponsored by US Army Research laboratory and the UK Ministry of Defence under Agreement Number W911NF-06-3-0001. The views and conclusions contained in this document are those of the authors and should not be interpreted as representing the official policies, either expressed or implied, of the US Army Research Laboratory, the U.S. Government, the UK Ministry of Defence, or the UK Government. The US and UK Governments are authorized to reproduce and distribute reprints for Government purposes notwithstanding any copyright notation hereon.

A PVC Using KP-ABE

Parno et al. [10] provide a instantiation using Key-policy Attribute-based Encryption ⁷ (KP-ABE) [8], for Boolean functions. Define a universe \({\mathcal {U}}\) of \(n\) attributes and associate \(V \subseteq {\mathcal {U}}\) with a binary \(n\)-tuple (the characteristic tuple of \(V\)) where the \(i\)th place is \(1\) if and only if the \(i\)th attribute is in \(V\). Thus, there is a natural one-to-one correspondence between \(n\)-tuples and attribute sets; we write \(A_x\) to denote the set associated with \(x\). A function \(F\!\! : \{0,1\}^n \rightarrow \{0,1\}\) is monotonic if \(x \leqslant y\) implies \(F(x) \leqslant F(y)\), where \(x = (x_1,\dots ,x_n)\) is less than or equal to \(y = (y_1,\dots ,y_n)\) if and only if \(\forall i, x_i \leqslant y_i\). For a monotonic F, the set \(\mathbb {A}_F = \{x \in \{0,1\}^n : F(x) = 1\}\) defines a monotonic access structure. Informally, for a Boolean function \(F\), the client generates a private key \(SK_{\mathbb {A}_F}\) using the KeyGen algorithm.

Given an input \(x\), a client encrypts a random message \(m\) “with” \(A_x\) using the Encrypt algorithm and publishes \(VK_{F,x} = g(m)\) where \(g\) is a suitable one-way function (e.g. a pre-image resistant hash function). The server decrypts the message using the Decrypt algorithm, which will either return \(m\) (when \(F(x) = 1\)) or \(\bot \).

The server returns \(m\) to the client. Any client can test whether the value returned by the server is equal to \(g(m)\). Note, however, that a “rational” malicious server will always return \(\bot \), since returning any other value will (with high probability) result in the verification algorithm returning a reject decision. Thus, it is necessary to have the server compute both \(F\) and its “complement” (and for both outputs to be verified).

Note that, to compute the private key \(SK_{\mathbb {A}_F}\), it is necessary to identify all minimal elements \(x\) of \(\{0,1\}^n\) such that \(F(x) = 1\). There may be exponentially many such \(x\). Thus, the initial phase is indeed computationally expensive for the client. Note also that the client may generate different private keys to enable the evaluation of different functions.