CN106921491B - Safe and efficient outsourcing calculation implementation method and system - Google Patents


Publication number
CN106921491B
Authority
CN
China
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Expired - Fee Related
Application number
CN201710086781.4A
Other languages
Chinese (zh)
Other versions
CN106921491A (en
Inventor
李佩丽
徐海霞
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Institute of Information Engineering of CAS
Original Assignee
Institute of Information Engineering of CAS

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0816 Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
    • H04L9/0819 Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s)
    • H04L9/0825 Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s) using asymmetric-key encryption or public key infrastructure [PKI], e.g. key signature or public key certificates
    • H04L9/0861 Generation of secret information including derivation or calculation of cryptographic keys or passwords
    • H04L9/0869 Generation of secret information including derivation or calculation of cryptographic keys or passwords involving random numbers or seeds
    • H04L9/30 Public key, i.e. encryption algorithm being computationally infeasible to invert or user's encryption keys not requiring secrecy

Abstract

The invention relates to a safe and efficient outsourcing calculation implementation method and system. The method comprises the following steps: 1) the client generates two independent public and private key pairs by using a functional encryption scheme; 2) the client sends the private keys of the two key pairs, together with a function related to the outsourced computation function, to the two servers respectively; 3) each of the two servers generates the decryption key corresponding to the function and sends the result to the other server; 4) the client encrypts the message and random numbers under the public keys of the two key pairs and sends the ciphertexts to the two servers respectively; 5) each of the two servers decrypts its ciphertext with the decryption key and returns the calculation result to the client; 6) the client verifies the calculation results returned by the two servers; if the results pass verification, the client obtains the value of the outsourced computation function, and if they do not, the client rejects. The invention can improve the overall efficiency of the outsourcing computation protocol, reduce the computation of the servers while reducing the computation of the client, and can detect which server is malicious.

Description

Safe and efficient outsourcing calculation implementation method and system
Technical Field
The invention belongs to the technical field of information security and relates to the design of an outsourcing computation protocol, in particular to a method and a system for realizing secure outsourcing computation based on a functional encryption scheme, which can ensure both the security and the overall efficiency of protocol execution.
Background
With the development of cloud computing, outsourcing computation is more and more widely applied. Outsourcing computation means that a client with weak computing power sends a computing task to an external server, which completes the computation on the client's behalf and returns the result to the client. The design of an outsourcing computation protocol must satisfy three main properties: correctness, security and efficiency. Correctness means that the result obtained when the server executes the protocol honestly passes verification when returned to the client; security means that if the server returns an incorrect result, the client's verification fails and the client refuses to accept it; efficiency means that the client's computation is far less than that of computing the function directly, since otherwise outsourcing the computation is pointless. In addition, the confidentiality of the client's data needs to be considered, since in some scenarios the client may not want the server to learn its outsourced data.
In the outsourced computing scenario, because the server is not necessarily honest, the client needs to verify the correctness (or reliability) of the results returned by the server. Interactive proofs can be used to let the server prove to the client that its computation results are correct. Argument systems based on probabilistically checkable proofs can be used to implement efficient outsourcing computation schemes. Micali proposed a non-interactive outsourcing computation scheme in the random oracle model in the paper "CS proofs". Goldwasser S, Lin H and Rubinstein A, in the article "Delegation of Computation without Rejection Problem from Designated Verifier CS-Proofs", designed a non-interactive proof system for arbitrary polynomial-time computable functions; outsourcing computation schemes designed with it keep the client's computation efficient. However, the above work is concerned only with the reliability of the results returned by the server and does not consider the confidentiality of the client's outsourced data. Much subsequent work has studied outsourcing computation.
Outsourcing computation can be divided into outsourcing computation for specific functions and outsourcing computation for general functions. For specific functions, because the structure of the function is clear, an efficient and secure outsourcing computation protocol is easy to design, and there are many excellent results in this area. Designing an outsourcing computation protocol for general functions that also satisfies confidentiality was long a difficult problem. It was not until Gentry's fully homomorphic encryption scheme was introduced in 2009 that the existence of a confidentiality-preserving outsourcing computation protocol for general functions was settled in theory.
In the article "Non-Interactive Verifiable Computing: Outsourcing Computation to Untrusted Workers" by Gennaro R, Gentry C and Parno B, the authors implement an outsourcing computation protocol for general functions using a fully homomorphic encryption scheme and Yao's garbled circuit. Fully homomorphic encryption solves the problem that a garbled circuit cannot be reused across outsourced computations. The protocol is divided into an offline stage and an online stage: in the offline stage, the client performs a preprocessing computation and publicly transmits part of the computed information to the server; in the online stage, the client sends an encoding of the outsourced data to the server, the server performs the computation and returns the result, and finally the client verifies and recovers the result. In this scheme, the client's outsourced data, function and computation results are kept secret from the server, and the client can verify the reliability of the results returned by the server by using the labels of the garbled circuit. By running the online phase multiple times, the client's computation is efficient in an average sense. Subsequently, in the paper "Improved Delegation of Computation Using Fully Homomorphic Encryption" by Chung K M, Kalai Y and Vadhan S, the authors used a fully homomorphic encryption scheme to design a new outsourcing computation protocol for general functions based on the indistinguishability of ciphertexts. Like the work of Gennaro et al., the scheme of Chung et al. is divided into an offline phase and an online phase, although the client does not need to send any data to the server during the offline phase. Similarly, the client's computation is efficient only in an average sense.
Considering that the preprocessing of the two schemes requires a large amount of computation and that fully homomorphic encryption is not efficient at present, Ananth P, Chandran N et al., in the paper "Achieving Privacy in Verifiable Computation with Multiple Servers – Without FHE and without Pre-processing", study an outsourcing computation protocol without preprocessing and without fully homomorphic encryption, in which multiple servers (N ≥ 2) cooperatively complete the client's computing task. The basic idea is that the preprocessing operation in the work of Gennaro et al. (the generation of the garbled circuit) is also handed to the servers, and the last server is responsible for completing the function computation. Their approach reduces the computational load on the client, but the servers need to regenerate the garbled circuit each time an outsourced computation is performed. This is because the garbled circuit cannot be directly reused; otherwise the reliability and confidentiality of the outsourcing protocol would be compromised. The repeated generation of the garbled circuit increases the computational cost on the server side, which in turn increases the cost borne by the client.
From the current research work, the main problem facing outsourcing computation for general functions today is still the efficiency problem.
Disclosure of Invention
The existing secure outsourcing computation protocols for general functions have the disadvantage that either the client's computation is efficient only in an average sense, or the server's computation is inefficient (a garbled circuit must be generated each time the protocol is executed). To improve the overall efficiency of the outsourcing computation protocol, the invention designs an outsourcing computation protocol based on a functional encryption scheme, which reduces the computation of the servers while also reducing the computation of the client.
In order to achieve the purpose, the invention adopts the following technical scheme:
A safe and efficient outsourcing computation implementation method comprises the following steps:
1) the client generates two independent public and private key pairs by using a functional encryption scheme;
2) the client sends the private keys of the two key pairs, together with a function related to the outsourced computation function, to the two servers respectively;
3) each of the two servers generates the decryption key corresponding to the function and sends the result to the other server;
4) the client encrypts the message and random numbers under the public keys of the two key pairs and sends the ciphertexts to the two servers respectively;
5) each of the two servers decrypts its ciphertext with the decryption key and returns the calculation result to the client;
6) the client verifies the calculation results returned by the two servers; if the results pass verification, the client obtains the value of the outsourced computation function, and if they do not, the client rejects.
Specifically, the outsourcing computation protocol of the present invention involves a client (denoted by D) and two servers (S_1, S_2); the outsourced computation function is f and the input is x. It is assumed that at least one of the servers is semi-honest ("semi-honest" here means that the party executes the protocol truthfully; it may record intermediate results and try to deduce useful information, but cannot modify intermediate results). The protocol proceeds as follows:
(1) the client uses a functional encryption scheme to generate two independent public and private key pairs (MPK_1, MSK_1), (MPK_2, MSK_2), and defines a function g related to the function f: the input to g is a triple (x, s_1, s_2); if f(x) is equal to 0, g outputs s_1; if f(x) is equal to 1, g outputs s_2; otherwise it aborts;
(2) the client sends MSK_1 and the function g to the first server S_1;
(3) the client sends MSK_2 and the function g to the second server S_2;
(4) server S_1 uses the key generation algorithm of the functional encryption scheme to generate the decryption key SK_1g corresponding to the function g, and sends SK_1g to server S_2;
(5) server S_2 uses the key generation algorithm of the functional encryption scheme to generate the decryption key SK_2g corresponding to the function g, and sends SK_2g to server S_1;
(6) on input x, the client selects random numbers r_1, r_2, r_3, r_4;
(7) the client encrypts (x, r_1, r_2) under the public key MPK_1 of the functional encryption scheme to obtain a ciphertext C_1 and sends it to server S_2;
(8) the client encrypts (x, r_3, r_4) under the public key MPK_2 of the functional encryption scheme to obtain a ciphertext C_2 and sends it to server S_1;
(9) server S_2 decrypts C_1 with the private key SK_1g to obtain a result z_1 and returns z_1 to the client;
(10) server S_1 decrypts C_2 with the private key SK_2g to obtain a result z_2 and returns z_2 to the client;
(11) the client verifies the values returned by the two servers: if both returned values pass verification against the random numbers and the corresponding function values are equal, the client accepts and obtains f(x); otherwise the client rejects.
A safe and efficient outsourcing computation implementation system comprises a client and two servers. The client generates two independent public and private key pairs by using a functional encryption scheme and sends the private keys of the two key pairs, together with a function related to the outsourced computation function, to the two servers respectively; each of the two servers generates the decryption key corresponding to the function and sends the result to the other server; the client encrypts a message and random numbers under the public keys of the two key pairs and sends the ciphertexts to the two servers respectively; each of the two servers decrypts its ciphertext with the decryption key and returns the calculation result to the client; the client verifies the calculation results returned by the two servers, and if the results pass verification it obtains the value of the outsourced computation function, while if they do not it rejects.
Compared with the prior art, the client's computation consists only of generating the master keys, generating the ciphertexts and a simple comparison for verification, and is independent of the outsourced function f; the servers generate the decryption key corresponding to the function g when the protocol is first executed, never need to generate it again, and afterwards only need to evaluate the function (efficiency). By using functional encryption, the client's data x is kept confidential from both servers (S_1, S_2) (confidentiality). By introducing two secret random numbers when the input x is encrypted, the client can verify the results finally returned by the servers (reliability of results). The invention therefore provides a method for designing an outsourcing computation protocol that is efficient overall and secure.
Drawings
Fig. 1 is a schematic diagram of the initial preparation phase of the protocol of the present invention. In the initial phase of the protocol, the client sends the two generated master private keys and the function to the two servers respectively (the channels are assumed to be secret channels), and each of the two servers generates the decryption key corresponding to the function and sends the result to the other server.
FIG. 2 is a schematic diagram of the execution phase of the outsourcing computation protocol of the present invention. In the execution phase, the client encrypts the message and random numbers under two different public keys and sends the ciphertexts to the two servers respectively. After a server finishes its computation, it returns the result to the client. The client verifies the results; if verification passes it obtains the function value, and otherwise it rejects.
FIG. 3 is a schematic diagram of the preliminary phase of an alternate protocol for outsourcing computations of the present invention.
FIG. 4 is a schematic diagram of the authentication operation of an alternate protocol to the outsourced computing protocol of the present invention.
Detailed Description
In order to make the aforementioned objects, features and advantages of the present invention comprehensible, embodiments accompanied with figures are described in detail below.
A functional encryption scheme is a fine-grained encryption scheme in which a decryptor holding a decryption key can obtain a function value of the plaintext but learns no other information about the plaintext. This feature is well suited to outsourcing computation, since the client wants the server to complete the computation but does not want to leak the value of the outsourced data x.
Functional encryption means that a decrypting party holding a ciphertext C of a message x and a decryption key SK_f corresponding to a function f can obtain by decryption only the function value f(x) of the message, and learns nothing else about x. The functional encryption algorithm is defined as follows:
The functional encryption algorithm FE = {Setup, KeyGen, Enc, Dec}
Setup(1^k): takes a security parameter k as input and outputs a public and private key pair (MPK, MSK).
KeyGen(MSK, f): takes the master private key MSK and a function f as input and outputs the corresponding key SK_f.
Enc(MPK, x): the encryption algorithm takes the public key MPK and a message x as input and outputs a ciphertext c.
Dec(SK_f, c): the decryption algorithm takes the key SK_f and a ciphertext c as input and outputs f(x).
One straightforward idea is for the client to use the master private key to generate the private key SK_f corresponding to the function f, send the ciphertext of x together with SK_f to the server, have the server perform the decryption operation, and have it return f(x) to the client. However, in this protocol the amount of computation the client spends generating the private key SK_f is comparable to that of computing the function f, so the client is not efficient.
To reduce the client's computation, we consider handing the task of computing SK_f to one server and then letting the other server complete the outsourced computation task. We assume that at least one server is semi-honest, and we have both servers take part in the computation in order to guarantee the reliability of the computation results. The specific idea is to construct a new function g whose input is the outsourced data x and two random numbers s_1, s_2; if f(x) is equal to 0, g outputs s_1, and if f(x) is equal to 1, g outputs s_2. Malicious behavior of a server is resisted in this way.
In the protocol, the client is denoted D, the two servers are denoted (S_1, S_2), the outsourced computation function is f, and the outsourced data is x. The client needs to outsource the task of computing f(x) to the two servers. It is assumed that at least one server in the protocol is semi-honest.
The preliminary stage of the protocol execution is shown in fig. 1, the protocol execution stage is shown in fig. 2, and the specific process is as follows:
1) The client executes the Setup algorithm of the functional encryption scheme twice and outputs two public and private key pairs (MPK_1, MSK_1), (MPK_2, MSK_2). It defines a function g related to the function f: the input to g is a triple (x, r_1, r_2); if f(x) = 0, g outputs r_1, and if f(x) = 1, g outputs r_2.
2) The client sends MSK_1 and the function g to the first server S_1. Here we assume that the channel is a secret channel; for example, the client can encrypt the message (MSK_1, g) under server S_1's public key and then send it to S_1.
3) The client sends MSK_2 and the function g to the second server S_2.
4) Server S_1 runs the key generation algorithm KeyGen of the functional encryption scheme on input (MSK_1, g) and outputs the decryption key SK_1g corresponding to the function g. Server S_1 sends SK_1g to server S_2.
5) Server S_2 runs the key generation algorithm KeyGen of the functional encryption scheme on input (MSK_2, g) and outputs the decryption key SK_2g corresponding to the function g. Server S_2 sends SK_2g to server S_1.
6) The client selects four random numbers r_1, r_2, r_3, r_4.
7) The client encrypts (x, r_1, r_2) under the public key MPK_1 of the functional encryption scheme to obtain a ciphertext C_1 and sends C_1 to server S_2.
8) The client encrypts (x, r_3, r_4) under the public key MPK_2 of the functional encryption scheme to obtain a ciphertext C_2 and sends C_2 to server S_1.
9) Server S_2 decrypts C_1 with the private key SK_1g to obtain a result z_1 and returns z_1 to the client.
10) Server S_1 decrypts C_2 with the private key SK_2g to obtain a result z_2 and returns z_2 to the client.
11) The client verifies the values returned by both servers: it checks whether z_1 equals r_1 or r_2 and whether z_2 equals r_3 or r_4. If z_1 = r_1 and z_2 = r_3, the client outputs f(x) = 0; if z_1 = r_2 and z_2 = r_4, the client outputs f(x) = 1; otherwise the client rejects.
The invention uses a functional encryption scheme and a two-server outsourcing computation model, thereby keeping the outsourced data confidential and greatly reducing the client's computation (which is independent of the function f). Because the decryption key of the functional encryption algorithm can be reused, the servers need to generate the decryption key for the function only once and afterwards only need to perform decryption operations. In addition, to ensure the correctness of the computation result, the invention introduces two secret random numbers into the input so that the client can verify the results returned by the servers. The outsourcing computation protocol designed by the invention therefore meets the requirements of confidentiality, security and overall efficiency.
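The message flow of steps 1) to 11) can be exercised end to end with a simulation. The following Python sketch is an added example, not code from the patent: the `fe_*` functions are only an interface stand-in for Setup/KeyGen/Enc/Dec with no cryptographic protection, and the sample predicate `f`, the hook parameters `s1_key_func` and `s2_reply`, and all other names are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

# --- Interface stand-in for FE = {Setup, KeyGen, Enc, Dec} (assumption) ---
# It mimics an ideal functionality: Dec yields func(message) and nothing
# else. It is NOT encryption and protects nothing outside this simulation.

def fe_setup():
    msk = secrets.token_bytes(32)
    return hashlib.sha256(msk).hexdigest(), msk        # (MPK, MSK)

def fe_keygen(msk, func):
    return {"mpk": hashlib.sha256(msk).hexdigest(), "func": func}

def fe_enc(mpk, message):
    return {"mpk": mpk, "msg": message}

def fe_dec(sk, ct):
    if sk["mpk"] != ct["mpk"]:
        raise ValueError("key and ciphertext belong to different key pairs")
    return sk["func"](ct["msg"])

def make_g(f):
    """Build g from f: g(x, s1, s2) = s1 if f(x) == 0, s2 if f(x) == 1."""
    def g(triple):
        x, s1, s2 = triple
        y = f(x)
        if y == 0:
            return s1
        if y == 1:
            return s2
        raise ValueError("f(x) must be 0 or 1")
    return g

def client_verify(z1, z2, r1, r2, r3, r4):
    """Step 11: return f(x) as 0 or 1, or None to reject."""
    def eq(a, b):
        return isinstance(a, bytes) and hmac.compare_digest(a, b)
    if eq(z1, r1) and eq(z2, r3):
        return 0
    if eq(z1, r2) and eq(z2, r4):
        return 1
    return None

def run_protocol(f, x, s1_key_func=None, s2_reply=None):
    """One protocol run. The two hooks model a misbehaving server:
    s1_key_func -- function S_1 issues its key for instead of g
    s2_reply    -- callable that replaces the value S_2 returns
    """
    # 1) client: two independent key pairs and the function g
    mpk1, msk1 = fe_setup()
    mpk2, msk2 = fe_setup()
    g = make_g(f)
    # 2)-5) each server derives a key from its MSK and hands it to the peer
    sk1g = fe_keygen(msk1, s1_key_func or g)   # made by S_1, used by S_2
    sk2g = fe_keygen(msk2, g)                  # made by S_2, used by S_1
    # 6) fresh secret random numbers for this run
    r1, r2, r3, r4 = (secrets.token_bytes(16) for _ in range(4))
    # 7)-8) ciphertexts are crossed: C_1 goes to S_2, C_2 goes to S_1
    c1 = fe_enc(mpk1, (x, r1, r2))
    c2 = fe_enc(mpk2, (x, r3, r4))
    # 9)-10) servers decrypt and answer
    z1 = fe_dec(sk1g, c1)
    if s2_reply is not None:
        z1 = s2_reply(z1)
    z2 = fe_dec(sk2g, c2)
    # 11) client-side check
    return client_verify(z1, z2, r1, r2, r3, r4)

def f(x):
    """Constructed sample predicate: does the sum of the inputs exceed 100?"""
    return int(sum(x) > 100)

def demo():
    flipped_g = make_g(lambda x: 1 - f(x))
    return {
        "honest_low": run_protocol(f, [1, 2]),
        "honest_high": run_protocol(f, [60, 50]),
        "s2_forges_reply": run_protocol(
            f, [1, 2], s2_reply=lambda z: secrets.token_bytes(16)),
        "s1_issues_wrong_key": run_protocol(f, [1, 2], s1_key_func=flipped_g),
    }

if __name__ == "__main__":
    print(demo())
```

In the last case S_1's key makes S_2 return r_2, but S_1 itself can only obtain r_3 from C_2, so the two answers disagree and the client rejects.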
Table 1 below compares the amount of computation of the present invention with that of the prior art. Compared with the prior art, the invention reduces the computation of the server and achieves an outsourcing computation protocol that is efficient overall and secure, while keeping the client's computation low.
TABLE 1 Comparison of the amount of computation of the present invention with that of the prior art

| Work | Client computation | Server computation |
|---|---|---|
| Gennaro et al. [GGP10] | Related to f; efficient in an average sense | Computes function f |
| Chung et al. [CKV10] | Related to f; efficient in an average sense | Computes 2k functions f |
| Ananth et al. [ACG+14] | Independent of f | Computes a garbled circuit and the function f |
| The invention | Independent of f | In an average sense: computes function f |
The invention provides a secure outsourcing computation method in which the client can verify by a comparison operation whether a returned result is correct. On this basis, if the client also wishes to know which server is malicious, the following alternative protocol may be employed. The preliminary phase of the alternative protocol is shown in fig. 3; the computation phase is still as shown in fig. 2; and a further verification operation is added at the end, as shown in fig. 4. The specific procedure of the alternative protocol is as follows:
1) The client executes the Setup algorithm of the functional encryption scheme twice and outputs two public and private key pairs (MPK_1, MSK_1), (MPK_2, MSK_2). It defines a function g related to the function f: the input to g is a triple (x, r_1, r_2); if f(x) = 0, g outputs r_1, and if f(x) = 1, g outputs r_2.
2) The client sends MSK_1 and the function g to the first server S_1. Here we assume that the channel is a secret channel; for example, the client can encrypt the message (MSK_1, g) under server S_1's public key and then send it to S_1.
3) The client sends MSK_2 and the function g to the second server S_2.
4) Server S_1 runs the key generation algorithm KeyGen of the functional encryption scheme on input (MSK_1, g) and outputs the decryption key SK_1g corresponding to the function g. Server S_1 sends SK_1g to server S_2.
5) Server S_2 runs the key generation algorithm KeyGen of the functional encryption scheme on input (MSK_2, g) and outputs the decryption key SK_2g corresponding to the function g. Server S_2 sends SK_2g to server S_1.
6) Server S_1 computes the hash values H(SK_1g), H(SK_2g) and sends them to the client.
7) Server S_2 computes the hash values H(SK_1g), H(SK_2g) and sends them to the client.
8) The client verifies whether the hash values returned by the two servers are correspondingly equal; if so, it continues, otherwise it stops.
9) The client selects four random numbers r_1, r_2, r_3, r_4.
10) The client encrypts (x, r_1, r_2) under the public key MPK_1 of the functional encryption scheme to obtain a ciphertext C_1 and sends C_1 to server S_2.
11) The client encrypts (x, r_3, r_4) under the public key MPK_2 of the functional encryption scheme to obtain a ciphertext C_2 and sends C_2 to server S_1.
12) Server S_2 decrypts C_1 with the private key SK_1g to obtain a result z_1 and returns z_1 to the client.
13) Server S_1 decrypts C_2 with the private key SK_2g to obtain a result z_2 and returns z_2 to the client.
14) The client verifies the values returned by both servers: it checks whether z_1 equals r_1 or r_2 and whether z_2 equals r_3 or r_4. If z_1 = r_1 and z_2 = r_3, the client outputs f(x) = 0; if z_1 = r_2 and z_2 = r_4, the client outputs f(x) = 1; otherwise execution continues with step 15).
15) Using the proof system (denoted L) from the article "Delegation of Computation without Rejection Problem from Designated Verifier CS-Proofs" by Goldwasser et al., the client runs the set-up algorithm of L to generate the public and private keys (pp_1, sp_1) corresponding to the function KeyGen(MSK_1, ·) and the public and private keys (pp_2, sp_2) corresponding to the function KeyGen(MSK_2, ·). It sends pp_1 to server S_1 and pp_2 to S_2.
16) Server S_1 executes the prover algorithm of the proof system L to produce a proof π_1 and sends (SK_1g, π_1) to the client; likewise, server S_2 generates a proof π_2 and sends (SK_2g, π_2) to the client.
17) The client computes H(SK_1g) and H(SK_2g) and verifies that they equal the hash values received in step 6) or 7); on a mismatch, the corresponding server is judged malicious and the client stops, otherwise it continues. The client runs the verifier algorithm of the proof system L on the received messages and the private keys sp_1, sp_2 to verify whether the proofs π_1 and π_2 are valid; if π_i (i ∈ {1,2}) fails verification, the corresponding server S_i is malicious and the client terminates, otherwise it continues. The client then determines which server returned the z_i (i ∈ {1,2}) that failed verification in step 14), i.e., the z_i that equals none of the random numbers selected by the client; the corresponding server is malicious, and the client terminates.
Wherein pi iIs a server S iSK proving its return to client igAre generated truthfully. Proof of computational complexity of verifier (here client) in system L and function KeyGen (MSK) iLog correlation of the computational complexity of (c). Because of the algorithm KeyGen (MSK) in the functional encryption scheme iThe computational complexity of (c) is comparable to the computational complexity of the function f. Thus, in this alternative, the customer's computational effort is related to the log (| f |) of the function f, which is still efficient compared to the work of Gennaro et al and Chung et al. This alternative may help the client to know who the malicious server is after authentication fails. In addition, after step 14), if any server refuses to execute step 16) and selects to stop in advance, the server is judged to be malicious.
In the above scheme, the proving system L includes three algorithms: set-up algorithm, prover algorithm, verifier algorithm. Wherein a set-up algorithm is used for the verifier to generate public and secret parameters; the prover algorithm is run by the prover to produce proof of its honestly performed calculations; the verifier algorithm is run by the verifier to determine whether the proof passes.
Let k be the security parameter and n be the size of the input x. To prove that y = f(x) using proof system L, the server can produce the proof π in time poly(k, t_x); on receiving the proof, the verifier can verify its validity in time poly(k, |x|, |π|) = poly(k, n, log t_x). Here poly denotes a polynomial function of its arguments (k, t_x, and so on), and t_x is the running time of the function f on x.
In the above scheme, proof π_1 is produced by server S_1 executing the prover algorithm in proof system L, to prove that it honestly performed the computation of step 4) as specified by the protocol; that is, server S_1 proves that the SK_1g it returned to the client was generated honestly. Proof π_2 is produced by server S_2 executing the prover algorithm in proof system L, to prove that it honestly performed the computation of step 5) as specified by the protocol; that is, server S_2 proves that the SK_2g it returned to the client was generated honestly.
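The acceptance check (step 14) in the description, step (11) in claim 1) and the z_i part of the blame step can be traced with the following added example, which is not code from the patent. `MockFE`, `make_g`, `client_verify` and `run` are hypothetical names, and `MockFE` is an insecure ideal-functionality stand-in for a functional encryption scheme; attributing a bad z_i to the server that returned it assumes the hash and proof checks of step 17) have already passed.

```python
import secrets

def make_g(f):
    # g from step 1): input (x, s1, s2); outputs s1 if f(x) == 0, s2 if f(x) == 1.
    def g(x, s1, s2):
        y = f(x)
        if y not in (0, 1):
            raise ValueError("f must output 0 or 1")
        return s1 if y == 0 else s2
    return g

class MockFE:
    """Stand-in for functional encryption (constructed for illustration, not secure)."""
    def __init__(self):
        self.mpk = secrets.token_hex(8)      # label for the key pair; MSK is implicit
    def keygen(self, g):                     # KeyGen(MSK, g) -> SK_g
        return (self.mpk, g)
    def encrypt(self, triple):               # Enc(MPK, (x, r, r'))
        return (self.mpk, triple)
    @staticmethod
    def decrypt(sk_g, ct):                   # Dec(SK_g, C) yields only g(x, r, r')
        if sk_g[0] != ct[0]:
            raise ValueError("key and ciphertext belong to different key pairs")
        return sk_g[1](*ct[1])

def client_verify(z1, z2, r):
    """Return (f(x) or None on reject, servers whose z matches no client random)."""
    r1, r2, r3, r4 = r
    bad_z_from = set()
    if z1 not in (r1, r2):
        bad_z_from.add("S2")                 # z1 is the value returned by S2
    if z2 not in (r3, r4):
        bad_z_from.add("S1")                 # z2 is the value returned by S1
    if (z1, z2) == (r1, r3):
        return 0, bad_z_from
    if (z1, z2) == (r2, r4):
        return 1, bad_z_from
    return None, bad_z_from

def run(f, x, s1_cheats=False):
    fe1, fe2 = MockFE(), MockFE()            # (MPK_1, MSK_1) and (MPK_2, MSK_2)
    g = make_g(f)
    sk1g, sk2g = fe1.keygen(g), fe2.keygen(g)    # made by S1 and S2, then exchanged
    r = tuple(secrets.randbits(128) for _ in range(4))
    c1 = fe1.encrypt((x, r[0], r[1]))        # C_1 goes to S2
    c2 = fe2.encrypt((x, r[2], r[3]))        # C_2 goes to S1
    z1 = MockFE.decrypt(sk1g, c1)            # S2's answer
    z2 = MockFE.decrypt(sk2g, c2)            # S1's answer
    if s1_cheats:
        z2 = secrets.randbits(128)           # S1 substitutes a value of its own
    return client_verify(z1, z2, r)

if __name__ == "__main__":
    print(run(lambda x: x % 2, 7), run(lambda x: x % 2, 7, s1_cheats=True))
```

When both returned values are valid randoms but point to different results (for example z_1 = r_1 and z_2 = r_4), the z check alone rejects without naming a server, which is the case the hash and proof checks of step 17) are there to resolve.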
The invention has the following extended implementation: the functional encryption scheme is replaced by a multi-input functional encryption scheme, which suits the multi-client outsourced computation scenario. The multi-input functional encryption scheme is an extension of the single-input functional encryption scheme. In a multi-input functional encryption scheme, the function f corresponding to the decryption key SK_f is an n-ary function, and the input to the key SK_f is n ciphertexts. Given the ciphertexts of n messages (x_1, x_2, …, x_n), denoted (c_1, c_2, …, c_n), and the decryption key SK_f, the decryptor can decrypt to obtain the value of f(x_1, x_2, …, x_n). Multi-client outsourced computation refers to n clients (n > 2), each with its own input x_i, who want to outsource the computation of f(x_1, x_2, …, x_n) to an external server. By replacing the functional encryption scheme in the invention with multi-input functional encryption, an outsourced computation scheme in which multiple clients outsource computation tasks to two servers can be designed directly.
The above embodiments are only intended to illustrate the technical solution of the present invention and not to limit the same, and a person skilled in the art can modify the technical solution of the present invention or substitute the same without departing from the spirit and scope of the present invention, and the scope of the present invention should be determined by the claims.

Claims (8)

1. A safe and efficient outsourcing computation implementation method is characterized by comprising the following steps:
1) the client generates two independent public and private key pairs by using a function encryption scheme;
2) the client side sends private keys in the two public and private key pairs and functions related to outsourcing calculation functions to the two servers respectively;
3) the two servers respectively generate decryption keys corresponding to the functions and send results to the opposite side;
4) the client encrypts the message and the random number by using a public key in the two public and private key pairs and respectively sends the ciphertext to the two servers;
5) the two servers respectively adopt the decryption keys to decrypt the ciphertext and return the calculation result to the client;
6) the client verifies the calculation results returned by the two servers, if the results pass the verification, the value of the outsourcing calculation function is obtained, otherwise, the result is rejected;
let the two servers be S_1 and S_2, the outsourced computation function be f, and the input be x; assume that at least one server is semi-honest; the specific steps for realizing outsourced computation comprise:
(1) the client generates two independent public/private key pairs (MPK_1, MSK_1), (MPK_2, MSK_2) using the functional encryption scheme, and defines a function g related to the function f: the input to the function g is a triple (x, s_1, s_2); if f(x) is equal to 0, the function g outputs s_1; if f(x) is equal to 1, it outputs s_2; otherwise it aborts; wherein s_1, s_2 are two random numbers;
(2) the client sends MSK_1 and the function g to the first server S_1;
(3) the client sends MSK_2 and the function g to the second server S_2;
(4) server S_1 generates the decryption key SK_1g corresponding to the function g using the key generation algorithm of the functional encryption scheme, and sends SK_1g to server S_2;
(5) server S_2 generates the decryption key SK_2g corresponding to the function g using the key generation algorithm of the functional encryption scheme, and sends SK_2g to server S_1;
(6) the client takes the input x and selects random numbers r_1, r_2, r_3, r_4;
(7) the client encrypts (x, r_1, r_2) with the public key MPK_1 of the functional encryption scheme to obtain a ciphertext C_1, and sends it to server S_2;
(8) the client encrypts (x, r_3, r_4) with the public key MPK_2 of the functional encryption scheme to obtain a ciphertext C_2, and sends it to server S_1;
(9) server S_2 decrypts C_1 with the private key SK_1g to obtain a result z_1, and returns z_1 to the client;
(10) server S_1 decrypts C_2 with the private key SK_2g to obtain a result z_2, and returns z_2 to the client;
(11) the client verifies the values returned by the two servers; if the values returned by the two servers pass verification against the random numbers and the corresponding function values are equal, the client accepts and obtains f(x); otherwise the client rejects;
in step (11), the client verifies whether z_1 is equal to r_1 or r_2, and whether z_2 is equal to r_3 or r_4; if z_1 = r_1 and z_2 = r_3, the client outputs f(x) = 0; if z_1 = r_2 and z_2 = r_4, the client outputs f(x) = 1; otherwise the client rejects.
2. The method of claim 1, wherein the following method is used to determine which server is malicious, wherein the proof system L contains three algorithms: a set-up algorithm, a prover algorithm, and a verifier algorithm; the set-up algorithm is used by the verifier to generate public and secret parameters; the prover algorithm is run by the prover to produce a proof that it performed its calculations honestly; the verifier algorithm is run by the verifier to judge whether the proof passes:
a) after step (5), the following steps are performed, and then step (6) is performed:
a1) server S_1 computes the hash values H(SK_1g), H(SK_2g) and sends them to the client;
a2) server S_2 computes the hash values H(SK_1g), H(SK_2g) and sends them to the client;
a3) the client verifies whether the hash values returned by the two servers are correspondingly equal; if so, the client continues; otherwise the client aborts;
b) in step (11), if the client's verification fails, the following steps are performed:
b1) the client runs the set-up algorithm of proof system L to generate the public and private keys (pp_1, sp_1) corresponding to the function KeyGen(MSK_1, ·) and the public and private keys (pp_2, sp_2) corresponding to the function KeyGen(MSK_2, ·); it sends pp_1 to server S_1 and pp_2 to S_2;
b2) server S_1 executes the prover algorithm in proof system L to produce a proof π_1 and sends (SK_1g, π_1) to the client; server S_2 produces a proof π_2 and sends (SK_2g, π_2) to the client;
b3) the client computes H(SK_1g) and H(SK_2g) and verifies whether they are correspondingly equal to the hash values received in step a); if they are unequal, the corresponding server is judged malicious and the client stops; otherwise it continues; the client runs the verifier algorithm of proof system L with the received messages and the private keys sp_1, sp_2 to verify whether the proofs π_1 and π_2 are valid; if π_i (i ∈ {1,2}) fails verification, the corresponding server S_i is malicious and the client terminates; otherwise it continues; the client determines which server's returned z_i (i ∈ {1,2}) failed verification in step (11), i.e., z_i is equal to none of the random numbers selected by the client; the corresponding server is malicious, and the client terminates.
3. The method as claimed in claim 2, wherein after step (11), if a server refuses to execute step b2) and chooses to abort early, that server is judged to be malicious.
4. The method of claim 1, wherein the channel between the client and the server is a secret channel; if the channel between the client and the server is a public channel, the client encrypts the message by using the public key of the server and then sends the message to the server.
5. The method of any one of claims 1 to 4, wherein the functional encryption scheme is replaced with a multi-input functional encryption scheme suitable for use in a multi-customer outsourced computing scenario.
6. A secure and efficient outsourcing computing implementation system that employs the method of claim 1, comprising a client and two servers; the client generates two independent public and private key pairs by using a function encryption scheme, and respectively sends a private key in the two public and private key pairs and a function related to an outsourcing calculation function to the two servers; the two servers respectively generate decryption keys corresponding to the functions and send results to the opposite side; the client encrypts a message and a random number by using a public key in two public and private key pairs and respectively sends ciphertexts to the two servers; the two servers respectively adopt the decryption keys to decrypt the ciphertext and return the calculation result to the client; and the client verifies the calculation results returned by the two servers, if the results pass the verification, the value of the outsourcing calculation function is obtained, and if the results do not pass the verification, the value is rejected.
7. The system of claim 6, wherein the channel between the client and the server is a secret channel.
8. The system of claim 6, wherein the channel between the client and the server is a public channel, and wherein the client encrypts the message using the server's public key before sending it to the server.
CN201710086781.4A 2017-02-17 2017-02-17 Safe and efficient outsourcing calculation implementation method and system Expired - Fee Related CN106921491B (en)


Publications (2)

Publication Number Publication Date
CN106921491A CN106921491A (en) 2017-07-04
CN106921491B true CN106921491B (en) 2020-02-11




Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant
CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20200211

Termination date: 20220217