CASO: Cost-Aware Secure Outsourcing of General Computational Problems
aa r X i v : . [ c s . CR ] N ov CASO: Cost-Aware Secure Outsourcing ofGeneral Computational Problems
Kai Zhou and Jian Ren
Abstract
Computation outsourcing is an integral part of cloud computing. It enables end-users to outsourcetheir computational tasks to the cloud and utilize the shared cloud resources in a pay-per-use manner.However, once the tasks are outsourced, the end-users will lose control of their data, which may result insevere security issues especially when the data is sensitive. To address this problem, secure outsourcingmechanisms have been proposed to ensure security of the end-users’ outsourced data. In this paper,we investigate outsourcing of general computational problems which constitute the mathematical basicsfor problems emerged from various fields such as engineering and finance. To be specific, we proposeaffine mapping based schemes for the problem transformation and outsourcing so that the cloud isunable to learn any key information from the transformed problem. Meanwhile, the overhead for thetransformation is limited to an acceptable level compared to the computational savings introduced by theoutsourcing itself. Furthermore, we develop cost-aware schemes to balance the trade-offs between end-users’ various security demands and computational overhead. We also propose a verification scheme toensure that the end-users will always receive a valid solution from the cloud. Our extensive complexityand security analysis show that our proposed Cost-Aware Secure Outsourcing (CASO) scheme is bothpractical and effective.
Index Terms
Cloud computing, computation outsourcing, security, efficiency, cost-aware.
I. I
NTRODUCTION
Cloud computing paradigm provides end-users an on-demand access to a shared pool ofcomputing resources, such as computational power and storage. It enables the end-users to utilize
The authors are with the Department of Electrical and Computer Engineering, Michigan State University, East Lansing, MI48824-1226, Email: { zhoukai, renjian } @msu. edu October 19, 2015 DRAFT those resources in a pay-per-use manner instead of purchasing expensive equipment upfront.Computation outsourcing is a key component of cloud computing. It enables the resource-constrained end-users to outsource their computational tasks to the cloud servers. Then the tasksare processed in the cloud servers and solutions are returned to the end-users. The technicaland economic advantages make computation outsourcing a promising application for cloudcomputing.However, security has become one of the major concerns that prevent computation outsourcingfrom being widely adopted. When the end-users outsource their tasks to the cloud, they inevitablylose control of their own data, while the cloud servers will get full access to not only the problemitself but also the input, the intermediate computational results and the output of the problem,which may contain sensitive end-user data, such as financial statistics or health records. As aresult, the end-users’ privacy is totally exposed to the cloud. Furthermore, the cloud may havethe motivation to cheat in the computation process thus false solutions may be returned to theend-users. This is because the computing resources are regarded as a kind of commodity andthe cloud may try to reduce the cost by simply not investing enough computing resources asit has claimed. For example, the cloud may just return a trivial result for an outsourced taskthus saving a lot of resources. All these issues call for designs of more secure and privacy-preserving outsourcing mechanisms that can also provide end-users the ability to validate thereceived results.To address the aforementioned issues, researchers have proposed various secure outsourcingschemes for different types of computational problems, such as sequence comparison [1]–[3],linear algebra [4]–[7] and modular exponentiation [8], [9]. The techniques utilized by theseschemes can be divided into two categories: encryption based schemes and disguising basedschemes. Researchers from the cryptography community are trying to develop specific encryptionschemes under which computation can be carried out on encrypted data. For instance, in [10]the authors proposed a fully homomorphic encryption scheme under which an arbitrary booleancircuit can be evaluated directly over the encrypted data. Based on this homomorphic encryptionand Yao’s garbled circuit [11], the authors in [12] designed a secure outsourcing scheme forarbitrary functions where the input and output privacy are protected and the results can beverified in a non-interactive way. However, the main drawback of this type of schemes is thatthey all require expensive encryption operations thus making it impractical to be carried out in
October 19, 2015 DRAFT the cloud scenario. Researchers in the theoretic computer science community have developedsome disguising techniques to transform different types of computational problems to disguisedforms so that the private information of the original problems is concealed. Based on disguising,the authors in [13] and [4] developed schemes to securely outsource some basic scientificoperations such as matrix multiplication, matrix inversion and convolution. More recently, secureand practical outsourcing schemes were proposed in [6] [14] for linear programming. In [15][16], the authors focused on outsourcing of large-scale systems of linear equations. However, theabove mentioned disguising techniques are specially designed for a particular kind of scientificcomputation, mostly lies in the scope of linear algebra. Thus the application of the proposedschemes is quite limited.In this paper, we aim at developing a secure outsourcing scheme that is suitable for generalcomputational problems. The challenges come from various aspects. First, we target at generalcomputational problems which cover the scope of linear and non-linear problems such as systemof equations (linear or non-linear), linear programming and convex optimization. Due to thedifferent natures of these problems, it is extremely challenging to design an outsourcing schemesuitable for various kinds of computational problems. Second, in the cloud scenario, the end-users are resource-constrained which means that the operations can be implemented before andafter the outsourcing are quite limited. Third, the end-users vary from handheld mobile devicesto desktop workstations in terms of resource constraints and security requirements. Thus it isnot easy to design a scheme that can meet the requirements of various end-users. Finally, ourpreliminary investigation shows that a more complex pre-processing of the problem will ensurea more secure outsourcing process. However, it also creates more computational burden on theend-users. Thus there exists a trade-off between the computational complexity that the end-userscan afford and the security they can get in return. All these concerns make it extremely hard todesign a secure outsourcing scheme for general computational problems.To deal with the aforementioned challenges, we propose a secure outsourcing scheme basedon affine mappings. The basic idea is that before outsourcing, the independent variables ofthe computational problem is mapped to a new group of variables through an affine mapping.Correspondingly, the original problem is transformed to a new form that can be securely out-sourced to the cloud. Then the cloud can generate valid results from the transformed problemand return the results of the transformed problem back to the end-user. By applying an inverse
October 19, 2015 DRAFT affine transformation on the results returned from the cloud, the end-user can derive the validresults to the original problem efficiently at the local environment. We prove that the proposedoutsourcing scheme can ensure security of the private information of the original problem.The contributions of this paper can be summarized as follows: • We propose a cost-aware secure outsourcing scheme (CASO) that is generally suitable for awide variety of computational problems, such as system of equations, linear programmingand convex optimization. • We investigate the trade-off between the computational complexity and security such thatend-users can choose the most suitable outsourcing scheme according to their own resourceconstraints and security demands. • Our analysis and performance comparison demonstrate that CASO is much more efficientthan the existing schemes with comparable security levels. • We also introduce a verification process which enables the end-users to verify the validityof the results returned from the cloud servers.The rest of this paper is organized as follows. In Section II, we introduce our system model,threat model and our design goals. In Section III, we present the basic idea of CASO based onaffine mappings. We use system of linear equations as a case study to illustrate our cost-awaredesign philosophies in Section IV. We extend our design to non-linear problems in Section Vand the result verification scheme is introduced in Section VI. We evaluate the performance ofour scheme by comparing it with several existing works and giving some numeric results inSection VII. We conclude our work in Section VIII.II. P
ROBLEM S TATEMENT
A. System and Threat Model
We consider a system consisting of two entities: the end-user and the cloud. Suppose thatan end-user wants to solve a general computational problem denoted by F ( x ) , where x =( x , x , · · · , x n ) is a series of independent variables. Note that F ( x ) describes a general com-putational problem not necessarily restricted to a function. For example, it can be a system ofequations or an optimization problem. However, due to lack of resources, the end-user needs tooutsource the problem to the cloud which is considered to have infinite computing resources.Before outsourcing, the end-user will transform the original problem at the local side in order October 19, 2015 DRAFT to prevent information leakage. On receiving the transformed problem, the cloud server willcarry out the computing process and return the solution to the end-user. Then at the local side,an inverse transformation is carried out on the solution returned from the cloud to recover thesolution of the original problem. Based on the transformation and the information returned bythe cloud, the end-user is able to verify the validity of the received solution.As the problem is outsourced to the cloud, the end-users totally lose control of their own data.The private data and the computational result will be revealed to the cloud. There are at leastthree reasons that the cloud cannot be fully trusted. First, the cloud could be honest but curious.That is the cloud may collect any information that could be revealed by the problem. Second,the cloud is profit-motivated. As the end-users pay for the resources during the computationprocess, the cloud may reduce the cost by utilizing less resources and simply returning sometrivial results. Third, cloud is a shared environment, it is hard to secure individual data usingjust regular processor. As a result, a secure outsourcing scheme should not only prevent theprivate information from being exposed to the cloud but also guarantee that the end-users canreceive valid results. As a result, we have to develop effective mechanisms to protect this privateend-user information.
B. Design Goals
Under the above system and threat model, our proposed outsourcing scheme should achievethe following goals:1)
Soundness : Given that the cloud is trustworthy, the transformation on the problem and theinverse transformation of the returned result should guarantee that the recovered solutionis correct.2)
Security : When the problem is outsourced to the cloud, it should be computationallyinfeasible for the cloud server to infer the coefficient matrix, the input and output of theoriginal outsourced problem.3)
Verifiability : In case that the cloud cannot be fully trusted, the end user should have theability to verify the validity of the solution returned by the cloud.4)
Efficiency : The outsourcing scheme should be efficient in computation and communica-tion. For computation, the overhead caused by the problem transformation, the inversetransformation and the result verification should be limited to O ( n ) . For communication, October 19, 2015 DRAFT the overhead caused by the outsourcing process should be in the same level as that ofoutsourcing the original problem.5)
Cost-Awareness : The end-users can select different outsourcing strategies according totheir own computational constraints and security demands in a cost-aware manner.III. S
ECURE O UTSOURCING B ASED ON A FFINE M APPING
In this section, we will first present the basic framework of the proposed CASO. Then weintroduce the equivalence concept of two general computational problems. Under this definition,we explain in detail the process of problem transformation. At the end of this section, we provethe soundness of the CASO.
A. Basic Framework
As mentioned previously, we assume that the end user has a general computational problem F ( x ) to be solved. Due to the lack of resources, the end user needs to outsource F ( x ) to thecloud. We formally divide the outsourcing process into the following phases.1) Problem Transformation : ProbTran { S , F ( x ) } → { G ( y ) } . In this phase, the end userfirst generates a key S which is kept secret at the local side during the whole process.Based on this secret key, the end user transforms F ( x ) to a new form G ( y ) , where y isthe new input.2) Cloud Computation : CloudCom { G ( y ) } → { y ∗ , Φ } . On receiving the transformed prob-lem G ( y ) , the cloud carries out the necessary computation and gives the solution y ∗ aswell as a proof Φ of the validity of the returned solution.3) Result Recovery and Verification : RecVeri { y ∗ , S , Φ } → { x ∗ , Λ } . By utilizing the secretkey S , the end-user recovers solution x ∗ to the original problem from y ∗ . Based on theproof Φ , the end-user gives the decision Λ = { Ture , False } , indicating the validity of x ∗ . B. Problem Transformation
The basic idea of problem transformation is to map the independent variables of the problemto a new group of variables such that the original problem is transformed to a new form. Tobe specific, suppose the original problem is F ( x ) . We assume that ψ : R n → R n is a generalone-to-one mapping function. Let x = ψ ( y ) , then F ( x ) = F ( ψ ( y )) = ( F ◦ ψ )( y ) = G ( y ) . In October 19, 2015 DRAFT this way, the original input x can be transformed to input y with the relationship determined bythe function ψ . Below, we give the equivalence definition of two computational problems. Definition 1 (Equivalence) . Denote a set of computational problems as
Ω = { Γ | Γ : R n → R n } .For any F ∈ Ω , if there exists a one-to-one mapping ψ : R n → R n such that F ( x ) = F ( ψ ( y )) =( F ◦ ψ )( y ) = G ( y ) , then F is said to be equivalent to G . We denote it as F ∼ G . The equivalentclass of F is denoted as [ F ] = { Γ ∈ Ω | Γ ∼ F } . Theorem 2.
The equivalence relation defined in Definition 1 is well-defined.Proof:
We only need to prove that the relation defined in Definition 1 is reflexive, symmetricand transitive. First, it is obvious that for every F ∈ Ω , if we select the one-to-one mapping ψ tobe the identity mapping, then we have F ( x ) = F ( ψ ( y )) = F ( y ) . Thus for every F ∈ Ω , we have F ∼ F which demonstrates the property of reflexivity. Second, for F, G ∈ Ω , if F ∼ G , thenthere exists a one-to-one mapping ψ such that F ( x ) = F ( ψ ( y )) = ( F ◦ ψ )( y ) = G ( y ) , whichindicates the existence of an inverse mapping ψ − such that G ( y ) = ( F ◦ ψ )( ψ − ( x )) = F ( x ) .Thus we have G ∼ F and the property of symmetry holds. To prove the property of transitivity,assume that F, G, H ∈ Ω such that F ∼ G and G ∼ H . This means that there are two one-to-one mappings ψ and φ such that x = ψ ( y ) , F ( x ) = F ( ψ ( y )) = G ( y ) and y = φ ( z ) , G ( y ) = G ( φ ( z )) = H ( z ) . Therefore, we have F ( x ) = F ( ψ ( y )) = F (( ψ ◦ φ )( z )) = H ( z ) . Since ψ and φ are both one-to-one mappings, the mapping ψ ◦ φ is also one-to-one. Thus from thedefinition we have F ∼ H and the equivalence relation is transitive.The following example illustrates the basic idea of problem transformation. Example 3.
Suppose F ( x ) represents a system of linear equations with two independent vari-ables: F ( x ) := x + 2 x = 63 x + x = 3 . (1)If we take the mapping function as x = ( x , x ) = ψ ( y ) = (2 y + 1 , y + 2) , the originalproblem is transformed to G ( y ) = F ( ψ ( y )) = y + 2 y = 13 y + 6 y = − . (2) October 19, 2015 DRAFT
Since the above mapping ψ is one-to-one, we have F ∼ G according to Definition 1. In fact,the solutions to the two systems also satisfy the same mapping function. It is easy to obtain thesolutions as y ∗ = ( , − ) and x ∗ = (0 , , which satisfy x ∗ = ψ ( y ∗ ) .The above example gives an insight of CASO. Based on a one-to-one mapping ψ , the end-user first transforms the original problem F ( x ) to an equivalent form G ( y ) that can be securelyoutsourced to the cloud. Since the solutions to the two problem satisfy x ∗ = ψ ( y ∗ ) , the end-usercan always recover x ∗ from y ∗ returned by the cloud. Thus the essence of our proposed schemelies in finding a proper one-to-one mapping that satisfies the various design goals. Definition 4.
An affine mapping ψ : R n → R n is defined as a mapping from x ∈ R n to y ∈ R n satisfying x = Ky + r , where K ∈ R n × n is nonsingular and r ∈ R n .It is clear that as long as K is nonsingular, the affine mapping defined above is a one-to-onemapping. The soundness of our proposed scheme based on affine mapping is guaranteed by thefollowing theorem. Theorem 5 (Soundness) . Under the affine mapping, the transformed problem is equivalent tothe original problem. That is the end-user is guaranteed to be able to recover the valid solutionof the original problem from the solution returned by the cloud.Proof:
The proof of soundness follows the definition of equivalence. The affine mapping x = Ky + r is one-to-one as long as K is non-singular. Thus by definition, F ∼ G under thisaffine mapping. Since the solutions to the two problems satisfy x ∗ = Ky ∗ + r , given y ∗ returnedby the cloud, the end-user is able to recover x ∗ at the local side.In the rest of this paper, we will show that our proposed affine mapping based CASO will notonly meet the end-user’s resource constraints but also conceal the end-user’s private information.Furthermore, CASO can provide a cost-aware trade-off so that the end-user can achieve thedesired security levels by selecting different outsourcing strategies with different computationaland communication overhead. In the following analysis, we divide the computational problemsinto two categories: linear systems and non-linear systems due to their different mathematicalproperties. October 19, 2015 DRAFT
IV. C
OST -A WARE D ESIGN FOR L INEAR S YSTEMS
In this section, we present our cost-aware secure outsourcing scheme for general computationalproblems. In the region of linear computation, we deploy system of linear equations as a casestudy to show the principles of our design. Then we show that the proposed CASO can be wellextended to linear programming.
A. Outsourcing Scheme
In the problem transformation phase, the end-user first generates a one-time secret key S = { K , r } , where K ∈ R n × n is a non-singular matrix and r ∈ R n . Then x = Ky + r is a one-to-onemapping from x to y .Suppose the computational problem is a system of linear equations Ax = b , where x , b ∈ R n and A is an n × n nonsingular matrix. The function ProbTran { S , F ( x ) } → { G ( y ) } takes thesecret key S = { K , r } and the linear system as input and generates the output as AKy = b − Ar . Denote A ′ = AK and b ′ = b − Ar and the system is transformed to G ( y ) : A ′ y = b ′ which can be outsourced to the cloud.In the phase of cloud computation, the cloud solves G ( y ) utilizing the typical methods andreturns the solution y ∗ to the end-user. Then in the result recovery phase, the end-user recoversthe solution to the original system of linear equations as x ∗ = Ky ∗ + r . The result verificationwill be discussed in detail in Section VI. B. Design Analysis
From the above outsourcing scheme, we can see that the computational overhead for the end-user incurs both in the problem transformation and the result recovery phase. To be more specific,in the problem transformation phase, the end-user needs to calculate AK and Ar . To recover theoriginal solution x ∗ from the received solution y ∗ , the end-user has to calculate Ky ∗ . Amongthose operations, the matrix multiplication AK is the most computationally expensive one. Thusin our discussion, we will analyze the number of multiplications M required to compute AK . Inthe following analysis, we denote A = { a ij | i, j = 1 , , · · · , n } and K = { k ij | i, j = 1 , , · · · , n } .To multiply two arbitrary n × n matrices, the typical complexity is O ( n ) , which is generallybelieved to be too high and unacceptable for mobile client computation. However, in our design,we can actually control the complexity by selecting matrix K properly so that the computational October 19, 2015 DRAFT0 complexity can be effectively reduced without compromising security. Since matrix multiplicationis the most expensive part of the end-user’s processing, our goal is to ensure that the complexityof multiplying K with an arbitrary matrix A is bounded by O ( n ) , which is within the end-user’scomputational constraints.In the following sections, we provide four schemes with different types of non-singular secretkey K based on the above described complexity constraints. K is a Diagonal Matrix (Scheme-1): A diagonal matrix K has the format K = { k ij | k ij =0 , ∀ i = j } . Since K must be non-singular, all the entries in the diagonal have to be non-zeronumbers. When K is a diagonal matrix, we have M = n . K is a Permutation Matrix (Scheme-2): A permutation matrix K has exactly one non-zeroentry in each row and each column in the matrix. When K is a permutation matrix, we have M = n . K is a Band Matrix (Scheme-3): Suppose the band matrix K has an upper half-bandwidth p and a lower half-bandwidth q such that k ij = 0 for i > j + p and j > i + q . The total bandwidthof K is denoted by W = p + q + 1 . When K is a band matrix, for simplicity, we assume that K has an equal upper and lower half-bandwidth p = q = ω , then W = 2 ω + 1 , and the numberof multiplications M can be calculated as M = (2 ω + 1) n − ( ω + ω ) n . K is a sparse matrix (Scheme-4): Suppose K is a sparse matrix. The density d is definedas the ratio of non-zero elements in the matrix. We assume that the number of non-zero elementsin each row and each column of K is up-bounded by a constant θ . When K is a sparse matrix,it is usually stored in a special manner such as Dictionary of Keys (DOK) [17] in computation.Thus the complexity of matrix multiplication can be approximately measured by the numberof non-zero elements, which is dn in our discussion. Since we have assumed that d ≤ θn , thenumber of multiplication becomes M = θn .In summary, through the above analysis, we demonstrate that for the four proposed schemes,the complexity of multiplying K with an arbitrary matrix A is O ( n ) . Since matrix multipli-cation is the most expensive part of the end-user’s processing, we can derive that the overallcomputational complexity for the end-user is O ( n ) , which is within the end-user’s computationalconstraints.For the four types of matrices, sparse matrix is the most general case. When the non-zeroelements are centralized around the diagonal, then the sparse matrix K becomes a band matrix. October 19, 2015 DRAFT1
When θ = W , the complexity of scheme-3 and scheme-4 is in the same level. The only differenceis that the non-zero elements are randomly distributed in sparse matrix. This difference mayprovide different security protection for side information which we will explain in detail later.Further, when θ = 1 , then K becomes a permutation matrix as in scheme-2. Similarly when W = 1 , then the band matrix K becomes a diagonal matrix. Generally speaking, from scheme-1to scheme-4, the computational complexity increases. In the following sections, we will analyzethe security of CASO. C. Security Analysis
In this section, we will analyze the security of our proposed CASO. We will focus on thesecurity of the coefficient matrix A of the original function F ( x ) , the variable x in the function F ( x ) and the form of the function F ( x ) . Theorem 6.
For the four schemes in CASO, it is computationally infeasible for the cloud torecover the original coefficient matrix A of problem F ( x ) and the output x ∗ for the system oflinear equations.Proof: For a system of linear equations Ax = b , the original problem is represented bythe matrix A and the vector b . The output is x ∗ , which is the solution of the system. Underthe affine mapping, the system of equations is transformed to A ′ y = b ′ , where A ′ = AK and b ′ = b − Ar . Therefore, both A and b are concealed by the secret key S = { K , r } . Since both K and r are only used once and kept secret at the local side, the equations can be concealedform the cloud. Additionally, since the original solution is recovered by x ∗ = Ky ∗ + r , withoutknowing K and r , the cloud cannot recover x ∗ . In this way, the output of the system is concealed.Thus, all the four schemes are secure in outsourcing the system of linear equations. Theorem 7.
Under the proposed CASO scheme, it is computationally infeasible for the cloudto recover the zeros, poles and optimums.Proof:
Under the affine mapping x = Ky + r , the values of x is being mapped to y = K − ( x − r ) . Since both r and K are secret and randomly selected, it is computationally infeasibleto recover x from y . As a result, given y , the zeros, poles and optimums are concealed. Theprotection depends on the selection of K and r . October 19, 2015 DRAFT2
While we cannot recover the coefficient matrix A, the four scheme do provide different levelsof security protection for side information. For scheme-1, the zeros of the coefficient matrix A ′ of the outsourced problem are also the zeros of the original problem. The order of the entries ineach column of A ′ is the same as that of A. For scheme-2, while the number of zeros for A ′ and A are the same in each column, the distribution of the zeros and the order of the entries in eachcolumn are different. For scheme-3 and scheme-4, both the number of zeros and the distributionof entries in each column of A ′ and A are different. Therefore, the end user should select thescheme based on whether the possible side information that may be leaked from scheme-1 andscheme-2 is sensitive. Theorem 8.
Suppose ψ is a rational mapping, meaning that ψ can be represented as a quotientof two polynomial functions, G = F ◦ ψ , then we have the following results: If F is a rational function, then G is rational. If F is an irrational function, then G is irrational.Proof: Since ψ is a rational mapping, we assume ψ ( x ) = P ( x ) Q ( x ) , where P ( x ) and Q ( x ) arepolynomials. When F is a rational function, suppose F ( x ) = a + a x + · · · + a n x n b + b x + · · · + b m x m . Then ( F ◦ ψ )( x ) = a + a P ( x ) Q ( x ) + · · · + a n P n ( x ) Q n ( x ) b + b P ( x ) Q ( x ) + · · · + b m P m ( x ) Q m ( x ) . Without loss of generality, we assume that m > n . Then we have ( F ◦ ψ )( x ) = a Q m ( x ) + a P ( x ) Q m − ( x ) + · · · + a n P n ( x ) Q m − n ( x ) b Q m ( x ) + b P ( x ) Q m − ( x ) + · · · + b m P m ( x ) , where F ◦ ψ is the quotient of two polynomials. Thus, the composition G = F ◦ ψ is a rationalfunction.When F is irrational, the composition G = F ◦ ψ cannot be rational. Otherwise, there existsan inverse rational function ψ − such that F = G ◦ ψ − = F ◦ ψ ◦ ψ − becomes rational. Hence, G = F ◦ ψ is irrational when F is irrational.Since the proposed affine mapping is rational, we have the following corollary. October 19, 2015 DRAFT3
Corollary 9.
Under an affine mapping ψ , the rationality of the function G is the same as theoriginal function F . Theorem 8 and Corollary 9 state that the rationality of the function F cannot be changedthrough composition with a rational mapping or an affine mapping ψ . That is, if the function F is rational, after the composition G = F ◦ ψ , the transformed function G is still rational. If F is irrational, G is still irrational. As a result, the side information that is related to the specificform of the function F (e. g., sin( · ) or log( · ) ) may not be fully concealed by an affine mappingor even a rational mapping.Now, we will analyze the side information that can be revealed by the coefficient matrix A of the four schemes. Under an affine mapping, the coefficient matrix A is transformed to AK .For scheme-1, the secret key K is a diagonal matrix denoted by K = { k ij | k ij = 0 , ∀ i = j } .The entry a ′ ij in A ′ can be calculated as a ′ ij = k ii a ij . By investigating A ′ , it is obvious thateach column in A ′ is related in a simple way to that in A such that the i th column in A ′ isthe multiplication of the i th column in A with k ii . In this way, only based on A ′ , the cloud caneasily know the ratio between any two entries within the same column in A .For K to be a permutation matrix in scheme-2, the difference is that A ′ in scheme-2 can beregarded as the result of permuting the columns of A ′ obtained from scheme-1. Thus, althoughthe cloud can get a knowledge of the ratio between two entries in the same column of A , itis not sure which particular column those two entries belong to. Therefore, scheme-2 is moresecure than scheme-1 in terms of concealing the side information of the outsourced problem.In scheme-3, for K to be a band matrix with upper half-bandwidth and lower half-bandwidthboth equal to ω , it can be calculated that a ′ ij = j + ω X r = j − ω a ir k rj . Since each entry in A ′ is a linear combination of α entries in A and β entries in K , the ratioinformation of entries in A is concealed. However, the disadvantage is that the cloud can stilllearn how a particular entry in A ′ is composed. For example, suppose ω = 1 , the cloud canknow for sure that a ′ ij = a i ( j − k ( j − j + a ij k jj + a i ( j +1) k ( j +1) j .At last, for K to be a sparse matrix in scheme-4, we assume that there are exactly θ non-zeroentries in each row and column of K . Similar to scheme-3, the ratio information of entries in October 19, 2015 DRAFT4
TABLE IC
OMPLEXITY AND SECURITY OF EACH SCHEME
Scheme Complexity
Diagonal matrix n Permutation matrix n Band matrix with bandwidth W = (2 ω + 1) W n Sparse matrix with density d = θn θn A can be concealed. Moreover, since the non-zero entries are randomly positioned in the sparsematrix K , the cloud is unable to know how each entry in A ′ is composed.From the above analysis, we can see that the coefficient matrix A is protected through thelinear combination of the entries in A and K . To be specific, in scheme-1 the effect is thescaling of the columns of A . In scheme-2, the effect is scaling and permutation. In scheme-3and scheme-4, the entries in A and K are related in a more complex way. We summarize thecomputational complexity and security of CASO in Table I. D. Trade-off between Complexity and Security
From the above complexity and security analysis, we can see that there is a trade-off betweenthe computational complexity and security. As the simple scheme, scheme-1 is able to protectthe original coefficient matrix while exposing the ratio between any two entries in the samecolumn. In comparison, scheme-2 is slightly more expensive (e. g. the positions of the non-zero entries have to be stored), but it is this cost for non-zero entries’ random positions thatmakes it effective to conceal the ratio information. The complexity of scheme-3 and scheme-4 islinearly dependent on W and θ , respectively. They are more costly than scheme-1 and scheme-2.However, the transformed matrix A ′ can conceal A and K in a more complex way since it canconceal the structure of the coefficient matrix. In summary, from scheme-1 to scheme-4, thesecurity levels that they can provide increase at a cost of computational power.In the context of cloud computing, the end-users vary from mobile devices to powerful work-stations thus having different computational constraints as well as different security demands. October 19, 2015 DRAFT5
Thus CASO provides end-users with the flexibility to choose the outsourcing schemes that aremost suitable for them. These four schemes give cost-aware outsourcing for end-users to addressthe various security demands and computational constraints.
E. Application to Linear Programming
In this section, we will demonstrate that our design and analysis for system of linear equationscan be well applied to many computational problems, such as linear programming. We considera linear programming problem denoted by F ( x ) := minimize c T x subject to Ax = bDx ≥ , where b , c ∈ R n , A ∈ R m × n and D ∈ R s × n ( m, s ≤ n ).Under the affine mapping x = Ky + r , the problem is transformed to G ( y ) := minimize c T Ky + c T r subject to AKy = b − ArDKy ≥ − Dr , from which we can see that the original coefficient matrix can be concealed by the secret key K and r . It is obvious that the computational bottleneck lies in the multiplication of K with A and D . Thus the same complexity and security analysis for systems of linear equations appliesfor linear programming. That is the complexity of the previous four schemes is all bounded by O ( n ) . In terms of security, the four schemes are all secure in protecting the original coefficientmatrix while providing different levels of protection of the side information.In the next section, we explore the differences for non-linear computation by investigatingsystem of non-linear equations and convex optimization problems.V. E XTENSION TO N ON - LINEAR S YSTEMS
In this section, we aim at exploring the different design issues between linear and non-linearcomputation. We consider a system of non-linear equations denoted by F ( x ) = , where F ( x ) = { f i ( x ) | f i ( x ) : R n → R , i = 1 , , · · · , n } . Typically, it is hard to obtain a symbolic solution for October 19, 2015 DRAFT6 the system. Thus the normal method is to solve the system of equations numerically in aniterative way. The main idea is that given a solution x k in the k th iteration, we need to solvethe linear system ∂F ( x ) | x = x k ( x k +1 − x k ) = − F ( x ) | x = x k , where ∂F ( x ) is the Jacob matrixof F ( x ) . Then we can obtain the solution x k +1 in the ( k + 1) th iteration. The iteration willterminate when k F ( x ∗ ) k < ε , where ε is the error tolerance and x ∗ is the final solution. Tominimize the communication overhead and the energy consumption of the end-users, our goal isto design off-line scheme so that the end-users are not required to interact with the cloud exceptthe problem outsourcing and result retrieving process. In this way, the end-users only need tofocus on the high level view of the problem without knowing the details of problem solvingprocess. The detailed design and analysis of the outsourcing scheme are presented as follows. A. Outsourcing Scheme
Compared with outsourcing of the system of linear equations, the main difference lies in theproblem transformation phase. First, to start the iteration at the cloud side, an initial guess ofthe solution should also be outsourced. We assume that at the local side, the end-user generatesan initial solution x . Then with the affine mapping, the outsourced initial solution becomes y = K − ( x − r ) . We should notice that there is an inversion operation on K which willimpose more constraints on our selection of K in terms of computational complexity. Second,after substituting x with y , the problem should be further transformed. We use a simple exampleto illustrate this point. Suppose we want to solve a system of nonlinear equations F ( x ) := sin(3 x ) + 4 x + x x = 02 x + e x + 2 x = 0lg(5 x ) + x +1 + 3( x + 1) = 0 . (3)We take the affine mapping x = Ky + r , where r = and K = . October 19, 2015 DRAFT7
Then the system is transformed to G ( y ) := sin(9 y ) + 16 y + 8 y y = 06 y + e y + 128 y = 0lg(15 y ) + y +1 + 48 y + 24 y = − . (4)It is obvious that to protect the cloud from revealing information from the transformed system,it is sufficient to mix the coefficient of each term in the equations with the key entry. To bespecific, we assume that there are π i terms in equation f i ( x ) and each term is denoted by f ji ( tx ) ,where t is the coefficient. Then each equation in the system can be written as f i ( x ) = π i X j =1 f ji ( tx ) . Under the affine mapping x = Ky + r , f ji ( tx ) is transformed to g i ( y ) = f i ( Ky + r ) = π i X j =1 f ji ( t ( Ky + r )) . Thus the coefficient t is concealed by K and r , which is similar to the case of the system oflinear equations. However, as illustrated in the example, the multiplication cannot be simplycarried out when f ji ( · ) is a polynomial. Thus a further transformation is needed to mix t with K and r for polynomials.Without loss of generality, we assume that the polynomial is denoted by t i x mi and in the affinemapping, K is a band matrix with bandwidth W = 3 and r = . Thus under the affine mapping,the polynomial is transformed to t i ( k i − y i − + k i y i + k i +1 y i +1 ) m . To mix the coefficient t i withthe secret keys, one straightforward way is to expand the polynomial and then multiple it with t i .However, the complexity is unacceptable for high order polynomials. Instead, we propose that itis sufficient to split the secret keys as k s = pq s , where s = i − , i, i + 1 such that t i ( k i − y i − + k i y i + k i +1 y i +1 ) m = t i ( pq i − y i − + pq i y i + pq i +1 y i +1 ) m = t i p m ( q i − y i − + q i y i + q i +1 y i +1 ) m . Inthis way, the coefficient t i in the original function and the secret keys k i are concealed. B. Complexity Analysis
From the analysis above, we can see that the complexity of the problem transformationmainly depends on two aspects. One is the specific form of the equations, that is the number ofpolynomials in the equations. The other one is how x and y are related, which is determinedby the number of non-zero entries in K . October 19, 2015 DRAFT8
TABLE IIC
OMPLEXITY FOR SYSTEM OF NON - LINEAR EQUATIONS
Scheme Complexity
Diagonal matrix N + (log m + 1) L Permutation matrix N + (log m + 1) L Band matrix with bandwidth W = (2 ω + 1) W N + (log m + 1) L Sparse matrix with density d = θn θN + (log m + 1) L For a given system of non-linear equations, suppose that there are N terms in total in thesystems, among which L are polynomials with orders no greater than m . Assume that the numberof non-zero entries in K is up-bounded by λ (i. e. each x is substituted by at most λ y ’s). Thusfor each non-polynomial term, the transformation takes λ multiplications between the coefficientof the term and the key entries. And for a polynomial term t i x mi , we assume that it is replacedby t i ( k y + · · · + k λ y λ ) m = t i ( pq y + · · · + pq λ y λ ) m = t i p m ( q y + · · · + q λ y λ ) m . Then theoperations involved in the transformation include one multiplication, λ division and raising p tothe power of m . As stated previously, we utilize the number of multiplication as a measurementfor complexity. We assume that in terms of computational complexity, one division is equal toone multiplication and with the method of exponentiation by squaring, the computation for m th power takes log m multiplications. Thus, for a system of non-liner equations with N termsamong which L are polynomials, the complexity can be calculated as λN + (log m + 1) L. It is obvious that the complexity depends on λ which is further determined by the selection of K . We summarize the complexity of the four different types of matrices in Table II. We cansee from the table that the complexities of all schemes are constrained to O ( N ) , where N isthe number of terms in the system of non-linear equations. Notice that typically for a system ofequations, the number of terms N is in the level of n , where n is the number of independentvariables. Thus the complexity is still bounded by O ( n ) , which fulfills our design goals. October 19, 2015 DRAFT9
C. Security Analysis
Similar to the security analysis for linear systems, all of the proposed four schemes are securein protecting the coefficient matrix, the zeros, poles and optimums of the outsourced problem.As stated in Corollary 9, CASO cannot conceal the specific form of the functions. For instance,in the example given in Section V-A, the original system of equations is transformed to G ( y ) such that the coefficients in each term of the function are changed. However, the specific formsof the function (e. g., sin( · ) , lg( · ) , etc. ) remain unchanged.For the four schemes, generally as the complexity increases, more side information can beconcealed from the cloud. Different from the linear equations, a non-linear function f i ( x ) maycontain some side information, such as maximum or minimum value which is important insome applications. For instance, the plot of the function or the extreme values may exposethe distribution of the incidence of a disease among different age groups. For scheme-1 andscheme-2, the curve of the function is just a scaled version. Though scheme-2 provides betterprotection since it can conceal the independent variables. In scheme-3 and scheme-4, eachindependent variables in the original problem is substituted by several new variables. Thus theside information, such as the curve and the extreme values can be perfectly concealed. D. Application to Convex Optimization
In this section, we show that the above schemes and analysis can also be applied to convexoptimization. Convex optimization is widely deployed in various practical problems. We considera convex optimization problem denoted by F ( x ) := minimize f ( x ) subject to f i ( x ) ≤ , i = 1 , · · · , mh j ( x ) = 0 , j = 1 , · · · , t, (5)where f i : R n → R , i = 0 , ..., m and h i : R n → R , i = 1 , ..., t are all convex functions. Underthe affine mapping x = Ky + r , the original problem F ( x ) is transformed to G ( y ) := minimize f ( Ky + r ) subject to f i ( Ky + r ) ≤ , i = 1 , · · · , mh j ( Ky + r ) = 0 , j = 1 , · · · , t. October 19, 2015 DRAFT0
Since the key matrix K and r are randomly generated and kept secret at the local side, thecoefficient matrix of the outsourced problem is perfectly protected. And because the functions f i ( · ) and h j ( · ) are all non-linear functions, the security and the complexity analysis of systemof non-linear equations can be well applied in this case. Thus we conclude that our outsourcingscheme is also applicable to convex optimization problems.VI. R ESULTS V ERIFICATION
In this section, we propose a result verification scheme under which the end-users are guar-anteed to receive the valid results from the cloud. As stated previously, the cloud is not onlycurious about the end-users’ private information, it may also behave “lazily” to increase its ownbenefits. That is, to reduce the computational cost, the cloud has the motivation to deploy lesscomputational resources and simply returns some trivial results. As a consequence, the end-usersare not able to recover the valid results from those returned by the cloud.The general idea of our proposed verification scheme is to outsource the problem twice undertwo different affine mappings and to verify whether the two results returned by the cloud matchwith each other. To be specific, under the affine mappings x = K y + r and x = K z + r ,the original problem F ( x ) is transformed to G ( y ) and H ( z ) which are outsourced to the cloud.Then the cloud solves the two outsourced problems and returns the corresponding results y ∗ and z ∗ . Since the condition K y ∗ + r = K z ∗ + r holds for these two results, the end-users canutilize it as a criterion to verify whether the returned results are valid. A. System of Equations
The idea introduced above can be applied to system of equations directly. When F ( x ) is asystem of linear equations, it is sufficient to verify directly whether k Ax ∗ k < ε , where k · k denotes the Euclidean norm of a vector and ε is a pre-defined error tolerance. The complexityof this verification process is O ( n ) .When F ( x ) is a system of non-linear equations, since the end-user will have to evaluatethe non-linear functions, the computational cost for direct verification generally exceeds O ( n ) .However, based on our idea of outsourcing twice, the end-user only needs to check the condition K y ∗ + r = K z ∗ + r . Since the verification process involves only linear operations, thecomputational complexity is bounded by O ( n ) . As system of equations is typically solved by October 19, 2015 DRAFT1 iterative method, the solution is not accurate. Thus we may need to change the equality conditionto k ( K y ∗ + r ) − ( Kz ∗ + r ) k < ε . In the following analysis, we uniformly utilize the equalitycondition K y ∗ + r = K z ∗ + r as the verification criteria. When the computational problemsare solved inaccurately, the equality condition should be changed to its inequality variation. B. Optimization Problems
When F ( x ) is an optimization problem, we utilize convex optimization as an example toillustrate the verification process. And it can be easily applied to other optimization problems,such as linear programming. The output of a convex optimization problem can be divided intothree cases: normal, infeasible and unbounded [18, Chapter 4.1]. For the convex optimizationproblem defined in equation (5), the domain D is the set for which the objective function andthe constraint functions are defined. That is D = m \ i =1 dom f i ∩ t \ i = i dom h i . The feasible set is E = { x ∈ D | f i ( x ) ≤ , i = 1 , · · · , m, h i ( x ) = 0 , i = 1 , · · · , t } . In the normalcase, there exists an optimal point x ∗ ∈ E such that f ( x ∗ ) ≤ f ( x ) , ∀ x ∈ E . In the infeasiblecase, E = ∅ . In the unbounded case, there exists points x k ∈ E such that f ( x k ) → −∞ as k → ∞ .For the cloud to cheat, it must return results in the same case for the two outsourced problem G ( y ) and H ( z ) as mentioned above. Suppose that y ∗ and z ∗ are the two returned results andthey belong to the same case. In the following, we will present the verification scheme for thethree different cases separately.
1) Normal Case:
The above proposed verification scheme works well for the normal case.That is if the equality K y ∗ + r = K z ∗ + r holds, the end-user can make sure that a validresult can be recovered. This is because whatever the correct result is (normal, infeasible orunbounded), the cloud is not able to come up with two results that satisfy the equality withoutactually conduct the computation process. And this verification process for normal case formsthe basis for the verification for other cases.
2) Infeasible Case :
The above verification scheme would fail if the cloud simply returns aninfeasible result for any outsourced convex optimization problem. To deal with this issue, weutilize phase I method as described in [18, Chapter 11] to check the feasibility of the problem.
October 19, 2015 DRAFT2
For a convex optimization problem F ( x ) , a corresponding phase I optimization problem can beconstructed as: F I ( x ) := minimize ρ subject to f i ( x ) ≤ ρ, i = 1 , · · · , mh j ( x ) = 0 , j = 1 , · · · , t , where ρ is a single variable. It is obvious that when ρ is large enough, F I ( x ) is always feasible.Suppose x ∗ minimizes the objective function and ρ ∗ is the corresponding minimum value.The phase I problem is designed in such a way that when ρ ∗ ≤ , the original problem F ( x ) is feasible and F ( x ) is infeasible otherwise. Thus the verification scheme for infeasible casecan be designed as follows. When the cloud indicates that the solutions to the two outsourcedproblem G ( y ) and H ( z ) are infeasible, it then generates the corresponding two phase I problems G I ( y ) and H I ( z ) and computes the optimal points y ∗ and z ∗ and the minimum values ρ ∗ G and ρ ∗ H , respectively. Then at the local side, the verification is the same as that in the normal case.That is only when ρ ∗ G > and ρ ∗ H > and the equality K y ∗ + r = K z ∗ + r holds can theend-user be guaranteed to receive valid solutions.
3) Unbounded Case:
In the unbounded case, the cloud indicates that the objective function f ( x ) → −∞ in its domain. We utilize duality to verify the soundness of the returned result.For a convex optimization problem, we can construct the corresponding Lagrangian L as L ( x , u , v ) = f ( x ) + m X i =1 u i f i ( x ) + t X j =1 v j h j ( x ) , where u ∈ R m and v ∈ R t are the associated Lagrange multiplier vectors . Then based on thisLagrangian L ( x , u , v ) , a Lagrange dual function can be constructed as Φ( u , v ) = inf x ∈D L ( x , u , v )= inf x ∈D f ( x ) + m X i =1 u i f i ( x ) + t X j =1 v j h j ( x ) ! , where D is the domain of the optimization problem. From this definition, it is easy to prove that ∀ u (cid:23) , we have the following inequality: Φ( u , v ) ≤ L ( x ∗ , u , v ) ≤ f ( x ∗ ) , where f ( x ∗ ) denotes the optimal value of the objective function. The above inequality gives alower bounded of the objective function that depends on the selection of u and v . Thus, among October 19, 2015 DRAFT3 all the selections of u and v , find the optimal lower bound is equivalent to solving the followingoptimization problem: maximize Φ( u , v ) subject to u (cid:23) . The objective function Φ( u , v ) is concave since it is the point-wise infimum of a series of affinefunction of ( u , v ) . Thus the above optimization problem is also a convex optimization problem.If the original problem is unbounded below, the convex optimization problem described aboveshould be infeasible since it gives a lower bound of the optimal value in the original problem.Thus the remaining task is to verify the feasibility of the above convex optimization problem,which has been illustrated in the infeasible case. Let the cloud solve the phase I problems ofthe two Lagrange dual problems and return the optimal solutions denoted by ( ρ ∗ G , y ∗ , u ∗ G , v ∗ G ) and ( ρ ∗ H , z ∗ , u ∗ H , v ∗ H ) . At the local side, the end-user then checks whether ρ ∗ G > and ρ ∗ H > and whether the equality K y ∗ + r = K z ∗ + r holds.VII. E VALUATION
In this section, we will evaluate the performance of the proposed CASO scheme. We firstcompare CASO with several existing outsourcing schemes. Then we present some numericresults to show the efficiency of CASO.
A. Performance Comparison
The existing schemes on outsourcing of numeric computation mainly focus on some specificproblems. To the best of our knowledge, no effective outsourcing schemes have been proposed fornon-linear problems. For instance, in [6] and [15], the authors proposed two outsourcing schemesspecially designed for linear programming and system of linear equations, respectively. In [19],the authors focus on the result verification of convex optimization problems without giving anoutsourcing scheme. In comparison, we propose an outsourcing scheme that is suitable for generalcomputational problems, including the problems investigated in the above works. Especially, wepresent the application of our scheme on both linear and non-linear problems.In the following part, we compare the performance of our proposed CASO scheme withthree existing schemes specially designed for three types of problems in terms of security,
October 19, 2015 DRAFT4 computational complexity and communication overhead. To measure the communication over-head, we introduce a communication overhead index I c which is defined as the fraction of thecommunication cost of transmitting the original problem over that of the transformed problem.Thus a larger I c indicates better communication efficiency.
1) Linear Programming:
In this section, we compare CASO for linear programming problemswith the schemes proposed in [6] and [14] in both security and complexity. We will show thatwhile achieving the same security level, our scheme outperforms in terms of complexity. Inaddition, our scheme also provides end-users with the flexibility to select different outsourcingoptions with different complexity according to their security demands.The general linear programming problems can be expressed as minimize c T x subject to Ax = bDx ≥ . (6)In [6], to transform the problem, a secret key K = { Q , M , r , λ , γ } is generated, where Q is arandomly generated m × m non-singular matrix, M is a randomly generated n × n non-singularmatrix, and r is an n × vector. With this secret key, the original problem is transformed to thefollowing problem minimize c ′ T x subject to A ′ x = b ′ D ′ x ≥ , where A ′ = QAM , D ′ = ( D − λ QA ) M , b ′ = Q ( b + Ar ) and c ′ = γ M T c . Then the transformedproblem is outsourced to the cloud which is similar as our approach.In terms of computational complexity, the computational overhead of the outsourcing schemein [6] as well as our scheme lies primarily in matrix multiplication. As stated in their paper,the overall computational complexity for the scheme proposed in [6] is slightly less than O ( n ) depending the algorithm chosen to implement matrix multiplication. For instance, when theStrassen algorithm is adopted, the complexity becomes O ( n . ) ; while for the Coppersmith-Winograd algorithm the complexity is O ( n . ) . However, by carefully selecting the secret key K , our scheme can limit the complexity within O ( n ) . October 19, 2015 DRAFT5
In terms of communication overhead, the original problems in both schemes are transformedby matrix multiplication such that the resulting matrices are still in the same scale. As a result,the communication cost of the original and transformed problems are in the same level. Thuswe have I c = 1 in our scheme and the scheme in [6].In terms of security, both schemes can conceal the private information by some disguisingtechniques, that is to disguise the original matrices by multiplying them with some randommatrices. As a consequence, the security they can achieve in protecting the original coefficientmatrix is in the same level. Since the types of the transformation matrices (e. g. Q , M ) arenot specified, each entry in the disguised coefficient matrix A ′ can be the linear combinationof multiple entries in A and the transformation matrices. Thus, the ratio information can beconcealed. In this sense, the security of the scheme in [6] is comparable with our scheme-4 interms of protecting side information.The scheme proposed in [14] can be regarded as a variation of that in [6]. The main differenceis that the authors in [14] specify the transformation matrices as sparse matrices in to order toachieve a lower computational complexity of O ( n ) . For example, the schemes in [14] disguisesthe coefficient matrix by matrix multiplication as A ′ = MAN , where M and N are bothsparse matrices. In this way, the complexity is reduced to O ( n ) . Actually, this scheme can beconsidered as a special case of our proposed CASO where K is selected as a sparse matrix.
2) System of Linear Equations :
In [15], the authors investigated outsourcing of system oflinear equations Ax = b based on iterative method. First, the problem is transformed to Ay = b ′ , where y = x + r , b ′ = b + Ar and r is a random vector. Then the end-user solves thetransformed problem iteratively with the aid of cloud servers and an initial guess y from thefollowing iteration equation: y k + = T · y k + c ′ , (7)where A = D + R such that D is non-singular, T = − D − · R and c ′ = D − · b ′ . The end-user utilizes the cloud servers to compute the most expensive part T · y k based on homomorphicencryption to conceal the private information T . To be specific, the matrix T is pre-computedat the local side and the encrypted version Enc ( T ) is outsourced to the cloud. At each iteration,the end-user sends y k to the cloud and based on the homomorphic properties of the encryption, October 19, 2015 DRAFT6 the cloud servers compute
Enc ( T · y k ) by Enc ( T · y k )[ i ] = Enc ( P nj =1 T [ i, j ] · y k,j )= Q nj =1 Enc ( T [ i, j ]) y k,j for i = 1 , · · · , n and send Enc ( T · y k ) back to the end-user. On receiving Enc ( T · y k ) , the end-user decrypts it and get y k + . This iteration terminates when it converges to the final result y .At last the end-user can recover the desired solution x by x = y − r .As stated above, the computational overhead at the local side primarily lies in the decryptionof T · y k in each iteration. Suppose the algorithm terminates after L rounds of iteration, then theend-user has to perform L · n times of decryption. However, the decryption process of public-keycryptosystem is much more expensive than simple multiplication of real numbers since it mainlyconsists of modular exponentiation of large numbers. For instance, the decryption process [20]adopted in [15] has a complexity of O ( n ) and a modified version can achieve a complexity of O ( n ǫ ) . Thus, the outsourcing scheme in [15] introduces O ( n ǫ ) computational overhead atthe local side. In terms of communication overhead, the outsourcing process requires the end-user to send y k and receive Enc ( T · y k ) at each iteration. As a consequence, the communicationoverhead index I c = L is dependent on the convergence speed. Furthermore, this iteration processrequires the end-user to be “online” for the process to continue. In comparison, our scheme canlimit the computational overhead to O ( n ) with I c = 1 . Moreover, during the outsourcingprocess, the end-user is “offline”, which means that after outsourcing the transformed problem,the end-user does not need to interact with the cloud servers until the result is sent back.The system of linear equations considered in [15] includes the coefficient matrix T and thesolution vector x . In [15], the matrix T is encrypted utilizing the Paillier cryptosystem [20] as Enc ( T ) and the vector x is transformed to y = x + r , where r is a random vector. In comparison,CASO disguises the coefficient matrix A and the solution vector x as A ′ = AK and x = Ky + r ,respectively. In the Paillier cryptosystem, each entry of the coefficient matrix T ( i, j ) is encryptedas Enc ( T ( i, j )) = g T ( i,j ) r n mod n , where g, r, n are parameters in the cryptosystem. There aretwo scenarios: (i) If r ’s are the same for all entries in the coefficient matrix, then all the identicalentries in A will be encrypted to identical entries in A ′ . In other words, by inspecting identicalentries in A ′ , we can determine whether entries in A are identical or not. However, in CASO,since an entry in A ′ is the linear combination of entries in A and K , the identical entries in A ′ would not indicate that the corresponding entries in A are identical. Thus, in this case, October 19, 2015 DRAFT7
CASO will provide better security protection.
In this case, the end-user needs to compute n + 1 exponential operation. (ii) If a different r is used for each entry of the coefficient matrix, thenthe end-user has to randomly select n r ’s, which is quite complex. Furthermore, the end-userneed to compute exponential operations for each entry ( g a i,j and r n ). Therefore, altogether, theend-user has to compute n exponential operations. In addition, due to security requirement, n has to be at least 1024 bits long. In this case, n would be 2048 bits. As an example, thesize of the outsourced coefficient matrix for 5000 variables would be around 6MB without datacompression. While in scheme-1 and scheme-2 of our proposed CASO, the transformation isapplied in the column basis. As a result, the order information of each column may be exposed.In this sense, the scheme in [15] may provide better protection than scheme-1 and scheme-2regarding the coefficient matrix A . However, in scheme-3, each entry in A is transformed to a ′ ij = j + ω X r = j − ω a ir k rj . When ω > , since each k rj in K is randomly chosen, the order information in each column willalso be concealed. Thus the scheme in [15] can provide comparable security protection regradingthe coefficient matrix A as scheme-3. In scheme-4, the entries in A ′ are further permuted. Asa result, there exist no explicit relation between the entry a ij in A and the corresponding entry a ′ ij in A ′ . However, one can know for sure that the entry t ′ ij in Enc ( T ) is encrypted from theentry t ij in T . Thus scheme-4 can provide better protection of A .In terms of the solution vector x , in [15], the solution vector x is protected by adding a randomvector r as y = x + r , while in our scheme, we conceal x by the affine mapping x = Ky + r .Thus, CASO scheme can provide better security protection in this aspect.
3) Convex Optimization:
In [19], the authors proposed a verification scheme for convexoptimization problems. However, they did not give any outsourcing scheme. Compare to [19], inaddition to result verification, CASO also provides a secure outsourcing scheme. Even in resultverification, CASO outperforms it in terms of computational complexity.The result verification of convex optimization is divided into three categories: normal, infea-sible and unbounded. The verification for normal case forms the basis for other two cases. Forthe normal case, the basic idea in [19] is to check the Karush-Kuhn-Tucker (KKT) optimalitycondition. The end-user has to evaluate the original functions as well as their differentials basedon the optimal points returned by the cloud. This verification process is much more expensive
October 19, 2015 DRAFT8
TABLE IIIP
ERFORMANCE C OMPARISON
Applicability Computational Complexity Communication Overhead Index I c LE LP NLE COPTOur Scheme √ √ √ √ O ( n ) √ O ( n . ) √ O ( n ǫ ) L [19] Only Verification Not Applicable Not Applicable since all the original functions are non-linear. In comparison, our verification scheme requiresonly linear operations (e. g. multiplication and addition) on the independent variables and thereturned solution, therefore, it must be more efficient.
4) Summary:
We summarize the performance comparison of CASO with some existing worksin Table III. We have shown that in the case of outsourcing linear programming (LP) and systemof linear equations (LE), CASO outperforms the existing schemes in computational complexity.In terms of security, all the schemes are secure in protecting the original coefficient matrix. Thatis, given the disguised problem, input and output, it is computational infeasible to recover theoriginal problem, input and output. CASO can also be applied to system of non-linear equations(NLE) and convex optimization (COPT). This shows that CASO possesses better applicability.Furthermore, compared to the existing works, CASO also gives end-users the flexibility to choosethe most suitable outsourcing strategy on a cost-aware basis. That is the end user can select thesecret key K for the outsourcing scheme based on its various security demands and computationalresources. B. Numeric Results
In this section, we measure the performance of CASO utilizing MATLAB. The computation ofboth the end-user and the cloud server is simulated using the same computer with an Intel Core2 Due CPU running at 2. 53 GHz with 4GB RAM. We take outsourcing of the system of linearand non-linear equations as examples. In the process of outsourcing, we focus on the overhead
October 19, 2015 DRAFT9 of problem transformation, result recovery and the performance gain that they can achieve byoutsourcing problems to the cloud. We denote the time for local computation in the outsourcingprocess T e , the time cost without outsourcing T s , and the performance gain I = T s / T e .We first show the simulation results for outsourcing of system of linear equations Ax = b ,where A is an n × n matrix. In complexity analysis, we show that the complexities of scheme-1 and scheme-2 are in the same level while the complexity for scheme-3 and scheme-4 arecomparable.In scheme-3, when the bandwidth W equals to , it reduced to scheme-1. Thus in ourevaluation, we take scheme-3 as an example and let K be a band matrix with bandwidth W varying from 1 to 31. To investigate the impact of problem size on our proposed scheme, we let n vary from 1000 to 5000. The numeric results are shown in Table IV. First, we can learn fromthe results that when the bandwidth of the banded matrix K becomes larger, the computationaloverhead at local side grows and the performance gain decreases. This fact coincides with ouranalysis of the trade off between complexity and security. Second, the performance gain increaseswith the growth of the problem dimension n . This is because our scheme requires the end-usersto carry out simple operations such as addition and multiplication. And this feature becomesmore obvious for the case of non-linear computation.Then we show the performance of our proposed scheme for system of non-linear equations.We assumes that the non-linear system is composed of polynomials on ten variables and let thenumber of independent terms N vary from 1000 to 5000. Also for the same reason, we deployband matrix as the key matrix and let the bandwidth W vary from 1 to 3. The simulation resultis shown in Table V. For system of non-linear equations, the performance gain is larger than itslinear counterpart. This is because CASO requires only linear operations (e. g. multiplication andaddition) in the local environment. Similar to that of the system of linear equations, the resultsclearly show that there exists a trade-off between the computational complexity and security.VIII. C ONCLUSION
In this paper, we proposed a cost-aware secure outsourcing scheme (CASO) for generalcomputational problems. We demonstrated that CASO can be utilized for secure outsourcing ofvarious computational problems, such as system of equations, linear programming and convexoptimizations. Our scheme also provides mechanisms for the end-users to verify results received
October 19, 2015 DRAFT0
TABLE IVP
ERFORMANCE E VALUATION FOR S YSTEM OF L INEAR E QUATIONS
Dimension Bandwidth T e (sec) T s (sec) I n = 1000 W = 1 0 . . . W = 7 0 . . . W = 15 0 . . . W = 31 0 . . . n = 2000 W = 1 0 . . . W = 7 0 . . . W = 15 0 . . . W = 31 0 . . . n = 3000 W = 1 0 . . . W = 7 0 . . . W = 15 0 . . . W = 31 0 . . . n = 4000 W = 1 0 . . . W = 7 0 . . . W = 15 0 . . . W = 31 1 . . . n = 5000 W = 1 0 . . . W = 7 0 . . . W = 15 1 . . . W = 31 1 . . . October 19, 2015 DRAFT1
TABLE VP
ERFORMANCE E VALUATION FOR S YSTEM OF N ON - LINEAR E QUATIONS
Dimension Bandwidth T e (sec) T s (sec) I N = 1000 W = 1 1 . . . W = 2 2 . . . W = 3 3 . . . N = 2000 W = 1 3 . . . W = 2 5 . . . W = 3 6 . . . N = 3000 W = 1 5 . . . W = 2 7 . . . W = 3 9 . . . N = 4000 W = 1 7 . . . W = 2 12 . . . W = 3 13 . . . N = 5000 W = 1 9 . . . W = 2 16 . . . W = 3 20 . . . from the cloud. We provided security analysis on our proposed scheme on a cost-aware basis. Inparticular, we proved that CASO is secure in protecting the coefficient matrix of the outsourcedproblem and can partly conceal the side information. Our analysis shows that CASO can limitthe computational overhead at the local side to O ( n ) . Since CASO is executed off-line, thecommunication overhead is in the same level as that of outsourcing the original problem itself.We also compared CASO with several existing schemes and showed that CASO is more efficientand has a wider applicability. October 19, 2015 DRAFT2 R EFERENCES [1] M. J. Atallah and J. Li, “Secure outsourcing of sequence comparisons,”
International Journal of Information Security ,vol. 4, no. 4, pp. 277–287, 2005.[2] M. Blanton, M. J. Atallah, K. B. Frikken, and Q. Malluhi, “Secure and efficient outsourcing of sequence comparisons,”in
Computer Security–ESORICS 2012 , pp. 505–522, Springer, 2012.[3] M. Blanton and M. Aliasgari, “Secure outsourcing of dna searching via finite automata,” in
Data and Applications Securityand Privacy XXIV , pp. 49–64, Springer, 2010.[4] M. J. Atallah and K. B. Frikken, “Securely outsourcing linear algebra computations,” in
Proceedings of the 5th ACMSymposium on Information, Computer and Communications Security , pp. 48–59, ACM, 2010.[5] D. Benjamin and M. J. Atallah, “Private and cheating-free outsourcing of algebraic computations,” in
Privacy, Securityand Trust, 2008. PST’08. Sixth Annual Conference on , pp. 240–245, IEEE, 2008.[6] C. Wang, K. Ren, and J. Wang, “Secure and practical outsourcing of linear programming in cloud computing,” in
INFOCOM, 2011 Proceedings IEEE , pp. 820–828, IEEE, 2011.[7] Y. N. Seitkulov, “New methods of secure outsourcing of scientific computations,”
The Journal of Supercomputing , vol. 65,no. 1, pp. 469–482, 2013.[8] S. Hohenberger and A. Lysyanskaya, “How to securely outsource cryptographic computations,” in
Theory of Cryptography ,pp. 264–282, Springer, 2005.[9] X. Chen, J. Li, J. Ma, Q. Tang, and W. Lou, “New algorithms for secure outsourcing of modular exponentiations,” in
Computer Security–ESORICS 2012 , pp. 541–556, Springer, 2012.[10] C. Gentry, “Fully homomorphic encryption using ideal lattices.,” in
STOC , vol. 9, pp. 169–178, 2009.[11] A. C. Yao, “Protocols for secure computations,” in , pp. 160–164, IEEE, 1982.[12] R. Gennaro, C. Gentry, and B. Parno, “Non-interactive verifiable computing: Outsourcing computation to untrustedworkers,” in
Advances in Cryptology–CRYPTO 2010 , pp. 465–482, Springer, 2010.[13] M. J. Atallah, K. Pantazopoulos, J. R. Rice, and E. E. Spafford, “Secure outsourcing of scientific computations,”
Advancesin Computers , vol. 54, pp. 215–272, 2002.[14] H. Nie, X. Chen, J. Li, J. Liu, and W. Lou, “Efficient and verifiable algorithm for secure outsourcing of large-scale linearprogramming,” in
Advanced Information Networking and Applications (AINA), 2014 IEEE 28th International Conferenceon , pp. 591–596, IEEE, 2014.[15] C. Wang, K. Ren, J. Wang, and K. M. R. Urs, “Harnessing the cloud for securely solving large-scale systems of linearequations,” in
Distributed Computing Systems (ICDCS), 2011 31st International Conference on , pp. 549–558, IEEE, 2011.[16] X. Chen, X. Huang, J. Li, J. Ma, W. Lou, and D. Wong, “New algorithms for secure outsourcing of large-scale systemsof linear equations,”
Information Forensics and Security, IEEE Transactions on , vol. 10, no. 1, pp. 69–78, 2015.[17] S. Pissanetzky,
Sparse matrix technology . Academic Press, 1984.[18] S. Boyd and L. Vandenberghe,
Convex optimization . Cambridge university press, 2009.[19] Z. Xu, C. Wang, Q. Wang, K. Ren, and L. Wang, “Proof-carrying cloud computation: The case of convex optimization,”in
INFOCOM, 2013 Proceedings IEEE , pp. 610–614, IEEE, 2013.[20] P. Paillier, “Public-key cryptosystems based on composite degree residuosity classes,” in
Advances in cryptology-EUROCRYPT , pp. 223–238, Springer, 1999., pp. 223–238, Springer, 1999.