Scalable and Soundness Verifiable Outsourcing Computation in Marine Mobile Computing

Outsourcing computation with verifiability is a merging notion in cloud computing, which enables lightweight clients to outsource costly computation tasks to the cloud and efficiently check the correctness of the result in the end. This advanced notion is more important in marine mobile computing since the oceangoing vessels are usually constrained with less storage and computation resources. In such a scenario, vessels always firstly outsource data set and perform a function computing over them or at first outsource computing functions and input data set into them. However, vessels may choose which delegation computation type to outsource, which generally depends on the actual circumstances. Hence, we propose a scalable verifiable outsourcing computation protocol (SV-OC) inmarine cloud computing at first and extract a single-mode version of it (SM-SV-OC), where both protocols allow anyone who holds verification tokens to efficiently verify the computed result returned from cloud. In this way, the introduced “scalable” property lets vessels adjust the protocol to cope with different delegation situations in practice. We additionally prove bothSV-OC andSM-SV-OC achieving selective soundness in the random oracle model and evaluate their performance in the end.


Introduction
Cloud computing [1], a shared pool of massive configurable computing resources, provides resource-constrained clients with various capabilities to access computation resources in an on-demand way.The merging development of hardware (e.g., sensor, wearable-device unit) makes it possible for mobile devices [2,3] feeling free to use and enjoy the cloud service in mobile computing category [4,5].This is especially important for the marine mobile computing filed since marine ecosystems should be exploited and treated seriously from both environmental side and economic side.In order to monitor the changes of marine ecosystems, scientific vessels need to perform a series of mathematical or statical analysis over collected data [6].This includes calculating the average temperature of ocean in an instantaneous moment or during a time period and reporting the variance of the dissolved oxygen during 24 hours, 72 hours, 6 months, or more [7,8].
However, the vessels are usually not supported by powerful data collection devices and large-scale computation processers.As a result, marine sensor units should collect marine data at first and send the collected data to vessels or base stations.Also, they may outsource some expensive computations to the cloud server and expect to use the result enjoyably after an efficient verification phase (since the cloud may return an incorrect answer for some profits).Moreover, a public verification method is preferable; namely, anyone holding the verification token can run the verification procedure in public.
Moreover, we notice that the vessel's usual outsourcing computation in marine mobile computing comes from the following two types (as in Table 1).Type I.A client outsources a combined input tuple containing data set and function together as inputs at first and then types into an importing function over the outsourced data and an importing data set towards the outsourced function in a combined way.
Type II.A client outsources a function as an input at first and then types into an importing data set towards the outsourced function.(Here, we do not consider a delegation type where a client outsources a data set at first and takes inputs on it.A detailed analysis on this can be found in Section 5.) Maybe, clients should flexibly switch Type I and Type II due to their actual demands in reality.If we design and deploy two respective outsourcing computation protocol systems for respective delegation type, there is no doubt that this will cause a big waste of resources, which is even not feasible in marine WSNs.Hence, a "scalable" property for an outsourcing computation protocol should be highlighted.Apart from this, some desirable features for verifiable outsourcing computation protocols in marine WSNs should also be considered seriously.
Therefore, we may have the following doubt: whether an efficient scalable outsourcing computation protocol with public verifiability towards Type I or/and Type II delegation in marine mobile computing field exists or not?Our Results.To give an affirmative answer to this expectation, we manage to design a public verifiable outsourcing computation protocol for Type I outsourcing and moreover extend it to support Type II outsourcing as well, which are inspired by [9][10][11].Specifically, our contributions in this work can be summarized as the following four parts: (i) Aiming for securely performing Type I computation outsourcing, we put forward a scalable public verifiable outsourcing computation protocol in marine mobile computing, namely, SV-OC.This protocol allows anyone to use a granted verification token to verify the result originated from any vessel's Type I computation request.
(ii) By treating the outsourced data set as an "on-the-fly" input of SV-OC, we extract a single-mode version (i.e., for Type II computation) with adding a slight additional cost.As a result, vessels can just use a SV-OC protocol enough for both Type I and Type II computation as they like, which shows the "scalable property's" flexibility at a maximum extent.
(iii) Both our SV-OC and SM-SV-OC protocols are proven to achieve perfect correctness and selective soundness in the random oracle model.Furthermore, the efficiency analysis and concrete performance evaluations on both two protocols are provided.
(iv) We motivate an intuition that the SV-OC protocol can be viewed as a hierarchical public VC protocol towards only outsourced function (Type II), where the subjective function accepts the outsourced data which can be viewed as a hierarchical access control procedure.

Problem Statement.
In this subsection, we present design goals and system overview for our introduced protocols.
Design Goals.To achieve both functionalities and privacypreserving requirements for an outsourcing computation protocol in marine mobile computing, the design goals can be thought from the following five parts.
(1) Scalability.The protocol should be able to flexibly vary its shapes depending on the type of outsourcing computation.
(2) Public Verifiability.Anyone with verification tokens can check the correctness of the result.
(3) Public Delegation.Any client can outsource a computation assignment to the cloud once the system is set up.
(4) Correctness.A dishonest cloud cannot return an incorrect output that passes verification.
System Description.Our SV-OC or SM-SV-OC protocol consists of the following three entities.
(i) Cloud Server.It receives the outsourcing computation request from any vessel and returns a result.
(ii) Vessels (consisting of a pilot one and a number of nonpilot ones).They delegate outsourcing computation tasks to the cloud and expect to receive the correct computational outcome.
(iii) Satellite.It provides a wireless communication channel between cloud server and vessels.
High-Level Roadmap. Figure 1 gives a high-level system overview on a group verifiable outsourcing computation protocol, namely, both SV-OC protocol and SM-SV-OC protocol.To be specific, the cloud server provides a verifiable outsourcing computation service for group vessels through the wireless channel supplied by the satellite.Note that a pilot vessel in a group of vessels initializes the public verifiable outsourcing computation service by outsourcing the delegation computing function (and accompanied outsourced data set), as well as sending the generated public system information to the whole system and the generated evaluation key information about computing function (and accompanied data set) to the cloud.In this way, any vessel in this group can delegate computations by directly typing inputs into the computing function (and accompanied data set).Then the cloud server performs a computation for the outsourcing request from a vessel.Finally, anyone who possesses a legal verification token (granted from the delegating vessel) is able to verify the result.We note that the above procedure path is highly similar to Type II (and Type I) outsourcing computation, that is, SV-OC or SM-SV-OC protocol, respectively, where the only difference is the clients' outsourcing type and importing type.

Related Work.
The studied problem is usually solved through a verification computation (VC) [12,13] method, which starts with outsourcing a computing function to the cloud at first and then takes inputs on it.However, current VC protocols do not satisfy the listed design goals simultaneously in specific marine cloud computing.The other way to consider the verifiable outsourcing computation field is designed for running some verifiable delegations on outsourced data sets [14,15], which is a little different from the formal VC concept where it differs in outsourcing whether it is a computing function or a data set at first.Also some works focused on performing computations towards outsourced functions (outsourcing at first) have been proposed [9,13,[16][17][18].For the public delegation and the public verifiable property, Applebaum et al. 's works did not satisfy them, as well as the work presented in [13,14,19].Reference [11] presented SV-OC protocol supported Type I computation outsourcing but neglected Type II one, so was the hybrid [20,21] notion for verifiable computation failing the scalable property.
We note that all approaches to construct VC protocols except for functional encryption-based method failed to provide public delegation property for a verifiable outsourcing protocol towards a group of clients.From this point of view, our proposed solution is more enjoyable for such a scenario.More importantly, current works fail to achieve all the mentioned design goals simultaneously.
Organization.In Section 2, we introduce the system model and security definition for our protocol.Section 3 gives the SV-OC protocol and its security analysis is provided in Section 4.An extracted version for single-mode public verifiable outsourcing computation protocol towards just outsourced function is shown in Section 5. Section 6 evaluates the performance and Section 7 gives a conclusion.

Background Knowledge
Notations 1.We denote by  $ ←   the fact that  is picked uniformly at random from a finite set .We denote PPT as a probabilistic polynomial-time algorithm.We use ⋅ to denote multiplication (or group operation) as well as componentwise multiplication.

Outsourcing Functions' Description Using
Access Structures Definition 2. A (monotone) access structure A = (M ∈  ℓ×ℓ   ,  : [ℓ] → U) for set universe U.One may hold the fact for an attribute set  ⊆ U: Here, 1 = (1, 0, . . ., 0) ∈ Z ℓ   is a row vector; as M  represents the th row vector of matrix M, a linear span span⟨M  ⟩ is a collection of vectors M  = {M  : () ∈ } over Z  .
Remark 3. In this paper, we mainly focus on giving a verifiable outsourcing computation protocol for Boolean formula delegating functions.When we manage to enable our protocol to be usable for multibits F rather than one bit (Boolean formula), we usually take the following steps to realize: (1) Split the computing function F in to some subfunctions  1 , . . .,   , where   is the th output bit of the computing function F.
(2) Now we can run the SV-OC and SM-SV-OC (for Boolean formula function) with conducting each subfunction   .
Therefore, we can obtain a scalable outsourcing computation protocol for (polynomial many) multibits output for F ∈ F, where F can be implemented by a polynomialsize Boolean formula's circuit.In this case, any outsourcing function  ∈ F can be computed by a polynomial-size Boolean formula and can thus be described by a (monotone) access structure [22].We therefore use the access structures to symbolize the aiming outsourced (Boolean) functions F throughout this paper.

Underlying Security Guarantee.
The security of our protocol relies on the decisional -BDHE assumption.Let G, G  be two cyclic groups of prime order  and a generator  of group G along with an efficient computable map  : . .,  2 , ), and an adversary A should distinguish a computed value Definition 4. One says that the decisional -BDHE assumption holds in (G, G  ) if, for any PPT adversary A, its advantage in above game is negligible in security parameter .

Definition for Scalable Verifiable Outsourcing Computation.
In this subsection, we present the system definition, correctness definition, security definition, and privacy definition for a scalable verifiable outsourcing computation protocol.
System Definition.A scalable verifiable outsourcing computation SV-OC protocol is composed of the following four PPT algorithms: ( Security Definition.We define a security experiment against adaptive (adaptively chosen outsourced function and data sets) adversaries, which is played by a challenger and a stateful adversary A = (A 1 , A 2 ).
A SV-OC protocol achieves selective soundness if for all PPT adversaries A and for any F ∈ F and  ∈ U  , A's winning advantage under the following condition, that make the experiment always output "1." Privacy Definition.The clients' outsourced/input computing function and data set are altogether kept hidden from the adversary's view.Moreover, the cloud's output for the problem solution does also not leak any information on the problem description.In this paper, we consider these as outsourcing privacy, input privacy, and output privacy.

Our Scalable Verifiable Outsourcing Computation Protocol: SV-OC
Inspired by the dual-policy attribute-based encryption (ABE) scheme [10,23], we present the first publicly verifiable outsourcing computation protocol towards both (Boolean formula) outsourced functions and outsourced data sets altogether, which also relies on our introduced variant transformation [11] of the general relationship between ABE and public VC [9].Specifically specifying the example in Section 1, the pilot vessel first initializes the SV-OC service by inputting an outsourced function and an accompanied data set to generate a public key pk F and an evaluation key ek F and sends them to the cloud and other vessels.Thus, any vessel in this fleet can directly input the objective input  for F and an accompanied computation function G over data set G along with randomly chosen messages ,   altogether, to generate a problem description  ,G and a verification key vk ,G .Once receiving pk F and ek F , the cloud computes the problem result  ot on the problem  ,G .Finally the vessel (or a legal granted anyone) can use the verification key vk ,G to efficiently check the result  ,G 's correctness.(3)

Evaluation Key Generation Phase.
For an encoded objective outsourced function F ∈ F's access structure ), as well as a subjective outsourced data set  ⊂ U  , pick a random vector k Similarly, we obtain the corresponding secret key sk F, using uniformly and randomly chosen independent "xx"type variables.(Here, we omit the descriptions on the sampling process on "xx", since it is almost same as that for sk F, ) Then, where F denotes the complement function of the outsourced function F. Hence, output the public key and the evaluation key information as pk F fl (mpk, mpk) and similarly we generate ct ,G (by introducing new "xx"type parameters to generate ct ,G by using mbk): Hence, output the problem description and the verification key information as where  is a one-way function.
Here, we note that this compute process can be realized efficiently (reducing the number of pairing operations) but just add a few exponentiation operations as a tradeoff.( Remark 5.The verifiability of SV-OC is mainly against the outsourced function since the concept of the complement data sets of  does not make sense in practice compared to F. Hence, our SV-OC can be served as a hierarchical public VC protocol towards just outsourced function, which regards the subjective function accepting outsourced data set as a hierarchical (fine-grained) access control condition.

Security Analysis
In this section, we give correctness and efficiency analysis on our SV-OC protocol at first and sketch a security analysis and privacy analysis on it as well.

Correctness Analysis.
Based on the correctness of [10] dual-policy attribute-based encryption along with our modified transformation [11] between ABE and public VC in terms of [9], the correctness follows straightforwardly when both the following two conditions hold: (1) the outsourced function F accepts the data set ; (2) the outsourced data set  satisfies the function G.
In the compute phase, the recovery process of   is parallel to that of .Here, we just show the correctness of the  case: where the fourth equation follows the linear reconstruction property of Definition 2, and we have ∑ Remark 6.The correctness of the above compute phase is similar to that of the decryption process in [10].

Efficiency Analysis.
In this part, we give a time and a size efficiency analysis for SV-OC.Concretely, Table 3 lists the dominant time operations (i.e., pairing, exponentiation, and multiplication) in group that belongs to each step of SV-OC, and moreover Table 2 gives the size calculations.
In the SV-OC protocol, Step (1) and Step (2) are altogether done by the pilot vessel, any vessel can perform Step (3), and the data center (e.g., cloud) completes Step (4) along with the fact that anyone can carry out Step (5).
As the bandwidth between each entity across this marine WSNs is low [5,24], the low parameter size is highly demanded.From Table 3, we find that most operations that need high cost reside in the data center side.Consequently, the pilot vessel can certainly afford the VC service initialization computation overhead.In this way, the overhead of the problem description paid by any vessel is short, and anyone's verification cost on the result is very little as well.Therefore, the efficiency of the obtained SV-OC is enjoyably applicable to the marine wireless sensor networks.We can easily reduce the security of SV-OC with adaptive soundness to the adaptive security of the dual-policy ABE [10] and the general transformation between them, since one can obtain the SV-OC protocol by running the ABE scheme twice along with other techniques.More technical details can be found in Section 4.2 of [10] and Appendix A of [9].

Privacy Analysis.
During the SV-OC protocol's process carried out, the specific contents of the outsourced part and the input part are encoded as another form.Specifically, the clients' outsourced computing function and accompanied data set are encoded as an evaluation key ek F and any client's input , and G is encoded as a problem generation ct ,G , in such a way that the cloud cannot obtain any knowledge about the outsourcing privacy and input privacy.For the output privacy, the random message  is also hidden by a owe-way function ; thus the cloud can just get () and is unable to recover  from it (except a negligible advantage) which is considered to achieve output privacy as well.

Extracted Single-Mode Version of SV-OC Protocol
In some cases, the clients (e.g., vessels) may just outsource either data sets or computing function to the cloud; therefore we have to ask the following question: Can we transform the dual-mode verifiable outsourcing computation into a single-mode one?
Intuitively, setting one of the outsourced data sets and outsourced function as "on-the-fly" input of SV-OC protocol, we hence assume obtaining two single-mode public VC protocols towards respective outsourced function and outsourced data sets.However, this assumption fails due to the nonexistence of a single-mode SV-OC for outsourcing data sets.The reasons are as follows: (1) Firstly, we should observe that the complement class of the outsourced data sets  does not make any sense in practice, which is not similar to the relation between F and F. It is also not easy to obtain the complement class of .(2) Secondly, one can run the key-policy ABE (KP-ABE) mode of dual-policy ABE (DP-ABE) in [10] twice for respective F and F, but the relation between ciphertext-policy ABE and public VC is not known so far.In this way, the checkability of the single-mode SV-OC over outsourcing data sets cannot achieve "1." Hence, we can just obtain the single-mode variant of SM-SV-OC for outsourced computing function at first, namely, Type II delegation type.
Table 3: Group operations analysis in each phase of our SV-OC protocol.In the table, "Pairing" represents a paring operation in the protocol; Exp G and Exp G  denote an exponentiation operation in groups G and G  , respectively; similarly, Mul G and Mul G  denote a multiplication operation in group G and G  , respectively; ", ℓ," respectively, represent the maximum input size and the row's number in the sharing matrix M.
Step Description Performer Operations (1) System initialization Pilot vessel 2Pairing + 2Exp Evaluation key generation Pilot vessel Problem generation Any vessel 5.1.Construction for Single-Mode SV-OC for Just Outsourcing Functions: SM-SV-OC.Inspired by the KP-ABE mode of dual-policy ABE [10] and our SV-OC protocol, we give the single-mode publicly verifiable outsourcing computation towards outsourcing computing functions' construction.
(1) System Initialization Phase.This step is same as that of SV-OC except for adding special data  0 as a new input.
(2) Evaluation Key Generation Phase.This stage is same as that of SV-OC except by randomly choosing  0 ,  0 $ ←  Z  and setting Hence the evaluation key behaves as (3) Problem Generation Phase.This is almost same as that of SV-OC except for sampling  $ ←  Z  and setting Hence, the problem description behaves as )) Finally, output the problem solution  ot := (  ,   ).
(5) Verification Phase.This step is exactly same as that of SV-OC.
This concludes the construction description.In concrete way, the problem generation and verification overheads enjoy better efficiency than that in SV-OC, but its overhead on generating evaluation key is a little expensive (including the size of ek F ) compared to SV-OC, since "onthe-fly" data set is involved to handle the construction.A tradeoff between Steps (1), (2), and (3) and Steps (4) and (5) over the above three steps does inevitably exist.Apart from this, the overall time and time overhead are almost same as that of SV-OC.

Analysis on the
As a result, the (non)pilot vessel or anyone can efficiently run the single-mode SV-OC service, and moreover the cloud's running cost on computing the problem also turns out to be short.In this way, we can directly extract a highly efficient SM-SV-OC protocol from SV-OC.

Security Analysis
Theorem 9 (main theorem).Let F be a class of Boolean functions (implemented by a family of circuits C), and let F = {F | F ∈ F} be a class of the complement function F of each function F and  be any one-way function.Suppose Definition 4 holds; then the single-mode SV-OC protocol for only outsourcing computing functions achieves selective soundness according to the security definition in Section 2.3.
The proposed single-mode verifiable outsourcing computation protocol SV-OC can be seen as a special variant of SV-OC in fact, whereas their functionalities are merely not the same.Based on the security analysis on Theorem 8, Theorem 9 can be proved easily as well.

Privacy Analysis.
The privacy analysis on the SM-SV-OC protocol is same as that of the SV-OC protocol in Section 4.4.

Performance Evaluation
In this section, we give a performance evaluation on our SV-OC and its extracted single-mode outsourcing for SV-OC and SM-SV-OC in the actual experiment as in [25].
Standing by the standard NIST recommendation [26] and general remarks [25,27] based on the Python language's realizations along with its provided Charm-crypto Benchmark, we note that the charm tool [25] is an extensible Pythonbased framework under Pairing-Based Cryptography (PBC) library for rapidly prototyping cryptographic schemes and protocols, which is widely used in conducting functional encryption-based primitives.We remark that this is instantiated in an Ubuntu 12.04 operating system with 1 GB RAM (established in a MACBOOK Air Intel i5@1.8GHz and 4 GB RAM equipped with a VMWare software).Next, we decide to employ the "SS512" elliptic curve for our performance evaluation.Finally, Table 7 shows the "SS512" curve's element length; and moreover Table 6 gives a list of the "SS512" curve's average running-times for each protocol step.
Suppose that the size of the data set ,  is  and the value of ℓ, ℓ  is 10.Based on the employed "SS512" elliptic curve [28], the actual size evaluation in Figure 2 and the time efficiency simulation in Figure 3 are both given.In addition, we use "+" to denote the dual-mode SV-OC protocol and "⬦" to denote the extracted singlemodel SV-OC: SM-SV-OC protocol in both Figures 2 and  3.
From Figures 2 and 3, we can deduce the fact that both SV-OC and SM-SV-OC achieve high space and time efficiency.Our SV-OC protocol's efficiency is comparable to the extracted SM-SV-OC one's efficiency.Particularly, the overload that belongs to the weak clients' sides is actual satisfactory.

Concluding Remarks
This paper presented a scalable and soundness verifiable outsourcing computation protocol in marine mobile cloud computing.Our SV-OC protocol enabled any client to delegate a computation task to the server and was also able to designate anyone to verify the result.In addition, an extracted single-mode outsourcing computation protocol SM-SV-OC from SV-OC was presented, which led to a fact that the client can adapt SV-OC based on the inputs' option in terms of its interest or its own needs.However, we found that our SM-SV-OC protocol could just handle the outsourcing function as the single mode; hence a design of a verifiable outsourcing computation protocol towards outsourced function may be an open problem.

) 3 . 3 .
Problem Generation Phase.Given an objective data set  ⊂ U and the access structure A fl ( ∈ Z ℓ×  ,  : [ℓ] → []) of an encoded subjective function G ∈ G altogether as inputs, randomly choose a random vector u $ ←  Z   such that 1u =  for  $ ←  Z  and set   =   ⋅ u,  ∈ [ℓ].Pick two messages ,  and output ct ,G fl (,   , {

Theorem 8 (
main theorem).Let F be a class of Boolean functions (implemented by a family of circuits C), and let F = {F | F ∈ F} be a class of the complement function F of each function F and the class of the outsourced data set U  = { |  ∈ U  } and  be any one-way function.Suppose Definition 4 holds; then the SV-OC protocol in Section 3 achieves selective soundness property according to the security definition in Section 2.3.

Figure 2 :
Figure 2: Size efficiency of the SV-OC protocol.

Figure 3 :
Figure 3: Time efficiency of the SV-OC protocol.

Table 1 :
Outsourcing computation types in mobile computing.
, 1  ): given a security parameter 1  , on input a function F and an accompanied outsourced data set , the pilot vessel outputs a public key pk F and an evaluation key ek F .(ii) ProbGen(pk F , , G): on input pk F , any (pilot or nonpilot) vessel can use it to encode an input  into a problem description  ,G , as well as outputting a verification key vk ,G .(iii) Compute(ek F, ,  ,G ): on input ek F, and a problem description  ,G , the data center (cloud) computes an outcome  ot .(iv) Verify(vk ,G ,  ot ): with input of the cloud's output  ot , anyone returns an output ot ∈ {0, 1} * or ⊥ (rejects the cloud's answer  ot using vk ,G ).

Table 4 :
Size analysis of our single-mode SV-OC protocol.In the table, "|G|, |G  |" denote the size of a group element in groups G and G  , respectively; ", ℓ," respectively, represent the maximum input size and the row's number in the sharing matrix M.
Single-Mode SV-OC for Just Outsourcing Computing Functions.In this subsection, we still give a correctness, efficiency, and security analysis on the SM-SV-OC protocol.In general, the size and time efficiency of the single-mode SV-OC protocol for only outsourcing computing functions are comparable to those of SV-OC one.Next, we present the time and size efficiency analysis for SV-OC in concrete way; Table4gives the size

Table 5 :
Group operations analysis in each phase of single-mode SV-OC protocol.In the table, "Pairing" represents a paring operation in the protocol; Exp G and Exp G  denote an exponentiation operation in group G or G  , respectively; similarly, Mul G and Mul G  denote a multiplication operation in groups G and G  , respectively; ", ℓ," respectively, represent the maximum input size and the row's number in the sharing matrix M.
computation protocol SM-SV-OC.Applying a certain implementation technique on realizing bilinear maps, we choose using an asymmetric bilinear group  :

Table 7 :
Average running-time of "SS512" elliptic curve.In the table, the symbol "ms" denotes running-time millisecond.