Publicly Verifiable Outsourcing Computation for QR Decomposition Based on Blockchain

In the Big Data Era, outsourcing computation has become increasingly significant as it supplies computation resources for clients with limited resources. However, there are still many security challenges such as payment fairness, privacy protection, and verification. In this paper, we propose a secure publicly verifiable outsourcing computation scheme for the large-scale matrix QR decomposition. In the proposed scheme, the client can pay for outsourcing services through a blockchain-based payment system, which achieves payment fairness. Moreover, to protect privacy, both a permutation matrix and a block diagonal matrix are applied in the encryption process. Meanwhile, to achieve public verification, the computational complexity is reduced by using the matrix digest technique. It is worth mentioning that our scheme is provably secure under the co-CDH assumption.


Introduction
Cloud computing, a new computing technology and service concept, has appeared in the public's vision and serves customers in a pay-per-use manner [1-3]. It has promoted the development of emerging fields such as smart medical systems in recent years.
Outsourcing computation, as one of the basic applications of cloud computing, can significantly reduce the clients' computational burden [4].
There are two parts in an outsourcing scheme: payment and computation. The payment part often requires online payment and relies on a trusted third party such as a bank. To realize secure and fair payment of outsourcing services without relying on any third party, a fair payment framework based on blockchain has been used for outsourcing services in cloud computing [5]. In the computation part, the service requester submits data to the service provider, which might learn the service requester's private information from the data. Therefore, there exist many security challenges during the outsourcing process.
Regarding the protection of client privacy, computing tasks delegated to the cloud server frequently involve important sensitive information, such as the core technology of a company and patient health records. So, it is important for users to conceal their data before it is uploaded to the cloud server. Previous works have attempted to protect the confidentiality of the data. For example, fully homomorphic encryption (FHE) [6], a cryptographic technique, allows the service provider to perform valid and meaningful operations on ciphertext. However, the existing schemes based on FHE suffer from high computation complexity.
Moreover, result verification is vital as well. Since the process of cloud computing is not transparent to the public who upload their data, the public should be able to detect in time whether there are any errors in the outsourcing result. There may be many reasons for an invalid or wrong result, such as hardware malfunction, software bugs, or malicious hackers. Furthermore, a semihonest cloud server [7] might work dishonestly or even cut down calculation steps due to huge benefits.
Considering financial expenses, an outsourcing computation scheme should be highly efficient. That is, the user's computation in the outsourced process should be far less than that of computing the task directly. Otherwise, outsourcing becomes meaningless for the client.
Matrix computation has many applications in scientific and engineering fields. Outsourcing matrix computation also involves the above security challenges. We study secure outsourcing of matrix QR decomposition and propose a publicly verifiable scheme based on blockchain. The system consists of two parts: blockchain-based payment and publicly verifiable computation. In this paper, we focus on designing the publicly verifiable computation scheme and refer the reader to reference [5] for more about blockchain-based payment.

Contributions.
The contributions of this paper can be summarized in the following three points:
(i) We multiply the original matrix by a sparse block diagonal matrix to protect the client's privacy. The computational complexity of the encryption process is $O(n^2)$.
(ii) The scheme provides public verification. To reduce the workload of the verifier, we use the matrix digest technique, which transforms any matrix into a specific vector with a chosen parameter, in the verification of the QR decomposition.
(iii) We show the soundness of the scheme through detailed theoretical analysis, including correctness, security, and efficiency. It is proved that the scheme is secure under the co-CDH assumption.

Related Work.
Looking back on the development of outsourcing computation in the past decades, many schemes have been designed for different scientific computations. Atallah et al. [8] first proposed the concept of scientific computing outsourcing. To protect the privacy of clients, researchers have devoted themselves to designing secure outsourcing schemes [9-14]. Salinas et al. [9] described a privacy-preserving transformation method that adds a random matrix to the original matrix. For the verifiability of outsourcing results, Golle and Mironov [15] first realized this goal in their scheme. Then, a verifiable scheme for any function was designed by Gentry [6], which provided the formal concept of verifiable computing. Benabbas et al. [16] put forward a verifiable scheme for high-degree polynomial functions. Nevertheless, in many applications, verification needs to be public. In other words, any customer can verify the result. Recently, some experts turned their attention to publicly verifiable computation. Fiore and Gennaro [17] allowed the service requester to verify the result with a noninteractive evidence. Meanwhile, Parno et al. [18] gave the concepts of correctness and security, establishing a connection between publicly verifiable computation and attribute-based encryption (ABE). In addition, Fiore and Gennaro [17] also designed a matrix multiplication outsourcing scheme according to Yao's Garbled Circuits [19]. Different from the traditional scheme [11], the scheme in [20] allows all clients to share a common matrix M to perform matrix multiplication, but it does not protect the security of the original matrix.
Jia et al. [12] took privacy protection into account, where the matrix can be arbitrary. Li et al. [21] improved the efficiency compared to previous work and achieved public verification. Zhang et al. [13] greatly reduced the computing overhead in the verification process. The scheme in [22] not only achieved public verification but also protected the private information of the original data, where the matrix digest was utilized to reduce the overhead of key generation and cloud computing.
The above results [12, 17, 20-22] are publicly verifiable solutions for matrix multiplication. However, there is no publicly verifiable solution for matrix decomposition. Matrix decomposition, as one of the basic matrix operations, has many application scenarios [23-26]. Luo et al. [27] designed a secure algorithm for QR decomposition without achieving public verification. We propose a scheme which achieves public verification under the amortized model for QR decomposition of large-scale matrices. To protect privacy, sparse matrices, which cut down the computational complexity from $O(n^3)$ to $O(n^2)$, are applied during encryption.

Organization.
Section 2 introduces related definitions of verifiable computing and the necessary mathematical background. Section 3 details the proposed scheme for the publicly verifiable computation of the QR decomposition. The correctness, security, and efficiency analysis is given in Section 4. Finally, Section 5 concludes the paper.

Preliminaries
In this part, we introduce some related definitions, mathematical knowledge, and important techniques.

Publicly Verifiable Computation.
As mentioned by Gennaro [28], a publicly verifiable computation scheme VC not only allows a client to outsource his computation task but also guarantees that the outsourcing result is correct and verifiable.
The formal definitions of these properties for publicly verifiable computation are presented in [22,28]. For the sake of completeness, we give some related definitions before introducing our scheme.
Definition 1. An outsourcing scheme VC consists of the following five subalgorithms:
Given the randomly selected parameter $\lambda$, a public key PK is produced to protect the function
According to the PK and the encrypted $\sigma_x$, the outsourcing service provider produces a blinded output $\sigma_y$.
(iv) $\mathrm{Verify}_{SK}(\tau_x, \sigma_y) \to (y \cup \perp)$: Based on $\sigma_y$ and $\tau_x$, if $\sigma_y$ of function F is correct, it outputs y. Otherwise, it outputs the symbol $\perp$.
(v) $\mathrm{Solve}_{SK}(\tau_x, \sigma_y) \to (y)$: The algorithm decodes $\sigma_y$ to generate the final result $y = F(x)$ with SK and $\tau_x$.
Next, we focus on the properties of a publicly verifiable computation scheme VC, including correctness, security, privacy, and efficiency.
Definition 2 (correctness). For a function F, we say the verifiable outsourcing scheme VC is correct if the key generation algorithm generates keys $(PK, SK) \leftarrow \mathrm{KeyGen}(F, 1^\lambda)$ and satisfies the following condition: $\forall x \in \mathrm{Domain}(F)$, $y = F(x) \leftarrow \mathrm{Verify}_{SK}(\tau_x, \sigma_y)$ if $(\sigma_x, \tau_x) \leftarrow \mathrm{ProbGen}_{SK}(x)$ and $\sigma_y \leftarrow \mathrm{Compute}_{PK}$.
The formalized definition of security of a verifiable computation outsourcing scheme VC is introduced next: a malicious server cannot persuade the verifier to output an invalid result $\hat{y}$ for the function F and input x, that is, $F(x) \ne \hat{y}$. We capture this with the experiment described below.

Experiment $\mathrm{Exp}^{\mathrm{Verify}}_{A}[VC, F, \lambda]$:
For $i = 1, \ldots, l = \mathrm{poly}(\lambda)$;
$(PK, SK) \xleftarrow{R} \mathrm{KeyGen}(F, \lambda)$;
Here, poly(·) is a polynomial. Given oracle access, the adversary can produce the encryption of multiple problems. For a known input, the adversary wins if it can persuade the verifier to accept an output in which an error goes undetected.
Definition 3 (security). For a verifiable computation outsourcing scheme VC, the capability of an adversary A in the above experiment is defined as follows: ( For a function F, the scheme VC is secure if, for any adversary A running in probabilistic polynomial time (PPT), where negli(·) is a negligible function of its input.
If the outputs of the ProbGen algorithm over two different inputs are indistinguishable, we say a VC scheme is private. To define the privacy of a verifiable computation scheme, we need an experiment. Given the public key PK for the scheme, the adversary A chooses two inputs $x_0$ and $x_1$. Then, he is given the encoded version of one of $x_0$ and $x_1$ and must guess which one was encoded. In the process, the oracle $\mathrm{PubProbGen}_{SK}(x)$ calls $\mathrm{ProbGen}_{SK}(x)$ to obtain $(\delta_x, \tau_x)$ and returns only the public part $\delta_x$. Now, the experiment is described below.

Experiment Exp
Definition 4 (privacy). According to the above experiment, the ability of an adversary A is defined as . (3) A verifiable computation scheme is private if, for a function F and any adversary A running in PPT, where negli(·) is a negligible function of its input.

Definition 5 (efficiency).
A verifiable scheme VC must be highly efficient for the client. That is, the time for encryption and verification in the scheme should be shorter than the time needed for the client to accomplish the computing task directly by itself.

Bilinear Pairings.
The bilinear pairings used in a verifiable computation scheme VC are introduced as follows.
Let $G_1$, $G_2$, and $G_T$ be three multiplicative cyclic groups with the same large prime order p, and let $g_1$ and $g_2$ be generators of $G_1$ and $G_2$, respectively. A bilinear pairing is a map $e: G_1 \times G_2 \to G_T$, which has the following three characteristics:
the equation $e(g^\alpha, h^\beta) = e(g, h)^{\alpha\beta}$ holds
Security and Communication Networks
(ii) Computability: there exists an efficient algorithm for computing $e(g, h)$ for any
where g and h can be interchanged
According to the above, the related definitions of computational assumptions can be described as follows.
Definition 7 (co-CDH assumption). Given $g, g^\alpha \in G_1$ and $h, h^\beta \in G_2$ for randomly selected $\alpha, \beta \in_R F_p^*$, if the probability of computing $g^{\alpha\beta}$ is negligible for any PPT algorithm, the co-computational Diffie-Hellman assumption holds in $G_1$.

Matrix Digest Technique.
As a one-way irreversible mapping, the matrix digest [22,29] transforms any matrix into a specific vector with a chosen parameter, which reduces the computational complexity from $O(n^3)$ to $O(n^2)$. In fact, a matrix consists of column vectors, and a vector is itself a special matrix. For example, a square matrix $\hat{A}$ can be denoted as

By this technique, we can transform the matrix $\hat{A}$ into the vector $\vec{b}$ by a row vector $\vec{s} \in Z^*$, where the vector b
There are three properties of the matrix digest:
(i) Deterministic: the matrix digest of a matrix is determined uniquely by the known parameter vector, i.e., if $\vec{s}$ is chosen as the parameter, $\vec{b}$ must be unique for $\hat{A}$.
(ii) Computable: the result of the matrix digest is essentially a vector and retains the computing ability of the initial matrix.
(iii) Irreversible: given a matrix digest, it is difficult for anyone to recover the initial matrix and the selected parameter. Furthermore, even if the matrix digest and the parameter are both known, the initial matrix still cannot be obtained.
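The digest idea above, as an added example that is not part of the original paper: it assumes the digest has the form $\vec{b} = \vec{s}\hat{A}$ (row vector times matrix), uses constructed rational matrices so that comparisons are exact, and leaves out the scheme's pairing-based keys. It checks a claimed factorization $\hat{A} = \hat{Q}\hat{R}$ and the orthogonality of $\hat{Q}$ with vector-matrix products only; all function names are illustrative.

```python
from fractions import Fraction as Fr

def vec_mat(v, M):
    """Row vector times matrix: n^2 multiplications for an n x n matrix."""
    return [sum(v[i] * M[i][j] for i in range(len(v))) for j in range(len(M[0]))]

def mat_mul(X, Y):
    """Full matrix product: n^3 multiplications (what the digest avoids)."""
    return [vec_mat(row, Y) for row in X]

def digest(M, s):
    """Matrix digest under the ASSUMED form b = s * M (s is a row vector)."""
    return vec_mat(s, M)

def product_digest_ok(A_hat, Q_hat, R_hat, s):
    """Compare digest(A_hat) with the digest of Q_hat * R_hat, computed as
    (s * Q_hat) * R_hat: two O(n^2) passes, the product is never formed."""
    return digest(A_hat, s) == vec_mat(digest(Q_hat, s), R_hat)

def orthogonality_digest_ok(Q_hat, l):
    """Digest form of Q^T Q = I: (l * Q^T) * Q must give back l."""
    Q_t = [list(col) for col in zip(*Q_hat)]
    return vec_mat(vec_mat(l, Q_t), Q_hat) == list(l)

def is_upper_triangular(R):
    """R_hat is inspected directly, entry by entry below the diagonal."""
    return all(R[i][j] == 0 for i in range(len(R)) for j in range(i))

def accept(A_hat, Q_hat, R_hat, s, l):
    """Accept a claimed QR result only if all three checks pass."""
    return (is_upper_triangular(R_hat)
            and orthogonality_digest_ok(Q_hat, l)
            and product_digest_ok(A_hat, Q_hat, R_hat, s))

# Constructed sample data (not from the paper): a rational Householder
# reflector as Q_hat and an integer upper triangular R_hat.
Q_HAT = [[Fr(7, 9), Fr(-4, 9), Fr(-4, 9)],
         [Fr(-4, 9), Fr(1, 9), Fr(-8, 9)],
         [Fr(-4, 9), Fr(-8, 9), Fr(1, 9)]]
R_HAT = [[Fr(9), Fr(18), Fr(27)],
         [Fr(0), Fr(9), Fr(18)],
         [Fr(0), Fr(0), Fr(9)]]
A_HAT = mat_mul(Q_HAT, R_HAT)      # the matrix the server was asked to decompose
S = [Fr(2), Fr(3), Fr(5)]          # digest parameter for the product check
L_VEC = [Fr(1), Fr(4), Fr(6)]      # digest parameter for the orthogonality check

def tampered_results():
    """Two incorrect answers: one wrong entry in R_hat, one wrong entry in Q_hat."""
    bad_R = [row[:] for row in R_HAT]
    bad_R[0][2] += 1
    bad_Q = [row[:] for row in Q_HAT]
    bad_Q[0][0] = Fr(1)
    return bad_R, bad_Q

if __name__ == "__main__":
    bad_R, bad_Q = tampered_results()
    print("digest of A_hat:", digest(A_HAT, S))
    print("honest result accepted:", accept(A_HAT, Q_HAT, R_HAT, S, L_VEC))
    print("tampered R accepted:", accept(A_HAT, Q_HAT, bad_R, S, L_VEC))
    print("tampered Q accepted:", accept(A_HAT, bad_Q, R_HAT, S, L_VEC))
```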

Threat Model.
The semihonest model introduced in [7] is an honest-but-curious one with an untrustworthy cloud server as the main adversary. It was also mentioned in [30], where participants in the outsourcing are required to honestly execute the designed scheme. While returning a correct result, a semihonest cloud will try to recover sensitive information from the data. Our scheme is based on a semihonest cloud server and introduces an independent data center which is trustworthy.

System Model.
Considering public verification, we give a system model for outsourcing computation with the following five entities, as shown in Figure 1.
(i) Data center (DC): keys are produced by DC. After initializing parameters, it generates the private keys and some public keys. Next, it uses the private key to generate the evaluation key for CS. Finally, it sends the private key to C and V over the secure channel.
(ii) Client (C): first of all, C should deposit enough money into $B_P$ for the cost of outsourcing services. Meanwhile, a request is sent to CS for a QR decomposition of the large-scale matrix. To protect privacy, C needs to encode the original matrix before the private matrix is uploaded to CS. Then, a verification key should be generated for V.
(iii) Cloud server (CS): like C, CS also needs to provide deposits to $B_P$. As the service provider, CS needs to perform the QR decomposition of the encrypted matrix and earn fees from C. Moreover, a proof, sent to V together with the computation results, is generated by using the evaluation key. Finally, the result matrices are transmitted to C. If C has no objection to the outsourcing result within a specified time, CS provides a proof $OS_{end}$ to $B_P$ and gets the corresponding fees. Otherwise, CS provides compensation to C.
(iv) Verifier (V): any verifier can be regarded as V. Using the verification key and the proof, V examines the correctness of the outsourcing results.
(v) Blockchain payment ($B_P$): we use the blockchain-based payment system $B_P$. After receiving deposits from C and CS, $B_P$ provides a proof $OS_{start}$ for CS to confirm the start of the outsourcing service.

Process Description.
The system model consists of two parts: the blockchain-based payment system and the publicly verifiable outsourcing computing system. In the blockchain-based payment system, C needs to provide the corresponding deposits in $B_P$ as the cost of service before requesting CS to perform the QR decomposition of the large-scale matrix $\hat{A}$. Meanwhile, CS also deposits the compensation in $B_P$ as a guarantee of honest computing. If the outsourcing result is correct, CS can obtain the corresponding service fees from $B_P$. Otherwise, C informs $B_P$ to terminate the payment process, and CS accepts punishment and provides compensation to C. In this paper, we focus on designing a publicly verifiable outsourcing computation scheme for QR decomposition called PVCMD-QR.
PVCMD-QR can be divided into five phases: the initialization phase, encryption phase, computation phase, verification phase, and decryption phase. To better understand this process, a flowchart is shown in Figure 2. The specific process of the scheme is described below.
In
Then, the compute algorithm is implemented in the computation phase. CS receives $\hat{A}$ to perform QR decomposition. Using EK from DC, it generates a value v for V. After getting the orthogonal matrix $\hat{Q}$ and the upper triangular matrix $\hat{R}$, V executes the verify algorithm by using both the key VK and the proof v in the verification phase. If the verification succeeds, $V_{YES}$ is sent to C at once and V informs C to accept the decomposition results. By the matrix digest, the verifier uses the vector $\vec{l}$ and the decomposition results to produce the vector $\vec{y} = (y_1, \ldots, y_j, \ldots, y_n)$. It is this technique that spares V from traversing each element of the result matrices. Eventually, in the decryption phase, using the unit permutation matrix $P^T$ and the inverse matrix $N^{-1}$ of the matrix N, C runs the solve algorithm and decrypts the result matrices to get the orthogonal matrix Q and the upper triangular matrix R of A.
Algorithm 1 (KeyGen) is executed by DC.
[Figure 2 panel labels: Encryption phase (C); Verification phase (V)]
where $PK_{1i} = g^{s_i}$, $PK_{2i} = e(g^{k_i}, \hat{h})$, and $PK_{3i} = \hat{g}^{s_i}$ for $i = 1$ to n.
Algorithm 2 (ProbGen) is executed by C to encrypt a private matrix A.

(a) C needs to perform $\hat{A} = PAN$, where $N \in Z_p^{n \times n}$. In particular, the matrix P is an n-order unit permutation matrix, and the matrix N is a sparse block diagonal square matrix, whose main diagonal is composed of several matrices $N_i$ and whose remaining positions are all 0 elements: where the submatrix $N_i$ (i =
Suppose that the nonsingular matrix A can be decomposed into $A = QR$. Algorithm 5 (Solve) is executed by C to obtain both Q and R.
(a) C gets the transposed matrix $P^T$ and the inverse matrix $N^{-1}$ of N, which requires inverting the upper triangular submatrix $N_i$ for $i = 1$ to t.
(b) Multiplying $\hat{Q}$ on the left by $P^T$ and $\hat{R}$ on the right by $N^{-1}$, the QR decomposition of matrix A can be obtained:
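An added example (not code from the paper) of the blinding in ProbGen and the recovery in Solve, with the cloud server's QR step replaced by a plain Gram-Schmidt routine. It assumes real-valued matrices, w-order upper triangular blocks with positive integer entries, and $n = wt$; all function names are illustrative.

```python
import math
import random

def mat_mul(X, Y):
    # Dense product for brevity; the paper's O(n^2) count relies on P and N being sparse.
    return [[sum(a * b for a, b in zip(row, col)) for col in zip(*Y)] for row in X]

def transpose(X):
    return [list(col) for col in zip(*X)]

def permutation_matrix(n, rng):
    """n-order unit permutation matrix P (a single 1 in every row and column)."""
    perm = list(range(n))
    rng.shuffle(perm)
    return [[1.0 if j == perm[i] else 0.0 for j in range(n)] for i in range(n)]

def block_diagonal_upper(n, w, rng):
    """Sparse block diagonal N built from w-order upper triangular blocks N_i.
    Entries are positive integers (assumption), so N is invertible; needs n = w*t."""
    N = [[0.0] * n for _ in range(n)]
    for start in range(0, n, w):
        for i in range(start, start + w):
            for j in range(i, start + w):
                N[i][j] = float(rng.randint(1, 9))
    return N

def invert_block_diagonal_upper(N, w):
    """Invert N block by block with back substitution (work grows as n*w^2)."""
    inv = [[0.0] * len(N) for _ in N]
    for start in range(0, len(N), w):
        for j in range(start, start + w):
            for i in range(j, start - 1, -1):
                acc = 1.0 if i == j else 0.0
                acc -= sum(N[i][k] * inv[k][j] for k in range(i + 1, j + 1))
                inv[i][j] = acc / N[i][i]
    return inv

def qr_decompose(M):
    """Modified Gram-Schmidt QR with positive diagonal in R (stand-in for the server)."""
    q_cols, R = [], [[0.0] * len(M) for _ in M]
    for j, col in enumerate(transpose(M)):
        v = col[:]
        for i in range(j):
            R[i][j] = sum(a * b for a, b in zip(q_cols[i], v))
            v = [a - R[i][j] * b for a, b in zip(v, q_cols[i])]
        R[j][j] = math.sqrt(sum(a * a for a in v))
        q_cols.append([a / R[j][j] for a in v])
    return transpose(q_cols), R

def prob_gen(A, w, rng):
    """Client side: blind A as A_hat = P A N; P and N stay secret."""
    P = permutation_matrix(len(A), rng)
    N = block_diagonal_upper(len(A), w, rng)
    return mat_mul(mat_mul(P, A), N), P, N

def solve(Q_hat, R_hat, P, N, w):
    """Client side: Q = P^T Q_hat and R = R_hat N^{-1}."""
    N_inv = invert_block_diagonal_upper(N, w)
    return mat_mul(transpose(P), Q_hat), mat_mul(R_hat, N_inv)

def max_abs_diff(X, Y):
    return max(abs(a - b) for rx, ry in zip(X, Y) for a, b in zip(rx, ry))

def run_demo(n=6, w=3, seed=2021):
    rng = random.Random(seed)
    # Constructed input: strictly diagonally dominant, hence nonsingular.
    A = [[rng.uniform(-5, 5) + (40.0 if i == j else 0.0) for j in range(n)] for i in range(n)]
    A_hat, P, N = prob_gen(A, w, rng)
    Q_hat, R_hat = qr_decompose(A_hat)      # the only matrix the server ever sees
    Q, R = solve(Q_hat, R_hat, P, N, w)
    Q_direct, R_direct = qr_decompose(A)    # the work the client avoided
    identity = [[1.0 if i == j else 0.0 for j in range(n)] for i in range(n)]
    return {
        "A_minus_QR": max_abs_diff(mat_mul(Q, R), A),
        "QtQ_minus_I": max_abs_diff(mat_mul(transpose(Q), Q), identity),
        "below_diagonal": max(abs(R[i][j]) for i in range(n) for j in range(i)),
        "Q_vs_direct": max_abs_diff(Q, Q_direct),
        "R_vs_direct": max_abs_diff(R, R_direct),
    }

if __name__ == "__main__":
    print(run_demo())
```

Because the diagonal of N is positive, the recovered R keeps a positive diagonal, so the recovered pair agrees with a direct QR decomposition of A up to rounding.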

Protocol Analysis
In this section, PVCMD-QR is analyzed from the perspectives of correctness, security, and efficiency.

Correctness Analysis
4.1.1. ProbGen Algorithm. Since the result of the QR decomposition is unique when the main diagonal elements of the upper triangular matrix are positive, not all matrices can be decomposed, and the square matrix to be decomposed must be nonsingular (invertible). Therefore, the input matrix $\hat{A}$ must satisfy $|\hat{A}| \ne 0$.
In fact, after the matrix A is encrypted, this condition is still satisfied. From $\hat{A} = PAN$, we get the equation $|\hat{A}| = |P| \cdot |A| \cdot |N|$. Specifically, since both P and N are invertible matrices, $|P| \ne 0$ and $|N| \ne 0$. In addition, the private matrix A is a full rank matrix, so $|A| \ne 0$.

Verify Algorithm.
Considering the property of the orthogonal matrix, we have $Q^T Q = I$, where I represents the identity matrix. If the vectors $\vec{y}_2$ and $\vec{y}_1$ are identical, $\hat{Q}$ must be an orthogonal matrix. The matrix $\hat{R}$, however, can be checked by direct observation.
The results are correct if the parties involved in the scheme execute the protocol honestly.
Before verification, it is necessary for V to compute the result vector $\vec{y}$, which can be obtained by y
Because of equations (11) and (12), equation (13)
According to equation (13), we have (11)
Step 3: return $V_{YES}$ or $V_{NO}$
Algorithm 4: Verify algorithm.

Input: $\hat{Q}$ and $\hat{R}$; Output: Q and R
(1) Solve $P^T$ and $N^{-1}$.

e(v, h)
In short, equation (9) holds, and the verification is successful and sound.

Theorem 1.
The publicly verifiable computation scheme PVCMD-QR is secure under the co-CDH assumption in group $G_1$.
Proof. We follow Definition 3 to give the theoretical analysis of the security of our proposed scheme.
To prove this theorem, there are two adversaries A and B. Suppose that the adversary A is able to break the soundness of PVCMD-QR with a probability ε, so that it can obtain important information about the scheme. The challenger B, with this information from adversary A, then tries to solve the co-CDH problem with a nonnegligible probability ε′, where ε ≈ ε′.
To break this assumption, challenger B accesses the random oracle $O_{co\text{-}CDH}$, which selects $\alpha, \beta \in F_p^*$ and returns $g, g' = g^\alpha \in G_1$ and $h, h' = h^\beta \in G_2$. Then, the challenger B runs this soundness experiment with adversary A: B sets $\hat{g}' = g'^{\delta}$ and $\hat{h}' = h'^{\delta}$ by selecting $\delta \in F_p^*$ randomly and generates the parameter $para' = (p, G_1, G_2, G_T, e, g, \hat{g}', h, \hat{h}')$. It uses the parameters $para'$ to generate $PK_1'$ and $PK_3'$, respectively, which are shown as follows: where where
Then, it generates an auxiliary vector $m' \in G_1^{n \times 1}$, where A ji 3j for i to n. According to $m'$ and $PK_1'$, it computes the public key $PK_2'$, which is a vector. In other words, the expression of $PK_2'$ is determined directly: We take each element of $PK_2'$ as the following:
There is an important condition for the above expression to be correct, namely, $b_i \ne 0$. Since the matrix $\hat{A}$ is full rank and $\vec{s} \in F_p^*$, the vector b
Therefore, the challenger B can eventually obtain the information needed to complete this experiment, such as $PK_2'$, $para'$, and $EK'$.
Secondly, although it differs from the real output of the KeyGen algorithm, the output of the random oracle $O_{KeyGen}$ has a distribution that is independent and indistinguishable. So, we have reason to believe these two facts: ), the following formula must be correct:
Now, we provide the specific process of solving $g^{\alpha\beta}$.
If the wrong vector $\vec{y}^*$ passes the verification, the following equation (21) must be true:
Considering equation (18), it is achieved that
To divide equation (21) by (22), we obtain
As $g' = g^\alpha$, $\hat{h}' = h^{\delta\beta}$, and
Hence, if $(y_j^* - y_j) \ne 0$ and $\delta s_j \ne 0$, there is
namely,
Hence, if this scheme is broken by adversary A with a certain probability ε, challenger B is able to break the co-CDH assumption with a nonnegligible advantage ε′. In summary, PVCMD-QR is secure under the co-CDH assumption in group $G_1$.

Efficiency Analysis.
In this section, we intend to give a detailed analysis of the computational overhead of PVCMD-QR.
The matrix N is produced by C, where the order of each submatrix $N_i$ for $i = 1$ to t is chosen randomly from 2 to w ($w \ll n$), so there will be many combinations in practice. However, since the matrix N is sparse, with computational complexity $O(n^2)$ for solving $N^{-1}$, the overhead of generating N and $N^{-1}$ is not taken into consideration.
To simplify the analysis, suppose that each submatrix $N_i$ on the main diagonal of N is a w-order upper triangular matrix. Since the inverse of a w-order upper triangular matrix is obtained easily, it is convenient to obtain the inverse matrix $N^{-1}$ of N, where the inverse
Therefore, we suppose that the order n of the original matrix A meets the condition $n = wt$.
In the KeyGen algorithm, the three randomly generated vectors $\vec{s}$, $\vec{l}$, and $\vec{k}$ require 3n random numbers in the group operation. Next, it needs to calculate $PK_1$, $PK_2$, $PK_3$, and EK separately. The public key $PK_1$ is an n-dimensional vector with $PK_{1i} = g^{s_i}$, so DC executes n exponential operations to obtain $PK_1$. The public key $PK_2$, an n-dimensional vector with $PK_{2i} = e(g^{k_i}, \hat{h})$, is similarly obtained by n exponential operations and n pairing operations. Additionally, n exponential operations need to be performed to get the public key $PK_3$. As the evaluation key EK is also an n-dimensional vector, DC should perform n additions.
To perform the ProbGen algorithm, where $\hat{A} = PAN$, C needs to use a sparse block diagonal upper triangular matrix N and a unit permutation matrix P.
Therefore, there are $n^2 + (1/2)(w + 1)n^2$ multiplications and $(1/2)(w - 1)n^2$ additions in the encryption operation. In addition, C computes a verification key $VK = \prod_{i=1}^{n} PK_{2i}^{b_i}$ with the vector $\vec{b}$. To get the vector, it performs $n^2$ multiplications.
Therefore, both n exponentiations and $n - 1$ multiplications are required in the process of generating VK.
CS executes the QR decomposition of the matrix $\hat{A}$ according to the Compute algorithm. It is necessary to produce the value v, a process that involves n exponentiation operations and $n - 1$ multiplications. However, before generating the value v, it should use the public key $PK_3$ to get an n-dimensional auxiliary vector $\vec{m}$, which requires $n^2$ exponentiation and $n(n - 1)$ multiplication operations. We should also account for the computation cost of the Solve algorithm. C has to decrypt the matrices $\hat{Q}$ and $\hat{R}$ to obtain the result of the QR decomposition of the original matrix A. Therefore, $n^2$ multiplication operations are carried out for solving $Q = P^T \hat{Q}$. In order to compute $R = \hat{R} N^{-1}$, it needs $(1/4)(w + 1)n^2 + ((1/4)w + (1/3) - (1/12)w^2)n$ multiplications and $(1/4)(w - 1)n^2 + ((1/4)w + (1/3) - (1/12)w^2)n$ additions.
Here, we denote an exponentiation operation by Ex, a multiplication operation by Mu, an addition operation by Ad, a pairing operation by Pa, a matrix decomposition by De, and a random number generation operation by Ge. $T_1$ and $T_2$ are described as follows: where $w \ll n$. In summary, the computation cost of each algorithm is shown in Table 1.
According to the above analysis, the computational complexity of the client is $O(n^2)$, which is lower than that of performing the QR decomposition directly.

Experiment Analysis.
Here, we evaluate the proposed scheme with experiments. Using the C language, we emulate the data center DC, the client C, the cloud server CS, and the verifier V on a laptop with an Intel Core(TM) i5-8265U CPU and 8 GB of RAM.
To better describe the computational efficiency of the proposed PVCMD-QR scheme, we simulate all the algorithms in our scheme (i.e., KeyGen, ProbGen, Compute, Verify, and Solve). First, we assume that the order of each submatrix of the block diagonal matrix N is identical, $w = 25$.
The computation costs for different scales of the problem are listed in Table 2, and the specific trend is shown in Figure 3. The experiment shows that the overhead of the client side is smaller than that of the CS, as listed in Table 3. Then, we illustrate the superiority of the outsourcing computation in Figure 4, in which we mainly consider the time cost of C. In Figure 4, the symbol T(EncAndDec) represents the time cost of C in the encryption and decryption phases of the outsourcing process, and the symbol T(QR) means the time cost required for C to compute the QR decomposition of matrix A directly. Compared to directly computing the QR decomposition of the original matrix A, the PVCMD-QR scheme is clearly more efficient as the dimension of the matrix increases.

Conclusion
Aiming at publicly verifiable outsourcing computation, this paper proposes a new publicly verifiable scheme with blockchain payment under the amortized model for the QR decomposition of large-scale matrices. The sensitive data is protected by using a sparse matrix. Therefore, the client can upload his/her private matrix to the outsourcing service provider to perform the QR decomposition. Simultaneously, the matrix digest technique is applied to the verification operation of the outsourcing computation, which cuts down the workload of the verifier dramatically. We also provide the theoretical proof of the correctness, security, and efficiency of the PVCMD-QR scheme, and the result proves that the scheme is secure under the co-CDH assumption.

Figure 2: A plan flowchart of the proposed scheme.
(a) According to the vectors $\vec{b}$ and y

Figure 3: Computational time cost for each algorithm.

Table 2: Computation cost of PVCMD-QR scheme for different problem sizes.

Table 3: Comparison of computation cost between the client and cloud side.