Blockchain-Based Secure Outsourcing of Polynomial Multiplication and Its Application in Fully Homomorphic Encryption

(e efficiency of fully homomorphic encryption has always affected its practicality. With the dawn of Internet of things, the demand for computation and encryption on resource-constrained devices is increasing. Complex cryptographic computing is a major burden for those devices, while outsourcing can provide great convenience for them. In this paper, we firstly propose a generic blockchain-based framework for secure computation outsourcing and then propose an algorithm for secure outsourcing of polynomial multiplication into the blockchain. Our algorithm for polynomial multiplication can reduce the local computation cost to O(n). Previous work based on Fast Fourier Transform can only achieve O(nlog(n)) for the local cost. Finally, we integrate the two secure outsourcing schemes for polynomial multiplication and modular exponentiation into the fully homomorphic encryption using hidden ideal lattice and get an outsourcing scheme of fully homomorphic encryption.(rough security analysis, our schemes achieve the goals of privacy protection against passive attackers and cheating detection against active attackers. Experiments also demonstrate our schemes are more efficient in comparisons with the corresponding nonoutsourcing schemes.


Introduction
As the development of the big data era, there is an increasing demand for large-scale time-consuming computations. Fortunately, with the emergence of cloud computing, computation outsourcing brings convenience to resourceconstrained users. ey can outsource complex computing tasks into the cloud by paying a fee and avoiding buying expensive high-performance hardware. It not only improves the resource utilization in cloud but also brings economic benefits to resource-constrained users. Nevertheless, the attractive computing scheme also causes security issues. A passive attacker in the cloud may be only curious about the privacy contained in the user's outsourced data, while an active attacker may make malicious damage or forge the results to sabotage the computation. Even if there is no attacker, computing errors caused by cloud hardware failure and software errors, etc. should also be considered.
Furthermore, it should not be a great burden for the user to check the correctness of the returned results from the cloud; otherwise, the efficiency benefit of outsourcing will be nullified. erefore, the secure and efficient outsourcing of computations that can not only protect the privacy of users but also ensure the correct results has become a hot research topic.
Gentry proposed a homomorphic encryption algorithm based on ideal lattice [1] for the first time, providing us with a direction to solve the privacy issues in computation outsourcing. e direction is a secure computation outsourcing mode: encryption-outsourcing-decryption (EOD). Even if we use the common EOD model, the device should also undertake the computations of secret key generation, encryption, verification, decryption, and so on, locally. ese computations are also great burden for the resource-constrained devices (such as mobile phones and IoT nodes).
Blockchain has attractive features such as transparency, traceability, decentralization, and immutability, which make it an optimal approach for applications intrinsically with untrusted natures, such as computation outsourcing. A central trusted entity is not required for the computation outsourcing based on blockchain. Information about the whole data exchange process, computations, users, and computational nodes is recorded and is traceable in blockchain. Besides, smart contract can be utilized to digitally facilitate the implementation of whole transaction, which greatly improves the speed of building applications on blockchain. However, privacy is still an issue in the computation outsourcing based on blockchain.
Owing to the low efficiency of fully homomorphic encryption algorithms, the general computation outsourcing mode based on EOD is impractical on the resource-constrained devices. In this paper, we will outsource some complex computations in the fully homomorphic encryption using hidden ideal lattice (FHEHIL) [2] into a blockchain framework. e contributions of this paper can be summarized as follows: (1) We propose a framework of blockchain-based computation outsourcing, in which we can implement secure outsourcing for FHEHIL. e framework has a credit-based task allocation strategy, which will significantly reduce the probability of malicious nodes participating in computing. (2) We propose a secure outsourcing algorithm for polynomial multiplication, which reduces the local computation cost (including the cost on result verification) to O(n). Previous work based on the Fast Fourier Transform (FFT) can only achieve O(nlog(n)) for the local cost. Besides, the algorithm can not only detect cheating but also identify cheating nodes combining with blockchain. e result verification in the outsourcing algorithm does not cause extra burden.
(3) We also extend the secure outsourcing algorithm of modular exponentiation, in [3], in our blockchainbased framework. e two algorithms for polynomial multiplication and modular exponentiation are employed in FHEHIL as basic operations, and the FHEHIL implementation on the blockchain-based framework can have higher efficiency compared with previous work.

Related Work
At present, research studies on secure outsourcing can be roughly divided into two directions. In one direction, a general outsourcing mechanism is studied. In this mechanism, a fully homomorphic encryption algorithm is designed and the EOD model is used to outsource any computations. After the work of Gennaro et al. [1], great progress has been made in the field of fully homomorphic encryption [4][5][6]. However, the fully homomorphic encryption algorithms have high computational complexity.
Recently, there are many researches to reduce the computation cost of homomorphic encryption algorithm. For example, Su et al. accelerated the leveled Ring-LWE fully homomorphic encryption [7]. ese research studies mainly focus on the efficiency of hardware. However, secure outsourcing complex computations of fully homomorphic encryption is a better way to improve efficiency for resourceconstrained devices.
In the other direction, specific outsourcing algorithms are designed for various scientific computations, e g., modular exponentiation, solution of large-scale linear equations [8], bilinear pairings, and extend Euclidean. e Wei pairing and Tate pairing in algebraic curves are commonly used in key establishment and signature schemes in the field of cryptography. However, the computation of bilinear pairings is time-consuming in resource-constrained devices. us, many outsourcing schemes have been proposed [9][10][11]. To our knowledge, the scheme in [9] is the most efficient and secure till now. Because of the wide application in cryptography, the study on modular exponentiation is also a hot topic of research. Hohenberger and Lysyanskaya [12] proposed a modular exponentiation secure outsourcing scheme. Chen et al. [13] further improved its efficiency and verifiability. Ren et al. [14] proposed a scheme that only protects the privacy of exponent. Recently, Fu et al. [3] proposed a secure outsourcing scheme of modular exponentiation with hidden exponent and base. It has a stronger checkability. In cryptography, extended Euclidean algorithm is usually used to calculate modular inverse, which is widely used in RSA encryption algorithm. Similarly, Euclidean algorithm can be used to find the greatest common factor of two polynomials, which is commonly used in encryption algorithm based on Lattice. Zhou et al. [15] proposed the secure outsourcing algorithm of extended Euclidean algorithm.
Polynomial multiplication is likewise a commonly used operation in cryptography schemes, error correcting codes, and computer algebra. e complexity of polynomial multiplication is still a major open problem. Using the FFT, the local computation of polynomial multiplication can achieve the complexity of O(nlog(n)). Recently, some efficient polynomial multiplication methods based on the FFT are proposed. Harvey et al. proposed a faster method over finite fields Z p when the degree of polynomials is less than p [16]. e efficiency has been further improved in [17]. For the hardware utilization, Liu et al. designed a high hardware efficiency polynomial multiplication on field-programmable gate array (FPGA) platform [18]. Hsu and Shieh proposed a method with less addition and multiplication [19] in 2020. Besides, there are also some research studies on reducing the space complexity of polynomial multiplication [20,21]. However, the complexity of some research studies based on the acceleration of FFT remains at O(nlog(n)). Other methods using distributed computing to improve hardware utilization are not applied to the resource-constrained device. Till now, there are few research studies on the secure outsourcing of polynomial multiplication.
Due to the characteristics of the blockchain and Bitcoin [22], there are lots of research studies and applications on blockchain in recent years including the secure outsourcing. Lin et al. studied the secure outsourcing for bilinear pairings based on blockchain [23]. Zheng et al. [24] proposed a secure outsourcing scheme for attribute-based encryption on blockchain. ere are also some schemes [25,26] of outsourced data integrity verification. e fairness problem in blockchain-based secure multiparty computation was also solved by multiple efforts. For example, Gao et al. [27] proposed a scheme which realized fairness by maintaining an open reputation system. is type of general scheme for secure multiparty computation can be cumbersome for the problems in secure outsourcing computation.
Andrychowicz et al. [28] utilized only scripts in Bitcoin currency to construct a fair protocol for secure multiparty lotteries, without relying on a trusted third party. Zhang et al. proposed BCPay in [29] and BPay in [30] to achieve fair payment for blockchain-based outsourcing services, which are compatible with the Bitcoin and Ethereum platforms. However, these frameworks can only provide fairness between the client and a single server. ey are applicable to the outsourcing scenarios where the task is outsourced to a single server from the client. In the problem of our work, the computation task needs to be outsourced to multiple computational nodes simultaneously. erefore, we propose a new one, considering the penalty on the cheating nodes, compensation on the honest nodes, and application of a credit-based scheme. where v i is the i th element in v. We denote polynomial by lower case italics (eg., f(x)). For a rational number r, round(r) represents the nearest integer to r. e rational vector v can also be rounded to round(v) � [round(v 1 ), . . . , round(v n )]. We use v(x) for the polynomial form of the vector v. We use v 1 × v 2 for polynomial multiplication (v 1 × v 2 � (v 1 (x) × v 2 (x))modf(x)) on the ring. We use |v| for the norm of v and |S| for the base of set S. We use v ∘ w for correlation (v ∘ w � [v 1 * w 1 , . . . , w n ]). We use R(v, f) for the rotation matrix of v whose i th row is the coefficients of v(x) × x (i− 1) modf(x). We use xgcd(a(x), b(x)) for the extended Euclidean algorithm on a(x) and b(x). deg(f(x)) represents the degree of f(x). We use F v to denote the coefficient set of Discrete Fourier transform (DFT) of v and F − v for the coefficient set of inverse DFT of v.

Fully Homomorphic Encryption Using Hidden Ideal
Lattice. e FHEHIL scheme [2] is described in Algorithm 1, including the components of key generation, encryption, and decryption. e related parameters are shown in Table 1.
As shown in Algorithm 1, it is obvious that polynomial multiplication is the primary computation in encryption and decryption. erefore, our proposed algorithm for the secure outsourcing of polynomial multiplication can be directly applied. As for the key generation, the computing burden is from Step 7, 9, and 11. e main computational cost of Step 7 is on computing the determinant of matrix V. e most time-consuming operation in Step 9 is polynomial multiplication.
Step 11 computes the inverse of polynomial. Below, we will analyze the detailed computations in Step 7 and 11 and demonstrate that polynomial multiplication and modular exponentiation are the main types of computations, which are the two improvement aims of this paper.

3.2.1.
e Method of Computing d in Algorithm 1. Because of the characteristic of V, computing the determinant of matrix V needs only log(n) times of polynomial multiplication using the method in [31]. d is the free item of where p i is the root of f(x) � 0 in the complex domain and they satisfy equation (2). Due to equation (2), we have us, the computation of d mainly involves polynomial multiplications and modular exponentiations.

e Method of Computing
e specific procedures of secure outsourcing for extended Euclidean algorithm [15] are summarized in Algorithm 2. It can be seen that the local computations of this algorithm consist of mostly modular exponentiation and polynomial multiplications. Detailed analysis of Algorithm 2 can be found in [15].

e Method of Computing w in Algorithm 1 When d Is
Not a Prime. When d is not a prime, the fastest method to calculate polynomial inverse at present is Gentry's method in [31]. e method is based on fast Fourier transform and halves the number of terms in each step to offset the doubling of the bit length of the coefficients. is method relays on f(x) � x n+1 , where n is a power of 2. e method is analyzed as follows.
Firstly, the second coefficient can be computed. We can get w 1 � (g 1 ′ /n). Finally, other coefficients of w can be computed by Since n is a power of 2 in f(x), the roots satisfy equation (2). In the process of computing coefficients g 1 and g 1 ′ , the major computations are also polynomial multiplications and modular exponentiations.

The Framework of Blockchain-Based Computation Outsourcing
is section introduces a blockchain-based computation outsourcing framework. e overall system model is illustrated in Figure 1, and the related symbols are described in Table 2. In Figure 1, we assume that, at least, one trusted third party is available to implement the smart contract. is is a generic model on which a variety of computational tasks can be implemented, including the tasks of secure outsourcing of polynomial multiplication and modular exponentiation. e two specific tasks will be given in details in the rest of this paper.

Registration.
Users and computational nodes need to register before joining the network. ey need to pay deposits in advance, the amount of which needs to be greater than a specified threshold or they will be rejected. e smart contract initializes the same credit score to all new nodes and users. After registration, information of users and computational nodes is written to the smart contract. e specific function is shown as Algorithm 3. In this algorithm, addr[p] is the deposit account of node p in the smart contract. Node p's asset privacy is protected because it is unnecessary for him to expose his total asset to the smart contract.

Computational Service.
User p posts computing tasks, data, and rewards of each task to the smart contract. If the account balance of p is insufficient for the computations, smart contract refuses this service and reduces the credit score of p, to prevent malicious users from attacking the smart contract by constantly sending tasks that they cannot afford to. After the smart contract accepts the tasks of p, the user's computing tasks are stored in the task queue and wait for the selection of computational nodes. To achieve a high benefit, the computational nodes will be active to undertake computing tasks. If multiple computational nodes select the same task at the same time, the node with the highest credit score will win the task. Nodes that undertake the computing task should submit the results after completing. If any computational node cannot finish on time, it will be added to the dishonest set. If all computational nodes can submit the results on time, the smart contract sends the results to user and initiates the period of dispute resolving. During this period, the user needs to verify the results locally and notify the smart contract whether the (1)   results are accepted or not. If the period of dispute ends and there is no feedback received from the user, the smart contract assumes that the computations succeed and performs the reward and charge operations. If the user does not accept the results in the feedback, the smart contract will verify the results by itself. e specific function is shown as Algorithm 4.

Verification and Payment.
If the user does not accept the computing results, the smart contract will perform verification operations to find dishonest nodes or users. In the verification, he will simulate all computations required by the user on the encrypted data uploaded by the latter. is means he will repeat exactly every step the computational nodes have carried out, so as to find which step is not correct and who is cheating. Decryptions are not required in the simulation, and thus, the data privacy of the user is protected.
To complete the verification, the smart contract should be equipped with the same function modules as those of the computational nodes. For example, in the secure outsourcing of polynomial multiplication, a function should be Blockchain User ALGORITHM 2: Securely outsource the extended Euclidean algorithm. Security and Communication Networks 5 added into the smart contract to simulate the FFT/IFFT operations on the data uploaded by the user in case of disputes. e dishonest nodes and users will be put into the dishonest set. If no one is put into the dishonest set, the user will pay the reward to all participating nodes. Otherwise, cheating nodes will be penalized and the honest nodes will be compensated. e credit score of the participating nodes that have correctly completed their tasks will increase, while the credit score of the malicious nodes will decrease.
When the account balance of a node is lower than the threshold value or its credit score is reduced to zero, the system will remove it.
e specific function is shown as Algorithm 5.
A malicious user with enough balance may constantly initiate transactions, aiming to increase the burden of the smart contract. However, he cannot refuse to pay because his deposit account is managed by the smart contract. By setting up a suitable threshold in the registration, sooner or later his balance will be used up by his attack.

Security Analysis.
Both the malicious user nodes and computational nodes can launch attacks to the framework, but their strategies are different. e malicious user nodes could launch a DDoS attack. A malicious computational node could destroy the computation by returning forged results or not returning any result. e user nodes could employ two ways to launch a DDoS attack. One is to continuously publish the tasks that the user actually cannot afford to; the other is to maliciously inform the smart contract that the results are not accepted during the dispute resolving period. For the first attack, the smart contract will refuse to add the computing tasks and data to the queue and reduce the credit score of the user. Moreover, when the node's credit score drops below 0, the node will be removed. We can increase Δc in the function of TASK UPLOAD to remove malicious users as soon as possible. For the second attack, the smart contract has to simulate the computations of all nodes participating in the outsourcing according to the data and records. is attack has a greater impact on the smart contract, but it brings more loss to the attackers (including the financial punishment). Similarly, we can increase Δb in Algorithm 5 to mitigate the impact on smart contracts. e computational nodes also have two ways to deploy attack: returning forged results or not returning any result. e cost of both attacks is the same (in financial and credit punishment). Since forged results render the smart contract to simulate the computations of all nodes, rational computational nodes prefer to attack by returning forged results, rather than return nothing. Similarly, we can increase Δb and Δc in Algorithm 5 to mitigate the impact on smart contracts. e proposed framework adopts a task allocation strategy based on credit scores. When malicious nodes are found, their credit score is reduced, and their probability of obtaining computing tasks in the next time is also reduced. We assume there are enough computational nodes which are willing to return correct results to fulfil the requirement of outsourcing, under the incentives of achieving financial and credit reward.

Compatibility Analysis.
We know that the Bitcoin script is not Turing-complete, and Ethereum has a complete programming language on the blockchain to execute more complex smart contracts. It is easy to see that our framework is compatible with opcodes allowed by the Ethereum blockchain. Since the function of Verification and Payment (Algorithm 5) involves loops, which are not allowed by the Bitcoin script, our framework is not compatible with opcodes of the Bitcoin blockchain.

Polynomial Multiplication and Modular
Exponentiation Secure Outsourcing Algorithm

Polynomial Multiplication Secure Outsourcing
Algorithm. e computational complexity of traditional polynomial multiplication is O(n 2 ), which is reduced to O(nlog(n)) by the FFT. In this section, we employ secure outsourcing to further reduce the local computational complexity to O(n). e outsourcing is implemented in our proposed framework of blockchain-based secure computation outsourcing. e main idea of our algorithm is as follows. Firstly, the Fourier transform of the polynomial coefficients are securely outsourced. Secondly, correlation operation on the results of the Fourier transform is locally performed. Finally, the inverse Fourier transform on result of the correlation operation are securely outsourced. e specific process of our algorithm is shown as Algorithm 6.

Description.
In Algorithm 6, the input polynomials are f(x) � a 0 + a 1 x + · · · + a n−1 x n− 1 and g(x) � b 0 + b 1 x + · · · + b n−1 x n− 1 . e output is t(x) � f(x) × g(x) � c 0 + c 1 x + · · · + c 2n−1 x 2n− 1 . For convenience, polynomials are replaced with vectors of polynomial coefficients (a � [a 0 , a 1 , . . . , a n    (6) end for (7) else (8) stimulate all computations and put dishonest user or nodes into Dishonest (9) t ⟵ ∆b * [IDishonest] (10) for i � 1⟶|Dishonest| do (11) Rep[node i ]⟵Rep[node i ] + ∆c; addr[node i ] ⟵ addr[node i ]−∆b (12) end for (13) for i � 1⟶|Honest|do (14) Rep (1) Six parameters are picked randomly, three of which are i, j, β, s.t.0 ≤ n − 1, 0 ≤ j ≤ n − 1 and 0 ≤ β ≤ 2n − 2. e other three are k 1 , k 2 , k 3 ∈ R Z. We define that L(i, k, n): Z 3 ⟶ Z n can generate one n-dimensional vector in which the i th element is k, and all the other elements are zeros. We define that T(v, r): z (n * 2) ⟶ Z (n * p) can generate a random matrix en, the user generates r 1 � L(i, k 1 , n), r 2 � L(j, k 2 , n), r 3 � L(β, k 3 , 2n), V � T(a, r 1 ), U � T(a, r 1 ), Z � T(b, r 2 ), and S � T(b, r 2 ). In this way, one must know r 1 to recover a from V or U and know r 2 to recover b from Z or S.  (1) function DISCRETE FOURIER TRANSFORM FOR RESERVED VECTOR (DFTRV) (r, i) (2) n ⟵ the length of r  (3) and (4) locally; (27) (5)-(7). If they are valid, the computing succeeds; otherwise, the computing fails. e user sends a message to the smart contract. en, the latter calls the function VERIFICATION AND PAYMENT: In Algorithm 6, if any verification fails, the user will report a cheating and the algorithm will come to an end. Figure 2 demonstrates the procedures and data communications in the six steps of Algorithm 6.

Correctness and Complexity. Because
Using the DFTRV/IDFTRV in Algorithm 6, computing Fourier transform of r 1 , r 2 and inverse Fourier transform of r s needs 4 n multiplications. Because of the characteristics of r 1 ,r 2 , and r 3 , only one multiplication is needed to compute each term in F r 1 , F r 2 , and F − rs . Computing F a and F b needs 2pn additions. Computing F c needs 2n multiplications. e verification of equations (3)-(5) takes 6(p − 1)n additions. 6(p − 1)n additions are needed to compute c. e final verification (equations (6) and (7)) needs l + 2n multiplications. To sum up, we need l + 8n multiplications and 10pn − 6n additions. e local complexity of multiplication in this algorithm is O(n), and the local complexity of addition is O(n). erefore, the local complexity of this algorithm is O(n).

Security against Passive Attackers.
A participant may be a passive attacker. Passive attackers will follow the scripts of the algorithm while exploiting the intermediate information to breach the privacy of polynomials. In the following, we analyze the security of our algorithm against passive attackers. e algorithm should protect the privacy of f(x), g(x), c, and F c . As it is known to all, when all nodes collude, the passive attackers can get the most information, and the security of privacy is the lowest.
Since the operations on f(x) and g(x) are consistent, the risks of privacy leakage of them are the same. We analyze the security of f(x) in the worst case, i e., collusion of all nodes. When all the computational nodes collude, they can guess a set of values [a 0 ′ , a 1 ′ , . . . , a n−1 ′ ], in which n − 1 values are consistent with the true coefficients of f(x), while one value is not. Because of r 1 , they even do not know the position of the false value. ey still have to make a bruteforce guessing. If a i ∈ D, where the base of D is m, the attackers should traverse all possibilities by taking m different values for each coefficient. In this case, the attackers have to make m n attempts to get f(x). However, a i ∈ Z in FHEHIL.
en, m ⟶ ∞, and the attackers cannot get f(x). F c and c are also privacy-protected. For the security of F c , when all the computational nodes collude, the passive attackers can guess a set of values F 1 , in which 2n − 2 values are consistent with the true coefficients of F c , while one value is not. However, the existence of r 3 shows that passive attackers do not know the position of the false value. e only way to attack is by making a brute-force guessing. Same as a and b, the domain of the coefficients of F c is infinite. erefore, the attackers cannot get F c . For the security of c, on the one hand, the attackers cannot compute c using inverse Fourier transform without knowing F c . On the other hand, it is easy to see that when lacking F − ra , attackers cannot get c which is equal to

Security against Active Attackers.
A participant may also be an active attacker. Active attackers will inject false computations into the algorithm to tamper with the whole process. In the following, we analyze the security of our algorithm against active attackers. Active attackers may return forged values to damage computing. To damage computing without being detected, attackers prefer to make minimal changes on results. In Algorithm 6, it is easy to see that the lowest risk way for computational nodes to cheat is to tamper with only one item of the results returned to the user, while the other items are correct.
ere is one way to cheat in the process of securely outsourcing Fourier transform. For example, the nodes of computing the DFT of f(x) perform honestly, while the nodes of computing the DFT of g(x) do not. One node n j changed the i th term in F z j and another node n k ′ also changed the i th term in F s k .
is way of cheating can nullify the verification at equations (3) and (4) ′ is not equal to c l for any random l. e verification at equation (6) can certainly detect this cheating.
ere is the other way to cheat in the process of securely outsourcing the inverse DFT of F c . One node n j changed the i th term in F − d j and another node n k ′ also changed the i th term in F − e k . In this way, we can nullify the verification at equation (9) and return a false item c i . e false item c i causes that F c ′ [m] � 2n−2 i�0 W mi 2n−1 c i is also a false value in equation (7). F c ′ [m] will not be equal to F c [m], for all 0 ≤ m ≤ 2n − 2.
e verification at equation (7) can certainly detect this way of cheating.

Secure Outsourcing of Modular Exponentiation.
To the secure outsourcing of modular exponentiation, we extend the algorithm in [3] and apply it to the blockchain. In our extension, six modular exponentiation pairs are outsourced to six computational nodes, instead of a single cloud, aiming to protect against possible attacks on small discrete logarithms. e process is shown as Algorithm 7. e input is two integers. e output is u d , where u is the base and d is the exponent. In a similar way to Figure 2, Algorithm 7 can be implemented in the framework of Blockchain-based computation outsourcing, but we omit it due to limitation of space.

Correctness and Complexity.
It is easy to prove that the algorithm is correct from equations (8) and (9). In the process of parameter generation, there are two exponentiations, two divisions, and two multiplications. Two exponentiations and six multiplications are involved during the verification. Compared with the exponentiation, the   complexity of multiplication and division can be ignored. However, in the algorithm, the exponents are e and t 1 which are much smaller than the original exponent d through the transformation of t 1 � d − k 1 e. erefore, local complexity will be greatly reduced:

Security.
e only way to pass the verification is that the six computational nodes perform correctly. e forged results of active attackers cannot pass the verification in Step 8. e user only needs to know whether the results are correct or not, and the smart contract can detect the cheating nodes according to the records.
We analyze the security against passive attackers in the worst case, i e., the conspiring of six computational nodes. e exponents k 1 , l 1 , and k 2 are visible for attackers, while the other exponents t 1 , d, and e are not. e bases v 1 , v 2 , w 1 , and w 2 are visible for attackers, while g 1 , g 2 , and e are not. We discover that the privacy of u may leak in [3], which sends six pairs to a single node in the cloud. In [3], the base and exponent are about 1000 bit, while the parameters including g 1 , g 2 , e, k 1 , and k 2 are only 64-bit long, to reduce the overhead of local computation. e shorter bit length of parameters may promote an easier attack on the small discrete logarithms. In this kind of attack, an attacker in the cloud can exhaust x so that w * en, e is breached. e attacker then exhausts g, satisfying g e � v 1 . Finally, the cloud can obtain u by w 1 * g.
We solve this attack by distributing six modular exponentiation pairs to six computational nodes, which increases the difficulty of the above attack.

Results and Discussion
In this section, we conduct three types of experiments. Firstly, we evaluate the efficiency of the secure outsourcing of polynomial multiplication in various numbers of polynomial multiplications and compare it with the traditional nonoutsourcing method using FFT. Secondly, we evaluate the efficiency of the secure outsourcing of polynomial multiplication by varying the numbers of items and bit length of coefficients and also compare it with the nonoutsourcing method. Finally, we complete the secure outsourcing for FHEHIL in blockchain, analyze the time consumption of each step, and compare it with the nonoutsourcing method. e experiments are simulated on two machines with Intel Core i7 processor running at 2.90 GHz and 16G memory as a cloud server and Intel Core i5 processor running at 1.80 GHz and 8G memory as a local user. e communication bandwidth is 20 Mbps.

e Evaluation of Secure Outsourcing of Polynomial Multiplication.
We make experiments to evaluate the efficiency of the secure outsourcing algorithm for polynomial multiplication. We implement this experiment using Py-thon3 language.
We compare the secure outsourcing of polynomial multiplication with the nonsourcing algorithm on time consumption with different numbers of polynomial multiplication, in which n � 1024, p � 3, and all the coefficients are 512-bit long. As demonstrated in Figure 3, it is easy to see that when the number of polynomial multiplications is less than 60, the efficiency of the outsourcing scheme is lower than the nonoutsourcing scheme due to the communication time consumption. However, when the number of polynomial multiplications increases above 60, the efficiency of the outsourcing scheme becomes higher than the nonoutsourcing scheme. When the number of polynomial multiplications is less than 300, the bottleneck of the outsourcing scheme is the time consumption on nodes' computations and interactions. When the number of polynomial Input: u, d Output: u d (1) e user generates random parameters g 1 , g 2 , e, k 1 , k 2 ∈ Z, (2) and computes v 1 ⟵ g e l , v 2 ⟵ g e 2 , w 1 ⟵ (u/g 1 ), w 2 ⟵ (u/g 2 ), (4) e user uploads (k 1 , v 1 ), (k 1 , v 2 ), (l 1 , w 1 ), (k 2 , w 1 ), (l 1 , w 2 ), (k 2 , w 2 ) to the smart contract; (5) e smart contract distributes (k 1 , v 1 ), (k 1 , v 2 ), (l 1 , w 1 ), (k 2 , w 1 ), (l 1 , w 2 ), (k 2 , w 2 ) to 6 computational nodes; (6) e computational nodes compute b a after receiving (a, b) and return results to the smart contract; multiplications becomes larger, the bottleneck is the time consumption on local computation.
We make another type of experiments to analyze the influence of number of terms and bit length of coefficients on the efficiency of secure outsourcing of polynomial multiplication. We count the time consumption of 400 random polynomial multiplications, with the number of polynomial items varying from 50 to 1000, and the item bit length varying from 50 to 1000. Figure 4(a) demonstrates that the time consumption increases with the increase of items of polynomials and bit length of coefficients. Moreover, the number of terms has a more obvious effect on time consumption. Besides, compared with the nonoutsourcing polynomial multiplication, our method always has a higher efficiency under all scales of data, as shown in Figure 4(b).

e Evaluation of Blockchain-Based Secure Outsourcing Scheme of Fully Homomorphic Encryption Using Hidden Ideal
Lattice. We employ the relevant security parameters recommended in [2], i.e., n � 1024, t � 310, and p � 3. Our outsourcing scheme consists of the local user's program and the computational nodes' program. Our outsourcing scheme is compared with the nonoutsourcing scheme. e programs are written in Python3, and the smart contract based on the Ethereum platform is written in Solidity. e smart contract interacts with computational nodes' program and local program by the interface provided by Web3. Figure 5 demonstrates the running time at all stages of the two schemes.
is figure does not display the time consumption on generating parameters in the FHEHIL because that is not what we are improving. In the process of computing w efficiency is slightly improved. Compared with the non-sourcing scheme, our scheme saves about 2.6 s. e overall time consumption is improved by about 40.7% (the unmarked areas in Figure 5 are the communication time consumption for interacting with the blockchain). Table 3 shows the detailed time consumption of different entities (user, smart contract, and computational nodes) in different stages (verification, communication, DFTRV/IDFTRV, FFT/IFFT, and other computations) for Key Generation. Table 4 shows the detailed time consumption of different entities in different stages for encryption. e time consumption of decryption is not shown in Figure 5. Since there is only one polynomial multiplication, the time consumption of communication is dominant in the process of decryption, as illustrated in Figure 3. erefore, the time consumption of outsourcing decryption (0.379 s) is larger than the nonoutsourcing decryption (0.103 s).

Conclusions
In this paper, we propose a secure outsourcing algorithm for polynomial multiplication that reduces the local complexity to O(n). According to security analysis, our algorithm is secure against passive and active attackers. We also propose a framework for blockchain-based computation outsourcing. It has a credit-based task allocation strategy, which significantly reduces the probability of failed computations. Using this framework, we implement the secure outsourcing of FHEHIL, in which the basic computations including polynomial multiplication and modular exponentiation can be securely outsourced by our proposed algorithms. e security analysis and experimental results show that our proposed outsourcing schemes are secure and efficient. In the future, we will apply the secure outsourcing of FHEHIL into some practical secure computation problems, such as the millionaire problem, and set operation problems.

Data Availability
e data used to support the findings of this study are available from the corresponding author upon request. Disclosure e conference version of this paper has been published in the 21st International Conference on Parallel and Distributed Computing, Applications, and Technologies (PDCAT 2020).