Multi-Server Verifiable Delegation of Computations: Unconditional Security and Practical Efficiency

Outsourcing computation has gained significant popularity in recent years due to the prevalence of cloud computing. There are two main security concerns in outsourcing computation: how to guarantee the cloud server performs the computation correctly and how to keep the client's data secret. The {\em single-server verifiable computation} (SSVC) of Gennaro, Gentry and Parno (Crypto'10) enables a client to delegate the computation of a function $f$ on any input $x$ with both concerns highly relieved, but only results in {\em computationally secure} schemes that {\em lack practical efficiency}. While the SSVC schemes use a single server, in this paper we develop a {\em multi-server verifiable computation} (MSVC) model where the client shares both $f$ and $x$ among multiple servers, each server performs a set of computations on its shares, and finally the client reconstructs $f(x)$ from all servers' results. In this MSVC model we propose a generic construction for outsourcing computations of the form $F{\bf x}$, where $F$ is a matrix and $\bf x$ is a vector. Our generic construction achieves {\em information-theoretic security, input privacy} and {\em function privacy}. By optimizing the parameters, we obtain both a 3-server scheme,which uses the least number of servers, and a 4-server scheme, which incurs the least workload. By decomposing many polynomial computations as a two-stage computation, where the first-stage has the form $F{\bf x}$ and the second-stage is fast, and delegating the first-stage computation, we obtain MSVC schemes for these polynomials. We implement our MSVC schemes and show that they are among the most {\em practical} ones to date.