Verifiable Private Polynomial Evaluation

Abstract: Delegating the computation of a polynomial to a server in a verifiable way is challenging. An even more challenging problem is ensuring that this polynomial remains hidden to clients who are able to query such a server. In this paper, we formally define the notion of Private Polynomial Evaluation (PPE). Our main contribution is to design a rigorous security model along with relations between the different security properties. We define polynomial protection (PP), proof unforgeability (UNF), and indistinguishab… Show more

“…Following this work, Bultel et al [4] show that hiding the degree k is useless and that no scheme can be secure when user query more than k points to the server. Moreover, they give a cryptanalysis of Guo et al [14] PPE scheme and of Gajera et al [12] PPE scheme which requires only one query to the server and present the first security model for PPE schemes.…”

“…More recently, Xia et al [25] proposed a new efficient PPE scheme. As PIPE, their scheme satisfies the required security properties defined in [4]. Their scheme is based on the Pedersen's Verifiable Secret Sharing [24] and does not depend on NIZKP to allow the client to verify the correctness of the result contrary to Bultel et al [4].…”

“…In this scenario, the problem is how to delegate computations on a secret polynomial function to an external server in a verifiable way. This problem is solved by Private Polynomial Evaluation (PPE) schemes [14,12,4,25] illustrated in Fig. 1.…”

“…Finally, the nature of VPOPE is very close to those of Private Polynomial Evaluation (PPE). To the best of our knowledge, only five papers [15,14,12,4,25] propose to hide a polynomial used by the server and allow a client to verify the returned results. Kate et al [15] formally define a primitive called commitments to polynomials that can be used as a PPE scheme and propose the PolyCommit Ped scheme.…”

Verifiable and Private Oblivious Polynomial Evaluation

“…Following this work, Bultel et al [4] show that hiding the degree k is useless and that no scheme can be secure when user query more than k points to the server. Moreover, they give a cryptanalysis of Guo et al [14] PPE scheme and of Gajera et al [12] PPE scheme which requires only one query to the server and present the first security model for PPE schemes.…”

“…More recently, Xia et al [25] proposed a new efficient PPE scheme. As PIPE, their scheme satisfies the required security properties defined in [4]. Their scheme is based on the Pedersen's Verifiable Secret Sharing [24] and does not depend on NIZKP to allow the client to verify the correctness of the result contrary to Bultel et al [4].…”

“…In this scenario, the problem is how to delegate computations on a secret polynomial function to an external server in a verifiable way. This problem is solved by Private Polynomial Evaluation (PPE) schemes [14,12,4,25] illustrated in Fig. 1.…”

“…Finally, the nature of VPOPE is very close to those of Private Polynomial Evaluation (PPE). To the best of our knowledge, only five papers [15,14,12,4,25] propose to hide a polynomial used by the server and allow a client to verify the returned results. Kate et al [15] formally define a primitive called commitments to polynomials that can be used as a PPE scheme and propose the PolyCommit Ped scheme.…”

Verifiable and Private Oblivious Polynomial Evaluation

“…Following this line, a series of subsequent outsourcing computations systems [12][13][14][15] developed schemes with improved efficiency for restricted classes of functions. Some research studies [16,17] are dedicated to provide additional security, ensuring that the outsourced polynomial remains hidden.…”

An Efficient HPRA-Based Multiclient Verifiable Computation: Transform and Instantiation

Fair Distributed Oblivious Polynomial Evaluation via Bitcoin Deposits: Compute-as-a-Service