Outsourcing computation has gained significant popularity in recent years due to the prevalence of cloud computing. There are two main security concerns in outsourcing computation: how to guarantee the cloud server performs the computation correctly and how to keep the client's data secret. The single-server verifiable computation (SSVC) of Gennaro, Gentry and Parno (Crypto'10) enables a client to delegate the computation of a function f on any input x with both concerns highly relieved, but only results in computationally secure schemes that lack practical efficiency.

While the SSVC schemes use a single server, in this paper we develop a multi-server verifiable computation (MSVC) model where the client shares both f and x among multiple servers, each server performs a set of computations on its shares, and finally the client reconstructs $f(x)$ from all servers' results. In this MSVC model we propose a generic construction for outsourcing computations of the form $F\mathbf{x}$, where F is a matrix and x is a vector. Our generic construction achieves information-theoretic security, input privacy and function privacy. By optimizing the parameters, we obtain both a 3-server scheme, which uses the least number of servers, and a 4-server scheme, which incurs the least workload. By decomposing many polynomial computations as a two-stage computation, where the first-stage has the form $F\mathbf{x}$ and the second-stage is fast, and delegating the first-stage computation, we obtain MSVC schemes for these polynomials. We implement our MSVC schemes and show that they are among the most practical ones to date.

近年来，由于云计算的盛行，外包计算变得非常流行。外包计算有两个主要的安全问题：如何保证云服务器正确执行计算以及如何对客户端的数据保密。Gennaro、Gentry 和 Parno (Crypto'10)的单服务器可验证计算(SSVC) 使客户端能够在任何输入x上委托函数f的计算，这两个问题都得到了极大的缓解，但只会导致计算安全的方案缺乏实用效率。

虽然 SSVC 方案使用单个服务器，但在本文中，我们开发了一个多服务器可验证计算(MSVC) 模型，其中客户端在多个服务器之间共享f和x，每个服务器对其共享执行一组计算，最后客户重建$F(X)$从所有服务器的结果。在这个 MSVC 模型中，我们提出了一种用于外包计算的通用结构$F\mathbf{X}$，其中F是矩阵，x是向量。我们的通用结构实现了信息论安全、输入隐私和功能隐私。通过优化参数，我们得到了使用最少服务器数量的 3 台服务器方案和产生最少工作量的 4 台服务器方案。通过将许多多项式计算分解为两阶段计算，其中第一阶段的形式为$F\mathbf{X}$第二阶段很快，委托第一阶段的计算，我们得到这些多项式的 MSVC 方案。我们实施了我们的 MSVC 方案，并表明它们是迄今为止最实用的方案之一。