Privacy-Preserving Transformation Used in Verifiable (Outsourced) Computation, Revisited

Recently, a privacy-preserving technique called Privacy-Preserving Matrix Transformation (PPMT) is widely used to construct efficient privacy-preserving Verifiable (outsourced) Computation (VC) protocols for specific functions. This technique is first proposed and formalized by Salinas et al. in 2015, and it enjoys provable privacy and high efficiency. Although it seems that Salinas et al.'s PPMT scheme and the further modified scheme are elegant, we still need to take a step back and precisely discuss whether the PPMT schemes are suitable choices for VC protocols. Since Salinas et al. gave two concrete PPMT schemes to achieve the matrix-related VC in data protection and proved that their schemes are private (in terms of indistinguishability), and Zhou et al. devised a new type of PPMT scheme for the same purpose, we focus on exploring privacy of these three types of PPMT schemes. In this article, to achieve our object, we first propose the concept of a linear distinguisher and two constructions of the linear distinguisher algorithms. In particular, the linear distinguisher is a polynomial-time algorithm employed by an adversary to explore the privacy property of a cryptographic primitive. Then, we take these three PPMT schemes (including Salinas et al.'s original work, Yu et al.'s generalization and Zhou et al.'s variant) as targets and analyze their privacy property by letting an adversary make use of our linear distinguisher algorithms. The analysis results show that all these three types of transformations do not hold privacy even against passive eavesdropping (i.e., a ciphertext-only attack), and subsequently, the privacy-preserving VC protocols, based on any of these PPMT schemes, also do not hold the same privacy.