Abstract
The problem of securely outsourcing cryptographic computations to the untrusted servers was formally addressed first by Hohenberger and Lysyanskaya in TCC 2005. They presented an algorithm which outsources computation of modular exponentiations securely to two non-interacting third-party servers but the checkability of third-party computations has probability 1 / 2. Chen et al. improved this algorithm for two non-colluding servers by increasing the checkability probability to 2/3. For real-world cryptographic applications it is desirable that the checkability probability is \(1-\epsilon \), where \(\epsilon \) becomes negligible for appropriate parameter choices. Towards a more practical use, we present an algorithm(s) for secure outsourcing of (simultaneous) modular exponentiation(s) which can be seen as another application of the Chinese remainder theorem (CRT). Interestingly the checkability probability of our algorithm is 1 in the presence of two non colluding servers. Our algorithm is superior in both efficiency and checkability compared to that of the previously known schemes of the same kind. Finally we discuss the potential practical applications for our outsourcing schemes, for example computing the final exponentiation in pairings.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
Similar content being viewed by others
Notes
- 1.
We use the terms worker, program and oracle interchangeably to refer to the untrusted server.
References
Abadi, M., Feigenbaum, J., Kilian, J.: On hiding information from an oracle. In: Proceedings of the Second Annual Conference on Structure in Complexity Theory, pp. 195–203. IEEE Computer Society (1987)
Golle, P., Mironov, I.: Uncheatable distributed computations. In: Naccache, D. (ed.) CT-RSA 2001. LNCS, vol. 2020, pp. 425–440. Springer, Heidelberg (2001). doi:10.1007/3-540-45353-9_31
Girault, M., Lefranc, D.: Server-aided verification: theory and practice. In: Roy, B. (ed.) ASIACRYPT 2005. LNCS, vol. 3788, pp. 605–623. Springer, Heidelberg (2005). doi:10.1007/11593447_33
Wu, W., Mu, Y., Susilo, W., Huang, X.: Server-aided verification signatures: definitions and new constructions. In: Baek, J., Bao, F., Chen, K., Lai, X. (eds.) ProvSec 2008. LNCS, vol. 5324, pp. 141–155. Springer, Heidelberg (2008). doi:10.1007/978-3-540-88733-1_10
Gennaro, R., Gentry, C., Parno, B.: Non-interactive verifiable computing: outsourcing computation to untrusted workers. In: Rabin, T. (ed.) CRYPTO 2010. LNCS, vol. 6223, pp. 465–482. Springer, Heidelberg (2010). doi:10.1007/978-3-642-14623-7_25
Green, M., Hohenberger, S., Waters, B.: Outsourcing the decryption of ABE ciphertexts. In: USENIX Security Symposium 2011. USENIX Association (2011)
Gentry, C.: Fully homomorphic encryption using ideal lattices. In: Mitzenmacher, M. (ed.) Proceedings of the 41st Annual ACM Symposium on Theory of Computing, STOC 2009, pp. 169–178. ACM (2009)
Hohenberger, S., Lysyanskaya, A.: How to securely outsource cryptographic computations. In: Kilian, J. (ed.) TCC 2005. LNCS, vol. 3378, pp. 264–282. Springer, Heidelberg (2005). doi:10.1007/978-3-540-30576-7_15
van Dijk, M., Clarke, D.E., Gassend, B., Suh, G.E., Devadas, S.: Speeding up exponentiation using an untrusted computational resource. Des. Codes Cryptogr. 39(2), 253–273 (2006)
Chen, X., Li, J., Ma, J., Tang, Q., Lou, W.: New algorithms for secure outsourcing of modular exponentiations. In: Foresti, S., Yung, M., Martinelli, F. (eds.) ESORICS 2012. LNCS, vol. 7459, pp. 541–556. Springer, Heidelberg (2012). doi:10.1007/978-3-642-33167-1_31
Wang, Y., Wu, Q., Wong, D.S., Qin, B., Chow, S.S.M., Liu, Z., Tan, X.: Securely outsourcing exponentiations with single untrusted program for cloud storage. In: Kutyłowski, M., Vaidya, J. (eds.) ESORICS 2014. LNCS, vol. 8712, pp. 326–343. Springer, Heidelberg (2014). doi:10.1007/978-3-319-11203-9_19
Kiraz, M.S., Uzunkol, O.: Efficient and verifiable algorithms for secure outsourcing of cryptographic computations. Cryptology ePrint Archive, Report 2014/748 (2014). http://eprint.iacr.org/
Matsumoto, T., Kato, K., Imai, H.: Speeding up secret computations with insecure auxiliary devices. In: Goldwasser, S. (ed.) CRYPTO 1988. LNCS, vol. 403, pp. 497–506. Springer, Heidelberg (1990). doi:10.1007/0-387-34799-2_35
Nguyen, P.Q., Shparlinski, I.E.: On the insecurity of a server-aided RSA protocol. In: Boyd, C. (ed.) ASIACRYPT 2001. LNCS, vol. 2248, pp. 21–35. Springer, Heidelberg (2001). doi:10.1007/3-540-45682-1_2
Chevalier, C., Laguillaumie, F., Vergnaud, D.: Privately outsourcing exponentiation to a single server: cryptanalysis and optimal constructions. IACR Cryptology ePrint Archive 2016/309 (2016)
Kiraz, M.S., Uzunkol, O.: Efficient and verifiable algorithms for secure outsourcing of cryptographic computations. Int. J. Inf. Secur. 15(5), 519–537 (2016). doi:10.1007/s10207-015-0308-7
Boyko, V., Peinado, M., Venkatesan, R.: Speeding up discrete log and factoring based schemes via precomputations. In: Nyberg, K. (ed.) EUROCRYPT 1998. LNCS, vol. 1403, pp. 221–235. Springer, Heidelberg (1998). doi:10.1007/BFb0054129
Nguyen, P., Shparlinski, I., Stern, J.: Distribution of modular sums and the security of the server aided exponentiation. In: Proceedings of the Workshop on Cryptography and Computational Number Theory (CCNT 1999), Singapore, Birkhäuser, pp. 257–268 (2001)
Hinek, M.: On the security of multi-prime RSA. http://cacr.uwaterloo.ca/techreports/2006/cacr2006-16.pdf
Chevallier-Mames, B., Coron, J.-S., McCullagh, N., Naccache, D., Scott, M.: Secure delegation of elliptic-curve pairing. In: Gollmann, D., Lanet, J.-L., Iguchi-Cartigny, J. (eds.) CARDIS 2010. LNCS, vol. 6035, pp. 24–35. Springer, Heidelberg (2010). doi:10.1007/978-3-642-12510-2_3
Guillevic, A.: Comparing the pairing efficiency over composite-order and prime-order elliptic curves. In: Jacobson, M., Locasto, M., Mohassel, P., Safavi-Naini, R. (eds.) ACNS. LNCS, vol. 7954, pp. 357–372. Springer, Heidelberg (2013)
Scott, M.: Unbalancing pairing-based key exchange protocols. IACR Cryptology ePrint Archive 2013/688 (2013). http://eprint.iacr.org/2013/688
Miller, V.S.: The weil pairing, and its efficient calculation. J. Cryptol. 17(4), 235–261 (2004)
Scott, M., Benger, N., Charlemagne, M., Dominguez Perez, L.J., Kachisa, E.J.: On the final exponentiation for calculating pairings on ordinary elliptic curves. In: Shacham, H., Waters, B. (eds.) Pairing 2009. LNCS, vol. 5671, pp. 78–88. Springer, Heidelberg (2009). doi:10.1007/978-3-642-03298-1_6
Kim, T., Kim, S., Cheon, J.H.: On the final exponentiation in tate pairing computations. IEEE Trans. Inf. Theory 59(6), 4033–4041 (2013)
Cramer, R., Shoup, V.: Design and analysis of practical public-key encryption schemes secure against adaptive chosen ciphertext attack. SIAM J. Comput. 33(1), 167–226 (2003)
Schnorr, C.P.: Efficient identification and signatures for smart cards. In: Brassard, G. (ed.) CRYPTO 1989. LNCS, vol. 435, pp. 239–252. Springer, Heidelberg (1990). doi:10.1007/0-387-34805-0_22
Schnorr, C.P.: Efficient signature generation by smart cards. J. Cryptol. 4(3), 161–174 (1991)
Ateniese, G., Medeiros, B.: Identity-based chameleon hash and applications. In: Juels, A. (ed.) FC 2004. LNCS, vol. 3110, pp. 164–180. Springer, Heidelberg (2004). doi:10.1007/978-3-540-27809-2_19
Fischlin, M., Fischlin, R.: Efficient non-malleable commitment schemes. In: Bellare, M. (ed.) CRYPTO 2000. LNCS, vol. 1880, pp. 413–431. Springer, Heidelberg (2000). doi:10.1007/3-540-44598-6_26
Ateniese, G., Burns, R.C., Curtmola, R., Herring, J., Kissner, L., Peterson, Z.N.J., Song, D.X.: Provable data possession at untrusted stores. In: Ning, P., di Vimercati, S.D.C., Syverson, P.F. (eds.) ACM CCS 2007, pp. 598–609. ACM (2007)
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Appendices
Appendix
A Security Defintions
Definition 1 (Algorithm with IO-outsource)
The outsource algorithm \(\mathsf {Alg}\) obeys the input/output specification if it accepts five inputs and produces three outputs. The honest entity generates the first three inputs and the last two adversarially chosen inputs are generated by the environment \(\mathcal {E}.\) The first three inputs can be further classified based on the information about them available to the adversary \(\mathcal {A}= (\mathcal {E}, \mathcal {U}).\) The first input is the honest, secret input which is unknown to both \(\mathcal {E}\) and \(\mathcal {U}.\) The second input is the honest, protected input which may be known by \(\mathcal {E},\) but is protected from \(\mathcal {U}.\) The third input is the honest, unprotected input which may be known by both \(\mathcal {E}\) and \(\mathcal {U}.\) The fourth input is the adversarial, protected input which may be known by \(\mathcal {E},\) but is protected from \(\mathcal {U}.\) The fifth input is the the adversarial, protected input which may be known by \(\mathcal {E},\) but is protected from \(\mathcal {U}.\) Similarly, the first, second and third outputs are called secret, protected and unprotected outputs respectively.
Definition 2 (Outsource-security)
A pair of algorithms \((\mathcal {C}, \mathcal {U})\) is said to be an outsource-secure implementation of an algorithm \(\mathsf {Alg}\) with IO-outsource if:
-
Correctness \(\mathcal {C}^{\mathcal {U}}\) is a correct implementation of \(\mathsf {Alg}.\)
-
Security For all probabilistic polynomial-time adversaries \(\mathcal {A}= (\mathcal {E}, \mathcal {U}'),\) there exist probabilistic expected polynomial-time simulators \((\mathcal {S}_1,\mathcal {S}_2)\) such that the following pairs of random variables are computationally indistinguishable.
Pair One (\(\mathcal {E}\) learns nothing): \( EVIEW _{real} \sim EVIEW _{ideal} .\)
The real process: This process proceeds in rounds. Assume that the honestly generated inputs are chosen by a process I. The view that the adversarial environment obtains by participating in the following process:
$$ EVIEW _{real} = EVIEW _{real}^i if stop^i = TRUE .$$In round i, The adversarial environment does not have access to the honest inputs \((x_{hs}^i, x_{hp}^i, x_{hu}^i)\) that are picked using an honest, stateful process I. The environment based on its view from last round, chooses the value of its \(estate_i\) variable that is used to recall what it did next time it is invoked. Then, among the previously generated honest inputs, the environment chooses a input vector \((x_{hs}^{j^i}, x_{hp}^{j^i}, x_{hu}^{j^i})\) to give it to \(\mathcal {C}^{\mathcal {U}'}.\) Observe that the environment can specify the index \(j^i\) of the inputs but not the values. The environment also chooses the adversarial protected and unprotected input \(x_{ap}^i\) and \(x_{au}^i\) respectively. It also chooses the boolean variable \(stop^i\) that determines whether round i is the last round in this process.
Then, \(\mathcal {C}^{\mathcal {U}'}\) is run on inputs \((tstate^{i-1}, x_{hs}^{j^i}, x_{hp}^{j^i}, x_{hu}^{j^i}, x_{ap}^{i},x_{au}^{i} )\) where \(tstate^{i-1}\) is \(\mathcal {C}\)’s previously saved state. The algorithm produces a new state \(tstate^{i}\) for \(\mathcal {C}\) along with the secret \(y_s^i\), protected \(y_p^i\) and unprotected \(y_u^i\) outputs. The oracle \(\mathcal {U}'\) is given \(ustate^{i-1}\) as input and the current state in saved in \(ustate^{i}.\) The view of the real process in round i consists of \(estate^i,\) and the values \(y_p^i\) and \(y_u^i.\) The overall view of the environment in the real process is just its view in the last round.c
The ideal process:
$$ EVIEW _{ideal} = EVIEW _{ideal}^i if stop^i = TRUE .$$This process also proceeds in rounds. The secret input \(x_{hs}^i\) is hidden from the stateful simulator \(\mathcal {S}_1.\) But, the non-secret inputs produced by the algorithm that is run on all inputs of round i is given to \(\mathcal {S}_1.\) Now, \(\mathcal {S}_1\) decides whether to output the values \((y_p^i, y_u^i)\) generated by the algorithm \(\mathsf {Alg}\) or replace them with some other values \((Y_p^i, Y_u^i).\) This replacement is captured using the indicator variable \(replace^i \in \{0,1\}.\) The simulator is allowed to query the oracle \(\mathcal {U}'\) which saves its state as in the real experiment.
Pair Two (\(\mathcal {U}'\) Learns Nothing): \( UVIEW _{real} \sim UVIEW _{ideal} .\)
The view that the untrusted entity \(\mathcal {U}'\) obtains by participating in the real process is described in pair one. \( UVIEW _{real} = ustate^i if stop^i = TRUE .\) The ideal process:
$$ UVIEW _{ideal} = UVIEW _{ideal}^i if stop^i = TRUE .$$In the ideal process, the stateful simulator \(\mathcal {S}_2\) is given with only the unprotected inputs \((x_{hu}^i, x_{au}^i),\) queries \(\mathcal {U}'.\) As before, \(\mathcal {U}'\) may maintain state.
Definition 3
( \(\alpha -\) efficient, secure outsourcing). A pair of algorithms \((\mathcal {C}, \mathcal {U})\) is said to be an \(\alpha -\)efficient implementation of an algorithm \(\mathsf {Alg}\) if \((\mathcal {C}, \mathcal {U})\) is an outsource secure implementation of algorithm \(\mathsf {Alg}\) and for all inputs x, the running time of \(\mathcal {C}\) is \(\le \) an \(\alpha -\) multiplicative factor of the running time of \(\mathsf {Alg}(x)\)
Definition 4
( \(\beta -\) checkable, secure outsourcing). A pair of algorithms \((\mathcal {C}, \mathcal {U})\) is a \(\beta -\)checkable implementation of an algorithm \(\mathsf {Alg}\) if \((\mathcal {C}, \mathcal {U})\) is an outsource secure implementation of algorithm \(\mathsf {Alg}\) and for all inputs x, if \(\mathcal {U}'\) deviates from its advertised functionality during the execution of \(\mathcal {C}^{\mathcal {U}'}(x),\) \(\mathcal {C}\) will detect the error with probability \(\ge \beta \)
Definition 5
( \((\alpha , \beta )-\) outsource-security). A pair of algorithms \((\mathcal {C}, \mathcal {U})\) is said to be an \((\alpha , \beta )-\)outsource-secure implementation of an algorithm \(\mathsf {Alg}\) if they are both \(\alpha -\)efficient and \(\beta -\)checkable.
Rights and permissions
Copyright information
© 2016 Springer International Publishing AG
About this paper
Cite this paper
Kuppusamy, L., Rangasamy, J. (2016). CRT-Based Outsourcing Algorithms for Modular Exponentiations. In: Dunkelman, O., Sanadhya, S. (eds) Progress in Cryptology – INDOCRYPT 2016. INDOCRYPT 2016. Lecture Notes in Computer Science(), vol 10095. Springer, Cham. https://doi.org/10.1007/978-3-319-49890-4_5
Download citation
DOI: https://doi.org/10.1007/978-3-319-49890-4_5
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-49889-8
Online ISBN: 978-3-319-49890-4
eBook Packages: Computer ScienceComputer Science (R0)