Tải bản đầy đủ - 0 (trang)

1 2EXP: Secure Outsourcing Algorithm for Single Modular Exponentiation

CRT-Based Outsourcing Algorithms for Modular Exponentiations

87

Masking a. In order to mask a, C invokes the BPV+ algorithm to get the pairs

(α, g2α ) and (β, g2β ). Now C computes:

1. a1 = a − α;

2. a2 = a − β;

Queries to U1 . Now C invokes the BPV+ algorithm to get the pair (t, g1t ) and

sends the following queries to U1 in random order:

1. (x, a1 , n) → X1 ;

2. (x, β, n) → X2 ;

3. (g1t , −aθ/t, p) → X4 ;

Queries to U2 . Now C sends the following queries to U2 in random order:

1. (x, a2 , n) → X3 ;

2. (g1t , −aθ/t, p) → X5 ;

Verifying the correctness of {U1 , U2 }’s output.

1. C checks whether

?

(2)

g2β mod r2 = X2 mod r2 .

2. C checks whether

?

[X1 mod r2 · g2α ] mod r2 = X2 · X3 mod r2 .

3. C checks whether

?

X4 = X5 mod p.

(3)

(4)

Recovering u . If Eqs. 2, 3 and 4 hold, then C believes that all the values

X1 , X2 , X3 , X4 and X5 have been computed correctly. This implies that

X2 · X3 · X4 ≡ ua mod p due to simultaneous system of congruences. If the

check fails, then C outputs an error message.

a

Remark 1. (Checkability) Note that all the queries output are checked by the

client and then only the output ua is computed. Hence the client now believes

that ua has been computed correctly. In the above algorithms, both p and n are

sent to both the servers U1 and U2 and thus reveal r1 r2 , but the servers do not

gain any advantage in knowing r1 r2 . Note that the correctness of the outputs

X1 X2 and X3 are checked using the client’s stored values g2α and g2β and hence

the server trying to send bogus results can be detected.

3.2

Security and Eﬃciency Analysis

In this section, we analyse the security properties of the proposed algorithm

using the one malicious model of Hohenberger and Lysyanskaya [8].

Lemma 1 (Correctness). In the one malicious model, the algorithms (C, U1 , U2 )

are correct implementation of 2EXP, where the inputs (a, u, p) may be honest,

secret; or honest, protected; or adversarial protected.

88

L. Kuppusamy and J. Rangasamy

Proof. We know that for any integer m ≥ 0,

xm = {u · g1θ · r1 · r2 · (r1−1 r2−1 mod p) + h · r2 · p · (r2−1 p−1 mod r1 )

+ g2 · p · r1 · (p−1 r1−1 mod r2 )}m

=

k1 +k2 +k3 =m

(5)

m!

k1 k2 k3

k1 !+k2 !+k3 ! A B C

where A = u · g1θ · r1 · r2 · (r1−1 r2−1 mod p), B = h · r2 · p · (r2−1 p−1 mod r1 ),

C = g2 · p · r1 · (p−1 r1−1 mod r2 ) and ki , 1 ≤ i ≤ 3 are non-negative integers. By

taking a reduction modulo r2 to both sides of Eq. 5, we obtain,

xm mod r2 = g2m mod r2 ,

(6)

since all the terms except for the case k3 = m in the above summation vanishes.

Similarly, a reduction modulo p to both sides of Eq. 5, we obtain

xm mod p = um · g1mθ mod p;

(7)

If one of Ui , i = 1, 2 performs honestly, then it easy to check whether

?

X4 = X5 mod p.

(8)

Also using Eqs. 6, and 7 we see that

X1 = xa1 mod n =

and

X2 = xβ mod n =

and

X3 = xa2 mod n =

ua1 g1a1 θ mod p

g2a1 mod r2

(9)

uβ g1βθ mod p

g2β mod r2

(10)

ua2 g1a2 θ mod p

g2a2 mod r2

(11)

Using the stored g2β value, it is easy to see from Eq. 10 that X2 mod r2 = g2β .

Once the value X2 is checked for correctness, then it is easy to check whether

?

X1 mod r2 · g2α mod r2 = X2 · X3 mod r2 using Eqs. 9 and 11. If all the equalities

hold, then the desired result is obtained using reduction modulo p.

In the following theorem, we give a proof sketch to show that (C, U1 , U2 ) is an

outsource-secure implementation of 2EXP, as per the Hohenberger-Lysyanskaya

security model.

Theorem 1 (Privacy). In the one malicious program model, the pair of algorithms (C, U) is an outsource-secure implementation of 2EXP, where the input

(a, u, p) may be honest, secret; or honest, protected; or adversarial protected.

CRT-Based Outsourcing Algorithms for Modular Exponentiations

89

Proof. Assume that A = (E, U1 , U2 ) be a probabilistic polynomial time (PPT)

adversary which interacts with the PPT algorithm C in the one malicious program model.

Pair One: (E learns nothing) EVIEWreal ∼ EVIEWideal

If the input (a, u, p) is not honest, secret, the simulator S1 behaves the same

way as in the real experiment. If the input is honest, secret, then S1 behaves

as follows: S1 ignores the input it received in the ith round and chooses three

primes p∗ , r1∗ and r2∗ of same size as p, r1 and r2 respectively and set n∗ = p∗ r1∗ r2∗ .

The main task of S1 in the ith round is to outsource and verify the computation

∗

of (u∗ )a , where u∗ and a∗ are chosen by S1 from the same distribution used

to choose u and a. S1 mask u∗ and a∗ the same way as in our algorithm using

appropriately chosen α∗ , and β ∗ and computes x∗ , a∗1 and a∗2 . Now, s1 query U1

∗ ∗

∗t∗

with the inputs (x∗ , a∗1 , n∗ ), (x∗ , β ∗ , n∗ ) and (g1 1 , −at∗θ , p∗ ). Then s1 query U2

∗t∗

∗ ∗

1

with the inputs (x∗ , a∗2 , n∗ ) and (g1 1 , −at∗θ , p∗ ). S1 checks all the outputs as per

1

the algorithm description. If no error is detected, then S1 outputs Ypi = ∅, Yui = ∅,

replacei = 0. That is, the output of the ideal process is set to (estatei , ypi , yui );

otherwise, S1 selects a random element r and outputs Ypi = r, Yui = ∅, replacei = 1.

That is the output of the ideal process is set to (estatei , r, ∅). In both the cases,

S1 saves the appropriate states.

In real process, all the components (x, g1t1 , a1 , β, a2 , −aθ

t1 ) in the queries made

by C are independently re-randomized to achieve computational indistinguisha∗ ∗

∗t∗

bility. In the ideal process the values (x∗ , g1 1 , a∗1 , β ∗ , a∗2 , −at∗θ ) are chosen uni1

formly at random from the same distribution. Hence, both in the real and the

ideal process, the input distributions to U1 and U2 are computationally indistinguishable. Now, consider the following scenarios:

– If either one of Ui behaves honestly in the ith round, then it perfectly executes

the algorithm 2EXP such that the outputs from Ui in the ideal experiment

matches. Therefore, the simulator S1 does not replace the output of 2EXP in

the real experiment (i.e., replacei = 0). Hence EVIEWireal ∼ EVIEWiideal .

– If one of Ui is dishonest and outputs an incorrect value in round i, then it will

be detected by both C and S1 with probability 1 as all the ouptputs could be

validated. In the real experiment, the outputs from Ui are further processed as

in Eqs. 9, 10. Similarly, in the ideal experiment, S1 simulates with the random

value r. Hence, EVIEWireal ∼ EVIEWiideal even if Ui is dishonest in the ith

round.

By the hybrid argument, it can be shown that EVIEWreal ∼ EVIEWideal .

Pair Two: ( Ui learns nothing): UVIEWreal ∼ UVIEWideal

Let S2 be a PPT simulator that behaves in the same manner regardless of

whether the input (a, u, p) is honest, secret or honest, protected or adversarial

protected. That is, S2 ignores the input in the ith round, and makes queries

∗ ∗

∗t∗

of the form (x∗ , a∗1 , n∗ ), (x∗ , β ∗ , n∗ ), (x∗ , a∗2 , n∗ ), (g1 1 , −at∗θ , p∗ ), accordingly to

1

90

L. Kuppusamy and J. Rangasamy

Ui . Then S2 saves both its state and U ’s state. Note that E can easily distinguish between these two experiments as the inputs to the experiment might

be honest, protected and adversarial protected. But it cannot communicate

this information to Ui . This is due to the fact that, in the ideal experiment,

the inputs are computationally blinded by C before being given as input to

Ui . In the ideal experiment, the simulator S2 always query the components

∗ ∗

∗t∗

(x∗ , g1 1 , a∗1 , β ∗ , a∗2 , −at∗θ ) that are selected uniform at random from the same

1

distribution. Hence UVIEWireal ∼ UVIEWiideal for each round i. By the hybrid

argument, it can be shown that UVIEWreal ∼ UVIEWideal .

Theorem 2 (Checkability). In the one malicious program model, the above algorithms (C, U1 , U2 ) are an (3, 1)-outsource-secure implementation of 2EXP.

Proof. For an k−bit exponent a, the computation of ua mod p requires roughly

1.5k modular multiplications (MM) using square and multiply method. Note that

the computation of Eq. 12 and t−1 can be done oﬄine. The online computations

could be as in Eqs. 2, 3 and for the computation of aθt−1 . Thus our algorithm

2EXP requires 3 Modular Multiplications. Therefore our algorithm (C, U) is an

3−eﬃcient implementation of 2EXP.

Since the third query (X4 and X5 ) is same for both the servers Ui , it is easy

to detect if one of the server exhibits malicious behaviour. The other outputs

X1 , X2 , X3 are validated by the client by reducing the values to modulo r2 . If

the check passes then by simulataneous system of linear congruences, the client

computes the required result by reducing the values to modulo p. However, a

malicious server Ui outputs incorrect values without being detected by C provided

if it can ﬁnd the modulus r2 . That is, if the malicious Ui knows r2 and reduces

x to modulo r2 to obtain g 2 then it can submit the results of X1 , X2 , X3 for the

base g2 instead of xi . As the client validates Ui ’s output by reducing them to r2 ,

the validation goes through. But the values X1 , X2 , X3 will not help the client

to ﬁnd ua as reducing Xi to modulo p will not lead to the value with base u.

Since the server knows p and r1 ∗ r2 through the input to the queries, it has to

solve the factorisation problem for r1 ∗ r2 . That is it is evident from [19] that for

a suﬃciently large 3-prime modulus n = p ∗ r1 ∗ r2 there is no known polynomial

time algorithm to factor it into primes even if one of the primes, say p, is known.

Hence our algorithm is a 1-checkable implementation of 2EXP. Combining

the above arguments, we prove the theorem.

3.3

Comparison

Table 1 lists the number of operations performed by C in the previous outsourcing schemes that achieves both privacy and eﬃciency with two untrusted

servers. From the table, it is evident that our algorithm is superior in terms of

both the eﬃciency and checkability parameters. We use MM to denote modular

multiplication.

CRT-Based Outsourcing Algorithms for Modular Exponentiations

91

Table 1. Comparison of outsourcing algorithms for single exponentiation

4

Exp Algorithm

MMs

ua

6 O(RAND) +9 2

8

1/2

5 O(RAND) + 7 2

3

2

6

5

2/3

1

HohenbergerLysyanskaya [8]

Chen et al. [10]

Ours

Servers Queries to Checkability

U1 + U2

2GEXP: Algorithm to Outsource Simultaneous

Modular Exponentiations

Consider two primes p and q such that q|(p − 1) and the multiplicative subgroup

of Z∗p with order q. The task of C is to compute

s

i=1

uai i mod p where ui ∈ Z∗p are

the variable bases and ai ∈ Zq are the variable exponents. The task of {U1 , U2 }

is to return the output ij mod k on input (i, j, k). Since C aims to protect the

values ui and ai for 1 ≤ i ≤ s from {U1 , U2 }, they are computationally blinded

before being given as input to {U1 , U2 }. As seen in Sect. 3.1, the variable-bases

ui are masked using CRT. Our algorithm is described as follows:

Pre-computation. We use the same pre-processing technique, namely the

BPV+ algorithm and primes r1 and r2 as in Sect. 3.1. The only diﬀerence

is that C needs to call it for each pair (ai , ui ). Choose a base h ∈ Z∗r1 .

Masking ui . Compute (θi , g1θi ), i = {1, . . . , s} using the BPV+ technique. Using

CRT for each i = {1, . . . , s} leads us to the following system of three simultaneous congruences

xi ≡ ui g1θi mod p

and xi ≡ h mod r1

and xi ≡ g2 mod r2

and its unique solution xi mod n can be computed as

xi = ui · g1θi · r1 · r2 · (r1−1 r2−1 mod p) + h · r2 · p · (r2−1 p−1 mod r1 )

+ g2 · p · r1 · (p−1 r1−1 mod r2 ).

(12)

Masking ai . To blind ai (1 ≤ i ≤ s), C runs BPV+ 2s times to obtain the pairs

{(αi , g2αi )}si=1 and {(βi , g2βi )}si=1 . Then C computes:

ai1 = ai − αi and ai2 = ai − βi .

Queries to U1 . Now C invokes the BPV+ algorithm to get a pair (t, g1t ) and

sends the following queries to U1 in random order:

1. (xi , ai1 , n) → Xi1 ;

2. (xi , βi , n) → Xi2 ;

3. (g1t ,

s

i=1

(−ai θi )/t, p) → X4 ;

92

L. Kuppusamy and J. Rangasamy

Queries to U2 . Now C makes the following queries to U2 in random order:

1. (xi , ai2 , n) → Xi3 ;

2. (g1t ,

s

i=1

(−ai θi )/t, p) → X5 ;

Verifying the correctness of {U1 , U2 } output.

1. C checks ﬁrst if

s

g2βi

?

s

mod r2 =

i=1

Xi2 mod r2 .

(13)

i=1

2. C then checks whether

s

s

Xi1 mod r2 ·

i=1

?

s

g2αi mod r2 =

i=1

(Xi2 · Xi3 ) mod r2 .

3. and

?

X4 = X5 mod p.

s

Recovering

i=1

(14)

i=1

(15)

uai i . If Eqs. 13, 14 and 15 hold, then C believes that for 1 ≤ i ≤ s

all the values Xi1 , Xi2 , Xi3 , Xi4 and Xi5 have been computed correctly. This

s

implies that

i=1

Xi2 · Xi3 · Xi4 ≡

s

i=1

uai i mod p due to simultaneous system of

congruences. If the check fails, then C outputs an error message.

4.1

Security and Eﬃciency Analysis

The algorithms proposed in Sects. 3 and 4 depend on the same techniques to

mask the inputs (a, u). Thus, due to space limitation we do not repeat the

correctness lemma as in Lemma 1 and the proof of following theorem for the

simulataneous exponentiation case.

Theorem 3. In the one malicious program model, the pair of algorithms (C, U)

is an outsource-secure implementation of 2GEXP, where the input (ai , ui , p)

may be honest, secret; or honest, protected; or adversarial protected.

Theorem 4. In the one malicious program model, the above algorithms

(C, U1 , U2 ) are an (3s, 1)-outsource-secure implementation of 2GEXP.

4.2

Comparison

Table 2 lists the number of operations performed by C in the previous outsourcing

schemes that achieves both privacy and eﬃciency with two untrusted servers.

From the table, it is evident that our algorithm is superior in terms of both the

eﬃciency and checkability parameters. We achieved 1−checkable property at the

cost of little communication overhead compared to the existing one. However we

could reduce the communication overhead with lesser checkability probability.

We use MM to denote modular multiplication.

CRT-Based Outsourcing Algorithms for Modular Exponentiations

93

Table 2. Comparison of outsourcing algorithms for simultaneous exponentiation

Exp

s

i=1

Algorithm

Servers Queries to Checkablity

U1 + U2

uai i Chen et al. [10] 5O(RAND) + 3s + 4 2

Ours

5

MMs

3s

2

2s + 4

2/(s + 2)

3s + 2

1

Potential Applications of Our Algorithms

In this section we identify and discuss the usefulness of our secure outsourcing

algorithms for single and simultaneous modular exponentiation.

5.1

Securely Oﬄoading the Final Exponentiation in Pairings

Pairings have been widely used in cryptography and have become an important

and attractive research area. Given the advantages of pairing-based schemes,

recent studies focused on deploying them in various scenarios [20–22]. As the

usage of hand-held resourced-constrained devices grows exponentially, equipping

them with pairings may help the devices cater to variety of security services.

A typical pairing computation consists of two steps, namely the Miller’s algorithm [23] and the ﬁnal exponentiation. Research works focused to speed up pairing computation are mainly about improving the complexity of Miller’s algorithm

and there are only few works related to speeding up the ﬁnal exponentiation step

[24,25]. Now we will show how our secure outsourcing algorithms could beneﬁt

the ﬁnal exponentiation step.

Let us consider the Tate pairing, the most widely used pairing type. Consider

an elliptic curve E over a ﬁnite ﬁeld Fq with k being the embedding degree.

For any two points P and Q on E(Fqk ), The Tate pairing value at (P, Q) is

q k −1

speciﬁed to be e(P, Q) = fr,P (Q) r where fr,P ∈ Fqk [x, y] is called as the

Miller function. Thus the ﬁnal exponentiation in the Tate pairing is obtained

by raising an element in Fqk to the exponent (q k − 1)/r. We note that our

outsourcing algorithm for single exponentiation can be adapted to this setting

to securely oﬄoad the ﬁnal exponentiation in full.

Another common method is to split the exponent (q k − 1)/r accordingly so

that the the computation of ﬁnal exponentiation is given by a ﬁnite product of

s

the following form h i=1 gi ri , where h is relatively easy part to compute and the

rest of the product is considered to be hard part. Since every gi being dependent

on P and Q is not a ﬁxed element, the hard part of the ﬁnal exponentiation can

be seen as a simultaneous exponentiation and thus our outsourcing algorithm

for simultaneous case may be used to securely oﬄoad the hard part of the ﬁnal

exponentiation.

94

5.2

L. Kuppusamy and J. Rangasamy

Outsource-Secure Cryptographic Schemes and Primitives

In this section we recall the applications identiﬁed in the related literature for outsourcing algorithms for modular exponentiation. Hohenberger and

Lysyanskaya [8] showed how to use their outsourcing algorithm for the single

exponentiation to obtain outsource-secure Cramer-Shoup encryption [26] and

outsource-secure Schnorr signature [27,28] schemes. Chen et al. [10] demonstrated the use of their outsourcing algorithm for simultaneous modular exponentiation in cryptographic primitives such as chameleon hashing [29] and trapdoor

commitment [30]. Recently Wang et al. [11] showed evidence of advantages in

using an outsourcing algorithm for the simultaneous case in provable data possession (PDP) [31] schemes for cloud storage. Since our algorithm is generic and

superior, it may provide more beneﬁts when used in any of the above mentioned

cryptographic protocols.

6

Conclusion

We presented secure outsourcing algorithms for single and simultaneous modular

exponentiations. Our algorithms are superior compared to the existing schemes

with two servers. We then showed that the proposed algorithms meet the security

notions of the Hohenberger-Lysyanskaya security model. Finally we discussed

some interesting applications such as outsourcing of ﬁnal exponentiation in pairings. We leave open the problem of securely outsourcing modular exponentiations

using single untrusted server achieving checkability probability 1.

Appendix

A

Security Defintions

Deﬁnition 1 (Algorithm with IO-outsource). The outsource algorithm

Alg obeys the input/output speciﬁcation if it accepts ﬁve inputs and produces

three outputs. The honest entity generates the ﬁrst three inputs and the last two

adversarially chosen inputs are generated by the environment E. The ﬁrst three

inputs can be further classiﬁed based on the information about them available

to the adversary A = (E, U). The ﬁrst input is the honest, secret input which

is unknown to both E and U. The second input is the honest, protected input

which may be known by E, but is protected from U. The third input is the honest,

unprotected input which may be known by both E and U. The fourth input is the

adversarial, protected input which may be known by E, but is protected from U.

The ﬁfth input is the the adversarial, protected input which may be known by E,

but is protected from U. Similarly, the ﬁrst, second and third outputs are called

secret, protected and unprotected outputs respectively.

Deﬁnition 2 (Outsource-security). A pair of algorithms (C, U) is said to be

an outsource-secure implementation of an algorithm Alg with IO-outsource if:

Correctness C U is a correct implementation of Alg.

CRT-Based Outsourcing Algorithms for Modular Exponentiations

95

Security For all probabilistic polynomial-time adversaries A = (E, U ), there

exist probabilistic expected polynomial-time simulators (S1 , S2 ) such that the

following pairs of random variables are computationally indistinguishable.

Pair One (E learns nothing): EVIEWreal ∼ EVIEWideal .

The real process: This process proceeds in rounds. Assume that the honestly

generated inputs are chosen by a process I. The view that the adversarial

environment obtains by participating in the following process:

EVIEWireal = { istatei , xihs , xihp , xihu ← I 1k , istatei−1 ;

i−1

estatei , j i , xiap , xiau , stopi ← E 1k , EVIEWreal

, xihp , xihu ;

tstatei , ustatei , ysi , ypi , yui ← C U

i

(ustatei−1 )

i

i

tstatei−1 , xjhs , xjhp , xjhu , xiap , xiau :

estatei , ypi , yui }

EVIEWreal = EVIEWireal if stopi = TRUE.

In round i, The adversarial environment does not have access to the honest

inputs (xihs , xihp , xihu ) that are picked using an honest, stateful process I. The

environment based on its view from last round, chooses the value of its estatei

variable that is used to recall what it did next time it is invoked. Then, among

the previously generated honest inputs, the environment chooses a input vector

i

i

i

(xjhs , xjhp , xjhu ) to give it to C U . Observe that the environment can specify the

index j i of the inputs but not the values. The environment also chooses the

adversarial protected and unprotected input xiap and xiau respectively. It also

chooses the boolean variable stopi that determines whether round i is the last

round in this process.

i

i

i

Then, C U is run on inputs (tstatei−1 , xjhs , xjhp , xjhu , xiap , xiau ) where tstatei−1

is C’s previously saved state. The algorithm produces a new state tstatei for C

along with the secret ysi , protected ypi and unprotected yui outputs. The oracle

U is given ustatei−1 as input and the current state in saved in ustatei . The

view of the real process in round i consists of estatei , and the values ypi and

yui . The overall view of the environment in the real process is just its view in

the last round.c

The ideal process:

EVIEWiideal = { istatei , xihs , xihp , xihu ← I 1k , istatei−1 ;

i−1

estatei , j i , xiap , xiau , stopi ← E 1k , EVIEWideal

, xihp , xihu ;

i

i

i

astatei , ysi , ypi , yui ← Alg astatei−1 , xjhs , xjhp , xjhu , xiap , xiau ;

i−1

U (ustate

)

i

i

sstatei , ustatei , Ypi , Yui , replacei ← S1

sstatei−1 , xjhp , xjhu , xiap , xiau , ypi , yui ;

i

i

zp , zu = replacei Ypi , Yui + 1 − replacei ypi , yui :

estatei , zpi , zui }

EVIEWideal = EVIEWiideal if stopi = TRUE.

This process also proceeds in rounds. The secret input xihs is hidden from the

stateful simulator S1 . But, the non-secret inputs produced by the algorithm

96

L. Kuppusamy and J. Rangasamy

that is run on all inputs of round i is given to S1 . Now, S1 decides whether to

output the values (ypi , yui ) generated by the algorithm Alg or replace them with

some other values (Ypi , Yui ). This replacement is captured using the indicator

variable replacei ∈ {0, 1}. The simulator is allowed to query the oracle U

which saves its state as in the real experiment.

Pair Two (U Learns Nothing): UVIEWreal ∼ UVIEWideal .

The view that the untrusted entity U obtains by participating in the real

process is described in pair one. UVIEWreal = ustatei if stopi = TRUE. The

ideal process:

UVIEWiideal = { istatei , xihs , xihp , xihu ← I 1k , istatei−1 ;

estatei , j i , xiap , xiau , stopi ← E 1k , estatei−1 , xihp , xihu , ypi−1 , yui−1 ;

i

i

i

astatei , ysi , ypi , yui ← Alg astatei−1 , xjhs , xjhp , xjhu , xiap , xiau ;

U (ustatei−1 )

sstatei , ustatei ← S2

i

sstatei−1 , xjhu , xiau ;

ustatei }

UVIEWideal = UVIEWiideal if stopi = TRUE.

In the ideal process, the stateful simulator S2 is given with only the unprotected

inputs (xihu , xiau ), queries U . As before, U may maintain state.

Deﬁnition 3 (α−eﬃcient, secure outsourcing). A pair of algorithms (C, U)

is said to be an α−eﬃcient implementation of an algorithm Alg if (C, U) is

an outsource secure implementation of algorithm Alg and for all inputs x, the

running time of C is ≤ an α− multiplicative factor of the running time of Alg(x)

Deﬁnition 4 (β−checkable, secure outsourcing). A pair of algorithms

(C, U) is a β−checkable implementation of an algorithm Alg if (C, U) is an outsource secure implementation of algorithm Alg and for all inputs x, if U deviates

from its advertised functionality during the execution of C U (x), C will detect the

error with probability ≥ β

Deﬁnition 5 ((α, β)−outsource-security). A pair of algorithms (C, U) is said

to be an (α, β)−outsource-secure implementation of an algorithm Alg if they are

both α−eﬃcient and β−checkable.

References

1. Abadi, M., Feigenbaum, J., Kilian, J.: On hiding information from an oracle. In:

Proceedings of the Second Annual Conference on Structure in Complexity Theory,

pp. 195–203. IEEE Computer Society (1987)

2. Golle, P., Mironov, I.: Uncheatable distributed computations. In: Naccache, D.

(ed.) CT-RSA 2001. LNCS, vol. 2020, pp. 425–440. Springer, Heidelberg (2001).

doi:10.1007/3-540-45353-9 31

CRT-Based Outsourcing Algorithms for Modular Exponentiations

97

3. Girault, M., Lefranc, D.: Server-aided veriﬁcation: theory and practice. In: Roy,

B. (ed.) ASIACRYPT 2005. LNCS, vol. 3788, pp. 605–623. Springer, Heidelberg

(2005). doi:10.1007/11593447 33

4. Wu, W., Mu, Y., Susilo, W., Huang, X.: Server-aided veriﬁcation signatures: definitions and new constructions. In: Baek, J., Bao, F., Chen, K., Lai, X. (eds.)

ProvSec 2008. LNCS, vol. 5324, pp. 141–155. Springer, Heidelberg (2008). doi:10.

1007/978-3-540-88733-1 10

5. Gennaro, R., Gentry, C., Parno, B.: Non-interactive veriﬁable computing: outsourcing computation to untrusted workers. In: Rabin, T. (ed.) CRYPTO

2010. LNCS, vol. 6223, pp. 465–482. Springer, Heidelberg (2010). doi:10.1007/

978-3-642-14623-7 25

6. Green, M., Hohenberger, S., Waters, B.: Outsourcing the decryption of ABE ciphertexts. In: USENIX Security Symposium 2011. USENIX Association (2011)

7. Gentry, C.: Fully homomorphic encryption using ideal lattices. In: Mitzenmacher,

M. (ed.) Proceedings of the 41st Annual ACM Symposium on Theory of Computing, STOC 2009, pp. 169–178. ACM (2009)

8. Hohenberger, S., Lysyanskaya, A.: How to securely outsource cryptographic computations. In: Kilian, J. (ed.) TCC 2005. LNCS, vol. 3378, pp. 264–282. Springer,

Heidelberg (2005). doi:10.1007/978-3-540-30576-7 15

9. van Dijk, M., Clarke, D.E., Gassend, B., Suh, G.E., Devadas, S.: Speeding up

exponentiation using an untrusted computational resource. Des. Codes Cryptogr.

39(2), 253–273 (2006)

10. Chen, X., Li, J., Ma, J., Tang, Q., Lou, W.: New algorithms for secure outsourcing of modular exponentiations. In: Foresti, S., Yung, M., Martinelli, F. (eds.)

ESORICS 2012. LNCS, vol. 7459, pp. 541–556. Springer, Heidelberg (2012). doi:10.

1007/978-3-642-33167-1 31

11. Wang, Y., Wu, Q., Wong, D.S., Qin, B., Chow, S.S.M., Liu, Z., Tan, X.: Securely

outsourcing exponentiations with single untrusted program for cloud storage. In:

Kutylowski, M., Vaidya, J. (eds.) ESORICS 2014. LNCS, vol. 8712, pp. 326–343.

Springer, Heidelberg (2014). doi:10.1007/978-3-319-11203-9 19

12. Kiraz, M.S., Uzunkol, O.: Eﬃcient and veriﬁable algorithms for secure outsourcing of cryptographic computations. Cryptology ePrint Archive, Report 2014/748

(2014). http://eprint.iacr.org/

13. Matsumoto, T., Kato, K., Imai, H.: Speeding up secret computations with insecure

auxiliary devices. In: Goldwasser, S. (ed.) CRYPTO 1988. LNCS, vol. 403, pp. 497–

506. Springer, Heidelberg (1990). doi:10.1007/0-387-34799-2 35

14. Nguyen, P.Q., Shparlinski, I.E.: On the insecurity of a server-aided RSA protocol. In: Boyd, C. (ed.) ASIACRYPT 2001. LNCS, vol. 2248, pp. 21–35. Springer,

Heidelberg (2001). doi:10.1007/3-540-45682-1 2

15. Chevalier, C., Laguillaumie, F., Vergnaud, D.: Privately outsourcing exponentiation to a single server: cryptanalysis and optimal constructions. IACR Cryptology

ePrint Archive 2016/309 (2016)

16. Kiraz, M.S., Uzunkol, O.: Eﬃcient and veriﬁable algorithms for secure outsourcing

of cryptographic computations. Int. J. Inf. Secur. 15(5), 519–537 (2016). doi:10.

1007/s10207-015-0308-7

17. Boyko, V., Peinado, M., Venkatesan, R.: Speeding up discrete log and factoring based schemes via precomputations. In: Nyberg, K. (ed.) EUROCRYPT

1998. LNCS, vol. 1403, pp. 221–235. Springer, Heidelberg (1998). doi:10.1007/

BFb0054129

1 2EXP: Secure Outsourcing Algorithm for Single Modular Exponentiation