1 2EXP: Secure Outsourcing Algorithm for Single Modular Exponentiation
Tải bản đầy đủ - 0trang
CRT-Based Outsourcing Algorithms for Modular Exponentiations
87
Masking a. In order to mask a, C invokes the BPV+ algorithm to get the pairs
(α, g2α ) and (β, g2β ). Now C computes:
1. a1 = a − α;
2. a2 = a − β;
Queries to U1 . Now C invokes the BPV+ algorithm to get the pair (t, g1t ) and
sends the following queries to U1 in random order:
1. (x, a1 , n) → X1 ;
2. (x, β, n) → X2 ;
3. (g1t , −aθ/t, p) → X4 ;
Queries to U2 . Now C sends the following queries to U2 in random order:
1. (x, a2 , n) → X3 ;
2. (g1t , −aθ/t, p) → X5 ;
Verifying the correctness of {U1 , U2 }’s output.
1. C checks whether
?
(2)
g2β mod r2 = X2 mod r2 .
2. C checks whether
?
[X1 mod r2 · g2α ] mod r2 = X2 · X3 mod r2 .
3. C checks whether
?
X4 = X5 mod p.
(3)
(4)
Recovering u . If Eqs. 2, 3 and 4 hold, then C believes that all the values
X1 , X2 , X3 , X4 and X5 have been computed correctly. This implies that
X2 · X3 · X4 ≡ ua mod p due to simultaneous system of congruences. If the
check fails, then C outputs an error message.
a
Remark 1. (Checkability) Note that all the queries output are checked by the
client and then only the output ua is computed. Hence the client now believes
that ua has been computed correctly. In the above algorithms, both p and n are
sent to both the servers U1 and U2 and thus reveal r1 r2 , but the servers do not
gain any advantage in knowing r1 r2 . Note that the correctness of the outputs
X1 X2 and X3 are checked using the client’s stored values g2α and g2β and hence
the server trying to send bogus results can be detected.
3.2
Security and Eﬃciency Analysis
In this section, we analyse the security properties of the proposed algorithm
using the one malicious model of Hohenberger and Lysyanskaya [8].
Lemma 1 (Correctness). In the one malicious model, the algorithms (C, U1 , U2 )
are correct implementation of 2EXP, where the inputs (a, u, p) may be honest,
secret; or honest, protected; or adversarial protected.
88
L. Kuppusamy and J. Rangasamy
Proof. We know that for any integer m ≥ 0,
xm = {u · g1θ · r1 · r2 · (r1−1 r2−1 mod p) + h · r2 · p · (r2−1 p−1 mod r1 )
+ g2 · p · r1 · (p−1 r1−1 mod r2 )}m
=
k1 +k2 +k3 =m
(5)
m!
k1 k2 k3
k1 !+k2 !+k3 ! A B C
where A = u · g1θ · r1 · r2 · (r1−1 r2−1 mod p), B = h · r2 · p · (r2−1 p−1 mod r1 ),
C = g2 · p · r1 · (p−1 r1−1 mod r2 ) and ki , 1 ≤ i ≤ 3 are non-negative integers. By
taking a reduction modulo r2 to both sides of Eq. 5, we obtain,
xm mod r2 = g2m mod r2 ,
(6)
since all the terms except for the case k3 = m in the above summation vanishes.
Similarly, a reduction modulo p to both sides of Eq. 5, we obtain
xm mod p = um · g1mθ mod p;
(7)
If one of Ui , i = 1, 2 performs honestly, then it easy to check whether
?
X4 = X5 mod p.
(8)
Also using Eqs. 6, and 7 we see that
X1 = xa1 mod n =
and
X2 = xβ mod n =
and
X3 = xa2 mod n =
ua1 g1a1 θ mod p
g2a1 mod r2
(9)
uβ g1βθ mod p
g2β mod r2
(10)
ua2 g1a2 θ mod p
g2a2 mod r2
(11)
Using the stored g2β value, it is easy to see from Eq. 10 that X2 mod r2 = g2β .
Once the value X2 is checked for correctness, then it is easy to check whether
?
X1 mod r2 · g2α mod r2 = X2 · X3 mod r2 using Eqs. 9 and 11. If all the equalities
hold, then the desired result is obtained using reduction modulo p.
In the following theorem, we give a proof sketch to show that (C, U1 , U2 ) is an
outsource-secure implementation of 2EXP, as per the Hohenberger-Lysyanskaya
security model.
Theorem 1 (Privacy). In the one malicious program model, the pair of algorithms (C, U) is an outsource-secure implementation of 2EXP, where the input
(a, u, p) may be honest, secret; or honest, protected; or adversarial protected.
CRT-Based Outsourcing Algorithms for Modular Exponentiations
89
Proof. Assume that A = (E, U1 , U2 ) be a probabilistic polynomial time (PPT)
adversary which interacts with the PPT algorithm C in the one malicious program model.
Pair One: (E learns nothing) EVIEWreal ∼ EVIEWideal
If the input (a, u, p) is not honest, secret, the simulator S1 behaves the same
way as in the real experiment. If the input is honest, secret, then S1 behaves
as follows: S1 ignores the input it received in the ith round and chooses three
primes p∗ , r1∗ and r2∗ of same size as p, r1 and r2 respectively and set n∗ = p∗ r1∗ r2∗ .
The main task of S1 in the ith round is to outsource and verify the computation
∗
of (u∗ )a , where u∗ and a∗ are chosen by S1 from the same distribution used
to choose u and a. S1 mask u∗ and a∗ the same way as in our algorithm using
appropriately chosen α∗ , and β ∗ and computes x∗ , a∗1 and a∗2 . Now, s1 query U1
∗ ∗
∗t∗
with the inputs (x∗ , a∗1 , n∗ ), (x∗ , β ∗ , n∗ ) and (g1 1 , −at∗θ , p∗ ). Then s1 query U2
∗t∗
∗ ∗
1
with the inputs (x∗ , a∗2 , n∗ ) and (g1 1 , −at∗θ , p∗ ). S1 checks all the outputs as per
1
the algorithm description. If no error is detected, then S1 outputs Ypi = ∅, Yui = ∅,
replacei = 0. That is, the output of the ideal process is set to (estatei , ypi , yui );
otherwise, S1 selects a random element r and outputs Ypi = r, Yui = ∅, replacei = 1.
That is the output of the ideal process is set to (estatei , r, ∅). In both the cases,
S1 saves the appropriate states.
In real process, all the components (x, g1t1 , a1 , β, a2 , −aθ
t1 ) in the queries made
by C are independently re-randomized to achieve computational indistinguisha∗ ∗
∗t∗
bility. In the ideal process the values (x∗ , g1 1 , a∗1 , β ∗ , a∗2 , −at∗θ ) are chosen uni1
formly at random from the same distribution. Hence, both in the real and the
ideal process, the input distributions to U1 and U2 are computationally indistinguishable. Now, consider the following scenarios:
– If either one of Ui behaves honestly in the ith round, then it perfectly executes
the algorithm 2EXP such that the outputs from Ui in the ideal experiment
matches. Therefore, the simulator S1 does not replace the output of 2EXP in
the real experiment (i.e., replacei = 0). Hence EVIEWireal ∼ EVIEWiideal .
– If one of Ui is dishonest and outputs an incorrect value in round i, then it will
be detected by both C and S1 with probability 1 as all the ouptputs could be
validated. In the real experiment, the outputs from Ui are further processed as
in Eqs. 9, 10. Similarly, in the ideal experiment, S1 simulates with the random
value r. Hence, EVIEWireal ∼ EVIEWiideal even if Ui is dishonest in the ith
round.
By the hybrid argument, it can be shown that EVIEWreal ∼ EVIEWideal .
Pair Two: ( Ui learns nothing): UVIEWreal ∼ UVIEWideal
Let S2 be a PPT simulator that behaves in the same manner regardless of
whether the input (a, u, p) is honest, secret or honest, protected or adversarial
protected. That is, S2 ignores the input in the ith round, and makes queries
∗ ∗
∗t∗
of the form (x∗ , a∗1 , n∗ ), (x∗ , β ∗ , n∗ ), (x∗ , a∗2 , n∗ ), (g1 1 , −at∗θ , p∗ ), accordingly to
1
90
L. Kuppusamy and J. Rangasamy
Ui . Then S2 saves both its state and U ’s state. Note that E can easily distinguish between these two experiments as the inputs to the experiment might
be honest, protected and adversarial protected. But it cannot communicate
this information to Ui . This is due to the fact that, in the ideal experiment,
the inputs are computationally blinded by C before being given as input to
Ui . In the ideal experiment, the simulator S2 always query the components
∗ ∗
∗t∗
(x∗ , g1 1 , a∗1 , β ∗ , a∗2 , −at∗θ ) that are selected uniform at random from the same
1
distribution. Hence UVIEWireal ∼ UVIEWiideal for each round i. By the hybrid
argument, it can be shown that UVIEWreal ∼ UVIEWideal .
Theorem 2 (Checkability). In the one malicious program model, the above algorithms (C, U1 , U2 ) are an (3, 1)-outsource-secure implementation of 2EXP.
Proof. For an k−bit exponent a, the computation of ua mod p requires roughly
1.5k modular multiplications (MM) using square and multiply method. Note that
the computation of Eq. 12 and t−1 can be done oﬄine. The online computations
could be as in Eqs. 2, 3 and for the computation of aθt−1 . Thus our algorithm
2EXP requires 3 Modular Multiplications. Therefore our algorithm (C, U) is an
3−eﬃcient implementation of 2EXP.
Since the third query (X4 and X5 ) is same for both the servers Ui , it is easy
to detect if one of the server exhibits malicious behaviour. The other outputs
X1 , X2 , X3 are validated by the client by reducing the values to modulo r2 . If
the check passes then by simulataneous system of linear congruences, the client
computes the required result by reducing the values to modulo p. However, a
malicious server Ui outputs incorrect values without being detected by C provided
if it can ﬁnd the modulus r2 . That is, if the malicious Ui knows r2 and reduces
x to modulo r2 to obtain g 2 then it can submit the results of X1 , X2 , X3 for the
base g2 instead of xi . As the client validates Ui ’s output by reducing them to r2 ,
the validation goes through. But the values X1 , X2 , X3 will not help the client
to ﬁnd ua as reducing Xi to modulo p will not lead to the value with base u.
Since the server knows p and r1 ∗ r2 through the input to the queries, it has to
solve the factorisation problem for r1 ∗ r2 . That is it is evident from [19] that for
a suﬃciently large 3-prime modulus n = p ∗ r1 ∗ r2 there is no known polynomial
time algorithm to factor it into primes even if one of the primes, say p, is known.
Hence our algorithm is a 1-checkable implementation of 2EXP. Combining
the above arguments, we prove the theorem.
3.3
Comparison
Table 1 lists the number of operations performed by C in the previous outsourcing schemes that achieves both privacy and eﬃciency with two untrusted
servers. From the table, it is evident that our algorithm is superior in terms of
both the eﬃciency and checkability parameters. We use MM to denote modular
multiplication.
CRT-Based Outsourcing Algorithms for Modular Exponentiations
91
Table 1. Comparison of outsourcing algorithms for single exponentiation
4
Exp Algorithm
MMs
ua
6 O(RAND) +9 2
8
1/2
5 O(RAND) + 7 2
3
2
6
5
2/3
1
HohenbergerLysyanskaya [8]
Chen et al. [10]
Ours
Servers Queries to Checkability
U1 + U2
2GEXP: Algorithm to Outsource Simultaneous
Modular Exponentiations
Consider two primes p and q such that q|(p − 1) and the multiplicative subgroup
of Z∗p with order q. The task of C is to compute
s
i=1
uai i mod p where ui ∈ Z∗p are
the variable bases and ai ∈ Zq are the variable exponents. The task of {U1 , U2 }
is to return the output ij mod k on input (i, j, k). Since C aims to protect the
values ui and ai for 1 ≤ i ≤ s from {U1 , U2 }, they are computationally blinded
before being given as input to {U1 , U2 }. As seen in Sect. 3.1, the variable-bases
ui are masked using CRT. Our algorithm is described as follows:
Pre-computation. We use the same pre-processing technique, namely the
BPV+ algorithm and primes r1 and r2 as in Sect. 3.1. The only diﬀerence
is that C needs to call it for each pair (ai , ui ). Choose a base h ∈ Z∗r1 .
Masking ui . Compute (θi , g1θi ), i = {1, . . . , s} using the BPV+ technique. Using
CRT for each i = {1, . . . , s} leads us to the following system of three simultaneous congruences
xi ≡ ui g1θi mod p
and xi ≡ h mod r1
and xi ≡ g2 mod r2
and its unique solution xi mod n can be computed as
xi = ui · g1θi · r1 · r2 · (r1−1 r2−1 mod p) + h · r2 · p · (r2−1 p−1 mod r1 )
+ g2 · p · r1 · (p−1 r1−1 mod r2 ).
(12)
Masking ai . To blind ai (1 ≤ i ≤ s), C runs BPV+ 2s times to obtain the pairs
{(αi , g2αi )}si=1 and {(βi , g2βi )}si=1 . Then C computes:
ai1 = ai − αi and ai2 = ai − βi .
Queries to U1 . Now C invokes the BPV+ algorithm to get a pair (t, g1t ) and
sends the following queries to U1 in random order:
1. (xi , ai1 , n) → Xi1 ;
2. (xi , βi , n) → Xi2 ;
3. (g1t ,
s
i=1
(−ai θi )/t, p) → X4 ;
92
L. Kuppusamy and J. Rangasamy
Queries to U2 . Now C makes the following queries to U2 in random order:
1. (xi , ai2 , n) → Xi3 ;
2. (g1t ,
s
i=1
(−ai θi )/t, p) → X5 ;
Verifying the correctness of {U1 , U2 } output.
1. C checks ﬁrst if
s
g2βi
?
s
mod r2 =
i=1
Xi2 mod r2 .
(13)
i=1
2. C then checks whether
s
s
Xi1 mod r2 ·
i=1
?
s
g2αi mod r2 =
i=1
(Xi2 · Xi3 ) mod r2 .
3. and
?
X4 = X5 mod p.
s
Recovering
i=1
(14)
i=1
(15)
uai i . If Eqs. 13, 14 and 15 hold, then C believes that for 1 ≤ i ≤ s
all the values Xi1 , Xi2 , Xi3 , Xi4 and Xi5 have been computed correctly. This
s
implies that
i=1
Xi2 · Xi3 · Xi4 ≡
s
i=1
uai i mod p due to simultaneous system of
congruences. If the check fails, then C outputs an error message.
4.1
Security and Eﬃciency Analysis
The algorithms proposed in Sects. 3 and 4 depend on the same techniques to
mask the inputs (a, u). Thus, due to space limitation we do not repeat the
correctness lemma as in Lemma 1 and the proof of following theorem for the
simulataneous exponentiation case.
Theorem 3. In the one malicious program model, the pair of algorithms (C, U)
is an outsource-secure implementation of 2GEXP, where the input (ai , ui , p)
may be honest, secret; or honest, protected; or adversarial protected.
Theorem 4. In the one malicious program model, the above algorithms
(C, U1 , U2 ) are an (3s, 1)-outsource-secure implementation of 2GEXP.
4.2
Comparison
Table 2 lists the number of operations performed by C in the previous outsourcing
schemes that achieves both privacy and eﬃciency with two untrusted servers.
From the table, it is evident that our algorithm is superior in terms of both the
eﬃciency and checkability parameters. We achieved 1−checkable property at the
cost of little communication overhead compared to the existing one. However we
could reduce the communication overhead with lesser checkability probability.
We use MM to denote modular multiplication.
CRT-Based Outsourcing Algorithms for Modular Exponentiations
93
Table 2. Comparison of outsourcing algorithms for simultaneous exponentiation
Exp
s
i=1
Algorithm
Servers Queries to Checkablity
U1 + U2
uai i Chen et al. [10] 5O(RAND) + 3s + 4 2
Ours
5
MMs
3s
2
2s + 4
2/(s + 2)
3s + 2
1
Potential Applications of Our Algorithms
In this section we identify and discuss the usefulness of our secure outsourcing
algorithms for single and simultaneous modular exponentiation.
5.1
Securely Oﬄoading the Final Exponentiation in Pairings
Pairings have been widely used in cryptography and have become an important
and attractive research area. Given the advantages of pairing-based schemes,
recent studies focused on deploying them in various scenarios [20–22]. As the
usage of hand-held resourced-constrained devices grows exponentially, equipping
them with pairings may help the devices cater to variety of security services.
A typical pairing computation consists of two steps, namely the Miller’s algorithm [23] and the ﬁnal exponentiation. Research works focused to speed up pairing computation are mainly about improving the complexity of Miller’s algorithm
and there are only few works related to speeding up the ﬁnal exponentiation step
[24,25]. Now we will show how our secure outsourcing algorithms could beneﬁt
the ﬁnal exponentiation step.
Let us consider the Tate pairing, the most widely used pairing type. Consider
an elliptic curve E over a ﬁnite ﬁeld Fq with k being the embedding degree.
For any two points P and Q on E(Fqk ), The Tate pairing value at (P, Q) is
q k −1
speciﬁed to be e(P, Q) = fr,P (Q) r where fr,P ∈ Fqk [x, y] is called as the
Miller function. Thus the ﬁnal exponentiation in the Tate pairing is obtained
by raising an element in Fqk to the exponent (q k − 1)/r. We note that our
outsourcing algorithm for single exponentiation can be adapted to this setting
to securely oﬄoad the ﬁnal exponentiation in full.
Another common method is to split the exponent (q k − 1)/r accordingly so
that the the computation of ﬁnal exponentiation is given by a ﬁnite product of
s
the following form h i=1 gi ri , where h is relatively easy part to compute and the
rest of the product is considered to be hard part. Since every gi being dependent
on P and Q is not a ﬁxed element, the hard part of the ﬁnal exponentiation can
be seen as a simultaneous exponentiation and thus our outsourcing algorithm
for simultaneous case may be used to securely oﬄoad the hard part of the ﬁnal
exponentiation.
94
5.2
L. Kuppusamy and J. Rangasamy
Outsource-Secure Cryptographic Schemes and Primitives
In this section we recall the applications identiﬁed in the related literature for outsourcing algorithms for modular exponentiation. Hohenberger and
Lysyanskaya [8] showed how to use their outsourcing algorithm for the single
exponentiation to obtain outsource-secure Cramer-Shoup encryption [26] and
outsource-secure Schnorr signature [27,28] schemes. Chen et al. [10] demonstrated the use of their outsourcing algorithm for simultaneous modular exponentiation in cryptographic primitives such as chameleon hashing [29] and trapdoor
commitment [30]. Recently Wang et al. [11] showed evidence of advantages in
using an outsourcing algorithm for the simultaneous case in provable data possession (PDP) [31] schemes for cloud storage. Since our algorithm is generic and
superior, it may provide more beneﬁts when used in any of the above mentioned
cryptographic protocols.
6
Conclusion
We presented secure outsourcing algorithms for single and simultaneous modular
exponentiations. Our algorithms are superior compared to the existing schemes
with two servers. We then showed that the proposed algorithms meet the security
notions of the Hohenberger-Lysyanskaya security model. Finally we discussed
some interesting applications such as outsourcing of ﬁnal exponentiation in pairings. We leave open the problem of securely outsourcing modular exponentiations
using single untrusted server achieving checkability probability 1.
Appendix
A
Security Defintions
Deﬁnition 1 (Algorithm with IO-outsource). The outsource algorithm
Alg obeys the input/output speciﬁcation if it accepts ﬁve inputs and produces
three outputs. The honest entity generates the ﬁrst three inputs and the last two
adversarially chosen inputs are generated by the environment E. The ﬁrst three
inputs can be further classiﬁed based on the information about them available
to the adversary A = (E, U). The ﬁrst input is the honest, secret input which
is unknown to both E and U. The second input is the honest, protected input
which may be known by E, but is protected from U. The third input is the honest,
unprotected input which may be known by both E and U. The fourth input is the
adversarial, protected input which may be known by E, but is protected from U.
The ﬁfth input is the the adversarial, protected input which may be known by E,
but is protected from U. Similarly, the ﬁrst, second and third outputs are called
secret, protected and unprotected outputs respectively.
Deﬁnition 2 (Outsource-security). A pair of algorithms (C, U) is said to be
an outsource-secure implementation of an algorithm Alg with IO-outsource if:
Correctness C U is a correct implementation of Alg.
CRT-Based Outsourcing Algorithms for Modular Exponentiations
95
Security For all probabilistic polynomial-time adversaries A = (E, U ), there
exist probabilistic expected polynomial-time simulators (S1 , S2 ) such that the
following pairs of random variables are computationally indistinguishable.
Pair One (E learns nothing): EVIEWreal ∼ EVIEWideal .
The real process: This process proceeds in rounds. Assume that the honestly
generated inputs are chosen by a process I. The view that the adversarial
environment obtains by participating in the following process:
EVIEWireal = { istatei , xihs , xihp , xihu ← I 1k , istatei−1 ;
i−1
estatei , j i , xiap , xiau , stopi ← E 1k , EVIEWreal
, xihp , xihu ;
tstatei , ustatei , ysi , ypi , yui ← C U
i
(ustatei−1 )
i
i
tstatei−1 , xjhs , xjhp , xjhu , xiap , xiau :
estatei , ypi , yui }
EVIEWreal = EVIEWireal if stopi = TRUE.
In round i, The adversarial environment does not have access to the honest
inputs (xihs , xihp , xihu ) that are picked using an honest, stateful process I. The
environment based on its view from last round, chooses the value of its estatei
variable that is used to recall what it did next time it is invoked. Then, among
the previously generated honest inputs, the environment chooses a input vector
i
i
i
(xjhs , xjhp , xjhu ) to give it to C U . Observe that the environment can specify the
index j i of the inputs but not the values. The environment also chooses the
adversarial protected and unprotected input xiap and xiau respectively. It also
chooses the boolean variable stopi that determines whether round i is the last
round in this process.
i
i
i
Then, C U is run on inputs (tstatei−1 , xjhs , xjhp , xjhu , xiap , xiau ) where tstatei−1
is C’s previously saved state. The algorithm produces a new state tstatei for C
along with the secret ysi , protected ypi and unprotected yui outputs. The oracle
U is given ustatei−1 as input and the current state in saved in ustatei . The
view of the real process in round i consists of estatei , and the values ypi and
yui . The overall view of the environment in the real process is just its view in
the last round.c
The ideal process:
EVIEWiideal = { istatei , xihs , xihp , xihu ← I 1k , istatei−1 ;
i−1
estatei , j i , xiap , xiau , stopi ← E 1k , EVIEWideal
, xihp , xihu ;
i
i
i
astatei , ysi , ypi , yui ← Alg astatei−1 , xjhs , xjhp , xjhu , xiap , xiau ;
i−1
U (ustate
)
i
i
sstatei , ustatei , Ypi , Yui , replacei ← S1
sstatei−1 , xjhp , xjhu , xiap , xiau , ypi , yui ;
i
i
zp , zu = replacei Ypi , Yui + 1 − replacei ypi , yui :
estatei , zpi , zui }
EVIEWideal = EVIEWiideal if stopi = TRUE.
This process also proceeds in rounds. The secret input xihs is hidden from the
stateful simulator S1 . But, the non-secret inputs produced by the algorithm
96
L. Kuppusamy and J. Rangasamy
that is run on all inputs of round i is given to S1 . Now, S1 decides whether to
output the values (ypi , yui ) generated by the algorithm Alg or replace them with
some other values (Ypi , Yui ). This replacement is captured using the indicator
variable replacei ∈ {0, 1}. The simulator is allowed to query the oracle U
which saves its state as in the real experiment.
Pair Two (U Learns Nothing): UVIEWreal ∼ UVIEWideal .
The view that the untrusted entity U obtains by participating in the real
process is described in pair one. UVIEWreal = ustatei if stopi = TRUE. The
ideal process:
UVIEWiideal = { istatei , xihs , xihp , xihu ← I 1k , istatei−1 ;
estatei , j i , xiap , xiau , stopi ← E 1k , estatei−1 , xihp , xihu , ypi−1 , yui−1 ;
i
i
i
astatei , ysi , ypi , yui ← Alg astatei−1 , xjhs , xjhp , xjhu , xiap , xiau ;
U (ustatei−1 )
sstatei , ustatei ← S2
i
sstatei−1 , xjhu , xiau ;
ustatei }
UVIEWideal = UVIEWiideal if stopi = TRUE.
In the ideal process, the stateful simulator S2 is given with only the unprotected
inputs (xihu , xiau ), queries U . As before, U may maintain state.
Deﬁnition 3 (α−eﬃcient, secure outsourcing). A pair of algorithms (C, U)
is said to be an α−eﬃcient implementation of an algorithm Alg if (C, U) is
an outsource secure implementation of algorithm Alg and for all inputs x, the
running time of C is ≤ an α− multiplicative factor of the running time of Alg(x)
Deﬁnition 4 (β−checkable, secure outsourcing). A pair of algorithms
(C, U) is a β−checkable implementation of an algorithm Alg if (C, U) is an outsource secure implementation of algorithm Alg and for all inputs x, if U deviates
from its advertised functionality during the execution of C U (x), C will detect the
error with probability ≥ β
Deﬁnition 5 ((α, β)−outsource-security). A pair of algorithms (C, U) is said
to be an (α, β)−outsource-secure implementation of an algorithm Alg if they are
both α−eﬃcient and β−checkable.
References
1. Abadi, M., Feigenbaum, J., Kilian, J.: On hiding information from an oracle. In:
Proceedings of the Second Annual Conference on Structure in Complexity Theory,
pp. 195–203. IEEE Computer Society (1987)
2. Golle, P., Mironov, I.: Uncheatable distributed computations. In: Naccache, D.
(ed.) CT-RSA 2001. LNCS, vol. 2020, pp. 425–440. Springer, Heidelberg (2001).
doi:10.1007/3-540-45353-9 31
CRT-Based Outsourcing Algorithms for Modular Exponentiations
97
3. Girault, M., Lefranc, D.: Server-aided veriﬁcation: theory and practice. In: Roy,
B. (ed.) ASIACRYPT 2005. LNCS, vol. 3788, pp. 605–623. Springer, Heidelberg
(2005). doi:10.1007/11593447 33
4. Wu, W., Mu, Y., Susilo, W., Huang, X.: Server-aided veriﬁcation signatures: definitions and new constructions. In: Baek, J., Bao, F., Chen, K., Lai, X. (eds.)
ProvSec 2008. LNCS, vol. 5324, pp. 141–155. Springer, Heidelberg (2008). doi:10.
1007/978-3-540-88733-1 10
5. Gennaro, R., Gentry, C., Parno, B.: Non-interactive veriﬁable computing: outsourcing computation to untrusted workers. In: Rabin, T. (ed.) CRYPTO
2010. LNCS, vol. 6223, pp. 465–482. Springer, Heidelberg (2010). doi:10.1007/
978-3-642-14623-7 25
6. Green, M., Hohenberger, S., Waters, B.: Outsourcing the decryption of ABE ciphertexts. In: USENIX Security Symposium 2011. USENIX Association (2011)
7. Gentry, C.: Fully homomorphic encryption using ideal lattices. In: Mitzenmacher,
M. (ed.) Proceedings of the 41st Annual ACM Symposium on Theory of Computing, STOC 2009, pp. 169–178. ACM (2009)
8. Hohenberger, S., Lysyanskaya, A.: How to securely outsource cryptographic computations. In: Kilian, J. (ed.) TCC 2005. LNCS, vol. 3378, pp. 264–282. Springer,
Heidelberg (2005). doi:10.1007/978-3-540-30576-7 15
9. van Dijk, M., Clarke, D.E., Gassend, B., Suh, G.E., Devadas, S.: Speeding up
exponentiation using an untrusted computational resource. Des. Codes Cryptogr.
39(2), 253–273 (2006)
10. Chen, X., Li, J., Ma, J., Tang, Q., Lou, W.: New algorithms for secure outsourcing of modular exponentiations. In: Foresti, S., Yung, M., Martinelli, F. (eds.)
ESORICS 2012. LNCS, vol. 7459, pp. 541–556. Springer, Heidelberg (2012). doi:10.
1007/978-3-642-33167-1 31
11. Wang, Y., Wu, Q., Wong, D.S., Qin, B., Chow, S.S.M., Liu, Z., Tan, X.: Securely
outsourcing exponentiations with single untrusted program for cloud storage. In:
Kutylowski, M., Vaidya, J. (eds.) ESORICS 2014. LNCS, vol. 8712, pp. 326–343.
Springer, Heidelberg (2014). doi:10.1007/978-3-319-11203-9 19
12. Kiraz, M.S., Uzunkol, O.: Eﬃcient and veriﬁable algorithms for secure outsourcing of cryptographic computations. Cryptology ePrint Archive, Report 2014/748
(2014). http://eprint.iacr.org/
13. Matsumoto, T., Kato, K., Imai, H.: Speeding up secret computations with insecure
auxiliary devices. In: Goldwasser, S. (ed.) CRYPTO 1988. LNCS, vol. 403, pp. 497–
506. Springer, Heidelberg (1990). doi:10.1007/0-387-34799-2 35
14. Nguyen, P.Q., Shparlinski, I.E.: On the insecurity of a server-aided RSA protocol. In: Boyd, C. (ed.) ASIACRYPT 2001. LNCS, vol. 2248, pp. 21–35. Springer,
Heidelberg (2001). doi:10.1007/3-540-45682-1 2
15. Chevalier, C., Laguillaumie, F., Vergnaud, D.: Privately outsourcing exponentiation to a single server: cryptanalysis and optimal constructions. IACR Cryptology
ePrint Archive 2016/309 (2016)
16. Kiraz, M.S., Uzunkol, O.: Eﬃcient and veriﬁable algorithms for secure outsourcing
of cryptographic computations. Int. J. Inf. Secur. 15(5), 519–537 (2016). doi:10.
1007/s10207-015-0308-7
17. Boyko, V., Peinado, M., Venkatesan, R.: Speeding up discrete log and factoring based schemes via precomputations. In: Nyberg, K. (ed.) EUROCRYPT
1998. LNCS, vol. 1403, pp. 221–235. Springer, Heidelberg (1998). doi:10.1007/
BFb0054129