Abstract
Delegation of operations used in cryptographic schemes from a computationally weaker client to a computationally stronger server has been advocated to expand the applicability of cryptosystems to computing with resource-constrained devices. Classical results for the verification of integer and polynomial products are based on a test due to Pippenger, Yao and Kaminski which verifies these operations modulo a small prime. In this paper we describe and prove an efficient small integer modulus test and show its application to single-server delegated computation of operations of interest in cryptosystems. In particular, we show single-server delegated computation protocols, without any preprocessing, for the following operations:
-
1.
modular multiplication of two public group values,
-
2.
modular inverse of a public group value,
-
3.
modular inverse of a private group value, and
-
4.
exponentiation of a public base to a small public exponent in the RSA group.
Our protocols satisfy result correctness, input privacy (unless the input is public), result security and client efficiency. Previous work satisfied only a subset of these properties, or required preprocessing, or satisfied lower client efficiency.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
Similar content being viewed by others
References
Abadi, M., Feigenbaum, J., Kilian, J.: On hiding information from an oracle. J. Comput. Syst. Sci. 39(1), 21–50 (1989)
Ahmad, H., et al.: Primitives towards verifiable computation: a survey. Front. Comput. Sci. 12(3), 451–478 (2018)
Bellare, M., Garay, J.A., Rabin, T.: Fast batch verification for modular exponentiation and digital signatures. In: Nyberg, K. (eds.) EUROCRYPT 1998. LNCS, vol. 1403, pp. 236–250. Springer, Heidelberg (1998). https://doi.org/10.1007/BFb0054130
Bouillaguet, C., Martinez, F., Vergnaud, D.: Cryptanalysis of modular exponentiation outsourcing protocols. Comput. J. 65(9), 2299–2314 (2022)
Cavallo, B., Di Crescenzo, G., Kahrobaei, D., Shpilrain, V.: Efficient and secure delegation of group exponentiation to a single server. In: Mangard, S., Schaumont, P. (eds.) Radio Frequency Identification. Security and Privacy Issues, pp. 156–173. Springer, Cham (2015). https://doi.org/10.1007/978-3-319-24837-0_10
Crandall, R., Pomerance, C.: Prime Numbers: A Computational Perspective, 2nd edn. Springer, New York (2005). https://doi.org/10.1007/0-387-28979-8
Di Crescenzo, G., Khodjaeva, M., Shpilrain, V., Kahrobaei, D., Krishnan, R.: Single-server delegation of ring multiplications from quasilinear-time clients. In: Proceedings of SINCONF 2021, pp. 1–8 (2021)
Di Crescenzo, G., et al.: On single-server delegation of RSA. In: Bella, G., Doinea, M., Janicke, H. (eds.) SecITC 2022. LNCS, vol. 13809, pp. 81–101. Springer, Cham (2023). https://doi.org/10.1007/978-3-031-32636-3_5
Di Crescenzo, G., Khodjaeva, M., Kahrobaei, D., Shpilrain, V.: Computing multiple exponentiations in discrete log and RSA groups: from batch verification to batch delegation. In: Proceedings of CNS 2017, pp. 531–539 (2017)
Di Crescenzo, G., Khodjaeva, M., Morales Caro, D.: Single-server batch delegation of variable-input pairings with unbounded client lifetime. In: Proceedings of ADIoT 2023, ESORICS 2023 Workshops, LNCS. Springer, to appear (2023)
Feigenbaum, J.: Encrypting problem instances. In: Williams, H.C. (eds.) CRYPTO 1985. LNCS, vol. 218, pp. 477–488. Springer, Heidelberg (1986). https://doi.org/10.1007/3-540-39799-X_38
Gennaro, R., Gentry, C., Parno, B.: Non-interactive verifiable computing: outsourcing computation to untrusted workers. In: Rabin, T. (eds.). CRYPTO 2010. LNCS, vol. 6223, pp. 465–488. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-14623-7_25
Girault, M., Lefranc, D.: Server-aided verification: theory and practice. In: Roy, B. (eds.). ASIACRYPT 2005. LNCS, vol. 3788, pp. 605–623. Springer, Heidelberg (2005). https://doi.org/10.1007/11593447_33
Hohenberger, S., Lysyanskaya, A.: How to securely outsource cryptographic computations. In: Kilian, J. (eds.). TCC 2005. LNCS, vol. 3378, pp. 264–282. Springer, Heidelberg (2005). https://doi.org/10.1007/978-3-540-30576-7_15
Kaminski, M.: A note on probabilistically verifying integer and polynomial products. J. ACM 36(1), 142–149 (1989)
Karatsuba, A., Ofman, Y.: Multiplication of many-digital numbers by automatic computers. Proc. USSR Acad. Sci. 145, 293–294 (1963). Translation in Physics-Doklady 7, 595–596 (1963)
Karatsuba, A.A.: The complexity of computations. Proc. Steklov Inst. Math. 211, 169–183 (1995). Translation from Trudy Mat. Inst. Steklova 211, 186–202 (1995)
Karp, R.M., Rabin, M.O.: Efficient randomized pattern-matching algorithms. In: Rep. TR-31-81. Harvard Univ. Center for Research in Computing Technology, Cambridge (1981)
Khodjaeva, M., Di Crescenzo, G.: On single-server delegation without precomputation. In: Proceedings of 20th International Conference on Security and Cryptography, SECRYPT 2023, ScitePress, pp. 540–547 (2023)
Kalkar, O., Sertkaya, I., Tutdere, S.: On the batch outsourcing of pairing computations. Comput. J. 66(10), 2437–2446 (2022)
Liu, J.K., Au, M.H., Susilo, W.: Self-generated-certificate public-key cryptography and certificateless signature/encryption scheme in the standard model. In: Proceedings of the ACM Symposium on Information, Computer and Communications Security. ACM Press (2007)
Matsumoto, T., Kato, K., Imai, H.: Speeding up secret computations with insecure auxiliary devices. In: Goldwasser, S. (eds.). CRYPTO 1988. LNCS, vol. 403, pp. 497–506. Springer, New York (1990). https://doi.org/10.1007/0-387-34799-2_35
Mefenza, T., Vergnaud, D.: Verifiable outsourcing of pairing computations. Technical report (2018)
Rangasamy, J., Kuppusamy, L.: Revisiting single-server algorithms for outsourcing modular exponentiation. In: Chakraborty, D., Iwata, T. (eds.). INDOCRYPT 2018. LNCS, vol. 11356, pp. 3–20. Springer, Cham (2018). https://doi.org/10.1007/978-3-030-05378-9_1
Rivest, R., Shamir, A., Adleman, L.: A method for obtaining digital signatures and public-key cryptosystems. Commun. ACM 21(2), 120–126 (1978)
Rosser, J., Schoenfeldl, L.: Approximate formulas for some functions of prime numbers. Ill. J. Math. 6, 64–94 (1962)
Shan, Z., Ren, K., Blanton, M., Wang, C.: Practical secure computation outsourcing: a survey. ACM Comput. Surv. 51(2), 31:1–31:40 (2018)
Su, Q., Zhang, R., Xue, R.: Secure outsourcing algorithms for composite modular exponentiation based on single untrusted cloud. Comput. J. 63, 1271 (2020)
Tong, L., Yu, J., Zhang, H.: Secure outsourcing algorithm for bilinear pairings without pre-computation. In: Proceedings of IEEE DSC (2019)
Tsang, P.P., Chow, S.S.M., Smith, S.W.: Batch pairing delegation. In: Miyaji, A., Kikuchi, H., Rannenberg, K. (eds.) Advances in Information and Computer Security. LNCS, vol. 4752, pp. 74–90. Springer, Heidelberg (2007). https://doi.org/10.1007/978-3-540-75651-4_6
Wasserman, H., Blum, M.: Software reliability via run-time result-checking. J. ACM 44(6), 826–849 (1997). Proc. IEEE FOCS 94
Yao, A.: A lower bound to palindrome recognition by probabilistic turing machines. In: Tech. Rep. STAN-CS-77-647 (1977)
Zhou, K., Afifi, M., Ren, J.: ExpSOS: secure and verifiable outsourcing of exponentiation operations for mobile cloud computing. IEEE Trans. Inf. Forens. Secur. 12(11), 2518–2531 (2017)
Acknowledgements
Work by Matluba Khodjaeva was supported by the NSF CNS - CISE MSI Research Expansion grant N2131182 and PSC CUNY Cycle 53. Work by Giovanni Di Crescenzo, was supported by the Defense Advanced Research Projects Agency (DARPA), contract n. HR001120C0156. Approved for Public Release, Distribution Unlimited. The U.S. Government is authorized to reproduce and distribute reprints for Governmental purposes notwithstanding any copyright annotation hereon. Disclaimer: The views and conclusions contained herein are those of the authors and should not be interpreted as necessarily representing the official policies or endorsements, either expressed or implied, of DARPA, or the U.S. Government.
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Appendices
A Formal Definitions
In this section we recall the formal definition (based on [12, 14]), of delegation protocols and their correctness, privacy, security, and efficiency requirements.
Basic Notations. The expression \(z\leftarrow T\) denotes randomly and independently choosing z from set T. By \(y\leftarrow A(x_1,x_2,\ldots )\) we denote running the algorithm A on input \(x_1,x_2,\ldots \) and any random coins, and returning y as output. By \((y,tr)\leftarrow (A(u_1,u_2,\ldots ),B(v_1,v_2,\ldots ))\) we denote running the interactive protocol between A, with input \(u_1,u_2,\ldots \) and any random coins, and B, with input \(v_1,v_2,\ldots \) and any random coins, where tr denotes A’s and B’s messages in this execution, and y is A’s final output.
System Scenario: Entities and Protocol. We consider a system with a single client, denoted by C, and a single server, denoted by S, who are connected by an authenticated channel, and therefore do not consider any integrity or replay attacks on this channel. Differently than much of previous work in the area, we consider a delegation protocol without offline phase or preprocessing client computations, typically storing extra values in client’s memory, and only consider client computations in what is also called online phase in the literature, where C has time constraints.
Let \(\sigma \) denote the computational security parameter (derived from hardness considerations of the underlying computational problem), and let \(\lambda \) denote the statistical security parameter (defined so that statistical test failure events with probability \(2^{-\lambda }\) are extremely rare). Both parameters are expressed in unary notation (i.e., \(1^\sigma ,1^{\lambda }\)). We think of \(\sigma \) as being asymptotically much larger than \(\lambda \). Let F denote a function and desc(F) denote F’s description. Assuming \(1^\sigma ,1^{\lambda },desc(F)\) are known to both C and S, we define a client-server protocol for the delegated (n-instance) computation of F as the execution: \(\{(y,tr)\leftarrow (C(x),S)\}\), where both parties are assume to be aware of inputs \((1^\sigma ,1^\lambda ,desc(F))\), which we will ofter omit for brevity, and tr is the transcript of the communication exchanged between C and S.
Correctness Requirement. Informally, the correctness requirement states that if both parties follow the protocol, C obtains some output at the end of the protocol, and this output is, with high probability, equal to the value obtained by evaluating function F on C’s input. Formally, we say that a no-preprocessing client-server protocol (C, S) for the delegated computation of F satisfies \(\delta _c\)-correctness if for any x in Dom(F),
for some \(\delta _c\) close to 1, where experiment \(\textrm{CorrExp}\) is:
-
1.
\((y,tr)\leftarrow (C(x),S)\)
-
2.
if \(y=F(x)\), then return: 1 else return: 0
Privacy Requirement. Informally, the privacy requirement should guarantee the following: if C follows the protocol, a malicious adversary corrupting S cannot obtain any information about C’s input x from a protocol execution. This is formalized by extending the indistinguishability-based approach typically used in definitions for encryption schemes. Let (C, S) be a no-preprocessing client-server protocol for the delegated computation of F. We say that (C, S) satisfies \(\epsilon _p\)-privacy (in the sense of indistinguishability) against a malicious adversary if for any algorithm A, it holds that
for some \(\epsilon _p\) close to 0, where experiment \(\textrm{PrivExp}\) is:
-
1.
\((x_{0},x_1,aux)\leftarrow A(desc(F))\)
-
2.
\(b\leftarrow \{0,1\}\)
-
3.
\((y,tr)\leftarrow (C(x_{b}),A(aux))\)
-
4.
\(d\leftarrow A(tr,aux)\)
-
5.
if \(b=d\) then return: 1 else return: 0.
Security Requirement. Informally, the security requirement states that for any efficient and malicious adversary corrupting S and even choosing C’s input tuple x, at the end of the protocol, C cannot be convinced to obtain some output tuple z containing a value \(z\ne F(x)\) Formally, we say that the client-server protocol (C, S) for the delegated n-instance computation of F satisfies \(\epsilon _s\)-security against a malicious adversary if for any algorithm A,
for some \(\epsilon _s\) close to 0, where experiment \(\textrm{SecExp}\) is:
-
1.
\((\vec x,aux)\leftarrow A(desc(F))\)
-
2.
\((\vec z,tr)\leftarrow (C(x),A(aux))\)
-
3.
if \(z \in \{\perp ,F(x)\}\) then return: 0 else return: 1.
We consider different input scenarios, where the input x may be private or public. The above definition considered the “x private” input scenario. The definition for the “x public” input scenario is obtained by the following slight modifications: (1) S is also given x as input; (2) no input privacy is required.
B Properties of \(\mathcal{P}^{mul}\)
The correctness property follows by observing that if C and S follow the protocol, then S computes \(w_0,w_1\) as \(w=a\cdot b=w_0\cdot m+w_1\) and the equation \(a\cdot b=w_0\cdot m+w_1\) is satisfied over \(\mathbb {Z}\) and is therefore satisfied also modulo the small prime s. This prevents C to return \(\perp \), and allows C to return the correct output value \(w_1=w\mod m = a\cdot b \mod m\).
To prove the security property against any malicious S we need to compute an upper bound \(\epsilon _s\) on the security probability that an adversary corrupting S convinces C to output a y such that \(y\ne a\cdot b\mod m\).
We continue the proof of the unbounded security property by defining the following events:
-
\(e_{y,\ne }\), defined as “C outputs y such that \(y\ne a\cdot b\mod m\)”
-
\(e_{t}\), defined as “S’s message contains \(w_0,w_1\) such that \(a\cdot b\ne w_0\cdot m+w_1\mod m\)”.
We now compute an upper bound on the probability of event \(e_{y,\ne }\), conditioned on event \(e_{t}\). We observe that, when event \(e_t\) is true, it holds that \(a\cdot b\mod m\ne w_1\). In this scenario, for event \(e_{y,\ne }\) to happen, it needs to hold that
This happens when
By setting \(x=a\cdot b-w_0\cdot m-w_1\), and applying Lemma 1 for this value of x, we obtain that the probability that \(x=0\mod s\) is at most \(2^{-\lambda }\), which implies the following
Fact 3
\(\textrm{Prob}\left[ \, e_{y,\ne }\,|\,e_{t} \,\right] \le 2^{-\lambda }\)
We then observe that when event \(e_t\) is false, then the message from S follows the protocol and therefore \(e_{y,\ne }\) is also false. This implies the following
Fact 4
\(\textrm{Prob}\left[ \, e_{y,\ne }\,|\,\lnot e_{t} \,\right] =0\)
We can now compute an upper bound on the probability of event \(e_{y,\ne }\). We have that \(\textrm{Prob}\left[ \, e_{y,\ne } \,\right] \) is
where the first equality and the first inequality follow from basic probability facts; the second inequality follows by applying Fact 4, and the last inequality follows by applying Fact 3.
C Properties of \(\mathcal{P}^{inv}_1\)
The result correctness property follows directly by observing that if C and S follow the protocol, the same property of \({\mathcal P}^{mul}\) implies that
after which C returns \(y=w=x^{-1}\mod m\).
To prove the result security property against any malicious S we need to compute an upper bound \(\epsilon _s\) on the security probability that an adversary corrupting S convinces C to output a y such that \(y\ne x^{-1}\mod m\). Assume this adversary sends \(w'\) to C and runs \({\mathcal P}^{mul}\) with C, resulting in C obtaining \(z'\). Now, because C checks whether \(z'\ne 1\), the only possible cheating strategy for the adversary is that of convincing C to accept that \(z'=1\) and \(z'\) is the product of x and \(w'\), even when \(w'\) is not the inverse of x. By the result security property of \({\mathcal P}^{mul}\), this can only happen with probability at most \(2^{-\lambda }\).
D Properties of \(\mathcal{P}^{inv}_2\)
The result correctness property follows directly by observing that if C and S follow the protocol, the same property of \({\mathcal P}^{mul}\) implies that
after which C returns \(y=r\cdot w=r\cdot (x\cdot r)^{-1}=r\cdot r^{-1}\cdot x^{-1}=x^{-1}\mod m\).
The input privacy follows by observing that C only sends a random group value to S.
To prove the result security property against any malicious S we need to compute an upper bound \(\epsilon _s\) on the security probability that an adversary corrupting S convinces C to output a y such that \(y\ne x^{-1}\mod m\). Assume this adversary, after receiving z from c, sends \(w'\) to C and runs \({\mathcal P}^{mul}\) with C, resulting in C obtaining \(v'\). Now, because C checks whether \(v'\ne 1\), the only possible cheating strategy for the adversary is that of convincing C to accept that \(v'=1\) and \(v'\) is the product of z and \(w'\), even when \(w'\) is not the inverse of z. By the result security property of \({\mathcal P}^{mul}\), this can only happen with probability \(\le 2^{-\lambda }\).
E Protocol \(\mathcal{P}^{exp}\)
To formally define protocol \(\mathcal{P}^{exp}=(C,S)\) for the delegated computation of \(x^e\mod m\), we use definitions and algorithms from protocol \({\mathcal P}^{mul}\) as well as an optimized version of it, as mentioned in Sect. 5 and further discussed below.
First, by \({\mathcal P}^{mul}=(S_{m},C_{m})\) we denote a protocol for the delegation of function \(F_{mul}\) with statistical parameter \(\lambda _m\), for public inputs a and b, such as the protocol in Sect. 3. In particular, the notation \((q,r)\leftarrow S_{m}(a,b)\) refers to an execution of the \({\mathcal P}^{mul}\) server’s algorithm with inputs a, b, returning message (q, r) for C, such that \(a\cdot b=q\cdot m+r\), where \(0\le r<m\). Similarly, the notation \(d\leftarrow C_{m}(a,b,q,r)\) refers to an execution of the \({\mathcal P}^{mul}\) client’s algorithm with inputs a, b, and server’s message (q, r), and returning decision bit d where \(d=1/0\) depending on whether \(C_{m}\) accepts/does not accept the statement \(r=a\cdot b\mod n\).
While algorithm S will run \(S^m\), algorithm C will run an optimized version of \(C^m\), which reuses the same modulus s, and the same values \(m'=m\mod s\) and \(x'=x\mod s\), whenever possible across the multiple uses of multiplication delegation within exponentiation delegation, as we now define. Given a randomly chosen \(\eta \)-bit integer s, and values \(m'=m\mod s\) and \(x'=x\mod s\), we define the notation \(d\leftarrow C'_{m}(a,b,q,r,s,m',x')\) to refer to a variant of algorithm \(C_m\), where the computation of s and \(m'\) are replaced by the use of its arguments \(s,m'\), and the use of x as a product factor in correspondence of a bit of exponent e being \(=1\) is replaced by the use of its argument \(x'\). Here, by using \(C'_m\), the client only computes the values \(s,m',x'\) once, while by using \(C_m\), it would have recomputed each of these values either \(\log e\) or about \((\log e)/2\) times.
We now formally describe protocol \({\mathcal P}^{exp}\) to delegate small-exponent exponentiation function \(F_{exp,c}\), which maps \(x\in \mathbb {Z}_m^*\) to \(x^e\mod m\). in a group \(\mathbb {Z}^*_m\), where x and e are public, and e has c bits.
Online Input to C and S: \(1^\sigma ,1^\lambda ,1^c\), \(m\in \{0,1\}^\sigma \), \(x\in \mathbb {Z}_m^*\), \(e\in \{0,1\}^c\)
Online Phase of \({\mathcal P}^{exp}\):
-
1.
S sets \(z=x\), \(y=1\) and \(i=1\)
-
2.
While \(e>1\) do
S computes \((q_{1i},r_{1i})=S_{m}(z,z)\) and sets \(z=r_{i1}\)
if e is even then
S sets \(q_{2i}=r_{2i}=0\), \(i=i+1\) and \(e=e/2\)
if e is odd then
S computes \((q_{2i},r_{2i})=S_{m}(z,x)\) and sets
S sets \(z=r_{i2}\), \(i=i+1\) and \(e=(e-1)/2\)
-
3.
S sends \(((q_{11},r_{11},q_{21},r_{21}),\ldots ,(q_{1c},r_{1c},q_{2c},r_{2c})\) to C
-
4.
C sets \(i=1\) and \(z=x\)
-
5.
C randomly chooses an \(\eta \)-bit integer s, where \(\eta =\lceil \lambda +\log _2\sigma \rceil \)
C computes \(m'=m\mod s\) and \(x'=x\mod s\)
-
6.
While \(e>1\) do
if e is even then
C computes \(d_{1i}=C_{m}(z,z,q_{1i},r_{1i},s,m',x')\)
if \(d_{1i}= 0\) then C halts
else C sets \(z=r_{1i}\), \(i=i+1\) and \(e=e/2\) if e is odd then
C computes \(d_{1i}=C_{m}(z,z,q_{1i},r_{1i},s,m',x')\) and sets \(z=r_{1i}\)
C computes \(d_{2i}=C_{m}(z,x',q_{2i},r_{2i},s,m',x')\) and sets \(z=r_{2i}\)
if \(d_{1i}= 0\) or \(d_{2i}= 0\) then C halts
else C sets \(i=i+1\) and \(e=(e-1)/2\)
-
7.
C returns: \(y=r_{2i}\) and halts
Rights and permissions
Copyright information
© 2024 The Author(s), under exclusive license to Springer Nature Switzerland AG
About this paper
Cite this paper
Khodjaeva, M., di Crescenzo, G. (2024). An Efficient Small Modulus Test and Its Applications to Delegated Computation Without Preprocessing. In: Manulis, M., Maimuţ, D., Teşeleanu, G. (eds) Innovative Security Solutions for Information Technology and Communications. SecITC 2023. Lecture Notes in Computer Science, vol 14534. Springer, Cham. https://doi.org/10.1007/978-3-031-52947-4_12
Download citation
DOI: https://doi.org/10.1007/978-3-031-52947-4_12
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-031-52946-7
Online ISBN: 978-3-031-52947-4
eBook Packages: Computer ScienceComputer Science (R0)