
Speeding up Exponentiation using an Untrusted Computational Resource

Designs, Codes and Cryptography

Abstract

We present protocols for speeding up fixed-base variable-exponent exponentiation and variable-base fixed-exponent exponentiation using an untrusted computational resource. In the fixed-base protocols, the exponent may be blinded. In the variable-base protocols, the base may be blinded. The protocols are described for exponentiation in a cyclic group. We describe how to extend them to exponentiation modulo an integer where the modulus is the product of primes with single multiplicity. The protocols provide a speedup of \(\frac{3}{2}((\log k)-1)\) over the square-and-multiply algorithm, where k is the bitlength of the exponent.

One application of the protocols is to speed up exponentiation-based verification in discrete log-based signature and credential schemes. The protocols also allow signature verifiers to dynamically choose, for each message, the amount of work they would like to perform to verify the signature. This results in a work-security tradeoff. We introduce a fifth protocol to perform variable-base variable-exponent exponentiation, which also has this feature.

Our model allows the trusted resource to perform computations in its idle time. The protocols facilitate the offloading of work to the offline stage, such that the work the trusted resource performs when it has to do an exponentiation is smaller. Our protocols are unconditionally secure.
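The abstract names two blinding ideas without detailing the protocols: hiding a variable exponent when the base is fixed, and hiding a variable base when the exponent is fixed, with the trusted party preparing material in its idle time so that the online step is cheap. The following Python is an added illustration of those two ideas and is not the paper's code or its actual protocols; the toy group parameters (P, Q, G), the `UntrustedHelper` class with its `cheat` flag, and the client classes are all assumptions constructed for this example. It uses the textbook precomputed-pair blinding: the helper only ever sees a value that is uniformly distributed independently of the secret, and the client finishes with a single modular multiplication.

```python
import random
from dataclasses import dataclass, field

# Constructed toy group (assumption for this example; far too small to be secure):
# P is a safe prime, Q = (P - 1) / 2 is prime, and G generates the order-Q subgroup.
P = 1019
Q = 509
G = pow(2, 2, P)              # 4, a quadratic residue, hence of order Q
assert pow(G, Q, P) == 1 and G != 1


class UntrustedHelper:
    """Stand-in for the untrusted computational resource (hypothetical).
    It records everything it is asked, so we can see what it learns,
    and can be told to return wrong answers."""

    def __init__(self, cheat=False):
        self.cheat = cheat
        self.seen = []                       # (base, exponent) queries it received

    def exp(self, base, exponent):
        self.seen.append((base, exponent))
        result = pow(base, exponent, P)
        # A dishonest helper: any wrong answer will do for the demonstration.
        return (2 * result) % P if self.cheat else result


@dataclass
class FixedBaseClient:
    """Wants G^x for a secret, variable x.  Offline it stores pairs (r, G^r);
    online it reveals only x - r mod Q, which is uniformly random in Z_Q."""
    rng: random.Random
    table: list = field(default_factory=list)

    def offline(self, n):
        for _ in range(n):
            r = self.rng.randrange(Q)
            self.table.append((r, pow(G, r, P)))

    def online(self, x, helper):
        r, g_r = self.table.pop()
        blinded = (x - r) % Q                # helper learns nothing about x
        y = helper.exp(G, blinded)           # helper does the exponentiation
        return (y * g_r) % P                 # G^(x-r) * G^r = G^x: one multiplication


@dataclass
class FixedExponentClient:
    """Wants h^e for a fixed e and a secret, variable h in the subgroup.
    Offline it stores (u, u^-e) for random u; online it reveals only h*u."""
    e: int
    rng: random.Random
    table: list = field(default_factory=list)

    def offline(self, n):
        for _ in range(n):
            u = pow(G, self.rng.randrange(1, Q), P)          # random subgroup element
            u_inv_e = pow(pow(u, self.e, P), -1, P)            # unblinding factor u^-e
            self.table.append((u, u_inv_e))

    def online(self, h, helper):
        u, u_inv_e = self.table.pop()
        blinded = (h * u) % P                # uniform in the subgroup, independent of h
        y = helper.exp(blinded, self.e)      # (h*u)^e
        return (y * u_inv_e) % P             # (h*u)^e * u^-e = h^e


def square_and_multiply_cost(x):
    """(squarings, multiplications) a left-to-right square-and-multiply spends
    on exponent x; compare with the single online multiplication above."""
    bits = bin(x)[3:]                        # drop '0b' and the leading 1 bit
    return len(bits), bits.count("1")


def demo_fixed_base(x, seed=7, cheat=False):
    """Returns (outsourced result, locally computed G^x, exponent the helper saw)."""
    client = FixedBaseClient(random.Random(seed))
    client.offline(1)
    helper = UntrustedHelper(cheat=cheat)
    return client.online(x, helper), pow(G, x, P), helper.seen[0][1]


def demo_fixed_exponent(h, e, seed=7, cheat=False):
    """Returns (outsourced result, locally computed h^e, base the helper saw)."""
    client = FixedExponentClient(e, random.Random(seed))
    client.offline(1)
    helper = UntrustedHelper(cheat=cheat)
    return client.online(h, helper), pow(h, e, P), helper.seen[0][0]


if __name__ == "__main__":
    got, ref, seen = demo_fixed_base(123)
    print("fixed base: correct =", got == ref, "| helper saw exponent", seen)
    got, ref, seen = demo_fixed_exponent(pow(G, 77, P), 65537)
    print("fixed exponent: correct =", got == ref, "| helper saw base", seen)
    print("square-and-multiply cost for x=123:", square_and_multiply_cost(123))
```

Two points the code makes concrete. First, blinding is information-theoretic: `x - r mod Q` and `h * u` are uniform whatever the secret is (the base blinding needs `h` to lie in the order-Q subgroup, otherwise the product leaks the coset), which is the sense in which a scheme of this shape can be unconditionally secure for privacy. Second, blinding alone does not protect correctness: the `cheat=True` helper silently produces a wrong answer, and the client here has no way to notice. Detecting or tolerating a misbehaving helper is exactly what the abstract's verification setting and work-security tradeoff are about, and this example does not reproduce that part.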



Correspondence to Marten Van Dijk.

Communicated by: I. F. Blake

Cite this article

Van Dijk, M., Clarke, D., Gassend, B. et al. Speeding up Exponentiation using an Untrusted Computational Resource. Des Codes Crypt 39, 253–273 (2006). https://doi.org/10.1007/s10623-005-3710-8
