Privately Outsourcing Exponentiation to a Single Server: Cryptanalysis and Optimal Constructions

We address the problem of speeding up group computations in cryptography using a single untrusted computational resource. We analyze the security of an efficient protocol for securely outsourcing multi-exponentiations proposed at ESORICS 2014. We show that this scheme does not achieve the claimed security guarantees, and we present practical polynomial-time attacks on the delegation protocol that allow the untrusted helper to recover part (or all) of the device's secret inputs. We then provide simple constructions for outsourcing group exponentiations in different settings (e.g. public/secret and fixed/variable bases, public/secret exponents). Finally, we prove that our attacks on the ESORICS 2014 protocol are unavoidable if one wants to use a single untrusted computational resource and to limit the computational cost on the limited device to a constant number of (generic) group operations. In particular, we show that our constructions are actually optimal in terms of operations in the underlying group.
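The following is an added toy illustration of the problem setting, not code from the paper and not its constructions or the attacked ESORICS 2014 protocol. It shows two of the settings named above, a fixed public base with a secret exponent and a secret base with a public exponent, delegated to one untrusted server using textbook additive and multiplicative blinding. It assumes the device can draw random pairs (r, G^r) for the fixed base G from a precomputed source (the `PairOracle` class is this assumption); the group parameters, the `UntrustedServer` and `CheatingServer` classes and all function names are constructed for the example. The server logs its view so one can see that the values it receives are uniformly distributed regardless of the secret. The cheating server shows the caveat that matters for a single helper: these protocols give privacy of the inputs, not verifiability of the result.

```python
"""Toy single-server delegation of group exponentiation with a private input.

Added illustration, not the constructions or the attacked protocol of the paper.
"""
import secrets

# Constructed toy parameters: P = 2*Q + 1 is a safe prime and G = 4 is a quadratic
# residue, so it generates the order-Q subgroup of Z_P^*.  Real parameters would be
# a ~2048-bit prime or an elliptic-curve group; the protocol logic is unchanged.
P = 2039
Q = 1019
G = 4


class PairOracle:
    """Hands the device random pairs (r, G^r) for the fixed base G.

    Assumption: the pairs are produced offline (precomputation or a trusted
    preprocessing step), so the device does no online exponentiation itself.
    """

    def __init__(self, g=G, p=P, q=Q):
        self.g, self.p, self.q = g, p, q

    def pair(self):
        r = secrets.randbelow(self.q)
        return r, pow(self.g, r, self.p)


class UntrustedServer:
    """Does the heavy exponentiations and logs everything the device shows it."""

    def __init__(self, p=P):
        self.p = p
        self.transcript = []

    def exp(self, base, exponent):
        self.transcript.append((base, exponent))
        return pow(base, exponent, self.p)


class CheatingServer(UntrustedServer):
    """Same interface, but every answer is silently multiplied by G."""

    def exp(self, base, exponent):
        return (super().exp(base, exponent) * G) % self.p


def delegate_secret_exponent(server, oracle, a):
    """Return G^a for a secret exponent a (fixed public base G).

    a is masked additively with the r of a fresh pair: (a - r) mod q is uniform
    whatever a is, so the server's view carries no information about a.
    Device cost: one group multiplication.
    """
    r, g_r = oracle.pair()
    masked = (a - r) % oracle.q
    g_masked = server.exp(oracle.g, masked)   # server computes G^(a-r)
    return (g_masked * g_r) % oracle.p        # G^(a-r) * G^r = G^a


def delegate_secret_base(server, oracle, h, a):
    """Return h^a for a secret base h in the subgroup and a public exponent a.

    h is masked multiplicatively: u = h * G^r is a uniform subgroup element.
    The server returns u^a = h^a * G^(r*a); the stray factor is cancelled with a
    second, exponent-hiding delegation of G^(-r*a).  Device cost: three group
    multiplications and two server queries, neither of which depends on h.
    """
    r, g_r = oracle.pair()
    u = (h * g_r) % oracle.p
    u_a = server.exp(u, a)
    unmask = delegate_secret_exponent(server, oracle, (-r * a) % oracle.q)
    return (u_a * unmask) % oracle.p


def result_is_correct(server, a_secret, h_secret, a_public):
    """Compare both delegations against direct computation.

    Only this check does the direct exponentiation; the device itself has no way
    to tell whether a single untrusted server answered honestly.
    """
    oracle = PairOracle()
    ok_exp = delegate_secret_exponent(server, oracle, a_secret) == pow(G, a_secret, P)
    ok_base = delegate_secret_base(server, oracle, h_secret, a_public) == pow(h_secret, a_public, P)
    return ok_exp and ok_base


if __name__ == "__main__":
    honest = UntrustedServer()
    print("honest server, correct result:", result_is_correct(honest, 777, pow(G, 345, P), 55))
    print("server saw (base, exponent) pairs:", honest.transcript)
    cheat = CheatingServer()
    print("cheating server, correct result:", result_is_correct(cheat, 777, pow(G, 345, P), 55))
```

Two points follow from the code. First, the pair source is tied to one fixed base, which is why the secret-exponent routine only serves the fixed-base setting; a variable public base would need either pairs for that base or the two-query trick used for the secret base. Second, the cheating server is never detected: the device accepts whatever it is given, so any deployment that also needs correctness has to add a verification mechanism on top of the privacy guarantee.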
