How to Securely Outsource Cryptographic Computations

We address the problem of using untrusted (potentially malicious) cryptographic helpers. We provide a formal security definition for securely outsourcing computations from a computationally limited device to an untrusted helper. In our model, the adversarial environment writes the software for the helper, but then does not have direct communication with it once the device starts relying on it. In addition to security, we also provide a framework for quantifying the efficiency and checkability of an outsourcing implementation. We present two practical outsource-secure schemes. Specifically, we show how to securely outsource modular exponentiation, which presents the computational bottleneck in most public-key cryptography on computationally limited devices. Without outsourcing, a device would need O(n) modular multiplications to carry out modular exponentiation for n-bit exponents. The load reduces to O(log² n) for any exponentiation-based scheme where the honest device may use two untrusted exponentiation programs; we highlight the Cramer-Shoup cryptosystem [13] and Schnorr signatures [28] as examples. With a relaxed notion of security, we achieve the same load reduction for a new CCA2-secure encryption scheme using only one untrusted Cramer-Shoup encryption program.
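The abstract names three ideas without showing them: the O(n) on-device cost of modular exponentiation, hiding the secret exponent from an untrusted helper, and checkability (catching a helper that lies). The following Python is an added illustration written for this page; it is not the paper's algorithm, which is not reproduced here. It assumes a toy Schnorr-style group (P = 1019, Q = 509, G = 4, constructed and far too small for real use) and a device-side pool of precomputed pairs (r, g^r); how a real scheme obtains such pairs is outside what the abstract states. The device blinds its exponent as a - r mod q, sends that together with a test query whose answer it already knows, in random order, and so detects a helper that cheats on one of the two queries with probability 1/2 while spending only a couple of multiplications itself.

```python
import random

# Constructed toy parameters (far too small for real use): p = 2q + 1, g has order q.
P = 1019
Q = 509
G = 4


def square_and_multiply(base, exp, mod):
    """Plain left-to-right binary exponentiation done on the device itself.
    Returns (result, number of modular multiplications); the count grows
    linearly in the bit length of exp, the O(n) cost named in the abstract."""
    result, mults = 1, 0
    for bit in bin(exp)[2:]:
        result = result * result % mod
        mults += 1
        if bit == "1":
            result = result * base % mod
            mults += 1
    return result, mults


class Helper:
    """Untrusted exponentiation program (hypothetical). mode 'honest' answers
    correctly; mode 'cheat_first' returns a wrong group element on the first
    query of every two it receives, since it cannot tell a real query from a
    test query."""

    def __init__(self, mode="honest"):
        self.mode = mode
        self.calls = 0

    def exp(self, base, exp):
        self.calls += 1
        answer = pow(base, exp, P)
        if self.mode == "cheat_first" and self.calls % 2 == 1:
            answer = answer * G % P  # wrong, but still a valid subgroup element
        return answer


def precompute_pairs(rng, count):
    """Device-side pool of (r, g^r mod p). Assumption of this example: the pairs
    are produced offline or at setup."""
    pairs = []
    for _ in range(count):
        r = rng.randrange(1, Q)
        pairs.append((r, pow(G, r, P)))
    return pairs


def outsourced_exp(a, pairs, helper, rng):
    """Compute g^a mod p for a secret exponent a using the untrusted helper.
    One blinded real query and one test query are sent in random order.
    Returns (value, check_passed)."""
    (r, g_r) = pairs.pop()
    (s, g_s) = pairs.pop()
    e = (a - r) % Q  # uniformly random and independent of a: hides the exponent
    queries = [("real", e), ("test", s)]
    rng.shuffle(queries)  # helper cannot tell which query is the test
    answers = {tag: helper.exp(G, x) for tag, x in queries}
    check_passed = answers["test"] == g_s  # device already knows g^s
    value = answers["real"] * g_r % P  # g^(a-r) * g^r = g^a: one multiplication
    return value, check_passed


def run_sessions(mode, trials, seed):
    """Drive `trials` outsourced exponentiations against a helper in `mode`.
    Returns (correct_and_accepted, detected, undetected_wrong)."""
    rng = random.Random(seed)
    helper = Helper(mode)
    pairs = precompute_pairs(rng, 2 * trials)
    counts = [0, 0, 0]
    for _ in range(trials):
        a = rng.randrange(1, Q)
        value, ok = outsourced_exp(a, pairs, helper, rng)
        correct = value == pow(G, a, P)
        if ok and correct:
            counts[0] += 1
        elif not ok:
            counts[1] += 1
        else:
            counts[2] += 1
    return tuple(counts)


if __name__ == "__main__":
    n_mults = square_and_multiply(G, 2**255 + 12345, P)[1]
    print(n_mults, "on-device multiplications for a 256-bit exponent")
    print("honest helper (accepted, detected, undetected wrong):", run_sessions("honest", 400, 1))
    print("cheating helper (accepted, detected, undetected wrong):", run_sessions("cheat_first", 400, 1))
```

With an honest helper every session is accepted and correct; with the cheating helper no wrong value is ever accepted together with a correct one, and roughly half the sessions are caught by the test query, which is the sense in which this toy construction has checkability 1/2. Raising detection further would cost more test queries per session, which is exactly the efficiency-versus-checkability trade-off the abstract says the paper quantifies.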

[1] David Chaum et al. Wallet Databases with Observers, 1992, CRYPTO.

[2] Ramarathnam Venkatesan et al. Speeding up Discrete Log and Factoring Based Schemes via Precomputations, 1998, EUROCRYPT.

[3] Chae Hoon Lim et al. More Flexible Exponentiation with Precomputation, 1994, CRYPTO.

[4] Joan Feigenbaum et al. Advances in Cryptology - Crypto 91, 1992.

[5] Martín Abadi et al. On Hiding Information from an Oracle, 1987, Proceedings, Structure in Complexity Theory.

[6] Ernest F. Brickell et al. Advances in Cryptology - CRYPTO '92, 2001, Lecture Notes in Computer Science.

[7] Hideki Imai et al. Speeding Up Secret Computations with Insecure Auxiliary Devices, 1988, CRYPTO.

[8] Kaisa Nyberg et al. Advances in Cryptology - EUROCRYPT '98, 1998.

[9] Donald W. Davies et al. Advances in Cryptology - EUROCRYPT '91, 2001, Lecture Notes in Computer Science.

[10] Daniel R. Simon et al. Non-Interactive Zero-Knowledge Proof of Knowledge and Chosen Ciphertext Attack, 1991, CRYPTO.

[11] Alfredo De Santis et al. Advances in Cryptology - EUROCRYPT '94, 1994, Lecture Notes in Computer Science.

[12] Rainer A. Rueppel. Advances in Cryptology - EUROCRYPT '92, 2001, Lecture Notes in Computer Science.

[13] David A. Wagner et al. A Secure Environment for Untrusted Helper Applications, 1996, USENIX Security Symposium.

[14] Igor E. Shparlinski et al. On the Insecurity of a Server-Aided RSA Protocol, 2001, ASIACRYPT.

[15] Joan Feigenbaum et al. Hiding Instances in Multioracle Queries, 1990, STACS.

[16] C. P. Schnorr et al. Efficient Identification and Signatures for Smart Cards (Abstract), 1989, EUROCRYPT.

[17] David Chaum et al. Security without identification: transaction systems to make big brother obsolete, 1985, CACM.

[18] Avi Wigderson et al. Multi-prover interactive proofs: how to remove intractability assumptions, 2019, STOC '88.

[19] G. Edward Suh et al. Speeding up Exponentiation using an Untrusted Computational Resource, 2006, Des. Codes Cryptogr.

[20] Peter de Rooij et al. On the Security of the Schnorr Scheme using Preprocessing, 1991, EUROCRYPT.

[21] Tor Helleseth et al. Advances in Cryptology - EUROCRYPT '93, 2001, Lecture Notes in Computer Science.

[22] Colin Boyd et al. Advances in Cryptology - ASIACRYPT 2001, 2001.

[23] Peter de Rooij et al. Efficient Exponentiation using Precomputation and Vector Addition Chains, 1994, EUROCRYPT.

[24] David Wagner et al. Janus: an Approach for Confinement of Untrusted Applications, 1999.

[25] Martín Abadi et al. On hiding information from an oracle, 1987, STOC '87.

[26] Yvo Desmedt et al. Advances in Cryptology - CRYPTO '94, 2001, Lecture Notes in Computer Science.

[27] Claus-Peter Schnorr et al. Efficient signature generation by smart cards, 2004, Journal of Cryptology.

[28] Michael Wiener et al. Advances in Cryptology - CRYPTO '99, 1999.

[29] Neal Koblitz et al. Advances in Cryptology - CRYPTO '96, 2001, Lecture Notes in Computer Science.

[30] Peter de Rooij et al. On Schnorr's preprocessing for digital signature schemes, 1997, Journal of Cryptology.

[31] Ronald Cramer et al. Design and Analysis of Practical Public-Key Encryption Schemes Secure against Adaptive Chosen Ciphertext Attack, 2003, SIAM J. Comput.

[32] Manuel Blum et al. Designing programs that check their work, 1989, STOC '89.

[33] Shafi Goldwasser et al. Advances in Cryptology - CRYPTO '88: Proceedings, 1990, Lecture Notes in Computer Science.

[34] Phong Q. Nguyen et al. Distribution of Modular Sums and the Security of the Server Aided Exponentiation, 2001.

[35] Manuel Blum et al. Self-testing/correcting with applications to numerical problems, 1990, STOC '90.

[36] Manuel Blum et al. Program Result Checking against Adaptive Programs and in Cryptographic Settings, 1989, Distributed Computing and Cryptography.

[37] Ian Goldberg et al. A Secure Environment for Untrusted Helper Applications (Confining the Wily Hacker), 1996.

[38] Joan Feigenbaum et al. Locally random reductions: Improvements and applications, 1997, Journal of Cryptology.

[39] George C. Necula et al. Oracle-based checking of untrusted software, 2001, POPL '01.

[40] Matthew K. Franklin et al. The Blinding of Weak Signatures (Extended Abstract), 1994, EUROCRYPT.

[41] Brent Waters et al. Receiver anonymity via incomparable public keys, 2003, CCS '03.

[42] Silvio Micali et al. Practical and Provably-Secure Commitment Schemes from Collision-Free Hashing, 1996, CRYPTO.