Secure and Efficient Delegation of a Single and Multiple Exponentiations to a Single Malicious Server

Group exponentiation is an important operation used in many cryptographic protocols, specifically public-key cryptosystems such as RSA, Diffie Hellman, ElGamal, etc. To expand the applicability of group exponentiation to computationally weaker devices, procedures were established by which to delegate this operation from a computationally weaker client to a computationally stronger server. However, solving this problem with a single, possibly malicious, server, has remained open since a formal cryptographic model was introduced by Hohenberger and Lysyanskaya in 2005. Several later attempts either failed to achieve privacy or only achieved constant security probability. In this dissertation, we study and solve this problem for discrete log type groups and RSA type groups for both single and multiple (batch) exponentiations and apply our solution in several protocols. Each of our protocols satisfies natural correctness, security, privacy, and efficiency requirements, where security holds with exponentially small probability

Secure and Efficient Delegation of Elliptic-Curve Pairing

Many public-key cryptosystems and, more generally, cryp- tographic protocols, use pairings as important primitive operations. To expand the applicability of these solutions to computationally weaker devices, it has been advocated that a computationally weaker client del- egates such primitive operations to a computationally stronger server. Important requirements for such delegation protocols include privacy of the client's pairing inputs and security of the client's output, in the sense of detecting, except for very small probability, any malicious server's at- tempt to convince the client of an incorrect pairing result. In this paper we show that the computation of bilinear pairings in all known pairing-based cryptographic protocols can be eciently, privately and securely delegated to a single, possibly malicious, server. Our tech- niques provides eciency improvements over past work in all input sce- narios, regardless on whether inputs are available to the parties in an oine phase or only in the online phase, and on whether they are public or have privacy requirements. The client's online runtime improvement is, for some of our protocols almost 1 order of magnitude, no matter which practical elliptic curve, among recently recommended ones, is used for the pairing realization

Practical and Secure Outsourcing of Discrete Log Group Exponentiation to a Single Malicious Server

Group exponentiation is an important operation used in many public-key cryptosystems and, more generally, cryptographic protocols. To expand the applicability of these solutions to computationally weaker devices, it has been advocated that this operation is outsourced from a computationally weaker client to a computationally stronger server, possibly implemented in a cloud-based architecture. While preliminary solutions to this problem considered mostly honest servers, or multiple separated servers, some of which honest, solving this problem in the case of a single (logical), possibly malicious, server, has remained open since a formal cryptographic model was introduced. Several later attempts either failed to achieve privacy or only bounded by a constant the (security) probability that a cheating server convinces a client of an incorrect result. In this paper we solve this problem for a large class of cyclic groups, thus making our solutions applicable to many cryptosystems in the literature that are based on the hardness of the discrete logarithm problem or on related assumptions. Our main protocol satisfies natural correctness, security, privacy and efficiency requirements, where the security probability is exponentially small. In our main protocol, with very limited offline computation and server computation, the client can delegate an exponentiation to an exponent of the same length as a group element by performing an exponentiation to an exponent of short length (i.e., the length of a statistical parameter). We also show an extension protocol that further reduces client computation by a constant factor, while increasing offline computation and server computation by about the same factor

Delegating a Product of Group Exponentiations with Application to Signature Schemes

Many public-key cryptosystems and, more generally, cryptographic protocols, use group exponentiations as important primitive operations. To expand the applicability of these solutions to computationally weaker devices, it has been advocated that a computationally weaker client (i.e., capable of performing a relatively small number of modular multiplications) delegates such primitive operations to a computationally stronger server. Important requirements for such delegation protocols include privacy of the client's input exponent and security of the client's output, in the sense of detecting, except for very small probability, any malicious server's attempt to convince the client of an incorrect exponentiation result. Only recently, ecient protocols for the delegation of a xed-based exponentiation, over cyclic and RSA-type groups with certain properties, have been presented and proved to satisfy both requirements. In this paper we show that a product of many xed-base exponentiations, over a cyclic groups with certain properties, can be privately and securely delegated by keeping the client's online number of modular multiplications only slightly larger than in the delegation of a single exponentiation. We use this result to show the rst delegations of entire cryptographic schemes: the well-known digital signature schemes by El-Gamal, Schnorr and Okamoto, over the q-order subgroup in Zp, for p; q primes, as well as their variants based on elliptic curves. Previous ecient delegation results seem limited to the delegation of single algorithms within cryptographic schemes

Efficient and Secure Delegation of Exponentiation in General Groups to a Single Malicious Server

Group exponentiation is an important and relatively expensive operation used in many public-key cryptosystems and, more generally, cryptographic protocols. To expand the applicability of these solutions to computationally weaker devices, it has been advocated that this operation is delegated from a computationally weaker client to a computationally stronger server. Solving this problem in the case of a single, possibly malicious, server, has remained open since the introduction of a formal model. In previous work we have proposed practical and secure solutions applicable to two classes of specific groups, related to well-known cryptosystems. In this paper, we investigate this problem in a general class of multiplicative groups, possibly going beyond groups currently subject to quantum cryptanalysis attacks. Our main results are efficient delegation protocols for exponentiation in these general groups. The main technique in our results is a reduction of the protocol's security probability (i.e., the probability that a malicious server convinces a client of an incorrect exponentiation output) that is more efficient than by standard parallel repetition. The resulting protocols satisfy natural requirements such as correctness, security, privacy and efficiency, even if the adversary uses the full power of quantum computers. In particular, in our protocols the client performs a number of online group multiplications smaller by 1 to 2 orders of magnitude than in a non-delegated computation