## How to Securely Outsource Cryptographic Computations

Venue: Theory of Cryptography (TCC), 2005

Citations: 25 (0 self)

### BibTeX

```bibtex
@INPROCEEDINGS{Hohenberger_howto,
  author    = {Susan Hohenberger and Anna Lysyanskaya},
  title     = {How to Securely Outsource Cryptographic Computations},
  booktitle = {Theory of Cryptography (TCC 2005)},
  year      = {2005},
  pages     = {264--282}
}
```

### Abstract

We address the problem of using untrusted (potentially malicious) cryptographic helpers. We provide a formal security definition for securely outsourcing computations from a computationally limited device to an untrusted helper. In our model, the adversarial environment writes the software for the helper, but then does not have direct communication with it once the device starts relying on it. In addition to security, we also provide a framework for quantifying the efficiency and checkability of an outsourcing implementation. We present two practical outsource-secure schemes. Specifically, we show how to securely outsource modular exponentiation, which presents the computational bottleneck in most public-key cryptography on computationally limited devices. Without outsourcing, a device would need O(n) modular multiplications to carry out modular exponentiation for n-bit exponents. The load reduces to O(log² n) for any exponentiation-based scheme where the honest device may use two untrusted exponentiation programs; we highlight the Cramer-Shoup cryptosystem [13] and Schnorr signatures [28] as examples. With a relaxed notion of security, we achieve the same load reduction for a new CCA2-secure encryption scheme using only one untrusted Cramer-Shoup encryption program.
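As an added illustration (not code from the paper, and not the Hohenberger-Lysyanskaya algorithm itself), the Python below models the setting the abstract describes: a limited device, two untrusted exponentiation helpers that may have been written by the adversary, and the two properties the paper's definition asks for, namely that the helpers learn nothing about the device's secret inputs and that the device can check their answers. The toy hides only the exponent, by splitting it into two uniformly random shares mod q and giving one share to each helper (so the two helpers must not pool their views, as in the two-program model), and it checks each helper with one test query whose answer the device already knows from a precomputed (t, g^t) pair of the kind the preprocessing literature cited on this page produces. The paper's scheme also hides the base and achieves its stated O(log² n) bound; this example does not attempt either. The group parameters (p = 2q + 1 with q prime, g of order q), the lying-helper model and the secret base are constructed for the example and are far too small for real use.

```python
"""Toy model of outsourcing modular exponentiation to untrusted helpers.

Added illustration only: shows input hiding (exponent splitting) and
checkability (test queries with known answers), not the paper's algorithm.
"""
import secrets

P = 2039  # prime, P = 2*Q + 1 (constructed toy parameters, far too small for real use)
Q = 1019  # prime order of the subgroup generated by G
G = 4     # 4 = 2**2 has order Q in Z_P^*


def square_and_multiply(base, exp, mod):
    """Left-to-right binary exponentiation; returns (result, mult_count).

    One squaring per exponent bit plus one multiply per set bit: O(n)
    modular multiplications for an n-bit exponent, the cost the abstract
    says a limited device pays when it does not outsource.
    """
    result, count = 1, 0
    for bit in bin(exp)[2:]:
        result = result * result % mod
        count += 1
        if bit == "1":
            result = result * base % mod
            count += 1
    return result, count


def honest_helper(base, exp):
    """U(x, y) -> x^y mod P: an untrusted exponentiation program that happens to be honest."""
    return pow(base, exp, P)


class LyingHelper:
    """Helper written by the adversary: returns a plausible wrong value on every k-th call."""

    def __init__(self, lie_every):
        self.lie_every = lie_every
        self.calls = 0

    def __call__(self, base, exp):
        self.calls += 1
        if self.calls % self.lie_every == 0:
            return pow(base, exp, P) * G % P  # G != 1, so this is always wrong
        return pow(base, exp, P)


def precompute_test_pair():
    """Offline preprocessing: a random (t, G^t mod P) pair whose answer the device knows."""
    t = secrets.randbelow(Q - 1) + 1
    return t, pow(G, t, P)


def outsourced_exp(u, a, helper1, helper2):
    """Compute u^a mod P (u in the order-Q subgroup) using two untrusted helpers.

    Hiding: a = a1 + a2 mod Q with a1 uniform, so each helper alone sees a
    uniformly random share and learns nothing about a.  The base u is NOT
    hidden in this toy (the paper's scheme hides it as well).
    Checkability: each helper also answers a test query with a known answer,
    asked in random order so it cannot tell test from real; a wrong test
    answer makes the device reject instead of using the result.
    Device cost: a few modular multiplications, independent of a's bit length.
    """
    a1 = secrets.randbelow(Q)
    a2 = (a - a1) % Q
    real_answers = []
    for helper, share in ((helper1, a1), (helper2, a2)):
        t, g_t = precompute_test_pair()
        order = [("real", u, share), ("test", G, t)]
        if secrets.randbits(1):
            order.reverse()
        answers = {kind: helper(x, y) for kind, x, y in order}
        if answers["test"] != g_t:
            raise ValueError("helper returned a wrong answer; result rejected")
        real_answers.append(answers["real"])
    return real_answers[0] * real_answers[1] % P


def simulate(trials, lie_every=3):
    """Run outsourced_exp with one persistently lying helper; returns (caught, wrong_accepted, correct).

    With one test query per helper a lie lands on the test query, and is
    caught, with probability 1/2; otherwise the device accepts a wrong result.
    """
    liar = LyingHelper(lie_every)
    u = pow(G, 77, P)  # constructed secret base in the subgroup
    caught = wrong = correct = 0
    for _ in range(trials):
        a = secrets.randbelow(Q)
        try:
            r = outsourced_exp(u, a, liar, honest_helper)
        except ValueError:
            caught += 1
            continue
        if r == pow(u, a, P):
            correct += 1
        else:
            wrong += 1
    return caught, wrong, correct


if __name__ == "__main__":
    _, local_cost = square_and_multiply(G, 2**1023 + 12345, P)
    print("device alone, 1024-bit exponent:", local_cost, "modular multiplications")
    print("caught / wrong accepted / correct over 300 runs:", simulate(300))
```

Against a helper that lies on every third call, roughly a third of the runs are rejected, a third return a wrong result that the device accepts, and a third (the runs in which no lie occurred) are correct: the 1/2 detection probability of a single test query is the kind of figure the abstract's checkability measure is meant to capture, and raising it costs more helper calls, which is the efficiency side of the same trade-off.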

### Citations

583 | Efficient Signature Generation by Smart Cards
- Schnorr
- 1991
Citation context: ...artcards [27]. However, the output of Schnorr’s algorithm is too dependent, and de Rooij found a series of equations that allow the recovery of a signer’s secret key [14]. A subsequent fix by Schnorr [28] was also broken by de Rooij [15, 17]. Since then several new preprocessing algorithms were proposed [16, 9, 21, 8, 25]. Among the most promising is the EBPV generator by Nguyen, Shparlinski, and Ster...

417 | Security Without Identification: Transaction Systems to Make Big Brother Obsolete
- Chaum
- 1985
Citation context: ...r trusted applications to operate [30], and oracle-based checking of untrusted software [23]. Our techniques in Section 4 also offer novel approaches to the area of message and key blinding protocols [10, 18, 31]. Secure outsourcing of exponentiations is a popular topic [27, 28, 17, 8, 25, 22, 1, 2, 3, 12], but past approaches either focus on fixed-base (or fixed-exponent) exponentiation or meet a weaker noti...

377 | A Secure Environment for Untrusted Helper Applications
- Goldberg, Wagner, et al.
- 1996
Citation context: ...which was subsequently broken by Nguyen and Shparlinski [24]. We incorporate many previous notions including: the idea of an untrusted helper [19], confining untrusted applications and yet allowing a sanitized space for trusted applications to operate [30], and oracle-based checking of untrusted software [23]. Our techniques in Section 4 also o...

345 | Self-testing/correcting with applications to numerical problems
- Blum, Luby, et al.
- 1993
Citation context: ...ies of results on hiding the input, and yet obtaining the desired output, from an honest-but-curious oracle [1, 2, 3]. Research in program checking merged into this area when Blum, Luby, and Rubinfeld [5, 7, 6] considered checking adaptive, malicious programs (i.e., oracles capable of intelligently failing). The need for a formal security definition of outsourcing is apparent from previous research on using...

339 | Non-interactive zero-knowledge proof of knowledge and chosen ciphertext attack
- Rackoff, Simon
- 1992
Citation context: ...denote the commitment scheme as Com and the decommitment scheme as Decom. 4.2 CCA2 and Outsource-Security of TU Encryption. First, we observe that the Cramer-Shoup variant in Figure 2 is CCA2-secure [26]. Here, we only need to look at the honest algorithm TU. Theorem 3. The cryptosystem TU is secure against adaptive chosen-ciphertext attack (CCA2) assuming the CCA2-security of Cramer-Shoup encrypt...

311 | Efficient identification and signatures for smart cards
- Schnorr
- 1990
Citation context: ...trusted software [23]. Our techniques in Section 4 also offer novel approaches to the area of message and key blinding protocols [10, 18, 31]. Secure outsourcing of exponentiations is a popular topic [27, 28, 17, 8, 25, 22, 1, 2, 3, 12], but past approaches either focus on fixed-base (or fixed-exponent) exponentiation or meet a weaker notion of security. 2 Definition of Security. Suppose that we have a cryptographic algorithm Alg. Ou...

305 | Designing Programs that Check Their Work
- Blum, Kannan
- 1995
Citation context: ...ies of results on hiding the input, and yet obtaining the desired output, from an honest-but-curious oracle [1, 2, 3]. Research in program checking merged into this area when Blum, Luby, and Rubinfeld [5, 7, 6] considered checking adaptive, malicious programs (i.e., oracles capable of intelligently failing). The need for a formal security definition of outsourcing is apparent from previous research on using...

300 | Wallet databases with observers
- Chaum, Pedersen
- 1992
Citation context: ...ond result is non-trivial because we show how to do this for the non-malleable Cramer-Shoup encryption scheme, while achieving the same asymptotic speed-up as before. Related Work. Chaum and Pedersen [11] previously introduced “wallets with observers” where a third party, such as a bank, is allowed to install a piece of hardware on a user’s computer. Each transaction between the bank and the user is d...

190 | Design and Analysis of Practical Public-Key Encryption Schemes Secure against Adaptive Chosen Ciphertext Attack (Cryptology ePrint Archive, Report 2001/108)
- Cramer, Shoup
- 2001
Citation context: ...r n-bit exponents. The load reduces to O(log² n) for any exponentiation-based scheme where the honest device may use two untrusted exponentiation programs; we highlight the Cramer-Shoup cryptosystem [13] and Schnorr signatures [28] as examples. With a relaxed notion of security, we achieve the same load reduction for a new CCA2-secure encryption scheme using only one untrusted Cramer-Shoup encryption...

160 | Hiding instances in multioracle queries
- Beaver, Feigenbaum
- 1990
Citation context: ...as a way of removing intractability assumptions in interactive proofs [4], which led to a series of results on hiding the input, and yet obtaining the desired output, from an honest-but-curious oracle [1, 2, 3]. Research in program checking merged into this area when Blum, Luby, and Rubinfeld [5, 7, 6] considered checking adaptive, malicious programs (i.e., oracles capable of intelligently failing). The nee...

131 | Multiprover interactive proofs: How to remove the intractability assumptions
- Ben-Or, Goldwasser, et al.
- 1988
Citation context: ...ts/outputs to travel directly between the environment and untrusted components. In the 1980s, Ben-Or et al. used multiple provers as a way of removing intractability assumptions in interactive proofs [4], which led to a series of results on hiding the input, and yet obtaining the desired output, from an honest-but-curious oracle [1, 2, 3]. Research in program checking merged into this area when Blum, ...

130 | On Hiding Information from an Oracle
- Abadi, Feigenbaum, et al.
- 1989
Citation context: ...as a way of removing intractability assumptions in interactive proofs [4], which led to a series of results on hiding the input, and yet obtaining the desired output, from an honest-but-curious oracle [1, 2, 3]. Research in program checking merged into this area when Blum, Luby, and Rubinfeld [5, 7, 6] considered checking adaptive, malicious programs (i.e., oracles capable of intelligently failing). The nee...

82 | More flexible exponentiation with precomputation (Advances in Cryptology, CRYPTO ’94)
- Lim, Lee
- 1994
Citation context: ...8, 17, 8, 25] and (2) untrusted server-aided computation [22, 1, 2, 3]. The preprocessing techniques (introduced by Schnorr [27, 28], broken by de Rooij [14, 15, 17], and subsequently fixed by others [16, 9, 21, 8, 25]) seek to optimize the production of random (k, g^k mod p) pairs used in signature generation (e.g., El Gamal, Schnorr, DSA) and encryption (e.g., El Gamal, Cramer-Shoup). By offline, we mean the rand...

66 | Fast exponentiation with precomputation
- Brickell, Gordon, et al.
- 1992
Citation context: ...8, 17, 8, 25] and (2) untrusted server-aided computation [22, 1, 2, 3]. The preprocessing techniques (introduced by Schnorr [27, 28], broken by de Rooij [14, 15, 17], and subsequently fixed by others [16, 9, 21, 8, 25]) seek to optimize the production of random (k, g^k mod p) pairs used in signature generation (e.g., El Gamal, Schnorr, DSA) and encryption (e.g., El Gamal, Cramer-Shoup). By offline, we mean the rand...

66 | Practical and Provably-Secure Commitment Schemes from Collision-Free Hashing
- Halevi, Micali
- 1996
Citation context: ...ncryption include a public, non-malleable string called a tag.) 4.1 Com: Efficient, Statistically-Hiding Commitments. We use Halevi and Micali’s commitment scheme based on collision-free hash families [20]. Let HF : {0,1}^{O(k)} → {0,1}^k be a family of universal hash functions and let MD : {0,1}* → {0,1}^k be a collision-free hash function. Given any value m ∈ {0,1}* and security parameter k, genera...

55 | Oracle-based checking of untrusted software
- Necula, Rahul
- 2001
Citation context: ...ng: the idea of an untrusted helper [19], confining untrusted applications and yet allowing a sanitized space for trusted applications to operate [30], and oracle-based checking of untrusted software [23]. Our techniques in Section 4 also offer novel approaches to the area of message and key blinding protocols [10, 18, 31]. Secure outsourcing of exponentiations is a popular topic [27, 28, 17, 8, 25, 2...

47 | Janus: An Approach for Confinement of Untrusted Applications
- Wagner
- 1999
Citation context: ...ski [24]. We incorporate many previous notions including: the idea of an untrusted helper [19], confining untrusted applications and yet allowing a sanitized space for trusted applications to operate [30], and oracle-based checking of untrusted software [23]. Our techniques in Section 4 also offer novel approaches to the area of message and key blinding protocols [10, 18, 31]. Secure outsourcing of ex...

40 | Speeding up secret computations with insecure auxiliary devices
- Matsumoto, Kato, et al.
- 1988
Citation context: ...telligently failing). The need for a formal security definition of outsourcing is apparent from previous research on using untrusted servers for RSA computations, such as the work of Matsumoto et al. [22] which was subsequently broken by Nguyen and Shparlinski [24]. We incorporate many previous notions including: the idea of an untrusted helper...

34 | Locally random reductions: Improvements and applications
- Beaver, Feigenbaum, et al.
- 1997
Citation context: ...as a way of removing intractability assumptions in interactive proofs [4], which led to a series of results on hiding the input, and yet obtaining the desired output, from an honest-but-curious oracle [1, 2, 3]. Research in program checking merged into this area when Blum, Luby, and Rubinfeld [5, 7, 6] considered checking adaptive, malicious programs (i.e., oracles capable of intelligently failing). The nee...

29 | Efficient exponentiation using precomputation and vector addition chains
- de Rooij
Citation context: ...8, 17, 8, 25] and (2) untrusted server-aided computation [22, 1, 2, 3]. The preprocessing techniques (introduced by Schnorr [27, 28], broken by de Rooij [14, 15, 17], and subsequently fixed by others [16, 9, 21, 8, 25]) seek to optimize the production of random (k, g^k mod p) pairs used in signature generation (e.g., El Gamal, Schnorr, DSA) and encryption (e.g., El Gamal, Cramer-Shoup). By offline, we mean the rand...

16 | Speeding up discrete log and factoring based schemes via precomputations
- Boyko, Peinado, et al.
- 1998
Citation context: ...trusted software [23]. Our techniques in Section 4 also offer novel approaches to the area of message and key blinding protocols [10, 18, 31]. Secure outsourcing of exponentiations is a popular topic [27, 28, 17, 8, 25, 22, 1, 2, 3, 12], but past approaches either focus on fixed-base (or fixed-exponent) exponentiation or meet a weaker notion of security. 2 Definition of Security. Suppose that we have a cryptographic algorithm Alg. Ou...

14 | Program result checking against adaptive programs and in cryptographic settings
- Blum, Luby, et al.
- 1991
Citation context: ...ies of results on hiding the input, and yet obtaining the desired output, from an honest-but-curious oracle [1, 2, 3]. Research in program checking merged into this area when Blum, Luby, and Rubinfeld [5, 7, 6] considered checking adaptive, malicious programs (i.e., oracles capable of intelligently failing). The need for a formal security definition of outsourcing is apparent from previous research on using...

13 | On the Security of the Schnorr Scheme Using Preprocessing
- de Rooij
- 1991
Citation context: ...ding-up signature generation in smartcards [27]. However, the output of Schnorr’s algorithm is too dependent, and de Rooij found a series of equations that allow the recovery of a signer’s secret key [14]. A subsequent fix by Schnorr [28] was also broken by de Rooij [15, 17]. Since then several new preprocessing algorithms were proposed [16, 9, 21, 8, 25]. Among the most promising is the EBPV generato...

13 | Receiver anonymity via incomparable public keys
- Waters, Felten, et al.
- 2003
Citation context: ...r trusted applications to operate [30], and oracle-based checking of untrusted software [23]. Our techniques in Section 4 also offer novel approaches to the area of message and key blinding protocols [10, 18, 31]. Secure outsourcing of exponentiations is a popular topic [27, 28, 17, 8, 25, 22, 1, 2, 3, 12], but past approaches either focus on fixed-base (or fixed-exponent) exponentiation or meet a weaker noti...

9 | On Schnorr’s preprocessing for digital signature schemes
- de Rooij
- 1997
Citation context: ...icks to speed-up offline exponentiations [27, 28, 17, 8, 25] and (2) untrusted server-aided computation [22, 1, 2, 3]. The preprocessing techniques (introduced by Schnorr [27, 28], broken by de Rooij [14, 15, 17], and subsequently fixed by others [16, 9, 21, 8, 25]) seek to optimize the production of random (k, g^k mod p) pairs used in signature generation (e.g., El Gamal, Schnorr, DSA) and encryption (e.g., ...

9 | Distribution of modular sums and the security of server aided exponentiation
- Nguyen, Shparlinski, et al.
- 1999
Citation context: ...trusted software [23]. Our techniques in Section 4 also offer novel approaches to the area of message and key blinding protocols [10, 18, 31]. Secure outsourcing of exponentiations is a popular topic [27, 28, 17, 8, 25, 22, 1, 2, 3, 12], but past approaches either focus on fixed-base (or fixed-exponent) exponentiation or meet a weaker notion of security. 2 Definition of Security. Suppose that we have a cryptographic algorithm Alg. Ou...

5 | Speeding up exponentiation using an untrusted computational resource
- van Dijk, Clarke, et al.

4 | The blinding of weak signatures (extended abstract)
- Franklin, Yung
- 1995
Citation context: ...r trusted applications to operate [30], and oracle-based checking of untrusted software [23]. Our techniques in Section 4 also offer novel approaches to the area of message and key blinding protocols [10, 18, 31]. Secure outsourcing of exponentiations is a popular topic [27, 28, 17, 8, 25, 22, 1, 2, 3, 12], but past approaches either focus on fixed-base (or fixed-exponent) exponentiation or meet a weaker noti...

4 | On the insecurity of a server-aided RSA protocol
- Nguyen, Shparlinski
- 2001
Citation context: ...sing untrusted servers for RSA computations, such as the work of Matsumoto et al. [22] which was subsequently broken by Nguyen and Shparlinski [24]. We incorporate many previous notions including: the idea of an untrusted helper [19], confining untrusted applications and yet allowing a sanitized space for trusted applications to operate [30], an...