U - AI LAB

How to securely outsource
cryptographic computations
Susan Hohenberger and Anna Lysyanskaya
TCC 2005
Outline
• Introduction
• Definition of Security
• Outsource-Secure Exponentiation Using Two Untrusted Programs
• Outsource-Secure Encryption Using One Untrusted Program
• Conclusion
Definition
[Figure: the outsourcing model. The trusted component T runs Alg with help from the untrusted program U. Inputs and outputs are classed as secret (S), protected (P) or unprotected (U); inputs are further classed as honest (H) or adversarial (A), giving the labels HS, HP, AP and AU.]
Definition
[Figure: the security experiment. The environment E supplies the inputs; T runs Alg by querying the untrusted program U'; in the ideal experiment the simulators S1 and S2 stand in for what E and U' respectively see.]
Definition
• Definition 8: (α,β)-outsource-security
• A pair of algorithms (T, U) is an (α,β)-outsource-secure implementation of an algorithm Alg if it is both α-efficient and β-checkable.
Outsource-Secure Exponentiation Using
Two Untrusted Programs
• Goal: compute a variable-exponent, variable-base exponentiation modulo a prime, by combining two previous approaches to this problem:
  ◦ preprocessing to speed up offline exponentiations;
  ◦ untrusted server-aided computation.
Outsource-Secure Exponentiation Using
Two Untrusted Programs
• Provide a technique for computing and checking the result of a modular exponentiation using two untrusted exponentiation boxes U' = (U1', U2').
• U1' and U2' cannot communicate with each other after deciding on an initial strategy.
• At most one of them deviates from its advertised functionality on a non-negligible fraction of the inputs.
Outsource-Secure Exponentiation Using
Two Untrusted Programs
• This algorithm
  ◦ reveals no more information than the size of the input;
  ◦ reduces T's running time to O(lg² n) multiplications for an n-bit exponent, an asymptotic improvement over the 1.5n multiplications needed to compute an exponentiation with square-and-multiply;
  ◦ detects an error in the output with probability ½.
• Hence it is an (O(lg² n / n), ½)-outsource-secure exponentiation implementation.
Outsource-Secure Exponentiation Using
Two Untrusted Programs
• The two untrusted program model, one-malicious version: at most one of the programs U1', U2' deviates from its advertised functionality on a non-negligible fraction of the inputs, but T does not know which one.
[Figure: T interacts with U1' and U2', adversarial software written by the adversarial environment E.]
Rand 1, Rand 2
• Rand 1, Rand 2: algorithms for computing $(b, g^b \bmod p)$ pairs.
• Rand 1 is initialized by a prime p and a base $g_3$; on each invocation it must produce a random, independent pair $(b, g_3^{\,b} \bmod p)$.
• Rand 2 is initialized by a prime p and two bases $g_1, g_2$; it must produce random, independent triplets $(b, g_1^{\,b} \bmod p, g_2^{\,b} \bmod p)$.
Rand 1, Rand 2
• Naïve approach
  ◦ A trusted server computes a table of random, independent pairs.
  ◦ The table is loaded into T's memory.
Rand 1, Rand 2
• Preprocessing technique: Schnorr's algorithm
  ◦ Takes a small set of truly random $(k, g^k)$ pairs and produces a long series of nearly random $(r, g^r)$ pairs.
  ◦ The outputs of Schnorr's algorithm are too dependent on one another.
Rand 1, Rand 2
• Preprocessing technique: the EBPV generator
  ◦ Takes a subset of the truly random $(k, g^k)$ pairs and combines them with a random walk on an expander (Cayley) graph to reduce the dependency between the pairs in the output sequence.
  ◦ The EBPV generator, secure against adaptive adversaries, runs in time O(lg² n) for an n-bit exponent.
  ◦ The output distribution of the EBPV generator is statistically close to the uniform distribution.
Exp
• Exp: outsource-secure exponentiation modulo a prime.
• T outsources its exponentiation computations by invoking U1 and U2.
• Global parameters: primes p and q with q | p − 1, and the subgroup G of $\mathbb{Z}_p^*$ of order q, generated by g.
• Exp takes as input $a \in \mathbb{Z}_q$ and $u \in \mathbb{Z}_p^*$, and outputs $u^a \bmod p$. (The blinding below reduces exponents mod q, so correctness requires u to lie in the order-q subgroup G.)
Exp
[Figure: T takes the global parameters g, p, q (honest unprotected, HU) and the inputs a and u, each of which may be honest secret (HS), honest protected (HP) or adversarial protected (AP); T queries U1' and U2' and outputs u^a, which is secret (S) or protected (P).]
• No AU inputs.
• All S and P inputs are computationally blinded before being sent to U1 or U2.
Exp
• T runs Rand 1 twice to create two blinding pairs $(\alpha, g^{\alpha})$ and $(\beta, g^{\beta})$.
• Denote $v = g^{\alpha}$ and $v^b = g^{\beta}$, where $b = \beta / \alpha \bmod q$.
• Goal: logically break u and a into random-looking pieces that can then be computed by U1 and U2.
Exp
• First, u is hidden by
  $u^a = (vw)^a = v^a w^a = v^b v^c w^a$, where $w = u / v$ and $c = a - b$.
• T selects two blinding elements $d \in \mathbb{Z}_q$ and $f \in G$ at random.
• Second, a is hidden by
  $v^b v^c w^a = v^b (fh)^c w^d w^e = v^b f^c h^c w^d w^e$, where $h = v / f$ and $e = a - d$.
Exp
• T fixes two test queries per program by running Rand 1 four more times to obtain
  $(t_1, g^{t_1}),\ (t_2, g^{t_2}),\ (r_1, g^{r_1}),\ (r_2, g^{r_2})$.
• T queries U1 in random order as
  $U_1(d, w) \to w^d,\quad U_1(c, f) \to f^c,\quad U_1(t_1 / r_1, g^{r_1}) \to g^{t_1},\quad U_1(t_2 / r_2, g^{r_2}) \to g^{t_2}$.
• T queries U2 in random order as
  $U_2(e, w) \to w^e,\quad U_2(c, h) \to h^c,\quad U_2(t_1 / r_1, g^{r_1}) \to g^{t_1},\quad U_2(t_2 / r_2, g^{r_2}) \to g^{t_2}$.
Exp
• Finally, T checks that the test queries to U1 and U2 both produce the correct outputs $g^{t_1}$ and $g^{t_2}$.
  ◦ If not, T outputs "ERROR".
• Otherwise, T multiplies the real outputs of U1 and U2 with $v^b$ to compute $u^a$ as
  $v^b \cdot f^c \cdot h^c \cdot w^d \cdot w^e = v^b v^c w^{d+e} = v^b v^c w^a = v^a w^a = (vw)^a = u^a$.
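As an added worked example (not code from the paper or from this talk), the Exp procedure above carried out in Python over a constructed toy group: safe prime p = 1019, q = 509 and the order-q subgroup G generated by 4, sizes chosen only so the run is instant and far too small to give the blinding any real security. Rand 1 is the naïve preloaded table from the earlier slide; U1 and U2 are plain callables U(a, u) = u^a mod p. `run_experiment` also exercises the ½-checkability claim: a malicious U1' that corrupts exactly one of its four answers per round cannot tell test queries from real ones, so T outputs ERROR about half the time and otherwise returns a wrong value, never a silently correct one. All names (`outsourced_exp`, `preload_rand1_table`, `OneCorruptAnswer`, `run_experiment`) and the parameters are mine.

```python
import random

# Constructed toy parameters (far too small for real use): safe prime P = 2Q + 1
# and G = the order-Q subgroup of Z_P^*.  GEN = 2^2 is a quadratic residue other
# than 1, so its order divides the prime Q and therefore equals Q.
P, Q, GEN = 1019, 509, 4


def preload_rand1_table(n, rng):
    """Naive Rand 1: a trusted party precomputes n independent (b, g^b mod p) pairs."""
    return [(b, pow(GEN, b, P)) for b in (rng.randrange(1, Q) for _ in range(n))]


def honest_program(x, y):
    """An honest U: returns the advertised functionality y^x mod p."""
    return pow(y, x, P)


class OneCorruptAnswer:
    """Malicious U': per round of four queries, one answer (at a uniformly random
    position) is multiplied by g.  It cannot tell tests from real queries."""

    def __init__(self, rng):
        self.rng, self.calls, self.bad = rng, 0, 0

    def __call__(self, x, y):
        pos = self.calls % 4
        if pos == 0:
            self.bad = self.rng.randrange(4)
        self.calls += 1
        ans = pow(y, x, P)
        return ans * GEN % P if pos == self.bad else ans


def outsourced_exp(a, u, U1, U2, rand1, rng):
    """T's side of Exp: u^a mod p for a in Z_q and u in G, using six Rand 1
    pairs and four queries to each program; 'ERROR' if a test query fails."""
    # 1. Blinding pairs: v = g^alpha, v^b = g^beta, hence b = beta / alpha mod q.
    alpha, v = rand1()
    beta, vb = rand1()
    b = beta * pow(alpha, -1, Q) % Q
    # 2. Hide u:  u^a = (vw)^a = v^b v^c w^a,  with w = u / v and c = a - b.
    w = u * pow(v, -1, P) % P
    c = (a - b) % Q
    # 3. Hide a:  v^c w^a = f^c h^c w^d w^e,  with h = v / f and e = a - d.
    d = rng.randrange(Q)
    f = pow(GEN, rng.randrange(1, Q), P)          # random f in G
    h = v * pow(f, -1, P) % P
    e = (a - d) % Q
    # 4. Two test queries per program: U(t_i / r_i, g^{r_i}) must return g^{t_i}.
    (t1, gt1), (t2, gt2), (r1, gr1), (r2, gr2) = rand1(), rand1(), rand1(), rand1()
    tests = [(t1 * pow(r1, -1, Q) % Q, gr1, gt1),
             (t2 * pow(r2, -1, Q) % Q, gr2, gt2)]

    def ask(U, real):
        # Real queries carry no expected value, tests do; random order keeps U
        # from learning which two of its four queries are the checks.
        items = [(x, y, None) for x, y in real] + tests
        order = list(range(len(items)))
        rng.shuffle(order)
        answers = [None] * len(items)
        for i in order:
            answers[i] = U(items[i][0], items[i][1])
        if any(exp is not None and ans != exp for (_, _, exp), ans in zip(items, answers)):
            return None
        return answers[:len(real)]

    # 5./6. Query U1 and U2 (each in its own random order); 7. check, then assemble.
    out1 = ask(U1, [(d, w), (c, f)])
    out2 = ask(U2, [(e, w), (c, h)])
    if out1 is None or out2 is None:
        return "ERROR"
    (wd, fc), (we, hc) = out1, out2
    return vb * fc * hc * wd * we % P        # = v^b v^c w^a = (vw)^a = u^a


def run_experiment(trials=2000, seed=7):
    """Honest run: result always equals u^a.  One-malicious run (U1' cheats):
    every round ends in ERROR or a wrong value, never a silently correct one."""
    rng = random.Random(seed)
    rand1 = preload_rand1_table(12 * trials, rng).pop    # 6 pairs per Exp call
    cheater = OneCorruptAnswer(rng)
    honest_ok = detected = wrong = 0
    for _ in range(trials):
        a, u = rng.randrange(Q), pow(GEN, rng.randrange(1, Q), P)
        expected = pow(u, a, P)
        if outsourced_exp(a, u, honest_program, honest_program, rand1, rng) == expected:
            honest_ok += 1
        res = outsourced_exp(a, u, cheater, honest_program, rand1, rng)
        if res == "ERROR":
            detected += 1
        elif res != expected:
            wrong += 1
    return {"trials": trials, "honest_ok": honest_ok,
            "detected": detected, "wrong_undetected": wrong}
```

Two details worth noting when reading the code against the slides: each Exp call consumes exactly six Rand 1 pairs (two blinding pairs and four for the test queries), matching the count used later in the security argument, and the cheater is given no way to distinguish a test query from a real one, which is exactly why its detection probability is ½ and why the same bound would hold for any strategy that corrupts a single answer.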
Correctness and Security
• Theorem: In the one-malicious model, the above algorithms (T, (U1, U2)) are an outsource-secure implementation of Exp, where the input (a, u) may be HS, HP or AP.
• Correctness
  ◦ Straightforward (see the final product above).
• Security
  ◦ Let A = (E, U1', U2') be a PPT adversary that interacts with a PPT algorithm T in the two untrusted program model.
  ◦ Part one: $\mathrm{EVIEW}_{real} \sim \mathrm{EVIEW}_{ideal}$ (the external adversary E learns nothing).
  ◦ Part two: $\mathrm{UVIEW}_{real} \sim \mathrm{UVIEW}_{ideal}$ (the untrusted software (U1, U2) learns nothing).
Correctness and Security
• The PPT simulator S1 makes four random queries of the form $(\alpha_j \in \mathbb{Z}_q, \beta_j \in \mathbb{Z}_p^*)$ to both U1' and U2'.
• S1 randomly tests two outputs from each program (i.e., checks that the answer equals $\beta_j^{\alpha_j}$).
[Figure: the real experiment (E, T, U1', U2') beside the ideal experiment, in which the PPT simulators S1 and S2 issue the inputs and test queries to U1' and U2' and produce the outputs.]
Correctness and Security
• If an error is detected
  ◦ S1 saves its state.
  ◦ S1 outputs $Y_P^i$ = "ERROR", $Y_U^i$ = ψ, $replace^i$ = 1.
• If no error is detected, S1 checks the remaining four outputs (it knows $\beta_j^{\alpha_j}$ for the queries it made).
  ◦ If all checks pass, S1 outputs $Y_P^i$ = ψ, $Y_U^i$ = ψ, $replace^i$ = 0.
  ◦ Otherwise, S1 selects a random element $r \in \mathbb{Z}_p^*$ and outputs $Y_P^i$ = r, $Y_U^i$ = ψ, $replace^i$ = 1.
Correctness and Security
• The input distributions to (U1', U2') in the real and ideal experiments are computationally indistinguishable.
• In the ideal experiment, the inputs are chosen uniformly at random.
Correctness and Security
• In the real experiment, T's queries are
  $U_1(d, w) \to w^d,\quad U_1(c, f) \to f^c,\quad U_1(t_1 / r_1, g^{r_1}) \to g^{t_1},\quad U_1(t_2 / r_2, g^{r_2}) \to g^{t_2}$,
  $U_2(e, w) \to w^e,\quad U_2(c, h) \to h^c,\quad U_2(t_1 / r_1, g^{r_1}) \to g^{t_1},\quad U_2(t_2 / r_2, g^{r_2}) \to g^{t_2}$.
• Each part of each query T makes to either program is first independently re-randomized, where these re-randomization factors are either
  ◦ truly random, or
  ◦ computationally indistinguishable from random (assumption on the EBPV generator).
Correctness and Security
• Three possible scenarios to consider.
  ◦ If (U1', U2') behave honestly in the i-th round: $\mathrm{EVIEW}_{real}^{i} \sim \mathrm{EVIEW}_{ideal}^{i}$.
    ▪ In the real experiment, $T^{(U_1', U_2')}$ executes Exp perfectly.
    ▪ In the ideal experiment, S1 chooses not to replace the output of Exp.
  ◦ If one of (U1', U2') gives an incorrect output in the i-th round, both T and S1 detect it with probability ½; when detected, both output "ERROR".
Correctness and Security
• Three possible scenarios to consider (continued).
  ◦ Otherwise, (U1', U2') actually succeed in corrupting the output of Exp.
    ▪ In the real experiment, the four real outputs are multiplied together along with a random value ($v^b$), so the corrupted output of Exp looks random to E.
    ▪ In the ideal experiment, S1 replaces the output of Exp with a random value exactly when an attempt to cheat by (U1', U2') would have gone undetected by T in the real experiment.
Correctness and Security
• S2 is similar to S1.
• S2 makes four random queries of the form $(\alpha_j \in \mathbb{Z}_q, \beta_j \in \mathbb{Z}_p^*)$ to both U1' and U2'.
• In the real experiment, T always re-randomizes its inputs to (U1', U2') using six Rand 1 pairs.
• In the ideal experiment, S2 always creates random, independent queries for (U1', U2').
Correctness and Security
• Even when one of (U1', U2') behaves dishonestly in the i-th round,
  ◦ $\mathrm{EVIEW}_{real}^{i} \sim \mathrm{EVIEW}_{ideal}^{i}$
  ◦ $\mathrm{UVIEW}_{real}^{i} \sim \mathrm{UVIEW}_{ideal}^{i}$
• By a hybrid argument over the rounds,
  ◦ $\mathrm{EVIEW}_{real} \sim \mathrm{EVIEW}_{ideal}$
  ◦ $\mathrm{UVIEW}_{real} \sim \mathrm{UVIEW}_{ideal}$
Analysis
• In the one-malicious model, the above algorithms (T, (U1, U2))
  ◦ are an O(lg² n / n)-efficient implementation of Exp;
  ◦ are a ½-checkable implementation of Exp;
  ◦ are therefore an (O(lg² n / n), ½)-outsource-secure implementation of Exp.