Proposal: RFID Security by Client and Server Delegation


Proposal: RFID Security by Client and Server Delegation
Matluba Khodjaeva
PhD Program in Computer Science, The Graduate Center, City University of New York
Committee Members: Prof. Delaram Kahrobaei (advisor), Prof. Giovanni Di Crescenzo, Prof. Vladimir Shpilrain, Prof. Xiaowen Zhang
April 2017


Contents

1 Introduction
  1.1 RFID tags
  1.2 Thesis Statement
  1.3 Construction
  1.4 Related Work
2 Definitions
  2.1 Basic notations
  2.2 System Scenario, Entities, and Protocol
  2.3 Correctness Requirements
  2.4 Security Requirements
  2.5 Privacy Requirements
  2.6 Efficiency Metrics and Requirements
3 Delegation of a Single Exponentiation in General Group
  3.1 Basic Delegating Exponentiation
    3.1.1 Basic Delegating Exponentiation for Fixed-Base Variable-Exponent Group
    3.1.2 Basic Delegating Exponentiation for Fixed Exponent Variable Base Group
  3.2 Delegating Exponentiation Using Parallel Repetition
    3.2.1 Delegating Exponentiation Using Parallel Repetition for Fixed-Base Variable-Exponent Group
    3.2.2 Delegating Exponentiation Using Parallel Repetition for Fixed Exponent Variable Base Group
  3.3 Delegating Exponentiation with Improved Security Error Reduction on Atomic Execution
    3.3.1 Delegating Exponentiation with Improved Security Error Reduction on Atomic Execution for Fixed-Base Variable-Exponent Group
    3.3.2 Delegating Exponentiation with Improved Security Error Reduction on Atomic Execution for Fixed-Exponent Variable-Base Group
  3.4 Delegating Exponentiation with Improved Security Error Reduction with Multiple Execution
    3.4.1 Delegating Exponentiation with Improved Security Error Reduction with Multiple Execution for Fixed-Base Variable-Exponent Group
    3.4.2 Delegating Exponentiation with Improved Security Error Reduction with Multiple Execution for Fixed-Exponent Variable-Base Group
4 Delegation of Exponentiation in Special Group
  4.1 Delegation of Exponentiation in Special Group for the Function Fixed-Base Variable-Exponent
5 Conclusions 67
A Delegation of Inverses 69
B Exponentiation Algorithms Without Delegation 73
  B.1 Naive Way Calculating Modular Exponentiation
  B.2 Square and Multiply Method for Modular Exponentiation
Bibliography 77

Abstract

In this paper there are two parties, a client and a server, where the client is computationally weaker than the server and needs the server's help to compute group exponentiations, specifically fixed-base variable-exponent and fixed-exponent variable-base exponentiations. The problem is to write a protocol in which a computationally weaker client, holding an input and a description of the function, delegates the computation to a single, possibly malicious, server (a computationally stronger device) holding the same description of the function. The protocol must satisfy correctness, security, privacy and efficiency requirements. This problem has remained open since a formal model was introduced in [2]. In this proposal we solve this problem for the following groups:

1. Prime-order groups: our protocol satisfies natural correctness, security, privacy and efficiency requirements, with a security probability that is exponentially small in the security parameter.

2. General groups: our protocol satisfies natural correctness, security, privacy and efficiency requirements, with a security probability that is exponentially small in the security parameter; however, it requires more computation from the client in the offline phase and more computation from the server.


Chapter 1 Introduction

1.1 RFID tags

Radio frequency identification (RFID) [6] is an automatic identification technology with two components: tags and readers. A tag stores in its memory information about its identification (ID), and a reader reads the IDs of tags by running a link-layer protocol over the wireless channel when it is in the neighborhood of the tags. There are two kinds of RFID tags, passive and active. Passive tags have no battery, so their lifetime is unlimited and they are inexpensive (a few cents); the reader energizes them with RF power continuously while reading information from them. Passive RFID tags are the more challenging case because of their limited capabilities: writing an efficient protocol for them requires attention to storage, power and computational resources.

This research is about implementing security and privacy in RFID communication. Secure communication requires that information is encrypted before it is transmitted, and that only the intended receiver is able to decrypt it, while an eavesdropper cannot. There are two categories of encryption schemes: asymmetric key and symmetric key. Public-key (asymmetric) protocols are the more challenging of the two, since they demand more storage space and power than symmetric ones. There is therefore a need to design strong cryptographic schemes for computationally weaker devices such as RFID tags. This problem is solved in this paper under the following constraints: a computationally weaker client holds an input and a description of the function, and a computationally stronger server holds the same description of the function. Under these constraints the solution satisfies:

correctness: if the client and server are honest, the client obtains the output of the function evaluated, with the server's help, on the input supplied by the client;
security: the server cannot convince the client of a wrong computational output;
privacy: the server cannot learn any information about the client's input;
efficiency: the client's computation time is much shorter than the server's computation time, or than the time to compute the function non-interactively.

The idea of this paper is to delegate to a single server a computation that is a component of a large number of cryptographic primitives and protocols: exponentiation in a multiplicative group. The goal is that the client makes a smaller number of group multiplications than a non-delegated group exponentiation requires.

1.2 Thesis Statement

Modular exponentiation is one of the basic operations in most current cryptosystems, such as RSA, DH, ElGamal, DSS and others. For a σ-bit exponent x, the traditional square-and-multiply method requires on average 1.5σ modular multiplications and in the worst case 2σ modular multiplications. It is therefore very time-consuming for devices with limited computational resources. Applications of fast exponentiation include speeding up signature verification in the DSS, RSA and ElGamal schemes. In these schemes the online generation of a message signature can be done quickly, because the part of the signature that requires exponentiation can be precomputed offline; verification, however, must be an online exponentiation, since the message signature itself is used in the exponentiation.

Our goal in the thesis is to write correct protocols, with low security and privacy error probabilities and efficient in an atomic protocol, for two versions of modular exponentiation:

1. Fixed-base variable-exponent function, $F_{G,exp,g} : \mathbb{Z}_n \to G$ defined as $F_{G,exp,g}(x) = g^x$, where $G$ is a multiplicative group and $g \in G$ is fixed. More specifically, within this modular exponentiation we concentrate on the discrete-log-based (i.e. DH) function $F_{G,exp,g} : \mathbb{Z}_q \to \mathbb{Z}_q$ defined as $F_{G,exp,g}(x) = g^x$, where $g \in \mathbb{Z}_p$ and $p$ is prime.

2. Fixed-exponent variable-base function, $F_{G,exp,k} : G \to G$ defined as $F_{G,exp,k}(x) = x^k$, where $G$ is a multiplicative group and $k \in \mathbb{Z}^+$ is fixed. More specifically, within this modular exponentiation we concentrate on the RSA function $F_{G,exp,k} : \mathbb{Z}_N \to \mathbb{Z}_N$ defined as $F_{G,exp,k}(x) = x^k \bmod N$, where $N = p \cdot q$ and $p$ and $q$ are large primes.

In this proposal paper we write protocols for both functions in Chapter 3 and Chapter 4. In Chapter 3 we obtain an efficient atomic protocol with constant security probability in a general multiplicative group $G$, and use parallel repetition of the atomic protocol to reach the desired security probability $\epsilon_s = 2^{-\lambda}$. In Chapter 4 we obtain an efficient atomic protocol with the desired security probability $\epsilon_s = 2^{-\lambda}$ in a prime-order group without parallel repetition of an atomic protocol.

The goal of the thesis is to improve on the results of this proposal. More specifically, we want to obtain: an efficient atomic protocol for the DH and RSA functions with security error probability $\epsilon_s = 2^{-\lambda}$ without parallel repetition; and protocols for multiple exponentiations (i.e. a batch of exponentiations) for both the DH and RSA functions.

1.3 Construction

The construction in this paper first writes rigorous definitions, based on [2, 9], of the correctness, security, privacy and efficiency requirements for delegated computation protocols in the single-server (possibly malicious) setting. In this model we construct several protocols that provably satisfy these requirements while delegating group exponentiation, specifically the fixed-base variable-exponent and fixed-exponent variable-base functions, to a single malicious server. First we write the protocol for fixed-base variable-exponent group exponentiation, and then we build a similar protocol for fixed-exponent variable-base exponentiation using the group-inverse delegation protocol of Appendix A, which is discussed in [1].

Most of the protocols achieve a security probability exponentially small in the security parameter (for instance, if the security parameter is 128 then the security probability is $2^{-128}$). We introduce protocols for general groups and for specific groups such as prime-order groups.

Before presenting our protocols we describe the pseudo-random power generator that we use in the offline phase of all our protocols; its security holds under the hidden-subset-sum assumption (introduced in [7, 8]). Alternatively, we could consider a model with an offline phase in which the client precomputes exponentiations to random exponents using the square-and-multiply algorithm discussed in Appendix B, or in which another party precomputes them and stores them on the client's device.

First we introduce protocols for general groups in Chapter 3. In Section 3.1 we write an efficient protocol with security probability $\epsilon_s = 1/2$ for both fixed-exponent variable-base and variable-exponent fixed-base exponentiation; the main idea of this protocol comes from [1]. In Section 3.2 we write protocols that use direct parallel repetition of the protocol of Section 3.1 in order to achieve security probability $\epsilon_s = 2^{-\lambda}$. Our next protocol, presented in Section 3.3, is a parameterized class of protocols where, for some values of the parameters, the security probability is reduced more efficiently than by direct parallel repetition. Both protocols achieve the following efficiency trade-off: they reduce the number of the client's group multiplications during the online phase while increasing the number of group exponentiations to random exponents during the offline phase and the number of the server's group exponentiations. The privacy and security properties of the protocols assume only the existence of a pseudo-random power generator and no other complexity assumption, as the adversary corrupting the server is not limited to run in polynomial time. These protocols delegate the functions $F_{G,exp,g}(x) = g^x$ (i.e., variable-exponent, fixed-base exponentiation) and $F_{G,exp,k}(x) = x^k$ (i.e., fixed-exponent, variable-base exponentiation).

Note that for the function $F_{G,exp,k}(x) = x^k$ we need the delegation of group inverses protocol, which we write in Appendix A. Overall, the protocols of this chapter have constant security probability in an atomic protocol; our goal in the thesis is to improve the client's security probability to $2^{-\lambda}$, for statistical security parameter $\lambda$, without parallel repetition of an atomic protocol.

Table 1.1: Comparison of protocols with previous solutions delegating fixed-exponent, variable-base exponentiation to a single, malicious, server. (Rows: [1] and the protocols of this proposal for several values of the parameter $c$; columns: Mod. Mult. (online), Mod. Exp. (offline), Mod. Inverse, Security Prob. The table's entries are not recoverable here.)

Table 1.2: Comparison of protocols delegating variable-exponent, fixed-base exponentiation to a single, malicious, server in this proposal paper. (Rows: the protocols of this proposal for several values of the parameter $c$; columns: Mod. Mult. (online), Mod. Exp. (offline), Mod. Inverse, Security Prob. The table's entries are not recoverable here.)

Our main protocol (Chapter 4) delegates exponentiation in prime-order groups to a single, possibly malicious, server. The client performs only a linear number of group multiplications ($= 2\lambda + 2$), and the security probability is $\epsilon_s = 2^{-\lambda}$. The protocol assumes only the existence of a pseudo-random power generator, used in the offline phase, and no additional complexity assumption, as the adversary corrupting the server is not limited to run in polynomial time. In addition, the protocol requires only 2 precomputed exponentiations to random exponents in the offline phase, obtained with the pseudo-random power generator, and a communication cost of 4-6 group elements, which makes the scheme of much greater interest for practical applications. This protocol delegates the function $F_{G,exp,g}(x) = g^x$ (i.e., variable-exponent, fixed-base exponentiation over the group $G$). Overall, this chapter improves on the previous chapter in security probability and in the efficiency of client and server within an atomic protocol: without parallel repetition we obtain security probability $\epsilon_s = 2^{-\lambda}$ for variable-exponent fixed-base exponentiation over a prime-order group. Table 1.1 and Table 1.2 compare previous work with the protocols in this paper.

Our goal in the thesis is to write protocols that work for both functions $F_{G,exp,g}(x)$ and $F_{G,exp,k}(x)$ not only over prime-order groups but also over the groups $\mathbb{Z}_p$ and $\mathbb{Z}_N$. More specifically, for the discrete-log-based function $F_{G,exp,g} : \mathbb{Z}_q \to \mathbb{Z}_q$ defined as $F_{G,exp,g}(x) = g^x$, where $g \in \mathbb{Z}_p$ and $p$ is prime, and for the RSA function $F_{G,exp,k} : \mathbb{Z}_N \to \mathbb{Z}_N$ defined as $F_{G,exp,k}(x) = x^k \bmod N$, where $N = p \cdot q$ and $p$, $q$ are large primes.

In addition, we want to apply our protocols to the delegation of multiple exponentiations in the presence of a malicious adversary.

1.4 Related Work

Secure outsourcing, or delegation, of exponentiation has been a continuously popular topic. Many papers have proposed new ideas that were then broken in follow-up papers. Papers [9] and [5] give a good solution in which a client delegates any polynomial-size circuit to a single server (semi-honest in [5]) using garbled circuits and fully homomorphic encryption, for general functions. These solutions are asymptotically efficient, but not efficient for low-power devices such as passive RFID tags. Papers [1, 2, 13, 14, 4, 18, 15] give client-server solutions under the pseudo-random power generation assumption, which we also use in this protocol. In addition, the hidden-subset-sum assumption is used in [4, 8], and [3] works under the (stronger) subset-sum hardness assumption.

In [1, 2], the use of modular exponentiation is motivated by RFID tags. Specifically, in [2] the authors present two kinds of protocols: (1) the client delegates to two non-colluding cloud servers, at most one of which is untrusted, and (2) the client delegates to one cloud server that is trusted on average. In this protocol the client has to perform $O(\log^2 l)$ multiplications, where $|G| = l$, and the security probability is $1/2$ when the group has prime order. The follow-up paper [13] has features similar to [2] but improves the client's efficiency and the security probability, which decreases to $1/3$; it states that "the interesting open problem is whether there is an efficient algorithm for secure outsourcing of modular exponentiation using only one untrusted cloud server", which is what we work on in this proposal. The next follow-up paper, [18], with the same definitions as [2], tries to improve the security probability to $1/\lambda^2$, where $\lambda$ is the bit length of the exponent, for variable-base variable-exponent exponentiation; however, we found a contradiction in both described protocols (i.e. the defined privacy requirement does not hold, because the information $a_1$ and $a_2$ given to the server can leak information about the private input $a$). In Table 1.3 we compare our scheme in Chapter 4 with the schemes in [4, 13, 1].

Batch exponentiation was first studied in [15] and later improved in [3]. That paper is written for prime-order (i.e. cyclic) groups; the first two protocols require two non-colluding servers and the last protocol requires a single malicious server. In the delegation protocol the client has to perform $O(l + t)$ multiplications; the security probability of protocols 1 and 2 is constant and that of protocol 3 is negligible, where $l$ is the number of bits of the exponent and $t$ the number of exponentiations the client has to evaluate.

The authors of [14] provide a secure and efficient asymptotic speed-up of about $O(0.24\,(l/\log l)^{2/3})$ over the square-and-multiply algorithm, assuming a prime-order group. However, the base and exponent are known to the server and the adversary, so the privacy requirement is not applicable in that paper. The authors of [4] present a protocol that delegates variable-exponent, variable-base exponentiations to a single untrusted server. In [1], the authors write protocols for the delegation of group inverses and for the delegation of fixed-exponent, variable-base group exponentiation with constant security probability. In this proposal we improve the security probability of that paper and extend it to variable-exponent, fixed-base exponentiation.

Table 1.3: Comparison of protocols outsourcing a single exponentiation. (Columns: [4], [13], [1], Ours in Chapter 4. Rows: $Rand_{G,exp,g}$, Modular Multiplication, Modular Exponentiation, Modular Inversion, Queries to S, Privacy, Security, The number of servers. Only the last row is recoverable here: single server, two servers, single server, single server, respectively.)


Chapter 2 Definitions

In this chapter we write the basic definitions of the correctness, security, privacy and efficiency requirements for delegation protocols (following [2] and [9]).

2.1 Basic notations

Let us define:
$y \leftarrow T$: the probabilistic process of randomly and independently choosing $y$ from the set $T$.
$y \leftarrow A(x_1, x_2, \ldots)$: obtaining $y$ as output of the (possibly probabilistic) algorithm $A$ on input $x_1, x_2, \ldots$ and any necessary random coins.
$(z_A, z_B, tr) \leftarrow (A(x_1, x_2, \ldots), B(y_1, y_2, \ldots))$: obtaining $z_A$ as output of the (possibly probabilistic) algorithm $A$ on input $x_1, x_2, \ldots$ and any necessary random coins, similarly obtaining $z_B$ from algorithm $B$, where $tr$ is the sequence of messages exchanged by $A$ and $B$ during the execution.

2.2 System Scenario, Entities, and Protocol

Consider a system with two types of parties, clients and servers, where the client's computational resources are more limited than the server's, so that the client needs to delegate (outsource) the computation of a specific function to the server. Let $C$ be a single client and $S$ a single server in all our protocols.

Let $\sigma$ denote the computational security parameter (i.e., the parameter derived from hardness considerations on the underlying computational problem), and let $\lambda$ denote the statistical security parameter (i.e., a parameter such that events with probability $2^{-\lambda}$ are extremely rare). Both parameters are expressed in unary notation (i.e., $1^\sigma$, $1^\lambda$). For concreteness, we use $\sigma = 2048$ and $\lambda = 128$, the currently recommended settings in many cryptographic protocols and applications.

Let $F : Dom(F) \to CoDom(F)$ be a function, where $Dom(F)$ is the domain of $F$ and $CoDom(F)$ its range, and let $desc(F)$ denote a description of $F$. Let $(C(1^\sigma, 1^\lambda, desc(F), x), S(1^\sigma, 1^\lambda, desc(F)))$ be a client-server protocol for the delegated computation of $F$, i.e. a two-party communication protocol between $C$ and $S$ where $desc(F)$ is known to both $C$ and $S$ and the input $x$ is known only to $C$. A delegated computation of the value $y = F(x)$ is an execution of this client-server protocol, using independently chosen random bits for $C$ and $S$, denoted as follows:

1. $pp \leftarrow C(1^\sigma, 1^\lambda, desc(F))$,
2. $(y_C, y_S, tr) \leftarrow (C(1^\sigma, 1^\lambda, desc(F), x), S(1^\sigma, 1^\lambda, desc(F)))$.

Case 1 is executed in an offline phase, when the input $x$ to the function $F$ is not yet available, and, if the application needs it, could also be executed by a third party not colluding with $S$. Case 2 is executed in the online phase, when the input $x$ is available to $C$. At the end of both phases, $C$ learns $y_C = y$, $S$ learns $y_S$ (usually the empty string in this survey), and $tr$ is the transcript of the communication between $C$ and $S$. The delegated computation between client and server can be sequential (i.e. each execution starts after the previous one has finished) or concurrent (i.e. the server runs several executions from different clients at the same time). In this paper we only consider sequential computation.

2.3 Correctness Requirements

Intuitively, the correctness requirement states that if client and server follow the protocol, then at the end of the protocol the client obtains an output equal to the value obtained by evaluating the function $F$ on the client's input $x$. First, consider the correctness experiment below, denoted $CorrExp_{F,A}(1^\sigma, 1^\lambda)$:

Algorithm 1: Correctness Algorithm $CorrExp_{F,A}(1^\sigma, 1^\lambda)$
  $pp \leftarrow C(desc(F))$
  $(y_C, y_S) \leftarrow (C(pp, x), S)$
  if $y_C = F(x)$ then return 1
  else return 0

Definition. Let $\sigma, \lambda$ be the security parameters, $F$ a function, and $(C, S)$ a client-server protocol for the delegated computation of $F$. We say that $(C, S)$ satisfies $\delta_c$-correctness if for any $x$ in the domain of $F$ it holds that
$\Pr[\, out \leftarrow CorrExp_{F,A}(1^\sigma, 1^\lambda) : out = 1 \,] \ge \delta_c$
for some $\delta_c$ close to 1.

2.4 Security Requirements

Intuitively, the basic security requirement states that if $C$ follows the protocol then, at the end of the protocol, a malicious adversary corrupting $S$ cannot convince $C$ to output a value $y' \ne y$, where $y = F(x)$ and $x$ is the input chosen by $C$. For a stronger and more realistic notion of security we extend the power of the adversary by letting it choose $C$'s input $x$ and execute the protocol polynomially many times before trying to convince $C$ to accept an incorrect output. First, consider the security experiment below, denoted $SecExp_{F,A}(1^\sigma, 1^\lambda)$:

Definition. Let $\sigma, \lambda$ be the security parameters, $F$ a function, and $(C, S)$ a client-server protocol for the delegated computation of $F$. We say that $(C, S)$ satisfies $\epsilon_s$-security against a malicious adversary if for any algorithm $A$ it holds that
$\Pr[\, out \leftarrow SecExp_{F,A}(1^\sigma, 1^\lambda) : out = 1 \,] \le \epsilon_s$
for some small $\epsilon_s$.

Algorithm 2: Security Algorithm $SecExp_{F,A}(1^\sigma, 1^\lambda)$
  $i = 1$
  $pp \leftarrow C(desc(F))$
  $(a, x_1, aux) \leftarrow A(desc(F))$
  while $a \ne$ attack do
    $(y_i, (a, x_{i+1}, aux)) \leftarrow (C(pp, x_i), A(aux))$
    $i = i + 1$
  $x \leftarrow A(aux)$
  $(y', aux) \leftarrow (C(pp, x), A(aux))$
  if $y' \ne \bot$ and $y' \ne F(x)$ then return 1
  if $y' = \bot$ or $y' = F(x)$ then return 0

2.5 Privacy Requirements

Intuitively, the basic privacy requirement states that if $C$ follows the protocol, a malicious adversary corrupting $S$ cannot obtain any information about $C$'s input $x$ from a protocol execution. In the cryptographic literature this is an indistinguishability-based notion: the adversary picks two inputs $x_0, x_1$, one of them is chosen at random by $C$ and used in the protocol, and the adversary then has to guess which input $C$ used. For a stronger and more realistic privacy requirement we extend the power of the adversary by letting it choose $C$'s input and execute the protocol polynomially many times before attempting to guess $C$'s input. First, consider the privacy experiment below, denoted $PrivExp_{F,A}(1^\sigma, 1^\lambda)$:

Algorithm 3: Privacy Algorithm $PrivExp_{F,A}(1^\sigma, 1^\lambda)$
  $pp \leftarrow C(desc(F))$
  $(x_0, x_1, aux) \leftarrow A(desc(F))$
  $b \leftarrow \{0, 1\}$
  $(y, d) \leftarrow (C(pp, x_b), A(aux))$
  if $b = d$ then return 1
  if $b \ne d$ then return 0

Definition. Let $\sigma, \lambda$ be the security parameters, $F$ a function, and $(C, S)$ a client-server protocol for the delegated computation of $F$. We say that $(C, S)$ satisfies $\epsilon_p$-privacy (in the sense of indistinguishability) against a malicious adversary if for any algorithm $A$ it holds that
$\Pr[\, out \leftarrow PrivExp_{F,A}(1^\sigma, 1^\lambda) : out = 1 \,] \le \epsilon_p$
for some small $\epsilon_p$.

2.6 Efficiency Metrics and Requirements

Let $(C, S)$ be a client-server protocol for the delegated computation of a function $F$. We say that $(C, S)$ has efficiency parameters $(t_F, t_P, t_C, t_S, cc, mc)$ if $F$ can be computed using $t_F(\sigma, \lambda)$ atomic operations, $C$ runs in the offline phase using $t_P(\sigma, \lambda)$ atomic operations and in the online phase using $t_C(\sigma, \lambda)$ atomic operations, $S$ runs using $t_S(\sigma, \lambda)$ atomic operations, and $C$ and $S$ exchange a total of at most $mc$ messages of total length $cc$. An atomic operation is a group operation such as a group multiplication, inverse and/or exponentiation; lower-order operations (e.g. equality testing between two elements) are not counted. In our analysis we only consider the most expensive group operations as atomic operations (e.g., group multiplications and/or exponentiations), and neglect lower-order operations (e.g., equality testing, additions and subtractions between group elements). The main goal is to obtain protocols such that $t_C(\sigma, \lambda)$ is smaller than $t_F(\sigma, \lambda)$ and $t_S(\sigma, \lambda)$ is not significantly larger than $t_F(\sigma, \lambda)$, under the following assumptions:

1. group inverses require significantly more resources than group multiplication;
2. group exponentiation requires significantly more resources than group multiplication.

In addition, we minimize the other protocol efficiency metrics, such as the message complexity $mc$ and the communication complexity $cc$. We note that, according to the textbook square-and-multiply algorithm, $t_F(\sigma, \lambda)$ is on average $1.5\sigma$ group multiplications.
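The $1.5\sigma$ figure for $t_F$ is the baseline every client-side count in this paper is measured against, so it is worth seeing where it comes from. The following Python example is added here and is not code from the proposal: it implements the left-to-right square-and-multiply method, counts every modular multiplication (squarings included, as $t_F$ does), and averages the count over random $\sigma$-bit exponents. The modulus, base and seed are constructed sample values chosen only to make the run reproducible.

```python
import random


def square_and_multiply(g, x, n):
    """Left-to-right square-and-multiply for g^x mod n.

    Returns (g^x mod n, number of modular multiplications performed),
    counting squarings and multiplications alike, as the page's t_F does.
    """
    if x == 0:
        return 1 % n, 0
    bits = bin(x)[2:]          # most significant bit first; the leading bit is 1
    result = g % n             # the leading 1 bit costs nothing: result = g
    mults = 0
    for bit in bits[1:]:
        result = (result * result) % n   # square: one multiplication
        mults += 1
        if bit == "1":
            result = (result * g) % n    # multiply: one multiplication
            mults += 1
    return result, mults


def average_multiplications(sigma, trials, n, seed=0):
    """Average multiplication count over random sigma-bit exponents.

    Exponents are sampled with the top bit set so each one is exactly sigma
    bits long. Every exponent costs (sigma - 1) squarings plus one multiply
    per set bit below the top one, about (sigma - 1)/2 on average, so the
    expected total is roughly 1.5 * sigma.
    """
    rng = random.Random(seed)  # constructed, seeded sample for reproducibility
    total = 0
    for _ in range(trials):
        x = rng.getrandbits(sigma) | (1 << (sigma - 1))
        _, mults = square_and_multiply(3, x, n)   # constructed base 3
        total += mults
    return total / trials


if __name__ == "__main__":
    # Worst case 2*sigma occurs only for an all-ones exponent; the average
    # sits near 1.5*sigma, which is the t_F used throughout the paper.
    print(average_multiplications(2048, 200, 104729))
```

The count makes the paper's comparison concrete: a 2048-bit exponent costs about 3070 multiplications done locally, against a single online multiplication for the client in the delegated protocol of Chapter 3.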


Chapter 3 Delegation of a Single Exponentiation in General Group

In this chapter we present protocols for the delegation of exponentiation in general groups, for the functions $F_{G,exp,g} : \mathbb{Z}_q \to G$, $F_{G,exp,g}(x) = g^x$, and $F_{G,exp,k} : G \to G$, $F_{G,exp,k}(x) = x^k$. In Section 3.1 we describe the basic protocol, which satisfies security probability $\epsilon_s = 1/2$ for both functions. In Section 3.2 we use parallel repetition of the protocol of Section 3.1, $\lambda$ times, to improve the security probability to $2^{-\lambda}$. In Section 3.3 we introduce a class of protocols depending on parameters $c$ and $m$, in which the security probability $\epsilon_s$ is reduced from $1/2$ to roughly $1/c$ without parallel repetition. In Section 3.4 we combine the protocol of Section 3.3 with parallel repetition to reach security probability $\epsilon_s = 2^{-\lambda}$. Across these protocols the following hold together:
the security probability $\epsilon_s$ decreases;
the client's number of group multiplications in the online phase decreases;
the client's number of group exponentiations in the offline phase increases;
the server's number of group exponentiations increases.
The privacy and security properties of the protocols use only the pseudo-random power generator assumption and no other complexity assumption. The adversary corrupting the server can be arbitrarily malicious and is not limited to run in polynomial time.

3.1 Basic Delegating Exponentiation

This section describes the most efficient protocol with constant security probability for evaluating group exponentiations, specifically fixed-base variable-exponent and fixed-exponent variable-base exponentiations. In later sections we write protocols that improve the security probability of this section.

3.1.1 Basic Delegating Exponentiation for Fixed-Base Variable-Exponent Group

In this section we write an efficient protocol for the function $F_{G,exp,g} : \mathbb{Z}_q \to G$, $F_{G,exp,g}(x) = g^x$, with constant security probability, specifically $\epsilon_s = 1/2$. First we write the notation, the theorem and the description of the protocol that satisfies the theorem for the function $F_{G,exp,g}$, and then we prove the theorem by showing the correctness, efficiency, privacy and security requirements.

Notations: Let $l = \lceil \log |G| \rceil$, the length of the binary representation of a group element. We say that a group is efficient if its description is short, i.e. has length polynomial in $l$, and its associated operation and inverse operation are efficient, i.e. can be executed in time polynomial in $l$. Let $\sigma$ be the security parameter and $l$ the group element length; typically $\sigma$ and $l$ have the same value. Let $(G, \cdot)$ be an efficient group, and let $g \in G$ have order $> 2q$ for some large integer $q$ known to the client. Let $y = g^x$ denote the exponentiation of $g$ to the $x$-th power, i.e. the value $y \in G$ such that $g \cdot \ldots \cdot g = y$, where the multiplication is applied $x - 1$ times. Let the function $F_{G,exp,g} : \mathbb{Z}_q \to G$ be defined as $F_{G,exp,g}(x) = g^x$, where $x \in \mathbb{Z}_q = \{0, 1, \ldots, q-1\}$, $g \in G$ and $|g| > 2q$. We say that $Rand_{G,g}$ is a pseudo-random power generator if it is a probabilistic polynomial-time algorithm with the following syntax and properties:

1. on input $i = 0$, $Rand_{G,g}$ returns an auxiliary state information $aux$;
2. on input $i > 0$ and auxiliary state information $aux$, $Rand_{G,g}$ returns a pair $(u_i, g^{u_i})$, where $u_i \in G$, and updates the state $aux$;
3. for any polynomial $p$, the tuple $\{(u_1, g^{u_1}), \ldots, (u_{p(\sigma)}, g^{u_{p(\sigma)}})\}$, obtained as part of the output of algorithm $Rand_{G,g}$, is computationally indistinguishable from the tuple $\{(z_1, g^{z_1}), \ldots, (z_{p(\sigma)}, g^{z_{p(\sigma)}})\}$, where $z_1, \ldots, z_{p(\sigma)}$ are random and independent elements from $G$.

A generator with these properties was first designed in [7], then refined in [8], and has since been used in a number of works, including previous work on outsourcing modular exponentiation in [1]. This generator can be designed based on the hidden-subset-sum assumption in groups. With the same design, the running time of $Rand_{G,g}$ is comparable to about $m_r$ group multiplications, where $m_r = O(\log^2 l)$.

Theorem 1. Let $\sigma$ be a security parameter and let $G$ be an efficient group. There exists (constructively) a client-server protocol $(C, S)$ for the delegated computation of the function $F_{G,exp,g}$ which satisfies

1. $\delta_c$-correctness, for $\delta_c = 1$;
2. $\epsilon_s$-security, for $\epsilon_s = 1/2$;
3. $\epsilon_p$-privacy, for $\epsilon_p = 0$;
4. efficiency with parameters $(t_F, t_P, t_C, t_S, cc, mc)$, where
   $t_F$ = 1 group exponentiation in $G$;
   $t_S$ = 2 group exponentiations in $G$;
   $t_P$ = 2 group exponentiations to random exponents in $G$ using the pseudo-random power generator (about $2 \log^2(l)$ group multiplications);
   $t_C$ = 1 group multiplication in $G$;
   $cc$ = 2 elements in $G$ and 2 elements in $\mathbb{Z}_q$;
   $mc$ = 2.

We remark that the protocol of Theorem 1 has constant security probability, i.e. $\epsilon_s = 1/2$, and the client performs only 1 group multiplication, compared with the average number of group multiplications of the square-and-multiply algorithm discussed in Appendix B (which performs $1.5\sigma$ multiplications; for $\sigma = 2048$, $1.5\sigma = 3072 \gg 1$). Next we show the protocol that satisfies Theorem 1 and its requirements.

Informal description of the protocol $(C, S)$. The protocol has an offline phase and an online phase. In the offline phase, $C$ uses the pseudo-random power generator to generate two pairs $(u_0, v_0)$, $(u_1, v_1)$, where $u_0, u_1$ are random elements of $\mathbb{Z}_q$ and $v_i = g^{u_i}$ for $i = 0, 1$. In the online phase, one of these two pairs is used to verify that one of the two values sent by $S$ is correct, and the other is used to mask $C$'s input $x$ and to compute $y = g^x$

with the help of $S$. Since $S$ does not know which pair $C$ will use for each of these two purposes, the security probability of this protocol is at most $1/2$, meaning that $C$ can be made to compute an incorrect output of the function $F_{G,exp,g}$ with probability at most $1/2$.

Formal description of the protocol $(C, S)$.
Input to $S$: $1^\sigma$, $desc(F_{G,exp,g})$
Input to $C$: $1^\sigma$, $desc(F_{G,exp,g})$, $g \in G$ and $x \in \mathbb{Z}_q$, $aux = Rand_{G,g}(0)$

Protocol instructions:
Offline phase instructions:
1. $C$ computes $(u_i, v_i, aux) = Rand_{G,g}(i, aux)$ for $i = 0, 1$.
Online phase instructions:
1. $C$ randomly chooses $b \in \{0, 1\}$; $C$ sets $z_b := u_b$, $z_{1-b} := x - u_{1-b} \bmod q$; $C$ sends $z_0, z_1$ to $S$;
2. $S$ computes $w_i := g^{z_i}$ for $i = 0, 1$; $S$ sends $w_0, w_1$ to $C$;
3. if $w_b \ne v_b$, $C$ returns $\bot$ and the protocol halts; otherwise $C$ computes $y := w_{1-b} \cdot v_{1-b}$ and returns $y$.

Illustration of the protocol $(C, S)$:
Client, offline phase: $(u_i, v_i, aux) = Rand_{G,g}(i, aux)$ for $i = 0, 1$.
Client, online phase: $b \leftarrow_R \{0, 1\}$; $z_b := u_b$, $z_{1-b} := x - u_{1-b} \bmod q$.
Client $\to$ Server: $z_0, z_1$.
Server: $w_i = g^{z_i}$ for $i = 0, 1$.
Server $\to$ Client: $w_0, w_1$.
Client checks whether $w_b = v_b$; if not, $C$ returns $\bot$ and the protocol halts;

otherwise C returns $y = w_{1-b} \cdot v_{1-b}$.

Proof of Theorem 1. Properties of protocol (C, S):

1. The efficiency properties are verified by protocol inspection.
   - Round complexity: one message from C to S followed by one message from S to C, i.e. $mc = 2$.
   - Communication complexity: the protocol transfers 2 elements of $\mathbb{Z}_q$ and 2 elements of G ($z_0, z_1 \in \mathbb{Z}_q$ and $w_0, w_1 \in G$), so $cc = 4$.
   - Running time: S performs 2 exponentiations. C performs 2 offline group exponentiations through the pseudo-random power generator ($t_P = 2$) and 1 online multiplication in G ($t_C = 1$).

2. Correctness follows by observing that if C and S follow the protocol, C's equality check in step 3 is satisfied, and C's output y satisfies
   $y = w_{1-b} \cdot v_{1-b} = g^{z_{1-b}} \cdot g^{u_{1-b}} = g^{x - u_{1-b}} \cdot g^{u_{1-b}} = g^x$,
   that is, $y = F_{G,exp,g}(x)$ for every $x \in \mathbb{Z}_q$.

3. Privacy follows by observing that the message $z_0, z_1$ sent by C leaks no information about $x \in \mathbb{Z}_q$. By property 3 of the pseudo-random (G, g)-power generator, $(u_0, u_1)$ is computationally indistinguishable from a pair of random elements of $\mathbb{Z}_q$. The same then holds for $(z_0, z_1)$, because $z_b = u_b$ and $z_{1-b} = x - u_{1-b} \bmod q$ for $b \leftarrow_R \{0, 1\}$, so $z_{1-b}$ is (computationally) a uniformly random element of $\mathbb{Z}_q$ independent of x. Therefore the message $z_0, z_1$ sent by C leaks no information about x.

4. To show that the security property is satisfied, we consider three cases for the answer $w_0, w_1$ sent by the server to the client:
   a) both inequalities $w_0 \neq g^{z_0}$ and $w_1 \neq g^{z_1}$ hold;
   b) exactly one of the inequalities $w_0 \neq g^{z_0}$, $w_1 \neq g^{z_1}$ holds;
   c) both equalities $w_0 = g^{z_0}$ and $w_1 = g^{z_1}$ hold.

In case a), C returns $\bot$: in step 3 of the protocol C checks whether $w_b \neq v_b$ and halts if so, and here $w_b \neq g^{z_b} = g^{u_b} = v_b$ whichever b was chosen. The adversary therefore convinces C to return an output $\neq F_{G,exp,g}(x)$ with probability 0.

In case b), either C returns $\bot$ in step 3, or C computes $y \neq F_{G,exp,g}(x)$. The adversary's goal is to pass the check in step 3 while C computes $y \neq F_{G,exp,g}(x)$; this happens only if the incorrect answer sits at index $1 - b$, i.e. if the adversary correctly guesses the bit b, which happens with probability 1/2 because the message $z_0, z_1$ hides b.

In case c), the server is honest, so the adversary convinces C to return an output $\neq F_{G,exp,g}(x)$ with probability 0.

Hence the adversary convinces C to return an output $\neq F_{G,exp,g}(x)$ with probability at most 1/2.

3.1.2 Basic Delegating Exponentiation for Fixed-Exponent Variable-Base Group

In this section we write a protocol similar to that of the previous subsection for the function $F_{G,exp,k} : G \to G$, $F_{G,exp,k}(x) = x^k$, which was introduced in [1]. First we give the notations, the theorem and the description of the protocol satisfying it for $F_{G,exp,k}$; then we prove the theorem by showing the correctness, efficiency, privacy and security requirements.

Notations. Let $(G, \cdot)$ be a commutative group, let $\ell = \log |G|$, and let $k > 0$ be an integer (for simplicity assume $k < |G|$). Let $\sigma$ be a security parameter. As before, $Rand_{G,k}$ is a pseudo-random power generator if it is a probabilistic polynomial-time algorithm with the following syntax and properties:
1. on input $i = 0$, $Rand_{G,k}$ returns auxiliary state information $aux$;

2. on input $i > 0$ and auxiliary state information $aux$, $Rand_{G,k}$ returns a pair $(u_i, u_i^k)$ with $u_i \in G$ and updates the state $aux$;
3. for any polynomial p, the tuple $\{(u_1, u_1^k), \dots, (u_{p(\sigma)}, u_{p(\sigma)}^k)\}$ obtained as part of the output of $Rand_{G,k}$ is computationally indistinguishable from the tuple $\{(z_1, z_1^k), \dots, (z_{p(\sigma)}, z_{p(\sigma)}^k)\}$, where $z_1, \dots, z_{p(\sigma)}$ are random and independent elements of G.

Now we state the theorem formally.

Theorem 2. Let $\sigma$ be a security parameter, let k be a positive integer, and assume the existence of a pseudo-random (G, k)-powers generator. There exists (constructively) a client-server protocol (C, S) for the delegated computation of the function $F_{G,exp,k}$ which satisfies:
1. $\delta_c$-correctness, for $\delta_c = 1$;
2. $\epsilon_s$-security, for $\epsilon_s = 1/2$;
3. $\epsilon_p$-privacy, for $\epsilon_p = 0$;
4. efficiency with parameters $(t_F, t_S, t_P, t_C, cc, mc)$, where
   - $t_F$ = 1 group exponentiation in G;
   - $t_S$ = 2 group exponentiations and 1 group inverse in G;
   - $t_P$ = 2 group exponentiations in G through the pseudo-random power generator;
   - $t_C$ = 5 group multiplications in G;
   - $cc$ = 6 elements of G;
   - $mc$ = 2.

We remark that, as in Theorem 1, the security probability is a constant, $\epsilon_s = 1/2$, and the client performs only 5 online group multiplications, compared with the average of $1.5\sigma$ multiplications of the square-and-multiply algorithm discussed in Appendix B (for $\sigma = 2048$, $1.5\sigma = 3072 \gg 5$). Next we show the protocol that satisfies Theorem 2.

Informal description of the protocol (C, S). C uses the procedure $Rand_{G,k}$ to generate two pairs $(u_0, v_0), (u_1, v_1)$ of random group elements $u_0, u_1$ and their k-th powers $v_0, v_1$. Then one of these two pairs is used to verify that the

answers from S are correct, and the other pair is used to mask C's input x and lets C compute the k-th power of x from the answers received from S. The division by $v_{1-b}$ is delegated to S using one group multiplication and the inverse delegation protocol of Appendix A. Privacy follows from the fact that the message sent by C to S is computationally indistinguishable from random group elements (with their k-th powers), by the properties of $Rand_{G,k}$, and thus leaks no information about x. Security follows from the fact that the message sent by C to S does not reveal which of the two pairs of group elements is used for verification and which for computation, so any dishonest answer from S is detected by C with probability at least 1/2.

Formal description of the protocol (C, S). We use Theorem 10 of Appendix A on the protocol $(C_{inv}, S_{inv})$ for the delegated computation of inverses in G: on input a value $x \in G$ to be inverted, $C_{inv}$ returns a group value d to be sent to $S_{inv}$; on input d, $S_{inv}$ returns a group value e to be sent to $C_{inv}$; finally, from x, d and e, $C_{inv}$ computes $x^{-1}$ (or returns $\bot$). Let $Rand_{G,k}$ denote a pseudo-random (G, k)-powers generator. We assume that C computes $aux = Rand_{G,k}(0)$ once, at setup time, before running any delegated computation protocol.

Input to S: $1^\sigma$, $1^\lambda$, $desc(F_{G,exp,k})$
Input to C: $1^\sigma$, $1^\lambda$, $desc(F_{G,exp,k})$, $x \in G$, $aux = Rand_{G,k}(0)$

Protocol instructions:

Offline phase:
1. C computes $(u_i, v_i, aux) = Rand_{G,k}(i, aux)$ for $i = 0, 1$.

Online phase:
1. C randomly chooses $b \in \{0, 1\}$; C sets $z_b := u_b$ and $z_{1-b} := x \cdot u_{1-b}$; C runs $C_{inv}$ on input $v_{1-b}$, obtaining d; C sends $z_0, z_1, d$ to S.
2. S computes $w_i := z_i^k$ for $i = 0, 1$; S runs $S_{inv}$ on input d, obtaining e; S sends $w_0, w_1, e$ to C.

3. C runs $C_{inv}$ on input $v_{1-b}, d, e$ to compute $v_{1-b}^{-1}$; if this execution of $(C_{inv}, S_{inv})$ returns $\bot$, C returns $\bot$ and the protocol halts. If $w_b \neq v_b$ (an honest S gives $w_b = z_b^k = u_b^k = v_b$), C returns $\bot$ and the protocol halts. Otherwise C computes $y := w_{1-b} \cdot v_{1-b}^{-1}$ and returns y.

Illustration of the protocol (C, S):

Client (offline phase): $(u_i, v_i, aux) = Rand_{G,k}(i, aux)$ for $i = 0, 1$
Client (online phase): $b \leftarrow_R \{0, 1\}$; $z_b := u_b$, $z_{1-b} := x \cdot u_{1-b}$; $C_{inv}(v_{1-b}) = d$ (i.e. $d = v_{1-b} \cdot c$ for $c \leftarrow_R G$)
Client to Server: $z_0, z_1, d$
Server: $w_i = z_i^k$ for $i = 0, 1$; $S_{inv}(d) = e$ (i.e. $e = d^{-1}$)
Server to Client: $w_0, w_1, e$
Client: $C_{inv}(v_{1-b}, d, e) = v_{1-b}^{-1}$ (i.e. $c \cdot e = c \cdot d^{-1} = c \cdot (v_{1-b} \cdot c)^{-1} = v_{1-b}^{-1}$); if $(C_{inv}, S_{inv})$ returned $\bot$, C returns $\bot$ and the protocol halts; if $w_b \neq v_b$, C returns $\bot$ and the protocol halts; otherwise C computes $y = w_{1-b} \cdot v_{1-b}^{-1}$ and returns y.

Proof of Theorem 2. Properties of protocol (C, S):

1. The efficiency properties are verified by protocol inspection.
   - Round complexity: one message from C to S followed by one message from S to C, i.e. $mc = 2$.

   - Communication complexity: the protocol transfers 6 group elements ($z_0, z_1, d$ and $w_0, w_1, e$), so $cc = 6$.
   - Running time: S performs 2 exponentiations and 1 inversion. C performs 2 online multiplications in G plus one execution of the inverse delegation protocol (3 multiplications), so $t_C = 5$; $t_P = 2$ because in the offline phase C runs the procedure $Rand_{G,k}$ twice.

2. Correctness follows by observing that if C and S follow the protocol, C's equality check in step 3 is satisfied, and C's output y satisfies
   $y = w_{1-b} \cdot v_{1-b}^{-1} = (z_{1-b})^k \cdot ((u_{1-b})^k)^{-1} = (x \cdot u_{1-b})^k \cdot (u_{1-b})^{-k} = x^k \cdot (u_{1-b})^k \cdot (u_{1-b})^{-k} = x^k$ (by commutativity),
   that is, $y = F_{G,exp,k}(x)$ for every $x \in G$.

3. Privacy follows from the following two observations:
   a) in a single execution of (C, S), the message $z_0, z_1, d$ sent by C leaks no information about x;
   b) seeing multiple executions of (C, S) does not help the adversary obtain information about the input x of a new execution, even when C's inputs are chosen by the adversary.

To show observation (a), first notice that $(u_0, u_1)$ is computationally indistinguishable from a pair of random group elements, by property 3 of the pseudo-random (G, k)-powers generator. The same then holds for $(z_0, z_1)$, because $z_b = u_b$ and $z_{1-b} = x \cdot u_{1-b}$ for $b \leftarrow_R \{0, 1\}$. In addition, the value $d = v_{1-b} \cdot c$ is masked by a fresh random $c \in G$ and does not depend on x, as in the inverse delegation protocol of Appendix A (Theorem 10). Therefore the message $z_0, z_1, d$ sent by C leaks no information about x. Observation (b) follows, since the protocol (C, S) has a single round, by

extending the same argument to multiple executions of the protocol.

4. Security follows by combining the following two observations:
   a) in each execution of (C, S), if S follows the protocol then $y = F_{G,exp,k}(x)$ holds for every $x \in G$;
   b) seeing multiple executions of (C, S) does not help the adversary violate the equality $y = F_{G,exp,k}(x)$ in a future execution, even when C's inputs in these executions are chosen by the adversary.

To show observation (a), consider a single execution of (C, S) in which C follows the protocol, and, for any probabilistic polynomial-time adversary corrupting S, consider the values $w_0, w_1, e$ returned by the adversary to C. The value e belongs to the execution of the inverse delegation protocol of Appendix A computing the inverse of d, which is secure by Theorem 10: if the adversary deviates from the protocol in computing e, C detects it and returns the failure symbol $\bot$. For the values $w_0, w_1$, an honest server returns $w_i = z_i^k$ for $i \in \{0, 1\}$. Since $v_b = u_b^k$ and, by property 3 of the pseudo-random (G, k)-powers generator, S cannot guess the random bit b, a dishonest pair $w_0, w_1$ passes the check $w_b = v_b$ with probability at most 1/2. If $w_b \neq v_b$, C returns $\bot$; if $w_b = v_b$ and $w_{1-b}$ is honest, C returns $y = w_{1-b} \cdot v_{1-b}^{-1} = x^k$ by the correctness property.

To show observation (b), note that seeing multiple executions of (C, S) does not help the adversary increase the probability that the check $w_b = v_b$ passes in the next execution, by property 3 of the pseudo-random (G, k)-powers generator, as discussed when showing the privacy property.

3.2 Delegating Exponentiation Using Parallel Repetition

In the last section we introduced protocols with security probability $\epsilon_s = 1/2$. In this section we improve the security probability $\epsilon_s$ using parallel repetition of the same protocol in the previous section, for both functions $F_{G,exp,g}$ and $F_{G,exp,k}$.
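Before turning to parallel repetition, here is the protocol of Theorem 2 (Section 3.1.2) written out end to end, as an added worked example that is not part of the thesis text. It runs both sides, including the inverse delegation sub-protocol of Appendix A in the form shown in the illustration above ($d = v_{1-b} \cdot c$, $e = d^{-1}$, check $d \cdot e = 1$, recover $v_{1-b}^{-1} = c \cdot e$), and then lets two dishonest servers try their luck. The group is a constructed toy one (the order-509 subgroup of $\mathbb{Z}_{1019}^*$), and the offline pairs are computed by direct exponentiation rather than with $Rand_{G,k}$; both are assumptions of the example, not of the thesis.

```python
import secrets

# Constructed toy group for this example: the order-q subgroup of Z_p^*, with p = 2q + 1
# a small safe prime. A deployment would use a standard large group; the protocol logic
# does not depend on the group size.
P, Q = 1019, 509


def random_group_element():
    """Uniform element of the order-q subgroup: the square of a random non-zero residue."""
    r = 1 + secrets.randbelow(P - 1)
    return (r * r) % P


def client_query(x, k):
    """Online step 1 of (C, S) for F_{G,exp,k}(x) = x^k.

    Example simplification: the offline pairs (u_i, u_i^k) are computed by direct
    exponentiation instead of with the Rand_{G,k} generator of the thesis.
    Returns C's private state and the message (z_0, z_1, d) sent to S.
    """
    u = [random_group_element(), random_group_element()]
    v = [pow(u[0], k, P), pow(u[1], k, P)]      # offline phase: v_i = u_i^k
    b = secrets.randbits(1)                      # which pair is the trap
    z = [0, 0]
    z[b] = u[b]                                  # z_b = u_b: S's answer is checked against v_b
    z[1 - b] = (x * u[1 - b]) % P                # z_{1-b} = x * u_{1-b}: masks x        (mult 1)
    c = random_group_element()                   # C_inv: blind v_{1-b} with a fresh random c
    d = (v[1 - b] * c) % P                       # d = v_{1-b} * c                        (mult 2)
    return (b, v, c, d), (z[0], z[1], d)


def honest_server(msg, k):
    """Step 2: S computes w_i = z_i^k and, as S_inv, e = d^{-1}."""
    z0, z1, d = msg
    return pow(z0, k, P), pow(z1, k, P), pow(d, -1, P)


def client_finish(state, answer):
    """Step 3: verify S_inv's answer, verify the trap pair, unmask x^k.
    None stands for the failure symbol."""
    b, v, c, d = state
    w0, w1, e = answer
    w = (w0, w1)
    if (d * e) % P != 1:                         # C_inv's check: e must be d^{-1}        (mult 3)
        return None
    v_inv = (c * e) % P                          # c * (v_{1-b} * c)^{-1} = v_{1-b}^{-1}  (mult 4)
    if w[b] != v[b]:                             # trap: w_b must equal u_b^k
        return None
    return (w[1 - b] * v_inv) % P                # (x u_{1-b})^k * u_{1-b}^{-k} = x^k    (mult 5)


def delegated_power(x, k, server=honest_server):
    """One full execution of (C, S); `server` lets a dishonest S be plugged in."""
    state, msg = client_query(x, k)
    return client_finish(state, server(msg, k))


def cheating_server(msg, k):
    """Corrupts exactly one of w_0, w_1 (case b of the security proof); e stays honest."""
    w0, w1, e = honest_server(msg, k)
    if secrets.randbits(1):
        w0 = (w0 * 4) % P                        # wrong, but still a subgroup element
    else:
        w1 = (w1 * 4) % P
    return w0, w1, e


def bad_inverse_server(msg, k):
    """Returns a wrong e; C_inv's d * e == 1 check must reject it every time."""
    w0, w1, e = honest_server(msg, k)
    return w0, w1, (e * 4) % P


def accepted_wrong_rate(k, trials=2000):
    """Fraction of runs in which C accepts a value != x^k from cheating_server (about 1/2)."""
    x = random_group_element()
    truth = pow(x, k, P)
    bad = 0
    for _ in range(trials):
        y = delegated_power(x, k, cheating_server)
        if y is not None and y != truth:
            bad += 1
    return bad / trials
```

The cheating server corrupts exactly one of $w_0, w_1$, which is case b) of the security argument, and the measured acceptance rate of a wrong answer sits near 1/2, matching $\epsilon_s$; a wrong inverse e is rejected every time by the $d \cdot e = 1$ check of $C_{inv}$. The five client multiplications that make up $t_C = 5$ are marked in the comments: one for $z_{1-b}$, one for d, one for the check, one for $c \cdot e$, and one for y.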

3.2.1 Delegating Exponentiation Using Parallel Repetition for Fixed-Base Variable-Exponent Group

In this subsection we decrease $\epsilon_s = 1/2$ to $\epsilon_s = 1/2^\lambda$, for a security parameter $\lambda$, for the function $F_{G,exp,g} : \mathbb{Z}_q \to G$, $F_{G,exp,g}(x) = g^x$, by extending the protocol (C, S) with parallel repetition. We state the theorem and the protocol that satisfies it, and then prove it by showing the correctness, efficiency, privacy and security requirements.

Theorem 3. Let $\sigma, \lambda$ be security parameters and let G be an efficient group. There exists (constructively) a client-server protocol (C, S) for the delegated computation of the function $F_{G,exp,g}$ which satisfies:
1. $\delta_c$-correctness, for $\delta_c = 1$;
2. $\epsilon_s$-security, for $\epsilon_s = 2^{-\lambda}$;
3. $\epsilon_p$-privacy, for $\epsilon_p = 0$;
4. efficiency with parameters $(t_F, t_S, t_P, t_C, cc, mc)$, where
   - $t_F$ = 1 group exponentiation in G;
   - $t_S$ = $2\lambda$ group exponentiations in G;
   - $t_P$ = $2\lambda$ group exponentiations with random exponents in $\mathbb{Z}_q$ through the pseudo-random power generator; the online phase also needs $\lambda$ subtractions in $\mathbb{Z}_q$;
   - $t_C$ = $\lambda$ group multiplications in G;
   - $cc$ = $2\lambda$ elements of G and $2\lambda$ elements of $\mathbb{Z}_q$;
   - $mc$ = 2.

We remark that Theorem 3 achieves a much better security probability, $\epsilon_s = 2^{-\lambda}$, than the previous section's $\epsilon_s = 2^{-1}$. The price is client work: C performs $\lambda$ times as many group multiplications as in Theorem 1, so efficiency degrades as $\lambda$ grows. It is still better than the square-and-multiply algorithm discussed in Appendix B: for $\lambda = 128$ and $\sigma = 2048$, in Theorem

3 the client performs 256 group multiplications, compared with $1.5\sigma = 3072$ multiplications for square-and-multiply.

Informal description of the protocol (C, S). As in the previous section, the protocol has an offline phase and an online phase. In the offline phase, C uses the pseudo-random power generator to produce $2\lambda$ pairs $(u_{i,0}, v_{i,0}), (u_{i,1}, v_{i,1})$, where $u_{i,0}, u_{i,1}$ are random elements of $\mathbb{Z}_q$ and $v_{i,j} = g^{u_{i,j}}$ in G, for $i = 1, \dots, \lambda$ and $j = 0, 1$. In the online phase, for each i, one of the two pairs is used to verify that one of the two answers sent by S is correct, and the other is used to mask C's input x and compute $y = g^x$ with the help of S; C also checks that the $\lambda$ candidate values of $g^x$ agree. Since S does not know which pair is used for which purpose in any of the $\lambda$ repetitions, the security of this protocol is $\epsilon_s = 2^{-\lambda}$: C can be made to output an incorrect value of $F_{G,exp,g}(x)$ with probability at most $2^{-\lambda}$.

Formal description of the protocol (C, S).

Input to S: $1^\sigma$, $1^\lambda$, $desc(F_{G,exp,g})$, $g \in G$
Input to C: $1^\sigma$, $1^\lambda$, $desc(F_{G,exp,g})$, $g \in G$, $x \in \mathbb{Z}_q$, $aux = Rand_{G,g}(0)$

Protocol instructions:

Offline phase:
1. C computes $(u_{i,j}, v_{i,j}, aux) = Rand_{G,g}((i, j), aux)$ for $i = 1, \dots, \lambda$ and $j = 0, 1$.

Online phase:
1. For each $i = 1, \dots, \lambda$: C randomly chooses $b_i \in \{0, 1\}$; C sets $z_{i,b_i} := u_{i,b_i}$ and $z_{i,1-b_i} := x - u_{i,1-b_i} \bmod q$; C sends $z_{i,0}, z_{i,1}$ to S.
2. For each $i = 1, \dots, \lambda$: S computes $w_{i,j} := g^{z_{i,j}}$ for $j = 0, 1$; S sends $w_{i,0}, w_{i,1}$ to C.
3. For each $i = 1, \dots, \lambda$: if $w_{i,b_i} \neq v_{i,b_i}$, C returns $\bot$ and the protocol halts; otherwise C computes $y_i := w_{i,1-b_i} \cdot v_{i,1-b_i}$. If $y_1 = \dots = y_\lambda$,

C returns $y_1$; else C returns $\bot$.

Illustration of the protocol (C, S):

Client (offline phase): $(u_{i,j}, v_{i,j}, aux) = Rand_{G,g}((i, j), aux)$ for $i = 1, \dots, \lambda$, $j = 0, 1$
Client (online phase): $b_i \leftarrow_R \{0, 1\}$; $z_{i,b_i} := u_{i,b_i}$, $z_{i,1-b_i} := x - u_{i,1-b_i} \bmod q$, for $i = 1, \dots, \lambda$
Client to Server: $z_{1,0}, z_{1,1}, \dots, z_{\lambda,0}, z_{\lambda,1}$
Server: $w_{i,j} = g^{z_{i,j}}$ for $i = 1, \dots, \lambda$, $j = 0, 1$
Server to Client: $w_{1,0}, w_{1,1}, \dots, w_{\lambda,0}, w_{\lambda,1}$
Client: if $w_{i,b_i} \neq v_{i,b_i}$ for some $i = 1, \dots, \lambda$, C returns $\bot$ and the protocol halts; C computes $y_i := w_{i,1-b_i} \cdot v_{i,1-b_i}$ for $i = 1, \dots, \lambda$; if $y_1 = \dots = y_\lambda$ then C returns $y_1$, else C returns $\bot$.

Proof of Theorem 3. Properties of protocol (C, S):

1. The efficiency properties are verified by protocol inspection.
   - Round complexity: one message from C to S followed by one message from S to C, i.e. $mc = 2$.
   - Communication complexity: the protocol transfers $2\lambda$ elements of $\mathbb{Z}_q$ and $2\lambda$ elements of G ($z_{i,j} \in \mathbb{Z}_q$ and $w_{i,j} \in G$), so $cc = 4\lambda$.
   - Running time: S performs $2\lambda$ exponentiations.

     C performs $2\lambda$ offline group exponentiations through the pseudo-random power generator ($t_P = 2\lambda$) and $\lambda$ online multiplications in G ($t_C = \lambda$).

2. Correctness follows by observing that if C and S follow the protocol, C's equality checks in step 3 are satisfied, and for each i
   $y_i = w_{i,1-b_i} \cdot v_{i,1-b_i} = g^{z_{i,1-b_i}} \cdot g^{u_{i,1-b_i}} = g^{x - u_{i,1-b_i}} \cdot g^{u_{i,1-b_i}} = g^x$,
   so $y_1 = \dots = y_\lambda$ and C's output is $y_1 = F_{G,exp,g}(x)$ for every $x \in \mathbb{Z}_q$.

3. Privacy follows by observing that the messages $z_{i,j}$ ($i = 1, \dots, \lambda$, $j = 0, 1$) sent by C leak no information about $x \in \mathbb{Z}_q$. By property 3 of the pseudo-random (G, g)-power generator, the values $u_{i,j}$ are computationally indistinguishable from random elements of $\mathbb{Z}_q$. The same then holds for the values $z_{i,j}$, because for all $i = 1, \dots, \lambda$ C sets $z_{i,b_i} := u_{i,b_i}$ and $z_{i,1-b_i} := x - u_{i,1-b_i} \bmod q$ for $b_i \leftarrow_R \{0, 1\}$. Therefore the messages sent by C leak no information about x.

4. To show that the security property is satisfied, we consider three cases for the answers $w_{i,0}, w_{i,1}$, $i = 1, \dots, \lambda$, sent by S to C:
   a) there exists $i \in \{1, \dots, \lambda\}$ such that both inequalities $w_{i,0} \neq g^{z_{i,0}}$ and $w_{i,1} \neq g^{z_{i,1}}$ hold;
   b) for every $i \in \{1, \dots, \lambda\}$ at most one of the inequalities $w_{i,0} \neq g^{z_{i,0}}$, $w_{i,1} \neq g^{z_{i,1}}$ holds, and for some i one of them does;
   c) for every $i \in \{1, \dots, \lambda\}$ both equalities $w_{i,0} = g^{z_{i,0}}$ and $w_{i,1} = g^{z_{i,1}}$ hold.

In case a), C returns $\bot$, because in step 3 of the protocol C checks whether $w_{i,b_i} \neq v_{i,b_i}$ and halts if so, and for this i the check fails whichever $b_i$ was chosen. The adversary therefore convinces C to return an output $\neq F_{G,exp,g}(x)$ with probability 0.
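The protocol of Theorem 3 written out end to end (with $\lambda = 1$ it is exactly the protocol of Theorem 1), as an added worked example that is not part of the thesis text. It runs both sides' messages and then measures how often servers that deviate in the ways considered in the security argument get a wrong value accepted. The group is a constructed toy one ($g = 4$ generating the order-509 subgroup of $\mathbb{Z}_{1019}^*$), and the offline pairs are computed by direct exponentiation rather than with $Rand_{G,g}$; both are assumptions of the example, not of the thesis.

```python
import secrets

# Constructed toy group for this example: g generates the order-q subgroup of Z_p^*,
# with p = 2q + 1 a small safe prime. A deployment would use a standard large group.
P, Q, G = 1019, 509, 4


def offline_pairs(lam):
    """Offline phase: 2*lam pairs (u, g^u). Example simplification: a stand-in for
    Rand_{G,g}, which would produce them more cheaply; here we just exponentiate."""
    pairs = []
    for _ in range(lam):
        u0, u1 = secrets.randbelow(Q), secrets.randbelow(Q)
        pairs.append(((u0, pow(G, u0, P)), (u1, pow(G, u1, P))))
    return pairs


def client_query(x, pairs):
    """Online step 1: in each repetition one pair is the trap (z_b = u_b) and the other
    masks x (z_{1-b} = x - u_{1-b} mod q). Returns C's private state and the message to S."""
    state, msg = [], []
    for pair in pairs:
        b = secrets.randbits(1)
        u_b, v_b = pair[b]
        u_m, v_m = pair[1 - b]
        z = [0, 0]
        z[b] = u_b
        z[1 - b] = (x - u_m) % Q
        msg.append((z[0], z[1]))
        state.append((b, v_b, v_m))
    return state, msg


def honest_server(msg):
    """Step 2: S computes w_{i,j} = g^{z_{i,j}} for every pair it received."""
    return [(pow(G, z0, P), pow(G, z1, P)) for z0, z1 in msg]


def client_finish(state, answers):
    """Step 3: check every trap, unmask every y_i, and require y_1 = ... = y_lambda.
    None stands for the failure symbol."""
    ys = []
    for (b, v_b, v_m), w in zip(state, answers):
        if w[b] != v_b:                      # trap failed: S did not return g^{u_b}
            return None
        ys.append((w[1 - b] * v_m) % P)      # g^{x - u} * g^{u} = g^x
    if any(y != ys[0] for y in ys):
        return None
    return ys[0]


def delegated_exp(x, lam, server=honest_server):
    """One full execution of (C, S) with lam parallel repetitions."""
    state, msg = client_query(x, offline_pairs(lam))
    return client_finish(state, server(msg))


def cheating_server(msg):
    """Case b) of the proof in every repetition: alter exactly one of the two answers,
    hoping it is the masked one. Fools C only if all lam guesses are right."""
    out = []
    for w0, w1 in honest_server(msg):
        if secrets.randbits(1):
            out.append(((w0 * G) % P, w1))
        else:
            out.append((w0, (w1 * G) % P))
    return out


def lazy_cheating_server(msg):
    """Alters only the first repetition; for lam > 1 the y_1 = ... = y_lam check catches it."""
    out = honest_server(msg)
    w0, w1 = out[0]
    out[0] = ((w0 * G) % P, w1) if secrets.randbits(1) else (w0, (w1 * G) % P)
    return out


def accepted_wrong_rate(lam, server, trials=1000):
    """Fraction of runs in which C accepts a value != g^x; about 2^-lam for cheating_server."""
    x = 123
    truth = pow(G, x, P)
    bad = 0
    for _ in range(trials):
        y = delegated_exp(x, lam, server)
        if y is not None and y != truth:
            bad += 1
    return bad / trials
```

A server that corrupts one answer in every repetition is accepted with probability about $2^{-\lambda}$, as the theorem states; a server that corrupts only a single repetition is caught by the consistency check $y_1 = \dots = y_\lambda$ whenever $\lambda > 1$, which is why the client compares all $\lambda$ candidates instead of returning the first one.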


More information

Round-Efficient Multi-party Computation with a Dishonest Majority

Round-Efficient Multi-party Computation with a Dishonest Majority Round-Efficient Multi-party Computation with a Dishonest Majority Jonathan Katz, U. Maryland Rafail Ostrovsky, Telcordia Adam Smith, MIT Longer version on http://theory.lcs.mit.edu/~asmith 1 Multi-party

More information

Lectures 2+3: Provable Security

Lectures 2+3: Provable Security Lectures 2+3: Provable Security Contents 1 Motivation 1 2 Syntax 3 3 Correctness 5 4 Security Definitions 6 5 Important Cryptographic Primitives 8 6 Proofs of Security 10 7 Limitations of Provable Security

More information

CPSC 467b: Cryptography and Computer Security

CPSC 467b: Cryptography and Computer Security Outline Authentication CPSC 467b: Cryptography and Computer Security Lecture 18 Michael J. Fischer Department of Computer Science Yale University March 29, 2010 Michael J. Fischer CPSC 467b, Lecture 18

More information

Oblivious Transfer and Secure Multi-Party Computation With Malicious Parties

Oblivious Transfer and Secure Multi-Party Computation With Malicious Parties CS 380S Oblivious Transfer and Secure Multi-Party Computation With Malicious Parties Vitaly Shmatikov slide 1 Reminder: Oblivious Transfer b 0, b 1 i = 0 or 1 A b i B A inputs two bits, B inputs the index

More information

Attribute-based Encryption & Delegation of Computation

Attribute-based Encryption & Delegation of Computation Lattices and Homomorphic Encryption, Spring 2013 Instructors: Shai Halevi, Tal Malkin Attribute-based Encryption & Delegation of Computation April 9, 2013 Scribe: Steven Goldfeder We will cover the ABE

More information

Introduction to Modern Cryptography Lecture 11

Introduction to Modern Cryptography Lecture 11 Introduction to Modern Cryptography Lecture 11 January 10, 2017 Instructor: Benny Chor Teaching Assistant: Orit Moskovich School of Computer Science Tel-Aviv University Fall Semester, 2016 17 Tuesday 12:00

More information

Additive Conditional Disclosure of Secrets

Additive Conditional Disclosure of Secrets Additive Conditional Disclosure of Secrets Sven Laur swen@math.ut.ee Helsinki University of Technology Motivation Consider standard two-party computation protocol. x f 1 (x, y) m 1 m2 m r 1 mr f 2 (x,

More information

Cryptographic Protocols Notes 2

Cryptographic Protocols Notes 2 ETH Zurich, Department of Computer Science SS 2018 Prof. Ueli Maurer Dr. Martin Hirt Chen-Da Liu Zhang Cryptographic Protocols Notes 2 Scribe: Sandro Coretti (modified by Chen-Da Liu Zhang) About the notes:

More information

Lecture 9 and 10: Malicious Security - GMW Compiler and Cut and Choose, OT Extension

Lecture 9 and 10: Malicious Security - GMW Compiler and Cut and Choose, OT Extension CS 294 Secure Computation February 16 and 18, 2016 Lecture 9 and 10: Malicious Security - GMW Compiler and Cut and Choose, OT Extension Instructor: Sanjam Garg Scribe: Alex Irpan 1 Overview Garbled circuits

More information

1 Cryptographic hash functions

1 Cryptographic hash functions CSCI 5440: Cryptography Lecture 6 The Chinese University of Hong Kong 24 October 2012 1 Cryptographic hash functions Last time we saw a construction of message authentication codes (MACs) for fixed-length

More information

Multiparty Computation

Multiparty Computation Multiparty Computation Principle There is a (randomized) function f : ({0, 1} l ) n ({0, 1} l ) n. There are n parties, P 1,...,P n. Some of them may be adversarial. Two forms of adversarial behaviour:

More information

Fast Large-Scale Honest-Majority MPC for Malicious Adversaries

Fast Large-Scale Honest-Majority MPC for Malicious Adversaries Fast Large-Scale Honest-Majority MPC for Malicious Adversaries Koji Chida 1, Daniel Genkin 2, Koki Hamada 1, Dai Ikarashi 1, Ryo Kikuchi 1, Yehuda Lindell 3, and Ariel Nof 3 1 NTT Secure Platform Laboratories,

More information

CS 282A/MATH 209A: Foundations of Cryptography Prof. Rafail Ostrosky. Lecture 4

CS 282A/MATH 209A: Foundations of Cryptography Prof. Rafail Ostrosky. Lecture 4 CS 282A/MATH 209A: Foundations of Cryptography Prof. Rafail Ostrosky Lecture 4 Lecture date: January 26, 2005 Scribe: Paul Ray, Mike Welch, Fernando Pereira 1 Private Key Encryption Consider a game between

More information

Lecture Notes 17. Randomness: The verifier can toss coins and is allowed to err with some (small) probability if it is unlucky in its coin tosses.

Lecture Notes 17. Randomness: The verifier can toss coins and is allowed to err with some (small) probability if it is unlucky in its coin tosses. CS 221: Computational Complexity Prof. Salil Vadhan Lecture Notes 17 March 31, 2010 Scribe: Jonathan Ullman 1 Interactive Proofs ecall the definition of NP: L NP there exists a polynomial-time V and polynomial

More information

Cryptographic Hash Functions

Cryptographic Hash Functions Cryptographic Hash Functions Çetin Kaya Koç koc@ece.orst.edu Electrical & Computer Engineering Oregon State University Corvallis, Oregon 97331 Technical Report December 9, 2002 Version 1.5 1 1 Introduction

More information

Homework 3 Solutions

Homework 3 Solutions 5233/IOC5063 Theory of Cryptology, Fall 205 Instructor Prof. Wen-Guey Tzeng Homework 3 Solutions 7-Dec-205 Scribe Amir Rezapour. Consider an unfair coin with head probability 0.5. Assume that the coin

More information

Non-Interactive ZK:The Feige-Lapidot-Shamir protocol

Non-Interactive ZK:The Feige-Lapidot-Shamir protocol Non-Interactive ZK: The Feige-Lapidot-Shamir protocol April 20, 2009 Remainders FLS protocol Definition (Interactive proof system) A pair of interactive machines (P, V ) is called an interactive proof

More information

1 Recommended Reading 1. 2 Public Key/Private Key Cryptography Overview RSA Algorithm... 2

1 Recommended Reading 1. 2 Public Key/Private Key Cryptography Overview RSA Algorithm... 2 Contents 1 Recommended Reading 1 2 Public Key/Private Key Cryptography 1 2.1 Overview............................................. 1 2.2 RSA Algorithm.......................................... 2 3 A Number

More information

Public Key Algorithms

Public Key Algorithms Public Key Algorithms Raj Jain Washington University in Saint Louis Saint Louis, MO 63130 Jain@cse.wustl.edu Audio/Video recordings of this lecture are available at: http://www.cse.wustl.edu/~jain/cse571-09/

More information

Solutions to homework 2

Solutions to homework 2 ICS 180: Introduction to Cryptography 4/22/2004 Solutions to homework 2 1 Security Definitions [10+20 points] Definition of some security property often goes like this: We call some communication scheme

More information

Public-Key Encryption: ElGamal, RSA, Rabin

Public-Key Encryption: ElGamal, RSA, Rabin Public-Key Encryption: ElGamal, RSA, Rabin Introduction to Modern Cryptography Benny Applebaum Tel-Aviv University Fall Semester, 2011 12 Public-Key Encryption Syntax Encryption algorithm: E. Decryption

More information

Entity Authentication

Entity Authentication Entity Authentication Sven Laur swen@math.ut.ee University of Tartu Formal Syntax Entity authentication pk (sk, pk) Gen α 1 β 1 β i V pk (α 1,...,α i 1 ) α i P sk (β 1,...,β i 1 ) Is it Charlie? α k The

More information

Lecture Notes on Secret Sharing

Lecture Notes on Secret Sharing COMS W4261: Introduction to Cryptography. Instructor: Prof. Tal Malkin Lecture Notes on Secret Sharing Abstract These are lecture notes from the first two lectures in Fall 2016, focusing on technical material

More information

ENEE 457: Computer Systems Security 10/3/16. Lecture 9 RSA Encryption and Diffie-Helmann Key Exchange

ENEE 457: Computer Systems Security 10/3/16. Lecture 9 RSA Encryption and Diffie-Helmann Key Exchange ENEE 457: Computer Systems Security 10/3/16 Lecture 9 RSA Encryption and Diffie-Helmann Key Exchange Charalampos (Babis) Papamanthou Department of Electrical and Computer Engineering University of Maryland,

More information

6.897: Advanced Topics in Cryptography. Lecturer: Ran Canetti

6.897: Advanced Topics in Cryptography. Lecturer: Ran Canetti 6.897: Advanced Topics in Cryptography Lecturer: Ran Canetti Focus for first half (until Spring Break): Foundations of cryptographic protocols Goal: Provide some theoretical foundations of secure cryptographic

More information

1 Indistinguishability for multiple encryptions

1 Indistinguishability for multiple encryptions CSCI 5440: Cryptography Lecture 3 The Chinese University of Hong Kong 26 September 2012 1 Indistinguishability for multiple encryptions We now have a reasonable encryption scheme, which we proved is message

More information

Optimal Verification of Operations on Dynamic Sets

Optimal Verification of Operations on Dynamic Sets Optimal Verification of Operations on Dynamic Sets Charalampos Papamanthou Brown University Providence RI Roberto Tamassia Brown University Providence RI Nikos Triandopoulos RSA Laboratories Cambridge

More information

Public key exchange using semidirect product of (semi)groups

Public key exchange using semidirect product of (semi)groups Public key exchange using semidirect product of (semi)groups Maggie Habeeb 1, Delaram Kahrobaei 2, Charalambos Koupparis 3, and Vladimir Shpilrain 4 1 California University of Pennsylvania habeeb@calu.edu

More information

MASCOT: Faster Malicious Arithmetic Secure Computation with Oblivious Transfer

MASCOT: Faster Malicious Arithmetic Secure Computation with Oblivious Transfer MASCOT: Faster Malicious Arithmetic Secure Computation with Oblivious Transfer Tore Frederiksen Emmanuela Orsini Marcel Keller Peter Scholl Aarhus University University of Bristol 31 May 2016 Secure Multiparty

More information

1 Secure two-party computation

1 Secure two-party computation CSCI 5440: Cryptography Lecture 7 The Chinese University of Hong Kong, Spring 2018 26 and 27 February 2018 In the first half of the course we covered the basic cryptographic primitives that enable secure

More information

Rate-Limited Secure Function Evaluation: Definitions and Constructions

Rate-Limited Secure Function Evaluation: Definitions and Constructions An extended abstract of this paper is published in the proceedings of the 16th International Conference on Practice and Theory in Public-Key Cryptography PKC 2013. This is the full version. Rate-Limited

More information

Lecture 11: Non-Interactive Zero-Knowledge II. 1 Non-Interactive Zero-Knowledge in the Hidden-Bits Model for the Graph Hamiltonian problem

Lecture 11: Non-Interactive Zero-Knowledge II. 1 Non-Interactive Zero-Knowledge in the Hidden-Bits Model for the Graph Hamiltonian problem CS 276 Cryptography Oct 8, 2014 Lecture 11: Non-Interactive Zero-Knowledge II Instructor: Sanjam Garg Scribe: Rafael Dutra 1 Non-Interactive Zero-Knowledge in the Hidden-Bits Model for the Graph Hamiltonian

More information

1 Basic Number Theory

1 Basic Number Theory ECS 228 (Franklin), Winter 2013, Crypto Review 1 Basic Number Theory This section has some basic facts about number theory, mostly taken (or adapted) from Dan Boneh s number theory fact sheets for his

More information

Lecture 22: RSA Encryption. RSA Encryption

Lecture 22: RSA Encryption. RSA Encryption Lecture 22: Recall: RSA Assumption We pick two primes uniformly and independently at random p, q $ P n We define N = p q We shall work over the group (Z N, ), where Z N is the set of all natural numbers

More information

Lecture 15 - Zero Knowledge Proofs

Lecture 15 - Zero Knowledge Proofs Lecture 15 - Zero Knowledge Proofs Boaz Barak November 21, 2007 Zero knowledge for 3-coloring. We gave a ZK proof for the language QR of (x, n) such that x QR n. We ll now give a ZK proof (due to Goldreich,

More information

Question 2.1. Show that. is non-negligible. 2. Since. is non-negligible so is μ n +

Question 2.1. Show that. is non-negligible. 2. Since. is non-negligible so is μ n + Homework #2 Question 2.1 Show that 1 p n + μ n is non-negligible 1. μ n + 1 p n > 1 p n 2. Since 1 p n is non-negligible so is μ n + 1 p n Question 2.1 Show that 1 p n - μ n is non-negligible 1. μ n O(

More information

NAVAL POSTGRADUATE SCHOOL THESIS

NAVAL POSTGRADUATE SCHOOL THESIS NAVAL POSTGRADUATE SCHOOL MONTEREY, CALIFORNIA THESIS AN ANALYSIS OF ALGORITHMS FOR SOLVING DISCRETE LOGARITHMS IN FIXED GROUPS by Joseph Mihalcik March 2010 Thesis Advisor: Second Reader: Dennis Volpano

More information

CPSC 467b: Cryptography and Computer Security

CPSC 467b: Cryptography and Computer Security CPSC 467b: Cryptography and Computer Security Michael J. Fischer Lecture 11 February 21, 2013 CPSC 467b, Lecture 11 1/27 Discrete Logarithm Diffie-Hellman Key Exchange ElGamal Key Agreement Primitive Roots

More information

A new security notion for asymmetric encryption Draft #12

A new security notion for asymmetric encryption Draft #12 A new security notion for asymmetric encryption Draft #12 Muhammad Rezal Kamel Ariffin 1,2 1 Al-Kindi Cryptography Research Laboratory, Institute for Mathematical Research, 2 Department of Mathematics,

More information

Public Key Cryptography

Public Key Cryptography Public Key Cryptography Introduction Public Key Cryptography Unlike symmetric key, there is no need for Alice and Bob to share a common secret Alice can convey her public key to Bob in a public communication:

More information

Benny Pinkas Bar Ilan University

Benny Pinkas Bar Ilan University Winter School on Bar-Ilan University, Israel 30/1/2011-1/2/2011 Bar-Ilan University Benny Pinkas Bar Ilan University 1 Extending OT [IKNP] Is fully simulatable Depends on a non-standard security assumption

More information

Computational security & Private key encryption

Computational security & Private key encryption Computational security & Private key encryption Emma Arfelt Stud. BSc. Software Development Frederik Madsen Stud. MSc. Software Development March 2017 Recap Perfect Secrecy Perfect indistinguishability

More information

Efficient Password-based Authenticated Key Exchange without Public Information

Efficient Password-based Authenticated Key Exchange without Public Information An extended abstract of this paper appears in ESORICS 2007, J. Biskup and J. Lopez (Eds.), volume 4734 of LNCS, pp. 299-310, Sringer-Verlag, 2007. Efficient Password-based Authenticated Key Exchange without

More information

Lecture 5, CPA Secure Encryption from PRFs

Lecture 5, CPA Secure Encryption from PRFs CS 4501-6501 Topics in Cryptography 16 Feb 2018 Lecture 5, CPA Secure Encryption from PRFs Lecturer: Mohammad Mahmoody Scribe: J. Fu, D. Anderson, W. Chao, and Y. Yu 1 Review Ralling: CPA Security and

More information

Impossibility Results for Universal Composability in Public-Key Models and with Fixed Inputs

Impossibility Results for Universal Composability in Public-Key Models and with Fixed Inputs Impossibility Results for Universal Composability in Public-Key Models and with Fixed Inputs Dafna Kidron Yehuda Lindell June 6, 2010 Abstract Universal composability and concurrent general composition

More information

Cryptanalysis on An ElGamal-Like Cryptosystem for Encrypting Large Messages

Cryptanalysis on An ElGamal-Like Cryptosystem for Encrypting Large Messages Cryptanalysis on An ElGamal-Like Cryptosystem for Encrypting Large Messages MEI-NA WANG Institute for Information Industry Networks and Multimedia Institute TAIWAN, R.O.C. myrawang@iii.org.tw SUNG-MING

More information

Digital signature schemes

Digital signature schemes Digital signature schemes Martin Stanek Department of Computer Science Comenius University stanek@dcs.fmph.uniba.sk Cryptology 1 (2017/18) Content Introduction digital signature scheme security of digital

More information

From Secure MPC to Efficient Zero-Knowledge

From Secure MPC to Efficient Zero-Knowledge From Secure MPC to Efficient Zero-Knowledge David Wu March, 2017 The Complexity Class NP NP the class of problems that are efficiently verifiable a language L is in NP if there exists a polynomial-time

More information

Secure Vickrey Auctions without Threshold Trust

Secure Vickrey Auctions without Threshold Trust Secure Vickrey Auctions without Threshold Trust Helger Lipmaa Helsinki University of Technology, {helger}@tcs.hut.fi N. Asokan, Valtteri Niemi Nokia Research Center, {n.asokan,valtteri.niemi}@nokia.com

More information

Fully-secure Key Policy ABE on Prime-Order Bilinear Groups

Fully-secure Key Policy ABE on Prime-Order Bilinear Groups Fully-secure Key Policy ABE on Prime-Order Bilinear Groups Luke Kowalczyk, Jiahui Liu, Kailash Meiyappan Abstract We present a Key-Policy ABE scheme that is fully-secure under the Decisional Linear Assumption.

More information

Cryptography CS 555. Topic 18: RSA Implementation and Security. CS555 Topic 18 1

Cryptography CS 555. Topic 18: RSA Implementation and Security. CS555 Topic 18 1 Cryptography CS 555 Topic 18: RSA Implementation and Security Topic 18 1 Outline and Readings Outline RSA implementation issues Factoring large numbers Knowing (e,d) enables factoring Prime testing Readings:

More information

All-Or-Nothing Transforms Using Quasigroups

All-Or-Nothing Transforms Using Quasigroups All-Or-Nothing Transforms Using Quasigroups Stelios I Marnas, Lefteris Angelis, and George L Bleris Department of Informatics, Aristotle University 54124 Thessaloniki, Greece Email: {marnas,lef,bleris}@csdauthgr

More information