Designs, Codes and Cryptography

Volume 39, Issue 2, pp. 253–273

Speeding up Exponentiation using an Untrusted Computational Resource

  • Marten Van Dijk
  • Dwaine Clarke
  • Blaise Gassend
  • G. Edward Suh
  • Srinivas Devadas


We present protocols for speeding up fixed-base variable-exponent exponentiation and variable-base fixed-exponent exponentiation using an untrusted computational resource. In the fixed-base protocols, the exponent may be blinded. In the variable-base protocols, the base may be blinded. The protocols are described for exponentiation in a cyclic group. We describe how to extend them to exponentiation modulo an integer where the modulus is the product of primes with single multiplicity. The protocols provide a speedup of \(\frac{3}{2}((\log k)-1)\) over the square-and-multiply algorithm, where k is the bitlength of the exponent.

One application of the protocols is to speed up exponentiation-based verification in discrete log-based signature and credential schemes. The protocols also allow signature verifiers to dynamically choose, for each message, the amount of work they would like to perform to verify the signature. This results in a work-security tradeoff. We introduce a fifth protocol to perform variable-base variable-exponent exponentiation, which also has this feature.

Our model allows the trusted resource to perform computations in its idle time. The protocols facilitate the offloading of work to the offline stage, such that the work the trusted resource performs when it has to do an exponentiation is smaller. Our protocols are unconditionally secure.
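The abstract names the two ingredients of the approach without giving the protocols themselves: blinding (of the base in the variable-base protocols, of the exponent in the fixed-base ones), offline precomputation by the trusted resource, and a tunable amount of verification work against a helper that may answer incorrectly. The following is an added illustration of those ideas and is not the paper's protocols: it uses the textbook multiplicative base blinding x*r with a precomputed r^(-e), additive exponent blinding a + s with a precomputed g^(-s), and known-answer probe queries mixed into the batch as a simple form of work-security tradeoff. The group parameters (P, Q, G), the exponent E, the server functions and all helper names are constructed for the example and are toy-sized; the speedup figure in the abstract is not reproduced here.

```python
import random
from dataclasses import dataclass

# Constructed toy group: p = 2q + 1 with p, q prime; G = 4 is a quadratic residue
# mod p, so it generates the subgroup of prime order q. (Toy sizes, not secure.)
P, Q, G = 1019, 509, 4
E = 65537  # fixed public exponent for the variable-base case (constructed)


def rand_group_element(rng):
    """Uniform non-identity element of the order-Q subgroup."""
    return pow(G, rng.randrange(1, Q), P)


@dataclass
class BlindingPair:
    r: int        # multiplicative blinding factor for the base
    r_inv_e: int  # r^(-E) mod P, computed offline so the online unblinding is one multiply


def offline_blinding_pair(rng):
    r = rand_group_element(rng)
    return BlindingPair(r, pow(r, -E, P))  # negative exponent = modular inverse (Python 3.8+)


def offline_probe(rng):
    """A (t, t^E) pair the client already knows the answer to; used to audit the server."""
    t = rand_group_element(rng)
    return t, pow(t, E, P)


def honest_server(bases):
    return [pow(b, E, P) for b in bases]


def cheating_server(bases):
    """Returns b^E * G for every query: unblinding alone cannot tell this from a correct answer."""
    return [(pow(b, E, P) * G) % P for b in bases]


def outsourced_fixed_exp(x, server, rng, checks=1):
    """x^E mod P via the server; the server only sees x*r, which is uniform in the group."""
    pair = offline_blinding_pair(rng)
    probes = [offline_probe(rng) for _ in range(checks)]
    # Mix the blinded real query with the probes in random order so the server
    # cannot tell which answers will be checked.
    queries = [("real", (x * pair.r) % P)] + [("probe", t) for t, _ in probes]
    rng.shuffle(queries)
    answers = server([b for _, b in queries])
    expected = dict(probes)
    result = None
    for (kind, b), ans in zip(queries, answers):
        if kind == "probe" and ans != expected[b]:
            raise ValueError("untrusted server returned a wrong answer")
        if kind == "real":
            result = (ans * pair.r_inv_e) % P  # strip the blinding: (x r)^E * r^(-E) = x^E
    return result


def outsourced_fixed_base(a, server_g, rng):
    """g^a mod P with the exponent blinded: the server sees a + s mod Q, uniform in Z_Q."""
    s = rng.randrange(Q)
    g_neg_s = pow(G, Q - s, P)   # offline: g^(-s)
    y = server_g((a + s) % Q)    # online: server computes g^(a+s)
    return (y * g_neg_s) % P


def demo_honest(seed=1):
    rng = random.Random(seed)
    x, a = rand_group_element(rng), rng.randrange(Q)
    ok_base = outsourced_fixed_exp(x, honest_server, rng, checks=2) == pow(x, E, P)
    ok_exp = outsourced_fixed_base(a, lambda k: pow(G, k, P), rng) == pow(G, a, P)
    return ok_base and ok_exp


def demo_cheat_detected(seed=1, checks=1):
    rng = random.Random(seed)
    x = rand_group_element(rng)
    try:
        outsourced_fixed_exp(x, cheating_server, rng, checks)
    except ValueError:
        return True
    return False


def demo_unaudited_is_wrong(seed=1):
    """With no probes the cheat goes unnoticed: the client ends up with x^E * G, not x^E."""
    rng = random.Random(seed)
    x = rand_group_element(rng)
    got = outsourced_fixed_exp(x, cheating_server, rng, checks=0)
    return got == (pow(x, E, P) * G) % P


if __name__ == "__main__":
    print(demo_honest(), demo_cheat_detected(), demo_unaudited_is_wrong())
```

The `checks` parameter is where the tradeoff sits: each probe costs one extra offline exponentiation and one extra server query, and a server that corrupts only some answers is caught with probability that grows with the number of probes, while a server that corrupts every answer (as `cheating_server` does) is caught by a single probe. With `checks=0` the blinding still hides the base from the server but gives no integrity at all, which is why blinding and verification are separate concerns.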


Keywords: untrusted computation, exponentiation, signature verification




Copyright information

© Springer Science+Business Media, Inc. 2006

Authors and Affiliations

  • Marten Van Dijk (1)
  • Dwaine Clarke (1)
  • Blaise Gassend (1)
  • G. Edward Suh (1)
  • Srinivas Devadas (1)

  1. MIT Computer Science and Artificial Intelligence Laboratory, Cambridge, USA
