Privately Outsourcing Exponentiation to a Single Server: Cryptanalysis and Optimal Constructions

Abstract

We address the problem of speeding up group computations in cryptography using a single untrusted computational resource. We analyze the security of two efficient protocols for securely outsourcing (multi-)exponentiations. We show that the schemes do not achieve the claimed security guarantees and we present practical polynomial-time attacks on the delegation protocols which allow the untrusted helper to recover part (or the whole) of the device’s secret inputs. We then provide simple constructions for outsourcing group exponentiations in different settings (e.g. public/secret, fixed/variable bases and public/secret exponents). Finally, we prove that our attacks are unavoidable if one wants to use a single untrusted computational resource and to limit the computational cost of the limited device to a constant number of (generic) group operations. In particular, we show that our constructions are actually optimal in terms of operations in the underlying group.

Appendices

Appendix A: Practical Example of the Attack on Wang et al.’s Algorithm

In this section, we provide a concrete example of the attack described in Sect. 4.

For p a 256-bit prime, recovering roots which have less than 110 bits implies the reduction of lattice of a dimension 3 with entries of largest bit-size around 360. Indeed, as mentioned in Sect. 4, we construct the matrix

$$\begin{aligned} M=\left( \begin{array}{lll} p &{} \quad 0 &{}\quad 0 \\ 0 &{}\quad pY &{}\quad 0 \\ c &{}\quad bY &{}\quad X \end{array}\right) \end{aligned}$$

whose rows are formed by the coefficients of the polynomials p, pyY and P(xX, yY) in the basis (1, X, Y).

Let us consider a 256-bit prime

$$\begin{aligned} p = \begin{array}[t]{cccc} \mathtt {10A98A92} &{} \mathtt {2EC19799} &{} \mathtt {E81125D6} &{} \mathtt {D3B0C1EB} \\ \mathtt {0D6FE6D8} &{} \mathtt {67D32C56} &{} \mathtt {492FC5521} &{} \mathtt {D1398C33}. \end{array} \end{aligned}$$

The bound X and Y are set as

$$\begin{aligned} X=Y= \begin{array}[t]{cccc} \mathtt {42E0EA80}&\mathtt {D850A1EF}&\mathtt {BDAFD0E7}&\mathtt {6115D4.} \end{array} \end{aligned}$$

The Coppersmith matrix M constructed as previously mentioned and the corresponding LLL-reduced matrix \(M_{\textsf {red} }\) are given in Fig. 7.

Fig. 7

Example of an attack against [44]

The two first vectors allow to recover

$$\begin{aligned} \left\{ \begin{array}[t]{cccc}x_0= \mathtt {37921F2A} &{} \mathtt {890AA857} &{} \mathtt {DAC77BBF} &{} \mathtt {803B5D} \\ y_0= \mathtt {2379CD0E} &{} \mathtt {21A56BC1} &{} \mathtt {33CAA48C} &{} \mathtt {43B4B2.} \end{array} \right. \end{aligned}$$

in less than 0.1 second on a standard laptop, using Sage math software [37] and fplll [1] . These vectors are of norms of size respectively 245 and 256 bits.

Remark 9

Note that an alternative attack can also be adapted from Yie’s paper [45], which aimed at recovering an ElGamal signature secret key when two signatures with small message nonces are available. Indeed, during the verification of an ElGamal signature, an equation of the form \(h(m) = xr+ks \mod q\) is verified, where x (the secret key) and k (the nonce) are unknown, and r and s are part of the signature of the message m. Two such equations make it possible to get rid of x, and we are back to an equation like Eq. 5. Yie adapted the algorithm of Gallant, Lambert and Vanstone \(\mathrm {GLV\text {-}Dec}\). This algorithm uses the extended Euclidean algorithm and has a complexity of \(O(\log _2(q)^3)\).

Appendix B: Outsourcing Exponentiations in Groups with Efficient Inverses

Let \(\textsf {GroupGen}\) be a group generator which takes as input a security parameter \(\lambda\). It provides a set params which contains a description of a (multiplicative) group \((\mathbb {G},\cdot )\), the group order, say \(p = \vert \mathbb {G}\vert\), and one generator g. In this Appendix, we consider a variant of the generic group model in \(\mathbb {G}\) where the computation of group inverse is easy. This generic group is still implemented by choosing a random encoding \(\sigma : \mathbb {G}\longrightarrow \{0,1\}^m\) (with \(2^m > p\)). As above, a generic algorithm \(\mathcal {A}\) takes as input (in addition to the group order p) their image under \(\sigma\). This way, all \(\mathcal {A}\) can test is group elements equality (by encoding equality). \(\mathcal {A}\) is also given access to an oracle \(\mathcal {G}\) computing group multiplication: taking \(\sigma (g_1)\) and \(\sigma (g_2)\) encodings of two group elements \(g_1,g_2 \in \mathbb {G}\) and a sign in \(s \in \{-1,+1\}\) as inputs and returning \(\sigma (g_1 \cdot g_2^{s})\) the encoding of the product \(g_1 \cdot g_2^{s} \in G\) (i.e., \(g_1 \cdot g_2\) or \(g_1/g_2\)) . We assume again that \(\mathcal {A}\) submits to the oracle only encodings of elements it had previously received. In this enhanced generic group model, we have the following lemma analogous to Lemma 1:

Lemma 4

Considering this enhanced generic group model, let \(\textsf {GroupGen}\) be a group generator, let \(\mathbb {G}\) be a group of prime order p output by \(\textsf {GroupGen}\) and let \(\mathcal {A}\) be a generic algorithm in \(\mathbb {G}\). If \(\mathcal {A}\) is given as inputs encodings \(\sigma (g_1)\),... ,\(\sigma (g_n)\) of group elements \(g_1,\dots ,g_n \in \mathbb {G}\) (for \(n \in \mathbb {N}\)) and outputs the encoding \(\sigma (h)\) of a group element \(h \in \mathbb {G}\) in time \(\tau\), then there exists integers \(\alpha _1,\dots ,\alpha _n \in \mathbb {Z}\) such that \(h = g_1^{\alpha _1} \dots g_n^{\alpha _n}\) and \(\max (|\alpha _1|,\dots ,|\alpha _n|) \le 2^{\tau }\).

Proof

We can—as in the proof of Lemma 1—define a map \(\pi : \{0,1\}^m \rightarrow \mathbb {Z}^n\) which associates to each encoding obtained by \(\mathcal {A}\) during its execution an n-dimensional vector in \(\mathbb {Z}^n\). For each input encoding \(\sigma (g_i)\), \(\pi (\sigma (g_i))\) is defined as the i-th vector from the \(\mathbb {Z}^n\) canonical basis (for \(i \in \{1,\dots ,n\}\)) and for each encoding \(\sigma (h_1)\) and \(\sigma (h_2)\) and each sign \(s \in \{-1,1\}\) queried to \(\mathcal {G}\), \(\pi (\sigma (h_1 \cdot h_2)^{s}) = \pi (\sigma (h_1)) + s \cdot \pi (\sigma (h_2)\). By construction, during the whole execution of \(\mathcal {A}\), we have \(\pi (\sigma (h)) = (\alpha _1,\dots ,\alpha _n)\) if and only if \(h = g_1^{\alpha _1} \dots g_n^{\alpha _n}\) for all encodings \(\sigma (h)\). As in the proof of Lemma 1, the \(\ell _\infty\)-norm of \(\pi (\sigma (h_1 \cdot h_2^s))\) is upper-bounded by \(\ell _\infty (\pi (\sigma (h_1))) + \ell _\infty (\pi (\sigma (h_2))\) Since the \(\ell _\infty\)-norm of the input encodings \(\pi (\sigma (g_i))\) is equal to 1 (for \(i \in \{1,\dots ,n\}\)) and the \(\ell _\infty\)-norm of encodings at most doubles for each query to \(\mathcal {G}\), we obtained the claimed result. \(\square\)

In this setting, we can consider a variant of Algorithm 1 that computes the multi-exponentiation \(\prod _{i=1}^t g_i^{x_i}\), for \(g_1,\dots ,g_t \in \mathbb {G}\) and \(x_1,\dots ,x_t \in \mathbb {N}\) by interleaving signed expansions of exponents. In particular, we can use the w-ary non-adjacent form method which guarantees that on average there will be fewer group multiplications for the same window size w (see [3, 34] for details). In this case, the precomputation stage generates \(\prod _{1 \le i \le t} g_i^{E_i}\) (and the algorithm can use the values \(\prod _{1 \le i \le t} g_i^{-E_i}\)) for all non-zero t-tuples \((E_1,\dots ,E_t) \in \{0, \dots , 2^w - 1\}^t\) at no extra storage-cost). The total cost is thus for the precomputation phase \(t2^{tw-2} - t\) multiplications and t squarings and overall less than \(\ell /(w+1/t) \le \ell /w\) multiplications on average and \(\ell\) squarings. For \(t=2\), the cost is again minimal for w around \(1/2 \log \ell - \log \log \ell\) with \(\ell (1+3/\log \ell ) = \ell (1+o(1))\) multiplications overall. Therefore, the method does not improve the asymptotic complexity (at least when the precomputation stage and the storage are not strongly limited). We can replace the use of Algorithm 1 by this variant but this does not improve the asymptotic complexity of the delegation protocols in the number of generic group operations (even with efficient inverses).

Actually, this fact is not surprising, since we can replace the use of Lemma 1 in the proof of our lower bound complexities (Theorems 2–7) by the use of Lemma 4 to obtain the same lower bounds for delegation protocols in the enhanced generic group model with inverses.