An Efficient Small Modulus Test and Its Applications to Delegated Computation Without Preprocessing

Abstract

Delegation of operations used in cryptographic schemes from a computationally weaker client to a computationally stronger server has been advocated to expand the applicability of cryptosystems to computing with resource-constrained devices. Classical results for the verification of integer and polynomial products are based on a test due to Pippenger, Yao and Kaminski which verifies these operations modulo a small prime. In this paper we describe and prove an efficient small integer modulus test and show its application to single-server delegated computation of operations of interest in cryptosystems. In particular, we show single-server delegated computation protocols, without any preprocessing, for the following operations:

1. 1.

   modular multiplication of two public group values,

2. 2.

   modular inverse of a public group value,

3. 3.

   modular inverse of a private group value, and

4. 4.

   exponentiation of a public base to a small public exponent in the RSA group.

Our protocols satisfy result correctness, input privacy (unless the input is public), result security and client efficiency. Previous work satisfied only a subset of these properties, or required preprocessing, or satisfied lower client efficiency.

Appendices

A Formal Definitions

In this section we recall the formal definition (based on [12, 14]), of delegation protocols and their correctness, privacy, security, and efficiency requirements.

Basic Notations. The expression \(z\leftarrow T\) denotes randomly and independently choosing z from set T. By \(y\leftarrow A(x_1,x_2,\ldots )\) we denote running the algorithm A on input \(x_1,x_2,\ldots \) and any random coins, and returning y as output. By \((y,tr)\leftarrow (A(u_1,u_2,\ldots ),B(v_1,v_2,\ldots ))\) we denote running the interactive protocol between A, with input \(u_1,u_2,\ldots \) and any random coins, and B, with input \(v_1,v_2,\ldots \) and any random coins, where tr denotes A’s and B’s messages in this execution, and y is A’s final output.

System Scenario: Entities and Protocol. We consider a system with a single client, denoted by C, and a single server, denoted by S, who are connected by an authenticated channel, and therefore do not consider any integrity or replay attacks on this channel. Differently than much of previous work in the area, we consider a delegation protocol without offline phase or preprocessing client computations, typically storing extra values in client’s memory, and only consider client computations in what is also called online phase in the literature, where C has time constraints.

Let \(\sigma \) denote the computational security parameter (derived from hardness considerations of the underlying computational problem), and let \(\lambda \) denote the statistical security parameter (defined so that statistical test failure events with probability \(2^{-\lambda }\) are extremely rare). Both parameters are expressed in unary notation (i.e., \(1^\sigma ,1^{\lambda }\)). We think of \(\sigma \) as being asymptotically much larger than \(\lambda \). Let F denote a function and desc(F) denote F’s description. Assuming \(1^\sigma ,1^{\lambda },desc(F)\) are known to both C and S, we define a client-server protocol for the delegated (n-instance) computation of F as the execution: \(\{(y,tr)\leftarrow (C(x),S)\}\), where both parties are assume to be aware of inputs \((1^\sigma ,1^\lambda ,desc(F))\), which we will ofter omit for brevity, and tr is the transcript of the communication exchanged between C and S.

Correctness Requirement. Informally, the correctness requirement states that if both parties follow the protocol, C obtains some output at the end of the protocol, and this output is, with high probability, equal to the value obtained by evaluating function F on C’s input. Formally, we say that a no-preprocessing client-server protocol (C, S) for the delegated computation of F satisfies \(\delta _c\)-correctness if for any x in Dom(F),

$$\textrm{Prob}\left[ \, out\leftarrow \textrm{CorrExp}_\mathrm{{F}} \,:\,out=1 \,\right] \ge \delta _c,$$

for some \(\delta _c\) close to 1, where experiment \(\textrm{CorrExp}\) is:

1. 1.

   \((y,tr)\leftarrow (C(x),S)\)

2. 2.

   if \(y=F(x)\), then return: 1 else return: 0

Privacy Requirement. Informally, the privacy requirement should guarantee the following: if C follows the protocol, a malicious adversary corrupting S cannot obtain any information about C’s input x from a protocol execution. This is formalized by extending the indistinguishability-based approach typically used in definitions for encryption schemes. Let (C, S) be a no-preprocessing client-server protocol for the delegated computation of F. We say that (C, S) satisfies \(\epsilon _p\)-privacy (in the sense of indistinguishability) against a malicious adversary if for any algorithm A, it holds that

$$\textrm{Prob}\left[ \, out\leftarrow \textrm{PrivExp}_\textrm{F,A} \,:\,out=1 \,\right] \le 1/2+\epsilon _p,$$

for some \(\epsilon _p\) close to 0, where experiment \(\textrm{PrivExp}\) is:

1. 1.

   \((x_{0},x_1,aux)\leftarrow A(desc(F))\)

2. 2.

   \(b\leftarrow \{0,1\}\)

3. 3.

   \((y,tr)\leftarrow (C(x_{b}),A(aux))\)

4. 4.

   \(d\leftarrow A(tr,aux)\)

5. 5.

   if \(b=d\) then return: 1 else return: 0.

Security Requirement. Informally, the security requirement states that for any efficient and malicious adversary corrupting S and even choosing C’s input tuple x, at the end of the protocol, C cannot be convinced to obtain some output tuple z containing a value \(z\ne F(x)\) Formally, we say that the client-server protocol (C, S) for the delegated n-instance computation of F satisfies \(\epsilon _s\)-security against a malicious adversary if for any algorithm A,

$$\textrm{Prob}\left[ \, out\leftarrow \textrm{SecExp}_\textrm{F,A} \,:\,out=1 \,\right] \le \epsilon _s,$$

for some \(\epsilon _s\) close to 0, where experiment \(\textrm{SecExp}\) is:

1. 1.

   \((\vec x,aux)\leftarrow A(desc(F))\)

2. 2.

   \((\vec z,tr)\leftarrow (C(x),A(aux))\)

3. 3.

   if \(z \in \{\perp ,F(x)\}\) then return: 0 else return: 1.

We consider different input scenarios, where the input x may be private or public. The above definition considered the “x private” input scenario. The definition for the “x public” input scenario is obtained by the following slight modifications: (1) S is also given x as input; (2) no input privacy is required.

B Properties of \(\mathcal{P}^{mul}\)

The correctness property follows by observing that if C and S follow the protocol, then S computes \(w_0,w_1\) as \(w=a\cdot b=w_0\cdot m+w_1\) and the equation \(a\cdot b=w_0\cdot m+w_1\) is satisfied over \(\mathbb {Z}\) and is therefore satisfied also modulo the small prime s. This prevents C to return \(\perp \), and allows C to return the correct output value \(w_1=w\mod m = a\cdot b \mod m\).

To prove the security property against any malicious S we need to compute an upper bound \(\epsilon _s\) on the security probability that an adversary corrupting S convinces C to output a y such that \(y\ne a\cdot b\mod m\).

We continue the proof of the unbounded security property by defining the following events:

• \(e_{y,\ne }\), defined as “C outputs y such that \(y\ne a\cdot b\mod m\)”

• \(e_{t}\), defined as “S’s message contains \(w_0,w_1\) such that \(a\cdot b\ne w_0\cdot m+w_1\mod m\)”.

We now compute an upper bound on the probability of event \(e_{y,\ne }\), conditioned on event \(e_{t}\). We observe that, when event \(e_t\) is true, it holds that \(a\cdot b\mod m\ne w_1\). In this scenario, for event \(e_{y,\ne }\) to happen, it needs to hold that

$$(a\mod s)(b\mod s)=(w_0\mod s)(m\mod s)+w_1\mod s.$$

This happens when

$$(a\cdot b-w_0\cdot m-w_1)=0\mod s.$$

By setting \(x=a\cdot b-w_0\cdot m-w_1\), and applying Lemma 1 for this value of x, we obtain that the probability that \(x=0\mod s\) is at most \(2^{-\lambda }\), which implies the following

Fact 3

\(\textrm{Prob}\left[ \, e_{y,\ne }\,|\,e_{t} \,\right] \le 2^{-\lambda }\)

We then observe that when event \(e_t\) is false, then the message from S follows the protocol and therefore \(e_{y,\ne }\) is also false. This implies the following

Fact 4

\(\textrm{Prob}\left[ \, e_{y,\ne }\,|\,\lnot e_{t} \,\right] =0\)

We can now compute an upper bound on the probability of event \(e_{y,\ne }\). We have that \(\textrm{Prob}\left[ \, e_{y,\ne } \,\right] \) is

$$\begin{aligned} {} & {} = \textrm{Prob}\left[ \, e_{t} \,\right] \textrm{Prob}\left[ \, e_{y,\ne }|e_{t} \,\right] + \textrm{Prob}\left[ \, \lnot \,e_{t} \,\right] \textrm{Prob}\left[ \, e_{y,\ne }|\lnot \,e_{t} \,\right] \\ {} & {} \le \textrm{Prob}\left[ \, e_{y,\ne }|\lnot \,e_{t} \,\right] + \textrm{Prob}\left[ \, e_{y,\ne }|\lnot \,e_{t} \,\right] \\ {} & {} \le \textrm{Prob}\left[ \, e_{y,\ne }|\lnot \,e_{t} \,\right] \, \le \, 2^{-\lambda }, \end{aligned}$$

where the first equality and the first inequality follow from basic probability facts; the second inequality follows by applying Fact 4, and the last inequality follows by applying Fact 3.

C Properties of \(\mathcal{P}^{inv}_1\)

The result correctness property follows directly by observing that if C and S follow the protocol, the same property of \({\mathcal P}^{mul}\) implies that

$$z=a\cdot b\mod m = x\cdot w\mod m = x\cdot (x^{-1})\mod m=1,$$

after which C returns \(y=w=x^{-1}\mod m\).

To prove the result security property against any malicious S we need to compute an upper bound \(\epsilon _s\) on the security probability that an adversary corrupting S convinces C to output a y such that \(y\ne x^{-1}\mod m\). Assume this adversary sends \(w'\) to C and runs \({\mathcal P}^{mul}\) with C, resulting in C obtaining \(z'\). Now, because C checks whether \(z'\ne 1\), the only possible cheating strategy for the adversary is that of convincing C to accept that \(z'=1\) and \(z'\) is the product of x and \(w'\), even when \(w'\) is not the inverse of x. By the result security property of \({\mathcal P}^{mul}\), this can only happen with probability at most \(2^{-\lambda }\).

D Properties of \(\mathcal{P}^{inv}_2\)

The result correctness property follows directly by observing that if C and S follow the protocol, the same property of \({\mathcal P}^{mul}\) implies that

$$v=z\cdot w\mod m = (x\cdot r) \cdot z^{-1}\mod m = (x\cdot r) \cdot (x\cdot r)^{-1}\mod m=1,$$

after which C returns \(y=r\cdot w=r\cdot (x\cdot r)^{-1}=r\cdot r^{-1}\cdot x^{-1}=x^{-1}\mod m\).

The input privacy follows by observing that C only sends a random group value to S.

To prove the result security property against any malicious S we need to compute an upper bound \(\epsilon _s\) on the security probability that an adversary corrupting S convinces C to output a y such that \(y\ne x^{-1}\mod m\). Assume this adversary, after receiving z from c, sends \(w'\) to C and runs \({\mathcal P}^{mul}\) with C, resulting in C obtaining \(v'\). Now, because C checks whether \(v'\ne 1\), the only possible cheating strategy for the adversary is that of convincing C to accept that \(v'=1\) and \(v'\) is the product of z and \(w'\), even when \(w'\) is not the inverse of z. By the result security property of \({\mathcal P}^{mul}\), this can only happen with probability \(\le 2^{-\lambda }\).

E Protocol \(\mathcal{P}^{exp}\)

To formally define protocol \(\mathcal{P}^{exp}=(C,S)\) for the delegated computation of \(x^e\mod m\), we use definitions and algorithms from protocol \({\mathcal P}^{mul}\) as well as an optimized version of it, as mentioned in Sect. 5 and further discussed below.

First, by \({\mathcal P}^{mul}=(S_{m},C_{m})\) we denote a protocol for the delegation of function \(F_{mul}\) with statistical parameter \(\lambda _m\), for public inputs a and b, such as the protocol in Sect. 3. In particular, the notation \((q,r)\leftarrow S_{m}(a,b)\) refers to an execution of the \({\mathcal P}^{mul}\) server’s algorithm with inputs a, b, returning message (q, r) for C, such that \(a\cdot b=q\cdot m+r\), where \(0\le r<m\). Similarly, the notation \(d\leftarrow C_{m}(a,b,q,r)\) refers to an execution of the \({\mathcal P}^{mul}\) client’s algorithm with inputs a, b, and server’s message (q, r), and returning decision bit d where \(d=1/0\) depending on whether \(C_{m}\) accepts/does not accept the statement \(r=a\cdot b\mod n\).

While algorithm S will run \(S^m\), algorithm C will run an optimized version of \(C^m\), which reuses the same modulus s, and the same values \(m'=m\mod s\) and \(x'=x\mod s\), whenever possible across the multiple uses of multiplication delegation within exponentiation delegation, as we now define. Given a randomly chosen \(\eta \)-bit integer s, and values \(m'=m\mod s\) and \(x'=x\mod s\), we define the notation \(d\leftarrow C'_{m}(a,b,q,r,s,m',x')\) to refer to a variant of algorithm \(C_m\), where the computation of s and \(m'\) are replaced by the use of its arguments \(s,m'\), and the use of x as a product factor in correspondence of a bit of exponent e being \(=1\) is replaced by the use of its argument \(x'\). Here, by using \(C'_m\), the client only computes the values \(s,m',x'\) once, while by using \(C_m\), it would have recomputed each of these values either \(\log e\) or about \((\log e)/2\) times.

We now formally describe protocol \({\mathcal P}^{exp}\) to delegate small-exponent exponentiation function \(F_{exp,c}\), which maps \(x\in \mathbb {Z}_m^*\) to \(x^e\mod m\). in a group \(\mathbb {Z}^*_m\), where x and e are public, and e has c bits.

Online Input to C and S: \(1^\sigma ,1^\lambda ,1^c\), \(m\in \{0,1\}^\sigma \), \(x\in \mathbb {Z}_m^*\), \(e\in \{0,1\}^c\)

Online Phase of \({\mathcal P}^{exp}\):

1. 1.

   S sets \(z=x\), \(y=1\) and \(i=1\)

2. 2.

   While \(e>1\) do

         S computes \((q_{1i},r_{1i})=S_{m}(z,z)\) and sets \(z=r_{i1}\)

      if e is even then

         S sets \(q_{2i}=r_{2i}=0\), \(i=i+1\) and \(e=e/2\)

      if e is odd then

         S computes \((q_{2i},r_{2i})=S_{m}(z,x)\) and sets

         S sets \(z=r_{i2}\), \(i=i+1\) and \(e=(e-1)/2\)

3. 3.

   S sends \(((q_{11},r_{11},q_{21},r_{21}),\ldots ,(q_{1c},r_{1c},q_{2c},r_{2c})\) to C

4. 4.

   C sets \(i=1\) and \(z=x\)

5. 5.

   C randomly chooses an \(\eta \)-bit integer s, where \(\eta =\lceil \lambda +\log _2\sigma \rceil \)

   C computes \(m'=m\mod s\) and \(x'=x\mod s\)

6. 6.

   While \(e>1\) do

      if e is even then

         C computes \(d_{1i}=C_{m}(z,z,q_{1i},r_{1i},s,m',x')\)

         if \(d_{1i}= 0\) then C halts

            else C sets \(z=r_{1i}\), \(i=i+1\) and \(e=e/2\)    if e is odd then

         C computes \(d_{1i}=C_{m}(z,z,q_{1i},r_{1i},s,m',x')\) and sets \(z=r_{1i}\)

         C computes \(d_{2i}=C_{m}(z,x',q_{2i},r_{2i},s,m',x')\) and sets \(z=r_{2i}\)

         if \(d_{1i}= 0\) or \(d_{2i}= 0\) then C halts

            else C sets \(i=i+1\) and \(e=(e-1)/2\)

7. 7.

   C returns: \(y=r_{2i}\) and halts