Privately Outsourcing Exponentiation to a Single Server: Cryptanalysis and Optimal Constructions

  • Céline Chevalier
  • Fabien Laguillaumie
  • Damien Vergnaud (corresponding author)
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 9878)


We address the problem of speeding up group computations in cryptography using a single untrusted computational resource. We analyze the security of an efficient protocol for securely outsourcing multi-exponentiations proposed at ESORICS 2014. We show that this scheme does not achieve the claimed security guarantees, and we present practical polynomial-time attacks on the delegation protocol which allow the untrusted helper to recover part (or all) of the device's secret inputs. We then provide simple constructions for outsourcing group exponentiations in different settings (e.g. public/secret and fixed/variable bases, public/secret exponents). Finally, we prove that our attacks on the ESORICS 2014 protocol are unavoidable if one wants to use a single untrusted computational resource and to limit the computational cost of the limited device to a constant number of (generic) group operations. In particular, we show that our constructions are actually optimal in terms of operations in the underlying group.
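To make the setting concrete, the following Python sketch is an added example, not code from the paper and not one of the paper's constructions: a limited device delegates g^a (public, fixed base g; secret exponent a) to a single untrusted server, spending only one online group multiplication itself by blinding a with a precomputed pair (r, g^r). The group parameters (toy safe prime p = 2q + 1 with q = 1019, and g = 4 generating the order-q subgroup), the class names and the helper `consistent_pad` are assumptions made for this example.

```python
"""Single-server delegation of g**a with a secret exponent (added toy example).

Setting: a limited device knows a public base g and a secret exponent a and
wants g**a mod p, but can only afford a constant number of online group
operations; a single untrusted server does the real exponentiation.
"""
import secrets

# Assumed toy parameters: p = 2q + 1 is a safe prime and g = 4 generates the
# order-q subgroup of Z_p^*. A real deployment uses a cryptographic-size group.
P = 2039
Q = 1019
G = 4


class Server:
    """Untrusted helper: computes what it is asked and logs everything it sees."""

    def __init__(self) -> None:
        self.transcript: list[int] = []

    def exp(self, u: int) -> int:
        self.transcript.append(u)
        return pow(G, u, P)


class Device:
    """Limited device holding a table of precomputed pairs (r, g**r)."""

    def __init__(self, table_size: int = 8) -> None:
        # Offline phase: input-independent exponentiations, done once when idle.
        self.table = [(r, pow(G, r, P))
                      for r in (secrets.randbelow(Q) for _ in range(table_size))]

    def delegate(self, a: int, server: Server) -> tuple[int, int]:
        """Return (u, g**a mod p) using one server call and one local multiplication."""
        if not self.table:
            raise RuntimeError("precomputed pairs exhausted; refill offline")
        r, g_r = self.table.pop()            # each pair is used exactly once
        u = (a - r) % Q                      # blinded exponent, sent in the clear
        y = server.exp(u)                    # server does the heavy lifting: g**u
        return u, (y * g_r) % P              # g**u * g**r == g**a: one multiplication


def consistent_pad(u: int, a_prime: int) -> int:
    """Pad r' under which the observed u would have come from secret a'.

    Because r is uniform in Z_q, every a' has exactly one such r', so the
    transcript u carries no information about a (a one-time pad in Z_q).
    """
    return (a_prime - u) % Q


if __name__ == "__main__":
    server, device = Server(), Device()
    a = secrets.randbelow(Q)
    u, result = device.delegate(a, server)
    assert result == pow(G, a, P)
    assert all(pow(G, u + consistent_pad(u, b), P) == pow(G, b, P) for b in range(Q))
    print("delegated result correct; transcript", server.transcript,
          "is consistent with every possible secret exponent")
```

Two caveats a practitioner should keep in mind. The privacy argument rests entirely on r being uniform in Z_q and on each pair being used once; a pad drawn from a smaller range, or a pair reused across queries, breaks the one-time-pad property. And nothing here verifies the server's answer: a malicious server can return a wrong y and the device, with only this transcript, cannot tell. The example illustrates the privacy half of the problem the abstract discusses, with the device's online cost held at one group operation and the real cost moved to the input-independent offline table.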



The authors are supported in part by the French ANR JCJC ROMAnTIC project (ANR-12-JS02-0004), the French ANR EnBid Project (ANR-14-CE28-0003) and by ERC Starting Grant ERC-2013-StG-335086-LATTAC. The authors thank Guillaume Hanrot and Damien Stehlé for helpful discussions, and Olivier Billet for his comments and for pointing out references.


  1. Ateniese, G., Burns, R.C., Curtmola, R., Herring, J., Kissner, L., Peterson, Z.N.J., Song, D.X.: Provable data possession at untrusted stores. In: Ning et al. [22], pp. 598–609
  2. Avanzi, R.M.: The complexity of certain multi-exponentiation techniques in cryptography. J. Cryptology 18(4), 357–373 (2005)
  3. Babai, L.: On Lovász' lattice reduction and the nearest lattice point problem. Combinatorica 6(1), 1–13 (1986)
  4. Boneh, D., Lynn, B., Shacham, H.: Short signatures from the Weil pairing. J. Cryptology 17(4), 297–319 (2004)
  5. Boyko, V., Peinado, M., Venkatesan, R.: Speeding up discrete log and factoring based schemes via precomputations. In: Nyberg, K. (ed.) EUROCRYPT 1998. LNCS, vol. 1403, pp. 221–235. Springer, Heidelberg (1998)
  6. Canard, S., Devigne, J., Sanders, O.: Delegating a pairing can be both secure and efficient. In: Boureanu, I., Owesarski, P., Vaudenay, S. (eds.) ACNS 2014. LNCS, vol. 8479, pp. 549–565. Springer, Heidelberg (2014)
  7. Cavallo, B., Di Crescenzo, G., Kahrobaei, D., Shpilrain, V.: Efficient and secure delegation of group exponentiation to a single server. In: Mangard, S., Schaumont, P. (eds.) Radio Frequency Identification. LNCS, vol. 9440, pp. 156–173. Springer, Heidelberg (2015)
  8. Chen, X., Li, J., Ma, J., Tang, Q., Lou, W.: New algorithms for secure outsourcing of modular exponentiations. In: Foresti, S., Yung, M., Martinelli, F. (eds.) ESORICS 2012. LNCS, vol. 7459, pp. 541–556. Springer, Heidelberg (2012)
  9. Chevalier, C., Laguillaumie, F., Vergnaud, D.: Privately outsourcing exponentiation to a single server: cryptanalysis and optimal constructions. Cryptology ePrint Archive, Report 2016/309 (2016)
  10. Chevallier-Mames, B., Coron, J.-S., McCullagh, N., Naccache, D., Scott, M.: Secure delegation of elliptic-curve pairing. In: Gollmann, D., Lanet, J.-L., Iguchi-Cartigny, J. (eds.) CARDIS 2010. LNCS, vol. 6035, pp. 24–35. Springer, Heidelberg (2010)
  11. Coppersmith, D.: Finding a small root of a univariate modular equation. In: Maurer, U.M. (ed.) EUROCRYPT 1996. LNCS, vol. 1070, pp. 155–165. Springer, Heidelberg (1996)
  12. Dent, A.W.: Adapting the weaknesses of the random oracle model to the generic group model. In: Zheng, Y. (ed.) ASIACRYPT 2002. LNCS, vol. 2501, pp. 100–109. Springer, Heidelberg (2002)
  13. Gallant, R.P., Lambert, R.J., Vanstone, S.A.: Faster point multiplication on elliptic curves with efficient endomorphisms. In: Kilian, J. (ed.) CRYPTO 2001. LNCS, vol. 2139, pp. 190–200. Springer, Heidelberg (2001)
  14. Hohenberger, S., Lysyanskaya, A.: How to securely outsource cryptographic computations. In: Kilian, J. (ed.) TCC 2005. LNCS, vol. 3378, pp. 264–282. Springer, Heidelberg (2005)
  15. Howgrave-Graham, N.: Finding small roots of univariate modular equations revisited. In: Darnell, M. (ed.) Cryptography and Coding. LNCS, vol. 1355, pp. 131–142. Springer, Heidelberg (1997)
  16. Juels, A., Kaliski Jr., B.S.: PORs: proofs of retrievability for large files. In: Ning et al. [22], pp. 584–597
  17. Jutla, C.S.: On finding small solutions of modular multivariate polynomial equations. In: Nyberg, K. (ed.) EUROCRYPT 1998. LNCS, vol. 1403, pp. 158–170. Springer, Heidelberg (1998)
  18. Kiraz, M.S., Uzunkol, O.: Efficient and verifiable algorithms for secure outsourcing of cryptographic computations. Int. J. Inf. Secur., 1–19 (2015, to appear). doi:10.1007/s10207-015-0308-7
  19. Lenstra, A.K., Lenstra Jr., H.W., Lovász, L.: Factoring polynomials with rational coefficients. Math. Ann. 261, 515–534 (1982)
  20. Nguyen, P., Shparlinski, I., Stern, J.: Distribution of modular sums and the security of server aided exponentiation. Workshop Comp. Number Theor. Crypt. 20, 1–16 (1999)
  21. Nguyen, P.Q., Stehlé, D.: Floating-point LLL revisited. In: Cramer, R. (ed.) EUROCRYPT 2005. LNCS, vol. 3494, pp. 215–233. Springer, Heidelberg (2005)
  22. Ning, P., De Capitani di Vimercati, S., Syverson, P.F. (eds.): Proceedings of the 2007 ACM Conference on Computer and Communications Security, CCS 2007, Alexandria, Virginia, USA, October 28–31, 2007. ACM (2007)
  23. Shacham, H., Waters, B.: Compact proofs of retrievability. In: Pieprzyk, J. (ed.) ASIACRYPT 2008. LNCS, vol. 5350, pp. 90–107. Springer, Heidelberg (2008)
  24. Shoup, V.: Lower bounds for discrete logarithms and related problems. In: Fumy, W. (ed.) EUROCRYPT 1997. LNCS, vol. 1233, pp. 256–266. Springer, Heidelberg (1997)
  25. Smith, B.: Easy scalar decompositions for efficient scalar multiplication on elliptic curves and genus 2 Jacobians. Contemp. Math. Ser. 637, 15 (2015)
  26. Straus, E.G.: Problems and solutions: addition chains of vectors. Am. Math. Mon. 71, 806–808 (1964)
  27. Wang, Y., Wu, Q., Wong, D.S., Qin, B., Chow, S.S.M., Liu, Z., Tan, X.: Securely outsourcing exponentiations with single untrusted program for cloud storage. In: Kutyłowski, M., Vaidya, J. (eds.) ESORICS 2014, Part I. LNCS, vol. 8712, pp. 326–343. Springer, Heidelberg (2014)

Copyright information

© Springer International Publishing Switzerland 2016

Authors and Affiliations

  • Céline Chevalier (1)
  • Fabien Laguillaumie (2)
  • Damien Vergnaud (3), corresponding author
  1. CRED (U. Panthéon–Assas Paris II), Paris, France
  2. LIP (UCBL, U. Lyon, CNRS, ENS Lyon, INRIA), Lyon, France
  3. DI/ENS (ENS, CNRS, INRIA, PSL), Paris, France