How to Securely Outsource Cryptographic Computations

  • Susan Hohenberger
  • Anna Lysyanskaya
Part of the Lecture Notes in Computer Science book series (LNCS, volume 3378)


We address the problem of using untrusted (potentially malicious) cryptographic helpers. We provide a formal security definition for securely outsourcing computations from a computationally limited device to an untrusted helper. In our model, the adversarial environment writes the software for the helper, but then does not have direct communication with it once the device starts relying on it. In addition to security, we also provide a framework for quantifying the efficiency and checkability of an outsourcing implementation. We present two practical outsource-secure schemes. Specifically, we show how to securely outsource modular exponentiation, which presents the computational bottleneck in most public-key cryptography on computationally limited devices. Without outsourcing, a device would need O(n) modular multiplications to carry out modular exponentiation for n-bit exponents. The load reduces to O(log² n) for any exponentiation-based scheme where the honest device may use two untrusted exponentiation programs; we highlight the Cramer-Shoup cryptosystem [13] and Schnorr signatures [28] as examples. With a relaxed notion of security, we achieve the same load reduction for a new CCA2-secure encryption scheme using only one untrusted Cramer-Shoup encryption program.
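The abstract states what outsourcing must deliver (the device does a constant amount of group arithmetic instead of O(n) multiplications, the helpers learn neither the base nor the exponent, and a wrong answer from a helper is caught) but not a mechanism. The Python below is an added example and is not the paper's Exp algorithm or any code of the authors: it uses a simplified blinding of its own to make the pattern concrete. The base u is blinded with a random pair (α, g^α), the exponent a and the correction exponent −αa are split into additive shares so that each helper sees only one share, and each helper also receives a test query whose answer the device already knows, submitted in random order. A helper that corrupts one of its three answers per batch is therefore caught with probability 1/3 in this construction, and otherwise silently corrupts the result; privacy assumes the two helpers cannot pool their queries (b and c together reveal a). All names (`Helper`, `ask`, `outsourced_exp`, `honest_run`, `cheating_trials`), the 64-bit toy group (chosen for speed, far too small for real use) and the cost accounting are this example's assumptions; Rand pairs (k, g^k) come from pow() and are not charged to the device here, whereas the paper's O(log² n) bound accounts for producing them, which is where the precomputation work it cites ([8], [9], [21]) comes in.

```python
"""Toy blinded-and-checked outsourcing of u^a mod p to two untrusted helpers.
Added illustration, not the paper's algorithm: group setup, Helper and blinding
are this example's own; Rand pairs (k, g^k) come from pow() and are not charged."""
import random

def is_probable_prime(n):
    """Miller-Rabin with 12 fixed bases: deterministic for odd n in (37, 3.3e24)."""
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for base in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        x = pow(base, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True

def safe_prime_group(bits, rng):
    """(p, q, g) with p = 2q + 1 prime and g generating the order-q subgroup."""
    while True:
        q = rng.getrandbits(bits - 1) | (1 << (bits - 2)) | 1
        if is_probable_prime(q) and is_probable_prime(2 * q + 1):
            p = 2 * q + 1
            return p, q, pow(rng.randrange(2, p - 1), 2, p)   # h^2 with h != +-1

def square_and_multiply(u, a, p):
    """Local u^a mod p: about 1.5 n modular multiplications for an n-bit a."""
    result, mults = 1, 0
    for bit in bin(a)[2:]:
        result, mults = result * result % p, mults + 1
        if bit == "1":
            result, mults = result * u % p, mults + 1
    return result, mults

class Helper:
    """Untrusted exponentiation program; a cheater corrupts the first answer of each batch."""
    def __init__(self, p, cheat=False):
        self.p, self.cheat, self.seen = p, cheat, []
    def run(self, queries):
        self.seen.extend(queries)                # everything this helper learns
        answers = [pow(y, x, self.p) for x, y in queries]   # query (x, y) -> y^x mod p
        if self.cheat:
            answers[0] = answers[0] * 2 % self.p
        return answers

def ask(helper, queries, rng):
    """Submit in random order so the helper cannot tell a test from real work."""
    order = rng.sample(range(len(queries)), len(queries))
    got = helper.run([queries[i] for i in order])
    return [got[order.index(i)] for i in range(len(queries))]

def outsourced_exp(u, a, p, q, g, u1, u2, rng):
    """u^a mod p via helpers that see neither u nor a; returns (result, device mults)."""
    def rand():                                  # a fresh Rand pair (k, g^k)
        k = rng.randrange(1, q)
        return k, pow(g, k, p)
    alpha, g_alpha = rand()
    (t1, g_t1), (t2, g_t2) = rand(), rand()      # test queries with known answers
    w = u * g_alpha % p                          # blinded base: u^a = w^a * g^(-alpha a)
    b, e1 = rng.randrange(q), rng.randrange(q)   # random shares handed to U1
    c, e2 = (a - b) % q, (-alpha * a - e1) % q   # complementary shares handed to U2
    r1 = ask(u1, [(b, w), (e1, g), (t1, g)], rng)
    r2 = ask(u2, [(c, w), (e2, g), (t2, g)], rng)
    if r1[2] != g_t1 or r2[2] != g_t2:
        raise ValueError("cheating detected: wrong answer to a test query")
    result = r1[0] * r2[0] % p                   # w^b * w^c = w^a
    result = result * r1[1] % p * r2[1] % p      # times g^e1 * g^e2 = g^(-alpha a)
    return result, 4                             # one blinding and three combining products

def honest_run(seed=2005):
    """Honest helpers: (result matches, local mults, device mults, u or a leaked)."""
    rng = random.Random(seed)
    p, q, g = safe_prime_group(64, rng)
    u, a = pow(g, rng.randrange(1, q), p), rng.randrange(1, q)   # u in the subgroup
    u1, u2 = Helper(p), Helper(p)
    local, local_mults = square_and_multiply(u, a, p)
    out, device_mults = outsourced_exp(u, a, p, q, g, u1, u2, rng)
    leaked = any(x == a or y == u for x, y in u1.seen + u2.seen)
    return out == local, local_mults, device_mults, leaked

def cheating_trials(trials, seed=7):
    """Cheating U1: counts of (detected, undetected wrong result, correct)."""
    rng = random.Random(seed)
    p, q, g = safe_prime_group(64, rng)
    counts = [0, 0, 0]
    for _ in range(trials):
        u, a = pow(g, rng.randrange(1, q), p), rng.randrange(1, q)
        try:
            out, _ = outsourced_exp(u, a, p, q, g, Helper(p, True), Helper(p), rng)
            counts[2 if out == pow(u, a, p) else 1] += 1
        except ValueError:
            counts[0] += 1
    return tuple(counts)
```

`honest_run()` returns a matching result with four device-side group multiplications against roughly 1.5 n for square-and-multiply, and neither helper's transcript contains u or a. `cheating_trials(300)` shows the other half of checkability: every run against the cheating helper is either caught by its test query or ends with a wrong result, never both unnoticed and correct, with the catch rate near 1/3 for this query layout. The point the example makes is only the blinding-plus-test-query pattern; it does not reproduce the paper's cost bound or its precise checkability guarantee.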




  1. Abadi, M., Feigenbaum, J., Kilian, J.: On hiding information from an oracle. Journal of Computer and System Sciences 39(1), 21–50 (1989)
  2. Beaver, D., Feigenbaum, J.: Hiding instances in multioracle queries. In: Proceedings of STACS 1990, pp. 37–48 (1990)
  3. Beaver, D., Feigenbaum, J., Kilian, J., Rogaway, P.: Locally random reductions: Improvements and applications. Journal of Cryptology 10(1), 17–36 (1997)
  4. Ben-Or, M., Goldwasser, S., Kilian, J., Wigderson, A.: Multi-prover interactive proofs: How to remove intractability assumptions. In: Proceedings of STOC 1988, pp. 113–131 (1988)
  5. Blum, M., Kannan, S.: Designing programs that check their work. Journal of the ACM 42(1), 269–291 (1995)
  6. Blum, M., Luby, M., Rubinfeld, R.: Program result checking against adaptive programs and in cryptographic settings. DIMACS Series in Discrete Mathematics and Theoretical Computer Science, pp. 107–118 (1991)
  7. Blum, M., Luby, M., Rubinfeld, R.: Self-testing/correcting with applications to numerical problems. Journal of Computer and System Sciences 47(3), 549–595 (1993)
  8. Boyko, V., Peinado, M., Venkatesan, R.: Speeding up discrete log and factoring based schemes via precomputations. In: Nyberg, K. (ed.) EUROCRYPT 1998. LNCS, vol. 1403, pp. 221–235. Springer, Heidelberg (1998)
  9. Brickell, E.F., Gordon, D.M., McCurley, K.S., Wilson, D.B.: Fast exponentiation with precomputation. In: Rueppel, R.A. (ed.) EUROCRYPT 1992. LNCS, vol. 658, pp. 200–207. Springer, Heidelberg (1993)
  10. Chaum, D.: Security without identification: transaction systems to make big brother obsolete. Communications of the ACM 28(10), 1030–1044 (1985)
  11. Chaum, D., Pedersen, T.P.: Wallet databases with observers. In: Brickell, E.F. (ed.) CRYPTO 1992. LNCS, vol. 740, pp. 89–105. Springer, Heidelberg (1993)
  12. Clarke, D., Devadas, S., van Dijk, M., Gassend, B., Suh, G.E.: Speeding up exponentiation using an untrusted computational resource. Technical Report Memo 469, MIT CSAIL Computation Structures Group (August 2003)
  13. Cramer, R., Shoup, V.: Design and analysis of practical public-key encryption schemes secure against adaptive chosen ciphertext attack. SIAM Journal on Computing (2003, to appear)
  14. de Rooij, P.: On the security of the Schnorr scheme using preprocessing. In: Davies, D.W. (ed.) EUROCRYPT 1991. LNCS, vol. 547, pp. 71–80. Springer, Heidelberg (1991)
  15. de Rooij, P.: On Schnorr's preprocessing for digital signature schemes. In: Helleseth, T. (ed.) EUROCRYPT 1993. LNCS, vol. 765, pp. 435–439. Springer, Heidelberg (1994)
  16. de Rooij, P.: Efficient exponentiation using precomputation and vector addition chains. In: De Santis, A. (ed.) EUROCRYPT 1994. LNCS, vol. 950, pp. 389–399. Springer, Heidelberg (1995)
  17. de Rooij, P.: On Schnorr's preprocessing for digital signature schemes. Journal of Cryptology 10(1), 1–16 (1997)
  18. Franklin, M., Yung, M.: The blinding of weak signatures (extended abstract). In: De Santis, A. (ed.) EUROCRYPT 1994. LNCS, vol. 950, pp. 67–76. Springer, Heidelberg (1995)
  19. Goldberg, I., Wagner, D., Thomas, R., Brewer, E.A.: A secure environment for untrusted helper applications. In: Proceedings of the 6th USENIX Security Symposium (1996)
  20. Halevi, S., Micali, S.: Practical and provably-secure commitment schemes from collision-free hashing. In: Koblitz, N. (ed.) CRYPTO 1996. LNCS, vol. 1109, pp. 201–212. Springer, Heidelberg (1996)
  21. Lim, C.H., Lee, P.J.: More flexible exponentiation with precomputation. In: Desmedt, Y.G. (ed.) CRYPTO 1994. LNCS, vol. 839, pp. 95–107. Springer, Heidelberg (1994)
  22. Matsumoto, T., Kato, K., Imai, H.: Speeding up secret computations with insecure auxiliary devices. In: Goldwasser, S. (ed.) CRYPTO 1988. LNCS, vol. 403, pp. 497–506. Springer, Heidelberg (1990)
  23. Necula, G.C., Rahul, S.P.: Oracle-based checking of untrusted software. ACM SIGPLAN Notices 36(3), 142–154 (2001)
  24. Nguyen, P.Q., Shparlinski, I.: On the insecurity of a server-aided RSA protocol. In: Boyd, C. (ed.) ASIACRYPT 2001. LNCS, vol. 2248, pp. 21–35. Springer, Heidelberg (2001)
  25. Nguyen, P.Q., Shparlinski, I., Stern, J.: Distribution of modular sums and the security of server aided exponentiation. In: Proceedings of the Workshop on Computational Number Theory and Cryptography, pp. 1–16 (1999)
  26. Rackoff, C., Simon, D.: Non-interactive zero-knowledge proof of knowledge and chosen ciphertext attack. In: Feigenbaum, J. (ed.) CRYPTO 1991. LNCS, vol. 576, pp. 433–444. Springer, Heidelberg (1992)
  27. Schnorr, C.-P.: Efficient identification and signatures for smart cards. In: Brassard, G. (ed.) CRYPTO 1989. LNCS, vol. 435, pp. 239–252. Springer, Heidelberg (1990)
  28. Schnorr, C.-P.: Efficient signature generation by smart cards. Journal of Cryptology 4(3), 161–174 (1991)
  29. Trusted Computing Group: Trusted Computing Platform Alliance, main specification version 1.1b (accessed February 10, 2004)
  30. Wagner, D.A.: Janus: an approach for confinement of untrusted applications. Technical Report CSD-99-1056, UC Berkeley, 12 (1999)
  31. Waters, B.R., Felten, E.W., Sahai, A.: Receiver anonymity via incomparable public keys. In: Proceedings of the 10th ACM Conference on Computer and Communications Security (CCS), pp. 112–121 (2003)

Copyright information

© Springer-Verlag Berlin Heidelberg 2005

Authors and Affiliations

  • Susan Hohenberger, CSAIL, Massachusetts Institute of Technology, Cambridge, USA
  • Anna Lysyanskaya, Computer Science Department, Brown University, Providence, USA
