Abstract
Many public-key cryptosystems and, more generally, cryptographic
protocols, use group exponentiations as important primitive
operations. To expand the applicability of these solutions to computationally
weaker devices, it has been advocated that a computationally
weaker client (i.e., capable of performing a relatively small number of
modular multiplications) delegates such primitive operations to a computationally
stronger server. Important requirements for such delegation protocols include privacy of the client's input exponent and security of the client's output, in the sense of detecting, except for very small probability, any malicious server's attempt to convince the client of an incorrect exponentiation result. Only recently, ecient protocols for the delegation of a xed-based exponentiation, over cyclic and RSA-type groups with certain properties, have been presented and proved to satisfy both requirements.
In this paper we show that a product of many xed-base exponentiations,
over a cyclic groups with certain properties, can be privately and securely
delegated by keeping the client's online number of modular multiplications
only slightly larger than in the delegation of a single exponentiation.
We use this result to show the rst delegations of entire cryptographic
schemes: the well-known digital signature schemes by El-Gamal, Schnorr
and Okamoto, over the q-order subgroup in Zp, for p; q primes, as well
as their variants based on elliptic curves. Previous ecient delegation
results seem limited to the delegation of single algorithms within cryptographic
schemes.
protocols, use group exponentiations as important primitive
operations. To expand the applicability of these solutions to computationally
weaker devices, it has been advocated that a computationally
weaker client (i.e., capable of performing a relatively small number of
modular multiplications) delegates such primitive operations to a computationally
stronger server. Important requirements for such delegation protocols include privacy of the client's input exponent and security of the client's output, in the sense of detecting, except for very small probability, any malicious server's attempt to convince the client of an incorrect exponentiation result. Only recently, ecient protocols for the delegation of a xed-based exponentiation, over cyclic and RSA-type groups with certain properties, have been presented and proved to satisfy both requirements.
In this paper we show that a product of many xed-base exponentiations,
over a cyclic groups with certain properties, can be privately and securely
delegated by keeping the client's online number of modular multiplications
only slightly larger than in the delegation of a single exponentiation.
We use this result to show the rst delegations of entire cryptographic
schemes: the well-known digital signature schemes by El-Gamal, Schnorr
and Okamoto, over the q-order subgroup in Zp, for p; q primes, as well
as their variants based on elliptic curves. Previous ecient delegation
results seem limited to the delegation of single algorithms within cryptographic
schemes.
| Original language | English |
|---|---|
| Pages (from-to) | 438–459 |
| Number of pages | 22 |
| Journal | Journal of Mathematical Cryptology |
| Volume | 14 |
| Issue number | 1 |
| DOIs | |
| Publication status | Published - 30 Oct 2020 |
