Speeding up Exponentiation using an Untrusted Computational Resource

(Part 1)Author: M. Van Dijk, D. Clarke, B. Gassend, G.E. Suh and S. Devadas

Source: Designs, Codes and Cryptography (IF:0.825), 39, 253-273,2006. (7 citations)

Presenter: Yu-Chi Chen

Outline

• Introduction and model

• The protocols

• Conclusions

2

Introduction

spiderman

Compute gx

rely

HTC Desire HD

rely

Server

Untrusted Computational Resource

3

Introduction

Compute gx

HTC Desire HD rely

Server

Untrusted Computational Resource

Correctness-checkingand get gx

4

Model

• Tim: – a trusted device

– wants to solve a problem P.

– relies on a more powerful device to solve.

• Ursula:– a powerful device

– possibly untrusted.

5

Model

• Requirements and properties:– Efficiency: Relying on Ursula is better than Tim’s

computing directly.

– Completeness: Tim can obtain the correct solution from Ursula’s help.

– Soundness: Tim must be with sufficiently high probability to get the correct solution and detect that Ursula is being dishonest.

6

Model

• A method is desirable to hide problem P or parts of P for Ursula.

• Assumption:– Tim can perform Off-line tasks, when Ursula is

doing something.

– The off-line tasks only perform less or simple computations.

– Communication bandwidth is good.

7

Model

• We only consider the computation cost (not the communication cost).

• This kind of methods is not applied in smartcards, because of no off-line task.

8

Outline

• Introduction and model

• The protocols

• Conclusions

9

Fixed Base-Variable Exponent Exponentiation (FBVE)

• Assume the cyclic group G and the factorization of the order of the cyclic group n are known.

• Set the security parameter s (s ≤ n) and the derived parameters ws and qs (n=wsqs, ws ≤ s, qs

> s).

• Notice ws increases as s increases.

10

FBVE

• (In the paper) assume Ursula may know the inputs g and a and parameters

• Maybe it is just a case which does not affect the proposed protocol, since Ursula only know the base g in the protocol.

11

sss wnqneaw /,,/

FBVE protocol

12

n

s

s

ZZr

sm

wbae

wab

ag

}1,...,0{

/)(

mod

),(input :Tim

rem

e

gy

gx

:Ursula

g, e, em+r

x, y

bwa

rm

gxg

ygxs

:output

?

This protocol is done.

13

n

s

s

ZZr

sm

wbae

wab

ag

}1,...,0{

/)(

mod

),(input :Tim

rem

e

gy

gx

:Ursula

g, e, em+r

x, y

bwa

rm

gxg

ygxs

:output

?3

log2

s

2

log sw

Pre-compute

2 log n

2

log sw

Performance analysis

• Tim’s online cost:

14

2log2

log3 sw

s

Outline

• Introduction and model

• The protocols

• Conclusions

15