On Single-Server Delegation Without Precomputation

Matluba Khodjaeva

and Giovanni Di Crescenzo

2 a

CUNY John Jay College of Criminal Justice, NY, U.S.A.

Peraton Labs, Basking Ridge, NJ, U.S.A.

Keywords:

Cryptography, Secure Delegation, Pairings, Elliptic Curves.

Abstract:

Many public-key cryptosystems use pairings as important primitive operations. To expand the applicability

of these solutions to computationally weaker devices, it has been advocated that a computationally weaker

client delegates such primitive operations to a computationally stronger server. Important requirements for

such delegation protocols include privacy of the client’s pairing inputs and security of the client’s output,

in the sense of detecting, except for very small probability, any malicious server’s attempt to convince the

client of an incorrect pairing result. Except for less than a handful of results, all single-server delegation

protocols in the literature are structured into an ofﬂine phase, where precomputation can be performed, and an

online phase, where the client has resource constraints. Designing single-server delegation protocols without

precomputation is naturally harder. In this paper, we show that the computation of a pairing with non-private

inputs can be efﬁciently delegated to a single server, without need for precomputation. We also discuss the

failure of a previously published attempt, and note the inefﬁciency of natural extensions of our protocol to

more demanding input cases.

1 INTRODUCTION

The area of server-aided cryptography investigates the

problem of computationally weaker clients delegat-

ing the most expensive cryptographic computations

to computationally powerful servers. Interest in this

area is recently increasing because of computation

paradigms shifts, including cloud/fog/edge comput-

ing, large-scale computations over big data, and com-

putations with resource-constrained devices, as in the

Internet of Things.

This problem of delegating (aka outsourcing)

computation in cryptography was ﬁrst discussed in

(Feigenbaum, 1985; Abadi et al., 1989; Matsumoto et

al., 1988), ﬁrst modeled in (Hohenberger and Lysyan-

skaya, 2005). Consistently with these and follow-up

papers in the area (see, e.g., (Gennaro et al., 2010;

Cavallo et al., 2015; Di Crescenzo et al., 2022)), we

consider a model where a client, denoted as C, with an

input x, delegates to a server, denoted as S, the com-

putation of a function F on the client’s input, and the

main desired requirements are:

1. result correctness: if C and S honestly run the pro-

tocol, at the end of the protocol C returns F(x);

https://orcid.org/0000-0002-5138-1144

2. input privacy: no new information about x should

be revealed to S;

3. result security: S should not be able, except pos-

sibly with very small probability, to convince C to

return a result different than F(x) at the end of the

protocol; and

4. efﬁciency: C’s runtime, denoted as t

, should be

much smaller than the runtime, denoted as t

of computing F(x) without delegation; moreover,

it is of interest to minimize S’s runtime t

, the

communication complexity cc, and the number of

messages mc.

In almost all previous work in single-server delega-

tion, protocols can be partitioned into (a) an ofﬂine

phase, where input x is not yet known, but somewhat

expensive pre-computation, performed by the client

or a client deployer, is stored on the client’s device,

and (b) an online phase, where client’s runtime is lim-

ited, and thus help by the server is needed to compute

F(x). This partition has proved very useful to obtain

delegation protocols for many operations often used

in cryptographic protocols (see, e.g., (Di Crescenzo

et al., 2022) for a survey in the area). The problem of

designing delegation protocols without ofﬂine phase

precomputation, which we consider in this paper (see

also Figure 1), is of interest for both theoretical and

540

Khodjaeva, M. and Di Crescenzo, G.

On Single-Server Delegation Without Precomputation.

DOI: 10.5220/0012140100003555

In Proceedings of the 20th International Conference on Security and Cr yptography (SECRYPT 2023), pages 540-547

ISBN: 978-989-758-666-8; ISSN: 2184-7711

 2023 by SCITEPRESS – Science and Technology Publications, Lda. Under CC license (CC BY-NC-ND 4.0)

practical reasons. From a theoretical point of view,

a delegation protocol with precomputation typically

involves precomputation in the ofﬂine phase of the

same function that is being delegated on different in-

puts, while a delegation protocol without precompu-

tation would realize a more demanding type of del-

egated computation, giving different insights on the

problem that admit such solutions. From a practical

point of view, at the end of the ofﬂine phase, typi-

cally secret values are stored on the client’s resource-

constrained device, and the rest of the protocol has

to signiﬁcantly rely on such values to remain secrets,

thus increasing the storage and trust requirements on

the system.

Figure 1: Delegated computation of y = F(x).

Our Contributions. In this paper we show that a

pairing (aka bilinear map) with publicly known inputs

can be efﬁciently and securely delegated to a single,

possibly malicious, server, without need for ofﬂine

phase precomputations. We show that our protocol

is efﬁcient with respect to a number of metrics; most

notably, the client performs strictly less computation

than in non-delegated computation, for all 4 classes of

practical elliptic curve families underlying the pairing

deﬁnition. We also discuss the failure of a very recent

attempt (Kalkar et al., 2022), and observe the inefﬁ-

ciency of natural extensions of our protocol to more

demanding input scenario, where one of the two in-

puts or both have to remain private. Previously, del-

egation protocols without precomputation were given

for group inverses (Cavallo et al., 2015), for a batch

of group exponentiations with a single public base and

multiple public exponents (Di Crescenzo et al., 2017),

and for a batch of pairings with one public ﬁxed in-

put and one public variable input from (Tsang et al.,

2007).

Related Work. Pairing-based cryptography, start-

ing with (Joux, 2000; Sakai et al., 2000; Boneh and

Franklin, 2001), has attracted much research in the

past 2-3 decades (see, e.g., (Moody et al., 2015)).

Single-server delegation protocols with precompu-

tation for pairings have been proposed in (Girault

and Lefranc, 2005; Guillevic and Vergnaud, 2014;

Chevallier-Mames et al., 2010; Kang et al., 2005; Ca-

nard et al., 2014; Kachisa et al., 2008; Guillevic and

Vergnaud, 2014; Canard et al., 2014; Di Crescenzo

et al., 2020a; Di Crescenzo et al., 2020b). A sur-

vey on delegated computation of speciﬁc operations

beyond cryptography can be found in (Shan et al.,

2018). A survey on delegated computation of ar-

bitrary functions, with clients more computationally

powerful than considered here, can be found in (Ah-

mad et al., 2018).

2 DEFINITIONS

Let G

, G

be additive cyclic groups of order l and

be a multiplicative cyclic group of the same order

l, for some large prime l. A pairing is an efﬁciently

computable map e : G

× G

→ G

, with description

denoted as desc(e), with the following properties:

1. Bilinearity: for all A ∈ G

and B ∈ G

, and for

any r,s ∈ Z

, it holds that e(rA, sB) = e(A,B)

2. Non-triviality: if U is a generator for G

and V

is a generator for G

then e(U,V ) is a generator

for G

(this property rules out the trivial scenario

where e maps all of its inputs to 1).

The currently most practical pairing realizations use

an ordinary elliptic curve E deﬁned over a ﬁeld F

for some large prime p, as follows. Group G

is the l-

order additive subgroup of E(F

); group G

is a spe-

ciﬁc l-order additive subgroup of E(F

) contained

in E(F

) \ E(F

); and group G

is the l-order mul-

tiplicative subgroup of F

∗

. Here, k is the embed-

ding degree; i.e., the smallest positive integer such

that l|(p

− 1); F

is the extension ﬁeld of F

degree k; and F

∗

is the ﬁeld composed of non-zero

elements of F

. After the Weil pairing was consid-

ered in (Boneh and Franklin, 2001), more efﬁcient

constructions were proposed as variants of the Tate

pairing, including the more recent ate pairing variants

(see, e.g., (Vercauteren, 2010; Scott, 2013; Barreto et

al., 2015) for details on the currently most practical

constructions).

For our results, we further assume that G

is a

subgroup of a group G

, also contained in F

∗

, with

the following two properties:

1. testing membership in G

is more efﬁcient than

testing membership in G

;

2. all elements of G

have order ≥ l.

This assumption is satisﬁed by a recently proposed

security strengthening of the most practical pairing

realizations. Motivated by reducing the chances of

low-order attacks in cryptographic protocols, in (Bar-

reto et al., 2015) the authors proposed the notion of

On Single-Server Delegation Without Precomputation

541

subgroup-secure elliptic curves underlying a pairing,

in turn extending the notion of G

-strong curves from

(Scott, 2013). As a critical step in achieving these no-

tions, both of these papers set G

= G

(p)

, where

(p)

is the cyclotomic subgroups of order Φ

(p)

in F

∗

, and where Φ

(p) denotes the k-th cyclotomic

polynomial. Satisfaction of above property (2) is di-

rectly implied by the deﬁnitions of both G

-strong

and subgroup-secure curves. Satisfaction of above

property (1) when G

= G

(p)

is detailed in Sec-

tion 5.2 of (Barreto et al., 2015) for the curve families

BN-12, BLS-12, KSS-18, and BLS-24, in turn elabo-

rating on Section 8.2 of (Scott, 2013). There, testing

membership in G

is shown to only require one mul-

tiplication in G

and a few lower-order Frobenius-

based simpliﬁcations. As a comparison, currently the

best methods for testing membership in G

involve

a large-exponent exponentiation in G

(see, e.g., dis-

cussions in (Scott, 2021)). Thus, in our protocols, in-

stead of an expensive membership test for G

, we use

a much cheaper membership test for G

, and prove

that it sufﬁces for our purposes, when used in con-

junction with our probabilistic correctness tests.

For parameterized efﬁciency evaluation of our

protocols, we will use the following deﬁnitions:

• a

: runtime for addition in G

, for i = 1,2;

• m

(`): runtime for scalar multiplication of a group

value in G

with an `-bit scalar value, for i = 1,2;

• m

: runtime for multiplication of group values in

;

• e

(`): runtime for an exponentiation in G

to an

`-bit exponent;

• p

: runtime for the bilinear pairing e;

• i

denotes the runtime for multiplicative inversion

in Z

;

• t

: runtime for testing membership of a value to

= G

(p)

We recall some well-known facts about these quan-

tities, of interest when evaluating the efﬁciency of

our protocols. First, for large enough `, a

(`), a

<< m

(`), m

(`) << e

(`), and e

(`) <

. Also, using a double-and-add (resp., square-and-

multiply) algorithm, one can realize scalar multipli-

cation (resp., exponentiation) in additive (resp., mul-

tiplicative) groups using, for random scalars (resp.,

random exponents), about 1.5` additions (resp., mul-

tiplications). Membership of a value w in G

can be

computed using one exponentiation in G

to the l-th

power (i.e., checking that w

= 1), but we avoid this

or any other expensive group membership tests in our

protocols.

For numeric efﬁciency evaluation of our proto-

cols, we will use benchmark results from (Bos et al.,

2013) on runtime of an optimal ate pairing and of

other most expensive operations (i.e., scalar multipli-

cation in groups G

, G

and exponentiation in G

) for

some of the best curve families, also recalled in Ta-

ble 2. For both parameterized and numeric evaluation

of our protocols, we will neglect lower-order opera-

tions such as equality testing, assignments, Frobenius

calculations, etc.

3 A FLAWED PROTOCOL

In this section we review a protocol underlying the

ﬁrst 3 delegation schemes in (Kalkar et al., 2022),

and study its properties. We show that this proto-

col satisﬁes result correctness without need for pre-

computation but does not satisfy result security, by

describing an adversary who, while acting as S, can

force C to return an incorrect output with probability

1. We also discuss the ﬂaw in the proof for the result

security property which was described in (Kalkar et

al., 2022).

Informal Description: We consider the task of dele-

gating, without pre-computation, the computation of

a pairing e on input A ∈ G

and B ∈ G

, for the in-

put scenario where both A and B are publicly known

(thus, no input privacy is required). A very natural ap-

proach consists of C asking S to produce both the de-

sired pairing e(A,B) and a pairing for a related input

pair e(A

), and use the relationship between (A,B)

and (A

) to probabilistically check the correctness

of the ﬁrst pairing value. We formally describe one

instance of this approach from (Kalkar et al., 2022).

Formal Description: A formal description of Algo-

rithm 1 (PVPV) in (Kalkar et al., 2022) for i = 1.

Input scenario: A and B are public online.

Online phase instructions:

1. C randomly chooses a, b ∈ Z

C computes A

:= aA and B

= bB

C sends A

to S

2. S computes α := e(A,B) and α

:= e(A

)

S sends α,α

to C

3. C checks that α, α

∈ G

C checks that α

= α

If any of these tests fails,

C returns ⊥ and the protocol halts

C returns y := α

Remarks. In (Kalkar et al., 2022), the authors use a

particular case of this protocol as part of their delega-

tion protocol for a batch of pairing computations. We

SECRYPT 2023 - 20th International Conference on Security and Cryptography

542

note that their batch delegation protocol is a direct n-

fold repetition of the same subprotocol for each input

pair (A

) in the batch. This subprotocol, in turn,

can be seen as a particular case of the protocol above

described; speciﬁcally the pair of values (a,b) is cho-

sen in a small set (i.e., [0, 2

] × {1}) in their protocol,

for some small value t, and in a much larger set (i.e.,

× Z

) here, where l is the (large) order of pairing

groups G

. This generalization increases the

entropy of C’s message and thus even strengthens our

observation below that this approach is not successful.

Result Correctness Is Satisﬁed. To see that the result

correctness property is satisﬁed with probability 1, we

observe that if C and S follow the protocol, then C’s

output y satisﬁes y = e(A,B) by step 2 of the protocol,

and C does not output ⊥ since the veriﬁcation check

in step 3 is satisﬁed, as:

= e(aA,bB) = e(A, B)

= α

Result Security Is Not Satisﬁed. To see that the re-

sult security property is not satisﬁed with probability

1, we now show an attacker algorithm S

which, when

playing as S, makes C return y 6= e(A, B) with proba-

bility very close to 1.

S’s instructions: On input C’s message (A

), S

does the following:

1. randomly choose u,v ∈ Z

2. S

sets β := e(uA,vB) and β

:= e(uA

,vB

)

3. S

sends β,β

to C.

We now show that both of C’s veriﬁcations are sat-

isﬁed. About the ﬁrst veriﬁcation, we observe that

,uA, uA

∈ G

since so does A, B

,vB, vB

∈ G

since so does B, and thus β, β

∈ G

by deﬁnition of

pairing. About the second veriﬁcation, we observe

that

= e(uA

,vB

) = e(u(aA), v(bB))

= e(a(uA),b(vB)) = e(uA,vB)

= β

Thus, C returns y = β = e(uA, vB), which is 6= e(A,B)

whenever u 6= 1 and v 6= 1, and thus with probability

1 − 1/l

Flaws in the Proof from (Kalkar et al., 2022). The

proof for the result security property, as written in

(Kalkar et al., 2022), is based on the following 3

claims:

1. A

leaks no information about a

2. A

is uniformly distributed since a is chosen uni-

formly random

3. Claim 2 implies Claim 1.

We now analyze these 3 claims.

As written, Claim 2 is unspeciﬁed because there

are no domains for the uniform distribution or set

from which a is chosen. Given that the protocol uni-

formly chooses a from [1,2

], and sets A

= a · A, a

correct revision of this statement would say that A

uniformly distributed in a 2

-size subset of G

since a

is chosen uniformly from [1,2

To meaningful analyze Claim 3, we observe that

the above updated variant of Claim 2 does not imply

Claim 1. This is because there are only 2

possible

values for a, if not conditioning on A,A

, and there is

only 1 value of a, when conditioning on A,A

Indeed Claim 1 is also false because given A,A

and a, it is possible to test whether A

= aA. In other

words, A

always leaks the output of a predicate of

equality to a given value a.

4 A NEW PROTOCOL

In this section we investigate client-server protocols

for pairing delegation, in the scenario where the two

pairing inputs are known to both parties, and there is

no ofﬂine phase or precomputation prior to the online

phase. In other words, all calculation will be done

only during the online phase. Our main result is a new

protocol with desirable security and efﬁciency prop-

erties. In what follows, we give a formal statement

of our result, an asymptotic and concrete efﬁciency

comparison with the previous most efﬁcient protocols

in the same input scenario, an informal description of

the ideas behind the protocol, a formal description of

the protocol and a proof of the protocol’s correctness

and security properties.

Theorem 4.1. Let e be a pairing, as deﬁned in Sec-

tion 2, let σ be its computational security param-

eter, and let λ be a statistical security parameter.

There exists (constructively) a client-server protocol

(C, S) for delegating the computation of e without pre-

computation, when inputs A and B are both publicly

known in the online phase, which satisﬁes 1-result

correctness, 2

−λ

-result security, and efﬁciency with

parameters (t

,cc, mc), where

– t

= 3 p

– t

≤ a

+ i

+ m

(σ) + m

+ e

(λ) + e

(r) + 2t

– cc = 2 values in G

+ 3 values in G

– mc = 2.

The main takeaway from this theorem is that C can

securely and efﬁciently delegate to S the computation

of a bilinear pairing whose both inputs A and B are

publicly known in the online phase and where there

is no ofﬂine phase for C to precomputes anything. In

On Single-Server Delegation Without Precomputation

543

particular, in the online phase C performs one group

exponentiation and 1 exponentiation to a λ-bit expo-

nent in G

, and 1 group multiplication and 1 multipli-

cation to a λ-bit scalar in G

, as well as other lower-

order operations; see also Table 3 for a more detailed

analysis of the asymptotic performance of our proto-

col, even compared with previous work. The numeric

efﬁciency improvement over non-delegated computa-

tion was estimated to range between 1.353 and 2.832

depending on the curve used; see also Table 3. Addi-

tionally, C does not precalculate any operations dur-

ing ofﬂine phase, S only computes 3 pairings, and C

and S only exchange 2 messages containing a small

number of group values.

Protocol Description. The main idea in this pro-

tocol is that since both inputs A and B are publicly

known, S can compute w

= e(A,B) and send w

to C, along with some efﬁciently veriﬁable ‘proof’

that w

was correctly computed. This proof is re-

alized by the following 3 steps: ﬁrst, C sends to S

a randomized version Z

and Z

of a randomly cho-

sen value U and the input value A (masked using

U); then S computes and sends to C pairing values

= e(Z

,B) and w

= e(Z

,B); and ﬁnally C ver-

iﬁes that w

∈ G

and uses w

and w

in an

efﬁcient probabilistic veriﬁcation for the correctness

of S’s message (w

). We stress that instead

of performing ofﬂine calculations, C performs 1 ex-

ponentiation with a full-domain exponent and 1 ex-

ponentiation with a 1 short, λ-bit exponent, in group

. A formal description follows.

Formal Description of Protocol P

(C,S).

Online Input to C and S: 1

, desc(e), A ∈ G

, and

B ∈ G

Online phase instructions:

1. C randomly chooses b ∈ {1, ...,2

}, and U ∈ G

;

C sets u

:= u

−1

mod l, Z

:= u

· U, and Z

b · A +U

C sends Z

to S

2. S computes w

:= e(A, B), w

:= e(Z

,B) and

:= e(Z

,B)

S sends w

to C

3. Membership Test: C checks that w

∈ G

Probabilistic Test: C checks that w

= w

· w

If any of these tests fails,

C returns ⊥ and the protocol halts

C returns y = w

Properties of Protocol P

(C, S): The efﬁciency prop-

erties are veriﬁed by protocol inspection. In particu-

lar:

- Round complexity: the online phase of the proto-

col only requires two messages: one from C to S,

followed by one from S to C.

- Communication complexity: during the online

phase, C sends 2 values in G

and S sends 3 values

in G

- Runtime complexity: the runtime property directly

follows by protocol inspection. In particular, C’s

calculation of Z

only requires 1 group multi-

plication, 1 multiplication to a short, λ-bit, scalar,

and 1 scalar addition in a group G

. In C’s G

membership test only requires 1 multiplication in

for each membership test, as discussed in Sec-

tion 2, total 1 multiplications in G

, and C’s prob-

abilistic test requires 1 multiplication, 1 group

multiplication and 1 exponentiation in G

to a

short, λ-bit, exponent.

The correctness property follows by showing that

if C and S follow the protocol, C always output y =

e(A,B). We show that the 2 tests performed by C are

always passed. The membership test is always passed

by pairing deﬁnition; the probabilistic test is always

passed since

= e(Z

,B) = e(b · A +U,B)

= e(A,B)

· e(U, B) = e(A,B)

· e(u

−1

·U,B)

= e(A,B)

· e(Z

,B)

= w

· w

This implies that C never returns ⊥, and thus returns

y = w

= e(A,B).

To prove the security property against any mali-

cious S we need to compute an upper bound ε

on the

security probability that S convinces C to output a y

such that y 6= e(A,B). We obtain that ε

≤ 2

−λ

as a

consequence of the following 3 facts, which we later

prove:

1. (Z

) leaks no information about b to S;

2. for any S’s message (w

) different than

what would be returned according to the proto-

col instructions, there is only one b for which the

tuple (w

) satisﬁes both membership and

probabilistic tests in step 2;

3. for any S’s message (w

) different than

what would be returned according to the proto-

col instructions, the probability that (w

)

satisﬁes the probabilistic test is ≤ 2

−λ

Towards proving Fact 1, we observe that: (a) Z

−1

·U is uniformly and indigently distributed in G

since so is the u in Z

and it does not leak any in-

formation about U in G

; (b) Z

= b · A + U is also

uniformly distributed in G

since so is U by (a) and

does not leak any information about b to S.

SECRYPT 2023 - 20th International Conference on Security and Cryptography

544

Table 1: Protocols comparison in the input scenario (A and B public online). The expressions for t

only include higher-order

functions p

Protocols C’s pre-calculation (t

) C’s online calculation (t

)

(Chevallier-Mames et al., 2010) §5.2 p

+ e

(r) + m

(r) 3e

(r) + m

(r)

(Canard et al., 2014) §4.1 p

+ e

(r) + m

(r) e

(r) + m

(r)

(Di Crescenzo et al., 2020a) §4.1 2 p

+ m

(r) + 2 m

(r) 2e

(λ) + m

(r) + m

(λ)

(Di Crescenzo et al., 2020b) §3 p

+ m

(r) e

(λ) + m

(r)

Ours [§ 4] 0 e

(r) + e

(λ) + m

(r)

Towards proving Fact 2, let (w

) be

the values that would be returned by S accord-

ing to the protocol, and assume a malicious algo-

rithm Adv, corrupting S returns a different triple

). Note that if w

6∈ G

or w

6∈ G

, the

triple (w

) does not satisfy the group G

membership test. Thus, we assume that both w

∈ G

and w

∈ G

and observe that if triple (w

)

satisﬁes the probabilistic correctness test, then w

∈

. Because G

is a multiplicative group, we can

write w

= d

· w

for i = 0,1, 2 and some d

∈

such that d

6= 1 or d

6= 1. Now, as-

sume wlog that d

6= 1 and consider the following

equivalent rewritings of the probabilistic test, ob-

tained by variable substitutions and simpliﬁcations:

= (w

)

· (w

)

· w

= (d

· w

)

· (d

· w

)

· w

= (d

· d

) · w

· w

= d

· d

)

−u

= d

where the 4th equality follows from the correctness

property implying that w

= w

· w

Now, if there exist two distinct b

and b

, assumed

wlog to satisfy b

> b

, and such that

)

−u

= d

and d

)

−u

= d

then d

−b

= 1. By our assumption that every el-

ement in G

has order > l, which is > 2

, and by

observing that b

− b

< 2

, we derive that d

cannot

have order ≤ b

− b

. Thus the equality d

−b

= 1

can only hold when b

= b

This proves Fact 2.

Towards proving Fact 3, note that, by Fact 1, C’s

message Z

does not leak any information about

b. This implies that all values in {1,..., 2

} are still

equally likely for c even when conditioning over mes-

sages Z

. Then, by using Fact 2, the probability

that S’s message (w

) satisﬁes the probabilis-

tic test, is 1 divided by the number 2

of values of

b that are still equally likely when conditioning over

message Z

. This proves Fact 3.

4.1 Extension to Other Input Cases

A Private and B Public. In this input scenario, we

can deﬁne protocol P

by some natural modiﬁcations

to protocol P

, where C further apply a random mask

to A before asking S to compute and return pairings,

and later C performs one more exponentiation in G

to undo the mask, and recover the desired pairing

value.

A and B Private. In this input scenario, we can de-

ﬁne protocol P

by some natural modiﬁcations to pro-

tocols P

and P

, where C further applies a random

mask to both A and B before asking S to compute and

return pairings, and later C performs one more expo-

nentiation in G

to undo the masks, check the cor-

rectness of the received values and recover the desired

pairing value.

Performance Analysis. In our performance analy-

sis for protocols P

and P

, C’s runtime is only lower

than non-delegated computation for one of the 4 con-

sidered curve families.

5 NUMERICAL PERFORMANCE

ANALYSIS

We show a numerical performance analysis of our

protocols from Section 4, as well as previous proto-

cols from the literature in each of the considered in-

put scenarios. Our numerical performance analysis

consists of using benchmark results from (Bos et al.,

2013) for the runtime of an optimal ate pairing and of

the other most expensive operations (i.e., scalar multi-

plication in groups G

, G

and exponentiation in G

)

for relative to an optimal ate pairing based on some

of the currently most practical elliptic curve families

(i.e., BN-12, BLS-12, KSS-18, BLS-24), also recalled

in Table 2. In Table 3 we compare the performance of

our protocols in Section 4 with past work for the same

input scenario.

On Single-Server Delegation Without Precomputation

545

Table 2: Benchmark results (obtained by (Bos et al., 2013) on an Intel Core i7-3520M CPU averaged over thousands of

random instances) for scalar multiplications in G

and exponentiations in G

relative to an optimal ate pairing based on

some of the best known curve families, measured in millions (M) of clock cycles. The security levels are from (Bos et al.,

2013), except for BN-12, whose level was reduced because of recent attacks (Kim and Barbulescu, 2016).

Sec. level Family-k Pairing e Scal. mul. in G

Scal. mul. in G

Exp. in G

105-bits BN-12 7.0 0.9 1.8 3.1

192-bits

BLS-12 47.2 4.4 10.9 17.5

KSS-18 63.3 3.5 9.8 15.7

256-bits BLS-24 115.0 5.2 27.6 47.1

Table 3: Protocols comparison in scenarios where both A and B are publicly known.

Protocols C’s pre-calculation (t

)

Ratio: p

BN12

r = 210

BLS12

r = 424

KSS18

r = 376

BLS24

r = 504

Input Scenario: (A and B are publicly known and thus no input privacy is required)

(Chevallier-Mames et al., 2010) §5.2 p

+ e

(r) 0.580 0.694 1.045 0.659

(Canard et al., 2014) §4.1 p

+ e

(r) + m

(r) 1.197 1.433 2.173 1.434

(Di Crescenzo et al., 2020a) §4 2 p

+ m

(r) + 2 m

(r) 2.001 4.045 6.869 5.571

(Di Crescenzo et al., 2020b) §3 p

+ m

(r) 2.981 5.519 8.216 7.994

This paper §4 0 1.353 1.881 2.832 1.958

6 CONCLUSIONS

In this paper we studied the problem of techniques

for a computationally weaker client to efﬁciently, pri-

vately and securely delegate bilinear pairings to a sin-

gle, possibly malicious, server, without precompu-

tation. Previously to this paper, we only knew of

two examples of operation commonly used in cryp-

tographic protocols having such delegation protocols

without precomputation: group inverses, and multiple

group exponentiations with a public base and mul-

tiple public exponents. It remains of interest to ex-

tend our protocol to more elaborated input scenarios

(i.e., keeping input privacy) while achieving client ef-

ﬁciency for many curve families of interest in practi-

cal applications of pairings. It also remains of interest

to ﬁnd more operations often used in cryptography

constructions for which such delegation protocols ex-

ist.

ACKNOWLEDGEMENTS

Work by Matluba Khodjaeva was supported by a

Faculty Scholarship grant from the Ofﬁce for the

Advancement of Research at John Jay College and

PSC CUNY Cycles 53 and 54. Work by Giovanni

Di Crescenzo was supported by the Defense Ad-

vanced Research Projects Agency (DARPA), contract

n. HR001120C0156. Approved for Public Release,

Distribution Unlimited. The U.S. Government is au-

thorized to reproduce and distribute reprints for Gov-

ernmental purposes notwithstanding any copyright

annotation hereon. Disclaimer: The views and con-

clusions contained herein are those of the authors and

should not be interpreted as necessarily representing

the ofﬁcial policies or endorsements, either expressed

or implied, of DARPA, or the U.S. Government.

REFERENCES

M. Abadi, J. Feigenbaum, J. Kilian, On Hiding Information

from an Oracle In: J. Comput. Syst. Sci. 39(1): 21-50

(1989).

H. Ahmad, L. Wang, H. Hong, J. Li, H. Dawoo, M. Ahmed,

Y. Yang, Primitives towards veriﬁable computation: a

survey. In Front. Comput. Sci. 2018, Vol. 12, Issue (3)

: 451-478.

P.S.L.M. Barreto, C. Costello, R. Misoczki, M. Naehrig,

G.C.C.F. Pereira, G. Zanon, Subgroup security in

pairing-based cryptography. In Lauter K., Rodr

ıguez-

Henr

ıquez F. (eds) LATINCRYPT 2015. LCNS vol.

9230. Springer.

D. Boneh, M. Franklin, Identity-based encryption from the

weil pairing. In Kilian J. (eds) Advances in Cryptol-

ogy — CRYPTO 2001. LNCS vol 2139. Springer.

J.W. Bos, C. Costello, M. Naehrig, Exponentiating in pair-

ing groups. In Lange T., Lauter K., Lison

ek P. (eds)

SAC 2013. LNCS vol 8282. Springer.

S. Canard, J. Devigne, O. Sanders: Delegating a pairing

can be both secure and efﬁcient. In Boureanu I., Owe-

sarski P., Vaudenay S. (eds) Applied Cryptography

SECRYPT 2023 - 20th International Conference on Security and Cryptography

546

and Network Security. ACNS 2014. LNCS vol 8479.

Springer

B. Cavallo, G. Di Crescenzo, D. Kahrobaei, V. Shpilrain,

Efﬁcient and secure delegation of group exponentia-

tion to a single server. In Proc. of RFIDSec 2015: pp.

156–173, LNCS, Springer.

X. Chen, W. Susilo, J. Li, D.S. Wong, J. Ma, S. Tang, and

Q. Tang, Efﬁcient algorithms for secure outsourcing

of bilinear pairings. In Theor. Comput. Sci., vol. 562,

no. 9, pp. 112–121, 2015.

B. Chevallier-Mames, J.S. Coron, N. McCullagh, D.

Naccache, M. Scott: Secure delegation of elliptic-

curve pairing. Cryptology ePrint Archive. In Proc.

of Smart Card Research and Advanced Application.

CARDIS 2010. LNCS vol 6035. Springer. Also in

http://eprint.iacr.org/2005/150.

G. Di Crescenzo, M. Khodjaeva, D. Kahrobaei, V. Shpil-

rain, Secure and Efﬁcient Delegation of Elliptic-Curve

Pairing. In: Proc. of ACNS 2020. LNCS, vol 12146.

Springer, Cham.

G. Di Crescenzo, M. Khodjaeva, D. Kahrobaei, V. Shpil-

rain, Secure and Efﬁcient Delegation of Pairings with

Online Inputs. In: Proc. of CARDIS 2020. LNCS, vol.

12609. Springer.

G. Di Crescenzo, M. Khodjaeva, D. Kahrobaei, and V. Sh-

pilrain, Computing Multiple Exponentiations in Dis-

crete Log and RSA Groups: From Batch Veriﬁcation

to Batch Delegation. In Proc. of 3rd IEEE Workshop

on Security and Privacy in the Cloud, IEEE, 2017.

G. Di Crescenzo, M. Khodjaeva, D. Kahrobaei, and V. Sh-

pilrain: A Survey on Delegated Computation. In Proc.

of DLT 2022: 33-53.

J. Feigenbaum, Encrypting Problem Instances: Or ..., Can

You Take Advantage of Someone Without Having to

Trust Him? In Proc. of CRYPTO 1985: 477-488.

R. Gennaro, C. Gentry, B. Parno, Non-interactive veri-

ﬁable computing: Outsourcing computation to un-

trusted workers. In Proc. of CRYPTO 2010, LNCS

6223, pp. 465–482.

M. Girault, D. Lefranc, Server-aided veriﬁcation: Theory

and practice. In Roy, B.K. (ed.) ASIACRYPT 2005.

LNCS, vol. 3788, pp. 605–623.

A. Guillevic, D. Vergnaud, Algorithms for outsourcing pair-

ing computation. In Joye M., Moradi A. (eds) Smart

Card Research and Advanced Applications. CARDIS

2014. LNCS vol 8968. Springer.

S. Hohenberger, A. Lysyanskaya, How to securely out-

source cryptographic computations. In Proc. of TCC

2005, pp. 264–282, Springer.

A. Joux, A one round protocol for tripartite Difﬁe-Hellman,

in Proc. of ANTS IV, LNCS, vol. 1838, Springer,

2000, pp. 385–393.

E.J. Kachisa, E.F. Schaefer, M. Scott, Constructing Brezing-

Weng pairing friendly elliptic curves using elements in

the cyclotomic ﬁeld. In Galbraith S.D., Paterson K.G.

(eds) Pairing-Based Cryptography – Pairing 2008.

LNCS vol. 5209. Springer.

B.G. Kang, M.S. Lee, J.H. Park, Efﬁcient delegation of pair-

ing computation. In IACR Cryptology ePrint Archive,

n. 259, 2005.

O. Kalkar, I. Sertkaya, and S. Tutdere, On The Batch Out-

sourcing Of Pairing Computations, in: The Computer

Journal, 2022.

T. Kim, R. Barbulescu, Extended Tower Number Field

Sieve: A New Complexity for the Medium Prime Case.

In Proc. of CRYPTO (1) 2016, pp. 543–571, Springer.

T. Matsumoto, K. Kato, H. Imai, An improved algorithm

for secure outsourcing of modular exponentiations.

In Proc. of CRYPTO 1988, pp. 497–506, LNCS,

Springer.

D. Moody, R. Peralta, R. Perlner, A. Regenscheid, A. Ro-

ginsky, and L. Chen, Report on Pairing-based Cryp-

tography, in J. Res. Natl. Inst. Stand. Technol. 120:

11–27, 2015.

M. Scott, Unbalancing pairing-based key exchange pro-

tocols. In IACR Cryptology ePrint Archive, n. 688,

2013.

M. Scott, A note on group membership tests for G

, G

and

on BLS pairing-friendly curves. In IACR Cryptol-

ogy ePrint Archive, n. 1130, 2021.

R. Sakai, K. Ohgishi, andM. Kasahara, Cryptosystems

based on pairing, in Symposium on Cryptography and

Information Security (SCIS), 2000.

Z. Shan, K. Ren, M. Blanton, C. Wang, Practical Secure

Computation Outsourcing: A Survey. In ACM Com-

put. Surv. 51(2): 31:1-31:40, 2018.

P. Tsang, S. Chow, and S. Smith Batch pairing del-

egation. In: Proceedings of International Work-

shop on Security Nara, Japan, 29-31 October, 2007,

pp.74–90.Springer,Berlin.

F. Vercauteren, Optimal Pairings. In IEEE Transactions on

Information Theory, vol. 56, no. 1, pp. 455–461, Jan.

2010.

On Single-Server Delegation Without Precomputation

547