Noninteractive Verifiable Outsourcing Algorithm for...
10
Research Article Noninteractive Verifiable Outsourcing Algorithm for Bilinear Pairing with Improved Checkability Yanli Ren, 1 Min Dong, 1 Zhihua Niu, 2 and Xiaoni Du 3 1 School of Communication and Information Engineering, Shanghai University, Shanghai 200444, China 2 School of Computer Engineering and Science, Shanghai University, Shanghai 200444, China 3 College of Mathematics and Information Science, Northwest Normal University, Lanzhou 730070, China Correspondence should be addressed to Yanli Ren; [email protected] Received 19 June 2017; Revised 27 August 2017; Accepted 6 September 2017; Published 15 October 2017 Academic Editor: R´ emi Cogranne Copyright © 2017 Yanli Ren et al. is is an open access article distributed under the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited. It is well known that the computation of bilinear pairing is the most expensive operation in pairing-based cryptography. In this paper, we propose a noninteractive verifiable outsourcing algorithm of bilinear pairing based on two servers in the one-malicious model. e outsourcer need not execute any expensive operation, such as scalar multiplication and modular exponentiation. Moreover, the outsourcer could detect any failure with a probability close to 1 if one of the servers misbehaves. erefore, the proposed algorithm improves checkability and decreases communication cost compared with the previous ones. Finally, we utilize the proposed algorithm as a subroutine to achieve an anonymous identity-based encryption (AIBE) scheme with outsourced decryption and an identity-based signature (IBS) scheme with outsourced verification. 1. Introduction Outsourcing computation has received widespread attention with the development of cloud computing and the prolif- eration of mobile devices [1]. Despite of the huge benefits, it also encounters some security concerns and challenges. Firstly, the computation tasks oſten include some private information that should not be disclosed to the cloud servers, since the servers are not fully trusted. Secondly, the cloud servers may return an invalid result, but the outsourcer fails to detect the error [1]. erefore, two main security challenges of the outsourcing computation are privacy and checkability: (1) the cloud servers cannot learn anything about the private inputs and the outputs of the computation outsourced to them; (2) the outsourcer can detect any failure if the cloud servers return a wrong computation result. Verifiable computation (VC) allows a client with limited computation capability to outsource evaluation of a function on some inputs to a powerful but semitrusted server [2, 3]. e client in this model first executes a lot of off-line compu- tation and encrypts the function which will be evaluated and then sends the encrypted function to the server. e server then performs the computation on the encoded function and responds with a result and a proof that the result is correct. Finally, the client verifies whether the computation has been carried out honestly based on the server’s proof. During the whole process, the computation cost of the client is less than computing the function directly itself. Our Contributions. In this paper, we propose a noninterac- tive verifiable outsourcing algorithm of bilinear pairing in the one-malicious model of two untrusted servers, which improves the checkability of the outsourcer without any interactive operation between the outsourcer and the server. In the proposed algorithm, the outsourcer could detect any failure with a probability close to 1 if one of the servers returns the false result. e proposed algorithm improves the checkability at the expense of only a little efficiency when compared with previous algorithms. Finally, we utilize the proposed algorithm as a subroutine to achieve an AIBE scheme with outsourced decryption and an IBS scheme with outsourced verification. Hindawi Security and Communication Networks Volume 2017, Article ID 4892814, 9 pages https://doi.org/10.1155/2017/4892814
Transcript of Noninteractive Verifiable Outsourcing Algorithm for...
Research ArticleNoninteractive Verifiable Outsourcing Algorithm forBilinear Pairing with Improved Checkability
Yanli Ren1 Min Dong1 Zhihua Niu2 and Xiaoni Du3
1School of Communication and Information Engineering Shanghai University Shanghai 200444 China2School of Computer Engineering and Science Shanghai University Shanghai 200444 China3College of Mathematics and Information Science Northwest Normal University Lanzhou 730070 China
Correspondence should be addressed to Yanli Ren renyanlishueducn
Received 19 June 2017 Revised 27 August 2017 Accepted 6 September 2017 Published 15 October 2017
Academic Editor Remi Cogranne
Copyright copy 2017 Yanli Ren et alThis is an open access article distributed under theCreative CommonsAttribution License whichpermits unrestricted use distribution and reproduction in any medium provided the original work is properly cited
It is well known that the computation of bilinear pairing is the most expensive operation in pairing-based cryptography In thispaper we propose a noninteractive verifiable outsourcing algorithm of bilinear pairing based on two servers in the one-maliciousmodel The outsourcer need not execute any expensive operation such as scalar multiplication and modular exponentiationMoreover the outsourcer could detect any failure with a probability close to 1 if one of the servers misbehaves Therefore theproposed algorithm improves checkability and decreases communication cost compared with the previous ones Finally we utilizethe proposed algorithm as a subroutine to achieve an anonymous identity-based encryption (AIBE) scheme with outsourceddecryption and an identity-based signature (IBS) scheme with outsourced verification
1 Introduction
Outsourcing computation has received widespread attentionwith the development of cloud computing and the prolif-eration of mobile devices [1] Despite of the huge benefitsit also encounters some security concerns and challengesFirstly the computation tasks often include some privateinformation that should not be disclosed to the cloud serverssince the servers are not fully trusted Secondly the cloudservers may return an invalid result but the outsourcer failsto detect the error [1]Therefore twomain security challengesof the outsourcing computation are privacy and checkability(1) the cloud servers cannot learn anything about the privateinputs and the outputs of the computation outsourced tothem (2) the outsourcer can detect any failure if the cloudservers return a wrong computation result
Verifiable computation (VC) allows a client with limitedcomputation capability to outsource evaluation of a functionon some inputs to a powerful but semitrusted server [2 3]The client in this model first executes a lot of off-line compu-tation and encrypts the function which will be evaluated and
then sends the encrypted function to the server The serverthen performs the computation on the encoded function andresponds with a result and a proof that the result is correctFinally the client verifies whether the computation has beencarried out honestly based on the serverrsquos proof During thewhole process the computation cost of the client is less thancomputing the function directly itself
Our Contributions In this paper we propose a noninterac-tive verifiable outsourcing algorithm of bilinear pairing inthe one-malicious model of two untrusted servers whichimproves the checkability of the outsourcer without anyinteractive operation between the outsourcer and the serverIn the proposed algorithm the outsourcer could detect anyfailure with a probability close to 1 if one of the serversreturns the false result The proposed algorithm improvesthe checkability at the expense of only a little efficiencywhen compared with previous algorithms Finally we utilizethe proposed algorithm as a subroutine to achieve an AIBEscheme with outsourced decryption and an IBS scheme withoutsourced verification
HindawiSecurity and Communication NetworksVolume 2017 Article ID 4892814 9 pageshttpsdoiorg10115520174892814
2 Security and Communication Networks
11 Related Works In the cryptographic community out-sourcing expensive operations to a semitrusted device iswidely studied Chaum and Pedersen [4] introduced theconcept of ldquowallets with observersrdquo that allows installing apiece of hardware on the clientrsquos device to execute some oper-ations for each transaction Hohenberger and Lysyanskayaformalized this model [5] and presented algorithms for thecomputation of modular exponentiations (MExps) based ontwo noncolluding servers Further Chen et al [1] proposeda new outsourcing algorithm for MExps with improvedefficiency and checkability based on the same model as[5] However it is still possible for the outsourcer to becheated by the server Ren et al then constructed a verifiableoutsourcing scheme of MExps where the outsourcer candetect the errorwith a probability of 1 if the servermisbehaves[6] Lai et al [7] proposed an attribute-based encryption(ABE) scheme with verifiable outsourcing decryption whichguaranteed that an outsourcer can efficiently detect thewrongresults Qin et al [8] then proposed new ABE schemewith outsourced decryption where the outsourcer couldverify the outsourcing results with a high efficiency at theexpense of minimal overhead Chen et al first consideredthe problem of outsourcing computation in attribute-basedsignature (ABS) schemes and delegated the verification ofsignature to an untrusted server [9] Yu et al [10] proposeda secure and efficient cloud storage auditing scheme withverifiable outsourcing of key updates The process of keyupdates is outsourced to the third party auditor (TPA) andthe TPA only knows the encrypted secret key Meanwhilethe outsourcer could verify the effectiveness of encryptedsecret keyswhen uploading newfiles to the cloud server AlsoWang et al [11] proposed a privacy-preserving public auditingsystem for data storage security and extended it to handlethe problem of multiple auditing where the TPA could learnnothing about data and the integrity of data could be verifiedpublicly Other works target specific classes of functions suchas revocable identity-based encryption [12] solution of linearequations [13] and image features extraction [14]
In recent years bilinear pairings have various applicationsin constructing new cryptographic primitive for exampleidentity-based encryption [15] short signature [16] andkey agreement protocol [17] In pairing-based cryptographythe computation of bilinear pairing is the most expensiveoperation and it has important effects on efficiency of theseschemes or protocols Thus a lot of research work has beendone to compute bilinear pairing efficiently [18 19]
Chevallier-Mames et al [20] presented the first algorithmfor secure outsourcing of bilinear pairings based on anuntrusted server where the outsourcer could detect anyfailure with probability of 1 if the server returns an incorrectresult However the outsourcer must execute some otherexpensive operations such as scalar multiplications andmodular exponentiations where these computations are evencomparable to those of bilinear pairings in some scenarios[19 21] Subsequently other works on delegation of bilinearpairings [22 23] also suffer from the same problems Chenet al proposed the first efficient outsourcing algorithm ofbilinear pairing in the one-malicious version of two untrustedprogram models [24] where the outsourcer only carried out
5 point additions and 4multiplicationswithout any expensiveoperations which is suitable for the computation-limitedclient However the checkability of the algorithm in [24]is only 12 and the outsourcer may accept a false resultreturned by a malicious server with probability of 12 Tian etal presented two outsourcing algorithms of bilinear pairingbased on two servers [25] One is more efficient than thealgorithmof [24] and the outsourcer needs to execute 4 pointadditions and 3 multiplications with the same checkabilityThe other algorithm is more flexible based on two untrustedservers with improved checkability As we know it is alsopossible for the outsourcer to be cheated by the server andthe error cannot be detected successfully Recently Ren et alpresented a new outsourcing algorithm of bilinear pairingwhich improves the checkability of the outsourcer to 1 andit is impossible for the server to cheat the outsourcer toaccept a false outsourcing result [26] However it needs twointeractive rounds between the outsourcer and the server andincreases the communication cost though the checkability isimproved to 1
12 Organization The rest of this paper is organized asfollows In Section 2 we introduce the definition of bilinearpairing and security model of the outsourcing scheme Anoninteractive verifiable outsourcing algorithm of bilinearpairing is presented and its security analysis is given inSection 3 In Section 4 we introduce two applications ofthe proposed outsourcing scheme an AIBE scheme withoutsourced decryption and an IBS scheme with outsourcedverification The performance evaluation of the proposedscheme is presented in Section 5 In Section 6 we concludethe paper
2 Definitions
In this section we introduce the properties of bilinearpairings security definition and model of the proposedoutsourcing algorithms
21 Bilinear Pairings Let 119902 be a large prime 119866119866 aretwo cyclic addition groups of order 119902 and 119866119879 is a cyclicmultiplicative group of order 119902 119875119876 are generators of 119866119866respectively 119890 119866 times 119866 rarr 119866119879 is a bilinear map with thefollowing properties [15 16 21]
1 Bilinear 119890(1198860119877 1198870119881) = 119890(119877 119881)11988601198870 for any 119877 isin 119866 119881 isin119866 and 1198860 1198870 isin 119885119902lowast2 Nondegenerate there exist 1198770 isin 119866 1198810 isin 119866 such that119890(1198770 1198810) = 13 Computable there is an efficient algorithm to com-pute 119890(119877 119881) for any 119877 isin 119866 119881 isin 119866
The bilinear map and the bilinear pairing can be realizedby supersingular elliptic curves or hyperelliptic curves overfinite groups and Weil or Tate pairings respectively [15 1621]
Security and Communication Networks 3
22 SecurityDefinition andModel Nowwe review the formalsecurity definition of an outsourcing algorithm introducedby [5] An algorithm Alg includes a trusted part 119879 and anuntrusted program 119880 and 119879119880 denotes the works carriedout by 119879 invoking 119880 An adversary 119860 is simulated by apair of algorithms (119864 1198801015840) where 119864 denotes the adversarialenvironment that submits adversarial inputs for Alg and 1198801015840represents adversarial software written by 119864 As described in[5] we assume that the two adversaries (119864 1198801015840) can onlymakedirect communication before the execution of 119879119880 and inother cases they can only communicate with each other bypassing messages through the outsourcer 119879Definition 1 (algorithm with outsource IO) An algorithmAlg takes five inputs and generates three outputs The firstthree inputs are chosen by an honest party and the last twoinputs are generated by the environment 119864 The first input ishonest and secret which is unknown for both 119864 and 1198801015840 thesecond is honest and protected whichmay be public for119864 butis private for 1198801015840 the third is honest and unprotected whichmay be public for both 119864 and 1198801015840 the fourth is adversarialand protected which is public for 119864 but is protected from1198801015840 and the last one is adversarial and unprotected which ispublic for 119864 and1198801015840 Similarly the first output is secret whichis protected from 119864 and 1198801015840 the second is protected whichmay be public for 119864 but not 1198801015840 and the third is unprotectedwhich may be public for both 119864 and 1198801015840
The following security definition ensures that both 119864 and1198801015840 cannot obtain any information about the private inputsand outputs of 119879119880 even if 119879 uses the malicious software 1198801015840written by 119864Definition 2 (outsource-security) Let Alg be an algorithmwith outsource IO 119879119880 is called an outsource-secure imple-mentation of Alg if the following conditions hold
(1) Correctness 119879119880 is a correct implementation of Alg(2) Security for all probabilistic polynomial-time (PPT)
adversaries 119860 = (1198641198801015840) there exist two PPT simulators(1198781 1198782) such that the following pairs of random variables arecomputationally indistinguishable
Pair One 119864119881119868119864119882real sim 119864119881119868119864119882ideal which means that themalicious environment 119864 cannot gain anything interestingabout the private inputs and outputs during the execution of119879119880 The detailed definitions of the real process and the idealprocess are omitted because of limited space please see [5]for the details
Pair Two 119880119881119868119864119882real sim 119880119881119868119864119882ideal which means that theuntrusted software 1198801015840 written by 119864 learns nothing about theinputs and outputs during the execution of119879119880 Please also see[5] for the detailed definitions
Assume that 119879119880 is a correct implementation of Alg wehave the following definitions
Definition 3 (120572-efficient secure outsourcing) A pair of algo-rithms (119879 119880) are 120572-efficient if the running time of 119879is not
more than an 120572-multiplicative factor of that of Alg for anyinput 119909Definition 4 (120573-checkable secure outsourcing) A pair ofalgorithms (119879 119880) are 120573-checkable if 119879 detects any deviationof1198801015840 from its advertised functionality during the implemen-tation of 1198791198801015840(119909) with probability not less than 120573 for any input119909Definition 5 ((120572 120573)-outsource-security) A pair of algorithms(119879 119880) are called an (120572 120573)-outsource-secure implementationof Alg if they are both 120572-efficient and 120573-checkable
The proposed algorithms are executed based on twountrusted program models introduced by [5] In this modelthe adversarial environment 119864 writes two programs 1198801015840 =(11988010158401 11988010158402) and 119879 installs these programs in a manner such thatall subsequent communication between any two of11986411988010158401 and11988010158402 must pass through 119879 The new adversary attacking 119879 is119860 = (11986411988010158401 11988010158402) We assume that at most one of the programsmisbehaves but we do not knowwhich one It is named as theone-malicious version of two untrusted models In the realworld it is equivalent to buying two copies of the untrustedsoftware from different vendors and achieving the outsourcesecurity as long as one of them is honest [1]
3 Verifiable Secure Outsourcing ofBilinear Pairing
As [5] a subroutine named Rand is used to speed up thecomputations The inputs for Rand are a prime 119902 two cyclicaddition groups 119866119866 of order 119902 and a bilinear map 119890 119866 times119866 rarr 119866119879 where 119866119879 is a cyclic multiplicative group of order 119902and the output for each invocation is a random independentvector of the following form
(1199051 1199052 1198861119875 + 1198862119875 1198863119875 1198864119875 1198871119875 + 1198872119875 1198873119875minus (1198861119875 + 1198862119875 + 1198873119875) minus (11990521198861119875 + 1198862119875) minus (1198861119875 + 11990521198862119875) 1198861119876 + 1198862119876 1198863119876 1198871119876 + 1198872119876 11988731198761198874119876 minus (1198871119876 + 1198872119876 + 1198863119876) minus (11990511198871119876 + 1198872119876) minus (1198871119876 + 11990511198872119876) 119890 (1198863119875 1198863119876) 119890 (1198873119875 1198873119876) 119890 (1198864119875 1198871119876 + 1198872119876)1199051+1 119890 (1198861119875 + 1198862119875 1198874119876)1199052+1 119890 (1198861119875 + 1198862119875 1198871119876 + 1198872119876)minus1)
(1)
where 1198861 1198862 1198863 1198864 1198871 1198872 1198873 1198874isin119877119885119902lowast 1199051 1199052 isin [2 3 119904]and 119904 is a small number
We can use the table-lookup method to implement thisfunctionality First a trusted server computes a table ofrandom independent vectors in advance and then stores itinto the memory of 119879 For each invocation of i 119879 needs toretrieves a new vector in the table
31 Verifiable Outsourcing Algorithm We propose a nonin-teractive verifiable outsourcing algorithmNIVBP for bilinear
4 Security and Communication Networks
pairing in the one-malicious model In NIVBP algorithm 119879outsources its bilinear pairing computations to 1198801 and 1198802 byinvoking the subroutine Rand A requirement for NIVBP isthat the adversary 119860 cannot know any useful informationabout the inputs and outputs of NIVBP
Let 119902 be a large prime The input of NIVBP is 119860 isin 119866and 119861 isin 119866 and the output is 119890(119860 119861) 119860 and 119861 are bothcomputationally blinded to 1198801 and 1198802 The proposed NIVBPalgorithm is described as follows
(1) 119879 firstly runs Rand one time to create a blindingvector as (1)(2) 119879 queries 1198801 in random order as follows
1198801 (119860 + 1198861119875 + 1198862119875 119861 + 1198871119876 + 1198872119876) 997888rarr12057211 = 119890 (119860 + 1198861119875 + 1198862119875 119861 + 1198871119876 + 1198872119876) 1198801 (119860 + 1198871119875 + 1198872119875 1198863119876) 997888rarr12057212 = 119890 (119860 + 1198871119875 + 1198872119875 1198863119876) 1198801 (minus1198873119875 minus 1198861119875 minus 1198862119875 119861 + 1198873119876) 997888rarr12057213 = 119890 (minus1198873119875 minus 1198861119875 minus 1198862119875 119861 + 1198873119876) 1198801 (119860 + 1198864119875 minus11990511198871119876 minus 1198872119876) 997888rarr12057214 = 119890 (119860 + 1198864119875 minus11990511198871119876 minus 1198872119876) 1198801 (minus11990521198861119875 minus 1198862119875 119861 + 1198874119876) 997888rarr12057215 = 119890 (minus11990521198861119875 minus 1198862119875 119861 + 1198874119876)
(2)
Similarly 119879 queries 1198802 in random order as follows
1198802 (119860 + 1198861119875 + 1198862119875 119861 + 1198871119876 + 1198872119876) 997888rarr12057221 = 119890 (119860 + 1198861119875 + 1198862119875 119861 + 1198871119876 + 1198872119876) 1198802 (119860 + 1198863119875 minus1198863119876 minus 1198871119876 minus 1198872119876) 997888rarr12057222 = 119890 (119860 + 1198863119875 minus1198863119876 minus 1198871119876 minus 1198872119876) 1198802 (1198873119875 119861 + 1198861119876 + 1198862119876) 997888rarr12057223 = 119890 (1198873119875 119861 + 1198861119876 + 1198862119876) 1198802 (119860 + 1198864119875 minus1198871119876 minus 11990511198872119876) 997888rarr12057224 = 119890 (119860 + 1198864119875 minus1198871119876 minus 11990511198872119876) 1198802 (minus1198861119875 minus 11990521198862119875 119861 + 1198874119876) 997888rarr12057225 = 119890 (minus1198861119875 minus 11990521198862119875 119861 + 1198874119876)
(3)
(3) 119879 verifies whether 1198801 and 1198802 generate the correctoutputs which means that (4)ndash(6) hold
(a)
12057211 = 12057221 (4)
(b)
(12057212 sdot 12057222 sdot 119890 (1198863119875 1198863119876))1199051+1= 12057214 sdot 12057224 sdot 119890 (1198864119875 1198871119876 + 1198872119876)1199051+1 (5)
(c)
(12057213 sdot 12057223 sdot 119890 (1198873119875 1198873119876))1199052+1= 12057215 sdot 12057225 sdot 119890 (1198861119875 + 1198862119875 1198874119876)1199052+1 (6)
If not 119879 outputs ldquoerrorrdquo otherwise 119879 outputs
12057212 sdot 12057222 sdot 119890 (1198863119875 1198863119876) = 119890 (119860 1198871119876 + 1198872119876)minus1 12057213 sdot 12057223 sdot 119890 (1198873119875 1198873119876) = 119890 (1198861119875 + 1198862119875 119861)minus1 (7)
119890 (119860 119861)= 12057211 sdot 119890 (119860 1198871119876 + 1198872119876)minus1 sdot 119890 (1198861119875 + 1198862119875 119861)minus1
sdot 119890 (1198861119875 + 1198862119875 1198871119876 + 1198872119876)minus1 (8)
Correctness It is obvious that formula (4) holds if two serversare all honest In addition
12057212 sdot 12057222 sdot 119890 (1198863119875 1198863119876)= 119890 (1198871119875 + 1198872119875 1198863119876) 119890 (119860 + 1198863119875 minus1198871119876 minus 1198872119876)= 119890 (119860 1198871119876 + 1198872119876)minus1
(9)
12057213 sdot 12057223 sdot 119890 (1198873119875 1198873119876)= 119890 (minus1198861119875 minus 1198862119875 119861 + 1198873119876) 119890 (1198873119875 1198861119876 + 1198862119876)= 119890 (1198861119875 + 1198862119875 119861)minus1
(10)
(1205721212057222119890 (1198863119875 1198863119876))1199051+1= 1205721412057224119890 (1198864119875 1198871119876 + 1198872119876)1199051+1= 119890 (119860 + 1198864119875 1198871119876 + 1198872119876)minus(1199051+1) 119890 (1198864119875 1198871119876 + 1198872119876)1199051+1= 119890 (119860 1198871119876 + 1198872119876)minus(1199051+1)
(11)
(1205721312057223119890 (1198873119875 1198873119876))1199052+1= 1205721512057225119890 (1198861119875 + 1198862119875 1198874119876)1199052+1= 119890 (1198861119875 + 1198862119875 119861 + 1198874119876)minus(1199052+1) 119890 (1198861119875 + 1198862119875 1198874119876)1199052+1= 119890 (1198861119875 + 1198862119875 119861)minus(1199052+1)
(12)
Therefore formulas (4)ndash(6) hold according to the aboveanalysis Finally 119879 obtains 119890(119860 119861) as (8)Remark 6 If one of the servers is dishonest the results couldbe verified successfully with a probability close to 1 except that
Security and Communication Networks 5
the dishonest server knows the values of 12057211 12057212 12057213 12057214 12057215(or 12057221 12057222 12057223 12057224 12057225) and 1199051 1199052 As we know five queriessent to 1198801 and 1198802 are submitted in random order and 1199051 1199052 isin[2 3 119904] So the dishonest server could guess the values of12057211 12057212 12057213 12057214 12057215 (or 12057221 12057222 12057223 12057224 12057225) and 1199051 1199052 withthe probabilities of 15 and 1(119904minus1)2 respectivelyThereforethe checkability of the NIVBP algorithm is
1 minus 15 (119904 minus 1)2 = 1 minus 1120 (119904 minus 1)2 asymp 1 (13)
Remark 7 The proposed algorithmNIVBP is also applicativein the condition where 119866119866 are two cyclic multiplicationgroups Let 119892 119892 be generators of 119866119866 respectively 119890 119866 times119866 rarr 119866119879 is a bilinear map In this case the inputs of NIVBPare also 119860 isin 119866 and 119861 isin 119866 and the output is also 119890(119860 119861) Thedetails are also omitted because of limited space
32 Security Analysis
Theorem 8 In the one-malicious model the proposed algo-rithm (119879 (1198801 1198802)) is an outsource-secure implementation ofNIVBP where the input (119860 119861) may be honest and secret orhonest and protected or adversarial and protected
Proof Let 119860 = (11986411988010158401 11988010158402) be a PPT adversary that interactswith a PPT algorithm 119879 in the one-malicious model
First we prove that EVIEWreal sim EVIEWideal whichmeans that the environment 119864 learns nothing during theexecution of (119879 (1198801 1198802)) If the input (119860 119861) is honest andprotected or adversarial and protected it is obvious thatthe simulator 1198781 behaves the same as in the real executionTherefore we only need to prove the case where (119860 119861) is anhonest secret input
So suppose that (119860 119861) is an honest secret input Thesimulator 1198781 in the ideal experiment behaves as follows Onreceiving the input on round 119894 1198781 ignores it and insteadmakesfive random queries of the form (120572119895 120573119895) to both 11988010158401 and 11988010158402Finally 1198781 randomly checks one output 119890(120572119895 120573119895) from eachprogram If an error is detected 1198781 saves all states and outputs119884119894119901 = ldquoerrorrdquo 119884119894119906 = rep119894 = 1 and thus the final output forideal process is (estate119894 ldquoerrorrdquo ) If no error is detected1198781 checks the remaining four outputs If all checks pass 1198781outputs 119884119894119901 = 119884119894119906 = rep119894 = 0 that is the final outputfor ideal process is (estate119894 119910119894119901 119910119894119906) otherwise 1198781 selects arandom element 119903 and outputs 119884119894119901 = 119903 119884119894119906 = rep119894 = 1and the output for ideal process is (estate119894 119903 )
In addition we need to show that the inputs to (11988010158401 11988010158402)in the real experiment are computationally indistinguishablefrom those in the ideal one In the ideal experiment theinputs are selected uniformly at random In the real oneeach part of all five queries that 119879 makes to any programis generated by invoking the subroutine Rand and thus iscomputationally indistinguishable from random numbersTherefore we consider three possible conditions If (11988010158401 11988010158402)both are honest in round 119894 EVIEW119894real sim EVIEW119894ideal sincethe outputs of NIVBP are not replaced and rep119894 = 0
if one of (11988010158401 11988010158402) is dishonest in round 119894 the fault mustbe detected by both 119879 and 1198781 with a probability close to1 resulting in an output of ldquoerrorrdquo otherwise the outputof NIVBP is corrupted with a probability of 1120(119904 minus1)2 In the real experiment the five outputs generated by(11988010158401 11988010158402) are multiplied together along with a random valueThus EVIEW119894real sim EVIEW119894ideal even when one of (11988010158401 11988010158402)misbehaves so we conclude that EVIEWreal sim EVIEWideal
Second we prove that UVIEWreal sim UVIEWideal whichmeans that the untrusted software (11988010158401 11988010158402) learns nothingduring the execution of (119879 (11988010158401 11988010158402)) In the ideal experimentthe simulator 1198782 always behaves as follows when receiving theinput on round 119894 1198782 ignores it but submits five randomqueriesof the form (120572119895 120573119895) to 11988010158401 and 11988010158402 Then 1198782 saves its states andthose of (11988010158401 11988010158402) Since the honest secret or honest protectedor adversarial protected inputs are all private for (11988010158401 11988010158402) thesimulator 1198782 is applicable to all those conditions As shownin Pair One the inputs to (11988010158401 11988010158402) in the real experiment arecomputationally indistinguishable from those in the ideal onerandomly chosen by 1198782 Thus UVIEW119894real sim UVIEW119894ideal foreach round 119894 and so UVIEWreal sim UVIEWideal
Theorem 9 In the one-malicious model the proposed algo-rithm (119879 (1198801 1198802)) in Section 31 is verifiable that is theoutsourcer can test the error with a probability close to 1 if oneof the servers outputs the false result
Proof Assume that 1198801 is an honest server and 1198802 is amalicious server At the end of the algorithm the outsourcerverifies the results by formulas (4)ndash(6) It is obvious that 1198802must generate the correct value of 12057221 otherwise formula(4) cannot pass the verification with a probability of 1Thus the only possibility of 1198802 cheating 119879 is returningthe false value of 12057221 12057222 12057223 12057224 12057225 which is denoted by12057221 12057222 12057223 12057224 12057225 respectively
Assume that 12057221 12057222 12057223 12057224 12057225 could pass the verifica-tion of formulas (5) and (6) that is
(12057212 sdot 12057222 sdot 119890 (1198863119875 1198863119876))1199051+1= 12057214 sdot 12057224 sdot 119890 (1198864119875 1198871119876 + 1198872119876)1199051+1
(12057213 sdot 12057223 sdot 119890 (1198873119875 1198873119876))1199052+1= 12057215 sdot 12057225 sdot 119890 (1198861119875 + 1198862119875 1198874119876)1199052+1
(14)
which means that
(12057222)1199051+112057224 = 12057214 sdot 119890 (1198864119875 1198871119876 + 1198872119876)1199051+1120572121199051+1 sdot 119890 (1198863119875 1198863119876)1199051+1
(12057223)1199051+112057225 = 12057215 sdot 119890 (1198861119875 + 1198862119875 1198874119876)1199052+1120572131199052+1 sdot 119890 (1198873119875 1198873119876)1199052+1
(15)
Since 1198801 is an honest server 12057211 12057212 12057213 12057214 12057215 mustbe correct In addition 119890(1198863119875 1198863119876) 119890(1198873119875 1198873119876) 119890(1198864119875 1198871119876+1198872119876)1199051+1 119890(1198861119875 + 1198862119875 1198874119876)1199052+1 are generated randomly byRand subroutine and so these values must be true Thus the
6 Security and Communication Networks
Table 1 Comparison of the outsourcing algorithms for bilinearpairing
Algorithm Pair[24]
TZR1[25]
TZR2[25](119904 = 4) VBP [26] NIVBP(119904 = 4)
PA (119879) 5 4 11 8 8M (119879) 4 3 9 11 19Invoke (Rand) 3 1 2 2 1Pair (119880) 8 6 6 6 10MExp (119880) 0 0 0 4 0Interactive No No No Yes NoServers Two Two Two Two TwoCheckability 05 05 084 1 0999
values of (12057222)1199051+112057224 and (12057223)1199052+112057225 should be true even if12057221 12057222 12057223 12057224 12057225 are incorrect otherwise they could notpass the verification of formulas (5) and (6)
In order to obtain the true values of (12057222)1199051+112057224 and(12057223)1199052+1120572251198802must guess the values of12057221 12057222 1205722312057224 12057225and 1199051 1199052 As shown in Section 31 the probabilities ofguessing the true values of 12057221 12057222 12057223 12057224 12057225 and 1199051 1199052 are15 and 1(119904 minus 1)2 respectively Therefore the outsourcercan test the error with a probability of 1 minus 15(119904 minus 1)2 =1 minus 1120(119904 minus 1)2 asymp 1Theorem 10 In the one-malicious model the proposed algo-rithm (119879 (1198801 1198802)) is an (119874(119904119898) asymp 1)-outsource-secureimplementation of NIVBP where 119904 is a small positive integerand 119898 is the bit length of 119902 and 119902 is the order of 119866119866Proof The proposed algorithm NIVBP makes one call toRand and 8 point additions (PA) in 119866 or 119866 and 119874(119904)multiplication in 119866119879 in order to compute 119890(119860 119861) As shownin [24] it takes roughly 119874(119898) multiplications in resultingfinite field to compute the bilinear pairing where 119898 is thebit length of 119902 Thus the proposed algorithm is an 119874(119904119898)-efficient implementation of NIVBP On the other hand itmust be detected with a probability close to 1 if 1198801 or 1198802 failsduring any execution of NIVBP fromTheorem 9
33 Comparison We compare the outsourcing algorithmsfor bilinear pairing with input privacy in Table 1 where 119904is a small positive integer and ldquoPArdquo and ldquoMrdquo denote theoperation of point addition in 119866 or 119866 and multiplication in119866119879 respectively
From Table 1 we conclude that the NIVBP algorithmincreases checkability of the outsourcer though a little com-putation cost is appended comparedwith Pair andTZR1 algo-rithms In addition theNIVBP algorithm improves computa-tion efficiency and checkability of the outsourcer simultane-ously compared with TZR2 algorithm for the same param-eter 119904 = 4 The efficiency and checkability of the NIVBPalgorithm are nearly the same as those of VBP algorithm butit decreases the communication cost since it is noninteractivewhile the VBP algorithm is interactiveTherefore theNIVBP
algorithm increases checkability and decreases communica-tion cost of the outsourcer although a little computation costis appended
4 Applications
In this section we introduce two applications of the pro-posed NIVBP algorithm anonymous identity-based encryp-tion (AIBE) scheme [27] and identity-based signature (IBS)scheme [28]
Let119866119866 119866119879 be three cyclicmultiplication groups of order119902 and let 119892 119892 be generators of 119866119866 respectively 119890 119866 times119866 rarr119866119879 is a bilinear map In the following schemes 119866 = 11986641 Boyen-Waters AIBE Scheme with Outsourcing DecryptionThe proposed outsource-secure AIBE scheme consists of thefollowing algorithms
Setup It chooses a random generator 119892 isin 119866 random groupelements 1198920 1198921 isin 119866 and random exponents 120596 1199051 1199052 1199053 1199054 isin119885119902 The master key MSK = 120596 1199051 1199052 1199053 1199054 and the publicparameters PK are as follows
119890 (119892 119892)11990511199052120596 119892 1198920 1198921 V1 = 1198921199051 V2 = 1198921199052 V3 = 1198921199053 V4= 1198921199054 (16)
Extract (MSK ID) To issue a private key for identity ID itchooses two random exponents 1199031 1199032 isin 119885119902 and computes theprivate key SKID = 1198890 1198891 1198892 1198893 1198894 as follows
1198890 = 119892119903111990511199052+119903211990531199054 1198891 = 119892minus1205961199052 (11989201198921ID)minus11990311199052 1198892 = 119892minus1205961199051 (11989201198921ID)minus11990311199051 1198893 = (11989201198921ID)minus11990321199054 1198894 = (11989201198921ID)minus11990321199053
(17)
Encrypt (PK ID M) To encrypt a message 119872 isin 119866119879 for anidentity ID it chooses random 119904 1199041 1199042 isin 119885119902 and creates theciphertext CT = 1198621015840 1198620 1198621 1198622 1198623 1198624 as follows
119872119890 (119892 119892)11990511199052120596119904 (11989201198921ID)119904 V1119904minus1199041 V21199041 V3119904minus1199042 V41199042 (18)
Decrypt (PK ID CT) The outsourcer 119879 executes the NIVBPalgorithm for five times and obtains
119890 (119862119894 119889119894) = NIVBP (119862119894 119889119894) 119894 = 0 1 2 3 4 (19)
and then computes 1198621015840prod4119894=0119890(119862119894 119889119894) = 119872
Security and Communication Networks 7
42 Paterson-Schuldt IBS Scheme with Outsourcing Verifica-tion The detailed scheme is shown as follows
Setup It picks 120572 isin 119885119902 1198922 isin 119866 and computes 1198921 =119892120572 Further choose 1199061015840 1198981015840 isin 119866 and vectors 119880 = (119906119894)119872 = (119898119894) of length 119899119906 and 119899119898 respectively where 119906119894 119898119894 arerandom elements from 119866 The public parameters are PK =119892 1198921 1198922 1199061015840 1198801198981015840119872 119890(1198922 1198921) and the master secret key is1198922120572Extract Let 119906 be a bit string of length 119899119906 representing anidentity and let 119906[119894] be the 119894-th bit of 119906 Set 119880 sub 1 2 119899119906as the set of index 119894 such that 119906[119894] = 1 To construct the privatekey 119889119906 of the identity 119906 pick 119903119906 isin 119885119902 and compute
119889119906 = (1198922120572(1199061015840prod119894isin119880
119906119894)119903119906 119892119903119906) (20)
Sign Let 119872 sub 1 119899119898 be the set of index 119895 such that119898[119895] = 1 where 119898 is a message and 119898[119895] is the 119895-th bit of119898 To generate a signature 120590 for the message 119898 randomlychoose 119903119898 isin 119885119902 and compute
120590 = (1198922120572(1199061015840prod119894isin119880
119906119894)119903119906 (1198981015840prod
119895isin119872
119898119895)119903119898 119892119903119906 119892119903119898) (21)
Verify Given a signature 120590 = (119881 119877119906 119877119898) of an identity 119906 for amessage 119898 the outsourcer 119879 executes the NIVBP algorithmand obtains
119890 (119881 119892) = 119873119868119881119861119875 (119881 119892) 119890 (1199061015840prod119894isin119880
119906119894 119877119906) = 119873119868119881119861119875(1199061015840prod119894isin119880
119906119894 119877119906)
119890(1199061015840prod119894isin119880
119906119894 119877119906) = 119873119868119881119861119875(1198981015840prod119895isin119872
119898119895 119877119898) (22)
And verify
119890 (119881 119892)= 119890 (1198922 1198921) 119890(1199061015840prod
119894isin119880
119906119894 119877119906)119890(1199061015840prod119894isin119880
119906119894 119877119906) (23)
It is obvious that the two outsourcing schemes areverifiable and secure since the NIVBP algorithm is verifiablewith input privacy as described in Section 3
5 Performance Evaluation
In this section we provide an experimental evaluation ofthe proposed outsourcing algorithms Our experiment issimulated on two machines with Intel Xeon Processor run-ning at 34GHz with 32G memory (cloud server) and IntelCeleron Processor running at 12 GHz with 2G memory (the
Tim
e (m
s)
200 300 400 500 600 700 800 900 1000100Computing rounds
0
1000
2000
3000
4000
5000
6000
7000
DirectServer (U1)Server (U2)
Client
Figure 1 Simulation for the NIVBP algorithm
outsourcer) respectively The programming language is Javausing Java Pairing-Based Cryptography (JPBC) Library Theparameter 119902 is a 160-bit prime that is randomly generated
In Figure 1 we provide the simulation of NIVBP algo-rithm which means that the fault can be found with aprobability close to 1 if one of the servers misbehaves Itis obvious that the time cost for the outsourcer 119879 is muchsmaller than that for directly computing bilinear pairingsince a number of computations have been delegated totwo servers Therefore the proposed NIVBP algorithm isthe implementation of secure and verifiable outsourcing forbilinear pairing
In Figure 2 we compare the evaluation times of theoutsourcing algorithms for bilinear pairing proposed in[24ndash26] and this paper respectively From Figure 2 weconclude that for the outsourcer 119879 the NIVBP algorithm issuperior toTZR2 algorithm in efficiency and it appends smallcomputation cost to improve the checkability compared withPair and TZR1 algorithms In addition the NIVBP algorithmis nearly the same as VBP algorithm in efficiency but it isnoninteractive and decreases the communication cost of theoutsourcer Thus the proposed NIVBP algorithm improvesthe checkability and decreases communication cost for theoutsourcer simultaneously based on two servers in the one-malicious model
6 Conclusions
In this paper we propose a noninteractive verifiable out-source-secure algorithm for bilinear pairing The securitymodel of our proposed algorithm is based on two noncol-luding servers and the outsourcer can detect any failure witha probability close to 1 if one of the servers misbehavesCompared with the previous ones the proposed algorithmimproves the checkability and communication efficiencysimultaneously for the outsourcer
8 Security and Communication NetworksTi
me (
ms)
0
100
200
300
400
500
600
700
800
200 300 400 500 600 700 800 900 1000100Computing rounds
VBP [26]NIVBP (s = 4)
Pair [24]TZR1 [25]
TZR2 [25] (s = 4)
Figure 2 Efficiency comparison of the outsourcing algorithms forbilinear pairing
Conflicts of Interest
The authors declare that they have no conflicts of interest
Acknowledgments
The work described in this paper was supported by theNational Natural Science Foundation of China (Grant no61572309) Natural Science Foundation of Shanghai (no16ZR1411200) and Program for New Century Excellent Tal-ents in University (NCET-12-0620)
References
[1] X F Chen J Li J Ma Q Tang and W Lou ldquoNew algorithmsfor secure outsourcing of modular exponentiationsrdquo IEEETransactions On Parallel And Distributed Systems vol 25 no9 pp 2386ndash2396 2014
[2] RGennaro CGentry andB Parno ldquoNon-interactive verifiablecomputing outsourcing computation to untrusted workersrdquo inAdvances in cryptologymdashCRYPTO 2010 vol 6223 of LectureNotes in Comput Sci pp 465ndash482 Springer Berlin Germany2010
[3] K-M Chung Y Kalai and S Vadhan ldquoImproved delega-tion of computation using fully homomorphic encryptionrdquo inAdvances in cryptologymdashCRYPTO 2010 vol 6223 of LectureNotes in Comput Sci pp 483ndash501 Springer Berlin Germany2010
[4] D Chaum and T Pedersen ldquoWallet databases with observersrdquoin Advances in CryptologymdashCRYPTOrsquo 92 vol 740 of LectureNotes in Computer Science pp 89ndash105 Springer Berlin Ger-many 1993
[5] S Hohenberger and A Lysyanskaya ldquoHow to securely out-source cryptographic computationsrdquo in Proceedings of the TCC2005 vol 3378 of Lecture Notes in Computer Science pp 264ndash282 Springer
[6] Y Ren N Dingy X Zhang H Lu and D Gu ldquoVerifi-able outsourcing algorithms for modular exponentiations withimproved checkabilityrdquo in Proceedings of the 11th ACM AsiaConference on Computer and Communications Security ASIACCS 2016 pp 293ndash303 ACM June 2016
[7] J-Z Lai R H Deng C Guan and J Weng ldquoAttribute-based encryption with verifiable outsourced decryptionrdquo IEEETransactions on Information Forensics and Security vol 8 no 8pp 1343ndash1354 2013
[8] B Qin R H Deng S Liu and S Ma ldquoAttribute-basedencryption with efficient verifiable outsourced decryptionrdquoIEEE Transactions on Information Forensics and Security vol 10no 7 pp 1384ndash1393 2015
[9] X Chen J Li X Huang J Li Y Xiang and D SWong ldquoSecureoutsourced attribute-based signaturesrdquo IEEE Transactions onParallel and Distributed Systems vol 25 no 12 pp 3284ndash32942014
[10] J Yu K Ren and C Wang ldquoEnabling cloud storage auditingwith verifiable outsourcing of key updatesrdquo IEEE Transactionson Information Forensics and Security vol 11 no 6 pp 1362ndash1375 2016
[11] C Wang Q Wang K Ren and W Lou ldquoPrivacy-preservingpublic auditing for data storage security in cloud computingrdquoin Proceedings of the IEEE INFO-COM pp 525ndash533 San DiegoCalif USA March 2010
[12] Y Ren N Ding X Zhang H Lu and D Gu ldquoIdentity-basedencryption with verifiable outsourced revocationrdquo ComputerJournal vol 59 no 11 pp 1659ndash1668 2016
[13] X Chen X Huang J Li J Ma W Lou and D S WongldquoNew algorithms for secure outsourcing of large-scale systemsof linear equationsrdquo IEEE Transactions on Information andForensics Security vol 10 no 1 pp 69ndash78 2015
[14] Y Ren X Zhang G Feng Z Qian and F Li ldquoHow to ExtractImage Features based on Co-occurrence Matrix Securely andEfficiently in Cloud Computingrdquo IEEE Transactions on CloudComputing 2017
[15] D Boneh andM Franklin ldquoIdentity-based encryption from theWeil pairingrdquo in Advances in CryptologymdashCRYPTO 2001 vol2139 of LectureNotes in Computer Science pp 213ndash229 SpringerBerlin Germany 2001
[16] J C Cha and JH Cheon ldquoAn identity-based signature fromgapDiffie-Hellman groupsrdquo in Proceedings of the PKC vol 2567 ofLecture Notes in Computer Science pp 18ndash30 Springer
[17] A Joux ldquoA one round protocol for tripartite Diffie-Hellmanrdquo inProceedings of the ANTS vol 1838 of Lecture Notes in ComputerScience pp 385ndash393 Springer 2000
[18] M Scott N Costigan and W Abdulwahab ldquoImplementingcryptographic pairings on smartcardsrdquo in Proceedings of theCHES vol 4249 of LNCS pp 134ndash147 2006
[19] P S Barreto S D Galbraith C Heigeartaigh and M ScottldquoEfficient pairing computation on supersingular abelian vari-etiesrdquo Designs Codes and Cryptography vol 42 no 3 pp 239ndash271 2007
[20] B Chevallier-Mames J-S Coron N McCullagh D Naccacheand M Scott ldquoSecure delegation of elliptic-curve pairingrdquo inProceedings of the CARDIS 2010 vol 6035 of LNCS pp 24ndash352010
[21] S D Galbraith K G Paterson and N Smart ldquoPairings forcryptographersrdquo Discrete Applied Mathematics vol 156 no 16pp 3113ndash3121 2008
[22] P Tsang S Chow and S Smith ldquoBatch pairing delegationrdquo inProceedings of the IWSEC 2007 90 74 pages 2007
Security and Communication Networks 9
[23] S SMChowMHAu andW Susilo ldquoServer-aided signaturesverification secure against collusion attackrdquo in Proceedings ofthe 6th International Symposium on Information Computer andCommunications Security ASIACCS 2011 pp 401ndash405 March2011
[24] X Chen W Susilo J Li et al ldquoEfficient algorithms for secureoutsourcing of bilinear pairingsrdquoTheoretical Computer Sciencevol 562 pp 112ndash121 2015
[25] H Tian F Zhang and K Ren ldquoSecure bilinear pairingoutsourcing made more efficient and flexiblerdquo in Proceedingsof the 10th ACM Symposium on Information Computer andCommunications Security ASIACCS 2015 pp 417ndash426 April2015
[26] Y Ren N Ding T Wang H Lu and D Gu ldquoNew algorithmsfor verifiable outsourcing of bilinear pairingsrdquo Science ChinaInformation Sciences vol 59 no 9 Article ID 99103 2016
[27] X Boyen and B Waters ldquoAnonymous hierarchical identity-based encryption (without random oracles)rdquo in Advances incryptologymdashCRYPTO 2006 vol 4117 of Lecture Notes in Com-puter Science pp 290ndash307 Springer Berlin Germany 2006
[28] K G Paterson and J C N Schuldt ldquoEfficient identity-basedsignatures secure in the standard modelrdquo in Proceedings of theACISP 2006 vol 4058 of Lecture Notes in Computer Science pp207ndash222 Springer
RoboticsJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Active and Passive Electronic Components
Control Scienceand Engineering
Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
International Journal of
RotatingMachinery
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporation httpwwwhindawicom
Journal of
Volume 201
Submit your manuscripts athttpswwwhindawicom
VLSI Design
Hindawi Publishing Corporationhttpwwwhindawicom Volume 201
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Shock and Vibration
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Civil EngineeringAdvances in
Acoustics and VibrationAdvances in
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Electrical and Computer Engineering
Journal of
Advances inOptoElectronics
Hindawi Publishing Corporation httpwwwhindawicom
Volume 2014
The Scientific World JournalHindawi Publishing Corporation httpwwwhindawicom Volume 2014
SensorsJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Modelling amp Simulation in EngineeringHindawi Publishing Corporation httpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Chemical EngineeringInternational Journal of Antennas and
Propagation
International Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Navigation and Observation
International Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
DistributedSensor Networks
International Journal of
2 Security and Communication Networks
11 Related Works In the cryptographic community out-sourcing expensive operations to a semitrusted device iswidely studied Chaum and Pedersen [4] introduced theconcept of ldquowallets with observersrdquo that allows installing apiece of hardware on the clientrsquos device to execute some oper-ations for each transaction Hohenberger and Lysyanskayaformalized this model [5] and presented algorithms for thecomputation of modular exponentiations (MExps) based ontwo noncolluding servers Further Chen et al [1] proposeda new outsourcing algorithm for MExps with improvedefficiency and checkability based on the same model as[5] However it is still possible for the outsourcer to becheated by the server Ren et al then constructed a verifiableoutsourcing scheme of MExps where the outsourcer candetect the errorwith a probability of 1 if the servermisbehaves[6] Lai et al [7] proposed an attribute-based encryption(ABE) scheme with verifiable outsourcing decryption whichguaranteed that an outsourcer can efficiently detect thewrongresults Qin et al [8] then proposed new ABE schemewith outsourced decryption where the outsourcer couldverify the outsourcing results with a high efficiency at theexpense of minimal overhead Chen et al first consideredthe problem of outsourcing computation in attribute-basedsignature (ABS) schemes and delegated the verification ofsignature to an untrusted server [9] Yu et al [10] proposeda secure and efficient cloud storage auditing scheme withverifiable outsourcing of key updates The process of keyupdates is outsourced to the third party auditor (TPA) andthe TPA only knows the encrypted secret key Meanwhilethe outsourcer could verify the effectiveness of encryptedsecret keyswhen uploading newfiles to the cloud server AlsoWang et al [11] proposed a privacy-preserving public auditingsystem for data storage security and extended it to handlethe problem of multiple auditing where the TPA could learnnothing about data and the integrity of data could be verifiedpublicly Other works target specific classes of functions suchas revocable identity-based encryption [12] solution of linearequations [13] and image features extraction [14]
In recent years bilinear pairings have various applicationsin constructing new cryptographic primitive for exampleidentity-based encryption [15] short signature [16] andkey agreement protocol [17] In pairing-based cryptographythe computation of bilinear pairing is the most expensiveoperation and it has important effects on efficiency of theseschemes or protocols Thus a lot of research work has beendone to compute bilinear pairing efficiently [18 19]
Chevallier-Mames et al [20] presented the first algorithmfor secure outsourcing of bilinear pairings based on anuntrusted server where the outsourcer could detect anyfailure with probability of 1 if the server returns an incorrectresult However the outsourcer must execute some otherexpensive operations such as scalar multiplications andmodular exponentiations where these computations are evencomparable to those of bilinear pairings in some scenarios[19 21] Subsequently other works on delegation of bilinearpairings [22 23] also suffer from the same problems Chenet al proposed the first efficient outsourcing algorithm ofbilinear pairing in the one-malicious version of two untrustedprogram models [24] where the outsourcer only carried out
5 point additions and 4multiplicationswithout any expensiveoperations which is suitable for the computation-limitedclient However the checkability of the algorithm in [24]is only 12 and the outsourcer may accept a false resultreturned by a malicious server with probability of 12 Tian etal presented two outsourcing algorithms of bilinear pairingbased on two servers [25] One is more efficient than thealgorithmof [24] and the outsourcer needs to execute 4 pointadditions and 3 multiplications with the same checkabilityThe other algorithm is more flexible based on two untrustedservers with improved checkability As we know it is alsopossible for the outsourcer to be cheated by the server andthe error cannot be detected successfully Recently Ren et alpresented a new outsourcing algorithm of bilinear pairingwhich improves the checkability of the outsourcer to 1 andit is impossible for the server to cheat the outsourcer toaccept a false outsourcing result [26] However it needs twointeractive rounds between the outsourcer and the server andincreases the communication cost though the checkability isimproved to 1
12 Organization The rest of this paper is organized asfollows In Section 2 we introduce the definition of bilinearpairing and security model of the outsourcing scheme Anoninteractive verifiable outsourcing algorithm of bilinearpairing is presented and its security analysis is given inSection 3 In Section 4 we introduce two applications ofthe proposed outsourcing scheme an AIBE scheme withoutsourced decryption and an IBS scheme with outsourcedverification The performance evaluation of the proposedscheme is presented in Section 5 In Section 6 we concludethe paper
2 Definitions
In this section we introduce the properties of bilinearpairings security definition and model of the proposedoutsourcing algorithms
21 Bilinear Pairings Let 119902 be a large prime 119866119866 aretwo cyclic addition groups of order 119902 and 119866119879 is a cyclicmultiplicative group of order 119902 119875119876 are generators of 119866119866respectively 119890 119866 times 119866 rarr 119866119879 is a bilinear map with thefollowing properties [15 16 21]
1 Bilinear 119890(1198860119877 1198870119881) = 119890(119877 119881)11988601198870 for any 119877 isin 119866 119881 isin119866 and 1198860 1198870 isin 119885119902lowast2 Nondegenerate there exist 1198770 isin 119866 1198810 isin 119866 such that119890(1198770 1198810) = 13 Computable there is an efficient algorithm to com-pute 119890(119877 119881) for any 119877 isin 119866 119881 isin 119866
The bilinear map and the bilinear pairing can be realizedby supersingular elliptic curves or hyperelliptic curves overfinite groups and Weil or Tate pairings respectively [15 1621]
Security and Communication Networks 3
22 SecurityDefinition andModel Nowwe review the formalsecurity definition of an outsourcing algorithm introducedby [5] An algorithm Alg includes a trusted part 119879 and anuntrusted program 119880 and 119879119880 denotes the works carriedout by 119879 invoking 119880 An adversary 119860 is simulated by apair of algorithms (119864 1198801015840) where 119864 denotes the adversarialenvironment that submits adversarial inputs for Alg and 1198801015840represents adversarial software written by 119864 As described in[5] we assume that the two adversaries (119864 1198801015840) can onlymakedirect communication before the execution of 119879119880 and inother cases they can only communicate with each other bypassing messages through the outsourcer 119879Definition 1 (algorithm with outsource IO) An algorithmAlg takes five inputs and generates three outputs The firstthree inputs are chosen by an honest party and the last twoinputs are generated by the environment 119864 The first input ishonest and secret which is unknown for both 119864 and 1198801015840 thesecond is honest and protected whichmay be public for119864 butis private for 1198801015840 the third is honest and unprotected whichmay be public for both 119864 and 1198801015840 the fourth is adversarialand protected which is public for 119864 but is protected from1198801015840 and the last one is adversarial and unprotected which ispublic for 119864 and1198801015840 Similarly the first output is secret whichis protected from 119864 and 1198801015840 the second is protected whichmay be public for 119864 but not 1198801015840 and the third is unprotectedwhich may be public for both 119864 and 1198801015840
The following security definition ensures that both 119864 and1198801015840 cannot obtain any information about the private inputsand outputs of 119879119880 even if 119879 uses the malicious software 1198801015840written by 119864Definition 2 (outsource-security) Let Alg be an algorithmwith outsource IO 119879119880 is called an outsource-secure imple-mentation of Alg if the following conditions hold
(1) Correctness 119879119880 is a correct implementation of Alg(2) Security for all probabilistic polynomial-time (PPT)
adversaries 119860 = (1198641198801015840) there exist two PPT simulators(1198781 1198782) such that the following pairs of random variables arecomputationally indistinguishable
Pair One 119864119881119868119864119882real sim 119864119881119868119864119882ideal which means that themalicious environment 119864 cannot gain anything interestingabout the private inputs and outputs during the execution of119879119880 The detailed definitions of the real process and the idealprocess are omitted because of limited space please see [5]for the details
Pair Two 119880119881119868119864119882real sim 119880119881119868119864119882ideal which means that theuntrusted software 1198801015840 written by 119864 learns nothing about theinputs and outputs during the execution of119879119880 Please also see[5] for the detailed definitions
Assume that 119879119880 is a correct implementation of Alg wehave the following definitions
Definition 3 (120572-efficient secure outsourcing) A pair of algo-rithms (119879 119880) are 120572-efficient if the running time of 119879is not
more than an 120572-multiplicative factor of that of Alg for anyinput 119909Definition 4 (120573-checkable secure outsourcing) A pair ofalgorithms (119879 119880) are 120573-checkable if 119879 detects any deviationof1198801015840 from its advertised functionality during the implemen-tation of 1198791198801015840(119909) with probability not less than 120573 for any input119909Definition 5 ((120572 120573)-outsource-security) A pair of algorithms(119879 119880) are called an (120572 120573)-outsource-secure implementationof Alg if they are both 120572-efficient and 120573-checkable
The proposed algorithms are executed based on twountrusted program models introduced by [5] In this modelthe adversarial environment 119864 writes two programs 1198801015840 =(11988010158401 11988010158402) and 119879 installs these programs in a manner such thatall subsequent communication between any two of11986411988010158401 and11988010158402 must pass through 119879 The new adversary attacking 119879 is119860 = (11986411988010158401 11988010158402) We assume that at most one of the programsmisbehaves but we do not knowwhich one It is named as theone-malicious version of two untrusted models In the realworld it is equivalent to buying two copies of the untrustedsoftware from different vendors and achieving the outsourcesecurity as long as one of them is honest [1]
3 Verifiable Secure Outsourcing ofBilinear Pairing
As [5] a subroutine named Rand is used to speed up thecomputations The inputs for Rand are a prime 119902 two cyclicaddition groups 119866119866 of order 119902 and a bilinear map 119890 119866 times119866 rarr 119866119879 where 119866119879 is a cyclic multiplicative group of order 119902and the output for each invocation is a random independentvector of the following form
(1199051 1199052 1198861119875 + 1198862119875 1198863119875 1198864119875 1198871119875 + 1198872119875 1198873119875minus (1198861119875 + 1198862119875 + 1198873119875) minus (11990521198861119875 + 1198862119875) minus (1198861119875 + 11990521198862119875) 1198861119876 + 1198862119876 1198863119876 1198871119876 + 1198872119876 11988731198761198874119876 minus (1198871119876 + 1198872119876 + 1198863119876) minus (11990511198871119876 + 1198872119876) minus (1198871119876 + 11990511198872119876) 119890 (1198863119875 1198863119876) 119890 (1198873119875 1198873119876) 119890 (1198864119875 1198871119876 + 1198872119876)1199051+1 119890 (1198861119875 + 1198862119875 1198874119876)1199052+1 119890 (1198861119875 + 1198862119875 1198871119876 + 1198872119876)minus1)
(1)
where 1198861 1198862 1198863 1198864 1198871 1198872 1198873 1198874isin119877119885119902lowast 1199051 1199052 isin [2 3 119904]and 119904 is a small number
We can use the table-lookup method to implement thisfunctionality First a trusted server computes a table ofrandom independent vectors in advance and then stores itinto the memory of 119879 For each invocation of i 119879 needs toretrieves a new vector in the table
31 Verifiable Outsourcing Algorithm We propose a nonin-teractive verifiable outsourcing algorithmNIVBP for bilinear
4 Security and Communication Networks
pairing in the one-malicious model In NIVBP algorithm 119879outsources its bilinear pairing computations to 1198801 and 1198802 byinvoking the subroutine Rand A requirement for NIVBP isthat the adversary 119860 cannot know any useful informationabout the inputs and outputs of NIVBP
Let 119902 be a large prime The input of NIVBP is 119860 isin 119866and 119861 isin 119866 and the output is 119890(119860 119861) 119860 and 119861 are bothcomputationally blinded to 1198801 and 1198802 The proposed NIVBPalgorithm is described as follows
(1) 119879 firstly runs Rand one time to create a blindingvector as (1)(2) 119879 queries 1198801 in random order as follows
1198801 (119860 + 1198861119875 + 1198862119875 119861 + 1198871119876 + 1198872119876) 997888rarr12057211 = 119890 (119860 + 1198861119875 + 1198862119875 119861 + 1198871119876 + 1198872119876) 1198801 (119860 + 1198871119875 + 1198872119875 1198863119876) 997888rarr12057212 = 119890 (119860 + 1198871119875 + 1198872119875 1198863119876) 1198801 (minus1198873119875 minus 1198861119875 minus 1198862119875 119861 + 1198873119876) 997888rarr12057213 = 119890 (minus1198873119875 minus 1198861119875 minus 1198862119875 119861 + 1198873119876) 1198801 (119860 + 1198864119875 minus11990511198871119876 minus 1198872119876) 997888rarr12057214 = 119890 (119860 + 1198864119875 minus11990511198871119876 minus 1198872119876) 1198801 (minus11990521198861119875 minus 1198862119875 119861 + 1198874119876) 997888rarr12057215 = 119890 (minus11990521198861119875 minus 1198862119875 119861 + 1198874119876)
(2)
Similarly 119879 queries 1198802 in random order as follows
1198802 (119860 + 1198861119875 + 1198862119875 119861 + 1198871119876 + 1198872119876) 997888rarr12057221 = 119890 (119860 + 1198861119875 + 1198862119875 119861 + 1198871119876 + 1198872119876) 1198802 (119860 + 1198863119875 minus1198863119876 minus 1198871119876 minus 1198872119876) 997888rarr12057222 = 119890 (119860 + 1198863119875 minus1198863119876 minus 1198871119876 minus 1198872119876) 1198802 (1198873119875 119861 + 1198861119876 + 1198862119876) 997888rarr12057223 = 119890 (1198873119875 119861 + 1198861119876 + 1198862119876) 1198802 (119860 + 1198864119875 minus1198871119876 minus 11990511198872119876) 997888rarr12057224 = 119890 (119860 + 1198864119875 minus1198871119876 minus 11990511198872119876) 1198802 (minus1198861119875 minus 11990521198862119875 119861 + 1198874119876) 997888rarr12057225 = 119890 (minus1198861119875 minus 11990521198862119875 119861 + 1198874119876)
(3)
(3) 119879 verifies whether 1198801 and 1198802 generate the correctoutputs which means that (4)ndash(6) hold
(a)
12057211 = 12057221 (4)
(b)
(12057212 sdot 12057222 sdot 119890 (1198863119875 1198863119876))1199051+1= 12057214 sdot 12057224 sdot 119890 (1198864119875 1198871119876 + 1198872119876)1199051+1 (5)
(c)
(12057213 sdot 12057223 sdot 119890 (1198873119875 1198873119876))1199052+1= 12057215 sdot 12057225 sdot 119890 (1198861119875 + 1198862119875 1198874119876)1199052+1 (6)
If not 119879 outputs ldquoerrorrdquo otherwise 119879 outputs
12057212 sdot 12057222 sdot 119890 (1198863119875 1198863119876) = 119890 (119860 1198871119876 + 1198872119876)minus1 12057213 sdot 12057223 sdot 119890 (1198873119875 1198873119876) = 119890 (1198861119875 + 1198862119875 119861)minus1 (7)
119890 (119860 119861)= 12057211 sdot 119890 (119860 1198871119876 + 1198872119876)minus1 sdot 119890 (1198861119875 + 1198862119875 119861)minus1
sdot 119890 (1198861119875 + 1198862119875 1198871119876 + 1198872119876)minus1 (8)
Correctness It is obvious that formula (4) holds if two serversare all honest In addition
12057212 sdot 12057222 sdot 119890 (1198863119875 1198863119876)= 119890 (1198871119875 + 1198872119875 1198863119876) 119890 (119860 + 1198863119875 minus1198871119876 minus 1198872119876)= 119890 (119860 1198871119876 + 1198872119876)minus1
(9)
12057213 sdot 12057223 sdot 119890 (1198873119875 1198873119876)= 119890 (minus1198861119875 minus 1198862119875 119861 + 1198873119876) 119890 (1198873119875 1198861119876 + 1198862119876)= 119890 (1198861119875 + 1198862119875 119861)minus1
(10)
(1205721212057222119890 (1198863119875 1198863119876))1199051+1= 1205721412057224119890 (1198864119875 1198871119876 + 1198872119876)1199051+1= 119890 (119860 + 1198864119875 1198871119876 + 1198872119876)minus(1199051+1) 119890 (1198864119875 1198871119876 + 1198872119876)1199051+1= 119890 (119860 1198871119876 + 1198872119876)minus(1199051+1)
(11)
(1205721312057223119890 (1198873119875 1198873119876))1199052+1= 1205721512057225119890 (1198861119875 + 1198862119875 1198874119876)1199052+1= 119890 (1198861119875 + 1198862119875 119861 + 1198874119876)minus(1199052+1) 119890 (1198861119875 + 1198862119875 1198874119876)1199052+1= 119890 (1198861119875 + 1198862119875 119861)minus(1199052+1)
(12)
Therefore formulas (4)ndash(6) hold according to the aboveanalysis Finally 119879 obtains 119890(119860 119861) as (8)Remark 6 If one of the servers is dishonest the results couldbe verified successfully with a probability close to 1 except that
Security and Communication Networks 5
the dishonest server knows the values of 12057211 12057212 12057213 12057214 12057215(or 12057221 12057222 12057223 12057224 12057225) and 1199051 1199052 As we know five queriessent to 1198801 and 1198802 are submitted in random order and 1199051 1199052 isin[2 3 119904] So the dishonest server could guess the values of12057211 12057212 12057213 12057214 12057215 (or 12057221 12057222 12057223 12057224 12057225) and 1199051 1199052 withthe probabilities of 15 and 1(119904minus1)2 respectivelyThereforethe checkability of the NIVBP algorithm is
1 minus 15 (119904 minus 1)2 = 1 minus 1120 (119904 minus 1)2 asymp 1 (13)
Remark 7 The proposed algorithmNIVBP is also applicativein the condition where 119866119866 are two cyclic multiplicationgroups Let 119892 119892 be generators of 119866119866 respectively 119890 119866 times119866 rarr 119866119879 is a bilinear map In this case the inputs of NIVBPare also 119860 isin 119866 and 119861 isin 119866 and the output is also 119890(119860 119861) Thedetails are also omitted because of limited space
32 Security Analysis
Theorem 8 In the one-malicious model the proposed algo-rithm (119879 (1198801 1198802)) is an outsource-secure implementation ofNIVBP where the input (119860 119861) may be honest and secret orhonest and protected or adversarial and protected
Proof Let 119860 = (11986411988010158401 11988010158402) be a PPT adversary that interactswith a PPT algorithm 119879 in the one-malicious model
First we prove that EVIEWreal sim EVIEWideal whichmeans that the environment 119864 learns nothing during theexecution of (119879 (1198801 1198802)) If the input (119860 119861) is honest andprotected or adversarial and protected it is obvious thatthe simulator 1198781 behaves the same as in the real executionTherefore we only need to prove the case where (119860 119861) is anhonest secret input
So suppose that (119860 119861) is an honest secret input Thesimulator 1198781 in the ideal experiment behaves as follows Onreceiving the input on round 119894 1198781 ignores it and insteadmakesfive random queries of the form (120572119895 120573119895) to both 11988010158401 and 11988010158402Finally 1198781 randomly checks one output 119890(120572119895 120573119895) from eachprogram If an error is detected 1198781 saves all states and outputs119884119894119901 = ldquoerrorrdquo 119884119894119906 = rep119894 = 1 and thus the final output forideal process is (estate119894 ldquoerrorrdquo ) If no error is detected1198781 checks the remaining four outputs If all checks pass 1198781outputs 119884119894119901 = 119884119894119906 = rep119894 = 0 that is the final outputfor ideal process is (estate119894 119910119894119901 119910119894119906) otherwise 1198781 selects arandom element 119903 and outputs 119884119894119901 = 119903 119884119894119906 = rep119894 = 1and the output for ideal process is (estate119894 119903 )
In addition we need to show that the inputs to (11988010158401 11988010158402)in the real experiment are computationally indistinguishablefrom those in the ideal one In the ideal experiment theinputs are selected uniformly at random In the real oneeach part of all five queries that 119879 makes to any programis generated by invoking the subroutine Rand and thus iscomputationally indistinguishable from random numbersTherefore we consider three possible conditions If (11988010158401 11988010158402)both are honest in round 119894 EVIEW119894real sim EVIEW119894ideal sincethe outputs of NIVBP are not replaced and rep119894 = 0
if one of (11988010158401 11988010158402) is dishonest in round 119894 the fault mustbe detected by both 119879 and 1198781 with a probability close to1 resulting in an output of ldquoerrorrdquo otherwise the outputof NIVBP is corrupted with a probability of 1120(119904 minus1)2 In the real experiment the five outputs generated by(11988010158401 11988010158402) are multiplied together along with a random valueThus EVIEW119894real sim EVIEW119894ideal even when one of (11988010158401 11988010158402)misbehaves so we conclude that EVIEWreal sim EVIEWideal
Second we prove that UVIEWreal sim UVIEWideal whichmeans that the untrusted software (11988010158401 11988010158402) learns nothingduring the execution of (119879 (11988010158401 11988010158402)) In the ideal experimentthe simulator 1198782 always behaves as follows when receiving theinput on round 119894 1198782 ignores it but submits five randomqueriesof the form (120572119895 120573119895) to 11988010158401 and 11988010158402 Then 1198782 saves its states andthose of (11988010158401 11988010158402) Since the honest secret or honest protectedor adversarial protected inputs are all private for (11988010158401 11988010158402) thesimulator 1198782 is applicable to all those conditions As shownin Pair One the inputs to (11988010158401 11988010158402) in the real experiment arecomputationally indistinguishable from those in the ideal onerandomly chosen by 1198782 Thus UVIEW119894real sim UVIEW119894ideal foreach round 119894 and so UVIEWreal sim UVIEWideal
Theorem 9 In the one-malicious model the proposed algo-rithm (119879 (1198801 1198802)) in Section 31 is verifiable that is theoutsourcer can test the error with a probability close to 1 if oneof the servers outputs the false result
Proof Assume that 1198801 is an honest server and 1198802 is amalicious server At the end of the algorithm the outsourcerverifies the results by formulas (4)ndash(6) It is obvious that 1198802must generate the correct value of 12057221 otherwise formula(4) cannot pass the verification with a probability of 1Thus the only possibility of 1198802 cheating 119879 is returningthe false value of 12057221 12057222 12057223 12057224 12057225 which is denoted by12057221 12057222 12057223 12057224 12057225 respectively
Assume that 12057221 12057222 12057223 12057224 12057225 could pass the verifica-tion of formulas (5) and (6) that is
(12057212 sdot 12057222 sdot 119890 (1198863119875 1198863119876))1199051+1= 12057214 sdot 12057224 sdot 119890 (1198864119875 1198871119876 + 1198872119876)1199051+1
(12057213 sdot 12057223 sdot 119890 (1198873119875 1198873119876))1199052+1= 12057215 sdot 12057225 sdot 119890 (1198861119875 + 1198862119875 1198874119876)1199052+1
(14)
which means that
(12057222)1199051+112057224 = 12057214 sdot 119890 (1198864119875 1198871119876 + 1198872119876)1199051+1120572121199051+1 sdot 119890 (1198863119875 1198863119876)1199051+1
(12057223)1199051+112057225 = 12057215 sdot 119890 (1198861119875 + 1198862119875 1198874119876)1199052+1120572131199052+1 sdot 119890 (1198873119875 1198873119876)1199052+1
(15)
Since 1198801 is an honest server 12057211 12057212 12057213 12057214 12057215 mustbe correct In addition 119890(1198863119875 1198863119876) 119890(1198873119875 1198873119876) 119890(1198864119875 1198871119876+1198872119876)1199051+1 119890(1198861119875 + 1198862119875 1198874119876)1199052+1 are generated randomly byRand subroutine and so these values must be true Thus the
6 Security and Communication Networks
Table 1 Comparison of the outsourcing algorithms for bilinearpairing
Algorithm Pair[24]
TZR1[25]
TZR2[25](119904 = 4) VBP [26] NIVBP(119904 = 4)
PA (119879) 5 4 11 8 8M (119879) 4 3 9 11 19Invoke (Rand) 3 1 2 2 1Pair (119880) 8 6 6 6 10MExp (119880) 0 0 0 4 0Interactive No No No Yes NoServers Two Two Two Two TwoCheckability 05 05 084 1 0999
values of (12057222)1199051+112057224 and (12057223)1199052+112057225 should be true even if12057221 12057222 12057223 12057224 12057225 are incorrect otherwise they could notpass the verification of formulas (5) and (6)
In order to obtain the true values of (12057222)1199051+112057224 and(12057223)1199052+1120572251198802must guess the values of12057221 12057222 1205722312057224 12057225and 1199051 1199052 As shown in Section 31 the probabilities ofguessing the true values of 12057221 12057222 12057223 12057224 12057225 and 1199051 1199052 are15 and 1(119904 minus 1)2 respectively Therefore the outsourcercan test the error with a probability of 1 minus 15(119904 minus 1)2 =1 minus 1120(119904 minus 1)2 asymp 1Theorem 10 In the one-malicious model the proposed algo-rithm (119879 (1198801 1198802)) is an (119874(119904119898) asymp 1)-outsource-secureimplementation of NIVBP where 119904 is a small positive integerand 119898 is the bit length of 119902 and 119902 is the order of 119866119866Proof The proposed algorithm NIVBP makes one call toRand and 8 point additions (PA) in 119866 or 119866 and 119874(119904)multiplication in 119866119879 in order to compute 119890(119860 119861) As shownin [24] it takes roughly 119874(119898) multiplications in resultingfinite field to compute the bilinear pairing where 119898 is thebit length of 119902 Thus the proposed algorithm is an 119874(119904119898)-efficient implementation of NIVBP On the other hand itmust be detected with a probability close to 1 if 1198801 or 1198802 failsduring any execution of NIVBP fromTheorem 9
33 Comparison We compare the outsourcing algorithmsfor bilinear pairing with input privacy in Table 1 where 119904is a small positive integer and ldquoPArdquo and ldquoMrdquo denote theoperation of point addition in 119866 or 119866 and multiplication in119866119879 respectively
From Table 1 we conclude that the NIVBP algorithmincreases checkability of the outsourcer though a little com-putation cost is appended comparedwith Pair andTZR1 algo-rithms In addition theNIVBP algorithm improves computa-tion efficiency and checkability of the outsourcer simultane-ously compared with TZR2 algorithm for the same param-eter 119904 = 4 The efficiency and checkability of the NIVBPalgorithm are nearly the same as those of VBP algorithm butit decreases the communication cost since it is noninteractivewhile the VBP algorithm is interactiveTherefore theNIVBP
algorithm increases checkability and decreases communica-tion cost of the outsourcer although a little computation costis appended
4 Applications
In this section we introduce two applications of the pro-posed NIVBP algorithm anonymous identity-based encryp-tion (AIBE) scheme [27] and identity-based signature (IBS)scheme [28]
Let119866119866 119866119879 be three cyclicmultiplication groups of order119902 and let 119892 119892 be generators of 119866119866 respectively 119890 119866 times119866 rarr119866119879 is a bilinear map In the following schemes 119866 = 11986641 Boyen-Waters AIBE Scheme with Outsourcing DecryptionThe proposed outsource-secure AIBE scheme consists of thefollowing algorithms
Setup It chooses a random generator 119892 isin 119866 random groupelements 1198920 1198921 isin 119866 and random exponents 120596 1199051 1199052 1199053 1199054 isin119885119902 The master key MSK = 120596 1199051 1199052 1199053 1199054 and the publicparameters PK are as follows
119890 (119892 119892)11990511199052120596 119892 1198920 1198921 V1 = 1198921199051 V2 = 1198921199052 V3 = 1198921199053 V4= 1198921199054 (16)
Extract (MSK ID) To issue a private key for identity ID itchooses two random exponents 1199031 1199032 isin 119885119902 and computes theprivate key SKID = 1198890 1198891 1198892 1198893 1198894 as follows
1198890 = 119892119903111990511199052+119903211990531199054 1198891 = 119892minus1205961199052 (11989201198921ID)minus11990311199052 1198892 = 119892minus1205961199051 (11989201198921ID)minus11990311199051 1198893 = (11989201198921ID)minus11990321199054 1198894 = (11989201198921ID)minus11990321199053
(17)
Encrypt (PK ID M) To encrypt a message 119872 isin 119866119879 for anidentity ID it chooses random 119904 1199041 1199042 isin 119885119902 and creates theciphertext CT = 1198621015840 1198620 1198621 1198622 1198623 1198624 as follows
119872119890 (119892 119892)11990511199052120596119904 (11989201198921ID)119904 V1119904minus1199041 V21199041 V3119904minus1199042 V41199042 (18)
Decrypt (PK ID CT) The outsourcer 119879 executes the NIVBPalgorithm for five times and obtains
119890 (119862119894 119889119894) = NIVBP (119862119894 119889119894) 119894 = 0 1 2 3 4 (19)
and then computes 1198621015840prod4119894=0119890(119862119894 119889119894) = 119872
Security and Communication Networks 7
42 Paterson-Schuldt IBS Scheme with Outsourcing Verifica-tion The detailed scheme is shown as follows
Setup It picks 120572 isin 119885119902 1198922 isin 119866 and computes 1198921 =119892120572 Further choose 1199061015840 1198981015840 isin 119866 and vectors 119880 = (119906119894)119872 = (119898119894) of length 119899119906 and 119899119898 respectively where 119906119894 119898119894 arerandom elements from 119866 The public parameters are PK =119892 1198921 1198922 1199061015840 1198801198981015840119872 119890(1198922 1198921) and the master secret key is1198922120572Extract Let 119906 be a bit string of length 119899119906 representing anidentity and let 119906[119894] be the 119894-th bit of 119906 Set 119880 sub 1 2 119899119906as the set of index 119894 such that 119906[119894] = 1 To construct the privatekey 119889119906 of the identity 119906 pick 119903119906 isin 119885119902 and compute
119889119906 = (1198922120572(1199061015840prod119894isin119880
119906119894)119903119906 119892119903119906) (20)
Sign Let 119872 sub 1 119899119898 be the set of index 119895 such that119898[119895] = 1 where 119898 is a message and 119898[119895] is the 119895-th bit of119898 To generate a signature 120590 for the message 119898 randomlychoose 119903119898 isin 119885119902 and compute
120590 = (1198922120572(1199061015840prod119894isin119880
119906119894)119903119906 (1198981015840prod
119895isin119872
119898119895)119903119898 119892119903119906 119892119903119898) (21)
Verify Given a signature 120590 = (119881 119877119906 119877119898) of an identity 119906 for amessage 119898 the outsourcer 119879 executes the NIVBP algorithmand obtains
119890 (119881 119892) = 119873119868119881119861119875 (119881 119892) 119890 (1199061015840prod119894isin119880
119906119894 119877119906) = 119873119868119881119861119875(1199061015840prod119894isin119880
119906119894 119877119906)
119890(1199061015840prod119894isin119880
119906119894 119877119906) = 119873119868119881119861119875(1198981015840prod119895isin119872
119898119895 119877119898) (22)
And verify
119890 (119881 119892)= 119890 (1198922 1198921) 119890(1199061015840prod
119894isin119880
119906119894 119877119906)119890(1199061015840prod119894isin119880
119906119894 119877119906) (23)
It is obvious that the two outsourcing schemes areverifiable and secure since the NIVBP algorithm is verifiablewith input privacy as described in Section 3
5 Performance Evaluation
In this section we provide an experimental evaluation ofthe proposed outsourcing algorithms Our experiment issimulated on two machines with Intel Xeon Processor run-ning at 34GHz with 32G memory (cloud server) and IntelCeleron Processor running at 12 GHz with 2G memory (the
Tim
e (m
s)
200 300 400 500 600 700 800 900 1000100Computing rounds
0
1000
2000
3000
4000
5000
6000
7000
DirectServer (U1)Server (U2)
Client
Figure 1 Simulation for the NIVBP algorithm
outsourcer) respectively The programming language is Javausing Java Pairing-Based Cryptography (JPBC) Library Theparameter 119902 is a 160-bit prime that is randomly generated
In Figure 1 we provide the simulation of NIVBP algo-rithm which means that the fault can be found with aprobability close to 1 if one of the servers misbehaves Itis obvious that the time cost for the outsourcer 119879 is muchsmaller than that for directly computing bilinear pairingsince a number of computations have been delegated totwo servers Therefore the proposed NIVBP algorithm isthe implementation of secure and verifiable outsourcing forbilinear pairing
In Figure 2 we compare the evaluation times of theoutsourcing algorithms for bilinear pairing proposed in[24ndash26] and this paper respectively From Figure 2 weconclude that for the outsourcer 119879 the NIVBP algorithm issuperior toTZR2 algorithm in efficiency and it appends smallcomputation cost to improve the checkability compared withPair and TZR1 algorithms In addition the NIVBP algorithmis nearly the same as VBP algorithm in efficiency but it isnoninteractive and decreases the communication cost of theoutsourcer Thus the proposed NIVBP algorithm improvesthe checkability and decreases communication cost for theoutsourcer simultaneously based on two servers in the one-malicious model
6 Conclusions
In this paper we propose a noninteractive verifiable out-source-secure algorithm for bilinear pairing The securitymodel of our proposed algorithm is based on two noncol-luding servers and the outsourcer can detect any failure witha probability close to 1 if one of the servers misbehavesCompared with the previous ones the proposed algorithmimproves the checkability and communication efficiencysimultaneously for the outsourcer
8 Security and Communication NetworksTi
me (
ms)
0
100
200
300
400
500
600
700
800
200 300 400 500 600 700 800 900 1000100Computing rounds
VBP [26]NIVBP (s = 4)
Pair [24]TZR1 [25]
TZR2 [25] (s = 4)
Figure 2 Efficiency comparison of the outsourcing algorithms forbilinear pairing
Conflicts of Interest
The authors declare that they have no conflicts of interest
Acknowledgments
The work described in this paper was supported by theNational Natural Science Foundation of China (Grant no61572309) Natural Science Foundation of Shanghai (no16ZR1411200) and Program for New Century Excellent Tal-ents in University (NCET-12-0620)
References
[1] X F Chen J Li J Ma Q Tang and W Lou ldquoNew algorithmsfor secure outsourcing of modular exponentiationsrdquo IEEETransactions On Parallel And Distributed Systems vol 25 no9 pp 2386ndash2396 2014
[2] RGennaro CGentry andB Parno ldquoNon-interactive verifiablecomputing outsourcing computation to untrusted workersrdquo inAdvances in cryptologymdashCRYPTO 2010 vol 6223 of LectureNotes in Comput Sci pp 465ndash482 Springer Berlin Germany2010
[3] K-M Chung Y Kalai and S Vadhan ldquoImproved delega-tion of computation using fully homomorphic encryptionrdquo inAdvances in cryptologymdashCRYPTO 2010 vol 6223 of LectureNotes in Comput Sci pp 483ndash501 Springer Berlin Germany2010
[4] D Chaum and T Pedersen ldquoWallet databases with observersrdquoin Advances in CryptologymdashCRYPTOrsquo 92 vol 740 of LectureNotes in Computer Science pp 89ndash105 Springer Berlin Ger-many 1993
[5] S Hohenberger and A Lysyanskaya ldquoHow to securely out-source cryptographic computationsrdquo in Proceedings of the TCC2005 vol 3378 of Lecture Notes in Computer Science pp 264ndash282 Springer
[6] Y Ren N Dingy X Zhang H Lu and D Gu ldquoVerifi-able outsourcing algorithms for modular exponentiations withimproved checkabilityrdquo in Proceedings of the 11th ACM AsiaConference on Computer and Communications Security ASIACCS 2016 pp 293ndash303 ACM June 2016
[7] J-Z Lai R H Deng C Guan and J Weng ldquoAttribute-based encryption with verifiable outsourced decryptionrdquo IEEETransactions on Information Forensics and Security vol 8 no 8pp 1343ndash1354 2013
[8] B Qin R H Deng S Liu and S Ma ldquoAttribute-basedencryption with efficient verifiable outsourced decryptionrdquoIEEE Transactions on Information Forensics and Security vol 10no 7 pp 1384ndash1393 2015
[9] X Chen J Li X Huang J Li Y Xiang and D SWong ldquoSecureoutsourced attribute-based signaturesrdquo IEEE Transactions onParallel and Distributed Systems vol 25 no 12 pp 3284ndash32942014
[10] J Yu K Ren and C Wang ldquoEnabling cloud storage auditingwith verifiable outsourcing of key updatesrdquo IEEE Transactionson Information Forensics and Security vol 11 no 6 pp 1362ndash1375 2016
[11] C Wang Q Wang K Ren and W Lou ldquoPrivacy-preservingpublic auditing for data storage security in cloud computingrdquoin Proceedings of the IEEE INFO-COM pp 525ndash533 San DiegoCalif USA March 2010
[12] Y Ren N Ding X Zhang H Lu and D Gu ldquoIdentity-basedencryption with verifiable outsourced revocationrdquo ComputerJournal vol 59 no 11 pp 1659ndash1668 2016
[13] X Chen X Huang J Li J Ma W Lou and D S WongldquoNew algorithms for secure outsourcing of large-scale systemsof linear equationsrdquo IEEE Transactions on Information andForensics Security vol 10 no 1 pp 69ndash78 2015
[14] Y Ren X Zhang G Feng Z Qian and F Li ldquoHow to ExtractImage Features based on Co-occurrence Matrix Securely andEfficiently in Cloud Computingrdquo IEEE Transactions on CloudComputing 2017
[15] D Boneh andM Franklin ldquoIdentity-based encryption from theWeil pairingrdquo in Advances in CryptologymdashCRYPTO 2001 vol2139 of LectureNotes in Computer Science pp 213ndash229 SpringerBerlin Germany 2001
[16] J C Cha and JH Cheon ldquoAn identity-based signature fromgapDiffie-Hellman groupsrdquo in Proceedings of the PKC vol 2567 ofLecture Notes in Computer Science pp 18ndash30 Springer
[17] A Joux ldquoA one round protocol for tripartite Diffie-Hellmanrdquo inProceedings of the ANTS vol 1838 of Lecture Notes in ComputerScience pp 385ndash393 Springer 2000
[18] M Scott N Costigan and W Abdulwahab ldquoImplementingcryptographic pairings on smartcardsrdquo in Proceedings of theCHES vol 4249 of LNCS pp 134ndash147 2006
[19] P S Barreto S D Galbraith C Heigeartaigh and M ScottldquoEfficient pairing computation on supersingular abelian vari-etiesrdquo Designs Codes and Cryptography vol 42 no 3 pp 239ndash271 2007
[20] B Chevallier-Mames J-S Coron N McCullagh D Naccacheand M Scott ldquoSecure delegation of elliptic-curve pairingrdquo inProceedings of the CARDIS 2010 vol 6035 of LNCS pp 24ndash352010
[21] S D Galbraith K G Paterson and N Smart ldquoPairings forcryptographersrdquo Discrete Applied Mathematics vol 156 no 16pp 3113ndash3121 2008
[22] P Tsang S Chow and S Smith ldquoBatch pairing delegationrdquo inProceedings of the IWSEC 2007 90 74 pages 2007
Security and Communication Networks 9
[23] S SMChowMHAu andW Susilo ldquoServer-aided signaturesverification secure against collusion attackrdquo in Proceedings ofthe 6th International Symposium on Information Computer andCommunications Security ASIACCS 2011 pp 401ndash405 March2011
[24] X Chen W Susilo J Li et al ldquoEfficient algorithms for secureoutsourcing of bilinear pairingsrdquoTheoretical Computer Sciencevol 562 pp 112ndash121 2015
[25] H Tian F Zhang and K Ren ldquoSecure bilinear pairingoutsourcing made more efficient and flexiblerdquo in Proceedingsof the 10th ACM Symposium on Information Computer andCommunications Security ASIACCS 2015 pp 417ndash426 April2015
[26] Y Ren N Ding T Wang H Lu and D Gu ldquoNew algorithmsfor verifiable outsourcing of bilinear pairingsrdquo Science ChinaInformation Sciences vol 59 no 9 Article ID 99103 2016
[27] X Boyen and B Waters ldquoAnonymous hierarchical identity-based encryption (without random oracles)rdquo in Advances incryptologymdashCRYPTO 2006 vol 4117 of Lecture Notes in Com-puter Science pp 290ndash307 Springer Berlin Germany 2006
[28] K G Paterson and J C N Schuldt ldquoEfficient identity-basedsignatures secure in the standard modelrdquo in Proceedings of theACISP 2006 vol 4058 of Lecture Notes in Computer Science pp207ndash222 Springer
RoboticsJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Active and Passive Electronic Components
Control Scienceand Engineering
Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
International Journal of
RotatingMachinery
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporation httpwwwhindawicom
Journal of
Volume 201
Submit your manuscripts athttpswwwhindawicom
VLSI Design
Hindawi Publishing Corporationhttpwwwhindawicom Volume 201
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Shock and Vibration
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Civil EngineeringAdvances in
Acoustics and VibrationAdvances in
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Electrical and Computer Engineering
Journal of
Advances inOptoElectronics
Hindawi Publishing Corporation httpwwwhindawicom
Volume 2014
The Scientific World JournalHindawi Publishing Corporation httpwwwhindawicom Volume 2014
SensorsJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Modelling amp Simulation in EngineeringHindawi Publishing Corporation httpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Chemical EngineeringInternational Journal of Antennas and
Propagation
International Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Navigation and Observation
International Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
DistributedSensor Networks
International Journal of
Security and Communication Networks 3
22 SecurityDefinition andModel Nowwe review the formalsecurity definition of an outsourcing algorithm introducedby [5] An algorithm Alg includes a trusted part 119879 and anuntrusted program 119880 and 119879119880 denotes the works carriedout by 119879 invoking 119880 An adversary 119860 is simulated by apair of algorithms (119864 1198801015840) where 119864 denotes the adversarialenvironment that submits adversarial inputs for Alg and 1198801015840represents adversarial software written by 119864 As described in[5] we assume that the two adversaries (119864 1198801015840) can onlymakedirect communication before the execution of 119879119880 and inother cases they can only communicate with each other bypassing messages through the outsourcer 119879Definition 1 (algorithm with outsource IO) An algorithmAlg takes five inputs and generates three outputs The firstthree inputs are chosen by an honest party and the last twoinputs are generated by the environment 119864 The first input ishonest and secret which is unknown for both 119864 and 1198801015840 thesecond is honest and protected whichmay be public for119864 butis private for 1198801015840 the third is honest and unprotected whichmay be public for both 119864 and 1198801015840 the fourth is adversarialand protected which is public for 119864 but is protected from1198801015840 and the last one is adversarial and unprotected which ispublic for 119864 and1198801015840 Similarly the first output is secret whichis protected from 119864 and 1198801015840 the second is protected whichmay be public for 119864 but not 1198801015840 and the third is unprotectedwhich may be public for both 119864 and 1198801015840
The following security definition ensures that both 119864 and1198801015840 cannot obtain any information about the private inputsand outputs of 119879119880 even if 119879 uses the malicious software 1198801015840written by 119864Definition 2 (outsource-security) Let Alg be an algorithmwith outsource IO 119879119880 is called an outsource-secure imple-mentation of Alg if the following conditions hold
(1) Correctness 119879119880 is a correct implementation of Alg(2) Security for all probabilistic polynomial-time (PPT)
adversaries 119860 = (1198641198801015840) there exist two PPT simulators(1198781 1198782) such that the following pairs of random variables arecomputationally indistinguishable
Pair One 119864119881119868119864119882real sim 119864119881119868119864119882ideal which means that themalicious environment 119864 cannot gain anything interestingabout the private inputs and outputs during the execution of119879119880 The detailed definitions of the real process and the idealprocess are omitted because of limited space please see [5]for the details
Pair Two 119880119881119868119864119882real sim 119880119881119868119864119882ideal which means that theuntrusted software 1198801015840 written by 119864 learns nothing about theinputs and outputs during the execution of119879119880 Please also see[5] for the detailed definitions
Assume that 119879119880 is a correct implementation of Alg wehave the following definitions
Definition 3 (120572-efficient secure outsourcing) A pair of algo-rithms (119879 119880) are 120572-efficient if the running time of 119879is not
more than an 120572-multiplicative factor of that of Alg for anyinput 119909Definition 4 (120573-checkable secure outsourcing) A pair ofalgorithms (119879 119880) are 120573-checkable if 119879 detects any deviationof1198801015840 from its advertised functionality during the implemen-tation of 1198791198801015840(119909) with probability not less than 120573 for any input119909Definition 5 ((120572 120573)-outsource-security) A pair of algorithms(119879 119880) are called an (120572 120573)-outsource-secure implementationof Alg if they are both 120572-efficient and 120573-checkable
The proposed algorithms are executed based on twountrusted program models introduced by [5] In this modelthe adversarial environment 119864 writes two programs 1198801015840 =(11988010158401 11988010158402) and 119879 installs these programs in a manner such thatall subsequent communication between any two of11986411988010158401 and11988010158402 must pass through 119879 The new adversary attacking 119879 is119860 = (11986411988010158401 11988010158402) We assume that at most one of the programsmisbehaves but we do not knowwhich one It is named as theone-malicious version of two untrusted models In the realworld it is equivalent to buying two copies of the untrustedsoftware from different vendors and achieving the outsourcesecurity as long as one of them is honest [1]
3 Verifiable Secure Outsourcing ofBilinear Pairing
As [5] a subroutine named Rand is used to speed up thecomputations The inputs for Rand are a prime 119902 two cyclicaddition groups 119866119866 of order 119902 and a bilinear map 119890 119866 times119866 rarr 119866119879 where 119866119879 is a cyclic multiplicative group of order 119902and the output for each invocation is a random independentvector of the following form
(1199051 1199052 1198861119875 + 1198862119875 1198863119875 1198864119875 1198871119875 + 1198872119875 1198873119875minus (1198861119875 + 1198862119875 + 1198873119875) minus (11990521198861119875 + 1198862119875) minus (1198861119875 + 11990521198862119875) 1198861119876 + 1198862119876 1198863119876 1198871119876 + 1198872119876 11988731198761198874119876 minus (1198871119876 + 1198872119876 + 1198863119876) minus (11990511198871119876 + 1198872119876) minus (1198871119876 + 11990511198872119876) 119890 (1198863119875 1198863119876) 119890 (1198873119875 1198873119876) 119890 (1198864119875 1198871119876 + 1198872119876)1199051+1 119890 (1198861119875 + 1198862119875 1198874119876)1199052+1 119890 (1198861119875 + 1198862119875 1198871119876 + 1198872119876)minus1)
(1)
where 1198861 1198862 1198863 1198864 1198871 1198872 1198873 1198874isin119877119885119902lowast 1199051 1199052 isin [2 3 119904]and 119904 is a small number
We can use the table-lookup method to implement thisfunctionality First a trusted server computes a table ofrandom independent vectors in advance and then stores itinto the memory of 119879 For each invocation of i 119879 needs toretrieves a new vector in the table
31 Verifiable Outsourcing Algorithm We propose a nonin-teractive verifiable outsourcing algorithmNIVBP for bilinear
4 Security and Communication Networks
pairing in the one-malicious model In NIVBP algorithm 119879outsources its bilinear pairing computations to 1198801 and 1198802 byinvoking the subroutine Rand A requirement for NIVBP isthat the adversary 119860 cannot know any useful informationabout the inputs and outputs of NIVBP
Let 119902 be a large prime The input of NIVBP is 119860 isin 119866and 119861 isin 119866 and the output is 119890(119860 119861) 119860 and 119861 are bothcomputationally blinded to 1198801 and 1198802 The proposed NIVBPalgorithm is described as follows
(1) 119879 firstly runs Rand one time to create a blindingvector as (1)(2) 119879 queries 1198801 in random order as follows
1198801 (119860 + 1198861119875 + 1198862119875 119861 + 1198871119876 + 1198872119876) 997888rarr12057211 = 119890 (119860 + 1198861119875 + 1198862119875 119861 + 1198871119876 + 1198872119876) 1198801 (119860 + 1198871119875 + 1198872119875 1198863119876) 997888rarr12057212 = 119890 (119860 + 1198871119875 + 1198872119875 1198863119876) 1198801 (minus1198873119875 minus 1198861119875 minus 1198862119875 119861 + 1198873119876) 997888rarr12057213 = 119890 (minus1198873119875 minus 1198861119875 minus 1198862119875 119861 + 1198873119876) 1198801 (119860 + 1198864119875 minus11990511198871119876 minus 1198872119876) 997888rarr12057214 = 119890 (119860 + 1198864119875 minus11990511198871119876 minus 1198872119876) 1198801 (minus11990521198861119875 minus 1198862119875 119861 + 1198874119876) 997888rarr12057215 = 119890 (minus11990521198861119875 minus 1198862119875 119861 + 1198874119876)
(2)
Similarly 119879 queries 1198802 in random order as follows
1198802 (119860 + 1198861119875 + 1198862119875 119861 + 1198871119876 + 1198872119876) 997888rarr12057221 = 119890 (119860 + 1198861119875 + 1198862119875 119861 + 1198871119876 + 1198872119876) 1198802 (119860 + 1198863119875 minus1198863119876 minus 1198871119876 minus 1198872119876) 997888rarr12057222 = 119890 (119860 + 1198863119875 minus1198863119876 minus 1198871119876 minus 1198872119876) 1198802 (1198873119875 119861 + 1198861119876 + 1198862119876) 997888rarr12057223 = 119890 (1198873119875 119861 + 1198861119876 + 1198862119876) 1198802 (119860 + 1198864119875 minus1198871119876 minus 11990511198872119876) 997888rarr12057224 = 119890 (119860 + 1198864119875 minus1198871119876 minus 11990511198872119876) 1198802 (minus1198861119875 minus 11990521198862119875 119861 + 1198874119876) 997888rarr12057225 = 119890 (minus1198861119875 minus 11990521198862119875 119861 + 1198874119876)
(3)
(3) 119879 verifies whether 1198801 and 1198802 generate the correctoutputs which means that (4)ndash(6) hold
(a)
12057211 = 12057221 (4)
(b)
(12057212 sdot 12057222 sdot 119890 (1198863119875 1198863119876))1199051+1= 12057214 sdot 12057224 sdot 119890 (1198864119875 1198871119876 + 1198872119876)1199051+1 (5)
(c)
(12057213 sdot 12057223 sdot 119890 (1198873119875 1198873119876))1199052+1= 12057215 sdot 12057225 sdot 119890 (1198861119875 + 1198862119875 1198874119876)1199052+1 (6)
If not 119879 outputs ldquoerrorrdquo otherwise 119879 outputs
12057212 sdot 12057222 sdot 119890 (1198863119875 1198863119876) = 119890 (119860 1198871119876 + 1198872119876)minus1 12057213 sdot 12057223 sdot 119890 (1198873119875 1198873119876) = 119890 (1198861119875 + 1198862119875 119861)minus1 (7)
119890 (119860 119861)= 12057211 sdot 119890 (119860 1198871119876 + 1198872119876)minus1 sdot 119890 (1198861119875 + 1198862119875 119861)minus1
sdot 119890 (1198861119875 + 1198862119875 1198871119876 + 1198872119876)minus1 (8)
Correctness It is obvious that formula (4) holds if two serversare all honest In addition
12057212 sdot 12057222 sdot 119890 (1198863119875 1198863119876)= 119890 (1198871119875 + 1198872119875 1198863119876) 119890 (119860 + 1198863119875 minus1198871119876 minus 1198872119876)= 119890 (119860 1198871119876 + 1198872119876)minus1
(9)
12057213 sdot 12057223 sdot 119890 (1198873119875 1198873119876)= 119890 (minus1198861119875 minus 1198862119875 119861 + 1198873119876) 119890 (1198873119875 1198861119876 + 1198862119876)= 119890 (1198861119875 + 1198862119875 119861)minus1
(10)
(1205721212057222119890 (1198863119875 1198863119876))1199051+1= 1205721412057224119890 (1198864119875 1198871119876 + 1198872119876)1199051+1= 119890 (119860 + 1198864119875 1198871119876 + 1198872119876)minus(1199051+1) 119890 (1198864119875 1198871119876 + 1198872119876)1199051+1= 119890 (119860 1198871119876 + 1198872119876)minus(1199051+1)
(11)
(1205721312057223119890 (1198873119875 1198873119876))1199052+1= 1205721512057225119890 (1198861119875 + 1198862119875 1198874119876)1199052+1= 119890 (1198861119875 + 1198862119875 119861 + 1198874119876)minus(1199052+1) 119890 (1198861119875 + 1198862119875 1198874119876)1199052+1= 119890 (1198861119875 + 1198862119875 119861)minus(1199052+1)
(12)
Therefore formulas (4)ndash(6) hold according to the aboveanalysis Finally 119879 obtains 119890(119860 119861) as (8)Remark 6 If one of the servers is dishonest the results couldbe verified successfully with a probability close to 1 except that
Security and Communication Networks 5
the dishonest server knows the values of 12057211 12057212 12057213 12057214 12057215(or 12057221 12057222 12057223 12057224 12057225) and 1199051 1199052 As we know five queriessent to 1198801 and 1198802 are submitted in random order and 1199051 1199052 isin[2 3 119904] So the dishonest server could guess the values of12057211 12057212 12057213 12057214 12057215 (or 12057221 12057222 12057223 12057224 12057225) and 1199051 1199052 withthe probabilities of 15 and 1(119904minus1)2 respectivelyThereforethe checkability of the NIVBP algorithm is
1 minus 15 (119904 minus 1)2 = 1 minus 1120 (119904 minus 1)2 asymp 1 (13)
Remark 7 The proposed algorithmNIVBP is also applicativein the condition where 119866119866 are two cyclic multiplicationgroups Let 119892 119892 be generators of 119866119866 respectively 119890 119866 times119866 rarr 119866119879 is a bilinear map In this case the inputs of NIVBPare also 119860 isin 119866 and 119861 isin 119866 and the output is also 119890(119860 119861) Thedetails are also omitted because of limited space
32 Security Analysis
Theorem 8 In the one-malicious model the proposed algo-rithm (119879 (1198801 1198802)) is an outsource-secure implementation ofNIVBP where the input (119860 119861) may be honest and secret orhonest and protected or adversarial and protected
Proof Let 119860 = (11986411988010158401 11988010158402) be a PPT adversary that interactswith a PPT algorithm 119879 in the one-malicious model
First we prove that EVIEWreal sim EVIEWideal whichmeans that the environment 119864 learns nothing during theexecution of (119879 (1198801 1198802)) If the input (119860 119861) is honest andprotected or adversarial and protected it is obvious thatthe simulator 1198781 behaves the same as in the real executionTherefore we only need to prove the case where (119860 119861) is anhonest secret input
So suppose that (119860 119861) is an honest secret input Thesimulator 1198781 in the ideal experiment behaves as follows Onreceiving the input on round 119894 1198781 ignores it and insteadmakesfive random queries of the form (120572119895 120573119895) to both 11988010158401 and 11988010158402Finally 1198781 randomly checks one output 119890(120572119895 120573119895) from eachprogram If an error is detected 1198781 saves all states and outputs119884119894119901 = ldquoerrorrdquo 119884119894119906 = rep119894 = 1 and thus the final output forideal process is (estate119894 ldquoerrorrdquo ) If no error is detected1198781 checks the remaining four outputs If all checks pass 1198781outputs 119884119894119901 = 119884119894119906 = rep119894 = 0 that is the final outputfor ideal process is (estate119894 119910119894119901 119910119894119906) otherwise 1198781 selects arandom element 119903 and outputs 119884119894119901 = 119903 119884119894119906 = rep119894 = 1and the output for ideal process is (estate119894 119903 )
In addition we need to show that the inputs to (11988010158401 11988010158402)in the real experiment are computationally indistinguishablefrom those in the ideal one In the ideal experiment theinputs are selected uniformly at random In the real oneeach part of all five queries that 119879 makes to any programis generated by invoking the subroutine Rand and thus iscomputationally indistinguishable from random numbersTherefore we consider three possible conditions If (11988010158401 11988010158402)both are honest in round 119894 EVIEW119894real sim EVIEW119894ideal sincethe outputs of NIVBP are not replaced and rep119894 = 0
if one of (11988010158401 11988010158402) is dishonest in round 119894 the fault mustbe detected by both 119879 and 1198781 with a probability close to1 resulting in an output of ldquoerrorrdquo otherwise the outputof NIVBP is corrupted with a probability of 1120(119904 minus1)2 In the real experiment the five outputs generated by(11988010158401 11988010158402) are multiplied together along with a random valueThus EVIEW119894real sim EVIEW119894ideal even when one of (11988010158401 11988010158402)misbehaves so we conclude that EVIEWreal sim EVIEWideal
Second we prove that UVIEWreal sim UVIEWideal whichmeans that the untrusted software (11988010158401 11988010158402) learns nothingduring the execution of (119879 (11988010158401 11988010158402)) In the ideal experimentthe simulator 1198782 always behaves as follows when receiving theinput on round 119894 1198782 ignores it but submits five randomqueriesof the form (120572119895 120573119895) to 11988010158401 and 11988010158402 Then 1198782 saves its states andthose of (11988010158401 11988010158402) Since the honest secret or honest protectedor adversarial protected inputs are all private for (11988010158401 11988010158402) thesimulator 1198782 is applicable to all those conditions As shownin Pair One the inputs to (11988010158401 11988010158402) in the real experiment arecomputationally indistinguishable from those in the ideal onerandomly chosen by 1198782 Thus UVIEW119894real sim UVIEW119894ideal foreach round 119894 and so UVIEWreal sim UVIEWideal
Theorem 9 In the one-malicious model the proposed algo-rithm (119879 (1198801 1198802)) in Section 31 is verifiable that is theoutsourcer can test the error with a probability close to 1 if oneof the servers outputs the false result
Proof Assume that 1198801 is an honest server and 1198802 is amalicious server At the end of the algorithm the outsourcerverifies the results by formulas (4)ndash(6) It is obvious that 1198802must generate the correct value of 12057221 otherwise formula(4) cannot pass the verification with a probability of 1Thus the only possibility of 1198802 cheating 119879 is returningthe false value of 12057221 12057222 12057223 12057224 12057225 which is denoted by12057221 12057222 12057223 12057224 12057225 respectively
Assume that 12057221 12057222 12057223 12057224 12057225 could pass the verifica-tion of formulas (5) and (6) that is
(12057212 sdot 12057222 sdot 119890 (1198863119875 1198863119876))1199051+1= 12057214 sdot 12057224 sdot 119890 (1198864119875 1198871119876 + 1198872119876)1199051+1
(12057213 sdot 12057223 sdot 119890 (1198873119875 1198873119876))1199052+1= 12057215 sdot 12057225 sdot 119890 (1198861119875 + 1198862119875 1198874119876)1199052+1
(14)
which means that
(12057222)1199051+112057224 = 12057214 sdot 119890 (1198864119875 1198871119876 + 1198872119876)1199051+1120572121199051+1 sdot 119890 (1198863119875 1198863119876)1199051+1
(12057223)1199051+112057225 = 12057215 sdot 119890 (1198861119875 + 1198862119875 1198874119876)1199052+1120572131199052+1 sdot 119890 (1198873119875 1198873119876)1199052+1
(15)
Since 1198801 is an honest server 12057211 12057212 12057213 12057214 12057215 mustbe correct In addition 119890(1198863119875 1198863119876) 119890(1198873119875 1198873119876) 119890(1198864119875 1198871119876+1198872119876)1199051+1 119890(1198861119875 + 1198862119875 1198874119876)1199052+1 are generated randomly byRand subroutine and so these values must be true Thus the
6 Security and Communication Networks
Table 1 Comparison of the outsourcing algorithms for bilinearpairing
Algorithm Pair[24]
TZR1[25]
TZR2[25](119904 = 4) VBP [26] NIVBP(119904 = 4)
PA (119879) 5 4 11 8 8M (119879) 4 3 9 11 19Invoke (Rand) 3 1 2 2 1Pair (119880) 8 6 6 6 10MExp (119880) 0 0 0 4 0Interactive No No No Yes NoServers Two Two Two Two TwoCheckability 05 05 084 1 0999
values of (12057222)1199051+112057224 and (12057223)1199052+112057225 should be true even if12057221 12057222 12057223 12057224 12057225 are incorrect otherwise they could notpass the verification of formulas (5) and (6)
In order to obtain the true values of (12057222)1199051+112057224 and(12057223)1199052+1120572251198802must guess the values of12057221 12057222 1205722312057224 12057225and 1199051 1199052 As shown in Section 31 the probabilities ofguessing the true values of 12057221 12057222 12057223 12057224 12057225 and 1199051 1199052 are15 and 1(119904 minus 1)2 respectively Therefore the outsourcercan test the error with a probability of 1 minus 15(119904 minus 1)2 =1 minus 1120(119904 minus 1)2 asymp 1Theorem 10 In the one-malicious model the proposed algo-rithm (119879 (1198801 1198802)) is an (119874(119904119898) asymp 1)-outsource-secureimplementation of NIVBP where 119904 is a small positive integerand 119898 is the bit length of 119902 and 119902 is the order of 119866119866Proof The proposed algorithm NIVBP makes one call toRand and 8 point additions (PA) in 119866 or 119866 and 119874(119904)multiplication in 119866119879 in order to compute 119890(119860 119861) As shownin [24] it takes roughly 119874(119898) multiplications in resultingfinite field to compute the bilinear pairing where 119898 is thebit length of 119902 Thus the proposed algorithm is an 119874(119904119898)-efficient implementation of NIVBP On the other hand itmust be detected with a probability close to 1 if 1198801 or 1198802 failsduring any execution of NIVBP fromTheorem 9
33 Comparison We compare the outsourcing algorithmsfor bilinear pairing with input privacy in Table 1 where 119904is a small positive integer and ldquoPArdquo and ldquoMrdquo denote theoperation of point addition in 119866 or 119866 and multiplication in119866119879 respectively
From Table 1 we conclude that the NIVBP algorithmincreases checkability of the outsourcer though a little com-putation cost is appended comparedwith Pair andTZR1 algo-rithms In addition theNIVBP algorithm improves computa-tion efficiency and checkability of the outsourcer simultane-ously compared with TZR2 algorithm for the same param-eter 119904 = 4 The efficiency and checkability of the NIVBPalgorithm are nearly the same as those of VBP algorithm butit decreases the communication cost since it is noninteractivewhile the VBP algorithm is interactiveTherefore theNIVBP
algorithm increases checkability and decreases communica-tion cost of the outsourcer although a little computation costis appended
4 Applications
In this section we introduce two applications of the pro-posed NIVBP algorithm anonymous identity-based encryp-tion (AIBE) scheme [27] and identity-based signature (IBS)scheme [28]
Let119866119866 119866119879 be three cyclicmultiplication groups of order119902 and let 119892 119892 be generators of 119866119866 respectively 119890 119866 times119866 rarr119866119879 is a bilinear map In the following schemes 119866 = 11986641 Boyen-Waters AIBE Scheme with Outsourcing DecryptionThe proposed outsource-secure AIBE scheme consists of thefollowing algorithms
Setup It chooses a random generator 119892 isin 119866 random groupelements 1198920 1198921 isin 119866 and random exponents 120596 1199051 1199052 1199053 1199054 isin119885119902 The master key MSK = 120596 1199051 1199052 1199053 1199054 and the publicparameters PK are as follows
119890 (119892 119892)11990511199052120596 119892 1198920 1198921 V1 = 1198921199051 V2 = 1198921199052 V3 = 1198921199053 V4= 1198921199054 (16)
Extract (MSK ID) To issue a private key for identity ID itchooses two random exponents 1199031 1199032 isin 119885119902 and computes theprivate key SKID = 1198890 1198891 1198892 1198893 1198894 as follows
1198890 = 119892119903111990511199052+119903211990531199054 1198891 = 119892minus1205961199052 (11989201198921ID)minus11990311199052 1198892 = 119892minus1205961199051 (11989201198921ID)minus11990311199051 1198893 = (11989201198921ID)minus11990321199054 1198894 = (11989201198921ID)minus11990321199053
(17)
Encrypt (PK ID M) To encrypt a message 119872 isin 119866119879 for anidentity ID it chooses random 119904 1199041 1199042 isin 119885119902 and creates theciphertext CT = 1198621015840 1198620 1198621 1198622 1198623 1198624 as follows
119872119890 (119892 119892)11990511199052120596119904 (11989201198921ID)119904 V1119904minus1199041 V21199041 V3119904minus1199042 V41199042 (18)
Decrypt (PK ID CT) The outsourcer 119879 executes the NIVBPalgorithm for five times and obtains
119890 (119862119894 119889119894) = NIVBP (119862119894 119889119894) 119894 = 0 1 2 3 4 (19)
and then computes 1198621015840prod4119894=0119890(119862119894 119889119894) = 119872
Security and Communication Networks 7
42 Paterson-Schuldt IBS Scheme with Outsourcing Verifica-tion The detailed scheme is shown as follows
Setup It picks 120572 isin 119885119902 1198922 isin 119866 and computes 1198921 =119892120572 Further choose 1199061015840 1198981015840 isin 119866 and vectors 119880 = (119906119894)119872 = (119898119894) of length 119899119906 and 119899119898 respectively where 119906119894 119898119894 arerandom elements from 119866 The public parameters are PK =119892 1198921 1198922 1199061015840 1198801198981015840119872 119890(1198922 1198921) and the master secret key is1198922120572Extract Let 119906 be a bit string of length 119899119906 representing anidentity and let 119906[119894] be the 119894-th bit of 119906 Set 119880 sub 1 2 119899119906as the set of index 119894 such that 119906[119894] = 1 To construct the privatekey 119889119906 of the identity 119906 pick 119903119906 isin 119885119902 and compute
119889119906 = (1198922120572(1199061015840prod119894isin119880
119906119894)119903119906 119892119903119906) (20)
Sign Let 119872 sub 1 119899119898 be the set of index 119895 such that119898[119895] = 1 where 119898 is a message and 119898[119895] is the 119895-th bit of119898 To generate a signature 120590 for the message 119898 randomlychoose 119903119898 isin 119885119902 and compute
120590 = (1198922120572(1199061015840prod119894isin119880
119906119894)119903119906 (1198981015840prod
119895isin119872
119898119895)119903119898 119892119903119906 119892119903119898) (21)
Verify Given a signature 120590 = (119881 119877119906 119877119898) of an identity 119906 for amessage 119898 the outsourcer 119879 executes the NIVBP algorithmand obtains
119890 (119881 119892) = 119873119868119881119861119875 (119881 119892) 119890 (1199061015840prod119894isin119880
119906119894 119877119906) = 119873119868119881119861119875(1199061015840prod119894isin119880
119906119894 119877119906)
119890(1199061015840prod119894isin119880
119906119894 119877119906) = 119873119868119881119861119875(1198981015840prod119895isin119872
119898119895 119877119898) (22)
And verify
119890 (119881 119892)= 119890 (1198922 1198921) 119890(1199061015840prod
119894isin119880
119906119894 119877119906)119890(1199061015840prod119894isin119880
119906119894 119877119906) (23)
It is obvious that the two outsourcing schemes areverifiable and secure since the NIVBP algorithm is verifiablewith input privacy as described in Section 3
5 Performance Evaluation
In this section we provide an experimental evaluation ofthe proposed outsourcing algorithms Our experiment issimulated on two machines with Intel Xeon Processor run-ning at 34GHz with 32G memory (cloud server) and IntelCeleron Processor running at 12 GHz with 2G memory (the
Tim
e (m
s)
200 300 400 500 600 700 800 900 1000100Computing rounds
0
1000
2000
3000
4000
5000
6000
7000
DirectServer (U1)Server (U2)
Client
Figure 1 Simulation for the NIVBP algorithm
outsourcer) respectively The programming language is Javausing Java Pairing-Based Cryptography (JPBC) Library Theparameter 119902 is a 160-bit prime that is randomly generated
In Figure 1 we provide the simulation of NIVBP algo-rithm which means that the fault can be found with aprobability close to 1 if one of the servers misbehaves Itis obvious that the time cost for the outsourcer 119879 is muchsmaller than that for directly computing bilinear pairingsince a number of computations have been delegated totwo servers Therefore the proposed NIVBP algorithm isthe implementation of secure and verifiable outsourcing forbilinear pairing
In Figure 2 we compare the evaluation times of theoutsourcing algorithms for bilinear pairing proposed in[24ndash26] and this paper respectively From Figure 2 weconclude that for the outsourcer 119879 the NIVBP algorithm issuperior toTZR2 algorithm in efficiency and it appends smallcomputation cost to improve the checkability compared withPair and TZR1 algorithms In addition the NIVBP algorithmis nearly the same as VBP algorithm in efficiency but it isnoninteractive and decreases the communication cost of theoutsourcer Thus the proposed NIVBP algorithm improvesthe checkability and decreases communication cost for theoutsourcer simultaneously based on two servers in the one-malicious model
6 Conclusions
In this paper we propose a noninteractive verifiable out-source-secure algorithm for bilinear pairing The securitymodel of our proposed algorithm is based on two noncol-luding servers and the outsourcer can detect any failure witha probability close to 1 if one of the servers misbehavesCompared with the previous ones the proposed algorithmimproves the checkability and communication efficiencysimultaneously for the outsourcer
8 Security and Communication NetworksTi
me (
ms)
0
100
200
300
400
500
600
700
800
200 300 400 500 600 700 800 900 1000100Computing rounds
VBP [26]NIVBP (s = 4)
Pair [24]TZR1 [25]
TZR2 [25] (s = 4)
Figure 2 Efficiency comparison of the outsourcing algorithms forbilinear pairing
Conflicts of Interest
The authors declare that they have no conflicts of interest
Acknowledgments
The work described in this paper was supported by theNational Natural Science Foundation of China (Grant no61572309) Natural Science Foundation of Shanghai (no16ZR1411200) and Program for New Century Excellent Tal-ents in University (NCET-12-0620)
References
[1] X F Chen J Li J Ma Q Tang and W Lou ldquoNew algorithmsfor secure outsourcing of modular exponentiationsrdquo IEEETransactions On Parallel And Distributed Systems vol 25 no9 pp 2386ndash2396 2014
[2] RGennaro CGentry andB Parno ldquoNon-interactive verifiablecomputing outsourcing computation to untrusted workersrdquo inAdvances in cryptologymdashCRYPTO 2010 vol 6223 of LectureNotes in Comput Sci pp 465ndash482 Springer Berlin Germany2010
[3] K-M Chung Y Kalai and S Vadhan ldquoImproved delega-tion of computation using fully homomorphic encryptionrdquo inAdvances in cryptologymdashCRYPTO 2010 vol 6223 of LectureNotes in Comput Sci pp 483ndash501 Springer Berlin Germany2010
[4] D Chaum and T Pedersen ldquoWallet databases with observersrdquoin Advances in CryptologymdashCRYPTOrsquo 92 vol 740 of LectureNotes in Computer Science pp 89ndash105 Springer Berlin Ger-many 1993
[5] S Hohenberger and A Lysyanskaya ldquoHow to securely out-source cryptographic computationsrdquo in Proceedings of the TCC2005 vol 3378 of Lecture Notes in Computer Science pp 264ndash282 Springer
[6] Y Ren N Dingy X Zhang H Lu and D Gu ldquoVerifi-able outsourcing algorithms for modular exponentiations withimproved checkabilityrdquo in Proceedings of the 11th ACM AsiaConference on Computer and Communications Security ASIACCS 2016 pp 293ndash303 ACM June 2016
[7] J-Z Lai R H Deng C Guan and J Weng ldquoAttribute-based encryption with verifiable outsourced decryptionrdquo IEEETransactions on Information Forensics and Security vol 8 no 8pp 1343ndash1354 2013
[8] B Qin R H Deng S Liu and S Ma ldquoAttribute-basedencryption with efficient verifiable outsourced decryptionrdquoIEEE Transactions on Information Forensics and Security vol 10no 7 pp 1384ndash1393 2015
[9] X Chen J Li X Huang J Li Y Xiang and D SWong ldquoSecureoutsourced attribute-based signaturesrdquo IEEE Transactions onParallel and Distributed Systems vol 25 no 12 pp 3284ndash32942014
[10] J Yu K Ren and C Wang ldquoEnabling cloud storage auditingwith verifiable outsourcing of key updatesrdquo IEEE Transactionson Information Forensics and Security vol 11 no 6 pp 1362ndash1375 2016
[11] C Wang Q Wang K Ren and W Lou ldquoPrivacy-preservingpublic auditing for data storage security in cloud computingrdquoin Proceedings of the IEEE INFO-COM pp 525ndash533 San DiegoCalif USA March 2010
[12] Y Ren N Ding X Zhang H Lu and D Gu ldquoIdentity-basedencryption with verifiable outsourced revocationrdquo ComputerJournal vol 59 no 11 pp 1659ndash1668 2016
[13] X Chen X Huang J Li J Ma W Lou and D S WongldquoNew algorithms for secure outsourcing of large-scale systemsof linear equationsrdquo IEEE Transactions on Information andForensics Security vol 10 no 1 pp 69ndash78 2015
[14] Y Ren X Zhang G Feng Z Qian and F Li ldquoHow to ExtractImage Features based on Co-occurrence Matrix Securely andEfficiently in Cloud Computingrdquo IEEE Transactions on CloudComputing 2017
[15] D Boneh andM Franklin ldquoIdentity-based encryption from theWeil pairingrdquo in Advances in CryptologymdashCRYPTO 2001 vol2139 of LectureNotes in Computer Science pp 213ndash229 SpringerBerlin Germany 2001
[16] J C Cha and JH Cheon ldquoAn identity-based signature fromgapDiffie-Hellman groupsrdquo in Proceedings of the PKC vol 2567 ofLecture Notes in Computer Science pp 18ndash30 Springer
[17] A Joux ldquoA one round protocol for tripartite Diffie-Hellmanrdquo inProceedings of the ANTS vol 1838 of Lecture Notes in ComputerScience pp 385ndash393 Springer 2000
[18] M Scott N Costigan and W Abdulwahab ldquoImplementingcryptographic pairings on smartcardsrdquo in Proceedings of theCHES vol 4249 of LNCS pp 134ndash147 2006
[19] P S Barreto S D Galbraith C Heigeartaigh and M ScottldquoEfficient pairing computation on supersingular abelian vari-etiesrdquo Designs Codes and Cryptography vol 42 no 3 pp 239ndash271 2007
[20] B Chevallier-Mames J-S Coron N McCullagh D Naccacheand M Scott ldquoSecure delegation of elliptic-curve pairingrdquo inProceedings of the CARDIS 2010 vol 6035 of LNCS pp 24ndash352010
[21] S D Galbraith K G Paterson and N Smart ldquoPairings forcryptographersrdquo Discrete Applied Mathematics vol 156 no 16pp 3113ndash3121 2008
[22] P Tsang S Chow and S Smith ldquoBatch pairing delegationrdquo inProceedings of the IWSEC 2007 90 74 pages 2007
Security and Communication Networks 9
[23] S SMChowMHAu andW Susilo ldquoServer-aided signaturesverification secure against collusion attackrdquo in Proceedings ofthe 6th International Symposium on Information Computer andCommunications Security ASIACCS 2011 pp 401ndash405 March2011
[24] X Chen W Susilo J Li et al ldquoEfficient algorithms for secureoutsourcing of bilinear pairingsrdquoTheoretical Computer Sciencevol 562 pp 112ndash121 2015
[25] H Tian F Zhang and K Ren ldquoSecure bilinear pairingoutsourcing made more efficient and flexiblerdquo in Proceedingsof the 10th ACM Symposium on Information Computer andCommunications Security ASIACCS 2015 pp 417ndash426 April2015
[26] Y Ren N Ding T Wang H Lu and D Gu ldquoNew algorithmsfor verifiable outsourcing of bilinear pairingsrdquo Science ChinaInformation Sciences vol 59 no 9 Article ID 99103 2016
[27] X Boyen and B Waters ldquoAnonymous hierarchical identity-based encryption (without random oracles)rdquo in Advances incryptologymdashCRYPTO 2006 vol 4117 of Lecture Notes in Com-puter Science pp 290ndash307 Springer Berlin Germany 2006
[28] K G Paterson and J C N Schuldt ldquoEfficient identity-basedsignatures secure in the standard modelrdquo in Proceedings of theACISP 2006 vol 4058 of Lecture Notes in Computer Science pp207ndash222 Springer
RoboticsJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Active and Passive Electronic Components
Control Scienceand Engineering
Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
International Journal of
RotatingMachinery
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporation httpwwwhindawicom
Journal of
Volume 201
Submit your manuscripts athttpswwwhindawicom
VLSI Design
Hindawi Publishing Corporationhttpwwwhindawicom Volume 201
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Shock and Vibration
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Civil EngineeringAdvances in
Acoustics and VibrationAdvances in
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Electrical and Computer Engineering
Journal of
Advances inOptoElectronics
Hindawi Publishing Corporation httpwwwhindawicom
Volume 2014
The Scientific World JournalHindawi Publishing Corporation httpwwwhindawicom Volume 2014
SensorsJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Modelling amp Simulation in EngineeringHindawi Publishing Corporation httpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Chemical EngineeringInternational Journal of Antennas and
Propagation
International Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Navigation and Observation
International Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
DistributedSensor Networks
International Journal of
4 Security and Communication Networks
pairing in the one-malicious model In NIVBP algorithm 119879outsources its bilinear pairing computations to 1198801 and 1198802 byinvoking the subroutine Rand A requirement for NIVBP isthat the adversary 119860 cannot know any useful informationabout the inputs and outputs of NIVBP
Let 119902 be a large prime The input of NIVBP is 119860 isin 119866and 119861 isin 119866 and the output is 119890(119860 119861) 119860 and 119861 are bothcomputationally blinded to 1198801 and 1198802 The proposed NIVBPalgorithm is described as follows
(1) 119879 firstly runs Rand one time to create a blindingvector as (1)(2) 119879 queries 1198801 in random order as follows
1198801 (119860 + 1198861119875 + 1198862119875 119861 + 1198871119876 + 1198872119876) 997888rarr12057211 = 119890 (119860 + 1198861119875 + 1198862119875 119861 + 1198871119876 + 1198872119876) 1198801 (119860 + 1198871119875 + 1198872119875 1198863119876) 997888rarr12057212 = 119890 (119860 + 1198871119875 + 1198872119875 1198863119876) 1198801 (minus1198873119875 minus 1198861119875 minus 1198862119875 119861 + 1198873119876) 997888rarr12057213 = 119890 (minus1198873119875 minus 1198861119875 minus 1198862119875 119861 + 1198873119876) 1198801 (119860 + 1198864119875 minus11990511198871119876 minus 1198872119876) 997888rarr12057214 = 119890 (119860 + 1198864119875 minus11990511198871119876 minus 1198872119876) 1198801 (minus11990521198861119875 minus 1198862119875 119861 + 1198874119876) 997888rarr12057215 = 119890 (minus11990521198861119875 minus 1198862119875 119861 + 1198874119876)
(2)
Similarly 119879 queries 1198802 in random order as follows
1198802 (119860 + 1198861119875 + 1198862119875 119861 + 1198871119876 + 1198872119876) 997888rarr12057221 = 119890 (119860 + 1198861119875 + 1198862119875 119861 + 1198871119876 + 1198872119876) 1198802 (119860 + 1198863119875 minus1198863119876 minus 1198871119876 minus 1198872119876) 997888rarr12057222 = 119890 (119860 + 1198863119875 minus1198863119876 minus 1198871119876 minus 1198872119876) 1198802 (1198873119875 119861 + 1198861119876 + 1198862119876) 997888rarr12057223 = 119890 (1198873119875 119861 + 1198861119876 + 1198862119876) 1198802 (119860 + 1198864119875 minus1198871119876 minus 11990511198872119876) 997888rarr12057224 = 119890 (119860 + 1198864119875 minus1198871119876 minus 11990511198872119876) 1198802 (minus1198861119875 minus 11990521198862119875 119861 + 1198874119876) 997888rarr12057225 = 119890 (minus1198861119875 minus 11990521198862119875 119861 + 1198874119876)
(3)
(3) 119879 verifies whether 1198801 and 1198802 generate the correctoutputs which means that (4)ndash(6) hold
(a)
12057211 = 12057221 (4)
(b)
(12057212 sdot 12057222 sdot 119890 (1198863119875 1198863119876))1199051+1= 12057214 sdot 12057224 sdot 119890 (1198864119875 1198871119876 + 1198872119876)1199051+1 (5)
(c)
(12057213 sdot 12057223 sdot 119890 (1198873119875 1198873119876))1199052+1= 12057215 sdot 12057225 sdot 119890 (1198861119875 + 1198862119875 1198874119876)1199052+1 (6)
If not 119879 outputs ldquoerrorrdquo otherwise 119879 outputs
12057212 sdot 12057222 sdot 119890 (1198863119875 1198863119876) = 119890 (119860 1198871119876 + 1198872119876)minus1 12057213 sdot 12057223 sdot 119890 (1198873119875 1198873119876) = 119890 (1198861119875 + 1198862119875 119861)minus1 (7)
119890 (119860 119861)= 12057211 sdot 119890 (119860 1198871119876 + 1198872119876)minus1 sdot 119890 (1198861119875 + 1198862119875 119861)minus1
sdot 119890 (1198861119875 + 1198862119875 1198871119876 + 1198872119876)minus1 (8)
Correctness It is obvious that formula (4) holds if two serversare all honest In addition
12057212 sdot 12057222 sdot 119890 (1198863119875 1198863119876)= 119890 (1198871119875 + 1198872119875 1198863119876) 119890 (119860 + 1198863119875 minus1198871119876 minus 1198872119876)= 119890 (119860 1198871119876 + 1198872119876)minus1
(9)
12057213 sdot 12057223 sdot 119890 (1198873119875 1198873119876)= 119890 (minus1198861119875 minus 1198862119875 119861 + 1198873119876) 119890 (1198873119875 1198861119876 + 1198862119876)= 119890 (1198861119875 + 1198862119875 119861)minus1
(10)
(1205721212057222119890 (1198863119875 1198863119876))1199051+1= 1205721412057224119890 (1198864119875 1198871119876 + 1198872119876)1199051+1= 119890 (119860 + 1198864119875 1198871119876 + 1198872119876)minus(1199051+1) 119890 (1198864119875 1198871119876 + 1198872119876)1199051+1= 119890 (119860 1198871119876 + 1198872119876)minus(1199051+1)
(11)
(1205721312057223119890 (1198873119875 1198873119876))1199052+1= 1205721512057225119890 (1198861119875 + 1198862119875 1198874119876)1199052+1= 119890 (1198861119875 + 1198862119875 119861 + 1198874119876)minus(1199052+1) 119890 (1198861119875 + 1198862119875 1198874119876)1199052+1= 119890 (1198861119875 + 1198862119875 119861)minus(1199052+1)
(12)
Therefore formulas (4)ndash(6) hold according to the aboveanalysis Finally 119879 obtains 119890(119860 119861) as (8)Remark 6 If one of the servers is dishonest the results couldbe verified successfully with a probability close to 1 except that
Security and Communication Networks 5
the dishonest server knows the values of 12057211 12057212 12057213 12057214 12057215(or 12057221 12057222 12057223 12057224 12057225) and 1199051 1199052 As we know five queriessent to 1198801 and 1198802 are submitted in random order and 1199051 1199052 isin[2 3 119904] So the dishonest server could guess the values of12057211 12057212 12057213 12057214 12057215 (or 12057221 12057222 12057223 12057224 12057225) and 1199051 1199052 withthe probabilities of 15 and 1(119904minus1)2 respectivelyThereforethe checkability of the NIVBP algorithm is
1 minus 15 (119904 minus 1)2 = 1 minus 1120 (119904 minus 1)2 asymp 1 (13)
Remark 7 The proposed algorithmNIVBP is also applicativein the condition where 119866119866 are two cyclic multiplicationgroups Let 119892 119892 be generators of 119866119866 respectively 119890 119866 times119866 rarr 119866119879 is a bilinear map In this case the inputs of NIVBPare also 119860 isin 119866 and 119861 isin 119866 and the output is also 119890(119860 119861) Thedetails are also omitted because of limited space
32 Security Analysis
Theorem 8 In the one-malicious model the proposed algo-rithm (119879 (1198801 1198802)) is an outsource-secure implementation ofNIVBP where the input (119860 119861) may be honest and secret orhonest and protected or adversarial and protected
Proof Let 119860 = (11986411988010158401 11988010158402) be a PPT adversary that interactswith a PPT algorithm 119879 in the one-malicious model
First we prove that EVIEWreal sim EVIEWideal whichmeans that the environment 119864 learns nothing during theexecution of (119879 (1198801 1198802)) If the input (119860 119861) is honest andprotected or adversarial and protected it is obvious thatthe simulator 1198781 behaves the same as in the real executionTherefore we only need to prove the case where (119860 119861) is anhonest secret input
So suppose that (119860 119861) is an honest secret input Thesimulator 1198781 in the ideal experiment behaves as follows Onreceiving the input on round 119894 1198781 ignores it and insteadmakesfive random queries of the form (120572119895 120573119895) to both 11988010158401 and 11988010158402Finally 1198781 randomly checks one output 119890(120572119895 120573119895) from eachprogram If an error is detected 1198781 saves all states and outputs119884119894119901 = ldquoerrorrdquo 119884119894119906 = rep119894 = 1 and thus the final output forideal process is (estate119894 ldquoerrorrdquo ) If no error is detected1198781 checks the remaining four outputs If all checks pass 1198781outputs 119884119894119901 = 119884119894119906 = rep119894 = 0 that is the final outputfor ideal process is (estate119894 119910119894119901 119910119894119906) otherwise 1198781 selects arandom element 119903 and outputs 119884119894119901 = 119903 119884119894119906 = rep119894 = 1and the output for ideal process is (estate119894 119903 )
In addition we need to show that the inputs to (11988010158401 11988010158402)in the real experiment are computationally indistinguishablefrom those in the ideal one In the ideal experiment theinputs are selected uniformly at random In the real oneeach part of all five queries that 119879 makes to any programis generated by invoking the subroutine Rand and thus iscomputationally indistinguishable from random numbersTherefore we consider three possible conditions If (11988010158401 11988010158402)both are honest in round 119894 EVIEW119894real sim EVIEW119894ideal sincethe outputs of NIVBP are not replaced and rep119894 = 0
if one of (11988010158401 11988010158402) is dishonest in round 119894 the fault mustbe detected by both 119879 and 1198781 with a probability close to1 resulting in an output of ldquoerrorrdquo otherwise the outputof NIVBP is corrupted with a probability of 1120(119904 minus1)2 In the real experiment the five outputs generated by(11988010158401 11988010158402) are multiplied together along with a random valueThus EVIEW119894real sim EVIEW119894ideal even when one of (11988010158401 11988010158402)misbehaves so we conclude that EVIEWreal sim EVIEWideal
Second we prove that UVIEWreal sim UVIEWideal whichmeans that the untrusted software (11988010158401 11988010158402) learns nothingduring the execution of (119879 (11988010158401 11988010158402)) In the ideal experimentthe simulator 1198782 always behaves as follows when receiving theinput on round 119894 1198782 ignores it but submits five randomqueriesof the form (120572119895 120573119895) to 11988010158401 and 11988010158402 Then 1198782 saves its states andthose of (11988010158401 11988010158402) Since the honest secret or honest protectedor adversarial protected inputs are all private for (11988010158401 11988010158402) thesimulator 1198782 is applicable to all those conditions As shownin Pair One the inputs to (11988010158401 11988010158402) in the real experiment arecomputationally indistinguishable from those in the ideal onerandomly chosen by 1198782 Thus UVIEW119894real sim UVIEW119894ideal foreach round 119894 and so UVIEWreal sim UVIEWideal
Theorem 9 In the one-malicious model the proposed algo-rithm (119879 (1198801 1198802)) in Section 31 is verifiable that is theoutsourcer can test the error with a probability close to 1 if oneof the servers outputs the false result
Proof Assume that 1198801 is an honest server and 1198802 is amalicious server At the end of the algorithm the outsourcerverifies the results by formulas (4)ndash(6) It is obvious that 1198802must generate the correct value of 12057221 otherwise formula(4) cannot pass the verification with a probability of 1Thus the only possibility of 1198802 cheating 119879 is returningthe false value of 12057221 12057222 12057223 12057224 12057225 which is denoted by12057221 12057222 12057223 12057224 12057225 respectively
Assume that 12057221 12057222 12057223 12057224 12057225 could pass the verifica-tion of formulas (5) and (6) that is
(12057212 sdot 12057222 sdot 119890 (1198863119875 1198863119876))1199051+1= 12057214 sdot 12057224 sdot 119890 (1198864119875 1198871119876 + 1198872119876)1199051+1
(12057213 sdot 12057223 sdot 119890 (1198873119875 1198873119876))1199052+1= 12057215 sdot 12057225 sdot 119890 (1198861119875 + 1198862119875 1198874119876)1199052+1
(14)
which means that
(12057222)1199051+112057224 = 12057214 sdot 119890 (1198864119875 1198871119876 + 1198872119876)1199051+1120572121199051+1 sdot 119890 (1198863119875 1198863119876)1199051+1
(12057223)1199051+112057225 = 12057215 sdot 119890 (1198861119875 + 1198862119875 1198874119876)1199052+1120572131199052+1 sdot 119890 (1198873119875 1198873119876)1199052+1
(15)
Since 1198801 is an honest server 12057211 12057212 12057213 12057214 12057215 mustbe correct In addition 119890(1198863119875 1198863119876) 119890(1198873119875 1198873119876) 119890(1198864119875 1198871119876+1198872119876)1199051+1 119890(1198861119875 + 1198862119875 1198874119876)1199052+1 are generated randomly byRand subroutine and so these values must be true Thus the
6 Security and Communication Networks
Table 1 Comparison of the outsourcing algorithms for bilinearpairing
Algorithm Pair[24]
TZR1[25]
TZR2[25](119904 = 4) VBP [26] NIVBP(119904 = 4)
PA (119879) 5 4 11 8 8M (119879) 4 3 9 11 19Invoke (Rand) 3 1 2 2 1Pair (119880) 8 6 6 6 10MExp (119880) 0 0 0 4 0Interactive No No No Yes NoServers Two Two Two Two TwoCheckability 05 05 084 1 0999
values of (12057222)1199051+112057224 and (12057223)1199052+112057225 should be true even if12057221 12057222 12057223 12057224 12057225 are incorrect otherwise they could notpass the verification of formulas (5) and (6)
In order to obtain the true values of (12057222)1199051+112057224 and(12057223)1199052+1120572251198802must guess the values of12057221 12057222 1205722312057224 12057225and 1199051 1199052 As shown in Section 31 the probabilities ofguessing the true values of 12057221 12057222 12057223 12057224 12057225 and 1199051 1199052 are15 and 1(119904 minus 1)2 respectively Therefore the outsourcercan test the error with a probability of 1 minus 15(119904 minus 1)2 =1 minus 1120(119904 minus 1)2 asymp 1Theorem 10 In the one-malicious model the proposed algo-rithm (119879 (1198801 1198802)) is an (119874(119904119898) asymp 1)-outsource-secureimplementation of NIVBP where 119904 is a small positive integerand 119898 is the bit length of 119902 and 119902 is the order of 119866119866Proof The proposed algorithm NIVBP makes one call toRand and 8 point additions (PA) in 119866 or 119866 and 119874(119904)multiplication in 119866119879 in order to compute 119890(119860 119861) As shownin [24] it takes roughly 119874(119898) multiplications in resultingfinite field to compute the bilinear pairing where 119898 is thebit length of 119902 Thus the proposed algorithm is an 119874(119904119898)-efficient implementation of NIVBP On the other hand itmust be detected with a probability close to 1 if 1198801 or 1198802 failsduring any execution of NIVBP fromTheorem 9
33 Comparison We compare the outsourcing algorithmsfor bilinear pairing with input privacy in Table 1 where 119904is a small positive integer and ldquoPArdquo and ldquoMrdquo denote theoperation of point addition in 119866 or 119866 and multiplication in119866119879 respectively
From Table 1 we conclude that the NIVBP algorithmincreases checkability of the outsourcer though a little com-putation cost is appended comparedwith Pair andTZR1 algo-rithms In addition theNIVBP algorithm improves computa-tion efficiency and checkability of the outsourcer simultane-ously compared with TZR2 algorithm for the same param-eter 119904 = 4 The efficiency and checkability of the NIVBPalgorithm are nearly the same as those of VBP algorithm butit decreases the communication cost since it is noninteractivewhile the VBP algorithm is interactiveTherefore theNIVBP
algorithm increases checkability and decreases communica-tion cost of the outsourcer although a little computation costis appended
4 Applications
In this section we introduce two applications of the pro-posed NIVBP algorithm anonymous identity-based encryp-tion (AIBE) scheme [27] and identity-based signature (IBS)scheme [28]
Let119866119866 119866119879 be three cyclicmultiplication groups of order119902 and let 119892 119892 be generators of 119866119866 respectively 119890 119866 times119866 rarr119866119879 is a bilinear map In the following schemes 119866 = 11986641 Boyen-Waters AIBE Scheme with Outsourcing DecryptionThe proposed outsource-secure AIBE scheme consists of thefollowing algorithms
Setup It chooses a random generator 119892 isin 119866 random groupelements 1198920 1198921 isin 119866 and random exponents 120596 1199051 1199052 1199053 1199054 isin119885119902 The master key MSK = 120596 1199051 1199052 1199053 1199054 and the publicparameters PK are as follows
119890 (119892 119892)11990511199052120596 119892 1198920 1198921 V1 = 1198921199051 V2 = 1198921199052 V3 = 1198921199053 V4= 1198921199054 (16)
Extract (MSK ID) To issue a private key for identity ID itchooses two random exponents 1199031 1199032 isin 119885119902 and computes theprivate key SKID = 1198890 1198891 1198892 1198893 1198894 as follows
1198890 = 119892119903111990511199052+119903211990531199054 1198891 = 119892minus1205961199052 (11989201198921ID)minus11990311199052 1198892 = 119892minus1205961199051 (11989201198921ID)minus11990311199051 1198893 = (11989201198921ID)minus11990321199054 1198894 = (11989201198921ID)minus11990321199053
(17)
Encrypt (PK ID M) To encrypt a message 119872 isin 119866119879 for anidentity ID it chooses random 119904 1199041 1199042 isin 119885119902 and creates theciphertext CT = 1198621015840 1198620 1198621 1198622 1198623 1198624 as follows
119872119890 (119892 119892)11990511199052120596119904 (11989201198921ID)119904 V1119904minus1199041 V21199041 V3119904minus1199042 V41199042 (18)
Decrypt (PK ID CT) The outsourcer 119879 executes the NIVBPalgorithm for five times and obtains
119890 (119862119894 119889119894) = NIVBP (119862119894 119889119894) 119894 = 0 1 2 3 4 (19)
and then computes 1198621015840prod4119894=0119890(119862119894 119889119894) = 119872
Security and Communication Networks 7
42 Paterson-Schuldt IBS Scheme with Outsourcing Verifica-tion The detailed scheme is shown as follows
Setup It picks 120572 isin 119885119902 1198922 isin 119866 and computes 1198921 =119892120572 Further choose 1199061015840 1198981015840 isin 119866 and vectors 119880 = (119906119894)119872 = (119898119894) of length 119899119906 and 119899119898 respectively where 119906119894 119898119894 arerandom elements from 119866 The public parameters are PK =119892 1198921 1198922 1199061015840 1198801198981015840119872 119890(1198922 1198921) and the master secret key is1198922120572Extract Let 119906 be a bit string of length 119899119906 representing anidentity and let 119906[119894] be the 119894-th bit of 119906 Set 119880 sub 1 2 119899119906as the set of index 119894 such that 119906[119894] = 1 To construct the privatekey 119889119906 of the identity 119906 pick 119903119906 isin 119885119902 and compute
119889119906 = (1198922120572(1199061015840prod119894isin119880
119906119894)119903119906 119892119903119906) (20)
Sign Let 119872 sub 1 119899119898 be the set of index 119895 such that119898[119895] = 1 where 119898 is a message and 119898[119895] is the 119895-th bit of119898 To generate a signature 120590 for the message 119898 randomlychoose 119903119898 isin 119885119902 and compute
120590 = (1198922120572(1199061015840prod119894isin119880
119906119894)119903119906 (1198981015840prod
119895isin119872
119898119895)119903119898 119892119903119906 119892119903119898) (21)
Verify Given a signature 120590 = (119881 119877119906 119877119898) of an identity 119906 for amessage 119898 the outsourcer 119879 executes the NIVBP algorithmand obtains
119890 (119881 119892) = 119873119868119881119861119875 (119881 119892) 119890 (1199061015840prod119894isin119880
119906119894 119877119906) = 119873119868119881119861119875(1199061015840prod119894isin119880
119906119894 119877119906)
119890(1199061015840prod119894isin119880
119906119894 119877119906) = 119873119868119881119861119875(1198981015840prod119895isin119872
119898119895 119877119898) (22)
And verify
119890 (119881 119892)= 119890 (1198922 1198921) 119890(1199061015840prod
119894isin119880
119906119894 119877119906)119890(1199061015840prod119894isin119880
119906119894 119877119906) (23)
It is obvious that the two outsourcing schemes areverifiable and secure since the NIVBP algorithm is verifiablewith input privacy as described in Section 3
5 Performance Evaluation
In this section we provide an experimental evaluation ofthe proposed outsourcing algorithms Our experiment issimulated on two machines with Intel Xeon Processor run-ning at 34GHz with 32G memory (cloud server) and IntelCeleron Processor running at 12 GHz with 2G memory (the
Tim
e (m
s)
200 300 400 500 600 700 800 900 1000100Computing rounds
0
1000
2000
3000
4000
5000
6000
7000
DirectServer (U1)Server (U2)
Client
Figure 1 Simulation for the NIVBP algorithm
outsourcer) respectively The programming language is Javausing Java Pairing-Based Cryptography (JPBC) Library Theparameter 119902 is a 160-bit prime that is randomly generated
In Figure 1 we provide the simulation of NIVBP algo-rithm which means that the fault can be found with aprobability close to 1 if one of the servers misbehaves Itis obvious that the time cost for the outsourcer 119879 is muchsmaller than that for directly computing bilinear pairingsince a number of computations have been delegated totwo servers Therefore the proposed NIVBP algorithm isthe implementation of secure and verifiable outsourcing forbilinear pairing
In Figure 2 we compare the evaluation times of theoutsourcing algorithms for bilinear pairing proposed in[24ndash26] and this paper respectively From Figure 2 weconclude that for the outsourcer 119879 the NIVBP algorithm issuperior toTZR2 algorithm in efficiency and it appends smallcomputation cost to improve the checkability compared withPair and TZR1 algorithms In addition the NIVBP algorithmis nearly the same as VBP algorithm in efficiency but it isnoninteractive and decreases the communication cost of theoutsourcer Thus the proposed NIVBP algorithm improvesthe checkability and decreases communication cost for theoutsourcer simultaneously based on two servers in the one-malicious model
6 Conclusions
In this paper we propose a noninteractive verifiable out-source-secure algorithm for bilinear pairing The securitymodel of our proposed algorithm is based on two noncol-luding servers and the outsourcer can detect any failure witha probability close to 1 if one of the servers misbehavesCompared with the previous ones the proposed algorithmimproves the checkability and communication efficiencysimultaneously for the outsourcer
8 Security and Communication NetworksTi
me (
ms)
0
100
200
300
400
500
600
700
800
200 300 400 500 600 700 800 900 1000100Computing rounds
VBP [26]NIVBP (s = 4)
Pair [24]TZR1 [25]
TZR2 [25] (s = 4)
Figure 2 Efficiency comparison of the outsourcing algorithms forbilinear pairing
Conflicts of Interest
The authors declare that they have no conflicts of interest
Acknowledgments
The work described in this paper was supported by theNational Natural Science Foundation of China (Grant no61572309) Natural Science Foundation of Shanghai (no16ZR1411200) and Program for New Century Excellent Tal-ents in University (NCET-12-0620)
References
[1] X F Chen J Li J Ma Q Tang and W Lou ldquoNew algorithmsfor secure outsourcing of modular exponentiationsrdquo IEEETransactions On Parallel And Distributed Systems vol 25 no9 pp 2386ndash2396 2014
[2] RGennaro CGentry andB Parno ldquoNon-interactive verifiablecomputing outsourcing computation to untrusted workersrdquo inAdvances in cryptologymdashCRYPTO 2010 vol 6223 of LectureNotes in Comput Sci pp 465ndash482 Springer Berlin Germany2010
[3] K-M Chung Y Kalai and S Vadhan ldquoImproved delega-tion of computation using fully homomorphic encryptionrdquo inAdvances in cryptologymdashCRYPTO 2010 vol 6223 of LectureNotes in Comput Sci pp 483ndash501 Springer Berlin Germany2010
[4] D Chaum and T Pedersen ldquoWallet databases with observersrdquoin Advances in CryptologymdashCRYPTOrsquo 92 vol 740 of LectureNotes in Computer Science pp 89ndash105 Springer Berlin Ger-many 1993
[5] S Hohenberger and A Lysyanskaya ldquoHow to securely out-source cryptographic computationsrdquo in Proceedings of the TCC2005 vol 3378 of Lecture Notes in Computer Science pp 264ndash282 Springer
[6] Y Ren N Dingy X Zhang H Lu and D Gu ldquoVerifi-able outsourcing algorithms for modular exponentiations withimproved checkabilityrdquo in Proceedings of the 11th ACM AsiaConference on Computer and Communications Security ASIACCS 2016 pp 293ndash303 ACM June 2016
[7] J-Z Lai R H Deng C Guan and J Weng ldquoAttribute-based encryption with verifiable outsourced decryptionrdquo IEEETransactions on Information Forensics and Security vol 8 no 8pp 1343ndash1354 2013
[8] B Qin R H Deng S Liu and S Ma ldquoAttribute-basedencryption with efficient verifiable outsourced decryptionrdquoIEEE Transactions on Information Forensics and Security vol 10no 7 pp 1384ndash1393 2015
[9] X Chen J Li X Huang J Li Y Xiang and D SWong ldquoSecureoutsourced attribute-based signaturesrdquo IEEE Transactions onParallel and Distributed Systems vol 25 no 12 pp 3284ndash32942014
[10] J Yu K Ren and C Wang ldquoEnabling cloud storage auditingwith verifiable outsourcing of key updatesrdquo IEEE Transactionson Information Forensics and Security vol 11 no 6 pp 1362ndash1375 2016
[11] C Wang Q Wang K Ren and W Lou ldquoPrivacy-preservingpublic auditing for data storage security in cloud computingrdquoin Proceedings of the IEEE INFO-COM pp 525ndash533 San DiegoCalif USA March 2010
[12] Y Ren N Ding X Zhang H Lu and D Gu ldquoIdentity-basedencryption with verifiable outsourced revocationrdquo ComputerJournal vol 59 no 11 pp 1659ndash1668 2016
[13] X Chen X Huang J Li J Ma W Lou and D S WongldquoNew algorithms for secure outsourcing of large-scale systemsof linear equationsrdquo IEEE Transactions on Information andForensics Security vol 10 no 1 pp 69ndash78 2015
[14] Y Ren X Zhang G Feng Z Qian and F Li ldquoHow to ExtractImage Features based on Co-occurrence Matrix Securely andEfficiently in Cloud Computingrdquo IEEE Transactions on CloudComputing 2017
[15] D Boneh andM Franklin ldquoIdentity-based encryption from theWeil pairingrdquo in Advances in CryptologymdashCRYPTO 2001 vol2139 of LectureNotes in Computer Science pp 213ndash229 SpringerBerlin Germany 2001
[16] J C Cha and JH Cheon ldquoAn identity-based signature fromgapDiffie-Hellman groupsrdquo in Proceedings of the PKC vol 2567 ofLecture Notes in Computer Science pp 18ndash30 Springer
[17] A Joux ldquoA one round protocol for tripartite Diffie-Hellmanrdquo inProceedings of the ANTS vol 1838 of Lecture Notes in ComputerScience pp 385ndash393 Springer 2000
[18] M Scott N Costigan and W Abdulwahab ldquoImplementingcryptographic pairings on smartcardsrdquo in Proceedings of theCHES vol 4249 of LNCS pp 134ndash147 2006
[19] P S Barreto S D Galbraith C Heigeartaigh and M ScottldquoEfficient pairing computation on supersingular abelian vari-etiesrdquo Designs Codes and Cryptography vol 42 no 3 pp 239ndash271 2007
[20] B Chevallier-Mames J-S Coron N McCullagh D Naccacheand M Scott ldquoSecure delegation of elliptic-curve pairingrdquo inProceedings of the CARDIS 2010 vol 6035 of LNCS pp 24ndash352010
[21] S D Galbraith K G Paterson and N Smart ldquoPairings forcryptographersrdquo Discrete Applied Mathematics vol 156 no 16pp 3113ndash3121 2008
[22] P Tsang S Chow and S Smith ldquoBatch pairing delegationrdquo inProceedings of the IWSEC 2007 90 74 pages 2007
Security and Communication Networks 9
[23] S SMChowMHAu andW Susilo ldquoServer-aided signaturesverification secure against collusion attackrdquo in Proceedings ofthe 6th International Symposium on Information Computer andCommunications Security ASIACCS 2011 pp 401ndash405 March2011
[24] X Chen W Susilo J Li et al ldquoEfficient algorithms for secureoutsourcing of bilinear pairingsrdquoTheoretical Computer Sciencevol 562 pp 112ndash121 2015
[25] H Tian F Zhang and K Ren ldquoSecure bilinear pairingoutsourcing made more efficient and flexiblerdquo in Proceedingsof the 10th ACM Symposium on Information Computer andCommunications Security ASIACCS 2015 pp 417ndash426 April2015
[26] Y Ren N Ding T Wang H Lu and D Gu ldquoNew algorithmsfor verifiable outsourcing of bilinear pairingsrdquo Science ChinaInformation Sciences vol 59 no 9 Article ID 99103 2016
[27] X Boyen and B Waters ldquoAnonymous hierarchical identity-based encryption (without random oracles)rdquo in Advances incryptologymdashCRYPTO 2006 vol 4117 of Lecture Notes in Com-puter Science pp 290ndash307 Springer Berlin Germany 2006
[28] K G Paterson and J C N Schuldt ldquoEfficient identity-basedsignatures secure in the standard modelrdquo in Proceedings of theACISP 2006 vol 4058 of Lecture Notes in Computer Science pp207ndash222 Springer
RoboticsJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Active and Passive Electronic Components
Control Scienceand Engineering
Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
International Journal of
RotatingMachinery
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporation httpwwwhindawicom
Journal of
Volume 201
Submit your manuscripts athttpswwwhindawicom
VLSI Design
Hindawi Publishing Corporationhttpwwwhindawicom Volume 201
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Shock and Vibration
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Civil EngineeringAdvances in
Acoustics and VibrationAdvances in
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Electrical and Computer Engineering
Journal of
Advances inOptoElectronics
Hindawi Publishing Corporation httpwwwhindawicom
Volume 2014
The Scientific World JournalHindawi Publishing Corporation httpwwwhindawicom Volume 2014
SensorsJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Modelling amp Simulation in EngineeringHindawi Publishing Corporation httpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Chemical EngineeringInternational Journal of Antennas and
Propagation
International Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Navigation and Observation
International Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
DistributedSensor Networks
International Journal of
Security and Communication Networks 5
the dishonest server knows the values of 12057211 12057212 12057213 12057214 12057215(or 12057221 12057222 12057223 12057224 12057225) and 1199051 1199052 As we know five queriessent to 1198801 and 1198802 are submitted in random order and 1199051 1199052 isin[2 3 119904] So the dishonest server could guess the values of12057211 12057212 12057213 12057214 12057215 (or 12057221 12057222 12057223 12057224 12057225) and 1199051 1199052 withthe probabilities of 15 and 1(119904minus1)2 respectivelyThereforethe checkability of the NIVBP algorithm is
1 minus 15 (119904 minus 1)2 = 1 minus 1120 (119904 minus 1)2 asymp 1 (13)
Remark 7 The proposed algorithmNIVBP is also applicativein the condition where 119866119866 are two cyclic multiplicationgroups Let 119892 119892 be generators of 119866119866 respectively 119890 119866 times119866 rarr 119866119879 is a bilinear map In this case the inputs of NIVBPare also 119860 isin 119866 and 119861 isin 119866 and the output is also 119890(119860 119861) Thedetails are also omitted because of limited space
32 Security Analysis
Theorem 8 In the one-malicious model the proposed algo-rithm (119879 (1198801 1198802)) is an outsource-secure implementation ofNIVBP where the input (119860 119861) may be honest and secret orhonest and protected or adversarial and protected
Proof Let 119860 = (11986411988010158401 11988010158402) be a PPT adversary that interactswith a PPT algorithm 119879 in the one-malicious model
First we prove that EVIEWreal sim EVIEWideal whichmeans that the environment 119864 learns nothing during theexecution of (119879 (1198801 1198802)) If the input (119860 119861) is honest andprotected or adversarial and protected it is obvious thatthe simulator 1198781 behaves the same as in the real executionTherefore we only need to prove the case where (119860 119861) is anhonest secret input
So suppose that (119860 119861) is an honest secret input Thesimulator 1198781 in the ideal experiment behaves as follows Onreceiving the input on round 119894 1198781 ignores it and insteadmakesfive random queries of the form (120572119895 120573119895) to both 11988010158401 and 11988010158402Finally 1198781 randomly checks one output 119890(120572119895 120573119895) from eachprogram If an error is detected 1198781 saves all states and outputs119884119894119901 = ldquoerrorrdquo 119884119894119906 = rep119894 = 1 and thus the final output forideal process is (estate119894 ldquoerrorrdquo ) If no error is detected1198781 checks the remaining four outputs If all checks pass 1198781outputs 119884119894119901 = 119884119894119906 = rep119894 = 0 that is the final outputfor ideal process is (estate119894 119910119894119901 119910119894119906) otherwise 1198781 selects arandom element 119903 and outputs 119884119894119901 = 119903 119884119894119906 = rep119894 = 1and the output for ideal process is (estate119894 119903 )
In addition we need to show that the inputs to (11988010158401 11988010158402)in the real experiment are computationally indistinguishablefrom those in the ideal one In the ideal experiment theinputs are selected uniformly at random In the real oneeach part of all five queries that 119879 makes to any programis generated by invoking the subroutine Rand and thus iscomputationally indistinguishable from random numbersTherefore we consider three possible conditions If (11988010158401 11988010158402)both are honest in round 119894 EVIEW119894real sim EVIEW119894ideal sincethe outputs of NIVBP are not replaced and rep119894 = 0
if one of (11988010158401 11988010158402) is dishonest in round 119894 the fault mustbe detected by both 119879 and 1198781 with a probability close to1 resulting in an output of ldquoerrorrdquo otherwise the outputof NIVBP is corrupted with a probability of 1120(119904 minus1)2 In the real experiment the five outputs generated by(11988010158401 11988010158402) are multiplied together along with a random valueThus EVIEW119894real sim EVIEW119894ideal even when one of (11988010158401 11988010158402)misbehaves so we conclude that EVIEWreal sim EVIEWideal
Second we prove that UVIEWreal sim UVIEWideal whichmeans that the untrusted software (11988010158401 11988010158402) learns nothingduring the execution of (119879 (11988010158401 11988010158402)) In the ideal experimentthe simulator 1198782 always behaves as follows when receiving theinput on round 119894 1198782 ignores it but submits five randomqueriesof the form (120572119895 120573119895) to 11988010158401 and 11988010158402 Then 1198782 saves its states andthose of (11988010158401 11988010158402) Since the honest secret or honest protectedor adversarial protected inputs are all private for (11988010158401 11988010158402) thesimulator 1198782 is applicable to all those conditions As shownin Pair One the inputs to (11988010158401 11988010158402) in the real experiment arecomputationally indistinguishable from those in the ideal onerandomly chosen by 1198782 Thus UVIEW119894real sim UVIEW119894ideal foreach round 119894 and so UVIEWreal sim UVIEWideal
Theorem 9 In the one-malicious model the proposed algo-rithm (119879 (1198801 1198802)) in Section 31 is verifiable that is theoutsourcer can test the error with a probability close to 1 if oneof the servers outputs the false result
Proof Assume that 1198801 is an honest server and 1198802 is amalicious server At the end of the algorithm the outsourcerverifies the results by formulas (4)ndash(6) It is obvious that 1198802must generate the correct value of 12057221 otherwise formula(4) cannot pass the verification with a probability of 1Thus the only possibility of 1198802 cheating 119879 is returningthe false value of 12057221 12057222 12057223 12057224 12057225 which is denoted by12057221 12057222 12057223 12057224 12057225 respectively
Assume that 12057221 12057222 12057223 12057224 12057225 could pass the verifica-tion of formulas (5) and (6) that is
(12057212 sdot 12057222 sdot 119890 (1198863119875 1198863119876))1199051+1= 12057214 sdot 12057224 sdot 119890 (1198864119875 1198871119876 + 1198872119876)1199051+1
(12057213 sdot 12057223 sdot 119890 (1198873119875 1198873119876))1199052+1= 12057215 sdot 12057225 sdot 119890 (1198861119875 + 1198862119875 1198874119876)1199052+1
(14)
which means that
(12057222)1199051+112057224 = 12057214 sdot 119890 (1198864119875 1198871119876 + 1198872119876)1199051+1120572121199051+1 sdot 119890 (1198863119875 1198863119876)1199051+1
(12057223)1199051+112057225 = 12057215 sdot 119890 (1198861119875 + 1198862119875 1198874119876)1199052+1120572131199052+1 sdot 119890 (1198873119875 1198873119876)1199052+1
(15)
Since 1198801 is an honest server 12057211 12057212 12057213 12057214 12057215 mustbe correct In addition 119890(1198863119875 1198863119876) 119890(1198873119875 1198873119876) 119890(1198864119875 1198871119876+1198872119876)1199051+1 119890(1198861119875 + 1198862119875 1198874119876)1199052+1 are generated randomly byRand subroutine and so these values must be true Thus the
6 Security and Communication Networks
Table 1 Comparison of the outsourcing algorithms for bilinearpairing
Algorithm Pair[24]
TZR1[25]
TZR2[25](119904 = 4) VBP [26] NIVBP(119904 = 4)
PA (119879) 5 4 11 8 8M (119879) 4 3 9 11 19Invoke (Rand) 3 1 2 2 1Pair (119880) 8 6 6 6 10MExp (119880) 0 0 0 4 0Interactive No No No Yes NoServers Two Two Two Two TwoCheckability 05 05 084 1 0999
values of (12057222)1199051+112057224 and (12057223)1199052+112057225 should be true even if12057221 12057222 12057223 12057224 12057225 are incorrect otherwise they could notpass the verification of formulas (5) and (6)
In order to obtain the true values of (12057222)1199051+112057224 and(12057223)1199052+1120572251198802must guess the values of12057221 12057222 1205722312057224 12057225and 1199051 1199052 As shown in Section 31 the probabilities ofguessing the true values of 12057221 12057222 12057223 12057224 12057225 and 1199051 1199052 are15 and 1(119904 minus 1)2 respectively Therefore the outsourcercan test the error with a probability of 1 minus 15(119904 minus 1)2 =1 minus 1120(119904 minus 1)2 asymp 1Theorem 10 In the one-malicious model the proposed algo-rithm (119879 (1198801 1198802)) is an (119874(119904119898) asymp 1)-outsource-secureimplementation of NIVBP where 119904 is a small positive integerand 119898 is the bit length of 119902 and 119902 is the order of 119866119866Proof The proposed algorithm NIVBP makes one call toRand and 8 point additions (PA) in 119866 or 119866 and 119874(119904)multiplication in 119866119879 in order to compute 119890(119860 119861) As shownin [24] it takes roughly 119874(119898) multiplications in resultingfinite field to compute the bilinear pairing where 119898 is thebit length of 119902 Thus the proposed algorithm is an 119874(119904119898)-efficient implementation of NIVBP On the other hand itmust be detected with a probability close to 1 if 1198801 or 1198802 failsduring any execution of NIVBP fromTheorem 9
33 Comparison We compare the outsourcing algorithmsfor bilinear pairing with input privacy in Table 1 where 119904is a small positive integer and ldquoPArdquo and ldquoMrdquo denote theoperation of point addition in 119866 or 119866 and multiplication in119866119879 respectively
From Table 1 we conclude that the NIVBP algorithmincreases checkability of the outsourcer though a little com-putation cost is appended comparedwith Pair andTZR1 algo-rithms In addition theNIVBP algorithm improves computa-tion efficiency and checkability of the outsourcer simultane-ously compared with TZR2 algorithm for the same param-eter 119904 = 4 The efficiency and checkability of the NIVBPalgorithm are nearly the same as those of VBP algorithm butit decreases the communication cost since it is noninteractivewhile the VBP algorithm is interactiveTherefore theNIVBP
algorithm increases checkability and decreases communica-tion cost of the outsourcer although a little computation costis appended
4 Applications
In this section we introduce two applications of the pro-posed NIVBP algorithm anonymous identity-based encryp-tion (AIBE) scheme [27] and identity-based signature (IBS)scheme [28]
Let119866119866 119866119879 be three cyclicmultiplication groups of order119902 and let 119892 119892 be generators of 119866119866 respectively 119890 119866 times119866 rarr119866119879 is a bilinear map In the following schemes 119866 = 11986641 Boyen-Waters AIBE Scheme with Outsourcing DecryptionThe proposed outsource-secure AIBE scheme consists of thefollowing algorithms
Setup It chooses a random generator 119892 isin 119866 random groupelements 1198920 1198921 isin 119866 and random exponents 120596 1199051 1199052 1199053 1199054 isin119885119902 The master key MSK = 120596 1199051 1199052 1199053 1199054 and the publicparameters PK are as follows
119890 (119892 119892)11990511199052120596 119892 1198920 1198921 V1 = 1198921199051 V2 = 1198921199052 V3 = 1198921199053 V4= 1198921199054 (16)
Extract (MSK ID) To issue a private key for identity ID itchooses two random exponents 1199031 1199032 isin 119885119902 and computes theprivate key SKID = 1198890 1198891 1198892 1198893 1198894 as follows
1198890 = 119892119903111990511199052+119903211990531199054 1198891 = 119892minus1205961199052 (11989201198921ID)minus11990311199052 1198892 = 119892minus1205961199051 (11989201198921ID)minus11990311199051 1198893 = (11989201198921ID)minus11990321199054 1198894 = (11989201198921ID)minus11990321199053
(17)
Encrypt (PK ID M) To encrypt a message 119872 isin 119866119879 for anidentity ID it chooses random 119904 1199041 1199042 isin 119885119902 and creates theciphertext CT = 1198621015840 1198620 1198621 1198622 1198623 1198624 as follows
119872119890 (119892 119892)11990511199052120596119904 (11989201198921ID)119904 V1119904minus1199041 V21199041 V3119904minus1199042 V41199042 (18)
Decrypt (PK ID CT) The outsourcer 119879 executes the NIVBPalgorithm for five times and obtains
119890 (119862119894 119889119894) = NIVBP (119862119894 119889119894) 119894 = 0 1 2 3 4 (19)
and then computes 1198621015840prod4119894=0119890(119862119894 119889119894) = 119872
Security and Communication Networks 7
42 Paterson-Schuldt IBS Scheme with Outsourcing Verifica-tion The detailed scheme is shown as follows
Setup It picks 120572 isin 119885119902 1198922 isin 119866 and computes 1198921 =119892120572 Further choose 1199061015840 1198981015840 isin 119866 and vectors 119880 = (119906119894)119872 = (119898119894) of length 119899119906 and 119899119898 respectively where 119906119894 119898119894 arerandom elements from 119866 The public parameters are PK =119892 1198921 1198922 1199061015840 1198801198981015840119872 119890(1198922 1198921) and the master secret key is1198922120572Extract Let 119906 be a bit string of length 119899119906 representing anidentity and let 119906[119894] be the 119894-th bit of 119906 Set 119880 sub 1 2 119899119906as the set of index 119894 such that 119906[119894] = 1 To construct the privatekey 119889119906 of the identity 119906 pick 119903119906 isin 119885119902 and compute
119889119906 = (1198922120572(1199061015840prod119894isin119880
119906119894)119903119906 119892119903119906) (20)
Sign Let 119872 sub 1 119899119898 be the set of index 119895 such that119898[119895] = 1 where 119898 is a message and 119898[119895] is the 119895-th bit of119898 To generate a signature 120590 for the message 119898 randomlychoose 119903119898 isin 119885119902 and compute
120590 = (1198922120572(1199061015840prod119894isin119880
119906119894)119903119906 (1198981015840prod
119895isin119872
119898119895)119903119898 119892119903119906 119892119903119898) (21)
Verify Given a signature 120590 = (119881 119877119906 119877119898) of an identity 119906 for amessage 119898 the outsourcer 119879 executes the NIVBP algorithmand obtains
119890 (119881 119892) = 119873119868119881119861119875 (119881 119892) 119890 (1199061015840prod119894isin119880
119906119894 119877119906) = 119873119868119881119861119875(1199061015840prod119894isin119880
119906119894 119877119906)
119890(1199061015840prod119894isin119880
119906119894 119877119906) = 119873119868119881119861119875(1198981015840prod119895isin119872
119898119895 119877119898) (22)
And verify
119890 (119881 119892)= 119890 (1198922 1198921) 119890(1199061015840prod
119894isin119880
119906119894 119877119906)119890(1199061015840prod119894isin119880
119906119894 119877119906) (23)
It is obvious that the two outsourcing schemes areverifiable and secure since the NIVBP algorithm is verifiablewith input privacy as described in Section 3
5 Performance Evaluation
In this section we provide an experimental evaluation ofthe proposed outsourcing algorithms Our experiment issimulated on two machines with Intel Xeon Processor run-ning at 34GHz with 32G memory (cloud server) and IntelCeleron Processor running at 12 GHz with 2G memory (the
Tim
e (m
s)
200 300 400 500 600 700 800 900 1000100Computing rounds
0
1000
2000
3000
4000
5000
6000
7000
DirectServer (U1)Server (U2)
Client
Figure 1 Simulation for the NIVBP algorithm
outsourcer) respectively The programming language is Javausing Java Pairing-Based Cryptography (JPBC) Library Theparameter 119902 is a 160-bit prime that is randomly generated
In Figure 1 we provide the simulation of NIVBP algo-rithm which means that the fault can be found with aprobability close to 1 if one of the servers misbehaves Itis obvious that the time cost for the outsourcer 119879 is muchsmaller than that for directly computing bilinear pairingsince a number of computations have been delegated totwo servers Therefore the proposed NIVBP algorithm isthe implementation of secure and verifiable outsourcing forbilinear pairing
In Figure 2 we compare the evaluation times of theoutsourcing algorithms for bilinear pairing proposed in[24ndash26] and this paper respectively From Figure 2 weconclude that for the outsourcer 119879 the NIVBP algorithm issuperior toTZR2 algorithm in efficiency and it appends smallcomputation cost to improve the checkability compared withPair and TZR1 algorithms In addition the NIVBP algorithmis nearly the same as VBP algorithm in efficiency but it isnoninteractive and decreases the communication cost of theoutsourcer Thus the proposed NIVBP algorithm improvesthe checkability and decreases communication cost for theoutsourcer simultaneously based on two servers in the one-malicious model
6 Conclusions
In this paper we propose a noninteractive verifiable out-source-secure algorithm for bilinear pairing The securitymodel of our proposed algorithm is based on two noncol-luding servers and the outsourcer can detect any failure witha probability close to 1 if one of the servers misbehavesCompared with the previous ones the proposed algorithmimproves the checkability and communication efficiencysimultaneously for the outsourcer
8 Security and Communication NetworksTi
me (
ms)
0
100
200
300
400
500
600
700
800
200 300 400 500 600 700 800 900 1000100Computing rounds
VBP [26]NIVBP (s = 4)
Pair [24]TZR1 [25]
TZR2 [25] (s = 4)
Figure 2 Efficiency comparison of the outsourcing algorithms forbilinear pairing
Conflicts of Interest
The authors declare that they have no conflicts of interest
Acknowledgments
The work described in this paper was supported by theNational Natural Science Foundation of China (Grant no61572309) Natural Science Foundation of Shanghai (no16ZR1411200) and Program for New Century Excellent Tal-ents in University (NCET-12-0620)
References
[1] X F Chen J Li J Ma Q Tang and W Lou ldquoNew algorithmsfor secure outsourcing of modular exponentiationsrdquo IEEETransactions On Parallel And Distributed Systems vol 25 no9 pp 2386ndash2396 2014
[2] RGennaro CGentry andB Parno ldquoNon-interactive verifiablecomputing outsourcing computation to untrusted workersrdquo inAdvances in cryptologymdashCRYPTO 2010 vol 6223 of LectureNotes in Comput Sci pp 465ndash482 Springer Berlin Germany2010
[3] K-M Chung Y Kalai and S Vadhan ldquoImproved delega-tion of computation using fully homomorphic encryptionrdquo inAdvances in cryptologymdashCRYPTO 2010 vol 6223 of LectureNotes in Comput Sci pp 483ndash501 Springer Berlin Germany2010
[4] D Chaum and T Pedersen ldquoWallet databases with observersrdquoin Advances in CryptologymdashCRYPTOrsquo 92 vol 740 of LectureNotes in Computer Science pp 89ndash105 Springer Berlin Ger-many 1993
[5] S Hohenberger and A Lysyanskaya ldquoHow to securely out-source cryptographic computationsrdquo in Proceedings of the TCC2005 vol 3378 of Lecture Notes in Computer Science pp 264ndash282 Springer
[6] Y Ren N Dingy X Zhang H Lu and D Gu ldquoVerifi-able outsourcing algorithms for modular exponentiations withimproved checkabilityrdquo in Proceedings of the 11th ACM AsiaConference on Computer and Communications Security ASIACCS 2016 pp 293ndash303 ACM June 2016
[7] J-Z Lai R H Deng C Guan and J Weng ldquoAttribute-based encryption with verifiable outsourced decryptionrdquo IEEETransactions on Information Forensics and Security vol 8 no 8pp 1343ndash1354 2013
[8] B Qin R H Deng S Liu and S Ma ldquoAttribute-basedencryption with efficient verifiable outsourced decryptionrdquoIEEE Transactions on Information Forensics and Security vol 10no 7 pp 1384ndash1393 2015
[9] X Chen J Li X Huang J Li Y Xiang and D SWong ldquoSecureoutsourced attribute-based signaturesrdquo IEEE Transactions onParallel and Distributed Systems vol 25 no 12 pp 3284ndash32942014
[10] J Yu K Ren and C Wang ldquoEnabling cloud storage auditingwith verifiable outsourcing of key updatesrdquo IEEE Transactionson Information Forensics and Security vol 11 no 6 pp 1362ndash1375 2016
[11] C Wang Q Wang K Ren and W Lou ldquoPrivacy-preservingpublic auditing for data storage security in cloud computingrdquoin Proceedings of the IEEE INFO-COM pp 525ndash533 San DiegoCalif USA March 2010
[12] Y Ren N Ding X Zhang H Lu and D Gu ldquoIdentity-basedencryption with verifiable outsourced revocationrdquo ComputerJournal vol 59 no 11 pp 1659ndash1668 2016
[13] X Chen X Huang J Li J Ma W Lou and D S WongldquoNew algorithms for secure outsourcing of large-scale systemsof linear equationsrdquo IEEE Transactions on Information andForensics Security vol 10 no 1 pp 69ndash78 2015
[14] Y Ren X Zhang G Feng Z Qian and F Li ldquoHow to ExtractImage Features based on Co-occurrence Matrix Securely andEfficiently in Cloud Computingrdquo IEEE Transactions on CloudComputing 2017
[15] D Boneh andM Franklin ldquoIdentity-based encryption from theWeil pairingrdquo in Advances in CryptologymdashCRYPTO 2001 vol2139 of LectureNotes in Computer Science pp 213ndash229 SpringerBerlin Germany 2001
[16] J C Cha and JH Cheon ldquoAn identity-based signature fromgapDiffie-Hellman groupsrdquo in Proceedings of the PKC vol 2567 ofLecture Notes in Computer Science pp 18ndash30 Springer
[17] A Joux ldquoA one round protocol for tripartite Diffie-Hellmanrdquo inProceedings of the ANTS vol 1838 of Lecture Notes in ComputerScience pp 385ndash393 Springer 2000
[18] M Scott N Costigan and W Abdulwahab ldquoImplementingcryptographic pairings on smartcardsrdquo in Proceedings of theCHES vol 4249 of LNCS pp 134ndash147 2006
[19] P S Barreto S D Galbraith C Heigeartaigh and M ScottldquoEfficient pairing computation on supersingular abelian vari-etiesrdquo Designs Codes and Cryptography vol 42 no 3 pp 239ndash271 2007
[20] B Chevallier-Mames J-S Coron N McCullagh D Naccacheand M Scott ldquoSecure delegation of elliptic-curve pairingrdquo inProceedings of the CARDIS 2010 vol 6035 of LNCS pp 24ndash352010
[21] S D Galbraith K G Paterson and N Smart ldquoPairings forcryptographersrdquo Discrete Applied Mathematics vol 156 no 16pp 3113ndash3121 2008
[22] P Tsang S Chow and S Smith ldquoBatch pairing delegationrdquo inProceedings of the IWSEC 2007 90 74 pages 2007
Security and Communication Networks 9
[23] S SMChowMHAu andW Susilo ldquoServer-aided signaturesverification secure against collusion attackrdquo in Proceedings ofthe 6th International Symposium on Information Computer andCommunications Security ASIACCS 2011 pp 401ndash405 March2011
[24] X Chen W Susilo J Li et al ldquoEfficient algorithms for secureoutsourcing of bilinear pairingsrdquoTheoretical Computer Sciencevol 562 pp 112ndash121 2015
[25] H Tian F Zhang and K Ren ldquoSecure bilinear pairingoutsourcing made more efficient and flexiblerdquo in Proceedingsof the 10th ACM Symposium on Information Computer andCommunications Security ASIACCS 2015 pp 417ndash426 April2015
[26] Y Ren N Ding T Wang H Lu and D Gu ldquoNew algorithmsfor verifiable outsourcing of bilinear pairingsrdquo Science ChinaInformation Sciences vol 59 no 9 Article ID 99103 2016
[27] X Boyen and B Waters ldquoAnonymous hierarchical identity-based encryption (without random oracles)rdquo in Advances incryptologymdashCRYPTO 2006 vol 4117 of Lecture Notes in Com-puter Science pp 290ndash307 Springer Berlin Germany 2006
[28] K G Paterson and J C N Schuldt ldquoEfficient identity-basedsignatures secure in the standard modelrdquo in Proceedings of theACISP 2006 vol 4058 of Lecture Notes in Computer Science pp207ndash222 Springer
RoboticsJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Active and Passive Electronic Components
Control Scienceand Engineering
Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
International Journal of
RotatingMachinery
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporation httpwwwhindawicom
Journal of
Volume 201
Submit your manuscripts athttpswwwhindawicom
VLSI Design
Hindawi Publishing Corporationhttpwwwhindawicom Volume 201
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Shock and Vibration
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Civil EngineeringAdvances in
Acoustics and VibrationAdvances in
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Electrical and Computer Engineering
Journal of
Advances inOptoElectronics
Hindawi Publishing Corporation httpwwwhindawicom
Volume 2014
The Scientific World JournalHindawi Publishing Corporation httpwwwhindawicom Volume 2014
SensorsJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Modelling amp Simulation in EngineeringHindawi Publishing Corporation httpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Chemical EngineeringInternational Journal of Antennas and
Propagation
International Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Navigation and Observation
International Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
DistributedSensor Networks
International Journal of
6 Security and Communication Networks
Table 1 Comparison of the outsourcing algorithms for bilinearpairing
Algorithm Pair[24]
TZR1[25]
TZR2[25](119904 = 4) VBP [26] NIVBP(119904 = 4)
PA (119879) 5 4 11 8 8M (119879) 4 3 9 11 19Invoke (Rand) 3 1 2 2 1Pair (119880) 8 6 6 6 10MExp (119880) 0 0 0 4 0Interactive No No No Yes NoServers Two Two Two Two TwoCheckability 05 05 084 1 0999
values of (12057222)1199051+112057224 and (12057223)1199052+112057225 should be true even if12057221 12057222 12057223 12057224 12057225 are incorrect otherwise they could notpass the verification of formulas (5) and (6)
In order to obtain the true values of (12057222)1199051+112057224 and(12057223)1199052+1120572251198802must guess the values of12057221 12057222 1205722312057224 12057225and 1199051 1199052 As shown in Section 31 the probabilities ofguessing the true values of 12057221 12057222 12057223 12057224 12057225 and 1199051 1199052 are15 and 1(119904 minus 1)2 respectively Therefore the outsourcercan test the error with a probability of 1 minus 15(119904 minus 1)2 =1 minus 1120(119904 minus 1)2 asymp 1Theorem 10 In the one-malicious model the proposed algo-rithm (119879 (1198801 1198802)) is an (119874(119904119898) asymp 1)-outsource-secureimplementation of NIVBP where 119904 is a small positive integerand 119898 is the bit length of 119902 and 119902 is the order of 119866119866Proof The proposed algorithm NIVBP makes one call toRand and 8 point additions (PA) in 119866 or 119866 and 119874(119904)multiplication in 119866119879 in order to compute 119890(119860 119861) As shownin [24] it takes roughly 119874(119898) multiplications in resultingfinite field to compute the bilinear pairing where 119898 is thebit length of 119902 Thus the proposed algorithm is an 119874(119904119898)-efficient implementation of NIVBP On the other hand itmust be detected with a probability close to 1 if 1198801 or 1198802 failsduring any execution of NIVBP fromTheorem 9
33 Comparison We compare the outsourcing algorithmsfor bilinear pairing with input privacy in Table 1 where 119904is a small positive integer and ldquoPArdquo and ldquoMrdquo denote theoperation of point addition in 119866 or 119866 and multiplication in119866119879 respectively
From Table 1 we conclude that the NIVBP algorithmincreases checkability of the outsourcer though a little com-putation cost is appended comparedwith Pair andTZR1 algo-rithms In addition theNIVBP algorithm improves computa-tion efficiency and checkability of the outsourcer simultane-ously compared with TZR2 algorithm for the same param-eter 119904 = 4 The efficiency and checkability of the NIVBPalgorithm are nearly the same as those of VBP algorithm butit decreases the communication cost since it is noninteractivewhile the VBP algorithm is interactiveTherefore theNIVBP
algorithm increases checkability and decreases communica-tion cost of the outsourcer although a little computation costis appended
4 Applications
In this section we introduce two applications of the pro-posed NIVBP algorithm anonymous identity-based encryp-tion (AIBE) scheme [27] and identity-based signature (IBS)scheme [28]
Let119866119866 119866119879 be three cyclicmultiplication groups of order119902 and let 119892 119892 be generators of 119866119866 respectively 119890 119866 times119866 rarr119866119879 is a bilinear map In the following schemes 119866 = 11986641 Boyen-Waters AIBE Scheme with Outsourcing DecryptionThe proposed outsource-secure AIBE scheme consists of thefollowing algorithms
Setup It chooses a random generator 119892 isin 119866 random groupelements 1198920 1198921 isin 119866 and random exponents 120596 1199051 1199052 1199053 1199054 isin119885119902 The master key MSK = 120596 1199051 1199052 1199053 1199054 and the publicparameters PK are as follows
119890 (119892 119892)11990511199052120596 119892 1198920 1198921 V1 = 1198921199051 V2 = 1198921199052 V3 = 1198921199053 V4= 1198921199054 (16)
Extract (MSK ID) To issue a private key for identity ID itchooses two random exponents 1199031 1199032 isin 119885119902 and computes theprivate key SKID = 1198890 1198891 1198892 1198893 1198894 as follows
1198890 = 119892119903111990511199052+119903211990531199054 1198891 = 119892minus1205961199052 (11989201198921ID)minus11990311199052 1198892 = 119892minus1205961199051 (11989201198921ID)minus11990311199051 1198893 = (11989201198921ID)minus11990321199054 1198894 = (11989201198921ID)minus11990321199053
(17)
Encrypt (PK ID M) To encrypt a message 119872 isin 119866119879 for anidentity ID it chooses random 119904 1199041 1199042 isin 119885119902 and creates theciphertext CT = 1198621015840 1198620 1198621 1198622 1198623 1198624 as follows
119872119890 (119892 119892)11990511199052120596119904 (11989201198921ID)119904 V1119904minus1199041 V21199041 V3119904minus1199042 V41199042 (18)
Decrypt (PK ID CT) The outsourcer 119879 executes the NIVBPalgorithm for five times and obtains
119890 (119862119894 119889119894) = NIVBP (119862119894 119889119894) 119894 = 0 1 2 3 4 (19)
and then computes 1198621015840prod4119894=0119890(119862119894 119889119894) = 119872
Security and Communication Networks 7
42 Paterson-Schuldt IBS Scheme with Outsourcing Verifica-tion The detailed scheme is shown as follows
Setup It picks 120572 isin 119885119902 1198922 isin 119866 and computes 1198921 =119892120572 Further choose 1199061015840 1198981015840 isin 119866 and vectors 119880 = (119906119894)119872 = (119898119894) of length 119899119906 and 119899119898 respectively where 119906119894 119898119894 arerandom elements from 119866 The public parameters are PK =119892 1198921 1198922 1199061015840 1198801198981015840119872 119890(1198922 1198921) and the master secret key is1198922120572Extract Let 119906 be a bit string of length 119899119906 representing anidentity and let 119906[119894] be the 119894-th bit of 119906 Set 119880 sub 1 2 119899119906as the set of index 119894 such that 119906[119894] = 1 To construct the privatekey 119889119906 of the identity 119906 pick 119903119906 isin 119885119902 and compute
119889119906 = (1198922120572(1199061015840prod119894isin119880
119906119894)119903119906 119892119903119906) (20)
Sign Let 119872 sub 1 119899119898 be the set of index 119895 such that119898[119895] = 1 where 119898 is a message and 119898[119895] is the 119895-th bit of119898 To generate a signature 120590 for the message 119898 randomlychoose 119903119898 isin 119885119902 and compute
120590 = (1198922120572(1199061015840prod119894isin119880
119906119894)119903119906 (1198981015840prod
119895isin119872
119898119895)119903119898 119892119903119906 119892119903119898) (21)
Verify Given a signature 120590 = (119881 119877119906 119877119898) of an identity 119906 for amessage 119898 the outsourcer 119879 executes the NIVBP algorithmand obtains
119890 (119881 119892) = 119873119868119881119861119875 (119881 119892) 119890 (1199061015840prod119894isin119880
119906119894 119877119906) = 119873119868119881119861119875(1199061015840prod119894isin119880
119906119894 119877119906)
119890(1199061015840prod119894isin119880
119906119894 119877119906) = 119873119868119881119861119875(1198981015840prod119895isin119872
119898119895 119877119898) (22)
And verify
119890 (119881 119892)= 119890 (1198922 1198921) 119890(1199061015840prod
119894isin119880
119906119894 119877119906)119890(1199061015840prod119894isin119880
119906119894 119877119906) (23)
It is obvious that the two outsourcing schemes areverifiable and secure since the NIVBP algorithm is verifiablewith input privacy as described in Section 3
5 Performance Evaluation
In this section we provide an experimental evaluation ofthe proposed outsourcing algorithms Our experiment issimulated on two machines with Intel Xeon Processor run-ning at 34GHz with 32G memory (cloud server) and IntelCeleron Processor running at 12 GHz with 2G memory (the
Tim
e (m
s)
200 300 400 500 600 700 800 900 1000100Computing rounds
0
1000
2000
3000
4000
5000
6000
7000
DirectServer (U1)Server (U2)
Client
Figure 1 Simulation for the NIVBP algorithm
outsourcer) respectively The programming language is Javausing Java Pairing-Based Cryptography (JPBC) Library Theparameter 119902 is a 160-bit prime that is randomly generated
In Figure 1 we provide the simulation of NIVBP algo-rithm which means that the fault can be found with aprobability close to 1 if one of the servers misbehaves Itis obvious that the time cost for the outsourcer 119879 is muchsmaller than that for directly computing bilinear pairingsince a number of computations have been delegated totwo servers Therefore the proposed NIVBP algorithm isthe implementation of secure and verifiable outsourcing forbilinear pairing
In Figure 2 we compare the evaluation times of theoutsourcing algorithms for bilinear pairing proposed in[24ndash26] and this paper respectively From Figure 2 weconclude that for the outsourcer 119879 the NIVBP algorithm issuperior toTZR2 algorithm in efficiency and it appends smallcomputation cost to improve the checkability compared withPair and TZR1 algorithms In addition the NIVBP algorithmis nearly the same as VBP algorithm in efficiency but it isnoninteractive and decreases the communication cost of theoutsourcer Thus the proposed NIVBP algorithm improvesthe checkability and decreases communication cost for theoutsourcer simultaneously based on two servers in the one-malicious model
6 Conclusions
In this paper we propose a noninteractive verifiable out-source-secure algorithm for bilinear pairing The securitymodel of our proposed algorithm is based on two noncol-luding servers and the outsourcer can detect any failure witha probability close to 1 if one of the servers misbehavesCompared with the previous ones the proposed algorithmimproves the checkability and communication efficiencysimultaneously for the outsourcer
8 Security and Communication NetworksTi
me (
ms)
0
100
200
300
400
500
600
700
800
200 300 400 500 600 700 800 900 1000100Computing rounds
VBP [26]NIVBP (s = 4)
Pair [24]TZR1 [25]
TZR2 [25] (s = 4)
Figure 2 Efficiency comparison of the outsourcing algorithms forbilinear pairing
Conflicts of Interest
The authors declare that they have no conflicts of interest
Acknowledgments
The work described in this paper was supported by theNational Natural Science Foundation of China (Grant no61572309) Natural Science Foundation of Shanghai (no16ZR1411200) and Program for New Century Excellent Tal-ents in University (NCET-12-0620)
References
[1] X F Chen J Li J Ma Q Tang and W Lou ldquoNew algorithmsfor secure outsourcing of modular exponentiationsrdquo IEEETransactions On Parallel And Distributed Systems vol 25 no9 pp 2386ndash2396 2014
[2] RGennaro CGentry andB Parno ldquoNon-interactive verifiablecomputing outsourcing computation to untrusted workersrdquo inAdvances in cryptologymdashCRYPTO 2010 vol 6223 of LectureNotes in Comput Sci pp 465ndash482 Springer Berlin Germany2010
[3] K-M Chung Y Kalai and S Vadhan ldquoImproved delega-tion of computation using fully homomorphic encryptionrdquo inAdvances in cryptologymdashCRYPTO 2010 vol 6223 of LectureNotes in Comput Sci pp 483ndash501 Springer Berlin Germany2010
[4] D Chaum and T Pedersen ldquoWallet databases with observersrdquoin Advances in CryptologymdashCRYPTOrsquo 92 vol 740 of LectureNotes in Computer Science pp 89ndash105 Springer Berlin Ger-many 1993
[5] S Hohenberger and A Lysyanskaya ldquoHow to securely out-source cryptographic computationsrdquo in Proceedings of the TCC2005 vol 3378 of Lecture Notes in Computer Science pp 264ndash282 Springer
[6] Y Ren N Dingy X Zhang H Lu and D Gu ldquoVerifi-able outsourcing algorithms for modular exponentiations withimproved checkabilityrdquo in Proceedings of the 11th ACM AsiaConference on Computer and Communications Security ASIACCS 2016 pp 293ndash303 ACM June 2016
[7] J-Z Lai R H Deng C Guan and J Weng ldquoAttribute-based encryption with verifiable outsourced decryptionrdquo IEEETransactions on Information Forensics and Security vol 8 no 8pp 1343ndash1354 2013
[8] B Qin R H Deng S Liu and S Ma ldquoAttribute-basedencryption with efficient verifiable outsourced decryptionrdquoIEEE Transactions on Information Forensics and Security vol 10no 7 pp 1384ndash1393 2015
[9] X Chen J Li X Huang J Li Y Xiang and D SWong ldquoSecureoutsourced attribute-based signaturesrdquo IEEE Transactions onParallel and Distributed Systems vol 25 no 12 pp 3284ndash32942014
[10] J Yu K Ren and C Wang ldquoEnabling cloud storage auditingwith verifiable outsourcing of key updatesrdquo IEEE Transactionson Information Forensics and Security vol 11 no 6 pp 1362ndash1375 2016
[11] C Wang Q Wang K Ren and W Lou ldquoPrivacy-preservingpublic auditing for data storage security in cloud computingrdquoin Proceedings of the IEEE INFO-COM pp 525ndash533 San DiegoCalif USA March 2010
[12] Y Ren N Ding X Zhang H Lu and D Gu ldquoIdentity-basedencryption with verifiable outsourced revocationrdquo ComputerJournal vol 59 no 11 pp 1659ndash1668 2016
[13] X Chen X Huang J Li J Ma W Lou and D S WongldquoNew algorithms for secure outsourcing of large-scale systemsof linear equationsrdquo IEEE Transactions on Information andForensics Security vol 10 no 1 pp 69ndash78 2015
[14] Y Ren X Zhang G Feng Z Qian and F Li ldquoHow to ExtractImage Features based on Co-occurrence Matrix Securely andEfficiently in Cloud Computingrdquo IEEE Transactions on CloudComputing 2017
[15] D Boneh andM Franklin ldquoIdentity-based encryption from theWeil pairingrdquo in Advances in CryptologymdashCRYPTO 2001 vol2139 of LectureNotes in Computer Science pp 213ndash229 SpringerBerlin Germany 2001
[16] J C Cha and JH Cheon ldquoAn identity-based signature fromgapDiffie-Hellman groupsrdquo in Proceedings of the PKC vol 2567 ofLecture Notes in Computer Science pp 18ndash30 Springer
[17] A Joux ldquoA one round protocol for tripartite Diffie-Hellmanrdquo inProceedings of the ANTS vol 1838 of Lecture Notes in ComputerScience pp 385ndash393 Springer 2000
[18] M Scott N Costigan and W Abdulwahab ldquoImplementingcryptographic pairings on smartcardsrdquo in Proceedings of theCHES vol 4249 of LNCS pp 134ndash147 2006
[19] P S Barreto S D Galbraith C Heigeartaigh and M ScottldquoEfficient pairing computation on supersingular abelian vari-etiesrdquo Designs Codes and Cryptography vol 42 no 3 pp 239ndash271 2007
[20] B Chevallier-Mames J-S Coron N McCullagh D Naccacheand M Scott ldquoSecure delegation of elliptic-curve pairingrdquo inProceedings of the CARDIS 2010 vol 6035 of LNCS pp 24ndash352010
[21] S D Galbraith K G Paterson and N Smart ldquoPairings forcryptographersrdquo Discrete Applied Mathematics vol 156 no 16pp 3113ndash3121 2008
[22] P Tsang S Chow and S Smith ldquoBatch pairing delegationrdquo inProceedings of the IWSEC 2007 90 74 pages 2007
Security and Communication Networks 9
[23] S SMChowMHAu andW Susilo ldquoServer-aided signaturesverification secure against collusion attackrdquo in Proceedings ofthe 6th International Symposium on Information Computer andCommunications Security ASIACCS 2011 pp 401ndash405 March2011
[24] X Chen W Susilo J Li et al ldquoEfficient algorithms for secureoutsourcing of bilinear pairingsrdquoTheoretical Computer Sciencevol 562 pp 112ndash121 2015
[25] H Tian F Zhang and K Ren ldquoSecure bilinear pairingoutsourcing made more efficient and flexiblerdquo in Proceedingsof the 10th ACM Symposium on Information Computer andCommunications Security ASIACCS 2015 pp 417ndash426 April2015
[26] Y Ren N Ding T Wang H Lu and D Gu ldquoNew algorithmsfor verifiable outsourcing of bilinear pairingsrdquo Science ChinaInformation Sciences vol 59 no 9 Article ID 99103 2016
[27] X Boyen and B Waters ldquoAnonymous hierarchical identity-based encryption (without random oracles)rdquo in Advances incryptologymdashCRYPTO 2006 vol 4117 of Lecture Notes in Com-puter Science pp 290ndash307 Springer Berlin Germany 2006
[28] K G Paterson and J C N Schuldt ldquoEfficient identity-basedsignatures secure in the standard modelrdquo in Proceedings of theACISP 2006 vol 4058 of Lecture Notes in Computer Science pp207ndash222 Springer
RoboticsJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Active and Passive Electronic Components
Control Scienceand Engineering
Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
International Journal of
RotatingMachinery
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporation httpwwwhindawicom
Journal of
Volume 201
Submit your manuscripts athttpswwwhindawicom
VLSI Design
Hindawi Publishing Corporationhttpwwwhindawicom Volume 201
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Shock and Vibration
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Civil EngineeringAdvances in
Acoustics and VibrationAdvances in
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Electrical and Computer Engineering
Journal of
Advances inOptoElectronics
Hindawi Publishing Corporation httpwwwhindawicom
Volume 2014
The Scientific World JournalHindawi Publishing Corporation httpwwwhindawicom Volume 2014
SensorsJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Modelling amp Simulation in EngineeringHindawi Publishing Corporation httpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Chemical EngineeringInternational Journal of Antennas and
Propagation
International Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Navigation and Observation
International Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
DistributedSensor Networks
International Journal of
Security and Communication Networks 7
42 Paterson-Schuldt IBS Scheme with Outsourcing Verifica-tion The detailed scheme is shown as follows
Setup It picks 120572 isin 119885119902 1198922 isin 119866 and computes 1198921 =119892120572 Further choose 1199061015840 1198981015840 isin 119866 and vectors 119880 = (119906119894)119872 = (119898119894) of length 119899119906 and 119899119898 respectively where 119906119894 119898119894 arerandom elements from 119866 The public parameters are PK =119892 1198921 1198922 1199061015840 1198801198981015840119872 119890(1198922 1198921) and the master secret key is1198922120572Extract Let 119906 be a bit string of length 119899119906 representing anidentity and let 119906[119894] be the 119894-th bit of 119906 Set 119880 sub 1 2 119899119906as the set of index 119894 such that 119906[119894] = 1 To construct the privatekey 119889119906 of the identity 119906 pick 119903119906 isin 119885119902 and compute
119889119906 = (1198922120572(1199061015840prod119894isin119880
119906119894)119903119906 119892119903119906) (20)
Sign Let 119872 sub 1 119899119898 be the set of index 119895 such that119898[119895] = 1 where 119898 is a message and 119898[119895] is the 119895-th bit of119898 To generate a signature 120590 for the message 119898 randomlychoose 119903119898 isin 119885119902 and compute
120590 = (1198922120572(1199061015840prod119894isin119880
119906119894)119903119906 (1198981015840prod
119895isin119872
119898119895)119903119898 119892119903119906 119892119903119898) (21)
Verify Given a signature 120590 = (119881 119877119906 119877119898) of an identity 119906 for amessage 119898 the outsourcer 119879 executes the NIVBP algorithmand obtains
119890 (119881 119892) = 119873119868119881119861119875 (119881 119892) 119890 (1199061015840prod119894isin119880
119906119894 119877119906) = 119873119868119881119861119875(1199061015840prod119894isin119880
119906119894 119877119906)
119890(1199061015840prod119894isin119880
119906119894 119877119906) = 119873119868119881119861119875(1198981015840prod119895isin119872
119898119895 119877119898) (22)
And verify
119890 (119881 119892)= 119890 (1198922 1198921) 119890(1199061015840prod
119894isin119880
119906119894 119877119906)119890(1199061015840prod119894isin119880
119906119894 119877119906) (23)
It is obvious that the two outsourcing schemes areverifiable and secure since the NIVBP algorithm is verifiablewith input privacy as described in Section 3
5 Performance Evaluation
In this section we provide an experimental evaluation ofthe proposed outsourcing algorithms Our experiment issimulated on two machines with Intel Xeon Processor run-ning at 34GHz with 32G memory (cloud server) and IntelCeleron Processor running at 12 GHz with 2G memory (the
Tim
e (m
s)
200 300 400 500 600 700 800 900 1000100Computing rounds
0
1000
2000
3000
4000
5000
6000
7000
DirectServer (U1)Server (U2)
Client
Figure 1 Simulation for the NIVBP algorithm
outsourcer) respectively The programming language is Javausing Java Pairing-Based Cryptography (JPBC) Library Theparameter 119902 is a 160-bit prime that is randomly generated
In Figure 1 we provide the simulation of NIVBP algo-rithm which means that the fault can be found with aprobability close to 1 if one of the servers misbehaves Itis obvious that the time cost for the outsourcer 119879 is muchsmaller than that for directly computing bilinear pairingsince a number of computations have been delegated totwo servers Therefore the proposed NIVBP algorithm isthe implementation of secure and verifiable outsourcing forbilinear pairing
In Figure 2 we compare the evaluation times of theoutsourcing algorithms for bilinear pairing proposed in[24ndash26] and this paper respectively From Figure 2 weconclude that for the outsourcer 119879 the NIVBP algorithm issuperior toTZR2 algorithm in efficiency and it appends smallcomputation cost to improve the checkability compared withPair and TZR1 algorithms In addition the NIVBP algorithmis nearly the same as VBP algorithm in efficiency but it isnoninteractive and decreases the communication cost of theoutsourcer Thus the proposed NIVBP algorithm improvesthe checkability and decreases communication cost for theoutsourcer simultaneously based on two servers in the one-malicious model
6 Conclusions
In this paper we propose a noninteractive verifiable out-source-secure algorithm for bilinear pairing The securitymodel of our proposed algorithm is based on two noncol-luding servers and the outsourcer can detect any failure witha probability close to 1 if one of the servers misbehavesCompared with the previous ones the proposed algorithmimproves the checkability and communication efficiencysimultaneously for the outsourcer
8 Security and Communication NetworksTi
me (
ms)
0
100
200
300
400
500
600
700
800
200 300 400 500 600 700 800 900 1000100Computing rounds
VBP [26]NIVBP (s = 4)
Pair [24]TZR1 [25]
TZR2 [25] (s = 4)
Figure 2 Efficiency comparison of the outsourcing algorithms forbilinear pairing
Conflicts of Interest
The authors declare that they have no conflicts of interest
Acknowledgments
The work described in this paper was supported by theNational Natural Science Foundation of China (Grant no61572309) Natural Science Foundation of Shanghai (no16ZR1411200) and Program for New Century Excellent Tal-ents in University (NCET-12-0620)
References
[1] X F Chen J Li J Ma Q Tang and W Lou ldquoNew algorithmsfor secure outsourcing of modular exponentiationsrdquo IEEETransactions On Parallel And Distributed Systems vol 25 no9 pp 2386ndash2396 2014
[2] RGennaro CGentry andB Parno ldquoNon-interactive verifiablecomputing outsourcing computation to untrusted workersrdquo inAdvances in cryptologymdashCRYPTO 2010 vol 6223 of LectureNotes in Comput Sci pp 465ndash482 Springer Berlin Germany2010
[3] K-M Chung Y Kalai and S Vadhan ldquoImproved delega-tion of computation using fully homomorphic encryptionrdquo inAdvances in cryptologymdashCRYPTO 2010 vol 6223 of LectureNotes in Comput Sci pp 483ndash501 Springer Berlin Germany2010
[4] D Chaum and T Pedersen ldquoWallet databases with observersrdquoin Advances in CryptologymdashCRYPTOrsquo 92 vol 740 of LectureNotes in Computer Science pp 89ndash105 Springer Berlin Ger-many 1993
[5] S Hohenberger and A Lysyanskaya ldquoHow to securely out-source cryptographic computationsrdquo in Proceedings of the TCC2005 vol 3378 of Lecture Notes in Computer Science pp 264ndash282 Springer
[6] Y Ren N Dingy X Zhang H Lu and D Gu ldquoVerifi-able outsourcing algorithms for modular exponentiations withimproved checkabilityrdquo in Proceedings of the 11th ACM AsiaConference on Computer and Communications Security ASIACCS 2016 pp 293ndash303 ACM June 2016
[7] J-Z Lai R H Deng C Guan and J Weng ldquoAttribute-based encryption with verifiable outsourced decryptionrdquo IEEETransactions on Information Forensics and Security vol 8 no 8pp 1343ndash1354 2013
[8] B Qin R H Deng S Liu and S Ma ldquoAttribute-basedencryption with efficient verifiable outsourced decryptionrdquoIEEE Transactions on Information Forensics and Security vol 10no 7 pp 1384ndash1393 2015
[9] X Chen J Li X Huang J Li Y Xiang and D SWong ldquoSecureoutsourced attribute-based signaturesrdquo IEEE Transactions onParallel and Distributed Systems vol 25 no 12 pp 3284ndash32942014
[10] J Yu K Ren and C Wang ldquoEnabling cloud storage auditingwith verifiable outsourcing of key updatesrdquo IEEE Transactionson Information Forensics and Security vol 11 no 6 pp 1362ndash1375 2016
[11] C Wang Q Wang K Ren and W Lou ldquoPrivacy-preservingpublic auditing for data storage security in cloud computingrdquoin Proceedings of the IEEE INFO-COM pp 525ndash533 San DiegoCalif USA March 2010
[12] Y Ren N Ding X Zhang H Lu and D Gu ldquoIdentity-basedencryption with verifiable outsourced revocationrdquo ComputerJournal vol 59 no 11 pp 1659ndash1668 2016
[13] X Chen X Huang J Li J Ma W Lou and D S WongldquoNew algorithms for secure outsourcing of large-scale systemsof linear equationsrdquo IEEE Transactions on Information andForensics Security vol 10 no 1 pp 69ndash78 2015
[14] Y Ren X Zhang G Feng Z Qian and F Li ldquoHow to ExtractImage Features based on Co-occurrence Matrix Securely andEfficiently in Cloud Computingrdquo IEEE Transactions on CloudComputing 2017
[15] D Boneh andM Franklin ldquoIdentity-based encryption from theWeil pairingrdquo in Advances in CryptologymdashCRYPTO 2001 vol2139 of LectureNotes in Computer Science pp 213ndash229 SpringerBerlin Germany 2001
[16] J C Cha and JH Cheon ldquoAn identity-based signature fromgapDiffie-Hellman groupsrdquo in Proceedings of the PKC vol 2567 ofLecture Notes in Computer Science pp 18ndash30 Springer
[17] A Joux ldquoA one round protocol for tripartite Diffie-Hellmanrdquo inProceedings of the ANTS vol 1838 of Lecture Notes in ComputerScience pp 385ndash393 Springer 2000
[18] M Scott N Costigan and W Abdulwahab ldquoImplementingcryptographic pairings on smartcardsrdquo in Proceedings of theCHES vol 4249 of LNCS pp 134ndash147 2006
[19] P S Barreto S D Galbraith C Heigeartaigh and M ScottldquoEfficient pairing computation on supersingular abelian vari-etiesrdquo Designs Codes and Cryptography vol 42 no 3 pp 239ndash271 2007
[20] B Chevallier-Mames J-S Coron N McCullagh D Naccacheand M Scott ldquoSecure delegation of elliptic-curve pairingrdquo inProceedings of the CARDIS 2010 vol 6035 of LNCS pp 24ndash352010
[21] S D Galbraith K G Paterson and N Smart ldquoPairings forcryptographersrdquo Discrete Applied Mathematics vol 156 no 16pp 3113ndash3121 2008
[22] P Tsang S Chow and S Smith ldquoBatch pairing delegationrdquo inProceedings of the IWSEC 2007 90 74 pages 2007
Security and Communication Networks 9
[23] S SMChowMHAu andW Susilo ldquoServer-aided signaturesverification secure against collusion attackrdquo in Proceedings ofthe 6th International Symposium on Information Computer andCommunications Security ASIACCS 2011 pp 401ndash405 March2011
[24] X Chen W Susilo J Li et al ldquoEfficient algorithms for secureoutsourcing of bilinear pairingsrdquoTheoretical Computer Sciencevol 562 pp 112ndash121 2015
[25] H Tian F Zhang and K Ren ldquoSecure bilinear pairingoutsourcing made more efficient and flexiblerdquo in Proceedingsof the 10th ACM Symposium on Information Computer andCommunications Security ASIACCS 2015 pp 417ndash426 April2015
[26] Y Ren N Ding T Wang H Lu and D Gu ldquoNew algorithmsfor verifiable outsourcing of bilinear pairingsrdquo Science ChinaInformation Sciences vol 59 no 9 Article ID 99103 2016
[27] X Boyen and B Waters ldquoAnonymous hierarchical identity-based encryption (without random oracles)rdquo in Advances incryptologymdashCRYPTO 2006 vol 4117 of Lecture Notes in Com-puter Science pp 290ndash307 Springer Berlin Germany 2006
[28] K G Paterson and J C N Schuldt ldquoEfficient identity-basedsignatures secure in the standard modelrdquo in Proceedings of theACISP 2006 vol 4058 of Lecture Notes in Computer Science pp207ndash222 Springer
RoboticsJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Active and Passive Electronic Components
Control Scienceand Engineering
Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
International Journal of
RotatingMachinery
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporation httpwwwhindawicom
Journal of
Volume 201
Submit your manuscripts athttpswwwhindawicom
VLSI Design
Hindawi Publishing Corporationhttpwwwhindawicom Volume 201
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Shock and Vibration
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Civil EngineeringAdvances in
Acoustics and VibrationAdvances in
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Electrical and Computer Engineering
Journal of
Advances inOptoElectronics
Hindawi Publishing Corporation httpwwwhindawicom
Volume 2014
The Scientific World JournalHindawi Publishing Corporation httpwwwhindawicom Volume 2014
SensorsJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Modelling amp Simulation in EngineeringHindawi Publishing Corporation httpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Chemical EngineeringInternational Journal of Antennas and
Propagation
International Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Navigation and Observation
International Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
DistributedSensor Networks
International Journal of
8 Security and Communication NetworksTi
me (
ms)
0
100
200
300
400
500
600
700
800
200 300 400 500 600 700 800 900 1000100Computing rounds
VBP [26]NIVBP (s = 4)
Pair [24]TZR1 [25]
TZR2 [25] (s = 4)
Figure 2 Efficiency comparison of the outsourcing algorithms forbilinear pairing
Conflicts of Interest
The authors declare that they have no conflicts of interest
Acknowledgments
The work described in this paper was supported by theNational Natural Science Foundation of China (Grant no61572309) Natural Science Foundation of Shanghai (no16ZR1411200) and Program for New Century Excellent Tal-ents in University (NCET-12-0620)
References
[1] X F Chen J Li J Ma Q Tang and W Lou ldquoNew algorithmsfor secure outsourcing of modular exponentiationsrdquo IEEETransactions On Parallel And Distributed Systems vol 25 no9 pp 2386ndash2396 2014
[2] RGennaro CGentry andB Parno ldquoNon-interactive verifiablecomputing outsourcing computation to untrusted workersrdquo inAdvances in cryptologymdashCRYPTO 2010 vol 6223 of LectureNotes in Comput Sci pp 465ndash482 Springer Berlin Germany2010
[3] K-M Chung Y Kalai and S Vadhan ldquoImproved delega-tion of computation using fully homomorphic encryptionrdquo inAdvances in cryptologymdashCRYPTO 2010 vol 6223 of LectureNotes in Comput Sci pp 483ndash501 Springer Berlin Germany2010
[4] D Chaum and T Pedersen ldquoWallet databases with observersrdquoin Advances in CryptologymdashCRYPTOrsquo 92 vol 740 of LectureNotes in Computer Science pp 89ndash105 Springer Berlin Ger-many 1993
[5] S Hohenberger and A Lysyanskaya ldquoHow to securely out-source cryptographic computationsrdquo in Proceedings of the TCC2005 vol 3378 of Lecture Notes in Computer Science pp 264ndash282 Springer
[6] Y Ren N Dingy X Zhang H Lu and D Gu ldquoVerifi-able outsourcing algorithms for modular exponentiations withimproved checkabilityrdquo in Proceedings of the 11th ACM AsiaConference on Computer and Communications Security ASIACCS 2016 pp 293ndash303 ACM June 2016
[7] J-Z Lai R H Deng C Guan and J Weng ldquoAttribute-based encryption with verifiable outsourced decryptionrdquo IEEETransactions on Information Forensics and Security vol 8 no 8pp 1343ndash1354 2013
[8] B Qin R H Deng S Liu and S Ma ldquoAttribute-basedencryption with efficient verifiable outsourced decryptionrdquoIEEE Transactions on Information Forensics and Security vol 10no 7 pp 1384ndash1393 2015
[9] X Chen J Li X Huang J Li Y Xiang and D SWong ldquoSecureoutsourced attribute-based signaturesrdquo IEEE Transactions onParallel and Distributed Systems vol 25 no 12 pp 3284ndash32942014
[10] J Yu K Ren and C Wang ldquoEnabling cloud storage auditingwith verifiable outsourcing of key updatesrdquo IEEE Transactionson Information Forensics and Security vol 11 no 6 pp 1362ndash1375 2016
[11] C Wang Q Wang K Ren and W Lou ldquoPrivacy-preservingpublic auditing for data storage security in cloud computingrdquoin Proceedings of the IEEE INFO-COM pp 525ndash533 San DiegoCalif USA March 2010
[12] Y Ren N Ding X Zhang H Lu and D Gu ldquoIdentity-basedencryption with verifiable outsourced revocationrdquo ComputerJournal vol 59 no 11 pp 1659ndash1668 2016
[13] X Chen X Huang J Li J Ma W Lou and D S WongldquoNew algorithms for secure outsourcing of large-scale systemsof linear equationsrdquo IEEE Transactions on Information andForensics Security vol 10 no 1 pp 69ndash78 2015
[14] Y Ren X Zhang G Feng Z Qian and F Li ldquoHow to ExtractImage Features based on Co-occurrence Matrix Securely andEfficiently in Cloud Computingrdquo IEEE Transactions on CloudComputing 2017
[15] D Boneh andM Franklin ldquoIdentity-based encryption from theWeil pairingrdquo in Advances in CryptologymdashCRYPTO 2001 vol2139 of LectureNotes in Computer Science pp 213ndash229 SpringerBerlin Germany 2001
[16] J C Cha and JH Cheon ldquoAn identity-based signature fromgapDiffie-Hellman groupsrdquo in Proceedings of the PKC vol 2567 ofLecture Notes in Computer Science pp 18ndash30 Springer
[17] A Joux ldquoA one round protocol for tripartite Diffie-Hellmanrdquo inProceedings of the ANTS vol 1838 of Lecture Notes in ComputerScience pp 385ndash393 Springer 2000
[18] M Scott N Costigan and W Abdulwahab ldquoImplementingcryptographic pairings on smartcardsrdquo in Proceedings of theCHES vol 4249 of LNCS pp 134ndash147 2006
[19] P S Barreto S D Galbraith C Heigeartaigh and M ScottldquoEfficient pairing computation on supersingular abelian vari-etiesrdquo Designs Codes and Cryptography vol 42 no 3 pp 239ndash271 2007
[20] B Chevallier-Mames J-S Coron N McCullagh D Naccacheand M Scott ldquoSecure delegation of elliptic-curve pairingrdquo inProceedings of the CARDIS 2010 vol 6035 of LNCS pp 24ndash352010
[21] S D Galbraith K G Paterson and N Smart ldquoPairings forcryptographersrdquo Discrete Applied Mathematics vol 156 no 16pp 3113ndash3121 2008
[22] P Tsang S Chow and S Smith ldquoBatch pairing delegationrdquo inProceedings of the IWSEC 2007 90 74 pages 2007
Security and Communication Networks 9
[23] S SMChowMHAu andW Susilo ldquoServer-aided signaturesverification secure against collusion attackrdquo in Proceedings ofthe 6th International Symposium on Information Computer andCommunications Security ASIACCS 2011 pp 401ndash405 March2011
[24] X Chen W Susilo J Li et al ldquoEfficient algorithms for secureoutsourcing of bilinear pairingsrdquoTheoretical Computer Sciencevol 562 pp 112ndash121 2015
[25] H Tian F Zhang and K Ren ldquoSecure bilinear pairingoutsourcing made more efficient and flexiblerdquo in Proceedingsof the 10th ACM Symposium on Information Computer andCommunications Security ASIACCS 2015 pp 417ndash426 April2015
[26] Y Ren N Ding T Wang H Lu and D Gu ldquoNew algorithmsfor verifiable outsourcing of bilinear pairingsrdquo Science ChinaInformation Sciences vol 59 no 9 Article ID 99103 2016
[27] X Boyen and B Waters ldquoAnonymous hierarchical identity-based encryption (without random oracles)rdquo in Advances incryptologymdashCRYPTO 2006 vol 4117 of Lecture Notes in Com-puter Science pp 290ndash307 Springer Berlin Germany 2006
[28] K G Paterson and J C N Schuldt ldquoEfficient identity-basedsignatures secure in the standard modelrdquo in Proceedings of theACISP 2006 vol 4058 of Lecture Notes in Computer Science pp207ndash222 Springer
RoboticsJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Active and Passive Electronic Components
Control Scienceand Engineering
Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
International Journal of
RotatingMachinery
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporation httpwwwhindawicom
Journal of
Volume 201
Submit your manuscripts athttpswwwhindawicom
VLSI Design
Hindawi Publishing Corporationhttpwwwhindawicom Volume 201
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Shock and Vibration
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Civil EngineeringAdvances in
Acoustics and VibrationAdvances in
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Electrical and Computer Engineering
Journal of
Advances inOptoElectronics
Hindawi Publishing Corporation httpwwwhindawicom
Volume 2014
The Scientific World JournalHindawi Publishing Corporation httpwwwhindawicom Volume 2014
SensorsJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Modelling amp Simulation in EngineeringHindawi Publishing Corporation httpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Chemical EngineeringInternational Journal of Antennas and
Propagation
International Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Navigation and Observation
International Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
DistributedSensor Networks
International Journal of
Security and Communication Networks 9
[23] S SMChowMHAu andW Susilo ldquoServer-aided signaturesverification secure against collusion attackrdquo in Proceedings ofthe 6th International Symposium on Information Computer andCommunications Security ASIACCS 2011 pp 401ndash405 March2011
[24] X Chen W Susilo J Li et al ldquoEfficient algorithms for secureoutsourcing of bilinear pairingsrdquoTheoretical Computer Sciencevol 562 pp 112ndash121 2015
[25] H Tian F Zhang and K Ren ldquoSecure bilinear pairingoutsourcing made more efficient and flexiblerdquo in Proceedingsof the 10th ACM Symposium on Information Computer andCommunications Security ASIACCS 2015 pp 417ndash426 April2015
[26] Y Ren N Ding T Wang H Lu and D Gu ldquoNew algorithmsfor verifiable outsourcing of bilinear pairingsrdquo Science ChinaInformation Sciences vol 59 no 9 Article ID 99103 2016
[27] X Boyen and B Waters ldquoAnonymous hierarchical identity-based encryption (without random oracles)rdquo in Advances incryptologymdashCRYPTO 2006 vol 4117 of Lecture Notes in Com-puter Science pp 290ndash307 Springer Berlin Germany 2006
[28] K G Paterson and J C N Schuldt ldquoEfficient identity-basedsignatures secure in the standard modelrdquo in Proceedings of theACISP 2006 vol 4058 of Lecture Notes in Computer Science pp207ndash222 Springer
RoboticsJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Active and Passive Electronic Components
Control Scienceand Engineering
Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
International Journal of
RotatingMachinery
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporation httpwwwhindawicom
Journal of
Volume 201
Submit your manuscripts athttpswwwhindawicom
VLSI Design
Hindawi Publishing Corporationhttpwwwhindawicom Volume 201
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Shock and Vibration
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Civil EngineeringAdvances in
Acoustics and VibrationAdvances in
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Electrical and Computer Engineering
Journal of
Advances inOptoElectronics
Hindawi Publishing Corporation httpwwwhindawicom
Volume 2014
The Scientific World JournalHindawi Publishing Corporation httpwwwhindawicom Volume 2014
SensorsJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Modelling amp Simulation in EngineeringHindawi Publishing Corporation httpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Chemical EngineeringInternational Journal of Antennas and
Propagation
International Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Navigation and Observation
International Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
DistributedSensor Networks
International Journal of
RoboticsJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Active and Passive Electronic Components
Control Scienceand Engineering
Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
International Journal of
RotatingMachinery
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporation httpwwwhindawicom
Journal of
Volume 201
Submit your manuscripts athttpswwwhindawicom
VLSI Design
Hindawi Publishing Corporationhttpwwwhindawicom Volume 201
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Shock and Vibration
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Civil EngineeringAdvances in
Acoustics and VibrationAdvances in
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Electrical and Computer Engineering
Journal of
Advances inOptoElectronics
Hindawi Publishing Corporation httpwwwhindawicom
Volume 2014
The Scientific World JournalHindawi Publishing Corporation httpwwwhindawicom Volume 2014
SensorsJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Modelling amp Simulation in EngineeringHindawi Publishing Corporation httpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Chemical EngineeringInternational Journal of Antennas and
Propagation
International Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Navigation and Observation
International Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
DistributedSensor Networks
International Journal of
