Noninteractive Verifiable Outsourcing Algorithm for Bilinear Pairing with Improved Checkability

. It is well known that the computation of bilinear pairing is the most expensive operation in pairing-based cryptography. In this paper, we propose a noninteractive verifiable outsourcing algorithm of bilinear pairing based on two servers in the one-malicious model. The outsourcer need not execute any expensive operation, such as scalar multiplication and modular exponentiation. Moreover, the outsourcer could detect any failure with a probability close to 1 if one of the servers misbehaves. Therefore, the proposed algorithm improves checkability and decreases communication cost compared with the previous ones. Finally, we utilize the proposed algorithm as a subroutine to achieve an anonymous identity-based encryption (AIBE) scheme with outsourced decryption and an identity-based signature (IBS) scheme with outsourced verification.


Introduction
Outsourcing computation has received widespread attention with the development of cloud computing and the proliferation of mobile devices [1].Despite of the huge benefits, it also encounters some security concerns and challenges.Firstly, the computation tasks often include some private information that should not be disclosed to the cloud servers, since the servers are not fully trusted.Secondly, the cloud servers may return an invalid result, but the outsourcer fails to detect the error [1].Therefore, two main security challenges of the outsourcing computation are privacy and checkability: (1) the cloud servers cannot learn anything about the private inputs and the outputs of the computation outsourced to them; (2) the outsourcer can detect any failure if the cloud servers return a wrong computation result.
Verifiable computation (VC) allows a client with limited computation capability to outsource evaluation of a function on some inputs to a powerful but semitrusted server [2,3].The client in this model first executes a lot of off-line computation and encrypts the function which will be evaluated and then sends the encrypted function to the server.The server then performs the computation on the encoded function and responds with a result and a proof that the result is correct.Finally, the client verifies whether the computation has been carried out honestly based on the server's proof.During the whole process, the computation cost of the client is less than computing the function directly itself.
Our Contributions.In this paper, we propose a noninteractive verifiable outsourcing algorithm of bilinear pairing in the one-malicious model of two untrusted servers, which improves the checkability of the outsourcer without any interactive operation between the outsourcer and the server.In the proposed algorithm, the outsourcer could detect any failure with a probability close to 1 if one of the servers returns the false result.The proposed algorithm improves the checkability at the expense of only a little efficiency when compared with previous algorithms.Finally, we utilize the proposed algorithm as a subroutine to achieve an AIBE scheme with outsourced decryption and an IBS scheme with outsourced verification.
1.1.Related Works.In the cryptographic community, outsourcing expensive operations to a semitrusted device is widely studied.Chaum and Pedersen [4] introduced the concept of "wallets with observers" that allows installing a piece of hardware on the client's device to execute some operations for each transaction.Hohenberger and Lysyanskaya formalized this model [5] and presented algorithms for the computation of modular exponentiations (MExps) based on two noncolluding servers.Further, Chen et al. [1] proposed a new outsourcing algorithm for MExps with improved efficiency and checkability based on the same model as [5].However, it is still possible for the outsourcer to be cheated by the server.Ren et al. then constructed a verifiable outsourcing scheme of MExps, where the outsourcer can detect the error with a probability of 1 if the server misbehaves [6].Lai et al. [7] proposed an attribute-based encryption (ABE) scheme with verifiable outsourcing decryption, which guaranteed that an outsourcer can efficiently detect the wrong results.Qin et al. [8] then proposed new ABE scheme with outsourced decryption, where the outsourcer could verify the outsourcing results with a high efficiency at the expense of minimal overhead.Chen et al. first considered the problem of outsourcing computation in attribute-based signature (ABS) schemes and delegated the verification of signature to an untrusted server [9].Yu et al. [10] proposed a secure and efficient cloud storage auditing scheme with verifiable outsourcing of key updates.The process of key updates is outsourced to the third party auditor (TPA), and the TPA only knows the encrypted secret key.Meanwhile, the outsourcer could verify the effectiveness of encrypted secret keys when uploading new files to the cloud server.Also, Wang et al. [11] proposed a privacy-preserving public auditing system for data storage security and extended it to handle the problem of multiple auditing, where the TPA could learn nothing about data and the integrity of data could be verified publicly.Other works target specific classes of functions, such as revocable identity-based encryption [12], solution of linear equations [13], and image features extraction [14].
In recent years, bilinear pairings have various applications in constructing new cryptographic primitive, for example, identity-based encryption [15], short signature [16], and key agreement protocol [17].In pairing-based cryptography, the computation of bilinear pairing is the most expensive operation and it has important effects on efficiency of these schemes or protocols.Thus, a lot of research work has been done to compute bilinear pairing efficiently [18,19].
Chevallier-Mames et al. [20] presented the first algorithm for secure outsourcing of bilinear pairings based on an untrusted server, where the outsourcer could detect any failure with probability of 1 if the server returns an incorrect result.However, the outsourcer must execute some other expensive operations such as scalar multiplications and modular exponentiations, where these computations are even comparable to those of bilinear pairings in some scenarios [19,21].Subsequently, other works on delegation of bilinear pairings [22,23] also suffer from the same problems.Chen et al. proposed the first efficient outsourcing algorithm of bilinear pairing in the one-malicious version of two untrusted program models [24], where the outsourcer only carried out 5 point additions and 4 multiplications without any expensive operations, which is suitable for the computation-limited client.However, the checkability of the algorithm in [24] is only 1/2, and the outsourcer may accept a false result returned by a malicious server with probability of 1/2.Tian et al. presented two outsourcing algorithms of bilinear pairing based on two servers [25].One is more efficient than the algorithm of [24], and the outsourcer needs to execute 4 point additions and 3 multiplications with the same checkability.The other algorithm is more flexible based on two untrusted servers with improved checkability.As we know, it is also possible for the outsourcer to be cheated by the server and the error cannot be detected successfully.Recently, Ren et al. presented a new outsourcing algorithm of bilinear pairing, which improves the checkability of the outsourcer to 1, and it is impossible for the server to cheat the outsourcer to accept a false outsourcing result [26].However, it needs two interactive rounds between the outsourcer and the server and increases the communication cost, though the checkability is improved to 1.

Organization.
The rest of this paper is organized as follows.In Section 2, we introduce the definition of bilinear pairing and security model of the outsourcing scheme.A noninteractive verifiable outsourcing algorithm of bilinear pairing is presented and its security analysis is given in Section 3. In Section 4, we introduce two applications of the proposed outsourcing scheme: an AIBE scheme with outsourced decryption and an IBS scheme with outsourced verification.The performance evaluation of the proposed scheme is presented in Section 5.In Section 6, we conclude the paper.

Definitions
In this section, we introduce the properties of bilinear pairings, security definition, and model of the proposed outsourcing algorithms.

Security Definition and
Model.Now we review the formal security definition of an outsourcing algorithm introduced by [5].An algorithm Alg includes a trusted part  and an untrusted program , and   denotes the works carried out by  invoking .An adversary  is simulated by a pair of algorithms (,   ), where  denotes the adversarial environment that submits adversarial inputs for Alg and   represents adversarial software written by .As described in [5], we assume that the two adversaries (,   ) can only make direct communication before the execution of   , and, in other cases, they can only communicate with each other by passing messages through the outsourcer .

Definition 1 (algorithm with outsource I/O). An algorithm
Alg takes five inputs and generates three outputs.The first three inputs are chosen by an honest party, and the last two inputs are generated by the environment .The first input is honest and secret, which is unknown for both  and   ; the second is honest and protected, which may be public for  but is private for   ; the third is honest and unprotected, which may be public for both  and   ; the fourth is adversarial and protected, which is public for  but is protected from   ; and the last one is adversarial and unprotected, which is public for  and   .Similarly, the first output is secret, which is protected from  and   ; the second is protected, which may be public for  but not   ; and the third is unprotected, which may be public for both  and   .
The following security definition ensures that both  and   cannot obtain any information about the private inputs and outputs of   , even if  uses the malicious software   written by .
Definition 2 (outsource-security). Let Alg be an algorithm with outsource I/O.  is called an outsource-secure implementation of Alg if the following conditions hold: (1) Correctness:   is a correct implementation of Alg (2) Security: for all probabilistic polynomial-time (PPT) adversaries  = (,  ), there exist two PPT simulators ( 1 ,  2 ) such that the following pairs of random variables are computationally indistinguishable Pair One. real ∼  ideal , which means that the malicious environment  cannot gain anything interesting about the private inputs and outputs during the execution of   .The detailed definitions of the real process and the ideal process are omitted because of limited space; please see [5] for the details.
Pair Two. real ∼  ideal , which means that the untrusted software   written by  learns nothing about the inputs and outputs during the execution of   .Please also see [5] for the detailed definitions.
Assume that   is a correct implementation of Alg; we have the following definitions.Definition 3 (-efficient, secure outsourcing).A pair of algorithms (, ) are -efficient if the running time of is not more than an -multiplicative factor of that of Alg for any input .Definition 4 (-checkable, secure outsourcing).A pair of algorithms (, ) are -checkable if  detects any deviation of   from its advertised functionality during the implementation of    () with probability not less than  for any input .
The proposed algorithms are executed based on two untrusted program models introduced by [5].In this model, the adversarial environment  writes two programs   = (  1 ,   2 ), and  installs these programs in a manner such that all subsequent communication between any two of ,    1 , and   2 must pass through .The new adversary attacking  is  = (,   1 ,   2 ).We assume that at most one of the programs misbehaves, but we do not know which one.It is named as the one-malicious version of two untrusted models.In the real world, it is equivalent to buying two copies of the untrusted software from different vendors and achieving the outsource security as long as one of them is honest [1].

Verifiable Secure Outsourcing of Bilinear Pairing
As [5], a subroutine named Rand is used to speed up the computations.The inputs for Rand are a prime , two cyclic addition groups , Ĝ of order , and a bilinear map  :  × Ĝ →   , where   is a cyclic multiplicative group of order  and the output for each invocation is a random, independent vector of the following form: where and  is a small number.
We can use the table-lookup method to implement this functionality.First, a trusted server computes a table of random, independent vectors in advance and then stores it into the memory of .For each invocation of i,  needs to retrieves a new vector in the table.

Verifiable Outsourcing Algorithm.
We propose a noninteractive verifiable outsourcing algorithm NIVBP for bilinear pairing in the one-malicious model.In NIVBP algorithm,  outsources its bilinear pairing computations to  1 and  2 by invoking the subroutine Rand.A requirement for NIVBP is that the adversary  cannot know any useful information about the inputs and outputs of NIVBP.
Let  be a large prime.The input of NIVBP is  ∈  and  ∈ Ĝ, and the output is (, ). and  are both computationally blinded to  1 and  2 .The proposed NIVBP algorithm is described as follows: (1)  firstly runs Rand one time to create a blinding vector as (1).

Security Analysis
Theorem 8.In the one-malicious model, the proposed algorithm (, ( 1 ,  2 )) is an outsource-secure implementation of NIVBP, where the input (, ) may be honest and secret or honest and protected or adversarial and protected.
Proof.Let  = (,   1 ,   2 ) be a PPT adversary that interacts with a PPT algorithm  in the one-malicious model.
First, we prove that EVIEW real ∼ EVIEW ideal , which means that the environment  learns nothing during the execution of (, ( 1 ,  2 )).If the input (, ) is honest and protected or adversarial and protected, it is obvious that the simulator  1 behaves the same as in the real execution.Therefore, we only need to prove the case where (, ) is an honest, secret input.
So, suppose that (, ) is an honest, secret input.The simulator  1 in the ideal experiment behaves as follows.On receiving the input on round ,  1 ignores it and instead makes five random queries of the form (  ,   ) to both   1 and   2 Finally,  1 randomly checks one output (  ,   ) from each program.If an error is detected,  1 saves all states and outputs    = "error,"    = ⌀, rep  = 1, and thus the final output for ideal process is (estate  , "error," ⌀).If no error is detected,  1 checks the remaining four outputs.If all checks pass,  1 outputs    = ⌀,    = ⌀, rep  = 0; that is, the final output for ideal process is (estate  ,    ,    ); otherwise,  1 selects a random element  and outputs    = ,    = ⌀, rep  = 1, and the output for ideal process is (estate  , , ⌀).
In addition, we need to show that the inputs to (  1 ,   2 ) in the real experiment are computationally indistinguishable from those in the ideal one.In the ideal experiment, the inputs are selected uniformly at random.In the real one, each part of all five queries that  makes to any program is generated by invoking the subroutine Rand and thus is computationally indistinguishable from random numbers.Therefore, we consider three possible conditions.If (  1 ,   2 ) both are honest in round , EVIEW  real ∼ EVIEW  ideal , since the outputs of NIVBP are not replaced and rep  = 0; if one of (  1 ,   2 ) is dishonest in round , the fault must be detected by both  and  1 with a probability close to 1, resulting in an output of "error"; otherwise, the output of NIVBP is corrupted with a probability of 1/120( − 1) 2 .In the real experiment, the five outputs generated by (  1 ,   2 ) are multiplied together along with a random value.Thus, EVIEW  real ∼ EVIEW  ideal even when one of (  1 ,   2 ) misbehaves, so we conclude that EVIEW real ∼ EVIEW ideal .
Second, we prove that UVIEW real ∼ UVIEW ideal , which means that the untrusted software (  1 ,   2 ) learns nothing during the execution of (, (  1 ,   2 )).In the ideal experiment, the simulator  2 always behaves as follows: when receiving the input on round ,  2 ignores it but submits five random queries of the form (  ,   ) to   1 and   2 .Then  2 saves its states and those of (  1 ,   2 ).Since the honest, secret or honest, protected or adversarial, protected inputs are all private for (  1 ,   2 ), the simulator  2 is applicable to all those conditions.As shown in Pair One, the inputs to (  1 ,   2 ) in the real experiment are computationally indistinguishable from those in the ideal one randomly chosen by  2 .Thus, UVIEW  real ∼ UVIEW  ideal for each round , and so UVIEW real ∼ UVIEW ideal .Theorem 9.In the one-malicious model, the proposed algorithm (, ( 1 ,  2 )) in Section 3.1 is verifiable; that is, the outsourcer can test the error with a probability close to 1 if one of the servers outputs the false result.
Proof.Assume that  1 is an honest server and  2 is a malicious server.At the end of the algorithm, the outsourcer verifies the results by formulas (4)- (6).It is obvious that  2 must generate the correct value of  21 ; otherwise, formula (4) cannot pass the verification with a probability of 1.Thus, the only possibility of  2 cheating  is returning the false value of  21 ,  22 ,  23 ,  24 ,  25 , which is denoted by  21 ,  22 ,  23 ,  24 ,  25 , respectively.
Proof.The proposed algorithm NIVBP makes one call to Rand and 8 point additions (PA) in  or Ĝ and () multiplication in   in order to compute (, ).As shown in [24], it takes roughly () multiplications in resulting finite field to compute the bilinear pairing, where  is the bit length of .Thus, the proposed algorithm is an (/)efficient implementation of NIVBP.On the other hand, it must be detected with a probability close to 1 if  1 or  2 fails during any execution of NIVBP from Theorem 9.

Comparison.
We compare the outsourcing algorithms for bilinear pairing with input privacy in Table 1, where  is a small positive integer and "PA" and "M" denote the operation of point addition in  or Ĝ and multiplication in   , respectively.
From Table 1, we conclude that the NIVBP algorithm increases checkability of the outsourcer, though a little computation cost is appended compared with Pair and TZR1 algorithms.In addition, the NIVBP algorithm improves computation efficiency and checkability of the outsourcer simultaneously compared with TZR2 algorithm for the same parameter:  = 4.The efficiency and checkability of the NIVBP algorithm are nearly the same as those of VBP algorithm, but it decreases the communication cost, since it is noninteractive while the VBP algorithm is interactive.Therefore, the NIVBP algorithm increases checkability and decreases communication cost of the outsourcer, although a little computation cost is appended.

Applications
In this section, we introduce two applications of the proposed NIVBP algorithm: anonymous identity-based encryption (AIBE) scheme [27] and identity-based signature (IBS) scheme [28].
Let , Ĝ,   be three cyclic multiplication groups of order , and let , ĝ be generators of , Ĝ, respectively. :  × Ĝ →   is a bilinear map.In the following schemes,  = Ĝ.

Boyen-Waters AIBE Scheme with Outsourcing Decryption.
The proposed outsource-secure AIBE scheme consists of the following algorithms.
And verify It is obvious that the two outsourcing schemes are verifiable and secure, since the NIVBP algorithm is verifiable with input privacy as described in Section 3.

Performance Evaluation
In this section, we provide an experimental evaluation of the proposed outsourcing algorithms.Our experiment is simulated on two machines with Intel Xeon Processor running at 3.4 GHz with 32 G memory (cloud server) and Intel Celeron Processor running at 1.2 GHz with 2 G memory (the outsourcer), respectively.The programming language is Java, using Java Pairing-Based Cryptography (JPBC) Library.The parameter  is a 160-bit prime that is randomly generated.
In Figure 1, we provide the simulation of NIVBP algorithm, which means that the fault can be found with a probability close to 1 if one of the servers misbehaves.It is obvious that the time cost for the outsourcer  is much smaller than that for directly computing bilinear pairing, since a number of computations have been delegated to two servers.Therefore, the proposed NIVBP algorithm is the implementation of secure and verifiable outsourcing for bilinear pairing.
In Figure 2, we compare the evaluation times of the outsourcing algorithms for bilinear pairing proposed in [24][25][26] and this paper, respectively.From Figure 2, we conclude that, for the outsourcer , the NIVBP algorithm is superior to TZR2 algorithm in efficiency, and it appends small computation cost to improve the checkability compared with Pair and TZR1 algorithms.In addition, the NIVBP algorithm is nearly the same as VBP algorithm in efficiency, but it is noninteractive and decreases the communication cost of the outsourcer.Thus, the proposed NIVBP algorithm improves the checkability and decreases communication cost for the outsourcer simultaneously based on two servers in the onemalicious model.

Conclusions
In this paper, we propose a noninteractive verifiable outsource-secure algorithm for bilinear pairing.The security model of our proposed algorithm is based on two noncolluding servers, and the outsourcer can detect any failure with a probability close to 1 if one of the servers misbehaves.Compared with the previous ones, the proposed algorithm improves the checkability and communication efficiency simultaneously for the outsourcer.Pair [24] TZR1 [25] TZR2 [25] (s = 4)

Figure 2 :
Figure 2: Efficiency comparison of the outsourcing algorithms for bilinear pairing.