Delegating a Product of Group Exponentiations with Application to Signature Schemes

Many public-key cryptosystems and, more generally, cryptographic protocols, use group exponentiations as important primitive operations. To expand the applicability of these solutions to computationally weaker devices, it has been advocated that a computationally weaker client (i.e., capable of performing a relatively small number of modular multiplications) delegates such primitive operations to a computationally stronger server. Important requirements for such delegation protocols include privacy of the client's input exponent and security of the client's output, in the sense of detecting, except for very small probability, any malicious server's attempt to convince the client of an incorrect exponentiation result. Only recently, ecient protocols for the delegation of a xed-based exponentiation, over cyclic and RSA-type groups with certain properties, have been presented and proved to satisfy both requirements. In this paper we show that a product of many xed-base exponentiations, over a cyclic groups with certain properties, can be privately and securely delegated by keeping the client's online number of modular multiplications only slightly larger than in the delegation of a single exponentiation. We use this result to show the rst delegations of entire cryptographic schemes: the well-known digital signature schemes by El-Gamal, Schnorr and Okamoto, over the q-order subgroup in Zp, for p; q primes, as well as their variants based on elliptic curves. Previous ecient delegation results seem limited to the delegation of single algorithms within cryptographic schemes.