Obfuscating encrypted threshold signature algorithm and its applications in cloud computing

Current cloud computing seriously restricts users' ability to safeguard their data privacy. Since users' sensitive data is submitted in unencrypted form to remote machines owned and operated by untrusted service providers, it may be leaked by those providers. Program obfuscation offers unique advantages for cloud computing. In this paper, we construct an encrypted threshold signature functionality, which can securely outsource the threshold signing rights of users to a cloud server by applying obfuscation, while revealing no more sensitive information. The obfuscator is proven to satisfy the average case virtual black box property and to be existentially unforgeable under the decisional linear (DLIN) assumption and computational Diffie-Hellman (CDH) assumption in the standard model. Moreover, we implement our scheme using the Java pairing-based cryptography library on a laptop.


Introduction
Cloud computing provides various data storage and services over a network [1]. Due to its many benefits, it is combined with other promising technologies such as 5G networks [2,3] and IoT [4,5]. Meanwhile, more individuals and corporations are gradually outsourcing data storage or computation to the cloud for its cost savings and convenience. Despite the various merits of cloud computing, in practice cloud servers are not entirely reliable [6][7][8]. If users deliver their data directly to cloud platforms, the important information in the data will be leaked to cloud servers, which exposes users' privacy. Therefore, the concern is how to secure the data while relying on the services in the cloud.
Obfuscation and cryptography are powerful tools that protect the data of users from a malicious or curious cloud server while preserving the services [9,10]. A user can then choose a cloud service to finish a computation task without the service knowing the sensitive information of the task. Among the services used in cloud computing, this paper focuses on encrypted threshold signatures and designs an obfuscator to protect users' privacy. It should offer outsourced computation without compromising data privacy. However, existing threshold cryptography mainly focuses on how to provide secure data for users; few works consider the other requirement of the cloud application, which is to protect the sensitive data. In order to protect the privacy of the information sent from the user to the cloud, our work follows the idea of Hada's work and applies it to the threshold signature setting. In this paper, we propose a secure obfuscation for encrypted threshold signatures. The main contributions are as follows:
1. We propose an obfuscator that implements the encrypted threshold signature (ETS) functionality, which can securely outsource the threshold signing rights of users to a cloud server by obfuscation. Besides, this method can prevent sensitive information from leaking from the ETS program running on an untrusted server.
2. We propose some security notions of the ETS functionality and the corresponding obfuscator. Under the decisional linear assumption and computational Diffie-Hellman assumption, the proposed obfuscator satisfies the requirements of ACVBP and existential unforgeability in the standard model.
3. We analyze the correctness of functionality preservation and polynomial slowdown. Meanwhile, the performance analysis of the ETS functionality and the obfuscator is provided. Finally, we implement the proposed algorithms on a personal computer by using the Java pairing-based cryptography library.
The remainder of this paper is organized as follows. In section 2, we present some preliminaries including bilinear pairings, security problems and circuit obfuscators. In section 3, we present some building blocks that will be used in our proposed schemes, then we propose an encrypted threshold signature scheme and the corresponding obfuscator based on a linear encryption scheme and a threshold signature. Section 4 analyzes the security and performance of our scheme from the perspectives of functionality preservation, ACVBP and existential unforgeability. Section 5 presents our conclusion.

Bilinear pairings and security problems
In this section, we describe bilinear maps and hard problems [38]. Consider two cyclic groups $G$ and $G_T$ of the same prime order $q$, and let $g$ be a generator of $G$. A bilinear map $\hat{e}: G \times G \to G_T$ needs to satisfy the following properties:
1. Bilinearity: For all $g, h \in G$ and $a, b \in \mathbb{Z}_q$, $\hat{e}(g^a, h^b) = \hat{e}(g, h)^{ab}$.

Circuit obfuscators
In this section, we briefly review some notations of circuit obfuscators used in this paper [32]. We use $\mathcal{C} = \{\mathcal{C}_\lambda\}_{\lambda \in \mathbb{N}}$ to denote a class of probabilistic circuits, where $\mathcal{C}_\lambda$ is the set of circuits in $\mathcal{C}$ of input length $l_{in}(\lambda)$. The notation $C \leftarrow \mathcal{C}_\lambda$ denotes the generation procedure. PPT denotes probabilistic polynomial time. Obf denotes an obfuscator. poly(λ) indicates the set of all polynomials of λ. We now provide definitions of statistical difference and preserving functionality.
Definition 3. [32] The statistical difference between $C_0(x)$ and $C_1(x)$ is given by:
Definition 4. (Preserving Functionality) [32] A PPT machine Obf is a circuit obfuscator for a class of probabilistic circuits $\mathcal{C} = \{\mathcal{C}_\lambda\}_{\lambda \in \mathbb{N}}$, if for every probabilistic circuit $C \in \mathcal{C}_\lambda$, the following holds:
$\Pr[C' \leftarrow \mathrm{Obf}(C) : \forall x,\ \Delta(C(x), C'(x)) = 0] = 1.$

Obfuscation of encrypted threshold signatures
Encrypted threshold signatures (ETS) functionality utilizes a threshold signature (TS) scheme, which was proposed in [21] and an asymmetric linear encryption scheme [39]. After that, we will give a detailed description of obfuscation.
3. To generate the public key, n users jointly generate the user public key $g_1 = g^{\alpha}$ by using GJKR's DKG.
4. Each user $P_i$ broadcasts $g^{f(i)}$ for a random jointly generated degree $k-1$ polynomial $f \in \mathbb{Z}_q[X]$ such that $\alpha = f(0)$.
6. Output the public key $p = (VK, params, g_1, g_2, u', U)$, and each user is supplied with the private key share $sk_i$.

Linear encryption scheme
The linear encryption scheme consists of three algorithms $\Sigma$ = (key generation algorithm (KG), encryption algorithm (Enc), decryption algorithm (Dec)). The algorithms are described as follows:
• KG(params): Parse the system parameters $params = (G, G_T, \hat{e}, g, q)$, choose $a, b \in \mathbb{Z}_q$ as the private key $sk_e$, and compute the encryption public key $pk_e = (pk_{e1}, pk_{e2}) = (g^a, g^b)$.

The ETS functionality
The ETS functionality is composed of ETS.Setup, ETS.Sign and ETS.Verify. We give the concrete construction as follows:
• ETS.Setup(params, λ, k, n):
2. For users (participants), generate public keys and private shares by running (VK, params,
3. For the receiver (verifier), randomly choose $a, b \in \mathbb{Z}_q$ as the receiver's private key $sk_e$, and compute the receiver's public key $pk_e = (pk_{e1}, pk_{e2}) = (g^a, g^b)$.

The obfuscation of ETS functionality
From the description of the ETS functionality in the above section, we regard a family of circuits $\mathcal{C}_{ETS} = \{\mathcal{C}_\lambda\}_{\lambda \in \mathbb{N}}$ for the ETS functionality, where $\mathcal{C}_\lambda$ is a group of circuits $C_{p,SK,pk_e}$. We can draw the system parameters $(SK, pk_e, p)$ from $C_{p,SK,pk_e}$. Given a circuit $C_{p,SK,pk_e}$, $\mathrm{Obf}_{ETS}$ works as follows:
• $\mathrm{Obf}_{ETS}(C_{p,SK,pk_e})$:
1. Extract the system parameters $(pk_e, SK, p)$.
3. For each $j \in \{1, 2, \cdots, n\}$, randomly choose $x_{j1}, x_{j2} \in \mathbb{Z}_q$ and encrypt the user's private share $sk_j$ by running $(pk_{e1}^{x_{j1}}, pk_{e2}^{x_{j2}}, sk'_j) \leftarrow \mathrm{Enc}(pk_e, sk_j)$, where $sk'_j = g^{x_{j1}+x_{j2}} sk_j$ is an encrypted form of the original signing key $sk_j$, then compute $vk'$
4. Construct an obfuscated circuit $R_{p,pk_e,t}$ that contains the values $(p, pk_e, vk'_j, t)$:
• $R_{p,pk_e,t}$: The obfuscated circuit can be executed on any untrusted cloud server, and it does the following.

6. Randomly choose $x'_1, x'_2, y'_1, y'_2 \in \mathbb{Z}_q$, rerandomize the generated signature $s'_1$ by running $\mathrm{ReRand}(p, pk_e, (c_1, c_2, s'_1))$; that is ; g x 0 $\mathrm{Enc}(pk_e, s'_2)$; that is .
Besides, the polynomial time property is evident, as all the calculations here run in polynomial time. It is easy to verify the obfuscated program by Theorem 1.
Theorem 1. The algorithm $R_{p,pk_e,t}$ can pass verification.
Proof 1. For a valid ciphertext $(S^*_1, S^*_2)$, the receiver decrypts $(S^*_1, S^*_2)$; the correctness of $R_{p,pk_e,t}$ is elaborated as follows: The following equation shows that $R_{p,pk_e,t}$ satisfies correctness:
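The linear encryption of the "Linear encryption scheme" section, in the form the obfuscator uses in step 3 ($sk'_j = g^{x_{j1}+x_{j2}} sk_j$) and rerandomizes in step 6, as an added Python example that is not the paper's code. It runs over a toy subgroup of $\mathbb{Z}_P^*$ instead of a pairing group and goes beyond the text by combining encrypted shares with Lagrange coefficients. The function names, the standard linear-encryption `dec`, the share format `g2^f(j)` and the dealer polynomial standing in for the DKG are assumptions.

```python
import secrets

# Toy group (constructed): P = 2Q + 1, G generates the order-Q subgroup of Z_P^*.
P, Q, G = 2039, 1019, 4

def keygen():
    """KG: private key (a, b), public key (g^a, g^b)."""
    a, b = (secrets.randbelow(Q - 1) + 1 for _ in range(2))
    return (a, b), (pow(G, a, P), pow(G, b, P))

def enc(pk, m):
    """Enc: (pk_e1^x1, pk_e2^x2, g^(x1+x2) * m) for random x1, x2."""
    x1, x2 = secrets.randbelow(Q), secrets.randbelow(Q)
    return (pow(pk[0], x1, P), pow(pk[1], x2, P), pow(G, x1 + x2, P) * m % P)

def dec(sk, ct):
    """Dec: m = c3 / (c1^(1/a) * c2^(1/b)), with 1/a and 1/b taken mod Q."""
    mask = pow(ct[0], pow(sk[0], -1, Q), P) * pow(ct[1], pow(sk[1], -1, Q), P) % P
    return ct[2] * pow(mask, -1, P) % P

def mul(ct1, ct2):
    """Component-wise product: a ciphertext of the product of the plaintexts."""
    return tuple(x * y % P for x, y in zip(ct1, ct2))

def rerand(pk, ct):
    """ReRand: multiply by a fresh encryption of 1; the plaintext is unchanged."""
    return mul(ct, enc(pk, 1))

def lagrange_at_zero(i, ids):
    """Lagrange coefficient of index i evaluated at X = 0, modulo Q."""
    num = den = 1
    for j in set(ids) - {i}:
        num, den = num * -j % Q, den * (i - j) % Q
    return num * pow(den, -1, Q) % Q

def combine_encrypted(cts):
    """Interpolate at 0 in the exponent over {index: Enc(share)} without decrypting."""
    out = (1, 1, 1)
    for i, ct in cts.items():
        out = mul(out, tuple(pow(c, lagrange_at_zero(i, cts), P) for c in ct))
    return out

def demo(k=3, ids=(1, 3, 5)):
    """Constructed run (assumptions): dealer polynomial f, f(0) = alpha; shares g2^f(j)."""
    (sk, pk), g2 = keygen(), pow(G, 7, P)
    f = [secrets.randbelow(Q) for _ in range(k)]      # f[0] = alpha
    share = lambda j: pow(g2, sum(c * j**e for e, c in enumerate(f)) % Q, P)
    combined = rerand(pk, combine_encrypted({j: enc(pk, share(j)) for j in ids}))
    return dec(sk, combined) == pow(g2, f[0], P)      # recovers g2^alpha
```

`demo()` returns `True`: the receiver's decryption of the combined, rerandomized ciphertext equals `g2^alpha`, although the combining party only ever handled encrypted shares.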

Security properties
In the threshold cryptosystem, we should consider an attack by a coalition of k curious but honest users against the proposed obfuscator. Therefore, we suppose that an adversary is capable of obtaining the private key shares of corrupted users against the obfuscator, except the user who generates the obfuscated implementation as a challenge. That is, an adversary can access the corruption oracle on any corrupted user, but corrupt up to $k-1$ of the $n$ players. The set of oracle restrictions dependent on $C$ is defined as $R(C)$. In this paper, we define $R(C) = \{\mathrm{Corruption}, |F| \le k-1\}$, which can be expressed as $\mathrm{Corruption}_{|F| \le k-1}$. Some security requirements of the proposed obfuscator are introduced in the following descriptions.
Definition 5. [34] An obfuscator Obf for $\mathcal{C}$ meets the ACVBP w.r.t. dependent oracle set $T(C)$ and restricted dependent oracle set $R(C)$ if the following holds: There exists a PPT simulator $S$ such that, for distinguisher $D$, arbitrary polynomial $f$, all sufficiently large $\lambda \in \mathbb{N}$, and arbitrary $z \in \{0,1\}^{poly(\lambda)}$, $\Pr\; C \leftarrow \mathcal{C}_\lambda;\ C' \leftarrow \mathrm{Obf}(C);$ where $D^{\langle\langle C, T(C), R(C) \rangle\rangle}$ means that $D$ has sampling access to all oracles contained in $T(C)$ and $R(C)$ in addition to $C$.
where $\mathrm{Share\text{-}Sign}_{p,sk_i}$ is the Share-Sign oracle, $\mathrm{Corruption}_{|F| \le k-1}$ is the corruption oracle such that no more than $k-1$ private key shares can be obtained by adversary $A$ in the whole game, and $Q$ is the set of messages queried by $A$ adaptively.
where $\mathrm{Share\text{-}Sign}_{p,sk_i}$ is the share sign oracle, $\mathrm{Corruption}_{|F| \le k-1}$ is the corruption oracle such that no more than $k-1$ private key shares can be obtained by adversary $A$ in the whole game, and $Q$ is the set of messages queried by $A$ adaptively.

Correctness
In this section, we identify the following goals that the obfuscator for ETS should satisfy.
1. Correctness: The correctness of an obfuscator requires "Preserving Functionality" as described in Definition 4.
2. Security: The obfuscator needs to satisfy ACVBP with respect to T(C) and R(C) and to be existentially unforgeable with respect to the ETS obfuscator.
Below, we state Theorem 2, which is a key result used to show the correctness of our construction.

Theorem 2. (Preserving Functionality) The obfuscated program preserves the functionality of original ETS.
Proof 2. On receiving the encrypted threshold signature $(S_1, S_2)$, that is
On receiving the obfuscated program $(S^*_1, S^*_2)$, that is

Security proof
Theorem 3. Under the DLIN assumption, the algorithm $\mathrm{Obf}_{ETS}$ is ACVBP with respect to dependent oracle $T(C) = \mathrm{Share\text{-}Sign}_{p,sk_i}$ and restricted dependent oracle $R(C) = \mathrm{Corruption}_{|F| \le k-1}$.
Proof 3. Suppose $C = C_{p,SK,pk_e}$, $T(C) = \mathrm{Share\text{-}Sign}_{p,sk_i}$ and $R(C) = \mathrm{Corruption}_{|F| \le k-1}$. There is a pair of probabilities $(\Pr_{Nick}, \Pr_{Junk})$ that represent the probability that $D^{\langle\langle C, T(C), D(C) \rangle\rangle}$ outputs 1, given the true and imitated distributions, respectively. We show that $SK = (sk_1, sk_2, \cdots, sk_n)$ and $Junk = (Junk_1, Junk_2, \cdots, Junk_n)$ are encrypted in the true and imitated distributions. Since the algorithm $\mathrm{Obf}_{ETS}$ is equivalent to the values $(p, pk_e, vk'_i, t)$, we can utilize a simulator $S$ which imitates these values with sampling access to $C$. The values $(p, pk_e)$ can be easily drawn from $C$. In order to simulate $(t, vk'_i)$, $S$ chooses $n$ junk values and encrypts them using the receiver's public encryption key $pk_e$.
The detailed procedure of S is as below.
1. Use the sampling access to $C_{p,SK,pk_e}$ to get $(p, pk_e)$.
5. Compute $vk_i = g^{x_{i1}+x_{i2}} vk_i$ for i = 1 to n.
7. Output $(p, pk_e, vk_i, Junk)$; obviously, $R_{p,pk_e,Junk}$ has the same distribution as $R_{p,pk_e,t}$.
We will first prove that the output distributions of the simulator and the obfuscator are indistinguishable. We prove this by contradiction: assume that the probability that a distinguisher $D^{\langle\langle C, T(C), D(C) \rangle\rangle}$ can distinguish between the probabilities described is not negligible. That is,
From Theorem 3 and Theorem 4, the TS scheme is existentially unforgeable, even if the adversary can obtain the obfuscated circuit. The obfuscator for ETS mainly serves to enhance security: it is safe for the obfuscated circuit to be executed by any untrusted cloud server, and the cloud server cannot get any useful information from it.

Theoretical performance analysis
Here we analyze the performance efficiency of our scheme in terms of computational complexity when performing the ETS.Sign, $\mathrm{Obf}_{ETS}$, $R_{p,pk_e,t}$ and ETS.Verify operations. The result is shown in Table 1. In this table, Rand denotes the operation that randomly selects an element, Add denotes addition, Mult denotes multiplication, Exp denotes an exponent operation, and Inv denotes the inverse operation. As shown in Table 1, the computational complexity of the ETS.Sign and $R_{p,pk_e,t}$ algorithms is linear in n and k. All these operations are polynomially bounded and can be computed effectively. Therefore, all algorithms are efficient from a theoretical perspective.

Implementation
To provide numerical results, we implement our scheme and measure its performance. Our implementation is written in C using the Pairing-Based Cryptography Library [40]. For the computations, we use the curve groups that are implemented in the Libpbc library. The computations are run on a PC with 3.70 GHz CPU frequency and 4 GB of RAM. In the experiment, we use elliptic curves with a base field size of 512 bits and an embedding degree of 2. The security level is selected as |p| = 512.
The following results denote the average running times of related cryptographic operations. Each experimental result is the average of 10 runs. We measure the running time of four algorithms: ETS.Sign, $\mathrm{Obf}_{ETS}$, $R_{p,pk_e,t}$ and ETS.Verify. The performance of our scheme is shown in Fig 1 for n = 5 and k = 3. It is shown that the obfuscated implementation has high efficiency in general, because the algorithm needs to perform more exponent operations. Figs 2 and 3 show how the time varies with n and k, respectively. Fig 2 shows the operation time of ETS.Sign, $\mathrm{Obf}_{ETS}$ and $R_{p,pk_e,t}$ when k is set to 3 and n varies from 5 to 9 in steps of 1. Fig 3 shows the execution time of the three algorithms when n is set to 7 and k varies from 3 to 7 in steps of 1. We observe that the time cost of $R_{p,pk_e,t}$, ETS.Sign and $\mathrm{Obf}_{ETS}$ increases quickly as n and k increase. It can be seen from the results that $R_{p,pk_e,t}$ is more costly than ETS.Sign for the same n or k.

Conclusion
Obfuscation techniques can provide much greater security for sensitive data against service providers in cloud computing. In this paper, we design an obfuscator for encrypted threshold signatures; with this technique, key shares are obfuscated before they are uploaded to the cloud services. In this regard, the obfuscated program can run on an untrusted cloud server while hiding privacy-related sensitive information. The security analysis demonstrates that our scheme meets the average case virtual black box property.

S1 Table. Computational overhead, where n is the number of users, k is the threshold number. (DOC)