Secure and Efficient Delegation of Pairings with Online Inputs

Delegation of pairings from a computationally weaker client to a computationally stronger server has been advocated to expand the applicability of pairing-based cryptographic protocols to computation paradigms with resource-constrained devices. Important requirements for such delegation protocols include privacy of the client’s inputs and security of the client’s output, in the sense of detecting, with high probability, any malicious server’s attempt to convince the client of an incorrect pairing result. In this paper we show that pairings with inputs only available in the online phase can be efficiently, privately and securely delegated to a single, possibly malicious, server. We present new protocols in 2 different scenarios: (1) the two pairing inputs are publicly known; (2) privacy of both pairing inputs needs to be maintained (left open in previous papers; e.g., [27]). In both cases, we improve the online-phase client’s runtime with respect to previous work. In the latter case, we show the first protocol where the client’s online-phase runtime is faster than non-delegated computation for all of the most practical known curves. In previous work, the client’s runtime was worse, especially for one of the most practical elliptic curves underlying the pairing function (i.e., BN-12).