Securely Outsource Modular Exponentiations With Single Untrusted Cloud Server

Modular exponentiation is one of the most fundamental operations in lots of encryption and signature systems. Due to the heavy computation cost of modular exponentiation, many schemes have been put forward to securely outsource modular exponentiation to cloud. However, most of the existing approaches need two non-colluded cloud servers to securely complete the modular exponentiation, which will result in private data leakage upon the cloud servers collude. Besides, most existing schemes assume both base and exponent in modular exponentiation are private, which does not conform to many real-world applications. For example, in public key encryption system that uses modular exponentiation, one of base and exponent is the public key, and the other is a message. Usually, only the message should be privately protected. In this paper, we propose two secure outsourcing schemes for fixed-base (public base and private exponent) and fixed-exponent (private base and public exponent), respectively. In the proposed schemes, we employ only one cloud server and can thus avoid collusion attack. Further, we achieve an efficient and secure Paillier encryption outsourcing scheme based on our secure modular exponentiation outsourcing methods. Additionally, we theoretically analyze our overheads and leverage simulation experiments to evaluate our proposed solutions, which show our schemes can achieve high efficiency.


I. INTRODUCTION
Cloud computing, as a new network service model, has become a hot topic, since it can economically and efficiently provide users with dynamic storage and computation services in a pay-as-you-go manner. The users can thus avoid large capital expenditures in hardware, software deployment and maintenance. Besides, by leveraging the computing resource of cloud servers, a resource-constrained device in the Internet of Things (IoT) can finish their computation tasks that go beyond its computation capability.
Nevertheless, it will inevitably bring some new security challenges when users outsource the computation tasks to the cloud [1], [20], [27], as the direct physical control will be transferred to the cloud server. Firstly, the cloud servers cannot be fully trusted and the outsourced computation tasks usually contain some private information. Therefore, the most basic security requirement is confidentiality of the The associate editor coordinating the review of this manuscript and approving it for publication was Weizhi Meng . computation tasks. Although fully homomorphic encryption provides a theoretical way for the problem, there is no practical fully homomorphic encryption scheme now. Secondly, the untrusted servers may not return the right results for some reasons, such as loaf on the job, software bugs, hardware error. Accordingly, the users should be able to verify the validity of the results with little cost which are returned by the cloud servers (the cost must be far less than the outsourcing task).
As well known, modular exponentiation is one of the most fundamental and expensive operations in most encryption and signature systems, such as RSA, Paillier encryption system [31]. For resource-limited devices in IoT, both the running time and cost of the computations are very huge. Thus, it is fatal for some schemes which need to complete some modular exponentiations in a short time. Most of the secure outsourcing of modular exponentiation is implemented by employing two cloud servers [2], [3], [6], [19]. However, all of these schemes cannot resist the collusion attack of the cloud servers. Ding et al. [26] recently proposes a secure modular exponentiation outsourcing scheme. Nevertheless, they assume both base and exponent in modular exponentiation are private, which does not conform to many real-world applications. For example, in public key encryption system that uses modular exponentiation, one of the base and exponent is public key, and the other is message. In fact, only the message should be privately protected. In this paper, we propose two new secure outsourcing algorithms for fixed-base (public base and private exponent) and fixedexponent (private base and public exponent) in the model of a single malicious cloud server. Further, we achieve an efficient and secure Paillier encryption outsourcing scheme based on our secure modular exponentiation outsourcing methods. Additionally, we theoretically analyze our overheads and leverage simulation experiments to evaluate our proposed solution, which shows our solutions can achieve high efficiency. In general, our main contributions in this paper are as follows.
• We propose two secure outsourcing schemes for fixed-base (public base and private exponent) and fixed-exponent (private base and public exponent) modular exponentiation, respectively. Our proposed schemes require only one untrusted server.
• Based on our modular exponentiation outsourcing schemes, we propose an efficient and secure Paillier encryption outsourcing scheme.
• We theoretically analyze our schemes in security, efficiency and checkability, and conduct simulation experiments to evaluate our schemes. The results show that our schemes can securely complete the modular exponentiation and encryption tasks outsourcing in an efficient manner.
The rest of this paper is organized as follows. In Section II, we simply review the related work. In Section III, we present the system model and security definitions of our schemes. In Section IV, we describe our two secure modular exponentiations outsourcing schemes, and present the security and complexity analysis. Then, we propose secure Paillier encryption outsourcing scheme in Section V. Finally, we conclude this paper in Section VI.

II. RELATED WORK
How to securely outsource expensive computations has been attracting the attention from computer science community. Hohenberger and Lysyanskaya [3] presented the formal security definition of secure outsourcing model and proposed a CCA2 secure outsourcing encryption scheme. Barbosa and Farshim [5] presented a modular construction of delegatable homomorphic encryption from fully homomorphic encryption, functional encryption and MAC, and then described how to build a secure outsourcing computation scheme from delegatable homomorphic encryption. However, fully homomorphic encryption is limited to immaturity and it cannot be put into practice.
There are also a lot of research works on the securely outsourcing computation. Chen et al. [6] proposed a new secure outsourcing algorithm EXP which improved in both efficiency and checkability. Atallah and Frikken [7], Benjamin and Atallah [8] proposed protocols to solve the problem of secure outsourcing for widely applicable linear algebra computations with homomorphic encryptions. Applebaum et al. [9] in 2010 presented an improved protocol based on the weak secret hiding assumption. Chevallier-Mames et al. [10] proposed the first algorithm for a secure delegation of elliptic-curve pairings in the model of one untrusted server. Then Parno et al. [11] described a construction of a multi-function computation delegation scheme.
However, outsourcers can't fully trust the cloud server. Plenty of works have been done to achieve secure and efficient outsourcing computations by the untrusted server. Mironov and Golle [22] first presented the notion of ringers to verify the truth of results from untrusted servers. Gennaro et al. [12] first integrated the notion of checkability to solve the issue of trust. In 2005, Hohenberger and Lysyanskaya [3] proposed a checkable algorithm that verify the results by two untrusted servers. Based on this work, they further achieved secure outsourcing encryption and signature, but the checkability of the algorithm is only 1 2 . Chen et al. [6] further studied and proposed an improved version, they rise the checkability to 2 3 . Ye et al. [21] made further improvements in checkability and it comes to 19 20 . Focusing on fixed-base and fixed-exponent, Ma et al. [2] proposed three secure outsourcing schemes in 2013 and the checkability reach 3 4 . One of their schemes is in the model of one untrust server and the checkability almost reaches 1. Wang et al. [13] proposed a new secure outsourcing scheme of modular exponentiation in one untrusted server, while their checkability is just 1 2 . Xue et al. [29] proposed a new joint distribution estimation under Local Differential Privacy which can be used to Naive Bayes Classification.
Recently, Zhao et al. [23] improved the checkability to nearly 1 with the method of blinding matrix, while the server needs to undertake too much computation. In addition, Cai et al. [24] proposed a new algorithm SmExp whose checkability can almost reach 1 with a single sever. Ding et al. [26] improved the checkability of algorithm EXP and SEXP to 119 120 and 74 75 , while the client needs to do part of modular exponentiations.

III. SYSTEM MODEL AND SECURITY DEFINITIONS A. SYSTEM MODEL
In this paper, our system model is composed of a client and a server. The client has input data x, and wants to gain the result f (x) where the function f is appointed by the client. However, because of lacking enough computing resource, the client can not finish it by itself. Therefore, the client needs to complete it with the help of cloud servers. Considering that the input data x may be private, cloud servers should know nothing about x. Thus the client will transform the private data such that the original input data can be well protected. With function f and the transformed input data, the cloud servers can complete calculation tasks. After receiving the computing results from the cloud server, the client can get the final result f (x) with little cost. Meanwhile, the client also can verify the correctness of cloud server's returned data. In this paper, the function f represents modular exponentiation. Generally, this kind of modular exponentiation scheme can be described as follows: 1) Given modular exponentiations which will be computed, client invokes Rand.
2) The client blinds the inputs with the rand pairs and sends them to cloud server. 3) After receiving these transformed values, the cloud server compute and return the results to the client. 4) After receiving the results from the cloud server, the client verifies the correctness of the results. If the results are not right, the cloud server outputs ''error''. Otherwise, the client computes the real results of the modular exponentiations.
In our schemes, we propose two system models for two different situations, which is shown in Fig.1.
• For the fixed-base modular exponentiation (public base and private exponent) scheme, the client wants to compute (g x 1 , g x 2 , . . . , g x t ) mod p where base g is public and exponent x i (1 ≤ i ≤ t) is private. With our method, the client divides the private exponent set into a public set A. The cloud server returns g a i mod p (a i ∈ A) to the client. Finally, with the returned data from cloud server, the client can get g x i (1 ≤ i ≤ t).
• For the fixed-exponent modular exponentiation (private base and public exponent) scheme, what the client needs is the result of (g x 1 , g x 2 , . . . , g x t ) modp where exponent x is public and base g i (1 ≤ i ≤ t) is private. With our method, the client divides the private base set into a public set A. The cloud server returns the result a x i mod p (a i ∈ A) to the client. In the end, the client can get g x i (1 ≤ i ≤ t) by some transformations of the results from cloud server.

B. SECURITY DEFINITIONS
In this paper, we follow the security definitions of outsourcing cryptographic computations proposed by Hohenberger and Lysyanskaya in [3]. Generally, it is said that the computation-constrained client T securely outsources some computation tasks to cloud server U , and (T , U ) is an outsource-secure implementation of a cryptographic algorithm Alg, if (1) T and U correctly achieve Alg, i.e., Alg = T U , and (2) assume that, instead of cloud server U , T is given oracle access to an adversary U who records all its computation during every implementation and tries to act maliciously, but the adversary U can learn nothing useful about the client's input and output. We will introduce Hohenberger and Lysyanskaya's formal definitions as follows.

Definition 1 (Algorithm With Outsource-I/O [3]): An algorithm Alg obeys the outsource input/output specification if it takes in five inputs, and produces three outputs: Alg
Inputs: The first three inputs are generated by an honest party, and are classified by in what degree the adversary A = (E, U ) has knowledge about them, where E is the adversarial environment that submits adversarially chosen inputs to Alg, and U is the adversarial software operating in place of oracle U .
• The honest, secret input x hs , which is unknown to both E and U .
• The honest, protected input x hp , which may be known by E, but is protected from U .
• The honest, unprotected input x hu , which may be known by both E and U .
In addition, there are two adversarially-chosen inputs generated by the environment E: • The adversarial, protected input x ap , which is known to E, but protected from U .
• The adversarial, unprotected input x au , which may be known to E and U .
Outputs: Similarly, the outputs are defined as follows.
• The secret output y s , which is unknown to both E and U .
200766 VOLUME 8, 2020 • The protected output y p , which may be known to E, but is unknown to U .

• The unprotected y u , which may be known by both parts of A. Definition 2 (Outsource-Security [3]): Let Alg be an algorithm with outsource I/O. A pair of algorithm (T , U ) is said to be an outsource-secure implementation of Alg if:
1) Correctness: T U is a correct implementation of Alg.
2) Security: For all probabilistic polynomial-time adversaries A = (E, U ), there exist probabilistic expected polynomial-time simulators (S 1 , S 2 ) such that the following pairs of random variables are computationally indistinguishable.
• Pair one: EVIEW real ∼ EVIEW ideal The real process: The ideal process also proceeds in rounds. In the ideal process, we have a stateful simulator S 1 who, shielded from the secret input x i hs , but given the non-secret outputs that Alg produces when run all the inputs for round i, decides to either output the values (y i p , y i u ) generated by Alg, or replace them with some other values (Y i p , Y i u ). Note that this is captured by having the indicator variable rep i be a bit that determines whether y i p will be replaced with Y i p . In doing so, it is allowed to query oracle U ; moreover, U saves its state as in the real experiment. The ideal process: The overall view is just its view in the last round, i.e., The view that the untrusted software U obtains by participating in the real process described in Pair One.
In the ideal process, we have a stateful simulator S 2 who, equipped with only the unprotected inputs (x i hu , x i au ), queries U . As before, U may maintain state. The ideal process: (2) for any input x, if U deviates from its advertised functionality during the execution of T U (x), T will detect the error with probability no less than β. (2) for any input x, the running time of T is no more than an α-multiplicative factor of the running time of Alg.

C. RAND ALGORITHM
The subroutine Rand is used to expedite calculation the speed of scheme [3]. The main inputs for Rand are a prime p and a base g ∈ Z * p while the output is a random independent pair (a, g a mod p) for some a ∈ Z * p . We use Rand 1 and Rand 2 for our schemes respectively. Rand 1 is used to generate random pair (a, g a mod p) like Rand described above for the scheme of fixed-base exponent exponentiation. In addition, Rand 2 is used to generate random pair (g, g x mod p) for the scheme of fixed-exponent base exponentiation where x ∈ Z p , g ∈ G p . Until now, EBPV generator, taking into account the efficiency and security, is the most excellent algorithm, which runs in time O(log 2 n) for an n-bit exponent.

IV. SECURE OUTSOURCING PROTOCOLS OF MODULAR EXPONENTIATIONS
In this paper, we propose two algorithms for secure outsourcing modular exponentiations. Both schemes only need one cloud server. The two schemes are executed within the cyclic group G p , where p is a large secure prime and g is the generator of G p .

A. SECURE FIXED-BASE MODULAR EXPONENT EXPONENTIATION OUTSOURCING ALGORITHM
The fixed-base modular exponentiation scheme is aimed at securely computing fixed-base exponent exponentiations by VOLUME 8, 2020 outsourcing them to cloud server, i.e., (g x 1 , g x 2 , . . . , g x t ) mod p. Due to that the base g is public, what we should protect is the exponents x 1 , x 2 , · · · , x t . To reach the purpose that the cloud server cannot get any information about the exponents and the client can easily verify the correctness of the returned data, we transform the exponents into some other numbers which seem to be irrelevant to protect the privacy of exponents. In the end, the exponents (x 1 , x 2 , . . . , x t ) are translated into a set A = {a 1 , a 2 , . . . , a n } which can be sent to cloud server.
The cloud server makes some computations based on the information (g, p, A) and returns the result to the client. According to the internal relation between set A and exponents {x 1 , x 2 , . . . , x t }, the client can figure out g x i and verify the correctness of the returned values with little cost. Next, the fixed-base exponent exponentiation scheme can be formally described as follows.
• Given (g, x 1 ), (g, x 2 ), . . . , (g, x t ) as input data to compute (g The client needs to invoke the subroutine Rand 1 e times to get pairs (g, g y i ). Next, the rest set R can be generated by the way like set C, r i can be generated by r b i = y i − m−1 j=1 b j , 1 ≤ i ≤ e and r c k = y k − t j=1 c j , 1 ≤ k ≤ e. Finally, the client, using a pseudo-random permutation function, transforms the set ofÃ = {b 1 , b 2 , . . . , b m−1 , c 1 , c 2 , . . . , c t , r b 1 , r b 2 , . . . , r b e , r c 1 , r c 2 , . . . , r c e } into permutate set A = {a 1 , a 2 , . . . , a n } where n = m + t + 2e − 1, while the client needs to record the index of set B, C, R. Then, the client sends σ x = (A, g, P) to the cloud server.
• The server returns the result set V = {g a 1 , g a 2 , . . . , g a n } to the client.
• After receiving the result set V from the cloud server, the client needs to check the truth of the returned data. Firstly, the client needs to calculate S b l and S c l by the following formulas: S b l = g b i · g r b l and S c l = g c i ·g r c l . If S b l = S c l = g y l , the client concludes that the cloud server is honest. Then the client completes the exponentiations as: Otherwise, the client concludes that the server is dishonest.

B. SECURE FIXED-EXPONENT MODULAR EXPONENTIATION OUTSOURCING ALGORITHM
This subsection focuses on securely computing fixedexponent modular exponentiations by outsourcing them to cloud server, i.e., (g 1 x , g 2 x , . . . , g t x ) modp. Due to that the exponent x is public, what we should protect is the bases. To reach the purpose that the cloud server cannot get any information about the bases and the client can easily verify the correctness of the returned data, we process the bases into some other numbers which seem to be irrelevant to protect the privacy of bases. In the end, the bases (g 1 , g 2 , . . . , g t ) are translated into a set A = {a 1 , a 2 , . . . , a n } which can be sent to cloud server.
The cloud server makes some computations based on the information (x, p, A) and returns the result to the client. According to the internal relation between set A and bases {g 1 , g 2 , . . . , g t }, the client can figure out g i x and verify the correctness of the returned values with little cost. Next, the fixed-exponent base exponentiation scheme can be formally described as follows.
• Given (g 1 , x), (g 2 , x), . . . , (g t , x) as input data to compute (g 1 , where x ∈ Z p and g i ∈ G p . The client first transforms the bases (g 1 , g 2 , . . . , g t ) into another set A = {a 1 , a 2 , . . . , a n } where m elements of set A can be multiplied to g i for each i ∈ The client needs to invoke the subroutine Rand 2 e times to get pairs (g y i , x). Similarly, the element r i of set R can be generated by r b i = y i / m−1 j=1 b j , 1 ≤ i ≤ e and r c k = y k / t j=1 c j , 1 ≤ k ≤ e. Finally, the client, using a pseudo-random permutation function, transforms the set ofÃ = {b 1 , b 2 , . . . , b m−1 , c 1 , c 2 , . . . , c t , r b 1 , r b 2 , . . . , r b e , r c 1 , r c 2 , . . . , r c e } into permutate set A = {a 1 , a 2 , . . . , a n } where n = m + t + 2e − 1, while the client needs to record the index of set B, C, R. Then, the client sends σ x = (A, g, P) to the cloud server.
• The server returns the result set V = {a 1 x , a 2 x , . . . , a t x } to the client.
• After receiving the result set V from the cloud server, the client needs to check the truth of the returned data. Firstly, the client needs to calculate S b l and S c l by the following formulas: x . If S b l = S c l = g y i x , the client concludes that the cloud server is honest. Then the client can compute g i Otherwise, the client concludes that the server is dishonest.

Theorem 1: Fixed-base algorithm and fixed-exponent algorithm satisfy the the requirements of Correctness.
Proof: In the calculating part, the client can get the correct value (g x 1 , g x 2 , . . . , g x t ) in fixed-base scheme and (g x 1 , g x 2 , . . . , g x t ) in fixed-exponent scheme if the values returned by the cloud server are correct. The calculation procedure is as follows: Theorem 2: The algorithm (T fixed−base , U ) is outsourcesecure implementation, under the conditions that the inputs (x 1 , x 2 , . . . , x t , g) are honest, secret; or honest, protected; or adversarial protected.
Proof: In this section, we only focus on security. Let A = (E, U ) be a PPT adversary.
Fistly, we prove Pair One EVIEW real ∼ EVIEW ideal : The simulator S 1 behaves the same way as in the real execution under the input (x 1 , x 2 , . . . , x t , g) anything other than honest, secret. If (x 1 , x 2 , . . . , x t , g) are honest, secret inputs, then the simulator S 1 behaves as follows: S 1 makes n random queries of form (x 1 , x 2 , . . . , x n , g) to U when receiving the inputs in round i. S 1 tests two outputs from each program randomly. If an error is detected, S 1 checks the rest two outputs (error, ∅, 1). If no error is detected, S 1 checks the rest two outputs. If all checks pass, S 1 outputs (∅, ∅, 0); Otherwise, S 1 selects a random element r and outputs (r, ∅, 1). In other case, S 1 saves the appropriate states. In the real experiment, all three queries are computationally indistinguishable. In the ideal experiment, the inputs are chosen randomly and uniformly. Thus the input distributions to U are computationally indistinguishable. In the ideal experiment, the inputs are chosen randomly and uniformly. Thus the input distributions to U are computationally indistinguishable both in the real and ideal experiments. Next, it can be proved that EVIEW i real ∼ EVIEW i ideal , which implies EVIEW real ∼ EVIEW ideal . Secondly, we prove Pair Two UVIEW real ∼ UVIEW ideal : The simulator S 2 behaves as follows: S 2 makes n random queries of form (x 1 , x 2 , . . . , x n , g) to U when receiving the inputs of round i. Then S 2 saves its states and the states of U . Although, E can distinguish between these real and ideal experiments, he cannot communicate this information to U . Thus, UVIEW i real ∼ UVIEW i ideal for each round i, proceed to the next step, and we have UVIEW real ∼ UVIEW ideal .
Theorem 3: The algorithm (T fixed−exponent , U ) is outsource-secure implementation, under the conditions that the inputs (g 1 , g 2 , . . . , g t , x) are honest, secret; or honest, protected; or adversarial protected.
Proof: In this section, we focus on the security of fixed-exponent algorithm. Because of the similarity between the two algorithms, we omit the specific proof process. The security proof can refer to the proof process of Theorem 2.
Theorem 4: The checkability of fixed-base algorithm is 1 − e+1 , if the server cheats the client. Proof: The checkability of a secure outsourcing scheme is that the malicious server cannot successfully persuade the client to trust that the returned values are exactly correct. In our schemes, the client has ability to verify the correctness of the result from cloud server, which prove the checkability of our schemes.
Then we will analyze the checkability of fixed-base scheme by probability. We split set A into B, C, R, however, what we care the returned data are Client needs to check the equations: The server successfully cheats the client means that returned result pass the verification while it changes some right values.
On the one hand, the server computes the correct values and chooses a random number w. Then the server returns the w·g b i or w · g c i and the corresponding 1 w · g b i or 1 w · g c i . After that, The probability that the server finds the right ele- e+1 . In this way, the probability that cloud server can cheat the client is 2e . Compared with another circumstance, the probability of this condition is much less. On the other hand, the server chooses a random number l and two elements c i , c j which belong to set C. Then the server returns g c i +l , g c j −l to the client. In this way, the probability is Thus the checkability of client is 1 − e+1 . To improve the efficiency of our schemes, we suggest that e should be much smaller than t and m. In our experiment, we set e = 5 while m = 100. After the values of t and e have been determined, we can find that the checkability increases with the increase of n, but efficiency is getting lower and lower. Considering that users have different requirements for efficiency and checkability, users can adjust the value of n to balance checkability or efficiency according to their own circumstances. Finally, the user can choose a suitable n to determine all parameters in this scheme.
Theorem 5: The checkability of fixed-exponent algorithm is 1 − e+1 , if the server cheats the client. Proof: Due to the similarity between the two algorithms, the specific proof of fixed-exponent algorithm can refer to the proof in Theorem 4.

D. COMPLEXITY ANALYSIS
Compared with previous secure outsourcing modular exponentiation schemes, the advantages of our schemes in efficiency must be emphasized. Above all, our schemes do not need any complicated precomputations, which is more efficient than the existing schemes in [3], [6]. In addition, we will VOLUME 8, 2020 analyze the efficiency in computation, communication and storage complexity.

1) COMPUTATION COMPLEXITY
We compare the proposed schemes with the algorithms in Ma et al. [2], Chen et al. [6], Ding et al. [26], and Ren et al. [19] on outsourcing modular exponentiations. We denote by MM a modular multiplication and by MInv a modular inverse. We omit other operations such as modular additions in these algorithms. The comparison of the efficiency and the checkability of the algorithms are shown in Table 1.
Compared with the scheme of Ma et al. [2], our scheme is almost the same in terms of MM, MInv and Invoke (Server) than the other schemes. However, we invoke rand for e times and we use only one cloud server while Ma et al. [2] is based on the two severs model. What's more, the minimum checkability of our scheme is better than Ma et al. [2]. As for Chen et al. [6], our scheme is more excellent in both efficiency and checkability. In addition, our scheme is performed in single cloud server, which can save a lot expenses for client. Based on Ma et al. [2], Ding et al. [26] made improvements in checkability and the number of cloud server. However, they put part of modular exponentiations to the client, which is a burden for the client. On the contrary, our schemes are clearly superior to Ding et al. [26] in terms of the times of the invoking server while the client doesn't need to do any complicated computations. Although the checkability of Ren et al. [19] has reached 1, it seems to perform better than ours in the above tables. However, our schemes, considering MM and MInv, are more efficient. What's more, our schemes only need one cloud server.
We implement our experiment using C++ language and the GNU multiple precision arithmetic library (GMP). The experiment has been carried out on a LINUX machine with Intel Core i3-3320 processors running at 3.30GHz and 4G memory. The time cost is shown in Fig.1.
In our experiment, we randomly generate 180 random numbers in the range of 0 to 512 bit and invoke Rand 5 times. We also randomly select a 100-bit g. As shown in Fig.2, when computing (g x 1 , g x 2 , . . . , g x t ), the time cost of our outsourcing scheme is far less than without outsourcing. As the number of modular exponentiations increases, the rate of using time of the without outsourcing scheme grows clearly faster than the outsourcing scheme. The larger amounts of modular exponentiations need to be computed, the more resource and energy a device can be saved.

2) STORAGE COMPLEXITY
In fixed-base algorithm, the client needs to compute S setB and S setC and the g y i . Thus the client has to store m + t + 2e − 1 indexes, which is same as fixed-exponent algorithm. Therefore, the storage complexity is m + t + 2e − 1 elements in every scheme.

3) COMMUNICATION COMPLEXITY
In our schemes, the client sends set A to the cloud server. In fixed-base algorithm, the number of rounds between the client and cloud server is only one. Due to the uncertainty of the specific size of the number, we substitute the number of elements in communication set for communication complexity. Combined with the process of schemes, the communication complexity of fixed-base algorithm is 2n, which is same as fixed-exponent algorithm.
As we can see, both Encryption and Decryption algorithms contain fixed-base and fixed-exponent modular exponentiations. While we utilize Paillier encryption system to encryption a big number of values, it will cost much computation time, especially for resource-constrained clients. Thus, it is necessary to accelerate the Encryption and Decryption algorithms of Paillier encryption system by employing the strong computation ability of cloud. Here, we will propose a secure scheme for outsourcing Encryption and Decryption of Paillier algorithm based on our Protocols 1 and 2. We assume that the client want to encrypt or decrypt t plaintexts or ciphertexts simultaneously. Our general idea are as follows.
Based on Paillier algorithm, the parameter λ is λ = lcm(p − 1, q − 1) where lcm means least common multiple. The logarithmic function L(x) can be described as L(x) = (x − 1)/n. According to the encryption formula c = g m r n mod n 2 , the problem we want to solve is how to compute g m while the random number r has been selected. Because what we concentrate on is encrypting t plaintexts simultaneously, the protocol 1 is right to compute g m i . Due to that the base g is public key, what we should protect in the process of outsourcing is the plaintext m i . To reach the purpose that the cloud server cannot get any information about the plaintexts and the client can easily verify the correctness of the returned data, we divide the plaintexts into some other numbers which seem to be irrelevant to protect the privacy of plaintexts. In the end, the plaintexts {m 1 , m 2 , . . . , m t } are translated into a set A = {a 1 , a 2 , . . . , a n } which can be sent to cloud server. The cloud server does some computations based on the information (g, n, A) and returns the result to the client. According to the internal relation between set A and plaintexts {m 1 , m 2 , . . . , m t }, the client can figure out g m i and verify the correctness of the returned results with little cost.
In the process of decryption, the client should have decrypted by the formula m = L(c λ mod n 2 ) L(g λ mod n 2 ) mod n. We find that the main problem we need to solve is how to compute c λ mod n 2 while g λ mod n 2 is a fixed value. Because what we concentrate on is decrypting t ciphertexts simultaneously, the protocol 2 is right to compute c i λ . In order to avoid the cloud server learning anything about the process of decryption, what we should protect in this process of outsourcing is the ciphertext c i while the exponent λ is public. To reach the purpose that the cloud server cannot get any information about the ciphertexts and the client can easily verify the correctness of the returned data, we divide the ciphertexts into some other numbers which seem to be irrelevant to protect the privacy of ciphertexts. In the end, the ciphertexts {c 1 , c 2 , . . . , c t } are translated into a set H A = {a 1 , a 2 , . . . , a n } which can be sent to cloud server. The cloud server does some computations based on the information (λ, n, H A ) and returns the result to the client. According to the internal relation between set H A and ciphertexts {c 1 , c 2 , . . . , c t }, the client can figure out c i λ and verify the correctness of the returned results with little cost. Next, secure outsourcing of Paillier algorithm can be formally described as follows.
• Encryption On input the public key g, n, a message set M = {m 1 , m 2 , . . . , m t } and a random number r(r < n), the client first conceals the plaintext set M by dividing m i in a manner that m elements of set A = {a 1 , a 2 , . . . , a n } can be summed to m i . In addition, set A is composed of set B, C and R. Then the client needs to randomly choose m − 1 numbers from Z n , which comprise set B = {b 1 , b 2 , . . . , b m−1 }. Thus, the set C can be generated by the function sc i = m i − b i . Then the client needs to invoke rand 1 e times to get pairs (g, g y i ). The set R can be generated by the formulas Next, the client sends g, n and set A to cloud server. After receiving the result set V = {g a 1 , g a 2 , . . . , g a n } from the cloud server, the client needs to check the truth of the results. Firstly, the client needs to calculate S b l and S c l by the following formulas: S b l = g b i · g r b l and S c l = g sc i · g r c l . If S b l = S c l = g y l , the client concludes that the cloud server is honest. Then the client can compute g Otherwise, the client concludes that the server is dishonest. In the end, the client can compute the ciphertext by c i = g m i r n mod n 2 .
• Decryption Firstly, the client needs to hide the ciphertext set {c 1 , c 2 , . . . , c t } by dividing c i in a manner that m elements of set H A = {a 1 , a 2 , . . . , a n } can be multiplied to c i . In addition, the set H A can be composed of set H B , H C and H R . The client randomly selects m − 1 numbers from G n , which make up H B = {h b 1 , h b 2 , . . . , h b m−1 }. Therefore, set H C can be generated by the formula h c i = c i / h b i . Then the client needs to invoke rand 2 e times to get pairs (y i , y i λ ). The set H R can be generated by the formulas hb i = y i / h b i , 1 ≤ i ≤ e and hc i = y i / h c i , 1 ≤ i ≤ e. Next, the client sends λ, n and set H A to the cloud server. After receiving the result set H V = {a 1 λ , a 2 λ , . . . , a n λ } from the cloud server, the client needs to check the truth of the results. Firstly, the client needs to calculate S b l and S c l by the following formulas: x , the client concludes that the cloud server is honest. Then the client can compute g i Otherwise, the client concludes that the server is dishonest. In the end, the client can compute the plaintext by m i = L(c i λ mod n 2 ) L(g λ mod n 2 ) mod n. The proposed algorithms can be used in both encryption and decryption. By using our schemes, we securely outsource the modular exponentiations that are burden for resource-constrained devices to cloud, which strikingly reduces the cost of time in encryption and decryption. Therefore, the efficiency of paillier algorithm is exceedingly improved. For space limitation, we will provide analysis detail of secure Paillier algorithm outsourcing scheme in extended version.

VI. CONCLUSION
In this paper, we presented two secure outsourcing schemes for outsourcing modular exponentiations to single cloud server, which are suitable for fixed-base modular exponentiation and fixed-exponent modular exponentiation, respectively. Based on secure modular exponentiation outsourcing schemes, we then proposed a secure outsourcing of the Paillier algorithm. Additionally, we theoretically analyzed our overheads and leveraged simulation experiments to evaluate our proposed schemes, which shows our solutions can achieve high efficiency.
DEZHI AN is currently a Professor with the School of Cyber Security, Gansu University of Political Science and Law, Lanzhou, China. His research interests include network security, public opinion analysis, and data mining.
YAN LI is currently an Associate Professor with the School of Cyber Security, Gansu University of Political Science and Law, China. She has published nearly 20 refereed journal and conference papers in these areas. Her research interests include data processing, multimedia security, computer vision, and information content security.
SHENGCAI ZHANG received the master's degree in signal and information processing from the Lanzhou University of Technology, Lanzhou, China, in 2009, where he is currently pursuing the Ph.D. degree in control theory and control engineering. He is also an Associate Professor with the School of Cyber Security, Gansu University of Political Science and Law. His research interests include information security, artificial intelligence, and intelligent optimization.
JUN LU is currently an Associate Professor with the School of Cyber Security, Gansu University of Political Science and Law. His research interests include computer network security, computational intelligence, and data mining. VOLUME 8, 2020