Computer Standards & Interfaces 97 (2026) 104107 Contents lists available at ScienceDirect Computer Standards & Interfaces journal homepage: www.elsevier.com/locate/csi MExpm: Fair computation offloading for batch modular exponentiation with improved privacy and checkability in IoV โˆ—,1 Sipeng Shen 1 , Qiang Wang , Fucai Zhou, Jian Xu , Mingxing Jin Software College, Northeastern University, China ARTICLE INFO ABSTRACT Keywords: Modular exponentiation is a fundamental cryptographic operation extensively applied in the Internet of Internet of Vehicles Vehicles (IoV). However, its computational intensity imposes significant resource and time demands on Modular exponentiation intelligent vehicles. Offloading such computations to Mobile Edge Computing (MEC) servers has emerged as Computation offloading a promising approach. Nonetheless, existing schemes are generally impractical, as they either fail to ensure Smart contract fairness between intelligent vehicles and MEC servers, lack privacy protection for the bases and exponents, or cannot guarantee the correctness of results with overwhelming probability due to potential misbehavior by MEC servers. To address these limitations, we propose MExpm, a fair and efficient computation offloading scheme for batch modular exponentiation under a single untrusted server model. Our scheme leverages blockchain technology to ensure fairness through publicly verifiable results. Furthermore, MExpm achieves high checkability, offering a near-perfect probability of checkability. To enhance privacy, we introduce secure obfuscation and logical split techniques, effectively protecting both the bases and the exponents. Extensive theoretical analysis and experimental results demonstrate that our scheme is not only efficient in terms of computation, communication, and storage overheads but also significantly improves privacy protection and checkability. 1. Introduction requirements of intelligent vehicles [10,11]. Despite these benefits, it still suffers from some security challenges. Once the computation tasks 1.1. Motivation are offloaded, it will lose control over them. As a result, the MEC server may forge the outcome of the computation. To address this issue, Batch modular exponentiation, a fundamental mathematical opera- verifiable CO was first proposed by [12] to ensure the integrity of the โˆ ๐‘Ž tion, denoted as ๐‘›๐‘–=1 ๐‘ข๐‘– ๐‘– mod ๐‘, which is widely used in the Internet results. A fundamental requirement for verifiable CO is that the total of Vehicles (IoV) (i.e., key exchange, digital signatures, and identity time invested in the verification process should be less than the time authentication) and is assumed as one of the most resource-intensive spent performing the computation by himself. Otherwise, the intelligent operations. Considering limited computation resources in intelligent vehicle would not prefer to offload its computation. vehicles, locally executing the above task is unviable, which cannot meet both computation resources and time latency requirements [1]. 1.2. Limitations of prior art To tackle this challenge, computation offloading (CO) is proposed to undertake resource-intensive computation tasks for intelligent vehi- In this paper, we mainly focus on verifiable computation offloading cles [2]. However, current cloud computation paradigm for modular for batch modular exponentiation with MEC servers. However, to the exponentiation offloading in [3โ€“8] fails to meet the requirements of low best of our knowledge, none of the existing prior schemes are practical latency, location awareness, and mobility support [9], since the cloud enough, as demonstrated in Fig. 1. They suffer from the following servers are far from the vehicles, it is a challenge for network transfer latency. To overcome the limitations of cloud computation, offloading challenges. computational tasks from intelligent vehicles to MEC servers, being Fairness. Most verifiable CO schemes for batch modular exponen- closer to intelligent vehicles than cloud servers, can provide adequate tiation make sure the results are correct for the client before paying computation resources for offloaded tasks while meeting the latency but often disregard the cloudโ€™s interests. As a result, the client might โˆ— Corresponding author. E-mail address: wangqiang1@mail.neu.edu.cn (Q. Wang). 1 Equal contribution. https://doi.org/10.1016/j.csi.2025.104107 Received 3 June 2025; Received in revised form 12 August 2025; Accepted 28 November 2025 Available online 3 December 2025 0920-5489/ยฉ 2025 Elsevier B.V. All rights are reserved, including those for text and data mining, AI training, and similar technologies. S. Shen et al. Computer Standards & Interfaces 97 (2026) 104107 Fig. 1. Limitations of Prior Art and Our Defenses: Scenario 1: Previous works adopt private verification algorithm. Under this assumption, the greedy intelligent vehicle may reject the correct computation results and refuse to pay for the MEC serverโ€™s work. Scenario 2: Previous works with low checkability fail to detect MEC serverโ€™s misbehavior. Scenario 3: Previous works with plaintext offloading strategy fail to protect the confidentiality of inputs and outputs. refuse to pay by deliberately claiming that the MEC server returns Table 1 an incorrect result even when executed faithfully. Furthermore, the Comparison of properties. cloud may intentionally manipulate the computation outcome for some Scheme Batch size Privacy Checkability rate Verification Fairness 119 economic incentives. When a dispute occurs between them, a fully MExp [3] 1 ร— 120 Private ร— 119 trusted third party (TTP), such as a judge, has to be involved to deduce SMCExp [4] 1 ร— 120 Private ร— 119 which party is wrong. As an ex-post measure, the dispute can be finally SoRSA [6] 1 ร— 120 Private ร— handled, but it is unfriendly for time-sensitive IoV applications [13]. EPExp [7] 1 ร— 0 Private ร— MExpm(ours) 1 โœ“ โ‰ˆ1 Public โœ“ Therefore, it is essential to find an immediate resolution without TTP to 2 guarantee fairness between the MEC server and the intelligent vehicle. MExp [3] n ร— 1 โˆ’ 10(4๐‘›2๐‘›+6๐‘›+2) Private ร— 2 Due to transparency, accountability, and immutability, blockchain can SMCExp [4] n ร— 1 โˆ’ 10(4๐‘›2๐‘›+6๐‘›+2) Private ร— 1 be used to establish trust among untrusted parties. A naive solution is to GExp [5] n ร— ๐‘›+1 Private ร— ๐‘›2 delegate the entire computation to the blockchain. It is inefficient and MExpm(ours) n โœ“ 1 โˆ’ (4๐‘›2 +6๐‘›+2)(๐‘โˆ’2) Public โœ“ imposes financial burdens on intelligent vehicles, such as significant gas Batch Size: The number of bases in one offloading; fees for modular exponentiation in Ethereum. Besides, this approach Privacy: Whether it can protect privacy of bases and exponents; seriously deviates from the original intent of computation offloading. Checkability Rate: The Checkability of Offloading scheme; Verification: Verification method for offloading; Checkability Rate. The existing schemes employ verification mech- Fairness: The fairness for both service provider and intelligent vehicles; anisms to ensure computation correctness against malicious MEC โœ“: means the scheme achieves this property; ร—: means it does not. servers [14]. However, the achieved checkability rate often falls short of expectations, failing to reach 100%. For example, in [3,4], the checkability rate is only 97.5% when the batch size ๐‘› = 1000. In a fair computation offloading task, the verification algorithm should other words, intelligent vehicles may fail to detect misbehavior by be public. To tackle this challenge, a straightforward approach is to malicious MEC servers with a 2.5% probability. Besides, the intelligent process the computation using fully homomorphic encryption (FHE). vehicle may make misjudgments even if the MEC servers return correct Specifically, the bases ๐‘ข๐‘– are encrypted using the data ownerโ€™s public results. When disputes arise between the intelligent vehicle and the key and outsourced to the MEC server. The intelligent vehicle encodes MEC servers, as previously mentioned, a complex procedure involving the queries ๐‘Ž๐‘– under the same public key. To recover the final result TTP is imperative. This ex-post measure is valid, but it is unsuitable for returned by the MEC server, the private key of the data owner should IoV time-sensitive applications. Furthermore, there is no such a fully be shared with the intelligent vehicle. If the private key is leaked, it trusted entity in the real world. will cause serious privacy issues [15,16]. Furthermore, the intelligent Privacy. Most of the existing schemes offload modular exponenti- โˆ ๐‘Ž vehicle cannot afford this heavy computation owing to the limitation ation ๐‘›๐‘–=1 ๐‘ข๐‘– ๐‘– mod ๐‘ in a plaintext way [6,7]. If we directly apply of resources. them into IoV, this inevitably comes with the privacy concern. Modular Compared with existing works in Table 1, MExpm supports privacy exponentiation plays a critical role in secure cryptography algorithms and fairness both for service providers and intelligent vehicles. Our (i.e., key exchange, digital signatures, identity authentication). In this contributions can be summarized as follows. case, the MEC server knows the base ๐‘ข๐‘– , exponent ๐‘Ž๐‘– , and output which is the result of ๐‘ข๐‘Ž ( mod ๐‘), so it will increase the risks of privacy 1. To the best of our knowledge, we are the first ones to attempt fair leakage and attacks. From this point, it is essential to protect the computation offloading of batch modular exponentiation under privacy of the bases, exponents, and results. To tackle this challenge, a single untrusted server model, which is more appropriate for some researchers [3โ€“5] utilize the logical split technique to protect practical applications. privacy. The security relies on a strong assumption that the auxiliary 2. We integrate smart contracts into the verification process to en- information cannot be known by the malicious adversary. Therefore, sure fairness and correctness. Compared with existing schemes, the verification algorithm can only be executed by the data owner. For our approach incurs lower gas consumption. 2 S. Shen et al. Computer Standards & Interfaces 97 (2026) 104107 3. We employ a logical split method and secure obfuscation tech- niques to conceal the bases, exponents, and modulus before offloading computation. Consequently, MExpm achieves near- perfect checkability rate. 2. Related work 2.1. Computation offloading Intelligent vehicles, with limited computation resources and an increasing number of in-car applications, struggle to efficiently execute computation-intensive tasks. To address the challenges faced by intel- ligent vehicles, computation offloading has been proposed. It transfers communication, computation, and storage tasks to MEC servers situ- ated around intelligent vehicles [17]. Existing computation offloading schemes mainly focus on computation efficiency [17โ€“19], resource allo- cation [20,21], or decision-making optimization [11] task. While these schemes lay the foundation for offloading computationally intensive tasks to MEC servers, they often lack adequate security considerations, Fig. 2. The architecture of system model. leading to a gap in verifiable computation offloading for batch modular exponentiation. 3. Fair computation offloading for batch modular exponentiation 2.2. Secure outsourcing algorithm for modular exponentiation scheme in IoV 3.1. System model The secure outsourcing algorithm for modular exponentiation can be categorized into single and dual-server models. Dual-server model As illustrated in Fig. 2, the fair computation offloading for batch assumes that there is no complicity risk between cloud servers [22โ€“25]. modular exponentiation in IoV mainly comprises four entities: Service This assumption, complex to implement in real-world applications, is Agency (SA), Intelligent Vehicle (IV), Roadside Unit (RSU), and MEC vulnerable to collusion attacks between servers. Therefore, we mainly Server. consider the single-server model, which is first proposed in 2006 by SA: It is an honest entity. It provides the intelligent vehicle with the Dijk et al. [26]. Recently, numerous algorithms have been proposed to initialized bases ๐‘ข๐‘– and modulus ๐‘ of the batch modular exponentiation improve checkability rate [5,27,28]. In 2016, Ding et al. [3] proposed โˆ ๐‘Ž task ๐‘›๐‘–=1 ๐‘ข๐‘– ๐‘– mod ๐‘, and its communication with intelligent vehicles a modular exponentiation outsourcing scheme with checkability rate is based on secure channels. close to 119 120 , especially when batch size ๐‘› = 1, which is rather higher IV: It is a resource-limited entity. It does not trust the MEC server, than before. Thereafter, Su et al. [4], in 2020, expanded Dingโ€™s method, but it wants to offload some requests ๐‘Ž๐‘– to the MEC server, where optimized the logical split, and changed the modulus of the algorithm ๐‘– โˆˆ {1, โ€ฆ , ๐‘›}. Furthermore, it may try to get the result without paying to a composite number. Recent schemes including SoRSA [6] and EP- by intentionally saying that the cloudโ€™s computation result is wrong. Exp [7] assume that bases in computation tasks are ciphertext and lack RSU: It is an untrusted entity, which serves as a full node of the the consideration of security of bases. The checkability rate of these blockchain. It provides verifiable services to guarantee the integrity of methods is still far from 1, and it can result in certain security risks. the result. Meanwhile, many of these schemes concurrently present outsourcing MEC Server: It is a powerful entity deployed at the networkโ€™s algorithms for ๐‘ข๐‘Ž . Nevertheless, a single modular exponentiation out- edge with adequate computation resources, which is responsible for sourcing algorithm represents a specific instance of batch modular performing the computation offloading tasks for the intelligent vehicle. exponentiation outsourcing with batch size ๐‘› = 1. Similar to the intelligent vehicle, it is also a profit-driven entity. It would like to get the reward from the intelligent vehicle without performing the computation. 2.3. Fair computation A fair computation offloading for batch modular exponentiation (MExpm) in IoV consists of the following algorithms. Recently, blockchain and smart contracts have been proposed to (๐‘ƒ ๐‘Ž๐‘Ÿ๐‘Ž๐‘š๐‘ , ๐‘…๐พ) โ† ๐‘†๐‘’๐‘ก๐‘ข๐‘(1๐œ† , ๐‘ข1 , โ€ฆ , ๐‘ข๐‘› , ๐‘). Given a security parameter ๐œ†, the bases ๐‘ข1 , โ€ฆ , ๐‘ข๐‘› and ๐‘, SA invokes this algorithm to generate the address these fairness issues [29]. Smart contracts can provide a secure public parameters ๐‘ƒ ๐‘Ž๐‘Ÿ๐‘Ž๐‘š๐‘  and the recovery key ๐‘…๐พ, where ๐‘ข๐‘– and ๐‘ solution for participants to execute contracts on Ethereum, essentially are the base and modulus for modular exponentiation tasks. being executable code with correctness, transparency, and immutabil- (๐‘‡ ๐พ, ๐‘‰ ๐พ, ๐ด๐‘ข๐‘ฅ) โ† ๐พ๐‘’๐‘ฆ๐บ๐‘’๐‘›(๐‘Ž1 , โ€ฆ , ๐‘Ž๐‘› , ๐‘ƒ ๐‘Ž๐‘Ÿ๐‘Ž๐‘š๐‘ ). On inputting the ex- ity [30]. Although there are some studies utilizing smart contract to ponents ๐‘Ž1 , โ€ฆ , ๐‘Ž๐‘› and the public parameters ๐‘ƒ ๐‘Ž๐‘Ÿ๐‘Ž๐‘š๐‘ , IV runs this fulfill fair computation, they either rely on the assumption that the algorithm to generate the evaluation key ๐‘‡ ๐พ for performing the compu- client and the cloud are honest [31], or utilize smart contract con- tation task, witness generation key ๐‘‰ ๐พ and auxiliary information ๐ด๐‘ข๐‘ฅ. ducting complex computation tasks [29,32,33]. However, in standard It is worth noting that this algorithm can be carried out entirely offline blockchain systems such as Ethereum, users are typically charged gas before the online phase, so it does not introduce additional latency fees based on the complexity of the computational task running in the during computation outsourcing. The input ๐‘Ž๐‘– is the exponent of ๐‘ข๐‘– , smart contract. The gas fees for smart contracts are recorded in the where ๐‘– โˆˆ {1, โ€ฆ , ๐‘›}. fee table EIP150 [34]. Generally, the cost of Ethereum is high, and (๐œŽE , ๐œ‹๐ธ ) โ† ๐ถ๐‘œ๐‘š๐‘๐‘ข๐‘ก๐‘’(๐‘‡ ๐พ, ๐‘‰ ๐พ). On inputting the evaluation key considering that modular exponentiation is an expensive computation ๐‘‡ ๐พ and witness generation key ๐‘‰ ๐พ, the MEC server performs this task, Existing schemes may increase the financial burden on users. algorithm to produce the encoding result ๐œŽE and witness ๐œ‹๐ธ . 3 S. Shen et al. Computer Standards & Interfaces 97 (2026) 104107 Table 2 ๐Ÿ. ๐‘ฒ๐’†๐’š๐‘ฎ๐’†๐’(๐’‚1 , โ€ฆ , ๐’‚๐’ , ๐‘ท ๐’‚๐’“๐’‚๐’Ž๐’”) โˆถ This algorithm is executed by the Notations. IV to construct the evaluation key ๐‘‡ ๐พ for performing the computation Symbols Descriptions task, the witness generation key ๐‘‰ ๐พ, and auxiliary information ๐ด๐‘ข๐‘ฅ. {๐‘ข1 , ๐‘ข2 , โ€ฆ , ๐‘ข๐‘› } Computation bases Notably, the IV can execute this procedure in an offline manner, thereby ๐œ† Security Parameter avoiding additional delays in the online authentication or verification ๐‘ 512-bit prime integer ๐‘ 512-bit prime integer phase. This algorithm works as follows: ๐ฟ A composite integer ๐ฟ = ๐‘๐‘ (a) IV parses ๐‘ƒ ๐‘Ž๐‘Ÿ๐‘Ž๐‘š๐‘  as {๐ฟ, ๐‘ฆ๐‘– } and the input exponents ๐‘Ž๐‘– โˆˆ Zโˆ—๐œ™(๐ฟ) . ๐‘˜ A random integer (b) IV runs RandN program [35] four times to generate four blinding ๐œ A composite integer ๐œ = ๐‘˜๐‘ {๐‘ฆ1 , ๐‘ฆ2 , โ€ฆ , ๐‘ฆ๐‘› } Bases after secure obfuscation pairs (๐‘˜1 , ๐‘” ๐‘˜1 ), (๐‘˜2 , ๐‘” ๐‘˜2 ), (๐‘˜3 , ๐‘” ๐‘˜3 ), (๐‘˜4 , ๐‘” ๐‘˜4 ) and sets: (๐‘˜๐‘– , ๐‘” ๐‘˜๐‘– ), ๐‘– โˆˆ {1, 2, 3, 4} Random pairs generated by RandN algorithm {๐‘Ž1 , ๐‘Ž2 , โ€ฆ , ๐‘Ž๐‘› } Computation exponents ๐‘ฃ1 = ๐‘” ๐‘˜1 mod ๐ฟ, ๐‘ฃ2 = ๐‘” ๐‘˜2 mod ๐ฟ, (2) ๐œ™(โ‹…) Eulerโ€™s function ๐‘ฃ3 = ๐‘” ๐‘˜3 mod ๐ฟ, ๐‘ฃ4 = ๐‘” ๐‘˜4 mod ๐ฟ. {๐‘ค๐‘– , ๐‘ง1 , ๐›ฟ1 , ๐‘š๐‘– }, ๐‘– โˆˆ {1, โ€ฆ , ๐‘›} Computation tasks after logical division ๐‘Ÿ โˆˆ {2, โ€ฆ , ๐‘} Random integer where ๐‘” โˆˆ Zโˆ—๐ฟ and its order is ๐œ™(๐ฟ). ๐œ‰ โˆˆ {1, โ€ฆ , ๐‘›} Random index (c) IV performs logical split to compute ๐‘ค๐‘– , ๐‘ง1 , ๐›ฟ1 , and ๐‘š๐‘– such that ๐‘‘ Modular Multiplicative Inverse of ๐‘Ž๐œ‰ {๐‘คโ€ฒ๐‘– , ๐‘ง2 , ๐›ฟ2 , ๐‘šโ€ฒ๐‘– }, ๐‘– โˆˆ {1, โ€ฆ , ๐‘›} Verification tasks after logical division {๐œŽ๐ธ , ๐œ‹๐ธ } Computation results returned by MEC server ๐‘ค๐‘– = ๐‘ฆ๐‘– โˆ•๐‘ฃ1 (mod ๐ฟ), ( ) ๐‘˜1 ๐‘Ž1 + ๐‘Ž2 + โ‹ฏ + ๐‘Ž๐‘› = ๐‘˜3 + ๐›ฟ1 ๐‘ง1 (mod ๐œ™(๐ฟ)), (3) ๐‘Ž๐‘– = ๐›ฟ1 ๐‘ง1 + ๐‘š๐‘– (mod ๐œ™(๐ฟ)). {0โˆ•1, ๐œŽE } โ† ๐‘‰ ๐‘’๐‘Ÿ๐‘–๐‘“ ๐‘ฆ(๐œŽE , ๐œ‹๐ธ , ๐ด๐‘ข๐‘ฅ). On inputting the encoding result (d) IV chooses two random integers ๐‘Ÿ โˆˆ {2, โ€ฆ , ๐‘} and ๐œ‰ โˆˆ {1, โ€ฆ , ๐‘›} ๐œŽE , the witness ๐œ‹๐ธ and auxiliary information ๐ด๐‘ข๐‘ฅ, the RSU runs this and computes ๐‘‘, where ๐‘Ž๐œ‰ ๐‘‘ โ‰ก 1 (mod ๐œ™(๐ฟ)). algorithm to check whether the MEC server returns a correct result (e) IV computes ๐‘คโ€ฒ๐‘– , ๐‘ง2 , ๐›ฟ2 , and ๐‘šโ€ฒ๐‘– such that utilizing smart contract. If not, it outputs 0, 1 and ๐œŽE otherwise. ๐‘…๐‘’๐‘ ๐‘ข๐‘™๐‘ก โ† ๐‘…๐‘’๐‘๐‘œ๐‘ฃ๐‘’๐‘Ÿ๐‘ฆ(๐œŽE , ๐‘…๐พ). On inputting ๐œŽE and recovery key ๐‘…๐พ, ๐‘คโ€ฒ๐‘– = ๐‘ฆ๐‘– โˆ•๐‘ฃ2 (mod ๐ฟ), the intelligent vehicle runs this algorithm to decode the true result ( ) ๐‘˜2 ๐‘Ž1 + ๐‘Ž2 + โ‹ฏ + ๐‘Ž๐‘› = ๐‘˜4 + ๐›ฟ2 ๐‘ง2 (mod ๐œ™(๐ฟ)), (4) ๐‘…๐‘’๐‘ ๐‘ข๐‘™๐‘ก. ๐‘Ž๐‘– = ๐›ฟ2 ๐‘ง2 + ๐‘šโ€ฒ๐‘– (mod ๐œ™(๐ฟ)). 3.2. Overview of construction and notations Especially when ๐‘– = ๐œ‰, we have ๐‘ฆโ€ฒ๐œ‰ = ๐‘ฆ๐œ‰ ๐‘Ÿ๐‘‘ ( mod ๐ฟ) and ๐‘คโ€ฒ๐œ‰ = ๐‘ฆโ€ฒ๐œ‰ โˆ•๐‘ฃ2 ( mod ๐ฟ), where ๐œ‰ โˆˆ [1, ๐‘›] is a random integer. โˆ Similar to [3], the bases and exponents are protected using logical (f) IV sets ๐‘‡๐พ = {(๐‘” ๐‘›๐‘–=1 ๐‘ค๐‘– , ๐‘ง1 ), (๐‘ค๐‘– , ๐‘š๐‘– )๐‘–โˆˆ[๐‘›] }, โˆ๐‘› split. A recovery algorithm is also involved to protect the confidentiality ๐‘‰ ๐พ = {(๐‘” ๐‘–=1 ๐‘คโ€ฒ๐‘– , ๐‘ง2 ), (๐‘คโ€ฒ๐‘– , ๐‘šโ€ฒ๐‘– )๐‘–โˆˆ[๐‘›] } and ๐ด๐‘ข๐‘ฅ = {๐‘Ÿ๐‘ฃ3 , ๐‘ฃ4 , ๐›ฟ1 , ๐›ฟ2 }, where of the final result. At the setup phase, we utilize the secure obfuscation ๐›ฟ1 , ๐›ฟ2 โˆˆ Zโˆ—๐œ™(๐ฟ) . The pseudo code of the key generation procedure can be technique to hide the modulus ๐‘ and bases ๐‘ข๐‘– . In ๐‘†๐‘’๐‘ก๐‘ข๐‘ step (a), only found in Algorithm 1. the masked modulus ๐ฟ = ๐‘ โ‹… ๐‘ is sent to MEC server, so the MEC server cannot get any information about ๐‘ without the mask factor Algorithm 1: KeyGen Algorithm ๐‘ chosen and kept privately by the User. To prevent the MEC server from learning the original bases ๐‘ข๐‘– , we apply a modular obfuscation Input: Exponents ๐‘Ž1 , โ‹ฏ , ๐‘Ž๐‘› โˆˆ Zโˆ—๐œ™(๐ฟ) , public parameters technique by embedding each base into a larger modular space (i.e., Eq. ๐‘ƒ ๐‘Ž๐‘Ÿ๐‘Ž๐‘š๐‘  = {๐ฟ, ๐‘ฆ๐‘– } (1)) in ๐‘†๐‘’๐‘ก๐‘ข๐‘ step (b). Since ๐‘˜ and ๐‘ are sampled uniformly, the Output: Evaluation key ๐‘‡ ๐พ, verification key ๐‘‰ ๐พ, auxiliary info adversarial MEC server cannot recover them. The original computation ๐ด๐‘ข๐‘ฅ โˆ๐‘› ๐‘Ž๐‘– mod ๐‘ is converted into โˆ๐‘› ๐‘ฆ ๐‘Ž๐‘– mod ๐ฟ. 1 Parse ๐‘ƒ ๐‘Ž๐‘Ÿ๐‘Ž๐‘š๐‘  as {๐ฟ, ๐‘ฆ๐‘– } ; // Step (a) offloading task ๐‘–=1 ๐‘ข๐‘– ๐‘–=1 ๐‘– 2 Run RandN algorithm four times to get The privacy of the exponent ๐‘Ž๐‘– is ensured by the logical split, where ๐‘Ž๐‘– = ๐›ฟ1 โ‹… ๐‘ง๐‘– + ๐‘š๐‘– mod ๐œ™(๐ฟ). Since the standard integer factorization (๐‘˜1 , ๐‘” ๐‘˜1 ), (๐‘˜2 , ๐‘” ๐‘˜2 ), (๐‘˜3 , ๐‘” ๐‘˜3 ), (๐‘˜4 , ๐‘” ๐‘˜4 ); // Step (b) ๐‘˜ ๐‘˜ 3 Compute ๐‘ฃ1 = ๐‘” 1 mod ๐ฟ, ๐‘ฃ2 = ๐‘” 2 mod ๐ฟ, ๐‘ฃ3 = ๐‘” 3 mod ๐ฟ, ๐‘˜ assumption holds, the adversary cannot derive their factors ๐‘ and ๐‘ from ๐ฟ. Without factors ๐‘ and ๐‘, it is infeasible to compute ๐œ™(๐ฟ) = ๐‘ฃ4 = ๐‘” ๐‘˜4 mod ๐ฟ; // Compute Equation 2 4 Compute ๐‘˜1 (๐‘Ž1 + โ‹ฏ + ๐‘Ž๐‘› ) = ๐‘˜3 + ๐›ฟ1 ๐‘ง1 mod ๐œ™(๐ฟ) ; // Equation (๐‘ โˆ’ 1)(๐‘ โˆ’ 1).๐œ™(๐ฟ) = (๐‘ โˆ’ 1) โ‹… (๐‘ โˆ’ 1). As a result, the reduction modulo ๐œ™(๐ฟ) effectively hides the underlying value, which makes it infeasible 3 5 for ๐‘– โ† 1 to ๐‘› do to recover ๐‘Ž๐‘– from ๐›ฟ1 โ‹… ๐‘ง๐‘– + ๐‘š๐‘– mod ๐œ™(๐ฟ). Furthermore, the malicious adversary learns nothing about the final computation result without the 6 Compute ๐‘ค๐‘– = ๐‘ฆ๐‘– โˆ•๐‘ฃ1 mod ๐ฟ ; // Equation 3 recovery key. A detailed description of the notations used in MExpm 7 Compute ๐‘Ž๐‘– = ๐›ฟ1 ๐‘ง1 + ๐‘š๐‘– mod ๐œ™(๐ฟ); // Equation 3 can be found in Table 2. 8 Sample ๐‘Ÿ โˆˆ {2, โ‹ฏ , ๐‘} and ๐œ‰ โˆˆ {1, โ‹ฏ , ๐‘›} randomly ; // Step (d) 9 Compute ๐‘‘ = ๐‘Ž โˆ’1 mod ๐œ™(๐ฟ); // Step (d) 3.3. Detailed construction ๐œ‰ 10 Compute ๐‘˜2 (๐‘Ž1 + โ‹ฏ + ๐‘Ž๐‘› ) = ๐‘˜4 + ๐›ฟ2 ๐‘ง2 mod ๐œ™(๐ฟ); // Equation 3 ๐Ÿ. ๐‘บ๐’†๐’•๐’–๐’‘(๐Ÿ๐€ , ๐’–1 , โ€ฆ , ๐’–๐’ , ๐‘ต) โˆถ This algorithm is run by SA. Given 11 for ๐‘– โ† 1 to ๐‘› do a security parameter ๐œ† and a 512-bit prime integer ๐‘, SA works as 12 Compute ๐‘คโ€ฒ๐‘– = ๐‘ฆ๐‘– โˆ•๐‘ฃ2 mod ๐ฟ ; // Equation 3 follows: 13 Compute ๐‘Ž๐‘– = ๐›ฟ2 ๐‘ง2 + ๐‘šโ€ฒ๐‘– mod ๐œ™(๐ฟ); // Equation 3 (a) SA generates a 512-bit prime integer ๐‘, and computes ๐ฟ = ๐‘๐‘. 14 Randomly Select ๐œ‰ โˆˆ [1, ๐‘›], and Update ๐‘ฆโ€ฒ๐œ‰ = ๐‘ฆ๐œ‰ โ‹… ๐‘Ÿ๐‘‘ mod ๐ฟ, (b) SA uniformly chooses ๐‘˜ from ๐‘๐‘ and computes ๐œ = ๐‘˜๐‘. For any ๐‘คโ€ฒ๐œ‰ = ๐‘ฆโ€ฒ๐œ‰ โˆ•๐‘ฃ2 mod ๐ฟ ; // Step (e) ๐‘– โˆˆ {1, 2, โ€ฆ , ๐‘›}, SA sets ๐‘ฆ๐‘– as follows: โˆ 15 Set ๐‘‡ ๐พ = {(๐‘” โ‹… ๐‘›๐‘–=1 ๐‘ค๐‘– , ๐‘ง1 ), (๐‘ค๐‘– , ๐‘š๐‘– )๐‘–โˆˆ[๐‘›] }; // Step (f) โˆ๐‘› โ€ฒ โ€ฒ โ€ฒ ๐‘ฆ๐‘– = ๐‘ข๐‘– + ๐œ mod ๐ฟ (1) 16 Set ๐‘‰ ๐พ = {(๐‘” โ‹… ๐‘–=1 ๐‘ค๐‘– , ๐‘ง2 ), (๐‘ค๐‘– , ๐‘š๐‘– )๐‘–โˆˆ[๐‘›] }; // Step (f) 17 Set ๐ด๐‘ข๐‘ฅ = {๐‘Ÿ๐‘ฃ3 , ๐‘ฃ4 , ๐›ฟ1 , ๐›ฟ2 }; // Step (f) (c) SA sets ๐‘ƒ ๐‘Ž๐‘Ÿ๐‘Ž๐‘š๐‘  = {๐ฟ, ๐‘ฆ๐‘– } and ๐‘…๐พ = {๐‘}, where ๐‘…๐พ is 18 return ๐‘‡ ๐พ, ๐‘‰ ๐พ, ๐ด๐‘ข๐‘ฅ; transmitted via a secure channel between SA and IV. 4 S. Shen et al. Computer Standards & Interfaces 97 (2026) 104107 1. ๐‘†๐‘’๐‘ก๐‘ข๐‘: Generate two distinct secure primes ๐‘ = 13, ๐‘ = 11. Compute ๐ฟ = ๐‘ โ‹… ๐‘ = 143. Then generate ๐‘ข = 128, ๐‘Ž = 79. ๐Ÿ‘. ๐‘ช๐’๐’Ž๐’‘๐’–๐’•๐’†(๐‘ป ๐‘ฒ, ๐‘ฝ ๐‘ฒ) โˆถ This algorithm is run by MEC server to 2. ๐ถ๐‘œ๐‘š๐‘๐‘ข๐‘ก๐‘’: Locally compute result ๐‘…๐‘’๐‘ ๐‘ข๐‘™๐‘ก = 12879 mod 43 = 8. generate encoding result ๐œŽ๐ธ and witness result ๐œ‹๐ธ . The MEC server works as follows: The proposed MExpm consists of the following procedures. โˆ (a) MEC server parses ๐‘‡ ๐พ as {(๐‘” ๐‘›๐‘–=1 ๐‘ค๐‘– , ๐‘ง1 ), (๐‘ค๐‘– , ๐‘š๐‘– )๐‘–โˆˆ[๐‘›] } and ๐‘‰ ๐พ โˆ๐‘› โ€ฒ as {(๐‘” ๐‘–=1 ๐‘ค๐‘– , ๐‘ง2 ), (๐‘ค๐‘– , ๐‘š๐‘– )๐‘–โˆˆ[๐‘›] }, and then sets ๐›พ๐‘– = (๐‘ค๐‘– )๐‘š๐‘– and ๐›พ๐‘–โ€ฒ = (๐‘คโ€ฒ๐‘– )๐‘š๐‘– โ€ฒ โ€ฒ โ€ฒ 1. ๐‘†๐‘’๐‘ก๐‘ข๐‘: SA generates ๐‘ = 13, ๐‘ = 11 and computes ๐ฟ = ๐‘โ‹…๐‘ = 143. for any ๐‘– โˆˆ {1, โ€ฆ , ๐‘›}, respectively. Then SA generates base ๐‘ข = 128 and utilizes random integer ( โˆ )๐‘ง ( โˆ )๐‘ง (b) MEC server sets ๐‘„0 = ๐‘” ๐‘›๐‘–=1 ๐‘ค๐‘– 1 and ๐‘„1 = ๐‘” ๐‘›๐‘–=1 ๐‘คโ€ฒ๐‘– 2 . ๐‘˜ = 5 to compute ๐‘ฆ = ๐‘ข + ๐‘˜ โ‹… ๐‘ mod ๐ฟ = 40. (c) MEC server sets ๐œŽ๐ธ = {๐‘„0 , (๐›พ๐‘– )๐‘–โˆˆ[๐‘›] } and ๐œ‹๐ธ = {๐‘„1 , (๐›พ๐‘–โ€ฒ )๐‘–โˆˆ[๐‘›] }. 2. ๐พ๐‘’๐‘ฆ๐บ๐‘’๐‘›: Intelligent Vehicle runs ๐‘…๐‘Ž๐‘›๐‘‘๐‘ algorithm to obtain ๐Ÿ’. ๐‘ฝ ๐’†๐’“๐’Š๐’‡ ๐’š(๐ˆ ๐‘ฌ , ๐… ๐‘ฌ , ๐‘จ๐’–๐’™) โˆถ The algorithm is run by RSU to check the (63, 125), (42, 25), (52, 113), (82, 69), ๐‘” = 71 and compute ๐‘ฃ1 โˆ’1 = correctness of the result returned by the MEC. The RSU works as 125โˆ’1 mod ๐ฟ = 135, ๐‘ฃ2 โˆ’1 = 25โˆ’1 mod ๐ฟ = 103. Then it gener- follows: ates a computation task ๐‘Ž = 79. Thereafter, intelligent vehicle (a) Upon receiving the encoding result ๐œŽ๐ธ and witness ๐œ‹๐ธ , it first generate random integers ๐›ฟ1 = 11, ๐›ฟ2 = 109, ๐‘Ÿ = 7 and compute parses them as {๐‘„0 , (๐›พ๐‘– )๐‘–โˆˆ[๐‘›] } and {๐‘„1 , (๐›พ๐‘–โ€ฒ )๐‘–โˆˆ[๐‘›] }, respectively. (b) it ๐‘‘ = ๐‘Žโˆ’1 mod ๐œ™(๐ฟ) = 79, ๐‘Ÿ๐‘‘ mod ๐ฟ = 19. Finally, intelligent parses auxiliary information ๐ด๐‘ข๐‘ฅ as {๐‘Ÿ๐‘ฃ3 , ๐‘ฃ4 , ๐›ฟ1 , ๐›ฟ2 }. vehicle utilizes Eqs. (3) and (4) to conduct logical split, then ( )๐›ฟ (c) RSU utilizes smart contract to compute ๐œ‚ = ๐‘„0 1 and then obtain ๐‘ค = 109, ๐‘”๐‘ค = 17, ๐‘คโ€ฒ = 59, ๐‘”๐‘คโ€ฒ = 42, ๐›ฟ1 ๐‘ง1 = 57, ๐‘ง1 = check whether the following equation holds: 55, ๐›ฟ2 ๐‘ง2 = 78, ๐‘ง2 = 44, ๐‘š = 74, ๐‘šโ€ฒ = 83, ๐‘Ÿ๐‘ฃ3 = 76. โˆ ๐‘› ( )๐›ฟ โˆ ๐‘› 3. ๐ถ๐‘œ๐‘š๐‘๐‘ข๐‘ก๐‘’: MEC server receives the offloading tasks and com- ๐‘Ÿ๐‘ฃ3 โ‹… ๐œ‚ โ‹… ๐›พ๐‘– = ๐‘ฃ4 โ‹… ๐‘„1 2 โ‹… ๐›พ๐‘–โ€ฒ (mod ๐ฟ) (5) pute (๐‘”๐‘ค)๐‘ง1 = 5955 mod 143 = 43, (๐‘”๐‘คโ€ฒ )๐‘ง2 = 4244 mod 143 = โ€ฒ ๐‘–=1 ๐‘–=1 126, ๐‘ค๐‘š = 12, ๐‘คโ€ฒ ๐‘š = 119. If not, the smart contract outputs 0 and aborts. Otherwise, outputs 1 โˆ 4. ๐‘‰ ๐‘’๐‘Ÿ๐‘–๐‘“ ๐‘ฆ: Smart contract is called to verify ๐ฟ๐‘’๐‘“ ๐‘ก = 76 โ‹… 12 โ‹… 4311 and sets ๐œŽ๐ธ = {๐‘Ÿ๐‘ฃ3 ๐œ‚ ๐‘›๐‘–=1 ๐›พ๐‘– }. The verification logic of the smart contract mod 143 = 111 and ๐‘…๐‘–๐‘”โ„Ž๐‘ก = 69 โ‹… 126109 โ‹… 119 mod 143 = 111. can be found in Algorithm 2. 5. ๐‘…๐‘’๐‘๐‘œ๐‘ฃ๐‘’๐‘Ÿ๐‘ฆ: Intelligent Vehicle computes ๐‘Ÿโˆ’1 mod ๐ฟ = 41, then obtain ๐‘…๐‘’๐‘ ๐‘ข๐‘™๐‘ก = 111 โ‹… 41 mod 11 = 8. Algorithm 2: Verification Logic of Smart Contract Input: ๐‘„0 , ๐‘„1 โˆˆ Z๐ฟ ; (๐›พ๐‘– )๐‘–โˆˆ[๐‘›] , (๐›พ๐‘–โ€ฒ )๐‘–โˆˆ[๐‘›] โˆˆ Z๐ฟ 4. Theoretical analysis Scalars: ๐‘Ÿ๐‘ฃ3 , ๐‘ฃ4 , ๐›ฟ1 , ๐›ฟ2 โˆˆ Z๐ฟ Output: Boolean flag indicating verification result 4.1. Correctness ๐›ฟ1 1 ๐œ‚ โ†๐‘„ 0 mod ๐ฟ ; // Compute ๐œ‚ 2 prodGamma โ† 1; To prove the correctness, we need to argue that the returned results 3 for ๐‘– โ† 1 to ๐‘› do by the MEC server can pass the verification algorithm and the intel- 4 prodGamma โ† prodGamma โ‹… ๐›พ๐‘– mod ๐ฟ; // Accumulate ligent vehicle can recover the final result if all entities involved are product of ๐›พ๐‘– honest. 5 prodGammaPrime โ† 1; For the first part, we mainly argue it based on Eq. (5). That is, we 6 for ๐‘– โ† 1 to ๐‘› do prove that the ๐œŽ๐ธ and ๐œ‹๐ธ can pass the ๐‘ฃ๐‘’๐‘Ÿ๐‘–๐‘“ ๐‘ฆ algorithm when MEC 7 prodGammaPrime โ† prodGammaPrime โ‹… ๐›พ๐‘–โ€ฒ mod ๐ฟ; server is honest and follows all algorithms mentioned above. // Accumulate product of proofs ๐›พ๐‘–โ€ฒ Based on Eq. (4), the right-hand side (๐‘…๐ป๐‘†) of Eq. (5) can be 8 lhs โ† ๐‘Ÿ๐‘ฃ3 โ‹… ๐œ‚ โ‹… prodGamma mod ๐ฟ; // Left-hand side of expressed as: the equality ๐›ฟ2 9 rhs โ† ๐‘ฃ4 โ‹… ๐‘„ โ‹… prodGammaPrime mod ๐ฟ; // Right-hand ( )๐›ฟ โˆ ๐‘› 1 ๐‘…๐ป๐‘† = ๐‘ฃ4 โ‹… ๐‘„1 2 โ‹… ๐›พ๐‘–โ€ฒ (mod ๐ฟ) side of the equality ๐‘–=1 10 return (lhs == rhs); // Return true if verification ( )๐‘ง2 ๐›ฟ2 ๐‘› โˆ ๐‘› โˆ ๐‘šโ€ฒ passes = ๐‘” ๐‘˜4 ๐‘” ๐‘คโ€ฒ๐‘– ๐‘คโ€ฒ๐‘– ๐‘– (mod ๐ฟ) ๐‘–=1 ๐‘–=1 ( ๐‘› )๐‘ง2 ๐›ฟ 2 ๐‘› โˆ โˆ ๐‘šโ€ฒ ๐Ÿ“. ๐‘น๐’†๐’„๐’๐’—๐’†๐’“๐’š(๐ˆ ๐‘ฌ , ๐‘น๐‘ฒ) โˆถ The algorithm is run by IV to recover the = ๐‘” ๐‘˜4 +๐‘ง2 ๐›ฟ2 ๐‘คโ€ฒ๐‘– ๐‘คโ€ฒ๐‘– ๐‘– (mod ๐ฟ) encoding result ๐œŽ๐ธ to the true result ๐‘…๐‘’๐‘ ๐‘ข๐‘™๐‘ก. ๐‘–=1 ๐‘–=1 โˆ )โˆ ๐‘› (a) IV parses ๐‘…๐พ as {๐‘} and ๐œŽ๐ธ as {๐‘Ÿ๐‘ฃ3 ๐œ‚ ๐‘›๐‘–=1 ๐›พ๐‘– }, where ๐œ‚ = ( โ€ฒ ( โˆ๐‘› )๐‘ง1 ๐›ฟ1 = ๐‘” ๐‘˜2 ๐‘Ž1 +๐‘Ž2 +ยทยทยท+๐‘Ž๐‘› ๐‘คโ€ฒ๐‘– ๐‘š๐‘– +๐›ฟ2 ๐‘ง2 (mod ๐ฟ) ๐‘” ๐‘–=1 ๐‘ค๐‘– . ๐‘–=1 (b) IV recovers the final computation result ๐‘…๐‘’๐‘ ๐‘ข๐‘™๐‘ก as follows: ( )โˆ ๐‘› ๐‘˜2 ๐‘Ž1 +๐‘Ž2 +ยทยทยท+๐‘Ž๐‘› =๐‘” ๐‘คโ€ฒ๐‘– ๐‘Ž๐‘– (mod ๐ฟ) (7) โˆ ๐‘› ๐‘…๐‘’๐‘ ๐‘ข๐‘™๐‘ก = ๐‘Ÿ๐‘ฃ3 ๐œ‚ ๐›พ๐‘– โ‹… ๐‘Ÿโˆ’1 (mod ๐ฟ) ๐‘–=1 ๐‘–=1 โˆ๐‘› ( )๐‘ง1 ๐›ฟ1 (6) = ๐‘” ๐‘˜2 ๐‘Ž๐‘– ๐‘คโ€ฒ๐‘– ๐‘Ž๐‘– (mod ๐ฟ) โˆ ๐‘› โˆ ๐‘› ๐‘š ๐‘–=1 = ๐‘” ๐‘˜3 ๐‘” ๐‘ค๐‘– ๐‘ค๐‘– ๐‘– (mod ๐‘) ๐‘–=1 ๐‘–=1 โˆ๐‘› ๐‘Ž = ๐‘ฃ2๐‘– ๐‘คโ€ฒ๐‘– ๐‘Ž๐‘– (mod ๐ฟ) ๐‘–=1 3.4. An illustrative โˆ๐‘› = ๐‘ฆโ€ฒ๐‘– ๐‘Ž๐‘– (mod ๐ฟ) ๐‘–=1 We now provide a toy example to further illustrate MExpm. MExpm performs the following procedures. The original modular exponentia- โˆ ๐œ‰โˆ’1 ๐‘Ž โˆ ๐‘› ๐‘Ž = ๐‘ฆ๐‘– ๐‘– โ‹… ๐‘ฆโ€ฒ๐œ‰ ๐‘Ÿ๐‘‘๐‘Ž๐œ‰ โ‹… ๐‘ฆ๐‘– ๐‘– (mod ๐ฟ) tion performs the following procedures. ๐‘–=1 ๐‘–=๐œ‰+1 5 S. Shen et al. Computer Standards & Interfaces 97 (2026) 104107 Since ๐‘Ž๐œ‰ ๐‘‘ โ‰ก 1( mod ๐œ™(๐ฟ)), we always have ๐‘ฆโ€ฒ๐œ‰ ๐‘Ÿ๐‘‘๐‘Ž๐œ‰ = ๐‘Ÿ๐‘ฆ๐œ‰ mod ๐ฟ. Based on Eq. (3), we can get: โˆ ๐‘› ๐‘Ž ๐‘…๐ป๐‘† = ๐‘Ÿ ๐‘ฆ๐‘– ๐‘– (mod ๐ฟ) ๐‘–=1 โˆ ๐‘› ๐‘Ž =๐‘Ÿ ๐‘” ๐‘˜1 ๐‘Ž๐‘– ๐‘ค๐‘– ๐‘– (mod ๐ฟ) ๐‘–=1 ( )โˆ ๐‘› ๐‘š +๐›ฟ1 ๐‘ง1 = ๐‘Ÿ๐‘” ๐‘˜1 ๐‘Ž1 +๐‘Ž2 +ยทยทยท+๐‘Ž๐‘› ๐‘ค๐‘– ๐‘– (mod ๐ฟ) ๐‘–=1 ( ๐‘› )๐‘ง1 ๐›ฟ1 โˆ โˆ ๐‘› ๐‘š ๐‘˜3 +๐‘ง1 ๐›ฟ1 = ๐‘Ÿ๐‘” ๐‘ค๐‘– ๐‘ค๐‘– ๐‘– (mod ๐ฟ) (8) ๐‘–=1 ๐‘–=1 ( )๐‘ง1 ๐›ฟ1 โˆ ๐‘› โˆ ๐‘› ๐‘š = ๐‘Ÿ๐‘” ๐‘˜3 ๐‘” ๐‘ค๐‘– ๐‘ค๐‘– ๐‘– (mod ๐ฟ) Fig. 3. Comparison of checkability rate. ๐‘–=1 ๐‘–=1 ( )๐›ฟ โˆ ๐‘› = ๐‘Ÿ๐‘ฃ3 ๐‘„0 1 ๐›พ๐‘– (mod ๐ฟ) ๐‘–=1 Proof. If the malicious MEC server deceives the intelligent vehicle IV โˆ ๐‘› successfully, the following equation will hold. = ๐‘Ÿ๐‘ฃ3 โ‹… ๐œ‚ โ‹… ๐›พ๐‘– (mod ๐ฟ) ๐‘–=1 โˆ ๐‘› ( )๐›ฟ โˆ๐‘› ๐‘ก โ‹… ๐‘Ÿ๐‘ฃ3 ๐œ‚ ๐›พ๐‘– = ๐‘ก โ‹… ๐‘ฃ4 ๐‘„1 2 ๐›พ๐‘–โ€ฒ (10) Obviously, according to Eq. (8), if the MEC server and intelligent ๐‘–=1 ๐‘–=1 vehicle IV are honest and follow all procedures described above, the The corresponding encoding result will be decoded by IV as follows: encoding result ๐œŽ๐ธ and witness result ๐œ‹๐ธ can always pass the ๐‘‰ ๐‘’๐‘Ÿ๐‘–๐‘“ ๐‘ฆ algorithm. โˆ ๐‘› ๐‘…๐‘’๐‘ ๐‘ข๐‘™๐‘ก = ๐‘ก โ‹… ๐‘ฃ3 ๐œ‚ ๐›พ๐‘– (mod ๐‘) (11) Second, we will argue that the encoding result ๐œŽ๐ธ can be decoded ๐‘–=1 to the actual result ๐‘…๐‘’๐‘ ๐‘ข๐‘™๐‘ก. In this section, we mainly rely on Eq. (1), Since the MEC server could not gain access to the values of ๐›ฟ1 and ๐›ฟ2 , Eq. (2), Eq. (3) and (6). The ๐œŽ๐ธ can be parsed and computed as follows: ( )๐›ฟ it cannot obtain the correct values of ๐œ‚ and ๐‘„1 2 . Therefore, the MEC server can only turn to other ๐‘› pairs to cheat the intelligent vehicle, โˆ ๐‘› then it needs to determine the correct meanings of 2๐‘› + 2 sub-tasks to ๐‘…๐‘’๐‘ ๐‘ข๐‘™๐‘ก = ๐‘Ÿ๐‘ฃ3 ๐œ‚ ๐›พ๐‘– โ‹… ๐‘Ÿโˆ’1 (mod ๐‘) obtain pairs: (๐‘คโ„Ž , ๐‘šโ„Ž ) and (๐‘คโ€ฒ๐‘— , ๐‘šโ€ฒ๐‘— ). Since the sending order of these 2๐‘›+ ๐‘–=1 ( )๐‘ง1 ๐›ฟ1 2 pairs is random, the MEC server is unaware of the specific meanings โˆ ๐‘› โˆ ๐‘› = ๐‘” ๐‘˜3 ๐‘” ๐‘ค๐‘– ๐‘š ๐‘ค๐‘– ๐‘– (mod ๐‘) of each pair. Therefore, it needs to find (๐‘คโ„Ž , ๐‘šโ„Ž ) and (๐‘คโ€ฒ๐‘— , ๐‘šโ€ฒ๐‘— ) among the ๐‘› ๐‘› ๐‘–=1 ๐‘–=1 2๐‘› + 2 pairs. The probability of this operation is 2๐‘›+2 2๐‘›+1 . Additionally, ( ๐‘› )๐‘ง1 ๐›ฟ 1 for successful deception, the MEC server needs to determine the value โˆ โˆ ๐‘› ๐‘š = ๐‘” ๐‘˜3 +๐‘ง1 ๐›ฟ1 ๐‘ค๐‘– ๐‘ค๐‘– ๐‘– (mod ๐‘) of ๐‘Ÿ, where ๐‘Ÿ โˆˆ {2, โ€ฆ , ๐‘}. Thus, the probability of finding the correct ๐‘Ÿ ๐‘–=1 ๐‘–=1 1 is ๐‘โˆ’2 . Subsequently, the MEC server generates a random number ๐‘ก and ( )โˆ ๐‘› ๐‘š ๐‘šโ€ฒ = ๐‘” ๐‘˜1 ๐‘Ž1 +๐‘Ž2 +ยทยทยท+๐‘Ž๐‘› ๐‘š +๐›ฟ ๐‘ง ๐‘ค๐‘– ๐‘– 1 1 (mod ๐‘) returns ๐‘ก๐‘คโ„Ž โ„Ž and ๐‘ก๐‘คโ€ฒ๐‘— ๐‘— . We denote the malicious server successfully ๐‘–=1 (9) determining the correct meaning of (๐‘คโ„Ž , ๐‘šโ„Ž ) and (๐‘คโ€ฒ๐‘— , ๐‘šโ€ฒ๐‘— ) as event ๐ธ1 , โˆ ๐‘› ๐‘Ž and denote the determining the value of ๐‘Ÿ as event ๐ธ2 . We have: ๐‘˜1 ๐‘Ž ๐‘– = ๐‘” ๐‘ค๐‘– ๐‘– (mod ๐‘) ๐‘› ๐‘› 1 Pr(๐ธ1 ) = 2๐‘›+2 2๐‘›+1 and Pr(๐ธ2 ) = ๐‘โˆ’2 . ๐‘–=1 โˆ๐‘› Therefore, the probability of the intelligent vehicle being deceived ๐‘Ž ๐‘›2 = ๐‘ฆ๐‘– ๐‘– (mod๐‘) is: Pr(๐ธ1 โˆฉ ๐ธ2 ) = Pr(๐ธ1 ) Pr(๐ธ2 ) = (4๐‘›2 +6๐‘›+2)(๐‘โˆ’2) . Therefore, the checka- ๐‘–=1 ๐‘› 2 bility rate of our proposed scheme MExpm is: 1 โˆ’ (4๐‘›2 +6๐‘›+2)(๐‘โˆ’2) . โˆ๐‘› ( )๐‘Ž = ๐‘ข๐‘– + ๐‘˜๐‘ ๐‘– (mod ๐‘) ๐‘–=1 โˆ ๐‘› 5. Simulation ๐‘Ž = ๐‘ข๐‘– ๐‘– (mod ๐‘) ๐‘–=1 In this section, we evaluate the performance of our proposed scheme Obviously, when Eq. (9) holds, the correctness of the algorithm MExpm by comparing it with the most advanced and representative ๐‘…๐‘’๐‘๐‘œ๐‘ฃ๐‘’๐‘Ÿ๐‘ฆ is guaranteed and the proof is completed. modular exponentiation offloading schemes reported in recent litera- ture. Specifically, we consider MExp [3] and SMCExp [4] for secure 4.2. Security analysis batch modular exponentiation, as well as SoRSA [6] and EPExp [7] for single modular exponentiation. These schemes reflect the latest In this section, we demonstrate the privacy for computation of- advancements in both batch-oriented and single-operation settings and โˆ floading results. In MExpm, we firstly convert ๐‘›๐‘–=1 ๐‘ข๐‘– ๐‘Ž๐‘– (mod ๐‘) into are widely recognized as benchmarks in the field. Notably, all of these โˆ๐‘› ๐‘Ž ๐‘–=1 ๐‘ฆ๐‘– (mod ๐ฟ), then the exponents ๐‘Ž๐‘– are transformed into ๐›ฟ1 ๐‘ง1 + ๐‘– algorithms are incorporated as baselines in our experimental evalua- ๐‘š๐‘–,๐‘–โˆˆ[๐‘›] and ๐›ฟ2 ๐‘ง2 + ๐‘šโ€ฒ๐‘–,๐‘–โˆˆ[๐‘›] . The public information in our scheme are tion, covering key performance indicators such as local computation {๐‘ƒ ๐‘Ž๐‘Ÿ๐‘Ž๐‘š๐‘ , ๐‘‡ ๐พ, ๐‘‰ ๐พ, ๐ด๐‘ข๐‘ฅ, ๐œŽ๐ธ , ๐œ‹๐ธ }, and the adversaries cannot obtain any time, end-to-end execution latency, communication overhead, and gas information about secret information {๐‘ข๐‘–,๐‘–โˆˆ[๐‘›] , ๐‘Ž๐‘–,๐‘–โˆˆ[๐‘›] , ๐‘…๐พ, ๐‘…๐‘’๐‘ ๐‘ข๐‘™๐‘ก}. consumption. Since MExpm is designed for batch modular exponenti- ation, while SoRSA and EPExp are designed solely for single modular Theorem 1. When the MEC server cheats the client, the misbehavior can exponentiation, for fairness, we also conduct the comparison for the ๐‘›2 be detected with checkability rate 1 โˆ’ (4๐‘›2 +6๐‘›+2)(๐‘โˆ’2) . case where the batch size ๐‘› = 1. 6 S. Shen et al. Computer Standards & Interfaces 97 (2026) 104107 Fig. 4. Comparsion of time cost in ๐‘ข๐‘Ž mod ๐‘. โˆ๐‘› Fig. 5. Comparison of time cost in ๐‘–=1 ๐‘ข๐‘– ๐‘Ž๐‘– mod ๐‘. Fig. 6. Comparison of communication cost. Fig. 7. Comparison of storage cost. 7 S. Shen et al. Computer Standards & Interfaces 97 (2026) 104107 usage, communication overhead, and storage overhead. We quantify privacy using the checkability rate. Computation cost is measured by the execution time (in milliseconds), where longer runtimes correspond to higher resource consumption. We assess blockchain resource usage on the Ethereum simulation platform, Remix, using gas consumption as the metric. Communication overhead is defined as the total data transmitted during offloading. Storage overhead is quantified by the additional storage required on both the client and server sides. 5.3. Checkability The details of checkability rate comparison of these four schemes are shown in Fig. 3. As ๐‘› increases, our proposed scheme MExpm always maintains a high checkability rate close to 1, while the other three schemes gradually decrease. When ๐‘› = 1000, the checkability 1 rate of GExp is only 1001 . It means that a forged result can pass the verification algorithm with the probability 1000 1001 . Both MExp and SMCExp have the same checkability rate. However, when ๐‘› = 5000, the Fig. 8. Comparison of Gas Consumption in Verify Algorithm when the size of checkability rate for these two schemes is only 0.975. Since MExpm ๐‘Ÿ is larger than 32 bits. uses a prime number ๐‘ with size 512, its checkability rate is higher than 0.999. 5.4. Computation cost 5.4.1. Single modular exponentiation offloading The comparsion results of single modular exponentiation offloading could be found in Fig. 4. Compared with MExp and SMCExp, MExpm demonstrates better performance either in ๐พ๐‘’๐‘ฆ๐บ๐‘’๐‘› algorithm or in ๐‘†๐‘’๐‘ก๐‘ข๐‘ algorithm. Particularly in ๐‘‰ ๐‘’๐‘Ÿ๐‘–๐‘“ ๐‘ฆ algorithm, MExpm outperforms these competitors. When it comes to SoRSA and EPExp, whose security assumption is rather simple and cannot applied in real-world scenarios, it seems unfair to compare them with schemes for batch modular exponentiation with higher security standard. 5.4.2. Batch modular exponentiation offloading Fig. 5 compares the computational cost of batch modular exponen- tiation offloading. MExpm consistently requires fewer resources than MExp across all phases. Although MExpm adds a recovery phase, it Fig. 9. The relative saving ratio of MExp and MExpm. consists of a single modular inversionโ€”incurring a fixed and negligible overhead. 5.5. Communication and storage cost 5.1. Experimental setting We implemented MExpm and MExp for batch modular exponentia- To simulate a low-bandwidth network environment, we set the tion offloading, MExp, SMCExp, EPExp, SoRSA and MExpm for single transmission rate to 1 Kbps. Fig. 6 shows the communication cost of modular exponentiation offloading using Python 3.8, along with the Py- the all competitors and MExpm in terms of the time cost of trans- Cryptodome and GNU Multiple Precision (gmpy2 version 2.1.5) library. mission. For fair comparison, all schemes employ 1024-bit modulus. All simulation experiments were conducted on the same Windows ma- For EPExp and SoRSA, whose authors assume that they only offload chine equipped with an Intel Core TM i9-13900HX processor (running ciphertext to servers and do not need to take security of bases into at 2.20 GHz) and 16 GB of memory. We perform each algorithm 100 consideration, and thus, they have lower communication cost com- times and then computed the mean of its time cost. The size of prime pared with other schemes. Compared with MExp and SMCExp, MExpm numbers selected in MExpm are all 512 bits, meaning the number ๐ฟ shares the same communication cost in ๐ถ๐‘œ๐‘š๐‘๐‘ข๐‘ก๐‘’ and ๐‘‰ ๐‘’๐‘Ÿ๐‘–๐‘“ ๐‘ฆ algorithm. is 1024 bits. For MExp and methods without offloading, we randomly SMCExp shows the least communication cost in ๐พ๐‘’๐‘ฆ๐บ๐‘’๐‘› and ๐‘†๐‘’๐‘ก๐‘ข๐‘ generate a pair of 1024-bit prime numbers. In our simulation, โ€˜MExpm algorithm. The results in Fig. 6 demonstrate that MExpm can deploy w/o obfuscationโ€™ denotes MExpm without the secure obfuscation oper- a more secure offloading strategy while with similar communication ation and โ€˜w/o offloadingโ€™ indicates the local execution of the modular cost compared with other competitors. Fig. 7 shows the storage cost exponentiation operation. among all schemes, SoRSA needs to store ๐‘›, ๐‘ž, ๐‘, ๐ถ, ๐‘˜, ๐‘ก1 , ๐‘ก2 to conduct 5.2. Evaluation metrics verification and recovery, leading to the most demanding storage cost. EPExp demonstrates the best storage performance, while it lacks a To comprehensively evaluate MExpm, we assess its performance consideration of a malicious MEC server. Among MExp and SMCExp, across five dimensions: privacy, computation cost, blockchain resource MExpm demonstrates the best performance in storage performance. 8 S. Shen et al. Computer Standards & Interfaces 97 (2026) 104107 5.6. Gas consumption โ€ข Witness Tampering: The MEC server alters or forges witnesses with the objective of deceiving the verifier and illegitimately The results of the gas consumption comparison are demonstrated in passing the verification process. Fig. 8. It can be observed that as ๐‘Ÿ increases, the gas consumption for In our simulation, the Intelligent Vehicle (IV) executes the KeyGen both MExpm and MExp grows steadily. However, the gap between them algorithm entirely offline to generate the evaluation key ๐‘‡ ๐พ, witness widens significantly. For instance, when ๐‘› = 5, the gas fee difference generation key ๐‘‰ ๐พ, and auxiliary information ๐ด๐‘ข๐‘ฅ. The ๐‘‡ ๐พ and ๐‘‰ ๐พ rises from 7,504 gas at ๐‘Ÿ = 32 bits to 58,981 gas at ๐‘Ÿ = 256 bits. are then transmitted to the MEC server and the Roadside Unit (RSU), Furthermore, the gas cost of MExpmโ€™s ๐‘‰ ๐‘’๐‘Ÿ๐‘–๐‘“ ๐‘ฆ algorithm scales linearly respectively. The RSU, acting as a lightweight verifier, executes the with ๐‘› and is largely unaffected by ๐‘Ÿ, whereas MExpโ€™s verification cost verification algorithm upon receiving computation results from the increases with both ๐‘Ÿ and ๐‘›. This highlights MExpmโ€™s superior efficiency MEC server. in reducing computational and financial burdens for intelligent vehi- Experimental results demonstrate that our verification mechanism cles, especially at larger scales. To provide a normalized view of these achieves a 100% detection rate for all injected malicious behaviors, savings, we evaluate the relative saving ratio (SR) defined as with zero false positives under benign conditions. This confirms that ๐‘›,๐‘Ÿ ๐‘›,๐‘Ÿ ๐บMExp โˆ’ ๐บMExpm the proposed scheme maintains strong security guarantees even in the ๐‘†๐‘… = ๐‘›,๐‘Ÿ presence of malicious MEC servers, thereby reinforcing its practicality ๐บMExp for real-world V2X deployments. ๐‘›,๐‘Ÿ ๐‘›,๐‘Ÿ where ๐บMExp , ๐บMExpm is the gas consumption of MExp and MExpm with same ๐‘› and ๐‘Ÿ respectively. As illustrated in Fig. 9, MExpm consistently 5.9. Deployment feasibility in real-world V2X environments achieves ๐‘†๐‘… > 0 across all tested parameter, with observed savings The proposed scheme is designed for secure computation outsourc- ranging from approximately 30% to 70%. These results confirm that ing in resource-constrained vehicular networks. In such scenarios, the MExpm delivers substantial resource savings over MExp, reinforcing its primary metric for evaluation is whether the total computational cost scalability and economic advantages. incurred locally after outsourcing is significantly lower than that of fully local execution. Therefore, as is common in the literature on com- 5.7. Economic analysis of gas savings putation outsourcing, we perform all experiments โ€” including the com- putation algorithm, verification algorithm, and a non-outsourced base- To further assess the practical impact of our scheme in real-world line โ€” on the same hardware platform. This ensures a fair and repro- deployments, we provide an economic estimation of gas savings ducible comparison under identical computational conditions, thereby achieved by the proposed MExpm scheme compared with the represen- directly demonstrating the benefits of outsourcing. tative baseline MExp, particularly in the context of blockchain-based In the proposed system, the Service Authority (SA) is responsible for smart contract verification. As shown in Fig. 8, the gas cost of each handling the bulk of initialization tasks, such as modulus generation, offloaded batch modular exponentiation result increases with both the base obfuscation, and parameter distribution. This design choice aligns batch size ๐‘› and the bit length of the randomness parameter ๐‘Ÿ. When ๐‘› = with the practical division of labor in vehicular networks, reducing 1 and bit length of ๐‘Ÿ is 32 bits, MExp incurs 24,013 gas while MExpm the computational burden on field devices. The Intelligent Vehicle (IV) requires only 16,509 gas, leading to a difference of 7504 gas per executes the KeyGen algorithm to generate the evaluation key ๐‘‡ ๐พ, verification. The average gas price is approximately 30 Gwei (1 Gwei = witness generation key ๐‘‰ ๐พ, and auxiliary information ๐ด๐‘ข๐‘ฅ. Crucially, 10โˆ’9 ETH), the ETH/USD exchange rate is approximately $4, 000, and 1 the KeyGen algorithm can be performed entirely offline before the million gas cost approximately $120 on Ethereum networks. Therefore, online phase, ensuring that no additional delay is introduced when the savings can be translated as initiating the outsourced computation. Once ๐‘‡ ๐พ is generated, the IV transmits ๐‘‡ ๐พ to the MEC server for performing the computation tasks. Gas Savings = 7,504 gas ร— 0.03 USDโˆ•1,000,000 โ‰ˆ 0.90 USD In real deployments, RSUs are lightweight verification devices typi- Consider a practical usage scenario where each intelligent vehicle cally deployed at traffic intersections or along highways, where power offloads batch modular exponentiation tasks 10 times per day (e.g., for supply and network connectivity can be unstable. To emulate these authentication, key negotiation, digital signatures, etc.), the annual constraints, we configure the RSU role on a lightweight laptop and number of invocations is 10 (tasks/day)ร—365 (days/year) = 3,650 tasks/ limit the network transmission rate to 1 Kbps, thereby simulating a year. Thus, the total annual gas cost saving per vehicle is: 0.90 realistic low-bandwidth vehicular environment. Meanwhile, the Service Authority (SA) undertakes the bulk of initialization tasks, ensuring that USD/task ร— 3,650 tasks/year โ‰ˆ ๐Ÿ‘๐Ÿ๐Ÿ–๐Ÿ“๐”๐’๐ƒโˆ•๐ฒ๐ž๐š๐ซ. This estimation high- RSUs and IVs remain computationally efficient during the online phase. lights the substantial economic benefits of MExpm when deployed at This deployment-oriented design, together with our simulation set- scale in large IoV systems. For a fleet of 10,000 vehicles, the projected tings, ensures that the evaluation faithfully reflects real-world lim- gas savings could exceed 32.8 million USD annually. itations while remaining reproducible. Consequently, the proposed scheme is shown to be both practically feasible and robust for secure 5.8. Robustness evaluation against malicious MEC servers computation outsourcing in V2X environments. To address potential security risks in practical deployments, we 6. Conclusion and future work conducted robustness experiments simulating malicious Mobile Edge Computing (MEC) servers that deviate from the prescribed computation In this paper, we propose MExpm, a secure and efficient computa- protocol. Such adversarial behaviors may include, but are not limited tion offloading scheme for batch modular exponentiation in Vehicle- to: to-Everything (V2X) communications. Our proposed scheme addresses critical challenges in V2X systems, such as computational burden, โ€ข Forged Results: The MEC server deliberately returns computa- latency, and privacy concerns, by leveraging Mobile Edge Computing tion results that deviate from the prescribed algorithm, thereby (MEC) servers and blockchain technology. Our scheme achieves several attempting to mislead the verifier regarding the correctness of the significant improvements over existing methods. It ensures fairness computation. in computation offloading by using smart contracts, provides high โ€ข Partial Omission or Manipulation: The MEC server selectively checkability to detect any misbehavior by MEC servers, and enhances omits partial computation results or manipulates intermediate privacy protection through secure obfuscation and logical split tech- values with the intent of reducing its own computational work- niques. These features make MExpm particularly well-suited for various load. real-time applications in V2X systems. These include 9 S. Shen et al. Computer Standards & Interfaces 97 (2026) 104107 โ€ข Real-time Cryptographic Operations: MExpm can offload [6] H. Zhang, J. Yu, C. Tian, L. Tong, J. Lin, L. Ge, H. Wang, Efficient and secure resource-intensive cryptographic tasks, such as digital signatures outsourcing scheme for rsa decryption in internet of things, IEEE Internet Things J. 7 (8) (2020) 6868โ€“6881. and key exchanges, ensuring secure and efficient communication [7] Q. Hu, M. Duan, Z. Yang, S. Yu, B. Xiao, Efficient parallel secure outsourcing of with reduced latency. modular exponentiation to cloud for iot applications, IEEE Internet Things J. 8 โ€ข Safety-Critical Message Signature: Offloading the computation (16) (2020) 12782โ€“12791. of digital signatures (which rely on exponentiation) for emer- [8] K. Zhou, M. Afifi, J. Ren, Expsos: Secure and verifiable outsourcing of exponen- gency braking alerts and collision avoidance warnings, with on- tiation operations for mobile cloud computing, IEEE Trans. Inf. Forensics Secur. 12 (11) (2017) 2518โ€“2531. chain smart contracts validating each signature to prevent tam- [9] Y. Saleem, F. Salim, M.H. Rehmani, Integration of cognitive radio sensor pering. networks and cloud computing: A recent trend, in: Cognitive Radio Sensor โ€ข Privacy-Preserving Authentication: The scheme guarantees the Networks: Applications, Architectures, and Challenges, IGI Global, 2014, pp. privacy of sensitive data, such as cryptographic bases and expo- 288โ€“312. nents, while allowing verification of computation results. This is [10] J. Wang, Y. Wang, H. Ke, Joint optimization for mec computation offloading and resource allocation in iov based on deep reinforcement learning, Mob. Inf. essential for secure authentication in V2X communications, pro- Syst. 2022 (2022). tecting both vehicles and infrastructure from malicious attacks. [11] L. Yao, X. Xu, M. Bilal, H. Wang, Dynamic edge computation offloading for โ€ข Traffic Management Systems: MExpm can be integrated into internet of vehicles with deep reinforcement learning, IEEE Trans. Intell. Transp. smart city infrastructures, supporting secure communication for Syst. (2022). traffic management, tolling systems, and other applications where [12] R. Gennaro, C. Gentry, B. Parno, Non-interactive verifiable computing: Out- sourcing computation to untrusted workers, in: Advances in Cryptologyโ€“CRYPTO privacy and computation efficiency are crucial. 2010: 30th Annual Cryptology Conference, Santa Barbara, CA, USA, August 2010 15-19. Proceedings 30, Springer, 2010, pp. 465โ€“482. Although MExpm significantly reduces computation resources com- [13] Y. Guan, H. Zheng, J. Shao, R. Lu, G. Wei, Fair outsourcing polynomial pared to local execution, it introduces additional complexity due to en- computation based on the blockchain, IEEE Trans. Serv. Comput. 15 (5) (2021) hanced security features. Future work should aim to design a more gen- 2795โ€“2808. eralized verifiable computation offloading framework that optimizes [14] H. Pagnia, F.C. Gรคrtner, et al., On the Impossibility of Fair Exchange Without a the balance between security and computational efficiency. Trusted Third Party, Tech. Rep., Citeseer, 1999. [15] A. Aloufi, P. Hu, Y. Song, K. Lauter, Computing blindfolded on data homomor- phically encrypted under multiple keys: A survey, ACM Comput. Surv. 54 (9) CRediT authorship contribution statement (2021) http://dx.doi.org/10.1145/3477139. [16] J. Zhang, Z.L. Jiang, P. Li, S.M. Yiu, Privacy-preserving multikey com- Sipeng Shen: Writing โ€“ review & editing, Writing โ€“ original draft, puting framework for encrypted data in the cloud, Inform. Sci. 575 Methodology, Conceptualization. Qiang Wang: Writing โ€“ review & (2021) 217โ€“230, http://dx.doi.org/10.1016/j.ins.2021.06.017, https://www. sciencedirect.com/science/article/pii/S0020025521006083. editing, Writing โ€“ original draft, Methodology. Fucai Zhou: Writing โ€“ [17] M. Cui, S. Zhong, B. Li, X. Chen, K. Huang, Offloading autonomous driving review & editing, Supervision. Jian Xu: Writing โ€“ review & editing, services via edge computing, IEEE Internet Things J. 7 (10) (2020) 10535โ€“10547. Supervision. Mingxing Jin: Writing โ€“ review & editing. [18] J. Zhou, F. Wu, K. Zhang, Y. Mao, S. Leng, Joint optimization of offloading and resource allocation in vehicular networks with mobile edge computing, in: Declaration of competing interest 2018 10th International Conference on Wireless Communications and Signal Processing, WCSP, IEEE, 2018, pp. 1โ€“6. [19] S. Yang, A task offloading solution for internet of vehicles using combination The authors declare no competing interests. auction matching model based on mobile edge computing, IEEE Access 8 (2020) 53261โ€“53273. Acknowledgments [20] H. Xu, W. Huang, Y. Zhou, D. Yang, M. Li, Z. Han, Edge computing resource allocation for unmanned aerial vehicle assisted mobile network with blockchain This work was supported in part by the National Natural Sci- applications, IEEE Trans. Wirel. Commun. 20 (5) (2021) 3107โ€“3121. [21] Y. Liu, H. Yu, S. Xie, Y. Zhang, Deep reinforcement learning for offloading and ence Foundation of China under Grants 62202090, 62173101, and resource allocation in vehicle edge computing and networks, IEEE Trans. Veh. 62372069, by Natural Science Foundation of Liaoning Province un- Technol. 68 (11) (2019) 11158โ€“11168. der Grant 2025-MS-046, by the Fundamental Research Funds for the [22] J. Kilian, Theory of Cryptography: Second Theory of Cryptography Conference, Central Universities, China under Grant N2417006, and by Liaoning TCC 2005, Cambridge, MA, USA, February 10-12. 2005, Proceedings, vol. 3378, Collaboration Innovation Center for CSLE under Grant XTCX2024-015. Springer, 2005. [23] X. Ma, J. Li, F. Zhang, Efficient and secure batch exponentiations outsourcing in cloud computing, in: 2012 Fourth International Conference on Intelligent Data availability Networking and Collaborative Systems, IEEE, 2012, pp. 600โ€“605. [24] X. Chen, J. Li, J. Ma, Q. Tang, W. Lou, New algorithms for secure outsourcing Data will be made available on request. of modular exponentiations, IEEE Trans. Parallel Distrib. Syst. 25 (9) (2013) 2386โ€“2396. [25] Y. Ren, N. Ding, X. Zhang, H. Lu, D. Gu, Verifiable outsourcing algorithms for References modular exponentiations with improved checkability, in: Proceedings of the 11th ACM on Asia Conference on Computer and Communications Security, 2016, pp. [1] R. Sun, Y. Wen, N. Cheng, W. Wang, R. Chai, Y. Hui, Structural knowledge- 293โ€“303. driven meta-learning for task offloading in vehicular networks with integrated [26] M. Van Dijk, D. Clarke, B. Gassend, G.E. Suh, S. Devadas, Speeding up communications, sensing and computing, J. Inf. Intell. (2024). exponentiation using an untrusted computational resource, Des. Codes Cryptogr. [2] S. Yuan, Y. Fan, Y. Cai, A survey on computation offloading for vehicular 39 (2006) 253โ€“273. edge computing, in: Proceedings of the 2019 7th International Conference on [27] J. Ye, J. Wang, Secure outsourcing of modular exponentiation with single Information Technology: IoT and Smart City, 2019, pp. 107โ€“112. untrusted server, in: 2015 18th International Conference on Network-Based [3] Y. Ding, Z. Xu, J. Ye, K.-K.R. Choo, Secure outsourcing of modular exponen- Information Systems, IEEE, 2015, pp. 643โ€“645. tiations under single untrusted programme model, J. Comput. System Sci. 90 [28] S. Li, L. Huang, A. Fu, J. Yearwood, Cexp: secure and verifiable outsourcing of (2017) 1โ€“13. composite modular exponentiation with single untrusted server, Digit. Commun. [4] Q. Su, R. Zhang, R. Xue, Secure outsourcing algorithms for composite modular Netw. 3 (4) (2017) 236โ€“241. exponentiation based on single untrusted cloud, Comput. J. 63 (8) (2020) [29] C. Dong, Y. Wang, A. Aldweesh, P. McCorry, A. van Moorsel, Betrayal, distrust, 1271โ€“1271. and rationality: Smart counter-collusion contracts for verifiable cloud comput- [5] Y. Wang, Q. Wu, D.S. Wong, B. Qin, S.S. Chow, Z. Liu, X. Tan, Securely ing, in: Proceedings of the 2017 ACM SIGSAC Conference on Computer and outsourcing exponentiations with single untrusted program for cloud storage, in: Communications Security, 2017, pp. 211โ€“227. Computer Security-ESORICS 2014: 19th European Symposium on Research in [30] J. Ellul, G.J. Pace, Runtime verification of ethereum smart contracts, in: 2018 Computer Security, Wroclaw, Poland, September 2014 7-11. Proceedings, Part I 14th European Dependable Computing Conference, EDCC, IEEE, 2018, pp. 19, Springer, 2014, pp. 326โ€“343. 158โ€“163. 10 S. Shen et al. Computer Standards & Interfaces 97 (2026) 104107 [31] M.R. Dorsala, V. Sastry, S. Chapram, Fair payments for verifiable cloud services [33] D. Xu, Y. Ren, X. Li, G. Feng, Efficient and secure outsourcing of modular using smart contracts, Comput. Secur. 90 (2020) 101712. exponentiation based on smart contract, Int. J. Netw. Secur. 22 (6) (2020) [32] S. Avizheh, M. Nabi, R. Safavi-Naini, K. M. Venkateswarlu, Verifiable computa- 934โ€“944. tion using smart contracts, in: Proceedings of the 2019 ACM SIGSAC Conference [34] G. Wood, et al., Ethereum: a secure decentralised generalised transaction ledger, on Cloud Computing Security Workshop, 2019, pp. 17โ€“28. (2014) 2017. [35] S. Mahdavi-Hezavehi, Y. Alimardani, R. Rahmani, D. Rosaci, An efficient frame- work for a third party auditor in cloud computing environments, Comput. J. 63 (1) (2020) 1285โ€“1297. 11