introduction to modern cryptography, lecture 11
DESCRIPTION
Introduction to Modern Cryptography, Lecture 11. 1) More about efficient computation: Montgomery arithmetic, efficient exponentiation 2)Secret Sharing schemes. Montgomery Reduction. Let m be a positive integer Let R and T be integers such that. - PowerPoint PPT PresentationTRANSCRIPT
Introduction to Modern Cryptography, Lecture 11
1) More about efficient computation: Montgomery arithmetic, efficient exponentiation2)Secret Sharing schemes
Montgomery Reduction
• Let m be a positive integer
• Let R and T be integers such that
, gcd( , ) 1, 0R m m R T mR The Montgomery reduction of of T modulo m with respect to R :
1 modTR m
Montgomery Reduction
• Typical use:
2log
2
(RSA modulus)
2
, gcd(R,m)=1
m
m
m pq
R
R m
T mR
Compute 5 mod
mod
x m
x xR m
Montgomery Reduction (cont.)
Compute 5 mod
mod
x m
x xR mMontgomery reduction of
2 2 1mod modx m x R mMontgomery reduction of
2 1 2 4 3( ) mod modx R m x R m Montgomery reduction of
2 1 2 5 4 5( ) mod mod modx R x m x R m x R m
22 mod mod modx m m x m
Let
Montegomery Reduction (cont)
• Idea: rather than compute xy mod m, compute the Montgomery reduction of xR and yR mod m which is xyR mod m
• This always leaves one extra “R”• Worthwhile if Montgomery reduction
is faster than simple modular reduction
Fact• Given m and R where gcd(m,R)=1, let 0
≤ T ≤ mR, then:1. (T + (-Tm-1 mod R) m)/R is an integer and2. (T + (-Tm-1 mod R) m)/R =TR-1 mod m.
2. T+ (-Tm-1 mod R) m = T mod m, (T+ (-Tm-1 mod R)m)/R mod m= TR-1 mod m
3. (-Tm-1 mod R) = T(-m-1 mod R) + kR, m(-m-1 mod R)=-1 + jR,
(T + (-Tm-1 mod R)m) / R = (T + (T (-m-1 mod R) + kR)m) / R = T((1 + -1 + jR) + kRm) / R = (Tj + km)R / R = Tj+km
More Facts
• As T < mR, and (-Tm-1 mod R) < R, then (T+ (-Tm-1 mod R) m)/R < (mR + mR)/R < 2m.
• Computing -TR-1 mod m can be done with two multiplications:– U = (-Tm-1 mod R) (if R = power of 2, mod R =
low order bits)– U m
• If R = power of 2, division = rightshift of high order bits for (T + Um)/R
Example
• m = 187, R=190, R-1 mod m = 125, m-1 mod R = 63, -m-1 mod R = 127
• T=563, -T m-1 mod R = 185, (T+(-T m-1 mod R) m)/R = 188 = (TR-1 mod m) + m
Homework Assignment 3 part 1
• Describe and prove correctness of the binary Montgomery reduction algorithm (Handbook of Applied Cryptography, page 601, 14.32)
• Implement Montgomery reduction in Maple for 1024 bit modulii
• Implement Fiat-Shamir in Maple making use of Montgomery reduction
Exponentiation
• Base 2 left to right:
- To compute xe we compute - S=1- For i=1 to j
- S = S2
- If ei =1 then S=Sx,
1 2 je e e e
Worst case: j multiplications, j squares“Average case”: j/2 multiplications, j squares
Exponentiation
• Base 2 right to left:
- To compute xe we compute - A=x, S=1- For i=j downto 1
- If ei =1 then S=SA,
- A = A2
1 2 je e e e
Worst case: j multiplications, j squares“Average case”: j/2 multiplications, j squares
Exponentiation• Base b left to right:
- To compute xe we compute - S=1- For i=1 to j
- S = (…(((S2)2)2)…)2 S to the power 2b
- If ei ≠0 then
1 2 (base ), 0 1j ie e e e b e b
Worst case: 2b+j multiplications, jb = log2e sq“Average case”: 2b+j(2b-1)/2b multiplications, jb sq
ieS S x (precomputed)
For 1024 bit exponent, what is the optimal b?
For a log(e) bit exponent?
• log(e)+2b+log(e)/log(b) mults+squares– 2b=log(e)/log(b)– 2blog(b)=log(e)– b≈loglog(e)/c – log(e)+2b+log(e)/logloglog(e) =
log(e) + log(e)1/c + log(e)/logloglog(e) = log(e) + o(log(e))
Addition chains• Example: 1,2,3,4,7,10• A list of integers, starting at 1, where the
next element is the sum of two previous elements
• Addition chain of length 5 for 15:– 1,2,3,6,12,15 (don’t count the 1)
• To compute x15, the binary left to right exponentiation algorithm computes: x, x2, x3, x6, x7, x14, x15 (3 mults, 3 squares)
• The addition chain algorithm would compute x, x2, x3, x6, x12, x15 (2 mults, 3 squares)
• Finding the optimal addition chain is NP-Hard
• See algorithms in Knuth Volume 2, seminumerical algorithms
Addition chains (cont.)
• Length of addition chain for n is at least log(n) + log(wt(n)) (wt(n)≈log(n)/2 on “average”)
• Binary left to right exponentiation: log(n) + wt(n)
• Base b left to right exponentiation, log(n)+2b+log(n)/log(b), b=loglog(n) /2 implies log(n) + o(log n)
Fixed base exponentiation (E.g., ge mod p)
• Base b,• Precompute
for 1 log( ) / log( ) 1ibg i e b
0 1 (base ), 0 1t ie e e e b e b
0
ti
ii
e e b
1
0 1
ii i
i
jet be b b
i j e jg g g
Fixed base exponentiation (E.g., ge mod p)
0
ti
ii
e e b
1
0 1
ii i
i
jet be b b
i j e jg g g
Base b, number of multiplications islog(e)/log(b) + b. Take b=sqrt(log(e)) and the number of multiplications is O(sqrt(log(e)))
New Subject: Secret Sharing
• Threshold secret sharing scheme: a secret is divided amongst n users, but any t amongst them can recreate the secret.
• Easy solution: split the secret into t random shares, and give to every subset of size t out of n.
• Every user gets shares1
1
n
t
Shamir’s threshold secret sharing scheme
• Choose a random polynomial over a finite field, of degree t-1, with p(0)=c0 equal to the secret.
• Give User j the value p(j)
• Any t users can reconstruct p(x) and compute p(0)
0
( )t
ii
i
p x c x
Generalized Secret Sharing
• P – a set of users• A – an access structure, a set of subsets
of P• Perfect secret sharing – the shares
corresponding to each unauthorized subset provide no information– H(S|B) = 0 for all B in A– H(S|B) = H(S) for all B not in A
• The information rate for a user is (size of shared secret)/(size of user share)
Generalized Secret Sharing• Theorem: In any perfect secret sharing
scheme, for all user shares, (size of user share) ≥ (size of shared secret). In other words, information rate ≤ 1.
• Proof: If not, then not knowing the share of some user that belongs to some B in A would reduce the uncertainly to at most the length of the user share.
• Secret sharing scheme for which the rate is 1 are called ideal.