210 likes | 337 Views
Introduction to Modern Cryptography, Lecture 11. 1) More about efficient computation: Montgomery arithmetic, efficient exponentiation 2)Secret Sharing schemes. Montgomery Reduction. Let m be a positive integer Let R and T be integers such that.
E N D
Introduction to Modern Cryptography, Lecture 11 1) More about efficient computation: Montgomery arithmetic, efficient exponentiation 2)Secret Sharing schemes
Montgomery Reduction • Let m be a positive integer • Let R and T be integers such that The Montgomery reduction of of T modulo m with respect to R :
Montgomery Reduction • Typical use: Compute
Montgomery Reduction (cont.) Compute Let Montgomery reduction of Montgomery reduction of Montgomery reduction of
Montegomery Reduction (cont) • Idea: rather than compute xy mod m, compute the Montgomery reduction of xR and yR mod m which is xyR mod m • This always leaves one extra “R” • Worthwhile if Montgomery reduction is faster than simple modular reduction
Fact • Given m and R where gcd(m,R)=1, let 0 ≤ T ≤ mR, then: • (T + (-Tm-1mod R) m)/R is an integer and • (T + (-Tm-1mod R) m)/R =TR-1 mod m. • T+ (-Tm-1mod R) m = T mod m, (T+(-Tm-1mod R)m)/R mod m= TR-1 mod m • (-Tm-1mod R) = T(-m-1 mod R) + kR, m(-m-1 mod R)=-1 + jR, (T + (-Tm-1mod R)m) / R = (T + (T (-m-1 mod R) + kR)m) / R = T((1 + -1 + jR) + kRm) / R = (Tj + km)R / R = Tj+km
More Facts • As T < mR, and (-Tm-1 mod R)< R, then (T+ (-Tm-1 mod R) m)/R < (mR + mR)/R < 2m. • Computing -TR-1 mod m can be done with two multiplications: • U = (-Tm-1 mod R)(if R = power of 2, mod R = low order bits) • U m • If R = power of 2, division = rightshift of high order bits for (T + Um)/R
Example • m = 187, R=190, R-1 mod m = 125, m-1 mod R = 63, -m-1 mod R = 127 • T=563, -T m-1 mod R = 185, (T+(-T m-1 mod R) m)/R = 188 = (TR-1 mod m) + m
Homework Assignment 3 part 1 • Describe and prove correctness of the binary Montgomery reduction algorithm (Handbook of Applied Cryptography, page 601, 14.32) • Implement Montgomery reduction in Maple for 1024 bit modulii • Implement Fiat-Shamir in Maple making use of Montgomery reduction
Exponentiation • Base 2 left to right: • To compute xe we compute • S=1 • For i=1 to j • S = S2 • If ei =1 then S=Sx, Worst case: j multiplications, j squares “Average case”: j/2 multiplications, j squares
Exponentiation • Base 2 right to left: • To compute xe we compute • A=x, S=1 • For i=j downto 1 • If ei =1 then S=SA, • A = A2 Worst case: j multiplications, j squares “Average case”: j/2 multiplications, j squares
Exponentiation • Base b left to right: • To compute xe we compute • S=1 • For i=1 to j • S = (…(((S2)2)2)…)2 S to the power 2b • If ei ≠0 then (precomputed) Worst case: 2b+j multiplications, jb = log2e sq “Average case”: 2b+j(2b-1)/2b multiplications, jb sq For 1024 bit exponent, what is the optimal b?
For a log(e) bit exponent? • log(e)+2b+log(e)/log(b)mults+squares • 2b=log(e)/log(b) • 2blog(b)=log(e) • b≈loglog(e)/c • log(e)+2b+log(e)/logloglog(e)= log(e) + log(e)1/c + log(e)/logloglog(e) = log(e) + o(log(e))
Addition chains • Example: 1,2,3,4,7,10 • A list of integers, starting at 1, where the next element is the sum of two previous elements • Addition chain of length 5 for 15: • 1,2,3,6,12,15 (don’t count the 1) • To compute x15, the binary left to right exponentiation algorithm computes: x, x2, x3, x6, x7, x14, x15 (3 mults, 3 squares) • The addition chain algorithm would compute x, x2, x3, x6, x12, x15 (2 mults, 3 squares) • Finding the optimal addition chain is NP-Hard • See algorithms in Knuth Volume 2, seminumerical algorithms
Addition chains (cont.) • Length of addition chain for n is at least log(n) + log(wt(n)) (wt(n)≈log(n)/2 on “average”) • Binary left to right exponentiation: log(n) + wt(n) • Base b left to right exponentiation, log(n)+2b+log(n)/log(b), b=loglog(n) /2 implies log(n) + o(log n)
Fixed base exponentiation (E.g., ge mod p) • Base b, • Precompute
Fixed base exponentiation (E.g., ge mod p) Base b, number of multiplications is log(e)/log(b) + b. Take b=sqrt(log(e)) and the number of multiplications is O(sqrt(log(e)))
New Subject: Secret Sharing • Threshold secret sharing scheme: a secret is divided amongst n users, but any t amongst them can recreate the secret. • Easy solution: split the secret into t random shares, and give to every subset of size t out of n. • Every user gets shares
Shamir’s threshold secret sharing scheme • Choose a random polynomial over a finite field, of degree t-1, with p(0)=c0 equal to the secret. • Give User j the value p(j) • Any t users can reconstruct p(x) and compute p(0)
Generalized Secret Sharing • P – a set of users • A – an access structure, a set of subsets of P • Perfect secret sharing – the shares corresponding to each unauthorized subset provide no information • H(S|B) = 0 for all B in A • H(S|B) = H(S) for all B not in A • The information rate for a user is (size of shared secret)/(size of user share)
Generalized Secret Sharing • Theorem: In any perfect secret sharing scheme, for all user shares, (size of user share) ≥ (size of shared secret). In other words, information rate ≤ 1. • Proof: If not, then not knowing the share of some user that belongs to some B in A would reduce the uncertainly to at most the length of the user share. • Secret sharing scheme for which the rate is 1 are called ideal.