Introduction to Modern Cryptography, Lecture 11

1
Introduction to Modern Cryptography, Lecture 11

• 1) More about efficient computation Montgomery
  arithmetic, efficient exponentiation
• 2)Secret Sharing schemes

2
Montgomery Reduction

• Let m be a positive integer
• Let R and T be integers such that

The Montgomery reduction of of T modulo m with
respect to R
3
Montgomery Reduction

• Typical use

Compute
4
Montgomery Reduction (cont.)

• Compute

Let
Montgomery reduction of
Montgomery reduction of
Montgomery reduction of
5
Montegomery Reduction (cont)

• Idea rather than compute xy mod m, compute the
  Montgomery reduction of xR and yR mod m which is
  xyR mod m
• This always leaves one extra R
• Worthwhile if Montgomery reduction is faster than
  simple modular reduction

6
Fact

• Given m and R where gcd(m,R)1, let 0 T mR,
  then
• (T (-Tm-1 mod R) m)/R is an integer and
• (T (-Tm-1 mod R) m)/R TR-1 mod m.
• T (-Tm-1 mod R) m T mod m,
• (T (-Tm-1 mod R)m)/R mod m TR-1 mod m
• (-Tm-1 mod R) T(-m-1 mod R) kR,
  m(-m-1 mod R)-1 jR,
• (T (-Tm-1 mod R)m) / R
• (T (T (-m-1 mod R) kR)m) / R
• T((1 -1 jR) kRm) / R
• (Tj km)R / R Tjkm

7
More Facts

• As T lt mR, and (-Tm-1 mod R) lt R, then (T (-Tm-1
  mod R) m)/R lt (mR mR)/R lt 2m.
• Computing -TR-1 mod m can be done with two
  multiplications
• U (-Tm-1 mod R) (if R power of 2, mod R low
  order bits)
• U m
• If R power of 2, division rightshift of high
  order bits for (T Um)/R

8
Example

• m 187, R190, R-1 mod m 125, m-1 mod R 63,
  -m-1 mod R 127
• T563, -T m-1 mod R 185, (T(-T m-1 mod R) m)/R
  188 (TR-1 mod m) m

9
Homework Assignment 3 part 1

• Describe and prove correctness of the binary
  Montgomery reduction algorithm (Handbook of
  Applied Cryptography, page 601, 14.32)
• Implement Montgomery reduction in Maple for 1024
  bit modulii
• Implement Fiat-Shamir in Maple making use of
  Montgomery reduction

10
Exponentiation

• Base 2 left to right
• To compute xe we compute
• S1
• For i1 to j
• S S2
• If ei 1 then SSx,

Worst case j multiplications, j squares Average
case j/2 multiplications, j squares
11
Exponentiation

• Base 2 right to left
• To compute xe we compute
• Ax, S1
• For ij downto 1
• If ei 1 then SSA,
• A A2

Worst case j multiplications, j squares Average
case j/2 multiplications, j squares
12
Exponentiation

• Base b left to right
• To compute xe we compute
• S1
• For i1 to j
• S ((((S2)2)2))2 S to the power 2b
• If ei ?0 then

(precomputed)
Worst case 2bj multiplications, jb log2e
sq Average case 2bj(2b-1)/2b multiplications,
jb sq
For 1024 bit exponent, what is the optimal b?
13
For a log(e) bit exponent?

• log(e)2blog(e)/log(b) multssquares
• 2blog(e)/log(b)
• 2blog(b)log(e)
• bloglog(e)/c
• log(e)2blog(e)/logloglog(e) log(e)
  log(e)1/c log(e)/logloglog(e) log(e)
  o(log(e))

14
Addition chains

• Example 1,2,3,4,7,10
• A list of integers, starting at 1, where the next
  element is the sum of two previous elements
• Addition chain of length 5 for 15
• 1,2,3,6,12,15 (dont count the 1)
• To compute x15, the binary left to right
  exponentiation algorithm computes x, x2, x3, x6,
  x7, x14, x15 (3 mults, 3 squares)
• The addition chain algorithm would compute x, x2,
  x3, x6, x12, x15 (2 mults, 3 squares)
• Finding the optimal addition chain is NP-Hard
• See algorithms in Knuth Volume 2, seminumerical
  algorithms

15
Addition chains (cont.)

• Length of addition chain for n is at least log(n)
  log(wt(n)) (wt(n)log(n)/2 on average)
• Binary left to right exponentiation log(n)
  wt(n)
• Base b left to right exponentiation,
  log(n)2blog(n)/log(b), bloglog(n) /2 implies
  log(n) o(log n)

16
Fixed base exponentiation (E.g., ge mod p)

• Base b,
• Precompute

17
Fixed base exponentiation (E.g., ge mod p)
Base b, number of multiplications
is log(e)/log(b) b. Take bsqrt(log(e)) and the
number of multiplications is O(sqrt(log(e)))
18
New Subject Secret Sharing

• Threshold secret sharing scheme a secret is
  divided amongst n users, but any t amongst them
  can recreate the secret.
• Easy solution split the secret into t random
  shares, and give to every subset of size t out of
  n.
• Every user gets shares

19
Shamirs threshold secret sharing scheme

• Choose a random polynomial over a finite field,
  of degree t-1, with p(0)c0 equal to the secret.
• Give User j the value p(j)
• Any t users can reconstruct p(x) and compute p(0)

20
Generalized Secret Sharing

• P a set of users
• A an access structure, a set of subsets of P
• Perfect secret sharing the shares corresponding
  to each unauthorized subset provide no
  information
• H(SB) 0 for all B in A
• H(SB) H(S) for all B not in A
• The information rate for a user is (size of
  shared secret)/(size of user share)

21
Generalized Secret Sharing

• Theorem In any perfect secret sharing scheme,
  for all user shares, (size of user share) (size
  of shared secret). In other words, information
  rate 1.
• Proof If not, then not knowing the share of some
  user that belongs to some B in A would reduce the
  uncertainly to at most the length of the user
  share.
• Secret sharing scheme for which the rate is 1 are
  called ideal.

22
Homework Assignment 3, part 2

• Arrange n users along a cycle.
• Every two adjacent users should share the secret.
• Construct an ideal scheme for this access
  pattern, if possible. If not, show that an ideal
  scheme is not possible.