Title: Introduction to Modern Cryptography, Lecture 11
Slide 1: Introduction to Modern Cryptography, Lecture 11
- 1) More about efficient computation: Montgomery arithmetic, efficient exponentiation
- 2) Secret sharing schemes
Slide 2: Montgomery Reduction
- Let m be a positive integer
- Let R and T be integers such that
The Montgomery reduction of T modulo m with respect to R
Slide 3: Montgomery Reduction
Compute
Slide 4: Montgomery Reduction (cont.)
Let
Montgomery reduction of
Montgomery reduction of
Montgomery reduction of
Slide 5: Montgomery Reduction (cont.)
- Idea: rather than compute xy mod m, compute the Montgomery reduction of the product of xR and yR mod m, which is xyR mod m. This always leaves one extra factor R.
- Worthwhile if Montgomery reduction is faster than simple modular reduction
Slide 6: Fact
- Given m and R where gcd(m, R) = 1, let 0 ≤ T < mR, then
  - (T + (−T m^{-1} mod R)·m)/R is an integer and
  - (T + (−T m^{-1} mod R)·m)/R ≡ T R^{-1} mod m.
- T + (−T m^{-1} mod R)·m ≡ T mod m,
  so (T + (−T m^{-1} mod R)·m)/R mod m = T R^{-1} mod m
- (−T m^{-1} mod R) = T(−m^{-1} mod R) + kR and m(−m^{-1} mod R) = −1 + jR, so
  (T + (−T m^{-1} mod R)·m)/R
  = (T + (T(−m^{-1} mod R) + kR)·m)/R
  = (T(1 + (−1 + jR)) + kRm)/R
  = (Tj + km)R/R = Tj + km
Slide 7: More Facts
- As T < mR and (−T m^{-1} mod R) < R, then (T + (−T m^{-1} mod R)·m)/R < (mR + mR)/R = 2m.
- Computing T R^{-1} mod m can be done with two multiplications:
  - U = (−T m^{-1} mod R) (if R is a power of 2, mod R = the low-order bits)
  - U·m
- If R is a power of 2, the division is a right shift (keep the high-order bits) for (T + Um)/R
Slide 8: Example
- m = 187, R = 190, R^{-1} mod m = 125, m^{-1} mod R = 63, −m^{-1} mod R = 127
- T = 563, −T m^{-1} mod R = 185, (T + (−T m^{-1} mod R)·m)/R = 188 = (T R^{-1} mod m) + m
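Montgomery reduction exactly as the Fact on slides 6-7 states it, followed by the Montgomery multiplication idea of slide 5, as an added example (not the lecture's own Maple code). It uses the slide's parameters m = 187 and R = 190; the input T = 564 is a constructed value chosen so that the intermediate result lands in [m, 2m) and the final conditional subtraction is exercised.

```python
# Montgomery reduction per slides 6-7 (added example, not the lecture's code).
# m = 187, R = 190 are the slide's parameters; T = 564 is a constructed input
# chosen so that (T + U m)/R lands in [m, 2m), exercising the last subtraction.

def montgomery_reduce_raw(T, m, R):
    """(T + (-T m^{-1} mod R) * m) / R: an integer congruent to T R^{-1} mod m
    and smaller than 2m, using one mod-R reduction, one multiplication and one
    exact division by R (a right shift when R is a power of 2)."""
    assert 0 <= T < m * R, "the Fact needs 0 <= T < mR"
    m_inv = pow(m, -1, R)            # m^{-1} mod R exists because gcd(m, R) = 1
    u = (-T * m_inv) % R             # U = (-T m^{-1} mod R); low-order bits if R = 2^k
    t = T + u * m                    # congruent to T mod m and divisible by R
    assert t % R == 0, "T + U m must be an exact multiple of R"
    return t // R                    # < (mR + mR)/R = 2m

def montgomery_reduce(T, m, R):
    """T R^{-1} mod m: the raw value, minus m once if it is not yet below m."""
    t = montgomery_reduce_raw(T, m, R)
    return t - m if t >= m else t

def montgomery_mul(x, y, m, R):
    """Slide 5: put x, y into Montgomery form xR, yR mod m, reduce their product
    to get xyR mod m (one extra R remains), then strip that last factor of R."""
    xR, yR = x * R % m, y * R % m
    xyR = montgomery_reduce(xR * yR, m, R)     # (xR)(yR) R^{-1} = xyR mod m
    return montgomery_reduce(xyR, m, R)        # xyR * R^{-1} = xy mod m

if __name__ == "__main__":
    m, R, T = 187, 190, 564
    print(montgomery_reduce_raw(T, m, R), montgomery_reduce(T, m, R))   # 188 1
```

The second case in the checks uses R = 256 with the same m, where the mod-R step and the division by R are the bit operations the slide describes.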
Slide 9: Homework Assignment 3, part 1
- Describe and prove correctness of the binary Montgomery reduction algorithm (Handbook of Applied Cryptography, page 601, 14.32)
- Implement Montgomery reduction in Maple for 1024-bit moduli
- Implement Fiat-Shamir in Maple making use of Montgomery reduction
Slide 10: Exponentiation
- Base 2, left to right
- To compute x^e we compute
  - S = 1
  - For i = 1 to j
    - S = S^2
    - If e_i = 1 then S = S·x
Worst case: j multiplications, j squares. Average case: j/2 multiplications, j squares.
Slide 11: Exponentiation
- Base 2, right to left
- To compute x^e we compute
  - A = x, S = 1
  - For i = j downto 1
    - If e_i = 1 then S = S·A
    - A = A^2
Worst case: j multiplications, j squares. Average case: j/2 multiplications, j squares.
Slide 12: Exponentiation
- Base b, left to right
- To compute x^e we compute
  - S = 1
  - For i = 1 to j
    - S = ((((S^2)^2)...)^2) = S to the power 2^b
    - If e_i ≠ 0 then S = S·x^{e_i} (precomputed)
Worst case: 2^b + j multiplications, jb = log2(e) squares. Average case: 2^b + j(2^b − 1)/2^b multiplications, jb squares.
For a 1024-bit exponent, what is the optimal b?
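The three algorithms of slides 10-12 in runnable form, each instrumented so the multiplication and squaring counts can be compared with the worst-case figures on the slides (an added example, not the lecture's own code; the modulus, base and exponents used are constructed values).

```python
# The three exponentiation algorithms of slides 10-12, instrumented to count
# multiplications and squarings (an added example, not the lecture's own code).
# Counts follow the slides, which count the squaring of S = 1 and the first
# multiply by x. Arithmetic is mod m; the m, x and e used are constructed.
class Ops:
    def __init__(self, m):
        self.m, self.mults, self.squares = m, 0, 0
    def mul(self, a, b):              # counted modular multiplication
        self.mults += 1; return a * b % self.m
    def sqr(self, a):                 # counted modular squaring
        self.squares += 1; return a * a % self.m

def left_to_right(x, e, ops):
    """Slide 10: bits e_1..e_j from the top; S = S^2, then S = S*x if e_i = 1."""
    s = 1
    for ei in bin(e)[2:]:
        s = ops.sqr(s)
        if ei == "1":
            s = ops.mul(s, x)
    return s

def right_to_left(x, e, ops):
    """Slide 11: bits e_j..e_1 from the bottom; S = S*A if e_i = 1, then A = A^2."""
    a, s = x, 1
    for ei in reversed(bin(e)[2:]):
        if ei == "1":
            s = ops.mul(s, a)
        a = ops.sqr(a)
    return s

def left_to_right_window(x, e, ops, b):
    """Slide 12: e in base 2^b; table of x^d (2^b - 2 multiplies), then per digit
    b squarings (S = S^(2^b)) and one table multiply if the digit is nonzero."""
    table = [1, x]
    for _ in range(2, 2 ** b):
        table.append(ops.mul(table[-1], x))
    digits = []
    while e:
        digits.append(e % 2 ** b)
        e //= 2 ** b
    s = 1
    for d in reversed(digits):               # most significant digit first
        for _ in range(b):
            s = ops.sqr(s)
        if d:
            s = ops.mul(s, table[d])
    return s

def run(algorithm, x, e, m, *extra):
    """Return (x^e mod m, multiplications, squarings) for one algorithm."""
    ops = Ops(m)
    return algorithm(x, e, ops, *extra), ops.mults, ops.squares
```

For e = 15 the window method with b = 4 spends 14 of its 15 multiplications on the table, which is the trade-off behind the question of the optimal b for a long exponent.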
Slide 13: For a log(e)-bit exponent?
- log(e) + 2^b + log(e)/log(b) mults + squares
- 2^b = log(e)/log(b)
- 2^b log(b) = log(e)
- b = loglog(e)/c
- log(e) + 2^b + log(e)/logloglog(e) = log(e) + log(e)^{1/c} + log(e)/logloglog(e) = log(e) + o(log(e))
Slide 14: Addition chains
- Example: 1, 2, 3, 4, 7, 10
- A list of integers, starting at 1, where the next element is the sum of two previous elements
- Addition chain of length 5 for 15
  - 1, 2, 3, 6, 12, 15 (don't count the 1)
- To compute x^15, the binary left to right exponentiation algorithm computes x, x^2, x^3, x^6, x^7, x^14, x^15 (3 mults, 3 squares)
- The addition chain algorithm would compute x, x^2, x^3, x^6, x^12, x^15 (2 mults, 3 squares)
- Finding the optimal addition chain is NP-Hard
- See algorithms in Knuth Volume 2, Seminumerical Algorithms
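Evaluating x^n along an addition chain, as an added example (not the lecture's code): the chain is first validated (every element after the 1 must be the sum of two earlier elements), then x^n is computed step by step, counting a squaring when the two summands coincide and a multiplication otherwise, so the slide's counts for 15 can be reproduced. The chains used are the slide's own examples; the base and modulus are constructed.

```python
# Evaluating x^n along an addition chain, as an added example (not the lecture's
# code). A chain step a_k = a_i + a_j costs a squaring when i == j and a
# multiplication otherwise; the chains tested below are the slide's own examples.

def chain_steps(chain):
    """For a valid chain [1, a_2, ..., a_r], return for each a_k (k >= 1) the
    indices (i, j), i <= j, of earlier elements with a_i + a_j == a_k, preferring
    a squaring (i == j). Raises ValueError if the list is not an addition chain."""
    if not chain or chain[0] != 1:
        raise ValueError("an addition chain starts at 1")
    steps = []
    for k in range(1, len(chain)):
        earlier, a = chain[:k], chain[k]
        if a % 2 == 0 and a // 2 in earlier:        # a = a_i + a_i: a squaring
            i = earlier.index(a // 2)
            steps.append((i, i))
            continue
        pairs = [(i, j) for i in range(k) for j in range(i, k)
                 if earlier[i] + earlier[j] == a]
        if not pairs:
            raise ValueError(f"{a} is not the sum of two earlier chain elements")
        steps.append(pairs[0])
    return steps

def is_addition_chain(chain):
    try:
        chain_steps(chain)
        return True
    except ValueError:
        return False

def power_by_chain(x, chain, m):
    """Return (x^chain[-1] mod m, multiplications, squarings) along the chain."""
    powers, mults, squares = [x % m], 0, 0
    for i, j in chain_steps(chain):
        powers.append(powers[i] * powers[j] % m)
        if i == j:
            squares += 1
        else:
            mults += 1
    return powers[-1], mults, squares

def binary_left_to_right_cost(n):
    """Cost of binary left-to-right exponentiation as counted on slide 14:
    wt(n) - 1 multiplications and bitlength(n) - 1 squarings."""
    return bin(n).count("1") - 1, n.bit_length() - 1
```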
Slide 15: Addition chains (cont.)
- Length of an addition chain for n is at least log(n) + log(wt(n)) (wt(n) = log(n)/2 on average)
- Binary left to right exponentiation: log(n) + wt(n)
- Base b left to right exponentiation: log(n) + 2^b + log(n)/log(b); b = loglog(n)/2 implies log(n) + o(log n)
Slide 16: Fixed base exponentiation (E.g., g^e mod p)
Slide 17: Fixed base exponentiation (E.g., g^e mod p)
Base b, number of multiplications is log(e)/log(b) + b. Take b = sqrt(log(e)) and the number of multiplications is O(sqrt(log(e)))
Slide 18: New Subject: Secret Sharing
- Threshold secret sharing scheme: a secret is divided amongst n users, but any t amongst them can recreate the secret.
- Easy solution: split the secret into t random shares, and give them to every subset of size t out of n.
- Every user gets shares
Slide 19: Shamir's threshold secret sharing scheme
- Choose a random polynomial over a finite field, of degree t−1, with p(0) = c_0 equal to the secret.
- Give user j the value p(j)
- Any t users can reconstruct p(x) and compute p(0)
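Shamir's scheme as described on this slide, as an added example (not the lecture's own code): share generation from a random degree-(t−1) polynomial with p(0) = secret, reconstruction of p(0) by Lagrange interpolation from any t shares, and a function showing why t−1 shares give no information (every candidate secret is consistent with some legitimate share for the missing user). The field prime P and the secret values are constructed choices.

```python
# Shamir's (t, n) threshold scheme over GF(p), as an added example (not the
# lecture's own code). P and the secrets are constructed choices; the scheme is
# as on the slide: p(0) = secret and user j receives p(j).
import secrets

P = 2**127 - 1   # field size (a Mersenne prime); secrets and shares are residues mod P

def make_shares(secret, t, n, p=P):
    """Random polynomial of degree t-1 with constant term `secret`; share j is (j, p(j))."""
    assert 0 <= secret < p and 1 <= t <= n < p
    coeffs = [secret] + [secrets.randbelow(p) for _ in range(t - 1)]
    def poly(x):
        return sum(c * pow(x, k, p) for k, c in enumerate(coeffs)) % p
    return [(j, poly(j)) for j in range(1, n + 1)]

def interpolate_at(points, x0, p=P):
    """Lagrange interpolation mod p: the value at x0 of the unique polynomial of
    degree < len(points) passing through the given (x, y) points."""
    total = 0
    for i, (xi, yi) in enumerate(points):
        num = den = 1
        for j, (xj, _) in enumerate(points):
            if i != j:
                num = num * (x0 - xj) % p
                den = den * (xi - xj) % p
        total = (total + yi * num * pow(den, -1, p)) % p
    return total

def reconstruct(shares, p=P):
    """Any t shares fix the degree-(t-1) polynomial, hence the secret p(0)."""
    return interpolate_at(shares, 0, p)

def share_if_secret_were(known, candidate, j, p=P):
    """Given only t-1 shares, the value user j would hold if the secret were
    `candidate`. Every candidate yields a legitimate share, which is why t-1
    users gain no information about p(0)."""
    return interpolate_at([(0, candidate)] + list(known), j, p)
```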
Slide 20: Generalized Secret Sharing
- P: a set of users
- A: an access structure, a set of subsets of P
- Perfect secret sharing: the shares corresponding to each unauthorized subset provide no information
  - H(S|B) = 0 for all B in A
  - H(S|B) = H(S) for all B not in A
- The information rate for a user is (size of shared secret)/(size of user share)
Slide 21: Generalized Secret Sharing
- Theorem: In any perfect secret sharing scheme, for all user shares, (size of user share) ≥ (size of shared secret). In other words, information rate ≤ 1.
- Proof: If not, then not knowing the share of some user that belongs to some B in A would reduce the uncertainty to at most the length of the user share.
- Secret sharing schemes for which the rate is 1 are called ideal.
Slide 22: Homework Assignment 3, part 2
- Arrange n users along a cycle.
- Every two adjacent users should share the secret.
- Construct an ideal scheme for this access pattern, if possible. If not, show that an ideal scheme is not possible.