1 / 21

Introduction to Modern Cryptography, Lecture 11

Introduction to Modern Cryptography, Lecture 11. 1) More about efficient computation: Montgomery arithmetic, efficient exponentiation 2)Secret Sharing schemes. Montgomery Reduction. Let m be a positive integer Let R and T be integers such that.

ghamilton
Télécharger la présentation

Introduction to Modern Cryptography, Lecture 11

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Introduction to Modern Cryptography, Lecture 11 1) More about efficient computation: Montgomery arithmetic, efficient exponentiation 2)Secret Sharing schemes

  2. Montgomery Reduction • Let m be a positive integer • Let R and T be integers such that The Montgomery reduction of of T modulo m with respect to R :

  3. Montgomery Reduction • Typical use: Compute

  4. Montgomery Reduction (cont.) Compute Let Montgomery reduction of Montgomery reduction of Montgomery reduction of

  5. Montegomery Reduction (cont) • Idea: rather than compute xy mod m, compute the Montgomery reduction of xR and yR mod m which is xyR mod m • This always leaves one extra “R” • Worthwhile if Montgomery reduction is faster than simple modular reduction

  6. Fact • Given m and R where gcd(m,R)=1, let 0 ≤ T ≤ mR, then: • (T + (-Tm-1mod R) m)/R is an integer and • (T + (-Tm-1mod R) m)/R =TR-1 mod m. • T+ (-Tm-1mod R) m = T mod m, (T+(-Tm-1mod R)m)/R mod m= TR-1 mod m • (-Tm-1mod R) = T(-m-1 mod R) + kR, m(-m-1 mod R)=-1 + jR, (T + (-Tm-1mod R)m) / R = (T + (T (-m-1 mod R) + kR)m) / R = T((1 + -1 + jR) + kRm) / R = (Tj + km)R / R = Tj+km

  7. More Facts • As T < mR, and (-Tm-1 mod R)< R, then (T+ (-Tm-1 mod R) m)/R < (mR + mR)/R < 2m. • Computing -TR-1 mod m can be done with two multiplications: • U = (-Tm-1 mod R)(if R = power of 2, mod R = low order bits) • U m • If R = power of 2, division = rightshift of high order bits for (T + Um)/R

  8. Example • m = 187, R=190, R-1 mod m = 125, m-1 mod R = 63, -m-1 mod R = 127 • T=563, -T m-1 mod R = 185, (T+(-T m-1 mod R) m)/R = 188 = (TR-1 mod m) + m

  9. Homework Assignment 3 part 1 • Describe and prove correctness of the binary Montgomery reduction algorithm (Handbook of Applied Cryptography, page 601, 14.32) • Implement Montgomery reduction in Maple for 1024 bit modulii • Implement Fiat-Shamir in Maple making use of Montgomery reduction

  10. Exponentiation • Base 2 left to right: • To compute xe we compute • S=1 • For i=1 to j • S = S2 • If ei =1 then S=Sx, Worst case: j multiplications, j squares “Average case”: j/2 multiplications, j squares

  11. Exponentiation • Base 2 right to left: • To compute xe we compute • A=x, S=1 • For i=j downto 1 • If ei =1 then S=SA, • A = A2 Worst case: j multiplications, j squares “Average case”: j/2 multiplications, j squares

  12. Exponentiation • Base b left to right: • To compute xe we compute • S=1 • For i=1 to j • S = (…(((S2)2)2)…)2 S to the power 2b • If ei ≠0 then (precomputed) Worst case: 2b+j multiplications, jb = log2e sq “Average case”: 2b+j(2b-1)/2b multiplications, jb sq For 1024 bit exponent, what is the optimal b?

  13. For a log(e) bit exponent? • log(e)+2b+log(e)/log(b)mults+squares • 2b=log(e)/log(b) • 2blog(b)=log(e) • b≈loglog(e)/c • log(e)+2b+log(e)/logloglog(e)= log(e) + log(e)1/c + log(e)/logloglog(e) = log(e) + o(log(e))

  14. Addition chains • Example: 1,2,3,4,7,10 • A list of integers, starting at 1, where the next element is the sum of two previous elements • Addition chain of length 5 for 15: • 1,2,3,6,12,15 (don’t count the 1) • To compute x15, the binary left to right exponentiation algorithm computes: x, x2, x3, x6, x7, x14, x15 (3 mults, 3 squares) • The addition chain algorithm would compute x, x2, x3, x6, x12, x15 (2 mults, 3 squares) • Finding the optimal addition chain is NP-Hard • See algorithms in Knuth Volume 2, seminumerical algorithms

  15. Addition chains (cont.) • Length of addition chain for n is at least log(n) + log(wt(n)) (wt(n)≈log(n)/2 on “average”) • Binary left to right exponentiation: log(n) + wt(n) • Base b left to right exponentiation, log(n)+2b+log(n)/log(b), b=loglog(n) /2 implies log(n) + o(log n)

  16. Fixed base exponentiation (E.g., ge mod p) • Base b, • Precompute

  17. Fixed base exponentiation (E.g., ge mod p) Base b, number of multiplications is log(e)/log(b) + b. Take b=sqrt(log(e)) and the number of multiplications is O(sqrt(log(e)))

  18. New Subject: Secret Sharing • Threshold secret sharing scheme: a secret is divided amongst n users, but any t amongst them can recreate the secret. • Easy solution: split the secret into t random shares, and give to every subset of size t out of n. • Every user gets shares

  19. Shamir’s threshold secret sharing scheme • Choose a random polynomial over a finite field, of degree t-1, with p(0)=c0 equal to the secret. • Give User j the value p(j) • Any t users can reconstruct p(x) and compute p(0)

  20. Generalized Secret Sharing • P – a set of users • A – an access structure, a set of subsets of P • Perfect secret sharing – the shares corresponding to each unauthorized subset provide no information • H(S|B) = 0 for all B in A • H(S|B) = H(S) for all B not in A • The information rate for a user is (size of shared secret)/(size of user share)

  21. Generalized Secret Sharing • Theorem: In any perfect secret sharing scheme, for all user shares, (size of user share) ≥ (size of shared secret). In other words, information rate ≤ 1. • Proof: If not, then not knowing the share of some user that belongs to some B in A would reduce the uncertainly to at most the length of the user share. • Secret sharing scheme for which the rate is 1 are called ideal.

More Related