Presentation is loading. Please wait.

Presentation is loading. Please wait.

Introduction to Modern Cryptography, Lecture 11 1) More about efficient computation: Montgomery arithmetic, efficient exponentiation 2)Secret Sharing schemes.

Published byReynaldo Coy Modified over 9 years ago

Similar presentations

Presentation on theme: "Introduction to Modern Cryptography, Lecture 11 1) More about efficient computation: Montgomery arithmetic, efficient exponentiation 2)Secret Sharing schemes."— Presentation transcript:

1 Introduction to Modern Cryptography, Lecture 11 1) More about efficient computation: Montgomery arithmetic, efficient exponentiation 2)Secret Sharing schemes

2 Montgomery Reduction Let m be a positive integer Let R and T be integers such that The Montgomery reduction of of T modulo m with respect to R :

3 Montgomery Reduction Typical use: Compute

4 Montgomery Reduction (cont.) Compute Montgomery reduction of Let

5 Montegomery Reduction (cont) Idea: rather than compute xy mod m, compute the Montgomery reduction of xR and yR mod m which is xyR mod m This always leaves one extra “ R ” Worthwhile if Montgomery reduction is faster than simple modular reduction

6 Fact Given m and R where gcd(m,R)=1, let 0 ≤ T ≤ mR, then: 1. (T + (-Tm -1 mod R) m)/R is an integer and 2. (T + (-Tm -1 mod R) m)/R =TR -1 mod m. 2.T+ (-Tm -1 mod R) m = T mod m, (T+ (-Tm -1 mod R)m)/R mod m= TR -1 mod m 1.(-Tm -1 mod R) = T(-m -1 mod R) + kR, m(-m -1 mod R)=-1 + jR, (T + (-Tm -1 mod R)m) / R = (T + (T (-m -1 mod R) + kR)m) / R = T((1 + -1 + jR) + kRm) / R = (Tj + km)R / R = Tj+km

7 More Facts As T < mR, and (-Tm -1 mod R) < R, then (T+ (-Tm -1 mod R) m)/R < (mR + mR)/R < 2m. Computing -TR -1 mod m can be done with two multiplications: –U = (-Tm -1 mod R) (if R = power of 2, mod R = low order bits) –U m If R = power of 2, division = rightshift of high order bits for (T + Um)/R

8 Example m = 187, R=190, R -1 mod m = 125, m -1 mod R = 63, -m -1 mod R = 127 T=563, -T m -1 mod R = 185, (T+(-T m -1 mod R) m)/R = 188 = (TR -1 mod m) + m

9 Homework Assignment 3 part 1 Describe and prove correctness of the binary Montgomery reduction algorithm (Handbook of Applied Cryptography, page 601, 14.32) Implement Montgomery reduction in Maple for 1024 bit modulii Implement Fiat-Shamir in Maple making use of Montgomery reduction

10 Exponentiation Base 2 left to right: -To compute x e we compute -S=1 -For i=1 to j -S = S 2 -If e i =1 then S=Sx, Worst case: j multiplications, j squares “ Average case ” : j/2 multiplications, j squares

11 Exponentiation Base 2 right to left: -To compute x e we compute -A=x, S=1 -For i=j downto 1 -If e i =1 then S=SA, -A = A 2 Worst case: j multiplications, j squares “ Average case ” : j/2 multiplications, j squares

12 Exponentiation Base b left to right: -To compute x e we compute -S=1 -For i=1 to j -S = ( … (((S 2 ) 2 ) 2 ) … ) 2 S to the power 2 b -If e i ≠0 then Worst case: 2 b +j multiplications, jb = log 2 e sq “ Average case ” : 2 b +j(2 b -1)/2 b multiplications, jb sq (precomputed) For 1024 bit exponent, what is the optimal b?

13 For a log(e) bit exponent? log(e)+2 b +log(e)/log(b) mults+squares –2 b =log(e)/log(b) –2 b log(b)=log(e) –b≈loglog(e)/c –log(e)+2 b +log(e)/logloglog(e) = log(e) + log(e) 1/c + log(e)/logloglog(e) = log(e) + o(log(e))

14 Addition chains Example: 1,2,3,4,7,10 A list of integers, starting at 1, where the next element is the sum of two previous elements Addition chain of length 5 for 15: –1,2,3,6,12,15 (don ’ t count the 1) To compute x 15, the binary left to right exponentiation algorithm computes: x, x 2, x 3, x 6, x 7, x 14, x 15 (3 mults, 3 squares) The addition chain algorithm would compute x, x 2, x 3, x 6, x 12, x 15 (2 mults, 3 squares) Finding the optimal addition chain is NP-Hard See algorithms in Knuth Volume 2, seminumerical algorithms

15 Addition chains (cont.) Length of addition chain for n is at least log(n) + log(wt(n)) (wt(n)≈log(n)/2 on “average”) Binary left to right exponentiation: log(n) + wt(n) Base b left to right exponentiation, log(n)+2 b +log(n)/log(b), b=loglog(n) /2 implies log(n) + o(log n)

16 Fixed base exponentiation (E.g., g e mod p) Base b, Precompute

17 Fixed base exponentiation (E.g., g e mod p) Base b, number of multiplications is log(e)/log(b) + b. Take b=sqrt(log(e)) and the number of multiplications is O(sqrt(log(e)))

18 New Subject: Secret Sharing Threshold secret sharing scheme: a secret is divided amongst n users, but any t amongst them can recreate the secret. Easy solution: split the secret into t random shares, and give to every subset of size t out of n. Every user gets shares

19 Shamir ’ s threshold secret sharing scheme Choose a random polynomial over a finite field, of degree t-1, with p(0)=c 0 equal to the secret. Give User j the value p(j) Any t users can reconstruct p(x) and compute p(0)

20 Generalized Secret Sharing P – a set of users A – an access structure, a set of subsets of P Perfect secret sharing – the shares corresponding to each unauthorized subset provide no information –H(S|B) = 0 for all B in A –H(S|B) = H(S) for all B not in A The information rate for a user is (size of shared secret)/(size of user share)

21 Generalized Secret Sharing Theorem: In any perfect secret sharing scheme, for all user shares, (size of user share) ≥ (size of shared secret). In other words, information rate ≤ 1. Proof: If not, then not knowing the share of some user that belongs to some B in A would reduce the uncertainly to at most the length of the user share. Secret sharing scheme for which the rate is 1 are called ideal.

22 Homework Assignment 3, part 2 Arrange n users along a cycle. Every two adjacent users should share the secret. Construct an ideal scheme for this access pattern, if possible. If not, show that an ideal scheme is not possible.

Download ppt "Introduction to Modern Cryptography, Lecture 11 1) More about efficient computation: Montgomery arithmetic, efficient exponentiation 2)Secret Sharing schemes."

Similar presentations

Models of Computation Prepared by John Reif, Ph.D. Distinguished Professor of Computer Science Duke University Analysis of Algorithms Week 1, Lecture 2.

Models of Computation Prepared by John Reif, Ph.D. Distinguished Professor of Computer Science Duke University Analysis of Algorithms Week 1, Lecture 2.
Mathematics of Cryptography Part II: Algebraic Structures

Mathematics of Cryptography Part II: Algebraic Structures
Chapter 4 Finite Fields. Introduction of increasing importance in cryptography –AES, Elliptic Curve, IDEA, Public Key concern operations on “numbers”

Chapter 4 Finite Fields. Introduction of increasing importance in cryptography –AES, Elliptic Curve, IDEA, Public Key concern operations on “numbers”
Chapter 4 – Finite Fields. Introduction will now introduce finite fields of increasing importance in cryptography –AES, Elliptic Curve, IDEA, Public Key.

Chapter 4 – Finite Fields. Introduction will now introduce finite fields of increasing importance in cryptography –AES, Elliptic Curve, IDEA, Public Key.
Theory of Computing Lecture 3 MAS 714 Hartmut Klauck.

Theory of Computing Lecture 3 MAS 714 Hartmut Klauck.
Bounds on Code Length Theorem: Let l ∗ 1, l ∗ 2,..., l ∗ m be optimal codeword lengths for a source distribution p and a D-ary alphabet, and let L ∗ be.

Bounds on Code Length Theorem: Let l ∗ 1, l ∗ 2,..., l ∗ m be optimal codeword lengths for a source distribution p and a D-ary alphabet, and let L ∗ be.
Computability and Complexity

Computability and Complexity
Number Theory and Cryptography

Number Theory and Cryptography
Notation Intro. Number Theory Online Cryptography Course Dan Boneh

Notation Intro. Number Theory Online Cryptography Course Dan Boneh
15-251 Great Theoretical Ideas in Computer Science.

Great Theoretical Ideas in Computer Science.
Computational problems, algorithms, runtime, hardness

Computational problems, algorithms, runtime, hardness
1 Efficient Algorithms for Elliptic Curve Cryptosystems Original article by Jorge Guajardo and Christof Paar Of WPI ECE Department Presentation by Curtis.

1 Efficient Algorithms for Elliptic Curve Cryptosystems Original article by Jorge Guajardo and Christof Paar Of WPI ECE Department Presentation by Curtis.
Factoring 1 Factoring Factoring 2 Factoring  Security of RSA algorithm depends on (presumed) difficulty of factoring o Given N = pq, find p or q and.

Factoring 1 Factoring Factoring 2 Factoring  Security of RSA algorithm depends on (presumed) difficulty of factoring o Given N = pq, find p or q and.
Introduction to Modern Cryptography Homework assignments.

Introduction to Modern Cryptography Homework assignments.
Introduction to Modern Cryptography, Lecture 10 Performance Improvements: Fast Arithmetic, Montegomery representation, Batch RSA, Elliptic Curves.

Introduction to Modern Cryptography, Lecture 10 Performance Improvements: Fast Arithmetic, Montegomery representation, Batch RSA, Elliptic Curves.
Secret Sharing Algorithms

Secret Sharing Algorithms
Introduction Polynomials

Introduction Polynomials
Cryptography & Number Theory

Cryptography & Number Theory
Cryptography1 CPSC 3730 Cryptography Chapter 9 Public Key Cryptography and RSA.

Cryptography1 CPSC 3730 Cryptography Chapter 9 Public Key Cryptography and RSA.
CSE 321 Discrete Structures Winter 2008 Lecture 8 Number Theory: Modular Arithmetic.

CSE 321 Discrete Structures Winter 2008 Lecture 8 Number Theory: Modular Arithmetic.

Similar presentations

Ads by Google