Published by Reynaldo Coy. Modified over 2 years ago.

1
Introduction to Modern Cryptography, Lecture 11
1) More about efficient computation: Montgomery arithmetic, efficient exponentiation
2) Secret Sharing schemes

2
Montgomery Reduction Let m be a positive integer Let R and T be integers such that The Montgomery reduction of T modulo m with respect to R :

3
Montgomery Reduction Typical use: Compute

4
Montgomery Reduction (cont.) Compute Montgomery reduction of Let

5
Montgomery Reduction (cont.)
Idea: rather than compute xy mod m, compute the Montgomery reduction of the product of xR mod m and yR mod m, which is xyR mod m.
This always leaves one extra “R”.
Worthwhile if Montgomery reduction is faster than simple modular reduction.

6
Fact
Given m and R where $\gcd(m,R)=1$, let $0 \le T \le mR$, then:
1. $(T + (-Tm^{-1} \bmod R)\,m)/R$ is an integer, and
2. $(T + (-Tm^{-1} \bmod R)\,m)/R \equiv TR^{-1} \pmod m$.
Proof of 2: $T + (-Tm^{-1} \bmod R)\,m \equiv T \pmod m$, so $(T + (-Tm^{-1} \bmod R)\,m)/R \equiv TR^{-1} \pmod m$.
Proof of 1: $(-Tm^{-1} \bmod R) = T(-m^{-1} \bmod R) + kR$ and $m(-m^{-1} \bmod R) = -1 + jR$, so
$(T + (-Tm^{-1} \bmod R)\,m)/R = (T + (T(-m^{-1} \bmod R) + kR)\,m)/R = (T(1 + (-1) + jR) + kRm)/R = (Tj + km)R/R = Tj + km$

7
More Facts
As $T < mR$ and $(-Tm^{-1} \bmod R) < R$, we have $(T + (-Tm^{-1} \bmod R)\,m)/R < (mR + mR)/R = 2m$.
Computing $TR^{-1} \bmod m$ can be done with two multiplications:
– $U = (-Tm^{-1} \bmod R)$ (if R is a power of 2, mod R = low-order bits)
– $Um$
If R is a power of 2, the division in $(T + Um)/R$ is a right shift that keeps the high-order bits.

8
Example
$m = 187$, $R = 190$, $R^{-1} \bmod m = 125$, $m^{-1} \bmod R = 63$, $-m^{-1} \bmod R = 127$
$T = 563$, $-Tm^{-1} \bmod R = 185$, $(T + (-Tm^{-1} \bmod R)\,m)/R = 188 = (TR^{-1} \bmod m) + m$
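The reduction and the "one extra R" idea from the slides above, as an added Python example (not part of the lecture). It assumes R is a power of two, R = 2^k, so that "mod R" is a mask and "/R" is a shift; the class and function names are hypothetical, and the demo uses m = 187 from the lecture with R = 2^8 instead of 190.

```python
class Montgomery:
    """Montgomery arithmetic modulo an odd m with R = 2**k (hypothetical helper)."""

    def __init__(self, m, k):
        if m % 2 == 0 or not 0 < m < (1 << k):
            raise ValueError("need odd m with m < R = 2**k, so gcd(m, R) = 1")
        self.m, self.k = m, k
        self.mask = (1 << k) - 1                            # x & mask == x mod R
        self.neg_m_inv = (-pow(m, -1, 1 << k)) & self.mask  # -m^{-1} mod R
        self.r2 = pow(1 << k, 2, m)                         # R^2 mod m

    def redc(self, T):
        """Return T * R^{-1} mod m for 0 <= T < m*R."""
        U = ((T & self.mask) * self.neg_m_inv) & self.mask  # multiplication 1
        t = (T + U * self.m) >> self.k                      # multiplication 2, exact division by R
        return t - self.m if t >= self.m else t             # t < 2m: one subtraction suffices

    def to_mont(self, x):
        return self.redc((x % self.m) * self.r2)            # x*R mod m

    def mul(self, a, b):
        return self.redc(a * b)                             # (xR)(yR)R^{-1} = xyR mod m

    def from_mont(self, a):
        return self.redc(a)                                 # strips the extra R


def mont_pow(ctx, x, e):
    """x**e mod m by left-to-right square-and-multiply, staying in Montgomery form."""
    s, xm = ctx.to_mont(1), ctx.to_mont(x)
    for bit in bin(e)[2:]:
        s = ctx.mul(s, s)
        if bit == "1":
            s = ctx.mul(s, xm)
    return ctx.from_mont(s)


if __name__ == "__main__":
    ctx = Montgomery(187, 8)   # m = 187 from the lecture; R = 2**8 is an assumption
    print(ctx.redc(563), 563 * pow(256, -1, 187) % 187)
    print(mont_pow(ctx, 5, 117), pow(5, 117, 187))
```

Only the conversions into and out of Montgomery form use an ordinary modular reduction; every multiplication inside the exponentiation loop goes through `redc`.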

9
Homework Assignment 3 part 1
Describe and prove correctness of the binary Montgomery reduction algorithm (Handbook of Applied Cryptography, page 601, 14.32)
Implement Montgomery reduction in Maple for 1024 bit moduli
Implement Fiat-Shamir in Maple making use of Montgomery reduction

10
Exponentiation
Base 2 left to right:
- To compute $x^e$ we compute
- $S = 1$
- For $i = 1$ to $j$
  - $S = S^2$
  - If $e_i = 1$ then $S = Sx$
Worst case: j multiplications, j squares
“Average case”: j/2 multiplications, j squares

11
Exponentiation
Base 2 right to left:
- To compute $x^e$ we compute
- $A = x$, $S = 1$
- For $i = j$ downto 1
  - If $e_i = 1$ then $S = SA$
  - $A = A^2$
Worst case: j multiplications, j squares
“Average case”: j/2 multiplications, j squares

12
Exponentiation
Base b left to right:
- To compute $x^e$ we compute
- $S = 1$
- For $i = 1$ to $j$
  - $S = (\ldots(((S^2)^2)^2)\ldots)^2$ (S to the power $2^b$)
  - If $e_i \ne 0$ then
Worst case: $2^b + j$ multiplications, $jb = \log_2 e$ sq
“Average case”: $2^b + j(2^b - 1)/2^b$ multiplications, $jb$ sq (precomputed)
For 1024 bit exponent, what is the optimal b?

13
For a log(e) bit exponent?
$\log(e) + 2^b + \log(e)/\log(b)$ mults+squares
– $2^b = \log(e)/\log(b)$
– $2^b \log(b) = \log(e)$
– $b \approx \log\log(e)/c$
– $\log(e) + 2^b + \log(e)/\log\log\log(e) = \log(e) + \log(e)^{1/c} + \log(e)/\log\log\log(e) = \log(e) + o(\log(e))$
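To see the trade-off between table size and per-digit multiplications concretely, here is an added Python example (not part of the lecture) that runs the left-to-right algorithm with b-bit digits and counts the operations it performs. The exponent is a constructed 1024-bit value from a seeded generator, and the modulus and function names are arbitrary choices made for the illustration.

```python
import random

def window_pow(x, e, m, b):
    """Left-to-right exponentiation with b-bit digits (base 2**b).

    Returns (x**e mod m, multiplications, squarings). The table precomputation
    (2**b - 2 products) is included in the multiplication count, and S is
    raised to the power 2**b before every digit, including the first.
    """
    table = [1 % m, x % m]                 # table[d] = x**d mod m
    mults = 0
    for _ in range(2, 1 << b):
        table.append(table[-1] * x % m)
        mults += 1
    digits = []                            # base-2**b digits of e, least significant first
    while e:
        digits.append(e & ((1 << b) - 1))
        e >>= b
    s, squares = 1 % m, 0
    for d in reversed(digits):             # most significant digit first
        for _ in range(b):
            s = s * s % m
            squares += 1
        if d != 0:                         # zero digits cost no multiplication
            s = s * table[d] % m
            mults += 1
    return s, mults, squares

def cost_by_window(bits=1024, widths=range(1, 9), seed=11):
    """Total operations (mults + squares) per digit width for one constructed exponent."""
    e = random.Random(seed).getrandbits(bits) | (1 << (bits - 1))
    m = 2**127 - 1                         # arbitrary modulus, used only to check results
    costs = {}
    for b in widths:
        value, mults, squares = window_pow(3, e, m, b)
        assert value == pow(3, e, m)
        costs[b] = mults + squares
    return costs

if __name__ == "__main__":
    for b, cost in cost_by_window().items():
        print(f"b={b}: {cost} operations")
```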

14
Addition chains
Example: 1,2,3,4,7,10
A list of integers, starting at 1, where the next element is the sum of two previous elements
Addition chain of length 5 for 15:
– 1,2,3,6,12,15 (don't count the 1)
To compute $x^{15}$, the binary left to right exponentiation algorithm computes: $x, x^2, x^3, x^6, x^7, x^{14}, x^{15}$ (3 mults, 3 squares)
The addition chain algorithm would compute $x, x^2, x^3, x^6, x^{12}, x^{15}$ (2 mults, 3 squares)
Finding the optimal addition chain is NP-Hard
See algorithms in Knuth Volume 2, Seminumerical Algorithms

15
Addition chains (cont.)
Length of addition chain for n is at least log(n) + log(wt(n)) (wt(n) ≈ log(n)/2 on “average”)
Binary left to right exponentiation: log(n) + wt(n)
Base b left to right exponentiation: $\log(n) + 2^b + \log(n)/\log(b)$; $b = \log\log(n)/2$ implies $\log(n) + o(\log n)$
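The comparison for $x^{15}$ on the slides above can be checked mechanically. This added Python example (not part of the lecture; function names are hypothetical) validates a chain, evaluates the power along it, and counts multiplications and squarings, with the binary left-to-right method expressed as the chain it implicitly follows.

```python
def is_addition_chain(chain):
    """True if chain starts at 1 and each later element is a sum of two earlier ones."""
    if not chain or chain[0] != 1:
        return False
    for i in range(1, len(chain)):
        earlier = set(chain[:i])
        # the two summands may be the same element (a doubling)
        if not any(chain[i] - a in earlier for a in earlier):
            return False
    return True

def binary_chain(n):
    """Chain followed by left-to-right binary exponentiation for exponent n >= 1."""
    chain = [1]
    for bit in bin(n)[3:]:                 # bits after the leading 1
        chain.append(2 * chain[-1])        # squaring
        if bit == "1":
            chain.append(chain[-1] + 1)    # multiplication by x
    return chain

def pow_by_chain(x, chain, m):
    """Return (x**chain[-1] mod m, mults, squares) computed along the chain."""
    if not is_addition_chain(chain):
        raise ValueError("not an addition chain")
    powers = {1: x % m}                    # exponent -> x**exponent mod m
    mults = squares = 0
    for c in chain[1:]:
        if c % 2 == 0 and c // 2 in powers:
            powers[c] = powers[c // 2] ** 2 % m
            squares += 1
        else:
            a = next(a for a in powers if c - a in powers)
            powers[c] = powers[a] * powers[c - a] % m
            mults += 1
    return powers[chain[-1]], mults, squares

if __name__ == "__main__":
    print(pow_by_chain(7, [1, 2, 3, 6, 12, 15], 1009))   # chain from the slide
    print(pow_by_chain(7, binary_chain(15), 1009))       # binary method
```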

16
Fixed base exponentiation (E.g., $g^e \bmod p$) Base b, Precompute

17
Fixed base exponentiation (E.g., $g^e \bmod p$)
Base b, number of multiplications is log(e)/log(b) + b.
Take b=sqrt(log(e)) and the number of multiplications is O(sqrt(log(e)))

18
New Subject: Secret Sharing Threshold secret sharing scheme: a secret is divided amongst n users, but any t amongst them can recreate the secret. Easy solution: split the secret into t random shares, and give to every subset of size t out of n. Every user gets shares

19
Shamir's threshold secret sharing scheme
Choose a random polynomial over a finite field, of degree t-1, with $p(0) = c_0$ equal to the secret.
Give User j the value p(j)
Any t users can reconstruct p(x) and compute p(0)
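Shamir's scheme as described on this slide, in an added Python example that is not part of the lecture. It assumes the finite field is the integers modulo the prime $2^{127} - 1$ and uses hypothetical function names; `implied_share` shows why t-1 shares reveal nothing, since every candidate secret is consistent with them and merely implies a different value for the missing share.

```python
import secrets

P = 2**127 - 1   # prime field size: an assumption, the slide only says "a finite field"

def split(secret, t, n, p=P):
    """Shares (j, poly(j)) for j = 1..n of a random polynomial with poly(0) = secret."""
    if not (1 <= t <= n < p and 0 <= secret < p):
        raise ValueError("need 1 <= t <= n < p and 0 <= secret < p")
    # c_0 is the secret; c_1 .. c_{t-1} are uniform, so the degree is at most t-1
    coeffs = [secret] + [secrets.randbelow(p) for _ in range(t - 1)]
    shares = []
    for j in range(1, n + 1):
        y = 0
        for c in reversed(coeffs):         # Horner's rule
            y = (y * j + c) % p
        shares.append((j, y))
    return shares

def interpolate_at(points, x0, p=P):
    """Value at x0 of the unique polynomial of degree < len(points) through points."""
    if len({x for x, _ in points}) != len(points):
        raise ValueError("x-coordinates must be distinct")
    total = 0
    for i, (xi, yi) in enumerate(points):
        num = den = 1
        for k, (xk, _) in enumerate(points):
            if k != i:
                num = num * (x0 - xk) % p
                den = den * (xi - xk) % p
        total = (total + yi * num * pow(den, -1, p)) % p   # Lagrange basis term
    return total

def reconstruct(shares, p=P):
    """Any t shares determine the polynomial, hence the secret poly(0)."""
    return interpolate_at(list(shares), 0, p)

def implied_share(known, candidate_secret, j, p=P):
    """Share user j would hold if the secret were candidate_secret, given t-1 known shares."""
    return interpolate_at(list(known) + [(0, candidate_secret)], j, p)
```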

20
Generalized Secret Sharing
P – a set of users
A – an access structure, a set of subsets of P
Perfect secret sharing – the shares corresponding to each unauthorized subset provide no information
– H(S|B) = 0 for all B in A
– H(S|B) = H(S) for all B not in A
The information rate for a user is (size of shared secret)/(size of user share)

21
Generalized Secret Sharing
Theorem: In any perfect secret sharing scheme, for all user shares, (size of user share) ≥ (size of shared secret). In other words, information rate ≤ 1.
Proof: If not, then not knowing the share of some user that belongs to some B in A would reduce the uncertainty to at most the length of the user share.
Secret sharing schemes for which the rate is 1 are called ideal.

22
Homework Assignment 3, part 2 Arrange n users along a cycle. Every two adjacent users should share the secret. Construct an ideal scheme for this access pattern, if possible. If not, show that an ideal scheme is not possible.
