# Introduction to Modern Cryptography, Lecture 11 1) More about efficient computation: Montgomery arithmetic, efficient exponentiation 2)Secret Sharing schemes.

## Presentation on theme: "Introduction to Modern Cryptography, Lecture 11 1) More about efficient computation: Montgomery arithmetic, efficient exponentiation 2)Secret Sharing schemes."— Presentation transcript:

Introduction to Modern Cryptography, Lecture 11 1) More about efficient computation: Montgomery arithmetic, efficient exponentiation 2)Secret Sharing schemes

Montgomery Reduction Let m be a positive integer Let R and T be integers such that The Montgomery reduction of of T modulo m with respect to R :

Montgomery Reduction Typical use: Compute

Montgomery Reduction (cont.) Compute Montgomery reduction of Let

Montegomery Reduction (cont) Idea: rather than compute xy mod m, compute the Montgomery reduction of xR and yR mod m which is xyR mod m This always leaves one extra “ R ” Worthwhile if Montgomery reduction is faster than simple modular reduction

Fact Given m and R where gcd(m,R)=1, let 0 ≤ T ≤ mR, then: 1. (T + (-Tm -1 mod R) m)/R is an integer and 2. (T + (-Tm -1 mod R) m)/R =TR -1 mod m. 2.T+ (-Tm -1 mod R) m = T mod m, (T+ (-Tm -1 mod R)m)/R mod m= TR -1 mod m 1.(-Tm -1 mod R) = T(-m -1 mod R) + kR, m(-m -1 mod R)=-1 + jR, (T + (-Tm -1 mod R)m) / R = (T + (T (-m -1 mod R) + kR)m) / R = T((1 + -1 + jR) + kRm) / R = (Tj + km)R / R = Tj+km

More Facts As T < mR, and (-Tm -1 mod R) < R, then (T+ (-Tm -1 mod R) m)/R < (mR + mR)/R < 2m. Computing -TR -1 mod m can be done with two multiplications: –U = (-Tm -1 mod R) (if R = power of 2, mod R = low order bits) –U m If R = power of 2, division = rightshift of high order bits for (T + Um)/R

Example m = 187, R=190, R -1 mod m = 125, m -1 mod R = 63, -m -1 mod R = 127 T=563, -T m -1 mod R = 185, (T+(-T m -1 mod R) m)/R = 188 = (TR -1 mod m) + m

Homework Assignment 3 part 1 Describe and prove correctness of the binary Montgomery reduction algorithm (Handbook of Applied Cryptography, page 601, 14.32) Implement Montgomery reduction in Maple for 1024 bit modulii Implement Fiat-Shamir in Maple making use of Montgomery reduction

Exponentiation Base 2 left to right: -To compute x e we compute -S=1 -For i=1 to j -S = S 2 -If e i =1 then S=Sx, Worst case: j multiplications, j squares “ Average case ” : j/2 multiplications, j squares

Exponentiation Base 2 right to left: -To compute x e we compute -A=x, S=1 -For i=j downto 1 -If e i =1 then S=SA, -A = A 2 Worst case: j multiplications, j squares “ Average case ” : j/2 multiplications, j squares

Exponentiation Base b left to right: -To compute x e we compute -S=1 -For i=1 to j -S = ( … (((S 2 ) 2 ) 2 ) … ) 2 S to the power 2 b -If e i ≠0 then Worst case: 2 b +j multiplications, jb = log 2 e sq “ Average case ” : 2 b +j(2 b -1)/2 b multiplications, jb sq (precomputed) For 1024 bit exponent, what is the optimal b?

For a log(e) bit exponent? log(e)+2 b +log(e)/log(b) mults+squares –2 b =log(e)/log(b) –2 b log(b)=log(e) –b≈loglog(e)/c –log(e)+2 b +log(e)/logloglog(e) = log(e) + log(e) 1/c + log(e)/logloglog(e) = log(e) + o(log(e))

Addition chains Example: 1,2,3,4,7,10 A list of integers, starting at 1, where the next element is the sum of two previous elements Addition chain of length 5 for 15: –1,2,3,6,12,15 (don ’ t count the 1) To compute x 15, the binary left to right exponentiation algorithm computes: x, x 2, x 3, x 6, x 7, x 14, x 15 (3 mults, 3 squares) The addition chain algorithm would compute x, x 2, x 3, x 6, x 12, x 15 (2 mults, 3 squares) Finding the optimal addition chain is NP-Hard See algorithms in Knuth Volume 2, seminumerical algorithms

Addition chains (cont.) Length of addition chain for n is at least log(n) + log(wt(n)) (wt(n)≈log(n)/2 on “average”) Binary left to right exponentiation: log(n) + wt(n) Base b left to right exponentiation, log(n)+2 b +log(n)/log(b), b=loglog(n) /2 implies log(n) + o(log n)

Fixed base exponentiation (E.g., g e mod p) Base b, Precompute

Fixed base exponentiation (E.g., g e mod p) Base b, number of multiplications is log(e)/log(b) + b. Take b=sqrt(log(e)) and the number of multiplications is O(sqrt(log(e)))

New Subject: Secret Sharing Threshold secret sharing scheme: a secret is divided amongst n users, but any t amongst them can recreate the secret. Easy solution: split the secret into t random shares, and give to every subset of size t out of n. Every user gets shares

Shamir ’ s threshold secret sharing scheme Choose a random polynomial over a finite field, of degree t-1, with p(0)=c 0 equal to the secret. Give User j the value p(j) Any t users can reconstruct p(x) and compute p(0)

Generalized Secret Sharing P – a set of users A – an access structure, a set of subsets of P Perfect secret sharing – the shares corresponding to each unauthorized subset provide no information –H(S|B) = 0 for all B in A –H(S|B) = H(S) for all B not in A The information rate for a user is (size of shared secret)/(size of user share)

Generalized Secret Sharing Theorem: In any perfect secret sharing scheme, for all user shares, (size of user share) ≥ (size of shared secret). In other words, information rate ≤ 1. Proof: If not, then not knowing the share of some user that belongs to some B in A would reduce the uncertainly to at most the length of the user share. Secret sharing scheme for which the rate is 1 are called ideal.

Homework Assignment 3, part 2 Arrange n users along a cycle. Every two adjacent users should share the secret. Construct an ideal scheme for this access pattern, if possible. If not, show that an ideal scheme is not possible.

Download ppt "Introduction to Modern Cryptography, Lecture 11 1) More about efficient computation: Montgomery arithmetic, efficient exponentiation 2)Secret Sharing schemes."

Similar presentations