Introduction to Modern Cryptography, Lecture 11 1) More about efficient computation: Montgomery arithmetic, efficient exponentiation 2)Secret Sharing schemes

Montgomery Reduction Let m be a positive integer Let R and T be integers such that The Montgomery reduction of of T modulo m with respect to R :

Montgomery Reduction Typical use: Compute

Montgomery Reduction (cont.) Compute Montgomery reduction of Let

Montegomery Reduction (cont) Idea: rather than compute xy mod m, compute the Montgomery reduction of xR and yR mod m which is xyR mod m This always leaves one extra “ R ” Worthwhile if Montgomery reduction is faster than simple modular reduction

Fact Given m and R where gcd(m,R)=1, let 0 ≤ T ≤ mR, then: 1. (T + (-Tm -1 mod R) m)/R is an integer and 2. (T + (-Tm -1 mod R) m)/R =TR -1 mod m. 2.T+ (-Tm -1 mod R) m = T mod m, (T+ (-Tm -1 mod R)m)/R mod m= TR -1 mod m 1.(-Tm -1 mod R) = T(-m -1 mod R) + kR, m(-m -1 mod R)=-1 + jR, (T + (-Tm -1 mod R)m) / R = (T + (T (-m -1 mod R) + kR)m) / R = T(( jR) + kRm) / R = (Tj + km)R / R = Tj+km

More Facts As T < mR, and (-Tm -1 mod R) < R, then (T+ (-Tm -1 mod R) m)/R < (mR + mR)/R < 2m. Computing -TR -1 mod m can be done with two multiplications: –U = (-Tm -1 mod R) (if R = power of 2, mod R = low order bits) –U m If R = power of 2, division = rightshift of high order bits for (T + Um)/R

Example m = 187, R=190, R -1 mod m = 125, m -1 mod R = 63, -m -1 mod R = 127 T=563, -T m -1 mod R = 185, (T+(-T m -1 mod R) m)/R = 188 = (TR -1 mod m) + m

Homework Assignment 3 part 1 Describe and prove correctness of the binary Montgomery reduction algorithm (Handbook of Applied Cryptography, page 601, 14.32) Implement Montgomery reduction in Maple for 1024 bit modulii Implement Fiat-Shamir in Maple making use of Montgomery reduction

Exponentiation Base 2 left to right: -To compute x e we compute -S=1 -For i=1 to j -S = S 2 -If e i =1 then S=Sx, Worst case: j multiplications, j squares “ Average case ” : j/2 multiplications, j squares

Exponentiation Base 2 right to left: -To compute x e we compute -A=x, S=1 -For i=j downto 1 -If e i =1 then S=SA, -A = A 2 Worst case: j multiplications, j squares “ Average case ” : j/2 multiplications, j squares

Exponentiation Base b left to right: -To compute x e we compute -S=1 -For i=1 to j -S = ( … (((S 2 ) 2 ) 2 ) … ) 2 S to the power 2 b -If e i ≠0 then Worst case: 2 b +j multiplications, jb = log 2 e sq “ Average case ” : 2 b +j(2 b -1)/2 b multiplications, jb sq (precomputed) For 1024 bit exponent, what is the optimal b?

For a log(e) bit exponent? log(e)+2 b +log(e)/log(b) mults+squares –2 b =log(e)/log(b) –2 b log(b)=log(e) –b≈loglog(e)/c –log(e)+2 b +log(e)/logloglog(e) = log(e) + log(e) 1/c + log(e)/logloglog(e) = log(e) + o(log(e))

Addition chains Example: 1,2,3,4,7,10 A list of integers, starting at 1, where the next element is the sum of two previous elements Addition chain of length 5 for 15: –1,2,3,6,12,15 (don ’ t count the 1) To compute x 15, the binary left to right exponentiation algorithm computes: x, x 2, x 3, x 6, x 7, x 14, x 15 (3 mults, 3 squares) The addition chain algorithm would compute x, x 2, x 3, x 6, x 12, x 15 (2 mults, 3 squares) Finding the optimal addition chain is NP-Hard See algorithms in Knuth Volume 2, seminumerical algorithms

Addition chains (cont.) Length of addition chain for n is at least log(n) + log(wt(n)) (wt(n)≈log(n)/2 on “average”) Binary left to right exponentiation: log(n) + wt(n) Base b left to right exponentiation, log(n)+2 b +log(n)/log(b), b=loglog(n) /2 implies log(n) + o(log n)

Fixed base exponentiation (E.g., g e mod p) Base b, Precompute

Fixed base exponentiation (E.g., g e mod p) Base b, number of multiplications is log(e)/log(b) + b. Take b=sqrt(log(e)) and the number of multiplications is O(sqrt(log(e)))

New Subject: Secret Sharing Threshold secret sharing scheme: a secret is divided amongst n users, but any t amongst them can recreate the secret. Easy solution: split the secret into t random shares, and give to every subset of size t out of n. Every user gets shares

Shamir ’ s threshold secret sharing scheme Choose a random polynomial over a finite field, of degree t-1, with p(0)=c 0 equal to the secret. Give User j the value p(j) Any t users can reconstruct p(x) and compute p(0)

Generalized Secret Sharing P – a set of users A – an access structure, a set of subsets of P Perfect secret sharing – the shares corresponding to each unauthorized subset provide no information –H(S|B) = 0 for all B in A –H(S|B) = H(S) for all B not in A The information rate for a user is (size of shared secret)/(size of user share)

Generalized Secret Sharing Theorem: In any perfect secret sharing scheme, for all user shares, (size of user share) ≥ (size of shared secret). In other words, information rate ≤ 1. Proof: If not, then not knowing the share of some user that belongs to some B in A would reduce the uncertainly to at most the length of the user share. Secret sharing scheme for which the rate is 1 are called ideal.

Homework Assignment 3, part 2 Arrange n users along a cycle. Every two adjacent users should share the secret. Construct an ideal scheme for this access pattern, if possible. If not, show that an ideal scheme is not possible.