
Lecture 14. Outline. Modular Arithmetic Fact and Secrets



  1. Lecture 14. Outline.

     1. Finish Polynomials and Secrets.
     2. Finite Fields: Abstract Algebra
     3. Erasure Coding

     Modular Arithmetic Fact and Secrets

     Modular Arithmetic Fact: Exactly 1 degree $\le d$ polynomial with arithmetic modulo prime $p$ contains $d+1$ pts.

     Shamir's k out of n Scheme:
     Secret $s \in \{0,\ldots,p-1\}$
     1. Choose $a_0 = s$, and random $a_1,\ldots,a_{k-1}$.
     2. Let $P(x) = a_{k-1}x^{k-1} + a_{k-2}x^{k-2} + \cdots + a_0$ with $a_0 = s$.
     3. Share $i$ for $i \ge 1$ is point $(i, P(i) \bmod p)$.

     Robustness: Any $k$ shares gives secret.
     Knowing $k$ pts, find unique $P(x)$, evaluate $P(0)$.
     Secrecy: Any $k-1$ shares give nothing.
     Knowing $\le k-1$ pts, any $P(0)$ is possible.

     There exists a polynomial...

     Modular Arithmetic Fact: There is exactly 1 polynomial of degree $\le d$ with arithmetic modulo prime $p$ that contains $d+1$ pts.

     Proof of at least one polynomial:
     Given points: $(x_1,y_1); (x_2,y_2) \cdots (x_{d+1},y_{d+1})$.
     Note: The points have to have different x values!

     $\Delta_i(x) = \dfrac{\prod_{j \ne i}(x - x_j)}{\prod_{j \ne i}(x_i - x_j)}$.

     Numerator is 0 at $x_j \ne x_i$.
     Denominator makes it 1 at $x_i$.
     And..
     $P(x) = y_1\Delta_1(x) + y_2\Delta_2(x) + \cdots + y_{d+1}\Delta_{d+1}(x)$.
     hits points $(x_1,y_1); (x_2,y_2) \cdots (x_{d+1},y_{d+1})$. Degree $d$ polynomial!
     Construction proves the existence of a polynomial!

     Reiterating Examples.

     $\Delta_i(x) = \dfrac{\prod_{j \ne i}(x - x_j)}{\prod_{j \ne i}(x_i - x_j)}$.

     Degree 1 polynomial, $P(x)$, that contains $(1,3)$ and $(3,4)$?
     Work modulo 5.
     $\Delta_1(x)$ contains $(1,1)$ and $(3,0)$.
     $\Delta_1(x) = \dfrac{x-3}{1-3} = \dfrac{x-3}{-2} = 2(x-3) = 2x - 6 = 2x + 4 \pmod 5$.

     For a quadratic, $a_2x^2 + a_1x + a_0$ hits $(1,3); (2,4); (3,0)$.
     Work modulo 5.
     Find $\Delta_1(x)$ polynomial contains $(1,1); (2,0); (3,0)$.
     $\Delta_1(x) = \dfrac{(x-2)(x-3)}{(1-2)(1-3)} = \dfrac{(x-2)(x-3)}{2} = 3(x-2)(x-3) = 3x^2 + 1 \pmod 5$
     Put the delta functions together.

     Simultaneous Equations Method.

     For a line, $a_1x + a_0 = mx + b$ contains points $(1,3)$ and $(2,4)$.
     $P(1) = m(1) + b \equiv m + b \equiv 3 \pmod 5$
     $P(2) = m(2) + b \equiv 2m + b \equiv 4 \pmod 5$
     Subtract first from second..
     $m + b \equiv 3 \pmod 5$
     $m \equiv 1 \pmod 5$
     Backsolve: $b \equiv 2 \pmod 5$. Secret is 2.
     And the line is... $x + 2 \bmod 5$.

     Quadratic

     For a quadratic polynomial, $a_2x^2 + a_1x + a_0$ hits $(1,2); (2,4); (3,0)$.
     Plug in points to find equations.
     $P(1) = a_2 + a_1 + a_0 \equiv 2 \pmod 5$
     $P(2) = 4a_2 + 2a_1 + a_0 \equiv 4 \pmod 5$
     $P(3) = 4a_2 + 3a_1 + a_0 \equiv 0 \pmod 5$

     $a_2 + a_1 + a_0 \equiv 2 \pmod 5$
     $3a_1 + 2a_0 \equiv 1 \pmod 5$
     $4a_1 + 2a_0 \equiv 2 \pmod 5$

     Subtracting 2nd from 3rd yields: $a_1 = 1$.
     $a_0 = (2 - 4(a_1))\,2^{-1} = (-2)(2^{-1}) = (3)(3) = 9 \equiv 4 \pmod 5$
     $a_2 = 2 - 1 - 4 \equiv 2 \pmod 5$.
     So polynomial is $2x^2 + 1x + 4 \pmod 5$

  2. In general..

     Given points: $(x_1,y_1); (x_2,y_2) \cdots (x_k,y_k)$.
     Solve...
     $a_{k-1}x_1^{k-1} + \cdots + a_0 \equiv y_1 \pmod p$
     $a_{k-1}x_2^{k-1} + \cdots + a_0 \equiv y_2 \pmod p$
     $\vdots$
     $a_{k-1}x_k^{k-1} + \cdots + a_0 \equiv y_k \pmod p$
     Will this always work?
     As long as solution exists and it is unique! And...
     Modular Arithmetic Fact: Exactly 1 polynomial of degree $\le d$ with arithmetic modulo prime $p$ contains $d+1$ pts.

     Summary.

     Modular Arithmetic Fact: Exactly 1 polynomial of degree $\le d$ with arithmetic modulo prime $p$ contains $d+1$ pts.
     Existence: Lagrange Interpolation.
     Uniqueness: (proved last time) At most $d$ roots for degree $d$ polynomial.

     Finite Fields

     Proof works for reals, rationals, and complex numbers.
     ..but not for integers, since no multiplicative inverses.
     Arithmetic modulo a prime $p$ has multiplicative inverses..
     ..and has only a finite number of elements.
     Good for computer science.
     Arithmetic modulo a prime $p$ is a finite field denoted by $F_p$ or $GF(p)$.
     Intuitively, a field is a set with operations corresponding to addition, multiplication, and division.

     Secret Sharing Revisited

     Modular Arithmetic Fact: Exactly one polynomial degree $\le d$ over $GF(p)$, $P(x)$, that hits $d+1$ points.

     Shamir's k out of n Scheme:
     Secret $s \in \{0,\ldots,p-1\}$
     1. Choose $a_0 = s$, and random $a_1,\ldots,a_{k-1}$.
     2. Let $P(x) = a_{k-1}x^{k-1} + a_{k-2}x^{k-2} + \cdots + a_0$ with $a_0 = s$.
     3. Share $i$ is point $(i, P(i) \bmod p)$.

     Robustness: Any $k$ knows secret.
     Knowing $k$ pts, only one $P(x)$, evaluate $P(0)$.
     Secrecy: Any $k-1$ knows nothing.
     Knowing $\le k-1$ pts, any $P(0)$ is possible.
     Efficiency: ???

     Efficiency.

     Need $p > n$ to hand out $n$ shares: $P(1) \ldots P(n)$.
     For $b$-bit secret, must choose a prime $p > 2^b$.
     Theorem: There is always a prime between $n$ and $2n$.
     Working over numbers within 1 bit of secret size. Minimal!
     With $k$ shares, reconstruct polynomial, $P(x)$.
     With $k-1$ shares, any of $p$ values possible for $P(0)$!
     (Within 1 bit of) any $b$-bit string possible!
     (Within 1 bit of) $b$-bits are missing: one $P(i)$.
     Within 1 of optimal number of bits.

     Runtime.

     Runtime: polynomial in $k$, $n$, and $\log p$.
     1. Evaluate degree $n-1$ polynomial $n+k$ times using $\log p$-bit numbers. $O(kn \log^2 p)$.
     2. Reconstruct secret by solving system of $n$ equations using $\log p$-bit arithmetic. $O(n^3 \log^2 p)$.
     3. Matrix has special form so $O(n \log n \log^2 p)$ reconstruction.
     Faster versions in practice are almost as efficient.

  3. A bit of counting.

     What is the number of degree $d$ polynomials over $GF(m)$?
     ◮ $m^{d+1}$: $d+1$ coefficients from $\{0,\ldots,m-1\}$.
     ◮ $m^{d+1}$: $d+1$ points with y-values from $\{0,\ldots,m-1\}$
     Infinite number for reals, rationals, complex numbers!

     Erasure Codes.

     Problem: Want to send a message with $n$ packets.
     Channel: Lossy channel: loses $k$ packets.
     Question: Can you send $n+k$ packets and recover message?
     Solution Idea: Use Polynomials!!!

     [Figure] Satellite: 3 packet message. So send 6! (packets 1 2 3 1 2 3)
     Lose 3 out 6 packets.
     GPS device: Gets packets 1,1,and 3.

     Solution Idea.

     $n$ packet message, channel that loses $k$ packets.
     Must send $n+k$ packets!
     Any $n$ packets should allow reconstruction of $n$ packet message.
     Any $n$ point values allow reconstruction of degree $n-1$ polynomial which has $n$ coefficients!
     Alright!!!
     Use polynomials.

     Erasure Codes.

     Problem: Want to send a message with $n$ packets.
     Channel: Lossy channel: loses $k$ packets.
     Question: Can you send $n+k$ packets and recover message?
     A degree $n-1$ polynomial determined by any $n$ points!
     Erasure Coding Scheme: message $= m_0, m_1, m_2, \ldots, m_{n-1}$. Each $m_i$ is a packet.
     1. Choose prime $p > 2^b$ for packet size $b$ (size = number of bits).
     2. $P(x) = m_{n-1}x^{n-1} + \cdots + m_0 \pmod p$.
     3. Send $P(1),\ldots,P(n+k)$.
     Any $n$ of the $n+k$ packets gives polynomial ...and message!

     [Figure] Satellite: $n$ packet message. So send $n+k$! (packets 1 2 ··· n+k)
     Lose $k$ packets.
     GPS device: Any $n$ packets is enough!
     $n$ packet message.
     Optimal.

  4. Comparison with Secret Sharing.

     Comparing information content:
     Secret Sharing: each share is size of whole secret.
     Coding: Each packet has size $1/n$ of the whole message.

     Erasure Code: Example.

     Send message of 1,4, and 4. up to 3 erasures. $n = 3$, $k = 3$
     Make polynomial with $P(1) = 1$, $P(2) = 4$, $P(3) = 4$.
     How?
     Lagrange Interpolation.
     Linear System.
     Work modulo 5.
     $P(x) = x^2 \pmod 5$
     $P(1) = 1$, $P(2) = 4$, $P(3) = 9 = 4 \pmod 5$
     Send $(0,P(0)) \ldots (5,P(5))$.
     6 points. Better work modulo 7 at least!
     Why? $(0,P(0)) = (5,P(5)) \pmod 5$

     Example

     Make polynomial with $P(1) = 1$, $P(2) = 4$, $P(3) = 4$.
     Modulo 7 to accommodate at least 6 packets.
     Linear equations:
     $P(1) = a_2 + a_1 + a_0 \equiv 1 \pmod 7$
     $P(2) = 4a_2 + 2a_1 + a_0 \equiv 4 \pmod 7$
     $P(3) = 2a_2 + 3a_1 + a_0 \equiv 4 \pmod 7$
     $6a_1 + 3a_0 = 2 \pmod 7$, $5a_1 + 4a_0 = 0 \pmod 7$
     $a_1 = 2a_0$. $a_0 = 2 \pmod 7$ $a_1 = 4 \pmod 7$ $a_2 = 2 \pmod 7$
     $P(x) = 2x^2 + 4x + 2$
     $P(1) = 1$, $P(2) = 4$, and $P(3) = 4$
     Send Packets: $(1,1), (2,4), (3,4), (4,7), (5,2), (6,0)$
     Notice that packets contain "x-values".

     Summary: Polynomials are useful!

     ◮ ..give Secret Sharing.
     ◮ ..give Erasure Codes.
     Next time: correct broader class of errors!
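The two constructions in these slides, Shamir's k out of n scheme and the erasure code, both reduce to Lagrange interpolation over GF(p). The Python below is an added example, not code from the lecture: all function names are hypothetical, p is assumed prime, and the erasure encoder follows the worked mod 7 example (message packets are the values P(1)..P(n)) rather than the coefficient form of the scheme.

```python
import secrets

def interpolate(points, x, p):
    """Evaluate at x the unique polynomial of degree <= len(points)-1 over
    GF(p) through points, as the sum of y_i * Delta_i(x)."""
    if len({xi % p for xi, _ in points}) != len(points):
        raise ValueError("x values must be distinct mod p")
    total = 0
    for i, (xi, yi) in enumerate(points):
        num = den = 1
        for j, (xj, _) in enumerate(points):
            if j != i:
                num = num * (x - xj) % p
                den = den * (xi - xj) % p
        total = (total + yi * num * pow(den, -1, p)) % p  # inverse exists: p prime
    return total

def split(secret, k, n, p):
    """Shamir k-out-of-n shares (i, P(i) mod p), i = 1..n, with P(0) = secret."""
    if not (0 <= secret < p and 1 <= k <= n < p):
        raise ValueError("need 0 <= secret < p and 1 <= k <= n < p")
    # a_0 = secret; a_1..a_{k-1} come from a CSPRNG, not the `random` module
    coeffs = [secret] + [secrets.randbelow(p) for _ in range(k - 1)]
    def P(x):
        acc = 0
        for a in reversed(coeffs):  # Horner's rule
            acc = (acc * x + a) % p
        return acc
    return [(i, P(i)) for i in range(1, n + 1)]

def reconstruct(shares, p):
    """Any k shares determine P; the secret is P(0)."""
    return interpolate(shares, 0, p)

def kth_share_for_each_secret(shares, x, p):
    """Secrecy check: given k-1 shares, map every candidate secret s to the
    one share value at x that would make s the real secret."""
    return {s: interpolate([(0, s)] + shares, x, p) for s in range(p)}

def erasure_encode(message, k, p):
    """Message packets are P(1)..P(n); send (x, P(x)) for x = 1..n+k."""
    n = len(message)
    if n + k >= p:
        raise ValueError("need p > n + k")
    pts = list(enumerate(message, start=1))
    return [(x, interpolate(pts, x, p)) for x in range(1, n + k + 1)]

def erasure_decode(received, n, p):
    """Recover P(1)..P(n) from any n surviving (x, P(x)) packets."""
    if len(received) < n:
        raise ValueError("too many erasures")
    return [interpolate(received[:n], x, p) for x in range(1, n + 1)]
```

With the lecture's numbers, `reconstruct([(1, 3), (2, 4)], 5)` returns the secret 2, and `kth_share_for_each_secret([(1, 2), (2, 4)], 3, 5)` assigns a different third share to each of the 5 candidate secrets, which is why k − 1 shares rule nothing out.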
