Polynomial evaluation and message authentication. D. J. Bernstein, University of Illinois at Chicago.
Dot product: inputs $m_1, r_1, m_2, r_2, m_3, r_3, m_4, r_4, m_5, r_5$; multiply each pair $m_i r_i$ and add the five products. Cost of this algorithm: 5 mults, 4 adds. Output of this algorithm, given $m_1, \ldots, r_1, \ldots \in \mathbf{F}_q$: $m_1 r_1 + \cdots + m_5 r_5$.
Alternative (1968 Winograd), $\approx 2\times$ speedup in matrix mult: compute $m_5 r_5 + (m_3 + r_4)(m_4 + r_3) + (m_1 + r_2)(m_2 + r_1)$, which needs only 3 mults. Output in $\mathbf{F}_q[m_1, \ldots, r_1, \ldots]$: $m_5 r_5 + (m_3 + r_4)(m_4 + r_3) + (m_1 + r_2)(m_2 + r_1) = m_1 r_1 + m_2 r_2 + m_3 r_3 + m_4 r_4 + m_5 r_5 + m_1 m_2 + m_3 m_4 + r_1 r_2 + r_3 r_4$.
One good way to recognize forged/corrupted messages: Standardize a prime $p = 1000003$. Sender rolls a 10-sided die to generate independent uniform random secrets $r_1 \in \{0, 1, \ldots, 999999\}$, $r_2 \in \{0, 1, \ldots, 999999\}$, $\ldots$, $r_5 \in \{0, 1, \ldots, 999999\}$, $s_1 \in \{0, 1, \ldots, 999999\}$, $\ldots$, $s_{100} \in \{0, 1, \ldots, 999999\}$.
Sender meets receiver in private and tells receiver the same secrets $r_1, r_2, \ldots, r_5, s_1, \ldots, s_{100}$. Later: Sender wants to send 100 messages $m_1, \ldots, m_{100}$, each message $m_n$ having 5 components $m_{n,1}, m_{n,2}, m_{n,3}, m_{n,4}, m_{n,5}$ with $m_{n,i} \in \{0, 1, \ldots, 999999\}$. Sender transmits the 30-digit $m_{n,1}\, m_{n,2}\, m_{n,3}\, m_{n,4}\, m_{n,5}$ together with the message number $n$ and an authenticator $((m_{n,1} r_1 + \cdots + m_{n,5} r_5 \bmod p) + s_n) \bmod 1000000$.
E.g. $r_1 = 314159$, $r_2 = 265358$, $r_3 = 979323$, $r_4 = 846264$, $r_5 = 338327$, $s_{10} = 950288$, $m_{10} = 000006\ 000007\ 000000\ 000000\ 000000$. Sender computes authenticator $((6 r_1 + 7 r_2 \bmod p) + s_{10}) \bmod 1000000 = ((6 \cdot 314159 + 7 \cdot 265358 \bmod 1000003) + 950288) \bmod 1000000 = (742451 + 950288) \bmod 1000000 = 692739$. Sender transmits 10 000006 000007 000000 000000 000000 692739.
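The toy scheme above, worked as an added example (my code, not from the slides), using the slides' secrets and message 10; the wire layout with the message number first and the authenticator last is taken from the transmitted line shown, and the `S` table holds only the one $s_n$ the slides give.

```python
# Added example, not from the slides: the toy 6-digit dot-product
# authenticator with the slides' sample secrets and message number 10.
P = 1000003          # the standardized prime
DIGITS = 1000000     # chunks and authenticators are 6 decimal digits

R = [314159, 265358, 979323, 846264, 338327]   # r_1 .. r_5 from the slides
S = {10: 950288}                               # s_n for the one message shown

def authenticator(m, r, s_n, p=P):
    """((m_1 r_1 + ... + m_5 r_5 mod p) + s_n) mod 10^6: 5 mults, 4 adds."""
    dot = sum(mi * ri for mi, ri in zip(m, r)) % p
    return (dot + s_n) % DIGITS

def transmit(n, m, r, s):
    """Wire format: message number, five 6-digit chunks, 6-digit authenticator."""
    chunks = " ".join(f"{mi:06d}" for mi in m)
    return f"{n} {chunks} {authenticator(m, r, s[n]):06d}"

def receive(packet, r, s):
    """Receiver recomputes the authenticator from its own copy of the secrets.
    Returns (n, chunks) if it matches, None if the packet is rejected."""
    fields = packet.split()
    if len(fields) != 7:
        return None
    n, tag = int(fields[0]), int(fields[6])
    m = [int(f) for f in fields[1:6]]
    if n not in s or any(not 0 <= mi < DIGITS for mi in m):
        return None               # unknown message number or malformed chunk
    if authenticator(m, r, s[n]) != tag:
        return None               # forged or corrupted
    return n, m

def demo():
    packet = transmit(10, [6, 7, 0, 0, 0], R, S)
    ok = receive(packet, R, S)
    # change one chunk in transit: the receiver's recomputation no longer matches
    bad = receive(packet.replace("000007", "000008"), R, S)
    return packet, ok, bad
```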
Main work is multiplication. For each 6-digit message chunk, have to do one multiplication by a 6-digit secret $r_i$. Scaled up for serious security: Choose, e.g., $p = 2^{130} - 5$. For each 128-bit message chunk, have to do one multiplication by a 128-bit secret $r_i$. Reduce output mod $2^{130} - 5$. The cost in cycles per message byte depends on the CPU. Many papers on choosing fields, computing products quickly.
Provably secure authenticators $(m_1 r_1 + m_2 r_2 + \cdots) + s$: 1974 Gilbert/MacWilliams/Sloane. 1999 Black/Halevi/Krawczyk/Krovetz/Rogaway (crediting unpublished Carter/Wegman, failing to credit Winograd): Replace $m_1 r_1 + m_2 r_2$ with $(m_1 + r_1)(m_2 + r_2)$, replace $m_3 r_3 + m_4 r_4$ with $(m_3 + r_3)(m_4 + r_4)$, etc. Half as many multiplications for each message chunk.
Expand short key $k$ into long secret $r_1, \ldots, s_1, \ldots$ as, e.g., $\mathrm{AES}_k(1), \mathrm{AES}_k(2), \ldots$. Oops, not uniform random. But easily prove that attack implies attack on AES. Generate $r$'s, $s$'s on demand? Need $\ell + 1$ AES invocations for $r_1, r_2, \ldots, r_\ell, s_n$. Cache $r_1, r_2, \ldots, r_\ell$? Bad performance for large $\ell$: huge initialization cost; many expensive cache misses; too big for low-cost hardware.
1979 Wegman/Carter: Another authentication function, fewer secrets $r_1, r_2, \ldots$. 1981 Rabin, 1987 Karp/Rabin: Another authentication function, extremely short secret $r$, but expensive to generate. 1993 den Boer; independently 1994 Taylor; independently 1994 Johansson/Kabatianskii/Smeets: Another authentication function, extremely short secret $r$, trivial to generate.
Horner's rule (const coeff 0): inputs $m_5, m_4, m_3, m_2, m_1, r$; compute $((((m_5 r + m_4) r + m_3) r + m_2) r + m_1) r$, alternating one mult by $r$ with one add of the next chunk.
Cost of this algorithm: 5 mults, 4 adds, just like dot product. Output in $\mathbf{F}_q[m_1, m_2, m_3, m_4, m_5, r]$: $m_5 r^5 + m_4 r^4 + \cdots + m_1 r$. Substituting any message $(m_1, m_2, m_3, m_4, m_5) \in \mathbf{F}_q^5$ produces a poly in $\mathbf{F}_q[r]$; message $\mapsto$ poly is injective. Secure for authentication: at most 5 values of $r$ are roots of any shifted difference of polys for distinct messages.
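The Horner-rule authenticator and its root bound, as an added example (my code, not from the slides): it evaluates $m_\ell r^\ell + \cdots + m_1 r$ over $\mathbf{F}_q$ and then, for a toy prime $q = 7$ that I chose, exhaustively confirms that two distinct $\ell$-chunk messages never share an authenticator for more than $\ell$ of the $q$ possible secrets.

```python
# Added example, not from the slides: the Horner-rule authenticator
# m_l r^l + ... + m_1 r over F_q, and an exhaustive check of the root
# bound (at most l secrets r collide for two distinct l-chunk messages)
# for a toy prime q.
from itertools import product

def horner_poly(m, r, q):
    """Evaluate m_l r^l + ... + m_1 r at r in F_q by Horner's rule:
    l multiplications, l-1 additions, highest chunk first."""
    acc = m[-1]
    for mi in reversed(m[:-1]):
        acc = (acc * r + mi) % q
    return (acc * r) % q              # constant coefficient is 0

def colliding_secrets(m1, m2, q):
    """Secrets r for which m1 and m2 get the same authenticator (the
    shift s_n cancels): the roots in F_q of the difference polynomial.
    r = 0 is always among them because the constant coefficient is 0."""
    return [r for r in range(q) if horner_poly(m1, r, q) == horner_poly(m2, r, q)]

def worst_case_collisions(q, l):
    """Largest number of colliding secrets over all pairs of distinct
    l-chunk messages; exhaustive, so keep q and l tiny."""
    msgs = list(product(range(q), repeat=l))
    table = {m: [horner_poly(m, r, q) for r in range(q)] for m in msgs}
    worst = 0
    for i, a in enumerate(msgs):
        for b in msgs[i + 1:]:
            worst = max(worst, sum(x == y for x, y in zip(table[a], table[b])))
    return worst
```

With $q = 7$ and 3 chunks the worst pair (the difference $r^3 + 4r^2 + 2r = r(r-1)(r-2)$) collides for exactly 3 of the 7 secrets, meeting the degree bound; for a random secret that substitution succeeds with probability $3/7$, and in general at most $\ell/q$.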
1 multiplication per chunk. Can we do better? Classic observation (1955 Motzkin, 1958 Belaga, et al.): For each $\varphi \in \mathbf{C}[r]$ there is an algorithm that computes $\varphi$ using $\approx (\deg \varphi)/2$ multiplications. Idea: $(((ar + b)(r^2 + c) + d)(r^2 + e) + f)(r^2 + g) + h$. Doesn't solve the authentication problem. This set of algorithms maps surjectively but not injectively to $\mathbf{C}[r]$.
1970 Winograd: Can achieve $\approx (\deg \varphi)/2$ multiplications with "rational preparation," i.e., a rational map $\varphi \mapsto$ algorithm. Idea: $((r + a)(r^2 + b) + r + c)(r^4 + d) + (r + e)(r^2 + f) + r + g$. Adapt idea to non-monic $\varphi$ and to $\deg \varphi \notin \{1, 3, 7, 15, \ldots\}$. "Aha! $((r + a)(r^2 + b) + r + c)(r^4 + d) + (r + e)(r^2 + f) + r + g$ is an authenticator of message $(a, b, c, d, e, f, g)$." Have to be careful. Injective? Not just for fixed degree?
Fix odd prime $p$. Define $H$, mapping finite sequences of elements of $\{0, 2, 4, \ldots, p - 3\}$ to $\mathbf{F}_p[r]$, by $H() = 0$; $H(m_1) = r + m_1$; $H(m_1, \ldots, m_\ell) = H(m_{t+1}, \ldots, m_\ell) + (r^t + m_t)\, H(m_1, \ldots, m_{t-1})$ if $t \in \{2, 4, 8, 16, \ldots\}$, $t \le \ell < 2t$. E.g. $H(m_1, m_2) = (r + m_1)(r^2 + m_2)$; $H(m_1, m_2, m_3) = (r + m_1)(r^2 + m_2) + (r + m_3)$. (Could change $H()$ to 1, avoid special case for $\ell = 1$. But my $H$ is slightly faster.)
Easy to prove: $H$ is injective. Use $r H(m) + s_n$ as authenticator of $n$th message $m$. (Good choice of $p$: $2^{107} - 1$. Put 13 bytes into each chunk.) Combines all the advantages of previous authenticators: extremely short secret $r$, trivial to generate; $1/2$ multiplication per chunk.
Recommend
More recommend