
Number Theory III: Polynomials Modulo A Prime: Secret Sharing, And Error-Correcting Codes.






Presentation Transcript


  1. Number Theory III: Polynomials Modulo A Prime: Secret Sharing, And Error-Correcting Codes.
     [Figure: inputs X1, X2, X3 fed through two + gates, output ≡p 0]

  2. Modular equivalence of integers a and b: a ≡ b [mod n], also written a ≡n b, "a and b are equivalent modulo n", iff (a mod n) = (b mod n) iff n | (a - b).

  3. Zn = {0, 1, 2, …, n-1}
     Zn* = {x ∈ Zn | GCD(x, n) = 1}
     Define +n and *n: a +n b = (a + b mod n), a *n b = (a * b mod n)
     c *n (a +n b) ≡n (c *n a) +n (c *n b)
     • <Zn, +n>: Closed, Associative, 0 is identity, Additive Inverses, Cancellation, Commutative
     • <Zn*, *n>: Closed, Associative, 1 is identity, Multiplicative Inverses, Cancellation, Commutative

  4. Polynomials Modulo n. Let f(x) and g(x) be finite polynomials with integer coefficients. We define: f(x) ≡poly g(x) iff each pair of corresponding coefficients of f and g are equivalent modulo n.

  5. Polynomial Evaluation Modulo n. Theorem: f(x) ≡poly g(x) ⇒ for every integer a, f(a) ≡n g(a). Proof: Arithmetic with plus, minus, and times modulo n gives the same result no matter which representatives mod n are used.

  6. Degree of a Polynomial Modulo n. The degree of f(x) mod n is the highest power of x in f(x) with a non-zero coefficient modulo n. Theorem: For any g(x), there is a polynomial f(x) of degree ≤ φ(n) such that g(a) ≡n f(a) for every a ∈ Zn*. Proof: Transform g(x) by doing all arithmetic with the rule x^φ(n) ≡n 1.

  7. For the rest of the lecture: Zp and Zp*, with p prime.

  8. Zp = {0, 1, 2, …, p-1}
     Zp* = {1, 2, 3, …, p-1}
     Define +p and *p: a +p b = (a + b mod p), a *p b = (a * b mod p)
     c *p (a +p b) ≡p (c *p a) +p (c *p b)
     • <Zp, +p>: Closed, Associative, 0 is identity, Additive Inverses, Cancellation, Commutative
     • <Zp - {0}, *p>: Closed, Associative, 1 is identity, Multiplicative Inverses, Cancellation, Commutative

  9. We will now work in Zp = {0, 1, 2, …, p-1}
     • + is defined as +p
     • * is defined as *p
     • ab means a*b
     • Let X denote a variable.

  10. A polynomial f(X) over Zp is any expression of the form a0 + a1 X + a2 X^2 + … + a_{p-1} X^{p-1} where a0, a1, …, a_{p-1} ∈ Zp. Degree of f(X) = highest power with a non-zero coefficient.

  11. Solving Linear Equations: a ≠ 0 ⇒ aX + b = 0 has the unique solution X = -b/a.
      Proof:
      aX + b + (-b) = (-b)
      aX + 0 = -b
      aX = -b
      (1/a) aX = (1/a)(-b) = -b/a

  12. Two points define a line. Let (x1, y1) and (x2, y2) be points with x1 ≠ x2. There is a unique line f(X) = aX + b passing through the two points:
      a x1 + b = y1
      a x2 + b = y2
      a x1 – a x2 = y1 – y2
      a (x1 – x2) = y1 – y2
      a = (y1 – y2)/(x1 – x2)
      b = y1 – a x1

  13. Polynomial Interpolation. Let a1, a2, …, a_{k+1} be any distinct elements of Zp. Let b1, …, b_{k+1} be any elements of Zp. There is a degree ≤ k polynomial f(X) over Zp such that f(a_i) = b_i for 1 ≤ i ≤ k+1. I.e., it is possible to fit a degree ≤ k polynomial through any set of k+1 points with distinct first coordinates.

  14. Polynomial interpolation is just encoding a “case statement” in polynomial arithmetic.

  15. Encoding a case statement on distinct cases a1, a2, a3, …, a_{k+1}:
      • For all 1 ≤ j ≤ k+1, define h_j(X) = ∏_{i ≠ j} (X – a_i)
      • h_j(a_j) = product of non-zero things ≠ 0
      • CASE_j(X) = (h_j(a_j))^{-1} h_j(X)
      • CASE_j(X) has degree ≤ k
      • CASE_j(a_i) = 0 for i ≠ j
      • CASE_j(a_j) = 1

  16. CASE_j(X) has degree ≤ k, CASE_j(a_i) = 0 for i ≠ j, CASE_j(a_j) = 1.
      • f(X) = CASE_1(X) b_1 + CASE_2(X) b_2 + … + CASE_{k+1}(X) b_{k+1}
      • f(X) has degree ≤ k
      • f(a_j) = b_j for all 1 ≤ j ≤ k+1

  17. Polynomial Interpolation. Let a1, a2, …, a_{k+1} be any distinct elements of Zp. Let b1, …, b_{k+1} be any elements of Zp. There is a degree ≤ k polynomial f(X) over Zp such that f(a_i) = b_i for 1 ≤ i ≤ k+1. I.e., it is possible to fit a degree ≤ k polynomial through any set of k+1 points with distinct first coordinates.

  18. Theorem: No two of the p^{d+1} polynomials of degree ≤ d compute the same function.
      • Lemma 1: There are ≤ p^{d+1} distinct polynomials of degree ≤ d, since they all have the form a0 + a1 X + a2 X^2 + … + a_d X^d.
      • Lemma 2: There are ≥ p^{d+1} distinct functions computed by polynomials of degree ≤ d: interpolate the points (1, b1), (2, b2), …, (d+1, b_{d+1}) for any choice of the b's.

  19. Unique Polynomial Interpolation. Let a1, a2, …, a_{k+1} be any distinct elements of Zp. Let b1, …, b_{k+1} be any elements of Zp. There is a unique degree ≤ k polynomial f(X) over Zp such that f(a_i) = b_i for 1 ≤ i ≤ k+1. A set of k+1 points with distinct first coordinates defines a unique degree ≤ k curve.

  20. Lagrange's Theorem for Zp: A non-trivial polynomial p(X) of degree d has at most d roots.
      • Proof: If p(X) had d+1 roots, there would be a unique degree ≤ d polynomial passing through those d+1 points (interpolation theorem), and p(X) is one such polynomial. The trivial (all 0) polynomial also passes through them. Hence p(X) is the trivial polynomial.

  21. Corollary: Two distinct polynomials of degree ≤ d can agree in at most d places.
      • Suppose two degree ≤ d polynomials f(X) and g(X) agree in more than d places. Then f(X) – g(X) has more than d roots and is hence zero in every coefficient. Thus f(X) = g(X). Contradiction.

  22. Fundamental Theorem Of Polynomials Modulo p
      • Each of the p^{d+1} degree ≤ d polynomials mod p computes a distinct function.
      • Any non-zero degree ≤ d polynomial over Zp has at most d roots.
      • Two distinct degree ≤ d polynomials can agree in at most d places.

  23. X^2 – 1 = 0 modulo 8 has 4 solutions: 1, -1, 3, -3. (A degree 2 polynomial with 4 roots: the root bound above relies on the modulus being prime.)

  24. These polynomials have great applications to secret sharing!

  25. Nuclear Launch Codes: sub/silo sanity/authority check
      • Missile has a random secret s deeply encoded into its hardware. It will not arm without being given s.
      • n officers have each memorized a private, individual "share".
      • Any k out of the n of them should be able to assemble their shares so as to obtain s.
      • Any ≤ k-1 of them should not be able to jointly determine any information about s.

  26. k out of n threshold secret sharing scheme using polynomials over Zp.
      • Let s ∈ Zp be a random "secret".
      • Create randomized shares as follows:
      • Pick random r1, r2, …, r_{k-1} ∈ Zp
      • Let f(X) = s + r1 X + r2 X^2 + … + r_{k-1} X^{k-1}
      • For each i, give officer i the value of the polynomial evaluated at i.
      • "Officer i's share": f(i)

  27. k out of n threshold secret sharing scheme using polynomials over Zp.
      • Let s ∈ Zp be a random "secret".
      • Pick random r1, r2, …, r_{k-1} ∈ Zp
      • Let f(X) = s + r1 X + r2 X^2 + … + r_{k-1} X^{k-1}
      • "Officer i's share": f(i)
      • f(0) = s = where f hits the y-axis.
      • f(X) was chosen to be a random degree ≤ k-1 polynomial given that f hits the y-axis at s.
      • I.e., each such polynomial is equally likely to be chosen.

  28. k out of n threshold secret sharing scheme using polynomials over Zp.
      • Let s ∈ Zp be a random "secret".
      • Pick random r1, r2, …, r_{k-1} ∈ Zp
      • Let f(X) = s + r1 X + r2 X^2 + … + r_{k-1} X^{k-1}
      • "Officer i's share": f(i)
      • If k officers combine, they will know f(X) evaluated at k points. They can interpolate f(X) and calculate f(0) = s.

  29. k out of n threshold secret sharing scheme using polynomials over Zp.
      • Let s ∈ Zp be a "secret".
      • Pick random r1, r2, …, r_{k-1} ∈ Zp
      • Let f(X) = s + r1 X + r2 X^2 + … + r_{k-1} X^{k-1}
      • "Officer i's share": f(i)
      • If k-1 officers combine, they will know f(X) evaluated at k-1 points. For each s' ∈ Zp, there is a unique degree ≤ k-1 polynomial passing through their k-1 points with f(0) = s'. Each one is equally likely. Thus, the officers get no information about s.

  30. Shamir's k out of n Secret Sharing Scheme: Let s ∈ Zp be a random "secret". Create randomized shares as follows: Pick random r1, r2, …, r_{k-1} ∈ Zp. Let f(X) = s + r1 X + r2 X^2 + … + r_{k-1} X^{k-1}. Share i = f(i). Any k shares can be interpolated to obtain f(X), and hence f(0) = s. Fewer than k shares give no information at all about s.

  31. Error Correcting Codes. Length d messages over an alphabet of size p. Use elements of Zp as your alphabet. Pick any 1-1 correspondence between messages and polynomials of degree ≤ d-1. We can think of sending a polynomial P(X) instead of a message. Let n = 3d + 1. [requires p > 2d + 1] Send n symbols: P(1), P(2), …, P(n). Up to d errors at the receiver end: P'(1), P'(2), …, P'(n).

  32. Error Correcting Codes. Pick any 1-1 correspondence between messages and polynomials of degree ≤ d-1. We can think of sending a polynomial P(X) instead of a message. Let n = 3d + 1. [requires p > 3d + 1] Send n symbols: P(1), P(2), …, P(n). Up to d errors at the receiver end: P'(1), P'(2), …, P'(n). P' agrees with P on at least 2d+1 of the n values. Any other degree ≤ d-1 polynomial agreeing with P' on that many values would agree with P on at least d+1 values, and so (by the corollary above) would equal P.

  33. Error Correcting Codes. Pick any 1-1 correspondence between messages and polynomials of degree ≤ d-1. We can think of sending a polynomial P(X) instead of a message. Let n = 3d + 1. [requires p > 3d + 1] Send n symbols: P(1), P(2), …, P(n). Up to d errors at the receiver end: P'(1), P'(2), …, P'(n). The original message can be uniquely reconstructed!
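The three constructions of the lecture carried out over Zp in one place, as an added example that is not part of the slides: the CASE_j interpolation of slides 15-16, Shamir's k out of n scheme of slides 26-30, and the n = 3d+1 error-correcting code of slides 31-33. The prime P = 101, the function names, the sample secret and message, and the brute-force decoder (a search over d-subsets of the received points, used here for clarity rather than as a practical decoding algorithm) are this example's own choices.

```python
from itertools import combinations
import secrets
P = 101  # prime chosen for this example; every value below lives in Zp = {0, ..., P-1}

def evaluate(coeffs, x, p=P):
    """Evaluate a0 + a1 X + a2 X^2 + ... at x modulo p (coeffs listed lowest degree first)."""
    return sum(c * pow(x, i, p) for i, c in enumerate(coeffs)) % p

def interpolate(points, p=P):
    """The unique degree <= k polynomial through k+1 points with distinct first coordinates,
    built as sum_j CASE_j(X) * b_j with CASE_j(X) = h_j(a_j)^-1 * h_j(X) (slides 15-16)."""
    coeffs = [0] * len(points)
    for j, (aj, bj) in enumerate(points):
        hj = [1]  # h_j(X) = prod_{i != j} (X - a_i), kept as a coefficient list
        for i, (ai, _) in enumerate(points):
            if i != j:  # multiply by (X - a_i): new[m] = old[m-1] - a_i * old[m]
                hj = [(lo - ai * hi) % p for lo, hi in zip([0] + hj, hj + [0])]
        scale = bj * pow(evaluate(hj, aj, p), -1, p) % p  # h_j(a_j) != 0 since the a_i are distinct
        coeffs = [(c + scale * h) % p for c, h in zip(coeffs, hj)]
    return coeffs

def shamir_share(s, k, n, p=P):
    """Shamir k-of-n: f(X) = s + r1 X + ... + r_{k-1} X^{k-1} with random r_i; share i is (i, f(i))."""
    f = [s] + [secrets.randbelow(p) for _ in range(k - 1)]
    return [(i, evaluate(f, i, p)) for i in range(1, n + 1)]

def shamir_recover(shares, p=P):
    """Any k shares determine f by interpolation, and the secret is f(0)."""
    return interpolate(shares, p)[0]

def ecc_encode(msg, p=P):
    """A length-d message is P(X) of degree <= d-1; send the n = 3d+1 symbols P(1), ..., P(n)."""
    return [evaluate(msg, x, p) for x in range(1, 3 * len(msg) + 2)]

def ecc_decode(received, d, p=P):
    """Undo up to d corrupted symbols: the degree <= d-1 polynomial agreeing with the received word
    on >= 2d+1 positions (unique by slide 32). Brute force over d-subsets; for teaching, not production."""
    word = list(enumerate(received, start=1))
    for subset in combinations(word, d):
        cand = interpolate(list(subset), p)
        if sum(evaluate(cand, x, p) == y for x, y in word) >= 2 * d + 1:
            return cand
    return None  # more than d errors: no unique reconstruction

if __name__ == "__main__":
    print(shamir_recover(shamir_share(42, k=3, n=5)[1:4]))  # any 3 of the 5 shares give back 42
    sent = ecc_encode([7, 3])  # constructed message: P(X) = 7 + 3X, d = 2, so n = 7 symbols are sent
    noisy = [(y + (5 if x in (1, 5) else 0)) % P for x, y in enumerate(sent, start=1)]  # 2 errors
    print(ecc_decode(noisy, 2))  # [7, 3]
```

Feeding k-1 shares plus a guessed point (0, s') into interpolate always yields a valid degree ≤ k-1 polynomial, which is the "no information" argument of slide 29 made concrete.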
