Lecture 14. Outline. Modular Arithmetic Fact and Secrets There exists a polynomial... Modular Arithmetic Fact: Exactly 1 degree d polynomial with ≤ arithmetic modulo prime p contains d + 1 pts. Modular Arithmetic Fact: There is exactly 1 polynomial of degree d with arithmetic modulo prime p that contains d + 1 pts. Proof of at least one polynomial: ≤ Given points: (x ,y );(x ,y ) (x ,y ). Note: The points have to have different x values! 1 1 2 2 ··· d+1 d+1 1. Finish Polynomials and Secrets. Shamir’s k out of n Scheme: ∏j=i (x xj ) Secret s 0,...,p 1 ∆i (x) = 6 − . 2. Finite Fields: Abstract Algebra ∈ { − } ∏j=i (xi xj ) 6 − 1. Choose a0 = s, and random a1,...,ak 1. 3. Erasure Coding k 1 k 2 − 2. Let P(x) = ak 1x − + ak 2x − + a0 with a0 = s. Numerator is 0 at xj = xi . − − ··· 6 3. Share i is point (i,P(i) mod p). Denominator makes it 1 at xi . Roubustness: Any k shares gives secret. And.. Knowing k pts, find unique P(x), evaluate P(0). Secrecy: Any k 1 shares give nothing. − P(x) = y1∆1(x) + y2∆2(x) + + yd+1∆d+1(x). Knowing k 1 pts, any P(0) is possible. ··· ≤ − hits points (x ,y );(x ,y ) (x ,y ). Degree d polynomial! 1 1 2 2 ··· d+1 d+1 Construction proves the existence of a polynomial! Reiterating Examples. Simultaneous Equations Method. Quadratic ∏j=i (x xj ) ∆ (x) = 6 − . 2 i ∏j=i (xi xj ) For a line, a1x + a0 = mx + b contains points (1,3) and (2,4). For a quadratic polynomial, a2x + a1x + a0 hits (1,2);(2,4);(3,0). 6 − Degree 1 polynomial, P(x), that contains (1,3) and (3,4)? Plug in points to find equations. P(1) = m(1) + b m + b 3 (mod 5) Work modulo 5. ≡ ≡ P(2) = m(2) + b 2m + b 4 (mod 5) P(1)= a2 + a1 + a0 2 (mod 5) ≡ ≡ ≡ ∆ (x) contains (1,1) and (3,0). P(2)= 4a + 2a + a 4 (mod 5) 1 2 1 0 ≡ (x 3) x 3 P(3)= 4a2 + 3a1 + a0 0 (mod 5) ∆1(x) = 1−3 = −2 ≡ = 2−(x 3−) = 2x 6 = 2x + 4 (mod 5). Subtract first from second.. − − a2 + a1 + a0 2 (mod 5) For a quadratic, a x2 + a x + a hits (1,3);(2,4);(3,0). ≡ 2 1 0 m + b 3 (mod 5) 3a + 2a 1 (mod 5) ≡ 1 0 ≡ Work modulo 5. m 1 (mod 5) 4a + 2a 2 (mod 5) ≡ 1 0 ≡ Find ∆1(x) polynomial contains (1,1);(2,0);(3,0). Subtracting 2nd from 3rd yields: a1 = 1. (x 2)(x 3) (x 2)(x 3) Backsolve: b 2 (mod 5). Secret is 2. 1 1 ∆ (x) = − − = − − = 3(x 2)(x 3) ≡ a0 = (2 4(a1))2− = ( 2)(2− ) = (3)(3) = 9 4 (mod 5) 1 (1 2)(1 3) 2 − − ≡ − − − − And the line is... a = 2 1 4 2 (mod 5) . = 3x2 + 1 (mod 5) 2 − − ≡ x + 2 mod 5. So polynomial is 2x2 + 1x + 4 (mod 5) Put the delta functions together. In general.. Uniqueness. Given points: (x ,y );(x ,y ) (x ,y ). 1 1 2 2 ··· k k Solve... Uniqueness Fact. At most one degree d polynomial contains d + 1 points. k 1 ak 1x − + + a0 y1 (mod p) − 1 ··· ≡ Proof: k 1 Modular Arithmetic Fact: Exactly 1 polynomial of degree d with ak 1x − + + a0 y2 (mod p) ≤ − 2 ··· ≡ arithmetic modulo prime p contains d + 1 pts. Roots fact: Any degree d polynomial has at most d roots. Existence: Lagrange interpolation. Uniqueness? Assume two different polynomials Q(x) and P(x) hits d + 1 points. k 1 ak 1x − + + a0 yk (mod p) Uniqueness Fact. At most one degree d polynomial hits d +1 points. R(x) = Q(x) P(x) has d + 1 roots and is degree d. − k ··· ≡ − Contradiction. Must prove Roots fact. Will this always work? As long as solution exists and it is unique! And... Modular Arithmetic Fact: Exactly 1 polynomial of degree d with ≤ arithmetic modulo prime p contains d + 1 pts. Polynomial Division. Only d roots. Summary. 2 Divide 4x 3x + 2 by (x 3) modulo 5. Lemma 1: P(x) has root a iff P(x)/(x a) has remainder 0: − − − P(x) = (x a)Q(x). − Proof: P(x) =( x a)Q(x)+ r. 4 x + 4 r 4 − ----------------- Plugin a: P(a) = r = 0. x - 3 ) 4xˆ2 - 3 x + 2 Modular Arithmetic Fact: Exactly 1 polynomial of degree d with Lemma 2: P(x) has d roots; r1,...,rd then ≤ 4xˆ2 - 2x arithmetic modulo prime p contains d + 1 pts. P(x) = (x r1)(x r2) (x rd )c(x). ---------- − − ··· − Existence: 4x + 2 Proof Sketch: By induction. Lagrange Interpolation. 4x - 2 Base Case: degree 0. No roots. ------- Uniqueness: Induction Step: P(x) = (x r )Q(x) by Lemma 1. 4 − 1 At most d roots for degree d polynomial. Q(x) has smaller degree ... so by induction hypothesis... we are done. 4x2 3x + 2 (x 3)(4x + 4) + 4 (mod 5) − ≡ − Thus,d + 1 roots implies degree is at least d + 1. In general, divide P(x) by (x a) gives Q(x) and remainder r. − The contrapositive... That is, P(x) = (x a)Q(x) + r − Roots fact: Any degree d polynomial has at most d roots. r is degree 0 polynomial..or a constant! Finite Fields Secret Sharing Efficiency. Modular Arithmetic Fact: Exactly one polynomial degree d over ≤ GF(p), P(x), that hits d + 1 points. Need p > n to hand out n shares: P(1)...P(n). Proof works for reals, rationals, and complex numbers. Shamir’s k out of n Scheme: For b-bit secret, must choose a prime p > 2b. ..but not for integers, since no multiplicative inverses. Secret s 0,...,p 1 ∈ { − } Theorem: There is always a prime between n and 2n. Arithmetic modulo a prime p has multiplicative inverses.. 1. Choose a0 = s, and random a1,...,ak 1. − Working over numbers within 1 bit of secret size. ..and has only a finite number of elements. k 1 k 2 2. Let P(x) = ak 1x − + ak 2x − + a0 with a0 = s. Minimal! − − ··· Good for computer science. 3. Share i is point (i,P(i) mod p). With k shares, reconstruct polynomial, P(x). Arithmetic modulo a prime p is a finite field denoted by Fp or GF(p). With k 1 shares, any of p values possible for P(0)! − Intuitively, a field is a set with operations corresponding to addition, Roubustness: Any k knows secret. (Within 1 bit of) any b-bit string possible! multiplication, and division. Knowing k pts, only one P(x), evaluate P(0). Secrecy: Any k 1 knows nothing. (Within 1 bit of) b-bits are missing: one P(i). − Knowing k 1 pts, any P(0) is possible. ≤ − Within 1 of optimal number of bits. Efficiency: ??? Runtime. A bit of counting. Erasure Codes. Satellite 3 packet message. So send 6! Runtime: polynomial in k, n, and logp. What is the number of degree d polynomials over GF(m)? 1 2 3 1 2 3 1. Evaluate degree n 1 polynomial n + k times using logp-bit 2− numbers. O(knlog p). I md+1: d + 1 coefficients from 0,...,m 1 . { − } 2. Reconstruct secret by solving system of n equations using I md+1: d + 1 points with y-values from 0,...,m 1 Lose 3 out 6 packets. logp-bit arithmetic. O(n3 log2 p). { − } 1 2 3 1 2 3 3. Matrix has special form so O(nlognlog2 p) reconstruction. Infinite number for reals, rationals, complex numbers! Faster versions in practice are almost as efficient. GPS device Gets packets 1,1,and 3. Problem: Want to send a message with n packets. Channel: Lossy channel: loses k packets. Question: Can you send n + k packets and recover message? On Friday!.