modular exponentiation - centro de investigaci³n y de estudios

Aritmética Computacional Francisco Rodríguez Henríquez

Modular Exponentiation



We do NOT compute C := Me mod n

By first computing Me

And then computing C := (Me) mod n

Temporary results must be reduced modulo

n at each step of the exponentiation.



M15

How many multiplications are needed??

Naïve Answer (requires 14 multiplications):

M→ M2 → M3 → M4 → M5 →… → M15

Binary Method (requires 6 multiplications):

M→ M2 → M3 → M6 → M7 →M14→ M15


Modular Exponentiation: Binary Method

Let k be the number of bits of e, i.e.,

Input: M, e, n.

Output: C := Me mod n1. If ek-1 = 1 then C := M else C := 1;2. For i = k-2 downto 0

3. C := C2 mod n4. If ei = 1 then C := C⋅M mod n

5. Return C;

! "

( )

{ }1,0for

2

log1

1

0

0121

2

#

==

+=

$%

=%%

i

k

i

i

ikk

e

eeeeee

ek

K



Example: e = 250 = (11111010), thus k = 8

Initially, C = M since ek-1 = e7 = 1.

M250(M125)2 = M25000M124⋅M = M125(M62)2 = M12411

M62(M31)2 = M6202M30⋅M = M31(M15)2 = M3013M14⋅M = M15(M7)2 = M1414M6⋅M = M7(M3)2 = M615M2⋅M = M3(M)2 = M216

MM17Step 2bStep 2aeii



The binary method requires:• Squarings: k-1• Multiplications: The number of 1s in the binary

expansion of e, excluding the MSB.The total number of multiplications:Maximum: (k-1) + (k-1) = 2(k-1)Minimum: (k-1) + 0 = k-1Average: (k-1) + 1/2 (k-1) = 1.5(k-1)



By scanning the bits of e2 at a time: quaternary method3 at a time: octal methodEtc.m at a time: m-ary method.Consider the quaternary method: 250 = 11 11 10 10Some preprocessing required.At each step 2 squaring performed.


Modular Exponentiation: Quaternary Method

Example:

M2⋅M =M3311M⋅M =M2210

M1011000

Mjjbits


Modular Exponentiation: Quaternary Method

Example: e = 250 = 11 11 10 10

The number of multiplications: 2+6+3 = 11

M248⋅M2 =M250(M62)4 = M24810M60⋅M2 =M62(M15)4 = M6010M12⋅M3 =M15(M3)4 = M1211

M3M311Step 2bStep 2abits


Modular Exponentiation: Octal Method

M6⋅M =M77111M5⋅M =M66110M4⋅M =M55101M3⋅M =M44100M2⋅M =M33011M⋅M =M22010

M100110000

Mjjbits



Example: e = 250 = 011 111 010

The number of multiplications: 6+6+2 = 14(compute only M2 and M7: 4+6+2 = 12)

M248⋅M2 =M250(M31)8 = M248010M24⋅M7 =M31(M3)8 = M24111

M3M3011Step 2bStep 2abits



Assume 2d = m and k/d is an integer. The averagenumber of multiplications plus squaringsrequired by the m-ary method:

• Preprocessing Multiplications: m-2 = 2d – 2.(why??)

• Squarings: (k/d - 1) ⋅ d = k – d. (why??)• Multiplications:• Moral: There is an optimum d for every k.

( ) !"

#$%

&'('=!

"

#$%

&'(

' '1211

1

d

k

d

k

m

m d


Modular Exponentiation: Average Number ofMultiplications

20.6624393071204818.8512461535102417.2563576751215.1432538325612.63, 416719112810.538595648.52, 34347328.622123169.1210118

Savings %dMMBMk


Modular Exponentiation: PreprocessingMultiplications

Consider the following exponent for k = 16 and d =4: 1011 0011 0111 1000

Which implies that we need to compute Mw mod nfor only: w = 3, 7, 8, 11.

M2 = M⋅M; M3 = M2⋅M; M4 = M2⋅M2;M7 = M3⋅M4; M8 = M4⋅ M4; M11 = M8⋅M3.This requires 6 multiplications. Computing all of the

exponent values would require 16-2 = 14preprocessing multiplications.


Modular Exponentiation: Sliding WindowTechniques

Based on adaptive (data dependent) m-ary partitioning ofthe exponent.

• Constant length nonzero windowsRule: Partition the exponent into zero words of any

length and nonzero words of length d.• Variable length nonzero windowsRule: Partition the exponent into zero words of length at

least q and nonzero words of length at most d.


Modular Exponentiation: Constant lengthnonzero Windows

Example: for d = 3, we partitione = 3665 = (111001010001)2As 111 00 101 0 001First compute Mj for odd j ∈ [1, m-1]

M5⋅M2 = M77111M3⋅M2 = M55101M⋅M2 = M33011M⋅M = M22010

M1001Mjjbits



Example: for d = 3, we partitione = 3665 = (111001010001)2As 111 00 101 0 001First compute Mj for odd j ∈ [1, m-1]

M3664⋅M1 = M3665(M458)8 = M3664001M458(M229)2 = M4580

M224⋅M5 = M229(M28)8 = M224101M28(M7)4 = M2800M7M7111

Step 2bStep 2abits



Example: for d = 3, we partitione = 3665 = (111001010001)2As 111 00 101 0 001

Average Number of Multiplications

3.2723606243920484.1611955124610244.4560756355125.2530843252566.641564167128

%dCLNWdm-aryk


Modular Exponentiation: Variable Lengthnonzero Windows

Example: d = 5 and q = 2.101 0 11101 00 10110111 000000 1 00 111 000 1011

Example: d = 10 and q = 4.1011011 0000 11 000011110111 00 1111110101 0000 11011


Modular Exponentiation: The Factor Method.

• The factor Method is based on factorization of theexponent e = rs where r is the smallest prime factorof e and s > 1.

• We compute Me by first computing Mr and thenraising this value to the sth power.

(Mr)s = Me.

If e is prime, we first compute Me-1, then multiply thisquantity by M.


Modular Exponentiation: The Factor Method.

Factor Method: 55 = 5⋅11.Compute M → M2 → M4 → M5;Assign y := M5;Compute y → y2;Assign z := y2;Compute z → z2 → z4 → z5;Compute z5 → (z5y) = y11 = M55;Total: 8 multiplications!Binary Method: e = 55 = (110111)2

5+4 = 9 multiplications!!


Sliding Window Method.


Modular Exponentiation: The Power TreeMethod.

Consider the node e of the kth level, from left to right.Construct the (k+1)st level by attaching below thenode e the nodes e + a1, e + a2, e + a3, …, e + ak

Where a1, a2, a3, …, ak

is the path from the root of the tree to e.

(Note: a1 = 1 and ak = e)

Discard any duplicates that have already appeared in thetree.



1

2

3 46

5

7 10

14 11 13 15 20

19 21 28 22 23 26

9 12

18 24

8

16

17 32


Computation using power tree.

Find e in the power tree. The sequence of exponents thatoccurs in the computation of Me is found on the pathfrom the root to e.

Example: e = 23 requires 6 multiplications.M → M2 → M3 → M5 → M10 → M13 → M23.Since 23 = (10111), the binary method requires 4 + 3 = 7

multiplications.Since 23 -1 = 22 = 2⋅11, the factor method requires 1 + 5

+ 1 = 7 multiplications.


Addition Chains

Consider a sequence of integers a0, a1, a2, …, ar

With a0 = 1 and ar = e. The sequence is constructed in such a waythat for all k there exist indices i, j ≤ k such that, ak = ai + aj.

The length of the chain is r. A short chain for a given e implies anefficient algorithm for computing Me.

Example: e = 55 BM: 1 2 3 6 12 13 26 27 54 55

QM: 1 2 3 6 12 13 26 52 55

FM: 1 2 4 5 10 20 40 50 55

PTM: 1 2 3 5 10 11 22 44 55


Addition Chains

• Finding the shortest addition chain is NP-complete.

• Upper-bound is given by binary method:

Where H(e) is the Hamming weight of e.

• Lower-bound given by Schönhage:

• Heuristics: binary, m-ary, adaptive m-ary, sliding windows,power tree, factor.

! " ( ) 1log2 #+ eHe

! " ( ) 13.2log2 #+ eHe


Addition-Subtraction Chains

Convert the binary number to a signed-digitrepresentation using the digits {0, 1, -1}.

These techniques use the identity: 2i+j-1 + 2i+j-2 +…+2i =2i+j - 2i

To collapse a block of 1s in order to obtain a sparserepresentation of the exponent.

Example: (011110) = 24 + 23 + 22 + 21

(10001’0) = 25 - 21

These methods require that M-1 mod n be supplied alongwith M.


Recoding Binary Method

Input: M, M-1, e, n.Output: C := Me mod n.1. Obtain signed-digit recoding d of e.2. If dk = 1 then C := M else C := 13. For i = k -1 downto 0

4. C := C⋅C mod n5. If di = 1 then C := C⋅M mod n6. If di = 1’ then C := C⋅ M-1 mod n

7. Return C;

This algorithm is especially usefulFor ECC since theInverse is availableAt no cost.


Modular Exponentiation: BinaryMethod Variations


Side Channel Attacks

Algorithm Binary exponentiation Input: a in G, exponent d = (dk,dk-1,…,d0)　　　　　(dk is the most significant bit) Output: c = ad in G 1. c = a; 2. For i = k-1 down to 0; 3. c = c2; 4. If di =1 then c = c*a; 5. Return c;

The time or the power to execute c2 and c*a are different

(side channel information).

Algorithm Coron’s exponentiation Input: a in G, exponent d = (dk,dk-1,…,dl0) Output: c = ad in G 1. c[0] = 1; 2. For i = k-1 down to 0; 3. c[0] = c[0]2; 4. c[1] = c[0]*a; 5. c[0] = c[di]; 6. Return c[0];


Mod. Exponentiation: LSB-First Binary

Let k be the number of bits of e, i.e.,

Input: M, e, n.

Output: C := Me mod n1. R:= 1; C := M;2. For i = 0 to n-1

3. If ei = 1 then R := R⋅C mod n4. C := C2 mod n

5. Return R;

! "

( )

{ }1,0for

2

log1

1

0

0121

2

#

==

+=

$%

=%%

i

k

i

i

ikk

e

eeeeee

ek

K


Modular Exponentiation: LSB First Binary

Example: e = 250 = (11111010), thus k = 8

(M128)2 = M256M122 * M128=M250

10(M64)2 = M128M58 * M64= M12211(M32)2 = M64M26 * M32= M5812(M16)2 = M32M10 * M16= M2613(M8)2 = M16M2 * M8= M1014(M4)2 = M8M205(M2)2 = M41*(M)2 = M216

M2107Step 4 (C)Step 3 (R)eii


Modular Exponentiation: LSB First Binary

The LSB-First binary method requires:• Squarings: k-1• Multiplications: The number of 1s in the binary

expansion of e, excluding the MSB.The total number of multiplications:Maximum: (k-1) + (k-1) = 2(k-1)Minimum: (k-1) + 0 = k-1Average: (k-1) + 1/2 (k-1) = 1.5(k-1)Same as before, but here we can compute the

Multiplication operation in parallel with thesquarings!!


Arquitectura del Multiplicador[Mario García et al ENC03]


Desarrollo (Método q-ario)


Ejemplo

• 0xCAFE = 1100 1010 1111 1110• BM: 10 Mult. + 15 Sqr.• Q-ary : 3 Mult + 47 sqr + 7 Symb.• Q-ary+PC: 3 Mult. + 3sqr. + 28 Symb

012316161616 !!!!

=EFACCAFE

MMMMM


Desarrollo (Método q-ario)

• Precálculo de W.

• Tamaño de q.

• Cálculo de d = 2^p * q


Desarrollo (Análisis)

• Tamaño de memoria y tiempo deejecución del precómputo W.

• Número de multiplicaciones yelevaciones al cuadrado para método q-ario.


Tiempo de Ejecución Vs. Número de Procs.


Tamaño de Memoria

modular exponentiation - centro de investigaci³n y de estudios

Documents