Modular Exponentiation

dorcas
Presentation Transcript


  1. Modular Exponentiation

  2. Modular Exponentiation. We do NOT compute $C := M^e \bmod n$ by first computing $M^e$ and then computing $C := (M^e) \bmod n$. Temporary results must be reduced modulo n at each step of the exponentiation.

  3. Modular Exponentiation: $M^{15}$. How many multiplications are needed?
     • Naïve answer (requires 14 multiplications): $M \to M^2 \to M^3 \to M^4 \to M^5 \to \dots \to M^{15}$
     • Binary method (requires 6 multiplications): $M \to M^2 \to M^3 \to M^6 \to M^7 \to M^{14} \to M^{15}$

  4. Modular Exponentiation: Binary Method
     Let k be the number of bits of e, i.e.,
     Input: M, e, n. Output: $C := M^e \bmod n$
     • If $e_{k-1} = 1$ then $C := M$ else $C := 1$;
     • For i = k-2 downto 0
         • $C := C^2 \bmod n$
         • If $e_i = 1$ then $C := C \cdot M \bmod n$
     • Return C;

  5. Modular Exponentiation: Binary Method. Example: e = 250 = (11111010), thus k = 8. Initially, C = M since $e_{k-1} = e_7 = 1$.

  6. Modular Exponentiation: Binary Method
     The binary method requires:
     • Squarings: k-1
     • Multiplications: the number of 1s in the binary expansion of e, excluding the MSB.
     The total number of multiplications:
     • Maximum: (k-1) + (k-1) = 2(k-1)
     • Minimum: (k-1) + 0 = k-1
     • Average: (k-1) + 1/2 (k-1) = 1.5(k-1)

  7. Modular Exponentiation
     By scanning the bits of e
     • 2 at a time: quaternary method
     • 3 at a time: octal method
     • etc.
     • m at a time: m-ary method.
     Consider the quaternary method: 250 = 11 11 10 10. Some preprocessing is required. At each step, 2 squarings are performed.

  8. Modular Exponentiation: Quaternary Method Example:

  9. Modular Exponentiation: Quaternary Method. Example: e = 250 = 11 11 10 10. The number of multiplications: 2+6+3 = 11

  10. Modular Exponentiation: Octal Method

  11. Modular Exponentiation: Octal Method. Example: e = 250 = 011 111 010. The number of multiplications: 6+6+2 = 14 (compute only $M^2$ and $M^7$: 4+6+2 = 12)

  12. Modular Exponentiation: Octal Method
      Assume $2^d = m$ and k/d is an integer. The average number of multiplications plus squarings required by the m-ary method:
      • Preprocessing multiplications: $m - 2 = 2^d - 2$. (why??)
      • Squarings: $(k/d - 1) \cdot d = k - d$. (why??)
      • Multiplications:
      • Moral: There is an optimum d for every k.
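The binary, quaternary and octal methods of slides 4 to 12 are one algorithm with a different digit width d. The following is an added example, not part of the original slides; the function name `mary_pow` and the sample moduli are assumptions. It reduces modulo n after every operation and counts the operations so the totals on slides 3, 9 and 11 can be checked.

```python
def mary_pow(M, e, n, d=1):
    """M^e mod n scanning e in d-bit digits (m = 2^d); d=1 is the binary method.

    Returns (C, preprocessing_mults, squarings, multiplications).
    """
    if e <= 0 or n <= 1 or d < 1:
        raise ValueError("expects e >= 1, n >= 2, d >= 1")
    m = 1 << d
    # Preprocessing: table[w] = M^w mod n for w = 2 .. m-1 (m-2 multiplications).
    table = [1, M % n]
    for _ in range(2, m):
        table.append(table[-1] * table[1] % n)
    pre = m - 2
    # Split e into d-bit digits, most significant first (left-padded with zeros).
    ndigits = -(-e.bit_length() // d)
    digits = [(e >> (d * i)) & (m - 1) for i in reversed(range(ndigits))]
    C = table[digits[0]]                  # the leading digit is never zero
    sq = mul = 0
    for w in digits[1:]:
        for _ in range(d):                # d squarings per digit
            C = C * C % n                 # reduce at every step, never build M^e
            sq += 1
        if w:                             # a zero digit costs no multiplication
            C = C * table[w] % n
            mul += 1
    return C, pre, sq, mul


if __name__ == "__main__":
    for d, name in ((1, "binary"), (2, "quaternary"), (3, "octal")):
        C, pre, sq, mul = mary_pow(3, 250, 1000003, d)
        print(f"{name:10s} e=250: {pre}+{sq}+{mul} = {pre + sq + mul} operations")
```
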

  13. Modular Exponentiation: Average Number of Multiplications

  14. Modular Exponentiation: Preprocessing Multiplications
      Consider the following exponent for k = 16 and d = 4: 1011 0011 0111 1000, which implies that we need to compute $M^w \bmod n$ for only w = 3, 7, 8, 11.
      $M^2 = M \cdot M$; $M^3 = M^2 \cdot M$; $M^4 = M^2 \cdot M^2$; $M^7 = M^3 \cdot M^4$; $M^8 = M^4 \cdot M^4$; $M^{11} = M^8 \cdot M^3$.
      This requires 6 multiplications. Computing all of the exponent values would require 16-2 = 14 preprocessing multiplications.

  15. Modular Exponentiation: Sliding Window Techniques
      Based on adaptive (data dependent) m-ary partitioning of the exponent.
      • Constant length nonzero windows. Rule: Partition the exponent into zero words of any length and nonzero words of length d.
      • Variable length nonzero windows. Rule: Partition the exponent into zero words of length at least q and nonzero words of length at most d.

  16. Modular Exponentiation: Constant length nonzero Windows. Example: for d = 3, we partition e = 3665 = $(111001010001)_2$ as 111001010001. First compute $M^j$ for odd $j \in [1, m-1]$.

  17. Modular Exponentiation: Constant length nonzero Windows. Example: for d = 3, we partition e = 3665 = $(111001010001)_2$ as 111001010001. First compute $M^j$ for odd $j \in [1, m-1]$.

  18. Modular Exponentiation: Constant length nonzero Windows. Example: for d = 3, we partition e = 3665 = $(111001010001)_2$ as 111001010001. Average Number of Multiplications
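The constant length nonzero window rule of slides 15 to 18, as an added example that is not part of the original slides. It assumes the exponent is scanned from the least significant bit, so every nonzero word ends in a 1 and only odd powers of M are precomputed; the function names are assumptions.

```python
def clnw_partition(e, d):
    """Split e into zero words (any length) and nonzero words of length d,
    scanning from the least significant bit. Returns the words, MSB first."""
    bits = bin(e)[2:]
    words, i = [], len(bits)              # bits[:i] is still unpartitioned
    while i > 0:
        if bits[i - 1] == "0":            # zero word: take the whole run of 0s
            j = i
            while j > 0 and bits[j - 1] == "0":
                j -= 1
        else:                             # nonzero word: d bits ending in this 1
            j = max(i - d, 0)             # the top word may be shorter than d
        words.append(bits[j:i])
        i = j
    return words[::-1]


def clnw_pow(M, e, n, d=3):
    """M^e mod n over the CLNW partition; returns (C, total multiplications)."""
    if e < 1 or n < 2 or d < 2:
        raise ValueError("expects e >= 1, n >= 2, d >= 2")
    M %= n
    square = M * M % n                    # M^2 steps between consecutive odd powers
    odd = {1: M}
    for j in range(3, 1 << d, 2):         # M^j for odd j in [1, m-1]
        odd[j] = odd[j - 2] * square % n
    count = len(odd)                      # 1 squaring + (len(odd) - 1) products
    words = clnw_partition(e, d)
    C = odd[int(words[0], 2)]             # the top word is nonzero and odd
    for w in words[1:]:
        for _ in w:                       # one squaring per bit of the word
            C = C * C % n
            count += 1
        if w[-1] == "1":                  # nonzero word: one table multiplication
            C = C * odd[int(w, 2)] % n
            count += 1
    return C, count


if __name__ == "__main__":
    print(" ".join(clnw_partition(3665, 3)))      # 111 00 101 0 001
    print(clnw_pow(5, 3665, 1000003, 3))
```
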

  19. Modular Exponentiation: Variable Length nonzero Windows
      Example: d = 5 and q = 2. 101 0 11101 00 101 10111 000000 1 00 111 000 1011
      Example: d = 10 and q = 4. 1011011 0000 11 0000 11110111 00 1111110101 0000 11011

  20. Modular Exponentiation: The Factor Method.
      • The factor method is based on a factorization of the exponent e = rs, where r is the smallest prime factor of e and s > 1.
      • We compute $M^e$ by first computing $M^r$ and then raising this value to the s-th power: $(M^r)^s = M^e$. If e is prime, we first compute $M^{e-1}$, then multiply this quantity by M.

  21. Modular Exponentiation: The Factor Method.
      Factor method: 55 = 5·11.
      • Compute $M \to M^2 \to M^4 \to M^5$; assign $y := M^5$;
      • Compute $y \to y^2$; assign $z := y^2$;
      • Compute $z \to z^2 \to z^4 \to z^5$;
      • Compute $z^5 \to (z^5 y) = y^{11} = M^{55}$;
      Total: 8 multiplications!
      Binary method: e = 55 = $(110111)_2$, 5+4 = 9 multiplications!!

  22. Sliding Window Method.

  23. Sliding Window Method.

  24. Sliding Window Method.

  25. Modular Exponentiation: The Power Tree Method. Consider the node e of the k-th level, from left to right. Construct the (k+1)-st level by attaching below the node e the nodes $e + a_1, e + a_2, e + a_3, \ldots, e + a_k$, where $a_1, a_2, a_3, \ldots, a_k$ is the path from the root of the tree to e. (Note: $a_1 = 1$ and $a_k = e$.) Discard any duplicates that have already appeared in the tree.

  26. Modular Exponentiation: The Power Tree Method. [Figure: power tree diagram]

  27. Modular Exponentiation: The Power Tree Method.

  28. Computation using power tree. Find e in the power tree. The sequence of exponents that occurs in the computation of $M^e$ is found on the path from the root to e.
      Example: e = 23 requires 6 multiplications: $M \to M^2 \to M^3 \to M^5 \to M^{10} \to M^{13} \to M^{23}$.
      Since 23 = (10111), the binary method requires 4 + 3 = 7 multiplications.
      Since 23 - 1 = 22 = 2·11, the factor method requires 1 + 5 + 1 = 7 multiplications.

  29. Addition Chains
      Consider a sequence of integers $a_0, a_1, a_2, \ldots, a_r$ with $a_0 = 1$ and $a_r = e$. The sequence is constructed in such a way that for all k there exist indices $i, j \le k$ such that $a_k = a_i + a_j$. The length of the chain is r. A short chain for a given e implies an efficient algorithm for computing $M^e$.
      Example: e = 55
      • BM: 1 2 3 6 12 13 26 27 54 55
      • QM: 1 2 3 6 12 13 26 52 55
      • FM: 1 2 4 5 10 20 40 50 55
      • PTM: 1 2 3 5 10 11 22 44 55
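The power tree construction of slide 25 and the addition-chain evaluation of slide 29, as an added example that is not part of the original slides (function names are assumptions). `power_tree_chain` builds the tree level by level with the slide's rule and returns the root-to-e path; `pow_by_chain` evaluates any valid addition chain with one modular multiplication per chain step.

```python
def power_tree_chain(e):
    """Addition chain for e >= 1: the root-to-e path in the power tree."""
    if e < 1:
        raise ValueError("expects e >= 1")
    parent = {1: None}
    level = [1]
    while e not in parent:
        nxt = []
        for node in level:                  # nodes of this level, left to right
            path, a = [], node
            while a is not None:            # walk up to the root
                path.append(a)
                a = parent[a]
            for a in reversed(path):        # a_1 = 1, ..., a_k = node
                child = node + a
                if child not in parent:     # discard duplicates already in the tree
                    parent[child] = node
                    nxt.append(child)
        level = nxt
    chain, a = [], e
    while a is not None:
        chain.append(a)
        a = parent[a]
    return chain[::-1]


def pow_by_chain(M, chain, n):
    """Evaluate M^chain[-1] mod n along an addition chain.

    Returns (result, multiplications); raises ValueError if some element
    is not the sum of two earlier elements.
    """
    if not chain or chain[0] != 1:
        raise ValueError("an addition chain starts at 1")
    powers = {1: M % n}
    for idx in range(1, len(chain)):
        a_k = chain[idx]
        for a_i in chain[:idx]:
            if a_k - a_i in powers:         # a_k = a_i + a_j with both known
                powers[a_k] = powers[a_i] * powers[a_k - a_i] % n
                break
        else:
            raise ValueError(f"{a_k} is not a sum of two earlier elements")
    return powers[chain[-1]], len(chain) - 1


if __name__ == "__main__":
    chain = power_tree_chain(23)
    print(chain, pow_by_chain(7, chain, 1009))
```
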

  30. Addition Chains
      • Finding the shortest addition chain is NP-complete.
      • Upper bound is given by the binary method: where H(e) is the Hamming weight of e.
      • Lower bound given by Schönhage:
      • Heuristics: binary, m-ary, adaptive m-ary, sliding windows, power tree, factor.

  31. Addition-Subtraction Chains
      Convert the binary number to a signed-digit representation using the digits {0, 1, -1}. These techniques use the identity
      $2^{i+j-1} + 2^{i+j-2} + \dots + 2^i = 2^{i+j} - 2^i$
      to collapse a block of 1s in order to obtain a sparse representation of the exponent.
      Example: $(011110) = 2^4 + 2^3 + 2^2 + 2^1$ and $(1000\bar{1}0) = 2^5 - 2^1$, where $\bar{1}$ denotes the digit -1.
      These methods require that $M^{-1} \bmod n$ be supplied along with M.

  32. Recoding Binary Method
      Input: M, $M^{-1}$, e, n. Output: $C := M^e \bmod n$.
      • Obtain signed-digit recoding d of e.
      • If $d_k = 1$ then $C := M$ else $C := 1$
      • For i = k-1 downto 0
          • $C := C \cdot C \bmod n$
          • If $d_i = 1$ then $C := C \cdot M \bmod n$
          • If $d_i = \bar{1}$ then $C := C \cdot M^{-1} \bmod n$
      • Return C;
      This algorithm is especially useful for ECC, since the inverse is available at no cost.
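The recoding binary method of slides 31 and 32, as an added example that is not part of the original slides. The slides do not name a specific signed-digit recoding; this sketch assumes the non-adjacent form (NAF), which is one such recoding, and the function names are assumptions. It needs Python 3.8 or later for `pow(M, -1, n)`.

```python
def naf(e):
    """Signed-digit recoding of e >= 1 (non-adjacent form), digits in
    {0, 1, -1}, returned most significant digit first."""
    digits = []
    while e > 0:
        if e & 1:
            d = 2 - (e % 4)       # +1 if e = 1 mod 4, -1 if e = 3 mod 4
            e -= d                # e is now divisible by 4: next digit is 0
        else:
            d = 0
        digits.append(d)
        e >>= 1
    return digits[::-1]


def recoded_pow(M, e, n):
    """M^e mod n using the signed-digit recoding of e.

    Returns (C, squarings, multiplications). Requires gcd(M, n) = 1,
    because the method multiplies by M^-1 mod n for each -1 digit.
    """
    if e < 1:
        raise ValueError("expects e >= 1")
    M %= n
    M_inv = pow(M, -1, n)         # raises ValueError when M has no inverse
    d = naf(e)                    # the leading digit is always 1
    C, sq, mul = M, 0, 0
    for d_i in d[1:]:
        C = C * C % n
        sq += 1
        if d_i == 1:
            C = C * M % n
            mul += 1
        elif d_i == -1:
            C = C * M_inv % n
            mul += 1
    return C, sq, mul


if __name__ == "__main__":
    print(naf(30))                        # [1, 0, 0, 0, -1, 0], i.e. 2^5 - 2^1
    print(recoded_pow(7, 30, 1009))       # 5 squarings, 1 multiplication
```

The recoded exponent is one digit longer than the binary one in the slide's example, so the saving comes from the smaller number of nonzero digits, not from fewer squarings.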

  33. Modular Exponentiation: Binary Method Variations

  34. Side Channel Attacks
      Algorithm: Binary exponentiation
      Input: a in G, exponent $d = (d_k, d_{k-1}, \ldots, d_0)$ ($d_k$ is the most significant bit)
      Output: $c = a^d$ in G
        1. c = a;
        2. For i = k-1 down to 0;
        3. c = c^2;
        4. If d_i = 1 then c = c*a;
        5. Return c;
      The time or the power needed to execute $c^2$ and c*a are different (side channel information).
      Algorithm: Coron's exponentiation
      Input: a in G, exponent $d = (d_k, d_{k-1}, \ldots, d_0)$
      Output: $c = a^d$ in G
        1. c[0] = a;
        2. For i = k-1 down to 0;
        3. c[0] = c[0]^2;
        4. c[1] = c[0]*a;
        5. c[0] = c[d_i];
        6. Return c[0];
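The difference between the two algorithms on slide 34, as an added example that is not part of the original slides. Each function records the sequence of squarings (S) and multiplications (M) it performs, with G taken to be the integers modulo n; the function names and the two sample exponents are constructed for illustration.

```python
def binary_trace(a, d, n):
    """Left-to-right binary method. Returns (a^d mod n, operation trace)."""
    bits = bin(d)[2:]                     # d_k ... d_0 with d_k = 1
    c, trace = a % n, []
    for b in bits[1:]:
        c = c * c % n
        trace.append("S")
        if b == "1":                      # the multiplication happens only for 1 bits
            c = c * a % n
            trace.append("M")
    return c, "".join(trace)


def coron_trace(a, d, n):
    """Square-and-multiply-always (Coron). Returns (a^d mod n, operation trace)."""
    bits = bin(d)[2:]
    c = [a % n, 0]                        # c[0] starts at a because d_k = 1
    trace = []
    for b in bits[1:]:
        c[0] = c[0] * c[0] % n
        trace.append("S")
        c[1] = c[0] * a % n               # always computed, kept only if the bit is 1
        trace.append("M")
        # Models the operation sequence only: a Python list index is not a
        # constant-time select, and a real implementation needs one.
        c[0] = c[int(b)]
    return c[0], "".join(trace)


if __name__ == "__main__":
    n = 1000003
    for d in (0b11111010, 0b10000101):    # constructed 8-bit exponents
        print(f"{d:08b} binary {binary_trace(3, d, n)[1]:14s}"
              f" coron {coron_trace(3, d, n)[1]}")
```

For two exponents of the same length the binary method's trace differs, while the square-and-multiply-always trace depends only on the bit length, at the cost of one multiplication per bit.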

  35. Mod. Exponentiation: LSB-First Binary
      Let k be the number of bits of e, i.e.,
      Input: M, e, n. Output: $C := M^e \bmod n$
      • R := 1; C := M;
      • For i = 0 to k-1
          • If $e_i = 1$ then $R := R \cdot C \bmod n$
          • $C := C^2 \bmod n$
      • Return R;

  36. Modular Exponentiation: LSB First Binary Example: e = 250 = (11111010), thus k = 8

  37. Modular Exponentiation: LSB First Binary
      The LSB-First binary method requires:
      • Squarings: k-1
      • Multiplications: the number of 1s in the binary expansion of e, excluding the MSB.
      The total number of multiplications:
      • Maximum: (k-1) + (k-1) = 2(k-1)
      • Minimum: (k-1) + 0 = k-1
      • Average: (k-1) + 1/2 (k-1) = 1.5(k-1)
      Same as before, but here we can compute the multiplication operation in parallel with the squarings!!

  38. Multiplier Architecture [Mario García et al., ENC03]

  39. Development (q-ary Method)

  40. Example • 0xCAFE = 1100 1010 1111 1110 • BM: 10 Mult. + 15 Sqr. • Q-ary: 3 Mult. + 47 Sqr. + 7 Symb. • Q-ary+PC: 3 Mult. + 3 Sqr. + 28 Symb.

  41. Development (q-ary Method) • Precomputation of W. • Size of q. • Computation of d = 2^p * q

  42. Development (Analysis) • Memory size and execution time of the precomputation of W. • Number of multiplications and squarings for the q-ary method.

  43. Execution Time vs. Number of Processors

  44. Memory Size
