1 / 15

OEO: O ptimization of E xponentiation O peration ~ A Brief Discussion ~

OEO: O ptimization of E xponentiation O peration ~ A Brief Discussion ~. Kirti Chawla kirti@cs.virginia.edu. Outline. Problem definition Motivation Prevalent Approaches Suggestion Q & A/Feedback. Problem definition. Given n, compute g n

dragon
Download Presentation

OEO: O ptimization of E xponentiation O peration ~ A Brief Discussion ~

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. OEO: Optimization of Exponentiation Operation~ A Brief Discussion ~ Kirti Chawla kirti@cs.virginia.edu

  2. Outline • Problem definition • Motivation • Prevalent Approaches • Suggestion • Q & A/Feedback

  3. Problem definition Given n, compute gn Where, g is fixed element of a group and n < N (order of group).

  4. Motivation • Exponentiation is the most frequently used operation in algorithms including: • Factorization and primality testing • GCD computation • RSA public key cryptosystem • Verification of polynomial identities • … • Exponentiation is also found in most widely deployed authentication protocols including: • Diffie-Hellman Key Exchange • Internet Key Exchange a.k.a IKE • Secure Socket Layer a.k.a SSL • … • Quick biased conclusion: Any and all optimization of exponentiation operation improves performance for aforementioned algorithms and protocols.

  5. Prevalent Approach 1 • Approach 1: Montgomery Multiplication • Step 1. Pick A, B, R, N s.t k; (((R = 2k) > N)  (GCD(R, N) = 1)) • Step 2. Find R’ and N’ s.t. (RR’ – NN’ = 1) • Step 3. Construct a function F with following details: F(T) { m  (T mod R) N’ (mod R) t  (T + mN)/R return t } • It should evident here that F(T) returns (TR’ mod N), where T = A * B • Also, RR’  1 (mod N), NN’  -1 (mod N) • Also, the output of F(T) lies in range [0, N – 1]

  6. Prevalent Approach 1 cont’d Example: Let N = 79, A = 17, B = 26, R = 100; (relaxed requirement for R = 2k) R’ = 64, N’ = 81; (check RR’ – NN’ = 1) A’; (17  A’ * 100 mod 79)  (17 * 64  A’ mod 79)  (17 * 64  61 mod 79) B’; (17  B’ * 100 mod 79)  (26 * 64  B’ mod 79)  (26 * 64  5 mod 79) Therefore, A * B in above representation can be seen as follows: A * B = 17 * 26 = 442  (61 * 100) * (5 * 100)  (305) * (100) * (100)  (68) * (100) * (100) mod 79 442*64  (68) * (100) mod 79 (28228) mod 79  6  (68) * (100) mod 79 Therefore, F(T) should take 442 as input and return 6, which can be verified as under: T = 442, R = 100, R’ = 64, N’ = 81, N = 79 m  (T mod R) * N’ * (mod R) t  (T + mN)/R  (442 mod 100) * 81 * (mod 100)  (442 + 2*79)/100  (42 * 81) mod 100  600/100  6 mod 79

  7. Prevalent Approach 2 Approach 2: Brickell, Gordon, McCurley and Wilson or BGMW by [Gordon et al] Premise: square-and-multiply (from: addition chains) method for gn requires 2 logN, where N is order of group. Suggestion: Pre-compute and store powers of 2 (of g). Quick inference 1: There is no reason to store powers of 2 Quick inference 2: Pre-compute gx0, gx1, … gxm-1 for some integers x0, x1 … xm-1 Requirement: Find a decomposition for n s.t. Where, 0  a  h and 0  i < m What are the implications ?

  8. Prevalent Approach 2 cont’d gn can be computed as follows: Algorithm: ComputeG(gxi) { b 1 a 1 for (d = h; d  1; d--) { for (i=0; ai == d; i++) { b  b * gxi } a  a * b } return a; }

  9. Prevalent Approach 2 cont’d • Quick Inference 3: number of multiplications are 2h – 2 • Quick Inference 4: if cd’s have no relation amongst themselves, then aforementioned metric is optimal. • Approach 2 is extended to other number system as well • Approach 2 can be parallelized. It is shown as under: • b  b * gxi (calculation for cd); spread each cd to 1 of h available • a  a * b (calculation of gn); each processor can compute cd for one d using addition chain method and finally repeated multiplication in pairs to form gn. • This offers the speedup of (loglogN) worst-case using (logN/log2logN) processors.

  10. Prevalent Approach 3 Approach 3: Flexibility + BGMW approach  [Lim et al] Approach Step 1. Divide n (from: gn) into h blocks ni; where, 0  i  h – 1 of size k = b/h Step 2. Further, divide ni into smaller blocks ni, j; where 0  j  v – 1 of size t = k/v Step 3. This division of n for gn transforms the problem of computation as under: Step 4. if we have ni to be expressed in binary representation then gn can be written as under: Step 5. Using pre-computed and stored values of G[j][i] = (G[0][i])2jb

  11. 0 1 2 … h – 1 0 1 … v – 1 Prevalent Approach 3 Algorithm: ComputeG(G[0][i]) { Z  1 for (k = b – 1; k  0; k--) { Z  Z*Z for (j = v – 1; j  0; j--) { Z Z*G[j][Ij, k] } } return Z; } i j

  12. Suggestion Suppose gN is to be calculated, where N can be broken into p, q s.t. N = p * q. Furthermore, p and q are s.t. p * q = 10 * (p + q) WLOG, gN = gp * q = g10 * (p + q) Where, g10 can be pre-computed and stored. Additionally, if N is prime, the N can be broken into p, q s.t. N = 10 * (p + q) + C Where C is any constant For example, if p = 35, q = 14, C = 1  N = 491 WLOG, gN = g10 * (p + q) + C Where, g10 and gC can be pre-computed and stored.

  13. Suggestion cont’d

  14. gC1 gC2 gC3 gC4 … gCk p g10 * (p + q) + c  gN p + q + q E g10 g10 * (p + q) Suggestion cont’d

  15. Q & A/Feedback Feedback

More Related