Exponenciacionmodular

Modular Exponentiation
Aritmtica Computacional
Francisco Rodrguez Henrquez
We do NOT compute C := Me mod n By first computing Me And then computing C := (Me) mod n Temporary results must be reduced modulo n at each step of the exponentiation.
M15 How many multiplications are needed?? Nave Answer (requires 14 multiplications): M M2 M3 M4 M5 M15 Binary Method (requires 6 multiplications): M M2 M3 M6 M7 M14 M15
Modular Exponentiation: Binary Method

Let k be the number of bits of e, i.e.,
k = 1 + !log 2 e"
Input: M, e, n.
e = (ek %1ek % 2 K e1e0 ) = $ ei 2 i

i =0
k %1
for ei # { ,1} 0 Output: C := Me mod n 1. If ek-1 = 1 then C := M else C := 1; 2. For i = k-2 downto 0 3. C := C2 mod n 4. If ei = 1 then C := CM mod n 5. Return C;

Example: e = 250 = (11111010), thus k = 8 Initially, C = M since ek-1 = e7 = 1.
i 7 6 5 4 3 2 1 0
ei 1 1 1 1 1 0 1 0
Step 2a M (M)2 = M2 (M3)2 = M6 (M7)2 = M14 (M15)2 = M30 (M31)2 = M62 (M62)2 = M124 (M125)2 = M250
Step 2b M M2M = M3 M6M = M7 M14M = M15 M30M = M31 M62 M124M = M125 M250

The binary method requires: Squarings: k-1 Multiplications: The number of 1s in the binary expansion of e, excluding the MSB.
The total number of multiplications: Maximum: (k-1) + (k-1) = 2(k-1) Minimum: (k-1) + 0 = k-1 Average: (k-1) + 1/2 (k-1) = 1.5(k-1)
By scanning the bits of e 2 at a time: quaternary method 3 at a time: octal method Etc. m at a time: m-ary method. Consider the quaternary method: 250 = 11 11 10 10 Some preprocessing required. At each step 2 squaring performed.
Modular Exponentiation: Quaternary Method

Example: bits 00 01 10 11 j 0 1 2 3 Mj 1 M MM =M2 M2M =M3
Modular Exponentiation: Quaternary Method

Example: e = 250 = 11 11 10 10 bits 11 11 10 10 Step 2a M3 (M3)4 = M12 (M15)4 = M60 (M62)4 = M248 Step 2b M3 M12M3 =M15 M60M2 =M62 M248M2 =M250
The number of multiplications: 2+6+3 = 11

Modular Exponentiation: Octal Method

bits 000 001 010 011 100 101 110 111
j 0 1 2 3 4 5 6 7
Mj 1 M MM =M2 M2M =M3 M3M =M4 M4M =M5 M5M =M6 M6M =M7

Example: e = 250 = 011 111 010 bits 011 111 010 Step 2a M3 (M3)8 = M24 (M31)8 = M248 Step 2b M3 M24M7 =M31 M248M2 =M250
The number of multiplications: 6+6+2 = 14 (compute only M2 and M7: 4+6+2 = 12)

Assume 2d = m and k/d is an integer. The average number of multiplications plus squarings required by the m-ary method: Preprocessing Multiplications: m-2 = 2d 2. (why??) Squarings: (k/d - 1) d = k d. (why??) Multiplications: Moral: There is an optimum d for every k.
m '1 & k # ( $ ' 1! = 1 ' 2 ' d m %d "
k )( & d ' 1# $ ! % "
Modular Exponentiation: Average Number of Multiplications

k 8 16 32 64 128 256 512 1024 2048 BM 11 23 47 95 191 383 767 1535 3071 MM 10 21 43 85 167 325 635 1246 2439 d 2 2 2, 3 3 3, 4 4 5 5 6 Savings % 9.1 8.6 8.5 10.5 12.6 15.1 17.2 18.8 20.6
Modular Exponentiation: Preprocessing Multiplications

Consider the following exponent for k = 16 and d = 4: 1011 0011 0111 1000 Which implies that we need to compute Mw mod n for only: w = 3, 7, 8, 11. M2 = MM; M3 = M2M; M4 = M2M2; M7 = M3M4; M8 = M4 M4; M11 = M8M3. This requires 6 multiplications. Computing all of the exponent values would require 16-2 = 14 preprocessing multiplications.
Modular Exponentiation: Sliding Window Techniques

Based on adaptive (data dependent) m-ary partitioning of the exponent. Constant length nonzero windows Rule: Partition the exponent into zero words of any length and nonzero words of length d. Variable length nonzero windows Rule: Partition the exponent into zero words of length at least q and nonzero words of length at most d.
Modular Exponentiation: Constant length nonzero Windows

Example: for d = 3, we partition e = 3665 = (111001010001)2 As 111 00 101 0 001 First compute Mj for odd j [1, m-1]
bits 001 010 011 101 111
j 1 2 3 5 7
Mj M MM = M2 MM2 = M3 M3M2 = M5 M5M2 = M7


Example: for d = 3, we partition e = 3665 = (111001010001)2 As 111 00 101 0 001 First compute Mj for odd j [1, m-1]
bits 111 00 101 0 001
Step 2a M7 (M7)4 = M28 (M28)8 = M224 (M229)2 = M458 (M458)8 = M3664
Step 2b M7 M28 M224M5 = M229 M458 M3664M1 = M3665


Example: for d = 3, we partition e = 3665 = (111001010001)2 As 111 00 101 0 001 Average Number of Multiplications
k 128 256 512 1024 2048 m-ary 167 325 635 1246 2439 d 4 4 5 5 6 CLNW 156 308 607 1195 2360 d 4 5 5 6 7 % 6.6 5.2 4.4 4.1 3.2
Modular Exponentiation: Variable Length nonzero Windows

Example: d = 5 and q = 2. 101 0 11101 00 101 10111 000000 1 00 111 000 1011 Example: d = 10 and q = 4. 1011011 0000 11 0000 11110111 00 1111110101 0000 11011
Modular Exponentiation: The Factor Method.

The factor Method is based on factorization of the exponent e = rs where r is the smallest prime factor of e and s > 1. We compute Me by first computing Mr and then raising this value to the sth power. (Mr)s = Me. If e is prime, we first compute Me-1, then multiply this quantity by M.
Modular Exponentiation: The Factor Method.

Factor Method: 55 = 511. Compute M M2 M4 M5; Assign y := M5; Compute y y2; Assign z := y2; Compute z z2 z4 z5; Compute z5 (z5y) = y11 = M55; Total: 8 multiplications! Binary Method: e = 55 = (110111)2 5+4 = 9 multiplications!!
Sliding Window Method.
Modular Exponentiation: The Power Tree Method.

Consider the node e of the kth level, from left to right. Construct the (k+1)st level by attaching below the node e the nodes e + a1, e + a2, e + a3, , e + ak Where a1, a2, a3, , ak is the path from the root of the tree to e. (Note: a1 = 1 and ak = e) Discard any duplicates that have already appeared in the tree.

1 2 3 5 7 14 19 21 28 10 11 13 15 22 23 26
4 6 9 18 20 12 24
8 16 17 32
Computation using power tree.

Find e in the power tree. The sequence of exponents that occurs in the computation of Me is found on the path from the root to e. Example: e = 23 requires 6 multiplications. M M2 M3 M5 M10 M13 M23. Since 23 = (10111), the binary method requires 4 + 3 = 7 multiplications. Since 23 -1 = 22 = 211, the factor method requires 1 + 5 + 1 = 7 multiplications.
Addition Chains
Consider a sequence of integers a0, a1, a2, , ar With a0 = 1 and ar = e. The sequence is constructed in such a way that for all k there exist indices i, j k such that, ak = ai + aj. The length of the chain is r. A short chain for a given e implies an efficient algorithm for computing Me. Example: e = 55 BM: 1 2 3 6 12 13 26 27 54 55 QM: 1 2 3 6 12 13 26 52 55 FM: 1 2 4 5 10 20 40 50 55 PTM: 1 2 3 5 10 11 22 44 55
Addition Chains
Finding the shortest addition chain is NP-complete. Upper-bound is given by binary method:
!log 2 e" + H (e )# 1
Where H(e) is the Hamming weight of e. Lower-bound given by Schnhage:
!log 2 e" + H (e )# 2.13

Heuristics: binary, m-ary, adaptive m-ary, sliding windows, power tree, factor.
Addition-Subtraction Chains
Convert the binary number to a signed-digit representation using the digits {0, 1, -1}. These techniques use the identity: 2i+j-1 + 2i+j-2 ++2i = 2i+j - 2i To collapse a block of 1s in order to obtain a sparse representation of the exponent. Example: (011110) = 24 + 23 + 22 + 21 (100010) = 25 - 21 These methods require that M-1 mod n be supplied along with M.
Recoding Binary Method

Input: M, M-1, e, n. Output: C := Me mod n. 1. Obtain signed-digit recoding d of e. 2. If dk = 1 then C := M else C := 1 3. For i = k -1 downto 0 4. C := CC mod n 5. If di = 1 then C := CM mod n 6. If di = 1 then C := C M-1 mod n
This algorithm is especially useful For ECC since the Inverse is available At no cost.
7. Return C;
Modular Exponentiation: Binary Method Variations
Side Channel Attacks

Algorithm Binary exponentiation Input: a in G, exponent d = (dk,dk-1,,d0) (dk is the most significant bit) Output: c = ad in G 1. c = a; 2. For i = k-1 down to 0; 3. c = c2; 4. If di =1 then c = c*a; 5. Return c;
The time or the power to execute c2 and c*a are different (side channel information).
Algorithm Corons exponentiation Input: a in G, exponent d = (dk,dk-1,,dl0) Output: c = ad in G 1. c[0] = 1; 2. For i = k-1 down to 0; 3. c[0] = c[0]2; 4. c[1] = c[0]*a; 5. c[0] = c[di]; 6. Return c[0];
Mod. Exponentiation: LSB-First Binary

Let k be the number of bits of e, i.e.,
k = 1 + !log 2 e"
Input: M, e, n.
e = (ek %1ek % 2 K e1e0 ) = $ ei 2 i

i =0
k %1
for ei # { ,1} 0 Output: C := Me mod n 1. R:= 1; C := M; 2. For i = 0 to n-1 3. If ei = 1 then R := RC mod n 4. C := C2 mod n 5. Return R;
Modular Exponentiation: LSB First Binary

Example: e = 250 = (11111010), thus k = 8
i 7 6 5 4 3 2 1 0
ei 0 1 0 1 1 1 1 1
Step 3 (R) 1 1*(M)2 = M2 M2 M2 * M8= M10 M10 * M16= M26 M26 * M32= M58 M58 * M64= M122 M122 * M128= M250
Step 4 (C) M2 (M2)2 = M4 (M4)2 = M8 (M8)2 = M16 (M16)2 = M32 (M32)2 = M64 (M64)2 = M128 (M128)2 = M256
Modular Exponentiation: LSB First Binary

The LSB-First binary method requires: Squarings: k-1 Multiplications: The number of 1s in the binary expansion of e, excluding the MSB. The total number of multiplications: Maximum: (k-1) + (k-1) = 2(k-1) Minimum: (k-1) + 0 = k-1 Average: (k-1) + 1/2 (k-1) = 1.5(k-1) Same as before, but here we can compute the Multiplication operation in parallel with the squarings!!
Arquitectura del Multiplicador [Mario Garca et al ENC03]
Desarrollo (Mtodo q-ario)
Ejemplo
C !163 A!16 2 F !161 E !160
CAFE
=M
0xCAFE = 1100 1010 1111 1110 BM: 10 Mult. + 15 Sqr. Q-ary : 3 Mult + 47 sqr + 7 Symb. Q-ary+PC: 3 Mult. + 3sqr. + 28 Symb
Desarrollo (Mtodo q-ario)

Preclculo de W. Tamao de q. Clculo de d = 2^p * q
Desarrollo (Anlisis)
Tamao de memoria y tiempo de ejecucin del precmputo W. Nmero de multiplicaciones y elevaciones al cuadrado para mtodo qario.
Tiempo de Ejecucin Vs. Nmero de Procs.
Tamao de Memoria

Exponenciacionmodular

Încărcat de

Informații document

Descriere originală:

Titlu original

Drepturi de autor

Formate disponibile

Partajați acest document

Partajați sau inserați document

Opțiuni de partajare

Vi se pare util acest document?

Este necorespunzător acest conținut?

Drepturi de autor:

Formate disponibile

Exponenciacionmodular

Încărcat de

Drepturi de autor:

Formate disponibile

Modular Exponentiation

Francisco Rodrguez Henrquez

Francisco Rodrguez Henrquez

Modular Exponentiation: Binary Method

e = (ek %1ek % 2 K e1e0 ) = $ ei 2 i

Modular Exponentiation: Binary Method

Francisco Rodrguez Henrquez

Modular Exponentiation: Binary Method

Modular Exponentiation: Quaternary Method

Francisco Rodrguez Henrquez

Modular Exponentiation: Quaternary Method

The number of multiplications: 2+6+3 = 11

Modular Exponentiation: Octal Method

Modular Exponentiation: Octal Method

Modular Exponentiation: Octal Method

k )( & d ' 1# $ ! % "

Francisco Rodrguez Henrquez

Modular Exponentiation: Average Number of Multiplications

Francisco Rodrguez Henrquez

Modular Exponentiation: Preprocessing Multiplications

Modular Exponentiation: Sliding Window Techniques

Modular Exponentiation: Constant length nonzero Windows

Mj M MM = M2 MM2 = M3 M3M2 = M5 M5M2 = M7

Modular Exponentiation: Constant length nonzero Windows

Step 2a M7 (M7)4 = M28 (M28)8 = M224 (M229)2 = M458 (M458)8 = M3664

Step 2b M7 M28 M224M5 = M229 M458 M3664M1 = M3665

Modular Exponentiation: Constant length nonzero Windows

Francisco Rodrguez Henrquez

Modular Exponentiation: Variable Length nonzero Windows

Francisco Rodrguez Henrquez

Modular Exponentiation: The Factor Method.

Francisco Rodrguez Henrquez

Modular Exponentiation: The Factor Method.

Sliding Window Method.

Francisco Rodrguez Henrquez

Sliding Window Method.

Francisco Rodrguez Henrquez

Sliding Window Method.

Francisco Rodrguez Henrquez

Modular Exponentiation: The Power Tree Method.

Modular Exponentiation: The Power Tree Method.

Modular Exponentiation: The Power Tree Method.

Francisco Rodrguez Henrquez

Computation using power tree.

!log 2 e" + H (e )# 2.13

Recoding Binary Method

Modular Exponentiation: Binary Method Variations

Francisco Rodrguez Henrquez

Side Channel Attacks

Mod. Exponentiation: LSB-First Binary

e = (ek %1ek % 2 K e1e0 ) = $ ei 2 i

Modular Exponentiation: LSB First Binary

Francisco Rodrguez Henrquez

Modular Exponentiation: LSB First Binary

Arquitectura del Multiplicador [Mario Garca et al ENC03]

Francisco Rodrguez Henrquez

Desarrollo (Mtodo q-ario)

Francisco Rodrguez Henrquez

Francisco Rodrguez Henrquez

Desarrollo (Mtodo q-ario)

Francisco Rodrguez Henrquez

Francisco Rodrguez Henrquez