modular exponentiation
DESCRIPTION
Modular Exponentiation. Modular Exponentiation. We do NOT compute C := M e mod n By first computing M e And then computing C := ( M e ) mod n Temporary results must be reduced modulo n at each step of the exponentiation. Modular Exponentiation. M 15 - PowerPoint PPT PresentationTRANSCRIPT
![Page 1: Modular Exponentiation](https://reader035.vdocument.in/reader035/viewer/2022062816/56815270550346895dc0a273/html5/thumbnails/1.jpg)
Aritmética Computacional Francisco Rodríguez Henríquez
Modular Exponentiation
![Page 2: Modular Exponentiation](https://reader035.vdocument.in/reader035/viewer/2022062816/56815270550346895dc0a273/html5/thumbnails/2.jpg)
Aritmética Computacional Francisco Rodríguez Henríquez
Modular Exponentiation
We do NOT compute C := Me mod n
By first computing Me
And then computing C := (Me) mod n
Temporary results must be reduced modulo
n at each step of the exponentiation.
![Page 3: Modular Exponentiation](https://reader035.vdocument.in/reader035/viewer/2022062816/56815270550346895dc0a273/html5/thumbnails/3.jpg)
Aritmética Computacional Francisco Rodríguez Henríquez
Modular Exponentiation
M15
How many multiplications are needed??
Naïve Answer (requires 14 multiplications):
M M2 M3 M4 M5 … M15
Binary Method (requires 6 multiplications):
M M2 M3 M6 M7 M14 M15
![Page 4: Modular Exponentiation](https://reader035.vdocument.in/reader035/viewer/2022062816/56815270550346895dc0a273/html5/thumbnails/4.jpg)
Aritmética Computacional Francisco Rodríguez Henríquez
Modular Exponentiation: Binary Method
Let k be the number of bits of e, i.e.,
Input: M, e, n.
Output: C := Me mod n 1. If ek-1 = 1 then C := M else C := 1;2. For i = k-2 downto 0
3. C := C2 mod n4. If ei = 1 then C := CM mod n
5. Return C;
1,0for
2
log11
00121
2
i
k
i
iikk
e
eeeeee
ek
![Page 5: Modular Exponentiation](https://reader035.vdocument.in/reader035/viewer/2022062816/56815270550346895dc0a273/html5/thumbnails/5.jpg)
Aritmética Computacional Francisco Rodríguez Henríquez
Modular Exponentiation: Binary Method
Example: e = 250 = (11111010), thus k = 8
Initially, C = M since ek-1 = e7 = 1.i ei Step 2a Step 2b
7 1 M M6 1 (M)2 = M2 M2M = M3
5 1 (M3)2 = M6 M6M = M7
4 1 (M7)2 = M14 M14M = M15
3 1 (M15)2 = M30 M30M = M31
2 0 (M31)2 = M62 M62
1 1 (M62)2 = M124 M124M = M125
0 0 (M125)2 = M250 M250
![Page 6: Modular Exponentiation](https://reader035.vdocument.in/reader035/viewer/2022062816/56815270550346895dc0a273/html5/thumbnails/6.jpg)
Aritmética Computacional Francisco Rodríguez Henríquez
Modular Exponentiation: Binary Method
The binary method requires:• Squarings: k-1• Multiplications: The number of 1s in the binary
expansion of e, excluding the MSB.The total number of multiplications:Maximum: (k-1) + (k-1) = 2(k-1)Minimum: (k-1) + 0 = k-1Average: (k-1) + 1/2 (k-1) = 1.5(k-1)
![Page 7: Modular Exponentiation](https://reader035.vdocument.in/reader035/viewer/2022062816/56815270550346895dc0a273/html5/thumbnails/7.jpg)
Aritmética Computacional Francisco Rodríguez Henríquez
Modular Exponentiation
By scanning the bits of e2 at a time: quaternary method3 at a time: octal methodEtc.m at a time: m-ary method.Consider the quaternary method: 250 = 11 11 10 10Some preprocessing required.At each step 2 squaring performed.
![Page 8: Modular Exponentiation](https://reader035.vdocument.in/reader035/viewer/2022062816/56815270550346895dc0a273/html5/thumbnails/8.jpg)
Aritmética Computacional Francisco Rodríguez Henríquez
Modular Exponentiation: Quaternary Method
Example:
bits j Mj
00 0 101 1 M10 2 MM =M2
11 3 M2M =M3
![Page 9: Modular Exponentiation](https://reader035.vdocument.in/reader035/viewer/2022062816/56815270550346895dc0a273/html5/thumbnails/9.jpg)
Aritmética Computacional Francisco Rodríguez Henríquez
Modular Exponentiation: Quaternary Method
Example: e = 250 = 11 11 10 10
The number of multiplications: 2+6+3 = 11
bits Step 2a Step 2b11 M3 M3
11 (M3)4 = M12 M12M3 =M15
10 (M15)4 = M60 M60M2 =M62
10 (M62)4 = M248 M248M2 =M250
![Page 10: Modular Exponentiation](https://reader035.vdocument.in/reader035/viewer/2022062816/56815270550346895dc0a273/html5/thumbnails/10.jpg)
Aritmética Computacional Francisco Rodríguez Henríquez
Modular Exponentiation: Octal Method
bits j Mj
000 0 1001 1 M010 2 MM =M2
011 3 M2M =M3
100 4 M3M =M4
101 5 M4M =M5
110 6 M5M =M6
111 7 M6M =M7
![Page 11: Modular Exponentiation](https://reader035.vdocument.in/reader035/viewer/2022062816/56815270550346895dc0a273/html5/thumbnails/11.jpg)
Aritmética Computacional Francisco Rodríguez Henríquez
Modular Exponentiation: Octal Method
Example: e = 250 = 011 111 010
The number of multiplications: 6+6+2 = 14(compute only M2 and M7: 4+6+2 = 12)
bits Step 2a Step 2b011 M3 M3
111 (M3)8 = M24 M24M7 =M31
010 (M31)8 = M248 M248M2 =M250
![Page 12: Modular Exponentiation](https://reader035.vdocument.in/reader035/viewer/2022062816/56815270550346895dc0a273/html5/thumbnails/12.jpg)
Aritmética Computacional Francisco Rodríguez Henríquez
Modular Exponentiation: Octal Method
Assume 2d = m and k/d is an integer. The average number of multiplications plus squarings required by the m-ary method:
• Preprocessing Multiplications: m-2 = 2d – 2. (why??)
• Squarings: (k/d - 1) d = k – d. (why??)• Multiplications:• Moral: There is an optimum d for every k.
12111
dk
dk
mm d
![Page 13: Modular Exponentiation](https://reader035.vdocument.in/reader035/viewer/2022062816/56815270550346895dc0a273/html5/thumbnails/13.jpg)
Aritmética Computacional Francisco Rodríguez Henríquez
Modular Exponentiation: Average Number of Multiplications
k BM MM d Savings %8 11 10 2 9.116 23 21 2 8.632 47 43 2, 3 8.564 95 85 3 10.5
128 191 167 3, 4 12.6256 383 325 4 15.1512 767 635 5 17.2
1024 1535 1246 5 18.82048 3071 2439 6 20.6
![Page 14: Modular Exponentiation](https://reader035.vdocument.in/reader035/viewer/2022062816/56815270550346895dc0a273/html5/thumbnails/14.jpg)
Aritmética Computacional Francisco Rodríguez Henríquez
Modular Exponentiation: Preprocessing Multiplications
Consider the following exponent for k = 16 and d = 4: 1011 0011 0111 1000
Which implies that we need to compute Mw mod n for only: w = 3, 7, 8, 11.
M2 = MM; M3 = M2M; M4 = M2M2;
M7 = M3M4; M8 = M4 M4; M11 = M8M3.This requires 6 multiplications. Computing all of the
exponent values would require 16-2 = 14 preprocessing multiplications.
![Page 15: Modular Exponentiation](https://reader035.vdocument.in/reader035/viewer/2022062816/56815270550346895dc0a273/html5/thumbnails/15.jpg)
Aritmética Computacional Francisco Rodríguez Henríquez
Modular Exponentiation: Sliding Window Techniques
Based on adaptive (data dependent) m-ary partitioning of the exponent.
• Constant length nonzero windowsRule: Partition the exponent into zero words of any
length and nonzero words of length d.• Variable length nonzero windowsRule: Partition the exponent into zero words of length at
least q and nonzero words of length at most d.
![Page 16: Modular Exponentiation](https://reader035.vdocument.in/reader035/viewer/2022062816/56815270550346895dc0a273/html5/thumbnails/16.jpg)
Aritmética Computacional Francisco Rodríguez Henríquez
Modular Exponentiation: Constant length nonzero Windows
Example: for d = 3, we partition e = 3665 = (111001010001)2
As 111 00 101 0 001First compute Mj for odd j [1, m-1]
bits j Mj
001 1 M010 2 MM = M2
011 3 MM2 = M3
101 5 M3M2 = M5
111 7 M5M2 = M7
![Page 17: Modular Exponentiation](https://reader035.vdocument.in/reader035/viewer/2022062816/56815270550346895dc0a273/html5/thumbnails/17.jpg)
Aritmética Computacional Francisco Rodríguez Henríquez
Modular Exponentiation: Constant length nonzero Windows
Example: for d = 3, we partition e = 3665 = (111001010001)2
As 111 00 101 0 001First compute Mj for odd j [1, m-1]
bits Step 2a Step 2b111 M7 M7
00 (M7)4 = M28 M28
101 (M28)8 = M224 M224M5 = M229
0 (M229)2 = M458 M458
001 (M458)8 = M3664 M3664M1 = M3665
![Page 18: Modular Exponentiation](https://reader035.vdocument.in/reader035/viewer/2022062816/56815270550346895dc0a273/html5/thumbnails/18.jpg)
Aritmética Computacional Francisco Rodríguez Henríquez
Modular Exponentiation: Constant length nonzero Windows
Example: for d = 3, we partition e = 3665 = (111001010001)2
As 111 00 101 0 001Average Number of Multiplications
k m-ary d CLNW d %
128 167 4 156 4 6.6256 325 4 308 5 5.2512 635 5 607 5 4.4
1024 1246 5 1195 6 4.12048 2439 6 2360 7 3.2
![Page 19: Modular Exponentiation](https://reader035.vdocument.in/reader035/viewer/2022062816/56815270550346895dc0a273/html5/thumbnails/19.jpg)
Aritmética Computacional Francisco Rodríguez Henríquez
Modular Exponentiation: Variable Length nonzero Windows
Example: d = 5 and q = 2. 101 0 11101 00 10110111 000000 1 00 111 000 1011
Example: d = 10 and q = 4. 1011011 0000 11 000011110111 00 1111110101 0000 11011
![Page 20: Modular Exponentiation](https://reader035.vdocument.in/reader035/viewer/2022062816/56815270550346895dc0a273/html5/thumbnails/20.jpg)
Aritmética Computacional Francisco Rodríguez Henríquez
Modular Exponentiation: The Factor Method.
• The factor Method is based on factorization of the exponent e = rs where r is the smallest prime factor of e and s > 1.
• We compute Me by first computing Mr and then raising this value to the sth power.
(Mr)s = Me.
If e is prime, we first compute Me-1, then multiply this quantity by M.
![Page 21: Modular Exponentiation](https://reader035.vdocument.in/reader035/viewer/2022062816/56815270550346895dc0a273/html5/thumbnails/21.jpg)
Aritmética Computacional Francisco Rodríguez Henríquez
Modular Exponentiation: The Factor Method.
Factor Method: 55 = 511.Compute M M2 M4 M5;Assign y := M5;Compute y y2;Assign z := y2;Compute z z2 z4 z5;Compute z5 (z5y) = y11 = M55;Total: 8 multiplications!Binary Method: e = 55 = (110111)2
5+4 = 9 multiplications!!
![Page 22: Modular Exponentiation](https://reader035.vdocument.in/reader035/viewer/2022062816/56815270550346895dc0a273/html5/thumbnails/22.jpg)
Aritmética Computacional Francisco Rodríguez Henríquez
Sliding Window Method.
![Page 23: Modular Exponentiation](https://reader035.vdocument.in/reader035/viewer/2022062816/56815270550346895dc0a273/html5/thumbnails/23.jpg)
Aritmética Computacional Francisco Rodríguez Henríquez
Sliding Window Method.
![Page 24: Modular Exponentiation](https://reader035.vdocument.in/reader035/viewer/2022062816/56815270550346895dc0a273/html5/thumbnails/24.jpg)
Aritmética Computacional Francisco Rodríguez Henríquez
Sliding Window Method.
![Page 25: Modular Exponentiation](https://reader035.vdocument.in/reader035/viewer/2022062816/56815270550346895dc0a273/html5/thumbnails/25.jpg)
Aritmética Computacional Francisco Rodríguez Henríquez
Modular Exponentiation: The Power Tree Method.
Consider the node e of the kth level, from left to right. Construct the (k+1)st level by attaching below the node e the nodes e + a1, e + a2, e + a3, …, e + ak
Where a1, a2, a3, …, ak
is the path from the root of the tree to e.
(Note: a1 = 1 and ak = e)
Discard any duplicates that have already appeared in the tree.
![Page 26: Modular Exponentiation](https://reader035.vdocument.in/reader035/viewer/2022062816/56815270550346895dc0a273/html5/thumbnails/26.jpg)
Aritmética Computacional Francisco Rodríguez Henríquez
Modular Exponentiation: The Power Tree Method.
1
2
3 46
5
7 10
14 11 13 15 20
19 21 28 22 23 26
9 12
18 24
8
16
17 32
![Page 27: Modular Exponentiation](https://reader035.vdocument.in/reader035/viewer/2022062816/56815270550346895dc0a273/html5/thumbnails/27.jpg)
Aritmética Computacional Francisco Rodríguez Henríquez
Modular Exponentiation: The Power Tree Method.
![Page 28: Modular Exponentiation](https://reader035.vdocument.in/reader035/viewer/2022062816/56815270550346895dc0a273/html5/thumbnails/28.jpg)
Aritmética Computacional Francisco Rodríguez Henríquez
Computation using power tree.
Find e in the power tree. The sequence of exponents that occurs in the computation of Me is found on the path from the root to e.
Example: e = 23 requires 6 multiplications.M M2 M3 M5 M10 M13 M23.Since 23 = (10111), the binary method requires 4 + 3 = 7
multiplications. Since 23 -1 = 22 = 211, the factor method requires 1 + 5
+ 1 = 7 multiplications.
![Page 29: Modular Exponentiation](https://reader035.vdocument.in/reader035/viewer/2022062816/56815270550346895dc0a273/html5/thumbnails/29.jpg)
Aritmética Computacional Francisco Rodríguez Henríquez
Addition Chains
Consider a sequence of integers a0, a1, a2, …, ar
With a0 = 1 and ar = e. The sequence is constructed in such a way that
for all k there exist indices i, j ≤ k such that, ak = ai + aj.
The length of the chain is r. A short chain for a given e implies an efficient algorithm for computing Me.
Example: e = 55 BM: 1 2 3 6 12 13 26 27 54 55
QM: 1 2 3 6 12 13 26 52 55
FM: 1 2 4 5 10 20 40 50 55
PTM: 1 2 3 5 10 11 22 44 55
![Page 30: Modular Exponentiation](https://reader035.vdocument.in/reader035/viewer/2022062816/56815270550346895dc0a273/html5/thumbnails/30.jpg)
Aritmética Computacional Francisco Rodríguez Henríquez
Addition Chains
• Finding the shortest addition chain is NP-complete.
• Upper-bound is given by binary method:
Where H(e) is the Hamming weight of e.
• Lower-bound given by Schönhage:
• Heuristics: binary, m-ary, adaptive m-ary, sliding windows, power tree, factor.
1log2 eHe
13.2log2 eHe
![Page 31: Modular Exponentiation](https://reader035.vdocument.in/reader035/viewer/2022062816/56815270550346895dc0a273/html5/thumbnails/31.jpg)
Aritmética Computacional Francisco Rodríguez Henríquez
Addition-Subtraction Chains
Convert the binary number to a signed-digit representation using the digits {0, 1, -1}.
These techniques use the identity: 2i+j-1 + 2i+j-2 +…+2i = 2i+j - 2i
To collapse a block of 1s in order to obtain a sparse representation of the exponent.
Example: (011110) = 24 + 23 + 22 + 21
(10001’0) = 25 - 21
These methods require that M-1 mod n be supplied along with M.
![Page 32: Modular Exponentiation](https://reader035.vdocument.in/reader035/viewer/2022062816/56815270550346895dc0a273/html5/thumbnails/32.jpg)
Aritmética Computacional Francisco Rodríguez Henríquez
Recoding Binary Method
Input: M, M-1, e, n.Output: C := Me mod n.1. Obtain signed-digit recoding d of e.2. If dk = 1 then C := M else C := 1
3. For i = k -1 downto 04. C := CC mod n5. If di = 1 then C := CM mod n
6. If di = 1’ then C := C M-1 mod n
7. Return C;
This algorithm is especially usefulFor ECC since theInverse is availableAt no cost.
![Page 33: Modular Exponentiation](https://reader035.vdocument.in/reader035/viewer/2022062816/56815270550346895dc0a273/html5/thumbnails/33.jpg)
Aritmética Computacional Francisco Rodríguez Henríquez
Modular Exponentiation: Binary Method Variations
![Page 34: Modular Exponentiation](https://reader035.vdocument.in/reader035/viewer/2022062816/56815270550346895dc0a273/html5/thumbnails/34.jpg)
Aritmética Computacional Francisco Rodríguez Henríquez
Side Channel Attacks
Algorithm Binary exponentiation Input: a in G, exponent d = (dk,dk-1,…,d0) (dk is the most significant bit) Output: c = ad in G 1. c = a; 2. For i = k-1 down to 0; 3. c = c2; 4. If di =1 then c = c*a; 5. Return c;
The time or the power to execute c2 and c*a are different
(side channel information).
Algorithm Coron’s exponentiation Input: a in G, exponent d = (dk,dk-1,…,dl0) Output: c = ad in G 1. c[0] = 1; 2. For i = k-1 down to 0; 3. c[0] = c[0]2; 4. c[1] = c[0]*a; 5. c[0] = c[di]; 6. Return c[0];
![Page 35: Modular Exponentiation](https://reader035.vdocument.in/reader035/viewer/2022062816/56815270550346895dc0a273/html5/thumbnails/35.jpg)
Aritmética Computacional Francisco Rodríguez Henríquez
Mod. Exponentiation: LSB-First Binary
Let k be the number of bits of e, i.e.,
Input: M, e, n.
Output: C := Me mod n 1. R:= 1; C := M;2. For i = 0 to n-1
3. If ei = 1 then R := RC mod n4. C := C2 mod n
5. Return R;
1,0for
2
log11
00121
2
i
k
i
iikk
e
eeeeee
ek
![Page 36: Modular Exponentiation](https://reader035.vdocument.in/reader035/viewer/2022062816/56815270550346895dc0a273/html5/thumbnails/36.jpg)
Aritmética Computacional Francisco Rodríguez Henríquez
Modular Exponentiation: LSB First Binary
Example: e = 250 = (11111010), thus k = 8
i ei Step 3 (R) Step 4 (C)
7 0 1 M2
6 1 1*(M)2 = M2 (M2)2 = M4 5 0 M2 (M4)2 = M8
4 1 M2 * M8= M10 (M8)2 = M16
3 1 M10 * M16= M26 (M16)2 = M32
2 1 M26 * M32= M58 (M32)2 = M64
1 1 M58 * M64= M122 (M64)2 = M128
0 1 M122 * M128= M250 (M128)2 = M256
![Page 37: Modular Exponentiation](https://reader035.vdocument.in/reader035/viewer/2022062816/56815270550346895dc0a273/html5/thumbnails/37.jpg)
Aritmética Computacional Francisco Rodríguez Henríquez
Modular Exponentiation: LSB First Binary
The LSB-First binary method requires:• Squarings: k-1• Multiplications: The number of 1s in the binary
expansion of e, excluding the MSB.The total number of multiplications:Maximum: (k-1) + (k-1) = 2(k-1)Minimum: (k-1) + 0 = k-1Average: (k-1) + 1/2 (k-1) = 1.5(k-1)Same as before, but here we can compute the
Multiplication operation in parallel with the squarings!!
![Page 38: Modular Exponentiation](https://reader035.vdocument.in/reader035/viewer/2022062816/56815270550346895dc0a273/html5/thumbnails/38.jpg)
Aritmética Computacional Francisco Rodríguez Henríquez
Arquitectura del Multiplicador[Mario García et al ENC03]
![Page 39: Modular Exponentiation](https://reader035.vdocument.in/reader035/viewer/2022062816/56815270550346895dc0a273/html5/thumbnails/39.jpg)
Aritmética Computacional Francisco Rodríguez Henríquez
Desarrollo (Método q-ario)
![Page 40: Modular Exponentiation](https://reader035.vdocument.in/reader035/viewer/2022062816/56815270550346895dc0a273/html5/thumbnails/40.jpg)
Aritmética Computacional Francisco Rodríguez Henríquez
Ejemplo
• 0xCAFE = 1100 1010 1111 1110• BM: 10 Mult. + 15 Sqr.• Q-ary : 3 Mult + 47 sqr + 7
Symb.• Q-ary+PC:3 Mult. + 3sqr. + 28 Symb
0123 16161616 EFACCAFE MMMMM
![Page 41: Modular Exponentiation](https://reader035.vdocument.in/reader035/viewer/2022062816/56815270550346895dc0a273/html5/thumbnails/41.jpg)
Aritmética Computacional Francisco Rodríguez Henríquez
Desarrollo (Método q-ario)
• Precálculo de W.
• Tamaño de q.
• Cálculo de d = 2^p * q
![Page 42: Modular Exponentiation](https://reader035.vdocument.in/reader035/viewer/2022062816/56815270550346895dc0a273/html5/thumbnails/42.jpg)
Aritmética Computacional Francisco Rodríguez Henríquez
Desarrollo (Análisis)
• Tamaño de memoria y tiempo de ejecución del precómputo W.
• Número de multiplicaciones y elevaciones al cuadrado para método q-ario.
![Page 43: Modular Exponentiation](https://reader035.vdocument.in/reader035/viewer/2022062816/56815270550346895dc0a273/html5/thumbnails/43.jpg)
Aritmética Computacional Francisco Rodríguez Henríquez
Tiempo de Ejecución Vs. Número de Procs.
![Page 44: Modular Exponentiation](https://reader035.vdocument.in/reader035/viewer/2022062816/56815270550346895dc0a273/html5/thumbnails/44.jpg)
Aritmética Computacional Francisco Rodríguez Henríquez
Tamaño de Memoria