Modular Exponentiation - Centro de Investigación y de Estudios

Post on 12-Sep-2021


Aritmética Computacional Francisco Rodríguez Henríquez

Modular Exponentiation

We do NOT compute C := M^e mod n by first computing M^e and then reducing, C := (M^e) mod n. The unreduced power M^e has about e·log2(M) bits, which is hopeless for exponents of cryptographic size.

Temporary results must be reduced modulo n at each step of the exponentiation, so that no intermediate value ever exceeds n^2.


Modular Exponentiation

Example: M^15. How many multiplications are needed?

Naïve answer (14 multiplications):

M → M^2 → M^3 → M^4 → M^5 → … → M^15

Binary method (6 multiplications):

M → M^2 → M^3 → M^6 → M^7 → M^14 → M^15


Modular Exponentiation: Binary Method

Let k be the number of bits of e, i.e.

$k = \lfloor \log_2 e \rfloor + 1$, $e = (e_{k-1}\, e_{k-2} \dots e_1\, e_0)_2 = \sum_{i=0}^{k-1} e_i 2^i$, $e_i \in \{0, 1\}$.

Input: M, e, n.
Output: C := M^e mod n
1. If e_{k-1} = 1 then C := M else C := 1;   (when k is the exact bit length of e, e_{k-1} = 1 always)
2. For i = k-2 downto 0
3.   C := C^2 mod n
4.   If e_i = 1 then C := C·M mod n
5. Return C;

Example: e = 250 = (11111010)_2, thus k = 8.

Initially, C = M since e_{k-1} = e_7 = 1.

 i  e_i  Step 2a: C := C^2       Step 2b: C := C·M
 7   1   (initial)               C = M
 6   1   (M)^2 = M^2             M^2·M = M^3
 5   1   (M^3)^2 = M^6           M^6·M = M^7
 4   1   (M^7)^2 = M^14          M^14·M = M^15
 3   1   (M^15)^2 = M^30         M^30·M = M^31
 2   0   (M^31)^2 = M^62         (none)
 1   1   (M^62)^2 = M^124        M^124·M = M^125
 0   0   (M^125)^2 = M^250       (none)

The binary method requires:
• Squarings: k-1
• Multiplications: the number of 1s in the binary expansion of e, excluding the MSB.

The total number of multiplications (squarings included):
• Maximum: (k-1) + (k-1) = 2(k-1)
• Minimum: (k-1) + 0 = k-1
• Average: (k-1) + 1/2 (k-1) = 1.5(k-1)
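The binary method above, as an added example that is not part of the original slides: the MSB-first square-and-multiply loop with reduction mod n at every step, an operation counter that is checked against the cost formula, and the exponent chain that reproduces the M^15 example. The modulus and base are constructed test values, not taken from the slides.

```python
# Added example, not part of the original slides: the MSB-first binary
# method with reduction mod n at every step and an operation count that is
# checked against the slide's cost formula. The modulus and base are
# constructed test values.

def binary_exp(M: int, e: int, n: int):
    """Left-to-right square-and-multiply, C := M^e mod n.

    Returns (C, squarings, multiplications). Every product is reduced
    immediately, so no intermediate ever exceeds n^2.
    """
    if e == 0:
        return 1 % n, 0, 0
    k = e.bit_length()                  # k = floor(log2 e) + 1
    C = M % n                           # step 1: e_{k-1} = 1 for the exact bit length
    squarings = multiplications = 0
    for i in range(k - 2, -1, -1):      # step 2: i = k-2 downto 0
        C = C * C % n                   # step 3: C := C^2 mod n
        squarings += 1
        if (e >> i) & 1:                # step 4: C := C*M mod n when e_i = 1
            C = C * M % n
            multiplications += 1
    return C, squarings, multiplications

def binary_cost(e: int):
    """Cost predicted by the slide: k-1 squarings, H(e)-1 multiplications."""
    k = e.bit_length()
    return k - 1, bin(e).count("1") - 1

def exponent_chain(e: int):
    """Exponents of M visited by the binary method, e.g. 15 -> [1, 2, 3, 6, 7, 14, 15]."""
    k = e.bit_length()
    x, chain = 1, [1]
    for i in range(k - 2, -1, -1):
        x *= 2
        chain.append(x)
        if (e >> i) & 1:
            x += 1
            chain.append(x)
    return chain

if __name__ == "__main__":
    n, M = 1000003, 123456                       # constructed values
    C, s, m = binary_exp(M, 250, n)
    assert C == pow(M, 250, n) and (s, m) == binary_cost(250)
    print(f"M^250 mod n: {s} squarings + {m} multiplications = {s + m}")
    print(exponent_chain(15))                    # the M^15 example, 6 multiplications
```

For e = 250 the counter returns 7 squarings and 5 multiplications, exactly the table above; the chain for e = 15 has six steps, matching the introductory example.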

Modular Exponentiation

Scan the bits of e several at a time:
• 2 at a time: quaternary method
• 3 at a time: octal method
• etc.
• d at a time: m-ary method, with m = 2^d.

Consider the quaternary method: 250 = 11 11 10 10.
Some preprocessing is required (the powers M^2, …, M^{m-1}).
At each step d squarings are performed (2 for the quaternary method), followed by at most one multiplication.

Modular Exponentiation: Quaternary Method

Example: precomputation of M^j for the 2-bit windows j (2 multiplications):

 bits  j  M^j
 00    0  1
 01    1  M
 10    2  M·M = M^2
 11    3  M^2·M = M^3

Example: e = 250 = 11 11 10 10

The number of multiplications: 2 (precomputation) + 6 (squarings) + 3 = 11

 bits  Step 2a: C := C^4          Step 2b: C := C·M^j
 11    (initial)                  C = M^3
 11    (M^3)^4 = M^12             M^12·M^3 = M^15
 10    (M^15)^4 = M^60            M^60·M^2 = M^62
 10    (M^62)^4 = M^248           M^248·M^2 = M^250

Modular Exponentiation: Octal Method

Precomputation of M^j for the 3-bit windows j (6 multiplications):

 bits  j  M^j
 000   0  1
 001   1  M
 010   2  M·M = M^2
 011   3  M^2·M = M^3
 100   4  M^3·M = M^4
 101   5  M^4·M = M^5
 110   6  M^5·M = M^6
 111   7  M^6·M = M^7

Example: e = 250 = 011 111 010

The number of multiplications: 6 + 6 + 2 = 14. Computing only the powers this exponent needs (M^2, M^3 and M^7, via M^2 = M·M, M^3 = M^2·M, M^4 = M^2·M^2, M^7 = M^4·M^3) costs 4 preprocessing multiplications: 4 + 6 + 2 = 12.

 bits  Step 2a: C := C^8          Step 2b: C := C·M^j
 011   (initial)                  C = M^3
 111   (M^3)^8 = M^24             M^24·M^7 = M^31
 010   (M^31)^8 = M^248           M^248·M^2 = M^250

Modular Exponentiation: Cost of the m-ary Method

Assume 2^d = m and that k/d is an integer. The average number of multiplications plus squarings required by the m-ary method:

• Preprocessing multiplications: m - 2 = 2^d - 2. (M^0 and M^1 are free; each of M^2, …, M^{m-1} costs one multiplication by M.)
• Squarings: (k/d - 1)·d = k - d. (The first window initialises C; each of the remaining k/d - 1 windows costs d squarings.)
• Multiplications: one for every nonzero window after the first. A d-bit window is nonzero with probability 1 - 1/m = 1 - 2^{-d}, so on average

$\left(\frac{k}{d} - 1\right)\left(1 - \frac{1}{m}\right) = \left(\frac{k}{d} - 1\right)\left(1 - 2^{-d}\right).$

• Total (average):

$T(k, d) = 2^d - 2 + (k - d) + \left(\frac{k}{d} - 1\right)\left(1 - 2^{-d}\right).$

• Moral: there is an optimum d for every k.

Modular Exponentiation: Average Number of Multiplications

(BM: binary method, k-1 squarings plus k/2 multiplications on average; MM: m-ary method with the listed d.)

 k     BM    MM    d     Savings %
 8     11    10    2     9.1
 16    23    21    2     8.6
 32    47    43    2, 3  8.5
 64    95    85    3     10.5
 128   191   167   3, 4  12.6
 256   383   325   4     15.1
 512   767   635   5     17.2
 1024  1535  1246  5     18.8
 2048  3071  2439  6     20.6

Modular Exponentiation: Preprocessing Multiplications

Consider the following exponent for k = 16 and d = 4: 1011 0011 0111 1000

This implies that we need to compute M^w mod n only for w = 3, 7, 8, 11 (the window values 0 and 1 are free).

M^2 = M·M; M^3 = M^2·M; M^4 = M^2·M^2; M^7 = M^3·M^4; M^8 = M^4·M^4; M^11 = M^8·M^3.

This requires 6 multiplications. Computing all of the window values M^2, …, M^15 would require 16 - 2 = 14 preprocessing multiplications.
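The m-ary method of the last slides (quaternary and octal examples, the cost formula T(k, d) and the set of window values that actually need precomputing), as an added example that is not part of the original slides. The top window is zero-padded the way the octal example writes 250 = 011 111 010. Modulus and base are constructed test values; the function names are this example's own.

```python
# Added example, not part of the original slides: the general m-ary method
# (m = 2^d) with an operation count, the set of window values that need
# precomputing, and the slide's average-cost formula T(k, d). Moduli and
# bases are constructed test values.

def windows(e: int, d: int):
    """Split e into d-bit windows, MSB first, zero-padding the top window
    (250, d=3 -> [0b011, 0b111, 0b010])."""
    k = max(e.bit_length(), 1)
    nwin = -(-k // d)                       # ceil(k / d)
    return [(e >> (d * i)) & ((1 << d) - 1) for i in range(nwin - 1, -1, -1)]

def m_ary_exp(M: int, e: int, n: int, d: int):
    """Return (C, preprocessing_mults, squarings, mults) for C = M^e mod n."""
    m = 1 << d
    table = [1, M % n]                      # M^0 and M^1 are free ...
    for _ in range(2, m):                   # ... M^2 .. M^(m-1) cost m-2 multiplications
        table.append(table[-1] * M % n)
    pre = m - 2
    w = windows(e, d)
    C = table[w[0]]                         # the first window initialises C
    squarings = mults = 0
    for wi in w[1:]:
        for _ in range(d):                  # step 2a: d squarings per window
            C = C * C % n
            squarings += 1
        if wi:                              # step 2b: one multiplication per nonzero window
            C = C * table[wi] % n
            mults += 1
    return C, pre, squarings, mults

def needed_windows(e: int, d: int):
    """Window values w > 1 occurring in e: the only M^w worth precomputing."""
    return {w for w in windows(e, d) if w > 1}

def average_cost(k: int, d: int) -> float:
    """T(k, d) = (2^d - 2) + (k - d) + (k/d - 1)(1 - 2^-d), the slide's formula."""
    return (2 ** d - 2) + (k - d) + (k / d - 1) * (1 - 2.0 ** -d)

def best_d(k: int) -> int:
    """The window size minimising T(k, d) for a k-bit exponent (d up to 8)."""
    return min(range(1, 9), key=lambda d: average_cost(k, d))

if __name__ == "__main__":
    n, M = 1000003, 98765                   # constructed values
    for d in (1, 2, 3):
        C, pre, sq, mu = m_ary_exp(M, 250, n, d)
        assert C == pow(M, 250, n)
        print(f"d={d}: {pre} + {sq} + {mu} = {pre + sq + mu} multiplications")
    print(sorted(needed_windows(0xB378, 4)))       # 1011 0011 0111 1000 -> [3, 7, 8, 11]
    for k in (8, 64, 512, 2048):
        d = best_d(k)
        print(f"k={k}: d={d}, T(k, d)={average_cost(k, d):.1f}")
```

With d = 1 the routine degenerates to the binary method (0 + 7 + 5 = 12 for e = 250); d = 2 and d = 3 give the 11 and 14 of the quaternary and octal slides, and rounding T(k, d) for the d listed in the table above reproduces its MM column (T(2048, 6) ≈ 2439).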

Modular Exponentiation: Sliding Window Techniques

Based on adaptive (data-dependent) m-ary partitioning of the exponent.

• Constant length nonzero windows (CLNW). Rule: partition the exponent into zero words of any length and nonzero words of length d.
• Variable length nonzero windows (VLNW). Rule: partition the exponent into zero words of length at least q and nonzero words of length at most d.

Modular Exponentiation: Constant Length Nonzero Windows

Example: for d = 3, we partition e = 3665 = (111001010001)_2 as 111 00 101 0 001. (Scanning from the least significant bit, a 1 starts a nonzero word of d bits and a run of 0s forms a zero word, so every nonzero window is odd.)

First compute M^j for odd j ∈ [1, m-1] (4 multiplications, M^2 being an auxiliary value):

 bits  j  M^j
 001   1  M
 010   2  M·M = M^2
 011   3  M·M^2 = M^3
 101   5  M^3·M^2 = M^5
 111   7  M^5·M^2 = M^7

Computation (9 squarings and 2 multiplications; with the 4 precomputation multiplications, 15 in total):

 bits  Step 2a: one squaring per bit   Step 2b: C := C·M^j
 111   (initial)                       C = M^7
 00    (M^7)^4 = M^28                  (none)
 101   (M^28)^8 = M^224                M^224·M^5 = M^229
 0     (M^229)^2 = M^458               (none)
 001   (M^458)^8 = M^3664              M^3664·M^1 = M^3665

Average Number of Multiplications

 k     d  m-ary  CLNW  Savings %
 128   4  167    156   6.64
 256   4  325    308   5.25
 512   5  635    607   4.45
 1024  5  1246   1195  4.16
 2048  6  2439   2360  3.27
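The CLNW partitioning and exponentiation of the e = 3665 example, as an added example that is not part of the original slides. It applies the slide's rule scanning from the least significant bit (which is what yields the partition 111 00 101 0 001) and uses only the odd-power table. Modulus and base are constructed test values; function names are this example's own.

```python
# Added example, not part of the original slides: constant-length nonzero
# window (CLNW) partitioning and the exponentiation that uses it. The slide's
# rule is applied scanning e from the least significant bit: a 0 extends a
# zero word, a 1 starts a nonzero word of exactly d bits, so every nonzero
# window is odd and only M^1, M^3, ..., M^(2^d - 1) are precomputed.
# Modulus and base are constructed test values.

def clnw_partition(e: int, d: int):
    """Windows as bit strings, MSB first: 3665, d=3 -> ['111', '00', '101', '0', '001']."""
    bits = bin(e)[2:]
    out, i = [], len(bits)               # i: exclusive upper index of the unread prefix
    while i > 0:
        j = i
        if bits[i - 1] == '0':           # zero word: absorb the whole run of 0s
            while j > 0 and bits[j - 1] == '0':
                j -= 1
        else:                            # nonzero word: d bits (fewer only at the top)
            j = max(0, i - d)
        out.append(bits[j:i])
        i = j
    out.reverse()
    return out

def odd_powers(M: int, n: int, d: int):
    """M^j mod n for odd j < 2^d; costs 2^(d-1) multiplications (one of them for M^2)."""
    M2 = M * M % n
    table, cur = {1: M % n}, M % n
    for j in range(3, 1 << d, 2):
        cur = cur * M2 % n
        table[j] = cur
    return table, (0 if d == 1 else 1 << (d - 1))

def clnw_exp(M: int, e: int, n: int, d: int):
    """Return (C,  precomputation_mults, squarings, mults) with C = M^e mod n."""
    if e == 0:
        return 1 % n, 0, 0, 0
    table, pre = odd_powers(M, n, d)
    win = clnw_partition(e, d)
    C = table[int(win[0], 2)]            # the top window is always nonzero (and odd)
    squarings = mults = 0
    for w in win[1:]:
        for _ in range(len(w)):          # step 2a: one squaring per bit in the window
            C = C * C % n
            squarings += 1
        v = int(w, 2)
        if v:                            # step 2b: multiply by the precomputed odd power
            C = C * table[v] % n
            mults += 1
    return C, pre, squarings, mults

if __name__ == "__main__":
    n, M = 1000003, 4321                 # constructed values
    print(clnw_partition(3665, 3))       # ['111', '00', '101', '0', '001']
    C, pre, sq, mu = clnw_exp(M, 3665, n, 3)
    assert C == pow(M, 3665, n)
    print(f"{pre} + {sq} + {mu} = {pre + sq + mu} multiplications")
```

For e = 3665 and d = 3 this gives 4 + 9 + 2 = 15 operations; the plain binary method on the same 12-bit exponent (Hamming weight 6) needs 11 + 5 = 16, and the fixed-window octal method 6 + 9 + 3 = 18 because it cannot skip the zero runs or restrict the table to odd powers.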

Modular Exponentiation: Variable Length Nonzero Windows

Example: d = 5 and q = 2.
101 0 11101 00 10110111 000000 1 00 111 000 1011

Example: d = 10 and q = 4.
1011011 0000 11 000011110111 00 1111110101 0000 11011

Modular Exponentiation: The Factor Method

• The factor method is based on the factorization of the exponent e = r·s, where r is the smallest prime factor of e and s > 1.
• We compute M^e by first computing M^r and then raising this value to the s-th power: (M^r)^s = M^e. The same rule is applied recursively to compute the r-th and s-th powers.
• If e is prime, we first compute M^{e-1}, then multiply this quantity by M.

Factor method for e = 55 = 5·11:
Compute M → M^2 → M^4 → M^5 (3 multiplications); assign y := M^5.
Compute y → y^2 (1 multiplication); assign z := y^2 = M^10.
Compute z → z^2 → z^4 → z^5 (3 multiplications); z^5 = y^10 = M^50.
Compute z^5 → z^5·y = y^11 = M^55 (1 multiplication).
Total: 8 multiplications!

Binary method: e = 55 = (110111)_2, 5 squarings + 4 multiplications = 9 multiplications!!

Sliding Window Method (figure slides)

Modular Exponentiation: The Power Tree Method

Consider the node e of the k-th level, from left to right. Construct the (k+1)-st level by attaching below the node e the nodes e + a_1, e + a_2, e + a_3, …, e + a_k, where a_1, a_2, a_3, …, a_k is the path from the root of the tree to e (note: a_1 = 1 and a_k = e). Discard any duplicates that have already appeared in the tree.

The first levels of the power tree (children grouped under their parent, left to right):

 level 1:  1
 level 2:  2
 level 3:  3 4
 level 4:  5 6 | 8
 level 5:  7 10 | 9 12 | 16
 level 6:  14 | 11 13 15 20 | 18 | 24 | 17 32
 level 7:  19 21 28 | 22 | 23 26 | … (only the children of 14, 11 and 13 are shown)

Computation using the power tree

Find e in the power tree. The sequence of exponents that occurs in the computation of M^e is found on the path from the root to e.

Example: e = 23 requires 6 multiplications: M → M^2 → M^3 → M^5 → M^10 → M^13 → M^23.
Since 23 = (10111)_2, the binary method requires 4 + 3 = 7 multiplications.
Since 23 - 1 = 22 = 2·11, the factor method requires 1 + 5 + 1 = 7 multiplications (1 for M^2, 5 for (M^2)^11, 1 for the final product with M).

Addition Chains

Consider a sequence of integers a_0, a_1, a_2, …, a_r with a_0 = 1 and a_r = e. The sequence is constructed in such a way that for all k ≥ 1 there exist indices i, j < k such that a_k = a_i + a_j.

The length of the chain is r. A short chain for a given e implies an efficient algorithm for computing M^e.

Example: e = 55
BM (binary method):      1 2 3 6 12 13 26 27 54 55   (length 9)
QM (quaternary method):  1 2 3 6 12 13 26 52 55      (length 8)
FM (factor method):      1 2 4 5 10 20 40 50 55      (length 8)
PTM (power tree method): 1 2 3 5 10 11 22 44 55      (length 8)
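The power tree construction and the addition-chain examples above, as an added example that is not part of the original slides: three of the methods written as addition-chain generators (binary, factor, power tree) plus a validator for the chain property, reproducing the chains listed for e = 55 and the e = 23 comparison. The power tree is built exactly as the slide describes (children e + a for each a on the root-to-e path, in path order, duplicates discarded, levels processed left to right). Function names are this example's own.

```python
# Added example, not part of the original slides: addition chains produced by
# the binary, factor and power tree methods, plus a validator.

def is_addition_chain(chain):
    """a_0 = 1 and every a_k (k >= 1) is a_i + a_j for some i, j < k (i = j allowed)."""
    if not chain or chain[0] != 1:
        return False
    for k in range(1, len(chain)):
        prev = chain[:k]
        if not any(chain[k] - a in prev for a in prev):
            return False
    return True

def chain_binary(e):
    """MSB-first binary method: double for every bit after the MSB, add 1 for every set bit."""
    chain = [1]
    for bit in bin(e)[3:]:
        chain.append(chain[-1] * 2)
        if bit == '1':
            chain.append(chain[-1] + 1)
    return chain

def smallest_prime_factor(e):
    p = 2
    while p * p <= e:
        if e % p == 0:
            return p
        p += 1
    return e

def chain_factor(e):
    """Factor method: e = r*s with r the smallest prime factor -> chain for r, then
    the chain for s scaled by r; for prime e, the chain for e-1 followed by e."""
    if e == 1:
        return [1]
    r = smallest_prime_factor(e)
    if r == e:                              # e is prime
        return chain_factor(e - 1) + [e]
    s = e // r
    return chain_factor(r) + [r * a for a in chain_factor(s)[1:]]

def power_tree_path(target):
    """Root-to-target path in the power tree, built level by level until target appears."""
    paths = {1: [1]}                        # node -> path from the root (doubles as 'seen')
    level = [1]
    while target not in paths:
        nxt = []
        for node in level:                  # left to right
            for a in paths[node]:           # children e + a_1, e + a_2, ..., e + a_k
                child = node + a
                if child not in paths:      # discard duplicates already in the tree
                    paths[child] = paths[node] + [child]
                    nxt.append(child)
        level = nxt
    return paths[target]

if __name__ == "__main__":
    for name, fn in (("BM", chain_binary), ("FM", chain_factor), ("PTM", power_tree_path)):
        c = fn(55)
        assert is_addition_chain(c) and c[-1] == 55
        print(f"{name}: {c}  (length {len(c) - 1})")
    print("PTM, e = 23:", power_tree_path(23))
```

The three generators return the BM, FM and PTM rows of the example verbatim; for e = 23 the power tree path has length 6 while the binary and factor chains have length 7, as stated above.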

• Finding a shortest addition chain is believed to be hard (the related problem of a shortest addition sequence reaching a given set of targets is NP-complete).
• Upper bound, given by the binary method: $\lfloor \log_2 e \rfloor + H(e) - 1$, where H(e) is the Hamming weight of e.
• Lower bound, given by Schönhage: $\log_2 e + \log_2 H(e) - 2.13$.
• Heuristics: binary, m-ary, adaptive m-ary, sliding windows, power tree, factor.

Addition-Subtraction Chains

Convert the binary number to a signed-digit representation using the digits {0, 1, -1}.

These techniques use the identity

$2^{i+j-1} + 2^{i+j-2} + \dots + 2^i = 2^{i+j} - 2^i$

to collapse a block of 1s in order to obtain a sparse representation of the exponent.

Example: $(011110)_2 = 2^4 + 2^3 + 2^2 + 2^1 = (1000\bar{1}0) = 2^5 - 2^1$.

These methods require that M^{-1} mod n be supplied along with M.

Recoding Binary Method

Input: M, M^{-1}, e, n.
Output: C := M^e mod n.
1. Obtain the signed-digit recoding d = (d_k d_{k-1} … d_0) of e (one digit more than e may be needed).
2. If d_k = 1 then C := M else C := 1
3. For i = k-1 downto 0
4.   C := C·C mod n
5.   If d_i = 1 then C := C·M mod n
6.   If d_i = 1̄ (i.e. -1) then C := C·M^{-1} mod n
7. Return C;

This algorithm is especially useful for ECC, since there the inverse (the negative of a point) is available at no cost.
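The recoding binary method, as an added example that is not part of the original slides. The signed-digit recoding used here is the non-adjacent form (NAF), one standard way to collapse runs of 1s as in (011110) → (10001̄0); the slide does not fix a particular recoding, so this choice is this example's own. -1 digits are written as -1 in the digit list, M^{-1} is obtained with pow(M, -1, n), and the modulus and base are constructed test values.

```python
# Added example, not part of the original slides: NAF recoding of the exponent
# and the recoding binary method that consumes M and M^-1 mod n.
# Modulus and base are constructed test values.

def naf(e: int):
    """Signed digits of e, MSB first, each in {-1, 0, 1}, no two adjacent nonzero:
    30 = (011110)_2 -> [1, 0, 0, 0, -1, 0], i.e. 2^5 - 2^1."""
    digits = []
    while e > 0:
        if e & 1:
            d = 2 - (e & 3)         # +1 if e = 1 (mod 4), -1 if e = 3 (mod 4)
            e -= d                  # makes e divisible by 4, so the next digit is 0
        else:
            d = 0
        digits.append(d)
        e >>= 1
    return digits[::-1] or [0]

def weight(digits):
    """Number of nonzero digits: each one costs a multiplication."""
    return sum(1 for x in digits if x)

def recoding_binary_exp(M: int, M_inv: int, e: int, n: int):
    """Steps 1-7 of the slide: square per digit, multiply by M or M^-1 for +1 / -1."""
    d = naf(e)                      # step 1: signed-digit recoding
    C = M % n if d[0] == 1 else 1   # step 2 (the leading NAF digit is 1 for e > 0)
    for di in d[1:]:                # step 3
        C = C * C % n               # step 4
        if di == 1:                 # step 5
            C = C * M % n
        elif di == -1:              # step 6
            C = C * M_inv % n
    return C                        # step 7

if __name__ == "__main__":
    n, M = 1000003, 2718            # constructed; M and n are coprime, so M^-1 exists
    M_inv = pow(M, -1, n)
    e = 0b011110
    print(naf(e))                   # [1, 0, 0, 0, -1, 0]
    print("binary weight", bin(e).count("1"), "NAF weight", weight(naf(e)))
    assert recoding_binary_exp(M, M_inv, e, n) == pow(M, e, n)
```

The NAF of an exponent has on average about one third nonzero digits versus one half for the binary expansion, which is where the saving in multiplications comes from; the price is the extra inverse and, for the recoded exponent, one possible extra squaring when the NAF is one digit longer.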

Modular Exponentiation: Binary Method Variations

Side Channel Attacks

Algorithm: Binary exponentiation
Input: a in G, exponent d = (d_k, d_{k-1}, …, d_0) (d_k is the most significant bit, d_k = 1)
Output: c = a^d in G
1. c = a;
2. For i = k-1 down to 0
3.   c = c^2;
4.   If d_i = 1 then c = c·a;
5. Return c;

The time or the power needed to execute c^2 and c·a differ, and step 4 runs only when d_i = 1, so the sequence of operations visible in a timing or power trace reveals the bits of d (side-channel information).

Algorithm: Coron's exponentiation (square-and-multiply-always)
Input: a in G, exponent d = (d_k, d_{k-1}, …, d_0)
Output: c = a^d in G
1. c[0] = 1;
2. For i = k down to 0
3.   c[0] = c[0]^2;
4.   c[1] = c[0]·a;
5.   c[0] = c[d_i];
6. Return c[0];

Every iteration performs one squaring and one multiplication whatever d_i is; the bit only selects which value is kept, so the operation sequence no longer depends on the exponent. (Because c[0] starts at 1, the loop must start at i = k so that the most significant bit is processed.)
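The two algorithms of this slide instrumented to record the sequence of group operations, as an added example that is not part of the original slides. The trace ('S' for a squaring, 'M' for a multiplication) stands in for what a timing or power measurement leaks: the naive trace is parsed back into the exponent, while Coron's square-and-multiply-always yields the same trace for every exponent of the same length. The group is the integers modulo a constructed prime; names and values are this example's own.

```python
# Added example, not part of the original slides: operation traces of naive
# binary exponentiation versus Coron's square-and-multiply-always, and
# recovery of the exponent from the naive trace. Group: integers mod n.

def naive_exp(a: int, d: int, n: int):
    """Binary exponentiation of the slide; returns (c, trace) with d_k = MSB assumed 1."""
    k = d.bit_length() - 1
    c, trace = a % n, []
    for i in range(k - 1, -1, -1):
        c = c * c % n
        trace.append('S')
        if (d >> i) & 1:                     # the leak: this branch depends on the key bit
            c = c * a % n
            trace.append('M')
    return c, trace

def recover_exponent(trace):
    """An 'S' followed by 'M' is a 1 bit, an 'S' followed by 'S' (or by nothing) a 0 bit."""
    bits = ['1']                             # the implicit most significant bit
    for idx, op in enumerate(trace):
        if op == 'S':
            follows_m = idx + 1 < len(trace) and trace[idx + 1] == 'M'
            bits.append('1' if follows_m else '0')
    return int(''.join(bits), 2)

def coron_exp(a: int, d: int, n: int):
    """Square-and-multiply-always: both operations in every iteration, the bit only
    selects the result that is kept. Runs i = k downto 0 because c[0] starts at 1."""
    k = d.bit_length() - 1
    c = [1, 1]
    trace = []
    for i in range(k, -1, -1):
        c[0] = c[0] * c[0] % n
        trace.append('S')
        c[1] = c[0] * a % n
        trace.append('M')
        c[0] = c[(d >> i) & 1]               # in real code this select must be constant-time too
    return c[0], trace

if __name__ == "__main__":
    n, a = 1000003, 31337                    # constructed values
    d = 0b11111010                           # 250
    c, tr = naive_exp(a, d, n)
    assert c == pow(a, d, n)
    print(''.join(tr), '->', bin(recover_exponent(tr)))
    c2, tr2 = coron_exp(a, d, n)
    assert c2 == pow(a, d, n)
    print(''.join(tr2))
```

Caveats a practitioner should keep in mind: square-and-multiply-always only removes the operation-sequence leak. It assumes the squaring and the multiplication are performed by the same routine with indistinguishable timing and power, the selection c[d_i] must itself be constant-time (no branch and no secret-dependent memory index), and the dummy multiplication whose result is discarded is exactly what fault-based safe-error attacks target.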

Modular Exponentiation: LSB-First Binary Method

Let k be the number of bits of e, as before.

Input: M, e, n.
Output: C := M^e mod n
1. R := 1; C := M;
2. For i = 0 to k-1
3.   If e_i = 1 then R := R·C mod n
4.   C := C^2 mod n
5. Return R;

Example: e = 250 = (11111010)_2, thus k = 8

 i  e_i  Step 3: R := R·C         Step 4: C := C^2
 0   0   R = 1                    (M)^2 = M^2
 1   1   1·M^2 = M^2              (M^2)^2 = M^4
 2   0   R = M^2                  (M^4)^2 = M^8
 3   1   M^2·M^8 = M^10           (M^8)^2 = M^16
 4   1   M^10·M^16 = M^26         (M^16)^2 = M^32
 5   1   M^26·M^32 = M^58         (M^32)^2 = M^64
 6   1   M^58·M^64 = M^122        (M^64)^2 = M^128
 7   1   M^122·M^128 = M^250      (M^128)^2 = M^256

The LSB-first binary method requires:
• Squarings: k-1 (the last squaring, (M^128)^2 above, is not needed)
• Multiplications: the number of 1s in the binary expansion of e, excluding the MSB.

The total number of multiplications (squarings included):
• Maximum: (k-1) + (k-1) = 2(k-1)
• Minimum: (k-1) + 0 = k-1
• Average: (k-1) + 1/2 (k-1) = 1.5(k-1)

Same as before, but here the multiplication R·C of step 3 and the squaring C^2 of step 4 are independent of each other, so they can be computed in parallel!!

Multiplier Architecture [Mario García et al., ENC03] (figure slide)

Development (q-ary Method) (figure slide)

Example

• 0xCAFE = 1100 1010 1111 1110
• BM: 10 mult. + 15 sqr.
• q-ary: 3 mult. + 47 sqr. + 7 symb.
• q-ary + PC: 3 mult. + 3 sqr. + 28 symb.

$M^{\mathrm{0xCAFE}} = M^{\mathrm{C}\cdot 16^3} \cdot M^{\mathrm{A}\cdot 16^2} \cdot M^{\mathrm{F}\cdot 16^1} \cdot M^{\mathrm{E}\cdot 16^0}$

Development (q-ary Method)

• Precomputation of W.
• Size of q.
• Computation of d = 2^p · q

Development (Analysis)

• Memory size and execution time of the precomputation W.
• Number of multiplications and squarings for the q-ary method.

Execution Time vs. Number of Processors (figure slide)

Memory Size (figure slide)