modular exponentiation

Aritmética Computacional Francisco Rodríguez Henríquez

Modular Exponentiation

We do NOT compute C := Me mod n

By first computing Me

And then computing C := (Me) mod n

Temporary results must be reduced modulo

n at each step of the exponentiation.

How many multiplications are needed??

Naïve Answer (requires 14 multiplications):

M M2 M3 M4 M5 … M15

Binary Method (requires 6 multiplications):

M M2 M3 M6 M7 M14 M15

Modular Exponentiation: Binary Method

Let k be the number of bits of e, i.e.,

Input: M, e, n.

Output: C := Me mod n 1. If ek-1 = 1 then C := M else C := 1;2. For i = k-2 downto 0

3. C := C2 mod n4. If ei = 1 then C := CM mod n

5. Return C;

1,0for

eeeeee

Example: e = 250 = (11111010), thus k = 8

Initially, C = M since ek-1 = e7 = 1.i ei Step 2a Step 2b

7 1 M M6 1 (M)2 = M2 M2M = M3

5 1 (M3)2 = M6 M6M = M7

4 1 (M7)2 = M14 M14M = M15

3 1 (M15)2 = M30 M30M = M31

2 0 (M31)2 = M62 M62

1 1 (M62)2 = M124 M124M = M125

0 0 (M125)2 = M250 M250

The binary method requires:• Squarings: k-1• Multiplications: The number of 1s in the binary

expansion of e, excluding the MSB.The total number of multiplications:Maximum: (k-1) + (k-1) = 2(k-1)Minimum: (k-1) + 0 = k-1Average: (k-1) + 1/2 (k-1) = 1.5(k-1)

By scanning the bits of e2 at a time: quaternary method3 at a time: octal methodEtc.m at a time: m-ary method.Consider the quaternary method: 250 = 11 11 10 10Some preprocessing required.At each step 2 squaring performed.

Modular Exponentiation: Quaternary Method

Example:

bits j Mj

00 0 101 1 M10 2 MM =M2

11 3 M2M =M3

Modular Exponentiation: Quaternary Method

Example: e = 250 = 11 11 10 10

The number of multiplications: 2+6+3 = 11

bits Step 2a Step 2b11 M3 M3

11 (M3)4 = M12 M12M3 =M15

10 (M15)4 = M60 M60M2 =M62

10 (M62)4 = M248 M248M2 =M250

Modular Exponentiation: Octal Method

bits j Mj

000 0 1001 1 M010 2 MM =M2

011 3 M2M =M3

100 4 M3M =M4

101 5 M4M =M5

110 6 M5M =M6

111 7 M6M =M7

Example: e = 250 = 011 111 010

The number of multiplications: 6+6+2 = 14(compute only M2 and M7: 4+6+2 = 12)

111 (M3)8 = M24 M24M7 =M31

010 (M31)8 = M248 M248M2 =M250

Assume 2d = m and k/d is an integer. The average number of multiplications plus squarings required by the m-ary method:

• Preprocessing Multiplications: m-2 = 2d – 2. (why??)

• Squarings: (k/d - 1) d = k – d. (why??)• Multiplications:• Moral: There is an optimum d for every k.

Modular Exponentiation: Average Number of Multiplications

k BM MM d Savings %8 11 10 2 9.116 23 21 2 8.632 47 43 2, 3 8.564 95 85 3 10.5

128 191 167 3, 4 12.6256 383 325 4 15.1512 767 635 5 17.2

1024 1535 1246 5 18.82048 3071 2439 6 20.6

Modular Exponentiation: Preprocessing Multiplications

Consider the following exponent for k = 16 and d = 4: 1011 0011 0111 1000

Which implies that we need to compute Mw mod n for only: w = 3, 7, 8, 11.

M2 = MM; M3 = M2M; M4 = M2M2;

M7 = M3M4; M8 = M4 M4; M11 = M8M3.This requires 6 multiplications. Computing all of the

exponent values would require 16-2 = 14 preprocessing multiplications.

Modular Exponentiation: Sliding Window Techniques

Based on adaptive (data dependent) m-ary partitioning of the exponent.

• Constant length nonzero windowsRule: Partition the exponent into zero words of any

length and nonzero words of length d.• Variable length nonzero windowsRule: Partition the exponent into zero words of length at

least q and nonzero words of length at most d.

Modular Exponentiation: Constant length nonzero Windows

Example: for d = 3, we partition e = 3665 = (111001010001)2

As 111 00 101 0 001First compute Mj for odd j [1, m-1]

bits j Mj

001 1 M010 2 MM = M2

011 3 MM2 = M3

101 5 M3M2 = M5

111 7 M5M2 = M7

As 111 00 101 0 001First compute Mj for odd j [1, m-1]

00 (M7)4 = M28 M28

101 (M28)8 = M224 M224M5 = M229

0 (M229)2 = M458 M458

001 (M458)8 = M3664 M3664M1 = M3665

As 111 00 101 0 001Average Number of Multiplications

k m-ary d CLNW d %

128 167 4 156 4 6.6256 325 4 308 5 5.2512 635 5 607 5 4.4

1024 1246 5 1195 6 4.12048 2439 6 2360 7 3.2

Modular Exponentiation: Variable Length nonzero Windows

Example: d = 5 and q = 2. 101 0 11101 00 10110111 000000 1 00 111 000 1011

Example: d = 10 and q = 4. 1011011 0000 11 000011110111 00 1111110101 0000 11011

Modular Exponentiation: The Factor Method.

• The factor Method is based on factorization of the exponent e = rs where r is the smallest prime factor of e and s > 1.

• We compute Me by first computing Mr and then raising this value to the sth power.

(Mr)s = Me.

If e is prime, we first compute Me-1, then multiply this quantity by M.

Modular Exponentiation: The Factor Method.

Factor Method: 55 = 511.Compute M M2 M4 M5;Assign y := M5;Compute y y2;Assign z := y2;Compute z z2 z4 z5;Compute z5 (z5y) = y11 = M55;Total: 8 multiplications!Binary Method: e = 55 = (110111)2

5+4 = 9 multiplications!!

Sliding Window Method.

Modular Exponentiation: The Power Tree Method.

Consider the node e of the kth level, from left to right. Construct the (k+1)st level by attaching below the node e the nodes e + a1, e + a2, e + a3, …, e + ak

Where a1, a2, a3, …, ak

is the path from the root of the tree to e.

(Note: a1 = 1 and ak = e)

Discard any duplicates that have already appeared in the tree.

14 11 13 15 20

19 21 28 22 23 26

Computation using power tree.

Find e in the power tree. The sequence of exponents that occurs in the computation of Me is found on the path from the root to e.

Example: e = 23 requires 6 multiplications.M M2 M3 M5 M10 M13 M23.Since 23 = (10111), the binary method requires 4 + 3 = 7

multiplications. Since 23 -1 = 22 = 211, the factor method requires 1 + 5

+ 1 = 7 multiplications.

Addition Chains

Consider a sequence of integers a0, a1, a2, …, ar

With a0 = 1 and ar = e. The sequence is constructed in such a way that

for all k there exist indices i, j ≤ k such that, ak = ai + aj.

The length of the chain is r. A short chain for a given e implies an efficient algorithm for computing Me.

Example: e = 55 BM: 1 2 3 6 12 13 26 27 54 55

QM: 1 2 3 6 12 13 26 52 55

FM: 1 2 4 5 10 20 40 50 55

PTM: 1 2 3 5 10 11 22 44 55

Addition Chains

• Finding the shortest addition chain is NP-complete.

• Upper-bound is given by binary method:

Where H(e) is the Hamming weight of e.

• Lower-bound given by Schönhage:

• Heuristics: binary, m-ary, adaptive m-ary, sliding windows, power tree, factor.

1log2 eHe

13.2log2 eHe

Addition-Subtraction Chains

Convert the binary number to a signed-digit representation using the digits {0, 1, -1}.

These techniques use the identity: 2i+j-1 + 2i+j-2 +…+2i = 2i+j - 2i

To collapse a block of 1s in order to obtain a sparse representation of the exponent.

Example: (011110) = 24 + 23 + 22 + 21

(10001’0) = 25 - 21

These methods require that M-1 mod n be supplied along with M.

Recoding Binary Method

Input: M, M-1, e, n.Output: C := Me mod n.1. Obtain signed-digit recoding d of e.2. If dk = 1 then C := M else C := 1

3. For i = k -1 downto 04. C := CC mod n5. If di = 1 then C := CM mod n

6. If di = 1’ then C := C M-1 mod n

7. Return C;

This algorithm is especially usefulFor ECC since theInverse is availableAt no cost.

Modular Exponentiation: Binary Method Variations

Side Channel Attacks

Algorithm Binary exponentiation Input: a in G, exponent d = (dk,dk-1,…,d0)　　　　　 (dk is the most significant bit) Output: c = ad in G 1. c = a; 2. For i = k-1 down to 0; 3. c = c2; 4. If di =1 then c = c*a; 5. Return c;

The time or the power to execute c2 and c*a are different

(side channel information).

Algorithm Coron’s exponentiation Input: a in G, exponent d = (dk,dk-1,…,dl0) Output: c = ad in G 1. c[0] = 1; 2. For i = k-1 down to 0; 3. c[0] = c[0]2; 4. c[1] = c[0]*a; 5. c[0] = c[di]; 6. Return c[0];

Mod. Exponentiation: LSB-First Binary

Let k be the number of bits of e, i.e.,

Input: M, e, n.

Output: C := Me mod n 1. R:= 1; C := M;2. For i = 0 to n-1

3. If ei = 1 then R := RC mod n4. C := C2 mod n

5. Return R;

1,0for

eeeeee

Modular Exponentiation: LSB First Binary

Example: e = 250 = (11111010), thus k = 8

i ei Step 3 (R) Step 4 (C)

7 0 1 M2

6 1 1*(M)2 = M2 (M2)2 = M4 5 0 M2 (M4)2 = M8

4 1 M2 * M8= M10 (M8)2 = M16

3 1 M10 * M16= M26 (M16)2 = M32

2 1 M26 * M32= M58 (M32)2 = M64

1 1 M58 * M64= M122 (M64)2 = M128

0 1 M122 * M128= M250 (M128)2 = M256

Modular Exponentiation: LSB First Binary

The LSB-First binary method requires:• Squarings: k-1• Multiplications: The number of 1s in the binary

expansion of e, excluding the MSB.The total number of multiplications:Maximum: (k-1) + (k-1) = 2(k-1)Minimum: (k-1) + 0 = k-1Average: (k-1) + 1/2 (k-1) = 1.5(k-1)Same as before, but here we can compute the

Multiplication operation in parallel with the squarings!!

Arquitectura del Multiplicador[Mario García et al ENC03]

Desarrollo (Método q-ario)

Ejemplo

• 0xCAFE = 1100 1010 1111 1110• BM: 10 Mult. + 15 Sqr.• Q-ary : 3 Mult + 47 sqr + 7

Symb.• Q-ary+PC:3 Mult. + 3sqr. + 28 Symb

0123 16161616 EFACCAFE MMMMM

Desarrollo (Método q-ario)

• Precálculo de W.

• Tamaño de q.

• Cálculo de d = 2^p * q

Desarrollo (Análisis)

• Tamaño de memoria y tiempo de ejecución del precómputo W.

• Número de multiplicaciones y elevaciones al cuadrado para método q-ario.

Tiempo de Ejecución Vs. Número de Procs.

Tamaño de Memoria

modular exponentiation

Documents

modular exponentiation on reconï¬gurable hardware

n multi exponentiation in cryptography · 2002-10-28 · on...

cryptographic algorithms and their implementations...

horizontal correlation analysis on exponentiation ·...

modular exponentiation algorithm analysis for energy...

torturing openssl - black hat briefings · rithm, used in...

to do rsa we need fast modular exponentiation and primality

fast batch veriï¬‚cation for modular exponentiation and...

efficient software implementations of modular...

elliptic curve cryptosystems using efficient...

exploiting collisions in addition chain-based exponentiation...

spa on mist exponentiation algorithm with multiple

lecture 13: modular inverse, exponentiation · 2018. 4....

fast parallel exponentiation algorithm for rsa public-key

fpga implementation of modular exponentiation using...

cs 312: algorithm analysis lecture #3: algorithms for...

cryptography lecture 6 - public key principles, one-way...

rsa and primality testing -...

new single-trace side-channel attacks on a speci …the...

a new modified cmm modular exponentiation algorithm...2.3....