oeo: o ptimization of e xponentiation o peration ~ a brief discussion ~
DESCRIPTION
OEO: O ptimization of E xponentiation O peration ~ A Brief Discussion ~. Kirti Chawla [email protected]. Outline. Problem definition Motivation Prevalent Approaches Suggestion Q & A/Feedback. Problem definition. Given n, compute g n - PowerPoint PPT PresentationTRANSCRIPT
Outline
1. Problem definition
2. Motivation
3. Prevalent Approaches
4. Suggestion
5. Q & A/Feedback
Problem definition
Given n, compute gn
Where, g is fixed element of a group and n < N (order of group).
Motivation
1. Exponentiation is the most frequently used operation in algorithms including:• Factorization and primality testing• GCD computation• RSA public key cryptosystem• Verification of polynomial identities• …
2. Exponentiation is also found in most widely deployed authentication protocols including:• Diffie-Hellman Key Exchange• Internet Key Exchange a.k.a IKE• Secure Socket Layer a.k.a SSL• …
3. Quick biased conclusion: Any and all optimization of exponentiation operation improves performance for aforementioned algorithms and protocols.
Prevalent Approach 1
Approach 1: Montgomery Multiplication
Step 1. Pick A, B, R, N s.t k; (((R = 2k) > N) (GCD(R, N) = 1))
Step 2. Find R’ and N’ s.t. (RR’ – NN’ = 1)
Step 3. Construct a function F with following details:F(T){
m (T mod R) N’ (mod R) t (T + mN)/R
return t}
It should evident here that F(T) returns (TR’ mod N), where T = A * B
Also, RR’ 1 (mod N), NN’ -1 (mod N)
Also, the output of F(T) lies in range [0, N – 1]
Prevalent Approach 1 cont’d
Example:
Let N = 79, A = 17, B = 26, R = 100; (relaxed requirement for R = 2k)R’ = 64, N’ = 81; (check RR’ – NN’ = 1)
A’; (17 A’ * 100 mod 79) (17 * 64 A’ mod 79) (17 * 64 61 mod 79)B’; (17 B’ * 100 mod 79) (26 * 64 B’ mod 79) (26 * 64 5 mod 79)
Therefore, A * B in above representation can be seen as follows:
A * B = 17 * 26 = 442 (61 * 100) * (5 * 100) (305) * (100) * (100) (68) * (100) * (100) mod 79
442*64 (68) * (100) mod 79 (28228) mod 79 6 (68) * (100) mod 79
Therefore, F(T) should take 442 as input and return 6, which can be verified as under:
T = 442, R = 100, R’ = 64, N’ = 81, N = 79
m (T mod R) * N’ * (mod R) t (T + mN)/R (442 mod 100) * 81 * (mod 100) (442 + 2*79)/100 (42 * 81) mod 100 600/100 6 mod 79
Prevalent Approach 2
Approach 2: Brickell, Gordon, McCurley and Wilson or BGMW by [Gordon et al]
Premise: square-and-multiply (from: addition chains) method for gn requires 2 logN, where N is order of group.
Suggestion: Pre-compute and store powers of 2 (of g).
Quick inference 1: There is no reason to store powers of 2
Quick inference 2: Pre-compute gx0, gx1, … gxm-1 for some integers x0, x1 … xm-1
Requirement: Find a decomposition for n s.t.
Where, 0 a h and 0 i < m
What are the implications ?
m-1
i ii=0
n = a x
Prevalent Approach 2 cont’d
gn can be computed as follows:
Algorithm: ComputeG(gxi){
b 1a 1
for (d = h; d 1; d--){
for (i=0; ai == d; i++){
b b * gxi
}a a * b
}
return a;}
i
i
hxn d
d dd=1 a =d
g = c ;where c = g
Prevalent Approach 2 cont’d
Quick Inference 3: number of multiplications are 2h – 2
Quick Inference 4: if cd’s have no relation amongst themselves, then aforementioned metric is optimal.
1.Approach 2 is extended to other number system as well
2.Approach 2 can be parallelized. It is shown as under:• b b * gxi (calculation for cd); spread each cd to 1 of h available• a a * b (calculation of gn); each processor can compute cd for one d
using addition chain method and finally repeated multiplication in pairs to form gn.
3.This offers the speedup of (loglogN) worst-case using (logN/log2logN) processors.
Prevalent Approach 3
Approach 3: Flexibility + BGMW approach [Lim et al] Approach
Step 1. Divide n (from: gn) into h blocks ni; where, 0 i h – 1 of size k = b/h
Step 2. Further, divide ni into smaller blocks ni, j; where 0 j v – 1 of size t = k/v
Step 3. This division of n for gn transforms the problem of computation as under:
Step 4. if we have ni to be expressed in binary representation then gn can be written as under:
Step 5. Using pre-computed and stored values of G[j][i] = (G[0][i])2jb
2
1 12 ,
0 0 01
k
jbb h
n jb ki
k j iv
g g
,1
2
0 01
i jjbh n
ni
j iv
g g
Prevalent Approach 3
Algorithm: ComputeG(G[0][i]){
Z 1for (k = b – 1; k 0; k--){
Z Z*Zfor (j = v – 1; j 0; j--){
Z Z*G[j][Ij, k]}
}return Z;
}
0 1 2 … h – 1
01…
v – 1
i
j
Suggestion
Suppose gN is to be calculated, where N can be broken into p, q s.t. N = p * q.
Furthermore, p and q are s.t. p * q = 10 * (p + q)
WLOG, gN = gp * q = g10 * (p + q)
Where, g10 can be pre-computed and stored.
Additionally, if N is prime, the N can be broken into p, q s.t. N = 10 * (p + q) + CWhere C is any constant
For example, if p = 35, q = 14, C = 1 N = 491
WLOG, gN = g10 * (p + q) + C
Where, g10 and gC can be pre-computed and stored.
Suggestion cont’d
Suggestion cont’d
gC1 gC2 gC3 gC4 … gCk
+
E
p
q
g10
gNp + q
g10 * (p + q)
g10 * (p + q) + c
Q & A/Feedback
Feedback