Modular Exponentiation

Transcripción

Aritmética Computacional
Francisco Rodríguez Henríquez
We do NOT compute C := Me mod n
By first computing Me
And then computing C := (Me) mod n
Temporary results must be reduced modulo
n at each step of the exponentiation.
M15
How many multiplications are needed??
Naïve Answer (requires 14 multiplications):
M→ M2 → M3 → M4 → M5 →… → M15
Binary Method (requires 6 multiplications):
M→ M2 → M3 → M6 → M7 →M14→ M15
Modular Exponentiation: Binary Method
Let k be the number of bits of e, i.e.,
k = 1 + !log 2 e"
k %1
Input: M, e, n.
e = (ek %1ek % 2 K e1e0 ) = $ ei 2 i
i =0
for ei # {0,1}
Output: C := Me mod n
1. If ek-1 = 1 then C := M else C := 1;
2. For i = k-2 downto 0
3. C := C2 mod n
4. If ei = 1 then C := C⋅M mod n
5. Return C;
Example: e = 250 = (11111010), thus k = 8
Initially, C = M since ek-1 = e7 = 1.
i
ei
Step 2a
Step 2b
7
1
M
6
1
(M)2 = M2
M
M2⋅M = M3
5
1
(M3)2 = M6
M6⋅M = M7
4
1
(M7)2 = M14
M14⋅M = M15
3
1
(M15)2 = M30
M30⋅M = M31
2
0
(M31)2 = M62
M62
1
1
(M62)2 = M124
M124⋅M = M125
0
0
(M125)2 = M250
M250
The binary method requires:
•
Squarings: k-1
•
Multiplications: The number of 1s in the binary
expansion of e, excluding the MSB.
The total number of multiplications:
Maximum: (k-1) + (k-1) = 2(k-1)
Minimum: (k-1) + 0 = k-1
Average:
(k-1) + 1/2 (k-1) = 1.5(k-1)
By scanning the bits of e
2 at a time: quaternary method
3 at a time: octal method
Etc.
m at a time: m-ary method.
Consider the quaternary method: 250 = 11 11 10 10
Some preprocessing required.
At each step 2 squaring performed.
Modular Exponentiation: Quaternary Method
Example:
bits
00
01
10
11
j
0
1
2
3
Mj
1
M
M⋅M =M2
M2⋅M =M3
Modular Exponentiation: Quaternary Method
Example: e = 250 = 11 11 10 10
bits
Step 2a
Step 2b
11
M3
11
10
(M3)4 = M12
(M15)4 = M60
M3
M12⋅M3 =M15
M60⋅M2 =M62
10
(M62)4 = M248
M248⋅M2 =M250
The number of multiplications: 2+6+3 = 11
Modular Exponentiation: Octal Method
bits
000
001
010
011
100
101
110
111
j
0
1
2
3
4
5
6
7
Mj
1
M
M⋅M =M2
M2⋅M =M3
M3⋅M =M4
M4⋅M =M5
M5⋅M =M6
M6⋅M =M7
Example: e = 250 = 011 111 010
bits
Step 2a
Step 2b
011
M3
111
010
(M3)8 = M24
(M31)8 = M248
M3
M24⋅M7 =M31
M248⋅M2 =M250
The number of multiplications: 6+6+2 = 14
(compute only M2 and M7: 4+6+2 = 12)
Assume 2d = m and k/d is an integer. The average
number of multiplications plus squarings
required by the m-ary method:
•
•
Preprocessing Multiplications: m-2 = 2d – 2.
(why??)
Squarings: (k/d - 1) ⋅ d = k – d. (why??)
•
Multiplications:
•
Moral: There is an optimum d for every k.
m '1 & k #
( $ ' 1! = 1 ' 2 ' d
m %d "
(
)( &$ dk ' 1#!
%
"
Modular Exponentiation: Average Number of
Multiplications
k
8
16
32
64
128
256
512
1024
BM
11
23
47
95
191
383
767
1535
MM
10
21
43
85
167
325
635
1246
d
2
2
2, 3
3
3, 4
4
5
5
Savings %
9.1
8.6
8.5
10.5
12.6
15.1
17.2
18.8
2048
3071
2439
6
20.6
Modular Exponentiation: Preprocessing
Multiplications
Consider the following exponent for k = 16 and d =
4:
1011 0011 0111 1000
Which implies that we need to compute Mw mod n
for only: w = 3, 7, 8, 11.
M2 = M⋅M;
M3 = M2⋅M;
M4 = M2⋅M2;
M7 = M3⋅M4;
M8 = M4⋅ M4;
M11 = M8⋅M3.
This requires 6 multiplications. Computing all of the
exponent values would require 16-2 = 14
preprocessing multiplications.
Modular Exponentiation: Sliding Window
Techniques
Based on adaptive (data dependent) m-ary partitioning of
the exponent.
•
Constant length nonzero windows
Rule: Partition the exponent into zero words of any
length and nonzero words of length d.
•
Variable length nonzero windows
Rule: Partition the exponent into zero words of length at
least q and nonzero words of length at most d.
Modular Exponentiation: Constant length
nonzero Windows
Example: for d = 3, we partition
e = 3665 = (111001010001)2
As 111 00 101 0 001
First compute Mj for odd j ∈ [1, m-1]
bits
001
010
011
101
111
j
1
2
3
5
7
Mj
M
M⋅M = M2
M⋅M2 = M3
M3⋅M2 = M5
M5⋅M2 = M7
nonzero Windows
e = 3665 = (111001010001)2
As 111 00 101 0 001
First compute Mj for odd j ∈ [1, m-1]
bits
111
00
101
0
001
Step 2a
M7
(M7)4 = M28
(M28)8 = M224
(M229)2 = M458
(M458)8 = M3664
Step 2b
M7
M28
M224⋅M5 = M229
M458
M3664⋅M1 = M3665
nonzero Windows
e = 3665 = (111001010001)2
As 111 00 101 0 001
Average Number of Multiplications
k
m-ary
d
CLNW
d
%
128
256
512
1024
2048
167
325
635
1246
2439
4
4
5
5
6
156
308
607
1195
2360
4
5
5
6
7
6.6
5.2
4.4
4.1
3.2
Modular Exponentiation: Variable Length
nonzero Windows
Example: d = 5 and q = 2.
101 0 11101 00 101
10111 000000 1 00 111 000 1011
Example: d = 10 and q = 4.
1011011 0000 11 0000
11110111 00 1111110101 0000 11011
Modular Exponentiation: The Factor Method.
•
The factor Method is based on factorization of the
exponent e = rs where r is the smallest prime factor
of e and s > 1.
•
We compute Me by first computing Mr and then
raising this value to the sth power.
(Mr)s = Me.
If e is prime, we first compute Me-1, then multiply this
quantity by M.
Modular Exponentiation: The Factor Method.
Factor Method: 55 = 5⋅11.
Compute M → M2 → M4 → M5;
Assign y := M5;
Compute y → y2;
Assign z := y2;
Compute z → z2 → z4 → z5;
Compute z5 → (z5y) = y11 = M55;
Total: 8 multiplications!
Binary Method: e = 55 = (110111)2
5+4 = 9 multiplications!!
Sliding Window Method.
Modular Exponentiation: The Power Tree
Method.
Consider the node e of the kth level, from left to right.
Construct the (k+1)st level by attaching below the
node e the nodes e + a1, e + a2, e + a3, …, e + ak
Where
a1, a2, a3, …, ak
is the path from the root of the tree to e.
(Note: a1 = 1 and ak = e)
Discard any duplicates that have already appeared in the
tree.
Method.
1
2
4
3
6
5
7
14
19
21
11 13 15
28
12
18
24
10
9
22
8
16
17
32
20
23 26
Method.
Computation using power tree.
Find e in the power tree. The sequence of exponents that
occurs in the computation of Me is found on the path
from the root to e.
Example: e = 23 requires 6 multiplications.
M → M2 → M3 → M5 → M10 → M13 → M23.
Since 23 = (10111), the binary method requires 4 + 3 = 7
multiplications.
Since 23 -1 = 22 = 2⋅11, the factor method requires 1 + 5
+ 1 = 7 multiplications.
Addition Chains
Consider a sequence of integers a0, a1, a2, …, ar
With a0 = 1 and ar = e. The sequence is constructed in such a way
that for all k there exist indices i, j ≤ k such that, ak = ai + aj.
The length of the chain is r. A short chain for a given e implies an
efficient algorithm for computing Me.
Example: e = 55
BM: 1 2 3 6 12 13 26 27 54 55
QM: 1 2 3 6 12 13 26 52 55
FM: 1 2 4 5 10 20 40 50 55
PTM: 1 2 3 5 10 11 22 44 55
Addition Chains
•
Finding the shortest addition chain is NP-complete.
•
Upper-bound is given by binary method:
!log 2 e" + H (e )# 1
Where H(e) is the Hamming weight of e.
•
Lower-bound given by Schönhage:
!log 2 e" + H (e )# 2.13
•
Heuristics: binary, m-ary, adaptive m-ary, sliding windows,
power tree, factor.
Addition-Subtraction Chains
Convert the binary number to a signed-digit
representation using the digits {0, 1, -1}.
These techniques use the identity: 2i+j-1 + 2i+j-2 +…+2i =
2i+j - 2i
To collapse a block of 1s in order to obtain a sparse
representation of the exponent.
Example:
(011110) = 24 + 23 + 22 + 21
(10001’0) = 25 - 21
These methods require that M-1 mod n be supplied along
with M.
Recoding Binary Method
Input:
M, M-1, e, n.
Output:
C := Me mod n.
1. Obtain signed-digit recoding d of e.
2. If dk = 1 then C := M else C := 1
3. For i = k -1 downto 0
4. C := C⋅C mod n
5. If di = 1 then C := C⋅M mod n
6. If di = 1’ then C := C⋅ M-1 mod n
This algorithm
is especially useful
For ECC since the
Inverse is available
At no cost.
7. Return C;
Modular Exponentiation: Binary
Method Variations
Side Channel Attacks
Algorithm Binary exponentiation
Input: a in G, exponent d = (dk,dk-1,…,d0)
(dk is the most significant bit)
Output: c = ad in G
1. c = a;
2. For i = k-1 down to 0;
3. c = c2;
4. If di =1 then c = c*a;
5. Return c;
The time or the power to execute
c2 and c*a are different
(side channel information).
Algorithm Coron’s exponentiation
Input: a in G, exponent d = (dk,dk-1,…,dl0)
Output: c = ad in G
1. c[0] = 1;
2. For i = k-1 down to 0;
3. c[0] = c[0]2;
4. c[1] = c[0]*a;
5. c[0] = c[di];
6. Return c[0];
Mod. Exponentiation: LSB-First Binary
Let k be the number of bits of e, i.e.,
k = 1 + !log 2 e"
k %1
Input: M, e, n.
e = (ek %1ek % 2 K e1e0 ) = $ ei 2 i
i =0
for ei # {0,1}
Output: C := Me mod n
1. R:= 1; C := M;
2. For i = 0 to n-1
3. If ei = 1 then R := R⋅C mod n
4. C := C2 mod n
5. Return R;
Modular Exponentiation: LSB First Binary
Example: e = 250 = (11111010), thus k = 8
i
ei
Step 3 (R)
Step 4 (C)
7
0
1
M2
6
1
1*(M)2 = M2
(M2)2 = M4
5
0
M2
(M4)2 = M8
4
1
M2 * M8= M10
(M8)2 = M16
3
1
M10 * M16= M26
(M16)2 = M32
2
1
M26 * M32= M58
(M32)2 = M64
1
1
M58 * M64= M122
(M64)2 = M128
0
1
M122 * M128=
M250
(M128)2 = M256
Modular Exponentiation: LSB First Binary
The LSB-First binary method requires:
• Squarings: k-1
• Multiplications: The number of 1s in the binary
expansion of e, excluding the MSB.
The total number of multiplications:
Maximum: (k-1) + (k-1) = 2(k-1)
Minimum: (k-1) + 0 = k-1
Average: (k-1) + 1/2 (k-1) = 1.5(k-1)
Same as before, but here we can compute the
Multiplication operation in parallel with the
squarings!!
Arquitectura del Multiplicador
[Mario García et al ENC03]
Desarrollo (Método q-ario)
Ejemplo
M
•
•
•
•
CAFE
=M
C !163
M
A!16 2
M
F !161
M
E !160
0xCAFE = 1100 1010 1111 1110
BM:
10 Mult. + 15 Sqr.
Q-ary :
3 Mult + 47 sqr + 7 Symb.
Q-ary+PC:
3 Mult. + 3sqr. + 28 Symb
Desarrollo (Método q-ario)
• Precálculo de W.
• Tamaño de q.
• Cálculo de d = 2^p * q
Desarrollo (Análisis)
• Tamaño de memoria y tiempo de
ejecución del precómputo W.
• Número de multiplicaciones y
elevaciones al cuadrado para método qario.
Tiempo de Ejecución Vs. Número de Procs.
Tamaño de Memoria

Modular Exponentiation

Transcripción

Documentos relacionados

Iberia Airlines

Roma. El mundial anticipado de Papa Francisco

Pages 87-117 - La Santa Sede