Modular Exponentiation
Aritmética Computacional, Francisco Rodríguez Henríquez

Modular Exponentiation
We do NOT compute C := M^e mod n by first computing M^e and then computing C := (M^e) mod n. Temporary results must be reduced modulo n at each step of the exponentiation.

Modular Exponentiation: M^15
How many multiplications are needed?
Naïve answer (requires 14 multiplications): M → M^2 → M^3 → M^4 → M^5 → … → M^15
Binary method (requires 6 multiplications): M → M^2 → M^3 → M^6 → M^7 → M^14 → M^15

Modular Exponentiation: Binary Method
Let k be the number of bits of e, i.e., $k = 1 + \lfloor \log_2 e \rfloor$.
Input: M, e, n, with $e = (e_{k-1} e_{k-2} \ldots e_1 e_0)_2 = \sum_{i=0}^{k-1} e_i 2^i$ for $e_i \in \{0, 1\}$.
Output: C := M^e mod n
1. If e_{k-1} = 1 then C := M else C := 1;
2. For i = k-2 downto 0
3.   C := C^2 mod n
4.   If e_i = 1 then C := C·M mod n
5. Return C;

Modular Exponentiation: Binary Method
Example: e = 250 = (11111010)_2, thus k = 8. Initially C = M since e_{k-1} = e_7 = 1.
i  e_i  Step 2a (square)     Step 2b (multiply)
7  1    -                    M
6  1    (M)^2 = M^2          M^2·M = M^3
5  1    (M^3)^2 = M^6        M^6·M = M^7
4  1    (M^7)^2 = M^14       M^14·M = M^15
3  1    (M^15)^2 = M^30      M^30·M = M^31
2  0    (M^31)^2 = M^62      M^62
1  1    (M^62)^2 = M^124     M^124·M = M^125
0  0    (M^125)^2 = M^250    M^250

Modular Exponentiation: Binary Method
The binary method requires:
• Squarings: k-1
• Multiplications: the number of 1s in the binary expansion of e, excluding the MSB.
The total number of multiplications:
Maximum: (k-1) + (k-1) = 2(k-1)
Minimum: (k-1) + 0 = k-1
Average: (k-1) + 1/2 (k-1) = 1.5(k-1)

Modular Exponentiation
By scanning the bits of e
2 at a time: quaternary method
3 at a time: octal method
Etc.
m at a time: m-ary method.
Consider the quaternary method: 250 = 11 11 10 10
Some preprocessing is required. At each step 2 squarings are performed.
Modular Exponentiation: Quaternary Method
Example: precomputation table
bits  j  M^j
00    0  1
01    1  M
10    2  M·M = M^2
11    3  M^2·M = M^3

Modular Exponentiation: Quaternary Method
Example: e = 250 = 11 11 10 10
bits  Step 2a (4th power)   Step 2b (multiply)
11    -                     M^3
11    (M^3)^4 = M^12        M^12·M^3 = M^15
10    (M^15)^4 = M^60       M^60·M^2 = M^62
10    (M^62)^4 = M^248      M^248·M^2 = M^250
The number of multiplications: 2 + 6 + 3 = 11 (2 preprocessing, 6 squarings, 3 multiplications).

Modular Exponentiation: Octal Method
bits  j  M^j
000   0  1
001   1  M
010   2  M·M = M^2
011   3  M^2·M = M^3
100   4  M^3·M = M^4
101   5  M^4·M = M^5
110   6  M^5·M = M^6
111   7  M^6·M = M^7

Modular Exponentiation: Octal Method
Example: e = 250 = 011 111 010
bits  Step 2a (8th power)   Step 2b (multiply)
011   -                     M^3
111   (M^3)^8 = M^24        M^24·M^7 = M^31
010   (M^31)^8 = M^248      M^248·M^2 = M^250
The number of multiplications: 6 + 6 + 2 = 14 (computing only M^2 and M^7 in the preprocessing: 4 + 6 + 2 = 12).

Modular Exponentiation: Octal Method
Assume 2^d = m and that k/d is an integer. The average number of multiplications plus squarings required by the m-ary method:
• Preprocessing multiplications: m - 2 = 2^d - 2. (why??)
• Squarings: (k/d - 1)·d = k - d. (why??)
• Multiplications: $\frac{m-1}{m}\left(\frac{k}{d} - 1\right) = \left(1 - 2^{-d}\right)\left(\frac{k}{d} - 1\right)$
• Moral: there is an optimum d for every k.

Modular Exponentiation: Average Number of Multiplications (BM = binary method, MM = m-ary method)
k          8     16    32    64    128   256   512   1024  2048
BM         11    23    47    95    191   383   767   1535  3071
MM         10    21    43    85    167   325   635   1246  2439
d          2     2     2,3   3     3,4   4     5     5     6
Savings %  9.1   8.6   8.5   10.5  12.6  15.1  17.2  18.8  20.6

Modular Exponentiation: Preprocessing Multiplications
Consider the following exponent for k = 16 and d = 4: 1011 0011 0111 1000, which implies that we need to compute M^w mod n for only w = 3, 7, 8, 11.
M^2 = M·M; M^3 = M^2·M; M^4 = M^2·M^2; M^7 = M^3·M^4; M^8 = M^4·M^4; M^11 = M^8·M^3. This requires 6 multiplications. Computing all of the exponent values would require 16 - 2 = 14 preprocessing multiplications.

Modular Exponentiation: Sliding Window Techniques
Based on adaptive (data-dependent) m-ary partitioning of the exponent.
• Constant length nonzero windows. Rule: partition the exponent into zero words of any length and nonzero words of length d.
• Variable length nonzero windows. Rule: partition the exponent into zero words of length at least q and nonzero words of length at most d.

Modular Exponentiation: Constant Length Nonzero Windows
Example: for d = 3, we partition e = 3665 = (111001010001)_2 as 111 00 101 0 001.
First compute M^j for odd j ∈ [1, m-1]:
bits  j  M^j
001   1  M
010   2  M·M = M^2
011   3  M·M^2 = M^3
101   5  M^3·M^2 = M^5
111   7  M^5·M^2 = M^7

Modular Exponentiation: Constant Length Nonzero Windows
Example: for d = 3, we partition e = 3665 = (111001010001)_2 as 111 00 101 0 001.
bits  Step 2a (one squaring per bit)   Step 2b (multiply)
111   -                                M^7
00    (M^7)^4 = M^28                   M^28
101   (M^28)^8 = M^224                 M^224·M^5 = M^229
0     (M^229)^2 = M^458                M^458
001   (M^458)^8 = M^3664               M^3664·M^1 = M^3665

Modular Exponentiation: Constant Length Nonzero Windows
Average number of multiplications:
k      m-ary  d  CLNW  d  %
128    167    4  156   4  6.6
256    325    4  308   5  5.2
512    635    5  607   5  4.4
1024   1246   5  1195  6  4.1
2048   2439   6  2360  7  3.2

Modular Exponentiation: Variable Length Nonzero Windows
Example: d = 5 and q = 2.
101 0 11101 00 101 10111 000000 1 00 111 000 1011
Example: d = 10 and q = 4.
1011011 0000 11 0000 11110111 00 1111110101 0000 11011

Modular Exponentiation: The Factor Method
• The factor method is based on the factorization of the exponent e = r·s, where r is the smallest prime factor of e and s > 1.
• We compute M^e by first computing M^r and then raising this value to the s-th power: (M^r)^s = M^e. If e is prime, we first compute M^{e-1}, then multiply this quantity by M.

Modular Exponentiation: The Factor Method
Factor method: 55 = 5·11.
Compute M → M^2 → M^4 → M^5; assign y := M^5;
Compute y → y^2; assign z := y^2;
Compute z → z^2 → z^4 → z^5;
Compute z^5 → z^5·y = y^11 = M^55;
Total: 8 multiplications!
Binary method: e = 55 = (110111)_2, 5 + 4 = 9 multiplications!!

Sliding Window Method. (figure slides)

Modular Exponentiation: The Power Tree Method
Consider the node e of the k-th level, from left to right. Construct the (k+1)-st level by attaching below the node e the nodes e + a_1, e + a_2, e + a_3, …, e + a_k, where a_1, a_2, a_3, …, a_k is the path from the root of the tree to e. (Note: a_1 = 1 and a_k = e.) Discard any duplicates that have already appeared in the tree.

Modular Exponentiation: The Power Tree Method
The tree of the figure, level by level, from left to right:
1
2
3 4
5 6 8
7 10 9 12 16
14 11 13 15 20 18 24 17 32
19 21 28 22 23 26 (first nodes of the seventh level)

Modular Exponentiation: The Power Tree Method (figure slide)

Computation using the power tree
Find e in the power tree. The sequence of exponents that occurs in the computation of M^e is found on the path from the root to e.
Example: e = 23 requires 6 multiplications.
M → M^2 → M^3 → M^5 → M^10 → M^13 → M^23.
Since 23 = (10111)_2, the binary method requires 4 + 3 = 7 multiplications.
Since 23 - 1 = 22 = 2·11, the factor method requires 1 + 5 + 1 = 7 multiplications.

Addition Chains
Consider a sequence of integers a_0, a_1, a_2, …, a_r with a_0 = 1 and a_r = e. The sequence is constructed in such a way that for all k there exist indices i, j ≤ k such that a_k = a_i + a_j. The length of the chain is r. A short chain for a given e implies an efficient algorithm for computing M^e.
Example: e = 55
BM:  1 2 3 6 12 13 26 27 54 55
QM:  1 2 3 6 12 13 26 52 55
FM:  1 2 4 5 10 20 40 50 55
PTM: 1 2 3 5 10 11 22 44 55

Addition Chains
• Finding the shortest addition chain is NP-complete.
• Upper bound given by the binary method: $\lfloor \log_2 e \rfloor + H(e) - 1$, where H(e) is the Hamming weight of e.
• Lower bound given by Schönhage: $\lfloor \log_2 e \rfloor + \log_2 H(e) - 2.13$
• Heuristics: binary, m-ary, adaptive m-ary, sliding windows, power tree, factor.

Addition-Subtraction Chains
Convert the binary number to a signed-digit representation using the digits {0, 1, -1}. These techniques use the identity
$2^{i+j-1} + 2^{i+j-2} + \cdots + 2^{i} = 2^{i+j} - 2^{i}$
to collapse a block of 1s in order to obtain a sparse representation of the exponent.
Example: (011110) = 2^4 + 2^3 + 2^2 + 2^1 = (1000 1' 0) = 2^5 - 2^1, where 1' denotes the digit -1.
These methods require that M^{-1} mod n be supplied along with M.

Recoding Binary Method
Input: M, M^{-1}, e, n.
Output: C := M^e mod n.
1. Obtain the signed-digit recoding d of e.
2. If d_k = 1 then C := M else C := 1
3. For i = k-1 downto 0
4.   C := C·C mod n
5.   If d_i = 1 then C := C·M mod n
6.   If d_i = 1' then C := C·M^{-1} mod n
This algorithm is especially useful for ECC since the inverse is available at no cost.
7. Return C;

Modular Exponentiation: Binary Method Variations

Side Channel Attacks
Algorithm: Binary exponentiation
Input: a in G, exponent d = (d_k, d_{k-1}, …, d_0) (d_k is the most significant bit)
Output: c = a^d in G
1. c = a;
2. For i = k-1 down to 0
3.   c = c^2;
4.   If d_i = 1 then c = c·a;
5. Return c;
The time or the power needed to execute c^2 and c·a are different (side channel information).

Algorithm: Coron's exponentiation
Input: a in G, exponent d = (d_k, d_{k-1}, …, d_0)
Output: c = a^d in G
1. c[0] = 1;
2. For i = k-1 down to 0
3.   c[0] = c[0]^2;
4.   c[1] = c[0]·a;
5.   c[0] = c[d_i];
6. Return c[0];

Mod. Exponentiation: LSB-First Binary
Let k be the number of bits of e, i.e., $k = 1 + \lfloor \log_2 e \rfloor$.
Input: M, e, n, with $e = (e_{k-1} e_{k-2} \ldots e_1 e_0)_2 = \sum_{i=0}^{k-1} e_i 2^i$ for $e_i \in \{0, 1\}$.
Output: C := M^e mod n
1. R := 1; C := M;
2. For i = 0 to k-1
3.   If e_i = 1 then R := R·C mod n
4.   C := C^2 mod n
5. Return R;

Modular Exponentiation: LSB-First Binary
Example: e = 250 = (11111010)_2, thus k = 8 (bits are consumed from e_0 upwards).
i  e_i  Step 3 (R)            Step 4 (C)
0  0    1                     M^2
1  1    1·M^2 = M^2           (M^2)^2 = M^4
2  0    M^2                   (M^4)^2 = M^8
3  1    M^2·M^8 = M^10        (M^8)^2 = M^16
4  1    M^10·M^16 = M^26      (M^16)^2 = M^32
5  1    M^26·M^32 = M^58      (M^32)^2 = M^64
6  1    M^58·M^64 = M^122     (M^64)^2 = M^128
7  1    M^122·M^128 = M^250   (M^128)^2 = M^256

Modular Exponentiation: LSB-First Binary
The LSB-first binary method requires:
• Squarings: k-1
• Multiplications: the number of 1s in the binary expansion of e, excluding the MSB.
The total number of multiplications:
Maximum: (k-1) + (k-1) = 2(k-1)
Minimum: (k-1) + 0 = k-1
Average: (k-1) + 1/2 (k-1) = 1.5(k-1)
Same as before, but here we can compute the multiplication operation in parallel with the squarings!!
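The two algorithms of the side-channel slide, as an added Python example (my own code, not from the course material), instrumented to return the sequence of group operations each performs: the binary method's sequence changes with the exponent bits, while Coron's square-and-multiply-always performs the same S, M pair for every bit. It assumes d_k = 1 and runs Coron's loop over all k+1 bits, since c[0] starts at 1; the function names are my own.

```python
def binary_exp_trace(a, d, n):
    """Left-to-right binary method; returns (a^d mod n, list of 'S'/'M' ops)."""
    bits = bin(d)[2:]                  # bits[0] is d_k = 1, absorbed by c = a
    c, trace = a % n, []
    for bit in bits[1:]:
        c = c * c % n
        trace.append("S")
        if bit == "1":                 # the multiplication happens only for a 1 bit
            c = c * a % n
            trace.append("M")
    return c, trace

def coron_exp_trace(a, d, n):
    """Square-and-multiply-always; returns (a^d mod n, list of 'S'/'M' ops)."""
    c, trace = [1, 1], []
    for bit in bin(d)[2:]:             # every bit costs one S and one M
        c[0] = c[0] * c[0] % n
        trace.append("S")
        c[1] = c[0] * a % n
        trace.append("M")
        c[0] = c[int(bit)]             # the bit only selects which value is kept
    return c[0], trace                 # (a real implementation selects in constant time)

def trace_is_uniform(trace):
    """True when the trace is the same S, M pair for every bit."""
    return len(trace) % 2 == 0 and all(
        trace[i:i + 2] == ["S", "M"] for i in range(0, len(trace), 2))
```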
Multiplier Architecture [Mario García et al., ENC03] (figure slide)

Development (q-ary method) (figure slide)

Example
M^CAFE = M^{C·16^3} · M^{A·16^2} · M^{F·16^1} · M^{E·16^0}
0xCAFE = 1100 1010 1111 1110
BM: 10 mult. + 15 sqr.
q-ary: 3 mult. + 47 sqr. + 7 symb.
q-ary + PC: 3 mult. + 3 sqr. + 28 symb.

Development (q-ary method)
• Precomputation of W.
• Size of q.
• Computation of d = 2^p · q

Development (analysis)
• Memory size and execution time of the precomputation W.
• Number of multiplications and squarings for the q-ary method.

Execution Time vs. Number of Processors (figure slide)

Memory Size (figure slide)
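Returning to the power tree and addition chain slides: an added Python example (my own code, not from the course material) that builds the tree by the stated rule, reads the addition chain for an exponent off the path from the root, checks that a sequence is an addition chain, and multiplies along the chain. The `depth` parameter and the function names are my own; an exponent must appear within `depth` levels to be found.

```python
def build_power_tree(depth):
    """Build `depth` levels of the power tree.  Returns (paths, levels):
    paths[e] is the root-to-e path (a_1 = 1, ..., a_k = e) and levels[i]
    lists the nodes of level i+1 from left to right."""
    paths, levels = {1: [1]}, [[1]]
    for _ in range(depth - 1):
        nxt = []
        for e in levels[-1]:               # current level, left to right
            for a in paths[e]:             # attach e + a_1, ..., e + a_k
                child = e + a
                if child not in paths:     # discard exponents already in the tree
                    paths[child] = paths[e] + [child]
                    nxt.append(child)
        levels.append(nxt)
    return paths, levels

def power_tree_chain(e, depth=12):
    """Addition chain for e: the path from the root to e."""
    return build_power_tree(depth)[0][e]

def is_addition_chain(chain, e):
    """a_0 = 1, a_r = e and every a_k is a_i + a_j for some i, j < k."""
    if chain[0] != 1 or chain[-1] != e:
        return False
    return all(any(chain[k] == chain[i] + chain[j]
                   for i in range(k) for j in range(i, k))
               for k in range(1, len(chain)))

def power_tree_exp(M, e, n):
    """M^e mod n along the power-tree chain; returns (result, multiplications).
    Each node cur equals prev + a for an ancestor a of prev, so
    M^cur = M^prev * M^a and both factors are already available."""
    chain = power_tree_chain(e)
    powers = {1: M % n}
    for prev, cur in zip(chain, chain[1:]):
        powers[cur] = powers[prev] * powers[cur - prev] % n
    return powers[e], len(chain) - 1
```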