Presentation is loading. Please wait.

Presentation is loading. Please wait.

OEO: O PTIMIZATION OF E XPONENTIATION O PERATION ~ A B RIEF D ISCUSSION ~ Kirti Chawla

Published byMateo Donn Modified over 9 years ago

Similar presentations

Presentation on theme: "OEO: O PTIMIZATION OF E XPONENTIATION O PERATION ~ A B RIEF D ISCUSSION ~ Kirti Chawla"— Presentation transcript:

1 OEO: O PTIMIZATION OF E XPONENTIATION O PERATION ~ A B RIEF D ISCUSSION ~ Kirti Chawla kirti@cs.virginia.edu

2 Outline 1.Problem definition 2.Motivation 3.Prevalent Approaches 4.Suggestion 5.Q & A/Feedback

3 Problem definition Given n, compute g n Where, g is fixed element of a group and n < N (order of group).

4 Motivation 1.Exponentiation is the most frequently used operation in algorithms including: Factorization and primality testing GCD computation RSA public key cryptosystem Verification of polynomial identities … 2.Exponentiation is also found in most widely deployed authentication protocols including: Diffie-Hellman Key Exchange Internet Key Exchange a.k.a IKE Secure Socket Layer a.k.a SSL … 3.Quick biased conclusion : Any and all optimization of exponentiation operation improves performance for aforementioned algorithms and protocols.

5 Prevalent Approach 1 Approach 1: Montgomery Multiplication Step 1. Pick A, B, R, N s.t  k; (((R = 2 k ) > N)  (GCD(R, N) = 1)) Step 2. Find R’ and N’ s.t. (RR’ – NN’ = 1) Step 3. Construct a function F with following details: F(T) { m  (T mod R) N’ (mod R) t  (T + mN)/R return t } It should evident here that F(T) returns (TR’ mod N), where T = A * B Also, RR’  1 (mod N), NN’  -1 (mod N) Also, the output of F(T) lies in range [0, N – 1]

6 Prevalent Approach 1 cont’d Example: Let N = 79, A = 17, B = 26, R = 100; (relaxed requirement for R = 2 k ) R’ = 64, N’ = 81; (check RR’ – NN’ = 1)  A’; (17  A’ * 100 mod 79)  (17 * 64  A’ mod 79)  (17 * 64  61 mod 79)  B’; (17  B’ * 100 mod 79)  (26 * 64  B’ mod 79)  (26 * 64  5 mod 79) Therefore, A * B in above representation can be seen as follows: A * B = 17 * 26 = 442  (61 * 100) * (5 * 100)  (305) * (100) * (100)  (68) * (100) * (100) mod 79 442*64  (68) * (100) mod 79 (28228) mod 79  6  (68) * (100) mod 79 Therefore, F(T) should take 442 as input and return 6, which can be verified as under: T = 442, R = 100, R’ = 64, N’ = 81, N = 79 m  (T mod R) * N’ * (mod R)t  (T + mN)/R  (442 mod 100) * 81 * (mod 100)  (442 + 2*79)/100  (42 * 81) mod 100  600/100  6 mod 79

7 Prevalent Approach 2 Approach 2: Brickell, Gordon, McCurley and Wilson or BGMW by [Gordon et al] Premise: square-and-multiply (from: addition chains) method for g n requires 2  logN , where N is order of group. Suggestion: Pre-compute and store powers of 2 (of g). Quick inference 1: There is no reason to store powers of 2 Quick inference 2: Pre-compute g x0, g x1, … g xm-1 for some integers x 0, x 1 … x m-1 Requirement: Find a decomposition for n s.t. Where, 0  a  h and 0  i < m What are the implications ?

8 Prevalent Approach 2 cont’d g n can be computed as follows: Algorithm: ComputeG(g xi ) { b  1 a  1 for (d = h; d  1; d--) { for (i=0; a i == d; i++) { b  b * g xi } a  a * b } return a; }

9 Prevalent Approach 2 cont’d Quick Inference 3: number of multiplications are 2h – 2 Quick Inference 4: if c d ’s have no relation amongst themselves, then aforementioned metric is optimal. 1.Approach 2 is extended to other number system as well 2.Approach 2 can be parallelized. It is shown as under: b  b * g xi (calculation for c d ); spread each c d to 1 of h available a  a * b (calculation of g n ); each processor can compute c d for one d using addition chain method and finally repeated multiplication in pairs to form g n. 3.This offers the speedup of (loglogN) worst-case using (logN/log 2 logN) processors.

10 Prevalent Approach 3 Approach 3: Flexibility + BGMW approach  [Lim et al] Approach Step 1. Divide n (from: g n ) into h blocks n i ; where, 0  i  h – 1 of size k =  b/h  Step 2. Further, divide n i into smaller blocks n i, j; where 0  j  v – 1 of size t =  k/v  Step 3. This division of n for g n transforms the problem of computation as under: Step 4. if we have n i to be expressed in binary representation then g n can be written as under: Step 5. Using pre-computed and stored values of G[j][i] = (G[0][i]) 2jb

11 Prevalent Approach 3 Algorithm: ComputeG(G[0][i]) { Z  1 for (k = b – 1; k  0; k--) { Z  Z*Z for (j = v – 1; j  0; j--) { Z  Z*G[j][I j, k] } return Z; } 0 1 2 … h – 1 0 1 … v – 1 i j

12 Suggestion Suppose g N is to be calculated, where N can be broken into p, q s.t. N = p * q. Furthermore, p and q are s.t. p * q = 10 * (p + q) WLOG, g N = g p * q = g 10 * (p + q) Where, g 10 can be pre-computed and stored. Additionally, if N is prime, the N can be broken into p, q s.t. N = 10 * (p + q) + C Where C is any constant For example, if p = 35, q = 14, C = 1  N = 491 WLOG, g N = g 10 * (p + q) + C Where, g 10 and g C can be pre-computed and stored.

13 Suggestion cont’d

14 g C1 g C2 g C3 g C4 … g Ck  + E p q g 10 gNgN p + q g 10 * (p + q) g 10 * (p + q) + c

15 Q & A/Feedback Feedback

Download ppt "OEO: O PTIMIZATION OF E XPONENTIATION O PERATION ~ A B RIEF D ISCUSSION ~ Kirti Chawla"

Similar presentations

1 Complexity ©D.Moshkovitz Cryptography Where Complexity Finally Comes In Handy…

1 Complexity ©D.Moshkovitz Cryptography Where Complexity Finally Comes In Handy…
Lecture 19: Parallel Algorithms

Lecture 19: Parallel Algorithms
Splash Screen.

Splash Screen.
Cryptography and Network Security

Cryptography and Network Security
Parshuram Budhathoki FAU October 25, 2012 11/25/2012 Ph.D. Preliminary Exam, Department of Mathematics, FAU.

Parshuram Budhathoki FAU October 25, /25/2012 Ph.D. Preliminary Exam, Department of Mathematics, FAU.
Having Proofs for Incorrectness

Having Proofs for Incorrectness
Public Key Cryptosystems - RSA Receiver Sender Eavesdroppe r 175753411947 p q p q p q p and q prime.

Public Key Cryptosystems - RSA Receiver Sender Eavesdroppe r p q p q p q p and q prime.
Notation Intro. Number Theory Online Cryptography Course Dan Boneh

Notation Intro. Number Theory Online Cryptography Course Dan Boneh
CENG536 Computer Engineering Department Çankaya University.

CENG536 Computer Engineering Department Çankaya University.
1 The RSA Algorithm Supplementary Notes Prepared by Raymond Wong Presented by Raymond Wong.

1 The RSA Algorithm Supplementary Notes Prepared by Raymond Wong Presented by Raymond Wong.
Session 4 Asymmetric ciphers.

Session 4 Asymmetric ciphers.
CNS2010handout 8 :: introduction to number theory1 computer and network security matt barrie.

CNS2010handout 8 :: introduction to number theory1 computer and network security matt barrie.
and Factoring Integers (I)

and Factoring Integers (I)
RSA ( Rivest, Shamir, Adleman) Public Key Cryptosystem

RSA ( Rivest, Shamir, Adleman) Public Key Cryptosystem
UMass Lowell Computer Science 91.503 Analysis of Algorithms Prof. Karen Daniels Fall, 2002 Tuesday, 26 November Number-Theoretic Algorithms Chapter 31.

UMass Lowell Computer Science Analysis of Algorithms Prof. Karen Daniels Fall, 2002 Tuesday, 26 November Number-Theoretic Algorithms Chapter 31.
6/20/2015 5:05 AMNumerical Algorithms1 x0123456789 x1x1 1739.

6/20/2015 5:05 AMNumerical Algorithms1 x x1x
Inverses and GCDs Supplementary Notes Prepared by Raymond Wong

Inverses and GCDs Supplementary Notes Prepared by Raymond Wong
and Factoring Integers

and Factoring Integers
Csci5233 Computer Security & Integrity 1 Cryptography: Basics (2)

Csci5233 Computer Security & Integrity 1 Cryptography: Basics (2)
WS 2006-07 Algorithmentheorie 03 – Randomized Algorithms (Public Key Cryptosystems) Prof. Dr. Th. Ottmann.

WS Algorithmentheorie 03 – Randomized Algorithms (Public Key Cryptosystems) Prof. Dr. Th. Ottmann.

Similar presentations

Ads by Google