# Aritmética Computacional Francisco Rodríguez Henríquez Modular Exponentiation.


## Modular Exponentiation

We do NOT compute C := M^e mod n by first computing M^e and then computing C := (M^e) mod n. Temporary results must be reduced modulo n at each step of the exponentiation.

## Modular Exponentiation: How many multiplications are needed for M^15?

Naïve answer (requires 14 multiplications): M → M^2 → M^3 → M^4 → M^5 → … → M^15

Binary method (requires 6 multiplications): M → M^2 → M^3 → M^6 → M^7 → M^14 → M^15

## Modular Exponentiation: Binary Method

Let k be the number of bits of e, with bits e_{k-1} (MSB) down to e_0.

Input: M, e, n. Output: C := M^e mod n

1. If e_{k-1} = 1 then C := M else C := 1;
2. For i = k-2 downto 0
3. C := C^2 mod n
4. If e_i = 1 then C := C·M mod n
5. Return C;

## Modular Exponentiation: Binary Method (example)

Example: e = 250 = (11111010)_2, thus k = 8. Initially C = M since e_{k-1} = e_7 = 1.

| i | e_i | Step 2a (C := C^2) | Step 2b (C := C·M) |
|---|---|---|---|
| 7 | 1 | M | M |
| 6 | 1 | (M)^2 = M^2 | M^2·M = M^3 |
| 5 | 1 | (M^3)^2 = M^6 | M^6·M = M^7 |
| 4 | 1 | (M^7)^2 = M^14 | M^14·M = M^15 |
| 3 | 1 | (M^15)^2 = M^30 | M^30·M = M^31 |
| 2 | 0 | (M^31)^2 = M^62 | M^62 |
| 1 | 1 | (M^62)^2 = M^124 | M^124·M = M^125 |
| 0 | 0 | (M^125)^2 = M^250 | M^250 |

## Modular Exponentiation: Binary Method (cost)

The binary method requires:

- Squarings: k-1
- Multiplications: the number of 1s in the binary expansion of e, excluding the MSB.

The total number of multiplications:

- Maximum: (k-1) + (k-1) = 2(k-1)
- Minimum: (k-1) + 0 = k-1
- Average: (k-1) + 1/2 (k-1) = 1.5(k-1)
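The binary method of the preceding slides, its e = 250 trace and its operation counts, as an added Python example that is not part of the original slides: `binary_exp` follows steps 1 to 5 with a reduction modulo n after every squaring and multiplication, `binary_exp_trace` tracks only the exponent held in C (so it reproduces the M → M^2 → M^3 → … chains drawn on the slides, independent of M and n), and `binary_cost_bounds` returns the minimum, maximum and average counts. M = 3 and n = 1009 are constructed test inputs.

```python
# Added example (not from the original slides): MSB-first binary method for
# C := M^e mod n, reducing after every operation, with operation counts and
# an exponent trace that reproduces the slide's table.

def binary_exp(M, e, n):
    """Return (C, squarings, multiplications) with C = M**e % n.

    Scan the bits of e from the most significant (e_{k-1}, which is 1) down
    to e_0, squaring once per bit and multiplying by M only when the bit is 1.
    Every intermediate value is reduced modulo n, so nothing grows past n**2.
    """
    if e == 0:
        return 1 % n, 0, 0
    k = e.bit_length()                     # number of bits of e
    C = M % n                              # step 1: e_{k-1} = 1, so C := M
    squarings = multiplications = 0
    for i in range(k - 2, -1, -1):         # step 2: i = k-2 downto 0
        C = (C * C) % n                    # step 3: C := C^2 mod n
        squarings += 1
        if (e >> i) & 1:                   # step 4: if e_i = 1
            C = (C * M) % n                #         C := C * M mod n
            multiplications += 1
    return C, squarings, multiplications   # step 5


def binary_exp_trace(e):
    """Exponent of M held in C after each step, e.g. [1, 2, 3, 6, 7, 14, 15]."""
    k = e.bit_length()
    x = 1                                  # C = M^1 after step 1
    trace = [x]
    for i in range(k - 2, -1, -1):
        x *= 2                             # a squaring doubles the exponent
        trace.append(x)
        if (e >> i) & 1:
            x += 1                         # a multiplication by M adds one
            trace.append(x)
    return trace


def binary_cost_bounds(k):
    """(minimum, maximum, average) operation counts for a k-bit exponent."""
    return k - 1, 2 * (k - 1), 1.5 * (k - 1)


if __name__ == "__main__":
    # Constructed sample values; n = 1009 is a small prime used only here.
    C, sq, mul = binary_exp(3, 250, 1009)
    assert C == pow(3, 250, 1009)
    print("3^250 mod 1009 =", C, "squarings:", sq, "multiplications:", mul)
    print("exponent chain for e = 250:", binary_exp_trace(250))
```

The counts also reproduce the 0xCAFE figure later in the deck (10 multiplications and 15 squarings for the 16-bit exponent 0xCAFE).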

## Modular Exponentiation: m-ary Method

By scanning the bits of e:

- 2 at a time: quaternary method
- 3 at a time: octal method
- etc.
- d at a time: m-ary method (m = 2^d).

Consider the quaternary method: 250 = 11 11 10 10. Some preprocessing is required. At each step 2 squarings are performed.

## Modular Exponentiation: Quaternary Method (preprocessing)

Example:

| bits | j | M^j |
|---|---|---|
| 00 | 0 | 1 |
| 01 | 1 | M |
| 10 | 2 | M·M = M^2 |
| 11 | 3 | M^2·M = M^3 |

## Modular Exponentiation: Quaternary Method (example)

Example: e = 250 = 11 11 10 10. The number of multiplications: 2 + 6 + 3 = 11.

| bits | Step 2a | Step 2b |
|---|---|---|
| 11 | M^3 | M^3 |
| 11 | (M^3)^4 = M^12 | M^12·M^3 = M^15 |
| 10 | (M^15)^4 = M^60 | M^60·M^2 = M^62 |
| 10 | (M^62)^4 = M^248 | M^248·M^2 = M^250 |

## Modular Exponentiation: Octal Method (preprocessing)

| bits | j | M^j |
|---|---|---|
| 000 | 0 | 1 |
| 001 | 1 | M |
| 010 | 2 | M·M = M^2 |
| 011 | 3 | M^2·M = M^3 |
| 100 | 4 | M^3·M = M^4 |
| 101 | 5 | M^4·M = M^5 |
| 110 | 6 | M^5·M = M^6 |
| 111 | 7 | M^6·M = M^7 |

## Modular Exponentiation: Octal Method (example)

Example: e = 250 = 011 111 010. The number of multiplications: 6 + 6 + 2 = 14 (computing only M^2 and M^7: 4 + 6 + 2 = 12).

| bits | Step 2a | Step 2b |
|---|---|---|
| 011 | M^3 | M^3 |
| 111 | (M^3)^8 = M^24 | M^24·M^7 = M^31 |
| 010 | (M^31)^8 = M^248 | M^248·M^2 = M^250 |

## Modular Exponentiation: Octal Method (cost of the m-ary method)

Assume 2^d = m and k/d is an integer. The average number of multiplications plus squarings required by the m-ary method:

- Preprocessing multiplications: m - 2 = 2^d - 2. (why??)
- Squarings: (k/d - 1)·d = k - d. (why??)
- Multiplications:

Moral: there is an optimum d for every k.

## Modular Exponentiation: Average Number of Multiplications

| k | Binary method (BM) | m-ary method (MM) | d | Savings % |
|---|---|---|---|---|
| 8 | 11 | 10 | 2 | 9.1 |
| 16 | 23 | 21 | 2 | 8.6 |
| 32 | 47 | 43 | 2, 3 | 8.5 |
| 64 | 95 | 85 | 3 | 10.5 |
| 128 | 191 | 167 | 3, 4 | 12.6 |
| 256 | 383 | 325 | 4 | 15.1 |
| 512 | 767 | 635 | 5 | 17.2 |
| 1024 | 1535 | 1246 | 5 | 18.8 |
| 2048 | 3071 | 2439 | 6 | 20.6 |
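An added Python example (not from the slides) of the m-ary method described on the preceding slides, returning the same three counts (preprocessing, squarings, window multiplications), together with a function for the expected total cost that reproduces the table above. The multiplication term of that cost, one multiplication per window after the first with probability 1 - 2^-d that the window is nonzero, is the standard expectation and is my addition; k/d is treated as a real number so that rows where d does not divide k can be reproduced. M = 3 and n = 1009 are constructed inputs.

```python
# Added example, not from the original slides: m-ary exponentiation with
# m = 2^d and the expected operation count behind the savings table.

def mary_exp(M, e, n, d):
    """Return (C, preprocessing, squarings, multiplications) with C = M**e % n.

    e is scanned d bits (one base-m digit) at a time, most significant digit
    first; the leading digit is zero-padded if the bit length of e is not a
    multiple of d.  For every digit after the first: d squarings, then one
    multiplication by the precomputed M^w when the digit w is nonzero.
    """
    m = 1 << d
    # Preprocessing: table[w] = M^w mod n for w = 0..m-1.  M^0 and M^1 are
    # free, so the table costs m - 2 multiplications.
    table = [1 % n, M % n]
    for w in range(2, m):
        table.append((table[w - 1] * M) % n)
    preprocessing = m - 2

    windows = (e.bit_length() + d - 1) // d     # number of base-m digits
    squarings = multiplications = 0
    C = 1 % n
    for j in range(windows - 1, -1, -1):
        w = (e >> (j * d)) & (m - 1)            # j-th base-m digit of e
        if j == windows - 1:
            C = table[w]                        # leading digit: just load M^w
            continue
        for _ in range(d):                      # step 2a: d squarings
            C = (C * C) % n
        squarings += d
        if w:                                   # step 2b: multiply by M^w
            C = (C * table[w]) % n
            multiplications += 1
    return C, preprocessing, squarings, multiplications


def mary_expected_cost(k, d):
    """Expected operations of the m-ary method for a random k-bit exponent:
    (2^d - 2) preprocessing + (k - d) squarings + one multiplication for each
    of the k/d - 1 digits after the first whenever it is nonzero, which happens
    with probability 1 - 2^-d (this last term is my addition; the slide states
    only the first two).  k/d is used as a real number."""
    return (2 ** d - 2) + (k - d) + (k / d - 1) * (1 - 2.0 ** -d)


def best_window_size(k, max_d=10):
    """The d in 1..max_d minimising mary_expected_cost, and that cost."""
    return min(((d, mary_expected_cost(k, d)) for d in range(1, max_d + 1)),
               key=lambda pair: pair[1])


def binary_expected_cost(k):
    """Average cost of the binary method, 1.5(k-1); the table rounds it up."""
    return 1.5 * (k - 1)


if __name__ == "__main__":
    import math
    print(mary_exp(3, 250, 1009, 2))        # constructed values: M=3, n=1009
    for k in (8, 64, 256, 2048):
        d, cost = best_window_size(k)
        print(k, math.ceil(binary_expected_cost(k)), round(cost), d)
```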

## Modular Exponentiation: Preprocessing Multiplications

Consider the following exponent for k = 16 and d = 4: 1011 0011 0111 1000. This implies that we need to compute M^w mod n for only w = 3, 7, 8, 11:

M^2 = M·M; M^3 = M^2·M; M^4 = M^2·M^2; M^7 = M^3·M^4; M^8 = M^4·M^4; M^11 = M^8·M^3.

This requires 6 multiplications. Computing all of the exponent values would require 16 - 2 = 14 preprocessing multiplications.

## Modular Exponentiation: Sliding Window Techniques

Based on adaptive (data dependent) m-ary partitioning of the exponent.

- Constant length nonzero windows. Rule: partition the exponent into zero words of any length and nonzero words of length d.
- Variable length nonzero windows. Rule: partition the exponent into zero words of length at least q and nonzero words of length at most d.

## Modular Exponentiation: Constant Length Nonzero Windows (preprocessing)

Example: for d = 3, we partition e = 3665 = (111001010001)_2 as 111 00 101 0 001. First compute M^j for odd j ∈ [1, m-1]:

| bits | j | M^j |
|---|---|---|
| 001 | 1 | M |
| 010 | 2 | M·M = M^2 |
| 011 | 3 | M·M^2 = M^3 |
| 101 | 5 | M^3·M^2 = M^5 |
| 111 | 7 | M^5·M^2 = M^7 |

## Modular Exponentiation: Constant Length Nonzero Windows (example)

Continuing the example (d = 3, e = 3665 partitioned as 111 00 101 0 001):

| bits | Step 2a | Step 2b |
|---|---|---|
| 111 | M^7 | M^7 |
| 00 | (M^7)^4 = M^28 | M^28 |
| 101 | (M^28)^8 = M^224 | M^224·M^5 = M^229 |
| 0 | (M^229)^2 = M^458 | M^458 |
| 001 | (M^458)^8 = M^3664 | M^3664·M^1 = M^3665 |

## Modular Exponentiation: Constant Length Nonzero Windows (average number of multiplications)

| k | m-ary | d | CLNW | d | Savings % |
|---|---|---|---|---|---|
| 128 | 167 | 4 | 156 | 4 | 6.6 |
| 256 | 325 | 4 | 308 | 5 | 5.2 |
| 512 | 635 | 5 | 607 | 5 | 4.4 |
| 1024 | 1246 | 5 | 1195 | 6 | 4.1 |
| 2048 | 2439 | 6 | 2360 | 7 | 3.2 |

## Modular Exponentiation: Variable Length Nonzero Windows

Example: d = 5 and q = 2.

101 0 11101 00 101 10111 000000 1 00 111 000 1011

Example: d = 10 and q = 4.

1011011 0000 11 0000 11110111 00 1111110101 0000 11011

## Modular Exponentiation: The Factor Method

The factor method is based on the factorization of the exponent e = rs, where r is the smallest prime factor of e and s > 1. We compute M^e by first computing M^r and then raising this value to the s-th power: (M^r)^s = M^e. If e is prime, we first compute M^{e-1}, then multiply this quantity by M.

## Modular Exponentiation: The Factor Method (example)

Factor method: 55 = 5·11.

- Compute M → M^2 → M^4 → M^5; assign y := M^5;
- Compute y → y^2; assign z := y^2;
- Compute z → z^2 → z^4 → z^5;
- Compute z^5 → z^5·y = y^11 = M^55;
- Total: 8 multiplications!

Binary method: e = 55 = (110111)_2: 5 + 4 = 9 multiplications!!

## Sliding Window Method


## Modular Exponentiation: The Power Tree Method

Consider the node e of the k-th level, from left to right. Construct the (k+1)-st level by attaching below the node e the nodes e + a_1, e + a_2, e + a_3, …, e + a_k, where a_1, a_2, a_3, …, a_k is the path from the root of the tree to e. (Note: a_1 = 1 and a_k = e.) Discard any duplicates that have already appeared in the tree.

(Power tree figure; the nodes visible in the transcript, in extraction order: 1 2 3 4 6 5 7 10 14 11 13 15 20 19 21 28 22 23 26 9 12 18 24 8 16 17 32.)


## Computation using the power tree

Find e in the power tree. The sequence of exponents that occurs in the computation of M^e is found on the path from the root to e.

Example: e = 23 requires 6 multiplications: M → M^2 → M^3 → M^5 → M^10 → M^13 → M^23.

Since 23 = (10111)_2, the binary method requires 4 + 3 = 7 multiplications. Since 23 - 1 = 22 = 2·11, the factor method requires 1 + 5 + 1 = 7 multiplications.

## Addition Chains

Consider a sequence of integers a_0, a_1, a_2, …, a_r with a_0 = 1 and a_r = e. The sequence is constructed in such a way that for all k there exist indices i, j ≤ k such that a_k = a_i + a_j. The length of the chain is r. A short chain for a given e implies an efficient algorithm for computing M^e.

Example: e = 55

- BM (binary method): 1 2 3 6 12 13 26 27 54 55
- QM (quaternary method): 1 2 3 6 12 13 26 52 55
- FM (factor method): 1 2 4 5 10 20 40 50 55
- PTM (power tree method): 1 2 3 5 10 11 22 44 55
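An added Python example, not part of the original slides, covering the power tree construction of the earlier slides and the addition chains above: `power_tree` builds the tree level by level exactly as the rule states (children e + a_1, …, e + a_k, duplicates discarded), `power_tree_chain` reads the chain off the root-to-e path (1 2 3 5 10 13 23 for e = 23 and 1 2 3 5 10 11 22 44 55 for e = 55), `is_addition_chain` checks the defining property, and `exp_by_chain` performs the exponentiation along any valid chain with r multiplications. M = 3 and n = 1009 are constructed inputs.

```python
# Added example, not from the original slides: addition chains, exponentiation
# along a chain, and the power tree construction described on the slides.

def is_addition_chain(chain):
    """True if chain = [a_0, ..., a_r] with a_0 = 1 and every later a_k equal
    to a_i + a_j for some earlier i, j."""
    if not chain or chain[0] != 1:
        return False
    for k in range(1, len(chain)):
        earlier = chain[:k]
        if not any(chain[k] - a in earlier for a in earlier):
            return False
    return True


def exp_by_chain(M, chain, n):
    """M**chain[-1] % n using exactly len(chain) - 1 multiplications."""
    if not is_addition_chain(chain):
        raise ValueError("not an addition chain")
    power = {1: M % n}                       # a -> M^a mod n
    for k in range(1, len(chain)):
        a_k = chain[k]
        a_i = next(a for a in chain[:k] if a_k - a in power)
        power[a_k] = (power[a_i] * power[a_k - a_i]) % n
    return power[chain[-1]]


def power_tree(levels):
    """Build `levels` levels of the power tree.  Returns (nodes, path): nodes[l]
    lists level l+1 from left to right, path[e] is the root-to-e path, i.e.
    the chain a_1 = 1, ..., a_k = e."""
    path = {1: [1]}
    nodes = [[1]]
    for _ in range(levels - 1):
        next_level = []
        for e in nodes[-1]:                  # nodes of the level, left to right
            for a in path[e]:                # children e + a_1, ..., e + a_k
                child = e + a
                if child not in path:        # discard duplicates already in the tree
                    path[child] = path[e] + [child]
                    next_level.append(child)
        nodes.append(next_level)
    return nodes, path


def power_tree_chain(e):
    """Addition chain for e read off the power tree, grown until e appears
    (e + 1 is always a child of e, so every integer appears eventually)."""
    levels = 1
    while True:
        _, path = power_tree(levels)
        if e in path:
            return path[e]
        levels += 1


def chain_multiplications(chain):
    """Number of multiplications the chain implies (its length r)."""
    return len(chain) - 1
```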

## Addition Chains (bounds)

Finding the shortest addition chain is NP-complete.

- Upper bound: given by the binary method, where H(e) is the Hamming weight of e.
- Lower bound: given by Schönhage.

Heuristics: binary, m-ary, adaptive m-ary, sliding windows, power tree, factor.

## Addition-Subtraction Chains

Convert the binary number to a signed-digit representation using the digits {0, 1, -1}. These techniques use the identity

2^{i+j-1} + 2^{i+j-2} + … + 2^i = 2^{i+j} - 2^i

to collapse a block of 1s in order to obtain a sparse representation of the exponent.

Example: (011110) = 2^4 + 2^3 + 2^2 + 2^1 = (10001'0) = 2^5 - 2^1, where 1' denotes the digit -1.

These methods require that M^{-1} mod n be supplied along with M.

## Recoding Binary Method

Input: M, M^{-1}, e, n. Output: C := M^e mod n.

1. Obtain the signed-digit recoding d of e.
2. If d_k = 1 then C := M else C := 1
3. For i = k-1 downto 0
4. C := C·C mod n
5. If d_i = 1 then C := C·M mod n
6. If d_i = 1' then C := C·M^{-1} mod n
7. Return C;

This algorithm is especially useful for ECC, since the inverse is available at no cost.
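The recoding of the previous slide and the recoding binary method above, as an added Python example that is not part of the original deck. `signed_digit_recoding` produces the non-adjacent form (a standard signed-digit recoding in which no two adjacent digits are nonzero; the slides name no particular recoding, so this choice is my assumption), which turns 30 = (011110) into (10001'0) as on the slide, and `recoding_binary_exp` follows steps 1 to 7 with M^{-1} mod n supplied by the caller. M = 3 and n = 1009 are constructed inputs.

```python
# Added example, not from the original slides: signed-digit (non-adjacent form)
# recoding and the recoding binary method using M^-1 mod n.

def signed_digit_recoding(e):
    """Digits in {0, 1, -1}, most significant first, with no two adjacent
    nonzero digits.  A run of 1s collapses as on the slide:
    30 = (011110) -> [1, 0, 0, 0, -1, 0] = 2^5 - 2^1."""
    digits = []
    while e > 0:
        if e & 1:
            z = 2 - (e & 3)          # 1 if e = 1 (mod 4), -1 if e = 3 (mod 4)
            e -= z                   # e is now a multiple of 4
        else:
            z = 0
        digits.append(z)
        e //= 2
    return digits[::-1]


def signed_digit_value(digits):
    """Integer represented by a most-significant-first digit list."""
    value = 0
    for z in digits:
        value = 2 * value + z
    return value


def recoding_binary_exp(M, M_inv, e, n):
    """C := M^e mod n by the recoding binary method; M_inv is M^-1 mod n
    (for a prime or RSA-style modulus obtain it with pow(M, -1, n))."""
    if e == 0:
        return 1 % n
    d = signed_digit_recoding(e)         # step 1: d[0] is the top digit d_k
    C = M % n if d[0] == 1 else 1 % n    # step 2 (the top digit is always 1)
    for digit in d[1:]:                  # step 3: i = k-1 downto 0
        C = (C * C) % n                  # step 4
        if digit == 1:                   # step 5
            C = (C * M) % n
        elif digit == -1:                # step 6: the digit 1' of the slide
            C = (C * M_inv) % n
    return C                             # step 7


def nonzero_digits(e):
    """(Hamming weight of e, nonzero digits after recoding).  Each is the
    multiplication count of the plain and the recoding binary method
    respectively, before excluding the leading digit."""
    return bin(e).count('1'), sum(abs(z) for z in signed_digit_recoding(e))
```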

## Modular Exponentiation: Binary Method Variations

## Side Channel Attacks

Algorithm: Binary exponentiation

Input: a in G, exponent d = (d_k, d_{k-1}, …, d_0) (d_k is the most significant bit). Output: c = a^d in G.

1. c = a;
2. For i = k-1 down to 0:
3. c = c^2;
4. If d_i = 1 then c = c·a;
5. Return c;

The time or the power needed to execute c^2 and c·a are different (side channel information).

Algorithm: Coron's exponentiation

Input: a in G, exponent d = (d_k, d_{k-1}, …, d_0). Output: c = a^d in G.

1. c[0] = 1;
2. For i = k-1 down to 0:
3. c[0] = c[0]^2;
4. c[1] = c[0]·a;
5. c[0] = c[d_i];
6. Return c[0];
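The two algorithms above with their group operations instrumented, as an added Python example that is not part of the original slides. Each function returns the result together with the sequence of squarings (S) and multiplications (M) it performed, which is the pattern a timing or power side channel observes; `bits_implied_by_trace` shows that the plain binary trace determines the exponent, while Coron's trace is the same for every exponent of the same length. The group is Z_n with constructed a = 3, n = 1009. Two choices are mine: the loop in `coron_exp_traced` starts at the top bit d_k (rather than d_{k-1} as on the slide) so that c[0] = 1 absorbs every bit, and the final selection is written as an arithmetic select rather than a branch; Python itself gives no constant-time guarantee, so only the operation sequence is modelled.

```python
# Added example, not from the original slides: the slide's two exponentiation
# algorithms with an operation trace, to compare what each leaks about d.

def binary_exp_traced(a, d, n):
    """Plain binary exponentiation (first algorithm).  Returns (c, trace) with
    trace listing 'S' per squaring and 'M' per multiplication, in order."""
    k = d.bit_length() - 1        # d = (d_k, ..., d_0) with d_k = 1
    c, trace = a % n, []
    for i in range(k - 1, -1, -1):
        c = (c * c) % n
        trace.append('S')
        if (d >> i) & 1:          # data-dependent multiplication
            c = (c * a) % n
            trace.append('M')
    return c, trace


def coron_exp_traced(a, d, n):
    """Square-and-multiply-always (Coron's countermeasure).  The multiplication
    is performed for every bit; the bit only selects which result is kept.
    The loop starts at d_k so that c[0] = 1 absorbs every bit (my choice)."""
    k = d.bit_length() - 1
    c = [1 % n, 0]
    trace = []
    for i in range(k, -1, -1):
        c[0] = (c[0] * c[0]) % n
        trace.append('S')
        c[1] = (c[0] * a) % n
        trace.append('M')
        bit = (d >> i) & 1
        # arithmetic select instead of a branch on the secret bit
        c[0] = c[1] * bit + c[0] * (1 - bit)
    return c[0], trace


def bits_implied_by_trace(trace):
    """Bits of d that the plain trace determines: an 'S' followed by 'M' is a
    1 bit, an 'S' not followed by 'M' is a 0 bit; d_k = 1 is implicit."""
    bits, i = [1], 0
    while i < len(trace):
        if i + 1 < len(trace) and trace[i + 1] == 'M':
            bits.append(1)
            i += 2
        else:
            bits.append(0)
            i += 1
    return bits


def traces_distinguish(exp_fn, a, d1, d2, n):
    """True if exp_fn produces different traces for d1 and d2, i.e. the
    operation sequence alone separates the two exponents."""
    return exp_fn(a, d1, n)[1] != exp_fn(a, d2, n)[1]
```

The checks a practitioner wants are the last two functions: for the plain algorithm `traces_distinguish` is true for any two different exponents of the same length, for Coron's it is false. Coron's variant removes the squaring/multiplication pattern only; the select on the bit and the data itself still have to be protected by other means.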

## Modular Exponentiation: LSB-First Binary

Let k be the number of bits of e.

Input: M, e, n. Output: C := M^e mod n

1. R := 1; C := M;
2. For i = 0 to k-1
3. If e_i = 1 then R := R·C mod n
4. C := C^2 mod n
5. Return R;

## Modular Exponentiation: LSB-First Binary (example)

Example: e = 250 = (11111010)_2, thus k = 8. The bits are processed from e_0 upwards.

| i | e_i | Step 3 (R) | Step 4 (C) |
|---|---|---|---|
| 0 | 0 | 1 | M^2 |
| 1 | 1 | 1·M^2 = M^2 | (M^2)^2 = M^4 |
| 2 | 0 | M^2 | (M^4)^2 = M^8 |
| 3 | 1 | M^2·M^8 = M^10 | (M^8)^2 = M^16 |
| 4 | 1 | M^10·M^16 = M^26 | (M^16)^2 = M^32 |
| 5 | 1 | M^26·M^32 = M^58 | (M^32)^2 = M^64 |
| 6 | 1 | M^58·M^64 = M^122 | (M^64)^2 = M^128 |
| 7 | 1 | M^122·M^128 = M^250 | (M^128)^2 = M^256 |

## Modular Exponentiation: LSB-First Binary (cost)

The LSB-first binary method requires:

- Squarings: k-1
- Multiplications: the number of 1s in the binary expansion of e, excluding the MSB.

The total number of multiplications:

- Maximum: (k-1) + (k-1) = 2(k-1)
- Minimum: (k-1) + 0 = k-1
- Average: (k-1) + 1/2 (k-1) = 1.5(k-1)

Same as before, but here we can compute the multiplication operation in parallel with the squarings!!
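The LSB-first method of the preceding three slides as an added Python example, not part of the original deck: `lsb_first_exp` follows steps 1 to 5 and records, per iteration, the exponents held in R and C so that the table above is reproduced, and `lsb_first_cost` counts the operations actually performed. Within one iteration step 3 reads C before step 4 overwrites it and step 4 does not read R, which is the independence that lets the multiplication and the squaring run in parallel. M = 3 and n = 1009 are constructed inputs.

```python
# Added example, not from the original slides: the LSB-first binary method with
# a trace that reproduces the R and C columns of the slide's table.

def lsb_first_exp(M, e, n):
    """Return (R, trace) with R = M**e % n.

    trace[i] = (i, e_i, exponent held in R after step 3, exponent held in C
    after step 4).  Step 3 multiplies R by the current C and step 4 squares C;
    neither needs the other's result, so the two can execute in parallel."""
    k = e.bit_length()
    R, C = 1 % n, M % n                 # step 1
    r_exp, c_exp = 0, 1                 # exponents tracked alongside the values
    trace = []
    for i in range(k):                  # step 2: i = 0 to k-1
        bit = (e >> i) & 1
        if bit:                         # step 3: uses C before it is squared
            R = (R * C) % n
            r_exp += c_exp
        C = (C * C) % n                 # step 4
        c_exp *= 2
        trace.append((i, bit, r_exp, c_exp))
    return R, trace                     # step 5


def lsb_first_cost(e):
    """(squarings, multiplications) as performed by lsb_first_exp: k squarings
    and popcount(e) multiplications.  The last squaring (C is never used
    again) and the first multiplication (R is still 1) can be skipped, which
    gives the slide's k-1 squarings and popcount(e)-1 multiplications."""
    return e.bit_length(), bin(e).count('1')
```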

## Multiplier Architecture [Mario García et al., ENC03]

## Development (q-ary Method)

## Example: 0xCAFE = 1100 1010 1111 1110

- BM: 10 mult. + 15 sqr.
- Q-ary: 3 mult. + 47 sqr. + 7 symb.
- Q-ary + PC: 3 mult. + 3 sqr. + 28 symb.

## Development (q-ary Method)

- Precomputation of W.
- Size of q.
- Computation of d = 2^p · q

## Development (Analysis)

- Memory size and execution time of the precomputation W.
- Number of multiplications and squarings for the q-ary method.

## Execution Time vs. Number of Processors

## Memory Size