OEO: Optimization of Exponentiation Operation ~ A Brief Discussion ~ Kirti Chawla


Outline
1. Problem definition
2. Motivation
3. Prevalent Approaches
4. Suggestion
5. Q & A/Feedback

Problem definition
Given n, compute g^n, where g is a fixed element of a group and n < N (the order of the group).

Motivation
1. Exponentiation is the most frequently used operation in algorithms including:
   - Factorization and primality testing
   - GCD computation
   - RSA public key cryptosystem
   - Verification of polynomial identities
   - …
2. Exponentiation is also found in the most widely deployed authentication protocols including:
   - Diffie-Hellman Key Exchange
   - Internet Key Exchange, a.k.a. IKE
   - Secure Socket Layer, a.k.a. SSL
   - …
3. Quick biased conclusion: any and all optimization of the exponentiation operation improves performance for the aforementioned algorithms and protocols.

Prevalent Approach 1
Approach 1: Montgomery Multiplication
Step 1. Pick A, B, R, N s.t. ∃ k; (((R = 2^k) > N) ∧ (GCD(R, N) = 1))
Step 2. Find R’ and N’ s.t. (RR’ – NN’ = 1)
Step 3. Construct a function F with the following details:
    F(T) {
        m ← (T mod R) N’ (mod R)
        t ← (T + mN)/R
        if (t ≥ N) t ← t – N
        return t
    }
It should be evident here that F(T) returns (TR’ mod N), where T = A * B.
Also, RR’ ≡ 1 (mod N), NN’ ≡ -1 (mod R).
Also, the output of F(T) lies in the range [0, N – 1].

Prevalent Approach 1 cont’d
Example: Let N = 79, A = 17, B = 26, R = 100 (relaxed requirement for R = 2^k)
R’ = 64, N’ = 81 (check: RR’ – NN’ = 1)
∃ A’; (17 ≡ A’ * 100 mod 79) ⇒ (17 * 64 ≡ A’ mod 79) ⇒ (17 * 64 ≡ 61 mod 79)
∃ B’; (26 ≡ B’ * 100 mod 79) ⇒ (26 * 64 ≡ B’ mod 79) ⇒ (26 * 64 ≡ 5 mod 79)
Therefore, A * B in the above representation can be seen as follows:
A * B = 17 * 26 = 442 ≡ (61 * 100) * (5 * 100) ≡ (305) * (100) * (100) ≡ (68) * (100) * (100) mod 79
442 * 64 ≡ (68) * (100) mod 79
(28288) mod 79 ≡ 6 ≡ (68) * (100) mod 79
Therefore, F(T) should take 442 as input and return 6, which can be verified as under:
T = 442, R = 100, R’ = 64, N’ = 81, N = 79
m ← (T mod R) * N’ (mod R) ≡ (442 mod 100) * 81 (mod 100) ≡ (42 * 81) mod 100 ≡ 2
t ← (T + mN)/R ≡ (442 + 2 * 79)/100 ≡ 600/100 ≡ 6 mod 79
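The reduction F(T) and the slide's numbers, as an added Python example (not code from the presentation). It checks the N = 79, R = 100 case and then uses F inside a square-and-multiply loop with R = 2^k; the function names are this example's own.

```python
from math import gcd

def mont_setup(N, R):
    """Step 2: return (R', N') with R*R' - N*N' = 1."""
    if R <= N or gcd(R, N) != 1:
        raise ValueError("need R > N and gcd(R, N) = 1")
    r_inv = pow(R, -1, N)              # R': R*R' = 1 (mod N)
    n_prime = (R * r_inv - 1) // N     # N': N*N' = -1 (mod R)
    return r_inv, n_prime

def redc(T, N, R, n_prime):
    """The slide's F(T): T*R' mod N for 0 <= T < R*N, with no division by N."""
    if not 0 <= T < R * N:
        raise ValueError("T out of range for one reduction")
    m = ((T % R) * n_prime) % R
    t = (T + m * N) // R               # exact, because T + m*N = 0 (mod R)
    # t < 2N here, so one subtraction brings it into [0, N - 1].
    # This branch depends on the data; constant-time code replaces it
    # with a masked subtraction.
    return t - N if t >= N else t

def mont_pow(g, n, N):
    """g^n mod N (N odd) by square-and-multiply over Montgomery forms."""
    if N < 3 or N % 2 == 0 or n < 0:
        raise ValueError("need odd N >= 3 and n >= 0")
    R = 1 << N.bit_length()            # R = 2^k > N: mod R and /R become mask and shift
    _, n_prime = mont_setup(N, R)
    base = (g * R) % N                 # Montgomery form of g
    acc = R % N                        # Montgomery form of 1
    for bit in bin(n)[2:]:
        acc = redc(acc * acc, N, R, n_prime)
        if bit == "1":
            acc = redc(acc * base, N, R, n_prime)
    return redc(acc, N, R, n_prime)    # leave Montgomery form

def slide_example():
    """The slide's numbers: N = 79, R = 100, T = 17 * 26 = 442."""
    r_inv, n_prime = mont_setup(79, 100)
    return r_inv, n_prime, redc(17 * 26, 79, 100, n_prime)

if __name__ == "__main__":
    print(slide_example())
    print(mont_pow(5, 117, 79) == pow(5, 117, 79))
```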

Prevalent Approach 2
Approach 2: Brickell, Gordon, McCurley and Wilson, or BGMW, by [Gordon et al]
Premise: the square-and-multiply method (from: addition chains) for g^n requires 2⌈log N⌉ multiplications, where N is the order of the group.
Suggestion: Pre-compute and store powers of 2 (of g).
Quick inference 1: There is no reason to store powers of 2
Quick inference 2: Pre-compute g^(x_0), g^(x_1), …, g^(x_(m-1)) for some integers x_0, x_1, …, x_(m-1)
Requirement: Find a decomposition for n s.t.
Where, 0 ≤ a_i ≤ h and 0 ≤ i < m
What are the implications?

Prevalent Approach 2 cont’d
g^n can be computed as follows:
Algorithm:
    ComputeG(g^(x_i)) {
        b ← 1
        a ← 1
        for (d = h; d ≥ 1; d--) {
            for each i with a_i == d {
                b ← b * g^(x_i)
            }
            a ← a * b
        }
        return a;
    }

Prevalent Approach 2 cont’d
Quick Inference 3: the number of multiplications is 2h – 2
Quick Inference 4: if the c_d’s have no relation amongst themselves, then the aforementioned metric is optimal.
1. Approach 2 is extended to other number systems as well.
2. Approach 2 can be parallelized. It is shown as under:
   b ← b * g^(x_i) (calculation for c_d); spread each c_d to 1 of h available processors
   a ← a * b (calculation of g^n); each processor can compute c_d for one d using the addition chain method, and finally repeated multiplication in pairs forms g^n.
3. This offers a speedup of (log log N) worst-case using (log N / log^2 log N) processors.
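Added example (not from the slides): the ComputeG loop above in Python, with a multiplication counter and a plain square-and-multiply baseline. It assumes the decomposition is the base-16 digit expansion n = sum of a_i * 16^i, so x_i = 16^i and h = 15; the modulus, base and exponent are constructed sample values.

```python
def precompute(g, p, radix, m):
    """Stored once per fixed g: table[i] = g^(radix^i) mod p."""
    table, cur = [], g % p
    for _ in range(m):
        table.append(cur)
        cur = pow(cur, radix, p)
    return table

def digits(n, radix):
    """Little-endian a_i with n = sum(a_i * radix^i)."""
    out = []
    while n:
        n, a_i = divmod(n, radix)
        out.append(a_i)
    return out

def bgmw_pow(table, n, p, radix):
    """(g^n mod p, multiplications) via the slide's b and a accumulators."""
    if n < 0 or n >= radix ** len(table):
        raise ValueError("n does not fit the precomputed table")
    a = digits(n, radix)
    b = result = 1
    mults = 0
    for d in range(radix - 1, 0, -1):      # d = h .. 1, with h = radix - 1
        for i, a_i in enumerate(a):        # every i with a_i == d
            if a_i == d:
                b = b * table[i] % p
                mults += 1
        result = result * b % p            # the slide's a <- a * b
        mults += 1
    return result, mults

def square_multiply(g, n, p):
    """Baseline: left-to-right binary method, same return shape."""
    acc, mults = 1, 0
    for bit in bin(n)[2:]:
        acc, mults = acc * acc % p, mults + 1
        if bit == "1":
            acc, mults = acc * g % p, mults + 1
    return acc, mults

P = 2**127 - 1                              # constructed sample modulus (assumption)
N_EXP = 0x123456789abcdef0fedcba9876543210  # constructed sample exponent (assumption)

def compare(g=3, radix=16, m=32):
    """Run both methods on the sample exponent; returns two (value, count) pairs."""
    table = precompute(g, P, radix, m)
    return bgmw_pow(table, N_EXP, P, radix), square_multiply(g, N_EXP, P)
```

For this sample exponent the table-based loop uses 45 multiplications against 189 for square-and-multiply, at the cost of storing 32 precomputed powers.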

Prevalent Approach 3
Approach 3: Flexibility + BGMW approach ⇒ [Lim et al] Approach
Step 1. Divide n (from: g^n) into h blocks n_i, where 0 ≤ i ≤ h – 1, of size k = ⌈b/h⌉
Step 2. Further, divide n_i into smaller blocks n_(i,j), where 0 ≤ j ≤ v – 1, of size t = ⌈k/v⌉
Step 3. This division of n for g^n transforms the problem of computation as under:
Step 4. If we have n_i expressed in binary representation, then g^n can be written as under:
Step 5. Using pre-computed and stored values of G[j][i] = (G[0][i])^(2^(jb))

Prevalent Approach 3
Algorithm:
    ComputeG(G[0][i]) {
        Z ← 1
        for (k = b – 1; k ≥ 0; k--) {
            Z ← Z*Z
            for (j = v – 1; j ≥ 0; j--) {
                Z ← Z*G[j][I_(j,k)]
            }
        }
        return Z;
    }
[Figure: grid with axes i and j]
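The table construction and the Z loop above, as an added Python example (not from the slides). Because the slide's equations for Steps 3 and 4 are missing, the index I_(j,k) is assumed here to collect bit (j*sb + k) of each of the h blocks, following the usual formulation of Lim and Lee's method; `bits`, `a` and `sb` are this example's names for the exponent length, block size and sub-block size.

```python
def limlee_table(g, p, bits, h, v):
    """Precompute G[j][u] for a fixed base g and exponents of at most `bits` bits."""
    a = -(-bits // h)                  # block size, ceil(bits / h)
    sb = -(-a // v)                    # sub-block size, ceil(a / v)
    r = [pow(g, 1 << (i * a), p) for i in range(h)]     # r_i = g^(2^(i*a))
    G0 = [1] * (1 << h)
    for u in range(1, 1 << h):         # G[0][u] = product of r_i over the set bits i of u
        low = u & -u
        G0[u] = G0[u ^ low] * r[low.bit_length() - 1] % p
    # Step 5: G[j][u] = (G[0][u])^(2^(j*sb))
    G = [[pow(x, 1 << (j * sb), p) for x in G0] for j in range(v)]
    return G, a, sb

def limlee_pow(G, a, sb, n, p):
    """g^n mod p with sb squarings and v*sb table multiplications."""
    v, h = len(G), len(G[0]).bit_length() - 1
    if not 0 <= n < 1 << (h * a):
        raise ValueError("n does not fit h blocks of a bits")
    Z = 1
    for k in range(sb - 1, -1, -1):
        Z = Z * Z % p
        for j in range(v - 1, -1, -1):
            t = j * sb + k             # bit position inside every block
            I = 0
            if t < a:                  # positions past the block end contribute nothing
                for i in range(h):
                    I |= ((n >> (i * a + t)) & 1) << i
            # G[j][0] == 1, so the sequence of operations is the same for every n;
            # only the table index depends on the exponent.
            Z = Z * G[j][I] % p
    return Z

P = 2**127 - 1                         # constructed sample modulus (assumption)

def check(n, h=4, v=2, g=3):
    """True when the table-based result matches Python's built-in pow."""
    G, a, sb = limlee_table(g, P, 127, h, v)
    return limlee_pow(G, a, sb, n, P) == pow(g, n, P)

if __name__ == "__main__":
    print(check(0x123456789abcdef0fedcba987654321))
```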

Suggestion
Suppose g^N is to be calculated, where N can be broken into p, q s.t. N = p * q.
Furthermore, p and q are s.t. p * q = 10 * (p + q)
WLOG, g^N = g^(p * q) = g^(10 * (p + q))
Where g^10 can be pre-computed and stored.
Additionally, if N is prime, then N can be broken into p, q s.t. N = 10 * (p + q) + C
Where C is any constant
For example, if p = 35, q = 14, C = 1 ⇒ N = 491
WLOG, g^N = g^(10 * (p + q) + C)
Where g^10 and g^C can be pre-computed and stored.

Suggestion cont’d

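[Figure: diagram with inputs p and q, the stored g^10 and the stored g^(C1), g^(C2), g^(C3), g^(C4), …, g^(Ck); intermediate values p + q, g^(10 * (p + q)) and g^(10 * (p + q) + c); output g^N]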

Q & A/Feedback