OEO: O PTIMIZATION OF E XPONENTIATION O PERATION ~ A B RIEF D ISCUSSION ~ Kirti Chawla

Outline 1.Problem definition 2.Motivation 3.Prevalent Approaches 4.Suggestion 5.Q & A/Feedback

Problem definition Given n, compute g n Where, g is fixed element of a group and n < N (order of group).

Motivation 1.Exponentiation is the most frequently used operation in algorithms including: Factorization and primality testing GCD computation RSA public key cryptosystem Verification of polynomial identities … 2.Exponentiation is also found in most widely deployed authentication protocols including: Diffie-Hellman Key Exchange Internet Key Exchange a.k.a IKE Secure Socket Layer a.k.a SSL … 3.Quick biased conclusion : Any and all optimization of exponentiation operation improves performance for aforementioned algorithms and protocols.

Prevalent Approach 1 Approach 1: Montgomery Multiplication Step 1. Pick A, B, R, N s.t  k; (((R = 2 k ) > N)  (GCD(R, N) = 1)) Step 2. Find R’ and N’ s.t. (RR’ – NN’ = 1) Step 3. Construct a function F with following details: F(T) { m  (T mod R) N’ (mod R) t  (T + mN)/R return t } It should evident here that F(T) returns (TR’ mod N), where T = A * B Also, RR’  1 (mod N), NN’  -1 (mod N) Also, the output of F(T) lies in range [0, N – 1]

Prevalent Approach 1 cont’d Example: Let N = 79, A = 17, B = 26, R = 100; (relaxed requirement for R = 2 k ) R’ = 64, N’ = 81; (check RR’ – NN’ = 1)  A’; (17  A’ * 100 mod 79)  (17 * 64  A’ mod 79)  (17 * 64  61 mod 79)  B’; (17  B’ * 100 mod 79)  (26 * 64  B’ mod 79)  (26 * 64  5 mod 79) Therefore, A * B in above representation can be seen as follows: A * B = 17 * 26 = 442  (61 * 100) * (5 * 100)  (305) * (100) * (100)  (68) * (100) * (100) mod *64  (68) * (100) mod 79 (28228) mod 79  6  (68) * (100) mod 79 Therefore, F(T) should take 442 as input and return 6, which can be verified as under: T = 442, R = 100, R’ = 64, N’ = 81, N = 79 m  (T mod R) * N’ * (mod R)t  (T + mN)/R  (442 mod 100) * 81 * (mod 100)  ( *79)/100  (42 * 81) mod 100  600/100  6 mod 79

Prevalent Approach 2 Approach 2: Brickell, Gordon, McCurley and Wilson or BGMW by [Gordon et al] Premise: square-and-multiply (from: addition chains) method for g n requires 2  logN , where N is order of group. Suggestion: Pre-compute and store powers of 2 (of g). Quick inference 1: There is no reason to store powers of 2 Quick inference 2: Pre-compute g x0, g x1, … g xm-1 for some integers x 0, x 1 … x m-1 Requirement: Find a decomposition for n s.t. Where, 0  a  h and 0  i < m What are the implications ?

Prevalent Approach 2 cont’d g n can be computed as follows: Algorithm: ComputeG(g xi ) { b  1 a  1 for (d = h; d  1; d--) { for (i=0; a i == d; i++) { b  b * g xi } a  a * b } return a; }

Prevalent Approach 2 cont’d Quick Inference 3: number of multiplications are 2h – 2 Quick Inference 4: if c d ’s have no relation amongst themselves, then aforementioned metric is optimal. 1.Approach 2 is extended to other number system as well 2.Approach 2 can be parallelized. It is shown as under: b  b * g xi (calculation for c d ); spread each c d to 1 of h available a  a * b (calculation of g n ); each processor can compute c d for one d using addition chain method and finally repeated multiplication in pairs to form g n. 3.This offers the speedup of (loglogN) worst-case using (logN/log 2 logN) processors.

Prevalent Approach 3 Approach 3: Flexibility + BGMW approach  [Lim et al] Approach Step 1. Divide n (from: g n ) into h blocks n i ; where, 0  i  h – 1 of size k =  b/h  Step 2. Further, divide n i into smaller blocks n i, j; where 0  j  v – 1 of size t =  k/v  Step 3. This division of n for g n transforms the problem of computation as under: Step 4. if we have n i to be expressed in binary representation then g n can be written as under: Step 5. Using pre-computed and stored values of G[j][i] = (G[0][i]) 2jb

Prevalent Approach 3 Algorithm: ComputeG(G[0][i]) { Z  1 for (k = b – 1; k  0; k--) { Z  Z*Z for (j = v – 1; j  0; j--) { Z  Z*G[j][I j, k] } return Z; } … h – … v – 1 i j

Suggestion Suppose g N is to be calculated, where N can be broken into p, q s.t. N = p * q. Furthermore, p and q are s.t. p * q = 10 * (p + q) WLOG, g N = g p * q = g 10 * (p + q) Where, g 10 can be pre-computed and stored. Additionally, if N is prime, the N can be broken into p, q s.t. N = 10 * (p + q) + C Where C is any constant For example, if p = 35, q = 14, C = 1  N = 491 WLOG, g N = g 10 * (p + q) + C Where, g 10 and g C can be pre-computed and stored.

Suggestion cont’d

g C1 g C2 g C3 g C4 … g Ck  + E p q g 10 gNgN p + q g 10 * (p + q) g 10 * (p + q) + c

Q & A/Feedback Feedback