
Brooks & Odderskov - Modular Exponentiation

Modular Exponentiation
Richard Brooks & Io Odderskov
MSE
2018
1 Introduction
A challenging task is that of exponentiation modulo $n$, i.e. computing $a^b \bmod n$ for base $a \in \mathbb{Z}_n$ and integer exponent $b > 0$.¹ This problem arises in many cases within software engineering. The question we need to answer is the following: what is the fastest way to compute a large integer power of a number modulo $n$?

For instance, suppose I want to compute $4^{60} \bmod 69$. One way to do this is to just compute $4^{60}$ in $\mathbb{Z}$ and then reduce the answer

$4^{60} = 1329227995784915872903807060280344576$

modulo 69. This gives the result $4^{60} \equiv 58 \pmod{69}$. This seems like a lot of work just to get to the number 58, so one naturally wonders whether there is an easier way. The answer is yes, and this short paper will demonstrate two efficient methods for doing this.
1.1
Exponentiation - the successive squaring approach
Let us try to think like a computer. Say I want to compute $x^4$. How do we compute this? Well, a naïve way of computing it would be

Naïve:
$x \cdot x = x^2$
$x^2 \cdot x = x^3$
$x^3 \cdot x = x^4$

So what did this computation cost us? It cost three multiplications. Now, the question is, is there a way to do this in fewer than three multiplications? Fortunately, there is a better way of doing the above calculation:

Better:
$x \cdot x = x^2$
$x^2 \cdot x^2 = x^4$
¹ When $b = 0$ the problem is easy. When $b < 0$ and $a \in \mathbb{Z}_n^*$ then $a^b = (a^{-1})^{-b} \bmod n$ and the problem is reduced to the case of exponentiation with a positive exponent, given that we can compute inverses (as discussed in the previous lesson).
By using the output of the former multiplication as input to the next, we saved one calculation. Let us try to apply our two methods to a larger exponent, $x^{32}$:

Naïve:
$x \cdot x = x^2$
$x^2 \cdot x = x^3$
$\vdots$
$x^{31} \cdot x = x^{32}$

Better:
$x \cdot x = x^2$
$x^2 \cdot x^2 = x^4$
$\vdots$
$x^{16} \cdot x^{16} = x^{32}$
The naïve method uses 31 multiplications and the Better method uses 5. The naïve algorithm relies on the following recurrence:

$a^b = a \cdot a^{b-1} = a \cdot a \cdot a^{b-2} = \cdots,$

and uses $b - 1$ multiplications, which would be prohibitive for large exponents. It should be clear from the above discussion that the naïve method is not an efficient way to perform modular exponentiation.
The Better method, however, relies on the fact that $b$ is a power of 2, i.e. $b = 2^k$. For example, we can compute $a^{128} \equiv a^{2^7} \pmod n$ using only 7 modular multiplications:

$a^{2} = (a)^2 \equiv a \cdot a \pmod n$
$a^{4} = a^{2^2} = (a^{2})^2 \equiv a^2 \cdot a^2 \pmod n$
$a^{8} = a^{2^3} = (a^{2^2})^2 \equiv a^4 \cdot a^4 \pmod n$
$a^{16} = a^{2^4} = (a^{2^3})^2 \equiv a^8 \cdot a^8 \pmod n$
$a^{32} = a^{2^5} = (a^{2^4})^2 \equiv a^{16} \cdot a^{16} \pmod n$
$a^{64} = a^{2^6} = (a^{2^5})^2 \equiv a^{32} \cdot a^{32} \pmod n$
$a^{128} = a^{2^7} = (a^{2^6})^2 \equiv a^{64} \cdot a^{64} \pmod n$
As mentioned, this only works for exponents that are a power of 2. The question is, of course, what we do when $b$ is not a power of 2, e.g. $a^{205}$? Let us write the exponent $b = 205$ as the sum of powers of 2:

$b = 205_{10} = (11001101)_2 = (2^7 + 2^6 + 2^3 + 2^2 + 2^0)_{10}.$

Given the computations above, only 4 more modular multiplications produce $a^{205} \bmod n$:

$a^{205} = a^{2^7 + 2^6 + 2^3 + 2^2 + 2^0} = a^{2^7} \cdot a^{2^6} \cdot a^{2^3} \cdot a^{2^2} \cdot a.$

(We actually reduce modulo $n$ after each multiplication.)
Collectively, the above discussion results in what is known as the Method of Successive Squaring. Before describing it in general, we will illustrate it by computing

$49^{23} \bmod 55.$

The first step is to create a table giving the values of $49, 49^2, 49^4, 49^8, 49^{16}, \dots \bmod 55$. Notice that to get each successive entry in the list, we just have to square the previous number. Furthermore, since we always reduce modulo 55 before squaring, we never have to work with any numbers larger than $55^2$. Here is the table of $2^k$-powers of 49 modulo 55:
$49^{1} = 49 \equiv 49 \pmod{55}$
$49^{2} = (49^{1})^2 = 49^2 = 2401 \equiv 36 \pmod{55}$
$49^{4} = (49^{2})^2 \equiv 36^2 = 1296 \equiv 31 \pmod{55}$
$49^{8} = (49^{4})^2 \equiv 31^2 = 961 \equiv 26 \pmod{55}$
$49^{16} = (49^{8})^2 \equiv 26^2 = 676 \equiv 16 \pmod{55}$
The next step is to write the exponent 23 as a sum of powers of 2. This is called the binary expansion of 23. The largest power of 2 less than 23 is $2^4 = 16$, so we write $23 = 16 + 7$. Then the largest power of 2 less than 7 is $2^2 = 4$, so $23 = 16 + 4 + 3$. We continue in this manner and obtain the following:

$23 = 16 + 7$
$\phantom{23} = 16 + 4 + 3$
$\phantom{23} = 16 + 4 + 2 + 1$
Now we use the binary expansion of 23 to compute

$49^{23} = 49^{16+4+2+1} = 49^{16} \cdot 49^{4} \cdot 49^{2} \cdot 49^{1}$

We now look in the table created previously in order to find the values of the entries of the final right-hand side and obtain

$49^{23} = 49^{16} \cdot 49^{4} \cdot 49^{2} \cdot 49^{1} \equiv 16 \cdot 31 \cdot 36 \cdot 49 \pmod{55}$

The numbers in the last line are taken from the table of powers of 49 that we computed earlier. To complete the computation of $49^{23} \bmod 55$, we just need to multiply the four numbers $16 \cdot 31 \cdot 36 \cdot 49$ modulo 55. If the product of all four numbers is too large, we can just multiply the first two, reduce modulo 55, multiply by the third, reduce modulo 55, and so on. In this way we will never need to work with any number greater than $55^2$. Thus

$16 \cdot 31 \cdot 36 \cdot 49 = 496 \cdot 36 \cdot 49 \equiv 1 \cdot 36 \cdot 49 \equiv 4 \pmod{55}$
This may seem like a lot of work, but upon inspection the method can be simplified a bit. Consider the exponent $b = 23$. The binary representation of this is $10111_2$ and tells us which numbers we should use from the table of powers of 49 (reading the bits from the least significant bit upwards):

bit 1: $49^{1} \equiv 49 \pmod{55}$
bit 1: $49^{2} \equiv 36 \pmod{55}$
bit 1: $49^{4} \equiv 31 \pmod{55}$
bit 0: $49^{8} \equiv 26 \pmod{55}$
bit 1: $49^{16} \equiv 16 \pmod{55}$
We use the lines where the bit in the binary representation is 1. We are now ready to state a general method of computing $a^b \bmod n$ by successive squaring.

1. Write $b$ in binary and note the most significant bit.
2. Make a table of the powers $a, a^2, a^4, a^8, \dots$ modulo $n$. Note that to compute each line of the table you only need to take the number at the end of the previous line, square it, and then reduce it modulo $n$. Also note that the table has the same number of lines as there are bits in the binary representation of $b$.
3. Take the product of each line where the bit in the binary representation is 1 and reduce modulo $n$.
Let us run through a couple of examples:

Ex 1: Compute $7^{327} \bmod 853$ using successive squaring

Step 1: $327_{10} = 101000111_2$
Step 2:
$7^{1} = 7 \equiv 7 \pmod{853}$
$7^{2} = (7^{1})^2 = 7^2 = 49 \equiv 49 \pmod{853}$
$7^{4} = (7^{2})^2 = 49^2 = 2401 \equiv 695 \pmod{853}$
$7^{8} = (7^{4})^2 \equiv 695^2 = 483025 \equiv 227 \pmod{853}$
$7^{16} = (7^{8})^2 \equiv 227^2 = 51529 \equiv 349 \pmod{853}$
$7^{32} = (7^{16})^2 \equiv 349^2 = 121801 \equiv 675 \pmod{853}$
$7^{64} = (7^{32})^2 \equiv 675^2 = 455625 \equiv 123 \pmod{853}$
$7^{128} = (7^{64})^2 \equiv 123^2 = 15129 \equiv 628 \pmod{853}$
$7^{256} = (7^{128})^2 \equiv 628^2 = 394384 \equiv 298 \pmod{853}$
Step 3 (the 1 bits of $101000111_2$ select the lines for $7^{256}, 7^{64}, 7^{4}, 7^{2}, 7^{1}$):
$7^{256} \cdot 7^{64} \cdot 7^{4} \cdot 7^{2} \cdot 7^{1} \equiv 298 \cdot 123 \cdot 695 \cdot 49 \cdot 7$
$\equiv 828 \cdot 695 \cdot 49 \cdot 7$
$\equiv 538 \cdot 49 \cdot 7$
$\equiv 772 \cdot 7$
$\equiv 286 \pmod{853}$
This may seem like a lot of work, but suppose instead that we try to compute $7^{327} \bmod 853$ directly by first computing $7^{327}$ and then dividing by 853 and taking the remainder. It is possible to do this with a small computer and you will get a number which has 277 digits in its decimal expansion. However, it is completely infeasible to compute an exponent exactly when the exponent has, say, 20 digits, much less when the exponent has hundreds of digits. On the other hand, the method of successive squaring can be used to compute an exponent modulo $n$ even when the exponent has hundreds or thousands of digits. Let us conclude this section with a couple of examples that you may be able to do without a calculator.
Ex 2: Compute $5^{17} \bmod 19$ using successive squaring

We will use the method outlined above implicitly.

$5^{1} \equiv 5 \pmod{19}$
$5^{2} = 25 \equiv 6 \pmod{19}$
$5^{4} = (5^{2})^2 \equiv 6^2 = 36 \equiv 17 \pmod{19}$
$5^{8} = (5^{4})^2 \equiv 17^2 = 289 \equiv 4 \pmod{19}$
$5^{16} = (5^{8})^2 \equiv 4^2 = 16 \equiv 16 \pmod{19}$

Since the binary representation of 17 is $10001_2$, we must multiply the result of the first line with the result of the last line:

$5^{17} = 5^{16} \cdot 5^{1} \equiv 16 \cdot 5 = 80 \equiv 4 \pmod{19}$
Ex 3: Compute $4^{134} \bmod 11$ using successive squaring

$4^{1} \equiv 4 \pmod{11}$
$4^{2} = 16 \equiv 5 \pmod{11}$
$4^{4} = (4^{2})^2 \equiv 5^2 = 25 \equiv 3 \pmod{11}$
$4^{8} = (4^{4})^2 \equiv 3^2 = 9 \equiv 9 \pmod{11}$
$4^{16} = (4^{8})^2 \equiv 9^2 = 81 \equiv 4 \pmod{11}$
$4^{32} = (4^{16})^2 \equiv 4^2 = 16 \equiv 5 \pmod{11}$
$4^{64} = (4^{32})^2 \equiv 5^2 = 25 \equiv 3 \pmod{11}$
$4^{128} = (4^{64})^2 \equiv 3^2 = 9 \equiv 9 \pmod{11}$

Since the binary representation of 134 is $10000110_2$, we must multiply the results of the second, third and last lines:

$4^{134} = 4^{128} \cdot 4^{4} \cdot 4^{2} \equiv 5 \cdot 3 \cdot 9 = 15 \cdot 9 \equiv 4 \cdot 9 = 36 \equiv 3 \pmod{11}$
1.2 Exponentiation - the square/multiply approach

The next method for doing modular exponentiation is very similar to the successive squaring approach outlined in the previous section. They are fundamentally similar and yet the square/multiply (we will refrain from abbreviating this name!) approach outlined here has its advantages. In its essence, the square/multiply approach combines steps 2 and 3 of the successive squaring method, ultimately producing a different algorithm.
Like before, we need to find the binary representation of the exponent. We
scan the bits of the exponent from the most significant bit (often abbreviated ‘msb’) to the least significant bit (‘lsb’), i.e. from left to right. A
squaring is performed at each step, and depending on the scanned bit
value, a subsequent multiplication is performed: if the bit is a 1 we also
multiply. The input at each step is the output of the previous step (except
for the first). Let us illustrate with an example which we introduced at the
beginning of this paper.
Ex 4: Compute $4^{60} \bmod 69$ using square/multiply

$60_{10} = 111100_2$, so we need to first do four square/multiply iterations and then two iterations where we only square:

bit 1, Sq+mult: $(4^{0})^2 \cdot 4 = 4^{1} \equiv 4 \pmod{69}$
bit 1, Sq+mult: $(4^{1})^2 \cdot 4 = 4^{3} \equiv 64 \pmod{69}$
bit 1, Sq+mult: $(4^{3})^2 \cdot 4 = 4^{7} \equiv 64^2 \cdot 4 \equiv 31 \pmod{69}$
bit 1, Sq+mult: $(4^{7})^2 \cdot 4 = 4^{15} \equiv 31^2 \cdot 4 \equiv 49 \pmod{69}$
bit 0, Sq: $(4^{15})^2 = 4^{30} \equiv 49^2 \equiv 55 \pmod{69}$
bit 0, Sq: $(4^{30})^2 = 4^{60} \equiv 55^2 \equiv 58 \pmod{69}$
As you can see from the above, the most significant bit really just sets off the algorithm, and it isn’t until the second step that the Sq+mult takes effect. Let us consider one more example:
Ex 5: Compute $25^{82} \bmod 7$ using square/multiply

$82_{10} = 1010010_2$. The leading 1 just gives $25^{1} \equiv 4 \pmod 7$; the remaining six bits $010010$ give:

bit 0, Sq: $(25^{1})^2 = 25^{2} \equiv 4^2 \equiv 2 \pmod 7$
bit 1, Sq+mult: $(25^{2})^2 \cdot 25 = 25^{5} \equiv 2^2 \cdot 25 \equiv 2 \pmod 7$
bit 0, Sq: $(25^{5})^2 = 25^{10} \equiv 2^2 \equiv 4 \pmod 7$
bit 0, Sq: $(25^{10})^2 = 25^{20} \equiv 4^2 \equiv 2 \pmod 7$
bit 1, Sq+mult: $(25^{20})^2 \cdot 25 = 25^{41} \equiv 2^2 \cdot 25 \equiv 4 \cdot 4 \equiv 2 \pmod 7$
bit 0, Sq: $(25^{41})^2 = 25^{82} \equiv 2^2 \equiv 4 \pmod 7$
We introduced this section by stating that the successive squaring and
square/multiply algorithms are essentially the same. Collectively, they are
known as binary exponentiation. The distinguishing feature between them
is whether we view the binary representation of the exponent from right to
left (lsb to msb) or from left to right (msb to lsb). It should be clear from
the previous sections that the right-to-left binary method is what we here
have called ‘successive squaring’ and the left-to-right binary method is
what we have called ‘square/multiply’.
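Both binary methods from sections 1.1 and 1.2 in Python, as an added example that is not part of the original paper: successive_squaring builds the paper's table of $2^k$-powers and multiplies the lines whose bit is 1 (right to left), while square_multiply scans the bits from msb to lsb and squares at every step, multiplying only on a 1 bit. The function names are my own, and the results are cross-checked against Python's built-in pow.

```python
def successive_squaring(a, b, n):
    """Right-to-left binary method (the paper's 'successive squaring').

    Returns (result, table); table lists (2**k, a**(2**k) % n) for every
    bit of b, i.e. exactly the table the paper builds in step 2.
    """
    result = 1 % n
    power = a % n                    # current table line: a^(2^k) mod n
    table = []
    k = 0
    while b > 0:
        table.append((2 ** k, power))
        if b & 1:                    # bit k is 1: this line goes into the product
            result = (result * power) % n
        power = (power * power) % n  # next line: square, then reduce mod n
        b >>= 1
        k += 1
    return result, table


def square_multiply(a, b, n):
    """Left-to-right binary method (the paper's 'square/multiply').

    Returns (result, trace); trace lists (bit, value) after each step,
    matching the Sq / Sq+mult rows of Ex 4 and Ex 5.
    """
    result = 1 % n
    trace = []
    for bit in bin(b)[2:]:           # e.g. '111100' for b = 60, msb first
        result = (result * result) % n      # always square ...
        if bit == "1":                      # ... and multiply only on a 1 bit
            result = (result * a) % n
        trace.append((bit, result))
    # Caveat for secret exponents (e.g. a private key): the multiply runs
    # only for 1 bits, so timing or power measurements of this textbook
    # form can reveal b; constant-time implementations avoid that branch.
    return result, trace


def both_agree(a, b, n):
    """Cross-check the two methods against Python's built-in pow(a, b, n)."""
    return successive_squaring(a, b, n)[0] == square_multiply(a, b, n)[0] == pow(a, b, n)


if __name__ == "__main__":
    print(successive_squaring(49, 23, 55))  # (4, [(1, 49), (2, 36), (4, 31), (8, 26), (16, 16)])
    print(square_multiply(4, 60, 69))       # (58, [('1', 4), ('1', 64), ('1', 31), ('1', 49), ('0', 55), ('0', 58)])
```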
1.3 Using Fermat’s Little Theorem for modular exponentiation

Sometimes you can use Fermat’s Little Theorem to perform modular exponentiation. Recall that Fermat’s Little Theorem states the following: if $p$ is prime, then

$a^{p-1} \equiv 1 \pmod p,$

for any $a$ which is not a multiple of $p$.
Ex 6: Compute $7^{222} \bmod 11$ using Fermat’s Little Theorem.

From the theorem we note that $7^{11-1} = 7^{10} \equiv 1 \pmod{11}$, such that $(7^{10})^k \equiv 1 \pmod{11}$ for $k \in \mathbb{N}$. We know from the division algorithm that $222 = 22 \cdot 10 + 2$ and thus obtain:

$7^{222} = 7^{22 \cdot 10 + 2} = (7^{10})^{22} \cdot 7^2$

Now, since $(7^{10})^k \equiv 1 \pmod{11}$ we get

$(7^{10})^{22} \cdot 7^2 \equiv 1^{22} \cdot 49 \equiv 5 \pmod{11}$
Ex 7: Compute $7^{256} \bmod 13$ using Fermat’s Little Theorem.

From Fermat we get that $7^{12} \equiv 1 \pmod{13}$ and observe that $256 = 21 \cdot 12 + 4$:

$7^{256} = 7^{21 \cdot 12 + 4} = (7^{12})^{21} \cdot 7^4 \equiv 1^{21} \cdot 49 \cdot 49 \equiv 10 \cdot 10 \equiv 9 \pmod{13}$
Ex 8: Compute $2^{245} \bmod 11$ using Fermat’s Little Theorem.

$2^{245} = 2^{24 \cdot 10 + 5} = (2^{10})^{24} \cdot 2^5 \equiv 1^{24} \cdot 32 \equiv 10 \pmod{11}$
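The exponent reduction used in Ex 6 to 8, as an added Python example that is not part of the original paper: fermat_mod_exp writes $b = q(p-1) + r$ and returns $q$, $r$ and $a^r \bmod p$, and it also handles the case the theorem excludes, $a$ being a multiple of $p$, where reducing the exponent would give a wrong answer. The function names and the trial-division primality check are my own.

```python
def is_prime(p):
    """Trial division; adequate for the small moduli in these examples."""
    if p < 2:
        return False
    d = 2
    while d * d <= p:
        if p % d == 0:
            return False
        d += 1
    return True


def fermat_mod_exp(a, b, p):
    """Compute a^b mod p using a^(p-1) ≡ 1 (mod p) for prime p with p ∤ a.

    Returns (q, r, result) where b = q*(p-1) + r, so that
    a^b = (a^(p-1))^q * a^r ≡ 1^q * a^r (mod p), the layout of Ex 6-8.
    """
    if not is_prime(p):
        raise ValueError("Fermat's Little Theorem needs a prime modulus")
    q, r = divmod(b, p - 1)
    if a % p == 0:
        # The theorem does not apply: a is a multiple of p, so a^b ≡ 0 for
        # b >= 1. Reducing the exponent anyway would be wrong, e.g. 11^10
        # mod 11 is 0, but 11^(10 mod 10) = 11^0 would give 1.
        return q, r, 0 if b > 0 else 1 % p
    # a^r for the small remainder r: multiply and reduce as we go
    result = 1
    for _ in range(r):
        result = (result * a) % p
    return q, r, result


if __name__ == "__main__":
    print(fermat_mod_exp(7, 222, 11))   # (22, 2, 5)
    print(fermat_mod_exp(7, 256, 13))   # (21, 4, 9)
    print(fermat_mod_exp(2, 245, 11))   # (24, 5, 10)
```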