Module 4 : Modular Arithmetic

Lecture 2 : Modular exponentiation

Invariant: In each iteration the following invariant is maintained:

  1. Let the current bit being processed be b_i. The value of c is the same as the prefix <b_k b_{k-1} ... b_{i+1}> of the binary representation of b.
  2. d = a^c mod n.

We use this loop invariant as follows:

Initialization:

Initially i = k, so that the prefix <b_k b_{k-1} ... b_{i+1}> is empty, which corresponds to c = 0. Moreover, d = 1 = a^c mod n.

Maintenance:

Let c' and d' denote the values of c and d at the end of an iteration of the for loop, and thus the values prior to the next iteration. Each iteration updates c' ← 2c (if b_i = 0) or c' ← 2c + 1 (if b_i = 1), so that c will be correct prior to the next iteration.

If b_i = 0 then d' = d^2 mod n, i.e., d' = (a^c)^2 mod n, and hence d' = a^{2c} mod n = a^{c'} mod n.

If b_i = 1 then d' = d^2 · a mod n, i.e., d' = (a^c)^2 · a mod n, and hence d' = a^{2c+1} mod n = a^{c'} mod n.

In either case, d = a^c mod n prior to the next iteration.

Termination:

At termination, i = -1. Thus c = b, since c has the value of the prefix <b_k b_{k-1} ... b_0> of b's binary representation. Hence d = a^c mod n = a^b mod n.

Analysis of Time Complexity:

If the inputs a, b, and n are β-bit numbers then the total number of arithmetic operations required is O(β), since the loop iterates β times. Since the time complexity of multiplying two β-bit numbers is O(β^2), the total number of bit operations required is O(β^3). Thus the algorithm is clearly polynomial in the input size.

Note: The modular exponentiation algorithm is an essential component of several cryptographic algorithms.

One weakness of the algorithm is that the computation time of each iteration depends on the value of the bit b_i. If b_i = 0 the loop body clearly takes much less computation time than when b_i = 1 (one modular multiplication instead of two). This weakness of modular exponentiation has been exploited to attack several cryptographic algorithms. This attack is known as a timing attack.

There are several remedies to overcome the attack. One possible solution is to remove the difference in computation time between b_i = 0 and b_i = 1 by adding some delay in each iteration where b_i = 0, making its execution time equal to that of an iteration with b_i = 1. We will discuss other remedies later.
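The following is an added example, not code from the lecture or its reference, that implements the loop analysed above in Python. `modexp` re-checks the invariant d = a^c mod n after every iteration and returns the number of modular multiplications, which is exactly the quantity that varies with the bits of b and that the timing attack observes; `modexp_balanced` realises the remedy of equalising the per-iteration work, using an always-performed multiplication with a branch-free select (an assumption of this example, in place of the inserted delay described in the text). The test values are constructed.

```python
def modexp(a, b, n):
    """Left-to-right binary exponentiation (square-and-multiply) for a^b mod n.

    Mirrors the lecture's loop: c tracks the prefix <b_k ... b_i> of b, and the
    invariant d == a^c mod n is re-checked after every iteration.  Returns the
    result together with the number of modular multiplications performed; that
    count depends on the bits of b, which is what a timing attack measures.
    """
    bits = format(b, "b")          # b_k ... b_0, most significant bit first
    c, d = 0, 1 % n                # 1 % n keeps d == a^0 mod n even when n == 1
    mults = 0
    for bit in bits:
        c, d = 2 * c, (d * d) % n  # squaring step: c' = 2c, d' = d^2 mod n
        mults += 1
        if bit == "1":
            c, d = c + 1, (d * a) % n   # extra multiply only when b_i = 1
            mults += 1
        assert d == pow(a, c, n), "loop invariant d = a^c mod n violated"
    assert c == b                  # termination: prefix <b_k ... b_0> is b itself
    return d, mults


def modexp_balanced(a, b, n):
    """Same algorithm, but every iteration does the same work regardless of b_i.

    The multiplication by a is always computed and its result is kept or
    discarded with a branch-free mask, so the count is two multiplications per
    bit.  This is one way to make the b_i = 0 iteration cost as much as the
    b_i = 1 iteration.  Caveat: Python big-int arithmetic is not constant-time,
    so this only equalises the operation count; a production implementation
    needs constant-time arithmetic underneath as well.
    """
    d = 1 % n
    mults = 0
    for bit in format(b, "b"):
        d = (d * d) % n
        t = (d * a) % n            # computed unconditionally
        mults += 2
        mask = -int(bit)           # -1 (all ones) when b_i = 1, 0 when b_i = 0
        d = (t & mask) | (d & ~mask)   # select t if b_i = 1, else keep d
    return d, mults
```

For a fixed bit length, `modexp` performs (number of bits) + (number of one bits) multiplications, so two exponents of equal length but different Hamming weight are distinguishable by operation count, while `modexp_balanced` performs exactly twice the bit length for any exponent.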

Reference:

1. Introduction to Algorithms, Second Edition, T. H. Cormen, C. E. Leiserson, R. Rivest and C. Stein, Prentice Hall India.