52 Things: Number 24: Describe the binary, m-ary and sliding window exponentiation algorithms.
52 Things: Number 24: Describe the binary, m-ary and sliding window exponentiation algorithms.
52件事:第24件:描述二进制、m进制和滑动窗口求幂算法。
This is the latest in a series of blog posts to address the list of '52 Things Every PhD Student Should Know' to do Cryptography: a set of questions compiled to give PhD candidates a sense of what they should know by the end of their first year. Continuing the section on implementation details, we consider some different methods for calculating modular exponentiations.
这是一系列博客文章中的最新一篇,旨在解决“每个博士生都应该知道的52件事”做密码学:这是一组问题,旨在让博士生在第一年结束时了解他们应该知道什么。继续关于实现细节的部分,我们考虑一些不同的计算模指数的方法。
这是一系列博客文章中的最新一篇,旨在解决“每个博士生都应该知道的52件事”做密码学:这是一组问题,旨在让博士生在第一年结束时了解他们应该知道什么。继续关于实现细节的部分,我们考虑一些不同的计算模指数的方法。
Brief reminder of what we already know
简要提醒我们已经知道的事情
A large number of cryptographic algorithms are based around the security of exponentiation-based problems, such as RSA or DH. Therefore, having an efficient implementation of Modular exponentiation is required for modern cryptography. We should begin by addressing the naive solution: to calculate xa(modN) we use our favourite exponentiation algorithm to calculate xa, then reduce the answer modulo N. However, for most cryptographic uses xa will be excessively large. Now, most traditional methods can be modified simply by reducing modulo N at every possible stage, and this leads to some of the common techniques. Here we present a few possible methods for calculating XEmodN.大量的密码算法都是基于幂运算问题的安全性,例如RSA或DH。因此,现代密码学需要有效地实现模幂运算。我们应该从解决简单的解决方案开始:为了计算 xa(modN) ,我们使用我们最喜欢的求幂算法来计算 xa ,然后将答案模为 N 。然而,对于大多数加密使用来说,#3将过大。现在,大多数传统方法可以通过在每个可能的阶段减少模#4来简单地进行修改,这导致了一些常见的技术。在这里,我们提出了几种可能的方法来计算 XEmodN 。
Binary 二进制的
The binary modular exponentiation method closely resembles the traditional square-and-multiply method for calculating exponentiation. Indeed, the only difference is that at each stage we reduce modulo N (preventing any of the intermediate values getting any larger than necessary). We can do this from left-to-right or right-to-left (either going up or down the bits of the exponent), and there are subtitles that may affect your choice.二进制模求幂方法与传统的乘方求幂方法非常相似。事实上,唯一的区别是在每个阶段我们都减少模 N (防止任何中间值变得大于必要值)。我们可以从左到右或从右到左(指数的位向上或向下)执行此操作,并且有可能影响您选择的字幕。
m-ary
The m-ary method works in a similar way, but instead of considering the exponent as a sequence of bits, we consider them as elements of some alphabet of M=2m elements (ie m-bit strings). In fact, the binary method can be thought of as the m-ary method with M=2 (hence the name). So, how does it work? Well, first we calculate a lookup table for all the Xi for i=1 to 2m−1.m-ary方法以类似的方式工作,但我们不将指数视为比特序列,而是将它们视为 M=2m 元素的某些字母表(即m-比特串)的元素。事实上,二进制方法可以被认为是m=2的m元方法(因此得名)。那么,它是如何工作的呢?首先,我们为#2到#3的所有 Xi 计算一个查找表。
Then, we work our way through the exponent E (in base M). Then, for each 'term' in E we simply look up the appropriate value from our table, and then instead of doubling we shift by m.
然后,我们计算指数 E (以 M 为基数)。然后,对于#2中的每个“term”,我们只需从表中查找适当的值,然后不加倍,而是按#3移位。
Compared to the binary technique, this means more precomputation (ie calculate more powers of X) and so requires more space, but in return have to make fewer multiplications.
与二进制技术相比,这意味着更多的预计算(即计算X的更多幂),因此需要更多的空间,但反过来必须进行更少的乘法运算。
Sliding Window 滑动车窗
So, the m-ary window certainly reduces the number of multiplications we had to do, but can we do better? The answer is (unsurprisingly given the retorical question) yes, in the right circumstances. Suppose we are working with m=4, and E=22=(0,0,0,1,0,1,1,0)2=(1,6)24. Then we could use the 4-ary method, but perhaps if we 'reposition' our window, we can do even better: after all there are only 3 set bits, and they're all within a window of 4. If we knew this in advance, we could apply our lookup table at that position, and so only have to do one lookup. So, for the sliding window method, we first look through the binary representation of X, and using this find a representation of X=∑xi2i where 0≤xi≤2m−1 and as many xi are zero as possible. This leads to even more precomputation work than the m-ary method, since we have to calculate an efficient representation of X as well as the lookup table used previously. However, if X is known to be sufficiently sparse, a sliding-window method will almost certainly be more efficient.所以,m元窗口当然减少了我们必须进行的乘法运算的次数,但我们能做得更好吗?在正确的情况下,答案是肯定的(考虑到这个反诘的问题并不奇怪)。假设我们正在使用 m=4 和 E=22=(0,0,0,1,0,1,1,0)2=(1,6)24 。然后我们可以使用4元方法,但也许如果我们“重新定位”我们的窗口,我们可以做得更好:毕竟只有3个设置位,并且它们都在4的窗口内。如果我们事先知道这一点,我们可以在那个位置应用查找表,因此只需要进行一次查找。因此,对于滑动窗口方法,我们首先查看#2的二进制表示,并使用它找到#3的表示,其中#4和尽可能多的 xi 为零。这导致了比m元方法更多的预计算工作,因为我们必须计算 X 的有效表示以及之前使用的查找表。然而,如果已知 X 足够稀疏,则滑动窗口方法几乎肯定会更有效。
The Working Class Must Lead!