SPA resistant Exponentiation based on Bruns GCD algorithm Val erie - - PowerPoint PPT Presentation

SPA resistant Exponentiation based on Brun’s GCD algorithm

Val´ erie Berth´ e, Thomas Plantard

Paris Diderot Universit´ e, University of Wollongong http://www.uow.edu.au/˜ thomaspl thomaspl@uow.edu.au

2019

Berthe, Plantard (IRIF, UOW) Exponentiation based on Brun Algorithm 2019 1 / 31

Introduction

1

Introduction

2

Exponentiation based on Euclid Algorithm

3

Exponentiation based on Brun Algorithm

4

Result/Conclusion/Future Works

Berthe, Plantard (IRIF, UOW) Exponentiation based on Brun Algorithm 2019 2 / 31

Introduction

1

Introduction

2

Exponentiation based on Euclid Algorithm

3

Exponentiation based on Brun Algorithm

4

Result/Conclusion/Future Works

Berthe, Plantard (IRIF, UOW) Exponentiation based on Brun Algorithm 2019 3 / 31

Exponentiation

Exponentiation

RSA: in (Z/(NZ))∗, compute g e mod N using Modular Multiplication and Squaring. ECC: on a group, compute kP using 2P and P + Q.

Berthe, Plantard (IRIF, UOW) Exponentiation based on Brun Algorithm 2019 4 / 31

Exponentiation

Exponentiation

RSA: in (Z/(NZ))∗, compute g e mod N using Modular Multiplication and Squaring. ECC: on a group, compute kP using 2P and P + Q.

Generic Algorithm

Right To Left Left To Right Radix-R exponentiation Radix-R exponentiation with Odd Coefficient Sliding Window Montgomery Ladder

Berthe, Plantard (IRIF, UOW) Exponentiation based on Brun Algorithm 2019 4 / 31

Specific Group

For (Z/NZ)

Multiply Always Square Always Square And Multiply Always: 1 replace by N + 1 Exponentiation using multiplicative half-size splitting Montgomery Ladder with Common Operand Multiplication

Berthe, Plantard (IRIF, UOW) Exponentiation based on Brun Algorithm 2019 5 / 31

Specific Group

For (Z/NZ)

Multiply Always Square Always Square And Multiply Always: 1 replace by N + 1 Exponentiation using multiplicative half-size splitting Montgomery Ladder with Common Operand Multiplication

For ECC

NAF Exponentiation: using −P Addition Chain Exponentiation: No Doubling Double Base: exponent in base 2a3b

Berthe, Plantard (IRIF, UOW) Exponentiation based on Brun Algorithm 2019 5 / 31

Specific Case

Exponentiation with g constant

Radix-R exponentiation: exponent in base R = 2t NAF Representation Comb Method RNS Digit Exponent: exponent represented in base m0m1

Berthe, Plantard (IRIF, UOW) Exponentiation based on Brun Algorithm 2019 6 / 31

Specific Case

Exponentiation with g constant

Radix-R exponentiation: exponent in base R = 2t NAF Representation Comb Method RNS Digit Exponent: exponent represented in base m0m1

Exponentiation with e random

Addition Chain Double Base

Berthe, Plantard (IRIF, UOW) Exponentiation based on Brun Algorithm 2019 6 / 31

In this Work

Exponentiation

Generic Group SPA Protection g variable e given

Berthe, Plantard (IRIF, UOW) Exponentiation based on Brun Algorithm 2019 7 / 31

In this Work

Exponentiation

Generic Group SPA Protection g variable e given

Current Solution

Radix-R Memorise g i, i ∈ [1, R]

Berthe, Plantard (IRIF, UOW) Exponentiation based on Brun Algorithm 2019 7 / 31

Exponentiation: g e with e < 2k

Left To Right Exponentiation

a ← 1 for i = k − 1 to 0 do

a ← a2 if ei = 1 then

a ← a × g

Berthe, Plantard (IRIF, UOW) Exponentiation based on Brun Algorithm 2019 8 / 31

Exponentiation: g e with e < 2k

Left To Right Exponentiation

a ← 1 for i = k − 1 to 0 do

a ← a2 if ei = 1 then

a ← a × g

Right To Left Exponentiation

a ← 1, b ← g for i = 0 to k − 1 do

if ei = 1 then

a ← a × b

b ← b2

Berthe, Plantard (IRIF, UOW) Exponentiation based on Brun Algorithm 2019 8 / 31

SPA Attack

Recognising Operations

XXXXXXXXXXXXXXXXXXXXXXXX Modular Squaring (S): a ← a2 Modular Multiplication (M): a ← a × g SSMSMSSMSMSSSMSMSMSSSSMS

Berthe, Plantard (IRIF, UOW) Exponentiation based on Brun Algorithm 2019 9 / 31

SPA Attack

Recognising Operations

XXXXXXXXXXXXXXXXXXXXXXXX Modular Squaring (S): a ← a2 Modular Multiplication (M): a ← a × g SSMSMSSMSMSSSMSMSMSSSSMS

Regroup Operations

SSMSMSSMSMSSSMSMSMSSSSMS (S)(SM)(SM)(S)(SM)(SM)(S)(S)(SM)(SM)(SM)(S)(S)(S)(SM)(S)

Berthe, Plantard (IRIF, UOW) Exponentiation based on Brun Algorithm 2019 9 / 31

SPA Counter Measure

Classic Solution: Constant Time Algorithm

Goal: Unlink Sequence of Operations to Secret Key Solution: Same Sequence for all secret key Drawback: Average Case=Worst Case

Berthe, Plantard (IRIF, UOW) Exponentiation based on Brun Algorithm 2019 10 / 31

SPA Counter Measure

Classic Solution: Constant Time Algorithm

Goal: Unlink Sequence of Operations to Secret Key Solution: Same Sequence for all secret key Drawback: Average Case=Worst Case

A second Solution: Stop parenthesing Phase

Goal: Stop Attacker to be able to regroup operations Solution: Use Sequence of Equivalent Operations

Berthe, Plantard (IRIF, UOW) Exponentiation based on Brun Algorithm 2019 10 / 31

Squaring Always

Taylor Formulae

A × B = A + B 4 2 − A − B 4 2

Berthe, Plantard (IRIF, UOW) Exponentiation based on Brun Algorithm 2019 11 / 31

Squaring Always

Taylor Formulae

A × B = A + B 4 2 − A − B 4 2

Rewriting

Modular Squaring (S) : a ← a2 Modular Multiplication (SS): a ← a × g SSMSMSSMSMSSSMSMSMSSSSMS SSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSS

Berthe, Plantard (IRIF, UOW) Exponentiation based on Brun Algorithm 2019 11 / 31

Squaring Always

Taylor Formulae

A × B = A + B 4 2 − A − B 4 2

Rewriting

Modular Squaring (S) : a ← a2 Modular Multiplication (SS): a ← a × g SSMSMSSMSMSSSMSMSMSSSSMS SSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSS

Drawback

Cost of two S greater than M Only for (Z/NZ)

Berthe, Plantard (IRIF, UOW) Exponentiation based on Brun Algorithm 2019 11 / 31

Brun Algorithm

1

Introduction

2

Exponentiation based on Euclid Algorithm

3

Exponentiation based on Brun Algorithm

4

Result/Conclusion/Future Works

Berthe, Plantard (IRIF, UOW) Exponentiation based on Brun Algorithm 2019 12 / 31

Exponentiation based on Euclid Algorithm

Exponentiation

a ← g, b ← g 2

k 2

u ← e mod 2

k 2 , v ← e−u

2

k 2 , e = u + 2 k 2 v

while v = 0 do

if u > v then

u ← u − v b ← b × a

else

v ← v − u a ← a × b

a ← au

Berthe, Plantard (IRIF, UOW) Exponentiation based on Brun Algorithm 2019 13 / 31

Correctness

Invariant

aubv = g e

Berthe, Plantard (IRIF, UOW) Exponentiation based on Brun Algorithm 2019 14 / 31

Correctness

Invariant

aubv = g e

Initialisation

aubv = g u(g 2

k 2 )v) = g u+v2 k 2 = g e Berthe, Plantard (IRIF, UOW) Exponentiation based on Brun Algorithm 2019 14 / 31

Correctness

Invariant

aubv = g e

Initialisation

aubv = g u(g 2

k 2 )v) = g u+v2 k 2 = g e

In the loop

au−v(ab)v = aubv (ab)ubv−u = aubv

Berthe, Plantard (IRIF, UOW) Exponentiation based on Brun Algorithm 2019 14 / 31

Example:g 3165

u v a b If u > v ?

Berthe, Plantard (IRIF, UOW) Exponentiation based on Brun Algorithm 2019 15 / 31

Example:g 3165

u v a b If u > v ? 29 49 g 1 g 64

Berthe, Plantard (IRIF, UOW) Exponentiation based on Brun Algorithm 2019 15 / 31

Example:g 3165

u v a b If u > v ? 29 49 g 1 g 64 F 29 49 − 29 g 1+64 g 64

Berthe, Plantard (IRIF, UOW) Exponentiation based on Brun Algorithm 2019 15 / 31

Example:g 3165

u v a b If u > v ? 29 49 g 1 g 64 F 29 49 − 29 g 1+64 g 64 29 20 g 65 g 64

Berthe, Plantard (IRIF, UOW) Exponentiation based on Brun Algorithm 2019 15 / 31

Example:g 3165

u v a b If u > v ? 29 49 g 1 g 64 F 29 49 − 29 g 1+64 g 64 29 20 g 65 g 64 T 29 − 20 20 g 65 g 64+65

Berthe, Plantard (IRIF, UOW) Exponentiation based on Brun Algorithm 2019 15 / 31

Example:g 3165

u v a b If u > v ? 29 49 g 1 g 64 F 29 49 − 29 g 1+64 g 64 29 20 g 65 g 64 T 29 − 20 20 g 65 g 64+65 9 20 g 65 g 129

Berthe, Plantard (IRIF, UOW) Exponentiation based on Brun Algorithm 2019 15 / 31

Example:g 3165

u v a b If u > v ? 29 49 g 1 g 64 F 29 49 − 29 g 1+64 g 64 29 20 g 65 g 64 T 29 − 20 20 g 65 g 64+65 9 20 g 65 g 129 F 9 20 − 9 g 65+129 g 129

Berthe, Plantard (IRIF, UOW) Exponentiation based on Brun Algorithm 2019 15 / 31

Example:g 3165

u v a b If u > v ? 29 49 g 1 g 64 F 29 49 − 29 g 1+64 g 64 29 20 g 65 g 64 T 29 − 20 20 g 65 g 64+65 9 20 g 65 g 129 F 9 20 − 9 g 65+129 g 129 9 11 g 194 g 129

Berthe, Plantard (IRIF, UOW) Exponentiation based on Brun Algorithm 2019 15 / 31

Example:g 3165

u v a b If u > v ? 29 49 g 1 g 64 F 29 49 − 29 g 1+64 g 64 29 20 g 65 g 64 T 29 − 20 20 g 65 g 64+65 9 20 g 65 g 129 F 9 20 − 9 g 65+129 g 129 9 11 g 194 g 129 F 9 11 − 9 g 194+129 g 129

Berthe, Plantard (IRIF, UOW) Exponentiation based on Brun Algorithm 2019 15 / 31

Example:g 3165

u v a b If u > v ? 29 49 g 1 g 64 F 29 49 − 29 g 1+64 g 64 29 20 g 65 g 64 T 29 − 20 20 g 65 g 64+65 9 20 g 65 g 129 F 9 20 − 9 g 65+129 g 129 9 11 g 194 g 129 F 9 11 − 9 g 194+129 g 129 9 2 g 323 g 129

Berthe, Plantard (IRIF, UOW) Exponentiation based on Brun Algorithm 2019 15 / 31

Example:g 3165

u v a b If u > v ? 29 49 g 1 g 64 F 29 49 − 29 g 1+64 g 64 29 20 g 65 g 64 T 29 − 20 20 g 65 g 64+65 9 20 g 65 g 129 F 9 20 − 9 g 65+129 g 129 9 11 g 194 g 129 F 9 11 − 9 g 194+129 g 129 9 2 g 323 g 129 T 9 − 2 2 g 323 g 129+323

Berthe, Plantard (IRIF, UOW) Exponentiation based on Brun Algorithm 2019 15 / 31

Example:g 3165

u v a b If u > v ? 29 49 g 1 g 64 F 29 49 − 29 g 1+64 g 64 29 20 g 65 g 64 T 29 − 20 20 g 65 g 64+65 9 20 g 65 g 129 F 9 20 − 9 g 65+129 g 129 9 11 g 194 g 129 F 9 11 − 9 g 194+129 g 129 9 2 g 323 g 129 T 9 − 2 2 g 323 g 129+323 7 2 g 323 g 452

Berthe, Plantard (IRIF, UOW) Exponentiation based on Brun Algorithm 2019 15 / 31

Example:g 3165

u v a b If u > v ? 29 49 g 1 g 64 F 29 49 − 29 g 1+64 g 64 29 20 g 65 g 64 T 29 − 20 20 g 65 g 64+65 9 20 g 65 g 129 F 9 20 − 9 g 65+129 g 129 9 11 g 194 g 129 F 9 11 − 9 g 194+129 g 129 9 2 g 323 g 129 T 9 − 2 2 g 323 g 129+323 7 2 g 323 g 452 T 7 − 2 2 g 323 g 452+323

Berthe, Plantard (IRIF, UOW) Exponentiation based on Brun Algorithm 2019 15 / 31

Example:g 3165

u v a b If u > v ? 29 49 g 1 g 64 F 29 49 − 29 g 1+64 g 64 29 20 g 65 g 64 T 29 − 20 20 g 65 g 64+65 9 20 g 65 g 129 F 9 20 − 9 g 65+129 g 129 9 11 g 194 g 129 F 9 11 − 9 g 194+129 g 129 9 2 g 323 g 129 T 9 − 2 2 g 323 g 129+323 7 2 g 323 g 452 T 7 − 2 2 g 323 g 452+323 5 2 g 323 g 775

Berthe, Plantard (IRIF, UOW) Exponentiation based on Brun Algorithm 2019 15 / 31

Example:g 3165

u v a b If u > v ? 29 49 g 1 g 64 F 29 49 − 29 g 1+64 g 64 29 20 g 65 g 64 T 29 − 20 20 g 65 g 64+65 9 20 g 65 g 129 F 9 20 − 9 g 65+129 g 129 9 11 g 194 g 129 F 9 11 − 9 g 194+129 g 129 9 2 g 323 g 129 T 9 − 2 2 g 323 g 129+323 7 2 g 323 g 452 T 7 − 2 2 g 323 g 452+323 5 2 g 323 g 775 T 5 − 2 2 g 323 g 775+323

Berthe, Plantard (IRIF, UOW) Exponentiation based on Brun Algorithm 2019 15 / 31

Example:g 3165

u v a b If u > v ? 29 49 g 1 g 64 F 29 49 − 29 g 1+64 g 64 29 20 g 65 g 64 T 29 − 20 20 g 65 g 64+65 9 20 g 65 g 129 F 9 20 − 9 g 65+129 g 129 9 11 g 194 g 129 F 9 11 − 9 g 194+129 g 129 9 2 g 323 g 129 T 9 − 2 2 g 323 g 129+323 7 2 g 323 g 452 T 7 − 2 2 g 323 g 452+323 5 2 g 323 g 775 T 5 − 2 2 g 323 g 775+323 3 2 g 323 g 1098

Berthe, Plantard (IRIF, UOW) Exponentiation based on Brun Algorithm 2019 15 / 31

Example:g 3165

u v a b If u > v ? 29 49 g 1 g 64 F 29 49 − 29 g 1+64 g 64 29 20 g 65 g 64 T 29 − 20 20 g 65 g 64+65 9 20 g 65 g 129 F 9 20 − 9 g 65+129 g 129 9 11 g 194 g 129 F 9 11 − 9 g 194+129 g 129 9 2 g 323 g 129 T 9 − 2 2 g 323 g 129+323 7 2 g 323 g 452 T 7 − 2 2 g 323 g 452+323 5 2 g 323 g 775 T 5 − 2 2 g 323 g 775+323 3 2 g 323 g 1098 T 3 − 2 2 g 323 g 1098+323

Berthe, Plantard (IRIF, UOW) Exponentiation based on Brun Algorithm 2019 15 / 31

Example:g 3165

u v a b If u > v ? 29 49 g 1 g 64 F 29 49 − 29 g 1+64 g 64 29 20 g 65 g 64 T 29 − 20 20 g 65 g 64+65 9 20 g 65 g 129 F 9 20 − 9 g 65+129 g 129 9 11 g 194 g 129 F 9 11 − 9 g 194+129 g 129 9 2 g 323 g 129 T 9 − 2 2 g 323 g 129+323 7 2 g 323 g 452 T 7 − 2 2 g 323 g 452+323 5 2 g 323 g 775 T 5 − 2 2 g 323 g 775+323 3 2 g 323 g 1098 T 3 − 2 2 g 323 g 1098+323 1 2 g 323 g 1421

Berthe, Plantard (IRIF, UOW) Exponentiation based on Brun Algorithm 2019 15 / 31

Example:g 3165

u v a b If u > v ? 29 49 g 1 g 64 F 29 49 − 29 g 1+64 g 64 29 20 g 65 g 64 T 29 − 20 20 g 65 g 64+65 9 20 g 65 g 129 F 9 20 − 9 g 65+129 g 129 9 11 g 194 g 129 F 9 11 − 9 g 194+129 g 129 9 2 g 323 g 129 T 9 − 2 2 g 323 g 129+323 7 2 g 323 g 452 T 7 − 2 2 g 323 g 452+323 5 2 g 323 g 775 T 5 − 2 2 g 323 g 775+323 3 2 g 323 g 1098 T 3 − 2 2 g 323 g 1098+323 1 2 g 323 g 1421 F 1 2 − 1 g 323+1421 g 1421

Berthe, Plantard (IRIF, UOW) Exponentiation based on Brun Algorithm 2019 15 / 31

Example:g 3165

u v a b If u > v ? 29 49 g 1 g 64 F 29 49 − 29 g 1+64 g 64 29 20 g 65 g 64 T 29 − 20 20 g 65 g 64+65 9 20 g 65 g 129 F 9 20 − 9 g 65+129 g 129 9 11 g 194 g 129 F 9 11 − 9 g 194+129 g 129 9 2 g 323 g 129 T 9 − 2 2 g 323 g 129+323 7 2 g 323 g 452 T 7 − 2 2 g 323 g 452+323 5 2 g 323 g 775 T 5 − 2 2 g 323 g 775+323 3 2 g 323 g 1098 T 3 − 2 2 g 323 g 1098+323 1 2 g 323 g 1421 F 1 2 − 1 g 323+1421 g 1421 1 1 g 1744 g 1421

Berthe, Plantard (IRIF, UOW) Exponentiation based on Brun Algorithm 2019 15 / 31

Example:g 3165

u v a b If u > v ? 29 49 g 1 g 64 F 29 49 − 29 g 1+64 g 64 29 20 g 65 g 64 T 29 − 20 20 g 65 g 64+65 9 20 g 65 g 129 F 9 20 − 9 g 65+129 g 129 9 11 g 194 g 129 F 9 11 − 9 g 194+129 g 129 9 2 g 323 g 129 T 9 − 2 2 g 323 g 129+323 7 2 g 323 g 452 T 7 − 2 2 g 323 g 452+323 5 2 g 323 g 775 T 5 − 2 2 g 323 g 775+323 3 2 g 323 g 1098 T 3 − 2 2 g 323 g 1098+323 1 2 g 323 g 1421 F 1 2 − 1 g 323+1421 g 1421 1 1 g 1744 g 1421 F 1 1 − 1 g 1744+1421 g 1421

Berthe, Plantard (IRIF, UOW) Exponentiation based on Brun Algorithm 2019 15 / 31

Example:g 3165

u v a b If u > v ? 29 49 g 1 g 64 F 29 49 − 29 g 1+64 g 64 29 20 g 65 g 64 T 29 − 20 20 g 65 g 64+65 9 20 g 65 g 129 F 9 20 − 9 g 65+129 g 129 9 11 g 194 g 129 F 9 11 − 9 g 194+129 g 129 9 2 g 323 g 129 T 9 − 2 2 g 323 g 129+323 7 2 g 323 g 452 T 7 − 2 2 g 323 g 452+323 5 2 g 323 g 775 T 5 − 2 2 g 323 g 775+323 3 2 g 323 g 1098 T 3 − 2 2 g 323 g 1098+323 1 2 g 323 g 1421 F 1 2 − 1 g 323+1421 g 1421 1 1 g 1744 g 1421 F 1 1 − 1 g 1744+1421 g 1421 1 g 3165 g 1421

Berthe, Plantard (IRIF, UOW) Exponentiation based on Brun Algorithm 2019 15 / 31

Cost

Squaring: 0.5 k S Multiplication: qi M with qi = ai bi

• the Partial Quotient of Euclid Algorithm applied on a, b

Berthe, Plantard (IRIF, UOW) Exponentiation based on Brun Algorithm 2019 16 / 31

Cost

Squaring: 0.5 k S Multiplication: qi M with qi = ai bi

• the Partial Quotient of Euclid Algorithm applied on a, b

Continued Fractions

u v = q0 + 1 q1 + 1 q2 + 1 q3 + · · · + 1 qn

Berthe, Plantard (IRIF, UOW) Exponentiation based on Brun Algorithm 2019 16 / 31

Euclid Algorithm

Lam´ e’s Theorem

The Maximum Number l(u,v) of steps of Brun Algorithm on the set u > v > 0 satisfies l(u,v) ≃ log v log 1+

√ 5 2

Berthe, Plantard (IRIF, UOW) Exponentiation based on Brun Algorithm 2019 17 / 31

Euclid Algorithm

Lam´ e’s Theorem

The Maximum Number l(u,v) of steps of Brun Algorithm on the set u > v > 0 satisfies l(u,v) ≃ log v log 1+

√ 5 2

Heilbronn’s Theorem

The Mean Number of the total number of steps LN is 12 log 2 π2 log N + O(1) ≃ 0.5841 log2 N

Berthe, Plantard (IRIF, UOW) Exponentiation based on Brun Algorithm 2019 17 / 31

Euclid Algorithm

Sum of Partial Quotient

The Mean of the Sum of Partial Quotients is 1 2 12 log 2 π2 log N 2 ≃ 0.17062 log2 N

Berthe, Plantard (IRIF, UOW) Exponentiation based on Brun Algorithm 2019 18 / 31

Euclid Algorithm

Sum of Partial Quotient

The Mean of the Sum of Partial Quotients is 1 2 12 log 2 π2 log N 2 ≃ 0.17062 log2 N

Exponentiation based on Euclid

Squaring: 0.5k S Multiplication: 0.04265k2 M

Berthe, Plantard (IRIF, UOW) Exponentiation based on Brun Algorithm 2019 18 / 31

Exponentiation based on Euclid Algorithm

Advantage: parenthesing Phase Blocked

SSSSSSSSSSSMMMMMMMMMMMMMMMMMMM Few S ≃ 0.5k

Berthe, Plantard (IRIF, UOW) Exponentiation based on Brun Algorithm 2019 19 / 31

Exponentiation based on Euclid Algorithm

Advantage: parenthesing Phase Blocked

SSSSSSSSSSSMMMMMMMMMMMMMMMMMMM Few S ≃ 0.5k

Inconvenient

Too Many M GCD(u, v) can be big

Berthe, Plantard (IRIF, UOW) Exponentiation based on Brun Algorithm 2019 19 / 31

Exponentiation based on Brun Algorithm

1

Introduction

2

Exponentiation based on Euclid Algorithm

3

Exponentiation based on Brun Algorithm

4

Result/Conclusion/Future Works

Berthe, Plantard (IRIF, UOW) Exponentiation based on Brun Algorithm 2019 20 / 31

Exponentiation based on Multidimensional GCD Algorithm

Idea

Cut e in d blocks e =

d−1

• i=0

ei2

ik d

Apply Multidimensional GCD Algorithm Repercuss operations on g, g 2

k d , g 2 2k d ... Berthe, Plantard (IRIF, UOW) Exponentiation based on Brun Algorithm 2019 21 / 31

Exponentiation based on Multidimensional GCD Algorithm

Idea

Cut e in d blocks e =

d−1

• i=0

ei2

ik d

Apply Multidimensional GCD Algorithm Repercuss operations on g, g 2

k d , g 2 2k d ...

Cost

Squaring:

d−1 d kS

Multiplication: qi M

Berthe, Plantard (IRIF, UOW) Exponentiation based on Brun Algorithm 2019 21 / 31

Multidimensional Euclid’s algorithms

Jacobi-Perron Subtract the first one to the two other ones (u0, u1, u2) → (u2, u0 − u0 u2

• u2, u1 −

u1 u2

• u2)

Brun Subtract the second largest entry (u0 ≥ u1 ≥ u2 ≥ 0) (u0, u1, u2) → (u0 − u1, u1, u2) Poincar´ e Subtract the previous entry (u0 ≥ u1 ≥ u2 ≥ 0) (u0, u1, u2) → (u0 − u1, u1 − u2, u2) Selmer Subtract the smallest to the largest (u0, u1, u2) → (u0 − u2, u1, u2) Fully subtractive Subtract the smallest one to the other ones (u0, u1, u2) → (u0 − u2, u1 − u2, u2)

Berthe, Plantard (IRIF, UOW) Exponentiation based on Brun Algorithm 2019 22 / 31

On the proportion of quotients equal to 1

For d = 16, more than 99% of the Euclidean divisions are in fact subtractions For d = 50, the proportion is 99.99%.

0.4 0.5 0.6 0.7 0.8 0.9 1 10 20 30 40 50 60 70 80 90 100 ratio dimension (d+1) ratio Number of subtractions/Number of euclidean divisions during the first phase ratio

Berthe, Plantard (IRIF, UOW) Exponentiation based on Brun Algorithm 2019 23 / 31

Brun Algorithm Number of Step

Lam-Shallit-Vanstone Theorem

The Maximum Number Q(d,N) of steps of Brun Algorithm on the set N ≥ u0 > u1 > u2 > . . . > ud > 0 satisfies Q(d,N) ∼ 1 | log τd|log N (N → ∞) Let τd ∈]0, 1[ be the smallest real root of X d+1 + X − 1 | log τd| ∼ log d (d + 1) (d → ∞)

Berthe, Plantard (IRIF, UOW) Exponentiation based on Brun Algorithm 2019 24 / 31

Brun Algorithm Number of Step

Berth´ e-Lhote-Vall´ ee Theorem

The Mean Number of the total number of steps Ld, when N tends to ∞ is EN[Ld] ∼ d + 1 Ed · log N (N → ∞) Ed: entropy of the Brun dynamical system Ed ∼ log d Ed ∼ log d (d → ∞)

Berthe, Plantard (IRIF, UOW) Exponentiation based on Brun Algorithm 2019 25 / 31

Brun Algorithm

Practical Case

EN[L2] = 0.58 EN[L3] = 1.036 EN[L4] = 1.416 EN[L5] = 1.753 EN[L6] = 2.058 EN[L7] = 2.342

Berthe, Plantard (IRIF, UOW) Exponentiation based on Brun Algorithm 2019 26 / 31

Future Works

1

Introduction

2

Exponentiation based on Euclid Algorithm

3

Exponentiation based on Brun Algorithm

4

Result/Conclusion/Future Works

Berthe, Plantard (IRIF, UOW) Exponentiation based on Brun Algorithm 2019 27 / 31

Cost of Exponentiation with Brun’s Algorithm

100 200 300 400 500 20 40 60 80 100 120 Operations Memory Usage Exponentiation with k=256 S M 0.8S+M

Berthe, Plantard (IRIF, UOW) Exponentiation based on Brun Algorithm 2019 28 / 31

Comparison for k = 256

300 350 400 450 500 20 40 60 80 100 120 Operations Memory Usage Exponentiation with k=256 Brun Radix-R

Berthe, Plantard (IRIF, UOW) Exponentiation based on Brun Algorithm 2019 29 / 31

Comparison for k = 2048

2000 2050 2100 2150 2200 2250 2300 2350 2400 50 100 150 200 250 Operations Memory Usage Exponentiation with k=2048 Brun Radix-R

Berthe, Plantard (IRIF, UOW) Exponentiation based on Brun Algorithm 2019 30 / 31

Conclusion

Exponentiation with Brun Algorithm offers

Group Genericity SPA protection Adaptability on memory usage Efficiency

Berthe, Plantard (IRIF, UOW) Exponentiation based on Brun Algorithm 2019 31 / 31

Conclusion

Exponentiation with Brun Algorithm offers

Group Genericity SPA protection Adaptability on memory usage Efficiency

Future Works

Brun with Euclidean Division Adapt to ECC special case: −P ,co-Z,...

Berthe, Plantard (IRIF, UOW) Exponentiation based on Brun Algorithm 2019 31 / 31