Tompa [7], von zur Gathen and Nocker [25], and Mnuk [16]. Recently, von zur Gathen and Shparlinski gave a lower bound of (log n) for the parallel time

Transcription

1 A Sublinear-Time Parallel Algorithm for Integer Modular Exponentiation Jonathan P. Sorenson Department of Mathematics and Computer Science Butler University March 1, 1999 Abstract The modular exponentiation problem is, given integers x; a; m with m > 0, compute x a mod m. Let n denote the sum of the lengths of x, a, and m in binary. We present a parallel algorithm for this problem that takes O(n= log log n) time on the common CRCW PRAM using O(n 2+ ) processors. This algorithm is based on Bernstein's Explicit Chinese Remainder Theorem combined with a fast method for parallel prex summation. We also present a linear time algorithm for the EREW PRAM. 1 Introduction. In this paper we present a new parallel algorithm for the modular exponentiation problem. This problem is, given integers x; a and a positive integer m, compute x a mod m. Applications for this problem are quite numerous, and include primality testing, integer factoring, the discrete logarithm problem, and cryptographic protocols based on these problems such as RSA. It is not an overstatement to say that modular exponentiation is a fundamentally important problem, and fast algorithms for this problem are of great interest [2, 14, 15, 17]. A classical analysis of the well-known binary algorithm for this problem yields a running time of O(n 3 ), where n is the number of bits in x, a, and m [2, Section 5.4]. By using FFT multiplication, this can be reduced to O(n 2 log n log log n) bit operations [21]. Research into speeding modular exponentiation has focused on ideas such as addition chains, window methods, and precomputation; see Gordon [8] for a recent survey of such techniques. The parallel complexity of modular exponentiation is an open problem. Like for the GCD problem, it is not known whether modular exponentiation is in the parallel complexity class N C. Previous work on parallel algorithms includes that of Adleman and Kompella [1], who gave a probabilistic parallel algorithm that takes O(log 3 n) time using exp[o( p n log n)] processors. Von zur Gathen proved that if the modulus m is suciently smooth (that is, composed entirely of suciently small primes), then in this special case modular exponentiation takes parallel circuit depth O(log n) for P-uniform circuit families [24]. Previous work on parallel algorithms for modular inverses, exponentiation in nite elds, and exponentiation of polynomials includes that of Fich and Supported in part by NSF grant CCR

2 Tompa [7], von zur Gathen and Nocker [25], and Mnuk [16]. Recently, von zur Gathen and Shparlinski gave a lower bound of (log n) for the parallel time of modular inverse on the CREW PRAM [26]. As any algorithm for modular exponentiation can be used to compute inverses, this result gives a lower bound for modular exponentiation as well. For many applications in cryptography, the base x is xed. In this case, precomputation can be used to obtain parallel algorithms that run in O(log n) time using a sublinear number of processors; see Gordon [8] for details on these methods. In this paper, we present a sublinear-time parallel algorithm for performing modular exponentiation. It takes O(n= log log n) time on the CRCW PRAM using a polynomial number of processors. This algorithm makes use of Bernstein's version of the explicit Chinese Remainder Theorem[4] and a fast CRCW PRAM method for parallel prex summation. We also present a simple O(n) time algorithm for the EREW PRAM, which is used as a preliminary step in obtaining our sublinear-time algorithm. Our results are primarily of theoretical interest only. However, Bernstein's method parallelizes very nicely, and may be practical for modular exponentiation for very large moduli such as in the search for large Mersenne primes using vector processors or shared-memory parallel computers. The parallel prex computations are probably not well-suited to distributed computing. The rest of this paper is organized as follows. In the next section we review the PRAM model of parallel computation and review known results on parallel arithmetic that we will use later. In Section 3 we present a linear-time EREW PRAM algorithm. We review some of Bernstein's results in Section 4, and we present our sublinear-time parallel algorithm for the CRCW PRAM in Section 5. 2 Preliminaries. In this section we discuss some background material on parallel models of computation and the complexity of parallel arithmetic. Model of Computation. Our model of computation is the parallel random access machine (PRAM). This consists of a potentially innite number of one-bit processors that we assume execute in lockstep, and a potentially innite shared memory. There are several dierent avors of PRAM based on how read and write conicts to shared memory are handled: EREW PRAM: The exclusive-read exclusive-write PRAM does not permit any read or write conicts of any kind. CREW PRAM: The concurrent-read exclusive-write PRAM permits multiple processors to read the same memory location at once, but write conicts are not permitted. CRCW PRAM: The concurrent-read concurrent-write PRAM permits mutliple processors to read and/or write the same memory location at the same time. The question then arises as to what the nal value of a memory location is if several processors wrote to it at the same time. In the common CRCW PRAM model, processors that write to the same location must write the same value. In the priority CRCW PRAM model, the processor with the highest priority (the lowest processor number, say) has its value written, with the others ignored. In the arbitrary CRCW PRAM model, the memory location is set to one of the values written, but which value is chosen is not known beforehand. 2

3 Of the three CRCW PRAM models, the priority model has the most power, and the common and arbitrary models are equal in power (up to a constant factor in running time) [9]. Thus, any program for the EREW PRAM will run on a CREW PRAM, and any program for the CREW PRAM will run on a CRCW PRAM of any avor. We use only the common/arbitrary avor of the CRCW PRAM model in this paper. For a more thorough introduction to the PRAM and parallel complexity, see [9, Chapter 2]. Parallel Integer Arithmetic. We make use of the following results on the parallel complexity of integer arithmetic. Here x and y are n-bit integers. Computing x y and performing comparisons takes O(log n) time and O(n) processors on the EREW PRAM. Computing x y and performing comparisons takes O(1) time and O(n log log n) processors on the common CRCW PRAM [5]. Computing xy takes O(log n) time and O(n log n log log n) processors on the EREW PRAM (using FFT methods) [21]. Computing bx=yc and x mod y takes either O(log n log log n) time and O(n log n log log n) processors (logspace-uniform circuits) [19] or O(log n) time and O(n 1+ ) processors (P-uniform circuits) [3], both on the EREW PRAM. Computing x y where 0 y = O(n) takes O(log n) time and polynomial number of processors [3] on the EREW PRAM. In our description of the sublinear algorithm is Section 5, we make the simplifying assumption that arithmetic on O(log n)-bit integers can be done in constant time. We briey explain how this is done. For all pairs of r-bit integers, compute their sum, dierence, product, and quotient, and store these values in a table. This table requires O(r2 2r ) bits of space, and can be searched in constant time on a CRCW PRAM using O(r2 2r ) processors. Constructing this table takes O(log r) time using O(r 2 2 2r ) processors on an EREW PRAM. Note that any arithmetic operation involving integers of O(r) bits can be done in constant time by viewing these numbers in base 2 r. The following two results make use of these tables: Computing xy where y has O(r) bits takes O(1) time and O(n2 2r ) processors on the CRCW PRAM [6, Lemma 8]. This requires r = (log log n). Computing bx=yc and x mod y where y has O(r) bits takes O(n= log log n) time and O(n2 2r ) processors on the CRCW PRAM [6, Lemma 9]. This requires r = (log log n) and r = O(log n). 3 A Linear-Time Parallel Algorithm. In this section we present a linear-time EREW PRAM algorithm for modular exponentiation. We begin by reviewing the classical binary sequential algorithm for this problem: 3

4 Let l denote the number of bits in a; Write a = P l?1 i=0 a i2 i, where a i 2 f0; 1g; y := 1; For(j := l? 1; j 0; j := j? 1) do: y := y 2 mod m; y := yx a j mod m; Output(y); A straightforward parallelization of this algorithm takes O(n log n) time, as there are O(n) iterations, each of which takes O(log n) time to execute. This assumes the use of the O(log n) time division algorithm of Beame, Cook, and Hoover [3]. To improve this, we set b = 2 blog nc, and write a in base b. We obtain the following algorithm: Let l denote the number of base-b digits in a; Write a = P l?1 i=0 a ib i, where 0 a i < b; y := 1; For(j := l? 1; j 0; j := j? 1) do: y := y b mod m; y := yx a j mod m; Output(y); We have l = O(log b a) = O(n= log n). The cost of each iteration remains at O(log n), as powering with an exponent n takes only O(log n) time. This algorithm takes a total of O(n) time using a polynomial number of processors on the EREW PRAM. 4 The Explicit Chinese Remainder Theorem. In this section we review Bernstein's results on the explicit Chinese Remainder Theorem. The idea is to use modular arithmetic (see [13, Section 4.3.2]) in our main loop. Dene round(x) to be the unique integer i such that jx? ij < 1=2, when such an integer exists. Theorem 4.1 (Explicit CRT [4]) Let P = Q s k i P=p i 1 ( mod p i ). Let u be an integer with juj < P=2. If x i = k i u ( mod p i ) and z = P s then u = P z? P round(z). i=1 p i where the p i are prime. Dene k i such that i=1 x i=p i, The following lemma is used to obtain an integer approximation to the sum of a list of rational numbers. Lemma 4.2 ([4, Lemma 3.1]) P s Let t 1 ; : : : ; t s be real numbers and let r be an integer with j rj < 1=4. If 2 a 2s and q i = b2 a t i c, then r = b3=4 + 2 P?a s i=1 q ic. i=1 t i? The following lemma shows how to reduce modulo m without converting to standard integer representation. Lemma 4.3 ([4, Lemma 5.1]) Let the p i, the k i, and P be as above. Let u be an integer with juj < P=2. Write x i = k i u mod p i and r = round P s i=1 x i=p i. Then u v ( mod m) where sx mod m? (P mod m)r: v = i=1 x i P p i 4

5 In addition, v and jvj < m P s i=1 p i. sx i=1 x i P p i mod m mod p j? (P mod m mod p j )r ( mod p j ) 5 A Sublinear-Time Parallel Algorithm. In this section we present our sublinear-time algorithm. We divide the algorithm into three parts: precomputation, the main loop, and postcomputation. Choose > 0, and set := =7. We use the method explained in Section 2 to perform basic arithmetic operations on integers of O(log n) bits in constant time. We use r = (=3) log 2 n so that the processor penalty is O(n ). Precomputation. 1. Set b := 2 b log 2 nc = O(n ); Write a = P l?1 i=0 a ib i with 0 a i < b. 2. Find the primes p i up to 8b log 2m and let s := (8b log 2m). Dene (but do not compute) P = Q s i=1 p i and P i = P=p i. 3. Factor all integers up to p s. For i := 1 to s in parallel do: Find a generator g i for the multiplicative group modulo p i : For each integer g, 1 g < p i, in parallel do: Mark A i [g] = 1; For each prime divisor f of p i? 1 in parallel do: If g (p i?1)=f mod p i 6= 1 mark A i [g] := 0; If A i [g] = 1 Then Write g i := g; (an arbitrary concurrent write) Compute a discrete log table modulo p i : For e := 0 to p i? 2 in parallel do: D i [g e i mod p i] := e; E i [e] := g e i mod p i; 4. For i := 1 to s in parallel do: k i := P?1 i mod p i ; Compute P i mod m; For j := 1 to s in parallel do: Compute P i mod m mod p j ; Step 1. Because b is a power of two, the a j s can be read o directly from the binary expansion of a. This can be done in O(1) time using O(n) processors. Step 2. For x 41, P log p x(1? 1= log x) [20]. Thus, for x 41, P log p x=2. px px From this, we have that log P = P s i=1 log p i 4b log 2m and P 2(m 4b ) 2( P p i m 2 ) b for m suciently large. We will use this later for the explicit Chinese Remainder Theorem. Also observe that p s = O(b log m) = O(n 1+ ) and, by the prime number theorem, that s = O(p s = log p s ) = O(n 1+ ), and nally log P = O(p s ) = O(n 1+ ). Finding the primes up to O(b log m) takes O(log(b log m)) time using O(b log m) processors using a parallel sieve [23]. 5

6 We explicitly calculate P and the P i in Step 4 below. Step 3. To factor the integers up to p s, we can rst nd the least prime factor of each integer up to p s using Algorithm 3.1 from [23] in O(log p s ) time using O(p s log log p s ) processors. To nd successive prime factors, simply divide by the least prime factor and look up the least prime factor of the quotient. Each integer up to p s has at most O(log p s ) prime factors total, so this process only need iterate O(log p s ) times. We can thus nd all prime factors of each integer up to p s in O(log p s ) time using O(p s log log p s ) processors, which is O(log n) time using O(n 1+ log log n) processors. For the discrete log table computations, we can use sequential arthmetic to bound all operations by O(log 3 n) time. This gives a total of O(log 3 n) time and O(sp s log p s ) = O(n 2+2 ) processors. Step 4. P i can be computed using a binary tree arrangement of depth O(log s), for a total time of O(log s log n) time using O(n 1+ log n log log n) processors for each i. Dividing each P i by p i falls within this complexity bound, as does the GCD computation to compute inverses [22] (we could even do the GCD computation sequentially for each i). Dividing each P i by m takes O(log n log log n) time and O(n 1+ log n log log n) processors for each i. This takes a total of O(log 2 n) time using O(n 2+3 ) processors. The inner parallel loop takes an additional O(log n log log n) time, with a total of O(s 2 n 1+ log n log log n) processors. The total cost of this step is O(log 2 n) time and O(n 3+4 ) processors. We purposely use only O(n 2+6 ) processors, thereby increasing the time to O(n 1?2 log 2 n) = O(n 1? ) = o(n= log log n). The Main Loop. For i := 1 to s in parallel do: x i := x mod p i ; For(k := l? 1; k 0; k := k? 1 ) do: Compute y i := y b i xa k i mod p i : For i := 1 to s in parallel do: y i := E i [(bd i [y i ] + a k D i [x i ]) mod (p i? 1)]; Reduce modulo m using the explicit CRT r := round( P s i=1(y i k i )=p i ); For i := 1 to s in parallel do: t i := P s j=1 y jk j mod p i ; y i := [t i (P j mod m mod p i )? (P mod m mod p i )(r mod p i )] mod p i ; Thus, the total cost of precomputation is o(n= log log n) time using O(n 2+6 ) = O(n 2+ ) processors. First we note that r is computed using Lemma 3.1 from [4]. Also, computing both r and t i require integers of at most O(log sp 2 s) = O(log n) bits. It should be clear that computing t i dominates the cost of the main loop. We use the fast CRCW PRAM parallel prex circuit of Hagerup [10]. For xed i, computing t i then requires O(log n= log log n) time and O(n 1+ ) processors. Thus, the total cost for the main loop is O(l log n= log log n) = O(n= log log n) time and O(sn 1+ ) = O(n 2+2 ) = O(n 2+ ) processors. Postcomputation. Compute y := P s i=1 y ik i P i mod m; Output(y); 6

7 The products y i k i P i mod m can be computed in time O(log n) using O(n log n log log n) processors for each i, as we have previously computed P i mod m. We then perform a simple parallel prex computation. This totals O(log n) time and O(n 2+2 ) = O(n 2+ ) processors. All that remains is to note that, to remove our assumption that arithmetic on O(log n)-bit integers takes constant time using a single processor, is to multiply our processor count by n. As = 7, we still require only O(n 2+ ) processors. We have proven the following theorem: Theorem 5.1 Let > 0. Given integers x, a, and m > 0, each of at most n bits in length, there exists a common CRCW PRAM algorithm to compute x a mod m in time O(n= log log n) using at most O(n 2+ ) processors. Acknowledgements Special thanks to Dan Bernstein for explaining the explicit Chinese Remainder Theorem, and to the Purdue University Computer Science Department, where the author spent his Fall 1998 sabbatical. References [1] L. M. Adleman and K. Kompella. Using smoothness to achieve parallelism. In 20th Annual ACM Symposium on Theory of Computing, pages 528{538, [2] E. Bach and J. Shallit. Algorithmic Number Theory, volume 1. MIT Press, [3] P. W. Beame, S. A. Cook, and H. J. Hoover. Log depth circuits for division and related problems. SIAM Journal on Computing, 15:994{1003, [4] Daniel J. Bernstein. Multidigit modular multiplication with the explicit chinese remainder theorem. Chapter 4, PhD Thesis, University of California at Berkeley, May [5] A. K. Chandra, S. Fortune, and R. Lipton. Unbounded fan-in circuits and associative functions. Journal of Computer and System Sciences, 30, [6] S. M. Meyer Eikenberry and J. P. Sorenson. Ecient algorithms for computing the Jacobi symbol. Journal of Symbolic Computation, 26(4):509{523, [7] F. Fich and M. Tompa. The parallel complexity of exponentiating polynomials over nite elds. Journal of the ACM, 35(4):651{667, [8] Daniel M. Gordon. A survey of fast exponentiation methods. Journal of Algorithms, 27:129{ 146, [9] R. Greenlaw, H. J. Hoover, and W. L. Ruzzo. Limits to Parallel Computation. Oxford University Press, [10] Torben Hagerup. The parallel complexity of integer prex summation. Information Processing Letters, 56:59{64, [11] G. H. Hardy and E. M. Wright. An Introduction to the Theory of Numbers. Oxford University Press, 5th edition,

8 [12] R. Karp and V. Ramachandran. Parallel algorithms for shared-memory machines. In J. van Leeuwen, editor, Algorithms and Complexity. Elsevier and MIT Press, Handbook of Theoretical Computer Science, volume A. [13] D. E. Knuth. The Art of Computer Programming: Seminumerical Algorithms, volume 2. Addison-Wesley, Reading, Mass., 3rd edition, [14] N. Koblitz. A Course in Number Theory and Cryptography. Springer-Verlag, New York, 2nd edition, [15] A. J. Menezes, P. C. van Oorschot, and S. A. Vanstone. Handbook of Applied Cryptography. CRC Press, Boca Raton, [16] Michal Mnuk. A div(n) depth Boolean circuit for smooth modular inverse. Information Processing Letters, 38:153{156, [17] C. Pomerance, editor. Cryptology and Computational Number Theory, volume 42 of Proceedings of Symposia in Applied Mathematics. American Mathematical Society, Providence, Rhode Island, [18] J. H. Reif, editor. Synthesis of Parallel Algorithms. Morgan Kaufman, San Mateo, California, [19] J. H. Reif and S. R. Tate. Optimal size integer division circuits. In 21st Annual ACM Symposium on Theory of Computing, pages 264{273, [20] J. B. Rosser and L. Schoenfeld. Approximate formulas for some functions of prime numbers. Illinois Journal of Mathematics, 6:64{94, [21] A. Schonhage and V. Strassen. Schnelle Multiplikation groer Zahlen. Computing, 7:281{292, [22] J. P. Sorenson. Two fast GCD algorithms. Journal of Algorithms, 16:110{144, [23] J. P. Sorenson and I. Parberry. Two fast parallel prime number sieves. Information and Computation, 144(1):115{130, [24] J. von zur Gathen. Computing powers in parallel. SIAM Journal on Computing, 16:930{945, [25] Joachim von zur Gathen and Micheal Nocker. Exponentiation in nite elds: theory and practice. In Proceedings of the 12th Symposium on Applied Algebra, Algebraic Algorithms and Error-Correcting Codes, pages 88{133, Toulouse, France, LNCS [26] Joachim von zur Gathen and Igor Shparlinski. The CREW PRAM complexity of modular inversion. In Proceedings of the Latin American Theoretical Informatics Conference, pages 305{315, LNCS To appear in SIAM Journal on Computing. 8