Modular exponentiation

Template:Short description Script error: No such module "Unsubst". Modular exponentiation is exponentiation performed over a modulus. It is useful in computer science, especially in the field of public-key cryptography, where it is used in both Diffie–Hellman key exchange and RSA public/private keys.

Modular exponentiation is the remainder when an integer bScript error: No such module "Check for unknown parameters". (the base) is raised to the power eScript error: No such module "Check for unknown parameters". (the exponent), and divided by a positive integer mScript error: No such module "Check for unknown parameters". (the modulus); that is, c = b^e mod mScript error: No such module "Check for unknown parameters".. From the definition of division, it follows that 0 ≤ c < mScript error: No such module "Check for unknown parameters"..

For example, given b = 5Script error: No such module "Check for unknown parameters"., e = 3Script error: No such module "Check for unknown parameters". and m = 13Script error: No such module "Check for unknown parameters"., dividing 5³ = 125Script error: No such module "Check for unknown parameters". by 13Script error: No such module "Check for unknown parameters". leaves a remainder of c = 8Script error: No such module "Check for unknown parameters"..

When bScript error: No such module "Check for unknown parameters". and mScript error: No such module "Check for unknown parameters". are relatively prime, one can also allow the exponent eScript error: No such module "Check for unknown parameters". to be negative by finding the multiplicative inverse dScript error: No such module "Check for unknown parameters". of bScript error: No such module "Check for unknown parameters". modulo mScript error: No such module "Check for unknown parameters". (for instance by using extended Euclidean algorithm). More precisely:

c = b^e mod m = d^−e mod mScript error: No such module "Check for unknown parameters"., where e < 0Script error: No such module "Check for unknown parameters". and b ⋅ d ≡ 1 (mod m)Script error: No such module "Check for unknown parameters"..

Modular exponentiation is efficient to compute, even for very large integers. On the other hand, computing the modular discrete logarithm – that is, finding the exponent eScript error: No such module "Check for unknown parameters". when given bScript error: No such module "Check for unknown parameters"., cScript error: No such module "Check for unknown parameters"., and mScript error: No such module "Check for unknown parameters". – is believed to be difficult. This one-way function behavior makes modular exponentiation a candidate for use in cryptographic algorithms.

Direct method

The most direct method of calculating a modular exponent is to calculate b^eScript error: No such module "Check for unknown parameters". directly, then to take this number modulo mScript error: No such module "Check for unknown parameters".. Consider trying to compute cScript error: No such module "Check for unknown parameters"., given b = 4Script error: No such module "Check for unknown parameters"., e = 13Script error: No such module "Check for unknown parameters"., and m = 497Script error: No such module "Check for unknown parameters".:

c ≡ 4¹³ (mod 497)Script error: No such module "Check for unknown parameters".

One could use a calculator to compute 4¹³; this comes out to 67,108,864. Taking this value modulo 497, the answer cScript error: No such module "Check for unknown parameters". is determined to be 445.

Note that bScript error: No such module "Check for unknown parameters". is only one digit in length and that eScript error: No such module "Check for unknown parameters". is only two digits in length, but the value b^eScript error: No such module "Check for unknown parameters". is eight digits in length.

In strong cryptography, bScript error: No such module "Check for unknown parameters". is often at least 1024 bits.^[1] Consider b = 5 × 10⁷⁶Script error: No such module "Check for unknown parameters". and e = 17Script error: No such module "Check for unknown parameters"., both of which are perfectly reasonable values. In this example, bScript error: No such module "Check for unknown parameters". is 77 digits in length and eScript error: No such module "Check for unknown parameters". is two digits in length, but the value b^eScript error: No such module "Check for unknown parameters". is 1,304 decimal digits in length. Such calculations are possible on modern computers, but the sheer magnitude of such numbers causes the speed of calculations to drop considerably. As bScript error: No such module "Check for unknown parameters". and eScript error: No such module "Check for unknown parameters". increase even further to provide better security, the value b^eScript error: No such module "Check for unknown parameters". becomes unwieldy.

The time required to perform the exponentiation depends on the operating environment and the processor. The method described above requires Θ(e)Script error: No such module "Check for unknown parameters". multiplications to complete.

Memory-efficient method

Keeping the numbers smaller requires additional modular reduction operations, but the reduced size makes each operation faster, saving time (as well as memory) overall.

This algorithm makes use of the identity

(a ⋅ b) mod m = [(a mod m) ⋅ (b mod m)] mod mScript error: No such module "Check for unknown parameters".

The modified algorithm is:

Inputs An integer Template:Mvar (base), integer Template:Mvar (exponent), and a positive integer Template:Mvar (modulus)

Outputs The modular exponent Template:Mvar where c = b^e mod mScript error: No such module "Check for unknown parameters".

1. Initialise c = 1Script error: No such module "Check for unknown parameters". and loop variable e′ = 0Script error: No such module "Check for unknown parameters".
2. While e′ < eScript error: No such module "Check for unknown parameters". do
   1. Increment Template:Mvar by 1
   2. Calculate c = (b ⋅ c) mod mScript error: No such module "Check for unknown parameters".
3. Output Template:Mvar

Note that at the end of every iteration through the loop, the equation c ≡ b^e′ (mod m)Script error: No such module "Check for unknown parameters". holds true. The algorithm ends when the loop has been executed Template:Mvar times. At that point Template:Mvar contains the result of b^e mod mScript error: No such module "Check for unknown parameters"..

In summary, this algorithm increases Template:Mvar by one until it is equal to Template:Mvar. At every step multiplying the result from the previous iteration, Template:Mvar, by Template:Mvar and performing a modulo operation on the resulting product, thereby keeping the resulting Template:Mvar a small integer.

The example b = 4Script error: No such module "Check for unknown parameters"., e = 13Script error: No such module "Check for unknown parameters"., and m = 497Script error: No such module "Check for unknown parameters". is presented again. The algorithm performs the iteration thirteen times:

(e′ =  1)   c = (4 ⋅ 1) mod 497 = 4 mod 497 = 4Script error: No such module "Check for unknown parameters".

(e′ =  2)   c = (4 ⋅ 4) mod 497 = 16 mod 497 = 16Script error: No such module "Check for unknown parameters".

(e′ =  3)   c = (4 ⋅ 16) mod 497 = 64 mod 497 = 64Script error: No such module "Check for unknown parameters".

(e′ =  4)   c = (4 ⋅ 64) mod 497 = 256 mod 497 = 256Script error: No such module "Check for unknown parameters".

(e′ =  5)   c = (4 ⋅ 256) mod 497 = 1024 mod 497 = 30Script error: No such module "Check for unknown parameters".

(e′ =  6)   c = (4 ⋅ 30) mod 497 = 120 mod 497 = 120Script error: No such module "Check for unknown parameters".

(e′ =  7)   c = (4 ⋅ 120) mod 497 = 480 mod 497 = 480Script error: No such module "Check for unknown parameters".

(e′ =  8)   c = (4 ⋅ 480) mod 497 = 1920 mod 497 = 429Script error: No such module "Check for unknown parameters".

(e′ =  9)   c = (4 ⋅ 429) mod 497 = 1716 mod 497 = 225Script error: No such module "Check for unknown parameters".

(e′ = 10)   c = (4 ⋅ 225) mod 497 = 900 mod 497 = 403Script error: No such module "Check for unknown parameters".

(e′ = 11)   c = (4 ⋅ 403) mod 497 = 1612 mod 497 = 121Script error: No such module "Check for unknown parameters".

(e′ = 12)   c = (4 ⋅ 121) mod 497 = 484 mod 497 = 484Script error: No such module "Check for unknown parameters".

(e′ = 13)   c = (4 ⋅ 484) mod 497 = 1936 mod 497 = 445Script error: No such module "Check for unknown parameters".

The final answer for Template:Mvar is therefore 445, as in the direct method.

Like the first method, this requires O(e)Script error: No such module "Check for unknown parameters". multiplications to complete. However, since the numbers used in these calculations are much smaller than the numbers used in the first algorithm's calculations, the computation time decreases by a factor of at least O(e)Script error: No such module "Check for unknown parameters". in this method.

In pseudocode, this method can be performed the following way:

function modular_pow(base, exponent, modulus) is
    if modulus = 1 then
        return 0
    c := 1
    for e_prime = 0 to exponent-1 do
        c := (c * base) mod modulus
    return c

Right-to-left binary method

A third method drastically reduces the number of operations to perform modular exponentiation, while keeping the same memory footprint as in the previous method. It is a combination of the previous method and a more general principle called exponentiation by squaring (also known as binary exponentiation).

First, it is required that the exponent eScript error: No such module "Check for unknown parameters". be converted to binary notation. That is, eScript error: No such module "Check for unknown parameters". can be written as:

${\displaystyle e={\displaystyle \sum _{i=0}^{n-1}}{a}_i{2}^i}$

In such notation, the length of eScript error: No such module "Check for unknown parameters". is nScript error: No such module "Check for unknown parameters". bits. a_iScript error: No such module "Check for unknown parameters". can take the value 0 or 1 for any iScript error: No such module "Check for unknown parameters". such that 0 ≤ i < nScript error: No such module "Check for unknown parameters".. By definition, a_{n − 1} = 1Script error: No such module "Check for unknown parameters"..

The value b^eScript error: No such module "Check for unknown parameters". can then be written as:

${\displaystyle b^e=b^{\left({\displaystyle \sum _{i=0}^{n-1}}{a}_i{2}^i\right)}={\displaystyle \prod _{i=0}^{n-1}}{b}^{a_i{2}^i}}$

The solution cScript error: No such module "Check for unknown parameters". is therefore:

${\displaystyle c\equiv {\displaystyle \prod _{i=0}^{n-1}}{b}^{a_i{2}^i}(\mathrm{mod}m)}$

Pseudocode

The following is an example in pseudocode based on Applied Cryptography by Bruce Schneier.^[2] The inputs base, exponent, and modulus correspond to Template:Mvar, Template:Mvar, and Template:Mvar in the equations given above.

function modular_pow(base, exponent, modulus) is
    if modulus = 1 then
        return 0
    Assert :: (modulus - 1) * (modulus - 1) does not overflow base
    result := 1
    base := base mod modulus
    while exponent > 0 do
        if (exponent mod 2 == 1) then
            result := (result * base) mod modulus
        exponent := exponent >> 1
        base := (base * base) mod modulus
    return result

Note that upon entering the loop for the first time, the code variable base is equivalent to Template:Mvar. However, the repeated squaring in the third line of code ensures that at the completion of every loop, the variable base is equivalent to b²ⁱ mod mScript error: No such module "Check for unknown parameters"., where Template:Mvar is the number of times the loop has been iterated. (This makes Template:Mvar the next working bit of the binary exponent exponent, where the least-significant bit is exponent₀).

The first line of code simply carries out the multiplication in ${\displaystyle {\displaystyle \prod _{i=0}^{n-1}}{b}^{a_i{2}^i}(\mathrm{mod}m)}$. If Template:Mvar is zero, no code executes since this effectively multiplies the running total by one. If Template:Mvar instead is one, the variable base (containing the value b²ⁱ mod mScript error: No such module "Check for unknown parameters". of the original base) is simply multiplied in.

In this example, the base Template:Mvar is raised to the exponent e = 13Script error: No such module "Check for unknown parameters".. The exponent is 1101 in binary. There are four binary digits, so the loop executes four times, with values a₀ = 1, a₁ = 0, a₂ = 1Script error: No such module "Check for unknown parameters"., and a₃ = 1Script error: No such module "Check for unknown parameters"..

First, initialize the result ${\displaystyle R}$ to 1 and preserve the value of bScript error: No such module "Check for unknown parameters". in the variable xScript error: No such module "Check for unknown parameters".:

${\displaystyle R\leftarrow 1(=b^0)\text{ and }x\leftarrow b}$.

Step 1) bit 1 is 1, so set ${\displaystyle R\leftarrow R\cdot x(=b^1)}$;

set ${\displaystyle x\leftarrow x^2(=b^2)}$.

Step 2) bit 2 is 0, so do not reset RScript error: No such module "Check for unknown parameters".;

set ${\displaystyle x\leftarrow x^2(=b^4)}$.

Step 3) bit 3 is 1, so set ${\displaystyle R\leftarrow R\cdot x(=b^5)}$;

set ${\displaystyle x\leftarrow x^2(=b^8)}$.

Step 4) bit 4 is 1, so set ${\displaystyle R\leftarrow R\cdot x(=b^{13})}$;

This is the last step so we don't need to square xScript error: No such module "Check for unknown parameters"..

We are done: RScript error: No such module "Check for unknown parameters". is now ${\displaystyle b^{13}}$.

Here is the above calculation, where we compute b = 4Script error: No such module "Check for unknown parameters". to the power e = 13Script error: No such module "Check for unknown parameters"., performed modulo 497.

Initialize:

${\displaystyle R\leftarrow 1(=b^0)}$ and ${\displaystyle x\leftarrow b=4}$.

Step 1) bit 1 is 1, so set ${\displaystyle R\leftarrow R\cdot 4\equiv 4(\mathrm{mod}497)}$;

set ${\displaystyle x\leftarrow x^2(=b^2)\equiv 4^2\equiv 16(\mathrm{mod}497)}$.

Step 2) bit 2 is 0, so do not reset RScript error: No such module "Check for unknown parameters".;

set ${\displaystyle x\leftarrow x^2(=b^4)\equiv 16^2\equiv 256(\mathrm{mod}497)}$.

Step 3) bit 3 is 1, so set ${\displaystyle R\leftarrow R\cdot x(=b^5)\equiv 4\cdot 256\equiv 30(\mathrm{mod}497)}$;

set ${\displaystyle x\leftarrow x^2(=b^8)\equiv 256^2\equiv 429(\mathrm{mod}497)}$.

Step 4) bit 4 is 1, so set ${\displaystyle R\leftarrow R\cdot x(=b^{13})\equiv 30\cdot 429\equiv 445(\mathrm{mod}497)}$;

We are done: Template:Mvar is now ${\displaystyle 4^{13}\equiv 445(\mathrm{mod}497)}$, the same result obtained in the previous algorithms.

The running time of this algorithm is O(log Script error: No such module "Check for unknown parameters".exponent)Script error: No such module "Check for unknown parameters".. When working with large values of exponent, this offers a substantial speed benefit over the previous two algorithms, whose time is O(Script error: No such module "Check for unknown parameters".exponent)Script error: No such module "Check for unknown parameters".. For example, if the exponent was 2²⁰ = 1048576, this algorithm would have 20 steps instead of 1048576 steps.

Implementation in Lua

function modPow(b, e, m)
  if m == 1 then
    return 0
  end
  local r = 1
  b = b % m
  while e > 0 do
    if e % 2 == 1 then
      r = (r*b) % m
    end
    b = (b*b) % m
    e = e >> 1     --use 'e = math.floor(e / 2)' on Lua 5.2 or older
  end
  return r
end

Left-to-right binary method

We can also use the bits of the exponent in left to right order. In practice, we would usually want the result modulo some modulus mScript error: No such module "Check for unknown parameters".. In that case, we would reduce each multiplication result (mod m)Script error: No such module "Check for unknown parameters". before proceeding. For simplicity, the modulus calculation is omitted here. This example shows how to compute ${\displaystyle b^{13}}$ using left to right binary exponentiation. The exponent is 1101 in binary; there are four bits, so there are four iterations.

Initialize the result to 1: ${\displaystyle r\leftarrow 1(=b^0)}$.

Step 1) ${\displaystyle r\leftarrow r^2(=b^0)}$; bit 1 = 1, so compute ${\displaystyle r\leftarrow r\cdot b(=b^1)}$;

Step 2) ${\displaystyle r\leftarrow r^2(=b^2)}$; bit 2 = 1, so compute ${\displaystyle r\leftarrow r\cdot b(=b^3)}$;

Step 3) ${\displaystyle r\leftarrow r^2(=b^6)}$; bit 3 = 0, so we are done with this step;

Step 4) ${\displaystyle r\leftarrow r^2(=b^{12})}$; bit 4 = 1, so compute ${\displaystyle r\leftarrow r\cdot b(=b^{13})}$.

Minimum multiplications

In The Art of Computer Programming, Vol. 2, Seminumerical Algorithms, page 463, Donald Knuth notes that contrary to some assertions, this method does Template:Em always give the minimum possible number of multiplications. The smallest counterexample is for a power of 15, when the binary method needs six multiplications. Instead, form x³ in two multiplications, then x⁶ by squaring x³, then x¹² by squaring x⁶, and finally x¹⁵ by multiplying x¹² and x³, thereby achieving the desired result with only five multiplications. However, many pages follow describing how such sequences might be contrived in general.

Generalizations

Matrices

The Template:Mvar-th term of any constant-recursive sequence (such as Fibonacci numbers or Perrin numbers) where each term is a linear function of Template:Mvar previous terms can be computed efficiently modulo Template:Mvar by computing A^m mod nScript error: No such module "Check for unknown parameters"., where Template:Mvar is the corresponding k×kScript error: No such module "Check for unknown parameters". companion matrix. The above methods adapt easily to this application. This can be used for primality testing of large numbers Template:Mvar, for example.

Pseudocode

A recursive algorithm for ModExp(A, b, c) = A^b mod cScript error: No such module "Check for unknown parameters"., where Template:Mvar is a square matrix.

function Matrix_ModExp(Matrix A, int b, int c) is
    if b == 0 then
        return I  // The identity matrix
    if (b mod 2 == 1) then
        return (A * Matrix_ModExp(A, b - 1, c)) mod c
    Matrix D := Matrix_ModExp(A, b / 2, c)
    return (D * D) mod c

Finite cyclic groups

Diffie–Hellman key exchange uses exponentiation in finite cyclic groups. The above methods for modular matrix exponentiation clearly extend to this context. The modular matrix multiplication C ≡ AB (mod n)Script error: No such module "Check for unknown parameters". is simply replaced everywhere by the group multiplication c = abScript error: No such module "Check for unknown parameters"..

Reversible and quantum modular exponentiation

In quantum computing, modular exponentiation appears as the bottleneck of Shor's algorithm, where it must be computed by a circuit consisting of reversible gates, which can be further broken down into quantum gates appropriate for a specific physical device. Furthermore, in Shor's algorithm it is possible to know the base and the modulus of exponentiation at every call, which enables various circuit optimizations.^[3]

Software implementations

Because modular exponentiation is an important operation in computer science, and there are efficient algorithms (see above) that are much faster than simply exponentiating and then taking the remainder, many programming languages and arbitrary-precision integer libraries have a dedicated function to perform modular exponentiation:

• Python's built-in pow() (exponentiation) function [1] takes an optional third argument, the modulus
• .NET Framework's BigInteger class has a ModPow() method to perform modular exponentiation
• Java's java.math.BigInteger class has a modPow() method to perform modular exponentiation
• MATLAB's powermod function from Symbolic Math Toolbox
• Wolfram Language has the PowerMod function
• Perl's Math::BigInt module has a bmodpow() method [2] to perform modular exponentiation
• Raku has a built-in routine expmod.
• Go's big.Int type contains an Exp() (exponentiation) method [3] whose third parameter, if non-nil, is the modulus
• PHP's BC Math library has a bcpowmod() function [4] to perform modular exponentiation
• The GNU Multiple Precision Arithmetic Library (GMP) library contains a mpz_powm() function [5] to perform modular exponentiation
• Custom Function @PowerMod() for FileMaker Pro (with 1024-bit RSA encryption example)
• Ruby's openssl package has the OpenSSL::BN#mod_exp method [6] to perform modular exponentiation.

See also

• Montgomery reduction, for calculating the remainder when the modulus is very large.
• Kochanski multiplication, serializable method for calculating the remainder when the modulus is very large
• Barrett reduction, algorithm for calculating the remainder when the modulus is very large.

References

<templatestyles src="Reflist/styles.css" />

Script error: No such module "Check for unknown parameters".

External links

Template:Sister project

• Script error: No such module "citation/CS1".
• Paul Garrett, Fast Modular Exponentiation Java Applet
• Script error: No such module "Citation/CS1".

Script error: No such module "Navbox".