even modern cpus have shortcuts for squaring and for multiplying by small numbers, so this algo is still benefitial

Johnny Ball covered this on Numberphile before - search "Russian multiplication". Let's call the two numbers A and B. With number A, we shift all the bits to the right once. The rightmost bit "falls out" of the number and typically gets shifted into a flag on most CPUs - let's say our CPU shifts the bit out of the right into the carry flag. So, the carry flag now contains the rightmost (least significant) bit of number A. If it's a one, then we add number B to our running total. If it's a zero, carry on (so you could code that as a "branch if carry not set" over a "add B to total" instruction). Then we shift B left one, which doubles it. Then we do it again. Shift A to the right. The rightmost bit falls out into the carry flag. If it's a one, then we add B (which we've just doubled, remember) to the running total. Shift B left one, doubling it again. Shift A to the right. If it's a one, then add B (now four times bigger than it originally was, as we're shifting it left every round) to the running total. You keep doing this until you've shifted every original bit of A out of the right side. Stop. You've multiplied the two numbers together and your answer is in the running total register. And all we did was shifting bits left and right, and simple addition. And there's only as many "rounds" of this as there are bits in A. Another bit of useful binary maths is that the result cannot be more than twice the number of bits in B. That is, if A and B are 8-bit numbers, the result register only needs to be 16-bits - as it's just not possible for two 8-bit numbers to multiply to more than a 16-bit number. Indeed, if you're implementing this algorithm, then stick B in a register with twice as many bits and have your "running total" register be twice as many bits. Then you can run the algorithm blindly. Which is, as you may have guessed, what the CPU's actually doing in the circuitry with a hardware multiply. It's just multiplying by 2 - which, in binary, is nothing more than shifting all the bits to the left once - and addition. So, yeah, it's basically the same algorithm as this video, but working in a higher order. So multiplication -> exponential. And multiplying by 2 -> squaring. And addition -> multiplication.

@@NoNameAtAll2 Are those tables actually part of the CPU (making use of microcode) or done by a compiler?

@@RegrinderAlert multipliers are simple enough to be just logic gates what I was talking about is "check if top 48 bits are 0, so we don't need to wait/use most of the circuit" that is too, simple enough to be just logic about compilers... idk how common the explicit "square" command is in processors

yes, except that's a shift & add algorithm, & shifts aren't like squaring but like multiplying by a power of 2.

Yes! And the technical term for it is a "timing attack". Timing attacks can be so insidious that you need to resort to assembly language just to get everything out of the way. Dr Pound's example has us doing an "always multiply", multiplying by one (the multiplication identity) after squaring for an unset bit in the exponent, so that we execute the algorithm in constant time. However, using a statement like [if (bit is zero) { multiplicand = one; } else { multiplicand = base; }] to do this "always multiplication" can end up in the *branch predictor's way.* If there are lots of zeroes in your key, it's going to take the "if" path more of the time; conversely, if there are lots of ones in your key, it's going to take the "else" path more of the time. Either way, the branch predictor will execute it faster than if the key were evenly-distributed ones and zeroes. To execute *that* in constant time, the CPU has to have a branchless test instruction to set the new multiplicand. Either you validate that the compiler uses the branchless instruction in your C code (say), or you write at least that part of the algorithm in assembly language. Edit: Or use the Montgomery form of the numbers, per David Gillies's comment, which makes it easier to have constant-time algorithms

In data centers that have servers that the government uses, the government requires that their servers are plugged into an air-gapped power supply, unconnected to the power that every other server uses, so that a spy couldn't surreptitiously measure changes in their power usage. These are surprisingly effective attacks.

That's why cryptographic implementation need to have constant time, no optimization allowed for multiplication by zero.

@@nebuleon Multiply by base^binary. Thus if there is a 0, it will be multiplied by 1, and for 1 it's the ordinary multiply. As both x^n where n is 0 or 1 is easily calculated that should be same time (?).

Why not just simply add a random sleep at the end of the algorithm? The size of the sleep would be a question, but if it’s a random amount each time that is sufficiently large to mask any work being done (or lack there of), it would remove this timing attack issue. It’s certainly wasteful to simply sleep, but it’s also wasteful to do unnecessary calculations to remain in constant time, no?

Absolutely, but this specific piece of knowledge is pretty much common knowledge for anyone in CS. I studied this in college about 7 years ago, it was NOT a fun time since we had a pretty bad professor...

Not necessarily the breadth, but connecting the theoretical with the practical. Bit on timing attacks was pretty nice.

@@quincy2142 he has a very impeccable pedagogy

Even if he doesn't have the knowledge I still like his teaching style, it's engaging and fun.

Now I have to look up Montgomery forms - or wait for the Computerphile video. I do like internet rabbit holes.

@@andrewharrison8436 also look up Montgomery Ladder which is the similar algorithm for elliptic curves

fascinating, I had no idea this exists

You might have noticed that Mike said that this was the left to right method. Yours (with taking the modulus) is the right to left variant and is just as quick.

The NP-completeness is a common misconception: this is only proven for sets of numbers, not single numbers. In practice I believe a window method is used, for which one precomputes some values so one can "combine" some multiplications.

@@pikasnoop6552 Thanks for the correction

Efficient exponentiation is a very interesting topic. The minimum number of multiplications required for N is an open problem in mathematics, you can read more about that on OEIS A003313, "Length of shortest addition chain for n".

That example seems to use more space (you need to remember N^6 until after you finish (N^12)^2). May be the minimum operations in fixed space, where the space is exactly the size of the input string. Also important for cryptographic libraries which shouldn’t be allocating memory dynamically.

If you introduce division as an additional operation, the example of 31 can be reduced to 6 operations: SSSSSD

Unless you cache the results, this is no faster than multiplying one-by-one (probably slower because of recursion overhead)

@@canaDavid1 I don't think you appreciate the difference between O(N) and O(logN).

@@longlostwraith5106 you have O(2^log(N)) so O(N)

@@schwingedeshaehers How, exactly? Are you taking the division into account?

@@longlostwraith5106 you have log n layers, but these layer get more and more calculations each level. And they get an exponential growth until the log n barrier from the amount of layers

Why are you purchasing a degree? Maybe do it somewhere with better teaching then?

@@QuantumHistorian he probably meant pursuing

I’m afraid that is the model for university education these days

@@ait-gacemnabil9181yeah, you right. but, in some sense, it means actually a business activities for university.

In a way, he is right. Nowadays everything needs to be purchased -- even knowledge.

Matt Parker and Mike Pound. MP=MP.

i did this aswell in codeforces

Well, the algorithm you use is efficient for human, unfortunately computers don't see the same thing as us and know instinctively to do it, and it is just one particular case, this algorithm allows to be applied on all case scenario with the complexity of O(2*floor(log2(n)) +1) (worst case scenario, so big O) which n is the exponent of the number, so very efficient in terms of complexity. Anyways the method you use is very useful too, just for humans, not pc

In encryption, properties like this are what makes the selection of values so necessary. In this case, the modulo value is generally thousands of bits, while the base is either 3 or 65537 (and the exponent is the message and must be less than the modulo)

Whats the next step?

yes, but CRT reduces the cost by a factor of about 3, so the private key operations are still slower than the public key operations which need to calculate power by a 16 bit number

This is basically how you create the Binary Number out of the 10-base ^^ So its the same

That might explain it, but that is not how it would be programmed efficiently

@@Loldemord True

@@deanjohnson8233 That's probably true, if we're talking about something like assembly (those bit shifts are single opcodes, aren't they?), but if i were doing this is in python, it probably wouldn't matter...

@@user-vn9ld2ce1s you would implement it like this in assembly, c, c++, go, rust, c#, Java and many more. Bit shifting is not a rare and unusual thing. In python it would be strange because python does not have fixed numeric sizes. Using bitwise operations on something like that can easily lead to the wrong result if you don’t carefully study what Python does in various cases. Also, this video was about how to efficiently do this math. If you are concerned with the efficiency of math operations, you probably aren’t going to be using python.

You can do it faster. For instance, observe that 3^6 mod 7 is 1. So 3^45 mod 7 is going to be the same as 3^3 mod 7, which is 6.

@@trejkaz That depends on you knowing the totient of the modulus / order of the multiplicative group, which is hard if you don't know the prime factorisation of the modulus.

@@JivanPal I don't know much about groups at all and didn't really use any group theory to do that solution, just normal modular arithmetic. Although, in the video he did say that the modulus is usually prime for these examples, so I don't think I'd have too much trouble determining the factors either.

@@trejkaz It depends. The hardness of that factorisation problem is what gives RSA its security. The totient function, denoted φ(x), counts how many numbers less than x are coprime to x. It is such that φ(p) = p-1 where _p_ is any prime, and φ(ab) = φ(a)·φ(b) where _a_ and _b_ are any two integers. The encryptor's/signer's secret is a pair of large primes, _p_ and _q,_ that serve as the private key, and the public knowledge that serves as the public key is their product, _n_ = _pq._ Thus, the encryptor/signer is always dealing with _p_ and _q,_ whereas the decryptor/verifier is always dealing with _n,_ whose prime factorisation he doesn't know. Without that knowledge, computing φ(n) is hard; with that knowledge, it is trivial: φ(n) = (p-1)(q-1). If he could figure out the prime factorisation, the encryption scheme is broken, precisely because he then knows φ(n) and can thus quickly compute these modular exponentials we're interested in: g^x mod n = g^[x mod φ(n)] mod n.

@@trejkaz can you generalized this method for all case scenario for computers? This method allows to be generalized for every case scenario with complexity of O(2*floor(log2(n))+1) and it is very efficient already (n being the exponent of the number to verify). Since I'm at it I'll also remind you that computer don't have instinct or intelligence like us

This is also how I've seen multiplication done on mechanical calculators.

You can. But it's faster to subtract squares. You have to build the table first. But you don't need multiplies to do it.

@@PvblivsAelivs this depends on the speed of memory accesses, and how much memory space is available. But yes, table lookups are usually faster.

Indeed! That is the basis of a common efficient algorithm for converting string representations of integers expressed in base _n_ into actual integer datatypes, too, e.g. for decimal in C: char* input_string = "285657"; int result = 0; for (char* c = input_string; c != NULL; c++) { result += *c - '0'; result *= 10; } Or for capitalised hexadecimal: char* input_string = "45BD9"; int result = 0; for (char* c = input_string; c != NULL; c++) { result += isdigit(*c) ? *c - '0' : 10 + *c - 'A'; result *= 16; }

that's backward of this algorithm you did calculation of powers of 2 and multiply them in the video 101101 -> (((((1)*2+0)*2+1)*2+1)*2+0)*2+1

@@NoNameAtAll2 Or in postfix notation to avoid all those parentheses: 1 2× 0+ 2× 1+ 2× 1+ 2× 0+ 2× 1+.

@@JivanPal why not prefix then? + * + * + * + * + * 1 2 0 2 1 2 1 2 0 2 1 :)

That's because it's not. For instance, if you knew your exponent was x^y and X was odd, it would be fastest to be taking to the power of X repeatedly. However, this is useful with computers because they use binary, so finding which powers of 2 make up the exponent is trivial

It indeed is still an open problem. The fact that this is not the fastest way can be seen even for n=15. In that case one can compute (x^3)^5 and save a step.

What do you mean by "commuting" here?

If you can't do "mod" at any step of the way, you have to allocate enough memory for a multi-word number having, as a number of bits, at least the sum of the number of bits in both multiplicands at every multiplication. For example, if you're at a point where base^64 is 415 bits, you need at least 830 bits for a square (base^64 x base^64), since both multiplicands are 415 bits and 415 + 415 = 830. Then the multiplication proceeds as usual: on a 64-bit computer, bits 63 to 0 of each multiplicand contribute to partial sums at bits 127 to 0 of the result, and so on, until bits 447 to 384 contribute to partial sums at bits 895 to 768 of the result. You could always pre-allocate enough bits for the entire number in advance. Then you would execute a modified square and multiply algorithm that just calculates how many bits you're likely to need to hold the final result given all the multiplications involved, allocate that (say it's 16190 bits), and execute the proper square and multiply in multi-word arithmetic on 16190 bits.

No; see "side-channel attack". For example, the encryption may be running in a trusted execution environment (like ARM TrustZone or Apple Secure Enclave) and the adversary is running untrusted code outside of that environment that can determine power consumption / voltage levels / timings. Another example: the adversary is sitting outside your house with a supersensitive probe in the electricity lines that run into your bedroom, where your desktop computer is plugged in, and is able to determine changes in voltage on the lines that way, which correspond to your computer's power consumption. In both examples, the adversary does _not_ have any access to the trusted environment, but is able to acquire information about the behaviour of that environment which can be reverse-engineered to determine what was actually happening in that environment.

@@JivanPal thanks for the reply, that clears things up

It is true that in base _n,_ you will determine which of _n_ operations to do (e.g. for _n_ = 3, these are multiply, square, or cube). However, cubing is just multiplying a number by itself twice, so _n_ = 3 actually gives *_worse_* performance. In fact, _n_ ≥ 4 also gives worse performance, since what would be squaring twice in the _n_ = 2 case would become multiplying a number by itself four times. Thus, _n_ = 2 gives the best average performance. Even more generally, square and multiply does not give the best possible performance / shortest possible algorithm for any given exponent, but it is the best we can do without solving a harder problem for the exponent first, which on average would give us much worse performance. It is this: if we know the totient of the modulus _m_ (or equivalently, the order of the multiplicative group { g^x mod m | x ∈ 𝐙 }, where _g_ is the generator of the group, i.e. the base of the modular exponential we're trying to compute, which was 23 in the video), which is denoted φ(m), then we have g^[φ(m)] mod m = 1 (by an extension of Fermat's Little Theorem), and so g^x mod m = g^[q φ(m) + r] mod m = ( g^[φ(m)] ^ q ) g^r mod m = g^r mod m, where _q_ and _r_ are the quotient and remainder of _x_ divided by φ(m), respectively. However, computing φ(m) is hard unless the prime factorisation of _m_ is known, so in practice this is not used often. The hardness of this problem is what underpins the security of RSA.

OpenSSL has a big number library. If you look at their documentation look up BIGNUM and any function starting with BN_* . It dynamically allocates a buffer of however many bits it needs. So I guess the data type is an array of bytes. There are other bignum libs out there, that's just the one I've used.

@@DFPercush thanks, I’ll give it a try.

No; this appears to be a common misconception amongst viewers of this video. Mike is / we are *_not_* raising 23 to the powers of 2, and then multiplying together the values that correspond to the bits that are set to 1 in the binary representation of the exponent. That is, we are *_not_* computing 23, 463, 400, 142, etc. and then multiplying them together. That is an alternative algorithm which reads the binary digits from right to left (least significant first) and requires more memory, since you need to store all those intermediate values somewhere until you've got them all. _[Note also that you made a mistake in that final step, summing the values rather than multiplying them; you should've got 131 as the answer, not 154.]_ What we *_are_* doing is reading the binary representation of the exponent _from left to right (most significant bit first),_ doubling a working value (a.k.a. "accumulator" or "acc" for short) with each digit that is read, and subsequently multiplying the acc by the base if that digit happened to be a "1". The acc starts out equal to the base. The working is as follows for the example in the video, i.e base 23, exponent 373 (bitstring "101110101"), with all instances of "=" being congruences modulo 747: • Read the first (nonzero) digit, which is (of course, being nonzero) "1". Set acc ← base = 23. • Read the next digit, which is "0". Set acc ← acc² = 23² = 529. • Read "1": (a) Set acc ← acc² = 529² = 463. (b) We read a "1", so multiply by the base: acc ← acc × base = 463 × 23 = 191. *_[This is where square-and-multiply deviates from your method!]_* • Read "1": acc ← acc² × base = 191² × 23 = 182. • Read "1": acc ← acc² × base = 182² × 23 = 659. • Read "0": acc ← acc² = 659² = 274. • Read "1": acc ← acc² × base = 274² × 23 = 431. • Read "0": acc ← acc² = 431² = 505. • Read "1": acc ← acc² × base = 505² × 23 = 131. The answer is the final acc value: 23^373 mod 747 = 131.

@@JivanPal Yeah, many thanks. I guess this could be described as in place calculation. Ok, I'm gonna edit my comment.

Taking the leading zeroes into account doesn't change the implementation The working value / accumulator starts off as 0. Every time you read a digit, you double the accumulator. If that digit happens to be a "1", you then also increment the accumulator. Thus, if a bitstring happens to start with a bunch of "0"s, you just double the accumulator (which will be 0) that many times (which still gives you 0). The right-to-left version requires that you keep track of the value of g^x mod n for each x from 0 to d, where d is the number of digits / length of the bitstring (binary representation of the exponent), so you need O(d) memory, or equivalently O(log p) memory where p is the power/exponent. By contrast, the left-to-right version only requires that the current accumulator value be kept in memory, i.e. you only need O(1) memory. *EDIT:* Whoops! In the first paragraph, I mixed up exponentiation / "square and multiply" with converting a bitstring to a decimal number. Yes, you're right that you need to skip over the leading zeroes, but this doesn't make implementation any harder, really: just precede the actual square-and-multiply logic with the equivalent of `while ( (c = getchar()) == '0') ;` in C to skip over them, then `c` will be the first nonzero digit.