
Efficient Implementation



Presentation Transcript


    1. Efficient Implementation

    2. Multiple-precision integer arithmetic If (a_n a_{n-1} ... a_1 a_0)_b is the base-b representation of a and a_n ≠ 0, then the precision or length of a is n+1. If n = 0, a is called a single-precision integer; otherwise a is a multiple-precision integer.

    3. Addition and subtraction Addition/subtraction: x+y / x-y. c = 0 (c is the carry digit). For i from 0 to n do the following: w_i = (x_i ± y_i + c) mod b; if (x_i ± y_i + c) < b then c = 0, otherwise c = 1 (carry) / -1 (borrow). w_{n+1} = c. Return (w_{n+1} w_n ... w_0).

    4. Multiplication Multiplication: x has n+1 base-b digits, y has t+1 base-b digits; w = xy. For i from 0 to n+t+1 do w_i = 0. For i from 0 to t do the following: c = 0; for j from 0 to n: (uv)_b = w_{i+j} + x_j y_i + c, w_{i+j} = v, c = u; w_{i+n+1} = u. Return (w_{n+t+1} ... w_1 w_0). Cost: (n+1)(t+1) single-precision multiplications.
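As an added illustration of slides 3 and 4 (this code is mine, not from the slides or the handbook they follow; the 16-bit digit size B and the little-endian list layout are my own choices), the following Python implements digit-level addition, subtraction and schoolbook multiplication exactly as written above, with the carry digit c and the (uv)_b split made explicit:

```python
# Added example (not from the slides): multiple-precision addition, subtraction
# and schoolbook multiplication over base-b digit lists, following the algorithms
# on slides 3 and 4. Digits are little-endian: digits[0] is the least significant.

B = 2**16  # constructed choice: a 16-bit "single-precision" digit


def to_digits(n, b=B):
    """Little-endian list of base-b digits of a non-negative integer."""
    if n == 0:
        return [0]
    digits = []
    while n:
        n, d = divmod(n, b)
        digits.append(d)
    return digits


def from_digits(digits, b=B):
    """Inverse of to_digits: Horner evaluation from the top digit down."""
    value = 0
    for d in reversed(digits):
        value = value * b + d
    return value


def mp_add(x, y, b=B):
    """Slide 3 addition: carry digit c is 0 or 1, result has one extra digit w_{n+1}."""
    n = max(len(x), len(y))
    x = x + [0] * (n - len(x))
    y = y + [0] * (n - len(y))
    w = [0] * (n + 1)
    c = 0
    for i in range(n):
        s = x[i] + y[i] + c
        w[i] = s % b
        c = 0 if s < b else 1
    w[n] = c
    return w


def mp_sub(x, y, b=B):
    """Slide 3 subtraction for x >= y: borrow digit c is 0 or -1."""
    n = max(len(x), len(y))
    x = x + [0] * (n - len(x))
    y = y + [0] * (n - len(y))
    w = [0] * n
    c = 0
    for i in range(n):
        s = x[i] - y[i] + c
        w[i] = s % b
        c = 0 if s >= 0 else -1
    assert c == 0, "x < y: the result would be negative"
    return w


def mp_mul(x, y, b=B):
    """Slide 4 schoolbook multiplication: (n+1)(t+1) single-precision products."""
    n, t = len(x) - 1, len(y) - 1
    w = [0] * (n + t + 2)
    for i in range(t + 1):
        c = 0
        for j in range(n + 1):
            uv = w[i + j] + x[j] * y[i] + c  # at most b*b - 1, i.e. two digits (u, v)
            u, v = divmod(uv, b)
            w[i + j] = v
            c = u
        w[i + n + 1] = c
    return w
```

The bound in the comment is why a single carry digit suffices: w_{i+j}, x_j y_i and c are each at most b-1, b^2-2b+1 and b-1, so their sum never exceeds b^2-1.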

    5. Squaring Squaring: x has t digits, w = x^2. For i from 0 to 2t-1 do w_i = 0. For i from 0 to t-1 do the following: (uv)_b = w_{2i} + x_i x_i, w_{2i} = v, c = u; for j from i+1 to t-1 do (uv)_b = w_{i+j} + 2 x_i x_j + c, w_{i+j} = v, c = u; w_{i+t} = u. (uv)_b = w_{2t-2} + x_{t-1} x_{t-1}, w_{2t-2} = v, w_{2t-1} = u. Return (w_{2t-1} w_{2t-2} ... w_0)_b. Note that u may exceed single precision because of the factor 2. About (t^2+t)/2 single-precision multiplications, so squaring can be at best no more than twice as fast as multiplication.

    6. Modular arithmetic: Montgomery reduction Def: Let m be a positive integer, R > m with gcd(m, R) = 1, and 0 ≤ T < mR. T R^{-1} mod m is called the Montgomery reduction of T modulo m with respect to R. E.g. let 0 ≤ x, y < m and x1 = xR mod m, y1 = yR mod m. The Montgomery reduction of x1 y1 is x1 y1 R^{-1} mod m = xyR mod m. If m has n digits in base b, R is chosen as b^n (provided gcd(b, m) = 1).

    7. Montgomery reduction Fact: Given m and R with gcd(m, R) = 1, let m' = -m^{-1} mod R. If U = T m' mod R, then (T + Um)/R is an integer and is congruent to T R^{-1} mod m. Fact: Choosing R = b^n lets us compute U easily. Fact: (T + Um)/R < 2m, hence (T + Um)/R = T R^{-1} mod m or (T + Um)/R = (T R^{-1} mod m) + m.

    8. Montgomery reduction Algorithm: input m, R, b, m' = -m^{-1} mod b, T. A = T (A = (a_{2n-1} ... a_1 a_0)_b). For i from 0 to n-1 do: u_i = a_i m' mod b; A = A + u_i m b^i. A = A/R. If A ≥ m then A = A - m. Return A. Efficiency: n(n+1) single-precision multiplications.

    9. Montgomery multiplication m, x, y are n digits long; R = b^n, m' = -m^{-1} mod b. Compute xyR^{-1} mod m: A = 0; for i from 0 to n-1 do: u_i = (a_0 + x_i y_0) m' mod b; A = (A + x_i y + u_i m)/b. If A ≥ m then A = A - m. Return A. Cost: 2n(n+1) single-precision multiplications. Montgomery arithmetic pays off for modular exponentiation (many multiplications with one fixed modulus) rather than for a single modular multiplication, because converting into and out of Montgomery form costs extra.
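The word-level algorithm of slide 9, and the exponentiation use that slide 9 says it is suited for, as an added Python example (my code, not the slides'; the 8-bit digit size W and the test modulus are constructed choices, and the algorithm assumes gcd(m, b) = 1, i.e. an odd m for a power-of-two base):

```python
# Added example (not from the slides): Montgomery multiplication with R = b^n,
# one base-b digit of x per round (slide 9), and left-to-right exponentiation
# in Montgomery form, where the R factor is introduced once and removed once.

W = 8          # constructed choice: bits per "single-precision" digit
B = 1 << W     # digit base b (a power of two, so digits are bit slices)


def mont_params(m):
    """Return (n, R, m') with n = number of base-b digits of m, R = b^n > m,
    and m' = -m^{-1} mod b. Requires gcd(m, b) = 1 (m odd)."""
    n = (m.bit_length() + W - 1) // W
    m_prime = (-pow(m, -1, B)) % B     # pow raises ValueError when m is even
    return n, B**n, m_prime


def mont_mult(x, y, m):
    """Return x*y*R^{-1} mod m for 0 <= x, y < m, following slide 9 digit by digit."""
    n, _, m_prime = mont_params(m)
    y0 = y & (B - 1)                   # y_0, the low digit of y
    A = 0
    for i in range(n):
        x_i = (x >> (i * W)) & (B - 1)
        a0 = A & (B - 1)               # a_0, the low digit of the running A
        u_i = ((a0 + x_i * y0) * m_prime) & (B - 1)
        # Numerator is ≡ 0 (mod b) by the choice of u_i, so this shift is exact.
        A = (A + x_i * y + u_i * m) >> W
    if A >= m:                         # A < 2m after the loop: one subtraction suffices
        A -= m
    return A


def mont_exp(g, e, m):
    """g^e mod m: convert g once, square-and-multiply in Montgomery form, convert back once."""
    _, R, _ = mont_params(m)
    g_bar = (g * R) % m                # g in Montgomery form
    acc = R % m                        # 1 in Montgomery form
    for bit in bin(e)[2:]:             # left-to-right binary exponentiation
        acc = mont_mult(acc, acc, m)
        if bit == "1":
            acc = mont_mult(acc, g_bar, m)
    return mont_mult(acc, 1, m)        # multiplying by 1 strips the R factor
```

Every intermediate value stays in Montgomery form, so the two conversions are paid once per exponentiation, not once per multiplication, which is the point of the last sentence on slide 9.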

    10. Barrett reduction Algorithm: x = (x_{2k-1} ... x_0)_b, m = (m_{k-1} ... m_0)_b, u = ⌊b^{2k}/m⌋ (precomputed). Compute r = x mod m: q1 = ⌊x/b^{k-1}⌋, q2 = q1 u, q3 = ⌊q2/b^{k+1}⌋; r1 = x mod b^{k+1}, r2 = q3 m mod b^{k+1}, r = r1 - r2; if r < 0 then r = r + b^{k+1}; while r ≥ m do r = r - m. Return r. Partial justification: x = Qm + R with Q = ⌊x/m⌋, and Q-1 < q3 < Q+1. Q = ⌊(x/b^{k-1})(b^{2k}/m)(1/b^{k+1})⌋ ≈ q3.

    11. Barrett modular reduction Computational efficiency: All divisions are simple right-shift operations. Determining q3 requires (k+1)^2 - C(k,2) single-precision multiplications. r2 and q2 are computed by a partial multiple-precision multiplication.
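Slides 10 and 11 as an added Python example (my code, not the slides'; the 8-bit digit size and the modulus in the test are constructed). The divisions by powers of b are written as floor divisions so the correspondence with the slide is visible; in a real implementation they are digit shifts. The function also reports how many trailing subtractions ran, which is the quantity the "partial justification" bounds:

```python
# Added example (not from the slides): Barrett reduction, slide 10, with the
# precomputation u = floor(b^{2k}/m) separated out so it is done once per modulus.

W = 8          # constructed choice: bits per single-precision digit
B = 1 << W     # digit base b


def barrett_precompute(m):
    """Return (k, u): k = number of base-b digits of m, u = floor(b^{2k} / m).
    This is the one true division; it is reused for every x reduced modulo m."""
    k = (m.bit_length() + W - 1) // W
    return k, B**(2 * k) // m


def barrett_reduce(x, m, k, u):
    """Return (x mod m, number of trailing subtractions) for 0 <= x < b^{2k}."""
    assert 0 <= x < B**(2 * k), "Barrett needs x to have at most 2k digits"
    q1 = x // B**(k - 1)               # drop the low k-1 digits (right shift)
    q2 = q1 * u
    q3 = q2 // B**(k + 1)              # drop k+1 digits: estimate of Q = floor(x/m)
    r1 = x % B**(k + 1)                # keep only the low k+1 digits
    r2 = (q3 * m) % B**(k + 1)         # partial product: only the low k+1 digits matter
    r = r1 - r2
    if r < 0:
        r += B**(k + 1)
    subtractions = 0
    while r >= m:                      # q3 underestimates Q by at most 2
        r -= m
        subtractions += 1
    return r, subtractions
```

The assertion on the size of x matters in practice: the estimate q3 is only guaranteed to be within 2 of Q when x has at most 2k digits, which is exactly the case of reducing the product of two k-digit residues.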

    12. Reduction for special moduli m = b^t - c, where c is l digits long and l < t. Compute r = x mod m: q0 = ⌊x/b^t⌋, r0 = x - q0 b^t, r = r0, i = 0. While q_i > 0 do: q_{i+1} = ⌊q_i c / b^t⌋, r_{i+1} = q_i c - q_{i+1} b^t, i = i+1, r = r + r_i. While r > m-1 do r = r - m. Return r. Efficiency: about s·l single-precision multiplications, where s is the number of loop iterations. Numbers of this form are more susceptible to factoring by the special number field sieve.
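The special-modulus reduction of slide 12 as an added Python example (mine, not the slides'). The base is a parameter here so the same code covers both a word-oriented modulus such as 2^32 - 5 and a Mersenne-style modulus 2^61 - 1 with b = 2; both moduli are constructed test values:

```python
# Added example (not from the slides): reduction modulo m = b^t - c (slide 12),
# using the identity b^t ≡ c (mod m) to replace each q_i * b^t by q_i * c.


def reduce_special(x, b, t, c):
    """Return (x mod m, number of loop passes s) for m = b^t - c and 0 <= x < b^{2t}.

    Only multiplications by the short constant c are needed; the divisions by b^t
    are digit shifts in a real implementation."""
    m = b**t - c
    assert 0 < c < b**t and 0 <= x < b**(2 * t)
    q = x // b**t                 # q_0
    r = x - q * b**t              # r_0 = x mod b^t
    passes = 0
    while q > 0:
        q_next = (q * c) // b**t  # q_{i+1}
        r_i = q * c - q_next * b**t
        q = q_next
        r += r_i
        passes += 1
    while r > m - 1:              # r is now only slightly above m at worst
        r -= m
    return r, passes
```

Because c is short, q_i c shrinks by roughly t - l digits per pass, so s stays small; the test below checks that a 2t-digit input is handled in a single pass for both moduli.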

    13. GCD algorithm Binary extended gcd algorithm: given x, y, compute a, b, v with ax + by = v, v = gcd(x, y). g = 1; while x and y are both even: x = x/2, y = y/2, g = 2g. u = x, v = y, A = 1, B = 0, C = 0, D = 1. (*) While u is even do: u = u/2; if A ≡ B ≡ 0 (mod 2) then A = A/2, B = B/2, otherwise A = (A+y)/2, B = (B-x)/2. While v is even do: v = v/2; if C ≡ D ≡ 0 (mod 2) then C = C/2, D = D/2, otherwise C = (C+y)/2, D = (D-x)/2. If u ≥ v then u = u-v, A = A-C, B = B-D; otherwise v = v-u, C = C-A, D = D-B. If u = 0 then a = C, b = D and return; otherwise go to (*).

    14. Binary extended GCD Computational efficiency: The only multiple-precision operations needed are addition and subtraction; division by 2 is a right shift. The number of bits needed to represent u, v decreases by (at least) 1 after at most two iterations. Thus it takes at most 2(⌊lg x⌋ + ⌊lg y⌋ + 2) such iterations to compute the multiplicative inverse z with az ≡ 1 (mod m), which is D if D > 0, or m - D.
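Slides 13 and 14 as one added Python example (mine, not the slides'): the binary extended gcd exactly as listed, with the invariants A·x + B·y = u and C·x + D·y = v noted in comments, and a modular-inverse wrapper that calls it with the modulus first so that the inverse is the coefficient D, as slide 14 describes. The test values are constructed:

```python
# Added example (not from the slides): binary extended gcd (slide 13) and the
# modular inverse built on it (slide 14). Only shifts, additions and
# subtractions are applied to the multiple-precision values.


def binary_ext_gcd(x, y):
    """Return (a, b, v) with a*x + b*y = v = gcd(x, y), for x, y > 0."""
    assert x > 0 and y > 0
    g = 1
    while x % 2 == 0 and y % 2 == 0:  # pull out the common power of two
        x //= 2
        y //= 2
        g *= 2
    u, v = x, y
    A, Bc, C, D = 1, 0, 0, 1          # invariants: A*x + Bc*y = u, C*x + D*y = v
    while True:
        while u % 2 == 0:
            u //= 2
            if A % 2 == 0 and Bc % 2 == 0:
                A //= 2
                Bc //= 2
            else:                     # A + y and Bc - x are both even here
                A = (A + y) // 2
                Bc = (Bc - x) // 2
        while v % 2 == 0:
            v //= 2
            if C % 2 == 0 and D % 2 == 0:
                C //= 2
                D //= 2
            else:
                C = (C + y) // 2
                D = (D - x) // 2
        if u >= v:
            u, A, Bc = u - v, A - C, Bc - D
        else:
            v, C, D = v - u, C - A, D - Bc
        if u == 0:
            return C, D, g * v        # C*x + D*y = gcd(x, y) (common 2-power restored)


def mod_inverse(a, m):
    """Return z with a*z ≡ 1 (mod m). Calls binary_ext_gcd(m, a) so that
    C*m + D*a = 1, making D the inverse; D is then brought into [0, m)."""
    a %= m
    if a == 0:
        raise ValueError("a is not invertible modulo m")
    C, D, v = binary_ext_gcd(m, a)
    if v != 1:
        raise ValueError("a is not invertible modulo m")
    return D % m
```

The exactness of the halvings in the `else` branches is what makes the algorithm work without any division: when u is even and A, B are not both even, the invariant forces A + y and B - x to be even as well.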

    15. CRT for integers Residue number systems: the modular representation or mixed-radix representation of x for moduli m1, m2, ..., mt is v(x) = (v1, v2, ..., vt), where vi = x mod mi. For v(x) = (v1, v2, ..., vt) and v(y) = (u1, u2, ..., ut), define v(x) + v(y) = (w1, w2, ..., wt) with wi = (ui + vi) mod mi, and similarly v(x)v(y). Then v((x+y) mod M) = v(x) + v(y) and v(xy mod M) = v(x)v(y). CRT is used in RSA decryption and signing: x^d mod n can be computed as v_d(x) = (v1^d mod p, v2^d mod q).

    16. Garner's Algorithm for CRT Algorithm: For i from 2 to t do: C_i = 1; for j from 1 to i-1 do: u = m_j^{-1} mod m_i, C_i = u C_i mod m_i. u = v_1, x = u. For i from 2 to t do: u = (v_i - x) C_i mod m_i, x = x + u ∏_{j=1}^{i-1} m_j. Return x.

    17. Garner's Algorithm for CRT Efficiency: Step 1 can be done as a precomputation if the same modulus M is used. No modular reduction with M is required, which would take O((kt)^2), while reduction with m_i only takes O(k^2). There are t loops in total, so the overall complexity is O(tk^2). RSA: p, q are t-bit primes, d is 2t bits long. Without CRT: (3/2)(2t)^3 = 12t^3 bit operations; with CRT: 2·(3/2)(t^3) = 3t^3 bit operations (smaller modulus).
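Garner's algorithm of slide 16, with step 1 split out as the precomputation slide 17 mentions, and the RSA-CRT use from slides 15 and 17, as an added Python example (my code, not the slides'; the RSA key is the small textbook key p = 61, q = 53, e = 17, d = 2753, a constructed toy). The re-encryption check at the end of `rsa_crt_decrypt` is an addition not on the slides, the standard countermeasure against releasing a faulty CRT result:

```python
# Added example (not from the slides): Garner's CRT recombination (slide 16)
# and RSA decryption via CRT (slides 15, 17), with a defensive result check.


def garner_precompute(moduli):
    """Step 1 of Garner: C_i = (m_1 * ... * m_{i-1})^{-1} mod m_i (0-based list here).
    Reusable for every recombination with the same moduli."""
    t = len(moduli)
    C = [None] * t
    for i in range(1, t):
        Ci = 1
        for j in range(i):
            u = pow(moduli[j], -1, moduli[i])  # needs pairwise coprime moduli
            Ci = (u * Ci) % moduli[i]
        C[i] = Ci
    return C


def garner_crt(residues, moduli, C=None):
    """Return the unique x in [0, M) with x ≡ residues[i] (mod moduli[i])."""
    if C is None:
        C = garner_precompute(moduli)
    x = residues[0] % moduli[0]
    prod = moduli[0]                                # running product m_1 ... m_{i-1}
    for i in range(1, len(moduli)):
        u = ((residues[i] - x) * C[i]) % moduli[i]  # reduction only modulo the small m_i
        x = x + u * prod                            # no reduction modulo M is ever needed
        prod *= moduli[i]
    return x


def rsa_crt_decrypt(c, d, p, q, e):
    """c^d mod pq via two half-size exponentiations and Garner, then verified."""
    n = p * q
    dp, dq = d % (p - 1), d % (q - 1)               # exponents reduce mod p-1 and q-1
    vp = pow(c % p, dp, p)
    vq = pow(c % q, dq, q)
    m = garner_crt([vp, vq], [p, q])
    # Re-encrypt with the public exponent before releasing the result: a CRT
    # output corrupted by a computational fault must never leave the function.
    if pow(m, e, n) != c % n:
        raise RuntimeError("CRT result failed verification")
    return m
```

With t-bit primes, the two `pow` calls work modulo t-bit numbers instead of the 2t-bit n, which is where the 12t^3 versus 3t^3 comparison on slide 17 comes from.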

    18. Basic techniques for exponentiation: g^e Right-to-left binary exponentiation. Left-to-right binary exponentiation: same number of operations as right-to-left; however, if g has special structure, the multiplication by g is easier. Left-to-right k-ary exponentiation (window method). Modified left-to-right k-ary exponentiation.

    19. Basic techniques for exponentiation: g^e Comparison: e has t+1 bits (l+1 k-bit digits for the k-ary method).
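The first three methods listed on slide 18, as an added Python example (mine, not the slides'), each returning its result together with the number of modular multiplications it performed (squarings included) so that the comparison slide 19 refers to can be reproduced; the modulus, base and exponent in the test are constructed:

```python
# Added example (not from the slides): right-to-left binary, left-to-right
# binary and left-to-right k-ary exponentiation, each counting its modular
# multiplications so the methods of slides 18 and 19 can be compared.


def exp_right_to_left(g, e, m):
    """Right-to-left binary: scan e from the low bit, square a running power of g."""
    A, S, mults = 1, g % m, 0
    while e > 0:
        if e & 1:
            A = (A * S) % m
            mults += 1
        e >>= 1
        if e > 0:
            S = (S * S) % m
            mults += 1
    return A, mults


def exp_left_to_right(g, e, m):
    """Left-to-right binary: square the accumulator, multiply by the fixed base g."""
    A, mults = 1, 0
    for bit in bin(e)[2:]:
        A = (A * A) % m
        mults += 1
        if bit == "1":
            A = (A * g) % m   # always by g itself: cheap when g has special structure
            mults += 1
    return A, mults


def exp_k_ary(g, e, m, k=4):
    """Left-to-right k-ary (window) method with a table of g^0 .. g^(2^k - 1)."""
    g %= m
    table = [1, g] + [0] * ((1 << k) - 2)
    mults = 0
    for i in range(2, 1 << k):          # precomputation: 2^k - 2 multiplications
        table[i] = (table[i - 1] * g) % m
        mults += 1
    windows = []                        # k-bit digits of e, least significant first
    while e > 0:
        windows.append(e & ((1 << k) - 1))
        e >>= k
    A = 1
    for w in reversed(windows):         # process digits from the most significant
        for _ in range(k):
            A = (A * A) % m
        mults += k
        if w:
            A = (A * table[w]) % m      # one multiplication per k-bit digit
            mults += 1
    return A, mults
```

For a 255-bit all-ones exponent the binary methods need about 2·255 multiplications, while the 4-ary method needs 255 squarings plus 64 window multiplications plus 14 for the table, which is the trade-off the window method makes: fewer multiplications per exponentiation in exchange for storing 2^k precomputed powers.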
