Francisco Rodríguez Henríquez CINVESTAVdelta.cs.cinvestav.mx/~francisco/arith/arith2.pdf ·...

Francisco Rodríguez Henríquez Aritmética Computacional

Francisco Rodríguez HenríquezCINVESTAV

e-mail: francisco@cs.cinvestav.mx

Aritmética Computacional

Fairy Tale: Chinese Emperor used to count hisarmy by giving a series of tasks.

All troops should form groups of 3. Reportback the number of soldiers that were not ableto do this.

Now form groups of 5. Report back.Now form groups of 7. Report back.Etc.At the end, if product of all group numbers is

sufficiently large, can ingeniously figure outhow many troops.

Chinese Remainder Theorem

mod 3:

N mod 3 = 1

mod 5:

N mod 5 = 2

mod 7:

N mod 7 = 2

Secret inversion formula (for N < 105 = 3·5·7):N ≡ a (mod 3)N ≡ b (mod 5)N ≡ c (mod 7)

Implies that N = (-35a + 21b + 15c) mod 105.So in our case a = 1, b = 2, c = 2 gives:N = (-35·1 + 21·2 + 15·2) mod 105

= (-35 + 42 + 30) mod 105= 37 mod 105= 37

CRT: Example

Find three numbers l,m,n with following properties– l ≡ 1(mod 3), l ≡ 0(mod 5), l ≡ 0(mod 7)– m≡0(mod 3), m ≡1(mod 5), m ≡0(mod 7)– n ≡0(mod 3), n ≡ 0(mod 5), n ≡ 1(mod 7)

Then y = al+bm +cn [secret formula] satisfies– y ≡ al+bm +cn (mod 3) ≡

a·1+0 + 0 (mod 3) ≡ a (mod 3)– Similarly, y ≡ b (mod 5)– Similarly, y ≡ c (mod 7)

This will imply x ≡ y (mod 3·5·7)

Find three numbers l,m,n: Standard trick.EG, to find l : Multiply together all modulii different from 3.

Result: 5·7 = 35 Find an inverse of this number mod 3: In this

case it’s easy. 35 ≡ 2(mod 3) so find an inverseof 2 [2 or anything congruent to 2(mod 3)].Practice shows that should choose inverse ofsmallest magnitude: –1.

l is the product of (a) and (b): l = -35l is 0 mod 5 and 7 since it’s divisible by 5·7. But (c)

guarantees that it’s 1 modulo 3!

CRT: Example

Similarly, m = 21 and n = 15. So our solution toall three congruences is:

x = -35a + 21b + 15cIf we want to guarantee a solution between 0

and 104, just computex mod 105 .

The same tricks can be generalized to prove:

CRT: Example

THM (CRT): Let m1, m2, … , mn be pairwise relativelyprime positive integers. Then there is a uniquesolution x in [0,m1·m2···mn-1] to the system ofcongruences:

x ≡ a1 (mod m1 )x ≡ a2 (mod m2 )

x ≡ an (mod mn )

CRT: Conversion Algorithm

Step 1. Compute using multi-precision arithmetic.

Step 2. Compute the multiplicative inverses ofmodulo mi for 1 ≤ i ≤ n, i.e., compute the constants ci

such that,

Step 3. Compute u by performing the sum (inmultiprecision arithmetic):

MmmmmmM == ! KK

.1for ,mod1 nimcm

!++!+!= K

CRT: Conversion Algorithm

Theorem. Given the moduli m1, m2,…, mn

and the remainders u1, u2,…, un the number

u can be computed in O(n2).

CRT: Mixed-Radix Conversion Algorithm

Step 1. Compute constants cij for 1 ≤ i < j ≤ n suchthat,

Step 2. Compute

Step 3. Compute

jiijmmc mod1!"

( )( )( )

( )( )( )nnnnnnnnmcvcvcvuv

mcvcvuv

,112211

223213133

212122

!!!!!!"

121213121 !++++=nnmmmvmmvmvvu KK

Computation of u using the above formula also requiresO(n2) arithmetic operations. We now define Vij for

0 ≤ i < j ≤ n such that Voi = ui for 1 ≤ i ≤ n. These Vij arethe temporary values of vj resulting from theoperations in Step 2 of the mixed-radix conversionalgorithm. This way, we build a triangular table ofvalues with diagonal entries Vi = Vi-1,j for 0 ≤ i ≤ n.The entries of this table are named multiplieddifferences.

An Example: For n = 4, it can be given as follows,

Where [mi] stands for modulo mi.

[ ][ ] ( ) [ ][ ] ( ) [ ] ( ) [ ][ ] ( ) [ ] ( ) [ ] ( ) [ ]

4342324344241214244140104144404

3231213233130103133303

2120102122202

mcVVVmcVVVmcVVVmuV

mcVVVmcVVVmuV

mcVVVmuV

!=!=!==

Finite fields: Arithmeticoperations

FP finite field operations : Addition, subtraction,

multiplication, Squaring, inversion, exponentiation andPrimality Testing

Arithmetic Operations in GFp

O ((lg n)3)Inversion a-1 mod n

O(lg a lg b) = O ((lg n)2)Multiplication a*b mod n

O(lg a + lg b) = O (lg n)Subtraction a – b mod n

O(lg a + lg b) = O (lg n)Addition a + b mod n

Bit ComplexityOperation

O ((lg n)3)Exponentiation ak mod n

Modular Addition andSubtraction

Modular Addition

Input: A modulus p, and integers a, b in [0, p-1]Output: c = (a + b) mod p.1. C0 = Add(a0, b0);2. For i from 1 to t-1do: Ci = Add_with_carry(ai, bi);3. If the carry bit is set, then subtract p from

c = (ct-1,…, c2,c1,c0). (why??)4. If c ≥ p then c -= p; (why??)5. Return(c);

Modular Subtraction

Input: A modulus p, and integers a, b in [0, p-1]Output: c = (a - b) mod p.1. C0 = Subtract(a0, b0);2. For i from 1 to t-1do: Ci = Subtract_with_borrow(ai, bi);

3. If the carry bit is set, then add p toc = (ct-1,…, c2,c1,c0). (why??)

4. Return(c);

Modular Multiplication

Computation of c = ab mod n can be performed byusing:

• Classical: Normal integer multiplication followedby reduction

• Blakley’s method: The multiplication steps areinterleaved with reduction steps.

• Montgomery’s method: Uses predominantlymodulo 2j arithmetic.

Modular Multiplication:Classical Method

Integer Multiplication

We perform the operations radix W = 2w: wordsize of thecomputer:

We define (Carry, Sum) pairs. Our notation is:

WbWbbbb

WaWaaaa

:jiij abt =

12,,1,0for :

1,,1,0for :,

sibaba

01234567

30313233

20212223

10111213

00010203

tttttttt

1. for i = 0 to s-1 do:2. C:= 0

3. for j = 0 to s-1 do:4. (C, S) := ti+j + ajbi + C;5. ti+j := S;

6. end7. ti+j+1:= C;8. end

002436000436(2, 4)

t2 + a2b0 + C0 + 3⋅7 + 3

2000036(3,3)

t1 + a1b0 + C0 + 3⋅7 + 3

000000000006

(0, *)(5, 6)

t0 + a0b0 + C0 + 8⋅7 + 0

00Partial t(C, S)Stepji

019836009836(1, 9)

t3 + a2b1 + C2 + 3⋅5 + 2

2002836(2, 8)

t2 + a1b1 + C4 + 4⋅5 + 4

1002436

(0, *)(4, 3)

t1 + a0b1 + C3 + 8⋅5 + 0

298236098236(2, 9)

t4 + a2b2 + C1 + 3⋅8 + 4

2018236(4, 8)

t3 + a1b2 + C9 + 4⋅8 + 7

1019236

(0, *)(7, 2)

t2 + a0b2 + C8 + 8⋅8 + 0

This algorithm requires s2 = (k/w)2 inner productsteps: (C, S) := ti+j+ajbi+C;

In other words, O(k2) bit operations.The variables ti+j, aj, bi, C and S each hold a single-

word, or a w-bit number.Notice that from the main operation in the loop we

obtain a double-word, or a 2w-bit number since:

( )( ) 12121212122!=!+!!+!

A straightforward modification of themultiplication algorithm gives the followingalgorithm for squaring. There are roughly ½fewer multiplication operations.

Integer Squaring

Integer Squaring [Guajardo and Paar]

Input: An integer a ∈ [0, p-1], a = (at-1 at-2 … a1 a0)Output: c = a2.1. for i from 0 to 2t-1 do: ci = 0;2. for i from 0 to t-1 do

3. (uv) = c2i + ai2;

4. C2i=v; C1= u; C2 = 0;5. for j from i+1 to t-1 do

6. (uv) = ci+j + ai aj + C1; C1 = u;7. (uv) = v + ai aj + C2; ci+j = v ; C2 = u;

8. (uv) = C1+C2, C2 = u;9. (uv) = ci+t + v; ci+t= v;10.ci+t+1 = C2 + u;

11. return (c);

Integer Squaring [Classical]

Input: An integer a ∈ [0, p-1], a = (at-1 at-2 … a1 a0)Output: c = a2.1. r0 = r1 = r2 = 0;2. for k from 0 to 2(t-1) do

3. For each elmt. of {(i, j)| i+j = k, 0 ≤ i ≤ j < t} do4. (uv) = ai aj;5. If (i < j) then (uv) << 1; r2 = AddC(r2, 0);6. r0 = Add(r0, v); r1 = AddC(r1, u); r2 = AddC(r2, 0);

8. ck = r0; r0 = r1; r1 = r2; r2 = 0;9. c2t-1 = r0;

11. return (c);

Reduction

Given t, the computation of R which satisfiest = Qn + R

With R < n. Here t is a 2k-bit number and n is a k-bitnumber.

The number t and n are positive, so are the results Qand R.

Since we are not interested in the quotient, steps of thedivision algorithm can be simplified.

Reduction

Two algorithms of interest:

• Restoring Division

• Non-restoring division

Restoring Division

1. R0 := t;2. n := 2kn;

3. for i = 1 to k do:4. Ri := Ri-1-n;5. if Ri<0 then Ri := Ri-1;6. n := n/2;

6. end7. Return Rk;

Restoring Division: An example

• We give an example of the restoring divisionalgorithm for computing 3019 mod 53, where,

3019 = (101111001011)2

53 = (110101)2

The result is:51 = (110011)2

Subtract101000110n/2Not restore0110110111R3

Positive rem.010000+0111Subtract0100001101n/2

Not restore10101110100R2Positive Remainder100000+10100

Subtract10000011010n/2Restore001011101111R1

Negative Remainder-000110Subtract110101n

t001011101111R0

Final Remainder110011RRestore110011R5

Negative Remainder000010-Subtract1101010n/2

101011n/2010111n/2

Not Restore110011000R4Positive remainder110000+000

Non restoring Division Algorithm

• The non-restoring division algorithm allows a negativeremainder.

• Suppose Ri:=Ri-1-n< 0, then the restoring algorithm assignsRi:=Ri-1 and performs a subtraction with the shifted n,obtaining Ri+1:= Ri-n/2 = Ri-1-n/2;

• However, if Ri = Ri-1 – n < 0, then the non-restoringalgorithm lets Ri remain negative and adds the shifted n inthe following cycle. Thus it obtains,

Ri+1:= Ri+n/2 = (Ri-1-n)+n/2 = Ri-1-n/2;

i.e., the same value (!!)

Non-Restoring Division Algorithm

1. R0 := t;2. n := 2kn;

3. for i = 1 to k do:4. if Ri-1<0 then Ri := Ri-1-n;

5. else Ri := Ri-1+n;6. n := n/2;

6. end7. Return Rk;

Non-Restoring Division Algorithm

• Since the remainder is allowed to stay negative, we use 2’scomplement coding to represent such numbers.

• Also, note that the nonrestoring division algorithm mayrequire a final restoration cycle in which a negativeremainder is corrected by adding the last value of n back toit.

• Example Computation of 51 = 3019 mod 53.

10101001n/2010100011n/2

Positive remainder1100000R4Subtract101000110n/2

Positive remainder0100000111R3Subtract0100001101n/2

Positive remainder100000010100R2add100000011010n/2

Negative Remainder1111010Subtract110101n

t001011101111R0

Final Remainder110011RAdd (restore)1101010n

Negative Remainder1111101R5subtract110101n/2

Barrett Reduction

Barrett reduction computes r = x mod m given x and m. Thealgorithm requires the precomputation of the quantity,

It is advantageous if many reductions are performed with a singlemodulus. Typically, the radix b is chosen to be a power of twoclosed to the word-size of the processor.

Barrett reduction is based on the following fact:

( )( )( )! "121/1//

as, written becan ,0 and

kkk bpbbxQ

xpRRQpx

Barrett Reduction

Input: positive integers x = (x2k-1 … x1x0), p = (pk-1 … p1p0)

Output: x mod p.1.2.3. if r < 0 then4. While r ≥ p do: r= r-p;5. Return(r);

! "! ";//ˆ11 +# $= kk bbxq µ

( ) ( );modˆmod11 ++

!"= kk bpqbxr1+

+=kbrr

! " #"

$=%%+=>

bbxpkpb

22 ,0,1log,,3 µ

Barrett Reduction

Example: Let b = 4, k = 3, x = (313221)b, and p = (233)b (i.e.,x = 3561, and p = 47). Then µ = |46/p| = 87 = (1113)b,

|x/bk-1| = |(313221)b/42| = (3132)b,|x/bk-1|⋅ µ = (3132)b ⋅ (1113)b = (10231302)b

Hence q = (1023)b,

r1 = (3221)b (why??)r2 = (1023)b ⋅(233)b mod b4 =(3011)b, and r = r1 – r2 = (210)b

Thus x mod p = (210)b = 36

Barrett Reduction : Computational efficiency

• All divisions performed in the algorithm are

simple right-shifts of the base b representation.

• Since the k+1 MSBs of x/bk-1|⋅ µ are not needed

to determine q (why??), only a partial multiple-

precision multiplication is necessary.

Reduction

The arithmetic in Barrett reduction can be reduced bychoosing b to be a power of 2. For primes p ofspecial form, there exist very fast modularreduction techniques [For example, see “SoftwareImplementation of the NIST Elliptic Curves OverPrime Fields”, Brown, Hankerson, López andMenezes].

Modular Multiplication:Blakley’s Method

Blakley’s Method

Let ai and bi represent the bits of the k-bit numbers aand b, respectively. The product t (2k-bit number)can be written as,

This formulation yields the shift-add multiplicationalgorithm. Blakley’s algorithm uses thisformulation and furthermore reduces the partialproduct modulo n at each step.

ibababat 22

Blakley’s Method

1. R := 0;

2. For i = 0 to k-1do3. R := 2R + ak-1-i⋅b;

4. R := R mod n;

5. End

6. Return R;

Blakley’s Method

Assuming that 0 ≤ a, b, R ≤ n-1, the new R will be inthe range 0 ≤ R ≤ 3n – 3

SinceAt most two subtraction will be needed to bring the

new R to the range [0, n - 1]. Thus we can useWhile (R ≥ n) R -= n;Blakley’s algorithm computes the remainder R in k

steps, where at each step one left shift, oneaddition, and at most two subtractions areperformed; the operands involved in thesecomputations are of length k bits.

( ) ( ) 331122: !=!+!"#+= nnnbarR j

Modular Multiplication:Montgomery’s Method

Montgomery’s Method

This method replaces division by n operations withdivision by r = 2k. Assuming n is a k-bit integer,i.e., 2k-1 < n < 2k

We assign r = 2k. Now, we perform the mapping ofthe integers a ∈ [0, n-1] to the integers ∈ [0, n-1] using the one-to-one mapping

We call the n-residue of a.

nraa mod: !=a

We now define the Montgomery product of two n-residues as

Also we need n’ such that rr-1-nn’ = 1; r-1 and n’ arecomputed by using the extended Euclid’s algorithm.

nrbabaoMon mod),(Pr 1!""=

( ); else )( then if

mod: 2.

ureturnnureturnnu

baoMon

This routine requires only modulo r arithmetic, whichis efficiently accomplished on a computer if r = 2j.

Theorem 1. If c = ab mod n thenProof:

);,(Pr baoMonc =

baoMon

nrrbra

Theorem 2.

Proof:

)1,(Pr coMonc =

)1,(Pr

MonPro procedure can be utilized to computec: =ab mod n as follows:ModMul(a, b, n) /* n is odd (why???) */1. Compute n’ using EEA.2.3.4.5.6. Return c;

nraa mod!=nrbb mod!=

( )baoMonc ,Pr:=

( )1,Pr: coMonc =

Since preprocessing operations such as,

• Computation of n’ and,

• Conversion from ordinary to n-residue

• Conversion from n-residue to ordinary

Are time consuming, it is not a good idea to useMontgomery’s method for a single modularmultiplication. However, it is very suitable formodular exponentiation.

MonPro procedure can be utilized to computec: =Me mod n as follows:ModExp(M, e, n) /* n is odd (why???) */1. Compute n’ using EEA.2.3.4. for i=k-1 down to 0 do5.6. If ei = 1 then7. C :=8. Return C;

nrMM mod!=

nrC mod1!=

( )ccoMonc ,Pr:=

( )CMoMonc ,Pr:=

This function uses the Binary method that will be discuss in detail later. AnyOther exponential algorithmwill work as well.

);1,(Pr CoMon

Example: Computation of 710 mod 13r = 2k=16. Since 16*9-13*11 = 1, we have r-1 = 9, n´= 11.

M = 7, thusC = 1, thusHence,

813mod167mod: =!=!= nrCM

8M and 3 ==C

MonPro(7, 7) = 120MonPro(8, 1) = 7MonPro(4, 4) = 11

MonPro(8, 8) = 40MonPro(8, 3) = 8MonPro(3, 3) = 31

Step 6Step 5ei

Step 7: C = MonPro(12, 1) = 4Computation of MonPro(3, 3):t := 3*3 = 9;m := 9*11 mod 16 = 3u := (9+3*13)/16=48/16=3

Computation of MonPro(8, 1):t := 8*1 = 8;m :=8*11 mod 16 = 8u :=(8+8*13)/16=112/16=7

Francisco Rodríguez Henríquez CINVESTAVdelta.cs.cinvestav.mx/~francisco/arith/arith2.pdf ·...

Documents

Transcript of Francisco Rodríguez Henríquez CINVESTAVdelta.cs.cinvestav.mx/~francisco/arith/arith2.pdf ·...

SALOMÉ UREÑA DE HENRÍQUEZ Silveria R. de Rodríguez Demorizi

Códigos y Criptografía Francisco Rodríguez Henríquez Códigos y Criptografía Francisco Rodríguez Henríquez CINVESTAV e-mail: francisco@cs.cinvestav.mx.

Imágenes Primera Guerra Mundial Profesor Francisco Henríquez .

Estadística PLH 406 Representación Gráfica Francisco Henríquez Henriquez.fco@gmail.com.

Francisco rodríguez inteligencia artificial

Francisco José Rodríguez Nepote

Variable aleatoria: definiciones básicasdelta.cs.cinvestav.mx/~francisco/prope/v_aleatoria_short.pdf · Introducción a la Probabilidad Francisco Rodríguez Henríquez Variable Aleatoria

Seguridad en Sistemas de Información verano 2004 Francisco Rodríguez Henríquez Security Services in Information Systems.

Max Francisco Rodríguez Murcia

Seguridad en Sistemas de Información Francisco Rodríguez Henríquez Certificados e Infraestructura de Llave Pública Francisco Rodríguez-Henríquez CINVESTAV-IPN.

Variable aleatoria: definiciones básicasdelta.cs.cinvestav.mx/~francisco/prope/v_aleatoria.pdf · Introducción a la Probabilidad Francisco Rodríguez Henríquez Ejemplo de valor

Maestría en Seguridad, Universidad Don Bosco, marzo de 2014 Francisco Rodríguez Henríquez Certificados e Infraestructura de Llave Pública Francisco Rodríguez-Henríquez.

Francisco José Rodríguez Henríquez€¦ · 1. CINVESTAV-IPN Mayo 2002 – Hasta la fecha. Profesor Investigador CINVESTAV 3B, Coordinador Académico del Departamento de Computación

Códigos y Criptografía Francisco Rodríguez Henríquez A Short Introduction to Stream Ciphers.

Códigos y Criptografía Francisco Rodríguez Henríquez Security Attacks: Active and Passive Active Masquerade (impersonation) Replay Modification of message.

Estadística PLH 406 Introducción y definiciones previas Francisco Henríquez Henriquez.fco@gmail.com.

COMISIÓN SISTEMA ESTADÍSTICO REGIONAL - (S.E.R) ALEJANDRO HENRÍQUEZ RODRÍGUEZ DIRECTOR REGIONAL INE ARAUCANÍA 2013.

Desarrollo e implementación de un prototipo de Notaría Digital Vladimir González García Tesis de Maestría LANIA Asesores: Dr. Francisco Rodríguez Henríquez.

Francisco Rodríguez Henríquez CINVESTAVdelta.cs.cinvestav.mx/~francisco/cripto/conceptos.pdf · Las tres leyes de la seguridad: 3. Típicamente la criptografía no se rompe, se

Francisco Rodríguez Cascante Editor