Francisco Rodríguez Henríquez CINVESTAVdelta.cs.cinvestav.mx/~francisco/arith/arith2.pdf ·...

Francisco Rodríguez Henríquez Aritmética Computacional

Francisco Rodríguez HenríquezCINVESTAV

e-mail: [email protected]

Aritmética Computacional


Fairy Tale: Chinese Emperor used to count hisarmy by giving a series of tasks.

All troops should form groups of 3. Reportback the number of soldiers that were not ableto do this.

Now form groups of 5. Report back.Now form groups of 7. Report back.Etc.At the end, if product of all group numbers is

sufficiently large, can ingeniously figure outhow many troops.

Chinese Remainder Theorem


mod 3:

N mod 3 = 1



mod 5:

N mod 5 = 2



mod 7:

N mod 7 = 2



Secret inversion formula (for N < 105 = 3·5·7):N ≡ a (mod 3)N ≡ b (mod 5)N ≡ c (mod 7)

Implies that N = (-35a + 21b + 15c) mod 105.So in our case a = 1, b = 2, c = 2 gives:N = (-35·1 + 21·2 + 15·2) mod 105

= (-35 + 42 + 30) mod 105= 37 mod 105= 37



CRT: Example

Find three numbers l,m,n with following properties– l ≡ 1(mod 3), l ≡ 0(mod 5), l ≡ 0(mod 7)– m≡0(mod 3), m ≡1(mod 5), m ≡0(mod 7)– n ≡0(mod 3), n ≡ 0(mod 5), n ≡ 1(mod 7)

Then y = al+bm +cn [secret formula] satisfies– y ≡ al+bm +cn (mod 3) ≡

a·1+0 + 0 (mod 3) ≡ a (mod 3)– Similarly, y ≡ b (mod 5)– Similarly, y ≡ c (mod 7)

This will imply x ≡ y (mod 3·5·7)


Find three numbers l,m,n: Standard trick.EG, to find l : Multiply together all modulii different from 3.

Result: 5·7 = 35 Find an inverse of this number mod 3: In this

case it’s easy. 35 ≡ 2(mod 3) so find an inverseof 2 [2 or anything congruent to 2(mod 3)].Practice shows that should choose inverse ofsmallest magnitude: –1.

l is the product of (a) and (b): l = -35l is 0 mod 5 and 7 since it’s divisible by 5·7. But (c)

guarantees that it’s 1 modulo 3!

CRT: Example


Similarly, m = 21 and n = 15. So our solution toall three congruences is:

x = -35a + 21b + 15cIf we want to guarantee a solution between 0

and 104, just computex mod 105 .

The same tricks can be generalized to prove:

CRT: Example


THM (CRT): Let m1, m2, … , mn be pairwise relativelyprime positive integers. Then there is a uniquesolution x in [0,m1·m2···mn-1] to the system ofcongruences:

x ≡ a1 (mod m1 )x ≡ a2 (mod m2 )

x ≡ an (mod mn )



CRT: Conversion Algorithm

Step 1. Compute using multi-precision arithmetic.

Step 2. Compute the multiplicative inverses ofmodulo mi for 1 ≤ i ≤ n, i.e., compute the constants ci

such that,

Step 3. Compute u by performing the sum (inmultiprecision arithmetic):

i

nii

m

MmmmmmM == ! KK

121

im

M

.1for ,mod1 nimcm

M

ii

i

!!"#

Mucm

Muc

m

Muc

m

Mu

nn

n

mod22

2

11

1

!++!+!= K


CRT: Conversion Algorithm

Theorem. Given the moduli m1, m2,…, mn

and the remainders u1, u2,…, un the number

u can be computed in O(n2).


CRT: Mixed-Radix Conversion Algorithm

Step 1. Compute constants cij for 1 ≤ i < j ≤ n suchthat,

Step 2. Compute

Step 3. Compute

jiijmmc mod1!"

( )( )( )

( )( )( )nnnnnnnnmcvcvcvuv

mcvcvuv

mcvuv

muv

mod

,mod

,mod

,mod

,112211

223213133

212122

111

!!!!!!"

!!"

!"

"

KK

M

121213121 !++++=nnmmmvmmvmvvu KK



Computation of u using the above formula also requiresO(n2) arithmetic operations. We now define Vij for

0 ≤ i < j ≤ n such that Voi = ui for 1 ≤ i ≤ n. These Vij arethe temporary values of vj resulting from theoperations in Step 2 of the mixed-radix conversionalgorithm. This way, we build a triangular table ofvalues with diagonal entries Vi = Vi-1,j for 0 ≤ i ≤ n.The entries of this table are named multiplieddifferences.



An Example: For n = 4, it can be given as follows,

Where [mi] stands for modulo mi.

[ ][ ] ( ) [ ][ ] ( ) [ ] ( ) [ ][ ] ( ) [ ] ( ) [ ] ( ) [ ]

4342324344241214244140104144404

3231213233130103133303

2120102122202

1101

mcVVVmcVVVmcVVVmuV

mcVVVmcVVVmuV

mcVVVmuV

muV

!=!=!==

!=!==

!==

=


Finite fields: Arithmeticoperations

FP finite field operations : Addition, subtraction,

multiplication, Squaring, inversion, exponentiation andPrimality Testing


Arithmetic Operations in GFp

O ((lg n)3)Inversion a-1 mod n

O(lg a lg b) = O ((lg n)2)Multiplication a*b mod n

O(lg a + lg b) = O (lg n)Subtraction a – b mod n

O(lg a + lg b) = O (lg n)Addition a + b mod n

Bit ComplexityOperation

O ((lg n)3)Exponentiation ak mod n


Modular Addition andSubtraction


Modular Addition

Input: A modulus p, and integers a, b in [0, p-1]Output: c = (a + b) mod p.1. C0 = Add(a0, b0);2. For i from 1 to t-1do: Ci = Add_with_carry(ai, bi);3. If the carry bit is set, then subtract p from

c = (ct-1,…, c2,c1,c0). (why??)4. If c ≥ p then c -= p; (why??)5. Return(c);


Modular Subtraction

Input: A modulus p, and integers a, b in [0, p-1]Output: c = (a - b) mod p.1. C0 = Subtract(a0, b0);2. For i from 1 to t-1do: Ci = Subtract_with_borrow(ai, bi);

3. If the carry bit is set, then add p toc = (ct-1,…, c2,c1,c0). (why??)

4. Return(c);


Modular Multiplication


Modular Multiplication

Computation of c = ab mod n can be performed byusing:

• Classical: Normal integer multiplication followedby reduction

• Blakley’s method: The multiplication steps areinterleaved with reduction steps.

• Montgomery’s method: Uses predominantlymodulo 2j arithmetic.


Modular Multiplication:Classical Method


Integer Multiplication

We perform the operations radix W = 2w: wordsize of thecomputer:

We define (Carry, Sum) pairs. Our notation is:

( )

( ) !

!"

=

""

"

=

""

==

==

1

0

021

1

0

021

s

j

i

iss

s

j

i

iss

WbWbbbb

WaWaaaa

K

K

:jiij abt =

12,,1,0for :

1,,1,0for :,

!=

!=

sitt

sibaba

i

ii

K

K



01234567

30313233

20212223

10111213

00010203

0123

0123

tttttttt

tttt

tttt

tttt

tttt

bbbb

aaaa



1. for i = 0 to s-1 do:2. C:= 0

3. for j = 0 to s-1 do:4. (C, S) := ti+j + ajbi + C;5. ti+j := S;

6. end7. ti+j+1:= C;8. end



002436000436(2, 4)

t2 + a2b0 + C0 + 3⋅7 + 3

2000036(3,3)

t1 + a1b0 + C0 + 3⋅7 + 3

1

000000000006

(0, *)(5, 6)

t0 + a0b0 + C0 + 8⋅7 + 0

00Partial t(C, S)Stepji



019836009836(1, 9)

t3 + a2b1 + C2 + 3⋅5 + 2

2002836(2, 8)

t2 + a1b1 + C4 + 4⋅5 + 4

1002436

(0, *)(4, 3)

t1 + a0b1 + C3 + 8⋅5 + 0




298236098236(2, 9)

t4 + a2b2 + C1 + 3⋅8 + 4

2018236(4, 8)

t3 + a1b2 + C9 + 4⋅8 + 7

1019236

(0, *)(7, 2)

t2 + a0b2 + C8 + 8⋅8 + 0




This algorithm requires s2 = (k/w)2 inner productsteps: (C, S) := ti+j+ajbi+C;

In other words, O(k2) bit operations.The variables ti+j, aj, bi, C and S each hold a single-

word, or a w-bit number.Notice that from the main operation in the loop we

obtain a double-word, or a 2w-bit number since:

( )( ) 12121212122!=!+!!+!

WWWWW


A straightforward modification of themultiplication algorithm gives the followingalgorithm for squaring. There are roughly ½fewer multiplication operations.

Integer Squaring


Integer Squaring [Guajardo and Paar]

Input: An integer a ∈ [0, p-1], a = (at-1 at-2 … a1 a0)Output: c = a2.1. for i from 0 to 2t-1 do: ci = 0;2. for i from 0 to t-1 do

3. (uv) = c2i + ai2;

4. C2i=v; C1= u; C2 = 0;5. for j from i+1 to t-1 do

6. (uv) = ci+j + ai aj + C1; C1 = u;7. (uv) = v + ai aj + C2; ci+j = v ; C2 = u;

8. (uv) = C1+C2, C2 = u;9. (uv) = ci+t + v; ci+t= v;10.ci+t+1 = C2 + u;

11. return (c);


Integer Squaring [Classical]

Input: An integer a ∈ [0, p-1], a = (at-1 at-2 … a1 a0)Output: c = a2.1. r0 = r1 = r2 = 0;2. for k from 0 to 2(t-1) do

3. For each elmt. of {(i, j)| i+j = k, 0 ≤ i ≤ j < t} do4. (uv) = ai aj;5. If (i < j) then (uv) << 1; r2 = AddC(r2, 0);6. r0 = Add(r0, v); r1 = AddC(r1, u); r2 = AddC(r2, 0);

8. ck = r0; r0 = r1; r1 = r2; r2 = 0;9. c2t-1 = r0;

11. return (c);


Reduction

Given t, the computation of R which satisfiest = Qn + R

With R < n. Here t is a 2k-bit number and n is a k-bitnumber.

The number t and n are positive, so are the results Qand R.

Since we are not interested in the quotient, steps of thedivision algorithm can be simplified.


Reduction

Two algorithms of interest:

• Restoring Division

• Non-restoring division


Restoring Division

1. R0 := t;2. n := 2kn;

3. for i = 1 to k do:4. Ri := Ri-1-n;5. if Ri<0 then Ri := Ri-1;6. n := n/2;

6. end7. Return Rk;


Restoring Division: An example

• We give an example of the restoring divisionalgorithm for computing 3019 mod 53, where,

3019 = (101111001011)2

53 = (110101)2

The result is:51 = (110011)2



Subtract101000110n/2Not restore0110110111R3

Positive rem.010000+0111Subtract0100001101n/2

Not restore10101110100R2Positive Remainder100000+10100

Subtract10000011010n/2Restore001011101111R1

Negative Remainder-000110Subtract110101n

t001011101111R0



Final Remainder110011RRestore110011R5

Negative Remainder000010-Subtract1101010n/2

101011n/2010111n/2

Not Restore110011000R4Positive remainder110000+000


Non restoring Division Algorithm

• The non-restoring division algorithm allows a negativeremainder.

• Suppose Ri:=Ri-1-n< 0, then the restoring algorithm assignsRi:=Ri-1 and performs a subtraction with the shifted n,obtaining Ri+1:= Ri-n/2 = Ri-1-n/2;

• However, if Ri = Ri-1 – n < 0, then the non-restoringalgorithm lets Ri remain negative and adds the shifted n inthe following cycle. Thus it obtains,

Ri+1:= Ri+n/2 = (Ri-1-n)+n/2 = Ri-1-n/2;

i.e., the same value (!!)


Non-Restoring Division Algorithm

1. R0 := t;2. n := 2kn;

3. for i = 1 to k do:4. if Ri-1<0 then Ri := Ri-1-n;

5. else Ri := Ri-1+n;6. n := n/2;

6. end7. Return Rk;


Non-Restoring Division Algorithm

• Since the remainder is allowed to stay negative, we use 2’scomplement coding to represent such numbers.

• Also, note that the nonrestoring division algorithm mayrequire a final restoration cycle in which a negativeremainder is corrected by adding the last value of n back toit.

• Example Computation of 51 = 3019 mod 53.



10101001n/2010100011n/2

Positive remainder1100000R4Subtract101000110n/2

Positive remainder0100000111R3Subtract0100001101n/2

Positive remainder100000010100R2add100000011010n/2

Negative Remainder1111010Subtract110101n

t001011101111R0



Final Remainder110011RAdd (restore)1101010n

Negative Remainder1111101R5subtract110101n/2


Barrett Reduction

Barrett reduction computes r = x mod m given x and m. Thealgorithm requires the precomputation of the quantity,

It is advantageous if many reductions are performed with a singlemodulus. Typically, the radix b is chosen to be a power of twoclosed to the word-size of the processor.

Barrett reduction is based on the following fact:

Given

!"

!#$

#=

p

b k2

µ

( )( )( )! "121/1//

as, written becan ,0 and

+#=

$"

$%!

%&&+=

kkk bpbbxQ

p

xpRRQpx


Barrett Reduction

Input: positive integers x = (x2k-1 … x1x0), p = (pk-1 … p1p0)

Output: x mod p.1.2.3. if r < 0 then4. While r ≥ p do: r= r-p;5. Return(r);

! "! ";//ˆ11 +# $= kk bbxq µ

( ) ( );modˆmod11 ++

!"= kk bpqbxr1+

+=kbrr

! " #"

#$!

$=%%+=>

p

bbxpkpb

kk

b

22 ,0,1log,,3 µ


Barrett Reduction

Example: Let b = 4, k = 3, x = (313221)b, and p = (233)b (i.e.,x = 3561, and p = 47). Then µ = |46/p| = 87 = (1113)b,

|x/bk-1| = |(313221)b/42| = (3132)b,|x/bk-1|⋅ µ = (3132)b ⋅ (1113)b = (10231302)b

Hence q = (1023)b,

r1 = (3221)b (why??)r2 = (1023)b ⋅(233)b mod b4 =(3011)b, and r = r1 – r2 = (210)b

Thus x mod p = (210)b = 36


Barrett Reduction : Computational efficiency

• All divisions performed in the algorithm are

simple right-shifts of the base b representation.

• Since the k+1 MSBs of x/bk-1|⋅ µ are not needed

to determine q (why??), only a partial multiple-

precision multiplication is necessary.


Reduction

The arithmetic in Barrett reduction can be reduced bychoosing b to be a power of 2. For primes p ofspecial form, there exist very fast modularreduction techniques [For example, see “SoftwareImplementation of the NIST Elliptic Curves OverPrime Fields”, Brown, Hankerson, López andMenezes].


Modular Multiplication:Blakley’s Method


Blakley’s Method

Let ai and bi represent the bits of the k-bit numbers aand b, respectively. The product t (2k-bit number)can be written as,

This formulation yields the shift-add multiplicationalgorithm. Blakley’s algorithm uses thisformulation and furthermore reduces the partialproduct modulo n at each step.

( ) i

k

i

i

k

i

i

ibababat 22

1

0

1

0

!!"

=

"

=

#=#$%

&'(

)=#=


Blakley’s Method

1. R := 0;

2. For i = 0 to k-1do3. R := 2R + ak-1-i⋅b;

4. R := R mod n;

5. End

6. Return R;


Blakley’s Method

Assuming that 0 ≤ a, b, R ≤ n-1, the new R will be inthe range 0 ≤ R ≤ 3n – 3

SinceAt most two subtraction will be needed to bring the

new R to the range [0, n - 1]. Thus we can useWhile (R ≥ n) R -= n;Blakley’s algorithm computes the remainder R in k

steps, where at each step one left shift, oneaddition, and at most two subtractions areperformed; the operands involved in thesecomputations are of length k bits.

( ) ( ) 331122: !=!+!"#+= nnnbarR j


Modular Multiplication:Montgomery’s Method


Montgomery’s Method

This method replaces division by n operations withdivision by r = 2k. Assuming n is a k-bit integer,i.e., 2k-1 < n < 2k

We assign r = 2k. Now, we perform the mapping ofthe integers a ∈ [0, n-1] to the integers ∈ [0, n-1] using the one-to-one mapping

We call the n-residue of a.

nraa mod: !=a

a



We now define the Montgomery product of two n-residues as

Also we need n’ such that rr-1-nn’ = 1; r-1 and n’ arecomputed by using the extended Euclid’s algorithm.

nrbabaoMon mod),(Pr 1!""=

( )

( ); else )( then if

/: .3

mod: 2.

;: .1

,Pr

ureturnnureturnnu

rnmtu

rntm

bat

baoMon

!"

#+=

$#=

#=



This routine requires only modulo r arithmetic, whichis efficiently accomplished on a computer if r = 2j.

Theorem 1. If c = ab mod n thenProof:

);,(Pr baoMonc =

),(Pr

mod

mod

mod

mod

1

1

baoMon

nrba

nrrbra

nrba

nrcc

=

!!=

!!!!=

!!=

!=

"

"



Theorem 2.

Proof:

)1,(Pr coMonc =

)1,(Pr

mod1

mod

mod

1

1

1

coMon

nrc

nrc

nrrcc

=

!!=

!=

!!=

"

"

"



MonPro procedure can be utilized to computec: =ab mod n as follows:ModMul(a, b, n) /* n is odd (why???) */1. Compute n’ using EEA.2.3.4.5.6. Return c;

nraa mod!=nrbb mod!=

( )baoMonc ,Pr:=

( )1,Pr: coMonc =



Since preprocessing operations such as,

• Computation of n’ and,

• Conversion from ordinary to n-residue

• Conversion from n-residue to ordinary

Are time consuming, it is not a good idea to useMontgomery’s method for a single modularmultiplication. However, it is very suitable formodular exponentiation.



MonPro procedure can be utilized to computec: =Me mod n as follows:ModExp(M, e, n) /* n is odd (why???) */1. Compute n’ using EEA.2.3.4. for i=k-1 down to 0 do5.6. If ei = 1 then7. C :=8. Return C;

nrMM mod!=

nrC mod1!=

( )ccoMonc ,Pr:=

( )CMoMonc ,Pr:=

This function uses the Binary method that will be discuss in detail later. AnyOther exponential algorithmwill work as well.

);1,(Pr CoMon



Example: Computation of 710 mod 13r = 2k=16. Since 16*9-13*11 = 1, we have r-1 = 9, n´= 11.

M = 7, thusC = 1, thusHence,

813mod167mod: =!=!= nrCM

813mod167mod: =!=!= nrCM

8M and 3 ==C

MonPro(7, 7) = 120MonPro(8, 1) = 7MonPro(4, 4) = 11

MonPro(8, 8) = 40MonPro(8, 3) = 8MonPro(3, 3) = 31

Step 6Step 5ei



Step 7: C = MonPro(12, 1) = 4Computation of MonPro(3, 3):t := 3*3 = 9;m := 9*11 mod 16 = 3u := (9+3*13)/16=48/16=3

Computation of MonPro(8, 1):t := 8*1 = 8;m :=8*11 mod 16 = 8u :=(8+8*13)/16=112/16=7

Francisco Rodríguez Henríquez CINVESTAVdelta.cs.cinvestav.mx/~francisco/arith/arith2.pdf ·...

Documents

Transcript of Francisco Rodríguez Henríquez CINVESTAVdelta.cs.cinvestav.mx/~francisco/arith/arith2.pdf ·...