Lecture 11-12 Implementations

The efficiency of a particular cryptographic scheme based on any one of the algebraic structures will depend on a number of factors, such as parameter size, time-memory tradeoffs, processing power available, software and/or hardware optimization, and mathematical algorithms. This lecture is concerned primarily with mathematical algorithms for efficiently carrying out computations in the underlying algebraic structure.

The algorithms described in this lecture are those which, for the most part, have received considerable attention in the literature. Although some attempt is made to point out their relative merits, no detailed comparisons are given.

Outline

Prime Number Issue
Exponentiation
Exponent Recoding
Multi-Exponentiation
Chinese Remainder Theorem for RSA
Montgomery Reduction Method

1 Prime Number Issue

The efficient generation of public-key parameters is a prerequisite in public-key systems. A specific example is the requirement of a prime number $p$ to define a finite field for the discrete logarithm and its derivatives. Another example is the requirement of primes $p$ and $q$ for an RSA modulus $n = pq$. In this case, the prime must be of sufficient size, and be "random" in the sense that the probability of any particular prime being selected must be sufficiently small to preclude an adversary from gaining advantage through optimizing a search strategy based on such probability. Prime numbers may be required to have certain additional properties, in order that they do not make the associated cryptosystems susceptible to specialized attacks.

1.1 Miller-Rabin Test

Fact 1. Let $n$ be an odd prime, and let $n - 1 = 2^s r$ where $r$ is odd. Let $a$ be any integer such that $\gcd(a, n) = 1$. Then either $a^r \equiv 1 \pmod n$ or $a^{2^j r} \equiv -1 \pmod n$ for some $j$, $0 \le j \le s - 1$.

Definition 1. Let $n$ be an odd composite integer and let $n - 1 = 2^s r$ where $r$ is odd. Let $a$ be an integer in the interval $[1, n - 1]$.
(1) If $a^r \not\equiv 1 \pmod n$ and if $a^{2^j r} \not\equiv -1 \pmod n$ for all $j$, $0 \le j \le s - 1$, then $a$ is called a strong witness (to compositeness) for $n$.
(2) Otherwise, i.e., if either $a^r \equiv 1 \pmod n$ or $a^{2^j r} \equiv -1 \pmod n$ for some $j$, $0 \le j \le s - 1$, then $n$ is said to be a strong pseudoprime to the base $a$. The integer $a$ is called a strong liar (to primality) for $n$.

1.1 Miller-Rabin Test (Continued)

Algorithm 1 (Miller-Rabin test)
MILLER-RABIN($n$, $t$)
INPUT: an odd integer $n \ge 3$ and security parameter $t \ge 1$.
OUTPUT: an answer "prime" or "composite" to the question: "Is $n$ prime?"
(1) Write $n - 1 = 2^s r$ such that $r$ is odd.
(2) For $i$ from 1 to $t$ do the following:
    (2.1) Choose a random integer $a$, $2 \le a \le n - 2$.
    (2.2) Compute $y = a^r \pmod n$.
    (2.3) If $y \ne 1$ and $y \ne n - 1$ then do the following:
        (2.3.1) $j \leftarrow 1$.
        (2.3.2) While $j \le s - 1$ and $y \ne n - 1$ do the following:
            (2.3.2.1) Compute $y \leftarrow y^2 \pmod n$.
            (2.3.2.2) If $y = 1$ then return("composite"). Otherwise $j \leftarrow j + 1$.
        (2.3.3) If $y \ne n - 1$ then return("composite").
(3) Return("prime").

1.1 Miller-Rabin Test (Continued)

Proof (Miller-Rabin test). We use $y_j$ to denote $y$ in the $j$th step of (2.3). Suppose that $y_3 \equiv 1 \pmod n$. This means that $y_2^2 \equiv 1^2 \pmod n$. Either $y_2 \equiv \pm 1 \pmod n$, or $y_2 \not\equiv \pm 1 \pmod n$ and $n$ is composite. In the latter case, $\gcd(y_2 - 1, n)$ gives a nontrivial factor of $n$. In the former case, the algorithm would have stopped by the previous step. If we reach $y_{s-1}$, we have computed $y_{s-1} \equiv a^{(n-1)/2} \pmod n$. The square of this is $a^{n-1}$, which must be $1 \pmod n$ if $n$ is prime, by Fermat's theorem. Therefore, if $n$ is prime, $y_{s-1} \equiv \pm 1 \pmod n$. All other choices mean that $n$ is composite. If we have $y_{s-1} \equiv 1 \pmod n$, then $n$ is composite, and we can factor $n$, since $y_{s-2}^2 \equiv 1^2 \pmod n$ with $y_{s-2} \not\equiv \pm 1 \pmod n$.

1.1 Miller-Rabin Test (Continued)

Comment.
(1) Up to $10^{10}$, there are 3291 strong pseudoprimes for the base 2. Though strong pseudoprimes are rare, it has been proved that, for any finite set $B$ of bases, there are infinitely many integers that are strong pseudoprimes for all $b \in B$. There is a 337-digit number that is a strong pseudoprime for all bases that are primes $< 200$.

1.1 Miller-Rabin Test (Continued)

Comment (Continued).
(2) It can be shown that the probability that the Miller-Rabin test fails to recognize a composite for a randomly chosen $a$ is at most 1/4. If $t = 10$, then we expect that the probability of certifying a composite number as prime is at most $(1/4)^{10} \approx 10^{-6}$. Therefore, the Miller-Rabin test is rather practical.

1.1 Miller-Rabin Test (Continued)

Example 1. Let $n = 561$. Then $n - 1 = 560 = 16 \cdot 35$, so $2^s = 2^4$ and $r = 35$. Let $a = 2$. Then
$y_0 = 2^{35} \equiv 263 \pmod{561}$
$y_1 = y_0^2 \equiv 166 \pmod{561}$
$y_2 = y_1^2 \equiv 67 \pmod{561}$
$y_3 = y_2^2 \equiv 1 \pmod{561}$
Since $y_3 \equiv 1 \pmod{561}$, we conclude that 561 is composite. Moreover, $\gcd(y_2 - 1, 561) = 33$, which is a nontrivial factor of 561. However, since $2^{560} \equiv 1 \pmod{561}$, 561 is a pseudoprime for the base 2.

1.1 Miller-Rabin Test (Continued)

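Example 2 (Continued). Since $561 = 3 \cdot 11 \cdot 17$, we can compute
$y_0 \equiv 263 \pmod{561}$: $y_0 \equiv -1 \pmod 3$, $y_0 \equiv -1 \pmod{11}$, $y_0 \equiv 8 \pmod{17}$
$y_1 \equiv 166 \pmod{561}$: $y_1 \equiv 1 \pmod 3$, $y_1 \equiv 1 \pmod{11}$, $y_1 \equiv -4 \pmod{17}$
$y_2 \equiv 67 \pmod{561}$: $y_2 \equiv 1 \pmod 3$, $y_2 \equiv 1 \pmod{11}$, $y_2 \equiv -1 \pmod{17}$
$y_3 \equiv 1 \pmod{561}$: $y_3 \equiv 1 \pmod 3$, $y_3 \equiv 1 \pmod{11}$, $y_3 \equiv 1 \pmod{17}$
Since $y_2$ is congruent to 1 only (mod 3) and (mod 11), $y_2 - 1$ contains the factors 3 and 11, but not 17. The reason we could factor 561 by this method is that the sequence reached 1 modulo the primes not all at the same time.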

1.1 Miller-Rabin Test (Continued)

Comment on Example 2. Consider the case $n = pq$ and suppose $a^{n-1} \equiv 1 \pmod n$. It is likely that the sequences $y_i \pmod p$ and $y_i \pmod q$ reach $-1$ and then 1 at different times. In this case, we will have $y_i \equiv -1 \pmod p$, $y_i \equiv 1 \pmod q$. Therefore, we can factor $n$. The only way that $n$ can pass the Miller-Rabin test is to have the sequences $y_i \pmod p$ and $y_i \pmod q$ reach 1 at the same time.

1.2 Prime Number Generation

Prime number generation differs from primality testing as before, but may and typically does involve the latter. The former allows the construction of candidates of a fixed form which may lead to more efficient testing than possible for random candidates.

1.2.1 Random Search for Probable Primes

By the prime number theorem, the proportion of (positive) integers $\le x$ that are prime is approximately $1/\ln x$. Since half of all integers $\le x$ are even, the proportion of odd integers $\le x$ that are prime is approximately $2/\ln x$. For instance, the proportion of all odd integers $\le 2^{512}$ that are prime is approximately $2/(512 \cdot \ln(2)) \approx 1/177$. This suggests that a reasonable strategy for selecting a random $k$-bit (probable) prime is to repeatedly pick random $k$-bit odd integers $n$ until one is found that is declared to be "prime" by MILLER-RABIN($n$, $t$) (Algorithm 1) for an appropriate value of the security parameter $t$.

1.2.1 Random Search for Probable Primes (Continued)

Algorithm 2 (Using the Miller-Rabin test)
RANDOM-SEARCH($k$, $t$)
INPUT: an integer $k$, and a security parameter $t$.
OUTPUT: a random $k$-bit probable prime.
(1) Generate an odd $k$-bit integer $n$ at random.
(2) Use trial division to determine whether $n$ is divisible by any odd prime $\le B$. If it is then go to Step (1).
(3) If MILLER-RABIN($n$, $t$) (Algorithm 1) outputs "prime" then return($n$). Otherwise, go to Step (1).

1.2.1 Random Search for Probable Primes (Continued)

Explain.
(1) Since the probability that a random integer $n$ has a small prime divisor is relatively large, before applying the Miller-Rabin test, the candidate $n$ should be tested for small divisors below a predetermined bound $B$. This can be done by dividing $n$ by all the primes below $B$. The proportion of candidate odd integers $n$ not ruled out by this trial division is, by Mertens's theorem, approximately $1.12/\ln B$. For example, if $B = 256$, then only 20% of candidate odd integers $n$ pass the trial division stage, i.e., 80% are discarded before the more costly Miller-Rabin test is performed.

1.2.1 Random Search for Probable Primes (Continued)

Explain (Continued).
(2) Since the Miller-Rabin test does not provide a mathematical proof that a number is indeed prime, the number $n$ returned by Algorithm 2 is a probable prime. It is important, therefore, to have an estimate of the probability that $n$ is in fact composite. The probability that RANDOM-SEARCH($k$, $t$) returns a composite number is denoted by $p_{k,t}$. A concrete result is the following: if candidates $n$ are chosen at random from the set of odd numbers in the interval $[3, x]$, then $p_{k,t} \le (1/4)^t$ for all $x \ge 10^{60}$.

1.2.1 Random Search for Probable Primes (Continued)

(2) (Continued) Above table shows upper bounds on $p_{k,t}$ for sample values of $k$ and $t$. An entry $j$ corresponding to $k$ and $t$ implies $p_{k,t} \le (1/2)^j$. Using more advanced techniques, the upper bounds on $p_{k,t}$ can be improved.
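The following Python sketch is an added example, not code from the lecture. It runs one Miller-Rabin round in the form of Algorithm 1, reproduces the factor found in Example 1, and wraps the test in the random search of Algorithm 2. The function names, the bound B = 100 and the use of Python's `secrets` module as the random source are choices made for this example.

```python
import math
import secrets

# Odd primes below the trial-division bound B = 100 (B is this example's choice).
SMALL_PRIMES = [3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41, 43, 47,
                53, 59, 61, 67, 71, 73, 79, 83, 89, 97]


def strong_probe(n, a):
    """One round of the Miller-Rabin test on odd n >= 3 with base a.

    Returns (verdict, factor). verdict is "composite" when a is a strong
    witness, otherwise "prime" (n is prime or a is a strong liar). factor is
    gcd(y_j - 1, n) when the chain reaches 1 right after a value other than
    +-1, as in Example 1; otherwise None.
    """
    s, r = 0, n - 1
    while r % 2 == 0:                 # n - 1 = 2^s * r with r odd
        s, r = s + 1, r // 2
    y = pow(a, r, n)                  # y_0
    if y in (1, n - 1):
        return "prime", None
    for _ in range(s - 1):            # y_1 .. y_{s-1}
        prev, y = y, pow(y, 2, n)
        if y == 1:                    # prev is a square root of 1 other than +-1
            return "composite", math.gcd(prev - 1, n)
        if y == n - 1:
            return "prime", None
    return "composite", None


def miller_rabin(n, t):
    """t rounds with independent random bases in [2, n - 2]; n odd, n >= 5."""
    for _ in range(t):
        a = 2 + secrets.randbelow(n - 3)
        if strong_probe(n, a)[0] == "composite":
            return "composite"
    return "prime"


def random_search(k, t):
    """Random k-bit probable prime (k >= 8), with trial division first.

    Returns (n, tried, sieved): the probable prime, the number of candidates
    drawn, and how many of them trial division rejected before any
    Miller-Rabin round was spent on them.
    """
    tried = sieved = 0
    while True:
        # Top bit forces exactly k bits, low bit forces an odd candidate.
        n = secrets.randbits(k) | (1 << (k - 1)) | 1
        tried += 1
        if any(n % p == 0 for p in SMALL_PRIMES):
            sieved += 1
            continue
        if miller_rabin(n, t) == "prime":
            return n, tried, sieved


if __name__ == "__main__":
    print(strong_probe(561, 2))    # Example 1: the chain exposes the factor 33
    print(strong_probe(2047, 2))   # 2047 = 23 * 89 is a strong pseudoprime to base 2
    print(strong_probe(2047, 3))   # base 3 is a strong witness for 2047
    print(random_search(256, 10))
```

The pair 2047 with bases 2 and 3 shows why the bases are drawn at random for each round rather than fixed in advance.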

1.2.2 Strong Primes

A prime number $p$ is said to be a strong prime if integers $r$, $s$, and $t$ exist such that the following three conditions are satisfied:
(1) $p - 1$ has a large prime factor, denoted $r$;
(2) $p + 1$ has a large prime factor, denoted $s$; and
(3) $r - 1$ has a large prime factor, denoted $t$.

1.2.2 Strong Primes (Continued)

Algorithm 3 (Gordon's algorithm for generating a strong prime)
SUMMARY: a strong prime $p$ is generated.
(1) Generate two large random primes $s$ and $t$ of roughly equal bitlength.
(2) Select an integer $i_0$. Find the first prime in the sequence $2it + 1$, for $i = i_0, i_0 + 1, i_0 + 2, \ldots$. Denote this prime by $r = 2it + 1$.
(3) Compute $p_0 = 2(s^{r-2} \bmod r)s - 1$.
(4) Select an integer $j_0$. Find the first prime in the sequence $p_0 + 2jrs$, for $j = j_0, j_0 + 1, j_0 + 2, \ldots$. Denote this prime by $p = p_0 + 2jrs$.
(5) Return($p$).

1.2.2 Strong Primes (Continued)

Explain.
(1) The primes $s$ and $t$ required in Step (1) can be probable primes generated by Algorithm 2. The Miller-Rabin test (Algorithm 1) can be used to test each candidate for primality in Steps (2) and (4), after ruling out candidates that are divisible by a small prime less than some bound $B$. Since the Miller-Rabin test is a probabilistic primality test, the output of this implementation of Gordon's algorithm is a probable prime.
(2) By carefully choosing the sizes of primes $s$, $t$ and parameters $i_0$, $j_0$, one can control the exact bitlength of the resulting prime $p$. Note that the bitlengths of $r$ and $s$ will be about half that of $p$, while the bitlength of $t$ will be slightly less than that of $r$.

1.2.3 Generating DSA Primes

The NIST Digital Signature Algorithm requires two primes $p$ and $q$ satisfying the following three conditions:
(1) $2^{159} < q < 2^{160}$; that is, $q$ is a 160-bit prime;
(2) $2^{L-1} < p < 2^L$ for a specified $L$, where $L = 512 + 64l$ for some $0 \le l \le 8$; and
(3) $q$ divides $p - 1$.

1.2.3 Generating DSA Primes (Continued)

Algorithm 4 (NIST method for generating DSA primes)
INPUT: an integer $l$, $0 \le l \le 8$.
OUTPUT: a 160-bit prime $q$ and an $L$-bit prime $p$, where $L = 512 + 64l$ and $q \mid (p - 1)$.
(1) Compute $L = 512 + 64l$. Using long division of $(L - 1)$ by 160, find $n$, $b$ such that $L - 1 = 160n + b$, where $0 \le b < 160$.
(2) Repeat the following:
    (2.1) Choose a random seed $s$ (not necessarily secret) of bitlength $g \ge 160$.
    (2.2) Compute $U = H(s) \oplus H((s + 1) \bmod 2^g)$.
    (2.3) Form $q$ from $U$ by setting to 1 the most significant and least significant bits of $U$. (Note that $q$ is a 160-bit odd integer.)
    (2.4) Test $q$ for primality using MILLER-RABIN($q$, $t$) for $t \ge 18$.
    Until $q$ is found to be a (probable) prime.

1.2.3 Generating DSA Primes (Continued)

Algorithm 4 (Continued)
(3) Set $i \leftarrow 0$, $j \leftarrow 2$.
(4) While $i < 4096$ do the following:
    (4.1) For $k$ from 0 to $n$ do the following: set $V_k \leftarrow H((s + j + k) \bmod 2^g)$.
    (4.2) For the integer $W$ defined below, let $X = W + 2^{L-1}$. ($X$ is an $L$-bit integer.)
          $W = V_0 + V_1 2^{160} + V_2 2^{320} + \cdots + V_{n-1} 2^{160(n-1)} + (V_n \bmod 2^b) 2^{160n}$.
    (4.3) Compute $c = X \bmod 2q$ and set $p = X - (c - 1)$. (Note that $p \equiv 1 \pmod{2q}$.)
    (4.4) If $p \ge 2^{L-1}$ then do the following:
          Test $p$ for primality using MILLER-RABIN($p$, $t$) for $t \ge 5$.
          If $p$ is a (probable) prime then return($q$, $p$).
    (4.5) Set $i \leftarrow i + 1$, $j \leftarrow j + n + 1$.
(5) Go to step (2).

1.2.3 Generating DSA Primes (Continued)

Explain.
(1) $H$ denotes the SHA-1 hash function which maps bitstrings of bitlength $< 2^{64}$ to 160-bit hash-codes.
(2) The random seed $s$ is not input to the prime number generation portion of the algorithm itself, but rather to an unpredictable and uncontrollable randomization process (Steps (2.2) and (4.1)), the output of which is used as the actual random seed. This precludes manipulation of the input seed to the prime number generation. If the seed $s$ and counter $i$ are made public, then anyone can verify that $q$ and $p$ were generated using the approved method. This feature prevents a central authority who generates $p$ and $q$ as system-wide parameters for use in the DSA from intentionally constructing "weak" primes $q$ and $p$ which it could subsequently exploit to recover other entities' private keys.

1.2.3 Generating DSA Primes (Continued)

Explain (Continued).
(3) The FIPS 186 document, as originally described, only specifies that a robust primality test be used in Steps (2.4) and (4.4), i.e., a primality test where the probability of a composite integer being declared prime is at most $(1/2)^{80}$. It requires $t \ge 18$ and $t \ge 5$ in Steps (2.4) and (4.4), respectively. Since the Miller-Rabin test is a probabilistic primality test, the output of Algorithm 4 is a probable prime.
(4) To improve performance, candidate primes $q$ and $p$ should be subjected to trial division by all odd primes less than some bound $B$ before invoking the Miller-Rabin test.

2 Exponentiation

One of the most important arithmetic operations for public-key cryptography is exponentiation. There are two ways to reduce the time required to do exponentiation. One way is to decrease the time to multiply two elements in the group; the other is to reduce the number of multiplications used to compute $g^e$. Ideally, one would do both.

We consider three types of exponentiation algorithms.
(1) Basic techniques for exponentiation. Arbitrary choices of the base $g$ and exponent $e$ are allowed.
(2) Fixed-exponent exponentiation algorithms. The exponent $e$ is fixed and arbitrary choices of the base $g$ are allowed. RSA encryption and signature schemes benefit from such algorithms.
(3) Fixed-base exponentiation algorithms. The base $g$ is fixed and arbitrary choices of the exponent $e$ are allowed. ElGamal encryption and signature schemes benefit from such algorithms.

2.1 Problem Model

2.1.1 Addition Chains

Definition 2. An addition chain for $e$ is a list of positive integers $u_1, u_2, \ldots, u_l$ satisfying
(1) $u_1 = 1$, $u_l = e$;
(2) for each $i$, $1 < i \le l$, there is some $j$ and $k$ with $1 \le j \le k < i$ and $u_i = u_j + u_k$.

Explain.
(1) A short addition chain for $e$ gives a fast algorithm for computing $g^e$: compute $g^{u_1}, g^{u_2}, g^{u_3}, \ldots, g^{u_l}$.
(2) Let $l(e)$ be the length of the shortest addition chain for $e$. The exact value of $l(e)$ is known only for relatively small values of $e$. It is known that, for large $e$,
$l(e) = \log e + (1 + o(1)) \dfrac{\log e}{\log \log e}$,
where $\log$ denotes the base-2 logarithm.

2.1.2 Addition–Subtraction Chains

Definition 3. An addition-subtraction chain for $e$ is a list of positive integers $u_1, u_2, \ldots, u_l$ satisfying
(1) $u_1 = 1$, $u_l = e$;
(2) for each $i$, $1 < i \le l$, there is some $j$ and $k$ with $1 \le j \le k < i$ and $u_i = \pm u_j \pm u_k$.

Explain.
(1) One way to reduce the length of an addition chain is to allow other operations, such as subtraction. For example, the shortest addition chain for 31 is
1, 2, 3, 5, 10, 11, 21, 31,
but if subtraction is allowed we get the shorter chain
1, 2, 4, 8, 16, 32, 31.
(2) Addition-subtraction chains can be very useful for elliptic curves and discrete logarithm.

2.1.3 Addition Sequences and Vector Addition Chains

Definition 4. An addition sequence for $e_1, e_2, \ldots, e_t$ is an addition chain $u_1, u_2, \ldots, u_l$ which contains $e_1, e_2, \ldots, e_t$.

Explain.
(1) Addition sequences are used when one $g$ is to be raised to multiple powers, i.e. $g^{e_1}, g^{e_2}, \ldots, g^{e_t}$.
(2) Yao showed that the minimal length $l(e_1, e_2, \ldots, e_t)$ of an addition sequence for $e_1, e_2, \ldots, e_t$ is
$l(e_1, e_2, \ldots, e_t) \le \log e + (t + o(1)) \dfrac{\log e}{\log \log e}$,
where $e = \max\{e_1, e_2, \ldots, e_t\}$.

2.1.3 Addition Sequences and Vector Addition Chains (Continued)

Definition 5. A vector addition chain for $[e_1, e_2, \ldots, e_t]$ is a sequence of elements $D_0, D_1, \ldots, D_l$ satisfying
(1) $D_0 = [1, 0, \ldots, 0]$, $D_1 = [0, 1, \ldots, 0]$, $\ldots$, $D_{t-1} = [0, 0, \ldots, 1]$, $D_l = [e_1, e_2, \ldots, e_t]$;
(2) for each $i$, $t \le i \le l$, there is some $j$ and $k$ with $0 \le j \le k < i$ and $D_i = D_j + D_k$.

Explain.
(1) Vector addition chains may be used to compute multinomial powers, i.e. $g_1^{e_1} g_2^{e_2} \cdots g_t^{e_t}$.

2.1.3 Addition Sequences and Vector Addition Chains (Continued)

Explain (Continued).
(2) Let $l([e_1, e_2, \ldots, e_t])$ be the shortest vector addition chain for $[e_1, e_2, \ldots, e_t]$. Olivos showed that problems of finding good vector addition chains and addition sequences are equivalent, i.e. $l([e_1, e_2, \ldots, e_t]) = l(e_1, e_2, \ldots, e_t) + (t - 1)$.
(3) Downey et al. showed that the problem of finding the shortest addition sequence is NP-complete.

2.2 Techniques for General Exponentiation

2.2.1 The Binary Method

Algorithm 5 (Left-to-right binary exponentiation)
INPUT: $g \in G$ and a positive integer $e = (e_t e_{t-1} \cdots e_1 e_0)_2$.
OUTPUT: $g^e$.
(1) $A \leftarrow 1$.
(2) For $i$ from $t$ down to 0 do the following:
    (2.1) If $i \ne t$ then $A \leftarrow A \cdot A$.
    (2.2) If $e_i = 1$ then $A \leftarrow A \cdot g$.
(3) Return($A$).

Computing $g^{283}$. Note that $t = 8$ and $283 = (100011011)_2$.

2.2.1 The Binary Method (Continued)

Efficiency.
Squarings (Step (2.1)): $t$, where $t + 1$ is the number of bits in the binary expansion of $e$.
Multiplications (Step (2.2)): $H(e)$, where $H(e)$ is the Hamming weight (the number of 1s in the binary expansion) of $e$.
We have $1 \le H(e) \le t + 1$. Thus, the total number of multiplications is found as:
Maximum: $t + (t + 1) = 2t + 1$,
Minimum: $t + 1$,
Average: $t + (t + 1)/2 = 3t/2 + 1/2$.

2.2.1 The Binary Method (Continued)

Algorithm 6 (Right-to-left binary exponentiation)
INPUT: $g \in G$ and a positive integer $e = (e_t e_{t-1} \cdots e_1 e_0)_2$.
OUTPUT: $g^e$.
(1) $A \leftarrow 1$, $S \leftarrow g$.
(2) For $i$ from 0 to $t$ do the following:
    (2.1) If $e_i = 1$ then $A \leftarrow A \cdot S$.
    (2.2) If $i \ne t$ then $S \leftarrow S \cdot S$.
(3) Return($A$).

Computing $g^{283}$.

2.2.1 The Binary Method (Continued)

Efficiency.
Squarings (Step (2.2)): $t$.
Multiplications (Step (2.1)): $H(e)$.
We have $1 \le H(e) \le t + 1$. Thus, the total number of multiplications is found as:
Maximum: $t + (t + 1) = 2t + 1$,
Minimum: $t + 1$,
Average: $t + (t + 1)/2 = 3t/2 + 1/2$.

2.2.1 The Binary Method (Continued)

Comment.
(1) It requires an extra data register to store the middle variable $S$ in Algorithm 6. Note that multiplication and square in this right-to-left binary exponentiation are independent of one another, and thus two operations at each loop can be parallelized. Provided that one multiplier and one squarer are available, the running time of Algorithm 6 is bounded by the total time required for computing squares.
(2) Algorithm 6 computes $A \cdot S$ whenever $e_i = 1$. Algorithm 5 is a left-to-right binary exponentiation which replaces the operation $A \cdot S$ (for arbitrary $S$) by the operation $A \cdot g$ (for fixed $g$). For some choices of $g$, $A \cdot g$ may be computed more efficiently than $A \cdot S$ for arbitrary $S$.

2.2.2 k-ary Method

Idea for computing $g^e$:
(Binary Method) $e = (e_t e_{t-1} \cdots e_1 e_0)_2$
($k$-ary Method) $e = (f_n f_{n-1} \cdots f_1 f_0)_b$
This representation of $e$ is partitioned into $n + 1$ blocks of length $k$ each for $(n + 1)k = t + 1$. If $k$ does not divide $t + 1$, the exponent is padded with at most $k - 1$ 0s. We can define
$f_i = (e_{ik+k-1} e_{ik+k-2} \cdots e_{ik+1} e_{ik})_2 = \sum_{j=0}^{k-1} e_{ik+j} 2^j$.
Note that $0 \le f_i \le 2^k - 1$ and $b = 2^k$. The $k$-ary method first computes the values of $g^i$ for $i = 2, 3, \ldots, 2^k - 1$. Then the bits of $e$ are scanned $k$ bits at a time.

2.2.2 k-ary Method (Continued)

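Algorithm 7 (Left-to-right $k$-ary exponentiation)
INPUT: $g$ and $e = (e_t e_{t-1} \cdots e_1 e_0)_b$, where $b = 2^k$ for some $k \ge 1$.
OUTPUT: $g^e$.
(1) Precomputation.
    (1.1) $g_1 \leftarrow g$.
    (1.2) For $i$ from 2 to $(2^k - 1)$ do: $g_i \leftarrow g_{i-1} \cdot g$. (Thus, $g_i = g^i$.)
(2) $A \leftarrow 1$.
(3) For $i$ from $t$ down to 0 do the following:
    (3.1) If $i \ne t$ then $A \leftarrow A^{2^k}$.
    (3.2) If $e_i \ne 0$ then $A \leftarrow A \cdot g_{e_i}$.
(4) Return($A$).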

2.2.2 k-ary Method (Continued)

Efficiency.
(1) Computation
Precomputation (Step (1.2)): $2^k - 1 - 1 = 2^k - 2$.
Squarings (Step (3.1)): $tk$.
Multiplications (Step (3.2)): $H_b(e)$, where $H_b(e)$ is the Hamming weight (the number of nonzero $e_i$) of $e$.
We have $1 \le H_b(e) \le t + 1$. Thus, the total number of multiplications is found as:
Maximum: $2^k - 2 + tk + t + 1$,
Minimum: $2^k - 2 + tk + 1$,
Average: $2^k - 2 + tk + (t + 1)(1 - 1/2^k)$.
(2) Storage: $2^k - 1$ for $g_i$, $1 \le i \le 2^k - 1$.

2.2.2 k-ary Method (Continued)

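Algorithm 8 (Modified left-to-right $k$-ary exponentiation)
INPUT: $g$ and $e = (e_t e_{t-1} \cdots e_1 e_0)_b$, where $b = 2^k$ for some $k \ge 1$.
OUTPUT: $g^e$.
(1) Precomputation.
    (1.1) $g_1 \leftarrow g$, $g_2 \leftarrow g^2$.
    (1.2) For $i$ from 1 to $(2^{k-1} - 1)$ do: $g_{2i+1} \leftarrow g_{2i-1} \cdot g_2$.
(2) $A \leftarrow 1$.
(3) For $i$ from $t$ down to 0 do the following:
    If $u_i \ne 0$ then $A \leftarrow (A^{2^{k-h_i}} \cdot g_{u_i})^{2^{h_i}}$. Otherwise $A \leftarrow A^{2^k}$.
(4) Return($A$).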

2.2.2 k-ary Method (Continued)

Explain.
(1) For each $i$, $0 \le i \le t$, if $e_i \ne 0$, then write $e_i = 2^{h_i} u_i$ where $u_i$ is odd; if $e_i = 0$, then let $h_i = 0$ and $u_i = 0$.
(2) In Algorithm 8, Algorithm 7 is modified slightly to reduce the amount of precomputation.

2.2.3 Sliding-Window Exponentiation

Algorithm 9 (Sliding-window exponentiation)
INPUT: $g$ and $e = (e_t e_{t-1} \cdots e_1 e_0)_2$, where $e_t = 1$, and an integer $k \ge 1$.
OUTPUT: $g^e$.
(1) Precomputation.
    (1.1) $g_1 \leftarrow g$, $g_2 \leftarrow g^2$.
    (1.2) For $i$ from 1 to $(2^{k-1} - 1)$ do: $g_{2i+1} \leftarrow g_{2i-1} \cdot g_2$.
(2) $A \leftarrow 1$, $i \leftarrow t$.
(3) While $i \ge 0$ do the following:
    (3.1) If $e_i = 0$ then do: $A \leftarrow A^2$, $i \leftarrow i - 1$.
    (3.2) Otherwise ($e_i \ne 0$), find the longest bitstring $e_i e_{i-1} \cdots e_l$ such that $i - l + 1 \le k$ and $e_l = 1$, and do the following:
          $A \leftarrow A^{2^{i-l+1}} \cdot g_{(e_i e_{i-1} \cdots e_l)_2}$, $i \leftarrow l - 1$.
(4) Return($A$).

$e = 11749 = (10110111100101)_2$ and $k = 3$.
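The operation counts of sections 2.2.1 to 2.2.3 can be checked by instrumenting the algorithms. The Python code below is an added example, not part of the lecture: it implements Algorithms 5, 7 and 9 over the integers modulo $m$ and counts squarings and multiplications the way the Efficiency slides do. The function names and the modulus used in the demo are assumptions of this example.

```python
def binary_ltr(g, e, m):
    """Algorithm 5. Returns (g^e mod m, squarings, multiplications)."""
    A, sq, mul = 1, 0, 0
    for pos, bit in enumerate(bin(e)[2:]):      # e_t first
        if pos:                                 # no squaring when i = t
            A, sq = A * A % m, sq + 1
        if bit == "1":
            A, mul = A * g % m, mul + 1
    return A, sq, mul


def kary_ltr(g, e, m, k):
    """Algorithm 7. Returns (value, precomputation, squarings, multiplications)."""
    table = [1, g % m]
    for _ in range(2, 1 << k):                  # g_i = g_{i-1} * g
        table.append(table[-1] * g % m)
    digits = []
    while e:                                    # base-2^k digits, least significant first
        digits.append(e & ((1 << k) - 1))
        e >>= k
    A, sq, mul = 1, 0, 0
    for pos, d in enumerate(reversed(digits)):
        if pos:
            for _ in range(k):                  # A <- A^(2^k)
                A, sq = A * A % m, sq + 1
        if d:
            A, mul = A * table[d] % m, mul + 1
    return A, (1 << k) - 2, sq, mul


def sliding_window(g, e, m, k):
    """Algorithm 9. Same return shape as kary_ltr; requires e > 0."""
    g2 = g * g % m
    odd = {1: g % m}
    for i in range(1, 1 << (k - 1)):            # g_{2i+1} = g_{2i-1} * g_2
        odd[2 * i + 1] = odd[2 * i - 1] * g2 % m
    bits = bin(e)[2:]
    A, sq, mul, pos = 1, 0, 0, 0
    while pos < len(bits):
        if bits[pos] == "0":
            A, sq, pos = A * A % m, sq + 1, pos + 1
            continue
        end = min(pos + k, len(bits))           # window of at most k bits ...
        while bits[end - 1] == "0":             # ... that ends in a 1
            end -= 1
        for _ in range(end - pos):
            A = A * A % m
            sq += mul > 0                       # squaring A = 1 before the first window is not counted
        A, mul = A * odd[int(bits[pos:end], 2)] % m, mul + 1
        pos = end
    # Precomputation: one squaring for g_2 plus 2^(k-1) - 1 products.
    return A, 1 << (k - 1), sq, mul


if __name__ == "__main__":
    M = 2**61 - 1                               # demo modulus (constructed)
    print("binary   e=283  :", binary_ltr(3, 283, M)[1:])
    print("4-ary    e=283  :", kary_ltr(3, 283, M, 2)[1:])
    print("binary   e=11749:", binary_ltr(3, 11749, M)[1:])
    print("window 3 e=11749:", sliding_window(3, 11749, M, 3)[1:])
```

All three routines branch on the bits of the exponent, so the sequence of operations depends on $e$; they model the counting arguments above and are not constant-time code for secret exponents.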

2.3 Fixed-Exponent Exponentiation Algorithms

There are numerous situations in which a number of exponentiations by a fixed exponent must be performed. Examples include RSA encryption and decryption, and ElGamal decryption.

2.3 Fixed-Exponent Exponentiation Algorithms (Continued)

Algorithm 10 (Addition chain exponentiation)
INPUT: $g$, an addition chain $V = (u_0, u_1, \ldots, u_s)$ of length $s$ for a positive integer $e$, and the associated sequence $w_1, w_2, \ldots, w_s$, where $w_i = (i_1, i_2)$.
OUTPUT: $g^e$.
(1) $g_0 \leftarrow g$.
(2) For $i$ from 1 to $s$ do: $g_i \leftarrow g_{i_1} \cdot g_{i_2}$.
(3) Return($g_s$).

2.3 Fixed-Exponent Exponentiation Algorithms (Continued)

Computing $g^{15}$. An addition chain of length 5 for $e = 15$ is $u_0 = 1$, $u_1 = 2$, $u_2 = 3$, $u_3 = 6$, $u_4 = 12$, $u_5 = 15$.

2.3 Fixed-Exponent Exponentiation Algorithms (Continued)

Explain.
(1) Given an addition chain of length $s$ for the positive integer $e$, Algorithm 10 computes $g^e$ for any $g \in G$, $g \ne 1$, using exactly $s$ multiplications.
(2) Given the binary representation of an exponent $e$, it is a relatively simple task to construct an addition chain directly from this representation. Chains constructed in this way generally do not provide the shortest addition chain possible for the given exponent.

2.4 Fixed-Base Exponentiation Algorithms

Idea. $\{b_0, b_1, \ldots, b_t\}$ is a set of integers for some $t \ge 0$, such that any exponent $e \ge 1$ (suitably bounded) can be written as $e = \sum_{i=0}^{t} e_i b_i$, where $0 \le e_i < h$ for some fixed positive integer $h$. For example, if $e$ is any $(t + 1)$-digit base $b$ integer with $b \ge 2$, then $b_i = b^i$ and $h = b$ are possible choices.

2.4.1 Fixed-Base Windowing Method

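Algorithm 11 (Fixed-base windowing method for exponentiation)
INPUT: $\{g^{b_0}, g^{b_1}, \ldots, g^{b_t}\}$, $e = \sum_{i=0}^{t} e_i b_i$, and $h$.
OUTPUT: $g^e$.
(1) $A \leftarrow 1$, $B \leftarrow 1$.
(2) For $j$ from $(h - 1)$ down to 1 do the following:
    (2.1) For each $i$ for which $e_i = j$ do: $B \leftarrow B \cdot g^{b_i}$.
    (2.2) $A \leftarrow A \cdot B$.
(3) Return($A$).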

2.4.1 Fixed-Base Windowing Method (Continued)

To compute $g^e$ for $e = 862 = (31132)_4$, take $t = 4$, $h = 4$, and $b_i = 4^i$ for $0 \le i \le 4$. Precompute the group elements $g^1, g^4, g^{16}, g^{64}, g^{256}$.

2.4.1 Fixed-Base Windowing Method (Continued)

Explain.
(1) Computation. Suppose $t + h \ge 2$. Only multiplications where both operands are distinct from 1 are counted. Since $B$ is also initially 1, at most $t$ multiplications are done in Step (2.1). Step (2.2) is executed $h - 1$ times, but at least one of these multiplications involves an operand with value 1. Thus, Algorithm 11 computes $g^e$ with at most $t + h - 2$ multiplications.
(2) Storage: $t + 1$ for $g^{b_i}$, $0 \le i \le t$.

2.4.2 Fixed-Base Euclidean Method

Let $\{x_0, x_1, \ldots, x_t\}$ be a set of integers with $t \ge 2$. Define $M$ to be an integer in the interval $[0, t]$ such that $x_M \ge x_i$ for all $0 \le i \le t$. Define $N$ to be an integer in the interval $[0, t]$, $N \ne M$, such that $x_N \ge x_i$ for all $0 \le i \le t$, $i \ne M$.

2.4.2 Fixed-Base Euclidean Method (Continued)

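Algorithm 12 (Fixed-base Euclidean method for exponentiation)
INPUT: $\{g^{b_0}, g^{b_1}, \ldots, g^{b_t}\}$, $e = \sum_{i=0}^{t} e_i b_i$, and $h$.
OUTPUT: $g^e$.
(1) For $i$ from 0 to $t$ do the following: $g_i \leftarrow g^{b_i}$, $x_i \leftarrow e_i$.
(2) Determine the indices $M$ and $N$ for $\{x_0, x_1, \ldots, x_t\}$.
(3) While $x_N \ne 0$ do the following:
    (3.1) $q \leftarrow \lfloor x_M / x_N \rfloor$, $g_N \leftarrow (g_M)^q \cdot g_N$, $x_M \leftarrow x_M \pmod{x_N}$.
    (3.2) Determine the indices $M$ and $N$ for $\{x_0, x_1, \ldots, x_t\}$.
(4) Return($g_M^{x_M}$).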

2.4.2 Fixed-Base Euclidean Method (Continued)

The computation of $g^e$, $e = 862$. Take $b_0 = 1$, $b_1 = 16$, $b_2 = 256$. Then $e = (3, 5, 14)_{16}$. Precompute $g^1, g^{16}, g^{256}$.

2.4.2 Fixed-Base Euclidean Method (Continued)

Comment.
(1) In most cases, the quotient $q$ computed in Step (3.1) of Algorithm 12 is 1. For a given base $b$, the computational requirements of this algorithm are not significantly greater than those of Algorithm 11.
(2) Since the division algorithm is logarithmic in the size of the inputs, Algorithm 12 can take advantage of a larger value of $h$ than Algorithm 11. This results in less storage for precomputed values.
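Both fixed-base methods can be run on the lecture's exponent $e = 862$. The Python code below is an added example, not part of the lecture: it implements Algorithms 11 and 12 modulo $m$, and counts for Algorithm 11 only the multiplications in which both operands differ from 1, as in the Explain slide. Function names, the base $g = 3$ and the modulus are assumptions of this example; digit lists are given least significant first.

```python
def fixed_base_window(powers, digits, h, m):
    """Algorithm 11. powers[i] = g^(b_i) mod m, digits[i] = e_i with 0 <= e_i < h.

    Returns (g^e mod m, number of multiplications whose operands are both != 1).
    """
    A, B, mul = 1, 1, 0
    for j in range(h - 1, 0, -1):
        for g_bi, e_i in zip(powers, digits):
            if e_i == j:
                mul += B != 1                   # B * g^(b_i); free while B is still 1
                B = B * g_bi % m
        mul += A != 1 and B != 1                # A * B; free while A or B is still 1
        A = A * B % m
    return A, mul


def fixed_base_euclid(powers, digits, m):
    """Algorithm 12. Needs at least two digits. Returns g^e mod m."""
    g, x = list(powers), list(digits)
    while True:
        # M indexes the largest x_i, N the largest among the rest.
        order = sorted(range(len(x)), key=lambda i: x[i], reverse=True)
        M, N = order[0], order[1]
        if x[N] == 0:
            return pow(g[M], x[M], m)
        q = x[M] // x[N]
        g[N] = pow(g[M], q, m) * g[N] % m       # keeps prod g_i^(x_i) unchanged
        x[M] %= x[N]


if __name__ == "__main__":
    m, g = 2**61 - 1, 3                         # demo values (constructed)
    base4 = [pow(g, 4**i, m) for i in range(5)]     # g^1, g^4, g^16, g^64, g^256
    base16 = [pow(g, 16**i, m) for i in range(3)]   # g^1, g^16, g^256
    print(fixed_base_window(base4, [2, 3, 1, 1, 3], 4, m))   # 862 = (31132)_4
    print(fixed_base_euclid(base16, [14, 5, 3], m))          # 862 = (3, 5, 14)_16
```

For $e = 862$ with $t = 4$, $h = 4$ the windowing method uses exactly the bound $t + h - 2 = 6$ counted multiplications.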

3 Exponent Recoding

Another approach to reducing the number of multiplications in the basic binary method is to replace the binary representation of the exponent e with a representation which has fewer non-zero terms. Since the binary representation is unique, finding a representation with fewer non-zero components necessitates the use of digits besides 0 and 1. Transforming an exponent from one representation to another is called exponent recoding.

3.1 Signed-Digit Representation

Definition 6. If $e = \sum_{i=0}^{t} d_i 2^i$ where $d_i \in \{0, 1, -1\}$, $0 \le i \le t$, then $(d_t d_{t-1} \cdots d_1 d_0)_{SD}$ is called a signed-digit representation with radix 2 for the integer $e$. Unlike the binary representation, the signed-digit representation of an integer is not unique. The binary representation is an example of a signed-digit representation.

3.1 Signed-Digit Representation (Continued)

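Algorithm 13 (Non-adjacent form (NAF) exponent recoding)
INPUT: a positive integer $e = (e_{t+1} e_t e_{t-1} \cdots e_1 e_0)_2$ with $e_{t+1} = e_t = 0$.
OUTPUT: non-adjacent form representation $(d_t d_{t-1} \cdots d_1 d_0)_{NAF}$ for $e$.
(1) $c_0 \leftarrow 0$.
(2) For $i$ from 0 to $t$ do the following:
    (2.1) $c_{i+1} \leftarrow \lfloor (e_i + e_{i+1} + c_i)/2 \rfloor$.
    (2.2) $d_i \leftarrow e_i + c_i - 2c_{i+1}$.
(3) Return($(d_t d_{t-1} \cdots d_1 d_0)_{NAF}$).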

3.1 Signed-Digit Representation (Continued)

Table look-up for the non-adjacent form exponent recoding.

3.1 Signed-Digit Representation (Continued)

Property for non-adjacent form (NAF) representation.
(1) Every integer $e$ has a unique NAF representation.
(2) The length of NAF is at most one more than the length of the binary representation of $e$.
(3) $d_i d_{i+1} = 0$ for $0 \le i < t$.
(4) NAF representation for $e$ has the smallest number of non-zero entries among all signed-digit representations for $e$. That is, the average density among NAF is 1/3.

3.2 The Binary Method Using NAF

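Algorithm 14 (Left-to-right binary exponentiation using NAF)
INPUT: $g \in G$ and a positive integer $e = (d_t d_{t-1} \cdots d_1 d_0)_{NAF}$.
OUTPUT: $g^e$.
(1) $A \leftarrow 1$.
(2) For $i$ from $t$ down to 0 do the following:
    (2.1) If $i \ne t$ then $A \leftarrow A \cdot A$.
    (2.2) If $d_i = 1$ then $A \leftarrow A \cdot g$.
    (2.3) If $d_i = -1$ then $A \leftarrow A \cdot g^{-1}$.
(3) Return($A$).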

4 Multi-Exponentiation

There are a number of situations which require computation of the product of several exponentials with distinct bases and distinct exponents, for example, verification of ElGamal signatures. Rather than computing each exponential separately, we consider the method to do them simultaneously.

4.1 Shamir Trick

Computation of $g^{37} h^{20}$.

4.1 Shamir Trick (Continued)

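Algorithm 15 (Shamir trick)
INPUT: $g, h \in G$ and positive integers $a = (a_t a_{t-1} \cdots a_1 a_0)_2$, $b = (b_t b_{t-1} \cdots b_1 b_0)_2$.
OUTPUT: $g^a h^b$.
(1) Compute and store $gh$.
(2) $A \leftarrow 1$.
(3) For $i$ from $t$ down to 0 do the following:
    (3.1) If $i \ne t$ then $A \leftarrow A \cdot A$.
    (3.2) If $(a_i, b_i) \ne (0, 0)$ then $A \leftarrow A \cdot g^{a_i} h^{b_i}$.
(4) Return($A$).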

4.1 Shamir Trick (Continued)

Explain.
(1) Algorithm 15 computes $g^a h^b$ by performing $t$ squarings and $(1 - 1/4)(t + 1) = 3(t + 1)/4$ multiplications on average. Thus, the total number of multiplications is found as $7t/4 + 3/4$.
(2) It needs an extra register for $gh$.

4.2 Extend Shamir Trick

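Algorithm 16 (Extend Shamir trick)
INPUT: $g, h \in G$ and positive integers $a = (a_t a_{t-1} \cdots a_1 a_0)_2$, $b = (b_t b_{t-1} \cdots b_1 b_0)_2$.
OUTPUT: $g^a h^b$.
(1) Recode $a$, $b$ to NAF representations $a = (d_t d_{t-1} \cdots d_1 d_0)_{NAF}$, $b = (f_t f_{t-1} \cdots f_1 f_0)_{NAF}$.
(2) Compute and (or) store $g^{-1}$, $h^{-1}$, $gh$, $gh^{-1}$, $g^{-1}h$, $g^{-1}h^{-1}$.
(3) $A \leftarrow 1$.
(4) For $i$ from $t$ down to 0 do the following:
    (4.1) If $i \ne t$ then $A \leftarrow A \cdot A$.
    (4.2) If $(d_i, f_i) \ne (0, 0)$ then $A \leftarrow A \cdot g^{d_i} h^{f_i}$.
(5) Return($A$).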
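The recoding of Algorithm 13 and the simultaneous exponentiation of Algorithms 15 and 16 fit in one short program. The Python code below is an added example, not part of the lecture. It works in the multiplicative group modulo a prime $p$ so that $g^{-1}$ exists; the function names, the prime and the bases are assumptions of this example, and digit lists are least significant first.

```python
def naf(e):
    """Algorithm 13: NAF digits d_0, d_1, ... of e > 0 (least significant first)."""
    bits = [int(b) for b in bin(e)[:1:-1]] + [0, 0]   # e_0 .. e_{t+1}, top two bits zero
    c, digits = 0, []
    for i in range(len(bits) - 1):
        c_next = (bits[i] + bits[i + 1] + c) // 2
        digits.append(bits[i] + c - 2 * c_next)
        c = c_next
    return digits


def exp_naf(g, e, p):
    """Algorithm 14 in Z_p^*. Returns (g^e mod p, multiplications)."""
    g_inv = pow(g, -1, p)
    A, mul = 1, 0
    for d in reversed(naf(e)):
        A = A * A % p                           # squaring A = 1 at the start is harmless
        if d:
            A, mul = A * (g if d == 1 else g_inv) % p, mul + 1
    return A, mul


def simultaneous(g, h, a, b, p, use_naf):
    """Algorithm 15 (use_naf=False) or 16 (use_naf=True).

    Returns (g^a h^b mod p, multiplications in the main loop).
    """
    if use_naf:
        da, db = naf(a), naf(b)
    else:
        da = [int(x) for x in bin(a)[:1:-1]]
        db = [int(x) for x in bin(b)[:1:-1]]
    t = max(len(da), len(db))
    da += [0] * (t - len(da))
    db += [0] * (t - len(db))
    # Precomputed products g^d h^f for every digit pair that can occur.
    vals = (-1, 0, 1) if use_naf else (0, 1)
    table = {(d, f): pow(g, d, p) * pow(h, f, p) % p for d in vals for f in vals}
    A, mul = 1, 0
    for d, f in zip(reversed(da), reversed(db)):
        A = A * A % p                           # one squaring chain shared by both exponents
        if (d, f) != (0, 0):
            A, mul = A * table[(d, f)] % p, mul + 1
    return A, mul


if __name__ == "__main__":
    P = 2**61 - 1                               # demo prime (constructed)
    print(naf(7))                               # 7 = 8 - 1
    print(simultaneous(3, 7, 37, 20, P, False))
    print(simultaneous(3, 7, 255, 127, P, False)[1],
          simultaneous(3, 7, 255, 127, P, True)[1])
```

For the lecture's exponents 37 and 20 the binary forms are already non-adjacent, so recoding gains nothing; the pair 255 and 127 shows the saving when the exponents contain long runs of 1s.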

5 Chinese Remainder Theorem for RSA

The RSA decryption and signing operation, i.e., given $C$, the computation of $M = C^d \pmod n$, can be performed faster using the Chinese remainder theorem (CRT) since the user knows the factors of the modulus: $n = pq$.

5 Chinese Remainder Theorem for RSA (Continued)

Algorithm 17 (RSA decryption algorithm using CRT)
INPUT: ciphertext $C$, primes $p$ and $q$, precomputed values $d_1 = d \bmod (p - 1)$, $d_2 = d \bmod (q - 1)$, $q^{-1} \pmod p$.
OUTPUT: plaintext $M$.
(1) Compute $M_1 = C^{d_1} \pmod p$.
(2) Compute $M_2 = C^{d_2} \pmod q$.
(3) Compute $M = M_2 + [((M_1 - M_2)\, q^{-1} \pmod p) \bmod p]\, q$.
(4) Return($M$).

5 Chinese Remainder Theorem for RSA (Continued)

Justification. The summation
$M = M_2 + [((M_1 - M_2)\, q^{-1} \pmod p) \bmod p]\, q$
is correct since
$M \pmod q \equiv M_2 + 0 = M_2$,
$M \pmod p \equiv M_2 + (M_1 - M_2) \cdot 1 = M_1$,
$0 \le M < pq$.

5 Chinese Remainder Theorem for RSA (Continued)

Explain.
(1) The data structure in public-key cryptography standard PKCS #1 holding the values of user's private key has the variables:
    exponent1 INTEGER, -- $d \bmod (p - 1)$
    exponent2 INTEGER, -- $d \bmod (q - 1)$
    coefficient INTEGER, -- (inverse of $q$) $\pmod p$.
(2) If $d$ is randomly selected, the CRT based algorithm will be approximately 4 times faster than the algorithm without the CRT.
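Algorithm 17 with the three PKCS #1 values, as an added Python example that is not part of the lecture. The key is built from two small Mersenne primes chosen for this example only (far too small for real use), and the final re-encryption check with the public exponent $e$ is an addition of this example: Algorithm 17 itself does not take $e$ as input.

```python
def rsa_crt_key(p, q, e):
    """Private key with the CRT values named as in PKCS #1."""
    d = pow(e, -1, (p - 1) * (q - 1))
    return {
        "n": p * q, "e": e, "d": d, "p": p, "q": q,
        "exponent1": d % (p - 1),        # d_1 = d mod (p - 1)
        "exponent2": d % (q - 1),        # d_2 = d mod (q - 1)
        "coefficient": pow(q, -1, p),    # q^{-1} mod p
    }


def decrypt_crt(C, key):
    """Algorithm 17: two half-size exponentiations and one recombination."""
    p, q = key["p"], key["q"]
    M1 = pow(C, key["exponent1"], p)
    M2 = pow(C, key["exponent2"], q)
    M = M2 + ((M1 - M2) * key["coefficient"] % p) * q
    # Added consistency check: a miscomputed half (for example after a
    # hardware fault) does not re-encrypt to C and must not be released.
    if pow(M, key["e"], key["n"]) != C % key["n"]:
        raise ArithmeticError("CRT result failed re-encryption check")
    return M


def decrypt_plain(C, key):
    """Reference computation M = C^d mod n without the CRT."""
    return pow(C, key["d"], key["n"])


if __name__ == "__main__":
    key = rsa_crt_key(2**31 - 1, 2**61 - 1, 65537)   # constructed toy key
    message = 123456789
    C = pow(message, key["e"], key["n"])
    print(decrypt_crt(C, key), decrypt_plain(C, key))
    # The CRT exponents are about half the length of d.
    print(key["d"].bit_length(), key["exponent1"].bit_length(),
          key["exponent2"].bit_length())
```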

6 Montgomery Reduction Method

The temporary results must be reduced modulo $n$ at each step of the exponentiation. This is because the space requirement of the binary number $g^e$ is enormous. Assuming $g$ and $e$ have 256 bits each, we need
$\log_2(g^e) = e \cdot \log_2(g) \approx 2^{256} \cdot 256 = 2^{264} \approx 10^{80}$
bits in order to store $g^e$. This number is approximately equal to the number of particles in the universe.

6.1 Montgomery Multiplication

Fact 1. Given integers $m$ and $R$ where $\gcd(m, R) = 1$, let $m' = -m^{-1} \pmod R$, and let $T$ be any integer such that $0 \le T < mR$. If $U = Tm' \pmod R$, then $(T + Um)/R$ is an integer and $(T + Um)/R \equiv TR^{-1} \pmod m$.

Comment.
(1) $(T + Um)/R$ is an estimate for $TR^{-1} \pmod m$. Since $T < mR$ and $U < R$, then $(T + Um)/R < (mR + mR)/R = 2m$. Thus either $(T + Um)/R = TR^{-1} \pmod m$ or $(T + Um)/R = TR^{-1} \pmod m + m$.
(2) If all integers are represented in radix $b$ and $R = b^n$, then $TR^{-1} \pmod m$ can be computed with two multiplications (i.e., $U = T \cdot m'$ and $U \cdot m$).

6.1 Montgomery Multiplication (Continued)

Example 3. Let $m = 187$, $R = 190$. Then $R^{-1} \pmod m = 125$, $m^{-1} \pmod R = 63$, and $m' = 127$. If $T = 563$, then $U = Tm' \pmod R = 61$ and $(T + Um)/R = 63 = TR^{-1} \pmod m$. If $T = 1125$ then $U = Tm' \pmod R = 185$ and $(T + Um)/R = 188 = (TR^{-1} \bmod m) + m$.

6.1 Montgomery Multiplication (Continued)

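Algorithm 18 (Montgomery multiplication)
INPUT: integers $m$, $x$, $y$ with $0 \le x, y < m$, $R$ with $\gcd(m, R) = 1$, $m' = -m^{-1} \pmod R$, and $0 \le xy < mR$.
OUTPUT: $xyR^{-1} \pmod m$.
(1) $A \leftarrow x \cdot y$.
(2) $U \leftarrow x \cdot y \cdot m' \pmod R$.
(3) $A \leftarrow (A + U \cdot m)/R$.
(4) If $A \ge m$ then $A \leftarrow A - m$.
(5) Return($A$).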

6.2 Montgomery Exponentiation

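Algorithm 19 (Montgomery exponentiation)
INPUT: integers $m = (m_{l-1} m_{l-2} \cdots m_0)_2$, $R = 2^l$, $e = (e_t e_{t-1} \cdots e_0)_2$ with $e_t = 1$, and an integer $x$, $0 \le x < m$.
OUTPUT: $x^e \pmod m$.
(1) $\tilde{x} \leftarrow \mathrm{Mont}(x, R^2 \pmod m)$, $A \leftarrow R \pmod m$.
(2) For $i$ from $t$ down to 0 do the following:
    (2.1) If $i \ne t$ then $A \leftarrow \mathrm{Mont}(A, A)$.
    (2.2) If $e_i = 1$ then $A \leftarrow \mathrm{Mont}(A, \tilde{x})$.
(3) $A \leftarrow \mathrm{Mont}(A, 1)$.
(4) Return($A$).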

6.2 Montgomery Exponentiation (Continued)

Let $e = 11 = (1011)_2$; here, $t = 3$. The table displays the values of $A \pmod m$ at the end of each iteration of Step (2), and after Step (3).
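Montgomery reduction, multiplication and exponentiation as an added Python example that is not part of the lecture. `mont_estimate` takes any $R$ coprime to $m$ so that it reproduces Example 3 with $R = 190$; `mont_exp` uses $R = 2^l$ as in Algorithm 19 and needs an odd modulus. The function names and the test values in the demo are assumptions of this example.

```python
def mont_setup(m, R):
    """m' = -m^{-1} mod R; requires gcd(m, R) = 1."""
    return (-pow(m, -1, R)) % R


def mont_estimate(T, m, R, m_prime):
    """(T + U*m)/R for 0 <= T < m*R.

    The value is T*R^{-1} mod m or that residue plus m (Comment (1)).
    """
    U = T * m_prime % R
    A, rem = divmod(T + U * m, R)
    if rem:                                     # cannot happen when m' is correct
        raise ArithmeticError("T + U*m is not divisible by R")
    return A


def mont(x, y, m, R, m_prime):
    """Algorithm 18: x*y*R^{-1} mod m for 0 <= x, y < m < R."""
    A = mont_estimate(x * y, m, R, m_prime)
    return A - m if A >= m else A


def mont_exp(x, e, m):
    """Algorithm 19 with R = 2^l, l the bit length of the odd modulus m."""
    R = 1 << m.bit_length()
    m_prime = mont_setup(m, R)
    x_tilde = mont(x, R * R % m, m, R, m_prime)     # x*R mod m
    A = R % m                                       # Montgomery form of 1
    for bit in bin(e)[2:]:
        # Squaring before the top bit is kept: Mont(R mod m, R mod m) = R mod m.
        A = mont(A, A, m, R, m_prime)
        if bit == "1":
            A = mont(A, x_tilde, m, R, m_prime)
    return mont(A, 1, m, R, m_prime)                # leave Montgomery form


if __name__ == "__main__":
    mp = mont_setup(187, 190)
    print(mp, mont_estimate(563, 187, 190, mp), mont_estimate(1125, 187, 190, mp))
    print(mont_exp(5, 11, 13), pow(5, 11, 13))
```

With $R$ a power of two the reduction modulo $R$ and the division by $R$ become a mask and a shift, which is the point of choosing $R = 2^l$ in Algorithm 19.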
