Computational Arithmetic (Aritmética Computacional)
Francisco Rodríguez Henríquez, CINVESTAV
e-mail: [email protected]
Chinese Remainder Theorem

Fairy tale: a Chinese emperor used to count his army by giving it a series of tasks. All troops form groups of 3; report back the number of soldiers that were not able to do this. Now form groups of 5; report back. Now form groups of 7; report back. And so on. At the end, if the product of all the group sizes is sufficiently large, the emperor can ingeniously figure out how many troops there are.
mod 3: N mod 3 = 1
mod 5: N mod 5 = 2
mod 7: N mod 7 = 2
Secret inversion formula (for N < 105 = 3·5·7): if
N ≡ a (mod 3), N ≡ b (mod 5), N ≡ c (mod 7),
then N = (−35a + 21b + 15c) mod 105.
So in our case a = 1, b = 2, c = 2 gives:
N = (−35·1 + 21·2 + 15·2) mod 105 = (−35 + 42 + 30) mod 105 = 37 mod 105 = 37.
CRT: Example

Find three numbers l, m, n with the following properties:
– l ≡ 1 (mod 3), l ≡ 0 (mod 5), l ≡ 0 (mod 7)
– m ≡ 0 (mod 3), m ≡ 1 (mod 5), m ≡ 0 (mod 7)
– n ≡ 0 (mod 3), n ≡ 0 (mod 5), n ≡ 1 (mod 7)
Then y = al + bm + cn [the secret formula] satisfies:
– y ≡ al + bm + cn ≡ a·1 + 0 + 0 ≡ a (mod 3)
– similarly, y ≡ b (mod 5)
– similarly, y ≡ c (mod 7)
Any x with the same three residues therefore satisfies x ≡ y (mod 3·5·7).
Find the three numbers l, m, n: the standard trick. E.g., to find l:
(a) Multiply together all moduli different from 3. Result: 5·7 = 35.
(b) Find an inverse of this number mod 3. In this case it is easy: 35 ≡ 2 (mod 3), so find an inverse of 2 [2, or anything congruent to 2 (mod 3)]. Practice shows that one should choose the inverse of smallest magnitude: −1.
(c) l is the product of (a) and (b): l = −35. l is 0 mod 5 and mod 7 since it is divisible by 5·7, and (b) guarantees that it is 1 modulo 3!

Similarly, m = 21 and n = 15. So our solution to all three congruences is:
x = −35a + 21b + 15c.
If we want to guarantee a solution between 0 and 104, just compute x mod 105.

The same tricks can be generalized to prove:
THM (CRT): Let m1, m2, …, mn be pairwise relatively prime positive integers. Then there is a unique solution x in [0, m1·m2···mn − 1] to the system of congruences:
x ≡ a1 (mod m1)
x ≡ a2 (mod m2)
⋮
x ≡ an (mod mn)
CRT: Conversion Algorithm

Step 1. Compute $M = m_1 m_2 \cdots m_n$ using multi-precision arithmetic.
Step 2. Compute the multiplicative inverses of $M/m_i$ modulo $m_i$ for $1 \le i \le n$, i.e., compute the constants $c_i$ such that
$$c_i \cdot \frac{M}{m_i} \equiv 1 \pmod{m_i}, \qquad \text{for } i = 1, \ldots, n.$$
Step 3. Compute u by performing the sum (in multiprecision arithmetic):
$$u = \left( u_1 c_1 \frac{M}{m_1} + u_2 c_2 \frac{M}{m_2} + \cdots + u_n c_n \frac{M}{m_n} \right) \bmod M.$$

Theorem. Given the moduli $m_1, m_2, \ldots, m_n$ and the remainders $u_1, u_2, \ldots, u_n$, the number u can be computed in $O(n^2)$ arithmetic operations.
CRT: Mixed-Radix Conversion Algorithm

Step 1. Compute constants $c_{ij}$ for $1 \le i < j \le n$ such that
$$c_{ij}\, m_i \equiv 1 \pmod{m_j}.$$
Step 2. Compute
$$\begin{aligned}
v_1 &= u_1 \bmod m_1,\\
v_2 &= (u_2 - v_1)\, c_{12} \bmod m_2,\\
v_3 &= ((u_3 - v_1)\, c_{13} - v_2)\, c_{23} \bmod m_3,\\
&\ \ \vdots\\
v_n &= (\cdots((u_n - v_1)\, c_{1n} - v_2)\, c_{2n} - \cdots - v_{n-1})\, c_{n-1,n} \bmod m_n.
\end{aligned}$$
Step 3. Compute
$$u = v_1 + v_2 m_1 + v_3 m_1 m_2 + \cdots + v_n m_1 m_2 \cdots m_{n-1}.$$
Computation of u using the above formula also requires $O(n^2)$ arithmetic operations. We now define $V_{ij}$ for $0 \le i < j \le n$ such that $V_{0j} = u_j$ for $1 \le j \le n$ and $V_{ij} = (V_{i-1,j} - V_{i-1,i})\, c_{ij} \bmod m_j$ for $1 \le i < j$. These $V_{ij}$ are the temporary values of $v_j$ resulting from the operations in Step 2 of the mixed-radix conversion algorithm. This way we build a triangular table of values whose diagonal entries are $v_j = V_{j-1,j}$ for $1 \le j \le n$. The entries of this table are called multiplied differences.
An example: for n = 4 the table is as follows, where [m_i] stands for "modulo m_i":

V_01 = u_1 [m_1]
V_02 = u_2 [m_2]   V_12 = (V_02 − V_01) c_12 [m_2]
V_03 = u_3 [m_3]   V_13 = (V_03 − V_01) c_13 [m_3]   V_23 = (V_13 − V_12) c_23 [m_3]
V_04 = u_4 [m_4]   V_14 = (V_04 − V_01) c_14 [m_4]   V_24 = (V_14 − V_12) c_24 [m_4]   V_34 = (V_24 − V_23) c_34 [m_4]

The diagonal entries V_01, V_12, V_23, V_34 are v_1, v_2, v_3, v_4.
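Both reconstruction methods of this section, the direct formula with the constants c_i and the mixed-radix (Garner) method with its multiplied-differences table V_ij, written out for any number of pairwise coprime moduli. This is an added example, not code from the original slides; the function names and the modular-inverse helper are this example's own choices, and the 3·5·7 army example plus a four-modulus case are the constructed test inputs.

```python
# Added example (not from the original slides): direct CRT reconstruction and
# mixed-radix (Garner) conversion with the multiplied-differences table V_ij.

def egcd(a, b):
    """Extended Euclid: returns (g, x, y) with a*x + b*y = g = gcd(a, b)."""
    x0, y0, x1, y1 = 1, 0, 0, 1
    while b:
        q, a, b = a // b, b, a % b
        x0, x1 = x1, x0 - q * x1
        y0, y1 = y1, y0 - q * y1
    return a, x0, y0

def modinv(a, m):
    """Inverse of a modulo m; raises if gcd(a, m) != 1."""
    g, x, _ = egcd(a % m, m)
    if g != 1:
        raise ValueError("%d has no inverse modulo %d" % (a, m))
    return x % m

def crt_direct(residues, moduli):
    """Steps 1-3 of the conversion algorithm: u = sum(u_i c_i M/m_i) mod M."""
    M = 1
    for m in moduli:
        M *= m
    u = 0
    for u_i, m_i in zip(residues, moduli):
        M_i = M // m_i               # product of all the other moduli
        c_i = modinv(M_i, m_i)       # c_i * M_i = 1 (mod m_i)
        u += u_i * c_i * M_i
    return u % M

def crt_mixed_radix(residues, moduli):
    """Garner's mixed-radix conversion; returns (u, V) where V[(i, j)] are the
    multiplied differences (1-based indices as on the slides) and V[(j-1, j)] = v_j."""
    n = len(moduli)
    V = {}
    v = []
    for j in range(n):                         # 0-based here; slides use 1..n
        m_j = moduli[j]
        x = residues[j] % m_j
        V[(0, j + 1)] = x                      # V_0j = u_j [m_j]
        for i in range(j):
            c_ij = modinv(moduli[i], m_j)      # c_ij * m_i = 1 (mod m_j)
            x = ((x - v[i]) * c_ij) % m_j      # V_ij = (V_{i-1,j} - V_{i-1,i}) c_ij
            V[(i + 1, j + 1)] = x
        v.append(x)                            # v_j is the diagonal entry
    u, radix = 0, 1
    for j in range(n):                         # u = v_1 + v_2 m_1 + v_3 m_1 m_2 + ...
        u += v[j] * radix
        radix *= moduli[j]
    return u, V

if __name__ == "__main__":
    print(crt_direct([1, 2, 2], [3, 5, 7]))          # the emperor's army: 37
    u, V = crt_mixed_radix([1, 2, 2], [3, 5, 7])
    print(u, V)                                      # 37 and the V_ij table
    print(crt_direct([1, 0, 6, 10], [3, 5, 7, 11]))  # four moduli: 1000
```

Both functions must agree on every input; the mixed-radix version never needs a multiplication of full size M, which is why the slides call it out separately.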
Finite fields: arithmetic operations

$\mathbb{F}_p$ finite field operations: addition, subtraction, multiplication, squaring, inversion, exponentiation and primality testing.

Arithmetic operations in GF(p)

Operation                      Bit complexity
Addition a + b mod n           O(lg a + lg b) = O(lg n)
Subtraction a − b mod n        O(lg a + lg b) = O(lg n)
Multiplication a·b mod n       O(lg a · lg b) = O((lg n)^2)
Inversion a^(−1) mod n         O((lg n)^3)
Exponentiation a^k mod n       O((lg n)^3)
Modular Addition and Subtraction

Modular Addition
Input: a modulus p and integers a, b in [0, p−1], each stored as t words, a = (a_{t−1}, …, a_1, a_0), b = (b_{t−1}, …, b_1, b_0).
Output: c = (a + b) mod p.
1. (carry, c_0) = Add(a_0, b_0);
2. For i from 1 to t−1 do: (carry, c_i) = Add_with_carry(a_i, b_i, carry);
3. If the carry bit is set, then subtract p from c = (c_{t−1}, …, c_2, c_1, c_0), ignoring the borrow out of the top word. (why??)
4. If c ≥ p then c := c − p. (why??)
5. Return(c).

Modular Subtraction
Input: a modulus p and integers a, b in [0, p−1].
Output: c = (a − b) mod p.
1. (borrow, c_0) = Subtract(a_0, b_0);
2. For i from 1 to t−1 do: (borrow, c_i) = Subtract_with_borrow(a_i, b_i, borrow);
3. If the borrow bit is set, then add p to c = (c_{t−1}, …, c_2, c_1, c_0), ignoring the carry out of the top word. (why??)
4. Return(c).
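The two word-level algorithms above, run on little-endian limb lists so that the carry and borrow bits are explicit and the two "(why??)" steps can be seen to matter. This is an added example, not code from the original slides; the word size w = 8, the two-limb modulus 65521 and the operand pairs are constructed for the demonstration, and the comments explain the correction steps.

```python
# Added example (not from the original slides): modular addition and
# subtraction on little-endian w-bit limb lists with explicit carry/borrow.

def to_limbs(x, w, t):
    """Split 0 <= x < 2**(w*t) into t little-endian w-bit limbs."""
    mask = (1 << w) - 1
    return [(x >> (w * i)) & mask for i in range(t)]

def from_limbs(limbs, w):
    return sum(l << (w * i) for i, l in enumerate(limbs))

def add_words(a, b, w):
    """Steps 1-2: multi-word add; returns (carry, c) with carry in {0, 1}."""
    W, carry, c = 1 << w, 0, []
    for ai, bi in zip(a, b):
        s = ai + bi + carry            # Add / Add_with_carry
        carry, s = s // W, s % W
        c.append(s)
    return carry, c

def sub_words(a, b, w):
    """Multi-word subtract; returns (borrow, c) with borrow in {0, 1}.
    The borrow out of the top word is reported, not folded back in."""
    W, borrow, c = 1 << w, 0, []
    for ai, bi in zip(a, b):
        d = ai - bi - borrow           # Subtract / Subtract_with_borrow
        borrow, d = (1, d + W) if d < 0 else (0, d)
        c.append(d)
    return borrow, c

def ge_words(a, b):
    """a >= b for equal-length little-endian limb lists."""
    for ai, bi in zip(reversed(a), reversed(b)):
        if ai != bi:
            return ai > bi
    return True

def mod_add(a, b, p, w):
    """c = (a + b) mod p for a, b in [0, p-1], all t limbs."""
    carry, c = add_words(a, b, w)
    if carry:
        # Step 3: a + b >= 2**(w*t) > p, so the true sum is c + 2**(w*t) and
        # (a + b) - p < p fits in t words: subtract p and drop the borrow.
        _, c = sub_words(c, p, w)
    elif ge_words(c, p):
        # Step 4: no wrap-around, but the sum reached p (a + b < 2p).
        _, c = sub_words(c, p, w)
    return c

def mod_sub(a, b, p, w):
    """c = (a - b) mod p for a, b in [0, p-1]."""
    borrow, c = sub_words(a, b, w)
    if borrow:
        # Step 3: a < b, so c holds (a - b) + 2**(w*t); adding p and dropping
        # the carry gives a - b + p, which lies in [0, p-1].
        _, c = add_words(c, p, w)
    return c

def demo(a, b, p, w=8, t=2):
    """Run both operations on integers and return (a+b mod p, a-b mod p)."""
    A, B, P = to_limbs(a, w, t), to_limbs(b, w, t), to_limbs(p, w, t)
    return (from_limbs(mod_add(A, B, P, w), w),
            from_limbs(mod_sub(A, B, P, w), w))

if __name__ == "__main__":
    p = 65521                         # largest prime below 2**16 (constructed input)
    print(demo(65520, 65519, p))      # carry set in the addition
    print(demo(65520, 10, p))         # no carry, but the sum is >= p
    print(demo(5, 10, p))             # borrow set in the subtraction
```

The first call exercises step 3 of the addition (the limb sum wraps past 2^16, and the subtraction of p must wrap again), the second exercises step 4 only, and the third shows why the subtraction drops the carry when adding p back.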
Modular Multiplication

Computation of c = ab mod n can be performed by using:
• Classical: normal integer multiplication followed by reduction.
• Blakley's method: the multiplication steps are interleaved with reduction steps.
• Montgomery's method: uses predominantly modulo 2^j arithmetic.

Modular Multiplication: Classical Method
Integer Multiplication

We perform the operations in radix W = 2^w, where w is the word size of the computer:
$$a = (a_{s-1} \cdots a_1 a_0) = \sum_{i=0}^{s-1} a_i W^i, \qquad b = (b_{s-1} \cdots b_1 b_0) = \sum_{i=0}^{s-1} b_i W^i,$$
with $a_i, b_i \in [0, W-1]$ for $i = 0, 1, \ldots, s-1$, and the product $t = ab = (t_{2s-1} \cdots t_1 t_0)$ with $t_i \in [0, W-1]$ for $i = 0, 1, \ldots, 2s-1$. The partial products are $t_{ij} := a_j b_i$.
We define (Carry, Sum) pairs: (C, S) := x means x = C·W + S with 0 ≤ S < W.
Schoolbook layout for s = 4 (t_ij = a_j b_i, row i shifted i positions to the left):

                          a3   a2   a1   a0
                     ×    b3   b2   b1   b0
                     ----------------------
                         t03  t02  t01  t00
                    t13  t12  t11  t10
               t23  t22  t21  t20
          t33  t32  t31  t30
     ----------------------------------------
      t7   t6   t5   t4   t3   t2   t1   t0
Algorithm (all t_i initialized to 0):
1. for i = 0 to s−1 do:
2.   C := 0
3.   for j = 0 to s−1 do:
4.     (C, S) := t_{i+j} + a_j·b_i + C;
5.     t_{i+j} := S;
6.   end
7.   t_{i+s} := C;
8. end
Worked trace with W = 10, s = 3, a = (a2 a1 a0) = (3 4 8) and b = (b2 b1 b0) = (8 5 7), i.e., a = 348 and b = 857. The partial t is shown as t5 t4 t3 t2 t1 t0; at the last step of each row the carry word t_{i+s} is included.

i = 0 (b0 = 7)
Step j   t_{i+j} + a_j·b_i + C   (C, S)   Partial t
  –                              (0, *)   000000
  0      0 + 8·7 + 0 = 56        (5, 6)   000006
  1      0 + 4·7 + 5 = 33        (3, 3)   000036
  2      0 + 3·7 + 3 = 24        (2, 4)   002436

i = 1 (b1 = 5)
Step j   t_{i+j} + a_j·b_i + C   (C, S)   Partial t
  –                              (0, *)   002436
  0      3 + 8·5 + 0 = 43        (4, 3)   002436
  1      4 + 4·5 + 4 = 28        (2, 8)   002836
  2      2 + 3·5 + 2 = 19        (1, 9)   019836

i = 2 (b2 = 8)
Step j   t_{i+j} + a_j·b_i + C   (C, S)   Partial t
  –                              (0, *)   019836
  0      8 + 8·8 + 0 = 72        (7, 2)   019236
  1      9 + 4·8 + 7 = 48        (4, 8)   018236
  2      1 + 3·8 + 4 = 29        (2, 9)   298236

Result: t = 298236 = 348·857.
This algorithm requires s^2 = (k/w)^2 inner-product steps (C, S) := t_{i+j} + a_j b_i + C; in other words, O(k^2) bit operations. The variables t_{i+j}, a_j, b_i, C and S each hold a single word, i.e., a w-bit number. Notice that the main operation in the loop yields a double word, i.e., a 2w-bit number, since
$$(W-1) + (W-1)(W-1) + (W-1) = W^2 - 1,$$
so the result always fits in the pair (C, S).
Integer Squaring

A straightforward modification of the multiplication algorithm gives the following algorithm for squaring, which needs roughly half as many single-word multiplications: each cross product a_i a_j with i ≠ j is computed once and accumulated twice. Below, (uv) denotes a double word with high word u and low word v.

Integer Squaring [Guajardo and Paar]
Input: an integer a ∈ [0, p−1], a = (a_{t−1} a_{t−2} … a_1 a_0).
Output: c = a^2 = (c_{2t−1} … c_1 c_0).
1. for i from 0 to 2t−1 do: c_i = 0;
2. for i from 0 to t−1 do
3.   (uv) = c_{2i} + a_i^2;
4.   c_{2i} = v; C1 = u; C2 = 0;
5.   for j from i+1 to t−1 do
6.     (uv) = c_{i+j} + a_i a_j + C1; C1 = u;
7.     (uv) = v + a_i a_j + C2; c_{i+j} = v; C2 = u;
8.   (uv) = C1 + C2; C2 = u;
9.   (uv) = c_{i+t} + v; c_{i+t} = v;
10.  c_{i+t+1} = C2 + u;   (for i = t−1 this value is always 0 and c_{2t} is discarded)
11. return (c);
Integer Squaring [Classical]
Input: an integer a ∈ [0, p−1], a = (a_{t−1} a_{t−2} … a_1 a_0).
Output: c = a^2.
1. r0 = r1 = r2 = 0;
2. for k from 0 to 2(t−1) do
3.   for each element of {(i, j) | i + j = k, 0 ≤ i ≤ j < t} do
4.     (uv) = a_i a_j;
5.     if (i < j) then (uv) = (uv) << 1; r2 = AddC(r2, 0);   (the bit shifted out goes into r2)
6.     r0 = Add(r0, v); r1 = AddC(r1, u); r2 = AddC(r2, 0);
7.   end
8.   c_k = r0; r0 = r1; r1 = r2; r2 = 0;
9. end
10. c_{2t−1} = r0;
11. return (c);
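The schoolbook multiplication of this section, instrumented to emit the (C, S) trace shown on the slides, together with the Guajardo-Paar squaring algorithm, both on little-endian digit lists in a parameterised radix W. This is an added example, not code from the original slides; the radix is left as a parameter so the W = 10 trace can be reproduced exactly, and the 32-bit-word inputs at the end are constructed for the demonstration.

```python
# Added example (not from the original slides): word-level schoolbook
# multiplication with (C, S) trace and Guajardo-Paar squaring, radix W.

def mul_words(a, b, W, trace=None):
    """t = a * b as 2s digits; (C, S) := t[i+j] + a[j]*b[i] + C at each step.
    If trace is a list, (i, j, (C, S), digits) is appended after every step."""
    s = len(a)
    t = [0] * (2 * s)
    for i in range(s):
        C = 0
        for j in range(s):
            C, S = divmod(t[i + j] + a[j] * b[i] + C, W)   # (C, S) pair
            t[i + j] = S
            if trace is not None:
                snap = list(t)
                if j == s - 1:
                    snap[i + s] = C   # the slides show the carry word at row end
                trace.append((i, j, (C, S), "".join(str(d) for d in reversed(snap))))
        t[i + s] = C                  # carry out of the inner loop
    return t

def sqr_words(a, W):
    """c = a*a by the Guajardo-Paar method: each a_i*a_j (i < j) is multiplied
    once and accumulated twice through the two carry chains C1 and C2."""
    t = len(a)
    c = [0] * (2 * t + 1)             # one spare word for c[i+t+1] at i = t-1
    for i in range(t):
        u, v = divmod(c[2 * i] + a[i] * a[i], W)
        c[2 * i], C1, C2 = v, u, 0
        for j in range(i + 1, t):
            u, v = divmod(c[i + j] + a[i] * a[j] + C1, W); C1 = u
            u, v = divmod(v + a[i] * a[j] + C2, W);        c[i + j], C2 = v, u
        u, v = divmod(C1 + C2, W); C2 = u
        u, v = divmod(c[i + t] + v, W); c[i + t] = v
        c[i + t + 1] = C2 + u         # always 0 for i = t-1 since a*a < W**(2t)
    assert c[2 * t] == 0
    return c[:2 * t]

def digits(x, W, n):
    """Little-endian radix-W digits of x, padded to n digits."""
    out = []
    for _ in range(n):
        x, d = divmod(x, W)
        out.append(d)
    return out

def value(ds, W):
    return sum(d * W ** i for i, d in enumerate(ds))

if __name__ == "__main__":
    trace = []
    t = mul_words(digits(348, 10, 3), digits(857, 10, 3), 10, trace)
    for row in trace:
        print(row)                    # the nine (C, S) steps of the slides
    print(value(t, 10))               # 298236
    print(value(sqr_words(digits(99, 10, 2), 10), 10))   # 9801
    W = 1 << 32                       # realistic size: 4 words of 32 bits
    x = 0xDEADBEEFCAFEBABE0123456789ABCDEF
    print(value(sqr_words(digits(x, W, 4), W), W) == x * x)
```

With W = 2^32 every intermediate (uv) fits in 64 bits, which is the property the slides derive from (W−1)(W−1) + 2(W−1) = W^2 − 1; the spare top word in sqr_words is only there because step 10 of the algorithm writes c_{2t} on the last pass.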
Reduction

Given t, compute R satisfying t = Qn + R with 0 ≤ R < n. Here t is a 2k-bit number and n is a k-bit number. The numbers t and n are positive, so the results Q and R are positive too. Since we are not interested in the quotient, the steps of the division algorithm can be simplified.

Two algorithms of interest:
• Restoring division
• Non-restoring division
Restoring Division

1. R_0 := t;
2. N := 2^k·n;
3. for i = 1 to k+1 do:
4.   R_i := R_{i−1} − N;
5.   if R_i < 0 then R_i := R_{i−1};
6.   N := N/2;
7. end
8. Return R_{k+1};

The loop runs k+1 times so that the last subtraction uses the unshifted n: since t < 2^{2k} and n ≥ 2^{k−1}, the quotient t/n can have k+1 bits, and stopping after the subtraction with 2n would leave a remainder in [0, 2n) rather than [0, n).
Restoring Division: An example

We give an example of the restoring division algorithm for computing 3019 mod 53, where
3019 = (101111001011)_2, 53 = (110101)_2, k = 6.
The result is 51 = (110011)_2.

Step i   shifted N             R_{i−1} − N          action        R_i
  –                                                  R_0 = t       3019 = 101111001011
  1      3392 = 110101000000   3019 − 3392 = −373   restore       3019 = 101111001011
  2      1696 = 11010100000    3019 − 1696 = 1323   not restore   1323 = 10100101011
  3       848 = 1101010000     1323 − 848 = 475     not restore    475 = 111011011
  4       424 = 110101000      475 − 424 = 51       not restore     51 = 110011
  5       212 = 11010100       51 − 212 = −161      restore         51 = 110011
  6       106 = 1101010        51 − 106 = −55       restore         51 = 110011
  7        53 = 110101         51 − 53 = −2         restore         51 = 110011

Final remainder R = 51 = (110011)_2.
Non-Restoring Division Algorithm

• The non-restoring division algorithm allows a negative remainder.
• Suppose R_i := R_{i−1} − N < 0; then the restoring algorithm assigns R_i := R_{i−1} and performs a subtraction with the shifted N in the next cycle, obtaining R_{i+1} := R_i − N/2 = R_{i−1} − N/2.
• However, if R_i = R_{i−1} − N < 0, the non-restoring algorithm lets R_i remain negative and adds the shifted N in the following cycle. Thus it obtains
R_{i+1} := R_i + N/2 = (R_{i−1} − N) + N/2 = R_{i−1} − N/2,
i.e., the same value (!!)
1. R_0 := t;
2. N := 2^k·n;
3. for i = 1 to k+1 do:
4.   if R_{i−1} < 0 then R_i := R_{i−1} + N;
5.   else R_i := R_{i−1} − N;
6.   N := N/2;
7. end
8. if R_{k+1} < 0 then R_{k+1} := R_{k+1} + n;   (final restoration with the unshifted n)
9. Return R_{k+1};

• Since the remainder is allowed to stay negative, we use 2's complement coding to represent such numbers.
• Also note that the non-restoring division algorithm may require a final restoration cycle (step 8), in which a negative remainder is corrected by adding the modulus n back to it.
• Example: computation of 51 = 3019 mod 53.
Non-Restoring Division: An example

Step i   shifted N             R_{i−1} < 0?   operation      R_i
  –                                           R_0 = t        3019 = 101111001011
  1      3392 = 110101000000   no             3019 − 3392    −373
  2      1696 = 11010100000    yes            −373 + 1696    1323
  3       848 = 1101010000     no             1323 − 848      475
  4       424 = 110101000      no             475 − 424        51
  5       212 = 11010100       no             51 − 212       −161
  6       106 = 1101010        yes            −161 + 106      −55
  7        53 = 110101         yes            −55 + 53         −2

R_7 = −2 is negative, so the final restoration adds n = 53: R = −2 + 53 = 51 = (110011)_2, the same remainder as the restoring algorithm.
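Both reduction algorithms of this section, written with the k+1 subtraction steps discussed above and returning the sequence R_0, R_1, … so the 3019 mod 53 tables can be checked. This is an added example, not code from the original slides; Python integers stand in for the two's-complement registers, and the small exhaustive check plus the 11 mod 3 case (where the step with the unshifted n is the one that matters) are constructed inputs.

```python
# Added example (not from the original slides): restoring and non-restoring
# reduction of a 2k-bit t modulo a k-bit n, with the partial-remainder trace.

def restoring_mod(t, n, k):
    """t mod n by restoring division; requires 2**(k-1) <= n < 2**k
    and 0 <= t < 2**(2*k). Returns (remainder, [R_0, R_1, ..., R_{k+1}])."""
    assert 2 ** (k - 1) <= n < 2 ** k and 0 <= t < 2 ** (2 * k)
    N = n << k                      # shifted modulus, 2**k * n
    R = t
    trace = [R]
    for _ in range(k + 1):          # shifts k, k-1, ..., 0
        D = R - N
        if D >= 0:                  # keep the difference ("not restore")
            R = D
        trace.append(R)             # otherwise R_i := R_{i-1} ("restore")
        N >>= 1
    return R, trace

def nonrestoring_mod(t, n, k):
    """t mod n by non-restoring division: a negative partial remainder is
    kept and the shifted modulus is added in the next cycle."""
    assert 2 ** (k - 1) <= n < 2 ** k and 0 <= t < 2 ** (2 * k)
    N = n << k
    R = t
    trace = [R]
    for _ in range(k + 1):
        R = R + N if R < 0 else R - N
        trace.append(R)
        N >>= 1
    if R < 0:                       # final restoration cycle with the unshifted n
        R += n
    return R, trace

def check_all(k):
    """Exhaustively compare both algorithms with t % n for every k-bit n
    and every 2k-bit t (small k only)."""
    for n in range(2 ** (k - 1), 2 ** k):
        for t in range(2 ** (2 * k)):
            if restoring_mod(t, n, k)[0] != t % n:
                return False
            if nonrestoring_mod(t, n, k)[0] != t % n:
                return False
    return True

if __name__ == "__main__":
    print(restoring_mod(3019, 53, 6))     # (51, [3019, 3019, 1323, 475, 51, 51, 51, 51])
    print(nonrestoring_mod(3019, 53, 6))  # (51, [3019, -373, 1323, 475, 51, -161, -55, -2])
    print(restoring_mod(11, 3, 2))        # (2, ...): the unshifted-n step is needed here
    print(check_all(4))                   # True
```

The invariant behind the non-restoring variant is that before the step using N the partial remainder lies in [−2N, 2N), so after the last step it lies in [−n, n) and a single conditional addition of n finishes the job.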
Barrett Reduction

Barrett reduction computes r = x mod p given x and p. The algorithm requires the precomputation of the quantity
$$\mu = \left\lfloor \frac{b^{2k}}{p} \right\rfloor.$$
It is advantageous if many reductions are performed with a single modulus. Typically the radix b is chosen to be a power of two close to the word size of the processor.

Barrett reduction is based on the following fact: given $x \ge 0$ and $p > 0$, x can be written as $x = Qp + R$ with $Q = \lfloor x/p \rfloor$ and $0 \le R < p$, and the quotient can be written as
$$Q = \left\lfloor \frac{x}{p} \right\rfloor = \left\lfloor \frac{(x/b^{k-1})\,(b^{2k}/p)}{b^{k+1}} \right\rfloor .$$
Replacing the two inner quotients by their integer parts gives the estimate
$$\hat{q} = \left\lfloor \frac{\lfloor x/b^{k-1} \rfloor \cdot \lfloor b^{2k}/p \rfloor}{b^{k+1}} \right\rfloor = \left\lfloor \frac{\lfloor x/b^{k-1} \rfloor \cdot \mu}{b^{k+1}} \right\rfloor ,$$
which satisfies $\hat{q} \le Q \le \hat{q} + 2$, so at most two corrective subtractions of p are needed.
Input: positive integers $x = (x_{2k-1} \cdots x_1 x_0)_b$ and $p = (p_{k-1} \cdots p_1 p_0)_b$ with $p_{k-1} \ne 0$, where $b \ge 3$, $k = \lfloor \log_b p \rfloor + 1$, $0 \le x < b^{2k}$, and the precomputed $\mu = \lfloor b^{2k}/p \rfloor$.
Output: x mod p.
1. $\hat{q} = \left\lfloor \lfloor x / b^{k-1} \rfloor \cdot \mu \,/\, b^{k+1} \right\rfloor$;
2. $r = (x \bmod b^{k+1}) - (\hat{q}\, p \bmod b^{k+1})$;
3. if $r < 0$ then $r = r + b^{k+1}$;
4. while $r \ge p$ do: $r = r - p$;
5. Return(r).
Example: let b = 4, k = 3, x = (313221)_b and p = (233)_b (i.e., x = 3561 and p = 47). Then
µ = ⌊b^{2k}/p⌋ = ⌊4^6/47⌋ = ⌊4096/47⌋ = 87 = (1113)_b,
⌊x/b^{k−1}⌋ = ⌊(313221)_b / 4^2⌋ = (3132)_b = 222,
⌊x/b^{k−1}⌋·µ = (3132)_b · (1113)_b = (10231302)_b = 19314.
Hence q̂ = ⌊(10231302)_b / 4^4⌋ = (1023)_b = 75,
r_1 = x mod b^4 = (3221)_b = 233 (why??),
r_2 = q̂·p mod b^4 = (1023)_b·(233)_b mod 4^4 = (3011)_b = 197, and
r = r_1 − r_2 = (210)_b = 36, which is non-negative and already smaller than p, so no correction is needed.
Thus x mod p = (210)_b = 36.
Barrett Reduction: Computational efficiency

• All divisions performed in the algorithm are simple right shifts of the base-b representation.
• The k+1 least significant digits of ⌊x/b^{k−1}⌋·µ are discarded by the division by b^{k+1}, so they are not needed to determine q̂ (why??), and only a partial multiple-precision multiplication is necessary.

Reduction

The arithmetic in Barrett reduction can be reduced further by choosing b to be a power of 2. For primes p of special form there exist very fast modular reduction techniques [for example, see "Software Implementation of the NIST Elliptic Curves Over Prime Fields", Brown, Hankerson, López and Menezes].
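Barrett reduction as specified above, with the radix b and digit count k as parameters, reproducing the b = 4, k = 3, p = 47 example and then checking the "at most two subtractions" bound exhaustively for that modulus. This is an added example, not code from the original slides; the 64-bit modulus 2^64 − 59 with b = 2^32 and the 128-bit input are constructed to show the word-sized radix used in practice.

```python
# Added example (not from the original slides): Barrett reduction with the
# precomputed mu, plus an exhaustive check of the correction bound.

def barrett_mu(p, b, k):
    """Precomputation mu = floor(b**(2k) / p), valid while b**(k-1) <= p < b**k."""
    assert b ** (k - 1) <= p < b ** k
    return b ** (2 * k) // p

def barrett_reduce(x, p, b, k, mu):
    """Return (x mod p, number of final subtractions) for 0 <= x < b**(2k)."""
    assert 0 <= x < b ** (2 * k)
    q_hat = ((x // b ** (k - 1)) * mu) // b ** (k + 1)       # step 1: shifts only
    r = (x % b ** (k + 1)) - ((q_hat * p) % b ** (k + 1))    # step 2: k+1 low digits
    if r < 0:                                                # step 3
        r += b ** (k + 1)
    corrections = 0
    while r >= p:                                            # step 4: at most twice
        r -= p
        corrections += 1
    return r, corrections

def max_corrections(p, b, k):
    """Largest number of step-4 subtractions over every admissible x,
    checking each result against x % p on the way."""
    mu = barrett_mu(p, b, k)
    worst = 0
    for x in range(b ** (2 * k)):
        r, c = barrett_reduce(x, p, b, k, mu)
        assert r == x % p
        worst = max(worst, c)
    return worst

def to_base(x, b):
    """Digit string of x in radix b, for comparing with the (...)_b notation."""
    if x == 0:
        return "0"
    ds = []
    while x:
        x, d = divmod(x, b)
        ds.append(str(d))
    return "".join(reversed(ds))

if __name__ == "__main__":
    b, k, p, x = 4, 3, 47, 3561
    mu = barrett_mu(p, b, k)
    print(mu, to_base(mu, b))                 # 87 (1113)_4
    print(barrett_reduce(x, p, b, k, mu))     # (36, 0)
    print(to_base(36, b))                     # 210
    print(max_corrections(p, b, k))           # never more than 2
    B, K = 1 << 32, 2                         # word-sized radix, 64-bit modulus
    P = (1 << 64) - 59
    MU = barrett_mu(P, B, K)
    X = 0x123456789ABCDEF0FEDCBA9876543210
    print(barrett_reduce(X, P, B, K, MU)[0] == X % P)
```

The bound follows because each floor in q̂ loses less than b^{k+1} in the numerator, so q̂ is at most 2 below the true quotient, and x − q̂p < 3p < b^{k+1} is why step 2 only needs the low k+1 digits.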
Modular Multiplication: Blakley's Method

Blakley's Method
Let $a_i$ and $b_i$ represent the bits of the k-bit numbers a and b, respectively. The product t (a 2k-bit number) can be written as
$$t = a \cdot b = \left( \sum_{i=0}^{k-1} a_i 2^i \right) b = \sum_{i=0}^{k-1} (a_i b)\, 2^i .$$
This formulation yields the shift-add multiplication algorithm. Blakley's algorithm uses this formulation and furthermore reduces the partial product modulo n at each step.
1. R := 0;
2. for i = 0 to k−1 do
3.   R := 2R + a_{k−1−i}·b;
4.   R := R mod n;
5. end
6. Return R;

Assuming that 0 ≤ a, b, R ≤ n−1, the new R in step 3 will be in the range 0 ≤ R ≤ 3n − 3, since
$$R := 2R + a_j b \le 2(n-1) + (n-1) = 3n - 3 .$$
At most two subtractions will be needed to bring the new R to the range [0, n−1]. Thus step 4 can be implemented as
While (R ≥ n) R := R − n;
Blakley's algorithm computes the remainder R in k steps, where at each step one left shift, one addition, and at most two subtractions are performed; the operands involved in these computations are of length k bits.
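Blakley's interleaved shift-add multiplication with the bounded subtraction loop justified above, instrumented to report the largest number of subtractions any single step needed. This is an added example, not code from the original slides; the operands 348, 857 mod 1009, the exhaustive scan modulo 61 and the 61-bit Mersenne modulus are constructed test inputs.

```python
# Added example (not from the original slides): Blakley's method with the
# "at most two subtractions" reduction step and a counter to verify it.

def blakley_mulmod(a, b, n, k=None):
    """a*b mod n for 0 <= a, b < n, scanning the k bits of a from the top.
    Returns (R, worst), worst = max subtractions used by one step-4 loop."""
    assert 0 <= a < n and 0 <= b < n
    if k is None:
        k = n.bit_length()
    assert a < (1 << k)
    R, worst = 0, 0
    for i in range(k):
        bit = (a >> (k - 1 - i)) & 1      # a_{k-1-i}
        R = 2 * R + bit * b               # step 3: R <= 2(n-1) + (n-1) = 3n - 3
        subs = 0
        while R >= n:                     # step 4: at most two subtractions
            R -= n
            subs += 1
        worst = max(worst, subs)
    return R, worst

def worst_case_subtractions(n):
    """Scan every pair (a, b) mod n and report the most subtractions seen."""
    return max(blakley_mulmod(a, b, n)[1] for a in range(n) for b in range(n))

if __name__ == "__main__":
    print(blakley_mulmod(348, 857, 1009))        # (581, ...)
    print(worst_case_subtractions(61))           # 2: the bound is tight
    n = (1 << 61) - 1                            # 61-bit operands (Mersenne prime)
    a, b = 0x1234567890ABCDE, 0xFEDCBA987654321
    print(blakley_mulmod(a, b, n)[0] == a * b % n)
```

Every intermediate value stays below 3n, so a hardware or fixed-width implementation needs only two extra bits above the k-bit operand width; the final while loop is what the slides' reasoning guarantees to terminate in at most two rounds.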
Modular Multiplication: Montgomery's Method

Montgomery's Method
This method replaces division by n with division by r = 2^k. Assuming n is a k-bit odd integer, i.e., 2^{k−1} < n < 2^k, we assign r = 2^k. Now we map the integers a ∈ [0, n−1] to the integers ā ∈ [0, n−1] using the one-to-one mapping
$$\bar{a} := a \cdot r \bmod n .$$
We call ā the n-residue of a.
We now define the Montgomery product of two n-residues as
$$\mathrm{MonPro}(\bar{a}, \bar{b}) = \bar{a} \cdot \bar{b} \cdot r^{-1} \bmod n .$$
We also need n' such that $r r^{-1} - n n' = 1$; $r^{-1}$ and n' are computed by using the extended Euclidean algorithm.

MonPro(ā, b̄):
1. t := ā·b̄;
2. m := t·n' mod r;
3. u := (t + m·n)/r;
4. if u ≥ n then return (u − n) else return u;
This routine requires only modulo r arithmetic, which is efficiently accomplished on a computer if r = 2^j.

Theorem 1. If c = ab mod n then $\bar{c} = \mathrm{MonPro}(\bar{a}, \bar{b})$.
Proof:
$$\bar{c} = c \cdot r \bmod n = a \cdot b \cdot r \bmod n = (a r)(b r)\, r^{-1} \bmod n = \bar{a} \cdot \bar{b} \cdot r^{-1} \bmod n = \mathrm{MonPro}(\bar{a}, \bar{b}) .$$
Theorem 2. $c = \mathrm{MonPro}(\bar{c}, 1)$.
Proof:
$$\mathrm{MonPro}(\bar{c}, 1) = \bar{c} \cdot 1 \cdot r^{-1} \bmod n = c \cdot r \cdot r^{-1} \bmod n = c \bmod n = c .$$
The MonPro procedure can be utilized to compute c := ab mod n as follows:
ModMul(a, b, n) /* n is odd (why???) */
1. Compute n' using the EEA.
2. ā := a·r mod n;
3. b̄ := b·r mod n;
4. c̄ := MonPro(ā, b̄);
5. c := MonPro(c̄, 1);
6. Return c;
Since the preprocessing operations, namely
• computation of n',
• conversion from ordinary to n-residue form, and
• conversion from n-residue to ordinary form,
are time consuming, it is not a good idea to use Montgomery's method for a single modular multiplication. However, it is very suitable for modular exponentiation.
The MonPro procedure can be utilized to compute C := M^e mod n, where (e_{k−1} … e_1 e_0)_2 is the binary expansion of e, as follows:
ModExp(M, e, n) /* n is odd (why???) */
1. Compute n' using the EEA.
2. M̄ := M·r mod n;
3. C̄ := 1·r mod n;
4. for i = k−1 down to 0 do
5.   C̄ := MonPro(C̄, C̄);
6.   if e_i = 1 then C̄ := MonPro(M̄, C̄);
7. C := MonPro(C̄, 1);
8. Return C;
This function uses the binary method, which will be discussed in detail later. Any other exponentiation algorithm will work as well.
Example: computation of 7^10 mod 13. Here n = 13, k = 4, r = 2^k = 16. Since 16·9 − 13·11 = 1, we have r^{−1} = 9 and n' = 11.
M = 7, thus M̄ := M·r mod n = 7·16 mod 13 = 8.
C = 1, thus C̄ := 1·r mod n = 16 mod 13 = 3.
Hence, with e = 10 = (1010)_2:

e_i   Step 5                Step 6
 1    MonPro(3, 3) = 3      MonPro(8, 3) = 8
 0    MonPro(8, 8) = 4      (skipped)
 1    MonPro(4, 4) = 1      MonPro(8, 1) = 7
 0    MonPro(7, 7) = 12     (skipped)

Step 7: C = MonPro(12, 1) = 4, so 7^10 mod 13 = 4.

Computation of MonPro(3, 3):
t := 3·3 = 9;
m := 9·11 mod 16 = 3;
u := (9 + 3·13)/16 = 48/16 = 3.

Computation of MonPro(8, 1):
t := 8·1 = 8;
m := 8·11 mod 16 = 8;
u := (8 + 8·13)/16 = 112/16 = 7.
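MonPro, ModMul and ModExp exactly as laid out in this section, with r = 2^k and n' derived from r^{−1} mod n; ModExp also returns the sequence of MonPro results so the 7^10 mod 13 table can be checked step by step. This is an added example, not code from the original slides; the inverse is obtained with Python's pow(r, -1, n) (Python 3.8 or later), which computes the same value the slides obtain with the extended Euclidean algorithm, and the 127-bit Mersenne modulus used at the end is a constructed test input.

```python
# Added example (not from the original slides): Montgomery product and the
# ModMul / ModExp wrappers of the slides, with a trace for the worked example.

def montgomery_setup(n):
    """k, r = 2**k, r^-1 mod n and n' with r*r^-1 - n*n' = 1. n must be odd
    so that gcd(r, n) = 1 and r^-1 exists (the "why???" on the slides)."""
    assert n % 2 == 1 and n > 1
    k = n.bit_length()
    r = 1 << k
    r_inv = pow(r, -1, n)             # same value the EEA would produce
    n_prime = (r * r_inv - 1) // n    # exact: r*r_inv = 1 (mod n)
    return k, r, r_inv, n_prime

def monpro(abar, bbar, n, r, n_prime):
    """Montgomery product abar*bbar*r^-1 mod n using only mod-r arithmetic."""
    t = abar * bbar                          # step 1
    m = (t * n_prime) % r                    # step 2: makes t + m*n divisible by r
    u = (t + m * n) // r                     # step 3: exact division, a shift for r = 2**k
    return u - n if u >= n else u            # step 4: u < 2n, one conditional subtraction

def modmul(a, b, n):
    """ModMul: a*b mod n through the n-residues (Theorems 1 and 2)."""
    k, r, r_inv, n_prime = montgomery_setup(n)
    abar, bbar = (a * r) % n, (b * r) % n
    cbar = monpro(abar, bbar, n, r, n_prime)
    return monpro(cbar, 1, n, r, n_prime)

def modexp(M, e, n):
    """ModExp with the left-to-right binary method; returns (M**e mod n, trace)
    where trace lists every MonPro result of steps 5 and 6 in order."""
    k, r, r_inv, n_prime = montgomery_setup(n)
    Mbar = (M * r) % n
    Cbar = r % n                             # n-residue of 1
    trace = []
    for i in range(e.bit_length() - 1, -1, -1):
        Cbar = monpro(Cbar, Cbar, n, r, n_prime)          # step 5
        trace.append(Cbar)
        if (e >> i) & 1:
            Cbar = monpro(Mbar, Cbar, n, r, n_prime)      # step 6
            trace.append(Cbar)
    return monpro(Cbar, 1, n, r, n_prime), trace          # step 7

if __name__ == "__main__":
    print(montgomery_setup(13))              # (4, 16, 9, 11)
    print(modexp(7, 10, 13))                 # (4, [3, 8, 4, 1, 7, 12])
    print(modmul(7, 7, 13))                  # 10
    n = (1 << 127) - 1                       # odd 127-bit modulus (constructed)
    print(modexp(3, 1 << 100, n)[0] == pow(3, 1 << 100, n))
```

The setup cost (n', the two conversions) is paid once per exponentiation, which is the point the slides make about Montgomery's method being suited to exponentiation rather than to a single product; note also that the conditional subtraction in step 4 is a data-dependent branch, which constant-time implementations replace with a masked subtraction.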