|
19
|
1 \documentclass[b5paper]{book} |
|
|
2 \usepackage{hyperref} |
|
|
3 \usepackage{makeidx} |
|
|
4 \usepackage{amssymb} |
|
|
5 \usepackage{color} |
|
|
6 \usepackage{alltt} |
|
|
7 \usepackage{graphicx} |
|
|
8 \usepackage{layout} |
|
|
9 \def\union{\cup} |
|
|
10 \def\intersect{\cap} |
|
|
11 \def\getsrandom{\stackrel{\rm R}{\gets}} |
|
|
12 \def\cross{\times} |
|
|
13 \def\cat{\hspace{0.5em} \| \hspace{0.5em}} |
|
|
14 \def\catn{$\|$} |
|
|
15 \def\divides{\hspace{0.3em} | \hspace{0.3em}} |
|
|
16 \def\nequiv{\not\equiv} |
|
|
17 \def\approx{\raisebox{0.2ex}{\mbox{\small $\sim$}}} |
|
|
18 \def\lcm{{\rm lcm}} |
|
|
19 \def\gcd{{\rm gcd}} |
|
|
20 \def\log{{\rm log}} |
|
|
21 \def\ord{{\rm ord}} |
|
|
22 \def\abs{{\mathit abs}} |
|
|
23 \def\rep{{\mathit rep}} |
|
|
24 \def\mod{{\mathit\ mod\ }} |
|
|
25 \renewcommand{\pmod}[1]{\ ({\rm mod\ }{#1})} |
|
|
26 \newcommand{\floor}[1]{\left\lfloor{#1}\right\rfloor} |
|
|
27 \newcommand{\ceil}[1]{\left\lceil{#1}\right\rceil} |
|
|
28 \def\Or{{\rm\ or\ }} |
|
|
29 \def\And{{\rm\ and\ }} |
|
|
30 \def\iff{\hspace{1em}\Longleftrightarrow\hspace{1em}} |
|
|
31 \def\implies{\Rightarrow} |
|
|
32 \def\undefined{{\rm ``undefined"}} |
|
|
33 \def\Proof{\vspace{1ex}\noindent {\bf Proof:}\hspace{1em}} |
|
|
34 \let\oldphi\phi |
|
|
35 \def\phi{\varphi} |
|
|
36 \def\Pr{{\rm Pr}} |
|
|
37 \newcommand{\str}[1]{{\mathbf{#1}}} |
|
|
38 \def\F{{\mathbb F}} |
|
|
39 \def\N{{\mathbb N}} |
|
|
40 \def\Z{{\mathbb Z}} |
|
|
41 \def\R{{\mathbb R}} |
|
|
42 \def\C{{\mathbb C}} |
|
|
43 \def\Q{{\mathbb Q}} |
|
|
44 \definecolor{DGray}{gray}{0.5} |
|
|
45 \newcommand{\emailaddr}[1]{\mbox{$<${#1}$>$}} |
|
|
46 \def\twiddle{\raisebox{0.3ex}{\mbox{\tiny $\sim$}}} |
|
|
47 \def\gap{\vspace{0.5ex}} |
|
|
48 \makeindex |
|
|
49 \begin{document} |
|
|
50 \frontmatter |
|
|
51 \pagestyle{empty} |
|
|
52 \title{Implementing Multiple Precision Arithmetic \\ ~ \\ Draft Edition } |
|
|
53 \author{\mbox{ |
|
|
54 %\begin{small} |
|
|
55 \begin{tabular}{c} |
|
|
56 Tom St Denis \\ |
|
|
57 Algonquin College \\ |
|
|
58 \\ |
|
|
59 Mads Rasmussen \\ |
|
|
60 Open Communications Security \\ |
|
|
61 \\ |
|
|
62 Greg Rose \\ |
|
|
63 QUALCOMM Australia \\ |
|
|
64 \end{tabular} |
|
|
65 %\end{small} |
|
|
66 } |
|
|
67 } |
|
|
68 \maketitle |
|
|
69 This text has been placed in the public domain. This text corresponds to the v0.30 release of the |
|
|
70 LibTomMath project. |
|
|
71 |
|
|
72 \begin{alltt} |
|
|
73 Tom St Denis |
|
|
74 111 Banning Rd |
|
|
75 Ottawa, Ontario |
|
|
76 K2L 1C3 |
|
|
77 Canada |
|
|
78 |
|
|
79 Phone: 1-613-836-3160 |
|
|
80 Email: [email protected] |
|
|
81 \end{alltt} |
|
|
82 |
|
|
83 This text is formatted to the international B5 paper size of 176mm wide by 250mm tall using the \LaTeX{} |
|
|
84 {\em book} macro package and the Perl {\em booker} package. |
|
|
85 |
|
|
86 \tableofcontents |
|
|
87 \listoffigures |
|
|
88 \chapter*{Prefaces to the Draft Edition} |
|
|
89 I started this text in April 2003 to complement my LibTomMath library. That is, explain how to implement the functions |
|
|
90 contained in LibTomMath. The goal is to have a textbook that any Computer Science student can use when implementing their |
|
|
91 own multiple precision arithmetic. The plan I wanted to follow was flesh out all the |
|
|
92 ideas and concepts I had floating around in my head and then work on it afterwards refining a little bit at a time. Chance |
|
|
93 would have it that I ended up with my summer off from Algonquin College and I was given four months solid to work on the |
|
|
94 text. |
|
|
95 |
|
|
96 Choosing to not waste any time I dove right into the project even before my spring semester was finished. I wrote a bit |
|
|
97 off and on at first. The moment my exams were finished I jumped into long 12 to 16 hour days. The result after only |
|
|
98 a couple of months was a ten chapter, three hundred page draft that I quickly had distributed to anyone who wanted |
|
|
99 to read it. I had Jean-Luc Cooke print copies for me and I brought them to Crypto'03 in Santa Barbara. So far I have |
|
|
100 managed to grab a certain level of attention having people from around the world ask me for copies of the text was certain |
|
|
101 rewarding. |
|
|
102 |
|
|
103 Now we are past December 2003. By this time I had pictured that I would have at least finished my second draft of the text. |
|
|
104 Currently I am far off from this goal. I've done partial re-writes of chapters one, two and three but they are not even |
|
|
105 finished yet. I haven't given up on the project, only had some setbacks. First O'Reilly declined to publish the text then |
|
|
106 Addison-Wesley and Greg is tried another which I don't know the name of. However, at this point I want to focus my energy |
|
|
107 onto finishing the book not securing a contract. |
|
|
108 |
|
|
109 So why am I writing this text? It seems like a lot of work right? Most certainly it is a lot of work writing a textbook. |
|
|
110 Even the simplest introductory material has to be lined with references and figures. A lot of the text has to be re-written |
|
|
111 from point form to prose form to ensure an easier read. Why am I doing all this work for free then? Simple. My philosophy |
|
|
112 is quite simply ``Open Source. Open Academia. Open Minds'' which means that to achieve a goal of open minds, that is, |
|
|
113 people willing to accept new ideas and explore the unknown you have to make available material they can access freely |
|
|
114 without hinderance. |
|
|
115 |
|
|
116 I've been writing free software since I was about sixteen but only recently have I hit upon software that people have come |
|
|
117 to depend upon. I started LibTomCrypt in December 2001 and now several major companies use it as integral portions of their |
|
|
118 software. Several educational institutions use it as a matter of course and many freelance developers use it as |
|
|
119 part of their projects. To further my contributions I started the LibTomMath project in December 2002 aimed at providing |
|
|
120 multiple precision arithmetic routines that students could learn from. That is write routines that are not only easy |
|
|
121 to understand and follow but provide quite impressive performance considering they are all in standard portable ISO C. |
|
|
122 |
|
|
123 The second leg of my philosophy is ``Open Academia'' which is where this textbook comes in. In the end, when all is |
|
|
124 said and done the text will be useable by educational institutions as a reference on multiple precision arithmetic. |
|
|
125 |
|
|
126 At this time I feel I should share a little information about myself. The most common question I was asked at |
|
|
127 Crypto'03, perhaps just out of professional courtesy, was which school I either taught at or attended. The unfortunate |
|
|
128 truth is that I neither teach at or attend a school of academic reputation. I'm currently at Algonquin College which |
|
|
129 is what I'd like to call ``somewhat academic but mostly vocational'' college. In otherwords, job training. |
|
|
130 |
|
|
131 I'm a 21 year old computer science student mostly self-taught in the areas I am aware of (which includes a half-dozen |
|
|
132 computer science fields, a few fields of mathematics and some English). I look forward to teaching someday but I am |
|
|
133 still far off from that goal. |
|
|
134 |
|
|
135 Now it would be improper for me to not introduce the rest of the texts co-authors. While they are only contributing |
|
|
136 corrections and editorial feedback their support has been tremendously helpful in presenting the concepts laid out |
|
|
137 in the text so far. Greg has always been there for me. He has tracked my LibTom projects since their inception and even |
|
|
138 sent cheques to help pay tuition from time to time. His background has provided a wonderful source to bounce ideas off |
|
|
139 of and improve the quality of my writing. Mads is another fellow who has just ``been there''. I don't even recall what |
|
|
140 his interest in the LibTom projects is but I'm definitely glad he has been around. His ability to catch logical errors |
|
|
141 in my written English have saved me on several occasions to say the least. |
|
|
142 |
|
|
143 What to expect next? Well this is still a rough draft. I've only had the chance to update a few chapters. However, I've |
|
|
144 been getting the feeling that people are starting to use my text and I owe them some updated material. My current tenative |
|
|
145 plan is to edit one chapter every two weeks starting January 4th. It seems insane but my lower course load at college |
|
|
146 should provide ample time. By Crypto'04 I plan to have a 2nd draft of the text polished and ready to hand out to as many |
|
|
147 people who will take it. |
|
|
148 |
|
|
149 \begin{flushright} Tom St Denis \end{flushright} |
|
|
150 |
|
|
151 \newpage |
|
|
152 I found the opportunity to work with Tom appealing for several reasons, not only could I broaden my own horizons, but also |
|
|
153 contribute to educate others facing the problem of having to handle big number mathematical calculations. |
|
|
154 |
|
|
155 This book is Tom's child and he has been caring and fostering the project ever since the beginning with a clear mind of |
|
|
156 how he wanted the project to turn out. I have helped by proofreading the text and we have had several discussions about |
|
|
157 the layout and language used. |
|
|
158 |
|
|
159 I hold a masters degree in cryptography from the University of Southern Denmark and have always been interested in the |
|
|
160 practical aspects of cryptography. |
|
|
161 |
|
|
162 Having worked in the security consultancy business for several years in S\~{a}o Paulo, Brazil, I have been in touch with a |
|
|
163 great deal of work in which multiple precision mathematics was needed. Understanding the possibilities for speeding up |
|
|
164 multiple precision calculations is often very important since we deal with outdated machine architecture where modular |
|
|
165 reductions, for example, become painfully slow. |
|
|
166 |
|
|
167 This text is for people who stop and wonder when first examining algorithms such as RSA for the first time and asks |
|
|
168 themselves, ``You tell me this is only secure for large numbers, fine; but how do you implement these numbers?'' |
|
|
169 |
|
|
170 \begin{flushright} |
|
|
171 Mads Rasmussen |
|
|
172 |
|
|
173 S\~{a}o Paulo - SP |
|
|
174 |
|
|
175 Brazil |
|
|
176 \end{flushright} |
|
|
177 |
|
|
178 \newpage |
|
|
179 It's all because I broke my leg. That just happened to be at about the same time that Tom asked for someone to review the section of the book about |
|
|
180 Karatsuba multiplication. I was laid up, alone and immobile, and thought ``Why not?'' I vaguely knew what Karatsuba multiplication was, but not |
|
|
181 really, so I thought I could help, learn, and stop myself from watching daytime cable TV, all at once. |
|
|
182 |
|
|
183 At the time of writing this, I've still not met Tom or Mads in meatspace. I've been following Tom's progress since his first splash on the |
|
|
184 sci.crypt Usenet news group. I watched him go from a clueless newbie, to the cryptographic equivalent of a reformed smoker, to a real |
|
|
185 contributor to the field, over a period of about two years. I've been impressed with his obvious intelligence, and astounded by his productivity. |
|
|
186 Of course, he's young enough to be my own child, so he doesn't have my problems with staying awake. |
|
|
187 |
|
|
188 When I reviewed that single section of the book, in its very earliest form, I was very pleasantly surprised. So I decided to collaborate more fully, |
|
|
189 and at least review all of it, and perhaps write some bits too. There's still a long way to go with it, and I have watched a number of close |
|
|
190 friends go through the mill of publication, so I think that the way to go is longer than Tom thinks it is. Nevertheless, it's a good effort, |
|
|
191 and I'm pleased to be involved with it. |
|
|
192 |
|
|
193 \begin{flushright} |
|
|
194 Greg Rose, Sydney, Australia, June 2003. |
|
|
195 \end{flushright} |
|
|
196 |
|
|
197 \mainmatter |
|
|
198 \pagestyle{headings} |
|
|
199 \chapter{Introduction} |
|
|
200 \section{Multiple Precision Arithmetic} |
|
|
201 |
|
|
202 \subsection{What is Multiple Precision Arithmetic?} |
|
|
203 When we think of long-hand arithmetic such as addition or multiplication we rarely consider the fact that we instinctively |
|
|
204 raise or lower the precision of the numbers we are dealing with. For example, in decimal we almost immediate can |
|
|
205 reason that $7$ times $6$ is $42$. However, $42$ has two digits of precision as opposed to one digit we started with. |
|
|
206 Further multiplications of say $3$ result in a larger precision result $126$. In these few examples we have multiple |
|
|
207 precisions for the numbers we are working with. Despite the various levels of precision a single subset\footnote{With the occasional optimization.} |
|
|
208 of algorithms can be designed to accomodate them. |
|
|
209 |
|
|
210 By way of comparison a fixed or single precision operation would lose precision on various operations. For example, in |
|
|
211 the decimal system with fixed precision $6 \cdot 7 = 2$. |
|
|
212 |
|
|
213 Essentially at the heart of computer based multiple precision arithmetic are the same long-hand algorithms taught in |
|
|
214 schools to manually add, subtract, multiply and divide. |
|
|
215 |
|
|
216 \subsection{The Need for Multiple Precision Arithmetic} |
|
|
217 The most prevalent need for multiple precision arithmetic, often referred to as ``bignum'' math, is within the implementation |
|
|
218 of public-key cryptography algorithms. Algorithms such as RSA \cite{RSAREF} and Diffie-Hellman \cite{DHREF} require |
|
|
219 integers of significant magnitude to resist known cryptanalytic attacks. For example, at the time of this writing a |
|
|
220 typical RSA modulus would be at least greater than $10^{309}$. However, modern programming languages such as ISO C \cite{ISOC} and |
|
|
221 Java \cite{JAVA} only provide instrinsic support for integers which are relatively small and single precision. |
|
|
222 |
|
|
223 \begin{figure}[!here] |
|
|
224 \begin{center} |
|
|
225 \begin{tabular}{|r|c|} |
|
|
226 \hline \textbf{Data Type} & \textbf{Range} \\ |
|
|
227 \hline char & $-128 \ldots 127$ \\ |
|
|
228 \hline short & $-32768 \ldots 32767$ \\ |
|
|
229 \hline long & $-2147483648 \ldots 2147483647$ \\ |
|
|
230 \hline long long & $-9223372036854775808 \ldots 9223372036854775807$ \\ |
|
|
231 \hline |
|
|
232 \end{tabular} |
|
|
233 \end{center} |
|
|
234 \caption{Typical Data Types for the C Programming Language} |
|
|
235 \label{fig:ISOC} |
|
|
236 \end{figure} |
|
|
237 |
|
|
238 The largest data type guaranteed to be provided by the ISO C programming |
|
|
239 language\footnote{As per the ISO C standard. However, each compiler vendor is allowed to augment the precision as they |
|
|
240 see fit.} can only represent values up to $10^{19}$ as shown in figure \ref{fig:ISOC}. On its own the C language is |
|
|
241 insufficient to accomodate the magnitude required for the problem at hand. An RSA modulus of magnitude $10^{19}$ could be |
|
|
242 trivially factored\footnote{A Pollard-Rho factoring would take only $2^{16}$ time.} on the average desktop computer, |
|
|
243 rendering any protocol based on the algorithm insecure. Multiple precision algorithms solve this very problem by |
|
|
244 extending the range of representable integers while using single precision data types. |
|
|
245 |
|
|
246 Most advancements in fast multiple precision arithmetic stem from the need for faster and more efficient cryptographic |
|
|
247 primitives. Faster modular reduction and exponentiation algorithms such as Barrett's algorithm, which have appeared in |
|
|
248 various cryptographic journals, can render algorithms such as RSA and Diffie-Hellman more efficient. In fact, several |
|
|
249 major companies such as RSA Security, Certicom and Entrust have built entire product lines on the implementation and |
|
|
250 deployment of efficient algorithms. |
|
|
251 |
|
|
252 However, cryptography is not the only field of study that can benefit from fast multiple precision integer routines. |
|
|
253 Another auxiliary use of multiple precision integers is high precision floating point data types. |
|
|
254 The basic IEEE \cite{IEEE} standard floating point type is made up of an integer mantissa $q$, an exponent $e$ and a sign bit $s$. |
|
|
255 Numbers are given in the form $n = q \cdot b^e \cdot -1^s$ where $b = 2$ is the most common base for IEEE. Since IEEE |
|
|
256 floating point is meant to be implemented in hardware the precision of the mantissa is often fairly small |
|
|
257 (\textit{23, 48 and 64 bits}). The mantissa is merely an integer and a multiple precision integer could be used to create |
|
|
258 a mantissa of much larger precision than hardware alone can efficiently support. This approach could be useful where |
|
|
259 scientific applications must minimize the total output error over long calculations. |
|
|
260 |
|
|
261 Another use for large integers is within arithmetic on polynomials of large characteristic (i.e. $GF(p)[x]$ for large $p$). |
|
|
262 In fact the library discussed within this text has already been used to form a polynomial basis library\footnote{See \url{http://poly.libtomcrypt.org} for more details.}. |
|
|
263 |
|
|
264 \subsection{Benefits of Multiple Precision Arithmetic} |
|
|
265 \index{precision} |
|
|
266 The benefit of multiple precision representations over single or fixed precision representations is that |
|
|
267 no precision is lost while representing the result of an operation which requires excess precision. For example, |
|
|
268 the product of two $n$-bit integers requires at least $2n$ bits of precision to be represented faithfully. A multiple |
|
|
269 precision algorithm would augment the precision of the destination to accomodate the result while a single precision system |
|
|
270 would truncate excess bits to maintain a fixed level of precision. |
|
|
271 |
|
|
272 It is possible to implement algorithms which require large integers with fixed precision algorithms. For example, elliptic |
|
|
273 curve cryptography (\textit{ECC}) is often implemented on smartcards by fixing the precision of the integers to the maximum |
|
|
274 size the system will ever need. Such an approach can lead to vastly simpler algorithms which can accomodate the |
|
|
275 integers required even if the host platform cannot natively accomodate them\footnote{For example, the average smartcard |
|
|
276 processor has an 8 bit accumulator.}. However, as efficient as such an approach may be, the resulting source code is not |
|
|
277 normally very flexible. It cannot, at runtime, accomodate inputs of higher magnitude than the designer anticipated. |
|
|
278 |
|
|
279 Multiple precision algorithms have the most overhead of any style of arithmetic. For the the most part the |
|
|
280 overhead can be kept to a minimum with careful planning, but overall, it is not well suited for most memory starved |
|
|
281 platforms. However, multiple precision algorithms do offer the most flexibility in terms of the magnitude of the |
|
|
282 inputs. That is, the same algorithms based on multiple precision integers can accomodate any reasonable size input |
|
|
283 without the designer's explicit forethought. This leads to lower cost of ownership for the code as it only has to |
|
|
284 be written and tested once. |
|
|
285 |
|
|
286 \section{Purpose of This Text} |
|
|
287 The purpose of this text is to instruct the reader regarding how to implement efficient multiple precision algorithms. |
|
|
288 That is to not only explain a limited subset of the core theory behind the algorithms but also the various ``house keeping'' |
|
|
289 elements that are neglected by authors of other texts on the subject. Several well reknowned texts \cite{TAOCPV2,HAC} |
|
|
290 give considerably detailed explanations of the theoretical aspects of algorithms and often very little information |
|
|
291 regarding the practical implementation aspects. |
|
|
292 |
|
|
293 In most cases how an algorithm is explained and how it is actually implemented are two very different concepts. For |
|
|
294 example, the Handbook of Applied Cryptography (\textit{HAC}), algorithm 14.7 on page 594, gives a relatively simple |
|
|
295 algorithm for performing multiple precision integer addition. However, the description lacks any discussion concerning |
|
|
296 the fact that the two integer inputs may be of differing magnitudes. As a result the implementation is not as simple |
|
|
297 as the text would lead people to believe. Similarly the division routine (\textit{algorithm 14.20, pp. 598}) does not |
|
|
298 discuss how to handle sign or handle the dividend's decreasing magnitude in the main loop (\textit{step \#3}). |
|
|
299 |
|
|
300 Both texts also do not discuss several key optimal algorithms required such as ``Comba'' and Karatsuba multipliers |
|
|
301 and fast modular inversion, which we consider practical oversights. These optimal algorithms are vital to achieve |
|
|
302 any form of useful performance in non-trivial applications. |
|
|
303 |
|
|
304 To solve this problem the focus of this text is on the practical aspects of implementing a multiple precision integer |
|
|
305 package. As a case study the ``LibTomMath''\footnote{Available at \url{http://math.libtomcrypt.org}} package is used |
|
|
306 to demonstrate algorithms with real implementations\footnote{In the ISO C programming language.} that have been field |
|
|
307 tested and work very well. The LibTomMath library is freely available on the Internet for all uses and this text |
|
|
308 discusses a very large portion of the inner workings of the library. |
|
|
309 |
|
|
310 The algorithms that are presented will always include at least one ``pseudo-code'' description followed |
|
|
311 by the actual C source code that implements the algorithm. The pseudo-code can be used to implement the same |
|
|
312 algorithm in other programming languages as the reader sees fit. |
|
|
313 |
|
|
314 This text shall also serve as a walkthrough of the creation of multiple precision algorithms from scratch. Showing |
|
|
315 the reader how the algorithms fit together as well as where to start on various taskings. |
|
|
316 |
|
|
317 \section{Discussion and Notation} |
|
|
318 \subsection{Notation} |
|
|
319 A multiple precision integer of $n$-digits shall be denoted as $x = (x_{n-1} ... x_1 x_0)_{ \beta }$ and represent |
|
|
320 the integer $x \equiv \sum_{i=0}^{n-1} x_i\beta^i$. The elements of the array $x$ are said to be the radix $\beta$ digits |
|
|
321 of the integer. For example, $x = (1,2,3)_{10}$ would represent the integer |
|
|
322 $1\cdot 10^2 + 2\cdot10^1 + 3\cdot10^0 = 123$. |
|
|
323 |
|
|
324 \index{mp\_int} |
|
|
325 The term ``mp\_int'' shall refer to a composite structure which contains the digits of the integer it represents, as well |
|
|
326 as auxilary data required to manipulate the data. These additional members are discussed further in section |
|
|
327 \ref{sec:MPINT}. For the purposes of this text a ``multiple precision integer'' and an ``mp\_int'' are assumed to be |
|
|
328 synonymous. When an algorithm is specified to accept an mp\_int variable it is assumed the various auxliary data members |
|
|
329 are present as well. An expression of the type \textit{variablename.item} implies that it should evaluate to the |
|
|
330 member named ``item'' of the variable. For example, a string of characters may have a member ``length'' which would |
|
|
331 evaluate to the number of characters in the string. If the string $a$ equals ``hello'' then it follows that |
|
|
332 $a.length = 5$. |
|
|
333 |
|
|
334 For certain discussions more generic algorithms are presented to help the reader understand the final algorithm used |
|
|
335 to solve a given problem. When an algorithm is described as accepting an integer input it is assumed the input is |
|
|
336 a plain integer with no additional multiple-precision members. That is, algorithms that use integers as opposed to |
|
|
337 mp\_ints as inputs do not concern themselves with the housekeeping operations required such as memory management. These |
|
|
338 algorithms will be used to establish the relevant theory which will subsequently be used to describe a multiple |
|
|
339 precision algorithm to solve the same problem. |
|
|
340 |
|
|
341 \subsection{Precision Notation} |
|
|
342 For the purposes of this text a single precision variable must be able to represent integers in the range |
|
|
343 $0 \le x < q \beta$ while a double precision variable must be able to represent integers in the range |
|
|
344 $0 \le x < q \beta^2$. The variable $\beta$ represents the radix of a single digit of a multiple precision integer and |
|
|
345 must be of the form $q^p$ for $q, p \in \Z^+$. The extra radix-$q$ factor allows additions and subtractions to proceed |
|
|
346 without truncation of the carry. Since all modern computers are binary, it is assumed that $q$ is two, for all intents |
|
|
347 and purposes. |
|
|
348 |
|
|
349 \index{mp\_digit} \index{mp\_word} |
|
|
350 Within the source code that will be presented for each algorithm, the data type \textbf{mp\_digit} will represent |
|
|
351 a single precision integer type, while, the data type \textbf{mp\_word} will represent a double precision integer type. In |
|
|
352 several algorithms (notably the Comba routines) temporary results will be stored in arrays of double precision mp\_words. |
|
|
353 For the purposes of this text $x_j$ will refer to the $j$'th digit of a single precision array and $\hat x_j$ will refer to |
|
|
354 the $j$'th digit of a double precision array. Whenever an expression is to be assigned to a double precision |
|
|
355 variable it is assumed that all single precision variables are promoted to double precision during the evaluation. |
|
|
356 Expressions that are assigned to a single precision variable are truncated to fit within the precision of a single |
|
|
357 precision data type. |
|
|
358 |
|
|
359 For example, if $\beta = 10^2$ a single precision data type may represent a value in the |
|
|
360 range $0 \le x < 10^3$, while a double precision data type may represent a value in the range $0 \le x < 10^5$. Let |
|
|
361 $a = 23$ and $b = 49$ represent two single precision variables. The single precision product shall be written |
|
|
362 as $c \leftarrow a \cdot b$ while the double precision product shall be written as $\hat c \leftarrow a \cdot b$. |
|
|
363 In this particular case, $\hat c = 1127$ and $c = 127$. The most significant digit of the product would not fit |
|
|
364 in a single precision data type and as a result $c \ne \hat c$. |
|
|
365 |
|
|
366 \subsection{Algorithm Inputs and Outputs} |
|
|
367 Within the algorithm descriptions all variables are assumed to be scalars of either single or double precision |
|
|
368 as indicated. The only exception to this rule is when variables have been indicated to be of type mp\_int. This |
|
|
369 distinction is important as scalars are often used as array indicies and various other counters. |
|
|
370 |
|
|
371 \subsection{Mathematical Expressions} |
|
|
372 The $\lfloor \mbox{ } \rfloor$ brackets imply an expression truncated to an integer not greater than the expression |
|
|
373 itself. For example, $\lfloor 5.7 \rfloor = 5$. Similarly the $\lceil \mbox{ } \rceil$ brackets imply an expression |
|
|
374 rounded to an integer not less than the expression itself. For example, $\lceil 5.1 \rceil = 6$. Typically when |
|
|
375 the $/$ division symbol is used the intention is to perform an integer division with truncation. For example, |
|
|
376 $5/2 = 2$ which will often be written as $\lfloor 5/2 \rfloor = 2$ for clarity. When an expression is written as a |
|
|
377 fraction a real value division is implied, for example ${5 \over 2} = 2.5$. |
|
|
378 |
|
|
379 The norm of a multiple precision integer, for example, $\vert \vert x \vert \vert$ will be used to represent the number of digits in the representation |
|
|
380 of the integer. For example, $\vert \vert 123 \vert \vert = 3$ and $\vert \vert 79452 \vert \vert = 5$. |
|
|
381 |
|
|
382 \subsection{Work Effort} |
|
|
383 \index{big-Oh} |
|
|
384 To measure the efficiency of the specified algorithms, a modified big-Oh notation is used. In this system all |
|
|
385 single precision operations are considered to have the same cost\footnote{Except where explicitly noted.}. |
|
|
386 That is a single precision addition, multiplication and division are assumed to take the same time to |
|
|
387 complete. While this is generally not true in practice, it will simplify the discussions considerably. |
|
|
388 |
|
|
389 Some algorithms have slight advantages over others which is why some constants will not be removed in |
|
|
390 the notation. For example, a normal baseline multiplication (section \ref{sec:basemult}) requires $O(n^2)$ work while a |
|
|
391 baseline squaring (section \ref{sec:basesquare}) requires $O({{n^2 + n}\over 2})$ work. In standard big-Oh notation these |
|
|
392 would both be said to be equivalent to $O(n^2)$. However, |
|
|
393 in the context of the this text this is not the case as the magnitude of the inputs will typically be rather small. As a |
|
|
394 result small constant factors in the work effort will make an observable difference in algorithm efficiency. |
|
|
395 |
|
|
396 All of the algorithms presented in this text have a polynomial time work level. That is, of the form |
|
|
397 $O(n^k)$ for $n, k \in \Z^{+}$. This will help make useful comparisons in terms of the speed of the algorithms and how |
|
|
398 various optimizations will help pay off in the long run. |
|
|
399 |
|
|
400 \section{Exercises} |
|
|
401 Within the more advanced chapters a section will be set aside to give the reader some challenging exercises related to |
|
|
402 the discussion at hand. These exercises are not designed to be prize winning problems, but instead to be thought |
|
|
403 provoking. Wherever possible the problems are forward minded, stating problems that will be answered in subsequent |
|
|
404 chapters. The reader is encouraged to finish the exercises as they appear to get a better understanding of the |
|
|
405 subject material. |
|
|
406 |
|
|
407 That being said, the problems are designed to affirm knowledge of a particular subject matter. Students in particular |
|
|
408 are encouraged to verify they can answer the problems correctly before moving on. |
|
|
409 |
|
|
410 Similar to the exercises of \cite[pp. ix]{TAOCPV2} these exercises are given a scoring system based on the difficulty of |
|
|
411 the problem. However, unlike \cite{TAOCPV2} the problems do not get nearly as hard. The scoring of these |
|
|
412 exercises ranges from one (the easiest) to five (the hardest). The following table sumarizes the |
|
|
413 scoring system used. |
|
|
414 |
|
|
415 \begin{figure}[here] |
|
|
416 \begin{center} |
|
|
417 \begin{small} |
|
|
418 \begin{tabular}{|c|l|} |
|
|
419 \hline $\left [ 1 \right ]$ & An easy problem that should only take the reader a manner of \\ |
|
|
420 & minutes to solve. Usually does not involve much computer time \\ |
|
|
421 & to solve. \\ |
|
|
422 \hline $\left [ 2 \right ]$ & An easy problem that involves a marginal amount of computer \\ |
|
|
423 & time usage. Usually requires a program to be written to \\ |
|
|
424 & solve the problem. \\ |
|
|
425 \hline $\left [ 3 \right ]$ & A moderately hard problem that requires a non-trivial amount \\ |
|
|
426 & of work. Usually involves trivial research and development of \\ |
|
|
427 & new theory from the perspective of a student. \\ |
|
|
428 \hline $\left [ 4 \right ]$ & A moderately hard problem that involves a non-trivial amount \\ |
|
|
429 & of work and research, the solution to which will demonstrate \\ |
|
|
430 & a higher mastery of the subject matter. \\ |
|
|
431 \hline $\left [ 5 \right ]$ & A hard problem that involves concepts that are difficult for a \\ |
|
|
432 & novice to solve. Solutions to these problems will demonstrate a \\ |
|
|
433 & complete mastery of the given subject. \\ |
|
|
434 \hline |
|
|
435 \end{tabular} |
|
|
436 \end{small} |
|
|
437 \end{center} |
|
|
438 \caption{Exercise Scoring System} |
|
|
439 \end{figure} |
|
|
440 |
|
|
441 Problems at the first level are meant to be simple questions that the reader can answer quickly without programming a solution or |
|
|
442 devising new theory. These problems are quick tests to see if the material is understood. Problems at the second level |
|
|
443 are also designed to be easy but will require a program or algorithm to be implemented to arrive at the answer. These |
|
|
444 two levels are essentially entry level questions. |
|
|
445 |
|
|
446 Problems at the third level are meant to be a bit more difficult than the first two levels. The answer is often |
|
|
447 fairly obvious but arriving at an exacting solution requires some thought and skill. These problems will almost always |
|
|
448 involve devising a new algorithm or implementing a variation of another algorithm previously presented. Readers who can |
|
|
449 answer these questions will feel comfortable with the concepts behind the topic at hand. |
|
|
450 |
|
|
451 Problems at the fourth level are meant to be similar to those of the level three questions except they will require |
|
|
452 additional research to be completed. The reader will most likely not know the answer right away, nor will the text provide |
|
|
453 the exact details of the answer until a subsequent chapter. |
|
|
454 |
|
|
455 Problems at the fifth level are meant to be the hardest |
|
|
456 problems relative to all the other problems in the chapter. People who can correctly answer fifth level problems have a |
|
|
457 mastery of the subject matter at hand. |
|
|
458 |
|
|
459 Often problems will be tied together. The purpose of this is to start a chain of thought that will be discussed in future chapters. The reader |
|
|
460 is encouraged to answer the follow-up problems and try to draw the relevance of problems. |
|
|
461 |
|
|
462 \section{Introduction to LibTomMath} |
|
|
463 |
|
|
464 \subsection{What is LibTomMath?} |
|
|
465 LibTomMath is a free and open source multiple precision integer library written entirely in portable ISO C. By portable it |
|
|
466 is meant that the library does not contain any code that is computer platform dependent or otherwise problematic to use on |
|
|
467 any given platform. |
|
|
468 |
|
|
469 The library has been successfully tested under numerous operating systems including Unix\footnote{All of these |
|
|
470 trademarks belong to their respective rightful owners.}, MacOS, Windows, Linux, PalmOS and on standalone hardware such |
|
|
471 as the Gameboy Advance. The library is designed to contain enough functionality to be able to develop applications such |
|
|
472 as public key cryptosystems and still maintain a relatively small footprint. |
|
|
473 |
|
|
474 \subsection{Goals of LibTomMath} |
|
|
475 |
|
|
476 Libraries which obtain the most efficiency are rarely written in a high level programming language such as C. However, |
|
|
477 even though this library is written entirely in ISO C, considerable care has been taken to optimize the algorithm implementations within the |
|
|
478 library. Specifically the code has been written to work well with the GNU C Compiler (\textit{GCC}) on both x86 and ARM |
|
|
479 processors. Wherever possible, highly efficient algorithms, such as Karatsuba multiplication, sliding window |
|
|
480 exponentiation and Montgomery reduction have been provided to make the library more efficient. |
|
|
481 |
|
|
482 Even with the nearly optimal and specialized algorithms that have been included the Application Programing Interface |
|
|
483 (\textit{API}) has been kept as simple as possible. Often generic place holder routines will make use of specialized |
|
|
484 algorithms automatically without the developer's specific attention. One such example is the generic multiplication |
|
|
485 algorithm \textbf{mp\_mul()} which will automatically use Toom--Cook, Karatsuba, Comba or baseline multiplication |
|
|
486 based on the magnitude of the inputs and the configuration of the library. |
|
|
487 |
|
|
488 Making LibTomMath as efficient as possible is not the only goal of the LibTomMath project. Ideally the library should |
|
|
489 be source compatible with another popular library which makes it more attractive for developers to use. In this case the |
|
|
490 MPI library was used as a API template for all the basic functions. MPI was chosen because it is another library that fits |
|
|
491 in the same niche as LibTomMath. Even though LibTomMath uses MPI as the template for the function names and argument |
|
|
492 passing conventions, it has been written from scratch by Tom St Denis. |
|
|
493 |
|
|
494 The project is also meant to act as a learning tool for students, the logic being that no easy-to-follow ``bignum'' |
|
|
495 library exists which can be used to teach computer science students how to perform fast and reliable multiple precision |
|
|
496 integer arithmetic. To this end the source code has been given quite a few comments and algorithm discussion points. |
|
|
497 |
|
|
498 \section{Choice of LibTomMath} |
|
|
499 LibTomMath was chosen as the case study of this text not only because the author of both projects is one and the same but |
|
|
500 for more worthy reasons. Other libraries such as GMP \cite{GMP}, MPI \cite{MPI}, LIP \cite{LIP} and OpenSSL |
|
|
501 \cite{OPENSSL} have multiple precision integer arithmetic routines but would not be ideal for this text for |
|
|
502 reasons that will be explained in the following sub-sections. |
|
|
503 |
|
|
504 \subsection{Code Base} |
|
|
505 The LibTomMath code base is all portable ISO C source code. This means that there are no platform dependent conditional |
|
|
506 segments of code littered throughout the source. This clean and uncluttered approach to the library means that a |
|
|
507 developer can more readily discern the true intent of a given section of source code without trying to keep track of |
|
|
508 what conditional code will be used. |
|
|
509 |
|
|
510 The code base of LibTomMath is well organized. Each function is in its own separate source code file |
|
|
511 which allows the reader to find a given function very quickly. On average there are $76$ lines of code per source |
|
|
512 file which makes the source very easily to follow. By comparison MPI and LIP are single file projects making code tracing |
|
|
513 very hard. GMP has many conditional code segments which also hinder tracing. |
|
|
514 |
|
|
515 When compiled with GCC for the x86 processor and optimized for speed the entire library is approximately $100$KiB\footnote{The notation ``KiB'' means $2^{10}$ octets, similarly ``MiB'' means $2^{20}$ octets.} |
|
|
516 which is fairly small compared to GMP (over $250$KiB). LibTomMath is slightly larger than MPI (which compiles to about |
|
|
517 $50$KiB) but LibTomMath is also much faster and more complete than MPI. |
|
|
518 |
|
|
519 \subsection{API Simplicity} |
|
|
520 LibTomMath is designed after the MPI library and shares the API design. Quite often programs that use MPI will build |
|
|
521 with LibTomMath without change. The function names correlate directly to the action they perform. Almost all of the |
|
|
522 functions share the same parameter passing convention. The learning curve is fairly shallow with the API provided |
|
|
523 which is an extremely valuable benefit for the student and developer alike. |
|
|
524 |
|
|
525 The LIP library is an example of a library with an API that is awkward to work with. LIP uses function names that are often ``compressed'' to |
|
|
526 illegible short hand. LibTomMath does not share this characteristic. |
|
|
527 |
|
|
528 The GMP library also does not return error codes. Instead it uses a POSIX.1 \cite{POSIX1} signal system where errors |
|
|
529 are signaled to the host application. This happens to be the fastest approach but definitely not the most versatile. In |
|
|
530 effect a math error (i.e. invalid input, heap error, etc) can cause a program to stop functioning which is definitely |
|
|
531 undersireable in many situations. |
|
|
532 |
|
|
533 \subsection{Optimizations} |
|
|
534 While LibTomMath is certainly not the fastest library (GMP often beats LibTomMath by a factor of two) it does |
|
|
535 feature a set of optimal algorithms for tasks such as modular reduction, exponentiation, multiplication and squaring. GMP |
|
|
536 and LIP also feature such optimizations while MPI only uses baseline algorithms with no optimizations. GMP lacks a few |
|
|
537 of the additional modular reduction optimizations that LibTomMath features\footnote{At the time of this writing GMP |
|
|
538 only had Barrett and Montgomery modular reduction algorithms.}. |
|
|
539 |
|
|
540 LibTomMath is almost always an order of magnitude faster than the MPI library at computationally expensive tasks such as modular |
|
|
541 exponentiation. In the grand scheme of ``bignum'' libraries LibTomMath is faster than the average library and usually |
|
|
542 slower than the best libraries such as GMP and OpenSSL by only a small factor. |
|
|
543 |
|
|
544 \subsection{Portability and Stability} |
|
|
545 LibTomMath will build ``out of the box'' on any platform equipped with a modern version of the GNU C Compiler |
|
|
546 (\textit{GCC}). This means that without changes the library will build without configuration or setting up any |
|
|
547 variables. LIP and MPI will build ``out of the box'' as well but have numerous known bugs. Most notably the author of |
|
|
548 MPI has recently stopped working on his library and LIP has long since been discontinued. |
|
|
549 |
|
|
550 GMP requires a configuration script to run and will not build out of the box. GMP and LibTomMath are still in active |
|
|
551 development and are very stable across a variety of platforms. |
|
|
552 |
|
|
553 \subsection{Choice} |
|
|
554 LibTomMath is a relatively compact, well documented, highly optimized and portable library which seems only natural for |
|
|
555 the case study of this text. Various source files from the LibTomMath project will be included within the text. However, |
|
|
556 the reader is encouraged to download their own copy of the library to actually be able to work with the library. |
|
|
557 |
|
|
558 \chapter{Getting Started} |
|
|
559 \section{Library Basics} |
|
|
560 The trick to writing any useful library of source code is to build a solid foundation and work outwards from it. First, |
|
|
561 a problem along with allowable solution parameters should be identified and analyzed. In this particular case the |
|
|
562 inability to accomodate multiple precision integers is the problem. Futhermore, the solution must be written |
|
|
563 as portable source code that is reasonably efficient across several different computer platforms. |
|
|
564 |
|
|
565 After a foundation is formed the remainder of the library can be designed and implemented in a hierarchical fashion. |
|
|
566 That is, to implement the lowest level dependencies first and work towards the most abstract functions last. For example, |
|
|
567 before implementing a modular exponentiation algorithm one would implement a modular reduction algorithm. |
|
|
568 By building outwards from a base foundation instead of using a parallel design methodology the resulting project is |
|
|
569 highly modular. Being highly modular is a desirable property of any project as it often means the resulting product |
|
|
570 has a small footprint and updates are easy to perform. |
|
|
571 |
|
|
572 Usually when I start a project I will begin with the header file. I define the data types I think I will need and |
|
|
573 prototype the initial functions that are not dependent on other functions (within the library). After I |
|
|
574 implement these base functions I prototype more dependent functions and implement them. The process repeats until |
|
|
575 I implement all of the functions I require. For example, in the case of LibTomMath I implemented functions such as |
|
|
576 mp\_init() well before I implemented mp\_mul() and even further before I implemented mp\_exptmod(). As an example as to |
|
|
577 why this design works note that the Karatsuba and Toom-Cook multipliers were written \textit{after} the |
|
|
578 dependent function mp\_exptmod() was written. Adding the new multiplication algorithms did not require changes to the |
|
|
579 mp\_exptmod() function itself and lowered the total cost of ownership (\textit{so to speak}) and of development |
|
|
580 for new algorithms. This methodology allows new algorithms to be tested in a complete framework with relative ease. |
|
|
581 |
|
|
582 FIGU,design_process,Design Flow of the First Few Original LibTomMath Functions. |
|
|
583 |
|
|
584 Only after the majority of the functions were in place did I pursue a less hierarchical approach to auditing and optimizing |
|
|
585 the source code. For example, one day I may audit the multipliers and the next day the polynomial basis functions. |
|
|
586 |
|
|
587 It only makes sense to begin the text with the preliminary data types and support algorithms required as well. |
|
|
588 This chapter discusses the core algorithms of the library which are the dependents for every other algorithm. |
|
|
589 |
|
|
590 \section{What is a Multiple Precision Integer?} |
|
|
591 Recall that most programming languages, in particular ISO C \cite{ISOC}, only have fixed precision data types that on their own cannot |
|
|
592 be used to represent values larger than their precision will allow. The purpose of multiple precision algorithms is |
|
|
593 to use fixed precision data types to create and manipulate multiple precision integers which may represent values |
|
|
594 that are very large. |
|
|
595 |
|
|
596 As a well known analogy, school children are taught how to form numbers larger than nine by prepending more radix ten digits. In the decimal system |
|
|
597 the largest single digit value is $9$. However, by concatenating digits together larger numbers may be represented. Newly prepended digits |
|
|
598 (\textit{to the left}) are said to be in a different power of ten column. That is, the number $123$ can be described as having a $1$ in the hundreds |
|
|
599 column, $2$ in the tens column and $3$ in the ones column. Or more formally $123 = 1 \cdot 10^2 + 2 \cdot 10^1 + 3 \cdot 10^0$. Computer based |
|
|
600 multiple precision arithmetic is essentially the same concept. Larger integers are represented by adjoining fixed |
|
|
601 precision computer words with the exception that a different radix is used. |
|
|
602 |
|
|
603 What most people probably do not think about explicitly are the various other attributes that describe a multiple precision |
|
|
604 integer. For example, the integer $154_{10}$ has two immediately obvious properties. First, the integer is positive, |
|
|
605 that is the sign of this particular integer is positive as opposed to negative. Second, the integer has three digits in |
|
|
606 its representation. There is an additional property that the integer posesses that does not concern pencil-and-paper |
|
|
607 arithmetic. The third property is how many digits placeholders are available to hold the integer. |
|
|
608 |
|
|
609 The human analogy of this third property is ensuring there is enough space on the paper to write the integer. For example, |
|
|
610 if one starts writing a large number too far to the right on a piece of paper they will have to erase it and move left. |
|
|
611 Similarly, computer algorithms must maintain strict control over memory usage to ensure that the digits of an integer |
|
|
612 will not exceed the allowed boundaries. These three properties make up what is known as a multiple precision |
|
|
613 integer or mp\_int for short. |
|
|
614 |
|
|
615 \subsection{The mp\_int Structure} |
|
|
616 \label{sec:MPINT} |
|
|
617 The mp\_int structure is the ISO C based manifestation of what represents a multiple precision integer. The ISO C standard does not provide for |
|
|
618 any such data type but it does provide for making composite data types known as structures. The following is the structure definition |
|
|
619 used within LibTomMath. |
|
|
620 |
|
|
621 \index{mp\_int} |
|
|
622 \begin{verbatim} |
|
|
623 typedef struct { |
|
|
624 int used, alloc, sign; |
|
|
625 mp_digit *dp; |
|
|
626 } mp_int; |
|
|
627 \end{verbatim} |
|
|
628 |
|
|
629 The mp\_int structure can be broken down as follows. |
|
|
630 |
|
|
631 \begin{enumerate} |
|
|
632 \item The \textbf{used} parameter denotes how many digits of the array \textbf{dp} contain the digits used to represent |
|
|
633 a given integer. The \textbf{used} count must be positive (or zero) and may not exceed the \textbf{alloc} count. |
|
|
634 |
|
|
635 \item The \textbf{alloc} parameter denotes how |
|
|
636 many digits are available in the array to use by functions before it has to increase in size. When the \textbf{used} count |
|
|
637 of a result would exceed the \textbf{alloc} count all of the algorithms will automatically increase the size of the |
|
|
638 array to accommodate the precision of the result. |
|
|
639 |
|
|
640 \item The pointer \textbf{dp} points to a dynamically allocated array of digits that represent the given multiple |
|
|
641 precision integer. It is padded with $(\textbf{alloc} - \textbf{used})$ zero digits. The array is maintained in a least |
|
|
642 significant digit order. As a pencil and paper analogy the array is organized such that the right most digits are stored |
|
|
643 first starting at the location indexed by zero\footnote{In C all arrays begin at zero.} in the array. For example, |
|
|
644 if \textbf{dp} contains $\lbrace a, b, c, \ldots \rbrace$ where \textbf{dp}$_0 = a$, \textbf{dp}$_1 = b$, \textbf{dp}$_2 = c$, $\ldots$ then |
|
|
645 it would represent the integer $a + b\beta + c\beta^2 + \ldots$ |
|
|
646 |
|
|
647 \index{MP\_ZPOS} \index{MP\_NEG} |
|
|
648 \item The \textbf{sign} parameter denotes the sign as either zero/positive (\textbf{MP\_ZPOS}) or negative (\textbf{MP\_NEG}). |
|
|
649 \end{enumerate} |
|
|
650 |
|
|
651 \subsubsection{Valid mp\_int Structures} |
|
|
652 Several rules are placed on the state of an mp\_int structure and are assumed to be followed for reasons of efficiency. |
|
|
653 The only exceptions are when the structure is passed to initialization functions such as mp\_init() and mp\_init\_copy(). |
|
|
654 |
|
|
655 \begin{enumerate} |
|
|
656 \item The value of \textbf{alloc} may not be less than one. That is \textbf{dp} always points to a previously allocated |
|
|
657 array of digits. |
|
|
658 \item The value of \textbf{used} may not exceed \textbf{alloc} and must be greater than or equal to zero. |
|
|
659 \item The value of \textbf{used} implies the digit at index $(used - 1)$ of the \textbf{dp} array is non-zero. That is, |
|
|
660 leading zero digits in the most significant positions must be trimmed. |
|
|
661 \begin{enumerate} |
|
|
662 \item Digits in the \textbf{dp} array at and above the \textbf{used} location must be zero. |
|
|
663 \end{enumerate} |
|
|
664 \item The value of \textbf{sign} must be \textbf{MP\_ZPOS} if \textbf{used} is zero; |
|
|
665 this represents the mp\_int value of zero. |
|
|
666 \end{enumerate} |
|
|
667 |
|
|
668 \section{Argument Passing} |
|
|
669 A convention of argument passing must be adopted early on in the development of any library. Making the function |
|
|
670 prototypes consistent will help eliminate many headaches in the future as the library grows to significant complexity. |
|
|
671 In LibTomMath the multiple precision integer functions accept parameters from left to right as pointers to mp\_int |
|
|
672 structures. That means that the source (input) operands are placed on the left and the destination (output) on the right. |
|
|
673 Consider the following examples. |
|
|
674 |
|
|
675 \begin{verbatim} |
|
|
676 mp_mul(&a, &b, &c); /* c = a * b */ |
|
|
677 mp_add(&a, &b, &a); /* a = a + b */ |
|
|
678 mp_sqr(&a, &b); /* b = a * a */ |
|
|
679 \end{verbatim} |
|
|
680 |
|
|
681 The left to right order is a fairly natural way to implement the functions since it lets the developer read aloud the |
|
|
682 functions and make sense of them. For example, the first function would read ``multiply a and b and store in c''. |
|
|
683 |
|
|
684 Certain libraries (\textit{LIP by Lenstra for instance}) accept parameters the other way around, to mimic the order |
|
|
685 of assignment expressions. That is, the destination (output) is on the left and arguments (inputs) are on the right. In |
|
|
686 truth, it is entirely a matter of preference. In the case of LibTomMath the convention from the MPI library has been |
|
|
687 adopted. |
|
|
688 |
|
|
689 Another very useful design consideration, provided for in LibTomMath, is whether to allow argument sources to also be a |
|
|
690 destination. For example, the second example (\textit{mp\_add}) adds $a$ to $b$ and stores in $a$. This is an important |
|
|
691 feature to implement since it allows the calling functions to cut down on the number of variables it must maintain. |
|
|
692 However, to implement this feature specific care has to be given to ensure the destination is not modified before the |
|
|
693 source is fully read. |
|
|
694 |
|
|
695 \section{Return Values} |
|
|
696 A well implemented application, no matter what its purpose, should trap as many runtime errors as possible and return them |
|
|
697 to the caller. By catching runtime errors a library can be guaranteed to prevent undefined behaviour. However, the end |
|
|
698 developer can still manage to cause a library to crash. For example, by passing an invalid pointer an application may |
|
|
699 fault by dereferencing memory not owned by the application. |
|
|
700 |
|
|
701 In the case of LibTomMath the only errors that are checked for are related to inappropriate inputs (division by zero for |
|
|
702 instance) and memory allocation errors. It will not check that the mp\_int passed to any function is valid nor |
|
|
703 will it check pointers for validity. Any function that can cause a runtime error will return an error code as an |
|
|
704 \textbf{int} data type with one of the following values. |
|
|
705 |
|
|
706 \index{MP\_OKAY} \index{MP\_VAL} \index{MP\_MEM} |
|
|
707 \begin{center} |
|
|
708 \begin{tabular}{|l|l|} |
|
|
709 \hline \textbf{Value} & \textbf{Meaning} \\ |
|
|
710 \hline \textbf{MP\_OKAY} & The function was successful \\ |
|
|
711 \hline \textbf{MP\_VAL} & One of the input value(s) was invalid \\ |
|
|
712 \hline \textbf{MP\_MEM} & The function ran out of heap memory \\ |
|
|
713 \hline |
|
|
714 \end{tabular} |
|
|
715 \end{center} |
|
|
716 |
|
|
717 When an error is detected within a function it should free any memory it allocated, often during the initialization of |
|
|
718 temporary mp\_ints, and return as soon as possible. The goal is to leave the system in the same state it was when the |
|
|
719 function was called. Error checking with this style of API is fairly simple. |
|
|
720 |
|
|
721 \begin{verbatim} |
|
|
722 int err; |
|
|
723 if ((err = mp_add(&a, &b, &c)) != MP_OKAY) { |
|
|
724 printf("Error: %s\n", mp_error_to_string(err)); |
|
|
725 exit(EXIT_FAILURE); |
|
|
726 } |
|
|
727 \end{verbatim} |
|
|
728 |
|
|
729 The GMP \cite{GMP} library uses C style \textit{signals} to flag errors which is of questionable use. Not all errors are fatal |
|
|
730 and it was not deemed ideal by the author of LibTomMath to force developers to have signal handlers for such cases. |
|
|
731 |
|
|
732 \section{Initialization and Clearing} |
|
|
733 The logical starting point when actually writing multiple precision integer functions is the initialization and |
|
|
734 clearing of the mp\_int structures. These two algorithms will be used by the majority of the higher level algorithms. |
|
|
735 |
|
|
736 Given the basic mp\_int structure an initialization routine must first allocate memory to hold the digits of |
|
|
737 the integer. Often it is optimal to allocate a sufficiently large pre-set number of digits even though |
|
|
738 the initial integer will represent zero. If only a single digit were allocated quite a few subsequent re-allocations |
|
|
739 would occur when operations are performed on the integers. There is a tradeoff between how many default digits to allocate |
|
|
740 and how many re-allocations are tolerable. Obviously allocating an excessive amount of digits initially will waste |
|
|
741 memory and become unmanageable. |
|
|
742 |
|
|
743 If the memory for the digits has been successfully allocated then the rest of the members of the structure must |
|
|
744 be initialized. Since the initial state of an mp\_int is to represent the zero integer, the allocated digits must be set |
|
|
745 to zero. The \textbf{used} count set to zero and \textbf{sign} set to \textbf{MP\_ZPOS}. |
|
|
746 |
|
|
747 \subsection{Initializing an mp\_int} |
|
|
748 An mp\_int is said to be initialized if it is set to a valid, preferably default, state such that all of the members of the |
|
|
749 structure are set to valid values. The mp\_init algorithm will perform such an action. |
|
|
750 |
|
|
751 \begin{figure}[here] |
|
|
752 \begin{center} |
|
|
753 \begin{tabular}{l} |
|
|
754 \hline Algorithm \textbf{mp\_init}. \\ |
|
|
755 \textbf{Input}. An mp\_int $a$ \\ |
|
|
756 \textbf{Output}. Allocate memory and initialize $a$ to a known valid mp\_int state. \\ |
|
|
757 \hline \\ |
|
|
758 1. Allocate memory for \textbf{MP\_PREC} digits. \\ |
|
|
759 2. If the allocation failed return(\textit{MP\_MEM}) \\ |
|
|
760 3. for $n$ from $0$ to $MP\_PREC - 1$ do \\ |
|
|
761 \hspace{3mm}3.1 $a_n \leftarrow 0$\\ |
|
|
762 4. $a.sign \leftarrow MP\_ZPOS$\\ |
|
|
763 5. $a.used \leftarrow 0$\\ |
|
|
764 6. $a.alloc \leftarrow MP\_PREC$\\ |
|
|
765 7. Return(\textit{MP\_OKAY})\\ |
|
|
766 \hline |
|
|
767 \end{tabular} |
|
|
768 \end{center} |
|
|
769 \caption{Algorithm mp\_init} |
|
|
770 \end{figure} |
|
|
771 |
|
|
772 \textbf{Algorithm mp\_init.} |
|
|
773 The \textbf{MP\_PREC} name represents a constant\footnote{Defined in the ``tommath.h'' header file within LibTomMath.} |
|
|
774 used to dictate the minimum precision of allocated mp\_int integers. Ideally, it is at least equal to $32$ since for most |
|
|
775 purposes that will be more than enough. |
|
|
776 |
|
|
777 Memory for the default number of digits is allocated first. If the allocation fails the algorithm returns immediately |
|
|
778 with the \textbf{MP\_MEM} error code. If the allocation succeeds the remaining members of the mp\_int structure |
|
|
779 must be initialized to reflect the default initial state. |
|
|
780 |
|
|
781 The allocated digits are all set to zero (step three) to ensure they are in a known state. The \textbf{sign}, \textbf{used} |
|
|
782 and \textbf{alloc} are subsequently initialized to represent the zero integer. By step seven the algorithm returns a success |
|
|
783 code and the mp\_int $a$ has been successfully initialized to a valid state representing the integer zero. |
|
|
784 |
|
|
785 \textbf{Remark.} |
|
|
786 This function introduces the idiosyncrasy that all iterative loops, commonly initiated with the ``for'' keyword, iterate incrementally |
|
|
787 when the ``to'' keyword is placed between two expressions. For example, ``for $a$ from $b$ to $c$ do'' means that |
|
|
788 a subsequent expression (or body of expressions) are to be evaluated upto $c - b$ times so long as $b \le c$. In each |
|
|
789 iteration the variable $a$ is substituted for a new integer that lies inclusively between $b$ and $c$. If $b > c$ occured |
|
|
790 the loop would not iterate. By contrast if the ``downto'' keyword were used in place of ``to'' the loop would iterate |
|
|
791 decrementally. |
|
|
792 |
|
|
793 EXAM,bn_mp_init.c |
|
|
794 |
|
|
795 One immediate observation of this initializtion function is that it does not return a pointer to a mp\_int structure. It |
|
|
796 is assumed that the caller has already allocated memory for the mp\_int structure, typically on the application stack. The |
|
|
797 call to mp\_init() is used only to initialize the members of the structure to a known default state. |
|
|
798 |
|
|
799 Before any of the other members of the structure are initialized memory from the application heap is allocated with |
|
|
800 the calloc() function (line @22,calloc@). The size of the allocated memory is large enough to hold \textbf{MP\_PREC} |
|
|
801 mp\_digit variables. The calloc() function is used instead\footnote{calloc() will allocate memory in the same |
|
|
802 manner as malloc() except that it also sets the contents to zero upon successfully allocating the memory.} of malloc() |
|
|
803 since digits have to be set to zero for the function to finish correctly. The \textbf{OPT\_CAST} token is a macro |
|
|
804 definition which will turn into a cast from void * to mp\_digit * for C++ compilers. It is not required for C compilers. |
|
|
805 |
|
|
806 After the memory has been successfully allocated the remainder of the members are initialized |
|
|
807 (lines @29,used@ through @31,sign@) to their respective default states. At this point the algorithm has succeeded and |
|
|
808 a success code is returned to the calling function. |
|
|
809 |
|
|
810 If this function returns \textbf{MP\_OKAY} it is safe to assume the mp\_int structure has been properly initialized and |
|
|
811 is safe to use with other functions within the library. |
|
|
812 |
|
|
813 \subsection{Clearing an mp\_int} |
|
|
814 When an mp\_int is no longer required by the application, the memory that has been allocated for its digits must be |
|
|
815 returned to the application's memory pool with the mp\_clear algorithm. |
|
|
816 |
|
|
817 \begin{figure}[here] |
|
|
818 \begin{center} |
|
|
819 \begin{tabular}{l} |
|
|
820 \hline Algorithm \textbf{mp\_clear}. \\ |
|
|
821 \textbf{Input}. An mp\_int $a$ \\ |
|
|
822 \textbf{Output}. The memory for $a$ is freed for reuse. \\ |
|
|
823 \hline \\ |
|
|
824 1. If $a$ has been previously freed then return(\textit{MP\_OKAY}). \\ |
|
|
825 2. for $n$ from 0 to $a.used - 1$ do \\ |
|
|
826 \hspace{3mm}2.1 $a_n \leftarrow 0$ \\ |
|
|
827 3. Free the memory allocated for the digits of $a$. \\ |
|
|
828 4. $a.used \leftarrow 0$ \\ |
|
|
829 5. $a.alloc \leftarrow 0$ \\ |
|
|
830 6. $a.sign \leftarrow MP\_ZPOS$ \\ |
|
|
831 7. Return(\textit{MP\_OKAY}). \\ |
|
|
832 \hline |
|
|
833 \end{tabular} |
|
|
834 \end{center} |
|
|
835 \caption{Algorithm mp\_clear} |
|
|
836 \end{figure} |
|
|
837 |
|
|
838 \textbf{Algorithm mp\_clear.} |
|
|
839 This algorithm releases the memory allocated for an mp\_int back into the memory pool for reuse. It is designed |
|
|
840 such that a given mp\_int structure can be cleared multiple times between initializations without attempting to |
|
|
841 free the memory twice\footnote{In ISO C for example, calling free() twice on the same memory block causes undefinied |
|
|
842 behaviour.}. |
|
|
843 |
|
|
844 The first step determines if the mp\_int structure has been marked as free already. If it has, the algorithm returns |
|
|
845 success immediately as no further actions are required. Otherwise, the algorithm will proceed to put the structure |
|
|
846 in a known empty and otherwise invalid state. First the digits of the mp\_int are set to zero. The memory that has been allocated for the |
|
|
847 digits is then freed. The \textbf{used} and \textbf{alloc} counts are both set to zero and the \textbf{sign} set to |
|
|
848 \textbf{MP\_ZPOS}. This known fixed state for cleared mp\_int structures will make debuging easier for the end |
|
|
849 developer. That is, if they spot (via their debugger) an mp\_int they are using that is in this state it will be |
|
|
850 obvious that they erroneously and prematurely cleared the mp\_int structure. |
|
|
851 |
|
|
852 Note that once an mp\_int has been cleared the mp\_int structure is no longer in a valid state for any other algorithm |
|
|
853 with the exception of algorithms mp\_init, mp\_init\_copy, mp\_init\_size and mp\_clear. |
|
|
854 |
|
|
855 EXAM,bn_mp_clear.c |
|
|
856 |
|
|
857 The ``if'' statement (line @21,a->dp != NULL@) prevents the heap from being corrupted if a user double-frees an |
|
|
858 mp\_int. This is because once the memory is freed the pointer is set to \textbf{NULL} (line @30,NULL@). |
|
|
859 |
|
|
860 Without the check, code that accidentally calls mp\_clear twice for a given mp\_int structure would try to free the memory |
|
|
861 allocated for the digits twice. This may cause some C libraries to signal a fault. By setting the pointer to |
|
|
862 \textbf{NULL} it helps debug code that may inadvertently free the mp\_int before it is truly not needed, because attempts |
|
|
863 to reference digits should fail immediately. The allocated digits are set to zero before being freed (line @24,memset@). |
|
|
864 This is ideal for cryptographic situations where the integer that the mp\_int represents might need to be kept a secret. |
|
|
865 |
|
|
866 \section{Maintenance Algorithms} |
|
|
867 |
|
|
868 The previous sections describes how to initialize and clear an mp\_int structure. To further support operations |
|
|
869 that are to be performed on mp\_int structures (such as addition and multiplication) the dependent algorithms must be |
|
|
870 able to augment the precision of an mp\_int and |
|
|
871 initialize mp\_ints with differing initial conditions. |
|
|
872 |
|
|
873 These algorithms complete the set of low level algorithms required to work with mp\_int structures in the higher level |
|
|
874 algorithms such as addition, multiplication and modular exponentiation. |
|
|
875 |
|
|
876 \subsection{Augmenting an mp\_int's Precision} |
|
|
877 When storing a value in an mp\_int structure, a sufficient number of digits must be available to accomodate the entire |
|
|
878 result of an operation without loss of precision. Quite often the size of the array given by the \textbf{alloc} member |
|
|
879 is large enough to simply increase the \textbf{used} digit count. However, when the size of the array is too small it |
|
|
880 must be re-sized appropriately to accomodate the result. The mp\_grow algorithm will provide this functionality. |
|
|
881 |
|
|
882 \newpage\begin{figure}[here] |
|
|
883 \begin{center} |
|
|
884 \begin{tabular}{l} |
|
|
885 \hline Algorithm \textbf{mp\_grow}. \\ |
|
|
886 \textbf{Input}. An mp\_int $a$ and an integer $b$. \\ |
|
|
887 \textbf{Output}. $a$ is expanded to accomodate $b$ digits. \\ |
|
|
888 \hline \\ |
|
|
889 1. if $a.alloc \ge b$ then return(\textit{MP\_OKAY}) \\ |
|
|
890 2. $u \leftarrow b\mbox{ (mod }MP\_PREC\mbox{)}$ \\ |
|
|
891 3. $v \leftarrow b + 2 \cdot MP\_PREC - u$ \\ |
|
|
892 4. Re-Allocate the array of digits $a$ to size $v$ \\ |
|
|
893 5. If the allocation failed then return(\textit{MP\_MEM}). \\ |
|
|
894 6. for n from a.alloc to $v - 1$ do \\ |
|
|
895 \hspace{+3mm}6.1 $a_n \leftarrow 0$ \\ |
|
|
896 7. $a.alloc \leftarrow v$ \\ |
|
|
897 8. Return(\textit{MP\_OKAY}) \\ |
|
|
898 \hline |
|
|
899 \end{tabular} |
|
|
900 \end{center} |
|
|
901 \caption{Algorithm mp\_grow} |
|
|
902 \end{figure} |
|
|
903 |
|
|
904 \textbf{Algorithm mp\_grow.} |
|
|
905 It is ideal to prevent re-allocations from being performed if they are not required (step one). This is useful to |
|
|
906 prevent mp\_ints from growing excessively in code that erroneously calls mp\_grow. |
|
|
907 |
|
|
908 The requested digit count is padded up to next multiple of \textbf{MP\_PREC} plus an additional \textbf{MP\_PREC} (steps two and three). |
|
|
909 This helps prevent many trivial reallocations that would grow an mp\_int by trivially small values. |
|
|
910 |
|
|
911 It is assumed that the reallocation (step four) leaves the lower $a.alloc$ digits of the mp\_int intact. This is much |
|
|
912 akin to how the \textit{realloc} function from the standard C library works. Since the newly allocated digits are |
|
|
913 assumed to contain undefined values they are initially set to zero. |
|
|
914 |
|
|
915 EXAM,bn_mp_grow.c |
|
|
916 |
|
|
917 The first step is to see if we actually need to perform a re-allocation at all (line @24,a->alloc < size@). If a reallocation |
|
|
918 must occur the digit count is padded upwards to help prevent many trivial reallocations (line @28,size@). Next the reallocation is performed |
|
|
919 and the return of realloc() is stored in a temporary pointer named $tmp$ (line @36,realloc@). The return is stored in a temporary |
|
|
920 instead of $a.dp$ to prevent the code from losing the original pointer in case the reallocation fails. Had the return been stored |
|
|
921 in $a.dp$ instead there would be no way to reclaim the heap originally used. |
|
|
922 |
|
|
923 If the reallocation fails the function will return \textbf{MP\_MEM} (line @39,return@), otherwise, the value of $tmp$ is assigned |
|
|
924 to the pointer $a.dp$ and the function continues. A simple for loop from line @48,a->alloc@ to line @50,}@ will zero all digits |
|
|
925 that were above the old \textbf{alloc} limit to make sure the integer is in a known state. |
|
|
926 |
|
|
927 \subsection{Initializing Variable Precision mp\_ints} |
|
|
928 Occasionally the number of digits required will be known in advance of an initialization, based on, for example, the size |
|
|
929 of input mp\_ints to a given algorithm. The purpose of algorithm mp\_init\_size is similar to mp\_init except that it |
|
|
930 will allocate \textit{at least} a specified number of digits. |
|
|
931 |
|
|
932 \begin{figure}[here] |
|
|
933 \begin{small} |
|
|
934 \begin{center} |
|
|
935 \begin{tabular}{l} |
|
|
936 \hline Algorithm \textbf{mp\_init\_size}. \\ |
|
|
937 \textbf{Input}. An mp\_int $a$ and the requested number of digits $b$. \\ |
|
|
938 \textbf{Output}. $a$ is initialized to hold at least $b$ digits. \\ |
|
|
939 \hline \\ |
|
|
940 1. $u \leftarrow b \mbox{ (mod }MP\_PREC\mbox{)}$ \\ |
|
|
941 2. $v \leftarrow b + 2 \cdot MP\_PREC - u$ \\ |
|
|
942 3. Allocate $v$ digits. \\ |
|
|
943 4. for $n$ from $0$ to $v - 1$ do \\ |
|
|
944 \hspace{3mm}4.1 $a_n \leftarrow 0$ \\ |
|
|
945 5. $a.sign \leftarrow MP\_ZPOS$\\ |
|
|
946 6. $a.used \leftarrow 0$\\ |
|
|
947 7. $a.alloc \leftarrow v$\\ |
|
|
948 8. Return(\textit{MP\_OKAY})\\ |
|
|
949 \hline |
|
|
950 \end{tabular} |
|
|
951 \end{center} |
|
|
952 \end{small} |
|
|
953 \caption{Algorithm mp\_init\_size} |
|
|
954 \end{figure} |
|
|
955 |
|
|
956 \textbf{Algorithm mp\_init\_size.} |
|
|
957 This algorithm will initialize an mp\_int structure $a$ like algorithm mp\_init with the exception that the number of |
|
|
958 digits allocated can be controlled by the second input argument $b$. The input size is padded upwards so it is a |
|
|
959 multiple of \textbf{MP\_PREC} plus an additional \textbf{MP\_PREC} digits. This padding is used to prevent trivial |
|
|
960 allocations from becoming a bottleneck in the rest of the algorithms. |
|
|
961 |
|
|
962 Like algorithm mp\_init, the mp\_int structure is initialized to a default state representing the integer zero. This |
|
|
963 particular algorithm is useful if it is known ahead of time the approximate size of the input. If the approximation is |
|
|
964 correct no further memory re-allocations are required to work with the mp\_int. |
|
|
965 |
|
|
966 EXAM,bn_mp_init_size.c |
|
|
967 |
|
|
968 The number of digits $b$ requested is padded (line @22,MP_PREC@) by first augmenting it to the next multiple of |
|
|
969 \textbf{MP\_PREC} and then adding \textbf{MP\_PREC} to the result. If the memory can be successfully allocated the |
|
|
970 mp\_int is placed in a default state representing the integer zero. Otherwise, the error code \textbf{MP\_MEM} will be |
|
|
971 returned (line @27,return@). |
|
|
972 |
|
|
973 The digits are allocated and set to zero at the same time with the calloc() function (line @25,calloc@). The |
|
|
974 \textbf{used} count is set to zero, the \textbf{alloc} count set to the padded digit count and the \textbf{sign} flag set |
|
|
975 to \textbf{MP\_ZPOS} to achieve a default valid mp\_int state (lines @29,used@, @30,alloc@ and @31,sign@). If the function |
|
|
976 returns succesfully then it is correct to assume that the mp\_int structure is in a valid state for the remainder of the |
|
|
977 functions to work with. |
|
|
978 |
|
|
979 \subsection{Multiple Integer Initializations and Clearings} |
|
|
980 Occasionally a function will require a series of mp\_int data types to be made available simultaneously. |
|
|
981 The purpose of algorithm mp\_init\_multi is to initialize a variable length array of mp\_int structures in a single |
|
|
982 statement. It is essentially a shortcut to multiple initializations. |
|
|
983 |
|
|
984 \newpage\begin{figure}[here] |
|
|
985 \begin{center} |
|
|
986 \begin{tabular}{l} |
|
|
987 \hline Algorithm \textbf{mp\_init\_multi}. \\ |
|
|
988 \textbf{Input}. Variable length array $V_k$ of mp\_int variables of length $k$. \\ |
|
|
989 \textbf{Output}. The array is initialized such that each mp\_int of $V_k$ is ready to use. \\ |
|
|
990 \hline \\ |
|
|
991 1. for $n$ from 0 to $k - 1$ do \\ |
|
|
992 \hspace{+3mm}1.1. Initialize the mp\_int $V_n$ (\textit{mp\_init}) \\ |
|
|
993 \hspace{+3mm}1.2. If initialization failed then do \\ |
|
|
994 \hspace{+6mm}1.2.1. for $j$ from $0$ to $n$ do \\ |
|
|
995 \hspace{+9mm}1.2.1.1. Free the mp\_int $V_j$ (\textit{mp\_clear}) \\ |
|
|
996 \hspace{+6mm}1.2.2. Return(\textit{MP\_MEM}) \\ |
|
|
997 2. Return(\textit{MP\_OKAY}) \\ |
|
|
998 \hline |
|
|
999 \end{tabular} |
|
|
1000 \end{center} |
|
|
1001 \caption{Algorithm mp\_init\_multi} |
|
|
1002 \end{figure} |
|
|
1003 |
|
|
1004 \textbf{Algorithm mp\_init\_multi.} |
|
|
1005 The algorithm will initialize the array of mp\_int variables one at a time. If a runtime error has been detected |
|
|
1006 (\textit{step 1.2}) all of the previously initialized variables are cleared. The goal is an ``all or nothing'' |
|
|
1007 initialization which allows for quick recovery from runtime errors. |
|
|
1008 |
|
|
1009 EXAM,bn_mp_init_multi.c |
|
|
1010 |
|
|
1011 This function intializes a variable length list of mp\_int structure pointers. However, instead of having the mp\_int |
|
|
1012 structures in an actual C array they are simply passed as arguments to the function. This function makes use of the |
|
|
1013 ``...'' argument syntax of the C programming language. The list is terminated with a final \textbf{NULL} argument |
|
|
1014 appended on the right. |
|
|
1015 |
|
|
1016 The function uses the ``stdarg.h'' \textit{va} functions to step portably through the arguments to the function. A count |
|
|
1017 $n$ of succesfully initialized mp\_int structures is maintained (line @47,n++@) such that if a failure does occur, |
|
|
1018 the algorithm can backtrack and free the previously initialized structures (lines @27,if@ to @46,}@). |
|
|
1019 |
|
|
1020 |
|
|
1021 \subsection{Clamping Excess Digits} |
|
|
1022 When a function anticipates a result will be $n$ digits it is simpler to assume this is true within the body of |
|
|
1023 the function instead of checking during the computation. For example, a multiplication of a $i$ digit number by a |
|
|
1024 $j$ digit produces a result of at most $i + j$ digits. It is entirely possible that the result is $i + j - 1$ |
|
|
1025 though, with no final carry into the last position. However, suppose the destination had to be first expanded |
|
|
1026 (\textit{via mp\_grow}) to accomodate $i + j - 1$ digits than further expanded to accomodate the final carry. |
|
|
1027 That would be a considerable waste of time since heap operations are relatively slow. |
|
|
1028 |
|
|
1029 The ideal solution is to always assume the result is $i + j$ and fix up the \textbf{used} count after the function |
|
|
1030 terminates. This way a single heap operation (\textit{at most}) is required. However, if the result was not checked |
|
|
1031 there would be an excess high order zero digit. |
|
|
1032 |
|
|
1033 For example, suppose the product of two integers was $x_n = (0x_{n-1}x_{n-2}...x_0)_{\beta}$. The leading zero digit |
|
|
1034 will not contribute to the precision of the result. In fact, through subsequent operations more leading zero digits would |
|
|
1035 accumulate to the point the size of the integer would be prohibitive. As a result even though the precision is very |
|
|
1036 low the representation is excessively large. |
|
|
1037 |
|
|
1038 The mp\_clamp algorithm is designed to solve this very problem. It will trim high-order zeros by decrementing the |
|
|
1039 \textbf{used} count until a non-zero most significant digit is found. Also in this system, zero is considered to be a |
|
|
1040 positive number which means that if the \textbf{used} count is decremented to zero, the sign must be set to |
|
|
1041 \textbf{MP\_ZPOS}. |
|
|
1042 |
|
|
1043 \begin{figure}[here] |
|
|
1044 \begin{center} |
|
|
1045 \begin{tabular}{l} |
|
|
1046 \hline Algorithm \textbf{mp\_clamp}. \\ |
|
|
1047 \textbf{Input}. An mp\_int $a$ \\ |
|
|
1048 \textbf{Output}. Any excess leading zero digits of $a$ are removed \\ |
|
|
1049 \hline \\ |
|
|
1050 1. while $a.used > 0$ and $a_{a.used - 1} = 0$ do \\ |
|
|
1051 \hspace{+3mm}1.1 $a.used \leftarrow a.used - 1$ \\ |
|
|
1052 2. if $a.used = 0$ then do \\ |
|
|
1053 \hspace{+3mm}2.1 $a.sign \leftarrow MP\_ZPOS$ \\ |
|
|
1054 \hline \\ |
|
|
1055 \end{tabular} |
|
|
1056 \end{center} |
|
|
1057 \caption{Algorithm mp\_clamp} |
|
|
1058 \end{figure} |
|
|
1059 |
|
|
1060 \textbf{Algorithm mp\_clamp.} |
|
|
1061 As can be expected this algorithm is very simple. The loop on step one is expected to iterate only once or twice at |
|
|
1062 the most. For example, this will happen in cases where there is not a carry to fill the last position. Step two fixes the sign for |
|
|
1063 when all of the digits are zero to ensure that the mp\_int is valid at all times. |
|
|
1064 |
|
|
1065 EXAM,bn_mp_clamp.c |
|
|
1066 |
|
|
1067 Note on line @27,while@ how to test for the \textbf{used} count is made on the left of the \&\& operator. In the C programming |
|
|
1068 language the terms to \&\& are evaluated left to right with a boolean short-circuit if any condition fails. This is |
|
|
1069 important since if the \textbf{used} is zero the test on the right would fetch below the array. That is obviously |
|
|
1070 undesirable. The parenthesis on line @28,a->used@ is used to make sure the \textbf{used} count is decremented and not |
|
|
1071 the pointer ``a''. |
|
|
1072 |
|
|
1073 \section*{Exercises} |
|
|
1074 \begin{tabular}{cl} |
|
|
1075 $\left [ 1 \right ]$ & Discuss the relevance of the \textbf{used} member of the mp\_int structure. \\ |
|
|
1076 & \\ |
|
|
1077 $\left [ 1 \right ]$ & Discuss the consequences of not using padding when performing allocations. \\ |
|
|
1078 & \\ |
|
|
1079 $\left [ 2 \right ]$ & Estimate an ideal value for \textbf{MP\_PREC} when performing 1024-bit RSA \\ |
|
|
1080 & encryption when $\beta = 2^{28}$. \\ |
|
|
1081 & \\ |
|
|
1082 $\left [ 1 \right ]$ & Discuss the relevance of the algorithm mp\_clamp. What does it prevent? \\ |
|
|
1083 & \\ |
|
|
1084 $\left [ 1 \right ]$ & Give an example of when the algorithm mp\_init\_copy might be useful. \\ |
|
|
1085 & \\ |
|
|
1086 \end{tabular} |
|
|
1087 |
|
|
1088 |
|
|
1089 %%% |
|
|
1090 % CHAPTER FOUR |
|
|
1091 %%% |
|
|
1092 |
|
|
1093 \chapter{Basic Operations} |
|
|
1094 |
|
|
1095 \section{Introduction} |
|
|
1096 In the previous chapter a series of low level algorithms were established that dealt with initializing and maintaining |
|
|
1097 mp\_int structures. This chapter will discuss another set of seemingly non-algebraic algorithms which will form the low |
|
|
1098 level basis of the entire library. While these algorithm are relatively trivial it is important to understand how they |
|
|
1099 work before proceeding since these algorithms will be used almost intrinsically in the following chapters. |
|
|
1100 |
|
|
1101 The algorithms in this chapter deal primarily with more ``programmer'' related tasks such as creating copies of |
|
|
1102 mp\_int structures, assigning small values to mp\_int structures and comparisons of the values mp\_int structures |
|
|
1103 represent. |
|
|
1104 |
|
|
1105 \section{Assigning Values to mp\_int Structures} |
|
|
1106 \subsection{Copying an mp\_int} |
|
|
1107 Assigning the value that a given mp\_int structure represents to another mp\_int structure shall be known as making |
|
|
1108 a copy for the purposes of this text. The copy of the mp\_int will be a separate entity that represents the same |
|
|
1109 value as the mp\_int it was copied from. The mp\_copy algorithm provides this functionality. |
|
|
1110 |
|
|
1111 \newpage\begin{figure}[here] |
|
|
1112 \begin{center} |
|
|
1113 \begin{tabular}{l} |
|
|
1114 \hline Algorithm \textbf{mp\_copy}. \\ |
|
|
1115 \textbf{Input}. An mp\_int $a$ and $b$. \\ |
|
|
1116 \textbf{Output}. Store a copy of $a$ in $b$. \\ |
|
|
1117 \hline \\ |
|
|
1118 1. If $b.alloc < a.used$ then grow $b$ to $a.used$ digits. (\textit{mp\_grow}) \\ |
|
|
1119 2. for $n$ from 0 to $a.used - 1$ do \\ |
|
|
1120 \hspace{3mm}2.1 $b_{n} \leftarrow a_{n}$ \\ |
|
|
1121 3. for $n$ from $a.used$ to $b.used - 1$ do \\ |
|
|
1122 \hspace{3mm}3.1 $b_{n} \leftarrow 0$ \\ |
|
|
1123 4. $b.used \leftarrow a.used$ \\ |
|
|
1124 5. $b.sign \leftarrow a.sign$ \\ |
|
|
1125 6. return(\textit{MP\_OKAY}) \\ |
|
|
1126 \hline |
|
|
1127 \end{tabular} |
|
|
1128 \end{center} |
|
|
1129 \caption{Algorithm mp\_copy} |
|
|
1130 \end{figure} |
|
|
1131 |
|
|
1132 \textbf{Algorithm mp\_copy.} |
|
|
1133 This algorithm copies the mp\_int $a$ such that upon succesful termination of the algorithm the mp\_int $b$ will |
|
|
1134 represent the same integer as the mp\_int $a$. The mp\_int $b$ shall be a complete and distinct copy of the |
|
|
1135 mp\_int $a$ meaing that the mp\_int $a$ can be modified and it shall not affect the value of the mp\_int $b$. |
|
|
1136 |
|
|
1137 If $b$ does not have enough room for the digits of $a$ it must first have its precision augmented via the mp\_grow |
|
|
1138 algorithm. The digits of $a$ are copied over the digits of $b$ and any excess digits of $b$ are set to zero (step two |
|
|
1139 and three). The \textbf{used} and \textbf{sign} members of $a$ are finally copied over the respective members of |
|
|
1140 $b$. |
|
|
1141 |
|
|
1142 \textbf{Remark.} This algorithm also introduces a new idiosyncrasy that will be used throughout the rest of the |
|
|
1143 text. The error return codes of other algorithms are not explicitly checked in the pseudo-code presented. For example, in |
|
|
1144 step one of the mp\_copy algorithm the return of mp\_grow is not explicitly checked to ensure it succeeded. Text space is |
|
|
1145 limited so it is assumed that if a algorithm fails it will clear all temporarily allocated mp\_ints and return |
|
|
1146 the error code itself. However, the C code presented will demonstrate all of the error handling logic required to |
|
|
1147 implement the pseudo-code. |
|
|
1148 |
|
|
1149 EXAM,bn_mp_copy.c |
|
|
1150 |
|
|
1151 Occasionally a dependent algorithm may copy an mp\_int effectively into itself such as when the input and output |
|
|
1152 mp\_int structures passed to a function are one and the same. For this case it is optimal to return immediately without |
|
|
1153 copying digits (line @24,a == b@). |
|
|
1154 |
|
|
1155 The mp\_int $b$ must have enough digits to accomodate the used digits of the mp\_int $a$. If $b.alloc$ is less than |
|
|
1156 $a.used$ the algorithm mp\_grow is used to augment the precision of $b$ (lines @29,alloc@ to @33,}@). In order to |
|
|
1157 simplify the inner loop that copies the digits from $a$ to $b$, two aliases $tmpa$ and $tmpb$ point directly at the digits |
|
|
1158 of the mp\_ints $a$ and $b$ respectively. These aliases (lines @42,tmpa@ and @45,tmpb@) allow the compiler to access the digits without first dereferencing the |
|
|
1159 mp\_int pointers and then subsequently the pointer to the digits. |
|
|
1160 |
|
|
1161 After the aliases are established the digits from $a$ are copied into $b$ (lines @48,for@ to @50,}@) and then the excess |
|
|
1162 digits of $b$ are set to zero (lines @53,for@ to @55,}@). Both ``for'' loops make use of the pointer aliases and in |
|
|
1163 fact the alias for $b$ is carried through into the second ``for'' loop to clear the excess digits. This optimization |
|
|
1164 allows the alias to stay in a machine register fairly easy between the two loops. |
|
|
1165 |
|
|
1166 \textbf{Remarks.} The use of pointer aliases is an implementation methodology first introduced in this function that will |
|
|
1167 be used considerably in other functions. Technically, a pointer alias is simply a short hand alias used to lower the |
|
|
1168 number of pointer dereferencing operations required to access data. For example, a for loop may resemble |
|
|
1169 |
|
|
1170 \begin{alltt} |
|
|
1171 for (x = 0; x < 100; x++) \{ |
|
|
1172 a->num[4]->dp[x] = 0; |
|
|
1173 \} |
|
|
1174 \end{alltt} |
|
|
1175 |
|
|
1176 This could be re-written using aliases as |
|
|
1177 |
|
|
1178 \begin{alltt} |
|
|
1179 mp_digit *tmpa; |
|
|
1180 a = a->num[4]->dp; |
|
|
1181 for (x = 0; x < 100; x++) \{ |
|
|
1182 *a++ = 0; |
|
|
1183 \} |
|
|
1184 \end{alltt} |
|
|
1185 |
|
|
1186 In this case an alias is used to access the |
|
|
1187 array of digits within an mp\_int structure directly. It may seem that a pointer alias is strictly not required |
|
|
1188 as a compiler may optimize out the redundant pointer operations. However, there are two dominant reasons to use aliases. |
|
|
1189 |
|
|
1190 The first reason is that most compilers will not effectively optimize pointer arithmetic. For example, some optimizations |
|
|
1191 may work for the Microsoft Visual C++ compiler (MSVC) and not for the GNU C Compiler (GCC). Also some optimizations may |
|
|
1192 work for GCC and not MSVC. As such it is ideal to find a common ground for as many compilers as possible. Pointer |
|
|
1193 aliases optimize the code considerably before the compiler even reads the source code which means the end compiled code |
|
|
1194 stands a better chance of being faster. |
|
|
1195 |
|
|
1196 The second reason is that pointer aliases often can make an algorithm simpler to read. Consider the first ``for'' |
|
|
1197 loop of the function mp\_copy() re-written to not use pointer aliases. |
|
|
1198 |
|
|
1199 \begin{alltt} |
|
|
1200 /* copy all the digits */ |
|
|
1201 for (n = 0; n < a->used; n++) \{ |
|
|
1202 b->dp[n] = a->dp[n]; |
|
|
1203 \} |
|
|
1204 \end{alltt} |
|
|
1205 |
|
|
1206 Whether this code is harder to read depends strongly on the individual. However, it is quantifiably slightly more |
|
|
1207 complicated as there are four variables within the statement instead of just two. |
|
|
1208 |
|
|
1209 \subsubsection{Nested Statements} |
|
|
1210 Another commonly used technique in the source routines is that certain sections of code are nested. This is used in |
|
|
1211 particular with the pointer aliases to highlight code phases. For example, a Comba multiplier (discussed in chapter six) |
|
|
1212 will typically have three different phases. First the temporaries are initialized, then the columns calculated and |
|
|
1213 finally the carries are propagated. In this example the middle column production phase will typically be nested as it |
|
|
1214 uses temporary variables and aliases the most. |
|
|
1215 |
|
|
1216 The nesting also simplies the source code as variables that are nested are only valid for their scope. As a result |
|
|
1217 the various temporary variables required do not propagate into other sections of code. |
|
|
1218 |
|
|
1219 |
|
|
1220 \subsection{Creating a Clone} |
|
|
1221 Another common operation is to make a local temporary copy of an mp\_int argument. To initialize an mp\_int |
|
|
1222 and then copy another existing mp\_int into the newly intialized mp\_int will be known as creating a clone. This is |
|
|
1223 useful within functions that need to modify an argument but do not wish to actually modify the original copy. The |
|
|
1224 mp\_init\_copy algorithm has been designed to help perform this task. |
|
|
1225 |
|
|
1226 \begin{figure}[here] |
|
|
1227 \begin{center} |
|
|
1228 \begin{tabular}{l} |
|
|
1229 \hline Algorithm \textbf{mp\_init\_copy}. \\ |
|
|
1230 \textbf{Input}. An mp\_int $a$ and $b$\\ |
|
|
1231 \textbf{Output}. $a$ is initialized to be a copy of $b$. \\ |
|
|
1232 \hline \\ |
|
|
1233 1. Init $a$. (\textit{mp\_init}) \\ |
|
|
1234 2. Copy $b$ to $a$. (\textit{mp\_copy}) \\ |
|
|
1235 3. Return the status of the copy operation. \\ |
|
|
1236 \hline |
|
|
1237 \end{tabular} |
|
|
1238 \end{center} |
|
|
1239 \caption{Algorithm mp\_init\_copy} |
|
|
1240 \end{figure} |
|
|
1241 |
|
|
1242 \textbf{Algorithm mp\_init\_copy.} |
|
|
1243 This algorithm will initialize an mp\_int variable and copy another previously initialized mp\_int variable into it. As |
|
|
1244 such this algorithm will perform two operations in one step. |
|
|
1245 |
|
|
1246 EXAM,bn_mp_init_copy.c |
|
|
1247 |
|
|
1248 This will initialize \textbf{a} and make it a verbatim copy of the contents of \textbf{b}. Note that |
|
|
1249 \textbf{a} will have its own memory allocated which means that \textbf{b} may be cleared after the call |
|
|
1250 and \textbf{a} will be left intact. |
|
|
1251 |
|
|
1252 \section{Zeroing an Integer} |
|
|
1253 Reseting an mp\_int to the default state is a common step in many algorithms. The mp\_zero algorithm will be the algorithm used to |
|
|
1254 perform this task. |
|
|
1255 |
|
|
1256 \begin{figure}[here] |
|
|
1257 \begin{center} |
|
|
1258 \begin{tabular}{l} |
|
|
1259 \hline Algorithm \textbf{mp\_zero}. \\ |
|
|
1260 \textbf{Input}. An mp\_int $a$ \\ |
|
|
1261 \textbf{Output}. Zero the contents of $a$ \\ |
|
|
1262 \hline \\ |
|
|
1263 1. $a.used \leftarrow 0$ \\ |
|
|
1264 2. $a.sign \leftarrow$ MP\_ZPOS \\ |
|
|
1265 3. for $n$ from 0 to $a.alloc - 1$ do \\ |
|
|
1266 \hspace{3mm}3.1 $a_n \leftarrow 0$ \\ |
|
|
1267 \hline |
|
|
1268 \end{tabular} |
|
|
1269 \end{center} |
|
|
1270 \caption{Algorithm mp\_zero} |
|
|
1271 \end{figure} |
|
|
1272 |
|
|
1273 \textbf{Algorithm mp\_zero.} |
|
|
1274 This algorithm simply resets a mp\_int to the default state. |
|
|
1275 |
|
|
1276 EXAM,bn_mp_zero.c |
|
|
1277 |
|
|
1278 After the function is completed, all of the digits are zeroed, the \textbf{used} count is zeroed and the |
|
|
1279 \textbf{sign} variable is set to \textbf{MP\_ZPOS}. |
|
|
1280 |
|
|
1281 \section{Sign Manipulation} |
|
|
1282 \subsection{Absolute Value} |
|
|
1283 With the mp\_int representation of an integer, calculating the absolute value is trivial. The mp\_abs algorithm will compute |
|
|
1284 the absolute value of an mp\_int. |
|
|
1285 |
|
|
1286 \newpage\begin{figure}[here] |
|
|
1287 \begin{center} |
|
|
1288 \begin{tabular}{l} |
|
|
1289 \hline Algorithm \textbf{mp\_abs}. \\ |
|
|
1290 \textbf{Input}. An mp\_int $a$ \\ |
|
|
1291 \textbf{Output}. Computes $b = \vert a \vert$ \\ |
|
|
1292 \hline \\ |
|
|
1293 1. Copy $a$ to $b$. (\textit{mp\_copy}) \\ |
|
|
1294 2. If the copy failed return(\textit{MP\_MEM}). \\ |
|
|
1295 3. $b.sign \leftarrow MP\_ZPOS$ \\ |
|
|
1296 4. Return(\textit{MP\_OKAY}) \\ |
|
|
1297 \hline |
|
|
1298 \end{tabular} |
|
|
1299 \end{center} |
|
|
1300 \caption{Algorithm mp\_abs} |
|
|
1301 \end{figure} |
|
|
1302 |
|
|
1303 \textbf{Algorithm mp\_abs.} |
|
|
1304 This algorithm computes the absolute of an mp\_int input. First it copies $a$ over $b$. This is an example of an |
|
|
1305 algorithm where the check in mp\_copy that determines if the source and destination are equal proves useful. This allows, |
|
|
1306 for instance, the developer to pass the same mp\_int as the source and destination to this function without addition |
|
|
1307 logic to handle it. |
|
|
1308 |
|
|
1309 EXAM,bn_mp_abs.c |
|
|
1310 |
|
|
1311 \subsection{Integer Negation} |
|
|
1312 With the mp\_int representation of an integer, calculating the negation is also trivial. The mp\_neg algorithm will compute |
|
|
1313 the negative of an mp\_int input. |
|
|
1314 |
|
|
1315 \begin{figure}[here] |
|
|
1316 \begin{center} |
|
|
1317 \begin{tabular}{l} |
|
|
1318 \hline Algorithm \textbf{mp\_neg}. \\ |
|
|
1319 \textbf{Input}. An mp\_int $a$ \\ |
|
|
1320 \textbf{Output}. Computes $b = -a$ \\ |
|
|
1321 \hline \\ |
|
|
1322 1. Copy $a$ to $b$. (\textit{mp\_copy}) \\ |
|
|
1323 2. If the copy failed return(\textit{MP\_MEM}). \\ |
|
|
1324 3. If $a.used = 0$ then return(\textit{MP\_OKAY}). \\ |
|
|
1325 4. If $a.sign = MP\_ZPOS$ then do \\ |
|
|
1326 \hspace{3mm}4.1 $b.sign = MP\_NEG$. \\ |
|
|
1327 5. else do \\ |
|
|
1328 \hspace{3mm}5.1 $b.sign = MP\_ZPOS$. \\ |
|
|
1329 6. Return(\textit{MP\_OKAY}) \\ |
|
|
1330 \hline |
|
|
1331 \end{tabular} |
|
|
1332 \end{center} |
|
|
1333 \caption{Algorithm mp\_neg} |
|
|
1334 \end{figure} |
|
|
1335 |
|
|
1336 \textbf{Algorithm mp\_neg.} |
|
|
1337 This algorithm computes the negation of an input. First it copies $a$ over $b$. If $a$ has no used digits then |
|
|
1338 the algorithm returns immediately. Otherwise it flips the sign flag and stores the result in $b$. Note that if |
|
|
1339 $a$ had no digits then it must be positive by definition. Had step three been omitted then the algorithm would return |
|
|
1340 zero as negative. |
|
|
1341 |
|
|
1342 EXAM,bn_mp_neg.c |
|
|
1343 |
|
|
1344 \section{Small Constants} |
|
|
1345 \subsection{Setting Small Constants} |
|
|
1346 Often a mp\_int must be set to a relatively small value such as $1$ or $2$. For these cases the mp\_set algorithm is useful. |
|
|
1347 |
|
|
1348 \begin{figure}[here] |
|
|
1349 \begin{center} |
|
|
1350 \begin{tabular}{l} |
|
|
1351 \hline Algorithm \textbf{mp\_set}. \\ |
|
|
1352 \textbf{Input}. An mp\_int $a$ and a digit $b$ \\ |
|
|
1353 \textbf{Output}. Make $a$ equivalent to $b$ \\ |
|
|
1354 \hline \\ |
|
|
1355 1. Zero $a$ (\textit{mp\_zero}). \\ |
|
|
1356 2. $a_0 \leftarrow b \mbox{ (mod }\beta\mbox{)}$ \\ |
|
|
1357 3. $a.used \leftarrow \left \lbrace \begin{array}{ll} |
|
|
1358 1 & \mbox{if }a_0 > 0 \\ |
|
|
1359 0 & \mbox{if }a_0 = 0 |
|
|
1360 \end{array} \right .$ \\ |
|
|
1361 \hline |
|
|
1362 \end{tabular} |
|
|
1363 \end{center} |
|
|
1364 \caption{Algorithm mp\_set} |
|
|
1365 \end{figure} |
|
|
1366 |
|
|
1367 \textbf{Algorithm mp\_set.} |
|
|
1368 This algorithm sets a mp\_int to a small single digit value. Step number 1 ensures that the integer is reset to the default state. The |
|
|
1369 single digit is set (\textit{modulo $\beta$}) and the \textbf{used} count is adjusted accordingly. |
|
|
1370 |
|
|
1371 EXAM,bn_mp_set.c |
|
|
1372 |
|
|
1373 Line @21,mp_zero@ calls mp\_zero() to clear the mp\_int and reset the sign. Line @22,MP_MASK@ copies the digit |
|
|
1374 into the least significant location. Note the usage of a new constant \textbf{MP\_MASK}. This constant is used to quickly |
|
|
1375 reduce an integer modulo $\beta$. Since $\beta$ is of the form $2^k$ for any suitable $k$ it suffices to perform a binary AND with |
|
|
1376 $MP\_MASK = 2^k - 1$ to perform the reduction. Finally line @23,a->used@ will set the \textbf{used} member with respect to the |
|
|
1377 digit actually set. This function will always make the integer positive. |
|
|
1378 |
|
|
1379 One important limitation of this function is that it will only set one digit. The size of a digit is not fixed, meaning source that uses |
|
|
1380 this function should take that into account. Only trivially small constants can be set using this function. |
|
|
1381 |
|
|
1382 \subsection{Setting Large Constants} |
|
|
1383 To overcome the limitations of the mp\_set algorithm the mp\_set\_int algorithm is ideal. It accepts a ``long'' |
|
|
1384 data type as input and will always treat it as a 32-bit integer. |
|
|
1385 |
|
|
1386 \begin{figure}[here] |
|
|
1387 \begin{center} |
|
|
1388 \begin{tabular}{l} |
|
|
1389 \hline Algorithm \textbf{mp\_set\_int}. \\ |
|
|
1390 \textbf{Input}. An mp\_int $a$ and a ``long'' integer $b$ \\ |
|
|
1391 \textbf{Output}. Make $a$ equivalent to $b$ \\ |
|
|
1392 \hline \\ |
|
|
1393 1. Zero $a$ (\textit{mp\_zero}) \\ |
|
|
1394 2. for $n$ from 0 to 7 do \\ |
|
|
1395 \hspace{3mm}2.1 $a \leftarrow a \cdot 16$ (\textit{mp\_mul2d}) \\ |
|
|
1396 \hspace{3mm}2.2 $u \leftarrow \lfloor b / 2^{4(7 - n)} \rfloor \mbox{ (mod }16\mbox{)}$\\ |
|
|
1397 \hspace{3mm}2.3 $a_0 \leftarrow a_0 + u$ \\ |
|
|
1398 \hspace{3mm}2.4 $a.used \leftarrow a.used + 1$ \\ |
|
|
1399 3. Clamp excess used digits (\textit{mp\_clamp}) \\ |
|
|
1400 \hline |
|
|
1401 \end{tabular} |
|
|
1402 \end{center} |
|
|
1403 \caption{Algorithm mp\_set\_int} |
|
|
1404 \end{figure} |
|
|
1405 |
|
|
1406 \textbf{Algorithm mp\_set\_int.} |
|
|
1407 The algorithm performs eight iterations of a simple loop where in each iteration four bits from the source are added to the |
|
|
1408 mp\_int. Step 2.1 will multiply the current result by sixteen making room for four more bits in the less significant positions. In step 2.2 the |
|
|
1409 next four bits from the source are extracted and are added to the mp\_int. The \textbf{used} digit count is |
|
|
1410 incremented to reflect the addition. The \textbf{used} digit counter is incremented since if any of the leading digits were zero the mp\_int would have |
|
|
1411 zero digits used and the newly added four bits would be ignored. |
|
|
1412 |
|
|
1413 Excess zero digits are trimmed in steps 2.1 and 3 by using higher level algorithms mp\_mul2d and mp\_clamp. |
|
|
1414 |
|
|
1415 EXAM,bn_mp_set_int.c |
|
|
1416 |
|
|
1417 This function sets four bits of the number at a time to handle all practical \textbf{DIGIT\_BIT} sizes. The weird |
|
|
1418 addition on line @38,a->used@ ensures that the newly added in bits are added to the number of digits. While it may not |
|
|
1419 seem obvious as to why the digit counter does not grow exceedingly large it is because of the shift on line @27,mp_mul_2d@ |
|
|
1420 as well as the call to mp\_clamp() on line @40,mp_clamp@. Both functions will clamp excess leading digits which keeps |
|
|
1421 the number of used digits low. |
|
|
1422 |
|
|
1423 \section{Comparisons} |
|
|
1424 \subsection{Unsigned Comparisions} |
|
|
1425 Comparing a multiple precision integer is performed with the exact same algorithm used to compare two decimal numbers. For example, |
|
|
1426 to compare $1,234$ to $1,264$ the digits are extracted by their positions. That is we compare $1 \cdot 10^3 + 2 \cdot 10^2 + 3 \cdot 10^1 + 4 \cdot 10^0$ |
|
|
1427 to $1 \cdot 10^3 + 2 \cdot 10^2 + 6 \cdot 10^1 + 4 \cdot 10^0$ by comparing single digits at a time starting with the highest magnitude |
|
|
1428 positions. If any leading digit of one integer is greater than a digit in the same position of another integer then obviously it must be greater. |
|
|
1429 |
|
|
1430 The first comparision routine that will be developed is the unsigned magnitude compare which will perform a comparison based on the digits of two |
|
|
1431 mp\_int variables alone. It will ignore the sign of the two inputs. Such a function is useful when an absolute comparison is required or if the |
|
|
1432 signs are known to agree in advance. |
|
|
1433 |
|
|
1434 To facilitate working with the results of the comparison functions three constants are required. |
|
|
1435 |
|
|
1436 \begin{figure}[here] |
|
|
1437 \begin{center} |
|
|
1438 \begin{tabular}{|r|l|} |
|
|
1439 \hline \textbf{Constant} & \textbf{Meaning} \\ |
|
|
1440 \hline \textbf{MP\_GT} & Greater Than \\ |
|
|
1441 \hline \textbf{MP\_EQ} & Equal To \\ |
|
|
1442 \hline \textbf{MP\_LT} & Less Than \\ |
|
|
1443 \hline |
|
|
1444 \end{tabular} |
|
|
1445 \end{center} |
|
|
1446 \caption{Comparison Return Codes} |
|
|
1447 \end{figure} |
|
|
1448 |
|
|
1449 \begin{figure}[here] |
|
|
1450 \begin{center} |
|
|
1451 \begin{tabular}{l} |
|
|
1452 \hline Algorithm \textbf{mp\_cmp\_mag}. \\ |
|
|
1453 \textbf{Input}. Two mp\_ints $a$ and $b$. \\ |
|
|
1454 \textbf{Output}. Unsigned comparison results ($a$ to the left of $b$). \\ |
|
|
1455 \hline \\ |
|
|
1456 1. If $a.used > b.used$ then return(\textit{MP\_GT}) \\ |
|
|
1457 2. If $a.used < b.used$ then return(\textit{MP\_LT}) \\ |
|
|
1458 3. for n from $a.used - 1$ to 0 do \\ |
|
|
1459 \hspace{+3mm}3.1 if $a_n > b_n$ then return(\textit{MP\_GT}) \\ |
|
|
1460 \hspace{+3mm}3.2 if $a_n < b_n$ then return(\textit{MP\_LT}) \\ |
|
|
1461 4. Return(\textit{MP\_EQ}) \\ |
|
|
1462 \hline |
|
|
1463 \end{tabular} |
|
|
1464 \end{center} |
|
|
1465 \caption{Algorithm mp\_cmp\_mag} |
|
|
1466 \end{figure} |
|
|
1467 |
|
|
1468 \textbf{Algorithm mp\_cmp\_mag.} |
|
|
1469 By saying ``$a$ to the left of $b$'' it is meant that the comparison is with respect to $a$, that is if $a$ is greater than $b$ it will return |
|
|
1470 \textbf{MP\_GT} and similar with respect to when $a = b$ and $a < b$. The first two steps compare the number of digits used in both $a$ and $b$. |
|
|
1471 Obviously if the digit counts differ there would be an imaginary zero digit in the smaller number where the leading digit of the larger number is. |
|
|
1472 If both have the same number of digits than the actual digits themselves must be compared starting at the leading digit. |
|
|
1473 |
|
|
1474 By step three both inputs must have the same number of digits so its safe to start from either $a.used - 1$ or $b.used - 1$ and count down to |
|
|
1475 the zero'th digit. If after all of the digits have been compared, no difference is found, the algorithm returns \textbf{MP\_EQ}. |
|
|
1476 |
|
|
1477 EXAM,bn_mp_cmp_mag.c |
|
|
1478 |
|
|
1479 The two if statements on lines @24,if@ and @28,if@ compare the number of digits in the two inputs. These two are performed before all of the digits |
|
|
1480 are compared since it is a very cheap test to perform and can potentially save considerable time. The implementation given is also not valid |
|
|
1481 without those two statements. $b.alloc$ may be smaller than $a.used$, meaning that undefined values will be read from $b$ past the end of the |
|
|
1482 array of digits. |
|
|
1483 |
|
|
1484 \subsection{Signed Comparisons} |
|
|
1485 Comparing with sign considerations is also fairly critical in several routines (\textit{division for example}). Based on an unsigned magnitude |
|
|
1486 comparison a trivial signed comparison algorithm can be written. |
|
|
1487 |
|
|
1488 \begin{figure}[here] |
|
|
1489 \begin{center} |
|
|
1490 \begin{tabular}{l} |
|
|
1491 \hline Algorithm \textbf{mp\_cmp}. \\ |
|
|
1492 \textbf{Input}. Two mp\_ints $a$ and $b$ \\ |
|
|
1493 \textbf{Output}. Signed Comparison Results ($a$ to the left of $b$) \\ |
|
|
1494 \hline \\ |
|
|
1495 1. if $a.sign = MP\_NEG$ and $b.sign = MP\_ZPOS$ then return(\textit{MP\_LT}) \\ |
|
|
1496 2. if $a.sign = MP\_ZPOS$ and $b.sign = MP\_NEG$ then return(\textit{MP\_GT}) \\ |
|
|
1497 3. if $a.sign = MP\_NEG$ then \\ |
|
|
1498 \hspace{+3mm}3.1 Return the unsigned comparison of $b$ and $a$ (\textit{mp\_cmp\_mag}) \\ |
|
|
1499 4 Otherwise \\ |
|
|
1500 \hspace{+3mm}4.1 Return the unsigned comparison of $a$ and $b$ \\ |
|
|
1501 \hline |
|
|
1502 \end{tabular} |
|
|
1503 \end{center} |
|
|
1504 \caption{Algorithm mp\_cmp} |
|
|
1505 \end{figure} |
|
|
1506 |
|
|
1507 \textbf{Algorithm mp\_cmp.} |
|
|
1508 The first two steps compare the signs of the two inputs. If the signs do not agree then it can return right away with the appropriate |
|
|
1509 comparison code. When the signs are equal the digits of the inputs must be compared to determine the correct result. In step |
|
|
1510 three the unsigned comparision flips the order of the arguments since they are both negative. For instance, if $-a > -b$ then |
|
|
1511 $\vert a \vert < \vert b \vert$. Step number four will compare the two when they are both positive. |
|
|
1512 |
|
|
1513 EXAM,bn_mp_cmp.c |
|
|
1514 |
|
|
1515 The two if statements on lines @22,if@ and @26,if@ perform the initial sign comparison. If the signs are not the equal then which ever |
|
|
1516 has the positive sign is larger. At line @30,if@, the inputs are compared based on magnitudes. If the signs were both negative then |
|
|
1517 the unsigned comparison is performed in the opposite direction (\textit{line @31,mp_cmp_mag@}). Otherwise, the signs are assumed to |
|
|
1518 be both positive and a forward direction unsigned comparison is performed. |
|
|
1519 |
|
|
1520 \section*{Exercises} |
|
|
1521 \begin{tabular}{cl} |
|
|
1522 $\left [ 2 \right ]$ & Modify algorithm mp\_set\_int to accept as input a variable length array of bits. \\ |
|
|
1523 & \\ |
|
|
1524 $\left [ 3 \right ]$ & Give the probability that algorithm mp\_cmp\_mag will have to compare $k$ digits \\ |
|
|
1525 & of two random digits (of equal magnitude) before a difference is found. \\ |
|
|
1526 & \\ |
|
|
1527 $\left [ 1 \right ]$ & Suggest a simple method to speed up the implementation of mp\_cmp\_mag based \\ |
|
|
1528 & on the observations made in the previous problem. \\ |
|
|
1529 & |
|
|
1530 \end{tabular} |
|
|
1531 |
|
|
1532 \chapter{Basic Arithmetic} |
|
|
1533 \section{Introduction} |
|
|
1534 At this point algorithms for initialization, clearing, zeroing, copying, comparing and setting small constants have been |
|
|
1535 established. The next logical set of algorithms to develop are addition, subtraction and digit shifting algorithms. These |
|
|
1536 algorithms make use of the lower level algorithms and are the cruicial building block for the multiplication algorithms. It is very important |
|
|
1537 that these algorithms are highly optimized. On their own they are simple $O(n)$ algorithms but they can be called from higher level algorithms |
|
|
1538 which easily places them at $O(n^2)$ or even $O(n^3)$ work levels. |
|
|
1539 |
|
|
1540 MARK,SHIFTS |
|
|
1541 All of the algorithms within this chapter make use of the logical bit shift operations denoted by $<<$ and $>>$ for left and right |
|
|
1542 logical shifts respectively. A logical shift is analogous to sliding the decimal point of radix-10 representations. For example, the real |
|
|
1543 number $0.9345$ is equivalent to $93.45\%$ which is found by sliding the the decimal two places to the right (\textit{multiplying by $\beta^2 = 10^2$}). |
|
|
1544 Algebraically a binary logical shift is equivalent to a division or multiplication by a power of two. |
|
|
1545 For example, $a << k = a \cdot 2^k$ while $a >> k = \lfloor a/2^k \rfloor$. |
|
|
1546 |
|
|
1547 One significant difference between a logical shift and the way decimals are shifted is that digits below the zero'th position are removed |
|
|
1548 from the number. For example, consider $1101_2 >> 1$ using decimal notation this would produce $110.1_2$. However, with a logical shift the |
|
|
1549 result is $110_2$. |
|
|
1550 |
|
|
1551 \section{Addition and Subtraction} |
|
|
1552 In common twos complement fixed precision arithmetic negative numbers are easily represented by subtraction from the modulus. For example, with 32-bit integers |
|
|
1553 $a - b\mbox{ (mod }2^{32}\mbox{)}$ is the same as $a + (2^{32} - b) \mbox{ (mod }2^{32}\mbox{)}$ since $2^{32} \equiv 0 \mbox{ (mod }2^{32}\mbox{)}$. |
|
|
1554 As a result subtraction can be performed with a trivial series of logical operations and an addition. |
|
|
1555 |
|
|
1556 However, in multiple precision arithmetic negative numbers are not represented in the same way. Instead a sign flag is used to keep track of the |
|
|
1557 sign of the integer. As a result signed addition and subtraction are actually implemented as conditional usage of lower level addition or |
|
|
1558 subtraction algorithms with the sign fixed up appropriately. |
|
|
1559 |
|
|
1560 The lower level algorithms will add or subtract integers without regard to the sign flag. That is they will add or subtract the magnitude of |
|
|
1561 the integers respectively. |
|
|
1562 |
|
|
1563 \subsection{Low Level Addition} |
|
|
1564 An unsigned addition of multiple precision integers is performed with the same long-hand algorithm used to add decimal numbers. That is to add the |
|
|
1565 trailing digits first and propagate the resulting carry upwards. Since this is a lower level algorithm the name will have a ``s\_'' prefix. |
|
|
1566 Historically that convention stems from the MPI library where ``s\_'' stood for static functions that were hidden from the developer entirely. |
|
|
1567 |
|
|
1568 \newpage |
|
|
1569 \begin{figure}[!here] |
|
|
1570 \begin{center} |
|
|
1571 \begin{small} |
|
|
1572 \begin{tabular}{l} |
|
|
1573 \hline Algorithm \textbf{s\_mp\_add}. \\ |
|
|
1574 \textbf{Input}. Two mp\_ints $a$ and $b$ \\ |
|
|
1575 \textbf{Output}. The unsigned addition $c = \vert a \vert + \vert b \vert$. \\ |
|
|
1576 \hline \\ |
|
|
1577 1. if $a.used > b.used$ then \\ |
|
|
1578 \hspace{+3mm}1.1 $min \leftarrow b.used$ \\ |
|
|
1579 \hspace{+3mm}1.2 $max \leftarrow a.used$ \\ |
|
|
1580 \hspace{+3mm}1.3 $x \leftarrow a$ \\ |
|
|
1581 2. else \\ |
|
|
1582 \hspace{+3mm}2.1 $min \leftarrow a.used$ \\ |
|
|
1583 \hspace{+3mm}2.2 $max \leftarrow b.used$ \\ |
|
|
1584 \hspace{+3mm}2.3 $x \leftarrow b$ \\ |
|
|
1585 3. If $c.alloc < max + 1$ then grow $c$ to hold at least $max + 1$ digits (\textit{mp\_grow}) \\ |
|
|
1586 4. $oldused \leftarrow c.used$ \\ |
|
|
1587 5. $c.used \leftarrow max + 1$ \\ |
|
|
1588 6. $u \leftarrow 0$ \\ |
|
|
1589 7. for $n$ from $0$ to $min - 1$ do \\ |
|
|
1590 \hspace{+3mm}7.1 $c_n \leftarrow a_n + b_n + u$ \\ |
|
|
1591 \hspace{+3mm}7.2 $u \leftarrow c_n >> lg(\beta)$ \\ |
|
|
1592 \hspace{+3mm}7.3 $c_n \leftarrow c_n \mbox{ (mod }\beta\mbox{)}$ \\ |
|
|
1593 8. if $min \ne max$ then do \\ |
|
|
1594 \hspace{+3mm}8.1 for $n$ from $min$ to $max - 1$ do \\ |
|
|
1595 \hspace{+6mm}8.1.1 $c_n \leftarrow x_n + u$ \\ |
|
|
1596 \hspace{+6mm}8.1.2 $u \leftarrow c_n >> lg(\beta)$ \\ |
|
|
1597 \hspace{+6mm}8.1.3 $c_n \leftarrow c_n \mbox{ (mod }\beta\mbox{)}$ \\ |
|
|
1598 9. $c_{max} \leftarrow u$ \\ |
|
|
1599 10. if $olduse > max$ then \\ |
|
|
1600 \hspace{+3mm}10.1 for $n$ from $max + 1$ to $oldused - 1$ do \\ |
|
|
1601 \hspace{+6mm}10.1.1 $c_n \leftarrow 0$ \\ |
|
|
1602 11. Clamp excess digits in $c$. (\textit{mp\_clamp}) \\ |
|
|
1603 12. Return(\textit{MP\_OKAY}) \\ |
|
|
1604 \hline |
|
|
1605 \end{tabular} |
|
|
1606 \end{small} |
|
|
1607 \end{center} |
|
|
1608 \caption{Algorithm s\_mp\_add} |
|
|
1609 \end{figure} |
|
|
1610 |
|
|
1611 \textbf{Algorithm s\_mp\_add.} |
|
|
1612 This algorithm is loosely based on algorithm 14.7 of HAC \cite[pp. 594]{HAC} but has been extended to allow the inputs to have different magnitudes. |
|
|
1613 Coincidentally the description of algorithm A in Knuth \cite[pp. 266]{TAOCPV2} shares the same deficiency as the algorithm from \cite{HAC}. Even the |
|
|
1614 MIX pseudo machine code presented by Knuth \cite[pp. 266-267]{TAOCPV2} is incapable of handling inputs which are of different magnitudes. |
|
|
1615 |
|
|
1616 The first thing that has to be accomplished is to sort out which of the two inputs is the largest. The addition logic |
|
|
1617 will simply add all of the smallest input to the largest input and store that first part of the result in the |
|
|
1618 destination. Then it will apply a simpler addition loop to excess digits of the larger input. |
|
|
1619 |
|
|
1620 The first two steps will handle sorting the inputs such that $min$ and $max$ hold the digit counts of the two |
|
|
1621 inputs. The variable $x$ will be an mp\_int alias for the largest input or the second input $b$ if they have the |
|
|
1622 same number of digits. After the inputs are sorted the destination $c$ is grown as required to accomodate the sum |
|
|
1623 of the two inputs. The original \textbf{used} count of $c$ is copied and set to the new used count. |
|
|
1624 |
|
|
1625 At this point the first addition loop will go through as many digit positions that both inputs have. The carry |
|
|
1626 variable $\mu$ is set to zero outside the loop. Inside the loop an ``addition'' step requires three statements to produce |
|
|
1627 one digit of the summand. First |
|
|
1628 two digits from $a$ and $b$ are added together along with the carry $\mu$. The carry of this step is extracted and stored |
|
|
1629 in $\mu$ and finally the digit of the result $c_n$ is truncated within the range $0 \le c_n < \beta$. |
|
|
1630 |
|
|
1631 Now all of the digit positions that both inputs have in common have been exhausted. If $min \ne max$ then $x$ is an alias |
|
|
1632 for one of the inputs that has more digits. A simplified addition loop is then used to essentially copy the remaining digits |
|
|
1633 and the carry to the destination. |
|
|
1634 |
|
|
1635 The final carry is stored in $c_{max}$ and digits above $max$ upto $oldused$ are zeroed which completes the addition. |
|
|
1636 |
|
|
1637 |
|
|
1638 EXAM,bn_s_mp_add.c |
|
|
1639 |
|
|
1640 Lines @27,if@ to @35,}@ perform the initial sorting of the inputs and determine the $min$ and $max$ variables. Note that $x$ is a pointer to a |
|
|
1641 mp\_int assigned to the largest input, in effect it is a local alias. Lines @37,init@ to @42,}@ ensure that the destination is grown to |
|
|
1642 accomodate the result of the addition. |
|
|
1643 |
|
|
1644 Similar to the implementation of mp\_copy this function uses the braced code and local aliases coding style. The three aliases that are on |
|
|
1645 lines @56,tmpa@, @59,tmpb@ and @62,tmpc@ represent the two inputs and destination variables respectively. These aliases are used to ensure the |
|
|
1646 compiler does not have to dereference $a$, $b$ or $c$ (respectively) to access the digits of the respective mp\_int. |
|
|
1647 |
|
|
1648 The initial carry $u$ is cleared on line @65,u = 0@, note that $u$ is of type mp\_digit which ensures type compatibility within the |
|
|
1649 implementation. The initial addition loop begins on line @66,for@ and ends on line @75,}@. Similarly the conditional addition loop |
|
|
1650 begins on line @81,for@ and ends on line @90,}@. The addition is finished with the final carry being stored in $tmpc$ on line @94,tmpc++@. |
|
|
1651 Note the ``++'' operator on the same line. After line @94,tmpc++@ $tmpc$ will point to the $c.used$'th digit of the mp\_int $c$. This is useful |
|
|
1652 for the next loop on lines @97,for@ to @99,}@ which set any old upper digits to zero. |
|
|
1653 |
|
|
1654 \subsection{Low Level Subtraction} |
|
|
1655 The low level unsigned subtraction algorithm is very similar to the low level unsigned addition algorithm. The principle difference is that the |
|
|
1656 unsigned subtraction algorithm requires the result to be positive. That is when computing $a - b$ the condition $\vert a \vert \ge \vert b\vert$ must |
|
|
1657 be met for this algorithm to function properly. Keep in mind this low level algorithm is not meant to be used in higher level algorithms directly. |
|
|
1658 This algorithm as will be shown can be used to create functional signed addition and subtraction algorithms. |
|
|
1659 |
|
|
1660 MARK,GAMMA |
|
|
1661 |
|
|
1662 For this algorithm a new variable is required to make the description simpler. Recall from section 1.3.1 that a mp\_digit must be able to represent |
|
|
1663 the range $0 \le x < 2\beta$ for the algorithms to work correctly. However, it is allowable that a mp\_digit represent a larger range of values. For |
|
|
1664 this algorithm we will assume that the variable $\gamma$ represents the number of bits available in a |
|
|
1665 mp\_digit (\textit{this implies $2^{\gamma} > \beta$}). |
|
|
1666 |
|
|
1667 For example, the default for LibTomMath is to use a ``unsigned long'' for the mp\_digit ``type'' while $\beta = 2^{28}$. In ISO C an ``unsigned long'' |
|
|
1668 data type must be able to represent $0 \le x < 2^{32}$ meaning that in this case $\gamma = 32$. |
|
|
1669 |
|
|
1670 \newpage\begin{figure}[!here] |
|
|
1671 \begin{center} |
|
|
1672 \begin{small} |
|
|
1673 \begin{tabular}{l} |
|
|
1674 \hline Algorithm \textbf{s\_mp\_sub}. \\ |
|
|
1675 \textbf{Input}. Two mp\_ints $a$ and $b$ ($\vert a \vert \ge \vert b \vert$) \\ |
|
|
1676 \textbf{Output}. The unsigned subtraction $c = \vert a \vert - \vert b \vert$. \\ |
|
|
1677 \hline \\ |
|
|
1678 1. $min \leftarrow b.used$ \\ |
|
|
1679 2. $max \leftarrow a.used$ \\ |
|
|
1680 3. If $c.alloc < max$ then grow $c$ to hold at least $max$ digits. (\textit{mp\_grow}) \\ |
|
|
1681 4. $oldused \leftarrow c.used$ \\ |
|
|
1682 5. $c.used \leftarrow max$ \\ |
|
|
1683 6. $u \leftarrow 0$ \\ |
|
|
1684 7. for $n$ from $0$ to $min - 1$ do \\ |
|
|
1685 \hspace{3mm}7.1 $c_n \leftarrow a_n - b_n - u$ \\ |
|
|
1686 \hspace{3mm}7.2 $u \leftarrow c_n >> (\gamma - 1)$ \\ |
|
|
1687 \hspace{3mm}7.3 $c_n \leftarrow c_n \mbox{ (mod }\beta\mbox{)}$ \\ |
|
|
1688 8. if $min < max$ then do \\ |
|
|
1689 \hspace{3mm}8.1 for $n$ from $min$ to $max - 1$ do \\ |
|
|
1690 \hspace{6mm}8.1.1 $c_n \leftarrow a_n - u$ \\ |
|
|
1691 \hspace{6mm}8.1.2 $u \leftarrow c_n >> (\gamma - 1)$ \\ |
|
|
1692 \hspace{6mm}8.1.3 $c_n \leftarrow c_n \mbox{ (mod }\beta\mbox{)}$ \\ |
|
|
1693 9. if $oldused > max$ then do \\ |
|
|
1694 \hspace{3mm}9.1 for $n$ from $max$ to $oldused - 1$ do \\ |
|
|
1695 \hspace{6mm}9.1.1 $c_n \leftarrow 0$ \\ |
|
|
1696 10. Clamp excess digits of $c$. (\textit{mp\_clamp}). \\ |
|
|
1697 11. Return(\textit{MP\_OKAY}). \\ |
|
|
1698 \hline |
|
|
1699 \end{tabular} |
|
|
1700 \end{small} |
|
|
1701 \end{center} |
|
|
1702 \caption{Algorithm s\_mp\_sub} |
|
|
1703 \end{figure} |
|
|
1704 |
|
|
1705 \textbf{Algorithm s\_mp\_sub.} |
|
|
1706 This algorithm performs the unsigned subtraction of two mp\_int variables under the restriction that the result must be positive. That is when |
|
|
1707 passing variables $a$ and $b$ the condition that $\vert a \vert \ge \vert b \vert$ must be met for the algorithm to function correctly. This |
|
|
1708 algorithm is loosely based on algorithm 14.9 \cite[pp. 595]{HAC} and is similar to algorithm S in \cite[pp. 267]{TAOCPV2} as well. As was the case |
|
|
1709 of the algorithm s\_mp\_add both other references lack discussion concerning various practical details such as when the inputs differ in magnitude. |
|
|
1710 |
|
|
1711 The initial sorting of the inputs is trivial in this algorithm since $a$ is guaranteed to have at least the same magnitude of $b$. Steps 1 and 2 |
|
|
1712 set the $min$ and $max$ variables. Unlike the addition routine there is guaranteed to be no carry which means that the final result can be at |
|
|
1713 most $max$ digits in length as opposed to $max + 1$. Similar to the addition algorithm the \textbf{used} count of $c$ is copied locally and |
|
|
1714 set to the maximal count for the operation. |
|
|
1715 |
|
|
1716 The subtraction loop that begins on step seven is essentially the same as the addition loop of algorithm s\_mp\_add except single precision |
|
|
1717 subtraction is used instead. Note the use of the $\gamma$ variable to extract the carry (\textit{also known as the borrow}) within the subtraction |
|
|
1718 loops. Under the assumption that two's complement single precision arithmetic is used this will successfully extract the desired carry. |
|
|
1719 |
|
|
1720 For example, consider subtracting $0101_2$ from $0100_2$ where $\gamma = 4$ and $\beta = 2$. The least significant bit will force a carry upwards to |
|
|
1721 the third bit which will be set to zero after the borrow. After the very first bit has been subtracted $4 - 1 \equiv 0011_2$ will remain, When the |
|
|
1722 third bit of $0101_2$ is subtracted from the result it will cause another carry. In this case though the carry will be forced to propagate all the |
|
|
1723 way to the most significant bit. |
|
|
1724 |
|
|
1725 Recall that $\beta < 2^{\gamma}$. This means that if a carry does occur just before the $lg(\beta)$'th bit it will propagate all the way to the most |
|
|
1726 significant bit. Thus, the high order bits of the mp\_digit that are not part of the actual digit will either be all zero, or all one. All that |
|
|
1727 is needed is a single zero or one bit for the carry. Therefore a single logical shift right by $\gamma - 1$ positions is sufficient to extract the |
|
|
1728 carry. This method of carry extraction may seem awkward but the reason for it becomes apparent when the implementation is discussed. |
|
|
1729 |
|
|
1730 If $b$ has a smaller magnitude than $a$ then step 9 will force the carry and copy operation to propagate through the larger input $a$ into $c$. Step |
|
|
1731 10 will ensure that any leading digits of $c$ above the $max$'th position are zeroed. |
|
|
1732 |
|
|
1733 EXAM,bn_s_mp_sub.c |
|
|
1734 |
|
|
1735 Line @24,min@ and @25,max@ perform the initial hardcoded sorting of the inputs. In reality the $min$ and $max$ variables are only aliases and are only |
|
|
1736 used to make the source code easier to read. Again the pointer alias optimization is used within this algorithm. Lines @42,tmpa@, @43,tmpb@ and @44,tmpc@ initialize the aliases for |
|
|
1737 $a$, $b$ and $c$ respectively. |
|
|
1738 |
|
|
1739 The first subtraction loop occurs on lines @47,u = 0@ through @61,}@. The theory behind the subtraction loop is exactly the same as that for |
|
|
1740 the addition loop. As remarked earlier there is an implementation reason for using the ``awkward'' method of extracting the carry |
|
|
1741 (\textit{see line @57, >>@}). The traditional method for extracting the carry would be to shift by $lg(\beta)$ positions and logically AND |
|
|
1742 the least significant bit. The AND operation is required because all of the bits above the $\lg(\beta)$'th bit will be set to one after a carry |
|
|
1743 occurs from subtraction. This carry extraction requires two relatively cheap operations to extract the carry. The other method is to simply |
|
|
1744 shift the most significant bit to the least significant bit thus extracting the carry with a single cheap operation. This optimization only works on |
|
|
1745 twos compliment machines which is a safe assumption to make. |
|
|
1746 |
|
|
1747 If $a$ has a larger magnitude than $b$ an additional loop (\textit{see lines @64,for@ through @73,}@}) is required to propagate the carry through |
|
|
1748 $a$ and copy the result to $c$. |
|
|
1749 |
|
|
1750 \subsection{High Level Addition} |
|
|
1751 Now that both lower level addition and subtraction algorithms have been established an effective high level signed addition algorithm can be |
|
|
1752 established. This high level addition algorithm will be what other algorithms and developers will use to perform addition of mp\_int data |
|
|
1753 types. |
|
|
1754 |
|
|
1755 Recall from section 5.2 that an mp\_int represents an integer with an unsigned mantissa (\textit{the array of digits}) and a \textbf{sign} |
|
|
1756 flag. A high level addition is actually performed as a series of eight separate cases which can be optimized down to three unique cases. |
|
|
1757 |
|
|
1758 \begin{figure}[!here] |
|
|
1759 \begin{center} |
|
|
1760 \begin{tabular}{l} |
|
|
1761 \hline Algorithm \textbf{mp\_add}. \\ |
|
|
1762 \textbf{Input}. Two mp\_ints $a$ and $b$ \\ |
|
|
1763 \textbf{Output}. The signed addition $c = a + b$. \\ |
|
|
1764 \hline \\ |
|
|
1765 1. if $a.sign = b.sign$ then do \\ |
|
|
1766 \hspace{3mm}1.1 $c.sign \leftarrow a.sign$ \\ |
|
|
1767 \hspace{3mm}1.2 $c \leftarrow \vert a \vert + \vert b \vert$ (\textit{s\_mp\_add})\\ |
|
|
1768 2. else do \\ |
|
|
1769 \hspace{3mm}2.1 if $\vert a \vert < \vert b \vert$ then do (\textit{mp\_cmp\_mag}) \\ |
|
|
1770 \hspace{6mm}2.1.1 $c.sign \leftarrow b.sign$ \\ |
|
|
1771 \hspace{6mm}2.1.2 $c \leftarrow \vert b \vert - \vert a \vert$ (\textit{s\_mp\_sub}) \\ |
|
|
1772 \hspace{3mm}2.2 else do \\ |
|
|
1773 \hspace{6mm}2.2.1 $c.sign \leftarrow a.sign$ \\ |
|
|
1774 \hspace{6mm}2.2.2 $c \leftarrow \vert a \vert - \vert b \vert$ \\ |
|
|
1775 3. Return(\textit{MP\_OKAY}). \\ |
|
|
1776 \hline |
|
|
1777 \end{tabular} |
|
|
1778 \end{center} |
|
|
1779 \caption{Algorithm mp\_add} |
|
|
1780 \end{figure} |
|
|
1781 |
|
|
1782 \textbf{Algorithm mp\_add.} |
|
|
1783 This algorithm performs the signed addition of two mp\_int variables. There is no reference algorithm to draw upon from |
|
|
1784 either \cite{TAOCPV2} or \cite{HAC} since they both only provide unsigned operations. The algorithm is fairly |
|
|
1785 straightforward but restricted since subtraction can only produce positive results. |
|
|
1786 |
|
|
1787 \begin{figure}[here] |
|
|
1788 \begin{small} |
|
|
1789 \begin{center} |
|
|
1790 \begin{tabular}{|c|c|c|c|c|} |
|
|
1791 \hline \textbf{Sign of $a$} & \textbf{Sign of $b$} & \textbf{$\vert a \vert > \vert b \vert $} & \textbf{Unsigned Operation} & \textbf{Result Sign Flag} \\ |
|
|
1792 \hline $+$ & $+$ & Yes & $c = a + b$ & $a.sign$ \\ |
|
|
1793 \hline $+$ & $+$ & No & $c = a + b$ & $a.sign$ \\ |
|
|
1794 \hline $-$ & $-$ & Yes & $c = a + b$ & $a.sign$ \\ |
|
|
1795 \hline $-$ & $-$ & No & $c = a + b$ & $a.sign$ \\ |
|
|
1796 \hline &&&&\\ |
|
|
1797 |
|
|
1798 \hline $+$ & $-$ & No & $c = b - a$ & $b.sign$ \\ |
|
|
1799 \hline $-$ & $+$ & No & $c = b - a$ & $b.sign$ \\ |
|
|
1800 |
|
|
1801 \hline &&&&\\ |
|
|
1802 |
|
|
1803 \hline $+$ & $-$ & Yes & $c = a - b$ & $a.sign$ \\ |
|
|
1804 \hline $-$ & $+$ & Yes & $c = a - b$ & $a.sign$ \\ |
|
|
1805 |
|
|
1806 \hline |
|
|
1807 \end{tabular} |
|
|
1808 \end{center} |
|
|
1809 \end{small} |
|
|
1810 \caption{Addition Guide Chart} |
|
|
1811 \label{fig:AddChart} |
|
|
1812 \end{figure} |
|
|
1813 |
|
|
1814 Figure~\ref{fig:AddChart} lists all of the eight possible input combinations and is sorted to show that only three |
|
|
1815 specific cases need to be handled. The return code of the unsigned operations at step 1.2, 2.1.2 and 2.2.2 are |
|
|
1816 forwarded to step three to check for errors. This simplifies the description of the algorithm considerably and best |
|
|
1817 follows how the implementation actually was achieved. |
|
|
1818 |
|
|
1819 Also note how the \textbf{sign} is set before the unsigned addition or subtraction is performed. Recall from the descriptions of algorithms |
|
|
1820 s\_mp\_add and s\_mp\_sub that the mp\_clamp function is used at the end to trim excess digits. The mp\_clamp algorithm will set the \textbf{sign} |
|
|
1821 to \textbf{MP\_ZPOS} when the \textbf{used} digit count reaches zero. |
|
|
1822 |
|
|
1823 For example, consider performing $-a + a$ with algorithm mp\_add. By the description of the algorithm the sign is set to \textbf{MP\_NEG} which would |
|
|
1824 produce a result of $-0$. However, since the sign is set first then the unsigned addition is performed the subsequent usage of algorithm mp\_clamp |
|
|
1825 within algorithm s\_mp\_add will force $-0$ to become $0$. |
|
|
1826 |
|
|
1827 EXAM,bn_mp_add.c |
|
|
1828 |
|
|
1829 The source code follows the algorithm fairly closely. The most notable new source code addition is the usage of the $res$ integer variable which |
|
|
1830 is used to pass result of the unsigned operations forward. Unlike in the algorithm, the variable $res$ is merely returned as is without |
|
|
1831 explicitly checking it and returning the constant \textbf{MP\_OKAY}. The observation is this algorithm will succeed or fail only if the lower |
|
|
1832 level functions do so. Returning their return code is sufficient. |
|
|
1833 |
|
|
1834 \subsection{High Level Subtraction} |
|
|
1835 The high level signed subtraction algorithm is essentially the same as the high level signed addition algorithm. |
|
|
1836 |
|
|
1837 \newpage\begin{figure}[!here] |
|
|
1838 \begin{center} |
|
|
1839 \begin{tabular}{l} |
|
|
1840 \hline Algorithm \textbf{mp\_sub}. \\ |
|
|
1841 \textbf{Input}. Two mp\_ints $a$ and $b$ \\ |
|
|
1842 \textbf{Output}. The signed subtraction $c = a - b$. \\ |
|
|
1843 \hline \\ |
|
|
1844 1. if $a.sign \ne b.sign$ then do \\ |
|
|
1845 \hspace{3mm}1.1 $c.sign \leftarrow a.sign$ \\ |
|
|
1846 \hspace{3mm}1.2 $c \leftarrow \vert a \vert + \vert b \vert$ (\textit{s\_mp\_add}) \\ |
|
|
1847 2. else do \\ |
|
|
1848 \hspace{3mm}2.1 if $\vert a \vert \ge \vert b \vert$ then do (\textit{mp\_cmp\_mag}) \\ |
|
|
1849 \hspace{6mm}2.1.1 $c.sign \leftarrow a.sign$ \\ |
|
|
1850 \hspace{6mm}2.1.2 $c \leftarrow \vert a \vert - \vert b \vert$ (\textit{s\_mp\_sub}) \\ |
|
|
1851 \hspace{3mm}2.2 else do \\ |
|
|
1852 \hspace{6mm}2.2.1 $c.sign \leftarrow \left \lbrace \begin{array}{ll} |
|
|
1853 MP\_ZPOS & \mbox{if }a.sign = MP\_NEG \\ |
|
|
1854 MP\_NEG & \mbox{otherwise} \\ |
|
|
1855 \end{array} \right .$ \\ |
|
|
1856 \hspace{6mm}2.2.2 $c \leftarrow \vert b \vert - \vert a \vert$ \\ |
|
|
1857 3. Return(\textit{MP\_OKAY}). \\ |
|
|
1858 \hline |
|
|
1859 \end{tabular} |
|
|
1860 \end{center} |
|
|
1861 \caption{Algorithm mp\_sub} |
|
|
1862 \end{figure} |
|
|
1863 |
|
|
1864 \textbf{Algorithm mp\_sub.} |
|
|
1865 This algorithm performs the signed subtraction of two inputs. Similar to algorithm mp\_add there is no reference in either \cite{TAOCPV2} or |
|
|
1866 \cite{HAC}. Also this algorithm is restricted by algorithm s\_mp\_sub. Chart \ref{fig:SubChart} lists the eight possible inputs and |
|
|
1867 the operations required. |
|
|
1868 |
|
|
1869 \begin{figure}[!here] |
|
|
1870 \begin{small} |
|
|
1871 \begin{center} |
|
|
1872 \begin{tabular}{|c|c|c|c|c|} |
|
|
1873 \hline \textbf{Sign of $a$} & \textbf{Sign of $b$} & \textbf{$\vert a \vert \ge \vert b \vert $} & \textbf{Unsigned Operation} & \textbf{Result Sign Flag} \\ |
|
|
1874 \hline $+$ & $-$ & Yes & $c = a + b$ & $a.sign$ \\ |
|
|
1875 \hline $+$ & $-$ & No & $c = a + b$ & $a.sign$ \\ |
|
|
1876 \hline $-$ & $+$ & Yes & $c = a + b$ & $a.sign$ \\ |
|
|
1877 \hline $-$ & $+$ & No & $c = a + b$ & $a.sign$ \\ |
|
|
1878 \hline &&&& \\ |
|
|
1879 \hline $+$ & $+$ & Yes & $c = a - b$ & $a.sign$ \\ |
|
|
1880 \hline $-$ & $-$ & Yes & $c = a - b$ & $a.sign$ \\ |
|
|
1881 \hline &&&& \\ |
|
|
1882 \hline $+$ & $+$ & No & $c = b - a$ & $\mbox{opposite of }a.sign$ \\ |
|
|
1883 \hline $-$ & $-$ & No & $c = b - a$ & $\mbox{opposite of }a.sign$ \\ |
|
|
1884 \hline |
|
|
1885 \end{tabular} |
|
|
1886 \end{center} |
|
|
1887 \end{small} |
|
|
1888 \caption{Subtraction Guide Chart} |
|
|
1889 \label{fig:SubChart} |
|
|
1890 \end{figure} |
|
|
1891 |
|
|
1892 Similar to the case of algorithm mp\_add the \textbf{sign} is set first before the unsigned addition or subtraction. That is to prevent the |
|
|
1893 algorithm from producing $-a - -a = -0$ as a result. |
|
|
1894 |
|
|
1895 EXAM,bn_mp_sub.c |
|
|
1896 |
|
|
1897 Much like the implementation of algorithm mp\_add the variable $res$ is used to catch the return code of the unsigned addition or subtraction operations |
|
|
1898 and forward it to the end of the function. On line @38, != MP_LT@ the ``not equal to'' \textbf{MP\_LT} expression is used to emulate a |
|
|
1899 ``greater than or equal to'' comparison. |
|
|
1900 |
|
|
1901 \section{Bit and Digit Shifting} |
|
|
1902 MARK,POLY |
|
|
1903 It is quite common to think of a multiple precision integer as a polynomial in $x$, that is $y = f(\beta)$ where $f(x) = \sum_{i=0}^{n-1} a_i x^i$. |
|
|
1904 This notation arises within discussion of Montgomery and Diminished Radix Reduction as well as Karatsuba multiplication and squaring. |
|
|
1905 |
|
|
1906 In order to facilitate operations on polynomials in $x$ as above a series of simple ``digit'' algorithms have to be established. That is to shift |
|
|
1907 the digits left or right as well to shift individual bits of the digits left and right. It is important to note that not all ``shift'' operations |
|
|
1908 are on radix-$\beta$ digits. |
|
|
1909 |
|
|
1910 \subsection{Multiplication by Two} |
|
|
1911 |
|
|
1912 In a binary system where the radix is a power of two multiplication by two not only arises often in other algorithms it is a fairly efficient |
|
|
1913 operation to perform. A single precision logical shift left is sufficient to multiply a single digit by two. |
|
|
1914 |
|
|
1915 \newpage\begin{figure}[!here] |
|
|
1916 \begin{small} |
|
|
1917 \begin{center} |
|
|
1918 \begin{tabular}{l} |
|
|
1919 \hline Algorithm \textbf{mp\_mul\_2}. \\ |
|
|
1920 \textbf{Input}. One mp\_int $a$ \\ |
|
|
1921 \textbf{Output}. $b = 2a$. \\ |
|
|
1922 \hline \\ |
|
|
1923 1. If $b.alloc < a.used + 1$ then grow $b$ to hold $a.used + 1$ digits. (\textit{mp\_grow}) \\ |
|
|
1924 2. $oldused \leftarrow b.used$ \\ |
|
|
1925 3. $b.used \leftarrow a.used$ \\ |
|
|
1926 4. $r \leftarrow 0$ \\ |
|
|
1927 5. for $n$ from 0 to $a.used - 1$ do \\ |
|
|
1928 \hspace{3mm}5.1 $rr \leftarrow a_n >> (lg(\beta) - 1)$ \\ |
|
|
1929 \hspace{3mm}5.2 $b_n \leftarrow (a_n << 1) + r \mbox{ (mod }\beta\mbox{)}$ \\ |
|
|
1930 \hspace{3mm}5.3 $r \leftarrow rr$ \\ |
|
|
1931 6. If $r \ne 0$ then do \\ |
|
|
1932 \hspace{3mm}6.1 $b_{n + 1} \leftarrow r$ \\ |
|
|
1933 \hspace{3mm}6.2 $b.used \leftarrow b.used + 1$ \\ |
|
|
1934 7. If $b.used < oldused - 1$ then do \\ |
|
|
1935 \hspace{3mm}7.1 for $n$ from $b.used$ to $oldused - 1$ do \\ |
|
|
1936 \hspace{6mm}7.1.1 $b_n \leftarrow 0$ \\ |
|
|
1937 8. $b.sign \leftarrow a.sign$ \\ |
|
|
1938 9. Return(\textit{MP\_OKAY}).\\ |
|
|
1939 \hline |
|
|
1940 \end{tabular} |
|
|
1941 \end{center} |
|
|
1942 \end{small} |
|
|
1943 \caption{Algorithm mp\_mul\_2} |
|
|
1944 \end{figure} |
|
|
1945 |
|
|
1946 \textbf{Algorithm mp\_mul\_2.} |
|
|
1947 This algorithm will quickly multiply a mp\_int by two provided $\beta$ is a power of two. Neither \cite{TAOCPV2} nor \cite{HAC} describe such |
|
|
1948 an algorithm despite the fact it arises often in other algorithms. The algorithm is setup much like the lower level algorithm s\_mp\_add since |
|
|
1949 it is for all intents and purposes equivalent to the operation $b = \vert a \vert + \vert a \vert$. |
|
|
1950 |
|
|
1951 Step 1 and 2 grow the input as required to accomodate the maximum number of \textbf{used} digits in the result. The initial \textbf{used} count |
|
|
1952 is set to $a.used$ at step 4. Only if there is a final carry will the \textbf{used} count require adjustment. |
|
|
1953 |
|
|
1954 Step 6 is an optimization implementation of the addition loop for this specific case. That is since the two values being added together |
|
|
1955 are the same there is no need to perform two reads from the digits of $a$. Step 6.1 performs a single precision shift on the current digit $a_n$ to |
|
|
1956 obtain what will be the carry for the next iteration. Step 6.2 calculates the $n$'th digit of the result as single precision shift of $a_n$ plus |
|
|
1957 the previous carry. Recall from ~SHIFTS~ that $a_n << 1$ is equivalent to $a_n \cdot 2$. An iteration of the addition loop is finished with |
|
|
1958 forwarding the carry to the next iteration. |
|
|
1959 |
|
|
1960 Step 7 takes care of any final carry by setting the $a.used$'th digit of the result to the carry and augmenting the \textbf{used} count of $b$. |
|
|
1961 Step 8 clears any leading digits of $b$ in case it originally had a larger magnitude than $a$. |
|
|
1962 |
|
|
1963 EXAM,bn_mp_mul_2.c |
|
|
1964 |
|
|
1965 This implementation is essentially an optimized implementation of s\_mp\_add for the case of doubling an input. The only noteworthy difference |
|
|
1966 is the use of the logical shift operator on line @52,<<@ to perform a single precision doubling. |
|
|
1967 |
|
|
1968 \subsection{Division by Two} |
|
|
1969 A division by two can just as easily be accomplished with a logical shift right as multiplication by two can be with a logical shift left. |
|
|
1970 |
|
|
1971 \newpage\begin{figure}[!here] |
|
|
1972 \begin{small} |
|
|
1973 \begin{center} |
|
|
1974 \begin{tabular}{l} |
|
|
1975 \hline Algorithm \textbf{mp\_div\_2}. \\ |
|
|
1976 \textbf{Input}. One mp\_int $a$ \\ |
|
|
1977 \textbf{Output}. $b = a/2$. \\ |
|
|
1978 \hline \\ |
|
|
1979 1. If $b.alloc < a.used$ then grow $b$ to hold $a.used$ digits. (\textit{mp\_grow}) \\ |
|
|
1980 2. If the reallocation failed return(\textit{MP\_MEM}). \\ |
|
|
1981 3. $oldused \leftarrow b.used$ \\ |
|
|
1982 4. $b.used \leftarrow a.used$ \\ |
|
|
1983 5. $r \leftarrow 0$ \\ |
|
|
1984 6. for $n$ from $b.used - 1$ to $0$ do \\ |
|
|
1985 \hspace{3mm}6.1 $rr \leftarrow a_n \mbox{ (mod }2\mbox{)}$\\ |
|
|
1986 \hspace{3mm}6.2 $b_n \leftarrow (a_n >> 1) + (r << (lg(\beta) - 1)) \mbox{ (mod }\beta\mbox{)}$ \\ |
|
|
1987 \hspace{3mm}6.3 $r \leftarrow rr$ \\ |
|
|
1988 7. If $b.used < oldused - 1$ then do \\ |
|
|
1989 \hspace{3mm}7.1 for $n$ from $b.used$ to $oldused - 1$ do \\ |
|
|
1990 \hspace{6mm}7.1.1 $b_n \leftarrow 0$ \\ |
|
|
1991 8. $b.sign \leftarrow a.sign$ \\ |
|
|
1992 9. Clamp excess digits of $b$. (\textit{mp\_clamp}) \\ |
|
|
1993 10. Return(\textit{MP\_OKAY}).\\ |
|
|
1994 \hline |
|
|
1995 \end{tabular} |
|
|
1996 \end{center} |
|
|
1997 \end{small} |
|
|
1998 \caption{Algorithm mp\_div\_2} |
|
|
1999 \end{figure} |
|
|
2000 |
|
|
2001 \textbf{Algorithm mp\_div\_2.} |
|
|
2002 This algorithm will divide an mp\_int by two using logical shifts to the right. Like mp\_mul\_2 it uses a modified low level addition |
|
|
2003 core as the basis of the algorithm. Unlike mp\_mul\_2 the shift operations work from the leading digit to the trailing digit. The algorithm |
|
|
2004 could be written to work from the trailing digit to the leading digit however, it would have to stop one short of $a.used - 1$ digits to prevent |
|
|
2005 reading past the end of the array of digits. |
|
|
2006 |
|
|
2007 Essentially the loop at step 6 is similar to that of mp\_mul\_2 except the logical shifts go in the opposite direction and the carry is at the |
|
|
2008 least significant bit not the most significant bit. |
|
|
2009 |
|
|
2010 EXAM,bn_mp_div_2.c |
|
|
2011 |
|
|
2012 \section{Polynomial Basis Operations} |
|
|
2013 Recall from ~POLY~ that any integer can be represented as a polynomial in $x$ as $y = f(\beta)$. Such a representation is also known as |
|
|
2014 the polynomial basis \cite[pp. 48]{ROSE}. Given such a notation a multiplication or division by $x$ amounts to shifting whole digits a single |
|
|
2015 place. The need for such operations arises in several other higher level algorithms such as Barrett and Montgomery reduction, integer |
|
|
2016 division and Karatsuba multiplication. |
|
|
2017 |
|
|
2018 Converting from an array of digits to polynomial basis is very simple. Consider the integer $y \equiv (a_2, a_1, a_0)_{\beta}$ and recall that |
|
|
2019 $y = \sum_{i=0}^{2} a_i \beta^i$. Simply replace $\beta$ with $x$ and the expression is in polynomial basis. For example, $f(x) = 8x + 9$ is the |
|
|
2020 polynomial basis representation for $89$ using radix ten. That is, $f(10) = 8(10) + 9 = 89$. |
|
|
2021 |
|
|
2022 \subsection{Multiplication by $x$} |
|
|
2023 |
|
|
2024 Given a polynomial in $x$ such as $f(x) = a_n x^n + a_{n-1} x^{n-1} + ... + a_0$ multiplying by $x$ amounts to shifting the coefficients up one |
|
|
2025 degree. In this case $f(x) \cdot x = a_n x^{n+1} + a_{n-1} x^n + ... + a_0 x$. From a scalar basis point of view multiplying by $x$ is equivalent to |
|
|
2026 multiplying by the integer $\beta$. |
|
|
2027 |
|
|
2028 \newpage\begin{figure}[!here] |
|
|
2029 \begin{small} |
|
|
2030 \begin{center} |
|
|
2031 \begin{tabular}{l} |
|
|
2032 \hline Algorithm \textbf{mp\_lshd}. \\ |
|
|
2033 \textbf{Input}. One mp\_int $a$ and an integer $b$ \\ |
|
|
2034 \textbf{Output}. $a \leftarrow a \cdot \beta^b$ (equivalent to multiplication by $x^b$). \\ |
|
|
2035 \hline \\ |
|
|
2036 1. If $b \le 0$ then return(\textit{MP\_OKAY}). \\ |
|
|
2037 2. If $a.alloc < a.used + b$ then grow $a$ to at least $a.used + b$ digits. (\textit{mp\_grow}). \\ |
|
|
2038 3. If the reallocation failed return(\textit{MP\_MEM}). \\ |
|
|
2039 4. $a.used \leftarrow a.used + b$ \\ |
|
|
2040 5. $i \leftarrow a.used - 1$ \\ |
|
|
2041 6. $j \leftarrow a.used - 1 - b$ \\ |
|
|
2042 7. for $n$ from $a.used - 1$ to $b$ do \\ |
|
|
2043 \hspace{3mm}7.1 $a_{i} \leftarrow a_{j}$ \\ |
|
|
2044 \hspace{3mm}7.2 $i \leftarrow i - 1$ \\ |
|
|
2045 \hspace{3mm}7.3 $j \leftarrow j - 1$ \\ |
|
|
2046 8. for $n$ from 0 to $b - 1$ do \\ |
|
|
2047 \hspace{3mm}8.1 $a_n \leftarrow 0$ \\ |
|
|
2048 9. Return(\textit{MP\_OKAY}). \\ |
|
|
2049 \hline |
|
|
2050 \end{tabular} |
|
|
2051 \end{center} |
|
|
2052 \end{small} |
|
|
2053 \caption{Algorithm mp\_lshd} |
|
|
2054 \end{figure} |
|
|
2055 |
|
|
2056 \textbf{Algorithm mp\_lshd.} |
|
|
2057 This algorithm multiplies an mp\_int by the $b$'th power of $x$. This is equivalent to multiplying by $\beta^b$. The algorithm differs |
|
|
2058 from the other algorithms presented so far as it performs the operation in place instead storing the result in a separate location. The |
|
|
2059 motivation behind this change is due to the way this function is typically used. Algorithms such as mp\_add store the result in an optionally |
|
|
2060 different third mp\_int because the original inputs are often still required. Algorithm mp\_lshd (\textit{and similarly algorithm mp\_rshd}) is |
|
|
2061 typically used on values where the original value is no longer required. The algorithm will return success immediately if |
|
|
2062 $b \le 0$ since the rest of algorithm is only valid when $b > 0$. |
|
|
2063 |
|
|
2064 First the destination $a$ is grown as required to accomodate the result. The counters $i$ and $j$ are used to form a \textit{sliding window} over |
|
|
2065 the digits of $a$ of length $b$. The head of the sliding window is at $i$ (\textit{the leading digit}) and the tail at $j$ (\textit{the trailing digit}). |
|
|
2066 The loop on step 7 copies the digit from the tail to the head. In each iteration the window is moved down one digit. The last loop on |
|
|
2067 step 8 sets the lower $b$ digits to zero. |
|
|
2068 |
|
|
2069 \newpage |
|
|
2070 FIGU,sliding_window,Sliding Window Movement |
|
|
2071 |
|
|
2072 EXAM,bn_mp_lshd.c |
|
|
2073 |
|
|
2074 The if statement on line @24,if@ ensures that the $b$ variable is greater than zero. The \textbf{used} count is incremented by $b$ before |
|
|
2075 the copy loop begins. This elminates the need for an additional variable in the for loop. The variable $top$ on line @42,top@ is an alias |
|
|
2076 for the leading digit while $bottom$ on line @45,bottom@ is an alias for the trailing edge. The aliases form a window of exactly $b$ digits |
|
|
2077 over the input. |
|
|
2078 |
|
|
2079 \subsection{Division by $x$} |
|
|
2080 |
|
|
2081 Division by powers of $x$ is easily achieved by shifting the digits right and removing any that will end up to the right of the zero'th digit. |
|
|
2082 |
|
|
2083 \newpage\begin{figure}[!here] |
|
|
2084 \begin{small} |
|
|
2085 \begin{center} |
|
|
2086 \begin{tabular}{l} |
|
|
2087 \hline Algorithm \textbf{mp\_rshd}. \\ |
|
|
2088 \textbf{Input}. One mp\_int $a$ and an integer $b$ \\ |
|
|
2089 \textbf{Output}. $a \leftarrow a / \beta^b$ (Divide by $x^b$). \\ |
|
|
2090 \hline \\ |
|
|
2091 1. If $b \le 0$ then return. \\ |
|
|
2092 2. If $a.used \le b$ then do \\ |
|
|
2093 \hspace{3mm}2.1 Zero $a$. (\textit{mp\_zero}). \\ |
|
|
2094 \hspace{3mm}2.2 Return. \\ |
|
|
2095 3. $i \leftarrow 0$ \\ |
|
|
2096 4. $j \leftarrow b$ \\ |
|
|
2097 5. for $n$ from 0 to $a.used - b - 1$ do \\ |
|
|
2098 \hspace{3mm}5.1 $a_i \leftarrow a_j$ \\ |
|
|
2099 \hspace{3mm}5.2 $i \leftarrow i + 1$ \\ |
|
|
2100 \hspace{3mm}5.3 $j \leftarrow j + 1$ \\ |
|
|
2101 6. for $n$ from $a.used - b$ to $a.used - 1$ do \\ |
|
|
2102 \hspace{3mm}6.1 $a_n \leftarrow 0$ \\ |
|
|
2103 7. $a.used \leftarrow a.used - b$ \\ |
|
|
2104 8. Return. \\ |
|
|
2105 \hline |
|
|
2106 \end{tabular} |
|
|
2107 \end{center} |
|
|
2108 \end{small} |
|
|
2109 \caption{Algorithm mp\_rshd} |
|
|
2110 \end{figure} |
|
|
2111 |
|
|
2112 \textbf{Algorithm mp\_rshd.} |
|
|
2113 This algorithm divides the input in place by the $b$'th power of $x$. It is analogous to dividing by a $\beta^b$ but much quicker since |
|
|
2114 it does not require single precision division. This algorithm does not actually return an error code as it cannot fail. |
|
|
2115 |
|
|
2116 If the input $b$ is less than one the algorithm quickly returns without performing any work. If the \textbf{used} count is less than or equal |
|
|
2117 to the shift count $b$ then it will simply zero the input and return. |
|
|
2118 |
|
|
2119 After the trivial cases of inputs have been handled the sliding window is setup. Much like the case of algorithm mp\_lshd a sliding window that |
|
|
2120 is $b$ digits wide is used to copy the digits. Unlike mp\_lshd the window slides in the opposite direction from the trailing to the leading digit. |
|
|
2121 Also the digits are copied from the leading to the trailing edge. |
|
|
2122 |
|
|
2123 Once the window copy is complete the upper digits must be zeroed and the \textbf{used} count decremented. |
|
|
2124 |
|
|
2125 EXAM,bn_mp_rshd.c |
|
|
2126 |
|
|
2127 The only noteworthy element of this routine is the lack of a return type. |
|
|
2128 |
|
|
2129 -- Will update later to give it a return type...Tom |
|
|
2130 |
|
|
2131 \section{Powers of Two} |
|
|
2132 |
|
|
2133 Now that algorithms for moving single bits as well as whole digits exist algorithms for moving the ``in between'' distances are required. For |
|
|
2134 example, to quickly multiply by $2^k$ for any $k$ without using a full multiplier algorithm would prove useful. Instead of performing single |
|
|
2135 shifts $k$ times to achieve a multiplication by $2^{\pm k}$ a mixture of whole digit shifting and partial digit shifting is employed. |
|
|
2136 |
|
|
2137 \subsection{Multiplication by Power of Two} |
|
|
2138 |
|
|
2139 \newpage\begin{figure}[!here] |
|
|
2140 \begin{small} |
|
|
2141 \begin{center} |
|
|
2142 \begin{tabular}{l} |
|
|
2143 \hline Algorithm \textbf{mp\_mul\_2d}. \\ |
|
|
2144 \textbf{Input}. One mp\_int $a$ and an integer $b$ \\ |
|
|
2145 \textbf{Output}. $c \leftarrow a \cdot 2^b$. \\ |
|
|
2146 \hline \\ |
|
|
2147 1. $c \leftarrow a$. (\textit{mp\_copy}) \\ |
|
|
2148 2. If $c.alloc < c.used + \lfloor b / lg(\beta) \rfloor + 2$ then grow $c$ accordingly. \\ |
|
|
2149 3. If the reallocation failed return(\textit{MP\_MEM}). \\ |
|
|
2150 4. If $b \ge lg(\beta)$ then \\ |
|
|
2151 \hspace{3mm}4.1 $c \leftarrow c \cdot \beta^{\lfloor b / lg(\beta) \rfloor}$ (\textit{mp\_lshd}). \\ |
|
|
2152 \hspace{3mm}4.2 If step 4.1 failed return(\textit{MP\_MEM}). \\ |
|
|
2153 5. $d \leftarrow b \mbox{ (mod }lg(\beta)\mbox{)}$ \\ |
|
|
2154 6. If $d \ne 0$ then do \\ |
|
|
2155 \hspace{3mm}6.1 $mask \leftarrow 2^d$ \\ |
|
|
2156 \hspace{3mm}6.2 $r \leftarrow 0$ \\ |
|
|
2157 \hspace{3mm}6.3 for $n$ from $0$ to $c.used - 1$ do \\ |
|
|
2158 \hspace{6mm}6.3.1 $rr \leftarrow c_n >> (lg(\beta) - d) \mbox{ (mod }mask\mbox{)}$ \\ |
|
|
2159 \hspace{6mm}6.3.2 $c_n \leftarrow (c_n << d) + r \mbox{ (mod }\beta\mbox{)}$ \\ |
|
|
2160 \hspace{6mm}6.3.3 $r \leftarrow rr$ \\ |
|
|
2161 \hspace{3mm}6.4 If $r > 0$ then do \\ |
|
|
2162 \hspace{6mm}6.4.1 $c_{c.used} \leftarrow r$ \\ |
|
|
2163 \hspace{6mm}6.4.2 $c.used \leftarrow c.used + 1$ \\ |
|
|
2164 7. Return(\textit{MP\_OKAY}). \\ |
|
|
2165 \hline |
|
|
2166 \end{tabular} |
|
|
2167 \end{center} |
|
|
2168 \end{small} |
|
|
2169 \caption{Algorithm mp\_mul\_2d} |
|
|
2170 \end{figure} |
|
|
2171 |
|
|
2172 \textbf{Algorithm mp\_mul\_2d.} |
|
|
2173 This algorithm multiplies $a$ by $2^b$ and stores the result in $c$. The algorithm uses algorithm mp\_lshd and a derivative of algorithm mp\_mul\_2 to |
|
|
2174 quickly compute the product. |
|
|
2175 |
|
|
2176 First the algorithm will multiply $a$ by $x^{\lfloor b / lg(\beta) \rfloor}$ which will ensure that the remainder multiplicand is less than |
|
|
2177 $\beta$. For example, if $b = 37$ and $\beta = 2^{28}$ then this step will multiply by $x$ leaving a multiplication by $2^{37 - 28} = 2^{9}$ |
|
|
2178 left. |
|
|
2179 |
|
|
2180 After the digits have been shifted appropriately at most $lg(\beta) - 1$ shifts are left to perform. Step 5 calculates the number of remaining shifts |
|
|
2181 required. If it is non-zero a modified shift loop is used to calculate the remaining product. |
|
|
2182 Essentially the loop is a generic version of algorith mp\_mul2 designed to handle any shift count in the range $1 \le x < lg(\beta)$. The $mask$ |
|
|
2183 variable is used to extract the upper $d$ bits to form the carry for the next iteration. |
|
|
2184 |
|
|
2185 This algorithm is loosely measured as a $O(2n)$ algorithm which means that if the input is $n$-digits that it takes $2n$ ``time'' to |
|
|
2186 complete. It is possible to optimize this algorithm down to a $O(n)$ algorithm at a cost of making the algorithm slightly harder to follow. |
|
|
2187 |
|
|
2188 EXAM,bn_mp_mul_2d.c |
|
|
2189 |
|
|
2190 Notes to be revised when code is updated. -- Tom |
|
|
2191 |
|
|
2192 \subsection{Division by Power of Two} |
|
|
2193 |
|
|
2194 \newpage\begin{figure}[!here] |
|
|
2195 \begin{small} |
|
|
2196 \begin{center} |
|
|
2197 \begin{tabular}{l} |
|
|
2198 \hline Algorithm \textbf{mp\_div\_2d}. \\ |
|
|
2199 \textbf{Input}. One mp\_int $a$ and an integer $b$ \\ |
|
|
2200 \textbf{Output}. $c \leftarrow \lfloor a / 2^b \rfloor, d \leftarrow a \mbox{ (mod }2^b\mbox{)}$. \\ |
|
|
2201 \hline \\ |
|
|
2202 1. If $b \le 0$ then do \\ |
|
|
2203 \hspace{3mm}1.1 $c \leftarrow a$ (\textit{mp\_copy}) \\ |
|
|
2204 \hspace{3mm}1.2 $d \leftarrow 0$ (\textit{mp\_zero}) \\ |
|
|
2205 \hspace{3mm}1.3 Return(\textit{MP\_OKAY}). \\ |
|
|
2206 2. $c \leftarrow a$ \\ |
|
|
2207 3. $d \leftarrow a \mbox{ (mod }2^b\mbox{)}$ (\textit{mp\_mod\_2d}) \\ |
|
|
2208 4. If $b \ge lg(\beta)$ then do \\ |
|
|
2209 \hspace{3mm}4.1 $c \leftarrow \lfloor c/\beta^{\lfloor b/lg(\beta) \rfloor} \rfloor$ (\textit{mp\_rshd}). \\ |
|
|
2210 5. $k \leftarrow b \mbox{ (mod }lg(\beta)\mbox{)}$ \\ |
|
|
2211 6. If $k \ne 0$ then do \\ |
|
|
2212 \hspace{3mm}6.1 $mask \leftarrow 2^k$ \\ |
|
|
2213 \hspace{3mm}6.2 $r \leftarrow 0$ \\ |
|
|
2214 \hspace{3mm}6.3 for $n$ from $c.used - 1$ to $0$ do \\ |
|
|
2215 \hspace{6mm}6.3.1 $rr \leftarrow c_n \mbox{ (mod }mask\mbox{)}$ \\ |
|
|
2216 \hspace{6mm}6.3.2 $c_n \leftarrow (c_n >> k) + (r << (lg(\beta) - k))$ \\ |
|
|
2217 \hspace{6mm}6.3.3 $r \leftarrow rr$ \\ |
|
|
2218 7. Clamp excess digits of $c$. (\textit{mp\_clamp}) \\ |
|
|
2219 8. Return(\textit{MP\_OKAY}). \\ |
|
|
2220 \hline |
|
|
2221 \end{tabular} |
|
|
2222 \end{center} |
|
|
2223 \end{small} |
|
|
2224 \caption{Algorithm mp\_div\_2d} |
|
|
2225 \end{figure} |
|
|
2226 |
|
|
2227 \textbf{Algorithm mp\_div\_2d.} |
|
|
2228 This algorithm will divide an input $a$ by $2^b$ and produce the quotient and remainder. The algorithm is designed much like algorithm |
|
|
2229 mp\_mul\_2d by first using whole digit shifts then single precision shifts. This algorithm will also produce the remainder of the division |
|
|
2230 by using algorithm mp\_mod\_2d. |
|
|
2231 |
|
|
2232 EXAM,bn_mp_div_2d.c |
|
|
2233 |
|
|
2234 The implementation of algorithm mp\_div\_2d is slightly different than the algorithm specifies. The remainder $d$ may be optionally |
|
|
2235 ignored by passing \textbf{NULL} as the pointer to the mp\_int variable. The temporary mp\_int variable $t$ is used to hold the |
|
|
2236 result of the remainder operation until the end. This allows $d$ and $a$ to represent the same mp\_int without modifying $a$ before |
|
|
2237 the quotient is obtained. |
|
|
2238 |
|
|
2239 The remainder of the source code is essentially the same as the source code for mp\_mul\_2d. (-- Fix this paragraph up later, Tom). |
|
|
2240 |
|
|
2241 \subsection{Remainder of Division by Power of Two} |
|
|
2242 |
|
|
2243 The last algorithm in the series of polynomial basis power of two algorithms is calculating the remainder of division by $2^b$. This |
|
|
2244 algorithm benefits from the fact that in twos complement arithmetic $a \mbox{ (mod }2^b\mbox{)}$ is the same as $a$ AND $2^b - 1$. |
|
|
2245 |
|
|
2246 \begin{figure}[!here] |
|
|
2247 \begin{small} |
|
|
2248 \begin{center} |
|
|
2249 \begin{tabular}{l} |
|
|
2250 \hline Algorithm \textbf{mp\_mod\_2d}. \\ |
|
|
2251 \textbf{Input}. One mp\_int $a$ and an integer $b$ \\ |
|
|
2252 \textbf{Output}. $c \leftarrow a \mbox{ (mod }2^b\mbox{)}$. \\ |
|
|
2253 \hline \\ |
|
|
2254 1. If $b \le 0$ then do \\ |
|
|
2255 \hspace{3mm}1.1 $c \leftarrow 0$ (\textit{mp\_zero}) \\ |
|
|
2256 \hspace{3mm}1.2 Return(\textit{MP\_OKAY}). \\ |
|
|
2257 2. If $b > a.used \cdot lg(\beta)$ then do \\ |
|
|
2258 \hspace{3mm}2.1 $c \leftarrow a$ (\textit{mp\_copy}) \\ |
|
|
2259 \hspace{3mm}2.2 Return the result of step 2.1. \\ |
|
|
2260 3. $c \leftarrow a$ \\ |
|
|
2261 4. If step 3 failed return(\textit{MP\_MEM}). \\ |
|
|
2262 5. for $n$ from $\lceil b / lg(\beta) \rceil$ to $c.used$ do \\ |
|
|
2263 \hspace{3mm}5.1 $c_n \leftarrow 0$ \\ |
|
|
2264 6. $k \leftarrow b \mbox{ (mod }lg(\beta)\mbox{)}$ \\ |
|
|
2265 7. $c_{\lfloor b / lg(\beta) \rfloor} \leftarrow c_{\lfloor b / lg(\beta) \rfloor} \mbox{ (mod }2^{k}\mbox{)}$. \\ |
|
|
2266 8. Clamp excess digits of $c$. (\textit{mp\_clamp}) \\ |
|
|
2267 9. Return(\textit{MP\_OKAY}). \\ |
|
|
2268 \hline |
|
|
2269 \end{tabular} |
|
|
2270 \end{center} |
|
|
2271 \end{small} |
|
|
2272 \caption{Algorithm mp\_mod\_2d} |
|
|
2273 \end{figure} |
|
|
2274 |
|
|
2275 \textbf{Algorithm mp\_mod\_2d.} |
|
|
2276 This algorithm will quickly calculate the value of $a \mbox{ (mod }2^b\mbox{)}$. First if $b$ is less than or equal to zero the |
|
|
2277 result is set to zero. If $b$ is greater than the number of bits in $a$ then it simply copies $a$ to $c$ and returns. Otherwise, $a$ |
|
|
2278 is copied to $b$, leading digits are removed and the remaining leading digit is trimed to the exact bit count. |
|
|
2279 |
|
|
2280 EXAM,bn_mp_mod_2d.c |
|
|
2281 |
|
|
2282 -- Add comments later, Tom. |
|
|
2283 |
|
|
2284 \section*{Exercises} |
|
|
2285 \begin{tabular}{cl} |
|
|
2286 $\left [ 3 \right ] $ & Devise an algorithm that performs $a \cdot 2^b$ for generic values of $b$ \\ |
|
|
2287 & in $O(n)$ time. \\ |
|
|
2288 &\\ |
|
|
2289 $\left [ 3 \right ] $ & Devise an efficient algorithm to multiply by small low hamming \\ |
|
|
2290 & weight values such as $3$, $5$ and $9$. Extend it to handle all values \\ |
|
|
2291 & upto $64$ with a hamming weight less than three. \\ |
|
|
2292 &\\ |
|
|
2293 $\left [ 2 \right ] $ & Modify the preceding algorithm to handle values of the form \\ |
|
|
2294 & $2^k - 1$ as well. \\ |
|
|
2295 &\\ |
|
|
2296 $\left [ 3 \right ] $ & Using only algorithms mp\_mul\_2, mp\_div\_2 and mp\_add create an \\ |
|
|
2297 & algorithm to multiply two integers in roughly $O(2n^2)$ time for \\ |
|
|
2298 & any $n$-bit input. Note that the time of addition is ignored in the \\ |
|
|
2299 & calculation. \\ |
|
|
2300 & \\ |
|
|
2301 $\left [ 5 \right ] $ & Improve the previous algorithm to have a working time of at most \\ |
|
|
2302 & $O \left (2^{(k-1)}n + \left ({2n^2 \over k} \right ) \right )$ for an appropriate choice of $k$. Again ignore \\ |
|
|
2303 & the cost of addition. \\ |
|
|
2304 & \\ |
|
|
2305 $\left [ 2 \right ] $ & Devise a chart to find optimal values of $k$ for the previous problem \\ |
|
|
2306 & for $n = 64 \ldots 1024$ in steps of $64$. \\ |
|
|
2307 & \\ |
|
|
2308 $\left [ 2 \right ] $ & Using only algorithms mp\_abs and mp\_sub devise another method for \\ |
|
|
2309 & calculating the result of a signed comparison. \\ |
|
|
2310 & |
|
|
2311 \end{tabular} |
|
|
2312 |
|
|
2313 \chapter{Multiplication and Squaring} |
|
|
2314 \section{The Multipliers} |
|
|
2315 For most number theoretic problems including certain public key cryptographic algorithms, the ``multipliers'' form the most important subset of |
|
|
2316 algorithms of any multiple precision integer package. The set of multiplier algorithms include integer multiplication, squaring and modular reduction |
|
|
2317 where in each of the algorithms single precision multiplication is the dominant operation performed. This chapter will discuss integer multiplication |
|
|
2318 and squaring, leaving modular reductions for the subsequent chapter. |
|
|
2319 |
|
|
2320 The importance of the multiplier algorithms is for the most part driven by the fact that certain popular public key algorithms are based on modular |
|
|
2321 exponentiation, that is computing $d \equiv a^b \mbox{ (mod }c\mbox{)}$ for some arbitrary choice of $a$, $b$, $c$ and $d$. During a modular |
|
|
2322 exponentiation the majority\footnote{Roughly speaking a modular exponentiation will spend about 40\% of the time performing modular reductions, |
|
|
2323 35\% of the time performing squaring and 25\% of the time performing multiplications.} of the processor time is spent performing single precision |
|
|
2324 multiplications. |
|
|
2325 |
|
|
2326 For centuries general purpose multiplication has required a lengthly $O(n^2)$ process, whereby each digit of one multiplicand has to be multiplied |
|
|
2327 against every digit of the other multiplicand. Traditional long-hand multiplication is based on this process; while the techniques can differ the |
|
|
2328 overall algorithm used is essentially the same. Only ``recently'' have faster algorithms been studied. First Karatsuba multiplication was discovered in |
|
|
2329 1962. This algorithm can multiply two numbers with considerably fewer single precision multiplications when compared to the long-hand approach. |
|
|
2330 This technique led to the discovery of polynomial basis algorithms (\textit{good reference?}) and subquently Fourier Transform based solutions. |
|
|
2331 |
|
|
2332 \section{Multiplication} |
|
|
2333 \subsection{The Baseline Multiplication} |
|
|
2334 \label{sec:basemult} |
|
|
2335 \index{baseline multiplication} |
|
|
2336 Computing the product of two integers in software can be achieved using a trivial adaptation of the standard $O(n^2)$ long-hand multiplication |
|
|
2337 algorithm that school children are taught. The algorithm is considered an $O(n^2)$ algorithm since for two $n$-digit inputs $n^2$ single precision |
|
|
2338 multiplications are required. More specifically for a $m$ and $n$ digit input $m \cdot n$ single precision multiplications are required. To |
|
|
2339 simplify most discussions, it will be assumed that the inputs have comparable number of digits. |
|
|
2340 |
|
|
2341 The ``baseline multiplication'' algorithm is designed to act as the ``catch-all'' algorithm, only to be used when the faster algorithms cannot be |
|
|
2342 used. This algorithm does not use any particularly interesting optimizations and should ideally be avoided if possible. One important |
|
|
2343 facet of this algorithm, is that it has been modified to only produce a certain amount of output digits as resolution. The importance of this |
|
|
2344 modification will become evident during the discussion of Barrett modular reduction. Recall that for a $n$ and $m$ digit input the product |
|
|
2345 will be at most $n + m$ digits. Therefore, this algorithm can be reduced to a full multiplier by having it produce $n + m$ digits of the product. |
|
|
2346 |
|
|
2347 Recall from ~GAMMA~ the definition of $\gamma$ as the number of bits in the type \textbf{mp\_digit}. We shall now extend the variable set to |
|
|
2348 include $\alpha$ which shall represent the number of bits in the type \textbf{mp\_word}. This implies that $2^{\alpha} > 2 \cdot \beta^2$. The |
|
|
2349 constant $\delta = 2^{\alpha - 2lg(\beta)}$ will represent the maximal weight of any column in a product (\textit{see ~COMBA~ for more information}). |
|
|
2350 |
|
|
2351 \newpage\begin{figure}[!here] |
|
|
2352 \begin{small} |
|
|
2353 \begin{center} |
|
|
2354 \begin{tabular}{l} |
|
|
2355 \hline Algorithm \textbf{s\_mp\_mul\_digs}. \\ |
|
|
2356 \textbf{Input}. mp\_int $a$, mp\_int $b$ and an integer $digs$ \\ |
|
|
2357 \textbf{Output}. $c \leftarrow \vert a \vert \cdot \vert b \vert \mbox{ (mod }\beta^{digs}\mbox{)}$. \\ |
|
|
2358 \hline \\ |
|
|
2359 1. If min$(a.used, b.used) < \delta$ then do \\ |
|
|
2360 \hspace{3mm}1.1 Calculate $c = \vert a \vert \cdot \vert b \vert$ by the Comba method (\textit{see algorithm~\ref{fig:COMBAMULT}}). \\ |
|
|
2361 \hspace{3mm}1.2 Return the result of step 1.1 \\ |
|
|
2362 \\ |
|
|
2363 Allocate and initialize a temporary mp\_int. \\ |
|
|
2364 2. Init $t$ to be of size $digs$ \\ |
|
|
2365 3. If step 2 failed return(\textit{MP\_MEM}). \\ |
|
|
2366 4. $t.used \leftarrow digs$ \\ |
|
|
2367 \\ |
|
|
2368 Compute the product. \\ |
|
|
2369 5. for $ix$ from $0$ to $a.used - 1$ do \\ |
|
|
2370 \hspace{3mm}5.1 $u \leftarrow 0$ \\ |
|
|
2371 \hspace{3mm}5.2 $pb \leftarrow \mbox{min}(b.used, digs - ix)$ \\ |
|
|
2372 \hspace{3mm}5.3 If $pb < 1$ then goto step 6. \\ |
|
|
2373 \hspace{3mm}5.4 for $iy$ from $0$ to $pb - 1$ do \\ |
|
|
2374 \hspace{6mm}5.4.1 $\hat r \leftarrow t_{iy + ix} + a_{ix} \cdot b_{iy} + u$ \\ |
|
|
2375 \hspace{6mm}5.4.2 $t_{iy + ix} \leftarrow \hat r \mbox{ (mod }\beta\mbox{)}$ \\ |
|
|
2376 \hspace{6mm}5.4.3 $u \leftarrow \lfloor \hat r / \beta \rfloor$ \\ |
|
|
2377 \hspace{3mm}5.5 if $ix + pb < digs$ then do \\ |
|
|
2378 \hspace{6mm}5.5.1 $t_{ix + pb} \leftarrow u$ \\ |
|
|
2379 6. Clamp excess digits of $t$. \\ |
|
|
2380 7. Swap $c$ with $t$ \\ |
|
|
2381 8. Clear $t$ \\ |
|
|
2382 9. Return(\textit{MP\_OKAY}). \\ |
|
|
2383 \hline |
|
|
2384 \end{tabular} |
|
|
2385 \end{center} |
|
|
2386 \end{small} |
|
|
2387 \caption{Algorithm s\_mp\_mul\_digs} |
|
|
2388 \end{figure} |
|
|
2389 |
|
|
2390 \textbf{Algorithm s\_mp\_mul\_digs.} |
|
|
2391 This algorithm computes the unsigned product of two inputs $a$ and $b$, limited to an output precision of $digs$ digits. While it may seem |
|
|
2392 a bit awkward to modify the function from its simple $O(n^2)$ description, the usefulness of partial multipliers will arise in a subsequent |
|
|
2393 algorithm. The algorithm is loosely based on algorithm 14.12 from \cite[pp. 595]{HAC} and is similar to Algorithm M of Knuth \cite[pp. 268]{TAOCPV2}. |
|
|
2394 Algorithm s\_mp\_mul\_digs differs from these cited references since it can produce a variable output precision regardless of the precision of the |
|
|
2395 inputs. |
|
|
2396 |
|
|
2397 The first thing this algorithm checks for is whether a Comba multiplier can be used instead. If the minimum digit count of either |
|
|
2398 input is less than $\delta$, then the Comba method may be used instead. After the Comba method is ruled out, the baseline algorithm begins. A |
|
|
2399 temporary mp\_int variable $t$ is used to hold the intermediate result of the product. This allows the algorithm to be used to |
|
|
2400 compute products when either $a = c$ or $b = c$ without overwriting the inputs. |
|
|
2401 |
|
|
2402 All of step 5 is the infamous $O(n^2)$ multiplication loop slightly modified to only produce upto $digs$ digits of output. The $pb$ variable |
|
|
2403 is given the count of digits to read from $b$ inside the nested loop. If $pb \le 1$ then no more output digits can be produced and the algorithm |
|
|
2404 will exit the loop. The best way to think of the loops are as a series of $pb \times 1$ multiplications. That is, in each pass of the |
|
|
2405 innermost loop $a_{ix}$ is multiplied against $b$ and the result is added (\textit{with an appropriate shift}) to $t$. |
|
|
2406 |
|
|
2407 For example, consider multiplying $576$ by $241$. That is equivalent to computing $10^0(1)(576) + 10^1(4)(576) + 10^2(2)(576)$ which is best |
|
|
2408 visualized in the following table. |
|
|
2409 |
|
|
2410 \begin{figure}[here] |
|
|
2411 \begin{center} |
|
|
2412 \begin{tabular}{|c|c|c|c|c|c|l|} |
|
|
2413 \hline && & 5 & 7 & 6 & \\ |
|
|
2414 \hline $\times$&& & 2 & 4 & 1 & \\ |
|
|
2415 \hline &&&&&&\\ |
|
|
2416 && & 5 & 7 & 6 & $10^0(1)(576)$ \\ |
|
|
2417 &2 & 3 & 6 & 1 & 6 & $10^1(4)(576) + 10^0(1)(576)$ \\ |
|
|
2418 1 & 3 & 8 & 8 & 1 & 6 & $10^2(2)(576) + 10^1(4)(576) + 10^0(1)(576)$ \\ |
|
|
2419 \hline |
|
|
2420 \end{tabular} |
|
|
2421 \end{center} |
|
|
2422 \caption{Long-Hand Multiplication Diagram} |
|
|
2423 \end{figure} |
|
|
2424 |
|
|
2425 Each row of the product is added to the result after being shifted to the left (\textit{multiplied by a power of the radix}) by the appropriate |
|
|
2426 count. That is in pass $ix$ of the inner loop the product is added starting at the $ix$'th digit of the reult. |
|
|
2427 |
|
|
2428 Step 5.4.1 introduces the hat symbol (\textit{e.g. $\hat r$}) which represents a double precision variable. The multiplication on that step |
|
|
2429 is assumed to be a double wide output single precision multiplication. That is, two single precision variables are multiplied to produce a |
|
|
2430 double precision result. The step is somewhat optimized from a long-hand multiplication algorithm because the carry from the addition in step |
|
|
2431 5.4.1 is propagated through the nested loop. If the carry was not propagated immediately it would overflow the single precision digit |
|
|
2432 $t_{ix+iy}$ and the result would be lost. |
|
|
2433 |
|
|
2434 At step 5.5 the nested loop is finished and any carry that was left over should be forwarded. The carry does not have to be added to the $ix+pb$'th |
|
|
2435 digit since that digit is assumed to be zero at this point. However, if $ix + pb \ge digs$ the carry is not set as it would make the result |
|
|
2436 exceed the precision requested. |
|
|
2437 |
|
|
2438 EXAM,bn_s_mp_mul_digs.c |
|
|
2439 |
|
|
2440 Lines @31,if@ to @35,}@ determine if the Comba method can be used first. The conditions for using the Comba routine are that min$(a.used, b.used) < \delta$ and |
|
|
2441 the number of digits of output is less than \textbf{MP\_WARRAY}. This new constant is used to control |
|
|
2442 the stack usage in the Comba routines. By default it is set to $\delta$ but can be reduced when memory is at a premium. |
|
|
2443 |
|
|
2444 Of particular importance is the calculation of the $ix+iy$'th column on lines @64,mp_word@, @65,mp_word@ and @66,mp_word@. Note how all of the |
|
|
2445 variables are cast to the type \textbf{mp\_word}, which is also the type of variable $\hat r$. That is to ensure that double precision operations |
|
|
2446 are used instead of single precision. The multiplication on line @65,) * (@ makes use of a specific GCC optimizer behaviour. On the outset it looks like |
|
|
2447 the compiler will have to use a double precision multiplication to produce the result required. Such an operation would be horribly slow on most |
|
|
2448 processors and drag this to a crawl. However, GCC is smart enough to realize that double wide output single precision multipliers can be used. For |
|
|
2449 example, the instruction ``MUL'' on the x86 processor can multiply two 32-bit values and produce a 64-bit result. |
|
|
2450 |
|
|
2451 \subsection{Faster Multiplication by the ``Comba'' Method} |
|
|
2452 MARK,COMBA |
|
|
2453 |
|
|
2454 One of the huge drawbacks of the ``baseline'' algorithms is that at the $O(n^2)$ level the carry must be computed and propagated upwards. This |
|
|
2455 makes the nested loop very sequential and hard to unroll and implement in parallel. The ``Comba'' \cite{COMBA} method is named after little known |
|
|
2456 (\textit{in cryptographic venues}) Paul G. Comba who described a method of implementing fast multipliers that do not require nested |
|
|
2457 carry fixup operations. As an interesting aside it seems that Paul Barrett describes a similar technique in |
|
|
2458 his 1986 paper \cite{BARRETT} written five years before. |
|
|
2459 |
|
|
2460 At the heart of the Comba technique is once again the long-hand algorithm. Except in this case a slight twist is placed on how |
|
|
2461 the columns of the result are produced. In the standard long-hand algorithm rows of products are produced then added together to form the |
|
|
2462 final result. In the baseline algorithm the columns are added together after each iteration to get the result instantaneously. |
|
|
2463 |
|
|
2464 In the Comba algorithm the columns of the result are produced entirely independently of each other. That is at the $O(n^2)$ level a |
|
|
2465 simple multiplication and addition step is performed. The carries of the columns are propagated after the nested loop to reduce the amount |
|
|
2466 of work requiored. Succintly the first step of the algorithm is to compute the product vector $\vec x$ as follows. |
|
|
2467 |
|
|
2468 \begin{equation} |
|
|
2469 \vec x_n = \sum_{i+j = n} a_ib_j, \forall n \in \lbrace 0, 1, 2, \ldots, i + j \rbrace |
|
|
2470 \end{equation} |
|
|
2471 |
|
|
2472 Where $\vec x_n$ is the $n'th$ column of the output vector. Consider the following example which computes the vector $\vec x$ for the multiplication |
|
|
2473 of $576$ and $241$. |
|
|
2474 |
|
|
2475 \newpage\begin{figure}[here] |
|
|
2476 \begin{small} |
|
|
2477 \begin{center} |
|
|
2478 \begin{tabular}{|c|c|c|c|c|c|} |
|
|
2479 \hline & & 5 & 7 & 6 & First Input\\ |
|
|
2480 \hline $\times$ & & 2 & 4 & 1 & Second Input\\ |
|
|
2481 \hline & & $1 \cdot 5 = 5$ & $1 \cdot 7 = 7$ & $1 \cdot 6 = 6$ & First pass \\ |
|
|
2482 & $4 \cdot 5 = 20$ & $4 \cdot 7+5=33$ & $4 \cdot 6+7=31$ & 6 & Second pass \\ |
|
|
2483 $2 \cdot 5 = 10$ & $2 \cdot 7 + 20 = 34$ & $2 \cdot 6+33=45$ & 31 & 6 & Third pass \\ |
|
|
2484 \hline 10 & 34 & 45 & 31 & 6 & Final Result \\ |
|
|
2485 \hline |
|
|
2486 \end{tabular} |
|
|
2487 \end{center} |
|
|
2488 \end{small} |
|
|
2489 \caption{Comba Multiplication Diagram} |
|
|
2490 \end{figure} |
|
|
2491 |
|
|
2492 At this point the vector $x = \left < 10, 34, 45, 31, 6 \right >$ is the result of the first step of the Comba multipler. |
|
|
2493 Now the columns must be fixed by propagating the carry upwards. The resultant vector will have one extra dimension over the input vector which is |
|
|
2494 congruent to adding a leading zero digit. |
|
|
2495 |
|
|
2496 \begin{figure}[!here] |
|
|
2497 \begin{small} |
|
|
2498 \begin{center} |
|
|
2499 \begin{tabular}{l} |
|
|
2500 \hline Algorithm \textbf{Comba Fixup}. \\ |
|
|
2501 \textbf{Input}. Vector $\vec x$ of dimension $k$ \\ |
|
|
2502 \textbf{Output}. Vector $\vec x$ such that the carries have been propagated. \\ |
|
|
2503 \hline \\ |
|
|
2504 1. for $n$ from $0$ to $k - 1$ do \\ |
|
|
2505 \hspace{3mm}1.1 $\vec x_{n+1} \leftarrow \vec x_{n+1} + \lfloor \vec x_{n}/\beta \rfloor$ \\ |
|
|
2506 \hspace{3mm}1.2 $\vec x_{n} \leftarrow \vec x_{n} \mbox{ (mod }\beta\mbox{)}$ \\ |
|
|
2507 2. Return($\vec x$). \\ |
|
|
2508 \hline |
|
|
2509 \end{tabular} |
|
|
2510 \end{center} |
|
|
2511 \end{small} |
|
|
2512 \caption{Algorithm Comba Fixup} |
|
|
2513 \end{figure} |
|
|
2514 |
|
|
2515 With that algorithm and $k = 5$ and $\beta = 10$ the following vector is produced $\vec x= \left < 1, 3, 8, 8, 1, 6 \right >$. In this case |
|
|
2516 $241 \cdot 576$ is in fact $138816$ and the procedure succeeded. If the algorithm is correct and as will be demonstrated shortly more |
|
|
2517 efficient than the baseline algorithm why not simply always use this algorithm? |
|
|
2518 |
|
|
2519 \subsubsection{Column Weight.} |
|
|
2520 At the nested $O(n^2)$ level the Comba method adds the product of two single precision variables to each column of the output |
|
|
2521 independently. A serious obstacle is if the carry is lost, due to lack of precision before the algorithm has a chance to fix |
|
|
2522 the carries. For example, in the multiplication of two three-digit numbers the third column of output will be the sum of |
|
|
2523 three single precision multiplications. If the precision of the accumulator for the output digits is less then $3 \cdot (\beta - 1)^2$ then |
|
|
2524 an overflow can occur and the carry information will be lost. For any $m$ and $n$ digit inputs the maximum weight of any column is |
|
|
2525 min$(m, n)$ which is fairly obvious. |
|
|
2526 |
|
|
2527 The maximum number of terms in any column of a product is known as the ``column weight'' and strictly governs when the algorithm can be used. Recall |
|
|
2528 from earlier that a double precision type has $\alpha$ bits of resolution and a single precision digit has $lg(\beta)$ bits of precision. Given these |
|
|
2529 two quantities we must not violate the following |
|
|
2530 |
|
|
2531 \begin{equation} |
|
|
2532 k \cdot \left (\beta - 1 \right )^2 < 2^{\alpha} |
|
|
2533 \end{equation} |
|
|
2534 |
|
|
2535 Which reduces to |
|
|
2536 |
|
|
2537 \begin{equation} |
|
|
2538 k \cdot \left ( \beta^2 - 2\beta + 1 \right ) < 2^{\alpha} |
|
|
2539 \end{equation} |
|
|
2540 |
|
|
2541 Let $\rho = lg(\beta)$ represent the number of bits in a single precision digit. By further re-arrangement of the equation the final solution is |
|
|
2542 found. |
|
|
2543 |
|
|
2544 \begin{equation} |
|
|
2545 k < {{2^{\alpha}} \over {\left (2^{2\rho} - 2^{\rho + 1} + 1 \right )}} |
|
|
2546 \end{equation} |
|
|
2547 |
|
|
2548 The defaults for LibTomMath are $\beta = 2^{28}$ and $\alpha = 2^{64}$ which means that $k$ is bounded by $k < 257$. In this configuration |
|
|
2549 the smaller input may not have more than $256$ digits if the Comba method is to be used. This is quite satisfactory for most applications since |
|
|
2550 $256$ digits would allow for numbers in the range of $0 \le x < 2^{7168}$ which, is much larger than most public key cryptographic algorithms require. |
|
|
2551 |
|
|
2552 \newpage\begin{figure}[!here] |
|
|
2553 \begin{small} |
|
|
2554 \begin{center} |
|
|
2555 \begin{tabular}{l} |
|
|
2556 \hline Algorithm \textbf{fast\_s\_mp\_mul\_digs}. \\ |
|
|
2557 \textbf{Input}. mp\_int $a$, mp\_int $b$ and an integer $digs$ \\ |
|
|
2558 \textbf{Output}. $c \leftarrow \vert a \vert \cdot \vert b \vert \mbox{ (mod }\beta^{digs}\mbox{)}$. \\ |
|
|
2559 \hline \\ |
|
|
2560 Place an array of \textbf{MP\_WARRAY} double precision digits named $\hat W$ on the stack. \\ |
|
|
2561 1. If $c.alloc < digs$ then grow $c$ to $digs$ digits. (\textit{mp\_grow}) \\ |
|
|
2562 2. If step 1 failed return(\textit{MP\_MEM}).\\ |
|
|
2563 \\ |
|
|
2564 Zero the temporary array $\hat W$. \\ |
|
|
2565 3. for $n$ from $0$ to $digs - 1$ do \\ |
|
|
2566 \hspace{3mm}3.1 $\hat W_n \leftarrow 0$ \\ |
|
|
2567 \\ |
|
|
2568 Compute the columns. \\ |
|
|
2569 4. for $ix$ from $0$ to $a.used - 1$ do \\ |
|
|
2570 \hspace{3mm}4.1 $pb \leftarrow \mbox{min}(b.used, digs - ix)$ \\ |
|
|
2571 \hspace{3mm}4.2 If $pb < 1$ then goto step 5. \\ |
|
|
2572 \hspace{3mm}4.3 for $iy$ from $0$ to $pb - 1$ do \\ |
|
|
2573 \hspace{6mm}4.3.1 $\hat W_{ix+iy} \leftarrow \hat W_{ix+iy} + a_{ix}b_{iy}$ \\ |
|
|
2574 \\ |
|
|
2575 Propagate the carries upwards. \\ |
|
|
2576 5. $oldused \leftarrow c.used$ \\ |
|
|
2577 6. $c.used \leftarrow digs$ \\ |
|
|
2578 7. If $digs > 1$ then do \\ |
|
|
2579 \hspace{3mm}7.1. for $ix$ from $1$ to $digs - 1$ do \\ |
|
|
2580 \hspace{6mm}7.1.1 $\hat W_{ix} \leftarrow \hat W_{ix} + \lfloor \hat W_{ix-1} / \beta \rfloor$ \\ |
|
|
2581 \hspace{6mm}7.1.2 $c_{ix - 1} \leftarrow \hat W_{ix - 1} \mbox{ (mod }\beta\mbox{)}$ \\ |
|
|
2582 8. else do \\ |
|
|
2583 \hspace{3mm}8.1 $ix \leftarrow 0$ \\ |
|
|
2584 9. $c_{ix} \leftarrow \hat W_{ix} \mbox{ (mod }\beta\mbox{)}$ \\ |
|
|
2585 \\ |
|
|
2586 Zero excess digits. \\ |
|
|
2587 10. If $digs < oldused$ then do \\ |
|
|
2588 \hspace{3mm}10.1 for $n$ from $digs$ to $oldused - 1$ do \\ |
|
|
2589 \hspace{6mm}10.1.1 $c_n \leftarrow 0$ \\ |
|
|
2590 11. Clamp excessive digits of $c$. (\textit{mp\_clamp}) \\ |
|
|
2591 12. Return(\textit{MP\_OKAY}). \\ |
|
|
2592 \hline |
|
|
2593 \end{tabular} |
|
|
2594 \end{center} |
|
|
2595 \end{small} |
|
|
2596 \caption{Algorithm fast\_s\_mp\_mul\_digs} |
|
|
2597 \label{fig:COMBAMULT} |
|
|
2598 \end{figure} |
|
|
2599 |
|
|
2600 \textbf{Algorithm fast\_s\_mp\_mul\_digs.} |
|
|
2601 This algorithm performs the unsigned multiplication of $a$ and $b$ using the Comba method limited to $digs$ digits of precision. The algorithm |
|
|
2602 essentially peforms the same calculation as algorithm s\_mp\_mul\_digs, just much faster. |
|
|
2603 |
|
|
2604 The array $\hat W$ is meant to be on the stack when the algorithm is used. The size of the array does not change which is ideal. Note also that |
|
|
2605 unlike algorithm s\_mp\_mul\_digs no temporary mp\_int is required since the result is calculated directly in $\hat W$. |
|
|
2606 |
|
|
2607 The $O(n^2)$ loop on step four is where the Comba method's advantages begin to show through in comparison to the baseline algorithm. The lack of |
|
|
2608 a carry variable or propagation in this loop allows the loop to be performed with only single precision multiplication and additions. Now that each |
|
|
2609 iteration of the inner loop can be performed independent of the others the inner loop can be performed with a high level of parallelism. |
|
|
2610 |
|
|
2611 To measure the benefits of the Comba method over the baseline method consider the number of operations that are required. If the |
|
|
2612 cost in terms of time of a multiply and addition is $p$ and the cost of a carry propagation is $q$ then a baseline multiplication would require |
|
|
2613 $O \left ((p + q)n^2 \right )$ time to multiply two $n$-digit numbers. The Comba method requires only $O(pn^2 + qn)$ time, however in practice, |
|
|
2614 the speed increase is actually much more. With $O(n)$ space the algorithm can be reduced to $O(pn + qn)$ time by implementing the $n$ multiply |
|
|
2615 and addition operations in the nested loop in parallel. |
|
|
2616 |
|
|
2617 EXAM,bn_fast_s_mp_mul_digs.c |
|
|
2618 |
|
|
2619 The memset on line @47,memset@ clears the initial $\hat W$ array to zero in a single step. Like the slower baseline multiplication |
|
|
2620 implementation a series of aliases (\textit{lines @67, tmpx@, @70, tmpy@ and @75,_W@}) are used to simplify the inner $O(n^2)$ loop. |
|
|
2621 In this case a new alias $\_\hat W$ has been added which refers to the double precision columns offset by $ix$ in each pass. |
|
|
2622 |
|
|
2623 The inner loop on lines @83,for@, @84,mp_word@ and @85,}@ is where the algorithm will spend the majority of the time, which is why it has been |
|
|
2624 stripped to the bones of any extra baggage\footnote{Hence the pointer aliases.}. On x86 processors the multiplication and additions amount to at the |
|
|
2625 very least five instructions (\textit{two loads, two additions, one multiply}) while on the ARMv4 processors they amount to only three |
|
|
2626 (\textit{one load, one store, one multiply-add}). For both of the x86 and ARMv4 processors the GCC compiler performs a good job at unrolling the loop |
|
|
2627 and scheduling the instructions so there are very few dependency stalls. |
|
|
2628 |
|
|
2629 In theory the difference between the baseline and comba algorithms is a mere $O(qn)$ time difference. However, in the $O(n^2)$ nested loop of the |
|
|
2630 baseline method there are dependency stalls as the algorithm must wait for the multiplier to finish before propagating the carry to the next |
|
|
2631 digit. As a result fewer of the often multiple execution units\footnote{The AMD Athlon has three execution units and the Intel P4 has four.} can |
|
|
2632 be simultaneously used. |
|
|
2633 |
|
|
2634 \subsection{Polynomial Basis Multiplication} |
|
|
2635 To break the $O(n^2)$ barrier in multiplication requires a completely different look at integer multiplication. In the following algorithms |
|
|
2636 the use of polynomial basis representation for two integers $a$ and $b$ as $f(x) = \sum_{i=0}^{n} a_i x^i$ and |
|
|
2637 $g(x) = \sum_{i=0}^{n} b_i x^i$ respectively, is required. In this system both $f(x)$ and $g(x)$ have $n + 1$ terms and are of the $n$'th degree. |
|
|
2638 |
|
|
2639 The product $a \cdot b \equiv f(x)g(x)$ is the polynomial $W(x) = \sum_{i=0}^{2n} w_i x^i$. The coefficients $w_i$ will |
|
|
2640 directly yield the desired product when $\beta$ is substituted for $x$. The direct solution to solve for the $2n + 1$ coefficients |
|
|
2641 requires $O(n^2)$ time and would in practice be slower than the Comba technique. |
|
|
2642 |
|
|
2643 However, numerical analysis theory indicates that only $2n + 1$ distinct points in $W(x)$ are required to determine the values of the $2n + 1$ unknown |
|
|
2644 coefficients. This means by finding $\zeta_y = W(y)$ for $2n + 1$ small values of $y$ the coefficients of $W(x)$ can be found with |
|
|
2645 Gaussian elimination. This technique is also occasionally refered to as the \textit{interpolation technique} (\textit{references please...}) since in |
|
|
2646 effect an interpolation based on $2n + 1$ points will yield a polynomial equivalent to $W(x)$. |
|
|
2647 |
|
|
2648 The coefficients of the polynomial $W(x)$ are unknown which makes finding $W(y)$ for any value of $y$ impossible. However, since |
|
|
2649 $W(x) = f(x)g(x)$ the equivalent $\zeta_y = f(y) g(y)$ can be used in its place. The benefit of this technique stems from the |
|
|
2650 fact that $f(y)$ and $g(y)$ are much smaller than either $a$ or $b$ respectively. As a result finding the $2n + 1$ relations required |
|
|
2651 by multiplying $f(y)g(y)$ involves multiplying integers that are much smaller than either of the inputs. |
|
|
2652 |
|
|
2653 When picking points to gather relations there are always three obvious points to choose, $y = 0, 1$ and $ \infty$. The $\zeta_0$ term |
|
|
2654 is simply the product $W(0) = w_0 = a_0 \cdot b_0$. The $\zeta_1$ term is the product |
|
|
2655 $W(1) = \left (\sum_{i = 0}^{n} a_i \right ) \left (\sum_{i = 0}^{n} b_i \right )$. The third point $\zeta_{\infty}$ is less obvious but rather |
|
|
2656 simple to explain. The $2n + 1$'th coefficient of $W(x)$ is numerically equivalent to the most significant column in an integer multiplication. |
|
|
2657 The point at $\infty$ is used symbolically to represent the most significant column, that is $W(\infty) = w_{2n} = a_nb_n$. Note that the |
|
|
2658 points at $y = 0$ and $\infty$ yield the coefficients $w_0$ and $w_{2n}$ directly. |
|
|
2659 |
|
|
2660 If more points are required they should be of small values and powers of two such as $2^q$ and the related \textit{mirror points} |
|
|
2661 $\left (2^q \right )^{2n} \cdot \zeta_{2^{-q}}$ for small values of $q$. The term ``mirror point'' stems from the fact that |
|
|
2662 $\left (2^q \right )^{2n} \cdot \zeta_{2^{-q}}$ can be calculated in the exact opposite fashion as $\zeta_{2^q}$. For |
|
|
2663 example, when $n = 2$ and $q = 1$ then following two equations are equivalent to the point $\zeta_{2}$ and its mirror. |
|
|
2664 |
|
|
2665 \begin{eqnarray} |
|
|
2666 \zeta_{2} = f(2)g(2) = (4a_2 + 2a_1 + a_0)(4b_2 + 2b_1 + b_0) \nonumber \\ |
|
|
2667 16 \cdot \zeta_{1 \over 2} = 4f({1\over 2}) \cdot 4g({1 \over 2}) = (a_2 + 2a_1 + 4a_0)(b_2 + 2b_1 + 4b_0) |
|
|
2668 \end{eqnarray} |
|
|
2669 |
|
|
2670 Using such points will allow the values of $f(y)$ and $g(y)$ to be independently calculated using only left shifts. For example, when $n = 2$ the |
|
|
2671 polynomial $f(2^q)$ is equal to $2^q((2^qa_2) + a_1) + a_0$. This technique of polynomial representation is known as Horner's method. |
|
|
2672 |
|
|
2673 As a general rule of the algorithm when the inputs are split into $n$ parts each there are $2n - 1$ multiplications. Each multiplication is of |
|
|
2674 multiplicands that have $n$ times fewer digits than the inputs. The asymptotic running time of this algorithm is |
|
|
2675 $O \left ( k^{lg_n(2n - 1)} \right )$ for $k$ digit inputs (\textit{assuming they have the same number of digits}). Figure~\ref{fig:exponent} |
|
|
2676 summarizes the exponents for various values of $n$. |
|
|
2677 |
|
|
2678 \begin{figure} |
|
|
2679 \begin{center} |
|
|
2680 \begin{tabular}{|c|c|c|} |
|
|
2681 \hline \textbf{Split into $n$ Parts} & \textbf{Exponent} & \textbf{Notes}\\ |
|
|
2682 \hline $2$ & $1.584962501$ & This is Karatsuba Multiplication. \\ |
|
|
2683 \hline $3$ & $1.464973520$ & This is Toom-Cook Multiplication. \\ |
|
|
2684 \hline $4$ & $1.403677461$ &\\ |
|
|
2685 \hline $5$ & $1.365212389$ &\\ |
|
|
2686 \hline $10$ & $1.278753601$ &\\ |
|
|
2687 \hline $100$ & $1.149426538$ &\\ |
|
|
2688 \hline $1000$ & $1.100270931$ &\\ |
|
|
2689 \hline $10000$ & $1.075252070$ &\\ |
|
|
2690 \hline |
|
|
2691 \end{tabular} |
|
|
2692 \end{center} |
|
|
2693 \caption{Asymptotic Running Time of Polynomial Basis Multiplication} |
|
|
2694 \label{fig:exponent} |
|
|
2695 \end{figure} |
|
|
2696 |
|
|
2697 At first it may seem like a good idea to choose $n = 1000$ since the exponent is approximately $1.1$. However, the overhead |
|
|
2698 of solving for the 2001 terms of $W(x)$ will certainly consume any savings the algorithm could offer for all but exceedingly large |
|
|
2699 numbers. |
|
|
2700 |
|
|
2701 \subsubsection{Cutoff Point} |
|
|
2702 The polynomial basis multiplication algorithms all require fewer single precision multiplications than a straight Comba approach. However, |
|
|
2703 the algorithms incur an overhead (\textit{at the $O(n)$ work level}) since they require a system of equations to be solved. This makes the |
|
|
2704 polynomial basis approach more costly to use with small inputs. |
|
|
2705 |
|
|
2706 Let $m$ represent the number of digits in the multiplicands (\textit{assume both multiplicands have the same number of digits}). There exists a |
|
|
2707 point $y$ such that when $m < y$ the polynomial basis algorithms are more costly than Comba, when $m = y$ they are roughly the same cost and |
|
|
2708 when $m > y$ the Comba methods are slower than the polynomial basis algorithms. |
|
|
2709 |
|
|
2710 The exact location of $y$ depends on several key architectural elements of the computer platform in question. |
|
|
2711 |
|
|
2712 \begin{enumerate} |
|
|
2713 \item The ratio of clock cycles for single precision multiplication versus other simpler operations such as addition, shifting, etc. For example |
|
|
2714 on the AMD Athlon the ratio is roughly $17 : 1$ while on the Intel P4 it is $29 : 1$. The higher the ratio in favour of multiplication the lower |
|
|
2715 the cutoff point $y$ will be. |
|
|
2716 |
|
|
2717 \item The complexity of the linear system of equations (\textit{for the coefficients of $W(x)$}) is. Generally speaking as the number of splits |
|
|
2718 grows the complexity grows substantially. Ideally solving the system will only involve addition, subtraction and shifting of integers. This |
|
|
2719 directly reflects on the ratio previous mentioned. |
|
|
2720 |
|
|
2721 \item To a lesser extent memory bandwidth and function call overheads. Provided the values are in the processor cache this is less of an |
|
|
2722 influence over the cutoff point. |
|
|
2723 |
|
|
2724 \end{enumerate} |
|
|
2725 |
|
|
2726 A clean cutoff point separation occurs when a point $y$ is found such that all of the cutoff point conditions are met. For example, if the point |
|
|
2727 is too low then there will be values of $m$ such that $m > y$ and the Comba method is still faster. Finding the cutoff points is fairly simple when |
|
|
2728 a high resolution timer is available. |
|
|
2729 |
|
|
2730 \subsection{Karatsuba Multiplication} |
|
|
2731 Karatsuba \cite{KARA} multiplication when originally proposed in 1962 was among the first set of algorithms to break the $O(n^2)$ barrier for |
|
|
2732 general purpose multiplication. Given two polynomial basis representations $f(x) = ax + b$ and $g(x) = cx + d$, Karatsuba proved with |
|
|
2733 light algebra \cite{KARAP} that the following polynomial is equivalent to multiplication of the two integers the polynomials represent. |
|
|
2734 |
|
|
2735 \begin{equation} |
|
|
2736 f(x) \cdot g(x) = acx^2 + ((a - b)(c - d) - (ac + bd))x + bd |
|
|
2737 \end{equation} |
|
|
2738 |
|
|
2739 Using the observation that $ac$ and $bd$ could be re-used only three half sized multiplications would be required to produce the product. Applying |
|
|
2740 this algorithm recursively, the work factor becomes $O(n^{lg(3)})$ which is substantially better than the work factor $O(n^2)$ of the Comba technique. It turns |
|
|
2741 out what Karatsuba did not know or at least did not publish was that this is simply polynomial basis multiplication with the points |
|
|
2742 $\zeta_0$, $\zeta_{\infty}$ and $-\zeta_{-1}$. Consider the resultant system of equations. |
|
|
2743 |
|
|
2744 \begin{center} |
|
|
2745 \begin{tabular}{rcrcrcrc} |
|
|
2746 $\zeta_{0}$ & $=$ & & & & & $w_0$ \\ |
|
|
2747 $-\zeta_{-1}$ & $=$ & $-w_2$ & $+$ & $w_1$ & $-$ & $w_0$ \\ |
|
|
2748 $\zeta_{\infty}$ & $=$ & $w_2$ & & & & \\ |
|
|
2749 \end{tabular} |
|
|
2750 \end{center} |
|
|
2751 |
|
|
2752 By adding the first and last equation to the equation in the middle the term $w_1$ can be isolated and all three coefficients solved for. The simplicity |
|
|
2753 of this system of equations has made Karatsuba fairly popular. In fact the cutoff point is often fairly low\footnote{With LibTomMath 0.18 it is 70 and 109 digits for the Intel P4 and AMD Athlon respectively.} |
|
|
2754 making it an ideal algorithm to speed up certain public key cryptosystems such as RSA and Diffie-Hellman. It is worth noting that the point |
|
|
2755 $\zeta_1$ could be substituted for $-\zeta_{-1}$. In this case the first and third row are subtracted instead of added to the second row. |
|
|
2756 |
|
|
2757 \newpage\begin{figure}[!here] |
|
|
2758 \begin{small} |
|
|
2759 \begin{center} |
|
|
2760 \begin{tabular}{l} |
|
|
2761 \hline Algorithm \textbf{mp\_karatsuba\_mul}. \\ |
|
|
2762 \textbf{Input}. mp\_int $a$ and mp\_int $b$ \\ |
|
|
2763 \textbf{Output}. $c \leftarrow \vert a \vert \cdot \vert b \vert$ \\ |
|
|
2764 \hline \\ |
|
|
2765 1. Init the following mp\_int variables: $x0$, $x1$, $y0$, $y1$, $t1$, $x0y0$, $x1y1$.\\ |
|
|
2766 2. If step 2 failed then return(\textit{MP\_MEM}). \\ |
|
|
2767 \\ |
|
|
2768 Split the input. e.g. $a = x1 \cdot \beta^B + x0$ \\ |
|
|
2769 3. $B \leftarrow \mbox{min}(a.used, b.used)/2$ \\ |
|
|
2770 4. $x0 \leftarrow a \mbox{ (mod }\beta^B\mbox{)}$ (\textit{mp\_mod\_2d}) \\ |
|
|
2771 5. $y0 \leftarrow b \mbox{ (mod }\beta^B\mbox{)}$ \\ |
|
|
2772 6. $x1 \leftarrow \lfloor a / \beta^B \rfloor$ (\textit{mp\_rshd}) \\ |
|
|
2773 7. $y1 \leftarrow \lfloor b / \beta^B \rfloor$ \\ |
|
|
2774 \\ |
|
|
2775 Calculate the three products. \\ |
|
|
2776 8. $x0y0 \leftarrow x0 \cdot y0$ (\textit{mp\_mul}) \\ |
|
|
2777 9. $x1y1 \leftarrow x1 \cdot y1$ \\ |
|
|
2778 10. $t1 \leftarrow x1 - x0$ (\textit{mp\_sub}) \\ |
|
|
2779 11. $x0 \leftarrow y1 - y0$ \\ |
|
|
2780 12. $t1 \leftarrow t1 \cdot x0$ \\ |
|
|
2781 \\ |
|
|
2782 Calculate the middle term. \\ |
|
|
2783 13. $x0 \leftarrow x0y0 + x1y1$ \\ |
|
|
2784 14. $t1 \leftarrow x0 - t1$ \\ |
|
|
2785 \\ |
|
|
2786 Calculate the final product. \\ |
|
|
2787 15. $t1 \leftarrow t1 \cdot \beta^B$ (\textit{mp\_lshd}) \\ |
|
|
2788 16. $x1y1 \leftarrow x1y1 \cdot \beta^{2B}$ \\ |
|
|
2789 17. $t1 \leftarrow x0y0 + t1$ \\ |
|
|
2790 18. $c \leftarrow t1 + x1y1$ \\ |
|
|
2791 19. Clear all of the temporary variables. \\ |
|
|
2792 20. Return(\textit{MP\_OKAY}).\\ |
|
|
2793 \hline |
|
|
2794 \end{tabular} |
|
|
2795 \end{center} |
|
|
2796 \end{small} |
|
|
2797 \caption{Algorithm mp\_karatsuba\_mul} |
|
|
2798 \end{figure} |
|
|
2799 |
|
|
2800 \textbf{Algorithm mp\_karatsuba\_mul.} |
|
|
2801 This algorithm computes the unsigned product of two inputs using the Karatsuba multiplication algorithm. It is loosely based on the description |
|
|
2802 from Knuth \cite[pp. 294-295]{TAOCPV2}. |
|
|
2803 |
|
|
2804 \index{radix point} |
|
|
2805 In order to split the two inputs into their respective halves, a suitable \textit{radix point} must be chosen. The radix point chosen must |
|
|
2806 be used for both of the inputs meaning that it must be smaller than the smallest input. Step 3 chooses the radix point $B$ as half of the |
|
|
2807 smallest input \textbf{used} count. After the radix point is chosen the inputs are split into lower and upper halves. Step 4 and 5 |
|
|
2808 compute the lower halves. Step 6 and 7 computer the upper halves. |
|
|
2809 |
|
|
2810 After the halves have been computed the three intermediate half-size products must be computed. Step 8 and 9 compute the trivial products |
|
|
2811 $x0 \cdot y0$ and $x1 \cdot y1$. The mp\_int $x0$ is used as a temporary variable after $x1 - x0$ has been computed. By using $x0$ instead |
|
|
2812 of an additional temporary variable, the algorithm can avoid an addition memory allocation operation. |
|
|
2813 |
|
|
2814 The remaining steps 13 through 18 compute the Karatsuba polynomial through a variety of digit shifting and addition operations. |
|
|
2815 |
|
|
2816 EXAM,bn_mp_karatsuba_mul.c |
|
|
2817 |
|
|
2818 The new coding element in this routine, not seen in previous routines, is the usage of goto statements. The conventional |
|
|
2819 wisdom is that goto statements should be avoided. This is generally true, however when every single function call can fail, it makes sense |
|
|
2820 to handle error recovery with a single piece of code. Lines @61,if@ to @75,if@ handle initializing all of the temporary variables |
|
|
2821 required. Note how each of the if statements goes to a different label in case of failure. This allows the routine to correctly free only |
|
|
2822 the temporaries that have been successfully allocated so far. |
|
|
2823 |
|
|
2824 The temporary variables are all initialized using the mp\_init\_size routine since they are expected to be large. This saves the |
|
|
2825 additional reallocation that would have been necessary. Also $x0$, $x1$, $y0$ and $y1$ have to be able to hold at least their respective |
|
|
2826 number of digits for the next section of code. |
|
|
2827 |
|
|
2828 The first algebraic portion of the algorithm is to split the two inputs into their halves. However, instead of using mp\_mod\_2d and mp\_rshd |
|
|
2829 to extract the halves, the respective code has been placed inline within the body of the function. To initialize the halves, the \textbf{used} and |
|
|
2830 \textbf{sign} members are copied first. The first for loop on line @98,for@ copies the lower halves. Since they are both the same magnitude it |
|
|
2831 is simpler to calculate both lower halves in a single loop. The for loop on lines @104,for@ and @109,for@ calculate the upper halves $x1$ and |
|
|
2832 $y1$ respectively. |
|
|
2833 |
|
|
2834 By inlining the calculation of the halves, the Karatsuba multiplier has a slightly lower overhead and can be used for smaller magnitude inputs. |
|
|
2835 |
|
|
2836 When line @152,err@ is reached, the algorithm has completed succesfully. The ``error status'' variable $err$ is set to \textbf{MP\_OKAY} so that |
|
|
2837 the same code that handles errors can be used to clear the temporary variables and return. |
|
|
2838 |
|
|
2839 \subsection{Toom-Cook $3$-Way Multiplication} |
|
|
2840 Toom-Cook $3$-Way \cite{TOOM} multiplication is essentially the polynomial basis algorithm for $n = 2$ except that the points are |
|
|
2841 chosen such that $\zeta$ is easy to compute and the resulting system of equations easy to reduce. Here, the points $\zeta_{0}$, |
|
|
2842 $16 \cdot \zeta_{1 \over 2}$, $\zeta_1$, $\zeta_2$ and $\zeta_{\infty}$ make up the five required points to solve for the coefficients |
|
|
2843 of the $W(x)$. |
|
|
2844 |
|
|
2845 With the five relations that Toom-Cook specifies, the following system of equations is formed. |
|
|
2846 |
|
|
2847 \begin{center} |
|
|
2848 \begin{tabular}{rcrcrcrcrcr} |
|
|
2849 $\zeta_0$ & $=$ & $0w_4$ & $+$ & $0w_3$ & $+$ & $0w_2$ & $+$ & $0w_1$ & $+$ & $1w_0$ \\ |
|
|
2850 $16 \cdot \zeta_{1 \over 2}$ & $=$ & $1w_4$ & $+$ & $2w_3$ & $+$ & $4w_2$ & $+$ & $8w_1$ & $+$ & $16w_0$ \\ |
|
|
2851 $\zeta_1$ & $=$ & $1w_4$ & $+$ & $1w_3$ & $+$ & $1w_2$ & $+$ & $1w_1$ & $+$ & $1w_0$ \\ |
|
|
2852 $\zeta_2$ & $=$ & $16w_4$ & $+$ & $8w_3$ & $+$ & $4w_2$ & $+$ & $2w_1$ & $+$ & $1w_0$ \\ |
|
|
2853 $\zeta_{\infty}$ & $=$ & $1w_4$ & $+$ & $0w_3$ & $+$ & $0w_2$ & $+$ & $0w_1$ & $+$ & $0w_0$ \\ |
|
|
2854 \end{tabular} |
|
|
2855 \end{center} |
|
|
2856 |
|
|
2857 A trivial solution to this matrix requires $12$ subtractions, two multiplications by a small power of two, two divisions by a small power |
|
|
2858 of two, two divisions by three and one multiplication by three. All of these $19$ sub-operations require less than quadratic time, meaning that |
|
|
2859 the algorithm can be faster than a baseline multiplication. However, the greater complexity of this algorithm places the cutoff point |
|
|
2860 (\textbf{TOOM\_MUL\_CUTOFF}) where Toom-Cook becomes more efficient much higher than the Karatsuba cutoff point. |
|
|
2861 |
|
|
2862 \begin{figure}[!here] |
|
|
2863 \begin{small} |
|
|
2864 \begin{center} |
|
|
2865 \begin{tabular}{l} |
|
|
2866 \hline Algorithm \textbf{mp\_toom\_mul}. \\ |
|
|
2867 \textbf{Input}. mp\_int $a$ and mp\_int $b$ \\ |
|
|
2868 \textbf{Output}. $c \leftarrow a \cdot b $ \\ |
|
|
2869 \hline \\ |
|
|
2870 Split $a$ and $b$ into three pieces. E.g. $a = a_2 \beta^{2k} + a_1 \beta^{k} + a_0$ \\ |
|
|
2871 1. $k \leftarrow \lfloor \mbox{min}(a.used, b.used) / 3 \rfloor$ \\ |
|
|
2872 2. $a_0 \leftarrow a \mbox{ (mod }\beta^{k}\mbox{)}$ \\ |
|
|
2873 3. $a_1 \leftarrow \lfloor a / \beta^k \rfloor$, $a_1 \leftarrow a_1 \mbox{ (mod }\beta^{k}\mbox{)}$ \\ |
|
|
2874 4. $a_2 \leftarrow \lfloor a / \beta^{2k} \rfloor$, $a_2 \leftarrow a_2 \mbox{ (mod }\beta^{k}\mbox{)}$ \\ |
|
|
2875 5. $b_0 \leftarrow a \mbox{ (mod }\beta^{k}\mbox{)}$ \\ |
|
|
2876 6. $b_1 \leftarrow \lfloor a / \beta^k \rfloor$, $b_1 \leftarrow b_1 \mbox{ (mod }\beta^{k}\mbox{)}$ \\ |
|
|
2877 7. $b_2 \leftarrow \lfloor a / \beta^{2k} \rfloor$, $b_2 \leftarrow b_2 \mbox{ (mod }\beta^{k}\mbox{)}$ \\ |
|
|
2878 \\ |
|
|
2879 Find the five equations for $w_0, w_1, ..., w_4$. \\ |
|
|
2880 8. $w_0 \leftarrow a_0 \cdot b_0$ \\ |
|
|
2881 9. $w_4 \leftarrow a_2 \cdot b_2$ \\ |
|
|
2882 10. $tmp_1 \leftarrow 2 \cdot a_0$, $tmp_1 \leftarrow a_1 + tmp_1$, $tmp_1 \leftarrow 2 \cdot tmp_1$, $tmp_1 \leftarrow tmp_1 + a_2$ \\ |
|
|
2883 11. $tmp_2 \leftarrow 2 \cdot b_0$, $tmp_2 \leftarrow b_1 + tmp_2$, $tmp_2 \leftarrow 2 \cdot tmp_2$, $tmp_2 \leftarrow tmp_2 + b_2$ \\ |
|
|
2884 12. $w_1 \leftarrow tmp_1 \cdot tmp_2$ \\ |
|
|
2885 13. $tmp_1 \leftarrow 2 \cdot a_2$, $tmp_1 \leftarrow a_1 + tmp_1$, $tmp_1 \leftarrow 2 \cdot tmp_1$, $tmp_1 \leftarrow tmp_1 + a_0$ \\ |
|
|
2886 14. $tmp_2 \leftarrow 2 \cdot b_2$, $tmp_2 \leftarrow b_1 + tmp_2$, $tmp_2 \leftarrow 2 \cdot tmp_2$, $tmp_2 \leftarrow tmp_2 + b_0$ \\ |
|
|
2887 15. $w_3 \leftarrow tmp_1 \cdot tmp_2$ \\ |
|
|
2888 16. $tmp_1 \leftarrow a_0 + a_1$, $tmp_1 \leftarrow tmp_1 + a_2$, $tmp_2 \leftarrow b_0 + b_1$, $tmp_2 \leftarrow tmp_2 + b_2$ \\ |
|
|
2889 17. $w_2 \leftarrow tmp_1 \cdot tmp_2$ \\ |
|
|
2890 \\ |
|
|
2891 Continued on the next page.\\ |
|
|
2892 \hline |
|
|
2893 \end{tabular} |
|
|
2894 \end{center} |
|
|
2895 \end{small} |
|
|
2896 \caption{Algorithm mp\_toom\_mul} |
|
|
2897 \end{figure} |
|
|
2898 |
|
|
2899 \newpage\begin{figure}[!here] |
|
|
2900 \begin{small} |
|
|
2901 \begin{center} |
|
|
2902 \begin{tabular}{l} |
|
|
2903 \hline Algorithm \textbf{mp\_toom\_mul} (continued). \\ |
|
|
2904 \textbf{Input}. mp\_int $a$ and mp\_int $b$ \\ |
|
|
2905 \textbf{Output}. $c \leftarrow a \cdot b $ \\ |
|
|
2906 \hline \\ |
|
|
2907 Now solve the system of equations. \\ |
|
|
2908 18. $w_1 \leftarrow w_4 - w_1$, $w_3 \leftarrow w_3 - w_0$ \\ |
|
|
2909 19. $w_1 \leftarrow \lfloor w_1 / 2 \rfloor$, $w_3 \leftarrow \lfloor w_3 / 2 \rfloor$ \\ |
|
|
2910 20. $w_2 \leftarrow w_2 - w_0$, $w_2 \leftarrow w_2 - w_4$ \\ |
|
|
2911 21. $w_1 \leftarrow w_1 - w_2$, $w_3 \leftarrow w_3 - w_2$ \\ |
|
|
2912 22. $tmp_1 \leftarrow 8 \cdot w_0$, $w_1 \leftarrow w_1 - tmp_1$, $tmp_1 \leftarrow 8 \cdot w_4$, $w_3 \leftarrow w_3 - tmp_1$ \\ |
|
|
2913 23. $w_2 \leftarrow 3 \cdot w_2$, $w_2 \leftarrow w_2 - w_1$, $w_2 \leftarrow w_2 - w_3$ \\ |
|
|
2914 24. $w_1 \leftarrow w_1 - w_2$, $w_3 \leftarrow w_3 - w_2$ \\ |
|
|
2915 25. $w_1 \leftarrow \lfloor w_1 / 3 \rfloor, w_3 \leftarrow \lfloor w_3 / 3 \rfloor$ \\ |
|
|
2916 \\ |
|
|
2917 Now substitute $\beta^k$ for $x$ by shifting $w_0, w_1, ..., w_4$. \\ |
|
|
2918 26. for $n$ from $1$ to $4$ do \\ |
|
|
2919 \hspace{3mm}26.1 $w_n \leftarrow w_n \cdot \beta^{nk}$ \\ |
|
|
2920 27. $c \leftarrow w_0 + w_1$, $c \leftarrow c + w_2$, $c \leftarrow c + w_3$, $c \leftarrow c + w_4$ \\ |
|
|
2921 28. Return(\textit{MP\_OKAY}) \\ |
|
|
2922 \hline |
|
|
2923 \end{tabular} |
|
|
2924 \end{center} |
|
|
2925 \end{small} |
|
|
2926 \caption{Algorithm mp\_toom\_mul (continued)} |
|
|
2927 \end{figure} |
|
|
2928 |
|
|
2929 \textbf{Algorithm mp\_toom\_mul.} |
|
|
2930 This algorithm computes the product of two mp\_int variables $a$ and $b$ using the Toom-Cook approach. Compared to the Karatsuba multiplication, this |
|
|
2931 algorithm has a lower asymptotic running time of approximately $O(n^{1.464})$ but at an obvious cost in overhead. In this |
|
|
2932 description, several statements have been compounded to save space. The intention is that the statements are executed from left to right across |
|
|
2933 any given step. |
|
|
2934 |
|
|
2935 The two inputs $a$ and $b$ are first split into three $k$-digit integers $a_0, a_1, a_2$ and $b_0, b_1, b_2$ respectively. From these smaller |
|
|
2936 integers the coefficients of the polynomial basis representations $f(x)$ and $g(x)$ are known and can be used to find the relations required. |
|
|
2937 |
|
|
2938 The first two relations $w_0$ and $w_4$ are the points $\zeta_{0}$ and $\zeta_{\infty}$ respectively. The relation $w_1, w_2$ and $w_3$ correspond |
|
|
2939 to the points $16 \cdot \zeta_{1 \over 2}, \zeta_{2}$ and $\zeta_{1}$ respectively. These are found using logical shifts to independently find |
|
|
2940 $f(y)$ and $g(y)$ which significantly speeds up the algorithm. |
|
|
2941 |
|
|
2942 After the five relations $w_0, w_1, \ldots, w_4$ have been computed, the system they represent must be solved in order for the unknown coefficients |
|
|
2943 $w_1, w_2$ and $w_3$ to be isolated. The steps 18 through 25 perform the system reduction required as previously described. Each step of |
|
|
2944 the reduction represents the comparable matrix operation that would be performed had this been performed by pencil. For example, step 18 indicates |
|
|
2945 that row $1$ must be subtracted from row $4$ and simultaneously row $0$ subtracted from row $3$. |
|
|
2946 |
|
|
2947 Once the coeffients have been isolated, the polynomial $W(x) = \sum_{i=0}^{2n} w_i x^i$ is known. By substituting $\beta^{k}$ for $x$, the integer |
|
|
2948 result $a \cdot b$ is produced. |
|
|
2949 |
|
|
2950 EXAM,bn_mp_toom_mul.c |
|
|
2951 |
|
|
2952 -- Comments to be added during editing phase. |
|
|
2953 |
|
|
2954 \subsection{Signed Multiplication} |
|
|
2955 Now that algorithms to handle multiplications of every useful dimensions have been developed, a rather simple finishing touch is required. So far all |
|
|
2956 of the multiplication algorithms have been unsigned multiplications which leaves only a signed multiplication algorithm to be established. |
|
|
2957 |
|
|
2958 \newpage\begin{figure}[!here] |
|
|
2959 \begin{small} |
|
|
2960 \begin{center} |
|
|
2961 \begin{tabular}{l} |
|
|
2962 \hline Algorithm \textbf{mp\_mul}. \\ |
|
|
2963 \textbf{Input}. mp\_int $a$ and mp\_int $b$ \\ |
|
|
2964 \textbf{Output}. $c \leftarrow a \cdot b$ \\ |
|
|
2965 \hline \\ |
|
|
2966 1. If $a.sign = b.sign$ then \\ |
|
|
2967 \hspace{3mm}1.1 $sign = MP\_ZPOS$ \\ |
|
|
2968 2. else \\ |
|
|
2969 \hspace{3mm}2.1 $sign = MP\_ZNEG$ \\ |
|
|
2970 3. If min$(a.used, b.used) \ge TOOM\_MUL\_CUTOFF$ then \\ |
|
|
2971 \hspace{3mm}3.1 $c \leftarrow a \cdot b$ using algorithm mp\_toom\_mul \\ |
|
|
2972 4. else if min$(a.used, b.used) \ge KARATSUBA\_MUL\_CUTOFF$ then \\ |
|
|
2973 \hspace{3mm}4.1 $c \leftarrow a \cdot b$ using algorithm mp\_karatsuba\_mul \\ |
|
|
2974 5. else \\ |
|
|
2975 \hspace{3mm}5.1 $digs \leftarrow a.used + b.used + 1$ \\ |
|
|
2976 \hspace{3mm}5.2 If $digs < MP\_ARRAY$ and min$(a.used, b.used) \le \delta$ then \\ |
|
|
2977 \hspace{6mm}5.2.1 $c \leftarrow a \cdot b \mbox{ (mod }\beta^{digs}\mbox{)}$ using algorithm fast\_s\_mp\_mul\_digs. \\ |
|
|
2978 \hspace{3mm}5.3 else \\ |
|
|
2979 \hspace{6mm}5.3.1 $c \leftarrow a \cdot b \mbox{ (mod }\beta^{digs}\mbox{)}$ using algorithm s\_mp\_mul\_digs. \\ |
|
|
2980 6. $c.sign \leftarrow sign$ \\ |
|
|
2981 7. Return the result of the unsigned multiplication performed. \\ |
|
|
2982 \hline |
|
|
2983 \end{tabular} |
|
|
2984 \end{center} |
|
|
2985 \end{small} |
|
|
2986 \caption{Algorithm mp\_mul} |
|
|
2987 \end{figure} |
|
|
2988 |
|
|
2989 \textbf{Algorithm mp\_mul.} |
|
|
2990 This algorithm performs the signed multiplication of two inputs. It will make use of any of the three unsigned multiplication algorithms |
|
|
2991 available when the input is of appropriate size. The \textbf{sign} of the result is not set until the end of the algorithm since algorithm |
|
|
2992 s\_mp\_mul\_digs will clear it. |
|
|
2993 |
|
|
2994 EXAM,bn_mp_mul.c |
|
|
2995 |
|
|
2996 The implementation is rather simplistic and is not particularly noteworthy. Line @22,?@ computes the sign of the result using the ``?'' |
|
|
2997 operator from the C programming language. Line @37,<<@ computes $\delta$ using the fact that $1 << k$ is equal to $2^k$. |
|
|
2998 |
|
|
2999 \section{Squaring} |
|
|
3000 \label{sec:basesquare} |
|
|
3001 |
|
|
3002 Squaring is a special case of multiplication where both multiplicands are equal. At first it may seem like there is no significant optimization |
|
|
3003 available but in fact there is. Consider the multiplication of $576$ against $241$. In total there will be nine single precision multiplications |
|
|
3004 performed which are $1\cdot 6$, $1 \cdot 7$, $1 \cdot 5$, $4 \cdot 6$, $4 \cdot 7$, $4 \cdot 5$, $2 \cdot 6$, $2 \cdot 7$ and $2 \cdot 5$. Now consider |
|
|
3005 the multiplication of $123$ against $123$. The nine products are $3 \cdot 3$, $3 \cdot 2$, $3 \cdot 1$, $2 \cdot 3$, $2 \cdot 2$, $2 \cdot 1$, |
|
|
3006 $1 \cdot 3$, $1 \cdot 2$ and $1 \cdot 1$. On closer inspection some of the products are equivalent. For example, $3 \cdot 2 = 2 \cdot 3$ |
|
|
3007 and $3 \cdot 1 = 1 \cdot 3$. |
|
|
3008 |
|
|
3009 For any $n$-digit input, there are ${{\left (n^2 + n \right)}\over 2}$ possible unique single precision multiplications required compared to the $n^2$ |
|
|
3010 required for multiplication. The following diagram gives an example of the operations required. |
|
|
3011 |
|
|
3012 \begin{figure}[here] |
|
|
3013 \begin{center} |
|
|
3014 \begin{tabular}{ccccc|c} |
|
|
3015 &&1&2&3&\\ |
|
|
3016 $\times$ &&1&2&3&\\ |
|
|
3017 \hline && $3 \cdot 1$ & $3 \cdot 2$ & $3 \cdot 3$ & Row 0\\ |
|
|
3018 & $2 \cdot 1$ & $2 \cdot 2$ & $2 \cdot 3$ && Row 1 \\ |
|
|
3019 $1 \cdot 1$ & $1 \cdot 2$ & $1 \cdot 3$ &&& Row 2 \\ |
|
|
3020 \end{tabular} |
|
|
3021 \end{center} |
|
|
3022 \caption{Squaring Optimization Diagram} |
|
|
3023 \end{figure} |
|
|
3024 |
|
|
3025 MARK,SQUARE |
|
|
3026 Starting from zero and numbering the columns from right to left a very simple pattern becomes obvious. For the purposes of this discussion let $x$ |
|
|
3027 represent the number being squared. The first observation is that in row $k$ the $2k$'th column of the product has a $\left (x_k \right)^2$ term in it. |
|
|
3028 |
|
|
3029 The second observation is that every column $j$ in row $k$ where $j \ne 2k$ is part of a double product. Every non-square term of a column will |
|
|
3030 appear twice hence the name ``double product''. Every odd column is made up entirely of double products. In fact every column is made up of double |
|
|
3031 products and at most one square (\textit{see the exercise section}). |
|
|
3032 |
|
|
3033 The third and final observation is that for row $k$ the first unique non-square term, that is, one that hasn't already appeared in an earlier row, |
|
|
3034 occurs at column $2k + 1$. For example, on row $1$ of the previous squaring, column one is part of the double product with column one from row zero. |
|
|
3035 Column two of row one is a square and column three is the first unique column. |
|
|
3036 |
|
|
3037 \subsection{The Baseline Squaring Algorithm} |
|
|
3038 The baseline squaring algorithm is meant to be a catch-all squaring algorithm. It will handle any of the input sizes that the faster routines |
|
|
3039 will not handle. |
|
|
3040 |
|
|
3041 \newpage\begin{figure}[!here] |
|
|
3042 \begin{small} |
|
|
3043 \begin{center} |
|
|
3044 \begin{tabular}{l} |
|
|
3045 \hline Algorithm \textbf{s\_mp\_sqr}. \\ |
|
|
3046 \textbf{Input}. mp\_int $a$ \\ |
|
|
3047 \textbf{Output}. $b \leftarrow a^2$ \\ |
|
|
3048 \hline \\ |
|
|
3049 1. Init a temporary mp\_int of at least $2 \cdot a.used +1$ digits. (\textit{mp\_init\_size}) \\ |
|
|
3050 2. If step 1 failed return(\textit{MP\_MEM}) \\ |
|
|
3051 3. $t.used \leftarrow 2 \cdot a.used + 1$ \\ |
|
|
3052 4. For $ix$ from 0 to $a.used - 1$ do \\ |
|
|
3053 \hspace{3mm}Calculate the square. \\ |
|
|
3054 \hspace{3mm}4.1 $\hat r \leftarrow t_{2ix} + \left (a_{ix} \right )^2$ \\ |
|
|
3055 \hspace{3mm}4.2 $t_{2ix} \leftarrow \hat r \mbox{ (mod }\beta\mbox{)}$ \\ |
|
|
3056 \hspace{3mm}Calculate the double products after the square. \\ |
|
|
3057 \hspace{3mm}4.3 $u \leftarrow \lfloor \hat r / \beta \rfloor$ \\ |
|
|
3058 \hspace{3mm}4.4 For $iy$ from $ix + 1$ to $a.used - 1$ do \\ |
|
|
3059 \hspace{6mm}4.4.1 $\hat r \leftarrow 2 \cdot a_{ix}a_{iy} + t_{ix + iy} + u$ \\ |
|
|
3060 \hspace{6mm}4.4.2 $t_{ix + iy} \leftarrow \hat r \mbox{ (mod }\beta\mbox{)}$ \\ |
|
|
3061 \hspace{6mm}4.4.3 $u \leftarrow \lfloor \hat r / \beta \rfloor$ \\ |
|
|
3062 \hspace{3mm}Set the last carry. \\ |
|
|
3063 \hspace{3mm}4.5 While $u > 0$ do \\ |
|
|
3064 \hspace{6mm}4.5.1 $iy \leftarrow iy + 1$ \\ |
|
|
3065 \hspace{6mm}4.5.2 $\hat r \leftarrow t_{ix + iy} + u$ \\ |
|
|
3066 \hspace{6mm}4.5.3 $t_{ix + iy} \leftarrow \hat r \mbox{ (mod }\beta\mbox{)}$ \\ |
|
|
3067 \hspace{6mm}4.5.4 $u \leftarrow \lfloor \hat r / \beta \rfloor$ \\ |
|
|
3068 5. Clamp excess digits of $t$. (\textit{mp\_clamp}) \\ |
|
|
3069 6. Exchange $b$ and $t$. \\ |
|
|
3070 7. Clear $t$ (\textit{mp\_clear}) \\ |
|
|
3071 8. Return(\textit{MP\_OKAY}) \\ |
|
|
3072 \hline |
|
|
3073 \end{tabular} |
|
|
3074 \end{center} |
|
|
3075 \end{small} |
|
|
3076 \caption{Algorithm s\_mp\_sqr} |
|
|
3077 \end{figure} |
|
|
3078 |
|
|
3079 \textbf{Algorithm s\_mp\_sqr.} |
|
|
3080 This algorithm computes the square of an input using the three observations on squaring. It is based fairly faithfully on algorithm 14.16 of HAC |
|
|
3081 \cite[pp.596-597]{HAC}. Similar to algorithm s\_mp\_mul\_digs, a temporary mp\_int is allocated to hold the result of the squaring. This allows the |
|
|
3082 destination mp\_int to be the same as the source mp\_int. |
|
|
3083 |
|
|
3084 The outer loop of this algorithm begins on step 4. It is best to think of the outer loop as walking down the rows of the partial results, while |
|
|
3085 the inner loop computes the columns of the partial result. Step 4.1 and 4.2 compute the square term for each row, and step 4.3 and 4.4 propagate |
|
|
3086 the carry and compute the double products. |
|
|
3087 |
|
|
3088 The requirement that a mp\_word be able to represent the range $0 \le x < 2 \beta^2$ arises from this |
|
|
3089 very algorithm. The product $a_{ix}a_{iy}$ will lie in the range $0 \le x \le \beta^2 - 2\beta + 1$ which is obviously less than $\beta^2$ meaning that |
|
|
3090 when it is multiplied by two, it can be properly represented by a mp\_word. |
|
|
3091 |
|
|
3092 Similar to algorithm s\_mp\_mul\_digs, after every pass of the inner loop, the destination is correctly set to the sum of all of the partial |
|
|
3093 results calculated so far. This involves expensive carry propagation which will be eliminated in the next algorithm. |
|
|
3094 |
|
|
3095 EXAM,bn_s_mp_sqr.c |
|
|
3096 |
|
|
3097 Inside the outer loop (\textit{see line @32,for@}) the square term is calculated on line @35,r =@. Line @42,>>@ extracts the carry from the square |
|
|
3098 term. Aliases for $a_{ix}$ and $t_{ix+iy}$ are initialized on lines @45,tmpx@ and @48,tmpt@ respectively. The doubling is performed using two |
|
|
3099 additions (\textit{see line @57,r + r@}) since it is usually faster than shifting,if not at least as fast. |
|
|
3100 |
|
|
3101 \subsection{Faster Squaring by the ``Comba'' Method} |
|
|
3102 A major drawback to the baseline method is the requirement for single precision shifting inside the $O(n^2)$ nested loop. Squaring has an additional |
|
|
3103 drawback that it must double the product inside the inner loop as well. As for multiplication, the Comba technique can be used to eliminate these |
|
|
3104 performance hazards. |
|
|
3105 |
|
|
3106 The first obvious solution is to make an array of mp\_words which will hold all of the columns. This will indeed eliminate all of the carry |
|
|
3107 propagation operations from the inner loop. However, the inner product must still be doubled $O(n^2)$ times. The solution stems from the simple fact |
|
|
3108 that $2a + 2b + 2c = 2(a + b + c)$. That is the sum of all of the double products is equal to double the sum of all the products. For example, |
|
|
3109 $ab + ba + ac + ca = 2ab + 2ac = 2(ab + ac)$. |
|
|
3110 |
|
|
3111 However, we cannot simply double all of the columns, since the squares appear only once per row. The most practical solution is to have two mp\_word |
|
|
3112 arrays. One array will hold the squares and the other array will hold the double products. With both arrays the doubling and carry propagation can be |
|
|
3113 moved to a $O(n)$ work level outside the $O(n^2)$ level. |
|
|
3114 |
|
|
3115 \newpage\begin{figure}[!here] |
|
|
3116 \begin{small} |
|
|
3117 \begin{center} |
|
|
3118 \begin{tabular}{l} |
|
|
3119 \hline Algorithm \textbf{fast\_s\_mp\_sqr}. \\ |
|
|
3120 \textbf{Input}. mp\_int $a$ \\ |
|
|
3121 \textbf{Output}. $b \leftarrow a^2$ \\ |
|
|
3122 \hline \\ |
|
|
3123 Place two arrays of \textbf{MP\_WARRAY} mp\_words named $\hat W$ and $\hat {X}$ on the stack. \\ |
|
|
3124 1. If $b.alloc < 2a.used + 1$ then grow $b$ to $2a.used + 1$ digits. (\textit{mp\_grow}). \\ |
|
|
3125 2. If step 1 failed return(\textit{MP\_MEM}). \\ |
|
|
3126 3. for $ix$ from $0$ to $2a.used + 1$ do \\ |
|
|
3127 \hspace{3mm}3.1 $\hat W_{ix} \leftarrow 0$ \\ |
|
|
3128 \hspace{3mm}3.2 $\hat {X}_{ix} \leftarrow 0$ \\ |
|
|
3129 4. for $ix$ from $0$ to $a.used - 1$ do \\ |
|
|
3130 \hspace{3mm}Compute the square.\\ |
|
|
3131 \hspace{3mm}4.1 $\hat {X}_{ix+ix} \leftarrow \left ( a_{ix} \right )^2$ \\ |
|
|
3132 \\ |
|
|
3133 \hspace{3mm}Compute the double products.\\ |
|
|
3134 \hspace{3mm}4.2 for $iy$ from $ix + 1$ to $a.used - 1$ do \\ |
|
|
3135 \hspace{6mm}4.2.1 $\hat W_{ix+iy} \leftarrow \hat W_{ix+iy} + a_{ix}a_{iy}$ \\ |
|
|
3136 5. $oldused \leftarrow b.used$ \\ |
|
|
3137 6. $b.used \leftarrow 2a.used + 1$ \\ |
|
|
3138 \\ |
|
|
3139 Double the products and propagate the carries simultaneously. \\ |
|
|
3140 7. $\hat W_0 \leftarrow 2 \hat W_0 + \hat {X}_0$ \\ |
|
|
3141 8. for $ix$ from $1$ to $2a.used$ do \\ |
|
|
3142 \hspace{3mm}8.1 $\hat W_{ix} \leftarrow 2 \hat W_{ix} + \hat {X}_{ix}$ \\ |
|
|
3143 \hspace{3mm}8.2 $\hat W_{ix} \leftarrow \hat W_{ix} + \lfloor \hat W_{ix - 1} / \beta \rfloor$ \\ |
|
|
3144 \hspace{3mm}8.3 $b_{ix-1} \leftarrow W_{ix-1} \mbox{ (mod }\beta\mbox{)}$ \\ |
|
|
3145 9. $b_{2a.used} \leftarrow \hat W_{2a.used} \mbox{ (mod }\beta\mbox{)}$ \\ |
|
|
3146 10. if $2a.used + 1 < oldused$ then do \\ |
|
|
3147 \hspace{3mm}10.1 for $ix$ from $2a.used + 1$ to $oldused$ do \\ |
|
|
3148 \hspace{6mm}10.1.1 $b_{ix} \leftarrow 0$ \\ |
|
|
3149 11. Clamp excess digits from $b$. (\textit{mp\_clamp}) \\ |
|
|
3150 12. Return(\textit{MP\_OKAY}). \\ |
|
|
3151 \hline |
|
|
3152 \end{tabular} |
|
|
3153 \end{center} |
|
|
3154 \end{small} |
|
|
3155 \caption{Algorithm fast\_s\_mp\_sqr} |
|
|
3156 \end{figure} |
|
|
3157 |
|
|
3158 \textbf{Algorithm fast\_s\_mp\_sqr.} |
|
|
3159 This algorithm computes the square of an input using the Comba technique. It is designed to be a replacement for algorithm s\_mp\_sqr when |
|
|
3160 the number of input digits is less than \textbf{MP\_WARRAY} and less than $\delta \over 2$. |
|
|
3161 |
|
|
3162 This routine requires two arrays of mp\_words to be placed on the stack. The first array $\hat W$ will hold the double products and the second |
|
|
3163 array $\hat X$ will hold the squares. Though only at most $MP\_WARRAY \over 2$ words of $\hat X$ are used, it has proven faster on most |
|
|
3164 processors to simply make it a full size array. |
|
|
3165 |
|
|
3166 The loop on step 3 will zero the two arrays to prepare them for the squaring step. Step 4.1 computes the squares of the product. Note how |
|
|
3167 it simply assigns the value into the $\hat X$ array. The nested loop on step 4.2 computes the doubles of the products. This loop |
|
|
3168 computes the sum of the products for each column. They are not doubled until later. |
|
|
3169 |
|
|
3170 After the squaring loop, the products stored in $\hat W$ musted be doubled and the carries propagated forwards. It makes sense to do both |
|
|
3171 operations at the same time. The expression $\hat W_{ix} \leftarrow 2 \hat W_{ix} + \hat {X}_{ix}$ computes the sum of the double product and the |
|
|
3172 squares in place. |
|
|
3173 |
|
|
3174 EXAM,bn_fast_s_mp_sqr.c |
|
|
3175 |
|
|
3176 -- Write something deep and insightful later, Tom. |
|
|
3177 |
|
|
3178 \subsection{Polynomial Basis Squaring} |
|
|
3179 The same algorithm that performs optimal polynomial basis multiplication can be used to perform polynomial basis squaring. The minor exception |
|
|
3180 is that $\zeta_y = f(y)g(y)$ is actually equivalent to $\zeta_y = f(y)^2$ since $f(y) = g(y)$. Instead of performing $2n + 1$ |
|
|
3181 multiplications to find the $\zeta$ relations, squaring operations are performed instead. |
|
|
3182 |
|
|
3183 \subsection{Karatsuba Squaring} |
|
|
3184 Let $f(x) = ax + b$ represent the polynomial basis representation of a number to square. |
|
|
3185 Let $h(x) = \left ( f(x) \right )^2$ represent the square of the polynomial. The Karatsuba equation can be modified to square a |
|
|
3186 number with the following equation. |
|
|
3187 |
|
|
3188 \begin{equation} |
|
|
3189 h(x) = a^2x^2 + \left (a^2 + b^2 - (a - b)^2 \right )x + b^2 |
|
|
3190 \end{equation} |
|
|
3191 |
|
|
3192 Upon closer inspection this equation only requires the calculation of three half-sized squares: $a^2$, $b^2$ and $(a - b)^2$. As in |
|
|
3193 Karatsuba multiplication, this algorithm can be applied recursively on the input and will achieve an asymptotic running time of |
|
|
3194 $O \left ( n^{lg(3)} \right )$. |
|
|
3195 |
|
|
3196 If the asymptotic times of Karatsuba squaring and multiplication are the same, why not simply use the multiplication algorithm |
|
|
3197 instead? The answer to this arises from the cutoff point for squaring. As in multiplication there exists a cutoff point, at which the |
|
|
3198 time required for a Comba based squaring and a Karatsuba based squaring meet. Due to the overhead inherent in the Karatsuba method, the cutoff |
|
|
3199 point is fairly high. For example, on an AMD Athlon XP processor with $\beta = 2^{28}$, the cutoff point is around 127 digits. |
|
|
3200 |
|
|
3201 Consider squaring a 200 digit number with this technique. It will be split into two 100 digit halves which are subsequently squared. |
|
|
3202 The 100 digit halves will not be squared using Karatsuba, but instead using the faster Comba based squaring algorithm. If Karatsuba multiplication |
|
|
3203 were used instead, the 100 digit numbers would be squared with a slower Comba based multiplication. |
|
|
3204 |
|
|
3205 \newpage\begin{figure}[!here] |
|
|
3206 \begin{small} |
|
|
3207 \begin{center} |
|
|
3208 \begin{tabular}{l} |
|
|
3209 \hline Algorithm \textbf{mp\_karatsuba\_sqr}. \\ |
|
|
3210 \textbf{Input}. mp\_int $a$ \\ |
|
|
3211 \textbf{Output}. $b \leftarrow a^2$ \\ |
|
|
3212 \hline \\ |
|
|
3213 1. Initialize the following temporary mp\_ints: $x0$, $x1$, $t1$, $t2$, $x0x0$ and $x1x1$. \\ |
|
|
3214 2. If any of the initializations on step 1 failed return(\textit{MP\_MEM}). \\ |
|
|
3215 \\ |
|
|
3216 Split the input. e.g. $a = x1\beta^B + x0$ \\ |
|
|
3217 3. $B \leftarrow \lfloor a.used / 2 \rfloor$ \\ |
|
|
3218 4. $x0 \leftarrow a \mbox{ (mod }\beta^B\mbox{)}$ (\textit{mp\_mod\_2d}) \\ |
|
|
3219 5. $x1 \leftarrow \lfloor a / \beta^B \rfloor$ (\textit{mp\_lshd}) \\ |
|
|
3220 \\ |
|
|
3221 Calculate the three squares. \\ |
|
|
3222 6. $x0x0 \leftarrow x0^2$ (\textit{mp\_sqr}) \\ |
|
|
3223 7. $x1x1 \leftarrow x1^2$ \\ |
|
|
3224 8. $t1 \leftarrow x1 - x0$ (\textit{mp\_sub}) \\ |
|
|
3225 9. $t1 \leftarrow t1^2$ \\ |
|
|
3226 \\ |
|
|
3227 Compute the middle term. \\ |
|
|
3228 10. $t2 \leftarrow x0x0 + x1x1$ (\textit{s\_mp\_add}) \\ |
|
|
3229 11. $t1 \leftarrow t2 - t1$ \\ |
|
|
3230 \\ |
|
|
3231 Compute final product. \\ |
|
|
3232 12. $t1 \leftarrow t1\beta^B$ (\textit{mp\_lshd}) \\ |
|
|
3233 13. $x1x1 \leftarrow x1x1\beta^{2B}$ \\ |
|
|
3234 14. $t1 \leftarrow t1 + x0x0$ \\ |
|
|
3235 15. $b \leftarrow t1 + x1x1$ \\ |
|
|
3236 16. Return(\textit{MP\_OKAY}). \\ |
|
|
3237 \hline |
|
|
3238 \end{tabular} |
|
|
3239 \end{center} |
|
|
3240 \end{small} |
|
|
3241 \caption{Algorithm mp\_karatsuba\_sqr} |
|
|
3242 \end{figure} |
|
|
3243 |
|
|
3244 \textbf{Algorithm mp\_karatsuba\_sqr.} |
|
|
3245 This algorithm computes the square of an input $a$ using the Karatsuba technique. This algorithm is very similar to the Karatsuba based |
|
|
3246 multiplication algorithm with the exception that the three half-size multiplications have been replaced with three half-size squarings. |
|
|
3247 |
|
|
3248 The radix point for squaring is simply placed exactly in the middle of the digits when the input has an odd number of digits, otherwise it is |
|
|
3249 placed just below the middle. Step 3, 4 and 5 compute the two halves required using $B$ |
|
|
3250 as the radix point. The first two squares in steps 6 and 7 are rather straightforward while the last square is of a more compact form. |
|
|
3251 |
|
|
3252 By expanding $\left (x1 - x0 \right )^2$, the $x1^2$ and $x0^2$ terms in the middle disappear, that is $x1^2 + x0^2 - (x1 - x0)^2 = 2 \cdot x0 \cdot x1$. |
|
|
3253 Now if $5n$ single precision additions and a squaring of $n$-digits is faster than multiplying two $n$-digit numbers and doubling then |
|
|
3254 this method is faster. Assuming no further recursions occur, the difference can be estimated with the following inequality. |
|
|
3255 |
|
|
3256 Let $p$ represent the cost of a single precision addition and $q$ the cost of a single precision multiplication both in terms of time\footnote{Or |
|
|
3257 machine clock cycles.}. |
|
|
3258 |
|
|
3259 \begin{equation} |
|
|
3260 5pn +{{q(n^2 + n)} \over 2} \le pn + qn^2 |
|
|
3261 \end{equation} |
|
|
3262 |
|
|
3263 For example, on an AMD Athlon XP processor $p = {1 \over 3}$ and $q = 6$. This implies that the following inequality should hold. |
|
|
3264 \begin{center} |
|
|
3265 \begin{tabular}{rcl} |
|
|
3266 ${5n \over 3} + 3n^2 + 3n$ & $<$ & ${n \over 3} + 6n^2$ \\ |
|
|
3267 ${5 \over 3} + 3n + 3$ & $<$ & ${1 \over 3} + 6n$ \\ |
|
|
3268 ${13 \over 9}$ & $<$ & $n$ \\ |
|
|
3269 \end{tabular} |
|
|
3270 \end{center} |
|
|
3271 |
|
|
3272 This results in a cutoff point around $n = 2$. As a consequence it is actually faster to compute the middle term the ``long way'' on processors |
|
|
3273 where multiplication is substantially slower\footnote{On the Athlon there is a 1:17 ratio between clock cycles for addition and multiplication. On |
|
|
3274 the Intel P4 processor this ratio is 1:29 making this method even more beneficial. The only common exception is the ARMv4 processor which has a |
|
|
3275 ratio of 1:7. } than simpler operations such as addition. |
|
|
3276 |
|
|
3277 EXAM,bn_mp_karatsuba_sqr.c |
|
|
3278 |
|
|
3279 This implementation is largely based on the implementation of algorithm mp\_karatsuba\_mul. It uses the same inline style to copy and |
|
|
3280 shift the input into the two halves. The loop from line @54,{@ to line @70,}@ has been modified since only one input exists. The \textbf{used} |
|
|
3281 count of both $x0$ and $x1$ is fixed up and $x0$ is clamped before the calculations begin. At this point $x1$ and $x0$ are valid equivalents |
|
|
3282 to the respective halves as if mp\_rshd and mp\_mod\_2d had been used. |
|
|
3283 |
|
|
3284 By inlining the copy and shift operations the cutoff point for Karatsuba multiplication can be lowered. On the Athlon the cutoff point |
|
|
3285 is exactly at the point where Comba squaring can no longer be used (\textit{128 digits}). On slower processors such as the Intel P4 |
|
|
3286 it is actually below the Comba limit (\textit{at 110 digits}). |
|
|
3287 |
|
|
3288 This routine uses the same error trap coding style as mp\_karatsuba\_sqr. As the temporary variables are initialized errors are redirected to |
|
|
3289 the error trap higher up. If the algorithm completes without error the error code is set to \textbf{MP\_OKAY} and mp\_clears are executed normally. |
|
|
3290 |
|
|
3291 \textit{Last paragraph sucks. re-write! -- Tom} |
|
|
3292 |
|
|
3293 \subsection{Toom-Cook Squaring} |
|
|
3294 The Toom-Cook squaring algorithm mp\_toom\_sqr is heavily based on the algorithm mp\_toom\_mul with the exception that squarings are used |
|
|
3295 instead of multiplication to find the five relations.. The reader is encouraged to read the description of the latter algorithm and try to |
|
|
3296 derive their own Toom-Cook squaring algorithm. |
|
|
3297 |
|
|
3298 \subsection{High Level Squaring} |
|
|
3299 \newpage\begin{figure}[!here] |
|
|
3300 \begin{small} |
|
|
3301 \begin{center} |
|
|
3302 \begin{tabular}{l} |
|
|
3303 \hline Algorithm \textbf{mp\_sqr}. \\ |
|
|
3304 \textbf{Input}. mp\_int $a$ \\ |
|
|
3305 \textbf{Output}. $b \leftarrow a^2$ \\ |
|
|
3306 \hline \\ |
|
|
3307 1. If $a.used \ge TOOM\_SQR\_CUTOFF$ then \\ |
|
|
3308 \hspace{3mm}1.1 $b \leftarrow a^2$ using algorithm mp\_toom\_sqr \\ |
|
|
3309 2. else if $a.used \ge KARATSUBA\_SQR\_CUTOFF$ then \\ |
|
|
3310 \hspace{3mm}2.1 $b \leftarrow a^2$ using algorithm mp\_karatsuba\_sqr \\ |
|
|
3311 3. else \\ |
|
|
3312 \hspace{3mm}3.1 $digs \leftarrow a.used + b.used + 1$ \\ |
|
|
3313 \hspace{3mm}3.2 If $digs < MP\_ARRAY$ and $a.used \le \delta$ then \\ |
|
|
3314 \hspace{6mm}3.2.1 $b \leftarrow a^2$ using algorithm fast\_s\_mp\_sqr. \\ |
|
|
3315 \hspace{3mm}3.3 else \\ |
|
|
3316 \hspace{6mm}3.3.1 $b \leftarrow a^2$ using algorithm s\_mp\_sqr. \\ |
|
|
3317 4. $b.sign \leftarrow MP\_ZPOS$ \\ |
|
|
3318 5. Return the result of the unsigned squaring performed. \\ |
|
|
3319 \hline |
|
|
3320 \end{tabular} |
|
|
3321 \end{center} |
|
|
3322 \end{small} |
|
|
3323 \caption{Algorithm mp\_sqr} |
|
|
3324 \end{figure} |
|
|
3325 |
|
|
3326 \textbf{Algorithm mp\_sqr.} |
|
|
3327 This algorithm computes the square of the input using one of four different algorithms. If the input is very large and has at least |
|
|
3328 \textbf{TOOM\_SQR\_CUTOFF} or \textbf{KARATSUBA\_SQR\_CUTOFF} digits then either the Toom-Cook or the Karatsuba Squaring algorithm is used. If |
|
|
3329 neither of the polynomial basis algorithms should be used then either the Comba or baseline algorithm is used. |
|
|
3330 |
|
|
3331 EXAM,bn_mp_sqr.c |
|
|
3332 |
|
|
3333 \section*{Exercises} |
|
|
3334 \begin{tabular}{cl} |
|
|
3335 $\left [ 3 \right ] $ & Devise an efficient algorithm for selection of the radix point to handle inputs \\ |
|
|
3336 & that have different number of digits in Karatsuba multiplication. \\ |
|
|
3337 & \\ |
|
|
3338 $\left [ 3 \right ] $ & In ~SQUARE~ the fact that every column of a squaring is made up \\ |
|
|
3339 & of double products and at most one square is stated. Prove this statement. \\ |
|
|
3340 & \\ |
|
|
3341 $\left [ 2 \right ] $ & In the Comba squaring algorithm half of the $\hat X$ variables are not used. \\ |
|
|
3342 & Revise algorithm fast\_s\_mp\_sqr to shrink the $\hat X$ array. \\ |
|
|
3343 & \\ |
|
|
3344 $\left [ 3 \right ] $ & Prove the equation for Karatsuba squaring. \\ |
|
|
3345 & \\ |
|
|
3346 $\left [ 1 \right ] $ & Prove that Karatsuba squaring requires $O \left (n^{lg(3)} \right )$ time. \\ |
|
|
3347 & \\ |
|
|
3348 $\left [ 2 \right ] $ & Determine the minimal ratio between addition and multiplication clock cycles \\ |
|
|
3349 & required for equation $6.7$ to be true. \\ |
|
|
3350 & \\ |
|
|
3351 \end{tabular} |
|
|
3352 |
|
|
3353 \chapter{Modular Reduction} |
|
|
3354 MARK,REDUCTION |
|
|
3355 \section{Basics of Modular Reduction} |
|
|
3356 \index{modular residue} |
|
|
3357 Modular reduction is an operation that arises quite often within public key cryptography algorithms and various number theoretic algorithms, |
|
|
3358 such as factoring. Modular reduction algorithms are the third class of algorithms of the ``multipliers'' set. A number $a$ is said to be \textit{reduced} |
|
|
3359 modulo another number $b$ by finding the remainder of the division $a/b$. Full integer division with remainder is a topic to be covered |
|
|
3360 in~\ref{sec:division}. |
|
|
3361 |
|
|
3362 Modular reduction is equivalent to solving for $r$ in the following equation. $a = bq + r$ where $q = \lfloor a/b \rfloor$. The result |
|
|
3363 $r$ is said to be ``congruent to $a$ modulo $b$'' which is also written as $r \equiv a \mbox{ (mod }b\mbox{)}$. In other vernacular $r$ is known as the |
|
|
3364 ``modular residue'' which leads to ``quadratic residue''\footnote{That's fancy talk for $b \equiv a^2 \mbox{ (mod }p\mbox{)}$.} and |
|
|
3365 other forms of residues. |
|
|
3366 |
|
|
3367 Modular reductions are normally used to create either finite groups, rings or fields. The most common usage for performance driven modular reductions |
|
|
3368 is in modular exponentiation algorithms. That is to compute $d = a^b \mbox{ (mod }c\mbox{)}$ as fast as possible. This operation is used in the |
|
|
3369 RSA and Diffie-Hellman public key algorithms, for example. Modular multiplication and squaring also appears as a fundamental operation in |
|
|
3370 Elliptic Curve cryptographic algorithms. As will be discussed in the subsequent chapter there exist fast algorithms for computing modular |
|
|
3371 exponentiations without having to perform (\textit{in this example}) $b - 1$ multiplications. These algorithms will produce partial results in the |
|
|
3372 range $0 \le x < c^2$ which can be taken advantage of to create several efficient algorithms. They have also been used to create redundancy check |
|
|
3373 algorithms known as CRCs, error correction codes such as Reed-Solomon and solve a variety of number theoeretic problems. |
|
|
3374 |
|
|
3375 \section{The Barrett Reduction} |
|
|
3376 The Barrett reduction algorithm \cite{BARRETT} was inspired by fast division algorithms which multiply by the reciprocal to emulate |
|
|
3377 division. Barretts observation was that the residue $c$ of $a$ modulo $b$ is equal to |
|
|
3378 |
|
|
3379 \begin{equation} |
|
|
3380 c = a - b \cdot \lfloor a/b \rfloor |
|
|
3381 \end{equation} |
|
|
3382 |
|
|
3383 Since algorithms such as modular exponentiation would be using the same modulus extensively, typical DSP\footnote{It is worth noting that Barrett's paper |
|
|
3384 targeted the DSP56K processor.} intuition would indicate the next step would be to replace $a/b$ by a multiplication by the reciprocal. However, |
|
|
3385 DSP intuition on its own will not work as these numbers are considerably larger than the precision of common DSP floating point data types. |
|
|
3386 It would take another common optimization to optimize the algorithm. |
|
|
3387 |
|
|
3388 \subsection{Fixed Point Arithmetic} |
|
|
3389 The trick used to optimize the above equation is based on a technique of emulating floating point data types with fixed precision integers. Fixed |
|
|
3390 point arithmetic would become very popular as it greatly optimize the ``3d-shooter'' genre of games in the mid 1990s when floating point units were |
|
|
3391 fairly slow if not unavailable. The idea behind fixed point arithmetic is to take a normal $k$-bit integer data type and break it into $p$-bit |
|
|
3392 integer and a $q$-bit fraction part (\textit{where $p+q = k$}). |
|
|
3393 |
|
|
3394 In this system a $k$-bit integer $n$ would actually represent $n/2^q$. For example, with $q = 4$ the integer $n = 37$ would actually represent the |
|
|
3395 value $2.3125$. To multiply two fixed point numbers the integers are multiplied using traditional arithmetic and subsequently normalized by |
|
|
3396 moving the implied decimal point back to where it should be. For example, with $q = 4$ to multiply the integers $9$ and $5$ they must be converted |
|
|
3397 to fixed point first by multiplying by $2^q$. Let $a = 9(2^q)$ represent the fixed point representation of $9$ and $b = 5(2^q)$ represent the |
|
|
3398 fixed point representation of $5$. The product $ab$ is equal to $45(2^{2q})$ which when normalized by dividing by $2^q$ produces $45(2^q)$. |
|
|
3399 |
|
|
3400 This technique became popular since a normal integer multiplication and logical shift right are the only required operations to perform a multiplication |
|
|
3401 of two fixed point numbers. Using fixed point arithmetic, division can be easily approximated by multiplying by the reciprocal. If $2^q$ is |
|
|
3402 equivalent to one than $2^q/b$ is equivalent to the fixed point approximation of $1/b$ using real arithmetic. Using this fact dividing an integer |
|
|
3403 $a$ by another integer $b$ can be achieved with the following expression. |
|
|
3404 |
|
|
3405 \begin{equation} |
|
|
3406 \lfloor a / b \rfloor \mbox{ }\approx\mbox{ } \lfloor (a \cdot \lfloor 2^q / b \rfloor)/2^q \rfloor |
|
|
3407 \end{equation} |
|
|
3408 |
|
|
3409 The precision of the division is proportional to the value of $q$. If the divisor $b$ is used frequently as is the case with |
|
|
3410 modular exponentiation pre-computing $2^q/b$ will allow a division to be performed with a multiplication and a right shift. Both operations |
|
|
3411 are considerably faster than division on most processors. |
|
|
3412 |
|
|
3413 Consider dividing $19$ by $5$. The correct result is $\lfloor 19/5 \rfloor = 3$. With $q = 3$ the reciprocal is $\lfloor 2^q/5 \rfloor = 1$ which |
|
|
3414 leads to a product of $19$ which when divided by $2^q$ produces $2$. However, with $q = 4$ the reciprocal is $\lfloor 2^q/5 \rfloor = 3$ and |
|
|
3415 the result of the emulated division is $\lfloor 3 \cdot 19 / 2^q \rfloor = 3$ which is correct. The value of $2^q$ must be close to or ideally |
|
|
3416 larger than the dividend. In effect if $a$ is the dividend then $q$ should allow $0 \le \lfloor a/2^q \rfloor \le 1$ in order for this approach |
|
|
3417 to work correctly. Plugging this form of divison into the original equation the following modular residue equation arises. |
|
|
3418 |
|
|
3419 \begin{equation} |
|
|
3420 c = a - b \cdot \lfloor (a \cdot \lfloor 2^q / b \rfloor)/2^q \rfloor |
|
|
3421 \end{equation} |
|
|
3422 |
|
|
3423 Using the notation from \cite{BARRETT} the value of $\lfloor 2^q / b \rfloor$ will be represented by the $\mu$ symbol. Using the $\mu$ |
|
|
3424 variable also helps re-inforce the idea that it is meant to be computed once and re-used. |
|
|
3425 |
|
|
3426 \begin{equation} |
|
|
3427 c = a - b \cdot \lfloor (a \cdot \mu)/2^q \rfloor |
|
|
3428 \end{equation} |
|
|
3429 |
|
|
3430 Provided that $2^q \ge a$ this algorithm will produce a quotient that is either exactly correct or off by a value of one. In the context of Barrett |
|
|
3431 reduction the value of $a$ is bound by $0 \le a \le (b - 1)^2$ meaning that $2^q \ge b^2$ is sufficient to ensure the reciprocal will have enough |
|
|
3432 precision. |
|
|
3433 |
|
|
3434 Let $n$ represent the number of digits in $b$. This algorithm requires approximately $2n^2$ single precision multiplications to produce the quotient and |
|
|
3435 another $n^2$ single precision multiplications to find the residue. In total $3n^2$ single precision multiplications are required to |
|
|
3436 reduce the number. |
|
|
3437 |
|
|
3438 For example, if $b = 1179677$ and $q = 41$ ($2^q > b^2$), then the reciprocal $\mu$ is equal to $\lfloor 2^q / b \rfloor = 1864089$. Consider reducing |
|
|
3439 $a = 180388626447$ modulo $b$ using the above reduction equation. The quotient using the new formula is $\lfloor (a \cdot \mu) / 2^q \rfloor = 152913$. |
|
|
3440 By subtracting $152913b$ from $a$ the correct residue $a \equiv 677346 \mbox{ (mod }b\mbox{)}$ is found. |
|
|
3441 |
|
|
3442 \subsection{Choosing a Radix Point} |
|
|
3443 Using the fixed point representation a modular reduction can be performed with $3n^2$ single precision multiplications. If that were the best |
|
|
3444 that could be achieved a full division\footnote{A division requires approximately $O(2cn^2)$ single precision multiplications for a small value of $c$. |
|
|
3445 See~\ref{sec:division} for further details.} might as well be used in its place. The key to optimizing the reduction is to reduce the precision of |
|
|
3446 the initial multiplication that finds the quotient. |
|
|
3447 |
|
|
3448 Let $a$ represent the number of which the residue is sought. Let $b$ represent the modulus used to find the residue. Let $m$ represent |
|
|
3449 the number of digits in $b$. For the purposes of this discussion we will assume that the number of digits in $a$ is $2m$, which is generally true if |
|
|
3450 two $m$-digit numbers have been multiplied. Dividing $a$ by $b$ is the same as dividing a $2m$ digit integer by a $m$ digit integer. Digits below the |
|
|
3451 $m - 1$'th digit of $a$ will contribute at most a value of $1$ to the quotient because $\beta^k < b$ for any $0 \le k \le m - 1$. Another way to |
|
|
3452 express this is by re-writing $a$ as two parts. If $a' \equiv a \mbox{ (mod }b^m\mbox{)}$ and $a'' = a - a'$ then |
|
|
3453 ${a \over b} \equiv {{a' + a''} \over b}$ which is equivalent to ${a' \over b} + {a'' \over b}$. Since $a'$ is bound to be less than $b$ the quotient |
|
|
3454 is bound by $0 \le {a' \over b} < 1$. |
|
|
3455 |
|
|
3456 Since the digits of $a'$ do not contribute much to the quotient the observation is that they might as well be zero. However, if the digits |
|
|
3457 ``might as well be zero'' they might as well not be there in the first place. Let $q_0 = \lfloor a/\beta^{m-1} \rfloor$ represent the input |
|
|
3458 with the irrelevant digits trimmed. Now the modular reduction is trimmed to the almost equivalent equation |
|
|
3459 |
|
|
3460 \begin{equation} |
|
|
3461 c = a - b \cdot \lfloor (q_0 \cdot \mu) / \beta^{m+1} \rfloor |
|
|
3462 \end{equation} |
|
|
3463 |
|
|
3464 Note that the original divisor $2^q$ has been replaced with $\beta^{m+1}$ where in this case $q$ is a multiple of $lg(\beta)$. Also note that the |
|
|
3465 exponent on the divisor when added to the amount $q_0$ was shifted by equals $2m$. If the optimization had not been performed the divisor |
|
|
3466 would have the exponent $2m$ so in the end the exponents do ``add up''. Using the above equation the quotient |
|
|
3467 $\lfloor (q_0 \cdot \mu) / \beta^{m+1} \rfloor$ can be off from the true quotient by at most two. The original fixed point quotient can be off |
|
|
3468 by as much as one (\textit{provided the radix point is chosen suitably}) and now that the lower irrelevent digits have been trimmed the quotient |
|
|
3469 can be off by an additional value of one for a total of at most two. This implies that |
|
|
3470 $0 \le a - b \cdot \lfloor (q_0 \cdot \mu) / \beta^{m+1} \rfloor < 3b$. By first subtracting $b$ times the quotient and then conditionally subtracting |
|
|
3471 $b$ once or twice the residue is found. |
|
|
3472 |
|
|
3473 The quotient is now found using $(m + 1)(m) = m^2 + m$ single precision multiplications and the residue with an additional $m^2$ single |
|
|
3474 precision multiplications, ignoring the subtractions required. In total $2m^2 + m$ single precision multiplications are required to find the residue. |
|
|
3475 This is considerably faster than the original attempt. |
|
|
3476 |
|
|
3477 For example, let $\beta = 10$ represent the radix of the digits. Let $b = 9999$ represent the modulus which implies $m = 4$. Let $a = 99929878$ |
|
|
3478 represent the value of which the residue is desired. In this case $q = 8$ since $10^7 < 9999^2$ meaning that $\mu = \lfloor \beta^{q}/b \rfloor = 10001$. |
|
|
3479 With the new observation the multiplicand for the quotient is equal to $q_0 = \lfloor a / \beta^{m - 1} \rfloor = 99929$. The quotient is then |
|
|
3480 $\lfloor (q_0 \cdot \mu) / \beta^{m+1} \rfloor = 9993$. Subtracting $9993b$ from $a$ and the correct residue $a \equiv 9871 \mbox{ (mod }b\mbox{)}$ |
|
|
3481 is found. |
|
|
3482 |
|
|
3483 \subsection{Trimming the Quotient} |
|
|
3484 So far the reduction algorithm has been optimized from $3m^2$ single precision multiplications down to $2m^2 + m$ single precision multiplications. As |
|
|
3485 it stands now the algorithm is already fairly fast compared to a full integer division algorithm. However, there is still room for |
|
|
3486 optimization. |
|
|
3487 |
|
|
3488 After the first multiplication inside the quotient ($q_0 \cdot \mu$) the value is shifted right by $m + 1$ places effectively nullifying the lower |
|
|
3489 half of the product. It would be nice to be able to remove those digits from the product to effectively cut down the number of single precision |
|
|
3490 multiplications. If the number of digits in the modulus $m$ is far less than $\beta$ a full product is not required for the algorithm to work properly. |
|
|
3491 In fact the lower $m - 2$ digits will not affect the upper half of the product at all and do not need to be computed. |
|
|
3492 |
|
|
3493 The value of $\mu$ is a $m$-digit number and $q_0$ is a $m + 1$ digit number. Using a full multiplier $(m + 1)(m) = m^2 + m$ single precision |
|
|
3494 multiplications would be required. Using a multiplier that will only produce digits at and above the $m - 1$'th digit reduces the number |
|
|
3495 of single precision multiplications to ${m^2 + m} \over 2$ single precision multiplications. |
|
|
3496 |
|
|
3497 \subsection{Trimming the Residue} |
|
|
3498 After the quotient has been calculated it is used to reduce the input. As previously noted the algorithm is not exact and it can be off by a small |
|
|
3499 multiple of the modulus, that is $0 \le a - b \cdot \lfloor (q_0 \cdot \mu) / \beta^{m+1} \rfloor < 3b$. If $b$ is $m$ digits than the |
|
|
3500 result of reduction equation is a value of at most $m + 1$ digits (\textit{provided $3 < \beta$}) implying that the upper $m - 1$ digits are |
|
|
3501 implicitly zero. |
|
|
3502 |
|
|
3503 The next optimization arises from this very fact. Instead of computing $b \cdot \lfloor (q_0 \cdot \mu) / \beta^{m+1} \rfloor$ using a full |
|
|
3504 $O(m^2)$ multiplication algorithm only the lower $m+1$ digits of the product have to be computed. Similarly the value of $a$ can |
|
|
3505 be reduced modulo $\beta^{m+1}$ before the multiple of $b$ is subtracted which simplifes the subtraction as well. A multiplication that produces |
|
|
3506 only the lower $m+1$ digits requires ${m^2 + 3m - 2} \over 2$ single precision multiplications. |
|
|
3507 |
|
|
3508 With both optimizations in place the algorithm is the algorithm Barrett proposed. It requires $m^2 + 2m - 1$ single precision multiplications which |
|
|
3509 is considerably faster than the straightforward $3m^2$ method. |
|
|
3510 |
|
|
3511 \subsection{The Barrett Algorithm} |
|
|
3512 \newpage\begin{figure}[!here] |
|
|
3513 \begin{small} |
|
|
3514 \begin{center} |
|
|
3515 \begin{tabular}{l} |
|
|
3516 \hline Algorithm \textbf{mp\_reduce}. \\ |
|
|
3517 \textbf{Input}. mp\_int $a$, mp\_int $b$ and $\mu = \lfloor \beta^{2m}/b \rfloor, m = \lceil lg_{\beta}(b) \rceil, (0 \le a < b^2, b > 1)$ \\ |
|
|
3518 \textbf{Output}. $a \mbox{ (mod }b\mbox{)}$ \\ |
|
|
3519 \hline \\ |
|
|
3520 Let $m$ represent the number of digits in $b$. \\ |
|
|
3521 1. Make a copy of $a$ and store it in $q$. (\textit{mp\_init\_copy}) \\ |
|
|
3522 2. $q \leftarrow \lfloor q / \beta^{m - 1} \rfloor$ (\textit{mp\_rshd}) \\ |
|
|
3523 \\ |
|
|
3524 Produce the quotient. \\ |
|
|
3525 3. $q \leftarrow q \cdot \mu$ (\textit{note: only produce digits at or above $m-1$}) \\ |
|
|
3526 4. $q \leftarrow \lfloor q / \beta^{m + 1} \rfloor$ \\ |
|
|
3527 \\ |
|
|
3528 Subtract the multiple of modulus from the input. \\ |
|
|
3529 5. $a \leftarrow a \mbox{ (mod }\beta^{m+1}\mbox{)}$ (\textit{mp\_mod\_2d}) \\ |
|
|
3530 6. $q \leftarrow q \cdot b \mbox{ (mod }\beta^{m+1}\mbox{)}$ (\textit{s\_mp\_mul\_digs}) \\ |
|
|
3531 7. $a \leftarrow a - q$ (\textit{mp\_sub}) \\ |
|
|
3532 \\ |
|
|
3533 Add $\beta^{m+1}$ if a carry occured. \\ |
|
|
3534 8. If $a < 0$ then (\textit{mp\_cmp\_d}) \\ |
|
|
3535 \hspace{3mm}8.1 $q \leftarrow 1$ (\textit{mp\_set}) \\ |
|
|
3536 \hspace{3mm}8.2 $q \leftarrow q \cdot \beta^{m+1}$ (\textit{mp\_lshd}) \\ |
|
|
3537 \hspace{3mm}8.3 $a \leftarrow a + q$ \\ |
|
|
3538 \\ |
|
|
3539 Now subtract the modulus if the residue is too large (e.g. quotient too small). \\ |
|
|
3540 9. While $a \ge b$ do (\textit{mp\_cmp}) \\ |
|
|
3541 \hspace{3mm}9.1 $c \leftarrow a - b$ \\ |
|
|
3542 10. Clear $q$. \\ |
|
|
3543 11. Return(\textit{MP\_OKAY}) \\ |
|
|
3544 \hline |
|
|
3545 \end{tabular} |
|
|
3546 \end{center} |
|
|
3547 \end{small} |
|
|
3548 \caption{Algorithm mp\_reduce} |
|
|
3549 \end{figure} |
|
|
3550 |
|
|
3551 \textbf{Algorithm mp\_reduce.} |
|
|
3552 This algorithm will reduce the input $a$ modulo $b$ in place using the Barrett algorithm. It is loosely based on algorithm 14.42 of HAC |
|
|
3553 \cite[pp. 602]{HAC} which is based on the paper from Paul Barrett \cite{BARRETT}. The algorithm has several restrictions and assumptions which must |
|
|
3554 be adhered to for the algorithm to work. |
|
|
3555 |
|
|
3556 First the modulus $b$ is assumed to be positive and greater than one. If the modulus were less than or equal to one than subtracting |
|
|
3557 a multiple of it would either accomplish nothing or actually enlarge the input. The input $a$ must be in the range $0 \le a < b^2$ in order |
|
|
3558 for the quotient to have enough precision. If $a$ is the product of two numbers that were already reduced modulo $b$, this will not be a problem. |
|
|
3559 Technically the algorithm will still work if $a \ge b^2$ but it will take much longer to finish. The value of $\mu$ is passed as an argument to this |
|
|
3560 algorithm and is assumed to be calculated and stored before the algorithm is used. |
|
|
3561 |
|
|
3562 Recall that the multiplication for the quotient on step 3 must only produce digits at or above the $m-1$'th position. An algorithm called |
|
|
3563 $s\_mp\_mul\_high\_digs$ which has not been presented is used to accomplish this task. The algorithm is based on $s\_mp\_mul\_digs$ except that |
|
|
3564 instead of stopping at a given level of precision it starts at a given level of precision. This optimal algorithm can only be used if the number |
|
|
3565 of digits in $b$ is very much smaller than $\beta$. |
|
|
3566 |
|
|
3567 While it is known that |
|
|
3568 $a \ge b \cdot \lfloor (q_0 \cdot \mu) / \beta^{m+1} \rfloor$ only the lower $m+1$ digits are being used to compute the residue, so an implied |
|
|
3569 ``borrow'' from the higher digits might leave a negative result. After the multiple of the modulus has been subtracted from $a$ the residue must be |
|
|
3570 fixed up in case it is negative. The invariant $\beta^{m+1}$ must be added to the residue to make it positive again. |
|
|
3571 |
|
|
3572 The while loop at step 9 will subtract $b$ until the residue is less than $b$. If the algorithm is performed correctly this step is |
|
|
3573 performed at most twice, and on average once. However, if $a \ge b^2$ than it will iterate substantially more times than it should. |
|
|
3574 |
|
|
3575 EXAM,bn_mp_reduce.c |
|
|
3576 |
|
|
3577 The first multiplication that determines the quotient can be performed by only producing the digits from $m - 1$ and up. This essentially halves |
|
|
3578 the number of single precision multiplications required. However, the optimization is only safe if $\beta$ is much larger than the number of digits |
|
|
3579 in the modulus. In the source code this is evaluated on lines @36,if@ to @44,}@ where algorithm s\_mp\_mul\_high\_digs is used when it is |
|
|
3580 safe to do so. |
|
|
3581 |
|
|
3582 \subsection{The Barrett Setup Algorithm} |
|
|
3583 In order to use algorithm mp\_reduce the value of $\mu$ must be calculated in advance. Ideally this value should be computed once and stored for |
|
|
3584 future use so that the Barrett algorithm can be used without delay. |
|
|
3585 |
|
|
3586 \begin{figure}[!here] |
|
|
3587 \begin{small} |
|
|
3588 \begin{center} |
|
|
3589 \begin{tabular}{l} |
|
|
3590 \hline Algorithm \textbf{mp\_reduce\_setup}. \\ |
|
|
3591 \textbf{Input}. mp\_int $a$ ($a > 1$) \\ |
|
|
3592 \textbf{Output}. $\mu \leftarrow \lfloor \beta^{2m}/a \rfloor$ \\ |
|
|
3593 \hline \\ |
|
|
3594 1. $\mu \leftarrow 2^{2 \cdot lg(\beta) \cdot m}$ (\textit{mp\_2expt}) \\ |
|
|
3595 2. $\mu \leftarrow \lfloor \mu / b \rfloor$ (\textit{mp\_div}) \\ |
|
|
3596 3. Return(\textit{MP\_OKAY}) \\ |
|
|
3597 \hline |
|
|
3598 \end{tabular} |
|
|
3599 \end{center} |
|
|
3600 \end{small} |
|
|
3601 \caption{Algorithm mp\_reduce\_setup} |
|
|
3602 \end{figure} |
|
|
3603 |
|
|
3604 \textbf{Algorithm mp\_reduce\_setup.} |
|
|
3605 This algorithm computes the reciprocal $\mu$ required for Barrett reduction. First $\beta^{2m}$ is calculated as $2^{2 \cdot lg(\beta) \cdot m}$ which |
|
|
3606 is equivalent and much faster. The final value is computed by taking the integer quotient of $\lfloor \mu / b \rfloor$. |
|
|
3607 |
|
|
3608 EXAM,bn_mp_reduce_setup.c |
|
|
3609 |
|
|
3610 This simple routine calculates the reciprocal $\mu$ required by Barrett reduction. Note the extended usage of algorithm mp\_div where the variable |
|
|
3611 which would received the remainder is passed as NULL. As will be discussed in~\ref{sec:division} the division routine allows both the quotient and the |
|
|
3612 remainder to be passed as NULL meaning to ignore the value. |
|
|
3613 |
|
|
3614 \section{The Montgomery Reduction} |
|
|
3615 Montgomery reduction\footnote{Thanks to Niels Ferguson for his insightful explanation of the algorithm.} \cite{MONT} is by far the most interesting |
|
|
3616 form of reduction in common use. It computes a modular residue which is not actually equal to the residue of the input yet instead equal to a |
|
|
3617 residue times a constant. However, as perplexing as this may sound the algorithm is relatively simple and very efficient. |
|
|
3618 |
|
|
3619 Throughout this entire section the variable $n$ will represent the modulus used to form the residue. As will be discussed shortly the value of |
|
|
3620 $n$ must be odd. The variable $x$ will represent the quantity of which the residue is sought. Similar to the Barrett algorithm the input |
|
|
3621 is restricted to $0 \le x < n^2$. To begin the description some simple number theory facts must be established. |
|
|
3622 |
|
|
3623 \textbf{Fact 1.} Adding $n$ to $x$ does not change the residue since in effect it adds one to the quotient $\lfloor x / n \rfloor$. Another way |
|
|
3624 to explain this is that $n$ is (\textit{or multiples of $n$ are}) congruent to zero modulo $n$. Adding zero will not change the value of the residue. |
|
|
3625 |
|
|
3626 \textbf{Fact 2.} If $x$ is even then performing a division by two in $\Z$ is congruent to $x \cdot 2^{-1} \mbox{ (mod }n\mbox{)}$. Actually |
|
|
3627 this is an application of the fact that if $x$ is evenly divisible by any $k \in \Z$ then division in $\Z$ will be congruent to |
|
|
3628 multiplication by $k^{-1}$ modulo $n$. |
|
|
3629 |
|
|
3630 From these two simple facts the following simple algorithm can be derived. |
|
|
3631 |
|
|
3632 \newpage\begin{figure}[!here] |
|
|
3633 \begin{small} |
|
|
3634 \begin{center} |
|
|
3635 \begin{tabular}{l} |
|
|
3636 \hline Algorithm \textbf{Montgomery Reduction}. \\ |
|
|
3637 \textbf{Input}. Integer $x$, $n$ and $k$ \\ |
|
|
3638 \textbf{Output}. $2^{-k}x \mbox{ (mod }n\mbox{)}$ \\ |
|
|
3639 \hline \\ |
|
|
3640 1. for $t$ from $1$ to $k$ do \\ |
|
|
3641 \hspace{3mm}1.1 If $x$ is odd then \\ |
|
|
3642 \hspace{6mm}1.1.1 $x \leftarrow x + n$ \\ |
|
|
3643 \hspace{3mm}1.2 $x \leftarrow x/2$ \\ |
|
|
3644 2. Return $x$. \\ |
|
|
3645 \hline |
|
|
3646 \end{tabular} |
|
|
3647 \end{center} |
|
|
3648 \end{small} |
|
|
3649 \caption{Algorithm Montgomery Reduction} |
|
|
3650 \end{figure} |
|
|
3651 |
|
|
3652 The algorithm reduces the input one bit at a time using the two congruencies stated previously. Inside the loop $n$, which is odd, is |
|
|
3653 added to $x$ if $x$ is odd. This forces $x$ to be even which allows the division by two in $\Z$ to be congruent to a modular division by two. Since |
|
|
3654 $x$ is assumed to be initially much larger than $n$ the addition of $n$ will contribute an insignificant magnitude to $x$. Let $r$ represent the |
|
|
3655 final result of the Montgomery algorithm. If $k > lg(n)$ and $0 \le x < n^2$ then the final result is limited to |
|
|
3656 $0 \le r < \lfloor x/2^k \rfloor + n$. As a result at most a single subtraction is required to get the residue desired. |
|
|
3657 |
|
|
3658 \begin{figure}[here] |
|
|
3659 \begin{small} |
|
|
3660 \begin{center} |
|
|
3661 \begin{tabular}{|c|l|} |
|
|
3662 \hline \textbf{Step number ($t$)} & \textbf{Result ($x$)} \\ |
|
|
3663 \hline $1$ & $x + n = 5812$, $x/2 = 2906$ \\ |
|
|
3664 \hline $2$ & $x/2 = 1453$ \\ |
|
|
3665 \hline $3$ & $x + n = 1710$, $x/2 = 855$ \\ |
|
|
3666 \hline $4$ & $x + n = 1112$, $x/2 = 556$ \\ |
|
|
3667 \hline $5$ & $x/2 = 278$ \\ |
|
|
3668 \hline $6$ & $x/2 = 139$ \\ |
|
|
3669 \hline $7$ & $x + n = 396$, $x/2 = 198$ \\ |
|
|
3670 \hline $8$ & $x/2 = 99$ \\ |
|
|
3671 \hline |
|
|
3672 \end{tabular} |
|
|
3673 \end{center} |
|
|
3674 \end{small} |
|
|
3675 \caption{Example of Montgomery Reduction (I)} |
|
|
3676 \label{fig:MONT1} |
|
|
3677 \end{figure} |
|
|
3678 |
|
|
3679 Consider the example in figure~\ref{fig:MONT1} which reduces $x = 5555$ modulo $n = 257$ when $k = 8$. The result of the algorithm $r = 99$ is |
|
|
3680 congruent to the value of $2^{-8} \cdot 5555 \mbox{ (mod }257\mbox{)}$. When $r$ is multiplied by $2^8$ modulo $257$ the correct residue |
|
|
3681 $r \equiv 158$ is produced. |
|
|
3682 |
|
|
3683 Let $k = \lfloor lg(n) \rfloor + 1$ represent the number of bits in $n$. The current algorithm requires $2k^2$ single precision shifts |
|
|
3684 and $k^2$ single precision additions. At this rate the algorithm is most certainly slower than Barrett reduction and not terribly useful. |
|
|
3685 Fortunately there exists an alternative representation of the algorithm. |
|
|
3686 |
|
|
3687 \begin{figure}[!here] |
|
|
3688 \begin{small} |
|
|
3689 \begin{center} |
|
|
3690 \begin{tabular}{l} |
|
|
3691 \hline Algorithm \textbf{Montgomery Reduction} (modified I). \\ |
|
|
3692 \textbf{Input}. Integer $x$, $n$ and $k$ \\ |
|
|
3693 \textbf{Output}. $2^{-k}x \mbox{ (mod }n\mbox{)}$ \\ |
|
|
3694 \hline \\ |
|
|
3695 1. for $t$ from $0$ to $k - 1$ do \\ |
|
|
3696 \hspace{3mm}1.1 If the $t$'th bit of $x$ is one then \\ |
|
|
3697 \hspace{6mm}1.1.1 $x \leftarrow x + 2^tn$ \\ |
|
|
3698 2. Return $x/2^k$. \\ |
|
|
3699 \hline |
|
|
3700 \end{tabular} |
|
|
3701 \end{center} |
|
|
3702 \end{small} |
|
|
3703 \caption{Algorithm Montgomery Reduction (modified I)} |
|
|
3704 \end{figure} |
|
|
3705 |
|
|
3706 This algorithm is equivalent since $2^tn$ is a multiple of $n$ and the lower $k$ bits of $x$ are zero by step 2. The number of single |
|
|
3707 precision shifts has now been reduced from $2k^2$ to $k^2 + k$ which is only a small improvement. |
|
|
3708 |
|
|
3709 \begin{figure}[here] |
|
|
3710 \begin{small} |
|
|
3711 \begin{center} |
|
|
3712 \begin{tabular}{|c|l|r|} |
|
|
3713 \hline \textbf{Step number ($t$)} & \textbf{Result ($x$)} & \textbf{Result ($x$) in Binary} \\ |
|
|
3714 \hline -- & $5555$ & $1010110110011$ \\ |
|
|
3715 \hline $1$ & $x + 2^{0}n = 5812$ & $1011010110100$ \\ |
|
|
3716 \hline $2$ & $5812$ & $1011010110100$ \\ |
|
|
3717 \hline $3$ & $x + 2^{2}n = 6840$ & $1101010111000$ \\ |
|
|
3718 \hline $4$ & $x + 2^{3}n = 8896$ & $10001011000000$ \\ |
|
|
3719 \hline $5$ & $8896$ & $10001011000000$ \\ |
|
|
3720 \hline $6$ & $8896$ & $10001011000000$ \\ |
|
|
3721 \hline $7$ & $x + 2^{6}n = 25344$ & $110001100000000$ \\ |
|
|
3722 \hline $8$ & $25344$ & $110001100000000$ \\ |
|
|
3723 \hline -- & $x/2^k = 99$ & \\ |
|
|
3724 \hline |
|
|
3725 \end{tabular} |
|
|
3726 \end{center} |
|
|
3727 \end{small} |
|
|
3728 \caption{Example of Montgomery Reduction (II)} |
|
|
3729 \label{fig:MONT2} |
|
|
3730 \end{figure} |
|
|
3731 |
|
|
3732 Figure~\ref{fig:MONT2} demonstrates the modified algorithm reducing $x = 5555$ modulo $n = 257$ with $k = 8$. |
|
|
3733 With this algorithm a single shift right at the end is the only right shift required to reduce the input instead of $k$ right shifts inside the |
|
|
3734 loop. Note that for the iterations $t = 2, 5, 6$ and $8$ where the result $x$ is not changed. In those iterations the $t$'th bit of $x$ is |
|
|
3735 zero and the appropriate multiple of $n$ does not need to be added to force the $t$'th bit of the result to zero. |
|
|
3736 |
|
|
3737 \subsection{Digit Based Montgomery Reduction} |
|
|
3738 Instead of computing the reduction on a bit-by-bit basis it is actually much faster to compute it on digit-by-digit basis. Consider the |
|
|
3739 previous algorithm re-written to compute the Montgomery reduction in this new fashion. |
|
|
3740 |
|
|
3741 \begin{figure}[!here] |
|
|
3742 \begin{small} |
|
|
3743 \begin{center} |
|
|
3744 \begin{tabular}{l} |
|
|
3745 \hline Algorithm \textbf{Montgomery Reduction} (modified II). \\ |
|
|
3746 \textbf{Input}. Integer $x$, $n$ and $k$ \\ |
|
|
3747 \textbf{Output}. $\beta^{-k}x \mbox{ (mod }n\mbox{)}$ \\ |
|
|
3748 \hline \\ |
|
|
3749 1. for $t$ from $0$ to $k - 1$ do \\ |
|
|
3750 \hspace{3mm}1.1 $x \leftarrow x + \mu n \beta^t$ \\ |
|
|
3751 2. Return $x/\beta^k$. \\ |
|
|
3752 \hline |
|
|
3753 \end{tabular} |
|
|
3754 \end{center} |
|
|
3755 \end{small} |
|
|
3756 \caption{Algorithm Montgomery Reduction (modified II)} |
|
|
3757 \end{figure} |
|
|
3758 |
|
|
3759 The value $\mu n \beta^t$ is a multiple of the modulus $n$ meaning that it will not change the residue. If the first digit of |
|
|
3760 the value $\mu n \beta^t$ equals the negative (modulo $\beta$) of the $t$'th digit of $x$ then the addition will result in a zero digit. This |
|
|
3761 problem breaks down to solving the following congruency. |
|
|
3762 |
|
|
3763 \begin{center} |
|
|
3764 \begin{tabular}{rcl} |
|
|
3765 $x_t + \mu n_0$ & $\equiv$ & $0 \mbox{ (mod }\beta\mbox{)}$ \\ |
|
|
3766 $\mu n_0$ & $\equiv$ & $-x_t \mbox{ (mod }\beta\mbox{)}$ \\ |
|
|
3767 $\mu$ & $\equiv$ & $-x_t/n_0 \mbox{ (mod }\beta\mbox{)}$ \\ |
|
|
3768 \end{tabular} |
|
|
3769 \end{center} |
|
|
3770 |
|
|
3771 In each iteration of the loop on step 1 a new value of $\mu$ must be calculated. The value of $-1/n_0 \mbox{ (mod }\beta\mbox{)}$ is used |
|
|
3772 extensively in this algorithm and should be precomputed. Let $\rho$ represent the negative of the modular inverse of $n_0$ modulo $\beta$. |
|
|
3773 |
|
|
3774 For example, let $\beta = 10$ represent the radix. Let $n = 17$ represent the modulus which implies $k = 2$ and $\rho \equiv 7$. Let $x = 33$ |
|
|
3775 represent the value to reduce. |
|
|
3776 |
|
|
3777 \newpage\begin{figure} |
|
|
3778 \begin{center} |
|
|
3779 \begin{tabular}{|c|c|c|} |
|
|
3780 \hline \textbf{Step ($t$)} & \textbf{Value of $x$} & \textbf{Value of $\mu$} \\ |
|
|
3781 \hline -- & $33$ & --\\ |
|
|
3782 \hline $0$ & $33 + \mu n = 50$ & $1$ \\ |
|
|
3783 \hline $1$ & $50 + \mu n \beta = 900$ & $5$ \\ |
|
|
3784 \hline |
|
|
3785 \end{tabular} |
|
|
3786 \end{center} |
|
|
3787 \caption{Example of Montgomery Reduction} |
|
|
3788 \end{figure} |
|
|
3789 |
|
|
3790 The final result $900$ is then divided by $\beta^k$ to produce the final result $9$. The first observation is that $9 \nequiv x \mbox{ (mod }n\mbox{)}$ |
|
|
3791 which implies the result is not the modular residue of $x$ modulo $n$. However, recall that the residue is actually multiplied by $\beta^{-k}$ in |
|
|
3792 the algorithm. To get the true residue the value must be multiplied by $\beta^k$. In this case $\beta^k \equiv 15 \mbox{ (mod }n\mbox{)}$ and |
|
|
3793 the correct residue is $9 \cdot 15 \equiv 16 \mbox{ (mod }n\mbox{)}$. |
|
|
3794 |
|
|
3795 \subsection{Baseline Montgomery Reduction} |
|
|
3796 The baseline Montgomery reduction algorithm will produce the residue for any size input. It is designed to be a catch-all algororithm for |
|
|
3797 Montgomery reductions. |
|
|
3798 |
|
|
3799 \newpage\begin{figure}[!here] |
|
|
3800 \begin{small} |
|
|
3801 \begin{center} |
|
|
3802 \begin{tabular}{l} |
|
|
3803 \hline Algorithm \textbf{mp\_montgomery\_reduce}. \\ |
|
|
3804 \textbf{Input}. mp\_int $x$, mp\_int $n$ and a digit $\rho \equiv -1/n_0 \mbox{ (mod }n\mbox{)}$. \\ |
|
|
3805 \hspace{11.5mm}($0 \le x < n^2, n > 1, (n, \beta) = 1, \beta^k > n$) \\ |
|
|
3806 \textbf{Output}. $\beta^{-k}x \mbox{ (mod }n\mbox{)}$ \\ |
|
|
3807 \hline \\ |
|
|
3808 1. $digs \leftarrow 2n.used + 1$ \\ |
|
|
3809 2. If $digs < MP\_ARRAY$ and $m.used < \delta$ then \\ |
|
|
3810 \hspace{3mm}2.1 Use algorithm fast\_mp\_montgomery\_reduce instead. \\ |
|
|
3811 \\ |
|
|
3812 Setup $x$ for the reduction. \\ |
|
|
3813 3. If $x.alloc < digs$ then grow $x$ to $digs$ digits. \\ |
|
|
3814 4. $x.used \leftarrow digs$ \\ |
|
|
3815 \\ |
|
|
3816 Eliminate the lower $k$ digits. \\ |
|
|
3817 5. For $ix$ from $0$ to $k - 1$ do \\ |
|
|
3818 \hspace{3mm}5.1 $\mu \leftarrow x_{ix} \cdot \rho \mbox{ (mod }\beta\mbox{)}$ \\ |
|
|
3819 \hspace{3mm}5.2 $u \leftarrow 0$ \\ |
|
|
3820 \hspace{3mm}5.3 For $iy$ from $0$ to $k - 1$ do \\ |
|
|
3821 \hspace{6mm}5.3.1 $\hat r \leftarrow \mu n_{iy} + x_{ix + iy} + u$ \\ |
|
|
3822 \hspace{6mm}5.3.2 $x_{ix + iy} \leftarrow \hat r \mbox{ (mod }\beta\mbox{)}$ \\ |
|
|
3823 \hspace{6mm}5.3.3 $u \leftarrow \lfloor \hat r / \beta \rfloor$ \\ |
|
|
3824 \hspace{3mm}5.4 While $u > 0$ do \\ |
|
|
3825 \hspace{6mm}5.4.1 $iy \leftarrow iy + 1$ \\ |
|
|
3826 \hspace{6mm}5.4.2 $x_{ix + iy} \leftarrow x_{ix + iy} + u$ \\ |
|
|
3827 \hspace{6mm}5.4.3 $u \leftarrow \lfloor x_{ix+iy} / \beta \rfloor$ \\ |
|
|
3828 \hspace{6mm}5.4.4 $x_{ix + iy} \leftarrow x_{ix+iy} \mbox{ (mod }\beta\mbox{)}$ \\ |
|
|
3829 \\ |
|
|
3830 Divide by $\beta^k$ and fix up as required. \\ |
|
|
3831 6. $x \leftarrow \lfloor x / \beta^k \rfloor$ \\ |
|
|
3832 7. If $x \ge n$ then \\ |
|
|
3833 \hspace{3mm}7.1 $x \leftarrow x - n$ \\ |
|
|
3834 8. Return(\textit{MP\_OKAY}). \\ |
|
|
3835 \hline |
|
|
3836 \end{tabular} |
|
|
3837 \end{center} |
|
|
3838 \end{small} |
|
|
3839 \caption{Algorithm mp\_montgomery\_reduce} |
|
|
3840 \end{figure} |
|
|
3841 |
|
|
3842 \textbf{Algorithm mp\_montgomery\_reduce.} |
|
|
3843 This algorithm reduces the input $x$ modulo $n$ in place using the Montgomery reduction algorithm. The algorithm is loosely based |
|
|
3844 on algorithm 14.32 of \cite[pp.601]{HAC} except it merges the multiplication of $\mu n \beta^t$ with the addition in the inner loop. The |
|
|
3845 restrictions on this algorithm are fairly easy to adapt to. First $0 \le x < n^2$ bounds the input to numbers in the same range as |
|
|
3846 for the Barrett algorithm. Additionally if $n > 1$ and $n$ is odd there will exist a modular inverse $\rho$. $\rho$ must be calculated in |
|
|
3847 advance of this algorithm. Finally the variable $k$ is fixed and a pseudonym for $n.used$. |
|
|
3848 |
|
|
3849 Step 2 decides whether a faster Montgomery algorithm can be used. It is based on the Comba technique meaning that there are limits on |
|
|
3850 the size of the input. This algorithm is discussed in ~COMBARED~. |
|
|
3851 |
|
|
3852 Step 5 is the main reduction loop of the algorithm. The value of $\mu$ is calculated once per iteration in the outer loop. The inner loop |
|
|
3853 calculates $x + \mu n \beta^{ix}$ by multiplying $\mu n$ and adding the result to $x$ shifted by $ix$ digits. Both the addition and |
|
|
3854 multiplication are performed in the same loop to save time and memory. Step 5.4 will handle any additional carries that escape the inner loop. |
|
|
3855 |
|
|
3856 Using a quick inspection this algorithm requires $n$ single precision multiplications for the outer loop and $n^2$ single precision multiplications |
|
|
3857 in the inner loop. In total $n^2 + n$ single precision multiplications which compares favourably to Barrett at $n^2 + 2n - 1$ single precision |
|
|
3858 multiplications. |
|
|
3859 |
|
|
3860 EXAM,bn_mp_montgomery_reduce.c |
|
|
3861 |
|
|
3862 This is the baseline implementation of the Montgomery reduction algorithm. Lines @30,digs@ to @35,}@ determine if the Comba based |
|
|
3863 routine can be used instead. Line @47,mu@ computes the value of $\mu$ for that particular iteration of the outer loop. |
|
|
3864 |
|
|
3865 The multiplication $\mu n \beta^{ix}$ is performed in one step in the inner loop. The alias $tmpx$ refers to the $ix$'th digit of $x$ and |
|
|
3866 the alias $tmpn$ refers to the modulus $n$. |
|
|
3867 |
|
|
3868 \subsection{Faster ``Comba'' Montgomery Reduction} |
|
|
3869 MARK,COMBARED |
|
|
3870 |
|
|
3871 The Montgomery reduction requires fewer single precision multiplications than a Barrett reduction, however it is much slower due to the serial |
|
|
3872 nature of the inner loop. The Barrett reduction algorithm requires two slightly modified multipliers which can be implemented with the Comba |
|
|
3873 technique. The Montgomery reduction algorithm cannot directly use the Comba technique to any significant advantage since the inner loop calculates |
|
|
3874 a $k \times 1$ product $k$ times. |
|
|
3875 |
|
|
3876 The biggest obstacle is that at the $ix$'th iteration of the outer loop the value of $x_{ix}$ is required to calculate $\mu$. This means the |
|
|
3877 carries from $0$ to $ix - 1$ must have been propagated upwards to form a valid $ix$'th digit. The solution as it turns out is very simple. |
|
|
3878 Perform a Comba like multiplier and inside the outer loop just after the inner loop fix up the $ix + 1$'th digit by forwarding the carry. |
|
|
3879 |
|
|
3880 With this change in place the Montgomery reduction algorithm can be performed with a Comba style multiplication loop which substantially increases |
|
|
3881 the speed of the algorithm. |
|
|
3882 |
|
|
3883 \newpage\begin{figure}[!here] |
|
|
3884 \begin{small} |
|
|
3885 \begin{center} |
|
|
3886 \begin{tabular}{l} |
|
|
3887 \hline Algorithm \textbf{fast\_mp\_montgomery\_reduce}. \\ |
|
|
3888 \textbf{Input}. mp\_int $x$, mp\_int $n$ and a digit $\rho \equiv -1/n_0 \mbox{ (mod }n\mbox{)}$. \\ |
|
|
3889 \hspace{11.5mm}($0 \le x < n^2, n > 1, (n, \beta) = 1, \beta^k > n$) \\ |
|
|
3890 \textbf{Output}. $\beta^{-k}x \mbox{ (mod }n\mbox{)}$ \\ |
|
|
3891 \hline \\ |
|
|
3892 Place an array of \textbf{MP\_WARRAY} mp\_word variables called $\hat W$ on the stack. \\ |
|
|
3893 1. if $x.alloc < n.used + 1$ then grow $x$ to $n.used + 1$ digits. \\ |
|
|
3894 Copy the digits of $x$ into the array $\hat W$ \\ |
|
|
3895 2. For $ix$ from $0$ to $x.used - 1$ do \\ |
|
|
3896 \hspace{3mm}2.1 $\hat W_{ix} \leftarrow x_{ix}$ \\ |
|
|
3897 3. For $ix$ from $x.used$ to $2n.used - 1$ do \\ |
|
|
3898 \hspace{3mm}3.1 $\hat W_{ix} \leftarrow 0$ \\ |
|
|
3899 Elimiate the lower $k$ digits. \\ |
|
|
3900 4. for $ix$ from $0$ to $n.used - 1$ do \\ |
|
|
3901 \hspace{3mm}4.1 $\mu \leftarrow \hat W_{ix} \cdot \rho \mbox{ (mod }\beta\mbox{)}$ \\ |
|
|
3902 \hspace{3mm}4.2 For $iy$ from $0$ to $n.used - 1$ do \\ |
|
|
3903 \hspace{6mm}4.2.1 $\hat W_{iy + ix} \leftarrow \hat W_{iy + ix} + \mu \cdot n_{iy}$ \\ |
|
|
3904 \hspace{3mm}4.3 $\hat W_{ix + 1} \leftarrow \hat W_{ix + 1} + \lfloor \hat W_{ix} / \beta \rfloor$ \\ |
|
|
3905 Propagate carries upwards. \\ |
|
|
3906 5. for $ix$ from $n.used$ to $2n.used + 1$ do \\ |
|
|
3907 \hspace{3mm}5.1 $\hat W_{ix + 1} \leftarrow \hat W_{ix + 1} + \lfloor \hat W_{ix} / \beta \rfloor$ \\ |
|
|
3908 Shift right and reduce modulo $\beta$ simultaneously. \\ |
|
|
3909 6. for $ix$ from $0$ to $n.used + 1$ do \\ |
|
|
3910 \hspace{3mm}6.1 $x_{ix} \leftarrow \hat W_{ix + n.used} \mbox{ (mod }\beta\mbox{)}$ \\ |
|
|
3911 Zero excess digits and fixup $x$. \\ |
|
|
3912 7. if $x.used > n.used + 1$ then do \\ |
|
|
3913 \hspace{3mm}7.1 for $ix$ from $n.used + 1$ to $x.used - 1$ do \\ |
|
|
3914 \hspace{6mm}7.1.1 $x_{ix} \leftarrow 0$ \\ |
|
|
3915 8. $x.used \leftarrow n.used + 1$ \\ |
|
|
3916 9. Clamp excessive digits of $x$. \\ |
|
|
3917 10. If $x \ge n$ then \\ |
|
|
3918 \hspace{3mm}10.1 $x \leftarrow x - n$ \\ |
|
|
3919 11. Return(\textit{MP\_OKAY}). \\ |
|
|
3920 \hline |
|
|
3921 \end{tabular} |
|
|
3922 \end{center} |
|
|
3923 \end{small} |
|
|
3924 \caption{Algorithm fast\_mp\_montgomery\_reduce} |
|
|
3925 \end{figure} |
|
|
3926 |
|
|
3927 \textbf{Algorithm fast\_mp\_montgomery\_reduce.} |
|
|
3928 This algorithm will compute the Montgomery reduction of $x$ modulo $n$ using the Comba technique. It is on most computer platforms significantly |
|
|
3929 faster than algorithm mp\_montgomery\_reduce and algorithm mp\_reduce (\textit{Barrett reduction}). The algorithm has the same restrictions |
|
|
3930 on the input as the baseline reduction algorithm. An additional two restrictions are imposed on this algorithm. The number of digits $k$ in the |
|
|
3931 the modulus $n$ must not violate $MP\_WARRAY > 2k +1$ and $n < \delta$. When $\beta = 2^{28}$ this algorithm can be used to reduce modulo |
|
|
3932 a modulus of at most $3,556$ bits in length. |
|
|
3933 |
|
|
3934 As in the other Comba reduction algorithms there is a $\hat W$ array which stores the columns of the product. It is initially filled with the |
|
|
3935 contents of $x$ with the excess digits zeroed. The reduction loop is very similar the to the baseline loop at heart. The multiplication on step |
|
|
3936 4.1 can be single precision only since $ab \mbox{ (mod }\beta\mbox{)} \equiv (a \mbox{ mod }\beta)(b \mbox{ mod }\beta)$. Some multipliers such |
|
|
3937 as those on the ARM processors take a variable length time to complete depending on the number of bytes of result it must produce. By performing |
|
|
3938 a single precision multiplication instead half the amount of time is spent. |
|
|
3939 |
|
|
3940 Also note that digit $\hat W_{ix}$ must have the carry from the $ix - 1$'th digit propagated upwards in order for this to work. That is what step |
|
|
3941 4.3 will do. In effect over the $n.used$ iterations of the outer loop the $n.used$'th lower columns all have the their carries propagated forwards. Note |
|
|
3942 how the upper bits of those same words are not reduced modulo $\beta$. This is because those values will be discarded shortly and there is no |
|
|
3943 point. |
|
|
3944 |
|
|
3945 Step 5 will propagate the remainder of the carries upwards. On step 6 the columns are reduced modulo $\beta$ and shifted simultaneously as they are |
|
|
3946 stored in the destination $x$. |
|
|
3947 |
|
|
3948 EXAM,bn_fast_mp_montgomery_reduce.c |
|
|
3949 |
|
|
3950 The $\hat W$ array is first filled with digits of $x$ on line @49,for@ then the rest of the digits are zeroed on line @54,for@. Both loops share |
|
|
3951 the same alias variables to make the code easier to read. |
|
|
3952 |
|
|
3953 The value of $\mu$ is calculated in an interesting fashion. First the value $\hat W_{ix}$ is reduced modulo $\beta$ and cast to a mp\_digit. This |
|
|
3954 forces the compiler to use a single precision multiplication and prevents any concerns about loss of precision. Line @101,>>@ fixes the carry |
|
|
3955 for the next iteration of the loop by propagating the carry from $\hat W_{ix}$ to $\hat W_{ix+1}$. |
|
|
3956 |
|
|
3957 The for loop on line @113,for@ propagates the rest of the carries upwards through the columns. The for loop on line @126,for@ reduces the columns |
|
|
3958 modulo $\beta$ and shifts them $k$ places at the same time. The alias $\_ \hat W$ actually refers to the array $\hat W$ starting at the $n.used$'th |
|
|
3959 digit, that is $\_ \hat W_{t} = \hat W_{n.used + t}$. |
|
|
3960 |
|
|
3961 \subsection{Montgomery Setup} |
|
|
3962 To calculate the variable $\rho$ a relatively simple algorithm will be required. |
|
|
3963 |
|
|
3964 \begin{figure}[!here] |
|
|
3965 \begin{small} |
|
|
3966 \begin{center} |
|
|
3967 \begin{tabular}{l} |
|
|
3968 \hline Algorithm \textbf{mp\_montgomery\_setup}. \\ |
|
|
3969 \textbf{Input}. mp\_int $n$ ($n > 1$ and $(n, 2) = 1$) \\ |
|
|
3970 \textbf{Output}. $\rho \equiv -1/n_0 \mbox{ (mod }\beta\mbox{)}$ \\ |
|
|
3971 \hline \\ |
|
|
3972 1. $b \leftarrow n_0$ \\ |
|
|
3973 2. If $b$ is even return(\textit{MP\_VAL}) \\ |
|
|
3974 3. $x \leftarrow ((b + 2) \mbox{ AND } 4) << 1) + b$ \\ |
|
|
3975 4. for $k$ from 0 to $\lceil lg(lg(\beta)) \rceil - 2$ do \\ |
|
|
3976 \hspace{3mm}4.1 $x \leftarrow x \cdot (2 - bx)$ \\ |
|
|
3977 5. $\rho \leftarrow \beta - x \mbox{ (mod }\beta\mbox{)}$ \\ |
|
|
3978 6. Return(\textit{MP\_OKAY}). \\ |
|
|
3979 \hline |
|
|
3980 \end{tabular} |
|
|
3981 \end{center} |
|
|
3982 \end{small} |
|
|
3983 \caption{Algorithm mp\_montgomery\_setup} |
|
|
3984 \end{figure} |
|
|
3985 |
|
|
3986 \textbf{Algorithm mp\_montgomery\_setup.} |
|
|
3987 This algorithm will calculate the value of $\rho$ required within the Montgomery reduction algorithms. It uses a very interesting trick |
|
|
3988 to calculate $1/n_0$ when $\beta$ is a power of two. |
|
|
3989 |
|
|
3990 EXAM,bn_mp_montgomery_setup.c |
|
|
3991 |
|
|
3992 This source code computes the value of $\rho$ required to perform Montgomery reduction. It has been modified to avoid performing excess |
|
|
3993 multiplications when $\beta$ is not the default 28-bits. |
|
|
3994 |
|
|
3995 \section{The Diminished Radix Algorithm} |
|
|
3996 The Diminished Radix method of modular reduction \cite{DRMET} is a fairly clever technique which can be more efficient than either the Barrett |
|
|
3997 or Montgomery methods for certain forms of moduli. The technique is based on the following simple congruence. |
|
|
3998 |
|
|
3999 \begin{equation} |
|
|
4000 (x \mbox{ mod } n) + k \lfloor x / n \rfloor \equiv x \mbox{ (mod }(n - k)\mbox{)} |
|
|
4001 \end{equation} |
|
|
4002 |
|
|
4003 This observation was used in the MMB \cite{MMB} block cipher to create a diffusion primitive. It used the fact that if $n = 2^{31}$ and $k=1$ that |
|
|
4004 then a x86 multiplier could produce the 62-bit product and use the ``shrd'' instruction to perform a double-precision right shift. The proof |
|
|
4005 of the above equation is very simple. First write $x$ in the product form. |
|
|
4006 |
|
|
4007 \begin{equation} |
|
|
4008 x = qn + r |
|
|
4009 \end{equation} |
|
|
4010 |
|
|
4011 Now reduce both sides modulo $(n - k)$. |
|
|
4012 |
|
|
4013 \begin{equation} |
|
|
4014 x \equiv qk + r \mbox{ (mod }(n-k)\mbox{)} |
|
|
4015 \end{equation} |
|
|
4016 |
|
|
4017 The variable $n$ reduces modulo $n - k$ to $k$. By putting $q = \lfloor x/n \rfloor$ and $r = x \mbox{ mod } n$ |
|
|
4018 into the equation the original congruence is reproduced, thus concluding the proof. The following algorithm is based on this observation. |
|
|
4019 |
|
|
4020 \begin{figure}[!here] |
|
|
4021 \begin{small} |
|
|
4022 \begin{center} |
|
|
4023 \begin{tabular}{l} |
|
|
4024 \hline Algorithm \textbf{Diminished Radix Reduction}. \\ |
|
|
4025 \textbf{Input}. Integer $x$, $n$, $k$ \\ |
|
|
4026 \textbf{Output}. $x \mbox{ mod } (n - k)$ \\ |
|
|
4027 \hline \\ |
|
|
4028 1. $q \leftarrow \lfloor x / n \rfloor$ \\ |
|
|
4029 2. $q \leftarrow k \cdot q$ \\ |
|
|
4030 3. $x \leftarrow x \mbox{ (mod }n\mbox{)}$ \\ |
|
|
4031 4. $x \leftarrow x + q$ \\ |
|
|
4032 5. If $x \ge (n - k)$ then \\ |
|
|
4033 \hspace{3mm}5.1 $x \leftarrow x - (n - k)$ \\ |
|
|
4034 \hspace{3mm}5.2 Goto step 1. \\ |
|
|
4035 6. Return $x$ \\ |
|
|
4036 \hline |
|
|
4037 \end{tabular} |
|
|
4038 \end{center} |
|
|
4039 \end{small} |
|
|
4040 \caption{Algorithm Diminished Radix Reduction} |
|
|
4041 \label{fig:DR} |
|
|
4042 \end{figure} |
|
|
4043 |
|
|
4044 This algorithm will reduce $x$ modulo $n - k$ and return the residue. If $0 \le x < (n - k)^2$ then the algorithm will loop almost always |
|
|
4045 once or twice and occasionally three times. For simplicity sake the value of $x$ is bounded by the following simple polynomial. |
|
|
4046 |
|
|
4047 \begin{equation} |
|
|
4048 0 \le x < n^2 + k^2 - 2nk |
|
|
4049 \end{equation} |
|
|
4050 |
|
|
4051 The true bound is $0 \le x < (n - k - 1)^2$ but this has quite a few more terms. The value of $q$ after step 1 is bounded by the following. |
|
|
4052 |
|
|
4053 \begin{equation} |
|
|
4054 q < n - 2k - k^2/n |
|
|
4055 \end{equation} |
|
|
4056 |
|
|
4057 Since $k^2$ is going to be considerably smaller than $n$ that term will always be zero. The value of $x$ after step 3 is bounded trivially as |
|
|
4058 $0 \le x < n$. By step four the sum $x + q$ is bounded by |
|
|
4059 |
|
|
4060 \begin{equation} |
|
|
4061 0 \le q + x < (k + 1)n - 2k^2 - 1 |
|
|
4062 \end{equation} |
|
|
4063 |
|
|
4064 With a second pass $q$ will be loosely bounded by $0 \le q < k^2$ after step 2 while $x$ will still be loosely bounded by $0 \le x < n$ after step 3. After the second pass it is highly unlike that the |
|
|
4065 sum in step 4 will exceed $n - k$. In practice fewer than three passes of the algorithm are required to reduce virtually every input in the |
|
|
4066 range $0 \le x < (n - k - 1)^2$. |
|
|
4067 |
|
|
4068 \begin{figure} |
|
|
4069 \begin{small} |
|
|
4070 \begin{center} |
|
|
4071 \begin{tabular}{|l|} |
|
|
4072 \hline |
|
|
4073 $x = 123456789, n = 256, k = 3$ \\ |
|
|
4074 \hline $q \leftarrow \lfloor x/n \rfloor = 482253$ \\ |
|
|
4075 $q \leftarrow q*k = 1446759$ \\ |
|
|
4076 $x \leftarrow x \mbox{ mod } n = 21$ \\ |
|
|
4077 $x \leftarrow x + q = 1446780$ \\ |
|
|
4078 $x \leftarrow x - (n - k) = 1446527$ \\ |
|
|
4079 \hline |
|
|
4080 $q \leftarrow \lfloor x/n \rfloor = 5650$ \\ |
|
|
4081 $q \leftarrow q*k = 16950$ \\ |
|
|
4082 $x \leftarrow x \mbox{ mod } n = 127$ \\ |
|
|
4083 $x \leftarrow x + q = 17077$ \\ |
|
|
4084 $x \leftarrow x - (n - k) = 16824$ \\ |
|
|
4085 \hline |
|
|
4086 $q \leftarrow \lfloor x/n \rfloor = 65$ \\ |
|
|
4087 $q \leftarrow q*k = 195$ \\ |
|
|
4088 $x \leftarrow x \mbox{ mod } n = 184$ \\ |
|
|
4089 $x \leftarrow x + q = 379$ \\ |
|
|
4090 $x \leftarrow x - (n - k) = 126$ \\ |
|
|
4091 \hline |
|
|
4092 \end{tabular} |
|
|
4093 \end{center} |
|
|
4094 \end{small} |
|
|
4095 \caption{Example Diminished Radix Reduction} |
|
|
4096 \label{fig:EXDR} |
|
|
4097 \end{figure} |
|
|
4098 |
|
|
4099 Figure~\ref{fig:EXDR} demonstrates the reduction of $x = 123456789$ modulo $n - k = 253$ when $n = 256$ and $k = 3$. Note that even while $x$ |
|
|
4100 is considerably larger than $(n - k - 1)^2 = 63504$ the algorithm still converges on the modular residue exceedingly fast. In this case only |
|
|
4101 three passes were required to find the residue $x \equiv 126$. |
|
|
4102 |
|
|
4103 |
|
|
4104 \subsection{Choice of Moduli} |
|
|
4105 On the surface this algorithm looks like a very expensive algorithm. It requires a couple of subtractions followed by multiplication and other |
|
|
4106 modular reductions. The usefulness of this algorithm becomes exceedingly clear when an appropriate modulus is chosen. |
|
|
4107 |
|
|
4108 Division in general is a very expensive operation to perform. The one exception is when the division is by a power of the radix of representation used. |
|
|
4109 Division by ten for example is simple for pencil and paper mathematics since it amounts to shifting the decimal place to the right. Similarly division |
|
|
4110 by two (\textit{or powers of two}) is very simple for binary computers to perform. It would therefore seem logical to choose $n$ of the form $2^p$ |
|
|
4111 which would imply that $\lfloor x / n \rfloor$ is a simple shift of $x$ right $p$ bits. |
|
|
4112 |
|
|
4113 However, there is one operation related to division of power of twos that is even faster than this. If $n = \beta^p$ then the division may be |
|
|
4114 performed by moving whole digits to the right $p$ places. In practice division by $\beta^p$ is much faster than division by $2^p$ for any $p$. |
|
|
4115 Also with the choice of $n = \beta^p$ reducing $x$ modulo $n$ merely requires zeroing the digits above the $p-1$'th digit of $x$. |
|
|
4116 |
|
|
4117 Throughout the next section the term ``restricted modulus'' will refer to a modulus of the form $\beta^p - k$ whereas the term ``unrestricted |
|
|
4118 modulus'' will refer to a modulus of the form $2^p - k$. The word ``restricted'' in this case refers to the fact that it is based on the |
|
|
4119 $2^p$ logic except $p$ must be a multiple of $lg(\beta)$. |
|
|
4120 |
|
|
4121 \subsection{Choice of $k$} |
|
|
4122 Now that division and reduction (\textit{step 1 and 3 of figure~\ref{fig:DR}}) have been optimized to simple digit operations the multiplication by $k$ |
|
|
4123 in step 2 is the most expensive operation. Fortunately the choice of $k$ is not terribly limited. For all intents and purposes it might |
|
|
4124 as well be a single digit. The smaller the value of $k$ is the faster the algorithm will be. |
|
|
4125 |
|
|
4126 \subsection{Restricted Diminished Radix Reduction} |
|
|
4127 The restricted Diminished Radix algorithm can quickly reduce an input modulo a modulus of the form $n = \beta^p - k$. This algorithm can reduce |
|
|
4128 an input $x$ within the range $0 \le x < n^2$ using only a couple passes of the algorithm demonstrated in figure~\ref{fig:DR}. The implementation |
|
|
4129 of this algorithm has been optimized to avoid additional overhead associated with a division by $\beta^p$, the multiplication by $k$ or the addition |
|
|
4130 of $x$ and $q$. The resulting algorithm is very efficient and can lead to substantial improvements over Barrett and Montgomery reduction when modular |
|
|
4131 exponentiations are performed. |
|
|
4132 |
|
|
4133 \newpage\begin{figure}[!here] |
|
|
4134 \begin{small} |
|
|
4135 \begin{center} |
|
|
4136 \begin{tabular}{l} |
|
|
4137 \hline Algorithm \textbf{mp\_dr\_reduce}. \\ |
|
|
4138 \textbf{Input}. mp\_int $x$, $n$ and a mp\_digit $k = \beta - n_0$ \\ |
|
|
4139 \hspace{11.5mm}($0 \le x < n^2$, $n > 1$, $0 < k < \beta$) \\ |
|
|
4140 \textbf{Output}. $x \mbox{ mod } n$ \\ |
|
|
4141 \hline \\ |
|
|
4142 1. $m \leftarrow n.used$ \\ |
|
|
4143 2. If $x.alloc < 2m$ then grow $x$ to $2m$ digits. \\ |
|
|
4144 3. $\mu \leftarrow 0$ \\ |
|
|
4145 4. for $i$ from $0$ to $m - 1$ do \\ |
|
|
4146 \hspace{3mm}4.1 $\hat r \leftarrow k \cdot x_{m+i} + x_{i} + \mu$ \\ |
|
|
4147 \hspace{3mm}4.2 $x_{i} \leftarrow \hat r \mbox{ (mod }\beta\mbox{)}$ \\ |
|
|
4148 \hspace{3mm}4.3 $\mu \leftarrow \lfloor \hat r / \beta \rfloor$ \\ |
|
|
4149 5. $x_{m} \leftarrow \mu$ \\ |
|
|
4150 6. for $i$ from $m + 1$ to $x.used - 1$ do \\ |
|
|
4151 \hspace{3mm}6.1 $x_{i} \leftarrow 0$ \\ |
|
|
4152 7. Clamp excess digits of $x$. \\ |
|
|
4153 8. If $x \ge n$ then \\ |
|
|
4154 \hspace{3mm}8.1 $x \leftarrow x - n$ \\ |
|
|
4155 \hspace{3mm}8.2 Goto step 3. \\ |
|
|
4156 9. Return(\textit{MP\_OKAY}). \\ |
|
|
4157 \hline |
|
|
4158 \end{tabular} |
|
|
4159 \end{center} |
|
|
4160 \end{small} |
|
|
4161 \caption{Algorithm mp\_dr\_reduce} |
|
|
4162 \end{figure} |
|
|
4163 |
|
|
4164 \textbf{Algorithm mp\_dr\_reduce.} |
|
|
4165 This algorithm will perform the Dimished Radix reduction of $x$ modulo $n$. It has similar restrictions to that of the Barrett reduction |
|
|
4166 with the addition that $n$ must be of the form $n = \beta^m - k$ where $0 < k <\beta$. |
|
|
4167 |
|
|
4168 This algorithm essentially implements the pseudo-code in figure~\ref{fig:DR} except with a slight optimization. The division by $\beta^m$, multiplication by $k$ |
|
|
4169 and addition of $x \mbox{ mod }\beta^m$ are all performed simultaneously inside the loop on step 4. The division by $\beta^m$ is emulated by accessing |
|
|
4170 the term at the $m+i$'th position which is subsequently multiplied by $k$ and added to the term at the $i$'th position. After the loop the $m$'th |
|
|
4171 digit is set to the carry and the upper digits are zeroed. Steps 5 and 6 emulate the reduction modulo $\beta^m$ that should have happend to |
|
|
4172 $x$ before the addition of the multiple of the upper half. |
|
|
4173 |
|
|
4174 At step 8 if $x$ is still larger than $n$ another pass of the algorithm is required. First $n$ is subtracted from $x$ and then the algorithm resumes |
|
|
4175 at step 3. |
|
|
4176 |
|
|
4177 EXAM,bn_mp_dr_reduce.c |
|
|
4178 |
|
|
4179 The first step is to grow $x$ as required to $2m$ digits since the reduction is performed in place on $x$. The label on line @49,top:@ is where |
|
|
4180 the algorithm will resume if further reduction passes are required. In theory it could be placed at the top of the function however, the size of |
|
|
4181 the modulus and question of whether $x$ is large enough are invariant after the first pass meaning that it would be a waste of time. |
|
|
4182 |
|
|
4183 The aliases $tmpx1$ and $tmpx2$ refer to the digits of $x$ where the latter is offset by $m$ digits. By reading digits from $x$ offset by $m$ digits |
|
|
4184 a division by $\beta^m$ can be simulated virtually for free. The loop on line @61,for@ performs the bulk of the work (\textit{corresponds to step 4 of algorithm 7.11}) |
|
|
4185 in this algorithm. |
|
|
4186 |
|
|
4187 By line @68,mu@ the pointer $tmpx1$ points to the $m$'th digit of $x$ which is where the final carry will be placed. Similarly by line @71,for@ the |
|
|
4188 same pointer will point to the $m+1$'th digit where the zeroes will be placed. |
|
|
4189 |
|
|
4190 Since the algorithm is only valid if both $x$ and $n$ are greater than zero an unsigned comparison suffices to determine if another pass is required. |
|
|
4191 With the same logic at line @82,sub@ the value of $x$ is known to be greater than or equal to $n$ meaning that an unsigned subtraction can be used |
|
|
4192 as well. Since the destination of the subtraction is the larger of the inputs the call to algorithm s\_mp\_sub cannot fail and the return code |
|
|
4193 does not need to be checked. |
|
|
4194 |
|
|
4195 \subsubsection{Setup} |
|
|
4196 To setup the restricted Diminished Radix algorithm the value $k = \beta - n_0$ is required. This algorithm is not really complicated but provided for |
|
|
4197 completeness. |
|
|
4198 |
|
|
4199 \begin{figure}[!here] |
|
|
4200 \begin{small} |
|
|
4201 \begin{center} |
|
|
4202 \begin{tabular}{l} |
|
|
4203 \hline Algorithm \textbf{mp\_dr\_setup}. \\ |
|
|
4204 \textbf{Input}. mp\_int $n$ \\ |
|
|
4205 \textbf{Output}. $k = \beta - n_0$ \\ |
|
|
4206 \hline \\ |
|
|
4207 1. $k \leftarrow \beta - n_0$ \\ |
|
|
4208 \hline |
|
|
4209 \end{tabular} |
|
|
4210 \end{center} |
|
|
4211 \end{small} |
|
|
4212 \caption{Algorithm mp\_dr\_setup} |
|
|
4213 \end{figure} |
|
|
4214 |
|
|
4215 EXAM,bn_mp_dr_setup.c |
|
|
4216 |
|
|
4217 \subsubsection{Modulus Detection} |
|
|
4218 Another algorithm which will be useful is the ability to detect a restricted Diminished Radix modulus. An integer is said to be |
|
|
4219 of restricted Diminished Radix form if all of the digits are equal to $\beta - 1$ except the trailing digit which may be any value. |
|
|
4220 |
|
|
4221 \begin{figure}[!here] |
|
|
4222 \begin{small} |
|
|
4223 \begin{center} |
|
|
4224 \begin{tabular}{l} |
|
|
4225 \hline Algorithm \textbf{mp\_dr\_is\_modulus}. \\ |
|
|
4226 \textbf{Input}. mp\_int $n$ \\ |
|
|
4227 \textbf{Output}. $1$ if $n$ is in D.R form, $0$ otherwise \\ |
|
|
4228 \hline |
|
|
4229 1. If $n.used < 2$ then return($0$). \\ |
|
|
4230 2. for $ix$ from $1$ to $n.used - 1$ do \\ |
|
|
4231 \hspace{3mm}2.1 If $n_{ix} \ne \beta - 1$ return($0$). \\ |
|
|
4232 3. Return($1$). \\ |
|
|
4233 \hline |
|
|
4234 \end{tabular} |
|
|
4235 \end{center} |
|
|
4236 \end{small} |
|
|
4237 \caption{Algorithm mp\_dr\_is\_modulus} |
|
|
4238 \end{figure} |
|
|
4239 |
|
|
4240 \textbf{Algorithm mp\_dr\_is\_modulus.} |
|
|
4241 This algorithm determines if a value is in Diminished Radix form. Step 1 rejects obvious cases where fewer than two digits are |
|
|
4242 in the mp\_int. Step 2 tests all but the first digit to see if they are equal to $\beta - 1$. If the algorithm manages to get to |
|
|
4243 step 3 then $n$ must be of Diminished Radix form. |
|
|
4244 |
|
|
4245 EXAM,bn_mp_dr_is_modulus.c |
|
|
4246 |
|
|
4247 \subsection{Unrestricted Diminished Radix Reduction} |
|
|
4248 The unrestricted Diminished Radix algorithm allows modular reductions to be performed when the modulus is of the form $2^p - k$. This algorithm |
|
|
4249 is a straightforward adaptation of algorithm~\ref{fig:DR}. |
|
|
4250 |
|
|
4251 In general the restricted Diminished Radix reduction algorithm is much faster since it has considerably lower overhead. However, this new |
|
|
4252 algorithm is much faster than either Montgomery or Barrett reduction when the moduli are of the appropriate form. |
|
|
4253 |
|
|
4254 \begin{figure}[!here] |
|
|
4255 \begin{small} |
|
|
4256 \begin{center} |
|
|
4257 \begin{tabular}{l} |
|
|
4258 \hline Algorithm \textbf{mp\_reduce\_2k}. \\ |
|
|
4259 \textbf{Input}. mp\_int $a$ and $n$. mp\_digit $k$ \\ |
|
|
4260 \hspace{11.5mm}($a \ge 0$, $n > 1$, $0 < k < \beta$, $n + k$ is a power of two) \\ |
|
|
4261 \textbf{Output}. $a \mbox{ (mod }n\mbox{)}$ \\ |
|
|
4262 \hline |
|
|
4263 1. $p \leftarrow \lceil lg(n) \rceil$ (\textit{mp\_count\_bits}) \\ |
|
|
4264 2. While $a \ge n$ do \\ |
|
|
4265 \hspace{3mm}2.1 $q \leftarrow \lfloor a / 2^p \rfloor$ (\textit{mp\_div\_2d}) \\ |
|
|
4266 \hspace{3mm}2.2 $a \leftarrow a \mbox{ (mod }2^p\mbox{)}$ (\textit{mp\_mod\_2d}) \\ |
|
|
4267 \hspace{3mm}2.3 $q \leftarrow q \cdot k$ (\textit{mp\_mul\_d}) \\ |
|
|
4268 \hspace{3mm}2.4 $a \leftarrow a - q$ (\textit{s\_mp\_sub}) \\ |
|
|
4269 \hspace{3mm}2.5 If $a \ge n$ then do \\ |
|
|
4270 \hspace{6mm}2.5.1 $a \leftarrow a - n$ \\ |
|
|
4271 3. Return(\textit{MP\_OKAY}). \\ |
|
|
4272 \hline |
|
|
4273 \end{tabular} |
|
|
4274 \end{center} |
|
|
4275 \end{small} |
|
|
4276 \caption{Algorithm mp\_reduce\_2k} |
|
|
4277 \end{figure} |
|
|
4278 |
|
|
4279 \textbf{Algorithm mp\_reduce\_2k.} |
|
|
4280 This algorithm quickly reduces an input $a$ modulo an unrestricted Diminished Radix modulus $n$. Division by $2^p$ is emulated with a right |
|
|
4281 shift which makes the algorithm fairly inexpensive to use. |
|
|
4282 |
|
|
4283 EXAM,bn_mp_reduce_2k.c |
|
|
4284 |
|
|
4285 The algorithm mp\_count\_bits calculates the number of bits in an mp\_int which is used to find the initial value of $p$. The call to mp\_div\_2d |
|
|
4286 on line @31,mp_div_2d@ calculates both the quotient $q$ and the remainder $a$ required. By doing both in a single function call the code size |
|
|
4287 is kept fairly small. The multiplication by $k$ is only performed if $k > 1$. This allows reductions modulo $2^p - 1$ to be performed without |
|
|
4288 any multiplications. |
|
|
4289 |
|
|
4290 The unsigned s\_mp\_add, mp\_cmp\_mag and s\_mp\_sub are used in place of their full sign counterparts since the inputs are only valid if they are |
|
|
4291 positive. By using the unsigned versions the overhead is kept to a minimum. |
|
|
4292 |
|
|
4293 \subsubsection{Unrestricted Setup} |
|
|
4294 To setup this reduction algorithm the value of $k = 2^p - n$ is required. |
|
|
4295 |
|
|
4296 \begin{figure}[!here] |
|
|
4297 \begin{small} |
|
|
4298 \begin{center} |
|
|
4299 \begin{tabular}{l} |
|
|
4300 \hline Algorithm \textbf{mp\_reduce\_2k\_setup}. \\ |
|
|
4301 \textbf{Input}. mp\_int $n$ \\ |
|
|
4302 \textbf{Output}. $k = 2^p - n$ \\ |
|
|
4303 \hline |
|
|
4304 1. $p \leftarrow \lceil lg(n) \rceil$ (\textit{mp\_count\_bits}) \\ |
|
|
4305 2. $x \leftarrow 2^p$ (\textit{mp\_2expt}) \\ |
|
|
4306 3. $x \leftarrow x - n$ (\textit{mp\_sub}) \\ |
|
|
4307 4. $k \leftarrow x_0$ \\ |
|
|
4308 5. Return(\textit{MP\_OKAY}). \\ |
|
|
4309 \hline |
|
|
4310 \end{tabular} |
|
|
4311 \end{center} |
|
|
4312 \end{small} |
|
|
4313 \caption{Algorithm mp\_reduce\_2k\_setup} |
|
|
4314 \end{figure} |
|
|
4315 |
|
|
4316 \textbf{Algorithm mp\_reduce\_2k\_setup.} |
|
|
4317 This algorithm computes the value of $k$ required for the algorithm mp\_reduce\_2k. By making a temporary variable $x$ equal to $2^p$ a subtraction |
|
|
4318 is sufficient to solve for $k$. Alternatively if $n$ has more than one digit the value of $k$ is simply $\beta - n_0$. |
|
|
4319 |
|
|
4320 EXAM,bn_mp_reduce_2k_setup.c |
|
|
4321 |
|
|
4322 \subsubsection{Unrestricted Detection} |
|
|
4323 An integer $n$ is a valid unrestricted Diminished Radix modulus if either of the following are true. |
|
|
4324 |
|
|
4325 \begin{enumerate} |
|
|
4326 \item The number has only one digit. |
|
|
4327 \item The number has more than one digit and every bit from the $\beta$'th to the most significant is one. |
|
|
4328 \end{enumerate} |
|
|
4329 |
|
|
4330 If either condition is true than there is a power of two $2^p$ such that $0 < 2^p - n < \beta$. If the input is only |
|
|
4331 one digit than it will always be of the correct form. Otherwise all of the bits above the first digit must be one. This arises from the fact |
|
|
4332 that there will be value of $k$ that when added to the modulus causes a carry in the first digit which propagates all the way to the most |
|
|
4333 significant bit. The resulting sum will be a power of two. |
|
|
4334 |
|
|
4335 \begin{figure}[!here] |
|
|
4336 \begin{small} |
|
|
4337 \begin{center} |
|
|
4338 \begin{tabular}{l} |
|
|
4339 \hline Algorithm \textbf{mp\_reduce\_is\_2k}. \\ |
|
|
4340 \textbf{Input}. mp\_int $n$ \\ |
|
|
4341 \textbf{Output}. $1$ if of proper form, $0$ otherwise \\ |
|
|
4342 \hline |
|
|
4343 1. If $n.used = 0$ then return($0$). \\ |
|
|
4344 2. If $n.used = 1$ then return($1$). \\ |
|
|
4345 3. $p \leftarrow \lceil lg(n) \rceil$ (\textit{mp\_count\_bits}) \\ |
|
|
4346 4. for $x$ from $lg(\beta)$ to $p$ do \\ |
|
|
4347 \hspace{3mm}4.1 If the ($x \mbox{ mod }lg(\beta)$)'th bit of the $\lfloor x / lg(\beta) \rfloor$ of $n$ is zero then return($0$). \\ |
|
|
4348 5. Return($1$). \\ |
|
|
4349 \hline |
|
|
4350 \end{tabular} |
|
|
4351 \end{center} |
|
|
4352 \end{small} |
|
|
4353 \caption{Algorithm mp\_reduce\_is\_2k} |
|
|
4354 \end{figure} |
|
|
4355 |
|
|
4356 \textbf{Algorithm mp\_reduce\_is\_2k.} |
|
|
4357 This algorithm quickly determines if a modulus is of the form required for algorithm mp\_reduce\_2k to function properly. |
|
|
4358 |
|
|
4359 EXAM,bn_mp_reduce_is_2k.c |
|
|
4360 |
|
|
4361 |
|
|
4362 |
|
|
4363 \section{Algorithm Comparison} |
|
|
4364 So far three very different algorithms for modular reduction have been discussed. Each of the algorithms have their own strengths and weaknesses |
|
|
4365 that makes having such a selection very useful. The following table sumarizes the three algorithms along with comparisons of work factors. Since |
|
|
4366 all three algorithms have the restriction that $0 \le x < n^2$ and $n > 1$ those limitations are not included in the table. |
|
|
4367 |
|
|
4368 \begin{center} |
|
|
4369 \begin{small} |
|
|
4370 \begin{tabular}{|c|c|c|c|c|c|} |
|
|
4371 \hline \textbf{Method} & \textbf{Work Required} & \textbf{Limitations} & \textbf{$m = 8$} & \textbf{$m = 32$} & \textbf{$m = 64$} \\ |
|
|
4372 \hline Barrett & $m^2 + 2m - 1$ & None & $79$ & $1087$ & $4223$ \\ |
|
|
4373 \hline Montgomery & $m^2 + m$ & $n$ must be odd & $72$ & $1056$ & $4160$ \\ |
|
|
4374 \hline D.R. & $2m$ & $n = \beta^m - k$ & $16$ & $64$ & $128$ \\ |
|
|
4375 \hline |
|
|
4376 \end{tabular} |
|
|
4377 \end{small} |
|
|
4378 \end{center} |
|
|
4379 |
|
|
4380 In theory Montgomery and Barrett reductions would require roughly the same amount of time to complete. However, in practice since Montgomery |
|
|
4381 reduction can be written as a single function with the Comba technique it is much faster. Barrett reduction suffers from the overhead of |
|
|
4382 calling the half precision multipliers, addition and division by $\beta$ algorithms. |
|
|
4383 |
|
|
4384 For almost every cryptographic algorithm Montgomery reduction is the algorithm of choice. The one set of algorithms where Diminished Radix reduction truly |
|
|
4385 shines are based on the discrete logarithm problem such as Diffie-Hellman \cite{DH} and ElGamal \cite{ELGAMAL}. In these algorithms |
|
|
4386 primes of the form $\beta^m - k$ can be found and shared amongst users. These primes will allow the Diminished Radix algorithm to be used in |
|
|
4387 modular exponentiation to greatly speed up the operation. |
|
|
4388 |
|
|
4389 |
|
|
4390 |
|
|
4391 \section*{Exercises} |
|
|
4392 \begin{tabular}{cl} |
|
|
4393 $\left [ 3 \right ]$ & Prove that the ``trick'' in algorithm mp\_montgomery\_setup actually \\ |
|
|
4394 & calculates the correct value of $\rho$. \\ |
|
|
4395 & \\ |
|
|
4396 $\left [ 2 \right ]$ & Devise an algorithm to reduce modulo $n + k$ for small $k$ quickly. \\ |
|
|
4397 & \\ |
|
|
4398 $\left [ 4 \right ]$ & Prove that the pseudo-code algorithm ``Diminished Radix Reduction'' \\ |
|
|
4399 & (\textit{figure~\ref{fig:DR}}) terminates. Also prove the probability that it will \\ |
|
|
4400 & terminate within $1 \le k \le 10$ iterations. \\ |
|
|
4401 & \\ |
|
|
4402 \end{tabular} |
|
|
4403 |
|
|
4404 |
|
|
4405 \chapter{Exponentiation} |
|
|
4406 Exponentiation is the operation of raising one variable to the power of another, for example, $a^b$. A variant of exponentiation, computed |
|
|
4407 in a finite field or ring, is called modular exponentiation. This latter style of operation is typically used in public key |
|
|
4408 cryptosystems such as RSA and Diffie-Hellman. The ability to quickly compute modular exponentiations is of great benefit to any |
|
|
4409 such cryptosystem and many methods have been sought to speed it up. |
|
|
4410 |
|
|
4411 \section{Exponentiation Basics} |
|
|
4412 A trivial algorithm would simply multiply $a$ against itself $b - 1$ times to compute the exponentiation desired. However, as $b$ grows in size |
|
|
4413 the number of multiplications becomes prohibitive. Imagine what would happen if $b$ $\approx$ $2^{1024}$ as is the case when computing an RSA signature |
|
|
4414 with a $1024$-bit key. Such a calculation could never be completed as it would take simply far too long. |
|
|
4415 |
|
|
4416 Fortunately there is a very simple algorithm based on the laws of exponents. Recall that $lg_a(a^b) = b$ and that $lg_a(a^ba^c) = b + c$ which |
|
|
4417 are two trivial relationships between the base and the exponent. Let $b_i$ represent the $i$'th bit of $b$ starting from the least |
|
|
4418 significant bit. If $b$ is a $k$-bit integer than the following equation is true. |
|
|
4419 |
|
|
4420 \begin{equation} |
|
|
4421 a^b = \prod_{i=0}^{k-1} a^{2^i \cdot b_i} |
|
|
4422 \end{equation} |
|
|
4423 |
|
|
4424 By taking the base $a$ logarithm of both sides of the equation the following equation is the result. |
|
|
4425 |
|
|
4426 \begin{equation} |
|
|
4427 b = \sum_{i=0}^{k-1}2^i \cdot b_i |
|
|
4428 \end{equation} |
|
|
4429 |
|
|
4430 The term $a^{2^i}$ can be found from the $i - 1$'th term by squaring the term since $\left ( a^{2^i} \right )^2$ is equal to |
|
|
4431 $a^{2^{i+1}}$. This observation forms the basis of essentially all fast exponentiation algorithms. It requires $k$ squarings and on average |
|
|
4432 $k \over 2$ multiplications to compute the result. This is indeed quite an improvement over simply multiplying by $a$ a total of $b-1$ times. |
|
|
4433 |
|
|
4434 While this current method is a considerable speed up there are further improvements to be made. For example, the $a^{2^i}$ term does not need to |
|
|
4435 be computed in an auxilary variable. Consider the following equivalent algorithm. |
|
|
4436 |
|
|
4437 \begin{figure}[!here] |
|
|
4438 \begin{small} |
|
|
4439 \begin{center} |
|
|
4440 \begin{tabular}{l} |
|
|
4441 \hline Algorithm \textbf{Left to Right Exponentiation}. \\ |
|
|
4442 \textbf{Input}. Integer $a$, $b$ and $k$ \\ |
|
|
4443 \textbf{Output}. $c = a^b$ \\ |
|
|
4444 \hline \\ |
|
|
4445 1. $c \leftarrow 1$ \\ |
|
|
4446 2. for $i$ from $k - 1$ to $0$ do \\ |
|
|
4447 \hspace{3mm}2.1 $c \leftarrow c^2$ \\ |
|
|
4448 \hspace{3mm}2.2 $c \leftarrow c \cdot a^{b_i}$ \\ |
|
|
4449 3. Return $c$. \\ |
|
|
4450 \hline |
|
|
4451 \end{tabular} |
|
|
4452 \end{center} |
|
|
4453 \end{small} |
|
|
4454 \caption{Left to Right Exponentiation} |
|
|
4455 \label{fig:LTOR} |
|
|
4456 \end{figure} |
|
|
4457 |
|
|
4458 This algorithm starts from the most significant bit and works towards the least significant bit. When the $i$'th bit of $b$ is set $a$ is |
|
|
4459 multiplied against the current product. In each iteration the product is squared which doubles the exponent of the individual terms of the |
|
|
4460 product. |
|
|
4461 |
|
|
4462 For example, let $b = 101100_2 \equiv 44_{10}$. The following chart demonstrates the actions of the algorithm. |
|
|
4463 |
|
|
4464 \newpage\begin{figure} |
|
|
4465 \begin{center} |
|
|
4466 \begin{tabular}{|c|c|} |
|
|
4467 \hline \textbf{Value of $i$} & \textbf{Value of $c$} \\ |
|
|
4468 \hline - & $1$ \\ |
|
|
4469 \hline $5$ & $a$ \\ |
|
|
4470 \hline $4$ & $a^2$ \\ |
|
|
4471 \hline $3$ & $a^4 \cdot a$ \\ |
|
|
4472 \hline $2$ & $a^8 \cdot a^2 \cdot a$ \\ |
|
|
4473 \hline $1$ & $a^{16} \cdot a^4 \cdot a^2$ \\ |
|
|
4474 \hline $0$ & $a^{32} \cdot a^8 \cdot a^4$ \\ |
|
|
4475 \hline |
|
|
4476 \end{tabular} |
|
|
4477 \end{center} |
|
|
4478 \caption{Example of Left to Right Exponentiation} |
|
|
4479 \end{figure} |
|
|
4480 |
|
|
4481 When the product $a^{32} \cdot a^8 \cdot a^4$ is simplified it is equal $a^{44}$ which is the desired exponentiation. This particular algorithm is |
|
|
4482 called ``Left to Right'' because it reads the exponent in that order. All of the exponentiation algorithms that will be presented are of this nature. |
|
|
4483 |
|
|
4484 \subsection{Single Digit Exponentiation} |
|
|
4485 The first algorithm in the series of exponentiation algorithms will be an unbounded algorithm where the exponent is a single digit. It is intended |
|
|
4486 to be used when a small power of an input is required (\textit{e.g. $a^5$}). It is faster than simply multiplying $b - 1$ times for all values of |
|
|
4487 $b$ that are greater than three. |
|
|
4488 |
|
|
4489 \newpage\begin{figure}[!here] |
|
|
4490 \begin{small} |
|
|
4491 \begin{center} |
|
|
4492 \begin{tabular}{l} |
|
|
4493 \hline Algorithm \textbf{mp\_expt\_d}. \\ |
|
|
4494 \textbf{Input}. mp\_int $a$ and mp\_digit $b$ \\ |
|
|
4495 \textbf{Output}. $c = a^b$ \\ |
|
|
4496 \hline \\ |
|
|
4497 1. $g \leftarrow a$ (\textit{mp\_init\_copy}) \\ |
|
|
4498 2. $c \leftarrow 1$ (\textit{mp\_set}) \\ |
|
|
4499 3. for $x$ from 1 to $lg(\beta)$ do \\ |
|
|
4500 \hspace{3mm}3.1 $c \leftarrow c^2$ (\textit{mp\_sqr}) \\ |
|
|
4501 \hspace{3mm}3.2 If $b$ AND $2^{lg(\beta) - 1} \ne 0$ then \\ |
|
|
4502 \hspace{6mm}3.2.1 $c \leftarrow c \cdot g$ (\textit{mp\_mul}) \\ |
|
|
4503 \hspace{3mm}3.3 $b \leftarrow b << 1$ \\ |
|
|
4504 4. Clear $g$. \\ |
|
|
4505 5. Return(\textit{MP\_OKAY}). \\ |
|
|
4506 \hline |
|
|
4507 \end{tabular} |
|
|
4508 \end{center} |
|
|
4509 \end{small} |
|
|
4510 \caption{Algorithm mp\_expt\_d} |
|
|
4511 \end{figure} |
|
|
4512 |
|
|
4513 \textbf{Algorithm mp\_expt\_d.} |
|
|
4514 This algorithm computes the value of $a$ raised to the power of a single digit $b$. It uses the left to right exponentiation algorithm to |
|
|
4515 quickly compute the exponentiation. It is loosely based on algorithm 14.79 of HAC \cite[pp. 615]{HAC} with the difference that the |
|
|
4516 exponent is a fixed width. |
|
|
4517 |
|
|
4518 A copy of $a$ is made first to allow destination variable $c$ be the same as the source variable $a$. The result is set to the initial value of |
|
|
4519 $1$ in the subsequent step. |
|
|
4520 |
|
|
4521 Inside the loop the exponent is read from the most significant bit first down to the least significant bit. First $c$ is invariably squared |
|
|
4522 on step 3.1. In the following step if the most significant bit of $b$ is one the copy of $a$ is multiplied against $c$. The value |
|
|
4523 of $b$ is shifted left one bit to make the next bit down from the most signficant bit the new most significant bit. In effect each |
|
|
4524 iteration of the loop moves the bits of the exponent $b$ upwards to the most significant location. |
|
|
4525 |
|
|
4526 EXAM,bn_mp_expt_d.c |
|
|
4527 |
|
|
4528 Line @29,mp_set@ sets the initial value of the result to $1$. Next the loop on line @31,for@ steps through each bit of the exponent starting from |
|
|
4529 the most significant down towards the least significant. The invariant squaring operation placed on line @333,mp_sqr@ is performed first. After |
|
|
4530 the squaring the result $c$ is multiplied by the base $g$ if and only if the most significant bit of the exponent is set. The shift on line |
|
|
4531 @47,<<@ moves all of the bits of the exponent upwards towards the most significant location. |
|
|
4532 |
|
|
4533 \section{$k$-ary Exponentiation} |
|
|
4534 When calculating an exponentiation the most time consuming bottleneck is the multiplications which are in general a small factor |
|
|
4535 slower than squaring. Recall from the previous algorithm that $b_{i}$ refers to the $i$'th bit of the exponent $b$. Suppose instead it referred to |
|
|
4536 the $i$'th $k$-bit digit of the exponent of $b$. For $k = 1$ the definitions are synonymous and for $k > 1$ algorithm~\ref{fig:KARY} |
|
|
4537 computes the same exponentiation. A group of $k$ bits from the exponent is called a \textit{window}. That is it is a small window on only a |
|
|
4538 portion of the entire exponent. Consider the following modification to the basic left to right exponentiation algorithm. |
|
|
4539 |
|
|
4540 \begin{figure}[!here] |
|
|
4541 \begin{small} |
|
|
4542 \begin{center} |
|
|
4543 \begin{tabular}{l} |
|
|
4544 \hline Algorithm \textbf{$k$-ary Exponentiation}. \\ |
|
|
4545 \textbf{Input}. Integer $a$, $b$, $k$ and $t$ \\ |
|
|
4546 \textbf{Output}. $c = a^b$ \\ |
|
|
4547 \hline \\ |
|
|
4548 1. $c \leftarrow 1$ \\ |
|
|
4549 2. for $i$ from $t - 1$ to $0$ do \\ |
|
|
4550 \hspace{3mm}2.1 $c \leftarrow c^{2^k} $ \\ |
|
|
4551 \hspace{3mm}2.2 Extract the $i$'th $k$-bit word from $b$ and store it in $g$. \\ |
|
|
4552 \hspace{3mm}2.3 $c \leftarrow c \cdot a^g$ \\ |
|
|
4553 3. Return $c$. \\ |
|
|
4554 \hline |
|
|
4555 \end{tabular} |
|
|
4556 \end{center} |
|
|
4557 \end{small} |
|
|
4558 \caption{$k$-ary Exponentiation} |
|
|
4559 \label{fig:KARY} |
|
|
4560 \end{figure} |
|
|
4561 |
|
|
4562 The squaring on step 2.1 can be calculated by squaring the value $c$ successively $k$ times. If the values of $a^g$ for $0 < g < 2^k$ have been |
|
|
4563 precomputed this algorithm requires only $t$ multiplications and $tk$ squarings. The table can be generated with $2^{k - 1} - 1$ squarings and |
|
|
4564 $2^{k - 1} + 1$ multiplications. This algorithm assumes that the number of bits in the exponent is evenly divisible by $k$. |
|
|
4565 However, when it is not the remaining $0 < x \le k - 1$ bits can be handled with algorithm~\ref{fig:LTOR}. |
|
|
4566 |
|
|
4567 Suppose $k = 4$ and $t = 100$. This modified algorithm will require $109$ multiplications and $408$ squarings to compute the exponentiation. The |
|
|
4568 original algorithm would on average have required $200$ multiplications and $400$ squrings to compute the same value. The total number of squarings |
|
|
4569 has increased slightly but the number of multiplications has nearly halved. |
|
|
4570 |
|
|
4571 \subsection{Optimal Values of $k$} |
|
|
4572 An optimal value of $k$ will minimize $2^{k} + \lceil n / k \rceil + n - 1$ for a fixed number of bits in the exponent $n$. The simplest |
|
|
4573 approach is to brute force search amongst the values $k = 2, 3, \ldots, 8$ for the lowest result. Table~\ref{fig:OPTK} lists optimal values of $k$ |
|
|
4574 for various exponent sizes and compares the number of multiplication and squarings required against algorithm~\ref{fig:LTOR}. |
|
|
4575 |
|
|
4576 \begin{figure}[here] |
|
|
4577 \begin{center} |
|
|
4578 \begin{small} |
|
|
4579 \begin{tabular}{|c|c|c|c|c|c|} |
|
|
4580 \hline \textbf{Exponent (bits)} & \textbf{Optimal $k$} & \textbf{Work at $k$} & \textbf{Work with ~\ref{fig:LTOR}} \\ |
|
|
4581 \hline $16$ & $2$ & $27$ & $24$ \\ |
|
|
4582 \hline $32$ & $3$ & $49$ & $48$ \\ |
|
|
4583 \hline $64$ & $3$ & $92$ & $96$ \\ |
|
|
4584 \hline $128$ & $4$ & $175$ & $192$ \\ |
|
|
4585 \hline $256$ & $4$ & $335$ & $384$ \\ |
|
|
4586 \hline $512$ & $5$ & $645$ & $768$ \\ |
|
|
4587 \hline $1024$ & $6$ & $1257$ & $1536$ \\ |
|
|
4588 \hline $2048$ & $6$ & $2452$ & $3072$ \\ |
|
|
4589 \hline $4096$ & $7$ & $4808$ & $6144$ \\ |
|
|
4590 \hline |
|
|
4591 \end{tabular} |
|
|
4592 \end{small} |
|
|
4593 \end{center} |
|
|
4594 \caption{Optimal Values of $k$ for $k$-ary Exponentiation} |
|
|
4595 \label{fig:OPTK} |
|
|
4596 \end{figure} |
|
|
4597 |
|
|
4598 \subsection{Sliding-Window Exponentiation} |
|
|
4599 A simple modification to the previous algorithm is only generate the upper half of the table in the range $2^{k-1} \le g < 2^k$. Essentially |
|
|
4600 this is a table for all values of $g$ where the most significant bit of $g$ is a one. However, in order for this to be allowed in the |
|
|
4601 algorithm values of $g$ in the range $0 \le g < 2^{k-1}$ must be avoided. |
|
|
4602 |
|
|
4603 Table~\ref{fig:OPTK2} lists optimal values of $k$ for various exponent sizes and compares the work required against algorithm~\ref{fig:KARY}. |
|
|
4604 |
|
|
4605 \begin{figure}[here] |
|
|
4606 \begin{center} |
|
|
4607 \begin{small} |
|
|
4608 \begin{tabular}{|c|c|c|c|c|c|} |
|
|
4609 \hline \textbf{Exponent (bits)} & \textbf{Optimal $k$} & \textbf{Work at $k$} & \textbf{Work with ~\ref{fig:KARY}} \\ |
|
|
4610 \hline $16$ & $3$ & $24$ & $27$ \\ |
|
|
4611 \hline $32$ & $3$ & $45$ & $49$ \\ |
|
|
4612 \hline $64$ & $4$ & $87$ & $92$ \\ |
|
|
4613 \hline $128$ & $4$ & $167$ & $175$ \\ |
|
|
4614 \hline $256$ & $5$ & $322$ & $335$ \\ |
|
|
4615 \hline $512$ & $6$ & $628$ & $645$ \\ |
|
|
4616 \hline $1024$ & $6$ & $1225$ & $1257$ \\ |
|
|
4617 \hline $2048$ & $7$ & $2403$ & $2452$ \\ |
|
|
4618 \hline $4096$ & $8$ & $4735$ & $4808$ \\ |
|
|
4619 \hline |
|
|
4620 \end{tabular} |
|
|
4621 \end{small} |
|
|
4622 \end{center} |
|
|
4623 \caption{Optimal Values of $k$ for Sliding Window Exponentiation} |
|
|
4624 \label{fig:OPTK2} |
|
|
4625 \end{figure} |
|
|
4626 |
|
|
4627 \newpage\begin{figure}[!here] |
|
|
4628 \begin{small} |
|
|
4629 \begin{center} |
|
|
4630 \begin{tabular}{l} |
|
|
4631 \hline Algorithm \textbf{Sliding Window $k$-ary Exponentiation}. \\ |
|
|
4632 \textbf{Input}. Integer $a$, $b$, $k$ and $t$ \\ |
|
|
4633 \textbf{Output}. $c = a^b$ \\ |
|
|
4634 \hline \\ |
|
|
4635 1. $c \leftarrow 1$ \\ |
|
|
4636 2. for $i$ from $t - 1$ to $0$ do \\ |
|
|
4637 \hspace{3mm}2.1 If the $i$'th bit of $b$ is a zero then \\ |
|
|
4638 \hspace{6mm}2.1.1 $c \leftarrow c^2$ \\ |
|
|
4639 \hspace{3mm}2.2 else do \\ |
|
|
4640 \hspace{6mm}2.2.1 $c \leftarrow c^{2^k}$ \\ |
|
|
4641 \hspace{6mm}2.2.2 Extract the $k$ bits from $(b_{i}b_{i-1}\ldots b_{i-(k-1)})$ and store it in $g$. \\ |
|
|
4642 \hspace{6mm}2.2.3 $c \leftarrow c \cdot a^g$ \\ |
|
|
4643 \hspace{6mm}2.2.4 $i \leftarrow i - k$ \\ |
|
|
4644 3. Return $c$. \\ |
|
|
4645 \hline |
|
|
4646 \end{tabular} |
|
|
4647 \end{center} |
|
|
4648 \end{small} |
|
|
4649 \caption{Sliding Window $k$-ary Exponentiation} |
|
|
4650 \end{figure} |
|
|
4651 |
|
|
4652 Similar to the previous algorithm this algorithm must have a special handler when fewer than $k$ bits are left in the exponent. While this |
|
|
4653 algorithm requires the same number of squarings it can potentially have fewer multiplications. The pre-computed table $a^g$ is also half |
|
|
4654 the size as the previous table. |
|
|
4655 |
|
|
4656 Consider the exponent $b = 111101011001000_2 \equiv 31432_{10}$ with $k = 3$ using both algorithms. The first algorithm will divide the exponent up as |
|
|
4657 the following five $3$-bit words $b \equiv \left ( 111, 101, 011, 001, 000 \right )_{2}$. The second algorithm will break the |
|
|
4658 exponent as $b \equiv \left ( 111, 101, 0, 110, 0, 100, 0 \right )_{2}$. The single digit $0$ in the second representation are where |
|
|
4659 a single squaring took place instead of a squaring and multiplication. In total the first method requires $10$ multiplications and $18$ |
|
|
4660 squarings. The second method requires $8$ multiplications and $18$ squarings. |
|
|
4661 |
|
|
4662 In general the sliding window method is never slower than the generic $k$-ary method and often it is slightly faster. |
|
|
4663 |
|
|
4664 \section{Modular Exponentiation} |
|
|
4665 |
|
|
4666 Modular exponentiation is essentially computing the power of a base within a finite field or ring. For example, computing |
|
|
4667 $d \equiv a^b \mbox{ (mod }c\mbox{)}$ is a modular exponentiation. Instead of first computing $a^b$ and then reducing it |
|
|
4668 modulo $c$ the intermediate result is reduced modulo $c$ after every squaring or multiplication operation. |
|
|
4669 |
|
|
4670 This guarantees that any intermediate result is bounded by $0 \le d \le c^2 - 2c + 1$ and can be reduced modulo $c$ quickly using |
|
|
4671 one of the algorithms presented in ~REDUCTION~. |
|
|
4672 |
|
|
4673 Before the actual modular exponentiation algorithm can be written a wrapper algorithm must be written first. This algorithm |
|
|
4674 will allow the exponent $b$ to be negative which is computed as $c \equiv \left (1 / a \right )^{\vert b \vert} \mbox{(mod }d\mbox{)}$. The |
|
|
4675 value of $(1/a) \mbox{ mod }c$ is computed using the modular inverse (\textit{see \ref{sec;modinv}}). If no inverse exists the algorithm |
|
|
4676 terminates with an error. |
|
|
4677 |
|
|
4678 \begin{figure}[!here] |
|
|
4679 \begin{small} |
|
|
4680 \begin{center} |
|
|
4681 \begin{tabular}{l} |
|
|
4682 \hline Algorithm \textbf{mp\_exptmod}. \\ |
|
|
4683 \textbf{Input}. mp\_int $a$, $b$ and $c$ \\ |
|
|
4684 \textbf{Output}. $y \equiv g^x \mbox{ (mod }p\mbox{)}$ \\ |
|
|
4685 \hline \\ |
|
|
4686 1. If $c.sign = MP\_NEG$ return(\textit{MP\_VAL}). \\ |
|
|
4687 2. If $b.sign = MP\_NEG$ then \\ |
|
|
4688 \hspace{3mm}2.1 $g' \leftarrow g^{-1} \mbox{ (mod }c\mbox{)}$ \\ |
|
|
4689 \hspace{3mm}2.2 $x' \leftarrow \vert x \vert$ \\ |
|
|
4690 \hspace{3mm}2.3 Compute $d \equiv g'^{x'} \mbox{ (mod }c\mbox{)}$ via recursion. \\ |
|
|
4691 3. if $p$ is odd \textbf{OR} $p$ is a D.R. modulus then \\ |
|
|
4692 \hspace{3mm}3.1 Compute $y \equiv g^{x} \mbox{ (mod }p\mbox{)}$ via algorithm mp\_exptmod\_fast. \\ |
|
|
4693 4. else \\ |
|
|
4694 \hspace{3mm}4.1 Compute $y \equiv g^{x} \mbox{ (mod }p\mbox{)}$ via algorithm s\_mp\_exptmod. \\ |
|
|
4695 \hline |
|
|
4696 \end{tabular} |
|
|
4697 \end{center} |
|
|
4698 \end{small} |
|
|
4699 \caption{Algorithm mp\_exptmod} |
|
|
4700 \end{figure} |
|
|
4701 |
|
|
4702 \textbf{Algorithm mp\_exptmod.} |
|
|
4703 The first algorithm which actually performs modular exponentiation is algorithm s\_mp\_exptmod. It is a sliding window $k$-ary algorithm |
|
|
4704 which uses Barrett reduction to reduce the product modulo $p$. The second algorithm mp\_exptmod\_fast performs the same operation |
|
|
4705 except it uses either Montgomery or Diminished Radix reduction. The two latter reduction algorithms are clumped in the same exponentiation |
|
|
4706 algorithm since their arguments are essentially the same (\textit{two mp\_ints and one mp\_digit}). |
|
|
4707 |
|
|
4708 EXAM,bn_mp_exptmod.c |
|
|
4709 |
|
|
4710 In order to keep the algorithms in a known state the first step on line @29,if@ is to reject any negative modulus as input. If the exponent is |
|
|
4711 negative the algorithm tries to perform a modular exponentiation with the modular inverse of the base $G$. The temporary variable $tmpG$ is assigned |
|
|
4712 the modular inverse of $G$ and $tmpX$ is assigned the absolute value of $X$. The algorithm will recuse with these new values with a positive |
|
|
4713 exponent. |
|
|
4714 |
|
|
4715 If the exponent is positive the algorithm resumes the exponentiation. Line @63,dr_@ determines if the modulus is of the restricted Diminished Radix |
|
|
4716 form. If it is not line @65,reduce@ attempts to determine if it is of a unrestricted Diminished Radix form. The integer $dr$ will take on one |
|
|
4717 of three values. |
|
|
4718 |
|
|
4719 \begin{enumerate} |
|
|
4720 \item $dr = 0$ means that the modulus is not of either restricted or unrestricted Diminished Radix form. |
|
|
4721 \item $dr = 1$ means that the modulus is of restricted Diminished Radix form. |
|
|
4722 \item $dr = 2$ means that the modulus is of unrestricted Diminished Radix form. |
|
|
4723 \end{enumerate} |
|
|
4724 |
|
|
4725 Line @69,if@ determines if the fast modular exponentiation algorithm can be used. It is allowed if $dr \ne 0$ or if the modulus is odd. Otherwise, |
|
|
4726 the slower s\_mp\_exptmod algorithm is used which uses Barrett reduction. |
|
|
4727 |
|
|
4728 \subsection{Barrett Modular Exponentiation} |
|
|
4729 |
|
|
4730 \newpage\begin{figure}[!here] |
|
|
4731 \begin{small} |
|
|
4732 \begin{center} |
|
|
4733 \begin{tabular}{l} |
|
|
4734 \hline Algorithm \textbf{s\_mp\_exptmod}. \\ |
|
|
4735 \textbf{Input}. mp\_int $a$, $b$ and $c$ \\ |
|
|
4736 \textbf{Output}. $y \equiv g^x \mbox{ (mod }p\mbox{)}$ \\ |
|
|
4737 \hline \\ |
|
|
4738 1. $k \leftarrow lg(x)$ \\ |
|
|
4739 2. $winsize \leftarrow \left \lbrace \begin{array}{ll} |
|
|
4740 2 & \mbox{if }k \le 7 \\ |
|
|
4741 3 & \mbox{if }7 < k \le 36 \\ |
|
|
4742 4 & \mbox{if }36 < k \le 140 \\ |
|
|
4743 5 & \mbox{if }140 < k \le 450 \\ |
|
|
4744 6 & \mbox{if }450 < k \le 1303 \\ |
|
|
4745 7 & \mbox{if }1303 < k \le 3529 \\ |
|
|
4746 8 & \mbox{if }3529 < k \\ |
|
|
4747 \end{array} \right .$ \\ |
|
|
4748 3. Initialize $2^{winsize}$ mp\_ints in an array named $M$ and one mp\_int named $\mu$ \\ |
|
|
4749 4. Calculate the $\mu$ required for Barrett Reduction (\textit{mp\_reduce\_setup}). \\ |
|
|
4750 5. $M_1 \leftarrow g \mbox{ (mod }p\mbox{)}$ \\ |
|
|
4751 \\ |
|
|
4752 Setup the table of small powers of $g$. First find $g^{2^{winsize}}$ and then all multiples of it. \\ |
|
|
4753 6. $k \leftarrow 2^{winsize - 1}$ \\ |
|
|
4754 7. $M_{k} \leftarrow M_1$ \\ |
|
|
4755 8. for $ix$ from 0 to $winsize - 2$ do \\ |
|
|
4756 \hspace{3mm}8.1 $M_k \leftarrow \left ( M_k \right )^2$ (\textit{mp\_sqr}) \\ |
|
|
4757 \hspace{3mm}8.2 $M_k \leftarrow M_k \mbox{ (mod }p\mbox{)}$ (\textit{mp\_reduce}) \\ |
|
|
4758 9. for $ix$ from $2^{winsize - 1} + 1$ to $2^{winsize} - 1$ do \\ |
|
|
4759 \hspace{3mm}9.1 $M_{ix} \leftarrow M_{ix - 1} \cdot M_{1}$ (\textit{mp\_mul}) \\ |
|
|
4760 \hspace{3mm}9.2 $M_{ix} \leftarrow M_{ix} \mbox{ (mod }p\mbox{)}$ (\textit{mp\_reduce}) \\ |
|
|
4761 10. $res \leftarrow 1$ \\ |
|
|
4762 \\ |
|
|
4763 Start Sliding Window. \\ |
|
|
4764 11. $mode \leftarrow 0, bitcnt \leftarrow 1, buf \leftarrow 0, digidx \leftarrow x.used - 1, bitcpy \leftarrow 0, bitbuf \leftarrow 0$ \\ |
|
|
4765 12. Loop \\ |
|
|
4766 \hspace{3mm}12.1 $bitcnt \leftarrow bitcnt - 1$ \\ |
|
|
4767 \hspace{3mm}12.2 If $bitcnt = 0$ then do \\ |
|
|
4768 \hspace{6mm}12.2.1 If $digidx = -1$ goto step 13. \\ |
|
|
4769 \hspace{6mm}12.2.2 $buf \leftarrow x_{digidx}$ \\ |
|
|
4770 \hspace{6mm}12.2.3 $digidx \leftarrow digidx - 1$ \\ |
|
|
4771 \hspace{6mm}12.2.4 $bitcnt \leftarrow lg(\beta)$ \\ |
|
|
4772 Continued on next page. \\ |
|
|
4773 \hline |
|
|
4774 \end{tabular} |
|
|
4775 \end{center} |
|
|
4776 \end{small} |
|
|
4777 \caption{Algorithm s\_mp\_exptmod} |
|
|
4778 \end{figure} |
|
|
4779 |
|
|
4780 \newpage\begin{figure}[!here] |
|
|
4781 \begin{small} |
|
|
4782 \begin{center} |
|
|
4783 \begin{tabular}{l} |
|
|
4784 \hline Algorithm \textbf{s\_mp\_exptmod} (\textit{continued}). \\ |
|
|
4785 \textbf{Input}. mp\_int $a$, $b$ and $c$ \\ |
|
|
4786 \textbf{Output}. $y \equiv g^x \mbox{ (mod }p\mbox{)}$ \\ |
|
|
4787 \hline \\ |
|
|
4788 \hspace{3mm}12.3 $y \leftarrow (buf >> (lg(\beta) - 1))$ AND $1$ \\ |
|
|
4789 \hspace{3mm}12.4 $buf \leftarrow buf << 1$ \\ |
|
|
4790 \hspace{3mm}12.5 if $mode = 0$ and $y = 0$ then goto step 12. \\ |
|
|
4791 \hspace{3mm}12.6 if $mode = 1$ and $y = 0$ then do \\ |
|
|
4792 \hspace{6mm}12.6.1 $res \leftarrow res^2$ \\ |
|
|
4793 \hspace{6mm}12.6.2 $res \leftarrow res \mbox{ (mod }p\mbox{)}$ \\ |
|
|
4794 \hspace{6mm}12.6.3 Goto step 12. \\ |
|
|
4795 \hspace{3mm}12.7 $bitcpy \leftarrow bitcpy + 1$ \\ |
|
|
4796 \hspace{3mm}12.8 $bitbuf \leftarrow bitbuf + (y << (winsize - bitcpy))$ \\ |
|
|
4797 \hspace{3mm}12.9 $mode \leftarrow 2$ \\ |
|
|
4798 \hspace{3mm}12.10 If $bitcpy = winsize$ then do \\ |
|
|
4799 \hspace{6mm}Window is full so perform the squarings and single multiplication. \\ |
|
|
4800 \hspace{6mm}12.10.1 for $ix$ from $0$ to $winsize -1$ do \\ |
|
|
4801 \hspace{9mm}12.10.1.1 $res \leftarrow res^2$ \\ |
|
|
4802 \hspace{9mm}12.10.1.2 $res \leftarrow res \mbox{ (mod }p\mbox{)}$ \\ |
|
|
4803 \hspace{6mm}12.10.2 $res \leftarrow res \cdot M_{bitbuf}$ \\ |
|
|
4804 \hspace{6mm}12.10.3 $res \leftarrow res \mbox{ (mod }p\mbox{)}$ \\ |
|
|
4805 \hspace{6mm}Reset the window. \\ |
|
|
4806 \hspace{6mm}12.10.4 $bitcpy \leftarrow 0, bitbuf \leftarrow 0, mode \leftarrow 1$ \\ |
|
|
4807 \\ |
|
|
4808 No more windows left. Check for residual bits of exponent. \\ |
|
|
4809 13. If $mode = 2$ and $bitcpy > 0$ then do \\ |
|
|
4810 \hspace{3mm}13.1 for $ix$ form $0$ to $bitcpy - 1$ do \\ |
|
|
4811 \hspace{6mm}13.1.1 $res \leftarrow res^2$ \\ |
|
|
4812 \hspace{6mm}13.1.2 $res \leftarrow res \mbox{ (mod }p\mbox{)}$ \\ |
|
|
4813 \hspace{6mm}13.1.3 $bitbuf \leftarrow bitbuf << 1$ \\ |
|
|
4814 \hspace{6mm}13.1.4 If $bitbuf$ AND $2^{winsize} \ne 0$ then do \\ |
|
|
4815 \hspace{9mm}13.1.4.1 $res \leftarrow res \cdot M_{1}$ \\ |
|
|
4816 \hspace{9mm}13.1.4.2 $res \leftarrow res \mbox{ (mod }p\mbox{)}$ \\ |
|
|
4817 14. $y \leftarrow res$ \\ |
|
|
4818 15. Clear $res$, $mu$ and the $M$ array. \\ |
|
|
4819 16. Return(\textit{MP\_OKAY}). \\ |
|
|
4820 \hline |
|
|
4821 \end{tabular} |
|
|
4822 \end{center} |
|
|
4823 \end{small} |
|
|
4824 \caption{Algorithm s\_mp\_exptmod (continued)} |
|
|
4825 \end{figure} |
|
|
4826 |
|
|
4827 \textbf{Algorithm s\_mp\_exptmod.} |
|
|
4828 This algorithm computes the $x$'th power of $g$ modulo $p$ and stores the result in $y$. It takes advantage of the Barrett reduction |
|
|
4829 algorithm to keep the product small throughout the algorithm. |
|
|
4830 |
|
|
4831 The first two steps determine the optimal window size based on the number of bits in the exponent. The larger the exponent the |
|
|
4832 larger the window size becomes. After a window size $winsize$ has been chosen an array of $2^{winsize}$ mp\_int variables is allocated. This |
|
|
4833 table will hold the values of $g^x \mbox{ (mod }p\mbox{)}$ for $2^{winsize - 1} \le x < 2^{winsize}$. |
|
|
4834 |
|
|
4835 After the table is allocated the first power of $g$ is found. Since $g \ge p$ is allowed it must be first reduced modulo $p$ to make |
|
|
4836 the rest of the algorithm more efficient. The first element of the table at $2^{winsize - 1}$ is found by squaring $M_1$ successively $winsize - 2$ |
|
|
4837 times. The rest of the table elements are found by multiplying the previous element by $M_1$ modulo $p$. |
|
|
4838 |
|
|
4839 Now that the table is available the sliding window may begin. The following list describes the functions of all the variables in the window. |
|
|
4840 \begin{enumerate} |
|
|
4841 \item The variable $mode$ dictates how the bits of the exponent are interpreted. |
|
|
4842 \begin{enumerate} |
|
|
4843 \item When $mode = 0$ the bits are ignored since no non-zero bit of the exponent has been seen yet. For example, if the exponent were simply |
|
|
4844 $1$ then there would be $lg(\beta) - 1$ zero bits before the first non-zero bit. In this case bits are ignored until a non-zero bit is found. |
|
|
4845 \item When $mode = 1$ a non-zero bit has been seen before and a new $winsize$-bit window has not been formed yet. In this mode leading $0$ bits |
|
|
4846 are read and a single squaring is performed. If a non-zero bit is read a new window is created. |
|
|
4847 \item When $mode = 2$ the algorithm is in the middle of forming a window and new bits are appended to the window from the most significant bit |
|
|
4848 downwards. |
|
|
4849 \end{enumerate} |
|
|
4850 \item The variable $bitcnt$ indicates how many bits are left in the current digit of the exponent left to be read. When it reaches zero a new digit |
|
|
4851 is fetched from the exponent. |
|
|
4852 \item The variable $buf$ holds the currently read digit of the exponent. |
|
|
4853 \item The variable $digidx$ is an index into the exponents digits. It starts at the leading digit $x.used - 1$ and moves towards the trailing digit. |
|
|
4854 \item The variable $bitcpy$ indicates how many bits are in the currently formed window. When it reaches $winsize$ the window is flushed and |
|
|
4855 the appropriate operations performed. |
|
|
4856 \item The variable $bitbuf$ holds the current bits of the window being formed. |
|
|
4857 \end{enumerate} |
|
|
4858 |
|
|
4859 All of step 12 is the window processing loop. It will iterate while there are digits available form the exponent to read. The first step |
|
|
4860 inside this loop is to extract a new digit if no more bits are available in the current digit. If there are no bits left a new digit is |
|
|
4861 read and if there are no digits left than the loop terminates. |
|
|
4862 |
|
|
4863 After a digit is made available step 12.3 will extract the most significant bit of the current digit and move all other bits in the digit |
|
|
4864 upwards. In effect the digit is read from most significant bit to least significant bit and since the digits are read from leading to |
|
|
4865 trailing edges the entire exponent is read from most significant bit to least significant bit. |
|
|
4866 |
|
|
4867 At step 12.5 if the $mode$ and currently extracted bit $y$ are both zero the bit is ignored and the next bit is read. This prevents the |
|
|
4868 algorithm from having to perform trivial squaring and reduction operations before the first non-zero bit is read. Step 12.6 and 12.7-10 handle |
|
|
4869 the two cases of $mode = 1$ and $mode = 2$ respectively. |
|
|
4870 |
|
|
4871 FIGU,expt_state,Sliding Window State Diagram |
|
|
4872 |
|
|
4873 By step 13 there are no more digits left in the exponent. However, there may be partial bits in the window left. If $mode = 2$ then |
|
|
4874 a Left-to-Right algorithm is used to process the remaining few bits. |
|
|
4875 |
|
|
4876 EXAM,bn_s_mp_exptmod.c |
|
|
4877 |
|
|
4878 Lines @26,if@ through @40,}@ determine the optimal window size based on the length of the exponent in bits. The window divisions are sorted |
|
|
4879 from smallest to greatest so that in each \textbf{if} statement only one condition must be tested. For example, by the \textbf{if} statement |
|
|
4880 on line @32,if@ the value of $x$ is already known to be greater than $140$. |
|
|
4881 |
|
|
4882 The conditional piece of code beginning on line @42,ifdef@ allows the window size to be restricted to five bits. This logic is used to ensure |
|
|
4883 the table of precomputed powers of $G$ remains relatively small. |
|
|
4884 |
|
|
4885 The for loop on line @49,for@ initializes the $M$ array while lines @59,mp_init@ and @62,mp_reduce@ compute the value of $\mu$ required for |
|
|
4886 Barrett reduction. |
|
|
4887 |
|
|
4888 -- More later. |
|
|
4889 |
|
|
4890 \section{Quick Power of Two} |
|
|
4891 Calculating $b = 2^a$ can be performed much quicker than with any of the previous algorithms. Recall that a logical shift left $m << k$ is |
|
|
4892 equivalent to $m \cdot 2^k$. By this logic when $m = 1$ a quick power of two can be achieved. |
|
|
4893 |
|
|
4894 \begin{figure}[!here] |
|
|
4895 \begin{small} |
|
|
4896 \begin{center} |
|
|
4897 \begin{tabular}{l} |
|
|
4898 \hline Algorithm \textbf{mp\_2expt}. \\ |
|
|
4899 \textbf{Input}. integer $b$ \\ |
|
|
4900 \textbf{Output}. $a \leftarrow 2^b$ \\ |
|
|
4901 \hline \\ |
|
|
4902 1. $a \leftarrow 0$ \\ |
|
|
4903 2. If $a.alloc < \lfloor b / lg(\beta) \rfloor + 1$ then grow $a$ appropriately. \\ |
|
|
4904 3. $a.used \leftarrow \lfloor b / lg(\beta) \rfloor + 1$ \\ |
|
|
4905 4. $a_{\lfloor b / lg(\beta) \rfloor} \leftarrow 1 << (b \mbox{ mod } lg(\beta))$ \\ |
|
|
4906 5. Return(\textit{MP\_OKAY}). \\ |
|
|
4907 \hline |
|
|
4908 \end{tabular} |
|
|
4909 \end{center} |
|
|
4910 \end{small} |
|
|
4911 \caption{Algorithm mp\_2expt} |
|
|
4912 \end{figure} |
|
|
4913 |
|
|
4914 \textbf{Algorithm mp\_2expt.} |
|
|
4915 |
|
|
4916 EXAM,bn_mp_2expt.c |
|
|
4917 |
|
|
4918 \chapter{Higher Level Algorithms} |
|
|
4919 |
|
|
4920 This chapter discusses the various higher level algorithms that are required to complete a well rounded multiple precision integer package. These |
|
|
4921 routines are less performance oriented than the algorithms of chapters five, six and seven but are no less important. |
|
|
4922 |
|
|
4923 The first section describes a method of integer division with remainder that is universally well known. It provides the signed division logic |
|
|
4924 for the package. The subsequent section discusses a set of algorithms which allow a single digit to be the 2nd operand for a variety of operations. |
|
|
4925 These algorithms serve mostly to simplify other algorithms where small constants are required. The last two sections discuss how to manipulate |
|
|
4926 various representations of integers. For example, converting from an mp\_int to a string of character. |
|
|
4927 |
|
|
4928 \section{Integer Division with Remainder} |
|
|
4929 \label{sec:division} |
|
|
4930 |
|
|
4931 Integer division aside from modular exponentiation is the most intensive algorithm to compute. Like addition, subtraction and multiplication |
|
|
4932 the basis of this algorithm is the long-hand division algorithm taught to school children. Throughout this discussion several common variables |
|
|
4933 will be used. Let $x$ represent the divisor and $y$ represent the dividend. Let $q$ represent the integer quotient $\lfloor y / x \rfloor$ and |
|
|
4934 let $r$ represent the remainder $r = y - x \lfloor y / x \rfloor$. The following simple algorithm will be used to start the discussion. |
|
|
4935 |
|
|
4936 \newpage\begin{figure}[!here] |
|
|
4937 \begin{small} |
|
|
4938 \begin{center} |
|
|
4939 \begin{tabular}{l} |
|
|
4940 \hline Algorithm \textbf{Radix-$\beta$ Integer Division}. \\ |
|
|
4941 \textbf{Input}. integer $x$ and $y$ \\ |
|
|
4942 \textbf{Output}. $q = \lfloor y/x\rfloor, r = y - xq$ \\ |
|
|
4943 \hline \\ |
|
|
4944 1. $q \leftarrow 0$ \\ |
|
|
4945 2. $n \leftarrow \vert \vert y \vert \vert - \vert \vert x \vert \vert$ \\ |
|
|
4946 3. for $t$ from $n$ down to $0$ do \\ |
|
|
4947 \hspace{3mm}3.1 Maximize $k$ such that $kx\beta^t$ is less than or equal to $y$ and $(k + 1)x\beta^t$ is greater. \\ |
|
|
4948 \hspace{3mm}3.2 $q \leftarrow q + k\beta^t$ \\ |
|
|
4949 \hspace{3mm}3.3 $y \leftarrow y - kx\beta^t$ \\ |
|
|
4950 4. $r \leftarrow y$ \\ |
|
|
4951 5. Return($q, r$) \\ |
|
|
4952 \hline |
|
|
4953 \end{tabular} |
|
|
4954 \end{center} |
|
|
4955 \end{small} |
|
|
4956 \caption{Algorithm Radix-$\beta$ Integer Division} |
|
|
4957 \label{fig:raddiv} |
|
|
4958 \end{figure} |
|
|
4959 |
|
|
4960 As children we are taught this very simple algorithm for the case of $\beta = 10$. Almost instinctively several optimizations are taught for which |
|
|
4961 their reason of existing are never explained. For this example let $y = 5471$ represent the dividend and $x = 23$ represent the divisor. |
|
|
4962 |
|
|
4963 To find the first digit of the quotient the value of $k$ must be maximized such that $kx\beta^t$ is less than or equal to $y$ and |
|
|
4964 simultaneously $(k + 1)x\beta^t$ is greater than $y$. Implicitly $k$ is the maximum value the $t$'th digit of the quotient may have. The habitual method |
|
|
4965 used to find the maximum is to ``eyeball'' the two numbers, typically only the leading digits and quickly estimate a quotient. By only using leading |
|
|
4966 digits a much simpler division may be used to form an educated guess at what the value must be. In this case $k = \lfloor 54/23\rfloor = 2$ quickly |
|
|
4967 arises as a possible solution. Indeed $2x\beta^2 = 4600$ is less than $y = 5471$ and simultaneously $(k + 1)x\beta^2 = 6900$ is larger than $y$. |
|
|
4968 As a result $k\beta^2$ is added to the quotient which now equals $q = 200$ and $4600$ is subtracted from $y$ to give a remainder of $y = 841$. |
|
|
4969 |
|
|
4970 Again this process is repeated to produce the quotient digit $k = 3$ which makes the quotient $q = 200 + 3\beta = 230$ and the remainder |
|
|
4971 $y = 841 - 3x\beta = 181$. Finally the last iteration of the loop produces $k = 7$ which leads to the quotient $q = 230 + 7 = 237$ and the |
|
|
4972 remainder $y = 181 - 7x = 20$. The final quotient and remainder found are $q = 237$ and $r = y = 20$ which are indeed correct since |
|
|
4973 $237 \cdot 23 + 20 = 5471$ is true. |
|
|
4974 |
|
|
4975 \subsection{Quotient Estimation} |
|
|
4976 \label{sec:divest} |
|
|
4977 As alluded to earlier the quotient digit $k$ can be estimated from only the leading digits of both the divisor and dividend. When $p$ leading |
|
|
4978 digits are used from both the divisor and dividend to form an estimation the accuracy of the estimation rises as $p$ grows. Technically |
|
|
4979 speaking the estimation is based on assuming the lower $\vert \vert y \vert \vert - p$ and $\vert \vert x \vert \vert - p$ lower digits of the |
|
|
4980 dividend and divisor are zero. |
|
|
4981 |
|
|
4982 The value of the estimation may off by a few values in either direction and in general is fairly correct. A simplification \cite[pp. 271]{TAOCPV2} |
|
|
4983 of the estimation technique is to use $t + 1$ digits of the dividend and $t$ digits of the divisor, in particularly when $t = 1$. The estimate |
|
|
4984 using this technique is never too small. For the following proof let $t = \vert \vert y \vert \vert - 1$ and $s = \vert \vert x \vert \vert - 1$ |
|
|
4985 represent the most significant digits of the dividend and divisor respectively. |
|
|
4986 |
|
|
4987 \textbf{Proof.}\textit{ The quotient $\hat k = \lfloor (y_t\beta + y_{t-1}) / x_s \rfloor$ is greater than or equal to |
|
|
4988 $k = \lfloor y / (x \cdot \beta^{\vert \vert y \vert \vert - \vert \vert x \vert \vert - 1}) \rfloor$. } |
|
|
4989 The first obvious case is when $\hat k = \beta - 1$ in which case the proof is concluded since the real quotient cannot be larger. For all other |
|
|
4990 cases $\hat k = \lfloor (y_t\beta + y_{t-1}) / x_s \rfloor$ and $\hat k x_s \ge y_t\beta + y_{t-1} - x_s + 1$. The latter portion of the inequalility |
|
|
4991 $-x_s + 1$ arises from the fact that a truncated integer division will give the same quotient for at most $x_s - 1$ values. Next a series of |
|
|
4992 inequalities will prove the hypothesis. |
|
|
4993 |
|
|
4994 \begin{equation} |
|
|
4995 y - \hat k x \le y - \hat k x_s\beta^s |
|
|
4996 \end{equation} |
|
|
4997 |
|
|
4998 This is trivially true since $x \ge x_s\beta^s$. Next we replace $\hat kx_s\beta^s$ by the previous inequality for $\hat kx_s$. |
|
|
4999 |
|
|
5000 \begin{equation} |
|
|
5001 y - \hat k x \le y_t\beta^t + \ldots + y_0 - (y_t\beta^t + y_{t-1}\beta^{t-1} - x_s\beta^t + \beta^s) |
|
|
5002 \end{equation} |
|
|
5003 |
|
|
5004 By simplifying the previous inequality the following inequality is formed. |
|
|
5005 |
|
|
5006 \begin{equation} |
|
|
5007 y - \hat k x \le y_{t-2}\beta^{t-2} + \ldots + y_0 + x_s\beta^s - \beta^s |
|
|
5008 \end{equation} |
|
|
5009 |
|
|
5010 Subsequently, |
|
|
5011 |
|
|
5012 \begin{equation} |
|
|
5013 y_{t-2}\beta^{t-2} + \ldots + y_0 + x_s\beta^s - \beta^s < x_s\beta^s \le x |
|
|
5014 \end{equation} |
|
|
5015 |
|
|
5016 Which proves that $y - \hat kx \le x$ and by consequence $\hat k \ge k$ which concludes the proof. \textbf{QED} |
|
|
5017 |
|
|
5018 |
|
|
5019 \subsection{Normalized Integers} |
|
|
5020 For the purposes of division a normalized input is when the divisors leading digit $x_n$ is greater than or equal to $\beta / 2$. By multiplying both |
|
|
5021 $x$ and $y$ by $j = \lfloor (\beta / 2) / x_n \rfloor$ the quotient remains unchanged and the remainder is simply $j$ times the original |
|
|
5022 remainder. The purpose of normalization is to ensure the leading digit of the divisor is sufficiently large such that the estimated quotient will |
|
|
5023 lie in the domain of a single digit. Consider the maximum dividend $(\beta - 1) \cdot \beta + (\beta - 1)$ and the minimum divisor $\beta / 2$. |
|
|
5024 |
|
|
5025 \begin{equation} |
|
|
5026 {{\beta^2 - 1} \over { \beta / 2}} \le 2\beta - {2 \over \beta} |
|
|
5027 \end{equation} |
|
|
5028 |
|
|
5029 At most the quotient approaches $2\beta$, however, in practice this will not occur since that would imply the previous quotient digit was too small. |
|
|
5030 |
|
|
5031 \subsection{Radix-$\beta$ Division with Remainder} |
|
|
5032 \newpage\begin{figure}[!here] |
|
|
5033 \begin{small} |
|
|
5034 \begin{center} |
|
|
5035 \begin{tabular}{l} |
|
|
5036 \hline Algorithm \textbf{mp\_div}. \\ |
|
|
5037 \textbf{Input}. mp\_int $a, b$ \\ |
|
|
5038 \textbf{Output}. $c = \lfloor a/b \rfloor$, $d = a - bc$ \\ |
|
|
5039 \hline \\ |
|
|
5040 1. If $b = 0$ return(\textit{MP\_VAL}). \\ |
|
|
5041 2. If $\vert a \vert < \vert b \vert$ then do \\ |
|
|
5042 \hspace{3mm}2.1 $d \leftarrow a$ \\ |
|
|
5043 \hspace{3mm}2.2 $c \leftarrow 0$ \\ |
|
|
5044 \hspace{3mm}2.3 Return(\textit{MP\_OKAY}). \\ |
|
|
5045 \\ |
|
|
5046 Setup the quotient to receive the digits. \\ |
|
|
5047 3. Grow $q$ to $a.used + 2$ digits. \\ |
|
|
5048 4. $q \leftarrow 0$ \\ |
|
|
5049 5. $x \leftarrow \vert a \vert , y \leftarrow \vert b \vert$ \\ |
|
|
5050 6. $sign \leftarrow \left \lbrace \begin{array}{ll} |
|
|
5051 MP\_ZPOS & \mbox{if }a.sign = b.sign \\ |
|
|
5052 MP\_NEG & \mbox{otherwise} \\ |
|
|
5053 \end{array} \right .$ \\ |
|
|
5054 \\ |
|
|
5055 Normalize the inputs such that the leading digit of $y$ is greater than or equal to $\beta / 2$. \\ |
|
|
5056 7. $norm \leftarrow (lg(\beta) - 1) - (\lceil lg(y) \rceil \mbox{ (mod }lg(\beta)\mbox{)})$ \\ |
|
|
5057 8. $x \leftarrow x \cdot 2^{norm}, y \leftarrow y \cdot 2^{norm}$ \\ |
|
|
5058 \\ |
|
|
5059 Find the leading digit of the quotient. \\ |
|
|
5060 9. $n \leftarrow x.used - 1, t \leftarrow y.used - 1$ \\ |
|
|
5061 10. $y \leftarrow y \cdot \beta^{n - t}$ \\ |
|
|
5062 11. While ($x \ge y$) do \\ |
|
|
5063 \hspace{3mm}11.1 $q_{n - t} \leftarrow q_{n - t} + 1$ \\ |
|
|
5064 \hspace{3mm}11.2 $x \leftarrow x - y$ \\ |
|
|
5065 12. $y \leftarrow \lfloor y / \beta^{n-t} \rfloor$ \\ |
|
|
5066 \\ |
|
|
5067 Continued on the next page. \\ |
|
|
5068 \hline |
|
|
5069 \end{tabular} |
|
|
5070 \end{center} |
|
|
5071 \end{small} |
|
|
5072 \caption{Algorithm mp\_div} |
|
|
5073 \end{figure} |
|
|
5074 |
|
|
5075 \newpage\begin{figure}[!here] |
|
|
5076 \begin{small} |
|
|
5077 \begin{center} |
|
|
5078 \begin{tabular}{l} |
|
|
5079 \hline Algorithm \textbf{mp\_div} (continued). \\ |
|
|
5080 \textbf{Input}. mp\_int $a, b$ \\ |
|
|
5081 \textbf{Output}. $c = \lfloor a/b \rfloor$, $d = a - bc$ \\ |
|
|
5082 \hline \\ |
|
|
5083 Now find the remainder fo the digits. \\ |
|
|
5084 13. for $i$ from $n$ down to $(t + 1)$ do \\ |
|
|
5085 \hspace{3mm}13.1 If $i > x.used$ then jump to the next iteration of this loop. \\ |
|
|
5086 \hspace{3mm}13.2 If $x_{i} = y_{t}$ then \\ |
|
|
5087 \hspace{6mm}13.2.1 $q_{i - t - 1} \leftarrow \beta - 1$ \\ |
|
|
5088 \hspace{3mm}13.3 else \\ |
|
|
5089 \hspace{6mm}13.3.1 $\hat r \leftarrow x_{i} \cdot \beta + x_{i - 1}$ \\ |
|
|
5090 \hspace{6mm}13.3.2 $\hat r \leftarrow \lfloor \hat r / y_{t} \rfloor$ \\ |
|
|
5091 \hspace{6mm}13.3.3 $q_{i - t - 1} \leftarrow \hat r$ \\ |
|
|
5092 \hspace{3mm}13.4 $q_{i - t - 1} \leftarrow q_{i - t - 1} + 1$ \\ |
|
|
5093 \\ |
|
|
5094 Fixup quotient estimation. \\ |
|
|
5095 \hspace{3mm}13.5 Loop \\ |
|
|
5096 \hspace{6mm}13.5.1 $q_{i - t - 1} \leftarrow q_{i - t - 1} - 1$ \\ |
|
|
5097 \hspace{6mm}13.5.2 t$1 \leftarrow 0$ \\ |
|
|
5098 \hspace{6mm}13.5.3 t$1_0 \leftarrow y_{t - 1}, $ t$1_1 \leftarrow y_t,$ t$1.used \leftarrow 2$ \\ |
|
|
5099 \hspace{6mm}13.5.4 $t1 \leftarrow t1 \cdot q_{i - t - 1}$ \\ |
|
|
5100 \hspace{6mm}13.5.5 t$2_0 \leftarrow x_{i - 2}, $ t$2_1 \leftarrow x_{i - 1}, $ t$2_2 \leftarrow x_i, $ t$2.used \leftarrow 3$ \\ |
|
|
5101 \hspace{6mm}13.5.6 If $\vert t1 \vert > \vert t2 \vert$ then goto step 13.5. \\ |
|
|
5102 \hspace{3mm}13.6 t$1 \leftarrow y \cdot q_{i - t - 1}$ \\ |
|
|
5103 \hspace{3mm}13.7 t$1 \leftarrow $ t$1 \cdot \beta^{i - t - 1}$ \\ |
|
|
5104 \hspace{3mm}13.8 $x \leftarrow x - $ t$1$ \\ |
|
|
5105 \hspace{3mm}13.9 If $x.sign = MP\_NEG$ then \\ |
|
|
5106 \hspace{6mm}13.10 t$1 \leftarrow y$ \\ |
|
|
5107 \hspace{6mm}13.11 t$1 \leftarrow $ t$1 \cdot \beta^{i - t - 1}$ \\ |
|
|
5108 \hspace{6mm}13.12 $x \leftarrow x + $ t$1$ \\ |
|
|
5109 \hspace{6mm}13.13 $q_{i - t - 1} \leftarrow q_{i - t - 1} - 1$ \\ |
|
|
5110 \\ |
|
|
5111 Finalize the result. \\ |
|
|
5112 14. Clamp excess digits of $q$ \\ |
|
|
5113 15. $c \leftarrow q, c.sign \leftarrow sign$ \\ |
|
|
5114 16. $x.sign \leftarrow a.sign$ \\ |
|
|
5115 17. $d \leftarrow \lfloor x / 2^{norm} \rfloor$ \\ |
|
|
5116 18. Return(\textit{MP\_OKAY}). \\ |
|
|
5117 \hline |
|
|
5118 \end{tabular} |
|
|
5119 \end{center} |
|
|
5120 \end{small} |
|
|
5121 \caption{Algorithm mp\_div (continued)} |
|
|
5122 \end{figure} |
|
|
5123 \textbf{Algorithm mp\_div.} |
|
|
5124 This algorithm will calculate quotient and remainder from an integer division given a dividend and divisor. The algorithm is a signed |
|
|
5125 division and will produce a fully qualified quotient and remainder. |
|
|
5126 |
|
|
5127 First the divisor $b$ must be non-zero which is enforced in step one. If the divisor is larger than the dividend than the quotient is implicitly |
|
|
5128 zero and the remainder is the dividend. |
|
|
5129 |
|
|
5130 After the first two trivial cases of inputs are handled the variable $q$ is setup to receive the digits of the quotient. Two unsigned copies of the |
|
|
5131 divisor $y$ and dividend $x$ are made as well. The core of the division algorithm is an unsigned division and will only work if the values are |
|
|
5132 positive. Now the two values $x$ and $y$ must be normalized such that the leading digit of $y$ is greater than or equal to $\beta / 2$. |
|
|
5133 This is performed by shifting both to the left by enough bits to get the desired normalization. |
|
|
5134 |
|
|
5135 At this point the division algorithm can begin producing digits of the quotient. Recall that maximum value of the estimation used is |
|
|
5136 $2\beta - {2 \over \beta}$ which means that a digit of the quotient must be first produced by another means. In this case $y$ is shifted |
|
|
5137 to the left (\textit{step ten}) so that it has the same number of digits as $x$. The loop on step eleven will subtract multiples of the |
|
|
5138 shifted copy of $y$ until $x$ is smaller. Since the leading digit of $y$ is greater than or equal to $\beta/2$ this loop will iterate at most two |
|
|
5139 times to produce the desired leading digit of the quotient. |
|
|
5140 |
|
|
5141 Now the remainder of the digits can be produced. The equation $\hat q = \lfloor {{x_i \beta + x_{i-1}}\over y_t} \rfloor$ is used to fairly |
|
|
5142 accurately approximate the true quotient digit. The estimation can in theory produce an estimation as high as $2\beta - {2 \over \beta}$ but by |
|
|
5143 induction the upper quotient digit is correct (\textit{as established on step eleven}) and the estimate must be less than $\beta$. |
|
|
5144 |
|
|
5145 Recall from section~\ref{sec:divest} that the estimation is never too low but may be too high. The next step of the estimation process is |
|
|
5146 to refine the estimation. The loop on step 13.5 uses $x_i\beta^2 + x_{i-1}\beta + x_{i-2}$ and $q_{i - t - 1}(y_t\beta + y_{t-1})$ as a higher |
|
|
5147 order approximation to adjust the quotient digit. |
|
|
5148 |
|
|
5149 After both phases of estimation the quotient digit may still be off by a value of one\footnote{This is similar to the error introduced |
|
|
5150 by optimizing Barrett reduction.}. Steps 13.6 and 13.7 subtract the multiple of the divisor from the dividend (\textit{Similar to step 3.3 of |
|
|
5151 algorithm~\ref{fig:raddiv}} and then subsequently add a multiple of the divisor if the quotient was too large. |
|
|
5152 |
|
|
5153 Now that the quotient has been determine finializing the result is a matter of clamping the quotient, fixing the sizes and de-normalizing the |
|
|
5154 remainder. An important aspect of this algorithm seemingly overlooked in other descriptions such as that of Algorithm 14.20 HAC \cite[pp. 598]{HAC} |
|
|
5155 is that when the estimations are being made (\textit{inside the loop on step 13.5}) that the digits $y_{t-1}$, $x_{i-2}$ and $x_{i-1}$ may lie |
|
|
5156 outside their respective boundaries. For example, if $t = 0$ or $i \le 1$ then the digits would be undefined. In those cases the digits should |
|
|
5157 respectively be replaced with a zero. |
|
|
5158 |
|
|
5159 EXAM,bn_mp_div.c |
|
|
5160 |
|
|
5161 The implementation of this algorithm differs slightly from the pseudo code presented previously. In this algorithm either of the quotient $c$ or |
|
|
5162 remainder $d$ may be passed as a \textbf{NULL} pointer which indicates their value is not desired. For example, the C code to call the division |
|
|
5163 algorithm with only the quotient is |
|
|
5164 |
|
|
5165 \begin{verbatim} |
|
|
5166 mp_div(&a, &b, &c, NULL); /* c = [a/b] */ |
|
|
5167 \end{verbatim} |
|
|
5168 |
|
|
5169 Lines @37,if@ and @42,if@ handle the two trivial cases of inputs which are division by zero and dividend smaller than the divisor |
|
|
5170 respectively. After the two trivial cases all of the temporary variables are initialized. Line @76,neg@ determines the sign of |
|
|
5171 the quotient and line @77,sign@ ensures that both $x$ and $y$ are positive. |
|
|
5172 |
|
|
5173 The number of bits in the leading digit is calculated on line @80,norm@. Implictly an mp\_int with $r$ digits will require $lg(\beta)(r-1) + k$ bits |
|
|
5174 of precision which when reduced modulo $lg(\beta)$ produces the value of $k$. In this case $k$ is the number of bits in the leading digit which is |
|
|
5175 exactly what is required. For the algorithm to operate $k$ must equal $lg(\beta) - 1$ and when it does not the inputs must be normalized by shifting |
|
|
5176 them to the left by $lg(\beta) - 1 - k$ bits. |
|
|
5177 |
|
|
5178 Throughout the variables $n$ and $t$ will represent the highest digit of $x$ and $y$ respectively. These are first used to produce the |
|
|
5179 leading digit of the quotient. The loop beginning on line @113,for@ will produce the remainder of the quotient digits. |
|
|
5180 |
|
|
5181 The conditional ``continue'' on line @114,if@ is used to prevent the algorithm from reading past the leading edge of $x$ which can occur when the |
|
|
5182 algorithm eliminates multiple non-zero digits in a single iteration. This ensures that $x_i$ is always non-zero since by definition the digits |
|
|
5183 above the $i$'th position $x$ must be zero in order for the quotient to be precise\footnote{Precise as far as integer division is concerned.}. |
|
|
5184 |
|
|
5185 Lines @142,t1@, @143,t1@ and @150,t2@ through @152,t2@ manually construct the high accuracy estimations by setting the digits of the two mp\_int |
|
|
5186 variables directly. |
|
|
5187 |
|
|
5188 \section{Single Digit Helpers} |
|
|
5189 |
|
|
5190 This section briefly describes a series of single digit helper algorithms which come in handy when working with small constants. All of |
|
|
5191 the helper functions assume the single digit input is positive and will treat them as such. |
|
|
5192 |
|
|
5193 \subsection{Single Digit Addition and Subtraction} |
|
|
5194 |
|
|
5195 Both addition and subtraction are performed by ``cheating'' and using mp\_set followed by the higher level addition or subtraction |
|
|
5196 algorithms. As a result these algorithms are subtantially simpler with a slight cost in performance. |
|
|
5197 |
|
|
5198 \newpage\begin{figure}[!here] |
|
|
5199 \begin{small} |
|
|
5200 \begin{center} |
|
|
5201 \begin{tabular}{l} |
|
|
5202 \hline Algorithm \textbf{mp\_add\_d}. \\ |
|
|
5203 \textbf{Input}. mp\_int $a$ and a mp\_digit $b$ \\ |
|
|
5204 \textbf{Output}. $c = a + b$ \\ |
|
|
5205 \hline \\ |
|
|
5206 1. $t \leftarrow b$ (\textit{mp\_set}) \\ |
|
|
5207 2. $c \leftarrow a + t$ \\ |
|
|
5208 3. Return(\textit{MP\_OKAY}) \\ |
|
|
5209 \hline |
|
|
5210 \end{tabular} |
|
|
5211 \end{center} |
|
|
5212 \end{small} |
|
|
5213 \caption{Algorithm mp\_add\_d} |
|
|
5214 \end{figure} |
|
|
5215 |
|
|
5216 \textbf{Algorithm mp\_add\_d.} |
|
|
5217 This algorithm initiates a temporary mp\_int with the value of the single digit and uses algorithm mp\_add to add the two values together. |
|
|
5218 |
|
|
5219 EXAM,bn_mp_add_d.c |
|
|
5220 |
|
|
5221 Clever use of the letter 't'. |
|
|
5222 |
|
|
5223 \subsubsection{Subtraction} |
|
|
5224 The single digit subtraction algorithm mp\_sub\_d is essentially the same except it uses mp\_sub to subtract the digit from the mp\_int. |
|
|
5225 |
|
|
5226 \subsection{Single Digit Multiplication} |
|
|
5227 Single digit multiplication arises enough in division and radix conversion that it ought to be implement as a special case of the baseline |
|
|
5228 multiplication algorithm. Essentially this algorithm is a modified version of algorithm s\_mp\_mul\_digs where one of the multiplicands |
|
|
5229 only has one digit. |
|
|
5230 |
|
|
5231 \begin{figure}[!here] |
|
|
5232 \begin{small} |
|
|
5233 \begin{center} |
|
|
5234 \begin{tabular}{l} |
|
|
5235 \hline Algorithm \textbf{mp\_mul\_d}. \\ |
|
|
5236 \textbf{Input}. mp\_int $a$ and a mp\_digit $b$ \\ |
|
|
5237 \textbf{Output}. $c = ab$ \\ |
|
|
5238 \hline \\ |
|
|
5239 1. $pa \leftarrow a.used$ \\ |
|
|
5240 2. Grow $c$ to at least $pa + 1$ digits. \\ |
|
|
5241 3. $oldused \leftarrow c.used$ \\ |
|
|
5242 4. $c.used \leftarrow pa + 1$ \\ |
|
|
5243 5. $c.sign \leftarrow a.sign$ \\ |
|
|
5244 6. $\mu \leftarrow 0$ \\ |
|
|
5245 7. for $ix$ from $0$ to $pa - 1$ do \\ |
|
|
5246 \hspace{3mm}7.1 $\hat r \leftarrow \mu + a_{ix}b$ \\ |
|
|
5247 \hspace{3mm}7.2 $c_{ix} \leftarrow \hat r \mbox{ (mod }\beta\mbox{)}$ \\ |
|
|
5248 \hspace{3mm}7.3 $\mu \leftarrow \lfloor \hat r / \beta \rfloor$ \\ |
|
|
5249 8. $c_{pa} \leftarrow \mu$ \\ |
|
|
5250 9. for $ix$ from $pa + 1$ to $oldused$ do \\ |
|
|
5251 \hspace{3mm}9.1 $c_{ix} \leftarrow 0$ \\ |
|
|
5252 10. Clamp excess digits of $c$. \\ |
|
|
5253 11. Return(\textit{MP\_OKAY}). \\ |
|
|
5254 \hline |
|
|
5255 \end{tabular} |
|
|
5256 \end{center} |
|
|
5257 \end{small} |
|
|
5258 \caption{Algorithm mp\_mul\_d} |
|
|
5259 \end{figure} |
|
|
5260 \textbf{Algorithm mp\_mul\_d.} |
|
|
5261 This algorithm quickly multiplies an mp\_int by a small single digit value. It is specially tailored to the job and has a minimal of overhead. |
|
|
5262 Unlike the full multiplication algorithms this algorithm does not require any significnat temporary storage or memory allocations. |
|
|
5263 |
|
|
5264 EXAM,bn_mp_mul_d.c |
|
|
5265 |
|
|
5266 In this implementation the destination $c$ may point to the same mp\_int as the source $a$ since the result is written after the digit is |
|
|
5267 read from the source. This function uses pointer aliases $tmpa$ and $tmpc$ for the digits of $a$ and $c$ respectively. |
|
|
5268 |
|
|
5269 \subsection{Single Digit Division} |
|
|
5270 Like the single digit multiplication algorithm, single digit division is also a fairly common algorithm used in radix conversion. Since the |
|
|
5271 divisor is only a single digit a specialized variant of the division algorithm can be used to compute the quotient. |
|
|
5272 |
|
|
5273 \newpage\begin{figure}[!here] |
|
|
5274 \begin{small} |
|
|
5275 \begin{center} |
|
|
5276 \begin{tabular}{l} |
|
|
5277 \hline Algorithm \textbf{mp\_div\_d}. \\ |
|
|
5278 \textbf{Input}. mp\_int $a$ and a mp\_digit $b$ \\ |
|
|
5279 \textbf{Output}. $c = \lfloor a / b \rfloor, d = a - cb$ \\ |
|
|
5280 \hline \\ |
|
|
5281 1. If $b = 0$ then return(\textit{MP\_VAL}).\\ |
|
|
5282 2. If $b = 3$ then use algorithm mp\_div\_3 instead. \\ |
|
|
5283 3. Init $q$ to $a.used$ digits. \\ |
|
|
5284 4. $q.used \leftarrow a.used$ \\ |
|
|
5285 5. $q.sign \leftarrow a.sign$ \\ |
|
|
5286 6. $\hat w \leftarrow 0$ \\ |
|
|
5287 7. for $ix$ from $a.used - 1$ down to $0$ do \\ |
|
|
5288 \hspace{3mm}7.1 $\hat w \leftarrow \hat w \beta + a_{ix}$ \\ |
|
|
5289 \hspace{3mm}7.2 If $\hat w \ge b$ then \\ |
|
|
5290 \hspace{6mm}7.2.1 $t \leftarrow \lfloor \hat w / b \rfloor$ \\ |
|
|
5291 \hspace{6mm}7.2.2 $\hat w \leftarrow \hat w \mbox{ (mod }b\mbox{)}$ \\ |
|
|
5292 \hspace{3mm}7.3 else\\ |
|
|
5293 \hspace{6mm}7.3.1 $t \leftarrow 0$ \\ |
|
|
5294 \hspace{3mm}7.4 $q_{ix} \leftarrow t$ \\ |
|
|
5295 8. $d \leftarrow \hat w$ \\ |
|
|
5296 9. Clamp excess digits of $q$. \\ |
|
|
5297 10. $c \leftarrow q$ \\ |
|
|
5298 11. Return(\textit{MP\_OKAY}). \\ |
|
|
5299 \hline |
|
|
5300 \end{tabular} |
|
|
5301 \end{center} |
|
|
5302 \end{small} |
|
|
5303 \caption{Algorithm mp\_div\_d} |
|
|
5304 \end{figure} |
|
|
5305 \textbf{Algorithm mp\_div\_d.} |
|
|
5306 This algorithm divides the mp\_int $a$ by the single mp\_digit $b$ using an optimized approach. Essentially in every iteration of the |
|
|
5307 algorithm another digit of the dividend is reduced and another digit of quotient produced. Provided $b < \beta$ the value of $\hat w$ |
|
|
5308 after step 7.1 will be limited such that $0 \le \lfloor \hat w / b \rfloor < \beta$. |
|
|
5309 |
|
|
5310 If the divisor $b$ is equal to three a variant of this algorithm is used which is called mp\_div\_3. It replaces the division by three with |
|
|
5311 a multiplication by $\lfloor \beta / 3 \rfloor$ and the appropriate shift and residual fixup. In essence it is much like the Barrett reduction |
|
|
5312 from chapter seven. |
|
|
5313 |
|
|
5314 EXAM,bn_mp_div_d.c |
|
|
5315 |
|
|
5316 Like the implementation of algorithm mp\_div this algorithm allows either of the quotient or remainder to be passed as a \textbf{NULL} pointer to |
|
|
5317 indicate the respective value is not required. This allows a trivial single digit modular reduction algorithm, mp\_mod\_d to be created. |
|
|
5318 |
|
|
5319 The division and remainder on lines @44,/@ and @45,%@ can be replaced often by a single division on most processors. For example, the 32-bit x86 based |
|
|
5320 processors can divide a 64-bit quantity by a 32-bit quantity and produce the quotient and remainder simultaneously. Unfortunately the GCC |
|
|
5321 compiler does not recognize that optimization and will actually produce two function calls to find the quotient and remainder respectively. |
|
|
5322 |
|
|
5323 \subsection{Single Digit Root Extraction} |
|
|
5324 |
|
|
5325 Finding the $n$'th root of an integer is fairly easy as far as numerical analysis is concerned. Algorithms such as the Newton-Raphson approximation |
|
|
5326 (\ref{eqn:newton}) series will converge very quickly to a root for any continuous function $f(x)$. |
|
|
5327 |
|
|
5328 \begin{equation} |
|
|
5329 x_{i+1} = x_i - {f(x_i) \over f'(x_i)} |
|
|
5330 \label{eqn:newton} |
|
|
5331 \end{equation} |
|
|
5332 |
|
|
5333 In this case the $n$'th root is desired and $f(x) = x^n - a$ where $a$ is the integer of which the root is desired. The derivative of $f(x)$ is |
|
|
5334 simply $f'(x) = nx^{n - 1}$. Of particular importance is that this algorithm will be used over the integers not over the a more continuous domain |
|
|
5335 such as the real numbers. As a result the root found can be above the true root by few and must be manually adjusted. Ideally at the end of the |
|
|
5336 algorithm the $n$'th root $b$ of an integer $a$ is desired such that $b^n \le a$. |
|
|
5337 |
|
|
5338 \newpage\begin{figure}[!here] |
|
|
5339 \begin{small} |
|
|
5340 \begin{center} |
|
|
5341 \begin{tabular}{l} |
|
|
5342 \hline Algorithm \textbf{mp\_n\_root}. \\ |
|
|
5343 \textbf{Input}. mp\_int $a$ and a mp\_digit $b$ \\ |
|
|
5344 \textbf{Output}. $c^b \le a$ \\ |
|
|
5345 \hline \\ |
|
|
5346 1. If $b$ is even and $a.sign = MP\_NEG$ return(\textit{MP\_VAL}). \\ |
|
|
5347 2. $sign \leftarrow a.sign$ \\ |
|
|
5348 3. $a.sign \leftarrow MP\_ZPOS$ \\ |
|
|
5349 4. t$2 \leftarrow 2$ \\ |
|
|
5350 5. Loop \\ |
|
|
5351 \hspace{3mm}5.1 t$1 \leftarrow $ t$2$ \\ |
|
|
5352 \hspace{3mm}5.2 t$3 \leftarrow $ t$1^{b - 1}$ \\ |
|
|
5353 \hspace{3mm}5.3 t$2 \leftarrow $ t$3 $ $\cdot$ t$1$ \\ |
|
|
5354 \hspace{3mm}5.4 t$2 \leftarrow $ t$2 - a$ \\ |
|
|
5355 \hspace{3mm}5.5 t$3 \leftarrow $ t$3 \cdot b$ \\ |
|
|
5356 \hspace{3mm}5.6 t$3 \leftarrow \lfloor $t$2 / $t$3 \rfloor$ \\ |
|
|
5357 \hspace{3mm}5.7 t$2 \leftarrow $ t$1 - $ t$3$ \\ |
|
|
5358 \hspace{3mm}5.8 If t$1 \ne $ t$2$ then goto step 5. \\ |
|
|
5359 6. Loop \\ |
|
|
5360 \hspace{3mm}6.1 t$2 \leftarrow $ t$1^b$ \\ |
|
|
5361 \hspace{3mm}6.2 If t$2 > a$ then \\ |
|
|
5362 \hspace{6mm}6.2.1 t$1 \leftarrow $ t$1 - 1$ \\ |
|
|
5363 \hspace{6mm}6.2.2 Goto step 6. \\ |
|
|
5364 7. $a.sign \leftarrow sign$ \\ |
|
|
5365 8. $c \leftarrow $ t$1$ \\ |
|
|
5366 9. $c.sign \leftarrow sign$ \\ |
|
|
5367 10. Return(\textit{MP\_OKAY}). \\ |
|
|
5368 \hline |
|
|
5369 \end{tabular} |
|
|
5370 \end{center} |
|
|
5371 \end{small} |
|
|
5372 \caption{Algorithm mp\_n\_root} |
|
|
5373 \end{figure} |
|
|
5374 \textbf{Algorithm mp\_n\_root.} |
|
|
5375 This algorithm finds the integer $n$'th root of an input using the Newton-Raphson approach. It is partially optimized based on the observation |
|
|
5376 that the numerator of ${f(x) \over f'(x)}$ can be derived from a partial denominator. That is at first the denominator is calculated by finding |
|
|
5377 $x^{b - 1}$. This value can then be multiplied by $x$ and have $a$ subtracted from it to find the numerator. This saves a total of $b - 1$ |
|
|
5378 multiplications by t$1$ inside the loop. |
|
|
5379 |
|
|
5380 The initial value of the approximation is t$2 = 2$ which allows the algorithm to start with very small values and quickly converge on the |
|
|
5381 root. Ideally this algorithm is meant to find the $n$'th root of an input where $n$ is bounded by $2 \le n \le 5$. |
|
|
5382 |
|
|
5383 EXAM,bn_mp_n_root.c |
|
|
5384 |
|
|
5385 \section{Random Number Generation} |
|
|
5386 |
|
|
5387 Random numbers come up in a variety of activities from public key cryptography to simple simulations and various randomized algorithms. Pollard-Rho |
|
|
5388 factoring for example, can make use of random values as starting points to find factors of a composite integer. In this case the algorithm presented |
|
|
5389 is solely for simulations and not intended for cryptographic use. |
|
|
5390 |
|
|
5391 \newpage\begin{figure}[!here] |
|
|
5392 \begin{small} |
|
|
5393 \begin{center} |
|
|
5394 \begin{tabular}{l} |
|
|
5395 \hline Algorithm \textbf{mp\_rand}. \\ |
|
|
5396 \textbf{Input}. An integer $b$ \\ |
|
|
5397 \textbf{Output}. A pseudo-random number of $b$ digits \\ |
|
|
5398 \hline \\ |
|
|
5399 1. $a \leftarrow 0$ \\ |
|
|
5400 2. If $b \le 0$ return(\textit{MP\_OKAY}) \\ |
|
|
5401 3. Pick a non-zero random digit $d$. \\ |
|
|
5402 4. $a \leftarrow a + d$ \\ |
|
|
5403 5. for $ix$ from 1 to $d - 1$ do \\ |
|
|
5404 \hspace{3mm}5.1 $a \leftarrow a \cdot \beta$ \\ |
|
|
5405 \hspace{3mm}5.2 Pick a random digit $d$. \\ |
|
|
5406 \hspace{3mm}5.3 $a \leftarrow a + d$ \\ |
|
|
5407 6. Return(\textit{MP\_OKAY}). \\ |
|
|
5408 \hline |
|
|
5409 \end{tabular} |
|
|
5410 \end{center} |
|
|
5411 \end{small} |
|
|
5412 \caption{Algorithm mp\_rand} |
|
|
5413 \end{figure} |
|
|
5414 \textbf{Algorithm mp\_rand.} |
|
|
5415 This algorithm produces a pseudo-random integer of $b$ digits. By ensuring that the first digit is non-zero the algorithm also guarantees that the |
|
|
5416 final result has at least $b$ digits. It relies heavily on a third-part random number generator which should ideally generate uniformly all of |
|
|
5417 the integers from $0$ to $\beta - 1$. |
|
|
5418 |
|
|
5419 EXAM,bn_mp_rand.c |
|
|
5420 |
|
|
5421 \section{Formatted Representations} |
|
|
5422 The ability to emit a radix-$n$ textual representation of an integer is useful for interacting with human parties. For example, the ability to |
|
|
5423 be given a string of characters such as ``114585'' and turn it into the radix-$\beta$ equivalent would make it easier to enter numbers |
|
|
5424 into a program. |
|
|
5425 |
|
|
5426 \subsection{Reading Radix-n Input} |
|
|
5427 For the purposes of this text we will assume that a simple lower ASCII map (\ref{fig:ASC}) is used for the values of from $0$ to $63$ to |
|
|
5428 printable characters. For example, when the character ``N'' is read it represents the integer $23$. The first $16$ characters of the |
|
|
5429 map are for the common representations up to hexadecimal. After that they match the ``base64'' encoding scheme which are suitable chosen |
|
|
5430 such that they are printable. While outputting as base64 may not be too helpful for human operators it does allow communication via non binary |
|
|
5431 mediums. |
|
|
5432 |
|
|
5433 \newpage\begin{figure}[here] |
|
|
5434 \begin{center} |
|
|
5435 \begin{tabular}{cc|cc|cc|cc} |
|
|
5436 \hline \textbf{Value} & \textbf{Char} & \textbf{Value} & \textbf{Char} & \textbf{Value} & \textbf{Char} & \textbf{Value} & \textbf{Char} \\ |
|
|
5437 \hline |
|
|
5438 0 & 0 & 1 & 1 & 2 & 2 & 3 & 3 \\ |
|
|
5439 4 & 4 & 5 & 5 & 6 & 6 & 7 & 7 \\ |
|
|
5440 8 & 8 & 9 & 9 & 10 & A & 11 & B \\ |
|
|
5441 12 & C & 13 & D & 14 & E & 15 & F \\ |
|
|
5442 16 & G & 17 & H & 18 & I & 19 & J \\ |
|
|
5443 20 & K & 21 & L & 22 & M & 23 & N \\ |
|
|
5444 24 & O & 25 & P & 26 & Q & 27 & R \\ |
|
|
5445 28 & S & 29 & T & 30 & U & 31 & V \\ |
|
|
5446 32 & W & 33 & X & 34 & Y & 35 & Z \\ |
|
|
5447 36 & a & 37 & b & 38 & c & 39 & d \\ |
|
|
5448 40 & e & 41 & f & 42 & g & 43 & h \\ |
|
|
5449 44 & i & 45 & j & 46 & k & 47 & l \\ |
|
|
5450 48 & m & 49 & n & 50 & o & 51 & p \\ |
|
|
5451 52 & q & 53 & r & 54 & s & 55 & t \\ |
|
|
5452 56 & u & 57 & v & 58 & w & 59 & x \\ |
|
|
5453 60 & y & 61 & z & 62 & $+$ & 63 & $/$ \\ |
|
|
5454 \hline |
|
|
5455 \end{tabular} |
|
|
5456 \end{center} |
|
|
5457 \caption{Lower ASCII Map} |
|
|
5458 \label{fig:ASC} |
|
|
5459 \end{figure} |
|
|
5460 |
|
|
5461 \newpage\begin{figure}[!here] |
|
|
5462 \begin{small} |
|
|
5463 \begin{center} |
|
|
5464 \begin{tabular}{l} |
|
|
5465 \hline Algorithm \textbf{mp\_read\_radix}. \\ |
|
|
5466 \textbf{Input}. A string $str$ of length $sn$ and radix $r$. \\ |
|
|
5467 \textbf{Output}. The radix-$\beta$ equivalent mp\_int. \\ |
|
|
5468 \hline \\ |
|
|
5469 1. If $r < 2$ or $r > 64$ return(\textit{MP\_VAL}). \\ |
|
|
5470 2. $ix \leftarrow 0$ \\ |
|
|
5471 3. If $str_0 =$ ``-'' then do \\ |
|
|
5472 \hspace{3mm}3.1 $ix \leftarrow ix + 1$ \\ |
|
|
5473 \hspace{3mm}3.2 $sign \leftarrow MP\_NEG$ \\ |
|
|
5474 4. else \\ |
|
|
5475 \hspace{3mm}4.1 $sign \leftarrow MP\_ZPOS$ \\ |
|
|
5476 5. $a \leftarrow 0$ \\ |
|
|
5477 6. for $iy$ from $ix$ to $sn - 1$ do \\ |
|
|
5478 \hspace{3mm}6.1 Let $y$ denote the position in the map of $str_{iy}$. \\ |
|
|
5479 \hspace{3mm}6.2 If $str_{iy}$ is not in the map or $y \ge r$ then goto step 7. \\ |
|
|
5480 \hspace{3mm}6.3 $a \leftarrow a \cdot r$ \\ |
|
|
5481 \hspace{3mm}6.4 $a \leftarrow a + y$ \\ |
|
|
5482 7. If $a \ne 0$ then $a.sign \leftarrow sign$ \\ |
|
|
5483 8. Return(\textit{MP\_OKAY}). \\ |
|
|
5484 \hline |
|
|
5485 \end{tabular} |
|
|
5486 \end{center} |
|
|
5487 \end{small} |
|
|
5488 \caption{Algorithm mp\_read\_radix} |
|
|
5489 \end{figure} |
|
|
5490 \textbf{Algorithm mp\_read\_radix.} |
|
|
5491 This algorithm will read an ASCII string and produce the radix-$\beta$ mp\_int representation of the same integer. A minus symbol ``-'' may precede the |
|
|
5492 string to indicate the value is negative, otherwise it is assumed to be positive. The algorithm will read up to $sn$ characters from the input |
|
|
5493 and will stop when it reads a character it cannot map the algorithm stops reading characters from the string. This allows numbers to be embedded |
|
|
5494 as part of larger input without any significant problem. |
|
|
5495 |
|
|
5496 EXAM,bn_mp_read_radix.c |
|
|
5497 |
|
|
5498 \subsection{Generating Radix-$n$ Output} |
|
|
5499 Generating radix-$n$ output is fairly trivial with a division and remainder algorithm. |
|
|
5500 |
|
|
5501 \newpage\begin{figure}[!here] |
|
|
5502 \begin{small} |
|
|
5503 \begin{center} |
|
|
5504 \begin{tabular}{l} |
|
|
5505 \hline Algorithm \textbf{mp\_toradix}. \\ |
|
|
5506 \textbf{Input}. A mp\_int $a$ and an integer $r$\\ |
|
|
5507 \textbf{Output}. The radix-$r$ representation of $a$ \\ |
|
|
5508 \hline \\ |
|
|
5509 1. If $r < 2$ or $r > 64$ return(\textit{MP\_VAL}). \\ |
|
|
5510 2. If $a = 0$ then $str = $ ``$0$'' and return(\textit{MP\_OKAY}). \\ |
|
|
5511 3. $t \leftarrow a$ \\ |
|
|
5512 4. $str \leftarrow$ ``'' \\ |
|
|
5513 5. if $t.sign = MP\_NEG$ then \\ |
|
|
5514 \hspace{3mm}5.1 $str \leftarrow str + $ ``-'' \\ |
|
|
5515 \hspace{3mm}5.2 $t.sign = MP\_ZPOS$ \\ |
|
|
5516 6. While ($t \ne 0$) do \\ |
|
|
5517 \hspace{3mm}6.1 $d \leftarrow t \mbox{ (mod }r\mbox{)}$ \\ |
|
|
5518 \hspace{3mm}6.2 $t \leftarrow \lfloor t / r \rfloor$ \\ |
|
|
5519 \hspace{3mm}6.3 Look up $d$ in the map and store the equivalent character in $y$. \\ |
|
|
5520 \hspace{3mm}6.4 $str \leftarrow str + y$ \\ |
|
|
5521 7. If $str_0 = $``$-$'' then \\ |
|
|
5522 \hspace{3mm}7.1 Reverse the digits $str_1, str_2, \ldots str_n$. \\ |
|
|
5523 8. Otherwise \\ |
|
|
5524 \hspace{3mm}8.1 Reverse the digits $str_0, str_1, \ldots str_n$. \\ |
|
|
5525 9. Return(\textit{MP\_OKAY}).\\ |
|
|
5526 \hline |
|
|
5527 \end{tabular} |
|
|
5528 \end{center} |
|
|
5529 \end{small} |
|
|
5530 \caption{Algorithm mp\_toradix} |
|
|
5531 \end{figure} |
|
|
5532 \textbf{Algorithm mp\_toradix.} |
|
|
5533 This algorithm computes the radix-$r$ representation of an mp\_int $a$. The ``digits'' of the representation are extracted by reducing |
|
|
5534 successive powers of $\lfloor a / r^k \rfloor$ the input modulo $r$ until $r^k > a$. Note that instead of actually dividing by $r^k$ in |
|
|
5535 each iteration the quotient $\lfloor a / r \rfloor$ is saved for the next iteration. As a result a series of trivial $n \times 1$ divisions |
|
|
5536 are required instead of a series of $n \times k$ divisions. One design flaw of this approach is that the digits are produced in the reverse order |
|
|
5537 (see~\ref{fig:mpradix}). To remedy this flaw the digits must be swapped or simply ``reversed''. |
|
|
5538 |
|
|
5539 \begin{figure} |
|
|
5540 \begin{center} |
|
|
5541 \begin{tabular}{|c|c|c|} |
|
|
5542 \hline \textbf{Value of $a$} & \textbf{Value of $d$} & \textbf{Value of $str$} \\ |
|
|
5543 \hline $1234$ & -- & -- \\ |
|
|
5544 \hline $123$ & $4$ & ``4'' \\ |
|
|
5545 \hline $12$ & $3$ & ``43'' \\ |
|
|
5546 \hline $1$ & $2$ & ``432'' \\ |
|
|
5547 \hline $0$ & $1$ & ``4321'' \\ |
|
|
5548 \hline |
|
|
5549 \end{tabular} |
|
|
5550 \end{center} |
|
|
5551 \caption{Example of Algorithm mp\_toradix.} |
|
|
5552 \label{fig:mpradix} |
|
|
5553 \end{figure} |
|
|
5554 |
|
|
5555 EXAM,bn_mp_toradix.c |
|
|
5556 |
|
|
5557 \chapter{Number Theoretic Algorithms} |
|
|
5558 This chapter discusses several fundamental number theoretic algorithms such as the greatest common divisor, least common multiple and Jacobi |
|
|
5559 symbol computation. These algorithms arise as essential components in several key cryptographic algorithms such as the RSA public key algorithm and |
|
|
5560 various Sieve based factoring algorithms. |
|
|
5561 |
|
|
5562 \section{Greatest Common Divisor} |
|
|
5563 The greatest common divisor of two integers $a$ and $b$, often denoted as $(a, b)$ is the largest integer $k$ that is a proper divisor of |
|
|
5564 both $a$ and $b$. That is, $k$ is the largest integer such that $0 \equiv a \mbox{ (mod }k\mbox{)}$ and $0 \equiv b \mbox{ (mod }k\mbox{)}$ occur |
|
|
5565 simultaneously. |
|
|
5566 |
|
|
5567 The most common approach (cite) is to reduce one input modulo another. That is if $a$ and $b$ are divisible by some integer $k$ and if $qa + r = b$ then |
|
|
5568 $r$ is also divisible by $k$. The reduction pattern follows $\left < a , b \right > \rightarrow \left < b, a \mbox{ mod } b \right >$. |
|
|
5569 |
|
|
5570 \newpage\begin{figure}[!here] |
|
|
5571 \begin{small} |
|
|
5572 \begin{center} |
|
|
5573 \begin{tabular}{l} |
|
|
5574 \hline Algorithm \textbf{Greatest Common Divisor (I)}. \\ |
|
|
5575 \textbf{Input}. Two positive integers $a$ and $b$ greater than zero. \\ |
|
|
5576 \textbf{Output}. The greatest common divisor $(a, b)$. \\ |
|
|
5577 \hline \\ |
|
|
5578 1. While ($b > 0$) do \\ |
|
|
5579 \hspace{3mm}1.1 $r \leftarrow a \mbox{ (mod }b\mbox{)}$ \\ |
|
|
5580 \hspace{3mm}1.2 $a \leftarrow b$ \\ |
|
|
5581 \hspace{3mm}1.3 $b \leftarrow r$ \\ |
|
|
5582 2. Return($a$). \\ |
|
|
5583 \hline |
|
|
5584 \end{tabular} |
|
|
5585 \end{center} |
|
|
5586 \end{small} |
|
|
5587 \caption{Algorithm Greatest Common Divisor (I)} |
|
|
5588 \label{fig:gcd1} |
|
|
5589 \end{figure} |
|
|
5590 |
|
|
5591 This algorithm will quickly converge on the greatest common divisor since the residue $r$ tends diminish rapidly. However, divisions are |
|
|
5592 relatively expensive operations to perform and should ideally be avoided. There is another approach based on a similar relationship of |
|
|
5593 greatest common divisors. The faster approach is based on the observation that if $k$ divides both $a$ and $b$ it will also divide $a - b$. |
|
|
5594 In particular, we would like $a - b$ to decrease in magnitude which implies that $b \ge a$. |
|
|
5595 |
|
|
5596 \begin{figure}[!here] |
|
|
5597 \begin{small} |
|
|
5598 \begin{center} |
|
|
5599 \begin{tabular}{l} |
|
|
5600 \hline Algorithm \textbf{Greatest Common Divisor (II)}. \\ |
|
|
5601 \textbf{Input}. Two positive integers $a$ and $b$ greater than zero. \\ |
|
|
5602 \textbf{Output}. The greatest common divisor $(a, b)$. \\ |
|
|
5603 \hline \\ |
|
|
5604 1. While ($b > 0$) do \\ |
|
|
5605 \hspace{3mm}1.1 Swap $a$ and $b$ such that $a$ is the smallest of the two. \\ |
|
|
5606 \hspace{3mm}1.2 $b \leftarrow b - a$ \\ |
|
|
5607 2. Return($a$). \\ |
|
|
5608 \hline |
|
|
5609 \end{tabular} |
|
|
5610 \end{center} |
|
|
5611 \end{small} |
|
|
5612 \caption{Algorithm Greatest Common Divisor (II)} |
|
|
5613 \label{fig:gcd2} |
|
|
5614 \end{figure} |
|
|
5615 |
|
|
5616 \textbf{Proof} \textit{Algorithm~\ref{fig:gcd2} will return the greatest common divisor of $a$ and $b$.} |
|
|
5617 The algorithm in figure~\ref{fig:gcd2} will eventually terminate since $b \ge a$ the subtraction in step 1.2 will be a value less than $b$. In other |
|
|
5618 words in every iteration that tuple $\left < a, b \right >$ decrease in magnitude until eventually $a = b$. Since both $a$ and $b$ are always |
|
|
5619 divisible by the greatest common divisor (\textit{until the last iteration}) and in the last iteration of the algorithm $b = 0$, therefore, in the |
|
|
5620 second to last iteration of the algorithm $b = a$ and clearly $(a, a) = a$ which concludes the proof. \textbf{QED}. |
|
|
5621 |
|
|
5622 As a matter of practicality algorithm \ref{fig:gcd1} decreases far too slowly to be useful. Specially if $b$ is much larger than $a$ such that |
|
|
5623 $b - a$ is still very much larger than $a$. A simple addition to the algorithm is to divide $b - a$ by a power of some integer $p$ which does |
|
|
5624 not divide the greatest common divisor but will divide $b - a$. In this case ${b - a} \over p$ is also an integer and still divisible by |
|
|
5625 the greatest common divisor. |
|
|
5626 |
|
|
5627 However, instead of factoring $b - a$ to find a suitable value of $p$ the powers of $p$ can be removed from $a$ and $b$ that are in common first. |
|
|
5628 Then inside the loop whenever $b - a$ is divisible by some power of $p$ it can be safely removed. |
|
|
5629 |
|
|
5630 \begin{figure}[!here] |
|
|
5631 \begin{small} |
|
|
5632 \begin{center} |
|
|
5633 \begin{tabular}{l} |
|
|
5634 \hline Algorithm \textbf{Greatest Common Divisor (III)}. \\ |
|
|
5635 \textbf{Input}. Two positive integers $a$ and $b$ greater than zero. \\ |
|
|
5636 \textbf{Output}. The greatest common divisor $(a, b)$. \\ |
|
|
5637 \hline \\ |
|
|
5638 1. $k \leftarrow 0$ \\ |
|
|
5639 2. While $a$ and $b$ are both divisible by $p$ do \\ |
|
|
5640 \hspace{3mm}2.1 $a \leftarrow \lfloor a / p \rfloor$ \\ |
|
|
5641 \hspace{3mm}2.2 $b \leftarrow \lfloor b / p \rfloor$ \\ |
|
|
5642 \hspace{3mm}2.3 $k \leftarrow k + 1$ \\ |
|
|
5643 3. While $a$ is divisible by $p$ do \\ |
|
|
5644 \hspace{3mm}3.1 $a \leftarrow \lfloor a / p \rfloor$ \\ |
|
|
5645 4. While $b$ is divisible by $p$ do \\ |
|
|
5646 \hspace{3mm}4.1 $b \leftarrow \lfloor b / p \rfloor$ \\ |
|
|
5647 5. While ($b > 0$) do \\ |
|
|
5648 \hspace{3mm}5.1 Swap $a$ and $b$ such that $a$ is the smallest of the two. \\ |
|
|
5649 \hspace{3mm}5.2 $b \leftarrow b - a$ \\ |
|
|
5650 \hspace{3mm}5.3 While $b$ is divisible by $p$ do \\ |
|
|
5651 \hspace{6mm}5.3.1 $b \leftarrow \lfloor b / p \rfloor$ \\ |
|
|
5652 6. Return($a \cdot p^k$). \\ |
|
|
5653 \hline |
|
|
5654 \end{tabular} |
|
|
5655 \end{center} |
|
|
5656 \end{small} |
|
|
5657 \caption{Algorithm Greatest Common Divisor (III)} |
|
|
5658 \label{fig:gcd3} |
|
|
5659 \end{figure} |
|
|
5660 |
|
|
5661 This algorithm is based on the first except it removes powers of $p$ first and inside the main loop to ensure the tuple $\left < a, b \right >$ |
|
|
5662 decreases more rapidly. The first loop on step two removes powers of $p$ that are in common. A count, $k$, is kept which will present a common |
|
|
5663 divisor of $p^k$. After step two the remaining common divisor of $a$ and $b$ cannot be divisible by $p$. This means that $p$ can be safely |
|
|
5664 divided out of the difference $b - a$ so long as the division leaves no remainder. |
|
|
5665 |
|
|
5666 In particular the value of $p$ should be chosen such that the division on step 5.3.1 occur often. It also helps that division by $p$ be easy |
|
|
5667 to compute. The ideal choice of $p$ is two since division by two amounts to a right logical shift. Another important observation is that by |
|
|
5668 step five both $a$ and $b$ are odd. Therefore, the diffrence $b - a$ must be even which means that each iteration removes one bit from the |
|
|
5669 largest of the pair. |
|
|
5670 |
|
|
5671 \subsection{Complete Greatest Common Divisor} |
|
|
5672 The algorithms presented so far cannot handle inputs which are zero or negative. The following algorithm can handle all input cases properly |
|
|
5673 and will produce the greatest common divisor. |
|
|
5674 |
|
|
5675 \newpage\begin{figure}[!here] |
|
|
5676 \begin{small} |
|
|
5677 \begin{center} |
|
|
5678 \begin{tabular}{l} |
|
|
5679 \hline Algorithm \textbf{mp\_gcd}. \\ |
|
|
5680 \textbf{Input}. mp\_int $a$ and $b$ \\ |
|
|
5681 \textbf{Output}. The greatest common divisor $c = (a, b)$. \\ |
|
|
5682 \hline \\ |
|
|
5683 1. If $a = 0$ and $b \ne 0$ then \\ |
|
|
5684 \hspace{3mm}1.1 $c \leftarrow b$ \\ |
|
|
5685 \hspace{3mm}1.2 Return(\textit{MP\_OKAY}). \\ |
|
|
5686 2. If $a \ne 0$ and $b = 0$ then \\ |
|
|
5687 \hspace{3mm}2.1 $c \leftarrow a$ \\ |
|
|
5688 \hspace{3mm}2.2 Return(\textit{MP\_OKAY}). \\ |
|
|
5689 3. If $a = b = 0$ then \\ |
|
|
5690 \hspace{3mm}3.1 $c \leftarrow 1$ \\ |
|
|
5691 \hspace{3mm}3.2 Return(\textit{MP\_OKAY}). \\ |
|
|
5692 4. $u \leftarrow \vert a \vert, v \leftarrow \vert b \vert$ \\ |
|
|
5693 5. $k \leftarrow 0$ \\ |
|
|
5694 6. While $u.used > 0$ and $v.used > 0$ and $u_0 \equiv v_0 \equiv 0 \mbox{ (mod }2\mbox{)}$ \\ |
|
|
5695 \hspace{3mm}6.1 $k \leftarrow k + 1$ \\ |
|
|
5696 \hspace{3mm}6.2 $u \leftarrow \lfloor u / 2 \rfloor$ \\ |
|
|
5697 \hspace{3mm}6.3 $v \leftarrow \lfloor v / 2 \rfloor$ \\ |
|
|
5698 7. While $u.used > 0$ and $u_0 \equiv 0 \mbox{ (mod }2\mbox{)}$ \\ |
|
|
5699 \hspace{3mm}7.1 $u \leftarrow \lfloor u / 2 \rfloor$ \\ |
|
|
5700 8. While $v.used > 0$ and $v_0 \equiv 0 \mbox{ (mod }2\mbox{)}$ \\ |
|
|
5701 \hspace{3mm}8.1 $v \leftarrow \lfloor v / 2 \rfloor$ \\ |
|
|
5702 9. While $v.used > 0$ \\ |
|
|
5703 \hspace{3mm}9.1 If $\vert u \vert > \vert v \vert$ then \\ |
|
|
5704 \hspace{6mm}9.1.1 Swap $u$ and $v$. \\ |
|
|
5705 \hspace{3mm}9.2 $v \leftarrow \vert v \vert - \vert u \vert$ \\ |
|
|
5706 \hspace{3mm}9.3 While $v.used > 0$ and $v_0 \equiv 0 \mbox{ (mod }2\mbox{)}$ \\ |
|
|
5707 \hspace{6mm}9.3.1 $v \leftarrow \lfloor v / 2 \rfloor$ \\ |
|
|
5708 10. $c \leftarrow u \cdot 2^k$ \\ |
|
|
5709 11. Return(\textit{MP\_OKAY}). \\ |
|
|
5710 \hline |
|
|
5711 \end{tabular} |
|
|
5712 \end{center} |
|
|
5713 \end{small} |
|
|
5714 \caption{Algorithm mp\_gcd} |
|
|
5715 \end{figure} |
|
|
5716 \textbf{Algorithm mp\_gcd.} |
|
|
5717 This algorithm will produce the greatest common divisor of two mp\_ints $a$ and $b$. The algorithm was originally based on Algorithm B of |
|
|
5718 Knuth \cite[pp. 338]{TAOCPV2} but has been modified to be simpler to explain. In theory it achieves the same asymptotic working time as |
|
|
5719 Algorithm B and in practice this appears to be true. |
|
|
5720 |
|
|
5721 The first three steps handle the cases where either one of or both inputs are zero. If either input is zero the greatest common divisor is the |
|
|
5722 largest input or zero if they are both zero. If the inputs are not trivial than $u$ and $v$ are assigned the absolute values of |
|
|
5723 $a$ and $b$ respectively and the algorithm will proceed to reduce the pair. |
|
|
5724 |
|
|
5725 Step six will divide out any common factors of two and keep track of the count in the variable $k$. After this step two is no longer a |
|
|
5726 factor of the remaining greatest common divisor between $u$ and $v$ and can be safely evenly divided out of either whenever they are even. Step |
|
|
5727 seven and eight ensure that the $u$ and $v$ respectively have no more factors of two. At most only one of the while loops will iterate since |
|
|
5728 they cannot both be even. |
|
|
5729 |
|
|
5730 By step nine both of $u$ and $v$ are odd which is required for the inner logic. First the pair are swapped such that $v$ is equal to |
|
|
5731 or greater than $u$. This ensures that the subtraction on step 9.2 will always produce a positive and even result. Step 9.3 removes any |
|
|
5732 factors of two from the difference $u$ to ensure that in the next iteration of the loop both are once again odd. |
|
|
5733 |
|
|
5734 After $v = 0$ occurs the variable $u$ has the greatest common divisor of the pair $\left < u, v \right >$ just after step six. The result |
|
|
5735 must be adjusted by multiplying by the common factors of two ($2^k$) removed earlier. |
|
|
5736 |
|
|
5737 EXAM,bn_mp_gcd.c |
|
|
5738 |
|
|
5739 This function makes use of the macros mp\_iszero and mp\_iseven. The former evaluates to $1$ if the input mp\_int is equivalent to the |
|
|
5740 integer zero otherwise it evaluates to $0$. The latter evaluates to $1$ if the input mp\_int represents a non-zero even integer otherwise |
|
|
5741 it evaluates to $0$. Note that just because mp\_iseven may evaluate to $0$ does not mean the input is odd, it could also be zero. The three |
|
|
5742 trivial cases of inputs are handled on lines @25,zero@ through @34,}@. After those lines the inputs are assumed to be non-zero. |
|
|
5743 |
|
|
5744 Lines @36,if@ and @40,if@ make local copies $u$ and $v$ of the inputs $a$ and $b$ respectively. At this point the common factors of two |
|
|
5745 must be divided out of the two inputs. The while loop on line @49,while@ iterates so long as both are even. The local integer $k$ is used to |
|
|
5746 keep track of how many factors of $2$ are pulled out of both values. It is assumed that the number of factors will not exceed the maximum |
|
|
5747 value of a C ``int'' data type\footnote{Strictly speaking no array in C may have more than entries than are accessible by an ``int'' so this is not |
|
|
5748 a limitation.}. |
|
|
5749 |
|
|
5750 At this point there are no more common factors of two in the two values. The while loops on lines @60,while@ and @65,while@ remove any independent |
|
|
5751 factors of two such that both $u$ and $v$ are guaranteed to be an odd integer before hitting the main body of the algorithm. The while loop |
|
|
5752 on line @71, while@ performs the reduction of the pair until $v$ is equal to zero. The unsigned comparison and subtraction algorithms are used in |
|
|
5753 place of the full signed routines since both values are guaranteed to be positive and the result of the subtraction is guaranteed to be non-negative. |
|
|
5754 |
|
|
5755 \section{Least Common Multiple} |
|
|
5756 The least common multiple of a pair of integers is their product divided by their greatest common divisor. For two integers $a$ and $b$ the |
|
|
5757 least common multiple is normally denoted as $[ a, b ]$ and numerically equivalent to ${ab} \over {(a, b)}$. For example, if $a = 2 \cdot 2 \cdot 3 = 12$ |
|
|
5758 and $b = 2 \cdot 3 \cdot 3 \cdot 7 = 126$ the least common multiple is ${126 \over {(12, 126)}} = {126 \over 6} = 21$. |
|
|
5759 |
|
|
5760 The least common multiple arises often in coding theory as well as number theory. If two functions have periods of $a$ and $b$ respectively they will |
|
|
5761 collide, that is be in synchronous states, after only $[ a, b ]$ iterations. This is why, for example, random number generators based on |
|
|
5762 Linear Feedback Shift Registers (LFSR) tend to use registers with periods which are co-prime (\textit{e.g. the greatest common divisor is one.}). |
|
|
5763 Similarly in number theory if a composite $n$ has two prime factors $p$ and $q$ then maximal order of any unit of $\Z/n\Z$ will be $[ p - 1, q - 1] $. |
|
|
5764 |
|
|
5765 \begin{figure}[!here] |
|
|
5766 \begin{small} |
|
|
5767 \begin{center} |
|
|
5768 \begin{tabular}{l} |
|
|
5769 \hline Algorithm \textbf{mp\_lcm}. \\ |
|
|
5770 \textbf{Input}. mp\_int $a$ and $b$ \\ |
|
|
5771 \textbf{Output}. The least common multiple $c = [a, b]$. \\ |
|
|
5772 \hline \\ |
|
|
5773 1. $c \leftarrow (a, b)$ \\ |
|
|
5774 2. $t \leftarrow a \cdot b$ \\ |
|
|
5775 3. $c \leftarrow \lfloor t / c \rfloor$ \\ |
|
|
5776 4. Return(\textit{MP\_OKAY}). \\ |
|
|
5777 \hline |
|
|
5778 \end{tabular} |
|
|
5779 \end{center} |
|
|
5780 \end{small} |
|
|
5781 \caption{Algorithm mp\_lcm} |
|
|
5782 \end{figure} |
|
|
5783 \textbf{Algorithm mp\_lcm.} |
|
|
5784 This algorithm computes the least common multiple of two mp\_int inputs $a$ and $b$. It computes the least common multiple directly by |
|
|
5785 dividing the product of the two inputs by their greatest common divisor. |
|
|
5786 |
|
|
5787 EXAM,bn_mp_lcm.c |
|
|
5788 |
|
|
5789 \section{Jacobi Symbol Computation} |
|
|
5790 To explain the Jacobi Symbol we shall first discuss the Legendre function\footnote{Arrg. What is the name of this?} off which the Jacobi symbol is |
|
|
5791 defined. The Legendre function computes whether or not an integer $a$ is a quadratic residue modulo an odd prime $p$. Numerically it is |
|
|
5792 equivalent to equation \ref{eqn:legendre}. |
|
|
5793 |
|
|
5794 \begin{equation} |
|
|
5795 a^{(p-1)/2} \equiv \begin{array}{rl} |
|
|
5796 -1 & \mbox{if }a\mbox{ is a quadratic non-residue.} \\ |
|
|
5797 0 & \mbox{if }a\mbox{ divides }p\mbox{.} \\ |
|
|
5798 1 & \mbox{if }a\mbox{ is a quadratic residue}. |
|
|
5799 \end{array} \mbox{ (mod }p\mbox{)} |
|
|
5800 \label{eqn:legendre} |
|
|
5801 \end{equation} |
|
|
5802 |
|
|
5803 \textbf{Proof.} \textit{Equation \ref{eqn:legendre} correctly identifies the residue status of an integer $a$ modulo a prime $p$.} |
|
|
5804 An integer $a$ is a quadratic residue if the following equation has a solution. |
|
|
5805 |
|
|
5806 \begin{equation} |
|
|
5807 x^2 \equiv a \mbox{ (mod }p\mbox{)} |
|
|
5808 \label{eqn:root} |
|
|
5809 \end{equation} |
|
|
5810 |
|
|
5811 Consider the following equation. |
|
|
5812 |
|
|
5813 \begin{equation} |
|
|
5814 0 \equiv x^{p-1} - 1 \equiv \left \lbrace \left (x^2 \right )^{(p-1)/2} - a^{(p-1)/2} \right \rbrace + \left ( a^{(p-1)/2} - 1 \right ) \mbox{ (mod }p\mbox{)} |
|
|
5815 \label{eqn:rooti} |
|
|
5816 \end{equation} |
|
|
5817 |
|
|
5818 Whether equation \ref{eqn:root} has a solution or not equation \ref{eqn:rooti} is always true. If $a^{(p-1)/2} - 1 \equiv 0 \mbox{ (mod }p\mbox{)}$ |
|
|
5819 then the quantity in the braces must be zero. By reduction, |
|
|
5820 |
|
|
5821 \begin{eqnarray} |
|
|
5822 \left (x^2 \right )^{(p-1)/2} - a^{(p-1)/2} \equiv 0 \nonumber \\ |
|
|
5823 \left (x^2 \right )^{(p-1)/2} \equiv a^{(p-1)/2} \nonumber \\ |
|
|
5824 x^2 \equiv a \mbox{ (mod }p\mbox{)} |
|
|
5825 \end{eqnarray} |
|
|
5826 |
|
|
5827 As a result there must be a solution to the quadratic equation and in turn $a$ must be a quadratic residue. If $a$ does not divide $p$ and $a$ |
|
|
5828 is not a quadratic residue then the only other value $a^{(p-1)/2}$ may be congruent to is $-1$ since |
|
|
5829 \begin{equation} |
|
|
5830 0 \equiv a^{p - 1} - 1 \equiv (a^{(p-1)/2} + 1)(a^{(p-1)/2} - 1) \mbox{ (mod }p\mbox{)} |
|
|
5831 \end{equation} |
|
|
5832 One of the terms on the right hand side must be zero. \textbf{QED} |
|
|
5833 |
|
|
5834 \subsection{Jacobi Symbol} |
|
|
5835 The Jacobi symbol is a generalization of the Legendre function for any odd non prime moduli $p$ greater than 2. If $p = \prod_{i=0}^n p_i$ then |
|
|
5836 the Jacobi symbol $\left ( { a \over p } \right )$ is equal to the following equation. |
|
|
5837 |
|
|
5838 \begin{equation} |
|
|
5839 \left ( { a \over p } \right ) = \left ( { a \over p_0} \right ) \left ( { a \over p_1} \right ) \ldots \left ( { a \over p_n} \right ) |
|
|
5840 \end{equation} |
|
|
5841 |
|
|
5842 By inspection if $p$ is prime the Jacobi symbol is equivalent to the Legendre function. The following facts\footnote{See HAC \cite[pp. 72-74]{HAC} for |
|
|
5843 further details.} will be used to derive an efficient Jacobi symbol algorithm. Where $p$ is an odd integer greater than two and $a, b \in \Z$ the |
|
|
5844 following are true. |
|
|
5845 |
|
|
5846 \begin{enumerate} |
|
|
5847 \item $\left ( { a \over p} \right )$ equals $-1$, $0$ or $1$. |
|
|
5848 \item $\left ( { ab \over p} \right ) = \left ( { a \over p} \right )\left ( { b \over p} \right )$. |
|
|
5849 \item If $a \equiv b$ then $\left ( { a \over p} \right ) = \left ( { b \over p} \right )$. |
|
|
5850 \item $\left ( { 2 \over p} \right )$ equals $1$ if $p \equiv 1$ or $7 \mbox{ (mod }8\mbox{)}$. Otherwise, it equals $-1$. |
|
|
5851 \item $\left ( { a \over p} \right ) \equiv \left ( { p \over a} \right ) \cdot (-1)^{(p-1)(a-1)/4}$. More specifically |
|
|
5852 $\left ( { a \over p} \right ) = \left ( { p \over a} \right )$ if $p \equiv a \equiv 1 \mbox{ (mod }4\mbox{)}$. |
|
|
5853 \end{enumerate} |
|
|
5854 |
|
|
5855 Using these facts if $a = 2^k \cdot a'$ then |
|
|
5856 |
|
|
5857 \begin{eqnarray} |
|
|
5858 \left ( { a \over p } \right ) = \left ( {{2^k} \over p } \right ) \left ( {a' \over p} \right ) \nonumber \\ |
|
|
5859 = \left ( {2 \over p } \right )^k \left ( {a' \over p} \right ) |
|
|
5860 \label{eqn:jacobi} |
|
|
5861 \end{eqnarray} |
|
|
5862 |
|
|
5863 By fact five, |
|
|
5864 |
|
|
5865 \begin{equation} |
|
|
5866 \left ( { a \over p } \right ) = \left ( { p \over a } \right ) \cdot (-1)^{(p-1)(a-1)/4} |
|
|
5867 \end{equation} |
|
|
5868 |
|
|
5869 Subsequently by fact three since $p \equiv (p \mbox{ mod }a) \mbox{ (mod }a\mbox{)}$ then |
|
|
5870 |
|
|
5871 \begin{equation} |
|
|
5872 \left ( { a \over p } \right ) = \left ( { {p \mbox{ mod } a} \over a } \right ) \cdot (-1)^{(p-1)(a-1)/4} |
|
|
5873 \end{equation} |
|
|
5874 |
|
|
5875 By putting both observations into equation \ref{eqn:jacobi} the following simplified equation is formed. |
|
|
5876 |
|
|
5877 \begin{equation} |
|
|
5878 \left ( { a \over p } \right ) = \left ( {2 \over p } \right )^k \left ( {{p\mbox{ mod }a'} \over a'} \right ) \cdot (-1)^{(p-1)(a'-1)/4} |
|
|
5879 \end{equation} |
|
|
5880 |
|
|
5881 The value of $\left ( {{p \mbox{ mod }a'} \over a'} \right )$ can be found by using the same equation recursively. The value of |
|
|
5882 $\left ( {2 \over p } \right )^k$ equals $1$ if $k$ is even otherwise it equals $\left ( {2 \over p } \right )$. Using this approach the |
|
|
5883 factors of $p$ do not have to be known. Furthermore, if $(a, p) = 1$ then the algorithm will terminate when the recursion requests the |
|
|
5884 Jacobi symbol computation of $\left ( {1 \over a'} \right )$ which is simply $1$. |
|
|
5885 |
|
|
5886 \newpage\begin{figure}[!here] |
|
|
5887 \begin{small} |
|
|
5888 \begin{center} |
|
|
5889 \begin{tabular}{l} |
|
|
5890 \hline Algorithm \textbf{mp\_jacobi}. \\ |
|
|
5891 \textbf{Input}. mp\_int $a$ and $p$, $a \ge 0$, $p \ge 3$, $p \equiv 1 \mbox{ (mod }2\mbox{)}$ \\ |
|
|
5892 \textbf{Output}. The Jacobi symbol $c = \left ( {a \over p } \right )$. \\ |
|
|
5893 \hline \\ |
|
|
5894 1. If $a = 0$ then \\ |
|
|
5895 \hspace{3mm}1.1 $c \leftarrow 0$ \\ |
|
|
5896 \hspace{3mm}1.2 Return(\textit{MP\_OKAY}). \\ |
|
|
5897 2. If $a = 1$ then \\ |
|
|
5898 \hspace{3mm}2.1 $c \leftarrow 1$ \\ |
|
|
5899 \hspace{3mm}2.2 Return(\textit{MP\_OKAY}). \\ |
|
|
5900 3. $a' \leftarrow a$ \\ |
|
|
5901 4. $k \leftarrow 0$ \\ |
|
|
5902 5. While $a'.used > 0$ and $a'_0 \equiv 0 \mbox{ (mod }2\mbox{)}$ \\ |
|
|
5903 \hspace{3mm}5.1 $k \leftarrow k + 1$ \\ |
|
|
5904 \hspace{3mm}5.2 $a' \leftarrow \lfloor a' / 2 \rfloor$ \\ |
|
|
5905 6. If $k \equiv 0 \mbox{ (mod }2\mbox{)}$ then \\ |
|
|
5906 \hspace{3mm}6.1 $s \leftarrow 1$ \\ |
|
|
5907 7. else \\ |
|
|
5908 \hspace{3mm}7.1 $r \leftarrow p_0 \mbox{ (mod }8\mbox{)}$ \\ |
|
|
5909 \hspace{3mm}7.2 If $r = 1$ or $r = 7$ then \\ |
|
|
5910 \hspace{6mm}7.2.1 $s \leftarrow 1$ \\ |
|
|
5911 \hspace{3mm}7.3 else \\ |
|
|
5912 \hspace{6mm}7.3.1 $s \leftarrow -1$ \\ |
|
|
5913 8. If $p_0 \equiv a'_0 \equiv 3 \mbox{ (mod }4\mbox{)}$ then \\ |
|
|
5914 \hspace{3mm}8.1 $s \leftarrow -s$ \\ |
|
|
5915 9. If $a' \ne 1$ then \\ |
|
|
5916 \hspace{3mm}9.1 $p' \leftarrow p \mbox{ (mod }a'\mbox{)}$ \\ |
|
|
5917 \hspace{3mm}9.2 $s \leftarrow s \cdot \mbox{mp\_jacobi}(p', a')$ \\ |
|
|
5918 10. $c \leftarrow s$ \\ |
|
|
5919 11. Return(\textit{MP\_OKAY}). \\ |
|
|
5920 \hline |
|
|
5921 \end{tabular} |
|
|
5922 \end{center} |
|
|
5923 \end{small} |
|
|
5924 \caption{Algorithm mp\_jacobi} |
|
|
5925 \end{figure} |
|
|
5926 \textbf{Algorithm mp\_jacobi.} |
|
|
5927 This algorithm computes the Jacobi symbol for an arbitrary positive integer $a$ with respect to an odd integer $p$ greater than three. The algorithm |
|
|
5928 is based on algorithm 2.149 of HAC \cite[pp. 73]{HAC}. |
|
|
5929 |
|
|
5930 Step numbers one and two handle the trivial cases of $a = 0$ and $a = 1$ respectively. Step five determines the number of two factors in the |
|
|
5931 input $a$. If $k$ is even than the term $\left ( { 2 \over p } \right )^k$ must always evaluate to one. If $k$ is odd than the term evaluates to one |
|
|
5932 if $p_0$ is congruent to one or seven modulo eight, otherwise it evaluates to $-1$. After the the $\left ( { 2 \over p } \right )^k$ term is handled |
|
|
5933 the $(-1)^{(p-1)(a'-1)/4}$ is computed and multiplied against the current product $s$. The latter term evaluates to one if both $p$ and $a'$ |
|
|
5934 are congruent to one modulo four, otherwise it evaluates to negative one. |
|
|
5935 |
|
|
5936 By step nine if $a'$ does not equal one a recursion is required. Step 9.1 computes $p' \equiv p \mbox{ (mod }a'\mbox{)}$ and will recurse to compute |
|
|
5937 $\left ( {p' \over a'} \right )$ which is multiplied against the current Jacobi product. |
|
|
5938 |
|
|
5939 EXAM,bn_mp_jacobi.c |
|
|
5940 |
|
|
5941 As a matter of practicality the variable $a'$ as per the pseudo-code is reprensented by the variable $a1$ since the $'$ symbol is not valid for a C |
|
|
5942 variable name character. |
|
|
5943 |
|
|
5944 The two simple cases of $a = 0$ and $a = 1$ are handled at the very beginning to simplify the algorithm. If the input is non-trivial the algorithm |
|
|
5945 has to proceed compute the Jacobi. The variable $s$ is used to hold the current Jacobi product. Note that $s$ is merely a C ``int'' data type since |
|
|
5946 the values it may obtain are merely $-1$, $0$ and $1$. |
|
|
5947 |
|
|
5948 After a local copy of $a$ is made all of the factors of two are divided out and the total stored in $k$. Technically only the least significant |
|
|
5949 bit of $k$ is required, however, it makes the algorithm simpler to follow to perform an addition. In practice an exclusive-or and addition have the same |
|
|
5950 processor requirements and neither is faster than the other. |
|
|
5951 |
|
|
5952 Line @59, if@ through @70, }@ determines the value of $\left ( { 2 \over p } \right )^k$. If the least significant bit of $k$ is zero than |
|
|
5953 $k$ is even and the value is one. Otherwise, the value of $s$ depends on which residue class $p$ belongs to modulo eight. The value of |
|
|
5954 $(-1)^{(p-1)(a'-1)/4}$ is compute and multiplied against $s$ on lines @73, if@ through @75, }@. |
|
|
5955 |
|
|
5956 Finally, if $a1$ does not equal one the algorithm must recurse and compute $\left ( {p' \over a'} \right )$. |
|
|
5957 |
|
|
5958 \textit{-- Comment about default $s$ and such...} |
|
|
5959 |
|
|
5960 \section{Modular Inverse} |
|
|
5961 \label{sec:modinv} |
|
|
5962 The modular inverse of a number actually refers to the modular multiplicative inverse. Essentially for any integer $a$ such that $(a, p) = 1$ there |
|
|
5963 exist another integer $b$ such that $ab \equiv 1 \mbox{ (mod }p\mbox{)}$. The integer $b$ is called the multiplicative inverse of $a$ which is |
|
|
5964 denoted as $b = a^{-1}$. Technically speaking modular inversion is a well defined operation for any finite ring or field not just for rings and |
|
|
5965 fields of integers. However, the former will be the matter of discussion. |
|
|
5966 |
|
|
5967 The simplest approach is to compute the algebraic inverse of the input. That is to compute $b \equiv a^{\Phi(p) - 1}$. If $\Phi(p)$ is the |
|
|
5968 order of the multiplicative subgroup modulo $p$ then $b$ must be the multiplicative inverse of $a$. The proof of which is trivial. |
|
|
5969 |
|
|
5970 \begin{equation} |
|
|
5971 ab \equiv a \left (a^{\Phi(p) - 1} \right ) \equiv a^{\Phi(p)} \equiv a^0 \equiv 1 \mbox{ (mod }p\mbox{)} |
|
|
5972 \end{equation} |
|
|
5973 |
|
|
5974 However, as simple as this approach may be it has two serious flaws. It requires that the value of $\Phi(p)$ be known which if $p$ is composite |
|
|
5975 requires all of the prime factors. This approach also is very slow as the size of $p$ grows. |
|
|
5976 |
|
|
5977 A simpler approach is based on the observation that solving for the multiplicative inverse is equivalent to solving the linear |
|
|
5978 Diophantine\footnote{See LeVeque \cite[pp. 40-43]{LeVeque} for more information.} equation. |
|
|
5979 |
|
|
5980 \begin{equation} |
|
|
5981 ab + pq = 1 |
|
|
5982 \end{equation} |
|
|
5983 |
|
|
5984 Where $a$, $b$, $p$ and $q$ are all integers. If such a pair of integers $ \left < b, q \right >$ exist than $b$ is the multiplicative inverse of |
|
|
5985 $a$ modulo $p$. The extended Euclidean algorithm (Knuth \cite[pp. 342]{TAOCPV2}) can be used to solve such equations provided $(a, p) = 1$. |
|
|
5986 However, instead of using that algorithm directly a variant known as the binary Extended Euclidean algorithm will be used in its place. The |
|
|
5987 binary approach is very similar to the binary greatest common divisor algorithm except it will produce a full solution to the Diophantine |
|
|
5988 equation. |
|
|
5989 |
|
|
5990 \subsection{General Case} |
|
|
5991 \newpage\begin{figure}[!here] |
|
|
5992 \begin{small} |
|
|
5993 \begin{center} |
|
|
5994 \begin{tabular}{l} |
|
|
5995 \hline Algorithm \textbf{mp\_invmod}. \\ |
|
|
5996 \textbf{Input}. mp\_int $a$ and $b$, $(a, b) = 1$, $p \ge 2$, $0 < a < p$. \\ |
|
|
5997 \textbf{Output}. The modular inverse $c \equiv a^{-1} \mbox{ (mod }b\mbox{)}$. \\ |
|
|
5998 \hline \\ |
|
|
5999 1. If $b \le 0$ then return(\textit{MP\_VAL}). \\ |
|
|
6000 2. If $b_0 \equiv 1 \mbox{ (mod }2\mbox{)}$ then use algorithm fast\_mp\_invmod. \\ |
|
|
6001 3. $x \leftarrow \vert a \vert, y \leftarrow b$ \\ |
|
|
6002 4. If $x_0 \equiv y_0 \equiv 0 \mbox{ (mod }2\mbox{)}$ then return(\textit{MP\_VAL}). \\ |
|
|
6003 5. $B \leftarrow 0, C \leftarrow 0, A \leftarrow 1, D \leftarrow 1$ \\ |
|
|
6004 6. While $u.used > 0$ and $u_0 \equiv 0 \mbox{ (mod }2\mbox{)}$ \\ |
|
|
6005 \hspace{3mm}6.1 $u \leftarrow \lfloor u / 2 \rfloor$ \\ |
|
|
6006 \hspace{3mm}6.2 If ($A.used > 0$ and $A_0 \equiv 1 \mbox{ (mod }2\mbox{)}$) or ($B.used > 0$ and $B_0 \equiv 1 \mbox{ (mod }2\mbox{)}$) then \\ |
|
|
6007 \hspace{6mm}6.2.1 $A \leftarrow A + y$ \\ |
|
|
6008 \hspace{6mm}6.2.2 $B \leftarrow B - x$ \\ |
|
|
6009 \hspace{3mm}6.3 $A \leftarrow \lfloor A / 2 \rfloor$ \\ |
|
|
6010 \hspace{3mm}6.4 $B \leftarrow \lfloor B / 2 \rfloor$ \\ |
|
|
6011 7. While $v.used > 0$ and $v_0 \equiv 0 \mbox{ (mod }2\mbox{)}$ \\ |
|
|
6012 \hspace{3mm}7.1 $v \leftarrow \lfloor v / 2 \rfloor$ \\ |
|
|
6013 \hspace{3mm}7.2 If ($C.used > 0$ and $C_0 \equiv 1 \mbox{ (mod }2\mbox{)}$) or ($D.used > 0$ and $D_0 \equiv 1 \mbox{ (mod }2\mbox{)}$) then \\ |
|
|
6014 \hspace{6mm}7.2.1 $C \leftarrow C + y$ \\ |
|
|
6015 \hspace{6mm}7.2.2 $D \leftarrow D - x$ \\ |
|
|
6016 \hspace{3mm}7.3 $C \leftarrow \lfloor C / 2 \rfloor$ \\ |
|
|
6017 \hspace{3mm}7.4 $D \leftarrow \lfloor D / 2 \rfloor$ \\ |
|
|
6018 8. If $u \ge v$ then \\ |
|
|
6019 \hspace{3mm}8.1 $u \leftarrow u - v$ \\ |
|
|
6020 \hspace{3mm}8.2 $A \leftarrow A - C$ \\ |
|
|
6021 \hspace{3mm}8.3 $B \leftarrow B - D$ \\ |
|
|
6022 9. else \\ |
|
|
6023 \hspace{3mm}9.1 $v \leftarrow v - u$ \\ |
|
|
6024 \hspace{3mm}9.2 $C \leftarrow C - A$ \\ |
|
|
6025 \hspace{3mm}9.3 $D \leftarrow D - B$ \\ |
|
|
6026 10. If $u \ne 0$ goto step 6. \\ |
|
|
6027 11. If $v \ne 1$ return(\textit{MP\_VAL}). \\ |
|
|
6028 12. While $C \le 0$ do \\ |
|
|
6029 \hspace{3mm}12.1 $C \leftarrow C + b$ \\ |
|
|
6030 13. While $C \ge b$ do \\ |
|
|
6031 \hspace{3mm}13.1 $C \leftarrow C - b$ \\ |
|
|
6032 14. $c \leftarrow C$ \\ |
|
|
6033 15. Return(\textit{MP\_OKAY}). \\ |
|
|
6034 \hline |
|
|
6035 \end{tabular} |
|
|
6036 \end{center} |
|
|
6037 \end{small} |
|
|
6038 \end{figure} |
|
|
6039 \textbf{Algorithm mp\_invmod.} |
|
|
6040 This algorithm computes the modular multiplicative inverse of an integer $a$ modulo an integer $b$. This algorithm is a variation of the |
|
|
6041 extended binary Euclidean algorithm from HAC \cite[pp. 608]{HAC}. It has been modified to only compute the modular inverse and not a complete |
|
|
6042 Diophantine solution. |
|
|
6043 |
|
|
6044 If $b \le 0$ than the modulus is invalid and MP\_VAL is returned. Similarly if both $a$ and $b$ are even then there cannot be a multiplicative |
|
|
6045 inverse for $a$ and the error is reported. |
|
|
6046 |
|
|
6047 The astute reader will observe that steps seven through nine are very similar to the binary greatest common divisor algorithm mp\_gcd. In this case |
|
|
6048 the other variables to the Diophantine equation are solved. The algorithm terminates when $u = 0$ in which case the solution is |
|
|
6049 |
|
|
6050 \begin{equation} |
|
|
6051 Ca + Db = v |
|
|
6052 \end{equation} |
|
|
6053 |
|
|
6054 If $v$, the greatest common divisor of $a$ and $b$ is not equal to one then the algorithm will report an error as no inverse exists. Otherwise, $C$ |
|
|
6055 is the modular inverse of $a$. The actual value of $C$ is congruent to, but not necessarily equal to, the ideal modular inverse which should lie |
|
|
6056 within $1 \le a^{-1} < b$. Step numbers twelve and thirteen adjust the inverse until it is in range. If the original input $a$ is within $0 < a < p$ |
|
|
6057 then only a couple of additions or subtractions will be required to adjust the inverse. |
|
|
6058 |
|
|
6059 EXAM,bn_mp_invmod.c |
|
|
6060 |
|
|
6061 \subsubsection{Odd Moduli} |
|
|
6062 |
|
|
6063 When the modulus $b$ is odd the variables $A$ and $C$ are fixed and are not required to compute the inverse. In particular by attempting to solve |
|
|
6064 the Diophantine $Cb + Da = 1$ only $B$ and $D$ are required to find the inverse of $a$. |
|
|
6065 |
|
|
6066 The algorithm fast\_mp\_invmod is a direct adaptation of algorithm mp\_invmod with all all steps involving either $A$ or $C$ removed. This |
|
|
6067 optimization will halve the time required to compute the modular inverse. |
|
|
6068 |
|
|
6069 \section{Primality Tests} |
|
|
6070 |
|
|
6071 A non-zero integer $a$ is said to be prime if it is not divisible by any other integer excluding one and itself. For example, $a = 7$ is prime |
|
|
6072 since the integers $2 \ldots 6$ do not evenly divide $a$. By contrast, $a = 6$ is not prime since $a = 6 = 2 \cdot 3$. |
|
|
6073 |
|
|
6074 Prime numbers arise in cryptography considerably as they allow finite fields to be formed. The ability to determine whether an integer is prime or |
|
|
6075 not quickly has been a viable subject in cryptography and number theory for considerable time. The algorithms that will be presented are all |
|
|
6076 probablistic algorithms in that when they report an integer is composite it must be composite. However, when the algorithms report an integer is |
|
|
6077 prime the algorithm may be incorrect. |
|
|
6078 |
|
|
6079 As will be discussed it is possible to limit the probability of error so well that for practical purposes the probablity of error might as |
|
|
6080 well be zero. For the purposes of these discussions let $n$ represent the candidate integer of which the primality is in question. |
|
|
6081 |
|
|
6082 \subsection{Trial Division} |
|
|
6083 |
|
|
6084 Trial division means to attempt to evenly divide a candidate integer by small prime integers. If the candidate can be evenly divided it obviously |
|
|
6085 cannot be prime. By dividing by all primes $1 < p \le \sqrt{n}$ this test can actually prove whether an integer is prime. However, such a test |
|
|
6086 would require a prohibitive amount of time as $n$ grows. |
|
|
6087 |
|
|
6088 Instead of dividing by every prime, a smaller, more mangeable set of primes may be used instead. By performing trial division with only a subset |
|
|
6089 of the primes less than $\sqrt{n} + 1$ the algorithm cannot prove if a candidate is prime. However, often it can prove a candidate is not prime. |
|
|
6090 |
|
|
6091 The benefit of this test is that trial division by small values is fairly efficient. Specially compared to the other algorithms that will be |
|
|
6092 discussed shortly. The probability that this approach correctly identifies a composite candidate when tested with all primes upto $q$ is given by |
|
|
6093 $1 - {1.12 \over ln(q)}$. The graph (\ref{pic:primality}, will be added later) demonstrates the probability of success for the range |
|
|
6094 $3 \le q \le 100$. |
|
|
6095 |
|
|
6096 At approximately $q = 30$ the gain of performing further tests diminishes fairly quickly. At $q = 90$ further testing is generally not going to |
|
|
6097 be of any practical use. In the case of LibTomMath the default limit $q = 256$ was chosen since it is not too high and will eliminate |
|
|
6098 approximately $80\%$ of all candidate integers. The constant \textbf{PRIME\_SIZE} is equal to the number of primes in the test base. The |
|
|
6099 array \_\_prime\_tab is an array of the first \textbf{PRIME\_SIZE} prime numbers. |
|
|
6100 |
|
|
6101 \begin{figure}[!here] |
|
|
6102 \begin{small} |
|
|
6103 \begin{center} |
|
|
6104 \begin{tabular}{l} |
|
|
6105 \hline Algorithm \textbf{mp\_prime\_is\_divisible}. \\ |
|
|
6106 \textbf{Input}. mp\_int $a$ \\ |
|
|
6107 \textbf{Output}. $c = 1$ if $n$ is divisible by a small prime, otherwise $c = 0$. \\ |
|
|
6108 \hline \\ |
|
|
6109 1. for $ix$ from $0$ to $PRIME\_SIZE$ do \\ |
|
|
6110 \hspace{3mm}1.1 $d \leftarrow n \mbox{ (mod }\_\_prime\_tab_{ix}\mbox{)}$ \\ |
|
|
6111 \hspace{3mm}1.2 If $d = 0$ then \\ |
|
|
6112 \hspace{6mm}1.2.1 $c \leftarrow 1$ \\ |
|
|
6113 \hspace{6mm}1.2.2 Return(\textit{MP\_OKAY}). \\ |
|
|
6114 2. $c \leftarrow 0$ \\ |
|
|
6115 3. Return(\textit{MP\_OKAY}). \\ |
|
|
6116 \hline |
|
|
6117 \end{tabular} |
|
|
6118 \end{center} |
|
|
6119 \end{small} |
|
|
6120 \caption{Algorithm mp\_prime\_is\_divisible} |
|
|
6121 \end{figure} |
|
|
6122 \textbf{Algorithm mp\_prime\_is\_divisible.} |
|
|
6123 This algorithm attempts to determine if a candidate integer $n$ is composite by performing trial divisions. |
|
|
6124 |
|
|
6125 EXAM,bn_mp_prime_is_divisible.c |
|
|
6126 |
|
|
6127 The algorithm defaults to a return of $0$ in case an error occurs. The values in the prime table are all specified to be in the range of a |
|
|
6128 mp\_digit. The table \_\_prime\_tab is defined in the following file. |
|
|
6129 |
|
|
6130 EXAM,bn_prime_tab.c |
|
|
6131 |
|
|
6132 Note that there are two possible tables. When an mp\_digit is 7-bits long only the primes upto $127$ may be included, otherwise the primes |
|
|
6133 upto $1619$ are used. Note that the value of \textbf{PRIME\_SIZE} is a constant dependent on the size of a mp\_digit. |
|
|
6134 |
|
|
6135 \subsection{The Fermat Test} |
|
|
6136 The Fermat test is probably one the oldest tests to have a non-trivial probability of success. It is based on the fact that if $n$ is in |
|
|
6137 fact prime then $a^{n} \equiv a \mbox{ (mod }n\mbox{)}$ for all $0 < a < n$. The reason being that if $n$ is prime than the order of |
|
|
6138 the multiplicative sub group is $n - 1$. Any base $a$ must have an order which divides $n - 1$ and as such $a^n$ is equivalent to |
|
|
6139 $a^1 = a$. |
|
|
6140 |
|
|
6141 If $n$ is composite then any given base $a$ does not have to have a period which divides $n - 1$. In which case |
|
|
6142 it is possible that $a^n \nequiv a \mbox{ (mod }n\mbox{)}$. However, this test is not absolute as it is possible that the order |
|
|
6143 of a base will divide $n - 1$ which would then be reported as prime. Such a base yields what is known as a Fermat pseudo-prime. Several |
|
|
6144 integers known as Carmichael numbers will be a pseudo-prime to all valid bases. Fortunately such numbers are extremely rare as $n$ grows |
|
|
6145 in size. |
|
|
6146 |
|
|
6147 \begin{figure}[!here] |
|
|
6148 \begin{small} |
|
|
6149 \begin{center} |
|
|
6150 \begin{tabular}{l} |
|
|
6151 \hline Algorithm \textbf{mp\_prime\_fermat}. \\ |
|
|
6152 \textbf{Input}. mp\_int $a$ and $b$, $a \ge 2$, $0 < b < a$. \\ |
|
|
6153 \textbf{Output}. $c = 1$ if $b^a \equiv b \mbox{ (mod }a\mbox{)}$, otherwise $c = 0$. \\ |
|
|
6154 \hline \\ |
|
|
6155 1. $t \leftarrow b^a \mbox{ (mod }a\mbox{)}$ \\ |
|
|
6156 2. If $t = b$ then \\ |
|
|
6157 \hspace{3mm}2.1 $c = 1$ \\ |
|
|
6158 3. else \\ |
|
|
6159 \hspace{3mm}3.1 $c = 0$ \\ |
|
|
6160 4. Return(\textit{MP\_OKAY}). \\ |
|
|
6161 \hline |
|
|
6162 \end{tabular} |
|
|
6163 \end{center} |
|
|
6164 \end{small} |
|
|
6165 \caption{Algorithm mp\_prime\_fermat} |
|
|
6166 \end{figure} |
|
|
6167 \textbf{Algorithm mp\_prime\_fermat.} |
|
|
6168 This algorithm determines whether an mp\_int $a$ is a Fermat prime to the base $b$ or not. It uses a single modular exponentiation to |
|
|
6169 determine the result. |
|
|
6170 |
|
|
6171 EXAM,bn_mp_prime_fermat.c |
|
|
6172 |
|
|
6173 \subsection{The Miller-Rabin Test} |
|
|
6174 The Miller-Rabin (citation) test is another primality test which has tighter error bounds than the Fermat test specifically with sequentially chosen |
|
|
6175 candidate integers. The algorithm is based on the observation that if $n - 1 = 2^kr$ and if $b^r \nequiv \pm 1$ then after upto $k - 1$ squarings the |
|
|
6176 value must be equal to $-1$. The squarings are stopped as soon as $-1$ is observed. If the value of $1$ is observed first it means that |
|
|
6177 some value not congruent to $\pm 1$ when squared equals one which cannot occur if $n$ is prime. |
|
|
6178 |
|
|
6179 \begin{figure}[!here] |
|
|
6180 \begin{small} |
|
|
6181 \begin{center} |
|
|
6182 \begin{tabular}{l} |
|
|
6183 \hline Algorithm \textbf{mp\_prime\_miller\_rabin}. \\ |
|
|
6184 \textbf{Input}. mp\_int $a$ and $b$, $a \ge 2$, $0 < b < a$. \\ |
|
|
6185 \textbf{Output}. $c = 1$ if $a$ is a Miller-Rabin prime to the base $a$, otherwise $c = 0$. \\ |
|
|
6186 \hline |
|
|
6187 1. $a' \leftarrow a - 1$ \\ |
|
|
6188 2. $r \leftarrow n1$ \\ |
|
|
6189 3. $c \leftarrow 0, s \leftarrow 0$ \\ |
|
|
6190 4. While $r.used > 0$ and $r_0 \equiv 0 \mbox{ (mod }2\mbox{)}$ \\ |
|
|
6191 \hspace{3mm}4.1 $s \leftarrow s + 1$ \\ |
|
|
6192 \hspace{3mm}4.2 $r \leftarrow \lfloor r / 2 \rfloor$ \\ |
|
|
6193 5. $y \leftarrow b^r \mbox{ (mod }a\mbox{)}$ \\ |
|
|
6194 6. If $y \nequiv \pm 1$ then \\ |
|
|
6195 \hspace{3mm}6.1 $j \leftarrow 1$ \\ |
|
|
6196 \hspace{3mm}6.2 While $j \le (s - 1)$ and $y \nequiv a'$ \\ |
|
|
6197 \hspace{6mm}6.2.1 $y \leftarrow y^2 \mbox{ (mod }a\mbox{)}$ \\ |
|
|
6198 \hspace{6mm}6.2.2 If $y = 1$ then goto step 8. \\ |
|
|
6199 \hspace{6mm}6.2.3 $j \leftarrow j + 1$ \\ |
|
|
6200 \hspace{3mm}6.3 If $y \nequiv a'$ goto step 8. \\ |
|
|
6201 7. $c \leftarrow 1$\\ |
|
|
6202 8. Return(\textit{MP\_OKAY}). \\ |
|
|
6203 \hline |
|
|
6204 \end{tabular} |
|
|
6205 \end{center} |
|
|
6206 \end{small} |
|
|
6207 \caption{Algorithm mp\_prime\_miller\_rabin} |
|
|
6208 \end{figure} |
|
|
6209 \textbf{Algorithm mp\_prime\_miller\_rabin.} |
|
|
6210 This algorithm performs one trial round of the Miller-Rabin algorithm to the base $b$. It will set $c = 1$ if the algorithm cannot determine |
|
|
6211 if $b$ is composite or $c = 0$ if $b$ is provably composite. The values of $s$ and $r$ are computed such that $a' = a - 1 = 2^sr$. |
|
|
6212 |
|
|
6213 If the value $y \equiv b^r$ is congruent to $\pm 1$ then the algorithm cannot prove if $a$ is composite or not. Otherwise, the algorithm will |
|
|
6214 square $y$ upto $s - 1$ times stopping only when $y \equiv -1$. If $y^2 \equiv 1$ and $y \nequiv \pm 1$ then the algorithm can report that $a$ |
|
|
6215 is provably composite. If the algorithm performs $s - 1$ squarings and $y \nequiv -1$ then $a$ is provably composite. If $a$ is not provably |
|
|
6216 composite then it is \textit{probably} prime. |
|
|
6217 |
|
|
6218 EXAM,bn_mp_prime_miller_rabin.c |
|
|
6219 |
|
|
6220 |
|
|
6221 |
|
|
6222 |
|
|
6223 \backmatter |
|
|
6224 \appendix |
|
|
6225 \begin{thebibliography}{ABCDEF} |
|
|
6226 \bibitem[1]{TAOCPV2} |
|
|
6227 Donald Knuth, \textit{The Art of Computer Programming}, Third Edition, Volume Two, Seminumerical Algorithms, Addison-Wesley, 1998 |
|
|
6228 |
|
|
6229 \bibitem[2]{HAC} |
|
|
6230 A. Menezes, P. van Oorschot, S. Vanstone, \textit{Handbook of Applied Cryptography}, CRC Press, 1996 |
|
|
6231 |
|
|
6232 \bibitem[3]{ROSE} |
|
|
6233 Michael Rosing, \textit{Implementing Elliptic Curve Cryptography}, Manning Publications, 1999 |
|
|
6234 |
|
|
6235 \bibitem[4]{COMBA} |
|
|
6236 Paul G. Comba, \textit{Exponentiation Cryptosystems on the IBM PC}. IBM Systems Journal 29(4): 526-538 (1990) |
|
|
6237 |
|
|
6238 \bibitem[5]{KARA} |
|
|
6239 A. Karatsuba, Doklay Akad. Nauk SSSR 145 (1962), pp.293-294 |
|
|
6240 |
|
|
6241 \bibitem[6]{KARAP} |
|
|
6242 Andre Weimerskirch and Christof Paar, \textit{Generalizations of the Karatsuba Algorithm for Polynomial Multiplication}, Submitted to Design, Codes and Cryptography, March 2002 |
|
|
6243 |
|
|
6244 \bibitem[7]{BARRETT} |
|
|
6245 Paul Barrett, \textit{Implementing the Rivest Shamir and Adleman Public Key Encryption Algorithm on a Standard Digital Signal Processor}, Advances in Cryptology, Crypto '86, Springer-Verlag. |
|
|
6246 |
|
|
6247 \bibitem[8]{MONT} |
|
|
6248 P.L.Montgomery. \textit{Modular multiplication without trial division}. Mathematics of Computation, 44(170):519-521, April 1985. |
|
|
6249 |
|
|
6250 \bibitem[9]{DRMET} |
|
|
6251 Chae Hoon Lim and Pil Joong Lee, \textit{Generating Efficient Primes for Discrete Log Cryptosystems}, POSTECH Information Research Laboratories |
|
|
6252 |
|
|
6253 \bibitem[10]{MMB} |
|
|
6254 J. Daemen and R. Govaerts and J. Vandewalle, \textit{Block ciphers based on Modular Arithmetic}, State and {P}rogress in the {R}esearch of {C}ryptography, 1993, pp. 80-89 |
|
|
6255 |
|
|
6256 \bibitem[11]{RSAREF} |
|
|
6257 R.L. Rivest, A. Shamir, L. Adleman, \textit{A Method for Obtaining Digital Signatures and Public-Key Cryptosystems} |
|
|
6258 |
|
|
6259 \bibitem[12]{DHREF} |
|
|
6260 Whitfield Diffie, Martin E. Hellman, \textit{New Directions in Cryptography}, IEEE Transactions on Information Theory, 1976 |
|
|
6261 |
|
|
6262 \bibitem[13]{IEEE} |
|
|
6263 IEEE Standard for Binary Floating-Point Arithmetic (ANSI/IEEE Std 754-1985) |
|
|
6264 |
|
|
6265 \bibitem[14]{GMP} |
|
|
6266 GNU Multiple Precision (GMP), \url{http://www.swox.com/gmp/} |
|
|
6267 |
|
|
6268 \bibitem[15]{MPI} |
|
|
6269 Multiple Precision Integer Library (MPI), Michael Fromberger, \url{http://thayer.dartmouth.edu/~sting/mpi/} |
|
|
6270 |
|
|
6271 \bibitem[16]{OPENSSL} |
|
|
6272 OpenSSL Cryptographic Toolkit, \url{http://openssl.org} |
|
|
6273 |
|
|
6274 \bibitem[17]{LIP} |
|
|
6275 Large Integer Package, \url{http://home.hetnet.nl/~ecstr/LIP.zip} |
|
|
6276 |
|
|
6277 \bibitem[18]{ISOC} |
|
|
6278 JTC1/SC22/WG14, ISO/IEC 9899:1999, ``A draft rationale for the C99 standard.'' |
|
|
6279 |
|
|
6280 \bibitem[19]{JAVA} |
|
|
6281 The Sun Java Website, \url{http://java.sun.com/} |
|
|
6282 |
|
|
6283 \end{thebibliography} |
|
|
6284 |
|
|
6285 \input{tommath.ind} |
|
|
6286 |
|
|
6287 \end{document} |
