|
282
|
1 \documentclass[b5paper]{book} |
|
|
2 \usepackage{hyperref} |
|
|
3 \usepackage{makeidx} |
|
|
4 \usepackage{amssymb} |
|
|
5 \usepackage{color} |
|
|
6 \usepackage{alltt} |
|
|
7 \usepackage{graphicx} |
|
|
8 \usepackage{layout} |
|
|
9 \def\union{\cup} |
|
|
10 \def\intersect{\cap} |
|
|
11 \def\getsrandom{\stackrel{\rm R}{\gets}} |
|
|
12 \def\cross{\times} |
|
|
13 \def\cat{\hspace{0.5em} \| \hspace{0.5em}} |
|
|
14 \def\catn{$\|$} |
|
|
15 \def\divides{\hspace{0.3em} | \hspace{0.3em}} |
|
|
16 \def\nequiv{\not\equiv} |
|
|
17 \def\approx{\raisebox{0.2ex}{\mbox{\small $\sim$}}} |
|
|
18 \def\lcm{{\rm lcm}} |
|
|
19 \def\gcd{{\rm gcd}} |
|
|
20 \def\log{{\rm log}} |
|
|
21 \def\ord{{\rm ord}} |
|
|
22 \def\abs{{\mathit abs}} |
|
|
23 \def\rep{{\mathit rep}} |
|
|
24 \def\mod{{\mathit\ mod\ }} |
|
|
25 \renewcommand{\pmod}[1]{\ ({\rm mod\ }{#1})} |
|
|
26 \newcommand{\floor}[1]{\left\lfloor{#1}\right\rfloor} |
|
|
27 \newcommand{\ceil}[1]{\left\lceil{#1}\right\rceil} |
|
|
28 \def\Or{{\rm\ or\ }} |
|
|
29 \def\And{{\rm\ and\ }} |
|
|
30 \def\iff{\hspace{1em}\Longleftrightarrow\hspace{1em}} |
|
|
31 \def\implies{\Rightarrow} |
|
|
32 \def\undefined{{\rm ``undefined"}} |
|
|
33 \def\Proof{\vspace{1ex}\noindent {\bf Proof:}\hspace{1em}} |
|
|
34 \let\oldphi\phi |
|
|
35 \def\phi{\varphi} |
|
|
36 \def\Pr{{\rm Pr}} |
|
|
37 \newcommand{\str}[1]{{\mathbf{#1}}} |
|
|
38 \def\F{{\mathbb F}} |
|
|
39 \def\N{{\mathbb N}} |
|
|
40 \def\Z{{\mathbb Z}} |
|
|
41 \def\R{{\mathbb R}} |
|
|
42 \def\C{{\mathbb C}} |
|
|
43 \def\Q{{\mathbb Q}} |
|
|
44 \definecolor{DGray}{gray}{0.5} |
|
|
45 \newcommand{\emailaddr}[1]{\mbox{$<${#1}$>$}} |
|
|
46 \def\twiddle{\raisebox{0.3ex}{\mbox{\tiny $\sim$}}} |
|
|
47 \def\gap{\vspace{0.5ex}} |
|
|
48 \makeindex |
|
|
49 \begin{document} |
|
|
50 \frontmatter |
|
|
51 \pagestyle{empty} |
|
|
52 \title{Multi--Precision Math} |
|
|
53 \author{\mbox{ |
|
|
54 %\begin{small} |
|
|
55 \begin{tabular}{c} |
|
|
56 Tom St Denis \\ |
|
|
57 Algonquin College \\ |
|
|
58 \\ |
|
|
59 Mads Rasmussen \\ |
|
|
60 Open Communications Security \\ |
|
|
61 \\ |
|
|
62 Greg Rose \\ |
|
|
63 QUALCOMM Australia \\ |
|
|
64 \end{tabular} |
|
|
65 %\end{small} |
|
|
66 } |
|
|
67 } |
|
|
68 \maketitle |
|
386
|
69 This text has been placed in the public domain. This text corresponds to the v0.39 release of the |
|
282
|
70 LibTomMath project. |
|
|
71 |
|
|
72 \begin{alltt} |
|
|
73 Tom St Denis |
|
|
74 111 Banning Rd |
|
|
75 Ottawa, Ontario |
|
|
76 K2L 1C3 |
|
|
77 Canada |
|
|
78 |
|
|
79 Phone: 1-613-836-3160 |
|
386
|
80 Email: [email protected] |
|
282
|
81 \end{alltt} |
|
|
82 |
|
|
83 This text is formatted to the international B5 paper size of 176mm wide by 250mm tall using the \LaTeX{} |
|
|
84 {\em book} macro package and the Perl {\em booker} package. |
|
|
85 |
|
|
86 \tableofcontents |
|
|
87 \listoffigures |
|
|
88 \chapter*{Prefaces} |
|
|
89 When I tell people about my LibTom projects and that I release them as public domain they are often puzzled. |
|
|
90 They ask why I did it and especially why I continue to work on them for free. The best I can explain it is ``Because I can.'' |
|
|
91 Which seems odd and perhaps too terse for adult conversation. I often qualify it with ``I am able, I am willing.'' which |
|
|
92 perhaps explains it better. I am the first to admit there is not anything that special with what I have done. Perhaps |
|
|
93 others can see that too and then we would have a society to be proud of. My LibTom projects are what I am doing to give |
|
|
94 back to society in the form of tools and knowledge that can help others in their endeavours. |
|
|
95 |
|
|
96 I started writing this book because it was the most logical task to further my goal of open academia. The LibTomMath source |
|
|
97 code itself was written to be easy to follow and learn from. There are times, however, where pure C source code does not |
|
|
98 explain the algorithms properly. Hence this book. The book literally starts with the foundation of the library and works |
|
|
99 itself outwards to the more complicated algorithms. The use of both pseudo--code and verbatim source code provides a duality |
|
|
100 of ``theory'' and ``practice'' that the computer science students of the world shall appreciate. I never deviate too far |
|
|
101 from relatively straightforward algebra and I hope that this book can be a valuable learning asset. |
|
|
102 |
|
|
103 This book and indeed much of the LibTom projects would not exist in their current form if it was not for a plethora |
|
|
104 of kind people donating their time, resources and kind words to help support my work. Writing a text of significant |
|
|
105 length (along with the source code) is a tiresome and lengthy process. Currently the LibTom project is four years old, |
|
|
106 comprises of literally thousands of users and over 100,000 lines of source code, TeX and other material. People like Mads and Greg |
|
|
107 were there at the beginning to encourage me to work well. It is amazing how timely validation from others can boost morale to |
|
|
108 continue the project. Definitely my parents were there for me by providing room and board during the many months of work in 2003. |
|
|
109 |
|
|
110 To my many friends whom I have met through the years I thank you for the good times and the words of encouragement. I hope I |
|
|
111 honour your kind gestures with this project. |
|
|
112 |
|
|
113 Open Source. Open Academia. Open Minds. |
|
|
114 |
|
|
115 \begin{flushright} Tom St Denis \end{flushright} |
|
|
116 |
|
|
117 \newpage |
|
|
118 I found the opportunity to work with Tom appealing for several reasons, not only could I broaden my own horizons, but also |
|
|
119 contribute to educate others facing the problem of having to handle big number mathematical calculations. |
|
|
120 |
|
|
121 This book is Tom's child and he has been caring and fostering the project ever since the beginning with a clear mind of |
|
|
122 how he wanted the project to turn out. I have helped by proofreading the text and we have had several discussions about |
|
|
123 the layout and language used. |
|
|
124 |
|
|
125 I hold a masters degree in cryptography from the University of Southern Denmark and have always been interested in the |
|
|
126 practical aspects of cryptography. |
|
|
127 |
|
|
128 Having worked in the security consultancy business for several years in S\~{a}o Paulo, Brazil, I have been in touch with a |
|
|
129 great deal of work in which multiple precision mathematics was needed. Understanding the possibilities for speeding up |
|
|
130 multiple precision calculations is often very important since we deal with outdated machine architecture where modular |
|
|
131 reductions, for example, become painfully slow. |
|
|
132 |
|
|
133 This text is for people who stop and wonder when first examining algorithms such as RSA for the first time and asks |
|
|
134 themselves, ``You tell me this is only secure for large numbers, fine; but how do you implement these numbers?'' |
|
|
135 |
|
|
136 \begin{flushright} |
|
|
137 Mads Rasmussen |
|
|
138 |
|
|
139 S\~{a}o Paulo - SP |
|
|
140 |
|
|
141 Brazil |
|
|
142 \end{flushright} |
|
|
143 |
|
|
144 \newpage |
|
|
145 It's all because I broke my leg. That just happened to be at about the same time that Tom asked for someone to review the section of the book about |
|
|
146 Karatsuba multiplication. I was laid up, alone and immobile, and thought ``Why not?'' I vaguely knew what Karatsuba multiplication was, but not |
|
|
147 really, so I thought I could help, learn, and stop myself from watching daytime cable TV, all at once. |
|
|
148 |
|
|
149 At the time of writing this, I've still not met Tom or Mads in meatspace. I've been following Tom's progress since his first splash on the |
|
|
150 sci.crypt Usenet news group. I watched him go from a clueless newbie, to the cryptographic equivalent of a reformed smoker, to a real |
|
|
151 contributor to the field, over a period of about two years. I've been impressed with his obvious intelligence, and astounded by his productivity. |
|
|
152 Of course, he's young enough to be my own child, so he doesn't have my problems with staying awake. |
|
|
153 |
|
|
154 When I reviewed that single section of the book, in its very earliest form, I was very pleasantly surprised. So I decided to collaborate more fully, |
|
|
155 and at least review all of it, and perhaps write some bits too. There's still a long way to go with it, and I have watched a number of close |
|
|
156 friends go through the mill of publication, so I think that the way to go is longer than Tom thinks it is. Nevertheless, it's a good effort, |
|
|
157 and I'm pleased to be involved with it. |
|
|
158 |
|
|
159 \begin{flushright} |
|
|
160 Greg Rose, Sydney, Australia, June 2003. |
|
|
161 \end{flushright} |
|
|
162 |
|
|
163 \mainmatter |
|
|
164 \pagestyle{headings} |
|
|
165 \chapter{Introduction} |
|
|
166 \section{Multiple Precision Arithmetic} |
|
|
167 |
|
|
168 \subsection{What is Multiple Precision Arithmetic?} |
|
|
169 When we think of long-hand arithmetic such as addition or multiplication we rarely consider the fact that we instinctively |
|
|
170 raise or lower the precision of the numbers we are dealing with. For example, in decimal we almost immediate can |
|
|
171 reason that $7$ times $6$ is $42$. However, $42$ has two digits of precision as opposed to one digit we started with. |
|
|
172 Further multiplications of say $3$ result in a larger precision result $126$. In these few examples we have multiple |
|
|
173 precisions for the numbers we are working with. Despite the various levels of precision a single subset\footnote{With the occasional optimization.} |
|
|
174 of algorithms can be designed to accomodate them. |
|
|
175 |
|
|
176 By way of comparison a fixed or single precision operation would lose precision on various operations. For example, in |
|
|
177 the decimal system with fixed precision $6 \cdot 7 = 2$. |
|
|
178 |
|
|
179 Essentially at the heart of computer based multiple precision arithmetic are the same long-hand algorithms taught in |
|
|
180 schools to manually add, subtract, multiply and divide. |
|
|
181 |
|
|
182 \subsection{The Need for Multiple Precision Arithmetic} |
|
|
183 The most prevalent need for multiple precision arithmetic, often referred to as ``bignum'' math, is within the implementation |
|
|
184 of public-key cryptography algorithms. Algorithms such as RSA \cite{RSAREF} and Diffie-Hellman \cite{DHREF} require |
|
|
185 integers of significant magnitude to resist known cryptanalytic attacks. For example, at the time of this writing a |
|
|
186 typical RSA modulus would be at least greater than $10^{309}$. However, modern programming languages such as ISO C \cite{ISOC} and |
|
|
187 Java \cite{JAVA} only provide instrinsic support for integers which are relatively small and single precision. |
|
|
188 |
|
|
189 \begin{figure}[!here] |
|
|
190 \begin{center} |
|
|
191 \begin{tabular}{|r|c|} |
|
|
192 \hline \textbf{Data Type} & \textbf{Range} \\ |
|
|
193 \hline char & $-128 \ldots 127$ \\ |
|
|
194 \hline short & $-32768 \ldots 32767$ \\ |
|
|
195 \hline long & $-2147483648 \ldots 2147483647$ \\ |
|
|
196 \hline long long & $-9223372036854775808 \ldots 9223372036854775807$ \\ |
|
|
197 \hline |
|
|
198 \end{tabular} |
|
|
199 \end{center} |
|
|
200 \caption{Typical Data Types for the C Programming Language} |
|
|
201 \label{fig:ISOC} |
|
|
202 \end{figure} |
|
|
203 |
|
|
204 The largest data type guaranteed to be provided by the ISO C programming |
|
|
205 language\footnote{As per the ISO C standard. However, each compiler vendor is allowed to augment the precision as they |
|
|
206 see fit.} can only represent values up to $10^{19}$ as shown in figure \ref{fig:ISOC}. On its own the C language is |
|
|
207 insufficient to accomodate the magnitude required for the problem at hand. An RSA modulus of magnitude $10^{19}$ could be |
|
|
208 trivially factored\footnote{A Pollard-Rho factoring would take only $2^{16}$ time.} on the average desktop computer, |
|
|
209 rendering any protocol based on the algorithm insecure. Multiple precision algorithms solve this very problem by |
|
|
210 extending the range of representable integers while using single precision data types. |
|
|
211 |
|
|
212 Most advancements in fast multiple precision arithmetic stem from the need for faster and more efficient cryptographic |
|
|
213 primitives. Faster modular reduction and exponentiation algorithms such as Barrett's algorithm, which have appeared in |
|
|
214 various cryptographic journals, can render algorithms such as RSA and Diffie-Hellman more efficient. In fact, several |
|
|
215 major companies such as RSA Security, Certicom and Entrust have built entire product lines on the implementation and |
|
|
216 deployment of efficient algorithms. |
|
|
217 |
|
|
218 However, cryptography is not the only field of study that can benefit from fast multiple precision integer routines. |
|
|
219 Another auxiliary use of multiple precision integers is high precision floating point data types. |
|
|
220 The basic IEEE \cite{IEEE} standard floating point type is made up of an integer mantissa $q$, an exponent $e$ and a sign bit $s$. |
|
|
221 Numbers are given in the form $n = q \cdot b^e \cdot -1^s$ where $b = 2$ is the most common base for IEEE. Since IEEE |
|
|
222 floating point is meant to be implemented in hardware the precision of the mantissa is often fairly small |
|
|
223 (\textit{23, 48 and 64 bits}). The mantissa is merely an integer and a multiple precision integer could be used to create |
|
|
224 a mantissa of much larger precision than hardware alone can efficiently support. This approach could be useful where |
|
|
225 scientific applications must minimize the total output error over long calculations. |
|
|
226 |
|
|
227 Yet another use for large integers is within arithmetic on polynomials of large characteristic (i.e. $GF(p)[x]$ for large $p$). |
|
|
228 In fact the library discussed within this text has already been used to form a polynomial basis library\footnote{See \url{http://poly.libtomcrypt.org} for more details.}. |
|
|
229 |
|
|
230 \subsection{Benefits of Multiple Precision Arithmetic} |
|
|
231 \index{precision} |
|
|
232 The benefit of multiple precision representations over single or fixed precision representations is that |
|
|
233 no precision is lost while representing the result of an operation which requires excess precision. For example, |
|
|
234 the product of two $n$-bit integers requires at least $2n$ bits of precision to be represented faithfully. A multiple |
|
|
235 precision algorithm would augment the precision of the destination to accomodate the result while a single precision system |
|
|
236 would truncate excess bits to maintain a fixed level of precision. |
|
|
237 |
|
|
238 It is possible to implement algorithms which require large integers with fixed precision algorithms. For example, elliptic |
|
|
239 curve cryptography (\textit{ECC}) is often implemented on smartcards by fixing the precision of the integers to the maximum |
|
|
240 size the system will ever need. Such an approach can lead to vastly simpler algorithms which can accomodate the |
|
|
241 integers required even if the host platform cannot natively accomodate them\footnote{For example, the average smartcard |
|
|
242 processor has an 8 bit accumulator.}. However, as efficient as such an approach may be, the resulting source code is not |
|
|
243 normally very flexible. It cannot, at runtime, accomodate inputs of higher magnitude than the designer anticipated. |
|
|
244 |
|
|
245 Multiple precision algorithms have the most overhead of any style of arithmetic. For the the most part the |
|
|
246 overhead can be kept to a minimum with careful planning, but overall, it is not well suited for most memory starved |
|
|
247 platforms. However, multiple precision algorithms do offer the most flexibility in terms of the magnitude of the |
|
|
248 inputs. That is, the same algorithms based on multiple precision integers can accomodate any reasonable size input |
|
|
249 without the designer's explicit forethought. This leads to lower cost of ownership for the code as it only has to |
|
|
250 be written and tested once. |
|
|
251 |
|
|
252 \section{Purpose of This Text} |
|
|
253 The purpose of this text is to instruct the reader regarding how to implement efficient multiple precision algorithms. |
|
|
254 That is to not only explain a limited subset of the core theory behind the algorithms but also the various ``house keeping'' |
|
|
255 elements that are neglected by authors of other texts on the subject. Several well reknowned texts \cite{TAOCPV2,HAC} |
|
|
256 give considerably detailed explanations of the theoretical aspects of algorithms and often very little information |
|
|
257 regarding the practical implementation aspects. |
|
|
258 |
|
|
259 In most cases how an algorithm is explained and how it is actually implemented are two very different concepts. For |
|
|
260 example, the Handbook of Applied Cryptography (\textit{HAC}), algorithm 14.7 on page 594, gives a relatively simple |
|
|
261 algorithm for performing multiple precision integer addition. However, the description lacks any discussion concerning |
|
|
262 the fact that the two integer inputs may be of differing magnitudes. As a result the implementation is not as simple |
|
|
263 as the text would lead people to believe. Similarly the division routine (\textit{algorithm 14.20, pp. 598}) does not |
|
|
264 discuss how to handle sign or handle the dividend's decreasing magnitude in the main loop (\textit{step \#3}). |
|
|
265 |
|
|
266 Both texts also do not discuss several key optimal algorithms required such as ``Comba'' and Karatsuba multipliers |
|
|
267 and fast modular inversion, which we consider practical oversights. These optimal algorithms are vital to achieve |
|
|
268 any form of useful performance in non-trivial applications. |
|
|
269 |
|
|
270 To solve this problem the focus of this text is on the practical aspects of implementing a multiple precision integer |
|
386
|
271 package. As a case study the ``LibTomMath''\footnote{Available at \url{http://math.libtomcrypt.com}} package is used |
|
282
|
272 to demonstrate algorithms with real implementations\footnote{In the ISO C programming language.} that have been field |
|
|
273 tested and work very well. The LibTomMath library is freely available on the Internet for all uses and this text |
|
|
274 discusses a very large portion of the inner workings of the library. |
|
|
275 |
|
|
276 The algorithms that are presented will always include at least one ``pseudo-code'' description followed |
|
|
277 by the actual C source code that implements the algorithm. The pseudo-code can be used to implement the same |
|
|
278 algorithm in other programming languages as the reader sees fit. |
|
|
279 |
|
|
280 This text shall also serve as a walkthrough of the creation of multiple precision algorithms from scratch. Showing |
|
|
281 the reader how the algorithms fit together as well as where to start on various taskings. |
|
|
282 |
|
|
283 \section{Discussion and Notation} |
|
|
284 \subsection{Notation} |
|
|
285 A multiple precision integer of $n$-digits shall be denoted as $x = (x_{n-1}, \ldots, x_1, x_0)_{ \beta }$ and represent |
|
|
286 the integer $x \equiv \sum_{i=0}^{n-1} x_i\beta^i$. The elements of the array $x$ are said to be the radix $\beta$ digits |
|
|
287 of the integer. For example, $x = (1,2,3)_{10}$ would represent the integer |
|
|
288 $1\cdot 10^2 + 2\cdot10^1 + 3\cdot10^0 = 123$. |
|
|
289 |
|
|
290 \index{mp\_int} |
|
|
291 The term ``mp\_int'' shall refer to a composite structure which contains the digits of the integer it represents, as well |
|
|
292 as auxilary data required to manipulate the data. These additional members are discussed further in section |
|
|
293 \ref{sec:MPINT}. For the purposes of this text a ``multiple precision integer'' and an ``mp\_int'' are assumed to be |
|
|
294 synonymous. When an algorithm is specified to accept an mp\_int variable it is assumed the various auxliary data members |
|
|
295 are present as well. An expression of the type \textit{variablename.item} implies that it should evaluate to the |
|
|
296 member named ``item'' of the variable. For example, a string of characters may have a member ``length'' which would |
|
|
297 evaluate to the number of characters in the string. If the string $a$ equals ``hello'' then it follows that |
|
|
298 $a.length = 5$. |
|
|
299 |
|
|
300 For certain discussions more generic algorithms are presented to help the reader understand the final algorithm used |
|
|
301 to solve a given problem. When an algorithm is described as accepting an integer input it is assumed the input is |
|
|
302 a plain integer with no additional multiple-precision members. That is, algorithms that use integers as opposed to |
|
|
303 mp\_ints as inputs do not concern themselves with the housekeeping operations required such as memory management. These |
|
|
304 algorithms will be used to establish the relevant theory which will subsequently be used to describe a multiple |
|
|
305 precision algorithm to solve the same problem. |
|
|
306 |
|
|
307 \subsection{Precision Notation} |
|
|
308 The variable $\beta$ represents the radix of a single digit of a multiple precision integer and |
|
|
309 must be of the form $q^p$ for $q, p \in \Z^+$. A single precision variable must be able to represent integers in |
|
|
310 the range $0 \le x < q \beta$ while a double precision variable must be able to represent integers in the range |
|
|
311 $0 \le x < q \beta^2$. The extra radix-$q$ factor allows additions and subtractions to proceed without truncation of the |
|
|
312 carry. Since all modern computers are binary, it is assumed that $q$ is two. |
|
|
313 |
|
|
314 \index{mp\_digit} \index{mp\_word} |
|
|
315 Within the source code that will be presented for each algorithm, the data type \textbf{mp\_digit} will represent |
|
|
316 a single precision integer type, while, the data type \textbf{mp\_word} will represent a double precision integer type. In |
|
|
317 several algorithms (notably the Comba routines) temporary results will be stored in arrays of double precision mp\_words. |
|
|
318 For the purposes of this text $x_j$ will refer to the $j$'th digit of a single precision array and $\hat x_j$ will refer to |
|
|
319 the $j$'th digit of a double precision array. Whenever an expression is to be assigned to a double precision |
|
|
320 variable it is assumed that all single precision variables are promoted to double precision during the evaluation. |
|
|
321 Expressions that are assigned to a single precision variable are truncated to fit within the precision of a single |
|
|
322 precision data type. |
|
|
323 |
|
|
324 For example, if $\beta = 10^2$ a single precision data type may represent a value in the |
|
|
325 range $0 \le x < 10^3$, while a double precision data type may represent a value in the range $0 \le x < 10^5$. Let |
|
|
326 $a = 23$ and $b = 49$ represent two single precision variables. The single precision product shall be written |
|
|
327 as $c \leftarrow a \cdot b$ while the double precision product shall be written as $\hat c \leftarrow a \cdot b$. |
|
|
328 In this particular case, $\hat c = 1127$ and $c = 127$. The most significant digit of the product would not fit |
|
|
329 in a single precision data type and as a result $c \ne \hat c$. |
|
|
330 |
|
|
331 \subsection{Algorithm Inputs and Outputs} |
|
|
332 Within the algorithm descriptions all variables are assumed to be scalars of either single or double precision |
|
|
333 as indicated. The only exception to this rule is when variables have been indicated to be of type mp\_int. This |
|
|
334 distinction is important as scalars are often used as array indicies and various other counters. |
|
|
335 |
|
|
336 \subsection{Mathematical Expressions} |
|
|
337 The $\lfloor \mbox{ } \rfloor$ brackets imply an expression truncated to an integer not greater than the expression |
|
|
338 itself. For example, $\lfloor 5.7 \rfloor = 5$. Similarly the $\lceil \mbox{ } \rceil$ brackets imply an expression |
|
|
339 rounded to an integer not less than the expression itself. For example, $\lceil 5.1 \rceil = 6$. Typically when |
|
|
340 the $/$ division symbol is used the intention is to perform an integer division with truncation. For example, |
|
|
341 $5/2 = 2$ which will often be written as $\lfloor 5/2 \rfloor = 2$ for clarity. When an expression is written as a |
|
|
342 fraction a real value division is implied, for example ${5 \over 2} = 2.5$. |
|
|
343 |
|
|
344 The norm of a multiple precision integer, for example $\vert \vert x \vert \vert$, will be used to represent the number of digits in the representation |
|
|
345 of the integer. For example, $\vert \vert 123 \vert \vert = 3$ and $\vert \vert 79452 \vert \vert = 5$. |
|
|
346 |
|
|
347 \subsection{Work Effort} |
|
|
348 \index{big-Oh} |
|
|
349 To measure the efficiency of the specified algorithms, a modified big-Oh notation is used. In this system all |
|
|
350 single precision operations are considered to have the same cost\footnote{Except where explicitly noted.}. |
|
|
351 That is a single precision addition, multiplication and division are assumed to take the same time to |
|
|
352 complete. While this is generally not true in practice, it will simplify the discussions considerably. |
|
|
353 |
|
|
354 Some algorithms have slight advantages over others which is why some constants will not be removed in |
|
|
355 the notation. For example, a normal baseline multiplication (section \ref{sec:basemult}) requires $O(n^2)$ work while a |
|
|
356 baseline squaring (section \ref{sec:basesquare}) requires $O({{n^2 + n}\over 2})$ work. In standard big-Oh notation these |
|
|
357 would both be said to be equivalent to $O(n^2)$. However, |
|
|
358 in the context of the this text this is not the case as the magnitude of the inputs will typically be rather small. As a |
|
|
359 result small constant factors in the work effort will make an observable difference in algorithm efficiency. |
|
|
360 |
|
|
361 All of the algorithms presented in this text have a polynomial time work level. That is, of the form |
|
|
362 $O(n^k)$ for $n, k \in \Z^{+}$. This will help make useful comparisons in terms of the speed of the algorithms and how |
|
|
363 various optimizations will help pay off in the long run. |
|
|
364 |
|
|
365 \section{Exercises} |
|
|
366 Within the more advanced chapters a section will be set aside to give the reader some challenging exercises related to |
|
|
367 the discussion at hand. These exercises are not designed to be prize winning problems, but instead to be thought |
|
|
368 provoking. Wherever possible the problems are forward minded, stating problems that will be answered in subsequent |
|
|
369 chapters. The reader is encouraged to finish the exercises as they appear to get a better understanding of the |
|
|
370 subject material. |
|
|
371 |
|
|
372 That being said, the problems are designed to affirm knowledge of a particular subject matter. Students in particular |
|
|
373 are encouraged to verify they can answer the problems correctly before moving on. |
|
|
374 |
|
|
375 Similar to the exercises of \cite[pp. ix]{TAOCPV2} these exercises are given a scoring system based on the difficulty of |
|
|
376 the problem. However, unlike \cite{TAOCPV2} the problems do not get nearly as hard. The scoring of these |
|
|
377 exercises ranges from one (the easiest) to five (the hardest). The following table sumarizes the |
|
|
378 scoring system used. |
|
|
379 |
|
|
380 \begin{figure}[here] |
|
|
381 \begin{center} |
|
|
382 \begin{small} |
|
|
383 \begin{tabular}{|c|l|} |
|
|
384 \hline $\left [ 1 \right ]$ & An easy problem that should only take the reader a manner of \\ |
|
|
385 & minutes to solve. Usually does not involve much computer time \\ |
|
|
386 & to solve. \\ |
|
|
387 \hline $\left [ 2 \right ]$ & An easy problem that involves a marginal amount of computer \\ |
|
|
388 & time usage. Usually requires a program to be written to \\ |
|
|
389 & solve the problem. \\ |
|
|
390 \hline $\left [ 3 \right ]$ & A moderately hard problem that requires a non-trivial amount \\ |
|
|
391 & of work. Usually involves trivial research and development of \\ |
|
|
392 & new theory from the perspective of a student. \\ |
|
|
393 \hline $\left [ 4 \right ]$ & A moderately hard problem that involves a non-trivial amount \\ |
|
|
394 & of work and research, the solution to which will demonstrate \\ |
|
|
395 & a higher mastery of the subject matter. \\ |
|
|
396 \hline $\left [ 5 \right ]$ & A hard problem that involves concepts that are difficult for a \\ |
|
|
397 & novice to solve. Solutions to these problems will demonstrate a \\ |
|
|
398 & complete mastery of the given subject. \\ |
|
|
399 \hline |
|
|
400 \end{tabular} |
|
|
401 \end{small} |
|
|
402 \end{center} |
|
|
403 \caption{Exercise Scoring System} |
|
|
404 \end{figure} |
|
|
405 |
|
|
406 Problems at the first level are meant to be simple questions that the reader can answer quickly without programming a solution or |
|
|
407 devising new theory. These problems are quick tests to see if the material is understood. Problems at the second level |
|
|
408 are also designed to be easy but will require a program or algorithm to be implemented to arrive at the answer. These |
|
|
409 two levels are essentially entry level questions. |
|
|
410 |
|
|
411 Problems at the third level are meant to be a bit more difficult than the first two levels. The answer is often |
|
|
412 fairly obvious but arriving at an exacting solution requires some thought and skill. These problems will almost always |
|
|
413 involve devising a new algorithm or implementing a variation of another algorithm previously presented. Readers who can |
|
|
414 answer these questions will feel comfortable with the concepts behind the topic at hand. |
|
|
415 |
|
|
416 Problems at the fourth level are meant to be similar to those of the level three questions except they will require |
|
|
417 additional research to be completed. The reader will most likely not know the answer right away, nor will the text provide |
|
|
418 the exact details of the answer until a subsequent chapter. |
|
|
419 |
|
|
420 Problems at the fifth level are meant to be the hardest |
|
|
421 problems relative to all the other problems in the chapter. People who can correctly answer fifth level problems have a |
|
|
422 mastery of the subject matter at hand. |
|
|
423 |
|
|
424 Often problems will be tied together. The purpose of this is to start a chain of thought that will be discussed in future chapters. The reader |
|
|
425 is encouraged to answer the follow-up problems and try to draw the relevance of problems. |
|
|
426 |
|
|
427 \section{Introduction to LibTomMath} |
|
|
428 |
|
|
429 \subsection{What is LibTomMath?} |
|
|
430 LibTomMath is a free and open source multiple precision integer library written entirely in portable ISO C. By portable it |
|
|
431 is meant that the library does not contain any code that is computer platform dependent or otherwise problematic to use on |
|
|
432 any given platform. |
|
|
433 |
|
|
434 The library has been successfully tested under numerous operating systems including Unix\footnote{All of these |
|
|
435 trademarks belong to their respective rightful owners.}, MacOS, Windows, Linux, PalmOS and on standalone hardware such |
|
|
436 as the Gameboy Advance. The library is designed to contain enough functionality to be able to develop applications such |
|
|
437 as public key cryptosystems and still maintain a relatively small footprint. |
|
|
438 |
|
|
439 \subsection{Goals of LibTomMath} |
|
|
440 |
|
|
441 Libraries which obtain the most efficiency are rarely written in a high level programming language such as C. However, |
|
|
442 even though this library is written entirely in ISO C, considerable care has been taken to optimize the algorithm implementations within the |
|
|
443 library. Specifically the code has been written to work well with the GNU C Compiler (\textit{GCC}) on both x86 and ARM |
|
|
444 processors. Wherever possible, highly efficient algorithms, such as Karatsuba multiplication, sliding window |
|
|
445 exponentiation and Montgomery reduction have been provided to make the library more efficient. |
|
|
446 |
|
|
447 Even with the nearly optimal and specialized algorithms that have been included the Application Programing Interface |
|
|
448 (\textit{API}) has been kept as simple as possible. Often generic place holder routines will make use of specialized |
|
|
449 algorithms automatically without the developer's specific attention. One such example is the generic multiplication |
|
|
450 algorithm \textbf{mp\_mul()} which will automatically use Toom--Cook, Karatsuba, Comba or baseline multiplication |
|
|
451 based on the magnitude of the inputs and the configuration of the library. |
|
|
452 |
|
|
453 Making LibTomMath as efficient as possible is not the only goal of the LibTomMath project. Ideally the library should |
|
|
454 be source compatible with another popular library which makes it more attractive for developers to use. In this case the |
|
|
455 MPI library was used as a API template for all the basic functions. MPI was chosen because it is another library that fits |
|
|
456 in the same niche as LibTomMath. Even though LibTomMath uses MPI as the template for the function names and argument |
|
|
457 passing conventions, it has been written from scratch by Tom St Denis. |
|
|
458 |
|
|
459 The project is also meant to act as a learning tool for students, the logic being that no easy-to-follow ``bignum'' |
|
|
460 library exists which can be used to teach computer science students how to perform fast and reliable multiple precision |
|
|
461 integer arithmetic. To this end the source code has been given quite a few comments and algorithm discussion points. |
|
|
462 |
|
|
463 \section{Choice of LibTomMath} |
|
|
464 LibTomMath was chosen as the case study of this text not only because the author of both projects is one and the same but |
|
|
465 for more worthy reasons. Other libraries such as GMP \cite{GMP}, MPI \cite{MPI}, LIP \cite{LIP} and OpenSSL |
|
|
466 \cite{OPENSSL} have multiple precision integer arithmetic routines but would not be ideal for this text for |
|
|
467 reasons that will be explained in the following sub-sections. |
|
|
468 |
|
|
469 \subsection{Code Base} |
|
|
470 The LibTomMath code base is all portable ISO C source code. This means that there are no platform dependent conditional |
|
|
471 segments of code littered throughout the source. This clean and uncluttered approach to the library means that a |
|
|
472 developer can more readily discern the true intent of a given section of source code without trying to keep track of |
|
|
473 what conditional code will be used. |
|
|
474 |
|
|
475 The code base of LibTomMath is well organized. Each function is in its own separate source code file |
|
|
476 which allows the reader to find a given function very quickly. On average there are $76$ lines of code per source |
|
|
477 file which makes the source very easily to follow. By comparison MPI and LIP are single file projects making code tracing |
|
|
478 very hard. GMP has many conditional code segments which also hinder tracing. |
|
|
479 |
|
|
480 When compiled with GCC for the x86 processor and optimized for speed the entire library is approximately $100$KiB\footnote{The notation ``KiB'' means $2^{10}$ octets, similarly ``MiB'' means $2^{20}$ octets.} |
|
|
481 which is fairly small compared to GMP (over $250$KiB). LibTomMath is slightly larger than MPI (which compiles to about |
|
|
482 $50$KiB) but LibTomMath is also much faster and more complete than MPI. |
|
|
483 |
|
|
484 \subsection{API Simplicity} |
|
|
485 LibTomMath is designed after the MPI library and shares the API design. Quite often programs that use MPI will build |
|
|
486 with LibTomMath without change. The function names correlate directly to the action they perform. Almost all of the |
|
|
487 functions share the same parameter passing convention. The learning curve is fairly shallow with the API provided |
|
|
488 which is an extremely valuable benefit for the student and developer alike. |
|
|
489 |
|
|
490 The LIP library is an example of a library with an API that is awkward to work with. LIP uses function names that are often ``compressed'' to |
|
|
491 illegible short hand. LibTomMath does not share this characteristic. |
|
|
492 |
|
|
493 The GMP library also does not return error codes. Instead it uses a POSIX.1 \cite{POSIX1} signal system where errors |
|
|
494 are signaled to the host application. This happens to be the fastest approach but definitely not the most versatile. In |
|
|
495 effect a math error (i.e. invalid input, heap error, etc) can cause a program to stop functioning which is definitely |
|
|
496 undersireable in many situations. |
|
|
497 |
|
|
498 \subsection{Optimizations} |
|
|
499 While LibTomMath is certainly not the fastest library (GMP often beats LibTomMath by a factor of two) it does |
|
|
500 feature a set of optimal algorithms for tasks such as modular reduction, exponentiation, multiplication and squaring. GMP |
|
|
501 and LIP also feature such optimizations while MPI only uses baseline algorithms with no optimizations. GMP lacks a few |
|
|
502 of the additional modular reduction optimizations that LibTomMath features\footnote{At the time of this writing GMP |
|
|
503 only had Barrett and Montgomery modular reduction algorithms.}. |
|
|
504 |
|
|
505 LibTomMath is almost always an order of magnitude faster than the MPI library at computationally expensive tasks such as modular |
|
|
506 exponentiation. In the grand scheme of ``bignum'' libraries LibTomMath is faster than the average library and usually |
|
|
507 slower than the best libraries such as GMP and OpenSSL by only a small factor. |
|
|
508 |
|
|
509 \subsection{Portability and Stability} |
|
|
510 LibTomMath will build ``out of the box'' on any platform equipped with a modern version of the GNU C Compiler |
|
|
511 (\textit{GCC}). This means that without changes the library will build without configuration or setting up any |
|
|
512 variables. LIP and MPI will build ``out of the box'' as well but have numerous known bugs. Most notably the author of |
|
|
513 MPI has recently stopped working on his library and LIP has long since been discontinued. |
|
|
514 |
|
|
515 GMP requires a configuration script to run and will not build out of the box. GMP and LibTomMath are still in active |
|
|
516 development and are very stable across a variety of platforms. |
|
|
517 |
|
|
518 \subsection{Choice} |
|
|
519 LibTomMath is a relatively compact, well documented, highly optimized and portable library which seems only natural for |
|
|
520 the case study of this text. Various source files from the LibTomMath project will be included within the text. However, |
|
|
521 the reader is encouraged to download their own copy of the library to actually be able to work with the library. |
|
|
522 |
|
|
523 \chapter{Getting Started} |
|
|
524 \section{Library Basics} |
|
|
525 The trick to writing any useful library of source code is to build a solid foundation and work outwards from it. First, |
|
|
526 a problem along with allowable solution parameters should be identified and analyzed. In this particular case the |
|
|
527 inability to accomodate multiple precision integers is the problem. Futhermore, the solution must be written |
|
|
528 as portable source code that is reasonably efficient across several different computer platforms. |
|
|
529 |
|
|
530 After a foundation is formed the remainder of the library can be designed and implemented in a hierarchical fashion. |
|
|
531 That is, to implement the lowest level dependencies first and work towards the most abstract functions last. For example, |
|
|
532 before implementing a modular exponentiation algorithm one would implement a modular reduction algorithm. |
|
|
533 By building outwards from a base foundation instead of using a parallel design methodology the resulting project is |
|
|
534 highly modular. Being highly modular is a desirable property of any project as it often means the resulting product |
|
|
535 has a small footprint and updates are easy to perform. |
|
|
536 |
|
|
537 Usually when I start a project I will begin with the header files. I define the data types I think I will need and |
|
|
538 prototype the initial functions that are not dependent on other functions (within the library). After I |
|
|
539 implement these base functions I prototype more dependent functions and implement them. The process repeats until |
|
|
540 I implement all of the functions I require. For example, in the case of LibTomMath I implemented functions such as |
|
|
541 mp\_init() well before I implemented mp\_mul() and even further before I implemented mp\_exptmod(). As an example as to |
|
|
542 why this design works note that the Karatsuba and Toom-Cook multipliers were written \textit{after} the |
|
|
543 dependent function mp\_exptmod() was written. Adding the new multiplication algorithms did not require changes to the |
|
|
544 mp\_exptmod() function itself and lowered the total cost of ownership (\textit{so to speak}) and of development |
|
|
545 for new algorithms. This methodology allows new algorithms to be tested in a complete framework with relative ease. |
|
|
546 |
|
|
547 \begin{center} |
|
|
548 \begin{figure}[here] |
|
|
549 \includegraphics{pics/design_process.ps} |
|
|
550 \caption{Design Flow of the First Few Original LibTomMath Functions.} |
|
|
551 \label{pic:design_process} |
|
|
552 \end{figure} |
|
|
553 \end{center} |
|
|
554 |
|
|
555 Only after the majority of the functions were in place did I pursue a less hierarchical approach to auditing and optimizing |
|
|
556 the source code. For example, one day I may audit the multipliers and the next day the polynomial basis functions. |
|
|
557 |
|
|
558 It only makes sense to begin the text with the preliminary data types and support algorithms required as well. |
|
|
559 This chapter discusses the core algorithms of the library which are the dependents for every other algorithm. |
|
|
560 |
|
|
561 \section{What is a Multiple Precision Integer?} |
|
|
562 Recall that most programming languages, in particular ISO C \cite{ISOC}, only have fixed precision data types that on their own cannot |
|
|
563 be used to represent values larger than their precision will allow. The purpose of multiple precision algorithms is |
|
|
564 to use fixed precision data types to create and manipulate multiple precision integers which may represent values |
|
|
565 that are very large. |
|
|
566 |
|
|
567 As a well known analogy, school children are taught how to form numbers larger than nine by prepending more radix ten digits. In the decimal system |
|
|
568 the largest single digit value is $9$. However, by concatenating digits together larger numbers may be represented. Newly prepended digits |
|
|
569 (\textit{to the left}) are said to be in a different power of ten column. That is, the number $123$ can be described as having a $1$ in the hundreds |
|
|
570 column, $2$ in the tens column and $3$ in the ones column. Or more formally $123 = 1 \cdot 10^2 + 2 \cdot 10^1 + 3 \cdot 10^0$. Computer based |
|
|
571 multiple precision arithmetic is essentially the same concept. Larger integers are represented by adjoining fixed |
|
|
572 precision computer words with the exception that a different radix is used. |
|
|
573 |
|
|
574 What most people probably do not think about explicitly are the various other attributes that describe a multiple precision |
|
|
575 integer. For example, the integer $154_{10}$ has two immediately obvious properties. First, the integer is positive, |
|
|
576 that is the sign of this particular integer is positive as opposed to negative. Second, the integer has three digits in |
|
|
577 its representation. There is an additional property that the integer posesses that does not concern pencil-and-paper |
|
|
578 arithmetic. The third property is how many digits placeholders are available to hold the integer. |
|
|
579 |
|
|
580 The human analogy of this third property is ensuring there is enough space on the paper to write the integer. For example, |
|
|
581 if one starts writing a large number too far to the right on a piece of paper they will have to erase it and move left. |
|
|
582 Similarly, computer algorithms must maintain strict control over memory usage to ensure that the digits of an integer |
|
|
583 will not exceed the allowed boundaries. These three properties make up what is known as a multiple precision |
|
|
584 integer or mp\_int for short. |
|
|
585 |
|
|
586 \subsection{The mp\_int Structure} |
|
|
587 \label{sec:MPINT} |
|
|
588 The mp\_int structure is the ISO C based manifestation of what represents a multiple precision integer. The ISO C standard does not provide for |
|
|
589 any such data type but it does provide for making composite data types known as structures. The following is the structure definition |
|
|
590 used within LibTomMath. |
|
|
591 |
|
|
592 \index{mp\_int} |
|
|
593 \begin{figure}[here] |
|
|
594 \begin{center} |
|
|
595 \begin{small} |
|
|
596 %\begin{verbatim} |
|
|
597 \begin{tabular}{|l|} |
|
|
598 \hline |
|
|
599 typedef struct \{ \\ |
|
|
600 \hspace{3mm}int used, alloc, sign;\\ |
|
|
601 \hspace{3mm}mp\_digit *dp;\\ |
|
|
602 \} \textbf{mp\_int}; \\ |
|
|
603 \hline |
|
|
604 \end{tabular} |
|
|
605 %\end{verbatim} |
|
|
606 \end{small} |
|
|
607 \caption{The mp\_int Structure} |
|
|
608 \label{fig:mpint} |
|
|
609 \end{center} |
|
|
610 \end{figure} |
|
|
611 |
|
|
612 The mp\_int structure (fig. \ref{fig:mpint}) can be broken down as follows. |
|
|
613 |
|
|
614 \begin{enumerate} |
|
|
615 \item The \textbf{used} parameter denotes how many digits of the array \textbf{dp} contain the digits used to represent |
|
|
616 a given integer. The \textbf{used} count must be positive (or zero) and may not exceed the \textbf{alloc} count. |
|
|
617 |
|
|
618 \item The \textbf{alloc} parameter denotes how |
|
|
619 many digits are available in the array to use by functions before it has to increase in size. When the \textbf{used} count |
|
|
620 of a result would exceed the \textbf{alloc} count all of the algorithms will automatically increase the size of the |
|
|
621 array to accommodate the precision of the result. |
|
|
622 |
|
|
623 \item The pointer \textbf{dp} points to a dynamically allocated array of digits that represent the given multiple |
|
|
624 precision integer. It is padded with $(\textbf{alloc} - \textbf{used})$ zero digits. The array is maintained in a least |
|
|
625 significant digit order. As a pencil and paper analogy the array is organized such that the right most digits are stored |
|
|
626 first starting at the location indexed by zero\footnote{In C all arrays begin at zero.} in the array. For example, |
|
|
627 if \textbf{dp} contains $\lbrace a, b, c, \ldots \rbrace$ where \textbf{dp}$_0 = a$, \textbf{dp}$_1 = b$, \textbf{dp}$_2 = c$, $\ldots$ then |
|
|
628 it would represent the integer $a + b\beta + c\beta^2 + \ldots$ |
|
|
629 |
|
|
630 \index{MP\_ZPOS} \index{MP\_NEG} |
|
|
631 \item The \textbf{sign} parameter denotes the sign as either zero/positive (\textbf{MP\_ZPOS}) or negative (\textbf{MP\_NEG}). |
|
|
632 \end{enumerate} |
|
|
633 |
|
|
634 \subsubsection{Valid mp\_int Structures} |
|
|
635 Several rules are placed on the state of an mp\_int structure and are assumed to be followed for reasons of efficiency. |
|
|
636 The only exceptions are when the structure is passed to initialization functions such as mp\_init() and mp\_init\_copy(). |
|
|
637 |
|
|
638 \begin{enumerate} |
|
|
639 \item The value of \textbf{alloc} may not be less than one. That is \textbf{dp} always points to a previously allocated |
|
|
640 array of digits. |
|
|
641 \item The value of \textbf{used} may not exceed \textbf{alloc} and must be greater than or equal to zero. |
|
|
642 \item The value of \textbf{used} implies the digit at index $(used - 1)$ of the \textbf{dp} array is non-zero. That is, |
|
|
643 leading zero digits in the most significant positions must be trimmed. |
|
|
644 \begin{enumerate} |
|
|
645 \item Digits in the \textbf{dp} array at and above the \textbf{used} location must be zero. |
|
|
646 \end{enumerate} |
|
|
647 \item The value of \textbf{sign} must be \textbf{MP\_ZPOS} if \textbf{used} is zero; |
|
|
648 this represents the mp\_int value of zero. |
|
|
649 \end{enumerate} |
|
|
650 |
|
|
651 \section{Argument Passing} |
|
|
652 A convention of argument passing must be adopted early on in the development of any library. Making the function |
|
|
653 prototypes consistent will help eliminate many headaches in the future as the library grows to significant complexity. |
|
|
654 In LibTomMath the multiple precision integer functions accept parameters from left to right as pointers to mp\_int |
|
|
655 structures. That means that the source (input) operands are placed on the left and the destination (output) on the right. |
|
|
656 Consider the following examples. |
|
|
657 |
|
|
658 \begin{verbatim} |
|
|
659 mp_mul(&a, &b, &c); /* c = a * b */ |
|
|
660 mp_add(&a, &b, &a); /* a = a + b */ |
|
|
661 mp_sqr(&a, &b); /* b = a * a */ |
|
|
662 \end{verbatim} |
|
|
663 |
|
|
664 The left to right order is a fairly natural way to implement the functions since it lets the developer read aloud the |
|
|
665 functions and make sense of them. For example, the first function would read ``multiply a and b and store in c''. |
|
|
666 |
|
|
667 Certain libraries (\textit{LIP by Lenstra for instance}) accept parameters the other way around, to mimic the order |
|
|
668 of assignment expressions. That is, the destination (output) is on the left and arguments (inputs) are on the right. In |
|
|
669 truth, it is entirely a matter of preference. In the case of LibTomMath the convention from the MPI library has been |
|
|
670 adopted. |
|
|
671 |
|
|
672 Another very useful design consideration, provided for in LibTomMath, is whether to allow argument sources to also be a |
|
|
673 destination. For example, the second example (\textit{mp\_add}) adds $a$ to $b$ and stores in $a$. This is an important |
|
|
674 feature to implement since it allows the calling functions to cut down on the number of variables it must maintain. |
|
|
675 However, to implement this feature specific care has to be given to ensure the destination is not modified before the |
|
|
676 source is fully read. |
|
|
677 |
|
|
678 \section{Return Values} |
|
|
679 A well implemented application, no matter what its purpose, should trap as many runtime errors as possible and return them |
|
|
680 to the caller. By catching runtime errors a library can be guaranteed to prevent undefined behaviour. However, the end |
|
|
681 developer can still manage to cause a library to crash. For example, by passing an invalid pointer an application may |
|
|
682 fault by dereferencing memory not owned by the application. |
|
|
683 |
|
|
684 In the case of LibTomMath the only errors that are checked for are related to inappropriate inputs (division by zero for |
|
|
685 instance) and memory allocation errors. It will not check that the mp\_int passed to any function is valid nor |
|
|
686 will it check pointers for validity. Any function that can cause a runtime error will return an error code as an |
|
|
687 \textbf{int} data type with one of the following values (fig \ref{fig:errcodes}). |
|
|
688 |
|
|
689 \index{MP\_OKAY} \index{MP\_VAL} \index{MP\_MEM} |
|
|
690 \begin{figure}[here] |
|
|
691 \begin{center} |
|
|
692 \begin{tabular}{|l|l|} |
|
|
693 \hline \textbf{Value} & \textbf{Meaning} \\ |
|
|
694 \hline \textbf{MP\_OKAY} & The function was successful \\ |
|
|
695 \hline \textbf{MP\_VAL} & One of the input value(s) was invalid \\ |
|
|
696 \hline \textbf{MP\_MEM} & The function ran out of heap memory \\ |
|
|
697 \hline |
|
|
698 \end{tabular} |
|
|
699 \end{center} |
|
|
700 \caption{LibTomMath Error Codes} |
|
|
701 \label{fig:errcodes} |
|
|
702 \end{figure} |
|
|
703 |
|
|
704 When an error is detected within a function it should free any memory it allocated, often during the initialization of |
|
|
705 temporary mp\_ints, and return as soon as possible. The goal is to leave the system in the same state it was when the |
|
|
706 function was called. Error checking with this style of API is fairly simple. |
|
|
707 |
|
|
708 \begin{verbatim} |
|
|
709 int err; |
|
|
710 if ((err = mp_add(&a, &b, &c)) != MP_OKAY) { |
|
|
711 printf("Error: %s\n", mp_error_to_string(err)); |
|
|
712 exit(EXIT_FAILURE); |
|
|
713 } |
|
|
714 \end{verbatim} |
|
|
715 |
|
|
716 The GMP \cite{GMP} library uses C style \textit{signals} to flag errors which is of questionable use. Not all errors are fatal |
|
|
717 and it was not deemed ideal by the author of LibTomMath to force developers to have signal handlers for such cases. |
|
|
718 |
|
|
719 \section{Initialization and Clearing} |
|
|
720 The logical starting point when actually writing multiple precision integer functions is the initialization and |
|
|
721 clearing of the mp\_int structures. These two algorithms will be used by the majority of the higher level algorithms. |
|
|
722 |
|
|
723 Given the basic mp\_int structure an initialization routine must first allocate memory to hold the digits of |
|
|
724 the integer. Often it is optimal to allocate a sufficiently large pre-set number of digits even though |
|
|
725 the initial integer will represent zero. If only a single digit were allocated quite a few subsequent re-allocations |
|
|
726 would occur when operations are performed on the integers. There is a tradeoff between how many default digits to allocate |
|
|
727 and how many re-allocations are tolerable. Obviously allocating an excessive amount of digits initially will waste |
|
|
728 memory and become unmanageable. |
|
|
729 |
|
|
730 If the memory for the digits has been successfully allocated then the rest of the members of the structure must |
|
|
731 be initialized. Since the initial state of an mp\_int is to represent the zero integer, the allocated digits must be set |
|
|
732 to zero. The \textbf{used} count set to zero and \textbf{sign} set to \textbf{MP\_ZPOS}. |
|
|
733 |
|
|
734 \subsection{Initializing an mp\_int} |
|
|
735 An mp\_int is said to be initialized if it is set to a valid, preferably default, state such that all of the members of the |
|
|
736 structure are set to valid values. The mp\_init algorithm will perform such an action. |
|
|
737 |
|
|
738 \index{mp\_init} |
|
|
739 \begin{figure}[here] |
|
|
740 \begin{center} |
|
|
741 \begin{tabular}{l} |
|
|
742 \hline Algorithm \textbf{mp\_init}. \\ |
|
|
743 \textbf{Input}. An mp\_int $a$ \\ |
|
|
744 \textbf{Output}. Allocate memory and initialize $a$ to a known valid mp\_int state. \\ |
|
|
745 \hline \\ |
|
|
746 1. Allocate memory for \textbf{MP\_PREC} digits. \\ |
|
|
747 2. If the allocation failed return(\textit{MP\_MEM}) \\ |
|
|
748 3. for $n$ from $0$ to $MP\_PREC - 1$ do \\ |
|
|
749 \hspace{3mm}3.1 $a_n \leftarrow 0$\\ |
|
|
750 4. $a.sign \leftarrow MP\_ZPOS$\\ |
|
|
751 5. $a.used \leftarrow 0$\\ |
|
|
752 6. $a.alloc \leftarrow MP\_PREC$\\ |
|
|
753 7. Return(\textit{MP\_OKAY})\\ |
|
|
754 \hline |
|
|
755 \end{tabular} |
|
|
756 \end{center} |
|
|
757 \caption{Algorithm mp\_init} |
|
|
758 \end{figure} |
|
|
759 |
|
|
760 \textbf{Algorithm mp\_init.} |
|
|
761 The purpose of this function is to initialize an mp\_int structure so that the rest of the library can properly |
|
|
762 manipulte it. It is assumed that the input may not have had any of its members previously initialized which is certainly |
|
|
763 a valid assumption if the input resides on the stack. |
|
|
764 |
|
|
765 Before any of the members such as \textbf{sign}, \textbf{used} or \textbf{alloc} are initialized the memory for |
|
|
766 the digits is allocated. If this fails the function returns before setting any of the other members. The \textbf{MP\_PREC} |
|
|
767 name represents a constant\footnote{Defined in the ``tommath.h'' header file within LibTomMath.} |
|
|
768 used to dictate the minimum precision of newly initialized mp\_int integers. Ideally, it is at least equal to the smallest |
|
|
769 precision number you'll be working with. |
|
|
770 |
|
|
771 Allocating a block of digits at first instead of a single digit has the benefit of lowering the number of usually slow |
|
|
772 heap operations later functions will have to perform in the future. If \textbf{MP\_PREC} is set correctly the slack |
|
|
773 memory and the number of heap operations will be trivial. |
|
|
774 |
|
|
775 Once the allocation has been made the digits have to be set to zero as well as the \textbf{used}, \textbf{sign} and |
|
|
776 \textbf{alloc} members initialized. This ensures that the mp\_int will always represent the default state of zero regardless |
|
|
777 of the original condition of the input. |
|
|
778 |
|
|
779 \textbf{Remark.} |
|
|
780 This function introduces the idiosyncrasy that all iterative loops, commonly initiated with the ``for'' keyword, iterate incrementally |
|
|
781 when the ``to'' keyword is placed between two expressions. For example, ``for $a$ from $b$ to $c$ do'' means that |
|
|
782 a subsequent expression (or body of expressions) are to be evaluated upto $c - b$ times so long as $b \le c$. In each |
|
|
783 iteration the variable $a$ is substituted for a new integer that lies inclusively between $b$ and $c$. If $b > c$ occured |
|
|
784 the loop would not iterate. By contrast if the ``downto'' keyword were used in place of ``to'' the loop would iterate |
|
|
785 decrementally. |
|
|
786 |
|
|
787 \vspace{+3mm}\begin{small} |
|
|
788 \hspace{-5.1mm}{\bf File}: bn\_mp\_init.c |
|
|
789 \vspace{-3mm} |
|
|
790 \begin{alltt} |
|
|
791 016 |
|
|
792 017 /* init a new mp_int */ |
|
|
793 018 int mp_init (mp_int * a) |
|
|
794 019 \{ |
|
|
795 020 int i; |
|
|
796 021 |
|
|
797 022 /* allocate memory required and clear it */ |
|
|
798 023 a->dp = OPT_CAST(mp_digit) XMALLOC (sizeof (mp_digit) * MP_PREC); |
|
|
799 024 if (a->dp == NULL) \{ |
|
|
800 025 return MP_MEM; |
|
|
801 026 \} |
|
|
802 027 |
|
|
803 028 /* set the digits to zero */ |
|
|
804 029 for (i = 0; i < MP_PREC; i++) \{ |
|
|
805 030 a->dp[i] = 0; |
|
|
806 031 \} |
|
|
807 032 |
|
|
808 033 /* set the used to zero, allocated digits to the default precision |
|
|
809 034 * and sign to positive */ |
|
|
810 035 a->used = 0; |
|
|
811 036 a->alloc = MP_PREC; |
|
|
812 037 a->sign = MP_ZPOS; |
|
|
813 038 |
|
|
814 039 return MP_OKAY; |
|
|
815 040 \} |
|
|
816 041 #endif |
|
386
|
817 042 |
|
282
|
818 \end{alltt} |
|
|
819 \end{small} |
|
|
820 |
|
|
821 One immediate observation of this initializtion function is that it does not return a pointer to a mp\_int structure. It |
|
|
822 is assumed that the caller has already allocated memory for the mp\_int structure, typically on the application stack. The |
|
|
823 call to mp\_init() is used only to initialize the members of the structure to a known default state. |
|
|
824 |
|
|
825 Here we see (line 23) the memory allocation is performed first. This allows us to exit cleanly and quickly |
|
|
826 if there is an error. If the allocation fails the routine will return \textbf{MP\_MEM} to the caller to indicate there |
|
|
827 was a memory error. The function XMALLOC is what actually allocates the memory. Technically XMALLOC is not a function |
|
|
828 but a macro defined in ``tommath.h``. By default, XMALLOC will evaluate to malloc() which is the C library's built--in |
|
|
829 memory allocation routine. |
|
|
830 |
|
|
831 In order to assure the mp\_int is in a known state the digits must be set to zero. On most platforms this could have been |
|
|
832 accomplished by using calloc() instead of malloc(). However, to correctly initialize a integer type to a given value in a |
|
|
833 portable fashion you have to actually assign the value. The for loop (line 29) performs this required |
|
|
834 operation. |
|
|
835 |
|
|
836 After the memory has been successfully initialized the remainder of the members are initialized |
|
|
837 (lines 33 through 34) to their respective default states. At this point the algorithm has succeeded and |
|
|
838 a success code is returned to the calling function. If this function returns \textbf{MP\_OKAY} it is safe to assume the |
|
|
839 mp\_int structure has been properly initialized and is safe to use with other functions within the library. |
|
|
840 |
|
|
841 \subsection{Clearing an mp\_int} |
|
|
842 When an mp\_int is no longer required by the application, the memory that has been allocated for its digits must be |
|
|
843 returned to the application's memory pool with the mp\_clear algorithm. |
|
|
844 |
|
|
845 \begin{figure}[here] |
|
|
846 \begin{center} |
|
|
847 \begin{tabular}{l} |
|
|
848 \hline Algorithm \textbf{mp\_clear}. \\ |
|
|
849 \textbf{Input}. An mp\_int $a$ \\ |
|
|
850 \textbf{Output}. The memory for $a$ shall be deallocated. \\ |
|
|
851 \hline \\ |
|
|
852 1. If $a$ has been previously freed then return(\textit{MP\_OKAY}). \\ |
|
|
853 2. for $n$ from 0 to $a.used - 1$ do \\ |
|
|
854 \hspace{3mm}2.1 $a_n \leftarrow 0$ \\ |
|
|
855 3. Free the memory allocated for the digits of $a$. \\ |
|
|
856 4. $a.used \leftarrow 0$ \\ |
|
|
857 5. $a.alloc \leftarrow 0$ \\ |
|
|
858 6. $a.sign \leftarrow MP\_ZPOS$ \\ |
|
|
859 7. Return(\textit{MP\_OKAY}). \\ |
|
|
860 \hline |
|
|
861 \end{tabular} |
|
|
862 \end{center} |
|
|
863 \caption{Algorithm mp\_clear} |
|
|
864 \end{figure} |
|
|
865 |
|
|
866 \textbf{Algorithm mp\_clear.} |
|
|
867 This algorithm accomplishes two goals. First, it clears the digits and the other mp\_int members. This ensures that |
|
|
868 if a developer accidentally re-uses a cleared structure it is less likely to cause problems. The second goal |
|
|
869 is to free the allocated memory. |
|
|
870 |
|
|
871 The logic behind the algorithm is extended by marking cleared mp\_int structures so that subsequent calls to this |
|
|
872 algorithm will not try to free the memory multiple times. Cleared mp\_ints are detectable by having a pre-defined invalid |
|
|
873 digit pointer \textbf{dp} setting. |
|
|
874 |
|
|
875 Once an mp\_int has been cleared the mp\_int structure is no longer in a valid state for any other algorithm |
|
|
876 with the exception of algorithms mp\_init, mp\_init\_copy, mp\_init\_size and mp\_clear. |
|
|
877 |
|
|
878 \vspace{+3mm}\begin{small} |
|
|
879 \hspace{-5.1mm}{\bf File}: bn\_mp\_clear.c |
|
|
880 \vspace{-3mm} |
|
|
881 \begin{alltt} |
|
|
882 016 |
|
|
883 017 /* clear one (frees) */ |
|
|
884 018 void |
|
|
885 019 mp_clear (mp_int * a) |
|
|
886 020 \{ |
|
|
887 021 int i; |
|
|
888 022 |
|
|
889 023 /* only do anything if a hasn't been freed previously */ |
|
|
890 024 if (a->dp != NULL) \{ |
|
|
891 025 /* first zero the digits */ |
|
|
892 026 for (i = 0; i < a->used; i++) \{ |
|
|
893 027 a->dp[i] = 0; |
|
|
894 028 \} |
|
|
895 029 |
|
|
896 030 /* free ram */ |
|
|
897 031 XFREE(a->dp); |
|
|
898 032 |
|
|
899 033 /* reset members to make debugging easier */ |
|
|
900 034 a->dp = NULL; |
|
|
901 035 a->alloc = a->used = 0; |
|
|
902 036 a->sign = MP_ZPOS; |
|
|
903 037 \} |
|
|
904 038 \} |
|
|
905 039 #endif |
|
386
|
906 040 |
|
282
|
907 \end{alltt} |
|
|
908 \end{small} |
|
|
909 |
|
|
910 The algorithm only operates on the mp\_int if it hasn't been previously cleared. The if statement (line 24) |
|
|
911 checks to see if the \textbf{dp} member is not \textbf{NULL}. If the mp\_int is a valid mp\_int then \textbf{dp} cannot be |
|
|
912 \textbf{NULL} in which case the if statement will evaluate to true. |
|
|
913 |
|
|
914 The digits of the mp\_int are cleared by the for loop (line 26) which assigns a zero to every digit. Similar to mp\_init() |
|
|
915 the digits are assigned zero instead of using block memory operations (such as memset()) since this is more portable. |
|
|
916 |
|
|
917 The digits are deallocated off the heap via the XFREE macro. Similar to XMALLOC the XFREE macro actually evaluates to |
|
|
918 a standard C library function. In this case the free() function. Since free() only deallocates the memory the pointer |
|
|
919 still has to be reset to \textbf{NULL} manually (line 34). |
|
|
920 |
|
|
921 Now that the digits have been cleared and deallocated the other members are set to their final values (lines 35 and 36). |
|
|
922 |
|
|
923 \section{Maintenance Algorithms} |
|
|
924 |
|
|
925 The previous sections describes how to initialize and clear an mp\_int structure. To further support operations |
|
|
926 that are to be performed on mp\_int structures (such as addition and multiplication) the dependent algorithms must be |
|
|
927 able to augment the precision of an mp\_int and |
|
|
928 initialize mp\_ints with differing initial conditions. |
|
|
929 |
|
|
930 These algorithms complete the set of low level algorithms required to work with mp\_int structures in the higher level |
|
|
931 algorithms such as addition, multiplication and modular exponentiation. |
|
|
932 |
|
|
933 \subsection{Augmenting an mp\_int's Precision} |
|
|
934 When storing a value in an mp\_int structure, a sufficient number of digits must be available to accomodate the entire |
|
|
935 result of an operation without loss of precision. Quite often the size of the array given by the \textbf{alloc} member |
|
|
936 is large enough to simply increase the \textbf{used} digit count. However, when the size of the array is too small it |
|
|
937 must be re-sized appropriately to accomodate the result. The mp\_grow algorithm will provide this functionality. |
|
|
938 |
|
|
939 \newpage\begin{figure}[here] |
|
|
940 \begin{center} |
|
|
941 \begin{tabular}{l} |
|
|
942 \hline Algorithm \textbf{mp\_grow}. \\ |
|
|
943 \textbf{Input}. An mp\_int $a$ and an integer $b$. \\ |
|
|
944 \textbf{Output}. $a$ is expanded to accomodate $b$ digits. \\ |
|
|
945 \hline \\ |
|
|
946 1. if $a.alloc \ge b$ then return(\textit{MP\_OKAY}) \\ |
|
|
947 2. $u \leftarrow b\mbox{ (mod }MP\_PREC\mbox{)}$ \\ |
|
|
948 3. $v \leftarrow b + 2 \cdot MP\_PREC - u$ \\ |
|
|
949 4. Re-allocate the array of digits $a$ to size $v$ \\ |
|
|
950 5. If the allocation failed then return(\textit{MP\_MEM}). \\ |
|
|
951 6. for n from a.alloc to $v - 1$ do \\ |
|
|
952 \hspace{+3mm}6.1 $a_n \leftarrow 0$ \\ |
|
|
953 7. $a.alloc \leftarrow v$ \\ |
|
|
954 8. Return(\textit{MP\_OKAY}) \\ |
|
|
955 \hline |
|
|
956 \end{tabular} |
|
|
957 \end{center} |
|
|
958 \caption{Algorithm mp\_grow} |
|
|
959 \end{figure} |
|
|
960 |
|
|
961 \textbf{Algorithm mp\_grow.} |
|
|
962 It is ideal to prevent re-allocations from being performed if they are not required (step one). This is useful to |
|
|
963 prevent mp\_ints from growing excessively in code that erroneously calls mp\_grow. |
|
|
964 |
|
|
965 The requested digit count is padded up to next multiple of \textbf{MP\_PREC} plus an additional \textbf{MP\_PREC} (steps two and three). |
|
|
966 This helps prevent many trivial reallocations that would grow an mp\_int by trivially small values. |
|
|
967 |
|
|
968 It is assumed that the reallocation (step four) leaves the lower $a.alloc$ digits of the mp\_int intact. This is much |
|
|
969 akin to how the \textit{realloc} function from the standard C library works. Since the newly allocated digits are |
|
|
970 assumed to contain undefined values they are initially set to zero. |
|
|
971 |
|
|
972 \vspace{+3mm}\begin{small} |
|
|
973 \hspace{-5.1mm}{\bf File}: bn\_mp\_grow.c |
|
|
974 \vspace{-3mm} |
|
|
975 \begin{alltt} |
|
|
976 016 |
|
|
977 017 /* grow as required */ |
|
|
978 018 int mp_grow (mp_int * a, int size) |
|
|
979 019 \{ |
|
|
980 020 int i; |
|
|
981 021 mp_digit *tmp; |
|
|
982 022 |
|
|
983 023 /* if the alloc size is smaller alloc more ram */ |
|
|
984 024 if (a->alloc < size) \{ |
|
|
985 025 /* ensure there are always at least MP_PREC digits extra on top */ |
|
|
986 026 size += (MP_PREC * 2) - (size % MP_PREC); |
|
|
987 027 |
|
|
988 028 /* reallocate the array a->dp |
|
|
989 029 * |
|
|
990 030 * We store the return in a temporary variable |
|
|
991 031 * in case the operation failed we don't want |
|
|
992 032 * to overwrite the dp member of a. |
|
|
993 033 */ |
|
|
994 034 tmp = OPT_CAST(mp_digit) XREALLOC (a->dp, sizeof (mp_digit) * size); |
|
|
995 035 if (tmp == NULL) \{ |
|
|
996 036 /* reallocation failed but "a" is still valid [can be freed] */ |
|
|
997 037 return MP_MEM; |
|
|
998 038 \} |
|
|
999 039 |
|
|
1000 040 /* reallocation succeeded so set a->dp */ |
|
|
1001 041 a->dp = tmp; |
|
|
1002 042 |
|
|
1003 043 /* zero excess digits */ |
|
|
1004 044 i = a->alloc; |
|
|
1005 045 a->alloc = size; |
|
|
1006 046 for (; i < a->alloc; i++) \{ |
|
|
1007 047 a->dp[i] = 0; |
|
|
1008 048 \} |
|
|
1009 049 \} |
|
|
1010 050 return MP_OKAY; |
|
|
1011 051 \} |
|
|
1012 052 #endif |
|
386
|
1013 053 |
|
282
|
1014 \end{alltt} |
|
|
1015 \end{small} |
|
|
1016 |
|
|
1017 A quick optimization is to first determine if a memory re-allocation is required at all. The if statement (line 24) checks |
|
|
1018 if the \textbf{alloc} member of the mp\_int is smaller than the requested digit count. If the count is not larger than \textbf{alloc} |
|
|
1019 the function skips the re-allocation part thus saving time. |
|
|
1020 |
|
|
1021 When a re-allocation is performed it is turned into an optimal request to save time in the future. The requested digit count is |
|
|
1022 padded upwards to 2nd multiple of \textbf{MP\_PREC} larger than \textbf{alloc} (line 26). The XREALLOC function is used |
|
|
1023 to re-allocate the memory. As per the other functions XREALLOC is actually a macro which evaluates to realloc by default. The realloc |
|
|
1024 function leaves the base of the allocation intact which means the first \textbf{alloc} digits of the mp\_int are the same as before |
|
|
1025 the re-allocation. All that is left is to clear the newly allocated digits and return. |
|
|
1026 |
|
|
1027 Note that the re-allocation result is actually stored in a temporary pointer $tmp$. This is to allow this function to return |
|
|
1028 an error with a valid pointer. Earlier releases of the library stored the result of XREALLOC into the mp\_int $a$. That would |
|
|
1029 result in a memory leak if XREALLOC ever failed. |
|
|
1030 |
|
|
1031 \subsection{Initializing Variable Precision mp\_ints} |
|
|
1032 Occasionally the number of digits required will be known in advance of an initialization, based on, for example, the size |
|
|
1033 of input mp\_ints to a given algorithm. The purpose of algorithm mp\_init\_size is similar to mp\_init except that it |
|
|
1034 will allocate \textit{at least} a specified number of digits. |
|
|
1035 |
|
|
1036 \begin{figure}[here] |
|
|
1037 \begin{small} |
|
|
1038 \begin{center} |
|
|
1039 \begin{tabular}{l} |
|
|
1040 \hline Algorithm \textbf{mp\_init\_size}. \\ |
|
|
1041 \textbf{Input}. An mp\_int $a$ and the requested number of digits $b$. \\ |
|
|
1042 \textbf{Output}. $a$ is initialized to hold at least $b$ digits. \\ |
|
|
1043 \hline \\ |
|
|
1044 1. $u \leftarrow b \mbox{ (mod }MP\_PREC\mbox{)}$ \\ |
|
|
1045 2. $v \leftarrow b + 2 \cdot MP\_PREC - u$ \\ |
|
|
1046 3. Allocate $v$ digits. \\ |
|
|
1047 4. for $n$ from $0$ to $v - 1$ do \\ |
|
|
1048 \hspace{3mm}4.1 $a_n \leftarrow 0$ \\ |
|
|
1049 5. $a.sign \leftarrow MP\_ZPOS$\\ |
|
|
1050 6. $a.used \leftarrow 0$\\ |
|
|
1051 7. $a.alloc \leftarrow v$\\ |
|
|
1052 8. Return(\textit{MP\_OKAY})\\ |
|
|
1053 \hline |
|
|
1054 \end{tabular} |
|
|
1055 \end{center} |
|
|
1056 \end{small} |
|
|
1057 \caption{Algorithm mp\_init\_size} |
|
|
1058 \end{figure} |
|
|
1059 |
|
|
1060 \textbf{Algorithm mp\_init\_size.} |
|
|
1061 This algorithm will initialize an mp\_int structure $a$ like algorithm mp\_init with the exception that the number of |
|
|
1062 digits allocated can be controlled by the second input argument $b$. The input size is padded upwards so it is a |
|
|
1063 multiple of \textbf{MP\_PREC} plus an additional \textbf{MP\_PREC} digits. This padding is used to prevent trivial |
|
|
1064 allocations from becoming a bottleneck in the rest of the algorithms. |
|
|
1065 |
|
|
1066 Like algorithm mp\_init, the mp\_int structure is initialized to a default state representing the integer zero. This |
|
|
1067 particular algorithm is useful if it is known ahead of time the approximate size of the input. If the approximation is |
|
|
1068 correct no further memory re-allocations are required to work with the mp\_int. |
|
|
1069 |
|
|
1070 \vspace{+3mm}\begin{small} |
|
|
1071 \hspace{-5.1mm}{\bf File}: bn\_mp\_init\_size.c |
|
|
1072 \vspace{-3mm} |
|
|
1073 \begin{alltt} |
|
|
1074 016 |
|
|
1075 017 /* init an mp_init for a given size */ |
|
|
1076 018 int mp_init_size (mp_int * a, int size) |
|
|
1077 019 \{ |
|
|
1078 020 int x; |
|
|
1079 021 |
|
|
1080 022 /* pad size so there are always extra digits */ |
|
|
1081 023 size += (MP_PREC * 2) - (size % MP_PREC); |
|
|
1082 024 |
|
|
1083 025 /* alloc mem */ |
|
|
1084 026 a->dp = OPT_CAST(mp_digit) XMALLOC (sizeof (mp_digit) * size); |
|
|
1085 027 if (a->dp == NULL) \{ |
|
|
1086 028 return MP_MEM; |
|
|
1087 029 \} |
|
|
1088 030 |
|
|
1089 031 /* set the members */ |
|
|
1090 032 a->used = 0; |
|
|
1091 033 a->alloc = size; |
|
|
1092 034 a->sign = MP_ZPOS; |
|
|
1093 035 |
|
|
1094 036 /* zero the digits */ |
|
|
1095 037 for (x = 0; x < size; x++) \{ |
|
|
1096 038 a->dp[x] = 0; |
|
|
1097 039 \} |
|
|
1098 040 |
|
|
1099 041 return MP_OKAY; |
|
|
1100 042 \} |
|
|
1101 043 #endif |
|
386
|
1102 044 |
|
282
|
1103 \end{alltt} |
|
|
1104 \end{small} |
|
|
1105 |
|
|
1106 The number of digits $b$ requested is padded (line 23) by first augmenting it to the next multiple of |
|
|
1107 \textbf{MP\_PREC} and then adding \textbf{MP\_PREC} to the result. If the memory can be successfully allocated the |
|
|
1108 mp\_int is placed in a default state representing the integer zero. Otherwise, the error code \textbf{MP\_MEM} will be |
|
|
1109 returned (line 28). |
|
|
1110 |
|
|
1111 The digits are allocated and set to zero at the same time with the calloc() function (line @25,XCALLOC@). The |
|
|
1112 \textbf{used} count is set to zero, the \textbf{alloc} count set to the padded digit count and the \textbf{sign} flag set |
|
|
1113 to \textbf{MP\_ZPOS} to achieve a default valid mp\_int state (lines 32, 33 and 34). If the function |
|
|
1114 returns succesfully then it is correct to assume that the mp\_int structure is in a valid state for the remainder of the |
|
|
1115 functions to work with. |
|
|
1116 |
|
|
1117 \subsection{Multiple Integer Initializations and Clearings} |
|
|
1118 Occasionally a function will require a series of mp\_int data types to be made available simultaneously. |
|
|
1119 The purpose of algorithm mp\_init\_multi is to initialize a variable length array of mp\_int structures in a single |
|
|
1120 statement. It is essentially a shortcut to multiple initializations. |
|
|
1121 |
|
|
1122 \newpage\begin{figure}[here] |
|
|
1123 \begin{center} |
|
|
1124 \begin{tabular}{l} |
|
|
1125 \hline Algorithm \textbf{mp\_init\_multi}. \\ |
|
|
1126 \textbf{Input}. Variable length array $V_k$ of mp\_int variables of length $k$. \\ |
|
|
1127 \textbf{Output}. The array is initialized such that each mp\_int of $V_k$ is ready to use. \\ |
|
|
1128 \hline \\ |
|
|
1129 1. for $n$ from 0 to $k - 1$ do \\ |
|
|
1130 \hspace{+3mm}1.1. Initialize the mp\_int $V_n$ (\textit{mp\_init}) \\ |
|
|
1131 \hspace{+3mm}1.2. If initialization failed then do \\ |
|
|
1132 \hspace{+6mm}1.2.1. for $j$ from $0$ to $n$ do \\ |
|
|
1133 \hspace{+9mm}1.2.1.1. Free the mp\_int $V_j$ (\textit{mp\_clear}) \\ |
|
|
1134 \hspace{+6mm}1.2.2. Return(\textit{MP\_MEM}) \\ |
|
|
1135 2. Return(\textit{MP\_OKAY}) \\ |
|
|
1136 \hline |
|
|
1137 \end{tabular} |
|
|
1138 \end{center} |
|
|
1139 \caption{Algorithm mp\_init\_multi} |
|
|
1140 \end{figure} |
|
|
1141 |
|
|
1142 \textbf{Algorithm mp\_init\_multi.} |
|
|
1143 The algorithm will initialize the array of mp\_int variables one at a time. If a runtime error has been detected |
|
|
1144 (\textit{step 1.2}) all of the previously initialized variables are cleared. The goal is an ``all or nothing'' |
|
|
1145 initialization which allows for quick recovery from runtime errors. |
|
|
1146 |
|
|
1147 \vspace{+3mm}\begin{small} |
|
|
1148 \hspace{-5.1mm}{\bf File}: bn\_mp\_init\_multi.c |
|
|
1149 \vspace{-3mm} |
|
|
1150 \begin{alltt} |
|
|
1151 016 #include <stdarg.h> |
|
|
1152 017 |
|
|
1153 018 int mp_init_multi(mp_int *mp, ...) |
|
|
1154 019 \{ |
|
|
1155 020 mp_err res = MP_OKAY; /* Assume ok until proven otherwise */ |
|
|
1156 021 int n = 0; /* Number of ok inits */ |
|
|
1157 022 mp_int* cur_arg = mp; |
|
|
1158 023 va_list args; |
|
|
1159 024 |
|
|
1160 025 va_start(args, mp); /* init args to next argument from caller */ |
|
|
1161 026 while (cur_arg != NULL) \{ |
|
|
1162 027 if (mp_init(cur_arg) != MP_OKAY) \{ |
|
|
1163 028 /* Oops - error! Back-track and mp_clear what we already |
|
|
1164 029 succeeded in init-ing, then return error. |
|
|
1165 030 */ |
|
|
1166 031 va_list clean_args; |
|
|
1167 032 |
|
|
1168 033 /* end the current list */ |
|
|
1169 034 va_end(args); |
|
|
1170 035 |
|
|
1171 036 /* now start cleaning up */ |
|
|
1172 037 cur_arg = mp; |
|
|
1173 038 va_start(clean_args, mp); |
|
|
1174 039 while (n--) \{ |
|
|
1175 040 mp_clear(cur_arg); |
|
|
1176 041 cur_arg = va_arg(clean_args, mp_int*); |
|
|
1177 042 \} |
|
|
1178 043 va_end(clean_args); |
|
|
1179 044 res = MP_MEM; |
|
|
1180 045 break; |
|
|
1181 046 \} |
|
|
1182 047 n++; |
|
|
1183 048 cur_arg = va_arg(args, mp_int*); |
|
|
1184 049 \} |
|
|
1185 050 va_end(args); |
|
|
1186 051 return res; /* Assumed ok, if error flagged above. */ |
|
|
1187 052 \} |
|
|
1188 053 |
|
|
1189 054 #endif |
|
386
|
1190 055 |
|
282
|
1191 \end{alltt} |
|
|
1192 \end{small} |
|
|
1193 |
|
|
1194 This function intializes a variable length list of mp\_int structure pointers. However, instead of having the mp\_int |
|
|
1195 structures in an actual C array they are simply passed as arguments to the function. This function makes use of the |
|
|
1196 ``...'' argument syntax of the C programming language. The list is terminated with a final \textbf{NULL} argument |
|
|
1197 appended on the right. |
|
|
1198 |
|
|
1199 The function uses the ``stdarg.h'' \textit{va} functions to step portably through the arguments to the function. A count |
|
|
1200 $n$ of succesfully initialized mp\_int structures is maintained (line 47) such that if a failure does occur, |
|
|
1201 the algorithm can backtrack and free the previously initialized structures (lines 27 to 46). |
|
|
1202 |
|
|
1203 |
|
|
1204 \subsection{Clamping Excess Digits} |
|
|
1205 When a function anticipates a result will be $n$ digits it is simpler to assume this is true within the body of |
|
|
1206 the function instead of checking during the computation. For example, a multiplication of a $i$ digit number by a |
|
|
1207 $j$ digit produces a result of at most $i + j$ digits. It is entirely possible that the result is $i + j - 1$ |
|
|
1208 though, with no final carry into the last position. However, suppose the destination had to be first expanded |
|
|
1209 (\textit{via mp\_grow}) to accomodate $i + j - 1$ digits than further expanded to accomodate the final carry. |
|
|
1210 That would be a considerable waste of time since heap operations are relatively slow. |
|
|
1211 |
|
|
1212 The ideal solution is to always assume the result is $i + j$ and fix up the \textbf{used} count after the function |
|
|
1213 terminates. This way a single heap operation (\textit{at most}) is required. However, if the result was not checked |
|
|
1214 there would be an excess high order zero digit. |
|
|
1215 |
|
|
1216 For example, suppose the product of two integers was $x_n = (0x_{n-1}x_{n-2}...x_0)_{\beta}$. The leading zero digit |
|
|
1217 will not contribute to the precision of the result. In fact, through subsequent operations more leading zero digits would |
|
|
1218 accumulate to the point the size of the integer would be prohibitive. As a result even though the precision is very |
|
|
1219 low the representation is excessively large. |
|
|
1220 |
|
|
1221 The mp\_clamp algorithm is designed to solve this very problem. It will trim high-order zeros by decrementing the |
|
|
1222 \textbf{used} count until a non-zero most significant digit is found. Also in this system, zero is considered to be a |
|
|
1223 positive number which means that if the \textbf{used} count is decremented to zero, the sign must be set to |
|
|
1224 \textbf{MP\_ZPOS}. |
|
|
1225 |
|
|
1226 \begin{figure}[here] |
|
|
1227 \begin{center} |
|
|
1228 \begin{tabular}{l} |
|
|
1229 \hline Algorithm \textbf{mp\_clamp}. \\ |
|
|
1230 \textbf{Input}. An mp\_int $a$ \\ |
|
|
1231 \textbf{Output}. Any excess leading zero digits of $a$ are removed \\ |
|
|
1232 \hline \\ |
|
|
1233 1. while $a.used > 0$ and $a_{a.used - 1} = 0$ do \\ |
|
|
1234 \hspace{+3mm}1.1 $a.used \leftarrow a.used - 1$ \\ |
|
|
1235 2. if $a.used = 0$ then do \\ |
|
|
1236 \hspace{+3mm}2.1 $a.sign \leftarrow MP\_ZPOS$ \\ |
|
|
1237 \hline \\ |
|
|
1238 \end{tabular} |
|
|
1239 \end{center} |
|
|
1240 \caption{Algorithm mp\_clamp} |
|
|
1241 \end{figure} |
|
|
1242 |
|
|
1243 \textbf{Algorithm mp\_clamp.} |
|
|
1244 As can be expected this algorithm is very simple. The loop on step one is expected to iterate only once or twice at |
|
|
1245 the most. For example, this will happen in cases where there is not a carry to fill the last position. Step two fixes the sign for |
|
|
1246 when all of the digits are zero to ensure that the mp\_int is valid at all times. |
|
|
1247 |
|
|
1248 \vspace{+3mm}\begin{small} |
|
|
1249 \hspace{-5.1mm}{\bf File}: bn\_mp\_clamp.c |
|
|
1250 \vspace{-3mm} |
|
|
1251 \begin{alltt} |
|
|
1252 016 |
|
|
1253 017 /* trim unused digits |
|
|
1254 018 * |
|
|
1255 019 * This is used to ensure that leading zero digits are |
|
|
1256 020 * trimed and the leading "used" digit will be non-zero |
|
|
1257 021 * Typically very fast. Also fixes the sign if there |
|
|
1258 022 * are no more leading digits |
|
|
1259 023 */ |
|
|
1260 024 void |
|
|
1261 025 mp_clamp (mp_int * a) |
|
|
1262 026 \{ |
|
|
1263 027 /* decrease used while the most significant digit is |
|
|
1264 028 * zero. |
|
|
1265 029 */ |
|
|
1266 030 while (a->used > 0 && a->dp[a->used - 1] == 0) \{ |
|
|
1267 031 --(a->used); |
|
|
1268 032 \} |
|
|
1269 033 |
|
|
1270 034 /* reset the sign flag if used == 0 */ |
|
|
1271 035 if (a->used == 0) \{ |
|
|
1272 036 a->sign = MP_ZPOS; |
|
|
1273 037 \} |
|
|
1274 038 \} |
|
|
1275 039 #endif |
|
386
|
1276 040 |
|
282
|
1277 \end{alltt} |
|
|
1278 \end{small} |
|
|
1279 |
|
|
1280 Note on line 27 how to test for the \textbf{used} count is made on the left of the \&\& operator. In the C programming |
|
|
1281 language the terms to \&\& are evaluated left to right with a boolean short-circuit if any condition fails. This is |
|
|
1282 important since if the \textbf{used} is zero the test on the right would fetch below the array. That is obviously |
|
|
1283 undesirable. The parenthesis on line 30 is used to make sure the \textbf{used} count is decremented and not |
|
|
1284 the pointer ``a''. |
|
|
1285 |
|
|
1286 \section*{Exercises} |
|
|
1287 \begin{tabular}{cl} |
|
|
1288 $\left [ 1 \right ]$ & Discuss the relevance of the \textbf{used} member of the mp\_int structure. \\ |
|
|
1289 & \\ |
|
|
1290 $\left [ 1 \right ]$ & Discuss the consequences of not using padding when performing allocations. \\ |
|
|
1291 & \\ |
|
|
1292 $\left [ 2 \right ]$ & Estimate an ideal value for \textbf{MP\_PREC} when performing 1024-bit RSA \\ |
|
|
1293 & encryption when $\beta = 2^{28}$. \\ |
|
|
1294 & \\ |
|
|
1295 $\left [ 1 \right ]$ & Discuss the relevance of the algorithm mp\_clamp. What does it prevent? \\ |
|
|
1296 & \\ |
|
|
1297 $\left [ 1 \right ]$ & Give an example of when the algorithm mp\_init\_copy might be useful. \\ |
|
|
1298 & \\ |
|
|
1299 \end{tabular} |
|
|
1300 |
|
|
1301 |
|
|
1302 %%% |
|
|
1303 % CHAPTER FOUR |
|
|
1304 %%% |
|
|
1305 |
|
|
1306 \chapter{Basic Operations} |
|
|
1307 |
|
|
1308 \section{Introduction} |
|
|
1309 In the previous chapter a series of low level algorithms were established that dealt with initializing and maintaining |
|
|
1310 mp\_int structures. This chapter will discuss another set of seemingly non-algebraic algorithms which will form the low |
|
|
1311 level basis of the entire library. While these algorithm are relatively trivial it is important to understand how they |
|
|
1312 work before proceeding since these algorithms will be used almost intrinsically in the following chapters. |
|
|
1313 |
|
|
1314 The algorithms in this chapter deal primarily with more ``programmer'' related tasks such as creating copies of |
|
|
1315 mp\_int structures, assigning small values to mp\_int structures and comparisons of the values mp\_int structures |
|
|
1316 represent. |
|
|
1317 |
|
|
1318 \section{Assigning Values to mp\_int Structures} |
|
|
1319 \subsection{Copying an mp\_int} |
|
|
1320 Assigning the value that a given mp\_int structure represents to another mp\_int structure shall be known as making |
|
|
1321 a copy for the purposes of this text. The copy of the mp\_int will be a separate entity that represents the same |
|
|
1322 value as the mp\_int it was copied from. The mp\_copy algorithm provides this functionality. |
|
|
1323 |
|
|
1324 \newpage\begin{figure}[here] |
|
|
1325 \begin{center} |
|
|
1326 \begin{tabular}{l} |
|
|
1327 \hline Algorithm \textbf{mp\_copy}. \\ |
|
|
1328 \textbf{Input}. An mp\_int $a$ and $b$. \\ |
|
|
1329 \textbf{Output}. Store a copy of $a$ in $b$. \\ |
|
|
1330 \hline \\ |
|
|
1331 1. If $b.alloc < a.used$ then grow $b$ to $a.used$ digits. (\textit{mp\_grow}) \\ |
|
|
1332 2. for $n$ from 0 to $a.used - 1$ do \\ |
|
|
1333 \hspace{3mm}2.1 $b_{n} \leftarrow a_{n}$ \\ |
|
|
1334 3. for $n$ from $a.used$ to $b.used - 1$ do \\ |
|
|
1335 \hspace{3mm}3.1 $b_{n} \leftarrow 0$ \\ |
|
|
1336 4. $b.used \leftarrow a.used$ \\ |
|
|
1337 5. $b.sign \leftarrow a.sign$ \\ |
|
|
1338 6. return(\textit{MP\_OKAY}) \\ |
|
|
1339 \hline |
|
|
1340 \end{tabular} |
|
|
1341 \end{center} |
|
|
1342 \caption{Algorithm mp\_copy} |
|
|
1343 \end{figure} |
|
|
1344 |
|
|
1345 \textbf{Algorithm mp\_copy.} |
|
|
1346 This algorithm copies the mp\_int $a$ such that upon succesful termination of the algorithm the mp\_int $b$ will |
|
|
1347 represent the same integer as the mp\_int $a$. The mp\_int $b$ shall be a complete and distinct copy of the |
|
|
1348 mp\_int $a$ meaing that the mp\_int $a$ can be modified and it shall not affect the value of the mp\_int $b$. |
|
|
1349 |
|
|
1350 If $b$ does not have enough room for the digits of $a$ it must first have its precision augmented via the mp\_grow |
|
|
1351 algorithm. The digits of $a$ are copied over the digits of $b$ and any excess digits of $b$ are set to zero (step two |
|
|
1352 and three). The \textbf{used} and \textbf{sign} members of $a$ are finally copied over the respective members of |
|
|
1353 $b$. |
|
|
1354 |
|
|
1355 \textbf{Remark.} This algorithm also introduces a new idiosyncrasy that will be used throughout the rest of the |
|
|
1356 text. The error return codes of other algorithms are not explicitly checked in the pseudo-code presented. For example, in |
|
|
1357 step one of the mp\_copy algorithm the return of mp\_grow is not explicitly checked to ensure it succeeded. Text space is |
|
|
1358 limited so it is assumed that if a algorithm fails it will clear all temporarily allocated mp\_ints and return |
|
|
1359 the error code itself. However, the C code presented will demonstrate all of the error handling logic required to |
|
|
1360 implement the pseudo-code. |
|
|
1361 |
|
|
1362 \vspace{+3mm}\begin{small} |
|
|
1363 \hspace{-5.1mm}{\bf File}: bn\_mp\_copy.c |
|
|
1364 \vspace{-3mm} |
|
|
1365 \begin{alltt} |
|
|
1366 016 |
|
|
1367 017 /* copy, b = a */ |
|
|
1368 018 int |
|
|
1369 019 mp_copy (mp_int * a, mp_int * b) |
|
|
1370 020 \{ |
|
|
1371 021 int res, n; |
|
|
1372 022 |
|
|
1373 023 /* if dst == src do nothing */ |
|
|
1374 024 if (a == b) \{ |
|
|
1375 025 return MP_OKAY; |
|
|
1376 026 \} |
|
|
1377 027 |
|
|
1378 028 /* grow dest */ |
|
|
1379 029 if (b->alloc < a->used) \{ |
|
|
1380 030 if ((res = mp_grow (b, a->used)) != MP_OKAY) \{ |
|
|
1381 031 return res; |
|
|
1382 032 \} |
|
|
1383 033 \} |
|
|
1384 034 |
|
|
1385 035 /* zero b and copy the parameters over */ |
|
|
1386 036 \{ |
|
|
1387 037 register mp_digit *tmpa, *tmpb; |
|
|
1388 038 |
|
|
1389 039 /* pointer aliases */ |
|
|
1390 040 |
|
|
1391 041 /* source */ |
|
|
1392 042 tmpa = a->dp; |
|
|
1393 043 |
|
|
1394 044 /* destination */ |
|
|
1395 045 tmpb = b->dp; |
|
|
1396 046 |
|
|
1397 047 /* copy all the digits */ |
|
|
1398 048 for (n = 0; n < a->used; n++) \{ |
|
|
1399 049 *tmpb++ = *tmpa++; |
|
|
1400 050 \} |
|
|
1401 051 |
|
|
1402 052 /* clear high digits */ |
|
|
1403 053 for (; n < b->used; n++) \{ |
|
|
1404 054 *tmpb++ = 0; |
|
|
1405 055 \} |
|
|
1406 056 \} |
|
|
1407 057 |
|
|
1408 058 /* copy used count and sign */ |
|
|
1409 059 b->used = a->used; |
|
|
1410 060 b->sign = a->sign; |
|
|
1411 061 return MP_OKAY; |
|
|
1412 062 \} |
|
|
1413 063 #endif |
|
386
|
1414 064 |
|
282
|
1415 \end{alltt} |
|
|
1416 \end{small} |
|
|
1417 |
|
|
1418 Occasionally a dependent algorithm may copy an mp\_int effectively into itself such as when the input and output |
|
|
1419 mp\_int structures passed to a function are one and the same. For this case it is optimal to return immediately without |
|
|
1420 copying digits (line 24). |
|
|
1421 |
|
|
1422 The mp\_int $b$ must have enough digits to accomodate the used digits of the mp\_int $a$. If $b.alloc$ is less than |
|
|
1423 $a.used$ the algorithm mp\_grow is used to augment the precision of $b$ (lines 29 to 33). In order to |
|
|
1424 simplify the inner loop that copies the digits from $a$ to $b$, two aliases $tmpa$ and $tmpb$ point directly at the digits |
|
|
1425 of the mp\_ints $a$ and $b$ respectively. These aliases (lines 42 and 45) allow the compiler to access the digits without first dereferencing the |
|
|
1426 mp\_int pointers and then subsequently the pointer to the digits. |
|
|
1427 |
|
|
1428 After the aliases are established the digits from $a$ are copied into $b$ (lines 48 to 50) and then the excess |
|
|
1429 digits of $b$ are set to zero (lines 53 to 55). Both ``for'' loops make use of the pointer aliases and in |
|
|
1430 fact the alias for $b$ is carried through into the second ``for'' loop to clear the excess digits. This optimization |
|
|
1431 allows the alias to stay in a machine register fairly easy between the two loops. |
|
|
1432 |
|
|
1433 \textbf{Remarks.} The use of pointer aliases is an implementation methodology first introduced in this function that will |
|
|
1434 be used considerably in other functions. Technically, a pointer alias is simply a short hand alias used to lower the |
|
|
1435 number of pointer dereferencing operations required to access data. For example, a for loop may resemble |
|
|
1436 |
|
|
1437 \begin{alltt} |
|
|
1438 for (x = 0; x < 100; x++) \{ |
|
|
1439 a->num[4]->dp[x] = 0; |
|
|
1440 \} |
|
|
1441 \end{alltt} |
|
|
1442 |
|
|
1443 This could be re-written using aliases as |
|
|
1444 |
|
|
1445 \begin{alltt} |
|
|
1446 mp_digit *tmpa; |
|
|
1447 a = a->num[4]->dp; |
|
|
1448 for (x = 0; x < 100; x++) \{ |
|
|
1449 *a++ = 0; |
|
|
1450 \} |
|
|
1451 \end{alltt} |
|
|
1452 |
|
|
1453 In this case an alias is used to access the |
|
|
1454 array of digits within an mp\_int structure directly. It may seem that a pointer alias is strictly not required |
|
|
1455 as a compiler may optimize out the redundant pointer operations. However, there are two dominant reasons to use aliases. |
|
|
1456 |
|
|
1457 The first reason is that most compilers will not effectively optimize pointer arithmetic. For example, some optimizations |
|
|
1458 may work for the Microsoft Visual C++ compiler (MSVC) and not for the GNU C Compiler (GCC). Also some optimizations may |
|
|
1459 work for GCC and not MSVC. As such it is ideal to find a common ground for as many compilers as possible. Pointer |
|
|
1460 aliases optimize the code considerably before the compiler even reads the source code which means the end compiled code |
|
|
1461 stands a better chance of being faster. |
|
|
1462 |
|
|
1463 The second reason is that pointer aliases often can make an algorithm simpler to read. Consider the first ``for'' |
|
|
1464 loop of the function mp\_copy() re-written to not use pointer aliases. |
|
|
1465 |
|
|
1466 \begin{alltt} |
|
|
1467 /* copy all the digits */ |
|
|
1468 for (n = 0; n < a->used; n++) \{ |
|
|
1469 b->dp[n] = a->dp[n]; |
|
|
1470 \} |
|
|
1471 \end{alltt} |
|
|
1472 |
|
|
1473 Whether this code is harder to read depends strongly on the individual. However, it is quantifiably slightly more |
|
|
1474 complicated as there are four variables within the statement instead of just two. |
|
|
1475 |
|
|
1476 \subsubsection{Nested Statements} |
|
|
1477 Another commonly used technique in the source routines is that certain sections of code are nested. This is used in |
|
|
1478 particular with the pointer aliases to highlight code phases. For example, a Comba multiplier (discussed in chapter six) |
|
|
1479 will typically have three different phases. First the temporaries are initialized, then the columns calculated and |
|
|
1480 finally the carries are propagated. In this example the middle column production phase will typically be nested as it |
|
|
1481 uses temporary variables and aliases the most. |
|
|
1482 |
|
|
1483 The nesting also simplies the source code as variables that are nested are only valid for their scope. As a result |
|
|
1484 the various temporary variables required do not propagate into other sections of code. |
|
|
1485 |
|
|
1486 |
|
|
1487 \subsection{Creating a Clone} |
|
|
1488 Another common operation is to make a local temporary copy of an mp\_int argument. To initialize an mp\_int |
|
|
1489 and then copy another existing mp\_int into the newly intialized mp\_int will be known as creating a clone. This is |
|
|
1490 useful within functions that need to modify an argument but do not wish to actually modify the original copy. The |
|
|
1491 mp\_init\_copy algorithm has been designed to help perform this task. |
|
|
1492 |
|
|
1493 \begin{figure}[here] |
|
|
1494 \begin{center} |
|
|
1495 \begin{tabular}{l} |
|
|
1496 \hline Algorithm \textbf{mp\_init\_copy}. \\ |
|
|
1497 \textbf{Input}. An mp\_int $a$ and $b$\\ |
|
|
1498 \textbf{Output}. $a$ is initialized to be a copy of $b$. \\ |
|
|
1499 \hline \\ |
|
|
1500 1. Init $a$. (\textit{mp\_init}) \\ |
|
|
1501 2. Copy $b$ to $a$. (\textit{mp\_copy}) \\ |
|
|
1502 3. Return the status of the copy operation. \\ |
|
|
1503 \hline |
|
|
1504 \end{tabular} |
|
|
1505 \end{center} |
|
|
1506 \caption{Algorithm mp\_init\_copy} |
|
|
1507 \end{figure} |
|
|
1508 |
|
|
1509 \textbf{Algorithm mp\_init\_copy.} |
|
|
1510 This algorithm will initialize an mp\_int variable and copy another previously initialized mp\_int variable into it. As |
|
|
1511 such this algorithm will perform two operations in one step. |
|
|
1512 |
|
|
1513 \vspace{+3mm}\begin{small} |
|
|
1514 \hspace{-5.1mm}{\bf File}: bn\_mp\_init\_copy.c |
|
|
1515 \vspace{-3mm} |
|
|
1516 \begin{alltt} |
|
|
1517 016 |
|
|
1518 017 /* creates "a" then copies b into it */ |
|
|
1519 018 int mp_init_copy (mp_int * a, mp_int * b) |
|
|
1520 019 \{ |
|
|
1521 020 int res; |
|
|
1522 021 |
|
|
1523 022 if ((res = mp_init (a)) != MP_OKAY) \{ |
|
|
1524 023 return res; |
|
|
1525 024 \} |
|
|
1526 025 return mp_copy (b, a); |
|
|
1527 026 \} |
|
|
1528 027 #endif |
|
386
|
1529 028 |
|
282
|
1530 \end{alltt} |
|
|
1531 \end{small} |
|
|
1532 |
|
|
1533 This will initialize \textbf{a} and make it a verbatim copy of the contents of \textbf{b}. Note that |
|
|
1534 \textbf{a} will have its own memory allocated which means that \textbf{b} may be cleared after the call |
|
|
1535 and \textbf{a} will be left intact. |
|
|
1536 |
|
|
1537 \section{Zeroing an Integer} |
|
|
1538 Reseting an mp\_int to the default state is a common step in many algorithms. The mp\_zero algorithm will be the algorithm used to |
|
|
1539 perform this task. |
|
|
1540 |
|
|
1541 \begin{figure}[here] |
|
|
1542 \begin{center} |
|
|
1543 \begin{tabular}{l} |
|
|
1544 \hline Algorithm \textbf{mp\_zero}. \\ |
|
|
1545 \textbf{Input}. An mp\_int $a$ \\ |
|
|
1546 \textbf{Output}. Zero the contents of $a$ \\ |
|
|
1547 \hline \\ |
|
|
1548 1. $a.used \leftarrow 0$ \\ |
|
|
1549 2. $a.sign \leftarrow$ MP\_ZPOS \\ |
|
|
1550 3. for $n$ from 0 to $a.alloc - 1$ do \\ |
|
|
1551 \hspace{3mm}3.1 $a_n \leftarrow 0$ \\ |
|
|
1552 \hline |
|
|
1553 \end{tabular} |
|
|
1554 \end{center} |
|
|
1555 \caption{Algorithm mp\_zero} |
|
|
1556 \end{figure} |
|
|
1557 |
|
|
1558 \textbf{Algorithm mp\_zero.} |
|
|
1559 This algorithm simply resets a mp\_int to the default state. |
|
|
1560 |
|
|
1561 \vspace{+3mm}\begin{small} |
|
|
1562 \hspace{-5.1mm}{\bf File}: bn\_mp\_zero.c |
|
|
1563 \vspace{-3mm} |
|
|
1564 \begin{alltt} |
|
|
1565 016 |
|
|
1566 017 /* set to zero */ |
|
|
1567 018 void mp_zero (mp_int * a) |
|
|
1568 019 \{ |
|
|
1569 020 int n; |
|
|
1570 021 mp_digit *tmp; |
|
|
1571 022 |
|
|
1572 023 a->sign = MP_ZPOS; |
|
|
1573 024 a->used = 0; |
|
|
1574 025 |
|
|
1575 026 tmp = a->dp; |
|
|
1576 027 for (n = 0; n < a->alloc; n++) \{ |
|
|
1577 028 *tmp++ = 0; |
|
|
1578 029 \} |
|
|
1579 030 \} |
|
|
1580 031 #endif |
|
386
|
1581 032 |
|
282
|
1582 \end{alltt} |
|
|
1583 \end{small} |
|
|
1584 |
|
|
1585 After the function is completed, all of the digits are zeroed, the \textbf{used} count is zeroed and the |
|
|
1586 \textbf{sign} variable is set to \textbf{MP\_ZPOS}. |
|
|
1587 |
|
|
1588 \section{Sign Manipulation} |
|
|
1589 \subsection{Absolute Value} |
|
|
1590 With the mp\_int representation of an integer, calculating the absolute value is trivial. The mp\_abs algorithm will compute |
|
|
1591 the absolute value of an mp\_int. |
|
|
1592 |
|
|
1593 \begin{figure}[here] |
|
|
1594 \begin{center} |
|
|
1595 \begin{tabular}{l} |
|
|
1596 \hline Algorithm \textbf{mp\_abs}. \\ |
|
|
1597 \textbf{Input}. An mp\_int $a$ \\ |
|
|
1598 \textbf{Output}. Computes $b = \vert a \vert$ \\ |
|
|
1599 \hline \\ |
|
|
1600 1. Copy $a$ to $b$. (\textit{mp\_copy}) \\ |
|
|
1601 2. If the copy failed return(\textit{MP\_MEM}). \\ |
|
|
1602 3. $b.sign \leftarrow MP\_ZPOS$ \\ |
|
|
1603 4. Return(\textit{MP\_OKAY}) \\ |
|
|
1604 \hline |
|
|
1605 \end{tabular} |
|
|
1606 \end{center} |
|
|
1607 \caption{Algorithm mp\_abs} |
|
|
1608 \end{figure} |
|
|
1609 |
|
|
1610 \textbf{Algorithm mp\_abs.} |
|
|
1611 This algorithm computes the absolute of an mp\_int input. First it copies $a$ over $b$. This is an example of an |
|
|
1612 algorithm where the check in mp\_copy that determines if the source and destination are equal proves useful. This allows, |
|
|
1613 for instance, the developer to pass the same mp\_int as the source and destination to this function without addition |
|
|
1614 logic to handle it. |
|
|
1615 |
|
|
1616 \vspace{+3mm}\begin{small} |
|
|
1617 \hspace{-5.1mm}{\bf File}: bn\_mp\_abs.c |
|
|
1618 \vspace{-3mm} |
|
|
1619 \begin{alltt} |
|
|
1620 016 |
|
|
1621 017 /* b = |a| |
|
|
1622 018 * |
|
|
1623 019 * Simple function copies the input and fixes the sign to positive |
|
|
1624 020 */ |
|
|
1625 021 int |
|
|
1626 022 mp_abs (mp_int * a, mp_int * b) |
|
|
1627 023 \{ |
|
|
1628 024 int res; |
|
|
1629 025 |
|
|
1630 026 /* copy a to b */ |
|
|
1631 027 if (a != b) \{ |
|
|
1632 028 if ((res = mp_copy (a, b)) != MP_OKAY) \{ |
|
|
1633 029 return res; |
|
|
1634 030 \} |
|
|
1635 031 \} |
|
|
1636 032 |
|
|
1637 033 /* force the sign of b to positive */ |
|
|
1638 034 b->sign = MP_ZPOS; |
|
|
1639 035 |
|
|
1640 036 return MP_OKAY; |
|
|
1641 037 \} |
|
|
1642 038 #endif |
|
386
|
1643 039 |
|
282
|
1644 \end{alltt} |
|
|
1645 \end{small} |
|
|
1646 |
|
|
1647 This fairly trivial algorithm first eliminates non--required duplications (line 27) and then sets the |
|
|
1648 \textbf{sign} flag to \textbf{MP\_ZPOS}. |
|
|
1649 |
|
|
1650 \subsection{Integer Negation} |
|
|
1651 With the mp\_int representation of an integer, calculating the negation is also trivial. The mp\_neg algorithm will compute |
|
|
1652 the negative of an mp\_int input. |
|
|
1653 |
|
|
1654 \begin{figure}[here] |
|
|
1655 \begin{center} |
|
|
1656 \begin{tabular}{l} |
|
|
1657 \hline Algorithm \textbf{mp\_neg}. \\ |
|
|
1658 \textbf{Input}. An mp\_int $a$ \\ |
|
|
1659 \textbf{Output}. Computes $b = -a$ \\ |
|
|
1660 \hline \\ |
|
|
1661 1. Copy $a$ to $b$. (\textit{mp\_copy}) \\ |
|
|
1662 2. If the copy failed return(\textit{MP\_MEM}). \\ |
|
|
1663 3. If $a.used = 0$ then return(\textit{MP\_OKAY}). \\ |
|
|
1664 4. If $a.sign = MP\_ZPOS$ then do \\ |
|
|
1665 \hspace{3mm}4.1 $b.sign = MP\_NEG$. \\ |
|
|
1666 5. else do \\ |
|
|
1667 \hspace{3mm}5.1 $b.sign = MP\_ZPOS$. \\ |
|
|
1668 6. Return(\textit{MP\_OKAY}) \\ |
|
|
1669 \hline |
|
|
1670 \end{tabular} |
|
|
1671 \end{center} |
|
|
1672 \caption{Algorithm mp\_neg} |
|
|
1673 \end{figure} |
|
|
1674 |
|
|
1675 \textbf{Algorithm mp\_neg.} |
|
|
1676 This algorithm computes the negation of an input. First it copies $a$ over $b$. If $a$ has no used digits then |
|
|
1677 the algorithm returns immediately. Otherwise it flips the sign flag and stores the result in $b$. Note that if |
|
|
1678 $a$ had no digits then it must be positive by definition. Had step three been omitted then the algorithm would return |
|
|
1679 zero as negative. |
|
|
1680 |
|
|
1681 \vspace{+3mm}\begin{small} |
|
|
1682 \hspace{-5.1mm}{\bf File}: bn\_mp\_neg.c |
|
|
1683 \vspace{-3mm} |
|
|
1684 \begin{alltt} |
|
|
1685 016 |
|
|
1686 017 /* b = -a */ |
|
|
1687 018 int mp_neg (mp_int * a, mp_int * b) |
|
|
1688 019 \{ |
|
|
1689 020 int res; |
|
|
1690 021 if (a != b) \{ |
|
|
1691 022 if ((res = mp_copy (a, b)) != MP_OKAY) \{ |
|
|
1692 023 return res; |
|
|
1693 024 \} |
|
|
1694 025 \} |
|
|
1695 026 |
|
|
1696 027 if (mp_iszero(b) != MP_YES) \{ |
|
|
1697 028 b->sign = (a->sign == MP_ZPOS) ? MP_NEG : MP_ZPOS; |
|
|
1698 029 \} else \{ |
|
|
1699 030 b->sign = MP_ZPOS; |
|
|
1700 031 \} |
|
|
1701 032 |
|
|
1702 033 return MP_OKAY; |
|
|
1703 034 \} |
|
|
1704 035 #endif |
|
386
|
1705 036 |
|
282
|
1706 \end{alltt} |
|
|
1707 \end{small} |
|
|
1708 |
|
|
1709 Like mp\_abs() this function avoids non--required duplications (line 21) and then sets the sign. We |
|
|
1710 have to make sure that only non--zero values get a \textbf{sign} of \textbf{MP\_NEG}. If the mp\_int is zero |
|
|
1711 than the \textbf{sign} is hard--coded to \textbf{MP\_ZPOS}. |
|
|
1712 |
|
|
1713 \section{Small Constants} |
|
|
1714 \subsection{Setting Small Constants} |
|
|
1715 Often a mp\_int must be set to a relatively small value such as $1$ or $2$. For these cases the mp\_set algorithm is useful. |
|
|
1716 |
|
|
1717 \newpage\begin{figure}[here] |
|
|
1718 \begin{center} |
|
|
1719 \begin{tabular}{l} |
|
|
1720 \hline Algorithm \textbf{mp\_set}. \\ |
|
|
1721 \textbf{Input}. An mp\_int $a$ and a digit $b$ \\ |
|
|
1722 \textbf{Output}. Make $a$ equivalent to $b$ \\ |
|
|
1723 \hline \\ |
|
|
1724 1. Zero $a$ (\textit{mp\_zero}). \\ |
|
|
1725 2. $a_0 \leftarrow b \mbox{ (mod }\beta\mbox{)}$ \\ |
|
|
1726 3. $a.used \leftarrow \left \lbrace \begin{array}{ll} |
|
|
1727 1 & \mbox{if }a_0 > 0 \\ |
|
|
1728 0 & \mbox{if }a_0 = 0 |
|
|
1729 \end{array} \right .$ \\ |
|
|
1730 \hline |
|
|
1731 \end{tabular} |
|
|
1732 \end{center} |
|
|
1733 \caption{Algorithm mp\_set} |
|
|
1734 \end{figure} |
|
|
1735 |
|
|
1736 \textbf{Algorithm mp\_set.} |
|
|
1737 This algorithm sets a mp\_int to a small single digit value. Step number 1 ensures that the integer is reset to the default state. The |
|
|
1738 single digit is set (\textit{modulo $\beta$}) and the \textbf{used} count is adjusted accordingly. |
|
|
1739 |
|
|
1740 \vspace{+3mm}\begin{small} |
|
|
1741 \hspace{-5.1mm}{\bf File}: bn\_mp\_set.c |
|
|
1742 \vspace{-3mm} |
|
|
1743 \begin{alltt} |
|
|
1744 016 |
|
|
1745 017 /* set to a digit */ |
|
|
1746 018 void mp_set (mp_int * a, mp_digit b) |
|
|
1747 019 \{ |
|
|
1748 020 mp_zero (a); |
|
|
1749 021 a->dp[0] = b & MP_MASK; |
|
|
1750 022 a->used = (a->dp[0] != 0) ? 1 : 0; |
|
|
1751 023 \} |
|
|
1752 024 #endif |
|
386
|
1753 025 |
|
282
|
1754 \end{alltt} |
|
|
1755 \end{small} |
|
|
1756 |
|
|
1757 First we zero (line 20) the mp\_int to make sure that the other members are initialized for a |
|
|
1758 small positive constant. mp\_zero() ensures that the \textbf{sign} is positive and the \textbf{used} count |
|
|
1759 is zero. Next we set the digit and reduce it modulo $\beta$ (line 21). After this step we have to |
|
|
1760 check if the resulting digit is zero or not. If it is not then we set the \textbf{used} count to one, otherwise |
|
|
1761 to zero. |
|
|
1762 |
|
|
1763 We can quickly reduce modulo $\beta$ since it is of the form $2^k$ and a quick binary AND operation with |
|
|
1764 $2^k - 1$ will perform the same operation. |
|
|
1765 |
|
|
1766 One important limitation of this function is that it will only set one digit. The size of a digit is not fixed, meaning source that uses |
|
|
1767 this function should take that into account. Only trivially small constants can be set using this function. |
|
|
1768 |
|
|
1769 \subsection{Setting Large Constants} |
|
|
1770 To overcome the limitations of the mp\_set algorithm the mp\_set\_int algorithm is ideal. It accepts a ``long'' |
|
|
1771 data type as input and will always treat it as a 32-bit integer. |
|
|
1772 |
|
|
1773 \begin{figure}[here] |
|
|
1774 \begin{center} |
|
|
1775 \begin{tabular}{l} |
|
|
1776 \hline Algorithm \textbf{mp\_set\_int}. \\ |
|
|
1777 \textbf{Input}. An mp\_int $a$ and a ``long'' integer $b$ \\ |
|
|
1778 \textbf{Output}. Make $a$ equivalent to $b$ \\ |
|
|
1779 \hline \\ |
|
|
1780 1. Zero $a$ (\textit{mp\_zero}) \\ |
|
|
1781 2. for $n$ from 0 to 7 do \\ |
|
|
1782 \hspace{3mm}2.1 $a \leftarrow a \cdot 16$ (\textit{mp\_mul2d}) \\ |
|
|
1783 \hspace{3mm}2.2 $u \leftarrow \lfloor b / 2^{4(7 - n)} \rfloor \mbox{ (mod }16\mbox{)}$\\ |
|
|
1784 \hspace{3mm}2.3 $a_0 \leftarrow a_0 + u$ \\ |
|
|
1785 \hspace{3mm}2.4 $a.used \leftarrow a.used + 1$ \\ |
|
|
1786 3. Clamp excess used digits (\textit{mp\_clamp}) \\ |
|
|
1787 \hline |
|
|
1788 \end{tabular} |
|
|
1789 \end{center} |
|
|
1790 \caption{Algorithm mp\_set\_int} |
|
|
1791 \end{figure} |
|
|
1792 |
|
|
1793 \textbf{Algorithm mp\_set\_int.} |
|
|
1794 The algorithm performs eight iterations of a simple loop where in each iteration four bits from the source are added to the |
|
|
1795 mp\_int. Step 2.1 will multiply the current result by sixteen making room for four more bits in the less significant positions. In step 2.2 the |
|
|
1796 next four bits from the source are extracted and are added to the mp\_int. The \textbf{used} digit count is |
|
|
1797 incremented to reflect the addition. The \textbf{used} digit counter is incremented since if any of the leading digits were zero the mp\_int would have |
|
|
1798 zero digits used and the newly added four bits would be ignored. |
|
|
1799 |
|
|
1800 Excess zero digits are trimmed in steps 2.1 and 3 by using higher level algorithms mp\_mul2d and mp\_clamp. |
|
|
1801 |
|
|
1802 \vspace{+3mm}\begin{small} |
|
|
1803 \hspace{-5.1mm}{\bf File}: bn\_mp\_set\_int.c |
|
|
1804 \vspace{-3mm} |
|
|
1805 \begin{alltt} |
|
|
1806 016 |
|
|
1807 017 /* set a 32-bit const */ |
|
|
1808 018 int mp_set_int (mp_int * a, unsigned long b) |
|
|
1809 019 \{ |
|
|
1810 020 int x, res; |
|
|
1811 021 |
|
|
1812 022 mp_zero (a); |
|
|
1813 023 |
|
|
1814 024 /* set four bits at a time */ |
|
|
1815 025 for (x = 0; x < 8; x++) \{ |
|
|
1816 026 /* shift the number up four bits */ |
|
|
1817 027 if ((res = mp_mul_2d (a, 4, a)) != MP_OKAY) \{ |
|
|
1818 028 return res; |
|
|
1819 029 \} |
|
|
1820 030 |
|
|
1821 031 /* OR in the top four bits of the source */ |
|
|
1822 032 a->dp[0] |= (b >> 28) & 15; |
|
|
1823 033 |
|
|
1824 034 /* shift the source up to the next four bits */ |
|
|
1825 035 b <<= 4; |
|
|
1826 036 |
|
|
1827 037 /* ensure that digits are not clamped off */ |
|
|
1828 038 a->used += 1; |
|
|
1829 039 \} |
|
|
1830 040 mp_clamp (a); |
|
|
1831 041 return MP_OKAY; |
|
|
1832 042 \} |
|
|
1833 043 #endif |
|
386
|
1834 044 |
|
282
|
1835 \end{alltt} |
|
|
1836 \end{small} |
|
|
1837 |
|
|
1838 This function sets four bits of the number at a time to handle all practical \textbf{DIGIT\_BIT} sizes. The weird |
|
|
1839 addition on line 38 ensures that the newly added in bits are added to the number of digits. While it may not |
|
|
1840 seem obvious as to why the digit counter does not grow exceedingly large it is because of the shift on line 27 |
|
|
1841 as well as the call to mp\_clamp() on line 40. Both functions will clamp excess leading digits which keeps |
|
|
1842 the number of used digits low. |
|
|
1843 |
|
|
1844 \section{Comparisons} |
|
|
1845 \subsection{Unsigned Comparisions} |
|
|
1846 Comparing a multiple precision integer is performed with the exact same algorithm used to compare two decimal numbers. For example, |
|
|
1847 to compare $1,234$ to $1,264$ the digits are extracted by their positions. That is we compare $1 \cdot 10^3 + 2 \cdot 10^2 + 3 \cdot 10^1 + 4 \cdot 10^0$ |
|
|
1848 to $1 \cdot 10^3 + 2 \cdot 10^2 + 6 \cdot 10^1 + 4 \cdot 10^0$ by comparing single digits at a time starting with the highest magnitude |
|
|
1849 positions. If any leading digit of one integer is greater than a digit in the same position of another integer then obviously it must be greater. |
|
|
1850 |
|
|
1851 The first comparision routine that will be developed is the unsigned magnitude compare which will perform a comparison based on the digits of two |
|
|
1852 mp\_int variables alone. It will ignore the sign of the two inputs. Such a function is useful when an absolute comparison is required or if the |
|
|
1853 signs are known to agree in advance. |
|
|
1854 |
|
|
1855 To facilitate working with the results of the comparison functions three constants are required. |
|
|
1856 |
|
|
1857 \begin{figure}[here] |
|
|
1858 \begin{center} |
|
|
1859 \begin{tabular}{|r|l|} |
|
|
1860 \hline \textbf{Constant} & \textbf{Meaning} \\ |
|
|
1861 \hline \textbf{MP\_GT} & Greater Than \\ |
|
|
1862 \hline \textbf{MP\_EQ} & Equal To \\ |
|
|
1863 \hline \textbf{MP\_LT} & Less Than \\ |
|
|
1864 \hline |
|
|
1865 \end{tabular} |
|
|
1866 \end{center} |
|
|
1867 \caption{Comparison Return Codes} |
|
|
1868 \end{figure} |
|
|
1869 |
|
|
1870 \begin{figure}[here] |
|
|
1871 \begin{center} |
|
|
1872 \begin{tabular}{l} |
|
|
1873 \hline Algorithm \textbf{mp\_cmp\_mag}. \\ |
|
|
1874 \textbf{Input}. Two mp\_ints $a$ and $b$. \\ |
|
|
1875 \textbf{Output}. Unsigned comparison results ($a$ to the left of $b$). \\ |
|
|
1876 \hline \\ |
|
|
1877 1. If $a.used > b.used$ then return(\textit{MP\_GT}) \\ |
|
|
1878 2. If $a.used < b.used$ then return(\textit{MP\_LT}) \\ |
|
|
1879 3. for n from $a.used - 1$ to 0 do \\ |
|
|
1880 \hspace{+3mm}3.1 if $a_n > b_n$ then return(\textit{MP\_GT}) \\ |
|
|
1881 \hspace{+3mm}3.2 if $a_n < b_n$ then return(\textit{MP\_LT}) \\ |
|
|
1882 4. Return(\textit{MP\_EQ}) \\ |
|
|
1883 \hline |
|
|
1884 \end{tabular} |
|
|
1885 \end{center} |
|
|
1886 \caption{Algorithm mp\_cmp\_mag} |
|
|
1887 \end{figure} |
|
|
1888 |
|
|
1889 \textbf{Algorithm mp\_cmp\_mag.} |
|
|
1890 By saying ``$a$ to the left of $b$'' it is meant that the comparison is with respect to $a$, that is if $a$ is greater than $b$ it will return |
|
|
1891 \textbf{MP\_GT} and similar with respect to when $a = b$ and $a < b$. The first two steps compare the number of digits used in both $a$ and $b$. |
|
|
1892 Obviously if the digit counts differ there would be an imaginary zero digit in the smaller number where the leading digit of the larger number is. |
|
|
1893 If both have the same number of digits than the actual digits themselves must be compared starting at the leading digit. |
|
|
1894 |
|
|
1895 By step three both inputs must have the same number of digits so its safe to start from either $a.used - 1$ or $b.used - 1$ and count down to |
|
|
1896 the zero'th digit. If after all of the digits have been compared, no difference is found, the algorithm returns \textbf{MP\_EQ}. |
|
|
1897 |
|
|
1898 \vspace{+3mm}\begin{small} |
|
|
1899 \hspace{-5.1mm}{\bf File}: bn\_mp\_cmp\_mag.c |
|
|
1900 \vspace{-3mm} |
|
|
1901 \begin{alltt} |
|
|
1902 016 |
|
|
1903 017 /* compare maginitude of two ints (unsigned) */ |
|
|
1904 018 int mp_cmp_mag (mp_int * a, mp_int * b) |
|
|
1905 019 \{ |
|
|
1906 020 int n; |
|
|
1907 021 mp_digit *tmpa, *tmpb; |
|
|
1908 022 |
|
|
1909 023 /* compare based on # of non-zero digits */ |
|
|
1910 024 if (a->used > b->used) \{ |
|
|
1911 025 return MP_GT; |
|
|
1912 026 \} |
|
|
1913 027 |
|
|
1914 028 if (a->used < b->used) \{ |
|
|
1915 029 return MP_LT; |
|
|
1916 030 \} |
|
|
1917 031 |
|
|
1918 032 /* alias for a */ |
|
|
1919 033 tmpa = a->dp + (a->used - 1); |
|
|
1920 034 |
|
|
1921 035 /* alias for b */ |
|
|
1922 036 tmpb = b->dp + (a->used - 1); |
|
|
1923 037 |
|
|
1924 038 /* compare based on digits */ |
|
|
1925 039 for (n = 0; n < a->used; ++n, --tmpa, --tmpb) \{ |
|
|
1926 040 if (*tmpa > *tmpb) \{ |
|
|
1927 041 return MP_GT; |
|
|
1928 042 \} |
|
|
1929 043 |
|
|
1930 044 if (*tmpa < *tmpb) \{ |
|
|
1931 045 return MP_LT; |
|
|
1932 046 \} |
|
|
1933 047 \} |
|
|
1934 048 return MP_EQ; |
|
|
1935 049 \} |
|
|
1936 050 #endif |
|
386
|
1937 051 |
|
282
|
1938 \end{alltt} |
|
|
1939 \end{small} |
|
|
1940 |
|
|
1941 The two if statements (lines 24 and 28) compare the number of digits in the two inputs. These two are |
|
|
1942 performed before all of the digits are compared since it is a very cheap test to perform and can potentially save |
|
|
1943 considerable time. The implementation given is also not valid without those two statements. $b.alloc$ may be |
|
|
1944 smaller than $a.used$, meaning that undefined values will be read from $b$ past the end of the array of digits. |
|
|
1945 |
|
|
1946 |
|
|
1947 |
|
|
1948 \subsection{Signed Comparisons} |
|
|
1949 Comparing with sign considerations is also fairly critical in several routines (\textit{division for example}). Based on an unsigned magnitude |
|
|
1950 comparison a trivial signed comparison algorithm can be written. |
|
|
1951 |
|
|
1952 \begin{figure}[here] |
|
|
1953 \begin{center} |
|
|
1954 \begin{tabular}{l} |
|
|
1955 \hline Algorithm \textbf{mp\_cmp}. \\ |
|
|
1956 \textbf{Input}. Two mp\_ints $a$ and $b$ \\ |
|
|
1957 \textbf{Output}. Signed Comparison Results ($a$ to the left of $b$) \\ |
|
|
1958 \hline \\ |
|
|
1959 1. if $a.sign = MP\_NEG$ and $b.sign = MP\_ZPOS$ then return(\textit{MP\_LT}) \\ |
|
|
1960 2. if $a.sign = MP\_ZPOS$ and $b.sign = MP\_NEG$ then return(\textit{MP\_GT}) \\ |
|
|
1961 3. if $a.sign = MP\_NEG$ then \\ |
|
|
1962 \hspace{+3mm}3.1 Return the unsigned comparison of $b$ and $a$ (\textit{mp\_cmp\_mag}) \\ |
|
|
1963 4 Otherwise \\ |
|
|
1964 \hspace{+3mm}4.1 Return the unsigned comparison of $a$ and $b$ \\ |
|
|
1965 \hline |
|
|
1966 \end{tabular} |
|
|
1967 \end{center} |
|
|
1968 \caption{Algorithm mp\_cmp} |
|
|
1969 \end{figure} |
|
|
1970 |
|
|
1971 \textbf{Algorithm mp\_cmp.} |
|
|
1972 The first two steps compare the signs of the two inputs. If the signs do not agree then it can return right away with the appropriate |
|
|
1973 comparison code. When the signs are equal the digits of the inputs must be compared to determine the correct result. In step |
|
|
1974 three the unsigned comparision flips the order of the arguments since they are both negative. For instance, if $-a > -b$ then |
|
|
1975 $\vert a \vert < \vert b \vert$. Step number four will compare the two when they are both positive. |
|
|
1976 |
|
|
1977 \vspace{+3mm}\begin{small} |
|
|
1978 \hspace{-5.1mm}{\bf File}: bn\_mp\_cmp.c |
|
|
1979 \vspace{-3mm} |
|
|
1980 \begin{alltt} |
|
|
1981 016 |
|
|
1982 017 /* compare two ints (signed)*/ |
|
|
1983 018 int |
|
|
1984 019 mp_cmp (mp_int * a, mp_int * b) |
|
|
1985 020 \{ |
|
|
1986 021 /* compare based on sign */ |
|
|
1987 022 if (a->sign != b->sign) \{ |
|
|
1988 023 if (a->sign == MP_NEG) \{ |
|
|
1989 024 return MP_LT; |
|
|
1990 025 \} else \{ |
|
|
1991 026 return MP_GT; |
|
|
1992 027 \} |
|
|
1993 028 \} |
|
|
1994 029 |
|
|
1995 030 /* compare digits */ |
|
|
1996 031 if (a->sign == MP_NEG) \{ |
|
|
1997 032 /* if negative compare opposite direction */ |
|
|
1998 033 return mp_cmp_mag(b, a); |
|
|
1999 034 \} else \{ |
|
|
2000 035 return mp_cmp_mag(a, b); |
|
|
2001 036 \} |
|
|
2002 037 \} |
|
|
2003 038 #endif |
|
386
|
2004 039 |
|
282
|
2005 \end{alltt} |
|
|
2006 \end{small} |
|
|
2007 |
|
|
2008 The two if statements (lines 22 and 23) perform the initial sign comparison. If the signs are not the equal then which ever |
|
|
2009 has the positive sign is larger. The inputs are compared (line 31) based on magnitudes. If the signs were both |
|
|
2010 negative then the unsigned comparison is performed in the opposite direction (line 33). Otherwise, the signs are assumed to |
|
|
2011 be both positive and a forward direction unsigned comparison is performed. |
|
|
2012 |
|
|
2013 \section*{Exercises} |
|
|
2014 \begin{tabular}{cl} |
|
|
2015 $\left [ 2 \right ]$ & Modify algorithm mp\_set\_int to accept as input a variable length array of bits. \\ |
|
|
2016 & \\ |
|
|
2017 $\left [ 3 \right ]$ & Give the probability that algorithm mp\_cmp\_mag will have to compare $k$ digits \\ |
|
|
2018 & of two random digits (of equal magnitude) before a difference is found. \\ |
|
|
2019 & \\ |
|
|
2020 $\left [ 1 \right ]$ & Suggest a simple method to speed up the implementation of mp\_cmp\_mag based \\ |
|
|
2021 & on the observations made in the previous problem. \\ |
|
|
2022 & |
|
|
2023 \end{tabular} |
|
|
2024 |
|
|
2025 \chapter{Basic Arithmetic} |
|
|
2026 \section{Introduction} |
|
|
2027 At this point algorithms for initialization, clearing, zeroing, copying, comparing and setting small constants have been |
|
|
2028 established. The next logical set of algorithms to develop are addition, subtraction and digit shifting algorithms. These |
|
|
2029 algorithms make use of the lower level algorithms and are the cruicial building block for the multiplication algorithms. It is very important |
|
|
2030 that these algorithms are highly optimized. On their own they are simple $O(n)$ algorithms but they can be called from higher level algorithms |
|
|
2031 which easily places them at $O(n^2)$ or even $O(n^3)$ work levels. |
|
|
2032 |
|
|
2033 All of the algorithms within this chapter make use of the logical bit shift operations denoted by $<<$ and $>>$ for left and right |
|
|
2034 logical shifts respectively. A logical shift is analogous to sliding the decimal point of radix-10 representations. For example, the real |
|
|
2035 number $0.9345$ is equivalent to $93.45\%$ which is found by sliding the the decimal two places to the right (\textit{multiplying by $\beta^2 = 10^2$}). |
|
|
2036 Algebraically a binary logical shift is equivalent to a division or multiplication by a power of two. |
|
|
2037 For example, $a << k = a \cdot 2^k$ while $a >> k = \lfloor a/2^k \rfloor$. |
|
|
2038 |
|
|
2039 One significant difference between a logical shift and the way decimals are shifted is that digits below the zero'th position are removed |
|
|
2040 from the number. For example, consider $1101_2 >> 1$ using decimal notation this would produce $110.1_2$. However, with a logical shift the |
|
|
2041 result is $110_2$. |
|
|
2042 |
|
|
2043 \section{Addition and Subtraction} |
|
|
2044 In common twos complement fixed precision arithmetic negative numbers are easily represented by subtraction from the modulus. For example, with 32-bit integers |
|
|
2045 $a - b\mbox{ (mod }2^{32}\mbox{)}$ is the same as $a + (2^{32} - b) \mbox{ (mod }2^{32}\mbox{)}$ since $2^{32} \equiv 0 \mbox{ (mod }2^{32}\mbox{)}$. |
|
|
2046 As a result subtraction can be performed with a trivial series of logical operations and an addition. |
|
|
2047 |
|
|
2048 However, in multiple precision arithmetic negative numbers are not represented in the same way. Instead a sign flag is used to keep track of the |
|
|
2049 sign of the integer. As a result signed addition and subtraction are actually implemented as conditional usage of lower level addition or |
|
|
2050 subtraction algorithms with the sign fixed up appropriately. |
|
|
2051 |
|
|
2052 The lower level algorithms will add or subtract integers without regard to the sign flag. That is they will add or subtract the magnitude of |
|
|
2053 the integers respectively. |
|
|
2054 |
|
|
2055 \subsection{Low Level Addition} |
|
|
2056 An unsigned addition of multiple precision integers is performed with the same long-hand algorithm used to add decimal numbers. That is to add the |
|
|
2057 trailing digits first and propagate the resulting carry upwards. Since this is a lower level algorithm the name will have a ``s\_'' prefix. |
|
|
2058 Historically that convention stems from the MPI library where ``s\_'' stood for static functions that were hidden from the developer entirely. |
|
|
2059 |
|
|
2060 \newpage |
|
|
2061 \begin{figure}[!here] |
|
|
2062 \begin{center} |
|
|
2063 \begin{small} |
|
|
2064 \begin{tabular}{l} |
|
|
2065 \hline Algorithm \textbf{s\_mp\_add}. \\ |
|
|
2066 \textbf{Input}. Two mp\_ints $a$ and $b$ \\ |
|
|
2067 \textbf{Output}. The unsigned addition $c = \vert a \vert + \vert b \vert$. \\ |
|
|
2068 \hline \\ |
|
|
2069 1. if $a.used > b.used$ then \\ |
|
|
2070 \hspace{+3mm}1.1 $min \leftarrow b.used$ \\ |
|
|
2071 \hspace{+3mm}1.2 $max \leftarrow a.used$ \\ |
|
|
2072 \hspace{+3mm}1.3 $x \leftarrow a$ \\ |
|
|
2073 2. else \\ |
|
|
2074 \hspace{+3mm}2.1 $min \leftarrow a.used$ \\ |
|
|
2075 \hspace{+3mm}2.2 $max \leftarrow b.used$ \\ |
|
|
2076 \hspace{+3mm}2.3 $x \leftarrow b$ \\ |
|
|
2077 3. If $c.alloc < max + 1$ then grow $c$ to hold at least $max + 1$ digits (\textit{mp\_grow}) \\ |
|
|
2078 4. $oldused \leftarrow c.used$ \\ |
|
|
2079 5. $c.used \leftarrow max + 1$ \\ |
|
|
2080 6. $u \leftarrow 0$ \\ |
|
|
2081 7. for $n$ from $0$ to $min - 1$ do \\ |
|
|
2082 \hspace{+3mm}7.1 $c_n \leftarrow a_n + b_n + u$ \\ |
|
|
2083 \hspace{+3mm}7.2 $u \leftarrow c_n >> lg(\beta)$ \\ |
|
|
2084 \hspace{+3mm}7.3 $c_n \leftarrow c_n \mbox{ (mod }\beta\mbox{)}$ \\ |
|
|
2085 8. if $min \ne max$ then do \\ |
|
|
2086 \hspace{+3mm}8.1 for $n$ from $min$ to $max - 1$ do \\ |
|
|
2087 \hspace{+6mm}8.1.1 $c_n \leftarrow x_n + u$ \\ |
|
|
2088 \hspace{+6mm}8.1.2 $u \leftarrow c_n >> lg(\beta)$ \\ |
|
|
2089 \hspace{+6mm}8.1.3 $c_n \leftarrow c_n \mbox{ (mod }\beta\mbox{)}$ \\ |
|
|
2090 9. $c_{max} \leftarrow u$ \\ |
|
|
2091 10. if $olduse > max$ then \\ |
|
|
2092 \hspace{+3mm}10.1 for $n$ from $max + 1$ to $oldused - 1$ do \\ |
|
|
2093 \hspace{+6mm}10.1.1 $c_n \leftarrow 0$ \\ |
|
|
2094 11. Clamp excess digits in $c$. (\textit{mp\_clamp}) \\ |
|
|
2095 12. Return(\textit{MP\_OKAY}) \\ |
|
|
2096 \hline |
|
|
2097 \end{tabular} |
|
|
2098 \end{small} |
|
|
2099 \end{center} |
|
|
2100 \caption{Algorithm s\_mp\_add} |
|
|
2101 \end{figure} |
|
|
2102 |
|
|
2103 \textbf{Algorithm s\_mp\_add.} |
|
|
2104 This algorithm is loosely based on algorithm 14.7 of HAC \cite[pp. 594]{HAC} but has been extended to allow the inputs to have different magnitudes. |
|
|
2105 Coincidentally the description of algorithm A in Knuth \cite[pp. 266]{TAOCPV2} shares the same deficiency as the algorithm from \cite{HAC}. Even the |
|
|
2106 MIX pseudo machine code presented by Knuth \cite[pp. 266-267]{TAOCPV2} is incapable of handling inputs which are of different magnitudes. |
|
|
2107 |
|
|
2108 The first thing that has to be accomplished is to sort out which of the two inputs is the largest. The addition logic |
|
|
2109 will simply add all of the smallest input to the largest input and store that first part of the result in the |
|
|
2110 destination. Then it will apply a simpler addition loop to excess digits of the larger input. |
|
|
2111 |
|
|
2112 The first two steps will handle sorting the inputs such that $min$ and $max$ hold the digit counts of the two |
|
|
2113 inputs. The variable $x$ will be an mp\_int alias for the largest input or the second input $b$ if they have the |
|
|
2114 same number of digits. After the inputs are sorted the destination $c$ is grown as required to accomodate the sum |
|
|
2115 of the two inputs. The original \textbf{used} count of $c$ is copied and set to the new used count. |
|
|
2116 |
|
|
2117 At this point the first addition loop will go through as many digit positions that both inputs have. The carry |
|
|
2118 variable $\mu$ is set to zero outside the loop. Inside the loop an ``addition'' step requires three statements to produce |
|
|
2119 one digit of the summand. First |
|
|
2120 two digits from $a$ and $b$ are added together along with the carry $\mu$. The carry of this step is extracted and stored |
|
|
2121 in $\mu$ and finally the digit of the result $c_n$ is truncated within the range $0 \le c_n < \beta$. |
|
|
2122 |
|
|
2123 Now all of the digit positions that both inputs have in common have been exhausted. If $min \ne max$ then $x$ is an alias |
|
|
2124 for one of the inputs that has more digits. A simplified addition loop is then used to essentially copy the remaining digits |
|
|
2125 and the carry to the destination. |
|
|
2126 |
|
|
2127 The final carry is stored in $c_{max}$ and digits above $max$ upto $oldused$ are zeroed which completes the addition. |
|
|
2128 |
|
|
2129 |
|
|
2130 \vspace{+3mm}\begin{small} |
|
|
2131 \hspace{-5.1mm}{\bf File}: bn\_s\_mp\_add.c |
|
|
2132 \vspace{-3mm} |
|
|
2133 \begin{alltt} |
|
|
2134 016 |
|
|
2135 017 /* low level addition, based on HAC pp.594, Algorithm 14.7 */ |
|
|
2136 018 int |
|
|
2137 019 s_mp_add (mp_int * a, mp_int * b, mp_int * c) |
|
|
2138 020 \{ |
|
|
2139 021 mp_int *x; |
|
|
2140 022 int olduse, res, min, max; |
|
|
2141 023 |
|
|
2142 024 /* find sizes, we let |a| <= |b| which means we have to sort |
|
|
2143 025 * them. "x" will point to the input with the most digits |
|
|
2144 026 */ |
|
|
2145 027 if (a->used > b->used) \{ |
|
|
2146 028 min = b->used; |
|
|
2147 029 max = a->used; |
|
|
2148 030 x = a; |
|
|
2149 031 \} else \{ |
|
|
2150 032 min = a->used; |
|
|
2151 033 max = b->used; |
|
|
2152 034 x = b; |
|
|
2153 035 \} |
|
|
2154 036 |
|
|
2155 037 /* init result */ |
|
|
2156 038 if (c->alloc < max + 1) \{ |
|
|
2157 039 if ((res = mp_grow (c, max + 1)) != MP_OKAY) \{ |
|
|
2158 040 return res; |
|
|
2159 041 \} |
|
|
2160 042 \} |
|
|
2161 043 |
|
|
2162 044 /* get old used digit count and set new one */ |
|
|
2163 045 olduse = c->used; |
|
|
2164 046 c->used = max + 1; |
|
|
2165 047 |
|
|
2166 048 \{ |
|
|
2167 049 register mp_digit u, *tmpa, *tmpb, *tmpc; |
|
|
2168 050 register int i; |
|
|
2169 051 |
|
|
2170 052 /* alias for digit pointers */ |
|
|
2171 053 |
|
|
2172 054 /* first input */ |
|
|
2173 055 tmpa = a->dp; |
|
|
2174 056 |
|
|
2175 057 /* second input */ |
|
|
2176 058 tmpb = b->dp; |
|
|
2177 059 |
|
|
2178 060 /* destination */ |
|
|
2179 061 tmpc = c->dp; |
|
|
2180 062 |
|
|
2181 063 /* zero the carry */ |
|
|
2182 064 u = 0; |
|
|
2183 065 for (i = 0; i < min; i++) \{ |
|
|
2184 066 /* Compute the sum at one digit, T[i] = A[i] + B[i] + U */ |
|
|
2185 067 *tmpc = *tmpa++ + *tmpb++ + u; |
|
|
2186 068 |
|
|
2187 069 /* U = carry bit of T[i] */ |
|
|
2188 070 u = *tmpc >> ((mp_digit)DIGIT_BIT); |
|
|
2189 071 |
|
|
2190 072 /* take away carry bit from T[i] */ |
|
|
2191 073 *tmpc++ &= MP_MASK; |
|
|
2192 074 \} |
|
|
2193 075 |
|
|
2194 076 /* now copy higher words if any, that is in A+B |
|
|
2195 077 * if A or B has more digits add those in |
|
|
2196 078 */ |
|
|
2197 079 if (min != max) \{ |
|
|
2198 080 for (; i < max; i++) \{ |
|
|
2199 081 /* T[i] = X[i] + U */ |
|
|
2200 082 *tmpc = x->dp[i] + u; |
|
|
2201 083 |
|
|
2202 084 /* U = carry bit of T[i] */ |
|
|
2203 085 u = *tmpc >> ((mp_digit)DIGIT_BIT); |
|
|
2204 086 |
|
|
2205 087 /* take away carry bit from T[i] */ |
|
|
2206 088 *tmpc++ &= MP_MASK; |
|
|
2207 089 \} |
|
|
2208 090 \} |
|
|
2209 091 |
|
|
2210 092 /* add carry */ |
|
|
2211 093 *tmpc++ = u; |
|
|
2212 094 |
|
|
2213 095 /* clear digits above oldused */ |
|
|
2214 096 for (i = c->used; i < olduse; i++) \{ |
|
|
2215 097 *tmpc++ = 0; |
|
|
2216 098 \} |
|
|
2217 099 \} |
|
|
2218 100 |
|
|
2219 101 mp_clamp (c); |
|
|
2220 102 return MP_OKAY; |
|
|
2221 103 \} |
|
|
2222 104 #endif |
|
386
|
2223 105 |
|
282
|
2224 \end{alltt} |
|
|
2225 \end{small} |
|
|
2226 |
|
|
2227 We first sort (lines 27 to 35) the inputs based on magnitude and determine the $min$ and $max$ variables. |
|
|
2228 Note that $x$ is a pointer to an mp\_int assigned to the largest input, in effect it is a local alias. Next we |
|
|
2229 grow the destination (37 to 42) ensure that it can accomodate the result of the addition. |
|
|
2230 |
|
|
2231 Similar to the implementation of mp\_copy this function uses the braced code and local aliases coding style. The three aliases that are on |
|
|
2232 lines 55, 58 and 61 represent the two inputs and destination variables respectively. These aliases are used to ensure the |
|
|
2233 compiler does not have to dereference $a$, $b$ or $c$ (respectively) to access the digits of the respective mp\_int. |
|
|
2234 |
|
|
2235 The initial carry $u$ will be cleared (line 64), note that $u$ is of type mp\_digit which ensures type |
|
|
2236 compatibility within the implementation. The initial addition (line 65 to 74) adds digits from |
|
|
2237 both inputs until the smallest input runs out of digits. Similarly the conditional addition loop |
|
|
2238 (line 80 to 90) adds the remaining digits from the larger of the two inputs. The addition is finished |
|
|
2239 with the final carry being stored in $tmpc$ (line 93). Note the ``++'' operator within the same expression. |
|
|
2240 After line 93, $tmpc$ will point to the $c.used$'th digit of the mp\_int $c$. This is useful |
|
|
2241 for the next loop (line 96 to 99) which set any old upper digits to zero. |
|
|
2242 |
|
|
2243 \subsection{Low Level Subtraction} |
|
|
2244 The low level unsigned subtraction algorithm is very similar to the low level unsigned addition algorithm. The principle difference is that the |
|
|
2245 unsigned subtraction algorithm requires the result to be positive. That is when computing $a - b$ the condition $\vert a \vert \ge \vert b\vert$ must |
|
|
2246 be met for this algorithm to function properly. Keep in mind this low level algorithm is not meant to be used in higher level algorithms directly. |
|
|
2247 This algorithm as will be shown can be used to create functional signed addition and subtraction algorithms. |
|
|
2248 |
|
|
2249 |
|
|
2250 For this algorithm a new variable is required to make the description simpler. Recall from section 1.3.1 that a mp\_digit must be able to represent |
|
|
2251 the range $0 \le x < 2\beta$ for the algorithms to work correctly. However, it is allowable that a mp\_digit represent a larger range of values. For |
|
|
2252 this algorithm we will assume that the variable $\gamma$ represents the number of bits available in a |
|
|
2253 mp\_digit (\textit{this implies $2^{\gamma} > \beta$}). |
|
|
2254 |
|
|
2255 For example, the default for LibTomMath is to use a ``unsigned long'' for the mp\_digit ``type'' while $\beta = 2^{28}$. In ISO C an ``unsigned long'' |
|
|
2256 data type must be able to represent $0 \le x < 2^{32}$ meaning that in this case $\gamma \ge 32$. |
|
|
2257 |
|
|
2258 \newpage\begin{figure}[!here] |
|
|
2259 \begin{center} |
|
|
2260 \begin{small} |
|
|
2261 \begin{tabular}{l} |
|
|
2262 \hline Algorithm \textbf{s\_mp\_sub}. \\ |
|
|
2263 \textbf{Input}. Two mp\_ints $a$ and $b$ ($\vert a \vert \ge \vert b \vert$) \\ |
|
|
2264 \textbf{Output}. The unsigned subtraction $c = \vert a \vert - \vert b \vert$. \\ |
|
|
2265 \hline \\ |
|
|
2266 1. $min \leftarrow b.used$ \\ |
|
|
2267 2. $max \leftarrow a.used$ \\ |
|
|
2268 3. If $c.alloc < max$ then grow $c$ to hold at least $max$ digits. (\textit{mp\_grow}) \\ |
|
|
2269 4. $oldused \leftarrow c.used$ \\ |
|
|
2270 5. $c.used \leftarrow max$ \\ |
|
|
2271 6. $u \leftarrow 0$ \\ |
|
|
2272 7. for $n$ from $0$ to $min - 1$ do \\ |
|
|
2273 \hspace{3mm}7.1 $c_n \leftarrow a_n - b_n - u$ \\ |
|
|
2274 \hspace{3mm}7.2 $u \leftarrow c_n >> (\gamma - 1)$ \\ |
|
|
2275 \hspace{3mm}7.3 $c_n \leftarrow c_n \mbox{ (mod }\beta\mbox{)}$ \\ |
|
|
2276 8. if $min < max$ then do \\ |
|
|
2277 \hspace{3mm}8.1 for $n$ from $min$ to $max - 1$ do \\ |
|
|
2278 \hspace{6mm}8.1.1 $c_n \leftarrow a_n - u$ \\ |
|
|
2279 \hspace{6mm}8.1.2 $u \leftarrow c_n >> (\gamma - 1)$ \\ |
|
|
2280 \hspace{6mm}8.1.3 $c_n \leftarrow c_n \mbox{ (mod }\beta\mbox{)}$ \\ |
|
|
2281 9. if $oldused > max$ then do \\ |
|
|
2282 \hspace{3mm}9.1 for $n$ from $max$ to $oldused - 1$ do \\ |
|
|
2283 \hspace{6mm}9.1.1 $c_n \leftarrow 0$ \\ |
|
|
2284 10. Clamp excess digits of $c$. (\textit{mp\_clamp}). \\ |
|
|
2285 11. Return(\textit{MP\_OKAY}). \\ |
|
|
2286 \hline |
|
|
2287 \end{tabular} |
|
|
2288 \end{small} |
|
|
2289 \end{center} |
|
|
2290 \caption{Algorithm s\_mp\_sub} |
|
|
2291 \end{figure} |
|
|
2292 |
|
|
2293 \textbf{Algorithm s\_mp\_sub.} |
|
|
2294 This algorithm performs the unsigned subtraction of two mp\_int variables under the restriction that the result must be positive. That is when |
|
|
2295 passing variables $a$ and $b$ the condition that $\vert a \vert \ge \vert b \vert$ must be met for the algorithm to function correctly. This |
|
|
2296 algorithm is loosely based on algorithm 14.9 \cite[pp. 595]{HAC} and is similar to algorithm S in \cite[pp. 267]{TAOCPV2} as well. As was the case |
|
|
2297 of the algorithm s\_mp\_add both other references lack discussion concerning various practical details such as when the inputs differ in magnitude. |
|
|
2298 |
|
|
2299 The initial sorting of the inputs is trivial in this algorithm since $a$ is guaranteed to have at least the same magnitude of $b$. Steps 1 and 2 |
|
|
2300 set the $min$ and $max$ variables. Unlike the addition routine there is guaranteed to be no carry which means that the final result can be at |
|
|
2301 most $max$ digits in length as opposed to $max + 1$. Similar to the addition algorithm the \textbf{used} count of $c$ is copied locally and |
|
|
2302 set to the maximal count for the operation. |
|
|
2303 |
|
|
2304 The subtraction loop that begins on step seven is essentially the same as the addition loop of algorithm s\_mp\_add except single precision |
|
|
2305 subtraction is used instead. Note the use of the $\gamma$ variable to extract the carry (\textit{also known as the borrow}) within the subtraction |
|
|
2306 loops. Under the assumption that two's complement single precision arithmetic is used this will successfully extract the desired carry. |
|
|
2307 |
|
|
2308 For example, consider subtracting $0101_2$ from $0100_2$ where $\gamma = 4$ and $\beta = 2$. The least significant bit will force a carry upwards to |
|
|
2309 the third bit which will be set to zero after the borrow. After the very first bit has been subtracted $4 - 1 \equiv 0011_2$ will remain, When the |
|
|
2310 third bit of $0101_2$ is subtracted from the result it will cause another carry. In this case though the carry will be forced to propagate all the |
|
|
2311 way to the most significant bit. |
|
|
2312 |
|
|
2313 Recall that $\beta < 2^{\gamma}$. This means that if a carry does occur just before the $lg(\beta)$'th bit it will propagate all the way to the most |
|
|
2314 significant bit. Thus, the high order bits of the mp\_digit that are not part of the actual digit will either be all zero, or all one. All that |
|
|
2315 is needed is a single zero or one bit for the carry. Therefore a single logical shift right by $\gamma - 1$ positions is sufficient to extract the |
|
|
2316 carry. This method of carry extraction may seem awkward but the reason for it becomes apparent when the implementation is discussed. |
|
|
2317 |
|
|
2318 If $b$ has a smaller magnitude than $a$ then step 9 will force the carry and copy operation to propagate through the larger input $a$ into $c$. Step |
|
|
2319 10 will ensure that any leading digits of $c$ above the $max$'th position are zeroed. |
|
|
2320 |
|
|
2321 \vspace{+3mm}\begin{small} |
|
|
2322 \hspace{-5.1mm}{\bf File}: bn\_s\_mp\_sub.c |
|
|
2323 \vspace{-3mm} |
|
|
2324 \begin{alltt} |
|
|
2325 016 |
|
|
2326 017 /* low level subtraction (assumes |a| > |b|), HAC pp.595 Algorithm 14.9 */ |
|
|
2327 018 int |
|
|
2328 019 s_mp_sub (mp_int * a, mp_int * b, mp_int * c) |
|
|
2329 020 \{ |
|
|
2330 021 int olduse, res, min, max; |
|
|
2331 022 |
|
|
2332 023 /* find sizes */ |
|
|
2333 024 min = b->used; |
|
|
2334 025 max = a->used; |
|
|
2335 026 |
|
|
2336 027 /* init result */ |
|
|
2337 028 if (c->alloc < max) \{ |
|
|
2338 029 if ((res = mp_grow (c, max)) != MP_OKAY) \{ |
|
|
2339 030 return res; |
|
|
2340 031 \} |
|
|
2341 032 \} |
|
|
2342 033 olduse = c->used; |
|
|
2343 034 c->used = max; |
|
|
2344 035 |
|
|
2345 036 \{ |
|
|
2346 037 register mp_digit u, *tmpa, *tmpb, *tmpc; |
|
|
2347 038 register int i; |
|
|
2348 039 |
|
|
2349 040 /* alias for digit pointers */ |
|
|
2350 041 tmpa = a->dp; |
|
|
2351 042 tmpb = b->dp; |
|
|
2352 043 tmpc = c->dp; |
|
|
2353 044 |
|
|
2354 045 /* set carry to zero */ |
|
|
2355 046 u = 0; |
|
|
2356 047 for (i = 0; i < min; i++) \{ |
|
|
2357 048 /* T[i] = A[i] - B[i] - U */ |
|
|
2358 049 *tmpc = *tmpa++ - *tmpb++ - u; |
|
|
2359 050 |
|
|
2360 051 /* U = carry bit of T[i] |
|
|
2361 052 * Note this saves performing an AND operation since |
|
|
2362 053 * if a carry does occur it will propagate all the way to the |
|
|
2363 054 * MSB. As a result a single shift is enough to get the carry |
|
|
2364 055 */ |
|
|
2365 056 u = *tmpc >> ((mp_digit)(CHAR_BIT * sizeof (mp_digit) - 1)); |
|
|
2366 057 |
|
|
2367 058 /* Clear carry from T[i] */ |
|
|
2368 059 *tmpc++ &= MP_MASK; |
|
|
2369 060 \} |
|
|
2370 061 |
|
|
2371 062 /* now copy higher words if any, e.g. if A has more digits than B */ |
|
|
2372 063 for (; i < max; i++) \{ |
|
|
2373 064 /* T[i] = A[i] - U */ |
|
|
2374 065 *tmpc = *tmpa++ - u; |
|
|
2375 066 |
|
|
2376 067 /* U = carry bit of T[i] */ |
|
|
2377 068 u = *tmpc >> ((mp_digit)(CHAR_BIT * sizeof (mp_digit) - 1)); |
|
|
2378 069 |
|
|
2379 070 /* Clear carry from T[i] */ |
|
|
2380 071 *tmpc++ &= MP_MASK; |
|
|
2381 072 \} |
|
|
2382 073 |
|
|
2383 074 /* clear digits above used (since we may not have grown result above) */ |
|
|
2384 |
|
|
2385 075 for (i = c->used; i < olduse; i++) \{ |
|
|
2386 076 *tmpc++ = 0; |
|
|
2387 077 \} |
|
|
2388 078 \} |
|
|
2389 079 |
|
|
2390 080 mp_clamp (c); |
|
|
2391 081 return MP_OKAY; |
|
|
2392 082 \} |
|
|
2393 083 |
|
|
2394 084 #endif |
|
386
|
2395 085 |
|
282
|
2396 \end{alltt} |
|
|
2397 \end{small} |
|
|
2398 |
|
|
2399 Like low level addition we ``sort'' the inputs. Except in this case the sorting is hardcoded |
|
|
2400 (lines 24 and 25). In reality the $min$ and $max$ variables are only aliases and are only |
|
|
2401 used to make the source code easier to read. Again the pointer alias optimization is used |
|
|
2402 within this algorithm. The aliases $tmpa$, $tmpb$ and $tmpc$ are initialized |
|
|
2403 (lines 41, 42 and 43) for $a$, $b$ and $c$ respectively. |
|
|
2404 |
|
|
2405 The first subtraction loop (lines 46 through 60) subtract digits from both inputs until the smaller of |
|
|
2406 the two inputs has been exhausted. As remarked earlier there is an implementation reason for using the ``awkward'' |
|
|
2407 method of extracting the carry (line 56). The traditional method for extracting the carry would be to shift |
|
|
2408 by $lg(\beta)$ positions and logically AND the least significant bit. The AND operation is required because all of |
|
|
2409 the bits above the $\lg(\beta)$'th bit will be set to one after a carry occurs from subtraction. This carry |
|
|
2410 extraction requires two relatively cheap operations to extract the carry. The other method is to simply shift the |
|
|
2411 most significant bit to the least significant bit thus extracting the carry with a single cheap operation. This |
|
|
2412 optimization only works on twos compliment machines which is a safe assumption to make. |
|
|
2413 |
|
|
2414 If $a$ has a larger magnitude than $b$ an additional loop (lines 63 through 72) is required to propagate |
|
|
2415 the carry through $a$ and copy the result to $c$. |
|
|
2416 |
|
|
2417 \subsection{High Level Addition} |
|
|
2418 Now that both lower level addition and subtraction algorithms have been established an effective high level signed addition algorithm can be |
|
|
2419 established. This high level addition algorithm will be what other algorithms and developers will use to perform addition of mp\_int data |
|
|
2420 types. |
|
|
2421 |
|
|
2422 Recall from section 5.2 that an mp\_int represents an integer with an unsigned mantissa (\textit{the array of digits}) and a \textbf{sign} |
|
|
2423 flag. A high level addition is actually performed as a series of eight separate cases which can be optimized down to three unique cases. |
|
|
2424 |
|
|
2425 \begin{figure}[!here] |
|
|
2426 \begin{center} |
|
|
2427 \begin{tabular}{l} |
|
|
2428 \hline Algorithm \textbf{mp\_add}. \\ |
|
|
2429 \textbf{Input}. Two mp\_ints $a$ and $b$ \\ |
|
|
2430 \textbf{Output}. The signed addition $c = a + b$. \\ |
|
|
2431 \hline \\ |
|
|
2432 1. if $a.sign = b.sign$ then do \\ |
|
|
2433 \hspace{3mm}1.1 $c.sign \leftarrow a.sign$ \\ |
|
|
2434 \hspace{3mm}1.2 $c \leftarrow \vert a \vert + \vert b \vert$ (\textit{s\_mp\_add})\\ |
|
|
2435 2. else do \\ |
|
|
2436 \hspace{3mm}2.1 if $\vert a \vert < \vert b \vert$ then do (\textit{mp\_cmp\_mag}) \\ |
|
|
2437 \hspace{6mm}2.1.1 $c.sign \leftarrow b.sign$ \\ |
|
|
2438 \hspace{6mm}2.1.2 $c \leftarrow \vert b \vert - \vert a \vert$ (\textit{s\_mp\_sub}) \\ |
|
|
2439 \hspace{3mm}2.2 else do \\ |
|
|
2440 \hspace{6mm}2.2.1 $c.sign \leftarrow a.sign$ \\ |
|
|
2441 \hspace{6mm}2.2.2 $c \leftarrow \vert a \vert - \vert b \vert$ \\ |
|
|
2442 3. Return(\textit{MP\_OKAY}). \\ |
|
|
2443 \hline |
|
|
2444 \end{tabular} |
|
|
2445 \end{center} |
|
|
2446 \caption{Algorithm mp\_add} |
|
|
2447 \end{figure} |
|
|
2448 |
|
|
2449 \textbf{Algorithm mp\_add.} |
|
|
2450 This algorithm performs the signed addition of two mp\_int variables. There is no reference algorithm to draw upon from |
|
|
2451 either \cite{TAOCPV2} or \cite{HAC} since they both only provide unsigned operations. The algorithm is fairly |
|
|
2452 straightforward but restricted since subtraction can only produce positive results. |
|
|
2453 |
|
|
2454 \begin{figure}[here] |
|
|
2455 \begin{small} |
|
|
2456 \begin{center} |
|
|
2457 \begin{tabular}{|c|c|c|c|c|} |
|
|
2458 \hline \textbf{Sign of $a$} & \textbf{Sign of $b$} & \textbf{$\vert a \vert > \vert b \vert $} & \textbf{Unsigned Operation} & \textbf{Result Sign Flag} \\ |
|
|
2459 \hline $+$ & $+$ & Yes & $c = a + b$ & $a.sign$ \\ |
|
|
2460 \hline $+$ & $+$ & No & $c = a + b$ & $a.sign$ \\ |
|
|
2461 \hline $-$ & $-$ & Yes & $c = a + b$ & $a.sign$ \\ |
|
|
2462 \hline $-$ & $-$ & No & $c = a + b$ & $a.sign$ \\ |
|
|
2463 \hline &&&&\\ |
|
|
2464 |
|
|
2465 \hline $+$ & $-$ & No & $c = b - a$ & $b.sign$ \\ |
|
|
2466 \hline $-$ & $+$ & No & $c = b - a$ & $b.sign$ \\ |
|
|
2467 |
|
|
2468 \hline &&&&\\ |
|
|
2469 |
|
|
2470 \hline $+$ & $-$ & Yes & $c = a - b$ & $a.sign$ \\ |
|
|
2471 \hline $-$ & $+$ & Yes & $c = a - b$ & $a.sign$ \\ |
|
|
2472 |
|
|
2473 \hline |
|
|
2474 \end{tabular} |
|
|
2475 \end{center} |
|
|
2476 \end{small} |
|
|
2477 \caption{Addition Guide Chart} |
|
|
2478 \label{fig:AddChart} |
|
|
2479 \end{figure} |
|
|
2480 |
|
|
2481 Figure~\ref{fig:AddChart} lists all of the eight possible input combinations and is sorted to show that only three |
|
|
2482 specific cases need to be handled. The return code of the unsigned operations at step 1.2, 2.1.2 and 2.2.2 are |
|
|
2483 forwarded to step three to check for errors. This simplifies the description of the algorithm considerably and best |
|
|
2484 follows how the implementation actually was achieved. |
|
|
2485 |
|
|
2486 Also note how the \textbf{sign} is set before the unsigned addition or subtraction is performed. Recall from the descriptions of algorithms |
|
|
2487 s\_mp\_add and s\_mp\_sub that the mp\_clamp function is used at the end to trim excess digits. The mp\_clamp algorithm will set the \textbf{sign} |
|
|
2488 to \textbf{MP\_ZPOS} when the \textbf{used} digit count reaches zero. |
|
|
2489 |
|
|
2490 For example, consider performing $-a + a$ with algorithm mp\_add. By the description of the algorithm the sign is set to \textbf{MP\_NEG} which would |
|
|
2491 produce a result of $-0$. However, since the sign is set first then the unsigned addition is performed the subsequent usage of algorithm mp\_clamp |
|
|
2492 within algorithm s\_mp\_add will force $-0$ to become $0$. |
|
|
2493 |
|
|
2494 \vspace{+3mm}\begin{small} |
|
|
2495 \hspace{-5.1mm}{\bf File}: bn\_mp\_add.c |
|
|
2496 \vspace{-3mm} |
|
|
2497 \begin{alltt} |
|
|
2498 016 |
|
|
2499 017 /* high level addition (handles signs) */ |
|
|
2500 018 int mp_add (mp_int * a, mp_int * b, mp_int * c) |
|
|
2501 019 \{ |
|
|
2502 020 int sa, sb, res; |
|
|
2503 021 |
|
|
2504 022 /* get sign of both inputs */ |
|
|
2505 023 sa = a->sign; |
|
|
2506 024 sb = b->sign; |
|
|
2507 025 |
|
|
2508 026 /* handle two cases, not four */ |
|
|
2509 027 if (sa == sb) \{ |
|
|
2510 028 /* both positive or both negative */ |
|
|
2511 029 /* add their magnitudes, copy the sign */ |
|
|
2512 030 c->sign = sa; |
|
|
2513 031 res = s_mp_add (a, b, c); |
|
|
2514 032 \} else \{ |
|
|
2515 033 /* one positive, the other negative */ |
|
|
2516 034 /* subtract the one with the greater magnitude from */ |
|
|
2517 035 /* the one of the lesser magnitude. The result gets */ |
|
|
2518 036 /* the sign of the one with the greater magnitude. */ |
|
|
2519 037 if (mp_cmp_mag (a, b) == MP_LT) \{ |
|
|
2520 038 c->sign = sb; |
|
|
2521 039 res = s_mp_sub (b, a, c); |
|
|
2522 040 \} else \{ |
|
|
2523 041 c->sign = sa; |
|
|
2524 042 res = s_mp_sub (a, b, c); |
|
|
2525 043 \} |
|
|
2526 044 \} |
|
|
2527 045 return res; |
|
|
2528 046 \} |
|
|
2529 047 |
|
|
2530 048 #endif |
|
386
|
2531 049 |
|
282
|
2532 \end{alltt} |
|
|
2533 \end{small} |
|
|
2534 |
|
|
2535 The source code follows the algorithm fairly closely. The most notable new source code addition is the usage of the $res$ integer variable which |
|
|
2536 is used to pass result of the unsigned operations forward. Unlike in the algorithm, the variable $res$ is merely returned as is without |
|
|
2537 explicitly checking it and returning the constant \textbf{MP\_OKAY}. The observation is this algorithm will succeed or fail only if the lower |
|
|
2538 level functions do so. Returning their return code is sufficient. |
|
|
2539 |
|
|
2540 \subsection{High Level Subtraction} |
|
|
2541 The high level signed subtraction algorithm is essentially the same as the high level signed addition algorithm. |
|
|
2542 |
|
|
2543 \newpage\begin{figure}[!here] |
|
|
2544 \begin{center} |
|
|
2545 \begin{tabular}{l} |
|
|
2546 \hline Algorithm \textbf{mp\_sub}. \\ |
|
|
2547 \textbf{Input}. Two mp\_ints $a$ and $b$ \\ |
|
|
2548 \textbf{Output}. The signed subtraction $c = a - b$. \\ |
|
|
2549 \hline \\ |
|
|
2550 1. if $a.sign \ne b.sign$ then do \\ |
|
|
2551 \hspace{3mm}1.1 $c.sign \leftarrow a.sign$ \\ |
|
|
2552 \hspace{3mm}1.2 $c \leftarrow \vert a \vert + \vert b \vert$ (\textit{s\_mp\_add}) \\ |
|
|
2553 2. else do \\ |
|
|
2554 \hspace{3mm}2.1 if $\vert a \vert \ge \vert b \vert$ then do (\textit{mp\_cmp\_mag}) \\ |
|
|
2555 \hspace{6mm}2.1.1 $c.sign \leftarrow a.sign$ \\ |
|
|
2556 \hspace{6mm}2.1.2 $c \leftarrow \vert a \vert - \vert b \vert$ (\textit{s\_mp\_sub}) \\ |
|
|
2557 \hspace{3mm}2.2 else do \\ |
|
|
2558 \hspace{6mm}2.2.1 $c.sign \leftarrow \left \lbrace \begin{array}{ll} |
|
|
2559 MP\_ZPOS & \mbox{if }a.sign = MP\_NEG \\ |
|
|
2560 MP\_NEG & \mbox{otherwise} \\ |
|
|
2561 \end{array} \right .$ \\ |
|
|
2562 \hspace{6mm}2.2.2 $c \leftarrow \vert b \vert - \vert a \vert$ \\ |
|
|
2563 3. Return(\textit{MP\_OKAY}). \\ |
|
|
2564 \hline |
|
|
2565 \end{tabular} |
|
|
2566 \end{center} |
|
|
2567 \caption{Algorithm mp\_sub} |
|
|
2568 \end{figure} |
|
|
2569 |
|
|
2570 \textbf{Algorithm mp\_sub.} |
|
|
2571 This algorithm performs the signed subtraction of two inputs. Similar to algorithm mp\_add there is no reference in either \cite{TAOCPV2} or |
|
|
2572 \cite{HAC}. Also this algorithm is restricted by algorithm s\_mp\_sub. Chart \ref{fig:SubChart} lists the eight possible inputs and |
|
|
2573 the operations required. |
|
|
2574 |
|
|
2575 \begin{figure}[!here] |
|
|
2576 \begin{small} |
|
|
2577 \begin{center} |
|
|
2578 \begin{tabular}{|c|c|c|c|c|} |
|
|
2579 \hline \textbf{Sign of $a$} & \textbf{Sign of $b$} & \textbf{$\vert a \vert \ge \vert b \vert $} & \textbf{Unsigned Operation} & \textbf{Result Sign Flag} \\ |
|
|
2580 \hline $+$ & $-$ & Yes & $c = a + b$ & $a.sign$ \\ |
|
|
2581 \hline $+$ & $-$ & No & $c = a + b$ & $a.sign$ \\ |
|
|
2582 \hline $-$ & $+$ & Yes & $c = a + b$ & $a.sign$ \\ |
|
|
2583 \hline $-$ & $+$ & No & $c = a + b$ & $a.sign$ \\ |
|
|
2584 \hline &&&& \\ |
|
|
2585 \hline $+$ & $+$ & Yes & $c = a - b$ & $a.sign$ \\ |
|
|
2586 \hline $-$ & $-$ & Yes & $c = a - b$ & $a.sign$ \\ |
|
|
2587 \hline &&&& \\ |
|
|
2588 \hline $+$ & $+$ & No & $c = b - a$ & $\mbox{opposite of }a.sign$ \\ |
|
|
2589 \hline $-$ & $-$ & No & $c = b - a$ & $\mbox{opposite of }a.sign$ \\ |
|
|
2590 \hline |
|
|
2591 \end{tabular} |
|
|
2592 \end{center} |
|
|
2593 \end{small} |
|
|
2594 \caption{Subtraction Guide Chart} |
|
|
2595 \label{fig:SubChart} |
|
|
2596 \end{figure} |
|
|
2597 |
|
|
2598 Similar to the case of algorithm mp\_add the \textbf{sign} is set first before the unsigned addition or subtraction. That is to prevent the |
|
|
2599 algorithm from producing $-a - -a = -0$ as a result. |
|
|
2600 |
|
|
2601 \vspace{+3mm}\begin{small} |
|
|
2602 \hspace{-5.1mm}{\bf File}: bn\_mp\_sub.c |
|
|
2603 \vspace{-3mm} |
|
|
2604 \begin{alltt} |
|
|
2605 016 |
|
|
2606 017 /* high level subtraction (handles signs) */ |
|
|
2607 018 int |
|
|
2608 019 mp_sub (mp_int * a, mp_int * b, mp_int * c) |
|
|
2609 020 \{ |
|
|
2610 021 int sa, sb, res; |
|
|
2611 022 |
|
|
2612 023 sa = a->sign; |
|
|
2613 024 sb = b->sign; |
|
|
2614 025 |
|
|
2615 026 if (sa != sb) \{ |
|
|
2616 027 /* subtract a negative from a positive, OR */ |
|
|
2617 028 /* subtract a positive from a negative. */ |
|
|
2618 029 /* In either case, ADD their magnitudes, */ |
|
|
2619 030 /* and use the sign of the first number. */ |
|
|
2620 031 c->sign = sa; |
|
|
2621 032 res = s_mp_add (a, b, c); |
|
|
2622 033 \} else \{ |
|
|
2623 034 /* subtract a positive from a positive, OR */ |
|
|
2624 035 /* subtract a negative from a negative. */ |
|
|
2625 036 /* First, take the difference between their */ |
|
|
2626 037 /* magnitudes, then... */ |
|
|
2627 038 if (mp_cmp_mag (a, b) != MP_LT) \{ |
|
|
2628 039 /* Copy the sign from the first */ |
|
|
2629 040 c->sign = sa; |
|
|
2630 041 /* The first has a larger or equal magnitude */ |
|
|
2631 042 res = s_mp_sub (a, b, c); |
|
|
2632 043 \} else \{ |
|
|
2633 044 /* The result has the *opposite* sign from */ |
|
|
2634 045 /* the first number. */ |
|
|
2635 046 c->sign = (sa == MP_ZPOS) ? MP_NEG : MP_ZPOS; |
|
|
2636 047 /* The second has a larger magnitude */ |
|
|
2637 048 res = s_mp_sub (b, a, c); |
|
|
2638 049 \} |
|
|
2639 050 \} |
|
|
2640 051 return res; |
|
|
2641 052 \} |
|
|
2642 053 |
|
|
2643 054 #endif |
|
386
|
2644 055 |
|
282
|
2645 \end{alltt} |
|
|
2646 \end{small} |
|
|
2647 |
|
|
2648 Much like the implementation of algorithm mp\_add the variable $res$ is used to catch the return code of the unsigned addition or subtraction operations |
|
|
2649 and forward it to the end of the function. On line 38 the ``not equal to'' \textbf{MP\_LT} expression is used to emulate a |
|
|
2650 ``greater than or equal to'' comparison. |
|
|
2651 |
|
|
2652 \section{Bit and Digit Shifting} |
|
|
2653 It is quite common to think of a multiple precision integer as a polynomial in $x$, that is $y = f(\beta)$ where $f(x) = \sum_{i=0}^{n-1} a_i x^i$. |
|
|
2654 This notation arises within discussion of Montgomery and Diminished Radix Reduction as well as Karatsuba multiplication and squaring. |
|
|
2655 |
|
|
2656 In order to facilitate operations on polynomials in $x$ as above a series of simple ``digit'' algorithms have to be established. That is to shift |
|
|
2657 the digits left or right as well to shift individual bits of the digits left and right. It is important to note that not all ``shift'' operations |
|
|
2658 are on radix-$\beta$ digits. |
|
|
2659 |
|
|
2660 \subsection{Multiplication by Two} |
|
|
2661 |
|
|
2662 In a binary system where the radix is a power of two multiplication by two not only arises often in other algorithms it is a fairly efficient |
|
|
2663 operation to perform. A single precision logical shift left is sufficient to multiply a single digit by two. |
|
|
2664 |
|
|
2665 \newpage\begin{figure}[!here] |
|
|
2666 \begin{small} |
|
|
2667 \begin{center} |
|
|
2668 \begin{tabular}{l} |
|
|
2669 \hline Algorithm \textbf{mp\_mul\_2}. \\ |
|
|
2670 \textbf{Input}. One mp\_int $a$ \\ |
|
|
2671 \textbf{Output}. $b = 2a$. \\ |
|
|
2672 \hline \\ |
|
|
2673 1. If $b.alloc < a.used + 1$ then grow $b$ to hold $a.used + 1$ digits. (\textit{mp\_grow}) \\ |
|
|
2674 2. $oldused \leftarrow b.used$ \\ |
|
|
2675 3. $b.used \leftarrow a.used$ \\ |
|
|
2676 4. $r \leftarrow 0$ \\ |
|
|
2677 5. for $n$ from 0 to $a.used - 1$ do \\ |
|
|
2678 \hspace{3mm}5.1 $rr \leftarrow a_n >> (lg(\beta) - 1)$ \\ |
|
|
2679 \hspace{3mm}5.2 $b_n \leftarrow (a_n << 1) + r \mbox{ (mod }\beta\mbox{)}$ \\ |
|
|
2680 \hspace{3mm}5.3 $r \leftarrow rr$ \\ |
|
|
2681 6. If $r \ne 0$ then do \\ |
|
|
2682 \hspace{3mm}6.1 $b_{n + 1} \leftarrow r$ \\ |
|
|
2683 \hspace{3mm}6.2 $b.used \leftarrow b.used + 1$ \\ |
|
|
2684 7. If $b.used < oldused - 1$ then do \\ |
|
|
2685 \hspace{3mm}7.1 for $n$ from $b.used$ to $oldused - 1$ do \\ |
|
|
2686 \hspace{6mm}7.1.1 $b_n \leftarrow 0$ \\ |
|
|
2687 8. $b.sign \leftarrow a.sign$ \\ |
|
|
2688 9. Return(\textit{MP\_OKAY}).\\ |
|
|
2689 \hline |
|
|
2690 \end{tabular} |
|
|
2691 \end{center} |
|
|
2692 \end{small} |
|
|
2693 \caption{Algorithm mp\_mul\_2} |
|
|
2694 \end{figure} |
|
|
2695 |
|
|
2696 \textbf{Algorithm mp\_mul\_2.} |
|
|
2697 This algorithm will quickly multiply a mp\_int by two provided $\beta$ is a power of two. Neither \cite{TAOCPV2} nor \cite{HAC} describe such |
|
|
2698 an algorithm despite the fact it arises often in other algorithms. The algorithm is setup much like the lower level algorithm s\_mp\_add since |
|
|
2699 it is for all intents and purposes equivalent to the operation $b = \vert a \vert + \vert a \vert$. |
|
|
2700 |
|
|
2701 Step 1 and 2 grow the input as required to accomodate the maximum number of \textbf{used} digits in the result. The initial \textbf{used} count |
|
|
2702 is set to $a.used$ at step 4. Only if there is a final carry will the \textbf{used} count require adjustment. |
|
|
2703 |
|
|
2704 Step 6 is an optimization implementation of the addition loop for this specific case. That is since the two values being added together |
|
|
2705 are the same there is no need to perform two reads from the digits of $a$. Step 6.1 performs a single precision shift on the current digit $a_n$ to |
|
|
2706 obtain what will be the carry for the next iteration. Step 6.2 calculates the $n$'th digit of the result as single precision shift of $a_n$ plus |
|
|
2707 the previous carry. Recall from section 4.1 that $a_n << 1$ is equivalent to $a_n \cdot 2$. An iteration of the addition loop is finished with |
|
|
2708 forwarding the carry to the next iteration. |
|
|
2709 |
|
|
2710 Step 7 takes care of any final carry by setting the $a.used$'th digit of the result to the carry and augmenting the \textbf{used} count of $b$. |
|
|
2711 Step 8 clears any leading digits of $b$ in case it originally had a larger magnitude than $a$. |
|
|
2712 |
|
|
2713 \vspace{+3mm}\begin{small} |
|
|
2714 \hspace{-5.1mm}{\bf File}: bn\_mp\_mul\_2.c |
|
|
2715 \vspace{-3mm} |
|
|
2716 \begin{alltt} |
|
|
2717 016 |
|
|
2718 017 /* b = a*2 */ |
|
|
2719 018 int mp_mul_2(mp_int * a, mp_int * b) |
|
|
2720 019 \{ |
|
|
2721 020 int x, res, oldused; |
|
|
2722 021 |
|
|
2723 022 /* grow to accomodate result */ |
|
|
2724 023 if (b->alloc < a->used + 1) \{ |
|
|
2725 024 if ((res = mp_grow (b, a->used + 1)) != MP_OKAY) \{ |
|
|
2726 025 return res; |
|
|
2727 026 \} |
|
|
2728 027 \} |
|
|
2729 028 |
|
|
2730 029 oldused = b->used; |
|
|
2731 030 b->used = a->used; |
|
|
2732 031 |
|
|
2733 032 \{ |
|
|
2734 033 register mp_digit r, rr, *tmpa, *tmpb; |
|
|
2735 034 |
|
|
2736 035 /* alias for source */ |
|
|
2737 036 tmpa = a->dp; |
|
|
2738 037 |
|
|
2739 038 /* alias for dest */ |
|
|
2740 039 tmpb = b->dp; |
|
|
2741 040 |
|
|
2742 041 /* carry */ |
|
|
2743 042 r = 0; |
|
|
2744 043 for (x = 0; x < a->used; x++) \{ |
|
|
2745 044 |
|
|
2746 045 /* get what will be the *next* carry bit from the |
|
|
2747 046 * MSB of the current digit |
|
|
2748 047 */ |
|
|
2749 048 rr = *tmpa >> ((mp_digit)(DIGIT_BIT - 1)); |
|
|
2750 049 |
|
|
2751 050 /* now shift up this digit, add in the carry [from the previous] */ |
|
|
2752 051 *tmpb++ = ((*tmpa++ << ((mp_digit)1)) | r) & MP_MASK; |
|
|
2753 052 |
|
|
2754 053 /* copy the carry that would be from the source |
|
|
2755 054 * digit into the next iteration |
|
|
2756 055 */ |
|
|
2757 056 r = rr; |
|
|
2758 057 \} |
|
|
2759 058 |
|
|
2760 059 /* new leading digit? */ |
|
|
2761 060 if (r != 0) \{ |
|
|
2762 061 /* add a MSB which is always 1 at this point */ |
|
|
2763 062 *tmpb = 1; |
|
|
2764 063 ++(b->used); |
|
|
2765 064 \} |
|
|
2766 065 |
|
|
2767 066 /* now zero any excess digits on the destination |
|
|
2768 067 * that we didn't write to |
|
|
2769 068 */ |
|
|
2770 069 tmpb = b->dp + b->used; |
|
|
2771 070 for (x = b->used; x < oldused; x++) \{ |
|
|
2772 071 *tmpb++ = 0; |
|
|
2773 072 \} |
|
|
2774 073 \} |
|
|
2775 074 b->sign = a->sign; |
|
|
2776 075 return MP_OKAY; |
|
|
2777 076 \} |
|
|
2778 077 #endif |
|
386
|
2779 078 |
|
282
|
2780 \end{alltt} |
|
|
2781 \end{small} |
|
|
2782 |
|
|
2783 This implementation is essentially an optimized implementation of s\_mp\_add for the case of doubling an input. The only noteworthy difference |
|
|
2784 is the use of the logical shift operator on line 51 to perform a single precision doubling. |
|
|
2785 |
|
|
2786 \subsection{Division by Two} |
|
|
2787 A division by two can just as easily be accomplished with a logical shift right as multiplication by two can be with a logical shift left. |
|
|
2788 |
|
|
2789 \newpage\begin{figure}[!here] |
|
|
2790 \begin{small} |
|
|
2791 \begin{center} |
|
|
2792 \begin{tabular}{l} |
|
|
2793 \hline Algorithm \textbf{mp\_div\_2}. \\ |
|
|
2794 \textbf{Input}. One mp\_int $a$ \\ |
|
|
2795 \textbf{Output}. $b = a/2$. \\ |
|
|
2796 \hline \\ |
|
|
2797 1. If $b.alloc < a.used$ then grow $b$ to hold $a.used$ digits. (\textit{mp\_grow}) \\ |
|
|
2798 2. If the reallocation failed return(\textit{MP\_MEM}). \\ |
|
|
2799 3. $oldused \leftarrow b.used$ \\ |
|
|
2800 4. $b.used \leftarrow a.used$ \\ |
|
|
2801 5. $r \leftarrow 0$ \\ |
|
|
2802 6. for $n$ from $b.used - 1$ to $0$ do \\ |
|
|
2803 \hspace{3mm}6.1 $rr \leftarrow a_n \mbox{ (mod }2\mbox{)}$\\ |
|
|
2804 \hspace{3mm}6.2 $b_n \leftarrow (a_n >> 1) + (r << (lg(\beta) - 1)) \mbox{ (mod }\beta\mbox{)}$ \\ |
|
|
2805 \hspace{3mm}6.3 $r \leftarrow rr$ \\ |
|
|
2806 7. If $b.used < oldused - 1$ then do \\ |
|
|
2807 \hspace{3mm}7.1 for $n$ from $b.used$ to $oldused - 1$ do \\ |
|
|
2808 \hspace{6mm}7.1.1 $b_n \leftarrow 0$ \\ |
|
|
2809 8. $b.sign \leftarrow a.sign$ \\ |
|
|
2810 9. Clamp excess digits of $b$. (\textit{mp\_clamp}) \\ |
|
|
2811 10. Return(\textit{MP\_OKAY}).\\ |
|
|
2812 \hline |
|
|
2813 \end{tabular} |
|
|
2814 \end{center} |
|
|
2815 \end{small} |
|
|
2816 \caption{Algorithm mp\_div\_2} |
|
|
2817 \end{figure} |
|
|
2818 |
|
|
2819 \textbf{Algorithm mp\_div\_2.} |
|
|
2820 This algorithm will divide an mp\_int by two using logical shifts to the right. Like mp\_mul\_2 it uses a modified low level addition |
|
|
2821 core as the basis of the algorithm. Unlike mp\_mul\_2 the shift operations work from the leading digit to the trailing digit. The algorithm |
|
|
2822 could be written to work from the trailing digit to the leading digit however, it would have to stop one short of $a.used - 1$ digits to prevent |
|
|
2823 reading past the end of the array of digits. |
|
|
2824 |
|
|
2825 Essentially the loop at step 6 is similar to that of mp\_mul\_2 except the logical shifts go in the opposite direction and the carry is at the |
|
|
2826 least significant bit not the most significant bit. |
|
|
2827 |
|
|
2828 \vspace{+3mm}\begin{small} |
|
|
2829 \hspace{-5.1mm}{\bf File}: bn\_mp\_div\_2.c |
|
|
2830 \vspace{-3mm} |
|
|
2831 \begin{alltt} |
|
|
2832 016 |
|
|
2833 017 /* b = a/2 */ |
|
|
2834 018 int mp_div_2(mp_int * a, mp_int * b) |
|
|
2835 019 \{ |
|
|
2836 020 int x, res, oldused; |
|
|
2837 021 |
|
|
2838 022 /* copy */ |
|
|
2839 023 if (b->alloc < a->used) \{ |
|
|
2840 024 if ((res = mp_grow (b, a->used)) != MP_OKAY) \{ |
|
|
2841 025 return res; |
|
|
2842 026 \} |
|
|
2843 027 \} |
|
|
2844 028 |
|
|
2845 029 oldused = b->used; |
|
|
2846 030 b->used = a->used; |
|
|
2847 031 \{ |
|
|
2848 032 register mp_digit r, rr, *tmpa, *tmpb; |
|
|
2849 033 |
|
|
2850 034 /* source alias */ |
|
|
2851 035 tmpa = a->dp + b->used - 1; |
|
|
2852 036 |
|
|
2853 037 /* dest alias */ |
|
|
2854 038 tmpb = b->dp + b->used - 1; |
|
|
2855 039 |
|
|
2856 040 /* carry */ |
|
|
2857 041 r = 0; |
|
|
2858 042 for (x = b->used - 1; x >= 0; x--) \{ |
|
|
2859 043 /* get the carry for the next iteration */ |
|
|
2860 044 rr = *tmpa & 1; |
|
|
2861 045 |
|
|
2862 046 /* shift the current digit, add in carry and store */ |
|
|
2863 047 *tmpb-- = (*tmpa-- >> 1) | (r << (DIGIT_BIT - 1)); |
|
|
2864 048 |
|
|
2865 049 /* forward carry to next iteration */ |
|
|
2866 050 r = rr; |
|
|
2867 051 \} |
|
|
2868 052 |
|
|
2869 053 /* zero excess digits */ |
|
|
2870 054 tmpb = b->dp + b->used; |
|
|
2871 055 for (x = b->used; x < oldused; x++) \{ |
|
|
2872 056 *tmpb++ = 0; |
|
|
2873 057 \} |
|
|
2874 058 \} |
|
|
2875 059 b->sign = a->sign; |
|
|
2876 060 mp_clamp (b); |
|
|
2877 061 return MP_OKAY; |
|
|
2878 062 \} |
|
|
2879 063 #endif |
|
386
|
2880 064 |
|
282
|
2881 \end{alltt} |
|
|
2882 \end{small} |
|
|
2883 |
|
|
2884 \section{Polynomial Basis Operations} |
|
|
2885 Recall from section 4.3 that any integer can be represented as a polynomial in $x$ as $y = f(\beta)$. Such a representation is also known as |
|
|
2886 the polynomial basis \cite[pp. 48]{ROSE}. Given such a notation a multiplication or division by $x$ amounts to shifting whole digits a single |
|
|
2887 place. The need for such operations arises in several other higher level algorithms such as Barrett and Montgomery reduction, integer |
|
|
2888 division and Karatsuba multiplication. |
|
|
2889 |
|
|
2890 Converting from an array of digits to polynomial basis is very simple. Consider the integer $y \equiv (a_2, a_1, a_0)_{\beta}$ and recall that |
|
|
2891 $y = \sum_{i=0}^{2} a_i \beta^i$. Simply replace $\beta$ with $x$ and the expression is in polynomial basis. For example, $f(x) = 8x + 9$ is the |
|
|
2892 polynomial basis representation for $89$ using radix ten. That is, $f(10) = 8(10) + 9 = 89$. |
|
|
2893 |
|
|
2894 \subsection{Multiplication by $x$} |
|
|
2895 |
|
|
2896 Given a polynomial in $x$ such as $f(x) = a_n x^n + a_{n-1} x^{n-1} + ... + a_0$ multiplying by $x$ amounts to shifting the coefficients up one |
|
|
2897 degree. In this case $f(x) \cdot x = a_n x^{n+1} + a_{n-1} x^n + ... + a_0 x$. From a scalar basis point of view multiplying by $x$ is equivalent to |
|
|
2898 multiplying by the integer $\beta$. |
|
|
2899 |
|
|
2900 \newpage\begin{figure}[!here] |
|
|
2901 \begin{small} |
|
|
2902 \begin{center} |
|
|
2903 \begin{tabular}{l} |
|
|
2904 \hline Algorithm \textbf{mp\_lshd}. \\ |
|
|
2905 \textbf{Input}. One mp\_int $a$ and an integer $b$ \\ |
|
|
2906 \textbf{Output}. $a \leftarrow a \cdot \beta^b$ (equivalent to multiplication by $x^b$). \\ |
|
|
2907 \hline \\ |
|
|
2908 1. If $b \le 0$ then return(\textit{MP\_OKAY}). \\ |
|
|
2909 2. If $a.alloc < a.used + b$ then grow $a$ to at least $a.used + b$ digits. (\textit{mp\_grow}). \\ |
|
|
2910 3. If the reallocation failed return(\textit{MP\_MEM}). \\ |
|
|
2911 4. $a.used \leftarrow a.used + b$ \\ |
|
|
2912 5. $i \leftarrow a.used - 1$ \\ |
|
|
2913 6. $j \leftarrow a.used - 1 - b$ \\ |
|
|
2914 7. for $n$ from $a.used - 1$ to $b$ do \\ |
|
|
2915 \hspace{3mm}7.1 $a_{i} \leftarrow a_{j}$ \\ |
|
|
2916 \hspace{3mm}7.2 $i \leftarrow i - 1$ \\ |
|
|
2917 \hspace{3mm}7.3 $j \leftarrow j - 1$ \\ |
|
|
2918 8. for $n$ from 0 to $b - 1$ do \\ |
|
|
2919 \hspace{3mm}8.1 $a_n \leftarrow 0$ \\ |
|
|
2920 9. Return(\textit{MP\_OKAY}). \\ |
|
|
2921 \hline |
|
|
2922 \end{tabular} |
|
|
2923 \end{center} |
|
|
2924 \end{small} |
|
|
2925 \caption{Algorithm mp\_lshd} |
|
|
2926 \end{figure} |
|
|
2927 |
|
|
2928 \textbf{Algorithm mp\_lshd.} |
|
|
2929 This algorithm multiplies an mp\_int by the $b$'th power of $x$. This is equivalent to multiplying by $\beta^b$. The algorithm differs |
|
|
2930 from the other algorithms presented so far as it performs the operation in place instead storing the result in a separate location. The |
|
|
2931 motivation behind this change is due to the way this function is typically used. Algorithms such as mp\_add store the result in an optionally |
|
|
2932 different third mp\_int because the original inputs are often still required. Algorithm mp\_lshd (\textit{and similarly algorithm mp\_rshd}) is |
|
|
2933 typically used on values where the original value is no longer required. The algorithm will return success immediately if |
|
|
2934 $b \le 0$ since the rest of algorithm is only valid when $b > 0$. |
|
|
2935 |
|
|
2936 First the destination $a$ is grown as required to accomodate the result. The counters $i$ and $j$ are used to form a \textit{sliding window} over |
|
|
2937 the digits of $a$ of length $b$. The head of the sliding window is at $i$ (\textit{the leading digit}) and the tail at $j$ (\textit{the trailing digit}). |
|
|
2938 The loop on step 7 copies the digit from the tail to the head. In each iteration the window is moved down one digit. The last loop on |
|
|
2939 step 8 sets the lower $b$ digits to zero. |
|
|
2940 |
|
|
2941 \newpage |
|
|
2942 \begin{center} |
|
|
2943 \begin{figure}[here] |
|
|
2944 \includegraphics{pics/sliding_window.ps} |
|
|
2945 \caption{Sliding Window Movement} |
|
|
2946 \label{pic:sliding_window} |
|
|
2947 \end{figure} |
|
|
2948 \end{center} |
|
|
2949 |
|
|
2950 \vspace{+3mm}\begin{small} |
|
|
2951 \hspace{-5.1mm}{\bf File}: bn\_mp\_lshd.c |
|
|
2952 \vspace{-3mm} |
|
|
2953 \begin{alltt} |
|
|
2954 016 |
|
|
2955 017 /* shift left a certain amount of digits */ |
|
|
2956 018 int mp_lshd (mp_int * a, int b) |
|
|
2957 019 \{ |
|
|
2958 020 int x, res; |
|
|
2959 021 |
|
|
2960 022 /* if its less than zero return */ |
|
|
2961 023 if (b <= 0) \{ |
|
|
2962 024 return MP_OKAY; |
|
|
2963 025 \} |
|
|
2964 026 |
|
|
2965 027 /* grow to fit the new digits */ |
|
|
2966 028 if (a->alloc < a->used + b) \{ |
|
|
2967 029 if ((res = mp_grow (a, a->used + b)) != MP_OKAY) \{ |
|
|
2968 030 return res; |
|
|
2969 031 \} |
|
|
2970 032 \} |
|
|
2971 033 |
|
|
2972 034 \{ |
|
|
2973 035 register mp_digit *top, *bottom; |
|
|
2974 036 |
|
|
2975 037 /* increment the used by the shift amount then copy upwards */ |
|
|
2976 038 a->used += b; |
|
|
2977 039 |
|
|
2978 040 /* top */ |
|
|
2979 041 top = a->dp + a->used - 1; |
|
|
2980 042 |
|
|
2981 043 /* base */ |
|
|
2982 044 bottom = a->dp + a->used - 1 - b; |
|
|
2983 045 |
|
|
2984 046 /* much like mp_rshd this is implemented using a sliding window |
|
|
2985 047 * except the window goes the otherway around. Copying from |
|
|
2986 048 * the bottom to the top. see bn_mp_rshd.c for more info. |
|
|
2987 049 */ |
|
|
2988 050 for (x = a->used - 1; x >= b; x--) \{ |
|
|
2989 051 *top-- = *bottom--; |
|
|
2990 052 \} |
|
|
2991 053 |
|
|
2992 054 /* zero the lower digits */ |
|
|
2993 055 top = a->dp; |
|
|
2994 056 for (x = 0; x < b; x++) \{ |
|
|
2995 057 *top++ = 0; |
|
|
2996 058 \} |
|
|
2997 059 \} |
|
|
2998 060 return MP_OKAY; |
|
|
2999 061 \} |
|
|
3000 062 #endif |
|
386
|
3001 063 |
|
282
|
3002 \end{alltt} |
|
|
3003 \end{small} |
|
|
3004 |
|
|
3005 The if statement (line 23) ensures that the $b$ variable is greater than zero since we do not interpret negative |
|
|
3006 shift counts properly. The \textbf{used} count is incremented by $b$ before the copy loop begins. This elminates |
|
|
3007 the need for an additional variable in the for loop. The variable $top$ (line 41) is an alias |
|
|
3008 for the leading digit while $bottom$ (line 44) is an alias for the trailing edge. The aliases form a |
|
|
3009 window of exactly $b$ digits over the input. |
|
|
3010 |
|
|
3011 \subsection{Division by $x$} |
|
|
3012 |
|
|
3013 Division by powers of $x$ is easily achieved by shifting the digits right and removing any that will end up to the right of the zero'th digit. |
|
|
3014 |
|
|
3015 \newpage\begin{figure}[!here] |
|
|
3016 \begin{small} |
|
|
3017 \begin{center} |
|
|
3018 \begin{tabular}{l} |
|
|
3019 \hline Algorithm \textbf{mp\_rshd}. \\ |
|
|
3020 \textbf{Input}. One mp\_int $a$ and an integer $b$ \\ |
|
|
3021 \textbf{Output}. $a \leftarrow a / \beta^b$ (Divide by $x^b$). \\ |
|
|
3022 \hline \\ |
|
|
3023 1. If $b \le 0$ then return. \\ |
|
|
3024 2. If $a.used \le b$ then do \\ |
|
|
3025 \hspace{3mm}2.1 Zero $a$. (\textit{mp\_zero}). \\ |
|
|
3026 \hspace{3mm}2.2 Return. \\ |
|
|
3027 3. $i \leftarrow 0$ \\ |
|
|
3028 4. $j \leftarrow b$ \\ |
|
|
3029 5. for $n$ from 0 to $a.used - b - 1$ do \\ |
|
|
3030 \hspace{3mm}5.1 $a_i \leftarrow a_j$ \\ |
|
|
3031 \hspace{3mm}5.2 $i \leftarrow i + 1$ \\ |
|
|
3032 \hspace{3mm}5.3 $j \leftarrow j + 1$ \\ |
|
|
3033 6. for $n$ from $a.used - b$ to $a.used - 1$ do \\ |
|
|
3034 \hspace{3mm}6.1 $a_n \leftarrow 0$ \\ |
|
|
3035 7. $a.used \leftarrow a.used - b$ \\ |
|
|
3036 8. Return. \\ |
|
|
3037 \hline |
|
|
3038 \end{tabular} |
|
|
3039 \end{center} |
|
|
3040 \end{small} |
|
|
3041 \caption{Algorithm mp\_rshd} |
|
|
3042 \end{figure} |
|
|
3043 |
|
|
3044 \textbf{Algorithm mp\_rshd.} |
|
|
3045 This algorithm divides the input in place by the $b$'th power of $x$. It is analogous to dividing by a $\beta^b$ but much quicker since |
|
|
3046 it does not require single precision division. This algorithm does not actually return an error code as it cannot fail. |
|
|
3047 |
|
|
3048 If the input $b$ is less than one the algorithm quickly returns without performing any work. If the \textbf{used} count is less than or equal |
|
|
3049 to the shift count $b$ then it will simply zero the input and return. |
|
|
3050 |
|
|
3051 After the trivial cases of inputs have been handled the sliding window is setup. Much like the case of algorithm mp\_lshd a sliding window that |
|
|
3052 is $b$ digits wide is used to copy the digits. Unlike mp\_lshd the window slides in the opposite direction from the trailing to the leading digit. |
|
|
3053 Also the digits are copied from the leading to the trailing edge. |
|
|
3054 |
|
|
3055 Once the window copy is complete the upper digits must be zeroed and the \textbf{used} count decremented. |
|
|
3056 |
|
|
3057 \vspace{+3mm}\begin{small} |
|
|
3058 \hspace{-5.1mm}{\bf File}: bn\_mp\_rshd.c |
|
|
3059 \vspace{-3mm} |
|
|
3060 \begin{alltt} |
|
|
3061 016 |
|
|
3062 017 /* shift right a certain amount of digits */ |
|
|
3063 018 void mp_rshd (mp_int * a, int b) |
|
|
3064 019 \{ |
|
|
3065 020 int x; |
|
|
3066 021 |
|
|
3067 022 /* if b <= 0 then ignore it */ |
|
|
3068 023 if (b <= 0) \{ |
|
|
3069 024 return; |
|
|
3070 025 \} |
|
|
3071 026 |
|
|
3072 027 /* if b > used then simply zero it and return */ |
|
|
3073 028 if (a->used <= b) \{ |
|
|
3074 029 mp_zero (a); |
|
|
3075 030 return; |
|
|
3076 031 \} |
|
|
3077 032 |
|
|
3078 033 \{ |
|
|
3079 034 register mp_digit *bottom, *top; |
|
|
3080 035 |
|
|
3081 036 /* shift the digits down */ |
|
|
3082 037 |
|
|
3083 038 /* bottom */ |
|
|
3084 039 bottom = a->dp; |
|
|
3085 040 |
|
|
3086 041 /* top [offset into digits] */ |
|
|
3087 042 top = a->dp + b; |
|
|
3088 043 |
|
|
3089 044 /* this is implemented as a sliding window where |
|
|
3090 045 * the window is b-digits long and digits from |
|
|
3091 046 * the top of the window are copied to the bottom |
|
|
3092 047 * |
|
|
3093 048 * e.g. |
|
|
3094 049 |
|
|
3095 050 b-2 | b-1 | b0 | b1 | b2 | ... | bb | ----> |
|
|
3096 051 /\symbol{92} | ----> |
|
|
3097 052 \symbol{92}-------------------/ ----> |
|
|
3098 053 */ |
|
|
3099 054 for (x = 0; x < (a->used - b); x++) \{ |
|
|
3100 055 *bottom++ = *top++; |
|
|
3101 056 \} |
|
|
3102 057 |
|
|
3103 058 /* zero the top digits */ |
|
|
3104 059 for (; x < a->used; x++) \{ |
|
|
3105 060 *bottom++ = 0; |
|
|
3106 061 \} |
|
|
3107 062 \} |
|
|
3108 063 |
|
|
3109 064 /* remove excess digits */ |
|
|
3110 065 a->used -= b; |
|
|
3111 066 \} |
|
|
3112 067 #endif |
|
386
|
3113 068 |
|
282
|
3114 \end{alltt} |
|
|
3115 \end{small} |
|
|
3116 |
|
|
3117 The only noteworthy element of this routine is the lack of a return type since it cannot fail. Like mp\_lshd() we |
|
|
3118 form a sliding window except we copy in the other direction. After the window (line 59) we then zero |
|
|
3119 the upper digits of the input to make sure the result is correct. |
|
|
3120 |
|
|
3121 \section{Powers of Two} |
|
|
3122 |
|
|
3123 Now that algorithms for moving single bits as well as whole digits exist algorithms for moving the ``in between'' distances are required. For |
|
|
3124 example, to quickly multiply by $2^k$ for any $k$ without using a full multiplier algorithm would prove useful. Instead of performing single |
|
|
3125 shifts $k$ times to achieve a multiplication by $2^{\pm k}$ a mixture of whole digit shifting and partial digit shifting is employed. |
|
|
3126 |
|
|
3127 \subsection{Multiplication by Power of Two} |
|
|
3128 |
|
|
3129 \newpage\begin{figure}[!here] |
|
|
3130 \begin{small} |
|
|
3131 \begin{center} |
|
|
3132 \begin{tabular}{l} |
|
|
3133 \hline Algorithm \textbf{mp\_mul\_2d}. \\ |
|
|
3134 \textbf{Input}. One mp\_int $a$ and an integer $b$ \\ |
|
|
3135 \textbf{Output}. $c \leftarrow a \cdot 2^b$. \\ |
|
|
3136 \hline \\ |
|
|
3137 1. $c \leftarrow a$. (\textit{mp\_copy}) \\ |
|
|
3138 2. If $c.alloc < c.used + \lfloor b / lg(\beta) \rfloor + 2$ then grow $c$ accordingly. \\ |
|
|
3139 3. If the reallocation failed return(\textit{MP\_MEM}). \\ |
|
|
3140 4. If $b \ge lg(\beta)$ then \\ |
|
|
3141 \hspace{3mm}4.1 $c \leftarrow c \cdot \beta^{\lfloor b / lg(\beta) \rfloor}$ (\textit{mp\_lshd}). \\ |
|
|
3142 \hspace{3mm}4.2 If step 4.1 failed return(\textit{MP\_MEM}). \\ |
|
|
3143 5. $d \leftarrow b \mbox{ (mod }lg(\beta)\mbox{)}$ \\ |
|
|
3144 6. If $d \ne 0$ then do \\ |
|
|
3145 \hspace{3mm}6.1 $mask \leftarrow 2^d$ \\ |
|
|
3146 \hspace{3mm}6.2 $r \leftarrow 0$ \\ |
|
|
3147 \hspace{3mm}6.3 for $n$ from $0$ to $c.used - 1$ do \\ |
|
|
3148 \hspace{6mm}6.3.1 $rr \leftarrow c_n >> (lg(\beta) - d) \mbox{ (mod }mask\mbox{)}$ \\ |
|
|
3149 \hspace{6mm}6.3.2 $c_n \leftarrow (c_n << d) + r \mbox{ (mod }\beta\mbox{)}$ \\ |
|
|
3150 \hspace{6mm}6.3.3 $r \leftarrow rr$ \\ |
|
|
3151 \hspace{3mm}6.4 If $r > 0$ then do \\ |
|
|
3152 \hspace{6mm}6.4.1 $c_{c.used} \leftarrow r$ \\ |
|
|
3153 \hspace{6mm}6.4.2 $c.used \leftarrow c.used + 1$ \\ |
|
|
3154 7. Return(\textit{MP\_OKAY}). \\ |
|
|
3155 \hline |
|
|
3156 \end{tabular} |
|
|
3157 \end{center} |
|
|
3158 \end{small} |
|
|
3159 \caption{Algorithm mp\_mul\_2d} |
|
|
3160 \end{figure} |
|
|
3161 |
|
|
3162 \textbf{Algorithm mp\_mul\_2d.} |
|
|
3163 This algorithm multiplies $a$ by $2^b$ and stores the result in $c$. The algorithm uses algorithm mp\_lshd and a derivative of algorithm mp\_mul\_2 to |
|
|
3164 quickly compute the product. |
|
|
3165 |
|
|
3166 First the algorithm will multiply $a$ by $x^{\lfloor b / lg(\beta) \rfloor}$ which will ensure that the remainder multiplicand is less than |
|
|
3167 $\beta$. For example, if $b = 37$ and $\beta = 2^{28}$ then this step will multiply by $x$ leaving a multiplication by $2^{37 - 28} = 2^{9}$ |
|
|
3168 left. |
|
|
3169 |
|
|
3170 After the digits have been shifted appropriately at most $lg(\beta) - 1$ shifts are left to perform. Step 5 calculates the number of remaining shifts |
|
|
3171 required. If it is non-zero a modified shift loop is used to calculate the remaining product. |
|
386
|
3172 Essentially the loop is a generic version of algorithm mp\_mul\_2 designed to handle any shift count in the range $1 \le x < lg(\beta)$. The $mask$ |
|
282
|
3173 variable is used to extract the upper $d$ bits to form the carry for the next iteration. |
|
|
3174 |
|
|
3175 This algorithm is loosely measured as a $O(2n)$ algorithm which means that if the input is $n$-digits that it takes $2n$ ``time'' to |
|
|
3176 complete. It is possible to optimize this algorithm down to a $O(n)$ algorithm at a cost of making the algorithm slightly harder to follow. |
|
|
3177 |
|
|
3178 \vspace{+3mm}\begin{small} |
|
|
3179 \hspace{-5.1mm}{\bf File}: bn\_mp\_mul\_2d.c |
|
|
3180 \vspace{-3mm} |
|
|
3181 \begin{alltt} |
|
|
3182 016 |
|
|
3183 017 /* shift left by a certain bit count */ |
|
|
3184 018 int mp_mul_2d (mp_int * a, int b, mp_int * c) |
|
|
3185 019 \{ |
|
|
3186 020 mp_digit d; |
|
|
3187 021 int res; |
|
|
3188 022 |
|
|
3189 023 /* copy */ |
|
|
3190 024 if (a != c) \{ |
|
|
3191 025 if ((res = mp_copy (a, c)) != MP_OKAY) \{ |
|
|
3192 026 return res; |
|
|
3193 027 \} |
|
|
3194 028 \} |
|
|
3195 029 |
|
|
3196 030 if (c->alloc < (int)(c->used + b/DIGIT_BIT + 1)) \{ |
|
|
3197 031 if ((res = mp_grow (c, c->used + b / DIGIT_BIT + 1)) != MP_OKAY) \{ |
|
|
3198 032 return res; |
|
|
3199 033 \} |
|
|
3200 034 \} |
|
|
3201 035 |
|
|
3202 036 /* shift by as many digits in the bit count */ |
|
|
3203 037 if (b >= (int)DIGIT_BIT) \{ |
|
|
3204 038 if ((res = mp_lshd (c, b / DIGIT_BIT)) != MP_OKAY) \{ |
|
|
3205 039 return res; |
|
|
3206 040 \} |
|
|
3207 041 \} |
|
|
3208 042 |
|
|
3209 043 /* shift any bit count < DIGIT_BIT */ |
|
|
3210 044 d = (mp_digit) (b % DIGIT_BIT); |
|
|
3211 045 if (d != 0) \{ |
|
|
3212 046 register mp_digit *tmpc, shift, mask, r, rr; |
|
|
3213 047 register int x; |
|
|
3214 048 |
|
|
3215 049 /* bitmask for carries */ |
|
|
3216 050 mask = (((mp_digit)1) << d) - 1; |
|
|
3217 051 |
|
|
3218 052 /* shift for msbs */ |
|
|
3219 053 shift = DIGIT_BIT - d; |
|
|
3220 054 |
|
|
3221 055 /* alias */ |
|
|
3222 056 tmpc = c->dp; |
|
|
3223 057 |
|
|
3224 058 /* carry */ |
|
|
3225 059 r = 0; |
|
|
3226 060 for (x = 0; x < c->used; x++) \{ |
|
|
3227 061 /* get the higher bits of the current word */ |
|
|
3228 062 rr = (*tmpc >> shift) & mask; |
|
|
3229 063 |
|
|
3230 064 /* shift the current word and OR in the carry */ |
|
|
3231 065 *tmpc = ((*tmpc << d) | r) & MP_MASK; |
|
|
3232 066 ++tmpc; |
|
|
3233 067 |
|
|
3234 068 /* set the carry to the carry bits of the current word */ |
|
|
3235 069 r = rr; |
|
|
3236 070 \} |
|
|
3237 071 |
|
|
3238 072 /* set final carry */ |
|
|
3239 073 if (r != 0) \{ |
|
|
3240 074 c->dp[(c->used)++] = r; |
|
|
3241 075 \} |
|
|
3242 076 \} |
|
|
3243 077 mp_clamp (c); |
|
|
3244 078 return MP_OKAY; |
|
|
3245 079 \} |
|
|
3246 080 #endif |
|
386
|
3247 081 |
|
282
|
3248 \end{alltt} |
|
|
3249 \end{small} |
|
|
3250 |
|
|
3251 The shifting is performed in--place which means the first step (line 24) is to copy the input to the |
|
|
3252 destination. We avoid calling mp\_copy() by making sure the mp\_ints are different. The destination then |
|
|
3253 has to be grown (line 31) to accomodate the result. |
|
|
3254 |
|
|
3255 If the shift count $b$ is larger than $lg(\beta)$ then a call to mp\_lshd() is used to handle all of the multiples |
|
|
3256 of $lg(\beta)$. Leaving only a remaining shift of $lg(\beta) - 1$ or fewer bits left. Inside the actual shift |
|
|
3257 loop (lines 45 to 76) we make use of pre--computed values $shift$ and $mask$. These are used to |
|
|
3258 extract the carry bit(s) to pass into the next iteration of the loop. The $r$ and $rr$ variables form a |
|
|
3259 chain between consecutive iterations to propagate the carry. |
|
|
3260 |
|
|
3261 \subsection{Division by Power of Two} |
|
|
3262 |
|
|
3263 \newpage\begin{figure}[!here] |
|
|
3264 \begin{small} |
|
|
3265 \begin{center} |
|
|
3266 \begin{tabular}{l} |
|
|
3267 \hline Algorithm \textbf{mp\_div\_2d}. \\ |
|
|
3268 \textbf{Input}. One mp\_int $a$ and an integer $b$ \\ |
|
|
3269 \textbf{Output}. $c \leftarrow \lfloor a / 2^b \rfloor, d \leftarrow a \mbox{ (mod }2^b\mbox{)}$. \\ |
|
|
3270 \hline \\ |
|
|
3271 1. If $b \le 0$ then do \\ |
|
|
3272 \hspace{3mm}1.1 $c \leftarrow a$ (\textit{mp\_copy}) \\ |
|
|
3273 \hspace{3mm}1.2 $d \leftarrow 0$ (\textit{mp\_zero}) \\ |
|
|
3274 \hspace{3mm}1.3 Return(\textit{MP\_OKAY}). \\ |
|
|
3275 2. $c \leftarrow a$ \\ |
|
|
3276 3. $d \leftarrow a \mbox{ (mod }2^b\mbox{)}$ (\textit{mp\_mod\_2d}) \\ |
|
|
3277 4. If $b \ge lg(\beta)$ then do \\ |
|
|
3278 \hspace{3mm}4.1 $c \leftarrow \lfloor c/\beta^{\lfloor b/lg(\beta) \rfloor} \rfloor$ (\textit{mp\_rshd}). \\ |
|
|
3279 5. $k \leftarrow b \mbox{ (mod }lg(\beta)\mbox{)}$ \\ |
|
|
3280 6. If $k \ne 0$ then do \\ |
|
|
3281 \hspace{3mm}6.1 $mask \leftarrow 2^k$ \\ |
|
|
3282 \hspace{3mm}6.2 $r \leftarrow 0$ \\ |
|
|
3283 \hspace{3mm}6.3 for $n$ from $c.used - 1$ to $0$ do \\ |
|
|
3284 \hspace{6mm}6.3.1 $rr \leftarrow c_n \mbox{ (mod }mask\mbox{)}$ \\ |
|
|
3285 \hspace{6mm}6.3.2 $c_n \leftarrow (c_n >> k) + (r << (lg(\beta) - k))$ \\ |
|
|
3286 \hspace{6mm}6.3.3 $r \leftarrow rr$ \\ |
|
|
3287 7. Clamp excess digits of $c$. (\textit{mp\_clamp}) \\ |
|
|
3288 8. Return(\textit{MP\_OKAY}). \\ |
|
|
3289 \hline |
|
|
3290 \end{tabular} |
|
|
3291 \end{center} |
|
|
3292 \end{small} |
|
|
3293 \caption{Algorithm mp\_div\_2d} |
|
|
3294 \end{figure} |
|
|
3295 |
|
|
3296 \textbf{Algorithm mp\_div\_2d.} |
|
|
3297 This algorithm will divide an input $a$ by $2^b$ and produce the quotient and remainder. The algorithm is designed much like algorithm |
|
|
3298 mp\_mul\_2d by first using whole digit shifts then single precision shifts. This algorithm will also produce the remainder of the division |
|
|
3299 by using algorithm mp\_mod\_2d. |
|
|
3300 |
|
|
3301 \vspace{+3mm}\begin{small} |
|
|
3302 \hspace{-5.1mm}{\bf File}: bn\_mp\_div\_2d.c |
|
|
3303 \vspace{-3mm} |
|
|
3304 \begin{alltt} |
|
|
3305 016 |
|
|
3306 017 /* shift right by a certain bit count (store quotient in c, optional remaind |
|
|
3307 er in d) */ |
|
|
3308 018 int mp_div_2d (mp_int * a, int b, mp_int * c, mp_int * d) |
|
|
3309 019 \{ |
|
|
3310 020 mp_digit D, r, rr; |
|
|
3311 021 int x, res; |
|
|
3312 022 mp_int t; |
|
|
3313 023 |
|
|
3314 024 |
|
|
3315 025 /* if the shift count is <= 0 then we do no work */ |
|
|
3316 026 if (b <= 0) \{ |
|
|
3317 027 res = mp_copy (a, c); |
|
|
3318 028 if (d != NULL) \{ |
|
|
3319 029 mp_zero (d); |
|
|
3320 030 \} |
|
|
3321 031 return res; |
|
|
3322 032 \} |
|
|
3323 033 |
|
|
3324 034 if ((res = mp_init (&t)) != MP_OKAY) \{ |
|
|
3325 035 return res; |
|
|
3326 036 \} |
|
|
3327 037 |
|
|
3328 038 /* get the remainder */ |
|
|
3329 039 if (d != NULL) \{ |
|
|
3330 040 if ((res = mp_mod_2d (a, b, &t)) != MP_OKAY) \{ |
|
|
3331 041 mp_clear (&t); |
|
|
3332 042 return res; |
|
|
3333 043 \} |
|
|
3334 044 \} |
|
|
3335 045 |
|
|
3336 046 /* copy */ |
|
|
3337 047 if ((res = mp_copy (a, c)) != MP_OKAY) \{ |
|
|
3338 048 mp_clear (&t); |
|
|
3339 049 return res; |
|
|
3340 050 \} |
|
|
3341 051 |
|
|
3342 052 /* shift by as many digits in the bit count */ |
|
|
3343 053 if (b >= (int)DIGIT_BIT) \{ |
|
|
3344 054 mp_rshd (c, b / DIGIT_BIT); |
|
|
3345 055 \} |
|
|
3346 056 |
|
|
3347 057 /* shift any bit count < DIGIT_BIT */ |
|
|
3348 058 D = (mp_digit) (b % DIGIT_BIT); |
|
|
3349 059 if (D != 0) \{ |
|
|
3350 060 register mp_digit *tmpc, mask, shift; |
|
|
3351 061 |
|
|
3352 062 /* mask */ |
|
|
3353 063 mask = (((mp_digit)1) << D) - 1; |
|
|
3354 064 |
|
|
3355 065 /* shift for lsb */ |
|
|
3356 066 shift = DIGIT_BIT - D; |
|
|
3357 067 |
|
|
3358 068 /* alias */ |
|
|
3359 069 tmpc = c->dp + (c->used - 1); |
|
|
3360 070 |
|
|
3361 071 /* carry */ |
|
|
3362 072 r = 0; |
|
|
3363 073 for (x = c->used - 1; x >= 0; x--) \{ |
|
|
3364 074 /* get the lower bits of this word in a temp */ |
|
|
3365 075 rr = *tmpc & mask; |
|
|
3366 076 |
|
|
3367 077 /* shift the current word and mix in the carry bits from the previous |
|
|
3368 word */ |
|
|
3369 078 *tmpc = (*tmpc >> D) | (r << shift); |
|
|
3370 079 --tmpc; |
|
|
3371 080 |
|
|
3372 081 /* set the carry to the carry bits of the current word found above */ |
|
|
3373 082 r = rr; |
|
|
3374 083 \} |
|
|
3375 084 \} |
|
|
3376 085 mp_clamp (c); |
|
|
3377 086 if (d != NULL) \{ |
|
|
3378 087 mp_exch (&t, d); |
|
|
3379 088 \} |
|
|
3380 089 mp_clear (&t); |
|
|
3381 090 return MP_OKAY; |
|
|
3382 091 \} |
|
|
3383 092 #endif |
|
386
|
3384 093 |
|
282
|
3385 \end{alltt} |
|
|
3386 \end{small} |
|
|
3387 |
|
|
3388 The implementation of algorithm mp\_div\_2d is slightly different than the algorithm specifies. The remainder $d$ may be optionally |
|
|
3389 ignored by passing \textbf{NULL} as the pointer to the mp\_int variable. The temporary mp\_int variable $t$ is used to hold the |
|
|
3390 result of the remainder operation until the end. This allows $d$ and $a$ to represent the same mp\_int without modifying $a$ before |
|
|
3391 the quotient is obtained. |
|
|
3392 |
|
|
3393 The remainder of the source code is essentially the same as the source code for mp\_mul\_2d. The only significant difference is |
|
|
3394 the direction of the shifts. |
|
|
3395 |
|
|
3396 \subsection{Remainder of Division by Power of Two} |
|
|
3397 |
|
|
3398 The last algorithm in the series of polynomial basis power of two algorithms is calculating the remainder of division by $2^b$. This |
|
|
3399 algorithm benefits from the fact that in twos complement arithmetic $a \mbox{ (mod }2^b\mbox{)}$ is the same as $a$ AND $2^b - 1$. |
|
|
3400 |
|
|
3401 \begin{figure}[!here] |
|
|
3402 \begin{small} |
|
|
3403 \begin{center} |
|
|
3404 \begin{tabular}{l} |
|
|
3405 \hline Algorithm \textbf{mp\_mod\_2d}. \\ |
|
|
3406 \textbf{Input}. One mp\_int $a$ and an integer $b$ \\ |
|
|
3407 \textbf{Output}. $c \leftarrow a \mbox{ (mod }2^b\mbox{)}$. \\ |
|
|
3408 \hline \\ |
|
|
3409 1. If $b \le 0$ then do \\ |
|
|
3410 \hspace{3mm}1.1 $c \leftarrow 0$ (\textit{mp\_zero}) \\ |
|
|
3411 \hspace{3mm}1.2 Return(\textit{MP\_OKAY}). \\ |
|
|
3412 2. If $b > a.used \cdot lg(\beta)$ then do \\ |
|
|
3413 \hspace{3mm}2.1 $c \leftarrow a$ (\textit{mp\_copy}) \\ |
|
|
3414 \hspace{3mm}2.2 Return the result of step 2.1. \\ |
|
|
3415 3. $c \leftarrow a$ \\ |
|
|
3416 4. If step 3 failed return(\textit{MP\_MEM}). \\ |
|
|
3417 5. for $n$ from $\lceil b / lg(\beta) \rceil$ to $c.used$ do \\ |
|
|
3418 \hspace{3mm}5.1 $c_n \leftarrow 0$ \\ |
|
|
3419 6. $k \leftarrow b \mbox{ (mod }lg(\beta)\mbox{)}$ \\ |
|
|
3420 7. $c_{\lfloor b / lg(\beta) \rfloor} \leftarrow c_{\lfloor b / lg(\beta) \rfloor} \mbox{ (mod }2^{k}\mbox{)}$. \\ |
|
|
3421 8. Clamp excess digits of $c$. (\textit{mp\_clamp}) \\ |
|
|
3422 9. Return(\textit{MP\_OKAY}). \\ |
|
|
3423 \hline |
|
|
3424 \end{tabular} |
|
|
3425 \end{center} |
|
|
3426 \end{small} |
|
|
3427 \caption{Algorithm mp\_mod\_2d} |
|
|
3428 \end{figure} |
|
|
3429 |
|
|
3430 \textbf{Algorithm mp\_mod\_2d.} |
|
|
3431 This algorithm will quickly calculate the value of $a \mbox{ (mod }2^b\mbox{)}$. First if $b$ is less than or equal to zero the |
|
|
3432 result is set to zero. If $b$ is greater than the number of bits in $a$ then it simply copies $a$ to $c$ and returns. Otherwise, $a$ |
|
|
3433 is copied to $b$, leading digits are removed and the remaining leading digit is trimed to the exact bit count. |
|
|
3434 |
|
|
3435 \vspace{+3mm}\begin{small} |
|
|
3436 \hspace{-5.1mm}{\bf File}: bn\_mp\_mod\_2d.c |
|
|
3437 \vspace{-3mm} |
|
|
3438 \begin{alltt} |
|
|
3439 016 |
|
|
3440 017 /* calc a value mod 2**b */ |
|
|
3441 018 int |
|
|
3442 019 mp_mod_2d (mp_int * a, int b, mp_int * c) |
|
|
3443 020 \{ |
|
|
3444 021 int x, res; |
|
|
3445 022 |
|
|
3446 023 /* if b is <= 0 then zero the int */ |
|
|
3447 024 if (b <= 0) \{ |
|
|
3448 025 mp_zero (c); |
|
|
3449 026 return MP_OKAY; |
|
|
3450 027 \} |
|
|
3451 028 |
|
|
3452 029 /* if the modulus is larger than the value than return */ |
|
|
3453 030 if (b >= (int) (a->used * DIGIT_BIT)) \{ |
|
|
3454 031 res = mp_copy (a, c); |
|
|
3455 032 return res; |
|
|
3456 033 \} |
|
|
3457 034 |
|
|
3458 035 /* copy */ |
|
|
3459 036 if ((res = mp_copy (a, c)) != MP_OKAY) \{ |
|
|
3460 037 return res; |
|
|
3461 038 \} |
|
|
3462 039 |
|
|
3463 040 /* zero digits above the last digit of the modulus */ |
|
|
3464 041 for (x = (b / DIGIT_BIT) + ((b % DIGIT_BIT) == 0 ? 0 : 1); x < c->used; x+ |
|
|
3465 +) \{ |
|
|
3466 042 c->dp[x] = 0; |
|
|
3467 043 \} |
|
|
3468 044 /* clear the digit that is not completely outside/inside the modulus */ |
|
|
3469 045 c->dp[b / DIGIT_BIT] &= |
|
|
3470 046 (mp_digit) ((((mp_digit) 1) << (((mp_digit) b) % DIGIT_BIT)) - ((mp_digi |
|
|
3471 t) 1)); |
|
|
3472 047 mp_clamp (c); |
|
|
3473 048 return MP_OKAY; |
|
|
3474 049 \} |
|
|
3475 050 #endif |
|
386
|
3476 051 |
|
282
|
3477 \end{alltt} |
|
|
3478 \end{small} |
|
|
3479 |
|
|
3480 We first avoid cases of $b \le 0$ by simply mp\_zero()'ing the destination in such cases. Next if $2^b$ is larger |
|
|
3481 than the input we just mp\_copy() the input and return right away. After this point we know we must actually |
|
|
3482 perform some work to produce the remainder. |
|
|
3483 |
|
|
3484 Recalling that reducing modulo $2^k$ and a binary ``and'' with $2^k - 1$ are numerically equivalent we can quickly reduce |
|
|
3485 the number. First we zero any digits above the last digit in $2^b$ (line 41). Next we reduce the |
|
|
3486 leading digit of both (line 45) and then mp\_clamp(). |
|
|
3487 |
|
|
3488 \section*{Exercises} |
|
|
3489 \begin{tabular}{cl} |
|
|
3490 $\left [ 3 \right ] $ & Devise an algorithm that performs $a \cdot 2^b$ for generic values of $b$ \\ |
|
|
3491 & in $O(n)$ time. \\ |
|
|
3492 &\\ |
|
|
3493 $\left [ 3 \right ] $ & Devise an efficient algorithm to multiply by small low hamming \\ |
|
|
3494 & weight values such as $3$, $5$ and $9$. Extend it to handle all values \\ |
|
|
3495 & upto $64$ with a hamming weight less than three. \\ |
|
|
3496 &\\ |
|
|
3497 $\left [ 2 \right ] $ & Modify the preceding algorithm to handle values of the form \\ |
|
|
3498 & $2^k - 1$ as well. \\ |
|
|
3499 &\\ |
|
|
3500 $\left [ 3 \right ] $ & Using only algorithms mp\_mul\_2, mp\_div\_2 and mp\_add create an \\ |
|
|
3501 & algorithm to multiply two integers in roughly $O(2n^2)$ time for \\ |
|
|
3502 & any $n$-bit input. Note that the time of addition is ignored in the \\ |
|
|
3503 & calculation. \\ |
|
|
3504 & \\ |
|
|
3505 $\left [ 5 \right ] $ & Improve the previous algorithm to have a working time of at most \\ |
|
|
3506 & $O \left (2^{(k-1)}n + \left ({2n^2 \over k} \right ) \right )$ for an appropriate choice of $k$. Again ignore \\ |
|
|
3507 & the cost of addition. \\ |
|
|
3508 & \\ |
|
|
3509 $\left [ 2 \right ] $ & Devise a chart to find optimal values of $k$ for the previous problem \\ |
|
|
3510 & for $n = 64 \ldots 1024$ in steps of $64$. \\ |
|
|
3511 & \\ |
|
|
3512 $\left [ 2 \right ] $ & Using only algorithms mp\_abs and mp\_sub devise another method for \\ |
|
|
3513 & calculating the result of a signed comparison. \\ |
|
|
3514 & |
|
|
3515 \end{tabular} |
|
|
3516 |
|
|
3517 \chapter{Multiplication and Squaring} |
|
|
3518 \section{The Multipliers} |
|
|
3519 For most number theoretic problems including certain public key cryptographic algorithms, the ``multipliers'' form the most important subset of |
|
|
3520 algorithms of any multiple precision integer package. The set of multiplier algorithms include integer multiplication, squaring and modular reduction |
|
|
3521 where in each of the algorithms single precision multiplication is the dominant operation performed. This chapter will discuss integer multiplication |
|
|
3522 and squaring, leaving modular reductions for the subsequent chapter. |
|
|
3523 |
|
|
3524 The importance of the multiplier algorithms is for the most part driven by the fact that certain popular public key algorithms are based on modular |
|
|
3525 exponentiation, that is computing $d \equiv a^b \mbox{ (mod }c\mbox{)}$ for some arbitrary choice of $a$, $b$, $c$ and $d$. During a modular |
|
|
3526 exponentiation the majority\footnote{Roughly speaking a modular exponentiation will spend about 40\% of the time performing modular reductions, |
|
|
3527 35\% of the time performing squaring and 25\% of the time performing multiplications.} of the processor time is spent performing single precision |
|
|
3528 multiplications. |
|
|
3529 |
|
|
3530 For centuries general purpose multiplication has required a lengthly $O(n^2)$ process, whereby each digit of one multiplicand has to be multiplied |
|
|
3531 against every digit of the other multiplicand. Traditional long-hand multiplication is based on this process; while the techniques can differ the |
|
|
3532 overall algorithm used is essentially the same. Only ``recently'' have faster algorithms been studied. First Karatsuba multiplication was discovered in |
|
|
3533 1962. This algorithm can multiply two numbers with considerably fewer single precision multiplications when compared to the long-hand approach. |
|
|
3534 This technique led to the discovery of polynomial basis algorithms (\textit{good reference?}) and subquently Fourier Transform based solutions. |
|
|
3535 |
|
|
3536 \section{Multiplication} |
|
|
3537 \subsection{The Baseline Multiplication} |
|
|
3538 \label{sec:basemult} |
|
|
3539 \index{baseline multiplication} |
|
|
3540 Computing the product of two integers in software can be achieved using a trivial adaptation of the standard $O(n^2)$ long-hand multiplication |
|
|
3541 algorithm that school children are taught. The algorithm is considered an $O(n^2)$ algorithm since for two $n$-digit inputs $n^2$ single precision |
|
|
3542 multiplications are required. More specifically for a $m$ and $n$ digit input $m \cdot n$ single precision multiplications are required. To |
|
|
3543 simplify most discussions, it will be assumed that the inputs have comparable number of digits. |
|
|
3544 |
|
|
3545 The ``baseline multiplication'' algorithm is designed to act as the ``catch-all'' algorithm, only to be used when the faster algorithms cannot be |
|
|
3546 used. This algorithm does not use any particularly interesting optimizations and should ideally be avoided if possible. One important |
|
|
3547 facet of this algorithm, is that it has been modified to only produce a certain amount of output digits as resolution. The importance of this |
|
|
3548 modification will become evident during the discussion of Barrett modular reduction. Recall that for a $n$ and $m$ digit input the product |
|
|
3549 will be at most $n + m$ digits. Therefore, this algorithm can be reduced to a full multiplier by having it produce $n + m$ digits of the product. |
|
|
3550 |
|
|
3551 Recall from sub-section 4.2.2 the definition of $\gamma$ as the number of bits in the type \textbf{mp\_digit}. We shall now extend the variable set to |
|
|
3552 include $\alpha$ which shall represent the number of bits in the type \textbf{mp\_word}. This implies that $2^{\alpha} > 2 \cdot \beta^2$. The |
|
|
3553 constant $\delta = 2^{\alpha - 2lg(\beta)}$ will represent the maximal weight of any column in a product (\textit{see sub-section 5.2.2 for more information}). |
|
|
3554 |
|
|
3555 \newpage\begin{figure}[!here] |
|
|
3556 \begin{small} |
|
|
3557 \begin{center} |
|
|
3558 \begin{tabular}{l} |
|
|
3559 \hline Algorithm \textbf{s\_mp\_mul\_digs}. \\ |
|
|
3560 \textbf{Input}. mp\_int $a$, mp\_int $b$ and an integer $digs$ \\ |
|
|
3561 \textbf{Output}. $c \leftarrow \vert a \vert \cdot \vert b \vert \mbox{ (mod }\beta^{digs}\mbox{)}$. \\ |
|
|
3562 \hline \\ |
|
|
3563 1. If min$(a.used, b.used) < \delta$ then do \\ |
|
|
3564 \hspace{3mm}1.1 Calculate $c = \vert a \vert \cdot \vert b \vert$ by the Comba method (\textit{see algorithm~\ref{fig:COMBAMULT}}). \\ |
|
|
3565 \hspace{3mm}1.2 Return the result of step 1.1 \\ |
|
|
3566 \\ |
|
|
3567 Allocate and initialize a temporary mp\_int. \\ |
|
|
3568 2. Init $t$ to be of size $digs$ \\ |
|
|
3569 3. If step 2 failed return(\textit{MP\_MEM}). \\ |
|
|
3570 4. $t.used \leftarrow digs$ \\ |
|
|
3571 \\ |
|
|
3572 Compute the product. \\ |
|
|
3573 5. for $ix$ from $0$ to $a.used - 1$ do \\ |
|
|
3574 \hspace{3mm}5.1 $u \leftarrow 0$ \\ |
|
|
3575 \hspace{3mm}5.2 $pb \leftarrow \mbox{min}(b.used, digs - ix)$ \\ |
|
|
3576 \hspace{3mm}5.3 If $pb < 1$ then goto step 6. \\ |
|
|
3577 \hspace{3mm}5.4 for $iy$ from $0$ to $pb - 1$ do \\ |
|
|
3578 \hspace{6mm}5.4.1 $\hat r \leftarrow t_{iy + ix} + a_{ix} \cdot b_{iy} + u$ \\ |
|
|
3579 \hspace{6mm}5.4.2 $t_{iy + ix} \leftarrow \hat r \mbox{ (mod }\beta\mbox{)}$ \\ |
|
|
3580 \hspace{6mm}5.4.3 $u \leftarrow \lfloor \hat r / \beta \rfloor$ \\ |
|
|
3581 \hspace{3mm}5.5 if $ix + pb < digs$ then do \\ |
|
|
3582 \hspace{6mm}5.5.1 $t_{ix + pb} \leftarrow u$ \\ |
|
|
3583 6. Clamp excess digits of $t$. \\ |
|
|
3584 7. Swap $c$ with $t$ \\ |
|
|
3585 8. Clear $t$ \\ |
|
|
3586 9. Return(\textit{MP\_OKAY}). \\ |
|
|
3587 \hline |
|
|
3588 \end{tabular} |
|
|
3589 \end{center} |
|
|
3590 \end{small} |
|
|
3591 \caption{Algorithm s\_mp\_mul\_digs} |
|
|
3592 \end{figure} |
|
|
3593 |
|
|
3594 \textbf{Algorithm s\_mp\_mul\_digs.} |
|
|
3595 This algorithm computes the unsigned product of two inputs $a$ and $b$, limited to an output precision of $digs$ digits. While it may seem |
|
|
3596 a bit awkward to modify the function from its simple $O(n^2)$ description, the usefulness of partial multipliers will arise in a subsequent |
|
|
3597 algorithm. The algorithm is loosely based on algorithm 14.12 from \cite[pp. 595]{HAC} and is similar to Algorithm M of Knuth \cite[pp. 268]{TAOCPV2}. |
|
|
3598 Algorithm s\_mp\_mul\_digs differs from these cited references since it can produce a variable output precision regardless of the precision of the |
|
|
3599 inputs. |
|
|
3600 |
|
|
3601 The first thing this algorithm checks for is whether a Comba multiplier can be used instead. If the minimum digit count of either |
|
|
3602 input is less than $\delta$, then the Comba method may be used instead. After the Comba method is ruled out, the baseline algorithm begins. A |
|
|
3603 temporary mp\_int variable $t$ is used to hold the intermediate result of the product. This allows the algorithm to be used to |
|
|
3604 compute products when either $a = c$ or $b = c$ without overwriting the inputs. |
|
|
3605 |
|
|
3606 All of step 5 is the infamous $O(n^2)$ multiplication loop slightly modified to only produce upto $digs$ digits of output. The $pb$ variable |
|
|
3607 is given the count of digits to read from $b$ inside the nested loop. If $pb \le 1$ then no more output digits can be produced and the algorithm |
|
|
3608 will exit the loop. The best way to think of the loops are as a series of $pb \times 1$ multiplications. That is, in each pass of the |
|
|
3609 innermost loop $a_{ix}$ is multiplied against $b$ and the result is added (\textit{with an appropriate shift}) to $t$. |
|
|
3610 |
|
|
3611 For example, consider multiplying $576$ by $241$. That is equivalent to computing $10^0(1)(576) + 10^1(4)(576) + 10^2(2)(576)$ which is best |
|
|
3612 visualized in the following table. |
|
|
3613 |
|
|
3614 \begin{figure}[here] |
|
|
3615 \begin{center} |
|
|
3616 \begin{tabular}{|c|c|c|c|c|c|l|} |
|
|
3617 \hline && & 5 & 7 & 6 & \\ |
|
|
3618 \hline $\times$&& & 2 & 4 & 1 & \\ |
|
|
3619 \hline &&&&&&\\ |
|
|
3620 && & 5 & 7 & 6 & $10^0(1)(576)$ \\ |
|
|
3621 &2 & 3 & 6 & 1 & 6 & $10^1(4)(576) + 10^0(1)(576)$ \\ |
|
|
3622 1 & 3 & 8 & 8 & 1 & 6 & $10^2(2)(576) + 10^1(4)(576) + 10^0(1)(576)$ \\ |
|
|
3623 \hline |
|
|
3624 \end{tabular} |
|
|
3625 \end{center} |
|
|
3626 \caption{Long-Hand Multiplication Diagram} |
|
|
3627 \end{figure} |
|
|
3628 |
|
|
3629 Each row of the product is added to the result after being shifted to the left (\textit{multiplied by a power of the radix}) by the appropriate |
|
|
3630 count. That is in pass $ix$ of the inner loop the product is added starting at the $ix$'th digit of the reult. |
|
|
3631 |
|
|
3632 Step 5.4.1 introduces the hat symbol (\textit{e.g. $\hat r$}) which represents a double precision variable. The multiplication on that step |
|
|
3633 is assumed to be a double wide output single precision multiplication. That is, two single precision variables are multiplied to produce a |
|
|
3634 double precision result. The step is somewhat optimized from a long-hand multiplication algorithm because the carry from the addition in step |
|
|
3635 5.4.1 is propagated through the nested loop. If the carry was not propagated immediately it would overflow the single precision digit |
|
|
3636 $t_{ix+iy}$ and the result would be lost. |
|
|
3637 |
|
|
3638 At step 5.5 the nested loop is finished and any carry that was left over should be forwarded. The carry does not have to be added to the $ix+pb$'th |
|
|
3639 digit since that digit is assumed to be zero at this point. However, if $ix + pb \ge digs$ the carry is not set as it would make the result |
|
|
3640 exceed the precision requested. |
|
|
3641 |
|
|
3642 \vspace{+3mm}\begin{small} |
|
|
3643 \hspace{-5.1mm}{\bf File}: bn\_s\_mp\_mul\_digs.c |
|
|
3644 \vspace{-3mm} |
|
|
3645 \begin{alltt} |
|
|
3646 016 |
|
|
3647 017 /* multiplies |a| * |b| and only computes upto digs digits of result |
|
|
3648 018 * HAC pp. 595, Algorithm 14.12 Modified so you can control how |
|
|
3649 019 * many digits of output are created. |
|
|
3650 020 */ |
|
|
3651 021 int s_mp_mul_digs (mp_int * a, mp_int * b, mp_int * c, int digs) |
|
|
3652 022 \{ |
|
|
3653 023 mp_int t; |
|
|
3654 024 int res, pa, pb, ix, iy; |
|
|
3655 025 mp_digit u; |
|
|
3656 026 mp_word r; |
|
|
3657 027 mp_digit tmpx, *tmpt, *tmpy; |
|
|
3658 028 |
|
|
3659 029 /* can we use the fast multiplier? */ |
|
|
3660 030 if (((digs) < MP_WARRAY) && |
|
|
3661 031 MIN (a->used, b->used) < |
|
|
3662 032 (1 << ((CHAR_BIT * sizeof (mp_word)) - (2 * DIGIT_BIT)))) \{ |
|
|
3663 033 return fast_s_mp_mul_digs (a, b, c, digs); |
|
|
3664 034 \} |
|
|
3665 035 |
|
|
3666 036 if ((res = mp_init_size (&t, digs)) != MP_OKAY) \{ |
|
|
3667 037 return res; |
|
|
3668 038 \} |
|
|
3669 039 t.used = digs; |
|
|
3670 040 |
|
|
3671 041 /* compute the digits of the product directly */ |
|
|
3672 042 pa = a->used; |
|
|
3673 043 for (ix = 0; ix < pa; ix++) \{ |
|
|
3674 044 /* set the carry to zero */ |
|
|
3675 045 u = 0; |
|
|
3676 046 |
|
|
3677 047 /* limit ourselves to making digs digits of output */ |
|
|
3678 048 pb = MIN (b->used, digs - ix); |
|
|
3679 049 |
|
|
3680 050 /* setup some aliases */ |
|
|
3681 051 /* copy of the digit from a used within the nested loop */ |
|
|
3682 052 tmpx = a->dp[ix]; |
|
|
3683 053 |
|
|
3684 054 /* an alias for the destination shifted ix places */ |
|
|
3685 055 tmpt = t.dp + ix; |
|
|
3686 056 |
|
|
3687 057 /* an alias for the digits of b */ |
|
|
3688 058 tmpy = b->dp; |
|
|
3689 059 |
|
|
3690 060 /* compute the columns of the output and propagate the carry */ |
|
|
3691 061 for (iy = 0; iy < pb; iy++) \{ |
|
|
3692 062 /* compute the column as a mp_word */ |
|
|
3693 063 r = ((mp_word)*tmpt) + |
|
|
3694 064 ((mp_word)tmpx) * ((mp_word)*tmpy++) + |
|
|
3695 065 ((mp_word) u); |
|
|
3696 066 |
|
|
3697 067 /* the new column is the lower part of the result */ |
|
|
3698 068 *tmpt++ = (mp_digit) (r & ((mp_word) MP_MASK)); |
|
|
3699 069 |
|
|
3700 070 /* get the carry word from the result */ |
|
|
3701 071 u = (mp_digit) (r >> ((mp_word) DIGIT_BIT)); |
|
|
3702 072 \} |
|
|
3703 073 /* set carry if it is placed below digs */ |
|
|
3704 074 if (ix + iy < digs) \{ |
|
|
3705 075 *tmpt = u; |
|
|
3706 076 \} |
|
|
3707 077 \} |
|
|
3708 078 |
|
|
3709 079 mp_clamp (&t); |
|
|
3710 080 mp_exch (&t, c); |
|
|
3711 081 |
|
|
3712 082 mp_clear (&t); |
|
|
3713 083 return MP_OKAY; |
|
|
3714 084 \} |
|
|
3715 085 #endif |
|
386
|
3716 086 |
|
282
|
3717 \end{alltt} |
|
|
3718 \end{small} |
|
|
3719 |
|
|
3720 First we determine (line 30) if the Comba method can be used first since it's faster. The conditions for |
|
|
3721 sing the Comba routine are that min$(a.used, b.used) < \delta$ and the number of digits of output is less than |
|
|
3722 \textbf{MP\_WARRAY}. This new constant is used to control the stack usage in the Comba routines. By default it is |
|
|
3723 set to $\delta$ but can be reduced when memory is at a premium. |
|
|
3724 |
|
|
3725 If we cannot use the Comba method we proceed to setup the baseline routine. We allocate the the destination mp\_int |
|
|
3726 $t$ (line 36) to the exact size of the output to avoid further re--allocations. At this point we now |
|
|
3727 begin the $O(n^2)$ loop. |
|
|
3728 |
|
|
3729 This implementation of multiplication has the caveat that it can be trimmed to only produce a variable number of |
|
|
3730 digits as output. In each iteration of the outer loop the $pb$ variable is set (line 48) to the maximum |
|
|
3731 number of inner loop iterations. |
|
|
3732 |
|
|
3733 Inside the inner loop we calculate $\hat r$ as the mp\_word product of the two mp\_digits and the addition of the |
|
|
3734 carry from the previous iteration. A particularly important observation is that most modern optimizing |
|
|
3735 C compilers (GCC for instance) can recognize that a $N \times N \rightarrow 2N$ multiplication is all that |
|
|
3736 is required for the product. In x86 terms for example, this means using the MUL instruction. |
|
|
3737 |
|
|
3738 Each digit of the product is stored in turn (line 68) and the carry propagated (line 71) to the |
|
|
3739 next iteration. |
|
|
3740 |
|
|
3741 \subsection{Faster Multiplication by the ``Comba'' Method} |
|
|
3742 |
|
|
3743 One of the huge drawbacks of the ``baseline'' algorithms is that at the $O(n^2)$ level the carry must be |
|
|
3744 computed and propagated upwards. This makes the nested loop very sequential and hard to unroll and implement |
|
|
3745 in parallel. The ``Comba'' \cite{COMBA} method is named after little known (\textit{in cryptographic venues}) Paul G. |
|
|
3746 Comba who described a method of implementing fast multipliers that do not require nested carry fixup operations. As an |
|
|
3747 interesting aside it seems that Paul Barrett describes a similar technique in his 1986 paper \cite{BARRETT} written |
|
|
3748 five years before. |
|
|
3749 |
|
|
3750 At the heart of the Comba technique is once again the long-hand algorithm. Except in this case a slight |
|
|
3751 twist is placed on how the columns of the result are produced. In the standard long-hand algorithm rows of products |
|
|
3752 are produced then added together to form the final result. In the baseline algorithm the columns are added together |
|
|
3753 after each iteration to get the result instantaneously. |
|
|
3754 |
|
|
3755 In the Comba algorithm the columns of the result are produced entirely independently of each other. That is at |
|
|
3756 the $O(n^2)$ level a simple multiplication and addition step is performed. The carries of the columns are propagated |
|
|
3757 after the nested loop to reduce the amount of work requiored. Succintly the first step of the algorithm is to compute |
|
|
3758 the product vector $\vec x$ as follows. |
|
|
3759 |
|
|
3760 \begin{equation} |
|
|
3761 \vec x_n = \sum_{i+j = n} a_ib_j, \forall n \in \lbrace 0, 1, 2, \ldots, i + j \rbrace |
|
|
3762 \end{equation} |
|
|
3763 |
|
|
3764 Where $\vec x_n$ is the $n'th$ column of the output vector. Consider the following example which computes the vector $\vec x$ for the multiplication |
|
|
3765 of $576$ and $241$. |
|
|
3766 |
|
|
3767 \newpage\begin{figure}[here] |
|
|
3768 \begin{small} |
|
|
3769 \begin{center} |
|
|
3770 \begin{tabular}{|c|c|c|c|c|c|} |
|
|
3771 \hline & & 5 & 7 & 6 & First Input\\ |
|
|
3772 \hline $\times$ & & 2 & 4 & 1 & Second Input\\ |
|
|
3773 \hline & & $1 \cdot 5 = 5$ & $1 \cdot 7 = 7$ & $1 \cdot 6 = 6$ & First pass \\ |
|
|
3774 & $4 \cdot 5 = 20$ & $4 \cdot 7+5=33$ & $4 \cdot 6+7=31$ & 6 & Second pass \\ |
|
|
3775 $2 \cdot 5 = 10$ & $2 \cdot 7 + 20 = 34$ & $2 \cdot 6+33=45$ & 31 & 6 & Third pass \\ |
|
|
3776 \hline 10 & 34 & 45 & 31 & 6 & Final Result \\ |
|
|
3777 \hline |
|
|
3778 \end{tabular} |
|
|
3779 \end{center} |
|
|
3780 \end{small} |
|
|
3781 \caption{Comba Multiplication Diagram} |
|
|
3782 \end{figure} |
|
|
3783 |
|
|
3784 At this point the vector $x = \left < 10, 34, 45, 31, 6 \right >$ is the result of the first step of the Comba multipler. |
|
|
3785 Now the columns must be fixed by propagating the carry upwards. The resultant vector will have one extra dimension over the input vector which is |
|
|
3786 congruent to adding a leading zero digit. |
|
|
3787 |
|
|
3788 \begin{figure}[!here] |
|
|
3789 \begin{small} |
|
|
3790 \begin{center} |
|
|
3791 \begin{tabular}{l} |
|
|
3792 \hline Algorithm \textbf{Comba Fixup}. \\ |
|
|
3793 \textbf{Input}. Vector $\vec x$ of dimension $k$ \\ |
|
|
3794 \textbf{Output}. Vector $\vec x$ such that the carries have been propagated. \\ |
|
|
3795 \hline \\ |
|
|
3796 1. for $n$ from $0$ to $k - 1$ do \\ |
|
|
3797 \hspace{3mm}1.1 $\vec x_{n+1} \leftarrow \vec x_{n+1} + \lfloor \vec x_{n}/\beta \rfloor$ \\ |
|
|
3798 \hspace{3mm}1.2 $\vec x_{n} \leftarrow \vec x_{n} \mbox{ (mod }\beta\mbox{)}$ \\ |
|
|
3799 2. Return($\vec x$). \\ |
|
|
3800 \hline |
|
|
3801 \end{tabular} |
|
|
3802 \end{center} |
|
|
3803 \end{small} |
|
|
3804 \caption{Algorithm Comba Fixup} |
|
|
3805 \end{figure} |
|
|
3806 |
|
|
3807 With that algorithm and $k = 5$ and $\beta = 10$ the following vector is produced $\vec x= \left < 1, 3, 8, 8, 1, 6 \right >$. In this case |
|
|
3808 $241 \cdot 576$ is in fact $138816$ and the procedure succeeded. If the algorithm is correct and as will be demonstrated shortly more |
|
|
3809 efficient than the baseline algorithm why not simply always use this algorithm? |
|
|
3810 |
|
|
3811 \subsubsection{Column Weight.} |
|
|
3812 At the nested $O(n^2)$ level the Comba method adds the product of two single precision variables to each column of the output |
|
|
3813 independently. A serious obstacle is if the carry is lost, due to lack of precision before the algorithm has a chance to fix |
|
|
3814 the carries. For example, in the multiplication of two three-digit numbers the third column of output will be the sum of |
|
|
3815 three single precision multiplications. If the precision of the accumulator for the output digits is less then $3 \cdot (\beta - 1)^2$ then |
|
|
3816 an overflow can occur and the carry information will be lost. For any $m$ and $n$ digit inputs the maximum weight of any column is |
|
|
3817 min$(m, n)$ which is fairly obvious. |
|
|
3818 |
|
|
3819 The maximum number of terms in any column of a product is known as the ``column weight'' and strictly governs when the algorithm can be used. Recall |
|
|
3820 from earlier that a double precision type has $\alpha$ bits of resolution and a single precision digit has $lg(\beta)$ bits of precision. Given these |
|
|
3821 two quantities we must not violate the following |
|
|
3822 |
|
|
3823 \begin{equation} |
|
|
3824 k \cdot \left (\beta - 1 \right )^2 < 2^{\alpha} |
|
|
3825 \end{equation} |
|
|
3826 |
|
|
3827 Which reduces to |
|
|
3828 |
|
|
3829 \begin{equation} |
|
|
3830 k \cdot \left ( \beta^2 - 2\beta + 1 \right ) < 2^{\alpha} |
|
|
3831 \end{equation} |
|
|
3832 |
|
|
3833 Let $\rho = lg(\beta)$ represent the number of bits in a single precision digit. By further re-arrangement of the equation the final solution is |
|
|
3834 found. |
|
|
3835 |
|
|
3836 \begin{equation} |
|
|
3837 k < {{2^{\alpha}} \over {\left (2^{2\rho} - 2^{\rho + 1} + 1 \right )}} |
|
|
3838 \end{equation} |
|
|
3839 |
|
|
3840 The defaults for LibTomMath are $\beta = 2^{28}$ and $\alpha = 2^{64}$ which means that $k$ is bounded by $k < 257$. In this configuration |
|
|
3841 the smaller input may not have more than $256$ digits if the Comba method is to be used. This is quite satisfactory for most applications since |
|
|
3842 $256$ digits would allow for numbers in the range of $0 \le x < 2^{7168}$ which, is much larger than most public key cryptographic algorithms require. |
|
|
3843 |
|
|
3844 \newpage\begin{figure}[!here] |
|
|
3845 \begin{small} |
|
|
3846 \begin{center} |
|
|
3847 \begin{tabular}{l} |
|
|
3848 \hline Algorithm \textbf{fast\_s\_mp\_mul\_digs}. \\ |
|
|
3849 \textbf{Input}. mp\_int $a$, mp\_int $b$ and an integer $digs$ \\ |
|
|
3850 \textbf{Output}. $c \leftarrow \vert a \vert \cdot \vert b \vert \mbox{ (mod }\beta^{digs}\mbox{)}$. \\ |
|
|
3851 \hline \\ |
|
|
3852 Place an array of \textbf{MP\_WARRAY} single precision digits named $W$ on the stack. \\ |
|
|
3853 1. If $c.alloc < digs$ then grow $c$ to $digs$ digits. (\textit{mp\_grow}) \\ |
|
|
3854 2. If step 1 failed return(\textit{MP\_MEM}).\\ |
|
|
3855 \\ |
|
|
3856 3. $pa \leftarrow \mbox{MIN}(digs, a.used + b.used)$ \\ |
|
|
3857 \\ |
|
|
3858 4. $\_ \hat W \leftarrow 0$ \\ |
|
|
3859 5. for $ix$ from 0 to $pa - 1$ do \\ |
|
|
3860 \hspace{3mm}5.1 $ty \leftarrow \mbox{MIN}(b.used - 1, ix)$ \\ |
|
|
3861 \hspace{3mm}5.2 $tx \leftarrow ix - ty$ \\ |
|
|
3862 \hspace{3mm}5.3 $iy \leftarrow \mbox{MIN}(a.used - tx, ty + 1)$ \\ |
|
|
3863 \hspace{3mm}5.4 for $iz$ from 0 to $iy - 1$ do \\ |
|
|
3864 \hspace{6mm}5.4.1 $\_ \hat W \leftarrow \_ \hat W + a_{tx+iy}b_{ty-iy}$ \\ |
|
|
3865 \hspace{3mm}5.5 $W_{ix} \leftarrow \_ \hat W (\mbox{mod }\beta)$\\ |
|
|
3866 \hspace{3mm}5.6 $\_ \hat W \leftarrow \lfloor \_ \hat W / \beta \rfloor$ \\ |
|
|
3867 \\ |
|
386
|
3868 6. $oldused \leftarrow c.used$ \\ |
|
|
3869 7. $c.used \leftarrow digs$ \\ |
|
|
3870 8. for $ix$ from $0$ to $pa$ do \\ |
|
|
3871 \hspace{3mm}8.1 $c_{ix} \leftarrow W_{ix}$ \\ |
|
|
3872 9. for $ix$ from $pa + 1$ to $oldused - 1$ do \\ |
|
|
3873 \hspace{3mm}9.1 $c_{ix} \leftarrow 0$ \\ |
|
282
|
3874 \\ |
|
386
|
3875 10. Clamp $c$. \\ |
|
|
3876 11. Return MP\_OKAY. \\ |
|
282
|
3877 \hline |
|
|
3878 \end{tabular} |
|
|
3879 \end{center} |
|
|
3880 \end{small} |
|
|
3881 \caption{Algorithm fast\_s\_mp\_mul\_digs} |
|
|
3882 \label{fig:COMBAMULT} |
|
|
3883 \end{figure} |
|
|
3884 |
|
|
3885 \textbf{Algorithm fast\_s\_mp\_mul\_digs.} |
|
|
3886 This algorithm performs the unsigned multiplication of $a$ and $b$ using the Comba method limited to $digs$ digits of precision. |
|
|
3887 |
|
|
3888 The outer loop of this algorithm is more complicated than that of the baseline multiplier. This is because on the inside of the |
|
|
3889 loop we want to produce one column per pass. This allows the accumulator $\_ \hat W$ to be placed in CPU registers and |
|
|
3890 reduce the memory bandwidth to two \textbf{mp\_digit} reads per iteration. |
|
|
3891 |
|
|
3892 The $ty$ variable is set to the minimum count of $ix$ or the number of digits in $b$. That way if $a$ has more digits than |
|
|
3893 $b$ this will be limited to $b.used - 1$. The $tx$ variable is set to the to the distance past $b.used$ the variable |
|
|
3894 $ix$ is. This is used for the immediately subsequent statement where we find $iy$. |
|
|
3895 |
|
|
3896 The variable $iy$ is the minimum digits we can read from either $a$ or $b$ before running out. Computing one column at a time |
|
|
3897 means we have to scan one integer upwards and the other downwards. $a$ starts at $tx$ and $b$ starts at $ty$. In each |
|
|
3898 pass we are producing the $ix$'th output column and we note that $tx + ty = ix$. As we move $tx$ upwards we have to |
|
|
3899 move $ty$ downards so the equality remains valid. The $iy$ variable is the number of iterations until |
|
|
3900 $tx \ge a.used$ or $ty < 0$ occurs. |
|
|
3901 |
|
|
3902 After every inner pass we store the lower half of the accumulator into $W_{ix}$ and then propagate the carry of the accumulator |
|
|
3903 into the next round by dividing $\_ \hat W$ by $\beta$. |
|
|
3904 |
|
|
3905 To measure the benefits of the Comba method over the baseline method consider the number of operations that are required. If the |
|
|
3906 cost in terms of time of a multiply and addition is $p$ and the cost of a carry propagation is $q$ then a baseline multiplication would require |
|
|
3907 $O \left ((p + q)n^2 \right )$ time to multiply two $n$-digit numbers. The Comba method requires only $O(pn^2 + qn)$ time, however in practice, |
|
|
3908 the speed increase is actually much more. With $O(n)$ space the algorithm can be reduced to $O(pn + qn)$ time by implementing the $n$ multiply |
|
|
3909 and addition operations in the nested loop in parallel. |
|
|
3910 |
|
|
3911 \vspace{+3mm}\begin{small} |
|
|
3912 \hspace{-5.1mm}{\bf File}: bn\_fast\_s\_mp\_mul\_digs.c |
|
|
3913 \vspace{-3mm} |
|
|
3914 \begin{alltt} |
|
|
3915 016 |
|
|
3916 017 /* Fast (comba) multiplier |
|
|
3917 018 * |
|
|
3918 019 * This is the fast column-array [comba] multiplier. It is |
|
|
3919 020 * designed to compute the columns of the product first |
|
|
3920 021 * then handle the carries afterwards. This has the effect |
|
|
3921 022 * of making the nested loops that compute the columns very |
|
|
3922 023 * simple and schedulable on super-scalar processors. |
|
|
3923 024 * |
|
|
3924 025 * This has been modified to produce a variable number of |
|
|
3925 026 * digits of output so if say only a half-product is required |
|
|
3926 027 * you don't have to compute the upper half (a feature |
|
|
3927 028 * required for fast Barrett reduction). |
|
|
3928 029 * |
|
|
3929 030 * Based on Algorithm 14.12 on pp.595 of HAC. |
|
|
3930 031 * |
|
|
3931 032 */ |
|
|
3932 033 int fast_s_mp_mul_digs (mp_int * a, mp_int * b, mp_int * c, int digs) |
|
|
3933 034 \{ |
|
|
3934 035 int olduse, res, pa, ix, iz; |
|
|
3935 036 mp_digit W[MP_WARRAY]; |
|
|
3936 037 register mp_word _W; |
|
|
3937 038 |
|
|
3938 039 /* grow the destination as required */ |
|
|
3939 040 if (c->alloc < digs) \{ |
|
|
3940 041 if ((res = mp_grow (c, digs)) != MP_OKAY) \{ |
|
|
3941 042 return res; |
|
|
3942 043 \} |
|
|
3943 044 \} |
|
|
3944 045 |
|
|
3945 046 /* number of output digits to produce */ |
|
|
3946 047 pa = MIN(digs, a->used + b->used); |
|
|
3947 048 |
|
|
3948 049 /* clear the carry */ |
|
|
3949 050 _W = 0; |
|
|
3950 051 for (ix = 0; ix < pa; ix++) \{ |
|
|
3951 052 int tx, ty; |
|
|
3952 053 int iy; |
|
|
3953 054 mp_digit *tmpx, *tmpy; |
|
|
3954 055 |
|
|
3955 056 /* get offsets into the two bignums */ |
|
|
3956 057 ty = MIN(b->used-1, ix); |
|
|
3957 058 tx = ix - ty; |
|
|
3958 059 |
|
|
3959 060 /* setup temp aliases */ |
|
|
3960 061 tmpx = a->dp + tx; |
|
|
3961 062 tmpy = b->dp + ty; |
|
|
3962 063 |
|
|
3963 064 /* this is the number of times the loop will iterrate, essentially |
|
|
3964 065 while (tx++ < a->used && ty-- >= 0) \{ ... \} |
|
|
3965 066 */ |
|
|
3966 067 iy = MIN(a->used-tx, ty+1); |
|
|
3967 068 |
|
|
3968 069 /* execute loop */ |
|
|
3969 070 for (iz = 0; iz < iy; ++iz) \{ |
|
|
3970 071 _W += ((mp_word)*tmpx++)*((mp_word)*tmpy--); |
|
386
|
3971 072 |
|
|
3972 073 \} |
|
|
3973 074 |
|
|
3974 075 /* store term */ |
|
|
3975 076 W[ix] = ((mp_digit)_W) & MP_MASK; |
|
|
3976 077 |
|
|
3977 078 /* make next carry */ |
|
|
3978 079 _W = _W >> ((mp_word)DIGIT_BIT); |
|
|
3979 080 \} |
|
|
3980 081 |
|
|
3981 082 /* setup dest */ |
|
|
3982 083 olduse = c->used; |
|
|
3983 084 c->used = pa; |
|
|
3984 085 |
|
|
3985 086 \{ |
|
|
3986 087 register mp_digit *tmpc; |
|
|
3987 088 tmpc = c->dp; |
|
|
3988 089 for (ix = 0; ix < pa+1; ix++) \{ |
|
|
3989 090 /* now extract the previous digit [below the carry] */ |
|
|
3990 091 *tmpc++ = W[ix]; |
|
|
3991 092 \} |
|
|
3992 093 |
|
|
3993 094 /* clear unused digits [that existed in the old copy of c] */ |
|
|
3994 095 for (; ix < olduse; ix++) \{ |
|
|
3995 096 *tmpc++ = 0; |
|
|
3996 097 \} |
|
|
3997 098 \} |
|
|
3998 099 mp_clamp (c); |
|
|
3999 100 return MP_OKAY; |
|
|
4000 101 \} |
|
|
4001 102 #endif |
|
|
4002 103 |
|
282
|
4003 \end{alltt} |
|
|
4004 \end{small} |
|
|
4005 |
|
|
4006 As per the pseudo--code we first calculate $pa$ (line 47) as the number of digits to output. Next we begin the outer loop |
|
|
4007 to produce the individual columns of the product. We use the two aliases $tmpx$ and $tmpy$ (lines 61, 62) to point |
|
|
4008 inside the two multiplicands quickly. |
|
|
4009 |
|
386
|
4010 The inner loop (lines 70 to 73) of this implementation is where the tradeoff come into play. Originally this comba |
|
282
|
4011 implementation was ``row--major'' which means it adds to each of the columns in each pass. After the outer loop it would then fix |
|
|
4012 the carries. This was very fast except it had an annoying drawback. You had to read a mp\_word and two mp\_digits and write |
|
|
4013 one mp\_word per iteration. On processors such as the Athlon XP and P4 this did not matter much since the cache bandwidth |
|
|
4014 is very high and it can keep the ALU fed with data. It did, however, matter on older and embedded cpus where cache is often |
|
|
4015 slower and also often doesn't exist. This new algorithm only performs two reads per iteration under the assumption that the |
|
|
4016 compiler has aliased $\_ \hat W$ to a CPU register. |
|
|
4017 |
|
386
|
4018 After the inner loop we store the current accumulator in $W$ and shift $\_ \hat W$ (lines 76, 79) to forward it as |
|
|
4019 a carry for the next pass. After the outer loop we use the final carry (line 76) as the last digit of the product. |
|
282
|
4020 |
|
|
4021 \subsection{Polynomial Basis Multiplication} |
|
|
4022 To break the $O(n^2)$ barrier in multiplication requires a completely different look at integer multiplication. In the following algorithms |
|
|
4023 the use of polynomial basis representation for two integers $a$ and $b$ as $f(x) = \sum_{i=0}^{n} a_i x^i$ and |
|
|
4024 $g(x) = \sum_{i=0}^{n} b_i x^i$ respectively, is required. In this system both $f(x)$ and $g(x)$ have $n + 1$ terms and are of the $n$'th degree. |
|
|
4025 |
|
|
4026 The product $a \cdot b \equiv f(x)g(x)$ is the polynomial $W(x) = \sum_{i=0}^{2n} w_i x^i$. The coefficients $w_i$ will |
|
|
4027 directly yield the desired product when $\beta$ is substituted for $x$. The direct solution to solve for the $2n + 1$ coefficients |
|
|
4028 requires $O(n^2)$ time and would in practice be slower than the Comba technique. |
|
|
4029 |
|
|
4030 However, numerical analysis theory indicates that only $2n + 1$ distinct points in $W(x)$ are required to determine the values of the $2n + 1$ unknown |
|
|
4031 coefficients. This means by finding $\zeta_y = W(y)$ for $2n + 1$ small values of $y$ the coefficients of $W(x)$ can be found with |
|
|
4032 Gaussian elimination. This technique is also occasionally refered to as the \textit{interpolation technique} (\textit{references please...}) since in |
|
|
4033 effect an interpolation based on $2n + 1$ points will yield a polynomial equivalent to $W(x)$. |
|
|
4034 |
|
|
4035 The coefficients of the polynomial $W(x)$ are unknown which makes finding $W(y)$ for any value of $y$ impossible. However, since |
|
|
4036 $W(x) = f(x)g(x)$ the equivalent $\zeta_y = f(y) g(y)$ can be used in its place. The benefit of this technique stems from the |
|
|
4037 fact that $f(y)$ and $g(y)$ are much smaller than either $a$ or $b$ respectively. As a result finding the $2n + 1$ relations required |
|
|
4038 by multiplying $f(y)g(y)$ involves multiplying integers that are much smaller than either of the inputs. |
|
|
4039 |
|
|
4040 When picking points to gather relations there are always three obvious points to choose, $y = 0, 1$ and $ \infty$. The $\zeta_0$ term |
|
|
4041 is simply the product $W(0) = w_0 = a_0 \cdot b_0$. The $\zeta_1$ term is the product |
|
|
4042 $W(1) = \left (\sum_{i = 0}^{n} a_i \right ) \left (\sum_{i = 0}^{n} b_i \right )$. The third point $\zeta_{\infty}$ is less obvious but rather |
|
|
4043 simple to explain. The $2n + 1$'th coefficient of $W(x)$ is numerically equivalent to the most significant column in an integer multiplication. |
|
|
4044 The point at $\infty$ is used symbolically to represent the most significant column, that is $W(\infty) = w_{2n} = a_nb_n$. Note that the |
|
|
4045 points at $y = 0$ and $\infty$ yield the coefficients $w_0$ and $w_{2n}$ directly. |
|
|
4046 |
|
|
4047 If more points are required they should be of small values and powers of two such as $2^q$ and the related \textit{mirror points} |
|
|
4048 $\left (2^q \right )^{2n} \cdot \zeta_{2^{-q}}$ for small values of $q$. The term ``mirror point'' stems from the fact that |
|
|
4049 $\left (2^q \right )^{2n} \cdot \zeta_{2^{-q}}$ can be calculated in the exact opposite fashion as $\zeta_{2^q}$. For |
|
|
4050 example, when $n = 2$ and $q = 1$ then following two equations are equivalent to the point $\zeta_{2}$ and its mirror. |
|
|
4051 |
|
|
4052 \begin{eqnarray} |
|
|
4053 \zeta_{2} = f(2)g(2) = (4a_2 + 2a_1 + a_0)(4b_2 + 2b_1 + b_0) \nonumber \\ |
|
|
4054 16 \cdot \zeta_{1 \over 2} = 4f({1\over 2}) \cdot 4g({1 \over 2}) = (a_2 + 2a_1 + 4a_0)(b_2 + 2b_1 + 4b_0) |
|
|
4055 \end{eqnarray} |
|
|
4056 |
|
|
4057 Using such points will allow the values of $f(y)$ and $g(y)$ to be independently calculated using only left shifts. For example, when $n = 2$ the |
|
|
4058 polynomial $f(2^q)$ is equal to $2^q((2^qa_2) + a_1) + a_0$. This technique of polynomial representation is known as Horner's method. |
|
|
4059 |
|
|
4060 As a general rule of the algorithm when the inputs are split into $n$ parts each there are $2n - 1$ multiplications. Each multiplication is of |
|
|
4061 multiplicands that have $n$ times fewer digits than the inputs. The asymptotic running time of this algorithm is |
|
|
4062 $O \left ( k^{lg_n(2n - 1)} \right )$ for $k$ digit inputs (\textit{assuming they have the same number of digits}). Figure~\ref{fig:exponent} |
|
|
4063 summarizes the exponents for various values of $n$. |
|
|
4064 |
|
|
4065 \begin{figure} |
|
|
4066 \begin{center} |
|
|
4067 \begin{tabular}{|c|c|c|} |
|
|
4068 \hline \textbf{Split into $n$ Parts} & \textbf{Exponent} & \textbf{Notes}\\ |
|
|
4069 \hline $2$ & $1.584962501$ & This is Karatsuba Multiplication. \\ |
|
|
4070 \hline $3$ & $1.464973520$ & This is Toom-Cook Multiplication. \\ |
|
|
4071 \hline $4$ & $1.403677461$ &\\ |
|
|
4072 \hline $5$ & $1.365212389$ &\\ |
|
|
4073 \hline $10$ & $1.278753601$ &\\ |
|
|
4074 \hline $100$ & $1.149426538$ &\\ |
|
|
4075 \hline $1000$ & $1.100270931$ &\\ |
|
|
4076 \hline $10000$ & $1.075252070$ &\\ |
|
|
4077 \hline |
|
|
4078 \end{tabular} |
|
|
4079 \end{center} |
|
|
4080 \caption{Asymptotic Running Time of Polynomial Basis Multiplication} |
|
|
4081 \label{fig:exponent} |
|
|
4082 \end{figure} |
|
|
4083 |
|
|
4084 At first it may seem like a good idea to choose $n = 1000$ since the exponent is approximately $1.1$. However, the overhead |
|
|
4085 of solving for the 2001 terms of $W(x)$ will certainly consume any savings the algorithm could offer for all but exceedingly large |
|
|
4086 numbers. |
|
|
4087 |
|
|
4088 \subsubsection{Cutoff Point} |
|
|
4089 The polynomial basis multiplication algorithms all require fewer single precision multiplications than a straight Comba approach. However, |
|
|
4090 the algorithms incur an overhead (\textit{at the $O(n)$ work level}) since they require a system of equations to be solved. This makes the |
|
|
4091 polynomial basis approach more costly to use with small inputs. |
|
|
4092 |
|
|
4093 Let $m$ represent the number of digits in the multiplicands (\textit{assume both multiplicands have the same number of digits}). There exists a |
|
|
4094 point $y$ such that when $m < y$ the polynomial basis algorithms are more costly than Comba, when $m = y$ they are roughly the same cost and |
|
|
4095 when $m > y$ the Comba methods are slower than the polynomial basis algorithms. |
|
|
4096 |
|
|
4097 The exact location of $y$ depends on several key architectural elements of the computer platform in question. |
|
|
4098 |
|
|
4099 \begin{enumerate} |
|
|
4100 \item The ratio of clock cycles for single precision multiplication versus other simpler operations such as addition, shifting, etc. For example |
|
|
4101 on the AMD Athlon the ratio is roughly $17 : 1$ while on the Intel P4 it is $29 : 1$. The higher the ratio in favour of multiplication the lower |
|
|
4102 the cutoff point $y$ will be. |
|
|
4103 |
|
|
4104 \item The complexity of the linear system of equations (\textit{for the coefficients of $W(x)$}) is. Generally speaking as the number of splits |
|
|
4105 grows the complexity grows substantially. Ideally solving the system will only involve addition, subtraction and shifting of integers. This |
|
|
4106 directly reflects on the ratio previous mentioned. |
|
|
4107 |
|
|
4108 \item To a lesser extent memory bandwidth and function call overheads. Provided the values are in the processor cache this is less of an |
|
|
4109 influence over the cutoff point. |
|
|
4110 |
|
|
4111 \end{enumerate} |
|
|
4112 |
|
|
4113 A clean cutoff point separation occurs when a point $y$ is found such that all of the cutoff point conditions are met. For example, if the point |
|
|
4114 is too low then there will be values of $m$ such that $m > y$ and the Comba method is still faster. Finding the cutoff points is fairly simple when |
|
|
4115 a high resolution timer is available. |
|
|
4116 |
|
|
4117 \subsection{Karatsuba Multiplication} |
|
|
4118 Karatsuba \cite{KARA} multiplication when originally proposed in 1962 was among the first set of algorithms to break the $O(n^2)$ barrier for |
|
|
4119 general purpose multiplication. Given two polynomial basis representations $f(x) = ax + b$ and $g(x) = cx + d$, Karatsuba proved with |
|
|
4120 light algebra \cite{KARAP} that the following polynomial is equivalent to multiplication of the two integers the polynomials represent. |
|
|
4121 |
|
|
4122 \begin{equation} |
|
386
|
4123 f(x) \cdot g(x) = acx^2 + ((a + b)(c + d) - (ac + bd))x + bd |
|
282
|
4124 \end{equation} |
|
|
4125 |
|
|
4126 Using the observation that $ac$ and $bd$ could be re-used only three half sized multiplications would be required to produce the product. Applying |
|
|
4127 this algorithm recursively, the work factor becomes $O(n^{lg(3)})$ which is substantially better than the work factor $O(n^2)$ of the Comba technique. It turns |
|
|
4128 out what Karatsuba did not know or at least did not publish was that this is simply polynomial basis multiplication with the points |
|
386
|
4129 $\zeta_0$, $\zeta_{\infty}$ and $\zeta_{1}$. Consider the resultant system of equations. |
|
282
|
4130 |
|
|
4131 \begin{center} |
|
|
4132 \begin{tabular}{rcrcrcrc} |
|
|
4133 $\zeta_{0}$ & $=$ & & & & & $w_0$ \\ |
|
386
|
4134 $\zeta_{1}$ & $=$ & $w_2$ & $+$ & $w_1$ & $+$ & $w_0$ \\ |
|
282
|
4135 $\zeta_{\infty}$ & $=$ & $w_2$ & & & & \\ |
|
|
4136 \end{tabular} |
|
|
4137 \end{center} |
|
|
4138 |
|
|
4139 By adding the first and last equation to the equation in the middle the term $w_1$ can be isolated and all three coefficients solved for. The simplicity |
|
|
4140 of this system of equations has made Karatsuba fairly popular. In fact the cutoff point is often fairly low\footnote{With LibTomMath 0.18 it is 70 and 109 digits for the Intel P4 and AMD Athlon respectively.} |
|
386
|
4141 making it an ideal algorithm to speed up certain public key cryptosystems such as RSA and Diffie-Hellman. |
|
282
|
4142 |
|
|
4143 \newpage\begin{figure}[!here] |
|
|
4144 \begin{small} |
|
|
4145 \begin{center} |
|
|
4146 \begin{tabular}{l} |
|
|
4147 \hline Algorithm \textbf{mp\_karatsuba\_mul}. \\ |
|
|
4148 \textbf{Input}. mp\_int $a$ and mp\_int $b$ \\ |
|
|
4149 \textbf{Output}. $c \leftarrow \vert a \vert \cdot \vert b \vert$ \\ |
|
|
4150 \hline \\ |
|
|
4151 1. Init the following mp\_int variables: $x0$, $x1$, $y0$, $y1$, $t1$, $x0y0$, $x1y1$.\\ |
|
|
4152 2. If step 2 failed then return(\textit{MP\_MEM}). \\ |
|
|
4153 \\ |
|
|
4154 Split the input. e.g. $a = x1 \cdot \beta^B + x0$ \\ |
|
|
4155 3. $B \leftarrow \mbox{min}(a.used, b.used)/2$ \\ |
|
|
4156 4. $x0 \leftarrow a \mbox{ (mod }\beta^B\mbox{)}$ (\textit{mp\_mod\_2d}) \\ |
|
|
4157 5. $y0 \leftarrow b \mbox{ (mod }\beta^B\mbox{)}$ \\ |
|
|
4158 6. $x1 \leftarrow \lfloor a / \beta^B \rfloor$ (\textit{mp\_rshd}) \\ |
|
|
4159 7. $y1 \leftarrow \lfloor b / \beta^B \rfloor$ \\ |
|
|
4160 \\ |
|
|
4161 Calculate the three products. \\ |
|
|
4162 8. $x0y0 \leftarrow x0 \cdot y0$ (\textit{mp\_mul}) \\ |
|
|
4163 9. $x1y1 \leftarrow x1 \cdot y1$ \\ |
|
386
|
4164 10. $t1 \leftarrow x1 + x0$ (\textit{mp\_add}) \\ |
|
|
4165 11. $x0 \leftarrow y1 + y0$ \\ |
|
282
|
4166 12. $t1 \leftarrow t1 \cdot x0$ \\ |
|
|
4167 \\ |
|
|
4168 Calculate the middle term. \\ |
|
|
4169 13. $x0 \leftarrow x0y0 + x1y1$ \\ |
|
386
|
4170 14. $t1 \leftarrow t1 - x0$ (\textit{s\_mp\_sub}) \\ |
|
282
|
4171 \\ |
|
|
4172 Calculate the final product. \\ |
|
|
4173 15. $t1 \leftarrow t1 \cdot \beta^B$ (\textit{mp\_lshd}) \\ |
|
|
4174 16. $x1y1 \leftarrow x1y1 \cdot \beta^{2B}$ \\ |
|
|
4175 17. $t1 \leftarrow x0y0 + t1$ \\ |
|
|
4176 18. $c \leftarrow t1 + x1y1$ \\ |
|
|
4177 19. Clear all of the temporary variables. \\ |
|
|
4178 20. Return(\textit{MP\_OKAY}).\\ |
|
|
4179 \hline |
|
|
4180 \end{tabular} |
|
|
4181 \end{center} |
|
|
4182 \end{small} |
|
|
4183 \caption{Algorithm mp\_karatsuba\_mul} |
|
|
4184 \end{figure} |
|
|
4185 |
|
|
4186 \textbf{Algorithm mp\_karatsuba\_mul.} |
|
|
4187 This algorithm computes the unsigned product of two inputs using the Karatsuba multiplication algorithm. It is loosely based on the description |
|
|
4188 from Knuth \cite[pp. 294-295]{TAOCPV2}. |
|
|
4189 |
|
|
4190 \index{radix point} |
|
|
4191 In order to split the two inputs into their respective halves, a suitable \textit{radix point} must be chosen. The radix point chosen must |
|
|
4192 be used for both of the inputs meaning that it must be smaller than the smallest input. Step 3 chooses the radix point $B$ as half of the |
|
|
4193 smallest input \textbf{used} count. After the radix point is chosen the inputs are split into lower and upper halves. Step 4 and 5 |
|
|
4194 compute the lower halves. Step 6 and 7 computer the upper halves. |
|
|
4195 |
|
|
4196 After the halves have been computed the three intermediate half-size products must be computed. Step 8 and 9 compute the trivial products |
|
386
|
4197 $x0 \cdot y0$ and $x1 \cdot y1$. The mp\_int $x0$ is used as a temporary variable after $x1 + x0$ has been computed. By using $x0$ instead |
|
282
|
4198 of an additional temporary variable, the algorithm can avoid an addition memory allocation operation. |
|
|
4199 |
|
|
4200 The remaining steps 13 through 18 compute the Karatsuba polynomial through a variety of digit shifting and addition operations. |
|
|
4201 |
|
|
4202 \vspace{+3mm}\begin{small} |
|
|
4203 \hspace{-5.1mm}{\bf File}: bn\_mp\_karatsuba\_mul.c |
|
|
4204 \vspace{-3mm} |
|
|
4205 \begin{alltt} |
|
|
4206 016 |
|
|
4207 017 /* c = |a| * |b| using Karatsuba Multiplication using |
|
|
4208 018 * three half size multiplications |
|
|
4209 019 * |
|
|
4210 020 * Let B represent the radix [e.g. 2**DIGIT_BIT] and |
|
|
4211 021 * let n represent half of the number of digits in |
|
|
4212 022 * the min(a,b) |
|
|
4213 023 * |
|
|
4214 024 * a = a1 * B**n + a0 |
|
|
4215 025 * b = b1 * B**n + b0 |
|
|
4216 026 * |
|
|
4217 027 * Then, a * b => |
|
386
|
4218 028 a1b1 * B**2n + ((a1 + a0)(b1 + b0) - (a0b0 + a1b1)) * B + a0b0 |
|
282
|
4219 029 * |
|
|
4220 030 * Note that a1b1 and a0b0 are used twice and only need to be |
|
|
4221 031 * computed once. So in total three half size (half # of |
|
|
4222 032 * digit) multiplications are performed, a0b0, a1b1 and |
|
386
|
4223 033 * (a1+b1)(a0+b0) |
|
282
|
4224 034 * |
|
|
4225 035 * Note that a multiplication of half the digits requires |
|
|
4226 036 * 1/4th the number of single precision multiplications so in |
|
|
4227 037 * total after one call 25% of the single precision multiplications |
|
|
4228 038 * are saved. Note also that the call to mp_mul can end up back |
|
|
4229 039 * in this function if the a0, a1, b0, or b1 are above the threshold. |
|
|
4230 040 * This is known as divide-and-conquer and leads to the famous |
|
|
4231 041 * O(N**lg(3)) or O(N**1.584) work which is asymptopically lower than |
|
|
4232 042 * the standard O(N**2) that the baseline/comba methods use. |
|
|
4233 043 * Generally though the overhead of this method doesn't pay off |
|
|
4234 044 * until a certain size (N ~ 80) is reached. |
|
|
4235 045 */ |
|
|
4236 046 int mp_karatsuba_mul (mp_int * a, mp_int * b, mp_int * c) |
|
|
4237 047 \{ |
|
|
4238 048 mp_int x0, x1, y0, y1, t1, x0y0, x1y1; |
|
|
4239 049 int B, err; |
|
|
4240 050 |
|
|
4241 051 /* default the return code to an error */ |
|
|
4242 052 err = MP_MEM; |
|
|
4243 053 |
|
|
4244 054 /* min # of digits */ |
|
|
4245 055 B = MIN (a->used, b->used); |
|
|
4246 056 |
|
|
4247 057 /* now divide in two */ |
|
|
4248 058 B = B >> 1; |
|
|
4249 059 |
|
|
4250 060 /* init copy all the temps */ |
|
|
4251 061 if (mp_init_size (&x0, B) != MP_OKAY) |
|
|
4252 062 goto ERR; |
|
|
4253 063 if (mp_init_size (&x1, a->used - B) != MP_OKAY) |
|
|
4254 064 goto X0; |
|
|
4255 065 if (mp_init_size (&y0, B) != MP_OKAY) |
|
|
4256 066 goto X1; |
|
|
4257 067 if (mp_init_size (&y1, b->used - B) != MP_OKAY) |
|
|
4258 068 goto Y0; |
|
|
4259 069 |
|
|
4260 070 /* init temps */ |
|
|
4261 071 if (mp_init_size (&t1, B * 2) != MP_OKAY) |
|
|
4262 072 goto Y1; |
|
|
4263 073 if (mp_init_size (&x0y0, B * 2) != MP_OKAY) |
|
|
4264 074 goto T1; |
|
|
4265 075 if (mp_init_size (&x1y1, B * 2) != MP_OKAY) |
|
|
4266 076 goto X0Y0; |
|
|
4267 077 |
|
|
4268 078 /* now shift the digits */ |
|
|
4269 079 x0.used = y0.used = B; |
|
|
4270 080 x1.used = a->used - B; |
|
|
4271 081 y1.used = b->used - B; |
|
|
4272 082 |
|
|
4273 083 \{ |
|
|
4274 084 register int x; |
|
|
4275 085 register mp_digit *tmpa, *tmpb, *tmpx, *tmpy; |
|
|
4276 086 |
|
|
4277 087 /* we copy the digits directly instead of using higher level functions |
|
|
4278 088 * since we also need to shift the digits |
|
|
4279 089 */ |
|
|
4280 090 tmpa = a->dp; |
|
|
4281 091 tmpb = b->dp; |
|
|
4282 092 |
|
|
4283 093 tmpx = x0.dp; |
|
|
4284 094 tmpy = y0.dp; |
|
|
4285 095 for (x = 0; x < B; x++) \{ |
|
|
4286 096 *tmpx++ = *tmpa++; |
|
|
4287 097 *tmpy++ = *tmpb++; |
|
|
4288 098 \} |
|
|
4289 099 |
|
|
4290 100 tmpx = x1.dp; |
|
|
4291 101 for (x = B; x < a->used; x++) \{ |
|
|
4292 102 *tmpx++ = *tmpa++; |
|
|
4293 103 \} |
|
|
4294 104 |
|
|
4295 105 tmpy = y1.dp; |
|
|
4296 106 for (x = B; x < b->used; x++) \{ |
|
|
4297 107 *tmpy++ = *tmpb++; |
|
|
4298 108 \} |
|
|
4299 109 \} |
|
|
4300 110 |
|
|
4301 111 /* only need to clamp the lower words since by definition the |
|
|
4302 112 * upper words x1/y1 must have a known number of digits |
|
|
4303 113 */ |
|
|
4304 114 mp_clamp (&x0); |
|
|
4305 115 mp_clamp (&y0); |
|
|
4306 116 |
|
|
4307 117 /* now calc the products x0y0 and x1y1 */ |
|
|
4308 118 /* after this x0 is no longer required, free temp [x0==t2]! */ |
|
|
4309 119 if (mp_mul (&x0, &y0, &x0y0) != MP_OKAY) |
|
|
4310 120 goto X1Y1; /* x0y0 = x0*y0 */ |
|
|
4311 121 if (mp_mul (&x1, &y1, &x1y1) != MP_OKAY) |
|
|
4312 122 goto X1Y1; /* x1y1 = x1*y1 */ |
|
|
4313 123 |
|
386
|
4314 124 /* now calc x1+x0 and y1+y0 */ |
|
|
4315 125 if (s_mp_add (&x1, &x0, &t1) != MP_OKAY) |
|
282
|
4316 126 goto X1Y1; /* t1 = x1 - x0 */ |
|
386
|
4317 127 if (s_mp_add (&y1, &y0, &x0) != MP_OKAY) |
|
282
|
4318 128 goto X1Y1; /* t2 = y1 - y0 */ |
|
|
4319 129 if (mp_mul (&t1, &x0, &t1) != MP_OKAY) |
|
386
|
4320 130 goto X1Y1; /* t1 = (x1 + x0) * (y1 + y0) */ |
|
282
|
4321 131 |
|
|
4322 132 /* add x0y0 */ |
|
|
4323 133 if (mp_add (&x0y0, &x1y1, &x0) != MP_OKAY) |
|
|
4324 134 goto X1Y1; /* t2 = x0y0 + x1y1 */ |
|
386
|
4325 135 if (s_mp_sub (&t1, &x0, &t1) != MP_OKAY) |
|
|
4326 136 goto X1Y1; /* t1 = (x1+x0)*(y1+y0) - (x1y1 + x0y0) */ |
|
282
|
4327 137 |
|
|
4328 138 /* shift by B */ |
|
|
4329 139 if (mp_lshd (&t1, B) != MP_OKAY) |
|
|
4330 140 goto X1Y1; /* t1 = (x0y0 + x1y1 - (x1-x0)*(y1-y0))<<B */ |
|
|
4331 141 if (mp_lshd (&x1y1, B * 2) != MP_OKAY) |
|
|
4332 142 goto X1Y1; /* x1y1 = x1y1 << 2*B */ |
|
|
4333 143 |
|
|
4334 144 if (mp_add (&x0y0, &t1, &t1) != MP_OKAY) |
|
|
4335 145 goto X1Y1; /* t1 = x0y0 + t1 */ |
|
|
4336 146 if (mp_add (&t1, &x1y1, c) != MP_OKAY) |
|
|
4337 147 goto X1Y1; /* t1 = x0y0 + t1 + x1y1 */ |
|
|
4338 148 |
|
|
4339 149 /* Algorithm succeeded set the return code to MP_OKAY */ |
|
|
4340 150 err = MP_OKAY; |
|
|
4341 151 |
|
|
4342 152 X1Y1:mp_clear (&x1y1); |
|
|
4343 153 X0Y0:mp_clear (&x0y0); |
|
|
4344 154 T1:mp_clear (&t1); |
|
|
4345 155 Y1:mp_clear (&y1); |
|
|
4346 156 Y0:mp_clear (&y0); |
|
|
4347 157 X1:mp_clear (&x1); |
|
|
4348 158 X0:mp_clear (&x0); |
|
|
4349 159 ERR: |
|
|
4350 160 return err; |
|
|
4351 161 \} |
|
|
4352 162 #endif |
|
386
|
4353 163 |
|
282
|
4354 \end{alltt} |
|
|
4355 \end{small} |
|
|
4356 |
|
|
4357 The new coding element in this routine, not seen in previous routines, is the usage of goto statements. The conventional |
|
|
4358 wisdom is that goto statements should be avoided. This is generally true, however when every single function call can fail, it makes sense |
|
|
4359 to handle error recovery with a single piece of code. Lines 61 to 75 handle initializing all of the temporary variables |
|
|
4360 required. Note how each of the if statements goes to a different label in case of failure. This allows the routine to correctly free only |
|
|
4361 the temporaries that have been successfully allocated so far. |
|
|
4362 |
|
|
4363 The temporary variables are all initialized using the mp\_init\_size routine since they are expected to be large. This saves the |
|
|
4364 additional reallocation that would have been necessary. Also $x0$, $x1$, $y0$ and $y1$ have to be able to hold at least their respective |
|
|
4365 number of digits for the next section of code. |
|
|
4366 |
|
|
4367 The first algebraic portion of the algorithm is to split the two inputs into their halves. However, instead of using mp\_mod\_2d and mp\_rshd |
|
|
4368 to extract the halves, the respective code has been placed inline within the body of the function. To initialize the halves, the \textbf{used} and |
|
|
4369 \textbf{sign} members are copied first. The first for loop on line 101 copies the lower halves. Since they are both the same magnitude it |
|
|
4370 is simpler to calculate both lower halves in a single loop. The for loop on lines 106 and 106 calculate the upper halves $x1$ and |
|
|
4371 $y1$ respectively. |
|
|
4372 |
|
|
4373 By inlining the calculation of the halves, the Karatsuba multiplier has a slightly lower overhead and can be used for smaller magnitude inputs. |
|
|
4374 |
|
|
4375 When line 150 is reached, the algorithm has completed succesfully. The ``error status'' variable $err$ is set to \textbf{MP\_OKAY} so that |
|
|
4376 the same code that handles errors can be used to clear the temporary variables and return. |
|
|
4377 |
|
|
4378 \subsection{Toom-Cook $3$-Way Multiplication} |
|
|
4379 Toom-Cook $3$-Way \cite{TOOM} multiplication is essentially the polynomial basis algorithm for $n = 2$ except that the points are |
|
|
4380 chosen such that $\zeta$ is easy to compute and the resulting system of equations easy to reduce. Here, the points $\zeta_{0}$, |
|
|
4381 $16 \cdot \zeta_{1 \over 2}$, $\zeta_1$, $\zeta_2$ and $\zeta_{\infty}$ make up the five required points to solve for the coefficients |
|
|
4382 of the $W(x)$. |
|
|
4383 |
|
|
4384 With the five relations that Toom-Cook specifies, the following system of equations is formed. |
|
|
4385 |
|
|
4386 \begin{center} |
|
|
4387 \begin{tabular}{rcrcrcrcrcr} |
|
|
4388 $\zeta_0$ & $=$ & $0w_4$ & $+$ & $0w_3$ & $+$ & $0w_2$ & $+$ & $0w_1$ & $+$ & $1w_0$ \\ |
|
|
4389 $16 \cdot \zeta_{1 \over 2}$ & $=$ & $1w_4$ & $+$ & $2w_3$ & $+$ & $4w_2$ & $+$ & $8w_1$ & $+$ & $16w_0$ \\ |
|
|
4390 $\zeta_1$ & $=$ & $1w_4$ & $+$ & $1w_3$ & $+$ & $1w_2$ & $+$ & $1w_1$ & $+$ & $1w_0$ \\ |
|
|
4391 $\zeta_2$ & $=$ & $16w_4$ & $+$ & $8w_3$ & $+$ & $4w_2$ & $+$ & $2w_1$ & $+$ & $1w_0$ \\ |
|
|
4392 $\zeta_{\infty}$ & $=$ & $1w_4$ & $+$ & $0w_3$ & $+$ & $0w_2$ & $+$ & $0w_1$ & $+$ & $0w_0$ \\ |
|
|
4393 \end{tabular} |
|
|
4394 \end{center} |
|
|
4395 |
|
|
4396 A trivial solution to this matrix requires $12$ subtractions, two multiplications by a small power of two, two divisions by a small power |
|
|
4397 of two, two divisions by three and one multiplication by three. All of these $19$ sub-operations require less than quadratic time, meaning that |
|
|
4398 the algorithm can be faster than a baseline multiplication. However, the greater complexity of this algorithm places the cutoff point |
|
|
4399 (\textbf{TOOM\_MUL\_CUTOFF}) where Toom-Cook becomes more efficient much higher than the Karatsuba cutoff point. |
|
|
4400 |
|
|
4401 \begin{figure}[!here] |
|
|
4402 \begin{small} |
|
|
4403 \begin{center} |
|
|
4404 \begin{tabular}{l} |
|
|
4405 \hline Algorithm \textbf{mp\_toom\_mul}. \\ |
|
|
4406 \textbf{Input}. mp\_int $a$ and mp\_int $b$ \\ |
|
|
4407 \textbf{Output}. $c \leftarrow a \cdot b $ \\ |
|
|
4408 \hline \\ |
|
|
4409 Split $a$ and $b$ into three pieces. E.g. $a = a_2 \beta^{2k} + a_1 \beta^{k} + a_0$ \\ |
|
|
4410 1. $k \leftarrow \lfloor \mbox{min}(a.used, b.used) / 3 \rfloor$ \\ |
|
|
4411 2. $a_0 \leftarrow a \mbox{ (mod }\beta^{k}\mbox{)}$ \\ |
|
|
4412 3. $a_1 \leftarrow \lfloor a / \beta^k \rfloor$, $a_1 \leftarrow a_1 \mbox{ (mod }\beta^{k}\mbox{)}$ \\ |
|
|
4413 4. $a_2 \leftarrow \lfloor a / \beta^{2k} \rfloor$, $a_2 \leftarrow a_2 \mbox{ (mod }\beta^{k}\mbox{)}$ \\ |
|
|
4414 5. $b_0 \leftarrow a \mbox{ (mod }\beta^{k}\mbox{)}$ \\ |
|
|
4415 6. $b_1 \leftarrow \lfloor a / \beta^k \rfloor$, $b_1 \leftarrow b_1 \mbox{ (mod }\beta^{k}\mbox{)}$ \\ |
|
|
4416 7. $b_2 \leftarrow \lfloor a / \beta^{2k} \rfloor$, $b_2 \leftarrow b_2 \mbox{ (mod }\beta^{k}\mbox{)}$ \\ |
|
|
4417 \\ |
|
|
4418 Find the five equations for $w_0, w_1, ..., w_4$. \\ |
|
|
4419 8. $w_0 \leftarrow a_0 \cdot b_0$ \\ |
|
|
4420 9. $w_4 \leftarrow a_2 \cdot b_2$ \\ |
|
|
4421 10. $tmp_1 \leftarrow 2 \cdot a_0$, $tmp_1 \leftarrow a_1 + tmp_1$, $tmp_1 \leftarrow 2 \cdot tmp_1$, $tmp_1 \leftarrow tmp_1 + a_2$ \\ |
|
|
4422 11. $tmp_2 \leftarrow 2 \cdot b_0$, $tmp_2 \leftarrow b_1 + tmp_2$, $tmp_2 \leftarrow 2 \cdot tmp_2$, $tmp_2 \leftarrow tmp_2 + b_2$ \\ |
|
|
4423 12. $w_1 \leftarrow tmp_1 \cdot tmp_2$ \\ |
|
|
4424 13. $tmp_1 \leftarrow 2 \cdot a_2$, $tmp_1 \leftarrow a_1 + tmp_1$, $tmp_1 \leftarrow 2 \cdot tmp_1$, $tmp_1 \leftarrow tmp_1 + a_0$ \\ |
|
|
4425 14. $tmp_2 \leftarrow 2 \cdot b_2$, $tmp_2 \leftarrow b_1 + tmp_2$, $tmp_2 \leftarrow 2 \cdot tmp_2$, $tmp_2 \leftarrow tmp_2 + b_0$ \\ |
|
|
4426 15. $w_3 \leftarrow tmp_1 \cdot tmp_2$ \\ |
|
|
4427 16. $tmp_1 \leftarrow a_0 + a_1$, $tmp_1 \leftarrow tmp_1 + a_2$, $tmp_2 \leftarrow b_0 + b_1$, $tmp_2 \leftarrow tmp_2 + b_2$ \\ |
|
|
4428 17. $w_2 \leftarrow tmp_1 \cdot tmp_2$ \\ |
|
|
4429 \\ |
|
|
4430 Continued on the next page.\\ |
|
|
4431 \hline |
|
|
4432 \end{tabular} |
|
|
4433 \end{center} |
|
|
4434 \end{small} |
|
|
4435 \caption{Algorithm mp\_toom\_mul} |
|
|
4436 \end{figure} |
|
|
4437 |
|
|
4438 \newpage\begin{figure}[!here] |
|
|
4439 \begin{small} |
|
|
4440 \begin{center} |
|
|
4441 \begin{tabular}{l} |
|
|
4442 \hline Algorithm \textbf{mp\_toom\_mul} (continued). \\ |
|
|
4443 \textbf{Input}. mp\_int $a$ and mp\_int $b$ \\ |
|
|
4444 \textbf{Output}. $c \leftarrow a \cdot b $ \\ |
|
|
4445 \hline \\ |
|
|
4446 Now solve the system of equations. \\ |
|
|
4447 18. $w_1 \leftarrow w_4 - w_1$, $w_3 \leftarrow w_3 - w_0$ \\ |
|
|
4448 19. $w_1 \leftarrow \lfloor w_1 / 2 \rfloor$, $w_3 \leftarrow \lfloor w_3 / 2 \rfloor$ \\ |
|
|
4449 20. $w_2 \leftarrow w_2 - w_0$, $w_2 \leftarrow w_2 - w_4$ \\ |
|
|
4450 21. $w_1 \leftarrow w_1 - w_2$, $w_3 \leftarrow w_3 - w_2$ \\ |
|
|
4451 22. $tmp_1 \leftarrow 8 \cdot w_0$, $w_1 \leftarrow w_1 - tmp_1$, $tmp_1 \leftarrow 8 \cdot w_4$, $w_3 \leftarrow w_3 - tmp_1$ \\ |
|
|
4452 23. $w_2 \leftarrow 3 \cdot w_2$, $w_2 \leftarrow w_2 - w_1$, $w_2 \leftarrow w_2 - w_3$ \\ |
|
|
4453 24. $w_1 \leftarrow w_1 - w_2$, $w_3 \leftarrow w_3 - w_2$ \\ |
|
|
4454 25. $w_1 \leftarrow \lfloor w_1 / 3 \rfloor, w_3 \leftarrow \lfloor w_3 / 3 \rfloor$ \\ |
|
|
4455 \\ |
|
|
4456 Now substitute $\beta^k$ for $x$ by shifting $w_0, w_1, ..., w_4$. \\ |
|
|
4457 26. for $n$ from $1$ to $4$ do \\ |
|
|
4458 \hspace{3mm}26.1 $w_n \leftarrow w_n \cdot \beta^{nk}$ \\ |
|
|
4459 27. $c \leftarrow w_0 + w_1$, $c \leftarrow c + w_2$, $c \leftarrow c + w_3$, $c \leftarrow c + w_4$ \\ |
|
|
4460 28. Return(\textit{MP\_OKAY}) \\ |
|
|
4461 \hline |
|
|
4462 \end{tabular} |
|
|
4463 \end{center} |
|
|
4464 \end{small} |
|
|
4465 \caption{Algorithm mp\_toom\_mul (continued)} |
|
|
4466 \end{figure} |
|
|
4467 |
|
|
4468 \textbf{Algorithm mp\_toom\_mul.} |
|
|
4469 This algorithm computes the product of two mp\_int variables $a$ and $b$ using the Toom-Cook approach. Compared to the Karatsuba multiplication, this |
|
|
4470 algorithm has a lower asymptotic running time of approximately $O(n^{1.464})$ but at an obvious cost in overhead. In this |
|
|
4471 description, several statements have been compounded to save space. The intention is that the statements are executed from left to right across |
|
|
4472 any given step. |
|
|
4473 |
|
|
4474 The two inputs $a$ and $b$ are first split into three $k$-digit integers $a_0, a_1, a_2$ and $b_0, b_1, b_2$ respectively. From these smaller |
|
|
4475 integers the coefficients of the polynomial basis representations $f(x)$ and $g(x)$ are known and can be used to find the relations required. |
|
|
4476 |
|
|
4477 The first two relations $w_0$ and $w_4$ are the points $\zeta_{0}$ and $\zeta_{\infty}$ respectively. The relation $w_1, w_2$ and $w_3$ correspond |
|
|
4478 to the points $16 \cdot \zeta_{1 \over 2}, \zeta_{2}$ and $\zeta_{1}$ respectively. These are found using logical shifts to independently find |
|
|
4479 $f(y)$ and $g(y)$ which significantly speeds up the algorithm. |
|
|
4480 |
|
|
4481 After the five relations $w_0, w_1, \ldots, w_4$ have been computed, the system they represent must be solved in order for the unknown coefficients |
|
|
4482 $w_1, w_2$ and $w_3$ to be isolated. The steps 18 through 25 perform the system reduction required as previously described. Each step of |
|
|
4483 the reduction represents the comparable matrix operation that would be performed had this been performed by pencil. For example, step 18 indicates |
|
|
4484 that row $1$ must be subtracted from row $4$ and simultaneously row $0$ subtracted from row $3$. |
|
|
4485 |
|
|
4486 Once the coeffients have been isolated, the polynomial $W(x) = \sum_{i=0}^{2n} w_i x^i$ is known. By substituting $\beta^{k}$ for $x$, the integer |
|
|
4487 result $a \cdot b$ is produced. |
|
|
4488 |
|
|
4489 \vspace{+3mm}\begin{small} |
|
|
4490 \hspace{-5.1mm}{\bf File}: bn\_mp\_toom\_mul.c |
|
|
4491 \vspace{-3mm} |
|
|
4492 \begin{alltt} |
|
|
4493 016 |
|
|
4494 017 /* multiplication using the Toom-Cook 3-way algorithm |
|
|
4495 018 * |
|
|
4496 019 * Much more complicated than Karatsuba but has a lower |
|
|
4497 020 * asymptotic running time of O(N**1.464). This algorithm is |
|
|
4498 021 * only particularly useful on VERY large inputs |
|
|
4499 022 * (we're talking 1000s of digits here...). |
|
|
4500 023 */ |
|
|
4501 024 int mp_toom_mul(mp_int *a, mp_int *b, mp_int *c) |
|
|
4502 025 \{ |
|
|
4503 026 mp_int w0, w1, w2, w3, w4, tmp1, tmp2, a0, a1, a2, b0, b1, b2; |
|
|
4504 027 int res, B; |
|
|
4505 028 |
|
|
4506 029 /* init temps */ |
|
|
4507 030 if ((res = mp_init_multi(&w0, &w1, &w2, &w3, &w4, |
|
|
4508 031 &a0, &a1, &a2, &b0, &b1, |
|
|
4509 032 &b2, &tmp1, &tmp2, NULL)) != MP_OKAY) \{ |
|
|
4510 033 return res; |
|
|
4511 034 \} |
|
|
4512 035 |
|
|
4513 036 /* B */ |
|
|
4514 037 B = MIN(a->used, b->used) / 3; |
|
|
4515 038 |
|
|
4516 039 /* a = a2 * B**2 + a1 * B + a0 */ |
|
|
4517 040 if ((res = mp_mod_2d(a, DIGIT_BIT * B, &a0)) != MP_OKAY) \{ |
|
|
4518 041 goto ERR; |
|
|
4519 042 \} |
|
|
4520 043 |
|
|
4521 044 if ((res = mp_copy(a, &a1)) != MP_OKAY) \{ |
|
|
4522 045 goto ERR; |
|
|
4523 046 \} |
|
|
4524 047 mp_rshd(&a1, B); |
|
|
4525 048 mp_mod_2d(&a1, DIGIT_BIT * B, &a1); |
|
|
4526 049 |
|
|
4527 050 if ((res = mp_copy(a, &a2)) != MP_OKAY) \{ |
|
|
4528 051 goto ERR; |
|
|
4529 052 \} |
|
|
4530 053 mp_rshd(&a2, B*2); |
|
|
4531 054 |
|
|
4532 055 /* b = b2 * B**2 + b1 * B + b0 */ |
|
|
4533 056 if ((res = mp_mod_2d(b, DIGIT_BIT * B, &b0)) != MP_OKAY) \{ |
|
|
4534 057 goto ERR; |
|
|
4535 058 \} |
|
|
4536 059 |
|
|
4537 060 if ((res = mp_copy(b, &b1)) != MP_OKAY) \{ |
|
|
4538 061 goto ERR; |
|
|
4539 062 \} |
|
|
4540 063 mp_rshd(&b1, B); |
|
|
4541 064 mp_mod_2d(&b1, DIGIT_BIT * B, &b1); |
|
|
4542 065 |
|
|
4543 066 if ((res = mp_copy(b, &b2)) != MP_OKAY) \{ |
|
|
4544 067 goto ERR; |
|
|
4545 068 \} |
|
|
4546 069 mp_rshd(&b2, B*2); |
|
|
4547 070 |
|
|
4548 071 /* w0 = a0*b0 */ |
|
|
4549 072 if ((res = mp_mul(&a0, &b0, &w0)) != MP_OKAY) \{ |
|
|
4550 073 goto ERR; |
|
|
4551 074 \} |
|
|
4552 075 |
|
|
4553 076 /* w4 = a2 * b2 */ |
|
|
4554 077 if ((res = mp_mul(&a2, &b2, &w4)) != MP_OKAY) \{ |
|
|
4555 078 goto ERR; |
|
|
4556 079 \} |
|
|
4557 080 |
|
|
4558 081 /* w1 = (a2 + 2(a1 + 2a0))(b2 + 2(b1 + 2b0)) */ |
|
|
4559 082 if ((res = mp_mul_2(&a0, &tmp1)) != MP_OKAY) \{ |
|
|
4560 083 goto ERR; |
|
|
4561 084 \} |
|
|
4562 085 if ((res = mp_add(&tmp1, &a1, &tmp1)) != MP_OKAY) \{ |
|
|
4563 086 goto ERR; |
|
|
4564 087 \} |
|
|
4565 088 if ((res = mp_mul_2(&tmp1, &tmp1)) != MP_OKAY) \{ |
|
|
4566 089 goto ERR; |
|
|
4567 090 \} |
|
|
4568 091 if ((res = mp_add(&tmp1, &a2, &tmp1)) != MP_OKAY) \{ |
|
|
4569 092 goto ERR; |
|
|
4570 093 \} |
|
|
4571 094 |
|
|
4572 095 if ((res = mp_mul_2(&b0, &tmp2)) != MP_OKAY) \{ |
|
|
4573 096 goto ERR; |
|
|
4574 097 \} |
|
|
4575 098 if ((res = mp_add(&tmp2, &b1, &tmp2)) != MP_OKAY) \{ |
|
|
4576 099 goto ERR; |
|
|
4577 100 \} |
|
|
4578 101 if ((res = mp_mul_2(&tmp2, &tmp2)) != MP_OKAY) \{ |
|
|
4579 102 goto ERR; |
|
|
4580 103 \} |
|
|
4581 104 if ((res = mp_add(&tmp2, &b2, &tmp2)) != MP_OKAY) \{ |
|
|
4582 105 goto ERR; |
|
|
4583 106 \} |
|
|
4584 107 |
|
|
4585 108 if ((res = mp_mul(&tmp1, &tmp2, &w1)) != MP_OKAY) \{ |
|
|
4586 109 goto ERR; |
|
|
4587 110 \} |
|
|
4588 111 |
|
|
4589 112 /* w3 = (a0 + 2(a1 + 2a2))(b0 + 2(b1 + 2b2)) */ |
|
|
4590 113 if ((res = mp_mul_2(&a2, &tmp1)) != MP_OKAY) \{ |
|
|
4591 114 goto ERR; |
|
|
4592 115 \} |
|
|
4593 116 if ((res = mp_add(&tmp1, &a1, &tmp1)) != MP_OKAY) \{ |
|
|
4594 117 goto ERR; |
|
|
4595 118 \} |
|
|
4596 119 if ((res = mp_mul_2(&tmp1, &tmp1)) != MP_OKAY) \{ |
|
|
4597 120 goto ERR; |
|
|
4598 121 \} |
|
|
4599 122 if ((res = mp_add(&tmp1, &a0, &tmp1)) != MP_OKAY) \{ |
|
|
4600 123 goto ERR; |
|
|
4601 124 \} |
|
|
4602 125 |
|
|
4603 126 if ((res = mp_mul_2(&b2, &tmp2)) != MP_OKAY) \{ |
|
|
4604 127 goto ERR; |
|
|
4605 128 \} |
|
|
4606 129 if ((res = mp_add(&tmp2, &b1, &tmp2)) != MP_OKAY) \{ |
|
|
4607 130 goto ERR; |
|
|
4608 131 \} |
|
|
4609 132 if ((res = mp_mul_2(&tmp2, &tmp2)) != MP_OKAY) \{ |
|
|
4610 133 goto ERR; |
|
|
4611 134 \} |
|
|
4612 135 if ((res = mp_add(&tmp2, &b0, &tmp2)) != MP_OKAY) \{ |
|
|
4613 136 goto ERR; |
|
|
4614 137 \} |
|
|
4615 138 |
|
|
4616 139 if ((res = mp_mul(&tmp1, &tmp2, &w3)) != MP_OKAY) \{ |
|
|
4617 140 goto ERR; |
|
|
4618 141 \} |
|
|
4619 142 |
|
|
4620 143 |
|
|
4621 144 /* w2 = (a2 + a1 + a0)(b2 + b1 + b0) */ |
|
|
4622 145 if ((res = mp_add(&a2, &a1, &tmp1)) != MP_OKAY) \{ |
|
|
4623 146 goto ERR; |
|
|
4624 147 \} |
|
|
4625 148 if ((res = mp_add(&tmp1, &a0, &tmp1)) != MP_OKAY) \{ |
|
|
4626 149 goto ERR; |
|
|
4627 150 \} |
|
|
4628 151 if ((res = mp_add(&b2, &b1, &tmp2)) != MP_OKAY) \{ |
|
|
4629 152 goto ERR; |
|
|
4630 153 \} |
|
|
4631 154 if ((res = mp_add(&tmp2, &b0, &tmp2)) != MP_OKAY) \{ |
|
|
4632 155 goto ERR; |
|
|
4633 156 \} |
|
|
4634 157 if ((res = mp_mul(&tmp1, &tmp2, &w2)) != MP_OKAY) \{ |
|
|
4635 158 goto ERR; |
|
|
4636 159 \} |
|
|
4637 160 |
|
|
4638 161 /* now solve the matrix |
|
|
4639 162 |
|
|
4640 163 0 0 0 0 1 |
|
|
4641 164 1 2 4 8 16 |
|
|
4642 165 1 1 1 1 1 |
|
|
4643 166 16 8 4 2 1 |
|
|
4644 167 1 0 0 0 0 |
|
|
4645 168 |
|
|
4646 169 using 12 subtractions, 4 shifts, |
|
|
4647 170 2 small divisions and 1 small multiplication |
|
|
4648 171 */ |
|
|
4649 172 |
|
|
4650 173 /* r1 - r4 */ |
|
|
4651 174 if ((res = mp_sub(&w1, &w4, &w1)) != MP_OKAY) \{ |
|
|
4652 175 goto ERR; |
|
|
4653 176 \} |
|
|
4654 177 /* r3 - r0 */ |
|
|
4655 178 if ((res = mp_sub(&w3, &w0, &w3)) != MP_OKAY) \{ |
|
|
4656 179 goto ERR; |
|
|
4657 180 \} |
|
|
4658 181 /* r1/2 */ |
|
|
4659 182 if ((res = mp_div_2(&w1, &w1)) != MP_OKAY) \{ |
|
|
4660 183 goto ERR; |
|
|
4661 184 \} |
|
|
4662 185 /* r3/2 */ |
|
|
4663 186 if ((res = mp_div_2(&w3, &w3)) != MP_OKAY) \{ |
|
|
4664 187 goto ERR; |
|
|
4665 188 \} |
|
|
4666 189 /* r2 - r0 - r4 */ |
|
|
4667 190 if ((res = mp_sub(&w2, &w0, &w2)) != MP_OKAY) \{ |
|
|
4668 191 goto ERR; |
|
|
4669 192 \} |
|
|
4670 193 if ((res = mp_sub(&w2, &w4, &w2)) != MP_OKAY) \{ |
|
|
4671 194 goto ERR; |
|
|
4672 195 \} |
|
|
4673 196 /* r1 - r2 */ |
|
|
4674 197 if ((res = mp_sub(&w1, &w2, &w1)) != MP_OKAY) \{ |
|
|
4675 198 goto ERR; |
|
|
4676 199 \} |
|
|
4677 200 /* r3 - r2 */ |
|
|
4678 201 if ((res = mp_sub(&w3, &w2, &w3)) != MP_OKAY) \{ |
|
|
4679 202 goto ERR; |
|
|
4680 203 \} |
|
|
4681 204 /* r1 - 8r0 */ |
|
|
4682 205 if ((res = mp_mul_2d(&w0, 3, &tmp1)) != MP_OKAY) \{ |
|
|
4683 206 goto ERR; |
|
|
4684 207 \} |
|
|
4685 208 if ((res = mp_sub(&w1, &tmp1, &w1)) != MP_OKAY) \{ |
|
|
4686 209 goto ERR; |
|
|
4687 210 \} |
|
|
4688 211 /* r3 - 8r4 */ |
|
|
4689 212 if ((res = mp_mul_2d(&w4, 3, &tmp1)) != MP_OKAY) \{ |
|
|
4690 213 goto ERR; |
|
|
4691 214 \} |
|
|
4692 215 if ((res = mp_sub(&w3, &tmp1, &w3)) != MP_OKAY) \{ |
|
|
4693 216 goto ERR; |
|
|
4694 217 \} |
|
|
4695 218 /* 3r2 - r1 - r3 */ |
|
|
4696 219 if ((res = mp_mul_d(&w2, 3, &w2)) != MP_OKAY) \{ |
|
|
4697 220 goto ERR; |
|
|
4698 221 \} |
|
|
4699 222 if ((res = mp_sub(&w2, &w1, &w2)) != MP_OKAY) \{ |
|
|
4700 223 goto ERR; |
|
|
4701 224 \} |
|
|
4702 225 if ((res = mp_sub(&w2, &w3, &w2)) != MP_OKAY) \{ |
|
|
4703 226 goto ERR; |
|
|
4704 227 \} |
|
|
4705 228 /* r1 - r2 */ |
|
|
4706 229 if ((res = mp_sub(&w1, &w2, &w1)) != MP_OKAY) \{ |
|
|
4707 230 goto ERR; |
|
|
4708 231 \} |
|
|
4709 232 /* r3 - r2 */ |
|
|
4710 233 if ((res = mp_sub(&w3, &w2, &w3)) != MP_OKAY) \{ |
|
|
4711 234 goto ERR; |
|
|
4712 235 \} |
|
|
4713 236 /* r1/3 */ |
|
|
4714 237 if ((res = mp_div_3(&w1, &w1, NULL)) != MP_OKAY) \{ |
|
|
4715 238 goto ERR; |
|
|
4716 239 \} |
|
|
4717 240 /* r3/3 */ |
|
|
4718 241 if ((res = mp_div_3(&w3, &w3, NULL)) != MP_OKAY) \{ |
|
|
4719 242 goto ERR; |
|
|
4720 243 \} |
|
|
4721 244 |
|
|
4722 245 /* at this point shift W[n] by B*n */ |
|
|
4723 246 if ((res = mp_lshd(&w1, 1*B)) != MP_OKAY) \{ |
|
|
4724 247 goto ERR; |
|
|
4725 248 \} |
|
|
4726 249 if ((res = mp_lshd(&w2, 2*B)) != MP_OKAY) \{ |
|
|
4727 250 goto ERR; |
|
|
4728 251 \} |
|
|
4729 252 if ((res = mp_lshd(&w3, 3*B)) != MP_OKAY) \{ |
|
|
4730 253 goto ERR; |
|
|
4731 254 \} |
|
|
4732 255 if ((res = mp_lshd(&w4, 4*B)) != MP_OKAY) \{ |
|
|
4733 256 goto ERR; |
|
|
4734 257 \} |
|
|
4735 258 |
|
|
4736 259 if ((res = mp_add(&w0, &w1, c)) != MP_OKAY) \{ |
|
|
4737 260 goto ERR; |
|
|
4738 261 \} |
|
|
4739 262 if ((res = mp_add(&w2, &w3, &tmp1)) != MP_OKAY) \{ |
|
|
4740 263 goto ERR; |
|
|
4741 264 \} |
|
|
4742 265 if ((res = mp_add(&w4, &tmp1, &tmp1)) != MP_OKAY) \{ |
|
|
4743 266 goto ERR; |
|
|
4744 267 \} |
|
|
4745 268 if ((res = mp_add(&tmp1, c, c)) != MP_OKAY) \{ |
|
|
4746 269 goto ERR; |
|
|
4747 270 \} |
|
|
4748 271 |
|
|
4749 272 ERR: |
|
|
4750 273 mp_clear_multi(&w0, &w1, &w2, &w3, &w4, |
|
|
4751 274 &a0, &a1, &a2, &b0, &b1, |
|
|
4752 275 &b2, &tmp1, &tmp2, NULL); |
|
|
4753 276 return res; |
|
|
4754 277 \} |
|
|
4755 278 |
|
|
4756 279 #endif |
|
386
|
4757 280 |
|
282
|
4758 \end{alltt} |
|
|
4759 \end{small} |
|
|
4760 |
|
|
4761 The first obvious thing to note is that this algorithm is complicated. The complexity is worth it if you are multiplying very |
|
|
4762 large numbers. For example, a 10,000 digit multiplication takes approximaly 99,282,205 fewer single precision multiplications with |
|
|
4763 Toom--Cook than a Comba or baseline approach (this is a savings of more than 99$\%$). For most ``crypto'' sized numbers this |
|
|
4764 algorithm is not practical as Karatsuba has a much lower cutoff point. |
|
|
4765 |
|
|
4766 First we split $a$ and $b$ into three roughly equal portions. This has been accomplished (lines 40 to 69) with |
|
|
4767 combinations of mp\_rshd() and mp\_mod\_2d() function calls. At this point $a = a2 \cdot \beta^2 + a1 \cdot \beta + a0$ and similiarly |
|
|
4768 for $b$. |
|
|
4769 |
|
|
4770 Next we compute the five points $w0, w1, w2, w3$ and $w4$. Recall that $w0$ and $w4$ can be computed directly from the portions so |
|
|
4771 we get those out of the way first (lines 72 and 77). Next we compute $w1, w2$ and $w3$ using Horners method. |
|
|
4772 |
|
|
4773 After this point we solve for the actual values of $w1, w2$ and $w3$ by reducing the $5 \times 5$ system which is relatively |
|
|
4774 straight forward. |
|
|
4775 |
|
|
4776 \subsection{Signed Multiplication} |
|
|
4777 Now that algorithms to handle multiplications of every useful dimensions have been developed, a rather simple finishing touch is required. So far all |
|
|
4778 of the multiplication algorithms have been unsigned multiplications which leaves only a signed multiplication algorithm to be established. |
|
|
4779 |
|
|
4780 \begin{figure}[!here] |
|
|
4781 \begin{small} |
|
|
4782 \begin{center} |
|
|
4783 \begin{tabular}{l} |
|
|
4784 \hline Algorithm \textbf{mp\_mul}. \\ |
|
|
4785 \textbf{Input}. mp\_int $a$ and mp\_int $b$ \\ |
|
|
4786 \textbf{Output}. $c \leftarrow a \cdot b$ \\ |
|
|
4787 \hline \\ |
|
|
4788 1. If $a.sign = b.sign$ then \\ |
|
|
4789 \hspace{3mm}1.1 $sign = MP\_ZPOS$ \\ |
|
|
4790 2. else \\ |
|
|
4791 \hspace{3mm}2.1 $sign = MP\_ZNEG$ \\ |
|
|
4792 3. If min$(a.used, b.used) \ge TOOM\_MUL\_CUTOFF$ then \\ |
|
|
4793 \hspace{3mm}3.1 $c \leftarrow a \cdot b$ using algorithm mp\_toom\_mul \\ |
|
|
4794 4. else if min$(a.used, b.used) \ge KARATSUBA\_MUL\_CUTOFF$ then \\ |
|
|
4795 \hspace{3mm}4.1 $c \leftarrow a \cdot b$ using algorithm mp\_karatsuba\_mul \\ |
|
|
4796 5. else \\ |
|
|
4797 \hspace{3mm}5.1 $digs \leftarrow a.used + b.used + 1$ \\ |
|
|
4798 \hspace{3mm}5.2 If $digs < MP\_ARRAY$ and min$(a.used, b.used) \le \delta$ then \\ |
|
|
4799 \hspace{6mm}5.2.1 $c \leftarrow a \cdot b \mbox{ (mod }\beta^{digs}\mbox{)}$ using algorithm fast\_s\_mp\_mul\_digs. \\ |
|
|
4800 \hspace{3mm}5.3 else \\ |
|
|
4801 \hspace{6mm}5.3.1 $c \leftarrow a \cdot b \mbox{ (mod }\beta^{digs}\mbox{)}$ using algorithm s\_mp\_mul\_digs. \\ |
|
|
4802 6. $c.sign \leftarrow sign$ \\ |
|
|
4803 7. Return the result of the unsigned multiplication performed. \\ |
|
|
4804 \hline |
|
|
4805 \end{tabular} |
|
|
4806 \end{center} |
|
|
4807 \end{small} |
|
|
4808 \caption{Algorithm mp\_mul} |
|
|
4809 \end{figure} |
|
|
4810 |
|
|
4811 \textbf{Algorithm mp\_mul.} |
|
|
4812 This algorithm performs the signed multiplication of two inputs. It will make use of any of the three unsigned multiplication algorithms |
|
|
4813 available when the input is of appropriate size. The \textbf{sign} of the result is not set until the end of the algorithm since algorithm |
|
|
4814 s\_mp\_mul\_digs will clear it. |
|
|
4815 |
|
|
4816 \vspace{+3mm}\begin{small} |
|
|
4817 \hspace{-5.1mm}{\bf File}: bn\_mp\_mul.c |
|
|
4818 \vspace{-3mm} |
|
|
4819 \begin{alltt} |
|
|
4820 016 |
|
|
4821 017 /* high level multiplication (handles sign) */ |
|
|
4822 018 int mp_mul (mp_int * a, mp_int * b, mp_int * c) |
|
|
4823 019 \{ |
|
|
4824 020 int res, neg; |
|
|
4825 021 neg = (a->sign == b->sign) ? MP_ZPOS : MP_NEG; |
|
|
4826 022 |
|
|
4827 023 /* use Toom-Cook? */ |
|
|
4828 024 #ifdef BN_MP_TOOM_MUL_C |
|
|
4829 025 if (MIN (a->used, b->used) >= TOOM_MUL_CUTOFF) \{ |
|
|
4830 026 res = mp_toom_mul(a, b, c); |
|
|
4831 027 \} else |
|
|
4832 028 #endif |
|
|
4833 029 #ifdef BN_MP_KARATSUBA_MUL_C |
|
|
4834 030 /* use Karatsuba? */ |
|
|
4835 031 if (MIN (a->used, b->used) >= KARATSUBA_MUL_CUTOFF) \{ |
|
|
4836 032 res = mp_karatsuba_mul (a, b, c); |
|
|
4837 033 \} else |
|
|
4838 034 #endif |
|
|
4839 035 \{ |
|
|
4840 036 /* can we use the fast multiplier? |
|
|
4841 037 * |
|
|
4842 038 * The fast multiplier can be used if the output will |
|
|
4843 039 * have less than MP_WARRAY digits and the number of |
|
|
4844 040 * digits won't affect carry propagation |
|
|
4845 041 */ |
|
|
4846 042 int digs = a->used + b->used + 1; |
|
|
4847 043 |
|
|
4848 044 #ifdef BN_FAST_S_MP_MUL_DIGS_C |
|
|
4849 045 if ((digs < MP_WARRAY) && |
|
|
4850 046 MIN(a->used, b->used) <= |
|
|
4851 047 (1 << ((CHAR_BIT * sizeof (mp_word)) - (2 * DIGIT_BIT)))) \{ |
|
|
4852 048 res = fast_s_mp_mul_digs (a, b, c, digs); |
|
|
4853 049 \} else |
|
|
4854 050 #endif |
|
|
4855 051 #ifdef BN_S_MP_MUL_DIGS_C |
|
|
4856 052 res = s_mp_mul (a, b, c); /* uses s_mp_mul_digs */ |
|
|
4857 053 #else |
|
|
4858 054 res = MP_VAL; |
|
|
4859 055 #endif |
|
|
4860 056 |
|
|
4861 057 \} |
|
|
4862 058 c->sign = (c->used > 0) ? neg : MP_ZPOS; |
|
|
4863 059 return res; |
|
|
4864 060 \} |
|
|
4865 061 #endif |
|
386
|
4866 062 |
|
282
|
4867 \end{alltt} |
|
|
4868 \end{small} |
|
|
4869 |
|
|
4870 The implementation is rather simplistic and is not particularly noteworthy. Line 23 computes the sign of the result using the ``?'' |
|
|
4871 operator from the C programming language. Line 47 computes $\delta$ using the fact that $1 << k$ is equal to $2^k$. |
|
|
4872 |
|
|
4873 \section{Squaring} |
|
|
4874 \label{sec:basesquare} |
|
|
4875 |
|
|
4876 Squaring is a special case of multiplication where both multiplicands are equal. At first it may seem like there is no significant optimization |
|
|
4877 available but in fact there is. Consider the multiplication of $576$ against $241$. In total there will be nine single precision multiplications |
|
|
4878 performed which are $1\cdot 6$, $1 \cdot 7$, $1 \cdot 5$, $4 \cdot 6$, $4 \cdot 7$, $4 \cdot 5$, $2 \cdot 6$, $2 \cdot 7$ and $2 \cdot 5$. Now consider |
|
|
4879 the multiplication of $123$ against $123$. The nine products are $3 \cdot 3$, $3 \cdot 2$, $3 \cdot 1$, $2 \cdot 3$, $2 \cdot 2$, $2 \cdot 1$, |
|
|
4880 $1 \cdot 3$, $1 \cdot 2$ and $1 \cdot 1$. On closer inspection some of the products are equivalent. For example, $3 \cdot 2 = 2 \cdot 3$ |
|
|
4881 and $3 \cdot 1 = 1 \cdot 3$. |
|
|
4882 |
|
|
4883 For any $n$-digit input, there are ${{\left (n^2 + n \right)}\over 2}$ possible unique single precision multiplications required compared to the $n^2$ |
|
|
4884 required for multiplication. The following diagram gives an example of the operations required. |
|
|
4885 |
|
|
4886 \begin{figure}[here] |
|
|
4887 \begin{center} |
|
|
4888 \begin{tabular}{ccccc|c} |
|
|
4889 &&1&2&3&\\ |
|
|
4890 $\times$ &&1&2&3&\\ |
|
|
4891 \hline && $3 \cdot 1$ & $3 \cdot 2$ & $3 \cdot 3$ & Row 0\\ |
|
|
4892 & $2 \cdot 1$ & $2 \cdot 2$ & $2 \cdot 3$ && Row 1 \\ |
|
|
4893 $1 \cdot 1$ & $1 \cdot 2$ & $1 \cdot 3$ &&& Row 2 \\ |
|
|
4894 \end{tabular} |
|
|
4895 \end{center} |
|
|
4896 \caption{Squaring Optimization Diagram} |
|
|
4897 \end{figure} |
|
|
4898 |
|
|
4899 Starting from zero and numbering the columns from right to left a very simple pattern becomes obvious. For the purposes of this discussion let $x$ |
|
|
4900 represent the number being squared. The first observation is that in row $k$ the $2k$'th column of the product has a $\left (x_k \right)^2$ term in it. |
|
|
4901 |
|
|
4902 The second observation is that every column $j$ in row $k$ where $j \ne 2k$ is part of a double product. Every non-square term of a column will |
|
|
4903 appear twice hence the name ``double product''. Every odd column is made up entirely of double products. In fact every column is made up of double |
|
|
4904 products and at most one square (\textit{see the exercise section}). |
|
|
4905 |
|
|
4906 The third and final observation is that for row $k$ the first unique non-square term, that is, one that hasn't already appeared in an earlier row, |
|
|
4907 occurs at column $2k + 1$. For example, on row $1$ of the previous squaring, column one is part of the double product with column one from row zero. |
|
|
4908 Column two of row one is a square and column three is the first unique column. |
|
|
4909 |
|
|
4910 \subsection{The Baseline Squaring Algorithm} |
|
|
4911 The baseline squaring algorithm is meant to be a catch-all squaring algorithm. It will handle any of the input sizes that the faster routines |
|
|
4912 will not handle. |
|
|
4913 |
|
|
4914 \begin{figure}[!here] |
|
|
4915 \begin{small} |
|
|
4916 \begin{center} |
|
|
4917 \begin{tabular}{l} |
|
|
4918 \hline Algorithm \textbf{s\_mp\_sqr}. \\ |
|
|
4919 \textbf{Input}. mp\_int $a$ \\ |
|
|
4920 \textbf{Output}. $b \leftarrow a^2$ \\ |
|
|
4921 \hline \\ |
|
|
4922 1. Init a temporary mp\_int of at least $2 \cdot a.used +1$ digits. (\textit{mp\_init\_size}) \\ |
|
|
4923 2. If step 1 failed return(\textit{MP\_MEM}) \\ |
|
|
4924 3. $t.used \leftarrow 2 \cdot a.used + 1$ \\ |
|
|
4925 4. For $ix$ from 0 to $a.used - 1$ do \\ |
|
|
4926 \hspace{3mm}Calculate the square. \\ |
|
|
4927 \hspace{3mm}4.1 $\hat r \leftarrow t_{2ix} + \left (a_{ix} \right )^2$ \\ |
|
|
4928 \hspace{3mm}4.2 $t_{2ix} \leftarrow \hat r \mbox{ (mod }\beta\mbox{)}$ \\ |
|
|
4929 \hspace{3mm}Calculate the double products after the square. \\ |
|
|
4930 \hspace{3mm}4.3 $u \leftarrow \lfloor \hat r / \beta \rfloor$ \\ |
|
|
4931 \hspace{3mm}4.4 For $iy$ from $ix + 1$ to $a.used - 1$ do \\ |
|
|
4932 \hspace{6mm}4.4.1 $\hat r \leftarrow 2 \cdot a_{ix}a_{iy} + t_{ix + iy} + u$ \\ |
|
|
4933 \hspace{6mm}4.4.2 $t_{ix + iy} \leftarrow \hat r \mbox{ (mod }\beta\mbox{)}$ \\ |
|
|
4934 \hspace{6mm}4.4.3 $u \leftarrow \lfloor \hat r / \beta \rfloor$ \\ |
|
|
4935 \hspace{3mm}Set the last carry. \\ |
|
|
4936 \hspace{3mm}4.5 While $u > 0$ do \\ |
|
|
4937 \hspace{6mm}4.5.1 $iy \leftarrow iy + 1$ \\ |
|
|
4938 \hspace{6mm}4.5.2 $\hat r \leftarrow t_{ix + iy} + u$ \\ |
|
|
4939 \hspace{6mm}4.5.3 $t_{ix + iy} \leftarrow \hat r \mbox{ (mod }\beta\mbox{)}$ \\ |
|
|
4940 \hspace{6mm}4.5.4 $u \leftarrow \lfloor \hat r / \beta \rfloor$ \\ |
|
|
4941 5. Clamp excess digits of $t$. (\textit{mp\_clamp}) \\ |
|
|
4942 6. Exchange $b$ and $t$. \\ |
|
|
4943 7. Clear $t$ (\textit{mp\_clear}) \\ |
|
|
4944 8. Return(\textit{MP\_OKAY}) \\ |
|
|
4945 \hline |
|
|
4946 \end{tabular} |
|
|
4947 \end{center} |
|
|
4948 \end{small} |
|
|
4949 \caption{Algorithm s\_mp\_sqr} |
|
|
4950 \end{figure} |
|
|
4951 |
|
|
4952 \textbf{Algorithm s\_mp\_sqr.} |
|
|
4953 This algorithm computes the square of an input using the three observations on squaring. It is based fairly faithfully on algorithm 14.16 of HAC |
|
|
4954 \cite[pp.596-597]{HAC}. Similar to algorithm s\_mp\_mul\_digs, a temporary mp\_int is allocated to hold the result of the squaring. This allows the |
|
|
4955 destination mp\_int to be the same as the source mp\_int. |
|
|
4956 |
|
|
4957 The outer loop of this algorithm begins on step 4. It is best to think of the outer loop as walking down the rows of the partial results, while |
|
|
4958 the inner loop computes the columns of the partial result. Step 4.1 and 4.2 compute the square term for each row, and step 4.3 and 4.4 propagate |
|
|
4959 the carry and compute the double products. |
|
|
4960 |
|
|
4961 The requirement that a mp\_word be able to represent the range $0 \le x < 2 \beta^2$ arises from this |
|
|
4962 very algorithm. The product $a_{ix}a_{iy}$ will lie in the range $0 \le x \le \beta^2 - 2\beta + 1$ which is obviously less than $\beta^2$ meaning that |
|
|
4963 when it is multiplied by two, it can be properly represented by a mp\_word. |
|
|
4964 |
|
|
4965 Similar to algorithm s\_mp\_mul\_digs, after every pass of the inner loop, the destination is correctly set to the sum of all of the partial |
|
|
4966 results calculated so far. This involves expensive carry propagation which will be eliminated in the next algorithm. |
|
|
4967 |
|
|
4968 \vspace{+3mm}\begin{small} |
|
|
4969 \hspace{-5.1mm}{\bf File}: bn\_s\_mp\_sqr.c |
|
|
4970 \vspace{-3mm} |
|
|
4971 \begin{alltt} |
|
|
4972 016 |
|
|
4973 017 /* low level squaring, b = a*a, HAC pp.596-597, Algorithm 14.16 */ |
|
|
4974 018 int s_mp_sqr (mp_int * a, mp_int * b) |
|
|
4975 019 \{ |
|
|
4976 020 mp_int t; |
|
|
4977 021 int res, ix, iy, pa; |
|
|
4978 022 mp_word r; |
|
|
4979 023 mp_digit u, tmpx, *tmpt; |
|
|
4980 024 |
|
|
4981 025 pa = a->used; |
|
|
4982 026 if ((res = mp_init_size (&t, 2*pa + 1)) != MP_OKAY) \{ |
|
|
4983 027 return res; |
|
|
4984 028 \} |
|
|
4985 029 |
|
|
4986 030 /* default used is maximum possible size */ |
|
|
4987 031 t.used = 2*pa + 1; |
|
|
4988 032 |
|
|
4989 033 for (ix = 0; ix < pa; ix++) \{ |
|
|
4990 034 /* first calculate the digit at 2*ix */ |
|
|
4991 035 /* calculate double precision result */ |
|
|
4992 036 r = ((mp_word) t.dp[2*ix]) + |
|
|
4993 037 ((mp_word)a->dp[ix])*((mp_word)a->dp[ix]); |
|
|
4994 038 |
|
|
4995 039 /* store lower part in result */ |
|
|
4996 040 t.dp[ix+ix] = (mp_digit) (r & ((mp_word) MP_MASK)); |
|
|
4997 041 |
|
|
4998 042 /* get the carry */ |
|
|
4999 043 u = (mp_digit)(r >> ((mp_word) DIGIT_BIT)); |
|
|
5000 044 |
|
|
5001 045 /* left hand side of A[ix] * A[iy] */ |
|
|
5002 046 tmpx = a->dp[ix]; |
|
|
5003 047 |
|
|
5004 048 /* alias for where to store the results */ |
|
|
5005 049 tmpt = t.dp + (2*ix + 1); |
|
|
5006 050 |
|
|
5007 051 for (iy = ix + 1; iy < pa; iy++) \{ |
|
|
5008 052 /* first calculate the product */ |
|
|
5009 053 r = ((mp_word)tmpx) * ((mp_word)a->dp[iy]); |
|
|
5010 054 |
|
|
5011 055 /* now calculate the double precision result, note we use |
|
|
5012 056 * addition instead of *2 since it's easier to optimize |
|
|
5013 057 */ |
|
|
5014 058 r = ((mp_word) *tmpt) + r + r + ((mp_word) u); |
|
|
5015 059 |
|
|
5016 060 /* store lower part */ |
|
|
5017 061 *tmpt++ = (mp_digit) (r & ((mp_word) MP_MASK)); |
|
|
5018 062 |
|
|
5019 063 /* get carry */ |
|
|
5020 064 u = (mp_digit)(r >> ((mp_word) DIGIT_BIT)); |
|
|
5021 065 \} |
|
|
5022 066 /* propagate upwards */ |
|
|
5023 067 while (u != ((mp_digit) 0)) \{ |
|
|
5024 068 r = ((mp_word) *tmpt) + ((mp_word) u); |
|
|
5025 069 *tmpt++ = (mp_digit) (r & ((mp_word) MP_MASK)); |
|
|
5026 070 u = (mp_digit)(r >> ((mp_word) DIGIT_BIT)); |
|
|
5027 071 \} |
|
|
5028 072 \} |
|
|
5029 073 |
|
|
5030 074 mp_clamp (&t); |
|
|
5031 075 mp_exch (&t, b); |
|
|
5032 076 mp_clear (&t); |
|
|
5033 077 return MP_OKAY; |
|
|
5034 078 \} |
|
|
5035 079 #endif |
|
386
|
5036 080 |
|
282
|
5037 \end{alltt} |
|
|
5038 \end{small} |
|
|
5039 |
|
|
5040 Inside the outer loop (line 33) the square term is calculated on line 36. The carry (line 43) has been |
|
|
5041 extracted from the mp\_word accumulator using a right shift. Aliases for $a_{ix}$ and $t_{ix+iy}$ are initialized |
|
|
5042 (lines 46 and 49) to simplify the inner loop. The doubling is performed using two |
|
|
5043 additions (line 58) since it is usually faster than shifting, if not at least as fast. |
|
|
5044 |
|
|
5045 The important observation is that the inner loop does not begin at $iy = 0$ like for multiplication. As such the inner loops |
|
|
5046 get progressively shorter as the algorithm proceeds. This is what leads to the savings compared to using a multiplication to |
|
|
5047 square a number. |
|
|
5048 |
|
|
5049 \subsection{Faster Squaring by the ``Comba'' Method} |
|
|
5050 A major drawback to the baseline method is the requirement for single precision shifting inside the $O(n^2)$ nested loop. Squaring has an additional |
|
|
5051 drawback that it must double the product inside the inner loop as well. As for multiplication, the Comba technique can be used to eliminate these |
|
|
5052 performance hazards. |
|
|
5053 |
|
|
5054 The first obvious solution is to make an array of mp\_words which will hold all of the columns. This will indeed eliminate all of the carry |
|
|
5055 propagation operations from the inner loop. However, the inner product must still be doubled $O(n^2)$ times. The solution stems from the simple fact |
|
|
5056 that $2a + 2b + 2c = 2(a + b + c)$. That is the sum of all of the double products is equal to double the sum of all the products. For example, |
|
|
5057 $ab + ba + ac + ca = 2ab + 2ac = 2(ab + ac)$. |
|
|
5058 |
|
|
5059 However, we cannot simply double all of the columns, since the squares appear only once per row. The most practical solution is to have two |
|
|
5060 mp\_word arrays. One array will hold the squares and the other array will hold the double products. With both arrays the doubling and |
|
|
5061 carry propagation can be moved to a $O(n)$ work level outside the $O(n^2)$ level. In this case, we have an even simpler solution in mind. |
|
|
5062 |
|
|
5063 \newpage\begin{figure}[!here] |
|
|
5064 \begin{small} |
|
|
5065 \begin{center} |
|
|
5066 \begin{tabular}{l} |
|
|
5067 \hline Algorithm \textbf{fast\_s\_mp\_sqr}. \\ |
|
|
5068 \textbf{Input}. mp\_int $a$ \\ |
|
|
5069 \textbf{Output}. $b \leftarrow a^2$ \\ |
|
|
5070 \hline \\ |
|
|
5071 Place an array of \textbf{MP\_WARRAY} mp\_digits named $W$ on the stack. \\ |
|
|
5072 1. If $b.alloc < 2a.used + 1$ then grow $b$ to $2a.used + 1$ digits. (\textit{mp\_grow}). \\ |
|
|
5073 2. If step 1 failed return(\textit{MP\_MEM}). \\ |
|
|
5074 \\ |
|
|
5075 3. $pa \leftarrow 2 \cdot a.used$ \\ |
|
|
5076 4. $\hat W1 \leftarrow 0$ \\ |
|
|
5077 5. for $ix$ from $0$ to $pa - 1$ do \\ |
|
|
5078 \hspace{3mm}5.1 $\_ \hat W \leftarrow 0$ \\ |
|
|
5079 \hspace{3mm}5.2 $ty \leftarrow \mbox{MIN}(a.used - 1, ix)$ \\ |
|
|
5080 \hspace{3mm}5.3 $tx \leftarrow ix - ty$ \\ |
|
|
5081 \hspace{3mm}5.4 $iy \leftarrow \mbox{MIN}(a.used - tx, ty + 1)$ \\ |
|
|
5082 \hspace{3mm}5.5 $iy \leftarrow \mbox{MIN}(iy, \lfloor \left (ty - tx + 1 \right )/2 \rfloor)$ \\ |
|
|
5083 \hspace{3mm}5.6 for $iz$ from $0$ to $iz - 1$ do \\ |
|
|
5084 \hspace{6mm}5.6.1 $\_ \hat W \leftarrow \_ \hat W + a_{tx + iz}a_{ty - iz}$ \\ |
|
|
5085 \hspace{3mm}5.7 $\_ \hat W \leftarrow 2 \cdot \_ \hat W + \hat W1$ \\ |
|
|
5086 \hspace{3mm}5.8 if $ix$ is even then \\ |
|
|
5087 \hspace{6mm}5.8.1 $\_ \hat W \leftarrow \_ \hat W + \left ( a_{\lfloor ix/2 \rfloor}\right )^2$ \\ |
|
|
5088 \hspace{3mm}5.9 $W_{ix} \leftarrow \_ \hat W (\mbox{mod }\beta)$ \\ |
|
|
5089 \hspace{3mm}5.10 $\hat W1 \leftarrow \lfloor \_ \hat W / \beta \rfloor$ \\ |
|
|
5090 \\ |
|
|
5091 6. $oldused \leftarrow b.used$ \\ |
|
|
5092 7. $b.used \leftarrow 2 \cdot a.used$ \\ |
|
|
5093 8. for $ix$ from $0$ to $pa - 1$ do \\ |
|
|
5094 \hspace{3mm}8.1 $b_{ix} \leftarrow W_{ix}$ \\ |
|
|
5095 9. for $ix$ from $pa$ to $oldused - 1$ do \\ |
|
|
5096 \hspace{3mm}9.1 $b_{ix} \leftarrow 0$ \\ |
|
|
5097 10. Clamp excess digits from $b$. (\textit{mp\_clamp}) \\ |
|
|
5098 11. Return(\textit{MP\_OKAY}). \\ |
|
|
5099 \hline |
|
|
5100 \end{tabular} |
|
|
5101 \end{center} |
|
|
5102 \end{small} |
|
|
5103 \caption{Algorithm fast\_s\_mp\_sqr} |
|
|
5104 \end{figure} |
|
|
5105 |
|
|
5106 \textbf{Algorithm fast\_s\_mp\_sqr.} |
|
|
5107 This algorithm computes the square of an input using the Comba technique. It is designed to be a replacement for algorithm |
|
|
5108 s\_mp\_sqr when the number of input digits is less than \textbf{MP\_WARRAY} and less than $\delta \over 2$. |
|
|
5109 This algorithm is very similar to the Comba multiplier except with a few key differences we shall make note of. |
|
|
5110 |
|
|
5111 First, we have an accumulator and carry variables $\_ \hat W$ and $\hat W1$ respectively. This is because the inner loop |
|
|
5112 products are to be doubled. If we had added the previous carry in we would be doubling too much. Next we perform an |
|
|
5113 addition MIN condition on $iy$ (step 5.5) to prevent overlapping digits. For example, $a_3 \cdot a_5$ is equal |
|
|
5114 $a_5 \cdot a_3$. Whereas in the multiplication case we would have $5 < a.used$ and $3 \ge 0$ is maintained since we double the sum |
|
|
5115 of the products just outside the inner loop we have to avoid doing this. This is also a good thing since we perform |
|
|
5116 fewer multiplications and the routine ends up being faster. |
|
|
5117 |
|
|
5118 Finally the last difference is the addition of the ``square'' term outside the inner loop (step 5.8). We add in the square |
|
|
5119 only to even outputs and it is the square of the term at the $\lfloor ix / 2 \rfloor$ position. |
|
|
5120 |
|
|
5121 \vspace{+3mm}\begin{small} |
|
|
5122 \hspace{-5.1mm}{\bf File}: bn\_fast\_s\_mp\_sqr.c |
|
|
5123 \vspace{-3mm} |
|
|
5124 \begin{alltt} |
|
|
5125 016 |
|
|
5126 017 /* the jist of squaring... |
|
|
5127 018 * you do like mult except the offset of the tmpx [one that |
|
|
5128 019 * starts closer to zero] can't equal the offset of tmpy. |
|
|
5129 020 * So basically you set up iy like before then you min it with |
|
|
5130 021 * (ty-tx) so that it never happens. You double all those |
|
|
5131 022 * you add in the inner loop |
|
|
5132 023 |
|
|
5133 024 After that loop you do the squares and add them in. |
|
|
5134 025 */ |
|
|
5135 026 |
|
|
5136 027 int fast_s_mp_sqr (mp_int * a, mp_int * b) |
|
|
5137 028 \{ |
|
|
5138 029 int olduse, res, pa, ix, iz; |
|
|
5139 030 mp_digit W[MP_WARRAY], *tmpx; |
|
|
5140 031 mp_word W1; |
|
|
5141 032 |
|
|
5142 033 /* grow the destination as required */ |
|
|
5143 034 pa = a->used + a->used; |
|
|
5144 035 if (b->alloc < pa) \{ |
|
|
5145 036 if ((res = mp_grow (b, pa)) != MP_OKAY) \{ |
|
|
5146 037 return res; |
|
|
5147 038 \} |
|
|
5148 039 \} |
|
|
5149 040 |
|
|
5150 041 /* number of output digits to produce */ |
|
|
5151 042 W1 = 0; |
|
|
5152 043 for (ix = 0; ix < pa; ix++) \{ |
|
|
5153 044 int tx, ty, iy; |
|
|
5154 045 mp_word _W; |
|
|
5155 046 mp_digit *tmpy; |
|
|
5156 047 |
|
|
5157 048 /* clear counter */ |
|
|
5158 049 _W = 0; |
|
|
5159 050 |
|
|
5160 051 /* get offsets into the two bignums */ |
|
|
5161 052 ty = MIN(a->used-1, ix); |
|
|
5162 053 tx = ix - ty; |
|
|
5163 054 |
|
|
5164 055 /* setup temp aliases */ |
|
|
5165 056 tmpx = a->dp + tx; |
|
|
5166 057 tmpy = a->dp + ty; |
|
|
5167 058 |
|
|
5168 059 /* this is the number of times the loop will iterrate, essentially |
|
|
5169 060 while (tx++ < a->used && ty-- >= 0) \{ ... \} |
|
|
5170 061 */ |
|
|
5171 062 iy = MIN(a->used-tx, ty+1); |
|
|
5172 063 |
|
|
5173 064 /* now for squaring tx can never equal ty |
|
|
5174 065 * we halve the distance since they approach at a rate of 2x |
|
|
5175 066 * and we have to round because odd cases need to be executed |
|
|
5176 067 */ |
|
|
5177 068 iy = MIN(iy, (ty-tx+1)>>1); |
|
|
5178 069 |
|
|
5179 070 /* execute loop */ |
|
|
5180 071 for (iz = 0; iz < iy; iz++) \{ |
|
|
5181 072 _W += ((mp_word)*tmpx++)*((mp_word)*tmpy--); |
|
|
5182 073 \} |
|
|
5183 074 |
|
|
5184 075 /* double the inner product and add carry */ |
|
|
5185 076 _W = _W + _W + W1; |
|
|
5186 077 |
|
|
5187 078 /* even columns have the square term in them */ |
|
|
5188 079 if ((ix&1) == 0) \{ |
|
|
5189 080 _W += ((mp_word)a->dp[ix>>1])*((mp_word)a->dp[ix>>1]); |
|
|
5190 081 \} |
|
|
5191 082 |
|
|
5192 083 /* store it */ |
|
|
5193 084 W[ix] = (mp_digit)(_W & MP_MASK); |
|
|
5194 085 |
|
|
5195 086 /* make next carry */ |
|
|
5196 087 W1 = _W >> ((mp_word)DIGIT_BIT); |
|
|
5197 088 \} |
|
|
5198 089 |
|
|
5199 090 /* setup dest */ |
|
|
5200 091 olduse = b->used; |
|
|
5201 092 b->used = a->used+a->used; |
|
|
5202 093 |
|
|
5203 094 \{ |
|
|
5204 095 mp_digit *tmpb; |
|
|
5205 096 tmpb = b->dp; |
|
|
5206 097 for (ix = 0; ix < pa; ix++) \{ |
|
|
5207 098 *tmpb++ = W[ix] & MP_MASK; |
|
|
5208 099 \} |
|
|
5209 100 |
|
|
5210 101 /* clear unused digits [that existed in the old copy of c] */ |
|
|
5211 102 for (; ix < olduse; ix++) \{ |
|
|
5212 103 *tmpb++ = 0; |
|
|
5213 104 \} |
|
|
5214 105 \} |
|
|
5215 106 mp_clamp (b); |
|
|
5216 107 return MP_OKAY; |
|
|
5217 108 \} |
|
|
5218 109 #endif |
|
386
|
5219 110 |
|
282
|
5220 \end{alltt} |
|
|
5221 \end{small} |
|
|
5222 |
|
|
5223 This implementation is essentially a copy of Comba multiplication with the appropriate changes added to make it faster for |
|
|
5224 the special case of squaring. |
|
|
5225 |
|
|
5226 \subsection{Polynomial Basis Squaring} |
|
|
5227 The same algorithm that performs optimal polynomial basis multiplication can be used to perform polynomial basis squaring. The minor exception |
|
|
5228 is that $\zeta_y = f(y)g(y)$ is actually equivalent to $\zeta_y = f(y)^2$ since $f(y) = g(y)$. Instead of performing $2n + 1$ |
|
|
5229 multiplications to find the $\zeta$ relations, squaring operations are performed instead. |
|
|
5230 |
|
|
5231 \subsection{Karatsuba Squaring} |
|
|
5232 Let $f(x) = ax + b$ represent the polynomial basis representation of a number to square. |
|
|
5233 Let $h(x) = \left ( f(x) \right )^2$ represent the square of the polynomial. The Karatsuba equation can be modified to square a |
|
|
5234 number with the following equation. |
|
|
5235 |
|
|
5236 \begin{equation} |
|
386
|
5237 h(x) = a^2x^2 + \left ((a + b)^2 - (a^2 + b^2) \right )x + b^2 |
|
282
|
5238 \end{equation} |
|
|
5239 |
|
386
|
5240 Upon closer inspection this equation only requires the calculation of three half-sized squares: $a^2$, $b^2$ and $(a + b)^2$. As in |
|
282
|
5241 Karatsuba multiplication, this algorithm can be applied recursively on the input and will achieve an asymptotic running time of |
|
|
5242 $O \left ( n^{lg(3)} \right )$. |
|
|
5243 |
|
|
5244 If the asymptotic times of Karatsuba squaring and multiplication are the same, why not simply use the multiplication algorithm |
|
|
5245 instead? The answer to this arises from the cutoff point for squaring. As in multiplication there exists a cutoff point, at which the |
|
|
5246 time required for a Comba based squaring and a Karatsuba based squaring meet. Due to the overhead inherent in the Karatsuba method, the cutoff |
|
|
5247 point is fairly high. For example, on an AMD Athlon XP processor with $\beta = 2^{28}$, the cutoff point is around 127 digits. |
|
|
5248 |
|
|
5249 Consider squaring a 200 digit number with this technique. It will be split into two 100 digit halves which are subsequently squared. |
|
|
5250 The 100 digit halves will not be squared using Karatsuba, but instead using the faster Comba based squaring algorithm. If Karatsuba multiplication |
|
|
5251 were used instead, the 100 digit numbers would be squared with a slower Comba based multiplication. |
|
|
5252 |
|
|
5253 \newpage\begin{figure}[!here] |
|
|
5254 \begin{small} |
|
|
5255 \begin{center} |
|
|
5256 \begin{tabular}{l} |
|
|
5257 \hline Algorithm \textbf{mp\_karatsuba\_sqr}. \\ |
|
|
5258 \textbf{Input}. mp\_int $a$ \\ |
|
|
5259 \textbf{Output}. $b \leftarrow a^2$ \\ |
|
|
5260 \hline \\ |
|
|
5261 1. Initialize the following temporary mp\_ints: $x0$, $x1$, $t1$, $t2$, $x0x0$ and $x1x1$. \\ |
|
|
5262 2. If any of the initializations on step 1 failed return(\textit{MP\_MEM}). \\ |
|
|
5263 \\ |
|
|
5264 Split the input. e.g. $a = x1\beta^B + x0$ \\ |
|
|
5265 3. $B \leftarrow \lfloor a.used / 2 \rfloor$ \\ |
|
|
5266 4. $x0 \leftarrow a \mbox{ (mod }\beta^B\mbox{)}$ (\textit{mp\_mod\_2d}) \\ |
|
|
5267 5. $x1 \leftarrow \lfloor a / \beta^B \rfloor$ (\textit{mp\_lshd}) \\ |
|
|
5268 \\ |
|
|
5269 Calculate the three squares. \\ |
|
|
5270 6. $x0x0 \leftarrow x0^2$ (\textit{mp\_sqr}) \\ |
|
|
5271 7. $x1x1 \leftarrow x1^2$ \\ |
|
386
|
5272 8. $t1 \leftarrow x1 + x0$ (\textit{s\_mp\_add}) \\ |
|
282
|
5273 9. $t1 \leftarrow t1^2$ \\ |
|
|
5274 \\ |
|
|
5275 Compute the middle term. \\ |
|
|
5276 10. $t2 \leftarrow x0x0 + x1x1$ (\textit{s\_mp\_add}) \\ |
|
386
|
5277 11. $t1 \leftarrow t1 - t2$ \\ |
|
282
|
5278 \\ |
|
|
5279 Compute final product. \\ |
|
|
5280 12. $t1 \leftarrow t1\beta^B$ (\textit{mp\_lshd}) \\ |
|
|
5281 13. $x1x1 \leftarrow x1x1\beta^{2B}$ \\ |
|
|
5282 14. $t1 \leftarrow t1 + x0x0$ \\ |
|
|
5283 15. $b \leftarrow t1 + x1x1$ \\ |
|
|
5284 16. Return(\textit{MP\_OKAY}). \\ |
|
|
5285 \hline |
|
|
5286 \end{tabular} |
|
|
5287 \end{center} |
|
|
5288 \end{small} |
|
|
5289 \caption{Algorithm mp\_karatsuba\_sqr} |
|
|
5290 \end{figure} |
|
|
5291 |
|
|
5292 \textbf{Algorithm mp\_karatsuba\_sqr.} |
|
|
5293 This algorithm computes the square of an input $a$ using the Karatsuba technique. This algorithm is very similar to the Karatsuba based |
|
|
5294 multiplication algorithm with the exception that the three half-size multiplications have been replaced with three half-size squarings. |
|
|
5295 |
|
|
5296 The radix point for squaring is simply placed exactly in the middle of the digits when the input has an odd number of digits, otherwise it is |
|
|
5297 placed just below the middle. Step 3, 4 and 5 compute the two halves required using $B$ |
|
|
5298 as the radix point. The first two squares in steps 6 and 7 are rather straightforward while the last square is of a more compact form. |
|
|
5299 |
|
386
|
5300 By expanding $\left (x1 + x0 \right )^2$, the $x1^2$ and $x0^2$ terms in the middle disappear, that is $(x0 - x1)^2 - (x1^2 + x0^2) = 2 \cdot x0 \cdot x1$. |
|
282
|
5301 Now if $5n$ single precision additions and a squaring of $n$-digits is faster than multiplying two $n$-digit numbers and doubling then |
|
|
5302 this method is faster. Assuming no further recursions occur, the difference can be estimated with the following inequality. |
|
|
5303 |
|
|
5304 Let $p$ represent the cost of a single precision addition and $q$ the cost of a single precision multiplication both in terms of time\footnote{Or |
|
|
5305 machine clock cycles.}. |
|
|
5306 |
|
|
5307 \begin{equation} |
|
|
5308 5pn +{{q(n^2 + n)} \over 2} \le pn + qn^2 |
|
|
5309 \end{equation} |
|
|
5310 |
|
|
5311 For example, on an AMD Athlon XP processor $p = {1 \over 3}$ and $q = 6$. This implies that the following inequality should hold. |
|
|
5312 \begin{center} |
|
|
5313 \begin{tabular}{rcl} |
|
|
5314 ${5n \over 3} + 3n^2 + 3n$ & $<$ & ${n \over 3} + 6n^2$ \\ |
|
|
5315 ${5 \over 3} + 3n + 3$ & $<$ & ${1 \over 3} + 6n$ \\ |
|
|
5316 ${13 \over 9}$ & $<$ & $n$ \\ |
|
|
5317 \end{tabular} |
|
|
5318 \end{center} |
|
|
5319 |
|
|
5320 This results in a cutoff point around $n = 2$. As a consequence it is actually faster to compute the middle term the ``long way'' on processors |
|
|
5321 where multiplication is substantially slower\footnote{On the Athlon there is a 1:17 ratio between clock cycles for addition and multiplication. On |
|
|
5322 the Intel P4 processor this ratio is 1:29 making this method even more beneficial. The only common exception is the ARMv4 processor which has a |
|
|
5323 ratio of 1:7. } than simpler operations such as addition. |
|
|
5324 |
|
|
5325 \vspace{+3mm}\begin{small} |
|
|
5326 \hspace{-5.1mm}{\bf File}: bn\_mp\_karatsuba\_sqr.c |
|
|
5327 \vspace{-3mm} |
|
|
5328 \begin{alltt} |
|
|
5329 016 |
|
|
5330 017 /* Karatsuba squaring, computes b = a*a using three |
|
|
5331 018 * half size squarings |
|
|
5332 019 * |
|
|
5333 020 * See comments of karatsuba_mul for details. It |
|
|
5334 021 * is essentially the same algorithm but merely |
|
|
5335 022 * tuned to perform recursive squarings. |
|
|
5336 023 */ |
|
|
5337 024 int mp_karatsuba_sqr (mp_int * a, mp_int * b) |
|
|
5338 025 \{ |
|
|
5339 026 mp_int x0, x1, t1, t2, x0x0, x1x1; |
|
|
5340 027 int B, err; |
|
|
5341 028 |
|
|
5342 029 err = MP_MEM; |
|
|
5343 030 |
|
|
5344 031 /* min # of digits */ |
|
|
5345 032 B = a->used; |
|
|
5346 033 |
|
|
5347 034 /* now divide in two */ |
|
|
5348 035 B = B >> 1; |
|
|
5349 036 |
|
|
5350 037 /* init copy all the temps */ |
|
|
5351 038 if (mp_init_size (&x0, B) != MP_OKAY) |
|
|
5352 039 goto ERR; |
|
|
5353 040 if (mp_init_size (&x1, a->used - B) != MP_OKAY) |
|
|
5354 041 goto X0; |
|
|
5355 042 |
|
|
5356 043 /* init temps */ |
|
|
5357 044 if (mp_init_size (&t1, a->used * 2) != MP_OKAY) |
|
|
5358 045 goto X1; |
|
|
5359 046 if (mp_init_size (&t2, a->used * 2) != MP_OKAY) |
|
|
5360 047 goto T1; |
|
|
5361 048 if (mp_init_size (&x0x0, B * 2) != MP_OKAY) |
|
|
5362 049 goto T2; |
|
|
5363 050 if (mp_init_size (&x1x1, (a->used - B) * 2) != MP_OKAY) |
|
|
5364 051 goto X0X0; |
|
|
5365 052 |
|
|
5366 053 \{ |
|
|
5367 054 register int x; |
|
|
5368 055 register mp_digit *dst, *src; |
|
|
5369 056 |
|
|
5370 057 src = a->dp; |
|
|
5371 058 |
|
|
5372 059 /* now shift the digits */ |
|
|
5373 060 dst = x0.dp; |
|
|
5374 061 for (x = 0; x < B; x++) \{ |
|
|
5375 062 *dst++ = *src++; |
|
|
5376 063 \} |
|
|
5377 064 |
|
|
5378 065 dst = x1.dp; |
|
|
5379 066 for (x = B; x < a->used; x++) \{ |
|
|
5380 067 *dst++ = *src++; |
|
|
5381 068 \} |
|
|
5382 069 \} |
|
|
5383 070 |
|
|
5384 071 x0.used = B; |
|
|
5385 072 x1.used = a->used - B; |
|
|
5386 073 |
|
|
5387 074 mp_clamp (&x0); |
|
|
5388 075 |
|
|
5389 076 /* now calc the products x0*x0 and x1*x1 */ |
|
|
5390 077 if (mp_sqr (&x0, &x0x0) != MP_OKAY) |
|
|
5391 078 goto X1X1; /* x0x0 = x0*x0 */ |
|
|
5392 079 if (mp_sqr (&x1, &x1x1) != MP_OKAY) |
|
|
5393 080 goto X1X1; /* x1x1 = x1*x1 */ |
|
|
5394 081 |
|
386
|
5395 082 /* now calc (x1+x0)**2 */ |
|
|
5396 083 if (s_mp_add (&x1, &x0, &t1) != MP_OKAY) |
|
282
|
5397 084 goto X1X1; /* t1 = x1 - x0 */ |
|
|
5398 085 if (mp_sqr (&t1, &t1) != MP_OKAY) |
|
|
5399 086 goto X1X1; /* t1 = (x1 - x0) * (x1 - x0) */ |
|
|
5400 087 |
|
|
5401 088 /* add x0y0 */ |
|
|
5402 089 if (s_mp_add (&x0x0, &x1x1, &t2) != MP_OKAY) |
|
|
5403 090 goto X1X1; /* t2 = x0x0 + x1x1 */ |
|
386
|
5404 091 if (s_mp_sub (&t1, &t2, &t1) != MP_OKAY) |
|
|
5405 092 goto X1X1; /* t1 = (x1+x0)**2 - (x0x0 + x1x1) */ |
|
282
|
5406 093 |
|
|
5407 094 /* shift by B */ |
|
|
5408 095 if (mp_lshd (&t1, B) != MP_OKAY) |
|
|
5409 096 goto X1X1; /* t1 = (x0x0 + x1x1 - (x1-x0)*(x1-x0))<<B */ |
|
|
5410 097 if (mp_lshd (&x1x1, B * 2) != MP_OKAY) |
|
|
5411 098 goto X1X1; /* x1x1 = x1x1 << 2*B */ |
|
|
5412 099 |
|
|
5413 100 if (mp_add (&x0x0, &t1, &t1) != MP_OKAY) |
|
|
5414 101 goto X1X1; /* t1 = x0x0 + t1 */ |
|
|
5415 102 if (mp_add (&t1, &x1x1, b) != MP_OKAY) |
|
|
5416 103 goto X1X1; /* t1 = x0x0 + t1 + x1x1 */ |
|
|
5417 104 |
|
|
5418 105 err = MP_OKAY; |
|
|
5419 106 |
|
|
5420 107 X1X1:mp_clear (&x1x1); |
|
|
5421 108 X0X0:mp_clear (&x0x0); |
|
|
5422 109 T2:mp_clear (&t2); |
|
|
5423 110 T1:mp_clear (&t1); |
|
|
5424 111 X1:mp_clear (&x1); |
|
|
5425 112 X0:mp_clear (&x0); |
|
|
5426 113 ERR: |
|
|
5427 114 return err; |
|
|
5428 115 \} |
|
|
5429 116 #endif |
|
386
|
5430 117 |
|
282
|
5431 \end{alltt} |
|
|
5432 \end{small} |
|
|
5433 |
|
|
5434 This implementation is largely based on the implementation of algorithm mp\_karatsuba\_mul. It uses the same inline style to copy and |
|
|
5435 shift the input into the two halves. The loop from line 53 to line 69 has been modified since only one input exists. The \textbf{used} |
|
|
5436 count of both $x0$ and $x1$ is fixed up and $x0$ is clamped before the calculations begin. At this point $x1$ and $x0$ are valid equivalents |
|
|
5437 to the respective halves as if mp\_rshd and mp\_mod\_2d had been used. |
|
|
5438 |
|
|
5439 By inlining the copy and shift operations the cutoff point for Karatsuba multiplication can be lowered. On the Athlon the cutoff point |
|
|
5440 is exactly at the point where Comba squaring can no longer be used (\textit{128 digits}). On slower processors such as the Intel P4 |
|
|
5441 it is actually below the Comba limit (\textit{at 110 digits}). |
|
|
5442 |
|
|
5443 This routine uses the same error trap coding style as mp\_karatsuba\_sqr. As the temporary variables are initialized errors are |
|
|
5444 redirected to the error trap higher up. If the algorithm completes without error the error code is set to \textbf{MP\_OKAY} and |
|
|
5445 mp\_clears are executed normally. |
|
|
5446 |
|
|
5447 \subsection{Toom-Cook Squaring} |
|
|
5448 The Toom-Cook squaring algorithm mp\_toom\_sqr is heavily based on the algorithm mp\_toom\_mul with the exception that squarings are used |
|
|
5449 instead of multiplication to find the five relations. The reader is encouraged to read the description of the latter algorithm and try to |
|
|
5450 derive their own Toom-Cook squaring algorithm. |
|
|
5451 |
|
|
5452 \subsection{High Level Squaring} |
|
|
5453 \newpage\begin{figure}[!here] |
|
|
5454 \begin{small} |
|
|
5455 \begin{center} |
|
|
5456 \begin{tabular}{l} |
|
|
5457 \hline Algorithm \textbf{mp\_sqr}. \\ |
|
|
5458 \textbf{Input}. mp\_int $a$ \\ |
|
|
5459 \textbf{Output}. $b \leftarrow a^2$ \\ |
|
|
5460 \hline \\ |
|
|
5461 1. If $a.used \ge TOOM\_SQR\_CUTOFF$ then \\ |
|
|
5462 \hspace{3mm}1.1 $b \leftarrow a^2$ using algorithm mp\_toom\_sqr \\ |
|
|
5463 2. else if $a.used \ge KARATSUBA\_SQR\_CUTOFF$ then \\ |
|
|
5464 \hspace{3mm}2.1 $b \leftarrow a^2$ using algorithm mp\_karatsuba\_sqr \\ |
|
|
5465 3. else \\ |
|
|
5466 \hspace{3mm}3.1 $digs \leftarrow a.used + b.used + 1$ \\ |
|
|
5467 \hspace{3mm}3.2 If $digs < MP\_ARRAY$ and $a.used \le \delta$ then \\ |
|
|
5468 \hspace{6mm}3.2.1 $b \leftarrow a^2$ using algorithm fast\_s\_mp\_sqr. \\ |
|
|
5469 \hspace{3mm}3.3 else \\ |
|
|
5470 \hspace{6mm}3.3.1 $b \leftarrow a^2$ using algorithm s\_mp\_sqr. \\ |
|
|
5471 4. $b.sign \leftarrow MP\_ZPOS$ \\ |
|
|
5472 5. Return the result of the unsigned squaring performed. \\ |
|
|
5473 \hline |
|
|
5474 \end{tabular} |
|
|
5475 \end{center} |
|
|
5476 \end{small} |
|
|
5477 \caption{Algorithm mp\_sqr} |
|
|
5478 \end{figure} |
|
|
5479 |
|
|
5480 \textbf{Algorithm mp\_sqr.} |
|
|
5481 This algorithm computes the square of the input using one of four different algorithms. If the input is very large and has at least |
|
|
5482 \textbf{TOOM\_SQR\_CUTOFF} or \textbf{KARATSUBA\_SQR\_CUTOFF} digits then either the Toom-Cook or the Karatsuba Squaring algorithm is used. If |
|
|
5483 neither of the polynomial basis algorithms should be used then either the Comba or baseline algorithm is used. |
|
|
5484 |
|
|
5485 \vspace{+3mm}\begin{small} |
|
|
5486 \hspace{-5.1mm}{\bf File}: bn\_mp\_sqr.c |
|
|
5487 \vspace{-3mm} |
|
|
5488 \begin{alltt} |
|
|
5489 016 |
|
|
5490 017 /* computes b = a*a */ |
|
|
5491 018 int |
|
|
5492 019 mp_sqr (mp_int * a, mp_int * b) |
|
|
5493 020 \{ |
|
|
5494 021 int res; |
|
|
5495 022 |
|
|
5496 023 #ifdef BN_MP_TOOM_SQR_C |
|
|
5497 024 /* use Toom-Cook? */ |
|
|
5498 025 if (a->used >= TOOM_SQR_CUTOFF) \{ |
|
|
5499 026 res = mp_toom_sqr(a, b); |
|
|
5500 027 /* Karatsuba? */ |
|
|
5501 028 \} else |
|
|
5502 029 #endif |
|
|
5503 030 #ifdef BN_MP_KARATSUBA_SQR_C |
|
|
5504 031 if (a->used >= KARATSUBA_SQR_CUTOFF) \{ |
|
|
5505 032 res = mp_karatsuba_sqr (a, b); |
|
|
5506 033 \} else |
|
|
5507 034 #endif |
|
|
5508 035 \{ |
|
|
5509 036 #ifdef BN_FAST_S_MP_SQR_C |
|
|
5510 037 /* can we use the fast comba multiplier? */ |
|
|
5511 038 if ((a->used * 2 + 1) < MP_WARRAY && |
|
|
5512 039 a->used < |
|
|
5513 040 (1 << (sizeof(mp_word) * CHAR_BIT - 2*DIGIT_BIT - 1))) \{ |
|
|
5514 041 res = fast_s_mp_sqr (a, b); |
|
|
5515 042 \} else |
|
|
5516 043 #endif |
|
|
5517 044 #ifdef BN_S_MP_SQR_C |
|
|
5518 045 res = s_mp_sqr (a, b); |
|
|
5519 046 #else |
|
|
5520 047 res = MP_VAL; |
|
|
5521 048 #endif |
|
|
5522 049 \} |
|
|
5523 050 b->sign = MP_ZPOS; |
|
|
5524 051 return res; |
|
|
5525 052 \} |
|
|
5526 053 #endif |
|
386
|
5527 054 |
|
282
|
5528 \end{alltt} |
|
|
5529 \end{small} |
|
|
5530 |
|
|
5531 \section*{Exercises} |
|
|
5532 \begin{tabular}{cl} |
|
|
5533 $\left [ 3 \right ] $ & Devise an efficient algorithm for selection of the radix point to handle inputs \\ |
|
|
5534 & that have different number of digits in Karatsuba multiplication. \\ |
|
|
5535 & \\ |
|
|
5536 $\left [ 2 \right ] $ & In section 5.3 the fact that every column of a squaring is made up \\ |
|
|
5537 & of double products and at most one square is stated. Prove this statement. \\ |
|
|
5538 & \\ |
|
|
5539 $\left [ 3 \right ] $ & Prove the equation for Karatsuba squaring. \\ |
|
|
5540 & \\ |
|
|
5541 $\left [ 1 \right ] $ & Prove that Karatsuba squaring requires $O \left (n^{lg(3)} \right )$ time. \\ |
|
|
5542 & \\ |
|
|
5543 $\left [ 2 \right ] $ & Determine the minimal ratio between addition and multiplication clock cycles \\ |
|
|
5544 & required for equation $6.7$ to be true. \\ |
|
|
5545 & \\ |
|
|
5546 $\left [ 3 \right ] $ & Implement a threaded version of Comba multiplication (and squaring) where you \\ |
|
|
5547 & compute subsets of the columns in each thread. Determine a cutoff point where \\ |
|
|
5548 & it is effective and add the logic to mp\_mul() and mp\_sqr(). \\ |
|
|
5549 &\\ |
|
|
5550 $\left [ 4 \right ] $ & Same as the previous but also modify the Karatsuba and Toom-Cook. You must \\ |
|
|
5551 & increase the throughput of mp\_exptmod() for random odd moduli in the range \\ |
|
|
5552 & $512 \ldots 4096$ bits significantly ($> 2x$) to complete this challenge. \\ |
|
|
5553 & \\ |
|
|
5554 \end{tabular} |
|
|
5555 |
|
|
5556 \chapter{Modular Reduction} |
|
|
5557 \section{Basics of Modular Reduction} |
|
|
5558 \index{modular residue} |
|
|
5559 Modular reduction is an operation that arises quite often within public key cryptography algorithms and various number theoretic algorithms, |
|
|
5560 such as factoring. Modular reduction algorithms are the third class of algorithms of the ``multipliers'' set. A number $a$ is said to be \textit{reduced} |
|
|
5561 modulo another number $b$ by finding the remainder of the division $a/b$. Full integer division with remainder is a topic to be covered |
|
|
5562 in~\ref{sec:division}. |
|
|
5563 |
|
|
5564 Modular reduction is equivalent to solving for $r$ in the following equation. $a = bq + r$ where $q = \lfloor a/b \rfloor$. The result |
|
|
5565 $r$ is said to be ``congruent to $a$ modulo $b$'' which is also written as $r \equiv a \mbox{ (mod }b\mbox{)}$. In other vernacular $r$ is known as the |
|
|
5566 ``modular residue'' which leads to ``quadratic residue''\footnote{That's fancy talk for $b \equiv a^2 \mbox{ (mod }p\mbox{)}$.} and |
|
|
5567 other forms of residues. |
|
|
5568 |
|
|
5569 Modular reductions are normally used to create either finite groups, rings or fields. The most common usage for performance driven modular reductions |
|
|
5570 is in modular exponentiation algorithms. That is to compute $d = a^b \mbox{ (mod }c\mbox{)}$ as fast as possible. This operation is used in the |
|
|
5571 RSA and Diffie-Hellman public key algorithms, for example. Modular multiplication and squaring also appears as a fundamental operation in |
|
|
5572 elliptic curve cryptographic algorithms. As will be discussed in the subsequent chapter there exist fast algorithms for computing modular |
|
|
5573 exponentiations without having to perform (\textit{in this example}) $b - 1$ multiplications. These algorithms will produce partial results in the |
|
|
5574 range $0 \le x < c^2$ which can be taken advantage of to create several efficient algorithms. They have also been used to create redundancy check |
|
|
5575 algorithms known as CRCs, error correction codes such as Reed-Solomon and solve a variety of number theoeretic problems. |
|
|
5576 |
|
|
5577 \section{The Barrett Reduction} |
|
|
5578 The Barrett reduction algorithm \cite{BARRETT} was inspired by fast division algorithms which multiply by the reciprocal to emulate |
|
|
5579 division. Barretts observation was that the residue $c$ of $a$ modulo $b$ is equal to |
|
|
5580 |
|
|
5581 \begin{equation} |
|
|
5582 c = a - b \cdot \lfloor a/b \rfloor |
|
|
5583 \end{equation} |
|
|
5584 |
|
|
5585 Since algorithms such as modular exponentiation would be using the same modulus extensively, typical DSP\footnote{It is worth noting that Barrett's paper |
|
|
5586 targeted the DSP56K processor.} intuition would indicate the next step would be to replace $a/b$ by a multiplication by the reciprocal. However, |
|
|
5587 DSP intuition on its own will not work as these numbers are considerably larger than the precision of common DSP floating point data types. |
|
|
5588 It would take another common optimization to optimize the algorithm. |
|
|
5589 |
|
|
5590 \subsection{Fixed Point Arithmetic} |
|
|
5591 The trick used to optimize the above equation is based on a technique of emulating floating point data types with fixed precision integers. Fixed |
|
|
5592 point arithmetic would become very popular as it greatly optimize the ``3d-shooter'' genre of games in the mid 1990s when floating point units were |
|
|
5593 fairly slow if not unavailable. The idea behind fixed point arithmetic is to take a normal $k$-bit integer data type and break it into $p$-bit |
|
|
5594 integer and a $q$-bit fraction part (\textit{where $p+q = k$}). |
|
|
5595 |
|
|
5596 In this system a $k$-bit integer $n$ would actually represent $n/2^q$. For example, with $q = 4$ the integer $n = 37$ would actually represent the |
|
|
5597 value $2.3125$. To multiply two fixed point numbers the integers are multiplied using traditional arithmetic and subsequently normalized by |
|
|
5598 moving the implied decimal point back to where it should be. For example, with $q = 4$ to multiply the integers $9$ and $5$ they must be converted |
|
|
5599 to fixed point first by multiplying by $2^q$. Let $a = 9(2^q)$ represent the fixed point representation of $9$ and $b = 5(2^q)$ represent the |
|
|
5600 fixed point representation of $5$. The product $ab$ is equal to $45(2^{2q})$ which when normalized by dividing by $2^q$ produces $45(2^q)$. |
|
|
5601 |
|
|
5602 This technique became popular since a normal integer multiplication and logical shift right are the only required operations to perform a multiplication |
|
|
5603 of two fixed point numbers. Using fixed point arithmetic, division can be easily approximated by multiplying by the reciprocal. If $2^q$ is |
|
|
5604 equivalent to one than $2^q/b$ is equivalent to the fixed point approximation of $1/b$ using real arithmetic. Using this fact dividing an integer |
|
|
5605 $a$ by another integer $b$ can be achieved with the following expression. |
|
|
5606 |
|
|
5607 \begin{equation} |
|
|
5608 \lfloor a / b \rfloor \mbox{ }\approx\mbox{ } \lfloor (a \cdot \lfloor 2^q / b \rfloor)/2^q \rfloor |
|
|
5609 \end{equation} |
|
|
5610 |
|
|
5611 The precision of the division is proportional to the value of $q$. If the divisor $b$ is used frequently as is the case with |
|
|
5612 modular exponentiation pre-computing $2^q/b$ will allow a division to be performed with a multiplication and a right shift. Both operations |
|
|
5613 are considerably faster than division on most processors. |
|
|
5614 |
|
|
5615 Consider dividing $19$ by $5$. The correct result is $\lfloor 19/5 \rfloor = 3$. With $q = 3$ the reciprocal is $\lfloor 2^q/5 \rfloor = 1$ which |
|
|
5616 leads to a product of $19$ which when divided by $2^q$ produces $2$. However, with $q = 4$ the reciprocal is $\lfloor 2^q/5 \rfloor = 3$ and |
|
|
5617 the result of the emulated division is $\lfloor 3 \cdot 19 / 2^q \rfloor = 3$ which is correct. The value of $2^q$ must be close to or ideally |
|
|
5618 larger than the dividend. In effect if $a$ is the dividend then $q$ should allow $0 \le \lfloor a/2^q \rfloor \le 1$ in order for this approach |
|
|
5619 to work correctly. Plugging this form of divison into the original equation the following modular residue equation arises. |
|
|
5620 |
|
|
5621 \begin{equation} |
|
|
5622 c = a - b \cdot \lfloor (a \cdot \lfloor 2^q / b \rfloor)/2^q \rfloor |
|
|
5623 \end{equation} |
|
|
5624 |
|
|
5625 Using the notation from \cite{BARRETT} the value of $\lfloor 2^q / b \rfloor$ will be represented by the $\mu$ symbol. Using the $\mu$ |
|
|
5626 variable also helps re-inforce the idea that it is meant to be computed once and re-used. |
|
|
5627 |
|
|
5628 \begin{equation} |
|
|
5629 c = a - b \cdot \lfloor (a \cdot \mu)/2^q \rfloor |
|
|
5630 \end{equation} |
|
|
5631 |
|
|
5632 Provided that $2^q \ge a$ this algorithm will produce a quotient that is either exactly correct or off by a value of one. In the context of Barrett |
|
|
5633 reduction the value of $a$ is bound by $0 \le a \le (b - 1)^2$ meaning that $2^q \ge b^2$ is sufficient to ensure the reciprocal will have enough |
|
|
5634 precision. |
|
|
5635 |
|
|
5636 Let $n$ represent the number of digits in $b$. This algorithm requires approximately $2n^2$ single precision multiplications to produce the quotient and |
|
|
5637 another $n^2$ single precision multiplications to find the residue. In total $3n^2$ single precision multiplications are required to |
|
|
5638 reduce the number. |
|
|
5639 |
|
|
5640 For example, if $b = 1179677$ and $q = 41$ ($2^q > b^2$), then the reciprocal $\mu$ is equal to $\lfloor 2^q / b \rfloor = 1864089$. Consider reducing |
|
|
5641 $a = 180388626447$ modulo $b$ using the above reduction equation. The quotient using the new formula is $\lfloor (a \cdot \mu) / 2^q \rfloor = 152913$. |
|
|
5642 By subtracting $152913b$ from $a$ the correct residue $a \equiv 677346 \mbox{ (mod }b\mbox{)}$ is found. |
|
|
5643 |
|
|
5644 \subsection{Choosing a Radix Point} |
|
|
5645 Using the fixed point representation a modular reduction can be performed with $3n^2$ single precision multiplications. If that were the best |
|
|
5646 that could be achieved a full division\footnote{A division requires approximately $O(2cn^2)$ single precision multiplications for a small value of $c$. |
|
|
5647 See~\ref{sec:division} for further details.} might as well be used in its place. The key to optimizing the reduction is to reduce the precision of |
|
|
5648 the initial multiplication that finds the quotient. |
|
|
5649 |
|
|
5650 Let $a$ represent the number of which the residue is sought. Let $b$ represent the modulus used to find the residue. Let $m$ represent |
|
|
5651 the number of digits in $b$. For the purposes of this discussion we will assume that the number of digits in $a$ is $2m$, which is generally true if |
|
|
5652 two $m$-digit numbers have been multiplied. Dividing $a$ by $b$ is the same as dividing a $2m$ digit integer by a $m$ digit integer. Digits below the |
|
|
5653 $m - 1$'th digit of $a$ will contribute at most a value of $1$ to the quotient because $\beta^k < b$ for any $0 \le k \le m - 1$. Another way to |
|
|
5654 express this is by re-writing $a$ as two parts. If $a' \equiv a \mbox{ (mod }b^m\mbox{)}$ and $a'' = a - a'$ then |
|
|
5655 ${a \over b} \equiv {{a' + a''} \over b}$ which is equivalent to ${a' \over b} + {a'' \over b}$. Since $a'$ is bound to be less than $b$ the quotient |
|
|
5656 is bound by $0 \le {a' \over b} < 1$. |
|
|
5657 |
|
|
5658 Since the digits of $a'$ do not contribute much to the quotient the observation is that they might as well be zero. However, if the digits |
|
|
5659 ``might as well be zero'' they might as well not be there in the first place. Let $q_0 = \lfloor a/\beta^{m-1} \rfloor$ represent the input |
|
|
5660 with the irrelevant digits trimmed. Now the modular reduction is trimmed to the almost equivalent equation |
|
|
5661 |
|
|
5662 \begin{equation} |
|
|
5663 c = a - b \cdot \lfloor (q_0 \cdot \mu) / \beta^{m+1} \rfloor |
|
|
5664 \end{equation} |
|
|
5665 |
|
|
5666 Note that the original divisor $2^q$ has been replaced with $\beta^{m+1}$ where in this case $q$ is a multiple of $lg(\beta)$. Also note that the |
|
|
5667 exponent on the divisor when added to the amount $q_0$ was shifted by equals $2m$. If the optimization had not been performed the divisor |
|
|
5668 would have the exponent $2m$ so in the end the exponents do ``add up''. Using the above equation the quotient |
|
|
5669 $\lfloor (q_0 \cdot \mu) / \beta^{m+1} \rfloor$ can be off from the true quotient by at most two. The original fixed point quotient can be off |
|
|
5670 by as much as one (\textit{provided the radix point is chosen suitably}) and now that the lower irrelevent digits have been trimmed the quotient |
|
|
5671 can be off by an additional value of one for a total of at most two. This implies that |
|
|
5672 $0 \le a - b \cdot \lfloor (q_0 \cdot \mu) / \beta^{m+1} \rfloor < 3b$. By first subtracting $b$ times the quotient and then conditionally subtracting |
|
|
5673 $b$ once or twice the residue is found. |
|
|
5674 |
|
|
5675 The quotient is now found using $(m + 1)(m) = m^2 + m$ single precision multiplications and the residue with an additional $m^2$ single |
|
|
5676 precision multiplications, ignoring the subtractions required. In total $2m^2 + m$ single precision multiplications are required to find the residue. |
|
|
5677 This is considerably faster than the original attempt. |
|
|
5678 |
|
|
5679 For example, let $\beta = 10$ represent the radix of the digits. Let $b = 9999$ represent the modulus which implies $m = 4$. Let $a = 99929878$ |
|
|
5680 represent the value of which the residue is desired. In this case $q = 8$ since $10^7 < 9999^2$ meaning that $\mu = \lfloor \beta^{q}/b \rfloor = 10001$. |
|
|
5681 With the new observation the multiplicand for the quotient is equal to $q_0 = \lfloor a / \beta^{m - 1} \rfloor = 99929$. The quotient is then |
|
|
5682 $\lfloor (q_0 \cdot \mu) / \beta^{m+1} \rfloor = 9993$. Subtracting $9993b$ from $a$ and the correct residue $a \equiv 9871 \mbox{ (mod }b\mbox{)}$ |
|
|
5683 is found. |
|
|
5684 |
|
|
5685 \subsection{Trimming the Quotient} |
|
|
5686 So far the reduction algorithm has been optimized from $3m^2$ single precision multiplications down to $2m^2 + m$ single precision multiplications. As |
|
|
5687 it stands now the algorithm is already fairly fast compared to a full integer division algorithm. However, there is still room for |
|
|
5688 optimization. |
|
|
5689 |
|
|
5690 After the first multiplication inside the quotient ($q_0 \cdot \mu$) the value is shifted right by $m + 1$ places effectively nullifying the lower |
|
|
5691 half of the product. It would be nice to be able to remove those digits from the product to effectively cut down the number of single precision |
|
|
5692 multiplications. If the number of digits in the modulus $m$ is far less than $\beta$ a full product is not required for the algorithm to work properly. |
|
|
5693 In fact the lower $m - 2$ digits will not affect the upper half of the product at all and do not need to be computed. |
|
|
5694 |
|
|
5695 The value of $\mu$ is a $m$-digit number and $q_0$ is a $m + 1$ digit number. Using a full multiplier $(m + 1)(m) = m^2 + m$ single precision |
|
|
5696 multiplications would be required. Using a multiplier that will only produce digits at and above the $m - 1$'th digit reduces the number |
|
|
5697 of single precision multiplications to ${m^2 + m} \over 2$ single precision multiplications. |
|
|
5698 |
|
|
5699 \subsection{Trimming the Residue} |
|
|
5700 After the quotient has been calculated it is used to reduce the input. As previously noted the algorithm is not exact and it can be off by a small |
|
|
5701 multiple of the modulus, that is $0 \le a - b \cdot \lfloor (q_0 \cdot \mu) / \beta^{m+1} \rfloor < 3b$. If $b$ is $m$ digits than the |
|
|
5702 result of reduction equation is a value of at most $m + 1$ digits (\textit{provided $3 < \beta$}) implying that the upper $m - 1$ digits are |
|
|
5703 implicitly zero. |
|
|
5704 |
|
|
5705 The next optimization arises from this very fact. Instead of computing $b \cdot \lfloor (q_0 \cdot \mu) / \beta^{m+1} \rfloor$ using a full |
|
|
5706 $O(m^2)$ multiplication algorithm only the lower $m+1$ digits of the product have to be computed. Similarly the value of $a$ can |
|
|
5707 be reduced modulo $\beta^{m+1}$ before the multiple of $b$ is subtracted which simplifes the subtraction as well. A multiplication that produces |
|
|
5708 only the lower $m+1$ digits requires ${m^2 + 3m - 2} \over 2$ single precision multiplications. |
|
|
5709 |
|
|
5710 With both optimizations in place the algorithm is the algorithm Barrett proposed. It requires $m^2 + 2m - 1$ single precision multiplications which |
|
|
5711 is considerably faster than the straightforward $3m^2$ method. |
|
|
5712 |
|
|
5713 \subsection{The Barrett Algorithm} |
|
|
5714 \newpage\begin{figure}[!here] |
|
|
5715 \begin{small} |
|
|
5716 \begin{center} |
|
|
5717 \begin{tabular}{l} |
|
|
5718 \hline Algorithm \textbf{mp\_reduce}. \\ |
|
|
5719 \textbf{Input}. mp\_int $a$, mp\_int $b$ and $\mu = \lfloor \beta^{2m}/b \rfloor, m = \lceil lg_{\beta}(b) \rceil, (0 \le a < b^2, b > 1)$ \\ |
|
|
5720 \textbf{Output}. $a \mbox{ (mod }b\mbox{)}$ \\ |
|
|
5721 \hline \\ |
|
|
5722 Let $m$ represent the number of digits in $b$. \\ |
|
|
5723 1. Make a copy of $a$ and store it in $q$. (\textit{mp\_init\_copy}) \\ |
|
|
5724 2. $q \leftarrow \lfloor q / \beta^{m - 1} \rfloor$ (\textit{mp\_rshd}) \\ |
|
|
5725 \\ |
|
|
5726 Produce the quotient. \\ |
|
|
5727 3. $q \leftarrow q \cdot \mu$ (\textit{note: only produce digits at or above $m-1$}) \\ |
|
|
5728 4. $q \leftarrow \lfloor q / \beta^{m + 1} \rfloor$ \\ |
|
|
5729 \\ |
|
|
5730 Subtract the multiple of modulus from the input. \\ |
|
|
5731 5. $a \leftarrow a \mbox{ (mod }\beta^{m+1}\mbox{)}$ (\textit{mp\_mod\_2d}) \\ |
|
|
5732 6. $q \leftarrow q \cdot b \mbox{ (mod }\beta^{m+1}\mbox{)}$ (\textit{s\_mp\_mul\_digs}) \\ |
|
|
5733 7. $a \leftarrow a - q$ (\textit{mp\_sub}) \\ |
|
|
5734 \\ |
|
|
5735 Add $\beta^{m+1}$ if a carry occured. \\ |
|
|
5736 8. If $a < 0$ then (\textit{mp\_cmp\_d}) \\ |
|
|
5737 \hspace{3mm}8.1 $q \leftarrow 1$ (\textit{mp\_set}) \\ |
|
|
5738 \hspace{3mm}8.2 $q \leftarrow q \cdot \beta^{m+1}$ (\textit{mp\_lshd}) \\ |
|
|
5739 \hspace{3mm}8.3 $a \leftarrow a + q$ \\ |
|
|
5740 \\ |
|
|
5741 Now subtract the modulus if the residue is too large (e.g. quotient too small). \\ |
|
|
5742 9. While $a \ge b$ do (\textit{mp\_cmp}) \\ |
|
|
5743 \hspace{3mm}9.1 $c \leftarrow a - b$ \\ |
|
|
5744 10. Clear $q$. \\ |
|
|
5745 11. Return(\textit{MP\_OKAY}) \\ |
|
|
5746 \hline |
|
|
5747 \end{tabular} |
|
|
5748 \end{center} |
|
|
5749 \end{small} |
|
|
5750 \caption{Algorithm mp\_reduce} |
|
|
5751 \end{figure} |
|
|
5752 |
|
|
5753 \textbf{Algorithm mp\_reduce.} |
|
|
5754 This algorithm will reduce the input $a$ modulo $b$ in place using the Barrett algorithm. It is loosely based on algorithm 14.42 of HAC |
|
|
5755 \cite[pp. 602]{HAC} which is based on the paper from Paul Barrett \cite{BARRETT}. The algorithm has several restrictions and assumptions which must |
|
|
5756 be adhered to for the algorithm to work. |
|
|
5757 |
|
|
5758 First the modulus $b$ is assumed to be positive and greater than one. If the modulus were less than or equal to one than subtracting |
|
|
5759 a multiple of it would either accomplish nothing or actually enlarge the input. The input $a$ must be in the range $0 \le a < b^2$ in order |
|
|
5760 for the quotient to have enough precision. If $a$ is the product of two numbers that were already reduced modulo $b$, this will not be a problem. |
|
|
5761 Technically the algorithm will still work if $a \ge b^2$ but it will take much longer to finish. The value of $\mu$ is passed as an argument to this |
|
|
5762 algorithm and is assumed to be calculated and stored before the algorithm is used. |
|
|
5763 |
|
|
5764 Recall that the multiplication for the quotient on step 3 must only produce digits at or above the $m-1$'th position. An algorithm called |
|
|
5765 $s\_mp\_mul\_high\_digs$ which has not been presented is used to accomplish this task. The algorithm is based on $s\_mp\_mul\_digs$ except that |
|
|
5766 instead of stopping at a given level of precision it starts at a given level of precision. This optimal algorithm can only be used if the number |
|
|
5767 of digits in $b$ is very much smaller than $\beta$. |
|
|
5768 |
|
|
5769 While it is known that |
|
|
5770 $a \ge b \cdot \lfloor (q_0 \cdot \mu) / \beta^{m+1} \rfloor$ only the lower $m+1$ digits are being used to compute the residue, so an implied |
|
|
5771 ``borrow'' from the higher digits might leave a negative result. After the multiple of the modulus has been subtracted from $a$ the residue must be |
|
|
5772 fixed up in case it is negative. The invariant $\beta^{m+1}$ must be added to the residue to make it positive again. |
|
|
5773 |
|
|
5774 The while loop at step 9 will subtract $b$ until the residue is less than $b$. If the algorithm is performed correctly this step is |
|
|
5775 performed at most twice, and on average once. However, if $a \ge b^2$ than it will iterate substantially more times than it should. |
|
|
5776 |
|
|
5777 \vspace{+3mm}\begin{small} |
|
|
5778 \hspace{-5.1mm}{\bf File}: bn\_mp\_reduce.c |
|
|
5779 \vspace{-3mm} |
|
|
5780 \begin{alltt} |
|
|
5781 016 |
|
|
5782 017 /* reduces x mod m, assumes 0 < x < m**2, mu is |
|
|
5783 018 * precomputed via mp_reduce_setup. |
|
|
5784 019 * From HAC pp.604 Algorithm 14.42 |
|
|
5785 020 */ |
|
|
5786 021 int mp_reduce (mp_int * x, mp_int * m, mp_int * mu) |
|
|
5787 022 \{ |
|
|
5788 023 mp_int q; |
|
|
5789 024 int res, um = m->used; |
|
|
5790 025 |
|
|
5791 026 /* q = x */ |
|
|
5792 027 if ((res = mp_init_copy (&q, x)) != MP_OKAY) \{ |
|
|
5793 028 return res; |
|
|
5794 029 \} |
|
|
5795 030 |
|
|
5796 031 /* q1 = x / b**(k-1) */ |
|
|
5797 032 mp_rshd (&q, um - 1); |
|
|
5798 033 |
|
|
5799 034 /* according to HAC this optimization is ok */ |
|
|
5800 035 if (((unsigned long) um) > (((mp_digit)1) << (DIGIT_BIT - 1))) \{ |
|
|
5801 036 if ((res = mp_mul (&q, mu, &q)) != MP_OKAY) \{ |
|
|
5802 037 goto CLEANUP; |
|
|
5803 038 \} |
|
|
5804 039 \} else \{ |
|
|
5805 040 #ifdef BN_S_MP_MUL_HIGH_DIGS_C |
|
|
5806 041 if ((res = s_mp_mul_high_digs (&q, mu, &q, um)) != MP_OKAY) \{ |
|
|
5807 042 goto CLEANUP; |
|
|
5808 043 \} |
|
|
5809 044 #elif defined(BN_FAST_S_MP_MUL_HIGH_DIGS_C) |
|
|
5810 045 if ((res = fast_s_mp_mul_high_digs (&q, mu, &q, um)) != MP_OKAY) \{ |
|
|
5811 046 goto CLEANUP; |
|
|
5812 047 \} |
|
|
5813 048 #else |
|
|
5814 049 \{ |
|
|
5815 050 res = MP_VAL; |
|
|
5816 051 goto CLEANUP; |
|
|
5817 052 \} |
|
|
5818 053 #endif |
|
|
5819 054 \} |
|
|
5820 055 |
|
|
5821 056 /* q3 = q2 / b**(k+1) */ |
|
|
5822 057 mp_rshd (&q, um + 1); |
|
|
5823 058 |
|
|
5824 059 /* x = x mod b**(k+1), quick (no division) */ |
|
|
5825 060 if ((res = mp_mod_2d (x, DIGIT_BIT * (um + 1), x)) != MP_OKAY) \{ |
|
|
5826 061 goto CLEANUP; |
|
|
5827 062 \} |
|
|
5828 063 |
|
|
5829 064 /* q = q * m mod b**(k+1), quick (no division) */ |
|
|
5830 065 if ((res = s_mp_mul_digs (&q, m, &q, um + 1)) != MP_OKAY) \{ |
|
|
5831 066 goto CLEANUP; |
|
|
5832 067 \} |
|
|
5833 068 |
|
|
5834 069 /* x = x - q */ |
|
|
5835 070 if ((res = mp_sub (x, &q, x)) != MP_OKAY) \{ |
|
|
5836 071 goto CLEANUP; |
|
|
5837 072 \} |
|
|
5838 073 |
|
|
5839 074 /* If x < 0, add b**(k+1) to it */ |
|
|
5840 075 if (mp_cmp_d (x, 0) == MP_LT) \{ |
|
|
5841 076 mp_set (&q, 1); |
|
|
5842 077 if ((res = mp_lshd (&q, um + 1)) != MP_OKAY) |
|
|
5843 078 goto CLEANUP; |
|
|
5844 079 if ((res = mp_add (x, &q, x)) != MP_OKAY) |
|
|
5845 080 goto CLEANUP; |
|
|
5846 081 \} |
|
|
5847 082 |
|
|
5848 083 /* Back off if it's too big */ |
|
|
5849 084 while (mp_cmp (x, m) != MP_LT) \{ |
|
|
5850 085 if ((res = s_mp_sub (x, m, x)) != MP_OKAY) \{ |
|
|
5851 086 goto CLEANUP; |
|
|
5852 087 \} |
|
|
5853 088 \} |
|
|
5854 089 |
|
|
5855 090 CLEANUP: |
|
|
5856 091 mp_clear (&q); |
|
|
5857 092 |
|
|
5858 093 return res; |
|
|
5859 094 \} |
|
|
5860 095 #endif |
|
386
|
5861 096 |
|
282
|
5862 \end{alltt} |
|
|
5863 \end{small} |
|
|
5864 |
|
|
5865 The first multiplication that determines the quotient can be performed by only producing the digits from $m - 1$ and up. This essentially halves |
|
|
5866 the number of single precision multiplications required. However, the optimization is only safe if $\beta$ is much larger than the number of digits |
|
|
5867 in the modulus. In the source code this is evaluated on lines 36 to 43 where algorithm s\_mp\_mul\_high\_digs is used when it is |
|
|
5868 safe to do so. |
|
|
5869 |
|
|
5870 \subsection{The Barrett Setup Algorithm} |
|
|
5871 In order to use algorithm mp\_reduce the value of $\mu$ must be calculated in advance. Ideally this value should be computed once and stored for |
|
|
5872 future use so that the Barrett algorithm can be used without delay. |
|
|
5873 |
|
|
5874 \newpage\begin{figure}[!here] |
|
|
5875 \begin{small} |
|
|
5876 \begin{center} |
|
|
5877 \begin{tabular}{l} |
|
|
5878 \hline Algorithm \textbf{mp\_reduce\_setup}. \\ |
|
|
5879 \textbf{Input}. mp\_int $a$ ($a > 1$) \\ |
|
|
5880 \textbf{Output}. $\mu \leftarrow \lfloor \beta^{2m}/a \rfloor$ \\ |
|
|
5881 \hline \\ |
|
|
5882 1. $\mu \leftarrow 2^{2 \cdot lg(\beta) \cdot m}$ (\textit{mp\_2expt}) \\ |
|
|
5883 2. $\mu \leftarrow \lfloor \mu / b \rfloor$ (\textit{mp\_div}) \\ |
|
|
5884 3. Return(\textit{MP\_OKAY}) \\ |
|
|
5885 \hline |
|
|
5886 \end{tabular} |
|
|
5887 \end{center} |
|
|
5888 \end{small} |
|
|
5889 \caption{Algorithm mp\_reduce\_setup} |
|
|
5890 \end{figure} |
|
|
5891 |
|
|
5892 \textbf{Algorithm mp\_reduce\_setup.} |
|
|
5893 This algorithm computes the reciprocal $\mu$ required for Barrett reduction. First $\beta^{2m}$ is calculated as $2^{2 \cdot lg(\beta) \cdot m}$ which |
|
|
5894 is equivalent and much faster. The final value is computed by taking the integer quotient of $\lfloor \mu / b \rfloor$. |
|
|
5895 |
|
|
5896 \vspace{+3mm}\begin{small} |
|
|
5897 \hspace{-5.1mm}{\bf File}: bn\_mp\_reduce\_setup.c |
|
|
5898 \vspace{-3mm} |
|
|
5899 \begin{alltt} |
|
|
5900 016 |
|
|
5901 017 /* pre-calculate the value required for Barrett reduction |
|
|
5902 018 * For a given modulus "b" it calulates the value required in "a" |
|
|
5903 019 */ |
|
|
5904 020 int mp_reduce_setup (mp_int * a, mp_int * b) |
|
|
5905 021 \{ |
|
|
5906 022 int res; |
|
|
5907 023 |
|
|
5908 024 if ((res = mp_2expt (a, b->used * 2 * DIGIT_BIT)) != MP_OKAY) \{ |
|
|
5909 025 return res; |
|
|
5910 026 \} |
|
|
5911 027 return mp_div (a, b, a, NULL); |
|
|
5912 028 \} |
|
|
5913 029 #endif |
|
386
|
5914 030 |
|
282
|
5915 \end{alltt} |
|
|
5916 \end{small} |
|
|
5917 |
|
|
5918 This simple routine calculates the reciprocal $\mu$ required by Barrett reduction. Note the extended usage of algorithm mp\_div where the variable |
|
|
5919 which would received the remainder is passed as NULL. As will be discussed in~\ref{sec:division} the division routine allows both the quotient and the |
|
|
5920 remainder to be passed as NULL meaning to ignore the value. |
|
|
5921 |
|
|
5922 \section{The Montgomery Reduction} |
|
|
5923 Montgomery reduction\footnote{Thanks to Niels Ferguson for his insightful explanation of the algorithm.} \cite{MONT} is by far the most interesting |
|
|
5924 form of reduction in common use. It computes a modular residue which is not actually equal to the residue of the input yet instead equal to a |
|
|
5925 residue times a constant. However, as perplexing as this may sound the algorithm is relatively simple and very efficient. |
|
|
5926 |
|
|
5927 Throughout this entire section the variable $n$ will represent the modulus used to form the residue. As will be discussed shortly the value of |
|
|
5928 $n$ must be odd. The variable $x$ will represent the quantity of which the residue is sought. Similar to the Barrett algorithm the input |
|
|
5929 is restricted to $0 \le x < n^2$. To begin the description some simple number theory facts must be established. |
|
|
5930 |
|
|
5931 \textbf{Fact 1.} Adding $n$ to $x$ does not change the residue since in effect it adds one to the quotient $\lfloor x / n \rfloor$. Another way |
|
|
5932 to explain this is that $n$ is (\textit{or multiples of $n$ are}) congruent to zero modulo $n$. Adding zero will not change the value of the residue. |
|
|
5933 |
|
|
5934 \textbf{Fact 2.} If $x$ is even then performing a division by two in $\Z$ is congruent to $x \cdot 2^{-1} \mbox{ (mod }n\mbox{)}$. Actually |
|
|
5935 this is an application of the fact that if $x$ is evenly divisible by any $k \in \Z$ then division in $\Z$ will be congruent to |
|
|
5936 multiplication by $k^{-1}$ modulo $n$. |
|
|
5937 |
|
|
5938 From these two simple facts the following simple algorithm can be derived. |
|
|
5939 |
|
|
5940 \newpage\begin{figure}[!here] |
|
|
5941 \begin{small} |
|
|
5942 \begin{center} |
|
|
5943 \begin{tabular}{l} |
|
|
5944 \hline Algorithm \textbf{Montgomery Reduction}. \\ |
|
|
5945 \textbf{Input}. Integer $x$, $n$ and $k$ \\ |
|
|
5946 \textbf{Output}. $2^{-k}x \mbox{ (mod }n\mbox{)}$ \\ |
|
|
5947 \hline \\ |
|
|
5948 1. for $t$ from $1$ to $k$ do \\ |
|
|
5949 \hspace{3mm}1.1 If $x$ is odd then \\ |
|
|
5950 \hspace{6mm}1.1.1 $x \leftarrow x + n$ \\ |
|
|
5951 \hspace{3mm}1.2 $x \leftarrow x/2$ \\ |
|
|
5952 2. Return $x$. \\ |
|
|
5953 \hline |
|
|
5954 \end{tabular} |
|
|
5955 \end{center} |
|
|
5956 \end{small} |
|
|
5957 \caption{Algorithm Montgomery Reduction} |
|
|
5958 \end{figure} |
|
|
5959 |
|
|
5960 The algorithm reduces the input one bit at a time using the two congruencies stated previously. Inside the loop $n$, which is odd, is |
|
|
5961 added to $x$ if $x$ is odd. This forces $x$ to be even which allows the division by two in $\Z$ to be congruent to a modular division by two. Since |
|
|
5962 $x$ is assumed to be initially much larger than $n$ the addition of $n$ will contribute an insignificant magnitude to $x$. Let $r$ represent the |
|
|
5963 final result of the Montgomery algorithm. If $k > lg(n)$ and $0 \le x < n^2$ then the final result is limited to |
|
|
5964 $0 \le r < \lfloor x/2^k \rfloor + n$. As a result at most a single subtraction is required to get the residue desired. |
|
|
5965 |
|
|
5966 \begin{figure}[here] |
|
|
5967 \begin{small} |
|
|
5968 \begin{center} |
|
|
5969 \begin{tabular}{|c|l|} |
|
|
5970 \hline \textbf{Step number ($t$)} & \textbf{Result ($x$)} \\ |
|
|
5971 \hline $1$ & $x + n = 5812$, $x/2 = 2906$ \\ |
|
|
5972 \hline $2$ & $x/2 = 1453$ \\ |
|
|
5973 \hline $3$ & $x + n = 1710$, $x/2 = 855$ \\ |
|
|
5974 \hline $4$ & $x + n = 1112$, $x/2 = 556$ \\ |
|
|
5975 \hline $5$ & $x/2 = 278$ \\ |
|
|
5976 \hline $6$ & $x/2 = 139$ \\ |
|
|
5977 \hline $7$ & $x + n = 396$, $x/2 = 198$ \\ |
|
|
5978 \hline $8$ & $x/2 = 99$ \\ |
|
386
|
5979 \hline $9$ & $x + n = 356$, $x/2 = 178$ \\ |
|
282
|
5980 \hline |
|
|
5981 \end{tabular} |
|
|
5982 \end{center} |
|
|
5983 \end{small} |
|
|
5984 \caption{Example of Montgomery Reduction (I)} |
|
|
5985 \label{fig:MONT1} |
|
|
5986 \end{figure} |
|
|
5987 |
|
386
|
5988 Consider the example in figure~\ref{fig:MONT1} which reduces $x = 5555$ modulo $n = 257$ when $k = 9$ (note $\beta^k = 512$ which is larger than $n$). The result of |
|
|
5989 the algorithm $r = 178$ is congruent to the value of $2^{-9} \cdot 5555 \mbox{ (mod }257\mbox{)}$. When $r$ is multiplied by $2^9$ modulo $257$ the correct residue |
|
282
|
5990 $r \equiv 158$ is produced. |
|
|
5991 |
|
|
5992 Let $k = \lfloor lg(n) \rfloor + 1$ represent the number of bits in $n$. The current algorithm requires $2k^2$ single precision shifts |
|
|
5993 and $k^2$ single precision additions. At this rate the algorithm is most certainly slower than Barrett reduction and not terribly useful. |
|
|
5994 Fortunately there exists an alternative representation of the algorithm. |
|
|
5995 |
|
|
5996 \begin{figure}[!here] |
|
|
5997 \begin{small} |
|
|
5998 \begin{center} |
|
|
5999 \begin{tabular}{l} |
|
|
6000 \hline Algorithm \textbf{Montgomery Reduction} (modified I). \\ |
|
386
|
6001 \textbf{Input}. Integer $x$, $n$ and $k$ ($2^k > n$) \\ |
|
282
|
6002 \textbf{Output}. $2^{-k}x \mbox{ (mod }n\mbox{)}$ \\ |
|
|
6003 \hline \\ |
|
386
|
6004 1. for $t$ from $1$ to $k$ do \\ |
|
282
|
6005 \hspace{3mm}1.1 If the $t$'th bit of $x$ is one then \\ |
|
|
6006 \hspace{6mm}1.1.1 $x \leftarrow x + 2^tn$ \\ |
|
|
6007 2. Return $x/2^k$. \\ |
|
|
6008 \hline |
|
|
6009 \end{tabular} |
|
|
6010 \end{center} |
|
|
6011 \end{small} |
|
|
6012 \caption{Algorithm Montgomery Reduction (modified I)} |
|
|
6013 \end{figure} |
|
|
6014 |
|
|
6015 This algorithm is equivalent since $2^tn$ is a multiple of $n$ and the lower $k$ bits of $x$ are zero by step 2. The number of single |
|
|
6016 precision shifts has now been reduced from $2k^2$ to $k^2 + k$ which is only a small improvement. |
|
|
6017 |
|
|
6018 \begin{figure}[here] |
|
|
6019 \begin{small} |
|
|
6020 \begin{center} |
|
|
6021 \begin{tabular}{|c|l|r|} |
|
|
6022 \hline \textbf{Step number ($t$)} & \textbf{Result ($x$)} & \textbf{Result ($x$) in Binary} \\ |
|
|
6023 \hline -- & $5555$ & $1010110110011$ \\ |
|
|
6024 \hline $1$ & $x + 2^{0}n = 5812$ & $1011010110100$ \\ |
|
|
6025 \hline $2$ & $5812$ & $1011010110100$ \\ |
|
|
6026 \hline $3$ & $x + 2^{2}n = 6840$ & $1101010111000$ \\ |
|
|
6027 \hline $4$ & $x + 2^{3}n = 8896$ & $10001011000000$ \\ |
|
|
6028 \hline $5$ & $8896$ & $10001011000000$ \\ |
|
|
6029 \hline $6$ & $8896$ & $10001011000000$ \\ |
|
|
6030 \hline $7$ & $x + 2^{6}n = 25344$ & $110001100000000$ \\ |
|
|
6031 \hline $8$ & $25344$ & $110001100000000$ \\ |
|
386
|
6032 \hline $9$ & $x + 2^{7}n = 91136$ & $10110010000000000$ \\ |
|
|
6033 \hline -- & $x/2^k = 178$ & \\ |
|
282
|
6034 \hline |
|
|
6035 \end{tabular} |
|
|
6036 \end{center} |
|
|
6037 \end{small} |
|
|
6038 \caption{Example of Montgomery Reduction (II)} |
|
|
6039 \label{fig:MONT2} |
|
|
6040 \end{figure} |
|
|
6041 |
|
386
|
6042 Figure~\ref{fig:MONT2} demonstrates the modified algorithm reducing $x = 5555$ modulo $n = 257$ with $k = 9$. |
|
282
|
6043 With this algorithm a single shift right at the end is the only right shift required to reduce the input instead of $k$ right shifts inside the |
|
|
6044 loop. Note that for the iterations $t = 2, 5, 6$ and $8$ where the result $x$ is not changed. In those iterations the $t$'th bit of $x$ is |
|
|
6045 zero and the appropriate multiple of $n$ does not need to be added to force the $t$'th bit of the result to zero. |
|
|
6046 |
|
|
6047 \subsection{Digit Based Montgomery Reduction} |
|
|
6048 Instead of computing the reduction on a bit-by-bit basis it is actually much faster to compute it on digit-by-digit basis. Consider the |
|
|
6049 previous algorithm re-written to compute the Montgomery reduction in this new fashion. |
|
|
6050 |
|
|
6051 \begin{figure}[!here] |
|
|
6052 \begin{small} |
|
|
6053 \begin{center} |
|
|
6054 \begin{tabular}{l} |
|
|
6055 \hline Algorithm \textbf{Montgomery Reduction} (modified II). \\ |
|
386
|
6056 \textbf{Input}. Integer $x$, $n$ and $k$ ($\beta^k > n$) \\ |
|
282
|
6057 \textbf{Output}. $\beta^{-k}x \mbox{ (mod }n\mbox{)}$ \\ |
|
|
6058 \hline \\ |
|
|
6059 1. for $t$ from $0$ to $k - 1$ do \\ |
|
|
6060 \hspace{3mm}1.1 $x \leftarrow x + \mu n \beta^t$ \\ |
|
|
6061 2. Return $x/\beta^k$. \\ |
|
|
6062 \hline |
|
|
6063 \end{tabular} |
|
|
6064 \end{center} |
|
|
6065 \end{small} |
|
|
6066 \caption{Algorithm Montgomery Reduction (modified II)} |
|
|
6067 \end{figure} |
|
|
6068 |
|
|
6069 The value $\mu n \beta^t$ is a multiple of the modulus $n$ meaning that it will not change the residue. If the first digit of |
|
|
6070 the value $\mu n \beta^t$ equals the negative (modulo $\beta$) of the $t$'th digit of $x$ then the addition will result in a zero digit. This |
|
|
6071 problem breaks down to solving the following congruency. |
|
|
6072 |
|
|
6073 \begin{center} |
|
|
6074 \begin{tabular}{rcl} |
|
|
6075 $x_t + \mu n_0$ & $\equiv$ & $0 \mbox{ (mod }\beta\mbox{)}$ \\ |
|
|
6076 $\mu n_0$ & $\equiv$ & $-x_t \mbox{ (mod }\beta\mbox{)}$ \\ |
|
|
6077 $\mu$ & $\equiv$ & $-x_t/n_0 \mbox{ (mod }\beta\mbox{)}$ \\ |
|
|
6078 \end{tabular} |
|
|
6079 \end{center} |
|
|
6080 |
|
|
6081 In each iteration of the loop on step 1 a new value of $\mu$ must be calculated. The value of $-1/n_0 \mbox{ (mod }\beta\mbox{)}$ is used |
|
|
6082 extensively in this algorithm and should be precomputed. Let $\rho$ represent the negative of the modular inverse of $n_0$ modulo $\beta$. |
|
|
6083 |
|
|
6084 For example, let $\beta = 10$ represent the radix. Let $n = 17$ represent the modulus which implies $k = 2$ and $\rho \equiv 7$. Let $x = 33$ |
|
|
6085 represent the value to reduce. |
|
|
6086 |
|
|
6087 \newpage\begin{figure} |
|
|
6088 \begin{center} |
|
|
6089 \begin{tabular}{|c|c|c|} |
|
|
6090 \hline \textbf{Step ($t$)} & \textbf{Value of $x$} & \textbf{Value of $\mu$} \\ |
|
|
6091 \hline -- & $33$ & --\\ |
|
|
6092 \hline $0$ & $33 + \mu n = 50$ & $1$ \\ |
|
|
6093 \hline $1$ & $50 + \mu n \beta = 900$ & $5$ \\ |
|
|
6094 \hline |
|
|
6095 \end{tabular} |
|
|
6096 \end{center} |
|
|
6097 \caption{Example of Montgomery Reduction} |
|
|
6098 \end{figure} |
|
|
6099 |
|
|
6100 The final result $900$ is then divided by $\beta^k$ to produce the final result $9$. The first observation is that $9 \nequiv x \mbox{ (mod }n\mbox{)}$ |
|
|
6101 which implies the result is not the modular residue of $x$ modulo $n$. However, recall that the residue is actually multiplied by $\beta^{-k}$ in |
|
|
6102 the algorithm. To get the true residue the value must be multiplied by $\beta^k$. In this case $\beta^k \equiv 15 \mbox{ (mod }n\mbox{)}$ and |
|
|
6103 the correct residue is $9 \cdot 15 \equiv 16 \mbox{ (mod }n\mbox{)}$. |
|
|
6104 |
|
|
6105 \subsection{Baseline Montgomery Reduction} |
|
|
6106 The baseline Montgomery reduction algorithm will produce the residue for any size input. It is designed to be a catch-all algororithm for |
|
|
6107 Montgomery reductions. |
|
|
6108 |
|
|
6109 \newpage\begin{figure}[!here] |
|
|
6110 \begin{small} |
|
|
6111 \begin{center} |
|
|
6112 \begin{tabular}{l} |
|
|
6113 \hline Algorithm \textbf{mp\_montgomery\_reduce}. \\ |
|
|
6114 \textbf{Input}. mp\_int $x$, mp\_int $n$ and a digit $\rho \equiv -1/n_0 \mbox{ (mod }n\mbox{)}$. \\ |
|
|
6115 \hspace{11.5mm}($0 \le x < n^2, n > 1, (n, \beta) = 1, \beta^k > n$) \\ |
|
|
6116 \textbf{Output}. $\beta^{-k}x \mbox{ (mod }n\mbox{)}$ \\ |
|
|
6117 \hline \\ |
|
|
6118 1. $digs \leftarrow 2n.used + 1$ \\ |
|
|
6119 2. If $digs < MP\_ARRAY$ and $m.used < \delta$ then \\ |
|
|
6120 \hspace{3mm}2.1 Use algorithm fast\_mp\_montgomery\_reduce instead. \\ |
|
|
6121 \\ |
|
|
6122 Setup $x$ for the reduction. \\ |
|
|
6123 3. If $x.alloc < digs$ then grow $x$ to $digs$ digits. \\ |
|
|
6124 4. $x.used \leftarrow digs$ \\ |
|
|
6125 \\ |
|
|
6126 Eliminate the lower $k$ digits. \\ |
|
|
6127 5. For $ix$ from $0$ to $k - 1$ do \\ |
|
|
6128 \hspace{3mm}5.1 $\mu \leftarrow x_{ix} \cdot \rho \mbox{ (mod }\beta\mbox{)}$ \\ |
|
|
6129 \hspace{3mm}5.2 $u \leftarrow 0$ \\ |
|
|
6130 \hspace{3mm}5.3 For $iy$ from $0$ to $k - 1$ do \\ |
|
|
6131 \hspace{6mm}5.3.1 $\hat r \leftarrow \mu n_{iy} + x_{ix + iy} + u$ \\ |
|
|
6132 \hspace{6mm}5.3.2 $x_{ix + iy} \leftarrow \hat r \mbox{ (mod }\beta\mbox{)}$ \\ |
|
|
6133 \hspace{6mm}5.3.3 $u \leftarrow \lfloor \hat r / \beta \rfloor$ \\ |
|
|
6134 \hspace{3mm}5.4 While $u > 0$ do \\ |
|
|
6135 \hspace{6mm}5.4.1 $iy \leftarrow iy + 1$ \\ |
|
|
6136 \hspace{6mm}5.4.2 $x_{ix + iy} \leftarrow x_{ix + iy} + u$ \\ |
|
|
6137 \hspace{6mm}5.4.3 $u \leftarrow \lfloor x_{ix+iy} / \beta \rfloor$ \\ |
|
|
6138 \hspace{6mm}5.4.4 $x_{ix + iy} \leftarrow x_{ix+iy} \mbox{ (mod }\beta\mbox{)}$ \\ |
|
|
6139 \\ |
|
|
6140 Divide by $\beta^k$ and fix up as required. \\ |
|
|
6141 6. $x \leftarrow \lfloor x / \beta^k \rfloor$ \\ |
|
|
6142 7. If $x \ge n$ then \\ |
|
|
6143 \hspace{3mm}7.1 $x \leftarrow x - n$ \\ |
|
|
6144 8. Return(\textit{MP\_OKAY}). \\ |
|
|
6145 \hline |
|
|
6146 \end{tabular} |
|
|
6147 \end{center} |
|
|
6148 \end{small} |
|
|
6149 \caption{Algorithm mp\_montgomery\_reduce} |
|
|
6150 \end{figure} |
|
|
6151 |
|
|
6152 \textbf{Algorithm mp\_montgomery\_reduce.} |
|
|
6153 This algorithm reduces the input $x$ modulo $n$ in place using the Montgomery reduction algorithm. The algorithm is loosely based |
|
|
6154 on algorithm 14.32 of \cite[pp.601]{HAC} except it merges the multiplication of $\mu n \beta^t$ with the addition in the inner loop. The |
|
|
6155 restrictions on this algorithm are fairly easy to adapt to. First $0 \le x < n^2$ bounds the input to numbers in the same range as |
|
|
6156 for the Barrett algorithm. Additionally if $n > 1$ and $n$ is odd there will exist a modular inverse $\rho$. $\rho$ must be calculated in |
|
|
6157 advance of this algorithm. Finally the variable $k$ is fixed and a pseudonym for $n.used$. |
|
|
6158 |
|
|
6159 Step 2 decides whether a faster Montgomery algorithm can be used. It is based on the Comba technique meaning that there are limits on |
|
|
6160 the size of the input. This algorithm is discussed in sub-section 6.3.3. |
|
|
6161 |
|
|
6162 Step 5 is the main reduction loop of the algorithm. The value of $\mu$ is calculated once per iteration in the outer loop. The inner loop |
|
|
6163 calculates $x + \mu n \beta^{ix}$ by multiplying $\mu n$ and adding the result to $x$ shifted by $ix$ digits. Both the addition and |
|
|
6164 multiplication are performed in the same loop to save time and memory. Step 5.4 will handle any additional carries that escape the inner loop. |
|
|
6165 |
|
|
6166 Using a quick inspection this algorithm requires $n$ single precision multiplications for the outer loop and $n^2$ single precision multiplications |
|
|
6167 in the inner loop. In total $n^2 + n$ single precision multiplications which compares favourably to Barrett at $n^2 + 2n - 1$ single precision |
|
|
6168 multiplications. |
|
|
6169 |
|
|
6170 \vspace{+3mm}\begin{small} |
|
|
6171 \hspace{-5.1mm}{\bf File}: bn\_mp\_montgomery\_reduce.c |
|
|
6172 \vspace{-3mm} |
|
|
6173 \begin{alltt} |
|
|
6174 016 |
|
|
6175 017 /* computes xR**-1 == x (mod N) via Montgomery Reduction */ |
|
|
6176 018 int |
|
|
6177 019 mp_montgomery_reduce (mp_int * x, mp_int * n, mp_digit rho) |
|
|
6178 020 \{ |
|
|
6179 021 int ix, res, digs; |
|
|
6180 022 mp_digit mu; |
|
|
6181 023 |
|
|
6182 024 /* can the fast reduction [comba] method be used? |
|
|
6183 025 * |
|
|
6184 026 * Note that unlike in mul you're safely allowed *less* |
|
|
6185 027 * than the available columns [255 per default] since carries |
|
|
6186 028 * are fixed up in the inner loop. |
|
|
6187 029 */ |
|
|
6188 030 digs = n->used * 2 + 1; |
|
|
6189 031 if ((digs < MP_WARRAY) && |
|
|
6190 032 n->used < |
|
|
6191 033 (1 << ((CHAR_BIT * sizeof (mp_word)) - (2 * DIGIT_BIT)))) \{ |
|
|
6192 034 return fast_mp_montgomery_reduce (x, n, rho); |
|
|
6193 035 \} |
|
|
6194 036 |
|
|
6195 037 /* grow the input as required */ |
|
|
6196 038 if (x->alloc < digs) \{ |
|
|
6197 039 if ((res = mp_grow (x, digs)) != MP_OKAY) \{ |
|
|
6198 040 return res; |
|
|
6199 041 \} |
|
|
6200 042 \} |
|
|
6201 043 x->used = digs; |
|
|
6202 044 |
|
|
6203 045 for (ix = 0; ix < n->used; ix++) \{ |
|
|
6204 046 /* mu = ai * rho mod b |
|
|
6205 047 * |
|
|
6206 048 * The value of rho must be precalculated via |
|
|
6207 049 * montgomery_setup() such that |
|
|
6208 050 * it equals -1/n0 mod b this allows the |
|
|
6209 051 * following inner loop to reduce the |
|
|
6210 052 * input one digit at a time |
|
|
6211 053 */ |
|
|
6212 054 mu = (mp_digit) (((mp_word)x->dp[ix]) * ((mp_word)rho) & MP_MASK); |
|
|
6213 055 |
|
|
6214 056 /* a = a + mu * m * b**i */ |
|
|
6215 057 \{ |
|
|
6216 058 register int iy; |
|
|
6217 059 register mp_digit *tmpn, *tmpx, u; |
|
|
6218 060 register mp_word r; |
|
|
6219 061 |
|
|
6220 062 /* alias for digits of the modulus */ |
|
|
6221 063 tmpn = n->dp; |
|
|
6222 064 |
|
|
6223 065 /* alias for the digits of x [the input] */ |
|
|
6224 066 tmpx = x->dp + ix; |
|
|
6225 067 |
|
|
6226 068 /* set the carry to zero */ |
|
|
6227 069 u = 0; |
|
|
6228 070 |
|
|
6229 071 /* Multiply and add in place */ |
|
|
6230 072 for (iy = 0; iy < n->used; iy++) \{ |
|
|
6231 073 /* compute product and sum */ |
|
|
6232 074 r = ((mp_word)mu) * ((mp_word)*tmpn++) + |
|
|
6233 075 ((mp_word) u) + ((mp_word) * tmpx); |
|
|
6234 076 |
|
|
6235 077 /* get carry */ |
|
|
6236 078 u = (mp_digit)(r >> ((mp_word) DIGIT_BIT)); |
|
|
6237 079 |
|
|
6238 080 /* fix digit */ |
|
|
6239 081 *tmpx++ = (mp_digit)(r & ((mp_word) MP_MASK)); |
|
|
6240 082 \} |
|
|
6241 083 /* At this point the ix'th digit of x should be zero */ |
|
|
6242 084 |
|
|
6243 085 |
|
|
6244 086 /* propagate carries upwards as required*/ |
|
|
6245 087 while (u) \{ |
|
|
6246 088 *tmpx += u; |
|
|
6247 089 u = *tmpx >> DIGIT_BIT; |
|
|
6248 090 *tmpx++ &= MP_MASK; |
|
|
6249 091 \} |
|
|
6250 092 \} |
|
|
6251 093 \} |
|
|
6252 094 |
|
|
6253 095 /* at this point the n.used'th least |
|
|
6254 096 * significant digits of x are all zero |
|
|
6255 097 * which means we can shift x to the |
|
|
6256 098 * right by n.used digits and the |
|
|
6257 099 * residue is unchanged. |
|
|
6258 100 */ |
|
|
6259 101 |
|
|
6260 102 /* x = x/b**n.used */ |
|
|
6261 103 mp_clamp(x); |
|
|
6262 104 mp_rshd (x, n->used); |
|
|
6263 105 |
|
|
6264 106 /* if x >= n then x = x - n */ |
|
|
6265 107 if (mp_cmp_mag (x, n) != MP_LT) \{ |
|
|
6266 108 return s_mp_sub (x, n, x); |
|
|
6267 109 \} |
|
|
6268 110 |
|
|
6269 111 return MP_OKAY; |
|
|
6270 112 \} |
|
|
6271 113 #endif |
|
386
|
6272 114 |
|
282
|
6273 \end{alltt} |
|
|
6274 \end{small} |
|
|
6275 |
|
|
6276 This is the baseline implementation of the Montgomery reduction algorithm. Lines 30 to 35 determine if the Comba based |
|
|
6277 routine can be used instead. Line 48 computes the value of $\mu$ for that particular iteration of the outer loop. |
|
|
6278 |
|
|
6279 The multiplication $\mu n \beta^{ix}$ is performed in one step in the inner loop. The alias $tmpx$ refers to the $ix$'th digit of $x$ and |
|
|
6280 the alias $tmpn$ refers to the modulus $n$. |
|
|
6281 |
|
|
6282 \subsection{Faster ``Comba'' Montgomery Reduction} |
|
|
6283 |
|
|
6284 The Montgomery reduction requires fewer single precision multiplications than a Barrett reduction, however it is much slower due to the serial |
|
|
6285 nature of the inner loop. The Barrett reduction algorithm requires two slightly modified multipliers which can be implemented with the Comba |
|
|
6286 technique. The Montgomery reduction algorithm cannot directly use the Comba technique to any significant advantage since the inner loop calculates |
|
|
6287 a $k \times 1$ product $k$ times. |
|
|
6288 |
|
|
6289 The biggest obstacle is that at the $ix$'th iteration of the outer loop the value of $x_{ix}$ is required to calculate $\mu$. This means the |
|
|
6290 carries from $0$ to $ix - 1$ must have been propagated upwards to form a valid $ix$'th digit. The solution as it turns out is very simple. |
|
|
6291 Perform a Comba like multiplier and inside the outer loop just after the inner loop fix up the $ix + 1$'th digit by forwarding the carry. |
|
|
6292 |
|
|
6293 With this change in place the Montgomery reduction algorithm can be performed with a Comba style multiplication loop which substantially increases |
|
|
6294 the speed of the algorithm. |
|
|
6295 |
|
|
6296 \newpage\begin{figure}[!here] |
|
|
6297 \begin{small} |
|
|
6298 \begin{center} |
|
|
6299 \begin{tabular}{l} |
|
|
6300 \hline Algorithm \textbf{fast\_mp\_montgomery\_reduce}. \\ |
|
|
6301 \textbf{Input}. mp\_int $x$, mp\_int $n$ and a digit $\rho \equiv -1/n_0 \mbox{ (mod }n\mbox{)}$. \\ |
|
|
6302 \hspace{11.5mm}($0 \le x < n^2, n > 1, (n, \beta) = 1, \beta^k > n$) \\ |
|
|
6303 \textbf{Output}. $\beta^{-k}x \mbox{ (mod }n\mbox{)}$ \\ |
|
|
6304 \hline \\ |
|
|
6305 Place an array of \textbf{MP\_WARRAY} mp\_word variables called $\hat W$ on the stack. \\ |
|
|
6306 1. if $x.alloc < n.used + 1$ then grow $x$ to $n.used + 1$ digits. \\ |
|
|
6307 Copy the digits of $x$ into the array $\hat W$ \\ |
|
|
6308 2. For $ix$ from $0$ to $x.used - 1$ do \\ |
|
|
6309 \hspace{3mm}2.1 $\hat W_{ix} \leftarrow x_{ix}$ \\ |
|
|
6310 3. For $ix$ from $x.used$ to $2n.used - 1$ do \\ |
|
|
6311 \hspace{3mm}3.1 $\hat W_{ix} \leftarrow 0$ \\ |
|
|
6312 Elimiate the lower $k$ digits. \\ |
|
|
6313 4. for $ix$ from $0$ to $n.used - 1$ do \\ |
|
|
6314 \hspace{3mm}4.1 $\mu \leftarrow \hat W_{ix} \cdot \rho \mbox{ (mod }\beta\mbox{)}$ \\ |
|
|
6315 \hspace{3mm}4.2 For $iy$ from $0$ to $n.used - 1$ do \\ |
|
|
6316 \hspace{6mm}4.2.1 $\hat W_{iy + ix} \leftarrow \hat W_{iy + ix} + \mu \cdot n_{iy}$ \\ |
|
|
6317 \hspace{3mm}4.3 $\hat W_{ix + 1} \leftarrow \hat W_{ix + 1} + \lfloor \hat W_{ix} / \beta \rfloor$ \\ |
|
|
6318 Propagate carries upwards. \\ |
|
|
6319 5. for $ix$ from $n.used$ to $2n.used + 1$ do \\ |
|
|
6320 \hspace{3mm}5.1 $\hat W_{ix + 1} \leftarrow \hat W_{ix + 1} + \lfloor \hat W_{ix} / \beta \rfloor$ \\ |
|
|
6321 Shift right and reduce modulo $\beta$ simultaneously. \\ |
|
|
6322 6. for $ix$ from $0$ to $n.used + 1$ do \\ |
|
|
6323 \hspace{3mm}6.1 $x_{ix} \leftarrow \hat W_{ix + n.used} \mbox{ (mod }\beta\mbox{)}$ \\ |
|
|
6324 Zero excess digits and fixup $x$. \\ |
|
|
6325 7. if $x.used > n.used + 1$ then do \\ |
|
|
6326 \hspace{3mm}7.1 for $ix$ from $n.used + 1$ to $x.used - 1$ do \\ |
|
|
6327 \hspace{6mm}7.1.1 $x_{ix} \leftarrow 0$ \\ |
|
|
6328 8. $x.used \leftarrow n.used + 1$ \\ |
|
|
6329 9. Clamp excessive digits of $x$. \\ |
|
|
6330 10. If $x \ge n$ then \\ |
|
|
6331 \hspace{3mm}10.1 $x \leftarrow x - n$ \\ |
|
|
6332 11. Return(\textit{MP\_OKAY}). \\ |
|
|
6333 \hline |
|
|
6334 \end{tabular} |
|
|
6335 \end{center} |
|
|
6336 \end{small} |
|
|
6337 \caption{Algorithm fast\_mp\_montgomery\_reduce} |
|
|
6338 \end{figure} |
|
|
6339 |
|
|
6340 \textbf{Algorithm fast\_mp\_montgomery\_reduce.} |
|
|
6341 This algorithm will compute the Montgomery reduction of $x$ modulo $n$ using the Comba technique. It is on most computer platforms significantly |
|
|
6342 faster than algorithm mp\_montgomery\_reduce and algorithm mp\_reduce (\textit{Barrett reduction}). The algorithm has the same restrictions |
|
|
6343 on the input as the baseline reduction algorithm. An additional two restrictions are imposed on this algorithm. The number of digits $k$ in the |
|
|
6344 the modulus $n$ must not violate $MP\_WARRAY > 2k +1$ and $n < \delta$. When $\beta = 2^{28}$ this algorithm can be used to reduce modulo |
|
|
6345 a modulus of at most $3,556$ bits in length. |
|
|
6346 |
|
|
6347 As in the other Comba reduction algorithms there is a $\hat W$ array which stores the columns of the product. It is initially filled with the |
|
|
6348 contents of $x$ with the excess digits zeroed. The reduction loop is very similar the to the baseline loop at heart. The multiplication on step |
|
|
6349 4.1 can be single precision only since $ab \mbox{ (mod }\beta\mbox{)} \equiv (a \mbox{ mod }\beta)(b \mbox{ mod }\beta)$. Some multipliers such |
|
|
6350 as those on the ARM processors take a variable length time to complete depending on the number of bytes of result it must produce. By performing |
|
|
6351 a single precision multiplication instead half the amount of time is spent. |
|
|
6352 |
|
|
6353 Also note that digit $\hat W_{ix}$ must have the carry from the $ix - 1$'th digit propagated upwards in order for this to work. That is what step |
|
|
6354 4.3 will do. In effect over the $n.used$ iterations of the outer loop the $n.used$'th lower columns all have the their carries propagated forwards. Note |
|
|
6355 how the upper bits of those same words are not reduced modulo $\beta$. This is because those values will be discarded shortly and there is no |
|
|
6356 point. |
|
|
6357 |
|
|
6358 Step 5 will propagate the remainder of the carries upwards. On step 6 the columns are reduced modulo $\beta$ and shifted simultaneously as they are |
|
|
6359 stored in the destination $x$. |
|
|
6360 |
|
|
6361 \vspace{+3mm}\begin{small} |
|
|
6362 \hspace{-5.1mm}{\bf File}: bn\_fast\_mp\_montgomery\_reduce.c |
|
|
6363 \vspace{-3mm} |
|
|
6364 \begin{alltt} |
|
|
6365 016 |
|
|
6366 017 /* computes xR**-1 == x (mod N) via Montgomery Reduction |
|
|
6367 018 * |
|
|
6368 019 * This is an optimized implementation of montgomery_reduce |
|
|
6369 020 * which uses the comba method to quickly calculate the columns of the |
|
|
6370 021 * reduction. |
|
|
6371 022 * |
|
|
6372 023 * Based on Algorithm 14.32 on pp.601 of HAC. |
|
|
6373 024 */ |
|
|
6374 025 int fast_mp_montgomery_reduce (mp_int * x, mp_int * n, mp_digit rho) |
|
|
6375 026 \{ |
|
|
6376 027 int ix, res, olduse; |
|
|
6377 028 mp_word W[MP_WARRAY]; |
|
|
6378 029 |
|
|
6379 030 /* get old used count */ |
|
|
6380 031 olduse = x->used; |
|
|
6381 032 |
|
|
6382 033 /* grow a as required */ |
|
|
6383 034 if (x->alloc < n->used + 1) \{ |
|
|
6384 035 if ((res = mp_grow (x, n->used + 1)) != MP_OKAY) \{ |
|
|
6385 036 return res; |
|
|
6386 037 \} |
|
|
6387 038 \} |
|
|
6388 039 |
|
|
6389 040 /* first we have to get the digits of the input into |
|
|
6390 041 * an array of double precision words W[...] |
|
|
6391 042 */ |
|
|
6392 043 \{ |
|
|
6393 044 register mp_word *_W; |
|
|
6394 045 register mp_digit *tmpx; |
|
|
6395 046 |
|
|
6396 047 /* alias for the W[] array */ |
|
|
6397 048 _W = W; |
|
|
6398 049 |
|
|
6399 050 /* alias for the digits of x*/ |
|
|
6400 051 tmpx = x->dp; |
|
|
6401 052 |
|
|
6402 053 /* copy the digits of a into W[0..a->used-1] */ |
|
|
6403 054 for (ix = 0; ix < x->used; ix++) \{ |
|
|
6404 055 *_W++ = *tmpx++; |
|
|
6405 056 \} |
|
|
6406 057 |
|
|
6407 058 /* zero the high words of W[a->used..m->used*2] */ |
|
|
6408 059 for (; ix < n->used * 2 + 1; ix++) \{ |
|
|
6409 060 *_W++ = 0; |
|
|
6410 061 \} |
|
|
6411 062 \} |
|
|
6412 063 |
|
|
6413 064 /* now we proceed to zero successive digits |
|
|
6414 065 * from the least significant upwards |
|
|
6415 066 */ |
|
|
6416 067 for (ix = 0; ix < n->used; ix++) \{ |
|
|
6417 068 /* mu = ai * m' mod b |
|
|
6418 069 * |
|
|
6419 070 * We avoid a double precision multiplication (which isn't required) |
|
|
6420 071 * by casting the value down to a mp_digit. Note this requires |
|
|
6421 072 * that W[ix-1] have the carry cleared (see after the inner loop) |
|
|
6422 073 */ |
|
|
6423 074 register mp_digit mu; |
|
|
6424 075 mu = (mp_digit) (((W[ix] & MP_MASK) * rho) & MP_MASK); |
|
|
6425 076 |
|
|
6426 077 /* a = a + mu * m * b**i |
|
|
6427 078 * |
|
|
6428 079 * This is computed in place and on the fly. The multiplication |
|
|
6429 080 * by b**i is handled by offseting which columns the results |
|
|
6430 081 * are added to. |
|
|
6431 082 * |
|
|
6432 083 * Note the comba method normally doesn't handle carries in the |
|
|
6433 084 * inner loop In this case we fix the carry from the previous |
|
|
6434 085 * column since the Montgomery reduction requires digits of the |
|
|
6435 086 * result (so far) [see above] to work. This is |
|
|
6436 087 * handled by fixing up one carry after the inner loop. The |
|
|
6437 088 * carry fixups are done in order so after these loops the |
|
|
6438 089 * first m->used words of W[] have the carries fixed |
|
|
6439 090 */ |
|
|
6440 091 \{ |
|
|
6441 092 register int iy; |
|
|
6442 093 register mp_digit *tmpn; |
|
|
6443 094 register mp_word *_W; |
|
|
6444 095 |
|
|
6445 096 /* alias for the digits of the modulus */ |
|
|
6446 097 tmpn = n->dp; |
|
|
6447 098 |
|
|
6448 099 /* Alias for the columns set by an offset of ix */ |
|
|
6449 100 _W = W + ix; |
|
|
6450 101 |
|
|
6451 102 /* inner loop */ |
|
|
6452 103 for (iy = 0; iy < n->used; iy++) \{ |
|
|
6453 104 *_W++ += ((mp_word)mu) * ((mp_word)*tmpn++); |
|
|
6454 105 \} |
|
|
6455 106 \} |
|
|
6456 107 |
|
|
6457 108 /* now fix carry for next digit, W[ix+1] */ |
|
|
6458 109 W[ix + 1] += W[ix] >> ((mp_word) DIGIT_BIT); |
|
|
6459 110 \} |
|
|
6460 111 |
|
|
6461 112 /* now we have to propagate the carries and |
|
|
6462 113 * shift the words downward [all those least |
|
|
6463 114 * significant digits we zeroed]. |
|
|
6464 115 */ |
|
|
6465 116 \{ |
|
|
6466 117 register mp_digit *tmpx; |
|
|
6467 118 register mp_word *_W, *_W1; |
|
|
6468 119 |
|
|
6469 120 /* nox fix rest of carries */ |
|
|
6470 121 |
|
|
6471 122 /* alias for current word */ |
|
|
6472 123 _W1 = W + ix; |
|
|
6473 124 |
|
|
6474 125 /* alias for next word, where the carry goes */ |
|
|
6475 126 _W = W + ++ix; |
|
|
6476 127 |
|
|
6477 128 for (; ix <= n->used * 2 + 1; ix++) \{ |
|
|
6478 129 *_W++ += *_W1++ >> ((mp_word) DIGIT_BIT); |
|
|
6479 130 \} |
|
|
6480 131 |
|
|
6481 132 /* copy out, A = A/b**n |
|
|
6482 133 * |
|
|
6483 134 * The result is A/b**n but instead of converting from an |
|
|
6484 135 * array of mp_word to mp_digit than calling mp_rshd |
|
|
6485 136 * we just copy them in the right order |
|
|
6486 137 */ |
|
|
6487 138 |
|
|
6488 139 /* alias for destination word */ |
|
|
6489 140 tmpx = x->dp; |
|
|
6490 141 |
|
|
6491 142 /* alias for shifted double precision result */ |
|
|
6492 143 _W = W + n->used; |
|
|
6493 144 |
|
|
6494 145 for (ix = 0; ix < n->used + 1; ix++) \{ |
|
|
6495 146 *tmpx++ = (mp_digit)(*_W++ & ((mp_word) MP_MASK)); |
|
|
6496 147 \} |
|
|
6497 148 |
|
|
6498 149 /* zero oldused digits, if the input a was larger than |
|
|
6499 150 * m->used+1 we'll have to clear the digits |
|
|
6500 151 */ |
|
|
6501 152 for (; ix < olduse; ix++) \{ |
|
|
6502 153 *tmpx++ = 0; |
|
|
6503 154 \} |
|
|
6504 155 \} |
|
|
6505 156 |
|
|
6506 157 /* set the max used and clamp */ |
|
|
6507 158 x->used = n->used + 1; |
|
|
6508 159 mp_clamp (x); |
|
|
6509 160 |
|
|
6510 161 /* if A >= m then A = A - m */ |
|
|
6511 162 if (mp_cmp_mag (x, n) != MP_LT) \{ |
|
|
6512 163 return s_mp_sub (x, n, x); |
|
|
6513 164 \} |
|
|
6514 165 return MP_OKAY; |
|
|
6515 166 \} |
|
|
6516 167 #endif |
|
386
|
6517 168 |
|
282
|
6518 \end{alltt} |
|
|
6519 \end{small} |
|
|
6520 |
|
|
6521 The $\hat W$ array is first filled with digits of $x$ on line 50 then the rest of the digits are zeroed on line 54. Both loops share |
|
|
6522 the same alias variables to make the code easier to read. |
|
|
6523 |
|
|
6524 The value of $\mu$ is calculated in an interesting fashion. First the value $\hat W_{ix}$ is reduced modulo $\beta$ and cast to a mp\_digit. This |
|
|
6525 forces the compiler to use a single precision multiplication and prevents any concerns about loss of precision. Line 109 fixes the carry |
|
|
6526 for the next iteration of the loop by propagating the carry from $\hat W_{ix}$ to $\hat W_{ix+1}$. |
|
|
6527 |
|
|
6528 The for loop on line 108 propagates the rest of the carries upwards through the columns. The for loop on line 125 reduces the columns |
|
|
6529 modulo $\beta$ and shifts them $k$ places at the same time. The alias $\_ \hat W$ actually refers to the array $\hat W$ starting at the $n.used$'th |
|
|
6530 digit, that is $\_ \hat W_{t} = \hat W_{n.used + t}$. |
|
|
6531 |
|
|
6532 \subsection{Montgomery Setup} |
|
|
6533 To calculate the variable $\rho$ a relatively simple algorithm will be required. |
|
|
6534 |
|
|
6535 \begin{figure}[!here] |
|
|
6536 \begin{small} |
|
|
6537 \begin{center} |
|
|
6538 \begin{tabular}{l} |
|
|
6539 \hline Algorithm \textbf{mp\_montgomery\_setup}. \\ |
|
|
6540 \textbf{Input}. mp\_int $n$ ($n > 1$ and $(n, 2) = 1$) \\ |
|
|
6541 \textbf{Output}. $\rho \equiv -1/n_0 \mbox{ (mod }\beta\mbox{)}$ \\ |
|
|
6542 \hline \\ |
|
|
6543 1. $b \leftarrow n_0$ \\ |
|
|
6544 2. If $b$ is even return(\textit{MP\_VAL}) \\ |
|
386
|
6545 3. $x \leftarrow (((b + 2) \mbox{ AND } 4) << 1) + b$ \\ |
|
282
|
6546 4. for $k$ from 0 to $\lceil lg(lg(\beta)) \rceil - 2$ do \\ |
|
|
6547 \hspace{3mm}4.1 $x \leftarrow x \cdot (2 - bx)$ \\ |
|
|
6548 5. $\rho \leftarrow \beta - x \mbox{ (mod }\beta\mbox{)}$ \\ |
|
|
6549 6. Return(\textit{MP\_OKAY}). \\ |
|
|
6550 \hline |
|
|
6551 \end{tabular} |
|
|
6552 \end{center} |
|
|
6553 \end{small} |
|
|
6554 \caption{Algorithm mp\_montgomery\_setup} |
|
|
6555 \end{figure} |
|
|
6556 |
|
|
6557 \textbf{Algorithm mp\_montgomery\_setup.} |
|
|
6558 This algorithm will calculate the value of $\rho$ required within the Montgomery reduction algorithms. It uses a very interesting trick |
|
|
6559 to calculate $1/n_0$ when $\beta$ is a power of two. |
|
|
6560 |
|
|
6561 \vspace{+3mm}\begin{small} |
|
|
6562 \hspace{-5.1mm}{\bf File}: bn\_mp\_montgomery\_setup.c |
|
|
6563 \vspace{-3mm} |
|
|
6564 \begin{alltt} |
|
|
6565 016 |
|
|
6566 017 /* setups the montgomery reduction stuff */ |
|
|
6567 018 int |
|
|
6568 019 mp_montgomery_setup (mp_int * n, mp_digit * rho) |
|
|
6569 020 \{ |
|
|
6570 021 mp_digit x, b; |
|
|
6571 022 |
|
|
6572 023 /* fast inversion mod 2**k |
|
|
6573 024 * |
|
|
6574 025 * Based on the fact that |
|
|
6575 026 * |
|
|
6576 027 * XA = 1 (mod 2**n) => (X(2-XA)) A = 1 (mod 2**2n) |
|
|
6577 028 * => 2*X*A - X*X*A*A = 1 |
|
|
6578 029 * => 2*(1) - (1) = 1 |
|
|
6579 030 */ |
|
|
6580 031 b = n->dp[0]; |
|
|
6581 032 |
|
|
6582 033 if ((b & 1) == 0) \{ |
|
|
6583 034 return MP_VAL; |
|
|
6584 035 \} |
|
|
6585 036 |
|
|
6586 037 x = (((b + 2) & 4) << 1) + b; /* here x*a==1 mod 2**4 */ |
|
|
6587 038 x *= 2 - b * x; /* here x*a==1 mod 2**8 */ |
|
|
6588 039 #if !defined(MP_8BIT) |
|
|
6589 040 x *= 2 - b * x; /* here x*a==1 mod 2**16 */ |
|
|
6590 041 #endif |
|
|
6591 042 #if defined(MP_64BIT) || !(defined(MP_8BIT) || defined(MP_16BIT)) |
|
|
6592 043 x *= 2 - b * x; /* here x*a==1 mod 2**32 */ |
|
|
6593 044 #endif |
|
|
6594 045 #ifdef MP_64BIT |
|
|
6595 046 x *= 2 - b * x; /* here x*a==1 mod 2**64 */ |
|
|
6596 047 #endif |
|
|
6597 048 |
|
|
6598 049 /* rho = -1/m mod b */ |
|
386
|
6599 050 *rho = (unsigned long)(((mp_word)1 << ((mp_word) DIGIT_BIT)) - x) & MP_MAS |
|
|
6600 K; |
|
282
|
6601 051 |
|
|
6602 052 return MP_OKAY; |
|
|
6603 053 \} |
|
|
6604 054 #endif |
|
386
|
6605 055 |
|
282
|
6606 \end{alltt} |
|
|
6607 \end{small} |
|
|
6608 |
|
|
6609 This source code computes the value of $\rho$ required to perform Montgomery reduction. It has been modified to avoid performing excess |
|
|
6610 multiplications when $\beta$ is not the default 28-bits. |
|
|
6611 |
|
|
6612 \section{The Diminished Radix Algorithm} |
|
|
6613 The Diminished Radix method of modular reduction \cite{DRMET} is a fairly clever technique which can be more efficient than either the Barrett |
|
|
6614 or Montgomery methods for certain forms of moduli. The technique is based on the following simple congruence. |
|
|
6615 |
|
|
6616 \begin{equation} |
|
|
6617 (x \mbox{ mod } n) + k \lfloor x / n \rfloor \equiv x \mbox{ (mod }(n - k)\mbox{)} |
|
|
6618 \end{equation} |
|
|
6619 |
|
|
6620 This observation was used in the MMB \cite{MMB} block cipher to create a diffusion primitive. It used the fact that if $n = 2^{31}$ and $k=1$ that |
|
|
6621 then a x86 multiplier could produce the 62-bit product and use the ``shrd'' instruction to perform a double-precision right shift. The proof |
|
|
6622 of the above equation is very simple. First write $x$ in the product form. |
|
|
6623 |
|
|
6624 \begin{equation} |
|
|
6625 x = qn + r |
|
|
6626 \end{equation} |
|
|
6627 |
|
|
6628 Now reduce both sides modulo $(n - k)$. |
|
|
6629 |
|
|
6630 \begin{equation} |
|
|
6631 x \equiv qk + r \mbox{ (mod }(n-k)\mbox{)} |
|
|
6632 \end{equation} |
|
|
6633 |
|
|
6634 The variable $n$ reduces modulo $n - k$ to $k$. By putting $q = \lfloor x/n \rfloor$ and $r = x \mbox{ mod } n$ |
|
|
6635 into the equation the original congruence is reproduced, thus concluding the proof. The following algorithm is based on this observation. |
|
|
6636 |
|
|
6637 \begin{figure}[!here] |
|
|
6638 \begin{small} |
|
|
6639 \begin{center} |
|
|
6640 \begin{tabular}{l} |
|
|
6641 \hline Algorithm \textbf{Diminished Radix Reduction}. \\ |
|
|
6642 \textbf{Input}. Integer $x$, $n$, $k$ \\ |
|
|
6643 \textbf{Output}. $x \mbox{ mod } (n - k)$ \\ |
|
|
6644 \hline \\ |
|
|
6645 1. $q \leftarrow \lfloor x / n \rfloor$ \\ |
|
|
6646 2. $q \leftarrow k \cdot q$ \\ |
|
|
6647 3. $x \leftarrow x \mbox{ (mod }n\mbox{)}$ \\ |
|
|
6648 4. $x \leftarrow x + q$ \\ |
|
|
6649 5. If $x \ge (n - k)$ then \\ |
|
|
6650 \hspace{3mm}5.1 $x \leftarrow x - (n - k)$ \\ |
|
|
6651 \hspace{3mm}5.2 Goto step 1. \\ |
|
|
6652 6. Return $x$ \\ |
|
|
6653 \hline |
|
|
6654 \end{tabular} |
|
|
6655 \end{center} |
|
|
6656 \end{small} |
|
|
6657 \caption{Algorithm Diminished Radix Reduction} |
|
|
6658 \label{fig:DR} |
|
|
6659 \end{figure} |
|
|
6660 |
|
|
6661 This algorithm will reduce $x$ modulo $n - k$ and return the residue. If $0 \le x < (n - k)^2$ then the algorithm will loop almost always |
|
|
6662 once or twice and occasionally three times. For simplicity sake the value of $x$ is bounded by the following simple polynomial. |
|
|
6663 |
|
|
6664 \begin{equation} |
|
|
6665 0 \le x < n^2 + k^2 - 2nk |
|
|
6666 \end{equation} |
|
|
6667 |
|
|
6668 The true bound is $0 \le x < (n - k - 1)^2$ but this has quite a few more terms. The value of $q$ after step 1 is bounded by the following. |
|
|
6669 |
|
|
6670 \begin{equation} |
|
|
6671 q < n - 2k - k^2/n |
|
|
6672 \end{equation} |
|
|
6673 |
|
|
6674 Since $k^2$ is going to be considerably smaller than $n$ that term will always be zero. The value of $x$ after step 3 is bounded trivially as |
|
|
6675 $0 \le x < n$. By step four the sum $x + q$ is bounded by |
|
|
6676 |
|
|
6677 \begin{equation} |
|
|
6678 0 \le q + x < (k + 1)n - 2k^2 - 1 |
|
|
6679 \end{equation} |
|
|
6680 |
|
|
6681 With a second pass $q$ will be loosely bounded by $0 \le q < k^2$ after step 2 while $x$ will still be loosely bounded by $0 \le x < n$ after step 3. After the second pass it is highly unlike that the |
|
|
6682 sum in step 4 will exceed $n - k$. In practice fewer than three passes of the algorithm are required to reduce virtually every input in the |
|
|
6683 range $0 \le x < (n - k - 1)^2$. |
|
|
6684 |
|
|
6685 \begin{figure} |
|
|
6686 \begin{small} |
|
|
6687 \begin{center} |
|
|
6688 \begin{tabular}{|l|} |
|
|
6689 \hline |
|
|
6690 $x = 123456789, n = 256, k = 3$ \\ |
|
|
6691 \hline $q \leftarrow \lfloor x/n \rfloor = 482253$ \\ |
|
|
6692 $q \leftarrow q*k = 1446759$ \\ |
|
|
6693 $x \leftarrow x \mbox{ mod } n = 21$ \\ |
|
|
6694 $x \leftarrow x + q = 1446780$ \\ |
|
|
6695 $x \leftarrow x - (n - k) = 1446527$ \\ |
|
|
6696 \hline |
|
|
6697 $q \leftarrow \lfloor x/n \rfloor = 5650$ \\ |
|
|
6698 $q \leftarrow q*k = 16950$ \\ |
|
|
6699 $x \leftarrow x \mbox{ mod } n = 127$ \\ |
|
|
6700 $x \leftarrow x + q = 17077$ \\ |
|
|
6701 $x \leftarrow x - (n - k) = 16824$ \\ |
|
|
6702 \hline |
|
|
6703 $q \leftarrow \lfloor x/n \rfloor = 65$ \\ |
|
|
6704 $q \leftarrow q*k = 195$ \\ |
|
|
6705 $x \leftarrow x \mbox{ mod } n = 184$ \\ |
|
|
6706 $x \leftarrow x + q = 379$ \\ |
|
|
6707 $x \leftarrow x - (n - k) = 126$ \\ |
|
|
6708 \hline |
|
|
6709 \end{tabular} |
|
|
6710 \end{center} |
|
|
6711 \end{small} |
|
|
6712 \caption{Example Diminished Radix Reduction} |
|
|
6713 \label{fig:EXDR} |
|
|
6714 \end{figure} |
|
|
6715 |
|
|
6716 Figure~\ref{fig:EXDR} demonstrates the reduction of $x = 123456789$ modulo $n - k = 253$ when $n = 256$ and $k = 3$. Note that even while $x$ |
|
|
6717 is considerably larger than $(n - k - 1)^2 = 63504$ the algorithm still converges on the modular residue exceedingly fast. In this case only |
|
|
6718 three passes were required to find the residue $x \equiv 126$. |
|
|
6719 |
|
|
6720 |
|
|
6721 \subsection{Choice of Moduli} |
|
|
6722 On the surface this algorithm looks like a very expensive algorithm. It requires a couple of subtractions followed by multiplication and other |
|
|
6723 modular reductions. The usefulness of this algorithm becomes exceedingly clear when an appropriate modulus is chosen. |
|
|
6724 |
|
|
6725 Division in general is a very expensive operation to perform. The one exception is when the division is by a power of the radix of representation used. |
|
|
6726 Division by ten for example is simple for pencil and paper mathematics since it amounts to shifting the decimal place to the right. Similarly division |
|
|
6727 by two (\textit{or powers of two}) is very simple for binary computers to perform. It would therefore seem logical to choose $n$ of the form $2^p$ |
|
|
6728 which would imply that $\lfloor x / n \rfloor$ is a simple shift of $x$ right $p$ bits. |
|
|
6729 |
|
|
6730 However, there is one operation related to division of power of twos that is even faster than this. If $n = \beta^p$ then the division may be |
|
|
6731 performed by moving whole digits to the right $p$ places. In practice division by $\beta^p$ is much faster than division by $2^p$ for any $p$. |
|
|
6732 Also with the choice of $n = \beta^p$ reducing $x$ modulo $n$ merely requires zeroing the digits above the $p-1$'th digit of $x$. |
|
|
6733 |
|
|
6734 Throughout the next section the term ``restricted modulus'' will refer to a modulus of the form $\beta^p - k$ whereas the term ``unrestricted |
|
|
6735 modulus'' will refer to a modulus of the form $2^p - k$. The word ``restricted'' in this case refers to the fact that it is based on the |
|
|
6736 $2^p$ logic except $p$ must be a multiple of $lg(\beta)$. |
|
|
6737 |
|
|
6738 \subsection{Choice of $k$} |
|
|
6739 Now that division and reduction (\textit{step 1 and 3 of figure~\ref{fig:DR}}) have been optimized to simple digit operations the multiplication by $k$ |
|
|
6740 in step 2 is the most expensive operation. Fortunately the choice of $k$ is not terribly limited. For all intents and purposes it might |
|
|
6741 as well be a single digit. The smaller the value of $k$ is the faster the algorithm will be. |
|
|
6742 |
|
|
6743 \subsection{Restricted Diminished Radix Reduction} |
|
|
6744 The restricted Diminished Radix algorithm can quickly reduce an input modulo a modulus of the form $n = \beta^p - k$. This algorithm can reduce |
|
|
6745 an input $x$ within the range $0 \le x < n^2$ using only a couple passes of the algorithm demonstrated in figure~\ref{fig:DR}. The implementation |
|
|
6746 of this algorithm has been optimized to avoid additional overhead associated with a division by $\beta^p$, the multiplication by $k$ or the addition |
|
|
6747 of $x$ and $q$. The resulting algorithm is very efficient and can lead to substantial improvements over Barrett and Montgomery reduction when modular |
|
|
6748 exponentiations are performed. |
|
|
6749 |
|
|
6750 \newpage\begin{figure}[!here] |
|
|
6751 \begin{small} |
|
|
6752 \begin{center} |
|
|
6753 \begin{tabular}{l} |
|
|
6754 \hline Algorithm \textbf{mp\_dr\_reduce}. \\ |
|
|
6755 \textbf{Input}. mp\_int $x$, $n$ and a mp\_digit $k = \beta - n_0$ \\ |
|
|
6756 \hspace{11.5mm}($0 \le x < n^2$, $n > 1$, $0 < k < \beta$) \\ |
|
|
6757 \textbf{Output}. $x \mbox{ mod } n$ \\ |
|
|
6758 \hline \\ |
|
|
6759 1. $m \leftarrow n.used$ \\ |
|
|
6760 2. If $x.alloc < 2m$ then grow $x$ to $2m$ digits. \\ |
|
|
6761 3. $\mu \leftarrow 0$ \\ |
|
|
6762 4. for $i$ from $0$ to $m - 1$ do \\ |
|
|
6763 \hspace{3mm}4.1 $\hat r \leftarrow k \cdot x_{m+i} + x_{i} + \mu$ \\ |
|
|
6764 \hspace{3mm}4.2 $x_{i} \leftarrow \hat r \mbox{ (mod }\beta\mbox{)}$ \\ |
|
|
6765 \hspace{3mm}4.3 $\mu \leftarrow \lfloor \hat r / \beta \rfloor$ \\ |
|
|
6766 5. $x_{m} \leftarrow \mu$ \\ |
|
|
6767 6. for $i$ from $m + 1$ to $x.used - 1$ do \\ |
|
|
6768 \hspace{3mm}6.1 $x_{i} \leftarrow 0$ \\ |
|
|
6769 7. Clamp excess digits of $x$. \\ |
|
|
6770 8. If $x \ge n$ then \\ |
|
|
6771 \hspace{3mm}8.1 $x \leftarrow x - n$ \\ |
|
|
6772 \hspace{3mm}8.2 Goto step 3. \\ |
|
|
6773 9. Return(\textit{MP\_OKAY}). \\ |
|
|
6774 \hline |
|
|
6775 \end{tabular} |
|
|
6776 \end{center} |
|
|
6777 \end{small} |
|
|
6778 \caption{Algorithm mp\_dr\_reduce} |
|
|
6779 \end{figure} |
|
|
6780 |
|
|
6781 \textbf{Algorithm mp\_dr\_reduce.} |
|
|
6782 This algorithm will perform the Dimished Radix reduction of $x$ modulo $n$. It has similar restrictions to that of the Barrett reduction |
|
|
6783 with the addition that $n$ must be of the form $n = \beta^m - k$ where $0 < k <\beta$. |
|
|
6784 |
|
|
6785 This algorithm essentially implements the pseudo-code in figure~\ref{fig:DR} except with a slight optimization. The division by $\beta^m$, multiplication by $k$ |
|
|
6786 and addition of $x \mbox{ mod }\beta^m$ are all performed simultaneously inside the loop on step 4. The division by $\beta^m$ is emulated by accessing |
|
|
6787 the term at the $m+i$'th position which is subsequently multiplied by $k$ and added to the term at the $i$'th position. After the loop the $m$'th |
|
|
6788 digit is set to the carry and the upper digits are zeroed. Steps 5 and 6 emulate the reduction modulo $\beta^m$ that should have happend to |
|
|
6789 $x$ before the addition of the multiple of the upper half. |
|
|
6790 |
|
|
6791 At step 8 if $x$ is still larger than $n$ another pass of the algorithm is required. First $n$ is subtracted from $x$ and then the algorithm resumes |
|
|
6792 at step 3. |
|
|
6793 |
|
|
6794 \vspace{+3mm}\begin{small} |
|
|
6795 \hspace{-5.1mm}{\bf File}: bn\_mp\_dr\_reduce.c |
|
|
6796 \vspace{-3mm} |
|
|
6797 \begin{alltt} |
|
|
6798 016 |
|
|
6799 017 /* reduce "x" in place modulo "n" using the Diminished Radix algorithm. |
|
|
6800 018 * |
|
|
6801 019 * Based on algorithm from the paper |
|
|
6802 020 * |
|
|
6803 021 * "Generating Efficient Primes for Discrete Log Cryptosystems" |
|
|
6804 022 * Chae Hoon Lim, Pil Joong Lee, |
|
|
6805 023 * POSTECH Information Research Laboratories |
|
|
6806 024 * |
|
|
6807 025 * The modulus must be of a special format [see manual] |
|
|
6808 026 * |
|
|
6809 027 * Has been modified to use algorithm 7.10 from the LTM book instead |
|
|
6810 028 * |
|
|
6811 029 * Input x must be in the range 0 <= x <= (n-1)**2 |
|
|
6812 030 */ |
|
|
6813 031 int |
|
|
6814 032 mp_dr_reduce (mp_int * x, mp_int * n, mp_digit k) |
|
|
6815 033 \{ |
|
|
6816 034 int err, i, m; |
|
|
6817 035 mp_word r; |
|
|
6818 036 mp_digit mu, *tmpx1, *tmpx2; |
|
|
6819 037 |
|
|
6820 038 /* m = digits in modulus */ |
|
|
6821 039 m = n->used; |
|
|
6822 040 |
|
|
6823 041 /* ensure that "x" has at least 2m digits */ |
|
|
6824 042 if (x->alloc < m + m) \{ |
|
|
6825 043 if ((err = mp_grow (x, m + m)) != MP_OKAY) \{ |
|
|
6826 044 return err; |
|
|
6827 045 \} |
|
|
6828 046 \} |
|
|
6829 047 |
|
|
6830 048 /* top of loop, this is where the code resumes if |
|
|
6831 049 * another reduction pass is required. |
|
|
6832 050 */ |
|
|
6833 051 top: |
|
|
6834 052 /* aliases for digits */ |
|
|
6835 053 /* alias for lower half of x */ |
|
|
6836 054 tmpx1 = x->dp; |
|
|
6837 055 |
|
|
6838 056 /* alias for upper half of x, or x/B**m */ |
|
|
6839 057 tmpx2 = x->dp + m; |
|
|
6840 058 |
|
|
6841 059 /* set carry to zero */ |
|
|
6842 060 mu = 0; |
|
|
6843 061 |
|
|
6844 062 /* compute (x mod B**m) + k * [x/B**m] inline and inplace */ |
|
|
6845 063 for (i = 0; i < m; i++) \{ |
|
|
6846 064 r = ((mp_word)*tmpx2++) * ((mp_word)k) + *tmpx1 + mu; |
|
|
6847 065 *tmpx1++ = (mp_digit)(r & MP_MASK); |
|
|
6848 066 mu = (mp_digit)(r >> ((mp_word)DIGIT_BIT)); |
|
|
6849 067 \} |
|
|
6850 068 |
|
|
6851 069 /* set final carry */ |
|
|
6852 070 *tmpx1++ = mu; |
|
|
6853 071 |
|
|
6854 072 /* zero words above m */ |
|
|
6855 073 for (i = m + 1; i < x->used; i++) \{ |
|
|
6856 074 *tmpx1++ = 0; |
|
|
6857 075 \} |
|
|
6858 076 |
|
|
6859 077 /* clamp, sub and return */ |
|
|
6860 078 mp_clamp (x); |
|
|
6861 079 |
|
|
6862 080 /* if x >= n then subtract and reduce again |
|
|
6863 081 * Each successive "recursion" makes the input smaller and smaller. |
|
|
6864 082 */ |
|
|
6865 083 if (mp_cmp_mag (x, n) != MP_LT) \{ |
|
|
6866 084 s_mp_sub(x, n, x); |
|
|
6867 085 goto top; |
|
|
6868 086 \} |
|
|
6869 087 return MP_OKAY; |
|
|
6870 088 \} |
|
|
6871 089 #endif |
|
386
|
6872 090 |
|
282
|
6873 \end{alltt} |
|
|
6874 \end{small} |
|
|
6875 |
|
|
6876 The first step is to grow $x$ as required to $2m$ digits since the reduction is performed in place on $x$. The label on line 51 is where |
|
|
6877 the algorithm will resume if further reduction passes are required. In theory it could be placed at the top of the function however, the size of |
|
|
6878 the modulus and question of whether $x$ is large enough are invariant after the first pass meaning that it would be a waste of time. |
|
|
6879 |
|
|
6880 The aliases $tmpx1$ and $tmpx2$ refer to the digits of $x$ where the latter is offset by $m$ digits. By reading digits from $x$ offset by $m$ digits |
|
|
6881 a division by $\beta^m$ can be simulated virtually for free. The loop on line 63 performs the bulk of the work (\textit{corresponds to step 4 of algorithm 7.11}) |
|
|
6882 in this algorithm. |
|
|
6883 |
|
|
6884 By line 70 the pointer $tmpx1$ points to the $m$'th digit of $x$ which is where the final carry will be placed. Similarly by line 73 the |
|
|
6885 same pointer will point to the $m+1$'th digit where the zeroes will be placed. |
|
|
6886 |
|
|
6887 Since the algorithm is only valid if both $x$ and $n$ are greater than zero an unsigned comparison suffices to determine if another pass is required. |
|
|
6888 With the same logic at line 84 the value of $x$ is known to be greater than or equal to $n$ meaning that an unsigned subtraction can be used |
|
|
6889 as well. Since the destination of the subtraction is the larger of the inputs the call to algorithm s\_mp\_sub cannot fail and the return code |
|
|
6890 does not need to be checked. |
|
|
6891 |
|
|
6892 \subsubsection{Setup} |
|
|
6893 To setup the restricted Diminished Radix algorithm the value $k = \beta - n_0$ is required. This algorithm is not really complicated but provided for |
|
|
6894 completeness. |
|
|
6895 |
|
|
6896 \begin{figure}[!here] |
|
|
6897 \begin{small} |
|
|
6898 \begin{center} |
|
|
6899 \begin{tabular}{l} |
|
|
6900 \hline Algorithm \textbf{mp\_dr\_setup}. \\ |
|
|
6901 \textbf{Input}. mp\_int $n$ \\ |
|
|
6902 \textbf{Output}. $k = \beta - n_0$ \\ |
|
|
6903 \hline \\ |
|
|
6904 1. $k \leftarrow \beta - n_0$ \\ |
|
|
6905 \hline |
|
|
6906 \end{tabular} |
|
|
6907 \end{center} |
|
|
6908 \end{small} |
|
|
6909 \caption{Algorithm mp\_dr\_setup} |
|
|
6910 \end{figure} |
|
|
6911 |
|
|
6912 \vspace{+3mm}\begin{small} |
|
|
6913 \hspace{-5.1mm}{\bf File}: bn\_mp\_dr\_setup.c |
|
|
6914 \vspace{-3mm} |
|
|
6915 \begin{alltt} |
|
|
6916 016 |
|
|
6917 017 /* determines the setup value */ |
|
|
6918 018 void mp_dr_setup(mp_int *a, mp_digit *d) |
|
|
6919 019 \{ |
|
|
6920 020 /* the casts are required if DIGIT_BIT is one less than |
|
|
6921 021 * the number of bits in a mp_digit [e.g. DIGIT_BIT==31] |
|
|
6922 022 */ |
|
|
6923 023 *d = (mp_digit)((((mp_word)1) << ((mp_word)DIGIT_BIT)) - |
|
|
6924 024 ((mp_word)a->dp[0])); |
|
|
6925 025 \} |
|
|
6926 026 |
|
|
6927 027 #endif |
|
386
|
6928 028 |
|
282
|
6929 \end{alltt} |
|
|
6930 \end{small} |
|
|
6931 |
|
|
6932 \subsubsection{Modulus Detection} |
|
|
6933 Another algorithm which will be useful is the ability to detect a restricted Diminished Radix modulus. An integer is said to be |
|
|
6934 of restricted Diminished Radix form if all of the digits are equal to $\beta - 1$ except the trailing digit which may be any value. |
|
|
6935 |
|
|
6936 \begin{figure}[!here] |
|
|
6937 \begin{small} |
|
|
6938 \begin{center} |
|
|
6939 \begin{tabular}{l} |
|
|
6940 \hline Algorithm \textbf{mp\_dr\_is\_modulus}. \\ |
|
|
6941 \textbf{Input}. mp\_int $n$ \\ |
|
|
6942 \textbf{Output}. $1$ if $n$ is in D.R form, $0$ otherwise \\ |
|
|
6943 \hline |
|
|
6944 1. If $n.used < 2$ then return($0$). \\ |
|
|
6945 2. for $ix$ from $1$ to $n.used - 1$ do \\ |
|
|
6946 \hspace{3mm}2.1 If $n_{ix} \ne \beta - 1$ return($0$). \\ |
|
|
6947 3. Return($1$). \\ |
|
|
6948 \hline |
|
|
6949 \end{tabular} |
|
|
6950 \end{center} |
|
|
6951 \end{small} |
|
|
6952 \caption{Algorithm mp\_dr\_is\_modulus} |
|
|
6953 \end{figure} |
|
|
6954 |
|
|
6955 \textbf{Algorithm mp\_dr\_is\_modulus.} |
|
|
6956 This algorithm determines if a value is in Diminished Radix form. Step 1 rejects obvious cases where fewer than two digits are |
|
|
6957 in the mp\_int. Step 2 tests all but the first digit to see if they are equal to $\beta - 1$. If the algorithm manages to get to |
|
|
6958 step 3 then $n$ must be of Diminished Radix form. |
|
|
6959 |
|
|
6960 \vspace{+3mm}\begin{small} |
|
|
6961 \hspace{-5.1mm}{\bf File}: bn\_mp\_dr\_is\_modulus.c |
|
|
6962 \vspace{-3mm} |
|
|
6963 \begin{alltt} |
|
|
6964 016 |
|
|
6965 017 /* determines if a number is a valid DR modulus */ |
|
|
6966 018 int mp_dr_is_modulus(mp_int *a) |
|
|
6967 019 \{ |
|
|
6968 020 int ix; |
|
|
6969 021 |
|
|
6970 022 /* must be at least two digits */ |
|
|
6971 023 if (a->used < 2) \{ |
|
|
6972 024 return 0; |
|
|
6973 025 \} |
|
|
6974 026 |
|
|
6975 027 /* must be of the form b**k - a [a <= b] so all |
|
|
6976 028 * but the first digit must be equal to -1 (mod b). |
|
|
6977 029 */ |
|
|
6978 030 for (ix = 1; ix < a->used; ix++) \{ |
|
|
6979 031 if (a->dp[ix] != MP_MASK) \{ |
|
|
6980 032 return 0; |
|
|
6981 033 \} |
|
|
6982 034 \} |
|
|
6983 035 return 1; |
|
|
6984 036 \} |
|
|
6985 037 |
|
|
6986 038 #endif |
|
386
|
6987 039 |
|
282
|
6988 \end{alltt} |
|
|
6989 \end{small} |
|
|
6990 |
|
|
6991 \subsection{Unrestricted Diminished Radix Reduction} |
|
|
6992 The unrestricted Diminished Radix algorithm allows modular reductions to be performed when the modulus is of the form $2^p - k$. This algorithm |
|
|
6993 is a straightforward adaptation of algorithm~\ref{fig:DR}. |
|
|
6994 |
|
|
6995 In general the restricted Diminished Radix reduction algorithm is much faster since it has considerably lower overhead. However, this new |
|
|
6996 algorithm is much faster than either Montgomery or Barrett reduction when the moduli are of the appropriate form. |
|
|
6997 |
|
|
6998 \begin{figure}[!here] |
|
|
6999 \begin{small} |
|
|
7000 \begin{center} |
|
|
7001 \begin{tabular}{l} |
|
|
7002 \hline Algorithm \textbf{mp\_reduce\_2k}. \\ |
|
|
7003 \textbf{Input}. mp\_int $a$ and $n$. mp\_digit $k$ \\ |
|
|
7004 \hspace{11.5mm}($a \ge 0$, $n > 1$, $0 < k < \beta$, $n + k$ is a power of two) \\ |
|
|
7005 \textbf{Output}. $a \mbox{ (mod }n\mbox{)}$ \\ |
|
|
7006 \hline |
|
|
7007 1. $p \leftarrow \lceil lg(n) \rceil$ (\textit{mp\_count\_bits}) \\ |
|
|
7008 2. While $a \ge n$ do \\ |
|
|
7009 \hspace{3mm}2.1 $q \leftarrow \lfloor a / 2^p \rfloor$ (\textit{mp\_div\_2d}) \\ |
|
|
7010 \hspace{3mm}2.2 $a \leftarrow a \mbox{ (mod }2^p\mbox{)}$ (\textit{mp\_mod\_2d}) \\ |
|
|
7011 \hspace{3mm}2.3 $q \leftarrow q \cdot k$ (\textit{mp\_mul\_d}) \\ |
|
|
7012 \hspace{3mm}2.4 $a \leftarrow a - q$ (\textit{s\_mp\_sub}) \\ |
|
|
7013 \hspace{3mm}2.5 If $a \ge n$ then do \\ |
|
|
7014 \hspace{6mm}2.5.1 $a \leftarrow a - n$ \\ |
|
|
7015 3. Return(\textit{MP\_OKAY}). \\ |
|
|
7016 \hline |
|
|
7017 \end{tabular} |
|
|
7018 \end{center} |
|
|
7019 \end{small} |
|
|
7020 \caption{Algorithm mp\_reduce\_2k} |
|
|
7021 \end{figure} |
|
|
7022 |
|
|
7023 \textbf{Algorithm mp\_reduce\_2k.} |
|
|
7024 This algorithm quickly reduces an input $a$ modulo an unrestricted Diminished Radix modulus $n$. Division by $2^p$ is emulated with a right |
|
|
7025 shift which makes the algorithm fairly inexpensive to use. |
|
|
7026 |
|
|
7027 \vspace{+3mm}\begin{small} |
|
|
7028 \hspace{-5.1mm}{\bf File}: bn\_mp\_reduce\_2k.c |
|
|
7029 \vspace{-3mm} |
|
|
7030 \begin{alltt} |
|
|
7031 016 |
|
|
7032 017 /* reduces a modulo n where n is of the form 2**p - d */ |
|
|
7033 018 int mp_reduce_2k(mp_int *a, mp_int *n, mp_digit d) |
|
|
7034 019 \{ |
|
|
7035 020 mp_int q; |
|
|
7036 021 int p, res; |
|
|
7037 022 |
|
|
7038 023 if ((res = mp_init(&q)) != MP_OKAY) \{ |
|
|
7039 024 return res; |
|
|
7040 025 \} |
|
|
7041 026 |
|
|
7042 027 p = mp_count_bits(n); |
|
|
7043 028 top: |
|
|
7044 029 /* q = a/2**p, a = a mod 2**p */ |
|
|
7045 030 if ((res = mp_div_2d(a, p, &q, a)) != MP_OKAY) \{ |
|
|
7046 031 goto ERR; |
|
|
7047 032 \} |
|
|
7048 033 |
|
|
7049 034 if (d != 1) \{ |
|
|
7050 035 /* q = q * d */ |
|
|
7051 036 if ((res = mp_mul_d(&q, d, &q)) != MP_OKAY) \{ |
|
|
7052 037 goto ERR; |
|
|
7053 038 \} |
|
|
7054 039 \} |
|
|
7055 040 |
|
|
7056 041 /* a = a + q */ |
|
|
7057 042 if ((res = s_mp_add(a, &q, a)) != MP_OKAY) \{ |
|
|
7058 043 goto ERR; |
|
|
7059 044 \} |
|
|
7060 045 |
|
|
7061 046 if (mp_cmp_mag(a, n) != MP_LT) \{ |
|
|
7062 047 s_mp_sub(a, n, a); |
|
|
7063 048 goto top; |
|
|
7064 049 \} |
|
|
7065 050 |
|
|
7066 051 ERR: |
|
|
7067 052 mp_clear(&q); |
|
|
7068 053 return res; |
|
|
7069 054 \} |
|
|
7070 055 |
|
|
7071 056 #endif |
|
386
|
7072 057 |
|
282
|
7073 \end{alltt} |
|
|
7074 \end{small} |
|
|
7075 |
|
|
7076 The algorithm mp\_count\_bits calculates the number of bits in an mp\_int which is used to find the initial value of $p$. The call to mp\_div\_2d |
|
|
7077 on line 30 calculates both the quotient $q$ and the remainder $a$ required. By doing both in a single function call the code size |
|
|
7078 is kept fairly small. The multiplication by $k$ is only performed if $k > 1$. This allows reductions modulo $2^p - 1$ to be performed without |
|
|
7079 any multiplications. |
|
|
7080 |
|
|
7081 The unsigned s\_mp\_add, mp\_cmp\_mag and s\_mp\_sub are used in place of their full sign counterparts since the inputs are only valid if they are |
|
|
7082 positive. By using the unsigned versions the overhead is kept to a minimum. |
|
|
7083 |
|
|
7084 \subsubsection{Unrestricted Setup} |
|
|
7085 To setup this reduction algorithm the value of $k = 2^p - n$ is required. |
|
|
7086 |
|
|
7087 \begin{figure}[!here] |
|
|
7088 \begin{small} |
|
|
7089 \begin{center} |
|
|
7090 \begin{tabular}{l} |
|
|
7091 \hline Algorithm \textbf{mp\_reduce\_2k\_setup}. \\ |
|
|
7092 \textbf{Input}. mp\_int $n$ \\ |
|
|
7093 \textbf{Output}. $k = 2^p - n$ \\ |
|
|
7094 \hline |
|
|
7095 1. $p \leftarrow \lceil lg(n) \rceil$ (\textit{mp\_count\_bits}) \\ |
|
|
7096 2. $x \leftarrow 2^p$ (\textit{mp\_2expt}) \\ |
|
|
7097 3. $x \leftarrow x - n$ (\textit{mp\_sub}) \\ |
|
|
7098 4. $k \leftarrow x_0$ \\ |
|
|
7099 5. Return(\textit{MP\_OKAY}). \\ |
|
|
7100 \hline |
|
|
7101 \end{tabular} |
|
|
7102 \end{center} |
|
|
7103 \end{small} |
|
|
7104 \caption{Algorithm mp\_reduce\_2k\_setup} |
|
|
7105 \end{figure} |
|
|
7106 |
|
|
7107 \textbf{Algorithm mp\_reduce\_2k\_setup.} |
|
|
7108 This algorithm computes the value of $k$ required for the algorithm mp\_reduce\_2k. By making a temporary variable $x$ equal to $2^p$ a subtraction |
|
|
7109 is sufficient to solve for $k$. Alternatively if $n$ has more than one digit the value of $k$ is simply $\beta - n_0$. |
|
|
7110 |
|
|
7111 \vspace{+3mm}\begin{small} |
|
|
7112 \hspace{-5.1mm}{\bf File}: bn\_mp\_reduce\_2k\_setup.c |
|
|
7113 \vspace{-3mm} |
|
|
7114 \begin{alltt} |
|
|
7115 016 |
|
|
7116 017 /* determines the setup value */ |
|
|
7117 018 int mp_reduce_2k_setup(mp_int *a, mp_digit *d) |
|
|
7118 019 \{ |
|
|
7119 020 int res, p; |
|
|
7120 021 mp_int tmp; |
|
|
7121 022 |
|
|
7122 023 if ((res = mp_init(&tmp)) != MP_OKAY) \{ |
|
|
7123 024 return res; |
|
|
7124 025 \} |
|
|
7125 026 |
|
|
7126 027 p = mp_count_bits(a); |
|
|
7127 028 if ((res = mp_2expt(&tmp, p)) != MP_OKAY) \{ |
|
|
7128 029 mp_clear(&tmp); |
|
|
7129 030 return res; |
|
|
7130 031 \} |
|
|
7131 032 |
|
|
7132 033 if ((res = s_mp_sub(&tmp, a, &tmp)) != MP_OKAY) \{ |
|
|
7133 034 mp_clear(&tmp); |
|
|
7134 035 return res; |
|
|
7135 036 \} |
|
|
7136 037 |
|
|
7137 038 *d = tmp.dp[0]; |
|
|
7138 039 mp_clear(&tmp); |
|
|
7139 040 return MP_OKAY; |
|
|
7140 041 \} |
|
|
7141 042 #endif |
|
386
|
7142 043 |
|
282
|
7143 \end{alltt} |
|
|
7144 \end{small} |
|
|
7145 |
|
|
7146 \subsubsection{Unrestricted Detection} |
|
|
7147 An integer $n$ is a valid unrestricted Diminished Radix modulus if either of the following are true. |
|
|
7148 |
|
|
7149 \begin{enumerate} |
|
|
7150 \item The number has only one digit. |
|
|
7151 \item The number has more than one digit and every bit from the $\beta$'th to the most significant is one. |
|
|
7152 \end{enumerate} |
|
|
7153 |
|
|
7154 If either condition is true than there is a power of two $2^p$ such that $0 < 2^p - n < \beta$. If the input is only |
|
|
7155 one digit than it will always be of the correct form. Otherwise all of the bits above the first digit must be one. This arises from the fact |
|
|
7156 that there will be value of $k$ that when added to the modulus causes a carry in the first digit which propagates all the way to the most |
|
|
7157 significant bit. The resulting sum will be a power of two. |
|
|
7158 |
|
|
7159 \begin{figure}[!here] |
|
|
7160 \begin{small} |
|
|
7161 \begin{center} |
|
|
7162 \begin{tabular}{l} |
|
|
7163 \hline Algorithm \textbf{mp\_reduce\_is\_2k}. \\ |
|
|
7164 \textbf{Input}. mp\_int $n$ \\ |
|
|
7165 \textbf{Output}. $1$ if of proper form, $0$ otherwise \\ |
|
|
7166 \hline |
|
|
7167 1. If $n.used = 0$ then return($0$). \\ |
|
|
7168 2. If $n.used = 1$ then return($1$). \\ |
|
|
7169 3. $p \leftarrow \lceil lg(n) \rceil$ (\textit{mp\_count\_bits}) \\ |
|
|
7170 4. for $x$ from $lg(\beta)$ to $p$ do \\ |
|
|
7171 \hspace{3mm}4.1 If the ($x \mbox{ mod }lg(\beta)$)'th bit of the $\lfloor x / lg(\beta) \rfloor$ of $n$ is zero then return($0$). \\ |
|
|
7172 5. Return($1$). \\ |
|
|
7173 \hline |
|
|
7174 \end{tabular} |
|
|
7175 \end{center} |
|
|
7176 \end{small} |
|
|
7177 \caption{Algorithm mp\_reduce\_is\_2k} |
|
|
7178 \end{figure} |
|
|
7179 |
|
|
7180 \textbf{Algorithm mp\_reduce\_is\_2k.} |
|
|
7181 This algorithm quickly determines if a modulus is of the form required for algorithm mp\_reduce\_2k to function properly. |
|
|
7182 |
|
|
7183 \vspace{+3mm}\begin{small} |
|
|
7184 \hspace{-5.1mm}{\bf File}: bn\_mp\_reduce\_is\_2k.c |
|
|
7185 \vspace{-3mm} |
|
|
7186 \begin{alltt} |
|
|
7187 016 |
|
|
7188 017 /* determines if mp_reduce_2k can be used */ |
|
|
7189 018 int mp_reduce_is_2k(mp_int *a) |
|
|
7190 019 \{ |
|
|
7191 020 int ix, iy, iw; |
|
|
7192 021 mp_digit iz; |
|
|
7193 022 |
|
|
7194 023 if (a->used == 0) \{ |
|
|
7195 024 return MP_NO; |
|
|
7196 025 \} else if (a->used == 1) \{ |
|
|
7197 026 return MP_YES; |
|
|
7198 027 \} else if (a->used > 1) \{ |
|
|
7199 028 iy = mp_count_bits(a); |
|
|
7200 029 iz = 1; |
|
|
7201 030 iw = 1; |
|
|
7202 031 |
|
|
7203 032 /* Test every bit from the second digit up, must be 1 */ |
|
|
7204 033 for (ix = DIGIT_BIT; ix < iy; ix++) \{ |
|
|
7205 034 if ((a->dp[iw] & iz) == 0) \{ |
|
|
7206 035 return MP_NO; |
|
|
7207 036 \} |
|
|
7208 037 iz <<= 1; |
|
|
7209 038 if (iz > (mp_digit)MP_MASK) \{ |
|
|
7210 039 ++iw; |
|
|
7211 040 iz = 1; |
|
|
7212 041 \} |
|
|
7213 042 \} |
|
|
7214 043 \} |
|
|
7215 044 return MP_YES; |
|
|
7216 045 \} |
|
|
7217 046 |
|
|
7218 047 #endif |
|
386
|
7219 048 |
|
282
|
7220 \end{alltt} |
|
|
7221 \end{small} |
|
|
7222 |
|
|
7223 |
|
|
7224 |
|
|
7225 \section{Algorithm Comparison} |
|
|
7226 So far three very different algorithms for modular reduction have been discussed. Each of the algorithms have their own strengths and weaknesses |
|
|
7227 that makes having such a selection very useful. The following table sumarizes the three algorithms along with comparisons of work factors. Since |
|
|
7228 all three algorithms have the restriction that $0 \le x < n^2$ and $n > 1$ those limitations are not included in the table. |
|
|
7229 |
|
|
7230 \begin{center} |
|
|
7231 \begin{small} |
|
|
7232 \begin{tabular}{|c|c|c|c|c|c|} |
|
|
7233 \hline \textbf{Method} & \textbf{Work Required} & \textbf{Limitations} & \textbf{$m = 8$} & \textbf{$m = 32$} & \textbf{$m = 64$} \\ |
|
|
7234 \hline Barrett & $m^2 + 2m - 1$ & None & $79$ & $1087$ & $4223$ \\ |
|
|
7235 \hline Montgomery & $m^2 + m$ & $n$ must be odd & $72$ & $1056$ & $4160$ \\ |
|
|
7236 \hline D.R. & $2m$ & $n = \beta^m - k$ & $16$ & $64$ & $128$ \\ |
|
|
7237 \hline |
|
|
7238 \end{tabular} |
|
|
7239 \end{small} |
|
|
7240 \end{center} |
|
|
7241 |
|
|
7242 In theory Montgomery and Barrett reductions would require roughly the same amount of time to complete. However, in practice since Montgomery |
|
|
7243 reduction can be written as a single function with the Comba technique it is much faster. Barrett reduction suffers from the overhead of |
|
|
7244 calling the half precision multipliers, addition and division by $\beta$ algorithms. |
|
|
7245 |
|
|
7246 For almost every cryptographic algorithm Montgomery reduction is the algorithm of choice. The one set of algorithms where Diminished Radix reduction truly |
|
|
7247 shines are based on the discrete logarithm problem such as Diffie-Hellman \cite{DH} and ElGamal \cite{ELGAMAL}. In these algorithms |
|
|
7248 primes of the form $\beta^m - k$ can be found and shared amongst users. These primes will allow the Diminished Radix algorithm to be used in |
|
|
7249 modular exponentiation to greatly speed up the operation. |
|
|
7250 |
|
|
7251 |
|
|
7252 |
|
|
7253 \section*{Exercises} |
|
|
7254 \begin{tabular}{cl} |
|
|
7255 $\left [ 3 \right ]$ & Prove that the ``trick'' in algorithm mp\_montgomery\_setup actually \\ |
|
|
7256 & calculates the correct value of $\rho$. \\ |
|
|
7257 & \\ |
|
|
7258 $\left [ 2 \right ]$ & Devise an algorithm to reduce modulo $n + k$ for small $k$ quickly. \\ |
|
|
7259 & \\ |
|
|
7260 $\left [ 4 \right ]$ & Prove that the pseudo-code algorithm ``Diminished Radix Reduction'' \\ |
|
|
7261 & (\textit{figure~\ref{fig:DR}}) terminates. Also prove the probability that it will \\ |
|
|
7262 & terminate within $1 \le k \le 10$ iterations. \\ |
|
|
7263 & \\ |
|
|
7264 \end{tabular} |
|
|
7265 |
|
|
7266 |
|
|
7267 \chapter{Exponentiation} |
|
|
7268 Exponentiation is the operation of raising one variable to the power of another, for example, $a^b$. A variant of exponentiation, computed |
|
|
7269 in a finite field or ring, is called modular exponentiation. This latter style of operation is typically used in public key |
|
|
7270 cryptosystems such as RSA and Diffie-Hellman. The ability to quickly compute modular exponentiations is of great benefit to any |
|
|
7271 such cryptosystem and many methods have been sought to speed it up. |
|
|
7272 |
|
|
7273 \section{Exponentiation Basics} |
|
|
7274 A trivial algorithm would simply multiply $a$ against itself $b - 1$ times to compute the exponentiation desired. However, as $b$ grows in size |
|
|
7275 the number of multiplications becomes prohibitive. Imagine what would happen if $b$ $\approx$ $2^{1024}$ as is the case when computing an RSA signature |
|
|
7276 with a $1024$-bit key. Such a calculation could never be completed as it would take simply far too long. |
|
|
7277 |
|
|
7278 Fortunately there is a very simple algorithm based on the laws of exponents. Recall that $lg_a(a^b) = b$ and that $lg_a(a^ba^c) = b + c$ which |
|
|
7279 are two trivial relationships between the base and the exponent. Let $b_i$ represent the $i$'th bit of $b$ starting from the least |
|
|
7280 significant bit. If $b$ is a $k$-bit integer than the following equation is true. |
|
|
7281 |
|
|
7282 \begin{equation} |
|
|
7283 a^b = \prod_{i=0}^{k-1} a^{2^i \cdot b_i} |
|
|
7284 \end{equation} |
|
|
7285 |
|
|
7286 By taking the base $a$ logarithm of both sides of the equation the following equation is the result. |
|
|
7287 |
|
|
7288 \begin{equation} |
|
|
7289 b = \sum_{i=0}^{k-1}2^i \cdot b_i |
|
|
7290 \end{equation} |
|
|
7291 |
|
|
7292 The term $a^{2^i}$ can be found from the $i - 1$'th term by squaring the term since $\left ( a^{2^i} \right )^2$ is equal to |
|
|
7293 $a^{2^{i+1}}$. This observation forms the basis of essentially all fast exponentiation algorithms. It requires $k$ squarings and on average |
|
|
7294 $k \over 2$ multiplications to compute the result. This is indeed quite an improvement over simply multiplying by $a$ a total of $b-1$ times. |
|
|
7295 |
|
|
7296 While this current method is a considerable speed up there are further improvements to be made. For example, the $a^{2^i}$ term does not need to |
|
|
7297 be computed in an auxilary variable. Consider the following equivalent algorithm. |
|
|
7298 |
|
|
7299 \begin{figure}[!here] |
|
|
7300 \begin{small} |
|
|
7301 \begin{center} |
|
|
7302 \begin{tabular}{l} |
|
|
7303 \hline Algorithm \textbf{Left to Right Exponentiation}. \\ |
|
|
7304 \textbf{Input}. Integer $a$, $b$ and $k$ \\ |
|
|
7305 \textbf{Output}. $c = a^b$ \\ |
|
|
7306 \hline \\ |
|
|
7307 1. $c \leftarrow 1$ \\ |
|
|
7308 2. for $i$ from $k - 1$ to $0$ do \\ |
|
|
7309 \hspace{3mm}2.1 $c \leftarrow c^2$ \\ |
|
|
7310 \hspace{3mm}2.2 $c \leftarrow c \cdot a^{b_i}$ \\ |
|
|
7311 3. Return $c$. \\ |
|
|
7312 \hline |
|
|
7313 \end{tabular} |
|
|
7314 \end{center} |
|
|
7315 \end{small} |
|
|
7316 \caption{Left to Right Exponentiation} |
|
|
7317 \label{fig:LTOR} |
|
|
7318 \end{figure} |
|
|
7319 |
|
|
7320 This algorithm starts from the most significant bit and works towards the least significant bit. When the $i$'th bit of $b$ is set $a$ is |
|
|
7321 multiplied against the current product. In each iteration the product is squared which doubles the exponent of the individual terms of the |
|
|
7322 product. |
|
|
7323 |
|
|
7324 For example, let $b = 101100_2 \equiv 44_{10}$. The following chart demonstrates the actions of the algorithm. |
|
|
7325 |
|
|
7326 \newpage\begin{figure} |
|
|
7327 \begin{center} |
|
|
7328 \begin{tabular}{|c|c|} |
|
|
7329 \hline \textbf{Value of $i$} & \textbf{Value of $c$} \\ |
|
|
7330 \hline - & $1$ \\ |
|
|
7331 \hline $5$ & $a$ \\ |
|
|
7332 \hline $4$ & $a^2$ \\ |
|
|
7333 \hline $3$ & $a^4 \cdot a$ \\ |
|
|
7334 \hline $2$ & $a^8 \cdot a^2 \cdot a$ \\ |
|
|
7335 \hline $1$ & $a^{16} \cdot a^4 \cdot a^2$ \\ |
|
|
7336 \hline $0$ & $a^{32} \cdot a^8 \cdot a^4$ \\ |
|
|
7337 \hline |
|
|
7338 \end{tabular} |
|
|
7339 \end{center} |
|
|
7340 \caption{Example of Left to Right Exponentiation} |
|
|
7341 \end{figure} |
|
|
7342 |
|
|
7343 When the product $a^{32} \cdot a^8 \cdot a^4$ is simplified it is equal $a^{44}$ which is the desired exponentiation. This particular algorithm is |
|
|
7344 called ``Left to Right'' because it reads the exponent in that order. All of the exponentiation algorithms that will be presented are of this nature. |
|
|
7345 |
|
|
7346 \subsection{Single Digit Exponentiation} |
|
|
7347 The first algorithm in the series of exponentiation algorithms will be an unbounded algorithm where the exponent is a single digit. It is intended |
|
|
7348 to be used when a small power of an input is required (\textit{e.g. $a^5$}). It is faster than simply multiplying $b - 1$ times for all values of |
|
|
7349 $b$ that are greater than three. |
|
|
7350 |
|
|
7351 \newpage\begin{figure}[!here] |
|
|
7352 \begin{small} |
|
|
7353 \begin{center} |
|
|
7354 \begin{tabular}{l} |
|
|
7355 \hline Algorithm \textbf{mp\_expt\_d}. \\ |
|
|
7356 \textbf{Input}. mp\_int $a$ and mp\_digit $b$ \\ |
|
|
7357 \textbf{Output}. $c = a^b$ \\ |
|
|
7358 \hline \\ |
|
|
7359 1. $g \leftarrow a$ (\textit{mp\_init\_copy}) \\ |
|
|
7360 2. $c \leftarrow 1$ (\textit{mp\_set}) \\ |
|
|
7361 3. for $x$ from 1 to $lg(\beta)$ do \\ |
|
|
7362 \hspace{3mm}3.1 $c \leftarrow c^2$ (\textit{mp\_sqr}) \\ |
|
|
7363 \hspace{3mm}3.2 If $b$ AND $2^{lg(\beta) - 1} \ne 0$ then \\ |
|
|
7364 \hspace{6mm}3.2.1 $c \leftarrow c \cdot g$ (\textit{mp\_mul}) \\ |
|
|
7365 \hspace{3mm}3.3 $b \leftarrow b << 1$ \\ |
|
|
7366 4. Clear $g$. \\ |
|
|
7367 5. Return(\textit{MP\_OKAY}). \\ |
|
|
7368 \hline |
|
|
7369 \end{tabular} |
|
|
7370 \end{center} |
|
|
7371 \end{small} |
|
|
7372 \caption{Algorithm mp\_expt\_d} |
|
|
7373 \end{figure} |
|
|
7374 |
|
|
7375 \textbf{Algorithm mp\_expt\_d.} |
|
|
7376 This algorithm computes the value of $a$ raised to the power of a single digit $b$. It uses the left to right exponentiation algorithm to |
|
|
7377 quickly compute the exponentiation. It is loosely based on algorithm 14.79 of HAC \cite[pp. 615]{HAC} with the difference that the |
|
|
7378 exponent is a fixed width. |
|
|
7379 |
|
|
7380 A copy of $a$ is made first to allow destination variable $c$ be the same as the source variable $a$. The result is set to the initial value of |
|
|
7381 $1$ in the subsequent step. |
|
|
7382 |
|
|
7383 Inside the loop the exponent is read from the most significant bit first down to the least significant bit. First $c$ is invariably squared |
|
|
7384 on step 3.1. In the following step if the most significant bit of $b$ is one the copy of $a$ is multiplied against $c$. The value |
|
|
7385 of $b$ is shifted left one bit to make the next bit down from the most signficant bit the new most significant bit. In effect each |
|
|
7386 iteration of the loop moves the bits of the exponent $b$ upwards to the most significant location. |
|
|
7387 |
|
|
7388 \vspace{+3mm}\begin{small} |
|
|
7389 \hspace{-5.1mm}{\bf File}: bn\_mp\_expt\_d.c |
|
|
7390 \vspace{-3mm} |
|
|
7391 \begin{alltt} |
|
|
7392 016 |
|
|
7393 017 /* calculate c = a**b using a square-multiply algorithm */ |
|
|
7394 018 int mp_expt_d (mp_int * a, mp_digit b, mp_int * c) |
|
|
7395 019 \{ |
|
|
7396 020 int res, x; |
|
|
7397 021 mp_int g; |
|
|
7398 022 |
|
|
7399 023 if ((res = mp_init_copy (&g, a)) != MP_OKAY) \{ |
|
|
7400 024 return res; |
|
|
7401 025 \} |
|
|
7402 026 |
|
|
7403 027 /* set initial result */ |
|
|
7404 028 mp_set (c, 1); |
|
|
7405 029 |
|
|
7406 030 for (x = 0; x < (int) DIGIT_BIT; x++) \{ |
|
|
7407 031 /* square */ |
|
|
7408 032 if ((res = mp_sqr (c, c)) != MP_OKAY) \{ |
|
|
7409 033 mp_clear (&g); |
|
|
7410 034 return res; |
|
|
7411 035 \} |
|
|
7412 036 |
|
|
7413 037 /* if the bit is set multiply */ |
|
|
7414 038 if ((b & (mp_digit) (((mp_digit)1) << (DIGIT_BIT - 1))) != 0) \{ |
|
|
7415 039 if ((res = mp_mul (c, &g, c)) != MP_OKAY) \{ |
|
|
7416 040 mp_clear (&g); |
|
|
7417 041 return res; |
|
|
7418 042 \} |
|
|
7419 043 \} |
|
|
7420 044 |
|
|
7421 045 /* shift to next bit */ |
|
|
7422 046 b <<= 1; |
|
|
7423 047 \} |
|
|
7424 048 |
|
|
7425 049 mp_clear (&g); |
|
|
7426 050 return MP_OKAY; |
|
|
7427 051 \} |
|
|
7428 052 #endif |
|
386
|
7429 053 |
|
282
|
7430 \end{alltt} |
|
|
7431 \end{small} |
|
|
7432 |
|
|
7433 Line 28 sets the initial value of the result to $1$. Next the loop on line 30 steps through each bit of the exponent starting from |
|
|
7434 the most significant down towards the least significant. The invariant squaring operation placed on line 32 is performed first. After |
|
|
7435 the squaring the result $c$ is multiplied by the base $g$ if and only if the most significant bit of the exponent is set. The shift on line |
|
|
7436 46 moves all of the bits of the exponent upwards towards the most significant location. |
|
|
7437 |
|
|
7438 \section{$k$-ary Exponentiation} |
|
|
7439 When calculating an exponentiation the most time consuming bottleneck is the multiplications which are in general a small factor |
|
|
7440 slower than squaring. Recall from the previous algorithm that $b_{i}$ refers to the $i$'th bit of the exponent $b$. Suppose instead it referred to |
|
|
7441 the $i$'th $k$-bit digit of the exponent of $b$. For $k = 1$ the definitions are synonymous and for $k > 1$ algorithm~\ref{fig:KARY} |
|
|
7442 computes the same exponentiation. A group of $k$ bits from the exponent is called a \textit{window}. That is it is a small window on only a |
|
|
7443 portion of the entire exponent. Consider the following modification to the basic left to right exponentiation algorithm. |
|
|
7444 |
|
|
7445 \begin{figure}[!here] |
|
|
7446 \begin{small} |
|
|
7447 \begin{center} |
|
|
7448 \begin{tabular}{l} |
|
|
7449 \hline Algorithm \textbf{$k$-ary Exponentiation}. \\ |
|
|
7450 \textbf{Input}. Integer $a$, $b$, $k$ and $t$ \\ |
|
|
7451 \textbf{Output}. $c = a^b$ \\ |
|
|
7452 \hline \\ |
|
|
7453 1. $c \leftarrow 1$ \\ |
|
|
7454 2. for $i$ from $t - 1$ to $0$ do \\ |
|
|
7455 \hspace{3mm}2.1 $c \leftarrow c^{2^k} $ \\ |
|
|
7456 \hspace{3mm}2.2 Extract the $i$'th $k$-bit word from $b$ and store it in $g$. \\ |
|
|
7457 \hspace{3mm}2.3 $c \leftarrow c \cdot a^g$ \\ |
|
|
7458 3. Return $c$. \\ |
|
|
7459 \hline |
|
|
7460 \end{tabular} |
|
|
7461 \end{center} |
|
|
7462 \end{small} |
|
|
7463 \caption{$k$-ary Exponentiation} |
|
|
7464 \label{fig:KARY} |
|
|
7465 \end{figure} |
|
|
7466 |
|
|
7467 The squaring on step 2.1 can be calculated by squaring the value $c$ successively $k$ times. If the values of $a^g$ for $0 < g < 2^k$ have been |
|
|
7468 precomputed this algorithm requires only $t$ multiplications and $tk$ squarings. The table can be generated with $2^{k - 1} - 1$ squarings and |
|
|
7469 $2^{k - 1} + 1$ multiplications. This algorithm assumes that the number of bits in the exponent is evenly divisible by $k$. |
|
|
7470 However, when it is not the remaining $0 < x \le k - 1$ bits can be handled with algorithm~\ref{fig:LTOR}. |
|
|
7471 |
|
|
7472 Suppose $k = 4$ and $t = 100$. This modified algorithm will require $109$ multiplications and $408$ squarings to compute the exponentiation. The |
|
|
7473 original algorithm would on average have required $200$ multiplications and $400$ squrings to compute the same value. The total number of squarings |
|
|
7474 has increased slightly but the number of multiplications has nearly halved. |
|
|
7475 |
|
|
7476 \subsection{Optimal Values of $k$} |
|
|
7477 An optimal value of $k$ will minimize $2^{k} + \lceil n / k \rceil + n - 1$ for a fixed number of bits in the exponent $n$. The simplest |
|
|
7478 approach is to brute force search amongst the values $k = 2, 3, \ldots, 8$ for the lowest result. Table~\ref{fig:OPTK} lists optimal values of $k$ |
|
|
7479 for various exponent sizes and compares the number of multiplication and squarings required against algorithm~\ref{fig:LTOR}. |
|
|
7480 |
|
|
7481 \begin{figure}[here] |
|
|
7482 \begin{center} |
|
|
7483 \begin{small} |
|
|
7484 \begin{tabular}{|c|c|c|c|c|c|} |
|
|
7485 \hline \textbf{Exponent (bits)} & \textbf{Optimal $k$} & \textbf{Work at $k$} & \textbf{Work with ~\ref{fig:LTOR}} \\ |
|
|
7486 \hline $16$ & $2$ & $27$ & $24$ \\ |
|
|
7487 \hline $32$ & $3$ & $49$ & $48$ \\ |
|
|
7488 \hline $64$ & $3$ & $92$ & $96$ \\ |
|
|
7489 \hline $128$ & $4$ & $175$ & $192$ \\ |
|
|
7490 \hline $256$ & $4$ & $335$ & $384$ \\ |
|
|
7491 \hline $512$ & $5$ & $645$ & $768$ \\ |
|
|
7492 \hline $1024$ & $6$ & $1257$ & $1536$ \\ |
|
|
7493 \hline $2048$ & $6$ & $2452$ & $3072$ \\ |
|
|
7494 \hline $4096$ & $7$ & $4808$ & $6144$ \\ |
|
|
7495 \hline |
|
|
7496 \end{tabular} |
|
|
7497 \end{small} |
|
|
7498 \end{center} |
|
|
7499 \caption{Optimal Values of $k$ for $k$-ary Exponentiation} |
|
|
7500 \label{fig:OPTK} |
|
|
7501 \end{figure} |
|
|
7502 |
|
|
7503 \subsection{Sliding-Window Exponentiation} |
|
|
7504 A simple modification to the previous algorithm is only generate the upper half of the table in the range $2^{k-1} \le g < 2^k$. Essentially |
|
|
7505 this is a table for all values of $g$ where the most significant bit of $g$ is a one. However, in order for this to be allowed in the |
|
|
7506 algorithm values of $g$ in the range $0 \le g < 2^{k-1}$ must be avoided. |
|
|
7507 |
|
|
7508 Table~\ref{fig:OPTK2} lists optimal values of $k$ for various exponent sizes and compares the work required against algorithm~\ref{fig:KARY}. |
|
|
7509 |
|
|
7510 \begin{figure}[here] |
|
|
7511 \begin{center} |
|
|
7512 \begin{small} |
|
|
7513 \begin{tabular}{|c|c|c|c|c|c|} |
|
|
7514 \hline \textbf{Exponent (bits)} & \textbf{Optimal $k$} & \textbf{Work at $k$} & \textbf{Work with ~\ref{fig:KARY}} \\ |
|
|
7515 \hline $16$ & $3$ & $24$ & $27$ \\ |
|
|
7516 \hline $32$ & $3$ & $45$ & $49$ \\ |
|
|
7517 \hline $64$ & $4$ & $87$ & $92$ \\ |
|
|
7518 \hline $128$ & $4$ & $167$ & $175$ \\ |
|
|
7519 \hline $256$ & $5$ & $322$ & $335$ \\ |
|
|
7520 \hline $512$ & $6$ & $628$ & $645$ \\ |
|
|
7521 \hline $1024$ & $6$ & $1225$ & $1257$ \\ |
|
|
7522 \hline $2048$ & $7$ & $2403$ & $2452$ \\ |
|
|
7523 \hline $4096$ & $8$ & $4735$ & $4808$ \\ |
|
|
7524 \hline |
|
|
7525 \end{tabular} |
|
|
7526 \end{small} |
|
|
7527 \end{center} |
|
|
7528 \caption{Optimal Values of $k$ for Sliding Window Exponentiation} |
|
|
7529 \label{fig:OPTK2} |
|
|
7530 \end{figure} |
|
|
7531 |
|
|
7532 \newpage\begin{figure}[!here] |
|
|
7533 \begin{small} |
|
|
7534 \begin{center} |
|
|
7535 \begin{tabular}{l} |
|
|
7536 \hline Algorithm \textbf{Sliding Window $k$-ary Exponentiation}. \\ |
|
|
7537 \textbf{Input}. Integer $a$, $b$, $k$ and $t$ \\ |
|
|
7538 \textbf{Output}. $c = a^b$ \\ |
|
|
7539 \hline \\ |
|
|
7540 1. $c \leftarrow 1$ \\ |
|
|
7541 2. for $i$ from $t - 1$ to $0$ do \\ |
|
|
7542 \hspace{3mm}2.1 If the $i$'th bit of $b$ is a zero then \\ |
|
|
7543 \hspace{6mm}2.1.1 $c \leftarrow c^2$ \\ |
|
|
7544 \hspace{3mm}2.2 else do \\ |
|
|
7545 \hspace{6mm}2.2.1 $c \leftarrow c^{2^k}$ \\ |
|
|
7546 \hspace{6mm}2.2.2 Extract the $k$ bits from $(b_{i}b_{i-1}\ldots b_{i-(k-1)})$ and store it in $g$. \\ |
|
|
7547 \hspace{6mm}2.2.3 $c \leftarrow c \cdot a^g$ \\ |
|
|
7548 \hspace{6mm}2.2.4 $i \leftarrow i - k$ \\ |
|
|
7549 3. Return $c$. \\ |
|
|
7550 \hline |
|
|
7551 \end{tabular} |
|
|
7552 \end{center} |
|
|
7553 \end{small} |
|
|
7554 \caption{Sliding Window $k$-ary Exponentiation} |
|
|
7555 \end{figure} |
|
|
7556 |
|
|
7557 Similar to the previous algorithm this algorithm must have a special handler when fewer than $k$ bits are left in the exponent. While this |
|
|
7558 algorithm requires the same number of squarings it can potentially have fewer multiplications. The pre-computed table $a^g$ is also half |
|
|
7559 the size as the previous table. |
|
|
7560 |
|
|
7561 Consider the exponent $b = 111101011001000_2 \equiv 31432_{10}$ with $k = 3$ using both algorithms. The first algorithm will divide the exponent up as |
|
|
7562 the following five $3$-bit words $b \equiv \left ( 111, 101, 011, 001, 000 \right )_{2}$. The second algorithm will break the |
|
|
7563 exponent as $b \equiv \left ( 111, 101, 0, 110, 0, 100, 0 \right )_{2}$. The single digit $0$ in the second representation are where |
|
|
7564 a single squaring took place instead of a squaring and multiplication. In total the first method requires $10$ multiplications and $18$ |
|
|
7565 squarings. The second method requires $8$ multiplications and $18$ squarings. |
|
|
7566 |
|
|
7567 In general the sliding window method is never slower than the generic $k$-ary method and often it is slightly faster. |
|
|
7568 |
|
|
7569 \section{Modular Exponentiation} |
|
|
7570 |
|
|
7571 Modular exponentiation is essentially computing the power of a base within a finite field or ring. For example, computing |
|
|
7572 $d \equiv a^b \mbox{ (mod }c\mbox{)}$ is a modular exponentiation. Instead of first computing $a^b$ and then reducing it |
|
|
7573 modulo $c$ the intermediate result is reduced modulo $c$ after every squaring or multiplication operation. |
|
|
7574 |
|
|
7575 This guarantees that any intermediate result is bounded by $0 \le d \le c^2 - 2c + 1$ and can be reduced modulo $c$ quickly using |
|
|
7576 one of the algorithms presented in chapter six. |
|
|
7577 |
|
|
7578 Before the actual modular exponentiation algorithm can be written a wrapper algorithm must be written first. This algorithm |
|
|
7579 will allow the exponent $b$ to be negative which is computed as $c \equiv \left (1 / a \right )^{\vert b \vert} \mbox{(mod }d\mbox{)}$. The |
|
|
7580 value of $(1/a) \mbox{ mod }c$ is computed using the modular inverse (\textit{see \ref{sec;modinv}}). If no inverse exists the algorithm |
|
|
7581 terminates with an error. |
|
|
7582 |
|
|
7583 \begin{figure}[!here] |
|
|
7584 \begin{small} |
|
|
7585 \begin{center} |
|
|
7586 \begin{tabular}{l} |
|
|
7587 \hline Algorithm \textbf{mp\_exptmod}. \\ |
|
|
7588 \textbf{Input}. mp\_int $a$, $b$ and $c$ \\ |
|
|
7589 \textbf{Output}. $y \equiv g^x \mbox{ (mod }p\mbox{)}$ \\ |
|
|
7590 \hline \\ |
|
|
7591 1. If $c.sign = MP\_NEG$ return(\textit{MP\_VAL}). \\ |
|
|
7592 2. If $b.sign = MP\_NEG$ then \\ |
|
|
7593 \hspace{3mm}2.1 $g' \leftarrow g^{-1} \mbox{ (mod }c\mbox{)}$ \\ |
|
|
7594 \hspace{3mm}2.2 $x' \leftarrow \vert x \vert$ \\ |
|
|
7595 \hspace{3mm}2.3 Compute $d \equiv g'^{x'} \mbox{ (mod }c\mbox{)}$ via recursion. \\ |
|
|
7596 3. if $p$ is odd \textbf{OR} $p$ is a D.R. modulus then \\ |
|
|
7597 \hspace{3mm}3.1 Compute $y \equiv g^{x} \mbox{ (mod }p\mbox{)}$ via algorithm mp\_exptmod\_fast. \\ |
|
|
7598 4. else \\ |
|
|
7599 \hspace{3mm}4.1 Compute $y \equiv g^{x} \mbox{ (mod }p\mbox{)}$ via algorithm s\_mp\_exptmod. \\ |
|
|
7600 \hline |
|
|
7601 \end{tabular} |
|
|
7602 \end{center} |
|
|
7603 \end{small} |
|
|
7604 \caption{Algorithm mp\_exptmod} |
|
|
7605 \end{figure} |
|
|
7606 |
|
|
7607 \textbf{Algorithm mp\_exptmod.} |
|
|
7608 The first algorithm which actually performs modular exponentiation is algorithm s\_mp\_exptmod. It is a sliding window $k$-ary algorithm |
|
|
7609 which uses Barrett reduction to reduce the product modulo $p$. The second algorithm mp\_exptmod\_fast performs the same operation |
|
|
7610 except it uses either Montgomery or Diminished Radix reduction. The two latter reduction algorithms are clumped in the same exponentiation |
|
|
7611 algorithm since their arguments are essentially the same (\textit{two mp\_ints and one mp\_digit}). |
|
|
7612 |
|
|
7613 \vspace{+3mm}\begin{small} |
|
|
7614 \hspace{-5.1mm}{\bf File}: bn\_mp\_exptmod.c |
|
|
7615 \vspace{-3mm} |
|
|
7616 \begin{alltt} |
|
|
7617 016 |
|
|
7618 017 |
|
|
7619 018 /* this is a shell function that calls either the normal or Montgomery |
|
|
7620 019 * exptmod functions. Originally the call to the montgomery code was |
|
|
7621 020 * embedded in the normal function but that wasted alot of stack space |
|
|
7622 021 * for nothing (since 99% of the time the Montgomery code would be called) |
|
|
7623 022 */ |
|
|
7624 023 int mp_exptmod (mp_int * G, mp_int * X, mp_int * P, mp_int * Y) |
|
|
7625 024 \{ |
|
|
7626 025 int dr; |
|
|
7627 026 |
|
|
7628 027 /* modulus P must be positive */ |
|
|
7629 028 if (P->sign == MP_NEG) \{ |
|
|
7630 029 return MP_VAL; |
|
|
7631 030 \} |
|
|
7632 031 |
|
|
7633 032 /* if exponent X is negative we have to recurse */ |
|
|
7634 033 if (X->sign == MP_NEG) \{ |
|
|
7635 034 #ifdef BN_MP_INVMOD_C |
|
|
7636 035 mp_int tmpG, tmpX; |
|
|
7637 036 int err; |
|
|
7638 037 |
|
|
7639 038 /* first compute 1/G mod P */ |
|
|
7640 039 if ((err = mp_init(&tmpG)) != MP_OKAY) \{ |
|
|
7641 040 return err; |
|
|
7642 041 \} |
|
|
7643 042 if ((err = mp_invmod(G, P, &tmpG)) != MP_OKAY) \{ |
|
|
7644 043 mp_clear(&tmpG); |
|
|
7645 044 return err; |
|
|
7646 045 \} |
|
|
7647 046 |
|
|
7648 047 /* now get |X| */ |
|
|
7649 048 if ((err = mp_init(&tmpX)) != MP_OKAY) \{ |
|
|
7650 049 mp_clear(&tmpG); |
|
|
7651 050 return err; |
|
|
7652 051 \} |
|
|
7653 052 if ((err = mp_abs(X, &tmpX)) != MP_OKAY) \{ |
|
|
7654 053 mp_clear_multi(&tmpG, &tmpX, NULL); |
|
|
7655 054 return err; |
|
|
7656 055 \} |
|
|
7657 056 |
|
|
7658 057 /* and now compute (1/G)**|X| instead of G**X [X < 0] */ |
|
|
7659 058 err = mp_exptmod(&tmpG, &tmpX, P, Y); |
|
|
7660 059 mp_clear_multi(&tmpG, &tmpX, NULL); |
|
|
7661 060 return err; |
|
|
7662 061 #else |
|
|
7663 062 /* no invmod */ |
|
|
7664 063 return MP_VAL; |
|
|
7665 064 #endif |
|
|
7666 065 \} |
|
|
7667 066 |
|
|
7668 067 /* modified diminished radix reduction */ |
|
386
|
7669 068 #if defined(BN_MP_REDUCE_IS_2K_L_C) && defined(BN_MP_REDUCE_2K_L_C) && defin |
|
|
7670 ed(BN_S_MP_EXPTMOD_C) |
|
282
|
7671 069 if (mp_reduce_is_2k_l(P) == MP_YES) \{ |
|
|
7672 070 return s_mp_exptmod(G, X, P, Y, 1); |
|
|
7673 071 \} |
|
|
7674 072 #endif |
|
|
7675 073 |
|
|
7676 074 #ifdef BN_MP_DR_IS_MODULUS_C |
|
|
7677 075 /* is it a DR modulus? */ |
|
|
7678 076 dr = mp_dr_is_modulus(P); |
|
|
7679 077 #else |
|
|
7680 078 /* default to no */ |
|
|
7681 079 dr = 0; |
|
|
7682 080 #endif |
|
|
7683 081 |
|
|
7684 082 #ifdef BN_MP_REDUCE_IS_2K_C |
|
|
7685 083 /* if not, is it a unrestricted DR modulus? */ |
|
|
7686 084 if (dr == 0) \{ |
|
|
7687 085 dr = mp_reduce_is_2k(P) << 1; |
|
|
7688 086 \} |
|
|
7689 087 #endif |
|
|
7690 088 |
|
|
7691 089 /* if the modulus is odd or dr != 0 use the montgomery method */ |
|
|
7692 090 #ifdef BN_MP_EXPTMOD_FAST_C |
|
|
7693 091 if (mp_isodd (P) == 1 || dr != 0) \{ |
|
|
7694 092 return mp_exptmod_fast (G, X, P, Y, dr); |
|
|
7695 093 \} else \{ |
|
|
7696 094 #endif |
|
|
7697 095 #ifdef BN_S_MP_EXPTMOD_C |
|
|
7698 096 /* otherwise use the generic Barrett reduction technique */ |
|
|
7699 097 return s_mp_exptmod (G, X, P, Y, 0); |
|
|
7700 098 #else |
|
|
7701 099 /* no exptmod for evens */ |
|
|
7702 100 return MP_VAL; |
|
|
7703 101 #endif |
|
|
7704 102 #ifdef BN_MP_EXPTMOD_FAST_C |
|
|
7705 103 \} |
|
|
7706 104 #endif |
|
|
7707 105 \} |
|
|
7708 106 |
|
|
7709 107 #endif |
|
386
|
7710 108 |
|
282
|
7711 \end{alltt} |
|
|
7712 \end{small} |
|
|
7713 |
|
|
7714 In order to keep the algorithms in a known state the first step on line 28 is to reject any negative modulus as input. If the exponent is |
|
|
7715 negative the algorithm tries to perform a modular exponentiation with the modular inverse of the base $G$. The temporary variable $tmpG$ is assigned |
|
|
7716 the modular inverse of $G$ and $tmpX$ is assigned the absolute value of $X$. The algorithm will recuse with these new values with a positive |
|
|
7717 exponent. |
|
|
7718 |
|
|
7719 If the exponent is positive the algorithm resumes the exponentiation. Line 76 determines if the modulus is of the restricted Diminished Radix |
|
|
7720 form. If it is not line 69 attempts to determine if it is of a unrestricted Diminished Radix form. The integer $dr$ will take on one |
|
|
7721 of three values. |
|
|
7722 |
|
|
7723 \begin{enumerate} |
|
|
7724 \item $dr = 0$ means that the modulus is not of either restricted or unrestricted Diminished Radix form. |
|
|
7725 \item $dr = 1$ means that the modulus is of restricted Diminished Radix form. |
|
|
7726 \item $dr = 2$ means that the modulus is of unrestricted Diminished Radix form. |
|
|
7727 \end{enumerate} |
|
|
7728 |
|
|
7729 Line 69 determines if the fast modular exponentiation algorithm can be used. It is allowed if $dr \ne 0$ or if the modulus is odd. Otherwise, |
|
|
7730 the slower s\_mp\_exptmod algorithm is used which uses Barrett reduction. |
|
|
7731 |
|
|
7732 \subsection{Barrett Modular Exponentiation} |
|
|
7733 |
|
|
7734 \newpage\begin{figure}[!here] |
|
|
7735 \begin{small} |
|
|
7736 \begin{center} |
|
|
7737 \begin{tabular}{l} |
|
|
7738 \hline Algorithm \textbf{s\_mp\_exptmod}. \\ |
|
|
7739 \textbf{Input}. mp\_int $a$, $b$ and $c$ \\ |
|
|
7740 \textbf{Output}. $y \equiv g^x \mbox{ (mod }p\mbox{)}$ \\ |
|
|
7741 \hline \\ |
|
|
7742 1. $k \leftarrow lg(x)$ \\ |
|
|
7743 2. $winsize \leftarrow \left \lbrace \begin{array}{ll} |
|
|
7744 2 & \mbox{if }k \le 7 \\ |
|
|
7745 3 & \mbox{if }7 < k \le 36 \\ |
|
|
7746 4 & \mbox{if }36 < k \le 140 \\ |
|
|
7747 5 & \mbox{if }140 < k \le 450 \\ |
|
|
7748 6 & \mbox{if }450 < k \le 1303 \\ |
|
|
7749 7 & \mbox{if }1303 < k \le 3529 \\ |
|
|
7750 8 & \mbox{if }3529 < k \\ |
|
|
7751 \end{array} \right .$ \\ |
|
|
7752 3. Initialize $2^{winsize}$ mp\_ints in an array named $M$ and one mp\_int named $\mu$ \\ |
|
|
7753 4. Calculate the $\mu$ required for Barrett Reduction (\textit{mp\_reduce\_setup}). \\ |
|
|
7754 5. $M_1 \leftarrow g \mbox{ (mod }p\mbox{)}$ \\ |
|
|
7755 \\ |
|
|
7756 Setup the table of small powers of $g$. First find $g^{2^{winsize}}$ and then all multiples of it. \\ |
|
|
7757 6. $k \leftarrow 2^{winsize - 1}$ \\ |
|
|
7758 7. $M_{k} \leftarrow M_1$ \\ |
|
|
7759 8. for $ix$ from 0 to $winsize - 2$ do \\ |
|
|
7760 \hspace{3mm}8.1 $M_k \leftarrow \left ( M_k \right )^2$ (\textit{mp\_sqr}) \\ |
|
|
7761 \hspace{3mm}8.2 $M_k \leftarrow M_k \mbox{ (mod }p\mbox{)}$ (\textit{mp\_reduce}) \\ |
|
|
7762 9. for $ix$ from $2^{winsize - 1} + 1$ to $2^{winsize} - 1$ do \\ |
|
|
7763 \hspace{3mm}9.1 $M_{ix} \leftarrow M_{ix - 1} \cdot M_{1}$ (\textit{mp\_mul}) \\ |
|
|
7764 \hspace{3mm}9.2 $M_{ix} \leftarrow M_{ix} \mbox{ (mod }p\mbox{)}$ (\textit{mp\_reduce}) \\ |
|
|
7765 10. $res \leftarrow 1$ \\ |
|
|
7766 \\ |
|
|
7767 Start Sliding Window. \\ |
|
|
7768 11. $mode \leftarrow 0, bitcnt \leftarrow 1, buf \leftarrow 0, digidx \leftarrow x.used - 1, bitcpy \leftarrow 0, bitbuf \leftarrow 0$ \\ |
|
|
7769 12. Loop \\ |
|
|
7770 \hspace{3mm}12.1 $bitcnt \leftarrow bitcnt - 1$ \\ |
|
|
7771 \hspace{3mm}12.2 If $bitcnt = 0$ then do \\ |
|
|
7772 \hspace{6mm}12.2.1 If $digidx = -1$ goto step 13. \\ |
|
|
7773 \hspace{6mm}12.2.2 $buf \leftarrow x_{digidx}$ \\ |
|
|
7774 \hspace{6mm}12.2.3 $digidx \leftarrow digidx - 1$ \\ |
|
|
7775 \hspace{6mm}12.2.4 $bitcnt \leftarrow lg(\beta)$ \\ |
|
|
7776 Continued on next page. \\ |
|
|
7777 \hline |
|
|
7778 \end{tabular} |
|
|
7779 \end{center} |
|
|
7780 \end{small} |
|
|
7781 \caption{Algorithm s\_mp\_exptmod} |
|
|
7782 \end{figure} |
|
|
7783 |
|
|
7784 \newpage\begin{figure}[!here] |
|
|
7785 \begin{small} |
|
|
7786 \begin{center} |
|
|
7787 \begin{tabular}{l} |
|
|
7788 \hline Algorithm \textbf{s\_mp\_exptmod} (\textit{continued}). \\ |
|
|
7789 \textbf{Input}. mp\_int $a$, $b$ and $c$ \\ |
|
|
7790 \textbf{Output}. $y \equiv g^x \mbox{ (mod }p\mbox{)}$ \\ |
|
|
7791 \hline \\ |
|
|
7792 \hspace{3mm}12.3 $y \leftarrow (buf >> (lg(\beta) - 1))$ AND $1$ \\ |
|
|
7793 \hspace{3mm}12.4 $buf \leftarrow buf << 1$ \\ |
|
|
7794 \hspace{3mm}12.5 if $mode = 0$ and $y = 0$ then goto step 12. \\ |
|
|
7795 \hspace{3mm}12.6 if $mode = 1$ and $y = 0$ then do \\ |
|
|
7796 \hspace{6mm}12.6.1 $res \leftarrow res^2$ \\ |
|
|
7797 \hspace{6mm}12.6.2 $res \leftarrow res \mbox{ (mod }p\mbox{)}$ \\ |
|
|
7798 \hspace{6mm}12.6.3 Goto step 12. \\ |
|
|
7799 \hspace{3mm}12.7 $bitcpy \leftarrow bitcpy + 1$ \\ |
|
|
7800 \hspace{3mm}12.8 $bitbuf \leftarrow bitbuf + (y << (winsize - bitcpy))$ \\ |
|
|
7801 \hspace{3mm}12.9 $mode \leftarrow 2$ \\ |
|
|
7802 \hspace{3mm}12.10 If $bitcpy = winsize$ then do \\ |
|
|
7803 \hspace{6mm}Window is full so perform the squarings and single multiplication. \\ |
|
|
7804 \hspace{6mm}12.10.1 for $ix$ from $0$ to $winsize -1$ do \\ |
|
|
7805 \hspace{9mm}12.10.1.1 $res \leftarrow res^2$ \\ |
|
|
7806 \hspace{9mm}12.10.1.2 $res \leftarrow res \mbox{ (mod }p\mbox{)}$ \\ |
|
|
7807 \hspace{6mm}12.10.2 $res \leftarrow res \cdot M_{bitbuf}$ \\ |
|
|
7808 \hspace{6mm}12.10.3 $res \leftarrow res \mbox{ (mod }p\mbox{)}$ \\ |
|
|
7809 \hspace{6mm}Reset the window. \\ |
|
|
7810 \hspace{6mm}12.10.4 $bitcpy \leftarrow 0, bitbuf \leftarrow 0, mode \leftarrow 1$ \\ |
|
|
7811 \\ |
|
|
7812 No more windows left. Check for residual bits of exponent. \\ |
|
|
7813 13. If $mode = 2$ and $bitcpy > 0$ then do \\ |
|
|
7814 \hspace{3mm}13.1 for $ix$ form $0$ to $bitcpy - 1$ do \\ |
|
|
7815 \hspace{6mm}13.1.1 $res \leftarrow res^2$ \\ |
|
|
7816 \hspace{6mm}13.1.2 $res \leftarrow res \mbox{ (mod }p\mbox{)}$ \\ |
|
|
7817 \hspace{6mm}13.1.3 $bitbuf \leftarrow bitbuf << 1$ \\ |
|
|
7818 \hspace{6mm}13.1.4 If $bitbuf$ AND $2^{winsize} \ne 0$ then do \\ |
|
|
7819 \hspace{9mm}13.1.4.1 $res \leftarrow res \cdot M_{1}$ \\ |
|
|
7820 \hspace{9mm}13.1.4.2 $res \leftarrow res \mbox{ (mod }p\mbox{)}$ \\ |
|
|
7821 14. $y \leftarrow res$ \\ |
|
|
7822 15. Clear $res$, $mu$ and the $M$ array. \\ |
|
|
7823 16. Return(\textit{MP\_OKAY}). \\ |
|
|
7824 \hline |
|
|
7825 \end{tabular} |
|
|
7826 \end{center} |
|
|
7827 \end{small} |
|
|
7828 \caption{Algorithm s\_mp\_exptmod (continued)} |
|
|
7829 \end{figure} |
|
|
7830 |
|
|
7831 \textbf{Algorithm s\_mp\_exptmod.} |
|
|
7832 This algorithm computes the $x$'th power of $g$ modulo $p$ and stores the result in $y$. It takes advantage of the Barrett reduction |
|
|
7833 algorithm to keep the product small throughout the algorithm. |
|
|
7834 |
|
|
7835 The first two steps determine the optimal window size based on the number of bits in the exponent. The larger the exponent the |
|
|
7836 larger the window size becomes. After a window size $winsize$ has been chosen an array of $2^{winsize}$ mp\_int variables is allocated. This |
|
|
7837 table will hold the values of $g^x \mbox{ (mod }p\mbox{)}$ for $2^{winsize - 1} \le x < 2^{winsize}$. |
|
|
7838 |
|
|
7839 After the table is allocated the first power of $g$ is found. Since $g \ge p$ is allowed it must be first reduced modulo $p$ to make |
|
|
7840 the rest of the algorithm more efficient. The first element of the table at $2^{winsize - 1}$ is found by squaring $M_1$ successively $winsize - 2$ |
|
|
7841 times. The rest of the table elements are found by multiplying the previous element by $M_1$ modulo $p$. |
|
|
7842 |
|
|
7843 Now that the table is available the sliding window may begin. The following list describes the functions of all the variables in the window. |
|
|
7844 \begin{enumerate} |
|
|
7845 \item The variable $mode$ dictates how the bits of the exponent are interpreted. |
|
|
7846 \begin{enumerate} |
|
|
7847 \item When $mode = 0$ the bits are ignored since no non-zero bit of the exponent has been seen yet. For example, if the exponent were simply |
|
|
7848 $1$ then there would be $lg(\beta) - 1$ zero bits before the first non-zero bit. In this case bits are ignored until a non-zero bit is found. |
|
|
7849 \item When $mode = 1$ a non-zero bit has been seen before and a new $winsize$-bit window has not been formed yet. In this mode leading $0$ bits |
|
|
7850 are read and a single squaring is performed. If a non-zero bit is read a new window is created. |
|
|
7851 \item When $mode = 2$ the algorithm is in the middle of forming a window and new bits are appended to the window from the most significant bit |
|
|
7852 downwards. |
|
|
7853 \end{enumerate} |
|
|
7854 \item The variable $bitcnt$ indicates how many bits are left in the current digit of the exponent left to be read. When it reaches zero a new digit |
|
|
7855 is fetched from the exponent. |
|
|
7856 \item The variable $buf$ holds the currently read digit of the exponent. |
|
|
7857 \item The variable $digidx$ is an index into the exponents digits. It starts at the leading digit $x.used - 1$ and moves towards the trailing digit. |
|
|
7858 \item The variable $bitcpy$ indicates how many bits are in the currently formed window. When it reaches $winsize$ the window is flushed and |
|
|
7859 the appropriate operations performed. |
|
|
7860 \item The variable $bitbuf$ holds the current bits of the window being formed. |
|
|
7861 \end{enumerate} |
|
|
7862 |
|
|
7863 All of step 12 is the window processing loop. It will iterate while there are digits available form the exponent to read. The first step |
|
|
7864 inside this loop is to extract a new digit if no more bits are available in the current digit. If there are no bits left a new digit is |
|
|
7865 read and if there are no digits left than the loop terminates. |
|
|
7866 |
|
|
7867 After a digit is made available step 12.3 will extract the most significant bit of the current digit and move all other bits in the digit |
|
|
7868 upwards. In effect the digit is read from most significant bit to least significant bit and since the digits are read from leading to |
|
|
7869 trailing edges the entire exponent is read from most significant bit to least significant bit. |
|
|
7870 |
|
|
7871 At step 12.5 if the $mode$ and currently extracted bit $y$ are both zero the bit is ignored and the next bit is read. This prevents the |
|
|
7872 algorithm from having to perform trivial squaring and reduction operations before the first non-zero bit is read. Step 12.6 and 12.7-10 handle |
|
|
7873 the two cases of $mode = 1$ and $mode = 2$ respectively. |
|
|
7874 |
|
|
7875 \begin{center} |
|
|
7876 \begin{figure}[here] |
|
|
7877 \includegraphics{pics/expt_state.ps} |
|
|
7878 \caption{Sliding Window State Diagram} |
|
|
7879 \label{pic:expt_state} |
|
|
7880 \end{figure} |
|
|
7881 \end{center} |
|
|
7882 |
|
|
7883 By step 13 there are no more digits left in the exponent. However, there may be partial bits in the window left. If $mode = 2$ then |
|
|
7884 a Left-to-Right algorithm is used to process the remaining few bits. |
|
|
7885 |
|
|
7886 \vspace{+3mm}\begin{small} |
|
|
7887 \hspace{-5.1mm}{\bf File}: bn\_s\_mp\_exptmod.c |
|
|
7888 \vspace{-3mm} |
|
|
7889 \begin{alltt} |
|
386
|
7890 016 #ifdef MP_LOW_MEM |
|
|
7891 017 #define TAB_SIZE 32 |
|
|
7892 018 #else |
|
|
7893 019 #define TAB_SIZE 256 |
|
|
7894 020 #endif |
|
|
7895 021 |
|
|
7896 022 int s_mp_exptmod (mp_int * G, mp_int * X, mp_int * P, mp_int * Y, int redmod |
|
282
|
7897 e) |
|
386
|
7898 023 \{ |
|
|
7899 024 mp_int M[TAB_SIZE], res, mu; |
|
|
7900 025 mp_digit buf; |
|
|
7901 026 int err, bitbuf, bitcpy, bitcnt, mode, digidx, x, y, winsize; |
|
|
7902 027 int (*redux)(mp_int*,mp_int*,mp_int*); |
|
|
7903 028 |
|
|
7904 029 /* find window size */ |
|
|
7905 030 x = mp_count_bits (X); |
|
|
7906 031 if (x <= 7) \{ |
|
|
7907 032 winsize = 2; |
|
|
7908 033 \} else if (x <= 36) \{ |
|
|
7909 034 winsize = 3; |
|
|
7910 035 \} else if (x <= 140) \{ |
|
|
7911 036 winsize = 4; |
|
|
7912 037 \} else if (x <= 450) \{ |
|
|
7913 038 winsize = 5; |
|
|
7914 039 \} else if (x <= 1303) \{ |
|
|
7915 040 winsize = 6; |
|
|
7916 041 \} else if (x <= 3529) \{ |
|
|
7917 042 winsize = 7; |
|
|
7918 043 \} else \{ |
|
|
7919 044 winsize = 8; |
|
|
7920 045 \} |
|
|
7921 046 |
|
|
7922 047 #ifdef MP_LOW_MEM |
|
|
7923 048 if (winsize > 5) \{ |
|
|
7924 049 winsize = 5; |
|
|
7925 050 \} |
|
|
7926 051 #endif |
|
|
7927 052 |
|
|
7928 053 /* init M array */ |
|
|
7929 054 /* init first cell */ |
|
|
7930 055 if ((err = mp_init(&M[1])) != MP_OKAY) \{ |
|
|
7931 056 return err; |
|
|
7932 057 \} |
|
|
7933 058 |
|
|
7934 059 /* now init the second half of the array */ |
|
|
7935 060 for (x = 1<<(winsize-1); x < (1 << winsize); x++) \{ |
|
|
7936 061 if ((err = mp_init(&M[x])) != MP_OKAY) \{ |
|
|
7937 062 for (y = 1<<(winsize-1); y < x; y++) \{ |
|
|
7938 063 mp_clear (&M[y]); |
|
|
7939 064 \} |
|
|
7940 065 mp_clear(&M[1]); |
|
|
7941 066 return err; |
|
|
7942 067 \} |
|
|
7943 068 \} |
|
|
7944 069 |
|
|
7945 070 /* create mu, used for Barrett reduction */ |
|
|
7946 071 if ((err = mp_init (&mu)) != MP_OKAY) \{ |
|
|
7947 072 goto LBL_M; |
|
|
7948 073 \} |
|
|
7949 074 |
|
|
7950 075 if (redmode == 0) \{ |
|
|
7951 076 if ((err = mp_reduce_setup (&mu, P)) != MP_OKAY) \{ |
|
|
7952 077 goto LBL_MU; |
|
|
7953 078 \} |
|
|
7954 079 redux = mp_reduce; |
|
|
7955 080 \} else \{ |
|
|
7956 081 if ((err = mp_reduce_2k_setup_l (P, &mu)) != MP_OKAY) \{ |
|
|
7957 082 goto LBL_MU; |
|
|
7958 083 \} |
|
|
7959 084 redux = mp_reduce_2k_l; |
|
|
7960 085 \} |
|
|
7961 086 |
|
|
7962 087 /* create M table |
|
|
7963 088 * |
|
|
7964 089 * The M table contains powers of the base, |
|
|
7965 090 * e.g. M[x] = G**x mod P |
|
|
7966 091 * |
|
|
7967 092 * The first half of the table is not |
|
|
7968 093 * computed though accept for M[0] and M[1] |
|
|
7969 094 */ |
|
|
7970 095 if ((err = mp_mod (G, P, &M[1])) != MP_OKAY) \{ |
|
|
7971 096 goto LBL_MU; |
|
|
7972 097 \} |
|
|
7973 098 |
|
|
7974 099 /* compute the value at M[1<<(winsize-1)] by squaring |
|
|
7975 100 * M[1] (winsize-1) times |
|
|
7976 101 */ |
|
|
7977 102 if ((err = mp_copy (&M[1], &M[1 << (winsize - 1)])) != MP_OKAY) \{ |
|
|
7978 103 goto LBL_MU; |
|
|
7979 104 \} |
|
|
7980 105 |
|
|
7981 106 for (x = 0; x < (winsize - 1); x++) \{ |
|
|
7982 107 /* square it */ |
|
|
7983 108 if ((err = mp_sqr (&M[1 << (winsize - 1)], |
|
|
7984 109 &M[1 << (winsize - 1)])) != MP_OKAY) \{ |
|
|
7985 110 goto LBL_MU; |
|
|
7986 111 \} |
|
|
7987 112 |
|
|
7988 113 /* reduce modulo P */ |
|
|
7989 114 if ((err = redux (&M[1 << (winsize - 1)], P, &mu)) != MP_OKAY) \{ |
|
|
7990 115 goto LBL_MU; |
|
|
7991 116 \} |
|
|
7992 117 \} |
|
|
7993 118 |
|
|
7994 119 /* create upper table, that is M[x] = M[x-1] * M[1] (mod P) |
|
|
7995 120 * for x = (2**(winsize - 1) + 1) to (2**winsize - 1) |
|
|
7996 121 */ |
|
|
7997 122 for (x = (1 << (winsize - 1)) + 1; x < (1 << winsize); x++) \{ |
|
|
7998 123 if ((err = mp_mul (&M[x - 1], &M[1], &M[x])) != MP_OKAY) \{ |
|
|
7999 124 goto LBL_MU; |
|
|
8000 125 \} |
|
|
8001 126 if ((err = redux (&M[x], P, &mu)) != MP_OKAY) \{ |
|
|
8002 127 goto LBL_MU; |
|
|
8003 128 \} |
|
|
8004 129 \} |
|
|
8005 130 |
|
|
8006 131 /* setup result */ |
|
|
8007 132 if ((err = mp_init (&res)) != MP_OKAY) \{ |
|
|
8008 133 goto LBL_MU; |
|
|
8009 134 \} |
|
|
8010 135 mp_set (&res, 1); |
|
|
8011 136 |
|
|
8012 137 /* set initial mode and bit cnt */ |
|
|
8013 138 mode = 0; |
|
|
8014 139 bitcnt = 1; |
|
|
8015 140 buf = 0; |
|
|
8016 141 digidx = X->used - 1; |
|
|
8017 142 bitcpy = 0; |
|
|
8018 143 bitbuf = 0; |
|
|
8019 144 |
|
|
8020 145 for (;;) \{ |
|
|
8021 146 /* grab next digit as required */ |
|
|
8022 147 if (--bitcnt == 0) \{ |
|
|
8023 148 /* if digidx == -1 we are out of digits */ |
|
|
8024 149 if (digidx == -1) \{ |
|
|
8025 150 break; |
|
|
8026 151 \} |
|
|
8027 152 /* read next digit and reset the bitcnt */ |
|
|
8028 153 buf = X->dp[digidx--]; |
|
|
8029 154 bitcnt = (int) DIGIT_BIT; |
|
|
8030 155 \} |
|
|
8031 156 |
|
|
8032 157 /* grab the next msb from the exponent */ |
|
|
8033 158 y = (buf >> (mp_digit)(DIGIT_BIT - 1)) & 1; |
|
|
8034 159 buf <<= (mp_digit)1; |
|
|
8035 160 |
|
|
8036 161 /* if the bit is zero and mode == 0 then we ignore it |
|
|
8037 162 * These represent the leading zero bits before the first 1 bit |
|
|
8038 163 * in the exponent. Technically this opt is not required but it |
|
|
8039 164 * does lower the # of trivial squaring/reductions used |
|
|
8040 165 */ |
|
|
8041 166 if (mode == 0 && y == 0) \{ |
|
|
8042 167 continue; |
|
|
8043 168 \} |
|
|
8044 169 |
|
|
8045 170 /* if the bit is zero and mode == 1 then we square */ |
|
|
8046 171 if (mode == 1 && y == 0) \{ |
|
|
8047 172 if ((err = mp_sqr (&res, &res)) != MP_OKAY) \{ |
|
|
8048 173 goto LBL_RES; |
|
|
8049 174 \} |
|
|
8050 175 if ((err = redux (&res, P, &mu)) != MP_OKAY) \{ |
|
|
8051 176 goto LBL_RES; |
|
|
8052 177 \} |
|
|
8053 178 continue; |
|
|
8054 179 \} |
|
|
8055 180 |
|
|
8056 181 /* else we add it to the window */ |
|
|
8057 182 bitbuf |= (y << (winsize - ++bitcpy)); |
|
|
8058 183 mode = 2; |
|
|
8059 184 |
|
|
8060 185 if (bitcpy == winsize) \{ |
|
|
8061 186 /* ok window is filled so square as required and multiply */ |
|
|
8062 187 /* square first */ |
|
|
8063 188 for (x = 0; x < winsize; x++) \{ |
|
|
8064 189 if ((err = mp_sqr (&res, &res)) != MP_OKAY) \{ |
|
|
8065 190 goto LBL_RES; |
|
|
8066 191 \} |
|
|
8067 192 if ((err = redux (&res, P, &mu)) != MP_OKAY) \{ |
|
|
8068 193 goto LBL_RES; |
|
|
8069 194 \} |
|
|
8070 195 \} |
|
|
8071 196 |
|
|
8072 197 /* then multiply */ |
|
|
8073 198 if ((err = mp_mul (&res, &M[bitbuf], &res)) != MP_OKAY) \{ |
|
|
8074 199 goto LBL_RES; |
|
|
8075 200 \} |
|
|
8076 201 if ((err = redux (&res, P, &mu)) != MP_OKAY) \{ |
|
|
8077 202 goto LBL_RES; |
|
|
8078 203 \} |
|
|
8079 204 |
|
|
8080 205 /* empty window and reset */ |
|
|
8081 206 bitcpy = 0; |
|
|
8082 207 bitbuf = 0; |
|
|
8083 208 mode = 1; |
|
|
8084 209 \} |
|
|
8085 210 \} |
|
|
8086 211 |
|
|
8087 212 /* if bits remain then square/multiply */ |
|
|
8088 213 if (mode == 2 && bitcpy > 0) \{ |
|
|
8089 214 /* square then multiply if the bit is set */ |
|
|
8090 215 for (x = 0; x < bitcpy; x++) \{ |
|
|
8091 216 if ((err = mp_sqr (&res, &res)) != MP_OKAY) \{ |
|
|
8092 217 goto LBL_RES; |
|
|
8093 218 \} |
|
|
8094 219 if ((err = redux (&res, P, &mu)) != MP_OKAY) \{ |
|
|
8095 220 goto LBL_RES; |
|
|
8096 221 \} |
|
|
8097 222 |
|
|
8098 223 bitbuf <<= 1; |
|
|
8099 224 if ((bitbuf & (1 << winsize)) != 0) \{ |
|
|
8100 225 /* then multiply */ |
|
|
8101 226 if ((err = mp_mul (&res, &M[1], &res)) != MP_OKAY) \{ |
|
|
8102 227 goto LBL_RES; |
|
|
8103 228 \} |
|
|
8104 229 if ((err = redux (&res, P, &mu)) != MP_OKAY) \{ |
|
|
8105 230 goto LBL_RES; |
|
|
8106 231 \} |
|
|
8107 232 \} |
|
|
8108 233 \} |
|
|
8109 234 \} |
|
|
8110 235 |
|
|
8111 236 mp_exch (&res, Y); |
|
|
8112 237 err = MP_OKAY; |
|
|
8113 238 LBL_RES:mp_clear (&res); |
|
|
8114 239 LBL_MU:mp_clear (&mu); |
|
|
8115 240 LBL_M: |
|
|
8116 241 mp_clear(&M[1]); |
|
|
8117 242 for (x = 1<<(winsize-1); x < (1 << winsize); x++) \{ |
|
|
8118 243 mp_clear (&M[x]); |
|
|
8119 244 \} |
|
|
8120 245 return err; |
|
|
8121 246 \} |
|
|
8122 247 #endif |
|
|
8123 248 |
|
282
|
8124 \end{alltt} |
|
|
8125 \end{small} |
|
|
8126 |
|
386
|
8127 Lines 31 through 45 determine the optimal window size based on the length of the exponent in bits. The window divisions are sorted |
|
282
|
8128 from smallest to greatest so that in each \textbf{if} statement only one condition must be tested. For example, by the \textbf{if} statement |
|
386
|
8129 on line 37 the value of $x$ is already known to be greater than $140$. |
|
|
8130 |
|
|
8131 The conditional piece of code beginning on line 47 allows the window size to be restricted to five bits. This logic is used to ensure |
|
282
|
8132 the table of precomputed powers of $G$ remains relatively small. |
|
|
8133 |
|
386
|
8134 The for loop on line 60 initializes the $M$ array while lines 71 and 76 through 85 initialize the reduction |
|
|
8135 function that will be used for this modulus. |
|
282
|
8136 |
|
|
8137 -- More later. |
|
|
8138 |
|
|
8139 \section{Quick Power of Two} |
|
|
8140 Calculating $b = 2^a$ can be performed much quicker than with any of the previous algorithms. Recall that a logical shift left $m << k$ is |
|
|
8141 equivalent to $m \cdot 2^k$. By this logic when $m = 1$ a quick power of two can be achieved. |
|
|
8142 |
|
|
8143 \begin{figure}[!here] |
|
|
8144 \begin{small} |
|
|
8145 \begin{center} |
|
|
8146 \begin{tabular}{l} |
|
|
8147 \hline Algorithm \textbf{mp\_2expt}. \\ |
|
|
8148 \textbf{Input}. integer $b$ \\ |
|
|
8149 \textbf{Output}. $a \leftarrow 2^b$ \\ |
|
|
8150 \hline \\ |
|
|
8151 1. $a \leftarrow 0$ \\ |
|
|
8152 2. If $a.alloc < \lfloor b / lg(\beta) \rfloor + 1$ then grow $a$ appropriately. \\ |
|
|
8153 3. $a.used \leftarrow \lfloor b / lg(\beta) \rfloor + 1$ \\ |
|
|
8154 4. $a_{\lfloor b / lg(\beta) \rfloor} \leftarrow 1 << (b \mbox{ mod } lg(\beta))$ \\ |
|
|
8155 5. Return(\textit{MP\_OKAY}). \\ |
|
|
8156 \hline |
|
|
8157 \end{tabular} |
|
|
8158 \end{center} |
|
|
8159 \end{small} |
|
|
8160 \caption{Algorithm mp\_2expt} |
|
|
8161 \end{figure} |
|
|
8162 |
|
|
8163 \textbf{Algorithm mp\_2expt.} |
|
|
8164 |
|
|
8165 \vspace{+3mm}\begin{small} |
|
|
8166 \hspace{-5.1mm}{\bf File}: bn\_mp\_2expt.c |
|
|
8167 \vspace{-3mm} |
|
|
8168 \begin{alltt} |
|
|
8169 016 |
|
|
8170 017 /* computes a = 2**b |
|
|
8171 018 * |
|
|
8172 019 * Simple algorithm which zeroes the int, grows it then just sets one bit |
|
|
8173 020 * as required. |
|
|
8174 021 */ |
|
|
8175 022 int |
|
|
8176 023 mp_2expt (mp_int * a, int b) |
|
|
8177 024 \{ |
|
|
8178 025 int res; |
|
|
8179 026 |
|
|
8180 027 /* zero a as per default */ |
|
|
8181 028 mp_zero (a); |
|
|
8182 029 |
|
|
8183 030 /* grow a to accomodate the single bit */ |
|
|
8184 031 if ((res = mp_grow (a, b / DIGIT_BIT + 1)) != MP_OKAY) \{ |
|
|
8185 032 return res; |
|
|
8186 033 \} |
|
|
8187 034 |
|
|
8188 035 /* set the used count of where the bit will go */ |
|
|
8189 036 a->used = b / DIGIT_BIT + 1; |
|
|
8190 037 |
|
|
8191 038 /* put the single bit in its place */ |
|
|
8192 039 a->dp[b / DIGIT_BIT] = ((mp_digit)1) << (b % DIGIT_BIT); |
|
|
8193 040 |
|
|
8194 041 return MP_OKAY; |
|
|
8195 042 \} |
|
|
8196 043 #endif |
|
386
|
8197 044 |
|
282
|
8198 \end{alltt} |
|
|
8199 \end{small} |
|
|
8200 |
|
|
8201 \chapter{Higher Level Algorithms} |
|
|
8202 |
|
|
8203 This chapter discusses the various higher level algorithms that are required to complete a well rounded multiple precision integer package. These |
|
|
8204 routines are less performance oriented than the algorithms of chapters five, six and seven but are no less important. |
|
|
8205 |
|
|
8206 The first section describes a method of integer division with remainder that is universally well known. It provides the signed division logic |
|
|
8207 for the package. The subsequent section discusses a set of algorithms which allow a single digit to be the 2nd operand for a variety of operations. |
|
|
8208 These algorithms serve mostly to simplify other algorithms where small constants are required. The last two sections discuss how to manipulate |
|
|
8209 various representations of integers. For example, converting from an mp\_int to a string of character. |
|
|
8210 |
|
|
8211 \section{Integer Division with Remainder} |
|
|
8212 \label{sec:division} |
|
|
8213 |
|
|
8214 Integer division aside from modular exponentiation is the most intensive algorithm to compute. Like addition, subtraction and multiplication |
|
|
8215 the basis of this algorithm is the long-hand division algorithm taught to school children. Throughout this discussion several common variables |
|
|
8216 will be used. Let $x$ represent the divisor and $y$ represent the dividend. Let $q$ represent the integer quotient $\lfloor y / x \rfloor$ and |
|
|
8217 let $r$ represent the remainder $r = y - x \lfloor y / x \rfloor$. The following simple algorithm will be used to start the discussion. |
|
|
8218 |
|
|
8219 \newpage\begin{figure}[!here] |
|
|
8220 \begin{small} |
|
|
8221 \begin{center} |
|
|
8222 \begin{tabular}{l} |
|
|
8223 \hline Algorithm \textbf{Radix-$\beta$ Integer Division}. \\ |
|
|
8224 \textbf{Input}. integer $x$ and $y$ \\ |
|
|
8225 \textbf{Output}. $q = \lfloor y/x\rfloor, r = y - xq$ \\ |
|
|
8226 \hline \\ |
|
|
8227 1. $q \leftarrow 0$ \\ |
|
|
8228 2. $n \leftarrow \vert \vert y \vert \vert - \vert \vert x \vert \vert$ \\ |
|
|
8229 3. for $t$ from $n$ down to $0$ do \\ |
|
|
8230 \hspace{3mm}3.1 Maximize $k$ such that $kx\beta^t$ is less than or equal to $y$ and $(k + 1)x\beta^t$ is greater. \\ |
|
|
8231 \hspace{3mm}3.2 $q \leftarrow q + k\beta^t$ \\ |
|
|
8232 \hspace{3mm}3.3 $y \leftarrow y - kx\beta^t$ \\ |
|
|
8233 4. $r \leftarrow y$ \\ |
|
|
8234 5. Return($q, r$) \\ |
|
|
8235 \hline |
|
|
8236 \end{tabular} |
|
|
8237 \end{center} |
|
|
8238 \end{small} |
|
|
8239 \caption{Algorithm Radix-$\beta$ Integer Division} |
|
|
8240 \label{fig:raddiv} |
|
|
8241 \end{figure} |
|
|
8242 |
|
|
8243 As children we are taught this very simple algorithm for the case of $\beta = 10$. Almost instinctively several optimizations are taught for which |
|
|
8244 their reason of existing are never explained. For this example let $y = 5471$ represent the dividend and $x = 23$ represent the divisor. |
|
|
8245 |
|
|
8246 To find the first digit of the quotient the value of $k$ must be maximized such that $kx\beta^t$ is less than or equal to $y$ and |
|
|
8247 simultaneously $(k + 1)x\beta^t$ is greater than $y$. Implicitly $k$ is the maximum value the $t$'th digit of the quotient may have. The habitual method |
|
|
8248 used to find the maximum is to ``eyeball'' the two numbers, typically only the leading digits and quickly estimate a quotient. By only using leading |
|
|
8249 digits a much simpler division may be used to form an educated guess at what the value must be. In this case $k = \lfloor 54/23\rfloor = 2$ quickly |
|
|
8250 arises as a possible solution. Indeed $2x\beta^2 = 4600$ is less than $y = 5471$ and simultaneously $(k + 1)x\beta^2 = 6900$ is larger than $y$. |
|
|
8251 As a result $k\beta^2$ is added to the quotient which now equals $q = 200$ and $4600$ is subtracted from $y$ to give a remainder of $y = 841$. |
|
|
8252 |
|
|
8253 Again this process is repeated to produce the quotient digit $k = 3$ which makes the quotient $q = 200 + 3\beta = 230$ and the remainder |
|
|
8254 $y = 841 - 3x\beta = 181$. Finally the last iteration of the loop produces $k = 7$ which leads to the quotient $q = 230 + 7 = 237$ and the |
|
|
8255 remainder $y = 181 - 7x = 20$. The final quotient and remainder found are $q = 237$ and $r = y = 20$ which are indeed correct since |
|
|
8256 $237 \cdot 23 + 20 = 5471$ is true. |
|
|
8257 |
|
|
8258 \subsection{Quotient Estimation} |
|
|
8259 \label{sec:divest} |
|
|
8260 As alluded to earlier the quotient digit $k$ can be estimated from only the leading digits of both the divisor and dividend. When $p$ leading |
|
|
8261 digits are used from both the divisor and dividend to form an estimation the accuracy of the estimation rises as $p$ grows. Technically |
|
|
8262 speaking the estimation is based on assuming the lower $\vert \vert y \vert \vert - p$ and $\vert \vert x \vert \vert - p$ lower digits of the |
|
|
8263 dividend and divisor are zero. |
|
|
8264 |
|
|
8265 The value of the estimation may off by a few values in either direction and in general is fairly correct. A simplification \cite[pp. 271]{TAOCPV2} |
|
|
8266 of the estimation technique is to use $t + 1$ digits of the dividend and $t$ digits of the divisor, in particularly when $t = 1$. The estimate |
|
|
8267 using this technique is never too small. For the following proof let $t = \vert \vert y \vert \vert - 1$ and $s = \vert \vert x \vert \vert - 1$ |
|
|
8268 represent the most significant digits of the dividend and divisor respectively. |
|
|
8269 |
|
|
8270 \textbf{Proof.}\textit{ The quotient $\hat k = \lfloor (y_t\beta + y_{t-1}) / x_s \rfloor$ is greater than or equal to |
|
|
8271 $k = \lfloor y / (x \cdot \beta^{\vert \vert y \vert \vert - \vert \vert x \vert \vert - 1}) \rfloor$. } |
|
|
8272 The first obvious case is when $\hat k = \beta - 1$ in which case the proof is concluded since the real quotient cannot be larger. For all other |
|
|
8273 cases $\hat k = \lfloor (y_t\beta + y_{t-1}) / x_s \rfloor$ and $\hat k x_s \ge y_t\beta + y_{t-1} - x_s + 1$. The latter portion of the inequalility |
|
|
8274 $-x_s + 1$ arises from the fact that a truncated integer division will give the same quotient for at most $x_s - 1$ values. Next a series of |
|
|
8275 inequalities will prove the hypothesis. |
|
|
8276 |
|
|
8277 \begin{equation} |
|
|
8278 y - \hat k x \le y - \hat k x_s\beta^s |
|
|
8279 \end{equation} |
|
|
8280 |
|
|
8281 This is trivially true since $x \ge x_s\beta^s$. Next we replace $\hat kx_s\beta^s$ by the previous inequality for $\hat kx_s$. |
|
|
8282 |
|
|
8283 \begin{equation} |
|
|
8284 y - \hat k x \le y_t\beta^t + \ldots + y_0 - (y_t\beta^t + y_{t-1}\beta^{t-1} - x_s\beta^t + \beta^s) |
|
|
8285 \end{equation} |
|
|
8286 |
|
|
8287 By simplifying the previous inequality the following inequality is formed. |
|
|
8288 |
|
|
8289 \begin{equation} |
|
|
8290 y - \hat k x \le y_{t-2}\beta^{t-2} + \ldots + y_0 + x_s\beta^s - \beta^s |
|
|
8291 \end{equation} |
|
|
8292 |
|
|
8293 Subsequently, |
|
|
8294 |
|
|
8295 \begin{equation} |
|
|
8296 y_{t-2}\beta^{t-2} + \ldots + y_0 + x_s\beta^s - \beta^s < x_s\beta^s \le x |
|
|
8297 \end{equation} |
|
|
8298 |
|
|
8299 Which proves that $y - \hat kx \le x$ and by consequence $\hat k \ge k$ which concludes the proof. \textbf{QED} |
|
|
8300 |
|
|
8301 |
|
|
8302 \subsection{Normalized Integers} |
|
|
8303 For the purposes of division a normalized input is when the divisors leading digit $x_n$ is greater than or equal to $\beta / 2$. By multiplying both |
|
|
8304 $x$ and $y$ by $j = \lfloor (\beta / 2) / x_n \rfloor$ the quotient remains unchanged and the remainder is simply $j$ times the original |
|
|
8305 remainder. The purpose of normalization is to ensure the leading digit of the divisor is sufficiently large such that the estimated quotient will |
|
|
8306 lie in the domain of a single digit. Consider the maximum dividend $(\beta - 1) \cdot \beta + (\beta - 1)$ and the minimum divisor $\beta / 2$. |
|
|
8307 |
|
|
8308 \begin{equation} |
|
|
8309 {{\beta^2 - 1} \over { \beta / 2}} \le 2\beta - {2 \over \beta} |
|
|
8310 \end{equation} |
|
|
8311 |
|
|
8312 At most the quotient approaches $2\beta$, however, in practice this will not occur since that would imply the previous quotient digit was too small. |
|
|
8313 |
|
|
8314 \subsection{Radix-$\beta$ Division with Remainder} |
|
|
8315 \newpage\begin{figure}[!here] |
|
|
8316 \begin{small} |
|
|
8317 \begin{center} |
|
|
8318 \begin{tabular}{l} |
|
|
8319 \hline Algorithm \textbf{mp\_div}. \\ |
|
|
8320 \textbf{Input}. mp\_int $a, b$ \\ |
|
|
8321 \textbf{Output}. $c = \lfloor a/b \rfloor$, $d = a - bc$ \\ |
|
|
8322 \hline \\ |
|
|
8323 1. If $b = 0$ return(\textit{MP\_VAL}). \\ |
|
|
8324 2. If $\vert a \vert < \vert b \vert$ then do \\ |
|
|
8325 \hspace{3mm}2.1 $d \leftarrow a$ \\ |
|
|
8326 \hspace{3mm}2.2 $c \leftarrow 0$ \\ |
|
|
8327 \hspace{3mm}2.3 Return(\textit{MP\_OKAY}). \\ |
|
|
8328 \\ |
|
|
8329 Setup the quotient to receive the digits. \\ |
|
|
8330 3. Grow $q$ to $a.used + 2$ digits. \\ |
|
|
8331 4. $q \leftarrow 0$ \\ |
|
|
8332 5. $x \leftarrow \vert a \vert , y \leftarrow \vert b \vert$ \\ |
|
|
8333 6. $sign \leftarrow \left \lbrace \begin{array}{ll} |
|
|
8334 MP\_ZPOS & \mbox{if }a.sign = b.sign \\ |
|
|
8335 MP\_NEG & \mbox{otherwise} \\ |
|
|
8336 \end{array} \right .$ \\ |
|
|
8337 \\ |
|
|
8338 Normalize the inputs such that the leading digit of $y$ is greater than or equal to $\beta / 2$. \\ |
|
|
8339 7. $norm \leftarrow (lg(\beta) - 1) - (\lceil lg(y) \rceil \mbox{ (mod }lg(\beta)\mbox{)})$ \\ |
|
|
8340 8. $x \leftarrow x \cdot 2^{norm}, y \leftarrow y \cdot 2^{norm}$ \\ |
|
|
8341 \\ |
|
|
8342 Find the leading digit of the quotient. \\ |
|
|
8343 9. $n \leftarrow x.used - 1, t \leftarrow y.used - 1$ \\ |
|
|
8344 10. $y \leftarrow y \cdot \beta^{n - t}$ \\ |
|
|
8345 11. While ($x \ge y$) do \\ |
|
|
8346 \hspace{3mm}11.1 $q_{n - t} \leftarrow q_{n - t} + 1$ \\ |
|
|
8347 \hspace{3mm}11.2 $x \leftarrow x - y$ \\ |
|
|
8348 12. $y \leftarrow \lfloor y / \beta^{n-t} \rfloor$ \\ |
|
|
8349 \\ |
|
|
8350 Continued on the next page. \\ |
|
|
8351 \hline |
|
|
8352 \end{tabular} |
|
|
8353 \end{center} |
|
|
8354 \end{small} |
|
|
8355 \caption{Algorithm mp\_div} |
|
|
8356 \end{figure} |
|
|
8357 |
|
|
8358 \newpage\begin{figure}[!here] |
|
|
8359 \begin{small} |
|
|
8360 \begin{center} |
|
|
8361 \begin{tabular}{l} |
|
|
8362 \hline Algorithm \textbf{mp\_div} (continued). \\ |
|
|
8363 \textbf{Input}. mp\_int $a, b$ \\ |
|
|
8364 \textbf{Output}. $c = \lfloor a/b \rfloor$, $d = a - bc$ \\ |
|
|
8365 \hline \\ |
|
|
8366 Now find the remainder fo the digits. \\ |
|
|
8367 13. for $i$ from $n$ down to $(t + 1)$ do \\ |
|
|
8368 \hspace{3mm}13.1 If $i > x.used$ then jump to the next iteration of this loop. \\ |
|
|
8369 \hspace{3mm}13.2 If $x_{i} = y_{t}$ then \\ |
|
|
8370 \hspace{6mm}13.2.1 $q_{i - t - 1} \leftarrow \beta - 1$ \\ |
|
|
8371 \hspace{3mm}13.3 else \\ |
|
|
8372 \hspace{6mm}13.3.1 $\hat r \leftarrow x_{i} \cdot \beta + x_{i - 1}$ \\ |
|
|
8373 \hspace{6mm}13.3.2 $\hat r \leftarrow \lfloor \hat r / y_{t} \rfloor$ \\ |
|
|
8374 \hspace{6mm}13.3.3 $q_{i - t - 1} \leftarrow \hat r$ \\ |
|
|
8375 \hspace{3mm}13.4 $q_{i - t - 1} \leftarrow q_{i - t - 1} + 1$ \\ |
|
|
8376 \\ |
|
|
8377 Fixup quotient estimation. \\ |
|
|
8378 \hspace{3mm}13.5 Loop \\ |
|
|
8379 \hspace{6mm}13.5.1 $q_{i - t - 1} \leftarrow q_{i - t - 1} - 1$ \\ |
|
|
8380 \hspace{6mm}13.5.2 t$1 \leftarrow 0$ \\ |
|
|
8381 \hspace{6mm}13.5.3 t$1_0 \leftarrow y_{t - 1}, $ t$1_1 \leftarrow y_t,$ t$1.used \leftarrow 2$ \\ |
|
|
8382 \hspace{6mm}13.5.4 $t1 \leftarrow t1 \cdot q_{i - t - 1}$ \\ |
|
|
8383 \hspace{6mm}13.5.5 t$2_0 \leftarrow x_{i - 2}, $ t$2_1 \leftarrow x_{i - 1}, $ t$2_2 \leftarrow x_i, $ t$2.used \leftarrow 3$ \\ |
|
|
8384 \hspace{6mm}13.5.6 If $\vert t1 \vert > \vert t2 \vert$ then goto step 13.5. \\ |
|
|
8385 \hspace{3mm}13.6 t$1 \leftarrow y \cdot q_{i - t - 1}$ \\ |
|
|
8386 \hspace{3mm}13.7 t$1 \leftarrow $ t$1 \cdot \beta^{i - t - 1}$ \\ |
|
|
8387 \hspace{3mm}13.8 $x \leftarrow x - $ t$1$ \\ |
|
|
8388 \hspace{3mm}13.9 If $x.sign = MP\_NEG$ then \\ |
|
|
8389 \hspace{6mm}13.10 t$1 \leftarrow y$ \\ |
|
|
8390 \hspace{6mm}13.11 t$1 \leftarrow $ t$1 \cdot \beta^{i - t - 1}$ \\ |
|
|
8391 \hspace{6mm}13.12 $x \leftarrow x + $ t$1$ \\ |
|
|
8392 \hspace{6mm}13.13 $q_{i - t - 1} \leftarrow q_{i - t - 1} - 1$ \\ |
|
|
8393 \\ |
|
|
8394 Finalize the result. \\ |
|
|
8395 14. Clamp excess digits of $q$ \\ |
|
|
8396 15. $c \leftarrow q, c.sign \leftarrow sign$ \\ |
|
|
8397 16. $x.sign \leftarrow a.sign$ \\ |
|
|
8398 17. $d \leftarrow \lfloor x / 2^{norm} \rfloor$ \\ |
|
|
8399 18. Return(\textit{MP\_OKAY}). \\ |
|
|
8400 \hline |
|
|
8401 \end{tabular} |
|
|
8402 \end{center} |
|
|
8403 \end{small} |
|
|
8404 \caption{Algorithm mp\_div (continued)} |
|
|
8405 \end{figure} |
|
|
8406 \textbf{Algorithm mp\_div.} |
|
|
8407 This algorithm will calculate quotient and remainder from an integer division given a dividend and divisor. The algorithm is a signed |
|
|
8408 division and will produce a fully qualified quotient and remainder. |
|
|
8409 |
|
|
8410 First the divisor $b$ must be non-zero which is enforced in step one. If the divisor is larger than the dividend than the quotient is implicitly |
|
|
8411 zero and the remainder is the dividend. |
|
|
8412 |
|
|
8413 After the first two trivial cases of inputs are handled the variable $q$ is setup to receive the digits of the quotient. Two unsigned copies of the |
|
|
8414 divisor $y$ and dividend $x$ are made as well. The core of the division algorithm is an unsigned division and will only work if the values are |
|
|
8415 positive. Now the two values $x$ and $y$ must be normalized such that the leading digit of $y$ is greater than or equal to $\beta / 2$. |
|
|
8416 This is performed by shifting both to the left by enough bits to get the desired normalization. |
|
|
8417 |
|
|
8418 At this point the division algorithm can begin producing digits of the quotient. Recall that maximum value of the estimation used is |
|
|
8419 $2\beta - {2 \over \beta}$ which means that a digit of the quotient must be first produced by another means. In this case $y$ is shifted |
|
|
8420 to the left (\textit{step ten}) so that it has the same number of digits as $x$. The loop on step eleven will subtract multiples of the |
|
|
8421 shifted copy of $y$ until $x$ is smaller. Since the leading digit of $y$ is greater than or equal to $\beta/2$ this loop will iterate at most two |
|
|
8422 times to produce the desired leading digit of the quotient. |
|
|
8423 |
|
|
8424 Now the remainder of the digits can be produced. The equation $\hat q = \lfloor {{x_i \beta + x_{i-1}}\over y_t} \rfloor$ is used to fairly |
|
|
8425 accurately approximate the true quotient digit. The estimation can in theory produce an estimation as high as $2\beta - {2 \over \beta}$ but by |
|
|
8426 induction the upper quotient digit is correct (\textit{as established on step eleven}) and the estimate must be less than $\beta$. |
|
|
8427 |
|
|
8428 Recall from section~\ref{sec:divest} that the estimation is never too low but may be too high. The next step of the estimation process is |
|
|
8429 to refine the estimation. The loop on step 13.5 uses $x_i\beta^2 + x_{i-1}\beta + x_{i-2}$ and $q_{i - t - 1}(y_t\beta + y_{t-1})$ as a higher |
|
|
8430 order approximation to adjust the quotient digit. |
|
|
8431 |
|
|
8432 After both phases of estimation the quotient digit may still be off by a value of one\footnote{This is similar to the error introduced |
|
|
8433 by optimizing Barrett reduction.}. Steps 13.6 and 13.7 subtract the multiple of the divisor from the dividend (\textit{Similar to step 3.3 of |
|
|
8434 algorithm~\ref{fig:raddiv}} and then subsequently add a multiple of the divisor if the quotient was too large. |
|
|
8435 |
|
|
8436 Now that the quotient has been determine finializing the result is a matter of clamping the quotient, fixing the sizes and de-normalizing the |
|
|
8437 remainder. An important aspect of this algorithm seemingly overlooked in other descriptions such as that of Algorithm 14.20 HAC \cite[pp. 598]{HAC} |
|
|
8438 is that when the estimations are being made (\textit{inside the loop on step 13.5}) that the digits $y_{t-1}$, $x_{i-2}$ and $x_{i-1}$ may lie |
|
|
8439 outside their respective boundaries. For example, if $t = 0$ or $i \le 1$ then the digits would be undefined. In those cases the digits should |
|
|
8440 respectively be replaced with a zero. |
|
|
8441 |
|
|
8442 \vspace{+3mm}\begin{small} |
|
|
8443 \hspace{-5.1mm}{\bf File}: bn\_mp\_div.c |
|
|
8444 \vspace{-3mm} |
|
|
8445 \begin{alltt} |
|
|
8446 016 |
|
|
8447 017 #ifdef BN_MP_DIV_SMALL |
|
|
8448 018 |
|
|
8449 019 /* slower bit-bang division... also smaller */ |
|
|
8450 020 int mp_div(mp_int * a, mp_int * b, mp_int * c, mp_int * d) |
|
|
8451 021 \{ |
|
|
8452 022 mp_int ta, tb, tq, q; |
|
|
8453 023 int res, n, n2; |
|
|
8454 024 |
|
|
8455 025 /* is divisor zero ? */ |
|
|
8456 026 if (mp_iszero (b) == 1) \{ |
|
|
8457 027 return MP_VAL; |
|
|
8458 028 \} |
|
|
8459 029 |
|
|
8460 030 /* if a < b then q=0, r = a */ |
|
|
8461 031 if (mp_cmp_mag (a, b) == MP_LT) \{ |
|
|
8462 032 if (d != NULL) \{ |
|
|
8463 033 res = mp_copy (a, d); |
|
|
8464 034 \} else \{ |
|
|
8465 035 res = MP_OKAY; |
|
|
8466 036 \} |
|
|
8467 037 if (c != NULL) \{ |
|
|
8468 038 mp_zero (c); |
|
|
8469 039 \} |
|
|
8470 040 return res; |
|
|
8471 041 \} |
|
|
8472 042 |
|
|
8473 043 /* init our temps */ |
|
|
8474 044 if ((res = mp_init_multi(&ta, &tb, &tq, &q, NULL) != MP_OKAY)) \{ |
|
|
8475 045 return res; |
|
|
8476 046 \} |
|
|
8477 047 |
|
|
8478 048 |
|
|
8479 049 mp_set(&tq, 1); |
|
|
8480 050 n = mp_count_bits(a) - mp_count_bits(b); |
|
|
8481 051 if (((res = mp_abs(a, &ta)) != MP_OKAY) || |
|
|
8482 052 ((res = mp_abs(b, &tb)) != MP_OKAY) || |
|
|
8483 053 ((res = mp_mul_2d(&tb, n, &tb)) != MP_OKAY) || |
|
|
8484 054 ((res = mp_mul_2d(&tq, n, &tq)) != MP_OKAY)) \{ |
|
|
8485 055 goto LBL_ERR; |
|
|
8486 056 \} |
|
|
8487 057 |
|
|
8488 058 while (n-- >= 0) \{ |
|
|
8489 059 if (mp_cmp(&tb, &ta) != MP_GT) \{ |
|
|
8490 060 if (((res = mp_sub(&ta, &tb, &ta)) != MP_OKAY) || |
|
|
8491 061 ((res = mp_add(&q, &tq, &q)) != MP_OKAY)) \{ |
|
|
8492 062 goto LBL_ERR; |
|
|
8493 063 \} |
|
|
8494 064 \} |
|
|
8495 065 if (((res = mp_div_2d(&tb, 1, &tb, NULL)) != MP_OKAY) || |
|
|
8496 066 ((res = mp_div_2d(&tq, 1, &tq, NULL)) != MP_OKAY)) \{ |
|
|
8497 067 goto LBL_ERR; |
|
|
8498 068 \} |
|
|
8499 069 \} |
|
|
8500 070 |
|
|
8501 071 /* now q == quotient and ta == remainder */ |
|
|
8502 072 n = a->sign; |
|
|
8503 073 n2 = (a->sign == b->sign ? MP_ZPOS : MP_NEG); |
|
|
8504 074 if (c != NULL) \{ |
|
|
8505 075 mp_exch(c, &q); |
|
|
8506 076 c->sign = (mp_iszero(c) == MP_YES) ? MP_ZPOS : n2; |
|
|
8507 077 \} |
|
|
8508 078 if (d != NULL) \{ |
|
|
8509 079 mp_exch(d, &ta); |
|
|
8510 080 d->sign = (mp_iszero(d) == MP_YES) ? MP_ZPOS : n; |
|
|
8511 081 \} |
|
|
8512 082 LBL_ERR: |
|
|
8513 083 mp_clear_multi(&ta, &tb, &tq, &q, NULL); |
|
|
8514 084 return res; |
|
|
8515 085 \} |
|
|
8516 086 |
|
|
8517 087 #else |
|
|
8518 088 |
|
|
8519 089 /* integer signed division. |
|
|
8520 090 * c*b + d == a [e.g. a/b, c=quotient, d=remainder] |
|
|
8521 091 * HAC pp.598 Algorithm 14.20 |
|
|
8522 092 * |
|
|
8523 093 * Note that the description in HAC is horribly |
|
|
8524 094 * incomplete. For example, it doesn't consider |
|
|
8525 095 * the case where digits are removed from 'x' in |
|
|
8526 096 * the inner loop. It also doesn't consider the |
|
|
8527 097 * case that y has fewer than three digits, etc.. |
|
|
8528 098 * |
|
|
8529 099 * The overall algorithm is as described as |
|
|
8530 100 * 14.20 from HAC but fixed to treat these cases. |
|
|
8531 101 */ |
|
|
8532 102 int mp_div (mp_int * a, mp_int * b, mp_int * c, mp_int * d) |
|
|
8533 103 \{ |
|
|
8534 104 mp_int q, x, y, t1, t2; |
|
|
8535 105 int res, n, t, i, norm, neg; |
|
|
8536 106 |
|
|
8537 107 /* is divisor zero ? */ |
|
|
8538 108 if (mp_iszero (b) == 1) \{ |
|
|
8539 109 return MP_VAL; |
|
|
8540 110 \} |
|
|
8541 111 |
|
|
8542 112 /* if a < b then q=0, r = a */ |
|
|
8543 113 if (mp_cmp_mag (a, b) == MP_LT) \{ |
|
|
8544 114 if (d != NULL) \{ |
|
|
8545 115 res = mp_copy (a, d); |
|
|
8546 116 \} else \{ |
|
|
8547 117 res = MP_OKAY; |
|
|
8548 118 \} |
|
|
8549 119 if (c != NULL) \{ |
|
|
8550 120 mp_zero (c); |
|
|
8551 121 \} |
|
|
8552 122 return res; |
|
|
8553 123 \} |
|
|
8554 124 |
|
|
8555 125 if ((res = mp_init_size (&q, a->used + 2)) != MP_OKAY) \{ |
|
|
8556 126 return res; |
|
|
8557 127 \} |
|
|
8558 128 q.used = a->used + 2; |
|
|
8559 129 |
|
|
8560 130 if ((res = mp_init (&t1)) != MP_OKAY) \{ |
|
|
8561 131 goto LBL_Q; |
|
|
8562 132 \} |
|
|
8563 133 |
|
|
8564 134 if ((res = mp_init (&t2)) != MP_OKAY) \{ |
|
|
8565 135 goto LBL_T1; |
|
|
8566 136 \} |
|
|
8567 137 |
|
|
8568 138 if ((res = mp_init_copy (&x, a)) != MP_OKAY) \{ |
|
|
8569 139 goto LBL_T2; |
|
|
8570 140 \} |
|
|
8571 141 |
|
|
8572 142 if ((res = mp_init_copy (&y, b)) != MP_OKAY) \{ |
|
|
8573 143 goto LBL_X; |
|
|
8574 144 \} |
|
|
8575 145 |
|
|
8576 146 /* fix the sign */ |
|
|
8577 147 neg = (a->sign == b->sign) ? MP_ZPOS : MP_NEG; |
|
|
8578 148 x.sign = y.sign = MP_ZPOS; |
|
|
8579 149 |
|
|
8580 150 /* normalize both x and y, ensure that y >= b/2, [b == 2**DIGIT_BIT] */ |
|
|
8581 151 norm = mp_count_bits(&y) % DIGIT_BIT; |
|
|
8582 152 if (norm < (int)(DIGIT_BIT-1)) \{ |
|
|
8583 153 norm = (DIGIT_BIT-1) - norm; |
|
|
8584 154 if ((res = mp_mul_2d (&x, norm, &x)) != MP_OKAY) \{ |
|
|
8585 155 goto LBL_Y; |
|
|
8586 156 \} |
|
|
8587 157 if ((res = mp_mul_2d (&y, norm, &y)) != MP_OKAY) \{ |
|
|
8588 158 goto LBL_Y; |
|
|
8589 159 \} |
|
|
8590 160 \} else \{ |
|
|
8591 161 norm = 0; |
|
|
8592 162 \} |
|
|
8593 163 |
|
|
8594 164 /* note hac does 0 based, so if used==5 then its 0,1,2,3,4, e.g. use 4 */ |
|
|
8595 165 n = x.used - 1; |
|
|
8596 166 t = y.used - 1; |
|
|
8597 167 |
|
|
8598 168 /* while (x >= y*b**n-t) do \{ q[n-t] += 1; x -= y*b**\{n-t\} \} */ |
|
|
8599 169 if ((res = mp_lshd (&y, n - t)) != MP_OKAY) \{ /* y = y*b**\{n-t\} */ |
|
|
8600 170 goto LBL_Y; |
|
|
8601 171 \} |
|
|
8602 172 |
|
|
8603 173 while (mp_cmp (&x, &y) != MP_LT) \{ |
|
|
8604 174 ++(q.dp[n - t]); |
|
|
8605 175 if ((res = mp_sub (&x, &y, &x)) != MP_OKAY) \{ |
|
|
8606 176 goto LBL_Y; |
|
|
8607 177 \} |
|
|
8608 178 \} |
|
|
8609 179 |
|
|
8610 180 /* reset y by shifting it back down */ |
|
|
8611 181 mp_rshd (&y, n - t); |
|
|
8612 182 |
|
|
8613 183 /* step 3. for i from n down to (t + 1) */ |
|
|
8614 184 for (i = n; i >= (t + 1); i--) \{ |
|
|
8615 185 if (i > x.used) \{ |
|
|
8616 186 continue; |
|
|
8617 187 \} |
|
|
8618 188 |
|
|
8619 189 /* step 3.1 if xi == yt then set q\{i-t-1\} to b-1, |
|
|
8620 190 * otherwise set q\{i-t-1\} to (xi*b + x\{i-1\})/yt */ |
|
|
8621 191 if (x.dp[i] == y.dp[t]) \{ |
|
|
8622 192 q.dp[i - t - 1] = ((((mp_digit)1) << DIGIT_BIT) - 1); |
|
|
8623 193 \} else \{ |
|
|
8624 194 mp_word tmp; |
|
|
8625 195 tmp = ((mp_word) x.dp[i]) << ((mp_word) DIGIT_BIT); |
|
|
8626 196 tmp |= ((mp_word) x.dp[i - 1]); |
|
|
8627 197 tmp /= ((mp_word) y.dp[t]); |
|
|
8628 198 if (tmp > (mp_word) MP_MASK) |
|
|
8629 199 tmp = MP_MASK; |
|
|
8630 200 q.dp[i - t - 1] = (mp_digit) (tmp & (mp_word) (MP_MASK)); |
|
|
8631 201 \} |
|
|
8632 202 |
|
|
8633 203 /* while (q\{i-t-1\} * (yt * b + y\{t-1\})) > |
|
|
8634 204 xi * b**2 + xi-1 * b + xi-2 |
|
|
8635 205 |
|
|
8636 206 do q\{i-t-1\} -= 1; |
|
|
8637 207 */ |
|
|
8638 208 q.dp[i - t - 1] = (q.dp[i - t - 1] + 1) & MP_MASK; |
|
|
8639 209 do \{ |
|
|
8640 210 q.dp[i - t - 1] = (q.dp[i - t - 1] - 1) & MP_MASK; |
|
|
8641 211 |
|
|
8642 212 /* find left hand */ |
|
|
8643 213 mp_zero (&t1); |
|
|
8644 214 t1.dp[0] = (t - 1 < 0) ? 0 : y.dp[t - 1]; |
|
|
8645 215 t1.dp[1] = y.dp[t]; |
|
|
8646 216 t1.used = 2; |
|
|
8647 217 if ((res = mp_mul_d (&t1, q.dp[i - t - 1], &t1)) != MP_OKAY) \{ |
|
|
8648 218 goto LBL_Y; |
|
|
8649 219 \} |
|
|
8650 220 |
|
|
8651 221 /* find right hand */ |
|
|
8652 222 t2.dp[0] = (i - 2 < 0) ? 0 : x.dp[i - 2]; |
|
|
8653 223 t2.dp[1] = (i - 1 < 0) ? 0 : x.dp[i - 1]; |
|
|
8654 224 t2.dp[2] = x.dp[i]; |
|
|
8655 225 t2.used = 3; |
|
|
8656 226 \} while (mp_cmp_mag(&t1, &t2) == MP_GT); |
|
|
8657 227 |
|
|
8658 228 /* step 3.3 x = x - q\{i-t-1\} * y * b**\{i-t-1\} */ |
|
|
8659 229 if ((res = mp_mul_d (&y, q.dp[i - t - 1], &t1)) != MP_OKAY) \{ |
|
|
8660 230 goto LBL_Y; |
|
|
8661 231 \} |
|
|
8662 232 |
|
|
8663 233 if ((res = mp_lshd (&t1, i - t - 1)) != MP_OKAY) \{ |
|
|
8664 234 goto LBL_Y; |
|
|
8665 235 \} |
|
|
8666 236 |
|
|
8667 237 if ((res = mp_sub (&x, &t1, &x)) != MP_OKAY) \{ |
|
|
8668 238 goto LBL_Y; |
|
|
8669 239 \} |
|
|
8670 240 |
|
|
8671 241 /* if x < 0 then \{ x = x + y*b**\{i-t-1\}; q\{i-t-1\} -= 1; \} */ |
|
|
8672 242 if (x.sign == MP_NEG) \{ |
|
|
8673 243 if ((res = mp_copy (&y, &t1)) != MP_OKAY) \{ |
|
|
8674 244 goto LBL_Y; |
|
|
8675 245 \} |
|
|
8676 246 if ((res = mp_lshd (&t1, i - t - 1)) != MP_OKAY) \{ |
|
|
8677 247 goto LBL_Y; |
|
|
8678 248 \} |
|
|
8679 249 if ((res = mp_add (&x, &t1, &x)) != MP_OKAY) \{ |
|
|
8680 250 goto LBL_Y; |
|
|
8681 251 \} |
|
|
8682 252 |
|
|
8683 253 q.dp[i - t - 1] = (q.dp[i - t - 1] - 1UL) & MP_MASK; |
|
|
8684 254 \} |
|
|
8685 255 \} |
|
|
8686 256 |
|
|
8687 257 /* now q is the quotient and x is the remainder |
|
|
8688 258 * [which we have to normalize] |
|
|
8689 259 */ |
|
|
8690 260 |
|
|
8691 261 /* get sign before writing to c */ |
|
|
8692 262 x.sign = x.used == 0 ? MP_ZPOS : a->sign; |
|
|
8693 263 |
|
|
8694 264 if (c != NULL) \{ |
|
|
8695 265 mp_clamp (&q); |
|
|
8696 266 mp_exch (&q, c); |
|
|
8697 267 c->sign = neg; |
|
|
8698 268 \} |
|
|
8699 269 |
|
|
8700 270 if (d != NULL) \{ |
|
|
8701 271 mp_div_2d (&x, norm, &x, NULL); |
|
|
8702 272 mp_exch (&x, d); |
|
|
8703 273 \} |
|
|
8704 274 |
|
|
8705 275 res = MP_OKAY; |
|
|
8706 276 |
|
|
8707 277 LBL_Y:mp_clear (&y); |
|
|
8708 278 LBL_X:mp_clear (&x); |
|
|
8709 279 LBL_T2:mp_clear (&t2); |
|
|
8710 280 LBL_T1:mp_clear (&t1); |
|
|
8711 281 LBL_Q:mp_clear (&q); |
|
|
8712 282 return res; |
|
|
8713 283 \} |
|
|
8714 284 |
|
|
8715 285 #endif |
|
|
8716 286 |
|
|
8717 287 #endif |
|
386
|
8718 288 |
|
282
|
8719 \end{alltt} |
|
|
8720 \end{small} |
|
|
8721 |
|
|
8722 The implementation of this algorithm differs slightly from the pseudo code presented previously. In this algorithm either of the quotient $c$ or |
|
|
8723 remainder $d$ may be passed as a \textbf{NULL} pointer which indicates their value is not desired. For example, the C code to call the division |
|
|
8724 algorithm with only the quotient is |
|
|
8725 |
|
|
8726 \begin{verbatim} |
|
|
8727 mp_div(&a, &b, &c, NULL); /* c = [a/b] */ |
|
|
8728 \end{verbatim} |
|
|
8729 |
|
386
|
8730 Lines 108 and 113 handle the two trivial cases of inputs which are division by zero and dividend smaller than the divisor |
|
|
8731 respectively. After the two trivial cases all of the temporary variables are initialized. Line 147 determines the sign of |
|
|
8732 the quotient and line 148 ensures that both $x$ and $y$ are positive. |
|
|
8733 |
|
|
8734 The number of bits in the leading digit is calculated on line 151. Implictly an mp\_int with $r$ digits will require $lg(\beta)(r-1) + k$ bits |
|
282
|
8735 of precision which when reduced modulo $lg(\beta)$ produces the value of $k$. In this case $k$ is the number of bits in the leading digit which is |
|
|
8736 exactly what is required. For the algorithm to operate $k$ must equal $lg(\beta) - 1$ and when it does not the inputs must be normalized by shifting |
|
|
8737 them to the left by $lg(\beta) - 1 - k$ bits. |
|
|
8738 |
|
|
8739 Throughout the variables $n$ and $t$ will represent the highest digit of $x$ and $y$ respectively. These are first used to produce the |
|
386
|
8740 leading digit of the quotient. The loop beginning on line 184 will produce the remainder of the quotient digits. |
|
|
8741 |
|
|
8742 The conditional ``continue'' on line 186 is used to prevent the algorithm from reading past the leading edge of $x$ which can occur when the |
|
282
|
8743 algorithm eliminates multiple non-zero digits in a single iteration. This ensures that $x_i$ is always non-zero since by definition the digits |
|
|
8744 above the $i$'th position $x$ must be zero in order for the quotient to be precise\footnote{Precise as far as integer division is concerned.}. |
|
|
8745 |
|
386
|
8746 Lines 214, 216 and 222 through 225 manually construct the high accuracy estimations by setting the digits of the two mp\_int |
|
282
|
8747 variables directly. |
|
|
8748 |
|
|
8749 \section{Single Digit Helpers} |
|
|
8750 |
|
|
8751 This section briefly describes a series of single digit helper algorithms which come in handy when working with small constants. All of |
|
|
8752 the helper functions assume the single digit input is positive and will treat them as such. |
|
|
8753 |
|
|
8754 \subsection{Single Digit Addition and Subtraction} |
|
|
8755 |
|
|
8756 Both addition and subtraction are performed by ``cheating'' and using mp\_set followed by the higher level addition or subtraction |
|
|
8757 algorithms. As a result these algorithms are subtantially simpler with a slight cost in performance. |
|
|
8758 |
|
|
8759 \newpage\begin{figure}[!here] |
|
|
8760 \begin{small} |
|
|
8761 \begin{center} |
|
|
8762 \begin{tabular}{l} |
|
|
8763 \hline Algorithm \textbf{mp\_add\_d}. \\ |
|
|
8764 \textbf{Input}. mp\_int $a$ and a mp\_digit $b$ \\ |
|
|
8765 \textbf{Output}. $c = a + b$ \\ |
|
|
8766 \hline \\ |
|
|
8767 1. $t \leftarrow b$ (\textit{mp\_set}) \\ |
|
|
8768 2. $c \leftarrow a + t$ \\ |
|
|
8769 3. Return(\textit{MP\_OKAY}) \\ |
|
|
8770 \hline |
|
|
8771 \end{tabular} |
|
|
8772 \end{center} |
|
|
8773 \end{small} |
|
|
8774 \caption{Algorithm mp\_add\_d} |
|
|
8775 \end{figure} |
|
|
8776 |
|
|
8777 \textbf{Algorithm mp\_add\_d.} |
|
|
8778 This algorithm initiates a temporary mp\_int with the value of the single digit and uses algorithm mp\_add to add the two values together. |
|
|
8779 |
|
|
8780 \vspace{+3mm}\begin{small} |
|
|
8781 \hspace{-5.1mm}{\bf File}: bn\_mp\_add\_d.c |
|
|
8782 \vspace{-3mm} |
|
|
8783 \begin{alltt} |
|
|
8784 016 |
|
|
8785 017 /* single digit addition */ |
|
|
8786 018 int |
|
|
8787 019 mp_add_d (mp_int * a, mp_digit b, mp_int * c) |
|
|
8788 020 \{ |
|
|
8789 021 int res, ix, oldused; |
|
|
8790 022 mp_digit *tmpa, *tmpc, mu; |
|
|
8791 023 |
|
|
8792 024 /* grow c as required */ |
|
|
8793 025 if (c->alloc < a->used + 1) \{ |
|
|
8794 026 if ((res = mp_grow(c, a->used + 1)) != MP_OKAY) \{ |
|
|
8795 027 return res; |
|
|
8796 028 \} |
|
|
8797 029 \} |
|
|
8798 030 |
|
|
8799 031 /* if a is negative and |a| >= b, call c = |a| - b */ |
|
|
8800 032 if (a->sign == MP_NEG && (a->used > 1 || a->dp[0] >= b)) \{ |
|
|
8801 033 /* temporarily fix sign of a */ |
|
|
8802 034 a->sign = MP_ZPOS; |
|
|
8803 035 |
|
|
8804 036 /* c = |a| - b */ |
|
|
8805 037 res = mp_sub_d(a, b, c); |
|
|
8806 038 |
|
|
8807 039 /* fix sign */ |
|
|
8808 040 a->sign = c->sign = MP_NEG; |
|
|
8809 041 |
|
386
|
8810 042 /* clamp */ |
|
|
8811 043 mp_clamp(c); |
|
282
|
8812 044 |
|
386
|
8813 045 return res; |
|
|
8814 046 \} |
|
282
|
8815 047 |
|
386
|
8816 048 /* old number of used digits in c */ |
|
|
8817 049 oldused = c->used; |
|
282
|
8818 050 |
|
386
|
8819 051 /* sign always positive */ |
|
|
8820 052 c->sign = MP_ZPOS; |
|
282
|
8821 053 |
|
386
|
8822 054 /* source alias */ |
|
|
8823 055 tmpa = a->dp; |
|
282
|
8824 056 |
|
386
|
8825 057 /* destination alias */ |
|
|
8826 058 tmpc = c->dp; |
|
|
8827 059 |
|
|
8828 060 /* if a is positive */ |
|
|
8829 061 if (a->sign == MP_ZPOS) \{ |
|
|
8830 062 /* add digit, after this we're propagating |
|
|
8831 063 * the carry. |
|
|
8832 064 */ |
|
|
8833 065 *tmpc = *tmpa++ + b; |
|
|
8834 066 mu = *tmpc >> DIGIT_BIT; |
|
|
8835 067 *tmpc++ &= MP_MASK; |
|
|
8836 068 |
|
|
8837 069 /* now handle rest of the digits */ |
|
|
8838 070 for (ix = 1; ix < a->used; ix++) \{ |
|
|
8839 071 *tmpc = *tmpa++ + mu; |
|
|
8840 072 mu = *tmpc >> DIGIT_BIT; |
|
|
8841 073 *tmpc++ &= MP_MASK; |
|
|
8842 074 \} |
|
|
8843 075 /* set final carry */ |
|
|
8844 076 ix++; |
|
|
8845 077 *tmpc++ = mu; |
|
|
8846 078 |
|
|
8847 079 /* setup size */ |
|
|
8848 080 c->used = a->used + 1; |
|
|
8849 081 \} else \{ |
|
|
8850 082 /* a was negative and |a| < b */ |
|
|
8851 083 c->used = 1; |
|
|
8852 084 |
|
|
8853 085 /* the result is a single digit */ |
|
|
8854 086 if (a->used == 1) \{ |
|
|
8855 087 *tmpc++ = b - a->dp[0]; |
|
|
8856 088 \} else \{ |
|
|
8857 089 *tmpc++ = b; |
|
|
8858 090 \} |
|
|
8859 091 |
|
|
8860 092 /* setup count so the clearing of oldused |
|
|
8861 093 * can fall through correctly |
|
|
8862 094 */ |
|
|
8863 095 ix = 1; |
|
|
8864 096 \} |
|
|
8865 097 |
|
|
8866 098 /* now zero to oldused */ |
|
|
8867 099 while (ix++ < oldused) \{ |
|
|
8868 100 *tmpc++ = 0; |
|
|
8869 101 \} |
|
|
8870 102 mp_clamp(c); |
|
282
|
8871 103 |
|
386
|
8872 104 return MP_OKAY; |
|
|
8873 105 \} |
|
|
8874 106 |
|
|
8875 107 #endif |
|
|
8876 108 |
|
282
|
8877 \end{alltt} |
|
|
8878 \end{small} |
|
|
8879 |
|
|
8880 Clever use of the letter 't'. |
|
|
8881 |
|
|
8882 \subsubsection{Subtraction} |
|
|
8883 The single digit subtraction algorithm mp\_sub\_d is essentially the same except it uses mp\_sub to subtract the digit from the mp\_int. |
|
|
8884 |
|
|
8885 \subsection{Single Digit Multiplication} |
|
|
8886 Single digit multiplication arises enough in division and radix conversion that it ought to be implement as a special case of the baseline |
|
|
8887 multiplication algorithm. Essentially this algorithm is a modified version of algorithm s\_mp\_mul\_digs where one of the multiplicands |
|
|
8888 only has one digit. |
|
|
8889 |
|
|
8890 \begin{figure}[!here] |
|
|
8891 \begin{small} |
|
|
8892 \begin{center} |
|
|
8893 \begin{tabular}{l} |
|
|
8894 \hline Algorithm \textbf{mp\_mul\_d}. \\ |
|
|
8895 \textbf{Input}. mp\_int $a$ and a mp\_digit $b$ \\ |
|
|
8896 \textbf{Output}. $c = ab$ \\ |
|
|
8897 \hline \\ |
|
|
8898 1. $pa \leftarrow a.used$ \\ |
|
|
8899 2. Grow $c$ to at least $pa + 1$ digits. \\ |
|
|
8900 3. $oldused \leftarrow c.used$ \\ |
|
|
8901 4. $c.used \leftarrow pa + 1$ \\ |
|
|
8902 5. $c.sign \leftarrow a.sign$ \\ |
|
|
8903 6. $\mu \leftarrow 0$ \\ |
|
|
8904 7. for $ix$ from $0$ to $pa - 1$ do \\ |
|
|
8905 \hspace{3mm}7.1 $\hat r \leftarrow \mu + a_{ix}b$ \\ |
|
|
8906 \hspace{3mm}7.2 $c_{ix} \leftarrow \hat r \mbox{ (mod }\beta\mbox{)}$ \\ |
|
|
8907 \hspace{3mm}7.3 $\mu \leftarrow \lfloor \hat r / \beta \rfloor$ \\ |
|
|
8908 8. $c_{pa} \leftarrow \mu$ \\ |
|
|
8909 9. for $ix$ from $pa + 1$ to $oldused$ do \\ |
|
|
8910 \hspace{3mm}9.1 $c_{ix} \leftarrow 0$ \\ |
|
|
8911 10. Clamp excess digits of $c$. \\ |
|
|
8912 11. Return(\textit{MP\_OKAY}). \\ |
|
|
8913 \hline |
|
|
8914 \end{tabular} |
|
|
8915 \end{center} |
|
|
8916 \end{small} |
|
|
8917 \caption{Algorithm mp\_mul\_d} |
|
|
8918 \end{figure} |
|
|
8919 \textbf{Algorithm mp\_mul\_d.} |
|
|
8920 This algorithm quickly multiplies an mp\_int by a small single digit value. It is specially tailored to the job and has a minimal of overhead. |
|
|
8921 Unlike the full multiplication algorithms this algorithm does not require any significnat temporary storage or memory allocations. |
|
|
8922 |
|
|
8923 \vspace{+3mm}\begin{small} |
|
|
8924 \hspace{-5.1mm}{\bf File}: bn\_mp\_mul\_d.c |
|
|
8925 \vspace{-3mm} |
|
|
8926 \begin{alltt} |
|
|
8927 016 |
|
|
8928 017 /* multiply by a digit */ |
|
|
8929 018 int |
|
|
8930 019 mp_mul_d (mp_int * a, mp_digit b, mp_int * c) |
|
|
8931 020 \{ |
|
|
8932 021 mp_digit u, *tmpa, *tmpc; |
|
|
8933 022 mp_word r; |
|
|
8934 023 int ix, res, olduse; |
|
|
8935 024 |
|
|
8936 025 /* make sure c is big enough to hold a*b */ |
|
|
8937 026 if (c->alloc < a->used + 1) \{ |
|
|
8938 027 if ((res = mp_grow (c, a->used + 1)) != MP_OKAY) \{ |
|
|
8939 028 return res; |
|
|
8940 029 \} |
|
|
8941 030 \} |
|
|
8942 031 |
|
|
8943 032 /* get the original destinations used count */ |
|
|
8944 033 olduse = c->used; |
|
|
8945 034 |
|
|
8946 035 /* set the sign */ |
|
|
8947 036 c->sign = a->sign; |
|
|
8948 037 |
|
|
8949 038 /* alias for a->dp [source] */ |
|
|
8950 039 tmpa = a->dp; |
|
|
8951 040 |
|
|
8952 041 /* alias for c->dp [dest] */ |
|
|
8953 042 tmpc = c->dp; |
|
|
8954 043 |
|
|
8955 044 /* zero carry */ |
|
|
8956 045 u = 0; |
|
|
8957 046 |
|
|
8958 047 /* compute columns */ |
|
|
8959 048 for (ix = 0; ix < a->used; ix++) \{ |
|
|
8960 049 /* compute product and carry sum for this term */ |
|
|
8961 050 r = ((mp_word) u) + ((mp_word)*tmpa++) * ((mp_word)b); |
|
|
8962 051 |
|
|
8963 052 /* mask off higher bits to get a single digit */ |
|
|
8964 053 *tmpc++ = (mp_digit) (r & ((mp_word) MP_MASK)); |
|
|
8965 054 |
|
|
8966 055 /* send carry into next iteration */ |
|
|
8967 056 u = (mp_digit) (r >> ((mp_word) DIGIT_BIT)); |
|
|
8968 057 \} |
|
|
8969 058 |
|
|
8970 059 /* store final carry [if any] and increment ix offset */ |
|
|
8971 060 *tmpc++ = u; |
|
|
8972 061 ++ix; |
|
|
8973 062 |
|
|
8974 063 /* now zero digits above the top */ |
|
|
8975 064 while (ix++ < olduse) \{ |
|
|
8976 065 *tmpc++ = 0; |
|
|
8977 066 \} |
|
|
8978 067 |
|
|
8979 068 /* set used count */ |
|
|
8980 069 c->used = a->used + 1; |
|
|
8981 070 mp_clamp(c); |
|
|
8982 071 |
|
|
8983 072 return MP_OKAY; |
|
|
8984 073 \} |
|
|
8985 074 #endif |
|
386
|
8986 075 |
|
282
|
8987 \end{alltt} |
|
|
8988 \end{small} |
|
|
8989 |
|
|
8990 In this implementation the destination $c$ may point to the same mp\_int as the source $a$ since the result is written after the digit is |
|
|
8991 read from the source. This function uses pointer aliases $tmpa$ and $tmpc$ for the digits of $a$ and $c$ respectively. |
|
|
8992 |
|
|
8993 \subsection{Single Digit Division} |
|
|
8994 Like the single digit multiplication algorithm, single digit division is also a fairly common algorithm used in radix conversion. Since the |
|
|
8995 divisor is only a single digit a specialized variant of the division algorithm can be used to compute the quotient. |
|
|
8996 |
|
|
8997 \newpage\begin{figure}[!here] |
|
|
8998 \begin{small} |
|
|
8999 \begin{center} |
|
|
9000 \begin{tabular}{l} |
|
|
9001 \hline Algorithm \textbf{mp\_div\_d}. \\ |
|
|
9002 \textbf{Input}. mp\_int $a$ and a mp\_digit $b$ \\ |
|
|
9003 \textbf{Output}. $c = \lfloor a / b \rfloor, d = a - cb$ \\ |
|
|
9004 \hline \\ |
|
|
9005 1. If $b = 0$ then return(\textit{MP\_VAL}).\\ |
|
|
9006 2. If $b = 3$ then use algorithm mp\_div\_3 instead. \\ |
|
|
9007 3. Init $q$ to $a.used$ digits. \\ |
|
|
9008 4. $q.used \leftarrow a.used$ \\ |
|
|
9009 5. $q.sign \leftarrow a.sign$ \\ |
|
|
9010 6. $\hat w \leftarrow 0$ \\ |
|
|
9011 7. for $ix$ from $a.used - 1$ down to $0$ do \\ |
|
|
9012 \hspace{3mm}7.1 $\hat w \leftarrow \hat w \beta + a_{ix}$ \\ |
|
|
9013 \hspace{3mm}7.2 If $\hat w \ge b$ then \\ |
|
|
9014 \hspace{6mm}7.2.1 $t \leftarrow \lfloor \hat w / b \rfloor$ \\ |
|
|
9015 \hspace{6mm}7.2.2 $\hat w \leftarrow \hat w \mbox{ (mod }b\mbox{)}$ \\ |
|
|
9016 \hspace{3mm}7.3 else\\ |
|
|
9017 \hspace{6mm}7.3.1 $t \leftarrow 0$ \\ |
|
|
9018 \hspace{3mm}7.4 $q_{ix} \leftarrow t$ \\ |
|
|
9019 8. $d \leftarrow \hat w$ \\ |
|
|
9020 9. Clamp excess digits of $q$. \\ |
|
|
9021 10. $c \leftarrow q$ \\ |
|
|
9022 11. Return(\textit{MP\_OKAY}). \\ |
|
|
9023 \hline |
|
|
9024 \end{tabular} |
|
|
9025 \end{center} |
|
|
9026 \end{small} |
|
|
9027 \caption{Algorithm mp\_div\_d} |
|
|
9028 \end{figure} |
|
|
9029 \textbf{Algorithm mp\_div\_d.} |
|
|
9030 This algorithm divides the mp\_int $a$ by the single mp\_digit $b$ using an optimized approach. Essentially in every iteration of the |
|
|
9031 algorithm another digit of the dividend is reduced and another digit of quotient produced. Provided $b < \beta$ the value of $\hat w$ |
|
|
9032 after step 7.1 will be limited such that $0 \le \lfloor \hat w / b \rfloor < \beta$. |
|
|
9033 |
|
|
9034 If the divisor $b$ is equal to three a variant of this algorithm is used which is called mp\_div\_3. It replaces the division by three with |
|
|
9035 a multiplication by $\lfloor \beta / 3 \rfloor$ and the appropriate shift and residual fixup. In essence it is much like the Barrett reduction |
|
|
9036 from chapter seven. |
|
|
9037 |
|
|
9038 \vspace{+3mm}\begin{small} |
|
|
9039 \hspace{-5.1mm}{\bf File}: bn\_mp\_div\_d.c |
|
|
9040 \vspace{-3mm} |
|
|
9041 \begin{alltt} |
|
|
9042 016 |
|
|
9043 017 static int s_is_power_of_two(mp_digit b, int *p) |
|
|
9044 018 \{ |
|
|
9045 019 int x; |
|
|
9046 020 |
|
|
9047 021 for (x = 1; x < DIGIT_BIT; x++) \{ |
|
|
9048 022 if (b == (((mp_digit)1)<<x)) \{ |
|
|
9049 023 *p = x; |
|
|
9050 024 return 1; |
|
|
9051 025 \} |
|
|
9052 026 \} |
|
|
9053 027 return 0; |
|
|
9054 028 \} |
|
|
9055 029 |
|
|
9056 030 /* single digit division (based on routine from MPI) */ |
|
|
9057 031 int mp_div_d (mp_int * a, mp_digit b, mp_int * c, mp_digit * d) |
|
|
9058 032 \{ |
|
|
9059 033 mp_int q; |
|
|
9060 034 mp_word w; |
|
|
9061 035 mp_digit t; |
|
|
9062 036 int res, ix; |
|
|
9063 037 |
|
|
9064 038 /* cannot divide by zero */ |
|
|
9065 039 if (b == 0) \{ |
|
|
9066 040 return MP_VAL; |
|
|
9067 041 \} |
|
|
9068 042 |
|
|
9069 043 /* quick outs */ |
|
|
9070 044 if (b == 1 || mp_iszero(a) == 1) \{ |
|
|
9071 045 if (d != NULL) \{ |
|
|
9072 046 *d = 0; |
|
|
9073 047 \} |
|
|
9074 048 if (c != NULL) \{ |
|
|
9075 049 return mp_copy(a, c); |
|
|
9076 050 \} |
|
|
9077 051 return MP_OKAY; |
|
|
9078 052 \} |
|
|
9079 053 |
|
|
9080 054 /* power of two ? */ |
|
|
9081 055 if (s_is_power_of_two(b, &ix) == 1) \{ |
|
|
9082 056 if (d != NULL) \{ |
|
|
9083 057 *d = a->dp[0] & ((((mp_digit)1)<<ix) - 1); |
|
|
9084 058 \} |
|
|
9085 059 if (c != NULL) \{ |
|
|
9086 060 return mp_div_2d(a, ix, c, NULL); |
|
|
9087 061 \} |
|
|
9088 062 return MP_OKAY; |
|
|
9089 063 \} |
|
|
9090 064 |
|
|
9091 065 #ifdef BN_MP_DIV_3_C |
|
|
9092 066 /* three? */ |
|
|
9093 067 if (b == 3) \{ |
|
|
9094 068 return mp_div_3(a, c, d); |
|
|
9095 069 \} |
|
|
9096 070 #endif |
|
|
9097 071 |
|
|
9098 072 /* no easy answer [c'est la vie]. Just division */ |
|
|
9099 073 if ((res = mp_init_size(&q, a->used)) != MP_OKAY) \{ |
|
|
9100 074 return res; |
|
|
9101 075 \} |
|
|
9102 076 |
|
|
9103 077 q.used = a->used; |
|
|
9104 078 q.sign = a->sign; |
|
|
9105 079 w = 0; |
|
|
9106 080 for (ix = a->used - 1; ix >= 0; ix--) \{ |
|
|
9107 081 w = (w << ((mp_word)DIGIT_BIT)) | ((mp_word)a->dp[ix]); |
|
|
9108 082 |
|
|
9109 083 if (w >= b) \{ |
|
|
9110 084 t = (mp_digit)(w / b); |
|
|
9111 085 w -= ((mp_word)t) * ((mp_word)b); |
|
|
9112 086 \} else \{ |
|
|
9113 087 t = 0; |
|
|
9114 088 \} |
|
|
9115 089 q.dp[ix] = (mp_digit)t; |
|
|
9116 090 \} |
|
|
9117 091 |
|
|
9118 092 if (d != NULL) \{ |
|
|
9119 093 *d = (mp_digit)w; |
|
|
9120 094 \} |
|
|
9121 095 |
|
|
9122 096 if (c != NULL) \{ |
|
|
9123 097 mp_clamp(&q); |
|
|
9124 098 mp_exch(&q, c); |
|
|
9125 099 \} |
|
|
9126 100 mp_clear(&q); |
|
|
9127 101 |
|
|
9128 102 return res; |
|
|
9129 103 \} |
|
|
9130 104 |
|
|
9131 105 #endif |
|
386
|
9132 106 |
|
282
|
9133 \end{alltt} |
|
|
9134 \end{small} |
|
|
9135 |
|
|
9136 Like the implementation of algorithm mp\_div this algorithm allows either of the quotient or remainder to be passed as a \textbf{NULL} pointer to |
|
|
9137 indicate the respective value is not required. This allows a trivial single digit modular reduction algorithm, mp\_mod\_d to be created. |
|
|
9138 |
|
|
9139 The division and remainder on lines 43 and @45,%@ can be replaced often by a single division on most processors. For example, the 32-bit x86 based |
|
|
9140 processors can divide a 64-bit quantity by a 32-bit quantity and produce the quotient and remainder simultaneously. Unfortunately the GCC |
|
|
9141 compiler does not recognize that optimization and will actually produce two function calls to find the quotient and remainder respectively. |
|
|
9142 |
|
|
9143 \subsection{Single Digit Root Extraction} |
|
|
9144 |
|
|
9145 Finding the $n$'th root of an integer is fairly easy as far as numerical analysis is concerned. Algorithms such as the Newton-Raphson approximation |
|
|
9146 (\ref{eqn:newton}) series will converge very quickly to a root for any continuous function $f(x)$. |
|
|
9147 |
|
|
9148 \begin{equation} |
|
|
9149 x_{i+1} = x_i - {f(x_i) \over f'(x_i)} |
|
|
9150 \label{eqn:newton} |
|
|
9151 \end{equation} |
|
|
9152 |
|
|
9153 In this case the $n$'th root is desired and $f(x) = x^n - a$ where $a$ is the integer of which the root is desired. The derivative of $f(x)$ is |
|
|
9154 simply $f'(x) = nx^{n - 1}$. Of particular importance is that this algorithm will be used over the integers not over the a more continuous domain |
|
|
9155 such as the real numbers. As a result the root found can be above the true root by few and must be manually adjusted. Ideally at the end of the |
|
|
9156 algorithm the $n$'th root $b$ of an integer $a$ is desired such that $b^n \le a$. |
|
|
9157 |
|
|
9158 \newpage\begin{figure}[!here] |
|
|
9159 \begin{small} |
|
|
9160 \begin{center} |
|
|
9161 \begin{tabular}{l} |
|
|
9162 \hline Algorithm \textbf{mp\_n\_root}. \\ |
|
|
9163 \textbf{Input}. mp\_int $a$ and a mp\_digit $b$ \\ |
|
|
9164 \textbf{Output}. $c^b \le a$ \\ |
|
|
9165 \hline \\ |
|
|
9166 1. If $b$ is even and $a.sign = MP\_NEG$ return(\textit{MP\_VAL}). \\ |
|
|
9167 2. $sign \leftarrow a.sign$ \\ |
|
|
9168 3. $a.sign \leftarrow MP\_ZPOS$ \\ |
|
|
9169 4. t$2 \leftarrow 2$ \\ |
|
|
9170 5. Loop \\ |
|
|
9171 \hspace{3mm}5.1 t$1 \leftarrow $ t$2$ \\ |
|
|
9172 \hspace{3mm}5.2 t$3 \leftarrow $ t$1^{b - 1}$ \\ |
|
|
9173 \hspace{3mm}5.3 t$2 \leftarrow $ t$3 $ $\cdot$ t$1$ \\ |
|
|
9174 \hspace{3mm}5.4 t$2 \leftarrow $ t$2 - a$ \\ |
|
|
9175 \hspace{3mm}5.5 t$3 \leftarrow $ t$3 \cdot b$ \\ |
|
|
9176 \hspace{3mm}5.6 t$3 \leftarrow \lfloor $t$2 / $t$3 \rfloor$ \\ |
|
|
9177 \hspace{3mm}5.7 t$2 \leftarrow $ t$1 - $ t$3$ \\ |
|
|
9178 \hspace{3mm}5.8 If t$1 \ne $ t$2$ then goto step 5. \\ |
|
|
9179 6. Loop \\ |
|
|
9180 \hspace{3mm}6.1 t$2 \leftarrow $ t$1^b$ \\ |
|
|
9181 \hspace{3mm}6.2 If t$2 > a$ then \\ |
|
|
9182 \hspace{6mm}6.2.1 t$1 \leftarrow $ t$1 - 1$ \\ |
|
|
9183 \hspace{6mm}6.2.2 Goto step 6. \\ |
|
|
9184 7. $a.sign \leftarrow sign$ \\ |
|
|
9185 8. $c \leftarrow $ t$1$ \\ |
|
|
9186 9. $c.sign \leftarrow sign$ \\ |
|
|
9187 10. Return(\textit{MP\_OKAY}). \\ |
|
|
9188 \hline |
|
|
9189 \end{tabular} |
|
|
9190 \end{center} |
|
|
9191 \end{small} |
|
|
9192 \caption{Algorithm mp\_n\_root} |
|
|
9193 \end{figure} |
|
|
9194 \textbf{Algorithm mp\_n\_root.} |
|
|
9195 This algorithm finds the integer $n$'th root of an input using the Newton-Raphson approach. It is partially optimized based on the observation |
|
|
9196 that the numerator of ${f(x) \over f'(x)}$ can be derived from a partial denominator. That is at first the denominator is calculated by finding |
|
|
9197 $x^{b - 1}$. This value can then be multiplied by $x$ and have $a$ subtracted from it to find the numerator. This saves a total of $b - 1$ |
|
|
9198 multiplications by t$1$ inside the loop. |
|
|
9199 |
|
|
9200 The initial value of the approximation is t$2 = 2$ which allows the algorithm to start with very small values and quickly converge on the |
|
|
9201 root. Ideally this algorithm is meant to find the $n$'th root of an input where $n$ is bounded by $2 \le n \le 5$. |
|
|
9202 |
|
|
9203 \vspace{+3mm}\begin{small} |
|
|
9204 \hspace{-5.1mm}{\bf File}: bn\_mp\_n\_root.c |
|
|
9205 \vspace{-3mm} |
|
|
9206 \begin{alltt} |
|
|
9207 016 |
|
|
9208 017 /* find the n'th root of an integer |
|
|
9209 018 * |
|
|
9210 019 * Result found such that (c)**b <= a and (c+1)**b > a |
|
|
9211 020 * |
|
|
9212 021 * This algorithm uses Newton's approximation |
|
|
9213 022 * x[i+1] = x[i] - f(x[i])/f'(x[i]) |
|
|
9214 023 * which will find the root in log(N) time where |
|
|
9215 024 * each step involves a fair bit. This is not meant to |
|
|
9216 025 * find huge roots [square and cube, etc]. |
|
|
9217 026 */ |
|
|
9218 027 int mp_n_root (mp_int * a, mp_digit b, mp_int * c) |
|
|
9219 028 \{ |
|
|
9220 029 mp_int t1, t2, t3; |
|
|
9221 030 int res, neg; |
|
|
9222 031 |
|
|
9223 032 /* input must be positive if b is even */ |
|
|
9224 033 if ((b & 1) == 0 && a->sign == MP_NEG) \{ |
|
|
9225 034 return MP_VAL; |
|
|
9226 035 \} |
|
|
9227 036 |
|
|
9228 037 if ((res = mp_init (&t1)) != MP_OKAY) \{ |
|
|
9229 038 return res; |
|
|
9230 039 \} |
|
|
9231 040 |
|
|
9232 041 if ((res = mp_init (&t2)) != MP_OKAY) \{ |
|
|
9233 042 goto LBL_T1; |
|
|
9234 043 \} |
|
|
9235 044 |
|
|
9236 045 if ((res = mp_init (&t3)) != MP_OKAY) \{ |
|
|
9237 046 goto LBL_T2; |
|
|
9238 047 \} |
|
|
9239 048 |
|
|
9240 049 /* if a is negative fudge the sign but keep track */ |
|
|
9241 050 neg = a->sign; |
|
|
9242 051 a->sign = MP_ZPOS; |
|
|
9243 052 |
|
|
9244 053 /* t2 = 2 */ |
|
|
9245 054 mp_set (&t2, 2); |
|
|
9246 055 |
|
|
9247 056 do \{ |
|
|
9248 057 /* t1 = t2 */ |
|
|
9249 058 if ((res = mp_copy (&t2, &t1)) != MP_OKAY) \{ |
|
|
9250 059 goto LBL_T3; |
|
|
9251 060 \} |
|
|
9252 061 |
|
|
9253 062 /* t2 = t1 - ((t1**b - a) / (b * t1**(b-1))) */ |
|
|
9254 063 |
|
|
9255 064 /* t3 = t1**(b-1) */ |
|
|
9256 065 if ((res = mp_expt_d (&t1, b - 1, &t3)) != MP_OKAY) \{ |
|
|
9257 066 goto LBL_T3; |
|
|
9258 067 \} |
|
|
9259 068 |
|
|
9260 069 /* numerator */ |
|
|
9261 070 /* t2 = t1**b */ |
|
|
9262 071 if ((res = mp_mul (&t3, &t1, &t2)) != MP_OKAY) \{ |
|
|
9263 072 goto LBL_T3; |
|
|
9264 073 \} |
|
|
9265 074 |
|
|
9266 075 /* t2 = t1**b - a */ |
|
|
9267 076 if ((res = mp_sub (&t2, a, &t2)) != MP_OKAY) \{ |
|
|
9268 077 goto LBL_T3; |
|
|
9269 078 \} |
|
|
9270 079 |
|
|
9271 080 /* denominator */ |
|
|
9272 081 /* t3 = t1**(b-1) * b */ |
|
|
9273 082 if ((res = mp_mul_d (&t3, b, &t3)) != MP_OKAY) \{ |
|
|
9274 083 goto LBL_T3; |
|
|
9275 084 \} |
|
|
9276 085 |
|
|
9277 086 /* t3 = (t1**b - a)/(b * t1**(b-1)) */ |
|
|
9278 087 if ((res = mp_div (&t2, &t3, &t3, NULL)) != MP_OKAY) \{ |
|
|
9279 088 goto LBL_T3; |
|
|
9280 089 \} |
|
|
9281 090 |
|
|
9282 091 if ((res = mp_sub (&t1, &t3, &t2)) != MP_OKAY) \{ |
|
|
9283 092 goto LBL_T3; |
|
|
9284 093 \} |
|
|
9285 094 \} while (mp_cmp (&t1, &t2) != MP_EQ); |
|
|
9286 095 |
|
|
9287 096 /* result can be off by a few so check */ |
|
|
9288 097 for (;;) \{ |
|
|
9289 098 if ((res = mp_expt_d (&t1, b, &t2)) != MP_OKAY) \{ |
|
|
9290 099 goto LBL_T3; |
|
|
9291 100 \} |
|
|
9292 101 |
|
|
9293 102 if (mp_cmp (&t2, a) == MP_GT) \{ |
|
|
9294 103 if ((res = mp_sub_d (&t1, 1, &t1)) != MP_OKAY) \{ |
|
|
9295 104 goto LBL_T3; |
|
|
9296 105 \} |
|
|
9297 106 \} else \{ |
|
|
9298 107 break; |
|
|
9299 108 \} |
|
|
9300 109 \} |
|
|
9301 110 |
|
|
9302 111 /* reset the sign of a first */ |
|
|
9303 112 a->sign = neg; |
|
|
9304 113 |
|
|
9305 114 /* set the result */ |
|
|
9306 115 mp_exch (&t1, c); |
|
|
9307 116 |
|
|
9308 117 /* set the sign of the result */ |
|
|
9309 118 c->sign = neg; |
|
|
9310 119 |
|
|
9311 120 res = MP_OKAY; |
|
|
9312 121 |
|
|
9313 122 LBL_T3:mp_clear (&t3); |
|
|
9314 123 LBL_T2:mp_clear (&t2); |
|
|
9315 124 LBL_T1:mp_clear (&t1); |
|
|
9316 125 return res; |
|
|
9317 126 \} |
|
|
9318 127 #endif |
|
386
|
9319 128 |
|
282
|
9320 \end{alltt} |
|
|
9321 \end{small} |
|
|
9322 |
|
|
9323 \section{Random Number Generation} |
|
|
9324 |
|
|
9325 Random numbers come up in a variety of activities from public key cryptography to simple simulations and various randomized algorithms. Pollard-Rho |
|
|
9326 factoring for example, can make use of random values as starting points to find factors of a composite integer. In this case the algorithm presented |
|
|
9327 is solely for simulations and not intended for cryptographic use. |
|
|
9328 |
|
|
9329 \newpage\begin{figure}[!here] |
|
|
9330 \begin{small} |
|
|
9331 \begin{center} |
|
|
9332 \begin{tabular}{l} |
|
|
9333 \hline Algorithm \textbf{mp\_rand}. \\ |
|
|
9334 \textbf{Input}. An integer $b$ \\ |
|
|
9335 \textbf{Output}. A pseudo-random number of $b$ digits \\ |
|
|
9336 \hline \\ |
|
|
9337 1. $a \leftarrow 0$ \\ |
|
|
9338 2. If $b \le 0$ return(\textit{MP\_OKAY}) \\ |
|
|
9339 3. Pick a non-zero random digit $d$. \\ |
|
|
9340 4. $a \leftarrow a + d$ \\ |
|
|
9341 5. for $ix$ from 1 to $d - 1$ do \\ |
|
|
9342 \hspace{3mm}5.1 $a \leftarrow a \cdot \beta$ \\ |
|
|
9343 \hspace{3mm}5.2 Pick a random digit $d$. \\ |
|
|
9344 \hspace{3mm}5.3 $a \leftarrow a + d$ \\ |
|
|
9345 6. Return(\textit{MP\_OKAY}). \\ |
|
|
9346 \hline |
|
|
9347 \end{tabular} |
|
|
9348 \end{center} |
|
|
9349 \end{small} |
|
|
9350 \caption{Algorithm mp\_rand} |
|
|
9351 \end{figure} |
|
|
9352 \textbf{Algorithm mp\_rand.} |
|
|
9353 This algorithm produces a pseudo-random integer of $b$ digits. By ensuring that the first digit is non-zero the algorithm also guarantees that the |
|
|
9354 final result has at least $b$ digits. It relies heavily on a third-part random number generator which should ideally generate uniformly all of |
|
|
9355 the integers from $0$ to $\beta - 1$. |
|
|
9356 |
|
|
9357 \vspace{+3mm}\begin{small} |
|
|
9358 \hspace{-5.1mm}{\bf File}: bn\_mp\_rand.c |
|
|
9359 \vspace{-3mm} |
|
|
9360 \begin{alltt} |
|
|
9361 016 |
|
|
9362 017 /* makes a pseudo-random int of a given size */ |
|
|
9363 018 int |
|
|
9364 019 mp_rand (mp_int * a, int digits) |
|
|
9365 020 \{ |
|
|
9366 021 int res; |
|
|
9367 022 mp_digit d; |
|
|
9368 023 |
|
|
9369 024 mp_zero (a); |
|
|
9370 025 if (digits <= 0) \{ |
|
|
9371 026 return MP_OKAY; |
|
|
9372 027 \} |
|
|
9373 028 |
|
|
9374 029 /* first place a random non-zero digit */ |
|
|
9375 030 do \{ |
|
|
9376 031 d = ((mp_digit) abs (rand ())) & MP_MASK; |
|
|
9377 032 \} while (d == 0); |
|
|
9378 033 |
|
|
9379 034 if ((res = mp_add_d (a, d, a)) != MP_OKAY) \{ |
|
|
9380 035 return res; |
|
|
9381 036 \} |
|
|
9382 037 |
|
|
9383 038 while (--digits > 0) \{ |
|
|
9384 039 if ((res = mp_lshd (a, 1)) != MP_OKAY) \{ |
|
|
9385 040 return res; |
|
|
9386 041 \} |
|
|
9387 042 |
|
|
9388 043 if ((res = mp_add_d (a, ((mp_digit) abs (rand ())), a)) != MP_OKAY) \{ |
|
|
9389 044 return res; |
|
|
9390 045 \} |
|
|
9391 046 \} |
|
|
9392 047 |
|
|
9393 048 return MP_OKAY; |
|
|
9394 049 \} |
|
|
9395 050 #endif |
|
386
|
9396 051 |
|
282
|
9397 \end{alltt} |
|
|
9398 \end{small} |
|
|
9399 |
|
|
9400 \section{Formatted Representations} |
|
|
9401 The ability to emit a radix-$n$ textual representation of an integer is useful for interacting with human parties. For example, the ability to |
|
|
9402 be given a string of characters such as ``114585'' and turn it into the radix-$\beta$ equivalent would make it easier to enter numbers |
|
|
9403 into a program. |
|
|
9404 |
|
|
9405 \subsection{Reading Radix-n Input} |
|
|
9406 For the purposes of this text we will assume that a simple lower ASCII map (\ref{fig:ASC}) is used for the values of from $0$ to $63$ to |
|
|
9407 printable characters. For example, when the character ``N'' is read it represents the integer $23$. The first $16$ characters of the |
|
|
9408 map are for the common representations up to hexadecimal. After that they match the ``base64'' encoding scheme which are suitable chosen |
|
|
9409 such that they are printable. While outputting as base64 may not be too helpful for human operators it does allow communication via non binary |
|
|
9410 mediums. |
|
|
9411 |
|
|
9412 \newpage\begin{figure}[here] |
|
|
9413 \begin{center} |
|
|
9414 \begin{tabular}{cc|cc|cc|cc} |
|
|
9415 \hline \textbf{Value} & \textbf{Char} & \textbf{Value} & \textbf{Char} & \textbf{Value} & \textbf{Char} & \textbf{Value} & \textbf{Char} \\ |
|
|
9416 \hline |
|
|
9417 0 & 0 & 1 & 1 & 2 & 2 & 3 & 3 \\ |
|
|
9418 4 & 4 & 5 & 5 & 6 & 6 & 7 & 7 \\ |
|
|
9419 8 & 8 & 9 & 9 & 10 & A & 11 & B \\ |
|
|
9420 12 & C & 13 & D & 14 & E & 15 & F \\ |
|
|
9421 16 & G & 17 & H & 18 & I & 19 & J \\ |
|
|
9422 20 & K & 21 & L & 22 & M & 23 & N \\ |
|
|
9423 24 & O & 25 & P & 26 & Q & 27 & R \\ |
|
|
9424 28 & S & 29 & T & 30 & U & 31 & V \\ |
|
|
9425 32 & W & 33 & X & 34 & Y & 35 & Z \\ |
|
|
9426 36 & a & 37 & b & 38 & c & 39 & d \\ |
|
|
9427 40 & e & 41 & f & 42 & g & 43 & h \\ |
|
|
9428 44 & i & 45 & j & 46 & k & 47 & l \\ |
|
|
9429 48 & m & 49 & n & 50 & o & 51 & p \\ |
|
|
9430 52 & q & 53 & r & 54 & s & 55 & t \\ |
|
|
9431 56 & u & 57 & v & 58 & w & 59 & x \\ |
|
|
9432 60 & y & 61 & z & 62 & $+$ & 63 & $/$ \\ |
|
|
9433 \hline |
|
|
9434 \end{tabular} |
|
|
9435 \end{center} |
|
|
9436 \caption{Lower ASCII Map} |
|
|
9437 \label{fig:ASC} |
|
|
9438 \end{figure} |
|
|
9439 |
|
|
9440 \newpage\begin{figure}[!here] |
|
|
9441 \begin{small} |
|
|
9442 \begin{center} |
|
|
9443 \begin{tabular}{l} |
|
|
9444 \hline Algorithm \textbf{mp\_read\_radix}. \\ |
|
|
9445 \textbf{Input}. A string $str$ of length $sn$ and radix $r$. \\ |
|
|
9446 \textbf{Output}. The radix-$\beta$ equivalent mp\_int. \\ |
|
|
9447 \hline \\ |
|
|
9448 1. If $r < 2$ or $r > 64$ return(\textit{MP\_VAL}). \\ |
|
|
9449 2. $ix \leftarrow 0$ \\ |
|
|
9450 3. If $str_0 =$ ``-'' then do \\ |
|
|
9451 \hspace{3mm}3.1 $ix \leftarrow ix + 1$ \\ |
|
|
9452 \hspace{3mm}3.2 $sign \leftarrow MP\_NEG$ \\ |
|
|
9453 4. else \\ |
|
|
9454 \hspace{3mm}4.1 $sign \leftarrow MP\_ZPOS$ \\ |
|
|
9455 5. $a \leftarrow 0$ \\ |
|
|
9456 6. for $iy$ from $ix$ to $sn - 1$ do \\ |
|
|
9457 \hspace{3mm}6.1 Let $y$ denote the position in the map of $str_{iy}$. \\ |
|
|
9458 \hspace{3mm}6.2 If $str_{iy}$ is not in the map or $y \ge r$ then goto step 7. \\ |
|
|
9459 \hspace{3mm}6.3 $a \leftarrow a \cdot r$ \\ |
|
|
9460 \hspace{3mm}6.4 $a \leftarrow a + y$ \\ |
|
|
9461 7. If $a \ne 0$ then $a.sign \leftarrow sign$ \\ |
|
|
9462 8. Return(\textit{MP\_OKAY}). \\ |
|
|
9463 \hline |
|
|
9464 \end{tabular} |
|
|
9465 \end{center} |
|
|
9466 \end{small} |
|
|
9467 \caption{Algorithm mp\_read\_radix} |
|
|
9468 \end{figure} |
|
|
9469 \textbf{Algorithm mp\_read\_radix.} |
|
|
9470 This algorithm will read an ASCII string and produce the radix-$\beta$ mp\_int representation of the same integer. A minus symbol ``-'' may precede the |
|
|
9471 string to indicate the value is negative, otherwise it is assumed to be positive. The algorithm will read up to $sn$ characters from the input |
|
|
9472 and will stop when it reads a character it cannot map the algorithm stops reading characters from the string. This allows numbers to be embedded |
|
|
9473 as part of larger input without any significant problem. |
|
|
9474 |
|
|
9475 \vspace{+3mm}\begin{small} |
|
|
9476 \hspace{-5.1mm}{\bf File}: bn\_mp\_read\_radix.c |
|
|
9477 \vspace{-3mm} |
|
|
9478 \begin{alltt} |
|
|
9479 016 |
|
|
9480 017 /* read a string [ASCII] in a given radix */ |
|
|
9481 018 int mp_read_radix (mp_int * a, const char *str, int radix) |
|
|
9482 019 \{ |
|
|
9483 020 int y, res, neg; |
|
|
9484 021 char ch; |
|
|
9485 022 |
|
386
|
9486 023 /* zero the digit bignum */ |
|
|
9487 024 mp_zero(a); |
|
|
9488 025 |
|
|
9489 026 /* make sure the radix is ok */ |
|
|
9490 027 if (radix < 2 || radix > 64) \{ |
|
|
9491 028 return MP_VAL; |
|
|
9492 029 \} |
|
|
9493 030 |
|
|
9494 031 /* if the leading digit is a |
|
|
9495 032 * minus set the sign to negative. |
|
|
9496 033 */ |
|
|
9497 034 if (*str == '-') \{ |
|
|
9498 035 ++str; |
|
|
9499 036 neg = MP_NEG; |
|
|
9500 037 \} else \{ |
|
|
9501 038 neg = MP_ZPOS; |
|
|
9502 039 \} |
|
|
9503 040 |
|
|
9504 041 /* set the integer to the default of zero */ |
|
|
9505 042 mp_zero (a); |
|
|
9506 043 |
|
|
9507 044 /* process each digit of the string */ |
|
|
9508 045 while (*str) \{ |
|
|
9509 046 /* if the radix < 36 the conversion is case insensitive |
|
|
9510 047 * this allows numbers like 1AB and 1ab to represent the same value |
|
|
9511 048 * [e.g. in hex] |
|
|
9512 049 */ |
|
|
9513 050 ch = (char) ((radix < 36) ? toupper (*str) : *str); |
|
|
9514 051 for (y = 0; y < 64; y++) \{ |
|
|
9515 052 if (ch == mp_s_rmap[y]) \{ |
|
|
9516 053 break; |
|
|
9517 054 \} |
|
|
9518 055 \} |
|
|
9519 056 |
|
|
9520 057 /* if the char was found in the map |
|
|
9521 058 * and is less than the given radix add it |
|
|
9522 059 * to the number, otherwise exit the loop. |
|
|
9523 060 */ |
|
|
9524 061 if (y < radix) \{ |
|
|
9525 062 if ((res = mp_mul_d (a, (mp_digit) radix, a)) != MP_OKAY) \{ |
|
282
|
9526 063 return res; |
|
|
9527 064 \} |
|
386
|
9528 065 if ((res = mp_add_d (a, (mp_digit) y, a)) != MP_OKAY) \{ |
|
|
9529 066 return res; |
|
|
9530 067 \} |
|
|
9531 068 \} else \{ |
|
|
9532 069 break; |
|
|
9533 070 \} |
|
|
9534 071 ++str; |
|
|
9535 072 \} |
|
|
9536 073 |
|
|
9537 074 /* set the sign only if a != 0 */ |
|
|
9538 075 if (mp_iszero(a) != 1) \{ |
|
|
9539 076 a->sign = neg; |
|
|
9540 077 \} |
|
|
9541 078 return MP_OKAY; |
|
|
9542 079 \} |
|
|
9543 080 #endif |
|
|
9544 081 |
|
282
|
9545 \end{alltt} |
|
|
9546 \end{small} |
|
|
9547 |
|
|
9548 \subsection{Generating Radix-$n$ Output} |
|
|
9549 Generating radix-$n$ output is fairly trivial with a division and remainder algorithm. |
|
|
9550 |
|
|
9551 \newpage\begin{figure}[!here] |
|
|
9552 \begin{small} |
|
|
9553 \begin{center} |
|
|
9554 \begin{tabular}{l} |
|
|
9555 \hline Algorithm \textbf{mp\_toradix}. \\ |
|
|
9556 \textbf{Input}. A mp\_int $a$ and an integer $r$\\ |
|
|
9557 \textbf{Output}. The radix-$r$ representation of $a$ \\ |
|
|
9558 \hline \\ |
|
|
9559 1. If $r < 2$ or $r > 64$ return(\textit{MP\_VAL}). \\ |
|
|
9560 2. If $a = 0$ then $str = $ ``$0$'' and return(\textit{MP\_OKAY}). \\ |
|
|
9561 3. $t \leftarrow a$ \\ |
|
|
9562 4. $str \leftarrow$ ``'' \\ |
|
|
9563 5. if $t.sign = MP\_NEG$ then \\ |
|
|
9564 \hspace{3mm}5.1 $str \leftarrow str + $ ``-'' \\ |
|
|
9565 \hspace{3mm}5.2 $t.sign = MP\_ZPOS$ \\ |
|
|
9566 6. While ($t \ne 0$) do \\ |
|
|
9567 \hspace{3mm}6.1 $d \leftarrow t \mbox{ (mod }r\mbox{)}$ \\ |
|
|
9568 \hspace{3mm}6.2 $t \leftarrow \lfloor t / r \rfloor$ \\ |
|
|
9569 \hspace{3mm}6.3 Look up $d$ in the map and store the equivalent character in $y$. \\ |
|
|
9570 \hspace{3mm}6.4 $str \leftarrow str + y$ \\ |
|
|
9571 7. If $str_0 = $``$-$'' then \\ |
|
|
9572 \hspace{3mm}7.1 Reverse the digits $str_1, str_2, \ldots str_n$. \\ |
|
|
9573 8. Otherwise \\ |
|
|
9574 \hspace{3mm}8.1 Reverse the digits $str_0, str_1, \ldots str_n$. \\ |
|
|
9575 9. Return(\textit{MP\_OKAY}).\\ |
|
|
9576 \hline |
|
|
9577 \end{tabular} |
|
|
9578 \end{center} |
|
|
9579 \end{small} |
|
|
9580 \caption{Algorithm mp\_toradix} |
|
|
9581 \end{figure} |
|
|
9582 \textbf{Algorithm mp\_toradix.} |
|
|
9583 This algorithm computes the radix-$r$ representation of an mp\_int $a$. The ``digits'' of the representation are extracted by reducing |
|
|
9584 successive powers of $\lfloor a / r^k \rfloor$ the input modulo $r$ until $r^k > a$. Note that instead of actually dividing by $r^k$ in |
|
|
9585 each iteration the quotient $\lfloor a / r \rfloor$ is saved for the next iteration. As a result a series of trivial $n \times 1$ divisions |
|
|
9586 are required instead of a series of $n \times k$ divisions. One design flaw of this approach is that the digits are produced in the reverse order |
|
|
9587 (see~\ref{fig:mpradix}). To remedy this flaw the digits must be swapped or simply ``reversed''. |
|
|
9588 |
|
|
9589 \begin{figure} |
|
|
9590 \begin{center} |
|
|
9591 \begin{tabular}{|c|c|c|} |
|
|
9592 \hline \textbf{Value of $a$} & \textbf{Value of $d$} & \textbf{Value of $str$} \\ |
|
|
9593 \hline $1234$ & -- & -- \\ |
|
|
9594 \hline $123$ & $4$ & ``4'' \\ |
|
|
9595 \hline $12$ & $3$ & ``43'' \\ |
|
|
9596 \hline $1$ & $2$ & ``432'' \\ |
|
|
9597 \hline $0$ & $1$ & ``4321'' \\ |
|
|
9598 \hline |
|
|
9599 \end{tabular} |
|
|
9600 \end{center} |
|
|
9601 \caption{Example of Algorithm mp\_toradix.} |
|
|
9602 \label{fig:mpradix} |
|
|
9603 \end{figure} |
|
|
9604 |
|
|
9605 \vspace{+3mm}\begin{small} |
|
|
9606 \hspace{-5.1mm}{\bf File}: bn\_mp\_toradix.c |
|
|
9607 \vspace{-3mm} |
|
|
9608 \begin{alltt} |
|
|
9609 016 |
|
|
9610 017 /* stores a bignum as a ASCII string in a given radix (2..64) */ |
|
|
9611 018 int mp_toradix (mp_int * a, char *str, int radix) |
|
|
9612 019 \{ |
|
|
9613 020 int res, digs; |
|
|
9614 021 mp_int t; |
|
|
9615 022 mp_digit d; |
|
|
9616 023 char *_s = str; |
|
|
9617 024 |
|
|
9618 025 /* check range of the radix */ |
|
|
9619 026 if (radix < 2 || radix > 64) \{ |
|
|
9620 027 return MP_VAL; |
|
|
9621 028 \} |
|
|
9622 029 |
|
|
9623 030 /* quick out if its zero */ |
|
|
9624 031 if (mp_iszero(a) == 1) \{ |
|
|
9625 032 *str++ = '0'; |
|
|
9626 033 *str = '\symbol{92}0'; |
|
|
9627 034 return MP_OKAY; |
|
|
9628 035 \} |
|
|
9629 036 |
|
|
9630 037 if ((res = mp_init_copy (&t, a)) != MP_OKAY) \{ |
|
|
9631 038 return res; |
|
|
9632 039 \} |
|
|
9633 040 |
|
|
9634 041 /* if it is negative output a - */ |
|
|
9635 042 if (t.sign == MP_NEG) \{ |
|
|
9636 043 ++_s; |
|
|
9637 044 *str++ = '-'; |
|
|
9638 045 t.sign = MP_ZPOS; |
|
|
9639 046 \} |
|
|
9640 047 |
|
|
9641 048 digs = 0; |
|
|
9642 049 while (mp_iszero (&t) == 0) \{ |
|
|
9643 050 if ((res = mp_div_d (&t, (mp_digit) radix, &t, &d)) != MP_OKAY) \{ |
|
|
9644 051 mp_clear (&t); |
|
|
9645 052 return res; |
|
|
9646 053 \} |
|
|
9647 054 *str++ = mp_s_rmap[d]; |
|
|
9648 055 ++digs; |
|
|
9649 056 \} |
|
|
9650 057 |
|
|
9651 058 /* reverse the digits of the string. In this case _s points |
|
|
9652 059 * to the first digit [exluding the sign] of the number] |
|
|
9653 060 */ |
|
|
9654 061 bn_reverse ((unsigned char *)_s, digs); |
|
|
9655 062 |
|
|
9656 063 /* append a NULL so the string is properly terminated */ |
|
|
9657 064 *str = '\symbol{92}0'; |
|
|
9658 065 |
|
|
9659 066 mp_clear (&t); |
|
|
9660 067 return MP_OKAY; |
|
|
9661 068 \} |
|
|
9662 069 |
|
|
9663 070 #endif |
|
386
|
9664 071 |
|
282
|
9665 \end{alltt} |
|
|
9666 \end{small} |
|
|
9667 |
|
|
9668 \chapter{Number Theoretic Algorithms} |
|
|
9669 This chapter discusses several fundamental number theoretic algorithms such as the greatest common divisor, least common multiple and Jacobi |
|
|
9670 symbol computation. These algorithms arise as essential components in several key cryptographic algorithms such as the RSA public key algorithm and |
|
|
9671 various Sieve based factoring algorithms. |
|
|
9672 |
|
|
9673 \section{Greatest Common Divisor} |
|
|
9674 The greatest common divisor of two integers $a$ and $b$, often denoted as $(a, b)$ is the largest integer $k$ that is a proper divisor of |
|
|
9675 both $a$ and $b$. That is, $k$ is the largest integer such that $0 \equiv a \mbox{ (mod }k\mbox{)}$ and $0 \equiv b \mbox{ (mod }k\mbox{)}$ occur |
|
|
9676 simultaneously. |
|
|
9677 |
|
|
9678 The most common approach (cite) is to reduce one input modulo another. That is if $a$ and $b$ are divisible by some integer $k$ and if $qa + r = b$ then |
|
|
9679 $r$ is also divisible by $k$. The reduction pattern follows $\left < a , b \right > \rightarrow \left < b, a \mbox{ mod } b \right >$. |
|
|
9680 |
|
|
9681 \newpage\begin{figure}[!here] |
|
|
9682 \begin{small} |
|
|
9683 \begin{center} |
|
|
9684 \begin{tabular}{l} |
|
|
9685 \hline Algorithm \textbf{Greatest Common Divisor (I)}. \\ |
|
|
9686 \textbf{Input}. Two positive integers $a$ and $b$ greater than zero. \\ |
|
|
9687 \textbf{Output}. The greatest common divisor $(a, b)$. \\ |
|
|
9688 \hline \\ |
|
|
9689 1. While ($b > 0$) do \\ |
|
|
9690 \hspace{3mm}1.1 $r \leftarrow a \mbox{ (mod }b\mbox{)}$ \\ |
|
|
9691 \hspace{3mm}1.2 $a \leftarrow b$ \\ |
|
|
9692 \hspace{3mm}1.3 $b \leftarrow r$ \\ |
|
|
9693 2. Return($a$). \\ |
|
|
9694 \hline |
|
|
9695 \end{tabular} |
|
|
9696 \end{center} |
|
|
9697 \end{small} |
|
|
9698 \caption{Algorithm Greatest Common Divisor (I)} |
|
|
9699 \label{fig:gcd1} |
|
|
9700 \end{figure} |
|
|
9701 |
|
|
9702 This algorithm will quickly converge on the greatest common divisor since the residue $r$ tends diminish rapidly. However, divisions are |
|
|
9703 relatively expensive operations to perform and should ideally be avoided. There is another approach based on a similar relationship of |
|
|
9704 greatest common divisors. The faster approach is based on the observation that if $k$ divides both $a$ and $b$ it will also divide $a - b$. |
|
|
9705 In particular, we would like $a - b$ to decrease in magnitude which implies that $b \ge a$. |
|
|
9706 |
|
|
9707 \begin{figure}[!here] |
|
|
9708 \begin{small} |
|
|
9709 \begin{center} |
|
|
9710 \begin{tabular}{l} |
|
|
9711 \hline Algorithm \textbf{Greatest Common Divisor (II)}. \\ |
|
|
9712 \textbf{Input}. Two positive integers $a$ and $b$ greater than zero. \\ |
|
|
9713 \textbf{Output}. The greatest common divisor $(a, b)$. \\ |
|
|
9714 \hline \\ |
|
|
9715 1. While ($b > 0$) do \\ |
|
|
9716 \hspace{3mm}1.1 Swap $a$ and $b$ such that $a$ is the smallest of the two. \\ |
|
|
9717 \hspace{3mm}1.2 $b \leftarrow b - a$ \\ |
|
|
9718 2. Return($a$). \\ |
|
|
9719 \hline |
|
|
9720 \end{tabular} |
|
|
9721 \end{center} |
|
|
9722 \end{small} |
|
|
9723 \caption{Algorithm Greatest Common Divisor (II)} |
|
|
9724 \label{fig:gcd2} |
|
|
9725 \end{figure} |
|
|
9726 |
|
|
9727 \textbf{Proof} \textit{Algorithm~\ref{fig:gcd2} will return the greatest common divisor of $a$ and $b$.} |
|
|
9728 The algorithm in figure~\ref{fig:gcd2} will eventually terminate since $b \ge a$ the subtraction in step 1.2 will be a value less than $b$. In other |
|
|
9729 words in every iteration that tuple $\left < a, b \right >$ decrease in magnitude until eventually $a = b$. Since both $a$ and $b$ are always |
|
|
9730 divisible by the greatest common divisor (\textit{until the last iteration}) and in the last iteration of the algorithm $b = 0$, therefore, in the |
|
|
9731 second to last iteration of the algorithm $b = a$ and clearly $(a, a) = a$ which concludes the proof. \textbf{QED}. |
|
|
9732 |
|
|
9733 As a matter of practicality algorithm \ref{fig:gcd1} decreases far too slowly to be useful. Specially if $b$ is much larger than $a$ such that |
|
|
9734 $b - a$ is still very much larger than $a$. A simple addition to the algorithm is to divide $b - a$ by a power of some integer $p$ which does |
|
|
9735 not divide the greatest common divisor but will divide $b - a$. In this case ${b - a} \over p$ is also an integer and still divisible by |
|
|
9736 the greatest common divisor. |
|
|
9737 |
|
|
9738 However, instead of factoring $b - a$ to find a suitable value of $p$ the powers of $p$ can be removed from $a$ and $b$ that are in common first. |
|
|
9739 Then inside the loop whenever $b - a$ is divisible by some power of $p$ it can be safely removed. |
|
|
9740 |
|
|
9741 \begin{figure}[!here] |
|
|
9742 \begin{small} |
|
|
9743 \begin{center} |
|
|
9744 \begin{tabular}{l} |
|
|
9745 \hline Algorithm \textbf{Greatest Common Divisor (III)}. \\ |
|
|
9746 \textbf{Input}. Two positive integers $a$ and $b$ greater than zero. \\ |
|
|
9747 \textbf{Output}. The greatest common divisor $(a, b)$. \\ |
|
|
9748 \hline \\ |
|
|
9749 1. $k \leftarrow 0$ \\ |
|
|
9750 2. While $a$ and $b$ are both divisible by $p$ do \\ |
|
|
9751 \hspace{3mm}2.1 $a \leftarrow \lfloor a / p \rfloor$ \\ |
|
|
9752 \hspace{3mm}2.2 $b \leftarrow \lfloor b / p \rfloor$ \\ |
|
|
9753 \hspace{3mm}2.3 $k \leftarrow k + 1$ \\ |
|
|
9754 3. While $a$ is divisible by $p$ do \\ |
|
|
9755 \hspace{3mm}3.1 $a \leftarrow \lfloor a / p \rfloor$ \\ |
|
|
9756 4. While $b$ is divisible by $p$ do \\ |
|
|
9757 \hspace{3mm}4.1 $b \leftarrow \lfloor b / p \rfloor$ \\ |
|
|
9758 5. While ($b > 0$) do \\ |
|
|
9759 \hspace{3mm}5.1 Swap $a$ and $b$ such that $a$ is the smallest of the two. \\ |
|
|
9760 \hspace{3mm}5.2 $b \leftarrow b - a$ \\ |
|
|
9761 \hspace{3mm}5.3 While $b$ is divisible by $p$ do \\ |
|
|
9762 \hspace{6mm}5.3.1 $b \leftarrow \lfloor b / p \rfloor$ \\ |
|
|
9763 6. Return($a \cdot p^k$). \\ |
|
|
9764 \hline |
|
|
9765 \end{tabular} |
|
|
9766 \end{center} |
|
|
9767 \end{small} |
|
|
9768 \caption{Algorithm Greatest Common Divisor (III)} |
|
|
9769 \label{fig:gcd3} |
|
|
9770 \end{figure} |
|
|
9771 |
|
|
9772 This algorithm is based on the first except it removes powers of $p$ first and inside the main loop to ensure the tuple $\left < a, b \right >$ |
|
|
9773 decreases more rapidly. The first loop on step two removes powers of $p$ that are in common. A count, $k$, is kept which will present a common |
|
|
9774 divisor of $p^k$. After step two the remaining common divisor of $a$ and $b$ cannot be divisible by $p$. This means that $p$ can be safely |
|
|
9775 divided out of the difference $b - a$ so long as the division leaves no remainder. |
|
|
9776 |
|
|
9777 In particular the value of $p$ should be chosen such that the division on step 5.3.1 occur often. It also helps that division by $p$ be easy |
|
|
9778 to compute. The ideal choice of $p$ is two since division by two amounts to a right logical shift. Another important observation is that by |
|
|
9779 step five both $a$ and $b$ are odd. Therefore, the diffrence $b - a$ must be even which means that each iteration removes one bit from the |
|
|
9780 largest of the pair. |
|
|
9781 |
|
|
9782 \subsection{Complete Greatest Common Divisor} |
|
|
9783 The algorithms presented so far cannot handle inputs which are zero or negative. The following algorithm can handle all input cases properly |
|
|
9784 and will produce the greatest common divisor. |
|
|
9785 |
|
|
9786 \newpage\begin{figure}[!here] |
|
|
9787 \begin{small} |
|
|
9788 \begin{center} |
|
|
9789 \begin{tabular}{l} |
|
|
9790 \hline Algorithm \textbf{mp\_gcd}. \\ |
|
|
9791 \textbf{Input}. mp\_int $a$ and $b$ \\ |
|
|
9792 \textbf{Output}. The greatest common divisor $c = (a, b)$. \\ |
|
|
9793 \hline \\ |
|
386
|
9794 1. If $a = 0$ then \\ |
|
|
9795 \hspace{3mm}1.1 $c \leftarrow \vert b \vert $ \\ |
|
282
|
9796 \hspace{3mm}1.2 Return(\textit{MP\_OKAY}). \\ |
|
386
|
9797 2. If $b = 0$ then \\ |
|
|
9798 \hspace{3mm}2.1 $c \leftarrow \vert a \vert $ \\ |
|
282
|
9799 \hspace{3mm}2.2 Return(\textit{MP\_OKAY}). \\ |
|
386
|
9800 3. $u \leftarrow \vert a \vert, v \leftarrow \vert b \vert$ \\ |
|
|
9801 4. $k \leftarrow 0$ \\ |
|
|
9802 5. While $u.used > 0$ and $v.used > 0$ and $u_0 \equiv v_0 \equiv 0 \mbox{ (mod }2\mbox{)}$ \\ |
|
|
9803 \hspace{3mm}5.1 $k \leftarrow k + 1$ \\ |
|
|
9804 \hspace{3mm}5.2 $u \leftarrow \lfloor u / 2 \rfloor$ \\ |
|
|
9805 \hspace{3mm}5.3 $v \leftarrow \lfloor v / 2 \rfloor$ \\ |
|
|
9806 6. While $u.used > 0$ and $u_0 \equiv 0 \mbox{ (mod }2\mbox{)}$ \\ |
|
|
9807 \hspace{3mm}6.1 $u \leftarrow \lfloor u / 2 \rfloor$ \\ |
|
|
9808 7. While $v.used > 0$ and $v_0 \equiv 0 \mbox{ (mod }2\mbox{)}$ \\ |
|
|
9809 \hspace{3mm}7.1 $v \leftarrow \lfloor v / 2 \rfloor$ \\ |
|
|
9810 8. While $v.used > 0$ \\ |
|
|
9811 \hspace{3mm}8.1 If $\vert u \vert > \vert v \vert$ then \\ |
|
|
9812 \hspace{6mm}8.1.1 Swap $u$ and $v$. \\ |
|
|
9813 \hspace{3mm}8.2 $v \leftarrow \vert v \vert - \vert u \vert$ \\ |
|
|
9814 \hspace{3mm}8.3 While $v.used > 0$ and $v_0 \equiv 0 \mbox{ (mod }2\mbox{)}$ \\ |
|
|
9815 \hspace{6mm}8.3.1 $v \leftarrow \lfloor v / 2 \rfloor$ \\ |
|
|
9816 9. $c \leftarrow u \cdot 2^k$ \\ |
|
|
9817 10. Return(\textit{MP\_OKAY}). \\ |
|
282
|
9818 \hline |
|
|
9819 \end{tabular} |
|
|
9820 \end{center} |
|
|
9821 \end{small} |
|
|
9822 \caption{Algorithm mp\_gcd} |
|
|
9823 \end{figure} |
|
|
9824 \textbf{Algorithm mp\_gcd.} |
|
|
9825 This algorithm will produce the greatest common divisor of two mp\_ints $a$ and $b$. The algorithm was originally based on Algorithm B of |
|
|
9826 Knuth \cite[pp. 338]{TAOCPV2} but has been modified to be simpler to explain. In theory it achieves the same asymptotic working time as |
|
|
9827 Algorithm B and in practice this appears to be true. |
|
|
9828 |
|
386
|
9829 The first two steps handle the cases where either one of or both inputs are zero. If either input is zero the greatest common divisor is the |
|
282
|
9830 largest input or zero if they are both zero. If the inputs are not trivial than $u$ and $v$ are assigned the absolute values of |
|
|
9831 $a$ and $b$ respectively and the algorithm will proceed to reduce the pair. |
|
|
9832 |
|
386
|
9833 Step five will divide out any common factors of two and keep track of the count in the variable $k$. After this step, two is no longer a |
|
282
|
9834 factor of the remaining greatest common divisor between $u$ and $v$ and can be safely evenly divided out of either whenever they are even. Step |
|
386
|
9835 six and seven ensure that the $u$ and $v$ respectively have no more factors of two. At most only one of the while--loops will iterate since |
|
282
|
9836 they cannot both be even. |
|
|
9837 |
|
386
|
9838 By step eight both of $u$ and $v$ are odd which is required for the inner logic. First the pair are swapped such that $v$ is equal to |
|
|
9839 or greater than $u$. This ensures that the subtraction on step 8.2 will always produce a positive and even result. Step 8.3 removes any |
|
282
|
9840 factors of two from the difference $u$ to ensure that in the next iteration of the loop both are once again odd. |
|
|
9841 |
|
|
9842 After $v = 0$ occurs the variable $u$ has the greatest common divisor of the pair $\left < u, v \right >$ just after step six. The result |
|
|
9843 must be adjusted by multiplying by the common factors of two ($2^k$) removed earlier. |
|
|
9844 |
|
|
9845 \vspace{+3mm}\begin{small} |
|
|
9846 \hspace{-5.1mm}{\bf File}: bn\_mp\_gcd.c |
|
|
9847 \vspace{-3mm} |
|
|
9848 \begin{alltt} |
|
|
9849 016 |
|
|
9850 017 /* Greatest Common Divisor using the binary method */ |
|
|
9851 018 int mp_gcd (mp_int * a, mp_int * b, mp_int * c) |
|
|
9852 019 \{ |
|
|
9853 020 mp_int u, v; |
|
|
9854 021 int k, u_lsb, v_lsb, res; |
|
|
9855 022 |
|
|
9856 023 /* either zero than gcd is the largest */ |
|
386
|
9857 024 if (mp_iszero (a) == MP_YES) \{ |
|
282
|
9858 025 return mp_abs (b, c); |
|
|
9859 026 \} |
|
386
|
9860 027 if (mp_iszero (b) == MP_YES) \{ |
|
282
|
9861 028 return mp_abs (a, c); |
|
|
9862 029 \} |
|
|
9863 030 |
|
386
|
9864 031 /* get copies of a and b we can modify */ |
|
|
9865 032 if ((res = mp_init_copy (&u, a)) != MP_OKAY) \{ |
|
|
9866 033 return res; |
|
|
9867 034 \} |
|
|
9868 035 |
|
|
9869 036 if ((res = mp_init_copy (&v, b)) != MP_OKAY) \{ |
|
|
9870 037 goto LBL_U; |
|
|
9871 038 \} |
|
|
9872 039 |
|
|
9873 040 /* must be positive for the remainder of the algorithm */ |
|
|
9874 041 u.sign = v.sign = MP_ZPOS; |
|
|
9875 042 |
|
|
9876 043 /* B1. Find the common power of two for u and v */ |
|
|
9877 044 u_lsb = mp_cnt_lsb(&u); |
|
|
9878 045 v_lsb = mp_cnt_lsb(&v); |
|
|
9879 046 k = MIN(u_lsb, v_lsb); |
|
282
|
9880 047 |
|
386
|
9881 048 if (k > 0) \{ |
|
|
9882 049 /* divide the power of two out */ |
|
|
9883 050 if ((res = mp_div_2d(&u, k, &u, NULL)) != MP_OKAY) \{ |
|
|
9884 051 goto LBL_V; |
|
|
9885 052 \} |
|
|
9886 053 |
|
|
9887 054 if ((res = mp_div_2d(&v, k, &v, NULL)) != MP_OKAY) \{ |
|
|
9888 055 goto LBL_V; |
|
|
9889 056 \} |
|
|
9890 057 \} |
|
|
9891 058 |
|
|
9892 059 /* divide any remaining factors of two out */ |
|
|
9893 060 if (u_lsb != k) \{ |
|
|
9894 061 if ((res = mp_div_2d(&u, u_lsb - k, &u, NULL)) != MP_OKAY) \{ |
|
|
9895 062 goto LBL_V; |
|
|
9896 063 \} |
|
|
9897 064 \} |
|
|
9898 065 |
|
|
9899 066 if (v_lsb != k) \{ |
|
|
9900 067 if ((res = mp_div_2d(&v, v_lsb - k, &v, NULL)) != MP_OKAY) \{ |
|
|
9901 068 goto LBL_V; |
|
|
9902 069 \} |
|
|
9903 070 \} |
|
|
9904 071 |
|
|
9905 072 while (mp_iszero(&v) == 0) \{ |
|
|
9906 073 /* make sure v is the largest */ |
|
|
9907 074 if (mp_cmp_mag(&u, &v) == MP_GT) \{ |
|
|
9908 075 /* swap u and v to make sure v is >= u */ |
|
|
9909 076 mp_exch(&u, &v); |
|
282
|
9910 077 \} |
|
386
|
9911 078 |
|
|
9912 079 /* subtract smallest from largest */ |
|
|
9913 080 if ((res = s_mp_sub(&v, &u, &v)) != MP_OKAY) \{ |
|
|
9914 081 goto LBL_V; |
|
|
9915 082 \} |
|
|
9916 083 |
|
|
9917 084 /* Divide out all factors of two */ |
|
|
9918 085 if ((res = mp_div_2d(&v, mp_cnt_lsb(&v), &v, NULL)) != MP_OKAY) \{ |
|
|
9919 086 goto LBL_V; |
|
|
9920 087 \} |
|
|
9921 088 \} |
|
|
9922 089 |
|
|
9923 090 /* multiply by 2**k which we divided out at the beginning */ |
|
|
9924 091 if ((res = mp_mul_2d (&u, k, c)) != MP_OKAY) \{ |
|
|
9925 092 goto LBL_V; |
|
|
9926 093 \} |
|
|
9927 094 c->sign = MP_ZPOS; |
|
|
9928 095 res = MP_OKAY; |
|
|
9929 096 LBL_V:mp_clear (&u); |
|
|
9930 097 LBL_U:mp_clear (&v); |
|
|
9931 098 return res; |
|
|
9932 099 \} |
|
|
9933 100 #endif |
|
|
9934 101 |
|
282
|
9935 \end{alltt} |
|
|
9936 \end{small} |
|
|
9937 |
|
|
9938 This function makes use of the macros mp\_iszero and mp\_iseven. The former evaluates to $1$ if the input mp\_int is equivalent to the |
|
|
9939 integer zero otherwise it evaluates to $0$. The latter evaluates to $1$ if the input mp\_int represents a non-zero even integer otherwise |
|
|
9940 it evaluates to $0$. Note that just because mp\_iseven may evaluate to $0$ does not mean the input is odd, it could also be zero. The three |
|
386
|
9941 trivial cases of inputs are handled on lines 23 through 29. After those lines the inputs are assumed to be non-zero. |
|
|
9942 |
|
|
9943 Lines 32 and 36 make local copies $u$ and $v$ of the inputs $a$ and $b$ respectively. At this point the common factors of two |
|
|
9944 must be divided out of the two inputs. The block starting at line 43 removes common factors of two by first counting the number of trailing |
|
|
9945 zero bits in both. The local integer $k$ is used to keep track of how many factors of $2$ are pulled out of both values. It is assumed that |
|
|
9946 the number of factors will not exceed the maximum value of a C ``int'' data type\footnote{Strictly speaking no array in C may have more than |
|
|
9947 entries than are accessible by an ``int'' so this is not a limitation.}. |
|
|
9948 |
|
|
9949 At this point there are no more common factors of two in the two values. The divisions by a power of two on lines 61 and 67 remove |
|
|
9950 any independent factors of two such that both $u$ and $v$ are guaranteed to be an odd integer before hitting the main body of the algorithm. The while loop |
|
|
9951 on line 72 performs the reduction of the pair until $v$ is equal to zero. The unsigned comparison and subtraction algorithms are used in |
|
282
|
9952 place of the full signed routines since both values are guaranteed to be positive and the result of the subtraction is guaranteed to be non-negative. |
|
|
9953 |
|
|
9954 \section{Least Common Multiple} |
|
|
9955 The least common multiple of a pair of integers is their product divided by their greatest common divisor. For two integers $a$ and $b$ the |
|
|
9956 least common multiple is normally denoted as $[ a, b ]$ and numerically equivalent to ${ab} \over {(a, b)}$. For example, if $a = 2 \cdot 2 \cdot 3 = 12$ |
|
|
9957 and $b = 2 \cdot 3 \cdot 3 \cdot 7 = 126$ the least common multiple is ${126 \over {(12, 126)}} = {126 \over 6} = 21$. |
|
|
9958 |
|
|
9959 The least common multiple arises often in coding theory as well as number theory. If two functions have periods of $a$ and $b$ respectively they will |
|
|
9960 collide, that is be in synchronous states, after only $[ a, b ]$ iterations. This is why, for example, random number generators based on |
|
|
9961 Linear Feedback Shift Registers (LFSR) tend to use registers with periods which are co-prime (\textit{e.g. the greatest common divisor is one.}). |
|
|
9962 Similarly in number theory if a composite $n$ has two prime factors $p$ and $q$ then maximal order of any unit of $\Z/n\Z$ will be $[ p - 1, q - 1] $. |
|
|
9963 |
|
|
9964 \begin{figure}[!here] |
|
|
9965 \begin{small} |
|
|
9966 \begin{center} |
|
|
9967 \begin{tabular}{l} |
|
|
9968 \hline Algorithm \textbf{mp\_lcm}. \\ |
|
|
9969 \textbf{Input}. mp\_int $a$ and $b$ \\ |
|
|
9970 \textbf{Output}. The least common multiple $c = [a, b]$. \\ |
|
|
9971 \hline \\ |
|
|
9972 1. $c \leftarrow (a, b)$ \\ |
|
|
9973 2. $t \leftarrow a \cdot b$ \\ |
|
|
9974 3. $c \leftarrow \lfloor t / c \rfloor$ \\ |
|
|
9975 4. Return(\textit{MP\_OKAY}). \\ |
|
|
9976 \hline |
|
|
9977 \end{tabular} |
|
|
9978 \end{center} |
|
|
9979 \end{small} |
|
|
9980 \caption{Algorithm mp\_lcm} |
|
|
9981 \end{figure} |
|
|
9982 \textbf{Algorithm mp\_lcm.} |
|
|
9983 This algorithm computes the least common multiple of two mp\_int inputs $a$ and $b$. It computes the least common multiple directly by |
|
|
9984 dividing the product of the two inputs by their greatest common divisor. |
|
|
9985 |
|
|
9986 \vspace{+3mm}\begin{small} |
|
|
9987 \hspace{-5.1mm}{\bf File}: bn\_mp\_lcm.c |
|
|
9988 \vspace{-3mm} |
|
|
9989 \begin{alltt} |
|
|
9990 016 |
|
|
9991 017 /* computes least common multiple as |a*b|/(a, b) */ |
|
|
9992 018 int mp_lcm (mp_int * a, mp_int * b, mp_int * c) |
|
|
9993 019 \{ |
|
|
9994 020 int res; |
|
|
9995 021 mp_int t1, t2; |
|
|
9996 022 |
|
|
9997 023 |
|
|
9998 024 if ((res = mp_init_multi (&t1, &t2, NULL)) != MP_OKAY) \{ |
|
|
9999 025 return res; |
|
|
10000 026 \} |
|
|
10001 027 |
|
|
10002 028 /* t1 = get the GCD of the two inputs */ |
|
|
10003 029 if ((res = mp_gcd (a, b, &t1)) != MP_OKAY) \{ |
|
|
10004 030 goto LBL_T; |
|
|
10005 031 \} |
|
|
10006 032 |
|
|
10007 033 /* divide the smallest by the GCD */ |
|
|
10008 034 if (mp_cmp_mag(a, b) == MP_LT) \{ |
|
|
10009 035 /* store quotient in t2 such that t2 * b is the LCM */ |
|
|
10010 036 if ((res = mp_div(a, &t1, &t2, NULL)) != MP_OKAY) \{ |
|
|
10011 037 goto LBL_T; |
|
|
10012 038 \} |
|
|
10013 039 res = mp_mul(b, &t2, c); |
|
|
10014 040 \} else \{ |
|
|
10015 041 /* store quotient in t2 such that t2 * a is the LCM */ |
|
|
10016 042 if ((res = mp_div(b, &t1, &t2, NULL)) != MP_OKAY) \{ |
|
|
10017 043 goto LBL_T; |
|
|
10018 044 \} |
|
|
10019 045 res = mp_mul(a, &t2, c); |
|
|
10020 046 \} |
|
|
10021 047 |
|
|
10022 048 /* fix the sign to positive */ |
|
|
10023 049 c->sign = MP_ZPOS; |
|
|
10024 050 |
|
|
10025 051 LBL_T: |
|
|
10026 052 mp_clear_multi (&t1, &t2, NULL); |
|
|
10027 053 return res; |
|
|
10028 054 \} |
|
|
10029 055 #endif |
|
386
|
10030 056 |
|
282
|
10031 \end{alltt} |
|
|
10032 \end{small} |
|
|
10033 |
|
|
10034 \section{Jacobi Symbol Computation} |
|
|
10035 To explain the Jacobi Symbol we shall first discuss the Legendre function\footnote{Arrg. What is the name of this?} off which the Jacobi symbol is |
|
|
10036 defined. The Legendre function computes whether or not an integer $a$ is a quadratic residue modulo an odd prime $p$. Numerically it is |
|
|
10037 equivalent to equation \ref{eqn:legendre}. |
|
|
10038 |
|
|
10039 \textit{-- Tom, don't be an ass, cite your source here...!} |
|
|
10040 |
|
|
10041 \begin{equation} |
|
|
10042 a^{(p-1)/2} \equiv \begin{array}{rl} |
|
|
10043 -1 & \mbox{if }a\mbox{ is a quadratic non-residue.} \\ |
|
|
10044 0 & \mbox{if }a\mbox{ divides }p\mbox{.} \\ |
|
|
10045 1 & \mbox{if }a\mbox{ is a quadratic residue}. |
|
|
10046 \end{array} \mbox{ (mod }p\mbox{)} |
|
|
10047 \label{eqn:legendre} |
|
|
10048 \end{equation} |
|
|
10049 |
|
|
10050 \textbf{Proof.} \textit{Equation \ref{eqn:legendre} correctly identifies the residue status of an integer $a$ modulo a prime $p$.} |
|
|
10051 An integer $a$ is a quadratic residue if the following equation has a solution. |
|
|
10052 |
|
|
10053 \begin{equation} |
|
|
10054 x^2 \equiv a \mbox{ (mod }p\mbox{)} |
|
|
10055 \label{eqn:root} |
|
|
10056 \end{equation} |
|
|
10057 |
|
|
10058 Consider the following equation. |
|
|
10059 |
|
|
10060 \begin{equation} |
|
|
10061 0 \equiv x^{p-1} - 1 \equiv \left \lbrace \left (x^2 \right )^{(p-1)/2} - a^{(p-1)/2} \right \rbrace + \left ( a^{(p-1)/2} - 1 \right ) \mbox{ (mod }p\mbox{)} |
|
|
10062 \label{eqn:rooti} |
|
|
10063 \end{equation} |
|
|
10064 |
|
|
10065 Whether equation \ref{eqn:root} has a solution or not equation \ref{eqn:rooti} is always true. If $a^{(p-1)/2} - 1 \equiv 0 \mbox{ (mod }p\mbox{)}$ |
|
|
10066 then the quantity in the braces must be zero. By reduction, |
|
|
10067 |
|
|
10068 \begin{eqnarray} |
|
|
10069 \left (x^2 \right )^{(p-1)/2} - a^{(p-1)/2} \equiv 0 \nonumber \\ |
|
|
10070 \left (x^2 \right )^{(p-1)/2} \equiv a^{(p-1)/2} \nonumber \\ |
|
|
10071 x^2 \equiv a \mbox{ (mod }p\mbox{)} |
|
|
10072 \end{eqnarray} |
|
|
10073 |
|
|
10074 As a result there must be a solution to the quadratic equation and in turn $a$ must be a quadratic residue. If $a$ does not divide $p$ and $a$ |
|
|
10075 is not a quadratic residue then the only other value $a^{(p-1)/2}$ may be congruent to is $-1$ since |
|
|
10076 \begin{equation} |
|
|
10077 0 \equiv a^{p - 1} - 1 \equiv (a^{(p-1)/2} + 1)(a^{(p-1)/2} - 1) \mbox{ (mod }p\mbox{)} |
|
|
10078 \end{equation} |
|
|
10079 One of the terms on the right hand side must be zero. \textbf{QED} |
|
|
10080 |
|
|
10081 \subsection{Jacobi Symbol} |
|
|
10082 The Jacobi symbol is a generalization of the Legendre function for any odd non prime moduli $p$ greater than 2. If $p = \prod_{i=0}^n p_i$ then |
|
|
10083 the Jacobi symbol $\left ( { a \over p } \right )$ is equal to the following equation. |
|
|
10084 |
|
|
10085 \begin{equation} |
|
|
10086 \left ( { a \over p } \right ) = \left ( { a \over p_0} \right ) \left ( { a \over p_1} \right ) \ldots \left ( { a \over p_n} \right ) |
|
|
10087 \end{equation} |
|
|
10088 |
|
|
10089 By inspection if $p$ is prime the Jacobi symbol is equivalent to the Legendre function. The following facts\footnote{See HAC \cite[pp. 72-74]{HAC} for |
|
|
10090 further details.} will be used to derive an efficient Jacobi symbol algorithm. Where $p$ is an odd integer greater than two and $a, b \in \Z$ the |
|
|
10091 following are true. |
|
|
10092 |
|
|
10093 \begin{enumerate} |
|
|
10094 \item $\left ( { a \over p} \right )$ equals $-1$, $0$ or $1$. |
|
|
10095 \item $\left ( { ab \over p} \right ) = \left ( { a \over p} \right )\left ( { b \over p} \right )$. |
|
|
10096 \item If $a \equiv b$ then $\left ( { a \over p} \right ) = \left ( { b \over p} \right )$. |
|
|
10097 \item $\left ( { 2 \over p} \right )$ equals $1$ if $p \equiv 1$ or $7 \mbox{ (mod }8\mbox{)}$. Otherwise, it equals $-1$. |
|
|
10098 \item $\left ( { a \over p} \right ) \equiv \left ( { p \over a} \right ) \cdot (-1)^{(p-1)(a-1)/4}$. More specifically |
|
|
10099 $\left ( { a \over p} \right ) = \left ( { p \over a} \right )$ if $p \equiv a \equiv 1 \mbox{ (mod }4\mbox{)}$. |
|
|
10100 \end{enumerate} |
|
|
10101 |
|
|
10102 Using these facts if $a = 2^k \cdot a'$ then |
|
|
10103 |
|
|
10104 \begin{eqnarray} |
|
|
10105 \left ( { a \over p } \right ) = \left ( {{2^k} \over p } \right ) \left ( {a' \over p} \right ) \nonumber \\ |
|
|
10106 = \left ( {2 \over p } \right )^k \left ( {a' \over p} \right ) |
|
|
10107 \label{eqn:jacobi} |
|
|
10108 \end{eqnarray} |
|
|
10109 |
|
|
10110 By fact five, |
|
|
10111 |
|
|
10112 \begin{equation} |
|
|
10113 \left ( { a \over p } \right ) = \left ( { p \over a } \right ) \cdot (-1)^{(p-1)(a-1)/4} |
|
|
10114 \end{equation} |
|
|
10115 |
|
|
10116 Subsequently by fact three since $p \equiv (p \mbox{ mod }a) \mbox{ (mod }a\mbox{)}$ then |
|
|
10117 |
|
|
10118 \begin{equation} |
|
|
10119 \left ( { a \over p } \right ) = \left ( { {p \mbox{ mod } a} \over a } \right ) \cdot (-1)^{(p-1)(a-1)/4} |
|
|
10120 \end{equation} |
|
|
10121 |
|
|
10122 By putting both observations into equation \ref{eqn:jacobi} the following simplified equation is formed. |
|
|
10123 |
|
|
10124 \begin{equation} |
|
|
10125 \left ( { a \over p } \right ) = \left ( {2 \over p } \right )^k \left ( {{p\mbox{ mod }a'} \over a'} \right ) \cdot (-1)^{(p-1)(a'-1)/4} |
|
|
10126 \end{equation} |
|
|
10127 |
|
|
10128 The value of $\left ( {{p \mbox{ mod }a'} \over a'} \right )$ can be found by using the same equation recursively. The value of |
|
|
10129 $\left ( {2 \over p } \right )^k$ equals $1$ if $k$ is even otherwise it equals $\left ( {2 \over p } \right )$. Using this approach the |
|
|
10130 factors of $p$ do not have to be known. Furthermore, if $(a, p) = 1$ then the algorithm will terminate when the recursion requests the |
|
|
10131 Jacobi symbol computation of $\left ( {1 \over a'} \right )$ which is simply $1$. |
|
|
10132 |
|
|
10133 \newpage\begin{figure}[!here] |
|
|
10134 \begin{small} |
|
|
10135 \begin{center} |
|
|
10136 \begin{tabular}{l} |
|
|
10137 \hline Algorithm \textbf{mp\_jacobi}. \\ |
|
|
10138 \textbf{Input}. mp\_int $a$ and $p$, $a \ge 0$, $p \ge 3$, $p \equiv 1 \mbox{ (mod }2\mbox{)}$ \\ |
|
|
10139 \textbf{Output}. The Jacobi symbol $c = \left ( {a \over p } \right )$. \\ |
|
|
10140 \hline \\ |
|
|
10141 1. If $a = 0$ then \\ |
|
|
10142 \hspace{3mm}1.1 $c \leftarrow 0$ \\ |
|
|
10143 \hspace{3mm}1.2 Return(\textit{MP\_OKAY}). \\ |
|
|
10144 2. If $a = 1$ then \\ |
|
|
10145 \hspace{3mm}2.1 $c \leftarrow 1$ \\ |
|
|
10146 \hspace{3mm}2.2 Return(\textit{MP\_OKAY}). \\ |
|
|
10147 3. $a' \leftarrow a$ \\ |
|
|
10148 4. $k \leftarrow 0$ \\ |
|
|
10149 5. While $a'.used > 0$ and $a'_0 \equiv 0 \mbox{ (mod }2\mbox{)}$ \\ |
|
|
10150 \hspace{3mm}5.1 $k \leftarrow k + 1$ \\ |
|
|
10151 \hspace{3mm}5.2 $a' \leftarrow \lfloor a' / 2 \rfloor$ \\ |
|
|
10152 6. If $k \equiv 0 \mbox{ (mod }2\mbox{)}$ then \\ |
|
|
10153 \hspace{3mm}6.1 $s \leftarrow 1$ \\ |
|
|
10154 7. else \\ |
|
|
10155 \hspace{3mm}7.1 $r \leftarrow p_0 \mbox{ (mod }8\mbox{)}$ \\ |
|
|
10156 \hspace{3mm}7.2 If $r = 1$ or $r = 7$ then \\ |
|
|
10157 \hspace{6mm}7.2.1 $s \leftarrow 1$ \\ |
|
|
10158 \hspace{3mm}7.3 else \\ |
|
|
10159 \hspace{6mm}7.3.1 $s \leftarrow -1$ \\ |
|
|
10160 8. If $p_0 \equiv a'_0 \equiv 3 \mbox{ (mod }4\mbox{)}$ then \\ |
|
|
10161 \hspace{3mm}8.1 $s \leftarrow -s$ \\ |
|
|
10162 9. If $a' \ne 1$ then \\ |
|
|
10163 \hspace{3mm}9.1 $p' \leftarrow p \mbox{ (mod }a'\mbox{)}$ \\ |
|
|
10164 \hspace{3mm}9.2 $s \leftarrow s \cdot \mbox{mp\_jacobi}(p', a')$ \\ |
|
|
10165 10. $c \leftarrow s$ \\ |
|
|
10166 11. Return(\textit{MP\_OKAY}). \\ |
|
|
10167 \hline |
|
|
10168 \end{tabular} |
|
|
10169 \end{center} |
|
|
10170 \end{small} |
|
|
10171 \caption{Algorithm mp\_jacobi} |
|
|
10172 \end{figure} |
|
|
10173 \textbf{Algorithm mp\_jacobi.} |
|
|
10174 This algorithm computes the Jacobi symbol for an arbitrary positive integer $a$ with respect to an odd integer $p$ greater than three. The algorithm |
|
|
10175 is based on algorithm 2.149 of HAC \cite[pp. 73]{HAC}. |
|
|
10176 |
|
|
10177 Step numbers one and two handle the trivial cases of $a = 0$ and $a = 1$ respectively. Step five determines the number of two factors in the |
|
|
10178 input $a$. If $k$ is even than the term $\left ( { 2 \over p } \right )^k$ must always evaluate to one. If $k$ is odd than the term evaluates to one |
|
|
10179 if $p_0$ is congruent to one or seven modulo eight, otherwise it evaluates to $-1$. After the the $\left ( { 2 \over p } \right )^k$ term is handled |
|
|
10180 the $(-1)^{(p-1)(a'-1)/4}$ is computed and multiplied against the current product $s$. The latter term evaluates to one if both $p$ and $a'$ |
|
|
10181 are congruent to one modulo four, otherwise it evaluates to negative one. |
|
|
10182 |
|
|
10183 By step nine if $a'$ does not equal one a recursion is required. Step 9.1 computes $p' \equiv p \mbox{ (mod }a'\mbox{)}$ and will recurse to compute |
|
|
10184 $\left ( {p' \over a'} \right )$ which is multiplied against the current Jacobi product. |
|
|
10185 |
|
|
10186 \vspace{+3mm}\begin{small} |
|
|
10187 \hspace{-5.1mm}{\bf File}: bn\_mp\_jacobi.c |
|
|
10188 \vspace{-3mm} |
|
|
10189 \begin{alltt} |
|
|
10190 016 |
|
|
10191 017 /* computes the jacobi c = (a | n) (or Legendre if n is prime) |
|
|
10192 018 * HAC pp. 73 Algorithm 2.149 |
|
|
10193 019 */ |
|
|
10194 020 int mp_jacobi (mp_int * a, mp_int * p, int *c) |
|
|
10195 021 \{ |
|
|
10196 022 mp_int a1, p1; |
|
|
10197 023 int k, s, r, res; |
|
|
10198 024 mp_digit residue; |
|
|
10199 025 |
|
|
10200 026 /* if p <= 0 return MP_VAL */ |
|
|
10201 027 if (mp_cmp_d(p, 0) != MP_GT) \{ |
|
|
10202 028 return MP_VAL; |
|
|
10203 029 \} |
|
|
10204 030 |
|
|
10205 031 /* step 1. if a == 0, return 0 */ |
|
|
10206 032 if (mp_iszero (a) == 1) \{ |
|
|
10207 033 *c = 0; |
|
|
10208 034 return MP_OKAY; |
|
|
10209 035 \} |
|
|
10210 036 |
|
|
10211 037 /* step 2. if a == 1, return 1 */ |
|
|
10212 038 if (mp_cmp_d (a, 1) == MP_EQ) \{ |
|
|
10213 039 *c = 1; |
|
|
10214 040 return MP_OKAY; |
|
|
10215 041 \} |
|
|
10216 042 |
|
|
10217 043 /* default */ |
|
|
10218 044 s = 0; |
|
|
10219 045 |
|
|
10220 046 /* step 3. write a = a1 * 2**k */ |
|
|
10221 047 if ((res = mp_init_copy (&a1, a)) != MP_OKAY) \{ |
|
|
10222 048 return res; |
|
|
10223 049 \} |
|
|
10224 050 |
|
|
10225 051 if ((res = mp_init (&p1)) != MP_OKAY) \{ |
|
|
10226 052 goto LBL_A1; |
|
|
10227 053 \} |
|
|
10228 054 |
|
|
10229 055 /* divide out larger power of two */ |
|
|
10230 056 k = mp_cnt_lsb(&a1); |
|
|
10231 057 if ((res = mp_div_2d(&a1, k, &a1, NULL)) != MP_OKAY) \{ |
|
|
10232 058 goto LBL_P1; |
|
|
10233 059 \} |
|
|
10234 060 |
|
|
10235 061 /* step 4. if e is even set s=1 */ |
|
|
10236 062 if ((k & 1) == 0) \{ |
|
|
10237 063 s = 1; |
|
|
10238 064 \} else \{ |
|
|
10239 065 /* else set s=1 if p = 1/7 (mod 8) or s=-1 if p = 3/5 (mod 8) */ |
|
|
10240 066 residue = p->dp[0] & 7; |
|
|
10241 067 |
|
|
10242 068 if (residue == 1 || residue == 7) \{ |
|
|
10243 069 s = 1; |
|
|
10244 070 \} else if (residue == 3 || residue == 5) \{ |
|
|
10245 071 s = -1; |
|
|
10246 072 \} |
|
|
10247 073 \} |
|
|
10248 074 |
|
|
10249 075 /* step 5. if p == 3 (mod 4) *and* a1 == 3 (mod 4) then s = -s */ |
|
|
10250 076 if ( ((p->dp[0] & 3) == 3) && ((a1.dp[0] & 3) == 3)) \{ |
|
|
10251 077 s = -s; |
|
|
10252 078 \} |
|
|
10253 079 |
|
|
10254 080 /* if a1 == 1 we're done */ |
|
|
10255 081 if (mp_cmp_d (&a1, 1) == MP_EQ) \{ |
|
|
10256 082 *c = s; |
|
|
10257 083 \} else \{ |
|
|
10258 084 /* n1 = n mod a1 */ |
|
|
10259 085 if ((res = mp_mod (p, &a1, &p1)) != MP_OKAY) \{ |
|
|
10260 086 goto LBL_P1; |
|
|
10261 087 \} |
|
|
10262 088 if ((res = mp_jacobi (&p1, &a1, &r)) != MP_OKAY) \{ |
|
|
10263 089 goto LBL_P1; |
|
|
10264 090 \} |
|
|
10265 091 *c = s * r; |
|
|
10266 092 \} |
|
|
10267 093 |
|
|
10268 094 /* done */ |
|
|
10269 095 res = MP_OKAY; |
|
|
10270 096 LBL_P1:mp_clear (&p1); |
|
|
10271 097 LBL_A1:mp_clear (&a1); |
|
|
10272 098 return res; |
|
|
10273 099 \} |
|
|
10274 100 #endif |
|
386
|
10275 101 |
|
282
|
10276 \end{alltt} |
|
|
10277 \end{small} |
|
|
10278 |
|
|
10279 As a matter of practicality the variable $a'$ as per the pseudo-code is reprensented by the variable $a1$ since the $'$ symbol is not valid for a C |
|
|
10280 variable name character. |
|
|
10281 |
|
|
10282 The two simple cases of $a = 0$ and $a = 1$ are handled at the very beginning to simplify the algorithm. If the input is non-trivial the algorithm |
|
|
10283 has to proceed compute the Jacobi. The variable $s$ is used to hold the current Jacobi product. Note that $s$ is merely a C ``int'' data type since |
|
|
10284 the values it may obtain are merely $-1$, $0$ and $1$. |
|
|
10285 |
|
|
10286 After a local copy of $a$ is made all of the factors of two are divided out and the total stored in $k$. Technically only the least significant |
|
|
10287 bit of $k$ is required, however, it makes the algorithm simpler to follow to perform an addition. In practice an exclusive-or and addition have the same |
|
|
10288 processor requirements and neither is faster than the other. |
|
|
10289 |
|
|
10290 Line 61 through 70 determines the value of $\left ( { 2 \over p } \right )^k$. If the least significant bit of $k$ is zero than |
|
|
10291 $k$ is even and the value is one. Otherwise, the value of $s$ depends on which residue class $p$ belongs to modulo eight. The value of |
|
|
10292 $(-1)^{(p-1)(a'-1)/4}$ is compute and multiplied against $s$ on lines 75 through 73. |
|
|
10293 |
|
|
10294 Finally, if $a1$ does not equal one the algorithm must recurse and compute $\left ( {p' \over a'} \right )$. |
|
|
10295 |
|
|
10296 \textit{-- Comment about default $s$ and such...} |
|
|
10297 |
|
|
10298 \section{Modular Inverse} |
|
|
10299 \label{sec:modinv} |
|
|
10300 The modular inverse of a number actually refers to the modular multiplicative inverse. Essentially for any integer $a$ such that $(a, p) = 1$ there |
|
|
10301 exist another integer $b$ such that $ab \equiv 1 \mbox{ (mod }p\mbox{)}$. The integer $b$ is called the multiplicative inverse of $a$ which is |
|
|
10302 denoted as $b = a^{-1}$. Technically speaking modular inversion is a well defined operation for any finite ring or field not just for rings and |
|
|
10303 fields of integers. However, the former will be the matter of discussion. |
|
|
10304 |
|
|
10305 The simplest approach is to compute the algebraic inverse of the input. That is to compute $b \equiv a^{\Phi(p) - 1}$. If $\Phi(p)$ is the |
|
|
10306 order of the multiplicative subgroup modulo $p$ then $b$ must be the multiplicative inverse of $a$. The proof of which is trivial. |
|
|
10307 |
|
|
10308 \begin{equation} |
|
|
10309 ab \equiv a \left (a^{\Phi(p) - 1} \right ) \equiv a^{\Phi(p)} \equiv a^0 \equiv 1 \mbox{ (mod }p\mbox{)} |
|
|
10310 \end{equation} |
|
|
10311 |
|
|
10312 However, as simple as this approach may be it has two serious flaws. It requires that the value of $\Phi(p)$ be known which if $p$ is composite |
|
|
10313 requires all of the prime factors. This approach also is very slow as the size of $p$ grows. |
|
|
10314 |
|
|
10315 A simpler approach is based on the observation that solving for the multiplicative inverse is equivalent to solving the linear |
|
|
10316 Diophantine\footnote{See LeVeque \cite[pp. 40-43]{LeVeque} for more information.} equation. |
|
|
10317 |
|
|
10318 \begin{equation} |
|
|
10319 ab + pq = 1 |
|
|
10320 \end{equation} |
|
|
10321 |
|
|
10322 Where $a$, $b$, $p$ and $q$ are all integers. If such a pair of integers $ \left < b, q \right >$ exist than $b$ is the multiplicative inverse of |
|
|
10323 $a$ modulo $p$. The extended Euclidean algorithm (Knuth \cite[pp. 342]{TAOCPV2}) can be used to solve such equations provided $(a, p) = 1$. |
|
|
10324 However, instead of using that algorithm directly a variant known as the binary Extended Euclidean algorithm will be used in its place. The |
|
|
10325 binary approach is very similar to the binary greatest common divisor algorithm except it will produce a full solution to the Diophantine |
|
|
10326 equation. |
|
|
10327 |
|
|
10328 \subsection{General Case} |
|
|
10329 \newpage\begin{figure}[!here] |
|
|
10330 \begin{small} |
|
|
10331 \begin{center} |
|
|
10332 \begin{tabular}{l} |
|
|
10333 \hline Algorithm \textbf{mp\_invmod}. \\ |
|
|
10334 \textbf{Input}. mp\_int $a$ and $b$, $(a, b) = 1$, $p \ge 2$, $0 < a < p$. \\ |
|
|
10335 \textbf{Output}. The modular inverse $c \equiv a^{-1} \mbox{ (mod }b\mbox{)}$. \\ |
|
|
10336 \hline \\ |
|
|
10337 1. If $b \le 0$ then return(\textit{MP\_VAL}). \\ |
|
|
10338 2. If $b_0 \equiv 1 \mbox{ (mod }2\mbox{)}$ then use algorithm fast\_mp\_invmod. \\ |
|
|
10339 3. $x \leftarrow \vert a \vert, y \leftarrow b$ \\ |
|
|
10340 4. If $x_0 \equiv y_0 \equiv 0 \mbox{ (mod }2\mbox{)}$ then return(\textit{MP\_VAL}). \\ |
|
|
10341 5. $B \leftarrow 0, C \leftarrow 0, A \leftarrow 1, D \leftarrow 1$ \\ |
|
|
10342 6. While $u.used > 0$ and $u_0 \equiv 0 \mbox{ (mod }2\mbox{)}$ \\ |
|
|
10343 \hspace{3mm}6.1 $u \leftarrow \lfloor u / 2 \rfloor$ \\ |
|
|
10344 \hspace{3mm}6.2 If ($A.used > 0$ and $A_0 \equiv 1 \mbox{ (mod }2\mbox{)}$) or ($B.used > 0$ and $B_0 \equiv 1 \mbox{ (mod }2\mbox{)}$) then \\ |
|
|
10345 \hspace{6mm}6.2.1 $A \leftarrow A + y$ \\ |
|
|
10346 \hspace{6mm}6.2.2 $B \leftarrow B - x$ \\ |
|
|
10347 \hspace{3mm}6.3 $A \leftarrow \lfloor A / 2 \rfloor$ \\ |
|
|
10348 \hspace{3mm}6.4 $B \leftarrow \lfloor B / 2 \rfloor$ \\ |
|
|
10349 7. While $v.used > 0$ and $v_0 \equiv 0 \mbox{ (mod }2\mbox{)}$ \\ |
|
|
10350 \hspace{3mm}7.1 $v \leftarrow \lfloor v / 2 \rfloor$ \\ |
|
|
10351 \hspace{3mm}7.2 If ($C.used > 0$ and $C_0 \equiv 1 \mbox{ (mod }2\mbox{)}$) or ($D.used > 0$ and $D_0 \equiv 1 \mbox{ (mod }2\mbox{)}$) then \\ |
|
|
10352 \hspace{6mm}7.2.1 $C \leftarrow C + y$ \\ |
|
|
10353 \hspace{6mm}7.2.2 $D \leftarrow D - x$ \\ |
|
|
10354 \hspace{3mm}7.3 $C \leftarrow \lfloor C / 2 \rfloor$ \\ |
|
|
10355 \hspace{3mm}7.4 $D \leftarrow \lfloor D / 2 \rfloor$ \\ |
|
|
10356 8. If $u \ge v$ then \\ |
|
|
10357 \hspace{3mm}8.1 $u \leftarrow u - v$ \\ |
|
|
10358 \hspace{3mm}8.2 $A \leftarrow A - C$ \\ |
|
|
10359 \hspace{3mm}8.3 $B \leftarrow B - D$ \\ |
|
|
10360 9. else \\ |
|
|
10361 \hspace{3mm}9.1 $v \leftarrow v - u$ \\ |
|
|
10362 \hspace{3mm}9.2 $C \leftarrow C - A$ \\ |
|
|
10363 \hspace{3mm}9.3 $D \leftarrow D - B$ \\ |
|
|
10364 10. If $u \ne 0$ goto step 6. \\ |
|
|
10365 11. If $v \ne 1$ return(\textit{MP\_VAL}). \\ |
|
|
10366 12. While $C \le 0$ do \\ |
|
|
10367 \hspace{3mm}12.1 $C \leftarrow C + b$ \\ |
|
|
10368 13. While $C \ge b$ do \\ |
|
|
10369 \hspace{3mm}13.1 $C \leftarrow C - b$ \\ |
|
|
10370 14. $c \leftarrow C$ \\ |
|
|
10371 15. Return(\textit{MP\_OKAY}). \\ |
|
|
10372 \hline |
|
|
10373 \end{tabular} |
|
|
10374 \end{center} |
|
|
10375 \end{small} |
|
|
10376 \end{figure} |
|
|
10377 \textbf{Algorithm mp\_invmod.} |
|
|
10378 This algorithm computes the modular multiplicative inverse of an integer $a$ modulo an integer $b$. This algorithm is a variation of the |
|
|
10379 extended binary Euclidean algorithm from HAC \cite[pp. 608]{HAC}. It has been modified to only compute the modular inverse and not a complete |
|
|
10380 Diophantine solution. |
|
|
10381 |
|
|
10382 If $b \le 0$ than the modulus is invalid and MP\_VAL is returned. Similarly if both $a$ and $b$ are even then there cannot be a multiplicative |
|
|
10383 inverse for $a$ and the error is reported. |
|
|
10384 |
|
|
10385 The astute reader will observe that steps seven through nine are very similar to the binary greatest common divisor algorithm mp\_gcd. In this case |
|
|
10386 the other variables to the Diophantine equation are solved. The algorithm terminates when $u = 0$ in which case the solution is |
|
|
10387 |
|
|
10388 \begin{equation} |
|
|
10389 Ca + Db = v |
|
|
10390 \end{equation} |
|
|
10391 |
|
|
10392 If $v$, the greatest common divisor of $a$ and $b$ is not equal to one then the algorithm will report an error as no inverse exists. Otherwise, $C$ |
|
|
10393 is the modular inverse of $a$. The actual value of $C$ is congruent to, but not necessarily equal to, the ideal modular inverse which should lie |
|
|
10394 within $1 \le a^{-1} < b$. Step numbers twelve and thirteen adjust the inverse until it is in range. If the original input $a$ is within $0 < a < p$ |
|
|
10395 then only a couple of additions or subtractions will be required to adjust the inverse. |
|
|
10396 |
|
|
10397 \vspace{+3mm}\begin{small} |
|
|
10398 \hspace{-5.1mm}{\bf File}: bn\_mp\_invmod.c |
|
|
10399 \vspace{-3mm} |
|
|
10400 \begin{alltt} |
|
|
10401 016 |
|
|
10402 017 /* hac 14.61, pp608 */ |
|
|
10403 018 int mp_invmod (mp_int * a, mp_int * b, mp_int * c) |
|
|
10404 019 \{ |
|
|
10405 020 /* b cannot be negative */ |
|
|
10406 021 if (b->sign == MP_NEG || mp_iszero(b) == 1) \{ |
|
|
10407 022 return MP_VAL; |
|
|
10408 023 \} |
|
|
10409 024 |
|
|
10410 025 #ifdef BN_FAST_MP_INVMOD_C |
|
|
10411 026 /* if the modulus is odd we can use a faster routine instead */ |
|
|
10412 027 if (mp_isodd (b) == 1) \{ |
|
|
10413 028 return fast_mp_invmod (a, b, c); |
|
|
10414 029 \} |
|
|
10415 030 #endif |
|
|
10416 031 |
|
|
10417 032 #ifdef BN_MP_INVMOD_SLOW_C |
|
|
10418 033 return mp_invmod_slow(a, b, c); |
|
|
10419 034 #endif |
|
|
10420 035 |
|
|
10421 036 return MP_VAL; |
|
|
10422 037 \} |
|
|
10423 038 #endif |
|
386
|
10424 039 |
|
282
|
10425 \end{alltt} |
|
|
10426 \end{small} |
|
|
10427 |
|
|
10428 \subsubsection{Odd Moduli} |
|
|
10429 |
|
|
10430 When the modulus $b$ is odd the variables $A$ and $C$ are fixed and are not required to compute the inverse. In particular by attempting to solve |
|
|
10431 the Diophantine $Cb + Da = 1$ only $B$ and $D$ are required to find the inverse of $a$. |
|
|
10432 |
|
|
10433 The algorithm fast\_mp\_invmod is a direct adaptation of algorithm mp\_invmod with all all steps involving either $A$ or $C$ removed. This |
|
|
10434 optimization will halve the time required to compute the modular inverse. |
|
|
10435 |
|
|
10436 \section{Primality Tests} |
|
|
10437 |
|
|
10438 A non-zero integer $a$ is said to be prime if it is not divisible by any other integer excluding one and itself. For example, $a = 7$ is prime |
|
|
10439 since the integers $2 \ldots 6$ do not evenly divide $a$. By contrast, $a = 6$ is not prime since $a = 6 = 2 \cdot 3$. |
|
|
10440 |
|
|
10441 Prime numbers arise in cryptography considerably as they allow finite fields to be formed. The ability to determine whether an integer is prime or |
|
|
10442 not quickly has been a viable subject in cryptography and number theory for considerable time. The algorithms that will be presented are all |
|
|
10443 probablistic algorithms in that when they report an integer is composite it must be composite. However, when the algorithms report an integer is |
|
|
10444 prime the algorithm may be incorrect. |
|
|
10445 |
|
|
10446 As will be discussed it is possible to limit the probability of error so well that for practical purposes the probablity of error might as |
|
|
10447 well be zero. For the purposes of these discussions let $n$ represent the candidate integer of which the primality is in question. |
|
|
10448 |
|
|
10449 \subsection{Trial Division} |
|
|
10450 |
|
|
10451 Trial division means to attempt to evenly divide a candidate integer by small prime integers. If the candidate can be evenly divided it obviously |
|
|
10452 cannot be prime. By dividing by all primes $1 < p \le \sqrt{n}$ this test can actually prove whether an integer is prime. However, such a test |
|
|
10453 would require a prohibitive amount of time as $n$ grows. |
|
|
10454 |
|
|
10455 Instead of dividing by every prime, a smaller, more mangeable set of primes may be used instead. By performing trial division with only a subset |
|
|
10456 of the primes less than $\sqrt{n} + 1$ the algorithm cannot prove if a candidate is prime. However, often it can prove a candidate is not prime. |
|
|
10457 |
|
|
10458 The benefit of this test is that trial division by small values is fairly efficient. Specially compared to the other algorithms that will be |
|
|
10459 discussed shortly. The probability that this approach correctly identifies a composite candidate when tested with all primes upto $q$ is given by |
|
|
10460 $1 - {1.12 \over ln(q)}$. The graph (\ref{pic:primality}, will be added later) demonstrates the probability of success for the range |
|
|
10461 $3 \le q \le 100$. |
|
|
10462 |
|
|
10463 At approximately $q = 30$ the gain of performing further tests diminishes fairly quickly. At $q = 90$ further testing is generally not going to |
|
|
10464 be of any practical use. In the case of LibTomMath the default limit $q = 256$ was chosen since it is not too high and will eliminate |
|
|
10465 approximately $80\%$ of all candidate integers. The constant \textbf{PRIME\_SIZE} is equal to the number of primes in the test base. The |
|
|
10466 array \_\_prime\_tab is an array of the first \textbf{PRIME\_SIZE} prime numbers. |
|
|
10467 |
|
|
10468 \begin{figure}[!here] |
|
|
10469 \begin{small} |
|
|
10470 \begin{center} |
|
|
10471 \begin{tabular}{l} |
|
|
10472 \hline Algorithm \textbf{mp\_prime\_is\_divisible}. \\ |
|
|
10473 \textbf{Input}. mp\_int $a$ \\ |
|
|
10474 \textbf{Output}. $c = 1$ if $n$ is divisible by a small prime, otherwise $c = 0$. \\ |
|
|
10475 \hline \\ |
|
|
10476 1. for $ix$ from $0$ to $PRIME\_SIZE$ do \\ |
|
|
10477 \hspace{3mm}1.1 $d \leftarrow n \mbox{ (mod }\_\_prime\_tab_{ix}\mbox{)}$ \\ |
|
|
10478 \hspace{3mm}1.2 If $d = 0$ then \\ |
|
|
10479 \hspace{6mm}1.2.1 $c \leftarrow 1$ \\ |
|
|
10480 \hspace{6mm}1.2.2 Return(\textit{MP\_OKAY}). \\ |
|
|
10481 2. $c \leftarrow 0$ \\ |
|
|
10482 3. Return(\textit{MP\_OKAY}). \\ |
|
|
10483 \hline |
|
|
10484 \end{tabular} |
|
|
10485 \end{center} |
|
|
10486 \end{small} |
|
|
10487 \caption{Algorithm mp\_prime\_is\_divisible} |
|
|
10488 \end{figure} |
|
|
10489 \textbf{Algorithm mp\_prime\_is\_divisible.} |
|
|
10490 This algorithm attempts to determine if a candidate integer $n$ is composite by performing trial divisions. |
|
|
10491 |
|
|
10492 \vspace{+3mm}\begin{small} |
|
|
10493 \hspace{-5.1mm}{\bf File}: bn\_mp\_prime\_is\_divisible.c |
|
|
10494 \vspace{-3mm} |
|
|
10495 \begin{alltt} |
|
|
10496 016 |
|
|
10497 017 /* determines if an integers is divisible by one |
|
|
10498 018 * of the first PRIME_SIZE primes or not |
|
|
10499 019 * |
|
|
10500 020 * sets result to 0 if not, 1 if yes |
|
|
10501 021 */ |
|
|
10502 022 int mp_prime_is_divisible (mp_int * a, int *result) |
|
|
10503 023 \{ |
|
|
10504 024 int err, ix; |
|
|
10505 025 mp_digit res; |
|
|
10506 026 |
|
|
10507 027 /* default to not */ |
|
|
10508 028 *result = MP_NO; |
|
|
10509 029 |
|
|
10510 030 for (ix = 0; ix < PRIME_SIZE; ix++) \{ |
|
|
10511 031 /* what is a mod LBL_prime_tab[ix] */ |
|
|
10512 032 if ((err = mp_mod_d (a, ltm_prime_tab[ix], &res)) != MP_OKAY) \{ |
|
|
10513 033 return err; |
|
|
10514 034 \} |
|
|
10515 035 |
|
|
10516 036 /* is the residue zero? */ |
|
|
10517 037 if (res == 0) \{ |
|
|
10518 038 *result = MP_YES; |
|
|
10519 039 return MP_OKAY; |
|
|
10520 040 \} |
|
|
10521 041 \} |
|
|
10522 042 |
|
|
10523 043 return MP_OKAY; |
|
|
10524 044 \} |
|
|
10525 045 #endif |
|
386
|
10526 046 |
|
282
|
10527 \end{alltt} |
|
|
10528 \end{small} |
|
|
10529 |
|
|
10530 The algorithm defaults to a return of $0$ in case an error occurs. The values in the prime table are all specified to be in the range of a |
|
|
10531 mp\_digit. The table \_\_prime\_tab is defined in the following file. |
|
|
10532 |
|
|
10533 \vspace{+3mm}\begin{small} |
|
|
10534 \hspace{-5.1mm}{\bf File}: bn\_prime\_tab.c |
|
|
10535 \vspace{-3mm} |
|
|
10536 \begin{alltt} |
|
|
10537 016 const mp_digit ltm_prime_tab[] = \{ |
|
|
10538 017 0x0002, 0x0003, 0x0005, 0x0007, 0x000B, 0x000D, 0x0011, 0x0013, |
|
|
10539 018 0x0017, 0x001D, 0x001F, 0x0025, 0x0029, 0x002B, 0x002F, 0x0035, |
|
|
10540 019 0x003B, 0x003D, 0x0043, 0x0047, 0x0049, 0x004F, 0x0053, 0x0059, |
|
|
10541 020 0x0061, 0x0065, 0x0067, 0x006B, 0x006D, 0x0071, 0x007F, |
|
|
10542 021 #ifndef MP_8BIT |
|
|
10543 022 0x0083, |
|
|
10544 023 0x0089, 0x008B, 0x0095, 0x0097, 0x009D, 0x00A3, 0x00A7, 0x00AD, |
|
|
10545 024 0x00B3, 0x00B5, 0x00BF, 0x00C1, 0x00C5, 0x00C7, 0x00D3, 0x00DF, |
|
|
10546 025 0x00E3, 0x00E5, 0x00E9, 0x00EF, 0x00F1, 0x00FB, 0x0101, 0x0107, |
|
|
10547 026 0x010D, 0x010F, 0x0115, 0x0119, 0x011B, 0x0125, 0x0133, 0x0137, |
|
|
10548 027 |
|
|
10549 028 0x0139, 0x013D, 0x014B, 0x0151, 0x015B, 0x015D, 0x0161, 0x0167, |
|
|
10550 029 0x016F, 0x0175, 0x017B, 0x017F, 0x0185, 0x018D, 0x0191, 0x0199, |
|
|
10551 030 0x01A3, 0x01A5, 0x01AF, 0x01B1, 0x01B7, 0x01BB, 0x01C1, 0x01C9, |
|
|
10552 031 0x01CD, 0x01CF, 0x01D3, 0x01DF, 0x01E7, 0x01EB, 0x01F3, 0x01F7, |
|
|
10553 032 0x01FD, 0x0209, 0x020B, 0x021D, 0x0223, 0x022D, 0x0233, 0x0239, |
|
|
10554 033 0x023B, 0x0241, 0x024B, 0x0251, 0x0257, 0x0259, 0x025F, 0x0265, |
|
|
10555 034 0x0269, 0x026B, 0x0277, 0x0281, 0x0283, 0x0287, 0x028D, 0x0293, |
|
|
10556 035 0x0295, 0x02A1, 0x02A5, 0x02AB, 0x02B3, 0x02BD, 0x02C5, 0x02CF, |
|
|
10557 036 |
|
|
10558 037 0x02D7, 0x02DD, 0x02E3, 0x02E7, 0x02EF, 0x02F5, 0x02F9, 0x0301, |
|
|
10559 038 0x0305, 0x0313, 0x031D, 0x0329, 0x032B, 0x0335, 0x0337, 0x033B, |
|
|
10560 039 0x033D, 0x0347, 0x0355, 0x0359, 0x035B, 0x035F, 0x036D, 0x0371, |
|
|
10561 040 0x0373, 0x0377, 0x038B, 0x038F, 0x0397, 0x03A1, 0x03A9, 0x03AD, |
|
|
10562 041 0x03B3, 0x03B9, 0x03C7, 0x03CB, 0x03D1, 0x03D7, 0x03DF, 0x03E5, |
|
|
10563 042 0x03F1, 0x03F5, 0x03FB, 0x03FD, 0x0407, 0x0409, 0x040F, 0x0419, |
|
|
10564 043 0x041B, 0x0425, 0x0427, 0x042D, 0x043F, 0x0443, 0x0445, 0x0449, |
|
|
10565 044 0x044F, 0x0455, 0x045D, 0x0463, 0x0469, 0x047F, 0x0481, 0x048B, |
|
|
10566 045 |
|
|
10567 046 0x0493, 0x049D, 0x04A3, 0x04A9, 0x04B1, 0x04BD, 0x04C1, 0x04C7, |
|
|
10568 047 0x04CD, 0x04CF, 0x04D5, 0x04E1, 0x04EB, 0x04FD, 0x04FF, 0x0503, |
|
|
10569 048 0x0509, 0x050B, 0x0511, 0x0515, 0x0517, 0x051B, 0x0527, 0x0529, |
|
|
10570 049 0x052F, 0x0551, 0x0557, 0x055D, 0x0565, 0x0577, 0x0581, 0x058F, |
|
|
10571 050 0x0593, 0x0595, 0x0599, 0x059F, 0x05A7, 0x05AB, 0x05AD, 0x05B3, |
|
|
10572 051 0x05BF, 0x05C9, 0x05CB, 0x05CF, 0x05D1, 0x05D5, 0x05DB, 0x05E7, |
|
|
10573 052 0x05F3, 0x05FB, 0x0607, 0x060D, 0x0611, 0x0617, 0x061F, 0x0623, |
|
|
10574 053 0x062B, 0x062F, 0x063D, 0x0641, 0x0647, 0x0649, 0x064D, 0x0653 |
|
|
10575 054 #endif |
|
|
10576 055 \}; |
|
|
10577 056 #endif |
|
386
|
10578 057 |
|
282
|
10579 \end{alltt} |
|
|
10580 \end{small} |
|
|
10581 |
|
|
10582 Note that there are two possible tables. When an mp\_digit is 7-bits long only the primes upto $127$ may be included, otherwise the primes |
|
|
10583 upto $1619$ are used. Note that the value of \textbf{PRIME\_SIZE} is a constant dependent on the size of a mp\_digit. |
|
|
10584 |
|
|
10585 \subsection{The Fermat Test} |
|
|
10586 The Fermat test is probably one the oldest tests to have a non-trivial probability of success. It is based on the fact that if $n$ is in |
|
|
10587 fact prime then $a^{n} \equiv a \mbox{ (mod }n\mbox{)}$ for all $0 < a < n$. The reason being that if $n$ is prime than the order of |
|
|
10588 the multiplicative sub group is $n - 1$. Any base $a$ must have an order which divides $n - 1$ and as such $a^n$ is equivalent to |
|
|
10589 $a^1 = a$. |
|
|
10590 |
|
|
10591 If $n$ is composite then any given base $a$ does not have to have a period which divides $n - 1$. In which case |
|
|
10592 it is possible that $a^n \nequiv a \mbox{ (mod }n\mbox{)}$. However, this test is not absolute as it is possible that the order |
|
|
10593 of a base will divide $n - 1$ which would then be reported as prime. Such a base yields what is known as a Fermat pseudo-prime. Several |
|
|
10594 integers known as Carmichael numbers will be a pseudo-prime to all valid bases. Fortunately such numbers are extremely rare as $n$ grows |
|
|
10595 in size. |
|
|
10596 |
|
|
10597 \begin{figure}[!here] |
|
|
10598 \begin{small} |
|
|
10599 \begin{center} |
|
|
10600 \begin{tabular}{l} |
|
|
10601 \hline Algorithm \textbf{mp\_prime\_fermat}. \\ |
|
|
10602 \textbf{Input}. mp\_int $a$ and $b$, $a \ge 2$, $0 < b < a$. \\ |
|
|
10603 \textbf{Output}. $c = 1$ if $b^a \equiv b \mbox{ (mod }a\mbox{)}$, otherwise $c = 0$. \\ |
|
|
10604 \hline \\ |
|
|
10605 1. $t \leftarrow b^a \mbox{ (mod }a\mbox{)}$ \\ |
|
|
10606 2. If $t = b$ then \\ |
|
|
10607 \hspace{3mm}2.1 $c = 1$ \\ |
|
|
10608 3. else \\ |
|
|
10609 \hspace{3mm}3.1 $c = 0$ \\ |
|
|
10610 4. Return(\textit{MP\_OKAY}). \\ |
|
|
10611 \hline |
|
|
10612 \end{tabular} |
|
|
10613 \end{center} |
|
|
10614 \end{small} |
|
|
10615 \caption{Algorithm mp\_prime\_fermat} |
|
|
10616 \end{figure} |
|
|
10617 \textbf{Algorithm mp\_prime\_fermat.} |
|
|
10618 This algorithm determines whether an mp\_int $a$ is a Fermat prime to the base $b$ or not. It uses a single modular exponentiation to |
|
|
10619 determine the result. |
|
|
10620 |
|
|
10621 \vspace{+3mm}\begin{small} |
|
|
10622 \hspace{-5.1mm}{\bf File}: bn\_mp\_prime\_fermat.c |
|
|
10623 \vspace{-3mm} |
|
|
10624 \begin{alltt} |
|
|
10625 016 |
|
|
10626 017 /* performs one Fermat test. |
|
|
10627 018 * |
|
|
10628 019 * If "a" were prime then b**a == b (mod a) since the order of |
|
|
10629 020 * the multiplicative sub-group would be phi(a) = a-1. That means |
|
|
10630 021 * it would be the same as b**(a mod (a-1)) == b**1 == b (mod a). |
|
|
10631 022 * |
|
|
10632 023 * Sets result to 1 if the congruence holds, or zero otherwise. |
|
|
10633 024 */ |
|
|
10634 025 int mp_prime_fermat (mp_int * a, mp_int * b, int *result) |
|
|
10635 026 \{ |
|
|
10636 027 mp_int t; |
|
|
10637 028 int err; |
|
|
10638 029 |
|
|
10639 030 /* default to composite */ |
|
|
10640 031 *result = MP_NO; |
|
|
10641 032 |
|
|
10642 033 /* ensure b > 1 */ |
|
|
10643 034 if (mp_cmp_d(b, 1) != MP_GT) \{ |
|
|
10644 035 return MP_VAL; |
|
|
10645 036 \} |
|
|
10646 037 |
|
|
10647 038 /* init t */ |
|
|
10648 039 if ((err = mp_init (&t)) != MP_OKAY) \{ |
|
|
10649 040 return err; |
|
|
10650 041 \} |
|
|
10651 042 |
|
|
10652 043 /* compute t = b**a mod a */ |
|
|
10653 044 if ((err = mp_exptmod (b, a, a, &t)) != MP_OKAY) \{ |
|
|
10654 045 goto LBL_T; |
|
|
10655 046 \} |
|
|
10656 047 |
|
|
10657 048 /* is it equal to b? */ |
|
|
10658 049 if (mp_cmp (&t, b) == MP_EQ) \{ |
|
|
10659 050 *result = MP_YES; |
|
|
10660 051 \} |
|
|
10661 052 |
|
|
10662 053 err = MP_OKAY; |
|
|
10663 054 LBL_T:mp_clear (&t); |
|
|
10664 055 return err; |
|
|
10665 056 \} |
|
|
10666 057 #endif |
|
386
|
10667 058 |
|
282
|
10668 \end{alltt} |
|
|
10669 \end{small} |
|
|
10670 |
|
|
10671 \subsection{The Miller-Rabin Test} |
|
|
10672 The Miller-Rabin (citation) test is another primality test which has tighter error bounds than the Fermat test specifically with sequentially chosen |
|
|
10673 candidate integers. The algorithm is based on the observation that if $n - 1 = 2^kr$ and if $b^r \nequiv \pm 1$ then after upto $k - 1$ squarings the |
|
|
10674 value must be equal to $-1$. The squarings are stopped as soon as $-1$ is observed. If the value of $1$ is observed first it means that |
|
|
10675 some value not congruent to $\pm 1$ when squared equals one which cannot occur if $n$ is prime. |
|
|
10676 |
|
|
10677 \begin{figure}[!here] |
|
|
10678 \begin{small} |
|
|
10679 \begin{center} |
|
|
10680 \begin{tabular}{l} |
|
|
10681 \hline Algorithm \textbf{mp\_prime\_miller\_rabin}. \\ |
|
|
10682 \textbf{Input}. mp\_int $a$ and $b$, $a \ge 2$, $0 < b < a$. \\ |
|
|
10683 \textbf{Output}. $c = 1$ if $a$ is a Miller-Rabin prime to the base $a$, otherwise $c = 0$. \\ |
|
|
10684 \hline |
|
|
10685 1. $a' \leftarrow a - 1$ \\ |
|
|
10686 2. $r \leftarrow n1$ \\ |
|
|
10687 3. $c \leftarrow 0, s \leftarrow 0$ \\ |
|
|
10688 4. While $r.used > 0$ and $r_0 \equiv 0 \mbox{ (mod }2\mbox{)}$ \\ |
|
|
10689 \hspace{3mm}4.1 $s \leftarrow s + 1$ \\ |
|
|
10690 \hspace{3mm}4.2 $r \leftarrow \lfloor r / 2 \rfloor$ \\ |
|
|
10691 5. $y \leftarrow b^r \mbox{ (mod }a\mbox{)}$ \\ |
|
|
10692 6. If $y \nequiv \pm 1$ then \\ |
|
|
10693 \hspace{3mm}6.1 $j \leftarrow 1$ \\ |
|
|
10694 \hspace{3mm}6.2 While $j \le (s - 1)$ and $y \nequiv a'$ \\ |
|
|
10695 \hspace{6mm}6.2.1 $y \leftarrow y^2 \mbox{ (mod }a\mbox{)}$ \\ |
|
|
10696 \hspace{6mm}6.2.2 If $y = 1$ then goto step 8. \\ |
|
|
10697 \hspace{6mm}6.2.3 $j \leftarrow j + 1$ \\ |
|
|
10698 \hspace{3mm}6.3 If $y \nequiv a'$ goto step 8. \\ |
|
|
10699 7. $c \leftarrow 1$\\ |
|
|
10700 8. Return(\textit{MP\_OKAY}). \\ |
|
|
10701 \hline |
|
|
10702 \end{tabular} |
|
|
10703 \end{center} |
|
|
10704 \end{small} |
|
|
10705 \caption{Algorithm mp\_prime\_miller\_rabin} |
|
|
10706 \end{figure} |
|
|
10707 \textbf{Algorithm mp\_prime\_miller\_rabin.} |
|
|
10708 This algorithm performs one trial round of the Miller-Rabin algorithm to the base $b$. It will set $c = 1$ if the algorithm cannot determine |
|
|
10709 if $b$ is composite or $c = 0$ if $b$ is provably composite. The values of $s$ and $r$ are computed such that $a' = a - 1 = 2^sr$. |
|
|
10710 |
|
|
10711 If the value $y \equiv b^r$ is congruent to $\pm 1$ then the algorithm cannot prove if $a$ is composite or not. Otherwise, the algorithm will |
|
|
10712 square $y$ upto $s - 1$ times stopping only when $y \equiv -1$. If $y^2 \equiv 1$ and $y \nequiv \pm 1$ then the algorithm can report that $a$ |
|
|
10713 is provably composite. If the algorithm performs $s - 1$ squarings and $y \nequiv -1$ then $a$ is provably composite. If $a$ is not provably |
|
|
10714 composite then it is \textit{probably} prime. |
|
|
10715 |
|
|
10716 \vspace{+3mm}\begin{small} |
|
|
10717 \hspace{-5.1mm}{\bf File}: bn\_mp\_prime\_miller\_rabin.c |
|
|
10718 \vspace{-3mm} |
|
|
10719 \begin{alltt} |
|
|
10720 016 |
|
|
10721 017 /* Miller-Rabin test of "a" to the base of "b" as described in |
|
|
10722 018 * HAC pp. 139 Algorithm 4.24 |
|
|
10723 019 * |
|
|
10724 020 * Sets result to 0 if definitely composite or 1 if probably prime. |
|
|
10725 021 * Randomly the chance of error is no more than 1/4 and often |
|
|
10726 022 * very much lower. |
|
|
10727 023 */ |
|
|
10728 024 int mp_prime_miller_rabin (mp_int * a, mp_int * b, int *result) |
|
|
10729 025 \{ |
|
|
10730 026 mp_int n1, y, r; |
|
|
10731 027 int s, j, err; |
|
|
10732 028 |
|
|
10733 029 /* default */ |
|
|
10734 030 *result = MP_NO; |
|
|
10735 031 |
|
|
10736 032 /* ensure b > 1 */ |
|
|
10737 033 if (mp_cmp_d(b, 1) != MP_GT) \{ |
|
|
10738 034 return MP_VAL; |
|
|
10739 035 \} |
|
|
10740 036 |
|
|
10741 037 /* get n1 = a - 1 */ |
|
|
10742 038 if ((err = mp_init_copy (&n1, a)) != MP_OKAY) \{ |
|
|
10743 039 return err; |
|
|
10744 040 \} |
|
|
10745 041 if ((err = mp_sub_d (&n1, 1, &n1)) != MP_OKAY) \{ |
|
|
10746 042 goto LBL_N1; |
|
|
10747 043 \} |
|
|
10748 044 |
|
|
10749 045 /* set 2**s * r = n1 */ |
|
|
10750 046 if ((err = mp_init_copy (&r, &n1)) != MP_OKAY) \{ |
|
|
10751 047 goto LBL_N1; |
|
|
10752 048 \} |
|
|
10753 049 |
|
|
10754 050 /* count the number of least significant bits |
|
|
10755 051 * which are zero |
|
|
10756 052 */ |
|
|
10757 053 s = mp_cnt_lsb(&r); |
|
|
10758 054 |
|
|
10759 055 /* now divide n - 1 by 2**s */ |
|
|
10760 056 if ((err = mp_div_2d (&r, s, &r, NULL)) != MP_OKAY) \{ |
|
|
10761 057 goto LBL_R; |
|
|
10762 058 \} |
|
|
10763 059 |
|
|
10764 060 /* compute y = b**r mod a */ |
|
|
10765 061 if ((err = mp_init (&y)) != MP_OKAY) \{ |
|
|
10766 062 goto LBL_R; |
|
|
10767 063 \} |
|
|
10768 064 if ((err = mp_exptmod (b, &r, a, &y)) != MP_OKAY) \{ |
|
|
10769 065 goto LBL_Y; |
|
|
10770 066 \} |
|
|
10771 067 |
|
|
10772 068 /* if y != 1 and y != n1 do */ |
|
|
10773 069 if (mp_cmp_d (&y, 1) != MP_EQ && mp_cmp (&y, &n1) != MP_EQ) \{ |
|
|
10774 070 j = 1; |
|
|
10775 071 /* while j <= s-1 and y != n1 */ |
|
|
10776 072 while ((j <= (s - 1)) && mp_cmp (&y, &n1) != MP_EQ) \{ |
|
|
10777 073 if ((err = mp_sqrmod (&y, a, &y)) != MP_OKAY) \{ |
|
|
10778 074 goto LBL_Y; |
|
|
10779 075 \} |
|
|
10780 076 |
|
|
10781 077 /* if y == 1 then composite */ |
|
|
10782 078 if (mp_cmp_d (&y, 1) == MP_EQ) \{ |
|
|
10783 079 goto LBL_Y; |
|
|
10784 080 \} |
|
|
10785 081 |
|
|
10786 082 ++j; |
|
|
10787 083 \} |
|
|
10788 084 |
|
|
10789 085 /* if y != n1 then composite */ |
|
|
10790 086 if (mp_cmp (&y, &n1) != MP_EQ) \{ |
|
|
10791 087 goto LBL_Y; |
|
|
10792 088 \} |
|
|
10793 089 \} |
|
|
10794 090 |
|
|
10795 091 /* probably prime now */ |
|
|
10796 092 *result = MP_YES; |
|
|
10797 093 LBL_Y:mp_clear (&y); |
|
|
10798 094 LBL_R:mp_clear (&r); |
|
|
10799 095 LBL_N1:mp_clear (&n1); |
|
|
10800 096 return err; |
|
|
10801 097 \} |
|
|
10802 098 #endif |
|
386
|
10803 099 |
|
282
|
10804 \end{alltt} |
|
|
10805 \end{small} |
|
|
10806 |
|
|
10807 |
|
|
10808 |
|
|
10809 |
|
|
10810 \backmatter |
|
|
10811 \appendix |
|
|
10812 \begin{thebibliography}{ABCDEF} |
|
|
10813 \bibitem[1]{TAOCPV2} |
|
|
10814 Donald Knuth, \textit{The Art of Computer Programming}, Third Edition, Volume Two, Seminumerical Algorithms, Addison-Wesley, 1998 |
|
|
10815 |
|
|
10816 \bibitem[2]{HAC} |
|
|
10817 A. Menezes, P. van Oorschot, S. Vanstone, \textit{Handbook of Applied Cryptography}, CRC Press, 1996 |
|
|
10818 |
|
|
10819 \bibitem[3]{ROSE} |
|
|
10820 Michael Rosing, \textit{Implementing Elliptic Curve Cryptography}, Manning Publications, 1999 |
|
|
10821 |
|
|
10822 \bibitem[4]{COMBA} |
|
|
10823 Paul G. Comba, \textit{Exponentiation Cryptosystems on the IBM PC}. IBM Systems Journal 29(4): 526-538 (1990) |
|
|
10824 |
|
|
10825 \bibitem[5]{KARA} |
|
|
10826 A. Karatsuba, Doklay Akad. Nauk SSSR 145 (1962), pp.293-294 |
|
|
10827 |
|
|
10828 \bibitem[6]{KARAP} |
|
|
10829 Andre Weimerskirch and Christof Paar, \textit{Generalizations of the Karatsuba Algorithm for Polynomial Multiplication}, Submitted to Design, Codes and Cryptography, March 2002 |
|
|
10830 |
|
|
10831 \bibitem[7]{BARRETT} |
|
|
10832 Paul Barrett, \textit{Implementing the Rivest Shamir and Adleman Public Key Encryption Algorithm on a Standard Digital Signal Processor}, Advances in Cryptology, Crypto '86, Springer-Verlag. |
|
|
10833 |
|
|
10834 \bibitem[8]{MONT} |
|
|
10835 P.L.Montgomery. \textit{Modular multiplication without trial division}. Mathematics of Computation, 44(170):519-521, April 1985. |
|
|
10836 |
|
|
10837 \bibitem[9]{DRMET} |
|
|
10838 Chae Hoon Lim and Pil Joong Lee, \textit{Generating Efficient Primes for Discrete Log Cryptosystems}, POSTECH Information Research Laboratories |
|
|
10839 |
|
|
10840 \bibitem[10]{MMB} |
|
|
10841 J. Daemen and R. Govaerts and J. Vandewalle, \textit{Block ciphers based on Modular Arithmetic}, State and {P}rogress in the {R}esearch of {C}ryptography, 1993, pp. 80-89 |
|
|
10842 |
|
|
10843 \bibitem[11]{RSAREF} |
|
|
10844 R.L. Rivest, A. Shamir, L. Adleman, \textit{A Method for Obtaining Digital Signatures and Public-Key Cryptosystems} |
|
|
10845 |
|
|
10846 \bibitem[12]{DHREF} |
|
|
10847 Whitfield Diffie, Martin E. Hellman, \textit{New Directions in Cryptography}, IEEE Transactions on Information Theory, 1976 |
|
|
10848 |
|
|
10849 \bibitem[13]{IEEE} |
|
|
10850 IEEE Standard for Binary Floating-Point Arithmetic (ANSI/IEEE Std 754-1985) |
|
|
10851 |
|
|
10852 \bibitem[14]{GMP} |
|
|
10853 GNU Multiple Precision (GMP), \url{http://www.swox.com/gmp/} |
|
|
10854 |
|
|
10855 \bibitem[15]{MPI} |
|
|
10856 Multiple Precision Integer Library (MPI), Michael Fromberger, \url{http://thayer.dartmouth.edu/~sting/mpi/} |
|
|
10857 |
|
|
10858 \bibitem[16]{OPENSSL} |
|
|
10859 OpenSSL Cryptographic Toolkit, \url{http://openssl.org} |
|
|
10860 |
|
|
10861 \bibitem[17]{LIP} |
|
|
10862 Large Integer Package, \url{http://home.hetnet.nl/~ecstr/LIP.zip} |
|
|
10863 |
|
|
10864 \bibitem[18]{ISOC} |
|
|
10865 JTC1/SC22/WG14, ISO/IEC 9899:1999, ``A draft rationale for the C99 standard.'' |
|
|
10866 |
|
|
10867 \bibitem[19]{JAVA} |
|
|
10868 The Sun Java Website, \url{http://java.sun.com/} |
|
|
10869 |
|
|
10870 \end{thebibliography} |
|
|
10871 |
|
|
10872 \input{tommath.ind} |
|
|
10873 |
|
|
10874 \end{document} |
