Prime Numbers
Share Embed Flag
Download ePaper

Prime Numbers

Prime Numbers Prime Numbers

thales.doa.fmph.uniba.sk
from thales.doa.fmph.uniba.sk More from this publisher
10.12.2012 Views

9.2 Enhancements to modular arithmetic 449 Algorithm 9.2.5 (Montgomery product). This algorithm returns M(c, d) for integers 0 ≤ c, d < N, with N odd, and R =2 s >N. 1. [Montgomery mod function M] M(c, d) { x = cd; z = y/R; // From Theorem 9.2.1. 2. [Adjust result] if(z ≥ N) z = z − N; return z; } The [Adjust result] step in this algorithm always works because cd < RN by hypothesis. The only importance of the choice that R beapoweroftwois that fast arithmetic may be employed in the evaluation of z = y/R. Algorithm 9.2.6 (Montgomery powering). This algorithm returns x y mod N, for0 ≤ x0, andR chosen as in Algorithm 9.2.5. We denote by (y0,...,yD−1) the binary bits of y. 1. [Initialize] x =(xR) modN; // Via some divide/mod method. p = R mod N; // Via some divide/mod method. 2. [Power ladder] for(D − 1 ≥ j ≥ 0) { p = M(p, p); // Via Algorithm 9.2.5. if(yj == 1) p = M(p, x); } // Now p is x y . 3. [Final extraction of power] return M(p, 1); Later in this chapter we shall have more to say about general power ladders; the ladder here is exhibited primarily to show how one may call the M() function to advantage. The speed enhancements of an eventual powering routine all center on the M() function, in particular on the computation of z = y/R. Wehavenoted that to get z, two multiplies are required, as in equation (9.7). But the story does not end here; in fact, the complexity of the Montgomery mod operation can be brought (asymptotically, large N) down to that of one size-N multiply. (To state it another way, the composite operation M(x ∗ y) asymptotically requires two size-N multiplies, which can be thought of as one for the “∗” operation.) The details of the optimizations are intricate, involving various manifestations of the inner multiply loops of the M() function [Koç etal. 1996], [Bosselaers et al. 1994]. But these details stem at least in part from a wasted operation in equation (9.7): The right-shifting effectively destroys some of the bits generated by the two multiplies. We shall see this shifting phenomenon again in the next section. In actual program implementations of Montgomery’s scheme, one can assign a word-size base B =2 b ,sothat

450 Chapter 9 FAST ALGORITHMS FOR LARGE-INTEGER ARITHMETIC a convenient value R = B k may be used, whence the z value in Algorithm 9.2.5 can be obtained by looping k times and doing arithmetic (mod B) that is particularly convenient for the machine. Explicit word-oriented loops that achieve the optimal asymptotic complexity are laid out nicely in [Menezes et al. 1997]. 9.2.2 Newton methods We have seen in Section 9.1 that the div operation may be effected via additions, subtractions, and bit-shifts, although, as we have also seen, the algorithm can be bested by moving away from the binary paradigm into the domain of general base representations. Then we saw that the technique of Montgomery mod gives us an asymptotically efficient means for powering with respect to a fixed modulus. It is interesting, perhaps at first surprising, that general div and mod may be effected via multiplications alone; that is, even the small div operations attendant to optimized div methods are obviated, as are the special precomputations of the Montgomery method. One approach to such a general div and mod scheme is to realize that the classical Newton method for solving equations may be applied to the problem of reciprocation. Let us start with reciprocation in the domain of real numbers. If one is to solve f(x) = 0, one proceeds with an (adroit) initial guess for x, call this guess x0, and iterates xn+1 = xn − f(xn)/f ′ (xn), (9.9) for n =0, 1, 2 ..., whence—if the initial guess x0 is good enough—the sequence (xn) converges to the desired solution. So to reciprocate a real number a>0, one is trying to solve 1/x − a = 0, so that an appropriate iteration would be xn+1 =2xn − ax 2 n. (9.10) Assuming that this Newton iteration for reciprocals is successful (see Exercise 9.13), we see that the real number 1/a can be obtained to arbitrary accuracy with multiplies alone. To calculate a general real division b/a, onesimply multiplies b by the reciprocal 1/a, so that general division in real numbers can be done in this way via multiplies alone. But can the Newton method be applied to the problem of integer div? Indeed it can, provided that we proceed with care in the definition of a generalized reciprocal for integer division. We first introduce a function B(N), defined for nonnegative integers N as the number of bits in the binary representation of N, except that B(0) = 0. Thus, B(1) = 1,B(2) = B(3) = 2, and so on. Next we establish a generalized reciprocal; instead of reciprocals 1/a for real a, we consider a generalized reciprocal of integer N as the integer part of an appropriate large power of 2 divided by N. Definition 9.2.7. The generalized reciprocal R(N) is defined for positive integers N as ⌊4 B(N−1) /N ⌋.

9.2 Enhancements to modular arithmetic 449<br />

Algorithm 9.2.5 (Montgomery product). This algorithm returns M(c, d)<br />

for integers 0 ≤ c, d < N, with N odd, and R =2 s >N.<br />

1. [Montgomery mod function M]<br />

M(c, d) {<br />

x = cd;<br />

z = y/R; // From Theorem 9.2.1.<br />

2. [Adjust result]<br />

if(z ≥ N) z = z − N;<br />

return z;<br />

}<br />

The [Adjust result] step in this algorithm always works because cd < RN by<br />

hypothesis. The only importance of the choice that R beapoweroftwois<br />

that fast arithmetic may be employed in the evaluation of z = y/R.<br />

Algorithm 9.2.6 (Montgomery powering). This algorithm returns<br />

x y mod N, for0 ≤ x0, andR chosen as in Algorithm 9.2.5. We<br />

denote by (y0,...,yD−1) the binary bits of y.<br />

1. [Initialize]<br />

x =(xR) modN; // Via some divide/mod method.<br />

p = R mod N; // Via some divide/mod method.<br />

2. [Power ladder]<br />

for(D − 1 ≥ j ≥ 0) {<br />

p = M(p, p); // Via Algorithm 9.2.5.<br />

if(yj == 1) p = M(p, x);<br />

} // Now p is x y .<br />

3. [Final extraction of power]<br />

return M(p, 1);<br />

Later in this chapter we shall have more to say about general power ladders;<br />

the ladder here is exhibited primarily to show how one may call the M()<br />

function to advantage.<br />

The speed enhancements of an eventual powering routine all center on the<br />

M() function, in particular on the computation of z = y/R. Wehavenoted<br />

that to get z, two multiplies are required, as in equation (9.7). But the story<br />

does not end here; in fact, the complexity of the Montgomery mod operation<br />

can be brought (asymptotically, large N) down to that of one size-N multiply.<br />

(To state it another way, the composite operation M(x ∗ y) asymptotically<br />

requires two size-N multiplies, which can be thought of as one for the “∗”<br />

operation.) The details of the optimizations are intricate, involving various<br />

manifestations of the inner multiply loops of the M() function [Koç etal.<br />

1996], [Bosselaers et al. 1994]. But these details stem at least in part from<br />

a wasted operation in equation (9.7): The right-shifting effectively destroys<br />

some of the bits generated by the two multiplies. We shall see this shifting<br />

phenomenon again in the next section. In actual program implementations<br />

of Montgomery’s scheme, one can assign a word-size base B =2 b ,sothat

logo

products

Resources

Company

Terms of service
Privacy policy
Cookie policy
Cookie settings
Imprint
Change language
Made with love in Switzerland
© 2024 Yumpu.com all rights reserved

Hooray! Your file is uploaded and ready to be published.

Saved successfully!

Ooh no, something went wrong!