Math 373/578: Using Matlab in Cryptography (Spring 2012)

Math 373/578: Using matlab in Cryptography (Spring 2012)

Place: Room 422, Armstrong Hall

Preparations: (1) visit http://www.math.wvu.edu/~hjlai/Math373_Matlab/ and download all the ﬁles into a folder (Math373-Matlab) (2) Open Matlab, change the current directory to this folder. (Click the logo at the right end of ”current Directory” for ”Browse for folder”, and change the folder). (3) Start working on the mathematics.

(4) Ordinary Computations (Review)

Example Compute 27 + 135/5.

>> 2^7 + 135/5 ans = 155

Example Compute 11(126/(9 + 7) − 2(72/12)).

>> 11*(126/9+7 - 2^(72/12)) ans = -473 √ Example Compute 62 − 1024.

>> 6^2 - \sqrt{1024} ans = 4

1 Part 1: Number Theory Basics

(1) Factor 123456 into primes. factor(123456)

(2) For x, y ∈ Z − {0}, ﬁnd gcd(x, y). gcd(x,y)

Example: Find gcd(23456, 987654). gcd(23456, 987654) Ans = 2 Thus 2 = gcd(23456, 987654).

(3) For x, y ∈ Z − {0}, ﬁnd u, v such that gcd(x, y) = ux + vy.

[a,b,c]=gcd(x,y)

Example: Find u, v such that gcd(23456, 987654) = 23456u + 987654v. >> [d,u,v]=gcd(23456, 987654) d = 2 u = -3158 v = 75 This means u = −3158 and v = 75. Thus 2 = gcd(23456, 987654) = 23456·(−3158)+987654·75.

(4) Solve equation ax + by = 1 when (a, b) = 1. Example a = 65337 and b = 3511, what is the relationship between this problem and the example in (3)? [d,u,v]=gcd(65337, 3511) How do you interpret the answers?

(5) Knowing n, we can ﬁnd φ(n) and factor n by n = 1234567 eulerphi(n) factor(n) This can be used for deciphering an RSA coded message in the future. However, Matlab may have trouble factoring numbers bigger than 109.

2 Part 2: Operations involving integers modulo m (1) Given m > 1 and a ∈ Z, ﬁnd b ∈ Z with 0 ≤ b < m such that a ≡ b (mod m). mod (a,m)

(2) Given m > 1 and a, b ∈ Z, ﬁnd c ∈ Z with 0 ≤ c < m such that a + b ≡ c (mod m). (Do the same for subtractions and multiplications) mod (a+b,m)

(3) Find multiplicative inverse of a (mod m) (assuming that we have already known that a and m are relatively prime). Example: Find the multiplicative inverse of 8787 (mod 91919).

>> powermod(8787, -1, 91919) ans = 71374

Thus 8787−1 ≡ 71734 (mod 91919).

(4) Find multiplicative inverse of a (mod m) (assuming that we do not know if a and m are relatively prime). Example: Determine if 23456 has an inverse mod 987654, if it does, ﬁnd it.

>> [d,u,v] = gcd(23456, 987654) d = 2 u = -3158 v = 75

This means the gcd(23456, 987654) = 2, and so the inverse does not exist.

Example: Determine if 23456 has an inverse mod 987651, if it does, ﬁnd it.

>> [d,u,v] = gcd(23456, 987651) d = 1 u = 256892 v = -6101

This means the gcd(23456, 987651) = 1 = 256892 · 23456 + (−6101) · 987651, and so 23456−1 ≡ 256892 (mod 987651).

(5) Find modular exponentiation. Example: Compute 234567 (mod 9871)

3 >> powermod(234, 567, 9871) ans = 5334

Thus 234567 ≡ 5334 (mod 9871).

(6) Solving equations. Example: Solve 7654x ≡ 2389 (mod 65537). What do we do? We first find the multiplicative inverse of the coefficient of x.

>> powermod(7654, -1, 65537) ans = 54637 >> mod(ans*2389, 65537) ans = 43626

Thus the answer is x ≡ 43626 (mod 65537).

(8) Computation modulo m (Reviews)

Example Compute (234)(456) (mod 789).

>> mod(234*456, 789) ans = 189

Example Compute 234 + 456 (mod 567).

>> mod(234*456, 789) ans = 123

Example Compute 234567 (mod 9871).

>> powermod(234, 456, 9871) ans = 5334

Example Compute multiplicative inverse of 8787 (mod 91919).

>> powermod(8787, -1, 91919) ans = 71374

(9) Shift Ciphers and Aﬃne Ciphers (A) Decoding with Shift-cipher Example Decrypt the Ceasar-encrypted message ’wklvverxogehtxlwhhdvb’

4 allshift(’wklvvkrxogehtxlwhhdvb’) wklvvkrxogehtxlwhhdvb xlmwwlsyphfiuymxiiewc ymnxxmtzqigjvznyjjfxd znoyynuarjhkwaozkkgye aopzzovbskilxbpallhzf bpqaapwctljmycqbmmiag cqrbbqxdumknzdrcnnjbh drsccryevnloaesdookci estddszfwompbfteppldj ftueetagxpnqcgufqqmek guvffubhyqordhvgrrnfl hvwggvcizrpseiwhssogm iwxhhwdjasqtfjxittphn jxyiixekbtrugkyjuuqio kyzjjyflcusvhlzkvvrjp lzakkzgmdvtwimalwwskq mabllahnewuxjnbmxxtlr nbcmmbiofxvykocnyyums ocdnncjpgywzlpdozzvnt pdeoodkqhzxamqepaawou qefppelriaybnrfqbbxpv rfgqqfmsjbzcosgrccyqw sghrrgntkcadpthsddzrx thisshouldbequiteeasy uijttipvmecfrvjuffbtz vjkuujqwnfdgswkvggcua A study of the output indicates that the plain text should be ’thisshouldbequiteeasy’ or ’this should be quite easy’

(B) Using Affine cipher to encode plain text. Example Encrypt the plain text ’meetmeinstlouis’ with an affine cipher E3,7(x) ≡ 3x + 7 in Z26. >> affinecrypt(’meetmeinstlouis’, 3, 7) ans = rttmrtfujmoxpfj (C) Using Affine cipher to decrypt cipher text. Example The cipher text ’rttmrtfujmoxpfj’ was encrypted using the affine function 3x + 7 in Z26. Decrypt it. (Step 1:) Solve y ≡ 3x + 7 (mod 26) for x. Since 1 = gcd(3, 26) = (9)(3) + (−1)(26), 3−1 ≡ 9 (mod 26). As (9)(7) ≡ 63 ≡ 11 (mod 26), multiplying both sides of the equation by 9 to get 9y ≡ x + 11 (mod 26), and so x ≡ 9y − 11 ≡ 9y + 15 (mod 26). This can also be done by using matlab: >> powermod(3, -1, 26)

5 and = 9 >> mod(-9*7, 26) ans = 15

(Step 2) Knowing that the decrypt function is x ≡ 9y + 15, we can decrypt the message by

>> affinecrypt(’rttmrtfujmoxpfj’, 9, 15) ans = meetmeinstlouis

6 Part 3: Numbers with diﬀerent bases (1) Converting and Base-b number to a base-10 number

To convert a base-b number n = (dk−1dk−2 ··· d1d0)b to base-10, by deﬁnition, the answer is

k−1 k−2 n = n = dk−1b + dk−2b + ··· + d1b + d0.

Example Convert a number-26 number (HP AC)26 to base-10. We can ﬁrst get the corre- sponding numerical values H = 7,P = 15,A = 0 and C = 2, and get the answer by

>> n = 7*26^3 + 15*26^2 + 2 n = 133174

(2) Converting and Base-10 number to a base-b number Example Convert the base-10 number n = 133174 to base-26.

>> n = 133174 n = 133174 >> d0 = mod(133174, 26) d0 = 2 >> n1 = (n - 2)/26 n1 = 5122 >>d1 = mod(n1, 26) d1 = 0 >> n2 = (n1 - 0)/26 n2 = 197 >>d2 = mod(n2, 26) d2 = 15 >> n3 = (n2 - 15)/26 n3 = 7 >>d3 = mod(n3, 26) d3 = 7

Thus the answer is n = (7 15 0 2)26 = (HP AC)26.

(3) Operations of base-b numbers There are many ways to perform the operations of base-b numbers. One way to use matlab is

7 to ﬁrst convert the base-b numbers to base-10, and use matlab to do the operations, then use matlab to convert the answers back to base-b.

Example Multiply HE by IS in Z26. Step 1: Convert HE = 7(26) + 4 = 186 and IS = 8(28) + 18 = 226. Step 2: Compute the base-10 multiplication. Step 3: Convert the answer back to Base-26.

8 Part 4: Discrete Log and RSA

(1) Find a Primitive Root

Example Find a primitive root for the prime p = 65537

>> primitiveroot(65537) ans = 3 Thus 3 is a primitive root for 65537. (Remark: the function ”primitiveroot” ﬁnds the small- est primitive root of the input number.)

13 (2) Example: Computing Discrete Log Find ind2 (7), or log2(7) (mod 13).

For n = 1:12; a = powermod(2,n,13); if a == 7; disp(n); end end n = 11

Therefore, log2(7) = 11 (mod 13). This can be veriﬁed by >> powermod(2,11,13) ans = 7

(3) Example: Pohlig-Hellman Exponentiation Cipher Choose p = 263, e = 73. Note that φ(263) = 262, and Euclidean Algorithm gives gcd(262, 73) = (−61)(73) + (17)(262) = 1.

>> [a,b,c] = gcd(73, 262) a = 1 b = -61 c = 17 Thus d = −17 ≡ 201 (mod 262) For the cipher text c = (246, 18, 156, 0, 256, 127, 18, 156, 96, 256, 235, 0, 132, 68), which will be decrypted by m = f −1(c) ≡ cd (mod 262). (Use powermod, for example). (Note: try to use positive d. Using negative d would sometimes cause computation errors).

>> d=201 d = 201

9 >> p=263 p = 263 >> c = [246 18 156 0 256 127 18 156 96 256 235 0 132 68] c = Columns 1 through 5 246 18 156 0 256 Columns 6 through 10 127 18 156 96 256 Columns 11 through 14 235 0 132 68 >> m = powermod(c, d, p) m = Columns 1 through 5 19 17 4 0 18 Columns 6 through 10 20 17 4 8 18 Columns 11 through 14 11 0 13 3

This process gives

246201 ≡ 19; 18201 ≡ 17; 156201 ≡ 4; 0201 ≡ 0; 256201 ≡ 18; 127201 ≡ 20; 18201 ≡ 17;

156201 ≡ 4; 96201 ≡ 8; 256201 ≡ 18; 235201 ≡ 11; 0201 ≡ 0; 132201 ≡ 13; 68201 ≡ 3. and so the cipher text is (19, 17, 4, 0, 18, 20, 17, 4, 8, 18, 11, 0, 13, 3), which means, with Z26 alphabet, treasure island.

(4) Example: Diﬃe-Hellman Key Exchange Let p = 907, a = 2, x = 32 and y = 153. To ﬁnd the exchange key, compute x ≡ 319 ≡ 3 >> p = 907 p = 907 >> a = primitiveroot(p) a = 2 >> x = 32 x = 32 >> xx = powermod(a, x, p) xx = 311 >> y = 153 y = 153 >> yy = powermod(a, y, p)

10 yy = 633 Thus x ≡ 232 ≡ 311 and y ≡ 2153 ≡ 633 (mod 907), and so the common key can be computed by k = xy (mod p) >> k = powermod(xx,y,p) k = 121 or by k = yx (mod p) >> k = powermod(yy,x,p) k = 121

(5) Example: Finding p and q when given n = pq and φ(n). Given n = pq = 1009427 and φ(n) = 1007400. To ﬁnd p and q, we compute >> n = 1009427 n = 1009427 >> f = eulerphi(n) f = 1007400 >> s = n - f + 1 s = 2028 >> d = sqrt(s^2 - 4*n) d = 274 >> p = (s + d)/2 p = 1151 >> q = (s-d)/2 q = 877 Therefore, p = 1151 and q = 877.

(6) Example: RSA with a single letter plain text Let p = 167, q = 547, n = 91349, e = 5 and cipher text c ≡ 88291 (mod n). To find plain text m, we first find φ(n) = 90636, >> n = 91349 n = 91349 >> eulerphi(n) ans = 90636

11 and compute (using Euclidean Algorithm) >> [a,b,c] = gcd(5, 90636) a = 1 b = -18127 c = 1

1 = gcd(5, 90636) = 5(−18127) + (1)(90636), and so d = −18127 ≡ 72509 (mod 90636). To ﬁnd m, compute >> powermod(88291, 72509, n) ans = 12345 or >> powermod(88291, -18127, n) ans = 12345 to get m = cd ≡ 8829172509 ≡ 12345 (mod n). (7) Example: (RSA signature scheme) Given the system parameters n = 466727, φ(n) = 465336 d = 296123, and m = 10101. If c = 369510 is received, decide whether the signature should be accepted and rejected. Solution: First ﬁnd e such that ed ≡ 1 (mod φ(n)). >> n = 466727 n = 466727 >> f = eulerphi(n) f = 465336 >> d = 296123 d = 296123 >> [a,b,c]=gcd(d,f) a = 1 b = 11 c = -7

12 Thus 1 = gcd(296123, 465336) = (11)(296123) + (−7)(465336), and so e ≡ 11. Then compute ce (mod n),

>> c = 369510 c = 369510 >> e = 11 e = 11 >> powermod(c,e,n) ans = 10101

Since m = 10101, the signature is accepted.

(8) Example: (ElGamal Cipher) Suppose A and B are using the ElGamal public-key cipher to communicate with p = 1213 and e = 15. Suppose A sends a cipher tex c = (661, 193) to B. Find the plain text m. Solution: Here t = 193 and r = 661. Compute

>> p = 1213 p = 1213 >> t=193 t = 193 >> r=661 r = 661 >> e = 15 e = 15 >> r1 = powermod(r, -e, p) r1 = 924 >> mod(t*r1, p) ans = 21

Therefore, m =≡ tr−e ≡ 193 · 924 ≡ 21 (mod 1213). (9) Example: (ElGamal signature scheme) Bob receives m = 121 from Alice, together with (i) sigk(m, r) = (h, g) = (480, 532), and (ii) sigk(m, r) = (h, g) = (480, 21), Bob downloads Alice’s KE = (p, a, b) = (641, 3, 88). Which signature should Bob accepts? which one he should reject?

13 Solution: (i) For sigk(m, r) = (h, g) = (480, 532), Bob recognizes that b = 88, h = 480, and g = 532. He computes

>> p = 641 p = 641 >> a = 3 a = 3 >> b = 88 b = 88 >> h = 480 h = 480 >> g = 532 g = 532 >> d = mod(powermod(b, h, p) * powermod(h, g, p), p) d = 191 >> m = 121 m = 121 >> s = powermod(a, m, p) s = 300

Since s 6≡ d (mod 641), this should be rejected. (ii) For sigk(m, r) = (h, g) = (480, 21), Bob uses the previous data except g = 21. So he does the following computation.

>> g = 21 g = 21 >> d = mod(powermod(b, h, p) * powermod(h, g, p), p) d = 300 >> s = powermod(a, m, p) s = 300

As d ≡ s (mod 641), Bob accepts it.

14 Part 5: Chinese Remainder Theorem

(1) Chinese Remainder Theorem Applications Example: Find a solution x for the system ( x ≡ 3 (mod 5) . x ≡ 2 (mod 7)

>> crt([3,2], [5,7]) ans = 23

15 Part 6: Operations involving matrices modulo m (1) Creating a Matrix; Computing Inverse of a Matrix mod 26

(A) Input a matrix  1 2 3    Example Create a matrix M =  4 5 6 . 7 8 10

>> M = [1 2 3; 4 5 6; 7 8 10] M = 1 2 3 4 5 6 7 8 10 (B) Example Compute the inverse of M mod 26. To do that, we ﬁrst compute the inverse of M as it is a real number matrix. Then converted it to an integer valued matrix. In the last step, we take mod 26 in every entry, as shown below. Step 1: Compute the inverse of M. (We need the comment ”format rat;” to out put the rational numbers. Without it, the output might be decimals, and the next step will not work out easily.) >> format rat; >> Minv = inv(M) Minv = -2/3 -4/3 1 -2/3 11/3 -2 1 -2 1 Step 2: Need to rationalize this matrix before we take modulo m. Note that every fractional entry of Minv has a denominator 3. Multiply everything by 3 to make it an integer valued matrix. (You can also multiply 27 here as 27 ≡ 1 (mod 26)). >> M1=(Minv*3) M1 = -2 -4 3 -2 11 -6 3 -6 3 Step 3: Find the inverse of M (mod 26) by modifying M1. Note that 3−1 ≡ 9 (mod 26) >> M2=round(mod(M1*9, 26)) M2 = 8 16 1 8 21 24 1 24 1 Then M −1 = M2.

16 (2) Matrix Computations in matlab Example 1 Create a matrix  1 13 2    A =  3 4 1  . −2 16 1 >> A = [1 13 2; 3 4 1; -2 16 1] A = 1 13 2 3 4 1 -2 16 1 Example 2 Define a row vector (1, 2, 4, 5, 6). >> x = [1, 2, 4, 5, 6] x = 1 2 4 5 6 Example 3 Define a column vector (1, 2, 4, 5, 6)T . >> y = [1; 2; 4; 5; 6] y = 1 2 4 5 6 Example 3 Compute the matrix multiplication  1 13 2   2 7 1       3 4 1   0 1 12  . −2 16 1 −2 0 1 We can first define these matrix and then multiply them together. >> A = [1 13 2; 3 4 1; -2 16 1] A = 1 13 2 3 4 1 -2 16 1 >> B = [2 7 1; 0 1 12; -2 0 1] B = 2 7 1 0 1 12 -2 0 1 >> C = A*B

If we want to compute the matrix multiplication in Zm, for example, computing AB in Z26, then we use the following comment. >> mod(A*B, 26)

17 Part 7: Ciphers using blocks of size larger than 1 (1) Example: (encryption using blocks of size 3, or trigraphs) Choice of Parameters: Let p = 281, q = 167. Then n = 46927. Pick e = 39423. Thus the enciphering key is (46927, 39423) and the deciphering key is (46927, 26767). In order to use the English Alphabet in the messages, Bob also tells Alice to use base-N representation of the numerics with N = 26. Alice can key in the encryption keys. >> n = 46927 n = 46927 >> e = 39423 e = 39423 Bob needs to compute the deciphering key: >> f = eulerphi(n) f = 46480 >> d = powermod(e, -1, f) d = 26767 Encoding Process: To send a message YES to Bob, Alice first finds the numerical equivalent 2 of YES = (24 4 18)26 7→ P = 24(26) + 4(26) + 18 = 16346 (in base-10). >> m = 24*(26)^2 + 4*(26) + 18 m = 16346 m 39423 Next, Alice computes C = P = 16346 ≡ 21166 (mod 46927) in Zn: >> c= powermod(m,e, n) c = 21166 Alice then converts C to Base-26 numbers (You can use matlab to combine all of the following steps. I write down these steps for you to see what we are actually doing). Find the first digit: >> mod(c, 26) ans = 2 Find the second digit >> c = (c-2)/26 c = 814 >> mod(c, 26) ans = 8

18 Find the third digit >> c = (c-8)/26 c = 31 >> mod(c, 26) ans = 5 (As long as the current value of c = 31 > 26, Alice needs to continue) to ﬁnd the four digit. Find the third digit >> c = (c-5)/26 c = 1 Alice now stops as the current value of c = 1 < 26. This is obtained:

c = 21166 = (1582)26 7→ BFIC, and so Alice sends BFIC to Bob.

Decoding Process: Bob receives BFIC, and converts it to a base-10 number c = 1(26)3 + 5(26)2 + 8(26) + 2 = 21166, by matlab: >> c = 1*(26)^3 + 5*(26)^2 + 8*(26) + 2 c = 21166 d Then as Bob knows KD = (n, d), he computes m = c ≡ 16346 (mod n) by matlab: >> m = powermod(c, d, n) m = 16346 Then Bob converts m to the base-26 numbers to ﬁnd their English equivalent. >> mod(m, 26) ans = 18 >> m = (m-18)/26 m = 628 >> mod(m, 26) ans = 4 >> m = (m-4)/26 m = 24

(Bob stops as the current value is less than 26). So the message is (24 4 18)26 7→ YES.

19 Part 8: Elliptic Curve Computations (1) Graph the elliptic curve y2 = x3 − x over the real number ﬁeld R.

>> v =’y^2 - x*(x-1)*(x+1)’ v = y^2 - x*(x-1)*(x+1) >> ezplot(v, [-1,3,-5,5])

(2) Determine the elements in an elliptic curve over a finite field. In this example, we are to determine all the elements on the elliptic curve over the finite field F = Z17: E = {(x, y): y2 = x3 + x (mod 17)} ∪ {O}. To do that, we first compute the square table over F , which tells us what element in F can have a square root. This can be done by using powermod in matlab.

>> for k = [1:16], [k; powermod(k,2,17)]’, end ans = 0 0 ans = 1 1 ans = 2 4 ans = 3 9 ans = 4 16 ans = 5 8 ans = 6 2 ans = 7 15 ans = 8 13 ans = 9 13 ans = 10 15 ans = 11 2 ans = 12 8 ans = 13 16 ans =

20 14 9 ans = 15 4 ans = 16 1

This generates the following square root table mod p (p = 17 here).

0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 0 1 4 9 16 8 2 15 13 13 15 2 8 16 9 4 1

Clearly, (0, 0) ∈ E. Then, we compute x = 1, 2, ··· , 16 to solve the equation y2 = x3 + x 2 in Z17. For x = 1, y = 1 + 1 and so the square root table gives y = ±6. Hence (1, ±6) ∈ E. For x = 2, we have y2 = 8 + 2 = 10. the square root table tell us that there is no solution, and so we move onto the case x = 3. The following matlab comment computes all the needed information.

>> for x = [0:16], [x; mod(x^3+x, 17)]’, end ans = 0 0 ans = 1 2 ans = 2 10 ans = 3 13 ans = 4 0 ans = 5 11 ans = 6 1 ans = 7 10 ans = 8 10 ans = 9 7 ans = 10 7 ans = 11 16 ans = 12 6 ans = 13 0

21 ans = 14 4 ans = 15 7 ans = 16 15

In this way, we have

E = {(0, 0), (1, ±6), (3, ±8), (4, 0), (6, ±1), (11, ±4), (13, 0), (14, ±2), (16, ±7),O}.

(3) Add points (1, 3) + (3, 5) and (1, 3) + O on the curve y2 = x3 + 24x + 13 (mod 29). (Recall that O represent the inﬁnity).

>> addell([1,3], [3,5], 24, 13, 29) ans = 26 >> addell([1,3], [inf, inf], 24, 13, 29) ans = 1 3 >>

(4) Computing kP . For P = (1, 3) and an integer k > 0, we are to compute kP on the curve y2 = x3 + 24x + 13 (mod 29). If we want to compute k · P for one value of k, say k = 7, then we can do the following.

>> multell([1,3], 7, 24, 13, 29) ans = 15 6

Therefore, 7(1, 3) = (15, 6).

Now we compute k(1, 3) for each value of k = 1, 2, 3, ··· , 8.

>> multsell([1,3], 8, 24, 13, 29) ans = 1 3 11 10 23 28 0 10 19 7 18 19 15 6 20 24

Therefore,

2P = (11, 10) 3P = (23, 28)

22 4P = (0, 10) 5P = (19, 7) 6P = (18, 19) 7P = (15, 6) 8P = (20, 24)

(5) Example: What happens when P + −P ?

Let us add (1, 3) and (1, −3) on y2 ≡ x3 + 24x + 13 (mod 29).

>> addell([1,3], [1,-3], 24, 13, 29) ans = 1/0 1/0

Therefore, the answer is O = (inf, inf). Note that the 0 in the denominators is a 0 mod 29. (For example, the denominator could have been 58, as an integer).

(6) Computing nP by the double-and-add algorithm for the elliptic curve E below over F = Z1999: y2 = x3 + 1828x + 1675, with P = (1756, 348) and n = 11.

Initialization: Q = P = (1756, 348) and R = O.

Iteration: (Step 1) n = 11 is odd, R := R + Q = P + O = P = (1756, 348), Q := 2Q = (1526, 1612).

>> multell([1756,348],2,1828, 1675, 1999) ans = 1526 1612

Update n := b11/2c = 5.

(Step 2) n = 5 is odd, R := R + Q = (1756, 348) + (1526, 1612) = (1362, 998), Q := 2Q = (1675, 1579).

>> addell([1756,348], [1526,1612], 1828, 1675, 1999) ans = 1362 998 >> multell([1526,1612],2,1828, 1675, 1999) ans = 1657 1579

Update n := b5/2c = 2.

(Step 3) n = 2 is even, Q := 2Q = (1849, 225).

23 >> multell([1657,1579],2,1828, 1675, 1999) ans = 1849 225

Update n := b2/2c = 1.

(Step 4) n = 1 is odd, R := R + Q = (1362, 998) + (1849, 225) = (1068, 1540), Q := 2Q.

>> addell([1362,998], [1849,225], 1828, 1675, 1999) ans = 1068 1540

Update n := b1/2c = 0. (Since we know that n = 1 after the updating, we will stop at the next step and so there is no need to actually compute 2Q.)

(Step 5) n = 0, stop, and answer that 11 · P = R = (1068, 1540).