DOCSLIB.ORG

Reconfigurable Architectures for Cryptographic Systems

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
Reconfigurable Architectures for Cryptographic Systems Imperial College London Department of Computing Reconfigurable Architectures for Cryptographic Systems Adrien Le Masle Submitted in partial fulfilment of the requirements for the degree of Doctor of Philosophy in Computing of Imperial College London and the Diploma of Imperial College London 12th January, 2013 Declaration I herewith certify that all material in this dissertation which is not my own work has been duly acknowledged. Adrien Le Masle 3 Abstract Field Programmable Gate Arrays (FPGAs) are suitable platforms for implementing cryp- tographic algorithms in hardware due to their flexibility, good performance and low power con- sumption. Computer security is becoming increasingly important and security requirements such as key sizes are quickly evolving. This creates the need for customisable hardware designs for cryptographic operations capable of covering a large design space. In this thesis we explore the four design dimensions relevant to cryptography { speed, area, power consumption and security of the crypto-system { by developing parametric designs for public-key generation and encryption as well as side-channel attack countermeasures. There are four contributions. First, we present new architectures for Montgomery multiplication and exponentiation based on variable pipelining and variable serial replication. Our implementations of these architectures are compared to the best implementations in the literature and the design space is explored in terms of speed and area trade-offs. Second, we generalise our Montgomery multiplier design ideas by developing a parametric model to allow rapid optimisation of a general class of algorithms containing loops with depen- dencies carried from one iteration to the next. By predicting the throughput and the area of the design, our model facilitates and speeds up design space exploration. Third, we develop new architectures for primality testing including the first hardware ar- chitecture for the NIST approved Lucas primality test. We explore the area, speed and power consumption trade-offs by comparing our Lucas architectures on CPU, FPGA and ASIC. Finally, we tackle the security issue by presenting two novel power attack countermea- sures based on on-chip power monitoring. Our constant power framework uses a closed-loop control system to keep the power consumption of any FPGA implementation constant. Our attack detection framework uses a network of ring-oscillators to detect the insertion of a shunt resistor-based power measurement circuit on a device's power rail. This countermeasure is lightweight and has a relatively low power overhead compared to existing masking and hiding countermeasures. Acknowledgements I would like to express my greatest gratitude to my supervisor Prof. Wayne Luk for pointing at the right direction and giving me invaluable guidance throughout my research at Imperial College London. I am grateful to my second supervisor Dr. Cristian Cadar for his insightful comments on my work. I would like to acknowledge Gary Chow for his help on designing the constant power frame- work presented in chapter6, in particular its proposed architecture for the power consumer. I am grateful to Professor Csaba Andras Moritz for giving me invaluable support and sug- gestions on my work, as well as all the people at BlueRISC: Sylvia Moritz, Kris Carver, Jeff Gummeson, Felipe Vilas-Boas and Alan Boulanger. I express my gratitude to my fellow colleagues in the Custom Computing Group of Imperial College London: Dr. Tobias Becker, Brahim Betkaoui, Thomas Chau, Kit Cheung, Gary Chow, Dr. Gabriel De Figueiredo Coutinho, Stewart Denholm, Dr. Andreas Fidjeland, Gordon Inggs, Maciej Kurek, Qiwei Jin, Nicholas Ng, Xinyu Niu, Dr. Timothy Todman, Dr. Anson Tse, and Dr. Brittle Tsoi for their friendly support. I would like to thank my family and my long-time friends Aur´elieVillaume, Emilie Dupetit- magneux, Yoann Gasque, and J´er^omeRaymond for their love and encouragement. Special thanks to all my UK friends for providing happiness and unforgettable memories to my PhD life, in particular: Nuri Purswani, Felipe Nascimento, Sofia Galligani, Sabine Wilke, Laith Sami, Magdalena Wiktoria Sliwinska, Ian Gladman, Cindy Bhagwandin, Florence Picoli, Tiffany Boutwood, Katy Evans, Joseph K. Ansah, Edward L. Albino Torres, and Kathleen Diane Gosling. The financial support of BlueRISC and UK EPSRC is gratefully acknowledged. 7 Contents Declaration 3 Abstract 5 Acknowledgements7 Contents 9 List of Figures 15 List of Tables 19 List of Algorithms 21 1 Introduction 23 1.1 Motivation....................................... 23 1.2 Contributions..................................... 25 1.3 Thesis organisation.................................. 28 1.4 Publications...................................... 29 2 Background 31 2.1 Field Programmable Gate Arrays (FPGAs)..................... 31 2.1.1 Device structure................................ 31 2.1.2 Tools...................................... 33 2.1.3 Applications.................................. 34 2.2 Symmetric-key cryptography............................. 36 9 2.2.1 Principles................................... 36 2.2.2 Cryptanalysis and brute-force attacks.................... 38 2.2.3 Data Encryption Standard (DES)...................... 40 2.2.4 Advanced Encryption Standard (AES)................... 43 2.3 Public-key cryptography............................... 48 2.3.1 Principles................................... 48 2.3.2 Requirements................................. 50 2.3.3 Key sizes................................... 51 2.3.4 RSA...................................... 51 2.4 Side-channel attacks................................. 54 2.4.1 FPGA power consumption.......................... 55 2.4.2 Power analysis................................ 57 2.4.3 Countermeasures............................... 59 2.5 Summary....................................... 60 3 Parametric Montgomery Multiplier Architecture 61 3.1 Motivation....................................... 61 3.2 Introduction to Montgomery Arithmetic...................... 62 3.2.1 Montgomery multiplication algorithm.................... 62 3.2.2 Hardware implementations of the Montgomery algorithm......... 66 3.2.3 Montgomery modular exponentiation.................... 69 3.3 Scalable Montgomery multiplier architecture.................... 70 3.4 Application to modular exponentiation....................... 74 3.4.1 Basic Montgomery exponentiator...................... 74 3.4.2 Adding interleaved exponentiation support................. 75 3.5 Design space exploration and comparison to existing architectures........ 78 3.6 Summary....................................... 86 4 Mapping Loop Structures onto Parametrised Hardware Pipelines 89 4.1 Motivation....................................... 89 10 4.2 Main idea....................................... 91 4.3 General bit by bit processing algorithm with loop-carried dependency...... 93 4.4 Mapping of the algorithm to the parametric hardware description........ 94 4.5 Modelling of the architecture............................. 98 4.5.1 Latency and throughput........................... 98 4.5.2 Frequency................................... 100 4.5.3 Area...................................... 101 4.5.4 Constraints.................................. 102 4.5.5 Throughput optimisation........................... 103 4.6 Optimising the design................................ 103 4.6.1 Determining the values of the parameters.................. 103 4.6.2 Design generation and optimisation process................ 105 4.7 Accuracy and design space exploration results................... 106 4.7.1 Accuracy of the model............................ 106 4.7.2 Design space exploration........................... 110 4.8 Summary....................................... 111 5 Novel Architectures for Probabilistic Primality Testing 113 5.1 Motivation....................................... 113 5.2 Probabilistic primality testing............................ 115 5.2.1 Fermat primality test............................. 115 5.2.2 Miller-Rabin primality test.......................... 116 5.2.3 Lucas primality test............................. 117 5.2.4 Combining tests................................ 121 5.3 Miller-Rabin primality test architecture....................... 122 5.4 Lucas primality test.................................. 123 5.4.1 Challenge 1: Jacobi symbol calculator................... 125 5.4.2 Challenge 2: Lucas sequence calculator................... 125 5.4.3 Challenge 3: scheduling........................... 128 5.4.4 Lucas prime tester.............................. 130 11 5.5 Speed/Area/Power trade-off of FPGA and ASIC implementations........ 131 5.5.1 FPGA implementation of our Miller-Rabin architecture.......... 131 5.5.2 FPGA and ASIC implementations of our Lucas architecture....... 132 5.6 Summary....................................... 136 6 Power Attacks Countermeasures Involving On-Chip Monitoring 139 6.1 Motivation....................................... 139 6.2 Power attack measurement settings......................... 141 6.3 On-chip power monitoring with ring oscillators................... 142 6.4 Constant power reconfigurable computing..................... 144 6.4.1 Principles................................... 144 6.4.2 On-chip power consumer........................... 147 6.4.3 Power controller................................ 147 6.4.4 Evaluation................................... 152 6.5 Detecting Power Attacks............................... 156 6.5.1 Principles..................................
Load more

Recommended publications
  • Efficient Regular Modular Exponentiation Using
    J Cryptogr Eng (2017) 7:245–253 DOI 10.1007/s13389-016-0134-5 SHORT COMMUNICATION Efficient regular modular exponentiation using multiplicative half-size splitting Christophe Negre1,2 · Thomas Plantard3,4 Received: 14 August 2015 / Accepted: 23 June 2016 / Published online: 13 July 2016 © Springer-Verlag Berlin Heidelberg 2016 Abstract In this paper, we consider efficient RSA modular x K mod N where N = pq with p and q prime. The private exponentiations x K mod N which are regular and con- data are the two prime factors of N and the private exponent stant time. We first review the multiplicative splitting of an K used to decrypt or sign a message. In order to insure a integer x modulo N into two half-size integers. We then sufficient security level, N and K are chosen large enough take advantage of this splitting to modify the square-and- to render the factorization of N infeasible: they are typically multiply exponentiation as a regular sequence of squarings 2048-bit integers. The basic approach to efficiently perform always followed by a multiplication by a half-size inte- the modular exponentiation is the square-and-multiply algo- ger. The proposed method requires around 16% less word rithm which scans the bits ki of the exponent K and perform operations compared to Montgomery-ladder, square-always a sequence of squarings followed by a multiplication when and square-and-multiply-always exponentiations. These the- ki is equal to one. oretical results are validated by our implementation results When the cryptographic computations are performed on which show an improvement by more than 12% compared an embedded device, an adversary can monitor power con- approaches which are both regular and constant time.
    [Show full text]
  • Miller-Rabin Primality Test (Java)
    Miller-Rabin primality test (Java) Other implementations: C | C, GMP | Clojure | Groovy | Java | Python | Ruby | Scala The Miller-Rabin primality test is a simple probabilistic algorithm for determining whether a number is prime or composite that is easy to implement. It proves compositeness of a number using the following formulas: Suppose 0 < a < n is coprime to n (this is easy to test using the GCD). Write the number n−1 as , where d is odd. Then, provided that all of the following formulas hold, n is composite: for all If a is chosen uniformly at random and n is prime, these formulas hold with probability 1/4. Thus, repeating the test for k random choices of a gives a probability of 1 − 1 / 4k that the number is prime. Moreover, Gerhard Jaeschke showed that any 32-bit number can be deterministically tested for primality by trying only a=2, 7, and 61. [edit] 32-bit integers We begin with a simple implementation for 32-bit integers, which is easier to implement for reasons that will become apparent. First, we'll need a way to perform efficient modular exponentiation on an arbitrary 32-bit integer. We accomplish this using exponentiation by squaring: Source URL: http://www.en.literateprograms.org/Miller-Rabin_primality_test_%28Java%29 Saylor URL: http://www.saylor.org/courses/cs409 ©Spoon! (http://www.en.literateprograms.org/Miller-Rabin_primality_test_%28Java%29) Saylor.org Used by Permission Page 1 of 5 <<32-bit modular exponentiation function>>= private static int modular_exponent_32(int base, int power, int modulus) { long result = 1; for (int i = 31; i >= 0; i--) { result = (result*result) % modulus; if ((power & (1 << i)) != 0) { result = (result*base) % modulus; } } return (int)result; // Will not truncate since modulus is an int } int is a 32-bit integer type and long is a 64-bit integer type.
    [Show full text]
  • RSA Power Analysis Obfuscation: a Dynamic FPGA Architecture John W
    Air Force Institute of Technology AFIT Scholar Theses and Dissertations Student Graduate Works 3-22-2012 RSA Power Analysis Obfuscation: A Dynamic FPGA Architecture John W. Barron Follow this and additional works at: https://scholar.afit.edu/etd Part of the Electrical and Computer Engineering Commons Recommended Citation Barron, John W., "RSA Power Analysis Obfuscation: A Dynamic FPGA Architecture" (2012). Theses and Dissertations. 1078. https://scholar.afit.edu/etd/1078 This Thesis is brought to you for free and open access by the Student Graduate Works at AFIT Scholar. It has been accepted for inclusion in Theses and Dissertations by an authorized administrator of AFIT Scholar. For more information, please contact [email protected]. RSA POWER ANALYSIS OBFUSCATION: A DYNAMIC FPGA ARCHITECTURE THESIS John W. Barron, Captain, USAF AFIT/GE/ENG/12-02 DEPARTMENT OF THE AIR FORCE AIR UNIVERSITY AIR FORCE INSTITUTE OF TECHNOLOGY Wright-Patterson Air Force Base, Ohio APPROVED FOR PUBLIC RELEASE; DISTRIBUTION UNLIMITED. The views expressed in this thesis are those of the author and do not reflect the official policy or position of the United States Air Force, Department of Defense, or the United States Government. This material is declared a work of the U.S. Government and is not subject to copyright protection in the United States. AFIT/GE/ENG/12-02 RSA POWER ANALYSIS OBFUSCATION: A DYNAMIC FPGA ARCHITECTURE THESIS Presented to the Faculty Department of Electrical and Computer Engineering Graduate School of Engineering and Management Air Force Institute of Technology Air University Air Education and Training Command In Partial Fulfillment of the Requirements for the Degree of Master of Science in Electrical Engineering John W.
    [Show full text]
  • THE MILLER–RABIN PRIMALITY TEST 1. Fast Modular
    THE MILLER{RABIN PRIMALITY TEST 1. Fast Modular Exponentiation Given positive integers a, e, and n, the following algorithm quickly computes the reduced power ae % n. • (Initialize) Set (x; y; f) = (1; a; e). • (Loop) While f > 1, do as follows: { If f%2 = 0 then replace (x; y; f) by (x; y2 % n; f=2), { otherwise replace (x; y; f) by (xy % n; y; f − 1). • (Terminate) Return x. The algorithm is strikingly efficient both in speed and in space. To see that it works, represent the exponent e in binary, say e = 2f + 2g + 2h; 0 ≤ f < g < h: The algorithm successively computes (1; a; 2f + 2g + 2h) f (1; a2 ; 1 + 2g−f + 2h−f ) f f (a2 ; a2 ; 2g−f + 2h−f ) f g (a2 ; a2 ; 1 + 2h−g) f g g (a2 +2 ; a2 ; 2h−g) f g h (a2 +2 ; a2 ; 1) f g h h (a2 +2 +2 ; a2 ; 0); and then it returns the first entry, which is indeed ae. 2. The Fermat Test and Fermat Pseudoprimes Fermat's Little Theorem states that for any positive integer n, if n is prime then bn mod n = b for b = 1; : : : ; n − 1. In the other direction, all we can say is that if bn mod n = b for b = 1; : : : ; n − 1 then n might be prime. If bn mod n = b where b 2 f1; : : : ; n − 1g then n is called a Fermat pseudoprime base b. There are 669 primes under 5000, but only five values of n (561, 1105, 1729, 2465, and 2821) that are Fermat pseudoprimes base b for b = 2; 3; 5 without being prime.
    [Show full text]
  • Modular Exponentiation: Exercises
    Modular Exponentiation: Exercises 1. Compute the following using the method of successive squaring: (a) 250 (mod 101) (b) 350 (mod 101) (c) 550 (mod 101). 2. Using an example from this lecture, compute 450 (mod 101) with no effort. How did you do it? 3. Explain how we could have predicted the answer to problem 1(a) with no effort. 4. Compute the following using the method of successive squaring: 50 58 44 (a) (3) in Z=101Z (b) (3) in Z=61Z (c)(4) in Z=51Z. 5000 5. Compute (78) in Z=79Z, and explain why this calculation is so very trivial. 4999 What is (78) in Z=79Z? 60 6. Fermat's Little Theorem says that (3) = 1 in Z=61Z. Use this fact to 58 compute (3) in Z=61Z (see problem 4(b) above) without using successive squaring, but by computing the inverse of (3)2 instead, for instance by the Euclidean algorithm. Explain why this works. 7. We may see later on that the set of all a 2 Z=mZ such that gcd(a; m) = 1 is a group. Let '(m) be the number of elements in this group, which is often × × denoted by (Z=mZ) . It turns out that for each a 2 (Z=mZ) , some power × of a must be equal to 1. The order of any a in the group (Z=mZ) is by definition the smallest positive integer e such that (a)e = 1. × (a) Compute the orders of all the elements of (Z=11Z) . × (b) Compute the orders of all the elements of (Z=17Z) .
    [Show full text]
  • Lecture 19 1 Readings 2 Introduction 3 Shor's Order-Finding Algorithm
    C/CS/Phys 191 Shor’s order (period) finding algorithm and factoring 11/01/05 Fall 2005 Lecture 19 1 Readings Benenti et al., Ch. 3.12 - 3.14 Stolze and Suter, Quantum Computing, Ch. 8.3 Nielsen and Chuang, Quantum Computation and Quantum Information, Ch. 5.2 - 5.3, 5.4.1 (NC use phase estimation for this, which we present in the next lecture) literature: Ekert and Jozsa, Rev. Mod. Phys. 68, 733 (1996) 2 Introduction With a fast algorithm for the Quantum Fourier Transform in hand, it is clear that many useful applications should be possible. Fourier transforms are typically used to extract the periodic components in functions, so this is an immediate one. One very important example is finding the period of a modular exponential function, which is also known as order-finding. This is a key element of Shor’s algorithm to factor large integers N. In Shor’s algorithm, the quantum algorithm for order-finding is combined with a series of efficient classical computational steps to make an algorithm that is overall polynomial in the input size 2 n = log2N, scaling as O(n lognloglogn). This is better than the best known classical algorithm, the number field sieve, which scales superpolynomially in n, i.e., as exp(O(n1/3(logn)2/3)). In this lecture we shall first present the quantum algorithm for order-finding and then summarize how this is used together with tools from number theory to efficiently factor large numbers. 3 Shor’s order-finding algorithm 3.1 modular exponentiation Recall the exponential function ax.
    [Show full text]
  • Number Theory
    CS 5002: Discrete Structures Fall 2018 Lecture 5: October 4, 2018 1 Instructors: Tamara Bonaci, Adrienne Slaugther Disclaimer: These notes have not been subjected to the usual scrutiny reserved for formal publications. They may be distributed outside this class only with the permission of the Instructor. Number Theory Readings for this week: Rosen, Chapter 4.1, 4.2, 4.3, 4.4 5.1 Overview 1. Review: set theory 2. Review: matrices and arrays 3. Number theory: divisibility and modular arithmetic 4. Number theory: prime numbers and greatest common divisor (gcd) 5. Number theory: solving congruences 6. Number theory: modular exponentiation and Fermat's little theorem 5.2 Introduction In today's lecture, we will dive into the branch of mathematics, studying the set of integers and their properties, known as number theory. Number theory has very important practical implications in computer science, but also in our every day life. For example, secure online communication, as we know it today, would not be possible without number theory because many of the encryption algorithms used to enable secure communication rely heavily of some famous (and in some cases, very old) results from number theory. We will first introduce the notion of divisibility of integers. From there, we will introduce modular arithmetic, and explore and prove some important results about modular arithmetic. We will then discuss prime numbers, and show that there are infinitely many primes. Finaly, we will explain how to solve linear congruences, and systems of linear congruences. 5-1 5-2 Lecture 5: October 4, 2018 5.3 Review 5.3.1 Set Theory In the last lecture, we talked about sets, and some of their properties.
    [Show full text]
  • Lecture Slides
    CSE 291-I: Applied Cryptography Nadia Heninger UCSD Spring 2020 Lecture 8 Legal Notice The Zoom session for this class will be recorded and made available asynchronously on Canvas to registered students. Announcements 1. HW 3 is due today! Volunteer to grade! 2. HW 4 is due before class in 1 week, April 29. I fixed an error so check the web page again: API_KEY should be 256 bits. Last time: Authenticated encryption This time: Number theory review Fundamental theorem of arithemtic Theorem e e Every n Z n = 0 has unique factorization n = p 1 p 2 ...per 2 6 ± 1 2 r with pi distinct primes and ei positive integers. Division and remainder Theorem a, b Z, b > 0, unique q, r Z s.t. a = bq + r, 0 r < b. 2 9 2 r a mod bamod b = a b a ⌘ − b b c Because we’re in CS, we also write r = a mod b. b a a mod b = 0 | () a = b mod N: (a mod N)=(b mod N) a = b mod N N (a b) () | − - l isan ok N l (b-a) too l ) multiplier Proof. Let I = sa + rb r, s Z Let d be the smallest positive elt. of I . { | 2 } d divides every element of I : • 1. Choose c = sc a + rc b. 2. c = qd + r: r = c qd = s a r b q(ax +by )=(s qx)a+(r qy)b I − c − c − c − c − 2 Thus r = 0byminimalityofd, thus d c. | d is largest: Assume d > d s.t.
    [Show full text]
  • Phatak Primality Test (PPT)
    PPT : New Low Complexity Deterministic Primality Tests Leveraging Explicit and Implicit Non-Residues A Set of Three Companion Manuscripts PART/Article 1 : Introducing Three Main New Primality Conjectures: Phatak’s Baseline Primality (PBP) Conjecture , and its extensions to Phatak’s Generalized Primality Conjecture (PGPC) , and Furthermost Generalized Primality Conjecture (FGPC) , and New Fast Primailty Testing Algorithms Based on the Conjectures and other results. PART/Article 2 : Substantial Experimental Data and Evidence1 PART/Article 3 : Analytic Proofs of Baseline Primality Conjecture for Special Cases Dhananjay Phatak ([email protected]) and Alan T. Sherman2 and Steven D. Houston and Andrew Henry (CSEE Dept. UMBC, 1000 Hilltop Circle, Baltimore, MD 21250, U.S.A.) 1 No counter example has been found 2 Phatak and Sherman are affiliated with the UMBC Cyber Defense Laboratory (CDL) directed by Prof. Alan T. Sherman Overall Document (set of 3 articles) – page 1 First identification of the Baseline Primality Conjecture @ ≈ 15th March 2018 First identification of the Generalized Primality Conjecture @ ≈ 10th June 2019 Last document revision date (time-stamp) = August 19, 2019 Color convention used in (the PDF version) of this document : All clickable hyper-links to external web-sites are brown : For example : G. E. Pinch’s excellent data-site that lists of all Carmichael numbers <10(18) . clickable hyper-links to references cited appear in magenta. Ex : G.E. Pinch’s web-site mentioned above is also accessible via reference [1] All other jumps within the document appear in darkish-green color. These include Links to : Equations by the number : For example, the expression for BCC is specified in Equation (11); Links to Tables, Figures, and Sections or other arbitrary hyper-targets.
    [Show full text]
  • Download This PDF File
    International Journal of Electrical and Computer Engineering (IJECE) Vol. 10, No. 2, April 2020, pp. 1469~1476 ISSN: 2088-8708, DOI: 10.11591/ijece.v10i2.pp1469-1476 1469 The new integer factorization algorithm based on fermat’s factorization algorithm and euler’s theorem Kritsanapong Somsuk Department of Computer and Communication Engineering, Faculty of Technology, Udon Thani Rajabhat University, Udon Thani, 41000, Thailand Article Info ABSTRACT Article history: Although, Integer Factorization is one of the hard problems to break RSA, many factoring techniques are still developed. Fermat’s Factorization Received Apr 7, 2019 Algorithm (FFA) which has very high performance when prime factors are Revised Oct 7, 2019 close to each other is a type of integer factorization algorithms. In fact, there Accepted Oct 20, 2019 are two ways to implement FFA. The first is called FFA-1, it is a process to find the integer from square root computing. Because this operation takes high computation cost, it consumes high computation time to find the result. Keywords: The other method is called FFA-2 which is the different technique to find prime factors. Although the computation loops are quite large, there is no Computation loops square root computing included into the computation. In this paper, Euler’s theorem the new efficient factorization algorithm is introduced. Euler’s theorem is Fermat’s factorization chosen to apply with FFA to find the addition result between two prime Integer factorization factors. The advantage of the proposed method is that almost of square root Prime factors operations are left out from the computation while loops are not increased, they are equal to the first method.
    [Show full text]
  • LARGE PRIME NUMBERS This Writeup Is Modeled Closely on A
    LARGE PRIME NUMBERS This writeup is modeled closely on a writeup by Paul Garrett. See, for example, http://www-users.math.umn.edu/~garrett/crypto/overview.pdf 1. Fast Modular Exponentiation Given positive integers a, e, and n, the following algorithm quickly computes the reduced power ae % n. (Here x % n denotes the element of f0; ··· ; n − 1g that is congruent to x modulo n. Note that x % n is not an element of Z=nZ since such elements are cosets rather than coset representatives.) • (Initialize) Set (x; y; f) = (1; a; e). • (Loop) While f > 0, do as follows: { If f%2 = 0 then replace (x; y; f) by (x; y2 % n; f=2), { otherwise replace (x; y; f) by (xy % n; y; f − 1). • (Terminate) Return x. The algorithm is strikingly efficient both in speed and in space. Especially, the operations on f (halving it when it is even, decrementing it when it is odd) are very simple in binary. To see that the algorithm works, represent the exponent e in binary, say e = 2g + 2h + 2k; 0 ≤ g < h < k: The algorithm successively computes (1; a; 2g + 2h + 2k) g (1; a2 ; 1 + 2h−g + 2k−g) g g (a2 ; a2 ; 2h−g + 2k−g) g h (a2 ; a2 ; 1 + 2k−h) g h h (a2 +2 ; a2 ; 2k−h) g h k (a2 +2 ; a2 ; 1) g h k k (a2 +2 +2 ; a2 ; 0); and then it returns the first entry, which is indeed ae. Fast modular exponentiation is not only for computers. For example, to compute 237 % 149, proceed as follows, (1; 2; 37) ! (2; 2; 36) ! (2; 4; 18) ! (2; 16; 9) ! (32; 16; 8) ! (32; −42; 4) ! (32; −24; 2) ! (32; −20; 1) ! ( 105 ; −20; 0): 2.
    [Show full text]
  • Modern Computer Arithmetic (Version 0.5. 1)
    Modern Computer Arithmetic Richard P. Brent and Paul Zimmermann Version 0.5.1 arXiv:1004.4710v1 [cs.DS] 27 Apr 2010 Copyright c 2003-2010 Richard P. Brent and Paul Zimmermann This electronic version is distributed under the terms and conditions of the Creative Commons license “Attribution-Noncommercial-No Derivative Works 3.0”. You are free to copy, distribute and transmit this book under the following conditions: Attribution. You must attribute the work in the manner specified • by the author or licensor (but not in any way that suggests that they endorse you or your use of the work). Noncommercial. You may not use this work for commercial purposes. • No Derivative Works. You may not alter, transform, or build upon • this work. For any reuse or distribution, you must make clear to others the license terms of this work. The best way to do this is with a link to the web page below. Any of the above conditions can be waived if you get permission from the copyright holder. Nothing in this license impairs or restricts the author’s moral rights. For more information about the license, visit http://creativecommons.org/licenses/by-nc-nd/3.0/ Contents Contents iii Preface ix Acknowledgements xi Notation xiii 1 Integer Arithmetic 1 1.1 RepresentationandNotations . 1 1.2 AdditionandSubtraction . .. 2 1.3 Multiplication . 3 1.3.1 Naive Multiplication . 4 1.3.2 Karatsuba’s Algorithm . 5 1.3.3 Toom-Cook Multiplication . 7 1.3.4 UseoftheFastFourierTransform(FFT) . 8 1.3.5 Unbalanced Multiplication . 9 1.3.6 Squaring.......................... 12 1.3.7 Multiplication by a Constant .
    [Show full text]