epfl-ic-iif-lacal marcelo e. kaihara april 27 th , 2007
DESCRIPTION
Algorithms for public-key cryptology Montgomery Arithmetic. EPFL-IC-IIF-LACAL Marcelo E. Kaihara April 27 th , 2007. Motivation. RSA:. ElGamal:. Most of the time computing modular multiplications. Need of efficient algorithms for modular multiplication . Notation. - PowerPoint PPT PresentationTRANSCRIPT
EPFL-IC-IIF-LACALMarcelo E. Kaihara
April 27th, 2007
Algorithms for public-key cryptology
Montgomery Arithmetic
RSA:
ElGamal:)k,x(:eK
Motivation
y:dK
x:eK m mod xy em mod yx d
p) mod x y , p mod y( k2
k1
)y,y(:d 21K p mod yyx a12
Need of efficient algorithms for modular multiplication
Most of the time computing modular multiplications
Radix representation
012s
2s1s
1s
1s
0i
ii
m Bm BmBm
Bmm
b2B 64or 32b
NotationMultiple-precision integer arithmetic
Radix
depending on the processor
0m if 0 (normalized)
General overview
v~u~
u~v~
uv
z
z~
vu
Ordinary Representation Montgomery Representation
Sequential multiplications performed in Montgomery representation
Montgomery Multiplication
Isomorphic
u
Ordinary Representation Montgomery Representation
)* ,( ),(
Montgomery radix
Montgomery Multiplication
m mod Ruu~
v
m mod )vu( vu m mod Rv~u~ v~*u~ 1
m mod Rvv~
1m)gcd(R, ,mBR s
Montgomery Multiplication
Definition
m mod Rv~u~v~*u~ 1
integer odd large :mDefinition:
)BR usually( smR
1B)gcd(m,, ZZ m/v~,u~
How to compute?m mod Rv~u~v~*u~ 1
*u~v~
m
z~0;z~
)i1;-si0;(ifor
B; mod )mz~(q 100M
Algorithm
;v~u~z~z~ i
B; div )mqz~(z~ M
m;-z~z~ then mz~ if
{
}
*
How to compute?m mod Rv~u~v~*u~ 1
u~v~
m
z~0;z~
)i1;-si0;(ifor
B; mod )mz~(q 100M
Algorithm
m;-z~z~ then mz~ if
{
}
;v~u~z~z~ i
B; div )mqz~(z~ M
*
How to compute?m mod Rv~u~v~*u~ 1
u~v~
m
z~0;z~
)i1;-si0;(ifor
B; mod )mz~(q 100M
Algorithm
;v~u~z~z~ i
B; div )mqz~(z~ M
m;-z~z~ then mz~ if
{
}
*
How to compute?m mod Rv~u~v~*u~ 1
u~v~
m
z~0;z~
)i1;-si0;(ifor
B; mod )mz~(q 100M
Algorithm
;v~u~z~z~ i
B; div )mqz~(z~ M
m;-z~z~ then mz~ if
{
}
*
How to compute?m mod Rv~u~v~*u~ 1
u~v~
m
z~0;z~
)i1;-si0;(ifor
B; mod )mz~(q 100M
Algorithm
m;-z~z~ then mz~ if
{
}
;v~u~z~z~ i
B; div )mqz~(z~ M
*
How to compute?m mod Rv~u~v~*u~ 1
u~v~
m
z~0;z~
)i1;-si0;(ifor
B; mod )mz~(q 100M
Algorithm
;v~u~z~z~ i
B; div )mqz~(z~ M
m;-z~z~ then mz~ if
{
}
*
How to compute?m mod Rv~u~v~*u~ 1
u~v~
m
z~0;z~
)i1;-si0;(ifor
B; mod )mz~(q 100M
Algorithm
;v~u~z~z~ i
B; div )mqz~(z~ M
m;-z~z~ then mz~ if
{
}
How to compute?m mod Rv~u~v~*u~ 1
*u~v~
m
z~0;z~
)i1;-si0;(ifor
B; mod )mz~(q 100M
Algorithm
;v~u~z~z~ i
B; div )mqz~(z~ M
m;-z~z~ then mz~ if
{
}
*
How to compute?m mod Rv~u~v~*u~ 1
u~v~
m
z~0;z~
)i1;-si0;(ifor
B; mod )mz~(q 100M
Algorithm
;v~u~z~z~ i
B; div )mqz~(z~ M
m;-z~z~ then mz~ if
{
}
*
How to compute?m mod Rv~u~v~*u~ 1
u~v~
m
z~0;z~
)i1;-si0;(ifor
B; mod )mz~(q 100M
Algorithm
;v~u~z~z~ i
B; div )mqz~(z~ M
m;-z~z~ then mz~ if
{
}
*
How to compute?m mod Rv~u~v~*u~ 1
u~v~
m
z~0;z~
)i1;-si0;(ifor
B; mod )mz~(q 100M
Algorithm
;v~u~z~z~ i
B; div )mqz~(z~ M
m;-z~z~ then mz~ if
{
}
*
How to compute?m mod Rv~u~v~*u~ 1
u~v~
m
z~0;z~
)i1;-si0;(ifor
B; mod )mz~(q 100M
Algorithm
;v~u~z~z~ i
B; div )mqz~(z~ M
m;-z~z~ then mz~ if
{
}
How to compute?m mod Rv~u~v~*u~ 1
*u~v~
m
z~0;z~
)i1;-si0;(ifor
B; mod )mz~(q 100M
Algorithm
;v~u~z~z~ i
B; div )mqz~(z~ M
m;-z~z~ then mz~ if
{
} B mod m)B) mod mz~(z~( 1
00
B mod B)) mod mmz~(z~( 100
0B mod )z~z~( 0
*
How to compute?m mod Rv~u~v~*u~ 1
u~v~
m
z~0;z~
)i1;-si0;(ifor
B; mod )mz~(q 100M
Algorithm
m;-z~z~ then mz~ if
{
}
0i )1B(mz~
m2B)1B(m2
B)1B(m)1B(mz~
;v~u~z~z~ i
B; div )mqz~(z~ M
*
How to compute?m mod Rv~u~v~*u~ 1
u~v~
m
z~0;z~
)i1;-si0;(ifor
B; mod )mz~(q 100M
Algorithm
;v~u~z~z~ i
B; div )mqz~(z~ M
m;-z~z~ then mz~ if
{
}
*
How to compute?m mod Rv~u~v~*u~ 1
u~v~
m
z~0;z~
)i1;-si0;(ifor
B; mod )mz~(q 100M
Algorithm
;v~u~z~z~ i
B; div )mqz~(z~ M
m;-z~z~ then mz~ if
{
}
*
How to compute?m mod Rv~u~v~*u~ 1
u~v~
m
z~0;z~
)i1;-si0;(ifor
B; mod )mz~(q 100M
Algorithm
m;-z~z~ then mz~ if
{
}
1i m2z~0
)1B(mm2z~
B)1B(m)1B(mm2z~
m2B)1B1B2(m
;v~u~z~z~ i
B; div )mqz~(z~ M
*
How to compute?m mod Rv~u~v~*u~ 1
u~v~
m
z~0;z~
)i1;-si0;(ifor
B; mod )mz~(q 100M
Algorithm
;v~u~z~z~ i
B; div )mqz~(z~ M
m;-z~z~ then mz~ if
{
}
*
How to compute?m mod Rv~u~v~*u~ 1
u~v~
m
z~0;z~
)i1;-si0;(ifor
B; mod )mz~(q 100M
Algorithm
;v~u~z~z~ i
B; div )mqz~(z~ M
m;-z~z~ then mz~ if
{
}
How to compute?m mod Rv~u~v~*u~ 1
*u~v~
m
z~0;z~
)i1;-si0;(ifor
B; mod )mz~(q 100M
Algorithm
;v~u~z~z~ i
B; div )mqz~(z~ M
m;-z~z~ then mz~ if
{
}
*
How to compute?m mod Rv~u~v~*u~ 1
u~v~
m
z~0;z~
)i1;-si0;(ifor
B; mod )mz~(q 100M
Algorithm
;v~u~z~z~ i
B; div )mqz~(z~ M
m;-z~z~ then mz~ if
{
}
*
How to compute?m mod Rv~u~v~*u~ 1
u~v~
m
z~0;z~
)i1;-si0;(ifor
B; mod )mz~(q 100M
Algorithm
;v~u~z~z~ i
B; div )mqz~(z~ M
m;-z~z~ then mz~ if
{
}
*
How to compute?m mod Rv~u~v~*u~ 1
u~v~
m
z~0;z~
)i1;-si0;(ifor
B; mod )mz~(q 100M
Algorithm
;v~u~z~z~ i
B; div )mqz~(z~ M
m;-z~z~ then mz~ if
{
}
*
How to compute?m mod Rv~u~v~*u~ 1
u~v~
m
z~0;z~
)i1;-si0;(ifor
B; mod )mz~(q 100M
Algorithm
;v~u~z~z~ i
B; div )mqz~(z~ M
m;-z~z~ then mz~ if
{
}
How to compute?sBR
z~m mod Bv~u~m mod BBv~u~ ss1s
0i
ii
m mod B )Bv~u~Bv~u~Bv~u~Bv~u~( s00
11
2s2s
1s1s
m mod Bv~u~Bv~u~Bv~u~Bv~u~ s0
1s1
22s
11s
m mod m) mod B)v~u~m mod B)v~u~ m mod B)v~u~m mod Bv~u~((((
11s
12s
11
10
m mod Rv~u~v~*u~ 1
How to compute?m mod Rv~u~v~*u~ 1
*u~v~
m
*u~v~
m
mqM
mqM
mqM
mqM
mqM mqM
mqM mqM
Subtraction-less Montgomery multiplication
0;z~
)is;i0;(ifor
B; mod )mz~(q 100M
Algorithm
m;-z~z~ )mz~( if
{
}
1]-[0,2mv~,u~
m4R
m mod Rv~u~v~*u~ 1
0i )1B(m2z~
m4B)1B(m3 B
)1B(m)1B(m2z~
;v~u~z~z~ i
B; div )mqz~(z~ M
Subtraction-less Montgomery multiplication
0;z~
)is;i0;(ifor
B; mod )mz~(q 100M
Algorithm
m;-z~z~ )mz~( if
{
}
m mod Rv~u~v~*u~ 1
m4z~0
)1B(m2m4z~
B)1B(m)1B(m2m4z~
m4B)1B2B24(m
1]-[0,2mv~,u~
m4R
1i
;v~u~z~z~ i
B; div )mqz~(z~ M
Subtraction-less Montgomery multiplication
0;z~
)is;i0;(ifor
B; mod )mz~(q 100M
Algorithm
m;-z~z~ )mz~( if
{
}
m mod Rv~u~v~*u~ 1
1]-[0,2mv~,u~
m4R
*u~v~
m
z~si
m4z~0
B)1B(mm)12/B(m4z~
2/Bv~s
;v~u~z~z~ i
B; div )mqz~(z~ M
m2B)2B)2/3((mz~
)4B(
Ordinary Representation Montgomery Representation
Conversion back and forth from ordinary representation and Montgomery representation
u )m mod R(*u 2
m mod Ruu~
z 1*z~ m mod Rzz~
m mod Rv~u~v~*u~ 1
m mod R1)Rz( 1
m mod RRu - 12
How to compute R2 mod m ?
Ordinary Representation Montgomery Representation
Montgomery Bootstrapping
u )m mod R(*u 2
m mod Ruu~
m mod 2 ks
m mod 22 ks
m mod 2 m mod 222~ ks
~
m mod 2 ks
m mod Rm mod 22
m mod 2
2
ksks
ks
bits 64or 32k ks2R
What about modular inversion?Ordinary Representation Montgomery Representation
u m mod Ruu~
m mod u 1 m mod Ru 1
m mod RRRm) mod (R*m) mod R( 12222
m mod Ruu~ 111
m mod RRRum) mod R(*u~
1-311
31
Montgomery Bootstrapping
How to compute m0-1 mod B?
Montgomery Bootstrapping
0mB) (mod resultmproduct 0
1
1 10m
0 0 1 1 0 0 0 10 0 1 1 0 0 1 0
1 0 0 10
42B
0 0 1 10 0 1 1
1 0 0 1 0 0 1 10 0 1 1 1 0 0 0
0 0 0 10 1 0 1 0 1 1
0 1 0 0
maskshift0m
16) (mod 1131
product result.g.e
0 0 1 1 0 0 0 10 0 1 1 0 0 1 0
1 0 0 10
42B
0 0 1 10 0 1 1
1 0 0 1 0 0 1 10 0 1 1 1 0 0 0
0 0 0 10 1 0 1 0 1 1
0 1 0 0
maskshift0m
product result
16) (mod 1131
21uu12uu
Montgomery Squaring3u 2u 1u 0u
3u 2u 1u 0u
00uu01uu02uu03uu
10uu11uu13uu
20uu22uu23uu
30uu31uu32uu33uu
4w5w6w7w 0w1w2w3w
tionmultiplica Montgomery by required time the of 80% Around
RSA pseudorandom bit generator
2x simple ncomputatio make To 0
)2~ calculate to need (not 2x~ arithmetic Montgomery Using 0