52 Things: Number 22: How do you represent a number and multiply numbers in Montgomery arithmetic?

52 Things: Number 22: How do you represent a number and multiply numbers in Montgomery arithmetic?

52件事:数字22:在蒙哥马利算术中,你如何表示一个数字并将其相乘?

 
This is the latest in a series of blog posts to address the list of '52 Things Every PhD Student Should Know' to do Cryptography: a set of questions compiled to give PhD candidates a sense of what they should know by the end of their first year. This next blog continues the topic of 'Cryptographic Implementation Details'.
这是一系列博客文章中的最新一篇,旨在解决“每个博士生都应该知道的52件事”做密码学:这是一组问题,旨在让博士生在第一年结束时了解他们应该知道什么。下一篇博客继续主题“加密实现细节”。


Most of this blog is derived from [1].
这个博客的大部分内容来源于[1]。


Secure and Efficient? 安全高效?


While the goal of cryptography is to design highly secure cryptographic protocols, it must also be possible to implement these protocols efficiently so that they can be performed over and over again without slowing users down too much as they, for example, shop online or transfer money via internet banking. Therefore steps are taken to minimise the computational cost of each and every algorithm used in these protocols. One of the most expensive operations used in such algorithms is the reduction of integers modulo some n>0, since it is effectively a division operation.
虽然密码学的目标是设计高度安全的加密协议,但也必须能够有效地实现这些协议,以便它们可以一次又一次地执行,而不会让用户在网上购物或通过网上银行转账时放慢太多速度。因此,采取步骤来最小化这些协议中使用的每个算法的计算成本。在这种算法中使用的最昂贵的运算之一是整数模一些 n>0 的减少,因为它实际上是一种除法运算。


The Cost of Modular Reductions
模块化降低的成本


From now on we fix the notation that xmodn is the remainder after x has been divided by n, so it's a particular non-negative integer which is less than n (as opposed to the equivalence class of x in Z/nZ, etc.)
从现在起,我们修复了 xmodn 是 x 除以 n 后的余数的表示法,因此它是一个特定的非负整数,小于 n (与 Z/nZ 中#4的等价类相反,等等)


Let a,bZ and say we know amodn and bmodn. In many cryptographic applications we wish to compute the product abmodn. The naive approach is to compute the usual integer product ab and then reduce this modulo n. While this is fine for just one multiplication, we may need to carry out several consecutive multiplications which would lead to several (expensive) modular reductions. For example, in RSA the ciphertext of a message m is c=memodpq for some large primes p,q and a public exponent e. Computing c according to the naive approach means e iterations of multiplying by m and reducing modulo pq. It would be much better to somehow defer the tricky modular reduction to the end of the calculation. But at the same time, if we just compute me over the integers and then reduce modulo n at the end, we will have to store (and calculate with) extremely large numbers. So this requires a little more thought.
让 a,bZ 说我们知道 amodn 和 bmodn 。在许多加密应用程序中,我们希望计算乘积 abmodn 。天真的方法是计算通常的整数乘积#4,然后减少这个模 n 。虽然这只适用于一次乘法,但我们可能需要进行几次连续的乘法运算,这将导致几次(昂贵的)模缩减。例如,在RSA中,对于一些大素数 p,q 和公共指数 e ,消息 m 的密文是 c=memodpq 。根据朴素方法计算 c 意味着 e 乘以 m 并减少模 pq 的迭代。以某种方式将棘手的模块化简化推迟到计算结束会更好。但与此同时,如果我们只计算整数上的 me ,然后在最后减模 n ,我们将不得不存储(并使用)非常大的数字。所以这需要更多的思考。


"Montgomery Space" “蒙哥马利空间”

The insight, due to Montgomery, is to work over a convenient modulus, typically a power of 2. So to compute abmodn:
由于Montgomery,我们的见解是计算一个方便的模数,通常是2的幂。因此,要计算 abmodn :

  1. Move a and b into "Montgomery space" (remainders modulo some convenient r)
    将 a 和 b 移动到“Montgomery空间”(余数模一些方便的#2)
  2. Calculate products and perform modular reductions in this nicer space
    在这个更好的空间中计算产品并进行模块化缩减
  3. Convert the answer into the desired remainder modulo n.
    将答案转换为所需的余数模 n 。
Why is a power of 2 convenient? Say x is an integer written in binary (as is typical for computers) and r=2k for some integer k>0. Then,
为什么2的幂方便?假设 x 是一个用二进制书写的整数(这是计算机的典型情况), r=2k 表示某个整数 k>0 。然后

  • to compute xmodr you just discard all but the rightmost k bits of x
    要计算 xmodr ,只需丢弃#2中除最右边的 k 位以外的所有位#
  • to compute xr you just shift the digits of x by k places to the left
    要计算 xr ,只需将 x 的数字向左移动 k 位
  • to compute x/r you just shift the digits of x by k places to the right.
    要计算 x/r ,只需将 x 的数字向右移动 k 位。
The Algorithm 算法

Let a,b,n,r be positive integers with gcd(n,r)=1 and r>n. We compute abmodn as follows:
设 a,b,n,r 与 gcd(n,r)=1 和 r>n 为正整数。我们计算#3如下:

  1. Use the extended Euclidean algorithm to find integers r1,n with rr1=1+nn
    使用扩展的欧几里得算法查找具有#1的整数 r1,n #
  2. Compute a¯¯¯=armodn and b¯¯=brmodn 计算 a¯¯¯=armodn 和 b¯¯=brmodn
  3. Compute u=abrmodn via: 通过以下方式计算 u=abrmodn :
    1. ta¯¯¯b¯¯
    2. u(t+(ntmodr)n)/r
    3. If un then u(un) 如果 un ,则 u(un)
    4. Output u 输出 u
  4. Multiply u by r1 and reduce modulo n.
    将 u 乘以 r1 ,并减去模 n 。
Some remarks on speed:
关于速度的一些评论:

  • Step 1 is always possible since r is coprime to n, and can be done very quickly when r is a power of 2 and m is odd.
    步骤1总是可能的,因为 r 与 n 互素,并且当#2是2的幂并且#3是奇数时,步骤1可以非常快地完成。
  • In Step 2, while the integer multiplication (e.g. a×r) is quick (especially if r=2k), there is an expensive modular reduction for each multiplier a and b. There is also an expensive reduction in Step 4. So for just one multiplication this algorithm is probably slower than the naive approach. But calculating many products modulo n of a small number of multipliers (e.g. ambm modulo n for some integers m,m) is much better this way since we can reuse the outputs of Steps 2 and 3 in subsequent multiplications.
    在步骤2中,虽然整数乘法(例如 a×r )是快速的(特别是如果 r=2k ),但是对于每个乘法器#2和#3都存在昂贵的模缩减。在步骤4中也有昂贵的减少。因此,对于一次乘法,这种算法可能比简单的方法慢。但是,以这种方式计算少量乘法器的模#4的许多乘积(例如,对于一些整数 m,m , ambm 模 n )要好得多,因为我们可以在随后的乘法中重用步骤2和3的输出。
  • Step 3 involves three integer multiplications, one integer addition and, if r=2k, discarding all but k bits and a shift k places to the right. All these processes are efficient.
    步骤3包括三次整数乘法,一次整数加法,如果 r=2k ,则丢弃除 k 位以外的所有位,并向右移位 k 位。所有这些过程都是有效的。

Proof of Correctness  正确性证明
It should be clear that the algorithm does output abmodn provided that u=abrmodn as is claimed in Step 3. To prove this claim, let t=a¯¯¯b¯¯ so that
应该清楚的是,算法确实输出 abmodn ,前提是 u=abrmodn 如步骤3中所要求的那样。为了证明这一说法,让#2这样

u=abrmodn
=arbrr1modn
=tr1modn
=trr1/rmodn
=t(1+nn)/rmodn
=((t+nnt)/r+mn)modn=(t+(nt+mr)n)/rmodn, for any integer m.
=((t+nnt)/r+mn)modn=(t+(nt+mr)n)/rmodn ,用于任意整数 m 。

In particular, when m is chosen so that nt+mr=ntmodr, we find
特别地,当选择 m 使得 nt+mr=ntmodr 时,我们发现

u=abrmodn=(t+(ntmodr)n)/rmodn.

Note that the quantity computed in the algorithm is like the above but without the reduction modulo n. This is because, since n>r>0, we have
注意,在算法中计算的量与上述类似,但没有模 n 的减少。这是因为,自#1以来,我们

n2<rnn2+rn<2rn(n2+rn)/r<2n which shows that (t+(ntmodr)n)/r<2n since t is the product of two remainders modulo n. So instead of reducing (t+(ntmodr)n)/r modulo n we can just compare it against n (which is an efficient operation) and subtract n once if necessary (also quick). Thus the algorithm given is correct.
n2<rnn2+rn<2rn(n2+rn)/r<2n ,这表明 (t+(ntmodr)n)/r<2n ,因为 t 是模 n 的两个余数的乘积。因此,我们可以将其与 n (这是一种有效的运算)进行比较,并在必要时减去 n 一次,而不是减少#4模 n 。因此,给出的算法是正确的。
posted @ 2024-04-11 23:30  3cH0_Nu1L  阅读(5)  评论(0编辑  收藏  举报