Computational Arithmetic (Aritmética Computacional). Francisco Rodríguez Henríquez, CINVESTAV. e-mail: francisco@cs.cinvestav.mx
Chinese Remainder Theorem. Fairy tale: a Chinese emperor used to count his army by giving a series of tasks. All troops should form groups of 3; report back the number of soldiers that were not able to do this. Now form groups of 5; report back. Now form groups of 7; report back. Etc. At the end, if the product of all group sizes is sufficiently large, one can ingeniously figure out how many troops there are.
Chinese Remainder Theorem. In the tale: N mod 3 = 1, N mod 5 = 2, N mod 7 = 2.
Chinese Remainder Theorem. Secret inversion formula (for N < 105 = 3·5·7): N ≡ a (mod 3), N ≡ b (mod 5), N ≡ c (mod 7) implies that N = (−35a + 21b + 15c) mod 105. So in our case a = 1, b = 2, c = 2 gives N = (−35·1 + 21·2 + 15·2) mod 105 = (−35 + 42 + 30) mod 105 = 37 mod 105 = 37.
CRT: Example. Find three numbers l, m, n with the following properties: l ≡ 1 (mod 3), l ≡ 0 (mod 5), l ≡ 0 (mod 7); m ≡ 0 (mod 3), m ≡ 1 (mod 5), m ≡ 0 (mod 7); n ≡ 0 (mod 3), n ≡ 0 (mod 5), n ≡ 1 (mod 7). Then y = al + bm + cn [the secret formula] satisfies y ≡ al + bm + cn ≡ a·1 + 0 + 0 ≡ a (mod 3). Similarly, y ≡ b (mod 5), and similarly y ≡ c (mod 7). This implies x ≡ y (mod 3·5·7).
CRT: Example. Finding the three numbers l, m, n: the standard trick. E.g., to find l: (a) Multiply together all moduli different from 3. Result: 5·7 = 35. (b) Find an inverse of this number mod 3. In this case it is easy: 35 ≡ 2 (mod 3), so find an inverse of 2 [2, or anything congruent to 2 (mod 3)]. Practice shows that one should choose the inverse of smallest magnitude: −1. (c) l is the product of (a) and (b): l = −35. l is 0 mod 5 and mod 7 since it is divisible by 5·7, but (c) guarantees that it is 1 modulo 3!
CRT: Example. Similarly, m = 21 and n = 15. So our solution to all three congruences is x = −35a + 21b + 15c. If we want to guarantee a solution between 0 and 104, just compute x mod 105. The same tricks can be generalized to prove:
Chinese Remainder Theorem. THM (CRT): Let m1, m2, …, mn be pairwise relatively prime positive integers. Then there is a unique solution x in [0, m1·m2···mn − 1] to the system of congruences x ≡ a1 (mod m1), x ≡ a2 (mod m2), …, x ≡ an (mod mn).
CRT: Conversion Algorithm Step 1. Compute using multi-precision arithmetic. Step 2. Compute the multiplicative inverses of modulo mi for 1 ≤ i ≤ n, i.e., compute the constants ci such that, Step 3. Compute u by performing the sum (in multiprecision arithmetic):
CRT: Conversion Algorithm. Theorem. Given the moduli m1, m2, …, mn and the remainders u1, u2, …, un, the number u can be computed in O(n²) arithmetic operations.
CRT: Mixed-Radix Conversion Algorithm Step 1. Compute constants cij for 1 ≤ i < j ≤ n such that, Step 2. Compute Step 3. Compute
CRT: Mixed-Radix Conversion Algorithm. Computation of u using the above formula also requires O(n²) arithmetic operations. We now define V_ij for 0 ≤ i < j ≤ n such that V_0i = ui for 1 ≤ i ≤ n. These V_ij are the temporary values of vj resulting from the operations in Step 2 of the mixed-radix conversion algorithm. This way we build a triangular table of values with diagonal entries vi = V_{i−1,i} for 1 ≤ i ≤ n. The entries of this table are called multiplied differences.
CRT: Mixed-Radix Conversion Algorithm. An example: for n = 4 the table can be given as follows, where [mi] stands for modulo mi.
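Both conversion routes described above, run on the 3/5/7 example, as an added illustration that is not code from the slides. The direct form computes the constants c_i and the O(n²) sum; the mixed-radix form is Garner's algorithm (the digits v_j reduced modulo m_j, then a weighted sum with no final reduction). `secret_constants` reproduces the slides' l, m, n by picking the inverse of smallest magnitude; all function names are this example's own.

```python
# Added example (not from the slides): the CRT conversion algorithm
# (constants c_i, then the sum u) and the mixed-radix form, applied to the
# 3/5/7 example. Function names are this example's own.

def crt_constants(moduli):
    """Steps 1 and 2: M = m_1*...*m_n and c_i = (M/m_i)^-1 mod m_i."""
    M = 1
    for m in moduli:
        M *= m
    M_over_m = [M // m for m in moduli]
    c = [pow(Mi, -1, m) for Mi, m in zip(M_over_m, moduli)]  # Python 3.8+ inverse
    return M, M_over_m, c

def secret_constants(moduli):
    """The slides' l, m, n: (M/m_i) times the inverse of smallest magnitude."""
    M, M_over_m, c = crt_constants(moduli)
    out = []
    for Mi, ci, m in zip(M_over_m, c, moduli):
        if ci > m // 2:            # e.g. 2 (mod 3) becomes -1, giving l = -35
            ci -= m
        out.append(Mi * ci)
    return out

def crt_direct(residues, moduli):
    """Step 3: u = sum(u_i * c_i * M/m_i) mod M, the sum in multi-precision."""
    M, M_over_m, c = crt_constants(moduli)
    return sum(u * ci * Mi for u, ci, Mi in zip(residues, c, M_over_m)) % M

def crt_mixed_radix(residues, moduli):
    """Mixed-radix (Garner) conversion: constants c_ij = m_i^-1 mod m_j for
    i < j, digits v_j = (u_j - ...) reduced mod m_j, then
    u = v_1 + v_2 m_1 + v_3 m_1 m_2 + ... (no final reduction mod M needed)."""
    n = len(moduli)
    v = list(residues)
    for j in range(1, n):
        for i in range(j):
            c_ij = pow(moduli[i], -1, moduli[j])
            v[j] = ((v[j] - v[i]) * c_ij) % moduli[j]
    u, weight = 0, 1
    for vj, mj in zip(v, moduli):
        u += vj * weight           # weights are 1, m_1, m_1 m_2, ...
        weight *= mj
    return u
```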
Finite Fields: Arithmetic Operations. F_p finite field operations: addition, subtraction, multiplication, squaring, inversion, exponentiation and primality testing.
Modular Addition. Input: a modulus p and integers a, b in [0, p−1]. Output: c = (a + b) mod p.
• c0 = Add(a0, b0);
• For i from 1 to t−1 do: ci = Add_with_carry(ai, bi);
• If the carry bit is set, then subtract p from c = (c_{t−1}, …, c2, c1, c0). (why??)
• If c ≥ p then c −= p; (why??)
• Return(c);
Modular Subtraction. Input: a modulus p and integers a, b in [0, p−1]. Output: c = (a − b) mod p.
• c0 = Subtract(a0, b0);
• For i from 1 to t−1 do: ci = Subtract_with_borrow(ai, bi);
• If the borrow (carry) bit is set, then add p to c = (c_{t−1}, …, c2, c1, c0). (why??)
• Return(c);
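The two word-level routines above with their carry and borrow chains, as an added example that is not the slides' code. The comments answer the "why??" questions; word size, word count and the modulus are this example's own choices.

```python
# Added example (not the slides' code): t-word modular addition and
# subtraction with explicit carry/borrow chains in radix W = 2^w, with the
# two "why??" questions answered in the comments. The modulus P = 2^128 - 159
# is a constructed choice close to W^t, so the carry-out case really occurs.
W_BITS, T = 32, 4                      # word size and words per operand
W = 1 << W_BITS
P = (1 << 128) - 159

def to_words(x):                       # little-endian words (c_0, ..., c_{t-1})
    return [(x >> (W_BITS * i)) & (W - 1) for i in range(T)]

def from_words(c):
    return sum(w << (W_BITS * i) for i, w in enumerate(c))

def add_words(a, b):
    """Add / Add_with_carry chain; returns (c, carry_out)."""
    c, carry = [], 0
    for ai, bi in zip(a, b):
        s = ai + bi + carry
        c.append(s & (W - 1))
        carry = s >> W_BITS
    return c, carry

def sub_words(a, b):
    """Subtract / Subtract_with_borrow chain; returns (c, borrow_out)."""
    c, borrow = [], 0
    for ai, bi in zip(a, b):
        d = ai - bi - borrow
        borrow = 1 if d < 0 else 0
        c.append(d + borrow * W)
    return c, borrow

def geq_words(a, b):                   # a >= b, most significant word first
    for ai, bi in zip(reversed(a), reversed(b)):
        if ai != bi:
            return ai > bi
    return True

def mod_add(a, b, p):
    c, carry = add_words(a, b)
    if carry:                 # why: a + b >= W^t > p but a + b < 2p, so one
        c, _ = sub_words(c, p)   # subtraction lands in [0, p); its borrow
    if geq_words(c, p):       # cancels the dropped carry. Why again: with
        c, _ = sub_words(c, p)   # no carry the sum may still reach p.
    return c

def mod_sub(a, b, p):
    c, borrow = sub_words(a, b)
    if borrow:                # why: c holds a - b + W^t; adding p and dropping
        c, _ = add_words(c, p)   # the carry leaves a - b + p, which is in [0, p)
    return c
```

The data-dependent branches on the carry and on `c >= p` are exactly what constant-time field implementations replace with a masked conditional subtraction, since their timing leaks information about the operands.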
Modular Multiplication. Computation of c = ab mod n can be performed using:
• Classical: normal integer multiplication followed by reduction.
• Blakley's method: the multiplication steps are interleaved with reduction steps.
• Montgomery's method: uses predominantly modulo 2^j arithmetic.
Integer Multiplication. We perform the operations in radix W = 2^w, where w is the word size of the computer. We define (Carry, Sum) pairs. Our notation is:
Integer Multiplication.
• for i = 0 to s−1 do:
•   C := 0
•   for j = 0 to s−1 do:
•     (C, S) := t_{i+j} + a_j·b_i + C;
•     t_{i+j} := S;
•   end
•   t_{i+s} := C; (i.e., t_{i+j+1} with j = s−1)
• end
Integer Multiplication. This algorithm requires s² = (k/w)² inner-product steps (C, S) := t_{i+j} + a_j·b_i + C; in other words, O(k²) bit operations. The variables t_{i+j}, a_j, b_i, C and S each hold a single word, i.e., a w-bit number. Notice that the main operation in the loop yields a double word, i.e., a 2w-bit number, since:
Integer Squaring. A straightforward modification of the multiplication algorithm gives the following algorithm for squaring, with roughly half as many multiplication operations.
Integer Squaring [Guajardo and Paar]. Input: an integer a ∈ [0, p−1], a = (a_{t−1} a_{t−2} … a1 a0). Output: c = a².
• for i from 0 to 2t−1 do: ci = 0;
• for i from 0 to t−1 do
•   (uv) = c_{2i} + a_i²; c_{2i} = v; C1 = u; C2 = 0;
•   for j from i+1 to t−1 do
•     (uv) = c_{i+j} + a_i·a_j + C1; C1 = u;
•     (uv) = v + a_i·a_j + C2; c_{i+j} = v; C2 = u;
•   (uv) = C1 + C2; C2 = u;
•   (uv) = c_{i+t} + v; c_{i+t} = v;
•   c_{i+t+1} = C2 + u;
• return (c);
Integer Squaring [Classical]. Input: an integer a ∈ [0, p−1], a = (a_{t−1} a_{t−2} … a1 a0). Output: c = a².
• r0 = r1 = r2 = 0;
• for k from 0 to 2(t−1) do
•   for each element of {(i, j) | i + j = k, 0 ≤ i ≤ j < t} do
•     (uv) = a_i·a_j;
•     if (i < j) then (uv) <<= 1; r2 = AddC(r2, 0);
•     r0 = Add(r0, v); r1 = AddC(r1, u); r2 = AddC(r2, 0);
•   c_k = r0; r0 = r1; r1 = r2; r2 = 0;
• c_{2t−1} = r0;
• return (c);
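The s-word multiplication loop with its (C, S) step, beside a squaring variant that computes each cross product once, as an added example that is not the slides' code. It counts single-word multiplications so the s² versus s(s+1)/2 saving can be checked; the word size and the helper names are this example's own.

```python
# Added example (not the slides' code): the s-word multiplication loop with
# its (C, S) inner-product step, and a squaring variant that computes each
# cross product a_i*a_j once, counting single-word multiplications so the
# s^2 versus s(s+1)/2 saving can be checked. Radix W = 2^w with w = 32.
W_BITS = 32
W = 1 << W_BITS

def to_words(x, s):
    return [(x >> (W_BITS * i)) & (W - 1) for i in range(s)]

def from_words(t):
    return sum(w << (W_BITS * i) for i, w in enumerate(t))

def multiply(a, b):
    """Returns (t, muls): t = a*b as 2s words, muls = inner-product steps."""
    s = len(a)
    t = [0] * (2 * s)
    muls = 0
    for i in range(s):
        C = 0
        for j in range(s):
            cs = t[i + j] + a[j] * b[i] + C       # (C, S) := t_{i+j} + a_j b_i + C
            # a double word always suffices: (W-1) + (W-1)^2 + (W-1) = W^2 - 1
            assert cs < W * W
            t[i + j] = cs & (W - 1)               # S
            C = cs >> W_BITS                      # C
            muls += 1
        t[i + s] = C                              # t_{i+j+1} with j = s-1
    return t, muls

def square(a):
    """Returns (c, muls): c = a*a using s(s+1)/2 word multiplications."""
    s = len(a)
    c = [0] * (2 * s)
    muls = 0
    for i in range(s):
        cs = c[2 * i] + a[i] * a[i]               # diagonal term, once
        c[2 * i], C, muls = cs & (W - 1), cs >> W_BITS, muls + 1
        for j in range(i + 1, s):
            # doubled cross term: the carry can exceed one word, which is why
            # the classical algorithm above keeps three accumulator words
            cs = c[i + j] + 2 * a[i] * a[j] + C
            c[i + j], C, muls = cs & (W - 1), cs >> W_BITS, muls + 1
        k = i + s
        while C:                                  # propagate the wide carry
            cs = c[k] + C
            c[k], C, k = cs & (W - 1), cs >> W_BITS, k + 1
    return c, muls
```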
Reduction. Given t, compute R satisfying t = Qn + R with R < n. Here t is a 2k-bit number and n is a k-bit number. The numbers t and n are positive, so the results Q and R are positive as well. Since we are not interested in the quotient, the steps of the division algorithm can be simplified.
Reduction Two algorithms of interest: • Restoring Division • Non-restoring division
Restoring Division.
• R0 := t;
• n := 2^k·n;
• for i = 1 to k+1 do: (k+1 trial subtractions, 2^k·n down to n itself: a 2k-bit t divided by a k-bit n has a (k+1)-bit quotient)
•   Ri := R_{i−1} − n;
•   if Ri < 0 then Ri := R_{i−1};
•   n := n/2;
• end
• Return R_{k+1};
Restoring Division: An Example. We give an example of the restoring division algorithm for computing 3019 mod 53, where 3019 = (101111001011)_2 and 53 = (110101)_2. The result is 51 = (110011)_2.
Non-Restoring Division Algorithm.
• The non-restoring division algorithm allows a negative remainder.
• Suppose Ri := R_{i−1} − n < 0; then the restoring algorithm assigns Ri := R_{i−1} and performs a subtraction with the shifted n, obtaining R_{i+1} := Ri − n/2 = R_{i−1} − n/2.
• However, if Ri = R_{i−1} − n < 0, the non-restoring algorithm lets Ri remain negative and adds the shifted n in the following cycle. Thus it obtains R_{i+1} := Ri + n/2 = (R_{i−1} − n) + n/2 = R_{i−1} − n/2, i.e., the same value (!!)
Non-Restoring Division Algorithm.
• R0 := t;
• n := 2^k·n;
• for i = 1 to k+1 do: (k+1 steps, as in the restoring algorithm)
•   if R_{i−1} < 0 then Ri := R_{i−1} + n;
•   else Ri := R_{i−1} − n;
•   n := n/2;
• end
• Return R_{k+1};
Non-Restoring Division Algorithm.
• Since the remainder is allowed to stay negative, we use 2's complement coding to represent such numbers.
• Also, note that the non-restoring division algorithm may require a final restoration cycle in which a negative remainder is corrected by adding back the value of n used in the last iteration.
• Example: computation of 51 = 3019 mod 53.
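Both reduction loops run on the 3019 mod 53 case with their partial remainders traced, as an added example that is not the slides' code. Each loop performs k+1 trial steps (2^k·n down to n) so that the lowest quotient bit is also decided, and the non-restoring version applies the final restoration; `twos` only shows how a negative partial remainder is coded in a fixed-width register.

```python
# Added example (not the slides' code): restoring and non-restoring
# division used as reduction, with a trace of the partial remainders for
# the slides' 3019 mod 53 case (t has 2k = 12 bits, n has k = 6 bits).
# Both loops run k+1 trial steps, 2^k n down to 2^0 n, so that the lowest
# quotient bit is also decided; twos() shows how a negative partial
# remainder would be coded in a fixed-width two's complement register.

def twos(x, bits):
    """Two's complement bit string of x in a register of the given width."""
    return format(x & ((1 << bits) - 1), "0{}b".format(bits))

def restoring_mod(t, n, k, trace=None):
    r = t
    for i in range(k, -1, -1):
        trial = r - (n << i)            # R_i := R_{i-1} - n  (n shifted by i)
        if trial >= 0:                  # accept, otherwise "restore" R_{i-1}
            r = trial
        if trace is not None:
            trace.append(r)
    return r

def nonrestoring_mod(t, n, k, trace=None):
    r = t
    for i in range(k, -1, -1):
        shifted = n << i
        r = r + shifted if r < 0 else r - shifted   # never restores
        if trace is not None:
            trace.append(r)
    if r < 0:                           # final restoration with unshifted n
        r += n
    return r

def demo():
    """Returns the traces and results for 3019 mod 53 (k = 6)."""
    tr, tn = [], []
    r1 = restoring_mod(3019, 53, 6, tr)
    r2 = nonrestoring_mod(3019, 53, 6, tn)
    coded = [twos(r, 2 * 6 + 1) for r in tn]   # 2k+1 bits: sign + 2k magnitude
    return r1, tr, r2, tn, coded
```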
Barrett Reduction. Barrett reduction computes r = x mod m given x and m. The algorithm requires the precomputation of the quantity, It is advantageous if many reductions are performed with a single modulus. Typically, the radix b is chosen to be a power of two close to the word size of the processor. Barrett reduction is based on the following fact: Given
Barrett Reduction. Input: positive integers x = (x_{2k−1} … x1 x0)_b, p = (p_{k−1} … p1 p0)_b. Output: x mod p.
• if r < 0 then
• While r ≥ p do: r = r − p;
• Return(r);
Barrett Reduction. Example: let b = 4, k = 3, x = (313221)_b and p = (233)_b (i.e., x = 3561 and p = 47). Then the precomputed quantity is ⌊b^{2k}/p⌋ = ⌊4^6/47⌋ = 87 = (1113)_b, ⌊x/b^{k−1}⌋ = ⌊(313221)_b/4²⌋ = (3132)_b, and ⌊x/b^{k−1}⌋·(1113)_b = (3132)_b·(1113)_b = (10231302)_b. Hence q = (1023)_b, r1 = (3221)_b (why??), r2 = (1023)_b·(233)_b mod b⁴ = (3011)_b, and r = r1 − r2 = (210)_b. Thus x mod p = (210)_b = 36.
Barrett Reduction: Computational Efficiency.
• All divisions performed in the algorithm are simple right shifts of the base-b representation.
• Since the k+1 least significant digits of the product ⌊x/b^{k−1}⌋·⌊b^{2k}/p⌋ are not needed to determine q (why??), only a partial multiple-precision multiplication is necessary.
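The full Barrett reduction in radix b, recomputing the b = 4, k = 3, x = 3561, p = 47 example step by step, as an added example that is not the slides' code. It assumes b^{k−1} ≤ p < b^k, 0 ≤ x < b^{2k} and b ≥ 4 (the conditions under which at most two final subtractions are needed); `digits` only renders values in base b so they can be compared with the slide.

```python
# Added example (not the slides' code): Barrett reduction in radix b, with
# the slides' b = 4, k = 3, x = 3561, p = 47 case recomputed step by step.
# Assumes b^(k-1) <= p < b^k and 0 <= x < b^(2k), and b >= 4 so that the
# final correction needs at most two subtractions.

def barrett_mu(p, b, k):
    """Precomputation, done once per modulus: floor(b^(2k) / p)."""
    return b ** (2 * k) // p

def digits(x, b):
    """Base-b digit string, most significant digit first."""
    out = []
    while x:
        out.append(str(x % b))
        x //= b
    return "".join(reversed(out)) or "0"

def barrett_reduce(x, p, b, k, mu, steps=None):
    """Returns x mod p; the intermediate values are stored in 'steps'."""
    q1 = x // b ** (k - 1)          # a right shift by k-1 digits, not a division
    q2 = q1 * mu                    # the one multi-precision multiplication
    q3 = q2 // b ** (k + 1)         # another shift; q3 is floor(x/p) or 1-2 less
    r1 = x % b ** (k + 1)           # low k+1 digits only: x - q3 p < 3p < b^(k+1)
    r2 = (q3 * p) % b ** (k + 1)    # so the difference is determined mod b^(k+1)
    r = r1 - r2
    if r < 0:
        r += b ** (k + 1)
    subs = 0
    while r >= p:                   # at most two correction subtractions
        r -= p
        subs += 1
    if steps is not None:
        steps.update(q1=q1, q2=q2, q3=q3, r1=r1, r2=r2, subs=subs)
    return r

def slides_example():
    """The b = 4, k = 3, x = 3561, p = 47 case; returns (mu, steps, r)."""
    b, k, x, p = 4, 3, 3561, 47
    mu = barrett_mu(p, b, k)
    steps = {}
    r = barrett_reduce(x, p, b, k, mu, steps)
    return mu, steps, r
```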
Reduction. The arithmetic in Barrett reduction can be simplified by choosing b to be a power of 2. For primes p of special form there exist very fast modular reduction techniques [for example, see "Software Implementation of the NIST Elliptic Curves Over Prime Fields", Brown, Hankerson, López and Menezes].