A fast modular multiplication method based on the Lempel–Ziv binary tree

Computer Communications 22 (1999) 871–874

Research note

A fast modular multiplication method based on the Lempel–Ziv binary tree q C.-Y. Chen a,*, T.-C. Liu b a

Department of Information Engineering, I-Shou University, Kaohsiung County, Taiwan 84008 b Nan-Tai Institute of Technology, Tainan, Taiwan Received 21 September 1998; accepted 29 December 1998

Abstract In this article, a fast modular multiplication method is presented. The known fastest modular multiplication method by Su and Hwang (F.F. Su, T. Huang, Comments on iterative modular multiplication without magnitude comparison, Proceedings of the Sixth National Conference on Information Security, Taichung, Taiwan, 1996, pp. 21–22) requires n 1 11 additions on the average for an n-bit modulus. In Su and Hwang’s method, the computed values are not stored for use again. Our method uses the Lempel–Ziv binary tree to store the computed values. According to our analysis, our method is faster than Su and Hwang’s for n . 512. Further, our method only requires 0.6667n additions on the average for sufficiently large n. q 1999 Elsevier Science B.V. All rights reserved. Keywords: Modular multiplication; Modular exponentiation; The Lempel–Ziv binary tree

1. Introduction The speed of the modular exponentiation has an important influence on the RSA system [1]. To enhance the speed of the modular exponentiation, there are two orthogonal approaches: (1) computing modular multiplication faster [2–6]; and (2) computing a modular exponentiation using fewer multiplications [7]. In 1983, Blakley presented a traditional method for calculating the product A × B modulo N, where N is an n-bit modulus. Assume that both addition and subtraction have the same complexity and the shift operation is negligible as compared with an addition operation. Blakley’s method thus requires on the average 2n additions. Improving Blakley’s method, Chiou and Yang [4] presented an iterative modular multiplication method without magnitude comparison. Chiou and Yang’s method only checks the carry bit of the partial product P instead of comparing the partial product P with the modulus N. A carry generated in computing the partial product P means that the partial product P with a carry is greater than or equal to 2 n. If this is the case, the generated carry is discarded and

q This research was partially supported by the National Science Council (NSC), the Republic of China, under the contract of NSC-87-2213-E-214006. * Corresponding author. Tel.: 886-7-6563711-6519; fax: 886-76565974. E-mail address: [email protected] (C.-Y. Chen)

the partial product P is set to be (P 1 S), where S ˆ 2 n mod N is precomputed. Thus, the value of the partial product P is limited to be less than 2 n instead of N. Unfortunately, Su and Hwang [6] pointed out that there were errors in Chiou and Yang’s method. When the partial product P with a carry is greater than 2 n, that the new value (P 1 S) is less than 2 n cannot be guaranteed. Therefore, we compute the partial product P as (P 1 S) until it has no carry. According to the analysis of Su and Hwang, it requires n 1 11 additions on the average to compute an n-bit modular multiplication. Is there an n-bit modular multiplication method which needs less than n additions on the average? This motivates our article. In the presented modular multiplication methods, the computed values are not stored for use again. So, they spend much time to recompute these values. The primary idea of the article is that the Lempel–Ziv binary tree [8] is used to store the computed values. According to our analysis, our method requires 517 additions on the average and Su and Hwang’s method 523 additions when n ˆ 512. Obviously, our method is faster than Su and Hwang’s method when n $ 512. Further, the required average number of additions is close to 0.6667n for sufficiently large n. The rest of the article is organized as follows. Section 2 presents a new method to compute a modular multiplication and gives an example. In Section 3, the complexity of our method is estimated. Last, we conclude this article.

0140-3664/99/$ - see front matter q 1999 Elsevier Science B.V. All rights reserved. PII: S0140-366 4(99)00043-2

872

C.-Y. Chen, T.-C. Liu / Computer Communications 22 (1999) 871–874

Initial : i ˆ 1; h ˆ 1; L0 ˆ 0: S ˆ 2n mod N;

…1†

C‰1Š ˆ A mod N; C‰jŠ ˆ 0; for j . 1: X1 ˆ A mod N; {Set C‰jŠ be a array to store 2 j21 × A mod N.} while there are more digits in BR do begin Fig. 1. The structure of nodes in the Lempel–Ziv tree.

2. A new method based on the Lempel–Ziv tree Assume that we want to compute the product A × B mod N. Let BR ˆ bn21 bn22 …b0 be the binary representation form of the multiplier B. We first scan BR from right to left to construct a Lempel–Ziv binary tree. We then follow a fixed path of the constructed Lempel–Ziv tree to compute the product A × B mod N. In the tree, every node i contains ‰Xi ; Li21 ; Zi Š and links, including two child links and a back pointer. The path pi from the root to node i is a segment of BR. Xi represents the product of pi × A mod N. Li21 represents the length of the segment pi21 , and Zi represents the number of zeroes from the segment pi21 to the segment pi . The back pointers record the path of computing A × B mod N. The structure of nodes is shown in Fig. 1. The Lempel–Ziv binary tree is constructed by Algorithm 1. Following the back pointers of the constructed tree, Algorithm 2 computes A × B mod N. Further, to understand our method, an example is shown in Fig. 2.

Algorithm 1. begin

Construct the Lempel–Ziv binary tree T.

Li ˆ 1; Zi ˆ 0; Scan BR from the (i 2 1)th parse to the left. Scan the new digit f, Zi ˆ Zi 1 1; until f ± 0: {If T ˆ nil then construct a new root node of the corresponding tree and i ˆ i 1 1.} Start following the path of the tree T defined by BR, Li ˆ Li 1 1; until a leaf j is reached. Scan one more digits ‘‘f’’, f [ {0; 1}; Li ˆ Li 1 1; add a new arc from the last visited leaf, label it ‘‘f’’, add a new leaf and a new parse and label them ‘‘i’’. If f ˆ 1 then begin while h , Li then begin h ˆ h 1 1; C‰hŠ ˆ 2 × C‰h 2 1Š; while carry …C‰hŠ† do C‰hŠ ˆ C‰hŠ 1 S;

…2†

end; Xi ˆ Xj 1 C‰Li Š;

…3†

while carry …Xi † do Xi ˆ Xi 1 S;

…4†

end; else Xi ˆ Xj ;

Fig. 2. A × 715803 ˆ ……………5A† × 24 1 7A† × 23 1 3A† × 27 1 3A† × 22 1 A† × 2 1 A mod N.

C.-Y. Chen, T.-C. Liu / Computer Communications 22 (1999) 871–874

Store Xi together with Li21 ˆ upi21 u; and Zi in leaf i. i ˆ i 1 1: end_while; k ˆ i 2 1: {k means the number of nodes in the tree.}

Algorithm 2.

According to [9], a good concrete approximation for k is n=…log2 n 2 log2 log2 n 1 log2 log2 log2 n†: Before evaluating the cost of constructing the Lempel– Ziv tree, we estimate the average cost of performing the following expression while carry …P† do P ˆ P 1 S;

end.

Compute R ˆ A × B mod N:

Input: A, B, and N. Output: R. begin {Assume that, without loss of generality, following back pointers of the tree, nodes k; k 2 1; …; 1 are scanned.} P ˆ Xk ; S ˆ 2n mod N;

…5†

t ˆ Lk21 1 Zk ; for i ˆ k 2 1 down to 1 do

which is used in Expressions. (2), (4), (6), and (8). Assume that N is an n-bit random integer. We have 2n21 1 2n22 # N , 2n with probability 1=2 and 2n21 # N # 2n21 1 2n22 with probability 1=2. Case 1: 2n21 1 2n22 # N , 2n As S ˆ 2n mod N; we get S # 2n22 : Let pn21 pn22 …p0 be an n-bit binary representation of P. If carry …P† ˆ 0; no addition is needed. Otherwise, we consider the two bits pn21 pn22 of P as follows. …a† pn21 pn22 ˆ 11:

…b† pn21 pn22 ˆ 10 or pn21 pn22 ˆ 01 or pn21 pn22 ˆ 00 …6†

end; t ˆ Li21 1 Zi ; P ˆ P 1 Xi ;

…7†

while carry …P† do P ˆ P 1 S;

…8†

This implies that P , 2n21 1 2n22 : We know that P 1 S , 2n : Therefore, one addition is required in Expression (10). From relations (a) and (b), performing Expression (10) † ˆ 58 additions on the average. requires 12 … 2111111 4 Case 2: 2n21 # N , 2n21 1 2n22 We get S # 2n21 : If carry…P† ˆ 0; no addition is needed. Otherwise, we consider the two bits pn21 pn22 of P as follows. …a† pn21 pn22 ˆ 11:

end; {end of for i} if …P $ N† then R ˆ P 2 N else R ˆ P;

…10†

This implies that 2n21 1 2n22 # P , 2n : We know that P 1 S , 2n 1 2n22 : Let P 0 be P 1 S: Then P 0 have a carry and P 0 is less than 2n22 : We find that P 0 1 S , 2n21 : Therefore, at most 2 additions are required in Expression (10).

begin for j ˆ 1 to t do begin P ˆ 2 × P; while carry …P† do P ˆ P 1 S;

873

…9†

end.

Furthermore, to understand our method, an example of computing A × 715803 mod N is given in Fig. 2. Note that BR of 715803 ˆ …10101110110000011011†2 :

This implies that 2n21 1 2n22 # P , 2n : We know that P 1 S , 2n 1 2n21 : Let P 0 be P 1 S. Then P 0 have a carry and P 0 is less than 2 n21. We find that P 0 1 S , 2n : Therefore, at most two additions are required in Expression (10). …b† pn21 pn22 ˆ 10 This implies that 2n21 # P , 2n21 1 2n22 : We know that P 1 S , 2n 1 2n22 : Let P 0 be P 1 S. Then P 0 have a carry and P 0 is less than 2 n22. We find that P 0 1 S , 2n : Therefore, at most two additions are required in Expression (10). …c† pn21 pn22 ˆ 01 or pn21 pn22 ˆ 00

3. Complexity We first estimate the tree size for a random multiplier. We then find out the cost of constructing the Lempel–Ziv binary tree. Last, the complexity of computing a modular multiplication is estimated. Let h be the depth of the tree, k the number of nodes in the tree. Generally, we expect to get balanced tress for random numbers. Thus we get h ˆ log2 k:

This implies that P , 2n21 : We know that P 1 S , 2n : Therefore, one addition is required.From relations (a), (b), and (c), performing Expression (10) requires 1 2121111 † ˆ 34 additions on the average. 2… 4 From above two cases, given an n-bit random integer N, it requires on the average 12 … 58 † 1 12 … 34 † ˆ 11 16 additions to perform Expression (10).

874

C.-Y. Chen, T.-C. Liu / Computer Communications 22 (1999) 871–874

As N is a random integer, we have 2n21 1 t2n212i # N , 1 …t 1 1†2n212i with probability 1=2i and get S # 2 n21 2 t2n212i ; where t ˆ 0; 1; …; 2i 2 1: Like the above 2 analysis, Expression (10) needs 3=4 additions on the average if t ˆ 0: If 2j21 # t , 2j for some integer j ± 0; we find that Expression (10) requires … 34 2 22…i2j13† † additions on the average. Therefore, the average required additions of computing Expression (10) is 0 1  i  1 @3 X 3 1 2 1 2 1 2 i2j13 2j21 A ˆ 1 < : i 2i12 4 3 3 2 4 2 3×2 jˆ1 n21

In Algorithm 1, as Expresssion (2) needs 23 additions on the average, constructing an entire array C requires 23 h additions on the average. It needs 12 …1 1 23 † additions to perform Expressions (3) and (4) for each i. Thus, constructing the Lempel–Ziv binary tree requires 23 h 1 12 …1 1 23 †k 1 1 additions on the average, where the last one means the cost of Expression (1). In Algorithm 2, calculating the twice of the partial product P needs 23 …n 2 h=2† additions, where 23 means the cost of Expression (6) and h=2 the expected length of the last segment. Following the back pointers of the tree, we need …1 1 23 †k additions to handle one tree, where 1 and 23 mean the cost of Expressions (7) and (8), respectively. Therefore, Algorithm 2 needs 23 …n 2 h=2† 1 …1 1 23 †k 1 32 additions on the average, where 32 ; means the cost of Expressions (5) and (9). From the above analysis, computing the product A × B mod N; including construction of the Lempel–Ziv binary tree, requires 23 …n 1 h=2† 1 52 k 1 52 additions on the average. When n ˆ 512; our method requires 517 additions on the average and Su and Hwang’s method 523 additions. Obviously, our method is faster than Su and Hwang’s

method. Further, the required average number of additions is close to 23 n ˆ 0:6667n, as n becomes sufficiently large. 4. Conclusions In this article, we present a fast modular multiplication method which can speed up modular exponentiation. According to our analysis, it is faster than Su and Hwang’s method when n $ 512: Further, it only requires 0.6667n additions on the average for sufficiently large n . So, our method is suitable for RSA with a high-bit modulus. References [1] R.L. Rivest, A. Shamir, L. Adleman, A method for obtaining digital signatures and public-key cryptosystems, Comm. ACM 21 (2) (1978) 120–126. [2] P.W. Baker, Fast computation of A*B modulo N, Electron. Lett. 23 (15) (1987) 794–795. [3] G.R. Blakley, A computer algorithm for calculating the product AB modulo M, IEEE Trans. C-32 (5) (1983) 497–500. [4] C.W. Chiou, T.C. Yang, Iterative modular multiplication algorithm without magnitude comparison, Electron. Lett. 30 (24) (1994) 2017– 2018. [5] R.L. Montgomery, Modular multiplication without trial division, Math. Comput. 44 (170) (1985) 519–521. [6] F.-F. Su, T. Hwang, Comments on iterative modular multiplication without magnitude comparison, Proceedings of The Sixth National Conference on Information Security, Taichung, Taiwan, 1996 pp. 21–22. [7] D.E. Knuth, The art of computer programming, 2, Seminumerical Algorithm, 2, Addison Wesley, Reading, MA, 1981. [8] X. Lempel, X. Ziv, Compression of individual sequences via variable rate coding, IEEE Trans. Inform. Theory IT-24 (5) (1978) 530–536. [9] Y. Yacobi, Exponentiating faster with addition chains, Proceedings of EUROCRYPT’90, 1990 pp. 205–212.