Fast modular multi-exponentiation using modified complex arithmetic

Applied Mathematics and Computation 186 (2007) 1065–1074 www.elsevier.com/locate/amc

Fast modular multi-exponentiation using modified complex arithmetic Chia-Long Wu a

a,*

, Der-Chyuan Lou

b,*

, Jui-Chang Lai b, Te-Jen Chang

b

Department of Aviation and Communication Electronics, Chinese Air Force Institute of Technology, Kaohsiung 82042, Taiwan, ROC b Department of Electrical Engineering, Chung Cheng Institute of Technology, National Defense University, Tahsi, Taoyuan 33509, Taiwan, ROC

Abstract Q Modular multi-exponentiation ni¼1 M Ei i ðmod N Þ is a very important but time-consuming operation in many modern cryptosystems. In this paper, a fast modular multi-exponentiation is proposed utilizing the binary-like complex arithmetic method, complement representation method and canonical-signed-digit recoding technique. By performing complements and canonical-signed-digit recoding technique, the Hamming weight (number of 1’s in the binary representation or number of non-zero digits in the binary signed-digit representations) of the exponents can be reduced. Based on these techniques, an algorithm with efficient modular multi-exponentiation is proposed. For modular multi-exponentiation, in average case, the proposed algorithm can reduce the number of modular multiplications (MMs) from 1.503k to 1.306k, where k is the bit-length of the exponent. We can therefore efficiently speed up the overall performance of the modular multi-exponentiation for cryptographic applications.  2006 Elsevier Inc. All rights reserved. Keywords: Complex arithmetic; Hamming weight; Signed-digit recoding; Multi-exponentiation; Public key cryptography

1. Introduction Qn Modular multi-exponentiation i¼1 M Ei i ðmod N Þ is a very important but time-consuming arithmetic operation in many modern cryptosystems. For example, the RSA public key cryptosystem [1] and the Diffie–Hellman key distribution scheme [2] are the cases for n = 1. The DSA (Digital Signature Algorithm) of the NIST (National Institute of Standards and Technology) [3], the Schnorr identification and signature for smart cards scheme [4], and the Brickell–McCurley interactive identification and digital signature scheme [5] are the cases for n = 2. The ElGamal digital signature scheme [6] is the case for n = 3. Modular multi-exponentiation is a very time-consuming arithmetic operation. Moreover, a significant problem is how to reduce the time needed to perform a modular multi-exponentiation operation. One of the most common solution of modular multi-exponentiation problems is to compute modular exponentiations *

Corresponding authors. E-mail addresses: [email protected] (C.-L. Wu), [email protected] (D.-C. Lou).

0096-3003/$ - see front matter  2006 Elsevier Inc. All rights reserved. doi:10.1016/j.amc.2006.08.051

1066

C.-L. Wu et al. / Applied Mathematics and Computation 186 (2007) 1065–1074

individually, then to multiply these computations together, finally performing modular operation, i.e., ðM E1 1 ðmod N ÞÞ  ðM E2 2 ðmod N ÞÞðmod N Þ. Besides, the modular exponentiation can be performed by a series of modular multiplications (MMs). There are several well-known algorithms for speeding up the modular exponentiation and the modular multiplication, such as the binary method (so-called the square-and-multiply method) [7], Montgomery reduction methods [8–10], signed-digit (SD) representation methods [11–18], folding-in-half methods [19,20], modular exponentiation methods [21–23], common-multiplicand–multiplication (CMM) methods [24–27] and modular multi-exponentiation methods [28–31]. A novel method for speeding up modular multi-exponentiation by using the binary-like complex arithmetic method, complement representation method and canonical-signed-digit (CSD) recoding technique is presented in this paper. The Hamming weight (number of ones in the binary representation or number of non-zero digits in the binary signed-digit representations) of the exponents plays an important role for the computation efficiency. By performing complements and canonical-signed-digit recoding technique, the Hamming weight of an exponent can be reduced. Based on these concepts, an algorithm with efficient modular multi-exponentiation is proposed. For modular multi-exponentiation, in average case, the proposed algorithm can reduce the number of modular multiplications (MMs) from 1.503k to 1.306k, where k is the bit-length of the exponent. We can therefore efficiently speed up the overall performance of modular multi-exponentiation. This paper is organized as follows. In Section 2, we introduce some related works for efficiently speeding up the modular multi-exponentiation. In Section 3, we describe the proposed algorithm for fast modular multiexponentiation. Then, the computational complexity of the proposed algorithm is analyzed in Section 4. Finally, we conclude this work and future works in Section 5.

2. Mathematical preliminaries 2.1. The complex arithmetic The computation of modular multi-exponentiation C = AXBY(mod N) is equivalent to find some vector addition chain for the vector (X, Y). Now, given a Gaussian integer z = X + Yi, find a set of Gaussian integers z0 = (1, 0), z1 = (0, 1), z2 = (1, 1), . . . , zr = (X, Y), such that for every l there exist integers p and q, l > p P q such that zl = zp + zq. In 1989, Pekmestzi [34] proposed an algorithm to compute multi-exponentiations of two base numbers, i.e., C = AXBY(mod N). The algorithm scans concurrently one bit of two exponents at each step. The binary-like representation of complex numbers: z¼

k1 X

d i  2i

d 2 ð0; 1; i; 1 þ iÞ:

ð1Þ

i¼0

The number representation can be considered as a binary representation with complex digits. The digit encoding is shown in Table 1. For example, by Eq. (1), let z = X + Yi = 2845 + 4584i, then 2845 ¼ ð0101100011101Þ2 ; 4584 ¼ ð1000111100000Þ2 ; Table 1 Digit encoding of complex digits Complex digit

Binary code

0 1 i 1+i

00 10 01 11

C.-L. Wu et al. / Applied Mathematics and Computation 186 (2007) 1065–1074

1067

and z = (i, 1, 0, 1, 1 + i, i, i, i, 1, 1, 1, 0, 1). Now, we can use the above encoding scheme for the complex digits to obtain the following representation of z: z ¼ ð01100010110101011010100010Þ: The following algorithm is the Pekmestzi algorithm, we consider the AX BY ðmod N Þ, where both the exponents X and Y are k-bit integers, i.e., k = dlog2max(X, Y)e. The Pekmestzi Algorithm Input: A, B, X, Y, N Output: C(=AXBYmod N) Begin k = dlog2 max(X, Y)e; X = (xk1, xk2, . . . , x0); Y = (yk1, yk2, . . . , y0); C = 1; D = A · B(mod N); L1: Case (xk1, yk1) (1, 0): C = C · A(mod N); (0, 1): C = C · B(mod N); (1, 1): C = C · D(mod N); Endcase; if k > 1 then C = C · C(mod N); k = k  1; if k > 0 then goto L1 else output C. End In the following, we use an example to illustrate how Pekmestzi algorithm works. Let A = 3, B = 5, X = 10 = (1010)2, Y = 6 = (0110)2, and N = 17, then k = dlog2 max(X, Y)e = 4, z = X + Yi = (10011100). Therefore, we have the result of modular multi-exponentiations as Table 2. The computational complexity of the modular multi-exponentiation algorithm depends on the numbers of square-and-multiply operations. The worst case appears when all of the complex digits of z = X + Yi are nonzero and in this case we have 2k modular multiplications. On average 12  12 ¼ 14 of the complex digits of z are expected to be zero, therefore the average number of modular multiplications is ð2  14Þk ¼ 74 k ¼ 1:75k, where k is the bit-length of exponent.

2.2. The Dimitrov–Jullien–Miller algorithm In 2000, Dimitrov et al. [28] proposed an algorithm to compute multi-exponentiations for two base numbers. The Dimitrov–Jullien–Miller algorithm using canonical-signed-digit binary representation and Pekmestzi scheme to speed up the modular multi-exponentiation operations. In 1961, Avizienis [13] proposed a signed-digit (SD) representation, also called redundant number representations for fast parallel arithmetic. In a signed-digit number with radix 2, three symbols f1; 0; 1g are allowed for the digit set, here the symbol  1 denotes 1. The recoding representation is called canonical if it contains no adjacent non-zero digits [12]. For example, when A = 28,604, we compute the canonical-signed-digit vector B as: Table 2 Example of the Pekmestzi algorithm

k=4 k=3 k=2 k=1

(xk1,yk1)

Endcase loop operations

C = C · C(mod N)

(1, 0) (0, 1) (1, 1) (0, 0)

C = C · A(mod N) = 3 C = C · B(mod N) = 11 C = C · D(mod N) = 13 No-operation

C = C · C(mod N) = 9 C = C · C(mod N) = 2 C = C · C(mod N) = 16 Output C = 16

1068

C.-L. Wu et al. / Applied Mathematics and Computation 186 (2007) 1065–1074

A ¼ ð0110111110111100Þ2 ; B ¼ ð100 100000 1000 100ÞSD : Note that the number A contains eleven non-zero bits and its canonically recoded version contains only four non-zero digits. It shows that the average Hamming weight (number of 1’s in the binary representation or number of non-zero digits in the signed-digit binary representation) of a k-bit canonically recoded binary number approaches 13 k, i.e., 23 k of the digits are zeros, as k becomes sufficiently large. The following algorithm is the Dimitrov–Jullien–Miller algorithm for computing the AX BY ðmod N Þ, where both the exponents X and Y are k bits. The Dimitrov–Jullien–Miller algorithm Input: A, B, X, Y, N; Output: C(=AXBY mod N) Begin Precompute a1 = AB(mod N); a2 = A1(mod N); a3 = B1(mod N); a4 = A1B(mod N); a5 = AB1(mod N); a6 = A1B1(mod N); k = dlog2 max(X,Y)e; Find the canonical-signed-digit binary representations of X and Y; C = 1; X = (xk,xk1, xk2, . . . ,x0)SD; Y = (yk, yk1, yk2, . . . , y0)SD; L1: Case (xk, yk) (1, 0): C = C · A(mod N); (0, 1): C = C · B(mod N); (1, 1): C = C · a1(mod N); ð 1; 0Þ : C ¼ C  a2 ðmod N Þ; ð0;  1Þ : C ¼ C  a3 ðmod N Þ; ð 1; 1Þ : C ¼ C  a4 ðmod N Þ; ð1;  1Þ : C ¼ C  a5 ðmod N Þ; ð 1;  1Þ : C ¼ C  a6 ðmod N Þ; Endcase; if k > =1 then C = C · C(mod N); k = k  1; if k >= 0 then goto L1 else output C. End In the following, we use an example to illustrate how Dimitrov–Jullien–Miller algorithm works. Let A = 3, B = 5, X = 10 = (1010)2 = (1010)SD, Y ¼ 6 ¼ ð0110Þ2 ¼ ð1010ÞSD and N = 17. We obtain k = dlog2max(X, Y)e = 4, Z ¼ X þ Y i ¼ ð11001 100Þ, where B1(mod N) is the multiplicative inverse of number B modulo N, in this case as 24, i.e., 1  5 · 24(mod 17). So, we can obtain: a5 ¼ AB1 ðmod N Þ ¼ 3  24ðmod 17Þ ¼ 4: Therefore, we have the result of modular multi-exponentiations as Table 3. The average proportion of zeros in the canonical-signed-digit binary representation of integers is 23; therefore the probability that a randomly chosen complex digit, z = X + Yi, is zero is ð23  23Þ ¼ 49. The average Table 3 Example of the Dimitrov–Jullien–Miller algorithm

k=4 k=3 k=2 k=1 k=0

(xk,yk)

Endcase loop operations

C = C · C(mod N)

(0, 0) (1, 1) (0, 0) ð1; 1Þ (0, 0)

No-operation C = C · a1(mod N) = 15 No-operation C = C · a5(mod N) = 13 No-operation

C = C · C(mod N) = 1 C = C · C(mod N) = 4 C = C · C(mod N) = 16 C = C · C(mod N) = 16 Output C = 16

C.-L. Wu et al. / Applied Mathematics and Computation 186 (2007) 1065–1074

1069

number of modular multiplication in this case is ð2  49Þk ¼ 149 k ¼ 1:556k, where k is the bit-length of exponent (X and Y). Moreover, if we use Dimitrov–Jullien–Miller reduction rules (Table 4) in this algorithm, then the average number of modular multiplication can be further reduced to 1.534k. 2.3. The complement recoding method In 2003, Chang et al. [32] proposed an efficient method to compute the general multiplication operation and for the common-multiplicand multiplication by performing complements. Assume the binary representation of multiplier B is bk1bk2. . .b1b0. Performing complements is advantageous in the speedup of multiplication computations. The complement process is shown as follows: B¼

k1 X

bi  2i ¼ ð10 . . . 0Þðkþ1Þbits  B  1;

ð2Þ

i¼0

where B ¼ bk1 bk2 . . . b0 ,  bi ¼ 0 if bi ¼ 1; and bi ¼ 1 if bi ¼ 0; for i = 0, 1, . . . , k  1. For example, B ¼ ð118Þ10 ¼ ð01110110Þ2 ¼ ð10 . . . 0Þð8þ1Þbits  B  1 ¼ ð10 . . . 0Þð8þ1Þbits  ð10001001Þ2  1 ¼ 256  137  1: Clearly, the Hamming weight of B can be reduced. Therefore, the multiplication computations will be speeded up. The Chang–Kuo–Lin algorithm is described as follows: The Chang–Kuo–Lin algorithm Input: Multiplicand: A; Multipliers: B1, B2; Output: M1 = A · B1; M2 = A · B2; Function: Mul_with_Com(A, B, k): M Begin Count the Hamming weight of B if HamðBÞ > k2 then M ¼ ðA n kÞ  A  B  A; else M = A · B; End M1 :¼ Mul_with_Com(A, B1, k); M2 :¼ Mul_with_Com(A, B2, k). where, the A n k denotes the integer which is obtained by the left-shift k bits from the multiplicand A. In the following, we use an example to illustrate how Chang–Kuo–Lin algorithm works. Let A = (178)10 = (10110010)2 and B = (123)10 = (01111011)2. Since the Hamming weight of B > 2k ¼ 4, where k Table 4 The Dimitrov–Jullien–Miller reduction rules Combination X 010 Y 10 1

010 101

 010 101

 010 101

101 010

101 010

101 010

 101 010

Reduction X Y

010 011

010 011

010 011

011 010

011  010

011 010

011  010

010 011

1070

C.-L. Wu et al. / Applied Mathematics and Computation 186 (2007) 1065–1074

is the bit-length of A and B. We perform a complement on B, i.e. B ¼ ð10000100Þ2 . Therefore, we have the result of multiplication as follows: P ¼ A  B ¼ A  ½ð10 . . . 0Þð8þ1Þbits  B  1 ¼ ðA n 8Þ  A  B  A ¼ ð1011001000000000Þ2  ð10110010Þ2  ð10000100Þ2  ð10110010Þ2 ¼ ð0101010110000110Þ2 ¼ 21; 894: To compute the modular exponentiation of C = ME mod N, we express the exponent E as a binary representation ek1ek2 . . . e1 e0. Performing complements is advantageous in the speedup of exponential computations. The equation is shown as follows: E¼

k1 X

ei  2i ¼ ð10 . . . 0Þðkþ1Þbits  E  1;

ð3Þ

i¼0

where E ¼ ek1 ek2 . . . e0 ,  ei ¼ 0 if ei ¼ 1; and ei ¼ 1 if ei ¼ 0 for i = 0, 1, . . . , k  1. For example, E ¼ ð249Þ10 ¼ ð11111001Þ2 ¼ ð10 . . . 0Þð8þ1Þbits  E  1 ¼ ð10 . . . 0Þð8þ1Þbits  ð00000110Þ2  1 ¼ 256  6  1: Clearly, the Hamming weight of E can be reduced. Therefore, the exponential computations will be speeded up while the binary method is used. 3. The proposed algorithm In Section 2, we describe the binary-like complex arithmetic, canonical-signed-digit binary recoding technique and complement representation respectively. The proposed algorithm is detailed depicted as follows: The Proposed Algorithm Input: A, B, X, Y, N; Output: C(=AXBY mod N) Begin Precompute k = dlog2 max(X, Y)e; a1 = AB(mod N); a2 = A1(mod N); a3 = B1(mod N); a4 = A1B(mod N); a5 = AB1(mod N); a6 = A1B1(mod N); k k k k a7 ¼ A2 ðmod N Þ; a8 ¼ B2 ðmod N Þ; a9 ¼ A2 B2 ðmod N Þ. Count the Hamming weight of X, denote as Ham(X). Count the Hamming weight of Y, denote as Ham(Y). if HamðX Þ > k2 then X ¼ ð10 . . . 0Þðkþ1Þbits  ðX ÞSD  1; X ¼ ðX ÞSD ; HWx = 1; else Perform the canonical-signed-digit of X is XSD; X = XSD; HWx = 0; if HamðY Þ > 2k then Y ¼ ð10 . . . 0Þðkþ1Þbits  ðY ÞSD  1; Y ¼ ðY ÞSD ; HWy = 1; else Perform the canonical-signed-digit of Y is YSD; Y = YSD; HWy = 0; C = 1; X = (xk,xk1,xk2, . . . ,x0)SD; Y = (yk,yk1, yk2, . . . ,y0)SD; L1: Case (Xk,Yk) (1, 0): C = C · A(mod N); (0, 1): C = C · B(mod N); (1, 1): C = C · a1(mod N); ð 1; 0Þ : C ¼ C  a2 ðmod N Þ;

C.-L. Wu et al. / Applied Mathematics and Computation 186 (2007) 1065–1074

1071

ð0;  1Þ : C ¼ C  a3 ðmod N Þ; ð 1; 1Þ : C ¼ C  a4 ðmod N Þ; ð1;  1Þ : C ¼ C  a5 ðmod N Þ; ð 1;  1Þ : C ¼ C  a6 ðmod N Þ; Endcase; if k > =1 then C = C · C(mod N); k = k  1; if k > =0 then go to L1 else Case (HWx, HWy) (0, 0): output C. (1, 0): output C = a7 · C · a2(mod N); (0, 1): output C = a8 · C · a3(mod N); (1, 1): output C = a9 · C · a6(mod N); Endcase; End In the following, we use four examples to illustrate how the proposed algorithm works. Example 1. Consider the evaluation of C = AXBY(mod N) = A240B15(mod N), where X = 240 = (11110000)2, Y = 15 = (00001111)2, and k = dlog2max(X, Y)e = 8. Since the HamðX Þ 6 2k and HamðY Þ 6 2k , we consider the canonical-signed-digit of X as X SD ¼ ð1000 100000ÞSD and the canonical-signed-digit of Y as Y SD ¼ ð00001000 1ÞSD . Therefore, we have the result of multi-exponentiation as follows: 



C ¼ AX BY ðmod N Þ ¼ A240 B15 ðmod N Þ ¼ A11110000 B00001111 ðmod N Þ ¼ A100010000 B000010001 ðmod N Þ: In this example, the complex number z = X + Yi = (1, 1, 1, 1, i, i, i, i) contains eight non-zero digits and its canonical-signed-digit binary recoded version z = XSD + YSDi = (1,0,0,0,  1 + i,0,0,0,  i) contains only three non-zero digits. So, the modular multiplication operation can be reduced, we can hence speed up the modular multi-exponentiation. Example 2. Consider the evaluation of C = AXBY(mod N) = A248B15(mod N), where X = 248 = (11111000)2, Y = 15 = (00001111)2 and k = dlog2max(X, Y)e = 8. Since the HamðX Þ > k2 and HamðY Þ 6 2k, we consider the complement of X as X ¼ ð00000111Þ2 , the canonical-signed-digit of X as ðX ÞSD ¼ ð000001001ÞSD and the canonical-signed-digit of Y as Y SD ¼ ð000010001ÞSD . Therefore, we have the result of multi-exponentiation as follows: C ¼ AX BY ðmod N Þ ¼ A248 B15 ðmod N Þ ¼ A11111000 B00001111 ðmod N Þ ¼ Að100000000000001111Þ B00001111 ðmod N Þ 







¼ Að1000000000000010011Þ B000010001 ðmod N Þ ¼ Að100000000þ0000010011Þ B000010001 ðmod N Þ 

8



¼ ðA2 ðmod N Þ  A000001001 B000010001 ðmod N Þ  A1 ðmod N ÞÞðmod N Þ: In this example, the complex number z = X + Yi = (1, 1, 1, 1, 1 + i, i, i, i) contains eight non-zero digits and its canonical-signed-digit binary recoded version z ¼ ðX ÞSD þ Y SD i ¼ ð0; 0; 0; 0; i; 1; 0; 0; 1  iÞ contains only 8 three non-zero digits. Since A is constant, therefore A2 ðmod N Þ and A1 ðmod N Þ can be precomputed in advance. Example 3. Consider the evaluation of C = AXBY(mod N) = A240B31(mod N), where X = 240 = (11110000)2, Y = 31 = (00011111)2 and k = dlog2max(X, Y)e = 8. Since the HamðX Þ 6 2k and HamðY Þ > 2k, we consider the canonical-signed-digit of X as X SD ¼ ð1000 100000ÞSD , the complement of Y as Y ¼ ð111000; 00Þ2 and the canonical-signed-digit of Y as ðY ÞSD ¼ ð100 100000ÞSD . Therefore, we have the result of multi-exponentiation as follows: C ¼ AX BY ðmod N Þ ¼ A240 B31 ðmod N Þ ¼ A11110000 B00011111 ðmod N Þ ¼ A11110000 Bð100000000111000001Þ ðmod N Þ 







¼ A100010000 Bð1000000001001000001Þ ðmod N Þ ¼ A100010000 Bð100000000þ1001000001Þ ðmod N Þ 8





¼ ðB2 ðmod N Þ  A100010000 B100100000 ðmod N Þ  B1 ðmod N ÞÞðmod N Þ:

1072

C.-L. Wu et al. / Applied Mathematics and Computation 186 (2007) 1065–1074

In this example, the complex number z = X + Yi = (1, 1, 1, 1 + i, i, i, i, i) contains eight non-zero digits and its canonical-signed-digit binary recoded version z ¼ X SD þ ððY ÞSD Þi ¼ ð1  i; 0; 0; i; 1; 0; 0; 0; 0Þ contains 8 only three non-zero digits. Since B are constants, therefore B2 ðmod N Þ and B1 ðmod N Þ can be precomputed in advance. Example 4. Consider the evaluation of C ¼ AX BY ðmod N Þ ¼ A248 B31 ðmod N Þ, where X = 248 = (11111000)2, Y = 31 = (00011111)2 and k = dlog2max(X, Y)e = 8. Since the HamðX Þ > 2k and HamðY Þ > 2k, we consider the complement of X as X ¼ ð00000111Þ2 , the canonical-signed-digit of X as ðX ÞSD ¼ ð000001001ÞSD , the complement of Y as Y ¼ ð11100000Þ2 and the canonical-signed-digit of Y as ðY ÞSD ¼ ð100100000ÞSD . Therefore, we have the result of multi-exponentiation as follows: C ¼ AX BY ðmod N Þ ¼ A248 B31 ðmod N Þ ¼ A11111000 B00011111 ðmod N Þ 



¼ Að100000000000001111Þ Bð100000000111000001Þ ðmod N Þ ¼ Að1000000000000010011Þ Bð1000000001001000001Þ ðmod N Þ 



¼ Að100000000þ0000010011Þ Bð100000000þ1001000001Þ ðmod N Þ 8

8





¼ ðA2 B2 ðmod N Þ  A000001001 B100100000 ðmod N Þ  A1 B1 ðmod N ÞÞðmod N Þ: In this example, the complex number z = X + Yi = (1, 1, 1, 1 + i, 1 + i, i, i, i) contains eight non-zero digits and its canonical-signed-digit binary recoded version z ¼ ððX ÞSD Þ þ ððY ÞSD Þi ¼ ði; 0; 0; i; 0; 1; 0; 0; 1Þ contains only four non-zero digits. So, the modular multiplication operation can be reduced, we can speed 8 8 up the modular multi-exponentiation. Since A and B are constants, therefore A2 B2 ðmod N Þ and 1 1 A B ðmod N Þcan be precomputed in advance.

4. Computational complexity analyses In this section, we will describe the computational complexity of the proposed algorithm. Assume both the exponents X and Y are k-bit unsigned binary number. Since the worst case appears when all of the complex digits of z = X + Yi are non-zero and in this case we have 2k modular multiplications. Besides, the average proportion of non-zeros in binary representation is 12 and in canonical-signed-digit binary representation is 13. So the average proportion of zeros in the proposed algorithm is ð1  12  13Þ ¼ 56. Therefore the probability that a randomly chosen complex digit, z = X + Yi, is zero is 56  56 ¼ 25 . The average 36 47 number of modular multiplications (MMs) in this case is ð2  25 Þk ¼ k  1:306k, as k becomes sufficiently 36 36 large. 5. Conclusions An efficient method to fast evaluate modular multi-exponentiation is proposed, which combines the binarylike complex arithmetic method, complement recoding method, and canonical-signed-digit binary recoding method. The computational complexity of the proposed algorithm is 1.306k MMs that are faster than 1.750k MMs in Shamir’s algorithm [6], 1.625k MMs in Yen–Lai–Lenstra algorithm (window size = 2) [30], Table 5 Complexities comparison among different algorithms Algorithms for multi-exponentiation

Computational complexity

Shamir algorithm [6] Yen–Lai–Lenstra algorithm [30] Dimitrov–Jullien–Miller algorithm [28] Yang–Guan–Laih algorithm [11] Solinas algorithm [33] The proposed algorithm

1.750k 1.625k 1.534k 1.509k 1.503k 1.306k

MMs MMs MMs MMs MMs MMs

C.-L. Wu et al. / Applied Mathematics and Computation 186 (2007) 1065–1074

1073

1.534k MMs in Dimitrov–Jullien–Miller algorithm (with reduction rules) [28], 1.509k in Yang–Guan–Laih algorithm [11], and 1.503k in Solinas’s algorithm [33]. Let k = 1024 bits, it costs 1539 modular multiplications for Solinas’s algorithm but only 1337 modular multiplications are required for the proposed algorithm. From the complexity analyses shown in Table 5, it is obvious that the proposed algorithm is much more efficient than some other existing proposed algorithms. References [1] R.L. Rivest, A. Shamir, L. Adleman, A method for obtaining digital signatures and public key cryptosystems, Communications of the ACM 21 (2) (1978) 120–126. [2] W. Diffie, M.E. Hellman, New directions in cryptographs, IEEE Transactions on Information Theory IT-22 (6) (1976) 644–654. [3] National Institute of Standards and Technology, A proposed federal information processing standard for digital signature standard (DSS), Federal Register 56 (169) (1991) 42980–42982. [4] C.P. Schnorr, Efficient identification and signature for smart cards, in: Advances in Cryptology-proceedings of Crypto’89, SpringerVerlag, New York, 1990, pp. 239–252. [5] E.F. Brickell, K.S. McCurley, Interactive identification and digital signature, AT&T Technical Journal (Nov./Dec.) (1991) 73–86. [6] T. ElGamal, A public key cryptosystem and a signature scheme based on discrete logarithms, IEEE Transactions on Information Theory 31 (4) (1985) 469–472. [7] D.E. Knuth, The Art of Computer Programming. Volume 2: Seminumerical Algorithms, third ed., Addison-Wesley, MA, 1997. [8] P.L. Montgomery, Modular multiplication without trial division, Mathematics of Computation 44 (170) (1985) 519–521. [9] A.F. Tenca, C.K. Koc, A scalable architecture for modular multiplication based on Montgomery’s algorithm, IEEE Transactions on Computers 52 (9) (2003) 1215–1221. [10] H. Thapliyal, A. Ramasahayam, V.R. Kotha, K. Gottimukkula, M.B. Srinivas, Modified Montgomery modular multiplication using 4:2 compressor and CSA adder, in: Proceedings of the Third IEEE International Workshop on Electronic Design, Test and Applications, January 2006, pp. 414–417. [11] W.-C. Yang, D.-J. Guan, C.-S. Laih, Algorithm of asynchronous binary signed-digit recoding on fast multi-exponentiation, Applied Mathematics and Computation 167 (1) (2005) 108–117. [12] C.K. Koc, S. Johnson, Multiplication of signed-digit numbers, Electronics Letters 30 (11) (1994) 840–841. [13] A. Avizienis, Signed-digit number representations for fast parallel arithmetic, IRE Transactions on Electronic Computers 10 (1961) 389–400. [14] S. Arno, F.S. Wheeler, Signed digit representations of minimal Hamming weight, IEEE Transactions on Computers 42 (8) (1993) 1007–1010. [15] M. Syuto, E. Satake, K. Tanno, O. Ishizuka, A high-speed binary to residue converter using a signed-digit number representation, IEICE Transaction on Information and Systems E85-D (5) (2002) 903–905. [16] C. Heuberger, H. Prodinger, Carry propagation in signed digit representations, European Journal of Combinatorics 24 (3) (2003) 293–320. [17] M. Joye, S.-M. Yen, Optimal left-to-right binary signed-digit recoding, IEEE Transactions on Computers 49 (7) (2000) 740–748. [18] I. Koren, Computer Arithmetic Algorithms, second ed., A.K. Peters, MA, 2002. [19] D.-C. Lou, C.-C. Chang, Fast exponentiation method obtained by folding the exponent in half, IEE Electronics Letters 32 (11) (1996) 984–985. [20] D.-C. Lou, C.-L. Wu, C.-Y. Chen, Fast exponentiation by folding the signed-digit exponent in half, International Journal of Computer Mathematics 80 (10) (2003) 1251–1259. [21] C.-L. Wu, D.-C. Lou, T.-J. Chang, An efficient exponentiation algorithm for cryptographic applications, Informatica 16 (3) (2005) 449–468. [22] N. Nedjah, L.M. Mourelle, Four hardware implementations for the M-ary modular exponentiation, in: Proceedings of the Third International Conference on Information Technology: New Generations, April 2006, pp. 210–215. [23] N. Nedjah, L.M. Mourelle, Three hardware architectures for the binary modular exponentiation: sequential, parallel and systolic, IEEE Transactions on Circuits and Systems I: Fundamental Theory and Applications 53 (March) (2006) 627–633. [24] S.-M. Yen, C.-S. Laih, Common-multiplicand–multiplication and its applications to public key cryptography, IEE Electronics Letters 29 (17) (1993) 1583–1584. [25] S.-M. Yen, Improved common-multiplicand–multiplication and fast exponentiation by exponent decomposition, IEICE Transaction on Fundamentals E80-A (6) (1997) 1160–1163. [26] T.-C. Wu, Y.-S. Chang, Improved generalization common-multiplicand–multiplications algorithm of Yen and Laih, IEE Electronics Letters 31 (20) (1995) 1738–1739. [27] J.C. Ha, S.J. Moon, A common-multiplicand method to the Montgomery algorithm for speeding up exponentiation, Information Processing Letters 66 (2) (1998) 105–107. [28] V.S. Dimitrov, G.A. Jullien, W.C. Miller, Complexity and fast algorithms for multi-exponentiations, IEEE Transactions on Computers 49 (2) (2000) 141–147. [29] C.-C. Chang, D.-C. Lou, Parallel computation of multi-exponentiation for cryptosystems, International Journal of Computer Mathematics 63 (1–2) (1997) 9–26.

1074

C.-L. Wu et al. / Applied Mathematics and Computation 186 (2007) 1065–1074

[30] S.-M. Yen, C.-S. Laih, A.K. Lenstra, Multi-exponentiation, IEE Proceeding—Computers and Digital Techniques 141 (6) (1994) 325– 326. [31] D.-C. Lou, C.-C. Chang, An efficient divide-and-conquer technique for parallel computation of modular multi-exponentiation, International Journal of Computer Systems Science & Engineering 15 (2) (2000) 111–117. [32] C.-C. Chang, Y.-T. Kuo, C.-H. Lin, Fast algorithms for common multiplicand multiplication and exponentiation by performing complements, in: Proceeding of 17th International Conference on Advanced Information Networking and Applications, March 2003, pp. 807–811. [33] J.A. Solinas, Low-weight binary representations for pairs of integers. Available from: . [34] K. Pekmestzi, Complex number multipliers, IEE Proceeding—Computers and Digital Techniques 136 (1989) 70–75.