Presentation is loading. Please wait.

Presentation is loading. Please wait.

Fast Truncated Multiplication for Cryptographic Applications

Published byLeslie Benson Modified over 6 years ago

Similar presentations

Presentation on theme: "Fast Truncated Multiplication for Cryptographic Applications"— Presentation transcript:

1 Fast Truncated Multiplication for Cryptographic Applications
2002−2006 Laszlo Hars Seagate Research

2 Outline History of the paper, Applications Examples Truncated Products
Time complexity Carry Half products LS and MS products Middle-third products Squaring

3 History, Applications Written in 2002/03
’03 Missed deadline ’04 Reviewers failed to read ’05 Page and time limitations  ½ of accepted paper printed Applications:

4 Example: Reciprocal ⌊d 2n/x⌋ = Integer reciprocal of n-digit x
Newton Iteration doubles #accurate bits r  r ∙(2−r ∙x) r  r + r ∙(1+ r ∙(−x)) Proof: rk = 1/x ∙(1− ε)    rk+1 = 1/x ∙(1− ε2). r ∙x = 1− ε, only need digits2k +1 … 2k+1 of r ∙(-x) r2k = rk || rk  (rk  -x(2k+1)) School Karatsuba 0.5M 0.9039M 2’s complement concatenate Middle third of |3∙2k| product MS half of |2∙2k| product

5 Numerical Example: Reciprocal
x = , ⌊1016/ x⌋ = r = 11408, -x = 108 − x = (complement) r · (-x) = , y = r  -x = 3951 z = r · y = , r ⋉ y = 4507 r’ = r || r ⋉ y =

6 Examples: modular multiplication
Barrett multiplication: with µ = ⌊d 2n/m⌋ a b mod m = a b − ⌊a b / m⌋m = LS(a b) − ( MS(a b)  µ )  m With b constant, β := MS2n(b/m) a b mod m = (a  β )  m Montgomery multiplication, -m-1:=  inv of -m mod d n ab d −n mod m =  MS(a b) − (LS(a b)  (-m-1))  m With b constant, β := b  (-m-1) ab d −n mod m = a  b − (a   β )  m

7 Truncated Product Specialized algorithms
Cover with polygons of black-box algorithms Ignore extra digits Subtract overlap Pad input for excess area contiguous subsequence of the digits of the product

8 Time complexity Number of digit-multiplications
× is more expensive than +, −, <, load/store… Can be performed parallel to others Fast multiplication algorithms take ≈ nα time Speed relations: M1/M2 ≈ T1/T2 (Mult, TrctMult) No more auxiliary digit operations than at the corresponding black box multiplication!

9 Carry Omitted LS product-digits may cause carry
Some algorithms tolerate (Barrett, Newton iteration) Others must be accurate Maximal potential carry: at the main diagonal (n −1) d n+1 + (d −n −1) d n + 1 Last 2 digits can be “very” wrong Carry can propagate to the first digit (9→0, x→ x+1) Use 2 extra guard digits to the right Almost always they absorb carry If they are large (might not absorb) ⇒ full product

10 Half Product MS or LS half product Find optimal β, Speedup
Same speed ± linear term Find optimal β, Speedup

11 LS and MS products MS products faster calculated than the full product

12 Middle-third product Center Square + 2 small triangles
Karatsuba: direct recursion 4 overlapping smaller cases 3 are enough

13 Squaring Squaring short operands twice faster than mult
Complexity recursions end at short operands Speed relations of short square/mult is (almost) the same as at long ops Squaring ∉ Truncated Products

14 Conclusion Fast truncated multiplication algorithms
Black-box covering Optimal configurations Specialized algorithms Speed up many crypto algorithms Constant factor (≈ 20…50% typical) Encourage use of sub-quadratic algorithms No speedup for FFT-based algorithms?

Download ppt "Fast Truncated Multiplication for Cryptographic Applications"

Similar presentations

Numerical Computation Lecture 4: Root Finding Methods - II United International College.

Numerical Computation Lecture 4: Root Finding Methods - II United International College.
Microcomputer Systems 1

Microcomputer Systems 1
Integer & Fixed Point Addition and Multiplication CENG 329 Lab Notes By F. Serdar TAŞEL.

Integer & Fixed Point Addition and Multiplication CENG 329 Lab Notes By F. Serdar TAŞEL.
Fast Modular Reduction

Fast Modular Reduction
Using Carry-Save Adders For Radix- 4, Can Be Used to Generate 3a – No Booth’s Slight Delay Penalty from CSA – 3 Gates.

Using Carry-Save Adders For Radix- 4, Can Be Used to Generate 3a – No Booth’s Slight Delay Penalty from CSA – 3 Gates.
DIVIDE AND CONQUER. 2 Algorithmic Paradigms Greedy. Build up a solution incrementally, myopically optimizing some local criterion. Divide-and-conquer.

DIVIDE AND CONQUER. 2 Algorithmic Paradigms Greedy. Build up a solution incrementally, myopically optimizing some local criterion. Divide-and-conquer.
C. Walter, Data Integrity for Modular Arithmetic, CHES 2000 CHES 2000 Data Integrity in Hardware for Modular Arithmetic Colin Walter Computation Department,

C. Walter, Data Integrity for Modular Arithmetic, CHES 2000 CHES 2000 Data Integrity in Hardware for Modular Arithmetic Colin Walter Computation Department,
1 EFFICIENT ADDERS TO SPEEDUP MODULAR MULTIPLICATION FOR CRYPTOGRAPHY Adnan Gutub Hassan Tahhan Computer Engineering Department KFUPM, Dhahran, SAUDI ARABIA.

1 EFFICIENT ADDERS TO SPEEDUP MODULAR MULTIPLICATION FOR CRYPTOGRAPHY Adnan Gutub Hassan Tahhan Computer Engineering Department KFUPM, Dhahran, SAUDI ARABIA.
Introduction to Scientific Computing ICE 26.466 / ICE 508 Prof. Hyuckjae Lee KAIST- ICC

Introduction to Scientific Computing ICE / ICE 508 Prof. Hyuckjae Lee KAIST- ICC
UNIVERSITY OF MASSACHUSETTS Dept

UNIVERSITY OF MASSACHUSETTS Dept
Richard Fateman CS 282 Lecture 31 Operations, representations Lecture 3.

Richard Fateman CS 282 Lecture 31 Operations, representations Lecture 3.
VLSI Arithmetic. Multiplication A = a n-1 a n-2 … a 1 a 0 B = b n-1 b n-2 … b 1 b 0  eg) 1 1 0 0 1 1 1 0 1 0 0 1  1 1 0 0 1 1 0 0 0 1 1 0 0 1 1 Shift.

VLSI Arithmetic. Multiplication A = a n-1 a n-2 … a 1 a 0 B = b n-1 b n-2 … b 1 b 0  eg)  Shift.
Princeton University COS 423 Theory of Algorithms Spring 2002 Kevin Wayne Reductions Some of these lecture slides are adapted from CLRS Chapter 31.5 and.

Princeton University COS 423 Theory of Algorithms Spring 2002 Kevin Wayne Reductions Some of these lecture slides are adapted from CLRS Chapter 31.5 and.
SCOTT MILLER, AMBROSE CHU, MIHAI SIMA, MICHAEL MCGUIRE ReCoEng Lab DEPARTMENT OF ELECTRICAL AND COMPUTER ENGINEERING UNIVERSITY OF.

SCOTT MILLER, AMBROSE CHU, MIHAI SIMA, MICHAEL MCGUIRE ReCoEng Lab DEPARTMENT OF ELECTRICAL AND COMPUTER ENGINEERING UNIVERSITY OF.
1 COMP541 Arithmetic Circuits Montek Singh Mar 20, 2007.

1 COMP541 Arithmetic Circuits Montek Singh Mar 20, 2007.
Arithmetic-Logic Units CPSC 321 Computer Architecture Andreas Klappenecker.

Arithmetic-Logic Units CPSC 321 Computer Architecture Andreas Klappenecker.
IHP Im Technologiepark 25 15236 Frankfurt (Oder) Germany IHP Im Technologiepark 25 15236 Frankfurt (Oder) Germany www.ihp-microelectronics.com © 2007 -

IHP Im Technologiepark Frankfurt (Oder) Germany IHP Im Technologiepark Frankfurt (Oder) Germany ©
M. Interleaving Montgomery High-Radix Comparison Improvement Adders CLA CSK Comparison Conclusion Improving Cryptographic Architectures by Adopting Efficient.

M. Interleaving Montgomery High-Radix Comparison Improvement Adders CLA CSK Comparison Conclusion Improving Cryptographic Architectures by Adopting Efficient.
Montgomery multiplication Algorithm Mohammad Farmani Under supervision of : Dr. S. Bayat-sarmadi 2 nd. Semister,1392-93 Sharif University of Technology.

Montgomery multiplication Algorithm Mohammad Farmani Under supervision of : Dr. S. Bayat-sarmadi 2 nd. Semister, Sharif University of Technology.
MATH 175: NUMERICAL ANALYSIS II Lecturer: Jomar Fajardo Rabajante IMSP, UPLB 2 nd Semester AY 2012-2013.

MATH 175: NUMERICAL ANALYSIS II Lecturer: Jomar Fajardo Rabajante IMSP, UPLB 2 nd Semester AY

Similar presentations

Ads by Google