2015-10-21 05:03:22 +02:00
|
|
|
Modular Reduction
|
|
|
|
|
|
|
|
|
|
Usually, modular reduction is accomplished by long division, using the
|
|
|
|
|
mp_div() or mp_mod() functions. However, when performing modular
|
|
|
|
|
exponentiation, you spend a lot of time reducing by the same modulus
|
|
|
|
|
again and again. For this purpose, doing a full division for each
|
|
|
|
|
multiplication is quite inefficient.
|
|
|
|
|
|
|
|
|
|
For this reason, the mp_exptmod() function does not perform modular
|
|
|
|
|
reductions in the usual way, but instead takes advantage of an
|
|
|
|
|
algorithm due to Barrett, as described by Menezes, Oorschot and
|
|
|
|
|
VanStone in their book _Handbook of Applied Cryptography_, published
|
|
|
|
|
by the CRC Press (see Chapter 14 for details). This method reduces
|
|
|
|
|
most of the computation of reduction to efficient shifting and masking
|
|
|
|
|
operations, and avoids the multiple-precision division entirely.
|
|
|
|
|
|
|
|
|
|
Here is a brief synopsis of Barrett reduction, as it is implemented in
|
|
|
|
|
this library.
|
|
|
|
|
|
|
|
|
|
Let b denote the radix of the computation (one more than the maximum
|
|
|
|
|
value that can be denoted by an mp_digit). Let m be the modulus, and
|
|
|
|
|
let k be the number of significant digits of m. Let x be the value to
|
|
|
|
|
be reduced modulo m. By the Division Theorem, there exist unique
|
|
|
|
|
integers Q and R such that:
|
|
|
|
|
|
|
|
|
|
x = Qm + R, 0 <= R < m
|
|
|
|
|
|
|
|
|
|
Barrett reduction takes advantage of the fact that you can easily
|
|
|
|
|
approximate Q to within two, given a value M such that:
|
|
|
|
|
|
|
|
|
|
2k
|
|
|
|
|
b
|
|
|
|
|
M = floor( ----- )
|
|
|
|
|
m
|
|
|
|
|
|
|
|
|
|
Computation of M requires a full-precision division step, so if you
|
|
|
|
|
are only doing a single reduction by m, you gain no advantage.
|
|
|
|
|
However, when multiple reductions by the same m are required, this
|
|
|
|
|
division need only be done once, beforehand. Using this, we can use
|
|
|
|
|
the following equation to compute Q', an approximation of Q:
|
|
|
|
|
|
|
|
|
|
x
|
|
|
|
|
floor( ------ ) M
|
|
|
|
|
k-1
|
|
|
|
|
b
|
|
|
|
|
Q' = floor( ----------------- )
|
|
|
|
|
k+1
|
|
|
|
|
b
|
|
|
|
|
|
|
|
|
|
The divisions by b^(k-1) and b^(k+1) and the floor() functions can be
|
|
|
|
|
efficiently implemented with shifts and masks, leaving only a single
|
|
|
|
|
multiplication to be performed to get this approximation. It can be
|
|
|
|
|
shown that Q - 2 <= Q' <= Q, so in the worst case, we can get out with
|
|
|
|
|
two additional subtractions to bring the value into line with the
|
|
|
|
|
actual value of Q.
|
|
|
|
|
|
|
|
|
|
Once we've got Q', we basically multiply that by m and subtract from
|
|
|
|
|
x, yielding:
|
|
|
|
|
|
|
|
|
|
x - Q'm = Qm + R - Q'm
|
|
|
|
|
|
|
|
|
|
Since we know the constraint on Q', this is one of:
|
|
|
|
|
|
|
|
|
|
R
|
|
|
|
|
m + R
|
|
|
|
|
2m + R
|
|
|
|
|
|
|
|
|
|
Since R < m by the Division Theorem, we can simply subtract off m
|
|
|
|
|
until we get a value in the correct range, which will happen with no
|
|
|
|
|
more than 2 subtractions:
|
|
|
|
|
|
|
|
|
|
v = x - Q'm
|
|
|
|
|
|
|
|
|
|
while(v >= m)
|
|
|
|
|
v = v - m
|
|
|
|
|
endwhile
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
In random performance trials, modular exponentiation using this method
|
|
|
|
|
of reduction gave around a 40% speedup over using the division for
|
|
|
|
|
reduction.
|
|
|
|
|
|
|
|
|
|
------------------------------------------------------------------
|
2018-05-04 16:08:28 +02:00
|
|
|
This Source Code Form is subject to the terms of the Mozilla Public
|
|
|
|
|
# License, v. 2.0. If a copy of the MPL was not distributed with this
|
|
|
|
|
# file, You can obtain one at http://mozilla.org/MPL/2.0/.
|
