## Fast Modular Reduction With Precomputation

Venue: In Proceedings of Korea-Japan Joint Workshop on Information Security and Cryptology, Lecture

Citations: 1 - 0 self

### BibTeX

@INPROCEEDINGS{Lim_fastmodular,

author = {Chae Hoon Lim and Hyo Sun Hwang and Pil Joong Lee},

title = {Fast Modular Reduction With Precomputation},

booktitle = {In Proceedings of Korea-Japan Joint Workshop on Information Security and Cryptology, Lecture},

year = {}

}

### Abstract

Multiplication and modular reduction of long integers are two primitive operations for the implementation of most public key crypto algorithms. Multiplication can be best performed using Karatsuba's divide-and-conquer technique. However, the modular reduction process is more complicated and time-consuming. Thus an efficient implementation of modular reduction operation is one of main factors affecting the performance of public key cryptosystems. In this paper, we investigate a method for speeding up modular reduction using more or less precomputation based on the modulus, and present implementation results of various algorithms including our proposed methods.

1 Introduction

There are two approaches to reducing the computation time for modular exponentiation; reducing the number of modular multiplications required and reducing the computation time for modular multiplication. Since modular exponentiation requires hundreds of modular multiplications, a small improvement by the latter app...

### Citations

411 | Modular Multiplication without Trial Division - Montgomery - 1985 |

Citation Context: ...duction Algorithms This section briefly reviews three well-known algorithms for modular reduction, i.e., the classical algorithm [12, section 4.3.1], Barret's algorithm [2] and Montgomery's algorithm [16, 4] (see [3] for more detailed comparison of these three algorithms). The objective of these algorithms is to reduce an l-bit number z modulo a k-bit number n. We assume that the target number z is at mo...

164 | The Art of Computer - Knuth - 1973 |

63 | Hardware implementation of Montgomery's modular multiplication algorithm - Eldridge, Walter - 1993 |

Citation Context: ...e, the total number of multiplications required by Barret's algorithm is at most k(k + 4). The resulting algorithm is depicted in Figure 2. 2.3 Montgomery's Algorithm Montgomery's algorithm [16] (see [5] for its hardware implementation) uses a nonstandard way of representing residue classes modulo n to speed up modular reduction. Let $R > n$ be an integer for $i = l$ to $2k - 1$ step $+1$ $z_i = 0$; for ...

30 | CryptoLib: cryptography in software - Lacy, Mitchell, et al. - 1993 |

28 | Signed digit representation of minimal hamming weight - Arno, Wheeler - 1993 |

26 | Minimum weight modified signed-digit representations and fast exponentiation - Jedwab, Mitchell - 1989 |

24 | More on squaring and multiplying large integers - Zuras - 1994 |

Citation Context: ...s 2 In fact, generalizations of Karatsuba's method were shown to be faster than any other method, such as the Schonhage and Strassen FFT method, up to surprisingly large numbers, say millions of bits [24]. Now, suppose that k is even, say k = 2h, and let $x_H$ and $x_L$ be the higher and lower half of integer x. Thus we can write x and y as $x = x_H b^{h-1} + x_L$; $y = y_H b^{h-1} + y_L$. Then z can be...

16 | Faster Modular Multiplication by Operand Scaling - Walter - 1992 |

Citation Context: ...k n \Delta 1 b k+1 c: 3 If this is not the case, we can shift z to the left until this condition holds and, after reduction, shift the remainder back to the right as many times as was done for z. See [22] for a little more involved kind of normalization, which allows easy estimation of q but increases the modulus size at least by one digit. u = P i+jk\Gamma1 �� i z j+k\Gamma1 b i+j ; q = b u b k+1 c; ...

11 | An improved binary algorithm for RSA - Zhang - 1993 |

9 | New modular multiplication algorithms for fast modular exponentiation - Hong, Oh, et al. - 1996 |

Citation Context: ... precomputation table based on the modulus. There have been proposed several such algorithms (e.g., see [10, 6, 21, 11]). Among them, we briefly describe two methods, one from [21] and the other from [11, 8], which are suitable for software implementations. The first method [21] intends to reduce a 2k-digit number z modulo a k-digit number n by first precomputing and storing the following values: n[j] = ...

6 | Modular Multiplication Algorithm with Triangle Addition - Takagi - 1993 |

Citation Context: ...21]). We describe in Figure 1 the classical algorithm formalized by Knuth. There are several other variations of the classical algorithm with slightly different ways of quotient estimation (e.g., see [17, 20]). The condition in the 8th line should actually be implemented as $q n_{k-2} > (z_i b + z_{i-1} - q n_{k-1}) b + z_{i-2}$. Since $z_i b + z_{i-1} - q n_{k-1} < n_k$, this step can be...

5 | Implementing the Rivest Shamir and Adleman public key encryption algorithm on a standard digital signal processor - Barret - 1987 |

Citation Context: ...speed. 2 Overview of Modular Reduction Algorithms This section briefly reviews three well-known algorithms for modular reduction, i.e., the classical algorithm [12, section 4.3.1], Barret's algorithm [2] and Montgomery's algorithm [16, 4] (see [3] for more detailed comparison of these three algorithms). The objective of these algorithms is to reduce an l-bit number z modulo a k-bit number n. We assum...

5 | R. Govaerts and J. Vandewalle, Comparison of three modular reduction functions - Bosselaers - 1994 |

Citation Context: ...ithms This section briefly reviews three well-known algorithms for modular reduction, i.e., the classical algorithm [12, section 4.3.1], Barret's algorithm [2] and Montgomery's algorithm [16, 4] (see [3] for more detailed comparison of these three algorithms). The objective of these algorithms is to reduce an l-bit number z modulo a k-bit number n. We assume that the target number z is at most 2k dig...

5 | A fast modular exponentiation algorithm - Kawamura, Takabayashi, et al. - 1991 |

Citation Context: ...ble Lookup Methods Since a fixed modulus is used throughout modular exponentiation, we may use a precomputation table based on the modulus. There have been proposed several such algorithms (e.g., see [10, 6, 21, 11]). Among them, we briefly describe two methods, one from [21] and the other from [11, 8], which are suitable for software implementations. The first method [21] intends to reduce a 2k-digit number z m...

5 | Fast algorithms for implementing RSA public key cryptosystem - Mohan - 1985 |

Citation Context: ... $< b^{k-\delta}$); for some positive integer $\delta$ (i.e., the higher $\delta$ digits are filled with all 1's). The possibility of using a DR modulus for fast reduction was first suggested by Mohan and Adiga [15]. They proposed to use an RSA modulus n of the form $n = b^k - n_0$ with $n_0 < b^{k/2}$. Modular reduction would then require just two multiplications of $k/2$-digit numbers. However, Meister [14] sho...

4 | A design of a fast pipelined modular multiplier based on a diminished-radix algorithm - Orton, Peppard, et al. - 1993 |

Citation Context: ...recision multiplications as the parallel reduction method described before, but requires only a single precomputed value. We note that there exists a modular multiplier design based on a similar idea [18]. With one more precomputed value we can slightly speed up the above reduction algorithm. For this we precompute and store another value n ? such that n ? = b 3k=2 mod n; where we assume that k is eve...

3 | B. A. Johnson, Modular exponentiation using recursive sums of residues - Findlay - 1990 |

Citation Context: ...ble Lookup Methods Since a fixed modulus is used throughout modular exponentiation, we may use a precomputation table based on the modulus. There have been proposed several such algorithms (e.g., see [10, 6, 21, 11]). Among them, we briefly describe two methods, one from [21] and the other from [11, 8], which are suitable for software implementations. The first method [21] intends to reduce a 2k-digit number z m...

2 | On an implementation of the Mohan-Adiga algorithm - Meister - 1991 |

Citation Context: ...iga [15]. They proposed to use an RSA modulus n of the form $n = b^k - n_0$ with $n_0 < b^{k/2}$. Modular reduction would then require just two multiplications of $k/2$-digit numbers. However, Meister [14] showed that this choice of modulus may be insecure due to insufficient choices for prime factors of n. Our reduction algorithm can be speeded up only using a small value of $\delta$ (in most cases it suff...

2 | C. H. Yang, A modular multiplication algorithm using lookahead determination - Morita - 1993 |

Citation Context: ...21]). We describe in Figure 1 the classical algorithm formalized by Knuth. There are several other variations of the classical algorithm with slightly different ways of quotient estimation (e.g., see [17, 20]). The condition in the 8th line should actually be implemented as $q n_{k-2} > (z_i b + z_{i-1} - q n_{k-1}) b + z_{i-2}$. Since $z_i b + z_{i-1} - q n_{k-1} < n_k$, this step can be...

1 | the GNU bignum package, version 1.3.2a - Granlund - 1994 |

1 | K. Hirano, A fast modular arithmetic algorithm using a residue table - Kawamura - 1988 |

Citation Context: ...ble Lookup Methods Since a fixed modulus is used throughout modular exponentiation, we may use a precomputation table based on the modulus. There have been proposed several such algorithms (e.g., see [10, 6, 21, 11]). Among them, we briefly describe two methods, one from [21] and the other from [11, 8], which are suitable for software implementations. The first method [21] intends to reduce a 2k-digit number z m...

1 | E. Okamoto, On modular exponentiation using a signal processor - Tanaka - 1987 |