Fast Truncated Multiplication for Cryptographic Applications

1
Fast Truncated Multiplication for Cryptographic
Applications

• 2002-2006
• Laszlo Hars (Laszlo_at_Hars.US)
• Seagate Research

2
Outline

• History of the paper, Applications
• Examples
• Truncated Products
• Time complexity
• Carry
• Half products
• LS and MS products
• Middle-third products
• Squaring

3
History, Applications

• Written in 2002/03
• 03 Missed deadline
• 04 Reviewers failed to read
• 05 Page and time limitations ? ½ of accepted
  paper printed
• Applications http//www.hars.us/Papers/TrunApps.p
  df

4
Example Reciprocal

• ?d 2n/x? Integer reciprocal of n-digit x
• Newton Iteration doubles accurate bitsr ? r
  (2-r x)r ? r  r (1 r (-x))
• Proof rk  1/x (1- e) ?   rk1  1/x
  (1- e2).
• r x 1- e, only need digits2k 1 2k1 of r
  (-x)
• r2k  rk  rk ? (rk ? -x(2k1))

School Karatsuba
0.5M 0.9039M
0.999...
2s complement
concatenate
Middle third of 32k product
MS half of 22k product
5
Numerical Example Reciprocal

• x 87654321, ?1016/ x? 114084507
• r 11408, -x 108 - x 12345679 (complement)
• r  (-x) 140839506032, y r ? -x 3951
• z r y 45073008, r ? y 4507
• r r r ? y 11408 4507

6
Examples modular multiplication

• Barrett multiplication with µ  ?d 2n/m?a b mod
  m  a b - ?a b / m?m LS(a b) - ( MS(a b) ?
  µ ) ? m
• With b constant, ß  MS2n(b/m)a b mod m
  (a ? ß ) ? m
• Montgomery multiplication, -m-1  inv of -m mod
  d nab d -n mod m   MS(a b) - (LS(a b) ?
  (-m-1)) ? m
• With b constant, ß  b ? (-m-1) ab d -n mod m
   a ? b - (a ?  ß ) ? m

7
Truncated Product

• Specialized algorithms
• Cover with polygons of black-box algorithms
• Ignore extra digits
• Subtract overlap
• Pad input for excess area

contiguous subsequence of the digits of the
product
8
Time complexity

• Number of digit-multiplications
• is more expensive than , -, lt, load/store
• Can be performed parallel to others
• Fast multiplication algorithms take na time

• Speed relations M1/M2 T1/T2 (Mult, TrctMult)
• No more auxiliary digit operations than at the
  corresponding black box multiplication!

9
Carry

• Omitted LS product-digits may cause carry
• Some algorithms tolerate (Barrett, Newton
  iteration)
• Others must be accurate
• Maximal potential carry at the main diagonal
  (n -1) d n1  (d -n -1) d n  1
• Last 2 digits can be very wrong
• Carry can propagate to the first digit (9?0, x?
  x1)
• Use 2 extra guard digits to the right
• Almost always they absorb carry
• If they are large (might not absorb) ? full
  product

10
Half Product

• MS or LS half product
• Same speed linear term
• Find optimal ß, Speedup

11
LS and MS products
MS products faster calculated than the full
product
12
Middle-third product

• Center Square 2 small triangles
• Karatsuba direct recursion
• 4 overlapping smaller cases
• 3 are enough

13
Squaring

• Squaring short operands twice faster than mult
• Complexity recursions end at short operands
• Speed relations of short square/mult is (almost)
  the same as at long ops

Squaring ? Truncated Products
14
Conclusion

• Fast truncated multiplication algorithms
• Black-box covering
• Optimal configurations
• Specialized algorithms
• Speed up many crypto algorithms
• Constant factor ( 2050 typical)
• Encourage use of sub-quadratic algorithms
• No speedup for FFT-based algorithms?