fast constant time gcd computation and modular inversion
play

Fast Constant-Time GCD Computation and Modular Inversion Daniel J. - PowerPoint PPT Presentation

Feb 24, 2023 •198 likes •431 views

Fast Constant-Time GCD Computation and Modular Inversion Daniel J. Bernstein 1,2 Bo-Yin Yang 3 1 University of Illinois at Chicago 2 Ruhr Universt at Bochum 3 Academia Sinica Monday, August 26, 2019 Summary: Fast, Safe GCD and Inversions

  1. Fast Constant-Time GCD Computation and Modular Inversion Daniel J. Bernstein 1,2 Bo-Yin Yang 3 1 University of Illinois at Chicago 2 Ruhr Universt¨ at Bochum 3 Academia Sinica Monday, August 26, 2019

  2. Summary: Fast, Safe GCD and Inversions Normally compute 1 / x in F p as x p − 2 . n 3+ o (1) bit ops using schoolbook multiplication n 2 . 58 ... + o (1) bit ops using Karatsuba multiplication n 2+ o (1) bit ops using FFT-based multiplication DJB + B.-Y. Yang (UIC/RUB + Sinica) Fast Safe GCD + Inversions 2019.08.26 2 / 15

  3. Summary: Fast, Safe GCD and Inversions Normally compute 1 / x in F p as x p − 2 . n 3+ o (1) bit ops using schoolbook multiplication n 2 . 58 ... + o (1) bit ops using Karatsuba multiplication n 2+ o (1) bit ops using FFT-based multiplication Why not use extensions of Euclid’s algorithm? n 2+ o (1) bit ops using schoolbook multiplication n 1 . 58 ... + o (1) bit ops using Karatsuba multiplication n 1+ o (1) bit ops using FFT-based multiplication DJB + B.-Y. Yang (UIC/RUB + Sinica) Fast Safe GCD + Inversions 2019.08.26 2 / 15

  4. Summary: Fast, Safe GCD and Inversions Normally compute 1 / x in F p as x p − 2 . n 3+ o (1) bit ops using schoolbook multiplication n 2 . 58 ... + o (1) bit ops using Karatsuba multiplication n 2+ o (1) bit ops using FFT-based multiplication Why not use extensions of Euclid’s algorithm? n 2+ o (1) bit ops using schoolbook multiplication n 1 . 58 ... + o (1) bit ops using Karatsuba multiplication n 1+ o (1) bit ops using FFT-based multiplication Usual answer: Need constant-time algorithm. DJB + B.-Y. Yang (UIC/RUB + Sinica) Fast Safe GCD + Inversions 2019.08.26 2 / 15

  5. Summary: Fast, Safe GCD and Inversions Normally compute 1 / x in F p as x p − 2 . n 3+ o (1) bit ops using schoolbook multiplication n 2 . 58 ... + o (1) bit ops using Karatsuba multiplication n 2+ o (1) bit ops using FFT-based multiplication Why not use extensions of Euclid’s algorithm? n 2+ o (1) bit ops using schoolbook multiplication n 1 . 58 ... + o (1) bit ops using Karatsuba multiplication n 1+ o (1) bit ops using FFT-based multiplication Usual answer: Need constant-time algorithm. Our algorithm is constant-time; n 1+ o (1) bit ops; simpler than previous variable-time algorithms. No division subroutine between recursive calls. DJB + B.-Y. Yang (UIC/RUB + Sinica) Fast Safe GCD + Inversions 2019.08.26 2 / 15

  6. Examples of Needing Inversions NTRU Key generation (where n is prime) Find inverse in F 3 [ X ] / ( X n − 1) Find inverse in ( Z / 2 k Z )[ X ] / ( X n − 1), which depends on inverse in F 2 [ X ] / ( X n − 1). DJB + B.-Y. Yang (UIC/RUB + Sinica) Fast Safe GCD + Inversions 2019.08.26 3 / 15

  7. Examples of Needing Inversions NTRU Key generation (where n is prime) Find inverse in F 3 [ X ] / ( X n − 1) Find inverse in ( Z / 2 k Z )[ X ] / ( X n − 1), which depends on inverse in F 2 [ X ] / ( X n − 1). NTRU Prime Key generation (where n is prime) Find inverse in F 4591 [ X ] / ( X n − X − 1) (= a field). Find inverse in F 3 [ X ] / ( X n − X − 1) DJB + B.-Y. Yang (UIC/RUB + Sinica) Fast Safe GCD + Inversions 2019.08.26 3 / 15

  8. Examples of Needing Inversions NTRU Key generation (where n is prime) Find inverse in F 3 [ X ] / ( X n − 1) Find inverse in ( Z / 2 k Z )[ X ] / ( X n − 1), which depends on inverse in F 2 [ X ] / ( X n − 1). NTRU Prime Key generation (where n is prime) Find inverse in F 4591 [ X ] / ( X n − X − 1) (= a field). Find inverse in F 3 [ X ] / ( X n − X − 1) Integer Modular Inversions in CSIDH Needs inverse modulo p = 4 p 1 p 2 p 3 · · · p 73 p 74 − 1, where p 1 · · · p 73 are the smallest 73 odd primes and p 74 = 587. DJB + B.-Y. Yang (UIC/RUB + Sinica) Fast Safe GCD + Inversions 2019.08.26 3 / 15

  9. Examples of Needing Inversions NTRU Key generation (where n is prime) Find inverse in F 3 [ X ] / ( X n − 1) Find inverse in ( Z / 2 k Z )[ X ] / ( X n − 1), which depends on inverse in F 2 [ X ] / ( X n − 1). NTRU Prime Key generation (where n is prime) Find inverse in F 4591 [ X ] / ( X n − X − 1) (= a field). Find inverse in F 3 [ X ] / ( X n − X − 1) Integer Modular Inversions in CSIDH Needs inverse modulo p = 4 p 1 p 2 p 3 · · · p 73 p 74 − 1, where p 1 · · · p 73 are the smallest 73 odd primes and p 74 = 587. DJB + B.-Y. Yang (UIC/RUB + Sinica) Fast Safe GCD + Inversions 2019.08.26 3 / 15

  10. An Example in F 7 [ X ] Euclid-Stevin Algorithm 2 y 7 + 7 y 6 + y 5 + 8 y 4 + 2 y 3 + 8 y 2 + y + 8 = R 0 3 y 6 + y 5 + 4 y 4 + y 3 + 5 y 2 + 9 y + 2 = R 1 R 0 − (3 y + 6) R 1 = 4 y 5 + 2 y 4 + 2 y 3 + 4 y + 3 = R 2 R 1 − (6 y + 6) R 2 = y 4 + 3 y 3 + 2 y 2 + 2 y + 5 = R 3 R 2 − (4 y + 4) R 3 = 3 y 3 + 5 y 2 + 4 y + 4 = R 4 = R 3 − (5 y + 2) R 4 = 2 y + 4 R 5 R 4 − (5 y 2 + 3 y + 3) R 5 = 6 = R 6 = R 5 − (5 y + 3) R 6 = 0 R 7 Non-Constant-Time An “ideal” Euclidean step has dividend of degree 1 higher than the divisor, resulting in a remainder of degree 1 lower than the divisor. DJB + B.-Y. Yang (UIC/RUB + Sinica) Fast Safe GCD + Inversions 2019.08.26 4 / 15

  11. An Example in F 7 [ X ] Euclid-Stevin Algorithm 2 y 7 + 7 y 6 + y 5 + 8 y 4 + 2 y 3 + 8 y 2 + y + 8 = R 0 3 y 6 + y 5 + 4 y 4 + y 3 + 5 y 2 + 9 y + 2 = R 1 R 0 − (3 y + 6) R 1 = 4 y 5 + 2 y 4 + 2 y 3 + 4 y + 3 = R 2 R 1 − (6 y + 6) R 2 = y 4 + 3 y 3 + 2 y 2 + 2 y + 5 = R 3 R 2 − (4 y + 4) R 3 = 3 y 3 + 5 y 2 + 4 y + 4 = R 4 = R 3 − (5 y + 2) R 4 = 2 y + 4 R 5 R 4 − (5 y 2 + 3 y + 3) R 5 = 6 = R 6 = R 5 − (5 y + 3) R 6 = 0 R 7 Non-Constant-Time An “ideal” Euclidean step has dividend of degree 1 higher than the divisor, resulting in a remainder of degree 1 lower than the divisor. From R 4 to R 5 is non-ideal! DJB + B.-Y. Yang (UIC/RUB + Sinica) Fast Safe GCD + Inversions 2019.08.26 4 / 15

  12. #Subtractions = #Coeffs . − 1 − #Skips 15 coefficients to start, 1 to end = 14 steps? 2 y 7 + 7 y 6 + y 5 + 8 y 4 + 2 y 3 + 8 y 2 + y + 8 = R 0 3 y 6 + y 5 + 4 y 4 + y 3 + 5 y 2 + 9 y + 2 R 1 = R 0 − 3 yR 1 = 4 y 6 + 3 y 5 + 5 y 4 + y 3 + 2 y 2 + 2 y + 1 R 0 − (3 y + 6) R 1 = 4 y 5 + 2 y 4 + 2 y 3 + 4 y + 3 R 2 = R 1 − 6 yR 2 = 3 y 5 + 6 y 4 + y 3 + 2 y 2 + 5 y + 2 R 1 − (6 y + 6) R 2 = y 4 + 3 y 3 + 2 y 2 + 2 y + 5 R 3 = R 2 − 4 yR 3 = 4 y 4 + y 3 + 6 y 2 + 5 y + 3 R 2 − (4 y + 4) R 3 = 3 y 3 + 5 y 2 + 4 y + 4 R 4 = R 3 − 5 yR 4 = 6 y 3 + 3 y 2 + 3 y + 5 = R 3 − (5 y + 2) R 4 = 2 y + 4 R 5 R 4 − 5 y 2 R 5 = 6 y 2 + 4 y + 4 R 4 − (5 y 2 + 3 y ) R 5 = 6 y + 4 R 4 − (5 y 2 + 3 y + 3) R 5 = 6 = R 6 R 5 − 5 yR 6 = 4 = R 5 − (5 y + 3) R 6 = 0 R 7 DJB + B.-Y. Yang (UIC/RUB + Sinica) Fast Safe GCD + Inversions 2019.08.26 5 / 15

  13. A Euclidean Subtraction stage Starting from a Dividend of higher degree than Divisor “Regular” Subtraction Stage Subtract from Dividend correct multiple of Divisor. DJB + B.-Y. Yang (UIC/RUB + Sinica) Fast Safe GCD + Inversions 2019.08.26 6 / 15

  14. A Euclidean Subtraction stage Starting from a Dividend of higher degree than Divisor “Regular” Subtraction Stage Subtract from Dividend correct multiple of Divisor. ◮ If “Dividend lead term” = 0, no problem! Decrement “Dividend” degree. If Divisor has higher degree than Dividend, Swap. What if “the Divisor lead term” = 0? Decrement Divisor Degree, do dummy Subtraction How did existing constant-time GCD do it? Do GCD in rising order from Constant term up Keep polynomial as arrays and track the degrees. DJB + B.-Y. Yang (UIC/RUB + Sinica) Fast Safe GCD + Inversions 2019.08.26 6 / 15

  15. A Better Subtraction Stage What we do differently Start the known (bigger) polynomial as “Divisor”!! ◮ We can ensure that its lead term is non-zero! Track δ = deg Divisor − deg Dividend. Can reverse polynomials (lead term = “constant”). Our Subtraction Stage: “divstep” If δ is positive, and Dividend has a non-zero lead (constant) term, then Swap & negate δ . Take appropriate linear combination of Divisor and Dividend. Shift Dividend (divide by x ), increment δ . DJB + B.-Y. Yang (UIC/RUB + Sinica) Fast Safe GCD + Inversions 2019.08.26 7 / 15

  16. What do we do exactly Details of computation with R 0 , R 1 ∈ k [ x ] , d = deg R 0 > deg R 1 Setting up “Divisor” f = x d R 0 (1 / x ), “Dividend” g = x d − 1 R 1 (1 / x ), “Degree Difference” δ = 1. Do 2 d − 1 divstep’s (and collect return values). divstep : Z × k [[ x ]] ∗ × k [[ x ]] → Z × k [[ x ]] ∗ × k [[ x ]], divstep( δ, f , g ) := � (1 − δ, g , ( g (0) f − f (0) g ) / x ) if δ > 0 and g (0) � = 0 , (1 + δ, f , ( f (0) g − g (0) f ) / x ) otherwise . DJB + B.-Y. Yang (UIC/RUB + Sinica) Fast Safe GCD + Inversions 2019.08.26 8 / 15

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Fixslicing: A New GIFT Representation Fast Constant-Time Implementations of GIFT and GIFT-COFB on

Fixslicing: A New GIFT Representation Fast Constant-Time Implementations of GIFT and GIFT-COFB on

Fixslicing: A New GIFT Representation Fast Constant-Time Implementations of GIFT and GIFT-COFB on ARM Cortex-M Alexandre Adomnicai 1,2 Zakaria Najm 1,2,3 Thomas Peyrin 1,2 1 Nanyang Technological University, Singapore 2 Temasek Laboratories,

457 views • 34 slides
McBits: Objectives fast constant-time Set new speed records code-based cryptography for

McBits: Objectives fast constant-time Set new speed records code-based cryptography for

McBits: Objectives fast constant-time Set new speed records code-based cryptography for public-key cryptography. (to appear at CHES 2013) D. J. Bernstein University of Illinois at Chicago & Technische Universiteit Eindhoven Joint work

969 views • 94 slides
McBits: Objectives fast constant-time Set new speed records code-based cryptography for

McBits: Objectives fast constant-time Set new speed records code-based cryptography for

McBits: Objectives fast constant-time Set new speed records code-based cryptography for public-key cryptography. D. J. Bernstein University of Illinois at Chicago & Technische Universiteit Eindhoven Joint work with: Tung Chou

746 views • 73 slides
Fast and simple constant-time hashing to the BLS12-381 elliptic curve (and other curves, too!)

Fast and simple constant-time hashing to the BLS12-381 elliptic curve (and other curves, too!)

Fast and simple constant-time hashing to the BLS12-381 elliptic curve (and other curves, too!) Riad S. Wahby, Dan Boneh Stanford December 3 rd , 2019 Motivation Our initial motivation: BLS signatures [BLS01] Motivation Our initial

1.38k views • 126 slides
McBits: fast constant-time code-based cryptography Tung Chou Technische Universiteit Eindhoven,

McBits: fast constant-time code-based cryptography Tung Chou Technische Universiteit Eindhoven,

McBits: fast constant-time code-based cryptography Tung Chou Technische Universiteit Eindhoven, The Netherlands October 13, 2015 Joint work with Daniel J. Bernstein and Peter Schwabe Outline Summary of Our Work Background Main

439 views • 32 slides
McBits: fast constant-time code-based cryptography (to appear at CHES 2013) D. J. Bernstein

McBits: fast constant-time code-based cryptography (to appear at CHES 2013) D. J. Bernstein

McBits: fast constant-time code-based cryptography (to appear at CHES 2013) D. J. Bernstein University of Illinois at Chicago & Technische Universiteit Eindhoven Joint work with: Tung Chou Technische Universiteit Eindhoven Peter

625 views • 41 slides
McBits: fast constant-time code-based cryptography (to appear at CHES 2013) D. J. Bernstein

McBits: fast constant-time code-based cryptography (to appear at CHES 2013) D. J. Bernstein

McBits: fast constant-time code-based cryptography (to appear at CHES 2013) D. J. Bernstein University of Illinois at Chicago & Technische Universiteit Eindhoven Joint work with: Tung Chou Technische Universiteit Eindhoven Peter

823 views • 46 slides
McBits: fast constant-time code-based cryptography (to appear at CHES 2013) D. J. Bernstein

McBits: fast constant-time code-based cryptography (to appear at CHES 2013) D. J. Bernstein

McBits: fast constant-time code-based cryptography (to appear at CHES 2013) D. J. Bernstein University of Illinois at Chicago & Technische Universiteit Eindhoven Joint work with: Tung Chou Technische Universiteit Eindhoven Peter

643 views • 52 slides
McBits: fast constant-time code-based cryptography D. J. Bernstein University of Illinois at

McBits: fast constant-time code-based cryptography D. J. Bernstein University of Illinois at

McBits: fast constant-time code-based cryptography D. J. Bernstein University of Illinois at Chicago & Technische Universiteit Eindhoven Joint work with: Tung Chou Technische Universiteit Eindhoven Peter Schwabe Radboud University

902 views • 43 slides
Fast 3D Helmholtz Solvers for Seismic Inversion in the Frequency Domain Russell J. Hewett

Fast 3D Helmholtz Solvers for Seismic Inversion in the Frequency Domain Russell J. Hewett

Fast 3D Helmholtz Solvers for Seismic Inversion in the Frequency Domain Russell J. Hewett Mathematics & CMDA, Virginia Tech Theory and Experience in Solving Inverse Problems in Geophysics Workshop Uppsala University April 10, 2019 RJH

1.48k views • 92 slides
Drying of complex fluids: Deformations and fractures L. Pauchard FAST Singularities inversion

Drying of complex fluids: Deformations and fractures L. Pauchard FAST Singularities inversion

Drying of complex fluids: Deformations and fractures L. Pauchard FAST Singularities inversion of curvature in shells crack patterns JC Gminard 10 1 m A. Davaille directional cracks propagation sea-urchin embryo Carlson (1967)

496 views • 20 slides
Constant-Overhead Secure Computation using Preprocessing Ivan Damgrd, Sarah Zakarias Aarhus

Constant-Overhead Secure Computation using Preprocessing Ivan Damgrd, Sarah Zakarias Aarhus

Constant-Overhead Secure Computation using Preprocessing Ivan Damgrd, Sarah Zakarias Aarhus University, Denmark Multiparty Computation Goal: Compute circuit UC-securely Unlike previous talk: I Interested in d i complexity of protocol

462 views • 21 slides
+ - Can be constant or time varying +/- indicates polarity Current Source Can be

+ - Can be constant or time varying +/- indicates polarity Current Source Can be

Review of Circuit Analysis Common Symbols Independent Sources Battery Constant voltage DC voltage source Voltage Source + - Can be constant or time varying +/- indicates polarity Current Source Can be constant or time

388 views • 14 slides
Context Free Languages and 1 constant memory computation. Grammars NFA + stack 2 context

Context Free Languages and 1 constant memory computation. Grammars NFA + stack 2 context

Algorithms & Models of Computation What stack got to do with it? CS/ECE 374, Fall 2017 Whats a stack but a second hand memory? DFA / NFA /Regular expressions. Context Free Languages and 1 constant memory computation. Grammars NFA +

435 views • 9 slides
Real Time & Embedded Systems C Language Programming Selected Topics Agenda A brief

Real Time & Embedded Systems C Language Programming Selected Topics Agenda A brief

Real Time & Embedded Systems C Language Programming Selected Topics Agenda A brief history of C Logical and Bit operations Shifting and Inversion Arrays and Pointers C Structures (struct) Constant qualifier (const)

765 views • 38 slides
Towards a Model Fusion: Case of . . . Numerical Example: . . . Fast, Practical Alternative

Towards a Model Fusion: Case of . . . Numerical Example: . . . Fast, Practical Alternative

Need to Combine Data . . . Joint Inversion: An . . . Proposed Solution . . . Towards a Model Fusion: Case of . . . Numerical Example: . . . Fast, Practical Alternative Model Fusion: Case of . . . Conclusions to Joint Inversion

667 views • 32 slides
Computing zeta functions of nondegenerate hypersurfaces in toric varieties Edgar Costa (Dartmouth

Computing zeta functions of nondegenerate hypersurfaces in toric varieties Edgar Costa (Dartmouth

Computing zeta functions of nondegenerate hypersurfaces in toric varieties Edgar Costa (Dartmouth College) May 16th, 2018 Presented at ICERM, Birational Geometry and Arithmetic Joint work with David Harvey (UNSW) and Kiran Kedlaya (UCSD) Slides

1.33k views • 99 slides
Outline Outline Conditional Distribution and Density Conditional Distribution and

Outline Outline Conditional Distribution and Density Conditional Distribution and

Outline Outline Conditional Distribution and Density Conditional Distribution and Density Expected Value and Moments Expected Value and Moments Moments of Normal Random Variable Moments of Normal Random Variable

184 views • 3 slides
Marginalization Simplest multivariate problem: X = ( X 1 , . . . , X p ) , Y = X 1 (or in general

Marginalization Simplest multivariate problem: X = ( X 1 , . . . , X p ) , Y = X 1 (or in general

Marginalization Simplest multivariate problem: X = ( X 1 , . . . , X p ) , Y = X 1 (or in general Y is any X j ). Theorem 1 If X has density f ( x 1 , . . . , x p ) and q < p then Y = ( X 1 , . . . , X q ) has density f Y ( x 1 , . . . , x q )

305 views • 9 slides
One year with GitLab Catalysts Samba Team Our journey today Bootstrap GitHub

One year with GitLab Catalysts Samba Team Our journey today Bootstrap GitHub

One year with GitLab Catalysts Samba Team Our journey today Bootstrap GitHub GitLab Background and statjstjcs Your custom image here Has it been it too hard to contribute to Samba? Where did our new contributors go?

655 views • 42 slides
Machine Code Sean Barker 1 From C to Executable Code text C program ( p1.c p2.c ) Compiler

Machine Code Sean Barker 1 From C to Executable Code text C program ( p1.c p2.c ) Compiler

Machine Code Sean Barker 1 From C to Executable Code text C program ( p1.c p2.c ) Compiler text Asm program ( p1.s p2.s ) Assembler binary Object program ( p1.o p2.o ) Libraries Linker binary Executable program ( p ) Sean Barker 2

284 views • 7 slides
1 One- Sided Chebyshevs Inequality Of the Midterm What Say You Chebyshev? Statistics from

1 One- Sided Chebyshevs Inequality Of the Midterm What Say You Chebyshev? Statistics from

Markovs Inequality Inequality, Probability, and Joviality In many cases, we dont know the true form of a Say X is a non-negative random variable probability distribution E [ X ] for all P ( X a ) , a 0

173 views • 3 slides
Logic as a Tool Chapter 4: Deductive Reasoning in First-Order Logic 4.3 Natural Deduction for

Logic as a Tool Chapter 4: Deductive Reasoning in First-Order Logic 4.3 Natural Deduction for

Logic as a Tool Chapter 4: Deductive Reasoning in First-Order Logic 4.3 Natural Deduction for First-Order Logic Valentin Goranko Stockholm University October 2016 Goranko Natural Deduction ND : System for structured deduction from a set

495 views • 12 slides
Process Models and Student Skills Paolo Ciancarini (with C. Dos and S. Zuppiroli) Department of

Process Models and Student Skills Paolo Ciancarini (with C. Dos and S. Zuppiroli) Department of

A Double Comparative Study: Process Models and Student Skills Paolo Ciancarini (with C. Dos and S. Zuppiroli) Department of Computer Science University of Bologna Italy 26th CSEE&T - S.Francisco, USA May 2013 Summary of the talk

369 views • 23 slides

More recommend