The 23rd Workshop on Combinatorial Mathematics and Computation Theory

Computational Complexity Analyses of Modular Arithmetic for RSA Cryptosystem

Chia-Long Wu*, Der-Chyuan Lou, and Te-Jen Chang

* Department of Aviation & Communication Electronics, Chinese Air Force Institute of Technology, Kaohsiung 82042, Taiwan. E-mail: chialongwu@seed.net.tw
Department of Electrical Engineering, Chung Cheng Institute of Technology, National Defense University, Tahsi, Taoyuan 33509, Taiwan. E-mail: dclou@ccit.edu.tw

* This is the corresponding author of this paper.

Abstract

Modular arithmetic is fundamental to several public-key cryptography systems such as the RSA encryption system, and it is also the most dominant part of the computation performed. The operation is time-consuming for large operands. Many relevant papers about computer security are issued in many reports and journals to describe how to reduce the computational complexities in the cryptosystems. In this paper, we describe the modular arithmetics and some improved algorithms. These algorithms, using the binary method, the common multiplicand multiplication method (CMM method), the signed-digit recoding method, etc., will be depicted respectively. We will analyze and compare the complexity of various algorithms for computing large modular exponentiation.

Keywords: Complexity analysis, modular arithmetic, computer security, public-key cryptosystem, exponentiation.

1. Introduction

Data encryption is more and more needed in the world-wide computer network environment. The RSA cipher is the most common cryptography currently. Since the pioneering work on public-key cryptosystems was performed by [6], a lot of investigations and system developments on this subject have been done in the past decade, such as the RSA algorithm [5], elliptic curve cryptography [7], etc. RSA (Rivest, Shamir, and Adleman) is one of the most widely used public-key cryptosystems, and modular exponentiation is the main operation of RSA-based public-key cryptosystems. It is performed by successive modular multiplications. For fast cryptosystems, one needs to reduce the total number of modular multiplications required [9].

In the rest of this paper, we will present and compare methods that attempt to minimize the numbers of multiplications. We will review the modular arithmetics including modular multiplication, modular squaring, modular exponentiation, and modular multi-exponentiation in Section 2. In Section 3, we present some modular exponent arithmetics, such as the binary method, the exponent-folding method, the CMM method, the signed-digit recoding method, and the high radix method. In Section 4, we will make tables and some experiments for the comparisons of computational complexities. Finally, some concise conclusions are given in Section 5.

2. Modular Arithmetic

RSA cryptography (named for its inventors Rivest, Shamir, and Adleman) exploits properties and interrelations of numbers, constructed as large powers of huge numbers. Through a neat mathematical trick called modular arithmetic, the computer avoids working with the huge numbers themselves. As we know, modular exponentiation is important in modular arithmetic; it can be considered as a series of modular square-and-multiply operations. The squaring operations can be regarded as a case of multiplication operations. So we describe modular multiplication, modular squaring, modular exponentiation and modular multi-exponentiation respectively in Section 2.1 – Section 2.4.

2.1 Modular Multiplication

The modular multiplication multiplies the input operands C and D and reduces the product modulo N. That is to say, it computes Q ≡ CD mod N. In 1985, Montgomery proposed an efficient algorithm for modular multiplications without trial division [13]. This algorithm does not perform division and multiplication, but uses digit operations of shift and addition. The Montgomery multiplication method is described as follows.

Algorithm 1 (Montgomery's algorithm)
Input: C, D, N
    /* CD mod N = tR mod N. That means t ≡ CDR^(-1) mod N. */
    /* C and D are the factors of R mod N. R is 2^n. */
Output: t
begin
    u[0] = 0;
    /* R is 2^n and N is an odd n-bit integer. */
    for (i = 0, 1, …, n−1)                 /* t is a factor of R^(-1). */
        parbegin
            q_i = (u[i] + a_i D) mod 2;      /* q_i is a result of modulo 2. */
            u[i+1] = (u[i] + a_i D + q_i N) / 2;
        parend;
    if u[n] < N then t = u[n]
    else t = u[n] − N;
end.

This algorithm computes the modular multiplication, CD mod N ≡ tR mod N (i.e. t ≡ CDR^(-1) mod N), while avoiding division by N. The inputs C, D and N are n-bit integers. The output is t with a factor of R^(-1), where R is 2^n. The q_i is a result of modulo 2, as can be verified by simply checking the last bit of u[i] + a_i D. The shift-to-right operation can be considered as division by 2. More descriptions of Montgomery's algorithm are depicted in [13, 14].

2.2 Modular Squaring

Computations involving multiplying and squaring large integers are key factors in the performance of many public key cryptosystems. In [2], three algorithms (squaring computation which uses the standard multiplication algorithm, the Guajardo-Parr squaring algorithm, and the Yang-Hseih-Laih's algorithm) are compared by the numbers of the modular squaring. More descriptions are depicted in [2]. The performance of the Yang-Hseih-Laih's algorithm is nearly 2.52 and 1.50 times faster than squaring computation by using the standard multiplication algorithm and the Guajardo-Parr squaring algorithm, respectively. The Yang-Hseih-Laih's algorithm, which is the fastest among the three algorithms, is described as follows.

Algorithm 2 (Yang-Hseih-Laih's algorithm)
Input: A = (a_{n−1}, a_{n−2}, …, a_1, a_0)_b
Output: D = (d_{2n−1}, d_{2n−2}, …, d_1, d_0)_b = A^2
begin
    (d_{2n−1}, d_{2n−2}, …, d_1, d_0)_b = (0, 0, …, 0, 0)_b;
    for i = 0 to n−1
        c = 0
        for j = i+1 to n−1
            (c, s) = d_{i+j} + a_j * a_i + c;  d_{i+j} = s;
        d_{i+n} = c;
    D = 2D (shift D left 1 bit);
    c = 0;
    for i = 0 to n−1
        (c, s) = D_{2i} + a_i * a_i + c,  d_{2i} = s;
        (c, s) = D_{2i+1} + c,  d_{2i+1} = s;
end.

2.3 Modular Exponentiation

The modular exponentiation algorithm performs in conjunction with the modular multiplication algorithm as presented in Section 2.1. The algorithm comes with the advantage of the Montgomery multiplication algorithm without trial division. For exponentiation computation, the exponent is scanned from left to right bit by bit [13]. The Lai-Chang's algorithm is described as follows.

Algorithm 3 (Lai-Chang's algorithm)
Input: A, X, N
    /* A is the factor of R mod N. */
    /* N is an odd n-bit integer. */
Output: D = MA(C, 1)
begin
    C ≡ R mod N;  Q ≡ AR mod N;
    k = h − 1;                             /* X is in h bits */
    if (k >= 0)
        if x_k = 1, then C = MA(A, C);
        if k ≥ 1, then C = MA(C, C);
        k = k − 1.
end.

2.4 Modular Multi-Exponentiation

In the computation of multi-exponentiation, there are two or more bases and exponents. Unlike the computation of exponentiation, the multiplication operations need to be performed if any scanned digit of the exponent presentation is non-zero. Thus it is important to consider the corresponding bits of the other exponents. The multiplication operation cannot be removed unless all corresponding bits of the other exponents are also zero. The computation time of a multi-exponentiation computation depends on the numbers of square-and-multiply operations [13]. In other words, those exponents with fewer non-zero bits might introduce a better performance. The Yen-Laih's modular multi-exponentiation is given as follows. In Algorithm 4, the exponent with fewer bits, X or Y, will be padded with bits of zero from the most significant bit to make X and Y the same length, h bits.

Algorithm 4 (Yen-Laih's algorithm)
Input: A, B, X, Y, N                       /* X and Y have the same length "h bits". */
Output: C ≡ A^X B^Y mod N
begin
    X = (x_{h−1}, x_{h−2}, …, x_0);  Y = (y_{h−1}, y_{h−2}, …, y_0);
    /* h = Max(log2 X, log2 Y) */
    C = 1;  Q ≡ A*B mod N;
    k = h − 1;
    case (x_k, y_k)
        (1, 0): C ≡ C*A mod N,
        (0, 1): C ≡ C*B mod N,
        (1, 1): C ≡ C*Q mod N,
    endcase;
    if k >= 1, then C ≡ C*C mod N;
    k = k − 1;
    if (k >= 0), then do case (x_k, y_k), otherwise, Output C.
end.

3. Modular Exponentiation Arithmetic

As we know, the modular exponentiation M^e mod N, where M is a plaintext, e is an exponent, and N is a modulus, is one of the most important operations in most public key cryptosystems [15, 16]. It is more complicated and time-consuming. So many researchers are devoted to finding ways to reduce the time, such as the binary method, the common-multiplicand multiplication method, the signed-digit recoding method, and the high-radix method, etc. We introduce these methods respectively as follows.

3.1 Binary Method

The RSA (Rivest, Shamir, and Adleman) method [5] is one of the most widely used public-key cryptosystems. This method is performed using successive modular multiplications [8] and is time consuming for large operands, and the exponentiation operation is broken into a series of squaring and multiplication operations by the use of the binary method [17]. The numbers of modular multiplications strongly depend on the Hamming weight of B, where B is the exponent [1]. So many scholars are devoted to reducing the Hamming weight [17, 19], and the binary method is one of the fast and efficient methods which can improve the modular multiplications [20-23]. The binary method is given as follows [18].

Algorithm 5 (Martinez-Luna-Henriquez's algorithm)
Input: M, E, N                             /* M is a plaintext. E is an exponent. N is a modulus. */
Output: P ≡ M^E mod N
begin
    C := M;  P := 1;
    for i := 0 to n−1 do
        if E_i = 1 then P ≡ P*C mod N
        C ≡ C*C mod N
    end for;
end.

A simple example is given in the following to illustrate Algorithm 5.

Example 1: E = (10101010)_2 = (170)_10 can be evaluated by the following steps.

    E    Step 3 (P)                Step 4 (C)
    0    1                         (M)^2 = M^2
    1    1*M^2 = M^2               (M^2)^2 = M^4
    0    M^2                       (M^4)^2 = M^8
    1    M^2*M^8 = M^10            (M^8)^2 = M^16
    0    M^10                      (M^16)^2 = M^32
    1    M^10*M^32 = M^42          (M^32)^2 = M^64
    0    M^42                      (M^64)^2 = M^128
    1    M^42*M^128 = M^170        (M^128)^2 = M^256

3.2 Common-Multiplicand Multiplication Method

In 1993, Yen and Laih developed the technique of common-multiplicand multiplication [22], and in 1996, Lou and Chang developed the exponent-folding exponentiation method based on [24] to enhance the performance of the famous right-to-left binary exponentiation algorithm. Some public cryptosystems (the Diffie-Hellman method [6], the RSA method [5], and DSA systems [25]) are also based on the CMM method [22]. The CMM method is described as follows [26].

Algorithm 6 (Wu-Chang's algorithm)
Input: Exponent E = (e_{k−1} e_{k−2} … e_1 e_0)_2;
    /* k is the bit length of E and E is the exponent. */
    /* E^y = (e^y_{2n} … e^y_1)_2 */
Output: Ciphertext C = M^E;
begin
    C1 = C2 = C3 = 1;  S = x;
    for b = 1 to k/2n do                   /* scan from LSB to MSB */
        parbegin
            if (e^b_{excl_j} = 1) then C1 = S * C1;        /* multiply */
            if (e^b_{excl_(j+1)} = 1) then C2 = S * C2;    /* multiply */
            if (e^b_{com_j} = 1) then C3 = S * C3;         /* multiply */
            S = S * S;                                     /* square */
        parend;
    C1 = C1 * C3;
    C2 = C2 * C3;
end.

The results of x^{E_j} and x^{E_{j+1}} are kept in C1 and C2 respectively. More detailed descriptions of Wu-Chang's algorithm are depicted in [26].

3.3 Exponent-Folding Method

In 1996, Lou and Chang [24] proposed a fast exponentiation method by using the exponent-folding exponentiation method. The basic idea of this method is to extract the common substring of the exponent E, and then save the numbers of multiplications required for the computation of common strings. The exponent-folding method is described as follows.

Algorithm 7 (Lou-Chang's algorithm)
Input: M, E_i, E_{i+1}, where i = 1, 2, …, 2n
    /* M is message. */
    /* n is the folding-time of E. */
    /* E_i and E_{i+1}, each of k/2^n bits */
Output: M^{E_i}, M^{E_{i+1}}
begin
    C1 = C2 = C3 = 1;  S = M;
    for b = 1 to k/2n do                   /* scan for the exponent-folding parts */
        parbegin
            if (e_{excl_i} = 1) then C1 = S * C1;          /* multiply */
            if (e_{excl_(i+1)} = 1) then C2 = S * C2;      /* multiply */
            if (e_{common_i} = 1) then C3 = S * C3;        /* multiply */
            S = S * S;                                     /* square */
        parend;
    C1 = C1 * C3;
    C2 = C2 * C3;
end.

More detailed descriptions of Lou-Chang's algorithm are depicted in [24].

3.4 Signed-Digit Recoding Method

In 1993, Arno and Wheeler presented the signed-digit recoding method [27]. The Arno-Wheeler's algorithm for the signed-digit recoding method is depicted as follows.

Algorithm 8 (Arno-Wheeler's algorithm)
Input: a ∈ S_r with ⟨a⟩ = n;
    /* a is a redundant representation of n. */
    /* S_r denotes the set of all sequences a = (…, a_2, a_1, a_0) */
    /* a_i ∈ {0, 1, …, (r−1)} */
Output: A(a) ∈ S_r;                        /* A(a) denotes the action of this algorithm on a. */
begin
    t = 0;
    while (…, a_{t+2}, a_{t+1}, a_t) ≠ (…, 0, 0, 0) do
        parbegin
            b = (…, sgn(a_t), −sgn(a_t) * r, 0, …, 0);     /* nonzero at t and t+1 */
            c = a + b;
            if c_{t+1} … 0 then a = c;
        parend;
        t = t + 1;
end.

More detailed descriptions of Arno-Wheeler's algorithm are depicted in [22, 27].

3.5 High Radix Method

The binary method can be generalized to the high radix method, which scans the digits of E expressed in radix m [10, 29]. We focus our attention on the case when m = 2^d. The exponent E is partitioned into k sections of d bits for kd = n. If d does not divide n, the exponent is padded with at most d−1 zeros. Let

    F(i) = [E_{id+d−1} E_{id+d−2} … E_{id}] = Σ_{r=0}^{d−1} E_{id+r} 2^r.

First, the values of X_j = M^j mod N for j = 2, 3, …, 2^d − 1 are computed. Then, the bits of E are scanned d bits at a time from the most significant to the least significant. At each step, the partial result is raised to the 2^d power and multiplied with X_{F(i)}, where F(i) is the value of the current bit section. The high radix method is described as follows.

Algorithm 9 (Koc's algorithm)
Input: M, N, E, n, d where n = ⌊log2 E⌋ + 1 and n = kd for k ≥ 1.
Output: C = M^E mod N.
begin
    Set X_0 = 1 and X_1 = M.
    Repeat for j = 2, 3, …, 2^d − 1.
        X_j = (X_{j−1} * M) mod N.
    Set C = X_{F(k−1)}.
    Repeat for i = k−2, k−3, …, 0.
        F(i) = Σ_{r=0}^{d−1} E_{id+r} 2^r.
        Repeat for j = 0, 1, …, d−1.
            C = C * C mod N
        if F(i) ≠ 0 then C = C * X_{F(i)} mod N.
    Halt.
end.

More detailed descriptions of Koc's algorithm are depicted in [29].

4. Complexity Analyses

In this section, the performance of the many methods described above will be compared, and several presented methods [13-15] are also compared. As we know, the squaring operations can be regarded as a case of multiplication operations, and for clarity, the modular reductions are omitted. In order to measure the speed of the modular multiplications, modular squarings, modular exponentiations, etc., we use the numbers of modular multiplications to express the speed-up efficiency [15]. As mentioned in the previous section, the binary method needs 1.5k modular multiplications, where k is the bit-length of the exponent E. The modular multiplications needed for Walter's method [21] and Lou-Wu's method [28] are (4/3)·log2 k and 0.689k + 11 respectively. For comparison, all the methods mentioned in [1, 14, 21-27] are illustrated in Table 1. For random exponents, Walter's method takes 12 modular multiplications to evaluate M^e on average. Various representations of the exponent e have been suggested with the same goal of reducing the number of multiplications involved. The presented algorithms [13-15] to evaluate the modular exponentiation computation M^E mod N are shown in Table 2 for the practical application to public cryptography, where k is the bit-length of the binary exponent E.

5. Conclusions and Future Works

We know many researchers are devoted to reducing the number of multiplications in computer algorithms for information management and network security usages. For example, Montgomery proposed an efficient algorithm for modular multiplications without trial division. This can be simplified as the operations of modular multiplication. Owing to the characteristic of no trial division in the Montgomery algorithm, the algorithm can be easily implemented in computer hardware or efficient software programs.

In this paper, we investigate many different methods to reduce the computational complexities for modern cryptosystems. Now there are still many novel methods [12, 30-32] issued in many computer security journals and reports for computer arithmetic operations and theoretical analyses. In the future, we can incorporate modular arithmetic and some novel methods (including hardware and software designs) to reduce the number of multiplications for modern cryptographic applications.
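Worked example for Sections 2.1 and 2.3. The following Python is an added example, not code from the paper: it implements the bit-serial Montgomery product of Algorithm 1 (shifts and additions only, no division by N) and a left-to-right exponentiation that stays in the Montgomery domain as Algorithm 3 does, with MA written as mont_mul. The function and variable names, the small test moduli, and the RSA toy key (p = 61, q = 53) are this example's own choices.

```python
# Added example (not the paper's code): Algorithm 1 and Algorithm 3 in Python.

def mont_mul(c, d, n_mod, n_bits):
    """Return t = c*d*R^-1 mod N for R = 2^n_bits, with N odd, c < R and d < N.

    Only shifts and additions are used: there is no trial division by N.
    """
    assert n_mod % 2 == 1 and c < (1 << n_bits) and d < n_mod
    u = 0
    for i in range(n_bits):
        c_i = (c >> i) & 1                 # bits of the multiplier, LSB first
        u += c_i * d
        q_i = u & 1                        # (u[i] + c_i*D) mod 2 is just its last bit
        u = (u + q_i * n_mod) >> 1         # adding q_i*N makes u even, so the shift is exact
    return u - n_mod if u >= n_mod else u  # u < 2N here, so one subtraction suffices


def mont_exp(a, x, n_mod):
    """Compute a^x mod N (N odd) using only Montgomery products, as in Algorithm 3."""
    n_bits = n_mod.bit_length()
    r_mod = (1 << n_bits) % n_mod                      # R mod N: Montgomery form of 1
    r2_mod = (1 << (2 * n_bits)) % n_mod               # R^2 mod N, used to enter the domain
    q = mont_mul(a % n_mod, r2_mod, n_mod, n_bits)     # Q = A*R mod N
    c = r_mod                                          # C = R mod N
    for k in range(x.bit_length() - 1, -1, -1):        # scan X from MSB to LSB
        if (x >> k) & 1:
            c = mont_mul(c, q, n_mod, n_bits)          # C = MA(Q, C)
        if k >= 1:
            c = mont_mul(c, c, n_mod, n_bits)          # C = MA(C, C)
    return mont_mul(c, 1, n_mod, n_bits)               # D = MA(C, 1) leaves the domain


if __name__ == "__main__":
    # Toy RSA round trip with the textbook key N = 61*53, e = 17, d = 2753 (constructed).
    n_mod, e, d = 3233, 17, 2753
    cipher = mont_exp(65, e, n_mod)
    print(cipher, mont_exp(cipher, d, n_mod))       # 2790 65
```

Every intermediate value is kept below N in Montgomery form, so the only reduction step ever performed is the final conditional subtraction; this is the property that makes the algorithm attractive for hardware, as Section 5 notes.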
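Worked example for Section 2.2. This added Python (not the paper's code) runs Algorithm 2, the Yang-Hseih-Laih squaring, on little-endian digit arrays: the cross products a_i·a_j (j > i) are accumulated once, the partial result is doubled with a one-bit left shift, and the diagonal terms a_i² are added last. The radix b = 2^16, the helper names and the counter of single-digit multiplications are this example's own.

```python
# Added example (not the paper's code): Algorithm 2 on base-B digit arrays.

B = 1 << 16   # digit radix b (this example's choice)


def to_digits(x):
    """Little-endian base-B digits of a non-negative integer (at least one digit)."""
    out = []
    while True:
        out.append(x % B)
        x //= B
        if x == 0:
            return out


def from_digits(ds):
    return sum(d << (16 * i) for i, d in enumerate(ds))


def square_yhl(a):
    """Return (digits of A^2, number of single-digit multiplications) per Algorithm 2."""
    n = len(a)
    d = [0] * (2 * n)
    mults = 0
    # Pass 1: cross products a_i*a_j for j > i, each computed once.
    for i in range(n):
        c = 0
        for j in range(i + 1, n):
            t = d[i + j] + a[j] * a[i] + c
            d[i + j], c = t % B, t // B          # (c, s) = d_{i+j} + a_j*a_i + c
            mults += 1
        d[i + n] = c
    # D = 2D: each cross term occurs twice in A^2, so shift D left by one bit.
    carry = 0
    for k in range(2 * n):
        t = (d[k] << 1) | carry
        d[k], carry = t % B, t // B
    # Pass 2: add the diagonal terms a_i^2 at positions 2i, propagating carries.
    c = 0
    for i in range(n):
        t = d[2 * i] + a[i] * a[i] + c
        d[2 * i], c = t % B, t // B
        mults += 1
        t = d[2 * i + 1] + c
        d[2 * i + 1], c = t % B, t // B
    return d, mults


if __name__ == "__main__":
    x = 123456789012345678901234567890      # constructed sample operand
    ds, m = square_yhl(to_digits(x))
    print(from_digits(ds) == x * x, m, len(ds) ** 2 // 4)
```

For an n-digit operand the algorithm performs n(n+1)/2 digit multiplications against n² for schoolbook multiplication of A by itself, which is where the speed-up reported in Section 2.2 comes from.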
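Worked example for Sections 2.4 and 3.1. This added Python (not the paper's code) implements Algorithm 5, the right-to-left binary method of Example 1, and Algorithm 4, the Yen-Laih multi-exponentiation, each returning its result together with the number of modular multiplications it performed, with squarings counted as multiplications as Section 4 does. The function names and the sample bases, exponents and moduli are this example's own.

```python
# Added example (not the paper's code): Algorithm 5 and Algorithm 4 with operation counts.

def binary_exp(m, e, n_mod):
    """Algorithm 5: P = M^E mod N, scanning E from LSB to MSB. Returns (P, count)."""
    c, p = m % n_mod, 1
    sq = mul = 0
    for i in range(e.bit_length()):
        if (e >> i) & 1:
            p = p * c % n_mod              # Step 3: P = P*C mod N
            mul += 1
        c = c * c % n_mod                  # Step 4: C = C*C mod N
        sq += 1
    return p, sq + mul


def multi_exp(a, b, x, y, n_mod):
    """Algorithm 4: C = A^X * B^Y mod N with both exponents scanned together."""
    h = max(x.bit_length(), y.bit_length())    # the shorter exponent is zero-padded
    q = a * b % n_mod                          # Q = A*B mod N, one multiplication
    c, count = 1, 1
    for k in range(h - 1, -1, -1):
        pair = ((x >> k) & 1, (y >> k) & 1)
        if pair == (1, 0):
            c = c * a % n_mod
        elif pair == (0, 1):
            c = c * b % n_mod
        elif pair == (1, 1):
            c = c * q % n_mod                  # a common-multiplicand: one multiply for both
        if pair != (0, 0):
            count += 1
        if k >= 1:                             # no squaring after the last bit
            c = c * c % n_mod
            count += 1
    return c, count


def separate_cost(x, y):
    """Multiplications if A^X and B^Y were computed by Algorithm 5 and then multiplied."""
    def cost(e):
        return e.bit_length() + bin(e).count("1")
    return cost(x) + cost(y) + 1


if __name__ == "__main__":
    print(binary_exp(3, 170, 1000))            # Example 1's exponent: 8 squarings + 4 multiplies
    print(multi_exp(3, 5, 170, 85, 1009)[1], separate_cost(170, 85))
```

With X = 170 and Y = 85 every bit position has a non-zero digit in one of the two exponents, so Algorithm 4 spends 16 multiplications where two separate binary exponentiations plus a final product would spend 24.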
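Worked example for Sections 3.2 and 3.3. This added Python (not the paper's code) applies the exponent-folding idea of Algorithm 7 with the exponent folded once: the low and high halves of E are raised simultaneously, bits set in both halves are handled once in C3, and the two partial powers are recombined into M^E. The function names, the way of padding E to an even length, and the sample exponent 46775 are this example's own.

```python
# Added example (not the paper's code): one-fold exponent folding with operation counts.

def fold_exp(m, e, n_mod):
    """Return (M^E mod N, number of modular multiplications incl. squarings)."""
    k = e.bit_length() + (e.bit_length() & 1)   # even bit length so E folds into two halves
    half = k // 2
    e_lo, e_hi = e & ((1 << half) - 1), e >> half   # E = E_hi * 2^half + E_lo
    common = e_lo & e_hi                             # bits set in both halves
    excl_lo, excl_hi = e_lo & ~common, e_hi & ~common
    c1 = c2 = c3 = 1
    s = m % n_mod
    mults = 0
    for b in range(half):                            # scan the half-exponents LSB first
        if (excl_lo >> b) & 1:
            c1 = c1 * s % n_mod                      # multiply, exclusive to E_lo
            mults += 1
        if (excl_hi >> b) & 1:
            c2 = c2 * s % n_mod                      # multiply, exclusive to E_hi
            mults += 1
        if (common >> b) & 1:
            c3 = c3 * s % n_mod                      # multiply once for both halves
            mults += 1
        s = s * s % n_mod                            # square
        mults += 1
    c1 = c1 * c3 % n_mod                             # M^{E_lo}
    c2 = c2 * c3 % n_mod                             # M^{E_hi}
    mults += 2
    for _ in range(half):                            # (M^{E_hi})^(2^half)
        c2 = c2 * c2 % n_mod
        mults += 1
    return c1 * c2 % n_mod, mults + 1                # final product M^{E_hi*2^half} * M^{E_lo}


def binary_cost(e):
    """Multiplications Algorithm 5 needs: one squaring per bit plus one per 1-bit."""
    return e.bit_length() + bin(e).count("1")


if __name__ == "__main__":
    e = 0b1011011010110111                           # halves 10110110 and 10110111 share 5 bits
    print(fold_exp(7, e, 1000003)[1], binary_cost(e))   # 25 27
```

The saving equals the number of common bits minus the three extra multiplications used to recombine, so folding pays off for exponents whose halves share several 1-bits; a signed-digit recoded exponent (Section 3.4) can be folded in the same way [28].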
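Worked example for Sections 3.4 and 3.5. This added Python (not the paper's code) shows two exponent recodings with their multiplication counts: naf() produces the standard binary non-adjacent form, a minimal-weight signed-digit representation (the radix-2 outcome that signed-digit recoding aims for, not a transcription of the radix-r Algorithm 8), signed_digit_exp() uses it with M^(-1) mod N for the −1 digits, and radix_exp() follows Algorithm 9, Koc's 2^d-ary method. The function names and sample exponents are this example's own.

```python
# Added example (not the paper's code): NAF recoding and the 2^d-ary method with counts.

def naf(e):
    """Signed digits of e (LSB first, each in {-1, 0, 1}) with no two adjacent non-zeros."""
    digits = []
    while e > 0:
        if e & 1:
            d = 2 - (e & 3)        # 1 if e = 1 mod 4, -1 if e = 3 mod 4
            e -= d
        else:
            d = 0
        digits.append(d)
        e >>= 1
    return digits


def signed_digit_exp(m, e, n_mod):
    """M^E mod N over naf(E); needs M invertible mod N (true for RSA operands)."""
    m_inv = pow(m, -1, n_mod)                # the -1 digits multiply by M^-1
    c, count = 1, 0
    for idx, d in enumerate(reversed(naf(e))):   # most significant digit first
        if idx:
            c = c * c % n_mod
            count += 1
        if d == 1:
            c = c * m % n_mod
            count += 1
        elif d == -1:
            c = c * m_inv % n_mod
            count += 1
    return c, count


def radix_exp(m, e, n_mod, d):
    """Algorithm 9: scan E in sections of d bits (radix 2^d), most significant first."""
    n = max(e.bit_length(), 1)
    k = -(-n // d)                           # number of sections; E is zero-padded at the top
    x = [1, m % n_mod]                       # X_0 = 1, X_1 = M
    for _ in range(2, 1 << d):
        x.append(x[-1] * x[1] % n_mod)       # X_j = X_{j-1} * M mod N
    count = (1 << d) - 2

    def f(i):                                # F(i): value of the i-th d-bit section
        return (e >> (i * d)) & ((1 << d) - 1)

    c = x[f(k - 1)]
    for i in range(k - 2, -1, -1):
        for _ in range(d):
            c = c * c % n_mod                # raise to the 2^d power
        count += d
        if f(i):
            c = c * x[f(i)] % n_mod
            count += 1
    return c, count


if __name__ == "__main__":
    print(naf(255))                          # weight 2 instead of 8
    print(signed_digit_exp(3, 255, 1009)[1], 8 + 8)
    big = 0xDEADBEEFCAFEBABE                 # constructed 64-bit exponent, weight 46
    print(radix_exp(5, big, 1000003, 4)[1], 64 + 46)
```

For E = 255 the recoding turns eight 1-bits into the two digits 1 and −1, so the exponentiation costs 10 multiplications instead of 16; the radix-16 scan of the 64-bit sample spends 14 multiplications on the table X_2 … X_15 and then at most one multiplication per 4-bit section, 89 in total against 110 for the binary method.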
Table 1. Comparisons for computational complexities of modular multiplications.

    Items   Methods                                                                          Modular multiplications
    I       Walter's method                                                                  (4/3)·log2 k
    II      Lou-Wu's method                                                                  0.689k + 11
    III     Wu-Chang's method                                                                1.219k
    IV      Yen's method                                                                     1.292k + 11
    V       Dimitrov and Jullien's method combining using joint sparse form                  1.500k
    VI      Yang-Guan-Laih's method                                                          1.509k
    VII     Dimitrov-Jullien's method                                                        1.534k
    VIII    Shamir's method combining minimal weight binary signed-digit recoding method     1.556k
    IX      Pekmestzi's method                                                               1.75k
    X       Shamir's method                                                                  1.75k

Table 2. The average number of multiplications for different methods.

    Items   Multiplications   k=512     k=1,024    k=2,048    k=4,096    k=8,192     k=16,384
    I       (4/3)·log2 k      12        13.333     14.667     16         17.333      18.667
    II      0.689k + 11       363.768   716.536    1,422.072  2,833.144  5,655.288   11,299.576
    III     1.219k            624.128   1,248.256  2,496.512  4,993.024  9,986.048   19,972.096
    IV      1.292k + 11       672.504   1,334.008  2,657.016  5,303.032  10,595.064  21,179.128
    V       1.5k              768       1,536      3,072      6,144      12,288      24,576
    VI      1.509k            772.608   1,545.216  3,090.432  6,180.864  12,361.728  24,723.456
    VII     1.534k            785.408   1,570.816  3,141.632  6,283.264  12,566.528  25,133.056
    VIII    1.556k            796.672   1,593.344  3,186.688  6,373.376  12,746.752  25,493.504
    IX      1.75k             896       1,792      3,584      7,168      14,336      28,672
    X       1.75k             896       1,792      3,584      7,168      14,336      28,672

References

[1] Dimitrov V. S., Jullien G. A., and Miller W. C., "Complexity and fast algorithms for multi-exponentiations," IEEE Transactions on Computers, vol. 49, no. 2, 141-147, 2000.
[2] Yang W.-C., Hseih P.-Y., and Laih C.-S., "Efficient squaring of large integers," IEICE Transactions on Fundamentals, vol. E87-A, no. 5, 1189-1192, 2004.
[3] Yen S.-M., Laih C.-S., and Lenstra A. K., "Multi-exponentiation," IEE Proceedings: Computers and Digital Techniques, vol. 141, no. 6, 325-326, 1994.
[4] Yanik T., Savas E., and Koc C. K., "Incomplete reduction in modular arithmetic," IEE Proceedings: Computers and Digital Techniques, vol. 149, no. 2, 46-52, 2002.
[5] Rivest R. L., Shamir A., and Adleman L., "A method for obtaining digital signatures and public-key cryptosystems," Communications of the ACM, vol. 21, 120-126, 1978.
[6] Diffie W. and Hellman M. E., "New directions in cryptography," IEEE Transactions on Information Theory, vol. 22, no. 6, 644-654, 1976.
[7] Katti R. and Ruan X., "Left-to-right binary signed-digit recording for elliptic curve cryptography," Proceedings of the International Symposium on Circuits and Systems, vol. 2, 365-368, 2004.
[8] Nedjah N., "Efficient pre-processing for large window-based modular exponentiation using ant colony," Informatica, vol. 29, 155-161, 2005.
[9] Khabbazian M. and Gulliver T. A., "A new minimal average weight representation for left-to-right point multiplication methods," IEEE Transactions on Computers, vol. 54, no. 11, 1454-1459, 2005.
[10] Knuth D. E., The Art of Computer Programming, vol. II: Seminumerical Algorithms, 3rd Edition, Addison-Wesley, MA, 1997.
[11] Guan D. J., "Montgomery algorithm for modular multiplication," IEEE Transactions on Computers, vol. 42, no. 6, 693-699, 2003.
[12] Hasan M. A., "Efficient computation of multiplicative inverses for cryptographic applications," Proceedings of the 15th IEEE Symposium on Computer Arithmetic, 66-72, 2001.
[13] Lai Y.-P. and Chang C.-C., "An efficient multi-exponentiation scheme based on modified Booth's method," Journal of Electronics Engineering, vol. 90, no. 3, 221-233, 2003.
[14] Yang W.-C., Guan D. J., and Laih C.-S., "Algorithm of asynchronous binary signed-digit recording on fast multi-exponentiation," Applied Mathematics and Computation, vol. 167, 108-117, 2005.
[15] Lou D.-C. and Wu C.-L., "Parallel exponentiation using common-multiplicand-multiplication and signed-digit-folding techniques," International Journal of Computer Mathematics, vol. 81, no. 10, 1187-1202, 2004.
[16] Ha J.-C. and Moon S.-J., "A common-multiplicand method to the Montgomery algorithm for speeding up exponentiation," Information Processing Letters, vol. 66, 105-107, 1998.
[17] Joye M. and Yen S.-M., "Optimal left-to-right binary signed-digit recording," IEEE Transactions on Computers, vol. 49, no. 7, 740-748, 2000.
[18] Martinez M. A. G., Luna G. M., and Henriquez F. R., "Hardware implementation of the binary method for exponentiation in GF(2^m)," Proceedings of the 4th Mexican International Conference on Computer Science, 131-134, 2003.
[19] Koc C. K. and Johnson S., "Multiplication of signed-digit numbers," Electronics Letters, vol. 30, no. 11, 840-841, 1994.
[20] Montgomery P. L., "Modular multiplication without trial division," Mathematics of Computation, vol. 44, no. 170, 519-521, 1985.
[21] Eldridge S. E. and Walter C. D., "Hardware implementation of Montgomery's modular multiplication algorithm," IEEE Transactions on Computers, vol. 42, no. 6, 693-699, 1993.
[22] Yen S.-M. and Laih C.-S., "Common-multiplicand multiplication and its applications to public key cryptography," Electronics Letters, vol. 29, no. 17, 1583-1584, 1993.
[23] Koc C. K., "Analysis of sliding window techniques for exponentiation," Computers and Mathematics with Applications, vol. 30, no. 10, 17-24, 1995.
[24] Lou D.-C. and Chang C.-C., "Fast exponentiation method obtained by folding the exponent in half," Electronics Letters, vol. 32, no. 11, 984-985, 1996.
[25] Yen S.-M., "Improved common-multiplicand multiplication and fast exponentiation by exponent decomposition," IEICE Transactions on Fundamentals, vol. E80-A, no. 6, 1160-1163, 1997.
[26] Wu T.-C. and Chang Y.-S., "Improved generalization common-multiplicand multiplications algorithm of Yen and Laih," Electronics Letters, vol. 31, no. 20, 1738-1739, 1995.
[27] Arno S. and Wheeler F. S., "Signed digit representations of minimal Hamming weight," IEEE Transactions on Computers, vol. 42, no. 8, 1007-1010, 1993.
[28] Lou D.-C., Wu C.-L., and Chen C.-Y., "Fast exponentiation by folding the signed-digit exponent in half," International Journal of Computer Mathematics, vol. 80, no. 10, 1251-1259, 2003.
[29] Koc C. K., "High-radix and bit recording techniques for modular exponentiation," International Journal of Computer Mathematics, vol. 40, 139-156, 1991.
[30] Grabner P. J., Heuberger C., and Prodinger H., "Distribution results for low-weight binary representations for pairs of integers," Theoretical Computer Science, vol. 319, 307-331, 2004.
[31] Negre C., "Quadrinomial modular arithmetic using modified polynomial basis," Proceedings of the 2005 International Conference on Information Technology: Coding and Computing, vol. 1, 550-555, 2005.
[32] Dempster A. G. and Macleod M. D., "Generation of signed-digit representations for integer multiplication," IEEE Signal Processing Letters, vol. 11, no. 8, 663-665, 2004.