52 Things: Number 25: Methods for modular reduction using "special" primes that define GF(p) and GF(2n)
52件事:第25件:使用定义 GF(p) 和#1的“特殊”素数进行模归约的方法#
This is the latest in a series of blog posts to address the list of '52 Things Every PhD Student Should Know' to do Cryptography: a set of questions compiled to give PhD candidates a sense of what they should know by the end of their first year. Continuing the section on implementation details, we discuss one method of implementing efficient modular reduction: using "special" primes modulo.这是一系列博客文章中的最新一篇,旨在解决“每个博士生都应该知道的52件事”做密码学:这是一组问题,旨在让博士生在第一年结束时了解他们应该知道什么。继续关于实现细节的部分,我们讨论一种实现有效模归约的方法:使用“特殊”素数模。
As we have seen in the previous blogs, when implementing cryptographic schemes, one of the mostly frequently invoked operation is the modulo operation. Unfortunately, despite its massive usage modulo cannot be performed easily like some other arithmetic operations such as additions and multiplications. Montgomery representation provides one solution to this problem, and we will discuss another solution, Psudo-Mersenne Prime reduction.
正如我们在以前的博客中所看到的,在实现加密方案时,最频繁调用的操作之一是模运算。不幸的是,尽管模的使用量很大,但它不能像加法和乘法等其他算术运算一样容易地执行。Montgomery表示为这个问题提供了一种解决方案,我们将讨论另一种解决方法,Psudo-Mersenne素数约简。
Definition: A prime number p is called a Psudo-Mersenne Prime if p can be written in the form:
定义:素数 p 称为伪梅森素数,如果 p 可以写成以下形式:
p=bn−c
where 哪里
0<|c|<2⌊n/2⌋
Practically, b is always 2 and we pick c within a word size which is usually 32 or 64 bits.
实际上, b 总是 2 ,并且我们在通常为 32 或#4位的字大小内选择 c 。
It can then be easily derived from its definition that
然后可以很容易地从其定义中得出
Therefore given an integer z of k bits, we let z′ be its Least Significant n bits and z′′ its Most Significant k−n bits, i.e. z=z′′2n+z′, we can then rewrite zmodp as:
因此,给定 k 比特的整数 z ,我们让 z′ 是其最低有效#3比特,让#4是其最高有效 k−n 比特,即 z=z′′2n+z′ ,然后我们可以将 zmodp 重写为:
z≡z′′bn+z′≡z′′c+z′(modp)
The modulo of z can then be computed by recursively apply this until it yields in Zp.
z 的模然后可以通过递归地应用它来计算,直到它产生 Zp 。
There are several points might worth mentioned here:
这里有几点值得一提:
- Both z′ and z′′ can be computed efficiently by simply shifting z.
z′ 和 z′′ 都可以通过简单地移位 z 来有效地计算。 - Since c is picked within a word size, the multiplication can be done very efficiently.
由于 c 是在单词大小内选取的,因此可以非常有效地进行乘法运算。 - Each iteration shrinks the left hand side k bits to the right hand side max(k−n+w,n) bits where w is the word size.
每次迭代将左手侧 k 比特缩小到右手侧 max(k−n+w,n) 比特,其中#2是字大小。
因此,一般来说,当模是伪梅森素数时,可以非常有效地进行约简,因为它只需要移位、加法和乘法。
Nevertheless, drawback of using such method is also obvious as such implementation will usually requires multiple parties to use a fixed setup which will potentially results into both interoperability and security problems.
然而,使用这种方法的缺点也是显而易见的,因为这种实现通常需要多方使用固定的设置,这可能会导致互操作性和安全性问题。
More details about this solution can be found in [1] and [2].
有关此解决方案的更多详细信息,请参阅[1]和[2]。
GF(2n) is another filed of common usage in cryptography. Trinomial and pentanomial are the mostly used modular in this scenario. We will show how trinomial simplifies the reduction. Same technique can be applied to pentanomial straight forward.
GF(2n) 是密码学中另一个常用的领域。三项式和五项式是这种情况下最常用的模块。我们将展示三项式如何简化约简。同样的技术也可以应用于五项直线。
The idea is very similar to the prime field one. Presume we have the trinomial modulo f(x) such that
这个想法与素数域非常相似。假设我们有三项式模 f(x) ,这样
f(x)=xn+xt+1
where 0<t<n/2. 其中 0<t<n/2 。
We immediately have 我们立即有
xn≡xt+1(modf(x))
Given a polynomial z(x) with degree greater to n, we rewrite z(x) as
给定次数大于 n 的多项式 z(x) ,我们将 z(x) 重写为
z(x)=z′′(x)xn+z′(x)
where z′(x) is the polynomial represented by the Least Significant n−1 bits of z(x) and z′′(x) the others.
其中 z′(x) 是由#2和#3的最低有效 n−1 比特表示的多项式。
Then just like what we have done on GF(p), we compute the modular by
然后,就像我们在 GF(p) 上所做的那样,我们通过
This can be done very efficiently as t is a "small" number.
这可以非常有效地完成,因为 t 是一个“小”数字。
[2] also described another optimization to the standard reduction. Consider during a standard procedure of reducing z(x) of degree m to f(x) of degree n:
[2] 还描述了另一种对标准缩减的优化。在将 m 度的 z(x) 减少到 n 度的 f(x) 的标准过程中考虑:
z(x)=amxm+am−1xm−1+...a1x1+a0x0f(x)=xn+xt+1
When we try to reduce aixi, there are two cases:
当我们试图减少 aixi 时,有两种情况:
- If ai=0, then nothing will be changed to the remainder, or
如果 ai=0 ,则余数将不发生任何更改,或者 - If ai=1, then 1 will be added to the bits aligned to xt and 1 in f(x), namely ai−n+t and ai−n.
如果 ai=1 ,则 1 将被添加到与#4中的#2和#3对齐的比特,即 ai−n+t 和 ai−n 。
由于添加 0 不会改变余数,所以这两种情况可以概括为一种;因此,我们可以将标准还原过程写成:
INPUT: z(x) 输入: z(x)
OUTPUT: z(x) 输出: z(x)
1. for i=m to n by −1
1.对于 i=m 到 n ,由#2执行#
2. {
3. ai−n+t+=ai
4. ai−n+=ai
5. }
6. return z(x) 6.返回 z(x)
The advantage of using such algorithm does not seem obvious from a software perspective; however, it can be implemented very efficiently by hardware as it simply updates z(x) and requires no extra storage.
从软件的角度来看,使用这种算法的优势似乎并不明显;然而,它可以通过硬件非常有效地实现,因为它只需更新 z(x) 并且不需要额外的存储。
Another advantage is that such code requires only 0<t<n and can be executed in a constant time.
另一个优点是这样的代码只需要 0<t<n ,并且可以在恒定的时间内执行。 标签:25,Methods,比特,ai,modular,GF,reduction,bits From: https://www.cnblogs.com/3cH0-Nu1L/p/18106135