Fast Truncated Multiplication for Cryptographic Applications

2002−2006Laszlo Hars (Laszlo@Hars.US)

Seagate Research

Outline• History of the paper, Applications• Examples• Truncated Products• Time complexity• Carry• Half products• LS and MS products• Middle-third products• Squaring

History, Applications• Written in 2002/03

– ’03 Missed deadline– ’04 Reviewers failed to read– ’05 Page and time limitations ½ of accepted paper printed

• Applications: http://www.hars.us/Papers/TrunApps.pdf

Example: Reciprocal

• ⌊d 2n/x = Integer reciprocal of ⌋ n-digit x

• Newton Iteration doubles #accurate bitsr r ∙(2−r ∙x)r  r + r ∙(1+ r ∙(−x))

• Proof: rk = 1/x ∙(1− ε)    rk+1 = 1/x ∙(1− ε2).

• r ∙x = 1− ε, only need digits2k +1 … 2k+1 of r ∙(-x)

• r2k = rk || rk  (rk  -x(2k+1))concatenate

MS half of |2∙2k| productMiddle third of |3∙2k| product

School Karatsuba

0.5M 0.9039M

0.999...

2’s complement

Numerical Example: Reciprocal

• x = 87654321, 10⌊ 16/ x = ⌋ 114084507• r = 11408, -x = 108

− x = 12345679 (complement)

• r · (-x) = 140839506032, y = r -x = 3951

• z = r · y = 45073008, r ⋉ y = 4507

• r’ = r || r ⋉ y = 11408 4507

Examples: modular multiplication

• Barrett multiplication: with µ = ⌊d 2n/m⌋

a b mod m = a b − ⌊a b / m⌋m =

LS(a b) − ( MS(a b) µ )  m– With b constant, β := MS2n(b/m)

a b mod m = (a  β )  m

• Montgomery multiplication, -m-1:=  inv of -m mod d n

ab d −n

 mod m =  MS(a b) − (LS(a b) (-m-1)) m

– With b constant, β := b  (-m-1)

ab d −n mod m = a b − (a   β )  m

Truncated Product

a3 a2 a1 a0

b0 a3b0 a2b0 a1b0 a0b0

b1 a3b1 a2b1 a1b1 a0b1 c0

b2 a3b2 a2b2 a1b2 a0b2 c1

b3 a3b3 a2b3 a1b3 a0b3 c2

c7 c6 c5 c4 c3

contiguous subsequenceof the digits of the product

• Specialized algorithms

• Cover with polygons of black-box algorithms– Ignore extra digits– Subtract overlap– Pad input for excess area

Time complexity

• Number of digit-multiplications– × is more expensive than +, −, <, load/store…– Can be performed parallel to others

• Fast multiplication algorithms take ≈ nα time

• Speed relations: M1/M2 ≈ T1/T2 (Mult, TrctMult)

– No more auxiliary digit operations than at the corresponding black box multiplication!

Carry

• Omitted LS product-digits may cause carry– Some algorithms tolerate (Barrett, Newton iteration)– Others must be accurate

• Maximal potential carry: at the main diagonal

(n −1) d n+1 + (d −n −1) d n + 1– Last 2 digits can be “very” wrong– Carry can propagate to the first digit (9→0, x→ x+1)

• Use 2 extra guard digits to the right– Almost always they absorb carry– If they are large (might not absorb) ⇒ full product

Half Product• MS or LS half product

– Same speed ± linear term

• Find optimal β, Speedup

k = ß nn – k

LS and MS products

(1– p )·n p ·n (1– p )·n p ·n

MS products faster calculated than the full product

Middle-third product

• Center Square + 2 small triangles

• Karatsuba: direct recursion– 4 overlapping

smaller cases– 3 are enough

0n2 n

n2 n3 n

0

Squaring

• Squaring short operands twice faster than mult

• Complexity recursions end at short operands

• Speed relations of short square/mult is (almost) the same as at long ops

Squaring Truncated Products∉

Conclusion

• Fast truncated multiplication algorithms– Black-box covering

• Optimal configurations

– Specialized algorithms

• Speed up many crypto algorithms– Constant factor (≈ 20…50% typical)– Encourage use of sub-quadratic algorithms

• No speedup for FFT-based algorithms?