| |
 |
|
|
Science Forum Index » Cryptography Forum » alternative algorithm for modular inverse...
Page 1 of 1
|
| Author |
Message |
| Christian Siebert... |
 Posted: Tue May 13, 2008 6:33 am |
|
|
|
Guest
|
Hi all,
as far as I can see, the extended Euclidean algorithm seems to be the
most common algorithm for computing the modular multiplicative inverse
(used in GMP, LibTomMath, ...). The only alternative I've seen so far
utilizes Euler's totient function and direct modular exponentiation.
However, this algorithm is generally much slower (O(n^3) VS O(n^2)).
Are there any other known algorithms? I ask because I've discovered a
plain method which is even easier (to understand as well as to
implement) than Euclid's algorithm (maybe some simplified version of
the eEa?). It's so simple that I wouldn't be surprised if this is
something that is already known ...
Regards,
Christian |
|
|
| Back to top |
|
| David Wagner... |
| Posted: Tue May 13, 2008 8:37 am |
|
|
|
Guest
|
Christian Siebert wrote:
Quote: as far as I can see, the extended Euclidean algorithm seems to be the
most common algorithm for computing the modular multiplicative inverse
(used in GMP, LibTomMath, ...). [...]
Are there any other known algorithms?
If I recall correctly, I _think_ you can use any extended-gcd algorithm
(e.g., the extended version of the binary gcd algorithm), though this is
a vague memory, I could be misremembering, and I really don't know this
area. |
|
|
| Back to top |
|
| bert... |
| Posted: Tue May 13, 2008 10:44 am |
|
|
|
Guest
|
On 13 May, 19:37, d... at (no spam) taverner.cs.berkeley.edu (David Wagner) wrote:
Quote: Christian Siebert wrote:
as far as I can see, the extended Euclidean algorithm seems to be the
most common algorithm for computing the modular multiplicative inverse
(used in GMP, LibTomMath, ...). [...]
Are there any other known algorithms?
If I recall correctly, I _think_ you can use any extended-gcd algorithm
(e.g., the extended version of the binary gcd algorithm), though this is
a vague memory, I could be misremembering, and I really don't know this
area.
That's perfectly correct in at least one case. I had no
difficulty in constructing a neat modular inverse routine
based on the binary GCD algorithm described in Knuth, in
which the fundamental operations are doubling and halving,
rather than general dividing-with-remainder.
Since the main routine only works for two odd numbers, it
needs an appropriate pair of outer routines to deal with
the general case, but they're even simpler.
-- |
|
|
| Back to top |
|
| James Waldby... |
| Posted: Tue May 13, 2008 12:58 pm |
|
|
|
Guest
|
On Tue, 13 May 2008 09:33:22 -0700, Christian Siebert wrote:
Quote: Hi all,
as far as I can see, the extended Euclidean algorithm seems to be the
most common algorithm for computing the modular multiplicative inverse
(used in GMP, LibTomMath, ...). The only alternative I've seen so far
utilizes Euler's totient function and direct modular exponentiation.
However, this algorithm is generally much slower (O(n^3) VS O(n^2)).
In http://www-lipn.univ-paris13.fr/~sedjelmaci/abstract27.pdf
"The Accelerated Euclidean Algorithm", Sidi Mohamed Sedjelmaci
gives an algorithm said to have O(n (log n)^2 log log n)
complexity, for n-bit inputs. (Eg: if input = 2^256-7, then
n=256 and (log n)^2 log log n is equal to 256*8*8*3.)
Quote: Are there any other known algorithms? I ask because I've discovered a
plain method which is even easier (to understand as well as to
implement) than Euclid's algorithm (maybe some simplified version of the
eEa?). It's so simple that I wouldn't be surprised if this is something
that is already known ...
Both http://en.wikipedia.org/wiki/Extended_Euclidean_algorithm
and http://mathworld.wolfram.com/EuclideanAlgorithm.html list
several different GCD algorithms; I don't know which ones provide
integers x and y such that ax+by = (a,b) giving a multiplicative
modular inverse for coprime a,b.
-jiw |
|
|
| Back to top |
|
| James Waldby... |
| Posted: Tue May 13, 2008 1:01 pm |
|
|
|
Guest
|
On Tue, 13 May 2008 12:58:53 -0500, James Waldby wrote:
....
................................ That should be: n (log n)^2 log log n
Quote: equal to 256*8*8*3.)
.... |
|
|
| Back to top |
|
| Christian Siebert... |
| Posted: Wed May 14, 2008 6:27 am |
|
|
|
Guest
|
On 13 Mai, 20:37, David Wagner wrote:
Quote: Christian Siebert wrote:
... the extended Euclidean algorithm seems to be the most common
algorithm for computing the modular multiplicative inverse
If I recall correctly, I _think_ you can use any extended-gcd
algorithm (e.g., the extended version of the binary gcd algorithm)
Yes, of course you're right (although the binary gcd is surely several
times slower on modern architectures). Nevertheless, the real question
is: why should we construct a modular inversion algorithm directly
upon a greatest common divisor algorithm? Fact is, the modular
inverse does only exist, if the given integer is nonzero and
relatively prime to the modulus. So all these 'gcd-class' algorithms
use Bezout's identity 'a*x + b*y = gcd(a, b) = 1'. Therefore they are
effectively computing two modular inverses instead of one, namely
'a^{-1} mod b' and 'b^{-1} mod a'.
Personally I like it simple and I (maybe only I) have to admit that I
neither keep the proof for B. identity nor the algorithm for the eEa
in my mind. In contrast, the underlying idea of my method is so simple
that any undergrad (just having the basic knowledge about modular
arithmetic) can easily derive the new algorithm, and fully proof it's
correctness within only a couple of trivial statements.
However, maybe it's not so obvious as I thought originally. So I will
continue my investigations and perhaps come up with a short paper
(something like "extended GCD revisited")? Any further comments or
contributions are always welcome ...
Many thanks,
Christian |
|
|
| Back to top |
|
| Blind Anagram... |
| Posted: Thu May 15, 2008 10:17 am |
|
|
|
Guest
|
"Christian Siebert" <iBBiS at (no spam) gmx.de> wrote in message
news:d777d678-e0be-460f-a1d3-d187714fe685 at (no spam) d77g2000hsb.googlegroups.com...
Quote: Hi all,
as far as I can see, the extended Euclidean algorithm seems to be the
most common algorithm for computing the modular multiplicative inverse
(used in GMP, LibTomMath, ...). The only alternative I've seen so far
utilizes Euler's totient function and direct modular exponentiation.
However, this algorithm is generally much slower (O(n^3) VS O(n^2)).
Are there any other known algorithms? I ask because I've discovered a
plain method which is even easier (to understand as well as to
implement) than Euclid's algorithm (maybe some simplified version of
the eEa?). It's so simple that I wouldn't be surprised if this is
something that is already known ...
There is a paper here that covers this topic:
http://www.hindawi.com/GetArticle.aspx?doi=10.1155/ES/2006/32192&e=REF
Some of the references mention a new algorithms. |
|
|
| Back to top |
|
| Wolfgang Ehrhardt... |
| Posted: Thu May 15, 2008 1:25 pm |
|
|
|
Guest
|
On Tue, 13 May 2008 09:33:22 -0700 (PDT), Christian Siebert
<iBBiS at (no spam) gmx.de> wrote:
Quote: Hi all,
as far as I can see, the extended Euclidean algorithm seems to be the
most common algorithm for computing the modular multiplicative inverse
(used in GMP, LibTomMath, ...). The only alternative I've seen so far
utilizes Euler's totient function and direct modular exponentiation.
However, this algorithm is generally much slower (O(n^3) VS O(n^2)).
This is normally reads O((log n)^3) and O((log n)^2.
Are there any other known algorithms? I ask because I've discovered a
plain method which is even easier (to understand as well as to
implement) than Euclid's algorithm (maybe some simplified version of
the eEa?). It's so simple that I wouldn't be surprised if this is
something that is already known ...
It will be much easier for the discussion if you give some more info
about your method.
- Is it "only" easier to implement and prove? Or is it more efficient
than the gcd algorithms?
- Is it suitable for multiple precision? How does it scale? How does
it compare to fast recursive GCD schemes?
- Is it for general moduli?
A comment to you second post: If the modulus m is odd you need not
calculate "both inverses", see e.g. HAC 14.64.
Wolfgang |
|
|
| Back to top |
|
| Bill Dubuque... |
| Posted: Fri May 16, 2008 2:17 am |
|
|
|
Guest
|
Christian Siebert <iBBiS at (no spam) gmx.de> wrote:
Quote:
as far as I can see, the extended Euclidean algorithm seems to be the
most common algorithm for computing the modular multiplicative inverse
(used in GMP, LibTomMath, ...). The only alternative I've seen so far
utilizes Euler's totient function and direct modular exponentiation.
However, this algorithm is generally much slower (O(n^3) VS O(n^2)).
Are there any other known algorithms? I ask because I've discovered a
plain method which is even easier (to understand as well as to
implement) than Euclid's algorithm (maybe some simplified version of
the eEa?). It's so simple that I wouldn't be surprised if this is
something that is already known ...
Perhaps you rediscovered the recursive modular inversion algorithm that
arises immediately from the Chinese Remainder Algorithm (CRT), namely
(x,y) = 1 -> x (1/x mod y) + y (1/y mod x) = 1 (mod xy)
-> 1/x mod y = (1 - y (1/y mod x))/x
e.g. 1/60 mod 103 = (1 - 103 (1/103 mod 60))/60 = -12, via inverse below
1/103 = -1/17 mod 60 = (1 - 60 (1/60 mod 17))/17 = 7, via inverse below
1/60 = 1/9 mod 17 = (1 - 17 (1/17 mod 9))/9 = 2, now subst. above
See my prior post [1] for further details, including links to a prior
thread discussing such a rediscovery. This post also describes Gauss'
simple algorithm for computing inverses modulo prime p - the key step
allowing Gauss to give the first proof of unique factorization in Z.
--Bill Dubuque
[1] http://google.com/groups?selm=y8zu1hn1v14.fsf%40nestle.ai.mit.edu |
|
|
| Back to top |
|
| Christian Siebert... |
| Posted: Fri May 16, 2008 5:03 am |
|
|
|
Guest
|
Hi Wolfgang,
Quote: However, this algorithm is generally much slower (O(n^3) VS O(n^2)).
This is normally reads O((log n)^3) and O((log n)^2.
yes, I'm sorry (it was just for the sake of brevity, i.e. 'n=log
x') ;-)
Quote: It will be much easier for the discussion if you give some more info
about your method.
I totally agree - however, it's not sooo simple once you have a
restrictive contract of employment 
.... just a bit more patience, please ...
Quote: - Is it "only" easier to implement and prove? Or is it more efficient
than the gcd algorithms?
I haven't checked this issue so far. I'd say: From a theoretical point
of view, it should be equivalent to a gcd algorithm. From a practical
point of view, it's simplicity might allow some improvements over the
hidden constant within the O-notation. Btw: can anyone of you give
some suggestions for a fair benchmark (especially because the
performance of most such algorithms depends on the given numbers and
not only their length).
Quote: - Is it suitable for multiple precision?
of course (already implemented/tested using GMP)
Quote: How does it scale? How does it compare to fast recursive GCD schemes?
TODO
Quote: - Is it for general moduli?
yes (at least for all 'm > 1'; current implementation returns the
smallest positive result)
And before the next question arises: it even detects properly if no
inverse exists (no separate check necessary).
Quote: A comment to you second post: If the modulus m is odd you need not
calculate "both inverses", see e.g. HAC 14.64.
thanks - I already noticed that Tom also has a fast inverse function
which seems to make use of this.
Christian |
|
|
| Back to top |
|
| Christian Siebert... |
| Posted: Fri May 16, 2008 5:19 am |
|
|
|
Guest
|
Hi Bill,
Quote: Perhaps you rediscovered the recursive modular inversion algorithm that
arises immediately from the Chinese Remainder Algorithm (CRT) [...]
That is great! However, for my method you do not even need to know the
CRT ...
I'd like to thank you and all the other posters for the references.
I'll go through them, as soon as I find some more spare time.
Best regards,
Christian |
|
|
| Back to top |
|
| Pubkeybreaker... |
| Posted: Fri May 16, 2008 6:30 am |
|
|
|
Guest
|
On May 15, 2:25 pm, Wolfgang.Ehrhardt.PLEASE.REM... at (no spam) munich.netsurf.de
(Wolfgang Ehrhardt) wrote:
Quote: On Tue, 13 May 2008 09:33:22 -0700 (PDT), Christian Siebert
<snip>
Quote: The only alternative I've seen so far
utilizes Euler's totient function and direct modular exponentiation.
However, this algorithm is generally much slower (O(n^3) VS O(n^2)).
This is normally reads O((log n)^3) and O((log n)^2.
This just depends whether n is the modulus or the number of bits in
the modulus. |
|
|
| Back to top |
|
| Pubkeybreaker... |
| Posted: Fri May 16, 2008 6:32 am |
|
|
|
Guest
|
On May 16, 11:03 am, Christian Siebert <iB... at (no spam) gmx.de> wrote:
Quote: - Is it "only" easier to implement and prove? Or is it more efficient
than the gcd algorithms?
I haven't checked this issue so far. I'd say: From a theoretical point
of view, it should be equivalent to a gcd algorithm. From a practical
point of view, it's simplicity might allow some improvements over the
hidden constant within the O-notation. Btw: can anyone of you give
some suggestions for a fair benchmark
Try the worst case; a pair of successive Fibonacci numbers. |
|
|
| Back to top |
|
| |
|
Page 1 of 1
All times are GMT - 5 Hours
The time now is Mon Oct 06, 2008 1:21 pm
|
|