CN117280316A - Computer-implemented method for determining a gaussian integer congruence with a given gaussian integer modulus, method for determining a reduction of a given gaussian integer modulus, and cryptographic and error correction methods - Google Patents

Info

Publication number
CN117280316A
Authority
CN
China
Prior art keywords
integer
gaussian
gaussian integer
modulus
congruence
Prior art date
Legal status
Pending
Application number
CN202280032003.6A
Other languages
Chinese (zh)
Inventor
F·德桑蒂斯
M·萨菲
Current Assignee
Siemens AG
Original Assignee
Siemens AG
Priority date
Filing date
Publication date
Priority claimed from EP21178084.6A external-priority patent/EP4083782A1/en
Application filed by Siemens AG
Priority claimed from PCT/EP2022/060901 external-priority patent/WO2022229103A1/en
Publication of CN117280316A

Abstract

In a computer-implemented method for determining a Gaussian integer congruence of a given Gaussian integer with a given Gaussian integer modulus, a Gaussian integer base raised to an integer exponent is chosen whose norm is less than or equal to the norm of the Gaussian integer modulus and greater than the norm of the difference between the Gaussian integer base raised to the integer exponent and the Gaussian integer modulus. A variable value candidate for the Gaussian integer congruence is first initialized with the given Gaussian integer and is then iteratively decremented by the product of the Gaussian integer modulus and the component-wise rounded-down quotient of the current value of the variable value candidate and the Gaussian integer base raised to the integer exponent, as long as the quotient obtained does not vanish; the variable value candidate obtained afterwards is taken as the Gaussian integer congruence. In a computer-implemented method for determining the reduction of a given Gaussian integer with a given Gaussian integer modulus, a Gaussian integer congruence of the modular reduction of the given Gaussian integer with the given Gaussian integer modulus is first determined using the method described above and then further reduced using a final reduction. These methods are used in computer-implemented cryptographic methods and error correction methods.

Description

Computer-implemented method for determining a Gaussian integer congruence with a given Gaussian integer modulus, method for determining a reduction of a given Gaussian integer modulus, and cryptographic and error correction methods
Technical Field
The present invention relates to a computer-implemented method for determining a Gaussian integer congruence of a given Gaussian integer with a Gaussian integer modulus, and to a method for the full modular reduction of a given Gaussian integer with a Gaussian integer modulus. The invention further relates to a computer-implemented cryptographic method and to a computer-implemented error correction method.
Background
Gaussian integers are the subset of the complex numbers whose real and imaginary parts are both integers. The set of Gaussian integers together with addition and multiplication modulo a Gaussian integer modulus forms a ring or a field, depending on the choice of the modulus. For this reason, Gaussian integers find application in error correction coding theory, cryptography and other sciences.
For example, the set of Gaussian integers with addition and multiplication modulo a Gaussian integer modulus $\pi$ forms a finite Gaussian integer field if $\pi \pi^* = p$ is a prime number (and therefore an ordinary integer). Here the symbol $\pi^*$ denotes the complex conjugate of $\pi$. In this case, the resulting Gaussian integer field is isomorphic to the prime field GF($p$) over the ordinary integers. Such an isomorphism exists for every prime number $p$ congruent to 1 modulo 4.
As with ordinary integers, a straightforward implementation of the modular reduction of a given Gaussian integer is typically very inefficient, as it requires a division by a Gaussian integer followed by rounding of the result. A more efficient reduction mechanism for Gaussian integers is therefore needed.
Disclosure of Invention
In the fields of cryptography and error correction codes, congruent values with a smaller norm or absolute value than the originally given Gaussian integer are needed in large numbers, and computing them is often relatively inefficient.
The present invention aims to provide a method for the efficient reduction of a given Gaussian integer with a Gaussian integer modulus. Likewise, a method for determining a Gaussian integer congruence with a given Gaussian integer modulus with reduced complexity would be beneficial for many applications. Cryptographic methods and error correction methods that benefit from such efficient reduction methods are highly desirable.
This problem is solved by a computer-implemented method for determining a Gaussian integer congruence of a given Gaussian integer with a Gaussian integer modulus with the features of claim 1, by a method for the reduction of a given Gaussian integer with a Gaussian integer modulus with the features of claim 13, by a computer-implemented cryptographic method with the features of claim 14, and by a computer-implemented error correction method with the features of claim 15.
Preferred and advantageous aspects of the invention are contained in the respective dependent claims and in the subsequent description.
The main idea of the present invention is to provide an efficient reduction method for a class of Gaussian integer moduli of a special form, which reduces the computation to a series of basic bit operations and thus provides a very fast way, in software and in hardware, to perform the modular reduction for a large class of Gaussian integer moduli.
The classical, direct method for the modular reduction of a given Gaussian integer $x$ modulo a Gaussian integer modulus $\pi$ uses subtraction, multiplication by constants and division with rounding, as in the following equation:
$$x \bmod \pi = x - \left[\frac{x \pi^*}{\pi \pi^*}\right] \cdot \pi$$
Here again the symbol $\pi^*$ denotes the complex conjugate of $\pi$, and the square brackets denote the rounding operation.
A more efficient method for the modular reduction of a given Gaussian integer with a Gaussian integer modulus is described in the following article: Safieh, Malek; Freudenberger, Jürgen: "Montgomery Reduction for Gaussian Integers", Cryptography 2021, 5, 6 (https://doi.org/10.3390/cryptography5010006).
Likewise, a special class of fast reduction methods is known for ordinary integers. Efficient reduction methods for Gaussian integers, however, are less developed. The invention therefore addresses, in a particularly advantageous aspect, the important use case of a given Gaussian integer that is not an ordinary integer.
According to the present invention, the modular reduction can be performed in two parts. In the first part, a Gaussian integer congruence is determined in place of the given Gaussian integer; it is smaller than the given Gaussian integer in terms of a norm (such as the absolute value), but congruent to the final reduction result. In the second part, the congruent result is reduced further to obtain the final result of the modular reduction, which is the correct representative from the Gaussian integer ring or field. Both the determination of the Gaussian integer congruence and the complete reduction are the subject of the present invention.
The present invention discloses an efficient algorithm for the modular reduction of a given Gaussian integer in the two parts described above. The first part is new and results in different algorithmic steps and arithmetic operations than those described in the prior art. This first part may be combined with a second part known from the prior art, namely steps 3 to 11 of algorithm 2 in the following article: Safieh, Malek; Freudenberger, Jürgen: "Montgomery Reduction for Gaussian Integers", Cryptography 2021, 5, 6 (https://doi.org/10.3390/cryptography5010006).
The first and second parts may be combined to perform a complete modular reduction. In practice, however, the first part is performed far more frequently, in particular during cryptographic computations, while the second part, also referred to as the "final reduction" throughout the present application, is performed only once at the end to obtain the final desired result, the representative in the so-called Gaussian integer ring or field that is the result of the modular reduction. Furthermore, the second part is based on computationally intensive comparisons. The first part therefore aims to reduce the number of these comparisons and thus the overall complexity.
Thus, in particular, the novel part, determining a Gaussian integer congruence of the given Gaussian integer modulo the Gaussian integer modulus, provides the major benefit in terms of the efficiency of the modular reduction of Gaussian integers. Furthermore, it enables a final reduction with reduced complexity, i.e. as presented in steps 3 to 11 of algorithm 2 in the following article: Safieh, Malek; Freudenberger, Jürgen: "Montgomery Reduction for Gaussian Integers", Cryptography 2021, 5, 6 (https://doi.org/10.3390/cryptography5010006).
The computer-implemented method according to the invention is a method for determining a Gaussian integer congruence of a given Gaussian integer with a given Gaussian integer modulus.
In the method according to the invention, the Gaussian integer base raised to the integer exponent is selected such that its norm is less than or equal to the corresponding norm of the Gaussian integer modulus and greater than the corresponding norm of the difference between the Gaussian integer base raised to the integer exponent and the Gaussian integer modulus. Later, particularly in the description of the preferred embodiment, this difference between the Gaussian integer base raised to the integer exponent and the Gaussian integer modulus is denoted $\epsilon$.
In the method according to the invention, a variable value candidate for the Gaussian integer congruence is considered. It is first initialized with the given Gaussian integer and is then iteratively decremented by the product of the Gaussian integer modulus and a quotient, namely the component-wise rounded-down quotient of the current variable value candidate of the Gaussian integer congruence and the Gaussian integer base raised to the integer exponent, as long as this quotient does not vanish. Thereafter, the resulting variable value candidate determines the Gaussian integer congruence with reduced norm or absolute value, which directly enables the use of the final reduction presented in steps 3 to 11 of algorithm 2 in the following article: Safieh, Malek; Freudenberger, Jürgen: "Montgomery Reduction for Gaussian Integers", Cryptography 2021, 5, 6 (https://doi.org/10.3390/cryptography5010006).
In this context, the term "Gaussian integer congruence" means a Gaussian integer that is congruent to the given Gaussian integer modulo the Gaussian integer modulus. The present invention may also aim at determining a Gaussian integer congruence whose norm is less than the norm of the given Gaussian integer. Determining such a Gaussian integer congruence directly enables the use of the final reduction presented in steps 3 to 11 of algorithm 2 in the following article: Safieh, Malek; Freudenberger, Jürgen: "Montgomery Reduction for Gaussian Integers", Cryptography 2021, 5, 6 (https://doi.org/10.3390/cryptography5010006).
Thus, in a particular aspect of the invention, the Gaussian integer congruence determined with the method according to the invention has a norm less than the norm of the given Gaussian integer.
Throughout this application, the following terms referred to have the following meanings:
The term Gaussian integer modulus denotes a complex modulus having an integer real part and an integer imaginary part. In general, the present invention is applicable to many special forms of Gaussian integer moduli. In one advantageous and preferred aspect of the invention, however, the invention is applied to Gaussian integer moduli that are not ordinary integers. Later, in particular in the description of the preferred embodiment, the Gaussian integer modulus is also denoted $\pi$.
Throughout this application, the term given Gaussian integer refers to a Gaussian integer and thus also includes ordinary integers. A given Gaussian integer may be denoted $z'$ and is used hereinafter, particularly in the description of the preferred embodiment, to initialize the variable value candidate.
Throughout this application, the term "Gaussian integer base raised to an integer exponent" refers to a base that is a Gaussian integer, raised to an exponent that is an integer. Note that, in general, the Gaussian integer base from which this power is formed may differ from the given Gaussian integer mentioned above and will be referred to as the Gaussian integer base hereinafter. Later, particularly in the description of the preferred embodiment, the Gaussian integer base is denoted $\beta$ and the integer exponent $n$; thus, the Gaussian integer base raised to the integer exponent is denoted $\beta^n$. In a preferred and advantageous aspect of the invention, the Gaussian integer base may be a Gaussian integer that is not an ordinary integer. In an alternative and likewise advantageous aspect of the invention, the Gaussian integer base may be an ordinary integer.
Throughout this application, the term variable value candidate of the congruence denotes a candidate for the congruence that may take on temporary, varying Gaussian integer values during the execution of the method according to the invention. However, after each iteration, in which the variable value candidate is decremented by the product of the Gaussian integer modulus and the component-wise rounded-down quotient of the current variable value candidate and the Gaussian integer base raised to the integer exponent, the variable value candidate is always congruent to the given Gaussian integer modulo the Gaussian integer modulus. Later, the variable value candidate of the congruence is also denoted $z'$, particularly in the description of the preferred embodiment.
It should be understood that the phrase "decrementing a variable value candidate by an amount" means subtracting the amount from the variable value candidate.
The method according to the invention allows a Gaussian integer congruence of a given Gaussian integer with a given Gaussian integer modulus to be determined more efficiently. Advantageously, the step of iteratively decrementing the variable value candidate by the product of the Gaussian integer modulus and the component-wise rounded-down quotient of the current variable value candidate and the Gaussian integer base raised to the integer exponent can be performed computationally efficiently using truncation and digit shifting.
In the method according to the invention as described above, the Gaussian integer base raised to the integer exponent is selected such that its norm is less than or equal to the corresponding norm of the Gaussian integer modulus and greater than the corresponding norm of the difference between the Gaussian integer base raised to the integer exponent and the Gaussian integer modulus. It will be appreciated that this step of the method may also be restated as considering a Gaussian integer base raised to an integer exponent whose norm is less than or equal to the norm of the Gaussian integer modulus and greater than the norm of the difference between the Gaussian integer base raised to the integer exponent and the Gaussian integer modulus. In other words, considering a Gaussian integer base raised to an integer exponent that satisfies the above condition may preferably be restated as selecting a Gaussian integer base raised to an integer exponent that satisfies the above condition.
In a preferred and advantageous aspect of the invention, the norm is the absolute value. In this aspect of the invention, the norm of the variable value candidate thus means the absolute value of the variable value candidate, and the norm of the given Gaussian integer means the absolute value of the given Gaussian integer. In alternative advantageous aspects of the invention, other norms, in particular the Manhattan weight or the absolute square value of the variable value candidate, may be used.
In a preferred aspect of the method according to the invention, the method is performed on a computer that stores numbers in a positional number system whose radix equals the Gaussian integer base, which in this aspect of the invention is an ordinary integer base. In this aspect of the invention, the radix of the positional number system directly matches the Gaussian integer base. Thus, many of the operations in the algorithm can be performed by positional shifts of digits in the positional number system. In this particularly useful aspect of the invention, the computational benefits provided by the invention are exploited directly when the present method is performed.
In a particularly advantageous aspect of the method according to the invention, the Gaussian integer base is an ordinary integer, in particular 2. The method can then be applied directly on a computer that stores numbers as binary numbers. Since such positional number systems are used almost universally in computing, this aspect of the invention addresses nearly all computing architectures currently available.
In a preferred aspect of the invention, the variable value candidate is decremented by subtracting the product of the Gaussian integer base raised to the integer exponent and the component-wise rounded-down quotient of the current value of the variable value candidate and the Gaussian integer base raised to the integer exponent. This operation can be performed particularly efficiently, because the rounded-down quotient of the current value of the variable value candidate can be evaluated by shifting digits to the right. In this case, the integer exponent to which the Gaussian integer base is raised is the number of digit positions by which the variable value candidate is shifted to evaluate the quotient. For a binary number system with a Gaussian integer base of 2, so that the Gaussian integer base raised to the integer exponent is an integer power of 2, this operation can be performed at low computational cost by a conventional right bit shift by a number of bits equal to the integer exponent. Throughout this application, whenever the term integer exponent is used, it refers to the integer exponent to which the Gaussian integer base is raised.
In other words, in this aspect of the invention, subtracting the product of the Gaussian integer base raised to the integer exponent and the component-wise rounded-down quotient of the current value of the variable value candidate and the Gaussian integer base raised to the integer exponent is equivalent to truncating the current value of the variable value candidate to its rightmost digits, the number of which is the integer exponent to which the Gaussian integer base is raised.
The component-wise rounding down of the quotient can readily be achieved by applying a rightward digit shift to each component separately.
In a likewise preferred aspect of the method according to the invention, the variable value candidate is iteratively decremented by adding the product of the component-wise rounded-down quotient of the variable value candidate and the Gaussian integer base raised to the integer exponent, and the difference between the Gaussian integer base raised to the integer exponent and the Gaussian integer modulus. In the following, and in particular in the description of the preferred embodiment of the invention, this difference between the Gaussian integer base raised to the integer exponent and the Gaussian integer modulus is also denoted $\epsilon$.
In general, evaluating the product of the difference between the Gaussian integer base raised to the integer exponent and the Gaussian integer modulus, and the component-wise rounded-down quotient of the current value of the variable value candidate and the Gaussian integer base raised to the integer exponent, involves a complex multiplication, which does not cause much computational cost if the difference between the Gaussian integer base raised to the integer exponent and the Gaussian integer modulus is relatively small.
In a further advantageous aspect of the method according to the invention, decrementing the variable value candidate of the Gaussian integer congruence involves shifting by a number of bits equal to the integer exponent to which the Gaussian integer base is raised, and truncating to a number of bits equal to the integer exponent. Later, this operation is denoted $z' - q\beta^n$. As described in the foregoing aspects of the present invention, many of the advantageous operations in the application of this method amount to bit shifting and bit truncation when performed on a conventional binary computer system.
In a further advantageous aspect of the method according to the invention, the difference between the Gaussian integer base raised to the integer exponent and the Gaussian integer modulus consists of the sum of a further integer base raised to a first integer superscript and the further integer base raised to a second integer superscript multiplied by the imaginary unit. In this aspect of the invention, the additional computation step may be performed using a computationally efficient operation, such as a digit shift. Hereinafter, the first superscript is denoted $r$ and the second superscript $j$.
The term "integer superscript" throughout this application means "integer exponent" which is not necessarily equal to the integer exponent referred to previously in this application. Thus, to avoid confusion with the aforementioned integer exponents, the term integer superscript is used as a surrogate term for such additionally introduced integer exponents.
In a particularly advantageous aspect of the method according to the invention, the Gaussian integer modulus is a Gaussian integer modulus whose product with its complex conjugate is a prime ordinary integer. This special case is particularly important for cryptography, for example for generating cryptographic keys and for encryption or decryption, since Gaussian integer fields are considered in this case.
In a preferred method according to the invention, the Gaussian integer base is a sum containing the product of a further ordinary integer raised to a third integer superscript and the imaginary unit, and the difference between the Gaussian integer base raised to the integer exponent and the Gaussian integer modulus is an ordinary integer or a further Gaussian integer. Later, particularly in the description of the preferred embodiment, the third superscript is also denoted $k$. In this particular aspect of the invention, the product with the component-wise rounded-down quotient can be evaluated computationally efficiently using a leftward digit shift in conventional digit notation.
In this advantageous aspect of the invention, for binary number systems, and even where the difference between the Gaussian integer base raised to the integer exponent and the Gaussian integer modulus is not a power of 2 or the sum of a power of 2 and the product of another power of 2 and the imaginary unit, computing the product of that difference and the component-wise rounded-down quotient of the current value of the variable value candidate of the Gaussian integer congruence may be performed with a bit shift.
The aforementioned first, second and third integer superscripts represent further integer indices which are not necessarily identical to the integer indices described earlier in this description.
In the particular case where the difference between the Gaussian integer base raised to the integer exponent and the Gaussian integer modulus is the sum of a further ordinary integer base raised to the first integer superscript and the further ordinary integer base raised to the second integer superscript, and where the Gaussian integer base is a sum containing the product of the further ordinary integer base raised to the third superscript and the imaginary unit, the computations required by the method according to the invention are particularly efficient: evaluating the product of the Gaussian integer base raised to the integer exponent and the rounded-down quotient of the current value of the variable value candidate and the Gaussian integer base raised to the integer exponent involves only truncation. Furthermore, evaluating the product of that rounded-down quotient and the difference between the Gaussian integer base raised to the integer exponent and the Gaussian integer modulus requires only a shift to the left.
In a computer-implemented method for the reduction of a given Gaussian integer with a Gaussian integer modulus, a Gaussian integer congruence of the modular reduction of the given Gaussian integer with the Gaussian integer modulus is first determined using the method described above, followed by a further reduction of the Gaussian integer congruence using a final reduction. The final part of the Montgomery reduction, given in steps 3 to 11 of algorithm 2 in the article Safieh, Malek; Freudenberger, Jürgen: "Montgomery Reduction for Gaussian Integers", Cryptography 2021, 5, 6 (https://doi.org/10.3390/cryptography5010006), constitutes a known reduction which, combined with the method for determining a Gaussian integer congruence of the modular reduction of a given Gaussian integer with a complex modulus, results in a computationally efficient reduction of Gaussian integers.
The computer-implemented cryptographic method according to the invention is in particular a method for generating cryptographic keys and/or for encrypting or decrypting. In this method, a congruence of the modular reduction of a given Gaussian integer with a Gaussian integer modulus is evaluated using the method described above, and/or the reduction of a given Gaussian integer with a complex modulus is evaluated using the method described above.
In the computer-implemented error correction method according to the invention, a congruence of the modular reduction of a Gaussian integer with a Gaussian integer modulus is evaluated using the method described above, and/or the reduction of a Gaussian integer with a Gaussian integer modulus is evaluated using the method described above.
Detailed Description
Hereinafter, embodiments of the present invention are described in more detail:
The reduction algorithm is described below as algorithm 1 and comprises, in steps 1 to 6, the method according to the invention for determining a congruence of the modular reduction of a given Gaussian integer with a Gaussian integer modulus. This method represents the first part of algorithm 1. The second part of algorithm 1 consists of the final reduction, which determines the correct representative from the Gaussian integer ring or field, as used in the Montgomery method. Together, part 1 and part 2 form the method according to the invention for the desired reduction of a given Gaussian integer with a Gaussian integer modulus.
The full reduction algorithm according to algorithm 1 targets Gaussian integer moduli of the form $\pi = \beta^n - \epsilon$, where $|\epsilon| < |\beta^n| \le |\pi|$:
Algorithm 1: Efficient reduction for a given class of Gaussian integers, where $\pi = \beta^n - \epsilon$, with $\epsilon \equiv \beta^n \bmod \pi$ and $|\epsilon| < |\beta^n| \le |\pi|$.
The function "div $\beta^n$" denotes a simple integer division by $\beta^n$. For $\beta = 2$ it simplifies to shift and truncation operations, applied to the real and imaginary parts separately. Note that $z' - q\beta^n + q\epsilon = z' - q\pi$.
_________________________________________________
Input: $\beta^n$, the given Gaussian integer $z'$, and $\pi = \beta^n - \epsilon$.
Output: Gaussian integer $z = z' \bmod \pi$.
1: $q = z'$ div $\beta^n$ // for $\beta = 2$: shift right by $n$ bits
2: while ($q \ne 0 + 0i$) do
3:   $z'' = z' - q\beta^n$ // for $\beta = 2$: truncate to $n$ bits
4:   $z' = z'' + q\epsilon$ // replaces $q\beta^n$ by $q\epsilon$, since $|\epsilon| < |\beta^n|$
5:   $q = z'$ div $\beta^n$ // for $\beta = 2$: shift right by $n$ bits
6: end while
7: apply the final reduction to $z'$ to obtain $z$
In the first part, steps 1 to 6, a Gaussian integer $z'$ is determined that is congruent to the correct result of the complete, desired modular reduction. Because the Gaussian integer base in algorithm 1 equals 2, evaluating step 5 requires only shifting the bits of the real and imaginary parts to the right. The second part, step 7, also referred to throughout this application as the final reduction, uses the final reduction of Gaussian integers as described in steps 3 to 11 of algorithm 2 in the following article to uniquely determine the correct final result, which is the correct representative from the Gaussian integer field or ring: Safieh, Malek; Freudenberger, Jürgen: "Montgomery Reduction for Gaussian Integers", Cryptography 2021, 5, 6, as referenced in the foregoing description, the contents of which are incorporated herein by reference.
Several cases in which algorithm 1 may be applied are distinguished below:
In general, for an ordinary integer as Gaussian integer base $\beta$, for example $\beta = 2$, step 3 of algorithm 1 involves only truncation. Furthermore, evaluating the product $q\epsilon$ of the difference $\epsilon$ between the Gaussian integer base raised to the integer exponent, $\beta^n$, and the Gaussian integer modulus $\pi$, and the component-wise rounded-down quotient $q$ of the current value of the variable value candidate $z'$ and $\beta^n$, as required in step 4 of algorithm 1, involves a complex multiplication, which does not cause much computational cost if the difference $\epsilon$ is relatively small.
However, if the difference $\epsilon$ equals the sum of a further integer base (such as 2) raised to a first superscript $r$ and the further integer base 2 raised to a second superscript $j$ multiplied by the imaginary unit (hence $\epsilon = 2^r + 2^j i$), and the Gaussian integer base $\beta$ is an integer power of the further integer base 2, then step 3 can be evaluated using truncation and $q\epsilon$ is computed with a leftward digit shift (here a bit shift), as described in algorithm 2 below.
This is explained in more detail below with a first example regarding algorithm 2.
Likewise, in case the difference ε is not the sum of the further integer base raised to a first integer superscript and the product of the further integer base raised to a second integer superscript and the imaginary unit, while the gaussian integer base is the sum of the further integer base raised to a third integer superscript and the product of the further integer base raised to the third integer superscript and the imaginary unit, step 3 may be performed with a digit shift such as a bit shift, while step 4 still requires a complex multiplication.
In the particular case where the difference ε between the gaussian integer base raised to the integer exponent and the gaussian integer modulus is the sum of the further integer base raised to a first integer superscript and the product of the further integer base raised to a second integer superscript and the imaginary unit, and where the gaussian integer base is the sum of the further integer base raised to a third integer superscript and the product of the further integer base raised to the third integer superscript and the imaginary unit, step 3 of algorithm 1 requires only a digit shift to obtain the product qβ^n of the rounded-down quotient q of the current value of the gaussian integer congruence variable value candidate and the gaussian integer base raised to the integer exponent. In this case, the evaluation of the product qε of the rounded-down quotient q and the difference ε in step 4 also needs only bit shifts to the left.
This last case is explained with the second example of algorithm 2 described below.
The final reduction step of algorithm 1 is expensive to implement. However, for several applications, such as cryptography, many intermediate results have to be computed for which a congruent solution is sufficient. Thus, for any congruence z′ with
max(|Re{z′}|, |Im{z′}|) ≤ max(|Re{π}|, |Im{π}|),
the final reduction in step 7 of algorithm 1 may be omitted, where Re{x} and Im{x} denote the real and imaginary parts of the gaussian integer x, respectively. We note that there are many such gaussian integers of interest for efficient error correction coding, cryptography, and other applications.
For a special form of the gaussian integer modulus, the complexity of the newly derived first part, steps 1 to 6 of the algorithm, can be reduced:
In the first example, explained with algorithm 2, let the gaussian integer base β = b be a normal integer and ε = b^r + b^j i a gaussian integer, where b is a convenient further integer base. For b = 2, the integer division z′ div β^n can be achieved by shifting the real and imaginary parts of z′ to the right by n bits each. Similarly, z″ = z′ − qβ^n can be achieved by truncating the real and imaginary parts of z′ to n bits each. Because of the form of ε used, the complex multiplication qε in step 4 can be obtained with bit shifts by r and by j to the left. Steps 1 to 6 of the algorithm can therefore be calculated using only truncation, addition, subtraction and shift operations, which is very efficient for implementation. This concept applies to certain gaussian integer rings and fields, and is not possible for rings and fields over ordinary integers. The resulting reduction is summarized in algorithm 2 for a gaussian integer z from a ring or field of size, or order, p, where the order p is the absolute square of the gaussian integer modulus:
Algorithm 2: Efficient reduction of a given gaussian integer to obtain z′ ≡ z mod π, where |Re{z′}| < 2^n and |Im{z′}| < 2^n, for a given gaussian integer z and the gaussian integer modulus π = 2^n − (2^r + 2^j i), with r and j positive integers (or one of them zero). The function mul(x, 2^n) indicates that x is shifted n bits to the left.
___________________________________________
Input: a given gaussian integer z, n, r, and
Output: z′ ≡ z mod π, where |Re{z′}| < 2^n, |Im{z′}| < 2^n
After these steps, a final reduction may also be performed.
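Steps 1 to 6 of algorithm 1, specialised to the first example above (β = 2, ε = 2^r + 2^j i, hence π = 2^n − (2^r + 2^j i)), as an added Python example that is not the patent's own code: the function names, the iteration guard and the sample inputs are assumptions. It also checks the resulting congruence against π via the conjugate, which the text does not show.

```python
# Added example (not from the patent): first part of algorithm 1 for beta = 2 and
# eps = 2^r + 2^j i, i.e. modulus pi = 2^n - (2^r + 2^j i), using only shifts,
# masks, additions and subtractions.  Gaussian integers are (real, imag) tuples.
from typing import Tuple

GaussInt = Tuple[int, int]


def gmul(a: GaussInt, b: GaussInt) -> GaussInt:
    """Plain Gaussian-integer multiplication (used only for the check)."""
    ar, ai = a
    br, bi = b
    return (ar * br - ai * bi, ar * bi + ai * br)


def reduce_congruent(z: GaussInt, n: int, r: int, j: int, max_iter: int = 64) -> GaussInt:
    """Steps 1-6 of algorithm 1: return z' congruent to z mod pi with
    0 <= Re z', Im z' < 2^n.  No final reduction (step 7) is applied.
    max_iter is an assumed safety guard, not part of the patent's algorithm."""
    mask = (1 << n) - 1
    zr, zi = z
    q = (zr >> n, zi >> n)          # step 1: component-wise floor of z / 2^n
    for _ in range(max_iter):
        if q == (0, 0):             # step 2: while q != 0
            return (zr, zi)
        zr &= mask                  # step 3: z'' = z' - q*2^n, i.e. keep the low
        zi &= mask                  #         n bits of each component (floor semantics)
        qr, qi = q                  # step 4: z' = z'' + q*eps, where
        zr += (qr << r) - (qi << j) #   q*eps = (qr*2^r - qi*2^j) + (qr*2^j + qi*2^r) i
        zi += (qr << j) + (qi << r) #   so only left shifts are needed
        q = (zr >> n, zi >> n)      # step 5: q = z' div 2^n (arithmetic right shift)
    raise RuntimeError("reduction did not converge")


def is_congruent(a: GaussInt, b: GaussInt, n: int, r: int, j: int) -> bool:
    """True iff (a - b) / pi is a Gaussian integer, tested as
    (a - b) * conj(pi) being divisible by the norm |pi|^2 in both components."""
    pi = ((1 << n) - (1 << r), -(1 << j))   # pi = (2^n - 2^r) - 2^j i
    norm = pi[0] * pi[0] + pi[1] * pi[1]
    diff = (a[0] - b[0], a[1] - b[1])
    num = gmul(diff, (pi[0], -pi[1]))
    return num[0] % norm == 0 and num[1] % norm == 0


if __name__ == "__main__":
    # constructed sample: n = 8, r = 3, j = 1 gives pi = 248 - 2i
    print(reduce_congruent((1000, 0), 8, 3, 1))     # (8, 8), since 992 - 8i = 4*pi
    print(reduce_congruent((-1, 0), 8, 3, 1))       # (249, 246)
```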
In the second example, let β = (b^k + b^k i) be a gaussian integer and ε a normal or gaussian integer, where b is a convenient base.
For b = 2, step 3 can be implemented using a subtraction, and its second term qβ^n can be obtained with a bit shift to the left. Furthermore, the integer division in steps 1 and 5 of algorithm 1 can be defined as follows
where (β^n)* is the complex conjugate of β^n. Due to the form of β used, this operation can be implemented with simple bit shifts. Similarly, the complex multiplication qβ^n in step 3 of algorithm 1 can be realized with a simple bit shift to the left. Thus, the complexity of steps 1 to 6 of algorithm 1 is dominated by the complex multiplication qε. As with the previous notation, these multiplications have low complexity for differences ε of low norm. Furthermore, for ε = b^r or for ε = b^r + b^j i, these multiplications can be achieved with a bit shift to the left.
Since the computational cost of the first part of the reduction comes mainly from the multiplication qε, choosing an ε whose norm is far smaller than the norm of the gaussian integer base raised to the integer exponent results in significantly lower computational cost, even if ε is not of the form ε = b^r or ε = b^r + b^j i. When ε is chosen from this particular class, the multiplication can be performed even more efficiently by digit shifts to the left.

Claims (15)

1. Computer-implemented method for determining a gaussian integer congruent to a given gaussian integer modulo a gaussian integer modulus, wherein a gaussian integer base raised to an integer exponent is considered whose norm is less than or equal to the norm of the gaussian integer modulus and greater than the norm of the difference between the gaussian integer base raised to the integer exponent and the gaussian integer modulus, and wherein a variable value candidate for the gaussian integer congruence is considered which is
first initialized with the given gaussian integer,
iteratively decremented by the product of the gaussian integer modulus and the component-wise rounded-down quotient of the current value of the variable value candidate and the gaussian integer base raised to the integer exponent, as long as the quotient does not vanish,
and the resulting variable value candidate is thereafter determined as the gaussian integer congruence.
2. The method of claim 1, wherein the norm of the determined gaussian integer congruence is less than the norm of the given gaussian integer.
3. Method according to one of the preceding claims, wherein the norm represents an absolute value.
4. Method according to claim 1 or 2, wherein the norm represents a Manhattan weight or an absolute square value.
5. The method according to one of the preceding claims, wherein the method is performed on a computer that stores numbers in a positional number system having a base, wherein the base is equal to the integer base.
6. The method according to one of the preceding claims, wherein the gaussian integer base is a normal integer base, preferably 2.
7. The method according to one of the preceding claims, wherein iteratively decrementing the variable value candidate involves subtracting the product of the gaussian integer modulus and the component-wise rounded-down quotient of the current value of the variable value candidate and the gaussian integer base raised to the integer exponent.
8. The method according to one of the preceding claims, wherein iteratively decrementing the variable value candidate involves adding the product of the component-wise rounded-down quotient and the difference between the gaussian integer base raised to the integer exponent and the gaussian integer modulus.
9. The method according to one of the preceding claims, wherein iteratively decrementing the variable value candidate involves shifting by a number of bits equal to the integer exponent to which the gaussian integer base is raised and truncating to a number of bits equal to the integer exponent.
10. The method according to one of the preceding claims, wherein the difference between the gaussian integer base raised to the integer exponent and the gaussian integer modulus consists of the sum of a further integer base raised to a first superscript and the further integer base raised to a second superscript multiplied by the imaginary unit.
11. The method according to one of the preceding claims, wherein the gaussian integer modulus is a gaussian integer modulus for which the product of the modulus and its conjugate is a prime normal integer.
12. The method according to one of the preceding claims, wherein the gaussian integer base is the sum of a normal integer raised to a third integer superscript and the product of the imaginary unit and the normal integer raised to the third integer superscript.
13. A computer-implemented method for determining a reduction of a given gaussian integer modulo a gaussian integer modulus, wherein a gaussian integer congruent to the given gaussian integer modulo the gaussian integer modulus is first determined by a method according to one of the preceding claims and is then further reduced by a final reduction.
14. A computer-implemented cryptographic method, in particular for generating a cryptographic key and/or for encryption or decryption, wherein a gaussian integer congruent to a given gaussian integer modulo a gaussian integer modulus is determined using a method according to one of claims 1 to 12, and/or wherein a reduction of a given gaussian integer modulo a gaussian integer modulus is determined using a method according to claim 13.
15. A computer-implemented error correction method, wherein a gaussian integer congruent to a given gaussian integer modulo a gaussian integer modulus is determined using a method according to one of claims 1 to 12, and/or wherein a reduction of a given gaussian integer modulo a gaussian integer modulus is determined using a method according to claim 13.
CN202280032003.6A 2021-04-30 2022-04-25 Computer-implemented method for determining a gaussian integer congruence with a given gaussian integer modulus, method for determining a reduction of a given gaussian integer modulus, and cryptographic and error correction methods Pending CN117280316A (en)

Applications Claiming Priority (5)

Application Number Priority Date Filing Date Title
DE102021204379.8 2021-04-30
DE102021204916.8 2021-05-14
EP21178084.6 2021-06-07
EP21178084.6A EP4083782A1 (en) 2021-04-30 2021-06-07 Computer-implemented method for determining a gaussian integer congruent to a given gaussian integer modulo a gaussian integer modulus, method for determining a reduction of a given gaussian integer modulo a gaussian integer modulus and cryptographic method and error-correction method
PCT/EP2022/060901 WO2022229103A1 (en) 2021-04-30 2022-04-25 Computer-implemented method for determining a gaussian integer congruent to a given gaussian integer modulo a gaussian integer modulus, method for determining a reduction of a given gaussian integer modulo a gaussian integer modulus and cryptographic method and error-correction method

Publications (1)

Publication Number Publication Date
CN117280316A true CN117280316A (en) 2023-12-22

Family

ID=89212855

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202280032003.6A Pending CN117280316A (en) 2021-04-30 2022-04-25 Computer-implemented method for determining a gaussian integer congruence with a given gaussian integer modulus, method for determining a reduction of a given gaussian integer modulus, and cryptographic and error correction methods

Country Status (1)

Country Link
CN (1) CN117280316A (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination