Hi,

I'm trying to figure out how to implement RSA crypto from scratch (just for the intellectual exercise), and I'm stuck on this point:

For encryption, c = m^e mod n

Now, e is normally 65537. m and n are 1024-bit integers (e.g. 128-byte arrays). This is obviously too big for standard methods. How would you implement this?

I've been reading a bit about exponentiation here but it just isn't clicking for me:

http://en.wikipedia.org/wiki/Exponentiation_by_squaring

http://www.cacr.math.uwaterloo.ca/hac/about/chap14.pdf (see section 14.85)

Thanks.

edit: Also found this - is this more what I should be looking at? http://en.wikipedia.org/wiki/Modular_exponentiation

+3  A: 
sth
+8  A: 

Exponentiation by squaring:

Let's take an example. You want to find 17^23. Note that 23 is 10111 in binary. Let's try to build it up from left to right.

           // a      exponent in binary

a = 17     //17^1          1

a = a * a  //17^2         10

a = a * a  //17^4        100
a = a * 17 //17^5        101

a = a * a  //17^10      1010
a = a * 17 //17^11      1011

a = a * a  //17^22     10110
a = a * 17 //17^23     10111

When you square, you double the exponent (shift left by 1 bit). When you multiply by m, you add 1 to the exponent.

If you want to reduce modulo n, you can do it after each multiplication (rather than leaving it to the end, which would make the numbers get very large).

65537 is 10000000000000001 in binary which makes all of this pretty easy. It's basically

a = m
repeat 16 times:
    a = a * a
    a = a mod n
a = a * m
a = a mod n

where of course a, n and m are "big integers". a needs to be at least 2048 bits as it can get as large as (n-1)^2.

Artelius
Fantastic answer. I'm taking a while to soak it in though, it's taking a while!
Chris
And, for implementation's sake, all I need further is to implement a bignum for the multiplication and modulus steps above?
Chris
You're almost sure to implement bignum incorrectly. The problem of multiplying big numbers and adding big numbers is almost as tricky as exponentiation. Can you not use a language library that handles that automatically?
Stefan Kendall
Adding big numbers is not terribly hard. Multiplying them is trickier although the Karatsuba Algorithm is not that hard to implement. I suggest starting with a library and then replacing it with your own implementation if you really want to.
Artelius
This is a learning exercise, so I really want to implement it myself. I'll start by implementing the longhand version, then move on to Karatsuba later possibly. I'm sure I'll get it wrong first time, that's never stopped me before!
Chris
Ah, okay :). Slow multiplication will kill the exponentiation by squaring method, so you'll want to get that right before you tackle the main problem. This exact set of problems was posed to my algorithms class when I attended university, and about 80% of the students slammed into a brick wall with multiplication.
Stefan Kendall
Boo-yah! Got the multiplication to work pretty much first go :)
Chris
Just wanted to point out that this solution only computes 1 exponent. For RSA you're going to need a general solution for the other key - see solution below :-)
phkahler
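
The left-to-right method from the answer above, generalized to any exponent, as an added example that is not part of any poster's answer. It uses Python's built-in integers in place of a hand-written bignum (an assumption; the thread's goal is to write one), and the 1024-bit modulus is a constructed random odd number, not a real RSA key.

```python
# Added example: left-to-right square-and-multiply, reducing mod n after
# every multiplication so no intermediate value exceeds (n-1)^2.
import random


def modexp_ltr(m, e, n):
    """Return (m**e mod n, stats), scanning the exponent bits MSB first."""
    if n <= 0 or e < 0:
        raise ValueError("need n > 0 and e >= 0")
    if e == 0:
        return 1 % n, {"squarings": 0, "multiplies": 0, "max_bits": 0}
    m %= n
    a = m                      # the leading 1 bit of e: a = m^1
    squarings = multiplies = max_bits = 0
    for bit in bin(e)[3:]:     # remaining bits, after '0b' and the leading 1
        t = a * a              # square: exponent shifts left by one bit
        max_bits = max(max_bits, t.bit_length())
        a = t % n
        squarings += 1
        if bit == "1":
            t = a * m          # multiply by the base: exponent gains 1
            max_bits = max(max_bits, t.bit_length())
            a = t % n
            multiplies += 1
    stats = {"squarings": squarings, "multiplies": multiplies,
             "max_bits": max_bits}
    return a, stats


def demo_rsa_sized(seed=1):
    """Run e = 65537 against a constructed 1024-bit odd modulus."""
    rng = random.Random(seed)
    n = rng.getrandbits(1024) | (1 << 1023) | 1   # constructed, not a key
    m = rng.getrandbits(1024) % n
    c, stats = modexp_ltr(m, 65537, n)
    return c == pow(m, 65537, n), stats


if __name__ == "__main__":
    print(modexp_ltr(17, 23, 1000))   # same 4 squarings + 3 multiplies as the trace
    print(demo_rsa_sized())           # 16 squarings + 1 multiply, <= 2048-bit products
```

The `max_bits` figure is the size the intermediate product buffer of a hand-written bignum has to hold before each reduction.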
+3  A: 
phkahler
You forgot to e>>=1
Artelius
Thanks for spotting that. Fixed.
phkahler
Don't we have to start with the most significant bit? See VII.A here: http://people.csail.mit.edu/rivest/Rsapaper.pdf
Chris
My mistake, you're using the right-to-left binary method, which is a different algorithm to what I was thinking: http://en.wikipedia.org/wiki/Modular_exponentiation#Right-to-left_binary_method
Chris
I was going to write it scanning left to right, but at the time it seemed like a hassle. This way you don't need to find the MSB, but you do have to shift the whole exponent each loop. It's a small trade.
phkahler
+1  A: 

If g(x) = x mod 2^k is faster to calculate for your bignum library than f(x) = x mod N for N not divisible by 2, then consider using Montgomery multiplication. When used with modular exponentiation, it avoids having to calculate modulo N at each step, you just need to do the "Montgomeryization" / "un-Montgomeryization" at the beginning and end.

Jason S
N cannot be even, e.g. 26 cannot be used for Montgomery multiplication but 26 is not a power of 2.
GregS
fixed... thanks!
Jason S