
Figure 4.2 The operation of machine D

Algorithm 4.2: Extended Euclid Algorithm

INPUT a, b: integers with a > b ≥ 0;

OUTPUT integers l, m satisfying al + bm = gcd(a, b).

1. i ← 0; r_{–1} ← a; r_0 ← b;
   l_{–1} ← 1; m_{–1} ← 0; l_0 ← 0; m_0 ← 1; (* initialize *)

2. while (r_i = al_i + bm_i ≠ 0) do (* it always holds al_i + bm_i = r_i *)
   a. q ← r_{i–1} ÷ r_i; (* ÷ denotes division in integers *)
   b. l_{i+1} ← l_{i–1} – ql_i; m_{i+1} ← m_{i–1} – qm_i; (* sum up quotients *)
   c. i ← i + 1;

3. return( (l_{i–1}, m_{i–1}) ).

Modern Cryptography: Theory and Practice By Wenbo Mao Hewlett-Packard Company

Publisher: Prentice Hall PTR Pub Date: July 25, 2003

ISBN: 0-13-066943-1 Pages: 648

Many cryptographic schemes and protocols, especially those based on public-key cryptography, have basic or so-called "textbook crypto" versions, as these versions are usually the subjects for many textbooks on cryptography. This book takes a different approach to introducing cryptography: it pays much more attention to fit-for-application aspects of cryptography. It explains why "textbook crypto" is only good in an ideal world where data are random and bad guys behave nicely. It reveals the general unfitness of "textbook crypto" for the real world by demonstrating numerous attacks on such schemes, protocols and systems under various real-world application scenarios. This book chooses to introduce a set of practical cryptographic schemes, protocols and systems, many of them standards or de facto ones, studies them closely, explains their working principles, discusses their practical usages, and examines their strong (i.e., fit-for-application) security properties, often with security evidence formally established. The book also includes self-contained theoretical background material that is the foundation for modern cryptography.

Remark 4.1

In order to expose the working principle of Alg 4.1 and Alg 4.2 in an easily understandable way, we have chosen to sacrifice efficiency. In the next two sections (§4.3.2.3—§4.3.2.4) we will analyze their time complexities and contrast our result with the best known time complexity result for computing greatest common divisor.

4.3.2.3 Time Complexity of Euclid Algorithms

Let us now measure the time complexities for the two Euclid algorithms. It is clear that the number of recursive calls in Alg 4.1 is equal to the number of loops in Alg 4.2 which is in turn equal to k in (4.3.3).

Consider the case a > b and observe (4.3.7) for i = 0, 1, …, k – 1. We have either of the following two cases:

Equation 4.3.10

or

Equation 4.3.11

Further noticing r_{i+1} < r_i, so case (4.3.10) also implies case (4.3.11), that is, case (4.3.11) holds invariantly. This means that the maximum value for k is bounded by 2·|a|. If we consider the modulo operation as a basic operation which takes one unit of time, then the time complexity of gcd realized in Alg 4.1 is bounded by 2·|a|. This is a linear function in the size of a.

Theorem 4.1

Greatest common divisor gcd(a, b) can be computed by performing no more than 2·max(|a|, |b|) modulo operations. Therefore, Alg 4.1 and Alg 4.2 terminate within 2·max(|a|, |b|) loops.

G. Lamé (1795–1870) was the first person who proved the first sentence in the statement of Theorem 4.1. It is considered to be the first theorem ever proved about the theory of computational complexity (page 35 of [176]).
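As an added example (not the book's own code), the following Python implements Algorithm 4.2 step by step, checks the loop invariant al_i + bm_i = r_i on every iteration, and returns the loop count so that the bound of Theorem 4.1 can be verified on concrete inputs; it assumes |x| means the bit length of x, and the Fibonacci pair used below is a constructed worst-case input.

```python
# Added example: Algorithm 4.2 (Extended Euclid) with the invariant checked and
# the loop count returned, to verify the Lamé bound of Theorem 4.1 on real inputs.

def extended_euclid(a: int, b: int):
    """Return (l, m, g, loops) with a*l + b*m == g == gcd(a, b), for a > b >= 0."""
    if not (a > b >= 0):
        raise ValueError("Algorithm 4.2 requires a > b >= 0")
    # Step 1: r_{-1} = a, r_0 = b and the coefficient pairs (l, m).
    r_prev, r_cur = a, b
    l_prev, m_prev = 1, 0          # a*1 + b*0 = r_{-1} = a
    l_cur, m_cur = 0, 1            # a*0 + b*1 = r_0  = b
    loops = 0
    # Step 2: loop while r_i != 0; a*l_i + b*m_i = r_i always holds.
    while r_cur != 0:
        assert a * l_cur + b * m_cur == r_cur, "invariant violated"
        q = r_prev // r_cur                      # 2a: integer division
        l_next = l_prev - q * l_cur              # 2b: sum up quotients
        m_next = m_prev - q * m_cur
        r_next = r_prev - q * r_cur              # r_{i-1} mod r_i
        l_prev, m_prev, l_cur, m_cur = l_cur, m_cur, l_next, m_next
        r_prev, r_cur = r_cur, r_next
        loops += 1                               # 2c: i <- i + 1
    # Step 3: return (l_{i-1}, m_{i-1}); r_{i-1} is gcd(a, b).
    return l_prev, m_prev, r_prev, loops


def within_lame_bound(a: int, b: int) -> bool:
    """Theorem 4.1: the loop count never exceeds 2*max(|a|, |b|) (bit lengths)."""
    _, _, _, loops = extended_euclid(a, b)
    return loops <= 2 * max(a.bit_length(), b.bit_length())


if __name__ == "__main__":
    # Constructed inputs: a generic pair, and consecutive Fibonacci numbers
    # (the slowest case for Euclid's algorithm).
    for a, b in ((240, 46), (89, 55)):
        l, m, g, loops = extended_euclid(a, b)
        print(f"{a}*{l} + {b}*{m} = {g}, loops = {loops}, "
              f"bound ok = {within_lame_bound(a, b)}")
```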


sequentiality characteristic in the computation of greatest common divisor. Since Euclid discovered his algorithm (i.e., Alg 4.1), no significant improvement has been found to cut short this seemingly necessary sequential process.

4.3.2.4 Two Expressions for Computational Complexity

When we measure the computational complexity for an algorithm, it is often difficult or unnecessary to pinpoint exactly the constant coefficient in an expression that bounds the complexity measure. Order notation allows us to ease the task of complexity measurement.

Definition 4.2: Order Notation We write O(f(n)) to denote a function g(n) such that there exists a constant c > 0 and a natural number N with |g(n)| ≤ c|f(n)| for all n ≥ N.

Using the notation O() we can express the time complexities of Alg 4.1 and Alg 4.2 as O(log a). Notice that in this expression we have replaced |a| with log a without explicitly giving the base of the logarithm (though we conventionally agree that the omitted base is natural base e). The reader may confirm that any base b > 1 will provide a correct measurement expression under the order notation (Exercise 4.10).

So far we have considered that computing one modulo operation costs one unit of time, that is, it has the time complexity O(1). As a matter of fact, modulo operation "a (mod b)" in the general case involves division a ÷ b, which is actually done in Alg 4.2 in order to keep the quotient. Therefore the time complexity of modulo operation, the same as that of division, should depend on the sizes of the two operands. In practical terms (for the meaning of "practical," see the end of §4.4.6), using O(1) to represent the time for a division is too coarse for a sensible resource management.

A simple modification of the order notation is to measure an arithmetic in terms of bitwise computation. In bitwise computation, all variables have the values 0 or 1, and the operations used are logical rather than arithmetic: they are ∧ (for AND), ∨ (for OR), ⊕ (for XOR, i.e., "exclusive or"), and ¬ (for NOT).
