Enhanced Euclid Algorithm for Modular Multiplicative Inverse and Its Application in Cryptographic Protocols

doi:10.4236/ijcns.2010.312123

Paper Menu >>

Journal Menu >>

Int. J. Communications, Network and System Sciences, 2010, 3, 901-906

doi:10.4236/ijcns.2010.312123 Published Online December 2010 (http://www.SciRP.org/journal/ijcns)

Enhanced Euclid Algorithm for Modular Multiplicative

Inverse and Its Application in Cryptographic Protocols

Boris S. Verkhovsky

Computer Science Department, New Jersey Institute of Technology,

University Heights, Newark, USA

E-mail: verb@njit.edu

Received August 21, 2010; revised October 4, 2010; accepted November 16, 2010

Abstract

Numerous cryptographic algorithms (ElGamal, Rabin, RSA, NTRU etc) require multiple computations of

modulo multiplicative inverses. This paper describes and validates a new algorithm, called the Enhanced

Euclid Algorithm, for modular multiplicative inverse (MMI). Analysis of the proposed algorithm shows that

it is more efficient than the Extended Euclid algorithm (XEA). In addition, if a MMI does not exist, then it is

not necessary to use the Backtracking procedure in the proposed algorithm; this case requires fewer opera-

tions on every step (divisions, multiplications, additions, assignments and push operations on stack), than the

XEA. Overall, XEA uses more multiplications, additions, assignments and twice as many variables than the

proposed algorithm.

Keywords: Extended-Euclid Algorithm, Modular Multiplicative Inverse, Public-Key Cryptography, RSA

Cryptocol, Rabin Information Hiding Algorithm, ElGamal Encryption/Decryption, NTRU

Cryptosystem, Computer Simulation, Low Memory Devices

1. Introduction

Elements of modular arithmetic are essential for pub-

lic-key encryption algorithms such as the RSA crypto-

graphic algorithm [1-3], and RSA with digital signature

[4]; ElGamal cryptocol [5]; Rabin encryption/decryption

scheme based on extraction of square roots [6]; NTRU

cryptosystem [7]; and extensions of some of these algo-

rithms in Gaussian arithmetic require computation of a

modular multiplicative inverse (MMI) [8-10]. The MMI

is also computed for cryptanalysis of public-key crypto-

graphic protocols [11-13].

A new algorithm, called the Enhanced-Euclid Algo-

rithm (NEA), for modular multiplicative inverse (MMI)

is described and validated in this paper.

Definition 1: Given relatively prime integers and

, there exists an unique integer x such that 0



1modpx p



. (1)

Then x is defined as the modular multiplicative inverse

of 1

modulo or, for short, MMI.

The NEA finds for two relatively prime integers 0

and 1 an integer number x that satisfies the Equation

(1). And if and are not relatively prime, then

NEA finds a gcd(0,1). The Extended-Euclid algo-

rithm (XEA) also finds a MMI of modulo if

and only if gcd(,) = 1 [1,2,7].

0 1

This paper proves the validity o f NEA and provides its

analysis. The analysis demonstrates that NEA is faster

than the Extended Euclid algorithm. Preliminary results

of this paper are published in [8].

2. Basic Arrays and Their Properties

Let’s consider five finite integer arrays:











 

; ;

k k

t w



z;;

pc (2)

Definition 2: Let





p and





c be integer arrays

defined according to the following generating rules:

Given two relatively prime integers 0

p and 1

p su

that 0

p1iwhile i

p

1 , p, for do 2

ii 1

d;:

iiii

pcpp









o.





pp (3)

Definition 3: Let





t be an arbitrary integer array

for all ; let for initially specified 0 1 0

and 1 the following generating rules be defined for all

1k,w,w z

2k

902 B. S. VERKHOVSKY

11 2

kkk k

wwt w

 

;

and

11 2

kkk k

zzt z

 

. (4)

Proposition 1: Let’s define for 1k

:kk

kkk

Dzz



. (5)

Then





 D. (6)

Proof: Consider k and substitute in the left column

the values of k and defined in (4). After simpli-

fications we derive that

1kk





, which recursively

implies (6).

Proposition 2: Consider the integer arrays





, and (4)



where 00 1

:1; :wz0; :1z .

Then is a multiplicative inverse of





1k



modulo for every .

Proof: Indeed, since , then (5) implies that

D 1









kkk k

wz zwz





, (7)

or that

 

1111

kkk

wzzzwz











Then from (7) it follows that

 

11 1

111

kkk

wzzwz













i.e.,





 .

Proposition 3: If for all 0kr



kk

, and , (8) :





then and are the initial values that generate the

arrays



 





:and:

krkkr

tc wp





Remark 1: Notice that =



c and



wp,

where the superscript R means that the arrays





1kzz



and

are written in a reverse order.



Theorem 1: For all k = 1,, r, is the

inverse of modulo p.





1rk

Proof follows from Propositions 1-3.

p

Theorem 1 implies the following assertions:

1) if k is odd and ,

11z

then x:=> 0;

2) if k is even and ,

11z

then x:=< 0.

In the latter case select

pz. (9)

3. Enhanced Euclid Algorithm for MMI

The proposed algorithm uses stack as a data structure,

[2].

vars: r; L; M; S; t: all integer numbers; b: Boolean;

procedure Forward:

:Lp



; 1



; b: = 0; {r: = 0};

repeat :tLM







; :SLMt



;





:1; :1;bbrr



 (10)

push t {onto the top of the stack};

L: = M; M: = S; (11)

until S = 1;

Remark 2: if S = 0, then ; therefore

the MMI does not exist;



gcd ,pp t

procedure Backtracking:

S: = 0;





; {by (9) in the Theorem 1};

repeat pop t {from the top of the stack};

L: = Mt + S; (12)

:; :SMML;

until the stack is empty;

output x: = L; {if x < 0, then x: = x +}.

Remark 3: r is the height of the stack and is used be-

low for analysis of the proposed algorithm.

4. Two Illustrative Examples

Let’s demonstrate how NEA finds a multiplicative in-

verse x of 27,182,845 modulo 31,415,926. Table 1 be-

low shows the computation of remainders in the upper

row and stores the quotients in the middle row (the

stack). Then the Backtracking procedure is used to com-

pute from right to left until the stack is empty. The

inputs and MMI are shown in bold, and the stack val-

ues are in italics. Since the total number of steps (the

height of the stack) is equal to fourteen (i.e., even), then

x = 13,939,773.

Direct verification confirms that indeed

27182845 * 13939773 mod 31415926 = 1.

In the second numerical example we need to find the

MMI z of 27,319,913 modulo 177,276,627 {see Table

2}. Since the height of the stack is odd, then

z = 177276627-344 80855 = 14279577 2.

Direct computation verifies that z is indeed the MMI

of 27319913, since

27319913 * 142795772 mod 1772766 27 = 1.

5. Complexity Analysis of MMI Algorithm

Consider four non-negative integer arrays ,







B. S. VERKHOVSKY

903

Table 1. Modular multiplicative inverse algorithm in progress.

31415926 2718208730

2845

4233081 1784359 664363 455633

Stack 1 6

2 2 1 2

112084 18789 792920927

3939773 614821750 4789 2172 61

(continuation)

208730 38173 17865 2443151 9 7 2 1 764

2 5 2 7 3 5 16 1 3 ***

92 7 168 7927 1084 3 61933967 4 3

1 0

Table 2.nd numal illusion.

177276627 27319913 136 5 1

Secoerictrat

3357149 605615 33619 473

Stack 6 2

22 18 71 13 7 ***

353108 25907 114 6 4480855 388077953992 7 1 0

ed as fo

 

and



definllows: 11

kkk

dqq







; (13)

satisfy (3) and a

(14)

Then (3) and (14) imply that

mod

Hence both arrays and ar -

creasing, and all termcorresarrays

 

and

pc re defined as

11 11

:; :

iiikkkk

ppcqqqd

 

 



iiii

pppc









s of the



ponding

e strictly de







d are positive er num

Definition 4:



an integ bers.



is a (s + 1)-dimensional ve

consisting of the first s + 1 terms of actor,

n array

01 1

, ,...,,,

xxx

i.e.,





:,,...,,

…,

1 1

xxxx.



Theorem 2: Consider



and

 

cp

 

; ;1

sss



p.

Let pq

;

 

cd,

j = l suc

following in

i.e., for all j = 1,, s

eists at least one h that . Thor

al the

there xjs ll

l 1equalities hold:

if 11jl, then

cden f

pq

otherwise

pq. (15)

Proof: Assuming that the stat

, it can also be demonstrated by

Consi

ement (15) holds for all

induction that

1ij

(15) also holds for ij.

der

jjjjjj

j j

qqp p

q pp





tdc





 



 

 



 

(16)





 

If 1jl





lows: if , then else. Hence from (16)

it fol0

t

1 0

t



, then

pq otherwise

pq.

Since 00



, then (14) holds for all js. Q.E.D.

nsider af relatively prime

s an arr

Co pair o seeds 01

and pp

that generateay





1

ir of relatively prime seeds 01

and pq ge

. Consider also a

pa tha

an array

nothe

t nerates





d,

ual to one. Let r and s be the number of steps

respectively to find MMe first and the second

pair using either XEA or NEA. Thismption implies

that s

i.e l its

eq . such that

Is for th

not al

assu

required

rms are



. Then by Theorem 2







pq and

pq. Hence rs.

Corollary: A pair of seeds, that for a given 0

p re-

quires the maximal number of steps for computation of a

MMIrates an unary array of ., all

s in i.e, genequotients,

component







. Thus, as it follows )

an from (3

lowd (14), this pair of seeds must generate the foling

array of integer numbers: 201

:ppp;312

:ppp;;

rr r

pp p





. It is easy to verify that this array is

equivalent to the of Fibonacci numbers sequence





rr 432

,...,, ,



In other words, for every 0,...,ir 2

FFF





, [14].

Remark 4: The pair ;pF pF is

02r

) a unary a11r

rrayf qnot the

only one that generates auotients and

b) a decreasing integer array where the rth remainder

eq pairs of seeds hav

uals one.

Indeed, the followinge the same

B. S. VERKHOVSKY

904

of the Lucas

1

zero and negative

indices are computed in accdance with the formula:

property for all non-negative integer numbers t and u:

1) 02rr

pF tF



; 111rr

pF tF



 ; for t = 1





; ;

pL



is a sequence

2 1r

mbers 1, 3, 4, 7, 11, 18,[15];



021

ptF tF



 1t;

;L

L



1ptFtF ;

11rr

;pFtF t2

01rr1; 11

;

pFtF







rr r

ptFtFuF



 



1ptFtFuF

113rr r

Here the Fibonacci num.

bers with





.

For all pairs, listed above, exactly r steps are required

to find the MMI. However, all these pairs are special

cases of a pair of seeds where

b; and

Consider

01rr

pbFF



 and 112rr

pbFF



.

Therefore for all 0ir

1iriri

pbFF



, r

11

p.



15v 2 and



152w .

Using a z

kr -transform approach, we deduce that for all

 



pbvbv



 



. (17)

Then for a large r



510

pbvwwbv

 

since

1v. (18)

The relation (18) implies that for a large r

 

051

pwbv w





 



 . (19)

Let



:max ,,2

zrpbrp



.

Therefore





(20)

000

log 52log1

zpvp











implies that the height of a stack satisfies

the following inequality:

[8].

Example 3: In this example (see

Table 3 illustrates the case where the height of the

sta in the Inequality

Thus (20)



log 1

rp p











, (21)

the table below)

1919 mod31051364

.

Indeed, 1919 * 1364 mod3105 = 1.

ck is approaching the upper bound

1).

Remark 5: Although this upper bound is achievable if



and 112rr

pbFF







, for this pair of

inp

uts the MMI can be computed explicitly: indeed, it

equals





.

Remark If in RSA public-key encryption [3],

pc 6:

, thenc

100

010 100 / loglogrw

10 10



; therefore

479 logcr



.

housandemonstrate

Over one t computer simulations d

that the averaheight of the stack is actually almost

modulo

provided that gcd = 1, [2,7].

3 = g{there is n-

ve if = 1 return Y3 = gcd );

% smaller than the upper bound in (21).

6. Extended-Euclid Algorithm (XE

XEA also finds a multiplicative inverse of 1

00 1

1) Assign (X1, X2,X3):= (1, 0,0

p); (Y1,Y2,Y3)(0,1, 1

p);

2) if Y3 = 0 return Xcd(p,1

p);

p(p,p):=

rse};

3) Y3

o in

nv 1

rseelse Y2 is the multiplicative ie;

4) :3QXY3;







 (22)









3 3QY1,2,3 :11,22,T TTXQYXQYX ;(23)





,3 :1,2



1,2, 3

X Y; (24) X YY

)



 

1,2, 3:1, 2, 3YY YTTT;

7. Comparative analysis of NEA vs. XEA

for

ard

rocedure in (10), and Q in (22), respectively.

division,

Table 3. {Worst-case space co

3105 1919 1186 733 9 7 2 1

(25)

8) goto 2.

Both algorithms require equal number of steps r

computation of all quotients: values of t on the Forw

pIn addition, NEA requires r more steps on the Back-

tracking procedure to compute the values of L in (12).

Therefore each step of XEA requires one

ree multiplications, three long algebraic additions and

ten assignments, see (22)-(25).

mplexity}: Size of stack.

453 280 17310766 41 25 16

Stack 1 1 1 1 1 1 1 1 1 1 1 1 1 3 ***

1364 843 521 322 199 123 76 47 29 18 11 7 4 3 1 0

B. S. VERKHOVSKY

905

XEA Yet in boproures NEA

uses one division, two multiplications, two long additions,

o stacra, ( andht assign-

n NEA I

han XEA:

uses ten variables. th ced

mk opetionspushnd pop), a eig

ents, see (10)-(12). NEA uses four integer variables,

one binary variable and, in addition,



logwp of

memory to store the stack.

Notice that if a MMI does not exist, then there is no

need to use the Backtracking procedure i.nthis

case NEA requires even fewer operations tone

division, one multiplication, one addition, one push op-

eration and five assignments per every step. Yet XEA

still requires the same number of operations per step as

in the case if a MMI does exist. Hence, overall XEA uses

more multiplications, more additions, more assignments

and twice as many variables than the proposed algorithm.

8. Average Complexity of XEA and NEA

both inputs are chosen randomly, then the If 01

and pp

probability that



gcd ,1pp equals 2



[2].

Let us consider the following notations:

w-worst-case specific complexity (per step) of

XEA; ;

nea

w-worst-case specific complexity of NEA

a-average-case specific complexity of XEA;

nea

arage-case specific complexity of NEA;

let ;-ave on,

muations

push a

hen

; ; ;

masst

tttt be time complexities of divisi

ltipl

ication, addition, assignment and stack oper

nd pop respectively.

3 +3+10;

ea dmas

wt ttt (26)

2 +wt t 2+8+2;

nea dmasst

ttt (27)



t2 +2+8+2

++5+16

neadm a s

dma sst

atttt

ttt tt





 

Notice that

 (28)

ea xea

aw; and

9) implies

dm ass

tt ttt (29)

Then (27)-(2 that





:231.538 (30)

xea nea

Ra a





9. Conclusions

nalysis of the proposed algorithm (NEA) for modular

rse demonstrates that its execution

53.8% less time, than the execution

eed K-bit level for ublron algo-

rithm, where the inputs are integers on the

interval

multiplicative inve

quires on averagere

of the Extended Euclid algorithm.

Theoretical analysis of space complexity of the En-

hanced-Euclid algorithm shows that it requires relatively

small bit-storage for its execution. This storage does not

xcea 2a pic-key encypti

and pp





100 400

10,10.

ey mode

-Euclid algorithm

r implementation of encryption in low memory

of this

aper; and to A. Koripella for her assistance in running

. van Oorschot and S. A. Vanstone,

“Handbook of Applied Cryptography,” CRC Press, Boca

] R. L. Rivest, A. Shamir and L. Adleman, “A Method for

On the other hand, computer simulations demonstrate

that the average bit-storage is actually 40% smaller than

2K. Hence NEA can be executed if necessary by a cus-

tom-built chip with relativlst memory, [7]. This

property of the Enhanced is especially

useful fo

vironments such as smart or PC cards, cell phones,

wearable computers and other integrated devices.

10. Acknowledgements

I express my appreciation to R. Rubino, J. Runnells, M.

Sikorski, C. Washington and to anonymous reviewer for

comments and suggestions that improved the style

computer experiments.

11. References

[1] R. Crandall and C. Pomerance, “Prime Numbers: A

Computational Perspective,” Springer, Berlin, 2001.

[2] A. J. Menezes, P. C

Raton, 1997.

[3 Obtaining Digital Signature and Public-Key Cryptosys-

tems,” Communications of the ACM, Vol. 21, No. 2, 1978,

pp. 120-126.

[4] B. Verkhovsky, “Overpass-Crossing Scheme for Digital

Signature,” Keynote Address, Proceedings of Interna-

tional Conference on System Research, Informatics and

Cybernetics, Baden-Baden, 30 July-4 August 2001.

[5] T. ElGamal, “A Public-Key Cryptosystem and a Signa-

ture Scheme Based on Discrete Logarithms,” IEEE Trans-

actions on Information Theory, Vol. 31, No. 4, 1985, pp.

469-472.

[6] M. Rabin, “Digitized Signatures and Public Key Func-

tions as Intractable as Factorization,” Technical Report:

MIT/LCS/TR-212, MIT Laboratory for Computer Science,

Cambridge, 1979.

[7] J. Hoffstein, J. Pipher and J. H. Silverman, “An Introduc-

tion to Mathematical Cryptography,” Springer, Berlin,

2008.

[8] B. Verkhovsky, “Multiplicative Inverse Algorithm and Its

Complexity,” Proceedings of International Conference-

InterSYMP-99, Baden-Baden, July 1999, pp. 62-67.

[9] B. Verkhovsky, “Accelerated Cyber-Secure Communica-

tion Based on Reduced Encryption/Decryption and In-

formation Assurance Protocols,” Journal of Telecommu-

nications Management, Vol. 2, No. 3, 2009, pp. 284-293.

B. S. VERKHOVSKY

906

riza-

International Journal of Communications, Net-

p. 1-8.

. 276-288.

ppendix

omputer experiments

decimal-digit long integers A and B were

dul o A was computed; in

era

Table A1. Results of computer experiments.

Range of S

[10] B. Verkhov sky, “Hybrid Aut hentication Cybersy stem Based

on Discrete Logarithm, Entanglements and Facto

tion,” International Journal of Communications, Network

and System Sciences, Vol. 3, No. 7, 2010, 579-584.

[11] B. Verkhovsky, “Generalized Baby-Step Giant-Step Al-

gorithm for Discrete Logarithm Problem,” Advances in

Decision Technology and Intelligent Information Systems,

International Institute for Advanced Studies in Systems

Research and Cybernetics, Baden-Baden, 2008, pp. 88-

89.

[12] B. Verkhovsky, “Integer Factorization: Solution via Al-

gorithm for Constrained Discrete Logarithm Problem,”

Journal of Computer Science, 2009, Vol. 5, No. 9, 674-

679.

[13] B. Verkhovsky, “Potential Vulnerability of Encrypted

Messages: Decomposability of Discrete Logarithm Prob-

lems,”

work and System Sciences, Vol. 3, No. 8, 2010, pp.

639-644.

[14] R. B. McClenon, “Leonardo of Pisa and His Liber Quad-

ratorum,” American Mathematical Monthly, Vol. 26, No.

1, 1919, p

[15] D. Harkin, “On the Mathematical Works of Francois-

Edouard-Anatole Lucas,” Enseignement Mathematique,

Vol. 3, No. 2, 1957, pp

CN Average S

) Pairs of N1

generated randomly, where A >

2) Then MMI C of B mo

other words we found an integer C, for which holds BC

mod A = 1;

3) 125 experiments have been carried out for each

value of N = {6, 8, 10,,18, 20};

4) The values of S (size of stack-storage) for each N

were tabulated; (not shown in the Table A1).

5) The values of avge S for every N and the range

of S for each N are presented in the Table A1.

[min, max]

6 12.65 [7, 17]

8 16.20 [9, 21]

10 19.96 [14, 29]

12 24.91 [19, 33]

14 28.53 [18, 36]

16 32.30 [20, 41]

18 36.70 [23, 50]

20 40.29 [26, 54]