Introduction to RSA (IV.)--Inverse algorithm

Source: Internet
Author: User
Tags: greatest common divisor

The "inverse" discussed here is the inverse in the multiplicative group of integers modulo some modulus, that is, the modular multiplicative inverse.

The first section gave two equivalent definitions of two integers being coprime:

(1) Two integers p and q are coprime if the greatest common divisor of p and q is 1.

(2) Two integers p and q are coprime if there exist integers a and b such that ap + bq = 1.

Anyone who understands the Euclidean algorithm can easily find the greatest common divisor of two integers; it is an algorithm taught in elementary school. It also goes by a name that may be more familiar: the method of successive division.

I often mix up "dividend" and "divisor", and I suspect I am not alone. So let me state it here first to avoid confusion: in a division, the number before the division sign is the dividend and the number after it is the divisor.

A single division step is x = m*y + n, where x is the dividend, y the divisor, m the quotient and n the remainder. The key fact is that gcd(x, y) = gcd(y, n). So each round of division replaces the pair (dividend, divisor) with the pair (divisor, remainder): the greatest common divisor is unchanged while the numbers get smaller. The process stops when the remainder is 0, and the greatest common divisor is then the divisor of the last division.

By the way, the ring of integers has this division-with-remainder structure, but not every ring does. A ring in which such division is possible is called a Euclidean ring (Euclidean domain). Other examples are the polynomial rings with complex coefficients or with real coefficients (polynomials over any field, in fact). Note that the polynomial ring with integer coefficients is not one: in it the ideal generated by 2 and x is not principal, so there is no division algorithm of this kind. But that is off topic, so I will stop there.


Take the second definition of coprime and two coprime positive integers p and q with p < q. If I add the condition 0 < a < q, then the integers a and b not only exist but are unique. This a is the inverse of p modulo q, since ap = 1 - bq, i.e. ap ≡ 1 (mod q).

The inverse can be computed by running the successive-division algorithm and then substituting back through its steps (the extended Euclidean algorithm). The idea is roughly as follows:

Suppose we start successive division on b_0 and b_1. The steps are:

b_0 = a_0*b_1 + b_2

b_1 = a_1*b_2 + b_3

b_2 = a_2*b_3 + b_4

...

b_{n-2} = a_{n-2}*b_{n-1} + b_n

b_{n-1} = a_{n-1}*b_n + b_{n+1}

b_n = a_n*b_{n+1}

The remainder of the last step is 0, so the greatest common divisor is b_{n+1}. Now rewrite every step except the last one with its remainder on the left:

(1) b_2 = b_0 - a_0*b_1

(2) b_3 = b_1 - a_1*b_2

(3) b_4 = b_2 - a_2*b_3

...

(n-1) b_n = b_{n-2} - a_{n-2}*b_{n-1}

(n) b_{n+1} = b_{n-1} - a_{n-1}*b_n

Now look at these equations. Equation (1) already expresses b_2 as a linear combination of b_0 and b_1; for convenience, call that representation (1.1).

Substituting (1) into (2) expresses b_3 as a linear combination of b_0 and b_1; call this (2.1).

Substituting (1.1) and (2.1) into (3) expresses b_4 as a linear combination of b_0 and b_1; call this (3.1).

Substituting (2.1) and (3.1) into (4) expresses b_5 as a linear combination of b_0 and b_1; call this (4.1).

...

Continue until b_{n+1} is expressed as a linear combination of b_0 and b_1.

Since we want an inverse, b_0 and b_1 must be coprime, so b_{n+1} is 1.

With b_{n+1} = 1 written as a linear combination of b_0 and b_1, the coefficient of b_1 is the inverse of b_1 modulo b_0. Of course, this coefficient may be negative or larger than b_0, so it is reduced to its remainder modulo b_0.

Here is a bc program implementing this algorithm.


#!/usr/bin/bc -q

/* inv(b0, b1): the inverse of b1 modulo b0, or -1 if gcd(b0, b1) != 1.
   (x0, y0) and (x1, y1) are the coefficients of the original b0 and b1
   in the current b0 and b1; only the y's are needed for the result. */
define inv(b0, b1) {
    auto m, x0, y0, x1, y1, a, b, tmpx, tmpy
    m = b0
    x0 = 1; y0 = 0
    x1 = 0; y1 = 1
    while (1) {
        a = b0 / b1      /* quotient (scale is 0, so this is integer division) */
        b = b0 % b1      /* remainder */
        if (b == 0) {
            if (b1 == 1) {
                y1 = y1 % m                /* reduce the coefficient modulo the original b0 */
                if (y1 < 0) { y1 += m }    /* bc's % keeps the sign of the dividend */
                return y1
            } else {
                return -1                  /* the gcd is b1 > 1, so no inverse exists */
            }
        }
        /* tmp <- (x1, y1); (x1, y1) <- (x0, y0) - a*(x1, y1); (x0, y0) <- tmp */
        tmpx = x1; tmpy = y1
        x1 = x0 - a * x1
        y1 = y0 - a * y1
        x0 = tmpx; y0 = tmpy
        b0 = b1
        b1 = b
    }
}

b0 = read()
b1 = read()
c1 = inv(b0, b1)
print "c1 = ", c1, "\n"
quit

Of course, x0 and x1 in the program only track the coefficient of b0, which is not needed for the inverse of b1, so they could be dropped. The number of division steps is linear in the number of digits of the inputs (that is, logarithmic in their size), so the algorithm is fast even for the large numbers used in RSA.

In RSA this inverse algorithm is used not only to compute the private exponent (the inverse of the public exponent e modulo φ(n)), but also to speed up modular exponentiation, for example in the CRT-based decryption, which needs the inverse of q modulo p.
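The following is an added example, not the page's bc program, that carries the whole procedure above through in Python: the plain successive-division steps (for tracing the gcd), the iterative back-substitution that keeps the b_0 and b_1 coefficients as the bc program does, the reduction of the coefficient modulo b_0 (with the negative-remainder caveat handled), a brute-force check of the uniqueness claim for 0 < a < q, and the two RSA uses mentioned: deriving the private exponent d from e and φ(n), and the CRT decryption that needs q^(-1) mod p. The primes 61 and 53 with e = 17 are constructed toy inputs for illustration only (far too small to be secure); the CRT recombination uses Garner's formula, which is my choice and not something the page spells out.

```python
# Added example (not from the original page): extended Euclid, modular inverse,
# and their use in RSA. Toy primes 61, 53 and e = 17 are constructed demo values.


def euclid_steps(b0, b1):
    """Plain successive division. Returns [(dividend, quotient, divisor, remainder), ...]
    i.e. each step b0 = a*b1 + r, stopping when the remainder is 0."""
    steps = []
    while b1 != 0:
        a, r = divmod(b0, b1)
        steps.append((b0, a, b1, r))
        b0, b1 = b1, r                  # gcd(b0, b1) == gcd(b1, r)
    return steps


def euclid_gcd(b0, b1):
    """The gcd is the divisor of the last division (or b0 if no division happened)."""
    steps = euclid_steps(b0, b1)
    return steps[-1][2] if steps else b0


def ext_gcd(b0, b1):
    """Iterative back-substitution. Invariant: current b0 == x0*B0 + y0*B1 and
    current b1 == x1*B0 + y1*B1 for the original inputs B0, B1.
    Returns (g, x, y) with x*B0 + y*B1 == g == gcd(B0, B1)."""
    x0, y0, x1, y1 = 1, 0, 0, 1         # B0 = 1*B0 + 0*B1 ; B1 = 0*B0 + 1*B1
    while b1 != 0:
        a, r = divmod(b0, b1)           # b0 = a*b1 + r
        x0, x1 = x1, x0 - a * x1        # r = b0 - a*b1, in terms of B0, B1
        y0, y1 = y1, y0 - a * y1
        b0, b1 = b1, r
    return b0, x0, y0


def mod_inverse(p, q):
    """Inverse a of p modulo q with 0 < a < q, or None if gcd(p, q) != 1.
    The coefficient from ext_gcd may be negative; Python's % already gives a
    result in [0, q) for q > 0, unlike bc's %, which keeps the dividend's sign."""
    g, _, y = ext_gcd(q, p)             # _*q + y*p == g, so y is p's coefficient
    if g != 1:
        return None
    return y % q


def count_inverses(p, q):
    """Brute-force check of the uniqueness claim: how many a in 0 < a < q satisfy a*p = 1 (mod q)?"""
    return sum(1 for a in range(1, q) if (a * p) % q == 1)


def rsa_keypair(p, q, e):
    """Private exponent d = e^(-1) mod phi(n). Raises if e is not coprime to phi(n)."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = mod_inverse(e, phi)
    if d is None:
        raise ValueError("e must be coprime to phi(n)")
    return n, e, d


def rsa_decrypt_crt(c, p, q, d):
    """CRT decryption (Garner's recombination): two half-size exponentiations
    plus one modular inverse, q^(-1) mod p. Equals pow(c, d, p*q)."""
    dp, dq = d % (p - 1), d % (q - 1)
    q_inv = mod_inverse(q, p)
    m1 = pow(c, dp, p)
    m2 = pow(c, dq, q)
    h = (q_inv * (m1 - m2)) % p
    return m2 + h * q


if __name__ == "__main__":
    # Trace the division steps for phi(n) = 3120 and e = 17, in the page's notation.
    for i, (b0, a, b1, r) in enumerate(euclid_steps(3120, 17)):
        print(f"b_{i} = {a}*b_{i+1} + b_{i+2}   ({b0} = {a}*{b1} + {r})")
    g, x, y = ext_gcd(3120, 17)
    print(f"gcd = {g} = {x}*3120 + ({y})*17  ->  17^-1 mod 3120 = {mod_inverse(17, 3120)}")
    n, e, d = rsa_keypair(61, 53, 17)
    c = pow(65, e, n)
    print(f"n={n} e={e} d={d}: 65 -> {c} -> {pow(c, d, n)} (CRT: {rsa_decrypt_crt(c, 61, 53, d)})")
```

Running it prints the four division steps for (3120, 17), the combination 1 = 2*3120 + (-367)*17, and the private exponent 2753 obtained by reducing -367 modulo 3120. Swapping in mod_inverse(4, 8) returns None, which corresponds to the bc program's -1 branch.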

