
Modular Division and Inversion

Dr. Arunachalam V
Associate Professor, SENSE
Introduction

• We have seen above that modular multiplication reduces to integer division,
since to compute , the classical method consists of dividing ab by N
to obtain = + , then = .
• In the same vein, modular division reduces to an (extended) integer gcd.
• More precisely, the division / is usually computed as . (1/
) , thus a modular inverse is followed by a modular multiplication.
• We concentrate on modular inversion in this section.
• We know that computing an extended gcd is expensive, both for small sizes,
where it usually costs the same as several multiplications, and for large sizes,
where it costs log .
• Therefore modular inversions should be avoided if possible.
• Algorithm 2.10 (ModularInverse) is just Algorithm ExtendedGcd, with
( , ) → ( , ) and the lines computing the cofactors of N omitted.
Test the algorithm using b = 27 and N = 392; the result is u = −29, or equivalently 363.
= 1; = 0; = 392; = 27 27,14 → 1, 13
27,392 → 0, 27 = −14 ; = 1 − 1 × −14 = 15;
=0; = 1 − 0 × 0 = 1; = 13; = 14
= 27; = 392 14,13 → 1, 1
= 15; = −14 − 1 × 15 = −29;
392,27 → 14, 14 = 1; = 13
=1; = 0 − 14 × 1 = −14;
13,1 → 13, 0
= 14; = 27
= −29; = 15 − 13 × −29 = 392;
= 0; = 1
Complexity comparison
• Algorithm ModularInverse is the naive version of modular inversion, with
complexity if N takes n words in base .
• The sub-quadratic log algorithm is based on the HalfBinaryGcd
algorithm.
• When the modulus N has a special form, faster algorithms may exist.
• In particular for = , algorithms exist, based on Hensel lifting,
which can be seen as the p-adic variant of Newton’s method.
Using special modulus
• To compute 1/ , we use a p-adic version of the iteration: = +
1− .
• Assume approximates 1/ to “p-adic precision” , i.e., =1+ , and
=2.
• Then, modulo : = 2− = 1+ 1− =1− .
• Therefore approximates 1/ to double precision (in the p-adic sense).
Example
• As an example, assume one wants to compute the inverse of an odd integer b
modulo 2 .
• The initial approximation = 1 satisfies = 1/ 2, thus five
iterations are enough.
• The first iteration is = + 1− 2 ,
• which simplifies to = 2− 4 since = 1. Now whether =
1 4 or = 3 4, we have 2 − = 4, thus one can
immediately start the second iteration with = implicit:
• = 2− 2 ; = 2− 2 ;
= 2− 2 ; = 2− 2
• Consider for example = 17.
• The above algorithm yields = 1, = 241, = 61 681 and =
4 042 322 161.
Implementation on a digital computer

• Of course, any computation might be computed modulo for ≥ .


• In particular, all the above computations might be performed modulo 2 .
• On a 32-bit computer, arithmetic on basic integer types is usually performed
modulo 2 , thus the reduction comes for free.
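
The two inversion methods on these slides, written out in C as an added example (not code from the slides or from the referenced book): the extended-gcd inverse checked on b = 27, N = 392, and the Hensel iteration for an odd b with machine words supplying the reduction modulo 2^32, checked on b = 17. The function names `inv_mod` and `inv_mod_2_32`, the `trace` parameter and the variable names are this example's own.

```c
#include <stdint.h>
#include <stdio.h>

/* Extended-gcd inverse with the cofactor of N omitted (names are this
 * example's own). Returns u in [0, N) with b*u == 1 (mod N), or -1 when
 * gcd(b, N) != 1. Assumes 0 <= b and 1 < N <= 2^32. */
int64_t inv_mod(int64_t b, int64_t N)
{
    int64_t u = 1, w = 0, c = N;
    while (c != 0) {
        int64_t q = b / c, r = b % c;
        int64_t t = u - q * w;      /* next cofactor of the original b */
        b = c; c = r;
        u = w; w = t;
    }
    return (b == 1) ? ((u % N) + N) % N : -1;
}

/* Hensel (2-adic Newton) inverse of an odd b modulo 2^32. Starts from
 * x = b, correct modulo 4, and doubles the precision four times.
 * uint32_t wraps modulo 2^32, so no reduction step is written. If trace
 * is non-NULL it receives the iterates reduced modulo 2^4, 2^8, 2^16 and
 * 2^32. The result is meaningless for even b (no inverse exists). */
uint32_t inv_mod_2_32(uint32_t b, uint32_t trace[4])
{
    uint32_t x = b;
    for (int i = 0; i < 4; i++) {
        x *= 2u - b * x;            /* x <- x(2 - b x) mod 2^32 */
        if (trace) {
            unsigned bits = 4u << i;
            trace[i] = (bits == 32) ? x : (x & ((1u << bits) - 1u));
        }
    }
    return x;
}

int main(void)
{
    uint32_t t[4];
    uint32_t x = inv_mod_2_32(17u, t);
    printf("27^-1 mod 392  = %lld\n", (long long)inv_mod(27, 392));
    printf("17^-1 mod 2^32 = %u (iterates %u %u %u %u)\n", (unsigned)x,
           (unsigned)t[0], (unsigned)t[1], (unsigned)t[2], (unsigned)t[3]);
    return 0;
}
```

The Hensel routine runs a fixed four multiply-subtract steps with no division and no branch on b, whereas the number of gcd loop iterations depends on the operands.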
Alternate implementation

• Another way to perform modular division when the modulus has a special
form is Hensel’s division.
• For a modulus = , given two integers A,B, we compute Q and R such that
= + .
• Therefore we have / = .
• While Montgomery’s modular multiplication only computes the remainder R
of Hensel’s division, modular division computes the quotient Q, thus Hensel’s
division plays a central role in modular arithmetic modulo .
Reference
1. Chapter 2.5 of Richard P. Brent and Paul Zimmermann, “Modern
Computer Arithmetic”, Cambridge University Press, 2010.
Next Class

MODULAR EXPONENTIATION
