Montgomery modular multiplication

Template:Short description In modular arithmetic computation, Montgomery modular multiplication, more commonly referred to as Montgomery multiplication, is a method for performing fast modular multiplication. It was introduced in 1985 by the American mathematician Peter L. Montgomery.^[1]^[2]

Montgomery modular multiplication relies on a special representation of numbers called Montgomery form. The algorithm uses the Montgomery forms of Template:Mvar and Template:Mvar to efficiently compute the Montgomery form of $ab mod N$ Script error: No such module "Check for unknown parameters".. The efficiency comes from avoiding expensive division operations. Classical modular multiplication reduces the double-width product $ab$ Script error: No such module "Check for unknown parameters". using division by Template:Mvar and keeping only the remainder. This division requires quotient digit estimation and correction. The Montgomery form, in contrast, depends on a constant Template:Mvar which is coprime to Template:Mvar, and the only division necessary in Montgomery multiplication is division by Template:Mvar. The constant Template:Mvar can be chosen so that division by Template:Mvar is easy, significantly improving the speed of the algorithm. In binary computers, Template:Mvar is always a power of two, since division by powers of two can be implemented by bit shifting.

The need to convert Template:Mvar and Template:Mvar into Montgomery form and their product out of Montgomery form means that computing a single product by Montgomery multiplication is slower than the conventional or Barrett reduction algorithms. However, when performing many multiplications in a row, as in modular exponentiation, intermediate results can be left in Montgomery form. Then the initial and final conversions become a negligible fraction of the overall computation. Many important cryptosystems such as RSA and Diffie–Hellman key exchange are based on arithmetic operations modulo a large odd number, and for these cryptosystems, computations using Montgomery multiplication with Template:Mvar a power of two are faster than the available alternatives.^[3]

Modular arithmetic

Let Template:Mvar denote a positive integer modulus. The quotient ring $Z / N Z$ Script error: No such module "Check for unknown parameters". consists of residue classes modulo Template:Mvar, that is, its elements are sets of the form

{a + k N : k \in 𝐙},

where Template:Mvar ranges across the integers. Each residue class is a set of integers such that the difference of any two integers in the set is divisible by Template:Mvar (and the residue class is maximal with respect to that property; integers aren't left out of the residue class unless they would violate the divisibility condition). The residue class corresponding to Template:Mvar is denoted $a$ Script error: No such module "Check for unknown parameters".. Equality of residue classes is called congruence and is denoted

\bar{a} \equiv \bar{b} (\mod N) .

Storing an entire residue class on a computer is impossible because the residue class has infinitely many elements. Instead, residue classes are stored as representatives. Conventionally, these representatives are the integers Template:Mvar for which $0 \leq a \leq N - 1$ Script error: No such module "Check for unknown parameters".. If Template:Mvar is an integer, then the representative of $a$ Script error: No such module "Check for unknown parameters". is written $a mod N$ Script error: No such module "Check for unknown parameters".. When writing congruences, it is common to identify an integer with the residue class it represents. With this convention, the above equality is written $a \equiv b mod N$ Script error: No such module "Check for unknown parameters"..

Arithmetic on residue classes is done by first performing integer arithmetic on their representatives. The output of the integer operation determines a residue class, and the output of the modular operation is determined by computing the residue class's representative. For example, if $N = 17$ Script error: No such module "Check for unknown parameters"., then the sum of the residue classes $7$ Script error: No such module "Check for unknown parameters". and $15$ Script error: No such module "Check for unknown parameters". is computed by finding the integer sum $7 + 15 = 22$ Script error: No such module "Check for unknown parameters"., then determining $22 mod 17$ Script error: No such module "Check for unknown parameters"., the integer between 0 and 16 whose difference with 22 is a multiple of 17. In this case, that integer is 5, so $7 + 15 \equiv 5 mod 17$ Script error: No such module "Check for unknown parameters"..

Montgomery form

If Template:Mvar and Template:Mvar are integers in the range $[0, N - 1]$ Script error: No such module "Check for unknown parameters"., then their sum is in the range $[0, 2 N - 2]$ Script error: No such module "Check for unknown parameters". and their difference is in the range $[- N + 1, N - 1]$ Script error: No such module "Check for unknown parameters"., so determining the representative in $[0, N - 1]$ Script error: No such module "Check for unknown parameters". requires at most one subtraction or addition (respectively) of Template:Mvar. However, the product $ab$ Script error: No such module "Check for unknown parameters". is in the range $[0, N 2 - 2 N + 1]$ Script error: No such module "Check for unknown parameters".. Storing the intermediate integer product $ab$ Script error: No such module "Check for unknown parameters". requires twice as many bits as either Template:Mvar or Template:Mvar, and efficiently determining the representative in $[0, N - 1]$ Script error: No such module "Check for unknown parameters". requires division. Mathematically, the integer between 0 and $N - 1$ Script error: No such module "Check for unknown parameters". that is congruent to $ab$ Script error: No such module "Check for unknown parameters". can be expressed by applying the Euclidean division theorem:

a b = q N + r,

where Template:Mvar is the quotient $⌊ a b / N ⌋$ and Template:Mvar, the remainder, is in the interval $[0, N - 1]$ Script error: No such module "Check for unknown parameters".. The remainder Template:Mvar is $ab mod N$ Script error: No such module "Check for unknown parameters".. Determining Template:Mvar can be done by computing Template:Mvar, then subtracting $qN$ Script error: No such module "Check for unknown parameters". from $ab$ Script error: No such module "Check for unknown parameters".. For example, again with $N = 17$ , the product $7 \cdot 15$ Script error: No such module "Check for unknown parameters". is determined by computing $7 \cdot 15 = 105$ , dividing $⌊ 105 / 17 ⌋ = 6$ , and subtracting $105 - 6 \cdot 17 = 105 - 102 = 3$ .

Because the computation of Template:Mvar requires division, it is undesirably expensive on most computer hardware. Montgomery form is a different way of expressing the elements of the ring in which modular products can be computed without expensive divisions. While divisions are still necessary, they can be done with respect to a different divisor Template:Mvar. This divisor can be chosen to be a power of two, for which division can be replaced by shifting, or a whole number of machine words, for which division can be replaced by omitting words. These divisions are fast, so most of the cost of computing modular products using Montgomery form is the cost of computing ordinary products.

The auxiliary modulus Template:Mvar must be a positive integer such that $gcd(R, N) = 1$ Script error: No such module "Check for unknown parameters".. For computational purposes it is also necessary that division and reduction modulo Template:Mvar are inexpensive, and the modulus is not useful for modular multiplication unless $R > N$ Script error: No such module "Check for unknown parameters".. The Montgomery form of the residue class $a$ Script error: No such module "Check for unknown parameters". with respect to Template:Mvar is $aR mod N$ Script error: No such module "Check for unknown parameters"., that is, it is the representative of the residue class $aR$ Script error: No such module "Check for unknown parameters".. For example, suppose that $N = 17$ Script error: No such module "Check for unknown parameters". and that $R = 100$ Script error: No such module "Check for unknown parameters".. The Montgomery forms of 3, 5, 7, and 15 are $300 mod 17 = 11$ Script error: No such module "Check for unknown parameters"., $500 mod 17 = 7$ Script error: No such module "Check for unknown parameters"., $700 mod 17 = 3$ Script error: No such module "Check for unknown parameters"., and $1500 mod 17 = 4$ Script error: No such module "Check for unknown parameters"..

Addition and subtraction in Montgomery form are the same as ordinary modular addition and subtraction because of the distributive law:

a R + b R = (a + b) R,

a R - b R = (a - b) R .

Note that doing the operation in Montgomery form does not lose information compared to doing it in the quotient ring $Z / N Z$ Script error: No such module "Check for unknown parameters".. This is a consequence of the fact that, because $gcd(R, N) = 1$ Script error: No such module "Check for unknown parameters"., multiplication by Template:Mvar is an isomorphism on the additive group $Z / N Z$ Script error: No such module "Check for unknown parameters".. For example, $(7 + 15) mod 17 = 5$ Script error: No such module "Check for unknown parameters"., which in Montgomery form becomes $(3 + 4) mod 17 = 7$ Script error: No such module "Check for unknown parameters"..

Multiplication in Montgomery form, however, is seemingly more complicated. The usual product of $aR$ Script error: No such module "Check for unknown parameters". and $bR$ Script error: No such module "Check for unknown parameters". does not represent the product of Template:Mvar and Template:Mvar because it has an extra factor of Template:Mvar:

(a R mod N) (b R mod N) mod N = (a b R) R mod N .

Computing products in Montgomery form requires removing the extra factor of Template:Mvar. While division by Template:Mvar is cheap, the intermediate product $(aR mod N)(bR mod N)$ Script error: No such module "Check for unknown parameters". is not divisible by Template:Mvar because the modulo operation has destroyed that property. So for instance, the product of the Montgomery forms of 7 and 15 modulo 17, with $R = 100$ Script error: No such module "Check for unknown parameters"., is the product of 3 and 4, which is 12. Since 12 is not divisible by 100, additional effort is required to remove the extra factor of Template:Mvar.

Removing the extra factor of Template:Mvar can be done by multiplying by an integer $R'$ Script error: No such module "Check for unknown parameters". such that $RR' \equiv 1 (mod N)$ Script error: No such module "Check for unknown parameters"., that is, by an $R'$ Script error: No such module "Check for unknown parameters". whose residue class is the modular inverse of Template:Mvar mod Template:Mvar. Then, working modulo Template:Mvar,

(a R mod N) (b R mod N) R^{'} \equiv (a R) (b R) R^{- 1} \equiv (a b) R (\mod N) .

The integer $R'$ Script error: No such module "Check for unknown parameters". exists because of the assumption that Template:Mvar and Template:Mvar are coprime. It can be constructed using the extended Euclidean algorithm. The extended Euclidean algorithm efficiently determines integers $R'$ Script error: No such module "Check for unknown parameters". and $N'$ Script error: No such module "Check for unknown parameters". that satisfy Bézout's identity: $0 < R' < N$ Script error: No such module "Check for unknown parameters"., $0 < N' < R$ Script error: No such module "Check for unknown parameters"., and:

R R^{'} - N N^{'} = 1 .

This shows that it is possible to do multiplication in Montgomery form. A straightforward algorithm to multiply numbers in Montgomery form is therefore to multiply $aR mod N$ Script error: No such module "Check for unknown parameters"., $bR mod N$ Script error: No such module "Check for unknown parameters"., and $R'$ Script error: No such module "Check for unknown parameters". as integers and reduce modulo Template:Mvar.

For example, to multiply 7 and 15 modulo 17 in Montgomery form, again with $R = 100$ Script error: No such module "Check for unknown parameters"., compute the product of 3 and 4 to get 12 as above. The extended Euclidean algorithm implies that $8\cdot100 - 47\cdot17 = 1$ Script error: No such module "Check for unknown parameters"., so $R' = 8$ Script error: No such module "Check for unknown parameters".. Multiply 12 by 8 to get 96 and reduce modulo 17 to get 11. This is the Montgomery form of 3, as expected.

The REDC algorithm

While the above algorithm is correct, it is slower than multiplication in the standard representation because of the need to multiply by $R'$ Script error: No such module "Check for unknown parameters". and divide by Template:Mvar. Montgomery reduction, also known as REDC, is an algorithm that simultaneously computes the product by $R'$ Script error: No such module "Check for unknown parameters". and reduces modulo Template:Mvar more quickly than the naïve method. Unlike conventional modular reduction, which focuses on making the number smaller than Template:Mvar, Montgomery reduction focuses on making the number more divisible by Template:Mvar. It does this by adding a small multiple of Template:Mvar which is sophisticatedly chosen to cancel the residue modulo Template:Mvar. Dividing the result by Template:Mvar yields a much smaller number. This number is so much smaller that it is nearly the reduction modulo Template:Mvar, and computing the reduction modulo Template:Mvar requires only a final conditional subtraction. Because all computations are done using only reduction and divisions with respect to Template:Mvar, not Template:Mvar, the algorithm runs faster than a straightforward modular reduction by division.

function REDC is
    input: Integers R and N with gcd(R, N) = 1,
           Integer N′ in [0, R − 1] such that NN′ ≡ −1 mod R,
           Integer T in the range [0, RN − 1].
    output: Integer S in the range [0, N − 1] such that S ≡ TR⁻¹ mod N

    m ← ((T mod R)N′) mod R
    t ← (T + mN) / R
    if t ≥ N then
        return t − N
    else
        return t
    end if
end function

To see that this algorithm is correct, first observe that Template:Mvar is chosen precisely so that $T + mN$ Script error: No such module "Check for unknown parameters". is divisible by Template:Mvar. A number is divisible by Template:Mvar if and only if it is congruent to zero mod Template:Mvar, and we have:

T + m N \equiv T + (((T mod R) N^{'}) mod R) N \equiv T + T N^{'} N \equiv T - T \equiv 0 (\mod R) .

Therefore, Template:Mvar is an integer. Second, the output is either Template:Mvar or $t - N$ Script error: No such module "Check for unknown parameters"., both of which are congruent to $t mod N$ Script error: No such module "Check for unknown parameters"., so to prove that the output is congruent to $TR -1 mod N$ Script error: No such module "Check for unknown parameters"., it suffices to prove that Template:Mvar is $TR -1 mod N$ Script error: No such module "Check for unknown parameters"., Template:Mvar satisfies:

t \equiv (T + m N) R^{- 1} \equiv T R^{- 1} + (m R^{- 1}) N \equiv T R^{- 1} (\mod N) .

Therefore, the output has the correct residue class. Third, Template:Mvar is in $[0, R - 1]$ Script error: No such module "Check for unknown parameters"., and therefore $T + mN$ Script error: No such module "Check for unknown parameters". is between 0 and $(RN - 1) + (R - 1) N < 2 RN$ Script error: No such module "Check for unknown parameters".. Hence Template:Mvar is less than $2 N$ Script error: No such module "Check for unknown parameters"., and because it's an integer, this puts Template:Mvar in the range $[0, 2 N - 1]$ Script error: No such module "Check for unknown parameters".. Therefore, reducing Template:Mvar into the desired range requires at most a single subtraction, so the algorithm's output lies in the correct range.

To use REDC to compute the product of 7 and 15 modulo 17, first convert to Montgomery form and multiply as integers to get 12 as above. Then apply REDC with $R = 100$ Script error: No such module "Check for unknown parameters"., $N = 17$ Script error: No such module "Check for unknown parameters"., $N' = 47$ Script error: No such module "Check for unknown parameters"., and $T = 12$ Script error: No such module "Check for unknown parameters".. The first step sets Template:Mvar to $12 \cdot 47 mod 100 = 64$ Script error: No such module "Check for unknown parameters".. The second step sets Template:Mvar to $(12 + 64 \cdot 17) / 100$ Script error: No such module "Check for unknown parameters".. Notice that $12 + 64 \cdot 17$ Script error: No such module "Check for unknown parameters". is 1100, a multiple of 100 as expected. Template:Mvar is set to 11, which is less than 17, so the final result is 11, which agrees with the computation of the previous section.

As another example, consider the product $7 \cdot 15 mod 17$ Script error: No such module "Check for unknown parameters". but with $R = 10$ Script error: No such module "Check for unknown parameters".. Using the extended Euclidean algorithm, compute $-5 \cdot 10 + 3 \cdot 17 = 1$ Script error: No such module "Check for unknown parameters"., so $N'$ Script error: No such module "Check for unknown parameters". will be $-3 mod 10 = 7$ Script error: No such module "Check for unknown parameters".. The Montgomery forms of 7 and 15 are $70 mod 17 = 2$ Script error: No such module "Check for unknown parameters". and $150 mod 17 = 14$ Script error: No such module "Check for unknown parameters"., respectively. Their product 28 is the input Template:Mvar to REDC, and since $28 < RN = 170$ Script error: No such module "Check for unknown parameters"., the assumptions of REDC are satisfied. To run REDC, set Template:Mvar to $(28 mod 10) \cdot 7 mod 10 = 196 mod 10 = 6$ Script error: No such module "Check for unknown parameters".. Then $28 + 6 \cdot 17 = 130$ Script error: No such module "Check for unknown parameters"., so $t = 13$ Script error: No such module "Check for unknown parameters".. Because $30 mod 17 = 13$ Script error: No such module "Check for unknown parameters"., this is the Montgomery form of $3 = 7 \cdot 15 mod 17$ Script error: No such module "Check for unknown parameters"..

Interpretation via the Chinese Remainder Theorem

Source:^[4]

Given the modulus Template:Mvar and the Montgomery radix Template:Mvar used in a Montgomery reduction, consider the residue ring

$ℤ / (N R) ℤ ≅ ℤ / N ℤ \times ℤ / R ℤ,$

an isomorphism that follows from the Chinese Remainder Theorem (CRT).

CRT reconstruction for an intermediate product

For an integer $T$ with $0 \leq T < N R$ (as is typical when $T$ arises from multiplying two residues), take its reductions

$T_{N} = T mod N, T_{R} = T mod R .$

The CRT gives the explicit reconstruction formula

$T \equiv T_{N} (R^{- 1} mod N) R + T_{R} (N^{- 1} mod R) N (\mod N R) .$

Because the right-hand side is already taken modulo $N R$ , this may also be written as

$T \equiv (T_{N} R^{- 1} mod N) R + (T_{R} N^{- 1} mod R) N (\mod N R) .$

Both summands lie in the half‑open interval $[0, N R)$ :

$0 \leq (T_{N} R^{- 1} mod N) R < N R, 0 \leq (T_{R} N^{- 1} mod R) N < N R .$

Hence, as integer equations (not merely congruences) we have

$T = (T_{N} R^{- 1} mod N) R + (T_{R} N^{- 1} mod R) N,$

or,

$T + N R = (T_{N} R^{- 1} mod N) R + (T_{R} N^{- 1} mod R) N .$

Isolating the term containing T mod N

To solve for $T_{N}$ , isolate the first summand:

$(T_{N} R^{- 1} mod N) R = {\begin{cases} T - (T_{R} N^{- 1} mod R) N, \\ T + N R - (T_{R} N^{- 1} mod R) N . \end{cases}$

Every quantity above is an integer, and the left‑hand side is a multiple of $R$ ; therefore each right‑hand side is divisible by $R$ . Dividing by $R$ yields

$T_{N} R^{- 1} mod N = {\begin{cases} \frac{T - (T_{R} N^{- 1} mod R) N}{R}, \\ \frac{T + N R - (T_{R} N^{- 1} mod R) N}{R} = \frac{T - (T_{R} N^{- 1} mod R) N}{R} + N . \end{cases}$

Resulting relations

Consequently,

$\frac{T - (T_{R} N^{- 1} mod R) N}{R} = {\begin{cases} T_{N} R^{- 1} mod N, \\ T_{N} R^{- 1} mod N + N . \end{cases}$

This gives two key facts:

Congruence

$\frac{T - (T_{R} N^{- 1} mod R) N}{R} \equiv T_{N} R^{- 1} (\mod N) .$

Numeric bound

$0 \leq \frac{T - (T_{R} N^{- 1} mod R) N}{R} < 2 N .$

Therefore, by reducing

$\frac{T - (T_{R} N^{- 1} mod R) N}{R}$

once more modulo Template:Mvar, one obtains the non‑negative residue representing $T_{N} R^{- 1} mod N$ .

Arithmetic in Montgomery form

Many operations of interest modulo Template:Mvar can be expressed equally well in Montgomery form. Addition, subtraction, negation, comparison for equality, multiplication by an integer not in Montgomery form, and greatest common divisors with Template:Mvar may all be done with the standard algorithms. The Jacobi symbol can be calculated as $(\frac{a}{N}) = (\frac{a R}{N}) / (\frac{R}{N})$ as long as $(\frac{R}{N})$ is stored.

When $R > N$ Script error: No such module "Check for unknown parameters"., most other arithmetic operations can be expressed in terms of REDC. This assumption implies that the product of two representatives mod Template:Mvar is less than Template:Mvar, the exact hypothesis necessary for REDC to generate correct output. In particular, the product of $aR mod N$ Script error: No such module "Check for unknown parameters". and $bR mod N$ Script error: No such module "Check for unknown parameters". is $REDC((aR mod N)(bR mod N))$ Script error: No such module "Check for unknown parameters".. The combined operation of multiplication and REDC is often called Montgomery multiplication.

Conversion into Montgomery form is done by computing $REDC((a mod N)(R 2 mod N))$ Script error: No such module "Check for unknown parameters".. Conversion out of Montgomery form is done by computing $REDC(aR mod N)$ Script error: No such module "Check for unknown parameters".. The modular inverse of $aR mod N$ Script error: No such module "Check for unknown parameters". is $REDC((aR mod N) -1 (R 3 mod N))$ Script error: No such module "Check for unknown parameters".. Modular exponentiation can be done using exponentiation by squaring by initializing the initial product to the Montgomery representation of 1, that is, to $R mod N$ Script error: No such module "Check for unknown parameters"., and by replacing the multiply and square steps by Montgomery multiplies.

Performing these operations requires knowing at least $N'$ Script error: No such module "Check for unknown parameters". and $R 2 mod N$ Script error: No such module "Check for unknown parameters".. When Template:Mvar is a power of a small positive integer Template:Mvar, $N'$ Script error: No such module "Check for unknown parameters". can be computed by Hensel's lemma: The inverse of Template:Mvar modulo Template:Mvar is computed by a naïve algorithm (for instance, if $b = 2$ Script error: No such module "Check for unknown parameters". then the inverse is 1), and Hensel's lemma is used repeatedly to find the inverse modulo higher and higher powers of Template:Mvar, stopping when the inverse modulo Template:Mvar is known; $N'$ Script error: No such module "Check for unknown parameters". is the negation of this inverse. The constants $R mod N$ Script error: No such module "Check for unknown parameters". and $R 3 mod N$ Script error: No such module "Check for unknown parameters". can be generated as $REDC(R 2 mod N)$ Script error: No such module "Check for unknown parameters". and as $REDC((R 2 mod N)(R 2 mod N))$ Script error: No such module "Check for unknown parameters".. The fundamental operation is to compute REDC of a product. When standalone REDC is needed, it can be computed as REDC of a product with $1 mod N$ Script error: No such module "Check for unknown parameters".. The only place where a direct reduction modulo Template:Mvar is necessary is in the precomputation of $R 2 mod N$ Script error: No such module "Check for unknown parameters"..

Montgomery arithmetic on multiprecision integers

Most cryptographic applications require numbers that are hundreds or even thousands of bits long. Such numbers are too large to be stored in a single machine word. Typically, the hardware performs multiplication mod some base Template:Mvar, so performing larger multiplications requires combining several small multiplications. The base Template:Mvar is typically 2 for microelectronic applications, 2⁸ for 8-bit firmware,^[5] or 2³² or 2⁶⁴ for software applications.

The REDC algorithm requires products modulo Template:Mvar, and typically $R > N$ Script error: No such module "Check for unknown parameters". so that REDC can be used to compute products. However, when Template:Mvar is a power of Template:Mvar, there is a variant of REDC which requires products only of machine word sized integers. Suppose that positive multi-precision integers are stored little endian, that is, Template:Mvar is stored as an array $x [0], ..., x [ℓ - 1]$ Script error: No such module "Check for unknown parameters". such that $0 \leq x [i] < B$ Script error: No such module "Check for unknown parameters". for all Template:Mvar and $x = \sum x [i] B i$ Script error: No such module "Check for unknown parameters".. The algorithm begins with a multiprecision integer Template:Mvar and reduces it one word at a time. First an appropriate multiple of Template:Mvar is added to make Template:Mvar divisible by Template:Mvar. Then a multiple of Template:Mvar is added to make Template:Mvar divisible by $B 2$ Script error: No such module "Check for unknown parameters"., and so on. Eventually Template:Mvar is divisible by Template:Mvar, and after division by Template:Mvar the algorithm is in the same place as REDC was after the computation of Template:Mvar.

function MultiPrecisionREDC is
    Input: Integer N with gcd(B, N) = 1, stored as an array of p words,
           Integer R = B^r,     --thus, r = log_B R
           Integer N′ in [0, B − 1] such that NN′ ≡ −1 (mod B),
           Integer T in the range 0 ≤ T < RN, stored as an array of r + p words.

    Output: Integer S in [0, N − 1] such that TR⁻¹ ≡ S (mod N), stored as an array of p words.

    Set T[r + p] = 0  (extra carry word)
    for 0 ≤ i < r do
        --loop1- Make T divisible by Bⁱ⁺¹

        c ← 0
        m ← T[i] ⋅ N′ mod B
        for 0 ≤ j < p do
            --loop2- Add the m ⋅ N[j] and the carry from earlier, and find the new carry

            x ← T[i + j] + m ⋅ N[j] + c
            T[i + j] ← x mod B
            c ← ⌊x / B⌋
        end for
        for p ≤ j ≤ r + p − i do
            --loop3- Continue carrying

            x ← T[i + j] + c
            T[i + j] ← x mod B
            c ← ⌊x / B⌋
        end for
    end for

    for 0 ≤ i ≤ p do
        S[i] ← T[i + r]
    end for

    if S ≥ N then
        return S − N
    else
        return Template:Var
    end if
end function

The final comparison and subtraction is done by the standard algorithms.

The above algorithm is correct for essentially the same reasons that REDC is correct. Each time through the Template:Mvar loop, Template:Mvar is chosen so that $T [i] + mN [0]$ Script error: No such module "Check for unknown parameters". is divisible by Template:Mvar. Then Template:Mvar is added to Template:Mvar. Because this quantity is zero mod Template:Mvar, adding it does not affect the value of $T mod N$ Script error: No such module "Check for unknown parameters".. If Template:Mvar denotes the value of Template:Mvar computed in the Template:Mvarth iteration of the loop, then the algorithm sets Template:Mvar to $T + (\sum m i B i) N$ Script error: No such module "Check for unknown parameters".. Because MultiPrecisionREDC and REDC produce the same output, this sum is the same as the choice of Template:Mvar that the REDC algorithm would make.

The last word of Template:Mvar, $T [r + p]$ Script error: No such module "Check for unknown parameters". (and consequently $S [p]$ Script error: No such module "Check for unknown parameters".), is used only to hold a carry, as the initial reduction result is bound to a result in the range of $0 \leq S < 2N$ Script error: No such module "Check for unknown parameters".. It follows that this extra carry word can be avoided completely if it is known in advance that $R \geq 2N$ Script error: No such module "Check for unknown parameters".. On a typical binary implementation, this is equivalent to saying that this carry word can be avoided if the number of bits of Template:Mvar is smaller than the number of bits of Template:Mvar. Otherwise, the carry will be either zero or one. Depending upon the processor, it may be possible to store this word as a carry flag instead of a full-sized word.

It is possible to combine multiprecision multiplication and REDC into a single algorithm. This combined algorithm is usually called Montgomery multiplication. Several different implementations are described by Koç, Acar, and Kaliski.^[6] The algorithm may use as little as $p + 2$ Script error: No such module "Check for unknown parameters". words of storage (plus a carry bit).

As an example, let $B = 10$ Script error: No such module "Check for unknown parameters"., $N = 997$ Script error: No such module "Check for unknown parameters"., and $R = 1000$ Script error: No such module "Check for unknown parameters".. Suppose that $a = 314$ Script error: No such module "Check for unknown parameters". and $b = 271$ Script error: No such module "Check for unknown parameters".. The Montgomery representations of Template:Mvar and Template:Mvar are $314000 mod 997 = 942$ Script error: No such module "Check for unknown parameters". and $271000 mod 997 = 813$ Script error: No such module "Check for unknown parameters".. Compute $942 \cdot 813 = 765846$ Script error: No such module "Check for unknown parameters".. The initial input Template:Mvar to MultiPrecisionREDC will be [6, 4, 8, 5, 6, 7]. The number Template:Mvar will be represented as [7, 9, 9]. The extended Euclidean algorithm says that $-299 \cdot 10 + 3 \cdot 997 = 1$ Script error: No such module "Check for unknown parameters"., so $N'$ Script error: No such module "Check for unknown parameters". will be 7.

i ← 0
m ← 6 ⋅ 7 mod 10 = 2

j T       c
- ------- -
0 0485670 2    (After first iteration of first loop)
1 0485670 2
2 0485670 2
3 0487670 0    (After first iteration of second loop)
4 0487670 0
5 0487670 0
6 0487670 0

i ← 1
m ← 4 ⋅ 7 mod 10 = 8

j T       c
- ------- -
0 0087670 6    (After first iteration of first loop)
1 0067670 8
2 0067670 8
3 0067470 1    (After first iteration of second loop)
4 0067480 0
5 0067480 0

i ← 2
m ← 6 ⋅ 7 mod 10 = 2

j T       c
- ------- -
0 0007480 2    (After first iteration of first loop)
1 0007480 2
2 0007480 2
3 0007400 1    (After first iteration of second loop)
4 0007401 0

Therefore, before the final comparison and subtraction, $S = 1047$ Script error: No such module "Check for unknown parameters".. The final subtraction yields the number 50. Since the Montgomery representation of $314 \cdot 271 mod 997 = 349$ Script error: No such module "Check for unknown parameters". is $349000 mod 997 = 50$ Script error: No such module "Check for unknown parameters"., this is the expected result.

When working in base 2, determining the correct Template:Mvar at each stage is particularly easy: If the current working bit is even, then Template:Mvar is zero and if it's odd, then Template:Mvar is one. Furthermore, because each step of MultiPrecisionREDC requires knowing only the lowest bit, Montgomery multiplication can be easily combined with a carry-save adder.

Side-channel attacks

Because Montgomery reduction avoids the correction steps required in conventional division when quotient digit estimates are inaccurate, it is mostly free of the conditional branches which are the primary targets of timing and power side-channel attacks; the sequence of instructions executed is independent of the input operand values. The only exception is the final conditional subtraction of the modulus, but it is easily modified (to always subtract something, either the modulus or zero) to make it resistant.^[5] It is of course necessary to ensure that the exponentiation algorithm built around the multiplication primitive is also resistant.Template:R^[7]

References

↑ Script error: No such module "Citation/CS1".
↑ Martin Kochanski, "Montgomery Multiplication" Template:Webarchive a colloquial explanation.
↑ Alfred J. Menezes, Paul C. van Oorschot, and Scott A. Vanstone. Handbook of Applied Cryptography. CRC Press, 1996. Template:Isbn, chapter 14.
↑ Script error: No such module "citation/CS1".
↑ ^a ^b Script error: No such module "citation/CS1". (Presentation slides.)
↑ Script error: No such module "Citation/CS1".
↑ Marc Joye and Sung-Ming Yen. "The Montgomery Powering Ladder". 2002.

Script error: No such module "Check for unknown parameters".

External links

Template:Cite CiteSeerX

[montg1985-1] Script error: No such module "Citation/CS1".

[kochanski-2] Martin Kochanski, "Montgomery Multiplication" Template:Webarchive a colloquial explanation.

[3] Alfred J. Menezes, Paul C. van Oorschot, and Scott A. Vanstone. Handbook of Applied Cryptography. CRC Press, 1996. Template:Isbn, chapter 14.

[4] Script error: No such module "citation/CS1".

[kizhvatov-5] Script error: No such module "citation/CS1". (Presentation slides.)

[6] Script error: No such module "Citation/CS1".

[7] Marc Joye and Sung-Ming Yen. "The Montgomery Powering Ladder". 2002.

[1]

[2]

[3]

[4]

[5]

[6]

[7]

Montgomery modular multiplication

Contents

Modular arithmetic

Montgomery form

The REDC algorithm

Interpretation via the Chinese Remainder Theorem

CRT reconstruction for an intermediate product

Isolating the term containing T mod N

Resulting relations

Arithmetic in Montgomery form

Montgomery arithmetic on multiprecision integers

Side-channel attacks

See also

References

External links

Navigation menu

Montgomery modular multiplication

Modular arithmetic

Montgomery form

The REDC algorithm

Interpretation via the Chinese Remainder Theorem

CRT reconstruction for an intermediate product

Isolating the term containing T mod N

Resulting relations

Arithmetic in Montgomery form

Montgomery arithmetic on multiprecision integers

Side-channel attacks

See also

References

External links

Navigation menu

Search