Montgomery reduction
Encyclopedia
In arithmetic computation, Montgomery reduction is an algorithm
introduced in 1985 by Peter Montgomery
that allows modular arithmetic
to be performed efficiently when the modulus is large (typically several hundred bits).
A single application of the Montgomery algorithm (henceforth referred to as a "Montgomery step") is faster than a "naive" modular multiplication:
Because numbers have to be converted to and from a particular form suitable for performing the Montgomery step, a single modular multiplication performed using a Montgomery step is actually slightly less efficient than a "naive" one. However, modular exponentiation can be implemented as a sequence of Montgomery steps, with conversion only required once at the start and once at the end of the sequence. In this case the greater speed of the Montgomery steps far outweighs the need for the extra conversions.
is the modular inverse of R.
The algorithm used to calculate this value is much more efficient than the classical method of taking a product over the integers and reducing the result modulo n.
are based on arithmetic operations, such as multiplications, modulo a large number. The classical method of calculating a modular product involves first multiplying the numbers as if they were integer
s and then taking the modulo
of the result. However, modular reduction is very expensive computationally—equivalent to dividing two numbers.
The situation is even worse when the algorithm requires modular exponentiation. Classically, is calculated by repeatedly multiplying a by itself b times, each time reducing the result modulo n. Note that taking a single modulo at the end of the calculation will result in increasingly larger intermediate products—infeasible if b is very large.
Rather than working directly with a and b, we define the residue
and similarly for . The number is chosen both greater than and relatively prime to N, such that division and remainder operations are easy. A power of two is generally chosen so that these operations become bitwise masks and shifts respectively. The numbers R and N are guaranteed to be relatively prime if N is odd and R is a power of two, as is typical in cryptographic applications.
It can be easily shown that there is a one-to-one mapping between numbers and residues . Addition and subtraction operations are the same:
if and only if
This is important because converting between natural and residue representations is expensive, and we would prefer to work in one representation as much as possible and minimise conversions.
To define multiplication, define the modular inverse of R, such that
in other words
where k is an integer.
Now if
then
It turns out that this is cheap to calculate using the following algorithm.
Note that only additions, multiplications and integer divides and modulos by R are used – all of which are 'cheap' operations.
To understand why this gives the right answer, consider the following:
Therefore, we can say that
Using this method to calculate c is generally less efficient than a naive multiplication and reduction, as the cost of conversions to and from residue representation (multiplications by R and modulo N) outweigh the savings from the reduction step. The advantage of this method becomes apparent when dealing with a sequence of multiplications, as required for modular exponentiation (e.g. exponentiation by squaring
).
To calculate 0472 × a ÷ 10000:
It is easy to see that the result is 0.0472 × a, as required.
To turn this into a modular operation with a modulus r, add, immediately before each shift, whatever multiple of r is needed to make the value in the accumulator a multiple of 10.
The result will be that the final value in the accumulator will be an integer (since only multiples of 10 have ever been divided by 10) and equivalent (modulo r) to 472 × a ÷ 10000.
Finding the appropriate multiple of r is a simple operation of single-digit arithmetic. When working to base 2, it is trivial to calculate: if the value in the accumulator is even, the multiple is 0 (nothing needs to be added); if the value in the accumulator is odd, the multiple is 1 (r needs to be added).
The Montgomery step is faster than the methods of "naive" modular arithmetic because the decision as to what multiple of r to add is taken purely on the basis of the least significant digit of the accumulator. This allows the use of carry-save adders, which are much faster than the conventional kind but are not immediately able to give accurate values for the more significant digits of the result.
It can be seen that if we choose to represent integers by 10000 times themselves (let us temporarily call this a "Montgomery representation") then the result of a Montgomery step on the Montgomery representation of a and the Montgomery representation of b is the Montgomery representation of a × b.
Thus we can use a Montgomery step to perform a modular multiplication by "Montgomeryizing" both operands before the Montgomery step and "de-Montgomeryizing" the result after it.
To "de-Montgomeryize" a number—in other words, to take it from its representation as "12340000" to a conventional representation as "1234"—it suffices to do a single Montgomery step with the number and 1: 12340000×1÷10000=1234.
To "Montgomeryize" a number—in other words, to take it from its conventional representation to a representation as "12340000"—it suffices to do a single Montgomery step with the number and 100000000: 1234×100000000÷10000=12340000.
The value of 100000000 modulo r can be precomputed, since the same modulus r is usually used many times over.
The total budget for a single modular multiplication is thus two Montgomery steps: the first, on and , yields , and the second, on this product and , yields .
Usually, this is not a favorable trade-off for a single multiplication, as a conventional modular multiplication is faster than two Montgomery steps. However, Montgomery reduction is easier to make resistant to side-channel attacks, so in some circumstances the Montgomery technique may be preferable.
To fix our ideas, suppose that a particular modular exponentiation requires 800 multiplications. In that case 802 Montgomery steps will be needed: one to Montgomeryize the number being exponentiated, 800 to do the exponentiation, and one to de-Montgomeryize the result.
If a Montgomery step is even slightly faster than a conventional modular multiplication, the Montgomery algorithm will produce a faster result than conventional modular exponentiation.
Algorithm
In mathematics and computer science, an algorithm is an effective method expressed as a finite list of well-defined instructions for calculating a function. Algorithms are used for calculation, data processing, and automated reasoning...
introduced in 1985 by Peter Montgomery
Peter Montgomery
Peter Lawrence Montgomery is an American mathematician who has published widely in the more mathematical end of the field of cryptography. He is currently a researcher in the cryptography group at Microsoft Research....
that allows modular arithmetic
Modular arithmetic
In mathematics, modular arithmetic is a system of arithmetic for integers, where numbers "wrap around" after they reach a certain value—the modulus....
to be performed efficiently when the modulus is large (typically several hundred bits).
A single application of the Montgomery algorithm (henceforth referred to as a "Montgomery step") is faster than a "naive" modular multiplication:
Because numbers have to be converted to and from a particular form suitable for performing the Montgomery step, a single modular multiplication performed using a Montgomery step is actually slightly less efficient than a "naive" one. However, modular exponentiation can be implemented as a sequence of Montgomery steps, with conversion only required once at the start and once at the end of the sequence. In this case the greater speed of the Montgomery steps far outweighs the need for the extra conversions.
Formal statement
Let n be a positive integer, and let R and T be integers such that , , and . The Montgomery reduction of T modulo n with respect to R is defined as the valueis the modular inverse of R.
The algorithm used to calculate this value is much more efficient than the classical method of taking a product over the integers and reducing the result modulo n.
Use in cryptography
Many important cryptosystems such as RSA and DSADigital Signature Algorithm
The Digital Signature Algorithm is a United States Federal Government standard or FIPS for digital signatures. It was proposed by the National Institute of Standards and Technology in August 1991 for use in their Digital Signature Standard , specified in FIPS 186, adopted in 1993. A minor...
are based on arithmetic operations, such as multiplications, modulo a large number. The classical method of calculating a modular product involves first multiplying the numbers as if they were integer
Integer
The integers are formed by the natural numbers together with the negatives of the non-zero natural numbers .They are known as Positive and Negative Integers respectively...
s and then taking the modulo
Modulo operation
In computing, the modulo operation finds the remainder of division of one number by another.Given two positive numbers, and , a modulo n can be thought of as the remainder, on division of a by n...
of the result. However, modular reduction is very expensive computationally—equivalent to dividing two numbers.
The situation is even worse when the algorithm requires modular exponentiation. Classically, is calculated by repeatedly multiplying a by itself b times, each time reducing the result modulo n. Note that taking a single modulo at the end of the calculation will result in increasingly larger intermediate products—infeasible if b is very large.
Rationale
We wish to calculate c such that.Rather than working directly with a and b, we define the residue
and similarly for . The number is chosen both greater than and relatively prime to N, such that division and remainder operations are easy. A power of two is generally chosen so that these operations become bitwise masks and shifts respectively. The numbers R and N are guaranteed to be relatively prime if N is odd and R is a power of two, as is typical in cryptographic applications.
It can be easily shown that there is a one-to-one mapping between numbers and residues . Addition and subtraction operations are the same:
if and only if
This is important because converting between natural and residue representations is expensive, and we would prefer to work in one representation as much as possible and minimise conversions.
To define multiplication, define the modular inverse of R, such that
in other words
where k is an integer.
Now if
then
It turns out that this is cheap to calculate using the following algorithm.
Description of Algorithm
The Montgomery reduction algorithm Redc(T) calculates as follows:- if return else return t.
Note that only additions, multiplications and integer divides and modulos by R are used – all of which are 'cheap' operations.
To understand why this gives the right answer, consider the following:
- . But by the definition of and k, is a multiple of R, so . Therefore, ; in other words, is exactly divisible by R, so t is an integer.
- Furthermore, ; therefore, , as required.
- Assuming , (as ). Therefore the return value is always less than N.
Therefore, we can say that
Using this method to calculate c is generally less efficient than a naive multiplication and reduction, as the cost of conversions to and from residue representation (multiplications by R and modulo N) outweigh the savings from the reduction step. The advantage of this method becomes apparent when dealing with a sequence of multiplications, as required for modular exponentiation (e.g. exponentiation by squaring
Exponentiation by squaring
Exponentiating by squaring is a general method for fast computation of large integer powers of a number. Some variants are commonly referred to as square-and-multiply algorithms or binary exponentiation. In additive notation the appropriate term is double-and-add...
).
The Montgomery step
Working with n-digit numbers to base d, a Montgomery step calculates . The base d is typically 2 for microelectronic applications or 232 or 264 for software applications. For the purpose of exposition, we shall illustrate with d = 10 and n = 4.To calculate 0472 × a ÷ 10000:
- Zero the accumulator.
- Starting from the last digit; add 2a to the accumulator.
- Shift the accumulator one place to the right (thus dividing by 10).
- Add 7a to the accumulator.
- Shift the accumulator one place to the right.
- Add 4a to the accumulator.
- Shift the accumulator one place to the right.
- Add 0a to the accumulator.
- Shift the accumulator one place to the right.
It is easy to see that the result is 0.0472 × a, as required.
To turn this into a modular operation with a modulus r, add, immediately before each shift, whatever multiple of r is needed to make the value in the accumulator a multiple of 10.
The result will be that the final value in the accumulator will be an integer (since only multiples of 10 have ever been divided by 10) and equivalent (modulo r) to 472 × a ÷ 10000.
Finding the appropriate multiple of r is a simple operation of single-digit arithmetic. When working to base 2, it is trivial to calculate: if the value in the accumulator is even, the multiple is 0 (nothing needs to be added); if the value in the accumulator is odd, the multiple is 1 (r needs to be added).
The Montgomery step is faster than the methods of "naive" modular arithmetic because the decision as to what multiple of r to add is taken purely on the basis of the least significant digit of the accumulator. This allows the use of carry-save adders, which are much faster than the conventional kind but are not immediately able to give accurate values for the more significant digits of the result.
Modular multiplication
Consider the following pair of calculations:- 24 × 73 = 1752
- 240000 × 730000 ÷ 10000 = 17520000
It can be seen that if we choose to represent integers by 10000 times themselves (let us temporarily call this a "Montgomery representation") then the result of a Montgomery step on the Montgomery representation of a and the Montgomery representation of b is the Montgomery representation of a × b.
Thus we can use a Montgomery step to perform a modular multiplication by "Montgomeryizing" both operands before the Montgomery step and "de-Montgomeryizing" the result after it.
To "de-Montgomeryize" a number—in other words, to take it from its representation as "12340000" to a conventional representation as "1234"—it suffices to do a single Montgomery step with the number and 1: 12340000×1÷10000=1234.
To "Montgomeryize" a number—in other words, to take it from its conventional representation to a representation as "12340000"—it suffices to do a single Montgomery step with the number and 100000000: 1234×100000000÷10000=12340000.
The value of 100000000 modulo r can be precomputed, since the same modulus r is usually used many times over.
The total budget for a single modular multiplication is thus two Montgomery steps: the first, on and , yields , and the second, on this product and , yields .
Usually, this is not a favorable trade-off for a single multiplication, as a conventional modular multiplication is faster than two Montgomery steps. However, Montgomery reduction is easier to make resistant to side-channel attacks, so in some circumstances the Montgomery technique may be preferable.
Modular exponentiation
Raising a number to a k-bit exponent involves between k and 2k multiplications. In most applications of modular exponentiation the exponent is at least several hundred bits long.To fix our ideas, suppose that a particular modular exponentiation requires 800 multiplications. In that case 802 Montgomery steps will be needed: one to Montgomeryize the number being exponentiated, 800 to do the exponentiation, and one to de-Montgomeryize the result.
If a Montgomery step is even slightly faster than a conventional modular multiplication, the Montgomery algorithm will produce a faster result than conventional modular exponentiation.