Montgomery Reduction

To get the actual $c=a\cdot b \mod n$, we will have to additionally convert back from montgomery form using $\mathsf{fromMont}(\bar{c})$.

Definition 2. Montgomery Reduction is an efficient reduction method to calculate $T\cdot R^{-1}\mod n$ for a given $T < n\cdot R$. This operation can also be denoted as:

The key idea to perform Montgomery Reduction efficiently is to find an integer $m$ such that $T + m\cdot n$ is exactly divisible by $R$. Then the desired result can be computed as:

What will happen if we precompute $R^{-1}$ to compute this?

We need to find $m$ such that $T+m⋅n≡0 \mod R$

To calculate $m$ efficiently, we use a precomputed value $n'=−n^{−1} \mod R$. This $n'$ exists because $\mathsf{gcd}(n,R)=1$. Now, we have $m\coloneqq T\cdot n'\mod R$ and $\mathsf{REDC}$ can be defined as:

$T<n\cdot R$ so $(T\gg k)=T/R< n$

$m < R$ so $(m\cdot n \gg k) = n\cdot m / R< n$

Hence, $((T+m\cdot n)\gg k) < 2n$ so we just need to subtract $n$ once if $((T+m\cdot n)\gg k)\geq n$ to take the modulus.

Given $T < n\cdot R$, and precomputed $n' \coloneqq −n^{−1} \mod R$.

Calculate $m=(T⋅n') \mod R=\mathsf{lowbits}_k(\mathsf{lowbits}_k(T)\cdot n')$. (Effectively: multiply the lowest $k$ bits of $T$ by $n'$, take the lowest $k$ bits of the product).

Compute $x=(T+m⋅n)/R$. (Involves one multiplication $m\cdot n$, one addition, and one right shift by $k$).

Return $x−n$ if $x\geq n$, otherwise return $x$.

With some precomputation and using Montgomery Reduction $\mathsf{REDC}$, we can optimize the $\mathsf{doMontMul}(\bar{a}, \bar{b})$, $\mathsf{toMont}(x)$, and $\mathsf{fromMont}(\bar{x})$ operations as following:

Precompute $Rsq' := R^2 \mod n$ and $n':=-(n^{-1})\mod R$:

In a multi-precision setting, suppose the modulo $n$ has $l$ limbs. Let $R=B^l$, where $w$ is limb bit width and $B=2^w$. To calculate $T\cdot R^{-1}=T\cdot B^{-l}\mod n$, the multi-precision Montgomery Reduction operates iteratively on:

where $T_i$ represents limb values. At each iteration, the limbs of $T$ are reduced one by one which is done by partial reduction. The first partial reduction looks like so:

and so on. After $l$ iterations, we have $T\cdot B^{-l}\mod n$ with $l$ limbs. The values of limbs change at each round because $T^{(i)}_i \cdot B^{-1} \mod n$ is also a multi-precision integer.

How to multiply by the inverse of $B$?

At round $i$, we need to calculate $(T^{(i-1)}_{i-1}\cdot B^{-1} \mod n)$. This can be done efficiently, similar to the single-precision case by adding some multiple of $n$ to make it divisible by $B$:

Precompute $n'\coloneqq -n^{-1}\mod B$.

Calculate $m_i\coloneqq T^{(i-1)}_{i-1}\cdot n' \mod B$. Then we have $T^{(i-1)}_{i-1} + m_i\cdot n \equiv T^{(i-1)}_{i-1} -T^{(i-1)}_{i-1}\cdot n^{-1}\cdot n \equiv 0\mod B$

Calculate $T^{(i-1)}_{i-1}\cdot B^{-1} \equiv (T^{(i-1)}_{i-1} + m_i\cdot n)\cdot B^{-1}\equiv (T^{(i-1)}_{i-1} + m_i\cdot n)\gg w\mod n$ .

Since $m_i < B$ and $T^{(i-1)}_{i-1} < B$, we have

which means after step 3, we don't have to worry about subtracting $n$.

While trying to reduce, we add $m_i\cdot n$ every round which can cause potential overflow in the largest limb. Let's calculate how much we added in total. If we omit dividing by $B$, at each round, we can see that at each round $i$, we add $m_i \cdot n\cdot B^{i-1}$. This can be confusing but if you think of round $i$ as adding some value $m_i\cdot n$ to convert the $(i-1)$-th limb to 0, it can be more easier to see.

This gives that total sum can be $T+n\cdot R <R^2+n\cdot R < 2R^2=2\cdot2^{2lw}=2^{2lw+1}$ which needs $2l+1$ limbs. For $T$, we already need $2l$ limbs and after the first step, the least significant limb will be 0's which can be discarded. In the first round, we have a maximum value of $T+n<n\cdot R + n=n(R+1)\leq(R-1)(R+1)=R^2-1$ so it fits within the $2l$ limbs. So, if we discard the least significant limb after first round, we don't actually need extra limb space to handle the overflowing.

A complete round $i$ of partial reduction can be summarized by the following steps:

Compute $m_i=n' \cdot T^{(i-1)}_{i-1} \mod R$ (which costs $1\times 1$ limb multiplication).

Compute $m_i\cdot n$ (which costs $1 \times l$ limb multiplication).

Set $T^{(i)}=(T^{(i-1)} + m_i\cdot n ) \gg w$.

Now, let's calculate the upper bound on the final result of the reductions. First of all, we saw above that, the total added value has an upper bound of $n\cdot R$, and using $T<n\cdot R$, we have:

Therefore, the reduced value may require one additional subtraction to bring the value within the range $[0,\dots,n-1]$. Since we need $l+1$ limb multiplications for steps 1 and 2, over $l$ rounds, we will need a total of $l^2+l$ limb multiplications.

We have seen that we need to do $l^2+l$ multiplications per round for multi-precision Montgomery Reduction. However, that we can reduce it to $l^2+1$. Let's see what happens if we just precompute $B'=B^{-1} \mod n$ and multiply the free coefficients with $B'$. Then, the partial reduction round $i$ becomes:

Compute $m'_i=T^{(i-1)}_{i-1}\cdot B'$ which is $1\times l$ limb multiplication, resulting in a $l+1$ limb integer.

Set $T^{(i)}=(T^{(i-1)}\gg w) + m'_i$.

So it hasn't changed. Which means the upper bound on the value after $l$ reductions will also be the same:

This gives us the total cost of $l\cdot l =l^2$ limb multiplications. Ingonyama's article mentions that this reduction cannot be applied in the last step because $T^{(l)}=(T^{(l-1)}\gg w) + m'_i$ will result in a $l+1$ limb integer while in the traditional case, we have $l$ limbs. Indeed it is true since we add it after the bit shift unlike the original version but if the result is less than $2\cdot n$, it shouldn't matter.

In the SOS method above, we iteratively divided $t$ by $B$ $l$ times where $B$ denotes the limb base ($2^w$) and $l$ denotes the number of the limbs. $l$ iterations gives the desired result $t \cdot R^{-1} \mod n$ since $R = B^l$. Now we can discard the lower $l$ limbs, which is technically equivalent to dividing by $R$.

Multiply two large integers in Montgomery form using a .

Perform Montgomery reduction to produce $\bar{c} = \bar{a} \cdot \bar{b}$ from $\bar{a} \cdot \bar{b} \cdot R$.

Interleaving multiplication and reduction is valid since the value of $m$ in the $i$-th iteration of the outer loop for reduction depends only on the value $t[i]$, which is completely computed by the $i$-th iteration of the outer loop for the multiplication.

SOS with Ingonyama's optimization saves $l-1$ multiplications ($2l^2 + 1$ vs. $2l^2 + l$) whereas CIOS saves $l-1$ memory space compared to SOS ($2l+2$ vs. $l+3$) owing to not storing the total $t$. CIOS can be further optimized using .

Written by and from