Montgomery reduction

From Wikipedia, the free encyclopedia
Jump to: navigation, search

In arithmetic computation, Montgomery reduction is an algorithm introduced in 1985 by Peter Montgomery [1] [2] that allows modular arithmetic to be performed efficiently when the modulus is large (typically several hundred bits).

A single application of the Montgomery algorithm (henceforth referred to as a "Montgomery step") is faster than a "naive" modular multiplication:

c \equiv a \times b \pmod n. \,

Because numbers have to be converted to and from a particular form suitable for performing the Montgomery step, a single modular multiplication performed using a Montgomery step is actually slightly less efficient than a "naive" one. However, modular exponentiation can be implemented as a sequence of Montgomery steps, with conversion only required once at the start and once at the end of the sequence. In this case the greater speed of the Montgomery steps far outweighs the need for the extra conversions.

Formal statement[edit]

Let N be a positive integer, R and T be integers such that R>N, \gcd(N,R)=1, and 0\leqslant T<NR, and let R^{-1} be the multiplicative inverse modulo N of R. The Montgomery reduction of T modulo N with respect to R is defined as the value

TR^{-1} \pmod{N}. \,

A systematic interpretation of Montgomery reduction and the definition of Montgomery multiplication operation is based on the 2nd generalized division algorithm; see Euclidean division#Generalized division algorithms.

The algorithm used to calculate this reduction is much more efficient than the classical method of taking a product over the integers and reducing the result modulo N.

Use in cryptography[edit]

Many important cryptosystems such as RSA and DSA are based on arithmetic operations, such as multiplications, modulo a large number. [3] The classical method of calculating a modular product involves first multiplying the numbers as if they were integers and then taking the modulo of the result. However, modular reduction is very expensive computationally—equivalent to dividing two numbers.

The situation is even worse when the algorithm requires modular exponentiation. Classically, a^b \pmod {N} is calculated by repeatedly multiplying a by itself b times, each time reducing the result modulo N. Note that taking a single modulo at the end of the calculation will result in increasingly larger intermediate products—infeasible if b is very large.

Rationale[edit]

We wish to calculate c such that

 c \equiv a \times b \pmod {N}.

Rather than working directly with a and b, we define the residue



\bar a  \equiv aR \pmod {N}

\bar b  \equiv bR \pmod {N}

The number R is chosen both greater than and relatively prime to N, such that division and remainder operations are easy. A power of two is generally chosen so that these operations become shifts and bitwise masks respectively. The numbers R and N are guaranteed to be relatively prime if N is odd and R is a power of two, as is typical in cryptographic applications.

Addition and subtraction operations are the same:

xR + yR \equiv zR \pmod{N}

if and only if

x + y \equiv z \pmod{N}.

This is important because converting between natural and residue representations is expensive, and we would prefer to work in one representation as much as possible and minimise conversions.

To define multiplication, define the modular inverse of R, R^{-1} such that

RR^{-1} \equiv 1 \pmod {N}

in other words

RR^{-1} = kN + 1

where k is a positive integer. Bezout's identity theorem claims such a R^{-1} and k exist and can be calculated by the Extended Euclidean algorithm. Now if

c \equiv a \times b \pmod {N}

then

 \bar c \equiv cR \equiv (a \times b)R \equiv (aR \times bR) R^{-1} \equiv (\bar a \times \bar b) R^{-1} \mod{N}

and then

 c \equiv \bar c R^{-1} \mod{N}.

It turns out that this is easy to calculate using the following algorithm.

Description of Algorithm[edit]

The Montgomery reduction algorithm Redc(T) calculates TR^{-1} \pmod{N} as follows:

m := (k (T \bmod R))\bmod {R}
t := (T + mN)/R
if  t \ge N return t - N else return t.

Note that only additions, subtractions, multiplications, and integer divides and modulos by R are used – all of which are 'cheap' operations.

To understand why this gives the right answer, consider the following:

  • mN \equiv TkN \pmod{R}. But by the definition of R^{-1} and k, kN + 1 is a multiple of R, so TkN \equiv -T \pmod{R}. Therefore, (T + mN) \equiv 0 \pmod{R}; in other words, (T + mN) is exactly divisible by R, so t is an integer.
  • Furthermore, tR = (T + mN) \equiv T \pmod {N}; therefore, t \equiv TR^{-1} \mod{N}, as required.
  • Assuming 0 \le T < RN, t < 2N (as m < R). Therefore the return value is always less than N.

Therefore, we can say that

\bar c = \mbox{Redc}(\bar a \times \bar b).

Using this method to calculate c is generally less efficient than a naive multiplication and reduction, as the cost of conversions to and from residue representation (multiplications by R and R^{-1} modulo N) outweigh the savings from the reduction step. The advantage of this method becomes apparent when dealing with a sequence of multiplications, as required for modular exponentiation (e.g. exponentiation by squaring).

Examples[edit]

The Montgomery step[edit]

Working with n-digit numbers to base d, a Montgomery step calculates a \times b \div d^n\pmod r. The base d is typically 2 for microelectronic applications, 28 for 8-bit firmware,[4] or 232 or 264 for software applications. For the purpose of exposition, we shall illustrate with d = 10 and n = 4.

To calculate 0472 × a ÷ 10000:

  1. Zero the accumulator.
  2. Starting from the last digit; add 2a to the accumulator.
  3. Shift the accumulator one place to the right (thus dividing by 10).
  4. Add 7a to the accumulator.
  5. Shift the accumulator one place to the right.
  6. Add 4a to the accumulator.
  7. Shift the accumulator one place to the right.
  8. Add 0a to the accumulator.
  9. Shift the accumulator one place to the right.

It is easy to see that the result is 0.0472 × a, as required.

To turn this into a modular operation with a modulus r, add, immediately before each shift, whatever multiple of r is needed to make the value in the accumulator a multiple of 10.

The result will be that the final value in the accumulator will be an integer (since only multiples of 10 have ever been divided by 10) and equivalent (modulo r) to 472 × a ÷ 10000.

Finding the appropriate multiple of r is a simple operation of single-digit arithmetic. When working to base 2, it is trivial to calculate: if the value in the accumulator is even, the multiple is 0 (nothing needs to be added); if the value in the accumulator is odd, the multiple is 1 (r needs to be added).

The Montgomery step is faster than the methods of "naive" modular arithmetic because the decision as to what multiple of r to add is taken purely on the basis of the least significant digit of the accumulator. This allows the use of carry-save adders, which are much faster than the conventional kind but are not immediately able to give accurate values for the more significant digits of the result.

Modular multiplication[edit]

Consider the following pair of calculations:

24 × 73 = 1752
240000 × 730000 ÷ 10000 = 17520000

It can be seen that if we choose to represent integers by 10000 times themselves (let us temporarily call this a "Montgomery representation") then the result of a Montgomery step on the Montgomery representation of a and the Montgomery representation of b is the Montgomery representation of a × b.

Thus we can use a Montgomery step to perform a modular multiplication by "Montgomeryizing" both operands before the Montgomery step and "de-Montgomeryizing" the result after it.

To "de-Montgomeryize" a number—in other words, to take it from its representation as "12340000" to a conventional representation as "1234"—it suffices to do a single Montgomery step with the number and 1: 12340000×1÷10000=1234.

To "Montgomeryize" a number—in other words, to take it from its conventional representation to a representation as "12340000"—it suffices to do a single Montgomery step with the number and 100000000: 1234×100000000÷10000=12340000.

The value of 100000000 modulo r can be precomputed, since the same modulus r is usually used many times over.

The total budget for a single modular multiplication is thus two Montgomery steps: the first, on a and b, yields ab/R, and the second, on this product and R^2, yields (ab/R)\cdot R^2/R = ab.

Usually, this is not a favorable trade-off for a single multiplication, as a conventional modular multiplication is faster than two Montgomery steps. However, Montgomery reduction is easier to make resistant to side-channel attacks, so in some circumstances the Montgomery technique may be preferable.

Modular exponentiation[edit]

Raising a number to a k-bit exponent involves between k and 2k multiplications. In most applications of modular exponentiation the exponent is at least several hundred bits long.

To fix our ideas, suppose that a particular modular exponentiation requires 800 multiplications. In that case 802 Montgomery steps will be needed: one to Montgomeryize the number being exponentiated, 800 to do the exponentiation, and one to de-Montgomeryize the result.

If a Montgomery step is even slightly faster than a conventional modular multiplication, the Montgomery algorithm will produce a faster result than conventional modular exponentiation .[5]

Side channel attacks[edit]

When using it as a part of a cryptographically secure algorithm, unmodified Montgomery reduction is vulnerable to side channel attacks, where the attacker can learn about the inner workings of the algorithm by studying the differences in time, power-consumption or any other parameter affected by the fact that the algorithm performs very different actions depending on the input. However it is simple to modify the algorithm or the hardware to make it resistant to such attacks.[4][6]

References[edit]

  1. ^ Peter Montgomery. Modular Multiplication Without Trial Division, Math. Computation, vol. 44, pp. 519–521, 1985.
  2. ^ Martin Kochanski, Montgomery Multiplication A colloquial explanation.
  3. ^ Chapter 14 of Alfred J. Menezes, Paul C. van Oorschot, and Scott A. Vanstone. Handbook of Applied Cryptography. CRC Press, 1996. ISBN 0-8493-8523-7.
  4. ^ a b Zhe Liu, Johann Großschädl, and Ilya Kizhvatov. "Efficient and Side-Channel Resistant RSA Implementation for 8-bit AVR Microcontrollers".
  5. ^ Cetin K. Koc, Tolga Acar, Analyzing and Comparing Montgomery Multiplication Algorithms 16 (3). 1996. pp. 26–33. CiteSeerX: 10.1.1.26.3120. 
  6. ^ Marc Joye and Sung-Ming Yen. "The Montgomery Powering Ladder". 2002.