You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: src/algebra/montgomery_multiplication.md
+14-23Lines changed: 14 additions & 23 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -1,13 +1,12 @@
1
1
<!--?title Montgomery Multiplication -->
2
2
# Montgomery Multiplication
3
3
4
-
Many algorithms in number theory, like [prime testing](./algebra/primality_tests.html) or factorization, and in cryptography, like RSA, require lots of operations modulo a large number.
5
-
4
+
Many algorithms in number theory, like [prime testing](./algebra/primality_tests.html) or [integer factorization](./algebra/factorization.html), and in cryptography, like RSA, require lots of operations modulo a large number.
6
5
A multiplications like $x y \bmod{n}$ is quite slow to compute with the typical algorithms, since it requires a division to know how many times $n$ has to be subtracted from the product.
7
6
And division is a really expensive operation, especially with big numbers.
8
7
9
8
The **Montgomery (modular) multiplication** is a method that allows computing such multiplications faster.
10
-
Instead of dividing the product and subtracting $n$ multiple times, it adds multiples of $n$ to cancel out the lower bits and then just discards the lower bits.
9
+
Instead of dividing the product and subtracting the $n$ multiple times, it adds multiples of $n$ to cancel out the lower bits and then just discards the lower bits.
11
10
12
11
## Montgomery representation
13
12
@@ -16,7 +15,7 @@ The algorithm works only in the **Montgomery space**.
16
15
And we need to transform our numbers into that space, before we can start multiplying.
17
16
18
17
For the space we need a positive integer $r \ge n$ coprime to $n$, i.e. $\gcd(n, r) = 1$.
19
-
In practice we always choose $r$ to be $2^m$ for a positive integer $m$, since multiplications, divisions and modulo $r$ operations can then be efficiently implemented using shifts and other bit operations.
18
+
In practice we always choose $r$ to be $2^m$ for a positive integer $m$, since multiplications, divisions and modulo $r$ operations can then be efficiently implemented using shifts and bit operations.
20
19
$n$ will be an odd number in pretty much all applications, since it is not hard to factorize an even number.
21
20
So every power of $2$ will be coprime to $n$.
22
21
@@ -34,8 +33,7 @@ You can add two elements ($x \cdot r + y \cdot r \equiv (x + y) \cdot r \bmod n$
Both $r^{-1}$ and $n^{\prime}$ can be computed using the [Extended Euclidean algorithm](./algebra/extended-euclid-algorithm.html).
53
51
54
52
Using this identity we can write $x \cdot r^{-1}$ as:
55
-
$$\begin{aligned}
53
+
$$\begin{array}{rl}
56
54
x \cdot r^{-1} &= x \cdot r \cdot r^{-1} / r = x \cdot (-n \cdot n^{\prime} + 1) / r \\\\
57
55
&= (-x \cdot n \cdot n^{\prime} + x) / r \equiv (-x \cdot n \cdot n^{\prime} + l \cdot r \cdot n + x) / r \bmod n\\\\
58
56
&\equiv ((-x \cdot n^{\prime} + l \cdot r) \cdot n + x) / r \bmod n\\\\
59
-
\end{aligned}$$
57
+
\end{array}$$
60
58
61
59
The equivalences hold for any arbitrary integer $l$.
62
-
This means, that we can add or subtract an arbitrary multiple of $r$ to $x \cdot n^{\prime}$, or in other words, we can compute $q := x \cdot n^{\prime}$ modulo $r$.
60
+
This means, that we can add an arbitrary multiple of $r$ to $x \cdot n^{\prime}$, or in other words, we can compute $q := x \cdot n^{\prime}$ modulo $r$.
63
61
64
62
This gives us the following algorithm to compute $x \cdot r^{-1} \bmod n$:
65
63
66
-
```text
64
+
```
67
65
function reduce(x):
68
66
q = (x mod r) * n' mod r
69
67
a = (x - q * n) / r
70
68
if a < 0:
71
69
a += n
72
70
return a
71
+
endfunction
73
72
```
74
73
75
74
Since $x < n \cdot n < r \cdot n$ (even if $x$ is the product of a multiplication) and $q \cdot n < r \cdot n$ we know that $-n < (x - q \cdot n) / r < n$.
@@ -86,13 +85,13 @@ For computing the inverse $n^{\prime} := n^{-1} \bmod r$ efficiently, we can use
86
85
$$a \cdot x \equiv 1 \bmod 2^k \Longrightarrow a \cdot x \cdot (2 - a \cdot x) \equiv 1 \bmod 2^{2k}$$
87
86
This can easily be proven.
88
87
If we have $a \cdot x = 1 + m \cdot 2^k$, then we have:
89
-
$$\begin{aligned}
88
+
$$\begin{array}{rl}
90
89
a \cdot x \cdot (2 - a \cdot x) &= 2 \cdot a \cdot x - (a \cdot x)^2 \\\\
91
90
&= 2 \cdot (1 + m \cdot 2^k) - (1 + m \cdot 2^k)^2 \\\\
This means we can start with $x = 1$ as the inverse of $a$ modulo $2^1$, apply the trick a few times and in each iteration we double the number of correct bits of $x$.
98
97
@@ -170,27 +169,19 @@ There are faster ways.
170
169
171
170
You can notice the following relation:
172
171
$$\bar{x} := x \cdot r \bmod n = x \cdot r^2 / r = x * r^2$$
173
-
174
-
Transforming a number into the space is just a multiplication inside the space of the number with $r^2$.
172
+
Transforming a number into spaces is just a multiplication inside the space of the number with $r^2$.
175
173
Therefore we can precompute $r^2 \bmod n$ and just perform a multiplication instead of shifting the number 128 times.
176
174
177
-
In the following code we initialize `r2` with `-n % n`, which is equivalent to $r - n \equiv r \bmod n$, shift it 4 times to get $r \cdot 2^4 \bmod n$.
178
-
This number can be interpreted as $2^4$ in Montgomery space.
179
-
If we square it $5$ times, we get $(2^4)^{2^5} = (2^4)^{32} = 2^{128} = r$ in Montgomery space, which is exactly $r^2 \bmod n$.
0 commit comments