or
or
By clicking below, you agree to our terms of service.
Sign in with Wallet
New to HackMD? Sign up
| Syntax | Example | Reference | |
|---|---|---|---|
| # Header | Header | 基本排版 | |
| - Unordered List |
|
||
| 1. Ordered List |
|
||
| - [ ] Todo List |
|
||
| > Blockquote | Blockquote |
||
| **Bold font** | Bold font | ||
| *Italics font* | Italics font | ||
| ~~Strikethrough~~ | |||
| 19^th^ | 19th | ||
| H~2~O | H2O | ||
| ++Inserted text++ | Inserted text | ||
| ==Marked text== | Marked text | ||
| [link text](https:// "title") | Link | ||
|  | Image | ||
| `Code` | Code |
在筆記中貼入程式碼 | |
| ```javascript var i = 0; ``` |
|
||
| :smile: |  |
Emoji list | |
| {%youtube youtube_id %} | Externals | ||
| $L^aT_eX$ | LaTeX | ||
| :::info This is a alert area. ::: |
This is a alert area. |
On a scale of 0-10, how likely is it that you would recommend HackMD to your friends, family or business associates?
Please give us some advice and help us improve HackMD.
Syncing
xxxxxxxxxx-
Any changes
Be notified of any changes
-
Mention me
Be notified of mention me
-
Unsubscribe
SubscribeMontgomery Multiplication
Algorithm
Consider prime field \(\mathbb{F}_p\), select power of two \(2^w\) such that \(R=2^w > p\), we know that mod by R can be computed by bit shifting.
Montgomery Form
For \(x \in \mathbb{F}_p\), define Montgomery form of \(x\) as,
\[\bar{x} = xR \pmod p\]
Transform To Montgomery Form
Transforming \(x\) to Montgomery form can be done by left-shift \(x\) by \(w\) and reduce modulo \(p\). In practice, \(x\) and \(y\) are transformed to Montgomery form at the beginning of a computation, and transformed back at the end.
Montgomery Form Arithmetic
Addition and subtraction in Montgomery form are the same as ordinary modular addition and subtraction because:
\[aR+bR=(a+b)R\\ aR−bR=(a−b)R\]
Define Montgomery multiplication \(mont\_mult(\bar{x}, \bar{y})\) as,
\[\text{mont_mult}(\bar{x}, \bar{y}) = \bar{x} \bar{y} R^{-1} \pmod p\]
Where \(R^{-1}\) is pre-computed from \(R\) such that,
\[ RR^{-1} = 1 \pmod p\]
We know that,
\[\text{mont_mult}(\bar{x}, \bar{y}) = xyR \pmod p = \overline{xy}\]
Transform From Montgomery Form
Finally, according to the definition of \(\bar{x}\), to tranform montgormery form \(\bar{x}\) back to normal form \(x\), we multiply \(\bar{x}\) by \(2^{-w}\) and reduce modulo \(p\)
\[x = \bar{x} R^{-1} \pmod p\]
Compute \(\bar{x} \bar{y} R^{-1} \pmod p\)
Computing muliply by \(R^{-1}\) then divide by \(p\) is slow. The
REDCalgorithm, aka Montgomery reduction, is used to simultaneously compute the product by \(R^{-1}\) and reduce modulo \(p\). Given \(T=\bar{x} \bar{y}\),\[\text{REDC}(T) = TR^{-1} \pmod p \\ = \bar{x} \bar{y}R^{-1} \pmod p = \text{mont_mult}(\bar{x}, \bar{y})\]
Intuition: Montgomery reduction focuses on making the number more divisible by \(R\). It does this by adding a small multiple of \(p\) which is chosen to cancel the residue modulo \(R\) (\(w\) bits of tailing \(0\)s). Dividing the result by \(R\) (right-shift) yields a much smaller number that is nearly the reduction modulo \(p\), and computing the reduction modulo \(p\) requires only a final conditional subtraction.
For correctness proof, please refer to [1].
Also note we can use \(\text{redc}(xR^2)\) to fast calculate \(\bar{x}\).
Implementation: Multi-Precision Reduce (mpReduce)
The algorithm begins with a multiprecision integer \(T\) and reduces it one word at a time. First an appropriate multiple of \(p\) is added to make \(T\) divisible by \(2^w\). Then a multiple of \(p\) is added to make \(T\) divisible by \(2^{2w}\), and so on. Eventually \(T\) is divisible by \(R\), and after division by \(R\) the algorithm is in the same place as
REDCwas after the computation of \(t\).References
[1] https://en.wikipedia.org/wiki/Montgomery_modular_multiplication
[2] https://hackmd.io/@chaosma/H1uSK1C35
[3] https://hackmd.io/@gnark/modular_multiplication
[4] https://www.microsoft.com/en-us/research/wp-content/uploads/1998/06/97Acar.pdf
tags:
msmzkppublic