
I'm doing Montgomery arithmetic modulo $N = 2^{255}-19$ for Curve25519, picking $R = 2^{256}$ for Montgomery.

After multiplying two numbers $0 \leq A,B < N$ in the Montgomery representation using MonMul, I would normally obtain the result $0 \leq C < N$ also in the Montgomery representation.

However, if I forget the conditional subtraction in MonMul I obtain some $0 \leq C^{\prime} < 2N$. In other words, I basically ended up in a different representation which is not unique anymore.

I could live with that and do all the additions/subtractions modulo $2^{256}-38$ instead afterwards. That means I basically postponed the conditional subtraction until the end of my whole computation.

But my question is what happens if I have to do MonMul again somewhere during my computation? It would mean that one (or both) of the input numbers for MonMul could be in fact between $N$ and $2N$.

Do I have to make the conditional subtraction before doing the MonMul again (to put my numbers back in the right representation)? Or can I still postpone it until the end? I realized that not doing the subtraction before any repeated multiplication didn't spoil the computation so far. Does it really hold universally for my $N$?




Theorem 2 in [Dussé et al. 1991] states that, if we skip the final subtraction, then, for $N < R / 4$ and $0 \leq A, B < 2 N$, we have $0 \leq C = \text{MonMul}(A B) < 2 N$, while keeping $C \equiv A B R^{-1} \pmod N$. I think the condition $N < R / 4$ inherently holds in your case, i.e., you are using a larger $R$ value actually.
