2

I have Montgomery exponentiation working, but it's working quite slow. I suspect there are two reasons for this - I implemented it bit size instead of word size (I didn't realize at the time that software implementation should use word size).

The second is how I select R. Given a modulus N with bit length n, I'm calculating R by raising 2 to the power of the bit length of N, n. i.e. This is way all the examples I've seen use, but they all use small numbers. Every number I'm dealing with here has at least 1024 bits. 

BigInteger R = new BigInteger("2").pow(n.bitLength());

I suspect this might be why my Montgomery is running slower than my Right-To-Left binary implementation - can anyone give me a more efficient way of selecting r? (In as simple English as possible please!)

Edit - the full code is at - https://codereview.stackexchange.com/questions/18199/optimization-of-exponentiation if anyone want to have a look at it.

Community
  • 1
Saf
  • 205
  • 2
  • 7

1 Answers1

5

Montgomery multiplication makes sense only with word sizes. If your word size is $w$ (e.g. $w = 32$ if you have 32-bit words), then $R = 2^{kw}$ for some integer $k$; you choose $k$ as small as possible, given that you must have $R \geq N$.

In plain words, if your modulus $N$ has size $n$ bits, then you look for the next multiple of $w$. For a 1024-bit modulus, which is already a multiple of 32, you use $R = 2^{1024}$. For a 1025-bit modulus, you would use $R = 2^{1056}$.

You really want to read chapter 14 of the Handbook of Applied Cryptography.

kelalaka
  • 49,797
  • 12
  • 123
  • 211
Thomas Pornin
  • 88,324
  • 16
  • 246
  • 315