Where to apply Montgomery Multiplication in GF(2^n)

Question

I'm optimizing a Reed Solomon decoding library for several polynomials in $\operatorname{GF}(2^k)$, $k\in\{8,10,12\}$.

Reading about the Montgomery Multiplication from Çetin K. Koç & Tolga Acar's Montgomery Multiplication in $\operatorname{GF}(2^k)$ (in Designs, Codes and Cryptography, 1998), I'm wondering if and how the method could help in polynomial reduction after carry free multiplication.

1. $t(x) = a(x)b(x)$ is a full length (2k-1) polynomial from carryless multiplication
2. $u(x) = t(x)n'(x) \bmod r(x)$ returns lower half of the $\operatorname{GF}$ multiplication
3. $(u(x)n(x) + t(x)) / r(x)$ corresponds to the higher half of one $\operatorname{GF}$ multiplication and one XOR

Instead of calculating $a(x)b(x) \bmod n(x)$, I have now $a(x)b(x)r^{-1}(x) \bmod n(x)$, and there's just one place where I can imagine using it. In inversion by modular exponentiation, where instead of calculating $a(x)^{254}$, I can calculate $(a(x)r^{-1}(x))^{254}$ and multiply that with a constant $r^{254}(x)$.

But can it be used e.g. in polynomial evaluation (used e.g. in syndrome calculation) or for modular reduction after $\operatorname{GF}$ multiplication?

Answer 1

The usual motivation for using Montgomery multiplication is that it significantly reduces the cost of modular reduction by changing the representation of elements. In the Montgomery ring the polynomial $A(x)$ is instead represented by $a(x)=A(x)r(x)\pmod{n(x)}$ where $r(x)$ is a fixed element of the same degree as $n(x)$, but for which division is very efficient (e.g. $x^k$). If likewise we have $B(x)$ represented by $b(x)=B(x)r(x)$ then $a(x)b(x)r^{-1}(x)\equiv A(x)B(x)r(x)\pmod{n(x)}$ which is the representation that we would choose for $A(x)B(x)$ and so your algorithm is way of implementing modular multiplication of polynomials in this representation without having to do a modular reduction. Addition and subtraction do not need new algorithms. If you have an algorithm involving many modular multiplies, it can be worthwhile converting to Montgomery ring representation, using Montgomery arithmetic and then converting back.

To convert $a(x)$ back to $A(x)$ we need to multiply by $r^{-1}(x)$, so it can be useful to precompute and save $r^{-1}(x)\pmod{n(x)}$. I don't know of any way to avoid modular reduction in this final conversion.

Evaluating using the Montgomery representation is possible, but requires a little extra work: to evaluate $A(x)\pmod{n(x)}$ given its representation $a(x)$ we have to evaluate $a(x)\pmod{n(x)}$ and $r^{-1}(x)\pmod{n(x)}$ and multiply the two answers together. However, if many evaluations are needed for the same input $m$, the value $r^{-1}(m)$ can be reused and the overhead is not as great.

Answer 2

Where to apply Montgomery Multiplication in $GF(2^n)$?

This answer really depends on how you constructed the binary extension field $GF(2^n)$. If the irreducible polynomial is trinomial or pentanomial then the reduction is already efficient!

Modular Multiplication with trinomials

Let $GF(2^n)$ is constructed with the trinomial $P(x)=x^m+x^n+1$ where $\alpha$ is the root of this polynomial with $1<n<m/2$.

Now you want to calcualte $C'(x) = C(x) \bmod P(x) $ where

$$C(x) = A(x)\cdot B(x) = \left( \sum_{i=0}^{m-1} a_i x^i \right)\ \cdot \left( \sum_{i=0}^{m-1} b_i x^i \right)$$

To reduce the multiplication cost use Karatsuba-Ofman multiplier. This may require some tuning since it has recursive nature and diving to the end may not be the best choice.

Now, once you had a $$C(x) = \sum_{i=0}^{2m-2} c_i x^i$$ you need reduction. We can use the $P(\alpha)=0$, and write

$$\begin{align} \alpha^m &= 1 + \alpha^n\\ \alpha^{m+1} &= \alpha + \alpha^{n+1}\\ \vdots & \quad \vdots\\ \alpha^{2m-3} &= \alpha^{m-3} + \alpha^{m+n-3}\\ \alpha^{2m-2} &= \alpha^{m-2} + \alpha^{m+n-2}\\ \end{align}$$

By using this we can say

$$\begin{align} c'_0 &= c_0 + c_m\\ c'_1 &= c_1 + c_{m+1}\\ \vdots \;\;& \quad \vdots\\ c'_{n-1} &= c_{n-1} + c_{m+n-1} + c_{m+n-1}\\ c'_{n} &= c_{n} + c_{m+n} + c_{m+n}\\ c'_{n+1} &= c_{n+1} + c_{m+n+1} +c_{m+n+1}\\ \vdots \;\;& \quad \vdots\\ c'_{m-2} &= c_{m-2} + c_{2m-2} + c_{2m-n-2}\\ c'_{m-1} &= c_{m-1} + c_{2m-n-1}\\ c'_{m} &= c_{m-2} + c_{2m-n}\\ \vdots \;\;& \quad \vdots\\ c'_{m+n-3} &= c_{m+n-3} + c_{2m-3}\\ c'_{m+n-2} &= c_{m+n-2} + c_{2m-2}\\ \end{align}$$

If one look at the above one should notice those;

1. The reduction is not complete since there are still $m-n$ to reduce.
2. The operations are just x-or and mapping.
3. The mapping is actually a loop

The cost of multiplication is just $m^2$ and roughly at most $2m$ additional x-or for the reduction!

When we turned back to Montgomery modular multiplication is has cost $2m^2$ multiplications and $2m^2-3m-1$ x-or operations.

Modular Multiplication with arbitrary irreducible polynomial

When you have an arbitrary irreducible polynomial for the binary extension field, the above table is no longer effective. Then you can turn back to Montgomery.

Note that the Montgomery Modular multiplication can also use the Karatsuba-Ofman to reduce the cost of multiplication that we did not take into account here!.

Some notes:

1. See how How does Montgomery reduction work? for the details of Montgomery (Integer case, almost same as polynomials)

2. If you need one modular multiplication then you don't need to turn both of them into their Montgomery residue representation. You can achieve by; $$MonPro(a(x),MontPro(b(x),1))$$ You can also use Montgomery in modular square-and-multiply.

3. Usually we select the irreducible polynomial during the design. There are already a Table of Low-Weight Binary Irreducible Polynomials by HP and methods Finding irreducible polynomials over GF(2) with the fewest terms

4. Inversion with power and modulus is not an effective method. There is already Itoh-Tsujii algorithm that uses $t \ll m$ multiplications and $m-1$ squaring. This algorithm is already beating the Extended-GCD.

Answer 3

The key to Montgomery Multiplication is the prescaling of one or two of the inputs by $r^k$ as stated in this answer by kelalaka to How Does Montgomery Reduction Work.

In the case of polynomial evaluation of

$$p = a_0 + a_1b^1 + a_2b^2 + ... + a_mb^m \mod n$$

by Horner's scheme:

$$p = (((a_m * B) + a_{m-1}) * B + ...) * B + a_0$$ $$ = (((a_m b ) + a_{m-1}) b + ...)b +a_0 \mod n$$

we can use the Montgomery representation $B$ for $b$ and where $*$ stands for the Montgomery Multiplication.

It still seems, that Montgomery Multiplication does not beat partial reduction, where each step in Horner's scheme is carried with $2k-1$ bits:

$$p_n = a_n$$ $$ p_{j-1} = (p_j \mod r^k) b + (p_j / r^k) B + a_{j-1}$$ $$ p = p_0 \mod n(x) $$

The first term calculates full sized polynomial (or integer) multiplication from the least signicant $k$ bits of $p_j$, the other term partially reduces the top $k-1$ bits using again the full length polynomial multiplication. Thus the polynomial reduction is postponed as the last step of the evaluation.