Questions tagged [montgomery-multiplication]

A modular multiplication algorithm invented by Peter Montgomery that allows modular arithmetic to be performed efficiently when the modulus is large (typically several hundred bits).

The Montgomery reduction algorithm Redc(T) calculates T R^{-1} mod N as follows, where R > N with gcd(R, N) = 1 (in practice a power of two) and k = -N^{-1} mod R is precomputed once per modulus:

m := (k (T mod R)) mod R
t := (T + mN) / R
if t >= N return t - N else return t.

Using this method to calculate a single product c = ab mod N is generally less efficient than a naive multiplication and reduction, as the cost of the conversions to and from residue representation (multiplications by R and R^{-1} modulo N) outweighs the savings from the reduction step.

The advantage of this method becomes apparent when dealing with a sequence of multiplications, as required for modular exponentiation (e.g. exponentiation by squaring).

Many important cryptosystems such as RSA and DSA are based on arithmetic operations, such as multiplications, modulo a large number. The classical method of calculating a modular product involves first multiplying the numbers as if they were integers and then taking the modulus of the result. However, modular reduction is very expensive computationally—equivalent to dividing two numbers.

When several successive modular multiplications are required modulo the same modulus, as in modular exponentiation, the saving in modular reduction from Montgomery reduction often outweighs the cost of conversion to and from Montgomery form.
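The three-line Redc above, together with the conversions into and out of Montgomery form and the square-and-multiply loop that amortises them, as an added example (not part of the tag wiki). It assumes R is a power of two and N is odd, so "mod R" and "/ R" become a mask and a shift; the function names are the example's own.

```python
# Added example: Montgomery reduction (Redc) as in the tag wiki, using the
# same symbols T, R, N, k, m, t.  Requires Python 3.8+ for pow(N, -1, R).

def montgomery_params(N: int, R: int):
    """Precompute k = -N^{-1} mod R and R^2 mod N (used to enter Montgomery form)."""
    assert R > N and R & (R - 1) == 0 and N % 2 == 1, "R a power of two, N odd"
    k = (-pow(N, -1, R)) % R
    return k, (R * R) % N

def redc(T: int, N: int, R: int, k: int) -> int:
    """Redc(T) = T * R^{-1} mod N for 0 <= T < N*R."""
    assert 0 <= T < N * R
    m = (k * (T & (R - 1))) & (R - 1)          # m := (k (T mod R)) mod R
    t = (T + m * N) >> (R.bit_length() - 1)    # t := (T + mN) / R, exact since R | T + mN
    return t - N if t >= N else t              # the single conditional "extra" subtraction

def to_mont(a, N, R, k, r2):
    return redc(a * r2, N, R, k)               # a -> aR mod N (multiply by R^2, reduce once)

def from_mont(a_m, N, R, k):
    return redc(a_m, N, R, k)                  # aR -> a mod N

def mont_mul(a_m, b_m, N, R, k):
    return redc(a_m * b_m, N, R, k)            # (aR)(bR)R^{-1} = (ab)R mod N

def mont_pow(base: int, exp: int, N: int, R: int) -> int:
    """Square-and-multiply done entirely in Montgomery form: one conversion in, one out."""
    k, r2 = montgomery_params(N, R)
    x = to_mont(base % N, N, R, k, r2)
    acc = to_mont(1, N, R, k, r2)              # R mod N is the Montgomery representation of 1
    for bit in bin(exp)[2:]:
        acc = mont_mul(acc, acc, N, R, k)
        if bit == "1":
            acc = mont_mul(acc, x, N, R, k)
    return from_mont(acc, N, R, k)

if __name__ == "__main__":
    N, R = 2**255 - 19, 2**256                 # Curve25519 field prime, R = 2^256
    assert mont_pow(3, 12345, N, R) == pow(3, 12345, N)
```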

47 questions

9 votes, 1 answer
Which one is fastest? Karatsuba or Montgomery multiplication?
Is there any complexity analysis between Karatsuba and Montgomery multiplication algorithms? It seems that Karatsuba is more general in the sense that it is not modulo tuned while Montgomery it is. Does also a hybrid model using Karatsuba and…
curious (6,280 rep)

9 votes, 2 answers
RSA Timing Attack on "Extra" Montgomery Reduction
In "A practical implementation of the timing attack", the authors take advantage of a timing difference that stems from "extra reductions" that occur when multiplying numbers in the Montgomery form. After implementing a toy example of this attack, I…

8 votes, 1 answer
How does Montgomery reduction work?
I want to reduce a multi-precision integer $x$ modulo a prime $p$, very fast. Performing the traditional Euclidean division for only calculating the modulo is inefficient, and modular reduction is at the heart of many cryptographic primitives like…
Aravind A (1,090 rep)

5 votes, 1 answer
Reverse engineering hardware crypto processor for modular multiplication
I'm currently working with an undocumented crypto offload processor that is capable of accelerating modular multiplication in some fashion. I need to figure out what operation it is implementing exactly in order to emulate it in software. The…

5 votes, 1 answer
Concrete example of Montgomery Multiplication
I have read about Montgomery Multiplication on several sites, but I haven't found any examples on specific numbers that explain the algorithm to someone who doesn't have a PhD in number theory. I know it involves converting the numbers into a…

4 votes, 1 answer
How to use Montgomery arithmetic for elliptic curves (FIAT cryptography)
Let us consider the source code for curve P-256 from BoringSSL. This source code can be found here. This source code uses the FIAT generated implementation for field arithmetic. This implementation can be found here. In the source generated by FIAT…
mip (327 rep)

4 votes, 1 answer
Efficient setup for a Montgomery multiplication
Montgomery described an efficient method to compute a modular multiplication. This works by using a special constant $R$ and assumes the inputs $a$ and $b$ have been made into a special representation (residues $aR\mod N$ and $bR\mod N$) and…
bob (1,248 rep)

4 votes, 2 answers
Why should $a,b < N$ for Montgomery Reduction?
In Montgomery reduction, when calculating $a \times b \mod N$, it is required that $a \lt N$ and $b \lt N$. I think $0 \le T \lt N \times R$ is enough for the Montgomery Reduction. Rationale: Let $a' = a \times R \mod N$, let $b' = b \times R \mod…
Alpha (41 rep)

4 votes, 1 answer
Blockwise Montgomery multiplication
I have to implement a 256*256 bit Montgomery multiplier for pairing computations. The straightforward approach is to use a bit-serial version, but I would like to utilize the built-in 64*64 bits multipliers on soft cores of modern FPGA devices,…

3 votes, 0 answers
No Final subtraction in Word-level Montgomery Multiplication
I am trying to make an RSA module in VHDL, which in turn will be deployed to an FPGA. I am trying to implement a full Montgomery algorithm which means that I am working with the Montgomery Exponentiation algorithm, and the Montgomery Multiplication…

3 votes, 0 answers
Attack on Weierstrass Elliptic Curve
I have a naive question (as a non-specialist in this field). While reading the Weierstrass Curve description, I found that it turns into 2 periodic tori on the 2D complex plane. Is it possible to create a fast multiplication attack on this curve by…

3 votes, 1 answer
Questions about the Curve25519-donna implementation
I'm trying to understand the implementation of the following function. Please note questions in comments. int curve25519_donna(u8 *mypublic, const u8 *secret, const u8 *basepoint) { limb bp[5], x[5], z[5], zmone[5]; // why 5 elements in…

3 votes, 0 answers
Montgomery modular multiplication – confusion with subtraction of modulus
I'm reading the paper “COMPARISON OF SCALABLE MONTGOMERY MODULAR MULTIPLICATION IMPLEMENTATIONS EMBEDDED IN RECONFIGURABLE HARDWARE” (PDF) on hardware algorithms for Montgomery multiplication for modular exponentiation, and I'm confused as to how…

3 votes, 1 answer
What happens if no final subtraction is done in Montgomery multiplication?
I'm doing Montgomery arithmetic modulo $N = 2^{255}-19$ for Curve25519, picking $R = 2^{256}$ for Montgomery. After multiplying two numbers $0 \leq A,B < N$ in the Montgomery representation using MonMul, I would normally obtain the result $0…

3 votes, 2 answers
Montgomery Reduction
I'm taking a hardware cryptography class and working on a problem that focuses on Montgomery Reduction. So by definition: Computing $a * b \text{ mod } N$ Pick $R$, s.t. $R > N$, $gcd(R,N) = 1$ Compute $N^{-1} \text{ mod }R$ $a’ = a * R \text{…
linos (31 rep)