Open main menu
Home
Random
Recent changes
Special pages
Community portal
Preferences
About Wikipedia
Disclaimers
Incubator escapee wiki
Search
User menu
Talk
Dark mode
Contributions
Create account
Log in
Editing
Montgomery modular multiplication
(section)
Warning:
You are not logged in. Your IP address will be publicly visible if you make any edits. If you
log in
or
create an account
, your edits will be attributed to your username, along with other benefits.
Anti-spam check. Do
not
fill this in!
== The REDC algorithm == While the above algorithm is correct, it is slower than multiplication in the standard representation because of the need to multiply by {{math|''R''′}} and divide by {{mvar|N}}. ''Montgomery reduction'', also known as REDC, is an algorithm that simultaneously computes the product by {{math|''R''′}} and reduces modulo {{mvar|N}} more quickly than the naΓ―ve method. Unlike conventional modular reduction, which focuses on making the number smaller than {{mvar|N}}, Montgomery reduction focuses on making the number more divisible by {{mvar|R}}. It does this by adding a small multiple of {{mvar|N}} which is sophisticatedly chosen to cancel the residue modulo {{mvar|R}}. Dividing the result by {{mvar|R}} yields a much smaller number. This number is so much smaller that it is nearly the reduction modulo {{mvar|N}}, and computing the reduction modulo {{mvar|N}} requires only a final conditional subtraction. Because all computations are done using only reduction and divisions with respect to {{mvar|R}}, not {{mvar|N}}, the algorithm runs faster than a straightforward modular reduction by division. '''function''' REDC '''is''' '''input:''' Integers ''R'' and ''N'' with {{nowrap|1=gcd(''R'', ''N'') = 1}}, Integer ''N''′ in {{nowrap|[0, ''R'' − 1]}} such that {{nowrap|''NN''′ β‘ −1 mod ''R''}}, Integer ''T'' in the range {{nowrap|[0, ''RN'' − 1]}}. '''output:''' Integer ''S'' in the range {{nowrap|[0, ''N'' − 1]}} such that {{nowrap|''S'' β‘ ''TR''<sup>−1</sup> mod ''N''}} ''m'' ← ((''T'' mod ''R'')''N''′) mod ''R'' ''t'' ← (''T'' + ''mN'') / ''R'' '''if''' ''t'' ≥ ''N'' '''then''' '''return''' {{nowrap|''t'' − ''N''}} '''else''' '''return''' ''t'' '''end if''' '''end function''' To see that this algorithm is correct, first observe that {{mvar|m}} is chosen precisely so that {{math|''T'' + ''mN''}} is divisible by {{mvar|R}}. A number is divisible by {{mvar|R}} if and only if it is congruent to zero mod {{mvar|R}}, and we have: :<math>T + mN \equiv T + (((T \bmod R)N') \bmod R)N \equiv T + T N' N \equiv T - T \equiv 0 \pmod{R}.</math> Therefore, {{mvar|t}} is an integer. Second, the output is either {{mvar|t}} or {{math|''t'' − ''N''}}, both of which are congruent to {{math|''t'' mod ''N''}}, so to prove that the output is congruent to {{math|''TR''<sup>−1</sup> mod ''N''}}, it suffices to prove that {{mvar|t}} is {{math|''TR''<sup>−1</sup> mod ''N''}}, {{mvar|t}} satisfies: :<math>t \equiv (T + mN)R^{-1} \equiv TR^{-1} + (mR^{-1})N \equiv TR^{-1} \pmod{N}.</math> Therefore, the output has the correct residue class. Third, {{mvar|m}} is in {{math|[0, ''R'' − 1]}}, and therefore {{math|''T'' + ''mN''}} is between 0 and {{math|(''RN'' − 1) + (''R'' − 1)''N'' < 2''RN''}}. Hence {{mvar|t}} is less than {{math|2''N''}}, and because it's an integer, this puts {{mvar|t}} in the range {{math|[0, 2''N'' − 1]}}. Therefore, reducing {{mvar|t}} into the desired range requires at most a single subtraction, so the algorithm's output lies in the correct range. To use REDC to compute the product of 7 and 15 modulo 17, first convert to Montgomery form and multiply as integers to get 12 as above. Then apply REDC with {{math|1=''R'' = 100}}, {{math|1=''N'' = 17}}, {{math|1=''N''′ = 47}}, and {{math|1=''T'' = 12}}. The first step sets {{mvar|m}} to {{math|1=12 β 47 mod 100 = 64}}. The second step sets {{mvar|t}} to {{math|(12 + 64 β 17) / 100}}. Notice that {{math|12 + 64 β 17}} is 1100, a multiple of 100 as expected. {{mvar|t}} is set to 11, which is less than 17, so the final result is 11, which agrees with the computation of the previous section. As another example, consider the product {{math|7 β 15 mod 17}} but with {{math|1=''R'' = 10}}. Using the extended Euclidean algorithm, compute {{math|1=−5 β 10 + 3 β 17 = 1}}, so {{math|''N''′}} will be {{math|1=−3 mod 10 = 7}}. The Montgomery forms of 7 and 15 are {{math|1=70 mod 17 = 2}} and {{math|1=150 mod 17 = 14}}, respectively. Their product 28 is the input {{mvar|T}} to REDC, and since {{math|1=28 < ''RN'' = 170}}, the assumptions of REDC are satisfied. To run REDC, set {{mvar|m}} to {{math|1=(28 mod 10) β 7 mod 10 = 196 mod 10 {{=}} 6}}. Then {{math|1=28 + 6 β 17 = 130}}, so {{math|1=''t'' = 13}}. Because {{math|1=30 mod 17 = 13}}, this is the Montgomery form of {{math|1=3 = 7 β 15 mod 17}}.
Edit summary
(Briefly describe your changes)
By publishing changes, you agree to the
Terms of Use
, and you irrevocably agree to release your contribution under the
CC BY-SA 4.0 License
and the
GFDL
. You agree that a hyperlink or URL is sufficient attribution under the Creative Commons license.
Cancel
Editing help
(opens in new window)