Montgomery modular multiplication

In modular arithmetic computation, Montgomery modular multiplication, more commonly referred to as Montgomery multiplication, is a method for performing fast modular multiplication. It was introduced in 1985 by the American mathematician Peter L. Montgomery.^[1]^[2]

Montgomery modular multiplication relies on a special representation of numbers called Montgomery form. The algorithm uses the Montgomery forms of $a$ and $b$ to efficiently compute the Montgomery form of $ab mod N$ . The efficiency comes from avoiding expensive division operations. Classical modular multiplication reduces the double-width product $ab$ using division by $N$ and keeping only the remainder. This division requires quotient digit estimation and correction. The Montgomery form, in contrast, depends on a constant $R > N$ which is coprime to $N$ , and the only division necessary in Montgomery multiplication is division by $R$ . The constant $R$ can be chosen so that division by $R$ is easy, significantly improving the speed of the algorithm. In practice, $R$ is always a power of two, since division by powers of two can be implemented by bit shifting.

The need to convert $a$ and $b$ into Montgomery form and their product out of Montgomery form means that computing a single product by Montgomery multiplication is slower than the conventional or Barrett reduction algorithms. However, when performing many multiplications in a row, as in modular exponentiation, intermediate results can be left in Montgomery form. Then the initial and final conversions become a negligible fraction of the overall computation. Many important cryptosystems such as RSA and Diffie–Hellman key exchange are based on arithmetic operations modulo a large odd number, and for these cryptosystems, computations using Montgomery multiplication with $R$ a power of two are faster than the available alternatives.^[3]

^ Montgomery, Peter (April 1985). "Modular Multiplication Without Trial Division" (PDF). Mathematics of Computation. 44 (170): 519–521. doi:10.1090/S0025-5718-1985-0777282-X.
^ Martin Kochanski, "Montgomery Multiplication" Archived 2010-03-27 at the Wayback Machine a colloquial explanation.
^ Alfred J. Menezes, Paul C. van Oorschot, and Scott A. Vanstone. Handbook of Applied Cryptography. CRC Press, 1996. ISBN 0-8493-8523-7, chapter 14.

[montg1985-1] Montgomery, Peter (April 1985). "Modular Multiplication Without Trial Division" (PDF). Mathematics of Computation. 44 (170): 519–521. doi:10.1090/S0025-5718-1985-0777282-X.

[kochanski-2] Martin Kochanski, "Montgomery Multiplication" Archived 2010-03-27 at the Wayback Machine a colloquial explanation.

[3] Alfred J. Menezes, Paul C. van Oorschot, and Scott A. Vanstone. Handbook of Applied Cryptography. CRC Press, 1996. ISBN 0-8493-8523-7, chapter 14.

[1]

[2]

[3]