Generalised Mersenne numbers revisited

Abstract: Abstract. Generalised Mersenne Numbers (GMNs) were defined by Solinas in 1999 and feature in the NIST and SECG standards for use in elliptic curve cryptography. Their form is such that modular reduction is extremely efficient, thus making them an attractive choice for modular multiplication implementation. However, the issue of residue multiplication efficiency seems to have been overlooked. Asymptotically, using a cyclic rather than a linear convolution, residue multiplication modulo a Mersenne number is twi… Show more

“…More recently, prime moduli of the form 2 s ± δ have gained popularity where s, δ ∈ Z >0 and δ < 2 s such that δ is a (very) small integer. More precisely, the constant δ is small compared to the typical word-size of computer architectures used (e.g., less than 2 32 ) and often is chosen as the smallest integer such that one of 2 s ± δ is prime. One should be aware that the usage of such primes of a special form not only accelerates the cryptographic implementations, the cryptanalytic methods benefit as well.…”

“…Hence, this algorithm runs efficiently when using 2-way SIMD vector instructions as frequently found on modern computer architectures. For illustrative purposes we assume a radix-2 32 system, but this can be adjusted accordingly to any other radix system. Note that for efficiency considerations the choice of the radix system depends on the vector instructions available.…”

“…q ← µC mod 2 32 3. C ← (C + qN)/2 32 In order to reduce latency, we would like to compute the two 1 × n → (n + 1) word multiplications in parallel using vector instructions. This can be achieved by removing the dependency between these two multi-word multiplications by computing the value of q first.…”

“…This can be achieved by removing the dependency between these two multi-word multiplications by computing the value of q first. The first word c 0 of C = n−1 i=0 c i 2 32i is computed twice: once for the computation of q (in µC mod 2 32 ) and then again in the parallel computation of C + a i B. This is a relatively minor penalty of one additional one-word multiplication and addition per iteration to make these two multi-word multiplications independent of each other.…”

“…In order to rewrite the remaining operations, besides the multiplication, the authors of [17] suggest inverting the sign of the Montgomery constant µ, i.e., instead of using −N −1 mod 2 32 use µ = N −1 mod 2 32 . When computing the Montgomery product C = AB2 −32n mod N, one can compute D (which contains the sum of the products a i B) and E (which contains the sum of the products qN), separately and in parallel using the same arithmetic operations.…”

Montgomery Arithmetic from a Software Perspective

“…More recently, prime moduli of the form 2 s ± δ have gained popularity where s, δ ∈ Z >0 and δ < 2 s such that δ is a (very) small integer. More precisely, the constant δ is small compared to the typical word-size of computer architectures used (e.g., less than 2 32 ) and often is chosen as the smallest integer such that one of 2 s ± δ is prime. One should be aware that the usage of such primes of a special form not only accelerates the cryptographic implementations, the cryptanalytic methods benefit as well.…”

“…Hence, this algorithm runs efficiently when using 2-way SIMD vector instructions as frequently found on modern computer architectures. For illustrative purposes we assume a radix-2 32 system, but this can be adjusted accordingly to any other radix system. Note that for efficiency considerations the choice of the radix system depends on the vector instructions available.…”

“…q ← µC mod 2 32 3. C ← (C + qN)/2 32 In order to reduce latency, we would like to compute the two 1 × n → (n + 1) word multiplications in parallel using vector instructions. This can be achieved by removing the dependency between these two multi-word multiplications by computing the value of q first.…”

“…This can be achieved by removing the dependency between these two multi-word multiplications by computing the value of q first. The first word c 0 of C = n−1 i=0 c i 2 32i is computed twice: once for the computation of q (in µC mod 2 32 ) and then again in the parallel computation of C + a i B. This is a relatively minor penalty of one additional one-word multiplication and addition per iteration to make these two multi-word multiplications independent of each other.…”

“…In order to rewrite the remaining operations, besides the multiplication, the authors of [17] suggest inverting the sign of the Montgomery constant µ, i.e., instead of using −N −1 mod 2 32 use µ = N −1 mod 2 32 . When computing the Montgomery product C = AB2 −32n mod N, one can compute D (which contains the sum of the products a i B) and E (which contains the sum of the products qN), separately and in parallel using the same arithmetic operations.…”

Montgomery Arithmetic from a Software Perspective

Faster ECC over $$\mathbb {F}_{2^{521}-1}$$

Missing a trick: Karatsuba variations