An Efficient Implementation of Montgomery Modular Multiplication Using a Minimally Redundant Residue Number System

Abstract

This paper presents an implementation of modular multiplication based on Montgomery’s scheme within the Residue Number System (RNS). The key innovation of the proposed approach lies in utilizing minimally redundant residue arithmetic, where the rank of a number serves as the primary positional characteristic of the residue code. Additionally, integer numbers are represented in rank form during base extension operations. Due to the low computational complexity of rank calculation in minimally redundant RNS and the specific constraints imposed on the RNS moduli sets, the proposed modular multiplication method achieves up to a 1.5 times performance improvement over non-redundant RNS counterparts. This approach is particularly suited for applications in public key cryptosystems.

1. Introduction

Since the mid-1950s, RNS arithmetic has attracted significant attention from researchers and practitioners across various domains, including number-theoretic methods, computer technology, digital signal processing, cryptography, and communications [1,2,3,4,5,6,7,8,9].

RNS arithmetic is particularly valuable in parallel processing systems, where it enables fast and accurate computations. The inherent parallelism of modular computational structures provides several key advantages over positional numeral systems, especially for operations involving large numbers. These advantages include the following:

• performance time independence of parallel modular operations from the moduli number and, consequently, the length of the residue code;
• high adaptability of modular arithmetic algorithms to tabular calculations and pipeline processing;
• flexibility in using lookup table techniques for reconfiguring modular computational structures, among others.

A well-known application of modular arithmetic is in cryptographic systems, where multiplicative operations over large moduli form the foundation for various information security mechanisms [10,11,12,13,14,15,16,17,18,19,20,21,22,23]. These operations are extensively utilized in electronic signature schemes, public key cryptosystems based on RSA and Rabin’s method, and other cryptographic tasks. Therefore, advancing computational technologies that enhance modular multiplication and exponentiation efficiency over large-number ranges remains a crucial research direction.

One of the most promising approaches for achieving high-performance modular arithmetic is using RNS-based modular computational structures. As the degree of modularity in computational processes increases, the efficiency of these structures improves significantly. This effect is particularly evident when handling large-number arithmetic operations.

A notable example is the Montgomery multiplication (MM) algorithm implemented using RNS [10,11,12,13,22]. Montgomery multiplication replaces general division with an integer division operation, which is well suited for RNS configurations [24]. This property makes MM in RNS highly efficient.

However, a principal computational bottleneck in modular arithmetic is the residue code extension required in MM implementations. Optimizing these operations is a key challenge in developing high-performance cryptographic hardware and software for large-number computations. One promising solution is to use minimally redundant RNS, which allows for more efficient execution of fundamental non-modular operations such as base extension and reverse conversion based on the Chinese Remainder Theorem (CRT) [5,6,25,26,27,28].

This paper aims to take fundamental advantages of minimally redundant RNS arithmetic to optimize multiplication algorithms based on Montgomery’s scheme. By refining the base extension and conversion processes, we enhance the overall efficiency of MM in large-number cryptographic applications.

This paper provides a rigorous theoretical framework for optimizing modular multiplication in minimally redundant Residue Number Systems (RNSs), offering new insights into the computational efficiency of cryptographic operations. Using minimally redundant arithmetic, the study improves the performance of modular computations, which are fundamental in public-key cryptography, secure computing, and high-performance arithmetic.

Rather than focusing on software or hardware implementation, this work contributes by presenting formal algorithmic descriptions, mathematical proofs, and correctness guarantees. These theoretical foundations serve as a basis for future advances in secure computing, number-theoretic algorithms, and parallel processing architectures.

For clarity and reproducibility, the paper provides detailed algorithmic methodologies and mathematical derivations, making it accessible to researchers developing efficient cryptographic protocols, modular arithmetic techniques, and computational number theory applications. The structured formal approach to RNS-based Montgomery multiplication supports interdisciplinary applications in computer science, digital signal processing, and cryptographic engineering.

The remainder of this paper is structured as follows. Section 2 and Section 3 introduce the theoretical foundations of the research. Section 4 presents the mathematical background of the proposed method. Section 5 describes the MM algorithm and analyzes the impact of RNS moduli selection. Section 6 provides a discussion of the results. Section 7 concludes the paper.

2. Basic Principles of RNS Arithmetic

Residue Number System (RNS) arithmetic is based on abstract algebra and number theory [29,30].

In the set of integers $\mathbb{Z}$, an RNS is defined by a set of pairwise coprime natural moduli $m_1,m_2,\dots ,m_k$ where $m_i>2$ for $i=1,2,\dots ,k$ and $k\ge 2$. In this system, an integer $X\in \mathbb{Z}$ is represented by the k-tuple $\left({\chi }_1,{\chi }_2,\dots ,{\chi }_k\right)$, where ${\chi }_i={\left|X\right|}_{m_i}$ is the residue of X modulo $m_i$, i.e., ${\chi }_i$ belongs to the set ${\mathbb{Z}}_{m_i}=\{0,1,\dots ,m_i-1\}$, ensuring $X\equiv {\chi }_i(mod{m}_i)$ for all $i=1,2,\dots ,k$

An RNS allows the unique representation of up to $M_k={\prod }_{i=1}^k{m}_i$ integers through their residue codes. The number range is typically defined by ${\mathbb{Z}}_{M_k}=\{0,1,\dots ,M_k-1\}$.

2.1. Arithmetic Operations in RNS

Due to the carry-free nature of RNS arithmetic, addition, subtraction, and multiplication can be executed in parallel, independently for each modulus, following the rule below:

$$A\circ B=\left({\alpha }_1,{\alpha }_2,\dots ,{\alpha }_k\right)\circ \left({\beta }_1,{\beta }_2,\dots ,{\beta }_k\right)=$$

$$=\left({\left|{\alpha }_1\circ {\beta }_1\right|}_{m_1},{\left|{\alpha }_2\circ {\beta }_2\right|}_{m_2},\dots ,{\left|{\alpha }_k\circ {\beta }_k\right|}_{m_k}\right),$$

where $\circ \in \left\{+,-,\times \right\}$ denotes modular arithmetic operations, with ${\alpha }_i={\left|A\right|}_{m_i}$ and ${\beta }_i={\left|B\right|}_{m_i}$ for $i=1,2,\dots ,k$.

2.2. Determining the Integer Value from Residue Representation

In RNS arithmetic, reconstructing the integer X from its residue code $\left({\chi }_1,{\chi }_2,\dots ,{\chi }_k\right)$ is required for performing non-modular operations. This reconstruction relies on the so-called positional characteristics of the residue code.

There are two primary approaches to constructing RNS arithmetic based on these characteristics: (1) rank-based computation and (2) mixed-radix representation [7,8,9].

According to the Chinese Remainder Theorem [29,31], for a given RNS defined by the set $\{m_1,m_2,\dots ,m_k\}$ of pairwise relatively prime moduli, the integer X and its residue code $\left({\chi }_1,{\chi }_2,\dots ,{\chi }_k\right)$ are related by the following equation:

$$X=\sum _{i=1}^k{M}_{i,k}{\chi }_{i,k}-{\rho }_k\left(X\right)M_k,$$

(1)

where $M_{i,k}=M_k/m_i$, and ${\chi }_{i,k}={\left|M_{i,k}^{-1}{\chi }_i\right|}_{m_i}$ is a normalized residue modulo $m_i$ for $i=1,2,\dots ,k$, with ${\left|Y^{-1}\right|}_m$ denoting the multiplicative inverse of Y modulo m.

The integer ${\rho }_k\left(X\right)$ and Equation (1) define the rank and rank form of X, respectively [2,3]. Equation (1) establishes an isomorphic mapping between $X\in {\mathbb{Z}}_{M_k}$ and its residue code $\left({\chi }_1,{\chi }_2,\dots ,{\chi }_k\right)\in {\mathbb{Z}}_{m_1}\times {\mathbb{Z}}_{m_2}\times \dots \times {\mathbb{Z}}_{m_k}$. In this context, computing the rank ${\rho }_k\left(X\right)$ enables the realization of this isomorphic mapping.

2.3. Mixed-Radix Representation

In RNS arithmetic, the rank of a number is a positional characteristic of primary importance since it enables one to perform all the non-modular operations. In a Mixed Radix System (MRS) defined by a set $\left\{m_1,m_2,\dots ,m_k\right\}$ of pairwise relatively prime moduli, an integer $X\in {\mathbb{Z}}_{M_k}$ is represented by the k-tuple $⟨x_k,x_{k-1},\dots ,x_1⟩$ of mixed-radix digits, resulting in

$$X=\sum _{i=1}^k{x}_i{M}_{i-1},$$

(2)

where $x_i\in {\mathbb{Z}}_{m_i}$$(i=1,2,\dots ,k)$, $M_0=1$, $M_{i-1}={\prod }_{j=1}^{i-1}{m}_j$$(i=2,3\dots ,k)$ [8,9].

An MRS is advantageous over an RNS for non-modular operations such as magnitude comparison, sign determination, and overflow detection.

2.4. Computational Complexity and Optimization

In the conventional non-redundant RNS, calculating both the rank ${\rho }_k\left(X\right)$ and the digits $⟨x_k,x_{k-1},\dots ,x_1⟩$ of the mixed-radix representation of the number $X\in {\mathbb{Z}}_{M_k}$ from its residue code $\left({\chi }_1,{\chi }_2,\dots ,{\chi }_k\right)$ reduces to the parallel summation of sets of small-bit-length residues corresponding to the RNS moduli $m_1,m_2,\dots ,m_k$, while accounting for the number of overflows that occur in the rings ${\mathbb{Z}}_{m_1},{\mathbb{Z}}_{m_2},\dots ,{\mathbb{Z}}_{m_k}$ during the modular addition operations.

At the same time, according to [25,27], the computational complexity of calculating the rank ${\rho }_k\left(X\right)$ is $O\left(k^2\right)$ in terms of modular addition operations and the number of required lookup tables. Consequently, this becomes computationally expensive as k increases, for instance, when implementing non-modular operations based on the rank form of integer representation (1), where operands and computational results belong to large numerical ranges.

One possible way to improve modular computational structures is to employ more efficient and optimized variants of RNS arithmetic compared to the traditional approach. As is well known, the use of code redundancy can improve the arithmetic properties of an RNS [5,6].

As demonstrated in [25,27], the use of a minimally redundant RNS enables the optimization and acceleration of the rank calculation. To this end, an additional redundant residue, ${\chi }_0={\left|X\right|}_{m_0}$, corresponding to an additional modulus $m_0=2$, is added to the original residue code $\left({\chi }_1,{\chi }_2,\dots ,{\chi }_k\right)$ of the number $X\in {\mathbb{Z}}_{M_k}$. Thus, the non-redundant residue code is extended by just one bit, representing the parity of the number X.

This modification reduces the computational complexity of rank calculation from $O\left(k^2\right)$ to $O\left(k\right)$ [25,27].

Consequently, using minimally redundant RNS arithmetic not only optimizes but also improves the efficiency of non-modular operations that rely on the rank form of integers (1), such as the base extension operation.

2.5. Base Extension Operations

In applications involving modular computing structures, base extension operations play a fundamental role, as they serve as the foundation for synthesizing algorithms for nearly all non-modular operations, including general division, scaling, fractional multiplication, code transformations, and more. In information security systems, for instance, computationally intensive operations on large number ranges—such as Montgomery multiplication, modular exponentiation, and others—are implemented using base extension techniques [8,9].

The advantages of minimally redundant modular arithmetic in simplifying non-modular procedures are particularly evident in residue code extension operations.

Let an RNS be defined by the moduli set $\{m_1,m_2,\dots ,m_k\}$, and suppose that the residue code $({\chi }_1,{\chi }_2,\dots ,{\chi }_l)$ of a number X is given with respect to the basis ${\mathbb{M}}_1=\{m_1,m_2,\dots ,m_l\}$, where $1<l<k$. The task is to determine the residues corresponding to the basis ${\mathbb{M}}_2=\{m_{l+1},m_{l+2},\dots ,m_k\}$, i.e., the residue code $({\chi }_{l+1},{\chi }_{l+2},\dots ,{\chi }_k)$. This process constitutes the essence of the residue code extension operation from the moduli ${\mathbb{M}}_1$ to the remaining moduli in ${\mathbb{M}}_2$. For this operation, we use the conventional notation $\left({\chi }_{l+1},{\chi }_{l+2},\dots ,{\chi }_k\right)=\mathrm{BEX}(X;\{m_1,m_2,\dots ,m_l\},\{m_{l+1},m_{l+2},\dots ,m_k\})$, or, in a simplified form, $\mathrm{BEX}(X;{\mathbb{M}}_1,{\mathbb{M}}_2)$.

A necessary condition for the correctness of the base extension is the uniqueness of the mapping ${\mathbb{Z}}_{m_1}\times {\mathbb{Z}}_{m_2}\times \dots \times {\mathbb{Z}}_{m_l}\to {\mathbb{Z}}_{M_l}$. This means that the code $\left({\chi }_1,{\chi }_2,\dots ,{\chi }_l\right)$ must uniquely determine the integer X. When this condition is satisfied, the number X can be represented in rank form with respect to the moduli $m_1,m_2,\dots ,m_l$, by analogy with Equation (1).

Determining the rank ${\rho }_l\left(X\right)$ is significantly simplified when the RNS defined over the basis ${\mathbb{M}}_1$ is minimally redundant. In comparison to non-redundant residue coding, this approach yields an approximately $l/2$-fold reduction in the number of required modular addition operations and the size of lookup tables [25,27]. This advantage becomes especially important when working with large numbers.

Therefore, for the number $X=\left({\chi }_1,{\chi }_2,\dots ,{\chi }_l\right)$, the base extension operation to the moduli $m_{l+1},m_{l+2},\dots ,m_k$ reduces to determining the rank ${\rho }_l\left(X\right)$ of the number X, and subsequently applying to its rank form the procedure for computing the residues with respect to the moduli in the basis ${\mathbb{M}}_2$:

$${\chi }_j={\left|\sum _{i=1}^l{\left|M_{i,l}{\chi }_{i,l}\right|}_{m_j}-{\left|{\rho }_l\left(X\right)M_l\right|}_{m_j}\right|}_{m_j}\left(j=l+1,l+2,\dots ,k\right).$$

3. Basic Computational Scheme for Montgomery Modular Multiplication

Let A and B be the operands of a multiplication operation modulo a large number p. The fundamental concept proposed by Montgomery [24] consists of an additive transformation of the product $C=AB$, allowing the division without remainder by a specially chosen auxiliary modulus $S>p$.

To achieve this, the following equation is established:

$$C^{\prime }=C+{\left|-C{p}^{-1}\right|}_{S}p.$$

(3)

Given that S and p are coprime, i.e., $gcd(S,p)=1$, Equation (3) guarantees that the integer $C^{\prime }$ is a multiple of the modulus S for any values of the operands A and B.

This property is at the core of Montgomery’s approach to constructing an efficient modular multiplication scheme [24]. The modularity of Equation (3) follows from the equality:

$${\left|C^{\prime }\right|}_S={\left|C+{\left|-C{p}^{-1}\right|}_{S}p\right|}_S={\left|C-C{p}^{-1}p\right|}_S=0.$$

(4)

Therefore, the number

$$C^{″}={\displaystyle \frac{C^{\prime }}{S}}={\displaystyle \frac{C+{\left|-C{p}^{-1}\right|}_{S}p}{S}}$$

(5)

is an integer.

Let $⌊x⌋$ denote the greatest integer less than or equal to x. Following Euclid’s Division Lemma [29,30], the number $C^{″}$ can be represented as

$$C^{″}={\left|C^{″}\right|}_p+⌊{\displaystyle \frac{C^{″}}{p}}⌋p,$$

(6)

Then, by reducing modulo p, Equation (5) simplifies to

$${\left|C^{″}\right|}_p={\left|{\displaystyle \frac{C^{\prime }}{S}}\right|}_p={\left|{\displaystyle \frac{C}{S}}\right|}_p={\left|{\displaystyle \frac{AB}{S}}\right|}_p.$$

(7)

Thus, taking into account (6) and (7), the integer number

$$\widehat{C}={\left|AB{S}^{-1}\right|}_p=C^{″}-Qp$$

(8)

represents the expected computed result. Here, the number

$$Q=⌊{\displaystyle \frac{C^{″}}{p}}⌋$$

(9)

is a uniquely determined integer factor for given operands A and B.

For $A,B\in {\mathbb{Z}}_p=\{0,1,\dots ,p-1\}$, according to Equation (3), the following inequality holds:

$$C^{\prime }\le {\left(p-1\right)}^2+\left(S-1\right)p<p^2+Sp.$$

Since $S>p$, Equation (5) implies the following estimation for the number $C^{″}$:

$$C^{″}<2p.$$

Thus, according to (9), the integer factor Q can take on only two values: 0 or 1. Hence, to determine Q, it is necessary to compare the integers $C^{″}$ and p.

Therefore, $Q=\mathrm{CMP}(C^{″},p)$, where

$$\begin{array}{c}\hfill \mathrm{CMP}(x,y)=\left\{\begin{array}{c}0,\mathrm{if}x<y\hfill \\ 1,\mathrm{if}x\ge y\hfill \end{array}\right.,\end{array}$$

(10)

denotes the result of comparing two integers x and y.

Based on this, the main steps of Montgomery Modular Multiplication (MM) can be summarized as follows:

$$⟨C=AB,X={\left|CY\right|}_S,C^{\prime }=C+Xp,C^{″}={\displaystyle \frac{C^{\prime }}{S}},\widehat{C}=C^{″}-Qp⟩,$$

(11)

where $Y=|-p^{-1}{|}_S$ and $Q\in \{0,1\}$.

As seen from Equation (11), in MM implementing in a positional number system, the main complexity arises from the multiplication of large numbers such as $AB$, $CY$, and $Xp$. That also holds for calculating the multiplicative inversion Y. However, its determination complexity is not fundamentally significant as this constant is a long-term parameter obtained during preliminary calculations.

In RNS arithmetic, all operations specified in (11) are modular. So, their performance is much simpler and faster than in conventional arithmetic. The inherent parallelism of RNS primarily determines the preference for using modular arithmetic for MM implementation.

4. Realization of Montgomery Modular Multiplication in Minimally Redundant RNS

Let a primary Residue Number System (RNS) be defined on the set $\mathbb{M}=\{m_1,m_2,\dots ,m_k\}$ of pairwise relatively prime odd moduli $m_i$ $(m_i>2,i=1,2,\dots ,k;k\ge 2)$, with an additional modulus $m_0=2$. Consequently, the moduli set $\{m_0,m_1,\dots ,m_k\}$ forms a minimally redundant RNS. The effective number range is given by the ring ${\mathbb{Z}}_{M_k}=\{0,1,\dots ,M_k-1\}$.

Let the operands A, B, and modulus p be represented by their minimally redundant residue codes:

$$A=\left({\alpha }_0,{\alpha }_1,\dots ,{\alpha }_k\right),B=\left({\beta }_0,{\beta }_1,\dots ,{\beta }_k\right),p=\left({\pi }_0,{\pi }_1,\dots ,{\pi }_k\right),$$

where ${\alpha }_i={\left|A\right|}_{m_i},{\beta }_i={\left|B\right|}_{m_i},{\pi }_i={\left|p\right|}_{m_i},$   and $i=0,1,\dots ,k.$

The complete moduli set $\mathbb{M}$ is a sum of moduli sets ${\mathbb{M}}_1=\{m_1,m_2,\dots ,m_l\}$ and ${\mathbb{M}}_2=\{m_{l+1},m_{l+2},\dots ,m_k\}$. Here, the auxiliary modulus S is defined as the product of the moduli in the set ${\mathbb{M}}_1$:

$$S=M_l=\prod _{i=1}^l{m}_i,\mathrm{where}1<l<k.$$

Since the multiplicative inversion $Y={|p^{-1}|}_{M_l}$ (see (11)) belongs to the ring ${\mathbb{Z}}_{M_l}=\{0,1,\dots ,M_l-1\}$, it is uniquely represented in a minimally redundant residue code as follows:

$$({\xi }_0,{\xi }_1,\dots ,{\xi }_l),$$

where ${\xi }_i={\left|-{\pi }_i^{-1}\right|}_{m_i}$ for $i=0,1,\dots ,l$.

Similarly, the number $X={\left|CY\right|}_{M_l}$ (see (11)) is represented in a minimally redundant residue code with respect to ${\mathbb{M}}_1$:

$$X=\left({\chi }_0,{\chi }_1,\dots ,{\chi }_l\right)=\left({\left|{\gamma }_0{\xi }_0\right|}_{m_0},{\left|{\gamma }_1{\xi }_1,\right|}_{m_1},\dots ,{\left|{\gamma }_l{\xi }_l\right|}_{m_l}\right),$$

(12)

where ${\chi }_i={\left|X\right|}_{m_i}$, ${\gamma }_i={\left|{\alpha }_i{\beta }_i\right|}_{m_i}$$\left(i=0,1,\dots ,l\right)$.

Following (11), we compute the residue code of $C^{\prime }=C+Xp$ with respect to the complete moduli set $\mathbb{M}$. Before proceeding, it is necessary to extend the residue code (12) to the moduli in ${\mathbb{M}}_2$.

Base extension is one of the most difficult non-modular operations in RNS arithmetic. Its implementation usually uses the rank form (1) [12,13,14,15,16].

Following (1), the number X with respect to ${\mathbb{M}}_1$ is represented by the following:

$$X=\sum _{i=1}^l{M}_{i,l}{\chi }_{i,l}-{\rho }_l\left(X\right)M_l,$$

(13)

where, based on the theorem for rank calculation in minimally redundant RNS [25,27],

$${\rho }_l\left(X\right)={\widehat{\rho }}_l\left(X\right)+{\delta }_l\left(X\right),$$

(14)

with ${\widehat{\rho }}_l\left(X\right)$ as the inexact rank of the number X, and ${\delta }_l\left(X\right)$ as a two-valued rank correction:

$${\widehat{\rho }}_l\left(X\right)\in {\mathbb{Z}}_l=\{0,1,\dots ,l-1\},{\delta }_l\left(X\right)\in {\mathbb{Z}}_2=\{0,1\}.$$

The inexact rank ${\widehat{\rho }}_l\left(X\right)$ is calculated as follows:

$${\widehat{\rho }}_l\left(X\right)=⌊{\displaystyle \frac{1}{m_l}}\sum _{i=1}^l{R}_{i,l}\left({\chi }_i\right)⌋,$$

(15)

where

$$R_{i,l}\left({\chi }_i\right)={\left|-{\displaystyle \frac{1}{m_i}}{\left|M_{i,l-1}^{-1}{\chi }_i\right|}_{m_i}\right|}_{m_l}\left(i\ne l\right),$$

(16)

$$R_{l,l}\left({\chi }_l\right)={\left|M_{l-1}^{-1}{\chi }_l\right|}_{m_l},$$

(17)

with $M_{l-1}=M_l/m_l$ and $M_{i,l-1}=M_{l-1}/m_i\left(i=1,2,\dots ,l-1\right)$.

Similarly, the rank correction ${\delta }_l\left(X\right)$ is computed using trivial addition operations modulo $m_0=2$:

$${\delta }_l\left(X\right)={\left|{\chi }_0+\sum _{i=1}^l{\chi }_{i,l}^{\left(0\right)}+{\widehat{\rho }}_l^{\left(0\right)}\right|}_{m_0},$$

(18)

where ${\chi }_{i,l}^{\left(0\right)}={\left|{\chi }_{i,l}\right|}_{m_0}$, ${\widehat{\rho }}_l^{\left(0\right)}={\left|{\widehat{\rho }}_l\left(X\right)\right|}_{m_0}$, and $i=1,2,\dots ,l$ [25,27].

Hence, according to (13) and (14), the required extension of the residue code (12) to the moduli of the set ${\mathbb{M}}_2$ is carried out by the following rule:

$${\chi }_j={\left|\sum _{i=1}^l{M}_{i,l}{\chi }_{i,l}-\left({\widehat{\rho }}_l\left(X\right)+{\delta }_l\left(X\right)\right)M_l\right|}_{m_j}(j=l+1,l+2,\dots ,k),$$

(19)

where ${\widehat{\rho }}_l\left(X\right)$ and ${\delta }_l\left(X\right)$ are calculated according to (15)–(17) and (18), respectively.

Let us denote this base extension operation as $\mathrm{BEX}(X;{\mathbb{M}}_1,{\mathbb{M}}_2)$.

The number $C^{\prime }=C+Xp$ (see (11)) is represented by its minimally redundant residue code $({\gamma }_0^{\prime },{\gamma }_1^{\prime },\dots ,{\gamma }_k^{\prime })$ concerning the moduli of the complete set $\mathbb{M}$.

Since $S=M_l$, then, according to (4), the integer $C^{\prime }$ is divisible by $M_l$ without a remainder. Hence, its residues concerning the moduli of the set ${\mathbb{M}}_1$ are equal to 0:

$${\gamma }_i^{\prime }=0,i=1,2,\dots ,l.$$

At the same time, we compute the remaining residues using the following rule:

$${\gamma }_j^{\prime }={\left|{\gamma }_j+{\left|{\chi }_j{\pi }_j\right|}_{m_j}\right|}_{m_j},j=0,l+1,l+2,\dots ,k.$$

(20)

To obtain residue code $({\gamma }_0^{″},{\gamma }_1^{″},\dots ,{\gamma }_k^{″})$ of the number,

$$C^{″}={\displaystyle \frac{C^{\prime }}{M_l}}={\displaystyle \frac{C+Xp}{M_l}},$$

(21)

two computational stages are necessary:

• At the 1st stage, the residues ${\gamma }_j^{″}$$\left(j=l+1,l+2,\dots ,k\right)$ concerning moduli of the set ${\mathbb{M}}_2$ are calculated;
• At the 2nd stage, the extension of truncated residue code $({\gamma }_{l+1}^{″},{\gamma }_{l+2}^{″},\dots ,{\gamma }_k^{″})$ to the moduli of the set ${\mathbb{M}}_1$ are carried out.

As follows from (21), at the first stage, the residues of the integer $C^{″}$ are calculated according to the following rule:

$${\gamma }_j^{″}={\left|{\displaystyle \frac{1}{M_l}}{\gamma }_j^{\prime }\right|}_{m_j}={\left|{\displaystyle \frac{1}{M_l}}\left({\gamma }_j+{\left|{\chi }_j{\pi }_j\right|}_{m_j}\right)\right|}_{m_j}\left(j=l+1,l+2,\dots ,k\right).$$

(22)

At the same time, the two redundant residues ${\gamma }_0^{″}$ and ${\gamma }_0^{\prime }$ are equal. Since $m_1,m_2,\dots ,m_l$ are relatively prime odd moduli, we have ${\left|m_i\right|}_{m_0}=1$ for $i=1,2,\dots ,l$, which implies ${\left|M_l\right|}_{m_0}=1$. Therefore,

$${\gamma }_0^{″}={\left|{\displaystyle \frac{1}{M_l}}\left({\gamma }_0+{\left|{\chi }_0{\pi }_0\right|}_{m_0}\right)\right|}_{m_0}={\left|\left({\gamma }_0+{\left|{\chi }_0{\pi }_0\right|}_{m_0}\right)\right|}_{m_0}={\gamma }_0^{\prime }.$$

(23)

At the second stage, the residue code $({\gamma }_{l+1}^{″},{\gamma }_{l+2}^{″},\dots ,{\gamma }_k^{″})$ is extended to the moduli $m_1,m_2,\dots ,m_l$ using a rank form of the number $C^{″}$ concerning the moduli $m_{l+1},m_{l+2},\dots ,m_k$:

$$C^{″}=\sum _{j=l+1}^k{M}_{j,n}{\left|M_{j,n}^{-1}{\gamma }_j^{″}\right|}_{m_j}-({\widehat{\rho }}_n\left(C^{″}\right)+{\delta }_n\left(C^{″}\right))M_n,$$

(24)

where $n=k-l$, $M_n=M_k/M_l={\prod }_{j=l+1}^k{m}_j$, $M_{j,n}=M_n/m_j$, and $j=l+1,l+2,\dots ,k$. The integers ${\widehat{\rho }}_n\left(C^{″}\right)$ and ${\delta }_n\left(C^{″}\right)$ are the inexact rank and rank correction of the number $C^{″}$, respectively.

In this case, similar to (15)–(17), the inexact rank ${\widehat{\rho }}_n\left(C^{″}\right)$ is calculated as follows:

$${\widehat{\rho }}_n\left(C^{″}\right)=⌊{\displaystyle \frac{1}{m_k}}\sum _{j=l+1}^k{R}_{j,k}\left({\gamma }_j^{″}\right)⌋,$$

(25)

where

$$R_{j,k}\left({\gamma }_j^{″}\right)={\left|-{\displaystyle \frac{1}{m_j}}{\left|M_{j,n-1}^{-1}{\gamma }_j^{″}\right|}_{m_j}\right|}_{m_k}\left(j\ne k\right),$$

(26)

$$R_{k,k}\left({\gamma }_j^{″}\right)={\left|M_{n-1}^{-1}{\gamma }_k^{″}\right|}_{m_k},$$

(27)

while $M_{n-1}=M_n/m_k$ and $M_{j,n-1}=M_{n-1}/m_j$ for $j=l+1,l+2,\dots ,k-1$.

At the same time, the rank correction ${\delta }_n\left(C^{″}\right)\in \{0,1\}$ is calculated as follows:

$${\delta }_n\left(C^{″}\right)={\left|{\gamma }_0^{″}+\sum _{j=l+1}^k{\left|{\gamma }_{j,n}^{″}\right|}_{m_0}+{\left|{\widehat{\rho }}_n\left(C^{″}\right)\right|}_{m_0}\right|}_{m_0},$$

(28)

where ${\gamma }_{j,n}^{″}={\left|M_{j,n}^{-1}{\gamma }_j^{″}\right|}_{m_j}$ for $j=l+1,l+2,\dots ,k$.

Therefore, according to (24), the residues ${\gamma }_1^{″},{\gamma }_2^{″},\dots ,{\gamma }_l^{″}$ of the number $C^{″}$ with respect to the set ${\mathbb{M}}_1$ are calculated as follows:

$${\gamma }_i^{″}={\left|\sum _{j=l+1}^k{M}_{j,n}{\gamma }_{j,n}^{″}-({\widehat{\rho }}_n\left(C^{″}\right)+{\delta }_n\left(C^{″}\right))M_n\right|}_{m_i}\left(i=1,2,\dots ,l\right).$$

(29)

Let us denote this base extension operation as $\mathrm{BEX}(C^{″};{\mathbb{M}}_2,{\mathbb{M}}_1)$.

Thus, as a result of two-stage calculations, we have obtained the minimally redundant residue code $({\gamma }_0^{″},{\gamma }_1^{″},\dots ,{\gamma }_k^{″})$ of the number $C^{″}\in {\mathbb{Z}}_{2p}=\{0,1,\dots ,2p-1\}$.

Further, following the computational scheme (11), we compute the integer $\widehat{C}=C^{″}-Qp$ representing a result of MM, at that $\widehat{C}\in {\mathbb{Z}}_p=\{0,1,\dots ,p-1\}$. At the same time, its minimally redundant residue code $\left({\widehat{\gamma }}_0,{\widehat{\gamma }}_1,\dots ,{\widehat{\gamma }}_k\right)$ is computed according to the following rule:

$$\begin{array}{c}\hfill {\widehat{\gamma }}_i=\left\{\begin{array}{c}{\gamma }_i^{″},\mathrm{if}Q=0,\hfill \\ {\left|{\gamma }_i^{″}-{\pi }_i\right|}_{m_i},\mathrm{if}Q=1\hfill \end{array}\right.\end{array}$$

(30)

for $i=0,1,\dots ,k$.

To determine the integer factor $Q\in \{0,1\}$ according to (10), a magnitude comparison between the integers $C^{″}$ and p is performed using a mixed-radix system (MRS).

For this purpose, the number $C^{″}$ is converted into its mixed-radix representation, denoted as $C_{mrs}^{″}=⟨c_l^{″},c_{l-1}^{″},\dots ,c_1^{″}⟩$. We refer to this operation as $\mathrm{RC}\left(C^{″}\right)$. Its implementation relies on the parallel procedure proposed in [28].

Additionally, during a preliminary stage, we compute the mixed-radix digits $⟨p_l,p_{l-1},\dots ,p_1⟩$ for the modulus p.

5. Basic Algorithm of Montgomery Multiplication in Minimally Redundant RNS

According to the above, the implementation of the Montgomery multiplicative scheme (11) using minimally redundant RNS results in the following operational sequence:

$$\begin{array}{c}⟨C=AB=\left({\gamma }_0,{\gamma }_1,\dots ,{\gamma }_k\right);X={\left|CY\right|}_{M_l}=\left({\chi }_0,{\chi }_1,\dots ,{\chi }_l\right);\\ ({\chi }_{l+1},{\chi }_{l+2},\dots ,{\chi }_k)=\mathrm{BEX}(X;{\mathbb{M}}_1,{\mathbb{M}}_2);C^{\prime }=C+Xp=({\gamma }_0^{\prime },{\gamma }_{l+1}^{\prime },\dots ,{\gamma }_k^{\prime });\\ C^{″}=C^{\prime }/M_l=({\gamma }_0^{″},{\gamma }_{l+1}^{″},\dots ,{\gamma }_k^{″});({\gamma }_1^{″},{\gamma }_2^{″},\dots ,{\gamma }_l^{″})=\mathrm{BEX}(C^{″};{\mathbb{M}}_2,{\mathbb{M}}_1);\\ \widehat{C}=C^{″}-\mathrm{CMP}(C^{″},p)p=({\widehat{\gamma }}_0,{\widehat{\gamma }}_1,\dots ,{\widehat{\gamma }}_k)⟩.\end{array}$$

(31)

A necessary and sufficient correctness condition for the two-stage process of calculating $C^{″}=({\gamma }_0^{″},{\gamma }_1^{″},\dots ,{\gamma }_k^{″})$, according to (22), (23) and (29), for $C=AB\in {\mathbb{Z}}_{M_k}$, is that the numbers X and $C^{″}$ should belong to the range ${\mathbb{Z}}_{M_n}=\{0,1,\dots ,M_n-1\}$ with respect to the moduli $m_{l+1},m_{l+2},\dots ,m_k$.

Since the inequality $0\le C^{″}=C^{\prime }/M_l<M_n$ implies the inequality $0\le C^{\prime }<M_k$, the condition $C^{″}\in {\mathbb{Z}}_{M_n}$ guarantees the fulfillment of the condition $C^{\prime }\in {\mathbb{Z}}_{M_k}$.

Now, let us explore the necessary conditions for $m_1,m_2,\dots ,m_k$ and p to ensure that $X,C^{″}\in {\mathbb{Z}}_{M_n}$.

Let $A,B\in {\mathbb{Z}}_p=\{0,1,\dots ,p-1\}$. Since, according to (12), $X<M_l$, then from (21) we obtain the inequality

$$C^{″}<(p^2+p{M}_l)/M_l=p(1+p/M_l).$$

(32)

From (32), it follows that $C^{″}\in {\mathbb{Z}}_{2p}=\{0,1,\dots ,2p-1\}$ only when $p/M_l<1$.

On the other hand, the numbers X and $C^{″}$ should be the elements of the range ${\mathbb{Z}}_{M_n}$ concerning moduli $m_{l+1},m_{l+2},\dots ,m_k$. Therefore, taking into account that $X<M_l$ and $C^{″}<2p$, this requirement leads to the following inequalities:

$$M_l<M_k/M_l$$

(33)

and

$$2p<M_k/M_l.$$

(34)

Thus, in the case when $A,B\in {\mathbb{Z}}_p$ and $C^{″}\in {\mathbb{Z}}_{2p}$, the correctness of the proposed MM scheme is ensured by the conditions (33) and (34).

As already noted, the magnitude comparison of the integers $C^{″}$ and p is performed using MRS, resulting in $\mathrm{CMP}(C^{″},p)$ (see (10)). Therefore, the correctness of the reverse conversion $C^{″}<2p$ is ensured by using the RNS number range that includes the range ${\mathbb{Z}}_{2p}$. As follows from (33) and (34), the number range ${\mathbb{Z}}_{M_k}$ significantly exceeds the range ${\mathbb{Z}}_{2p}$. To determine the integer factor Q, according to (10), it is sufficient to use the truncated RNS defined by the moduli set ${\mathbb{M}}_1$ with the number range ${\mathbb{Z}}_{M_l}$.

Based on the above, the following statement is true.

Theorem 1.

Let the moduli of the sets ${\mathbb{M}}_1=\{m_1,m_2,\dots ,m_l\}$ and ${\mathbb{M}}_2=\{m_{l+1},m_{l+2},\dots ,m_k\}$, together with the modulus p meet the conditions

$$\begin{array}{c}\hfill \left\{\begin{array}{c}{M}_l<M_k/M_l,\hfill \\ 2p<M_k/M_l,\hfill \end{array}\right.\end{array}$$

(35)

and let the operands A, B of the multiplicative operation $\widehat{C}={\left|AB{M}_l^{-1}\right|}_p$ belong to the ring ${\mathbb{Z}}_p=\{0,1,\dots ,p-1\}$. Then, the integer $C^{″}$ (see (21)) is an element of the ring ${\mathbb{Z}}_{2p}=\{0,1,\dots ,2p-1\}$. At the same time, the integer $\widehat{C}\in {\mathbb{Z}}_p$ is calculated using the equality

$$\widehat{C}=C^{″}-\mathrm{CMP}(C^{″},p)p,$$

(36)

A similar result can also be obtained in the case when A and B belong to the range ${\mathbb{Z}}_{2p}$. Therefore, by analogy to (32), the following inequality

$$C^{″}<\left(4p^2+p{M}_l\right)⁄M_l=p\left(1+4p/M_l\right)$$

(37)

leads to the condition

$$M_l>4p.$$

(38)

Hence, the following statement is true.

Theorem 2.

Let the moduli of the sets ${\mathbb{M}}_1=\{m_1,m_2,\dots ,m_l\}$ and ${\mathbb{M}}_2=\{m_{l+1},m_{l+2},\dots ,m_k\}$ together with the modulus p meet the conditions

$$\begin{array}{c}\hfill \left\{\begin{array}{c}4p<M_l,\hfill \\ 2p<M_k/M_l,\hfill \end{array}\right.\end{array}$$

(39)

and let the operands A, B of the multiplicative operation $\widehat{C}={\left|AB{M}_l^{-1}\right|}_p$ belong to the ring ${\mathbb{Z}}_{2p}=\{0,1,\dots ,2p-1\}$. Then, the integer $C^{″}$ (see (21)) also belongs to the ring ${\mathbb{Z}}_{2p}$. At the same time, the integer $\widehat{C}$ is calculated according to (36).

Based on the optimized Montgomery multiplicative scheme (31) in minimally redundant RNS, an algorithm for multiplication over a large modulus is synthesized. This algorithm has a tabular configuration and possesses all the fundamental advantages of minimally redundant residue arithmetic, which most appear when operating in the ranges of large numbers. The developed algorithm is suitable for both software realization and implementation using parallel modular computational structures with a multiprocessor architecture.

Considering the aforementioned discussion, the implementation of MM in a minimally redundant RNS can be formally presented as Algorithm 1.

This algorithm’s key distinguishing feature is its inherent suitability for using lookup table techniques. In this case, the required set of lookup tables is generated during the preliminary stage, ensuring the minimization of the labor intensity of the real-time MM implementation.

Algorithm 1: Montgomery multiplication in minimally redundant RNS

Input: $A=\left({\alpha }_0,{\alpha }_1,\dots ,{\alpha }_k\right)$, $B=\left({\beta }_0,{\beta }_1,\dots ,{\beta }_k\right)$,    $p=\left({\pi }_0,{\pi }_1,\dots ,{\pi }_k\right)=⟨p_l,p_{l-1},\dots ,p_1⟩$ Output: $\widehat{C}={\left|AB{M}_l^{-1}\right|}_p$   1  $C=AB=\left({\gamma }_0,{\gamma }_1,\dots ,{\gamma }_k\right)$, ${\gamma }_i={\left|{\alpha }_i{\beta }_i\right|}_{m_i}\left(i=0,1,\dots ,k\right)$   2  $X={\left|CY\right|}_{M_l}=\left({\chi }_0,{\chi }_1,\dots ,{\chi }_l\right)$, ${\chi }_i={\left|{\gamma }_i{|-{{\pi }_i}^{-1}|}_{m_i}\right|}_{m_i}$, $\left(i=0,1,\dots ,l\right)$   3  ${\rho }_l\left(X\right)={\widehat{\rho }}_l\left(X\right)+{\delta }_l\left(X\right)$   4  $\left({\chi }_{l+1},{\chi }_{l+2},\dots ,{\chi }_k\right)=\mathrm{BEX}(X;{\mathbb{M}}_1,{\mathbb{M}}_2)$   5  $C^{\prime }=C+Xp=({\gamma }_0^{\prime },{\gamma }_{l+1}^{\prime },\dots ,{\gamma }_k^{\prime })$, ${\gamma }_j^{\prime }={\left|{\gamma }_j+{\left|{\chi }_j{\pi }_j\right|}_{m_j}\right|}_{m_j}\left(j=0,l+1,l+2,\dots ,k\right)$   6  $C^{″}=C^{\prime }/M_l=({\gamma }_0^{″},{\gamma }_{l+1}^{″},\dots ,{\gamma }_k^{″})$, ${\gamma }_j^{″}={\left|M_l^{-1}{\gamma }_j^{\prime }\right|}_{m_j}\left(j=l+1,l+2,\dots ,k\right)$   7  ${\rho }_n\left(C^{″}\right)={\widehat{\rho }}_n\left(C^{″}\right)+{\delta }_n\left(C^{″}\right)$   8  $({\gamma }_1^{″},{\gamma }_2^{″},\dots ,{\gamma }_l^{″})=\mathrm{BEX}(C^{″};{\mathbb{M}}_2,{\mathbb{M}}_1)$   9  $⟨c_l^{″},c_{l-1}^{″},\dots ,c_1^{″}⟩=\mathrm{RC}\left(C^{″}\right)$ 10  $Q=\mathrm{CMP}(C^{″},p)$ 11  $\widehat{C}=C^{″}-Qp=\left({\widehat{\gamma }}_0,{\widehat{\gamma }}_1,\dots ,{\widehat{\gamma }}_k\right)$, ${\widehat{\gamma }}_j={\left|{\gamma }_j^{″}-Q{\pi }_j\right|}_{m_j}\left(j=0,1,\dots ,k\right)$

6. Discussion

Let us now discuss the theoretical and practical aspects of the proposed approach.

An analysis of well-established approaches to implementing Montgomery multiplication in RNS reveals that two primary methods for computing the rank—an essential step in performing the critical base extension operations—are commonly employed [8,9,12,14,15,16,17].

The first method enables the determination of the integer value of an RNS number by computing an integer correction factor, which essentially corresponds to the rank of the number. In this case, the implementation of the CRT yields an exact integer reconstruction. This approach involves the inclusion of an additional redundant modulus $m_{k+1}$, which depends on the number k of primary RNS moduli, into the original moduli-set $\{m_1,m_2,\dots ,m_k\}$.

As a result, this method requires an additional modular channel with a width of $⌊{log}_{2}k⌋+1$ bits, along with redundant lookup tables.

The main idea of an alternative approach is to represent the rank as the integer part of a sum of at most k proper fractions of the form ${\chi }_{i,k}/m_i$, where $i=1,2,\dots ,k$. The rank value is then estimated recursively by approximating these fractions. To eliminate division by the modulus $m_i$, each denominator $m_i$ is replaced by a power of 2, and the corresponding numerator ${\chi }_{i,k}$ is approximated using its most significant bits. Since division by powers of 2 is equivalent to simple bit shifts, the rank computation is reduced to a sequence of additions.

The main drawbacks of this method are as follows. First, it relies on recursive computations, as the algorithm evaluates the rank value in a sequential, bit-by-bit manner. Moreover, the number of required iterations depends on the bit length used for the approximation. As a result, this method leads to significantly prolonged computation times when dealing with large numbers. Additionally, due to the approximate nature of the algorithm, it does not always produce the correct rank value.

6.1. Computational Costs of Proposed MM Algorithm

In RNS arithmetic, the implementation of MM (see (31)) reduces to performing modular operations on small bit-length residues concerning the moduli of the sets ${\mathbb{M}}_1$ and ${\mathbb{M}}_2$ using the lookup tables technique.

To assess computational efficiency, we compare the computational costs presented in Table 1, where $N_{\mathrm{mo}}$ and $N_{\mathrm{mo}}^{*}$ represent the number of required modular operations at the corresponding steps of Algorithm 1 both in minimally redundant RNS and conventional non-redundant RNS, respectively. Additionally, $C_{mrs}^{″}$ and $p_{mrs}$ denote the mixed-radix representations of the integers $C^{″}$ and p, respectively.

Table 1. The number of required modular operation.

$\mathbf{Step}$	${\mathit{N}}_{\mathbf{mo}}$	${\mathit{N}}_{\mathbf{mo}}^{*}$
$C=AB$	$k+1$	k
$X={\left|CY\right|}_{M_l}$	$l+1$	l
${\rho }_l\left(X\right)={\widehat{\rho }}_l\left(X\right)+{\delta }_l\left(X\right)$	l	$(l^2+5l-10)/2$
$\mathrm{BEX}(X;{\mathbb{M}}_1,{\mathbb{M}}_2)$	$l(k-l)$	$l(k-l)$
$C^{″}=(C+Xp)/M_l$	$k-l+1$	$k-l$
${\rho }_n\left(C^{″}\right)={\widehat{\rho }}_n\left(C^{″}\right)+{\delta }_n\left(C^{″}\right)$	$k-l$	$({(k-l)}^2+5(k-l)-10)/2$
$\mathrm{BEX}(C^{″};{\mathbb{M}}_2,{\mathbb{M}}_1)$	$(k-l)l$	$(k-l)l$
$C_{mrs}^{″}=\mathrm{RC}\left(C^{″}\right)$	$(l^2+3l-8)/2$	$(l^2+3l-8)/2$
$Q=\mathrm{CMP}(C_{mrs}^{″},p_{mrs})$	l	l
$\widehat{C}=C^{″}-Qp$	$k+1$	k

Computing the modular code of the number $C=AB$ requires $k+1$ modular operations in a minimally redundant RNS, and k operations in a conventional RNS.

Computing the modular code of the number $X={\left|CY\right|}_{M_l}$ with respect to the moduli $m_1,m_2,\dots ,m_l$ in the set ${\mathbb{M}}_1$ requires $l+1$ modular operations in a minimally redundant RNS, and l operations in a conventional RNS.

The modular operation costs required to compute the rank ${\rho }_l\left(X\right)$ of the number X with respect to the moduli in the set ${\mathbb{M}}_1$ are based on the results presented in [27], and amount to l and $(l^2+5l-10)/2$ modular operations, respectively (see Equations (14)–(18)).

The base extension operation $\mathrm{BEX}(X;{\mathbb{M}}_1,{\mathbb{M}}_2)$, which extends the modular code of the number X from the moduli set ${\mathbb{M}}_1$ to ${\mathbb{M}}_2$, requires $l(k-l)$ modular operations in both minimally redundant and conventional RNS implementations (see Equation (19)).

Computing the modular code of the number $C^{″}=(C+Xp)/M_l$ with respect to the moduli set ${\mathbb{M}}_2$, while taking into account the redundant module $m_0$, requires $k-l+1$ modular operations in a minimally redundant RNS and $k-l$ operations in a conventional RNS (see Equations (19)–(23)).

Similarly, computing the rank ${\rho }_n\left(C^{″}\right)$ of the number $C^{″}$ with respect to the moduli set ${\mathbb{M}}_2$ requires $k-l$ modular operations in a minimally redundant RNS, and $({(k-l)}^2+5(k-l)-10)/2$ operations in a conventional RNS (see Equations (25)–(28) and [27]).

The base extension operation $\mathrm{BEX}(C^{″};{\mathbb{M}}_2,{\mathbb{M}}_1)$, which maps the modular code of the number $C^{″}$ from ${\mathbb{M}}_2$ back to ${\mathbb{M}}_1$, also requires $(k-l)l$ modular operations in both minimally redundant and conventional RNS implementations (see Equation (29)).

Calculating the mixed-radix representation $C_{mrs}^{″}$ of the number $C^{″}$ requires $(l^2+3l-8)/2$ modular operations, as shown in [28].

Comparing the numbers $C_{mrs}^{″}$ and $p_{mrs}$ in the MRS requires l modular operations.

In the final step, computing the modular code of the number $\widehat{C}=C^{″}-Qp$, taking into account the redundant modulus $m_0$, requires $k+1$ modular operations in a minimally redundant RNS, and k operations in a conventional RNS (see Equation (29)).

Without loss of generality and for simplicity, let us assume that the moduli of the sets ${\mathbb{M}}_1=\{m_1,m_2,\dots ,m_l\}$ and ${\mathbb{M}}_2=\{m_{l+1},m_{l+2},\dots ,m_k\}$ are selected such that $k=2l$.

Under these assumptions, when employing a minimally redundant RNS, the total number of required modular operations, as derived from Table 1, is given by

$$N_1\left(l\right)=(5l^2+21l)/2.$$

(40)

In contrast, for a conventional non-redundant RNS, the required number of modular operations is

$$N_1^{*}\left(l\right)=(7l^2+27l-28)/2.$$

(41)

Hence, when A, B and $\widehat{C}$ belong to ${\mathbb{Z}}_p$ (see Theorem 1), the reduction factor in computational complexity for implementing MM in a minimally redundant RNS, compared to a conventional non-redundant RNS, is given by

$$C_1\left(l\right)={\displaystyle \frac{N_1^{*}\left(l\right)}{N_1\left(l\right)}}=1+{\displaystyle \frac{2l^2+6l-28}{5l^2+21l}}.$$

(42)

For instance, the computed values of $C_1\left(l\right)$ for specific values of l are as follows: $C_1\left(10\right)\approx 1.33$, $C_1\left(15\right)\approx 1.36$, and $C_1\left(20\right)\approx 1.37$. Furthermore, as l increases, the factor $C_1\left(l\right)$ continues to grow, asymptotically approaching a limiting value of 1.40.

6.2. Basic Exponentiation Algorithm by Large Modulus

It is well known that MM is primarily used for computing powers of natural numbers with respect to a large modulus p:

$$F(X,E,p)={\left|X^E\right|}_p,$$

(43)

where the numbers X and E are represented by their residue and binary codes, respectively: $X=\left({\chi }_1,{\chi }_2,\dots ,{\chi }_k\right)$ and $E={\left(e_{b-1},e_{b-2},\dots ,e_0\right)}_2$, where $e_{b-1}$=1 and b denotes the bit-length of E.

The well-known method for computing (43) relies on the multiplicative decomposition of the exponentiation function:

$$F(X,E,p)={\left|X^{{\sum }_{j=0}^{b-1}{e}_j{2}^j}\right|}_p={\left|X^{e_0}{\left(X^{e_1}{(\dots {\left(X^{e_{b-2}}{\left(X^{e_{b-1}}\right)}^2\right)}^2\dots )}^2\right)}^2\right|}_p.$$

(44)

All multiplicative operations in (44) are performed within the framework of scheme (11), which allows the reuse of previously computed results as subsequent operands. In this case, the fact that the number $C^{″}$ belongs to the ring ${\mathbb{Z}}_{2p}$ when $A,B\in {\mathbb{Z}}_{2p}$ is ensured by condition (39). Consequently, the correction operation (36) needs to be applied only at the final step of the computation in accordance with (44).

In a minimally redundant RNS, the implementation of MM when $A,B,$ and $C^{″}$ belong to ${\mathbb{Z}}_{2p}$ requires

$$N_2\left(l\right)=2l^2+6l+3$$

(45)

modular operations (see Table 1).

In contrast, in a conventional non-redundant RNS, the number of required modular operations is given by

$$N_2^{*}\left(l\right)=3l^2+9l-10.$$

(46)

Thus, in the considered case, based on (45) and (46), the computational complexity reduction factor is expressed as

$$C_2\left(l\right)={\displaystyle \frac{N_2^{*}\left(l\right)}{N_2\left(l\right)}}=1+{\displaystyle \frac{l^2+3l-13}{2l^2+6l+3}}.$$

(47)

For example, the values of $C_2\left(l\right)$ for specific values of l are as follows: $C_2\left(10\right)\approx 1.46$, $C_2\left(15\right)\approx 1.48$, and $C_2\left(20\right)\approx 1.49$. Furthermore, as l increases, the reduction factor $C_2\left(l\right)$ (see (47)) continues to grow, asymptotically approaching the value 1.50.

It is important to note that the same reduction factor of computational complexity is also achieved when implementing the exponentiation procedure (44).

7. Conclusions

This paper presents an efficient implementation of MM in a minimally redundant RNS. The core feature of the proposed approach consists of using an advanced rank calculation method introduced by the author in [25,27].

The key contributions of this work are as follows:

• The use of minimally redundant RNS significantly reduces the computational cost of MM implementation compared to conventional non-redundant RNS. Moreover, the complexity of rank computation for the moduli sets ${\mathbb{M}}_1$ and ${\mathbb{M}}_2$ is reduced by a factor of $l/2$ and $(k-l)/2$, respectively. This optimization improves the efficiency of base extension operations $\mathrm{BEX}(X;{\mathbb{M}}_1,{\mathbb{M}}_2)$ and $\mathrm{BEX}(C^{″};{\mathbb{M}}_2,{\mathbb{M}}_1)$, as well as the overall MM procedure;
• The conditions used to choose the moduli sets ${\mathbb{M}}_1$ and ${\mathbb{M}}_2$ with respect to the operating modulus p are established (see Theorems 1 and 2). These conditions ensure the correctness of multiple accesses to the MM procedure when both operands and results reside in the ring ${\mathbb{Z}}_{2p}$. This property is particularly beneficial for implementing modular exponentiation procedures based on MM;
• A novel MM algorithm for minimally redundant RNS is introduced. This algorithm is well suited for efficient implementation using lookup table techniques. Moreover, the most computationally demanding operations required for generating lookup tables are organized as a preprocessing step, executed independently before the main computational procedure;
• The computational costs of the proposed MM scheme in a minimally redundant RNS are analyzed and compared with those of a non-redundant RNS. The results demonstrate that the minimally redundant RNS implementation requires 1.5 times fewer computational resources when operands and results belong to the ring ${\mathbb{Z}}_{2p}$. This advantage also extends to the modular exponentiation procedure based on MM.

In summary, the intrinsic parallelism and tabular nature of minimally redundant RNS arithmetic, combined with the simplicity of rank computation and base extension operations, significantly enhance the performance of Montgomery multiplication-based algorithms.