1. Introduction
Residue number system (RNS) is a non-positional representation of integers whose main advantage over its traditional positional 2's complement counterpart is particularly efficient implementation of the basic arithmetic operations like addition and multiplication, which are executed on shorter operands by parallel independent circuits [1, 2]. Unfortunately, non-modular arithmetic operations in RNS like number comparison, sign and overflow detection are known to be difficult, because they require involvement of all residues. Akushskii et al. [3] were the first to show that executing these and some other difficult operations does not require restoring RNS numbers to their positional notation, which involves the cumbersome operation of finding the remainder of the division by a large and awkward number. They introduced the core function, whose major advantage is that it offers the possibility to reduce the range within which the remainder of the division is calculated and which contains some positional information about an RNS encoded number. Nevertheless, the main disadvantage of the core function remains that most non-modular operations are hard to implement directly [4].
The simplest approach to RNS number comparison relies on converting them to the positional representations, which are then handled using an ordinary number comparator [1]. However, using a reverse converter for RNS number comparison involves computations modulo a very large modulus M, which is both time- and power-consuming. Nevertheless, as for extra hardware, the latter has the advantage that only the ordinary a-bit number comparator ( ) is needed, because any RNS-based processor must use the reverse converter anyway. Since [3], several attempts to design stand-alone comparators (for arbitrary RNS moduli sets) using more sophisticated approaches have been proposed [5, 6, 7, 8, 9, 10, 11]. In [5], the algorithm for comparison of signed RNS numbers, based on using the core function from [3], was proposed. Unfortunately, it requires using a redundant modulus, which must be larger than the range of the core function used. Such a solution seems impractical due to its cost, because one extra residue datapath channel must be added just to allow for number comparison (although it can serve to facilitate execution of some other difficult RNS operations as well). Faster general RNS number comparators were based on using the diagonal function [6, 7] and some monotone functions proposed in [8], although the latter requires including the modulus of the form . Some limitations of the comparators of [6, 7] were pointed out in [9], and they also apply to those of [8]. The comparison algorithm suggested in [10] allows one to reduce the maximum size of modulo addition from M to approximately , but it suffers from excessive delay compared to other methods. Finally, a new approach based on the Modified Diagonal Function (MDF) was proposed recently in [11]. It allows replacing computations modulo a large and awkward a-bit number M with significantly simpler computations involving only a power of 2 modulus , although N is always larger than a. The MDF is a kind of extension of Vu's approach for sign detection and reverse conversion [12], which also can be reduced to the computations modulo [13]. The comparator of [11] was shown to be superior in area, speed, and power consumption compared to its existing counterparts.
The importance of availability of cost-efficient and fast RNS comparison algorithms stems from the following observations. Because comparison in RNS has been considered a complex operation, the most widespread applications of RNS are usually comparison-free. The potential improvement of the efficiency of RNS comparison techniques can have significant impact on novel applications of RNS wherein comparison cannot be avoided. These include image processing [14], RNS-based convolutional neural networks [15], and RNS-based error correction codes [16]. However, cryptography and data security is the most promising emergent and dynamically developing area using RNS to improve performance of computations involving very large numbers, whose lengths are counted in thousands of bits. These include integrity verification in RNS-based verifiable secret sharing schemes [17], RNS-based algorithms in cloud computing and in edge and fog devices [16, 18], and modern post-quantum homomorphic cryptography algorithms based on algebraic lattices and the Ring Learning With Errors (RLWE) assumption, whose execution can be accelerated using RNS [18, 19, 20, 21, 22, 23, 24]. The magnitude comparison is required for integrity control in [20, 22, 23, 24]. Because all cryptographic schemes require computations involving polynomials of very large degree and with very large coefficients, RNS representation of coefficients and operands could allow a significant increase in processing performance for such schemes. Nevertheless, in this context using even modulus with might also have some drawbacks. Although computations modulo are more efficient than modulo any other modulus, some cryptographic applications like homomorphic encryption algorithms based on RLWE (requiring comparison of encrypted numbers in RNS) are very sensitive to memory consumption, which can put executing computations on larger N-bit rather than a-bit operands at a disadvantage. Because such an approach requires a large amount of memory to represent the ciphertext, the computations modulo would not necessarily be advantageous (nevertheless, the approach based on the MDF from [11] preserves its advantages, if applied to implement RNS algorithms involving smaller dynamic range size). All computations in RLWE-based cryptosystems (both in hardware and software) are based on some Number-Theoretic Transform (NTT) [18, 25], since all ciphertexts are represented as polynomials in the cyclotomic ring. However, NTT requires representing numbers in RNS moduli sets composed only of prime numbers, so that involving any computations modulo could not be supported in general.
In this paper, we will study monotonic core functions and, in particular, their properties which would make them suitable for efficient RNS number comparison. These newly discovered properties will provide the way for construction of the RNS comparison algorithm based on the core function with the smallest possible range. The general context is that all computations of a new function can be assumed as computations in the new RNS in which one of the moduli of the original RNS is excluded. It could serve as a theoretical basis for NTT-based cryptographic algorithms requiring the use of prime moduli only, aiming at accelerating such algorithms as homomorphic comparison of numbers in encrypted form.
The main contributions of this paper are twofold. One is a new systematic design approach to number comparison in RNS, which is based on the newly defined minimum-range monotonic core function and which is applicable to an arbitrary general RNS moduli set. Its major advantage is that its hardware implementation is less complex and in some cases it could also be faster than any previous similar design. We formulate the conditions of the monotonicity of the core function (necessary to execute comparison), which will also ensure its minimal range (essential to obtain the best characteristics of the comparator). The second is our finding that the diagonal function, previously used for number comparison in RNS and reverse conversion, is actually nothing else but the special case of the core function with all coefficients set to 1.
This paper is organized as follows. Section 2 and Section 3 present the basic properties of RNS and the core functions, respectively. Section 4 details the theoretical background of the core functions, allowing for number comparison in RNS. Performance evaluation and comparison against existing circuits are provided in Section 5. Finally, some conclusions and suggestions for future research are given in Section 6.
2. Properties of RNS
The RNS is defined by the set of n pairwise prime moduli , which are here arranged in the increasing order (i.e., ). The dynamic range of this RNS is , i.e., any a-bit integer X () such that can be uniquely represented in RNS as , written , where (also written ) is the -bit remainder of an integer division of X by ().
Let . , the multiplicative inverse of mod ( ) is such an integer that . To obtain the number X back from RNS to the positional form, the Chinese remainder theorem (CRT) can be used [1]
where the set of n CRT constants defined by is called the orthogonal basis [3].
3. Properties of the Core Function
The core function was defined [3] as
or equivalently
where , , are integer constants which can be selected arbitrarily. For a given set of moduli, the core function can be characterized by:
The main attraction of the core function is that its range can vary and, similarly to , it can be significantly smaller than M. Replacing X by M in Equation (4) yields
Because for , the constant coefficients can be determined by the equation
Note that in Equation (6), which also defines a residue class for each i, , the coefficients can assume both positive or negative values.
Now we will show how to obtain a practically useful formula to compute for any X. As , then setting in Equation (4) yields
Because Equation (3) is not practical, the value of can be calculated by using remainders of X in the CRT according to Equation (1)
where . Substituting this expression in Equation (4) and using Equation (7) leads to
Then, setting into Equation (4) with from Equation (1) leads to
Now the most convenient formula for calculating is obtained by substituting Equation (9) in Equation (8), which yields
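The following added example (not code from the paper) works through Sections 2 and 3 on a small RNS: forward conversion, CRT reverse conversion through the orthogonal basis, the core function evaluated from residues alone, and comparison using the all-ones-coefficient case, which the paper identifies with the diagonal function. Assumptions: the moduli set {3, 5, 7} is constructed, all function names are hypothetical, and the core function is taken in its standard literature form C(X) = sum of w_i * floor(X / m_i).

```python
from math import prod

MODULI = (3, 5, 7)  # constructed sample set: pairwise coprime, increasing order

def to_rns(x, moduli=MODULI):
    """Forward conversion: residues x_i = X mod m_i."""
    return tuple(x % m for m in moduli)

def orthogonal_basis(moduli=MODULI):
    """CRT constants B_i = M_i * (M_i^-1 mod m_i), where M_i = M / m_i."""
    M = prod(moduli)
    return tuple((M // m) * pow(M // m, -1, m) for m in moduli)

def from_rns(res, moduli=MODULI):
    """Reverse conversion by the CRT: needs a reduction modulo the full range M."""
    B = orthogonal_basis(moduli)
    return sum(x * b for x, b in zip(res, B)) % prod(moduli)

def core(x, weights, moduli=MODULI):
    """Core function from its assumed definition, on a positional integer."""
    return sum(w * (x // m) for w, m in zip(weights, moduli))

def core_from_rns(res, weights, moduli=MODULI):
    """Core function from residues only: sum of x_i * C(B_i), reduced mod C(M).
    In general this is a congruence; with all-ones weights it is exact,
    because 0 <= C(X) < C(M) for every X in the dynamic range."""
    c_M = core(prod(moduli), weights, moduli)
    c_B = [core(b, weights, moduli) for b in orthogonal_basis(moduli)]
    return sum(x * c for x, c in zip(res, c_B)) % c_M

def compare_rns(rx, ry, moduli=MODULI):
    """Return -1, 0 or 1 for X<Y, X==Y, X>Y without reconstructing X or Y."""
    ones = (1,) * len(moduli)
    dx = core_from_rns(rx, ones, moduli)
    dy = core_from_rns(ry, ones, moduli)
    if dx != dy:
        return -1 if dx < dy else 1
    # Equal values: every floor(X/m_i) matches, so any single residue decides.
    return (rx[0] > ry[0]) - (rx[0] < ry[0])

if __name__ == "__main__":
    x, y = 52, 53
    print(to_rns(x), from_rns(to_rns(x)))           # residues and round trip
    print(core_from_rns(to_rns(x), (1, 1, 1)))      # core value, reduced mod 71
    print(compare_rns(to_rns(x), to_rns(y)))
```

For this moduli set the reduction in `core_from_rns` is modulo C(M) = 71 instead of M = 105, which is the range reduction the section attributes to the core function.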