Review of Modular Multiplication Algorithms over Prime Fields for Public-Key Cryptosystems

Abstract

Modular multiplication is a pivotal operation in public-key cryptosystems such as RSA, ElGamal, and ECC. Modular multiplication design is crucial for improving overall system performance due to the large-bit-width operation with high computational complexity. This paper provides a classification of integer multiplication algorithms based on their implementation principles. Furthermore, the core concepts, implementation challenges, and research advancements of multiplication algorithms are systematically summarized. This paper also gives a brief overview of modular reduction algorithms for various types of moduli and discusses the implementation principles, application scenarios, and current research results. Finally, the detailed research development of modular multiplication algorithms in four major classes over prime fields is deeply analyzed and summarized, making it essential as a guide for future research.

1. Introduction

The problem of information security in the era of big data is becoming severe, and cryptography has become the fundamental technology and essential support for network and information security. Public-key cryptosystems have been widely adopted due to their security foundations, which rely on complex mathematical problems, such as RSA based on the integer factorization problem, ElGamal and ECC based on the discrete logarithmic problem, etc. In practical applications, the 2014 Apple “goto fail” vulnerability exposed critical flaws in RSA signature verification implementations [1], driving substantial improvements in associated security protocols. Similarly, the 2018 ROCA vulnerability revealed fundamental weaknesses in RSA key generation algorithms [2], significantly accelerating the real-world adoption of Elliptic Curve Cryptography (ECC). These incidents not only demonstrate the persistent need for rigorous optimization of RSA implementations but also highlight ECC’s superior capability in mitigating contemporary security threats. Concurrently, the rapid development of quantum computing presents existential risks to conventional public-key cryptosystems. In response, the U.S. National Institute of Standards and Technology (NIST) has initiated and progressed the standardization process for Post-Quantum Cryptography (PQC). During this transitional period, traditional public-key algorithms will maintain their critical role within hybrid cryptographic architectures [3], ensuring a smooth transition toward quantum-resistant systems while providing essential backward compatibility.

Existing encryption algorithms rely on binary expansion fields GF($2^m$) or prime fields GF($p$), where $m$ denotes the number of expansions and $p$ represents the prime number. Compared to binary expansion fields, cryptographic algorithms based on prime fields offer more flexibility and security. However, they have high computational complexity and are difficult to implement in hardware. Modular multiplication is the core operation of public-key cryptosystems, and even the PQC that resists quantum attacks involves modular multiplication operations. Therefore, the study of modular multiplication algorithms is extremely important for improving the performance of cryptographic algorithms.

The modular multiplication can be represented as:

$$C=(A\times B)\mathrm{mod}p,0\le A,B<p$$

(1)

Modular multiplication consists of the multiplication that computes the product of two operands and the modular reduction that computes the remainder, which is implemented in two ways: multiplication followed by modular reduction, interleaving between multiplication and modular reduction. Due to the large operand bit-widths in cryptographic algorithms, modular multiplication operations commonly involve efficient multiplication and modular reduction algorithms. Multiplication algorithms in public-key cryptosystems include Schoolbook multiplication, Comba multiplication [4], Karatsuba multiplication [5], Toom–Cook multiplication [6,7], and NTT-based polynomial multiplication [8], as well as Booth encoding [9] and Redundant Signed Digit (RSD) representation [10] for optimizing the multiplication process. Modular reduction algorithms include Barrett reduction [11], Montgomery reduction [12], and fast reduction for Mersenne primes [13] and NTT polynomial coefficients. Through a deep analysis of the modular multiplication principle, it can be divided into addition and multiplication types. The addition-type modular multiplication algorithm refers to the interleaved modular multiplication algorithm based on Blakley [14], and the multiplication-type modular multiplication algorithm includes the Barrett modular multiplication algorithm adopting quotient estimation techniques, the Montgomery modular multiplication algorithm based on the residual system, and the fast modular multiplication algorithm for specific prime numbers. The classification of modular multiplication algorithms over prime fields for public-key cryptosystems is shown in Figure 1.

In this paper, we systematically investigate the modular multiplication algorithms over prime fields for public-key cryptosystems, comprehensively discuss various multiplication algorithms and modular reduction algorithms, and summarize the references from the dimensions of algorithmic principles, implementation difficulties, improvement schemes, and application scenarios. In addition, this paper organizes the relationship between various algorithms more clearly while considering the modular multiplication algorithm in the PQC. The main research projects are summarized as follows:

(1)

The commonly utilized multiplication algorithms are systematically analyzed and classified into four categories according to their implementation principles. Furthermore, the advantages and disadvantages of each multiplication algorithm are summarized.

(2)

A summary of modular reduction algorithms for modular multiplication algorithms is provided, with two categories based on different modulus forms and a focus on modular reduction algorithms for specific prime numbers. Furthermore, the advantages and disadvantages of each modular reduction algorithm are discussed.

(3)

Four types of modular multiplication algorithms are analyzed and reviewed, outlining the research progress for each algorithm. Furthermore, the hardware implementations of modular multiplication algorithms are analyzed and compared to provide some guidance for the analysis, design, and future research of modular multiplication algorithms.

2. Multiplication Algorithms

2.1. Basic Algorithms

2.1.1. Schoolbook Multiplication

The core idea of the Schoolbook algorithm is to multiply each bit of the multiplicand by the multiplier and sum the resulting product. For two $n$-bit operands, the Schoolbook algorithm requires approximately $n^2$ multiplication operations, 4$n^2$ addition operations, and $n^2+n$ store operations, resulting in computational complexity $O(n^2)$. If a bit of the multiplicand is 0, the corresponding computation can be skipped, thereby reducing the number of computations. The Schoolbook algorithm is the simplest method for performing multi-precision multiplication, but handling carries complicates parallelization.

2.1.2. Comba Multiplication

The Comba algorithm still has computational complexity $O(n^2)$. It differs in that it computes in columns, first merging the whole columns and then handling carries over the entire column, thus reducing the number of times handling carries from $n^2$ to $2n$. In addition, the Comba algorithm requires only $2n-1$ partial products to be computed and stored in memory, reducing the number of writes to memory compared to the Schoolbook algorithm. The Comba algorithm is often combined with other algorithms as a scheduling technique [15] to optimize the order of product calculation, and the design challenge is to improve parallelism. The difference between the Schoolbook algorithm and Comba algorithm is now mainly applicable to software design and negligible for hardware design. Specifically, the Comba algorithm is suitable for assembly language, while the Schoolbook algorithm is more suitable for high-level languages that support double-precision 32-bit integer data types. The Comba algorithm is shown in Algorithm 1.

Algorithm 1. Comba multiplication

Input: $x$,$y$ Output: $z=x\times y$

1:     for $i=0$ to $(2n-2)$ do 2:         if $i<n$ then 3:             $p{a}_i={\displaystyle {\sum }_{j=0}^i(x_j\times y_{i-j})}$ 4:         else 5:             $p{a}_i={\displaystyle {\sum }_{j=i-(n-1)}^{n-1}(x_j\times y_{i-j})}$ 6:         end if 7:     end for 8:     $z={\displaystyle {\sum }_{i=0}^{2n-2}(p{a}_i\times 2^i)}$ return $z$

2.2. Algorithms Based on Divide and Conquer

2.2.1. Karatsuba Multiplication

The Karatsuba algorithm uses a divide-and-conquer approach, splitting two n-bit multipliers into n/2-bit sub-sequences, recursively computing their products, and combining the results. The algorithm reduces the number of multiplication operations by performing additional addition, which requires approximately $3n^2/4$ multiplication operations, $3n^2+4n+2$ addition operations, and $3n^2/4+11n/2+1$ storage operations, decreasing the computational complexity from $O(n^2)$ to $O(n^{{{\log }_2}^3})$. As the input bit-width increases, the cost of addition decreases relative to multiplication. The Karatsuba algorithm exhibits better performance than the basic algorithm when the input bit-width exceeds 128-bit. In order to meet the different scenarios, Kang et al. designed a Karatsuba multiplier that supported variable large integers [16]. In addition, Rafferty et al. analyzed the hardware implementation of combined schemes [17]. The Karatsuba–Schoolbook combination is suitable for input bit-width less than 64-bit. In contrast, the Karatsuba–Comba combination achieves the lowest computational complexity for input bit-width ranging from 64-bit to 256-bit and the lowest latency for input bit-width more than 512-bit. The challenge in designing the Karatsuba algorithm involves determining the appropriate layering strategy for various bit-widths and optimizing the path delay introduced by addition operations. The Karatsuba algorithm for large integer multiplication is shown in Algorithm 2.

Algorithm 2. Karatsuba multiplication

Input: $x$,$y$, with $x=x_1\times 2^{n/2}+x_0$,$y=y_1\times 2^{n/2}+y_0$ Output: $z=x\times y$

1:     $z_0=x_0{y}_0$ 2:     $z_1=x_1{y}_1$ 3:     $s_1=x_1+x_0$ 4:     $s_2=y_1+y_0$ 5:     $s_{12}=s_1\times s_2$ 6:     $z_2=s_{12}-z_0-z_1$ 7:     $z=z_0+z_2\times 2^{n/2}+z_1\times 2^n$ return $z$

Polynomial multiplication can also be efficiently performed using the Karatsuba algorithm. First, the two input polynomials are evaluated, followed by the evaluation of the product polynomial. Finally, the product polynomial is reconstructed using interpolation. When evaluating an $n-1$ degree polynomial, $2n-1$ evaluation points need to be selected, with $0, 1, \mathrm{and} \infty$ being commonly used points. Further details on the Karatsuba algorithm and its optimal usage with minimal computation cost can be found in [18]. In recent years, many studies have employed the Karatsuba method to design polynomial multiplication architecture for hardware implementation. Wong et al. analyzed the advantages of Karatsuba-based polynomial multipliers in Saber [19]. Furthermore, they proposed a four-layer Karatsuba architecture that achieved low hardware resource consumption and high throughput by employing optimization strategies such as fully parallel and reusing intermediate registers. Heidarpur et al. combined the Schoolbook algorithm with Overlap-free Karatsuba multiplication to reduce the critical path delay and designed a high-speed polynomial multiplier based on lookup tables [20].

2.2.2. Toom–Cook Multiplication

The general form of the Toom–Cook algorithm is Toom–Cook-k, which divides into k segments and generates a polynomial of degree k−1 from k coefficients. For large k values, the procedure becomes extremely complex, so commonly used k values are below 6. To obtain the product result of degree 2(k−1) quickly, appropriate variable values should be chosen [21], converting the multiplication problem into solving the linear equation system problem. By solving the unknown coefficients within the matrix, shifting and summing them provides the product result. The Toom–Cook algorithm further reduces the number of multiplication operations and adopts a divide-and-conquer strategy, lowering the computational complexity to $O(n^{{{\log }_3}^5})\approx O(n^{1.464})$. However, compared to the Karatsuba algorithm, it introduces more addition operations and involves division operations that are difficult to implement in hardware. As a result, it is suitable for software implementations that do not consider the resource overhead.

Since the beginning of the NIST PQC Standardization process, the Toom–Cook algorithm has attracted attention due to its applicability to polynomial multiplication over rings. Bermudo et al. utilized precomputation and lazy interpolation techniques to reduce the overhead of evaluation and interpolation, which were applied to Saber [22]. Wang et al. utilized the Winograd algorithm to reduce the computation of the Low-degree Schoolbook step and reduce the density of the interpolation matrix as well as the merge post-processing to reduce the number of multiplications. The method can be applied to lattice-based cryptosystems with a modulus less than or equal to 32-bit [23]. In addition, Li et al. analyzed the leakage characteristics of the Toom–Cook algorithm for the first time and proposed some countermeasures to prevent side-channel attacks [24].

2.2.3. NTT Multiplication

The FFT method is more advantageous for high-degree polynomials, as it ensures efficient interpolation points for evaluation. It uses the $n$-th complex roots as evaluation points and transforms the polynomial coefficient representation into the point-value representation. Two efficient FFT algorithms are the Decimation-In-Time (DIT) Cooley–Tukey and the Decimation-In-Frequency (DIF) Gentleman–Sande algorithm. Both algorithms consist of multiple levels of iterative butterfly computations, utilizing the divide-and-conquer strategy to rapidly compute the Discrete Fourier Transform (DFT) with computational complexity of $O(n\log n)$. The butterfly unit of the DIT FFT algorithm performs modular multiplication followed by modular addition and subtraction. In contrast, the butterfly unit of the DIF FFT includes performing modular addition and subtraction followed by modular multiplication. Radix-2 [25], radix-4 [26], and split-radix FFT [27] algorithms can be selected based on the specific application scenario.

Number Theoretic Transform (NTT) is a variant of DFT in the finite field. Its operational process and computational complexity are equivalent to the FFT, with the difference that $n$-th primitive roots of unity are selected to calculate. The NTT algorithm eliminates the floating-point operation in FFT, making it more suitable for hardware implementation. The NTT-based polynomial multiplication algorithm is shown in Algorithm 3. Firstly, the higher-order parts of the two input vectors are complemented with the zero-padding operation to avoid the overflow of high-degree terms. Subsequently, the two expansion vectors respectively perform NTT, and the two obtained sequences perform pointwise multiplication, and then the result of the pointwise multiplication performs INTT (Inverse Number Theoretic Transform). Finally, carry operations are performed to obtain the multiplication result.

Algorithm 3. NTT-based polynomial multiplication

Input: $a$,$b$, with $a$,$b\in {\mathbb{Z}}_p[x]$ Output: $z=a\times b$

1:     $\overrightarrow{a}=(a_0,a_1,\dots ,a_{n-1},0_{m-1})$,$\overrightarrow{b}=(b_0,b_1,\dots ,b_{m-1},0_{n-1})$ 2:     $\widehat{a}=NTT(\overrightarrow{a})$,$\widehat{b}=NTT(\overrightarrow{b})$ 3:     $\widehat{z}=$$\widehat{a}\cdot \widehat{b}$ 4:     $z=INTT(\widehat{z})$ return $z$

Currently, research on hardware acceleration for NTT-based polynomial multiplication of PQC schemes is of great significance. There are three main methods to optimize NTT computational units: developing low computational complexity NTT/INTT algorithms to reduce the number of modular multiplication; optimizing precomputed twiddle factors to reduce the storage overhead; and designing a unified parallel NTT/INTT hardware architecture to minimize resource consumption. For the quotient ring ${\mathbb{Z}}_p[x]/f(x)$, ${\mathbb{Z}}_p[x]$ represents the set of all polynomials with coefficients in the ring of integers modulo a prime number $p$. If $f(x)$ = $x^n-1$, positive wrapped convolution (PWC) can be employed to avoid zero-padding. If $f(x)$ = $x^n+1$, negative wrapped convolution (NWC) can be utilized to achieve the same purpose. However, pre-processing (consisting of N modular multiplications) and post-processing (consisting of 2N modular multiplications) are necessary. Zhang et al. proposed a low-computational-complexity NTT/INTT algorithm that eliminates pre-processing and post-processing steps while removing the scaling factor $N^{-1}$ in the INTT [28]. Xing et al. eliminated the bit-reverse operation in the NTT/INTT by adjusting the loop structure [29]. Utilizing the optimization strategies in [28,29], the number of cycles required to complete one polynomial multiplication operation is reduced from $1.5n\lg \mathrm{n}+8n$ to $1.5n\lg n+n$. Guo et al. investigated the advantages of the split-radix NTT algorithm in Kyber and maximized the utilization of memory bandwidth of radix-2 butterfly units by adjusting the calculation order [30]. Li et al. proposed a mapping strategy to optimize the data flow between NTT and INTT stages, simplifying the routing overhead among processing units [31]. Mu et al. proposed scalable NTT hardware accelerators for any polynomial length and modulus, as well as the depth and width of processing element (PE) array [32]. They designed a conflict-free memory access scheme that supported variable PE arrays to meet different security parameters. Chen et al. eliminated the bit-reverse and additional memory overhead in NTT/INTT by readjusting the loop structure and reusing the twiddle factors [33]. Furthermore, they proposed a conflict-free memory mapping scheme that supported an arbitrary radix of NTT. However, the in-place NTT algorithm leads to complex conflict-free memory access patterns, which is not favorable to the scalability of multicore architectures. To address this problem, the constant-geometry (CG) NTT algorithm has the same memory access pattern at each stage but at the cost of doubling the memory overhead. Su et al. proposed a unified reconfigurable multicore CG NTT architecture that supported variable Pes [34]. In addition, the cyclic-sharing memory management pattern was designed to reduce 25% memory overhead. Liu et al. also proposed a conflict-free memory access pattern with a capacity of 1.5 $N$ but further decreased the utilization of BRAM by 66.7% [35].

2.3. Partial Product Optimization Techniques

2.3.1. Booth Encoding

The Booth encoding algorithm optimizes groups with consecutive 0s and 1s to reduce the number of partial products. In multiplication computations, applying Booth transformation to a multiplicand with a relatively high frequency of consecutive 0s can reduce the number of non-zero partial products, thereby optimizing the accumulation process of partial products. A brief description of the Booth algorithm is provided below:

The complement of the multiplier $y$ can be represented as:

$$y=-y_{n-1}{2}^{n-1}+\left({\displaystyle \sum _{i=0}^{n-2}{y}_i\times 2^i}\right)$$

(2)

By appending an auxiliary bit $y(-1)$ with the value of 0 to the Least Significant Bit (LSB) of the multiplier y, Equation (2) is equivalently transformed into Equations (3) and (4):

$$\begin{array}{l}y=-y_{n-1}{2}^{n-1}+y_{n-2}{2}^{n-2}+y_{n-3}{2}^{n-3}+\dots +y_1{2}^1+y_0{2}^0+y_{-1}\hfill \\ =(y_{n-2}-y_{n-1})2^{n-1}+(y_{n-3}-y_{n-2})2^{n-2}+\dots +(y_1-y_2)2^2+(y_0-y_1)2^1+(y_{-1}-y_0)2^0\end{array}$$

(3)

$$y=(-2y_{n-1}+y_{n-2}+y_{n-3})2^{n-2}+(-2y_{n-3}+y_{n-4}+y_{n-5})2^{n-4}+\dots +(-2y_1+y_0+y_{-1})$$

(4)

Equation (3) represents radix-2 Booth encoding, where the polynomial radix coefficients are derived by subtracting the adjacent bits of the multiplier $y$. This method reduces the number of non-zero partial products without changing the number of terms in the polynomial expression, indicating that the actual number of partial products remains unchanged.

Equation (4) represents radix-4 Booth encoding. Starting from the LSB of the multiplier, groups of three bits are formed (the LSB of the first group is the auxiliary bit $y[-1]$). Adjacent groups overlap by one bit, meaning the Most Significant Bit (MSB) of the lower group overlaps with the LSB of the higher group. The three bits in each group form polynomial radix coefficients according to a specific relationship, so the partial product operation corresponding to all value combinations of adjacent three bits can be obtained.

When $n$-bit multiplication is performed using radix-2 Booth encoding, $n$ partial products are generated. In contrast, radix-4 Booth encoding is equivalent to generating a partial product by multiplying two bits of the multiplier at each step, thereby reducing the number of partial products by half. Other high-radix encoding methods can be derived using a method similar to Equation (4). Although high-radix encoding techniques can reduce the number of partial products, the resulting circuits are more complex [36]. This complexity can be mitigated by introducing additional encoding parameters to improve the circuit logic.

2.3.2. RSD Representation

Common redundant representations include the Carry-Save (C-S) representation and the RSD representation.

In the C-S representation, a signed number $A$ can be expressed as the sum of two signed numbers:

$$A=A_c+A_s={\displaystyle {\sum }_{i=0}^{n-1}{a}_i{2}^i}={\displaystyle {\sum }_{i=0}^{n-1}(a_c+a_s)2^i}$$

(5)

In the RSD representation, a signed number A $A$ can be expressed as the difference between two unsigned numbers:

$$A=A_p-A_m={\displaystyle {\sum }_{i=0}^{n-1}{a}_i{2}^i}={\displaystyle {\sum }_{i=0}^{n-1}(a_p-a_m)2^i}$$

(6)

The RSD representation of a signed number $A$ is denoted as $a=\{a_{n-1},a_{n-2},\dots ,a_0\}$. Each bit is represented by the two bits $a_p$ and $a_m$, where $a_p$ and $a_m$ take the value 0 or 1, and $a_i$ takes the value −1, 0, or 1. In the RSD representation system, a negative integer can be achieved by changing the sign of non-zero bits in the encoding, toggling between −1 and 1.

The representation of signed numbers can reduce the carry propagation delay of the accumulation operations in multiplication. However, it requires additional bits in the signed number systems, and the signed numbers need to be converted back to the original number system after computation. Compared to the C-S representation, the RSD representation offers the following advantages [37]: the RSD encoding represents the difference between two unsigned numbers without requiring additional sign bits; the number 0 in the RSD encoding representation is easy to analyze and determine; and the negation operation in the RSD encoding representation only needs to exchange the position of $a_p$ and $a_m$, facilitating the implementation of subtraction operations.

2.4. Comparative Analysis of Multiplication Algorithms

This paper summarizes the multiplication algorithms in public-key cryptography and classifies them into three types. Schoolbook multiplication and Comba multiplication belong to basic algorithms. The Karatsuba, Toom–Cook, and NTT multiplication algorithms utilize the divide-and-conquer recursive approach. Booth encoding and RSD representation are partial product optimization techniques.

Table 1. Advantages and disadvantages of multiplication algorithms.

Multiplication		Advantages	Disadvantages
Basic algorithms	Schoolbook multiplication	The hardware implementation is straightforward.	High computational complexity and difficulty in parallel computation are possessed.
	Comba multiplication	The number of carry propagations and memory access are reduced.
Algorithms based on divide and conquer	Karatsuba multiplication	Binary recursive is utilized to reduce computational complexity.	Additional recursive and addition operations are introduced.
	Toom–Cook multiplication	The concept of dynamic divide-and-conquer recursion is utilized to further reduce computational complexity.	The hardware implementation of division operations is relatively challenging.
	NTT multiplication	The lowest computational complexity is achieved due to the point-value representation.	The length of the input operand and the modulus are limited.
Partial product optimization techniques	Booth encoding	The number of partial products is decreased.	The operational efficiency is reduced for multipliers containing non-contiguous 1s or 0s.
	RSD representation	The carry propagations of accumulation operations are decreased.	Redundancy phenomena are susceptible to generate.

summarizes the advantages and disadvantages of these multiplication algorithms.

3. Modular Reduction Algorithms

3.1. Modular Reduction for General Moduli

3.1.1. Barrett Reduction

Barrett reduction is the first estimator reduction algorithm without division operations. The central principle is to use multiplication and precomputation instead of division. Assuming the radix is denoted by $b=2^L$ and the word length is represented by $L$, the Barrett reduction algorithm is shown in Algorithm 4.

Algorithm 4. Barrett reduction

Input: $0\le z<b^{2k}$,$2^{k-1}<p<2^k$,$b\ge 3$,$\mu =⌊b^{2k}/p⌋$ Output: $r=z\mathrm{mod}p$

1:     $\widehat{q}=⌊⌊z/b^{k-1}⌋\mu /b^{k+1}⌋$ 2:     $r=(z\mathrm{mod}{b}^{k+1})-(\widehat{q}\cdot p\mathrm{mod}{b}^{k+1})$ 3:     if $r<0$ then 4:         $r=r+b^{k+1}$ 5:     end if 6:     while $r\ge p$ do 7:         $r=r-p$ return $r$

The value of $L$ in the Barrett reduction algorithm can be selected based on the modulus $p$. Since the modulus $p$ is constant during performing modular multiplication operation once, $\mu =⌊b^{2k}/p⌋$ can be precomputed, and at most two subtractions are required to keep the final result within $k+1$ digits.

3.1.2. Montgomery Reduction

The Montgomery reduction algorithm refers to generating $T{R}^{-1}\mathrm{mod}p$, where $p$ represents the modulus. In practical implementations, $R$ is typically chosen as a power of 2 to avoid time-consuming division operations, replaced by simple shift operations. The Montgomery reduction algorithm is shown in Algorithm 5.

Algorithm 5. Montgomery reduction

Input: $0\le T<Rp$,$p^{\prime }=(-p^{-1})\mathrm{mod}R$ Output: $r=T{R}^{-1}\mathrm{mod}p$

1:     $m=(T\mathrm{mod}R)p^{\prime }\mathrm{mod}R$ 2:     $r=(T+mp)/R$ 3:     if $r\ge p$ then 4:           $r=r-p$ 5:     end if return $r$

Since $(T+mp)/R<(p^2+Rp)/R<(Rp+Rp)/R=2p$, the final result can be constrained within the range $[0,p)$ with at most one subtraction.

3.2. Modular Reduction for Specific Prime Numbers

3.2.1. Fast Modular Reduction for Mersenne Primes

Mersenne primes are represented in $p=2^n-1$. Modular reduction can be performed quickly utilizing the congruence operation ($2^n\equiv 1\mathrm{mod}p$). Assuming the modulus $p$ is $n$-bit, the input operand $Z$ is $2n$-bit, the higher $n$-bit of $Z$ is $Z_H$, the lower $n$-bit of $Z$ is $Z_L$, and the intermediate result ($t=Z_H+Z_L$) can be obtained using the congruence operation. Therefore, the final result can be constrained within the range $[0,p)$ with at most one subtraction. Among the five prime field elliptic curves recommended by NIST, $p_{521}=2^{521}-1$ satisfies the Mersenne prime form. In addition, there are two variants of Mersenne primes: pseudo-Mersenne primes and generalized Mersenne primes.

Pseudo-Mersenne primes are represented as $p=2^n-c$, where $c$ is a small odd number. The modulus $p=2^{255}-19$ of the Curve25519 [38] satisfies the pseudo-Mersenne prime form, transforming modular reduction into multiplication and addition operations through the equivalence relation $2^{256}\equiv 38\mathrm{mod}p$. Yu et al. proposed a fast modular reduction algorithm for the Curve25519, representing the modulus $p=2^{255}-19$ as $2^{255}-2^4-2^2+1$ and transforming the 510-bit $Z$ into the form $Z_{254}{2}^{508}+Z_{253}{2}^{506}+Z_{252}{2}^{504}+\dots +Z_1{2}^2+Z_0$, where the width of $Z_i$ is 2-bit [39]. This algorithm involves two rounds: the first round only processes the higher 254-bit to obtain the residue term and $S$, while the second round reduces the highest two terms of $S$.

Generalized Mersenne primes are denoted as $p=2^n-c_1\cdot 2^{n-1}-\dots -c_i\cdot 2^{n-i}-\dots -c_n$, where $c_i$ is an integer with a smaller absolute value. The modular reduction operation can transform into a series of addition and subtraction using the congruence relation. Compared with the reduction process of pseudo-Mersenne primes, the shift and addition operation replace the multiplication operation with high complexity. In addition to the $p_{521}$ introduced in Mersenne primes, there are 192-bit, 256-bit, and 384-bit generalized Mersenne primes. Take the NIST curve $p_{256}$ as an example, where two integers are multiplied to get the 512-bit result $Z=z_{15}{2}^{480}+z_{14}{2}^{448}+\dots +z_1{2}^{32}+z_0$. The fast modular reduction algorithm of NIST curve $p_{256}$ is shown in Algorithm 6.

Algorithm 6. Fast modular reduction for $p_{256}$

Input: $Z=(z_{15}{z}_{14}{z}_{13}\dots z_2{z}_1{z}_0)2^{32}$ Output: $r=Z\mathrm{mod}{p}_{256}$

1:     $T=(z_7{z}_6{z}_5{z}_4{z}_3{z}_2{z}_1{z}_0)2^{32}$ 2:     $S_1=(z_{15}{z}_{14}{z}_{13}{z}_{12}{z}_{11}000)2^{32}$ 3:     $S_2=(0z_{15}{z}_{14}{z}_{13}{z}_{12}000)2^{32}$ 4:     $S_3=(z_{15}{z}_{14}000z_{10}{z}_9{z}_8)2^{32}$ 5:     $S_4=(z_8{z}_{13}{z}_{15}{z}_{14}{z}_{13}{z}_{11}{z}_{10}{z}_9)2^{32}$ 6:     $D_1=(z_{10}{z}_{8}000z_{13}{z}_{12}{z}_{11})2^{32}$ 7:     $D_2=(z_{11}{z}_{9}00z_{15}{z}_{14}{z}_{13}{z}_{12})2^{32}$ 8:     $D_3=(z_{12}0z_{10}{z}_9{z}_8{z}_{15}{z}_{14}{z}_{13})2^{32}$ 9:     $D_4=(z_{13}0z_{11}{z}_{10}{z}_{9}0z_{15}{z}_{14})2^{32}$ 10:$r=(T+2S_1+2S_2+S_3+S_4-D_1-D_2-D_3-D_4)\mathrm{mod}{p}_{256}$ return $r$

The fast modular reduction algorithm may require appending zeros to the higher bits due to carry or misalignment of the data undergoing reduction. The algorithm requires a large number of modular addition operations. In order to reduce the computational complexity, Choi et al. iteratively reduced the high part of the product result [40]. In addition, Choi et al. also proposed a novel method combining partial modular reduction with Montgomery reduction [41].

3.2.2. Modular Reduction in NTT Multiplication

Modular reduction is the core computational module of PQC algorithms based on RLWE and MLWE. In lattice-based cryptographic schemes, common moduli such as 3329, 7681, and 12,289 can be reduced by their special properties. Yaman et al. proposed a constant-time modular reduction algorithm, utilizing the property $2^{12}\equiv 2^9+2^8-1$ (mod 3329) to reduce higher-order bits to smaller bit-widths [42].

Aikata et al. proposed a unified architecture to perform modular reduction in Kyber and Dilithium. For the modulus 3329, they utilized the properties $2^{12}\equiv 2^9+2^8-1$ and $2^{11}\equiv -2^{10}-2^8-1$ to generate partial results. For the modulus 8,380,417, they recursively utilized the property $2^{23}\equiv 2^{13}-1$ [43].

Longa et al. proposed an efficient modular reduction method suitable for the NTT computation process, applicable to the modulus form $p=k\cdot 2^m+1$, in which $k$ is odd and $2^m>k$ [44]. This method is a kind of incomplete modular reduction algorithm, including two forms of K-RED and K-RED-2X. The K-RED algorithm is shown in Algorithm 7, where $Z$ is denoted as $Z=Z_h{2}^m+Z_l$, and fast reduction can be achieved by utilizing the property $k\cdot 2^m\equiv -1\mathrm{mod}p$. The algorithm requires one multiplication, one subtraction, two shifts, and one modular operation to complete a modular reduction operation, generating an output within the range $(-kp,p)$.

Algorithm 7. K-RED reduction

Input: $Z\in [0,p^2)$ Output: $r=Z\cdot k\mathrm{mod}p$

1:     $Z_l=Z\mathrm{mod}{2}^m$ 2:     $Z_h=Z/2^m$ 3:     $r=k{Z}_l-Z_h$ return $r$

The K-RED-2x algorithm can also reduce the intermediate result that leads to overflow, where $Z$ is represented as $Z_h{2}^{2m}+Z_m{2}^m+Z_l$$(0\le Z_l,Z_m<2^m)$. Bisheh-Niasar et al. proposed a K²-RED modular reduction algorithm, which performs K-RED operations twice [45]. For the modulus $3329$ in Kyber, K²-RED reduces one shift and addition operation compared to K-RED-2x. Li et al. optimized the parameters of the K²-RED algorithm for use in Dilithium, reducing hardware resource consumption by more than 50% compared to Barrett reduction and Montgomery reduction [46].

3.3. Comparative Analysis of Modular Reduction Algorithms

The traditional modular reduction algorithm obtains the remainder less than the modulus by time-consuming division operations, which is unsuitable for hardware implementation. This paper summarizes the modular reduction algorithms in public-key cryptosystems and divides them into two categories. It briefly discusses algorithm principles and improved forms of modular reduction for general moduli and fast modular reduction for specific prime numbers.

Table 2. Advantages and disadvantages of modular reduction algorithms.

Modular Reduction	Advantages	Disadvantages
Barrett reduction	Convert division operations into multiplication operations by utilizing quotient estimation techniques. One modular reduction operation requires two multiplications, one shift, and one subtraction.	Multiple result corrections need to be performed.
Montgomery reduction	Convert modular operations into shift operations by constructing residue systems. One modular reduction operation requires two multiplications, one shift, one addition, and two modular and subtraction operations.	The domain transformation operation is required.
Fast modular reduction for Mersenne primes	Convert modular operations into addition and subtraction operations after data reorganization.	Only applicable to specific types of moduli.
Modular reduction in NTT multiplication	Convert modular operations into addition, subtraction, and shift operations.

summarizes the advantages and disadvantages of the above-mentioned modular reduction algorithms.

4. Modular Multiplication Algorithms

4.1. Blakley-Based Interleaved Modular Multiplication

The Blakley-based interleaved modular multiplication algorithm, as shown in Algorithm 8, transforms modular multiplication into a series of addition operations by alternately performing multiplication and modular reduction. In each iteration, comparison and subtraction operations are required to ensure that the intermediate results remain within the modulus range.

Algorithm 8. Interleaved modular multiplication

Input: $A,B\in [1,p-1],p$ Output: $C=(A\times B)\mathrm{mod}p$

1:     $C=0;p2=2\times p;$ 2:     for $i=m-1$ down to 0 do 3:         $C1=C;C2=2\times C1;$ 4:         $I1=A[i]\times B$ 5:         $C3=C2+I1;C4=C3-p;C5=C3-p2;$ 6:         if $C3\ge p$ then 7:                                 $C6=C4$ 8:         else if $C3\ge p2$ then 9:                                  $C6=C5$ 10:       else $C6=C3$ 11:       end if 12:       $C=C6$ 13:   end for return $C$

The interleaved modular multiplication algorithm requires multiple iterations and addition operations. In recent years, researchers have utilized parallel techniques, Booth encoding, and high-radix forms to improve algorithmic performance. Hossain et al. proposed a radix-2 interleaved modular multiplication algorithm with precomputation, which performs two subtractions and two comparisons for each iteration and computes intermediate results in parallel [47]. Islam et al. utilized loop operations to reduce the computational complexity of the radix-2 interleaved modular multiplication algorithm. In addition, they designed a hardware architecture supporting five prime field elliptic curves for lightweight ECC processors [48]. Javeed et al. applied parallel techniques to the radix-2 interleaved modular multiplication algorithm at a lower hardware cost by reducing data dependencies between critical operations [49]. In addition, they utilized Booth encoding to decrease the number of iterations. Rahman et al. proposed an efficient interleaved modular multiplication algorithm and hardware architecture over 256-bit prime fields, achieving faster speed and higher throughput with minimum area consumption [50]. Kudithi et al. proposed simplifying the comparison chain in the radix-4 interleaved algorithm by comparing with 0 to select the smallest positive number [51]. Lin et al. employed a high-radix interleaved modular multiplication algorithm, calculating four bits at each iteration and adding the radix-4 Booth encoding values to the accumulator, thereby balancing overall computation time and hardware area [52]. Li et al. also adopted the Booth encoding technique and further optimized the serial addition structure by reducing the critical path to a single adder and two multiplexers, thereby significantly reducing the computation time [53].

4.2. Barrett Modular Multiplication

The Barrett modular multiplication algorithm, as shown in Algorithm 9, utilizes quotient estimation techniques to convert division operations into multiplication and shift operations. However, this algorithm has unique constraints for the modulus and requires precomputation.

Algorithm 9. Barrett modular multiplication

Input: $A,B\in {\mathbb{Z}}_p,$$k=⌈{\log }_{2}p⌉,$$\mu =⌊4^k/p⌋$ Output: $C=(A\times B)\mathrm{mod}p$

1:     $T=A\times B$ 2:     $T_h=T/2^{k-1}$ 3:     $q=(T_h\times \mu )/2^{k+1}$ 4:     $r=T-q\times p$ 7:     if $r>2p$ then 8:         $C=r-2p$ 9:     else if $r>p$ then 10:       $C=r-p$ 11:   else $C=r$ 12:   end if return $C$

In recent years, researchers have utilized modulus subsets optimization, multiplication decomposition, and full-width pipelined multiplication techniques to improve algorithmic performance. Dhem et al. further reduced the computational complexity of the Barrett modular multiplication algorithm by optimizing parameters, and most future research has been conducted on this foundation [54]. Hao et al. effectively applied the Toom–Cook algorithm to Barrett modular multiplication by adding redundant factors and modifying interpolation operations. In addition, they proposed a precomputation method to eliminate errors arising from redundant factors [55]. Yu et al. analyzed the Ed25519 algorithm of elliptic curve signature schemes and proposed a Barrett modular multiplication design scheme by reusing the 257-bit multiplier [56]. Agrawal et al. investigated the ECDSA algorithm of elliptic curve signature schemes, in which the modular multiplication unit first combined the Schoolbook algorithm and the Karatsuba algorithm to perform 258-bit integer multiplication, followed by the Barrett reduction algorithm [57]. Zhang et al. utilized C-S representation to optimize multiplication operations in each iteration and operation scheduling techniques to increase parallelism, thereby avoiding complex multiplication and large-bit-width addition operations in the Barrett modular multiplication algorithm [58]. Zhang et al. proposed an interleaved Barrett modular multiplication algorithm that leveraged compression and encoding techniques to replace multiplications and additions in each iteration, enhancing overall performance through parallel computation of quotient and intermediate results [59]. Zhang et al. designed a universal architecture for a Barrett modular multiplier, avoiding two cascaded large-bit-width multipliers employing binary expansion technology for encryption schemes based on residue number systems [60]. Zhang et al. applied the four-term Karatsuba algorithm to Barrett modular multiplication, reducing multiplication and addition operations on the critical path [61]. Compared with the Montgomery modular multiplication algorithm, the Barrett modular multiplication algorithm is more suitable for scenarios of fixed modulus [62,63]. For the modulus $3355037=2^{25}-2^{12}+1$ in Saber, Xu et al. utilized Barrett reduction in the NTT calculation, which converted the multiplication operation into a shift operation by controlling the input operand range and transforming the modulus [62]. Guo et al. proposed a mix-radix NTT algorithm for the modulus 3329 in Kyber [63]. The modular multiplication unit first reduced the bit-width of the product from 24-bit to 15-bit and then performed Barrett reduction.

4.3. Montgomery Modular Multiplication

The central principle of the Montgomery modular multiplication algorithm is to transform the modular operation into simple shift and addition operations by constructing a residue system of modulus. However, converting the original operands to the Montgomery domain incurs additional overhead.

In 1996, Koc et al. summarized various implementation methods of the Montgomery modular multiplication algorithm into five categories—Separated Operand Scanning (SOS), Finely Integrated Product Scanning (FIPS), Coarsely Integrated Operand Scanning (CIOS), Coarsely Integrated Hybrid Scanning (CIHS), and Finely Integrated Operand Scanning (FIOS)—with the CIOS and FIPS methods exhibiting superior performances [64]. Assuming the lengths of the input operands and modulus are $k$ bytes, the FIPS method requires $6k^2$ addition, $2k^2+k$ multiplication, and $2k+1$ storage operations, while the CIOS method requires $8k^2+4k$ addition, $2k^2+k$ multiplication, and $2k^2+3k$ storage operations. At present, most research focuses on these two implementation methods. Mrabet et al. designed a CIOS method with a systolic structure that reduced the number of modular multiplication cycles, suitable for RSA, ECC, and pairing-based cryptography [65]. Gallin et al. improved the CIOS method without final subtraction, leading to higher parallelism [66]. However, the hardware architecture was complex and failed to consider the number of pipelines for the digit multiplier. Botrel et al. optimized the CIOS method, reducing addition operations when the MSB of the modulus is 0 [67]. Buhrow et al. optimized the FIPS method to reduce the number of data loads and stores, achieving greater latency hiding by removing data dependency [68].

For the radix-2 Montgomery modular multiplication algorithm, Walter C D has proved that the final subtraction can be avoided [69]. Therefore, by zero-padding the highest bits of $X$ and $Y$, setting $R=2^l(l\ge n+2)$ with $l=n+2$, the final result can be constrained within the range of $[0,2N)$. In order to reduce the carry propagation delay, intermediate results are usually stored in C-S form. The radix-2 Montgomery modular multiplication algorithm is shown in Algorithm 10.

Algorithm 10. Radix-2 Montgomery modular multiplication

Input: $X={\displaystyle {\sum }_{i=0}^{n+1}{x}_i{2}^i},Y={\displaystyle {\sum }_{i=0}^{n+1}{y}_i{2}^i},0\le X,Y<2N,R=2^{n+2}$ Output: $Z=XY{2}^{-(n+2)}(\mathrm{mod}N)$

1:     $SS[0]=0;SC[0]=0$ 2:     for $i=0$ to $n+1$ do 3:         $q_i=(SS{[i]}_0+SC{[i]}_0+x_i{y}_0)\mathrm{mod}2$ 4:         $(SS[i+1],SC[i+1])=(SS[i]+SC[i]+x_{i}Y+q_{i}N)/2$ 5:     end for 6:     $Z=SS[n+2]+SC[n+2]$ return $Z$

Kuang et al. introduced the semi-carry-save (SCS) strategy into the radix-2 Montgomery modular multiplication algorithm, which reduced the critical path delay and clock cycles by improving the first-level CSA structure [70]. Coliban utilized fewer iterations to compute the radix-2 Montgomery modular multiplication while designing a three-input adder structure instead of two adders [71]. The method significantly improves the computation time, throughput, and maximum operating frequency. Abirami et al. proposed a radix-2 Montgomery modular multiplication algorithm for lightweight elliptic curve encryption systems [72]. The algorithm reduces loop iterations by precomputing an addition, avoiding unnecessary multiplication and subtraction operations.

In 1999, Tenca et al. proposed the multi-word radix-2 Montgomery modular multiplication algorithm and hardware implementation for the first time [73]. When the operand is $n$-bit, one Montgomery modular multiplication takes $2n$ cycles. The central principle of the word-based Montgomery modular multiplication algorithm involves segmenting the multiplier, multiplicand, and modulus into short integers for computation and subsequently concatenating these short integers. The algorithm mainly consists of two steps: the multiplicand $Y$ and the modulus $N$ are scanned word by word, and the multiplier $X$ is scanned bit by bit. Assuming $Z$, $Y$, and $N$ are split into $e$ words of $w$-bit, with $C$ as the carry, and ${Z_i}^{(k)}$ representing the $i$-th bit of the $k$-th word, the multi-word radix-2 Montgomery modular multiplication algorithm is shown in Algorithm 11.

Algorithm 11. Multi-word radix-2 Montgomery modular multiplication

Input: $X={\displaystyle {\sum }_{i=0}^{n-1}{x}_i{2}^i,Y={\displaystyle {\sum }_{j=0}^{e-1}{Y}^{(j)}{2}^{wj}}},N={\displaystyle {\sum }_{j=0}^{e-1}{N}^{(j)}{2}^{wj}}$     $0\le X,Y<N,R=2^n,e=⌈(n+1)/w⌉$ Output: $Z={\displaystyle {\sum }_{j=0}^{e-1}{Z}^{(j)}{2}^{wj}}=XY{R}^{-1}$,$0\le Z<2N$

1:     $Z=0$ 2:     for $i=0$ to $n-1$ do 3:           $q_i=(x_i{Y_0}^{(0)}+{Z_0}^{(0)})\mathrm{mod}2$ 4:         $(C,Z^{(0)})=x_i{Y_0}^{(0)}+q_i{N}^{(0)}+Z^{(0)}$ 5:         for $j=1$ to $e$ do 6:             $(C,Z^{(j)})=C+x_i{Y_0}^{(j)}+q_i{N}^{(j)}+Z^{(j)}$ 7:             $Z^{(j-1)}=({Z_0}^{(j)},Z_{w-\mathrm{1...1}}^{(j-1)})$ 8:             $Z^{(e)}=0$ 9:         end for 10:   end for return $Z$

Li et al. implemented a multi-word radix-2 Montgomery interleaved modular multiplication algorithm based on the pipelined structure by decomposing operands into small-bit-width words [74]. For NTT-friendly primes ($q=q_H\cdot 2^{{\log }_2(2n)}+1$), Mert et al. improved the word-based Montgomery modular multiplication algorithm to support various polynomial lengths and modulus bit-widths [75].

The high-radix Montgomery modular multiplication algorithm [76] can further reduce the complexity of the multi-word radix-2 Montgomery modular multiplication algorithm. Assuming the radix is $2^w$($w$ is the word length) and $R=2^{we}$, $N^{’}$ can be precomputed as $N^{’}={(-N)}^{-1}\mathrm{mod}{2}^w=(-{(N^{(0)})}^{-1})\mathrm{mod}2$. The high-radix Montgomery modular multiplication algorithm is shown in Algorithm 12.

Algorithm 12. High-radix Montgomery modular multiplication

Input: $X={\displaystyle {\sum }_{i=0}^{e-1}{X}^{(i)}{2}^{wi}},Y={\displaystyle {\sum }_{j=0}^{e-1}{Y}^{(j)}{2}^{wj}},N={\displaystyle {\sum }_{j=0}^{e-1}{N}^{(j)}{2}^{wj}}$     $0\le X,Y<2N,R=2^{we},e=⌈(n+1)/w⌉,n=⌊{{\log }_2}^N⌋+1$ Output: $Z={\displaystyle {\sum }_{j=0}^{e-1}{Z}^{(j)}{2}^{wj}}=XY{R}^{-1}$,$0\le Z<2N$

1:     $Z=0$ 2:     for $i=0$ to $e+1$ do 3:         $q_i=(Z^{(0)}+X^{(i)}{Y}^{(0)})N^{\prime }\mathrm{mod}{2}^w$ 4:         $(C,Z^{(0)})=X^{(i)}{Y}^{(0)}+q_i{N}^{(0)}+Z^{(0)}$ 5:         for $j=0$ to $e+1$ do 6:             $(C,Z^{(j)})=C+X^{(i)}{Y}^{(j)}+q_i{N}^{(j)}+Z^{(j)}$ 7:             $Z^{(j-1)}=Z^{(j)}$ 8:         end for 9:         $Z^{(e-1)}=C$ 10:   end for return $Z$

Due to the requirement of domain conversion in Montgomery modular multiplication, it is more suitable for numerous continuous modular multiplication applications, such as the RSA cryptosystem. Wu proposed a high-radix Montgomery modular multiplication algorithm with precomputation for the RSA cryptosystem [77]. Xiao et al. proposed a variable segmentation Montgomery modular multiplication algorithm, which can divide operands into segments of arbitrary bit-widths to match the given data width of DSPs [78]. Kolagatla et al. utilized lookup table techniques to compute the reduction part in high-radix Montgomery modular multiplication [79]. This method addresses the issue of the AT metric increasing with the radix for a given large modulus. Zhang et al. proposed a low-delay, high-radix, and scalable Montgomery modular multiplication algorithm, which simplified the multiplication operation in each iteration and employed Booth encoding to reduce the number of partial products [80]. Wu et al. proposed a Montgomery modular multiplication algorithm and structure with precomputation. By analyzing the relationship between the number of clock cycles of multiplication operation, the pipelined structure, and the number of multipliers, they maximized the utilization of multipliers and adders, significantly reducing the computation time [81]. Liu et al. employed the radix-$2^{32}$ Montgomery modular multiplication algorithm to design a modular multiplication unit that supported operand bit-widths of up to 544-bit [82]. Li et al. applied Redundant Binary Representation (RBR) to the Montgomery modular multiplication algorithm to eliminate the long carry propagation delay in multiplication calculations [83]. However, achieving an optimal balance between area and time becomes increasingly challenging as the input bit-widths increase. Zhang et al. proposed a Montgomery modular multiplication algorithm with parallel precomputation to reduce the area complexity when dealing with large input bit-widths [84].

In addition, researchers also apply the efficient multiplication algorithm to Montgomery modular multiplication. Zhang et al. applied the KO-3 algorithm to Montgomery modular multiplication and designed a 256-bit modular multiplier [85]. Gu et al. applied the division-free Toom–Cook-4 algorithm to Montgomery modular multiplication and designed 256-bit and 1024-bit modular multipliers [86]. Zhao et al. proposed a radix-2 Montgomery modular multiplication algorithm based on RSD, which improved the operation speed by reducing carry propagation and the number of addition rounds [87]. They further extended this approach to develop a high-performance radix-4 Montgomery algorithm, also leveraging RSD to eliminate long carry propagation delays [88]. To reduce idle cycles in critical computational units, Wang et al. designed a parallel and pipelined Montgomery multiplier that effectively shortens the critical path by employing carry-save adders and the Karatsuba algorithm [89].

4.4. Fast Modular Multiplication for Specific Prime Numbers

Barrett reduction and Montgomery reduction can perform modular reduction for any prime number, but specialized fast modular reduction algorithms can be designed for specific prime numbers to improve computational speed.

Marzouqi et al. introduced RSD encoding into the Karatsuba algorithm for the NIST curve $p_{256}$ and implemented an RSD-based ECC processor on FPGA for the first time [90]. Ding et al. combined the Karatsuba algorithm with a fast modular reduction algorithm for signed numbers. Furthermore, they employed a compact pipeline scheduling method to realize a reconfigurable ECC processor that supported elliptic curves over arbitrary prime fields [91]. In addition, Ding et al. combined the division-free Toom–Cook algorithm with a fast reduction algorithm. Furthermore, they introduced the NLP form to implement a high-speed ECC processor that supported primes recommended by NIST [92]. Park et al. proposed a fast modular multiplication algorithm for the NIST curve $p_{256}$. By introducing the Range-Shifted Representation (RSR), the reduction operation was integrated into the Karatsuba algorithm to optimize the intermediate results during the accumulation process, thereby reducing unnecessary memory accesses [93]. Hu et al. implemented an ECC processor that supported the NIST curve $p_{192}$, where the modular multiplication unit was completed using a divide-and-conquer Karatsuba multiplier, followed by fast modular reduction [94]. In addition, Hu et al. also proposed a two-stage fast modular reduction algorithm over the SCA-256 prime field, which reduced numerous repetitive addition and subtraction operations [95]. Liu et al. improved the operational scheduling of the Karatsuba algorithm and designed a fast reduction algorithm based on bit reorganization. Furthermore, they implemented a fast modular multiplier that supported secp256k1, secp256r1, and SCA-256 [96]. For specific moduli in Kyber, Zhang et al. designed a pipelined modular multiplier utilizing a fast lookup table. However, this structure required adjustments to the size of the lookup table and the division of the pipeline according to different moduli, limiting its flexibility [97]. Nguyen et al. employed low-complexity NTT and INTT to eliminate pre-processing and post-processing steps and proposed the Exact-KRED reduction algorithm to solve the resulting overflow [98]. For NTT-friendly primes, Hu et al. proposed a low-complexity fast modular multiplication algorithm suitable for modulus $q=2^{2N}-\delta (\delta \le 2^{⌊4N/3⌋})$ [99]. This algorithm expanded the range of available primes with low hardware overhead. Plantard proposed a modular multiplication algorithm for small moduli that reduced one multiplication operation compared to Barrett modular multiplication and Montgomery modular multiplication, suitable for scenarios involving constant multiplication [100]. Huang et al. analyzed the shortcomings of the original Plantard modular multiplication algorithm in lattice-based cryptographic schemes and proposed a signed Plantard modular multiplication algorithm [101]. This algorithm expanded the input range while narrowing the output range, facilitating lazy reduction. Subsequently, Huang et al. further expanded the input range and utilized memory optimization techniques to accelerate Kyber on Cortex-M3 and RISC-V platforms [102]. The Plantard modular multiplication algorithm has demonstrated excellent performance on software platforms, but its hardware implementation still requires further research.

4.5. Comparative Analysis of Modular Multiplication

Based on the design of various modular multiplication algorithms, it can be observed that fewer hardware resources and higher processing speed are two conflicting parameters. Some research attempts to minimize hardware utilization, some focuses on reducing latency, and other strives to balance performance and area.

Table 3. Performance comparison of modular multipliers implemented on FPGAs.

Reference	Year	Algorithm	Platform	Bit-Width	Clock Cycles	Frequency (MHz)	Area (SLICEs/LUTs/DSPs)			Time (µs)	AT (SLICEs × ms/LUTs × ms)		Throughput (Mbps)
[47]	2017	Radix-2 IMM	Kintex-7	224	225	130.49	365	-	-	1.71	0.63	-	130.99
				256	257	135.89	397	-	-	1.88	0.76	-	136.17
[48]	2020	Radix-2 IMM	Virtex-7	192	193	207.1	386	1151	-	0.93	0.36	1.07	206.0
				224	225	190.7	490	1409	-	1.18	0.58	1.66	189.9
				256	257	177.3	514	1491	-	1.45	0.75	2.16	176.6
				384	385	137.6	820	2355	-	2.80	2.30	6.59	137.2
				521	522	111.2	975	2496	-	4.69	4.57	11.71	111.0
[53]	2024	Radix-4 Booth-IMM	Virtex-7	192	97	238	586	1367	-	0.41	0.24	0.56	471
				256	129	210	741	2292	-	0.62	0.46	1.42	417
				384	193	168	1071	2527	-	1.15	1.23	2.91	334
				521	261	142	1268	2986	-	1.84	2.33	5.50	284
[59]	2024	Radix-$2^8$ BMM	Virtex-7	256	41	-	-	6459	-	0.13	-	0.84	80,757
				1024	137	-	-	25,034	-	0.50	-	12.52	279,019
[61]	2024	Karatsuba-BMM	Virtex-7	32	7	-	-	3862	-	0.023	-	0.09	9726
				64	8	-	-	10,032	-	0.027	-	0.28	18,659
[71]	2022	Radix-2 MMM	Virtex-7	192	-	310.0	-	717	-	0.62	-	0.45	308.47
				224	-	284.17	-	835	-	0.79	-	0.66	282.9
				256	-	271.29	-	955	-	0.94	-	0.90	270.24
				384	-	253.35	-	1499	-	1.51	-	2.26	252.69
				521	-	238.6	-	2414	-	2.18	-	5.26	238.14
[78]	2022	Radix-$2^{52}$ MMM	UltraScale-XCKU115	256	47	285.7	-	1223	39	0.17	-	0.20	24,899.7
				512	168	285.7	-	2348	71	0.59	-	1.38	13,931.9
				1024	345	285.7	-	4209	131	1.21	-	5.08	13,562.9
[81]	2022	Radix-$2^5$ MMM	Virtex-7	256	-	345	-	2900	-	0.32	-	0.93	802
				512	-	299	-	3700	-	1.04	-	3.84	494
		Radix-$2^6$ MMM		256	-	290	-	5500	-	0.21	-	1.18	1196
				512	-	290	-	9500	-	0.45	-	4.26	1143
[89]	2025	PPMMM	Virtex-7	256	28	228	-	2800	32	0.12	-	0.34	2098.36
				384	28	187	-	5164	48	0.15	-	0.77	2565.13
				512	28	147	-	5302	128	0.19	-	1.01	2688.09

IMM—interleaved modular multiplication; BMM—Barrett modular multiplication; MMM—Montgomery modular multiplication; PP—parallel and pipelined.

presents a performance comparison of several modular multipliers implemented on Field-Programmable Gate Arrays (FPGAs). Specifically, Refs. [47,48,53] all utilized interleaved modular multiplication. At the same time, Ref. [47] implemented a compact modular multiplier for ECC processors using Jacobian coordinates, while Ref. [48] focused on optimizing the trade-off between performance and area over five NIST prime fields for lightweight ECC. Ref. [53] adopts the radix-4 Booth encoding technique, achieving a balance between clock cycles and operating frequency. However, the area slightly increases due to architectural optimizations required to support reconfigurability for arbitrary prime fields and operand widths. Refs. [59,61] utilized Barrett modular multiplication. Ref. [59] employs novel compression and encoding techniques to optimize the critical path delay, demonstrating particularly superior performance in high-radix modular multiplication implementations. Ref. [61] implemented a high-throughput and low-area-efficiency Barrett modular multiplier, tailored to the bit-width requirements of fully homomorphic encryption systems. Refs. [71,78,81,89] all utilized Montgomery modular multiplication. Ref. [71] aimed to reduce computation time by optimizing the adder architecture and demonstrated that the proposed modular multiplication design achieved high performance over five NIST prime fields for ECC. Ref. [78] proposed a variable segmentation approach to design a high-throughput Montgomery modular multiplier for implementing RSA cryptosystems. Ref. [81] addressed the inefficiency of high-radix Montgomery modular multiplication in low-bit computations and achieved a high operating frequency by making full use of the multiplier. Ref. [89] presented an optimized modular multiplication implementation for 256-bit, 384-bit, and 512-bit operands. The design exhibits significant throughput improvements with increasing operand sizes, making it particularly suitable for security-sensitive applications.

In contrast,

Table 4. Performance comparison of modular multipliers implemented on ASICs.

Reference	Year	Algorithm	Technology	Bit-Width	Clock Cycles	Frequency (MHz)	Area	Time (ns)	AT
[47]	2017	Radix-2 IMM	65 nm	224	225	549.45	12.8 KGates	409	5.23 KGates × µs
				256	257	549.45	13.3 KGates	468	6.21 KGates × µs
[55]	2023	Toom–Cook-BMM	40 nm	256	-	613	64,877 µm2	57.05	3701 µm2 × µs
			65 nm	256	-	581	113,565 µm2	60.2	6836 µm2 × µs
			40 nm	1024	-	555	397,457 µm2	63	25,040 µm2 × µs
[83]	2021	RBR-MMM	65 nm	256	130	1000	21.5 KGates	130	2.80 KGates × µs
				1024	258	685	121.8 KGates	377	45.92 KGates × µs
				2048	514	654	224.8 KGates	786	176.70 KGates × µs
				8192	4098	870	568.7 KGates	4713	2680.29 KGates × µs
[84]	2022	RBR-MMM	65 nm	1024	114	617	222.4 KGates	185	41.09 KGates × µs
				2048	114	485	707.1 KGates	235	166.22 KGates × µs
				8192	788	428	1493.8 KGates	1842	2751.53 KGates × µs
[85]	2022	Karatsuba-MMM	65 nm	256	17	-	145,281 µm2	37.4	5430 µm2 × µs

provides a performance comparison of modular multipliers implemented on Application-Specific Integrated Circuits (ASICs). Ref. [55] applied Toom–Cook multiplication to Barrett modular multiplication, making it suitable for handling larger input bit-widths in ECC and RSA cryptographic systems. Refs. [83,84] utilized RBR-based Montgomery modular multiplication. Ref. [83] targeted a small area design, achieving smaller AT values at 256-bit and 8192-bit widths when the radix was 4 and at 1024-bit and 2048-bit widths when the radix was 16. Ref. [84] attained faster speed at the cost of hardware resources, achieving smaller AT values at a 1024-bit width when the radix was $2^{16}$ and at 2048-bit and 8192-bit widths when the radix was $2^{32}$. Ref. [85] applied multi-cycle Karatsuba multiplication to design a 256-bit pipeline Montgomery modular multiplier, achieving the computation in only 17 clock cycles.

Table 5. Comparative analysis of modular multiplication.

Modular Multiplication	Analysis
Blakley-based interleaved modular multiplication	Modular multiplication is transformed into a series of addition operations, but the low parallelism and large-bit-width addition operations result in a high path delay. This method is suitable for low-power scenarios.
Barrett modular multiplication	Modular multiplication is transformed into multiplication and shift operations, but estimation errors may result in multiple reduction operations to correct the results. This method is suitable for small-bit-width scenarios.
Montgomery modular multiplication	By utilizing residue systems, division can be converted into shift operations, but more resources are required to control the domain transformation. This method is suitable for large-bit-width scenarios.
Fast modular multiplication for specific prime numbers	Adopting a specially designed fast modular reduction algorithm results in high computational efficiency, but the hardware structure lacks generality. This method is suitable for specific modulus scenarios.

compares and analyzes four modular multiplication algorithms in public-key cryptosystems.

5. Conclusions

Public-key cryptographic algorithms involve large-bit-width operations, such as modular multiplication, modular exponentiation, and modular inverse. Due to their high computational complexity, large resource consumption, and long processing time, these operations have become the key designs. Since modular exponentiation and modular inversion operations are typically implemented via multiple modular multiplication operations, the efficient implementation of modular multiplication algorithms is crucial for improving the performance of cryptographic algorithms. This paper first provides a comprehensive review and analysis of multiplication algorithms in public-key cryptosystems and the encoding methods used to optimize multiplication algorithms. Subsequently, the modular reduction algorithms for general moduli and fast modular reduction algorithms for specific prime numbers in public-key cryptosystems are summarized and analyzed. Finally, four types of modular multiplication algorithms are summarized: the Blakley-based interleaved modular multiplication algorithm, the Barrett modular multiplication algorithm employing the quotient estimation, the Montgomery modular multiplication algorithm based on residue number systems, and the fast modular multiplication algorithm for specific prime numbers. A comprehensive review is conducted from the perspectives of algorithm principles, improved forms, hardware implementations, and application scenarios. Additionally, this paper summarizes the design difficulties of the algorithms above and provides a comparative analysis of their advantages and disadvantages, providing a reference for further research of the modular multiplication algorithm over prime fields for public-key cryptosystems.

Future research on modular multiplication algorithms in public-key cryptosystems should focus on the following areas: (1) With increasing security requirements, designing modular multipliers that support larger bit-widths will be critical to meeting the performance demands of next-generation cryptographic schemes. (2) Although current optimization techniques have improved the efficiency of modular multiplication, they still fall short in addressing idle cycles in the multiplier core caused by data dependencies. Future work should focus on optimizing data scheduling and dynamic resource allocation. (3) Future research should focus on the efficient application of high-radix Booth encoding and RSD representation techniques to reduce carry propagation delay without significantly increasing hardware complexity. (4) Most current research has focused on the efficient implementation of modular multiplication algorithms. Future work should explore power-efficient and high-throughput modular multiplication designs. (5) Future research should focus on the design optimization of NTT computation modules in post-quantum cryptographic algorithms. The study of modular multiplication units should emphasize efficient modular reduction techniques for moduli with specific prime structures, as well as the development of reconfigurable multiplication schemes, such as the combination of Barrett and Plantard modular multiplication algorithms. (6) Future research should continue to address side-channel attacks and defenses, with a particular focus on developing lightweight protection schemes to ensure the security of cryptographic algorithms.