Introduction to Modular

Arithmetic
Dr. Arunachalam V
Associate Professor, SENSE
 Introduction

• Objective is to compute efficiently modulo a given integer N.

• In most applications,the modulus N is fixed, and special-purpose algorithms
benefit from some precomputations, depending only on N, to speed up
arithmetic modulo N.
• Integer division and modular multiplication are closely related.
• In integer arithmetic algorithms where no (or only a few) precomputations
with respect to the modulus N are performed.
• But here we consider algorithms which benefit from such precomputations.
• Unless explicitly stated, we consider that the modulus N occupies n words in
the word-base . . ≤ < .
 Classical representation
• The classical representation stores a residue (class) a as an integer 0 ≤ < .
• Residues are thus always fully reduced, i.e., in canonical form.
• Another non-redundant form consists in choosing a symmetric representation,
say − /2 ≤ < /2.
• This form might save some reductions in additions or subtractions.
• Negative numbers might be stored either sign-magnitude representation or
with a 2’s complement representation.
• Since N takes n words in base , an alternative redundant representation
chooses 0 ≤ < to represent a residue class.
• An advantage of this representation is that, when adding two residues, it
suffices to compare their sum to in order to decide whether the sum has to
be reduced, and the result of this comparison is simply given by the carry bit of
the addition, instead of by comparing the sum with N.
• However, in the case that the sum has to be reduced, one or more further
comparisons are needed.
 Montgomery’s Form
• The main idea is to represent a residue a by = , where = ,
and N takes n words in base .
• Thus Montgomery is not concerned with the physical representation of a
residue class, but with the meaning associated to a given physical
representation.
• As a consequence, the different choices mentioned above for the physical
representation are all possible.
• Addition and subtraction are unchanged, but (modular) multiplication
translates to a different, much simpler, algorithm.
• In most applications using Montgomery’s form, all inputs are first converted to
Montgomery’s form, then all computations are performed in Montgomery’s
form, and finally all outputs are converted back to the classical form, using
= / .
• To ensure the existence of 1/R mod N, assume that (R,N) = 1, or ( ,N) = 1,
also is a power of two and N can be assumed to be odd.
 Residue Number System

• In a Residue Number System, a residue a is represented by a list of residues

, where the moduli are coprime and their product is N.
• The integers can be efficiently computed from a using a remainder tree, and
the unique integer 0 ≤ < = ∙ ∙ ∙ is computed from the by an
Explicit Chinese Remainder Theorem.
• The residue number system is interesting since addition and multiplication can
be performed in parallel on each small residue .
• This representation requires that N factors into convenient moduli , ,∙ ∙ ∙ ,
which is not always the case.
MSB vs LSB Algorithms
 Link with Polynomials

• A strong link exists between modular arithmetic and arithmetic on

polynomials.
• One way of implementing finite fields with = elements is to work
with polynomials in , which are reduced modulo a monic irreducible
polynomial ∈ of degree n.
• In this case modular reduction happens both at the coefficient level (in ) and
at the polynomial level (modulo ).
• Some algorithms work in the ring / , where N is a composite integer.
• An important case is the Sch ̈ nhage-Strassen multiplication algorithm, where
N has the form 2 + 1.
• In both domains and / , the Kronecker- Sch ̈ nhage trick can be
applied efficiently.
 Link with Polynomials

• In both domains and / , the Kronecker- Sch ̈ nhage trick can be

applied efficiently.
• Since the coefficients are known to be bounded, by p and N respectively, and
thus have a fixed size, the segmentation is quite efficient.
• If polynomials have degree d and coefficients are bounded by N, the product
coefficients are bounded by , and one obtains (
operations, instead of with the classical approach.
• Also, the implementation is simpler, because we only have to implement fast
arithmetic for large integers instead of fast arithmetic at both the polynomial
level and the coefficient level.
 Modular Addition

• Assuming that a and b are uniformly distributed in ∩ 0, − 1 , the

subtraction ← − is performed with probability 1 − 1/ /2.
• If we use instead a symmetric representation in [− /2, /2), the
probability that we need to add or subtract N drops to 1/4 + 1/
at the cost of an additional test.
• This extra test might be expensive for small N — say one or two words
— but should be relatively cheap if N is large enough, say at least ten
words.
 Reference
1. Chapter 2.1 and 2.2 of Richard P Brent and Paul Zimmerman, “Modern
Computer Arithmetic”, Cambridge University Press 2010.
Next Class

MODULAR MULTIPLICATION