Small Montgomery Reduction Algorithm: SmallMont

One problem of the FastBConv (i.e., the fast base conversion) operation is that it creates a non-negligible noise. Specifically, suppose we use FastBConv to convert the base of

x \in ℤ_{q}

(where

q = q_{1} \cdot q_{2} \cdot \dots \cdot q_{k}

moduli) into

c = x + 𝑢𝑞 mod b

(where

b = b_{1} \cdot b_{2} \cdot \dots \cdot b_{l}

moduli), where integer

| u | \leq \frac{k}{2} + 1

. Then, the noise generated by this conversion is between

- (\frac{k}{2} + 1) \cdot q mod b

and

(\frac{k}{2} + 1) \cdot q mod b

. To reduce this noise, we will explain the small Montgomery algorithm (SmallMont) which reduces the noise generated by fast base conversion from

𝑢𝑞

u^{'} q

, such that

u^{'} \in {- 1, 0, 1}

. The small Montgomery algorithm is designed as follows:

$⟨$ Summary D-5.7 $⟩$ Fast Modulo Reduction: SmallMont

Input: $c = (c_{1}, c_{2}, \dots, c_{l}, c_{l + 1}) \in ℤ_{b_{1}} \times ℤ_{b_{2}} \times \dots \times ℤ_{b_{l}} \times ℤ_{b_{α}}$ # $b_{α}$ is a prime and co-prime to $b$ , where $b = \prod_{i = 1}^{l} b_{i}$

, where $c = 𝖥𝖺𝗌𝗍𝖡𝖢𝗈𝗇𝗏 (| b_{α} \cdot x |_{q}, q, b b_{α}) = | b_{α} \cdot x |_{q} + 𝑢𝑞$ # where $x \in ℤ_{q}$ and integer $| u | \leq \frac{k}{2} + 1$

Main Steps

$𝖲𝗆𝖺𝗅𝗅𝖬𝗈𝗇𝗍 (c, b b_{α}, b_{α}, q) :$

1.: $c^{'} = | c \cdot q^{- 1} |_{b_{α}}$
2.: For each $i \in [1, l]$ , compute $r_{i} = | (c_{b_{i}} - | q |_{b_{i}} \cdot c^{'}) \cdot b_{α}^{- 1} |_{b_{i}}$

Output: $r = (\overset{l}{\overset{︷}{r_{1}, r_{2}, \dots, r_{l}}}) \in \overset{l}{\overset{︷}{ℤ_{b_{1}} \times ℤ_{b_{2}} \times \dots \times ℤ_{b_{l}}}}$ # without $r_{α} \in ℤ_{b_{α}}$

The output satisfies the relation: $r = x + u^{'} q mod b$ (where $u^{'} \in {- 1, 0, 1}$ )

Proof.

1.

Given

c^{'} = | c \cdot q^{- 1} |_{b_{α}}

, notice that

c - q \cdot c^{'}

is exactly divisible by

b_{α}

as shown below:

$c - q \cdot c^{'} mod b_{α}$

$= c - q \cdot | c \cdot q^{- 1} |_{b_{α}} mod b_{α}$ # substituting $c^{'} = | c \cdot q^{- 1} |_{b_{α}}$

$= c - c mod b_{α}$ # by canceling out $| q |_{b_{α}}$ and $| q |_{b_{α}}^{- 1}$

$= 0 mod b_{α}$

Since $c - q \cdot c^{'} = 0 mod b_{α}$ , this implies that $c - q \cdot c^{'}$ is a multiple of $b_{α}$ (i.e., $c - q \cdot c^{'}$ is exactly divisible by $b_{α}$ ). This also implies that $\frac{c - q \cdot c^{'}}{b_{α}}$ is an integer.

2.

Given

c = | b_{α} \cdot x |_{q} + 𝑢𝑞 mod b

and

c^{'} = | c \cdot q^{- 1} |_{b_{α}}

, we can express

\frac{c - q \cdot c^{'}}{b_{α}} mod b

as follows:

${| \frac{c - q \cdot c^{'}}{b_{α}} |}_{b}$

$= {| \frac{c - q \cdot | c \cdot q^{- 1} |_{b_{α}}}{b_{α}} |}_{b}$ # by substituting $c^{'} = | c \cdot q^{- 1} |_{b_{α}}$

$= {| \frac{| b_{α} \cdot x |_{q} + 𝑢𝑞 - q \cdot | | | b_{α} \cdot x |_{q} + 𝑢𝑞 |_{b} \cdot q^{- 1} |_{b_{α}}}{b_{α}} |}_{b}$ # by substituting $c = | | b_{α} \cdot x |_{q} + 𝑢𝑞 |_{b}$

$= | \frac{b_{α} \cdot x + 𝑣𝑞 + 𝑢𝑞 - q \cdot | | b_{α} \cdot x + 𝑣𝑞 + 𝑢𝑞 |_{b} \cdot q^{- 1} |_{b_{α}}}{b_{α}} |_{b}$ # by rewriting $| b_{α} \cdot x |_{q}$ as $b_{α} \cdot x + 𝑣𝑞$ (where $v$ is some integer representing the $q$ -overflows of $b_{α} \cdot x$ )

$= | x + \frac{𝑣𝑞 + 𝑢𝑞 - q \cdot | | b_{α} \cdot x + 𝑣𝑞 + 𝑢𝑞 |_{b} \cdot q^{- 1} |_{b_{α}}}{b_{α}} |_{b}$ # since $x = \frac{b_{α} \cdot x}{b_{α}}$

$= | x + q \cdot \frac{v + u - | | b_{α} \cdot x + 𝑣𝑞 + 𝑢𝑞 |_{b} \cdot q^{- 1} |_{b_{α}}}{b_{α}} |_{b}$ # taking out the common multiple $q$

The above computation result is guaranteed to be an integer (as we proved in the proof step 1). And $q$ and $b_{α}$ are co-prime (by the input definition). This leads to the conclusion that

$\frac{v + u - | | b_{α} \cdot + 𝑣𝑞 + 𝑢𝑞 |_{b} \cdot q^{- 1} |_{b_{α}}}{b_{α}}$ is guaranteed to be an integer. Therefore, if we choose $b_{α}$ (i.e., a prime and co-prime to both $q$ and $b$ ) as a sufficiently large value, then $\frac{v + u - | | b_{α} \cdot x + 𝑣𝑞 + 𝑢𝑞 |_{b} \cdot q^{- 1} |_{b_{α}}}{b_{α}}$ will converge to ${- 1, 0, 1}$ . This is because as $b_{α}$ increases: (1) $v$ grows slower than $b_{α}$ (since $| b_{α} \cdot x |_{q} = b_{α} \cdot x + 𝑣𝑞$ ); (2) the magnitude of $u$ stays smaller than $\frac{k}{2} + 1$ (as integer $| u | \leq \frac{k}{2} + 1$ ); and (3) $| | b_{α} \cdot x + 𝑣𝑞 + 𝑢𝑞 |_{b} \cdot q^{- 1} |_{b_{α}}$ is guaranteed to be an integer between $[- \frac{b_{α} + 1}{2}, \frac{b_{α}}{2} - 1]$ . In conclusion, if $b_{α}$ is sufficiently large, then we get the following relation:

${| \frac{c - q \cdot c^{'}}{b_{α}} |}_{b} = x + u^{'} q mod b$ # where $u^{'} \in {- 1, 0, 1}$

Also, the following is true:

$\frac{c - q \cdot c^{'}}{b_{α}} mod b = (c - q \cdot c^{'}) \cdot b_{α}^{- 1} mod b$ # because $b_{α}$ divides $c - q \cdot c^{'}$ and $b_{α}$ is co-prime to $b$

3.

It is possible to express the final output

x + u^{'} q mod b

as an RNS vector with the residues of the base moduli

(b_{1}, \dots, b_{l})

. For this, we convert

(c - q \cdot c^{'}) \cdot b_{α}^{- 1}

into the RNS vector

(r_{1}, r_{2}, \dots, r_{l}) \in ℤ_{b_{1}} \times ℤ_{b_{2}} \times \dots \times ℤ_{b_{l}}

by computing the following for each

i \in [1, l]

$r_{i} = | (c - q \cdot c^{'}) \cdot b_{α}^{- 1} |_{b_{i}}$

$= | (c_{b_{i}} - | q |_{b_{i}} \cdot c^{'}) \cdot b_{α}^{- 1} |_{b_{i}}$

□

D-5.7.1 Improving FastBConv by Using SmallMont

Notice that by using SmallMont in Summary D-5.7, the accuracy of the raw output of

𝖥𝖺𝗌𝗍𝖡𝖢𝗈𝗇𝗏 (x, q, b) = | x + 𝑢𝑞 |_{b}

(where integer

| u | \leq \frac{k}{2} + 1

) is improved to

| x + u^{'} q |_{b}

(where

u^{'} \in {- 1, 0, 1}

) as follows:

𝖲𝗆𝖺𝗅𝗅𝖬𝗈𝗇𝗍 (𝖥𝖺𝗌𝗍𝖡𝖢𝗈𝗇𝗏 (| b_{α} \cdot x |_{q}, q, b b_{α}), b b_{α}, b_{α}, q)

𝖲𝗆𝖺𝗅𝗅𝖬𝗈𝗇𝗍 (| | b_{α} \cdot x |_{q} + 𝑢𝑞 |_{b b_{α}}, b b_{α}, b_{α}, q)

D-5.7 Small Montgomery Reduction Algorithm: SmallMont

D-5.7.1 Improving FastBConv by Using SmallMont