Here’s a short note on the Montgomery reduction algorithm, which we explained in this audit report of p256. If you don’t know, this is an algorithm that is used to perform modular reductions in an efficient way. I invite you to read the explanations in the report, up until the section on word-by-word Montgomery reduction.

In this note, I wanted to offer a different explanation as to why most of the computation happens modulo $b$ instead of modulo $R$.

As a recap, we want to use $A$ (called $\overline{x}$ in the report’s explanations) in a base-$b$ decomposition so that in our implementation we can use limbs of size $b$:

Knowing that we can write the nominator part of $N/R$ as explained here as:

Grouping by $b^i$ terms we get the following terms:

but then why do algorithms compute $k_i=a_i{m}^{-1}\mathrm{mod}b$ at this point?

The trick is to notice that if a value is divisible by a power of 2, let’s say $2^l$, then it means that the first $l$ least-significant bits are 0.

As such, the value $A+k·m$ we are computing in the integers will have the first $n$ chunks sum to zero if it wants to be divisible by $R=b^n$ (where $b$ is a power of 2):

This means that:

• either $a_i+k_i·m=0$ (each term will separately be 0)
• or $a_i+k_i·m=b·\text{carry}$ (cancellation will occur with carries except for the last chunk that needs to be 0)

In both case, we can write: