
I understand that when you are using RNS you need a co-prime moduli set, e.g. $\{m_1, m_2, m_3\}$, and the dynamic range is the product of each modulus in that set, $M = m_1 \cdot m_2 \cdot m_3$. Also it's advantageous to select modulus values that are generalized Mersenne numbers, so that operations in RNS are easier. And when you convert back out to an integer $X$ you use the Chinese Remainder Theorem, something like this: $|X|_M=\left|\sum_{i=1}^n |r_iM_i^{-1}|_{m_i}M_i\right|_M$ (http://www.ccs.asia.edu.tw/ezfiles/2/1002/img/370/1203-3.pdf)

But $M$ (the dynamic range) would not necessarily be the prime you want to reduce by (for example the prime field in ECC), and all the papers I read don't really explain this, so I'm not sure if it's something simple I'm missing or not?

For example, say I have $\{m_i\}=\{2,3,5\}$; this makes my $M=2\cdot3\cdot5=30$. So I start with value $X=7 = (1,1,2)$, do two squarings $(1,1,2)^2 = (1,1,4)$, $(1,1,4)^2 = (1,1,1)$, then convert out and I get $X=1$ (which is correct for $(7^2)^2 \bmod 30$), but what if I wanted to do repeated squaring modulo a prime (e.g. 23), is that possible?

bsdevlin
  • My limited understanding is that it is customary to convert from RNS to integer before results exceed $M$, then either A) compute the remainder and convert it back to RNS; B) compute the quotient, and perform the modular reduction in RNS. If there are other ways, I want to know! – fgrieu Sep 26 '19 at 10:19
  • @fgrieu In my archaic knowledge, for some residue systems, there is also division. However, one has to look for references. – kelalaka Sep 26 '19 at 11:01
  • @fgrieu As far as I understand, as long as you do the reduction mod each $m_i$ (which isn't hard as we use generalized Mersenne numbers), your result will stay within $M$, but if you actually want it to be mod $p$ (which you would for any ECC or RSA application) then you do have to do some extra work, like what they do here (sum of residues reduction): https://www.researchgate.net/publication/333468951_Improved_Sum_of_Residues_Modular_Multiplication_Algorithm. I was hoping there was a way around this, but unless someone corrects me I don't think there is? – bsdevlin Sep 26 '19 at 14:39
  • Definitely, when we want computation modulo $p$ and that $p$ is coprime with $M$, we cannot allow intermediary results to outgrow $M$ and ignore that issue. Some kind of extra work is required to prevent outgrowing $M$, and/or compensate for that. The only two methods that I'm familiar with are outlined in my previous comment. There are others. – fgrieu Sep 26 '19 at 15:30
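As an added example (not code from the question or the comments), the RNS arithmetic and CRT conversion described in the question, plus the "convert out, reduce mod $p$, convert back" step that fgrieu's comment calls method A. The moduli set $\{31, 32, 33\}$ is my own choice: for method A each squaring must fit in the dynamic range, i.e. $M > p^2$, which the question's $\{2,3,5\}$ does not satisfy for $p=23$.

```python
from math import prod

MODULI = (2, 3, 5)  # co-prime moduli set from the question, M = 30


def to_rns(x, moduli=MODULI):
    """Integer -> residue tuple (x mod m_i)."""
    return tuple(x % m for m in moduli)


def rns_mul(a, b, moduli=MODULI):
    """Channel-wise product; each channel is reduced by its own m_i only."""
    return tuple((ai * bi) % m for ai, bi, m in zip(a, b, moduli))


def from_rns(r, moduli=MODULI):
    """CRT: |X|_M = | sum_i |r_i * M_i^{-1}|_{m_i} * M_i |_M, with M_i = M / m_i."""
    M = prod(moduli)
    x = 0
    for ri, mi in zip(r, moduli):
        Mi = M // mi
        x += ((ri * pow(Mi, -1, mi)) % mi) * Mi
    return x % M


def square_mod_p_via_rns(x, p, times, moduli=MODULI):
    """Repeated squaring of x modulo p using RNS arithmetic (method A).

    The operand is always kept in [0, p), so its square is < p^2; the RNS
    result is therefore exact as long as M > p^2.  After each squaring we
    convert out with the CRT, reduce mod p as an integer, and convert back.
    """
    M = prod(moduli)
    if p * p >= M:  # squares would wrap around M and the CRT result would be wrong
        raise ValueError(f"need M > p^2: M={M}, p^2={p * p}")
    r = to_rns(x % p, moduli)
    for _ in range(times):
        r = rns_mul(r, r, moduli)                      # exact: value < p^2 < M
        r = to_rns(from_rns(r, moduli) % p, moduli)    # convert out, reduce, convert back
    return from_rns(r, moduli)


if __name__ == "__main__":
    # The question's walk-through: 7 -> (1,1,2) -> (1,1,4) -> (1,1,1) -> 1 (= 7^4 mod 30)
    r = to_rns(7)
    print(r, rns_mul(r, r), rns_mul(rns_mul(r, r), rns_mul(r, r)))
    # Squaring 7 twice modulo 23 needs a larger set: {2^5-1, 2^5, 2^5+1}, M = 32736 > 23^2
    print(square_mod_p_via_rns(7, 23, 2, (31, 32, 33)))  # 7^4 mod 23 = 9
```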
