Efficient Large-Width Montgomery Modular Multiplier Design Based on Toom–Cook-5

Abstract

Toom–Cook-n multiplication is an efficient large-width multiplication algorithm based on a divide-and-conquer strategy, widely used in modular multiplication operations for cryptographic algorithms. Theoretically, as the degree n increases, Toom–Cook-n can split the multiplicands into more sub-terms to further enhance the performance of the multiplier. However, constrained by the computational burden brought by the growing size of the interpolation matrix as the degree increases, current research predominantly focuses on Toom–Cook-4 and Toom–Cook-3. This paper proposes a Montgomery modular multiplication design based on Toom–Cook-5, which alleviates the computational difficulty of the interpolation step by introducing an interpolation matrix pre-simplification strategy. Additionally, the design incorporates and optimizes carry–save adder and Karatsuba multiplication, enabling Toom–Cook-5 multiplication to be applied in practical and efficient hardware implementation. This paper presents the ASIC implementation results of the hardware architecture under a 90nm process, demonstrating superior performance compared to previous works.

1. Introduction

1.1. Background

In the field of cryptography, increasing security demands have led to larger key lengths in systems such as RSA and ECC [1,2]. For both of RSA and ECC over prime fields, up to 80% of the calculation latency arises from modular multiplication [3,4]. As a result, the design and optimization of large-width modular multipliers, particularly the underlying multiplier component, are critical for efficient hardware implementations of ECC and RSA in prime field systems [5]. The conventional Karatsuba multiplication [6] exhibits a time complexity of $O\left(W^{{log}_{2}3}\right)$, where W denotes the bit-width of operands. Karatsuba multiplication achieves enhanced performance with large-width multiplication, albeit at the cost of increased resource utilization [7]. In the GNU Multiple Precision Arithmetic Library [8], Toom–Cook-n multiplication [9] is used as the successor of Karatsuba multiplication and then followed by the application of more complex FFT-based multiplication [10]. Toom–Cook-n multiplication, which inherits Karatsuba’s divide-and-conquer strategy, offers a lower time complexity of $O\left(W^{{log}_n\left(2n-1\right)}\right)$, where n represents the degree of Toom–Cook-n.

1.2. Related Work

Toom–Cook-n multiplication can flexibly decompose the multiplicands to enhance calculation efficiency [11,12]. However, it faces two critical challenges in hardware implementation. First, as the degree increases, the time complexity of Toom–Cook-n multiplication decreases further, but this simultaneously makes the interpolation operations more challenging. Striking a balance between these two factors to achieve improved performance in multiplication operations becomes a key concern [13]. In prior research [14,15,16], greater attention has been devoted to the hardware optimization of Toom–Cook-3 and Toom–Cook-4 algorithms. While this work effectively addressed multiplications below 512-bit, it still demonstrates limitations when dealing with multiplications of 1024-bit and above. Recent work [17,18] proposed several optimization strategies for interpolation operations in the Toom–Cook-4 multiplication, which alleviates the computational burden on hardware while also bringing about more cycles. Second, the result of Toom–Cook-n multiplication retains an odd factor of redundancy. Directly eliminating this redundancy through division is computationally prohibitive [19]. In article [20], a Toom–Cook-n multiplier specifically designed for the NIST prime field was proposed, which employs a non-least-positive (NLP) approach to replace precise division with right-shift operations. Building upon this, Gu [21] and Hao [22], respectively, introduced division-free Toom–Cook-n multipliers that combine Montgomery modular multiplication and Barrett modular multiplication, resulting in a modular multiplier suitable for arbitrary prime fields.

1.3. Motivation and Contribution

In the latest RSA standards, it is acknowledged that 1024-bit RSA is no longer considered secure, leading to a more widespread adoption of 2048-bit RSA [23,24]. Similarly, ECC requires a 521-bit key for encryption [25]. As the key lengths of cryptographic algorithms increase, the corresponding modular multipliers need to process operands with wider bit-widths. In RSA, modular exponentiation is achieved through repeated modular multiplications, while in ECC, point addition and scalar multiplication operations similarly rely on modular multiplication calculations. Therefore, the modular multiplication operation directly determines the performance of cryptographic algorithms and is the primary bottleneck in improving computational efficiency. Existing multipliers [26], such as Toom–Cook-4, Toom–Cook-3, or Karatsuba, generally employ a divide-and-conquer approach to transform large-width multiplication into several smaller-width multiplications to simplify the calculation. However, even methods like Toom–Cook-4, splitting the multiplicands into four parts, still face the challenge of 256-bit multiplications in the context of 1024-bit multiplication. While recursive splitting can be employed to further reduce the bit-width, it inevitably leads to a increase in calculation latency.

In this paper, the main contributions are as follows:

• This paper analyzes the complete workflow of the Toom–Cook-n multiplication and elaborates on the impact of increasing the degree n at each step.
• This paper proposes a pre-simplification approach to address the complexity of the interpolation matrix in Toom–Cook-5. It significantly reduces the computational burden of the interpolation step without incurring additional clock cycles.
• This paper optimizes the traditional carry–save adder (CSA) architecture by decoupling the compressors and full adders, effectively eliminating unnecessary resource overhead caused by redundant full adders and improving area efficiency.
• This paper designs a two-stage pipelined 3-level Karatsuba multiplication architecture to optimize the timing of the post-splitting multiplications.
• This paper improves the addition processing in the Montgomery modular multiplication by nearly halving the bit-width of the addition operations.

2. Notations and Preliminaries

2.1. Toom–Cook-n Multiplication

In a integer multiplication operation with bit-width W, each multiplicand can be split into n sub-terms, where the bit-width of each sub-terms is $w=\lceil {\displaystyle \frac{W}{n}}\rceil$. Here, n is the degree in the Toom–Cook-n algorithm.

The polynomial representations of the multiplicands A and B are given by

$$A\left(N\right)=\sum _{i=0}^{n-1}{a}_i{N}^i=a_{n-1}{N}^{(n-1)}+a_{n-2}{N}^{(n-2)}+\dots +a_0{N}^0$$

(1)

$$B\left(N\right)=\sum _{i=0}^{n-1}{b}_i{N}^i=b_{n-1}{N}^{(n-1)}+b_{n-2}{N}^{(n-2)}+\dots +b_0{N}^0$$

(2)

where $N=2^w$ is the base word and $a_i$ is the coefficient.

Clearly, the product C resulting from multiplying A and B can be represented as a polynomial $C\left(N\right)$ with coefficients $c_i$:

$$C\left(N\right)=A\left(N\right)·B\left(N\right)=\left(\sum _{i=0}^{n-1}{a}_i{N}^i\right)·\left(\sum _{i=0}^{n-1}{b}_i{N}^i\right)=\sum _{i=0}^{2n-2}{c}_i{N}^i.$$

(3)

It is evident that changing the base word N does not affect the coefficients. The essence of the Toom–Cook-n algorithm lies in obtaining $2n-1$ linearly independent equations by varying the base word and determining the coefficients of $C\left(N\right)$ through these equations.

The Toom–Cook-n multiplication can typically be divided into five calculation steps: Splitting, Evaluation, Multiplication, Interpolation, and Recomposition.

Splitting: Split the multiplicands into n coefficients, each of bit-width W.

Evaluation: Substitute $2n-1$ sets of base words to construct a system of linearly independent equations. The selection of these base words will influence the computational complexity in subsequent steps; therefore, it is advantageous to choose base words with minimal absolute values to facilitate the calculations. To achieve this objective, the original base word N is replaced with a two-dimensional base word set $(\mu ,\nu )$, which can yield a greater number of base words with minimal absolute values. The polynomial representation in this new base word is given by Equation (4).

$$A\left(\mu ,\nu \right)=\sum _{i=0}^{n-1}{a}_i{\mu }^i{\nu }^{n-i-1}$$

(4)

Multiplication: Multiply $A(\mu ,\nu )$ and $B(\mu ,\nu )$ after substituting $2n-1$ sets of base words to obtain the value of $C(\mu ,\nu )$ as Equation (5). Since the base word is minimal in absolute value, the bit-width of the multiplicand in this step is only slightly greater than $\lceil {\displaystyle \frac{W}{n}}\rceil$. In the case of Toom–Cook-5 with base word $(1,1)$, the bit-width of $A(1,1)$ is $\lceil {\displaystyle \frac{W}{5}}\rceil +3$, where $A\left(1,1\right)=a_0+a_1+a_2+a_3+a_4$. This step constitutes the most computationally intensive part of the Toom–Cook-n, as the multiplication operations in this step demand significantly more area and incur higher latency compared to the addition operations in other steps. Furthermore, as the degree of the Toom–Cook-n algorithm increases, the bit-width of the multiplicand in this step decreases. However, this reduction in bit-width leads to the need for more iterations to complete the additional multiplication operations.

$$\left[\begin{array}{c}C\left({\mu }_0,{\upsilon }_0\right)\hfill \\ C\left({\mu }_1,{\upsilon }_1\right)\hfill \\ ⋮\hfill \\ C\left({\mu }_{2n-2},{\upsilon }_{2n-2}\right)\hfill \end{array}\right]=\left[\begin{array}{c}A\left({\mu }_0,{\upsilon }_0\right)B\left({\mu }_0,{\upsilon }_0\right)\hfill \\ A\left({\mu }_1,{\upsilon }_1\right)B\left({\mu }_1,{\upsilon }_1\right)\hfill \\ ⋮\hfill \\ A\left({\mu }_{2n-2},{\upsilon }_{2n-2}\right)B\left({\mu }_{2n-2},{\upsilon }_{2n-2}\right)\hfill \end{array}\right]$$

(5)

Interpolation: Determine the coefficients $c_i$ from $2n-1$ sets of $C(\mu ,\nu )$ and the interpolation matrix $M_b$. In addition to the form shown in Equation (5), $C(\mu ,\nu )$ can also be expressed as a polynomial form based on Equation (3), as shown in Equation (6).

$$\left[\begin{array}{c}C\left({\mu }_0,{\upsilon }_0\right)\hfill \\ C\left({\mu }_1,{\upsilon }_1\right)\hfill \\ ⋮\hfill \\ C\left({\mu }_{2n-2},{\upsilon }_{2n-2}\right)\hfill \end{array}\right]=M_b\left[\begin{array}{c}{c}_0\hfill \\ c_1\hfill \\ ⋮\hfill \\ c_{2n-2}\hfill \end{array}\right]$$

(6)

where the interpolation matrix $M_b$ is given as

$$M_b=\left[\begin{array}{cccc}{\nu }_0^{2n-2}& {\mu }_0{\nu }_0^{2n-3}& \cdots & {\mu }_0^{2n-2}\\ {\nu }_1^{2n-2}& {\mu }_1{\nu }_1^{2n-3}& \cdots & {\mu }_1^{2n-2}\\ ⋮& ⋮& ⋮& ⋮\\ {\nu }_{2n-2}^{2n-2}& {\mu }_{2n-2}{\nu }_{2n-2}^{2n-3}& \cdots & {\mu }_{2n-2}^{2n-2}\end{array}\right]$$

(7)

Thus, the coefficient vector $\overrightarrow{C}={[c_0,c_1,\cdots ,c_{2n-2}]}^T$ can be obtained by left-multiplying the inverse of $M_b$ to the left-hand side of Equation (6). Since the $(\mu ,\nu )$ are selected in advance, the inverse matrix $M_b^{-1}$ can be precomputed and stored in hardware for computational use.

Recomposition: Recompose the multiplication result C of A and B, leveraging left-shift and addition operations after obtaining the coefficient vector $\overrightarrow{C}$.

2.2. Karatsuba Multiplication

The Karatsuba multiplication is an efficient method for multiplying high-width integers. Similar to the Toom–Cook-n, it accelerates multiplication by decomposing high-width operations into smaller ones combined with additions. Given two integers X and Y of bit-width W, they can be represented as

$$X=x_1·2^{⌈{\displaystyle \frac{W}{2}}⌉}+x_0$$

(8)

$$Y=y_1·2^{⌈{\displaystyle \frac{W}{2}}⌉}+y_0$$

(9)

where $x_1$, $y_1$, and $x_0$, $y_0$ represent the higher and lower halves of X and Y, respectively.

By expressing X and Y in this manner and following the derivation as shown in Equation (10), the multiplication of W-bit can first be transformed into four $⌈{\displaystyle \frac{W}{2}}⌉$-bit multiplications. Then, it can be further reduced to three $⌈{\displaystyle \frac{W}{2}}⌉$-bit multiplications, along with six extra addition operations [27].

$$\begin{array}{cc}\hfill X·Y& =x_1{y}_1·2^{2⌈{\displaystyle \frac{W}{2}}⌉}+(x_0{y}_1+x_1{y}_0)·2^{⌈{\displaystyle \frac{W}{2}}⌉}+x_0{y}_0\hfill \\ \hfill & =x_1{y}_1·2^{2⌈{\displaystyle \frac{W}{2}}⌉}+\left((x_1+x_0)·(y_1+y_0)-x_1{y}_1-x_0{y}_0\right)·2^{⌈{\displaystyle \frac{W}{2}}⌉}+x_0{y}_0\hfill \end{array}$$

(10)

When the bit-width of $\lceil {\displaystyle \frac{W}{2}}\rceil$ remains high, recursive decomposition of the operands can be performed [28]. Specifically, the $\lceil {\displaystyle \frac{W}{2}}\rceil$-bit multiplication can leverage the Karatsuba multiplication once more, further reducing the bit-width required for multiplication.

2.3. Montgomery Modular Multiplication

The fundamental principle of Montgomery modular multiplication [29] is the introduction of the “Montgomery domain”, where modular operations leverage right-shift in place of division, significantly enhancing the efficiency of modular multiplication. The Montgomery modular multiplication is presented as Algorithm 1.

Algorithm 1 Montgomery Modular Multiplication

Parameter: $N,R.R=2^r\ge 4N,gcd(R,N)=1$ Precompute: $N^{\prime }\equiv -N^{-1}modR$ Input: $0\le X,Y<2N$ Output: $Z\equiv XY{R}^{-1}modN$   1: $T=XY$   2: $s=(TmodR)·N^{\prime }$   3: $t=(smodR)·N$   4: $Z=(T+t)\gg r$ Return: Z.

In what follows, the Montgomery modular multiplication will be denoted as MMM, and a complete derivation of the modular multiplication operation will be provided.

In the context of computing $XYmodN$, X and Y are first transformed into the Montgomery domain through Montgomery modular multiplication, as described in Equations (11) and (12).

$$X^{\prime }=\mathrm{MMM}(X,R^2,N,R)\equiv XRmodN$$

(11)

$$Y^{\prime }=\mathrm{MMM}(Y,R^2,N,R)\equiv YRmodN$$

(12)

Montgomery modular multiplication is then performed on $X^{\prime }$ and $Y^{\prime }$, yielding the result as presented in Equation (13).

$$\mathrm{MMM}(X^{\prime },Y^{\prime },N,R)\equiv X^{\prime }{Y}^{\prime }RmodN\equiv XYRmodN$$

(13)

Finally, to obtain the correct modular multiplication result, the inverse transformation is applied to exit the Montgomery domain, as shown in Equation (14):

$$\mathrm{MMM}(XYRmodN,1,N,R)\equiv XYmodN.$$

(14)

2.4. Carry–Save Adder

In the hardware implementation of multi-operand addition, the operation is typically performed through a series of two-operand additions, where the result of adding the first two operands is subsequently added to the third operand, and so on. This approach leads to a long carry chain, and it is challenging to complete the entire calculation within one clock cycle when the bit-width of the operands or the number of operands increases. The carry–save adder [30] provides an effective solution to the multi-operand addition problem, where the fundamental unit is the 3:2 compressor and the full adder.

The 3:2 compressor processes three operands using a parallel bitwise operation to derive two outputs, namely, CARRY and SAVE, as shown in Equations (15) and (16).

$$SAVE=In0\oplus In1\oplus In2$$

(15)

$$CARRY=In0·In1+In0·In2+In1·In2$$

(16)

where ⊕, ·, and + denote the XOR, AND, and OR operations, respectively.

By stacking multiple 3:2 compressors, a multi-operand compressor with low latency can be constructed [31], and the 5:2 compressor is shown in Figure 1. By feeding the SAVE and CARRY outputs of the compressor into the full adder, the final result can be obtained. In this multi-operand adder design, the critical path consists of nine two-input AND gates, nine two-input OR gates, and one two-input full adder. In large bit-width operations, the calculation latency can approach that of one two-input full adder.

3. Proposed Algorithms and Methods

Compared to lower-degree Toom–Cook-n algorithms, the Toom–Cook-5 multiplication significantly reduces the operand width during the “Multiplication” step, thereby enabling the design to operate at higher clock frequencies. However, this reduction in operand width leads to an increased complexity in both the dimensionality and data handling of the interpolation matrix, resulting in greater demands on logic resources. In response to these challenges posed by the complex interpolation matrix in Toom–Cook-5, this paper optimizes at the algorithmic level by proposing a series of strategies such as interpolated matrix pre-simplification and partial result precomputation. Additionally, we apply the Toom–Cook-5 multiplication method to Montgomery modular multiplication to eliminate the odd redundancy. Furthermore, we derive and simplify the addition operations in Montgomery modular multiplication, effectively halving the operand bit-width.

Subsequently, we first present mathematical derivation of the proposed algorithm by taking 1024-bit Toom–Cook-5 multiplication as an example. Then, we provide a detailed explanation of the Montgomery modular multiplication based on Toom–Cook-5 multiplication.

3.1. Proposed Toom–Cook-5 Multiplication

First, we split the 1024-bit multiplicands into vectors $\overrightarrow{A}$ and $\overrightarrow{B}$, each composed of five coefficients with 205-bit multiplicands. The coefficients in $\overrightarrow{A}$ and $\overrightarrow{B}$ are all unsigned numbers.

$$\overrightarrow{A}={[a_0,a_1,a_2,a_3,a_4]}^T$$

(17)

$$\overrightarrow{B}={[b_0,b_1,b_2,b_3,b_4]}^T$$

(18)

Second, adhering to the principle of minimizing absolute values, the following nine sets of base words $(\mu ,\nu )$ are selected: (0, 1), (1, 1), (−1, 1), (2, 1), (−2, 1), (1, 2), (1, −2), (4, 1), (1, 0). Substituting these nine sets of base words into Equation (4), we can calculate nine sets of $A(\mu ,\nu )$ and $B(\mu ,\nu )$ through left-shift and addition operations in parallel; here, the addition operation is implemented through two five-input carry–save adder operations. The representations of $A(\mu ,\nu )$ and $B(\mu ,\nu )$ are identical except for the coefficients. Here, the representation of $A(\mu ,\nu )$ is given as Equation (19).

$$\begin{array}{cc}\hfill A(0,1)& =a_0,\hfill \\ \hfill A(1,1)& =a_0+a_1+a_2+a_3+a_4,\hfill \\ \hfill A(-1,1)& =a_0-a_1+a_2-a_3+a_4,\hfill \\ \hfill A(2,1)& =a_0+2a_1+4a_2+8a_3+16a_4,\hfill \\ \hfill A(-2,1)& =a_0-2a_1+4a_2-8a_3+16a_4,\hfill \\ \hfill A(1,2)& =16a_0+8a_1+4a_2+2a_3+a_4,\hfill \\ \hfill A(1,-2)& =16a_0-8a_1+4a_2-2a_3+a_4,\hfill \\ \hfill A(4,1)& =a_0+4a_1+16a_2+64a_3+256a_4,\hfill \\ \hfill A(1,0)& =a_4.\hfill \end{array}$$

(19)

Next, the corresponding values of $A(\mu ,\nu )$ and $B(\mu ,\nu )$ obtained from the previous step are multiplied to produce $C(\mu ,\nu )$. This multiplication is performed utilizing the Karatsuba multiplication to reduce latency.

Based on the selected $(\mu ,\nu )$, the interpolation matrix $M_b$ can be determined, as shown in the Equation (20).

$$M_b=\left[\begin{array}{ccccccccc}1& 0& 0& 0& 0& 0& 0& 0& 0\\ 1& 1& 1& 1& 1& 1& 1& 1& 1\\ 1& -1& 1& -1& 1& -1& 1& -1& 1\\ 1& 2& 4& 8& 16& 32& 64& 128& 256\\ 1& -2& 4& -8& 16& -32& 64& -128& 256\\ 256& 128& 64& 32& 16& 8& 4& 2& 1\\ 256& -128& 64& -32& 16& -8& 4& -2& 1\\ 1& 4& 16& 64& 256& 1024& 4096& 16384& 65536\\ 0& 0& 0& 0& 0& 0& 0& 0& 1\end{array}\right]$$

(20)

Substituting the interpolation matrix $M_b$ into Equation (6), it can be observed that $c_0=C({\mu }_0,{\nu }_0)$ and $c_8=C({\mu }_8,{\nu }_8)$. In other words, there is no need to solve for these two coefficients by creating linearly independent equations, nor do they need to be included in the subsequent interpolation calculations. This allows the 9 × 9 interpolation matrix to be simplified to a 7 × 7 matrix, as shown in Equation (21).

$$\left[\begin{array}{c}{C}_1\\ C_2\\ C_3\\ C_4\\ C_5\\ C_6\\ C_7\end{array}\right]=\left[\begin{array}{c}C({\mu }_1,v_1)-c_0-c_{2n-2}\\ C({\mu }_2,v_2)-c_0-c_{2n-2}\\ C({\mu }_3,v_3)-c_0-256c_{2n-2}\\ C({\mu }_4,v_4)-c_0-256c_{2n-2}\\ C({\mu }_5,v_5)-256c_0-c_{2n-2}\\ C({\mu }_6,v_6)-256c_0-c_{2n-2}\\ C({\mu }_7,v_7)-c_0-65536c_{2n-2}\end{array}\right]=M_{b(7\times 7)}\left[\begin{array}{c}{c}_1\\ c_2\\ c_3\\ c_4\\ c_5\\ c_6\\ c_7\end{array}\right]$$

(21)

This step is primarily designed to simplify the subsequent interpolation calculations. The calculation of ${[C_1,C_2,C_3,\cdots ,C_7]}^T$ reuses the five-input adder employed in the previous evolution step, eliminating any additional logic resource overheads. Moreover, introducing this pre-simplification step incurs only one extra computational cycle. This is because, in the original algorithm, the subsequent operations cannot proceed until all $C(\mu ,\nu )$ calculations are completed. By comparison, the pre-simplification begins after the completion of the first $C(\mu ,\nu )$ calculation and continues until the next cycle following the the last $C(\mu ,\nu )$ calculation. Following this, the succeeding steps can be undertaken by leveraging a simplified interpolation matrix. This pre-simplification process provides significant advantages for the implementation of interpolation calculations, both in terms of area and latency. Detailed explanations will be provided in the following discussion.

The coefficient vector $\overrightarrow{C}={[c_1,c_2,c_3,\cdots ,c_7]}^T$ is obtained by left-multiplying the inverse of simplified interpolation matrix $M_{b(7\times 7)}^{-1}$ by the vector $[C_1,C_2,C_3,\cdots ,C_7]$, as shown in Equation (22). Some elements in the original inverse matrix $M_{b(7\times 7)}^{-1}$ have denominators containing odd numbers, which are extremely challenging to implement in hardware for division. To address this, we first scale the entire inverse matrix by the greatest odd common divisor of all the denominators, which is 2835 for Toom–Cook-5. Specifically, we employ $2835M_{b(7\times 7)}^{-1}$ to replace the original inverse matrix for interpolation, which causes the computed coefficients $c_i$ to be scaled by a factor of 2835. Later, when applying the Toom–Cook-5 to the modular multiplication algorithm, this redundant odd common factor can be eliminated. As a consequence, the denominators of all elements in the matrix $2835M_{b(7\times 7)}^{-1}$ are transformed into the form $2^x$ and can be implemented through simple right-shift operations.

$$\overrightarrow{C}=\left[\begin{array}{c}{c}_1\hfill \\ c_2\hfill \\ c_3\hfill \\ c_4\hfill \\ c_5\hfill \\ c_6\hfill \\ c_7\hfill \end{array}\right]=M_{b\left(7\times 7\right)}^{-1}\left[\begin{array}{c}{C}_1\hfill \\ C_2\hfill \\ C_3\hfill \\ C_4\hfill \\ C_5\hfill \\ C_6\hfill \\ C_7\hfill \end{array}\right]$$

(22)

The interpolation process essentially involves calculating several dot products. Since the interpolation matrix is fixed, the calculation can be reduced to constant multiplication followed by summation. In our design, the dot product is accomplished by employing a shift-and-add method. Specifically, the term $840a_1$ is converted into $512a_1+256a_1+64a_1+8a_1$, and similar transformations are applied to the other terms, which are then summed together. This approach, while eliminating the need for multipliers, requires the construction of an adder with a large number of inputs.

The inverse of the interpolation matrix $2835M_b^{-1}$ is shown in Figure 2. The outer frame represents the original 9 × 9 inverse matrix, while the inner frame shows the simplified 7 × 7 inverse matrix. It can be observed that the first and ninth columns of the matrix contain plenty of large numbers. By simplifying the interpolation matrix, these large numbers are excluded from subsequent calculations, thus reducing their impact on the interpolation process. The term “large numbers” here does not refer to their numerical size but rather to the fact that their binary representations contain a significant quantity of “1s”. For example, the number 59,535 corresponds to the binary value “1110100010001111”, which contains nine “1s”. This implies that if a shift-and-add strategy is employed to handle constant multiplication involving this number, a nine-input adder would be required. Since the design employs a set of adders for serially calculate seven dot products, we need to design this set of adders based on the worst-case scenario, which involves the maximum number of addends. By reducing the number of addends required for the dot products through matrix pre-simplification, the consumption of logic resources can be directly minimized.

From the perspective of the columns, the simplified inverse matrix contains several partial results that can be reused. For example, if $P_1=840C_1$ is precomputed, then $630C_1$ can be calculated as $\left(\left(12P_1\right)\gg 4\right)$, $3780C_1$ can be computed as $\left(\left(9P_1\right)\gg 1\right)$, and $5355C_1$ can be derived as $\left(\left(51P_1\right)\gg 3\right)$. This method effectively reduces redundant computations, thereby improving the efficiency of the interpolation operation. All the methods for calculating the partial results are shown in Equation (23).

$$\begin{array}{cc}\hfill P_1& =8C_1+64C_1+256C_1+512C_1\hfill \\ \hfill P_2& =512C_2-8C_2\hfill \\ \hfill P_3& =64C_3-C_3\hfill \\ \hfill P_4& =C_4+4C_4+16C_4\hfill \\ \hfill P_5& =2C_5+16C_5\hfill \\ \hfill P_6& =2C_6+4C_6+8C_6\hfill \\ \hfill P_7& =C_7+4C_7+16C_7\hfill \end{array}$$

(23)

Following this, a set of adders is utilized to obtain the final coefficient vector $\overrightarrow{C}$. This set of adders is composed of a total of four carry–save adders. Among them, two five-input adders, called $Adde{r}_0$ and $Adde{r}_1$, are reused from the evolution step, and one four-input adder is reused from the partial result calculation, called $Adde{r}_2$. A additional four-input adder is newly constructed. This four-input $Adde{r}_2$ does not include full adder, so it will produce two outputs: carry and save.

The combination of the first three adders are utilized to process up to 14 addends, reducing them to 4 addends, which are then passed as inputs to a four-input $Adde{r}_3$ to produce the final result. This design maximizes the reuse of previously utilized resources, minimizing logic resource waste while allowing for partial results from the previous step to be directly used as inputs for the next step of the calculation. The calculation formulae for each coefficient $c_i$ are provided in Equation (24), and the hardware implementation scheme for the adders will be detailed in the subsequent sections.

$$\begin{array}{cc}\hfill 16\times 2835c_1& =-16P_1+16P_2+8P_3-8P_4+16P_5-16P_6-4C_7\hfill \\ \hfill 16\times 2835c_2& =-4P_1-8P_1-4P_2-16P_2+2P_3+2P_4+4P_4+4P_5+8P_5+16P_5\hfill \\ \hfill & +4P_6+32P_6\hfill \\ \hfill 16\times 2835c_3& =8P_1+64P_1-64P_2-P_3-8P_3-32P_3+P_4+2P_4+4P_4+32P_4\hfill \\ \hfill & -4P_5-8P_5-16P_5+4P_6+8P_6+P_7\hfill \\ \hfill 16\times 2835c_4& =P_1+2P_1+16P_1+32P_1+P_2+4P_2+16P_2+64P_2-2P_3-8P_3\hfill \\ \hfill & -2P_4-4P_4-8P_4-16P_4-P_5-2P_5-32P_5-8P_6-32P_6\hfill \\ \hfill 16\times 2835c_5& =-P_1-32P_1-P_2+P_3+4P_3+32P_3-P_4-2P_4-8P_4-16P_4+2P_5\hfill \\ \hfill & +4P_5+8P_5+2P_6+4P_6-P_7\hfill \\ \hfill 16\times 2835c_6& =-4P_1-8P_1-4P_2-16P_2+8P_3+8P_4+16P_4+P_5+2P_5+4P_5\hfill \\ \hfill & +P_6+8P_6\hfill \\ \hfill 16\times 2835c_7& =4P_1+4P_2-4P_3-4P_4-2P_5-2P_6+4C_7\hfill \end{array}$$

(24)

Ultimately, the nine obtained coefficients are combined through shift-and-add operation to calculate the result $16\times 2835c_i$. The factor of 16 is used to eliminate the $2^x$ form denominators in the inverse matrix. After summing, the result is right-shifted by 4 bits to obtain $2835c_i$. The coefficients $2835c_i$, derived through Toom–Cook-5 interpolation, are not exactly in the 205-bit form, so they cannot be directly obtained by simple concatenation. We will shift this set of coefficients and arrange them in sequence, summing the overlapping parts. The maximum possible bit width for this set of coefficients is 424 bits, and the derivation of this bit width will be provided in the hardware architecture section.

Let $c_i^{\prime }$ represent $2835c_i$. Each $c_i^{\prime }$ is divided into three parts: the most significant 14-bit part, the middle 205-bit part, and the least significant 205-bit part. These parts are referred to as $\mathrm{high}\left(c_i^{\prime }\right)$, $\mathrm{mid}\left(c_i^{\prime }\right)$, and $\mathrm{low}\left(c_i^{\prime }\right)$, respectively. The summation operation proceeds from the low to the high parts, as illustrated in Figure 3. All overlapping parts are summed to obtain the corresponding $r_i$, and the concatenation of 10 results $r_i$ is $2835C$. A special case occurs with $c_8^{\prime }$, which is divided into only two parts, and the bit-width of $r_9$ in the result refers to a 218-bit width, while all other $r_i$ results are 205-bit.

The entire algorithmic process of the Toom–Cook-5 multiplication and the associated optimizations have been fully derived through the discussion above. The complete pre-simplified interpolation matrix for the Toom–Cook-5 multiplication is presented in Algorithm 2.

Algorithm 2 Interpolation Matrix Pre-simplified Toom–Cook-5 Multiplication

Parameter: $({\mu }_0,{\nu }_0)$, $({\mu }_1,{\nu }_1)$, …, $({\mu }_8,{\nu }_8)$, $2835M_{b(7\times 7)}^{-1}$ Input:  $0\le A,B<2^W$ Output:  $R=2835AB$   1: ${[a_0,a_1,a_2,a_3,a_4]}^T=\overrightarrow{A},{[b_0,b_1,b_2,b_3,b_4]}^T=\overrightarrow{B}$   2: for $i=0$ to 8 do   3:    $A({\mu }_i,{\nu }_i)={\sum }_{j=0}^4{a}_j{\mu }_i^j{\nu }_i^{4-j}$, $B({\mu }_i,{\nu }_i)={\sum }_{j=0}^4{b}_j{\mu }_i^j{\nu }_i^{4-j}$   4:    $C({\mu }_i,{\nu }_i)=A({\mu }_i,{\nu }_i)B({\mu }_i,{\nu }_i)$   5: end for   6: for $i=1$ to 7 do   7:    $C_i=C({\mu }_i,{\nu }_i)-{\mu }_i^{8}C({\mu }_8,{\nu }_8)-{\nu }_i^{8}C({\mu }_0,{\nu }_0)$   8: end for   9: $2835\overrightarrow{C}=2835M_{b(7\times 7)}^{-1}·[C_1,C_2,\dots ,C_7]$   10: $R=C_0+C_8\ll 1640+{\sum }_{j=0}^6(2835\overrightarrow{C}\left(j\right)\ll 205(j+1))$ Return: R.

3.2. Montgomery Modular Multiplication Based on Toom–Cook-5

Following the Toom–Cook-5 multiplication introduced in the previous discussion, the result is magnified by a factor of 2835. Earlier works have proposed the application of Toom–Cook-n multiplication in Montgomery modular multiplication or Barrett modular multiplication [32], with specialized techniques aimed at eliminating this factor without the need for division operations. The algorithm for Montgomery modular multiplication based on Toom–Cook-n, proposed in [22], is described in Algorithm 3. In this context, $\gamma$ denotes the redundant coefficient under Toom–Cook-n, and $TCn$ represents the Toom–Cook-n multiplication.

The output of Montgomery modular multiplication carries a redundant factor of $R^{-1}$. In a complete modular multiplication process, multiple Montgomery modular multiplications are required to eliminate this redundancy. When the multiplication operations in Algorithm 1 are executed, employing a Toom–Cook-n multiplication as in Algorithm 3, the final output will be associated with an additional factor of ${\gamma }^3$. Next, the product of $R^{-1}$ and ${\gamma }^3$ is treated as the redundant coefficient. By performing four Montgomery modular multiplications, as described in Section 2.3, both $R^{-1}$ and ${\gamma }^3$ can be simultaneously eliminated, yielding the final correct modular multiplication result.

Algorithm 3 Montgomery Modular Multiplication based on Toom–Cook-n

Parameter: $N,R,\gamma .R=2^r,gcd(R,N)=1$ Precompute: $N^{\prime }\equiv -N^{-1}modR$ Input: $0\le X,Y<2\gamma N$ Output: $Z\equiv {\gamma }^{3}XY{R}^{-1}modN$   1: $T=TCn(X,Y)$   2: $s=TCn((TmodR),N^{\prime })$   3: $t=TCn\left(\right(smodR),N)$   4: $Z=({\gamma }^{2}T+t)\gg r$ Return: Z.

To enhance the efficiency of Montgomery modular multiplication, we propose an optimized addition algorithm to handle step 4 of Algorithm 3. The result of $({\gamma }^{2}T+t)$ undergoes a right-shift by r -bit, meaning its lower r-bit values are not relevant to the calculation. According to the derivation of the Montgomery modular multiplication, the lower r-bit values of $({\gamma }^{2}T+t)$ are guaranteed to be all zeros. Based on this precondition, we conclude that a carry into the $(r+1)$-th bit will occur in all cases except when the lower r bits of ${\gamma }^{2}T$ and t are both all zeros.

Therefore, we decompose step 4 in Algorithm 3 into two separate operations. First, we check whether the lower r-bits of ${\gamma }^{2}T$ and t are all zeros. If they are, it suffices to calculate the sum of their components above the r-th bit. Otherwise, we calculate the sum of their components above the r-th bit and add 1. Compared to wide-width addition operations, an all-zero detector can be implemented in hardware circuits using only a series of OR gates. The complete Montgomery modular multiplication based on Toom–Cook-5 is shown in Algorithm 4.

Algorithm 4 Montgomery Modular Multiplication based on Toom–Cook-5

Parameter: $N,R.R=2^r,gcd(R,N)=1$ Precompute: $N^{\prime }\equiv -N^{-1}modR$ Input: $0\le X,Y<5670N$ Output: $Z\equiv {2835}^{3}XY{R}^{-1}modN$   1: $T=TC5(X,Y)$   2: $s=TC5((TmodR),N^{\prime })$   3: $t=TC5\left(\right(smodR),N)$   4: if  ${2835}^{2}T[r-1:0]==0\mathbf{and}t[r-1:0]==0$  then   5:    $Z={2835}^{2}T[:r]+t[:r]$   6: else   7:    $Z={2835}^{2}T[:r]+t[:r]+1$   8: end if Return: Z.

4. Hardware Architecture of Toom–Cook-5

4.1. Overall Architecture

The ASIC architecture of the Montgomery modular multiplication based on Toom–Cook-5 is shown in Figure 4. The overall architecture consists of a control unit, parameter RAM, and an arithmetic logic unit (ALU). The parameter RAM stores various precomputed parameters required for the modular multiplication operation, while the ALU is responsible for executing the entire modular multiplication algorithm. The control unit invokes the ALU sub-modules and manages data interactions according to the algorithm’s steps. It also retrieves the parameters necessary for calculation from RAM, upplying them to the ALU.

4.2. Decoupled Carry–Save Adder Architecture

In the hardware implementation of Toom–Cook-5, multi-operand adders are widely utilized in evolution, interpolation, and recomposition steps. And in our design, all multi-operand adders are constructed employing carry–save adders composed of compressors and full adders. By strategically arranging the calculation steps, it is possible to avoid equipping every compressor with a dedicated full adder. Instead, a single full adder can be shared among several compressors. In practice, we decoupled the carry–save adder to achieve independent compressor group and full adders. In this way, the architecture can flexibly adapt its configuration based on calculation needs. Figure 5 presents two exemplar transformations: a 14-input adder and parallel 5-input and 9-input adders.

In the evolution step, two five-input adders equipped with full adders operate in parallel to calculate two sets of addition operations. During the pre-simplification step, the additions initiated in the evolution step continue, while an additional four-input adder is introduced to perform the associated calculation simultaneously. In the interpolation step, the five-input adder with full adders can be paired with a 5:2 compressor and a 4:2 compressor, serving as the first stage of the addition process. This configuration can handle up to 14 inputs and produce 5 outputs. These five outputs are then fed into a 5:2 compressor with full adders. Thus, the compressor group combined with the full adders constitutes a 14-input adder.

Considering the large bit-width of the addends and the requirement to produce addition results within a single cycle, the carry select adder is employed to optimize the full adder. The original addends are evenly divided into four parts based on their bit-width. The lowest part is directly added, while the higher three parts are computed in parallel to generate two possible results: one assuming a carry-in and the other without. After the parallel addition of all four parts, the carry-out from the lowest part determines the selection of the appropriate outputs for the higher parts, which are then concatenated to form the final result. The schematic diagram of the entire architecture is shown in Figure 6. This addition design significantly shortens the carry chain, ensuring low-latency calculation for the entire decoupled carry–save adder architecture.

4.3. 3-Level Karatsuba Multiplication Architecture

In accordance with the formula derivation of the Karatsuba multiplication described in Section 2.3, recursively partitioning the multiplicands X and Y can progressively reduce the bit-width of the lowest-level multiplication operation. In our design, a 3-level Karatsuba multiplication architecture is implemented to perform high-width multiplication. To perform the resultant five-input addition after each level of partitioning, carry–save adders are employed. Additionally, registers are inserted after the output of the lowest-level multipliers to implement a two-stage pipeline.

The complete three-level Karatsuba multiplication architecture is illustrated in Figure 7, where $x_i$ and $y_i$ represent the partitioned components of the operands X and Y. Specifically, $x_1$ denotes the upper half obtained by splitting X into two segments; $x_{11}$ represents the upper half of $x_1$ after further splitting it into two segments; and $x_{110}$ refers to the lower half obtained by further partitioning $x_{11}$. Based on latency analysis, the entire multiplication architecture is divided into a two-stage pipelined structure: the multiplication and addition operations at the lowest level constitute the first stage, while the addition operations at the second and third levels form the second stage. To balance the latency of the two pipeline stages, the $3:2$ compressor is employed to optimize the timing of the five-input addition at the lowest level, while other addition and multiplication operations are directly implemented using the corresponding DW IPs.

4.4. Bit Width Derivation and Division Optimization for Interpolation

In this section, we derive the required adder bit-width for interpolation and analyze the error-free replacement of $2^n$ division with right-shift operations in $M_b^{-1}$.

By expanding the initial expression of $C(\mu ,\nu )$ based on the polynomial multiplication of $A(\mu ,\nu )$, we obtain Equation (25). Since the choice of the base word does not affect the derivation, the base word is represented as N for simplicity. Multiplying the coefficients associated with the base word by $2835\times 16$, yielding the theoretical coefficients in the Toom–Cook-5 interpolation step. Among these, the potential maximum value arises from the coefficient of $N^4$, denoted as $c_4=a_0{b}_4+a_1{b}_3+a_2{b}_2+a_3{b}_1+a_4{b}_0$. We assume that the bit-width of multiplicands A and B is W, where $a_i$ and $b_i$ are unsigned integers with a bit-width of $⌊{\displaystyle \frac{W}{5}}⌋$. Consequently, the maximum bit-width of $2835c_i$ is determined to be $2⌊{\displaystyle \frac{W}{5}}⌋+18$ bits; this also determines the bit-width of adders used in the interpolation step. Here, $2⌊{\displaystyle \frac{W}{5}}⌋$ is the bit-width of $a_i{b}_i$; and 18 is the additional bit-width due to the sum of five $a_i{b}_i$ terms corresponding to the coefficient $c_4$ and multiplied by $2835\times 16$.

$$\begin{array}{cc}\hfill \sum _{i=0}^8{c}_i{N}^i& =\left(\sum _{i=0}^4{a}_i{N}^i\right)·\left(\sum _{j=0}^4{b}_i{N}^i\right)\hfill \\ \hfill & =a_0{b}_0{N}^0+(a_0{b}_1+a_1{b}_0)N^1+(a_0{b}_2+a_1{b}_1+a_2{b}_0)N^2\hfill \\ \hfill & +(a_0{b}_3+a_1{b}_2+a_2{b}_1+a_3{b}_0)N^3+\cdots +a_4{b}_4{N}^8\hfill \end{array}$$

(25)

In earlier works on the Toom–Cook-n interpolation implementations of hardware, each element’s numerator in the inverse matrix was initially multiplied by corresponding components from vector ${[C_1,C_2,C_3,\dots ,C_7]}^T$. Subsequently, the division by $2^x$ in the denominator of the inverse matrix was replaced by a simple right-shift operation. However, replacing $2^x$ division directly with right-shift requires that the least significant x-bit values are all zero to avoid computational errors. Clearly, the computation of $2835M_b^{-1}·{[C_1,C_2,C_3,\cdots ,C_7]}^T$ does not satisfy this condition.

We derived and proposed an error-free alternative division strategy. First, we select the largest $2^x$ factor of the denominators in each row of the inverse matrix; then, we multiply the corresponding row by this factor. After completing the interpolation step, the result is processed through right-shift appropriately to restore the original values. Next, we provide a formal proof demonstrating that replacing division with right-shift in this manner does not introduce any computational errors.

It is sufficient to prove that the coefficients $c_i$ obtained after the division operation are always integers, thereby demonstrating that replacing division with right-shift does not introduce errors. According to Equation (26), for any $\mu ,\nu \in \mathbb{Z}$, $C(\mu ,\nu )$ satisfies the polynomial form:

$$C\left(\mu ,\nu \right)=\sum _{j=0}^{n-1}{c}_i{\mu }^i{\nu }^{n-j-1}.$$

(26)

Assuming that there exists a coefficient $c_i$ that is not an integer, it would then be possible to identify a pair $(\mu ,\nu )$ such that $C(\mu ,\nu )$, calculated from Equation (26), results in a non-integer. However, according to Equation (3), $C(\mu ,\nu )$ is expressed as the product $A(\mu ,\nu )·B(\mu ,\nu )$, where $A(\mu ,\nu ),B(\mu ,\nu )\in \mathbb{Z}$. This creates a contradiction as the product of two integers must necessarily be an integer. Hence, the initial assumption is invalid, proving that $c_i\in \mathbb{Z}$. Accordingly, the proposed right-shift approach as a substitute for division is error-free.

5. Implementation Results and Comparison

In this section, we present a thorough analysis and discussion of the hardware implementation results for the Toom–Cook-5 multiplier. Initially, we establish evaluation metrics for the multiplier to provide an objective benchmark for assessing its performance characteristics. Following this, we conduct an extensive comparison between our empirical results from the hardware implementation and those reported in related works in recent years, thereby substantiating the advantages and advancements of our proposed design.

In the ASIC implementation of modular multipliers, the primary concerns are the area and latency metrics. Among these, the calculation of latency is expressed by the following equation:

$$T=Cycle\times T_{\mathrm{clk}}.$$

(27)

Furthermore, the area–time product (ATP) is commonly utilized as a performance metric to evaluate the trade-off between hardware resource consumption and latency.

$$ATP=Area\times T$$

(28)

We implemented the 1024-bit Montgomery modular multiplication architecture based on Toom–Cook-5 using the Design Compiler tool from Synopsys (Sunnyvale, CA, USA), targeting 90 nm process nodes.

Table 1. Comparison of implementation under 90 nm process.

Design	Process	Area ($\mathsf{\mu }{\mathbf{m}}^2$)	Frequency (MHz)	Time (ns)	Power (mW)	ATP
[33]	90 nm	749,076	179	4570.3	70.6	3423
[34]	90 nm	498,379	250	3520	-	1754
[35]	90 nm	992,500	392	291	-	288
[36]	90 nm	54,587	472	4680	-	257
[21]	90 nm	1,799,451	257	85.58	402.93	154
[22]	90 nm	1,012,576	277	126	392.47	127
ours	90 nm	515,148	413	274.8	379.35	142

shows the performance results of our design, together with some recent designs. All listed results are for modular multiplication implementations. Overall, the proposed design demonstrates significant advantages in the ATP metric among existing 1024-bit modular multipliers, only ranking behind the $127{\mathrm{kum}}^2\times \mu \mathrm{s}$ achieved by [22].

The first four designs in Table 1 focus primarily on optimizing the Montgomery modular multiplication algorithm without improvements to the multiplication operations. Specifically, refs. [33,34,36] adopt an iterative approach to execute operations bit by bit. While this approach effectively reduces the area, it significantly increases the number of cycles required, resulting in intolerable latency. The design [35] improves the redundant binary representation and implements customized solutions tailored to different bit-widths and application scenarios, achieving a balance between latency and area. However, as the design does not specifically optimize the multiplier but relies on an existing multi-cycle multiplier for calculation, it ultimately leads to an unfavorable ATP result.

The focus of [21,22] is similar to that of the design presented in this paper, namely, optimizing the performance of modular multiplication by implementing Toom–Cook-n multipliers. Design [21] employs highly parallelized multiplication operations, saving a substantial number of computation cycles to achieve optimal computational latency. However, this performance is achieved at the cost of reduced system frequency and increased area. In contrast, the design presented in this paper occupies only about one-third of the area used by the design in [21], while achieving a significantly higher system frequency. Ref. [22] demonstrates superior ATP performance utilizing Barrett modular multiplication, which inherently requires fewer multiplications than Montgomery modular multiplication. However, it shows relatively weaker performance in multi-operand modular multiplication, which is disadvantageous for the implementation of encryption algorithms [37]. In terms of power consumption, due to the adoption of a lightweight design in this work, the overall power consumption is lower than that of larger-area designs [21,22]. Therefore, the design proposed in this paper is more suitable for area-sensitive applications, such as embedded edge devices. It strikes an excellent trade-off between area and latency, with a strong emphasis on optimizing area performance.

Toom–Cook-5 serves as an intermediate solution between Toom–Cook-4 and FFT-based multiplication, exhibiting excellent performance for bit-widths ranging from 1024 bits to 4096 bits. Comprehensive results demonstrate that the proposed design achieves operating frequencies of 339 MHz and 268 MHz for 2048-bit and 4096-bit workloads, respectively, with further performance improvements achievable through additional decomposition of Karatsuba multiplication. In this context, Toom–Cook-4 performs poorly as its simpler computational logic and partitioning scheme are more suited to multiplication operations involving smaller bit-widths, such as around 256 bits. On the other hand, FFT-based multiplication is constrained by the substantial overhead associated with complex preprocessing and point value transformation operations, which demand excessive logical resources. It is only within the realm of handling integer multiplication involving numbers exceeding one million bits that its complexity advantage becomes evident [38].

Regarding the resistance to side-channel attacks, considerations are typically made at the cryptographic algorithm level. However, as the most complex and critical computational unit at the hardware level, the design of the modular multiplier has a significant impact on higher-level attack resistance schemes. The proposed modular multiplier features a constant computational delay that is not affected by input data, effectively resisting timing analysis attacks. Additionally, in practical applications of cryptographic algorithms such as ECC or RSA, the operands involved in modular multiplication during encryption are transformed into the Toom–Cook domain. This transformation obscures the influence of input data on power consumption, making it difficult for power analysis attacks to obtain sensitive information through power monitoring. Therefore, our multiplier design not only achieves efficient computation but also enhances resistance to side-channel attacks, providing a more secure hardware foundation for higher-level cryptographic systems.

6. Conclusions

This paper presents a Montgomery modular multiplication algorithm based on Toom–Cook-5, along with its hardware optimization strategies. At the algorithmic level, a pre-simplification operation is introduced for an interpolation matrix of -5, and the addition operations in Montgomery modular multiplication are optimized. At the hardware implementation level, the design focuses on customized enhancements of the underlying multi-operand adders and multipliers, achieving significant improvements in both area and timing performance. Compared to existing works, the proposed design demonstrates a notable enhancement in ATP and achieves substantial advantages in terms of area efficiency.