Efficient Additions and Montgomery Reductions of Large Integers for SIMD

TL;DR

This paper introduces SIMD-optimized algorithms for large integer addition and Montgomery reduction, significantly improving the performance of post-quantum cryptography implementations on modern processors.

Contribution

A novel SIMD-friendly addition algorithm and precomputed Montgomery reduction techniques that outperform existing methods for large integers over 512 bits.

Findings

30% speed-up in CTIDH implementation

11% speed-up in CSIDH on AVX-512

7% speed-up for SIKEp503 on A64FX

Abstract

This paper presents efficient algorithms, designed to leverage SIMD for performing Montgomery reductions and additions on integers larger than 512 bits. The existing algorithms encounter inefficiencies when parallelized using SIMD due to extensive dependencies in both operations, particularly noticeable in costly operations like ARM's SVE. To mitigate this problem, a novel addition algorithm is introduced that simulates the addition of large integers using a smaller addition, quickly producing the same set of carries. These carries are then utilized to perform parallel additions on large integers. For Montgomery reductions, serial multiplications are replaced with precomputations that can be effectively calculated using SIMD extensions. Experimental evidence demonstrates that these proposed algorithms substantially enhance the performance of state-of-the-art implementations of several post-quantum cryptography algorithms. Notably, they deliver a 30% speed-up from the latest CTIDH implementation, an 11% speed-up from the latest CSIDH implementation in AVX-512 processors, and a 7% speed-up from Microsoft's standard PQCrypto-SIDH for SIKEp503 on A64FX.