On Polynomial Modular Number Systems over $\mathbb{Z}/p\mathbb{Z}$
Jean Claude Bajard, Jérémy Marrez, Thomas Plantard, Pascal Véron
TL;DR
This work broadens the parameterization of Polynomial Modular Number Systems (PMNS) beyond the classic $E(X)=X^n-\lambda$ by establishing a complete existence framework that ties the digit bound $\rho$ to the lattice's geometry, via the covering radius, for a generic reduction polynomial $E(X)$ with root $\gamma$ modulo $p$. It introduces practical strategies to minimize $\rho$ using short lattice bases and irreducible $E(X)$, and it enumerates rich classes of suitable polynomials (cyclic, quadrinomial/trinomial, binomial, Perron-type) with explicit irreducibility criteria and root-count behavior in $\mathbb{Z}/p\mathbb{Z}$. The paper then quantifies the number of PMNS possible for a given prime $p$ under various reduction polynomials, employing Cantor–Zassenhaus for the general case and illustrating the approach with concrete examples, including a large-scale 256-bit prime. Overall, the results provide a flexible toolkit to design efficient, carry-free PMNS for arbitrary moduli, with implications for secure and efficient modular arithmetic in cryptographic protocols and potential side-channel countermeasures.
Abstract
Since their introduction in 2004, Polynomial Modular Number Systems (PMNS) have become a very interesting tool for implementing cryptosystems relying on modular arithmetic in a secure and efficient way. However, while their implementation is simple, their parameterization is not trivial and relies on a suitable choice of the polynomial on which the PMNS operates. The initial proposals were based on particular binomials and trinomials. But these polynomials do not always provide systems with interesting characteristics such as small digits, fast reduction, etc. In this work, we study a larger family of polynomials that can be exploited to design a safe and efficient PMNS. To do so, we first state a complete existence theorem for PMNS which provides bounds on the size of the digits for a generic polynomial, significantly improving previous bounds. Then, we present classes of suitable polynomials which provide numerous PMNS for safe and efficient arithmetic.
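To make the objects named in the abstract concrete, the following is an added toy example (not code from the paper or its authors) of a PMNS built on the classic binomial $E(X)=X^n-\lambda$. All parameters are constructed for illustration: $p=17$, $n=3$, $\lambda=2$, whose root modulo $p$ is $\gamma=8$. The script finds the roots of $E$ in $\mathbb{Z}/p\mathbb{Z}$, determines the smallest digit bound $\rho$ by exhaustive search (the paper instead bounds $\rho$ through the covering radius of the lattice $\{V\in\mathbb{Z}^n : V(\gamma)\equiv 0 \bmod p\}$, which is what makes it usable for cryptographic sizes), and performs a multiplication with external reduction modulo $E(X)$ followed by an internal (coefficient) reduction that is here a plain table lookup, a stand-in for the lattice-based reduction a real PMNS would use.

```python
from itertools import product

# Constructed toy parameters (not taken from the paper): p = 17, n = 3,
# E(X) = X^3 - lam with lam = 2; its only root modulo p is gamma = 8.
P, N, LAM = 17, 3, 2


def roots_of_binomial(p, n, lam):
    """All gamma in Z/pZ with gamma^n = lam (mod p), i.e. roots of E(X) = X^n - lam."""
    return [g for g in range(p) if pow(g, n, p) == lam % p]


def eval_at_gamma(poly, gamma, p):
    """Integer represented by a digit vector (lowest degree first): poly(gamma) mod p."""
    return sum(c * pow(gamma, i, p) for i, c in enumerate(poly)) % p


def digit_table(p, n, gamma, rho):
    """One representative with |digit| < rho for every residue that has one."""
    table = {}
    for coeffs in product(range(-(rho - 1), rho), repeat=n):
        table.setdefault(eval_at_gamma(coeffs, gamma, p), list(coeffs))
    return table


def minimal_rho(p, n, gamma):
    """Smallest rho such that every residue mod p has an n-digit representation.
    Brute force for tiny p only; the paper bounds rho via the covering radius."""
    rho = 1
    while len(digit_table(p, n, gamma, rho)) < p:
        rho += 1
    return rho


def mul_mod_e(a, b, n, lam):
    """External reduction: a(X)*b(X) mod E(X) = X^n - lam, using X^k = lam*X^(k-n)."""
    prod = [0] * (2 * n - 1)
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            prod[i + j] += ai * bj
    for k in range(2 * n - 2, n - 1, -1):
        prod[k - n] += lam * prod[k]
        prod[k] = 0
    return prod[:n]


def pmns_mul(a, b, p, n, gamma, lam, table):
    """Multiply two PMNS elements. The internal reduction is a table lookup here,
    a toy stand-in for the lattice-based coefficient reduction of a real PMNS."""
    c = mul_mod_e(a, b, n, lam)          # digits may now exceed rho
    return table[eval_at_gamma(c, gamma, p)]  # same value, digits back below rho


if __name__ == "__main__":
    gamma = roots_of_binomial(P, N, LAM)[0]
    rho = minimal_rho(P, N, gamma)
    table = digit_table(P, N, gamma, rho)
    a, b = table[5], table[11]
    c = pmns_mul(a, b, P, N, gamma, LAM, table)
    print("gamma =", gamma, "rho =", rho)
    print(a, "*", b, "->", c, "=", eval_at_gamma(c, gamma, P))  # 5*11 mod 17 = 4
```

Since $\gcd(3, p-1)=\gcd(3,16)=1$, cubing is a bijection on $(\mathbb{Z}/17\mathbb{Z})^\*$ and $X^3-2$ has exactly one root, which is the kind of root-count behaviour the paper catalogues for its polynomial classes; for this toy system digits in $\{-1,0,1\}$ ($\rho=2$) miss two residues, so $\rho=3$ is the smallest workable bound.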
