Integer multiplication with generalized Fermat primes

Size: px

Start display at page:

Download "Integer multiplication with generalized Fermat primes"

Meagan Goodman
5 years ago
Views:

1 Integer multiplication with generalized Fermat primes CARAMEL Team, LORIA, University of Lorraine Supervised by: Emmanuel Thomé and Jérémie Detrey Journées nationales du Calcul Formel 2015 (Cluny) November 4, 2015

2 Summary 1 Fast Fourier Transform Naive multiplication Multiplying integer using polynomials FFT Schönhage-Strassen Some remarks 2 Fürer Factorization of FFT A new ring and a new cut 3 Using generalized Fermat primes Number-theoretic transform A Fürer-like number theoretic transform Comparison of complexities Integer multiplication with generalized Fermat primes November 4, / 23

3 Fast Fourier Transform 1 Fast Fourier Transform Naive multiplication Multiplying integer using polynomials FFT Schönhage-Strassen Some remarks 2 Fürer Factorization of FFT A new ring and a new cut 3 Using generalized Fermat primes Number-theoretic transform A Fürer-like number theoretic transform Comparison of complexities Integer multiplication with generalized Fermat primes November 4, / 23

4 Fast Fourier Transform Naive multiplication How to multiply two numbers a = (a 0 a N ) and b = (b 0 b N ) where a and b are given in binary representation? Integer multiplication with generalized Fermat primes November 4, / 23

5 Fast Fourier Transform Naive multiplication How to multiply two numbers a = (a 0 a N ) and b = (b 0 b N ) where a and b are given in binary representation? First idea: Sum all a i b using 2-shift. This method has a O(N 2 ) bit complexity. Integer multiplication with generalized Fermat primes November 4, / 23

6 Fast Fourier Transform Naive multiplication How to multiply two numbers a = (a 0 a N ) and b = (b 0 b N ) where a and b are given in binary representation? First idea: Sum all a i b using 2-shift. This method has a O(N 2 ) bit complexity. People believed long enough it was the best complexity we could reach (Kolmogorov). Karatsuba proved that it was wrong... Integer multiplication with generalized Fermat primes November 4, / 23

7 Fast Fourier Transform Multiplying integer using polynomials The fastest known algorithm is based on the evaluation-interpolation paradigm. Input: 2 numbers a and b of N bits. We decompose the input into 2 polynomials A = i a ix i and B = i b ix i (deg A = deg B = n, a i = b i = N/(2n) = k, and a i = b i = 0 for i > n). A(2 k ) =a k a a 2n 1 2 (2n 1)k = a B(2 k ) =b k b b 2n 1 2 (2n 1)k = b Integer multiplication with generalized Fermat primes November 4, / 23

8 Fast Fourier Transform Multiplying integer using polynomials The fastest known algorithm is based on the evaluation-interpolation paradigm. Input: 2 numbers a and b of N bits. We decompose the input into 2 polynomials A = i a ix i and B = i b ix i (deg A = deg B = n, a i = b i = N/(2n) = k, and a i = b i = 0 for i > n). A(2 k ) =a k a a 2n 1 2 (2n 1)k = a B(2 k ) =b k b b 2n 1 2 (2n 1)k = b We work in some ring R in which we have a 2n-th principal root of unity ω. Integer multiplication with generalized Fermat primes November 4, / 23

9 Fast Fourier Transform Multiplying integer using polynomials The fastest known algorithm is based on the evaluation-interpolation paradigm. Input: 2 numbers a and b of N bits. We decompose the input into 2 polynomials A = i a ix i and B = i b ix i (deg A = deg B = n, a i = b i = N/(2n) = k, and a i = b i = 0 for i > n). A(2 k ) =a k a a 2n 1 2 (2n 1)k = a B(2 k ) =b k b b 2n 1 2 (2n 1)k = b We work in some ring R in which we have a 2n-th principal root of unity ω. We compute the A(ω i ) and B(ω i ). Integer multiplication with generalized Fermat primes November 4, / 23

10 Fast Fourier Transform Multiplying integer using polynomials The fastest known algorithm is based on the evaluation-interpolation paradigm. Input: 2 numbers a and b of N bits. We decompose the input into 2 polynomials A = i a ix i and B = i b ix i (deg A = deg B = n, a i = b i = N/(2n) = k, and a i = b i = 0 for i > n). A(2 k ) =a k a a 2n 1 2 (2n 1)k = a B(2 k ) =b k b b 2n 1 2 (2n 1)k = b We work in some ring R in which we have a 2n-th principal root of unity ω. We compute the A(ω i ) and B(ω i ). We recover A B from the points A(ω i ) B(ω i ) with Lagrange interpolation for a polynomial of degree 2n 1. Integer multiplication with generalized Fermat primes November 4, / 23

11 Fast Fourier Transform Multiplying integer using polynomials The fastest known algorithm is based on the evaluation-interpolation paradigm. Input: 2 numbers a and b of N bits. We decompose the input into 2 polynomials A = i a ix i and B = i b ix i (deg A = deg B = n, a i = b i = N/(2n) = k, and a i = b i = 0 for i > n). A(2 k ) =a k a a 2n 1 2 (2n 1)k = a B(2 k ) =b k b b 2n 1 2 (2n 1)k = b We work in some ring R in which we have a 2n-th principal root of unity ω. We compute the A(ω i ) and B(ω i ). We recover A B from the points A(ω i ) B(ω i ) with Lagrange interpolation for a polynomial of degree 2n 1. The DFT algorithm allows one to compute the A(ω i ) and B(ω i ). Integer multiplication with generalized Fermat primes November 4, / 23

12 Fast Fourier Transform Multiplying integer using polynomials [a 0,..., a 2n 1 ] [b 0,..., b 2n 1 ] DFT DFT [x 0,..., x 2n 1 ] [y 0,..., y 2n 1 ] Component Multiply [x 0 y 0,..., x 2n 1 y 2n 1 ] inverse DFT Integer multiplication with generalized Fermat primes November 4, / 23

13 Fast Fourier Transform FFT P is a polynomial of degree 2n 1 (n is a power of 2) and ω is a 2n-th principal root of unity in R (C or Z/pZ for example), which means that j [0,2n 1] ωij = 0 for i [1, 2n 1]. Integer multiplication with generalized Fermat primes November 4, / 23

14 Fast Fourier Transform FFT P is a polynomial of degree 2n 1 (n is a power of 2) and ω is a 2n-th principal root of unity in R (C or Z/pZ for example), which means that j [0,2n 1] ωij = 0 for i [1, 2n 1]. FFT(P, ω, 2n 1) if n = 1 then return P 0 + P 1 + X (P 0 P 1 ) end if P even (P 2i ) i P odd (P 2i+1 ) i Q even FFT(P even, ω 2, n 1) Q odd FFT(P odd, ω 2, n 1) Q Q even (X ) + Q odd (ωx ) + X n (Q odd (X ) Q even (ωx )) return Q Integer multiplication with generalized Fermat primes November 4, / 23

15 Fast Fourier Transform FFT P is a polynomial of degree 2n 1 (n is a power of 2) and ω is a 2n-th principal root of unity in R (C or Z/pZ for example), which means that j [0,2n 1] ωij = 0 for i [1, 2n 1]. FFT(P, ω, 2n 1) if n = 1 then return P 0 + P 1 + X (P 0 P 1 ) end if P even (P 2i ) i P odd (P 2i+1 ) i Q even FFT(P even, ω 2, n 1) Q odd FFT(P odd, ω 2, n 1) Q Q even (X ) + Q odd (ωx ) + X n (Q odd (X ) Q even (ωx )) return Q Complexity: O(n log n) operations in R, among which multiplications by some powers of ω, additions and subtractions. Integer multiplication with generalized Fermat primes November 4, / 23

16 Fast Fourier Transform FFT P 0 P 1 P 2 P 3 P 4 P 5 P 6 P 7 P 8 P 9 P 10 P 11 P 12 P 13 P 14 P 15 ω 0 ω 0 ω 0 ω 0 ω 4 ω 4 ω 4 ω 4 ω 0 ω 0 ω 2 ω 2 ω 4 ω 4 ω 6 ω 6 ω 0 ω 1 ω 2 ω 3 ω 4 ω 5 ω 6 ω 7 Q bitrev(0) Q bitrev(1) Q bitrev(2) Q bitrev(3) Q bitrev(4) Q bitrev(5) Q bitrev(6) Q bitrev(7) Q bitrev(8) Q bitrev(9) Q bitrev(10) Q bitrev(11) Q bitrev(12) Q bitrev(13) Q bitrev(14) Q bitrev(15) Integer multiplication with generalized Fermat primes November 4, / 23

17 Fast Fourier Transform Schönhage-Strassen 1 N: # bits of the integers that we multiply. 2 2n: degree of the polynomials A and B used to represent a and b. 3 k: # bits used to encode the coefficients of A and B: a = A(2 k ) and b = B(2 k ). Integer multiplication with generalized Fermat primes November 4, / 23

18 Fast Fourier Transform Schönhage-Strassen 1 N: # bits of the integers that we multiply. 2 2n: degree of the polynomials A and B used to represent a and b. 3 k: # bits used to encode the coefficients of A and B: a = A(2 k ) and b = B(2 k ). Examples: If R = C, then ω = exp(iπ/n). k = O(log N) is the best choice. Thus, the recursive calls are manipulating O(log N)-sized data during convolution step. Integer multiplication with generalized Fermat primes November 4, / 23

19 Fast Fourier Transform Schönhage-Strassen 1 N: # bits of the integers that we multiply. 2 2n: degree of the polynomials A and B used to represent a and b. 3 k: # bits used to encode the coefficients of A and B: a = A(2 k ) and b = B(2 k ). Examples: If R = C, then ω = exp(iπ/n). k = O(log N) is the best choice. Thus, the recursive calls are manipulating O(log N)-sized data during convolution step. If R = Z/(2 e + 1)Z, then, k e O( N) (smallest k possible). Then ω = 2 j with j = e/n. Multiplications by powers of ω are negacyclic permutations. Integer multiplication with generalized Fermat primes November 4, / 23

20 Fast Fourier Transform Schönhage-Strassen [a 0,..., a 2n 1 ] [b 0,..., b 2n 1 ] DFT DFT [x 0,..., x 2n 1 ] [y 0,..., y 2n 1 ] Component Multiply [x 0 y 0,..., x 2n 1 y 2n 1 ] inverse DFT Integer multiplication with generalized Fermat primes November 4, / 23

21 Fast Fourier Transform Schönhage-Strassen Modular Case [a 0,..., a 2n 1 ] [b 0,..., b 2n 1 ] DFT DFT Recursion [x 0,..., x 2n 1 ] [y 0,..., y 2n 1 ] Component Multiply [x 0 y 0,..., x 2n 1 y 2n 1 ] inverse DFT Integer multiplication with generalized Fermat primes November 4, / 23

22 Fast Fourier Transform Schönhage-Strassen Complex Case [a 0,..., a 2n 1 ] [b 0,..., b 2n 1 ] DFT > < DFT Recursion [x 0,..., x 2n 1 ] [y 0,..., y 2n 1 ] Component Multiply [x 0 y 0,..., x 2n 1 y 2n 1 ] inverse DFT Integer multiplication with generalized Fermat primes November 4, / 23

23 Fast Fourier Transform Some remarks C Z/(2 e + 1)Z Coefficients size? Coefficients size? O(log N) O( N) Expensive multiplications? Expensive multiplications? DFT, Convolution Convolution Integer multiplication with generalized Fermat primes November 4, / 23

24 Fast Fourier Transform Some remarks C Z/(2 e + 1)Z Coefficients size? Coefficients size? O(log N) O( N) Expensive multiplications? Expensive multiplications? DFT, Convolution Convolution Case Degree Mult. by a root Recursion Complexity C O(N/ log N) expensive O(log N) N log N log log N 2 O(log N) Z/(2 e + 1)Z O( N) cheap O( N) N log N log log N In C, computing an FFT in {1, 1, i, i} is quite easy. But less obvious for superior orders... Integer multiplication with generalized Fermat primes November 4, / 23

25 Fürer 1 Fast Fourier Transform Naive multiplication Multiplying integer using polynomials FFT Schönhage-Strassen Some remarks 2 Fürer Factorization of FFT A new ring and a new cut 3 Using generalized Fermat primes Number-theoretic transform A Fürer-like number theoretic transform Comparison of complexities Integer multiplication with generalized Fermat primes November 4, / 23

26 Fürer Factorization of FFT Here you can see the butterfly graph for 16-point transform. a 0 a 1 a 2 a 3 a 4 a 5 a 6 a 7 a 8 a 9 a 10 a 11 a 12 a 13 a 14 a 15 Below, the matrix representation: a 0 a 1 a 2 a 3 a 4 a 5 a 6 a 7 a 8 a 9 a 10 a 11 a 12 a 13 a 14 a 15 Integer multiplication with generalized Fermat primes November 4, / 23

27 Fürer Factorization of FFT We start by inner transforms. a 0 a 1 a 2 a 3 a 4 a 5 a 6 a 7 a 8 a 9 a 10 a 11 a 12 a 13 a 14 a 15 Below, the matrix representation: a 0 a 1 a 2 a 3 a 4 a 5 a 6 a 7 a 8 a 9 a 10 a 11 a 12 a 13 a 14 a 15 There are 4 4-points FFT. Integer multiplication with generalized Fermat primes November 4, / 23

28 Fürer Factorization of FFT Then the outer ones. a 0 a 1 a 2 a 3 a 4 a 5 a 6 a 7 a 8 a 9 a 10 a 11 a 12 a 13 a 14 a 15 Below, the matrix representation: a 0 a 1 a 2 a 3 a 4 a 5 a 6 a 7 a 8 a 9 a 10 a 11 a 12 a 13 a 14 a 15 There are 4 4-points FFT. Integer multiplication with generalized Fermat primes November 4, / 23

29 Fürer A new ring and a new cut We use a polynomial ring R of the form R = C[x]/(x P + 1) or R = Z[x]/(q c, x P + 1)Z There exists a 2n-th root of unity ρ such that ρ n/p = x (Lagrange interpolation) The computation of 2n-points FFT is factored into the computation of log 2P 2n times n/p 2P-points FFT P = Θ(log N) and coefficients of elements of R are stored on Θ(log N) bits Integer multiplication with generalized Fermat primes November 4, / 23

30 Fürer A new ring and a new cut We use a polynomial ring R of the form R = C[x]/(x P + 1) or R = Z[x]/(q c, x P + 1)Z There exists a 2n-th root of unity ρ such that ρ n/p = x (Lagrange interpolation) The computation of 2n-points FFT is factored into the computation of log 2P 2n times n/p 2P-points FFT P = Θ(log N) and coefficients of elements of R are stored on Θ(log N) bits Case Degree Mult. by a root Recursion Complexity C O(N/ log N) expensive O(log N) N log N log log N 2 O(log N) Z/(2 e + 1)Z O( N) cheap O( N) N log N log log N C[x]/(x P + 1) O(N/ log 2 N) it depends O(log 2 N) N log N 2 O(log N) Z[x]/(q c, x P + 1)Z O(N/ log 2 N) it depends O(log 2 N) N log N 2 O(log N) Integer multiplication with generalized Fermat primes November 4, / 23

31 Using generalized Fermat primes 1 Fast Fourier Transform Naive multiplication Multiplying integer using polynomials FFT Schönhage-Strassen Some remarks 2 Fürer Factorization of FFT A new ring and a new cut 3 Using generalized Fermat primes Number-theoretic transform A Fürer-like number theoretic transform Comparison of complexities Integer multiplication with generalized Fermat primes November 4, / 23

32 Using generalized Fermat primes Number-theoretic transform Let us multiply integers by associating to them 2 polynomials of degree 2n 1 for which the coefficients are embedded in a finite field R = Z/qZ. Integer multiplication with generalized Fermat primes November 4, / 23

33 Using generalized Fermat primes Number-theoretic transform Let us multiply integers by associating to them 2 polynomials of degree 2n 1 for which the coefficients are embedded in a finite field R = Z/qZ. The prime q must verify: 2n q 1. Thus, there exists a 2n-th principal root of unity. Integer multiplication with generalized Fermat primes November 4, / 23

34 Using generalized Fermat primes Number-theoretic transform Let us multiply integers by associating to them 2 polynomials of degree 2n 1 for which the coefficients are embedded in a finite field R = Z/qZ. The prime q must verify: 2n q 1. Thus, there exists a 2n-th principal root of unity. 1 N: # bits of the integers that we multiply. 2 2n: degree of the polynomials A and B used to represent a and b. 3 k: # bits used to encode the coefficients of A and B: a = A(2 k ) and b = B(2 k ); this number is given by roughly 1 2 log 2 q. Integer multiplication with generalized Fermat primes November 4, / 23

35 Using generalized Fermat primes Number-theoretic transform Let us multiply integers by associating to them 2 polynomials of degree 2n 1 for which the coefficients are embedded in a finite field R = Z/qZ. The prime q must verify: 2n q 1. Thus, there exists a 2n-th principal root of unity. 1 N: # bits of the integers that we multiply. 2 2n: degree of the polynomials A and B used to represent a and b. 3 k: # bits used to encode the coefficients of A and B: a = A(2 k ) and b = B(2 k ); this number is given by roughly 1 2 log 2 q. A choice of q such that k = O(log N) is optimal. Integer multiplication with generalized Fermat primes November 4, / 23

36 Using generalized Fermat primes A Fürer-like number theoretic transform q is chosen such that q = b P + 1. There exists b such that b < P (log P) 1+ɛ for any ɛ > 0. Thus, log 2 q P log P. Let ρ be a 2n-th root of unity in Z/qZ such that ρ n/p = b. Integer multiplication with generalized Fermat primes November 4, / 23

37 Using generalized Fermat primes A Fürer-like number theoretic transform q is chosen such that q = b P + 1. There exists b such that b < P (log P) 1+ɛ for any ɛ > 0. Thus, log 2 q P log P. Let ρ be a 2n-th root of unity in Z/qZ such that ρ n/p = b. Working in radix b is like working with "polynomials" of degree P whose coefficients are bounded by b. Integer multiplication with generalized Fermat primes November 4, / 23

38 Using generalized Fermat primes A Fürer-like number theoretic transform q is chosen such that q = b P + 1. There exists b such that b < P (log P) 1+ɛ for any ɛ > 0. Thus, log 2 q P log P. Let ρ be a 2n-th root of unity in Z/qZ such that ρ n/p = b. Working in radix b is like working with "polynomials" of degree P whose coefficients are bounded by b. Naive Way New way x x X (b) = x 0 + x 1 b + x 2 b 2 x P 1 b P 1 y y Y (b) = y 0 + y 1 b + y 2 b 2 y P 1 b P 1 x y z = x y and x y = z mod q Z = X Y mod (X P + 1) and x y = Z(b) Integer multiplication with generalized Fermat primes November 4, / 23

39 Using generalized Fermat primes Comparison of complexities Using Fürer s algorithm, we got: Case Degree Mult. by a root Recursion Complexity C O(N/ log N) expensive O(log N) N log N log log N 2 O(log N) Z/(2 e + 1)Z O( N) cheap O( N) N log N log log N C[x]/(x P + 1) O(N/ log 2 N) it depends O(log 2 N) N log N 2 O(log N) Z[x]/(q c, x P + 1)Z O(N/ log 2 N) it depends O(log 2 N) N log N 2 O(log N) Integer multiplication with generalized Fermat primes November 4, / 23

40 Using generalized Fermat primes Comparison of complexities Using Fürer s algorithm, we got: Case Degree Mult. by a root Recursion Complexity C O(N/ log N) expensive O(log N) N log N log log N 2 O(log N) Z/(2 e + 1)Z O( N) cheap O( N) N log N log log N C[x]/(x P + 1) O(N/ log 2 N) it depends O(log 2 N) N log N 2 O(log N) Z[x]/(q c, x P + 1)Z O(N/ log 2 N) it depends O(log 2 N) N log N 2 O(log N) Using the last trick, we get the following data: Case Degree Mult. by a root Recursion Complexity C O(N/ log N) expensive O(log N) N log N log log N 2 O(log N) Z/(2 e + 1)Z O( N) cheap O( N) N log N log log N C[x]/(x P + 1) O(N/ log 2 N) it depends O(log 2 N) N log N 2 O(log N) Z[x]/(q c, x P + 1)Z O(N/ log 2 N) it depends O(log 2 N) N log N 2 O(log N) Z/(b P + 1)Z O(N/(log N log log N)) it depends O(log N log log N) N log N 2 O(log N) Integer multiplication with generalized Fermat primes November 4, / 23

41 Conclusion Removing the polynomial layer improves the complexity of the algorithm. Integer multiplication with generalized Fermat primes November 4, / 23

42 Conclusion Removing the polynomial layer improves the complexity of the algorithm. With a careful complexity analysis, we get the following complexity estimate: N log N 4 log N (the same as the one obtained by Harvey, Lecerf and Van der Hoeven with Mersenne primes). Integer multiplication with generalized Fermat primes November 4, / 23

43 Conclusion Removing the polynomial layer improves the complexity of the algorithm. With a careful complexity analysis, we get the following complexity estimate: N log N 4 log N (the same as the one obtained by Harvey, Lecerf and Van der Hoeven with Mersenne primes). An efficient implementation has to be done. Integer multiplication with generalized Fermat primes November 4, / 23

44 Conclusion Removing the polynomial layer improves the complexity of the algorithm. With a careful complexity analysis, we get the following complexity estimate: N log N 4 log N (the same as the one obtained by Harvey, Lecerf and Van der Hoeven with Mersenne primes). An efficient implementation has to be done. Some limitations: efficient multiplication of two polynomials modulo X P + 1 (bilinear rank), strategy for choosing a good prime, an algorithm for the decompositions... Integer multiplication with generalized Fermat primes November 4, / 23

Integer multiplication and the truncated product problem

Integer multiplication and the truncated product problem David Harvey Arithmetic Geometry, Number Theory, and Computation MIT, August 2018 University of New South Wales Political update from Australia