Solinas prime

In mathematics, a Solinas prime, or generalized Mersenne prime, is a prime number that has the form f ( 2 m ) {\displaystyle f(2^{m})} $f(2^{m})$ , where f ( x ) {\displaystyle f(x)} $f(x)$ is a low-degree polynomial with small integer coefficients. These primes allow fast modular reduction algorithms and are widely used in cryptography. They are named after Jerome Solinas.

This class of numbers encompasses a few other categories of prime numbers:

Mersenne primes, which have the form 2 k − 1 {\displaystyle 2^{k}-1} $2^{k}-1$ ,
Crandall or pseudo-Mersenne primes, which have the form 2 k − c {\displaystyle 2^{k}-c} $2^{k}-c$ for small odd c {\displaystyle c} $c$ .

Modular reduction algorithm

Let f ( t ) = t d − c d − 1 t d − 1 − . . . − c 0 {\displaystyle f(t)=t^{d}-c_{d-1}t^{d-1}-...-c_{0}} $f(t)=t^{d}-c_{d-1}t^{d-1}-...-c_{0}$ be a monic polynomial of degree d {\displaystyle d} $d$ with coefficients in Z {\displaystyle \mathbb {Z} } $\mathbb {Z}$ and suppose that p = f ( 2 m ) {\displaystyle p=f(2^{m})} $p=f(2^{m})$ is a Solinas prime. Given a number n < p 2 {\displaystyle n<p^{2}} $n<p^{2}$ with up to 2 m d {\displaystyle 2md} $2md$ bits, we want to find a number congruent to n {\displaystyle n} $n$ mod p {\displaystyle p} $p$ with only as many bits as p {\displaystyle p} $p$ – that is, with at most m d {\displaystyle md} $md$ bits.

First, represent n {\displaystyle n} $n$ in base 2 m {\displaystyle 2^{m}} $2^{m}$ :

n = ∑ j = 0 2 d − 1 A j 2 m j {\displaystyle n=\sum _{j=0}^{2d-1}A_{j}2^{mj}}

n=\sum _{j=0}^{2d-1}A_{j}2^{mj}

Next, generate a d {\displaystyle d} $d$ -by- d {\displaystyle d} $d$ matrix X = ( X i , j ) {\displaystyle X=(X_{i,j})} $X=(X_{i,j})$ by stepping d {\displaystyle d} $d$ times the linear-feedback shift register defined over Z {\displaystyle \mathbb {Z} } $\mathbb {Z}$ by the polynomial f {\displaystyle f} $f$ : starting with the d {\displaystyle d} $d$ -integer register {\displaystyle } $\text{[math]}$ , shift right one position, injecting 0 {\displaystyle 0} $0$ on the left and adding (component-wise) the output value times the vector {\displaystyle } $\text{[math]}$ at each step (see for details). Let X i , j {\displaystyle X_{i,j}} $X_{i,j}$ be the integer in the j {\displaystyle j} $j$ th register on the i {\displaystyle i} $i$ th step and note that the first row of X {\displaystyle X} $X$ is given by ( X 0 , j ) = {\displaystyle (X_{0,j})=} $(X_{0,j})=$ . Then if we denote by B = ( B i ) {\displaystyle B=(B_{i})} $B=(B_{i})$ the integer vector given by:

( B 0 . . . B d − 1 ) = ( A 0 . . . A d − 1 ) + ( A d . . . A 2 d − 1 ) X {\displaystyle (B_{0}...B_{d-1})=(A_{0}...A_{d-1})+(A_{d}...A_{2d-1})X}

(B_{0}...B_{d-1})=(A_{0}...A_{d-1})+(A_{d}...A_{2d-1})X

it can be easily checked that:

∑ j = 0 d − 1 B j 2 m j ≡ ∑ j = 0 2 d − 1 A j 2 m j mod p {\displaystyle \sum _{j=0}^{d-1}B_{j}2^{mj}\equiv \sum _{j=0}^{2d-1}A_{j}2^{mj}\mod p}

\sum _{j=0}^{d-1}B_{j}2^{mj}\equiv \sum _{j=0}^{2d-1}A_{j}2^{mj}\mod p

Thus B {\displaystyle B} $B$ represents an m d {\displaystyle md} $md$ -bit integer congruent to n {\displaystyle n} $n$ .

For judicious choices of f {\displaystyle f} $f$ (again, see ), this algorithm involves only a relatively small number of additions and subtractions (and no divisions!), so it can be much more efficient than the naive modular reduction algorithm ( n − p ⋅ ( n / p ) {\displaystyle n-p\cdot (n/p)} $n-p\cdot (n/p)$ ).

Examples

Four of the recommended primes in NIST's document "Recommended Elliptic Curves for Federal Government Use" are Solinas primes:

p-192 2 192 − 2 64 − 1 {\displaystyle 2^{192}-2^{64}-1} $2^{192}-2^{64}-1$
p-224 2 224 − 2 96 + 1 {\displaystyle 2^{224}-2^{96}+1} $2^{224}-2^{96}+1$
p-256 2 256 − 2 224 + 2 192 + 2 96 − 1 {\displaystyle 2^{256}-2^{224}+2^{192}+2^{96}-1} $2^{256}-2^{224}+2^{192}+2^{96}-1$
p-384 2 384 − 2 128 − 2 96 + 2 32 − 1 {\displaystyle 2^{384}-2^{128}-2^{96}+2^{32}-1} $2^{384}-2^{128}-2^{96}+2^{32}-1$

Curve448 uses the Solinas prime 2 448 − 2 224 − 1. {\displaystyle 2^{448}-2^{224}-1.} $2^{448}-2^{224}-1.$

References

^ Solinas, Jerome A. (1999). Generalized Mersenne Numbers (PDF) (Technical report). Center for Applied Cryptographic Research, University of Waterloo. CORR-99-39.
^ Solinas, Jerome A. (2011). "Generalized Mersenne Prime". In Tilborg, Henk C. A. van; Jajodia, Sushil (eds.). Encyclopedia of Cryptography and Security. Springer US. pp. 509–510. doi:10.1007/978-1-4419-5906-5_32. ISBN 978-1-4419-5905-8.
^ US patent 5159632, Richard E. Crandall, "Method and apparatus for public key exchange in a cryptographic system", issued 1992-10-27, assigned to NeXT Computer, Inc.

v t e Prime number classes
By formula	Fermat (22n + 1) Mersenne (2p − 1) Double Mersenne (22p−1 − 1) Wagstaff (2p + 1)/3 Proth (k·2n + 1) Factorial (n! ± 1) Primorial (pn# ± 1) Euclid (pn# + 1) Pythagorean (4n + 1) Pierpont (2m·3n + 1) Quartan (x4 + y4) Solinas (2m ± 2n ± 1) Cullen (n·2n + 1) Woodall (n·2n − 1) Cuban (x3 − y3)/(x − y) Leyland (xy + yx) Thabit (3·2n − 1) Williams ((b−1)·bn − 1) Mills (⌊A3n⌋)
By integer sequence	Fibonacci Lucas Pell Newman–Shanks–Williams Perrin
By property	Wieferich (pair) Wall–Sun–Sun Wolstenholme Wilson Lucky Fortunate Ramanujan Pillai Regular Strong Stern Supersingular (elliptic curve) Supersingular (moonshine theory) Good Super Higgs Highly cototient Unique
Base-dependent	Palindromic Emirp Repunit (10n − 1)/9 Permutable Circular Truncatable Minimal Delicate Primeval Full reptend Unique Happy Self Smarandache–Wellin Strobogrammatic Dihedral Tetradic
Patterns	Twin (p, p + 2) Bi-twin chain (n ± 1, 2n ± 1, 4n ± 1, …) Triplet (p, p + 2 or p + 4, p + 6) Quadruplet (p, p + 2, p + 6, p + 8) k-tuple Cousin (p, p + 4) Sexy (p, p + 6) Chen Sophie Germain/Safe (p, 2p + 1) Cunningham (p, 2p ± 1, 4p ± 3, 8p ± 7, ...) Arithmetic progression (p + a·n, n = 0, 1, 2, 3, ...) Balanced (consecutive p − n, p, p + n)
By size	Mega (1,000,000+ digits) Largest known list
Complex numbers	Eisenstein prime Gaussian prime
Composite numbers	Pseudoprime Catalan Elliptic Euler Euler–Jacobi Fermat Frobenius Lucas Perrin Somer–Lucas Strong Carmichael number Almost prime Semiprime Sphenic number Interprime Pernicious
Related topics	Probable prime Industrial-grade prime Illegal prime Formula for primes Prime gap
First 60 primes	2 3 5 7 11 13 17 19 23 29 31 37 41 43 47 53 59 61 67 71 73 79 83 89 97 101 103 107 109 113 127 131 137 139 149 151 157 163 167 173 179 181 191 193 197 199 211 223 227 229 233 239 241 251 257 263 269 271 277 281
List of prime numbers

Solinas prime

Modular reduction algorithm

Examples

See also

References