Schönhage–Strassen Algorithm

The Schönhage–Strassen algorithm is an asymptotically fast multiplication algorithm for large integers, published by Arnold Schönhage and Volker Strassen in 1971. It works by recursively applying fast Fourier transform (FFT) over the integers modulo $2^n + 1$. The run-time bit complexity to multiply two -digit numbers using the algorithm is $O(n \cdot \log n \cdot \log \log n)$ in big notation.

The Schönhage–Strassen algorithm was the asymptotically fastest multiplication method known from 1971 until 2007. It is asymptotically faster than older methods such as Karatsuba and Toom–Cook multiplication, and starts to outperform them in practice for numbers beyond about 10,000 to 100,000 decimal digits. In 2007, Martin Fürer published an algorithm with faster asymptotic complexity. In 2019, David Harvey and Joris van der Hoeven demonstrated that multi-digit multiplication has theoretical $O(n\log n)$ complexity; however, their algorithm has constant factors which make it impossibly slow for any conceivable practical problem (see galactic algorithm).

Applications of the Schönhage–Strassen algorithm include large computations done for their own sake such as the Great Internet Mersenne Prime Search and approximations of , as well as practical applications such as Lenstra elliptic curve factorization via Kronecker substitution, which reduces polynomial multiplication to integer multiplication.

Description

This section has a simplified version of the algorithm, showing how to compute the product $ab$ of two natural numbers $a,b$, modulo a number of the form $2^n+1$, where $n=2^kM$ is some fixed number. The integers $a,b$ are to be divided into $D=2^k$ blocks of $M$ bits, so in practical implementations, it is important to strike the right balance between the parameters $M,k$. In any case, this algorithm will provide a way to multiply two positive integers, provided $n$ is chosen so that $ab < 2^n+1$.

Let $n=DM$ be the number of bits in the signals $a$ and $b$, where $D=2^k$ is a power of two. Divide the signals $a$ and $b$ into $D$ blocks of $M$ bits each, storing the resulting blocks as arrays $A,B$ (whose entries we shall consider for simplicity as arbitrary precision integers).

We now select a modulus for the Fourier transform, as follows. Let $M'$ be such that $DM'\ge 2M+k$. Also put $n'=DM'$, and regard the elements of the arrays $A,B$ as (arbitrary precision) integers modulo $2^+1$. Observe that since $2^ + 1 \ge 2^ + 1 = D2^+1$, the modulus is large enough to accommodate any carries that can result from multiplying $a$ and $b$. Thus, the product $ab$ (modulo $2^n+1$) can be calculated by evaluating the convolution of $A,B$. Also, with $g=2^$, we have $g^\equiv -1\pmod$, and so $g$ is a primitive $D$th root of unity modulo $2^+1$.

We now take the discrete Fourier transform of the arrays $A,B$ in the ring $\mathbb Z/(2^+1)\mathbb Z$, using the root of unity $g$ for the Fourier basis, giving the transformed arrays $\widehat A,\widehat B$. Because $D=2^k$ is a power of two, this can be achieved in logarithmic time using a fast Fourier transform.

Let $\widehat C_i=\widehat A_i\widehat B_i$ (pointwise product), and compute the inverse transform $C$ of the array $\widehat C$, again using the root of unity $g$. The array $C$ is now the convolution of the arrays $A,B$. Finally, the product $ab\pmod$ is given by evaluating
$ab\equiv \sum_j C_j2^\mod.$

This basic algorithm can be improved in several ways. Firstly, it is not necessary to store the digits of $a,b$ to arbitrary precision, but rather only up to $n'+1$ bits, which gives a more efficient machine representation of the arrays $A,B$. Secondly, it is clear that the multiplications in the forward transforms are simple bit shifts. With some care, it is also possible to compute the inverse transform using only shifts. Taking care, it is thus possible to eliminate any true multiplications from the algorithm except for where the pointwise product $\widehat C_i=\widehat A_i\widehat B_i$ is evaluated. It is therefore advantageous to select the parameters $D,M$ so that this pointwise product can be performed efficiently, either because it is a single machine word or using some optimized algorithm for multiplying integers of a (ideally small) number of words. Selecting the parameters $D,M$ is thus an important area for further optimization of the method.

Details

Every number in base B, can be written as a polynomial:

:$X = \sum_^N$

Furthermore, multiplication of two numbers could be thought of as a product of two polynomials:

:$XY = \left(\sum_^N \right)\left(\sum_^N \right)$

Because, for $B^k$: $c_k =\sum_ = \sum_^k$,
we have a convolution.

By using FFT (fast Fourier transform), used in the original version rather than NTT (Number-theoretic transform), with convolution rule; we get

:$\hat(a * b) = \hat\left(\sum_^k a_ib_ \right) = \hat(a) \bullet \hat(b).$
That is; $C_k = a_k \bullet b_k$, where $C_k$
is the corresponding coefficient in Fourier space. This can also be written as: $\text(a * b) = \text(a) \bullet \text(b)$.

We have the same coefficients due to linearity under the Fourier transform, and because these polynomials
only consist of one unique term per coefficient:

:$\hat(x^n) = \left(\frac\right)^n \delta^$ and
:$\hat(a\, X(\xi) + b\, Y(\xi)) = a\, \hat(\xi) + b\, \hat(\xi)$

Convolution rule: $\hat(X * Y) = \ \hat(X) \bullet \hat(Y)$

We have reduced our convolution problem
to product problem, through FFT.

By finding the FFT of the polynomial interpolation of each $C_k$, one can determine the desired coefficients.

This algorithm uses the divide-and-conquer method to divide the problem into subproblems.

Convolution under mod ''N''

: $c_k =\sum_ a_ib_j$, where $N(n) = 2^n + 1$.

By letting:

:$a_i' = \theta^i a_i$ and $b_j' = \theta^j b_j,$

where $\theta^N = -1$ is the n^th root, one sees that:

:
\begin
C_k & =\sum_ a_ib_j = \theta^ \sum_ a_i'b_j' \\ pt& = \theta^ \left(\sum_ a_i'b_j' + \sum_ a_i'b_j' \right) \\ pt& = \theta^\left(\sum_ a_ib_j\theta^k + \sum_ a_ib_j\theta^ \right) \\ pt& = \sum_ a_ib_j + \theta^n \sum_ a_ib_j.
\end

This mean, one can use weight $\theta^i$, and then multiply with $\theta^$ after.

Instead of using weight, as $\theta^N = -1$, in first step of recursion (when $n = N$), one can calculate:

:$C_k =\sum_ = \sum_ a_ib_j - \sum_ a_ib_j$

In a normal FFT which operates over complex numbers, one would use:

:$\exp \left(\frac\right) =\cos\frac + i \sin \frac n, \qquad k=0,1,\dots, n-1.$

:
\begin
C_k & = \theta^\left(\sum_ a_ib_j\theta^k + \sum_ a_ib_j \theta^ \right) \\ pt& = e^ \left(\sum_ a_ib_je^ +\sum_ a_ib_je^ \right)
\end

However, FFT can also be used as a NTT ( number theoretic transformation) in Schönhage–Strassen. This means that we have to use to generate numbers in a finite field (for example $\mathrm( 2^n + 1 )$).

A root of unity under a finite field , is an element a such that $\theta^ \equiv 1$ or $\theta^r \equiv \theta$. For example , where is a prime number,
gives $\$.

Notice that $2^n \equiv -1$ in $\operatorname(2^n + 1)$ and $\sqrt \equiv -1$ in $\operatorname(2^ + 1)$. For these candidates, $\theta^N \equiv -1$ under its finite field, and therefore act the way we want .

Same FFT algorithms can still be used, though, as long as is a root of unity of a finite field.

To find FFT/NTT transform, we do the following:

:
\begin
C_k' & = \hat(k) = \hat\left(\theta^\left(\sum_ a_ib_j\theta^k +\sum_ a_ib_j\theta^ \right) \right) \\ ptC_' & = \hat(k+k) = \hat \left(\sum_ a_i b_j \theta^k +\sum_ a_i b_j \theta^ \right) \\ pt& = \hat\left(\sum_ a_i b_j \theta^k + \sum_ a_i b_j \theta^ \right) \\ pt& = \hat\left(A_\right) \bullet \hat(B_) + \hat(A_) \bullet \hat(B_)
\end

First product gives contribution to $c_k$, for each . Second gives contribution to $c_k$, due to $(i+j)$ mod $N(n)$.

To do the inverse:

:$C_k = 2^\hat (\theta^ C_')$ or $C_k = \hat(\theta^ C_')$
depending whether data needs to be normalized.

One multiplies by $2^$ to normalize FFT data into a specific range, where $\frac \equiv 2^ \bmod N(n)$, where is found using the modular multiplicative inverse.

Implementation details

Why ''N'' = 2 + 1 mod ''N''

In Schönhage–Strassen algorithm, $N = 2^M + 1$. This should be thought of as a binary tree, where one have values in $0 \le \text \le 2^=2^$. By letting K \in ,M, for each one can find all $i+j = K$, and group all $(i,j)$ pairs into M different groups. Using $i+j = k$ to group $(i,j)$ pairs through convolution is a classical problem in algorithms.

Having this in mind, $N = 2^M + 1$ help us to group $(i,j)$ into $\frac$ groups for each group of subtasks in depth in a tree with $N = 2^ + 1$

Notice that $N = 2^M + 1 = 2^ + 1$, for some L. This makes N a Fermat number. When doing mod $N = 2^M + 1 = 2^ + 1$, we have a Fermat ring.

Because some Fermat numbers are Fermat primes, one can in some cases avoid calculations.

There are other ''N'' that could have been used, of course, with same prime number advantages. By letting $N = 2^k - 1$, one have the maximal number in a binary number with $k+1$ bits.
$N = 2^k - 1$ is a Mersenne number, that in some cases is a Mersenne prime. It is a natural candidate against Fermat number $N = 2^ + 1$

In search of another ''N''

Doing several mod calculations against different , can be helpful when it comes to solving integer product. By using the Chinese remainder theorem, after splitting into smaller different types of , one can find the answer of multiplication

Fermat numbers and Mersenne numbers are just two types of numbers, in something called generalized Fermat Mersenne number (GSM); with formula:

:$G_ = \sum_^p q^ = \frac$

:$M_ = G_$

In this formula, $M_$ is a Fermat number, and $M_$ is a Mersenne number.

This formula can be used to generate sets of equations, that can be used in CRT (Chinese remainder theorem):

:$g^ \equiv -1 \pmod$, where is a number such that there exists an where $x^2 \equiv g \pmod$, assuming $N = 2^n$

Furthermore; $g^ \equiv a^ \pmod$, where is an element that generates elements in $\$ in a cyclic manner.

If $N=2^t$, where $1 \le t \le n$, then $g_t = a^$.

How to choose ''K'' for a specific ''N''

The following formula is helpful, finding a proper (number of groups to divide bits into) given bit size by calculating efficiency :

$E = \frac$ is bit size (the one used in $2^N + 1$) at outermost level. gives $\frac$ groups of bits, where $K = 2^k$.

is found through and by finding the smallest , such that $2N/K +k \le n = K2^x$

If one assume efficiency above 50%, $\frac \le \frac, K \le n$ and is very small compared to rest of formula; one get

:$K \le 2\sqrt$

This means: When something is very effective; is bound above by $2\sqrt$ or asymptotically bound above by $\sqrt$

Pseudocode

Following algorithm, the standard Modular Schönhage-Strassen Multiplication algorithm (with some optimizations), is found in overview through

* T3MUL = Toom–Cook multiplication
* SMUL = Schönhage–Strassen multiplication
* Evaluate = FFT/IFFT

Further study

For implemantion details, one can read the book ''Prime Numbers: A Computational Perspective''.R. Crandall & C. Pomerance. ''Prime Numbers – A Computational Perspective''. Second Edition, Springer, 2005. Section 9.5.6: Schönhage method, p. 502. This variant differs somewhat from Schönhage's original method in that it exploits the discrete weighted transform to perform negacyclic convolutions more efficiently. Another source for detailed information is Knuth's ''The Art of Computer Programming''.

Optimizations

This section explains a number of important practical optimizations, when implementing Schönhage–Strassen.

Use of other multiplications algorithm, inside algorithm

Below a certain cutoff point, it's more efficient to use other multiplication algorithms, such as Toom–Cook multiplication.

Square root of 2 trick

The idea is to use $\sqrt$ as a root of unity of order $2^$ in finite field $\mathrm(2^ +1)$ ( it is a solution to equation $\theta^ \equiv 1 \pmod$), when weighting values in NTT (number theoretic transformation) approach. It has been shown to save 10% in integer multiplication time.

Granlund's trick

By letting $m = N + h$, one can compute
$uv \bmod$ and $(u \bmod )(v \bmod 2^h)$ in combination with CRT (Chinese Remainder Theorem) to
find exact values of multiplication .

References

{{DEFAULTSORT:Schonhage-Strassen Algorithm
Computer arithmetic algorithms
Multiplication