Solinas prime

In mathematics, a Solinas prime, or generalized Mersenne prime, is a prime number that has the form $f(2^m)$ , where $f(x)$ is a low-degree polynomial with small integer coefficients.^[1]^[2] These primes allow fast modular reduction algorithms and are widely used in cryptography. They are named after Jerome Solinas.

This class of numbers encompasses a few other categories of prime numbers:

Mersenne primes, which have the form $2^k-1$ ,
Crandall or pseudo-Mersenne primes, which have the form $2^k-c$ for small odd $c$ .^[3]

Modular reduction algorithm

Let $f(t) = t^d - c_{d-1}t^{d-1} - ... - c_0$ be a monic polynomial of degree $d$ with coefficients in $\mathbb{Z}$ and suppose that $p = f(2^m)$ is a Solinas prime. Given a number $n < p^2$ with up to $2md$ bits, we want to find a number congruent to $n$ mod $p$ with only as many bits as $p$ – that is, with at most $md$ bits.

First, represent $n$ in base $2^m$ :

n = \sum_{j=0}^{2d-1}A_j2^{mj}

Next, generate a $d$ -by- $d$ matrix $X = (X_{i,j})$ by stepping $d$ times the linear-feedback shift register defined over $\mathbb{Z}$ by the polynomial $f$ : starting with the $d$ -integer register $[0 | 0 |...| 0 | 1]$ , shift right one position, injecting $0$ on the left and adding (component-wise) the output value times the vector $[c_0,...,c_{d-1}]$ at each step (see [1] for details). Let $X_{i,j}$ be the integer in the $j$ th register on the $i$ th step and note that the first row of $X$ is given by $(X_{0,j}) = [c_0,...,c_{d-1}]$ . Then if we denote by $B = (B_i)$ the integer vector given by:

(B_0 ... B_{d-1}) = (A_0 ... A_{d-1}) + (A_d ... A_{2d-1})X

,

it can be easily checked that:

\sum_{j=0}^{d-1}B_j2^{mj}\equiv\sum_{j=0}^{2d-1}A_j2^{mj} \mod p

.

Thus $B$ represents an $md$ -bit integer congruent to $n$ .

For judicious choices of $f$ (again, see [1]), this algorithm involves only a relatively small number of additions and subtractions (and no divisions!), so it can be much more efficient than the naive modular reduction algorithm ( $n - p \cdot (n / p)$ ).

Examples

Four of the recommended primes in NIST's document "Recommended Elliptic Curves for Federal Government Use" are Solinas primes:

p-192 $2^{192} - 2^{64} - 1$
p-224 $2^{224} - 2^{96} + 1$
p-256 $2^{256} - 2^{224} + 2^{192} + 2^{96} -1$
p-384 $2^{384} - 2^{128} - 2^{96} + 2^{32} - 1$

Curve448 uses the Solinas prime $2^{448} - 2^{224} - 1.$

References

↑ Lua error in package.lua at line 80: module 'strict' not found.
↑ Lua error in package.lua at line 80: module 'strict' not found.
↑ US patent 5159632, Richard E. Crandall, "Method and apparatus for public key exchange in a cryptographic system", issued 1992-10-27, assigned to NeXT Computer, Inc.

[1] Lua error in package.lua at line 80: module 'strict' not found.

[2] Lua error in package.lua at line 80: module 'strict' not found.

[3] US patent 5159632, Richard E. Crandall, "Method and apparatus for public key exchange in a cryptographic system", issued 1992-10-27, assigned to NeXT Computer, Inc.

[1]

[2]

[3]

v t e Prime number classes
By formula	Fermat (2^2ⁿ + 1) Mersenne (2^p − 1) Double Mersenne (2^{2^p−1} − 1) Wagstaff (2^p + 1)/3 Proth (k·2ⁿ + 1) Factorial (n! ± 1) Primorial (p_n# ± 1) Euclid (p_n# + 1) Pythagorean (4n + 1) Pierpont (2^u·3^v + 1) Quartan (x⁴ + y⁴) Solinas (2^a ± 2^b ± 1) Cullen (n·2ⁿ + 1) Woodall (n·2ⁿ − 1) Cuban (x³ − y³)/(x − y) Carol (2ⁿ − 1)² − 2 Kynea (2ⁿ + 1)² − 2 Leyland (x^y + y^x) Thabit (3·2ⁿ − 1) Mills (floor(A^3ⁿ))
By integer sequence	Fibonacci Lucas Pell Newman–Shanks–Williams Perrin Partitions Bell Motzkin
By property	Wieferich (pair) Wall–Sun–Sun Wolstenholme Wilson Lucky Fortunate Ramanujan Pillai Regular Strong Stern Supersingular (elliptic curve) Supersingular (moonshine theory) Good Super Higgs Highly cototient
Base-dependent	Happy Dihedral Palindromic Emirp Repunit (10ⁿ − 1)/9 Permutable Circular Truncatable Strobogrammatic Minimal Weakly Full reptend Unique Primeval Self Smarandache–Wellin
Patterns	Twin (p, p + 2) Bi-twin chain (n − 1, n + 1, 2n − 1, 2n + 1, …) Triplet (p, p + 2 or p + 4, p + 6) Quadruplet (p, p + 2, p + 6, p + 8) k−Tuple Cousin (p, p + 4) Sexy (p, p + 6) Chen Sophie Germain (p, 2p + 1) Cunningham chain (p, 2p ± 1, …) Safe (p, (p − 1)/2) Arithmetic progression (p + a·n, n = 0, 1, …) Balanced (consecutive p − n, p, p + n)
By size	Titanic (1,000+ digits) Gigantic (10,000+) Mega (1,000,000+) Largest known
Complex numbers	Eisenstein prime Gaussian prime
Composite numbers	Pseudoprime Almost prime Semiprime Interprime
Related topics	Probable prime Industrial-grade prime Illegal prime Formula for primes Prime gap
First 100 primes	2 3 5 7 11 13 17 19 23 29 31 37 41 43 47 53 59 61 67 71 73 79 83 89 97 101 103 107 109 113 127 131 137 139 149 151 157 163 167 173 179 181 191 193 197 199 211 223 227 229 233 239 241 251 257 263 269 271 277 281 283 293 307 311 313 317 331 337 347 349 353 359 367 373 379 383 389 397 401 409 419 421 431 433 439 443 449 457 461 463 467 479 487 491 499 503 509 521 523 541
List of prime numbers

Solinas prime

Contents

Modular reduction algorithm

Examples

See also

References

Navigation menu

Personal tools

Namespaces

Variants

Views

More

Search

Navigation

Tools