Schönhage–Strassen algorithm explained

2n+1

. The run-time bit complexity to multiply two -digit numbers using the algorithm is

O(nlognloglogn)

in big notation.

The Schönhage–Strassen algorithm was the asymptotically fastest multiplication method known from 1971 until 2007. It is asymptotically faster than older methods such as Karatsuba and Toom–Cook multiplication, and starts to outperform them in practice for numbers beyond about 10,000 to 100,000 decimal digits.[2] In 2007, Martin Fürer published an algorithm with faster asymptotic complexity.[3] In 2019, David Harvey and Joris van der Hoeven demonstrated that multi-digit multiplication has theoretical

O(nlogn)

complexity; however, their algorithm has constant factors which make it impossibly slow for any conceivable practical problem (see galactic algorithm).[4]

Applications of the Schönhage–Strassen algorithm include large computations done for their own sake such as the Great Internet Mersenne Prime Search and approximations of , as well as practical applications such as Lenstra elliptic curve factorization via Kronecker substitution, which reduces polynomial multiplication to integer multiplication.[5] [6]

Description

This section has a simplified version of the algorithm, showing how to compute the product

ab

of two natural numbers

a,b

, modulo a number of the form

2n+1

, where

n=2kM

is some fixed number. The integers

a,b

are to be divided into

D=2k

blocks of

M

bits, so in practical implementations, it is important to strike the right balance between the parameters

M,k

. In any case, this algorithm will provide a way to multiply two positive integers, provided

n

is chosen so that

ab<2n+1

.

Let

n=DM

be the number of bits in the signals

a

and

b

, where

D=2k

is a power of two. Divide the signals

a

and

b

into

D

blocks of

M

bits each, storing the resulting blocks as arrays

A,B

(whose entries we shall consider for simplicity as arbitrary precision integers).

We now select a modulus for the Fourier transform, as follows. Let

M'

be such that

DM'\ge2M+k

. Also put

n'=DM'

, and regard the elements of the arrays

A,B

as (arbitrary precision) integers modulo

2n'+1

. Observe that since

2n'+1\ge22M+k+1=D22M+1

, the modulus is large enough to accommodate any carries that can result from multiplying

a

and

b

. Thus, the product

ab

(modulo

2n+1

) can be calculated by evaluating the convolution of

A,B

. Also, with

g=22M'

, we have

gD/2\equiv-1\pmod{2n'+1}

, and so

g

is a primitive

D

th root of unity modulo

2n'+1

.

We now take the discrete Fourier transform of the arrays

A,B

in the ring

Z/(2n'+1)Z

, using the root of unity

g

for the Fourier basis, giving the transformed arrays

\widehatA,\widehatB

. Because

D=2k

is a power of two, this can be achieved in logarithmic time using a fast Fourier transform.

Let

\widehatCi=\widehatAi\widehatBi

(pointwise product), and compute the inverse transform

C

of the array

\widehatC

, again using the root of unity

g

. The array

C

is now the convolution of the arrays

A,B

. Finally, the product

ab\pmod{2n+1}

is given by evaluatingab\equiv \sum_j C_j2^\mod.

This basic algorithm can be improved in several ways. Firstly, it is not necessary to store the digits of

a,b

to arbitrary precision, but rather only up to

n'+1

bits, which gives a more efficient machine representation of the arrays

A,B

. Secondly, it is clear that the multiplications in the forward transforms are simple bit shifts. With some care, it is also possible to compute the inverse transform using only shifts. Taking care, it is thus possible to eliminate any true multiplications from the algorithm except for where the pointwise product

\widehatCi=\widehatAi\widehatBi

is evaluated. It is therefore advantageous to select the parameters

D,M

so that this pointwise product can be performed efficiently, either because it is a single machine word or using some optimized algorithm for multiplying integers of a (ideally small) number of words. Selecting the parameters

D,M

is thus an important area for further optimization of the method.

Details

Every number in base B, can be written as a polynomial:

X=

N
\sum
i=0
i}
{x
iB

Furthermore, multiplication of two numbers could be thought of as a product of two polynomials:

XY=

N
\left(\sum
i=0
N
{x
j=0
j}\right)
{y
iB

Because, for

Bk

:

ck=\sum(i,j):i+j=k{aibj}=

k
\sum
i=0

{aibk-i

} ,we have a convolution.

By using FFT (fast Fourier transform), used in the original version rather than NTT (Number-theoretic transform),[7] with convolution rule; we get

\hat{f}(a*b)=

k
\hat{f}\left(\sum
i=0

aibk-i\right)=\hat{f}(a)\bullet\hat{f}(b).

That is;

Ck=ak\bulletbk

, where

Ck

is the corresponding coefficient in Fourier space. This can also be written as:

fft(a*b)=fft(a)\bulletfft(b)

.

We have the same coefficients due to linearity under the Fourier transform, and because these polynomials only consist of one unique term per coefficient:

\hat{f}(xn)=\left(

i
2\pi

\right)n\delta(n)

and

\hat{f}(aX(\xi)+bY(\xi))=a\hat{X}(\xi)+b\hat{Y}(\xi)

Convolution rule:

\hat{f}(X*Y)=\hat{f}(X)\bullet\hat{f}(Y)

We have reduced our convolution problemto product problem, through FFT.

By finding the FFT of the polynomial interpolation of each

Ck

, one can determine the desired coefficients.

This algorithm uses the divide-and-conquer method to divide the problem into subproblems.

Convolution under mod N

ck=\sum(i,j):i+j

} a_ib_j , where

N(n)=2n+1

.

By letting:

ai'=\thetaiai

and

bj'=\thetajbj,

where

\thetaN=-1

is the nth root, one sees that:[8]

\begin{align} Ck&=\sum(i,j):i+j=k

} a_ib_j = \theta^ \sum_ a_i'b_j' \\[6pt]& = \theta^ \left(\sum_ a_i'b_j' + \sum_ a_i'b_j' \right) \\[6pt]& = \theta^\left(\sum_ a_ib_j\theta^k + \sum_ a_ib_j\theta^ \right) \\[6pt]& = \sum_ a_ib_j + \theta^n \sum_ a_ib_j.\end

This mean, one can use weight

\thetai

, and then multiply with

\theta-k

after.

Instead of using weight, as

\thetaN=-1

, in first step of recursion (when

n=N

), one can calculate:

Ck=\sum(i,j):i+j

} = \sum_ a_ib_j - \sum_ a_ib_j

In a normal FFT which operates over complex numbers, one would use:

\exp \left(\frac\right) =\cos\frac + i \sin \frac n, \qquad k=0,1,\dots, n-1.

\begin{align} Ck&=\theta-k\left(\sum(i,j):i+j=kaib

k
j\theta

+\sum(i,j):i+j=k+naibj\thetan+k\right)\\[6pt] &=e-i2\pi\left(\sum(i,j):i+j=kaib

i2\pik/n
je

+\sum(i,j):i+j=k+naib

i2\pi(n+k)/n
je

\right)\end{align}

However, FFT can also be used as a NTT (number theoretic transformation) in Schönhage–Strassen. This means that we have to use to generate numbers in a finite field (for example

GF(2n+1)

).

A root of unity under a finite field, is an element a such that

\thetar-1\equiv1

or

\thetar\equiv\theta

. For example, where is a prime number, gives

\{1,2,\ldots,p-1\}

.

Notice that

2n\equiv-1

in

\operatorname{GF}(2n+1)

and

\sqrt{2}\equiv-1

in

\operatorname{GF}(2n+2+1)

. For these candidates,

\thetaN\equiv-1

under its finite field, and therefore act the way we want .

Same FFT algorithms can still be used, though, as long as is a root of unity of a finite field.

To find FFT/NTT transform, we do the following:

\begin{align} Ck'&=\hat{f}(k)=\hat{f}\left(\theta-k\left(\sum(i,j):i+j=kaib

k
j\theta

+\sum(i,j):i+j=k+naib

n+k
j\theta

\right)\right)\\[6pt] Ck+k'&=\hat{f}(k+k)=\hat{f}\left(\sum(i,j):i+j=2kaibj\thetak+\sum(i,j):i+j=n+2kaibj\thetan+k\right)\\[6pt] &=\hat{f}\left(\sum(i,j):i+j=2kaibj\thetak+\sum(i,j):i+j=2k+naibj\thetan+k\right)\\[6pt] &=\hat{f}\left(Ak\right)\bullet\hat{f}(Bk)+\hat{f}(Ak)\bullet\hat{f}(Bk) \end{align}

First product gives contribution to

ck

, for each . Second gives contribution to

ck

, due to

(i+j)

mod

N(n)

.

To do the inverse:

Ck=2-m\hat{f-1

} (\theta^ C_') or

Ck=\hat{f-1

}(\theta^ C_') depending whether data needs to be normalized.

One multiplies by

2-m

to normalize FFT data into a specific range, where
1
n

\equiv2-m\bmodN(n)

, where is found using the modular multiplicative inverse.

Implementation details

Why N = 2 + 1 mod N

In Schönhage–Strassen algorithm,

N=2M+1

. This should be thought of as a binary tree, where one have values in

0\leindex\le2M=2i+j

. By letting

K\in[0,M]

, for each one can find all

i+j=K

, and group all

(i,j)

pairs into M different groups. Using

i+j=k

to group

(i,j)

pairs through convolution is a classical problem in algorithms.[9]

Having this in mind,

N=2M+1

help us to group

(i,j)

into
M
2k

groups for each group of subtasks in depth in a tree with

N=

M
2k
2

+1

Notice that

N=2M+1=

2L
2

+1

, for some L. This makes N a Fermat number. When doing mod

N=2M+1=

2L
2

+1

, we have a Fermat ring.

Because some Fermat numbers are Fermat primes, one can in some cases avoid calculations.

There are other N that could have been used, of course, with same prime number advantages. By letting

N=2k-1

, one have the maximal number in a binary number with

k+1

bits.

N=2k-1

is a Mersenne number, that in some cases is a Mersenne prime. It is a natural candidate against Fermat number

N=

2L
2

+1

In search of another N

Doing several mod calculations against different, can be helpful when it comes to solving integer product. By using the Chinese remainder theorem, after splitting into smaller different types of, one can find the answer of multiplication [10]

Fermat numbers and Mersenne numbers are just two types of numbers, in something called generalized Fermat Mersenne number (GSM); with formula:[11]

Gq,p,n=

p
\sum
i=1

q(p-i)n=

qpn-1
qn-1

Mp,n=G2,p,n

In this formula,

M
2,2k

is a Fermat number, and

Mp,1

is a Mersenne number.

This formula can be used to generate sets of equations, that can be used in CRT (Chinese remainder theorem):[12]

(Mp,n-1)
2
g

\equiv-1\pmod{Mp,n

}, where is a number such that there exists an where

x2\equivg\pmod{Mp,n

}, assuming

N=2n

Furthermore;

2(p-1)n-1
g

\equiv

2n-1
a

\pmod{Mp,n

}, where is an element that generates elements in

\{1,2,4,...2n-1,2n\}

in a cyclic manner.

If

N=2t

, where

1\let\len

, then

gt=

(2n-1)2n-t
a

.

How to choose K for a specific N

The following formula is helpful, finding a proper (number of groups to divide bits into) given bit size by calculating efficiency :[13]

E=

2N+k
K
n

is bit size (the one used in

2N+1

) at outermost level. gives
N
K

groups of bits, where

K=2k

.

is found through and by finding the smallest, such that

2N/K+k\len=K2x

If one assume efficiency above 50%,

n
2

\le

2N
K

,K\len

and is very small compared to rest of formula; one get

K\le2\sqrt{N}

This means: When something is very effective; is bound above by

2\sqrt{N}

or asymptotically bound above by

\sqrt{N}

Pseudocode

Following alogithm, the standard Modular Schönhage-Strassen Multiplication algorithm (with some optimizations), is found in overview through [14]

Further study

For implemantion details, one can read the book Prime Numbers: A Computational Perspective.[15] This variant differs somewhat from Schönhage's original method in that it exploits the discrete weighted transform to perform negacyclic convolutions more efficiently. Another source for detailed information is Knuth's The Art of Computer Programming.[16]

Optimizations

This section explains a number of important practical optimizations, when implementing Schönhage–Strassen.

Use of other multiplications algorithm, inside algorithm

Below a certain cutoff point, it's more efficient to use other multiplication algorithms, such as Toom–Cook multiplication.[17]

Square root of 2 trick

The idea is to use

\sqrt{2}

as a root of unity of order

2n+2

in finite field

GF(2n+2+1)

(it is a solution to equation
2n+2
\theta

\equiv1\pmod{2n+2+1}

), when weighting values in NTT (number theoretic transformation) approach. It has been shown to save 10% in integer multiplication time.[18]

Granlund's trick

By letting

m=N+h

, one can compute

uv\bmod{2N+1}

and

(u\bmod{2h})(v\bmod2h)

. In combination with CRT (Chinese Remainder Theorem) to find exact values of multiplication [19]

Notes and References

  1. Schönhage . Arnold . Arnold Schönhage . Strassen . Volker . Volker Strassen . 1971 . Schnelle Multiplikation großer Zahlen . de . Fast multiplication of large numbers . Computing . 7 . 3–4 . 281–292 . 10.1007/BF02242355 . 9738629 .
  2. Karatsuba multiplication has asymptotic complexity of about

    O(n1.58)

    and Toom–Cook multiplication has asymptotic complexity of about

    O(n1.46).

    Rodney . Van Meter . Kohei M. . Itoh . Fast Quantum Modular Exponentiation . Physical Review . 71 . 2005 . 5 . 052320. 10.1103/PhysRevA.71.052320 . quant-ph/0408006 . 2005PhRvA..71e2320V . 14983569 . A discussion of practical crossover points between various algorithms can be found in: Overview of Magma V2.9 Features, arithmetic section Luis Carlos Coronado García, " Can Schönhage multiplication speed up the RSA encryption or decryption? Archived", University of Technology, Darmstadt (2005)The GNU Multi-Precision Library uses it for values of at least 1728 to 7808 64-bit words (33,000 to 150,000 decimal digits), depending on architecture. See:Web site: FFT Multiplication (GNU MP 6.2.1). 2021-07-20. gmplib.org. Web site: MUL_FFT_THRESHOLD. GMP developers' corner. 3 November 2011. dead. https://web.archive.org/web/20101124062232/http://gmplib.org/devel/MUL_FFT_THRESHOLD.html. 24 November 2010. Web site: MUL_FFT_THRESHOLD. 2021-07-20. gmplib.org.
  3. Fürer's algorithm has asymptotic complexity O\bigl(n \cdot \log n \cdot 2^\bigr).Fürer . Martin . 2007 . Faster Integer Multiplication . Proc. STOC '07 . Symposium on Theory of Computing, San Diego, Jun 2007 . 57–66 . dead . https://web.archive.org/web/20070305200654id_/http://www.cse.psu.edu/~furer/Papers/mult.pdf . 2007-03-05 . Fürer . Martin . 2009 . Faster Integer Multiplication . SIAM Journal on Computing . 39 . 3 . 979–1005 . 10.1137/070711761 . 0097-5397. Fürer's algorithm is used in the Basic Polynomial Algebra Subprograms (BPAS) open source library. See: Book: Covanov . Svyatoslav . Mohajerani . Davood . Moreno Maza . Marc . Wang . Linxiao . Proceedings of the 2019 on International Symposium on Symbolic and Algebraic Computation . Big Prime Field FFT on Multi-core Processors . 2019-07-08 . https://dl.acm.org/doi/10.1145/3326229.3326273 . en . Beijing China . ACM . 106–113 . 10.1145/3326229.3326273 . 978-1-4503-6084-5. 195848601 .
  4. Harvey . David . van der Hoeven . Joris . Joris van der Hoeven . 10.4007/annals.2021.193.2.4 . 2 . . 4224716 . 563–617 . Second Series . Integer multiplication in time

    O(nlogn)

    . 193 . 2021. 109934776 .
  5. This method is used in INRIA's ECM library.
  6. Web site: ECMNET . 2023-04-09 . members.loria.fr.
  7. Web site: Becker . Hanno . Hwang . Vincent . J. Kannwischer . Matthias . Panny . 2022. Lorenz . Efficient Multiplication of Somewhat Small Integers using Number-Theoretic Transforms .
  8. Web site: Lüders . 2014. 26. Christoph . Fast Multiplication of Large Integers: Implementation and Analysis of the DKSS Algorithm .
  9. Book: Kleinberg . Jon . Tardos . Eva . Algorithm Design . 2005 . Pearson . 0-321-29535-8 . 237 . 1.
  10. Web site: Gaudry . Pierrick . Alexander . Kruppa . Paul . Zimmermann . A GMP-based implementation of Schönhage-Strassen's large integer multiplication algorithm . 6 . 2007.
  11. Web site: S. Dimitrov . Vassil . V. Cooklev . Todor . D. Donevsky . 2. 1994. Borislav . Generalized Fermat-Mersenne Number Theoretic Transform .
  12. Web site: S. Dimitrov . Vassil . V. Cooklev . Todor . D. Donevsky . 3. 1994. Borislav . Generalized Fermat-Mersenne Number Theoretic Transform .
  13. Web site: Gaudry . Pierrick . Kruppa . Alexander . Zimmermann . Paul . A GMP-based Implementation of Schönhage-Strassen's Large Integer Multiplication Algorithm . 2 . 2007.
  14. Web site: 2014 . 28 . Lüders . Christoph . Fast Multiplication of Large Integers: Implementation and Analysis of the DKSS Algorithm .
  15. R. Crandall & C. Pomerance. Prime Numbers – A Computational Perspective. Second Edition, Springer, 2005. Section 9.5.6: Schönhage method, p. 502.
  16. Book: Knuth, Donald E. . . 1997 . 2: Seminumerical Algorithms . 3rd . Addison-Wesley . 0-201-89684-2 . § 4.3.3.C: Discrete Fourier transforms . 305–311 . https://archive.org/details/artofcomputerpro0002knut_u2o0/page/305/ .
  17. Web site: Gaudry . Pierrick . Kruppa . Alexander . Zimmermann . Paul . 7. 2007. A GMP-based implementation of Schönhage-Strassen's large integer multiplication algorithm .
  18. Web site: Gaudry . Pierrick . Kruppa . Alexander . 6 . 2007 . Zimmermann . Paul . A GMP-based implementation of Schönhage-Strassen's large integer multiplication algorithm .
  19. Web site: Gaudry . Pierrick . Kruppa . 6. 2007. Alexander . Zimmermann . Paul . A GMP-based implementation of Schönhage-Strassen's large integer multiplication algorithm .

This article is licensed under the GNU Free Documentation License. It uses material from the Wikipedia article "Schönhage–Strassen algorithm".

Except where otherwise indicated, Everything.Explained.Today is © Copyright 2009-2025, A B Cryer, All Rights Reserved. Cookie policy.