In modular arithmetic, Barrett reduction is a reduction algorithm introduced in 1986 by P.D. Barrett.[1]
A naive way of computing
c=a\bmodn
would be to use a fast division algorithm. Barrett reduction is an algorithm designed to optimize this operation assuming
n
a<n2
Historically, for values
a,b<n
ab\bmodn
ab
We call a function
\left[\right]:R\toZ
|\left[z\right]-z|\leq1
n
\left[\right]
mod\left[\right]n:Z\to(Z/nZ)
amod\left[\right]n=a-\left[a/n\right]n
\left[\right]
Generally, Barrett multiplication starts by specifying two integer approximations
\left[\right]0,\left[\right]1
ab\bmodn
ab-\left[
| ||||||
| R |
\right]1n
where
R
R
The case
b=1
\left[\right]0=\left[\right]1=\lfloor\rfloor
b
Barrett initially considered an integer version of the above algorithm when the values fit into machine words.We illustrate the idea for the floor-function case with
b=1
R=2k
When calculating
a\bmodn
n
However, division can be expensive and, in cryptographic settings, might not be a constant-time instruction on some CPUs, subjecting the operation to a timing attack. Thus Barrett reduction approximates
1/n
m/2k
2k
In order to calculate the best value for
m
2k
| m | |
| 2k |
=
| 1 | |
| n |
\Longleftrightarrow m=
| 2k | |
| n |
For
m
{2k}/{n}
m/2k
1/n
m=\lfloor{2k}/{n}\rfloor
Thus we can approximate the function above with the following:
However, since
m/2k\le1/n
q in that function can end up being one too small, and thus a is only guaranteed to be within [0,2n)
[0,n)
Suppose
b
\left\lfloor
| bR | |
| n |
\right\rfloor
a
ab
ab
\left\lfloor
| ||||||
| R |
\right\rfloorn
\left\lfloor
| ||||||
| R |
\right\rfloorn
n
ab-\left\lfloor
| ||||||
| R |
\right\rfloorn
ab\bmodn
Recall that unsigned Montgomery multiplication computes a representative of
ab\bmodn
| a\left(bR\bmodn\right)+\left(a\left(-bR\bmodn\right)n-1\bmodR\right)n | |
| R |
In fact, this value is equal to
ab-\left\lfloor
| ||||||
| R |
\right\rfloorn
We prove the claim as follows.
\begin{align} &&& ab-\left\lfloor
| ||||||
| R |
\right\rfloorn\\ &=&& ab-
| |||||||||
| R |
n\\ &=&& \left(
| abR | |
| n |
-a\left\lfloor
| bR | |
| n |
\right\rfloor+\left(a\left\lfloor
| bR | |
| n |
\right\rfloor\bmodR\right)\right)
| n | |
| R |
\\ &=&& \left(
| abR | |
| n |
-a
| bR-\left(bR\bmodn\right) | |
| n |
+\left(a\left\lfloor
| bR | |
| n |
\right\rfloor\bmodR\right)\right)
| n | |
| R |
\\ &=&& \left(
| a\left(bR\bmodn\right) | |
| n |
+\left(a\left\lfloor
| bR | |
| n |
\right\rfloor\bmodR\right)\right)
| n | |
| R |
\\ &=&& \left(
| a\left(bR\bmodn\right) | |
| n |
+\left(a\left(-bR\bmodn\right)n-1\bmodR\right)\right)
| n | |
| R |
\\ &=&&
| a\left(bR\bmodn\right)+\left(a\left(-bR\bmodn\right)n-1\bmodR\right)n | |
| R |
. \end{align}
Generally, for integer approximations
\left[\right]0,\left[\right]1
ab-\left[
| ||||||
| R |
\right]1n =
| |||||||||||||||
| R |
We bound the output with
ab-\left\lfloor
| ||||||
| R |
\right\rfloorn =
| a\left(bR\bmodn\right)+\left(a\left(-bR\bmodn\right)n-1\bmodR\right)n | \leq | |
| R |
| an+Rn | |
| R |
= n\left(1+
| a | |
| R |
\right)
Similar bounds hold for other kinds of integer approximation functions.For example, if we choose
\left[\right]0=\left[\right]1=\left\lfloor\right\rceil
\left|ab-\left\lfloor
| ||||||
| R |
\right\rceiln\right| =\left|
| a\left(bRmod\pmn\right)+\left(a\left(-bRmod\pmn\right)n-1mod\pmR\right)n | |
| R |
\right| \leq\left|
| \right| = | |||||||||
| R |
| n | |
| 2 |
\left(1+
| |a| | |
| R |
\right).
Barrett's primary motivation for considering reduction was the implementation of RSA, where the values in question will almost certainly exceed the size of a machine word. In this situation, Barrett provided an algorithm that approximates the single-word version above but for multi-word values. For details see section 14.3.3 of the Handbook of Applied Cryptography.[3]
It is also possible to use Barrett algorithm for polynomial division, by reversing polynomials and using X-adic arithmetic.[4]