Solinas prime explained

In mathematics, a Solinas prime, or generalized Mersenne prime, is a prime number that has the form

f(2^m)

, where

f(x)

is a low-degree polynomial with small integer coefficients.^[1] ^[2] These primes allow fast modular reduction algorithms and are widely used in cryptography. They are named after Jerome Solinas.

This class of numbers encompasses a few other categories of prime numbers:

Mersenne primes, which have the form

2^k-1

Crandall or pseudo-Mersenne primes, which have the form

2^k-c

for small odd

.^[3]

Modular reduction algorithm

Let

f(t)=t^d-c_d-1t^d-1-...-c₀

be a monic polynomial of degree

with coefficients in

and suppose that

p=f(2^m)

is a Solinas prime. Given a number

n<p²

with up to

2md

bits, we want to find a number congruent to

mod

with only as many bits as

– that is, with at most

bits.

First, represent

in base

2^m

	2d-1
\sum
	j=0

	mj
A
	j2

Next, generate a

-by-

matrix

X=(X_i,j)

by stepping

times the linear-feedback shift register defined over

by the polynomial

: starting with the

-integer register

[0|0|...|0|1]

, shift right one position, injecting

on the left and adding (component-wise) the output value times the vector

[c_0,...,c_d-1]

at each step (see [1] for details). Let

X_i,j

be the integer in the

th register on the

th step and note that the first row of

is given by

(X_0,j)=[c_0,...,c_d-1]

. Then if we denote by

B=(B_i)

the integer vector given by:

(B₀...B_d-1)=(A₀...A_d-1)+(A_d...A_2d-1)X

it can be easily checked that:

	d-1
\sum
	j=0

	mj
B
	j2

	2d-1
\equiv\sum
	j=0

	mj
A
	j2

\modp

Thus

represents an

-bit integer congruent to

For judicious choices of

(again, see [1]), this algorithm involves only a relatively small number of additions and subtractions (and no divisions!), so it can be much more efficient than the naive modular reduction algorithm (

n-p ⋅ (n/p)

Examples

Four of the recommended primes in NIST's document "Recommended Elliptic Curves for Federal Government Use" are Solinas primes:

p-192

2¹⁹²-2⁶⁴-1

p-224

2²²⁴-2⁹⁶+1

p-256

2²⁵⁶-2²²⁴+2¹⁹²+2⁹⁶-1

p-384

2³⁸⁴-2¹²⁸-2⁹⁶+2³²-1

Curve448 uses the Solinas prime

2⁴⁴⁸-2²²⁴-1.

Notes and References

Jerome A. . Solinas . Generalized Mersenne Numbers . CORR-99-39 . Center for Applied Cryptographic Research, University of Waterloo . 1999 .
Book: Solinas, Jerome A.. Encyclopedia of Cryptography and Security. limited. Henk C. A. van. Tilborg. Sushil. Jajodia. 2011. Springer US. 509–510. 10.1007/978-1-4419-5906-5_32. Generalized Mersenne Prime. 978-1-4419-5905-8.
US . 5159632 . patent . Method and apparatus for public key exchange in a cryptographic system . 1992-10-27 . 1991-09-17 . Richard E. Crandall . NeXT Computer, Inc. .

Solinas prime explained

Modular reduction algorithm

Examples

See also

Notes and References