User:Vincent B. Hwang/sandbox

In modular arithmetic, Barrett reduction is a reduction algorithm introduced in 1986 by P.D. Barrett.

A naive way of computing


 * $$c = a \,\bmod\, n \, $$

would be to use a fast division algorithm. Barrett reduction is an algorithm designed to optimize this operation assuming $$n$$ is constant, and $$a<n^2$$, replacing divisions by multiplications.

Historically, for values $$a, b < n$$, one computed $$a b \, \bmod\, n \, $$ by applying Barrett reduction to the full product $$a b $$. Recently, it was shown that the full product is unnecessary if we can perform precomputation on one of the operands .

General idea
We call a function $$\left[ \, \right]: \mathbb{R} \to \mathbb{Z}$$ an integer approximation if $$|\left[z\right] - z| \leq 1$$. For a modulus $$n$$ and an integer approximation $$\left[\,\right]$$, we define $$\text{mod}^{\left[\,\right]} \, n: \mathbb{Z} \to (\mathbb{Z}/n\mathbb{Z}) $$ as


 * $$ a \, \text{mod}^{\left[\,\right]} \, n = a - \left[a / n\right] n $$.

Common choices of $$\left[\,\right]$$ are floor, ceiling, and rounding functions.

Generally, Barrett multiplication starts by specifying two integer approximations $$\left[\,\right]_0, \left[\,\right]_1$$ and computes a reasonably close approximation of $$ab \, \bmod \, n$$ as


 * $$ a b - \left[ \frac{a \, \left[ \frac{b R}{n} \right]_0 }{R} \right]_1 n$$.

The case $$b = 1$$ was introduced by P.D. Barrett for the floor-function case $$\left[\,\right]_0 = \left[\,\right]_1 = \lfloor \, \rfloor$$. The general case for $$b$$ was found in NTL. The integer approximation view and the correspondence between Montgomery multiplication and Barrett multiplication was discovered by Hanno Becker, Vincent Hwang, Matthias J. Kannwischer, Bo-Yin Yang, and Shang-Yi Yang.

Single-word Barrett reduction
Barrett initially considered an integer version of the above algorithm when the values fit into machine words. We illustrate the idea for the floor-function case.

When calculating $$a \,\bmod\, n$$ for unsigned integers, the obvious analog would be to use division by $$n$$:

However, division can be expensive and, in cryptographic settings, may not be a constant-time instruction on some CPUs. Thus Barrett reduction approximates $$1/n$$ with a value $$m/2^k$$ because division by $$2^k$$ is just a right-shift, and so it is cheap.

In order to calculate the best value for $$m$$ given $$2^k$$ consider:


 * $$\frac{m}{2^k} = \frac{1}{n} \;\Longleftrightarrow\; m = \frac{2^k}{n}$$

For $$m$$ to be an integer, we need to round $${2^k}/{n}$$ somehow. Rounding to the nearest integer will give the best approximation but can result in $$m/2^k$$ being larger than $$1/n$$, which can cause underflows. Thus $$m = \lfloor {2^k}/{n} \rfloor$$ is used for unsigned arithmetic.

Thus we can approximate the function above with the following:

However, since $$m/2^k \le 1/n$$, the value of  in that function can end up being one too small, and thus   is only guaranteed to be within $$[0, 2n)$$ rather than $$[0, n)$$ as is generally required. A conditional subtraction will correct this:

Single-word Barrett multiplication
Suppose $$b$$ is known in prior. This allows us to precompute $$\left\lfloor \frac{b R}{n} \right\rfloor$$ before accessing to $$a$$. Barrett multiplication computes $$a b$$, approximates the high part of $$a b$$ with $$ \left\lfloor \frac{a \left\lfloor \frac{b R}{n} \right\rfloor}{R} \right\rfloor \, n $$, and subtracts the approximation. Since $$\left\lfloor \frac{a \left\lfloor \frac{b R}{n} \right\rfloor}{R} \right\rfloor \, n$$ is a multiple of $$n$$, the resulting value $$a b - \left\lfloor \frac{a \left\lfloor \frac{b R}{n} \right\rfloor}{R} \right\rfloor \, n$$ is a representative of $$a b \, \bmod \, n$$.

Correspondence between Barrett and Montgomery multiplications
Recall that unsigned Montgomery multiplication computes a representative of $$a b \, \bmod \, n$$ as

\frac{a \left(b R \, \bmod \, n \right) + \left( a \left( - b R \, \bmod \, n \right) n^{-1} \, \bmod \, R \right) n}{R} $$.

In fact, this value is equal to $$a b - \left\lfloor \frac{a \left\lfloor \frac{b R}{n} \right\rfloor}{R} \right\rfloor \, n$$.

We prove the claim as follows.

\begin{align} & & & a b - \left\lfloor \frac{a \left\lfloor \frac{b R}{n} \right\rfloor}{R} \right\rfloor \, n \\ & = & & a b - \frac{a \left\lfloor \frac{bR}{n} \right\rfloor - \left( a \left\lfloor \frac{bR}{n} \right\rfloor \, \bmod \, R \right) }{R} \, n \\ & = & & \left( \frac{a b R}{n} - a \left\lfloor \frac{bR}{n} \right\rfloor + \left( a \left\lfloor \frac{bR}{n} \right\rfloor \, \bmod \, R \right) \right) \frac{n}{R} \\ & = & & \left( \frac{a b R}{n} - a \frac{bR - \left(b R \, \bmod \, n \right)}{n} + \left( a \left\lfloor \frac{bR}{n} \right\rfloor \, \bmod \, R \right) \right) \frac{n}{R} \\ & = & & \left( \frac{a \left(b R \, \bmod \, n \right)}{n} + \left( a \left\lfloor \frac{bR}{n} \right\rfloor \, \bmod \, R \right) \right) \frac{n}{R} \\ & = & & \left( \frac{a \left(b R \, \bmod \, n \right)}{n} + \left( a \left( - b R \, \bmod \, n \right) n^{-1} \, \bmod \, R \right) \right) \frac{n}{R} \\ & = & & \frac{a \left(b R \, \bmod \, n \right) + \left( a \left( - b R \, \bmod \, n \right) n^{-1} \, \bmod \, R \right) n}{R}. \end{align} $$

Generally, for integer approximations $$\left[\,\right]_0, \left[\,\right]_1$$, we have



a b - \left[ \frac{a \, \left[ \frac{b R}{n} \right]_0 }{R} \right]_1 \, n = \frac{a \left( b R \, \text{mod}^{\left[\,\right]_0} \, n \right) + \left( a \left( - b R \, \text{mod}^{\left[\,\right]_0} \, q \right) n^{-1} \, \text{mod}^{\left[\,\right]_1} \, R \right) n}{R} $$.

Range of Barrett multiplication
We bound the output with $$ a b - \left\lfloor \frac{a \left\lfloor \frac{b R}{n} \right\rfloor}{R} \right\rfloor \, n = \frac{a \left(b R \, \bmod \, n \right) + \left( a \left( - b R \, \bmod \, n \right) n^{-1} \, \bmod \, R \right) n}{R} \leq \frac{a n + R n}{R} = n \left(1 + \frac{a}{R}\right) $$.

Similar bounds hold for other kinds of integer approximation functions. For example, if we choose $$\left[\,\right]_0 = \left[\,\right]_1 = \left\lfloor\,\right\rceil$$, the rounding half up function, then we have

\left| a b - \left\lfloor \frac{a \left\lfloor \frac{b R}{n} \right\rceil}{R} \right\rceil \, n \right| = \left| \frac{a \left(b R \, \text{mod}^{\pm} \, n \right) + \left( a \left( - b R \, \text{mod}^{\pm} \, n \right) n^{-1} \, \text{mod}^{\pm} \, R \right) n}{R} \right| \leq \left| \frac{a \frac{n}{2} + \frac{R}{2} n}{R} \right| = \frac{n}{2} \left(1 + \frac{a}{R} \right). $$

Multi-word Barrett reduction
Barrett's primary motivation for considering reduction was the implementation of RSA, where the values in question will almost certainly exceed the size of a machine word. In this situation, Barrett provided an algorithm that approximates the single-word version above but for multi-word values. For details see section 14.3.3 of the Handbook of Applied Cryptography.

Barrett algorithm for polynomials
It is also possible to use Barrett algorithm for polynomial division, by reversing polynomials and using X-adic arithmetic.