Barrett reduction algorithm for model evaluation

Barrett Reduction is a method of reducing a number modulo another number. Barrett reduction, when used to reduce a single number, is slower than a normal divide algorithm. However, by precomputing some values, one can easily far exceed the speed of the normal modular reductions.

Because Barrett Reduction's benefits was most visible when it was used to reduce various numbers modulo a single number man Y times, for example, when doing modular exponentiation. Barrett reduction is not a particularly useful when used with small numbers (+ or + bits); It's benefits occur when using numbers that is implemented by multiple precision arithmetic libraries, such as when imple Menting the RSA cryptosystem, which uses modular exponentiation with large (> bits) numbers, to encrypt and decrypt.

So, how does it? First, keep in mind the following Restriction:barrett Reduction can only reduce numbers that is, at most, twice as long (in words) as the modulus. thats computer words; Usually these is-a-bits long (for example on x86 and PowerPC machines), and sometimes bits (as on the Alpha, ultras PARC, and MIPS R10000).

Some modulus, called M, which is K words long (numbered k-1 ... 0, with 0 being the least significant word). First, pre-calculate the value:

Mu = Floor (b^k/m)

where B is the "base" of the integers used. For example, if you represented the numbers as a sequence of 32-bit values, and B is 2^32, or 0x100000000. You'll keep this value mu across function calls (probably stored in a structure somewhere) so you can reuse it.

Now, given a number x, which are an arbitrary integer of size (in most) 2k words (2k-1 ... 0), this procedure (in pseudocode) would return the value of x mod m:

Q1 = Floor (x/b^ (k-1))

Q2 = Q1 * MU

Q3 = Floor (q2/b^ (k+1))

R1 = x mod b^ (k+1)

r2 = (Q3 * m) mod b^ (k+1)

r = R1-r2

if (R < 0)

R = r + b^ (k+1)

while (R >= m)

r = R-m

Return r

Note the divisions and modular reductions in this procedure can is replaced by right shifts and and operations (RESPE ctively) if (and only if) B are a power of 2 (which, by far, 'll be the most common choice). This results in the remaining operations being addition and multiplication, both of which is much cheaper than division F or multiple precision integers.

This algorithm are also specified in the Handbook of Applied Cryptography (good book!), and are implemented by some crypto L Ibraries. Another method of doing fast modular reductions is Montgomery Reduction.