Prime Numbers

496 Chapter 9 FAST ALGORITHMS FOR LARGE-INTEGER ARITHMETIC
}
carry = ⌊v/B⌋;
8. [Final modular adjustment]
Include possible carry > 0 as a high digit of z;
z = z mod Fn;
// Via another ’carry’ loop or via special-form mod methods.
return z;
Note that in the steps [Adjust carry in base B] and [Final modular
adjustment] the logic depends on the digits of the reconstructed integer z
being positive. We say this because there are efficient variants using balanceddigit
representation, in which variants care must be taken to interpret negative
digits (and negative carry) correctly.
This algorithm was used in the discoveries of new factors of F13,F15,F16,
and F18 [Brent et al. 2000] (see the Fermat factor tabulation in Section
1.3.2), and also to establish the composite character of F22, F24, and of
various cofactors for other Fn [Crandall et al. 1995], [Crandall et al. 1999]. In
more recent times, [Woltman 2000] has implemented the algorithm to forge
highly efficient factoring software for Fermat numbers (see remarks following
Algorithm 7.4.4).
Another DWT variant has been used in the discovery of eight Mersenne
primes 2 1398269 −1, 2 2976221 −1, 2 3021377 −1, 2 6972593 −1, 2 13466917 −1, 2 20996011 −
1, 2 24036583 −1, 2 25964951 −1 (see Table 1.2), the last of which being the largest
known explicit prime as of the present writing. For these discoveries, a network
of volunteer users ran extensive Lucas–Lehmer tests that involve vast numbers
of squarings modulo p =2 q − 1. The algorithm variant in question has been
called the irrational-base discrete weighted transform (IBDWT) [Crandall and
Fagin 1994], [Crandall 1996a] for the reason that a special digit representation
reminiscent of irrational-base expansion is used, which representation amounts
to a discrete rendition of an attempt to expand in an irrational base. Let
p =2 q − 1 and observe first that if an integer x be represented in base B =2
as
q−1
x = xj2 j ,
j=0
equivalently, x is the length-q signal (xj); and similarly for an integer y, then
the cyclic convolution x×y has, without carry, the digits of (xy) modp. Thus,
in principle, the standard FFT multiply could be effected in this way, modulo
Mersenne primes, without zero-padding. However, there are two problems with
this approach. First, the arithmetic is merely bitwise, not exploiting typical
machine advantages of word arithmetic. Second, one would have to invoke a
length-q FFT. This can certainly be done (see Exercises), but power-of-two
lengths are usually more efficient, definitely more prevalent.
It turns out that both of the obstacles to a not-zero-padded Mersenne
multiply-mod can be overcome, if only we could somehow represent integers
x in the irrational base B =2 q/D ,with1