Prime Numbers

9.5 Large-integer multiplication 503
if(Cj > (j + 1)22M ) Cj = Cj − (2n′ +1);
} // Cj now possibly negative.
9. [Composition]
Perform carry operations as in steps [Adjust carry in base B] forB =2 M
(the original decomposition base) and [Final modular adjustment] of
Algorithm 9.5.17 to return the desired sum:
xy mod (2 n +1)= D−1
j=0 Cj2 jM mod (2 n +1);
Note that in the [Decomposition] step, AD−1 or BD−1 may equal 2 M and
have M + 1 bits in the case where x or y equal 2 n . In Step [Prepare
DWT ...], each multiply can be done using shifts and subtractions only, as
2n′ ≡−1( mod 2n′ +1). In Step [Dyadic stage], one can use any multiplication
algorithm, for example a grammar-school stage, Karatsuba algorithm, or this
very Schönhage algorithm recursively. In Step [Normalization], the divisions
by a power of two again can be done using shifts and subtractions only. Thus
the only multiplication per se is in Step [Dyadic stage], and this is why the
method can attain, in principle, such low complexity. Note also that the two
FFTs required for the negacyclic result signal C can be performed in the order
DIF, DIT, for example by using parts of Algorithm 9.5.5 in proper order, thus
obviating the need for any bit-scrambling procedure.
As it stands, Algorithm 9.5.23 will multiply two integers modulo any
Fermat number, and such application is an important one, as explained in
other sections of this book. For general multiplication of two integers x and
y, one may call the Schönhage algorithm with n ≥⌈lg x⌉ + ⌈lg y⌉, and zeropadding
x, y accordingly, whence the product xy mod 2n +1 equals the integer
product. (In a word, the negacyclic convolution of appropriately zero-padded
sequences is the acyclic convolution—the product in essence. ) In practice,
Schönhage suggests using what he calls “suitable numbers,” i.e., n = ν2k with k − 1 ≤ ν ≤ 2k − 1. For example, 688128 = 21 · 215 is a suitable number.
Such numbers enjoy the property that if k = ⌈n/2⌉ +1, then n ′ = ⌈ ν+1
2 ⌉2k
is also a suitable number; here we get indeed n ′ =11· 2 8 = 2816. Of course,
one loses a factor of two initially with respect to modular multiplication, but
in the recursive calls all computations are performed modulo some 2 M +1, so
the asymptotic complexity is still that reported in Section 9.5.8.
9.5.7 Nussbaumer method
It is an important observation that a cyclic convolution of some even length
D can be cast in terms of a pair of convolutions, a cyclic and a negacyclic,
each of length D. The relevant identity is
2(x × y) =[(u+ × v+)+(u− ×− v−)] ∪ [(u+ × v+) − (u− ×− v−)], (9.36)
where u, v signals depend in turn on half-signals:
u± = L(x) ± H(x),
v± = L(y) ± H(y).