Solinas prime

In mathematics, a Solinas prime, or generalized Mersenne prime, is a prime number that has the form $f(2^{m})$ , where $f(x)$ is a low-degree polynomial with small integer coefficients.^[1]^[2] These primes allow fast modular reduction algorithms and are widely used in cryptography. They are named after Jerome Solinas.

This class of numbers encompasses a few other categories of prime numbers:

Mersenne primes, which have the form $2^{k}-1$ ,
Crandall or pseudo-Mersenne primes, which have the form $2^{k}-c$ for small odd $c$ ,^[3] including $c=$ 3 (sequence A050414 in the OEIS), 5 (sequence A059608 in the OEIS), 7 (sequence A059609 in the OEIS), 9 (sequence A059610 in the OEIS), etc.

Modular reduction algorithm

Let $f(t)=t^{d}-c_{d-1}t^{d-1}-...-c_{0}$ be a monic polynomial of degree $d$ with coefficients in $\mathbb {Z}$ and suppose that $p=f(2^{m})$ is a Solinas prime. Given a number $n<p^{2}$ with up to $2md$ bits, we want to find a number congruent to $n$ mod $p$ with only as many bits as $p$ – that is, with at most $md$ bits.

First, represent $n$ in base $2^{m}$ :

n=\sum _{j=0}^{2d-1}A_{j}2^{mj}

Next, generate a $d$ -by- $d$ matrix $X=(X_{i,j})$ by stepping $d$ times the linear-feedback shift register defined over $\mathbb {Z}$ by the polynomial $f$ : starting with the $d$ -integer register $[0|0|...|0|1]$ , shift right one position, injecting $0$ on the left and adding (component-wise) the output value times the vector $[c_{0},...,c_{d-1}]$ at each step (see [1] for details). Let $X_{i,j}$ be the integer in the $j$ th register on the $i$ th step and note that the first row of $X$ is given by $(X_{0,j})=[c_{0},...,c_{d-1}]$ . Then if we denote by $B=(B_{i})$ the integer vector given by:

(B_{0}...B_{d-1})=(A_{0}...A_{d-1})+(A_{d}...A_{2d-1})X

,

it can be easily checked that:

\sum _{j=0}^{d-1}B_{j}2^{mj}\equiv \sum _{j=0}^{2d-1}A_{j}2^{mj}\mod p

.

Thus $B$ represents an $md$ -bit integer congruent to $n$ .

For judicious choices of $f$ (again, see [1]), this algorithm involves only a relatively small number of additions and subtractions (and no divisions!), so it can be much more efficient than the naive modular reduction algorithm ( $n-p\cdot (n/p)$ ).

Examples

In 1999, NIST recommended four Solinas primes as moduli for elliptic curve cryptography:^[4]

curve p-192 uses modulus $2^{192}-2^{64}-1$
curve p-224 uses modulus $2^{224}-2^{96}+1$
curve p-256 uses modulus $2^{256}-2^{224}+2^{192}+2^{96}-1$
curve p-384 uses modulus $2^{384}-2^{128}-2^{96}+2^{32}-1$ .

A newer Curve448 uses modulus $2^{448}-2^{224}-1$ .

A Solinas prime that fits into a typical 64-bit unsigned integer is $2^{64}-2^{32}+1$ , it is $\Phi _{192}(2)$ where $\Phi$ is the cyclotomic polynomial, thus it is a unique prime in base 2 (with period length 192). This size is too small for cryptography, but finds use in implementing a number-theoretic transform for efficient multiplication of large numbers.^[5]

A complete list of $f(2^{k})=2^{m}-2^{n}\pm 1$ with $m\leq 2000$ , a small modular reduction weight $wt<15$ , and $k=8,16,32,64$ (i.e. multiples of a computer word size) was produced by José de Jesús Angel Angel and Guillermo Morales-Luna in 2010.^[6]

The Curve25519 uses $2^{255}-19$ , which has also been called pseudo-Mersenne.^[7]

References

^ Solinas, Jerome A. (1999). Generalized Mersenne Numbers (PDF) (Technical report). Center for Applied Cryptographic Research, University of Waterloo. CORR-99-39.
^ Solinas, Jerome A. (2011). "Generalized Mersenne Prime". In Tilborg, Henk C. A. van; Jajodia, Sushil (eds.). Encyclopedia of Cryptography and Security. Springer US. pp. 509–510. doi:10.1007/978-1-4419-5906-5_32. ISBN 978-1-4419-5905-8.
^ US patent 5159632, Richard E. Crandall, "Method and apparatus for public key exchange in a cryptographic system", issued 1992-10-27, assigned to NeXT Computer, Inc.
^ Recommended Elliptic Curves for Federal Government Use (PDF) (Technical report). NIST. 1999.
^ Craig-Wood, Nick. "Integer DWTs mod 2^64-2^32+1". www.craig-wood.com.
^ de Jesús Angel Angel, José; Morales-Luna, Guillermo (2010). "Solinas primes of small weight for fixed sizes". Cryptology ePrint Archive, Paper 2010/058.
^ Nath, Kaushik; Sarkar, Palash (2018), Efficient Arithmetic In (Pseudo-)Mersenne Prime Order Fields, 2018/985, retrieved 2025-05-10

[1] Solinas, Jerome A. (1999). Generalized Mersenne Numbers (PDF) (Technical report). Center for Applied Cryptographic Research, University of Waterloo. CORR-99-39.

[2] Solinas, Jerome A. (2011). "Generalized Mersenne Prime". In Tilborg, Henk C. A. van; Jajodia, Sushil (eds.). Encyclopedia of Cryptography and Security. Springer US. pp. 509–510. doi:10.1007/978-1-4419-5906-5_32. ISBN 978-1-4419-5905-8.

[3] US patent 5159632, Richard E. Crandall, "Method and apparatus for public key exchange in a cryptographic system", issued 1992-10-27, assigned to NeXT Computer, Inc.

[4] Recommended Elliptic Curves for Federal Government Use (PDF) (Technical report). NIST. 1999.

[5] Craig-Wood, Nick. "Integer DWTs mod 2^64-2^32+1". www.craig-wood.com.

[6] Jesús Angel Angel, José; Morales-Luna, Guillermo (2010). "Solinas primes of small weight for fixed sizes". Cryptology ePrint Archive, Paper 2010/058.

[7] Nath, Kaushik; Sarkar, Palash (2018), Efficient Arithmetic In (Pseudo-)Mersenne Prime Order Fields, 2018/985, retrieved 2025-05-10

[1]

[2]

[3]

[4]

[5]

[6]

[7]

Solinas prime

Modular reduction algorithm

Examples

See also

References