Binary XGCD #761

erik-3milabs · 2025-02-14T16:28:22Z

Continuation of the work started in #755

dvdplm · 2025-03-19T14:37:48Z

src/modular/bingcd/xgcd.rs

+    /// **Warning**: this algorithm is only guaranteed to work for `self` and `rhs` for which the
+    /// msb is **not** set. May panic otherwise.


Can you elaborate a bit on where this restriction comes from and if it's a hard requirement or not? Skimming the example code for the paper doesn't seem to mention this.

It's a pretty limiting restriction; I think many applications will want to use full-fat uints with the MSB set.

Can you elaborate a bit on where this restriction comes from and if it's a hard requirement or not? Skimming the example code for the paper doesn't seem to mention this.

It's a pretty limiting restriction; I think many applications will want to use full-fat uints with the MSB set.

I was encountering integer overflows whenever the top bit was set. However, in the past two days I learned a fact and a trick that we can use:

The trick

Currently, I'm using an Ints inside the matrix representing the xgcd state. However, I learned this interesting fact that the signs of this state matrix will always occur in one of the following two patterns:

[ + - ] [ - + ] [ - + ] or [ + - ]

Because of this, I can refactor this matrix to use Uints instead, as long as it also holds a pattern: ConstChoice. Then, the multiplication M3 = M1 x M2 is computed as a standard matrix multiplication and M3.pattern = M1.pattern.eq(M2.pattern).

This saves one bit in the representation and, as a result, should prevent overflows.

The fact.

This morning, I learned that if a does not divide b (or the other way around), then the Bézout coefficients x,y such that ax + by = gcd are such that $$|x| \leq \lfloor\frac{b}{2 * gcd}\rfloor$$ and $$|y| \leq \lfloor\frac{a}{2 * gcd}\rfloor$$.

These two things combined should give us ample bits to compute the Bézout coefficients without overflowing.

I hope to work on this soon!

That is good news! Thank you for explaining.

Can you point me to a source on “the fact”?

But of course! It is stated as fact on Extended GCD Wikipedia page, at the end of the Description section. Not the world's greatest source, but all my experiments point in the same direction 🙈

erik-3milabs added 30 commits January 27, 2025 10:20

Impl new_inv_mod_odd

e8d8f4f

Modify new_inv_mod_odd algorithm

f46213d

Make as_limbs_mut const

378e2ee

Introduce const conditional_swap

45fc11d

Improve Int::checked_mul notation

4ba745c

Introduce new_gcd

02ceb4f

Get bingcd working

c6891f4

Fix fmt

b9fb154

65mus U1024::gcd

ffe7bb2

Clean up

dc6f517

Clean

a3253d8

Remove DOUBLE requirement

6b95681

Extract restricted xgcd.

b5c9951

Introduce const_min and const_max

09b9ee7

Clean up summarize

fbd39e6

Clean up compact

a7f8dae

Update ExtendedInt

41d32f6

Impl Matrix

e445ceb

Make new_odd_gcd constant time

30aabf1

Replace shr by proper div_2k

51b93f0

Remove ExtendedInt::abs

714d608

Update restricted_extended_gcd

6d9a3fe

Annotate new_gcd

32b8e9f

Refactor IntMatrix

cf064a4

Refactor ExtendedInt into ExtendedInt and ExtendeUint

e4f4359

Fix bug

4b84597

Inline ExtendedUint and ExtendedInt

e822db1

Expand Uint::gcd benchmarking

a1ff0a8

Expand Uint::new_gcd testing

46211cf

Annotate new_gcd.rs

a824a4d

erik-3milabs added 6 commits February 14, 2025 16:47

Fix clippy

7664f5f

Move Odd::BITS to better spot

237b0e0

Introduce const MINIMAL_BINGCD_ITERATIONS

c3d72fb

Polish bingcd test suite

81c8c46

Polish binxgcd test suite

11af836

Tweak bingcd threshold

3061a8c

erik-3milabs mentioned this pull request Feb 14, 2025

Binary GCD #755

Open

erik-3milabs added 20 commits February 14, 2025 17:44

Fix assert

58dee9e

Optimize xgcd threshold

d2e863f

Test binxgcd_nz

2ab41b0

Fix fmt

efc3fa0

Introduce extract_bezout_coefficients_vartime

d162477

Patch bug

c0fd905

Introduce extract_quotients

a6a9c92

Introduce RawBinXgcdOutput

ee4ee4b

Introduce OddBinXgcdOutput in preparation for quotients

ac327f0

Test quotients

4f9a7bb

Update docs

10055e5

minimal bezout coefficients

0dee8a0

Refactor Odd<Int>::Binxgcd

1e8a0a3

Refactor NonZero<Int>::Binxgcd

438d3f6

Refactor Int::binxgcd

79e6527

Introduce BinXgcdOutput::minimal_bezout_coefficients

f0bdb39

Clean up xgcd.rs

c2df6c0

Fix clippy

7631a24

Fix doc

2f35945

Minor div_2_mod_q speedup

292b48b

dvdplm reviewed Mar 19, 2025

View reviewed changes

erik-3milabs force-pushed the binxgcd branch from ed7cd7e to 292b48b Compare March 21, 2025 16:45

Merge branch 'master' into binxgcd

ba6b52a

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Binary XGCD #761

Binary XGCD #761

erik-3milabs commented Feb 14, 2025

dvdplm Mar 19, 2025

erik-3milabs Mar 20, 2025 •

edited

Loading

dvdplm Mar 20, 2025

erik-3milabs Mar 21, 2025

		/// Warning: this algorithm is only guaranteed to work for `self` and `rhs` for which the
		/// msb is not set. May panic otherwise.

Binary XGCD #761

Are you sure you want to change the base?

Binary XGCD #761

Conversation

erik-3milabs commented Feb 14, 2025

dvdplm Mar 19, 2025

Choose a reason for hiding this comment

erik-3milabs Mar 20, 2025 • edited Loading

Choose a reason for hiding this comment

The trick

The fact.

dvdplm Mar 20, 2025

Choose a reason for hiding this comment

erik-3milabs Mar 21, 2025

Choose a reason for hiding this comment

erik-3milabs Mar 20, 2025 •

edited

Loading