Fast modular exponentiation in CL?
Quote:
> More declarations? On cmucl, this:
>
> (defun his-expt-mod (number exponent modulus)
>   (declare (fixnum number exponent modulus)
>            (optimize (speed 3) (safety 0)))
>   (setf number (mod number modulus))
>   (loop :with result :of-type fixnum = 1
>         :for i :of-type fixnum :from 0 :below (integer-length exponent)
>         :for sqr = number :then (mod (the fixnum (* sqr sqr)) modulus)
>         :when (logbitp i exponent) :do
>           (setf result (mod (the fixnum (* result sqr)) modulus))
>         :finally (return result)))
>
> seems to be about 4 times faster than the above. Of course, you then
> have to be certain that none of the operations will overflow for the
> parameters you pass in (basically this means (* modulus modulus) is a
> fixnum).
Yes, sure, but as this function is used for finding big primes, or for
crypto algorithms like RSA, ElGamal and Diffie-Hellman, it would not make much
sense to cut the arguments at fixnum length.
The encryption exponent of RSA, e.g., could easily be a number > 1e+400.
Maybe the calculation of primes cannot be optimized any more...
My previously posted implementation is 2 times faster than the earlier
implementation that used (floor exponent 2) to "walk" through the exponent.
I'll post some more code below so maybe the wizards among you can give me some
hints on making it better.
Quote:
>> I would also welcome completely different ideas on implementing this
>> modular exponentiation.
> I don't know of any radically different way of doing it; I'd write:
>
> (defun my-expt-mod (number exponent modulus)
>   (declare (fixnum number exponent modulus)
>            (optimize (speed 3) (safety 0)))
>   (setf number (mod number modulus))
>   (let ((result 1))
>     (declare (fixnum result))
>     (loop :while (not (zerop exponent))
>           :if (oddp exponent)
>             :do (setf result
>                       (mod (the fixnum (* result number)) modulus))
>           :do (setf number (mod (the fixnum (* number number)) modulus)
>                     exponent (truncate exponent 2)))
>     result))
>
> which seems to be a little quicker (on my machine, with my lisp, with
> this phase of the moon, etc), but it's basically doing the same thing.
I have not tried it yet, but one of my implementations used (floor ...) in a
similar manner to how you used (truncate ...). This implementation was slower
and consed _much_ more. As we are working with bignums here, such an
operation might easily cons heavily. That is why I tried not to change the
exponent at all and only logbitp over it.
Here are some of the other functions:
;; The odd primes below 2000
(defparameter *primeset*
  (coerce (make-array 302
                      :element-type 'fixnum
                      :initial-contents
                      '(3 5 7 11 13 17 19 23 29 31 37 41
                        43 47 53 59 61 67 71 73 79 83 89 97 101 103
                        107 109 113 127 131 137 139 149 151 157 163
                        167 173 179 181 191 193 197 199 211 223 227
                        229 233 239 241 251 257 263 269 271 277 281
                        283 293 307 311 313 317 331 337 347 349 353
                        359 367 373 379 383 389 397 401 409 419 421
                        431 433 439 443 449 457 461 463 467 479 487
                        491 499 503 509 521 523 541 547 557 563 569
                        571 577 587 593 599 601 607 613 617 619 631
                        641 643 647 653 659 661 673 677 683 691 701
                        709 719 727 733 739 743 751 757 761 769 773
                        787 797 809 811 821 823 827 829 839 853 857
                        859 863 877 881 883 887 907 911 919 929 937
                        941 947 953 967 971 977 983 991 997 1009 1013
                        1019 1021 1031 1033 1039 1049 1051 1061 1063
                        1069 1087 1091 1093 1097 1103 1109 1117 1123
                        1129 1151 1153 1163 1171 1181 1187 1193 1201
                        1213 1217 1223 1229 1231 1237 1249 1259 1277
                        1279 1283 1289 1291 1297 1301 1303 1307 1319
                        1321 1327 1361 1367 1373 1381 1399 1409 1423
                        1427 1429 1433 1439 1447 1451 1453 1459 1471
                        1481 1483 1487 1489 1493 1499 1511 1523 1531
                        1543 1549 1553 1559 1567 1571 1579 1583 1597
                        1601 1607 1609 1613 1619 1621 1627 1637 1657
                        1663 1667 1669 1693 1697 1699 1709 1721 1723
                        1733 1741 1747 1753 1759 1777 1783 1787 1789
                        1801 1811 1823 1831 1847 1861 1867 1871 1873
                        1877 1879 1889 1901 1907 1913 1931 1933 1949
                        1951 1973 1979 1987 1993 1997 1999))
          '(simple-array fixnum (302))))
;;; Test if n is a prime
(defun primep (n &key (trials 15.))
  (let ((+n (abs n)))
    (cond ((< +n 2) nil)
          ((= +n 2) t)
          ((= +n 3) t)
          ;; ((and (> +n 100)
          ;;       (not (= 1 (gcd +n 223092870)))) ;; = (* 2. 3. 5. 7. 11
          ;;  nil)                                 ;;      13 17 19 23)
          ((and (> +n 2000)
                (not-primep +n)) nil)
          (t (multiple-value-bind (r s) (%calc-r-s +n)
               (loop repeat trials
                     for a of-type integer = (+ (random (- +n 3)) 2)
                     never (not (%miller-rabin-test +n a r s))))))))
In this function the candidate prime n is first divided by the
primes in *primeset* via the function (not-primep ...). If it is divisible
by one of these primes, it is a composite number and therefore we can
conclude for sure that n is not prime. This operation is done to speed up
the whole process...
The commented-out lines contain a similar approach that uses
(gcd ...) with a composite number built from different primes.
;;; Cheap prime test by dividing n by all primes in *primeset*
(defun not-primep (n)
  (declare (type (simple-array fixnum (*)) *primeset*))
  (loop :for prime :of-type fixnum :across *primeset*
        :thereis (zerop (mod n prime))))
;;; Calculate r and s so that n-1 = 2^s * r, with r odd
(defun %calc-r-s (n)
  (loop :with n-1 of-type integer = (1- n)
        :for s of-type fixnum :upfrom 0
        :until (logbitp s n-1)
        :finally (return (values (ash n-1 (- s)) s))))
;;; Return nil if n is a composite number and t if it is (probably) a prime
(defun %miller-rabin-test (n a r s)
  (let ((y (expt-mod a r n))
        (n-1 (1- n)))
    (if (and (/= y 1)
             (/= y n-1))
        (loop :for j of-type fixnum :upfrom 1
              :while (and (<= j (1- s))
                          (/= y n-1))
              :do (setf y (mod (* y y) n))
              :never (= y 1)
              :finally (return (= y n-1)))
        t)))
;;; Search for the next prime iteratively
(defun find-prime (n &key (base 2) (test #'primep))
  (let ((number (let ((rnd (random (expt base n))))
                  (if (oddp rnd)
                      rnd
                      (1+ rnd)))))
    (loop for prime of-type integer = number then (+ prime 2)
          until (funcall test prime)
          finally (return prime))))
Here are two runs of the cmucl profiler:
Seconds | Consed | Calls | Sec/Call | Name:
------------------------------------------------------
27.050 | 1,582,254 | 27 | 1.00185 | EXPT-MOD
0.199 | -1,475,120 | 91 | 0.00219 | NOT-PRIMEP
0.020 | 59,614 | 27 | 0.00073 | %MILLER-RABIN-TEST
0.019 | 64,644 | 91 | 0.00021 | PRIMEP
0.000 | 1,026 | 13 | 0.00000 | %CALC-R-S
0.000 | 13,612 | 1 | 0.00000 | FIND-PRIME
------------------------------------------------------
27.288 | 246,030 | 250 | | Total

Seconds | Consed | Calls | Sec/Call | Name:
------------------------------------------------------
108.489 | 2,700,042 | 107 | 1.01392 | EXPT-MOD
0.737 | -2,959,914 | 547 | 0.00135 | NOT-PRIMEP
0.043 | 311,204 | 547 | 0.00008 | PRIMEP
0.039 | 188,924 | 107 | 0.00036 | %MILLER-RABIN-TEST
0.004 | 63,294 | 2 | 0.00222 | FIND-PRIME
0.000 | 8,098 | 79 | 0.00000 | %CALC-R-S
------------------------------------------------------
109.313 | 311,648 | 1,389 | | Total
The times depend on how far the first random candidate prime is from
the next prime, but because of the uniform distribution of the primes, the
times to find a 1024-bit prime are mostly between 30 and 50 seconds on my
AMD-K6-2 300. The cmucl profiler seems to show clearly that the work lies
in EXPT-MOD, which seems to need around a second per call.