Expand description
A constant-time reduction algorithm.
This is derived from Algorithm 1 of https://eprint.iacr.org/2022-466. Some typos have been accounted for. Algorithm 2 is a restatement of Algorithm 1 in an iterative fashion and accordingly may of more approximate structure to the following, yet this work was independently derived from Algorithm 1.
In order to be efficient, this does not always operate over the full amount of limbs of each number. Instead, as the reduction occurs (and as the numbers shrink), the amount of limbs operated over also reduce. This requires extensively arguing the bounds for inputs and the outputs of each function. This is done via brief proofs written in comments within each function.
Traitsยง
- Limbs ๐
- A collection of limbs and associated helper methods.
Functionsยง
- a_lte_c ๐
- Obtain the equivalent form
(a', b', c')for whicha' <= c'. - approximate_
a_ ๐lte_ c - Obtain the equivalent form
(a', b', c')for whichfloor(log_2(a')) <= floor(log_2(c')). - negate_
b ๐ - Conditionally negate the
bcoefficient for a binary quadratic form of odd discriminant. - normalize ๐
- Normalize an almost-reduced element.
- partial_
reduce ๐ - Partially reduce a positive definite binary quadratic form.
- reduce ๐
- Reduce an element.
- reduce_
to_ ๐next_ bit - Reduce the
bcoefficient by at least one bit or until reduced. - reduce_
to_ ๐upper_ bound - Reduce an element until either its reduced or $|b| < 2^{upper_bound}$.
- should_
reduce_ ๐to_ next_ bit_ except_ final - If
reduce_to_next_bitshould actually apply, except possibly incorrect. - should_
reduce_ ๐to_ next_ bit_ final - If
reduce_to_next_bitshould actually apply.