1407 3360 PDF
1407 3360 PDF
1407 3360 PDF
We give a new proof of Fürer's bound for the cost of multiplying n-bit integers in the bit
complexity model. Unlike Fürer, our method does not require constructing special coecient
rings with fast roots of unity. Moreover, we prove the more explicit bound O(n logn K log n)
with K = 8. We show that an optimised variant of Fürer's algorithm achieves only K = 16,
suggesting that the new algorithm is faster than Fürer's by a factor of 2log n. Assuming stan-
dard conjectures about the distribution of Mersenne primes, we give yet another algorithm
that achieves K = 4.
Keywords: Integer multiplication, algorithm, complexity bound, FFT
A.C.M. subject classification: G.1.0 Computer-arithmetic, F.2.1 Number-theoretic com-
A.M.S. subject classification: 68W30, 68Q17, 68W40
1. Introduction
Let I(n) denote the cost of multiplying two n-bit integers in the deterministic multitape Turing
model [38] (commonly called bit complexity). Previously, the best known asymptotic bound for
I(n) was due to Fürer [18, 19]. He proved that there is a constant K > 1 such that
I(n) = O(n log n K log
); (1.1)
where log x, for x 2 R, denotes the iterated logarithm, i.e.,
log x := min fk 2 N: logk x 6 1g; (1.2)
logk := log log:
The main contribution of this paper is a new algorithm that yields the following improvement.
Theorem 1.1. For n ! 1 we have
I(n) = O(n log n 8log
Fürer suggested several methods to minimise the value of K in his algorithm, but did not give
an explicit bound for K. In section 7 of this paper, we outline an optimised variant of Fürer's
algorithm that achieves K = 16. We do not know how to obtain K < 16 using Fürer's approach.
This suggests that the new algorithm is faster than Fürer's by a factor of 2log n.
The idea of the new algorithm is remarkably simple. Given two n-bit integers, we split them
into chunks of exponentially smaller size, say around log n bits, and thus reduce to the problem
of multiplying integer polynomials of degree O(n/log n) with coecients of bit size O(log n). We
multiply the polynomials using discrete Fourier transforms (DFTs) over C, with a working precision
of O(log n) bits. To compute the DFTs, we decompose them into short transforms of exponentially
smaller length, say length around log n, using the CooleyTukey method. We then use Bluestein's
chirp transform to convert each short transform into a polynomial multiplication problem over C,
and nally convert back to integer multiplication via Kronecker substitution. These much smaller
integer multiplications are handled recursively.
2 Even faster integer multiplication
The algorithm just sketched leads immediately to a bound of the form (1.1). A detailed proof
is given in section 4. We emphasise that the new method works directly over C, and does not need
special coecient rings with fast roots of unity, of the type constructed by Fürer. Optimising
parameters and keeping careful track of constants leads to Theorem 1.1, which is proved in sec-
tion 6. We also prove the following conditional result in section 9.
In [47], Schönhage and Strassen presented two FFT-based algorithms for integer multiplication.
In both algorithms, they rst use Kronecker segmentation to convert the problem to multiplication
of integer polynomials. They then embed these polynomials into R[X] for a suitable ring R and
multiply the polynomials by using FFTs over R. The rst algorithm takes R = C and ! =
exp(2 p i / 2k), and works with nite-precision approximations to elements of C. Multiplications
in C itself are handled recursively, by treating them as integer multiplications (after appropriate
scaling). The second algorithm, popularly known as the SchönhageStrassen algorithm, takes
R = Z / m Z where m = 22 + 1 is a Fermat number. This algorithm is the faster of the two, achieving
the bound I(n) = O(n log n log log n). It benets from the fact that ! = 2 is a principal 2k+1 -th
root of unity in R, and that multiplications by powers of ! can be carried out eciently, as they
correspond to simple shifts and negations. At around the same time, Pollard pointed out that one
can also work with R = Z / m Z where m is a prime of the form m = a 2k + 1, since then R contains
primitive 2k-th roots of unity [39] (although he did not give a bound for I(n)).
Schönhage and Strassen's algorithm remained the champion for more than thirty years, but was
recently superseded by Fürer's algorithm [18]. In short, Fürer managed to combine the advantages
of the two algorithms from [47], to achieve the bound I(n) = O(n log n 2O(log n)). Fürer's algorithm
r ¡1
is based on the ingenious observation that the ring R = C[X]/ (X 2 + 1) contains a small number
of fast principal 2 -th roots of unity, namely the powers of X, but also a large supply of much
higher-order roots of unity inherited from C. To evaluate an FFT over R, he decomposes it into
many short transforms of length at most 2r, using the CooleyTukey method. He evaluates the
short transforms with the fast roots of unity, pausing occasionally to perform slow multiplications
by higher-order roots of unity (twiddle factors). A slightly subtle point of the construction is that
k ¡r
we really need, for large k, a principal 2k-th root of unity ! 2 R such that ! 2 = X.
In [15] it was shown that the technique from [39] to compute modulo suitable prime numbers
of the form m = a 2k + 1 can be adapted to Fürer's algorithm. Although the complexity of this
algorithm is essentially the same as that of Fürer's algorithm, this method has the advantage that
it does not require any error analysis for approximate numerical operations in C.
In section 2, we start by recalling several classical techniques for completeness and later use:
sorting and array transposition algorithms, discrete Fourier transforms (DFTs), the CooleyTukey
algorithm, FFT multiplication and convolution, Bluestein's chirp transform, and Kronecker sub-
stitution and segmentation. In section 3, we also provide the necessary tools for the error analysis
of complex Fourier transforms. Most of these tools are standard, although our presentation is
somewhat ad hoc, being based on xed point arithmetic.
In section 4, we describe a simplied version of the new integer multiplication algorithm,
without any attempt to minimise the aforementioned constant K. As mentioned in the sketch
above, the key idea is to reduce a given DFT over C to a collection of short transforms, and then
to convert these short transforms back to integer multiplication by a combination of Bluestein's
chirp transform and Kronecker substitution.
The complexity analysis of Fürer's algorithm and the algorithm from section 4 involves func-
tional inequalities which contain post-compositions with logarithms and other slowly growing
functions. In section 5, we present a few systematic tools for analysing these types of inequalities.
For more information on this quite particular kind of asymptotic analysis, we refer the reader
to [44, 16].
In section 6, we present an optimised version of the algorithm from section 4, proving in
particular the bound I(n) = O(n log n 8log n) (Theorem 1.1), which constitutes the main result
of this paper. In section 7, we outline a similar complexity analysis for Fürer's algorithm. Even
after several optimisations of the original algorithm, we were unable to attain a bound better than
I(n) = O(n log n 16log n). This suggests that the new algorithm outperforms Fürer's algorithm by
a factor of 2log n.
This speedup is surprising, given that the short transforms in Fürer's algorithm involve only
shifts, additions and subtractions. The solution to the paradox is that Fürer has made the short
transforms too fast . Indeed, they are so fast that they make a negligible contribution to the overall
complexity, and his computation is dominated by the slow twiddle factor multiplications. In the
new algorithm, we push more work into the short transforms, allowing them to get slightly slower;
the quid pro quo is that we avoid the factor of two in zero-padding caused by Fürer's introduction
of articial fast roots of unity. The optimal strategy is actually to let the short transforms
dominate the computation, by increasing the short transform length relative to the coecient size.
Fürer is unable to do this, because in his algorithm these two parameters are too closely linked.
To underscore just how far the situation has been inverted relative to Fürer's algorithm, we point
out that in our presentation we can get away with using SchönhageStrassen for the twiddle factor
multiplications, without any detrimental eect on the overall complexity.
We have chosen to base most of our algorithms on approximate complex arithmetic. Instead,
following [39] and [15], we might have chosen to use modular arithmetic. In section 8, we will briey
indicate how our main algorithm can be adapted to this setting. This variant of our algorithm
presents several analogies with its adaptation to polynomial multiplication over nite elds [24].
The question remains whether there exists an even faster algorithm than the algorithm of
section 6. In an earlier paper [17], Fürer gave another algorithm of complexity O(n log n 2O(log n))
under the assumption that there exist suciently many Fermat primes, i.e., primes of the form
Fm = 22 + 1. It can be shown that a careful optimisation of this algorithm yields the bound
I(n) = O(n log n 4log n). Unfortunately, odds are high that F4 is the largest Fermat prime. In
section 9, we present an algorithm that achieves the bound I(n) = O(n log n 4log n) under the more
plausible conjecture that there exist suciently many Mersenne primes (Theorem 1.2). The main
technical ingredient is a variant of an algorithm of Crandall and Fagin [12] that permits ecient
multiplication modulo 2 q ¡ 1, despite q not being divisible by a large power of two.
It would be interesting to know whether the new algorithms could be useful in practice. We
have implemented an unoptimised version of the algorithm from section 8 in the Mathemagix
system [29] and found our implementation to be an order of magnitude slower than the Gmp
library [23]. There is certainly room for improvement, but we doubt that even a highly optimised
implementation of the new algorithm will be competitive in the near future. Nevertheless, the
variant for polynomial multiplication over nite elds presented in [24] seems to be a promising
avenue for achieving speedups in practical computations. This will be investigated in a forthcoming
David Harvey, Joris van der Hoeven, Grégoire Lecerf 5
Notations. We use Hardy's notations f g for f = o(g), and f g for f = O(g) and g = O(f ).
The symbol R> denotes the set of non-negative real numbers, and N denotes f0; 1; 2; :::g. We will
write lg n := dlog n/log 2e.
for all i 2 f1; :::; n ¡ 1g. In this case, we dene the discrete Fourier transform (or DFT) of an n-tuple
a = (a0; :::; an¡1) 2 Rn with respect to ! to be DFT!(a) = a^ = (a^0; :::; a^n¡1) 2 Rn where
That is, a^i is the evaluation of the polynomial A(X) := a0 + a1 X + + an¡1 X n¡1 at ! i.
If ! is a principal n-th root of unity, then so is its inverse ! ¡1 = ! n¡1, and we have
DFT! ¡1(DFT!(a)) = n a:
Remark 2.1. In all of the new algorithms introduced in this paper, we actually work over a eld,
whose characteristic does not divide n. In this setting, the concept of principal root of unity
coincides with the more familiar primitive root of unity . The more general principal root concept
is only needed for discussions of other algorithms, such as the SchönhageStrassen algorithm or
Fürer's algorithm.
6 Even faster integer multiplication
If A1 and A2 are algorithms for computing DFTs of length n1 and n2, we may use (2.2) to construct
an algorithm A1 A2 for computing DFTs of length n as follows.
For each k1 2 f0; :::; n1 ¡ 1g, the sum inside the brackets corresponds to the i2-th coecient
of a DFT of the n2-tuple (a0n1 +k1; :::; a(n2 ¡1)n1 +k1) 2 Rn2 with respect to !n1. Evaluating these
inner DFTs requires n1 calls to A2. Next, we multiply by the twiddle factors !k1 i2, at a cost of n
operations in R. (Actually, fewer than n multiplications are required, as some of the twiddle factors
are equal to 1. This optimisation, while important in practice, has no asymptotic eect on the
algorithms discussed in this paper.) Finally, for each i2 2 f0; :::; n2 ¡ 1g, the outer sum corresponds
to the i1-th coecient of a DFT of an n1-tuple in Rn1 with respect to !n2. These outer DFTs
require n2 calls to A1.
Denoting by FR(n) the number of ring operations needed to compute a DFT of length n, and
assuming that we have available a precomputed table of twiddle factors, we obtain
The corresponding algorithm is denoted A1 Ad. The operation is neither commutative
nor associative; the above expression will always be taken to mean (((A1 A2) A3) ) Ad.
Let B be the buttery algorithm that computes a DFT of length 2 by the formula (a0; a1) 7!
(a0 + a1; a0 ¡ a1). Then B k := B B computes a DFT of length n := 2k in time FR(2k) = O(k n).
Algorithms of this type are called fast Fourier transforms (or FFTs).
The above discussion requires several modications in the Turing model. Assume that elements
of R are represented by b bits.
First, for A1 A2, we must add a rearrangement cost of O(b n lg min (n1; n2)) to eciently
access the rows and columns for the recursive subtransforms (seeP section 2.1). For the general case
A1 Ad, the total rearrangement cost is bounded by O( i b n lg ni) = O(b n lg n).
Second, we will sometimes use non-algebraic algorithms to compute the subtransforms, so it
may not make sense to express their cost in terms of FR. The relation (2.3) therefore becomes
X n
F(n) 6 F(ni) + (d ¡ 1) n mR + O(b n lg n); (2.4)
where F(n) is the (Turing) cost of a transform of length n over R, and where mR is the cost of
a single multiplication in R.
Finally, we point out that A1 A2 requires access to a table of twiddle factors ! i1 i2, ordered
lexicographically by (i1; i2), for 0 6 i1 < n1, 0 6 i2 < n2. Assuming that we are given as input
a precomputed table of the form 1; !; :::; ! n¡1, we must show how to extract the required twiddle
factor table in the correct order. We rst construct a list of triples (i1; i2; i1 i2), ordered by (i1; i2),
in time O(n lg n); then sort by i1 i2 in time O(n lg2 n) (see section 2.1); then merge with the given
root table to obtain a table (i1; i2; ! i1 i2), ordered by i1 i2, in time O(n (b + lg n)); and nally sort
by (i1; i2) in time O(n lg n (b + lg n)). The total cost of the extraction is thus O(n lg n (b + lg n)).
David Harvey, Joris van der Hoeven, Grégoire Lecerf 7
The corresponding cost for A1 Ad is determined as follows. Assuming that the table
1; !; :::; ! n¡1 is given as input, we rst extract the subtables of (n1 ni)-th roots of unity for
i = d ¡ 1; :::; 2 in time O((n1 nd + + n1 n2) (b + lg n)) = O(n (b + lg n)). Extracting the twiddle
factor table for the decomposition (n1 ni¡1) ni then costs O(n1 ni lg n (b + lg n)); the total
over all i is again O(n lg n (b + lg n)).
Remark 2.2. An alternative approach is to compute the twiddle factors directly in the correct
order. When working over C, as in section 3, this requires a slight increase in the working precision.
Similar comments apply to the root tables used in Bluestein's algorithm in section 2.5.
where the product of the DFTs is taken pointwise. By construction, we have c^ = a^ b^, which
means that C(! i) = A(! i) B(! i) for all i 2 f0; :::; n ¡ 1g. The product S = s0 + + sn¡1 X n¡1
of A and B modulo X n ¡ 1 also satises S(! i) = A(! i) B(! i) for all i. Consequently, s^ = a^ b^,
s = DFT! ¡1(s^)/n = c, whence C = S.
For polynomials A; B 2 R[X] with deg A < n and deg B < n, we thus obtain an algorithm for
the computation of A B modulo X n ¡ 1 using at most 3 FR(n) + O(n) operations in R. Modular
products of this type are also called cyclic convolutions. If deg (A B) < n, then we may recover
the product A B from its reduction modulo X n ¡ 1. This multiplication method is called FFT
If one of the arguments (say B) is xed and we want to compute many products A B (or cyclic
convolutions) for dierent A, then we may precompute DFT!(b), after which each new product
A B can be computed using only 2 FR(n) + O(n) operations in R.
Now let F := f0 a0 + + fn¡1 an¡1 X n¡1, G := g0 + + gn¡1 X n¡1 and C := c0 + +
cn¡1 X n¡1 F G modulo X n ¡ 1. Then (2.5) implies that a^i = fi ci for all i 2 f0; :::; n ¡ 1g. In other
words, the computation of a DFT of even length n reduces to a cyclic convolution product of the
same length, together with O(n) additional operations in R. Notice that the polynomial G is xed
and independent of a in this product.
The only complication in the Turing model is the cost of extracting the fi in the correct order,
i.e., in the order 1; ; 4; 9; :::; (n¡1) , given as input a precomputed table 1; ; 2; :::; 2n¡1.
We may do this in time O(n lg n (b + lg n)) by applying the strategy from section 2.3 to the pairs
(i; i2 mod 2 n) for 0 6 i < n. Similar remarks apply to the gi.
8 Even faster integer multiplication
Remark 2.3. It is also possible to give variants of the new multiplication algorithms in which
Bluestein's transform is replaced by a dierent method for converting DFTs to convolutions, such
as Rader's algorithm [41].
Proof. We have
u ¡ z uj/2ez +eu = jb2¡p m m e ¡ 2¡p m m j 2¡p 6 p2 2¡p 6
jz z u z u
jz u ¡ z~ u~ j 6 jz j ju ¡ u~ j + jz ¡ z~j (juj + ju~ ¡ uj)
6 2ez "u + 2eu "z + "z "u
= (u + z + z u) 2ez +eu:
u ¡ z~ u~ j/2ez +eu 6 + + + 6 (1 + ) (1 + ) (1 + ) ¡ 1.
Consequently, jz
z u z u z u
Proposition 3.4. Let k > 1 and n := 2k. Let z 2 (C p 2ez)n and u 2 (C p 2eu)n. Dene the xed point
convolution z<dotast>u 2 (C p 2ez +eu +k)n by
$ '
m(z<dotast>u)i := 2 ¡p¡k
mzi1 mui2 ; 0 6 i < n:
i1 +i2 =i (mod n)
max (1 + (z<dotast>u)i) 6 max (1 + zi) max (1 + ui) (1 + ):
i i i
Proof. Let denote the exact convolution, and write z := max j zj and u := max j uj. As in the
proof of Proposition 3.3, we obtain j(z<dotast>u)i ¡ (z u)i j/2ez +eu +k 6 2 2¡p 6 and
j(z u)i ¡ (z~ u~)i j 6 jzi1 ui2 ¡ z~i1 u~i2j
i1 +i2 =i (mod n)
6 (z + u + z u) 2ez +eu +k:
The proof is concluded in the same way as Proposition 3.3.
10 Even faster integer multiplication
Lemma 3.5. Let z 2 H p, and assume that jz~j = 1 and z 6 3/8. Then p z 6 z + .
p p p
Proof. The mean value theorem implies that z~ ¡ z 6 "z maxw2D j1 / (2 w )j where
D := fw 2 H: jw ¡ z j 6 "z g. For w 2 D we have jwj > jz~j ¡ jz~ ¡ zj ¡ jz ¡ w j > 1 ¡ 3/8 ¡ 3/8 > 1/4;
p p p p p p
hence z~ ¡ z 6 "z = z. By construction j z ¡ z j 6 . We conclude that z ¡ z~ 6 z + .
Proposition 3.6. Let k 2 N and p > k, and let ! := e2i/2 . We may compute 1; !; ! 2; :::;
! 2 ¡1 2 C p, with !i 6 for all i, in time O(2k p log p log log p).
k ¡1 k ¡2
Proof. It suces to compute 1; !; :::; ! 2 ¡1 2 H p. Starting from ! 0 = 1 and p ! `+1 = i, for each
i2` i2` i2
` = k ¡ 3; k ¡ 4; :::; 0, we compute ! for i = 1; 3; :::; 2k ¡`¡1
¡ 1 using ! := ! if i < 2k¡`¡2
` ` k ¡2
and ! i2 := i ! i2 ¡2 otherwise. Performing all computations with temporarily increased precision
p 0 := p + lg p + 2 and corresponding 0 := 21¡ p , Lemma 3.5 yields !i 6 k 0 6 /4. This also shows
that the hypothesis !i 6 3/8 is always p satised, since /4 6 1/ 32 6 3/8. After rounding to p bits,
the relative error is at most /4 + 2 2¡p 6 .
Proposition 3.7. The buttery algorithm B that computes a DFT of length 2 using the formula
a1) is tight.
(a0; a1) 7! (a0 u a1; a0 ¡
Proposition 3.8. Let k1; k2 > 1, and let A1 and A2 be tight algorithms for computing DFTs of
lengths 2k1 and 2k2. Then A1 A2 is a tight algorithm for computing DFTs of length 2k1 +k2.
Proof. The inner and outer DFTs contribute factors of (1 + )3k1 ¡2 and (1 + )3k2 ¡2, and by
Proposition 3.3 the twiddle factor multiplications contribute a factor of (1 + )2. Thus
max (1 + a^i) 6 max (1 + ai) (1 + )(3k1 ¡2)+2 +(3k2 ¡2) 6 max (1 + ai) (1 + )3(k1 +k2)¡2:
i i i
Corollary 3.9. Let k > 1. Then B k is a tight algorithm for computing DFTs of length 2k
over C p, whose complexity is bounded by O(2k k I(p)).
Proposition 4.1. Let 1 6 r 6 p. There exists a tight algorithm Cr for computing DFTs of length 2r
over C p, whose complexity is bounded by O(I(2r p) + 2r I(p)).
Proof. Let n := 2r, and suppose that we wish to compute the DFT of a 2 (Cp 2e)n. Using
Bluestein's chirp transform (notation as in section 2.5), this reduces to computing a cyclic convolu-
tion of suitable F 2 (C p 2e)[X]/(X n ¡ 1) and G 2 Cp[X]/(X n ¡ 1). We assume that the fi and gi
have been precomputed with fi ; gi 6 ".
We may regard F 0 := 2 p¡e F and G 0 := 2 p G as cyclic polynomials with complex integer
P Pn¡1 0 i
coecients, i.e., as elements of Z[i][X]/(X n ¡ 1). Write F 0 = n¡1 0
i=0 Fi X and G =
i 0
i=0 Gi X ,
where Fi0; Gi0 2 Z[i] with jFi0j 6 2p and jGi0 j 6 2p. Now we compute the exact product H 0 :=
F 0 G 0 2 Z[i][X] / (X n ¡ 1) using Kronecker substitution. More precisely, we have jHi0j 6 22p+r, so
it suces to compute the cyclic integer product H 0(2b) = F 0(2b) G 0(2b) 2 (Z/(2nb ¡ 1) Z)[i], where
b := 2 p + r + 2 = O(p). Then H := H 0 2e¡2p is the exact convolution of F and G, and rounding H
to precision p yields F <dotast>G 2 (C p 2e+r)[X]/ (X n ¡ 1) in the sense of Proposition 3.4. A nal
multiplication by fi yields the Fourier coecients a^i 2 C p 2e+r.
To establish tightness, observe that 1 + Fi 6 (1 + ai) (1 + )2 and Gi 6 , so Proposition 3.4
yields 1 + (F <dotast>G)i 6 (1 + a) (1 + )4 where a := maxi ai; we conclude that 1 + a^i 6
(1 + a) (1 + )6. For r > 3, this means that the algorithm is tight; for r 6 2, we may take Cr := B r.
For the complexity, observe that the product in (Z / (2nb ¡ 1) Z)[i] reduces to three integer
products of size O(n p). These have cost O(I(n p)), and the algorithm also performs O(n) multi-
plications in Cp, contributing the O(n I(p)) term.
Remark 4.2. A crucial observation is that, for suitable parameters, the DFT algorithm in Propo-
sition 4.1 is actually faster than the conventional CooleyTukey algorithm of Corollary 3.9. For
example, if we assume that I(m) = m (log m)1+o(1), then to compute a transform of length n over Cp
with n p, the CooleyTukey approach has complexity n2 (log n)2+o(1), whereas Proposition 4.1
yields n2 (log n)1+o(1), an improvement by a factor of roughly log n.
Proof. We rst reduce our integer product to a polynomial product using Kronecker segmentation
(section 2.6). Splitting the two n-bit inputs into chunks of b := lg n bits, we need to compute
a product of polynomials u; v 2 Z[X] with non-negative b-bit coecients and degrees less than
m := dn / be = O(n / lg n). The coecients of h := u v have O(lg n) bits, and we may deduce the
desired integer product h(2b) in time O(n).
Let k := lg (2 m). To compute u v, we will use DFTs of length 2k = O(n/ lg n) over C p, where
p := 2 b + 2 k + lg k + 8 = O(lg n). Zero-padding u to obtain a sequence (u0; :::; u2k ¡1) 2 (Cp 2b)2 , and
k k
similarly for v, we compute the transforms u^; v^ 2 (C p 2b+k)2 with respect to ! := e2p i/2 as follows.
Let r := lg lg n and d := dk /re = O(lg n/lg lg n). Write k = r1 + + rd with ri := r for i 6 d ¡ 1
and rd := k ¡ (d ¡ 1) r 6 r. We use the algorithm A := A1 Ad (see section 2.3), where
for 1 6 i 6 d ¡ 1 we take Ai to be the tight algorithm Cr for DFTs of length 2r lg n given by
Proposition 4.1, and where Ad is B rd as in Corollary 3.9. In other words, we split the k usual
radix-2 layers of the FFT into groups of r layers, handling the transforms in each group with the
BluesteinKronecker reduction, and then using ordinary CooleyTukey for the remaining rd layers.
We next compute the pointwise products h^i := u^i v^i 2 Cp 22b+2k, and then apply an inverse
transform A 0 dened analogously to A. A nal division by 2k (which is really just an implicit
adjustment of exponents) yields approximations hi 2 Cp 22b+2k.
Since A and A 0 are tight by Propositions 3.8, 4.1 and Corollary 3.9, we have 1 + u^i 6 (1 + )3k¡2,
and similarly for v^. Thus 1 + h^i 6 (1 + )6k¡3, so 1 + hi 6 (1 + )9k¡5 6 exp(9 k ) 6
exp(25+lg k¡ p) 6 1 + 26+lg k ¡p after the inverse transform (since exp x 6 1 + 2 x for x 6 1). In
particular, "hi = 22b+2k hi 6 22b+2k+lg k¡ p+6 6 1/4, so we obtain the exact value of hi by rounding
to the nearest integer.
12 Even faster integer multiplication
Now we analyse the complexity. Using Proposition 3.6, we rst compute a table of roots 1;
!; :::; ! 2 ¡1 in time O(2k p log p log log p) = O(n lg n), and then extract the required twiddle factor
tables in time O(2k k (p + k)) = O(n lg n) (see section 2.3). For the Bluestein reductions, we may
extract a table of 2r+1 -th roots in time O(2k p) = O(n), and then rearrange them as required in
time O(2r r (p + r)) = O(lg2 n lg lg n) (see section 2.5). These precomputations are then all repeated
for the inverse transforms.
By Corollary 3.9, Proposition 4.1 and (2.4), each invocation of A (or A 0) has cost
Proof. Let T (n) := I(n) / (n lg n) for n > 2. By Theorem 4.3, there exists x0 > 2 and C > 1 such that
T (n) 6 C (T (lg2 n) + T (lg n) + 1)
for all n > x0. Let (x) := 4 log2 x for x 2 R, x > 1. Increasing x0 if necessary, we may assume
that (x) 6 x ¡ 1 for x > x0, so that the function (x) := min fj 2 N: j (x) 6 x0g is well-dened.
Increasing C if necessary, we may also assume that T (n) 6 3 C for all n 6 x0.
We prove by induction on (n) that T (n) 6 (3 C) (n)+1 for all n. If (n) = 0, then n 6 x0,
so the bound holds. Now suppose that (n) > 1. Since lg2 n 6 (n), we have (lg n) 6 (lg2 n) 6
((n)) = (n) ¡ 1, so by induction T (n) 6 C (3 C) (n) + C (3 C) (n) + C 6 (3 C) (n)+1 .
Finally, since ((x)) log x, we have (x) 6 2 log x + O(1), so T (n) = O(K log n) for
K := (3 C) .
is well-dened and satises (5.1) for all x > . It will sometimes be convenient to increase x0 so
that (x) 6 x ¡ 1 is satised on the whole domain of .
We say that is logarithmically slow if there exists an ` 2 N such that
for x! 1. For example, the functions log (2 x), 2 log x, (log x)2 and (log x)log log x are logarithmically
slow, with ` = 0; 1; 2; 3 respectively.
David Harvey, Joris van der Hoeven, Grégoire Lecerf 13
Lemma 5.1. Let : (x0; 1) ! R be a logarithmically slow function. Then there exists > x0 such
that (x) 6 x ¡ 1 for all x > . Consequently all logarithmically slow functions admit iterators.
Proof. The case ` = 0 is clear. For ` > 1, let := log exp. By induction (x) 6 x ¡ 1 for
large x, so (x) 6 exp(log x ¡ 1) = x/e 6 x ¡ 1 for large x.
In this paper, the main role played by logarithmically slow functions is to measure size reduction
in multiplication algorithms. In other words, multiplication of objects of size n will be reduced to
multiplication of objects of size n 0, where n 0 6 (n) for some logarithmically slow function (x).
The following result asserts that, from the point of view of iterators, such functions are more or
less interchangeable with log x.
Proof. First consider the case where ` = 0 in (5.2), i.e., assume that j(x) ¡ log xj 6 C for
some constant C > 0 and all x > x0. Increasing x0 and C if necessary, we may assume that
(x) = ((x)) + 1 for all x > x0, and that 2 e2C > x0.
We claim that
y log y
6 x 6 2 y =) 6 (x) 6 2 log y (5.3)
2 2
for all y > 4 e2C . Indeed, if 6 x 6 2 y, then
1 y ¡y
log y 6 log 2 ¡ C 6 2 6 (x) 6 (2 y) 6 log (2 y) + C 6 2 log y:
Now, given any x > 4 e2C , let k := min fk 2 N: logk x 6 4 e2C g, so k > 1. For any j = 0; :::; k ¡ 1
we have logj x > 4 e2C , so k-fold iteration of (5.3), starting with y = x, yields
logj x
6 j (x) 6 2 logj x (0 6 j 6 k):
Moreover this shows that j (x) > 2 e2C > x0 for 0 6 j < k, so (x) = (k(x)) + k. Since
k(x) 6 2 logk x 6 8 e2C and k = log x + O(1), we obtain (x) = log x + O(1).
Now consider the general case ` > 0. Let := log` exp`, so that := exp` is
an iterator of . By the above argument (x) = log x + O(1), and so (x) = (log` x) =
log(log` x) + O(1) = log x ¡ ` + O(1) = log x + O(1).
The next result, which generalises and renes the argument of Theorem 4.4, is our main tool
for converting recurrence inequalities into actual asymptotic bounds for solutions. We state it
in a slightly more general form than is necessary for the present paper, anticipating the more
complicated situation that arises in [24].
Proposition 5.3. Let K > 1, B > 0 and ` 2 N. Let x0 > exp`(1), and let : (x0; 1) ! R be
a logarithmically slow function such that (x) 6 x ¡ 1 for all x > x0. Then there exists a positive
constant C (depending on x0 , , K, B and `) with the following property.
Let > x0 and L > 0. Let S R, and let T : S ! R> be any function satisfying the following
recurrence. First, T (y) 6 L for all y 2 S, y 6 .PSecond, for all y 2 S, y > , there exist y1; :::; yd 2 S
with yi 6 (y), and weights
1; :::;
d > 0 with i
i = 1, such that
T (y) 6 K 1 +
i T (yi) + L:
log` y
log y ¡log
Then we have T (y) 6 C L K for all y 2 S, y > .
Proof. Let , L, S and T (x) be as above. Dene (x) := min fk 2 N: k(x) 6 g for x > x0. We
claim that there exists r 2 N, depending only on x0 and , such that
(x) 6 log x ¡ log + r (5.4)
14 Even faster integer multiplication
for all x > . Indeed, let (x) := min fj 2 N: j (x) 6 x0g. First suppose > x0, so that () > 1.
For any x > , we have ((x)¡1)(x) > , so
((x)¡1+ ()¡1)
(x) > ( ()¡1)
() > x0;
and hence (x) > (x) + () ¡ 2. This last inequality also clearly holds if = x0 (since 0 > ¡2).
By Lemma 5.2 we obtain (x) 6 (x) ¡ () + O(1) = log x ¡ log + O(1).
Dene a sequence of real numbers E1; E2; ::: by the formula
1+B if j 6 r + `;
E j :=
1 + B /exp(j ¡r ¡`¡1)(1) if j > r + `:
We claim that
1 + B /log` x 6 E(x) (5.5)
for all x > . Indeed, let j := (x). If j 6 r + ` then (5.5) holds as x > > x0 > exp`(1). If j > r + `
then log x > j ¡ r by (5.4), so x > exp(j ¡r ¡1)(1) and hence log` x > exp(j ¡r ¡`¡1)(1).
Now let y 2 S. We will prove by induction on j := (y) that
T (y) 6 E1 E j L (K j + + K + 1)
for all y > x0. The base case j := 0, i.e., y 6 , holds by assumption. Now assume P that j > 1, so
y > . By hypothesis there exist y1; :::; yd 2 S, yi 6 (y), and
1; :::;
d > 0 with i
i = 1, such that
T (y) 6 K E j
i T (yi) + L:
certainly converges, so we have T (y) 6 E L K / (K ¡ 1) for y > x0. Setting C := E K r+1 / (K ¡ 1),
j +1
Proof. We have n 6 (n) 6 n + 2(n), which implies (6.1). Since n / 2(n) 6 2lg n¡(n) and (n) 6 lg n,
we have n / 2(n) 6 2lg n¡(n) and thus (n) 6 2lg n, i.e., lg (n) = lg n. In particular ((n)) = (n),
so (n) is admissible. (In fact, one easily checks that (n) is the smallest admissible integer >n).
Remark 6.2. It is actually possible to drop the requirement that n be divisible by a high power
of two, by using the CrandallFagin method (see section 9). We prefer to avoid this approach in
this section, as it adds an unnecessary layer of complexity to the presentation.
Now let n be admissible, and consider the problem of computing t > 1 products u1 v; :::; ut v
with u1; :::; ut; v 2 (Z/(2n ¡ 1) Z)[i], i.e., t products with one xed operand. Denote the cost of this
operation by Ct(n). Our algorithm for this problem will perform t + 1 forward DFTs and t inverse
DFTs, so it is convenient to introduce the normalisation
C(n) := sup :
t>1 2t+1
This is well-dened since clearly Ct(n) 6 t C1(n). Roughly speaking, C(n) may be thought of as the
notional cost of a single DFT.
The problem of multiplying k-bit integers may be reduced to the above problem by using zero-
padding, i.e., by taking n := (2 k + 1) and t := 1. Since (2 k + 1) = O(k) and C1(n) 6 3 C(n), we
obtain I(k) 6 3 C(O(k)) + O(k). Thus it suces to obtain a good bound for C(n).
The recursive step in the main multiplication algorithm involves computing short DFTs via
the BluesteinKronecker device. As pointed out in section 2.5, this leads to a cyclic convolution
with one xed operand. To take advantage of the xed operand, let Bp;t(2r) denote the cost of
computing t independent DFTs of length 2r over Cp, and let Bp(2r) := supt>1 Bp;t(2r) / (2 t + 1).
Then we have the following renement of Proposition 4.1. As usual we assume that the necessary
Bluestein root table has been precomputed.
Proposition 6.3. Let r > 3, and assume that 2r divides n 0 := ((2 p + r + 2) 2r). Then there exists
a tight algorithm Cr0 for computing DFTs of length 2r over C p, with
Bp(2r) 6 C(n 0) + O(2r I(p)):
Proof. We use the same notation and algorithm as in the proof of Proposition 4.1, except that
in the Kronecker substitution we take b := n 0 / 2r > 2 p + r + 2, so that the resulting integer
multiplication takes place in (Z / (2n ¡ 1) Z)[i]. The proof of tightness is identical to that of
Proposition 4.1 (this is where we use the assumption r > 3). For the complexity bound, note that
n 0 is admissible by construction, so for any t > 1 we have Bp;t(2r) 6 Ct(n 0) + O(t 2r I(p)): Here we
have used the fact that G 0 is xed over all these multiplications. Dividing by 2 t + 1 and taking
suprema over t > 1 yields the result.
The next result gives the main recurrence satised by C(n) (compare with Theorem 4.3).
Theorem 6.4. There exists x0 > 3 and a logarithmically slow function : (x0; 1) ! R with the
following property. For all admissible n > x0 , there exists an admissible n 0 6 (n) such that
C(n) 1 C(n 0)
6 8+O + O(1): (6.2)
n lg n lg lg n n 0 lg n 0
16 Even faster integer multiplication
Proof. Let n be admissible and suciently large, and consider the problem of computing t > 1
products u1 v; :::; ut v, for u1; :::; ut; v 2 (Z/(2n ¡ 1) Z)[i]. Let k := (n) lg n, so that 2k j n, and let
b := n/2k lg2 n.
We cut the inputs into 2k chunks of size b, i.e., if w is one of the t + 1 inputs, we write
w = w0 + w1 2b + + w2k ¡1 2(2 ¡1)b, where wi 2 Z[i], and where the real and imaginary parts of wi
have absolute value at most 2b. Thus jwi j 6 2 2b < 2b+1 , and for any p > b + 1 we may encode w
as a polynomial W 2 (C p 2b+1 )[X]/(X 2 ¡ 1).
We will multiply the desired (cyclic) polynomials by using DFTs of length 2k over C p where
p := 2 b + 2 k + lg k + 10 = O(lg2 n). We construct the DFTs in a similar way to section 4. Let
r := (lg lg n)2 and d := dk /re = O(lg n /(lg lg n)2). Write k = r1 + + rd with ri := r for i 6 d ¡ 1
and rd := k ¡ (d ¡ 1) r 6 r. We use the tight algorithm A := A1 Ad, where for 1 6 i 6 d ¡ 1 we
take Ai to be the tight algorithm Cr0 for DFTs of length 2r given by Proposition 6.3, and where Ad
is B rd as in Corollary 3.9. Thus, for the rst d ¡ 1 groups of r layers, we use BluesteinKronecker
to reduce to complex integer convolution of size n 0 := ((2 p + r + 2) 2r), and the remaining layers
are handled using ordinary CooleyTukey. We write A 0 for the analogous inverse transform.
To check the hypothesis of Proposition 6.3, we observe that 2r j n 0 for suciently large n, as n 0
is divisible by 2k where k 0 := lg n 0 ¡ lg(lg2 n 0) + 1, and
0 n0 (2 p + r + 2) 2r b 2r (lg n)2 r
2k 2 2 2r :
lg n
2 0 lg ((2 p + r + 2) 2 ) (lg b + r)
r 2 (lg lg n)4
Denote by D the cost of a single invocation of A (or A 0). By Corollary 3.9 and (2.4), we have
D 6 (d ¡ 1) Bp; 2k ¡r(2r) + O(2k¡rd 2rd rd I(p)) + O(d 2k I(p)) + O(2k k b):
The last term is the rearrangement cost, and simplies to O(n lg n). The second term covers the
invocations of Ad, and simplies to O(r 2k I(p)), so is absorbed by the d 2k I(p) term. The rst
term covers the invocations of Cr0 . By denition Bp; 2k ¡r(2r) 6 (2 2k¡r + 1) Bp(2r), and since
2k¡r lg lg n, Proposition 6.3 yields
Bp; 2k ¡r(2r) 6 (2 + O(1/lg lg n)) 2k¡r C(n 0) + O(2k I(p)):
D 6 (2 + O(1/lg lg n)) d 2k ¡r C(n 0) + O(d 2k I(p)) + O(n lg n):
We will use SchönhageStrassen's algorithm for xed point multiplications in Cp. Since p =
O(lg2 n), we may take I(p) = O(lg2 n lg lg n lg lg lg n). Thus the d 2k I(p) term becomes
lg n n lg lg lg n
O lg n lg lg n lg lg lg n = O n lg n
= O(n lg n):
(lg lg n)2 lg2 n lg lg n
(We could of course use our algorithm recursively for these multiplications; however, it turns out
that SchönhageStrassen is fast enough, and leads to simpler recurrences. In fact, the algorithm
asymptotically spends more time rearranging data than multiplying in C p!)
Since (2 p + r + 2) 2r = (4 b + O(lg n)) 2r = (4 + O(1 / lg lg n)) b 2r, and since lg(b 2r) =
r + O(lg lg n) = (1 + O(1/lg lg n)) r lg lg n, by Lemma 6.1 we have
n 0 = (4 + O(1/lg lg n)) b 2r ;
lg n 0 = (1 + O(1/lg lg n)) r:
We also have k = lg n + O(lg lg n) and d = k /r + O(1), so
lg n = (1 + O(1/lg lg n)) k;
d = (1 + O(1/lg lg n)) k /r:
4 (2k b) d 1 n lg n
d 2k¡r = = 4 + O ;
(4 b 2r) lg lg n n 0 lg n 0
and consequently
1 n lg n
D 6 8+O C(n 0) + O(n lg n):
lg lg n n 0 lg n 0
David Harvey, Joris van der Hoeven, Grégoire Lecerf 17
To compute the desired t products, we must execute t + 1 forward transforms and t inverse
transforms. For each product, we must also perform O(2k) pointwise multiplications in C p, at
cost O(2k I(p)) = O(n lg n). As in the proof of Theorem 4.3, the cost of all necessary root table
precomputations is also bounded by O(2k I(p)) = O(n lg n). Thus we obtain
Ct(n) 6 (2 t + 1) D + O(t n lg n):
Dividing by (2 t + 1) n lg n and taking suprema yields the bound (6.2).
The error analysis is almost identical to the proof of Theorem 4.3, the only dierence being
that b is replaced by b + 1. Denoting one of the t products by h 2 (C p 22b+2k+2 )[X]/ (X 2 ¡ 1), we
have hi 6 26+lg k ¡ p exactly as in Theorem 4.3. Thus "hi 6 22b+2k+lg k ¡ p+8 6 1/4, and again we
obtain hi by rounding to the nearest integer.
Finally we show how to dene (x). We already observed that lg n 0 r (lg lg n)2. Thus there
exists a constant C > 0 such that log log log n 0 6 log log log log n + C for large n, so we may take
(x) := exp3(log4 x + C).
Proof of Theorem 1.1. Let x0 and (x) be as in Theorem 6.4. Increasing x0 if necessary, by
Lemma 5.1 we may assume that (x) 6 x ¡ 1 for x > x0, and that x0 > exp (exp (1)).
Let T (n) := C(n)/(n lg n) for admissible n > 3. By the theorem, there exist constants B ; L > 0
such that for all admissible n > x0, there exists an admissible n 0 6 (n) with
T (n) 6 8 1 + T (n 0) + L:
log log n
Increasing L if necessary, we may also assume that T (n) 6 L for all admissible n 6 x0. Taking
S to be the set of admissible integers, we apply Proposition 5.3 with K := 8, := x0, ` := 2, and
for each admissible n > x0 setting d := 1,
1 := 1, y := n and y1 := n 0 as above. We conclude that
T (n) = O(8log n), and hence C(n) = O(n lg n 8log n) as n runs over admissible integers. We already
did not give an explicit bound for K. In this section we sketch an argument showing that one may
achieve K = 16 in Fürer's algorithm, by reusing tools from previous sections, especially section 6.
r ¡1
At the core of Fürer's algorithm is the ring R = C[X]/ (X 2 + 1), which contains the principal
2r-th root of unity X. Note that R is a direct sum of 2r ¡1 copies of C, and hence not a eld (for
r > 2). A crucial observation is that X is a fast root of unity, in the sense that multiplication by
X and its powers can be achieved in linear time, as in SchönhageStrassen's algorithm. For any
k > r, we need to construct a 2k¡r-th root ! of X, which is itself a 2k-th principal root of unity.
We recall Fürer's construction of ! as follows.
2p i 2p i
Lemma 7.1. With R as above, let % = exp 2k
and = exp 2r
. Then
(X ¡ 2j+1 )
2i+1 Q
! := % 2R
i=0 j=
( 2i+1 ¡ 2j +1 )
As our basic recursive problem, we will consider multiplication in (Z/(2n + 1) Z)[i], where n is
divisible by a high power of two. We will refer to the last property as admissibility, but we will
not dene it precisely. We write Ct(n) for the cost of t > 1 such products with one xed argument,
and C(n) := supt>1 Ct(n)/(2 t + 1) for the normalised cost, exactly as in section 6.
18 Even faster integer multiplication
Fürer worked with Z/(2n + 1) Z rather than (Z/ (2n + 1) Z)[i], but, since we are interested in
constant factors, and since the recursive multiplication step involves multiplication of complex
quantities, it simplies the exposition to work systematically with complexied objects everywhere.
For suitable parameters r and k, we will encode elements of (Z / (2n + 1) Z)[i] as (nega)cyclic
¡ k r ¡1
polynomials in R[Y ] / Y 2 + 1 , where R := C[X]/ (X 2 + 1) as above. We choose the parameters
later; for now we require only that 2 k+r ¡2
divides n and that b := n / 2k+r ¡2 > lg n (so that the
coecients are not too small).
The encoding proceeds as follows. Given a 2 Z/ (2n + 1) Z, we split a into 2k parts a0; :::; a2k ¡1
of n / 2k bits. Each ai is cut into 2r ¡2 even smaller pieces ai;0; :::; ai;2r ¡2 ¡1 of b bits. Then a is
encoded as
k ¡2
2X ¡1 2rX ¡1
a~ := ai; j X j Y i ;
i=0 j =0
of X j are zero for 2r ¡2 6 j < 2r ¡1; this zero-padding is the price Fürer pays for introducing articial
roots of unity.)
We represent complex coecients by elements of C p 2e for a suitable precision parameter p. The
exponent e varies during the algorithm, as explained in [19]; nevertheless, additions and subtrac-
tions only occur for numbers with the same exponent, as in the algorithms from sections 4 and 6.
Given u; v 2 (Z / (2n + 1) Z)[i], to successfully recover the product u v from the polynomial
¡ k
product u~ v~ 2 R[Y ] / Y 2 + 1 , we must choose p > 2 b + k + r + h, where h is an allowance for
numerical error. Certainly r 6 k 6 lg n, and, as shown by Fürer, we may also take h = O(lg n) (an
analogous conclusion is reached in sections 4 and 6). Thus we may assume ¡ that p = 2 b + O(lg n).
We must now show how to compute a product u~ v~, for u~; v~ 2 R[Y ]/ Y 2 + 1 . Fürer handles
these types of multiplications using half-DFTs, i.e., DFTs that evaluate at odd powers of ,
k+1 ¡r
where 2 R is a principal 2k+1 -th root of unity such that 2 = X (Lemma 7.1). To keep
terminology and notation consistent with previous sections, we prefer to make the substitution
Pk P
U (X ; Y ) := u~(X ; Y ), i.e., writing u~ = 2i=0¡1 u~i(X) Y i, we put U := i (u~i i) Y i, and similarly
for v~ and V . This reduces the problem to computing the product U V in R[Y ] / (Y 2 ¡ 1). The
change of variable imposes a cost of O(2k mR), where mR is the cost of a multiplication in R.
k k ¡r
So now consider a product U V , where U ; V 2 R[Y ]/(Y 2 ¡ 1). Let ! := 2, so that ! 2 = X.
Let d := dk /re, and write k = r1 + + rd with ri := r for i 6 d ¡ 1 and rd := k ¡ (d ¡ 1) r 6 r. For
each i, let Ai be the algorithm for DFTs of length 2ri that applies the usual CooleyTukey method,
r ¡ri
taking advantage of the fast 2ri-th root of unity X 2 : The complexity of Ai is O(2ri +r ri p), since
it performs O(2 ri) linear-time operations on objects of bit size O(2r p). Let D be the complexity
of the algorithm A := A1 Ad for DFTs of length 2k over R. Then (2.4) yields
X k k
D 6 O 2 k¡ri ri +r
2 ri p + 2 mR + O(n lg n);
The rst term is bounded by O(d 2k 2r r p) = O((2k+r p) k) = O(n lg n), since p = O(b).
Let us now consider the second term dk / r e 2k mR, which describes the cost of the twiddle factor
multiplications. This term turns out to be the dominant one. Both Kronecker substitution and
FFT multiplication may be considered for multiplication in R, but it turns out that Kronecker
substitution is faster (a similar phenomenon was noted in Remark 4.2). So we reduce multiplication
in R to multiplication in (Z/(2n + 1) Z)[i] where n 0 > 2r ¡1 (2 p + r + 2) is admissible and divisible
by 2r ¡1. For any reasonable denition of admissibility we then have n 0 = (1 + o(1)) 2r p, provided
that r is somewhat smaller than p. (In the interests of brevity, we will not specify the o(1) terms
for the remainder of the argument. They can all be controlled along the lines of section 6.) Most
of the twiddle factors are reused many times, so we will assume that mR = (2 + o(1)) C(n 0), where
the factor 2 counts the two (rather than three) DFTs needed for each multiplication of size n 0. The
term of interest then becomes
k k r + lg p 2k+r p k
2 mR = (2 + o(1)) C(n 0):
r r n 0 lg n 0
David Harvey, Joris van der Hoeven, Grégoire Lecerf 19
lg n
Since p = 2 b + O(lg n) = 2 + O b b and 2k+r b = 4 n, this yields
lg n r + lg p n lg n
D 6 (16 + o(1)) 1 + O C(n 0) + O(n lg n):
b r n 0 lg n 0
To minimise the leading constant, we must choose b to grow faster than lg n, and r to grow faster
than lg p. For example, taking r := (lg lg n)2 and k := lg n ¡ r ¡ lg (lg2 n) leads to b = 4 n/2k+r lg2 n
and lg p lg b lg lg n. The function mapping n to n 0 is then bounded by a logarithmically slow
function, and a similar argument to section 6 shows that I(n) = O(n log n 16log n).
Roughly speaking, they replace the coecient ring C with the eld Q p of p-adic numbers, for
a suitable prime p. In this context, working to nite precision means performing computations
in Z/ p Z, where > 1 is a precision parameter.
The main advantage of this approach is that the error analysis becomes trivial; indeed Z/ p Z
is a ring (unlike our C p), and arithmetic operations never lead to precision loss (unless one divides
by p, which never happens in these algorithms). The main disadvantage is that there are certain
technical diculties associated with nding an appropriate p; this is discussed in section 8.2 below.
The aim of this section is to sketch an analogue of the algorithm of section 6 that achieves
I(n) = O(n log n 8log n) using modular arithmetic instead of C. We assume familiarity with p-adic
This choice ensures that lg(p) > 2 b + k, so knowledge of the product in (Z / p Z)[X]/(X 2 ¡ 1)
determines it unambiguously in Z[X]/(X 2 ¡ 1).
To compute each DFT, we rst use the CooleyTukey algorithm to decompose it into short
transforms of length 2r, where r := (lg lg n)2. (As in section 6, there are also residual transforms
of length 2rd for some rd 6 r, whose contribution to the complexity is negligible.) Multiplications
in Z/ p Z, such as the multiplications by twiddle factors, are handled using SchönhageStrassen's
algorithm, with the divisions by p being reduced to multiplication via Newton's method. We
then use Bluestein's algorithm to convert each short transform to a cyclic convolution of length 2r
over Z/ p Z, and apply Kronecker substitution to convert this to multiplication in Z/(2n ¡ 1) Z,
where n 0 is the smallest admissible integer exceeding 2r (2 lg p + r). This multiplication is then
handled recursively.
Now, since lg p = O(lg n), lg p > k, b lg2 n and k = O(lg n), we have = (2 + O(1/lg n)) b/lg p,
and hence n 0 = (4 + O(1 / lg lg n)) b 2r, just as in section 6. The rest of the complexity analysis
follows exactly as in the proof of Theorem 6.4, except for the computation of p and !, which is
considered below.
20 Even faster integer multiplication
Remark 8.1. The role of the precision parameter is to give some extra exibility regarding the
choice of p. If there was an ecient way to nd a prime p = 1 (mod 2k) larger than 22b+k (but not
too much larger), and an ecient way to nd a suitable 2k-th root of unity modulo p, then we
could always take := 1 and obtain an algorithm working directly over the nite eld F p.
Lemma 8.2. For all suciently large k we have p0(k) < 26k, and we may compute p0(k) in time
O(25k k O(1)).
Proof. This is a special case of Linnik's theorem [34, 35], which states that there exist constants
C and L such that for any a; b 2 N with gcd (a; b) = 1, there exists a prime number p = a (mod b)
with p < C bL. The best currently known estimate L 6 5.2 for L is due to Xylouris [53]. Applying
this result for a = 1 and b = 2k, we get the bound p < 26k for large enough k. The complexity bound
follows by testing 2k + 1; 2 2k + 1; 3 2k + 1; ::: for primality until we nd p, using a polynomial
time primality test [1].
The diculty with this result already noted in [15] is that the time required to nd p
greatly exceeds the time bound we are trying to prove for I(n)!
To avoid this problem, De et al suggested using a multivariate splitting, i.e., by encoding each
integer as a polynomial in Z[X1; :::; Xm] for suitable m, say m > 7. One then uses m-dimensional
DFTs to multiply the polynomials. Since the transform length is shorter, one can get away with
a smaller p. Unfortunately, this introduces further zero-padding and leads to a larger value of K,
ruining our attempt to achieve the bound O(n log n 8log n).
On the other hand, we note that the problem only really occurs at the top recursion level.
Indeed, at deeper recursion levels, there is exponentially more time available at the previous level
to compute p. So one possible workaround is to use a dierent, suciently fast algorithm at the
top level, such as Fürer's algorithm, and then switch to the algorithm sketched in section 8.1 for
the remaining levels. In this way one still obtains the bound O(n log n 8log n), and asymptotically
almost all of the computation is done using the algorithm of section 8.1.
If one insists on avoiding C entirely, there are still many choices: one could use the algorithm
of De et al at the top level, or use a multivariate version of the algorithm of section 8.1. One
could even use the SchönhageStrassen algorithm, whose main recursive step yields the bound
I(n) = O(n1/2 I(n1/2) + n log n); applying this three times gives I(n) = O(n7/8 I(n1/8) + n log n), and
then to multiply integers with n1/8 bits, one can nd a suitable prime using Lemma 8.2 in time
O(n3/4 +o(1)) = O(n).
Another way to work around the problem is to assume the generalised Riemann hypothesis
(GRH). De et al pointed out that under GRH, it is possible to nd a suitable prime eciently using
a randomised algorithm. Here we show that, under GRH, we can even use deterministic algorithms.
Lemma 8.3. Assume GRH. Then p0(k) = O(2 2k k 2), and we may compute p0(k) in time
O(2k k O(1)).
Proof. The rst bound is given in [26], and the complexity bound follows similarly to the proof
of Lemma 8.2.
To use this result, we must modify the algorithm of section 8.1 slightly. Choose a constant C > 3
so that we can compute p0(k) in time O(2k k C ), as in Lemma 8.3. Increase the coecient size from
(lg n)2 to (lg n)C ¡1, and change the denition of admissibility accordingly. The transform length
then decreases to 2k = O(n / (lg n)C ¡1), and the cost of computing p decreases to only O(n lg n). The
rest of the complexity analysis is essentially unchanged; the result is an algorithm with complexity
O(n log n 8log n), working entirely with modular arithmetic, in which the top recursion level does
Lemma 8.4. Given k; > 1 and a prime p = 1 (mod 2k), we may nd !~ 2 Z / p Z such that
!~ = ! (mod p) for some primitive 2k-th root of unity ! 2 Q p, in time O(p1/4 + + (k log p)1+)
for any > 0.
Proof. We may nd a generator g of (Z / p Z) deterministically in time O(p1/4 +) [48]. Then
!~0 = g(p¡1)/2 is a primitive 2k-th root of unity in Z / p Z, and there is a unique primitive 2k-th
root of unity ! 2 Q p congruent to !~0 modulo p. Given !~0, we may compute ! (mod p) using fast
Newton lifting in time O((k log p)1+) [9, Section 12.3].
In the context of section 8.1, we may assume that = O((lg n)O(1)) and k = O(lg n), so the
cost of nding ! is O(p1/4 +). This is certainly less than the cost of nding p itself, using either
Lemma 8.2 or Lemma 8.3.
than p. Happily, F p 0 contains suitable roots of 2, and this enables us to adapt their algorithm to
0 0
our setting. Moreover, since (p 0)2 ¡ 1 = 2 q +1 (2 q ¡1 ¡ 1), the eld F p 0[i] contains roots of unity of
high power-of-two order, namely of order 2q +1 , so we can perform FFTs over F p 0[i] very eciently.
22 Even faster integer multiplication
Finally, we can no longer use Kronecker substitution, as this would reintroduce the very zero-
padding we are trying to avoid. Instead, we take our basic problem to be polynomial multiplication
over (Z / p Z)[i] (where p = 2 q ¡ 1 is not necessarily prime). After the CrandallFagin splitting step,
we have a bivariate multiplication problem over F p 0[i], which is solved using 2-dimensional FFTs
over F p 0[i]. These FFTs are in turn reduced to 1-dimensional FFTs using standard methods; this
dimension reduction is, roughly speaking, the analogue of Kronecker substitution in this algorithm.
(Indeed, it is also possible to give an algorithm along these lines that works over C but avoids Kro-
necker substitution entirely; this still yields K = 8 because of the short product problem mentioned
above.) For the 1-dimensional transforms, we use the same technique as in previous sections: we
use CooleyTukey's algorithm to decompose them into short transforms of exponentially shorter
length, then use Bluestein's method to convert them to (univariate) polynomial products, and
nally evaluate these products recursively.
Conjecture 9.1. There exist constants 0 < a < b such that for all x > 3,
a log log x < m(x) < b log log x:
Proposition 9.2. Assume Conjecture 9.1 and let c := b / a. For any integer n > 2, there exists
a Mersenne prime p = 2 q ¡ 1 in the interval 2n < p < 2n . Given n, we may compute the smallest
such p, and nd a primitive 2q+1 -th root of unity in F p[i], in time O(n(3+o(1))c).
An integer of the form 2 q ¡ 1 may be tested for primality in time q 2+o(1) using the LucasLehmer
primality test [13]. A simple way to compute p is to apply this test successively for all q 2 fn + 1; :::;
bnc cg; this takes time O(n(3+o(1))c). A primitive 2q+1 -th root of unity ! may be computed by the
q ¡2 q ¡2
formula ! := 22 + (¡3)2 i 2 Fp[i] in time O(q 2+o(1)); see [43] or [14, Corollary 5].
We regard ui and vi as complex digits of u and v, where the base 2ei+1 ¡ei varies with the position i.
Notice that ei+1 ¡ ei takes only two possible values: bq /N c or dq /N e.
For 0 6 i < N , let
ci := N ei ¡ q i; (9.2)
so that 0 6 ci < N . For any 0 6 i1; i2 < N , dene i1;i 2 2 Z as follows. Choose 2 f0; 1g so that
i := i1 + i2 ¡ N lies in the interval 0 6 i < N , and put
i1;i 2 := ei1 + ei2 ¡ ei ¡ q:
From (9.2), we have
ci1 + ci2 ¡ ci = N (ei1 + ei2 ¡ ei) ¡ q (i1 + i2 ¡ i) = N i1;i 2:
Since the left hand side lies in the interval (¡N ; 2 N ), this shows that i1;i 2 2 f0; 1g. Now, since
2 q = 1 (mod p) and ei1 + ei2 = ei + i1;i 2 (mod q), we have
X ¡1 N
X ¡1 N
X ¡1
uv = ui1 vi2 2ei1 +ei2 = wi 2ei (mod p);
i1 =0 i2 =0 i=0
wi := 2i1;i 2 ui1 vi2:
i1 +i2 =i (mod N )
Since jui1j < 2 2dq/N e and similarly for vi2, we have wi 2 Z4dq/N e+1 N [i]. Note that we may
recover u v from w0; :::; wN ¡1 in time O(q), by a standard overlap-add procedure (provided that
N = O(q /lg q)).
Let h be the inverse of q 0 modulo N ; this inverse exists since we assumed gcd(N ; q 0) = 1. Let
:= 2h 2 F p 0, so that
N = 2hN = 2;
since 2 has order q 0 in F p 0. The quantity plays the same role as the real N -th root of 2 appearing
in CrandallFagin's algorithm.
Now dene polynomials U ; V 2 F p 0[i][Y ]/(Y N ¡ 1) by Ui := ci ui and Vi := ci vi for 0 6 i < N ,
and let W = W0 + + WN ¡1 Y N ¡1 := U V be their (cyclic) product. Then
X X c +c ¡c X
~i := ¡ci Wi =
w ¡ci Ui1 Vi2 = i1 i2 i ui1 vi2 = 2 i1;i 2 ui1 vi2
i1 +i2 =i (mod N )
Remark 9.3. The pair (ei+1 ; ci+1 ) can be computed from (ei ; ci) in O(lg q) bit operations, so
we may compute the sequences e0; :::; eN ¡1 and c0; :::; cN ¡1 in time O(N lg q). Moreover, since
ci+1 ¡ ci takes on only two possible values, we may compute the sequence c0; :::; cN ¡1 using O(N )
multiplications in F p 0[i].
Using the assumption that q 0 > 2 dq / N e + lg (M N ) + 3, we recover the coecients wi; j , and hence
the product u v, from the bivariate cyclic convolution product W = U V .
Proof. Let f (q) := (log2 q) (log2 log2 q). Using [6], we may construct a function g(q) such that
jg(q) ¡ f (q)j 6 1/ q for all q > 2, and which may be computed in time (log q)1+o(1). One checks that
1 1 1
f (q + 1) ¡ f (q) > 2/ q for all q > 2, so g(q + 1) > f (q + 1) ¡ q + 1 > f (q + 1) ¡ q > f (q) + q > g(q)
for q > 2. Thus g(q) is increasing, and (q) := bg(q) + 3/2c has the desired properties.
We say that an integer n > 2 is admissible if it is of the form n = q M where M := M (q) for some
q > 2. (This should not be confused with the notion of admissibility of section 6.) An element of
(Z / p Z)[i][X] / (X M ¡ 1) is then represented by 2 n bits. Note that q 7! q M(q) is strictly increasing,
so there is a one-to-one correspondence between integers q > 2 and admissible n. For x > 2 we
dene (x) to be the smallest admissible integer n > x.
Lemma 9.5. We have (n) = O(n) as n ! 1. Given n > 2, we may compute (n), and the
corresponding q, in time o(n).
Proof. From (9.3) we have (q + 1) M (q + 1) / (q M (q)) = O 2 (q+1)¡ (q) = O(1); this immediately
implies that (n) = O(n).
Suppose that we wish to compute (n) for some n. We assume that n is large enough that
the denition q0 := 2dlg n/(lg lg n¡lg lg lg n¡1)e makes sense and so that q0 > 2. One checks that
(log2 q0) (log2 log2 q0) > lg n, so (q0) > lg n and hence q0 M (q0) > n. To nd the smallest suitable q,
we may simply compute q M (q) for each q = 2; 3; :::; q0, and compare with n. This takes time
O q0 (log q0)1+o(1) = o(n).
Now let q > 2, p := 2 q ¡ 1 and M := M (q). Consider the problem of computing t > 1 products
u1 v; :::; ut v with u1; :::; ut; v 2 (Z/ p Z)[i][X] / (X M ¡ 1). We denote by Ct(n) the complexity of this
problem, where n := q M (q) is the admissible integer corresponding to q. As in section 6, we dene
C(n) := supt>1 Ct(n)/(2 t + 1).
Notice that multiplication of two integers of bit size 6k reduces to the above problem, for t = 1,
via a suitable Kronecker segmentation. Indeed, let n := (8 k) = q M (q) for some q, and encode
the integers as integer polynomials of degree less than M / 2 with coecients of bit size m :=
dk / (M /2)e. The desired product may be recovered from the product in (Z/ p Z)[i][X]/ (X M ¡ 1),
4k q
2 m + lg (M /2) 6 + (q) 6 + (q) 6 q ¡ 1
M 2
for large q. Thus, as in section 6, we have I(k) 6 3 C(O(k)) + O(k), and it suces to obtain a good
bound for C(n).
David Harvey, Joris van der Hoeven, Grégoire Lecerf 25
Now suppose additionally that p = 2 q ¡ 1 is prime. In this case (Z / p Z)[i] = F p[i] is a eld, and
as noted above, it contains 2 q+1 -th roots of unity, so we may dene DFTs of length 2r over F p[i]
for any r 6 q + 1. In particular, for r 6 q we may use Bluestein's algorithm to compute DFTs of
length 2r. Denote by Bq;t (2r) the cost of evaluating t independent DFTs of length 2r over F p[i],
and put B q(2r) := supt>1 B q;t (2r)/(2 t + 1). Here we assume as usual that a 2r+1 -th root of unity
is known, and that the corresponding Bluestein root table has been precomputed.
Let us apply these denitions in the case r := lg M ; this is permissible, as lg M 6 q for suciently
large q. Since convolution of length M over F p[i] is exactly the basic recursive problem, and since
one of the operands is xed, we have Bq;t (M ) 6 Ct(n) + O(t M I(q)), where n := q M , and hence
Bq(M ) 6 C(n) + O(M I(q)): (9.4)
Theorem 9.6. Assume Conjecture 9.1. Then there exists x0 > 2 and a logarithmically slow function
: (x0; 1) ! R with the following property. For all admissible n > x0 , there exists an admissible
n 0 6 (n) such that
C(n) 1 C(n 0)
6 4+O + O(1): (9.5)
n lg n lg lg lg n n 0 lg n 0
Proof. Let n := q M with M = M (q). Assume that we wish to compute t > 1 products with one
xed operand. Our goal is to reduce to a problem of the same form, but for exponentially smaller n.
0 2
Choose parameters. Let p 0 = 2 q ¡ 1 be the smallest Mersenne prime larger than 2(lg M ) . By
2 2c
Proposition 9.2, we have 2(lg M ) < p 0 < 2(lg M ) , whence (lg M )2 6 q 0 6 (lg M )2c, for some absolute
constant c > 1. Moreover, we may compute p 0, together with a primitive 2q +1 -th root of unity !
in F p 0[i], in time O((lg M )(6+o(1))c) = O(n lg n). We dene M 0 := M(q 0) and n 0 := q 0 M 0.
The algorithm must perform various multiplications in F p 0[i], at cost O(I(q 0)). For simplicity
we will use SchönhageStrassen's algorithm for these multiplications, i.e., we will take I(q 0) =
O(q 0 lg q 0 lg lg q 0). Since lg q 0 = O(lg lg M ) = O(lg lg n), we have
I(q 0) = O(q 0 lg lg n lg lg lg n):
CrandallFagin reduction. We use the framework of section 9.3 to reduce the basic multipli-
cation problem in (Z / p Z)[i][X]/ (X M ¡ 1) to multiplication in F p 0[i][X ; Y ]/(X M ¡ 1; Y N ¡ 1) for
suitable N . We take N := 2` s where
` := lg ;
q 0 lg lg q
s := 2 ` 0 + 1:
2 (q ¡ lg2 q)
We also write L := 2`. The denition of s makes sense for large q since q 0 > (lg M )2 (lg q lg lg q)2.
Let us check that the hypotheses of section 9.3 are satised for large q. We have L q /(q 0 lg lg q)
and hence s lg lg q; in particular, s = / q 0, so gcd(N ; q 0) = 1, and also N q / q 0 q / lg q.
Since N = L s > 2 q / (q ¡ lg q), we also have 2 dq / N e 6 q 0 ¡ lg2 q + O(1), and thus
0 2
Reduction to short transforms. Consider one of the long univariate DFTs of length 2k 2 fM ;
Lg over F p 0[i]. We decompose the DFT into short DFTs of length M 0 as follows. Let r :=
lg M 0 = O(lg lg n lg lg lg n) and d := dk / r e = O(lg n / (lg lg n lg lg lg n)), and write k = r1 + + rd where
ri := r for 1 6 i 6 d ¡ 1 and rd := k ¡ (d ¡ 1) r 6 r. We use the algorithm A := A1 Ad, where
for 1 6 i 6 d ¡ 1 we take Ai to be the algorithm based on Bluestein's method (discussed immediately
before (9.4)), and where Ad is the usual CooleyTukey algorithm over F p 0[i]. Let Dk be the cost
of a single invocation of A (or of the corresponding inverse transform A 0). By (2.4) we have
Dk 6 (d ¡ 1) Bq 0;2k ¡r(2r) + O(2k¡rd 2rd rd I(q 0)) + O(d 2k I(q 0)) + O(2k q 0 lg n):
The cost of precomputing the necessary root tables is only O(2k I(q 0)). By denition Bq 0;2k ¡r(2r) 6
(2 2k¡r + 1) B q 0(M 0). From (9.4) and the estimate 2k¡r lg lg n, the rst term becomes
(d ¡ 1) Bq 0;2k ¡r(2r) 6 (2 + O(1/lg lg n)) (d ¡ 1) 2k¡r C(n 0) + O(d 2k¡r M 0 I(q 0)):
The contribution to Dk from all terms involving I(q 0) is
lg n
O(2 (rd + d) I(q )) = O 2
k k
q lg lg n lg lg lg n = O(2k q 0 lg n);
lg lg n lg lg lg n
Dk 6 (2 + O(1/lg lg n)) (d ¡ 1) 2k¡r C(n 0) + O(2k q 0 lg n):
Denoting by D the cost of a bivariate DFT of length M L over R, we thus have (ignoring the
transposition costs, which were included earlier)
D = s L Dlg M + s M Dlg L
1 lg M M lg L L
6 2+O sL + s M C(n 0) + O(s L M q 0 lg n)
lg lg n lg M 0 M 0 lg M 0 M 0
1 lg (L M )
6 2+O sLM C(n 0) + O(s L M q 0 lg n)
lg lg n M 0 lg M 0
1 n lg n
6 4+O C(n 0) + O(n lg n):
lg lg n n 0 lg M 0
Moreover, since
lg n 0 lg q 0 1 1
= 1 + = 1 + O = 1 + O ;
lg M 0 lg M 0 lg lg q 0 lg lg lg n
we get
1 n lg n
D 6 4+O C(n 0) + O(n lg n):
lg lg lg n n 0 lg n 0
David Harvey, Joris van der Hoeven, Grégoire Lecerf 27
We must perform 2 t + 1 bivariate DFTs; the bound (9.5) then follows exactly as in the proof
of Theorem 6.4.
For large n, we have log q 0 = O(log log M ) = O(log log n), so log n 0 = log q 0 + O((q 0)) =
O(log q 0 log log q 0) = O(log log n log log log n). Thus there exists a constant C > 0 such that
log log log n 0 6 log log log log n + C for large n, and we may take (x) := exp3(log4 x + C).
Proof of Theorem 1.2. Follows from Theorem 9.6 and Proposition 5.3, analogously to the proof
of Theorem 1.1.
[1] M. Agrawal, N. Kayal, and N. Saxena. PRIMES is in P. Annals of Math., 160(2):781793, 2004.
[2] A. V. Aho, J. E. Hopcroft, and J. D. Ullman. The design and analysis of computer algorithms. Addison-
Wesley, 1974.
[3] L. I. Bluestein. A linear ltering approach to the computation of discrete Fourier transform. IEEE Transac-
tions on Audio and Electroacoustics, 18(4):451455, 1970.
[4] A. Bostan, P. Gaudry, and É. Schost. Linear recurrences with polynomial coecients and application to
integer factorization and Cartier-Manin operator. SIAM J. Comput., 36:17771806, 2007.
[5] C. B. Boyer. A History of Mathematics. Princeton Univ. Press, rst paperback edition, 1985.
[6] R. P. Brent. Fast multiple-precision evaluation of elementary functions. J. Assoc. Comput. Mach., 23(2):242
251, 1976.
[7] R. P. Brent and P. Zimmermann. Modern Computer Arithmetic. Cambridge University Press, 2010.
[8] P. Bürgisser, M. Clausen, and M. A. Shokrollahi. Algebraic complexity theory. Springer-Verlag, 1997.
[9] H. Cohen, G. Frey, R. Avanzi, Ch. Doche, T. Lange, K. Nguyen, and F. Vercauteren, editors. Handbook
of elliptic and hyperelliptic curve cryptography. Discrete Mathematics and its Applications. Chapman &
Hall/CRC, Boca Raton, FL, 2006.
[10] S. A. Cook. On the minimum computation time of functions. PhD thesis, Harvard University, 1966.
[11] J. W. Cooley and J. W. Tukey. An algorithm for the machine calculation of complex Fourier series. Math.
Computat., 19:297301, 1965.
[12] R. Crandall and B. Fagin. Discrete weighted transforms and large-integer arithmetic. Math. Comp.,
62(205):305324, 1994.
[13] R. Crandall and C. Pomerance. Prime numbers. A computational perspective. Springer, New York, 2nd
edition, 2005.
[14] R. Creutzburg and M. Tasche. Parameter determination for complex number-theoretic transforms using cyclo-
tomic polynomials. Math. Comp., 52(185):189200, 1989.
[15] A. De, P. P. Kurur, C. Saha, and R. Saptharishi. Fast integer multiplication using modular arithmetic. SIAM
J. Comput., 42(2):685699, 2013.
[16] J. Écalle. Introduction aux fonctions analysables et preuve constructive de la conjecture de Dulac. Hermann,
collection: Actualités mathématiques, 1992.
[17] M. Fürer. On the complexity of integer multiplication (extended abstract). Technical Report CS-89-17, Penn-
sylvania State University, 1989.
[18] M. Fürer. Faster integer multiplication. In Proceedings of the Thirty-Ninth ACM Symposium on Theory of
Computing, STOC 2007, pages 5766, New York, NY, USA, 2007. ACM Press.
[19] M. Fürer. Faster integer multiplication. SIAM J. Comp., 39(3):9791005, 2009.
[20] M. Fürer. How fast can we multiply large integers on an actual computer? Technical report,
http://arxiv.org/abs/1402.1811, 2014.
[21] J. von zur Gathen and J. Gerhard. Modern Computer Algebra. Cambridge University Press, 2nd edition, 2002.
[22] F. Q. Gouvêa. p-adic numbers. An introduction. Universitext. Springer-Verlag, Berlin, 1993.
[23] T. Granlund et al. GMP, the GNU multiple precision arithmetic library. http://gmplib.org, 1991. Latest
version 6.0.0 released in 2014.
[24] D. Harvey, J. van der Hoeven, and G. Lecerf. Faster polynomial multiplication over nite elds. Technical
report, HAL, 2014. http://hal.archives-ouvertes.fr.
[25] D. R. Heath-Brown. Almost-primes in arithmetic progressions and short intervals. Math. Proc. Cambridge
Philos. Soc., 83(3):357375, 1978.
[26] D. R. Heath-Brown. Zero-free regions for Dirichlet L-functions, and the least prime in an arithmetic progres-
sion. Proc. London Math. Soc. (3), 64(2):265338, 1992.
[27] M. T. Heideman, D. H. Johnson, and C. S. Burrus. Gauss and the history of the fast Fourier transform. Arch.
Hist. Exact Sci., 34(3):265277, 1985.
[28] J. van der Hoeven. Journées Nationales de Calcul Formel (2011), volume 2 of Les
cours du CIRM, chapter Calcul analytique. CEDRAM, 2011. Exp. No. 4, 85 pages,
http://ccirm.cedram.org/ccirm-bin/fitem?id=CCIRM_2011__2_1_A4_0 .
[29] J. van der Hoeven, G. Lecerf, B. Mourrain, et al. Mathemagix, 2002. http://www.mathemagix.org.
[30] A. Karatsuba and J. Ofman. Óìíîæåíèå ìíîãîçíà÷íûõ ÷èñåë íà àâòîìàòàõ. Doklady Akad. Nauk SSSR,
7:293294, 1962. English translation in [31].
28 Even faster integer multiplication
[31] A. Karatsuba and J. Ofman. Multiplication of multidigit numbers on automata. Soviet Physics Doklady,
7:595596, 1963.
[32] D. E. Knuth. The Art of Computer Programming, volume 2: Seminumerical Algorithms. Addison-Wesley,
[33] D. E. Knuth. The art of computer programming, volume 3: Sorting and Searching. Addison-Wesley, Reading,
MA, 1998.
[34] Yu. V. Linnik. On the least prime in an arithmetic progression I. The basic theorem. Rec. Math. (Mat.
Sbornik) N.S., 15(57):139178, 1944.
[35] Yu. V. Linnik. On the least prime in an arithmetic progression II. The Deuring-Heilbronn phenomenon. Rec.
Math. (Mat. Sbornik) N.S., 15(57):347168, 1944.
[36] R. E. Moore. Interval Analysis. Prentice Hall, Englewood Clis, N.J., 1966.
[37] O. Neugebauer. The Exact Sciences in Antiquity. Brown Univ. Press, Providence, R.I., 1957.
[38] C. H. Papadimitriou. Computational Complexity. Addison-Wesley, 1994.
[39] J. M. Pollard. The fast Fourier transform in a nite eld. Math. Comp., 25(114):365374, 1971.
[40] C. Pomerance. Recent developments in primality testing. Math. Intelligencer, 3(3):97105, 1980/81.
[41] C. M. Rader. Discrete Fourier transforms when the number of data samples is prime. Proc. IEEE, 56(6):1107
1108, June 1968.
[42] K. R. Rao, D. N. Kim, and J. J. Hwang. Fast Fourier Transform - Algorithms and Applications. Signals and
Communication Technology. Springer-Verlag, 2010.
[43] I. S. Reed and T. K. Truong. The use of nite elds to compute convolutions. IEEE Trans. Inform. Theory,
IT-21:208213, 1975.
[44] M. C. Schmeling. Corps de transséries. PhD thesis, Université Paris-VII, France, 2001.
[45] A. Schönhage. Multiplikation groÿer Zahlen. Computing, 1(3):182196, 1966.
[46] A. Schönhage. Storage modication machines. SIAM J. on Comp., 9:490508, 1980.
[47] A. Schönhage and V. Strassen. Schnelle Multiplikation groÿer Zahlen. Computing, 7:281292, 1971.
[48] I. Shparlinski. On nding primitive roots in nite elds. Theoret. Comput. Sci., 157(2):273275, 1996.
[49] D. E. Smith. History of Mathematics, volume 2. Dover, 1958.
[50] A. L. Toom. The complexity of a scheme of functional elements realizing the multiplication of integers. Soviet
Mathematics, 4(2):714716, 1963.
[51] A. L. Toom. Î ñëîæíîñòè ñõåìû èç ôóíêöèîíàëüíûõ ýëåìåíòîâ, ðåàëèçóþùåé óìíîæåíèå öåëûõ ÷èñåë.
Doklady Akad. Nauk SSSR, 150:496498, 1963. English translation in [50].
[52] S. Wagsta. Divisors of Mersenne numbers. Math. Comp., 40(161):385397, 1983.
[53] T. Xylouris. On the least prime in an arithmetic progression and estimates for the zeros of Dirichlet L-
functions. Acta Arith., 1:6591, 2011.