Divisions and Square Roots with Tight Error Analysis from Newton–Raphson Iteration in Secure Fixed-Point Arithmetic

Abstract

In this paper, we present new variants of Newton–Raphson-based protocols for the secure computation of the reciprocal and the (reciprocal) square root. The protocols rely on secure fixed-point arithmetic with arbitrary precision parameterized by the total bit length of the fixed-point numbers and the bit length of the fractional part. We perform a rigorous error analysis aiming for tight accuracy claims while minimizing the overall cost of the protocols. Due to the nature of secure fixed-point arithmetic, we perform the analysis in terms of absolute errors. Whenever possible, we allow for stochastic (or probabilistic) rounding as an efficient alternative to deterministic rounding. We also present a new protocol for secure integer division based on our protocol for secure fixed-point reciprocals. The resulting protocol is parameterized by the bit length of the inputs and yields exact results for the integral quotient and remainder. The protocol is very efficient, minimizing the number of secure comparisons. Similarly, we present a new protocol for integer square roots based on our protocol for secure fixed-point square roots. The quadratic convergence of the Newton–Raphson method implies a logarithmic number of iterations as a function of the required precision (independent of the input value). The standard error analysis of the Newton–Raphson method focuses on the termination condition for attaining the required precision, assuming sufficiently precise floating-point arithmetic. We perform an intricate error analysis assuming fixed-point arithmetic of minimal precision throughout and minimizing the number of iterations in the worst case.

1. Introduction

In this paper, we design and analyze protocols for secure fixed-point arithmetic as a practical alternative to secure floating-point arithmetic. From a numerical analysis perspective, floating-point arithmetic is very useful as floating-point numbers scale dynamically and relative errors can be controlled appropriately. Performance-wise, however, secure floating-point arithmetic is very demanding. Compared to secure integer arithmetic, for example, full support for secure floating-point numbers is usually orders of magnitude more costly. This holds across many frameworks for secure computation, ranging from all flavors of multiparty computation to fully homomorphic encryption and indistinguishability obfuscation.

Secure fixed-point arithmetic strikes a balance between performance and usability. Addition/subtraction is as efficient as for integers, whereas multiplication is costlier but relatively straightforward. Our focus in this paper is on more advanced operations such as division (via the reciprocal) and taking square roots. We present new protocols based on Newton–Raphson iteration, along with a detailed error analysis for strict accuracy guarantees at minimal cost. Moreover, turning the tables around, we show how to obtain efficient protocols for secure integer division and integer square roots from their secure fixed-point counterparts.

The Newton–Raphson method has been studied extensively in the literature on secure fixed-point arithmetic, starting with the paper by Algesheimer et al. [1]. This important paper contained the groundwork for the secure computation of the reciprocal, including a thorough error analysis, in fact aimed at a direct application to secure integer division. The works by Catrina et al. [2,3] presented the basic foundation for secure fixed-point arithmetic, also introducing probabilistic rounding as an efficient alternative to deterministic rounding. In this paper, we will closely follow the Newton–Raphson-based protocol for the reciprocal from [2]. However, we will fine-tune the use of probabilistic vs. deterministic rounding, limiting the number of truncated bits as much as possible, to guarantee an absolute error below $2^{-f}$ for any desired precision of f fractional bits.

In this paper, we will also use the Newton–Raphson method for the secure computation of the reciprocal square root. Prior work by Liedel [4] and follow-up work by Aly and Smart [5] used Goldschmidt’s method for the reciprocal square root. However, these papers lacked a complete error analysis and did not guarantee an absolute error below $2^{-f}$ for any desired precision of f fractional bits. In this paper, we will present a fine-tuned secure protocol for the reciprocal square root and a detailed error analysis, following the same approach as for the reciprocal. We will also extend this protocol to compute the square root, with the same guarantee for the absolute error.

We note that the error analysis of applications of the Newton–Raphson method commonly focuses on bounds for the relative error assuming floating-point arithmetic. Research into the accuracy of fixed-point arithmetic is in general rather limited. Sources like [6,7,8] (Section 4.2, in particular) have treated some basic aspects. For instance, Wilkinson [7] already covered the basic idea that the inner product of two vectors $\mathbf{x},\mathbf{y}$ can be computed accurately by accumulating the terms $x_i{y}_i$ exactly and only rounding the final sum to the desired precision; this idea carries over to the setting of secure computation, see Table 2 in [2]. A further aspect of the secure use of the Newton–Raphson method is that it should always be run for the same (worst-case) number of iterations to avoid leaking information about the input. In this paper, we present the first detailed analysis taking all these aspects into account.

We present our solutions in a generic way, assuming secure integer and fixed-point arithmetic with a small set of basic operations. Each basic operation needs to be implemented by means of a secure protocol, operating on either secret-shared, encrypted, or encoded values, depending on the underlying framework for secure computation. Although the performance of these protocols varies across frameworks, the relative performance behaves similarly between operations like secure addition, multiplication, or comparison, as well as the secure generation of random bits. For concreteness, we will focus on secure multiparty computation (MPC) as the underlying framework. Specifically, we consider the use of probabilistic rounding (versus deterministic rounding) to limit the cost of secure fixed-point multiplications. Many results, however, carry over to related areas in cryptography such as (fully) homomorphic encryption.

The paper is organized as follows. Above, we elaborated on the state of the art for the secure fixed-point computation of the reciprocal and the reciprocal square root, emphasizing the lack of detailed error analyses. Section 2 explains some basic aspects of MPC and provides a brief introduction to secure fixed-point arithmetic; in particular, some details about the use of probabilistic rounding are presented, and the basics of the Newton–Raphson method are highlighted. Section 3 presents our solution for the secure computation of the reciprocal, together with a tight error analysis achieving a given fixed-point precision while minimizing the computational cost. In Section 4, we demonstrate a direct application of the secure fixed-point reciprocal, namely for efficient secure integer division (with the remainder). Section 5 then presents our solution for the secure computation of the reciprocal square root, essentially following the same approach as for the reciprocal, although the details are more intricate. In Section 6 we demonstrate a direct application of the secure fixed-point reciprocal square root, namely for the efficient secure computation of fixed-point square roots with precise error bounds, which we use in turn for efficient secure integer square roots. We conclude in Section 7 and mention some applications and concurrent work on a related problem. Finally, Appendix A collects all lemmas and proofs left out of the main text; all theorems and proofs are included in the main text.

2. Preliminaries

Below, we provide the background on secure fixed-point arithmetic underlying all protocols in this paper. We also discuss the concept of probabilistic rounding and briefly review the Newton–Raphson method.

2.1. Secure Computation

We present our protocols for the secure computation of the reciprocal and the (reciprocal) square root in terms of an arithmetic black box (following, e.g., [9,10,11]). The protocols are specified in pseudocode, using a limited set of operations commonly supported in many MPC frameworks. The parties executing these operations are suppressed from the notation.

We use $\left[\right[a\left]\right]$ to denote a secure representation of value a. That is, $\left[\right[a\left]\right]$ can be thought of as either a secret-shared value a or a public-key (homomorphic) encryption of a value a. We let $\mathsf{Open}\left(\right[\left[a\right]\left]\right)$ denote the pooling of (decryption) shares to reveal the value of a in the clear. Secure arithmetic over a finite field (or finite ring) using $+,-,\ast ,/$ is assumed to be available. The common representation of integral and fixed-point numbers as ℓ-bit integers in a bounded range $[-2^{\ell -1},2^{\ell -1})\subset {\mathbb{Z}}_N$ is assumed, where $2^{\ell +\kappa }<N$ for security parameter $\kappa$. This allows for efficient secure comparisons $<,\le ,>,\ge ,=,\ne$. To denote a uniform randomly generated secure bit b, we write $\left[\left[b\right]\right]{\in }_R\{0,1\}$. Similarly, we write $\left[\left[r\right]\right]{\in }_R\{0,1,\dots ,2^{\ell +\kappa }-1\}$ to denote a secure integer r distributed sufficiently randomly such that the statistical distance $\Delta (r;2^{\ell }+r)<2^{-\kappa }$ is negligible as a function of $\kappa$.

As a more advanced primitive, we assume the availability of operation $\left[\right[v\left]\right]\leftarrow \mathsf{Scale}\left(\right[\left[a\right]\left]\right)$, for $a\ne 0$. Here, $v=\pm 2^k$, for some $k\in \mathbb{Z}$, is uniquely determined by the constraint $\frac{1}{2}\le av<1$. Similarly, we use $\left[\left[v\right]\right],[[v^{\frac{1}{2}}]]\leftarrow \mathsf{Scale}\left(\left[\left[a\right]\right]\right)$ to denote the same operation with the additional constraint that k is even.

Efficient implementations for these operations are assumed. The round complexity is typically either constant or logarithmic. To ensure logarithmic round complexity of $O(log\ell )$ for our protocols operating on ℓ-bit fixed-point numbers, it suffices that basic secure arithmetic $+,-,*,/$ takes $O\left(1\right)$ rounds and that secure comparison < and $\mathsf{Scale}\left(\right[\left[a\right]\left]\right)$ take $O(log\ell )$ rounds.

2.2. Secure Fixed-Point Arithmetic

We follow the model for secure fixed-point arithmetic put forth by Catrina et al. [2,3]. For $\ell >f\ge 0$, the set ${\mathbb{Q}}_{\ell ,f}$ of ℓ-bit fixed-point numbers with f fractional bits is defined as

$${\mathbb{Q}}_{\ell ,f}=\{\overline{x}{2}^{-f}:\overline{x}\in \mathbb{Z},-2^{\ell -1}\le \overline{x}<2^{\ell -1}\}.$$

The integer part of a fixed-point number thus consists of $e=\ell -f$ bits, of which the most significant bit represents the sign. Phrased differently, we use two’s complement for the binary representation of fixed-point numbers $x\in {\mathbb{Q}}_{\ell ,f}$:

$$x={(d_{e-1}\dots d_0.d_{-1}\dots d_{-f})}_2=-d_{e-1}{2}^{e-1}+\sum _{i=-f}^{e-2}{d}_i{2}^i,\mathrm{with} d_i\in \{0,1\}.$$

The value ${\delta }_f=2^{-f}$ corresponding to the least significant bit of x is also loosely referred to as the precision.

For the implementation of fixed-point arithmetic, a number $x=\overline{x}{2}^{-f}\in {\mathbb{Q}}_{\ell ,f}$ is simply represented by the integer $\overline{x}$. This integer representation is particularly convenient for the implementation of secure fixed-point arithmetic, e.g., when all computation is carried out with secret-shared numbers over a prime field. The factor $2^{-f}$ is publicly known and is only used when the results are output as fixed-point numbers. The actual calculations are performed with integer values only.

The sum of two fixed-point numbers x and y is obtained by adding their integer representations. That is, setting $\overline{x+y}=\overline{x}+\overline{y}$ gives the correct result:

$$\overline{x+y}{2}^{-f}=(\overline{x}+\overline{y})2^{-f}=\overline{x}{2}^{-f}+\overline{y}{2}^{-f}=x+y.$$

For the product of a fixed-point number x and an integer t, we set $\overline{tx}=t\overline{x}$ to obtain the desired result:

$$\overline{tx}{2}^{-f}=\left(t\overline{x}\right)2^{-f}=t\left(\overline{x}{2}^{-f}\right)=tx.$$

Computing the product of two fixed-point numbers, however, is slightly more involved. Simply multiplying the integer representations $\overline{x}$ and $\overline{y}$ does not yield a useful result for $\overline{xy}$:

$$\left|\overline{x}\overline{y}{2}^{-f}-xy\right|=\left|\left(x{2}^f\right)\left(y{2}^f\right)2^{-f}-xy\right|=\left|xy{2}^f-xy\right|\gg 0.$$

We therefore divide $\overline{x}\overline{y}$ by $2^f$ and apply some form of rounding to obtain an integral result. For instance, we may use $\lfloor \overline{x}\overline{y}{2}^{-f}\rceil$ as a close approximation of $\overline{xy}$, where $\lfloor ·\rceil$ denotes rounding to the nearest integer:

$$\left|\lfloor \overline{x}\overline{y}{2}^{-f}\rceil 2^{-f}-xy\right|=\left|\lfloor xy{2}^f\rceil 2^{-f}-xy\right|=\left|\lfloor xy{2}^f\rceil -xy{2}^f\right|2^{-f}\le \frac{1}{2}{2}^{-f}=\frac{1}{2}{\delta }_f.$$

By (deterministically) rounding to the nearest integer, the absolute error is limited to $\frac{1}{2}{\delta }_f$ in the worst case. For reasons of efficiency, however, we will often allow a slightly larger error of ${\delta }_f$ in the worst case by using probabilistic rounding.

Remark 1.

In the remainder of this paper, we will use the integer representation of fixed-point numbers in the pseudocode of the algorithms. For a better intuitive understanding, however, we consider the actual fixed-point numbers in the error analyses. Concretely, if we write x, this means x in the analyses but $\overline{x}$ in the algorithms.

2.3. Probabilistic Rounding

Apart from the primitives for secure computation introduced above, we will use two specific methods for rounding secure fixed-point numbers. Algorithm 1 covers both methods, referred to as deterministic and probabilistic rounding, respectively. Deterministic rounding is the common method of rounding a to the nearest integer $\lfloor a\rceil$. Probabilistic rounding [2,3] yields either $\lfloor a\rfloor$ or $\lceil a\rceil$ as a result, where the value closest to a tends to be more likely.

Remark 2.

Probabilistic (or stochastic) rounding is applied in various research fields, including machine learning, ODEs and PDEs, quantum computing, and digital signal processing, usually in combination with a severe limitation on numerical precision (see, for instance, [12,13,14,15]). The latter condition makes probabilistic rounding desirable in these cases, because it ensures zero-mean rounding errors and avoids the problem of stagnation, where small values are lost to rounding when they are added to an increasingly large accumulator [16]. However, the use of a randomness source may be expensive, as the number of random bits (entropy) varies with the probability distribution required for the rounding errors.

To make the distinction between deterministic rounding and probabilistic rounding more concrete, consider the following equation for the exact result of the product $xy$:

$$xy{2}^f=⌊xy{2}^f⌋+r.$$

The first term on the right-hand side captures the integer part of $xy$ together with the first f fractional bits, while r contains the remaining f fractional bits; hence, $r\in [0,1)$. The probabilistically rounded result ${\lfloor xy\rceil }_{\$}$ then yields

$${\lfloor xy\rceil }_{\$}=\left\{\begin{array}{cc}xy-r{\delta }_f\hfill & \mathrm{w}\mathrm{i}\mathrm{t}\mathrm{h}\mathrm{p}\mathrm{r}\mathrm{o}\mathrm{b}\mathrm{a}\mathrm{b}\mathrm{i}\mathrm{l}\mathrm{i}\mathrm{t}\mathrm{y}1-r,\hfill \\ xy+(1-r){\delta }_f\hfill & \mathrm{w}\mathrm{i}\mathrm{t}\mathrm{h}\mathrm{p}\mathrm{r}\mathrm{o}\mathrm{b}\mathrm{a}\mathrm{b}\mathrm{i}\mathrm{l}\mathrm{i}\mathrm{t}\mathrm{y}r.\hfill \end{array}\right.$$

The maximum difference ${\delta }_f$ between $xy$ and ${\lfloor xy\rceil }_{\$}$ occurs when $xy=⌊xy⌋$ and ${\lfloor xy\rceil }_{\$}=⌊xy⌋+{\delta }_f$, hence only when $r=0$. This happens with probability 0, so for the probabilistic rounding error e after a single multiplication, we have $|e|<{\delta }_f$. As always, for the deterministic rounding error e, we have $|e|\le \frac{1}{2}{\delta }_f$.

As can be seen from Algorithm 1, deterministic rounding in MPC is significantly more expensive than probabilistic rounding due to the use of the secure comparison $c^{\prime }<\left[\left[r\right]\right]$ in line 10. Given the bits $\left[\left[r_0\right]\right],\dots ,\left[\left[r_{\nu -1}\right]\right]$ of $\left[\right[r\left]\right]$ and the bits of $c^{\prime }$, a common implementation of $c^{\prime }<\left[\left[r\right]\right]$ takes approximately $\nu$ secure multiplications in ${log}_2\nu$ rounds, whereas the other parts of the algorithm commonly take $O\left(1\right)$ rounds (the asymptotic round complexity for secure comparison can be limited to $O\left(1\right)$ rounds following [10], but the hidden constant is too large for practical purposes). For the deterministic rounding of $a/2^{\nu }$ to the nearest integer, we first add $2^{\nu -1}$ to a and then truncate the $\nu$ least significant bits. The comparison $c^{\prime }<\left[\left[r\right]\right]$ is needed to obtain the correct output. For probabilistic rounding, we omit the corrections in lines 2 and 10, saving the work for a secure comparison.

Algorithm 1 ${\mathsf{Round}}_{\nu }(\left[\left[a\right]\right],\mathrm{m}\mathrm{o}\mathrm{d}\mathrm{e}=\mathrm{p}\mathrm{r}\mathrm{o}\mathrm{b}\mathrm{a}\mathrm{b}\mathrm{i}\mathrm{l}\mathrm{i}\mathrm{s}\mathrm{t}\mathrm{i}\mathrm{c})$		$-2^{\ell +\nu -1}\le a<2^{\ell +\nu -1}$
1:	if mode = deterministic then
2:	$\left[\left[a\right]\right]\leftarrow \left[\left[a\right]\right]+2^{\nu -1}$
3:	$\left[\left[r_0\right]\right],\dots ,\left[\left[r_{\nu -1}\right]\right]{\in }_R\{0,1\}$	▹$\nu$ random bits
4:	$\left[\left[r\right]\right]\leftarrow {\sum }_{i=0}^{\nu -1}\left[\left[r_i\right]\right]2^i$
5:	$\left[\left[r^{\prime }\right]\right]{\in }_R\{0,1,\dots ,2^{\kappa +\ell }-1\}$	▹ security parameter $\kappa$
6:	$c\leftarrow \mathsf{Open}(2^{\ell -1+\nu }+\left[\left[a\right]\right]+\left[\left[r\right]\right]+2^{\nu }\left[\left[r^{\prime }\right]\right])$
7:	$c^{\prime }\leftarrow cmod{2}^{\nu }$
8:	$\left[\left[b\right]\right]\leftarrow (\left[\left[a\right]\right]+\left[\left[r\right]\right]-c^{\prime })/2^{\nu }$	▹$b={\lfloor a/2^{\nu }\rceil }_{\$}$
9:	if mode = deterministic then
10:	$\left[\left[b\right]\right]\leftarrow \left[\left[b\right]\right]-(c^{\prime }<\left[\left[r\right]\right])$	▹$b=\lfloor a/2^{\nu }\rceil$
11:	return $\left[\right[b\left]\right]$	▹$-2^{\ell -1}\le b<2^{\ell -1}$

2.4. Newton–Raphson Method

The Newton–Raphson method (also known as Newton’s method) is a numerical procedure to find roots of functions. The method has been known for centuries and extensively studied and analyzed in the literature (see, e.g., ref. [17] for a general description of the method and [18] for a historical overview of its convergence properties). Without providing further details on the derivation, we simply state that, given an approximation $c_i$ to the root of a function $f\equiv f\left(c\right)$, better approximations may be found in an iterative fashion using the update formula:

$$c_{i+1}=c_i-\frac{f\left(c_i\right)}{f^{\prime }\left(c_i\right)}.$$

(1)

There are a few conditions that must be satisfied for the Newton–Raphson method to work. For the moment, it suffices to say that an important aspect of the method is that it requires an initial approximation, which needs to be of sufficient accuracy.

3. Reciprocal

In this section, we consider the secure computation of the reciprocal using the Newton–Raphson method. This approximation of the reciprocal will also serve as a basis for secure integer division in Section 4.

We perform a tight error analysis to guarantee an absolute error not exceeding ${\delta }_f=2^{-f}$ while minimizing the additional precision used during the computation.

3.1. Secure Computation

The reciprocal function evaluates $\left[\right[1/a\left]\right]$ for a secret-shared value $\left[\right[a\left]\right]$, $a\ne 0$, see Algorithm 2. As a first step towards a good initial approximation, $\left[\right[a\left]\right]$ is scaled to $\left[\right[b\left]\right]=\left[\right[a\left]\right]\left[\right[v\left]\right]$, where $v=\pm 2^k$ for some $k\in \mathbb{Z}$. The scaling factor v is chosen such that $b\in [0.5,1)$. In this interval, the line $3-2b$ is a good approximation for $1/b$, with equality at the endpoints $b=0.5$ and $b=1$, and the maximum error occurring at $b=1/\sqrt{2}$. Shifting this line a distance of half the maximum error downward halves the maximum (absolute) error and results in the initial approximation (as in [3], which in turn relies on [19]):

$$\left[\left[c_0\right]\right]=3-\alpha -2\left[\left[b\right]\right],$$

(2)

with $\alpha =3/2-\sqrt{2}\approx 0.085786$. Compared to $1/b$, $c_0$ has a maximum error of $\alpha$ (at $b=0.5$, $b=1/\sqrt{2}$, $b=1$). The constant term $3-\alpha$ may be truncated to whatever precision is used in the computations. The multiplication of $\left[\right[b\left]\right]$ by 2 is essentially free, as it can be performed locally by the parties without truncation.

Algorithm 2 $\mathsf{Reciprocal}\left(\right[\left[a\right]],n=0)$		$-2^{\ell -1}\le a<2^{\ell -1}$
1:	$\left[\right[v\left]\right]\leftarrow \mathsf{Scale}\left(\right[\left[a\right]\left]\right)$	▹$v=\pm 2^k,k\in \mathbb{Z}$
2:	$\left[\left[b\right]\right]\leftarrow {\mathsf{Round}}_{f-n}\left(\left[\left[a\right]\right]\left[\left[v\right]\right]\right)$	▹$2^{f+n-1}\le b<2^{f+n}$
3:	$\alpha \leftarrow 3/2-\sqrt{2}$
4:	$\theta \leftarrow \lceil {log}_2{log}_{\alpha }{2}^{-(f+n)}\rceil$
5:	$\left[\left[c_0\right]\right]\leftarrow (3-\alpha )2^f-2\left[\left[b\right]\right]$
6:	for $i=1$ to $\theta$ do
7:	$\left[\left[z\right]\right]\leftarrow 2-{\mathsf{Round}}_{f+n}\left(\left[\left[c_{i-1}\right]\right]\left[\left[b\right]\right]\right)$
8:	$\left[\left[c_i\right]\right]\leftarrow {\mathsf{Round}}_{f+n}\left(\left[\left[c_{i-1}\right]\right]\left[\left[z\right]\right]\right)$
9:	$\left[\left[d_{\theta }\right]\right]\leftarrow {\mathsf{Round}}_{f+n}(\left[\left[c_{\theta }\right]\right]\left[\left[v\right]\right],\mathrm{d}\mathrm{e}\mathrm{t}\mathrm{e}\mathrm{r}\mathrm{m}\mathrm{i}\mathrm{n}\mathrm{i}\mathrm{s}\mathrm{t}\mathrm{i}\mathrm{c})$
10:	return $\left[\left[d_{\theta }\right]\right]$	▹$-2^{\ell -1}\le d_{\theta }<2^{\ell -1}$

Given the initial approximation, successive approximations are then computed using

$$\left[\left[c_{i+1}\right]\right]=\left[\left[c_i\right]\right]\left(2-\left[\left[c_i\right]\right]\left[\left[b\right]\right]\right),$$

(3)

which is obtained by instantiating the Newton–Raphson method in (1) with $f\left(c\right)=b-1/c$.

After $\theta$ iterations, with $\theta$ independent of the input value a, the final approximation for $1/a$ is obtained from $c_{\theta }\approx 1/\left(av\right)$ as follows:

$$\left[\left[d_{\theta }\right]\right]=\left[\left[c_{\theta }\right]\right]\left[\left[v\right]\right].$$

The required number of iterations $\theta$ will be determined below such that the final error for $c_{\theta }$ does not exceed ${\delta }_f=2^{-f}$, assuming exact arithmetic. Subsequently, we will determine the required number of additional bits n for Algorithm 2, taking into account all (rounding) errors. For better readability, we will drop the secret-shared brackets in the remainder of this section.

Under the right circumstances, the Newton–Raphson method converges quadratically to the (nearest) root of a given function, as we will show next. First, with $c=1/b$, define ${ϵ}_i=c-c_i$ as the iteration error. Then, applying (3) and assuming exact arithmetic, we find

$${ϵ}_{i+1}=c-c_i(2-c_{i}b)=c-(c-{ϵ}_i)(2-(c-{ϵ}_i)b)={ϵ}_i^{2}b.$$

(4)

Since $b\in [0.5,1)$ and $|{ϵ}_0|\le \alpha <1$, we see that quadratic convergence is guaranteed from the start:

$$|{ϵ}_i|=b^{2^i-1}{|{ϵ}_0|}^{2^i}\le {\alpha }^{2^i}.$$

(5)

To achieve $|{ϵ}_{\theta }|\le {\delta }_f$, we thus set

$$\theta =⌈{log}_2{log}_{\alpha }{\delta }_f⌉.$$

(6)

Remark 3.

The behavior at $b=1$ determines the number of iterations. This observation motivates changing the slope and offset of the linear initial approximation such that the error is slightly smaller at $b=1$ than it is at $b=0.5$. If the difference is not too large, the solution at $b=0.5$ will “catch up” with the solution at $b=1$ within a certain number of iterations. In some cases, this may save an iteration. For instance, the initial approximation

$$\left[\left[{\varsigma }_0\right]\right]=2.8312530517578125-1.890625\left[\left[b\right]\right]$$

saves an iteration for various values of $f\ge 29$, including the most common choices for f in this range, namely $f=2^n$ with $n\in [5,10]$. For these larger values of f, rounding is most expensive, and thus saving iterations is most valuable. The approximation ${\varsigma }_0$ comes with two disadvantages. Firstly, b is multiplied by a number with six fractional digits, instead of an integer; still, the approximation is more efficient in those cases where an iteration is saved. Secondly, the required number of iterations is not as straightforward to compute as it is for $c_0$, because it is no longer determined by the situation at a single point. With ${\varsigma }_0$, the largest error is generally attained at a point close to the middle of $[0.5,1)$, which slowly shifts to the right for larger values of f.

We further note that quadratic polynomials are also an option. For instance, the following approximation is quite accurate and behaves well during the Newton–Raphson process:

$$\left[\left[{\omega }_0\right]\right]=3{\left[\left[b\right]\right]}^2-6.5\left[\left[b\right]\right]+4.51425.$$

Quadratic polynomials are more expensive due to the computation of ${\left[\left[b\right]\right]}^2$, which cannot be performed locally. This makes using quadratic polynomials only worthwhile when it saves iterations—and thus multiplications—in the computations that follow. Unfortunately, this is only true for relatively low values of f, in which cases we save exactly one multiplication in the entire computation. For higher values of f, despite leading to more accurate intermediate approximations, the same number of iterations is required, and hence there is no gain. Because of this, we will not study quadratic polynomials any further and stick to the simpler linear functions. Moreover, to keep things simple in our algorithms and analyses, we will stick to the approximation in (2).

3.2. Tight Error Analysis without Scaling

In this section, we analyze the error ${ϵ}_{\theta }=c-c_{\theta }$ in the computation of $c=1/b$ for $b\in [0.5,1)$. We determine a tight bound for $|{ϵ}_{\theta }|$ taking into account all (rounding) errors, assuming fixed-point arithmetic with f fractional bits in Algorithm 2 (i.e., with $n=0$). In Section 3.3, we will use this bound to determine the minimal number of additional bits n needed to guarantee that the absolute error for $1/a$ is limited to ${\delta }_f=2^{-f}$, also taking into account the errors due to scaling.

Because we use probabilistic rounding in Algorithm 2, each iteration adds a rounding error of $3{\delta }_f$ in the worst case, see Lemma A2. Due to the quadratic convergence, however, the influence of these rounding errors is limited for subsequent iterations. With the help of Lemma A1, which bounds the error $|{ϵ}_{\theta -1}|$ for the penultimate iteration, we are able to give a tight bound for the total error after $\theta$ iterations.

Theorem 1.

If the Newton–Raphson method is used to compute $1/b$ for $b\in [0.5,1)$, employing initial approximation (2), and computing the number of iterations θ with (6), then $|{ϵ}_{\theta }|<\rho {\delta }_f$, where $\rho =3.05$.

Proof. 

Clearly, if $\theta =0$, the initial error is already below ${\delta }_f$. Because no iterations are performed, no further errors are introduced, and the final error remains below ${\delta }_f$.

For the cases in which $\theta =1$ or $\theta =2$, we exhaustively compute the error for all possible inputs b, considering all rounding possibilities. This covers the values $4\le f\le 14$ and yields a maximum value for $|{ϵ}_{\theta }|$ of approximately $2.88{\delta }_f$.

For larger values of f, we follow a different approach: firstly, we derive an expression that bounds the absolute error as a function of f and $\theta$. Secondly, we compute the value of the error bound for $f=15$ ($\theta =3)$, which will be below $3.05{\delta }_f$. Thirdly, we show that for larger values of f, the value of the error bound will always be smaller than in the case $f=15$.

From Lemma A1, we know that in the case of exact arithmetic, the error at the start of the final iteration is bounded by $b^{2^{\theta -1}-1}\sqrt{{\delta }_f}$. Lemma A2 tells us that in the first iteration, the rounding error is bounded by $(c_0+1){\delta }_f$, while in every subsequent iteration it is bounded by $(1/b+1){\delta }_f$. Thus, for $\theta \ge 3$, we obtain the following bound for the total error at the start of the final iteration:

$$|{ϵ}_{\theta -1}|<b^{2^{\theta -1}-1}\sqrt{{\delta }_f}+(c_0+1){\delta }_f+(\theta -2)\left(\frac{1}{b}+1\right){\delta }_f.$$

Let $T_{\theta }=T_{\theta }\left(b\right)=(c_0+1)+(\theta -2)(1/b+1)$. Applying (A2) with $i=\theta -1$ gives

$$|{ϵ}_{\theta }|<{ϵ}_{\theta -1}^{2}b+\left(\frac{1}{b}+1\right){\delta }_f.$$

(7)

Hence, as an upper bound for $|{ϵ}_{\theta }|$ we get

$$E_{\theta ,f}\left(b\right){\delta }_f\stackrel{\mathrm{def}}{=}\left(b^{2^{\theta }-1}+2b^{2^{\theta -1}}{T}_{\theta }\sqrt{{\delta }_f}+b{T}_{\theta }^2{\delta }_f+\frac{1}{b}+1\right){\delta }_f.$$

For the case $f=15$, where $\theta =3$, this yields

$$E_{3,15}\left(b\right){\delta }_f=\left(b^7+2b^4{T}_3\sqrt{{\delta }_{15}}+b{T}_3^2{\delta }_{15}+\frac{1}{b}+1\right){\delta }_f,$$

for which a simple numerical analysis shows that the maximum value is slightly below $3.05{\delta }_f$.

We complete the proof by showing that $E_{\theta ,f}\left(b\right)<E_{3,15}\left(b\right)$ for $f>15$, with $\theta$ defined by (6). Since $\theta$ is increasing as a function of f, let $f_{\theta }$ be the lowest value of f such that $\theta =⌈{log}_2{log}_{\alpha }{\delta }_f⌉$. Then, $f_{\theta }$ is also increasing as a function of $\theta$.

Since it is clear that $E_{\theta ,f_{\theta }}>E_{\theta ,f}$ for all $f>f_{\theta }$, it suffices to bound $E_{\theta ,f_{\theta }}$. To that end, we will consider the three terms in the definition of $E_{\theta ,f}$ that depend on $\theta$ and f separately. The first term $b^{2^{\theta }-1}$ needs no complicated assessment. Clearly, with $0.5\le b<1$, this term decreases rapidly with $\theta$.

The second term is $2b^{2^{\theta -1}}{T}_{\theta }\sqrt{{\delta }_f}$. Using the definition of $\theta$, we can rewrite $\sqrt{{\delta }_f}$ as

$${log}_2{log}_{\alpha }{\delta }_f+\gamma =\theta \Rightarrow \sqrt{{\delta }_f}={\alpha }^{2^{\theta -\gamma -1}},$$

where the value of $\gamma$ depends on f and is determined by the ceiling operation. In any case, $0\le \gamma <1$, taking the derivative

$$\begin{array}{ccc}\hfill \frac{\mathrm{d}\left(2b^{2^{\theta -1}}{T}_{\theta }{\alpha }^{2^{\theta -\gamma -1}}\right)}{\mathrm{d}\theta }& =& 2b^{2^{\theta -1}}{\alpha }^{2^{\theta -\gamma -1}}\left(\frac{1}{b}+1+T_{\theta }{2}^{\theta -1}ln2(lnb+2^{-\gamma }ln\alpha )\right)\hfill \\ & <& 6b^{2^{\theta -1}}{\alpha }^{2^{\theta -\gamma -1}}\left(1+(\theta -1)2^{\theta -2}ln2ln\alpha \right),\hfill \end{array}$$

where we used $c_0\left(b\right)<2$ and $\mathrm{d}{T}_{\theta }/\mathrm{d}\theta <3$, so that $T_{\theta }<3(\theta -1)$. The factor before the outer parentheses is positive for any valid b and $\theta \ge 3$. With initial approximation (2), $\alpha =3/2-\sqrt{2}\approx 0.085786$, and it is easy to verify that the factor between the outer parentheses is negative for $\theta =3$. Moreover, the negative part will only increase in (absolute) size with $\theta$. Therefore, the derivative is, and will remain, negative. This shows that the original term is decreasing as a function of $\theta$.

The third term is $b{T}_{\theta }^2{\delta }_f$. Similarly, writing ${\delta }_f$ as a function of $\theta$ and taking the derivative, we find

$$\begin{array}{ccc}\hfill \frac{\mathrm{d}\left(b{T}_{\theta }^2{\alpha }^{2^{\theta -\gamma }}\right)}{\mathrm{d}\theta }& =& b{T}_{\theta }{\alpha }^{2^{\theta -\gamma }}\left(2(\frac{1}{b}+1)+T_{\theta }{2}^{\theta -\gamma }ln2ln\alpha \right)\hfill \\ & <& 6b{T}_{\theta }{\alpha }^{2^{\theta -\gamma }}\left(1+(\theta -1)2^{\theta -2}ln2ln\alpha \right).\hfill \end{array}$$

This resembles the bound for the second term. Indeed, the term before the outer parentheses is again positive for any valid b and $\theta \ge 3$, and with the known value for $\alpha$ it is easy to verify that the factor between the outer parentheses is negative for $\theta =3$. Moreover, the negative part will only increase in (absolute) size with $\theta$. Therefore, the derivative is always negative, which shows that the original term is decreasing as a function of $\theta$.

Combining these results shows that $E_{\theta ,f}\left(b\right)<E_{3,15}\left(b\right)<3.05$, for all $b\in [0.5,1)$ and $f>15$, which proves the statement. Note that we could tighten the bound even more by computing $E_{\theta ,f_{\theta }}$ for an arbitrary $\theta >3$. □

To limit the absolute error for the computation of $1/a$ to ${\delta }_f=2^{-f}$, we apply Algorithm 2 using n additional bits of precision. That is, we use fixed-point arithmetic with $f+n$ fractional bits in the core of Algorithm 2. The downside of using extra bits is that more bits need to be truncated after every multiplication, and secure truncation is a relatively expensive procedure. Notice that we may still directly apply Theorem 1 to find that $|{ϵ}_{\theta ,n}|<\rho {\delta }_{f+n}$. After finishing the Newton–Raphson iterations, the result should be rounded to the original precision, which may introduce more errors. We will evaluate these errors in the next section, together with the errors introduced in the scaling steps.

3.3. Tight Error Analysis

In this section, we analyze the errors due to the scaling steps in Algorithm 2. The input a is scaled to $b=av\in [0.5,1]$, and the output is obtained by scaling $c_{\theta }\approx 1/b$ to $d_{\theta }=c_{\theta }v\approx 1/a$. The scaling steps introduce additional errors or magnify existing errors. Up until this point, we silently assumed that the scaling $b=av$ was exact. This, however, may not be true if $|a|>1$. In this case, the radix point shifts to the left, and because we are working with fixed-point numbers, the least significant bits are lost. So, instead of $b=av$, we obtain

$$b^{*}={\lfloor av\rceil }_{\$}=av+{\eta }_1,$$

where ${\eta }_1$ is the error induced by the scaling from a to b. An important observation is that $|{\eta }_1|$ is smaller than the precision used in the computation. Moreover, $b^{*}$ can be computed with the same number of fractional bits as the intermediate results in the Newton–Raphson iterations (it would be a waste to scale down to f fractional bits if the computation is performed with $f+n$ fractional bits). Consequently, we know that

$$|{\eta }_1|<{\delta }_{f+n}=\frac{{\delta }_f}{2^n}.$$

After scaling, the reciprocal of $b^{*}$ is computed. As explained at the end of Section 3.2, these computations are performed with extra bits. However, at this point we do not yet reduce the precision back to ${\delta }_f$, but instead use

$$c_{\theta }^{*}=\frac{1}{b^{*}}-{ϵ}_{\theta ,n},$$

where $|{ϵ}_{\theta ,n}|<\rho {\delta }_{f+n}$. Recall that $\rho =3.05$, according to Theorem 1. This result is scaled back through another multiplication by v and subsequently rounded deterministically to the original precision:

$$d_{\theta }^{*}=c_{\theta }^{*}v+{\eta }_2,$$

where $|{\eta }_2|\le \frac{1}{2}{\delta }_f$. The absolute error then reads as:

$$\begin{array}{ccc}\hfill \left|d_{\theta }^{*}-d\right|& =& \left|\left(\frac{1}{av+{\eta }_1}-{ϵ}_{\theta ,n}\right)v+{\eta }_2-\frac{1}{a}\right|\hfill \\ & =& \left|\frac{1}{a}\frac{1}{1+\frac{{\eta }_1}{av}}-{ϵ}_{\theta ,n}v+{\eta }_2-\frac{1}{a}\right|\hfill \\ \hfill & =& \left|\frac{1}{a}\left(1-\frac{{\eta }_1}{av}+{\left(\frac{{\eta }_1}{av}\right)}^2-\dots \right)-{ϵ}_{\theta ,n}v+{\eta }_2-\frac{1}{a}\right|\hfill \\ \hfill & =& \left|\frac{1}{a}\left(\frac{-{\eta }_1}{b+{\eta }_1}\right)-{ϵ}_{\theta ,n}v+{\eta }_2\right|.\hfill \end{array}$$

(8)

A careful analysis, partly covered by Lemmas A3 and A4, leads to the following result:

Theorem 2.

If the Newton–Raphson method is used to compute $1/a$ for $a\in {\mathbb{Q}}_{2f,f}$, employing the approach in Algorithm 2, with $n\le f$, then the absolute error (8) is bounded by $2^{-n}$.

Proof. 

We distinguish three cases: (i) $a<2^{-n}$, (ii) $2^{-n}\le a<2^n$, and (iii) $a\ge 2^n$. In case (i), $v\ge 2^n$ and, consequently, both scaling steps introduce no rounding errors: ${\eta }_1={\eta }_2=0$. In case (ii), $2^{-n}\le v\le 2^{n-1}$. Due to the extra precision that is used, there is still no rounding error in the initial scaling step (${\eta }_1=0$), but there might be an error when the result is truncated to the original precision. In case (iii), $v\le 2^{-(n+1)}$, and both scaling steps may introduce errors.

In case (i), the absolute error simplifies to $|-{ϵ}_{\theta ,n}v|$. For such small values of a, the scaling factor v is large, and the absolute error is bounded by $2^{f-1}\rho {\delta }_{f+n}$. However, it can be shown to be tighter by noting that $v=2^{f-1}$ occurs only when $a={\delta }_f$. For this value of a, according to Lemma A3, $\rho$ may be replaced by 2. For the remaining values of a in case (i), ${ϵ}_{\theta ,n}$ may be approximately $1.5$ times as large (it is still bounded by $\rho {\delta }_{f+n}$), but the value for v is at most $2^{f-2}$, making the product $|-{ϵ}_{\theta ,n}v|$ strictly smaller. Thus, the exact bound for case (i) is $2^{f-1}2{\delta }_{f+n}=2^{-n}$.

In case (ii), the error simplifies to $|-{ϵ}_{\theta ,n}v+{\eta }_2|$, which is bounded by $2^{n-1}\rho {\delta }_{f+n}+\frac{1}{2}{\delta }_f=\frac{1}{2}(\rho +1){\delta }_f$. Using the value for $\rho$ given in Theorem 1, it is straightforward to deduce that the bound for case (i) exceeds that of case (ii) if $n\le f-2$:

$$2^{-n}\ge 2^{-(f-2)}=4{\delta }_f>\frac{\rho +1}{2}{\delta }_f.$$

The cases $n=f-1$ and $n=f$ are less straightforward and will be considered separately.

If $n=f-1$, case (i) contains only $a={\delta }_f$. As already derived, the error in this case is bounded by $2^{-n}=2{\delta }_f$. The first value in case (ii) is $2{\delta }_f$, for which we may replace $\rho {\delta }_{f+n}$ by $2{\delta }_{f+n}$, according to Lemma A3. The maximal error before applying ${\eta }_2$ then reads $2^{n-1}2{\delta }_{f+n}={\delta }_f$. With $a=2{\delta }_f$, $1/a=2^{f-1}$, which is a multiple of ${\delta }_f$. Consequently, the error cannot become larger than ${\delta }_f<2^{-n}$. The next value in case (ii) is $3{\delta }_f$, for which we may replace $\rho {\delta }_{f+n}$ by $\frac{7}{3}{\delta }_{f+n}$, according to Lemma A4. The maximal error before applying ${\eta }_2$ then reads $2^{n-1}\frac{7}{3}{\delta }_{f+n}=\frac{7}{6}{\delta }_f$. With $a=3{\delta }_f$, $1/a=\frac{1}{3}{2}^f$, which is a multiple of $\frac{1}{3}{\delta }_f$ (but not an integer multiple of ${\delta }_f$). Combining these results shows that the total error is bounded by $\frac{5}{3}{\delta }_f<2^{-n}$. For larger values of a, the error is simply bounded by $2^{n-2}\rho {\delta }_{f+n}+\frac{1}{2}{\delta }_f=1.2625{\delta }_f<2^{-n}$.

If $n=f$, case (i) ceases to exist. The first value in case (ii) is ${\delta }_f$. Similar to the case $a=2{\delta }_f$ when $n=f-1$, we know that in this case the maximal error is ${\delta }_f=2^{-n}$. The next value in case (ii) is $2{\delta }_f$, for which a similar derivation shows that the error is bounded by $\frac{1}{2}{\delta }_f<2^{-n}$. The third value in case (ii) is $3{\delta }_f$. Analogous to the situation with $n=f-1$, we may replace $\rho$ by $\frac{7}{3}{\delta }_{f+n}$ and find that the error before applying ${\eta }_2$ is bounded by $2^{n-2}\frac{7}{3}{\delta }_{f+n}=\frac{7}{12}{\delta }_f$. Knowing that the exact solution is a multiple of $\frac{1}{3}{\delta }_f$ (but not an integer multiple of ${\delta }_f$), we conclude that the total error, after applying ${\eta }_2$ (deterministically), is maximally $\frac{2}{3}{\delta }_f<{\delta }_f=2^{-n}$. Again, for larger values of a, the error is bounded by $2^{n-3}\rho {\delta }_{f+n}+\frac{1}{2}{\delta }_f=0.88125{\delta }_f<2^{-n}$.

Thus, for all $n\le f$, the errors in cases (i) and (ii) are bounded by $2^{-n}$. For even larger values of a, the error bound decreases rapidly, despite ${\eta }_1$ coming into play. In case (iii), the error is approximately bounded by $\frac{1}{2}(2^{-2n+2}+2^{-2n}\rho +1){\delta }_f$ (ignoring the ${\eta }_1$ term in the denominator that is small compared to b), which is significantly smaller than $2^{-n}$. □

Remark 4.

Concerning the relative error, given by the expression

$$\left|\frac{d_{\theta }^{*}-d}{d}\right|=\left|\frac{-{\eta }_1}{b+{\eta }_1}-{ϵ}_{\theta ,n}b+a{\eta }_2\right|,$$

we see that the tables have turned. For small values of a, the relative error is also small, while for larger values of a the error increases. If $a<2^{-n}$, the error is bounded by $2^{-n}\rho {\delta }_f$, while the bound increases to $(2^{-n}\rho +2^{n-1}){\delta }_f$ for $2^{-n}\le a<2^n$. For larger values of a, the last term on the right-hand side starts to dominate. In this domain, the error is bounded by $(1/(2^{n}b-{\delta }_f)+2^{-n}\rho +\frac{1}{2}(2^f-1)){\delta }_f<(2^{-n+1}+2^{-n}\rho +2^{f-1}){\delta }_f\approx 0.5$. Based on the results from numerical experiments, we suspect that the actual bound for the relative error lies at approximately $1/3$, due to the relation between a and ${\eta }_2$ (they do not attain their maximal values at the same time). Though this error may seem large, it is not an effect of the specific computational algorithms, but merely a behavior inherent to the use of fixed-point numbers.

Corollary 1.

If the Newton–Raphson method is used to compute $1/a$ for $a\in {\mathbb{Q}}_{2f,f}$, using the approach in Algorithm 2, then computing with $n=f$ additional bits guarantees that the absolute error (8) is bounded by ${\delta }_f$, while using $n=f+1$ bits guarantees that the absolute error is strictly smaller than ${\delta }_f$.

Proof. 

According to Theorem 2, if $n\le f$, the absolute error is bounded by $2^{-n}$. It follows directly that if $n=f$, the bound equals $2^{-f}={\delta }_f$. Note that from the proof of Theorem 2, it follows that this bound can only be attained when $a={\delta }_f$.

If $n=f+1$, then a proof similar to that of Theorem 2 shows that the error is strictly smaller than ${\delta }_f$. Recall that for small values of a, the error reads as $|-{ϵ}_{\theta ,n}v+{\eta }_2|$, and therefore the absolute error before applying ${\eta }_2$ is bounded by $2^{n-2}\rho {\delta }_{f+n}$. For $a={\delta }_f$, however, we may replace $\rho$ by $-{\delta }_{f+n}$ or $2{\delta }_{f+n}$, according to Lemma A3. This leads to errors $-2^{n-2}{\delta }_{f+n}=-\frac{1}{4}{\delta }_f$ and $2^{n-2}2{\delta }_{f+n}=\frac{1}{2}{\delta }_f$, respectively. Because ${\eta }_2$ is applied deterministically, both will be rounded to the analytical solution, and hence ${ϵ}_{\theta }=0$.

For larger values of a, the error is bounded by $2^{n-3}\rho {\delta }_{f+n}+\frac{1}{2}{\delta }_f=0.88125{\delta }_f<{\delta }_f$, which completes the proof. By considering the cases $a=2{\delta }_f$ and $a=3{\delta }_f$ separately from even larger values of a, it is possible to show that the error is actually strictly smaller than $0.7{\delta }_f$, but we will omit the proof here.    □

4. Integer Division

Secure integer division is an important primitive and appears in many applications. For integer inputs $\left[\right[g\left]\right],\left[\right[a\left]\right]$, performing integer division yields integers $\left[\right[q\left]\right],\left[\right[r\left]\right]$ such that $g=qa+r$ and $0\le r<a$. Formulated differently, we have $q=⌊g/a⌋$ and $r=g-qa$.

One possible way of computing $\left[\right[q\left]\right]$ is by applying the Newton–Raphson algorithm described in the previous section. To that end, $\left[\right[a\left]\right]$ needs to be converted from an integer to a fixed-point number. Subsequently, the reciprocal of $\left[\right[a\left]\right]$ is computed and multiplied by $\left[\right[g\left]\right]$. It turns out, however, that it is advantageous to perform the multiplication by $\left[\right[g\left]\right]$ before finalizing the computation of $1/\left[\right[a\left]\right]$. The resulting value $\left[\left[\tilde{q}\right]\right]$ is a good approximation to $\left[\right[q\left]\right]$ and can be used to compute the final, correct value of $\left[\right[q\left]\right]$. In the remainder of this section, we will omit the secret-shared brackets for better readability.

4.1. Error for Integer Division

In the case of integer division, the error analysis from Section 3.3 can be simplified. With a being an integer, there can only be nonzero bits to the left of the radix point. This means—assuming that there are an equal number of bits before and after the radix point, i.e., $\ell =2f$—that no information is lost in the initial scaling step: ${\eta }_1=0$. In other words, in the case of integer division, we have $b^{*}=b$. The error after computing the reciprocal of b (before rescaling and truncating to the original precision) is still bounded by ${ϵ}_{\theta ,n}$, such that we now have $c_{\theta }=1/\left(av\right)-{ϵ}_{\theta ,n}$.

At this point, we first multiply g and v. Since we have assumed that $\ell =2f$, there is no rounding error for this multiplication. The result is multiplied by $c_{\theta }$, after which we truncate to the original precision. This results in a generally nonintegral estimate to $g/a$, which we call $\tilde{q}$:

$$\begin{array}{ccc}\hfill \tilde{q}& =& \left(\frac{1}{av}-{ϵ}_{\theta ,n}\right)gv+{\eta }_2\hfill \\ & =& \frac{g}{a}-{ϵ}_{\theta ,n}gv+{\eta }_2.\hfill \end{array}$$

The resulting approach is summarized in Algorithm 3. In what follows, we will denote the error of $\tilde{q}$ (with respect to $g/a$) by $E_{\tilde{q}}$.

Algorithm 3 $\mathsf{IntDivFxp}\left(\right[\left[g\right]],[\left[a\right]],n=1)$		$-2^{\ell -1}\le g,a<2^{\ell -1}$, with $g,a\in 2^f\mathbb{Z}$
	Lines 1–8 of Algorithm 2
	Line 2 simplifies to $\left[\left[b\right]\right]\leftarrow 2^{-f+n}\left[\left[a\right]\right]\left[\left[v\right]\right]$
9:	$\left[\left[w\right]\right]\leftarrow 2^{-f}\left[\left[g\right]\right]\left[\left[v\right]\right]$
10:	$\left[\left[\tilde{q}\right]\right]\leftarrow {\mathsf{Round}}_{f+n}\left(\left[\left[c_{\theta }\right]\right]\left[\left[w\right]\right]\right)$
11:	return $\left[\left[\tilde{q}\right]\right]$	▹$-2^{\ell -1}\le \tilde{q}<2^{\ell -1}$

Theorem 3.

If the Newton–Raphson method is used to compute $g/a$, with g and a being integers, using the approach in Algorithm 3 and $n<f$, then $|E_{\tilde{q}}|\le 2^{-n}$.

Proof. 

To derive the error bound, we consider the error before the final truncation ${\eta }_2$ is applied: $-{ϵ}_{\theta ,n}gv$. Because a is an integer, we have $v\le 0.5$, with equality only when $a=1$. In the latter case, $b=0.5$, and according to Lemma A3 we have $|-{ϵ}_{\theta ,n}\left(0.5\right)|\le 2{\delta }_{f+n}$. It follows that $|-{ϵ}_{\theta ,n}v|\le {\delta }_{f+n}$. Furthermore, we know that $g\le 2^f-1$. Combining all this gives

$$\begin{array}{ccc}\hfill |-{ϵ}_{\theta ,n}gv|& \le & {\delta }_{f+n}(2^f-1)\hfill \\ & =& (1-2^{-f})2^{-n}\hfill \\ & <& 2^{-n}.\hfill \end{array}$$

Obviously, when $a=1$, $g/a$ is an integer, and therefore a multiple of ${\delta }_f$. Since $n<f$, $2^{-n}$ is also a multiple of ${\delta }_f$. From these observations, it follows that the final rounding ${\eta }_2$ cannot bring the error any further than $2^{-n}$.

The case $v=0.25$ occurs only for $a=2$ and $a=3$, leading to $b=0.5$ and $b=0.75$, respectively. Clearly, for $a=2$, we have again that $|{ϵ}_{\theta ,n}\left(0.5\right)|\le 2{\delta }_{f+n}$, leading to $|-{ϵ}_{\theta ,n}gv|<\frac{1}{2}{2}^{-n}$. Because $|{\eta }_2|<{\delta }_f\le \frac{1}{2}{2}^{-n}$, we know that $|-{ϵ}_{\theta ,n}gv+{\eta }_2|<2^{-n}$. For the case $a=3$, let us write $n=f-\gamma$, so that $2^{-n}=2^{\gamma }{\delta }_f$ ($\gamma =1,2,3,\dots$). According to Lemma A4, we have $|{ϵ}_{\theta ,n}\left(0.75\right)|\le \frac{7}{3}{\delta }_{f+n}$ when $n+f=6$, leading to $|-{ϵ}_{\theta ,n}gv|<\frac{7}{12}{2}^{-n}$. The final error can only be larger than $2^{-n}$ when $|{\eta }_2|>\frac{5}{12}{2}^{-n}=\frac{5}{12}{2}^{\gamma }{\delta }_f$, and because $|{\eta }_2|<{\delta }_f$, this is only possible if $\gamma =1$. However, the system $n+f=6$ and $n=f-1$ has no integer solutions, and therefore this scenario will never occur. Lemma A4 tells us that in all other cases $|-{ϵ}_{\theta ,n}\left(0.75\right)|\le \frac{5}{3}{\delta }_{f+n}$, leading to $|{ϵ}_{\theta ,n}gv|<\frac{5}{12}{2}^{-n}$. Now, the final error can only be larger than $2^{-n}$ when $|{\eta }_2|>\frac{7}{12}{2}^{-n}=\frac{7}{12}{2}^{\gamma }{\delta }_f$. Because $|{\eta }_2|<{\delta }_f$ and $\gamma \ge 1$, this is impossible.

For even larger values of a, $v\le 0.125$, and we have $|{ϵ}_{\theta ,n}|\le \rho {\delta }_{f+n}$, leading to $|-{ϵ}_{\theta ,n}gv|<\frac{1}{8}\rho 2^{-n}$. The final error can only be larger than $2^{-n}$ if $|{\eta }_2|>\frac{7}{8}\rho 2^{-n}=\frac{7}{8}\rho 2^{\gamma }{\delta }_f$. Again, because $|{\eta }_2|<{\delta }_f$, there are no solutions with $\gamma \ge 1$.    □

We emphasize that the above result holds even when ${\eta }_2$ is determined probabilistically, whereas throughout Section 3 it was assumed that the final rounding—to the original precision—was performed deterministically (which was especially relevant for the cases $n=f$ and $n=f+1)$.

4.2. From Fixed-Point Approximation to Integer Solution

The fixed-point value $\tilde{q}$ now needs to be rounded to an integer value $\overline{q}$. This can be achieved either deterministically or probabilistically.

Corollary 2.

Suppose $\tilde{q}$ is computed with Algorithm 3 using $n=1$. If $\tilde{q}$ is rounded to an integer $\overline{q}$ deterministically, then $\overline{q}\in \{q,q+1\}$. If $\tilde{q}$ is rounded to an integer $\overline{q}$ probabilistically, then $\overline{q}\in \{q-1,q,q+1\}$.

Proof. 

We apply Theorem 3 to find that the error on $\tilde{q}$ is bounded by $2^{-1}$. Since $q\le g/a<q+1$, this gives $q-0.5\le \tilde{q}<(q+1)+0.5$. It follows directly that for deterministic rounding, $\overline{q}\in \{q,q+1\}$. It also follows that for probabilistic rounding, $\overline{q}\in \{q-1,q,q+1,q+2\}$. It remains to be shown that $\overline{q}=q+2$ is not possible. To that end, first note that from $q\le g/a<q+1$, it follows that $q\le g/a\le q+1-1/a$. Therefore, for $\overline{q}=q+2$ to occur, it should be possible that $E_{\tilde{q}}>1/a$.

Suppose that $2^{m-1}\le a<2^m$ for some integer m. Then, $v=2^{-m}$ and $1/a=v/b$. At this point, we are only interested in solutions $\tilde{q}>g/a$ with negative errors, hence we have $|{ϵ}_{\theta ,n}|<(1/b+1){\delta }_{f+n}$. Maximizing the error $|-{ϵ}_{\theta ,n}gv|$ with $n=1$ then gives

$$\begin{array}{ccc}\hfill |-{ϵ}_{\theta ,1}gv|& \le & \left(1/b+1\right){\delta }_{f+1}(2^f-1)v\hfill \\ & =& \frac{1}{2}\left(1/b+1\right)(1-2^{-f})v\hfill \\ & <& \frac{1}{2}\left(1/b+1\right)v\hfill \\ & \le & v/b\hfill \\ & =& 1/a.\hfill \end{array}$$

Thus, the approximation before applying ${\eta }_2$ is still below $q+1$. Since $q+1$ is an integer and therefore a multiple of ${\delta }_f$, it follows that $|E_{\tilde{q}}|\le 1/a$. In other words, the rounding ${\eta }_2$ cannot push the error beyond $q+1$. Consequently, $\tilde{q}$ will never be rounded to $q+2$.    □

Remark 5.

If we were to calculate $\tilde{q}$ with Algorithm 2 instead of Algorithm 3 and multiply the result by g, we would find that

$$\begin{array}{ccc}\hfill \tilde{q}& =& \left(\left(\frac{1}{av}-{ϵ}_{\theta ,n}\right)v+{\eta }_2\right)g\hfill \\ & =& \frac{g}{a}-{ϵ}_{\theta ,n}gv+{\eta }_{2}g.\hfill \end{array}$$

Numerical simulations suggest that we would then find the same values for $\overline{q}$. That is, $\overline{q}\in \{q,q+1\}$ in the case of deterministic rounding and $\overline{q}\in \{q-1,q,q+1\}$ in the case of probabilistic rounding. However, this approach would require an extra secure comparison in the deterministic rounding step in line 9 of Algorithm 2.

If we were to replace this deterministic rounding with probabilistic rounding, then $|{\eta }_2|<{\delta }_f$ (instead of $|{\eta }_2|\le \frac{1}{2}{\delta }_f$ with deterministic rounding). Numerical simulations show that in this case, $\overline{q}\in \{q-1,q,q+1,q+2\}$, independent of whether rounding to an integer is performed deterministically or probabilistically. Hence, in this approach, at least one extra secure comparison is also required to find the correct value q. This proves that it is indeed advantageous to incorporate multiplication by g into the computation of $1/a$, as we did in Algorithm 3.

So far, we have computed $\tilde{q}$ using only probabilistic rounding. We found that $\overline{q}\in \{q,q+1\}$ if the rounding (to the nearest) is performed deterministically and $\overline{q}\in \{q-1,q,q+1\}$ if $\tilde{q}$ is rounded to $\overline{q}$ probabilistically. The final step is to recover the correct solution q.

This is achieved by one or two comparisons, depending on how $\tilde{q}$ is rounded to $\overline{q}$. According to Corollary 2, if $\tilde{q}$ is rounded deterministically, then $\overline{q}\in \{q,q+1\}$. Hence, we can compute $\overline{q}a-g$ and check the sign. If $\overline{q}a-g>0$, then $q=\overline{q}-1$; otherwise, $q=\overline{q}$. If $\tilde{q}$ is rounded probabilistically, then $\overline{q}\in \{q-1,q,q+1\}$. This time, we not only check the sign of $\overline{q}a-g$, but also that of $(\overline{q}+1)a-g$. If $\overline{q}a-g>0$, then $q=\overline{q}-1$. Otherwise, if $(\overline{q}+1)a-g>0$, then $q=\overline{q}$, or $q=\overline{q}+1$.

At first sight, it might not seem relevant if $\tilde{q}$ is rounded to $\overline{q}$ deterministically or probabilistically, because even though deterministic rounding requires an extra secure comparison, it saves a secure comparison in the computation of q. Rounding probabilistically to $\overline{q}$ does not require any secure comparisons, but two secure comparisons are needed to find the correct value for q. Hence, in both cases, we need exactly two secure comparisons. However, the secure comparison in Algorithm 1 is cheaper than a regular secure comparison, because the bits of the numbers that are compared are already available. Therefore, it is computationally advantageous to choose the option with deterministic rounding to $\overline{q}$ and only one comparison to find q. The complete procedure is summarized in Algorithm 4.

Algorithm 4 $\mathsf{IntDiv}\left(\right[\left[g\right]],[\left[a\right]\left]\right)$		$-2^{f-1}\le g,a<2^{f-1}$, with $g,a\in \mathbb{Z}$
1:	$\left[\left[\tilde{q}\right]\right]\leftarrow \mathsf{IntDivFxp}([[g{2}^f]],[[a{2}^f]])$	▹$-2^{\ell -1}\le \tilde{q}<2^{\ell -1}$
2:	$\left[\left[\overline{q}\right]\right]\leftarrow {\mathsf{Round}}_f(\left[\left[\tilde{q}\right]\right],\mathrm{d}\mathrm{e}\mathrm{t}\mathrm{e}\mathrm{r}\mathrm{m}\mathrm{i}\mathrm{n}\mathrm{i}\mathrm{s}\mathrm{t}\mathrm{i}\mathrm{c})$
3:	$\left[\left[q\right]\right]=\left[\left[\overline{q}\right]\right]-(\left[\left[\overline{q}\right]\right]\left[\left[a\right]\right]>\left[\left[g\right]\right])$
4:	return $\left[\right[q\left]\right]$	▹$-2^{f-1}\le q<2^{f-1}$

5. Reciprocal Square Root

To compute the reciprocal (or, inverse) square root securely, we follow the same approach as in Section 3 for the reciprocal. The overall goal is to guarantee an absolute error not exceeding ${\delta }_f=2^{-f}$ while minimizing the additional precision used during the computation. In Section 6, we will use this result for the secure computation of the square root with the same accuracy.

5.1. Secure Computation

The reciprocal square root function evaluates $1/\sqrt{\left[\right[a\left]\right]}$ for a secret-shared value $\left[\right[a\left]\right]$, $a>0$, see Algorithm 5. Upon initialization, $\left[\right[a\left]\right]$ is scaled to $\left[\right[b\left]\right]=\left[\right[a\left]\right]\left[\right[v\left]\right]$ such that $b\in [0.5,2)$. The interval for b is taken twice as large as that for the reciprocal, so that the scaling factor $v=2^k$, $k\in \mathbb{Z}$, can be chosen with k even. This ensures that scaling back by $\left[\left[v^{1/2}\right]\right]$ at the end introduces no additional rounding errors.

Algorithm 5 $\mathsf{RecSqrt}\left(\right[\left[a\right]],n=0)$		$-2^{\ell -1}\le a<2^{\ell -1}$
1:	$\left[\left[v\right]\right],[[v^{\frac{1}{2}}]]\leftarrow \mathsf{Scale}\left(\left[\left[a\right]\right]\right)$	▹$v=\pm 2^k,k\in \mathbb{Z}$, k even
2:	$\left[\left[b\right]\right]\leftarrow {\mathsf{Round}}_{f-n}\left(\left[\left[a\right]\right]\left[\left[v\right]\right]\right)$	▹$2^{f+n-1}\le b<2^{f+n+1}$
3:	$\beta \leftarrow (\sqrt{2}-1)/4$
4:	$\tau \leftarrow 3/\sqrt{2}$
5:	$\theta \leftarrow \lceil {log}_2{log}_{\tau \beta }\left(\tau 2^{-(f+n)}\right)\rceil$
6:	$\left[\left[c_0\right]\right]\leftarrow 3/2+\beta -{\mathsf{Round}}_1(\left[\left[b\right]\right]/2,\mathrm{d}\mathrm{e}\mathrm{t}\mathrm{e}\mathrm{r}\mathrm{m}\mathrm{i}\mathrm{n}\mathrm{i}\mathrm{s}\mathrm{t}\mathrm{i}\mathrm{c})$
7:	for $i=1$ to $\theta$ do
8:	$\left[\left[z_1\right]\right]\leftarrow {\mathsf{Round}}_{f+n}\left(\left[\left[c_{i-1}\right]\right]\left[\left[b\right]\right]\right))$
9:	$\left[\left[z_2\right]\right]\leftarrow 3-{\mathsf{Round}}_{f+n}\left(\left[\left[c_{i-1}\right]\right]\left[\left[z_1\right]\right]\right)$
10:	$\left[\left[c_i\right]\right]\leftarrow {\mathsf{Round}}_{f+n+1}\left(\frac{1}{2}\left[\left[c_{i-1}\right]\right]\left[\left[z_2\right]\right]\right)$
11:	$\left[\left[d_{\theta }\right]\right]\leftarrow {\mathsf{Round}}_{f+n}(\left[\left[c_{\theta }\right]\right][[v^{\frac{1}{2}}]],\mathrm{d}\mathrm{e}\mathrm{t}\mathrm{e}\mathrm{r}\mathrm{m}\mathrm{i}\mathrm{n}\mathrm{i}\mathrm{s}\mathrm{t}\mathrm{i}\mathrm{c})$
12:	return $\left[\left[d_{\theta }\right]\right]$	▹$-2^{\ell -1}\le d_{\theta }<2^{\ell -1}$

To find an initial approximation, following the same approach that led to (2) would give

$$\left[\left[c_0\right]\right]=\frac{\sqrt{2}}{6}(7-2\left[\left[b\right]\right])-{\alpha }^{*},$$

where ${\alpha }^{*}=(7-3\sqrt[3]{9})/\left(6\sqrt{2}\right)$. This initial approximation has a maximal absolute error of ${\alpha }^{*}\approx 0.089537$ (at $b=0.5$, $b=\sqrt[3]{9}/2$, and $b=2$). An integer factor in front of b—like in (2)—would be more efficient, but this is not really an option here. A factor $\frac{1}{2}$ is possible, essentially reducing the cost of truncation by a factor of f. Therefore, another good initial approximation is

$$\left[\left[c_0\right]\right]=\frac{1}{4}(5+\sqrt{2})-\frac{1}{2}\left[\left[b\right]\right],$$

(9)

which has a maximal absolute error of $\beta =\frac{1}{4}(\sqrt{2}-1)\approx 0.103553$ at $b=1$ and $b=2$ and only $\frac{1}{4}(3\sqrt{2}-4)\approx 0.060660$ at $b=0.5$. Obviously, this slightly higher initial error may lead to an extra iteration in some cases, but it turns out this is not the case for the most common values of f, namely $f=2^n$ with $n\in \{2,\dots ,10\}$. Compared to the initial approximation by Liedel [4], our approximation is slightly less accurate. This may be attributed to the fact that the approximation by Liedel was derived for the interval $[0.5,1)$, while ours is defined for $[0.5,2)$. Due to the quadratic convergence behavior of the Newton–Raphson method, however, the effect of the lower initial accuracy is rather small. On the other hand, our approximation is more efficient in terms of truncation, because (a) we only need to truncate a single bit to compute $c_0$, whereas Liedel needed many more, and (b) Liedel assumed that the input is scaled to $[0.5,1)$, so it is possible that the square root of the scaling factor is not an integral power of two. In these cases, another multiplication by $\sqrt{2}$ needs to be performed, leading to another expensive truncation. Because our approximation and method rely on the assumption that the input is scaled to $[0.5,2)$ in such a way that the scaling factor is always an even power of two, no such correcting multiplication is necessary. Aly and Smart [5] used an even more crude initial approximation. It required the position of the most significant bit, say t, which was then used to compute $2^{t/2}$, a rough approximation for the square root. Finding the most significant bit, however, is equivalent to our scaling step to find b, and once b is known, computing the more accurate approximation in (9) is basically free.

Given the initial approximation $\left[\left[c_0\right]\right]$, successive approximations are computed using

$$\left[\left[c_{i+1}\right]\right]=\frac{1}{2}\left[\left[c_i\right]\right]\left(3-{\left[\left[c_i\right]\right]}^2\left[\left[b\right]\right]\right),$$

(10)

which corresponds to the Newton–Raphson method in (1) applied to $f\left(c\right)=b-1/c^2$. After $\theta$ iterations, with $\theta$ independent of the input value, the scaling is inverted. The final approximation for $1/\sqrt{a}$ then reads

$$\left[\left[d_{\theta }\right]\right]=\left[\left[c_{\theta }\right]\right][[v^{\frac{1}{2}}]].$$

Now, we clearly see why the scaling factor v was chosen to be an even power of two: it also makes the inverse scaling an integral power of two.

The required number of iterations $\theta$ will be determined below such that the final error for $c_{\theta }$ does not exceed ${\delta }_f=2^{-f}$, assuming exact arithmetic. Subsequently, we will determine the required number of additional bits n for Algorithm 5, taking into account all (rounding) errors. For better readability, we will drop the secret-shared brackets in the remainder of this section.

Using $c=1/\sqrt{b}$ to denote the analytical solution and ${ϵ}_i=c-c_i$ to denote the iteration error, applying (10) gives

$${ϵ}_{i+1}=c-\frac{1}{2}{c}_i(3-c_i^{2}b)=c-\frac{1}{2}(c-{ϵ}_i)(3-{(c-{ϵ}_i)}^2)b)=\frac{3}{2}\sqrt{b}{ϵ}_i^2-\frac{1}{2}b{ϵ}_i^3.$$

(11)

Since $b\in [0.5,2)$ and $|{ϵ}_0|\le \beta <1$, we see that quadratic convergence is guaranteed right from the start. From (11), it follows directly that for those values of b where ${ϵ}_0\ge 0$, it holds that

$$|{ϵ}_i|\le {\left(\frac{3}{2}\sqrt{b}\right)}^{2^i-1}{ϵ}_0^{2^i}\le {\left(\tau \beta \right)}^{2^i}/\tau ,$$

where $\tau =3/\sqrt{2}$ and the convergence is slowest for $b=2$. To achieve $|{ϵ}_{\theta }|\le {\delta }_f$, we thus set

$$\theta =⌈{log}_2{log}_{\tau \beta }\left(\tau {\delta }_f\right)⌉.$$

(12)

For those values of b where ${ϵ}_0<0$, the third-order term in (11) cannot simply be ignored. However, we will not update (12) accordingly. Instead, we will handle these cases in the appropriate places in the proofs that follow.

5.2. Tight Error Analysis without Scaling

In this section, we analyze the error ${ϵ}_{\theta }=c-c_{\theta }$ in the computation of $c=1/\sqrt{b}$ for $b\in [0.5,2)$. Analogous to the analysis for the reciprocal, we determine a tight bound for $|{ϵ}_{\theta }|$ taking into account all (rounding) errors, assuming fixed-point arithmetic with f fractional bits in Algorithm 5 (thus with $n=0$). In Section 5.3, we will use this bound to determine the minimal number of additional bits n needed to guarantee that the absolute error for $1/\sqrt{a}$ is limited to ${\delta }_f=2^{-f}$, also taking into account the errors due to scaling.

With the help of Lemmas A5 and A6, we are able to give a bound on the total error for the reciprocal square root after $\theta$ iterations.

Theorem 4.

If the Newton–Raphson method is used to compute $1/\sqrt{b}$ for some $b\in [0.5,2)$, employing initial approximation (9) and with the number of iterations θ computed via (12), then $|{ϵ}_{\theta }|<\sigma {\delta }_f$, where $\sigma =2.71$.

Proof. 

Clearly, if $\theta =0$, the initial error is already below ${\delta }_f$. Because no iterations are performed, no further errors are introduced, and the final error remains below ${\delta }_f$.

For the cases in which $\theta \in \{1,2,3\}$, we exhaustively compute the error for all possible inputs b, taking into account all rounding possibilities. This covers the values $4\le f\le 18$ and yields a maximum value for $|{ϵ}_{\theta }|$ of approximately $2.60{\delta }_f$.

For larger values of f, we follow an analogous approach to that for the reciprocal: firstly, we derived an expression that bounds the absolute error as a function of f and $\theta$. Secondly, we compute the value of the error bound for $f=19$ ($\theta =4$), which will be below $2.71{\delta }_f$. Thirdly, we show that for larger values of f, the value of the error bound will always be smaller than in the case $f=19$.

Following Lemma A5, we know that in the case of exact arithmetic, the error at the start of the final iteration is bounded by ${\xi }^{2^{\theta -2}}{\sqrt{b/2}}^{2^{\theta -1}-1}\sqrt{{\delta }_f/\tau }$. Lemma A6 tells us that in the first iteration, the rounding error is bounded by $(c_0^2/2+c_0/2+1){\delta }_f$, while in every subsequent iteration it is bounded by $(1/\left(2b\right)+1/\left(2\sqrt{b}\right)+1){\delta }_f$. Thus, for $\theta \ge 4$, we obtain the following bound for the total error at the start of the final iteration:

$$|{ϵ}_{\theta -1}|<{\xi }^{2^{\theta -2}}{\sqrt{b/2}}^{2^{\theta -1}-1}\sqrt{{\delta }_f/\tau }+\left(\frac{c_0^2}{2}+\frac{c_0}{2}+1\right){\delta }_f+(\theta -2)\left(\frac{1}{2b}+\frac{1}{2\sqrt{b}}+1\right){\delta }_f.$$

Let $T_{\theta }=T_{\theta }\left(b\right)=(c_0^2/2+c_0/2+1)+(\theta -2)(1/\left(2b\right)+1/\left(2\sqrt{b}\right)+1)$. Applying (A4) with $i=\theta -1$, and without the third-order term (since ${ϵ}_{\theta -1}>0$), gives

$$\begin{array}{ccc}\hfill |{ϵ}_{\theta }|& <& \frac{3}{2}\sqrt{b}{ϵ}_{\theta -1}^2+\left(\frac{1}{2b}+\frac{1}{2\sqrt{b}}+1\right){\delta }_f\hfill \\ & <& \frac{3}{2}\sqrt{b}{\left({\xi }^{2^{\theta -2}}{\sqrt{b/2}}^{2^{\theta -1}-1}\sqrt{{\delta }_f/\tau }+T_{\theta }{\delta }_f\right)}^2+\left(\frac{1}{2b}+\frac{1}{2\sqrt{b}}+1\right){\delta }_f\hfill \\ & =& \left(\sqrt{\xi }{\sqrt{b\xi /2}}^{2^{\theta }-1}+2{\sqrt{b\xi /2}}^{2^{\theta -1}}{T}_{\theta }\sqrt{\tau {\delta }_f}+\frac{3}{2}\sqrt{b}{T}_{\theta }^2{\delta }_f+\frac{1}{2b}+\frac{1}{2\sqrt{b}}+1\right){\delta }_f\hfill \\ & \stackrel{\mathrm{def}}{=}& E_{\theta ,f}\left(b\right){\delta }_f.\hfill \end{array}$$

For the case $f=19$, where $\theta =4$, this yields

$$E_{4,19}\left(b\right){\delta }_f=\left(\sqrt{\xi }{\sqrt{b\xi /2}}^{15}+2{\sqrt{b\xi /2}}^8{T}_4\sqrt{\tau {\delta }_{19}}+\frac{3}{2}\sqrt{b}{T}_4^2{\delta }_{19}+\frac{1}{2b}+\frac{1}{2\sqrt{b}}+1\right){\delta }_f,$$

for which a simple numerical analysis shows that the maximum value is slightly below $2.71{\delta }_f$.

We complete the proof by showing that $E_{\theta ,f}\left(b\right)<E_{4,19}\left(b\right)$ for $f>19$, with $\theta$ defined by (12). Since $\theta$ is increasing as a function of f, let $f_{\theta }$ be the lowest value of f such that $\theta =⌈{log}_2{log}_{\tau \beta }\left(\tau {\delta }_f\right)⌉$. Then, $f_{\theta }$ is also increasing as a function of $\theta$.

Since it is clear that $E_{\theta ,f_{\theta }}>E_{\theta ,f}$ for all $f>f_{\theta }$, it suffices to bound $E_{\theta ,f_{\theta }}$. To that end, we will consider the three terms in the definition of $E_{\theta ,f}$ that depend on $\theta$ and f separately.

To evaluate the first term $\sqrt{\xi }{\sqrt{b\xi /2}}^{2^{\theta }-1}$, we note that $\xi$ is defined to have the value 1.045 for $b_1<b<b_2$, with $b_2\approx 1.65$, while $\xi =1$ for $b>b_2$. It thus follows that $b\xi /2<1$, and as a result the entire term decreases rapidly with $\theta$.

For convenience, we use $\tilde{b}=b\xi /2$ and $\tilde{\alpha }=\tau \beta$ in the analysis below. The second term may then be written as $2{\tilde{b}}^{2^{\theta -2}}{T}_{\theta }\sqrt{\tau {\delta }_f}$. Using the definition of $\theta$, we get $\sqrt{\tau {\delta }_f}={\tilde{\alpha }}^{2^{\theta -\gamma -1}}$, where $\gamma$ satisfies ${log}_2{log}_{\tilde{\alpha }}\left(\tau {\delta }_f\right)+\gamma =\theta$ and $0\le \gamma <1$. Taking the derivative thus yields for the second term

$$\begin{array}{ccc}\hfill \frac{\mathrm{d}\left(2{\tilde{b}}^{2^{\theta -2}}{T}_{\theta }{\tilde{\alpha }}^{2^{\theta -\gamma -1}}\right)}{\mathrm{d}\theta }& =& 2{\tilde{b}}^{2^{\theta -2}}{\tilde{\alpha }}^{2^{\theta -\gamma -1}}\left(\frac{1}{2b}+\frac{1}{2\sqrt{b}}+1+T_{\theta }{2}^{\theta -1}ln2(\frac{1}{2}ln\tilde{b}+2^{-\gamma }ln\tilde{\alpha })\right)\hfill \\ & <& 6{\tilde{b}}^{2^{\theta -2}}{\tilde{\alpha }}^{2^{\theta -\gamma -1}}\left(1+(\theta -1)2^{\theta -2}ln2ln\tilde{\alpha }\right),\hfill \end{array}$$

where $c_0\left(b\right)<3/2$ and $\mathrm{d}{T}_{\theta }/\mathrm{d}\theta <3$, so that $T_{\theta }<3(\theta -1)$. This bound is almost identical to the bound we found in the analysis for the reciprocal. The factor before the outer parentheses is now positive for any valid b and $\theta \ge 4$. Additionally, it is easy to verify that the factor within the outer parentheses is negative for $\theta =4$. Because the negative part will only increase in (absolute) size with $\theta$, the derivative is, and will remain, negative. This shows that the original term is decreasing as a function of $\theta$.

The third term is $\frac{3}{2}\sqrt{b}{T}_{\theta }^2{\delta }_f$. Writing $\tau {\delta }_f$ as a function of $\theta$, we may rewrite this term to $\sqrt{b/2}{T}_{\theta }^2{\tilde{\alpha }}^{2^{\theta -\gamma }}$. Taking the derivative, we find:

$$\begin{array}{ccc}\hfill \frac{\mathrm{d}\left(\sqrt{b/2}{T}_{\theta }^2{\tilde{\alpha }}^{2^{\theta -\gamma }}\right)}{\mathrm{d}\theta }& =& 2\sqrt{b/2}{T}_{\theta }{\tilde{\alpha }}^{2^{\theta -\gamma }}\left(\frac{1}{2b}+\frac{1}{2\sqrt{b}}+1+T_{\theta }{2}^{\theta -\gamma -1}ln2ln\tilde{\alpha }\right)\hfill \\ & <& 6\sqrt{b/2}{T}_{\theta }{\alpha }^{2^{\theta -\gamma }}\left(1+(\theta -1)2^{\theta -2}ln2ln\tilde{\alpha }\right).\hfill \end{array}$$

Again, this bound is very similar to the bound in the analysis for the reciprocal. The term before the outer parentheses is positive for any valid b and $\theta \ge 4$, and with the known value for $\tilde{\alpha }$ it is easy to verify that the term between the outer parentheses is negative for $\theta =4$. Additionally, the negative part will only increase in (absolute) size with $\theta$. Therefore, the derivative is always negative, which shows that the original term is decreasing as a function of $\theta$.

Combining these results shows that $E_{\theta ,f}\left(b\right)<E_{4,19}\left(b\right)<2.71$ for all $b\in [0.5,2)$ and $f>19$, which proves the statement. Note that we could tighten the bound even more by computing $E_{\theta ,f_{\theta }}$ for an arbitrary $\theta >4$.    □

Similar to the reciprocal, we will perform our computations with extra precision to control the effect of rounding. Therefore, in the following, we assume a total of $f+n$ fractional bits. Then, we apply Theorem 4 to find that ${ϵ}_{\theta ,n}<\sigma {\delta }_{f+n}$.

5.3. Tight Error Analysis

The analysis of scaling errors for the reciprocal square root is like that for the reciprocal. Again, we have that $b^{*}=av+{\eta }_1$, with $|{\eta }_1|<{\delta }_{f+n}$. And this time, we have

$$c_{\theta }^{*}=\frac{1}{\sqrt{b^{*}}}+{ϵ}_{\theta ,n},$$

where $|{ϵ}_{\theta ,n}|<\sigma {\delta }_{f+n}$ with $\sigma =2.71$, according to Theorem 4. Finally, $c^{*}$ is scaled back through the multiplication by $\sqrt{v}$ rounded (deterministically) to the original precision:

$$d_{\theta }^{*}=c_{\theta }^{*}\sqrt{v}+{\eta }_2,$$

where $|{\eta }_2|\le \frac{1}{2}{\delta }_f$. The absolute error for $d=1/\sqrt{a}$ then reads as

$$\begin{array}{ccc}\hfill \left|d_{\theta }^{*}-d\right|& =& \left|\left(\frac{1}{\sqrt{av+{\eta }_1}}+{ϵ}_{\theta ,n}\right)\sqrt{v}+{\eta }_2-\frac{1}{\sqrt{a}}\right|\hfill \\ \hfill & =& \left|\frac{1}{\sqrt{a}}\frac{1}{\sqrt{1+\frac{{\eta }_1}{av}}}+{ϵ}_{\theta ,n}\sqrt{v}+{\eta }_2-\frac{1}{\sqrt{a}}\right|\hfill \\ \hfill & =& \left|\frac{1}{\sqrt{a}}\left(1-\frac{1}{2}\frac{{\eta }_1}{av}+\frac{3}{8}{\left(\frac{{\eta }_1}{av}\right)}^2-\dots \right)+{ϵ}_{\theta ,n}\sqrt{v}+{\eta }_2-\frac{1}{\sqrt{a}}\right|\hfill \\ \hfill & \doteq & \left|-\frac{{\eta }_1}{2\sqrt{a}b}+{ϵ}_{\theta ,n}\sqrt{v}+{\eta }_2\right|.\hfill \end{array}$$

(13)

We are able to bound the overall error for $1/\sqrt{a}$ as follows, using Lemma A7 to bound the error for cases in which a is a specific power of 2.

Theorem 5.

If the Newton–Raphson method is used to compute $1/\sqrt{a}$ for $a\in {\mathbb{Q}}_{2f,f}$, employing the approach in Algorithm 5, with $\frac{1}{2}f\le n\le f-2$, then the absolute error (13) is bounded by $(2^{(f-1)/2-n}\sigma +\frac{1}{2}){\delta }_f$.

Proof. 

Similar to Theorem 2, we can make a distinction between three cases: (i) $a<2^{-2n}$, in which ${\eta }_1={\eta }_2=0$; (ii) $2^{-2n}\le a<2^{n+1}$, in which generally only ${\eta }_1=0$; and (iii) $a\ge 2^{n+1}$. However, since $\frac{1}{2}f\le n$, which is equivalent to $2n\ge f$, there exists no $a\in {\mathbb{Q}}_{2f,f}$ such that $a<2^{-2n}$. Therefore, we will only consider the cases (ii) and (iii).

In case (ii), the error simplifies to $|{ϵ}_{\theta ,n}\sqrt{v}+{\eta }_2|$. For the smallest value $a={\delta }_f$, we find that the error is bounded by $(2^{f/2}\sigma {\delta }_{f+n}+\frac{1}{2}{\delta }_f)$ in the case that f is even, and by $(2^{(f-1)/2}\sigma {\delta }_{f+n}+\frac{1}{2}{\delta }_f)$ if f is odd. However, if f is even and $a={\delta }_f$, we may replace $\sigma {\delta }_{f+n}$ by ${\delta }_{f+n}$, according to Lemma A7. Therefore, a tighter bound for even f is found by considering the next value, $a=2{\delta }_f$, for which the absolute error is bounded by $(2^{f/2-1}\sigma {\delta }_{f+n}+\frac{1}{2}{\delta }_f)$. However, the largest bound is found for an odd f and reads as $(2^{(f-1)/2-n}\sigma +\frac{1}{2}){\delta }_f$.

In case (iii), we need to take into account all error terms in (13). Without going into further detail, we state that the error is maximized by taking the lowest value of a in this range ($a=2^{n+1}$), which also has the largest value for v, with $n+1$ even, because it maximizes the combined value of the first and second error terms. The absolute error then reads as $(2^{-(n+1)/2}(\frac{1}{2}+\sigma )+\frac{1}{2}){\delta }_f$.

It can be easily verified that with $n\le f-2$, the bound in case (iii) is always below the (lowest) bound in case (ii). Therefore, for the given range of n, $(2^{(f-1)/2-n}\sigma +\frac{1}{2}){\delta }_f$ bounds the absolute error for all values of a.    □

Remark 6.

The relative error is found by dividing the absolute error by $d=1/\sqrt{a}$:

$$\left|\frac{d_{\theta }^{*}-d}{d}\right|\doteq \left|-\frac{{\eta }_1}{2b}+{ϵ}_{\theta ,n}\sqrt{b}+\sqrt{a}{\eta }_2\right|.$$

Here, ≐ means equality up to higher-order terms. Note that this only applies to the term involving ${\eta }_1$, for which quadratic and higher-order terms are ignored. However, these terms do not have a significant effect in the cases with the largest absolute errors.

The relative error is small for small values of a, while for larger values of a the error increases. If $a<2^{-2n}$, the error is bounded by $2^{1/2-n}\sigma {\delta }_f$, increasing to $(2^{1/2-n}\sigma +2^{(n-1)/2}){\delta }_f$ for $2^{-2n}\le a<2^{n+1}$. For $a\ge 2^{n+1}$, the error is (approximately) bounded by $(1+2^{1/2-n}\sigma +2^{f/2-1}){\delta }_f$.

Corollary 3.

If the Newton–Raphson method is used to compute $1/\sqrt{a}$ for $a\in {\mathbb{Q}}_{2f,f}$, employing the approach in Algorithm 5, then computing with $n=⌊(f+5)/2⌋$ additional bits guarantees that the absolute error (13) is strictly smaller than ${\delta }_f$.

Proof. 

According to Theorem 5, if $f/2\le n\le f-2$, the absolute error is bounded by $(2^{(f-1)/2-n}\sigma +1/2){\delta }_f$. Thus, for the final absolute error to be smaller than ${\delta }_f$, we need

$$(2^{(f-1)/2-n}\sigma +\frac{1}{2}){\delta }_f<{\delta }_f,$$

which gives that (approximately) $n>\frac{1}{2}f+1.94$. From this, it follows that $n=\frac{1}{2}f+2$ for even f, and $n=\frac{1}{2}f+\frac{5}{2}$ for odd f, which guarantees that the absolute error will be smaller than ${\delta }_f$. Bearing in mind the range of n for which Theorem 5 is valid, this results holds for $f\ge 8$.

What remains to be shown is that: (i) smaller values for n will not suffice to guarantee an error smaller than ${\delta }_f$, and (ii) the result also holds for $f<8$. Both are achieved by exhaustively checking all rounding combinations for increasing values of f. For (ii), this shows that the results hold for $f\ge 4$ (all f that require at least one iteration). To prove (i), we use $n=\frac{1}{2}f+1$ for even f and $n=\frac{1}{2}f+\frac{3}{2}$ for odd f, until a final absolute error larger than ${\delta }_f$ is found. All $f\le 300$ are checked, and several cases where the final error exceeds ${\delta }_f$ are identified, the first of which are $f=20$ and $f=223$. This proves that $n=⌊(f+5)/2⌋$ is not only a sufficient condition, but (in general) also a necessary one.    □

6. Square Root

Besides being a result in itself, the reciprocal square root can be used to compute the square root by multiplying it with the original input $\left[\right[a\left]\right]$. In fact, this seems the most efficient way to achieve this, as it provides a means to compute the square root with multiplications and additions only, whereas applying the Newton–Raphson method to the square root directly would lead to an algorithm that requires the computation of a reciprocal (and hence a full Newton–Raphson computation) in every iteration.

6.1. Error for Square Root

Looking back at the computation of the reciprocal square root, after computing $c_{\theta }^{*}$, we have several options. We could finish the computation of the reciprocal square root as we did before, multiplying $c_{\theta }^{*}$ by $\sqrt{v}$, and subsequently perform a rounding step. Because the multiplication by a will follow, it makes sense not to round to the original precision at this stage and keep the extra n bits to maintain a higher accuracy. Still, rounding to $f+n$ fractional bits induces an error that would be multiplied by a, which for large values of a would lead to a large error.

Instead, it is significantly better to multiply $c_{\theta }^{*}$ by a first, subsequently perform a rounding step, and only then multiply by $\sqrt{v}$. Even though the largest error is still attained for large values of a, at least we avoid multiplying the intermediate rounding error by this large a.

A third option, with an accuracy practically equal to the previous accuracy, is multiplying a and $\sqrt{v}$ separately (similar to multiplying g and v in Algorithm 3):

$$w=a\sqrt{v}+{\eta }_w.$$

Here, $|{\eta }_w|<{\delta }_{f+n}$. We then multiply $c_{\theta }^{*}$ with w and (deterministically) round the result to the original precision:

$$d_{\theta }^{*}=c_{\theta }^{*}w+{\eta }_2.$$

Again, $|{\eta }_2|<\frac{1}{2}{\delta }_f$. Subtracting the exact solution gives the absolute error:

$$\begin{array}{ccc}\hfill \left|d_{\theta }^{*}-\sqrt{a}\right|& =& \left|\left(\frac{1}{\sqrt{av+{\eta }_1}}+{ϵ}_{\theta ,n}\right)\left(a\sqrt{v}+{\tilde{\eta }}_1\right)+{\eta }_2-\sqrt{a}\right|\hfill \\ \hfill & =& \left|-\frac{\sqrt{a}{\eta }_1}{2av}\left(1-\frac{3}{4}\frac{{\eta }_1}{av}+\frac{5}{8}{\left(\frac{{\eta }_1}{av}\right)}^2-\dots \right)+{ϵ}_{\theta ,n}a\sqrt{v}+c^{*}{\tilde{\eta }}_1+{\eta }_2\right|\hfill \end{array}$$

(14)

$$\begin{array}{ccc}& <& \left|-\frac{\sqrt{a}{\eta }_1}{2b}\left(1+\frac{|{\eta }_1|}{b}\right)+\frac{{ϵ}_{\theta ,n}b}{\sqrt{v}}+c^{*}{\tilde{\eta }}_1+{\eta }_2\right|.\hfill \end{array}$$

(15)

The algorithm is summarized in Algorithm 6.

Algorithm 6 $\mathsf{Sqrt}\left(\right[\left[a\right]],n=0)$		$-2^{\ell -1}\le a<2^{\ell -1}$
	Lines 1–10 of Algorithm 5
11:	$\left[\left[w\right]\right]\leftarrow {\mathsf{Round}}_{f-n}(\left[\left[a\right]\right][[v^{\frac{1}{2}}]])$
12:	$\left[\left[d_{\theta }\right]\right]\leftarrow {\mathsf{Round}}_{f+2n}(\left[\left[c_{\theta }\right]\right]\left[\left[w\right]\right],\mathrm{d}\mathrm{e}\mathrm{t}\mathrm{e}\mathrm{r}\mathrm{m}\mathrm{i}\mathrm{n}\mathrm{i}\mathrm{s}\mathrm{t}\mathrm{i}\mathrm{c})$
13:	return $\left[\left[d_{\theta }\right]\right]$	▹$-2^{\ell -1}\le d_{\theta }<2^{\ell -1}$

Theorem 6.

If Algorithm 6 is used to compute $\sqrt{a}$ for $a\in {\mathbb{Q}}_{2f,f}$, with $n\ge \frac{1}{2}f$, then the absolute error (14) is bounded by $(2^{f/2-n}(\frac{1}{2}(1+{\delta }_{f+n})+\sigma )+\frac{1}{2}){\delta }_f$ for even f and by $(2^{f/2-n}(\frac{1}{4}(1+\frac{1}{2}{\delta }_{f+n})+\sqrt{2}\sigma )+\frac{1}{2}){\delta }_f$ for odd f, where $\sigma =2.71$.

Proof. 

For $a<2^n$, we have ${\eta }_1={\tilde{\eta }}_1=0$, and the error simplifies to $|{ϵ}_{\theta ,n}b/\sqrt{v}+{\eta }_2|$. This is bounded by $(2^{(2-n)/2}\sigma +\frac{1}{2}){\delta }_f$ for even n, and by $(2^{(1-n)/2}\sigma +\frac{1}{2}){\delta }_f$ for odd n. However, the error increases for a larger a. For $a\ge 2^n$, the first term in (15) comes into play and increases with a. At the same time, a larger a generally leads to a smaller v, which increases the second term as well. Since $n\ge \frac{1}{2}f$, we still have that ${\tilde{\eta }}_1=0$. Thus, the error bound simplifies to $E_{d_{\theta }^{*}}$, where

$$E_{d_{\theta }^{*}}=\left|-\frac{\sqrt{a}{\eta }_1}{2b}\left(1+\frac{|{\eta }_1|}{b}\right)+\frac{{ϵ}_{\theta ,n}b}{\sqrt{v}}+{\eta }_2\right|.$$

For $a\ge 2^{f-1}$ and even f, we have $v=2^{-f}$, and we can write $a=2^{f}b$, with $0.5\le b<1$. Substituting this into the above equation gives

$$\begin{array}{ccc}\hfill E_{d_{\theta }^{*}}& <& \left(\frac{\sqrt{2^{f}b}}{2b}\left(1+\frac{{\delta }_{f+n}}{b}\right)+\frac{\sigma b}{2^{-f/2}}\right){\delta }_{f+n}+\frac{1}{2}{\delta }_f\hfill \\ & =& 2^{f/2-n}\left(\frac{1}{2\sqrt{b}}\left(1+\frac{{\delta }_{f+n}}{b}\right)+\sigma b\right){\delta }_f+\frac{1}{2}{\delta }_f.\hfill \end{array}$$

The factor within the outer parentheses increases with b and can be bounded by choosing $b=1$, which leads to the bound for even f. Notice that if $2^{f-2}\le a<2^{f-1}$, then indeed $1\le b<2$. In this case, however, the $2^{f/2-n}$ factor would become $2^{f/2-n-1}$, making it twice as small, while the factor between parentheses would become less than twice as large. Thus, this would decrease the overall error.

For $a\ge 2^{f-1}$ and odd f, we have $v=2^{-(f-1)}$, and we can write $a=2^{f-1}b$, with $1\le b<2$. Substituting this into the same equation gives

$$E_{d_{\theta }^{*}}<2^{(f-1)/2-n}\left(\frac{1}{2\sqrt{b}}\left(1+\frac{{\delta }_{f+n}}{b}\right)+\sigma b\right){\delta }_f+\frac{1}{2}{\delta }_f.$$

Substituting $b=2$ then yields the bound stated for odd f. Note that in this case choosing a smaller a would lead to a lower value for the factor in front of the parentheses, as well as a lower value for the factor in parentheses, and therefore it need not be considered.    □

Corollary 4.

If Algorithm 6 is used to compute $\sqrt{a}$ for $a\in {\mathbb{Q}}_{2f,f}$, then computing with $n=⌊(f+7)/2⌋$ additional bits guarantees that the absolute error (14) is strictly smaller than ${\delta }_f$.

Proof. 

Using the result of Theorem 6 for the case that f is even, the absolute error is certainly smaller than ${\delta }_f$ if the following holds:

$$2^{f/2-n}\left(\frac{1}{2}(1+{\delta }_{f+n})+\sigma \right)+\frac{1}{2}<1.$$

To get rid of the ${\delta }_{f+n}$ term, we assign it a fairly large value, which, as we will see, does not matter much for the outcome. We choose ${\delta }_{f+n}=\frac{1}{16}$, which would be the correct value if $f+n=4$. It then follows that (approximately) $n>\frac{1}{2}f+2.69$, from which we conclude that $n=\frac{1}{2}f+3$ is sufficient to guarantee an error smaller than ${\delta }_f$. Based on simulation results, we suspect that $n=\frac{1}{2}f+2$ would already be sufficient, as we were unable to find a case in which the error exceeded ${\delta }_f$. However, since the largest error does not always occur for the same a value (as, for example, in the case of the reciprocal square root), simulations are very costly and could not be performed for large values of f. There are cases for which $n=\frac{1}{2}f+1$ leads to errors larger than ${\delta }_f$, so using this value for n clearly does not guarantee an error smaller than ${\delta }_f$.

For odd values of f, an analogous derivation shows that using $n=\frac{1}{2}f+\frac{7}{2}$ is guaranteed to keep the final absolute error below ${\delta }_f$. Also in this case, using one bit less seems already sufficient, since no counterexample could be found. Cases in which the error exceeded ${\delta }_f$ were found for $n=\frac{1}{2}f+\frac{3}{2}$, which shows that this value for n is certainly not sufficient.    □

6.2. Integer Square Root

A related primitive is the integer square root. For a given integer $\left[\right[a\left]\right]$, this function computes integer $\left[\right[q\left]\right]$ such that $q\le \sqrt{a}<q+1$; hence, $q=⌊\sqrt{a}⌋$. For this purpose, we may exploit the algorithm derived in the previous section.

Corollary 5.

Suppose Algorithm 6 is used to compute $\sqrt{a}$ for an integer $a\in {\mathbb{Q}}_{2f,f}$, with $f\ge 3$. If $\tilde{q}$ is rounded to an integer $\overline{q}$ deterministically, then no additional bits are required to guarantee that $\overline{q}\in \{q,q+1\}$.

Proof. 

With the input a now an integer, we have that ${\eta }_1=0$. Also, ${\eta }_w=0$. Thus, the error bound (15) simplifies to $|{ϵ}_{\theta ,n}b/\sqrt{v}+{\eta }_2|$. For even f, this is bounded by

$$\begin{array}{ccc}\hfill |{ϵ}_{\theta ,n}b/\sqrt{v}+{\eta }_2|& <& \frac{\sigma {\delta }_{f+n}}{\sqrt{v}}+\frac{1}{2}{\delta }_f\hfill \\ & =& 2^{-f/2-n}\sigma +\frac{1}{2}{\delta }_f.\hfill \end{array}$$

Even without any extra bits ($n=0$), this bound remains below $0.5$ for $f\ge 3$, so that $q-0.5<\tilde{q}<q+1.5$. Therefore, if $\tilde{q}$ is rounded deterministically to an integer $\overline{q}$, then $\overline{q}\in \{q,q+1\}$. Analogously, the same result can be shown to hold for odd f.    □

Remark 7.

The result of Corollary 5 holds even if the rounding in line 12 of Algorithm 6 is performed probabilistically.

After computing the square root of a and rounding to an integer, the correct solution q is recovered by a single secure comparison. The complete procedure is summarized in Algorithm 7.

Algorithm 7 $\mathsf{IntSqrt}\left(\right[\left[a\right]\left]\right)$		$-2^{f-1}\le a<2^{f-1}$, with $a\in \mathbb{Z}$
	Line 2 in Algorithm 6 simplifies to $\left[\left[b\right]\right]\leftarrow 2^{-f+n}\left[\left[a\right]\right]\left[\left[v\right]\right]$
1:	$\left[\left[\tilde{q}\right]\right]\leftarrow \mathsf{Sqrt}([[a{2}^f]],n=0)$	▹$-2^{\ell -1}\le \tilde{q}<2^{\ell -1}$
2:	$\left[\left[\overline{q}\right]\right]\leftarrow {\mathsf{Round}}_f(\left[\left[\tilde{q}\right]\right],\mathrm{d}\mathrm{e}\mathrm{t}\mathrm{e}\mathrm{r}\mathrm{m}\mathrm{i}\mathrm{n}\mathrm{i}\mathrm{s}\mathrm{t}\mathrm{i}\mathrm{c})$
3:	$\left[\left[q\right]\right]\leftarrow \left[\left[\overline{q}\right]\right]-({\left[\left[\overline{q}\right]\right]}^2>\left[\left[a\right]\right])$
4:	return $\left[\right[q\left]\right]$	▹$-2^{f-1}\le q<2^{f-1}$

7. Conclusions

Basic secure fixed-point arithmetic allows for efficient $+,-,*,<$ operations and often easily extends to efficient dot products and matrix multiplications. The availability of efficient solutions for secure reciprocals and square roots opens up a much broader scope of applications, such as efficient solutions for secure Gaussian elimination, secure linear programming, and secure Cholesky decomposition with appropriately scaled input matrices.

As announced at the end of Section 2.1, our protocols achieve logarithmic round complexity: the round complexity is dominated by the $\theta =O(logf)$ rounds for the for loops in Algorithms 2 and 5, as each iteration takes $O\left(1\right)$ rounds due to the use of probabilistic rounding. In concurrent work, we achieved similar results for the secure computation of sine and cosine in secure fixed-point arithmetic, relying on an iterative method very different from Newton-Raphson iteration, but also supporting any desired precision [20].

The use of secure fixed-point arithmetic is essential in many secure computation frameworks. As part of ongoing work, we are integrating all these solutions in the Python package MPyC [21], where the overall goal is to support all fixed-point arithmetic and functions with arbitrary (parameterized) precision expressed as the number of fractional bits f. Our solutions for secure integer division (see Section 4) and secure integer square roots (see Section 6.2) therefore apply to secure integer arithmetic over arbitrarily large ranges. In fact, we use this form of secure integer division as a building block for the implementation of secure class groups in MPyC, see [22].