Efficient regular modular exponentiation using multiplicative half-size splitting

Abstract

In this paper, we consider efficient RSA modular exponentiations \(x^K \mod N\) which are regular and constant time. We first review the multiplicative splitting of an integer x modulo N into two half-size integers. We then take advantage of this splitting to modify the square-and-multiply exponentiation as a regular sequence of squarings always followed by a multiplication by a half-size integer. The proposed method requires around 16 % less word operations compared to Montgomery-ladder, square-always and square-and-multiply-always exponentiations. These theoretical results are validated by our implementation results which show an improvement by more than 12 % compared approaches which are both regular and constant time.

Appendix

Proof of Lemma 1

• Proof of (i). We prove by induction on i that \((-1)^{i-1}a_i \ge 1\) for all \(i \ge 1\). For \(i=1\) we have \(a_1=1\) which implies \( (-1)^{i-1}a_i=1\) as required. For \(i=2\) we have \(a_2=-q_1a_1\) which implies \((-1)^1a_2=q_1a_1 \ge 1\). Now, we suppose that the inequality holds for \(i-1\) and i , i.e.,

  $$\begin{aligned} (-1)^{i-2}a_{i-1} \ge 1 \quad \text{ and }\quad (-1)^{i-1}a_i \ge 1, \end{aligned}$$

  (9)

  and we prove that the inequality is also true for \(i+1\). We starts with \( (-1)^{i}a_{i+1}\) and replace \(a_{i+1}\) by its expression in terms of \(a_i,a_{i-1},r_i\) and \(r_{i-1}\) in Algorithm 2. We obtain the following:

  $$\begin{aligned} (-1)^{i}a_{i+1}= & {} (-1)^{i} \left( a_{i-1}-\left\lfloor r_{i-1}/r_{i} \right\rfloor a_{i} \right) \\= & {} (-1)^{i} a_{i-1}- \left\lfloor r_{i-1}/r_{i} \right\rfloor (-1)^{i}a_{i}\\= & {} (-1)^{i-2} a_{i-1}+ \left\lfloor r_{i-1}/r_{i} \right\rfloor (-1)^{i-1}a_{i}\\\ge & {} 1 + \left\lfloor r_{i-1}/r_{i} \right\rfloor \qquad {(\hbox {Using}\,(9))} \end{aligned}$$

  Therefore, we have proven by induction that \( (-1)^{i}a_i \ge 1\) for all i.

• Proof of (ii). We follow the proof of [16]: we express the inductive expression of \(a_i\) and \(r_i\) as a \(2\times 2\) matrix product:

  $$\begin{aligned} \begin{pmatrix} a_{i+1} &{} r_{i+1} \\ a_{i} &{} r_{i} \end{pmatrix} = \begin{pmatrix} -\left\lfloor r_{i-1}/r_{i} \right\rfloor &{} 1\\ 1 &{} 0 \end{pmatrix} \begin{pmatrix} a_{i} &{} r_{i} \\ a_{i-1} &{} r_{i-1} \end{pmatrix}. \end{aligned}$$

  Now since for all i we have \(\det {\begin{pmatrix} -\left\lfloor r_{i-1}/r_{i} \right\rfloor &{} 1\\ 1 &{} 0 \end{pmatrix}} =-1\), we obtain by induction that

  $$\begin{aligned} \det {\begin{pmatrix} a_{i+1} &{} r_{i+1} \\ a_{i} &{} r_{i} \end{pmatrix}}= & {} (-1)^i \det {\begin{pmatrix} a_{1} &{} r_{1} \\ a_{0} &{} r_{0} \end{pmatrix}} \\= & {} (-1)^i \det {\begin{pmatrix} 1 &{} x \\ 0 &{} N \end{pmatrix}} \\= & {} (-1)^iN. \end{aligned}$$

  Finally we obtain that

  $$\begin{aligned} \forall i\ge 0, a_{i+1}r_i - a_i r_{i+1}=(-1)^i N. \end{aligned}$$