Short-Iteration Constant-Time GCD and Modular Inversion

Even theoretically secure cryptosystems, digital signatures, etc. may not be secure after being implemented on the Internet of Things (IoT) devices and PCs because of Side-Channel Attack (SCA). Since RSA key generation and ECDSA need GCD computations or modular inversions, which are often computed by Binary Euclidean Algorithm (BEA) or Binary Extended Euclidean Algorithm (BEEA), the SCA weakness of BEA and BEEA becomes serious. For countermeasures, the Constant-Time GCD (CT-GCD) and Constant-Time Modular Inversion (CTMI) algorithms are good choices. Modular inversion based on Fermat's Little Theorem (FLT) can work in constant time but it is not efficient for general inputs. Two CTMI algorithms, named BOS and BY in this paper, are proposed by Joppe W. Bos and Bernstein, Yang respectively, which are based on the idea of BEA. However, BOS has complicated computations during one iteration and BY uses more iterations. Small number of iterations and simple computations during one iteration are good characteristics of a constant-time algorithm. Based on this view, this paper proposes new short-iteration CT-GCD and CTMI algorithms over F-p borrowing a simple idea of BEA. Our algorithms are evaluated from the theoretical point of view. Compared with BOS, BY and the improved version of BY, our short-iteration algorithms are experimentally demonstrated to be faster than theirs.