0

When a modulo is 0, the result of squaring or multiplying modulo will always be 0 as well. Therefore the loop could break and return 0. It can be a mean to compute faster the result of square and multiply modular exponentiation at a negligible cost of comparing the modulo to 0. Perhaps, using large prime numbers like for RSA keys, there is no chance to have a modulo equal to 0?

Christophe Brun
  • 11
  • 1
  • Efficient function/algorithm/method to do modular exponentiation What are you trying to achieve? – kelalaka Dec 23 '23 at 08:11
  • 2
    When the modulus is $1$, the result of all well-defined modular operations is $0$. When the modulus is $0$, they are undefined. For example $a+b\bmod n$ is defined the be the integer $c$ with $0\le c$ and $c<n$ such that exists integer $k$ with $a+b=c+k,n$. There's no way to extend that to $n=0$, because the conditions $0\le c$ and $c<n$ leave no possible $c$. And if we remove these conditions, we are back to non-modular addition. – fgrieu Dec 23 '23 at 09:01
  • 1
    @fgrieu I think the OP trying to say let $a \in Z_n$ such that $a=0$ then the exponentiation is not necessary so that they though there is a speed up, however, we don't care since the side-channel... – kelalaka Dec 23 '23 at 11:53
  • @kelalaka indeed you get the point, it is probably not wise regarding side channel attacks, so this at least partially the answer. – Christophe Brun Dec 23 '23 at 20:25
  • @kelalaka your link is interesting, even if I kind roughly knew those issues and solutions, thank you. I don't know what I am trying to achieve, I would just like to understand, why, in your link, when result is 0, the function is not stopping and return 0. – Christophe Brun Dec 23 '23 at 20:30
  • An early exit can exhibit a significant leak. We don't want such designs. Constant time ( or better name Fixed-time) requires exponentiation operation must took the same time... – kelalaka Dec 23 '23 at 20:35
  • @fgrieu sorry I just an amateur at cryptography and my math are horrible. I probably did not manage to make you understand my question. I know what is the mod function. – Christophe Brun Dec 23 '23 at 20:38
  • OK @kelalaka, according to you the only good reason is side-channel attack? – Christophe Brun Dec 23 '23 at 20:39
  • What is the probability of getting the message = 0 in TextBook RSA? Tiny. What is the probability in RSA PKCS#1v1.5 padding or RSA-OAEP or RSA-PSS? Almost Zero. So there is no benefit at all. – kelalaka Dec 23 '23 at 20:44
  • @kelalaka Agreeing with you, I cannot validate your comment as answer, but those are the two points I see as well. They are surely the answer. – Christophe Brun Dec 23 '23 at 21:14

1 Answers1

0

TL;DR The modulus size defines the key size the key pair generator would be faulty if the modulus would be even a bit lower than that.

For RSA the modulus is $n = p \cdot q$. $p$ and $q$ should be random primes of about half the size of the modulus. Generally those primes are found by drawing a random value of about half the size and then find a prime near to that value, as the percentage of primes doesn't go down as fast as with the modulus size.

Now choosing a random that is about half the size of the modulus is best easily performed by simply setting the most significant bit of the prime to 1 (e.g. bit 2048 for a key size / modulus size, i.e. choosing a random between 2^2048 and 2^2049 exclusive) and randomizing the other bits, then choosing a range of integers starting from that value to test for primality (in the unlikely event that this fails restart). That way it is certain that the 4096th bit will be set, and there is still 4096 bits of randomness utilized.

However, as you can see, neither of these methods will ever generate an $n$ of zero, so the chance of that happening is also zero.

Maarten Bodewes
  • 92,551
  • 13
  • 161
  • 313