A Note on the Computation of the Modular Inverse for Cryptography

Abstract: In the literature, there are a number of cryptographic algorithms (RSA, ElGamal, NTRU, etc.) that require multiple computations of modular multiplicative inverses. In this paper, we describe the modulo operation and we recollect the main approaches to computing the modulus. Then, given positive integers a and n, we present the sequence (z_j)_{j≥0}, where z_j = z_{j−1} + aβ_j − n, a < n and GCD(a, n) = 1. Regarding the above sequence, we show that it is bounded and admits a simple explicit, periodic solution. The main result is that the inverse of a modulo n is given by a^{−1} = ⌊im⌋ + 1 with m = n/a. The computational cost of such an index i is O(a), which is less than the O(n ln n) of Euler's phi function. Furthermore, we suggest an algorithm for the computation of a^{−1} using plain multiplications instead of modular multiplications. The latter, still, has complexity O(a) versus complexity O(n) (naive algorithm) or complexity O(ln n) (extended Euclidean algorithm). Therefore, the above procedure is more convenient when a << n (e.g., a < ln n).


Introduction
The modulo operation returns the remainder of a division, after one number is divided by another number called "modulus". In other terms, given two positive numbers a and n, a mod n is the remainder of the Euclidean division of the dividend a by the divisor n.
A modular multiplicative inverse of an integer a is an integer x such that the product ax is congruent to 1 with respect to the modulus n; it is denoted a^{−1}. Congruence modulo n is an equivalence relation. The equivalence class of the integer a, denoted by a_n, is the set {. . . , a − 2n, a − n, a, a + n, a + 2n, . . .}. This set, consisting of all the integers congruent to a modulo n, is called the congruence class or residue class of the integer a modulo n.
If a has an inverse modulo n, then there are infinitely many solutions, all belonging to the same congruence class with respect to the said modulus. In addition, any integer that is congruent to a will have any element of x's congruence class as a modular multiplicative inverse. In other terms, denoting by ·_n the multiplication of equivalence classes modulo n, the modular multiplicative inverse of the congruence class a is the congruence class x such that a ·_n x = 1.
This multiplication is the analogue of the multiplicative inverse in the set of real numbers, where numbers are replaced by congruence classes. Therefore, a fundamental use of this operation is to solve (whenever possible) linear congruences of the form (1). The solution of Equation (1) has practical applications in the field of public-key cryptography and, in particular, in the Rivest-Shamir-Adleman (RSA) algorithm [1], where encryption and decryption are performed by using a pair of large prime numbers that are multiplicative inverses with respect to a selected modulus.
When invented, RSA was considered one of the most effective algorithms because no key exchange was needed in the encryption and decryption processes. In the RSA algorithm, the strength depends on the factorization problem, which is NP complete [2], and the key length was the only way to protect systems. However, RSA keys are broken from time to time as both software and computer speed improve. To counter that, developers have repeatedly increased the key length to maintain high security and privacy for the systems protected by RSA. Other countermeasures range from using multiple public and private keys [3], to the enhanced and secure RSA public key cryptosystem (ESRPKC) algorithm based on the Chinese remainder theorem [4], from the use of a pair of random numbers and their modular multiplicative inverse [5] to the Cuckoo Search Optimization (CSA) algorithm for securing data integrity in the cloud [6]. For a survey, see Mumtaz et al. [7].
As mentioned, cryptographic algorithms rely on multiple computations of modular multiplicative inverses. Examples are the RSA cryptographic algorithm [8,9], RSA with digital signature [10], the ElGamal cryptosystem [11], encryption and decryption schemes based on the extraction of square roots [12], the NTRU cryptosystem [13], the modular multiplicative inverse (MMI) for the cryptanalysis of public-key cryptographic protocols [14], etc. Recently, Boolean functions have gained attention because of some interesting properties from a cryptographic point of view such as "nonlinearity, propagation criterion, resiliency, and balance" [15]. However, following similar research on RSA cryptographic algorithms, we focused on the problem of encrypting/decoding information based on the use of vector-modular methods. For example, Yakymenko et al. [16] suggest a modular exponential to "replace the complex operation of modular multiplication with the addition operation, which increases the speed of the RSA cryptosystem". In our case, instead, we investigate the properties of the sequence (z_j)_{j≥0} of Definition 1, which we show to be useful for computing the modular inverse. In particular, we show that the above sequence is bounded and admits a simple explicit, periodic solution. Next, we show that the inverse of a modulo n is given by a^{−1} = ⌊im⌋ + 1 with m = n/a. The advantage is that the computational cost of such an index i is O(a) versus the O(n ln n) of Euler's phi function. Finally, we suggest an algorithm for calculating a^{−1} using plain multiplications instead of modular multiplications. The latter, again, has complexity O(a) versus the complexity O(ln n) of the extended Euclidean algorithm. Therefore, the above procedure is more convenient when a << n (e.g., a < ln n). These results are new in the literature.
This work is divided as follows: Section 2 describes the main approaches to the computation of modulus. Section 3 illustrates the sequence (z j ) j≥0 along with some of its properties. Section 4 presents the conclusions.

Main Approaches to the Computation of Modulus
In the following, we describe the most common methods to compute the inverse modulo n.

Naive Method (Recursive Multiplications)
This is the simplest way to compute the inverse of a positive integer a modulo n, with a < n and greatest common divisor GCD(a, n) = 1. We multiply a by all the elements of N*_n = {1, 2, ..., n − 1}; the first of them whose product with a equals 1 (modulo n) is the inverse of a. The complexity in this case is O(n).
Example 1. To find the inverse of a = 6 modulo n = 7, we multiply a by every element of N*_7 = {1, 2, ..., 6}, i.e., Therefore, a^{−1} = 6 modulo 7.

Euler's Phi Function
The following approach was introduced in modern terms by Gauss with reference to Euler (even though the method had been reported before [17]). Given a positive integer n, Euler's phi function Φ(n) (or Euler's totient function) counts the number of primes, up to n, which are relatively prime to n. It can be expressed as with the p_j's being the primes dividing n. Given a positive integer a, with a < n and GCD(a, n) = 1, one has a^{Φ(n)} ≡ 1 (mod n) due to the well-known Fermat's little theorem. The above relation provides an explicit formula for the inverse of a modulo n, that is However, the calculation of Φ(n) is equivalent to computing the prime factorization of n, hence the complexity of Formula (2) is O(n ln n). Thus, despite (2) giving a closed formula, it is less convenient than a recursive algorithm (like those of Sections 2.1 and 2.3).

Extended Euclidean Algorithm
One of the most ancient methods to compute the GCD of two integers a, b, with a > b, is the Euclidean algorithm. It is based on the following property: if both a and b divide the same integer c, then their difference a − b also divides c. The algorithm states that GCD(a, b) = b if the difference d = a − b is equal to b; otherwise, a, b are replaced by max{a − b, b} and min{a − b, b}, respectively, and the previous procedure is repeated by computing the new difference d. Table 1 describes the pseudocode of the algorithm.
An interesting extension of this method works with repeated divisions instead of repeated differences. By computing the following quotients q_i and remainders r_i, . . .
it is possible to say that GCD(a, b) is the last non-zero remainder r_i. The complexity of this method is O(ln n). The pseudocode of this procedure is reported in Table 2.
1. Initialize i = 0, a_i = a, b_i = b, and let q_i, r_i be the quotient and the remainder of a_i/b_i, respectively;
2. if r_0 = 0
3. let GCD(a, b) = b;
4. else
5. while r_i ≠ 0
6. set i = i + 1, a_i = b_{i−1}, b_i = r_{i−1}, and let q_i, r_i be the quotient and the remainder of a_i/b_i, respectively;
7. end
8. set GCD(a, b) = r_{i−1}.
end
The above method allows us to compute the inverse modulo n through the so-called Bézout's identity, which states that there exist two integers s, t such that s · a + t · b = GCD(a, b). The numbers s, t can be computed from the quotients q_i (i ≥ 0) by reversing the order of the equations in the Euclidean algorithm (with repeated divisions). Beginning with the last non-zero remainder r_i, we can write GCD(a, b) = r_i = r_{i−2} − q_i · r_{i−1}.
The quantities r_{i−1}, r_{i−2} may likewise be expressed in terms of their quotients and preceding remainders, i.e., Substituting these formulas into the first equation yields GCD(a, b) as a linear sum of r_{i−3}, r_{i−4}. The process of substituting remainders by formulas involving their predecessors can be continued until a and b are reached, as follows: . . .
After all the remainders r_i (i ≥ 0) have been replaced, the final equation expresses GCD(a, b) as the linear combination s · a + t · b.
In the special case that GCD(a, b) = 1, then t is the multiplicative inverse of b, modulo a, or, equivalently, s is the multiplicative inverse of a, modulo b.
The pseudocode of this method is shown in Table 3.
Table 3. Pseudocode of the inverse modulo n (through the extended Euclidean algorithm).
1. Compute q_j, r_j, −2 ≤ j ≤ i (where r_{−1} = a, r_{−2} = n and r_i = 1 is the last remainder) by the extended Euclidean algorithm (see Table 2) between a and n;
2. for j = i : −1 : −2
3. write r_j as a linear combination of r_{j−1} and r_{j−2};
4. end
5. set a^{−1} equal to the coefficient multiplying a in the final recursive relation.
By rewriting the next steps backward, we obtain where −29 ≡ 363 (mod 392). Hence, we can conclude that 27^{−1} ≡ 363 (mod 392).
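The division-based Euclidean algorithm of Table 2 and the back-substitution of Table 3, written as working code and checked on the worked case 27^{−1} ≡ 363 (mod 392); the naive method of Section 2.1 is included for comparison. This is an added example, not the paper's own code, and the function names are ours.

```python
def extended_gcd(a, b):
    """Return (g, s, t) with g = GCD(a, b) and s*a + t*b == g (Bezout's identity)."""
    # (r_prev, r_cur) holds (r_{j-2}, r_{j-1}); the s and t pairs carry the
    # Bezout coefficients along, so the backward pass of Table 3 is folded
    # into the forward division loop of Table 2.
    r_prev, r_cur = a, b
    s_prev, s_cur = 1, 0
    t_prev, t_cur = 0, 1
    while r_cur != 0:                       # Table 2, step 5: loop while the remainder is non-zero
        q = r_prev // r_cur                 # quotient q_j
        r_prev, r_cur = r_cur, r_prev - q * r_cur   # new remainder r_j
        s_prev, s_cur = s_cur, s_prev - q * s_cur
        t_prev, t_cur = t_cur, t_prev - q * t_cur
    return r_prev, s_prev, t_prev           # last non-zero remainder and its coefficients

def mod_inverse(a, n):
    """a^-1 modulo n reduced into [1, n-1]; raises when GCD(a, n) != 1."""
    g, s, _ = extended_gcd(a, n)
    if g != 1:
        raise ValueError(f"{a} has no inverse modulo {n}: GCD = {g}")
    return s % n                            # e.g. s = -29 -> 363 for a = 27, n = 392

def naive_inverse(a, n):
    """Section 2.1: try every x in {1, ..., n-1}; O(n) multiplications."""
    for x in range(1, n):
        if (a * x) % n == 1:
            return x
    return None                             # no inverse: GCD(a, n) != 1

if __name__ == "__main__":
    print(extended_gcd(27, 392))            # (1, -29, 2): 1 = -29*27 + 2*392
    print(mod_inverse(27, 392))             # 363, as in the worked example above
    print(naive_inverse(6, 7))              # 6, as in Example 1
```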

The Sequence z j : Definition and Properties
In this section, given two positive integers a and n, we define the sequence (z_j)_{j≥0}, where z_j = z_{j−1} + aβ_j − n, a < n and GCD(a, n) = 1. For this sequence, we illustrate some properties and results useful for the computation of the modular inverse.

Definitions and Main Results
Definition 1. Given two positive integers a, n with a < n and GCD(a, n) = 1, define the sequence (z_j)_{j≥0} as follows: starting from z_0 = 0, with M being the ceiling of m := n/a.
Observe that the β_j's represent the (ceiling) difference between n and z_j relative to a.
Next, the Proposition gives an explicit expression for the sequence (z j ) j≥0 .
Proposition 1. The explicit form of the sequence (z_j)_{j≥0} defined in (3) is given by
Proof. The proof is immediate; indeed, starting from definition (3), one has z_1 = aβ_1 − n, . . .
The following Proposition gives an explicit, and more convenient, expression for the sequence (β_j)_{j≥1}.
Proposition 2. Let (β_j)_{j≥1} be the sequence defined in (4). For any j ≥ 1, it holds that with m = n/a. Moreover,
∑_{h=1}^{j} β_h = ⌊jm⌋ + 1. (7)
Proof. First of all, observe that (6) implies that the partial sum is (7), since Formula (6) can be proved by induction on j. Indeed, if j = 2, by relation (3), one has Now, if (6) holds true up to the index (j − 1), then, by relations (5) and (7), it is easy to see that
Corollary 1. The sequence (z_j)_{j≥0} defined in (3) can be rewritten as
Proof. The assertion follows by combining relations (5) and (7).
Now, we are able to state the main results of this section.
Theorem 1. Consider two positive integers a, n with a < n and GCD(a, n) = 1. Let (z_j)_{j≥0} be the sequence defined in (3) and i ≥ 1 the index such that z_i = 1. Then, due to (8), the inverse of a modulo n is given by
a^{−1} = ⌊im⌋ + 1, (9)
with m = n/a.

Proof.
Since GCD(a, n) = 1, from Bézout's identity there exists an index i ≥ 1 such that z_i = 1. Indeed, without loss of generality, there exists a pair of positive integers g, i such that 1 = ga − in.
Fixing i, from the above equation we obtain where we denote by ϕ_j the fractional part of jm. In particular, the last equality of (10) holds true because both g and ⌊im⌋ are positive integers. Thus, as ϕ_i and 1/a belong to (0, 1), we can say that ϕ_i + 1/a must be equal to 1. Hence, more specifically, a(⌊im⌋ + 1) ≡ 1 (mod n), where the last equality comes from Proposition 2. Finally, notice that ⌊im⌋ + 1 < n (see Corollary 2), and this concludes the proof.

Properties of the Sequence z j
To better understand the nature of the sequence (z j ) j≥0 , we illustrate the following properties.
Proposition 3. The sequence (z_j)_{j≥1} defined in (3) is periodic with period equal to a.

Corollary 2.
Every term of the sequence (z_j)_{j≥0} defined in (3) is less than n. In particular, the modular inverse defined in (9) is also less than n.
Proof. By Proposition 3, it suffices to prove that z_j < n for any 0 ≤ j ≤ a. For this purpose, we distinguish the following three cases: (iii) The case j = a may be proved analogously to (ii). Finally, it is clear that the modular inverse defined in (9), i.e., ⌊im⌋ + 1, is less than n since i ≤ a − 1.
To see what was observed up to now, we shall consider a numerical example.
Example 4. Consider a = 131 modulo 621. Figure 1 shows the behavior of the sequence (z_j)_{j≥0}. In particular, the blue line denotes the series for 1 ≤ j ≤ 203, while the red ones represent the entire sequence between two consecutive unitary z_i's (circled in red), i.e., i = 27 and i = 158. As proved, the series (z_j)_{j≥1} is periodic with period equal to 131, and every value is less than 621.

Limitations and Future Challenges
A limitation of the proposed approach is that we have left the problem of determining the index i unsolved. In fact, by virtue of Theorem 1, we need to compute z_i = 1, that is, to solve
a(⌊im⌋ + 1) − in = 1. (12)
Observe that ⌊im⌋ = im − ϕ_i, where ϕ_i is defined by (11) and can be easily computed, as follows.

Proposition 4. Let i be the solution of Equation (12); then, one has
ϕ_i = 1 − 1/a. (13)
Proof. Substituting ⌊im⌋ = im − ϕ_i into Equation (12) and using am = n gives a(1 − ϕ_i) = 1, which implies Formula (13).

Example 5.
With reference to Example 4, we have m = 4.7405 and i = 27. By computing ϕ i directly from i, we obtain the value 0.9924, which coincides with that given by the a priori Formula (13).
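Definition 1, Theorem 1 and Proposition 4 worked through in integer arithmetic on the values of Examples 4 and 5 (a = 131, n = 621, i = 27). This is an added example, not the paper's own code; since Equation (4) is not reproduced above, it takes β_j as the least integer with z_{j−1} + aβ_j > n, the reading that reproduces the closed form of Corollary 1 (an assumption), and the function names are ours.

```python
from fractions import Fraction

def z_sequence(a, n, count):
    """Return [z_0, z_1, ..., z_count] with z_0 = 0 and z_j = z_{j-1} + a*beta_j - n."""
    if not (0 < a < n):
        raise ValueError("need 0 < a < n")
    z = [0]
    for _ in range(count):
        # beta_j: least integer with z_{j-1} + a*beta_j > n (our reading of
        # Definition 1).  It equals ceil((n - z_{j-1}) / a) except when that
        # quotient is an integer, which happens exactly when j is a multiple of a.
        beta = (n - z[-1]) // a + 1
        z.append(z[-1] + a * beta - n)
    return z

def closed_form_z(a, n, j):
    """Corollary 1: z_j = a*(floor(j*m) + 1) - j*n with m = n/a, in integers."""
    return a * ((j * n) // a + 1) - j * n

def inverse_via_sequence(a, n):
    """Theorem 1: locate the first i >= 1 with z_i = 1 and return (i, floor(i*m) + 1).

    At most a terms are scanned, because the sequence has period a
    (Proposition 3); if no term equals 1, GCD(a, n) != 1 and a has no inverse.
    """
    z = z_sequence(a, n, a)
    if 1 not in z[1:]:
        raise ValueError(f"GCD({a}, {n}) != 1: no z_i equals 1")
    i = z.index(1, 1)
    return i, (i * n) // a + 1              # floor(i*m) + 1 without floating point

def fractional_part_im(i, a, n):
    """phi_i = {i*m}, the fractional part of i*m, as an exact rational (Proposition 4)."""
    return Fraction(i * n % a, a)

if __name__ == "__main__":
    a, n = 131, 621                          # Example 4
    i, inv = inverse_via_sequence(a, n)
    print(i, inv, (a * inv) % n)             # 27 128 1
    z = z_sequence(a, n, 2 * a)
    print(z[1:a + 1] == z[a + 1:2 * a + 1], max(z) < n)   # True True (Prop. 3, Cor. 2)
    print(float(fractional_part_im(i, a, n)))            # 0.9923..., i.e. 1 - 1/a (Example 5)
```

The same scan applied to a = 27, n = 392 stops at i = 25 and returns 363, the value obtained above with the extended Euclidean algorithm.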
The knowledge of ϕ_i, jointly with the periodicity information given by Proposition 3, suggests solving problem (12) by the simple algorithm described in Table 4. Table 4. Pseudocode of a simple algorithm to solve (12).