Some Properties of the Computation of the Modular Inverse with Applications in Cryptography

Abstract

In the field of cryptography, many algorithms rely on the computation of modular multiplicative inverses to ensure the security of their systems. In this study, we build upon our previous research by introducing a novel sequence, ${\left(z_j\right)}_{j\ge 0}$, that can calculate the modular inverse of a given pair of integers $(a,n)$, i.e., $a^{-1};mod,n$. The computational complexity of this approach is $\mathcal{O}\left(a\right)$, which is more efficient than the traditional Euler’s phi function method, $\mathcal{O}(n,\ln ,n)$. Furthermore, we investigate the properties of the sequence ${\left(z_j\right)}_{j\ge 0}$ and demonstrate that all solutions of the problem belong to a specific set, $\mathcal{I}$, that only contains the minimum values of ${\left(z_j\right)}_{j\ge 0}$. This results in a reduction of the computational complexity of our method, especially when $a\sim n$ and it also opens new opportunities for discovering closed-form solutions for the modular inverse.

1. Introduction

The modulo operation is a mathematical function that calculates the remainder of the division between two numbers, the dividend and the modulus. It is expressed as $a\mathrm{mod}n$, where a and n are two positive numbers. This operation uses the Euclidean division method to find the remainder of dividing the dividend a by the divisor n.

The modular multiplicative inverse of an integer a is a number x such that $ax$ is congruent to 1 modulo n, or in mathematical terms, $ax\equiv 1\left(\mathrm{mod}n\right)$. This means that the product of a and x gives a result that is equivalent to 1 when taken modulo n.

Modulo n forms an equivalence relation. The set of all integers equivalent to a modulo n, denoted by ${\overline{a}}_n$, is the set $\{\dots ,a-2n,a-n,a,a+n,a+2n,\dots \}$. This set is known as the congruence class or residue class of the integer a modulo n.

If an integer a has a modular multiplicative inverse modulo n, there are an infinite number of solutions that are equivalent to a with respect to the modulus n. Additionally, for any integer that is congruent to a modulo n, any element from the congruence class of x can serve as a modular multiplicative inverse. This can be represented as the multiplication of congruence classes modulo n, denoted by the symbol ${·}_n$, where the modular multiplicative inverse of the congruence class $\overline{a}$ is the congruence class $\overline{x}$ such that $\overline{a}{·}_n\overline{x}=\overline{1}$.

The multiplication of congruence classes modulo n, represented by the symbol ${·}_n$, is analogous to the concept of a multiplicative inverse in the set of real numbers. However, in this case, the numbers are replaced by congruence classes. This operation is used to solve linear congruences, such as Equation (1), where the goal is to find a solution for x that satisfies the equation and is equivalent to b modulo n:

$$ax\equiv b\left(\mathrm{mod}n\right),.$$

(1)

In the field of public-key cryptography, solving Equation (1) is crucial in the RSA algorithm [1], which employs two large prime numbers that are modular multiplicative inverses with respect to a specific modulus to perform secure encryption and decryption operations. Many cryptographic algorithms, such as RSA, ElGamal, and NTRU, heavily rely on the use of modular multiplicative inverses in their calculations. Examples of this can be found in references such as Crandall [2], Rivest [3], Verkhovsky [4,5], ElGamal [6], Rabin [7], and Hoffstein [8]. Additionally, in recent times, Boolean functions have gained attention due to their useful properties in cryptography, specifically regarding “nonlinearity, propagation criterion, resiliency, and balance” [9].

In our previous study [10,11], we examined a particular sequence ${\left(z_j\right)}_{j\ge 0}$ and its ability to determine the modular inverse for a given pair of integers $(a,n)$, or $a^{-1};mod,n$. We found that the complexity of this search was $\mathcal{O}\left(a\right)$, which is less than the classic Euler’s phi function method at $\mathcal{O}(n,\ln ,n)$. Additionally, we delved deeper into the properties of this sequence and discovered that all possible solutions of the problem belong to a set called $\mathcal{I}$, which only contains the minima of ${\left(z_j\right)}_{j\ge 0}$. This realization reduces the complexity of the algorithm, particularly when $a\sim n$, and opens the possibility of finding a closed formula for the modular inverse.

In this paper, we present a particular sequence ${\left(z_j\right)}_{j\ge 0}$ able to determine the modular inverse for a given pair of integers $(a,n)$, i.e., $a^{-1}modn$. The complexity required for this search is $\mathcal{O}\left(a\right)$, which is less than $\mathcal{O}\left(n\ln n\right)$ of the classic Euler’s phi function method. Moreover, we investigate more properties of such a sequence ${\left(z_j\right)}_{j\ge 0}$, concluding that all the possible solutions of the problem belong to a proper set, named $\mathcal{I}$, which contains only the minima of ${\left(z_j\right)}_{j\ge 0}$. This result reduces the complexity of our algorithm, especially when $a\sim n$, and opens the way to the calculation of a possible closed formula for the modular inverse. Last but not least, we compare the complexity of our method with that of the post-quantum encryption (PQC) algorithm.

This research is structured as follows. Section 2 briefly reports the literature with a particular mention of post-quantum cryptography. In Section 3, the different methods for computing the modulus are discussed. Section 4 explores different expressions of ${\beta }_j$ that can help in comprehending the behavior of the sequence ${\left(z_j\right)}_{j\ge 0}$ and in identifying the optimal approach for determining the critical index i. Section 5 discusses the results with particular attention to the sequence ${\left(z_j\right)}_{j\ge 0}$ and its properties. It then provides a comparison between the complexity of our algorithm and that of the PQC method. Finally, Section 6 summarizes the research and hints at future developments.

2. Literature

When it was first introduced, RSA was considered to be a highly effective algorithm due to the lack of key exchange in the encryption and decryption process. However, the security of RSA relies heavily on the difficulty of factoring large numbers, a problem that is known to be NP-complete [12]. As technology progressed and computer speed increased, RSA keys began to be broken more frequently. To counteract this, developers have increased the length of the encryption key to ensure the continued security and privacy of systems protected by RSA. There have been other alternative solutions suggested to improve security in RSA cryptography. Some of these include the use of multiple public and private keys (Mezher et al. [13]), an enhanced version of RSA (ESRPKC) that incorporates the Chinese remainder theorem (Kumar et al. [14]), the use of random numbers and their modular multiplicative inverse (Islam et al. [15]), and an optimization algorithm (Cuckoo Search Optimization or CSA) to maintain data integrity in the cloud (Raja et al. [16]). A comprehensive overview of these methods can be found in the study by Mumtaz et al. [17]. In addition, the literature has proposed many solutions for specific needs such as lightweight algorithms suitable for use on resource-constrained nodes in sensitive applications (Bayat-Sarmadi et al. [18]).

Fault attacks are a type of attack on cryptographic algorithms that take advantage of malicious or unintentional errors introduced during their computation. The concept of Differential Cryptanalysis [19], combined with the pioneering work of Boneh, DeMillo, and Lipton [20,21], has given rise to the field of Differential Fault Attacks (DFA). DFA has revealed that many ciphers can be compromised if the errors can be manipulated in a specific manner. The DFA attack has shown that several ciphers can be compromised if the faults can be suitably controlled, and it is not limited to old ciphers but can be a powerful attack vector even for modern ciphers such as the Advanced Encryption Standard (AES). For a review, see Ali et al. [22]. Finally, on fault-detection methods capable of detecting random faults in the cipher implementation and, at the same time, against intelligent fault attacks, see Dofe et al. [23].

With the advent of post-quantum cryptography, post-quantum cryptography (PQC) will replace ECC/RSA so that every security application from smartphones to blockchains will be affected. However, there are still some issues to solve. For example, the SIKE protocol is a post-quantum candidate for cryptography that is considered to be the best alternative to curve-based cryptography. Nevertheless, its long latency is a drawback, since the serial large-degree isogeny computation, which is dominated by modular multiplications, can make it less competitive compared to other popular post-quantum candidates. A possible solution has been recently suggested by Tian et al. [24] who described an optimized SIKE algorithm, with a focus on achieving high speed and low latency. Furthermore, the rise of quantum computing has driven researchers to develop new security systems that can withstand future attacks. These post-quantum cryptographic approaches include hash-based, code-based, lattice-based, multivariate-quadratic-equations, and secret-key cryptography. They are all potential candidates because they are thought to be resistant to both classical and quantum computers, and applying Shor’s algorithm [25], the quantum-computer discrete-logarithm algorithm that can break classical schemes, is believed to be infeasible. Mozaffari-Kermani [26] proposed a method for constructing reliable and error-detection hash trees for stateless hash-based signatures. Such signatures are considered one of the leading post-quantum cryptographic schemes, as they offer security proofs that are based on plausible properties of the underlying hash function.

CRYSTALS-Kyber is a significant public-key encryption and key encapsulation mechanism, as it has been chosen by NIST for standardization and recommended for national security systems by the NSA. Therefore its implementations need to be evaluated for their resistance to side-channel attacks. Dubrova et al. [27] introduced a neural network recursive learning for training to attack $\omega$-order masked implementations of CRYSTALS-Kyber in ARM Cortex-M4 CPU for message recovery. Last but not least, CRYSTALS-Dilithium has been selected by NIST as the new primary standard for quantum-safe digital signatures, and it has a constant-time implementation with consideration for side-channel resilience. For a profiling side-channel attack on the signature scheme CRYSTALS-Dilithium see Berzati et al. [28].

3. Preliminary Results

As is well known, there exists a unique (closed) formula in the literature for the computation of the modular inverse, which is related to Euler’s phi function

$$\mathsf{\Phi }\left(n\right)=n\prod _{p_j|n}\left(1-\frac{1}{p_j}\right),$$

i.e.,

$$a^{-1}=a^{\mathsf{\Phi }\left(n\right)-1}.$$

(2)

Equation (2) derives directly from Fermat’s little theorem, and its computation has complexity $\mathcal{O}\left(n\ln n\right)$. This is because Euler’s phi function is related to the prime factorization with complexity $\mathcal{O}\left(n\ln n\right)$. For a further comparison with other classic methods (and their complexities) about the modular inverse see ([10], Section 2) and

Table 1. Complexity comparison between the naive method (i.e., recursive multiplications), Euler’s phi function, extended Euclidean algorithm, and the suggested approach described by the pseudocode Algorithm 1.

Method	Naive	Euler’s phi Func.	Ext. Euclidean Algo.	Sugg. Algo.
Complexity	$\mathcal{O}\left(n\right)$	$\mathcal{O}\left(n\ln n\right)$	$\mathcal{O}\left(\ln n\right)$	$\mathcal{O}\left(a\right)$

.

Algorithm1. Pseudocode of the algorithm for solving (10).

1. Initialize $j=0$, $z_0=0$;

2. while $z_j\ne 1$

3. set $z_j=a\left(jm-\frac{a-1}{a}+1\right)-jn$ and $j=j+1$;

4. end

5. set $i=j-1$ and $a^{-1}=a\left(im-\frac{a-1}{a}+1\right)$.

We will begin by reviewing the important findings from a previous study by Bufalo et al. [10,11], as well as other relevant information that will be useful for our analysis. For the sake of notation, given $x\in \mathbb{Q}$, we denote by $\lfloor x\rfloor$ the floor integer part of x, and by $\left\{x\right\}$ the fractional one, i.e., $\left\{x\right\}=x-\lfloor x\rfloor$. We will also be using a sequence called ${\left(z_j\right)}_{j\ge 0}$ in our calculations for finding the modular inverse.

Definition 1.

Let $a,n$ be two integers with $0<a<n$ and $\mathit{GCD}(a,n)=1$. Define the sequence ${\left(z_j\right)}_{j\ge 0}$ recursively by the equation

$$\left\{\begin{array}{c}{z}_j=z_{j-1}+a{\beta }_j-n(j\ge 1),\hfill \\ z_0=0\hfill \end{array}\right.$$

(3)

with

$$\left\{\begin{array}{c}{\beta }_1=M\hfill \\ {\beta }_j=⌊\frac{n-z_{j-1}}{a}⌋+1j\ge 2,\hfill \end{array}\right.$$

(4)

where M is the ceiling part of $m:=n/a$.

The explicit representation of ${\left(z_j\right)}_{j\ge 0}$ can be found in the next proposition.

Proposition 1.

The solution of the difference Equation (3) is given by

$$z_j=a\sum _{h=1}^j{\beta }_h-jn.$$

(5)

Proof. 

For the proof, see ([10], Proposition 1).   □

Special care is deserved to the meaning and the mathematical form assumed by ${\beta }_j$’s, which allow giving other equivalent expressions of ${\left(z_j\right)}_{j\ge 0}$.

Proposition 2.

The sequence ${\left({\beta }_j\right)}_{j\ge 1}$ introduced in (4) may be written as

$${\beta }_j=\lfloor jm\rfloor -\lfloor (j-1)m\rfloor .$$

(6)

As a consequence, for any $j\ge 1$, we obtain

(i) 

$$\sum _{h=1}^j{\beta }_h=\lfloor jm\rfloor +1;$$

(7)

(ii) 

$$z_j=a\left(\lfloor jm\rfloor +1\right)-jn.$$

(8)

Proof. 

For the proof, see ([10], Proposition 2 and Corollary 1).    □

The above results imply the next fundamental theorem.

Theorem 1.

Let $a,n$ be two integers with $0<a<n$ and $\mathit{GCD}(a,n)=1$. If ${\left(z_j\right)}_{j\ge 0}$ is the sequence of Equation (3), define the "critical" index $i\ge 1$ such that $z_i=1$. Then the inverse of a modulo n is given by

$$a^{-1}=\lfloor im\rfloor +1.$$

(9)

Proof. 

See ([10], Theorem 1).    □

To illustrate the significance of Theorem 1, we will mention a related result.

Proposition 3.

The sequence ${\left(z_j\right)}_{j\ge 1}$ is periodic of period a.

Proof. 

See ([10], Proposition 3).    □

It is immediately clear that the unique limitation of Theorem 1 is the determination of such critical index i, which can be found by solving the following equation

$$a\left(\lfloor im\rfloor +1\right)-in=1.$$

(10)

Although Equation (10) is nonlinear, one observes that $\lfloor im\rfloor =im-\left\{im\right\}$, where $\left\{im\right\}=\frac{a-1}{a}$ (see [10], Proposition 4). The knowledge of $\left\{im\right\}$ jointly with the periodicity information provided by Proposition 3 suggests solving the modular problem (10) by the code detailed in Algorithm 1.

Observe that the complexity of the above algorithm is $\mathcal{O}\left(a\right)$. Hence, this procedure is more convenient when $a<<n$ (e.g., $a<\ln n$). Notice that, even in the worst case $a\sim n$ (i.e., complexity $\mathcal{O}\left(n\right)$), the algorithm of Table 1 and the resolving formula (9) is still better compared to the Euler’s phi formula (2), which has complexity $\mathcal{O}\left(n\ln n\right)$. Additionally, Section 5 delves further into the advantages of the algorithm when $a\sim n$.

At this point, we present some new properties of ${\left(z_j\right)}_{j\ge 0}$ which will be helpful in the next sections. In particular, we denote be $\mathcal{A}$ the set $[0,a]\cap \mathbb{N}$.

Proposition 4.

Let ${\left(z_j\right)}_{j\ge 0}$ be the sequence defined in Equation (3), then

(i) 

for any $j\in \mathcal{A}$, it holds $z_j\in [0,n]\cap \mathbb{N}$.

(ii) 

for any two different integers $j_1,j_2$ in $\mathcal{A}$, one has

$$z_{j_1}\ne z_{j_2}.$$

Proof. 

First of all, observe that Equation (8) may be rewritten as

$$z_j=a(1-\left\{jm\right\}).$$

(11)

(i)

By Definition 1 it is clear that ${\left(z_j\right)}_{j\ge 0}\in \mathbb{N}$ and its (absolute) minimum is given by 0. Moreover, Equation (11) implies that ${\left(z_j\right)}_{j\ge 0}$ is positive since $(1-\{jm\left\}\right)>0$.

(ii)

Without loss of generality, set $j_2=j_1+k$ ($k<a$). Observe that $z_{j_1}=z_{j_2}$ if and only if $\left\{j_{1}m\right\}=\left\{j_{2}m\right\}$, which is equivalent to say that $j_{2}m=j_{1}m+1$ (if $j_1<j_2$), or, equivalently $(j_2-j_1)n=a$, and this is true only if $(j_2-j_1)=\frac{1}{m}\in \mathbb{Q}$, which is absurd.

   □

4. New Results about ${\mathit{\beta }}_{\mathit{j}}$

In this section, we will study various equivalent formulations of ${\beta }_j$ to gain insight into the properties of the sequence ${\left(z_j\right)}_{j\ge 0}$ and to determine the best way to calculate the critical index i.

Proposition 5.

The coefficient ${\beta }_2$ defined in Equation (4) is given by

$${\beta }_2=\left\{\begin{array}{cc}M-1\hfill & \mathit{if}\left\{m\right\}<0.5\hfill \\ M\hfill & \mathit{if}\left\{m\right\}>0.5.\hfill \end{array}\right.$$

(12)

Proof. 

It is clear that

$$2\left\{m\right\}\left\{\begin{array}{cc}<1\hfill & \mathit{if}\left\{m\right\}<0.5\hfill \\ >1\hfill & \mathit{if}\left\{m\right\}>0.5;\hfill \end{array}\right.$$

so, one has

$$\lfloor 2m\rfloor =2\lfloor m\rfloor +\lfloor 2\left\{m\right\}\rfloor =\left\{\begin{array}{cc}2\lfloor m\rfloor \hfill & \mathit{if}\left\{m\right\}<0.5\hfill \\ 2\lfloor m\rfloor +1\hfill & \mathit{if}\left\{m\right\}>0.5,\hfill \end{array}\right.$$

which gives the assertion, being $M=\lfloor m\rfloor +1$.    □

Now, let us introduce the new quantity ${\left({\mathcal{M}}_j\right)}_{j\ge 1}$, as follows.

Definition 2.

Let $a,n$ be two positive integers $a,n$. For any $j\in N^{*}$ define

$${\mathcal{D}}_{j,k}:=\{\alpha \in {\mathbb{N}}^{*}\left|q\right|(jn-k),k\in {\mathbb{N}}^{*}\},$$

and

$${\mathcal{M}}_j:=\sum _{k=1}^{n-1}{\mathbb{1}}_{{\mathcal{D}}_{j,k}}\left(a\right)$$

(13)

which denotes the amount of multipliers of a in $\left[\right(j-1)n+1,jn]$.

Lemma 1.

Given two positive integers $p,q$, it holds

$$⌊\frac{p}{q}⌋-⌊\frac{p-1}{q}⌋=\left\{\begin{array}{cc}1\hfill & \mathit{if}q|p\hfill \\ 0\hfill & \mathit{otherwise}.\hfill \end{array}\right.$$

Proposition 6.

For any $j\in {\mathbb{N}}^{*}$, $j\ge 2$, the coefficients ${\beta }_j$ defined in Equation (4), may be rewritten as

$${\beta }_j={\mathcal{M}}_j,$$

where ${\mathcal{M}}_j$ is defined by Equation (13).

Proof. 

By virtue of Proposition 2, we have

$${\beta }_j=\lfloor jm\rfloor -\lfloor (j-1)m\rfloor (j\ge 2).$$

In particular, it is easy to see that

$$\lfloor jm\rfloor -\lfloor (j-1)m\rfloor =\sum _{k=0}^{n-1}⌊\frac{jn-k}{a}⌋-⌊\frac{jn-k-1}{a}⌋$$

where

$$⌊\frac{jn-k}{a}⌋-⌊\frac{jn-k-1}{a}⌋=\left\{\begin{array}{cc}1\hfill & \mathit{if}a\left|\right(jn-k)\hfill \\ 0\hfill & \mathit{otherwise},\hfill \end{array}\right.$$

due to Lemma 1, for any k. Therefore, with refer to Definition 2, we may write

$$\lfloor jm\rfloor -\lfloor (j-1)m\rfloor =\sum _{k=1}^{n-1}{𝟙}_{{\mathcal{D}}_{j,k}}\left(a\right),$$

that is ${\beta }_j={\mathcal{M}}_j$.    □

Proposition 7.

Consider two positive integers $a,n$, with $GCD(a,n)=1$ and let $m=n/a$. Fixed $j\in [2,a]\cap \mathbb{N}$, let ${\mathcal{M}}_j$ be the quantity defined by Definition 2.

(i) 

If $\left\{m\right\}<0.5$ and $\frac{h}{\left\{m\right\}}\ne a$ $(h\in {\mathbb{N}}^{*})$, then

$${\mathcal{M}}_j=\left\{\begin{array}{cc}\lfloor m\rfloor \hfill & \mathit{if}j\in \left(⌊\frac{h-1}{\left\{m\right\}}⌋+1,⌊\frac{h}{\left\{m\right\}}⌋+1\right)\cap \mathbb{N}\hfill \\ \lfloor m\rfloor +1\hfill & \mathit{if}j=⌊\frac{h}{\left\{m\right\}}⌋+1\hfill \end{array}\right.(h\in {\mathbb{N}}^{*}).$$

(14)

In particular, if there exists $\overline{h}\in {\mathbb{N}}^{*}$ such that $\frac{\overline{h}}{\left\{m\right\}}=a$, then

$${\mathcal{M}}_j=\left\{\begin{array}{cc}\lfloor m\rfloor \hfill & \mathit{if}j\in \left(⌊\frac{\overline{h}-1}{\left\{m\right\}}⌋+1,a\right)\cap \mathbb{N}\hfill \\ \lfloor m\rfloor +1\hfill & \mathit{if}j=a.\hfill \end{array}\right.$$

(ii) 

If $\left\{m\right\}>0.5$ and $\frac{h}{1-\left\{m\right\}}\ne a$ $(h\in {\mathbb{N}}^{*})$, then

$${\mathcal{M}}_j=\left\{\begin{array}{cc}\lfloor m\rfloor +1\hfill & \mathit{if}j\in \left(⌊\frac{h-1}{1-\left\{m\right\}}⌋+1,⌊\frac{h}{1-\left\{m\right\}}⌋+1\right)\cap \mathbb{N}\hfill \\ \lfloor m\rfloor \hfill & \mathit{if}j=⌊\frac{h}{1-\left\{m\right\}}⌋+1\hfill \end{array}\right.(h\in {\mathbb{N}}^{*}).$$

(15)

In particular, if there exists $\overline{h}\in {\mathbb{N}}^{*}$ such that $\frac{\overline{h}}{1-\left\{m\right\}}=a$, then

$${\mathcal{M}}_j=\left\{\begin{array}{cc}\lfloor m\rfloor +1\hfill & \mathit{if}j\in \left(⌊\frac{\overline{h}-1}{1-\left\{m\right\}}⌋+1,a\right)\cap \mathbb{N}\hfill \\ \lfloor m\rfloor \hfill & \mathit{if}j=a.\hfill \end{array}\right.$$

Proof. 

It is clear that ${\mathcal{M}}_j\in \{\lfloor m\rfloor ,\lfloor m\rfloor +1\}$, for any $j\in {\mathbb{N}}^{*}$. We prove Formulas (14) and (15) by induction on h.

(i)

If $\left\{m\right\}<0.5$, Propositions 5 and 6 yield that ${\mathcal{M}}_2=\lfloor m\rfloor$. Let us compute the smallest integer j $(j>2)$ such that ${\mathcal{M}}_j=\lfloor m\rfloor +1$. This is equivalent to solving the following equation:

$$\lfloor jm\rfloor =j\lfloor m\rfloor +1,$$

(16)

which may be rewritten as

$$\lfloor j\left\{m\right\}\rfloor =1,$$

being $\lfloor jm\rfloor =j\lfloor m\rfloor +\lfloor j\left\{m\right\}\rfloor$. The latter equation holds if

$$1\le j\left\{m\right\}<2,$$

therefore, the smallest integer j solving Equation (16) is given by $⌊\frac{1}{\left\{m\right\}}⌋+1$. This prove Formula (14) for $h=1$.

Now, assume that Formula (14) holds for $h-1$. Since ${\mathcal{M}}_{⌊\frac{h-1}{\left\{m\right\}}⌋+2}=\lfloor m\rfloor$, we want to compute the smallest integer j $\left(j>⌊\frac{h-1}{\left\{m\right\}}⌋\right)$ such that ${\mathcal{M}}_j=\lfloor m\rfloor +1$, that is equivalent to solve   

$$\lfloor jm\rfloor =j\lfloor m\rfloor +h,$$

(17)

or, equivalently,

$$\lfloor j\left\{m\right\}\rfloor =h.$$

Hence, the smallest integer j solving Equation (17) is given by $⌊\frac{h}{\left\{m\right\}}⌋+1$.

In particular, if there exists $\overline{h}\in {\mathbb{N}}^{*}$ such that $\frac{\overline{h}}{\left\{m\right\}}=a$, then the smallest integer j $\left(j>⌊\frac{\overline{h}-1}{\left\{m\right\}}⌋\right)$ solving

$$\lfloor j\left\{m\right\}\rfloor =\overline{h},$$

or, equivalently,

$$\overline{h}\le j\left\{m\right\}<\overline{h}+1,$$

is given by a (being $\overline{h}/\left\{m\right\}\in {\mathbb{N}}^{*}$).

(ii)

The assertion comes arguing similarly to the case ($i$). More specifically, here, Equation (17) is replaced by

$$\lfloor jm\rfloor =j\lfloor m+1\rfloor -h,$$

(18)

which is equivalent to

$$\lfloor j(1-\{m\left\}\right)\rfloor =h,$$

and the smallest integer j solving Equation (18) is given by $⌊\frac{h}{1-\left\{m\right\}}⌋+1$.

   □

5. Empirical Findings and Discussion

Fixed $h\in \mathcal{A}$, an interesting development inspired by Proposition 7 concerns the rule of the indices $⌊\frac{h}{\left\{m\right\}}⌋$ when $\left\{m\right\}<0.5$, or $⌊\frac{h}{1-\left\{m\right\}}⌋$ when $\left\{m\right\}>0.5$. In particular, as highlighted from Theorem 2, one has that

•

The sequence ${\left(z_j\right)}_{j\ge 0}$ admits local minimum at $⌊\frac{h}{\left\{m\right\}}⌋$ if $\left\{m\right\}<0.5$, or $⌊\frac{h}{1-\left\{m\right\}}⌋$ if $\left\{m\right\}>0.5$.

•

The critical index i coincides with one of such indices.

This result is confirmed by computational experiments, as one can see from Figure 1. For a better understanding of the figure, as explained in ([10], Example 4), the blue line represents the series $z_j$ for $a=91,n=131$, starting from $j=1$ and with a fixed (large) integer $j=200$. The red line represents the periodic part of $z_j$, which arises from the critical index $i=25$ and $(i+a)=116$ (highlighted by the red circles). In this example, $m=0.4396<0.5$, so all the minima are of type $⌊\frac{h}{m}⌋$, which are 2, 4, 6, 9, 11, 13, 15, 18, 20, 22, 25, and obviously, 25 is one of them. We will refer to the previous set as $\mathcal{I}$. It is worth noting that the 11th index of $\mathcal{I}$ corresponds to the critical index $i=25$, such that $z_{25}=1$. Figure 2 shows the set $\mathcal{I}$ for $h\le 30$.

Theorem 2.

The critical index i belongs to the set

$$\mathcal{I}=\left\{\begin{array}{cc}\{⌊\frac{h}{\left\{m\right\}}⌋\left|h\in \mathcal{A}\right\}\hfill & \mathit{if}\left\{m\right\}<0.5,\hfill \\ \{⌊\frac{h}{1-\left\{m\right\}}⌋\left|h\in \mathcal{A}\right\}\hfill & \mathit{if}\left\{m\right\}>0.5,\hfill \end{array}\right.$$

(19)

Proof. 

It is clear that the critical index i has to be a local minimum of the sequence ${\left(z_j\right)}_{j\ge 0}$ that assumes only integer values and has 0 as an absolute minimum (see Proposition 4). Hence, it remains to prove that $\mathcal{I}$ is the set of the local minimum of ${\left(z_j\right)}_{j\ge 0}$. Let us consider just the case $\left\{m\right\}<0.5$ for simplicity (the other one is analogous). It is easy to see, from Proposition 7, that

$$z_{⌊\frac{h}{\left\{m\right\}}⌋+1}-z_{⌊\frac{h}{\left\{m\right\}}⌋}=a{\beta }_{⌊\frac{h}{\left\{m\right\}}⌋+1}-n=a(\lfloor m\rfloor +1)-n>0,$$

and

$$z_{⌊\frac{h}{\left\{m\right\}}⌋}-z_{⌊\frac{h}{\left\{m\right\}}⌋-1}=a{\beta }_{⌊\frac{h}{\left\{m\right\}}⌋}-n=a\left(\lfloor m\rfloor \right)-n<0,$$

for any $h\in \mathcal{A}$, and this concludes the proof.    □

In light of the above results, Algorithm 2 can be rewritten as follows.

Algorithm2. Pseudocode of the optimized algorithm solving (10).

1. Initialize $h,j=0$; $z_0=0$; $m=n/a$;

2. while $z_j\ne 1$

3. if $\left\{m\right\}<0.5$

4. set $j=⌊\frac{h}{\left\{m\right\}}⌋$;

5. else

6. set $j=⌊\frac{h}{1-\left\{m\right\}}⌋$;

7. end

8. set $z_j=a\left(jm-\frac{a-1}{a}+1\right)-jn$ and $h=h+1$;

9. end

10. set $i=j-1$ and $a^{-1}=a\left(im-\frac{a-1}{a}+1\right)$.

Moreover, what is observed from an empirical point of view is that:

•

The sequences of the minimum of ${\left(z_j\right)}_{j\ge 0}$ oscillates till $j=i$ (see Figure 2);

•

The relative minimum defined in (19) belongs to the bundle of parallel straight lines (see Figure 3)

$$\mathcal{F}=\{y=\frac{z_{⌊\frac{h+1}{\left\{m\right\}}⌋}-z_{⌊\frac{h}{\left\{m\right\}}⌋}}{⌊\frac{h+1}{\left\{m\right\}}⌋-⌊\frac{h}{\left\{m\right\}}⌋}x+⌊\frac{h}{\left\{m\right\}}⌋+k\left|k\in [0,n]\cap \mathbb{N}\right\}(h\in \mathcal{A})$$

In particular, each line contains $⌊\frac{1}{\frac{1}{\left\{m\right\}}-⌊\frac{1}{\left\{m\right\}}⌋}⌋$ or $⌊\frac{1}{\frac{1}{\left\{m\right\}}-⌊\frac{1}{\left\{m\right\}}⌋}⌋+1$ minima.

Remark 1.

We end with a note about the complexity of our algorithm. In the spirit of Theorem 2, if we restrict the searching of the critical index i to the set $\mathcal{I}$, also the complexity of the algorithm is reduced by a factor $⌊\frac{1}{\left\{m\right\}}⌋$, i.e., from $\mathcal{O}\left(a\right)$ to $\mathcal{O}\left(⌊\frac{a}{⌊\frac{1}{\left\{m\right\}}⌋}⌋\right)$. As explained in Section 3, the complexity $\mathcal{O}\left(a\right)$ is very good with respect to the literature, especially when $a<<n$. However, even when $a\sim n$, the complexity $\mathcal{O}\left(⌊\frac{a}{⌊\frac{1}{\left\{m\right\}}⌋}⌋\right)$ sounds well. Indeed, in the extreme case $a=n-1$, one has $m=1+\frac{1}{n}$ and $⌊\frac{⌊\frac{1}{\left\{m\right\}}⌋}{a}⌋$ approaches to 1 for large n. In other words, when a tends to n, one has that the complexity reduction tends to 100%, so that the resulting complexity is a constant, i.e., $\mathcal{O}\left(1\right)$.

In the non-trivial case where $a=n-2$, a complexity reduction of approximately 50% is observed. For example, if $a=327$ and $n=329$, then $⌊\frac{1}{\left\{m\right\}}⌋=163$ and $\frac{163}{127}=0.4985$. In particular, in such case, the critical index i is just $⌊\frac{1}{\left\{m\right\}}⌋$.

Therefore, we can conclude that our algorithm runs very well when $a<<n$ or $a\sim n$, while the worst case is the middle one, i.e., $a\sim \frac{n}{2}$.

Post-Quantum Cryptography (PQC)

As is well known, the National Institute of Standards and Technology (NIST) has launched a program and competition to standardize one or more post-quantum cryptography (PQC) algorithms to fight against quantum attacks. In recent work, Huang [29] has conducted an early mathematical analysis of lattice-based and polynomial-based PQC. Such analysis can help businesses and organizations leverage NIST-selected PQC algorithms to safeguard their digital services from quantum attacks. In particular, the brute force failure probability for polynomial or multivariate PQC is calculated using Yitang Zhang’s Landau-Siegel zero bound according to [30].

In Figure 4 we compare the complexity of our optimized algorithm (see Algorithm 2) with those of coming from the post-quantum cryptography (PQC) architecture which was estimated by Huang [29] in Matlab. More specifically, Figure 4 represents the logarithm of complexity needed to encrypt/decrypt a message with a public/private key (modulus n). As shown, our proposed algorithm, in the best case, is better than the PCQ up to $n=3000$.

6. Conclusions

This research builds upon previous work [10,11] where we introduced the concept of the modulo operation and discussed the standard methods for determining the inverse modulo n.

In the above-mentioned research, we determined that to find a closed-form solution for the equation in Equation (10), it was necessary to study the properties of the sequence ${\left(z_j\right)}_{j\ge 0}$. In this article, we expand on our previous aforementioned research by introducing a new sequence, ${\left(z_j\right)}_{j\ge 0}$, which can efficiently calculate the modular inverse of a given pair of integers $(a,n)$, i.e., $a^{-1}\mathrm{mod}n$, particularly in the non-trivial case $a=n-2$. This new method has a computational complexity of $\mathcal{O}\left(a\right)$, which is more efficient than the traditional Euler’s phi function method, which has a computational complexity of $\mathcal{O}\left(n\ln n\right)$. Additionally, we examine the properties of the sequence $\left(z_j\right)j\ge 0$ and demonstrate that all solutions to the problem belong to a specific set, $\mathcal{I}$, that only contains the minimum values of ${\left(z_j\right)}_{j\ge 0}$. This leads to a reduction in the computational complexity of our method, especially when $a\sim n$, and also opens up new possibilities for finding closed-form solutions for the modular inverse.

Future studies will focus on the characteristics of the minimum sequences to understand the emergence of the critical index i, and to find a closed formula for the modular inverse.