Fast constant-time gcd computation and modular inversion

Abstract

This paper introduces streamlined constant-time variants of Euclid's algorithm, both for polynomial inputs and for integer inputs. As concrete applications, this paper saves time in (1) modular inversion for Curve25519, which was previously believed to be handled much more efficiently by Fermat's method, and (2) key generation for the ntruhrss701 and sntrup4591761 lattice-based cryptosystems.