Efficient random search for residue systems with small modular deviation

Establish that, for any RSA modulus N, any multiplication count m used in the controlled modular exponentiation, and any integer f ≥ 1, a randomized search over sets P of small primes can, in expected time O(2^f · poly(m · len N)), find a set P such that L = ∏_{p∈P} p satisfies L ≥ N^m and the modular deviation Δ_N(L) is less than 2^{-f}. This formalizes the efficiency of the proposed brute-force random search strategy for selecting residue systems used in truncated residue arithmetic, ensuring wraparound errors have negligible modular deviation relative to N.

Background

The paper replaces direct modular exponentiation with truncated residue arithmetic, summing contributions from residues modulo small primes and then reducing modulo N. To prevent error amplification when accumulating modulo a large composite L instead of modulo N, the author proposes choosing L = ∏_{p∈P} p so that L ≥ N^m and L mod N has negligible modular deviation, allowing truncated additions to approximate the most significant bits of the result.

Numerical evidence suggests that random sets of small primes produce L mod N values that are uniformly distributed, and that sampling O(2^f) such sets often finds an L with deviation below 2^{-f}. The author conjectures this behavior holds in general and codifies it as Assumption 1: that a suitable set P can be found with expected time O(2^f * poly(m * len N)). This assumption underpins the feasibility of the approximate residue arithmetic approach.