In the second paragraph of section 2.5 of the paper Remote Timing Attacks are Practical the authors write:
When $g$ is just below a multiple of $q$, then OpenSSL almost always uses fast Karatsuba multiplication. When $g$ is just over a multiple of $q$ then $g \bmod q$ is small and consequently most multiplications will be of integers with different lengths. Therefore, OpenSSL uses normal multiplication which is slower.
I am trying to understand exactly which multiplication the authors are writing about. Is there a reason why OpenSSL would not use Karatsuba in all cases?
If the integers are of different lengths, why not just pad the smaller one with zeros to get two numbers of the same length. Karatsuba should be able to work with numbers that start with 0. In fact, it might even be faster to calculate if half of a number is 0. If the claim is that Karatsuba is faster than the standard multiplication (therefore revealing some timing difference), then shouldn't padding with zeros be the simplest and best solution?
