JP2558687B2 - Modular multiplication - Google Patents

Description

BACKGROUND OF THE INVENTION 1. Field of the Invention The present invention relates to a modular multiplication apparatus that executes modular multiplication used in cryptographic theory and code theory calculations.

2. Description of the Related Art A residue system operation is often used in operations in cryptography and code theory. For example, in RSA cryptography known as public key cryptography, a modular exponentiation operation is used, and the modular exponentiation operation is basically modular multiplication. Here, the modular multiplication is performed by using three positive integers a, b and n having a large word length.
Is obtained by dividing the product a · b by an integer n.

The conventional modular multiplication algorithm and modular multiplication device are
For example, G. Orton, LE Pippard, SE Tavaras, Afast Ancyclonas RSA encryption
Chip (G.Orton, LEPeppard and SETavares, “A Fa
st Asynchronous RSA Encription Chip), IEE Custom Integrated Circuit Conference, Rochester, NY (, IEEE Custom Integrated
Circuits Conference, Rochester, NY) MAY12-15, 1986
Is shown in.

Now, let the integers a, b, and n be positive integers represented by 512 bits respectively, and the integer n is normalized to 2 ⁵¹¹ ≤ n ≤ 2 ⁵¹² (1), and the integer a is preliminarily 0 <a <n ( 2). The remainder obtained by dividing the integer a by the integer n is represented by "a mod n". The integer b is
When written in k-bit binary number (K = 512). In this specification, "digit" is 2
It means the digit of a decimal number.

The first conventional modular multiplication device will be described below with reference to the drawings. FIG. 3 is a block diagram showing the first conventional modular multiplication device. In FIG. 3, 1 is the multiplicand a
Alternatively, a 512-bit register for storing the intermediate result of the operation, 2 is a left shifter for shifting the contents of register 1 to the left by 1 bit, 3 is a 512-bit register for storing an integer n that is a modulus, and 4 is an integer 2n. 513-bit register, 5
Is the integer n which is the content of the register 3 from the output of the left shifter 2.
A subtractor for subtracting 6 from the output of the subtractor 5 based on whether the output of the subtractor 5 is positive or negative, and selects the output of the subtractor 5;
If negative, a multiplexer that selects the output of the left shifter 2 and outputs it to the register 1, 7 is a subtractor that subtracts the integer 2n that is the contents of the register 4 from the output of the left shifter 2, and 8 is the multiplicand a or the subtractor 7 Is a 514-bit register that stores the output of the register, 9 is a 513-bit accumulation register, and 10 is based on whether the value of the accumulation register 9 is positive or negative. In this case, a multiplexer that selects and outputs the output of register 1, 11 is a right 1-bit shift register that stores a multiplier b, and 12 is an accumulation register 9
When the LSB of the shift register 11 is 1, the output of the multiplexer 10 is added, or when the value of the accumulation register 9 at the end of a predetermined calculation is negative, the value n of the register 3 is added to accumulate. It is an adder / subtractor that outputs to the arithmetic register 9.

Hereinafter, the value stored in the register 1 will be represented by Pa, the value stored in the register 8 will be represented by Na, and the value stored in the accumulation register 9 will be represented by s.

The algorithm of the first conventional example is first described in the C language style as follows.

Pa = Na = a; s = 0; for (i = 0; i <512; i ++) {if (s> = 0) s = s + b _i * Na; else s = s + b _i * Pa; N _a = 2P _a −2n; if (2Pa> = n) Pa = 2Pa−n; else Pa = 2Pa;} while (s <0) s = s + n; In the conventional remainder multiplication device configured as described above and executing the above algorithm. The operation will be described below.

(I) First, the multiplicand a is stored in the registers 1 and 8, the multiplier b is stored in the shift register 11, the modulo integer n is stored in the register 3, and the integer 2n is stored in the register 4. Also, the accumulation register 9 is reset to 0. here,
Pa = a, Na = a, s = 0.

(Ii) In the left shifter 2, set the content Pa of register 1 to 1
Shift left a bit to get 2Pa (2 immediately after (i)
a). The subtracter 5 subtracts the value n of the register 3 from the output 2Pa of the left shifter 2. The multiplexer 6 is the subtractor 5
When the output "2Pa-n" is positive or 0, the output "2Pa-n" of the subtractor 5 is selected, and when it is negative, the output 2Pa of the left shifter 2 is selected and output to the register 1. From the conditions of the expressions (1) and (2), the above processing is Pa = 2Pa mod n (3) 0 ≦ Pa <n (4). Note that mod n in the equation (3) means that the equation is calculated on the remainder field of n. The same expression will be used thereafter.

(Iii) At the same time as (ii), in the subtractor 7, the output 2Pa of the left shifter 2 (2a immediately after (i)) to the register 4
2n is subtracted and the output "2Pa-2n" is output to the register 8. The above processing is applied with Na = 2Pa-2n (5). Since 0 <2a <2n (6) 0 ≦ 2Pa <2n (7) according to the condition of the expression (2) or (4), −2n ≦ Na <0 (8). Therefore, Na is a negative value that is the same as Pa calculated by the equation (3) in the remainder system where the modulus is n.

(Iv) Simultaneously with (ii) and (iii), in the multiplexer 10, when the sign bit of the accumulation register 9 is 0, the value Na (<0) of the register 8 is selected, and the sign bit of the accumulation register 9 is 1 Sometimes, the value Pa (≧ 0) of the register 1 is selected and output to the adder / subtractor 12. (Immediately after (i), since the sign bit of the accumulation register 9 is 0, the register 8 is selected and its value, the multiplicand a, is output.) Adder / subtractor 12
In, if the LSB of the shift register 11 is 1, the output of the multiplexer 10 is added to the accumulation register 9, and if the LSB of the shift register 11 is 0, the value of the accumulation register 9 is changed. Do not update. That is, when the value s is positive or 0, the accumulation register 9 has Na (−2n ≦ Na <
0) is added, and when negative, Pa (0 ≦ Pa <n) is added.
Therefore, the value s of the accumulation register 9 is −2n ≦ s <n (9). After that, the shift register 11 is shifted right by 1 bit.

The above processes (ii), (iii), and (iv) are simultaneously executed in synchronization, and these processes are repeated a total of 512 times as a loop.

When the above processing is completed 512 times in total, s is a × bm
The number of cosets of od n and the modulus n is the same value and satisfies the expression (9). Therefore, if the value s of the accumulation register 9 is negative at this point in time, a × b mod n is obtained by adding the integer n only at most twice. To perform this addition, adder / subtractor 12 is used
The value n of the register 3 is added to the value of. In this way, the remainder multiplication a × b mod n is executed in this conventional example, and the result is stored in the accumulation register 9.

Therefore, in this conventional example, if the computation times of the subtracters 5 and 7 and the adder / subtractor 12 are all δ, a maximum time of (512 + 2) δ is required to execute the computation of a × b mod n. is there.

However, this processing time is not sufficient when it is considered that the modular exponentiation is performed by repeating such modular multiplication and used for the RSA cryptographic processing. In fact, when the 512-bit wide adder is constructed by using the carry look-ahead circuit for every 4 bits, δ is about 100 ns. A power-residue operation with a power of 512 bits requires a maximum of 1024 modular multiplications. As a result, the processing speed of RSA encryption is about 10 kbps, and as it is, it cannot support the required higher processing speed.

Therefore, the applicant proposes a remainder multiplication device which processes the multiplier b by 2 bits by using the quadratic Booth algorithm and has a processing speed twice as high as that of the first conventional example.

A conventional modular multiplication device proposed by the same applicant having such a feature will be described below as a second conventional example with reference to the drawings.

FIG. 4 is a block diagram of a conventional modular multiplication device proposed by the same applicant. In FIG. 4, 101 is a 513-bit register for storing the multiplicand a or the intermediate result of the operation, 1
02 is the left shifter that shifts the contents of register 1 by 4 times, that is, 2 bits to the left, 103 is the upper 4 bits of the 515 bits of the output of the left shifter 2, when t ₃ , t ₂ , t ₁ , t ₀ Let t = t ₃ · 2 ⁵¹⁴ + t ₂ · 2 ⁵¹³ + t ₁ · 2 ⁵¹² + t ₀ · 2 ⁵¹¹ (10) divided by n to be q, and store the product q · n of the quotient q and the modulus n. An 8-word memory that outputs the product q · n using the above 4 bits as an address, 104 is a subtracter that subtracts the output q · n of the memory 103 from the output of the left shifter 102, and 105 is a modulo integer n 512 Bit register, 106 is a 515 bit register that stores an integer 8n, 107 is a subtractor that subtracts the content 8n of the register 106 from the output of the left shifter 102, 108 is a 516 bit register that stores the output of the subtractor 107, 109 is a right 2-bit shift register that stores the multiplier b in the initial state, 110 is the lower 2 bits of the shift register 109 and its LS
Control lines c0 and c using 1 bit lower than B and 3 bits in total including the most significant bit shifted out by the previous shift
Booth encoder that generates 1, c2 (see Figure 5), 111
Is an EOR gate, 112 is a multiplexer which selects the output of the register 108 when the output of the EOR gate 111 is 0, and selects the output of the register 101 when the output of the EOR gate 111 is 1, and 113 is the control line c0 which is 1 When mux 1
Left shifter that shifts the output value of 12 to the left by 1 bit, 114 is 5
A 17-bit accumulation register, 115 adds the output of the left shifter 113 to the value of the accumulation register 114 when the control line c2 is 1 and the control line c1 is 0, and the control line c2 is 1 and the control is performed. When the line c1 is 1, the output of the left shifter 113 is subtracted, and the control line c2 is 0.
In the case of, the value of the accumulation register 114 is not updated, or the value n of the register 105 is added or subtracted according to the positive / negative of the accumulation register 114 at the end of a predetermined calculation, and the addition / subtractor outputs the value to the accumulation register 114. is there. Further, the EOR gate 111 receives the sign bit of the accumulation register 14 and the control line output c1 of the Booth encoder 110 as inputs.

For the multiplication method using the secondary Booth encoder, see, for example, “Tanaka,“ Looking at the circuit system of a multiplier by a parallel operation method that is becoming more LSI-compatible ””, Nikkei Electronics, 1978,
5, 29, pp 76-90 ". When this is applied to modular multiplication, a * b mod n is obtained by the following method.

Here, b _-1 = 0 (13) F ₂ (b _i ) = b _2i-1 + b _2i −2b _{2i + 1} (14).

The encoder 110 in such a secondary Booth system
FIG. 5 shows the value of F ₂ (b _i ) for each b _2i-1 , b _2i , b _{2i + 1} , the truth table of the control line outputs c0, c1, c2 and the operation diagram of the adder / subtractor 114. . As can be seen from FIG. 5, the control line c0 is
The control line c1 indicates that the absolute value of F ₂ (b _i ) is 2.
_A logic 1 indicates that the value of ₂ (b _i ) is negative and that the control line c2 indicates that the absolute value of F ₂ (b _i ) is not zero.

Further, hereinafter, the value stored in the register 101 is represented by Pa, the value stored in the register 108 is represented by Na, and the value stored in the accumulation register 114 is represented by s.

The algorithm of the second conventional example is first described in the C language style as follows.

s = 0; Pa = Na = a; for (i = 0; i <= 512; i ++ 2) {if ((b _i-1 + b _i −2 b _{i + 1} ) == 0) s = s; else if ( (Sign (s) ^ sign (b _i-1 + b _i −2 b _{i + 1} )) == 1) s = s + (b _i−1 + b _i −2 b _{i + 1} ) * Pa; else s = s + (b _i-1 + b _i −2b _{i + 1} ) * Na; N _a = 4 * P _a −q * n; P _a = 4 * P _a −q * n;} while (s <0) s = s + n; while (S> = n) s = s−n; where b ₅₁₂ = b ₅₁₃ = 0, and the symbol ^ indicates a bitwise exclusive OR operation. As a result, s = a × b mod n.

The operation of the second conventional modular multiplication device having the above-described configuration and implementing the above algorithm will be described below.

(I) First, the multiplicand a is stored in the registers 101 and 108, the multiplier b is stored in the shift register 109, the modulo integer n is stored in the register 105, and the integer 8n is stored in the register 106. Also, the accumulation register 114 is reset to 0.
Here, Pa = a, Na = a, and s = 0.

(Ii) In the left shifter 102, the content Pa of the register 102 is shifted to the left by 2 bits to obtain 4Pa (4a immediately after (i)). The memory 103 is accessed by using the upper 4 bits of the output 515 bits of the left shifter 102 as an address, and the memory 103 outputs the product q · n of the quotient q obtained by dividing the value t of the equation (10) by n and the modulus n. To do. In the subtractor 104, the output of the left shifter 102 is 4Pa
The output q · n of memory 3 is subtracted from the result, and the result is “4Pa-q
-N "is output to the register 101. Immediately after (i), this value is" 4a-qn ".

Here, if the lower 511 bits of the output of the left shifter 102 are set as a _s , and the remainder obtained by dividing t in equation (10) by n is set as r, then a _s <n (15) r <n (16) _{There, 4Pa = t + a s (} 17) t = q · n + r (18) (17), (18) from equation 4Pa = q · n + r + a s ∴4Pa-q · n = r + a s (19) (15), (16 ) value Pa which is stored in the register 101 updated by formula is represented by a and 513-bit number of the coset Pa = 4Pa-q · n = r + a s <2n (20) the results obtained by dividing the 4Pa with n Becomes a number.

Therefore, the processing here is performed by registering the equation (20).
This is stored in 101, and this value Pa is the number of the remainder system with n being the modulus of the number obtained by multiplying the original value of Pa by 4 and is 0 ≦ Pa <2n (21).

(Iii) At the same time as (ii), in the subtractor 107, from the output 4Pa of the left shifter 102 (4a immediately after (i)) to the register 10
The value 8n of 6 is subtracted and the output "4Pa-8n" is output to the register 108. This processing is applied with Na = 4Pa-8n (22). Here, since 0 ≦ 4Pa <8n (23) from the condition of the expression (21), −8n ≦ Na <0 (24). Therefore, Na is a negative value that is equivalent to Pa calculated by Eq. (20) in the remainder system modulo n.

(Iv) In the multiplexer 112, the output of the EOR gate 111 is 0 (that is, the value s of the accumulation register 114 is positive and F ₂ (b
_i ) is positive, or s is negative and F ₂ (b _i ) is negative), the value Na <0 in register 108 is selected and the EOR gate is selected.
The output of 111 is 1 (that is, the value s of the accumulation register 114 is positive and
When F ₂ (b _i ) is negative or when s is negative and F ₂ (b _i ) is positive), the value Pa of the register 101 is selected and output to the left shifter 113. In the left shifter 113, when the control line c0 is 1, that is, when the absolute value of F ₂ (b _i ) is 2, the output of the multiplexer 112 is doubled and given to the adder / subtractor 115, and when the control line c0 is 0, the multiplexer The output of 112 is multiplied by 1 and given to the adder / subtractor 115. In the adder / subtractor 115, if the control line c2
Is 1 and the control line c1 is 0, that is, when F ₂ (b _i ) is a positive value other than 0, the output of the left shifter 113 is added to the accumulation register 114, and the control line c2 is 1 and the control line c1 Is 1
When F ₂ (b _i ) is a non-zero negative value, the output of the left shifter 113 is subtracted from the accumulation register 114 and updated, and when the control line c2 is 0, the value of the accumulation register 114 is not updated. . As a result, a negative value is added when s is positive (including 0), and a positive value is added when s is negative. Therefore, the value s of the accumulation register 114 is −16n ≦ s <4n (25) according to the equations (21) and (24). After that, the shift register 109 is shifted right by 2 bits.

The above processes (ii), (iii), and (iv) are synchronously and simultaneously executed, and these processes are repeated 257 times in total as a loop.

When the above processing (loop) is executed 257 times in total,
s is a value that is the same as the number of remainder systems of a × b mod n and modulus n, and is a value that satisfies equation (25). Therefore, even at this point, if the value s of the accumulation register 114 is negative, a × b mod n is added by adding the integer n at most 16 times.
If the value s of the accumulation register 114 is greater than or equal to n, a × b MOD n can be obtained by subtracting the integer n only at most three times. This correction processing is performed by using the adder / subtractor 115 to add or subtract the value n of the register 105 to the value of the accumulation register 114.

Thus, in the second conventional example, the modular multiplication a ×
b mod n is executed and the result is stored in the accumulation register 114.

Therefore, in the second conventional example, the subtractors 104 and 10
7. If the calculation speed of the adder / subtractor 115 is δ, then a ×
In order to calculate b mod n, a maximum time of (257 + 16) δ is required, and a speed approximately twice that of the first conventional example can be realized.

Problems to be Solved by the Invention The processing speed of the RSA encryption when performing the modular exponentiation operation by repeating such conventional modular multiplication is about 20 kbps, which is twice as fast as that of the first conventional example. However, even so, it is not possible to cope with the higher processing speed required. In order to increase the processing speed, if a higher-order, for example, fourth-order Booth algorithm is used for the remainder multiplication device shown in the second conventional example, the value corresponding to the register 101 in FIG. Although Pa satisfies Expression (21) as in the case of the second conventional example, if the left shifter 102 is a 4-bit shifter (16-multiplier), the value corresponding to the value of the register 108 is the remainder of Pa and the modulus n. 32n must be stored in the register 106 in order to obtain the same negative value, so that the multiplexer 11 in FIG.
The value corresponding to the output of 2 is a number greater than or equal to −32n and less than 2n. Further, the output value of the multiplexer 112 is multiplied by 1 to 1
Instead of the bit left shifter 113, it is necessary to place a multiplier that multiplies its corresponding value by a factor of 1 to 8, so that the value s of the accumulation register 114 is -256n≤s <16n (26). Therefore, the number of loops is 129, which is 257 in the second embodiment.
Although it is half the number of times, it needs to be corrected up to 256 times to set the value of s to 0 ≦ s <n, and once because the multiplier is inserted at the position of the left shifter 113 as described above. The time required for the loop is "multiplication time of multiplier + δ". Therefore, even in this case, the calculation of a × b mod n requires a maximum time of (129 + 256) × (multiplication time of the multiplier + δ), which is faster than the processing speed of the second conventional example. It had a problem that it could not.

In view of such a point, the present invention processes the multiplier b by k bits larger than 2 bits by using the higher-order Booth algorithm to reduce the number of loops, and adds one processing time in one loop. It is an object of the present invention to provide a modular multiplication device having a high processing speed by setting the addition time δ of the multiplier.

Means for Solving the Problems According to the present invention, a first register, a k-bit left shifter for multiplying the value of the first register by the power of 2 (k <2), and an integer n of the outputs of the left shifter. The integer n is the value that has more digits than
An integer n of the output of the left shifter, where q is the quotient divided by
Product q with the bit pattern of more digits than
A storage unit that simultaneously outputs xn and a product (q + 2) × n; a first subtractor that subtracts the first output q × n of the storage unit from the output of the left shifter and outputs the result to a first register; A second subtractor for subtracting the second output (q + 2) × n of the storage unit from the output of the shifter, a second register for storing the output of the second subtractor, and a first accumulation register, The second accumulation register, the shift register, and the kth order from the value of the shift register
An encoder unit for generating first multiplex information and second multiplex information using Booth's algorithm, the output of the first accumulation register as one input, and the sign of the first accumulation register and the first accumulation register. A first arithmetic unit for selecting either the first register or the second register based on the multiple information and inputting the other input to the first accumulation register; and a second accumulation unit The output of the register is used as one input, and either the first register or the second register is selected based on the sign of the second accumulation register and the second multiple information, and the other input is used as the operation result. It is a modular multiplication device provided with a second arithmetic unit for outputting to a second accumulation register.

At the initial stage of operation, the integer a is stored in the first and second registers and the integer b is stored in the shift register, and the storage unit divides the value of the digit of the integer n of the output of the left shifter by the integer n. It is assumed that when the quotient is q, the product q × n and the product (q + 2) × n are simultaneously output using the bit pattern of the digits of the integer n or more of the outputs of the left shifter as an address. The left shifter multiplies the value in the first register by 2 to the power of k (k> 2). The first subtractor subtracts the first output q × 2 of the storage unit from the output of the left shifter and outputs the result to the first register. At the same time, the second subtractor subtracts the second output (q + 2) × n of the storage unit from the output of the left shifter and outputs the result to the second register. At the same time, the encoder unit calculates k from the value in the shift register.
The first Booth's algorithm is used to generate the first multiple information and the second multiple information, and the first arithmetic unit outputs the code of the first accumulation register to the output of the first accumulation register. And the first register or the second register based on the first multiple information.
The value of any one of the registers is controlled so that the absolute value of the first accumulation register does not increase, and the value is output to the first accumulation register. At the same time, the second arithmetic unit outputs the second accumulation register sign and the second accumulation register to the output of the second accumulation register.
The value of either the first register or the second register is used to control the absolute value of the accumulating register so as not to increase based on the multiple information, and the result is output to the second accumulating register. In this way, the first and second subtractors and the first and second arithmetic units operate in synchronization at the same time, and this processing is performed by (the number of digits of b / k +
1) Repeated once. Moreover, since the value range of the first register and the value range of the second register are the same (range of 2n) and smaller than the conventional one, the number of corrections thereafter becomes small.

Embodiment FIG. 1 is a block diagram of a modular multiplication device according to an embodiment of the present invention. In FIG. 1, 201 is a 513-bit register that stores the multiplicand a or the intermediate result of the operation, 202 is a left shifter that shifts the contents of register 1 16 times, that is, 4 bits to the left, and 203 is the output of the left shifter 2, 517. When the upper 6 bits of the bits are t ₅ , t ₄ , t ₃ , t ₂ , t ₁ , t ₀ , t = t ₅・ 2 ⁵¹⁶ + t ₄・ 2 ⁵¹⁵ ＋ t ₃・ 2 ⁵¹⁴ + t ₂・ 2 ⁵¹³ + t ₁ · 2 ⁵¹² + t ₀ · 2 ⁵¹¹ (27) is divided by n, and the quotient is q. The product q · n of the quotient q (q <32) and the modulus n is stored and the above 6 bits are used as the address. q
n and product (q + 2) · n are simultaneously output in a 2-port structure
34 word memory, 204 memory from output of left shifter 202
A subtracter that subtracts the output q · n of 203, 205 is a 512-bit register that stores a modulo integer n, and 207 is a left shifter 202.
, A subtracter for subtracting the output (q + 2) · n of the memory 203 from the output of 208, 208 is a 514-bit register for storing the output of the subtractor 207, 209 is a right 4-bit shift register for storing the multiplier b in the initial state, 210 Generates the control lines c0, c1, c2, c3, c4, c5 using the lower 5 bits of the shift register 209 and 1 bit lower than the LSB and the most significant bit shifted out by the previous shift. Booth encoder (see Fig. 2), 211 and 212 are EOR gates, 213 is
When the output of the EOR gate 211 is 0, the output of the register 208 is selected, and when the output of the EOR gate 211 is 1, the register 20 is selected.
Multiplexer that selects and outputs 1 output, 214 is EOR
A multiplexer that selects the output of the register 208 when the output of the gate 212 is 0 and selects and outputs the output of the register 201 when the output of the EOR gate 212 is 1, 215 is a 2-bit left shifter, 216 is a 3-bit left shifter, 217 is a 1-bit left shifter, 218 is a multiplexer that selects the output of the left shifter 215 when the control line c0 is 0, and selects and outputs the output of the left shifter 216 when the control line c0 is 1, and 219 is the control line c3 whose 0 is When the output of the multiplexer 214 is selected and the output of the left shifter 217 is selected and output when it is 1, 220 is a 517-bit accumulation register, 221 is a 515-bit accumulation register, 22
2 is a multiplexer when the control line c2 is 1 and the control line c1 is 0 and the output of the multiplexer 218 is added to the value of the accumulation register 220, and when the control line c2 is 1 and the control line c1 is 1. The output of 218 is subtracted, the value of the accumulation register 220 is not updated when the control line c2 is 0, or the value n of the register 205 or the accumulation register is determined according to the sign of the accumulation register 220 at the end of a predetermined operation. An adder / subtractor that adds or subtracts the value of 221 and outputs it to the accumulation register 220, 223 is an accumulation register
When the control line c5 is 0 for the value of 221, the value is not updated,
The adder / subtractor adds the output of the multiplexer 219 when the control line c5 is 1 and the control line c4 is 0, and subtracts the output of the multiplexer 219 when the control line c5 is 1 and the control line c4 is 1. Further, the EOR gate 211 receives the sign bit of the accumulation register 220 and the control line c1, and the EOR gate 212 receives the sign bit of the accumulation register 221 and the control line c4.

After that, the value stored in the register 201 is Pa, the register 208
Let Na be the value stored in, the value stored in accumulation register 220 be SL, and the value stored in accumulation register 220 be SR.

The remainder multiplication method using a fourth-order Booth encoder is to obtain a × b mod n by the following method.

Where b _-1 = 0 (30) F ₄ (b _i ) = (b _4i-1 + b _4i + 2b _{4i + 1} + 4b _{4i + 2} −8b _{4i + 3} )
(31)

B _4i−1 , b _4i , b in such a fourth-order Booth system
_{4i + 1, b 4i + 2} , b 4i + value of ₃ F ₄ for (b _i), F ₄ control lines of the decomposition process and the encoder 210 of the value of (b _i) output c0, c1, c2,
The truth table of c3, c4, c5 is shown in FIG. As shown in FIG. 2, the value of the multiplier F ₄ (b _i ) is decomposed into two values of FL (b _i ) and FR (b _i ) and the accumulation is performed independently. That is, (29)
Expression , And the first term of equation (32) is the accumulation register
At 220, the second term is simultaneously accumulated by the accumulation register 221. Moreover, the present invention independently adds to each accumulation register, a negative partial product when the value is positive, and adds a negative partial product when the value is positive to obtain each accumulation register. The value is controlled so as not to exceed a predetermined range.

As can be seen from FIG. 2, the control line c0 has an absolute value of FL (b _i ) of 8, the control line c1 has a negative FL (b _i ), and the control line c2 has a value of FL (b _i ). _A logical 1 indicates that the absolute value of _i ) is not 0. Further, the control line c3 is an absolute value of 2 for FR (b _i), the control line c4 is FR (b _i) is negative, the absolute value of the control line c5 is FR (b _i) is Not 0 is indicated by logic 1.

The algorithm of this embodiment is first described in C language style as follows.

Pa = Na = a; SL = SR = 0; for (i = 0; i <= 512; i ++ 4) {if ((FL (b _i ) == 0) SL = SL; else if ((sign (SL) ^ sign (FL (b _i )) == 1) SL = SL + (FL (b _i )) * Pa; else SL = SL + (FL (b _i )) * Na; if ((FR (b _i ) == 0) SR = SR; else if ((sign (SR) ^ sign (FR (b _i )) == 1) SR = SR + (FR (b _i )) * Pa; else SR = SR + (FR (b _i ) ) * Na; Na = 16 * P a - (q + 2) * n; P a = 16 * P a -q * n;} SL = SL + SR; while (SL <0) SL = SL + n; while (SL> = n As a result, SL = a × b mod n, where b ₅₁₂ = b
₅₁₃ = b ₅₁₄ = 0, and the symbol ^ indicates a bitwise exclusive OR operation.

The operation of the modular multiplication device of this embodiment configured as above and realizing the above algorithm will be described below.

(I) First, the multiplicand a is stored in the registers 201 and 208, the multiplier b is stored in the shift register 209, and the modulo integer n is stored in the register 205. Also the accumulation register 22
0 and 221 are reset to 0. Here, Pa = Na = a, SL =
SR = 0.

(Ii) In the left shifter 202, the content Pa of the register 202 is shifted to the left by 4 bits to obtain 16Pa (16a immediately after (i)). The memory 203 is accessed using the upper 6 bits of the output 517 bits of the left shifter 202 as an address. Memory 2
03 is the product of the quotient q obtained by dividing the value t in equation (27) by n and the modulus n.
n is output to the subtractor 204, and the product (q + 2) · n is subtracted by the subtractor 207.
Output to. In the subtractor 204, the output 16 of the left shifter 202
The output q · n of the memory 3 is subtracted from Pa and the result is “16Pa−
q.n "is output to the register 201. Immediately after (i), this value is" 16a-q.n ".

Here, if the lower 511 bits of the output of the left shifter 202 are set as a _s , and the remainder obtained by dividing t in Expression (27) by n is set as r, then a _s <n (28) r <n (29) _{There, 16Pa = t + a s (} 30) t = q · n + r (31) (30), (31) from equation 16Pa = q · n + r + a s ∴16Pa-q · n = r + a s (32) (28), (29 ) stored updated value Pa in the register 201 Pa = 16Pa-q · n = r + a s <2n (33) by equation results is the number of coset obtained by dividing 16 Pa at n 513
It is a number expressed in bits. Therefore, the processing here is to obtain the equation (33) and store it in the register 201, and this value Pa is the number of cosets with n being the modulus of the original value of Pa multiplied by 16 ≦ Pa <2n (34).

(Iii) At the same time as (ii), the subtractor 207 subtracts the output (q + 2) · n of the memory 3 from the output 16Pa of the left shifter 202, and as a result, “16Pa− (q + 2) · n” is stored in the register 208.
And output it as Na. That is, Na = 16Pa- (q + 2) .n = 16Pa-q.n-2n (33) is used, -2n≤Na <0 (35) Therefore, Na is (33) in the remainder system modulo n. It is a negative value that is equivalent to Pa calculated by the formula.

(Iv) In the multiplexer 213, the output of the EOR gate 211 is 0 (that is, the value SL of the accumulation register 220 is positive and FL (b
_{When i} ) is positive or SL is negative and FL (b _i ) is negative), the value Na <0 in register 208 is selected and the EOR gate is selected.
The output of 211 is 1 (that is, the value SL of the accumulation register 220 is positive and
When FL (b _i ) is negative, or SL is negative and FL (b _i ) is positive), the value Pa of the register 201 is selected. The left shifter 215 and the left shifter 216 multiply the output of the multiplexer 218 by 4 times and 8 times, respectively. In the multiplexer 218, when the control line c0 is 1, that is, the absolute value of FL (b _i ) is 8
When the control line c0 is 0, that is, when the absolute value of FL (b _i ) is 4 or 0, the left shifter 21 is selected.
The output of 5 is selected and given to the adder / subtractor 222. Adder / subtractor 222
In, if the control line c2 is 1 and the control line c1 is 0, that is, if FL (b _i ) is a non-zero positive value, the accumulation register
The output of the multiplexer 218 is added to 220, and the control line c2 becomes 1
When the control line c1 is 1, that is, when FL (b _i ) is a non-zero negative value, the output of the multiplexer 218 is subtracted from the accumulation register 220 and updated, and when the control line c2 is 0, Do not update the value in accumulation register 220. In this way, a negative value is added when SL is positive (including 0), and a positive value is added when SL is negative. Therefore, the value SL of the accumulation register 220 is −16n ≦ s <16n (36) according to the equations (34) and (35).

(V) In the multiplexer 214, the output of the EOR gate 212 is 0 (that is, the value SR of the accumulation register 221 is positive and FR (b
_{When i} ) is positive or SR is negative and FR (b _i ) is negative), the value Na <0 in register 208 is selected and the EOR gate is selected.
The output of 212 is 1 (that is, the value SR of the accumulation register 221 is positive and
When FR (b _i ) is negative, or SR is negative and FR (b _i ) is positive), the value Pa of the register 201 is selected. The left shifter 217 doubles the output of the multiplexer 217. In the multiplexer 219, when the control line c3 is 1, that is, FR (b
_When the absolute value of _i ) is 2, the output of the left shifter 217 is selected, and when the control line c3 is 0, that is, when the absolute value of FR (b _i ) is 1 or 0, the output of the multiplexer 214 is selected to add / subtract Give to 223. In the adder / subtractor 223, if the control line c5 is 1 and the control line c4 is 0, that is, if FR (b _i ) is a positive value other than 0, the output of the multiplexer 219 is added to the accumulation register 221 to control If the line c5 is 1 and the control line c4 is 1,
When FR (b _i ) is a non-zero negative value, the output of the multiplexer 219 is subtracted from the accumulation register 221 and updated, and the control line c5
Is 0, the value of the accumulation register 221 is not updated. Thus, a negative value is added when SR is positive (including 0), and a positive value is added when SR is negative. Therefore, the value SR of the accumulation register 221 is −4n ≦ SR <4n (37) according to the equations (34) and (35). After that, the shift register 209 is shifted to the right by 4 bits.

The above processes (ii), (iii), (iv), and (v) are synchronously and simultaneously executed, and these processes are repeated 129 times in total as a loop.

When the above processing (loop) is executed 129 times in total, the value of SR is added to SL and the result is obtained as a number of 0 or more and less than n. This correction is performed in the following procedure. That is, using the adder / subtractor 222, the accumulation register 220 is added to the accumulation register 221.
The value of is added. From equations (36) and (37), −20n ≦ SL <20n (38) If SL is negative, add integer n at most 20 times, and if negative, subtract integer n at most 19 times. By doing so, 0 ≦ SL <n (39). This correction processing is performed by using the adder / subtractor 222 to add or subtract the value n of the register 205 to the value of the accumulation register 220.

Thus, in this embodiment, the modular multiplication a × b mod
n is executed and the result is stored in the accumulation register 220.

Therefore, in the present embodiment, if the calculation speeds of the subtracters 204 and 207 and the adders / subtractors 222 and 223 are both δ, then a × bm
In order to calculate od n, only a maximum time of (129 + 20) δ is required, and a speed about twice that of the second conventional example can be realized.

As described above, according to the present embodiment, the positive value Pa and the negative value Na within the predetermined range are the same as the remainder with the modulus of ^{24 i} · a being n.
Can be generated using the same memory, and is a multiple F ₄ that occurs when the fourth-order booth algorithm is used.
(B _i ) is decomposed into two multiples FL (b _i ) and FR (b _i ), and the partial product FL (b _i ) 2 ⁴ⁱ and the partial product FR (b _i ) 2 ⁴ⁱ When the cumulative result so far is negative, the positive remainder of the partial product is added, and when the cumulative result so far is positive, the partial product By keeping the partial products within a certain range by adding the same number of negative remainders, and by using the operation speed of one loop as the operation speed of one adder without using a multiplier, It is possible to realize a modular multiplication device having twice the speed.

In this embodiment, the multiplier b is set to 4 per loop.
Although the fourth-order Booth algorithm is used by processing bit by bit, in the present invention, the processing width per loop is performed with an arbitrary bit width, and the partial product is obtained by using the higher-order Booth algorithm. May be divided and the same processing may be performed.

As described above, according to the present invention, the multiplier is processed bit by bit more than 2 bits by using the higher-order Booth algorithm to reduce the number of loops, and the processing time in one loop is reduced. By making the addition time of one stage, it is possible to obtain a modular multiplication device with a high processing speed, and its practical effect is extremely large.

[Brief description of drawings]

FIG. 1 is a block diagram of a modular multiplication device of an embodiment of the present invention, FIG. 2 is a truth table diagram of a Booth encoder 210 of an embodiment of the present invention, and FIG. 3 is a modular multiplication device of a first conventional example. FIG. 4, FIG. 4 is a block diagram of a remainder multiplication device of the second conventional example, and FIG. 5 is a truth table diagram of Booth encoder 110 of the remainder multiplication device of the second conventional example. 201,208 …… Register, 202 …… Left shifter, 203 …… Memory, 204,207 …… Subtractor, 209 …… Shift register, 210
...... Booth encoder, 220,221 …… Accumulation register, 213,
214 ... Multiplexer, 222, 223 ... Adder / subtractor.

Claims (1)

(57) [Claims] 1. When a, b, m are positive integers, a product a × b of the integer a and the integer b is a predetermined m-bit positive integer n.
A modular multiplication device for calculating a remainder divided by, wherein the value of the first register and the value of the first register are multiplied by 2 to the power of k (k
> 2) k-bit left shifter and the output of the above left shifter, the bit pattern higher than m bits is L,
When q is a quotient obtained by dividing t = L × 2 ^m-1 by an integer n, a storage unit that simultaneously outputs the product q × n and the product (q + 2) × n with L as an address, and the output of the left shifter From the output of the left shifter to the first output q × n of the storage unit and output to the first register, and the second output (q + 2) × n of the storage unit from the output of the left shifter. A second subtractor for subtracting, a second register for storing the output of the second subtractor, a first accumulation register, a second accumulation register,
From the shift register and the value of the above shift register,
An encoder section for generating first multiplex information and second multiplex information using Booth's algorithm, an output of the first accumulation register as one input, and a code of the first accumulation register. The first based on the first multiple information
Or the second register and selects the other input as the other input to output the operation result to the first accumulation register and the output of the second accumulation register. One of the inputs is selected and either the first register or the second register is selected based on the sign of the second accumulation register and the second multiple information, and the other input is selected. A modular multiplication device comprising a second arithmetic unit for outputting to the second accumulation register.