JP5840086B2 - Reduction device, reduction method, and program - Google Patents

Description

  The present invention relates to a calculation technique, and more particularly to a reduction calculation.

An operation on the extension field GF (2 ⁿ ) (where n is a positive integer) is realized by a remainder operation (contraction) modulo an n-order polynomial f (x) on a polynomial operation result (for example, a polynomial multiplication result). it can. In order to efficiently execute the remainder calculation using f (x), one having a small number of terms is usually selected as f (x). In general, f (x) = x ⁿ −f ₀ (x) (where deg f ₀ <n) can be written, but for many n, one that satisfies deg f ₀ <n / 2 can be selected. At this time, if a polynomial calculation result that is a polynomial of less than 2n order is r (x), the remainder calculation using f (x) as a modulus uses x ⁿ ≡f ₀ (x) (mod f (x)). Then, it can be described as follows (for example, see Non-Patent Document 1).

<Algorithm 1>
Input: r (x), f (x) = x ⁿ −f ₀ (x)
Output: R (x) = r (x) mod f (x)
1: h (x) × x ⁿ + k (x) ← r (x) (where deg k (x) <n)
2: r ′ (x) ← k (x) + h (x) × f ₀ (x)
3: H (x) × x ⁿ + k (x) ← r ′ (x)
4: R (x) ← k (x) + H (x) × f ₀ (x)

ただし、ｔは正整数であり、ｎ（ｉ）＝ｎ（ｔ−１），・・・，ｎ（１）はｎ／２＞ｎ（ｔ−１）＞・・・＞ｎ（１）＝０を満たす整数である。すると、ｆ（ｘ）を法とした剰余演算は、次のように記述できる。 Further, f ₀ (x) is set as follows.

However, t is a positive integer, and n (i) = n (t−1),..., N (1) is n / 2> n (t−1)>. It is an integer that satisfies 0. Then, the remainder operation modulo f (x) can be described as follows.

<Algorithm 2>
Input: r (x), f (x) = x ⁿ −f ₀ (x)
Output: R (x) = r (x) mod f (x)
1: h (x) × x ⁿ + k (x) ← r (x)
2: r ′ (x) ← k (x) + h (x) × (x ^{n (t−1)} +... + X ^{n (1)} )
3: H (x) × x ⁿ + k (x) ← r ′ (x)
4: R (x) ← k (x) + H (x) × (x ^{n (t−1)} +... + X ^{n (1)} )

  Further, it is assumed that the coefficient sequence r of r (x) is stored in a 2 × n-bit register, and the coefficient sequences of other polynomials are stored in an n-bit register. Then, the remainder operation modulo f (x) can be described as follows.

<Algorithm 3>
Input: rεGF (2) ^{2 × n} , n (t−1),..., N (1)
Output: coefficient sequence RεGF (2) ^{n of} r (x) mod f (x) ⁿ
1: h | k ← r (where h, kεGF (2) ⁿ )
2: k ′ ← k + h ^{<< n (1)} +... + H ^{<< n (t−1)} ∈GF (2) ⁿ
3: h ″ ← h ^{<< n−n (2)} +... + H ^{<< n−n (t−1)} ∈GF (2) ⁿ
4: R ← k ′ + h ″ ^{<< n (1)} +... + H ″ ^{<< n (t−1)} ∈GF (2) ⁿ
However, α ^>> j represents a right j shift operation for a column α∈GF (2) ⁿ consisting of elements of n finite fields GF (2), and α ^<< j is a left j for the column α∈GF (2) ⁿ Represents a shift operation. Α | β represents a connection (for example, bit connection) between the column α and the column β.

The processing of <algorithm 3> is illustrated in FIGS. 8A to 8C and FIG. 8A shows h | k ← r (step 1), FIG. 8B shows k ′ ← k + h ^{<< n (1)} +... + H ^{<< n (t−1)} (step 2), and FIG. 8C shows h ″ ← h. ^{<< n-n (2)} + ... + h ^{<< n-n (t-1)} (step 3), FIG. 9 shows R ← k '+ h''^{<< n (1)} + ... + h''^{<< n (T-1)} (Step 4) is represented respectively. The operator + in FIGS. 8A to 8C and FIG. 9 represents addition on the extension field GF (2 ⁿ ). As shown in FIGS. 8B and 8C, step 4 performs an operation on the values h (2),..., H (t−1) overflowing from the n-bit register by the left shift operation in step 3. Yes. Since deg f ₀ <n / 2, that is, n / 2> n (t−1), all the values overflowing from the n-bit register by the left shift operation in step 4 are 0 as shown in FIG. .

Darrel Hankerson, Julio Lopez Hernandez, Alfred Menezes, “Software Implementation of Elliptic Curve Cryptography over Binary Fields,” CHES 2000, LNCS 1965, pp. 1-24, 2000.

In algorithm 3, t−1 left n (i) shift operations (i = 1,..., T−1) and t−1 times addition on the extended field GF (2 ⁿ ) are each performed twice. Since each step is performed (steps 2 and 4), the calculation efficiency is poor.

  The present invention has been made in view of these points, and an object thereof is to provide a reduction technique with higher calculation efficiency than in the past.

R (x) mod f (x) is calculated as follows. However, q is an integer of 2 or more, n is an integer of 3 or more, t is an integer of 3 ≦ t ≦ n, GF ( q) is a finite field of order ^q, GF (q ⁿ ) Is an nth-order extension of the finite field GF (q), x is an indefinite element, and n (t−1),..., N (1) is n / 2> n (t−1)>. ...> n (1) = 0, an integer satisfying f ₀ (x) is a polynomial f ₀ (x) = x ^{n (t-1)} +... + X ^{n (1)} , and f ( x) = x ⁿ −f ₀ (x), and α ^>> j is a right j shift operation on a sequence α∈GF (q ⁿ ) consisting of elements of n finite fields GF (q), and α ^<< j Is a left j shift operation on a sequence αεGF (q ⁿ ) consisting of elements of n finite fields GF (q).

First, the polynomial r (x) = (h _n−1 × x ⁿ⁻¹ +... + H ₀ × x ⁰ ) × x ⁿ + (k _n−1 × x ⁿ⁻¹ +... + K ₀ × x ⁰ ) for a sequence of ⁿ elements h _n−1 ,..., H ₀ εGF (q) and n elements k _n−1 ,. Obtain a column kεGF (q ⁿ ) consisting of k ₀ εGF (q). Next, H = h + h ^{>> n- (2)} + ... + h ^{>> n- (t-1)} εGF (q ⁿ ) is obtained, and R = k + H ^{<< n (1)} + ... + H ^{<< n (t−1)} εGF (q ⁿ ) is obtained.

Since the shift operation and addition / subtraction on GF (q ⁿ ) are commutative, the sequence R obtained by the present invention is a coefficient sequence of r (x) mod f (x). In the present invention, t−1 left n (i) shift operations and additions on the extension field GF (2 ⁿ ), which conventionally had to be performed twice each, can be combined into one time. Reduction can be performed more efficiently.

FIG. 1A is a block diagram for explaining the configuration of the contracting device of the embodiment, and FIG. 1B is a flowchart for explaining the contracting method of the embodiment. FIG. 2 is a diagram showing a contraction method of the embodiment. FIG. 3A is a block diagram for explaining the configuration of the contracting device of the embodiment, and FIG. 3B is a flowchart for explaining the contracting method of the embodiment. FIG. 4 is a flowchart for explaining the contraction method of the embodiment. FIG. 5 is a flowchart for explaining the contraction method of the embodiment. FIG. 6 is a flowchart for explaining the contraction method of the embodiment. FIG. 7 is a flowchart for explaining the contraction method of the embodiment. 8A to 8C are views showing a conventional contraction method. FIG. 9 is a diagram showing a conventional reduction method.

Hereinafter, embodiments will be described with reference to the drawings.
[Definition]
Define terms and symbols.
GF (q) represents a finite field of order q, and GF (q ⁿ ) represents an nth-order extension field of the finite field GF (q). However, q is an integer (constant) of 2 or more, and n is an integer (constant) of 3 or more. For example, q = 2, GF (2) is a bit set {0, 1}, and GF (2 ⁿ ) is an n-bit bit string set {0, 1} ⁿ . Examples of n are n = 8, 64, 128, etc.

f (x) = x ⁿ −f ₀ (x), and f ₀ (x) represents the polynomial f ₀ (x) = x ^{n (t−1)} +... + x ^{n (1)} . T is an integer (constant) of 3 ≦ t ≦ n, x is an indefinite element, and n (t−1),..., N (1) is n / 2> n (t−1). >...> An integer satisfying n (1) = 0.

α ^>> j represents a right j shift operation on a sequence αεGF (q ⁿ ) composed of n ^elements α _n−1 ,..., α ₀ εGF (q). However, j is a positive integer. If α ^{>> j gives} a sequence β∈GF (q ⁿ ) consisting of ⁿ elements β _n−1 ,..., β ₀ ∈GF (q), then β _n−1 ,. _n−j is 0,..., 0, and β _n−1−j ,..., β ₀ are α _{n−1 ,.} α ^{>> 0} indicates no operation, and processing and configuration for α ^{>> 0} are not required.

α ^<< j is a left j shift operation on a sequence αεGF (q ⁿ ) composed of n ^elements α _n−1 ,..., α ₀ εGF (q). If α ^{<< j gives} a sequence βεGF (q ⁿ ) consisting of ⁿ elements β _n−1 ,..., β ₀ εGF (q), then β _n−1 ,. _j is α _n−1−j ,..., α ₀ , and β _j−1 ,..., β ₀ are 0,. Note that the right j shift operation and the left j shift operation may be executed by a shift instruction, or by a combination of addition instructions when a column consisting of elements of n finite fields GF (q) is regarded as an integer. May be. α ^{<< 0} represents no operation, and processing and configuration for α ^{<< 0} are not required.

を表す。 α + βεGF (q ⁿ ) represents the addition of the column α, βεGF (q ⁿ ) on the extension field GF (q ⁿ ). If the extension field GF (q ⁿ ) is a set of bit strings {0, 1} ⁿ , α + βεGF (q ⁿ ) becomes α (+) βε {0, 1} ⁿ . However, α (+) β is, the n-bit _{α n-1, ···, α} 0 ∈ bit string alpha and n bits beta _n-1 consisting of {0,1}, ···, β ₀ Bitwise exclusive OR operation with bit sequence β∈ {0,1} ⁿ consisting of ∈ {0,1}

Represents.

α & β is a bit string α composed of _n bits α _n−1 ,..., α ₀ ε {0, 1} and n bits β _n−1 ,..., β ₀ ε {0, 1} Represents a bitwise AND operation α _n−1 & β _n−1 ,..., Α ₀ & β ₀ with a bit string β∈ {0, 1} ⁿ .

[First Embodiment]
<Configuration>
As illustrated in FIG. 1A, the contracting device 1 according to the first embodiment includes an input unit 11, a division unit 12, calculation units 13 and 14 (first and second calculation units), an output unit 15, a control unit 16, and A storage unit 17 is included. The contracting device 1 is a special device configured by reading a predetermined program into a known or dedicated computer having, for example, a CPU (central processing unit), a register, a RAM (random-access memory), and a hard disk. is there. The contracting device 1 performs each process under the control of the control unit 16. Data input to the input unit 11 and data obtained in each process are stored in the storage unit 17 one by one. The data stored in the storage unit 17 is read out as necessary, input to each unit, and used for each process.

<Method>
As illustrated in FIG. 1B, the input unit 11 includes a polynomial r (x) = (h _n−1 × x ⁿ⁻¹ +... + H ₀ × x ⁰ ) × x ⁿ + (k _n−1 × x ^n-1 +... + k ₀ × x ⁰ ) is specified. For example, a coefficient sequence h _n−1 ,..., H ₀ , k _n−1 ,..., K _{0 of} a polynomial r (x) is input as r. An example of the polynomial r (x) is a multiplication result of polynomials of order n or less (step S11).

Information r is input to the dividing unit 12. As illustrated in FIG. 2A, the dividing unit 12 includes a polynomial r (x) = (h _n−1 × x ⁿ⁻¹ +... + H ₀ × x ⁰ ) × x ⁿ + (k _n−1 × x ⁿ⁻¹ +... + k ₀ × x ⁰ ), a sequence h∈GF (q ⁿ ) and n elements consisting of ⁿ elements h _n−1 ,..., h ₀ ∈GF (q) To obtain a column kεGF (q ⁿ ) consisting of elements k _n−1 ,..., K ₀ εGF (q) (h | k ← r), and outputs columns h and k. For example, when GF (q ⁿ ) is an n-bit bit string set {0, 1} ⁿ , the dividing unit 12 divides the bit string h | k to obtain an n-bit bit string h, kε {0, 1}. ⁿ is obtained, and bit strings h and k are output (step S12).

The column h is input to the calculation unit 13. As illustrated in FIG. 2B, the calculation unit 13 obtains a column H = h + h ^{>> n−n (2)} +... + H ^{>> n−n (t−1)} εGF (q ⁿ ), Output. That is, the calculation unit 13 outputs, as a column H, an addition value on the expanded field GF (q ⁿ ) of h ^{>> n−n (i)} (i = 1,..., T−1). For example, when GF (q ⁿ ) is an n-bit bit string set {0, 1} ⁿ , the arithmetic unit 13 sets the bit string H = h (+) h ^{>> n−n (2)} (+). (+) H ^{>> n−n (t−1)} ε {0, 1} ⁿ is obtained, and the bit string H is output. Note that h (i) in FIG. 2B represents a sequence of h _n−1 ,..., H _{n−n (i)} (step S13).

The column H and the column k are input to the calculation unit 14. As illustrated in FIG. 2C, the calculation unit 14 obtains a sequence R = k + H ^{<< n (1)} +... + H ^{<< n (t−1)} εGF (q ⁿ ) and outputs the sequence R. That is, the calculation unit 14 outputs, as a column R, an addition value on the expanded field GF (q ⁿ ) of k, H ^{<< n (1)} , ..., H ^{<< n (t-1)} . For example, when GF (q ⁿ ) is an n-bit bit string set {0, 1} ⁿ , the arithmetic unit 14 sets the bit string R = k (+) H ^{<< n (1)} (+) (+ ) H ^{<< n (t-1)} ε {0,1} ⁿ is obtained, and the bit string R is output (step S14).

  The output unit 15 outputs the column R obtained by the calculation unit 14 (step S15).

<Features of this embodiment>
In this embodiment, the left shift operation in steps 3 and 4 (FIGS. 8C and 9) of the conventional algorithm 3 and the operation (for example, exclusive OR operation) on GF (q ⁿ ) are performed in step S13 (FIG. 2B). ) Since the shift operation and the addition / subtraction (for example, exclusive OR operation) on GF (q ⁿ ) are commutative, the result obtained even if the order of these operations is changed is the same, and the sequence obtained in step S14 R is a coefficient sequence of r (x) mod f (x). Therefore, in this embodiment, the reduction calculation can be performed more efficiently and at a higher speed than in the past.

[Second Embodiment]
This embodiment is a modification of the first embodiment, and improves the calculation efficiency using a table in which precalculated values are stored. Further, in this embodiment, the pre-calculation target is devised to reduce the necessary table size. In the following description, the same reference numerals are used for the same parts as those already described, and the description is omitted.

<Configuration>
As illustrated in FIG. 1A, the contracting device 2 according to the second embodiment includes an input unit 11, a division unit 12, calculation units 23 and 14 (first and second calculation units), an output unit 15, a control unit 16, and storage. Unit 17 and table storage unit 28. The contracting device 2 is a special device configured by, for example, reading a predetermined program into a known or dedicated computer. The contracting device 2 performs each process under the control of the control unit 16. Data input to the input unit 11 and data obtained in each process are stored in the storage unit 17 one by one. The data stored in the storage unit 17 is read out as necessary, input to each unit, and used for each process.

[Table storage unit 28]
The table storage unit 28 selects γ ^{>> n−n (t−1} ) for q ⁿ types of columns γ∈GF (q ⁿ ) including ⁿ elements γ _n−1 ,..., Γ ₀ ∈GF (q). ^{) For} each of the q ^{n (t−1)} types of columns obtained by: γ = γ ^{>> n−n (2)} +... + Γ ^{>> n−n (t−1)} ∈GF (q ⁿ ) is stored. For example, when GF (q ⁿ ) is an n-bit bit string set {0, 1} ⁿ , the table storage unit 28 has n bits γ _n−1 ,..., Γ ₀ ε {0, 1 } For each of 2 ^{n (t−1)} types of bit sequences obtained by γ ^{>> n−n (t−1)} for 2 ⁿ types of bit sequences γ∈ {0, 1} ⁿ . γ ^{>> n−n (2)} +... + γ ^{>> n−n (t−1)} ε {0, 1} A table in which ⁿ is associated is stored.

γ ^{>> n−n (i)} is composed of 0,..., 0, γ _n−1 ,..., γ _{n−n (i)} , and γ ^{>> n−n (t−1)} is 0 ^,. .., 0, γ _n−1 ,..., Γ _{n−n (t−1)} . Column ^{Γ = γ »n-n (2} ) + ··· + γ »n-n (t-1) ^{is, q n (t-1)} column type _{γ n-1, ···, γ} n-n Depending on _(t-1) only, there are only q ^{n (t-1)} types of columns Γ. The table stored in the table storage unit 28 includes these q ^{n (t−1)} types of columns γ _n−1 ,..., Γ _{n−n (t−1)} and the corresponding column Γ. It is a correspondence. Here, since n / 2> n (t−1), the size of the table stored in the table storage unit 28 is a table for q ⁿ types of columns consisting of the original combinations of n GF (q). Small compared to the size of

<Method>
As illustrated in FIG. 1B, first, steps S11 and S12 described in the first embodiment are executed.

Next, the column h is input to the calculation unit 23. The calculation unit 23 refers to the table storage unit 28, and corresponds to the column h ^{>> n−n (2)} +... + H ^{>> n−n (t )} corresponding to the column obtained by h ^{>> n−n (t−1)} . ⁻¹⁾ εGF (q ⁿ ) (that is, a sequence h ^{>> n−n (2)} +... + H ^{>> n −n (t−1)} corresponding to h ^{>> n −n (t−1)} ) is obtained. . In other words, the arithmetic unit 23 ^{obtains a} sequence h ^{>> n−n (2)} +... + H ^{>> n−n (t−1)} from the ^input h, and a sequence h ^{>> n−n (2)} +. A sequence Γ = γ ^{>> nn− (2)} +... + Γ ^{>> n−n (t−1)} corresponding to + h ^{>> n −n (t−1)} , a column γ _n−1 corresponding to ^{n−n (t−1),.} ..., [Gamma] _{n-n (t-1)} is extracted from the table and ^obtained as h ^{>> n-n (2)} +... + H ^{>> n-n (t-1)} . Further, the calculation unit 23 uses the obtained h ^{>> n−n (2)} +... + H ^{>> n−n (t−1)} to obtain a sequence H = h + (h ^{>> n−n (2)} +. + H ^{>> n−n (t−1)} ) εGF (q ⁿ ) is obtained, and the column H is output (step S23).

  Thereafter, steps S14 and S15 described in the first embodiment are executed.

<Features of this embodiment>
In the present embodiment, a small-size table is used in which q ^{n (t−1)} types of columns γ _n−1 ,..., Γ _{n−n (t−1)} are associated with columns Γ corresponding thereto. , column ^{h »n-n} (2) corresponding to the column ^{h + ··· + h »n-n} (t-1) to extract, extraction column ^{h »n-n (2) +} ··· + h » ^The column H = h + (h ^{>> n−n (2)} +... + h ^{>> n−n (t−1)} ) is calculated using ^{n−n (t−1)} . Thereby, the calculation efficiency can be further improved without using a large-sized table.

[Third Embodiment]
This embodiment is a modification of the first and second embodiments. Polynomial _{r (x) = (h n} -1 × x n-1 + ··· + h 0 × x 0) × x n + (k n-1 × x n-1 + ··· + k 0 × x 0) Is known to be less than 2n−1 (ie, h _n−1 =... = H _nc = 0, c is an integer 1 ≦ c ≦ n), The size of the table stored in the table storage unit can be further reduced. For example, there is a case where the polynomial r (x) is a multiplication result of n-1 order polynomials.

<Configuration>
As illustrated in FIG. 1A, the contracting device 3 according to the third embodiment includes an input unit 11, a division unit 12, calculation units 33 and 14 (first and second calculation units), an output unit 15, a control unit 16, and storage. Unit 17 and table storage unit 38. The contracting device 3 is a special device configured by, for example, reading a predetermined program into a known or dedicated computer. The contracting device 3 performs each process under the control of the control unit 16. Data input to the input unit 11 and data obtained in each process are stored in the storage unit 17 one by one. The data stored in the storage unit 17 is read out as necessary, input to each unit, and used for each process.

[Table storage unit 38]
The table storage unit 38 selects γ ^{>> n−n (t} for q nc types of columns γ∈GF (q ⁿ ) composed of ⁿ elements γ _n−1 ,..., Γ ₀ ∈GF (q). ^-1) for each of the q ^{n (t-1) -c} types of columns obtained, the corresponding column Γ = γ ^{>> n−n (2)} +... + Γ ^{>> n−n (t−1)} A table in which εGF (q ⁿ ) is associated is stored. However, γ _n−1 =... = Γ _n−c = 0 and h _n−1 =... = H _n−c = 0. C is an integer of 1 ≦ c ≦ n, for example, c = 1.

γ ^{>> n−n (i)} is composed of 0,..., 0, γ _n−1 ,..., γ _{n−n (i)} , and γ ^{>> n−n (t−1)} is 0 ^,. .., 0, γ _n−1 ,..., Γ _{n−n (t−1)} . However, in the present embodiment, h _n−1 =... = H _n−c = 0, so that γ _n−1 =... = Γ _n−c = 0. In this case, the sequence Γ = γ ^{>> n−n (2)} +... + Γ ^{>> n−n (t−1)} is the sequence of q ^{n (t−1) −c} types of columns γ _n−c−1 ^,. .., Depends only on [gamma] _{n-n (t-1),} and there are only ^{qn (t-1) -c} types of columns [Gamma]. The table stored in the table storage unit 38 corresponds to each of these q ^{n (t-1) -c} types of columns γ _n−c−1 ,..., Γ _{n−n (t−1).} This is associated with the column Γ. The size of this table is smaller than that of the second embodiment.

<Method>
As illustrated in FIG. 1B, first, steps S11 and S12 described in the first embodiment are executed.

Next, the column h is input to the calculation unit 33. The computing unit 33 refers to the table storage unit 38, and corresponds to the column h ^{>> n−n (2)} +... + H ^{>> n−n (t )} corresponding to the column obtained by h ^{>> n−n (t−1)} . ⁻¹⁾ εGF (q ⁿ ) (that is, a sequence h ^{>> n−n (2)} +... + H ^{>> n −n (t−1)} corresponding to h ^{>> n −n (t−1)} ) is obtained. . In other words, the calculation unit 33 ^{obtains a} sequence h ^{>> n−n (2)} +... + H ^{>> n−n (t−1)} from the ^input h, and a sequence h ^{>> n−n (2)} +. A sequence Γ = γ ^{>> nn− (2)} +... + Γ ^{>> n−n (t−1)} corresponding to + h ^{>> n −n (t−1)} , a column γ _n−1 corresponding to ^{n−n (t−1),.} ..., [Gamma] _{n-n (t-1)} is extracted from the table and ^obtained as h ^{>> n-n (2)} +... + H ^{>> n-n (t-1)} . Further, the calculation unit 33 uses the obtained h ^{>> n−n (2)} +... + H ^{>> n−n (t−1)} to obtain H = h + (h ^{>> n−n (2)} +. + H ^{>> n−n (t−1)} ) ∈GF (q ⁿ ) is obtained, and the column H is output (step S23).

  Thereafter, steps S14 and S15 described in the first embodiment are executed.

<Features of this embodiment>
As described above, the polynomial r (x) = (h _n−1 × x ⁿ⁻¹ +... + H ₀ × x ⁰ ) × x ⁿ + (k _n−1 × x ⁿ⁻¹ +... + K _When it is known that the order of ( ₀ × x ⁰ ) is less than 2n−1, the size of the table stored in the table storage unit 38 can be further reduced.

[Fourth Embodiment]
This embodiment is a modification of the first embodiment, in which the order of addition and shift operation on the extension field GF (q ⁿ ) is changed. That is, without calculating the column H = h + (h ^{>> n−n (2)} +... + H ^{>> n−n (t−1)} ) ∈GF (q ⁿ ) in step S13, the column k and the column h ^{<< n (1)} + ... + h ^{<< n (t-1)} εGF (qn) for h and the sequence h '= h ^{>> n-n (2)} + ... + h ^{>> n-n (T−1)} η = h ′ ^{<< n (1)} +... + H ′ ^{<< n (t−1)} ∈GF (q ⁿ ) for ∈GF (q ⁿ ), R = k + h ^{<< n ( 1)} + ... + h ^{<< n (t-1)} + η∈GF (q ⁿ ) is obtained.

<Configuration>
As illustrated in FIG. 3A, the contracting device 4 according to the fourth embodiment includes an input unit 11, a dividing unit 12, a calculation unit 44, an output unit 15, a control unit 16, and a storage unit 17. The contracting device 4 is a special device configured by, for example, reading a predetermined program into a known or dedicated computer. The contracting device 4 performs each process under the control of the control unit 16. Data input to the input unit 11 and data obtained in each process are stored in the storage unit 17 one by one. The data stored in the storage unit 17 is read out as necessary, input to each unit, and used for each process.

<Method>
As illustrated in FIG. 3B, first, steps S11 and S12 described in the first embodiment are executed.

Next, the columns h and k are input to the calculation unit 44. The calculation unit 44 obtains a sequence h ′ = h ^{>> n−n (2)} +... + H ^{>> n−n (t−1)} ∈GF (q ⁿ ), and obtains a sequence η = h ′ ^{<< n (1).} + ... + h ′ ^{<< n (t−1)} ∈GF (q ⁿ ), and the sequence R = k + h ^{<< n (1)} +... + H ^{<< n (t−1)} + η∈GF (q ⁿ ) And output the column R (step S44).

  Thereafter, S15 described in the first embodiment is executed.

<Features of this embodiment>
Since the shift operation and the addition / subtraction on GF (q ⁿ ) are commutative, the coefficient sequence R of r (x) mod f (x) can also be obtained by the method of this embodiment. Depending on the environment, the first embodiment The reduction operation can be performed more efficiently and faster than the above method.

[Modification 1 of Fourth Embodiment]
In the modification 1 of 4th Embodiment, the calculation efficiency is improved using the table in which the precomputed value was stored in 4th Embodiment.

<Configuration>
As illustrated in FIG. 3A, the contracting device 4 ′ of Modification 1 of the fourth embodiment includes an input unit 11, a division unit 12, a calculation unit 44 ′, an output unit 15, a control unit 16, a storage unit 17, and It has a table storage unit 48 '.

[Table storage unit 48 ']
The table storage unit 48 ′ stores γ ^{>> n−n (t−} ) for q ⁿ types of columns γεGF (q ⁿ ) including ⁿ elements γ _n−1 ,..., Γ ₀ εGF (q). ^{For each of the} q ^{n (t−1)} types of columns obtained by ¹⁾ , the corresponding sequence Γ ′ = γ ′ ^{<< n (1)} +... + Γ ′ ^{<< n (t−1)} ∈GF (q ⁿ ) is stored. However, a ^{γ '= γ »n-n (} 2) + ··· + γ »n-n (t-1) ∈GF (q n).

<Method>
As illustrated in FIG. 3B, first, steps S11 and S12 described in the first embodiment are executed.

Next, the column h is input to the calculation unit 44 ′. The computing unit 44 ′ refers to the table storage unit 48 ′, and η = h ′ ^{<< n (1)} +... + H ′ ^{<< n (} corresponding to the column obtained by h ^{>> n−n (t−1)} . ^t−1) εGF (q ⁿ ) (ie, column η corresponding to h ^{>> n−n (t−1)} ) is extracted. However, h ′ = h ^{>> n−n (2)} +... + H ^{>> n−n (t−1)} εGF (q ⁿ ). The column k is further input to the calculation unit 44 ′, and the calculation unit 44 ′ uses the columns k, h, and η to calculate the column R = k + h ^{<< n (1)} +... + H ^{<< n (t−1)} + η ΕGF (q ⁿ ) is obtained, and the column R is output (step S44 ′).

  Thereafter, S15 described in the first embodiment is executed.

<Features of this embodiment>
In this embodiment, for each of the q ^{n (t−1)} types of columns, the corresponding column Γ ′ = γ ′ ^{<< n (1)} +... + Γ ′ ^{<< n (t−1)} ∈GF (q ⁿ ) Can be used to perform the reduction operation more efficiently and at high speed.

[Modification 2 of the fourth embodiment]
Polynomial _{r (x) = (h n} -1 × x n-1 + ··· + h 0 × x 0) × x n + (k n-1 × x n-1 + ··· + k 0 × x 0) Is known to be less than 2n−1 (ie, h _n−1 =... = H _nc = 0, c is an integer 1 ≦ c ≦ n), The size of the table stored in the table storage unit can be further reduced.

<Configuration>
As illustrated in FIG. 3A, the contracting device 4 ″ according to the second modification of the fourth embodiment includes an input unit 11, a dividing unit 12, a calculation unit 44 ″, an output unit 15, a control unit 16, and a storage unit 17. And a table storage unit 48 ″.

[Table storage section 48 '']
Table storage unit 48 '' is, n number of elements γ _n-1, ···, consisting ^{_{γ 0 ∈GF (q) q n}} -c column type γ∈GF ^{(q n)} for ^{γ »n-n For each of the} q ^{n (t−1) -c} types of columns obtained by ^(t−1) , the corresponding column Γ ′ = γ ′ ^{<< n (1)} +... + Γ ′ ^{<< n (t−1 )} Store a table in which εGF (q ⁿ ) is associated. However, a ^{γ '= γ »n-n (} 2) + ··· + γ »n-n (t-1) ∈GF (q n), h n-1 = ··· = h n-c = 0, and γ _n−1 =... = Γ _n−c = 0. c is an integer of 1 ≦ c ≦ n, and an example of c is c = 1.

<Method>
As illustrated in FIG. 3B, first, steps S11 and S12 described in the first embodiment are executed.

Next, the column h is input to the calculation unit 44 ''. The computing unit 44 ″ refers to the table storage unit 48 ″, and the column η = h ′ ^{<< n (1)} +... + H ′ corresponding to the column obtained by h ^{>> n−n (t−1)} . ^{<< n (t-1)} εGF (q ⁿ ) (that is, column η corresponding to h ^{>> n−n (t−1)} ) is extracted. However, h ′ = h ^{>> n−n (2)} +... + H ^{>> n−n (t−1)} εGF (q ⁿ ). The column k is further input to the calculation unit 44 ″, and the calculation unit 44 ″ uses the columns k, h, and η to calculate the column R = k + h ^{<< n (1)} +... + H ^{<< n (t−1 )} + Η∈GF (q ⁿ ) is obtained, and the column R is output (step S44 ″).

  Thereafter, S15 described in the first embodiment is executed.

<Features of this embodiment>
As described above, the polynomial r (x) = (h _n−1 × x ⁿ⁻¹ +... + H ₀ × x ⁰ ) × x ⁿ + (k _n−1 × x ⁿ⁻¹ +... + K If it is known that the order of ( ₀ × x ⁰ ) is less than 2n−1, the size of the table stored in the table storage unit 48 ″ can be further reduced.

[Fifth Embodiment]
This embodiment is a modification of the fourth embodiment. h _n-1 = 0, q = 2, t = 5, n (4) = 4, n (3) = 3, n (2) = 1, n (1) = 0 (for example, f ₀ (x) = In the case of x ⁴ + x ³ + x + 1), the sequence η = h ′ ^{<< n (1)} +... + h ′ ^{<< n (t−1)} ∈GF (q ⁿ ) described in the fourth embodiment (where h ′ = h ^{>> n−n (2)} +... + h ^{>> n−n (t−1)} εGF (q ⁿ )) can be efficiently calculated. Note that when q = 2, f ₀ (x) = x ⁴ + x ³ + x + 1, n = 8, 64, 320, f (x) = x ⁿ −f ₀ (x) is an irreducible polynomial.

That is, when n (4) = 4, n (3) = 3, n (2) = 1, and n (1) = 0, the column η can be modified as follows.
η = h ′ + h ′ ^{<< 1} + h '^{<< 3} + h'^{<< 4} ∈GF (q ⁿ )
= (H '+ h'^{<< 1} ) + (h '+ h'^<< 1) ^{<< 3} (1)
Therefore, the amount of calculation can be reduced by calculating (h ′ + h ′ ^{<< 1} ) as an intermediate value and calculating the column η using the intermediate value.

Furthermore, in this embodiment, h _n−1 = 0 and the fact that all the elements in the sequence h ^>> _n−1 are 0 is used to efficiently calculate the intermediate value (h ′ + h ′ ^{<< 1} ). That is, in the case of the conditions of this embodiment, the column h ′ can be modified as follows.
h ′ = h ^{>> n−1} + h ^{>> n−3} + h ^{>> n −} 4∈GF (q ⁿ )
= H ^{>> n-3} + h ^{>> n-4}

Therefore, (h ′ + h ′ ^{<< 1} ) ∈GF (q ⁿ ) can be transformed as follows.
(H ′ + h ′ ^{<< 1} ) ∈GF (q ⁿ )
= (H ^{>> n-3} + h ^{>> n-4} ) + (h ^{>> n-3} + h ^{>> n-4} ) ^{<< 1}
= (H ^{>> n-4} ) ^<< 1+ (h ^{>> n-4} + (h ^{>> n-3} ) ^{<< 1} ) + h ^{>> n-3
= (H »n-4) «1} + t 0 + h »n-3 ... (2)
However, the column t ₀ εGF (q ⁿ ) is a column composed of ⁿ elements 0,..., 0, ε ₀ εGF (q), and h ^>> n ^-4 is n ^elements ε _{n. −1} ,..., Ε ₀ εGF (q).

Note that it can be easily confirmed that t ₀ = (h ^{>> n−4} + (h ^{>> n−3} ) ^{<< 1} ) when q = 2. For example, in the case of n = 64, if the column h = (a ₆₃ , a ₆₂ , a ₆₁ , a ₆₀ , a ₅₉ ,..., A ₀ ), the following holds.
_{^{h »n-4 = (0,}} ···, 0, a 63, a 62, a 61, a 60)
h ^{>> n−3} = (0,..., 0, a ₆₃ , a ₆₂ , a ₆₁ )
^{(H »n-3) «1 =} (0, ···, 0, a 63, a 62, a 61, 0)
^{_{t 0 = (h »n-4}} + (h »n-3) «1) = (0, ···, 0, a 60) ∈GF (2 n)

As described above, the column η can be efficiently obtained by calculating the intermediate value (h ′ + h ′ ^<< 1) using the equation (2) and calculating the equation (1) using the intermediate value.

<Configuration>
As illustrated in FIG. 1A, the contracting device 5 of the fifth embodiment includes an input unit 11, a dividing unit 12, a calculation unit 53 (second to fourth calculation units), a calculation unit 54 (first calculation unit), and an output. Unit 15, control unit 16, and storage unit 17. The contracting device 5 is a special device configured by, for example, reading a predetermined program into a known or dedicated computer. The contracting device 5 performs each process under the control of the control unit 16.

<Method>
As illustrated in FIG. 4, first, steps S11 and S12 described in the first embodiment are executed.

The column h is input to the calculation unit 53. The computing unit 53 obtains a sequence t ₁ = h ^{>> n −} 4εGF (q ⁿ ) and outputs a sequence t ₁ . However, h _n−1 = 0, t = 5, n (4) = 4, n (3) = 3, n (2) = 1, and n (1) = 0 (step S53−) 1).

Columns t ₁ and h are input to the calculation unit 53. The calculation unit 53 obtains a sequence t ₂ = t ₁ ^<< ₁ + t ₀ + h ^{>> n −} 3εGF (q ⁿ ), and outputs a sequence t ₂ . However, t ₁ is composed of _n elements ε _n−1 ,..., Ε ₀ εGF (q), and n elements 0,..., 0, ε ₀ εGF (q) Is t ₀ εGF (q ⁿ ). For example, when the extension field GF (q ⁿ ) is a set of bit strings {0, 1} ⁿ , t ₀ = t ₁ & (0,..., 0, 1) ∈ {0, 1} ⁿ is satisfied ( Step S53-2).

The column t ₂ is input to the calculation unit 53. The computing unit 53 obtains the sequence η = t ₂ + t ₂ ^{<< 3} εGF (q ⁿ ), and outputs the sequence η (step S53-3).

The arithmetic unit 54 receives the columns k, η, and h. The calculation unit 54 obtains a column R = k + h ^{<< n (1)} +... + H ^{<< n (t−1)} + η∈GF (q ⁿ ) using these, and outputs the column R (step S54).

  Thereafter, S15 described in the first embodiment is executed.

<Features of this embodiment>
In this embodiment, the amount of calculation can be reduced by calculating the intermediate value (h ′ + h ′ ^<< 1) using the equation (2) and calculating the equation (1) using the intermediate value.

[Modification of Fifth Embodiment]
When t = 5, n (4) = 4, n (3) = 3, n (2) = 1, and n (1) = 0, the column η can be transformed as follows.
η = h ′ + h ′ ^{<< 1} + h '^{<< 3} + h'^{<< 4} ∈GF (q ⁿ )
= (H '+ h'^{<< 1} ) + (h '+ h'^<< 1) ^{<< 3} (1)
= (H '+ h'^{<< 3} ) + (h '+ h'^<< 3) ^<< 1 (3)

Therefore, the calculation unit 53 calculates h ′ = h ^{>> n−1} + h ^{>> n−3} + h ^{>> n −} 4∈GF (q ⁿ ) instead of steps S53-1 and S53-2, and t ₂ ′. = H ′ + h ′ ^<< 1∈GF (q ⁿ ) or t ₂ ″ = h ′ + h ′ ^{<< 3} ∈GF (q ⁿ ) is calculated, and η = t ₂ ′ + t ₂ ′ instead of S53-3 ^<< 3εGF (q ⁿ ) or η = t ₂ ″ + t ₂ ″ ^{<< 1} may be calculated.

[Sixth Embodiment]
This embodiment is a modification of the fourth and fifth embodiments. When t = 5, n (4) = 4, n (3) = 3, n (2) = 1, n (1) = 0 (for example, f ₀ (x) = x ⁴ + x ³ + x + 1), The sequence ρ = h ^{<< n (1)} +... + H ^{<< n (t−1)} ∈GF (q ⁿ ) can be efficiently calculated.

That is, when t = 5, n (4) = 4, n (3) = 3, n (2) = 1, and n (1) = 0, the column ρ can be transformed as follows.
ρ = h + h ^{<< 1} + h ^{<< 3} + h ^{<< 4} ∈GF (q ⁿ )
= (H + h ^{<< 1} ) + (h + h ^{<< 1} ) ^{<< 3} (4)
= (H + h ^{<< 3} ) + (h + h ^{<< 3} ) ^<< 1 (5)
Therefore, by calculating (h + h ^{<< 1} ) or (h + h ^{<< 3} ) as an intermediate value and calculating the expression (4) or (5) using the intermediate value, the amount of calculation can be reduced.

<Configuration>
As illustrated in FIG. 1A, the contracting device 6 of the sixth embodiment includes an input unit 11, a dividing unit 12, a calculation unit 63 (fifth and sixth calculation units), a calculation unit 64 (first calculation unit), and an output. Unit 15, control unit 16, and storage unit 17. The contracting device 6 is a special device configured by, for example, reading a predetermined program into a known or dedicated computer. The contracting device 6 performs each process under the control of the control unit 16.

<Method>
As illustrated in FIG. 5, first, steps S11 and S12 described in the first embodiment are executed.

Next, the column h is input to the calculation unit 63. The calculation unit 63 obtains the sequence η = h ′ ^{<< n (1)} +... + H ′ ^{<< n (t−1)} εGF (q ⁿ ), and outputs the column η. However, h ′ = h ^{>> n−n (2)} +... + H ^{>> n−n (t−1)} ∈GF (q ⁿ ), t = 5, and n (4) = 4, n (3) = 3, n (2) = 1, n (1) = 0. There is no limitation on the method of calculating the column η. For example, the calculation unit 63 obtains the sequence h ′ = h ^{>> n−1} + h ^{>> n−3} + h ^{>> n −} 4∈GF (q ⁿ ), and then obtains the sequence η = h ′ + h ′ ^{<< 1} + h ′ ^{<< 3} + h. '^<< 4εGF (q ⁿ ) may be obtained, or the sequence η may be obtained by the method described in the fifth embodiment (step S63-1).

The computing unit 63 obtains the column t ₃ = h + h ^{<< 1} εGF (q ⁿ ) or the column t ₄ = h + h ^{<< 3} εGF (q ⁿ ), and outputs the column t ₃ or the column t ₄ (Step S63-2). ).

Column t ₃ or column t ₄ is input to calculation unit 63. The calculation unit 63 obtains a sequence ρ = t ₃ + t ₃ ^<< ₃ ^∈GF (q ⁿ ) or a sequence ρ = t ₄ + t ₄ ^{<< 1} ∈GF (q ⁿ ), and outputs the sequence ρ (step S63-3). .

The columns k, η, and ρ are input to the calculation unit 64. The calculation unit 64 obtains a column R using the column η as h ′ + h ′ ^{<< 1} + h ′ ^{<< 3} + h ′ ^{<< 4} and the column ρ as h + h ^{<< 1} + h ^{<< 3} + h ^{<< 4} ∈GF (q ⁿ ), Output column R. That is, the calculation unit 64 obtains a column R = k + ρ + ηεGF (q ⁿ ) and outputs the column R (step S64).

  Thereafter, S15 described in the first embodiment is executed.

<Features of this embodiment>
In the present embodiment, the amount of calculation can be reduced by calculating (h + h ^{<< 1} ) or (h + h ^{<< 3} ) as an intermediate value and calculating the expression (4) or (5) using the intermediate value.

[Seventh Embodiment]
This embodiment is a modification of the fourth to sixth embodiments. When t = 5, n (4) = 4, n (3) = 3, n (2) = 1, n (1) = 0 (for example, f ₀ (x) = x ⁴ + x ³ + x + 1), Column σ = (h ^{<< n (1)} + ... + h ^{<< n (t-1)} ) + (h '^{<< n (1)} + ... + h'^{<< n (t-1)} ) ∈GF (q ⁿ ) may be calculated efficiently.

That is, when t = 5, n (4) = 4, n (3) = 3, n (2) = 1, and n (1) = 0, the column σ can be transformed as follows.
σ = (h + h ^{<< 1} + h ^{<< 3} + h ^{<< 4} )
+ (H ′ + h ′ ^{<< 1} + h '^{<< 3} + h'^{<< 4} ) ∈GF (q ⁿ )
= {(H + h ') + (h + h') ^{<< 1} }
+ {(H + h ′) + (h + h ′) ^{<< 1} } ^{<< 3} (6)
= {(H + h ') + (h + h') ^{<< 3} }
+ {(H + h ') + (h + h') ^{<< 3} } ^<< 1 (7)
Therefore, (h + h ′) is calculated as the first intermediate value, and {(h + h ′) + (h + h ′) ^{<< 1} } or {(h + h ′) + (h + h ′) ^{<< 3} } is calculated using the first intermediate value. The calculation amount may be reduced by calculating as the second intermediate value and calculating Expression (6) or Expression (7) using the second intermediate value.

<Configuration>
As illustrated in FIG. 1A, the contracting device 7 of the seventh embodiment includes an input unit 11, a dividing unit 12, a calculation unit 73 (second to fourth calculation units), a calculation unit 74 (first calculation unit), and an output. Unit 15, control unit 16, and storage unit 17. The contracting device 7 is a special device configured by, for example, reading a predetermined program into a known or dedicated computer. The contracting device 7 performs each process under the control of the control unit 16.

<Method>
As illustrated in FIG. 6, first, steps S11 and S12 described in the first embodiment are executed.

Next, the column h is input to the calculation unit 73. The calculation unit 73 ^obtains h ′ = h ^{>> n−n (2)} +... + H ^{>> n−n (t−1)} εGF (q ⁿ ), and outputs a sequence h ′. However, t = 5, n (4) = 4, n (3) = 3, n (2) = 1, and n (1) = 0 (step S73-1).

The columns h and h ′ are input to the calculation unit 73. The calculation unit 73 obtains the sequence ν = h + h′εGF (q ⁿ ) and outputs the sequence ν (step S73-2).

The column ν is input to the calculation unit 73. The computing unit 73 obtains the sequence υ = ν + ν ^<< 1εGF (q ⁿ ) or the sequence ι = ν + ν ^<< 3εGF (q ⁿ ), and outputs the sequence υ or ι (step S73-3).

The column υ or ι is input to the calculation unit 73. The computing unit 73 obtains the sequence σ = υ + υ ^<< 3εGF (q ⁿ ) or the sequence σ = ι + ι ^<< 1εGF (q ⁿ ), and outputs the sequence σ (step S73-4).

The columns k and σ are input to the calculation unit 74. The calculation unit 74 ^obtains a column R = k + σεGF (q ⁿ ) using the column σ as h ^{<< n (1)} +... + H ^{<< n (t−1)} + ηεGF (q ⁿ ), R is output (step S74).

  Thereafter, S15 described in the first embodiment is executed.

<Features of this embodiment>
In this embodiment, (h + h ′) is calculated as the first intermediate value, and {(h + h ′) + (h + h ′) ^{<< 1} } or {(h + h ′) + (h + h ′) ^{<< 3} using the first intermediate value. } As the second intermediate value, and calculating the formula (6) or the formula (7) using the second intermediate value may reduce the amount of calculation.

[Eighth Embodiment]
When t = 5, n (4) = 7, n (3) = 2, n (2) = 1, and n (1) = 0, that is, f ₀ (x) is f ₀ (x) = x ⁷ When + x ² + x + 1 and h _n−1 = 0, the calculation can be made efficient as follows. When q = 2 and n = 128, 192, f (x) = x ⁿ −f ₀ (x) is an irreducible polynomial.

That is, when h _n-1 = 0, n (4) = 7, n (3) = 2, n (2) = 1, and n (1) = 0, the column H can be modified as follows. Since h _n-1 = 0 and all the elements in the column h ^>> _n−1 are 0, the column H can be modified as follows.
H = h + h ^{>> n−1} + h ^{>> n−2} + h ^{>> n −} 7∈GF (q ⁿ )
= H + h ^{>> n-1} + h ^{>> n-2} + h ^{>> n-7}
= H + h ^{>> n-2} + h ^{>> n-7}
Thus, column R can be calculated as follows:
R = k + H + H ^{<< 1} + H ^<< 2 + H ^<< 7 ∈GF (q ⁿ )

  As illustrated in FIG. 1A, the reduction device 8 of the eighth embodiment includes an input unit 11, a dividing unit 12, a calculation unit 83 (first calculation unit), a calculation unit 14 (second calculation unit), and an output unit 15. A control unit 16 and a storage unit 17. The contracting device 8 is a special device configured by, for example, reading a predetermined program into a known or dedicated computer. The contracting device 8 performs each process under the control of the control unit 16.

<Method>
As illustrated in FIG. 7, first, steps S11 and S12 described in the first embodiment are executed.

Next, the column h is input to the calculation unit 83. The calculation unit 83 obtains the column H = h + h ^{>> n−7} + h ^{>> n −} 2εGF (q ⁿ ), and outputs the column H (step S83).

  Thereafter, S14 and S15 described in the first embodiment are executed.

<Features of this embodiment>
In this embodiment, when h _n−1 = 0, n (4) = 7, n (3) = 2, n (2) = 1, and n (1) = 0, H = h + h ^{>> n−2.} Since the column H is obtained by + h ^{>> n−7} , the calculation amount can be reduced.

[Other variations, etc.]
The present invention is not limited to the embodiment described above. For example, the various processes described above are not only executed in time series according to the description, but may also be executed in parallel or individually as required by the processing capability of the apparatus that executes the processes. Needless to say, other modifications are possible without departing from the spirit of the present invention.

  When the above configuration is realized by a computer, the processing contents of the functions that each device should have are described by a program. By executing this program on a computer, the above processing functions are realized on the computer. The program describing the processing contents can be recorded on a computer-readable recording medium. An example of a computer-readable recording medium is a non-transitory recording medium. Examples of such a recording medium are a magnetic recording device, an optical disk, a magneto-optical recording medium, a semiconductor memory, and the like.

  This program is distributed, for example, by selling, transferring, or lending a portable recording medium such as a DVD or CD-ROM in which the program is recorded. Furthermore, the program may be distributed by storing the program in a storage device of the server computer and transferring the program from the server computer to another computer via a network.

  A computer that executes such a program first stores, for example, a program recorded on a portable recording medium or a program transferred from a server computer in its own storage device. When executing the process, this computer reads a program stored in its own recording device and executes a process according to the read program. As another execution form of the program, the computer may read the program directly from the portable recording medium and execute processing according to the program, and each time the program is transferred from the server computer to the computer. The processing according to the received program may be executed sequentially. The above-described processing may be executed by a so-called ASP (Application Service Provider) type service that realizes a processing function only by an execution instruction and result acquisition without transferring a program from the server computer to the computer. Good.

  In the above embodiment, the processing functions of the apparatus are realized by executing a predetermined program on a computer. However, at least a part of these processing functions may be realized by hardware.

Reduction device 1-8

Claims (15)

A reduction device for calculating r (x) mod f (x),
q is an integer of 2 or more, n is an integer of 3 or more, t is an integer of 3 ≦ t , GF (q) is a finite field of order q, and GF (q ⁿ ) is a finite field N-th extension of GF (q), x is an indefinite element, and n, t and n (t−1),..., N (1) are n / 2> n (t−1)>...> n (1) = 0, an integer satisfying f ₀ (x) is a polynomial f ₀ (x) = x ^{n (t-1)} +... + X ^{n (1)} , and f ( x) = x ⁿ −f ₀ (x), and α ^>> j is a right j shift operation on a sequence α∈GF (q ⁿ ) consisting of elements of n finite fields GF (q), and α ^<< j Is a left j shift operation on a sequence α∈GF (q ⁿ ) consisting of elements of n finite fields GF (q),
Polynomial _{r (x) = (h n} -1 × x n-1 + ··· + h 0 × x 0) × x n + (k n-1 × x n-1 + ··· + k 0 × x 0) relative, n elements _h n-1, ···, column consists _{h 0 ∈GF (q) h∈GF (} q n) and n elements _{k n-1, ···, k} 0 A dividing unit for obtaining a sequence kεGF (q ⁿ ) composed of εGF (q);
H = h + h ^{>> n−n (2)} +... + H ^{>> n−n (t−1)} ∈GF (q ⁿ )
A second operation unit that obtains R = k + H ^{<< n (1)} +... + H ^{<< n (t-1)} ∈GF (q ⁿ );
A reduction device having The contracting device of claim 1, comprising:
q ⁿ obtained by γ ^{>> n−n (t−1)} for q ⁿ types of columns γεGF (q ⁿ ) consisting of ⁿ elements γ _n−1 ,..., γ ₀ εGF (q) ^(T-1) Corresponding columns Γ = γ ^{>> n−n (2)} +... + Γ ^{>> n−n (t−1)} εGF (q ⁿ ) are associated with each of the types of columns. A table storage unit storing the table;
The first calculation unit refers to the table storage unit, and h ^{>> n −n (2)} +... + H ^{>> n−n (} corresponding to a column obtained by h ^{>> n−n (t−1)} . ^{t-1) A} reduction device that obtains εGF (q ⁿ ) and obtains H using the obtained h ^{>> n−n (2)} +... + h ^{>> n−n (t−1)} . The contracting device of claim 1, comprising:
c is an integer of 1 ≦ c ≦ n, h _n−1 =... = h _n−c = 0,
γ _n−1 =... = γ _n−c = 0, and q ^n−c types of columns γεGF consisting of ⁿ elements γ _n−1 ,..., γ ₀ εGF (q) For each of the q ^{n (t−1) -c} types of columns obtained by γ ^{>> n−n (t−1} ) for (q ⁿ ), the corresponding column Γ = γ ^{>> n−n (2)} +. A table storage unit that stores a table in which + γ ^{>> n−n (t−1)} εGF (q ⁿ ) is associated;
The first calculation unit refers to the table storage unit, and h ^{>> n −n (2)} +... + H ^{>> n−n (} corresponding to a column obtained by h ^{>> n−n (t−1)} . ^{t-1) A} reduction device that obtains εGF (q ⁿ ) and obtains H using the obtained h ^{>> n−n (2)} +... + h ^{>> n−n (t−1)} . A reduction device for calculating r (x) mod f (x),
q is an integer of 2 or more, n is an integer of 3 or more, t is an integer of 3 ≦ t , GF (q) is a finite field of order q, and GF (q ⁿ ) is a finite field N-order extension of GF (q), x is an indefinite element, n, t, and n (t−1),..., N (1) are n / 2> n (t−1) >...> is an integer satisfying n (1) = 0, f ₀ (x) is a polynomial f ₀ (x) = x ^{n (t−1)} +... + X ^{n (1)} , and f (X) = x ⁿ −f ₀ (x), and α ^>> j is a right j shift operation on a sequence α∈GF (q ⁿ ) consisting of elements of n finite fields GF (q), and α ^{<< j} is a left j shift operation on a sequence α∈GF (q ⁿ ) consisting of elements of n finite fields GF (q),
Polynomial _{r (x) = (h n} -1 × x n-1 + ··· + h 0 × x 0) × x n + (k n-1 × x n-1 + ··· + k 0 × x 0) relative, n elements _h n-1, ···, column consists _{h 0 ∈GF (q) h∈GF (} q n) and n elements _{k n-1, ···, k} 0 A dividing unit for obtaining a sequence kεGF (q ⁿ ) composed of εGF (q);
h ′ = h ^{>> n−n (2)} +... + h ^{>> n−n (t−1)} ∈GF (q ⁿ ) and η = h ′ ^{<< n (1)} +... + h ′ ^{<< n (t−1)} ∈ GF (q ⁿ ), and R = k + h ^{<< n (1)} +... + h ^{<< n (t−1)} + η∈GF (q ⁿ )
A reduction device having The contracting device of claim 4, comprising:
q ⁿ obtained by γ ^{>> n−n (t−1)} for q ⁿ types of columns γεGF (q ⁿ ) consisting of ⁿ elements γ _n−1 ,..., γ ₀ εGF (q) ^(T-1) Correspondence in the case of γ ′ = γ ^{>> n−n (2)} +... + Γ ^{>> n−n (t−1)} εGF (q ⁿ ) And further includes a table storage unit that stores a table in which columns Γ ′ = γ ′ ^{<< n (1)} +... + Γ ′ ^{<< n (t−1)} ∈GF (q ⁿ ) are associated with each other,
The first arithmetic unit refers to the table storage unit, obtains η corresponding to a column obtained by h ^{>> n−n (t−1)} , and obtains R using the obtained η. . The contracting device of claim 4, comprising:
c is an integer of 1 ≦ c ≦ n, h _n−1 =... = h _n−c = 0,
γ _n−1 =... = γ _n−c = 0, and q ^n−c types of columns γεGF consisting of ⁿ elements γ _n−1 ,..., γ ₀ εGF (q) For each of the q ^{n (t-1) -c} types of columns obtained by γ ^{>> n−n (t−1} ) for (q ⁿ ), γ ′ = γ ^{>> n−n (2)} +. + Γ ^{>> n−n (t−1)} ∈GF (q ⁿ ), corresponding column Γ ′ = γ ′ ^{<< n (1)} +... + Γ ′ ^{<< n (t−1)} ∈GF ( a table storage unit storing a table associated with q ⁿ ),
The first arithmetic unit refers to the table storage unit, obtains η corresponding to a column obtained by h ^{>> n−n (t−1)} , and obtains R using the obtained η. . The contracting device of claim 4, comprising:
h _n-1 = 0, t = 5, q = 2, n (4) = 4, n (3) = 3, n (2) = 1, n (1) = 0 ,
a second computing unit for obtaining t ₁ = h ^>>n-4;
t ₁ is made up of n elements ε _n−1 ,..., ε ₀ εGF (q), and a sequence of n elements 0,..., 0, ε ₀ εGF (q) is t ₀ is ∈GF ^{(q _n),} and a third arithmetic unit for obtaining a _{^{t 2 = t 1 «1 + t}} 0 + h »n-3 ∈GF (q n),
a fourth operation unit that obtains η = t ₂ + t ₂ ^{<< 3} ∈GF (q ⁿ ),
The contraction device, wherein the first calculation unit obtains R using η obtained by the fourth calculation unit. The contracting device of claim 4, comprising:
t = 5, n (4) = 4, n (3) = 3, n (2) = 1, n (1) = 0,
h ′ = h ^{>> n−1} + h ^{>> n−3} + h ^{>> n −} 4εGF (q ⁿ ) to obtain a second operation unit;
a third operation unit for obtaining t ₂ ′ = h ′ + h ′ ^{<< 1} ∈GF (q ⁿ ) or t ₂ ″ = h ′ + h ′ ^{<< 3} ∈GF (q ⁿ );
a fourth operation unit that obtains η = t ₂ ′ + t ₂ ′ ^<< 3∈GF (q ⁿ ) or η = t ₂ ″ + t ₂ ″ ^<< 1;
The contraction device, wherein the first calculation unit obtains R using η obtained by the fourth calculation unit. The contracting device according to any one of claims 4 to 8,
t = 5, n (4) = 4, n (3) = 3, n (2) = 1, n (1) = 0,
a fifth operation unit that obtains t ₃ = h + h ^{<< 1} ∈GF (q ⁿ ) or t ₄ = h + h ^{<< 3} ∈GF (q ⁿ );
a sixth operation unit that obtains ρ = t ₃ + t ₃ ^<< ₃ ^∈GF (q ⁿ ) or ρ = t ₄ + t ₄ ^{<< 1} ∈GF (q ⁿ ),
The first arithmetic unit obtains R by using ρ obtained by the sixth arithmetic unit as h ^{<< n (1)} +... + H ^{<< n (t−1)} ∈GF (q ⁿ ). About equipment. The contracting device of claim 4, comprising:
t = 5, n (4) = 4, n (3) = 3, n (2) = 1, n (1) = 0,
a second arithmetic unit for obtaining ν = h + h′∈GF (q ⁿ );
a third operation unit for obtaining υ = ν + ν ^<< 1∈GF (q ⁿ ) or ι = ν + ν ^<< 3∈GF (q ⁿ );
a fourth operation unit for obtaining σ = υ + υ ^{<< 3} ∈GF (q ⁿ ) or σ = ι + ι ^{<< 1} ∈GF (q ⁿ ),
The first calculation unit obtains R by using σ obtained by the fourth calculation unit as h ^{<< n (1)} +... + H ^{<< n (t−1)} + η∈GF (q ⁿ ). Reduction device. The contracting device of claim 1, comprising:
h _n-1 = 0, n (4) = 7, n (3) = 2, n (2) = 1, n (1) = 0,
The contraction device, wherein the first arithmetic unit obtains the column H by h + h ^{>> n-7} + h ^{>> n -} 2εGF (q ⁿ ). A reduction device according to any of claims 1 to 11, comprising:
A reduction device, ^where q = 2, GF (2) is a bit set {0, 1}, and GF (2 ⁿ ) is a set of bit sequences {0, 1} ⁿ of n bits. A reduction method that is executed by a reduction device having a division unit, a first calculation unit, and a second calculation unit, and calculates r (x) mod f (x),
q is an integer of 2 or more, n is an integer of 3 or more, t is an integer of 3 ≦ t , GF (q) is a finite field of order q, and GF (q ⁿ ) is a finite field N-order extension of GF (q), x is an indefinite element, n, t, and n (t−1),..., N (1) are n / 2> n (t−1) >...> is an integer satisfying n (1) = 0, f ₀ (x) is a polynomial f ₀ (x) = x ^{n (t−1)} +... + X ^{n (1)} , and f (X) = x ⁿ −f ₀ (x), and α ^>> j is a right j shift operation on a sequence α∈GF (q ⁿ ) consisting of elements of n finite fields GF (q), and α ^{<< j} is a left j shift operation on a sequence α∈GF (q ⁿ ) consisting of elements of n finite fields GF (q),
In the dividing unit, the polynomial r (x) = (h _n−1 × x ⁿ⁻¹ +... + H ₀ × x ⁰ ) × x ⁿ + (k _n−1 × x ⁿ⁻¹ +... + K ₀ × x ⁰ ), n elements h _n−1 ,..., H ₀ ∈GF (q), a sequence h∈GF (q ⁿ ) and n elements k _n−1 ,. A division step to obtain a sequence kεGF (q ⁿ ) consisting of k ₀ εGF (q);
A first step of obtaining H = h + h ^{>> n−2 (2)} +... + H ^{>> n−n (t−1)} εGF (q ⁿ ) in the first arithmetic unit;
A second step of obtaining R = k + H ^{<< n (1)} +... + H ^{<< n (t-1)} ∈GF (q ⁿ ) in the second arithmetic unit;
A contraction method. A reduction method that is executed by a reduction device having a division unit and an operation unit and calculates r (x) mod f (x),
q is an integer of 2 or more, n is an integer of 3 or more, t is an integer of 3 ≦ t , GF (q) is a finite field of order q, and GF (q ⁿ ) is a finite field N-order extension of GF (q), x is an indefinite element, n, t, and n (t−1),..., N (1) are n / 2> n (t−1) >...> is an integer satisfying n (1) = 0, f ₀ (x) is a polynomial f ₀ (x) = x ^{n (t−1)} +... + X ^{n (1)} , and f (X) = x ⁿ −f ₀ (x), and α ^>> j is a right j shift operation on a sequence α∈GF (q ⁿ ) consisting of elements of n finite fields GF (q), and α ^{<< j} is a left j shift operation on a sequence α∈GF (q ⁿ ) consisting of elements of n finite fields GF (q),
In the dividing unit, the polynomial r (x) = (h _n−1 × x ⁿ⁻¹ +... + H ₀ × x ⁰ ) × x ⁿ + (k _n−1 × x ⁿ⁻¹ +... + K ₀ × x ⁰ ), n elements h _n−1 ,..., H ₀ ∈GF (q), a sequence h∈GF (q ⁿ ) and n elements k _n−1 ,. A division step to obtain a sequence kεGF (q ⁿ ) consisting of k ₀ εGF (q);
In the arithmetic unit, h ′ = h ^{>> n−n (2)} +... + H ^{>> n−n (t−1)} ∈GF (q ⁿ ) and η = h ′ ^{<< n (1)} +. ^.. + H ′ ^{<< n (t−1)} ∈GF (q ⁿ ), and R = k + h ^{<< n (1)} +... + H ^{<< n (t−1)} + η∈GF (q ⁿ ) Steps,
A contraction method.   The program for functioning a computer as each part of the contraction apparatus in any one of Claim 1 to 12.

Images