JPH05324277A - Code communication method - Google Patents

Abstract

PURPOSE:To provide the circuit executing the power residue arithmetic operation and the residue multiplication at high speed with smaller circuit by repeatedly executing the residue multiplication using both modulo N and prime R of the residue. CONSTITUTION:In the residue arithmetic circuit, the outputs for input pairs (A, RR), (B, RR), (AR, BR) (TR, 1) are AR, BR, TR, and Q. In this case, the power residue arithmetic operation and the residue multiplication are executed by repeating the operation of Z=X.Y.R<-1>mod N. Therefore, the required arithmetic operation is executed by the same or similar type arithmetic circuit. In performing the arithmetic operation with the use of the Montgomery residue multiplication Z=X.Y.R<-1>modN=(X.Y+S.N)/R, in this case, S=X.Y.N'modN, the residue multiplication and the power residue arithmetic operation can be executed while simply repeating the Montgomery residue multiplication by using the input value satisfying the condition.

Description

Detailed Description of the Invention

[0001]

BACKGROUND OF THE INVENTION 1. Field of the Invention The present invention relates to an encryption technique used for various communication services such as home bank, firm bank, electronic mail and electronic conference in a computer network. In particular, cryptographic communication using power-residue calculation and modular multiplication (RSA cryptography, Ergamal cryptography, etc.), key sharing schemes (DH type key sharing scheme, ID-based key sharing scheme, etc.), zero-knowledge proof scheme, etc. Regarding the system to do.

[0002]

2. Description of the Related Art In recent years, with the rapid development of information communication systems using computer networks, the importance of encryption technology for protecting data contents is increasing.
In particular, as the speed and capacity of computer networks have increased, high-speed encryption technology has become indispensable.

In such cryptographic techniques, the modular exponentiation operation and the modular multiplication are important operations used in various cryptographic techniques, and the following usage examples can be given.

First, it is known that there are a secret key cryptosystem and a public key cryptosystem as cryptosystems. In the public key cryptosystem, the encryption key and the decryption key are different, and the encryption key is open,
The decryption key is kept secret by the receiver, and it is difficult to deduce the decryption key from the publicly available encryption key. As the public key cryptosystem, a cipher based on a modular exponentiation operation and a modular multiplication such as RSA cipher and Ergamal cipher is often used. Furthermore, these ciphers
It is noted that there is another application called authentication besides the secret communication function. Authentication is a function of checking whether the sender of a message is correct, and is also called a digital signature. Digital signatures using these ciphers are safe because they can be signed with a private key known only to the sender and cannot be forged, and are widely used as authentication communication at financial institutions and the like.

As a secret key cryptosystem in which the same key is secretly shared by the sender and the receiver, the Vernam cipher which adds a random number to data is known, and as a random number, a modular exponentiation operation called a modular exponentiation and Random numbers based on modular multiplication are known.

Further, the secret key cryptosystem and the public key cryptosystem described above are often used together with a technique called a key distribution system or a key sharing system. As a key distribution method,
The DH-type key distribution system by Diffie and Hellman is well known, but this system also performs arithmetic using modular exponentiation and modular multiplication. Furthermore, ID-based is used as a key sharing method.
The key sharing system has been attracting attention, and exponentiation modular exponentiation and modular multiplication are used in various key sharing systems including this system.

Another cryptographic technique is called zero-knowledge proof. This tells me that I have some knowledge (= zero knowledge),
It is a method to convince the other party (= proof). Again, there are various techniques based on the modular exponentiation operation and the modular multiplication.

For details of the above cryptographic techniques, Shinichi Ikeno and Kenji Koyama “Modern Cryptography”, The Institute of Electronics, Information and Communication Engineers (1986) and Shigeo Tsujii, Masao Kasahara “Cryptography and Information Security”, Shokodo (1990) ) And the like.

Therefore, in order to efficiently construct various cryptographic systems, it has been desired to realize an efficient modular exponentiation and modular multiplication circuit. Further, if a high-speed modular exponentiation and modular multiplication circuit can be configured, various cryptographic systems can be speeded up.

By the way, as a method of calculating a modular multiplication modulo N, there is a method of using an integer R prime to N. For example, the method proposed by Montgomery (Montgomery method) (Montgomery, PL: “Modular mult
iplication without trial division, ”Math. of Comp
utation, Vol.44,1985, pp.519-521), Q = A ・ B mod
By calculating Q = A · B · R ⁻¹ mod N instead of N, the remainder multiplication can be calculated without performing division.

On the other hand, there is parallel processing as one method for speeding up the processing. A systolic array is known as a typical architecture. The systolic array realizes high-speed processing by executing processing by pipeline processing by several kinds of processing elements (processing elements: hereinafter PE). In addition, the control is local and is easy in PE units. Therefore, the systolic array has regularity of the whole structure and locality of PE unit,
It is known as an architecture that facilitates deviceization of large-scale processing such as VLSI. Such parallel processing method is considered to be suitable for speeding up modular exponentiation and modular multiplication for large integers that require large-scale processing, but among conventional methods, parallel processing such as systolic array Almost no processing techniques have been applied to modular exponentiation and modular multiplication.

Therefore, the applicant of the present invention has previously filed Japanese Patent Application No. 3-225986.
As the issue, we proposed a modular multiplication circuit using a systolic array, but it does not use the Montgomery method. On the other hand, an array using the Montgomery method has been proposed by Ibn. (Shimon Even: “Systolic mod
ular multiplication, ”Advances in Cryptology-CRYPT
O'90, pp.619-624, Springer-Verlag.)

[0013]

The integer used in the modular exponentiation operation and the modular multiplication used in the above-described cryptosystem is 512 in order to ensure sufficient security.
It is required to have more bits than bits. Thus, it has been difficult to perform high-speed modular exponentiation and modular multiplication for large integers using a normal computer.

Further, when the modular exponentiation calculation is executed by repeating the Montgomery method, the maximum number of bits of the output increases each time the modular multiplication is repeated, and it is difficult to execute the modular exponentiation calculation by the same circuit. In this regard, Ibn's array is not shown for a PE that performs processing when the number of bits of the modular multiplication output exceeds the number of bits of the input value, and becomes insufficient for the modular exponentiation operation. There is.

Further, in the conventional Montgomery method, as described later, before and after the calculation of Q = A · B · R ⁻¹ mod N,
It is necessary to perform another calculation for A, B, and Q, and several kinds of calculation means are necessary.

Further, in particular, the above-mentioned Ibn array is composed of an array for performing multiplication T = A · B and an array for performing a remainder operation Q = T · R ⁻¹ mod N for R treated as a constant. ing. Therefore, the Ibn systolic array is not efficient because two types of arrays are required to calculate T and Q. Furthermore, only the operation for each bit is proposed as the operation that can be performed in the PE, which lacks flexibility.

[0017]

SUMMARY OF THE INVENTION Therefore, an object of the present invention is to eliminate the above-mentioned drawbacks, and to perform a modular exponentiation operation and a modular multiplication in cryptographic communication, using a modulo R that is a modulo N modulo R. It is to provide a method of executing only by repeating multiplication.

Another object of the present invention is to realize a circuit for executing a modular exponentiation operation and a modular multiplication at high speed with a smaller circuit scale by using the Montgomery method.

In order to solve such a problem, according to the present invention, a modular multiplication Q = A · B mod of integers A and B modulo N.
In an encrypted communication method for encrypting or decrypting communication contents by using N, N is applied to input data U and V.
Using an integer R which is prime to Z = U · V · R ⁻¹ mod N
It has one or more calculation units for calculating and outputting.

According to another aspect of the present invention, a modular exponentiation operation for integers M and e modulo N: C = M ^e mo
In the encrypted communication method for encrypting or decrypting communication contents using dN, N is applied to input data U and V.
Using an integer R which is prime to Z = U · V · R ⁻¹ mod N
It has one or more calculation units for calculating and outputting.

According to another aspect of the present invention, the modular multiplication Q = A.multiplied to the input integers A and B modulo N.
In an encrypted communication method for encrypting or decrypting communication contents using B mod N, an integer R which is a prime to N is used to calculate A · R mod N from the input A and R. The calculation process with the result as A _R and the input B
And B · R mod N is calculated from R and the result is B
A calculation step of the _R, based on the calculation result A _R, B _R and the R, a calculation step of the result with T _R seeking ^{_{A R · B R · R -1}} mod N, said T _R By R and T
Calculates the _R · _R ^-1 mod N, as a result and a calculation step of calculating Q, the computation step of obtaining the T _R, divided for each v bits of the A _R the A _i by any integer v , Y =
2 ^v , T _i = (T _i-1 + A _i · B _R · Y + M _i-1 · N) / Y M _i-1 = (T _i-1 mod Y) · (-N ^-1 mod Y) mod And a calculation step executed by sequential calculation of Y 1.

Further, according to another aspect of the present invention, a modular multiplication Q = A.multiplied to the input integers A and B modulo N.
In an encrypted communication method for encrypting or decrypting communication contents using B mod N, an integer R which is a prime to N is used to calculate A · R mod N from the input A and R. The calculation process with the result as A _R and the input B
And B · R mod N is calculated from R and the result is B
A calculation step of the _R, based on the calculation result A _R, B _R and the R, a calculation step of the result with T _R seeking ^{_{A R · B R · R -1}} mod N, said T _R By R and T
Calculates the _R · _R ^-1 mod N, as a result and a calculation step of calculating Q, the computation step of obtaining the T _R, divided for each v bits of the A _R the A _i by any integer v , Y =
2 ^v , T _i = (T _i-1 / Y + A _i · B _R ) + M _i · N M _i-1 = ((T _i-1 / Y + A _i · B _R ) mod Y) · (-N ⁻¹ mod Y) Computation step executed by sequential computation of mod Y.

[0023]

With respect to the input data U and V, using one or more integers R that are prime to N, Z = U · V · R ⁻¹ mod N is calculated and output to one or more calculation units. A and R _R = R ² mod
Input N constant R _R and input A _R = A ・ R _R・ R ^-1 mod
N is output, B and the constant R _R are input, and B _R
= B · R _R · R ⁻¹ mod N is output, and the output A
Enter and said and _{R B R, T R = A} R · B R · R -1 mod
N is output, the output T _R and constant 1 are input, and T _R · 1 · R ⁻¹ mod N is output as Q, whereby the modular multiplication Q = A · B mod N is executed. To do.

With respect to the input data U and V, using one or more integer R, which is a prime to N, Z = U · V · R ⁻¹ mod N is calculated and output to one or more calculation units, M and R _R = R ²
Input the constant R _R mod _N and M _R = M · R _R · R ⁻¹
modN is output, and the binary representation of e is e = [e ^t , e ^t-1 , ...,
and e ^1], the initial value of C _R as ^{_{C R = R R · R -1}} modN, according to the value of e ⁱ from sequentially higher order bits, e ⁱ =
When it becomes 1, C _R and M _R are input to the arithmetic unit to output C _R · M _R · R ⁻¹ mod _N as a new C _R , and ⁱ in i i is 1 When it becomes larger, C is used as two input data to the arithmetic unit.
_R is input and C _R C _R R ^-1 mod N is output as a new C _R , and after the processing for all the e ⁱ is finished,
By inputting C _R and a constant 1 to the arithmetic unit, C = C
By outputting _R · 1 · R ⁻¹ mod N, the modular exponentiation operation C = M ^e mod N is executed.

For the input data U and V, an integer R that is a prime to N is used, and Z = U · V · R ⁻¹ mod N is calculated and output to one or more calculation units. M and R _R = R ²
Input the constant R _R mod _N and M _R = M · R _R · R ⁻¹
modN is output, and the binary representation of e is e = [e ^t , e ^t-1 , ...,
and e ^1], the initial value of C _R as ^{_{C R = R R · R -1}} modN, according to the value of e ⁱ from sequential low-order bits, e ⁱ =
When it becomes 1, C _R and M _R are input to the arithmetic unit to output C _R · M _R · R ⁻¹ mod _N as a new C _R , and further, ⁱ in e i is t. When it becomes smaller, M is used as two input data for the arithmetic unit.
_R is input and M _R , M _R , R ⁻¹ mod N is output as a new M _R , and after the processing for all the e ⁱ is finished,
By inputting C _R and a constant 1 to the arithmetic unit, C = C
By outputting _R · 1 · R ⁻¹ mod N, the modular exponentiation operation C = M ^e mod N is executed.

The remainder multiplication Q = A · B mod N modulo N to the input integers A and B is an integer R that is prime to N.
By using the input A and the R, A · R mod N
To calculate the result as A _R , calculate B · R mod N from the input B and _R, and set the result as B _R ,
Based on the calculation results A _R , B _R and R, A _R · B _R
- seeking R ^-1 mod N to the result with T _R, wherein T _R
And R, T _R · R ⁻¹ mod N is calculated, Q is obtained as a result, and the calculation of T _R is performed as follows.
_Assuming that A _i is a v-bit division of A _R by an arbitrary integer v, Y = 2 ^v , T _i = (T _i−1 + A _i · B _R · Y + M _i-1 · N) / Y M _{i- 1} = (T _i−1 mod Y) · (−N ⁻¹ mod Y) mod Y

The remainder multiplication Q = A · B mod N modulo N to the input integers A and B is an integer R that is prime to N.
By using the input A and the R, A · R mod N
To calculate the result as A _R , calculate B · R mod N from the input B and _R, and set the result as B _R ,
Based on the calculation results A _R , B _R and R, A _R · B _R
- seeking R ^-1 mod N to the result with T _R, wherein T _R
And R, T _R · R ⁻¹ mod N is calculated, Q is obtained as a result, and the calculation of T _R is performed as follows.
_Assuming that A _i is a v-bit division of A _R by an arbitrary integer v, Y = 2 ^v , T _i = (T _i-1 / Y + A _i · B _R ) + M _i · N M _i-1 = (( T _i-1 / Y + A _i · B _R ) mod Y) · (−N ⁻¹ mod Y) mod Y is executed in sequence.

[0028]

DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENTS A modular multiplication modulo N will be described below as an example of a modular multiplication (Montgomery method) proposed by Montgomery as a modular multiplication for a value using an integer R that is a prime to N. First, we show a cryptographic system that uses modular exponentiation and modular multiplication, and then the processing before and after the modular exponentiation and modular multiplication using the Montgomery method and the input / output consistency of the modular multiplication using the Montgomery method. About. Furthermore, a PE that executes the Montgomery method is shown, and a circuit that efficiently uses the modular exponentiation operation and the modular multiplication by using the PEs in parallel is shown.

[Cryptographic System] First, n to n shown in FIG.
The cryptographic system in the communication system will be described. Figure 1
Local area network (LAN)
Or a global communication network such as a telephone line. Here, A to Z are users, and a communication device (communication terminal) T for connecting to each of the communication networks.
Has been assigned. The encryption device encrypts input information and outputs it. For example, the communication device T
The communication device T may output the encrypted information, or the communication device T may be inserted between the communication device T and the communication network so that the output of the communication device T is encrypted and output to the communication network. Good. Further, it can be incorporated in a device which is connected to the communication device and outputs information to the communication device. Further, even if the encryption device is not always connected to the communication device, the encryption device is built in a portable device such as an IC card and connected to the communication device or a device connected to the communication device when necessary. May be With such an encryption device, secret communication, authentication communication, key sharing, zero-knowledge proof, and other encrypted communication can be performed.

As an example of the modular multiplication circuit or the modular exponentiation circuit required in such an encryption device, a plaintext M is used.
It is possible to consider a modular exponentiation operation circuit that outputs the cipher C = M ^e mod N, with E and N as other input or stored values. In this case, the modular exponentiation circuit is the encryption device itself. In the case of secret communication, the same encryption device may be used to perform decryption by the inverse operation M = C ^d mod N. In addition, the modular multiplication circuit or the modular exponentiation operation circuit is used as a part of the cryptographic device, and an external input to the cryptographic device or a processing result of another processing unit in the cryptographic device is input to this circuit to execute an operation. The calculation result may be output to the outside of the cryptographic device or input to another processing unit in the cryptographic device.

When the access to the storage medium is regarded as communication, the storage medium such as a magnetic disk and the access device to the recording medium correspond to a communication device, and the storage system is similar to the communication system. Also in the above, the cryptographic system can be utilized by the cryptographic device using the circuit according to the present invention.

[Montgomery's modular multiplication] The following theorem was derived by Montgomery.

Theorem 1: N and R are mutually prime integers, T is an arbitrary integer, N '=-N- ¹ mod R, and M = T.
When N ′ mod R, the following relationship is satisfied.

(T + M · N) / R = T · R ⁻¹ mod N (1) Proof: Approximately therefore, when performing modular multiplication: Q = A · B mod N, an integer R that is a prime to N Can be performed as follows.

A _R = A · R mod N (2) B _R = B · R mod N (3) T = A _R · B _R (4) T _R = T · R ⁻¹ mod N = (T + M · N ) / R (5) Q = T _R · R ^-1 mod N (6) Here, when the operations of the expressions (4) and (5) are called Montgomery's modular multiplication, Montgomery's modular multiplication is as follows. Can be expressed as

T _R = A _R · B _R · R ⁻¹ mod N = (A _R · B _R + M · N) / R (7) where M = A _R · B _R · N 'mod R (8) If N is odd in Montgomery's modular multiplication, R =
If 2 ⁿ (n is an arbitrary integer) is selected, R becomes an integer that is prime to N. In this case, since the division by R only requires a bit shift, the Montgomery's remainder multiplication of Expression (5) or Expression (7) can be executed only by multiplication.

At this time, the processing before and after the equations (2), (3) and (6) can also be executed as follows by the Montgomery's modular multiplication.

A _R = A · R mod N = A · R _R · R ⁻¹ mod N B _R = B · R mod N = B · R _R · R ⁻¹ mod N Q = T _R · R ⁻¹ mod N = T _R · 1 · R ⁻¹ mod N However, since R _R = R ² mod N _RR is a value uniquely determined by N, it is determined when N is determined and can be treated as a constant. Therefore, as shown in FIG. 2, the arithmetic circuits for executing Z = X · Y · R ⁻¹ mod N can be commonly used to execute the arithmetic operations of Expressions (2) to (6), and the required modular multiplication: Q = A · B mod N is calculated. FIG. 2 shows input groups (A, _RR ), (B, _RR ),
The outputs for (A _R , B _R ) and (T _R , 1) are A
_R , B _R , T _R , and Q.

[Montgomery's modular exponentiation 1] Also, using the Montgomery method, the modular exponentiation: C = M
^e mod N is also executed as follows.

INPUT M, e, N, R _R M _R = M · R _R · R ⁻¹ mod N (9) C _R = 1 · R _R · R ⁻¹ mod N (10) FOR i = t TO 1 IF e _i = 1 THEN C _R = C _R · M _R · R ^-1 mod N (11) IF i> 1 THEN C _R = C _R · C _R · R ^-1 mod N (12) NEXT C = C _R 1 · R ⁻¹ mod N (13) Therefore, the modular exponentiation operation can be performed only by the Montgomery modular multiplication. The initial value of C _R shown in equation (10) is determined by R _R and N, so it can be treated as a constant. Hereinafter, the modular exponentiation operation using only the Montgomery modular exponentiation will be referred to as a Montgomery modular exponentiation operation.

As described above, when the Montgomery's modular exponentiation operation is executed, one operation result is used as an input for the next operation, and the multiplication is repeated. Therefore, when each multiplication is to be realized with the same circuit configuration, If the maximum number of output bits exceeds the maximum number of input bits, it will be difficult to realize.

Therefore, in the Montgomery remainder multiplication of the equation (7), the condition for the maximum number of bits of the input and the output to be equal will be considered below.

Theorem 2: In equations (7) and (8), A _R <
When 2 ^{n + u} , B _R <2 ^{n + u} , N <2 ⁿ , and R = 2 ^{n + r} , in order to ^satisfy T _R <2 ^{n + u} , u = 1 and r> 1,
Alternatively, it is sufficient if u> 1 and r = u + 1.

Proof: If R = 2 ^{n + r} , then M <2 ^{n + r} . If A _R <2 ^{n + u} , B _R <2 ^{n + u} , N <2 ⁿ , then A _R · B _R <2 ^{2 (n + u)} , M · N <2 ^{2n + r} . In consideration of carry by carry, A _R · B _R + M · N <max (2 ^{2 (n + u) +1} , 2 ^{2n + r + 1} ). Therefore, T _R <max (2 ^{n + 2u + 1-r} , 2 ^{n + 1} ). Therefore, if 2 ^{n + 2u + 1-r} ≦ 2 ^{n + 1} : T _R <2 ^{n + 1} . ∴ u = 1, r> 1 (14) In the case of 2 ^{n + 2u + 1-r} > 2 ^{n + 1} : T _R <2 ^{n + 2u + 1-r} . ∴ u> 1, r = u + 1 (15) Here, max (A, B) is a function that selects the larger one of A and B.

At this time, if the conditions of equations (14) and (15) are satisfied, all Montgomery modular exponentiation operations can be realized by simple repetition of Montgomery modular multiplication. Therefore, as shown in FIG.
The power-residue calculation can be executed only by selecting an input with respect to (13) by the selector S.

In the circuit of FIG. 3, the two selectors S
C as one of the selectable feedback inputs
_R , and on the other hand, a memory for temporarily storing C _R and M _R shall be provided. It goes without saying that such a memory may be provided in front of the two selectors S so that both selectors S can be commonly used. In order to switch the input in the selector S as described above, for example, e is stored in the shift register, e _i is sequentially output from the upper bit, and e _i = 1 is received in response to the output. And i
It is only necessary to provide a control unit (which can be configured by a logic circuit, a counter, or the like) that determines whether> 1 and outputs a switching signal.

At this time, if the conditions of equations (14) and (15) are satisfied, all Montgomery modular exponentiation operations can be realized by simple repetition of Montgomery modular multiplication. However, since u> 0 from the expressions (14) and (15), only the calculation result C must be corrected so that C <N.

In the conventional Ibn's method, such a correction must be performed every time Montgomery's modular multiplication is performed, but in this method, the correction needs to be performed only once after the completion of Montgomery's modular exponentiation. Further, since this correction is a simple process, it has almost no effect on the circuit scale and the processing speed for the Montgomery modular exponentiation operation described below.

[Montgomery's modular exponentiation calculation 2] The modular exponentiation calculation: C = M ^e mod N can also be executed as follows.

[0050] _{INPUT M, e, N, R} R M R = M · R R · R -1 mod N C R = 1 · R R · R -1 mod N FOR i = 1 TO t IF e i = 1 THEN C _R = C _R · M _R · R ^-1 mod
N IF i <t THEN M _R = M _R · M _R · R ⁻¹ mod
N NEXT C = C _R · 1 · R ⁻¹ mod N In this case as well, it is clear that C can be calculated by a simple iteration of Montgomery's remainder multiplication by using the conditions of equations (14) and (15). In addition, in the circuit of FIG.
It is obvious that the power-residue calculation can be similarly performed by only one selector S making C _R and M _R selectable and two selectors S making both M _R selectable.

From the above, it has been shown that the modular exponentiation operation and the modular multiplication can be executed only by the arithmetic circuit for calculating the equation (16).

Z = X · Y · R ⁻¹ mod N (16) In addition, when this is calculated using the Montgomery's remainder multiplication shown in Expression (7), the conditions of Expressions (14) and (15) are satisfied. It was also shown that the remainder multiplication and the power-residue operation can be performed by simple iteration of the Montgomery's remainder multiplication by using input values satisfying

Since the expression (16) or the expression (7) is an integer operation, its operation circuit and method can be realized by various methods. For example, it is obvious that this can be easily realized by using a CPU or the like.

Therefore, various cryptographic systems using the modular multiplication and the modular exponentiation can be efficiently constructed by the common arithmetic circuit and method for executing the equation (16) or the equation (7).

[Example 1 of Montgomery's modular multiplication and modular exponentiation circuit] T _R = A _R · B _R · R ⁻¹ mod N (A _R ,
Consider the modular multiplication of B _R <2 ^{n + u} , R = 2 ^{n + r} , N <2 ⁿ integer, u and r satisfy the conditions of the expressions (14) and (15). When A _R is divided by v bits and B _R , N, T _R are divided by d bits, they can be expressed as follows. However, n + r ≦ m
d, n + r ≦ k · v, X = 2 ^d , Y = 2 ^v (v ≦ d).

A _R = A _k-1 · Y ^k-1 + A _k-2 · Y ^k-2 + ... + A ₁ · Y + A ₀ B _R = B _m-1 · X ^m-1 + B _m-2・ X ^m-2 + ・ ・ ・ + B ₁・ X + B ₀ N = N _m-1・ X ^m-1 + N _m-2・ X ^m-2 + ・ ・ ・ + N ₁・X + N ₀ T _R = T _m-1 · X ^m-1 + T _m-2 · X ^m-2 + ... + T ₁ · X + T ₀ (17) where A _i (i = 0 , ..., k-1, n + u <i and A _i = 0) is A _R
Represents a bit sequence obtained by dividing each of the lower digits by v bits,
B _j , N _j , and T _j (j = 0, ..., m-1) represent bit sequences obtained by dividing B _R , N, and T _{R by} d bits from the lower digit. In this case, Montgomery's modular multiplication does the following operation i =
It is calculated by repeating from 0 to k. However,
T_ _i means the value of T _R in the i-th calculation, and is expressed by the formula (1
Different from T _i in 6).

[0057] _{T_ i = (T_ i-1} + A i · B R · Y + M i-1 · N) / Y (18) _{However, M i-1 = (T_} i-1 mod Y) · N 0 'mod Y , T
Bj To achieve at _{_ -1 = 0, N 0 '} = N'mod Y parallel processing of this operation, B _R, a N
, Nj is expressed as follows.

Algorithm 1: FOR i = 0 TO k M _i-1 = dw _v (dw _v (Ti-1,0) N ₀ ') FOR j = 0 TO m-1 R _{i, j} = T _{i- 1, j} + L _{i-2, j + 1}・ X / Y ² + Y ・ A _i・ B _j
+ M _i−1 · N _j L _{i, j} = dw _v (R _{i, j} ) T _{i, j} = (R _{i, j} −L _{i, j} ) / Y NEXT NEXT However, dw _d (Z) = Z mod _{^{2 d up d (Z) =}} (Z-dw d (Z)) / 2 d T i, j, L i, the initial value of _j in all 0 algorithm _{1, Y · a i · B} j, L i- _{2, j + 1} x
/ Y ² , and T _{i, j} = (dw _{d + v} (R _{i, j} ) −L _{i, j} ).
Multiplication / division by constants X = 2 ^d and Y = 2 ^v such as / Y is realized by shifting bits with respect to other values. Thus, operations on T _{i, j} means that the value of the v-th bit with respect to R _{i, j} of the LSB to d + v-1 th bit T _i, and _j. However, L _{i, j} is a value from the LSB of R _{i, j} to the v−1th bit. Since the 1 / Y operation for obtaining T _{i, j} is realized by bit shifting to the lower order for each R _{i, j} in this way, L _{i-2, j + 1} calculates R _{i, j} . It is sometimes used, and it is calculated by adjusting the digits by X / Y ² .

FIG. 2 shows a circuit for executing the algorithm.
In Algorithm 1, i means a clock, j corresponds to the position of the register (R) in FIG. 3, and the registers from R _{i, 0} to R _{i, m−1} are shown from right to left.

For simplicity, the circuit and operation of FIG. 2 will be described below for the case of v = 1. In FIG. 2, B _j , N
_j (j = 0, ..., M-1) and N ₀ 'represent a d-bit multiplier having the value written in each as a multiplier, and can be realized by d ANDs. If N is an odd number, N ₀ ′ = 1, and therefore the multiplier for calculating M _i−1 can be omitted, and L of T _i−1,0 can be omitted.
SB is output as. The input and output of the adder indicated by + are as follows. The output M _i−1 · N _j from the lower multiplier is d bits, and the output A _i · B from the upper multiplier.
_{j is} also d bits, but in order to double that value, M _i-1.
Shift 1 bit to N _j and input it. The input T _i−1 , _j from the register is 2 from the LSB of R _i−1 , _j.
Shifts from the 1st bit to the lower bit by ₁ and outputs M _i-1 · N _j
And enter as the value of the peer. L _{i-2, j + 1} · 2 ^d-2 is the 1-bit output L _{i-2, j + 1} from the immediately preceding PE, which is L of M _i−1 · N _j .
This means inputting from the SB to the d-1th bit. In this case, if T _i−1 , _j <2 ^{d + 2} , the output from the adder is d + 3 bits. Therefore, the registers receiving the output from the adder are each a d + 3 bit register.

As described above, in the circuit of FIG.
The operation of 8) can be executed, and Montgomery's remainder multiplication can be executed by inputting A ₀ to A _K.

Although FIG. 2 has been described with v = 1,
It is obvious that Montgomery's modular multiplication can be executed for v with ≤d by the same method.

The Montgomery remainder multiplication circuit according to this embodiment realizes high-speed processing with a very small circuit scale.

[0064] The operation EXAMPLE 2 modulo multiplication and modulo exponentiation circuit Montgomery] To achieve systolic array, B _{R, N} and B _j, expressed with N _j as follows.

Algorithm 2: FOR i = 0 TO k M _i−1 = dw _v (dw _v (T _i-1,0 ) · N ₀ ′) FOR j = 0 TO m−1 R _{i, j} = T _{i -1} , _j + C _i , _j-1 + L _{i-2, j + 1}・ X / Y ² + Y ・ A
_{i · B j + M i-} 1 · N j L i, j = dw v (R i, j) T i, j = (dw d + v (R i, j) -L i, j) / Y C i _{, j = up d + v (} R i, j) NEXT NEXT _{however, dw d (Z) = Z} mod 2 d up d (Z) = (Z-dw d (Z)) / 2 d T i, j, Initial values of C _{i, j} and L _{i, j} are all 0. In Algorithm 2, C _{i, j-1} is a carry and R
Used when computing _{i, j} . In addition, Y · A _i · B _j ,
L _{i-2, j + 1} · X / Y ² , and T _{i, j} = (dw _{d + v} (R
_An operation having X and Y as constants such as _{i, j} ) -L _{i, j} ) / Y is realized by shifting bits with respect to other values. Thus, T _i, operations on _j is R _i, the value of T _i from v-th bit relative _j LSB to d + v-1 th _{bit, j}
Means to

However, L _{i, j} is v− from the LSB of R _{i, j.}
It is a value up to the first bit. Since the 1 / Y operation for obtaining T _{i, j} is realized by bit shifting to the lower order for each R _{i, j} in this way, L _{i-2, j + 1} calculates R _{i, j} . It is sometimes used, and it is calculated by adjusting the digits by X / Y ² .

FIG. 5 shows that R _{i, j} , L in Algorithm 2
_This is a circuit for calculating _{i, j} , T _{i, j} , and C _{i, j} . FIG. 6 shows the circuit of FIG. 5 as one PE (processing element).
As a, it is a systolic array in which it is connected in cascade. In Algorithm 2, j means a clock,
i corresponds to the position of PE in FIG. 6, and i = from left to right
PEs from 0 (# 1) to i = k (# k + 1) are shown.

In FIG. 6, the # i + 1th PE is A _i (i =
0, ..., k) is set in the internal register, and between PEs, B _in and B _out , D _in and D _out , T _in and T _out , L _in and L _out , M _in and M _out , N _in and N _out are connected to each other. Also, each B _j is the B _in, N _in the # 1 of PE, N
_j (j = 0, ..., m-1) are input in order from the lower digit, and D _in ,
T _in, L _in, each 0 is set to the input of the M _in.

For simplification, the circuit and operation of FIG. 5 will be described below for the case of v = 1. In FIG. 5, x indicates a multiplier, which can be realized by d AND gates. R1-R
Reference numeral 3 is a 1-bit register that holds A _i , M _i-1 , and N ₀ ′, respectively. If N is odd, R3 for holding the 'multipliers and N ₀ for computing the so is = 1' N ₀ is omitted, R2 is held as the LSB of the T _{i-1, 0.} In addition, R4, R5
Is the next PE after delaying the input from B _in and N _in by 1 clock.
Is a d-bit register for sending to. The input and output of the adder indicated by + are as follows. Although the output M _i-1 · N _j from the bottom of the multiplier is the output A _i · B _j be d bits from d bits, the upper part of the multiplier, M _i-1 · to doubling its value Shift 1 bit to N _j and input it. The input T _i−1 , _j from the previous PE is the LSB of R _i−1 , _j .
From the 2nd bit to the d + 1th bit is 1
The value is shifted to the lower bit and input as a value equal to M _i-1 · N _j . L _{i-2, j + 1} · 2 ^d-2 is the 1-bit output L _{i-2, j + 1} from the previous PE, and is input to the d−1 bit from the LSB of M _i−1 · N _j. Means to do. In this case, if C _{i, j-1} which is a carry bit is C _{i, j-1} <2 ^{d + 2} , the output from the adder is d + 3 bits, so C _{i, j-1} is 2 It is a bit value. Therefore, R6 receiving the output from the adder becomes a d + 3 bit register.

From the above, one PE in FIG.
It can be seen that the calculation of can be performed. By connecting this PE in a pipeline form of k + 1 pieces as shown in FIG. 6 and operating in synchronization with the clock, the Montgomery remainder multiplication can be executed at high speed.

However, the final output from the array of FIG. 6 is k
The output T _{k, j} L _{k, j} from the + 1st PE and the kth P
Since it is separated into the output L _{k-1, j + 1} from E, the following calculation is performed after the processing of Algorithm 2.

Algorithm 3: FOR j = 0 TO m-1 R _{k + 1, j} = T _{k, j +} C _{k + 1, j-1} + L _k-1 , _{j +} 1.X / Y ² T _{k + 1, j = dw d (R} k + 1, j) C k + 1, j = up d (R k + 1, j) T k + 2, j = T k + 1, j + C k + 2, j ₋₁ + L _{k, j + 1} · X / Y C _{k + 2, j} = up _d (T _{k + 2, j} ) NEXT Here, T _{k + 2, j} is a bit sequence T _j obtained by dividing T _R. (j = 0,
…, M-1). The calculation of R _{k + 1, j is the same as} the calculation when A _i = M _i-1 = 0 in Algorithm 2, and thus is realized by the PE in FIG. The calculation of T _{k + 2, j} is almost the same as the calculation of R _{k + 1, j} , but T _{k + 1, j} , C
_{For k + 1, j} , 1/2 operation is not performed, and L _{k, j + 1} is also added to L _k−1 , _{j + 1} in 1-bit upper digits. Therefore, as shown in FIG. 7, a half adder (HA) for one bit and a register (R) are added under the LSB of the PE adder and register R6 of FIG.
7) is prepared and HA outputs LSB of output R _i−1 , _j of the previous PE.
And input C _{k + 2, j-1} (at this time, C _{k + 2, j-1} is at most 1
(The value of the bit), and the carry bit is input as a carry to the adder to the newly prepared register. In this way, L _{k, j + 1} is automatically added as a 1-bit upper digit. Therefore, the PE that calculates T _{k + 2, j} is different from the other PEs, but only when i = k + 2, add a 1-bit selector that selects the carry from the half adder as the carry to the adder. 1
It can be realized with two PEs.

Therefore, in order to obtain T _R , the PE shown in FIG. 7 is used as the PE shown in FIG. 6, and P is added after the array shown in FIG.
Montgomery's modular multiplication is performed at high speed by an array using a total of k + 3 PEs with two Es added.

Although FIG. 5 and FIG. 7 have been described with v = 1, it is clear that Montgomery's modular multiplication can be executed for v with v ≦ d by a similar method.

[Third Embodiment of Montgomery's Residual Multiplication and Power Residue Circuit] Further, the following systolic array can be constructed. The calculation of Expression (17) is executed by the following algorithm.

Algorithm 4: FOR i = 0 TO k M _i−1 = dw _v (dw _v (T _i−1 , ₁ ) · N ₀ ′) FOR j = 0 TO m R _{i, j} = T _i-1 , _{j + 1} + C _{i, j-1} + A _i · B _j-1 + M _i-1 · N
_j T _{i, j} = dw _v (R _{i, j} ) C _{i, j} = up _v (R _{i, j} ) NEXT NEXT Algorithm 4 differs from R _{i, j} operation algorithm 2 in that M _i−1. The difference between the digits of A _i · B _j and T _i−1 , _j with respect to N _j is realized not by bit shift but by shifting the coefficient of j of B _j and T _{i, j to be} used. Therefore, the value L _{i, j} generated in Algorithm 2 due to the bit shift does not occur in Algorithm 4.

R _{i, j} , T _{i, j} , C _{i, j of} Algorithm 4
The PE and the systolic array for executing the calculation of FIG.
9 shows. The j and i of the algorithm 4 also correspond to the positions of the clock and PE, respectively. Also in FIG.
The value of A _i (i = 0, ..., k) is set in the internal register in the PE of i + 1, and B _in and B _out , and T _in and T are between PEs.
_out , M _in and M _out , and N _in and N _out are connected respectively. Further, although 0 is set to the input of T _in and M _in of PE of # 1, B _j and N _j (j = 0, j = 0, respectively) are set to B _in and N _in .
, M-1) are input in order from the lower digit. However, unlike the case of the algorithm I, B _j is input with a delay of 1 clock with respect to N _j .

For simplicity, the case of v = d will be described below. In FIG. 8, x indicates a d-bit / d-bit multiplier, and + indicates an adder. The input and output of the adder are as follows. Output from upper multiplier A _i · B _j-1
The outputs M _i−1 · N _j from the lower multiplier and the lower multiplier are 2 · d bits respectively, and the outputs T _i−1 , _{j + 1} from the previous PE are d-bit values. Therefore, if C _{i, j-1} is C _{i, j-1} <2 ^{2 · d + 1} , the output from the adder is a value of 2 · d + 2 bits. Further, R1 to R7 are d-bit registers, and R8 receiving the output from the adder is a 2 · d + 2 bit register. The register R8 sets T from the LSB to the d-th bit.
_It is output to the next PE as _i−1 , _{j + 1} , and the upper d + 2 bits are fed back to the adder as C _{i, j−1} .

In FIG. 8, N _j is input one clock before B _j , so that A _i · B _j-1 and M _i-1 · N _j are calculated at the same time. In addition, T _i−1 , _{j + 1} is A _i · B _j−1 and M _i−1 · N _j
In order to calculate at the same time, B input from B _in and N _in
j and N _j are delayed by 2 clocks and output to the next PE.

Therefore, according to the PE of FIG.
It can be seen that Montgomery's modular multiplication can be realized at high speed by the systolic array of FIG. In this case, the process corresponding to the algorithm is not necessary, and the array can be configured by m + 1 PEs as shown in FIG.

Although FIG. 8 has been described with v = d,
It is obvious that Montgomery's modular multiplication can be executed for v with d that is <d.

[Fourth Embodiment of Montgomery's Residual Multiplication and Power Residue Circuit] Further, when executing the algorithm 4 shown in the third embodiment, it is not necessary to set A _i in the PE in advance, and as shown in FIG. , A _i (i = 0, ..., k-1) from A _in is input in synchronization with N _j from the lower digit, and as shown in FIG.
_The configuration may be such that _in and A _out are connected and sent to the next PE. In this case, A _i (i = 0, ..., k-1) is input one clock ahead of B _j (j = 0, ..., m-1), so A ₀ is input in the # 1 PE. When A ₀ is held in the register of R1 at the same time, the operation of A ₀ · B _j (j = 0, ..., m-1) can be executed for all j. Also, B _j is input to the next PE after being delayed by 2 clocks, but A _i is delayed by only 1 clock, so that A _i is B _j (j = 0,
..., m-1), and if it could be held before
In E, A _{i + 1} can be input and held before B _j (j = 0, ..., m-1). Therefore, in PE of #i, A _{i + 1} · B can be easily
_{The operation of j} (j = 0, ..., m-1) can be executed. Therefore, the algorithm 4 shown in FIG. 1 is used without changing the circuit scale and the processing speed.
It can be realized also by PE of 0 and 11 and a systolic array.

[Embodiment 5 of Montgomery's modular multiplication and modular exponentiation circuit] Montgomery's modular exponentiation can be executed by repeating the calculation of equation (17). Figure 10
Since the PEs shown in FIGS. 8 and 10 can perform the operation of the equation (17), if one PE is combined with a memory as shown in FIG. 12, one PE is (3.t / 2 + 2) .q times (q Is the PE required to construct the Montgomery modular multiplication array
, The PE in FIG. 7 is k + 3, and in FIGS.
-2) can be used to process the Montgomery modular exponentiation operation. If p PEs are used, (3 · t / 2
It is possible to process Montgomery's modular exponentiation operation by repeating +2) · q / p times. Since the processing speed is inversely proportional to the number of repetitions, this method can make the processing speed proportional to the number of PEs, and the power of the same efficiency can be used for increasing the processing speed by the number of PEs or reducing the circuit size. A remainder arithmetic circuit can be configured.

Therefore, the device as shown in FIG. 13 can be realized. In FIG. 13, SYMC (Systolic Modular
Exponentiation Chip) is represented by p P
This is a chip formed by connecting Es in cascade. Since p is arbitrary as long as 1 ≦ p ≦ (3 · t / 2 + 2) · q, a chip having an arbitrary circuit scale can be configured.
In addition, SYMC has a regular circuit structure, so that it is very easy to make a device and a chip. Also, the processing speed is SY
Since the speed can be increased in proportion to the number of MCs, it is only necessary to connect SYMCs to the subordinates as shown in FIG. in this case,
Although it is necessary to change the number of times of SYMC processing, this can be easily realized by configuring the control circuit with an externally programmable ROM or the like.

[Other Embodiments of Montgomery's Residual Multiplication and Exponentiation Residue Arithmetic Circuit] In the algorithm according to the above embodiment, the processing performed by one PE is a simple integer arithmetic operation, so that it is possible to perform a normal PE operation even if the PE is not separately chipped. DSP or C
It is possible to easily implement Montgomery's modular exponentiation by using PU or the like.

Since the above-described embodiment is based on the systolic array, the circuit configuration is regular and the control and delay are local, so that it is suitable for practical use by VLSI.

It is also easy to realize the modular multiplication and the modular exponentiation operation by using the PE of the above-mentioned embodiment as an independent arithmetic element without being connected to the subordinates and controlling it by a well-known microprogramming method. ..

The PEs of FIGS. 5, 7 and 8 and 10 collectively execute the operation of the equation (18), but the equation (18)
The equation (18)
The present invention also includes the case of executing the calculation of.

When the present invention is implemented by a systolic array, a control signal can be input at the same time as data, and a PE including a control signal transmission register can also be used.

As described above, the method of constructing the modular exponentiation and modular multiplication circuit and method using the systolic array has been shown. This scheme provides a circuit and method that overcomes all the drawbacks of the Iven approach. As a result, an efficient cryptographic system having the following effects can be constructed.

When a high-speed cryptosystem is required, the exponentiation / residue calculation and the modular multiplication circuit according to the present invention may be configured by VLSI or the like. In this case, the modular exponentiation operation and modular multiplication according to the present invention have a simple PE rule structure, and the PE control and the delay time within the PE are local, which is optimal for VLSI. This constitutes a high speed encryption system.

When a cryptographic system using a small circuit is required rather than high speed, the power-residue calculation and the residue-multiplication circuit according to the present invention may be composed of several PEs. In this case as well, the features such as the regular structure by PE, the control, and the locality of the delay time are not lost, and the circuit can be easily formed. Further, since the operation performed in the PE is a simple integer operation, the operation procedure according to the present invention can realize a simple cryptographic system even by a software method such as a CPU or a DSP.

Further, even if high speed is required after the encryption device is composed of small circuits (SYMC etc.) consisting of several PEs, the small circuits should be connected in cascade as shown in FIG. If so, speeding up proportional to the circuit scale can be realized. Therefore, it is possible to realize an encryption system in which the speed can be easily increased as necessary simply by adding the encryption device without recreating the encryption device.

After the encryption system is constructed once,
Even when the number of integer bits to be calculated for increasing the strength of the cryptosystem is increased, the same circuit or a similar circuit with an increased number of PEs can be used. This is because the modular exponentiation and modular multiplication circuit of the present invention can easily trade off the circuit scale and the number of processings, and thus the difference in the number of bits of the integers to be calculated can result in the difference in the number of processings. Therefore, even if the cryptographic strength of the system is increased, it is not necessary to remake the cryptographic device. Further, even when the number of bits of the integer to be calculated is reduced, it is possible to realize a cryptographic system without recreating the cryptographic device.

As described in Japanese Patent Application No. 3-225986, the above-mentioned effects cannot be realized by the conventional cryptographic device based on modular exponentiation and modular multiplication. Therefore,
By using the modular exponentiation operation and the modular multiplication circuit and method according to the present invention, it is possible to construct a flexible and expandable cryptographic system.

Next, the systolic array of Japanese Patent Application No. 3-225986 (hereinafter referred to as array 0) and the systolic array (array 1) shown in the first embodiment of the present invention and the second and third embodiments are shown. Compare the systolic array (array 2).

Since the array 0 involves division, the remainder operation is performed by the remainder table (ROM or the like).
Since all can perform modular multiplication by multiplication, the processing time required for one clock is shorter than that of array 0, and therefore high-speed processing is possible. Further, the arrays 1 and 2 can be made to have a circuit scale like an AND gate without using a remainder table such as a ROM. Further, array 0 requires PEs for carrying bit processing, but arrays 1 and 2 do not require PEs, so the number of required PEs is smaller than that of array 0.
Therefore, using the same circuit scale, array 1,
2 can perform high speed processing several times as fast as array 0.

The array 1 has a smaller number of PEs than the array 0, and the PEs can be commonly used as shown in FIG. Further, the array 2 can be composed of only one type of PE.
Therefore, the arrays 1 and 2 can be formed into a circuit more easily than the array 0, and a circuit with less waste than the array 0 can be configured.

When the array 0 uses the remainder table, the arrays 1 and 2 are more flexible than the array 0 with respect to the increase in the number of bits of each integer to be calculated. This is because, when the array 0 uses a remainder table such as a ROM, the maximum capacity of the table limits the number of bits of each integer. On the other hand, since the modulos are calculated by multiplication in the arrays 1 and 2, there is no need for the modulo table and there is no limit to the number of integer bits to be calculated. However, when the number of bits of the integer to be calculated decreases (such as when using the Chinese Remainder Theorem), the flexibility of Array 0 to Array 2 is the same and there is no limitation. Therefore, unlike the array 0, the arrays 1 and 2 are not limited to changes in the number of bits of the integer to be calculated. Therefore, in the arrays 1 and 2, it is not necessary to remake a circuit such as SYMC even for an operation in which the number of integer bits to be operated is different.

As described above, the cryptographic apparatus using the modular multiplication and the modular exponentiation method according to the above-described embodiment can provide a cryptographic system that can achieve the above-mentioned effects with high speed and flexibility with the smallest circuit.

[Embodiment 6 of Montgomery's modular multiplication and modular exponentiation circuit] The value T_ of T _R in the i-th calculation
The _i, unlike T_ _i in equation _{(18), T_ i = (} T_ i-1 / Y + A i · B R) + M i · N (19) _{However, M i = ((T_ i} -1 / Y + A i _{· B R) mod Y) ·} N 0 '
mod Y, in order to achieve parallel processing by _{T_ -1 = 0, N 0 '} = N' mod Y plurality this operation PE, B _R, to decompose the N B _j, the N _j as follows Represent Algorithm 5: FOR i = 0 TO k-1 FOR j = 0 TO m-1 S _{i, j} = T _i-1 , _j / Y + A _i · B _j + C _{i, j-1} M _i = dw _v (dw _v (S _{i, 0} ) · N ₀ ′) R _{i, j} = S _{i, j} + M _i · N _j + L _i-1 , _{j + 1} · X L _{i, j} = dw _v (R _{i, j} ) T _{i , j} = dw _{d + v} (R _{i, j} ) −L _{i, j} C _{i, j} = up _{d + v} (R _{i, j} ) NEXT NEXT However, dw _d (Z) = Z mod 2 ^d up _d ( Z) = (Z−dw _d (Z)) / 2 ^d Initial values of T _{i, j} , C _{i, j} , L _{i, j} are all 0. In Algorithm 5, C _{i, j-1} is S as a carry.
Used when computing _{i, j} . Also, L _i−1 , _{j + 1} · X,
And operations having X, Y as constants such as T _i−1 , _j / Y can be realized by shifting bits with respect to other values. Therefore, in the operation regarding T _{i, j ,} the value from the v-th bit to the d + v−1-th bit with respect to the LSB of R _{i, j} is T
It means _{i, j} . However, L _{i, j} is a value from the LSB of R _{i, j} to the v−1th bit. In this way, the 1 / Y operation for obtaining T _{i, j} is realized by the bit shift to the lower order for each R _{i, j,} so that L _i−1 , _{j + 1} is R
_It is used when performing _{i, j} calculations, and is calculated by matching the digits by X.

In Algorithm 5, i is the number of processing times, j
Is a clock, it is only S _{i, j} and R _{i, j} that must be calculated for each j (L _{i, j} , T
_{i, j} and C _{i, j} are realized only by bit shift), S
_{i, j} and R _{i, j} are realized by the following operations of the same type.

F = d / y + ab + cx (20) However, y is 2 ^v or 1, x is 2 ^d or 1 x, y is the presence or absence of bit shift, and therefore the equation (20) is shown in FIG. It can be calculated by the PE shown.

For simplicity, the circuit and operation of FIG. 14 will be described below for the case of v = 1. In FIG. 14, x indicates a multiplier, which can be realized by d AND gates. R1 is a 1-bit register that holds a. S1 and S2 are selectors for selecting whether to bit shift the inputs d and c by y or x. The adder indicated by + adds the outputs a and b from the multiplier and the outputs d / y and c and x from the selector to calculate f. R2 is a register that holds the output from the adder. By the above, FIG.
It can be seen that the equation (20) can be calculated with the PE of 4.

Therefore, each operation of Algorithm 5 is shown in FIG.
It can be obtained by combining the two PEs shown in FIG. However, B _j and N _{in in} FIG.
It is assumed that N _j (j = 0, ..., M-1) are input in order from the lower digit.
In this case, the left PE calculates S _{i, j} and the right PE calculates R _{i
i, j} are calculated. Further, since v = 1, if N is an odd number, N ₀ ′ = 1, and the LSB of S _{i, 0} becomes M _i , which is held in the register R1 of the right PE. Also, R
_{i, j} is divided into C _{i, j} , T _{i, j} and L _{i, j} for display. Therefore, k in FIG. 15 or 2 PE in FIG.
It is clear that the algorithm 5 can be executed by using k. From the above, it can be seen that the PE of FIG. 14 can efficiently perform the parallel processing of Expression (19).

Although FIGS. 14 and 15 have been described with v = 1, it is clear that Montgomery's modular multiplication can be executed for v with v <d by the same method.

[Embodiment 7 of Montgomery's modular multiplication and modular exponentiation circuit] Further, the following systolic array can be constructed. The calculation of Expression (14) is executed by the following algorithm. Algorithm 6: FOR i = 0 TO k k FOR j = 0 TO m S _{i, j} = T _i-1 , _{j + 1} + up _v (S _{i, j-1} ) + A _i · B _j Mi = dw _v (dw _v (S _{i, 0} ) · N ₀ ′) R _{i, j} = dw _v (S _{i, j} ) + up _v (R _{i, j-1} ) + Mi · N _j T _{i, j} = dw _v (R _{i, j} ) The difference between the NEXT NEXT algorithm 6 and the algorithm 5 is that T _i-1 / Y in the equation (19) is realized by a clock shift, not a bit shift. Therefore, the value L _{i, j} generated in Algorithm 5 due to the bit shift does not occur in Algorithm 6.

A PE and systolic array implementing Algorithm 6 are shown in FIGS. Each of j and i in Algorithm 6 also corresponds to the clock and the number of times of processing. Further, each of the B _in, N _in the Figure _{17 B j, N j (j} =
0, ..., m-1) are input in order from the lower digit.

Hereinafter, for simplicity, the case of v = d will be described. First, in FIG. 16, x is d bits · d
A bit multiplier is shown, and + is an adder. R1 is A _i
Alternatively, R2 is a register that holds M _i , and R2 is a register that holds the output from the adder. The v-th bit and above are carried as a carry and fed back to the adder with a delay of one clock. As a result, in FIG. 17, S _{i, j} is calculated in the left PE and R _i is calculated in the right PE.
It can be seen that _{i, j} is calculated. At this time, M _i is multiplied by N ₀ 'by an external multiplier and output to the right PE. Therefore, it is understood that the PE in FIG. 7 is an efficient basic operator for realizing the algorithm 6 by parallel processing.

Although FIGS. 16 and 17 have been described with v = d, it is clear that Montgomery's modular multiplication can be executed for v with v <d by the same method.

[Embodiment 8 of Montgomery's modular multiplication and modular exponentiation circuit] Montgomery's modular exponentiation can be executed by repeating the calculation of equation (19). 14
And since the PE shown in FIG. 16 can perform the operation of the equation (19), if it is combined with a memory as shown in FIG. 18, one PE will be (3 · t / 2 + 2) · q times (q is Montgomery). The number of PEs required to form the remainder multiplication array of 2k in the PE of FIG. 14 and 2 in the PE of FIG.
-(K + 1) pieces can be used to process the Montgomery modular exponentiation operation. If p PEs are used, (3.
It is possible to process Montgomery's modular exponentiation operation by repeating t / 2 + 2) · q / p times. Since the processing speed is inversely proportional to the number of repetitions, this method can make the processing speed proportional to the number of PEs, and the power of the same efficiency can be used for increasing the processing speed by the number of PEs or reducing the circuit size. A remainder arithmetic circuit can be configured.

Therefore, a device as shown in FIG. 19 can be realized. In FIG. 19, MEC (Modular Exponentiati
On chip) is a chip formed by combining p PEs. p is 1 ≤ p ≤ (3 · t /
Since 2 + 2) · q is arbitrary, a chip having an arbitrary circuit scale can be configured. Further, since the MEC has regularity in the circuit configuration, it can be very easily made into a device and a chip. Further, since the processing speed can be increased in proportion to the number of MECs, a plurality of MECs may be used as shown in FIG. In this case, it is necessary to change the control of each MEC according to the number of chips, but this can be easily realized by configuring the control circuit with an externally programmable ROM or the like.

[Other Embodiments of Montgomery's Residual Multiplication and Exponentiation Residue Arithmetic Circuit] In the algorithm according to the present invention, the processing performed by one PE is a simple integer arithmetic operation. And CP
Even with U or the like, Montgomery's modular exponentiation operation can be easily realized.

The present invention has a regular circuit configuration,
Since the control and delay are local, it is suitable for practical use by VLSI.

It is also possible to combine the PEs shown in FIGS. 14 and 16 into one PE.

As described above, the method of constructing a modular exponentiation and modular multiplication circuit and method using PE has been shown. As a result, an efficient cryptographic system having the following effects can be constructed.

When a high-speed cryptosystem is required, the exponentiation and modular multiplication and modular multiplication circuit according to the present invention may be configured by VLSI or the like. In this case, the modular exponentiation operation and the modular multiplication according to the present invention have a simple PE rule structure, and are therefore suitable for VLSI. This constitutes a high speed encryption system.

If a cryptographic system with a small circuit is required rather than high speed, the power-residue calculation and the residue-multiplication circuit according to the present invention may be configured by several PEs. Also in this case, the feature such as the regular structure of PE is not lost and it is easy to form a circuit. Further, since the operation performed in PE is a simple integer operation, the operation procedure according to the present invention is performed by the CPU or D.
A simple encryption system can be realized by a software method such as SP.

Further, even if high speed is required after the encryption device is constructed by a small circuit (MEC or the like) consisting of several PEs, the circuit scale can be increased by using a plurality of such small circuits as shown in FIG. A proportional increase in speed can be realized. Therefore, it is possible to realize an encryption system in which the required speed can be easily increased by simply increasing the number of circuits without recreating the encryption device.

After the encryption system is constructed once,
Even when the number of integer bits to be calculated for increasing the strength of the cryptosystem is increased, the same circuit or a similar circuit with an increased number of PEs can be used. This is because the modular exponentiation and modular multiplication circuit of the present invention can easily trade off the circuit scale and the number of times of processing, so that the difference in the number of bits of the integers to be calculated can result in the difference in the number of times of processing. Therefore, even if the cryptographic strength of the system is increased, it is not necessary to remake the cryptographic device. Further, even when the number of bits of the integer to be calculated is reduced, it is possible to realize a cryptographic system without recreating the cryptographic device.

The above-described effects cannot be realized by the conventional cryptographic device based on modular exponentiation and modular multiplication that does not efficiently use parallel processing. Therefore, by using the modular exponentiation operation and the modular multiplication circuit and method according to the present invention, a flexible and expandable cryptosystem can be constructed.

[0122]

As described above, according to the present invention,
The modular exponentiation and the modular multiplication can be performed by the iterative calculation of Z = X · Y · R ⁻¹ mod N (16). Therefore, required arithmetic operations can be performed by the same or the same type of arithmetic circuit.

Further, when this is calculated using Montgomery's remainder multiplication Z = X · Y · R ⁻¹ mod N = (X · Y + S · N) / R, where S = X · Y · N ′ mod N For, by using an input value that satisfies the condition, the modular multiplication and the modular exponentiation operation can be executed by a simple iteration of Montgomery's modular multiplication.

Since the required operation is an integer operation,
The arithmetic circuit can now be easily realized.

Therefore, various cryptographic systems using the modular multiplication and the modular exponentiation can be efficiently constructed by the common arithmetic circuit and method.

The Montgomery remainder multiplication circuit according to the present invention realizes high-speed processing with a very small circuit scale.

By the modular exponentiation operation and the modular multiplication circuit using the systolic array according to the present invention, an efficient cryptosystem having the following effects can be constructed.

When a high-speed cryptosystem is required, the exponentiation and modular multiplication and modular multiplication circuit according to the present invention may be constructed by VLSI or the like. In this case, the modular exponentiation operation and modular multiplication according to the present invention have a simple PE rule structure, and the PE control and the delay time within the PE are local, which is optimal for VLSI. This constitutes a high speed encryption system.

Further, when the cryptographic system is required to have a smaller circuit scale rather than high speed, the power-residue arithmetic operation and the modular multiplication circuit according to the present invention may be constituted by several PEs.
In this case as well, the features such as the regular structure by PE, the control, and the locality of the delay time are not lost, and the circuit can be easily formed. Also, P
Since the operation performed in E is a simple integer operation, the operation procedure according to the present invention can realize a simple cryptographic system even by a software method such as a CPU or a DSP.

Further, even if high speed is required after the encryption device is constructed by a small circuit (SYMC or the like) made up of several PEs, the small circuits can be connected in cascade to achieve circuit scale. It is possible to realize speedup proportional to. Therefore, it is possible to realize an encryption system in which the speed can be easily increased as needed by simply adding the encryption devices without newly recreating them.

Further, since the circuit scale and the number of processings can be easily traded off, once the encryption system is constructed,
Even when increasing the number of bits of the integer to be calculated in order to increase the strength (security against decryption) of the cryptosystem, the difference in the number of bits of the integer to be calculated can be attributed to the difference in the number of processing times. A similar circuit with an increased number of PEs can be accommodated. Therefore, in this case, it is not necessary to recreate the encryption device. Further, even when the number of bits of the integer to be calculated is reduced, it is possible to deal with the cryptographic device without remaking it.

Therefore, by using the modular exponentiation operation and the modular multiplication circuit and method according to the present invention, it is possible to construct a flexible and expandable cryptographic system.

[Brief description of drawings]

FIG. 1 is a diagram showing a configuration example of a communication system using a cryptographic system.

FIG. 2 is a diagram showing an example of a modular multiplication circuit according to the present invention.

FIG. 3 is a diagram showing an example of a modular exponentiation arithmetic circuit according to the present invention.

FIG. 4 is a block configuration diagram of a modular multiplication circuit according to the embodiment.

FIG. 5 PE of the embodiment (processing element)
FIG.

6 is a diagram showing a systolic array using the PE of FIG.

FIG. 7 is a diagram showing a common PE.

FIG. 8 is a diagram showing a PE of another embodiment.

9 is a diagram showing a systolic array using the PE of FIG.

FIG. 10 is a diagram showing a PE of another embodiment.

11 is a diagram showing a systolic array using the PE of FIG. 10. FIG.

FIG. 12: Circuit combining PE and memory

FIG. 13 is a diagram showing a modular exponentiation operation and a modular multiplication circuit using SYMC.

14 is a diagram showing PE of Example 2. FIG.

15 is a diagram showing a circuit using the PE of FIG.

16 is a diagram showing PE of Example 2. FIG.

17 is a diagram showing a circuit using the PE shown in FIG.

18 is a diagram showing a circuit in which the circuit of FIG. 17 and a memory are combined.

FIG. 19 is a diagram showing a modular exponentiation operation and a modular multiplication circuit using MEC.

[Explanation of symbols]

T communication terminal S, SL selector R, Ri register H half adder + adder B _i multiplier N _i multiplier PE processing element MEC exponentiation residue calculation chip SYMC systolic exponentiation residue calculation chip

Claims (10)

[Claims] 1. Remainder multiplication of integers A and B modulo N = Q
In an encrypted communication method for encrypting or decrypting communication contents by using A · B mod N, an integer R which is a prime to N is used for input data U and V, and Z = U · V · One or more calculation units for calculating and outputting R ⁻¹ mod N are provided, and A and a constant R _R such that R _R = R ² mod N are input to the calculation unit, and A
_R = A · R _R · R ⁻¹ mod N is output, B and the constant R _R are input, and B _R = B · R _R · R ⁻¹
mod N is output, the output A _R and B _R are input, and T _R = A
_R · B _R · R ⁻¹ mod N is output, and the output T _R and constant 1 are input, and T _R · 1 · R
^-1 mod N is output as Q, whereby the modular multiplication Q = A · B mod N is executed. 2. A cryptographic communication method for encrypting or decrypting communication contents by using a modular exponentiation operation on integers M, e modulo N: C = M ^e mod N, wherein input data U, V On the other hand, by using an integer R that is a prime to N, one or more arithmetic units for calculating and outputting Z = U · V · R ⁻¹ mod N are provided, and M and R are provided for the arithmetic units. _R = R ² mod N, a constant R _R , is input, and M _R = M · R _R · R ⁻¹ mod N is output, and the binary representation of e is e = [e ^t , ^et-1 , ... , e ¹ ], and C _R
The initial value of C _R = R _R · R ⁻¹ mod N is set, and C _R and M _R are input to the arithmetic unit when e ⁱ = 1 according to the value of e ⁱ from the higher order bits. and, C _R · M _R · _R
^-1 modN to output as a new C _R, further, when the i in the e ⁱ is greater than 1, type both C _R as two input data to the arithmetic unit, C _R · C _R R ⁻¹ mod N is output as a new C _R , and after completion of the processing for all the e ⁱ , C _R and a constant 1 are input to the arithmetic unit, and C = C _R. R ^-1 m
By outputting od N, the modular exponentiation operation C
= M ^e mod N is executed. 3. A cryptographic communication method for encrypting or decrypting communication contents by using a modular exponentiation operation on integers M, e modulo N: C = M ^e mod N, wherein input data U, V On the other hand, by using an integer R that is a prime to N, one or more arithmetic units for calculating and outputting Z = U · V · R ⁻¹ mod N are provided, and M and R are provided for the arithmetic units. _R = R ² mod N, a constant R _R , is input, and M _R = M · R _R · R ⁻¹ mod N is output, and the binary representation of e is e = [e ^t , ^et-1 , ... , e ¹ ], and C _R
When the initial value of C _R = R _R · R ⁻¹ mod N is set and e ⁱ = 1 according to the value of e ⁱ from the lower order bits, C _R and M _R are input to the arithmetic unit. and, C _R · M _R · _R
⁻¹ mod _N is output as a new C _R , and when ⁱ in the e ⁱ is smaller than t, both M _R are input to the arithmetic unit as two input data, and M _R · M _R R ⁻¹ mod N is output as a new M _R , and after the processing for all the e ⁱ is completed, C _R and the constant 1 are input to the arithmetic unit, and C = C _R. R ^-1 m
By outputting od N, the modular exponentiation operation C
= M ^e mod N is executed. 4. The constant R _R and the constant 1 are input to the arithmetic unit, and the output R _R · 1 · R ⁻¹ mod _{N is used as} an initial value of C _R. The encrypted communication system described in. 5. When ^{n is} a value N <2 ⁿ , in the arithmetic unit, a constant R and input data U and V are u = 1 and r> 1, or u> 1 and r = u + 1. 5. The cryptographic communication system according to claim 1, wherein R = 2 ^{n + r} , U <2 ^{n + u} , and V <2 ^{n + u} are satisfied for u and r. 6. A cryptographic communication method for encrypting or decrypting communication contents by using a modular multiplication Q = A · B mod N modulo N for input integers A and B, wherein N
Using the integer R which is a prime number, A · R mod N is calculated from the input A and _R , the result is taken as A _R, and B · R mod N is calculated from the input B and R. And the result is B _R, and A _R · B _{R is} calculated based on the calculation results A _R , B _R and _R.
· R ^-1 seeking mod N to the result with T _R, calculates the T _R and the R and the T _R · R ^-1 mod N,
As a result, Q is obtained, and the operation for obtaining T _R is performed by dividing A _i by v bits of A _R by an arbitrary integer v, Y = 2 ^v , and T _i = (T _i-1 + A _i · _BR · Y + M _i−1 · N) / Y M _i−1 = (T _i−1 mod Y) · (−N ⁻¹ mod Y) mod Y Communication method. 7. Each one operation in the sequential operation,
7. The cryptographic communication method according to claim 6, wherein the cryptographic communication is performed by one arithmetic element, and the sequential arithmetic operation is entirely executed by pipeline processing. 8. The cryptographic communication method according to claim 6, wherein in the sequential operation, multiplication or division by Y is executed by shifting the bit position and performing addition in the addition. 9. In the sequential calculation, B _j and N _j are respectively divided into d B bits of B _R and N by an arbitrary integer d, and A _i · B _j-1 and M _i-1 · N _j. 7. The cryptographic communication method according to claim 6, wherein the calculation result and the previous sequential calculation result T _i-1 are added. 10. A cryptographic communication method for encrypting or decrypting communication content by using a modular multiplication Q = A · B mod N modulo N for input integers A and B,
Using an integer R that is a prime to N, calculate A · R mod N from the input A and R, take the result as A _R, and calculate B · R mod N from the input B and R Then, the result is set to B _R, and based on the calculation results A _R , B _R and R, A _R · B _R
· R ^-1 seeking mod N to the result with T _R, calculates the T _R and the R and the T _R · R ^-1 mod N,
As a result, Q is obtained, and the operation for obtaining T _R is performed by dividing A _i by v bits of A _R by an arbitrary integer v, and Y = 2 ^v . T _i = (T _i-1 / Y + A _i · B _R ) + M _i · N M _i-1 = ((T _i-1 / Y + A _i · B _R ) mod Y) · (−N ⁻¹ mod Y) mod Y Characterized cryptographic communication method.