DE10219164B4 - Device and method for calculating an integer quotient - Google Patents

Abstract

Device for calculating an integer quotient of a term (T) with respect to a module (N), the term having a product of a binary multiplier (M) and a multiplicand (C), with the following features:
a processing device (10) for processing bits of the multiplier (N) in a plurality of processing steps, the processing device (10) being designed to calculate, in one processing step, an intermediate result (Z) which is reduced in terms of the module and which of the one or more Binary multiplier bits that are considered in the one processing step;
means (12) for logging reduction information in the one processing step and for logging ordering information about one or more digits of the integer quotient affected by the one processing step; and
an evaluation device (14) for evaluating the reduction information and the order information from the processing steps in order to obtain the integer quotient (Q).

Description

The The present invention relates to computing algorithms and in particular on computational algorithms for cryptographic applications needed become.

In particular in public key cryptography, but also in other areas of cryptography the key lengths steadily. This is because that too the security requirements for such cryptographic algorithms increase more and more. Using the RSA procedure as a representative of a asymmetric cryptography concept, i.e. a public key process security towards so-called brute force attacks the key length used. Brute-force attacks are attacks on a cryptographic algorithm in which Try all of them possibilities on a key to be closed. It is immediately clear that with increasing Key length the Time theoretically for a brute force attack is needed for all possibilities to try, increases sharply.

In In this context it should be noted that RSA applications were used in earlier times with key lengths of 512 bits were considered sufficient. Due to technical and mathematical advances of the "opposite side" then became Key lengths for typical RSA applications increased to 1024 bits. Meanwhile, from some sides take the view that also this key length is not is sufficient so that RSA key lengths of 2048 bits are aimed for.

If on the other hand existing cryptographic coprocessors such as e.g. B. on SmartCards, can be seen that of course the There is also a desire for RSA applications with, for example, 2048 bits of key lengths on cryptographic To run circuits that are actually only for key lengths of z. B. 1024 bits have been developed. So it's just a hallmark of arithmetic coprocessors for existing SmartCard applications, that she for one fixed bit length have been developed that do not meet the latest security requirements are suitable, d. H. are too small. As a result, for example a 2048-bit RSA algorithm on 1024-bit coprocessors is not efficient can be handled. For RSA applications are, for example, the Chinese remainder sentence (CRT; CRT = Chinese Remainder Theorem), in which a modular Exponentiation with large Key length in two modular exponentiations with half the key length is broken down, after which the Results of the two modular half-length exponents accordingly summarized become.

In recently, Time has turned out that the Chinese remainder particularly vulnerable across from DFA (Differential Fault Analysis) attacks.

On The problem with many methods is therefore the "doubling" of the so-called modular multiplication, which is a key operation in cryptographic Calculations. So modular exponentiation can take many modular multiplications are broken down, d. H. into an operation in which a product of a first operand A and a second operand B in a residual class regarding of a module N is calculated. If operands A and B are each 2n bits, so arithmetic units are typically used that a length of 2n bits. These arithmetic units are due to their high Length as Long number arithmetic, in contrast to, for example, classic 8, 16, 32 or 64 bit architectures, the z. B. for PC or workstation processors are used.

Wishes exist therefore, a modular multiplication A · B mod Execute N with numbers A, B and N of bit length 2n on an n-bit arithmetic unit. This is very time-consuming, since the numbers A, B, N, ... are only fragmentary can be loaded why conventional methods, unless they fail completely, are organizationally complex and prone to errors. In technology there is several methods by which this problem has been solved so far is. These procedures are called Montgomery multiplication, normal multiplication, e.g. B. with Karatsuba-Ofman and later reduction, such as B. Barret reduction, known.

On another concept in which a Montgomery calculation is used in a "CRT window", is in P. Pailler, “Lowcost double size modular exponentiation or how to stretch your cryptocoprocessor ".

All Such concepts are expensive in terms of computing time and data organization and therefore not always efficient.

In the German patent application filed on the same day with the title “Device and method for calculating a result of a modular multiplication”, a concept is described in which a modular multiplication for operands of 2n bits is converted into several so-called MMD operations for which Operands of half the length, ie with n bits, are sufficient In addition to the remainder resulting from A × B mod N, an MMD operation also supplies the result of the corresponding integer division, i. H. the DIV operation, this result also being referred to as an integer quotient Q.

Generally leads the Operation T mod N to a residue R if a term T is related to a Module N is reduced. The operation T div N delivers the integer quotients with respect to the module N, so that the term T from Q × N + R can be reconstructed. The MMD operation (MMD = MultModDiv) serves hence a conversion of any term T into an integer Quotient Q and a remainder R with respect to a module N.

In the usual modular arithmetic used for cryptographic techniques the result of the DIV operation, So the integer quotient is not required and not calculated. However, the concept described above is based on it, also the DIV information, to use the integer quotient. So can too other applications in technology exist where not only the result of the MOD operation, i.e. the rest, is needed but also the integer quotient, i.e. the result of the DIV surgery needed becomes.

A Well-known, efficient and often used way to get the modular To calculate multiplication is technically called Montgomery multiplication known and z. B. in the "Handbook of Applied Cryptography ", Menezes, van Oorschot, Vanstone, CRC Press, pages 600-603. The Montgomery reduction is a technique that is an efficient implementation of the modular Multiplication allowed without the classic modular reduction step is carried out explicitly. Generally speaking, in the Montogomery reduction, the division operation is performed by simple displacement operations expressed.

An extension of the Montgomery multiplication operation to the elliptical body GF (2 ⁿ ) is now also known. This extension is described in "Montgomery Multiplication in GF (2 ^k )", Koc, Azar, Designs, Codes and Cryptography, Vol. 14, 1998, pp. 57-69. This extension is also described in "A Scalable and Unified Multiplier Architecture for Finite Fields Z / NZ and GF (2 ⁿ ) ", Erkay Savas et al., Cryptographic Hardware and Embedded Systems (CHESS 2000), pp. 281-289, Springer Lecture Notes.

A disadvantage of the Montgomery multiplication via Z / NZ or GF (2 ⁿ ) is the fact that although the hardware-poorly implementable division operation for modular reduction is bypassed by shifting operations, no look-ahead methods or look-ahead methods are used to accelerate the modular multiplication operation in terms of hardware.

The DE 3631992 C2 discloses a method in which modular multiplication over Z / NZ can be accelerated using a multiplication look-ahead method and using a reduction look-ahead method. That in the DE 3631992 C2 The method described is also referred to as the ZDN method and is based on 6 described in more detail. After a start 900 of the algorithm, the global variables M, C and N are initialized. The aim is to calculate the following modular multiplication: Z = M · C mod N.

M is referred to as the multiplier, while C as the multiplicand referred to as. Z is the result of modular multiplication, while N is the module.

Various local variables are initialized, which do not need to be discussed in more detail at first. Two look-ahead procedures are then used. In the multiplication look-ahead method GEN_MULT_LA, a multiplication shift value s _Z and a multiplication look-ahead parameter a are calculated using different look-ahead rules ( 910 ). The current content of the Z register is then subjected to a left shift operation by s _Z positions ( 920 ).

A reduction forecast procedure GEN_Mod_LA ( 930 ) to calculate a reduction shift value s _N and a reduction parameter b. In one step 940 the current content of the module register, i.e. N, is then shifted by s _N places to produce a shifted module value N '. The central three-operand operation of the ZDN method takes place in one step 950 instead of. Here, the intermediate result Z 'after the step 920 to the multiplicand C, which is multiplied by the multiplication look-ahead parameter a, and to the shifted module N ', which is multiplied by the reduction look-ahead parameter b. Depending on the current situation, the look-ahead parameters a and b can have a value of +1, 0 or -1.

One case is that the multiplication look-ahead parameter a is +1 and the reduction look-ahead parameter b is -1, so that the multiplicand C is added to a shifted intermediate result Z 'and the shifted module N 'is subtracted from it. Among other things, a will have a value equal to 0 if the multiplication look-ahead method would allow more than a preset number of individual left shifts, ie if s _{Z is} greater than the maximum permissible value of s _Z , which is also referred to as k becomes. In the event that a is equal to 0 and that Z 'is still quite small due to the preceding modular reduction, i.e. the preceding subtraction of the shifted module, and in particular is smaller than the shifted module N', no reduction has to take place, so that the parameter b is 0.

The steps 910 to 950 are carried out until all positions of the multiplicand have been processed, i.e. until m is 0, and also until a parameter n is 0, which indicates whether the shifted module N 'is still larger than the original module N, or whether Despite the fact that all positions of the multiplicand have already been processed, further reduction steps have to be carried out by subtracting the module from Z.

Finally, it is determined whether Z is less than 0. If this is the case, in order to achieve a final reduction, the module N must be added to Z so that the correct result Z of the modular multiplication is finally obtained. In one step 960 the modular multiplication by means of the ZDN method is ended.

The multiplication shift value s _Z and the multiplication parameter a, which in step 910 calculated by the multiplication look-ahead algorithm result from the topology of the multiplier and from the look-up rules used in the DE 3631992 C2 are described.

The reduction shift value s _N and the reduction parameter b are, as is also the case in FIG DE 3631992 C2 is determined by comparing the current content of the Z register with a value 2/3 times N. Because of this comparison, the ZDN method bears its name (ZDN = two thirds N).

The ZDN procedure as described in 6 the modular multiplication leads to a three-operand addition (block 950 in 6 ) back, using the multiplication look-ahead method and the associated reduction look-ahead method to increase the computing time efficiency. Compared to the Montgomery reduction for Z / NZ, a computing time advantage of a factor of the order of 3 can therefore be achieved.

adversely of the multiplication concepts described above is that only the modulo operation is calculated, but not the DIV operation is calculated, i.e. the operation that uses the integer quotient Q regarding of the module N of the product of the multiplier M and the multiplicand C returns, so that Product C × M = Q · N + Z represents. However, how it was done is the integer Quotient, however, for certain Applications useful using one of these applications as described above is a modular multiplication with numbers one certain length Execute efficiently on a half-length calculator.

The DE 699 00 127 T2 discloses an improved method of performing integer division in which a word is loaded into a first register, zeros are loaded into a second register, zeros are further loaded into a third register, and another word is loaded into one fourth register is loaded. This is followed by steps of an integer division, a loading of another word into a register and a shifting of contents from different registers, a subtraction of values, a decrementing or loading of the words into a register and a corresponding shifting, depending on the result of the subtraction, and further steps to finally get the result of an integer division.

The DE 698 02 016 T2 discloses a method and apparatus for performing an integer division operation with a modulo-arithmetic coprocessor based on the Montgomery method, wherein in the course of the division at least one of the words with a number of bits of the counter or the quotient bit by bit into a register for bit shift loading, and the word is entered into the register in a first order and bit by bit is output from the register in reverse order from the first order.

The The object of the present invention is to provide a concept for easily and efficiently implementable calculation of an integer quotient to accomplish.

This Task we by a device according to claim 1 or a method solved according to claim 16.

The present invention is based on the finding that in processors for calculating the remainder Z of a product from a multiplier and a multiplicand - and optionally from an addition of this product with a third operand multiplied by the factor 2 ⁿ - which the bits of the multiplier in Process or "scan" several processing steps sequentially, the integer quotient without intervention in the arithmetic unit itself and furthermore without any or minimal intervention can be extracted into the control section that controls the arithmetic unit.

at the usual modular arithmetic is the integer quotient, i.e. the result the DIV operation is always ignored due to a lack of appropriate use Service. According to the invention, the integer Quotient using a processor to calculate the remainder of a term regarding of a module, such that in each processing step, in which the processor is one regarding of the module reduced intermediate result calculated, reduction information on the one hand and order information on the other, which relates to Digits of the integer quotient related to each Processing step are affected, are logged. Then, after the multiplier bits by means of the multiple processing steps the reduction information logged is processed and order information is evaluated by the respective steps, to the integer without complex arithmetic operations To get quotients.

at a preferred embodiment in parallel with the processing of the multiplier bits by the processing device Log register kept, being bits of certain order, determined by the ordering information is determined using the reduction information after be set or not set in each processing step. Become two or more such protocol registers are used Device capable of evaluating, simply by adding or subtract the log registers after all have been processed Multiplier bits to get the integer quotient.

The Invention is particularly advantageous in that none Information needed be that over Information goes beyond that of such processing equipment anyway to calculate the modulo operation. The integer The quotient is thus "free of charge" to a certain extent (especially with regard to the Computing time) and without intervention in the arithmetic unit of the processing device receive. Only a logging device has to be provided be the ones needed Reduction information or order information at the end of each Processing step extracted from the control part.

at a final one Evaluation of the protocol information by an evaluation device the integer quotient then results without a single change on the hardwired calculator was.

This The fact is of particular importance in that cryptographic Arithmetic units are typically long-number arithmetic units that are specific Operations such as B. the modular multiplication are optimized. Interventions in such long number arithmetic units, which are typically added with 1024 or more individual adders or "bit slices" are in Draft complex, prone to errors and disadvantageous in that again complete function tests must be carried out. Especially for safety-critical ones Applications, for the usual Cryptography algorithms are used is the security aspect of particular importance as sensitive information, such as amounts of money or personal Information processed when e.g. B. on smart cards or is generally thought of smart cards.

The inventive method is also advantageous in that it also requires little computing time is what is particularly important when complex cryptographic Algorithms are to be calculated, using processors based on the fact that their chip area is limited when thinking again of chip cards Have computing and storage resources.

preferred embodiments of the present invention are hereinafter referred to the accompanying drawings explained in detail. Show it:

1 a block diagram of an inventive device for calculating an integer quotient;

2 a flow diagram of a simple modular multiplication algorithm;

3 a flowchart of the in 2 simple multiplication algorithm shown, in which the DIV operation is carried out in addition to the modulo operation;

4 a summarized flow diagram of the known ZDN algorithm;

5 a flowchart of the ZDN algorithm for additional calculation of the integer quotient; and

6 a detailed flow diagram of the known ZDN algorithm.

1 shows a block diagram of an inventive device for calculating an integer quotient of a term T with respect to a module N, the term being a product of a binary multiplier M and a binary multipli Candidate C. The device comprises a processing device 10 that are in an arithmetic unit 10a and a control part 10b breaks down. The arithmetic unit typically consists of a long number adder for two or more operands, while the control part 10b is designed to control the arithmetic unit so that it sequentially processes the multiplier bits and finally, when all multiplier bits have been processed, delivers the result Z of the modular reduction of the term having the product C · M.

The device according to the invention further comprises a logging device 12 for logging reduction information in the respective steps and for logging ordering information about positions of the integer quotient affected by one or more digits affected by the respective processing step. The logging facility 12 is effective with the control part 10b coupled to extract the logging information for each step. If the control part 10b an evaluation device also provided 14 signals that all multiplier bits have been processed and the end result Z is present, the evaluation device intervenes 14 to the logging facility 12 to evaluate the reduction information and the order information in order to finally output the integer quotient Q.

In terms of hardware, it is preferred to carry out the modular reduction by subtracting the module, in one processing step depending on the implementation of the arithmetic unit 10a one or more module subtractions can take place. If, as will be explained below, multiplication look-ahead algorithms and furthermore reduction look-ahead algorithms are used, the case may occur in one processing step that a module is added to the intermediate result. This reduction information, that is to say whether a module is subtracted, whether a module is added, or whether, which can also occur, neither an addition of the module nor a subtraction of the module occurs can be obtained from the logging device 12 be logged in every processing step. The order information relates to which positions of the quotient are affected by the respective processing step. The multiplier bits are typically processed or scanned from above, i.e. starting from the MSB (MSB = Most Significant Bit). In the case of simpler modular multiplication algorithms, the order information can correspond directly to the order of the multiplier bits considered in one step. If only a multiplication look-ahead algorithm is used, several bits of the multiplier are considered and processed in one processing step. In this case, the ordering information will depend on the multiple bits of the multiplier. In the case of coupled multiplication look-ahead algorithms and reduction look-ahead algorithms, the order information depends indirectly on the order of the multiplier bits considered in one processing step. As is typical of look-ahead algorithms, this relationship is on the one hand data-dependent and on the other hand determined by the previous history.

at a preferred embodiment of the The present invention is based on the logging device the hardware-technical simple implementation as a register set trained with one or more registers, which step by step be described and finally, after the processing of the complete multiplier by the evaluation device evaluated in a suitable manner, such as. B. added or subtracted, to get the integer quotient Q.

In the following, reference is made to 2 a simple multiplication algorithm is shown, which is also known as the "textbook algorithm". This algorithm receives as input the module N, the multiplicand C, which by definition is smaller than the module N, and the multiplier M, which consists of binary multiplier bits M ₀ (lsb) until M _m-1 (msb) exists and is greater than 0. This algorithm delivers Z = C × M mod N as output. In a first initialization step, the order of the multiplier i is initialized to m - 1. Furthermore, the Z register , which acts as an intermediate result register during processing and ultimately as a final result register, also initialized ( 20 ). This is done in one stage 21 examines whether the bit of the multiplier just considered, ie M _i is 0 or 1. If the bit is 0, then only a multiplication by a factor of 2 or a shift by one position in the Z register is carried out ( 22a ). If, on the other hand, the bit is 1, the content of the register is shifted to the left by one position, which corresponds to a multiplication by 2, and it also becomes like a block 22b it can be seen that the multiplicand C is added. The modular reduction takes place in such a way that initially in one stage 23 it is examined whether the content of the intermediate result register Z is greater than or equal to N. If this question is answered in the affirmative, the module N is subtracted for the first time from the intermediate result register Z ( 24 ). Then it is checked again whether the current content of the intermediate result register Z is greater than or equal to N ( 25 ). If this question is answered in the affirmative, module N is subtracted again ( 26 ). This procedure is repeated until i equals 0, which is in a block 27 is checked. If the question is answered with yes, the algorithm has ended. If, on the other hand, this question is answered with no, then i becomes egg a block 28 decremented by "1" and there is another iteration loop using the blocks 21 to 27 run through.

The following is based on 3 the inventive expansion of the in 2 algorithm shown, ie the functionality of the logging device 12 of 1 and the evaluation device 14 of 1 explained. Elements in 3 that have the same reference numerals as in 2 have the same function and are not explained again. In a preferred exemplary embodiment of the present invention, the logging device comprises for expanding the in 2 shown known "textbook algorithm" two auxiliary registers Q and Q 'in one step 20 ' be initialized. Depending on the answer to the question in the block 23 , so whether the interim result Z that by the step 22a and the step 22b obtained, is greater than or equal to N, bits of order i in the first auxiliary register Q _i or in the second auxiliary register Q ' _{i are written} with "0". The reduction information here consists of the "zeros" which are determined by the ordering information Make entries in the register. The intermediate result Z was less than N, as it was in the block 23 no module subtraction has been determined, which is immediately evident in the fact that the corresponding auxiliary register bits are set to 0. If, on the other hand, a module subtraction (step 24 ) is carried out, the bit i of the first auxiliary register Q is set to 1, while the bit of the second auxiliary register Q ' _{i is set} to 0, as in a block 30b you can see.

If a second module subtraction is carried out (block 26 of 3 ), both the bit i of the first auxiliary register Q and the bit i of the second auxiliary register Q 'are set to 1, as is done by a block 30c you can see. This procedure is carried out for each processing step, up to the block 27 it has been determined that i is 0. Then the evaluation device 14 of 1 active to add the two registers Q and Q 'as is in a block 32 is shown in order to finally obtain the integer quotient Q as a result. The functionality of the logging device is thus determined by the blocks 30a . 30b . 30c implemented while the functionality by the evaluation facility 14 of 1 through the block 32 in 3 is implemented.

Out 3 it can be seen that no change to the basic algorithm is required to obtain the quotient information. With regard 1 this means that both the arithmetic unit 10a as well as the control part 10b the processing device 10 do not have to be changed and therefore do not have to be newly developed and tested to calculate the quotient information.

Out 3 it can also be seen that the logging of the reduction information and the order information does not require any further calculation step. Only the evaluation device, which has to add the two registers, requires an addition cycle, which, however, is not significant if it is considered that the quantities N, C, M z. B. 1024 digits, which in 3 algorithm shown means that the iteration loop must be run through 1024 times.

The in 3 The algorithm shown can simply be expanded to process not only the term C × M, but a term C × M + D × 2 ⁿ . This can easily be achieved in that in the initialization step 20 ' the intermediate result Z is not initialized to 0, but is initialized to D. For this reason, the operation carried out by those in 3 shown circuit is executed, the name initialization MMD operation when the intermediate result register Z is initialized to a value D before the first iteration step. In this context MMD stands for MultModDiv to indicate that the in 3 The algorithm shown provides both the modularly reduced result of the term and the integer quotient of the term C × M + D × 2 ⁿ , where the usual multiplication results for D equal to 0.

4 shows a somewhat compressed representation of 6 , namely the known ZDN algorithm, which has been explained above. An initialization block 40 shows the quantities i, Z and c which are important for the present invention. Again, Z can be initialized to either 0 or D to perform either an MMD operation or an initialization MMD operation.

As represented by a subsequent block, the ZDN facility creates 910 . 920 . 930 of 6 a multiplication shift value s _Z , which is usually always greater than 0, a multiplier bit value s _M which indicates how many multiplier bits have been processed in a look-ahead step, the reduction shift value s _N , and the multiplication look-ahead parameter a and the reduction look-ahead parameter b. The multiplier bit ordinal number i is reduced by s _M after each step. The size c specifies the position of a buffer for the module with the comma of the module, i.e. the LSB of the original module. The size c is changed by c + s _N after each step.

In one step 940 then the module shift takes place, by multiplying the old content of the module register N by a factor 2 ^s _N can be represented. In one step 950 then find the one already referring to 6 described 3-operand addition instead, which continues until i is 0 and c is also 0 (block 42 ). If so, it will be in one step 44 examines whether the intermediate result register Z is less than 0. If this is the case, the module N is added again (block 46 ), since the rest of the modular multiplication, i.e. Z, must by definition be greater than 0. In contrast, becomes block 42 answered yes, where is another iteration carried out to process one or more multiplier bits, depending on the look-ahead property of the multiplier.

The following is based on 5 the extension of the invention in the 4 and 6 known ZDN algorithm shown. The same reference numerals in the 4 and 5 mean the same elements. For this reason, these elements are not explained again. The one through a block 910 . 920 . 930 designated ZDN processor again delivers s _Z , s _N , a and b. Then the in the initialization block 40 ' initialized quotient order value j, which has been initialized to m, in one block 50 reduced, namely by the difference between the multiplication shift value s _Z and the reduction shift value s _N. If the multiplication look-ahead algorithm, which is responsible for the multiplication shift value s _Z , determines that the intermediate result is to be shifted upwards, that is to say to higher-order bits, this becomes clear with regard to the order information of the logging device, which is indicated by block 50 is shown, taking into account that less significant bits of the quotient are affected. The order of a quotient bit in the current step is therefore (s _Z - s _N ) lower than the order of the corresponding quotient register bit from the previous step.

If, on the other hand, there is a positive reduction shift value s _N , this means that the content of the module register N is greater by a factor of 2 ^s _N than in the previous step. If such an "enlarged" module is subtracted, which is brought about by a reduction look-ahead parameter b of "-1", this is shown in the order information (block 50 , Parameter j) is taken into account to the effect that higher-order bits of the integer quotient are affected than in the previous iteration step.

The reduction information is tabulated in a block 52 of 5 shown. The logging device again uses two auxiliary registers Q and Q ', the bit values in the two registers depending on the reduction parameter b. If b has been calculated by the ZDN facility to be 0, no reduction takes place at all. Therefore, the order j bits of both registers Q and Q 'are set to 0. If, on the other hand, the reduction parameter b is "1", a module was added to the current intermediate result in the 3-operand operation. This is done in the block 52 thereby taking into account that the corresponding bit j of the second auxiliary register Q 'is set to 1, while the corresponding bit of the first auxiliary register is set to 0. If, on the other hand, a module is subtracted, that is to say a reduction is actually carried out, which is represented by a reduction parameter of “-1”, this is expressed in the two auxiliary registers to the effect that the corresponding bit j of the first auxiliary register Q is set to 1 while the corresponding bit j of the second auxiliary register Q 'is set to 0. In a block 54 a correction is carried out in a manner similar to the case where b is 1. If in the block 44 If it has been found that the intermediate result Z after the processing of all multiplier bits was less than 0, this means that a reduction has occurred too much. Z is in the block 46 therefore increased by N. This is taken into account in the reduction information in that in the block 54 the lowest bit Q _{0 of} the second auxiliary register Q 'is set to 1.

The evaluation facility 14 of 1 finally becomes active in that it subtracts the second auxiliary register Q 'from the first auxiliary register Q (block 56 ) to get the integer quotient Q in binary form. The subtraction in the block 56 It should be understood that the register Q contains a count for all module subtractions actually performed in the 3-operand operation, this number being too high if Z becomes less than 0 (block 44 ), so that the content of the second auxiliary register Q 'and in particular the least significant bit that is in the block 54 is set, must be deducted again. The same applies to the case where the reduction parameter b is 1. No module is subtracted here, but a module is added. This must again be taken into account in the integer quotient so that the auxiliary register is subtracted from the first auxiliary register. It will be apparent to those skilled in the art that if the bits of the second auxiliary register Q 'were set to "-1" instead of "+1", in the block 56 no subtraction, but an addition would have to be carried out by the evaluation device.

Out the above is for Experts can see that the Invention especially for a hardware implementation is suitable. This is beneficial because a software-technical implementation of the MMD command performance and administration costs.

The invention replaces such a software-technical implementation. In particular, it can The concept presented can be inexpensively integrated into existing crypto processors, only VHDL changes of the crypto controller being necessary here in order to insert both the logging device and the evaluation device into the existing processing device. The modular multiplication command that is usually present can thus be supplemented easily and less prone to errors by the result of the DIV operation, that is to say the integer quotient.

10

processing device

10a

calculator

10b

Control part

12

logging equipment

14

evaluation device

20

initialization

20 '

initialization

21

Bituntersuchungsschritt

22a, 22b

Interim results calculation

23

first module comparison

24

First modulus subtraction

25

second module comparison

26

Second modulus subtraction

27

Index study

28

Indexinkrementierung

30a

reduction information without module subtraction

30b

reduction information after module subtraction

30c

reduction information after two module subtractions

32

addition the auxiliary register

40

initialization

40 '

initialization

42

Iterationsuntersuchung

44

Intermediate result inquiry

46

module addition

50

Order information calculation

52

Reduction information calculating

54

Reduction information correction

56

subtraction the auxiliary register

900

begin of the ZDN algorithm

910

Multiplication look-ahead algorithm

920

Intermediate-result shift

930

Reduction look-ahead algorithm

940

module shift

950

3-operand operation

960

The End of the ZDN algorithm

Claims (16)

Device for calculating an integer quotient of a term (T) with respect to a module (N), the term having a product of a binary multiplier (M) and a multiplicand (C), with the following features: a processing device ( 10 ) for processing bits of the multiplier (N) in a plurality of processing steps, the processing device ( 10 ) is designed to calculate, in one processing step, an intermediate result (Z) which is reduced with respect to the module and which depends on the one or more bits of the binary multiplier which are considered in the one processing step; a facility ( 12 ) for logging reduction information in the one processing step and for logging ordering information about one or more digits of the integer quotient affected by the one processing step; and an evaluation device ( 14 ) for evaluating the reduction information and the ordering information from the processing steps in order to obtain the integer quotient (Q). Apparatus according to claim 1, wherein the processing device ( 10 ) a hard-wired arithmetic unit ( 10a ) for calculating the modularly reduced intermediate result (Z), in which the processing device also has a control part ( 10b ) to control the hard-wired arithmetic unit ( 10a ) having; and in which the logging device with the control part ( 10b ) is coupled to obtain the reduction information and the order information from the control part. Device according to Claim 1 or 2, in which an intermediate result register (Z) is initialized to 0 ( 20 '; 40 ' ), so that the term (T) is equal to the product of the first operand and the second operand. Device according to Claim 1 or 2, in which an intermediate result register ( 20 '; 40 ' ) can be initialized to a third operand (D) such that the term is C × M + D × 2 ⁿ , where C is the multiplicand, where M is the multiplier, where D is the third operand, and where n is a maximum Length of A, B and D is in bits. Device according to one of the preceding claims, in which the processing device ( 10 ) is designed to work from a most significant multiplier bit to a least significant multiplier bit. Device according to one of the preceding claims, in which the processing device is designed to process a bit in each processing step, in which the device for logging ( 30a . 30b . 30c ) a register device with two auxiliary registers (Q, Q '), the reduction information ( 30a . 30b . 30c ) determine whether or not one or more bits are set in the register device, and the order information determines which one or which several bits are affected in a processing step, and in which the evaluation device ( 32 ) is designed to evaluate the register device in order to output the integer quotient. Device according to one of the preceding claims, in which the processing device ( 10 ) is designed to process one bit of the multiplier in each processing step ( 28 ) to calculate an intermediate result depending on the multiplier bits ( 22a . 22b) to examine the calculated intermediate result ( 23 ) whether it is larger than the module, if it is larger than the module, to calculate a new intermediate result ( 24 ) by subtracting the module from the intermediate result to examine the new intermediate result ( 25 ) whether it is larger than the module and, if it is larger than the module, calculate another new intermediate result ( 26 ) by subtracting the module one more time. Apparatus according to claim 7, wherein the logging device ( 12 ) is designed to use the number of subtractions of the module as reduction information and to use an order (i) of the multiplier bit just processed as order information. Apparatus according to claim 7 or 8, wherein the logging device ( 12 ) is designed to set a bit with an order equal to an order of the processed multiplier bit of a first auxiliary register ( 30b ) when the module is subtracted for the first time ( 24 ) to set a bit of an order equal to an order of the multiplier bit of a second auxiliary register (Q ') being processed ( 30c ) if the module is subtracted a second time ( 26 ), and in which the evaluation device ( 14 ) is designed to add the first and the second auxiliary register ( 32 ) to get the integer quotient. Device according to one of Claims 1 to 5, in which the processing device ( 10 ) is designed to use a multiplication look-ahead algorithm ( 910 ) so that a plurality of multiplier bits are considered in one processing step if the plurality of multiplier bits has a property dependent on the look-ahead algorithm, and in which the logging device ( 12 ) is designed to use the multiplication look-ahead algorithm ( 910 ) to be taken into account. Apparatus according to claim 10, wherein the processing device ( 10 ) is designed in addition to the multiplication look-ahead algorithm ( 910 ) a reduction look ahead algorithm ( 930 ) and where the logging facility ( 12 ) is designed to take the reduction look ahead algorithm into account in the reduction information and the ordering information. Apparatus according to claim 11, wherein the processing device ( 10 ) is designed to calculate the reduced intermediate result (Z) using a 3-operand addition ( 950 ), where a first operand (Z) is an intermediate result from a previous processing step, a second operand is the multiplicand (C), and a third operand is the module (N), two of the three operands in the 3-operand -Addition are weighted with factors which are weighted by a factor 2 to the respective displacement values (s _Z , s _N ), and wherein the module (N) is acted upon by a reduction look-ahead parameter (b), the reduction -Look-ahead parameter (b) can have values of "0", "+1", "-1", and at which the logging device ( 12 ) is designed to store the order information ( 50 ) based on a displacement value (s _Z , s _N ), and the reduction information ( 52 ) on the basis of the reduction look ahead parameter (b). Device according to Claim 12, in which the logging device ( 12 ) has two auxiliary registers (Q, Q '), bits (j) of the at least two registers determined by the ordering information being set as reduction information as follows ( 52 ): if b is 0, then Q _j is Q ' _j is 0, if b is 1, then Q _j is 0, Q' _j is 1, and if b is -1, then Q _{j is} equal 1, Q ' _j is 0, where b is the reduction look-ahead parameter, Q _{j is} a bit j of the first auxiliary register (Q), and Q' _{j is} a bit j of the second auxiliary register (Q ') , Device according to Claim 12 or 13, in which a reduction shift value (s _N ) is assigned to the module (N), in which a multiplication shift value (s _Z ) is assigned to the intermediate result, and where the logging facility ( 12 ) is configured to order (j) the bits of the first auxiliary register and the second auxiliary register from a difference between order information of a previous step and a difference between the multiplication shift value (s _Z ) and the reduction shift value (s _N ) to determine. Device according to Claim 13 or 14, in which the evaluation device ( 14 ) is designed to, after the multiplier bits have been processed by the processing device ( 10 ) subtract the second auxiliary register (Q ') from the first auxiliary register (Q) ( 56 ) to get the integer quotient. Method for calculating an integer quotient of a term (T) with respect to a module (N), the term having a product of a binary multiplier (M) and a multiplicand (C), with the following steps: processing ( 10 ) of bits of the multiplier (N) in several processing steps, the processing device ( 10 ) is designed to calculate, in one processing step, an intermediate result (Z) which is reduced with respect to the module and which depends on the one or more bits of the binary multiplier which are considered in the one processing step; To log ( 12 ) reduction information in the one processing step and logging of order information about one or more digits of the integer quotient affected by the one processing step; and evaluation ( 14 ) the reduction information and the order information from the processing steps in order to obtain the integer quotient (Q).