DE3631992C2 - - Google Patents

Description

With the ever increasing spread of electronic Procedures of communication and information Storage is a requirement of confidentiality, especially the confidentiality of important documents, such as B. bank transfers, contracts and the like, become indispensable.

While the problem of data protection in legislation some consideration has already been found has the technical problems to carry out of data protection through the confidentiality of transmitting data so far is highly unsatisfactory solved. The transmission of data via radio or broadband cable is more or less public. In any case, the confidentiality of the No guarantee assumed. The danger misuse cannot be excluded.

With regard to the transmission of data via radio or This danger is not a cable with technical means to eliminate. The user himself must be responsible for the required Provide security. This also includes the Ensuring the authenticity of the sender and the Protection against manipulation of the message.

For security reasons, it is therefore important to transfer the data to be transmitted Encrypt information, data, texts, etc. d. i.e. convert such that an unauthorized person she can't understand. It can be general be said that encryption is all the more the more complicated encryption is, the more secure underlying operations are.

In the case of encryption, which can be described as classic Procedures are symmetrical methods, where the encryption and decryption Key of the same type, d. H. are identical or inverse. As long as the relevant key is secret, transmit the correspondingly encrypted message publicly will. So that the recipient of this message can understand, it is necessary that the The recipient of the secret coding key by one is delivered to trustworthy messengers. This kind the delivery of the secret key is cumbersome and time consuming, especially when there are several Recipient provided with a confidential message should be. Otherwise, it appears to be electronic Anachronistic age, couriers for the Use transmission of secret encryption keys.

In contrast, the encryption methods according to a so-called public key code process great progress. This public key code Procedures are through asymmetric encryption featured. That means that for shipping and Decrypt two different keys used will. The asymmetrical process ensures that one key is not without additional information can be calculated from the other. One the two keys can therefore be published. For this reason, these procedures are called "Public key code procedure" received.

If a user of the public networks wants to exchange messages with other subscribers using a public key code method, he has to generate two keys E and D once. He makes the key E for encryption accessible to all other users via a public register, he keeps the key D for decryption secret. In addition, the general computing rules for encryption are also disclosed in some methods, without thereby endangering the security of the confidentiality of the content of the encrypted messages. The authenticity of the message is also not a problem. The security of the asymmetric method is based on the fact that it is practically impossible to calculate D from E.

Anyone who wants to send a message to another user gets the key E from the published register, encrypts the message with it and transmits the code thus obtained in the insecure (possibly digital) network, for example the public telephone network. The addressed user (recipient) decrypts the received code with his secret key D and thus generates the original message. A secure transmission channel is therefore unnecessary both for the transmission of a key and for the transmission of the message itself. The addressed user only receives messages that have been encrypted with their own key. Therefore, he only needs to access his own key D.

With these methods there is therefore an easy availability the key reached. Likewise, the user managing an extensive personal Key register removed. The key management takes place only once, and centrally in everyone accessible Register, e.g. B. in the manner of electronic Phonebooks. With this transfer procedure you can all types of transmission networks (e.g. "ISDN") are secure be made.

In the embodiment of the public key code method described, the securing of the sender authenticity and the protection against manipulation of the message are not yet guaranteed. In principle, however, it is possible to transmit counterfeit-proof "signatures" in digital form, specifically when the order in which keys E and D are used is interchangeable. The sender can then generate a signature that is transmitted together with the encrypted message. The signature is an "extract" of the message encrypted with the secret sender key D. To check the authenticity of the sender, the recipient also generates the extract from the reconstructed message, decrypts the signature with the public sender key E and compares the two. If they are identical, the message must originate from the specified sender, since only the sender knows the key D that matches the sender key E and with which the signature was encrypted.

With the signature, the message is also free from manipulation protected. The sender can transfer the  Do not deny message as the recipient is in the possession of a signature of this message. On the other hand the recipient cannot receive the message change, since there is none for the falsified message Can generate signature. This depends on the extract not only from the sender, but also from the message from. This provides greater protection than through guarantees the signature under a document.

The probably best known public key code procedure is that after the initial letters of its inventor Rivest, Shamir and Adleman known RSA procedures. The security This RSA method is based on the fact that it is practical is impossible to use large numbers (e.g. 200 decimal places) to factorize, d. H. all prime numbers too find by dividing this large number with no remainder can be.

The RSA procedure works as follows: First, each user of the RSA system chooses two large prime numbers p and q and another large number E. The numbers can e.g. B. with the random number generator of a computer. Algorithms are available to answer the question of whether or not the number in question is a prime number (see, for example: Pomerance, C. "Recent Developments in Primality Testing", Department of Mathematics, University of Georgia , in "The Mathematical Intelligencer" pp. 97-104, Vol 3, No. 3, 1981).

The RSA procedure does not prescribe a certain minimum length for the prime numbers. Short numbers make the algorithm faster, but increase the risk that the product of the prime numbers can be factored. The reverse is true for long numbers. 100 decimal places are generally considered a good compromise. N is the product of the prime numbers p and q . The pair of numbers ( E, N ) is the public key, while the prime numbers p and q are only known to the recipient of a message.

To encrypt the message, the sender first converts his text into a chain of decimal numbers. This chain is then broken down into links P + _i ≦ ωτ N of equal length. These members are then individually ciphered by it rises respectively in the e -th power modulo N, and then forms, that is, there arise the numbers C _i = P modulo N. These numbers C _i are then sent over an insecure channel. To evaluate the numbers it is necessary to calculate their exponent modulo Φ ( N ), where Φ ( N ) = ( p - 1) · ( q - 1). Since only the recipient knows the prime numbers p and q , only he can calculate the decryption key D = E ^-1 modulo Φ ( N ). For this purpose, the receiver raises every received number C _i to the D- th power and reduces modulo N. Since C _i modulo N = P modulo N and ED modulo Φ ( N ) = 1, the operation P modulo N again results in the number blocks of the plain text.

Except for the "classic" encryption method also show the public Key code procedure serious shortcomings. Both software and hardware implementations have so far failed always in the immense effort and the associated high costs.

According to the current state of chip development, it is not possible, a universal computer in software with the RSA algorithm (based on 200 Decimal places) so that they are acceptable Encryption speeds or encryption rates can be achieved.

The RSA function (exponentiation with subsequent Modulo operation) not directly in a VLSI layout (VLSI = Very Large Scale Integration) implemented be because there are no direct exponentiation circuits gives. The knowledge described has been around since several years on the desire for special hardware Solutions led to the exponentiation in individual steps to disassemble that sufficient encryption speed or rate is possible.

The realizations of the public key known today However, code processes require a lot of computing time. Software solutions have encryption and decryption rates from 10 to 20 bit / sec. Also the first known hardware Solutions do not reach more than 1200 bits / sec. The the only one-chip solution implemented so far comes from Rivest (Rivest, R.L., "A Description of a Single Chip Implementation of the RSA Cipher ", Laboratory for Computer Sience, MIT, Cambridge, Massachusetts, in "LAMBDA Magazine 1 ", pp. 14-18, No. 3, 1980). In this The proposal became a relatively simple design method chosen, which is in particular that with a conventional arithmetic-logic unit cell a 512-bit arithmetic-logic unit (ALU) was constructed. This arithmetic-logical unit is constructed so that with it very different operations can be executed. The accepted one Redundancy translates into an encryption rate from 1200 bit / sec. low. Here is a 4 µm NMOS Technology has been used (extrapolated to a 2 µm CMOS technology would look at a key length of 660 bits an encryption rate in the range of 2500 bit / sec. result).

In practice, this solution is not acceptable, because the interfaces of the digital networks with work much higher data rates, e.g. B. work the ISDN interfaces with 64 bit / sec.

A cryptography processor has also already been proposed which consists of two chips, and with the help of 336 bit long numbers of the RSA algorithm can be worked up (Rieden, R. F., J. B. Snyder, R.J. Widman and W.J. Barnard, "A Two-Chip Implementation of the RSA Public-Key Encryption Algorithm ", Digest of Papers for the 1982 Government Microcircuit Applications Conference (November 1982), 24-27).

The fastest known RSA processor is with the proposal given by NEC / Miyaguchi (Miyaguchi, S., "Fast Encryption Algorithm for the RSA Cryptography System ", Proceedings COMPCON 82). It works 8 bits per cycle of the multiplier and reaches a speed of 29,000 bits / sec. But since it is for the practical Execution that requires a high number of 333 chips it is natural in economic terms completely out of the question.

A general disadvantage of multi-chip implementations does not consist only in the proportional with the number of required chips rising hardware costs, but especially in the lack of guarantee of security. If the signals transmitted from one chip to another become accessible, it can be based on the transferred Secret code signals are broken. That's why it is essential for reasons of cryptography security, that all cryptography algorithms if possible from one single chip could be protected by a safe.  

DE-PS 32 28 018 describes a key system for RSA Cryptography described, which is also an extreme requires high hardware requirements. In comparison with the original RSA algorithm is said to be used in the known Key system the encryption rate by the factor 4 increased, but only a modest improvement represents. For this purpose, a fixed Number of four bits processed simultaneously for what multiple multipliers are required, and for what a total of 14 adders can be specified.

Theoretically, it is conceivable that the processor for the known key system according to DE-PS 32 28 018 four times faster than direct use of the original RSA algorithm is there because of the signal paths are much larger than with a scan of a single bit each, is hardly in practice to expect an effective time saving.

Also a universal chip with an idea a 100-fold computer density would not be in the way able to process the well-known RSA algorithm. For this reason, only a special Cryptography chip in question, however, would do so set significant cooling problems, because with such would be highly specialized chips - in difference to universal chips - almost all transistor functions constantly in use. This is with considerable power losses connected, because of the adopted 100 times the computing density from a 100 times (loss) Power density would result.

That the associated cooling problems are not insignificant are the elaborate proposal shows the cooling by means of liquefied noble gases which are carried out by holes in the silicon chip flow through. On the other hand, it should be borne in mind that as a result insufficient cooling significantly reduced Lifetime of the chips and an increased error rate results in the encryption operations. Furthermore would the adopted universal chip with the high Computer density from the spatial dimensions turn out to be large that a workable application besides Should be kept in mind.

This is where the invention intervenes, which is based on the task lies in specifying a cryptography method, which is so fast with sufficient security Computing speed enables a commercial practical application of the known RSA process is possible. In addition, by the invention a cryptography processor for performing the method created to meet the requirements with small handy design or chip Allows dimensions.

The invention achieves this goal in terms of method the cryptography mentioned in the preamble of claim 1 Procedure by the in the characterizing part of claim 1 mentioned features, the requirements a digital interface of an ISDN Network is sufficient.

An essential aspect of the invention is that novel application of a look-ahead algorithm for the division. This step makes it possible a look-ahead procedure also for multiplication to apply. Thus, when processing several Bits only require simple additions and subtractions, d. H. an additional multiplication can be omitted.

Look-ahead algorithms have become well known by the reference "Automatic Digital Calculators" by Booth, A.D .; Booth, K.H .; Academic Press, Inc .; New York, 1956, as well as through the book "Logischer Design of digital systems "by W. Giloi, H. Liebig; Springer Verlag 1980, especially pages 177-178.

The advantages of the new process are based in detail insist that the entire cryptography algorithm suksessive so far broken down into smaller steps will until every arithmetic step in a simple way corresponds directly to a hardware design.

Advantageous further developments and practical refinements the invention are specified in the subclaims.

The comparison of the individual operations already shows the advantages of the arrangement according to the invention over the prior art. By converting the exponent algorithm into a sequence of multiplications, whereby a modulo operation is carried out after each individual multiplication, it is prevented that the intermediate results do not, as is usual with exponentiation, grow to astronomical values ( D and E each have 200 decimal places ).

In addition, multiplication in single steps is broken down, in which the multiplication in a sequence of additions is converted, the calculation done faster. This is how it is realized also requires less space on the chip.

The reduction in modulo operation explained below in a sequence of subtractions is with the same Addition logic calculated because a subtraction can be treated as an addition with the opposite sign will.

Since the multiplication in the ring is carried out over N , a modulo operation can be carried out after each addition. This also avoids large numbers and saves considerable computing time. All numbers in each step are now less than N. In this way, the maximum required size of the memory is reduced to the length of N , which is associated with a halving of the required chip area.

Considerable importance for the cryptography method lies in the advantageous use of look-ahead algorithms, since this further considerably reduces the maximum number of additions required for the multiplications and subtractions for the modulo operations. However, the fact that the introduction of the look-ahead algorithms pays off in terms of computing speed only results from the introduction of the new look-ahead algorithm according to the invention for the modulo operation, because the mere application of known look-ahead algorithms to the Multiplication would in no way save time. Only when the mean reduction in the computing effort associated with the modulo operation corresponds to the computing reduction possible with multiplication does an optimal algorithm result which reduces the computing time to about ½. This advantageous saving in computing time is related to the "swimming" explained below; while Z is shifted absolutely, N is shifted relative to Z , so that the two shift rates are decoupled from one another.

The final advantage in the chain of procedural steps consists in the combination of the multiplication resulting addition and that resulting from the modulo operation resulting subtraction to a single operation, the 3-operand addition. With their help, the cycle time takes not to be expanded because for  the 3-operand addition takes the same time as for one simple addition. This will double the computing speed.

On the one hand, time savings result from the advantageous ones Applications of mathematical transformations the individual process steps, on the other hand, result derive from the inventive architecture of cryptography Processor further improvements. Through the The individual can organize tree-like structures Elements at the same time a larger number of Process information. This also increases the computing time further shortened considerably.

The block structure according to the invention reduces the computing time for a 660-bit addition to the length a 20-bit addition.

In summary, it should be noted that the invention Cryptography processor encryption and decryption at a rate of 64,000 bits per second. This also applies to the worst case, where the Key should have a maximum length of 660 bits.

The advantages that can be achieved with the cryptography method according to the invention or with the corresponding cryptography processor become apparent when one compares its "overall efficiency" with that of a software implementation, e.g. B. compares on a 16 bit wide bit slice processor (BSP), which has been specially tailored to the encryption task: BSPs available today have a clock frequency of approx. 10 MHz. You can add or subtract two 16-bit words in one cycle and simultaneously shift the result by 1 bit. They do not have a barrel shifter, so a shift operation must be carried out serially. Under these conditions, a look-ahead has negative temporal effects. For the number A of cycles to perform an operation, it is assumed that the BSP needs only one cycle for each step of its main loop. It consists of (see Fig. 3):

• 1. Z [ i ]: = Z [ i ] + P [ i ] and
• 2. Z [ i ]: = Z [ i ] + - N [ i ], shift Z [ i ] by 1 bit.

The microprogram of the BSPs can be designed so that the loop is reduced to the second step if the first step can be omitted due to the test of the corresponding bit in the multiplier. Since the first step must be performed with a probability of 1/2, A has a value of 1.5. For the comparison follows:

The comparison shows that the cryptographic Processor even specialized voting from hardware and Software is superior to more than two orders of magnitude. Is the RSA algorithm on normal computer systems only software implemented, may differ in area of 10,000 can be assumed since the main loop at far less efficient.

Compared to the Rivest processor mentioned at the beginning this results in a 50-fold saving in encryption time despite a key length that is approx. 30% longer. These Huge increase in overall efficiency has been achieved with the application of new process steps according to the invention as well as a special chip architecture enables.

The cryptography processor according to the invention works as so-called coprocessor. It has two DMA channels for the data I / 0 and an 8 bit wide data bus. The Coding and I / 0 units work in parallel. Created a "cryptography box", in which the encryption and decryption cannot be influenced from outside, for which a signature is generated and for which the Only transfer keys in encrypted state need to be.

In the following cryptographic process of the invention and based thereon cryptographic processor code method Ivest with the aid of data after the public key of R, S and A Hamir dleman (RSA) encryption and are decrypted on the basis of an exemplary embodiment described in more detail.

In the first part of the description, which deals with the invention Cryptography procedures will be dealt with compared to the original RSA procedure Modifications explained. That is why often referring to the original RSA algorithm taken. Since the further object of the invention in the Realization of the procedure in an efficient VLSI Layout, it does not fail to appear already at the Description of the procedure on the corresponding Point out hardware possibilities. In particular complex operations so far in basic operations (Adding, subtracting, moving, etc.) disassembled until each step immediately in the later ones VLSI draft can be implemented. That is why the consideration plays of the algorithm from a hardware perspective important role. Many step sequences of the RSA algorithm are replaced by more advantageous ones.

Since the decryption is mathematically identical to that Encryption is, therefore, in the following on the the two processes were not dealt with separately.

The drawing shows:

FIG. 1a is a flowchart of an algorithm for the potentiation for the unlocking or encryption of a date after the original RSA method,

FIG. 1b is a flowchart of an algorithm for the potentiation of the decryption and encryption of the same date as shown in FIG. 1a, by the inventive process

FIG. 2 is a flow diagram of the serial algorithm for the multiplication required in FIG. 1, the multiplicants being elements of the natural numbers.

3a is a flow chart of the multiplication algorithm with an additional module step, whereby the multiplicand elements Fig. Here a residue class ring over N,

FIG. 3b is a flow chart according to Fig. 3a, with the module calculation is reduced to a subtraction,

Fig. 4 is a flowchart of a look-ahead algorithm for the multiplication of the look-ahead parameters calculated serially,

Fig. 5 is a flowchart of a look-ahead algorithm for the modulo operation, the look-ahead parameters calculated serially,

FIG. 6a is a flow chart of FIG. 1b, the multiplication and subsequent modulo operation are combined to form a MultMod step,

Fig. 6b is a flow chart of the inventive MultMod method used in Fig. 6a, carried out with look-ahead,

Fig. 7 is a unit cell for implementing a mult-mod loop in one step,

Fig. 8 shows the summary of four unit cells of Fig. 7 to a 4-cell block with a hierarchical carry-look-ahead (CLA) element,

Fig. 9 shows the hierarchical summary of five cells 4- blocks shown in FIG. 8 to a 20-cell block,

Fig. 10 is a complete encryption unit 20 with a plurality of cell blocks in FIG. 9, as well as with a control unit,

Fig. 11 is a block diagram of a cryptographic processor,

FIG. 12 shows a block diagram of a control unit according to FIG. 10 after the look-ahead algorithms according to FIGS . 4 and 5 have been specified, FIG.

Fig. 13 is a hierarchical carry-look-ahead element as it passes at the 4-cell blocks in FIG. 8 are used,

Fig. 14, the interconnection of the carry-look-ahead elements of FIG. 13 in the hierarchy of the 20 cell blocks,

FIG. 15 shows a state diagram with regard to some sequence of steps of the uppermost 20-cell block designed as a buffer in FIG. 10, FIG.

Fig. 16 is a schematic block structure for explaining the flow of information, and

Fig. 17 shows a floorplan of the array of unit cells on a chip.

With reference to FIG. 1, the method step for exponentiation is first explained below. When breaking down into simple basic operations, the exponentiation is broken down into an average of 1.5 · L ( E ) multiplications. E is the exponent and L ( x ) is defined as

L ( x ): = number of binary digits of x .

The time complexity of the algorithm is 0 ( L ( E )). His basic idea is to represent the exponent in binary form, i.e. to convert it into a sum of powers of two. With the power laws, the sum in the exponent is converted into a product of powers of the number P to be raised . The exponent of the e- th power has the e- th power of two or zero, depending on whether there is a 1 or a 0 at the e- th position in the original exponent. The factors are squares or the number 1.

P ^{2c + 1} = P ^{2 * 2e} = ( P ^2e ) ²

The position of the least significant bit is defined by zero. Therefore, the most significant bit is at position L ( E ) - 1.

The ( e + 1) th square can easily be calculated by squaring the e th. It is therefore advantageous to reserve a separate register C for the product. The contents of register P are then squared in each step and saved again. After the quadrature, P contains the e th square, since after the ( e - 1) th step in P the ( e - 1) th square was entered.

At the beginning of the intermediate register C there is 1. If there is a 1 in the exponent E at the e- th position, C is multiplied by P in the e- th step and stored again, otherwise C is not changed. Since the register P contains the e- th square at this time, the above product is computed P to E because of the equality. After the last step, the result is in register C.

The RSA method shown in the flow diagram of FIG. 1a contains the potentiating algorithm in the upper part. In the lower part of FIG. 1a, C mod N is calculated in the last step, ie the last step of the RAS algorithm. Because the remaining class arithmetic was omitted during exponentiation, C assumed an astronomical number of digits for large numbers.

This is prevented by the algorithm of the method according to the invention shown in FIG. 1b. He uses the congruence law

( a mod c ) ( b mod c ) ≡ ( a b ) mod c .

The resulting product is determined by the modulo calculation depicted on the representatives of the remaining class. The Representative is the element of the rest of the class, which is also an element of the ring is. This element is unique, i. H. it there is only one element in each residual class that meets the condition Fulfills.  

Relate to the algorithm

a, b products from step e - 1, and
c the module.

The statement of congruence is: the result of the calculation in step e falls in the same residual class,

• a) if the resulting products from step e - 1 are mapped onto their representatives and then in step e the representatives are multiplied together or
• b) if in step e the products from step e - 1 are multiplied together and then this product is represented on its representatives.

In the right algorithm ( Fig. 1b), case a is applied to the products with each loop pass. Case b is implemented in the left algorithm ( FIG. 1a), but only once as the last step of the algorithm. Due to the constant mapping, the registers used in the right algorithm have been given a predictable size. The numbers you have to save are a maximum of twice the length of the modulus. This is the case in the period between multiplication and the modulo calculation.

Leave the individual steps of the reshaped algorithm do not further decompose at the level of potentiation. There is no longer a need for it. The Chip area, which needs the exponentiation, has by the constant modulus calculation get an upper limit.

The method step for the multiplication is now explained below with reference to FIG. 2. In the method according to the invention, the multiplication is solved by a serial algorithm. It breaks down the multiplication into L ( M ) shift operations and an average of 0.5 · L ( M ) additions. In the following, the multiplier is designated with "M" .

The space requirement depends linearly on L ( M ), because an arithmetic lodic unit (ALU) of size L ( M ) is provided for this algorithm, so that the addition takes place in one step. The same applies to the shift operation. Both therefore need a constant time for their surgery. In addition, the addition can be carried out in parallel with the shift operation. It follows for the time complexity

T _Mul = L ( M ) max ( T _Shift , T _Add ) = c L ( M ).

Like the space requirement, it depends linearly on the length of M. However, if the space required exceeds the integration options, ie M and thus L ( M ) exceeds a certain value, this algorithm can only be used in a modified form. Since this is not the case with the envisaged size of 660 binary digits (200 decimal places), this problem is not discussed in this exemplary embodiment.

The serial algorithm for the multiplication shown as a flow chart in FIG. 2 is based, similarly to the algorithm for the exponentiation described previously with reference to FIG. 1, on the binary representation of an input parameter. Here it is the multiplier M :

The multiplication is broken down into additions. P is added to the intermediate result Z in step m if there is a 1 at the ( L ( M ) - m ) th position in the multiplier, otherwise Z remains unchanged. Then the loop is executed ( L ( M ) - m ) times. Because of the duplication of Z to the beginning of each loop iteration, the sum Z + P of the m-th step is (L (M) - m) times doubled. This corresponds to the multiplication by the power of two.

In summary, the algorithm takes advantage of the fact that multiplication by a binary digit results in either the multiplicant itself or zero. Furthermore, he attributes the multiplication with a power of two required in each step to a doubling of Z. In the binary representation, the doubling is a simple shift operation by one bit to the left (by definition, the least significant bit is on the right).

The modulo process step is shown schematically in FIG. 3. During the exponentiation, a modulo operation must be carried out after each multiplication in order to obtain a number that is congruent to the product from the residual class ring. The algorithm described in FIG. 2 considers the two multiplicants as elements of the natural numbers, not of the residual class ring over N. Therefore, a modulo step is carried out in the exponentiation algorithm after each multiplication.

According to the method according to the invention, the multiplication is also carried out in this residual class ring. The conventional algorithm was changed at one point: at the end of the loop, the intermediate result Z is mapped to its representatives.

This is necessary because, firstly, Z was doubled and secondly, P (in the worst case) was added to it. Therefore, Z can have values at the end of the loop that are greater than or equal to the modulus N.

If, on the other hand, a modulo step is added at the end, after leaving the loop, Z always has values that are within the permitted number range of the ring. The congruence law that allows the modulo step to be shifted from the exponentiation algorithm to the multiplication algorithm is

( a mod c ) + ( b mod c ) ≡ ( a + b ) mod c .

As with the exponentiation, the statement of congruence is also here: the result of the calculation in step m falls in the same residual class,

• a) if the resulting sum is mapped to its representative in step m -1 and then further calculated with this in step m or
• b) if in step m one adds something to the sum from step m - 1 and then maps this sum to its representative.

Since the multiplication has been converted into a sum sequence, the conclusion is: it gives the same result, two Multiply numbers and then do the modulus calculation, or after each addition in the disassembled multiplication to calculate modulo immediately.

The intermediate result Z of the flow chart shown in FIG. 3a cannot assume arbitrarily large values in the loop if it had a value smaller than N when the loop entered

N ≦ λτ Z, P = ≦ λτ · N ≦ λτ Z : = 2 Z + P.

In the method according to the invention is the conventional one Modular calculation replaced by a single subtraction.

If Z is greater than or equal to N at the end of the loop, only N or 2 N is subtracted from Z , and the value of Z is again less than N. These steps are included in the flow chart of Figure 3b.

No additional logic is required for subtraction, because after the negation of the subtrahent, it becomes one Addition and can be calculated with the addition logic:

a + b = a + (- b )

A number is negated by negating every single bit becomes. Finally, the number 1 must be added. This can be done in the VLSI design with one inverter per bit. However, since both information are in the memory cell present, the bit and the inverted bit, is on dispenses with an additional inverter.

When two numbers are added, the least significant are added Bits no carry bit transferred. Should now be subtracted the negated memory bits are sent to the Addition logic created and at the same time becomes the least significant Bits signals a carry bit.

This process step, which is the multiplication with the Modulo operation with each other in the manner according to the invention connects, is called MultMod in the following.

The increase in the computing speed by the look-ahead method can be explained with reference to FIG. 4. If you analyze the MultMod algorithm and consider the possibilities of parallelization, you can see that many steps are carried out for free. More precisely, entire loop runs (cycles) can be omitted if, apart from the first two inevitable steps, none of the conditional steps have to be carried out.

If a cycle is omitted, no step of the loop is carried out, not even the unconditional ones. This has to be considered in the next cycle that has not failed. But first you have to calculate how many cycles can be skipped. Let sz - 1 be the number of skipped cycles ( "sz" is the shift amount (shift amount) of the multiplication and retains this meaning in the following). With this information the first two steps of the skipped cycles can be carried out in the current cycle ( sz - 1 skipped cycles plus the current cycle results in sz cycles!):

• 1. Z is not shifted to the left by 1 bit (doubling), but by sz bits
• 2. m is not increased by 1, but by sz .

Shifting by sz bits can be done in one step with a barrel shifter (Conway; L., Mead, C., Introduction to VLSI Systems, Adison-Wesley Publishing Company, Inc., 1980).

Methods that allow unnecessary steps to be taken skip, look-ahead (predictive) procedures called. Such procedures need careful analysis be designed separately for each algorithm. It has to be done everything is checked whether the expected time saving is greater is the time to calculate skippable cycles. In the targeted hardware implementation of the whole Algorithm the time saving is not diminished by anything since the calculation of the look-ahead parameters parallel to longest step, the addition, happens.

A look-ahead algorithm has long been used for multiplication known. It has two states:

• 1. LA = 0, zeros in the multiplier are ignored and
• 2. LA = 1, ones in the multiplier are ignored.

The step sequence of the algorithm is:

• 1. Set sz : = 1.
• 2. Set m : = m + 1.
• 3. Set a : = 1 - 2 LA
• 4. The 3-bit string M [ L ( M ) - m . . L ( M ) - m - 2] considered. As long as not finished, depending on the 3-bit string and the LA value, execute the rule in the line.
• 5. The following must be carried out in the MultMod algorithm:
  • a. Shift Z left by sz bits.
  • b. Set Z : = Z + a P.

The Roman numerals in the brackets after the "Done" statement indicate the rules of this line, the first number stands for LA = 0 and the second for LA = 1. The 3-bit strings behind "Impossible" can do not appear, since rule II or III would have been applied to them in the previous step. The variable "a" only serves as a buffer for the information as to whether P is negated in the addition step or not. In this step, there is no multiplication in the implementation, since a can only take the values +1 and -1. Moving Z and increasing m has already been explained.

The look-ahead rules can be easily set using the Understand sum multiplication. it is

In the following calculations, "s" is to denote the position relative to L ( M ) - m at which, in the multiplier, calculated from the position L ( M ) - m - 1, the first bit is not equal to LA .

Rule I states that if there is an isolated 1 in a 0 string, add P to Z at this point. Expressed mathematically:

The summands of the second sum are zero except for the value lambda = m + s , since at the binary digits L ( M ) - m - 1. . L ( M ) - m - s of the multiplier 00. . . 01 stands.

Rule II is most easily understood in conjunction with Rule III. Rule II switches from a 0 string to a 1 string if the first 1 is followed by at least one second. P is added to Z at the position of the last 0. Rule III is dual to II. It switches from a 1 string to a 0 string if at least one second follows the first 0. In place of the last 1, P is subtracted from Z. If s 1 is the position of the first 1 and s 0 is the position of the first 0 that follows, both calculated relative to m , the following results:

Rules II and III follow directly from the last line. The Positions between the two switch points do not need to be considered, provided everyone is 1. An example should make this clearer.  

You save two additions (thus two cycles) if you not processing one bit of the multiplier after another, but considered 1-string as a geometric sum, calculates the sum and skips the insignificant bits.

If rule IV still remains, it says that there is an isolated 0 in a 1 string, then subtract P from Z at this point. The result is:

From the point of view of the look-ahead method, after subtracting P at position L ( M ) - ( m + s ), it looks as if the 1 string is not interrupted. The look-ahead can continue.

With the look-ahead algorithm for multiplication shown in the flow diagram of FIG. 4, which calculates the parameters serially, no time advantage can be achieved compared to the version without look-ahead, because only one bit of the multiplier can be tested per cycle. This flowchart therefore only serves to convert the rules into a functioning algorithm. On the other hand, this algorithm is intended for hardware implementation, but the look-ahead parameters are then calculated in one step parallel to the operations of other arithmetic units, so that at the end of one cycle the parameters are immediately available for the next one.

In this algorithm, the shift amount sz can have a maximum value of cur   accept k ( cur   k is the "name" of a variable). The shift amount indicates the number of places by which a register is shifted. A maximum of the shift amount is not required by theory, but by practice. The barrel shifter that pushes Z into the calculated position in one step can only do this up to a maximum amount "k" , which must be specified in the design. k is the maximum value that cur   k can assume. The value of cur   k is determined by the modulo look-ahead algorithm yet to be designed.

Is up to sz = cur   k no rule is applied, then Z is shifted to the left by k bits and a is given the value 0, ie P is neither added nor subtracted. The work that can be done in one step must be divided into several for cost and space reasons. Which value for k is a favorable compromise between the demands of speed increase and the reduction of the space required is clarified in one of the following sections.

The look-ahead extension to the modulo step now follows ( FIG. 5). Since multiplication was moved to the remainder of the class for reasons of efficiency, the improvement in multiplication by look-ahead found in the previous section is of little use, if not a method for generating look-ahead parameters can also be introduced for the modulo step. Otherwise, the modulo step slows down the entire process, since it can still only process one bit per cycle. The process is also restricted. The expected value of the shift amount per cycle should be approximately the same as that of the multiplication algorithm. If this is not the case, one look-ahead algorithm slows down the other.

The algorithm according to the invention, which fulfills the required conditions and combines the rules mentioned into one algorithm, is shown in the flow chart of FIG. 5. As before, this algorithm is serially described for the same reasons. In the hardware implementation, it has the same properties as the look-ahead algorithm of multiplication.

The general conditions for the modulo look-ahead algorithm require that the expected values of the two amounts, which are shifted per cycle, match. So far, N has not been shifted: Z has been shifted one bit to the left in each cycle and N relative to it to the right by one bit, ie N has maintained its position. In contrast, the look-ahead method will generate a parameter sn which specifies how many bits N are to be shifted to the right relative to Z. In the following, "sn" is the current shift amount of the modulo look-ahead algorithm, and "n" indicates how many binary positions N have been shifted absolutely to the left at the respective time. The register N therefore contains multiples of the module N. For this reason, Z will usually not be a residue class representative at the end of the MultMod loop. There are three cases:

• 1. sn ≦ λτ sz : N is shifted absolutely to the right by sn - sz digits. Precautions must be taken to ensure that n does not become less than 0, otherwise fractions of N and not multiples of N are expected. This destroys the congruence. sn is therefore calculated so that the value of n becomes a minimum of 0.
• 2. sn = sz there is nothing to consider.
• 3. sn ≦ ωτ sz : N is shifted absolutely by sz - sn places to the left. If there is a possibility that n will exceed a certain set value MAX in the next step, the multiplication look-ahead algorithm must be braked in such a way that n in any case assumes a value less than or equal to MAX . This prevents n from becoming arbitrarily large.

In the algorithm of FIG. 5, the limitation of the maximum shift amount of Z can be seen at the end. cur   k is set so that in the worst case ( sz = cur   k and sn = 1) of the next step n just assumes the value MAX .

Regardless of the rules used, a look-ahead for the modulo calculation requires that multiples of N can be expected. The advantage is that the multiplication and the modulus calculation generally do not interfere with each other. A disability only occurs if, in case 1 or case 3 above, the value of sn or sz is limited for one step. A disadvantage is that the registers have to store larger numbers than that of the module. A buffer must be provided for this overflow in the VLSI draft.

This disadvantage only applies to two registers: Z and N. In addition, the buffer size is limited by MAX . The VLSI design can therefore continue to assume constant sizes of all registers and now also of the buffer. The following section discusses the size of the buffers so that the expected values do not decrease too much.

The calculation rules for the look-ahead parameters still have to be described. The number ZDN is required for this. It is defined as two thirds of the value from register N :

The algorithm is:

• 1. Set sn : = 0.
• 2. Set b : = 0.
• 3. As long as the absolute amount of Z is less than or equal to ZDN , do:
  • a. Set sn : = sn + 1,
  • b. set n : = n - 1 and
  • c. shift ZDN to the right by 1 bit, ie divide ZDN by 2.
• 4. Set b: = 2 Z [sign] - 1. If the sign bit has the value 0, then Z is positive, otherwise Z is negative.
• 5. The following must be carried out in the MultMod algorithm:
  • a. Shift N to the right and sn by sn bits relative to Z
  • b. set Z : = Z + b N , ie if Z is positive, then N is subtracted from Z , otherwise N is added to Z.

In the last step, the hardware implementation does not multiply, since b can only take the values -1, 0 and +1: The value - N , 0 or + N is applied to the addition logic. The calculation of ZDN does not pose any difficulties either, because ZDN is not recalculated every time, but only once when the key is handed over and is then subjected to the same shift operation as N. So the relation N to ZDN is preserved.

After handing over the keys, however, ZDN must be calculated. Two thirds are shown in binary 0.101010101. . ZDN is therefore calculated as follows:

• 1. Set Z : = 0.
• 2. Set Z : = Z + N.
• 3. Shift Z 2 bits to the left.
• 4. Skip back to step 2 if ZDN is not yet calculated precisely enough.

The last step contains an unsharp termination condition. ZDN is determined exactly when each bit of the multiplier "two thirds" has been processed. The number of bits of "two thirds" that still affect the comparison of Z with ZDN is the same as the number of bits that the comparator that performs the comparison has. The width of the comparator is in turn determined by the required accuracy of the comparison. As shown in the next section, 10 bits are more than sufficient. It follows that ZDN can be calculated in a few steps.

As just mentioned, ZDN uses only a few of the most significant bits to compare with Z. Of course, this causes the comparator to give an incorrect result every now and then, because a 100% reliable comparison would have to take into account all L ( N ) bits. This is difficult to achieve due to space constraints. What is much more serious, however, is the fact that the comparison time then becomes similar to the normal addition time. The correct comparison would be a Phyrus victory.

But what effects does it have if the comparator has made the wrong decision? Then sn has the value 1 in the next cycle, otherwise sn would have had a value greater than 1. Accordingly, the current shift amount of the next cycle deteriorates to the value 1. Proof:

If the comparator has given correct results, then sn has been determined so that

is. N is now shifted to the right by sn bits, ie N is divided by 2 to the sn . Then, if Z is negative, N is added to Z , otherwise N is subtracted from Z. It follows that N is subtracted from the absolute value of Z. The result is saved again in Z.

Since the absolute value of Z is now less than or equal to one third of N , sn ≦ λτ 1 must be in the next cycle:

Part 2 is proven.

If, on the other hand, the comparator makes a wrong decision, inequality I is not fulfilled. A wrong decision will e.g. B. hit when ZDN has become somewhat smaller than two thirds of N due to rounding errors in the calculation. If Z is close, but still less than two thirds of N , the comparison statement is: ZDN is smaller than Z. In fact, however, this statement should only have been made one bit position later. It follows:

The requirement (1) is no longer met. It follows

So the effects of a comparator error are relatively harmless. This gives the designer a wide scope in the choice of the comparator width, because a small one Width only increases the number of cycles due to incorrect comparisons, but does not falsify the bill. So can a comparator small width, which is more common wrong, but because of the very quickly available result still brings a speed gain.

The probability of error must be known for this consideration. An error occurs either by rounding in the last bit of ZDN or in bits that are less significant than the least significant comparator bit. Let "d" be the comparator width, then the error rate is epsilon

To put it clearly, the expression says that an error can only occur if all the higher bits could not decide the comparison. This is the case with one of 2 ^d numbers.

Since only the probability-theoretical expected values of the look-ahead method match, they were necessarily decoupled from one another by the MultMod algorithm. Here, in each cycle Z is absolute and N shifted relative to Z. This decoupling is called "swimming" here and is explained in more detail below in connection with FIG. 15.

The state in which the cryptography processor is in each case is illustrated by means of steps a to e in FIG. 15. The transitions a, c and e illustrate the shifting process, while b and d mean additions or subtractions which are not explained in more detail. The rectangles (towers) shown represent registers C ( 14 ), N ( 18 ) and Z ( 20, 22, 24 ; registers of the cryptography processor). The height of the rectangles is 660 bits + 20 bits. 660 bits is the maximum word length and 20 bits is the size of a buffer that enables decoupling.

If, for example, the shift amount (shift amount; size of the shift) of the multiplication is greater than the shift amount of the modulo operation, the register M is shifted to the upper end by the difference of the shift amounts (cf. steps a and e ); the uppermost bits of register N are thus partially pushed into the buffer.

In the opposite case, N is pushed to the lower end (step c ). The monitoring that N does not exceed the buffer limits is explained in more detail below.

Before step a , N had already been shifted into the buffer by 10 bits. The shift amount sz then assumes the values "3", "1" and "2", as can be seen in FIG. 15 below. The values mentioned in this example are assumed one after the other. The shift amount si , which defines the shift from N relative to Z , takes on the values "2", "3" and "1" one after the other, which means that N has been shifted absolutely by sn = sz - si , ie sn is successively "1", "-2" and "1". After steps a, c and e , N has been shifted into the buffer by 11, 9 and 10 bits, respectively. This process represents what was referred to above with the term "swimming".

The influence of the look-ahead limit k for the case of k = 3 is illustrated in step c . Although the algorithm for si could have shifted by 4, N has only been shifted by 3 bits relative to Z , and then by 1 bit in step e . Therefore, N is neither added nor subtracted from Z in step d . This means that the sign b in FIG. 5 has the value "0".

The method step of 3-operand addition is explained below. FIG. 6 contrasts the complete RSA method ( FIG. 6a) with the now complete exemplary embodiment of the cryptography method according to the invention ( FIG. 6b).

Here, the queries that were still contained in the last version of the MultMod algorithm ( FIG. 3) are replaced by the calls of the two look-ahead algorithms. The look-ahead parameters are calculated in parallel. This is to be expressed by the parallel branches in which the calls take place.

In this version of the algorithm, a negative value can be in Z after the loop has been processed. For this reason, the result must be corrected in the end in the MultMod algorithm with Look-Ahead. If Z is negative, then Z + N is positive. This additional step is included in the flow chart of Fig. 6b.

The multiplication and modulo steps are also combined into a single step, the 3- Operand addition. It is from logic per step not two but three operands added at the same time, as can be seen below.

The 3-operand addition is divided into two sections. In the first section, a sum of the three bits of operands A, B and C is formed at each binary position. The sum of A [ i ], B [ i ] and C [ i ] can take the values 0 ... 3, so it can be represented in binary form with the two (1) bits S [1] and S [0]. Since the sum is formed at every point, two new numbers X and Y can be put together from the two sum bits ( i = 0 to max):

Y [ i ]: = S [0], Y [max + 1]: = 0 and X [ i + 1]: = S [1], X [0]: = 0.

In the second section, the two numbers are on the usual Way added. The extension by one bit poses no problems since the result is at least one bit shorter than the longest operand.

So that the addition logic does not consume too much energy has in several places Pullup transistors have been omitted. So it's in a metastable state. Then flip it over when adding in a stable state, so it cannot leave more independently. Therefore the logic must end a cycle with an external precharge signal again be brought into the metastable initial state. While the bit addition is inserted during this period.

The cryptography processor

This second part of the description of the invention deals with with the block diagram and the resulting floor plan of the processor.

A partial task of the invention is to represent the structure of a specialized unit cell ( 10 ) which optimally supports the RSA algorithm. With this structure, the block diagram of the processor is determined. This contains enough information to be able to design a coordinated floor plan of the processor.

How is the RSA algorithm supported efficiently? In order to answer this question, the individual steps of the algorithm must be checked for the property, whether they are rarely executed and / or require little time or whether the opposite is true. In the first case, it makes more sense to implement the steps using a micro program. In the case of the time-critical steps, however, the hardware implementation must be moved to the unit cell. The following steps are performed at the level of the RSA algorithm (see flow chart in Fig. 6):

• 1. The initialization; the start values are assigned to the two variables C and e .
• 2. The loop; there are two queries and the jumps induced thereby, two calls to the MultMod algorithm and the incrementation of the variable e .

Each of the listed steps is either performed only once during the calculation, or the operation is limited to a few bits, e.g. B. the binary query of an exponent bit. In addition, they are simple operations and therefore require little computing time. The steps are therefore implemented by a micro program. A simple control unit 42 will accomplish this problem ( Fig. 11).

The variables marked with a small letter all have a counter function. They work closely with the control unit 42 since its decisions depend on the counters and, on the other hand, the counters are decremented or incremented depending on the decisions of the control unit. They must therefore be placed in close proximity to the control unit. This is possible because their length has a value of ld ( L ( M )) bits (ld = logarithm dualis). With a key length of 660 bits, they are 10 bits long.

The same arguments apply to the queries and counters of the MultMod algorithm. However, these tasks are carried out by a separate other control unit 36 ( FIG. 10), since the calculation of the look-ahead parameters is very time-critical with regard to the sequence of the mult-mod calculation. The timely generation of the shift amounts sz and sn and the information as to whether and with which sign P and N are included in the 3-operand addition significantly influences the cycle time.

The operations which are carried out with the L ( N ) bit long numbers do not belong in this control unit. An elementary cell ( FIG. 7) was designed for its storage in the immediate vicinity of the executing logic and for the logic itself.

The required registers and the logic of the elementary cell 10 result from FIG. 7. The elementary cell 10 then comprises a register 12 , which contains a multiplier M , as well as a code register 14 and a date register 16 . A UD shift register 18 follows, which contains N and -2. . . +2 bit shifts.

Further components of the elementary cell 10 are a barrel shifter 20 , a bit adder 22 , and a full adder 24 , which is followed by a carry look ahead element 26 .

In the RSA and MultMod algorithm, there are five registers needs:

• 1. The register 12 for the respective multiplier M ; the length of the register is L ( N ).
• 2. The encrypted date register 14 ; it contains the variable C during the calculation, the value of which is the result of the encryption after the RSA algorithm has been processed. The length of the register is L ( N ).
• 3. The register 16 for the date to be encrypted; it contains the variable P during the calculation, which is assigned the value of the date to be encrypted at the start of the RSA algorithm. The length of the register is L ( N ).
• 4. Register 18 for module N ; it contains a multiple of the module during the calculation. Therefore the register has the length L ( N ) + MAX . In addition to the memory function, this register has the ability to shift the variable N by several places in one step. N is shifted by sn positions relative to Z to the right in each cycle. At the same time Z is shifted to the left by sz places, ie N is shifted absolutely by sn - sz places to the right. sz and sn can have the values 1. . . Assume 3 (the maximum look-ahead k has been set to 3). The absolute shift amount by which N is shifted to the right thus takes the values -2. . . 2 on. A negative shift amount to the right means that N is shifted to the left. Based on an LR shift register, the required function is implemented with the UD shift register ( U p D own) 18 , which can shift by 1 bit in each half cycle in every direction, i.e. by 2 bits in a full cycle.
• 5. The register Z (comprising 20, 22, 24 ) for the intermediate result Z of the MultMod algorithm; this register is read out at the beginning of each cycle and is written with the new intermediate result at the end. The register must therefore only store the variable Z for a short time. The simplest way to do this is to dynamically store each bit of Z on the input gate of an inverter. The length of the register is L ( N ) + MAX because the register 18 has this length and Z can take its value. The register Z is to be understood as part of the full adder 24 .

The first three registers 12, 14 and 16 are designed as static memories since they have to store information over longer periods of time.

In addition to the registers discussed, the elementary cell design includes:

• 1. A barrel shifter 20 , the result of the addition, the intermediate result Z , by 0. . Can shift 3 bits. The inclusion of the 0-bit shift in the capabilities of the barrel shifter is necessary because the multiplication is completed before the modulo calculation and then Z may no longer (!) Be shifted.
• 2. A bit adder 22 without a carry bit, which converts the 3 operand bits into a sum that can be represented with two bits.
• 3. A full adder 24 ; this is the name of a 2-bit adder that processes the carry bit of the next lower position and itself generates a carry bit for the next higher position.

Multiplication in the embodiment is explained below. The addition logic has read access to registers 16, 18 and 20, 22, 24 and can store a number in each register. P (register 16 ) is one of the two factors in every MultMod call of the RSA algorithm. If P is always chosen as a multiplicant and the other factor as a multiplier, then it is sufficient if the unit cell logic can only read registers 16, 18 and Z ( 20, 22 and 24 ) in order to perform the required shift operations and the 3-operand To be able to carry out addition.

The MultMod control unit 36 ( FIG. 10) solves the detailed task of generating the look-ahead parameters. For this reason, the multiplier M in the register 12 is shifted in parallel with the register Z. The MultMod control unit 36 has access to the uppermost bits of the register 12 (see FIG. 12). Depending on these bits, the MultMod control unit 36 generates the shift parameter sz , which, however, is not output directly, but is instead converted into corresponding control signals. These processes take place in the multiplication shift logic 50 in FIG .

Accordingly, the shift parameter sn is generated in the modulo shift logic 52 . A comparator 38 compares the upper bits of sz with 1/3, 1/6, 1/12. . . from N. According to the algorithm from FIG. 5, the comparison result is delivered to the modulo shift logic 52 . This value indicates the relative amount by which register 18 is shifted to the right relative to Z. The modulo shift logic 52 generated from this relative value, and the shift amount of the multiplication shift logic 50 sn the absolute shift parameters. Again, sn is not output, but immediately converted into corresponding control signals.

The limiters 54 and 56 shown in FIG. 12 have the task of limiting the shift amount sz or sn if the register 18 should exceed the buffer limits, which has already been mentioned above. The signals of the first limiter 54 and the second limiter 56 are also processed by the multiplication shift logic 50 and the modulo shift logic 52 .

The first counter 58 in FIG. 12 contains the variable m (cf. FIG. 6b), which indicates how many bits of the multiplier are still to be processed in the register 12 . The second counter 60 contains the variable n (see FIG. 6b and FIG. 5), which indicates how many bits the register 18 ( N ) has been pushed into the buffer.

After an elementary cell 10 is shown in FIG. 7, FIG. 8 shows how a 4-cell block 28 with a hierarchical carry-look-ahead element 30 is constructed from a plurality of elementary cells 10 in a hierarchical structure. According to FIG. 9, five 4-cell blocks 28 are built up in a further stage to form a 20-cell block 32 , and as FIG. 10 shows, in a further hierarchical structure there are several 20-cell blocks 32 , of which the The uppermost one is designed as a buffer 34 , combined to form an encryption unit 40 with a MultMod control unit 36 .

A unit cell 10 constructed according to FIG. 7, in cooperation with the MultMod control unit 36 , is able to carry out all steps of the MultMod loop according to FIG. 6b in one cycle, since for each step of the loop (shifting the modulus N by several bits in register 18 ( N ); shifting register Z ( 20, 22, 24 ) by several bits in barrel shifter 20 ; execution of the 3-operand operation by means of bit adder 22 and full adder 24 and the carry look -Ahead unit 26 ) contains special logic. The MultMod control unit 36 calculates ( FIG. 12) the parameters of the next cycle in parallel with the work of the unit cell 10 . This provides the direct implementation of the method according to the invention in the VLSI draft of the cryptography processor.

According to FIGS. 13 and 14, a carry look ahead element 30 has been developed which recognizes whether carry bits influence one another over larger distances. Since this is only so in one of 30,000 cases in the cryptography processor in the chosen solution, the cycle time of the addition logic is no longer determined by the duration of the longest (least significant carry bit influences the most significant), but by the average addition time.

The carry look ahead element (CLA) 30 is structured hierarchically. It processes the CLA signals of the lower level (left side) and generates a CLA signal for the higher level (right side).

A propagate signal of a position means that the transfer of this position is determined by the transfer of the next lower position. When all propagate signals are activated, the hierarchical carry look ahead element 30 generates the propagate output signal of this element. A kill signal indicates that this position has no carry. The kill output signal is activated when it can be decided in the subordinate elements that the most significant position of this element has no carry.

The carry-look-ahead elements 30 can be put together into a tree structure according to a modular principle. They each represent a larger number of carry bits. The advantage of the CLA is to replace the serial processing of the carry bits with a parallel serial (tree-like) processing. This considerably reduces the addition time.

In reality, multiplies with each additional one needed Level, however, the length of the signal paths, see above that from a certain tree depth the combination of neighboring Trees no longer profit. With the roots the transfer of these trees then becomes serial again processed.

The latter can be seen in FIG. 14, which shows the connection of the carry look-ahead elements 30 in connection with an interrupter 62 . The transfers are processed by the CLA tree within a block of 20 bits. The transfer is passed on in series from block to block.

This concept is slightly expanded in the cryptography processor 48 . The block propagate signal which has become useless is used to activate the interrupter 62 , which suppresses the clock signals for a period of 8 clocks. This is the time it takes to carry through the entire serial block chain.

If the carry of a block is determined by the next least significant block, the block propagate signal is automatically activated by the block CLA. The interrupter 62 is switched on and the block chain is given enough time to adjust itself correctly.

The cycle time can therefore be set so that it just enough to carry directly adjacent blocks to process. The advantage here is very large because it is independent from the number of digits only the time of a block Transfer needs to be taken into account. The duration the calculation of a 660-bit addition is therefore no longer than that of a 20-bit addition. Only in one of approximately 30,000 cases affect the carry bits over more than two blocks away. The CLA recognizes this. The Addition then requires not one but eight cycles.

The absolute number of steps required to encrypt a date (message) can be calculated from the decomposition of the RSA algorithm into basic operations and its implementation in a circuit according to the invention. The encryption rate can be derived directly from this in general form V _{RSA, generally} , expressed in coded bits per second:

she is

• - proportional to the frequency f of the processor,
• - proportional to the number of bits L ( N ) that are encrypted together,
• - inversely proportional to the number 3/2 · L ( N ) of MultMod calls
• - inversely proportional to the number L ( N ) / min ( Erw ( sz ), Ers ( sn )) of the additions or subtractions per MultMod call and
• - inversely proportional to the number L ( N ) · A / B of the individual steps into which the addition or subtraction of a large number is broken down. B is the width of the ALU (the wider the ALU is, the fewer operations are necessary to add two long word numbers) and A is the addition of the cycles to perform an operation.

For the new cryptography processor, Erw ( sz ) = Ers ( sn ) and A / B = 1 / L ( N ) because the data width of the ALU is equal to the length of the data to be encrypted and the ALU operation only requires one cycle . In this case, the encryption rate of the cryptography processor V _{RSA, KP} follows from this:

The frequency of 30 MHz results from an extrapolation a cycle time achieved in 5 µm NMOS technology of 100 ns (a prototype made as a laboratory sample consists of approx. 5000 transistors in 5 µm NMOS technology) to common 2 µm CMOS technologies today.

The described embodiment of the Cryptography processor according to the invention from approximately 80,000 Transistors in 2 µm CMOS technology. The chip area is then 5.2 mm x 5.2 mm. At the maximum key It encodes and decrypts a length of 660 bits in the worst case Fall data still at high speed of 64,000 bits / sec.

The logic block structure and the floor plan will be apparent from Fig. 16 and Fig. 17. Fig. 16 shows the block diagram of the cryptographic processor 48, 10 can be derived directly from the preceding explanations of the unit cell.

. When designing the floor plan provided for 17 different conditions must be noted: First, the structure of the unit cell 10 further communication between the unit cells with each other and finally ensuring the connection of all required control signals to the unit cells.

Four components of the unit cell 10 exchange information with the corresponding components of adjacent unit cells. This is firstly the UD shift register 18 (cf. FIG. 7), secondly the bit adder 22 , thirdly the barrel shifter 20 and fourthly the full adder 24 . This implies that the individual components of the unit cell are placed one above the other, because then there are no additional communication paths to neighboring unit cells. It follows from the relatively high number of components that the unit cell of the chosen embodiment of the processor has a low overall height and a large width.

Although the unit cell is flat, its necessary stacking results in a narrow, high tower, as can be seen on the left in FIG. 17. For manufacturing reasons, chips that are as square as possible are aimed for. Therefore, the tower is divided into individual stacks, which are then placed next to each other ( Fig. 17, right). Every second stack is upside down because then the unit cells, which were previously adjacent to each other at the dividing line, become lateral neighbors. The required 00515 00070 552 001000280000000200012000285910040400040 0002003631992 00004 00396en information is transmitted to the neighboring cells on the top and bottom of the stack.

The not yet placed units of the processor, main control unit 42 and I / O unit 44 , require so little space in relation to the encryption unit 40 that they can be placed anywhere on their edge.

Claims (18)

1. Cryptography method according to the public key code method by Rivest, Shamir and Adleman (RSA method), comprising the use of the following operations for encrypting or encrypting messages:

• Selection of two large prime numbers p and q and a further large number E ,
• - formation of the product N = p * q,
• Conversion of the messages to be encrypted into a chain of links P _i of preferably the same length, the value of which as a number is smaller than the value of the number N ,
• - Encryption of these terms by the respective elevation into the E- th power with subsequent formation of modulo N (ie, the numbers C _i = p modulo N arise),
• - wherein the exponentiation is replaced by a sequence of multiplications and after each multiplication is performed immediately a modulo operation (that is, it is multiplied in the remainder class ring over N),
• - The multiplication is broken down into individual steps, so that a sequence of additions arises from the multiplication, and
• the modulo operation is replaced by a sequence of subtractions according to the classic division algorithm,

characterized by the use of a first look-ahead method (pre-calculation method) for the division ( FIG. 5), so that the multiplication with a second look-ahead method ( FIG. 4) can also be carried out. 2. Cryptography method according to claim 1, characterized through look-ahead algorithms with which the maximum necessary number of additions or subtractions is reduced. 3. Cryptography method according to claim 2, characterized characterized that the first look-ahead method is chosen for the modulo operation so that the probability theory Expected value of the number of the operations skipped in the first look-ahead process is the same size as the probability theory Expected value, which in the second look-ahead Procedure for multiplying skipped operations. 4. cryptography method according to claim 3, characterized by a decoupling of the two look-ahead methods, wherein each of the two look-ahead methods generates a shift amount ( sz or sn ), which indicates how many bits the intermediate result ( Z ) the multiplication or the modulus ( N ) is shifted per cycle, the intermediate result ( Z ) being shifted absolutely by sz bits and the modulus ( N ) relative to the intermediate result ( Z ) by sn bits. 5. Cryptography method according to one of the preceding claims 1-4, characterized by the combination of the addition or subtraction of the multiplication and the modulo step into a single operation (3-operand addition), with not two but per step three operands are added as follows: and wherein this 3-operand addition is divided into two sections. 6. Cryptography method according to claim 5, characterized in that the first of the two sections is selected such that a sum of the three bits of the operands A, B and C is formed at each binary position, the sum of A [ i ] , B [ i ], and C [ i ] is between 0 and 3, so it can be represented in binary form with the two bits S 1 and S 0 , and two new numbers X and Y are compiled from the two sum bits in the following way: Y [ i ]: = least significant bit of A [ i ] + B [ i ] + C [ i ], Y [max + 1]: = 0, X [ i + 1]: = more significant bit of A [ i ] + B [ i ] + C [ i ] and X [0]: = 0. ( i = 0,..., Max). 7. Cryptography method according to claim 5 and 6, characterized in that the second section is selected so that the numbers X and Y are added in a manner known per se with carry (carry), and in contrast the bit addition without carry of the first Section is executed at a time when the normal addition logic is prepared for the next cycle by a precharge signal (preparation signal). 8. Cryptography method according to claim 7, characterized in that the addition comprises the following steps:

• a) dividing the long and large numbers X and Y into small blocks ( 32 ),
• b) simultaneous calculation of the carry bits within the blocks ( 32 ) according to a known carry-look-ahead method, and
• c) Forwarding the carry bit of one block to the subsequent block, in the event that the carry bits of adjacent blocks do not influence each other.

9. Cryptography method according to claim 8, characterized in that a by the blocks ( 32 ) activatable interrupter ( 62 ) is provided which, in the event that carry bits influence adjacent blocks, the time required for their calculation and provides for consideration ( Fig. 14). 10. cryptography processor for carrying out the cryptography method, characterized by a series of elementary cells ( 10 ) specialized for the calculation of the individual operations, wherein several elementary cells ( 10 ) step by step ( FIG. 8) to form larger blocks ( 32 ; FIG. 9) are combined, and each block ( 28; 32 ) is assigned a tree-like hierarchical carry-look-ahead element ( 30 ), which normally ensures that the time for adding two numbers is independent of the length of these numbers , and wherein in each block ( 32 ) the carry is performed in parallel. 11. Cryptography processor according to claim 10, characterized in that the elementary cells ( 10 ) contain the following registers and logic components:

• - a register ( 12 ) for the multiplier ( M ),
• - a code register ( 14 ),
• - a date register ( 16 ),
• - A UD shift register ( 18 ) in which there is a multiple of the modulus ( N ) during the calculation, and which in addition to the memory function has the ability to move the modulus ( N ) in one of the two directions by several places to postpone
• a barrel shifter ( 20 ) which can shift the result of the addition, an intermediate result ( Z ) by several bits,
• a bit adder ( 22 ) without a carry bit, which carries out the first step of the 3-operand operation,
• - a full adder ( 24 ) which adds the two numbers obtained in the bit adder ( 22 ) and stores them as an intermediate result ( Z ), and
• - A carry look ahead element ( 26 ) which calculates a carry bit.

12. Cryptography processor according to claim 11, characterized in that all components ( 12 - 26 ) work in parallel. 13. Cryptography processor according to one of the preceding claims 10-12, characterized in that a plurality of blocks ( 28 ) of unit cells ( 10 ) are combined to form larger blocks ( 32 ), the transfer being passed on serially from one block to the next, and wherein the carry-look-ahead elements ( 30 ) of the blocks ( 32 ) are in turn arranged in a tree-like manner, and wherein the carry is calculated simultaneously on each superordinate carry-look-ahead element ( 30 ) of a block ( 32 ), and that a resulting signal optionally drives an interrupter ( 62 ), the interrupter ( 62 ) processing the signals coming from the carry look-ahead elements ( 30 ) and interrupting the clocks for about eight cycles if a carry look Ahead element of a block ( 32 ) gives a signal. 14. Cryptography processor according to one of the preceding claims 10-13, characterized by a MultMod control unit ( 36 ; Fig. 12) for controlling the functions of the elementary cells ( 10 ), the MultMod control unit ( 36 ) comprising the following components:

• a sliding logic ( 50 ) for the multiplication,
• a sliding logic ( 52 ) for the modulo operation,
• a comparator ( 38 ) which compares the uppermost bits of the intermediate result ( Z ) of the full adder ( 24 ) with the uppermost bits of 1/3, 1/6, 1/12 etc. of modulus N in parallel,
• - a first limiter ( 54 ) for the multiplication, which limits the maximum shift amount of the intermediate result ( Z ) if necessary, and a second limiter ( 56 ) for the modulo operation, which limits the maximum shift amount of the UD shift register ( 18 ) limited if necessary, and
• - Two counters ( 58, 60 ), of which the first counter ( 58 ) indicates the bits of the register ( 12 ) still to be processed and of which the second counter ( 60 ) indicates the position of modulus N in a buffer ( 34 ).

15. A cryptography processor according to any one of the preceding claims 10-14, characterized by an elementary block designed as a buffer ( 34 ) with a length of approximately 20 bits, which the look-ahead algorithms for the multiplication and for the modulo operations from each other decoupled by N running into the buffer ( 34 ) and the MultMod control unit ( 36 ) ensuring through the delimiters ( 58, 60 ) that the modulus N does not run up or down over the buffer limit. 16. Cryptography processor according to claim 10, characterized in that twenty elementary cells ( 10 ) are combined to form a 20-cell block ( 32 ). 17. Cryptography processor according to claim 10, characterized by an encryption unit ( 40 ), a variably configurable register block ( 46 ), an input / output unit ( 44 ) and a main control unit ( 42 ) which are operatively connected to one another via data collection lines ( FIG. 11 ).