JP2003216032A - Device and method for operating residue - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To efficiently execute division by a residue operation system when the product of some basic elements of the residue operation system is a division modulus. <P>SOLUTION: Under the control of a control device 30, each of arithmetic units 20<SB>1</SB>to 20<SB>n</SB>subtracts xi (=x mod a<SB>i</SB>) from the value of each residue operation system expression of x as the multiple of a<SB>i</SB>and multiplies the subtraction result by the inverse element of multiplication to obtain a division result. <P>COPYRIGHT: (C)2003,JPO

Description

Detailed Description of the Invention

[0001]

BACKGROUND OF THE INVENTION 1. Field of the Invention The present invention relates to a residue calculation device and method for calculating a large integer operation at high speed by parallel processing based on a residue calculation system.

[0002]

2. Description of the Related Art With the increasing importance of public key cryptography, there is an increasing demand for a method and apparatus for efficiently performing a remainder operation of a large integer. For example, RSA (Rivest-Shamir), which is currently the de facto standard.
In the −Adleman) method, it is necessary to perform the remainder operation with an integer of 1,024 bits at high speed.

As one of high-speed calculation methods for this purpose, a residue number system is known.
This remainder arithmetic system prepares a pair of relatively small integers {a ₁ , a ₂ , ..., A _n } that are disjoint and expresses the remainder by dividing a large integer to be operated by these integers. Is. Hereinafter, this remainder set {a ₁ , a ₂ , ..., A _n } is referred to as a base of the remainder operation system, and the number n of elements forming the base is n.
Is called the base size. In addition, the set of bases is a =
It is represented by {a ₁ , a ₂ , ..., _An }.

For example, an integer x and a base {a ₁ , a ₂ , ...,
a _n } is given, the integer x is converted to the basis element a _i (i =
1, 2, ..., N) divided by the set of remainders x _i (x ₁ , x ₂ ,
..., x _n ) is the remainder arithmetic expression of x. Note that x _i =
x mod a _i . Here, the integer x can uniquely express the product _{A = a 1 a 2 ... a} n of all the elements of the base modulo. That is, when x is a positive integer less than A, x and its remainder operation system representation (x ₁ , x ₂ , ..., X _n ) have a one-to-one correspondence. This one-to-one correspondence is guaranteed by the Chinese Remainder Theorem.

In the remainder arithmetic system expression, two integers x,
When calculating the product of y, the product (x ₁ · y ₁ ,
, X _n · y _n ) and the obtained product divided by the corresponding basis a _i (x ₁ · y ₁ mod a ₁ , ..., x _n
-Calculate y _n mod a _n ).

In other words, this operation is generally expressed as calculating a product modulo the corresponding base a _i for each element to obtain a product modulo the product A of the base elements. To be done. The same applies to addition and subtraction. For elements x _i and y _i corresponding to the basis a _i , addition or subtraction modulo a _i may be performed.

For multiplication, addition, and subtraction in such a remainder operation system, since it is sufficient to perform an operation modulo the basis independently corresponding to each element, for example, a value within the word length of the computer is adopted as the basis. As a result, a very large integer operation can be realized by repeating single-precision operation.

Further, since these single precision operations can be executed independently for each base, parallel processing by a plurality of arithmetic units becomes possible. For example, when the base size is n, by operating n multipliers with a residue arithmetic function in parallel,
The multiplication modulo the product A of the base elements can be completed within the same time as one multiplication with a single-precision remainder.

In modern computers, binary representation is usually used. In the operation of a large integer based on the binary number representation, LSB (Least Significant Bit) to MSB (Mos
Carry propagates toward the t Significant Bit) and takes a processing time proportional to the total number of digits (or bit length) of a large integer. Therefore, the operation using the binary number representation is disadvantageous in terms of processing speed as compared with the parallel processing using the remainder operation system.

On the other hand, since the arithmetic operation by the remainder arithmetic system does not cause carry between words, it has long been known as a method for efficiently performing multiplication, addition, and subtraction of large integers as compared with the radix method represented by a binary number expression. Has been known.

However, in the remainder calculation system, division or 2
Compared to the radix method, there is no known efficient method for comparing numbers. For this reason, the modulo arithmetic system is considered to be suitable for applications such as public key cryptography that perform arithmetic on large integers at high speed, but the method of application to modulo arithmetic is not known.

On the other hand, the method of modular multiplication by the numerical values expressed in the modular system is Posch et al. (IEEE Transact
ion on Parallel and Distributed Systems, Vol.6, N
“Modulo Redu” published on May 5, 1995, pp.449-454.
ction in Residue Number Systems ”, and Computer &
“RN published in Security magazine Vol.17, pp.637-650, 1998.
S-Modulo Reduction Upon a Restricted Base Value S
et and its Applicability to RSA Cryptography ”),
It has been proposed by Kawamura (JP 2001-194993 A).

These methods use the Montgomery (Montgomery) method in order to avoid disadvantageous division in the operation in the remainder arithmetic system representation.
gomery) is Mathematics of Computation, Vol.44, No.
170, pp. 519-521, April, 1985, "Modular
By using the modular multiplication method proposed in "Multiplication without Trial Division" (hereinafter referred to as Montgomery multiplication), modular multiplication is realized without performing division in the modular arithmetic system.

However, in the Montgomery multiplication, it is necessary to multiply an integer by a constant called a Montgomery constant. However, calculation of this Montgomery constant requires division, and an efficient method for performing this division by a remainder arithmetic system is known. Because it is not
The Montgomery constant is calculated in base notation.

Although Montgomery multiplication has been taken as an example here, it is necessary to perform division not only in Montgomery multiplication but also in algorithms for performing remainder calculation.

[0016]

As described above,
Although there is a demand for an efficient algorithm for division in the remainder calculation system, the demand is still not satisfied.

The present invention has been made in consideration of the above circumstances, and an object of the present invention is to provide a remainder arithmetic device and method capable of efficiently performing division in a remainder arithmetic system.

Another object of the present invention is to efficiently perform division in the remainder arithmetic system, especially when the product of some elements of the base of the remainder arithmetic system is the modulus of the division. .

[0019]

A first invention is a remainder operation.
The basis of the system is {a₁, A_Two, ..., a_n} (N is an integer)
And A = a₁a_Two... a_nThen, when {a₁, A_Two，
…, A_n} Arbitrarily one base element a_i(1 ≦ i ≦
n) and select this a_iSelection information and positive integer less than A
When the number x is input, the x is a_iGive the quotient z divided by
Multiple calculation units with a remainder calculation function
In the remainder arithmetic device provided, based on the selection information
And each value x of the remainder arithmetic expression of x₁, ..., x_nFrom
The base element a _iThe value x corresponding to_iTo reduce
Note: subtraction control means for controlling each arithmetic unit, and the subtraction
Each value (x₁-X_i), ..., (x
_n-X_i) (However, (x_i-X_i) Except))
Base element a_iMultiplicative inverse element a_i ^-1To multiply by
Multiplication control means for controlling each arithmetic unit;
Output the multiplication result obtained by the control means as a quotient z
And a remainder calculation device including a force means.

Thus, by the control of the subtraction control means,
Each arithmetic unit calculates xi from each value of the remainder arithmetic system expression of x.
(= X mod a _i ) is subtracted and set as a multiple of a _i ,
Under the control of the multiplication control means, each arithmetic unit multiplies the subtraction result by the multiplicative inverse element to obtain the division result, so that the division can be efficiently executed in the remainder arithmetic system.

Although the first invention is expressed as "apparatus", it goes without saying that it may be expressed as "system", "method", "program", "storage medium" or the like.

[0022]

BEST MODE FOR CARRYING OUT THE INVENTION Embodiments of the present invention will be described below with reference to the drawings. (First Embodiment) FIG. 1 is a schematic diagram showing a configuration of a main part of a remainder calculation device according to a first embodiment of the present invention.
The remainder arithmetic device 10 includes n arithmetic units 20 ₁ to 20 ₁ .
20 _n is connected to the control device 30.

Here, each of the arithmetic units 20 _{1 to} 20
_n is the corresponding subscript ROM 21 _{1 to} 21 _n ,
The RAMs 22 _{1 to} 22 _n and the sum of products circuits 23 ₁ to 23 _n are provided.

ROM 21₁~ 21_nTo the controller 30
Is a read-only memory that is read-controlled by
Sum circuit 23₁~ 23_nBase element a of the remainder operation system used in
₁, ..., a_n, And other base elements a_j(J ≠ 1, ...,
n) multiplicative inverse a_j ^-1Hold and hold contents control device
Under the control from 30, the corresponding product-sum circuit 23₁~ 23
_nIt is possible to transfer to.

It should be noted that the n base elements a ₁ ,
.., a _n are used as positive integers that are relatively prime to each other. In general the base element a ₁ of remainder operation _system, ..., and the number of a _n, may not coincide with the number of product-sum circuit 23 ₁ ~ 23 _n. Here, for simplicity includes n both To do. As the base, a power of 2 or a value close to the power of 2 is used.

Since the multiplicative inverse element value a _j ^-1 is a value determined when the basis of the remainder operation system is determined, it is precalculated and stored.
It may be stored not only in the OMs 21 _{1 to} 21 _n but also in the RAMs 22 _{1 to} 22 _n and other memories not shown (for example, EEPROM).

RAMs 22 _{1 to} 22 _n are occasional write / read memories which are read / write controlled by the controller 30.
Input data to the product-sum circuits 23 ₁ to 23 _n and the product-sum circuit 2
It is used to hold each data such as intermediate result data of the operations from 3 ₁ to 23 _n and output data to the outside of the operation units 20 _{1 to} 20 _n .

The control device 30 has a function of executing a predetermined operation by controlling each of the operation units 20 _{1 to} 20 _n and input / output data based on the division algorithm shown in FIG.

The units 20 ₁ to 2 as described above
0 _n and the device 30 can be configured by hardware, software, or a combination thereof. Here, when each of the units 20 _{1 to} 20 _n and the device 30 is configured by software, a residue calculation program for realizing each function described below is installed in advance in the computer of the residue calculation device 10. It should be noted that each unit 20 ₁
To 20 _n and the description of the device 30 that an individually configurable is
It is also applied to each of the following embodiments.

Next, the division operation of the remainder arithmetic device configured as described above will be described with reference to FIGS. 2 and 3. First, the principle will be described with reference to FIG. 2, and then the calculation example will be described with reference to FIG.

The remainder arithmetic unit 10 performs division in the remainder arithmetic system as shown on the left side of FIG. The right side of FIG. 2 shows a corresponding radix representation for convenience of explanation. For example, in Step 1, the expression of the remainder arithmetic system is (x ₁ , x ₂ ,
, X _i , ..., X _n-1 , x _n ), and indicates that the corresponding radix expression is x. As described in the related art, x _j = x mod a _j (j = 1,
2, ..., N). In this relationship, a positive integer x in radix representation is a product of all basis elements of the remainder arithmetic system A = a ₁ a
₂ ... is smaller than _{a n} (x _<A), the one-to-one correspondence.

Next, a method for obtaining a quotient of x / a _i from an input (x <A) and one arbitrarily selected base element a _i will be described along steps ST1 to ST5 of FIG.

(ST1) The controller 30 receives the input data
x₁~ X_nEach corresponding RAM 22 ₁~ 22_nWrite to
Mu.

(ST2) The controller 30 selects the selected base.
Bottom element a_iBased on the corresponding RAM 22_iValue within x
_iEach sum-of-products circuit 23₁~ 23_nRAM corresponding to
22 ₁~ 23_nValue within x₁~ X_nFrom x_iTo reduce
To order.

(ST3) Each product-sum circuit 23 _j (j = 1,
2, ..., N) executes y _j = x _j− x _i mod a _j and stores the result y _j in each RAM 22j. The corresponding operation in radix representation is y = x−x _i .

(ST4) The controller 30 multiplies the value y _j in the RAM 22j by a _{i for} the n-1 product-sum circuits 23j (j = 1, 2, ..., N, j ≠ i). Inverse element a _i ^-1
Command to multiply by mod a _j . However, this instruction is not given to the sum-of-products circuit 23i corresponding to x _i . The multiplication of the multiplicative inverse element in the remainder arithmetic system corresponds to division in the radix representation.

(ST5) Each product-sum circuit 23j (j = 1,
2, ..., N, j ≠ i) is z_j= Y _j× a_i ^-1 mod
a_jAnd the result z_jIs stored in each RAM 12j.
Note that y is from x to x as described above._i(= X mod
a_i) Is subtracted, so a_iIs a multiple of. others
Therefore, the division quotient y / a_iIs an integer. Therefore, z = y /
a_iIs the operation in the corresponding radix representation.

As a result of these 5 steps, RAM 22j (j
= 1, 2, ..., N, j ≠ i) calculation result z _j stored in
Is the remainder arithmetic expression of the quotient z. However, since the z component (z _i ) corresponding to the base element a _i has not been calculated (see FIG.
In step ST5 of (1), uncalculated is indicated, so that the part of z _i is marked with x), and the maximum number that can be represented by z _j is A / a _i . However, the quotient z = y / a _i ≦ x
Since / a _i <A / a _i , this calculation result z _j represents the correct value of the quotient z.

From the above, x / a _i is calculated by the remainder computing device 10
Can be calculated by

Next, the case where the number of selected base elements is two or more will be described. In this case as well, it can be realized by repeating the above-mentioned five steps for the number of selected base elements. Hereinafter, a specific example will be described with reference to FIG. As shown in FIG. 3, the number of elements of the base of the remainder arithmetic system is set to n = 4, and the values of the elements a ₁ , a ₂ , a ₃ , and a ₄ are 7, 11, and ₁ , respectively.
3 and 17. In this example, input x = 4567 <a
₁ a ₂ a ₃ a ₄ = 17017, which represents a procedure for selecting a ₁ and a ₄ from the base elements and obtaining a quotient 4567 / (7 × 17) = 38 in the remainder calculation system.

(ST1 ') The controller 30 controls the input data
RAM3,2,4,11 ₁~ 22_FourWrite to
Mu. In addition, each input data 3, 2, 4, 11 is input x =
4567 is a residue calculation system. For example x₁
= 4567 mod7 = 3, so a₁= 3 under 3
It has been described.

(ST2 ') The controller 30 _first selects one of the selected base elements a ₁ and a ₄ as the base element a _1.
Based on, reads the value _x 1 = 3 in the corresponding RAM22 _1, each product-sum circuit ₂₃ 1 to 23 _4, the corresponding RAM22
Commands from the value 3,2,4,11 of _{1-22 4} so as to reduce the 3.

(ST3 ') As a result, the value of each component becomes the value 0, 10, 1, 8 shown in step ST3'. The corresponding radix value is 4567-3 = 4564.

(ST4 ') The controller 30 produces three products.
Sum circuit 23_Two~ 23_FourIn contrast, RAM22_Two~ 22_Fourof
A modulo its base element to the value 10, 1, 8₁Multiplicative inverse
Ex 7 ^-1Order to multiply by. For example, a₁ ^-1 mod
a_Two= 8, a_TwoThe component of is 10 × 8 mod 1
1 = 3. However, the base element a₁For a₁Multiplication of
Since there is no inverse element, a₁Sum-of-products circuit corresponding to the components of
23₁I will not give you an order.

[0045] (ST5 ') The result of the multiplication of _{a 1} of multiplicative inverse _{a 1} ^-1, the value of each component step ST5' value × viewed in becomes 3,2,6. However, the component x of a ₁ is ignored.
In this case, the number that can be uniquely displayed in the remainder calculation system is a ₂ a
₃ a ₄ = 2431 constraint that to arrive, but the original input x
Since it was <a ₁ a ₂ a ₃ a ₄ , the result of division when a ₁ = 7 is x / a ₁ <a ₂ a ₃ a ₄ and can be expressed correctly. The corresponding radix value is 4564/7 = 652. The ignored component of a ₁ is not calculated below.

In the explanation of FIG. 2, the selected base element is 1
Since the number of the base elements is only 4, the division is completed. However, in the example of FIG. 3, since two base elements are selected, the same operation as in FIG. 2 is performed on the second selected base element a ₄ . . However, 1
Since the value represented by the base element a ₁ selected by the item is not calculated at the end of step ST5 ′, the calculation corresponding to this base element a ₁ will not be performed below.

(ST2 ") Next selected base element a ₄ =
Note 17 Since the component of a ₄ is 6, subtract 6 from each component.

(ST3 ") As a result, the value of each component becomes the value displayed in step ST3". The corresponding radix value is 652-6 = 646.

(ST4 ") The value of step ST3" is multiplied by the multiplicative inverse element 17 ^-1 of a ₄ = 17. However a so for the base element a ₄ no multiplicative inverse of a _4
No calculation is performed on the component of ₄ .

(ST5 ″) As a result of multiplication of the multiplicative inverse element 17 ⁻¹ of a ₄ , the value of each component becomes the value displayed in step ST5 ″. However, the value of a ₄ is ignored. The number that can be uniquely indicated by the remainder operation system's up _a 2 _{a 3,} but the step ST5 '
For the same reason as described above, the expression in these two bases can be correctly expressed. The corresponding radix value is 646/17 = 38.

Since the calculation is completed for all the base elements a ₁ and a ₄ selected above, the values (5 and 12) held in the base elements a ₂ and a ₃ are the bases of the quotient {a ₂ , a
₃ }, the remainder operation system expression is obtained.

As described above, according to the present embodiment, when the product of some elements of the base of the remainder operation system is the modulus of division, the remainder operation system can efficiently perform the division.

In addition, when performing an arithmetic operation with a remainder arithmetic system expression,
Even if a division process occurs in the middle of the process, the process can be performed in the remainder arithmetic system representation without changing to the radix representation, so that it is possible to expect a high speed process.

(Second Embodiment) FIG. 4 is a schematic diagram showing the structure of the main part of a remainder calculation device according to a second embodiment of the present invention. The same parts as those in FIG. A symbol (') is attached to the deformed portion to omit duplicate description, and different portions will be mainly described here. It should be noted that in each of the following embodiments as well, duplicated description will be omitted.

That is, this embodiment is a modification of the first embodiment and is intended to be applied to the bullet reduction algorithm. Specifically, as shown in FIG. Instead of the bullet reduction algorithm and Kawamura's method (Japanese Patent Laid-Open No. 2001-194).
993) is provided, and the bit selection unit 41 and the correction term calculation unit 42 described in the method of Kawamura are provided. Also, each sum-of-products circuit 23 ₁ ′-
23 _n ′ can be controlled by the correction term calculation unit 42.

First, the radix representation (b-adic number, b is a positive integer)
Barrett, “Implementing the Rivest, Sham.
ir and Adleman Public Key Encryption Algorithm on
a Standard Digital SignalProcessor ”, Advances in
Cryptology, Proc. Crypto '86, pp.311-323, 198
7.).

In the following explanation, the positive integer s is a b-ary
The numerical representation is s = (s_k-1 … S₁s ₀)_bExpress. this
Is s = s_k-1b^k-1+ ... + s₁b + s₀Means that
ing.

Bullet reduction is an algorithm for performing remainder calculation only by addition and multiplication without using trial division, and in the calculation of x mod N, when x is approximated by a multiple of N, high-order digits are used. There is a feature that it approximates. Specifically, Barrett reduction is x = (x _2k-1 ... x
_{When 1} x ₀ ) _b , N = (N _k-1 ... N ₁ N ₀ ) _b , N _k-1 ≠ 0 are input, z = x mod N is output.
It consists of the following eight steps ST11 to ST18.

Pre-calculation: μ = Quot (b ^2k / N) (ST11) q ₁ ← Quot (x / b ^k-1 ) (ST12) q ₂ ← q ₁ μ (ST13) q ₃ ← Quot (q ₂ / B ^{k + 1} ) (ST14) r ₁ ← x mod b ^{k + 1} (ST15) r ₂ ← q ₃ · m mod b ^{k + 1} (ST16) z ← r ₁ -r ₂ (ST17) If z <0 Then z ← z + b ^{k + 1} (ST18) While z ≧ N, z ← z−N where Quot (s / t) represents a quotient when s is divided by t.

In order to do this in the remainder calculation system, the following modifications are made.

First, {b ₁ , b ₂ , ..., B _k , b _{k + 1} ,
, B _2k , b _{2k + 1} } is the basis of the remainder operation system, and b _k <b
_{Set to 2k + 1} . N is b ₁ b ₂ ... b _k-1 <N <b ₁ b ₂ ... b
Let _k be an integer. At this time, for x with x <N ² , z = x mod N has the following 6 steps ST21 to ST
Calculated at 26.

Pre-calculation: μ = Quot (b ₁ b ₂ ... b _2k /
N) (ST21) q ₁ ← Quot (x / b ₁ b ₂ ... b _k-1 ) (ST22) q ₂ ← q ₁ · μ (ST23) q ₃ ← Quot (q ₂ / b _k b _{k + 1} ... b _2k ) (ST24) r ₂ ← q ₃ · N (ST25) z ← x−r ₂ (ST26) While z ≧ N, z ← z−N is a radix b compared with Barrett reduction in radix representation. The major difference is that is replaced by the base element of the remainder arithmetic system. In the radix representation, since the radix b is constant, the power of b is used in step ST11 and the like, but since the elements of the bases are different from each other in the remainder operation system, they are replaced by the product of the base elements as in step ST21. .

Considering that point, the pre-calculations of the above algorithm, steps ST21 to ST23, are operations corresponding to the bullet reduction in the radix representation. Although steps ST24 and ST25 correspond to steps ST14 to ST16 in the radix representation, since it is difficult to compare the magnitude relations in the remainder arithmetic system, m in the radix representation is represented.
The calculation corresponding to od b ^{k + 1} is omitted.

According to this embodiment, the comparison operation in step ST17 in the radix representation can be avoided by such an operation. Because q ₃ is the original quotient Q = Quot (x / N)
Is in the range of Q−2 ≦ q ₃ ≦ Q, the output z of the subtraction result of step ST25 is always positive.

From this evaluation formula of q ₃ , step ST
When the original x mod N is R, the output of 25 is
One of R, R + N, and R + 2N. R + N, R +
In the case of 2N, the correct R value is adjusted in step ST26.

All intermediate results of the calculation are the product of bases b ₁
b ₂ ... b _2k b _{2k + 1} or less, but b _k
Since b _{2k + 1} is selected so that <b _{2k + 1 holds} , it can be confirmed that this is also satisfied.

Barrett Lee in the remainder arithmetic system described above
For the method of performing the subtraction using the remainder arithmetic device 10 '
And explain. Here, the product-sum circuit 23 in FIG.₁’～
23 _n′ 'And the number of base elements of the remainder operation system 2k
Generally +1 does not have to match, but here it is easy
Therefore, n = 2k + 1.

Further, the expression of the remainder arithmetic system with integer x <N ² is x = (x ₁ , x ₂ , ..., X _2k , x _{2k +1} ). Here, x _i = x mod b _i is as described above.

(Preliminary calculation) μ = Quot (b ₁ b ₂ ... b
_2k / N) is realized by performing division under the radix representation. This result is expressed as a remainder operation system (μ ₁ , μ ₂ , ...,
μ _2k , μ _{2k + 1} ) respectively corresponding to the RAM 22 _{i of} FIG.
To store.

(ST21) The calculation for obtaining the quotient q ₁ is performed by the method described in the first embodiment. The input is the information that x and k−1 pieces of b ₁ , b ₂ , ..., B _k−1 are selected as the base elements. As the result q ₁ of this quotient calculation, the value q ₁ stored in each RAM 22 _i is set to ST2 in FIG.
Shown in 1.

The selected base elements are b ₁ , b ₂ , ..., B
_{Since it is k−1} , the value of the corresponding remainder arithmetic system expression is uncalculated as described above. In other words, the remainder operation system display of q ₁ is based on the basis {b _k , b _{k + 1} , ..., B _{2k + 1.} } (Q
_{1_k} , q _{1_ (k + 1)} , ..., q _{1_ (2k + 1)} ), and the base element b ₁ , b ₂ , ..., b _k-1 has the value of the residue arithmetic system representation of q _1. Not stored.

Therefore, according to Kawamura's base extension method,
From (q _{1_k} , q _{1_ (k + 1)} , ..., q _{1_ (2 k + 1)} ) to ST 21-2 of FIG. 5, q _{1 is set} to all bases {b ₁ ,
_{b 2, ..., b k,} b k + 1, ..., b 2k, b 2k + 1 determine the remainder operation based expressions which have been expanded}.

(ST22) The quotient q ₁ thus extended is multiplied by μ. This multiplication is performed by each product-sum circuit 23 ₁ ′-
It can be realized by parallel multiplication with 23 _n '.

(ST23) Again explained in the first embodiment
The input q_TwoAnd b as a base element_k, B
_{k + 1}, ..., b_2kQuotient with the selection information that you have selected k + 1
q_ThreeAsk for. The obtained quotient q3 is ST23 of FIG.
As shown, the basis {b₁, B _Two, ..., b_k-1, B_{2k + 1}}
Since it is the expression below, use the base extension as in ST21.
And all bases {b₁, B_Two, ..., b_k, B_{k + 1}, ..., b
_2k, B_{2k + 1}} Is used to represent the remainder operation system (FIG. 6: S
T23-2).

(ST24) q ₃ extended in this way
Is multiplied by N. This multiplication is performed by each product-sum circuit 23 ₁ ′ to 2
It can be realized by parallel multiplication with 3 _n '.

(ST25) Each product-sum circuit 23 ₁ ′ -23
_It can be realized by parallel subtraction at _n '.

(ST26) Since this operation has a size comparison, it is performed after the z obtained in step ST25 is returned to the radix representation.

As described above, according to this embodiment, x
Bullet reduction for finding mod N can be parallel-processed by a residue arithmetic system expression, and higher processing speed can be expected as compared with the case of radix expression.

(Third Embodiment) Next, a remainder calculation device according to a third embodiment of the present invention will be described with reference to FIG. 4 and FIG. This modulo arithmetic device is a device composed of the same elements as in FIG. 4, and performs a modular exponentiation operation used for RSA encryption or the like by using bullet reduction.

The modular exponentiation is expressed by the equation C = M ^E mod N. This calculation is generally performed as in the following five steps ST31 to ST35.

The binary representation of E is E = (E _m-1 E ₁ E
₀ ) ₂ and E _m-1 ≠ 0, (ST31) C ← 1 (ST32) i = m−1 to 0, the following ST33 and ST34 are looped (ST33) C ← C ² mod N (ST34) If E _i = 1 then C ← C × M mod
N (ST35) C is output In this embodiment, the arithmetic operations of steps ST33 and ST34 are performed by the remainder arithmetic system. Steps ST33, ST3
The remainder multiplication of 4 uses a method of obtaining a remainder in N after the multiplication. The multiplication can be realized by parallel multiplication in the remainder arithmetic system. When obtaining the remainder in N, the bullet reduction algorithms ST21 to ST described in the second embodiment are used.
26 is used.

(ST30) In FIG. 7, first, the power index E
M = (M ₁ , M ₂ , ..., M _{2k + 1} )
Enter.

(ST31) Next, (C ₁ , C ₂ , ..., C
_{2k + 1} ) is initialized to all 1.

(ST32) Under the initial setting of step ST31, a loop is executed from i = m-1 to 0.

(ST33-1) 2 multiplication (C ₁ , C ₂ ,
…, C _{2k + 1} ) ← (C ₁ , C ₂ ,…, C _{2k + 1} ) × (C ₁ ,
C ₂ , ..., C _{2k + 1} ). This can be realized by parallel multiplication in the residue arithmetic system. Bullet reduction BR is performed to mod N the result of 2 multiplication (ST33-
2).

(ST34-0) When E _i = 1 is calculated.

(ST34-1) Multiplication (C₁, C_Two，
…, C_{2k + 1}) ← (C₁, C_Two,,, C _{2k + 1}) × (M₁，
M_Two, ..., M_{2k + 1}) Can be realized by parallel multiplication in the remainder arithmetic system.
Wear. Multiply the mod N by bullet reduction
(ST34-2).

(ST35) When the loop is completed, (C ₁ , C ₂ , ..., C _{2k + 1} ) at that time is output.

However, when the bullet reduction explained in the second embodiment is used in the modular exponentiation, the remainder is determined by returning to the radix representation once in the last step ST26 of the bullet reduction and comparing the magnitudes. The advantage of improving the processing speed by parallel calculation in the remainder arithmetic system has not been fully utilized.

Therefore, the ST of the bullet reduction algorithm in the remainder operation system described in the second embodiment is
Try to finish at 25. In this case, the output z may be larger than N, so the bullet reduction algorithm is performed as follows.

That is, {b ₁ , b ₂ , ..., B _k , b
_{Let k + 1} , ..., b _2k , b _{2k + 1} } be the basis of the remainder operation system.
Law N _{is, b 1 b 2 ... b k} -1 <N, 9N <b 1 b 2 ... b k
Be an integer that satisfies.

At this time, the input x is 0 <x <9N ² <b ₁
If b ₂ ... B _2k is satisfied, z output by the algorithm below satisfies z = x mod N, 0 ≦ z <3N.

Pre-calculation: μ = Quot (b ₁ b ₂ ... b _2k /
N) (ST21) q ₁ ← Quot (x / b ₁ b ₂ ... b _k-1 ) (ST22) q ₂ ← q ₁ · μ (ST23) q ₃ ← Quot (q ₂ / b _k b _{k + 1} ... b _2k ) (ST24) r ₂ ← q ₃ · N (ST25) z ← x−r _{2 By} this algorithm, remainder multiplication z = xy mod N
Is executed by combining the multiplication of the remainder arithmetic system and the bullet reduction, if x <3N and y <3N, xy <9N
^Since it is ² , an output of z <3N is obtained. here,
Since the input and output ranges are the same, it is possible to repeatedly perform modular exponentiation in the modular exponentiation.

Also, when the final C is output in step ST35 of the modular exponentiation algorithm, the size is suppressed to C <3N in the last bullet reduction, so the number of times required by converting to the radix representation is required. By subtracting N by, the output C <N can be obtained.

As described above, according to this embodiment, ST
As shown in 30 to ST35, the modular exponentiation using the bullet reduction can be processed in parallel in the residue arithmetic system, and the processing speed can be expected to be higher than that in the case of using the radix representation.

Further, the effect of parallel calculation of the bullet reduction performed in the radix representation in the remainder arithmetic system is estimated as follows.

First, let us consider the amount of calculation per modular multiplication. The first multiplication requires one parallel multiplication. The remainder is calculated by the subsequent bullet reduction.

(ST21) To obtain the quotient, k−1 parallel multiplications and k−1 parallel additions are required. In addition, the base extension is k + 2 times in parallel multiplication and 2 (k + 1) in parallel addition.
Need to be repeated.

(ST22) One parallel multiplication is required.

(ST23) In order to obtain the quotient, k + 1 parallel multiplications and k + 1 parallel additions are required, and further base multiplication requires k parallel multiplications and 2 (k-1) parallel additions. .

(ST24) One parallel multiplication is required.

(ST25) One parallel addition is required.

Summarizing the above, per modular multiplication,
4k + 4 parallel multiplications and 6k + 1 parallel additions are required.

Here, the number of bits of N is 1,024 used in the current RSA encryption, and the size of the base element of the remainder operation system is 32 bits. At this time, if k = 33 is taken, it can be seen that a 1,024-bit number can be expressed, and that it is the minimum k for expressing. By substituting this value into the above equation, it can be seen that 137 parallel multiplications and 199 parallel additions are required per modular multiplication.

In general, multiplication is 2 bits of the operand bit length.
Since it takes time proportional to the power, 32-bit multiplication is 1,
It can be processed in 1/32 ² = 1 / 1,024 of multiplication of 024 bits. Therefore, the remainder multiplication using the bullet reduction in the remainder arithmetic system can be processed in about 137 / 1,024 = 0.13 as compared with the 1,024-bit multiplication.

Here, addition is ignored because it requires a smaller amount of processing than multiplication. In addition, since this comparison does not include the time of the remainder calculation with 1,024 bits, it can be expected that the processing can be performed in a smaller proportion of time than 0.13 estimated here.

The method described in each of the above embodiments is
As a program that can be executed by a computer, a magnetic disk (floppy (registered trademark) disk,
Hard disk, etc., Optical disk (CD-ROM, D
It can be stored in a storage medium such as a VD), a magneto-optical disk (MO), a semiconductor memory or the like and distributed.

The storage medium may have any storage format as long as it can store the program and can be read by a computer.

Also, an OS (operating system) running on the computer based on the instructions of the program installed in the computer from the storage medium,
MW such as database management software and network software
(Middleware) or the like may execute a part of each processing for realizing the present embodiment.

Further, the storage medium in the present invention is not limited to a medium independent of a computer, but includes a storage medium in which a program transmitted via a LAN or the Internet is downloaded and stored or temporarily stored.

Further, the number of storage media is not limited to one, and the case in which the processing in this embodiment is executed from a plurality of media is also included in the storage media of the present invention, and the medium configuration may be any configuration.

The computer according to the present invention executes each processing in the present embodiment based on the program stored in the storage medium, and one device such as a personal computer or a plurality of devices are connected to the network. It may have any configuration such as an established system.

The computer in the present invention means
Not only a personal computer but also an arithmetic processing unit, a microcomputer, and the like included in an information processing device, which collectively refer to a device and a device that can realize the functions of the present invention by a program.

The invention of the present application is not limited to the above-described embodiments, but can be variously modified at the stage of implementation without departing from the spirit of the invention. In addition, the respective embodiments may be implemented by being combined appropriately as far as possible, in which case the combined effects can be obtained. Further, the above-described embodiments include inventions at various stages, and various inventions can be extracted by appropriately combining a plurality of disclosed constituent requirements. For example, when the invention is extracted by omitting some of the constituent elements shown in the embodiment, when omitting the extracted invention, the omitted portions are appropriately supplemented by well-known and common techniques. It is something that will be done.

Besides, the present invention can be variously modified and implemented without departing from the gist thereof.

[0116]

As described above, according to the present invention, when the product of some elements of the base of the remainder operation system is the object of division, the remainder operation system can efficiently perform the division.

[Brief description of drawings]

FIG. 1 is a schematic diagram showing a configuration of a main part of a remainder calculation device according to a first embodiment of the present invention.

FIG. 2 is a schematic diagram for explaining an operation in the same embodiment.

FIG. 3 is a schematic diagram for explaining a specific example of the operation in the same embodiment.

FIG. 4 is a schematic diagram showing a configuration of a main part of a remainder calculation device according to a second embodiment of the present invention.

FIG. 5 is a schematic diagram showing application of base extension in the same embodiment.

FIG. 6 is a schematic diagram showing application of base extension in the same embodiment.

FIG. 7 is a flowchart for explaining the operation of the remainder calculation device according to the third embodiment of the present invention.

[Explanation of symbols]

10, 10 '... Remainder arithmetic unit 20 _{1 to} 20 _n ... Arithmetic unit 21 _{1 to} 21 _n ... ROM 22 _{1 to} 22 _n ... RAM 23 ₁ to 23 _n , 23 ₁ ' to 23 _n '... Sum-of-products circuit 30, 30 '…Control device

Claims (16)

[Claims] 1. The basis of the remainder arithmetic system is {a ₁ , a ₂ , ...,
a _n} when (n is an integer) as a and _{A = a 1 a 2 ... a} n _{and, {a 1, a 2,} ..., 1 single base element _a i (1 ≦ i ≦ arbitrarily from _{a n}} n) is selected, and when the selection information of a _i and a positive integer x less than A are input, the x is a
_In a residue arithmetic device having a plurality of arithmetic units having a residue arithmetic function capable of outputting a quotient z divided by _i , based on the selection information, each value x ₁ , ..., Of the residue arithmetic system expression of x, a value x corresponding to the base element a _i from x _n
subtraction control means for controlling each arithmetic unit so as to reduce _i, and each value (x ₁ −x _i ) obtained by the subtraction control means,
, (X _n −x _i ) (excluding (x _i −x _i )) is multiplied by the multiplicative inverse element a _i ⁻¹ of the base element a _i , and each arithmetic unit is controlled. A modular multiplication device comprising: a multiplication control means; and an output means for outputting the multiplication result obtained by the multiplication control means as a quotient z. 2. The basis of the remainder arithmetic system is {a ₁ , a ₂ , ...,
a _n} when (n is an integer) as a and _{A = a 1 a 2 ... a} n _{and, {a 1, a 2,} ..., k pieces (2 ≦ arbitrarily from _{a n}}
k ≦ n) basis elements a _i , a _j , ... _Are selected, and when the selection information of these basis elements a _i , a _j ,. _In a remainder arithmetic device having a plurality of arithmetic units having a remainder arithmetic function capable of outputting a quotient z divided by _i · a _j ···, any one of the selected base elements a _i , a _j ,. Reselecting means for reselecting one or more basis elements a _h , and a value x _h corresponding to the basis element a _h reselected by the reselecting means for each value x ₁ of the remainder arithmetic system expression of x. ，
..., subtraction control means for controlling each arithmetic unit so as to be subtracted from _xn , and each value (x ₁ −x _i ) obtained by the subtraction control means,
, (X _n −x _i ) (excluding (x _h −x _h )), the multiplicative inverse element a _h ^{−1 of the} reselected basis element a _h.
Multiplication control means for controlling each arithmetic unit, and all of the selected base elements a _i , a _j , ... Are sequentially processed by the reselection means, the subtraction control means, and the multiplication control means. And a means for outputting the multiplication result obtained by the control of the multiplication control means with respect to the last reselected basis element as a quotient z. 3. The residue computing device according to claim 1, wherein the base uses a value of 2 or a value close to the power of 2. 4. The residue arithmetic device according to claim 1, further comprising a base extension unit for expressing the quotient with n bases by base extension. Remainder calculation device. 5. The modulo arithmetic device according to claim 1, wherein when a positive integer N and an integer x satisfying x <N ² are input, x mod N is output. A bullet that controls each of the arithmetic units to perform bullet reduction.
A residue calculation device comprising reduction control means. 6. The modulo arithmetic apparatus according to claim 1, wherein when positive integer N and integer x satisfying x <9N ² are input, x mod N, x mod. N + N, or x m
A remainder arithmetic device comprising bullet reduction control means for controlling each arithmetic unit so as to perform a bullet reduction that outputs od N + 2N. 7. The modulo arithmetic apparatus according to claim 6, wherein the bullet reduction control means uses the subtraction control means and the multiplication control means when performing modulo multiplication including the bullet reduction algorithm. The remainder computing device is characterized by controlling each of the computing units. 8. The remainder arithmetic device according to claim 6, wherein the bullet reduction control means includes the bullet reduction algorithm, and the subtraction control means and the multiplication control means when performing modular exponentiation. A modular arithmetic unit characterized by controlling each said arithmetic unit using. 9. The basis of the remainder operation system is {a ₁ , a ₂ , ...,
a _n} when (n is an integer) as a and _{A = a 1 a 2 ... a} n _{and, {a 1, a 2,} ..., 1 single base element _a i (1 ≦ i ≦ arbitrarily from _{a n}} n) is selected, and when the selection information of a _i and a positive integer x less than A are input, the x is a
_{In a} residue calculation method using a plurality of calculation units having a residue calculation function capable of outputting a quotient z divided by _i , each value x ₁ , ..., X of the residue calculation system expression of x is based on the selection information. a value x corresponding to the base element a _i from _n
a subtraction control step of controlling each arithmetic unit so as to reduce _i , each value (x ₁ −x _i ), obtained by the subtraction control step,
, (X _n −x _i ) (excluding (x _i −x _i )) is multiplied by the multiplicative inverse element a _i ⁻¹ of the base element a _i , and each arithmetic unit is controlled. A remainder calculation method comprising: a multiplication control step; and an output step of outputting the multiplication result obtained by the multiplication control step as a quotient z. 10. A base of a remainder arithmetic system is {a₁, A_Two，
…, A_n} (N is an integer) and A = a₁a_Two... a_nWhen
When doing, {a₁, A_Two, ..., a_n} Arbitrarily k
(2 ≦ k ≦ n) basis element a_i, A_j，… Is selected,
Their base element a _i, A_j, ... selection information and less than A
When a positive integer x is input, the x is a _i・ A_j・ ・ ・ ・
Plural with remainder calculation function that can output the quotient z divided by
In the remainder calculation method using the calculation unit of The selected base element a_i, A_j,, of which
Or one base element a_hA reselection step of reselecting The base element a reselected by the reselection step_hCorresponding to
Value x_hIs the value x of the remainder arithmetic expression of x₁，
…, X_nControl each arithmetic unit to reduce
A subtraction control step to Each value (x₁-X_i),
…, (X_n-X_i) (However, (x_h-X_h) Except)
On the other hand, the reselected base element a_hMultiplicative inverse element a_h ^-1
Multiplying control that controls each of the arithmetic units so that
Your process, The selected base element a_i, A_j,… All of the above
The selection step, the subtraction control step, and the multiplication control step
The last reselected base element when processed sequentially
Regarding the multiplication result obtained by the control of the multiplication control step
An output step for outputting as a quotient z, A remainder calculation method comprising: 11. The remainder calculation method according to claim 9 or 10, wherein the base is a power of 2 or a value close to a power of 2. 12. The method according to any one of claims 9 to 11.
The remainder calculation method according to the paragraph (4), including a base extension step for expressing the quotient with n bases by base extension. 13. The method according to any one of claims 9 to 12.
In the remainder arithmetic method described in the paragraph, when a positive integer N and an integer x that satisfies x <N ² are input, a bullet for controlling each arithmetic unit to perform a bullet reduction that outputs x mod N.・
A residue calculation method comprising a reduction control step. 14. The method according to any one of claims 9 to 12.
In the remainder calculation method described in the paragraph, when a positive integer N and an integer x satisfying x <9N ² are input, x mod N, x mod N + N, or x m
A remainder arithmetic method comprising: a bullet reduction control step of controlling each arithmetic unit so as to perform a bullet reduction that outputs od N + 2N. 15. The remainder calculation method according to claim 14, wherein the bullet reduction control step uses the subtraction control step and the multiplication control step when performing remainder multiplication including the bullet reduction algorithm. And controlling each of the arithmetic units. 16. The remainder calculation method according to claim 14, wherein the bullet reduction control step includes the bullet reduction algorithm, and the subtraction control step and the multiplication control step are performed when performing modular exponentiation. Controlling each of the arithmetic units by using