JP2003233309A - Greatest common divisor arithmetic unit, inverse element arithmetic unit, arithmetic program recording medium - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To decrease the number of times of an arithmetic operation by realizing binary gcd calculation based upon arithmetic bit units (w) of a computer. <P>SOLUTION: For inputs X and Y, gcd(X, Y)=gcd(U<SB>0</SB>, V<SB>0</SB>)2<SP>z0</SP>and such U<SB>0</SB>and V<SB>0</SB>that gcd (U<SB>0</SB>, V<SB>0</SB>) is not divisible by 2 are initially computed (S1) and it is judged whether U<SB>0</SB>=1 or whether V<SB>0</SB>=1; when neither one is 1, a value (i) having a larger bit size between U<SB>0</SB>and V<SB>0</SB>is found (S3). Then it is judged whether i≤w and when (i) is larger than (w), u<SB>u</SB>, u<SB>v</SB>, v<SB>v</SB>, and v<SB>u</SB>satisfying gcd (|u<SB>u</SB>U<SB>0</SB>-u<SB>v</SB>V<SB>0</SB>|/2<SP>w</SP>' and |u<SB>v</SB>V<SB>0</SB>-v<SB>u</SB>U<SB>0</SB>|/2<SP>w</SP>') are computed (S5) and then U<SB>1</SB>=|u<SB>u</SB>U<SB>0</SB>-u<SB>v</SB>V<SB>0</SB>|/2<SP>w</SP>' and V<SB>1</SB>=|v<SB>v</SB>V<SB>0</SB>-v<SB>u</SB>U<SB>0</SB>|/2<SP>w</SP>' are found to let U<SB>1</SB>→U<SB>0</SB>and V<SB>1</SB>→V<SB>0</SB>(S6); and it is judged whether V<SB>0</SB>=0 and when not, a return to the step (S3) is made. When V<SB>0</SB>=0, gcd is found as to U<SB>0</SB>and V<SB>0</SB>and multiplied by 2<SP>z0</SP>and outputted. <P>COPYRIGHT: (C)2003,JPO

Description

Detailed Description of the Invention

[0001]

BACKGROUND OF THE INVENTION 1. Field of the Invention The present invention relates to operations on finite fields, and particularly realizes error correction codes (algebraic geometric codes, etc.) and information security technologies (encryption key generation, digital signatures, blind signatures, elliptic codes, etc.). The present invention relates to a greatest common divisor arithmetic device, a remainder inverse element arithmetic device, an arithmetic device, and a program recording medium thereof.

[0002]

2. Description of the Related Art As methods for obtaining the greatest common divisor (gcd), (1) Euclid's mutual division method, (2) binary gcd arithmetic method, and (3) arithmetic method L are known. Algorithm L is Euclid for large numbers
It is a method in which the mutual division method of is efficient. (1) Euclid's mutual division method Euclid's mutual division method is gcd (X _i , Y _i ) ＝ gcd (Y _i , R _i ) (2) when X _i ＝ Q _i Y _i ＋ R _i (1) We use the fact that X _{i + 1} = Y _i , Y _{i + 1} = R _i (3), and the formula (1) is repeatedly applied to obtain X ₀ , Y ₀ to X _i , Y _i.
And gcd (X ₀ , Y ₀ ) ＝ gcd (X ₁ , Y ₁ ) ＝ ・ ・ ・ ＝ gcd (X _j , 0) ＝ X _j (4) by using equation (2) (X ₀ , Y ₀ ) can be obtained.
(See the document “DEKnuth (Translated by Keisuke Nakagawa):“ Quasi-Numerical Arithmetic / Arithmetic Operation (THE ART OF COMPUTER PROGRAMMING 4th Volume) ”pp. 157, Arithmetic A, Science Co., 1986”). In the Euclid mutual division method, the following operations are performed on integers X ₀ = 24 and Y ₀ = 9. X ₁ ← Y ₀ = 9, Y ₁ ← X ₀ mod Y ₀ = 6 X ₂ ← Y ₁ = 6, Y ₂ ← X ₁ mod Y ₁ = 3 X ₃ ← Y ₂ = 3, Y ₃ ← X ₂ mod Y ₂ = 0 As a result, gcd (X ₀ , Y ₀ ) = gcd (X ₃ , Y ₃ ) = gcd (3, 0) = 3
Is required. The Euclid mutual division apparatus can be configured by a combination of a division apparatus and a subtraction apparatus.

(2) Binary gcd algorithm The binary gcd algorithm is: when X is an odd number and Y is an even number: gcd (X, Y) = gcd (X, Y / 2)
When X is even and Y is odd: gcd (X, Y) = gcd (X / 2, Y)
When X is odd and Y is odd: gcd (X, Y) = gcd (X, Y−
X) When X is an even number and Y is an even number: gcd (X, Y) = 2gcd (X / 2, Y
/ 2) is a method to obtain gcd by utilizing the fact that That is, when either X _i or Y _i is an odd number, the following processing is performed. (A) When X _i is an odd number and Y _i is an even number: X _{i + 1} ← X _i ; Y _{i + 1}
← Y _i / 2 (B) When X _i is even and Y _i is odd: X _{i + 1} ← X _i / 2; Y _{i + 1}
← Y _i (C) When X _i is odd and Y _i is odd: X _{i + 1} ← X _i ; Y _{i + 1}
← For X _{i + 1} and Y _{i + 1} obtained by performing X _i −Y _i , the following equation, gcd (X _{i + 1} , Y _{i + 1} ) ＝ gcd (X _i , Y _i ) (5) Take advantage of what is made up. Above processing (A), (B)
And (C) are repeatedly applied to obtain X _i and Y _i from X ₀ and Y ₀ , and gcd (X ₀ , Y ₀ ) = gcd (X ₁ , Y ₁ ) = Since == gcd (X _j , 0) = X _j , gcd (X ₀ , Y ₀ ) can be obtained.
(See the document “DEKnuth (Translated by Keisuke Nakagawa):“ Quasi-Numerical Arithmetic / Arithmetic Operation (THE ART OF COMPUTER PROGRAMMING 4th Volume) ”pp. 158, Arithmetic B, Science Co., 1986”). In the binary gcd arithmetic method, the following operations are performed on integers X ₀ = 24 and Y ₀ = 9. X ₁ ← X _0/2 ³ = 3; Y ₁ ← Y ₀ = 9 X ₂ ← X ₁ = 3; Y ₂ ← (Y ₁ −X ₁ ) / 2 = 3 X ₃ ← X ₂ = 3; Y ₃ ← (Y ₂ −X ₂ ) / 2 = 0 As a result, gcd (X ₀ , Y ₀ ) = gcd (X ₃ , Y ₃ ) = gcd (3, 0) = 3
Is required.

The binary gcd arithmetic method can be realized by a process as shown in FIG. 1, for example. In this example, the processing is performed as follows using the variables U and V corresponding to the inputs X and Y. Step S1: U and V with X and Y as initial values respectively
And the initial value 1 is set to the shift count z. Step S2: It is determined whether both U and V are even, that is,
Determine if the least significant bit is "0". Step S3: When both U and V are even numbers, U / 2 and V / 2 are set to U and V, respectively, and the shift count is doubled (1 bit shift), and the process returns to step S2. Step S4: It is determined whether V is an even number. Step S5: If V is an even number, set V / 2 to V and return to step S4. Step S6: When V is an odd number, it is determined whether U is an even number. Step S7: If U is an even number, set U / 2 to U and return to step S6. Step S8: When both U and V are odd numbers, it is determined whether U> V. Step S9: If U> V, set (UV) / 2 to V and return to step S4. Step S10: If U ≦ V, set (VU) / 2 to V. Step S11: It is determined whether V = 0, and if it is not 0, the process returns to step S4. Step S12: If V = 0, U × z is output as the calculation result of gcd (X, Y).

An apparatus for performing the binary gcd arithmetic can be configured only by division by 2 and subtraction. Since multiplication and division by 2 is equivalent to 1-bit shift, there is an advantage that it can be easily implemented in an electronic circuit or computer. In the Euclid mutual division method and the binary gcd arithmetic method, when the input values X and Y are large integers, the large integers are bit-shifted, subtracted, and divided a plurality of times. For example, consider the case of performing binary gcd arithmetic on integers X and Y that can be represented by 512 bits.
The number of loops k of the binary gcd algorithm is twice the size of the input value (512 to 1024 times in this case), and k bit shifts and maximum k times (average k / 2 times) are subtracted ( (Corresponding to step S9 or S10 in FIG. 1). Further, the time required for one bit shift and addition / subtraction also increases in proportion to the bit size of the calculated value (U, V in this case).
For this reason, it is possible to reduce the number of times a large integer is calculated.
This leads to faster d-calculation. One of the methods for reducing the number of operations on a large integer is an operation method using the pseudo-calculation method described below. This is to perform a pseudo gcd arithmetic method by an operation using a small integer instead of performing an operation using a large integer in a loop, and then use a value obtained by the pseudo arithmetic method to perform an operation on a large integer. It is a method to carry out collectively.

(3)Algorithm L Those who have applied pseudo arithmetic to Euclid's mutual division method
There was a law. (For example, the document “D.E.Knuth (Keisuke Nakagawa
Translated by: "The quasi-numerical method / arithmetic operation (THE ART OF COMPUTER
PROGRAMMING 4th volume) ”pp.166, Algorithm L, Cayenne
S., 1986 ") Here is a specific example. In arithmetic L, a large integer X₀= 91234567890123456789 Y₀= 2000000000000000001 For example, the upper 4 of them and their 4 digits
The value obtained by adding 1 to the value of
number x0₀= 9123 x1₀= 9124 y0₀= 2000 y1₀= 2001 Decide as. X_{i + 1}= Y_i; Y_{i + 1}= X_imodY_i x0_{i + 1}= Y1_i; Y1_{i + 1}= X0_imody1_i x1_{i + 1}= Y0_i; Y0_{i + 1}= X1_imody0_i Then,       x0_i/ y1_i<X_i/ Y_i<X1_i/ y0_i                      (6) Holds. In arithmetic L, X_i， Y_iUsing Euclid to divide
X0 instead of doing the law _i， Y1_i， X1_i， Y0_iWith Eucl
Perform id division method. That is, the integer parts on the right and left sides of equation (6)
An integer x0 that is small as long as the minutes have the same value_i， Y1_i， X1_i， Y
0_iAsk for. This is called a pseudo operation. After that, the performance
A large integer X using the value obtained by arithmetic_i， Y_iCalculation of
To do. This allows large integer operations to be performed together.
You can get the same effect as saying (for example, x
0_i， X1_i， Y0_i， Y1_iIf is 10 digits, calculation of about 12 times
Can be summarized at once). In addition, this method
It is also possible to apply to the base gcd algorithm.

[0007]

The problem of the algorithm L is that the Euclid's mutual division method using x0 _i and y1 _i is used in the pseudo operation.
It is necessary to perform both Euclid's mutual division methods using x1 _i and y0 _i, and the number of operations that can be combined at one time varies. An ordinary computer has a readable / writable storage device in units of M bits (M is 8, 16, 32, etc.) (condition 1). From this,
It is efficient to perform the operation in units of M bits. For example, 2
In the base gcd arithmetic method, a large integer is shifted by 1 bit. However, under condition 1, a shift of 1 bit is the same as or more costly to shift M bits at a time. Furthermore, modern computers have M-bit (M is 8, 16, 32, etc.) shifters, adder-subtractors, multipliers, and the like (condition 2). In this case, it takes the same time to perform an operation of less than M bits once and an operation of M bits once. For this reason, it is efficient to perform the operation in units of M bits. On the other hand, in the arithmetic method L, the number of bits of the calculation that can be performed collectively changes depending on the time, so that the merit (effect) of the collective calculation decreases.

[0008]

In the present invention, the binary gcd is used.
A pseudo algorithm is used for the algorithm, which will be described in detail below.
It is realized without calculating the error range. In algorithm L,
X_i， Y_iInstead of a small integer x0_i， X1_i， Y0_i， Y1_iFor
And perform a pseudo operation. x0_iAnd x1_iRespectively X_iProfitable
Represents the lower and upper limits of the value _iAnd y1_iIs Y_iof
It represents the lower and upper limits of possible values. The difference between the upper and lower limits
Pseudo operation is continued until (error range) opens to some extent. This
Invention, X_iA small integer representing the value of
The middle value of the limit x_aOnly Also, calculate the error range
Instead, the pseudo operation is performed a predetermined number of times w '.

There are two advantages to this. (1) Compared with the method using the error range, many pseudo operations can be performed at one time, and the number of operations of multiple precision is reduced. (2) A fixed value w'bit shift operation can be performed. These enable speeding up of the binary gcd algorithm.
The algorithm L performs the same operation as the operation of the Euclid mutual division method or the binary gcd operation method, but in the present invention, the same operation may not be performed. For example, in the binary gcd arithmetic method, the magnitude of U and V is compared in a loop. If the U and V values are far apart, the magnitude comparison can be made by looking only at the upper few digits. However, when the values of U and V are close to each other, a small integer u _a , v that simulates the operation of U and V.
_It may not be possible to determine which is larger only by _a (corresponding to the upper digits of U and V). In such cases, the algorithm L
Then, the pseudo operation was once ended, the values of U and V were recalculated, and then the magnitude was judged. In the present invention, the pseudo operation is continued even in that case. Therefore, in the present invention, the magnitude relationship may be erroneous. If the magnitude relation is wrong, U and V will take negative values (these cases do not occur in the algorithm L). However, by setting gcd (U, V) = gcd (| U |, | V |), the present invention prevents an incorrect answer from being output. As a result, the present invention increases the number of operations to be put together at one time and reduces the number of multiple precision operations, as compared with the algorithm L. Further, according to the present invention, it is possible to perform an operation for each predetermined number of bits (w 'bits).

Gcd arithmetic algorithm In order to facilitate understanding of the extended binary gcd arithmetic device according to the present invention, first, the principle of the present invention will be described with reference to a normal binary gc arithmetic device.
The algorithm when applied to d operation is shown. Step S1 (initial setting of multiple length value): U ← Y; V ← X; S ← 0; T ← 1. Step S2 (initial setting of single precision value): i ← max (size of V; size of U) v _a ← upper w bit of V; u _a ← upper w bit of U v _x ← lower w bit of V; u _x ← Lower w bit of U

[Equation 1] If i ≦ w, go to step S5. Step S3 (single precision operation loop): The following is repeated w times: (1) If u _x is an even number

[Equation 2] (2) If v _x is even

[Equation 3] (3) If v _x , u _x are odd and u _a > v _a

[Equation 4] (4) If v _x , u _x are odd and u _a ≤ v _a

[Equation 5] Step S4 (multi-precision value recalculation):

[Equation 6] U ← | U '| / 2 ^w ; V ← | V' | / 2 ^w If V = 0, go to step S5; otherwise, go to step S5.
Go to 2. Step S5 (final processing calculation): If V = 0, output U. If V ≠ 0, gcd (U, V) is obtained and output (operation with single precision w bits or less) Proposition of validity of the above algorithm Proposition 1: When the above algorithm ends, gcd (X, Y) is output. Proof: gcd (U, V) ＝ gcd (X, Y) always in the above algorithm
Is established. We will prove this by induction.

1. In step S1, since U = X and V = Y, gcd (U, V) = gcd (X, Y) holds. 2. In steps S3 and S4, if U is even: U ← U / 2 If V is even: V ← V / 2 If both U and V are odd and U> V: U ← (UV) / 2 U, V If both are odd and U ≦ V: An operation corresponding to one of V ← (VU) / 2 is performed. That is, if gcd (U, V) = gcd (X, Y) at the start of step S3, gcd (U, V) = gcd (X, Y) holds at the end of step S4. However, here gcd (U, V) ＝ gcd (｜ U ｜, ｜ V ｜)
And From the above 1 and 2, gcd (X, Y) is output when the above algorithm is completed. Grounds for ending the above algorithm Proposition 2: If w ≧ 4, the above algorithm ends in a finite time. Proof: The values of U and V at the time of step S2 are U ₀ and V ₀
And U and V recalculated in step S4 are U ₁ ,
V ₁ At this time, it is sufficient to show U ₀ + V ₀ > U ₁ + V ₁ . In the above algorithm, U + V monotonically decreases, and when U + V <2 ^w , step S5 is executed and the process ends. The inventor can prove that the above equation holds, but it is omitted here.

[0012]

BEST MODE FOR CARRYING OUT THE INVENTION gcd arithmetic unit A gcd arithmetic unit 1000 will be described with reference to FIGS. 2 and 3. This device 1000 is a device for inputting X and Y from the input unit 101 and outputting gcd (X, Y) from the output unit 102. The device 1000 includes a gcd calculation initial setting unit 110, a gcd calculation pseudo calculation unit 120, and a gcd calculation pseudo calculation unit 120. Multiplication arithmetic unit 130, gc
The d operation final operation unit 140, the control device 150, and the storage unit 160 are provided, and the operation is performed as follows. Step S1: gcd calculation initial setting unit 110, input X, Y relative gcd (X, Y) = 2 Z0 gcd (U, V) U satisfying (7), V, of the z _0, the z ₀ The maximum value is obtained, and U and V at that time are set as U ₀ and V ₀ , respectively, and passed to the control device 150, and z ₀ is passed to the gcd operation final processing unit 140 via the control device 150. Step S2: The control device 150 checks whether the inputs U ₀ and V ₀ are U ₀ = 1 or V ₀ = 1. When the inspection is passed, that is, when U ₀ = 1 or V ₀ = 1 is passed, U ₀ and V ₀ are passed to the gcd operation final processing unit 140. Step S3: If not, the control device 150
For the inputs U ₀ and V ₀ , the larger value i of the bit size
Ask for. Step S4: Check whether the bit size i is w bits or less. If the inspection is passed, U ₀ and V ₀ are passed to the gcd operation final processing unit 140. If the bit size i is not equal to or smaller than w, upper w bits of v _a = V ₀ (i-th bit to i-w + 1th bit) u _a = upper w bits of U ₀ (i-th bit) From the eye to the i-w + 1th bit) v _x = V ₀ lower w bits u _x = U ₀ lower w bits each value is passed to the gcd operation pseudo operation unit 120, and U ₀ and V ₀ are gcd It is passed to the arithmetic multiple precision arithmetic unit 130.

Step S5: gcd operation pseudo operation unit 1
20 is U₀， V₀Upper and lower w bits of v_a， U_a， V_x，
u_xAs will be described later with reference to FIGS.
Simulate the gcd operation. The resulting value u_u， U_v， V_u，
v_vIs passed to the gcd operation multiple precision operation unit 130. Step S6: The gcd arithmetic multiple precision arithmetic unit 130 U₀← ｜ u_uU₀−u_vV₀｜ / 2^w; V₀← ｜ v_vV₀−v_uU₀｜ / 2^w Calculate and update each U₀， V₀As a control device
Pass it to the storage 150. Step S7: The control device 150 is V₀= 0 is checked,
If it is not 0, the process returns to step S3 and V₀If = 0
U₀， V₀Is passed to the gcd operation final operation unit 140. Step S8: The gcd operation final operation unit 140 inputs
U₀， V₀， Z₀Against 2 ^Z0gcd (U₀， V₀) And output
It V₀If = 0, then 2^z0gcd (U₀, 0) = U₀2^z0Can be output
Becomes Therefore, the control device 150 has a U₀= 1 or V₀=
Initial determination means for inspecting 1 1-20, V₀， U₀Bit size
Bit size acquisition means 1-30 for obtaining the larger value i of
Bit size to check if bit size i is smaller than w
Inspection means 1-40, V₀Final inspection means 1-7
0, V in step 4 above₀， U₀To each upper w bit, each lower
Equipped with operation bit extracting means 1-41 for extracting the position w bits,
In addition, this gcd arithmetic unit 1000 has various data and arithmetic,
Storage unit 1 for storing data required for control and processing
60 is provided.

[0014] gcd calculation initialization unit 110 FIG. 4 and with reference to FIG. 5 for explaining the operation of the gcd calculation initial setting unit 110. Step S1: The counting units 111 and 112 input
The number of consecutive zeros from the least significant bit of each of X and Y is counted, and the values x ₀ and y ₀ are output to the comparison unit 113 (for example, if the binary representation of the input is 101000, the output is 3). . Step S2: The comparison unit 113 inputs the input values x ₀ , y _0.
Are compared and the smaller one is output as z ₀ . Step S3: Division parts 114 and 11 by powers of 2
Input 5 inputs inputs X, Y and z ₀ , respectively, performs division by 2 ^Z0 on the input values X and Y, and outputs the division results U ₀ and V ₀ . gcd calculation initial setting 11
0 outputs U ₀ , V ₀ and z ₀ .

[0015]gcd operation pseudo operation unit 120 Referring to FIG. 6 and FIG. 7, the gcd operation pseudo operation unit 120
The operation will be described. Step S1: From controller 150_a， U_a， V_x， U_xof
When each value is input to the control unit 121, the memory 122
Decided u_u， U_v， V_u， V_v, C to the initial value of the control unit 121
Send to. Step S2: The control unit 121 controls the data α = {v_a，
u_a， V_x， U_x， U_u， U_v， V_u， V_v, C} is input, u_x
Check if is even. If even, case 1
To the data 123 to α = {v_a， U_a， V_x， U_x， U_u， U_v， V_u，
v_v, C} is sent. Step S3: u_xIf is an even number, case 1 unit 12
3 is u_a← [u_a/ 2] ； u_x← u_x/ 2 v_u← 2v_u; V_v← 2v_v Of the data α ′ = {v_a，
u_a， V_x， U_x， U_u， U_v， V_u， V _v, C} is sent. Step S4: u_xIs not an even number, the control unit 121
Is v_xCheck if is even. If even, case 2
Data to the unit 124 α = {v_a， U_a， V_x， U_x， U_u，
u_v， V_u， V_v, C} is sent. Step S5: u_xIs an odd number v_xIf is even, 2 cases
The knit 124 is v_a← [v_a/ 2]; v_x← v_x/ 2 u_u← 2u_u; U_v← 2u_v Of the data α ′ = {v_a，
u_a， V_x， U_x， U_u， U_v， V_u， V_v, C} is sent.

Step S6: The control unit 121 makes u_x， V_x
If both are odd, u_aAnd v_aCompare the size of. u_a> V_a
If so, the data α = {v_a， U_a，
v_x， U_x， U_u， U_v， V_u， V_v, C}, u_x， V_xBoth strange
Number and u_a≤v_aIf so, the data α to the case 4 unit 126
= {V_a， U_a， V_x， U_x， U_u， U_v， V_u， V_v, C} is sent. Step S7: u_x, v_xIs an odd number, u_a> V_aIf, if
The 3-unit device 125 u_a← [(u_a−v_a) / 2]; u_x← (u_x−v_x) / 2 u_u← u_u＋ v_u; U_v← u_v＋ v_v v_u← 2v_u; V_v← 2v_v Of the data α ′ = {v_a，
u_a， V_x， U_x， U_u， U_v， V_u， V _v, C} is sent. Step S8: u_x, v_xIs odd and u_a≤v_aIf, case 4
Unit 126 is v_a← [(v_a−u_a) / 2]; v_x← (v_x−u_x) / 2 v_u← v_u＋ u_u; V_v← v_v＋ u_v u_u← 2u_u; U_v← 2u_v Of the data α ′ = {v_a，
u_a， V_x， U_x， U_u， U_v， V_u， V _v, C} is sent. Step S9: Case 1 Unit 123 to Case 4 Uni
The data α has been processed by one of the
When it is returned to the control unit 121 as α ′, the control unit 121
Increase the value of c by 1.

Step S10: Compare the c and w ', and if c <w', return to step S2. If c = w ', {u _u , u _v , v _u , v _v } are calculated by gcd. The pseudo calculation unit 120 outputs the gcd calculation multiple length calculation unit 130. Control unit 12
1 is processed by the state determination means 6-21, which of the case 1 unit 123 to the case 4 unit 126, and the case units 123 to 126, from the input states of u _x , v _x , u _a , and v _a . A processing result storage means 6-22 for storing the result, a counting means 6-23 for counting the number of times of processing c, and a processing end judging means 6-24 for judging whether the processing is ended, that is, whether c = w '. I have it. The gcd calculation pseudo computing section 120 U _0, V ₀ the lower w bits of the value u _x of the v _x, a judgment U _0, V ₀ is whether an even number, respectively, each of U _0, V ₀ Value u _{a of} the upper w bits,
U ₀ and V ₀ are compared by v _a , and based on these, the same processing as the conventional binary gcd arithmetic method is performed.
This can be immediately understood by comparing the processing procedure of FIG. 7 with the processing procedure of the conventional binary gcd algorithm shown in FIG. In addition, the following equation gcd (U ₀ , V ₀ ) ＝ gcd (| u _u U ₀ −u _v V ₀ | / 2 ^{w ′} , | v _v V ₀ −v _u U ₀ | / 2 ^{w ′} ) (8 ), U _u , u _v , v _u , and v _v are satisfied.

[0018]gcd multiple precision arithmetic unit 130 The operation of the gcd multiple precision arithmetic unit 130 will be described with reference to FIG.
To do. In FIG. 8, the gcd multiple precision arithmetic unit 130 is controlled.
Control device 150 to U₀， V₀Is a gcd operation pseudo operation unit 12
0 to u_u， U_v， V_u， V_vAre input respectively. Multiplier 1
3a to 13d are the product u_uU₀， U_vV_v， V_uU₀， V_vV₀Total
Calculate and output. The subtracters 13e and 13f are different from each other.
U₁= u_uU₀−u_vV₀And V₁= v_vV₀−v_uU₀Calculate the absolute value 1
Output to 3g and 13h. Absolute value gauge 13g and 13h
Respectively input U₁And V₁Calculate the absolute value of
To the dividers 13i and 13j. Power of 2
The dividers 13i and 13j are respectively input | U₁｜ and ｜
V₁| Of 2 ^{w '}Calculate division by₀And V₀As g
The output of the cd multiple precision arithmetic unit 130. 8 gcd many
The processing of the double arithmetic unit 130 is summarized below. Step S1: V₁= (-V_uU₀＋ v_vV₀) / 2^{w '} U₁= (U_uU₀−u_vV₀) / 2^{w '} Is calculated. Step S2: V₁← ｜ V₁|; U₁← ｜ U₁｜ Step S3: V₀ ← V₁   ; U₀ ← U₁ In FIG. 8, 2^{w '} After obtaining the absolute value by dividing by
However, as shown in step S1 above, 2^{w '} To
The division by may be performed before obtaining the absolute value. Obtained
U₀， V₀Is input to the control device 150 and described in FIG.
Like V₀= 0 is checked.

[0019] Referring to the gcd calculation final processing unit 140 FIG. 9 for explaining the operation of the gcd calculation final processing unit 140. The gcd calculation final processing unit 140 includes a control device 15
0 to U ₀ and V ₀ are input, and z ₀ is input from the initial setting unit 110. The small number of gcd calculators 141 inputs U ₀ ,
The gcd of V ₀ is calculated and output to the power of 2 multiplication unit 142. The power-of-two multiplication unit 142 calculates 2 ^z0 gcd (U ₀ , V ₀ ) using the inputs gcd (U ₀ , V ₀ ) and z _0, and outputs it as the output of the final processing unit 140. In other words, it is the output of the gcd arithmetic unit 1000.
As shown in FIG. 10, the gcd arithmetic final processing device 140 basically has the same procedure as the conventional binary gcd arithmetic method shown in FIG. 1 except that the final step S10 is performed by multiplying and correcting 2 ^Z0 . is there. More specifically, steps S1 to S9 of FIG. 10 are the same as the processing for u _x , u _u , v _x , v _u , v _v in steps S1 to S9 of FIG. As described above, the greatest common divisor of inputs X and Y can be obtained. In addition, except for the gcd operation final processing unit 140, all the operation units are w or w'bits, so that it is possible to carry out with a small amount of processing as a whole. As will be understood from the description of FIGS. 2 and 3, each unit in FIG. 2 is sequentially processed. Therefore, in FIG. 6, the control unit 121 is provided for convenience of description. Controller 15
0, the other units are also controlled by the control device 150, and the storage unit (memory) required for each process in each unit can use the storage unit 160 in FIG.

Extended Binary gcd Arithmetic Unit 2000 The extended binary gcd arithmetic unit 2000 will be described with reference to FIG. This device 2000 accepts gcd (X, Y) for X, Y inputs.
And S = 2 ^k X ^-1 mod Y and k are output. This device 2000 includes an extended gcd operation initial setting unit 210, an extended gcd operation pseudo operation unit 220, an extended gcd operation multiple length operation unit 230, an extended gcd operation final operation unit 240, and a control device 250, and as shown in FIG. The following operations are performed. Step S1: The extended gcd calculation initial setting unit 210
For inputs X and Y, gcd (X, Y) = 2 ^z0 gcd (U ₀ , V ₀ ) (9) is satisfied. Among U ₀ , V ₀ , and z ₀ , the one with the maximum z ₀ is obtained. The initial values S ₀ = 0, T ₀ = 1 and k = 0 of S, T and k are passed together with U ₀ and V ₀ to the control device 250, and z ₀ is expanded through the control device 250 to the final gcd calculation final processing unit 240. Hand over to. Step S2: The controller 250 inputs U ₀ , V ₀ , S ₀ ,
For T ₀ , k, check if U ₀ = 1 or V ₀ = 1. If the inspection is passed, U ₀ , V ₀ , S ₀ , T ₀ , k are passed to the extended gcd operation final processing unit 240. Step S3: The control device 250, if U ₀ = 1 or V ₀ = 1 is not satisfied, with respect to the inputs U ₀ , V ₀ , S ₀ , T ₀ , k, the bit size of U ₀ and V ₀ is larger. The bit size value i of one is calculated. Step S4: The controller 250 checks if the value i is less than or equal to w bits. If the inspection passed,
In the extended gcd calculation final processing unit 240, U ₀ , V ₀ , S ₀ , T ₀ ,
pass k. The case did not pass in either test, v _a = (from the i-th bit to the i-w + 1 bit) upper w bits of V ₀ u _a = upper U ₀ w bits (the i From the bit to the i-w + 1th bit) v _x = V ₀ lower w bits u _x = U ₀ lower w bits each value is passed to the extended gcd operation pseudo operation unit 220, and U ₀ ,
V ₀ , S ₀ , and T ₀ are passed to the extended gcd arithmetic multiple precision arithmetic unit 230. Add w'to k.

Step S5: The extended gcd operation pseudo operation unit 220 has v _a , u _a , which are upper and lower w bits of U ₀ , V ₀ .
Simulate the extended gcd operation using each value of v _x and u _x . The resulting values u _u , u _v , v _u , and v _v are extended gcd
It is passed to the arithmetic multiple precision arithmetic unit 230. Step S6: Extended gcd arithmetic multiple precision arithmetic unit 230
U ′ = (u _u U ₀ −u _v V ₀ ) / 2 ^{w ′} , V ′ = (v _v V ₀ −v _u U ₀ ) / 2 ^{w ′} , as will be described later with reference to FIG. Calculate S ′ = u _u S ₀ + u _v T ₀ , T ′ = v _v T ₀ + v _u S ₀ . If V'is negative, the signs of V'and T'are reversed, and if U'is negative, the signs of U'and S'are reversed. U ′, V ′, S ′, T ′ obtained as a result of the calculation are passed to the control device 250 as U ₀ , V ₀ , S ₀ , T ₀ . Step S7: The control device 250 checks whether V ₀ = 0,
If not 0, the process returns to step S3, and if 0, the extended gc
The operation of the d operation final operation unit 240 is performed. Step S8: The extended gcd operation final operation unit 240
If V ₀ ≠ 0, 2 ^Z0 gcd (U ₀ , V ₀ ) is calculated for the inputs U ₀ , V ₀ , and z ₀ and output. Further, if V ₀ = 0, S, k that satisfies S = 2 ^k X ^-1 mod Y is obtained and output.

Although not particularly shown in FIG. 11, the extended gcd arithmetic unit 2000 also has the initial judgment means shown in FIG.
1-20, bit size acquisition means 1-30, bit size inspection means 1-40, operation bit extraction means 1-41, final determination means 1-70,
A unit corresponding to the storage unit 160 is provided. Expansion g
The cd calculation initial setting unit 210 has the functional configuration shown in FIG. 4 similarly to the gcd calculation initial setting unit 110 in FIG. 2 and performs the processing shown in FIG. 5, but the points different from these are stored in the storage unit. Stored initial values of S, T, k S ₀ = 0, T ₀ = 1,
Output k = 0 and pass it to the controller 250. The functional configuration of the extended gcd operation pseudo operation unit 220 is almost the same as that of the gcd operation pseudo operation unit 120 shown in FIG. 6, and its processing is almost the same as the process shown in FIG. In step S9 of 7, the process of increasing the value of k by 1 is also performed as shown in parentheses. That is, u _u , u _v , v _u , and v _v obtained by the pseudo operation unit 120 are output and k
Is added with w to output. Therefore extended gcd
The control unit of the arithmetic pseudo arithmetic unit 220 is also provided with a unit for counting k. Instead of incrementing k + 1 by 1 in step S9, k + w = k may be set when c = w in step S10.

Extended gcd multiple precision arithmetic unit 230 Referring to FIGS. 13 and 14, extended gcd multiple precision arithmetic unit 23
The operation of 0 will be described. The arithmetic unit 230 receives U ₀ , V ₀ , S ₀ and T ₀ from the control device 250 in FIG.
u _u , u _v , v _u , and v _v are input from the cd operation pseudo operation unit 220. Multipliers 23a to 23h have products u _u U ₀ , u _v V ₀ , and
Calculate and output v _u U ₀ , v _v V ₀ , u _u S ₀ , u _v T ₀ , v _u S ₀ , v _v T ₀ . Subtracter 23i and 23j each difference _{U '= u u U 0 -u} v
Calculate and output V ₀ and V ′ = v _u V ₀ −u _v U ₀ . Adder 23
k and 23l are sums S ′ = u _u S ₀ + u _v T ₀ and T ′ = v _v T _{0, respectively.}
Calculate + v _u S ₀ and output. The control unit 23m receives inputs U'and S '
On the other hand, if U '<0, U'and S'are output to the sign inverter 23o, and -U' and -S 'are received as new inputs U "and S" from the sign inverter 23o. If U ′ ≧ 0, U ′ is output to the power of 2 divider 23q, and S ′ is set to S ₀ , and the arithmetic unit 230
Output more. The control unit 23n receives V'for input V'and T '
If <0, V'and T'are output to the sign inverter 23p, and -V 'and -T' are received as new inputs V "and T" from the sign inverter 23p. If V ′ ≧ 0, V ′ is a power of 2 divider 2
3 ′, and T ′ is output from the arithmetic unit 230 as T ₀ .

The divider 23q by the power of 2 has a value of 2 at the input U '.
^The quotient U ₁ based on ^{w ′} is calculated and used as U ₀ as the output of the calculation unit 230. Divider according to powers of 2 23r is an output of the arithmetic unit 230 as V ₀ by calculating the quotient V ₁ by '2 ^w' of the input V.
The processing of the extended gcd multiple precision arithmetic unit 230 described above is shown in FIG. Is calculated. Step S2: It is determined whether V ₁ is smaller than 0, and if it is not smaller than 0, the process directly proceeds to step S4. Step S3: If V ₁ is smaller than 0, V ₁ ← -V ₁ and
The sign is changed by T ₁ ← -T ₁ . Step S4: It is determined whether U ₁ is smaller than 0, and if it is not smaller than 0, the process directly proceeds to step S6. Step S5: If U ₁ is smaller than 0, U ₁ ← -U ₁ and
The sign is changed by S ₁ ← -S ₁ . Step S6: The obtained V ₁ , U ₁ , S ₁ , T ₁ are updated
Output as V ₀ , U ₀ , S ₀ , T ₀ . The output of the extended gcd operation multiple precision arithmetic unit 230 is input to the control device 250.

[0025]Extended gcd operation final processing unit 240 The extended gcd calculation final processing section 240 is the final processing shown in FIG.
It has almost the same functional configuration as that of the science unit 140, and the input U₀，
V₀Gcd (U, V) is calculated with the initial value of, and the calculation result
And gcd (U, V) and z₀Using 2^z0gcd (U, V) is calculated and output
I will be forced. The difference from the final processing unit 140 is that this final processing is performed.
S in the science department 240₀， T₀, K are also input and are shown in FIG.
As shown in FIG. 15, a part of the gcd calculation process is performed in step S
Step S8-1 for incrementing k by 1 after 3, S5, S7, S8
Is performed and then the process proceeds to step S9. Step S9
At v_x= 0, S = (u_uS₀＋ u_vT₀)
It calculates and outputs the result S and k. This S is S = 2^kX
^-1It matches the calculation result of modY. This extended gcd calculator
The device 2000 is also a single control device like the gcd arithmetic device 1000.
250 can process each part,
The reason can also be performed by deciphering and executing the program. So
In the case of
Read from, or retrieved from the buffer that was temporarily stored
Moreover, the calculation result can be written in the storage means or in the buffer.
It will provide a step to temporarily store. This
In this embodiment, when the inputs X and Y are both even, gcd
(X, Y) = 2^z0u_x Is output, and one of X and Y is odd and g
When cd (X, Y) = 1, S and k are output.
Therefore, in the extended gcd calculation initial setting unit 210, X, Y
First, which is an odd number, and if it is an odd number, z₀Ask for
U without X₀, Y to V₀And w, S₀= 0, T₀= 1,
You may make it output k = 0. But for example the reverse
If you want to find the element, it is required that one of X and Y is not an odd number.
Absent. That is, one of the input values must be odd in advance.
If it is known, the extended gcd calculation initial setting unit 210
Then just U₀= X, V₀= Y, S₀= 0, T₀= 1 and k = 0
Only the initial settings need to be made. That is, X to U₀As Y
To V₀As well as S₀= 0, T₀= 1 and k = 0 from memory
It may be read and output.

In the above description, the number of bits that can be calculated at one time is w and w ', but the pseudo calculation unit (120, 22)
0) the amount w'calculated at once and the multiple precision arithmetic unit (130, 2
30) and the amount w calculated at one time may be the same value. As described above, the extended binary gcd arithmetic unit can be combined with the division unit by the power of 2 to form an inverse element arithmetic unit on the remainder ring Z / NZ. FIG. 16 shows a case where a normal inverse element arithmetic unit is constructed using the extended binary gcd arithmetic unit of the present invention. As shown in the figure, integers X and N are input to this device 3000, and first, the extended binary gc described in FIG.
An extended binary gcd operation is performed by the d operation unit 315, and S = X
^-1 2 ^k mod N and k are output, and these S, k and N are input to the division unit 318 by the power of 2 on Z / NZ, and S · 2 ^-k mod N
Is calculated, and as a result of the calculation, X ⁻¹ mod N, that is, X
The inverse element operation result on Z / NZ of is obtained.

In FIG. 17, half Montgomery (Ka
liski) shows an inverse element arithmetic unit 3100 when the extended gcd arithmetic unit of the present invention is applied to the inverse element arithmetic. The integers X and N are input to this device 3100, and the operation is performed on the X and N by the extended gcd operation device 315 described with reference to FIG. 11, and the result S = X ⁻¹ 2 ^k mod N and k and the input N are input. And are input to the division device 320 by the power of 2 on Z / NZ, and S ・ 2
^-(kn) modN is calculated (n is the number of bits of N), and X ^-1 2 ⁿ modN is obtained as a result. Figure 18 shows Montgome on Z / NZ
The inverse element arithmetic unit 3200 when the extended binary gcd arithmetic unit of the present invention is applied to the ry inverse element arithmetic is shown. As shown in the figure,
Extended gcd arithmetic unit 31 for input integers X and N
In step 5, S = X ^-1 2 ^k modN and k are obtained, and on the other hand, in the power-of-two multiplier 325 on Z / NZ, S · 2 ^2n-k mod ^N is calculated to calculate X ^-1 2
It is also possible to obtain ²ⁿ mod N.

FIG. 19 shows an apparatus 5000 in which the extended gcd arithmetic unit of the present invention is applied to a Montgomery inverse element arithmetic unit on Z / NZ. As shown in FIG. 19, under the control of the control unit 510, first, a division device 51 by a power of 2 on Z / NZ is used.
X ′ = X · 2 ^−t modN is calculated in step S4, and S = X− ¹ 2 ^k modN is calculated by the extended gcd calculator 515 for the calculation results X ′ and N.
And k. These S and k are input to the comparison device 517 to determine the positive or negative of 2n-kt from the bit lengths n, k and t of N, and if negative, k '=-2n + k + t and S' = S Input to the divider 518A by the power of 2 on Z / NZ to calculate T = S'2 ^{-k '} mod N. If 2n-kt is positive, set k '= 2n-kt and S' = S to 2 on Z / NZ.
It is input to the multiplier 518B according to the power of, and T = S'2 ^{k '} mod N is calculated. The output unit 519 outputs one of the T of the calculation unit 518A and 518B as the operation result of the X ^-1 2 ²ⁿ modN. The program for causing the computer to function as the greatest common divisor or extended greatest common divisor computing device or inverse element computing device according to the present invention described above is stored in the main storage device 13 in the computing device 10A shown in FIG. To be done. The arithmetic unit 10A is realized by, for example, a computer,
A CPU 11, a RAM 12, a main storage device 13 and the like are configured, and a keyboard 14 and a display device 15 are connected. When a 16-bit chip set that performs an operation 16 bits at a time is used as the CPU 11,
As described in the embodiments of the present invention, it is preferable to collectively perform 16-bit multiplication / division by powers of 2.

The CPU 11 executes the greatest common divisor or extended greatest common divisor operation or inverse element operation according to the operation program in the main memory 13. The RAM 12 holds various parameter values and variable values required for these calculations, and holds intermediate and final results of the calculations. The user A inputs a program execution command from the keyboard 14, and the progress of calculation is displayed on the display device 15. Here, a case where the inverse element operation device of the present invention is used in a digital signature which is an example of security technology will be described. User A
The computing device 10A is connected to the computing device 10B of the user B via the network NW, for example, and the user A attaches the digital signature S to the document m and transmits the document m to the computing device 10B of the user B for use. Person B verifies the validity of the received signature S. Here, as a digital signature, ESIG
The case of using the N method will be described. In this case, users A and B
Shares the system parameter k with the public key n, and the transmitting side party A holds the secret keys p and q of prime numbers in secret. However, n = pq. A program 13P for executing the digital signature method ESIGN is stored in the main storage device 13. As a part of the program 13P, a partial program for executing an expression including an inverse element operation used in one process of digital signature generation by the operation method of the present invention.
13PP is provided.

First, the arithmetic unit 10A of the user A generates a random number x. Then put the document m into the hash function
h (m) is generated, and the following equation w = [{h (m) −x ^k mod n} / p · q] (10) is calculated. Next, the following equation S = x + {w / (k · x ^k−1 ) mod p} p · q (11) is obtained. W / (k · x ^k−1 ) mod p in the equation (11) is the same as the inverse element operation described above. Therefore, as described above, if expressed as y = w (k · x ^k−1 ) ⁻¹ mod p = w · X ⁻¹ mod p (12), the inverse element processing procedure shown in the explanation of FIG. Y can be obtained by Using y thus obtained, S = x + y · p · q (13) is calculated and (S, m) is transmitted to the arithmetic unit 10B of the user B. In the device 10B of the user B, the following equation S ^k −2 ^a ≦ h (m) ≦ S ^k is used by using the received S and m, ^where a = [(2/3) log ₂ n] (14) holds. If yes, the signature S for the document m
Admit that is correct. The case where the recording medium of the inverse element calculation program of the present invention is stored in the main storage device 13 of the calculation device and is used is shown, but such a program is stored in any other form of recording medium. Obviously, it may be used.

[0031]

According to the binary gcd arithmetic unit of the present invention, a pseudo integer binary gcd arithmetic method is performed by an arithmetic operation using a small integer to reduce the arithmetic operation of a large integer at a rate proportional to 1 / w. The binary gcd algorithm can be performed at high speed. (W is the number of bits that a computer can handle at once 8, 16, 32, etc.) Also, "actual gc
The efficiency of the pseudo operation is improved by introducing the method of "performing a predetermined number of pseudo operations even if there is no guarantee that the d algorithm is correctly simulated." Thereby, for example, the conventional arithmetic method L simulates about 12 rounds by a pseudo arithmetic method using a 32-bit single precision integer, but the apparatus of the present invention uses a pseudo arithmetic method using a 32-bit single precision integer. It is possible to simulate 32 rounds. In this case, g is the number of large integer operations less than half the algorithm L.
Can perform cd calculation.

[Brief description of drawings]

FIG. 1 is a flowchart showing a calculation procedure of a conventional binary gcd algorithm.

FIG. 2 is a diagram showing a functional configuration of a gcd arithmetic unit according to the present invention.

3 is a flow chart showing a flow of operation of the apparatus of FIG.

FIG. 4 is a diagram showing a functional configuration of a gcd calculation initial setting unit 110 in FIG.

5 is a flowchart showing a flow of operation of the initial setting section 110 in FIG.

FIG. 6 is a diagram showing a functional configuration of a gcd operation pseudo operation unit 120 in FIG.

7 is a flowchart showing a flow of operations of the pseudo operation unit 120 of FIG.

FIG. 8 is a diagram showing a functional configuration of a gcd arithmetic multiple precision arithmetic unit 130 shown in FIG. 2;

9 is a diagram showing a functional configuration of a gcd operation final operation unit 140 in FIG.

10 is a diagram showing a flow of operations of a final calculation unit 140 in FIG.

FIG. 11 is a diagram showing a functional configuration of an extended binary greatest common divisor calculation device which is a modified example of the present invention.

FIG. 12 is a diagram showing a flow of operations of the extended binary greatest common divisor calculation device of FIG. 11;

FIG. 13 is an extended gcd arithmetic multiple precision arithmetic unit 23 in FIG.
The figure which shows the functional structure of 0.

14 is a diagram showing the flow of operations of the multiple precision arithmetic unit 230 of FIG.

FIG. 15 is a diagram showing a part of the flow of operations of the final arithmetic unit 240 in FIG. 11.

FIG. 16 is a diagram showing a functional configuration of a normal inverse element arithmetic unit to which the extended binary gcd of the present invention is applied.

FIG. 17 is a diagram showing a functional configuration of a half-Montgomery (Kaliski) inverse element operation device to which the extended binary gcd of the present invention is applied.

FIG. 18 is a Montgo to which the extended binary gcd of the present invention is applied.
The figure which shows the function structure of a mery inverse element arithmetic unit.

FIG. 19 is Montgo to which the extended binary gcd of the present invention is applied.
The figure which shows the other functional structure of a mery inverse element arithmetic unit.

FIG. 20 is a block diagram showing a functional configuration example for causing a computer to operate the device of the present invention by using the arithmetic program recording medium according to the present invention.

Claims (13)

[Claims] 1. Input means for inputting input values X and Y, storage means for respectively storing these X and Y, and gcd (X, Y) = gcd (U ₀ , V ₀ ) from the input values X and Y. and gcd calculation initial setting means 2 ^Z0 and that z ₀ is for calculating the U _0, V _0, z ₀ to the maximum, gcd (a, B) represents the greatest common divisor of a and B, the input value U _0, V _{From 0} , gcd (U ₀ , V ₀ ) = gcd (| u _u U ₀ −u _v V ₀ | / 2 ^{w ′} , | v _v V ₀ −v _u for a predetermined integer w ′ ≧ 4. U ₀
| / 2 ^{w '} ) satisfying u _u , u _v , v _v , v _u, and a gcd pseudo operation means, and input values U ₀ , V ₀ , u _u , u _v , v _v , v _u to U _{'= | u u U 0 -u} v V 0 | / 2 w' V '= | v v V 0 -v u U 0 | / 2 w' and calculates the U _0, is output as V ₀ gcd calculation multi Gc for calculating gcd (U ₀ , V ₀ ) 2 ^Z0 from input values U ₀ , V ₀ , z ₀
d arithmetic operation final processing means, output means for outputting the operation result gcd (X, Y), and control means for sequentially operating each of the above means to perform reading and writing to the storage means, etc. . 2. The apparatus according to claim 1, wherein the control means is a bit size acquisition means for obtaining a larger value i of the bit sizes of the input values U ₀ and V ₀ , and whether the value i is w or less. It is determined whether or not, and if it is not w or less, the gcd arithmetic pseudo arithmetic means is executed, and if it is less than w, the bit size checking means for executing the gcd arithmetic final processing means, and the above w is a predetermined 4 It is the above integer, and final determination means for determining whether or not V _{0 in} the output of the gcd arithmetic multiple precision arithmetic means is 0, and if the determination by the final determination means is not V ₀ = 0, gcd
The outputs U ₀ and V ₀ of the arithmetic multiple precision arithmetic means are input to the bit size acquisition means and executed, and when V ₀ = 0, the gcd operation final processing means is executed. A greatest common divisor arithmetic unit characterized by including. 3. The apparatus according to claim 2, wherein the control means determines whether the input from the gcd calculation initializing means is V ₀ = 1 or U ₀ = 1 and if this is satisfied, the input is performed. A greatest common divisor arithmetic unit having an initial judging means for inputting the values U ₀ , V ₀ to the gcd arithmetic final arithmetic means without inputting them to the gcd arithmetic pseudo arithmetic means. 4. The apparatus according to claim 1, 2 or 3, wherein said control means outputs u _a and v _a of each upper w bit and u _x and v _x of each lower w bit from said U ₀ and V ₀ , respectively. The gcd operation pseudo operation means has an operation bit extracting means for extracting, and the gcd operation pseudo operation means has the above u _a , v _a , u _x , v _x and initial values u _u = 1, u _v = 0, v _u = 1, v
_v = 0 is input to determine whether u _x is even, v _x is even, or u _a > v _a u _x ,
v _x , u _a , v _a state determination means, and operation of u _a = [u _a / 2], u _x = u _x / 2, v _u = 2v _u , v _v = 2v _v with u _x being an even number, If v _x is even, v _a = [v _a / 2], v _x = v _x / 2, u _u ＝ 2u _u , u _v ＝ 2u _v , u _a ＞ v _a u _a ＝ [(u _a −v _a ) / 2], u _x ＝ (u _x −v _x ) / 2, and u _u ＝
u _u + v _u , u _v = u _v + v _v , v _u = 2v _u , v _v = 2v _v operation, otherwise v _a = [(v _a −u _a ) / 2], v _x = ( v _x −u _x ) / 2, and v _u = v _u + u _u , v _v = v _v + u _v , u _u = 2u _u , u _v = 2u _v ,
Update operation means for executing any of the above to update u _u , v _v , u _v , v _u , a counting means for counting the number of times c calculated by the update operation means, and the number of times c becomes w ′. Up to the above u _x , v _x , u _a , v _a state determination means, the update calculation means, and means for repeatedly executing the counting means, the greatest common divisor operation device. 5. An input means for inputting input values X and N, one of which is an odd number, a storage means for respectively storing these X and N, and U ₀ = X, V ₀ = N, S ₀ = 0, Extended gcd calculation initial setting means for initializing T ₀ = 1 and k = 0, and gcd (U, V) = gcd (| u _u U ₀ − for a predetermined w ′ from input values U and V. u _v V ₀ | / 2 ^w , | v _v V ₀ −v _u U ₀ | /
2 u ^' ), u _u , u _v , v _v , v _u are calculated, and w'is added to k,
Extended gcd operation pseudo operation means and input values U, V, S, T, u _u , u _v , v _v , v _u to U ′ = (u _u U ₀ −u _v V ₀ ) / 2 ^{w ′} , S '= U _u S ₀ + u _v T ₀ or U' =-(u _u U ₀ -u _v V ₀ ) / 2 ^{w '} , S' =-(u _u S ₀ + u _v T ₀ ), and V '= (v _v V ₀ −v _u U ₀ ) / 2 ^{w ′} , T ′ = v _v T ₀ + v _u S ₀ or V ′ = − (v _v V ₀ −v _u U ₀ ) / 2 ^{w ′} , T ′ =-(V _v T ₀ + v _u S ₀ ) and outputs U ', V', S'and T'as U ₀ , V ₀ , S ₀ and T ₀ respectively Extended gcd operation Multiple precision operation Means and input values U ₀ , V ₀ , S ₀ , T ₀ | u _u U ₀ −u _v V ₀ | / 2 ^c = gcd (U, V) | v _v V ₀ −v _u U ₀ | / 2 Extended gcd operation final process of computing u _u , u _v , v _v , v _u , c that satisfies ^c = 0, computing S ′ = u _u S ₀ + u _v T ₀ , and adding c to k Means and the result of the operation of the extended gcd operation final processing means is S = X ^{-12 k} (m
An extended greatest common divisor arithmetic unit including: output means for outputting the arithmetic result of odN) and k; and control means for sequentially operating each of the above means to perform reading and writing to the storage means. 6. The apparatus according to claim 5, wherein the control means is a bit size acquisition means for obtaining a larger value i of the bit sizes of the input values U ₀ and V ₀ , and whether the value i is w or less. It is determined whether or not, and if it is not w or less, the extended gcd operation pseudo operation means is executed, and if it is w or less, a bit size checking means for executing the extended gcd operation final processing means, and the extended gcd operation multiple length Final judgment means for judging whether V _{0 in} the output of the calculation means is 0 or not, and if the judgment by the final judgment means is not V ₀ = 0, the expansion g
means for inputting the outputs U ₀ , V ₀ of the cd operation multi-precision arithmetic means to the bit size acquisition means for execution, and if V ₀ = 0, for executing the extended gcd operation final processing means,
An extended greatest common divisor arithmetic unit characterized by including and. 7. The device according to claim 5 or 6, wherein:
The above means U₀， V₀To u of each upper w bit_a， V_aAnd each
U of lower w bits_x， V_xOperation bit extraction
Have means, The extended gcd operation pseudo operation means is the u_a， V_a， U_x，
v_xAnd the initial value u_u= 1, u _v= 0, v_u= 1, v_v= 0 and k are entered
Is u_xIs even or v_xIs even or u_a> V_aJudge u_x， V_x，
u_a， V_aState determination means, u_xIs even and u_a= [U_a/ 2], u_x= U_x/ 2, v_u= 2v_u， V_v= 2v_vof
Calculation, v_xIs even and v_a= [V_a/ 2], v_x= V_x/ 2, u_u= 2u_u， U_v= 2u_vof
Calculation, u_a> V_aIn u_a= [(U_a−v_a) / 2], u_x= (U_x−v_x) / 2, and u_u=
u_u＋ v_u， U_v= U_v＋ v_v， V_u= 2v_u， V_v= 2v_vArithmetic of, V in all other cases_a= [(V_a−u_a) / 2], v_x= (V_x−u_x) / 2, and
And v_u= V_u＋ u_u， V_v= V_v＋ u_v， U_u= 2u_u， U_v= 2u_vArithmetic of,
Do either of u_u， V_u， U_v， V_vUpdate operator to update
Dan, Counting means for counting the number of times c calculated by the update calculation means
When, The above u until the number of times c becomes w '_x， V_x， U_a， V_aStatus judgment
Means, the update calculation means, and the counting means
Repeatedly executed, k is k + w 'when the number of times c is w'
Means for updating to, and an extended maximum public
A factor calculator. 8. A computer-readable recording medium recording a program for causing a computer to function as the greatest common divisor calculating device according to any one of claims 1 to 4. 9. A computer-readable recording medium in which a program for causing a computer to function as the extended greatest common divisor calculating device according to any one of claims 5 to 7 is recorded. 10. An inverse element arithmetic unit on a residue ring Z / NZ for outputting X ⁻¹ mod N with respect to inputs X and N, and further comprising:
And an extended greatest common divisor arithmetic unit according to any one of
An inverse element calculation device having a division device by a power of 2 on NZ. 11. For n-bit inputs X and N, X ⁻¹ 2 ²ⁿ
A Montgomery inverse element arithmetic unit on a remainder ring Z / NZ that outputs mod N, wherein the extended greatest common divisor arithmetic unit according to any one of claims 5 to 7 and multiplication by a power of 2 on the remainder ring Z / NZ. An inverse element arithmetic unit characterized by having a unit and a division unit by a power of 2 on the remainder ring Z / NZ. 12. X- ¹ 2 ^nm for n-bit inputs X and N
Half-Montgomery (Kalisk) on the remainder ring Z / NZ that outputs odN
i) It is an inverse element operation device, and has the extended greatest common divisor operation device according to any one of claims 5 to 7 and a division device by a power of 2 on the remainder ring Z / NZ. And the inverse element calculation device. 13. For n-bit inputs X and N, X ⁻¹ 2 ²ⁿ
A Montgomery inverse element arithmetic unit on a remainder ring Z / NZ that outputs mod N, wherein the extended greatest common divisor arithmetic unit according to any one of claims 5 to 7 and multiplication by a power of 2 on the remainder ring Z / NZ. An inverse element operation device comprising: a device.