JP2007034927A - Exponentiation arithmetic unit - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To provide an exponentiation arithmetic unit capable of making a calculation with a small number of operations by reducing a prior calculation processing amount and a table size. <P>SOLUTION: In the exponentiation arithmetic unit for calculating x<SP>e</SP>from inputted two integers x and e, a prior calculation module 403 preliminarily calculates x^ä1_i} and stores the x^ä1_i} in a prior calculation numerical value storage part 404 about each of L candidate exponent strings ä1_i} (0≤i≤L-1) stored in a candidate exponent storage part 402, a dividing module 405 divides e into a plurality of numerical values äf_1} (0≤i≤F-1) so as to make j, k satisfying 1_i±1_k exist as to whether to coincide with any of candidate exponents ä1_i}, and a sequential processing module 406 uses the x^ä1_i} to sequentially update calculation results c stored in a calculation result storage part 407 about äf_i} and outputs the updated calculation results c as x<SP>e</SP>about all of the äf_i}. <P>COPYRIGHT: (C)2007,JPO&INPIT

Description

  The present invention relates to a power arithmetic device that performs a power-residue operation.

The power-residue operation x ^e (mod N) is an operation used in the ElGamal encryption, the DSA signature, the Diffie-Hellman key sharing method, etc. as well as the RSA encryption / signature. It is used not only for signing and decrypting files, but also for securing communication channels such as SSL, and it is necessary to perform computations interactively for communication requests, and the processing efficiency greatly affects cryptographic processing time. To do.

The power-residue operation can be composed of a) a quadratic residue operation x ² (mod N) and b) a multiplication residue operation xu (mod N). Several methods have been proposed for speeding up the overall processing time by reducing the number of multiplication operations a) and b) required to calculate x ^e (mod N) for a given e. ing.

The addition chain (Addition, _chain), an integer column leading eventually _a n = e starts from _a 1 = 1, _{a i} is the number of the sum appearing before that (i.e. _a i _{= a} j + _{a k} (J, k <i)) is satisfied. For example, when e = 55, {1, 2, 3, 6, 12, 13, 26, 27, 54, 55} is an example. This by carrying out calculation of a) and b) as ^{x → x 2 → x 3 →} x 6 → x 12 → x 13 → x 26 → x 27 → x 54 → x 55, ^{the x 55} can be calculated Represents. This means that the amount of calculation can be reduced as compared to using only the operation of b) like {1, 2, 3, 4,..., 52, 53, 54, 55}. Thus, for a given index e (55 in the above example), an algorithm that finds a shorter summing chain is useful. However, the problem of finding the shortest (most efficient) summing chain for a given input e is known as the NP complete problem. For this reason, although not theoretically the shortest, various methods have been proposed to reduce the amount of calculation as much as possible. Some conventional examples are shown below.

[Binary Method]
The Binary Method is one of algorithms for performing a power operation with an addition chain configured based on a certain rule, and is introduced in Non-Patent Document 1.

The Binary Method is an algorithm that performs the following processing. A given exponent e (k bit length) is expressed in binary as Σ _i−0 ,..., _K−1 2 ⁱ * e_i (e_i is 0 or 1). The algorithm in which the inputs are x, e, N and the output C is x ^e (mod N) is as follows.

1) if e_ (k−1) = 1 then C: = x else C: = 1
2) for i = k-2 downto 0
2-1) C: = C * C (mod N)
2-2) if e_i = 1 then C: = C * x (mod N)
3) return C
In the above, “for” in 2) indicates that the variable i is reduced by 1 from k−2 to 0 and the loop processing is performed on 2-1) and 2-2). FIG. 2 shows a process in which x ⁵⁵ (mod N) is calculated as described above using the binary method when e = 55. At this time, the addition chain is {1, 2, 3, 6, 12, 13, 26, 27, 54, 55}.

[M-ary Method]
The m-ary Method is an extension of the Binary Method, and is a method for performing processing of 2 bits or more at a time. The algorithm in which the inputs are x, e, N and the output C is x ^e (mod N) is as follows. However, a given index e is k bits long, and e is s r (= log ₂ m) bit strings F_0,..., F_ (s−1) (where s is an integer not exceeding k / r). Assume that it has been disassembled.

0) Calculate x ^w (mod N) in advance for w = 2,..., M−1 1) Let C: = x ^∧ {F_ (s−1)} (mod N).

2) for i = s-2 downto 0
2-1) C: = C ^m (mod N)
2-2) if F_i ≠ 0 then C : = C * x ∧ {F_i} (mod N)
3) return C
m-ary Method is called Quaternary Method when m = 4. FIG. 3 shows the processing of the Quaternary Method when e = 55. When e is expressed in binary, it is (110111) ₂ , but when this is broken down into r = 2 bits, it is (11 01 11) ₂ and is processed as shown in FIG. At this time, the addition chain is {1, 2, 3, 6, 12, 13, 26, ⁵² , ⁵⁵ }, and the length of the addition chain is one shorter than the binary method, and therefore x ⁵⁵ is calculated. This means that there is less remainder operation.

[Constant Length Nonzero Windows (registered trademark) (CLNW)]
One of the extensions of the m-ary Method is Constant Length Nonzero Windows (registered trademark) (CLNW). CLNC is sometimes referred to as Sliding Windows (registered trademark) Methods / Techniques. This algorithm is configured by moving between two states NW and ZW, and the initial state is assumed to be in ZW. The NW checks one bit at a time from the beginning of the input e. If it is not 0, the state is transferred to the ZW. In ZW, a predetermined number of fixed-length bits are obtained from the input e, and the same processing as step 2 in the m-ary method is performed. Thereafter, the first 1 bit is checked, and if it is 0, the state is moved to NW, and if it is 1, the same processing is performed again.

  CLNW will be explained based on the m-ary Method algorithm. For the input e, variable length data F_0,..., F_ (s-1), a) F_i is composed of all 0s, i) F_i is r bits and F_i = 0 is not one of the two conditions Divide to satisfy. When the bit length for F_i is described as L (F_i), the CLNW processing is performed as follows.

0) Calculate x ^w (mod N) in advance for w = 1, 2,..., M−1 1) Let C: = x ^∧ {F_ (s−1)} (mod N).

2) for i = s-2 downto 0
^{2-1) C: = C ∧ L} (F_i) (mod N)
2-2) if F_i ≠ 0 then C : = C * x ∧ {F_i} (mod N)
3) return C
When CLNC is applied to the input e = (111001010001) ₂ (r = 3), it is divided into (111 00 101 0 001) ₂ . Here, in the CLNC of r = 3, it is necessary to pre-calculate X ^ 3, X ^ 5, and X ^ 7 in order to calculate the calculation result for the odd power of {3, 5, 7}, that is, X ^ e. There is.

[Variable Length Nonzero Windows (registered trademark) (VLNC)]
In the algorithm introduced above, the input e is divided into fixed lengths for sequential processing, but a method of dividing the input e into variable lengths is also conceivable. Variable Length Non-Windows (registered trademark) (VLNC) is an example, and it should be an odd number with a bit length of r (where r = log 2 m) or less, that is, {1, 3, 5,. . . , M−1} are pre-computed. For the input e, variable length data F_0,..., F_ (s-1), a) F_i is composed of all 0s, i) F_i is less than r bits, and the first bit and the last bit are 1. Are divided so as to satisfy one of the two conditions. When the bit length for F_i is described as L (F_i), the VLNC processing is performed as follows.

0) Calculate x ^w (mod N) in advance for w = 1, 3,..., M−1 1) Let C: = x ^∧ {F_ (s−1)} (mod N).

2) for i = s-2 downto 0
^{2-1) C: = C ∧ L} (F_i) (mod N)
2-2) if F_i ≠ 0 then C : = C * x ∧ {F_i} (mod N)
3) return C
Compared to the m-ary Method, there is a merit that the amount of pre-computation is small (because only odd powers are calculated), and the portion where the bit is 0 can be skipped, so that the amount of calculation in Step 2 can be reduced.

When VLNC is applied to input e = (111001010001) ₂ (r = 3), it is divided into (111 00 101 000 1) ₂ .

[Adaptive m-ary method]
Non-Patent Document 2 introduces a method of performing only the necessary pre-calculation in the algorithm introduced above after analyzing the input e. As an example, consider input e = (0001000100010001) ₂ . At this time, when the m-ary method of r = 4 is applied, it is divided into (0001 0001 0001 0001) _2. However, when calculating M ^ e, M ^ 2, M ^ 3, which are pre-calculations, are divided. ... M ^ 15 is unnecessary and is a wasteful process. Thus, precalculating only necessary data according to the form of the input e has the effect of reducing the calculation cost.
D. E. Knuth. The Art of Computer Programming: Seminal Algorithms, volume 2, Reading, MA: Addison-Wesley, Second edition, 1981. High-Speed RSA Implementation, RSA Laboratories, 1994.

  In the above-described prior art, the binary method does not need to perform pre-calculation and has an advantage that it is not necessary to have a table for storing the pre-calculation result. However, when e is displayed in binary, if the number of bits with 1 standing is large, there is a disadvantage that the calculation processing is increased. The m-ary method, CLNC, and VLNC have the advantage of reducing the amount of calculation compared to the binary method, but have the disadvantage of increasing the amount of calculation of the pre-calculation processing for performing table reference. On the other hand, in the adaptive m-ary method, unlike the method of sequentially processing the input e as a stream, such as m-ary method, CLNC, VLNC, etc., once the input e is scanned, the calculation is performed in advance. It is necessary to generate the necessary data. In general, the logic of the division processing and the processing for calculating the addition chain so as to match the input e is complicated, and is not suitable when the input e is not known in advance and e changes dynamically. In calculation cost evaluation, efficiency is discussed after ignoring the processing related to "data generation necessary for pre-calculation", and when implemented, it is thought that there is a big difference from the theoretical value.

  The present invention does not calculate all the pre-calculation processes required in the m-ary method, CLNC, and VLNC, but calculates only a part of them and scans the input e to find the necessary portions. Adopt the method of filling. This hybrid method is a characteristic feature of the present invention, and the present invention provides a power calculation method that has the advantages of reducing the amount of pre-calculation processing and the table size, and being able to calculate with a smaller number of operations than the conventional method. . In addition, the process of generating all necessary data for pre-calculation after scanning all the input e, such as Adaptive m-ary method, and the complicated logic to calculate the addition chain to match the input e well are unnecessary. This is not only easy to implement, but also suitable when the input e changes dynamically each time.

  As described above, according to the present invention, assuming that a bit string having a characteristic in the bit string when e is displayed in binary number appears, the bit string is set as a candidate index, and pre-calculation is performed only on them. By doing so, it is possible to provide a power calculation method capable of reducing the amount of pre-calculation processing and calculating with a smaller number of operations compared to the conventional method.

  In addition, since the number of numerical values to be pre-calculated is reduced, it has the advantage of reducing the table size for storing the pre-calculated numerical values, and the memory area for table reference can be reduced.

  Next, details of the present invention will be described in accordance with the description of the embodiments.

  Embodiments of the present invention will be described below with reference to the drawings.

  The present invention is applied to an information processing apparatus (host computer) 100 as shown in FIG. The information processing apparatus 100 according to the present embodiment includes a computer such as a personal computer and realizes a power operation function.

  That is, as shown in FIG. 1, the information processing apparatus 100 includes a modem 118 such as a public line, a monitor 102 as a display unit, a CPU 103, a ROM 104, a RAM 105, an HD 106, a network connection unit 107, a CD 108, an FD 109, a DVD 110, An interface (I / F) 117 of the printer 115 and an interface (I / F) 111 such as a mouse 112 and a keyboard 113 as an operation unit are connected to each other via a bus 116 so as to communicate with each other.

  The mouse 112 and the keyboard 113 are operation units for the user to input various instructions to the information processing apparatus 100. This input information (operation information) is taken into the information processing apparatus 100 via the interface 111.

  Various information (character information, image information, etc.) in the information processing apparatus 100 can be printed out by the printer 115.

  The monitor 102 displays various instruction information to the user and various information such as character information or image information.

  The CPU 103 controls the operation of the entire information processing apparatus 100. That is, the CPU 103 controls the entire information processing apparatus 100 by reading and executing a processing program (software program) from the HD (hard disk) 106 or the like. In particular, in the present embodiment, the CPU 103 reads out and executes a power calculation program from the HD 106 or the like, thereby executing processing to be described later.

  The ROM 104 stores various processing programs such as a power calculation program and various data used by the processing programs.

  The RAM 105 is used as a work area or the like for temporarily storing a processing program and information to be processed for various processes in the CPU 103.

  The HD 106 is a component as an example of a large-capacity storage device, and stores character information, image information, a processing program transferred to the RAM 105 or the like when various processes are executed, and the like.

  The CD (CD drive) 108 has a function of reading data stored in a CD (CD-R) as an example of an external storage medium and writing data to the CD.

  Similar to the CD 108, the FD (flexible disk drive) 109 has a function of reading data stored in an FD as an example of an external storage medium and writing data to the FD.

  Similar to the CD 108 and the FD 109, the DVD (digital video disk drive) 110 has a function of reading data stored in a DVD as an example of an external storage medium and writing data to the DVD.

  For example, when an editing program or a printer driver is stored in an external storage medium such as a CD, FD, or DVD, these are installed in the HD 106 and transferred to the RAM 105 as necessary. May be.

  The interface (I / F) 111 is for receiving input from the user through the mouse 112 and the keyboard 113.

  The modem 118 is a communication modem, and is connected to an external network through an interface (I / F) 119 through, for example, a public line.

  The network connection unit 107 is connected to an external network via an interface (I / F) 114.

  FIG. 4 illustrates the function (power calculation function) that is characteristic in the information processing apparatus 100 of FIG. As illustrated in FIG. 4, the information processing apparatus 100 includes a candidate index storage unit 402, a pre-calculation module 403, a pre-calculation numerical value storage unit 404, a division module 405, a sequential processing module 406, and a calculation result storage unit 407. Each module 403, 405, 406 represents a functional unit (module) realized by the CPU 103 executing a predetermined program. The storage units 402, 404, and 407 are stored in the RAM 105 and the HD 106, and are read and written as necessary.

Input values x, N (400), and e (401) are input to the information processing apparatus 100 from the outside. The information processing apparatus 100 is an apparatus that performs a power-residue operation from an input value and outputs c = x ^e (mod N) (408) as a result.

  The candidate index storage unit 402 includes in advance a candidate index sequence {l_i} (0 ≦ i ≦ L−1), which is a numerical sequence satisfying the following two conditions for the parameter r (described later).

A) Candidate index sequence {l_i} constitutes an addition chain (that is, an integer sequence starting from l_0 = 1 to finally l_ (L−1), where l_i is the sum of the numbers appearing before that ( That is, l_i = 1_j + l_k (j, k <i)) is satisfied),
I) For any positive number g less than or equal to (2 ^ r) -1, g is included in the candidate index sequence {l_i} (0 ≦ i ≦ L−1) or 0 ≦ satisfies g = l_j + l_k j, k ≦ L−1 exists. The pre-calculation module 403 performs pre-calculation from the input value (400) and the candidate index storage unit 402, and stores the pre-calculation result in the pre-calculation numerical value storage unit 404 in the HD 106, for example. In the m-ary method, x ^ w (mod N) is pre-calculated for w∈ {1, 2, 3,... (2 ^ r) -1}. X ^ w (mod N) is pre-calculated for {l_i} (0 ≦ i ≦ L−1). If the above two conditions a) and i) are satisfied, even if g is not included in the candidate index sequence {l_i}, 0 ≦ j and k ≦ L−1 satisfying g = l_j + l_k exist. It can be seen that x ^ g can be obtained by a single multiplication from the formula ^ g = x ^ (l_j + l_k) = (x ^ l_j) * (x ^ l_k). The division module 405 divides the input value 401 and stores the input value 401 and the divided numerical values in the HD 106, for example. The sequential processing module 406 sequentially processes the calculation result storage unit 407 in the HD 106, for example, and stores the calculation result 408 in the HD 106, for example. The calculation result is output through the monitor 102, the FD 109, the network I / F 114, the printer 115, and the like.

  FIG. 5 is a flowchart for explaining a power-residue calculation processing procedure in the information processing apparatus 100 having the configuration shown in FIG. For example, the CPU 103 reads and executes a processing program corresponding to the flowchart of FIG. Thereby, the information processing apparatus 100 operates as follows.

Step S500:
The inputted input value e (k bit length) is expressed in binary as Σ _i−0 ,..., _K−1 2 ⁱ * e_i (e_i is 0 or 1). The input values x, N, e are stored in the HD 106, for example.

Step S501:
Input value x, the N, for each of the L candidate index columns in the candidate exponent storage unit 402 {l_i} (0 ≦ i ≦ L-1), calculated in advance x ^∧ {l_i}, precomputed Stored in the numerical value storage unit 404.

Step S502:
The exponent e (bit length k) is divided into a plurality of numerical values {f_i} (0 ≦ i ≦ F−1) having a bit length r. At this time, if the bit length of f_i is b_i, it is divided so that k = Σ _{i− 0} ,..., _F−1 b_i. Here, the parameter r is an integer that varies depending on the bit length of the input e, and is referenced from, for example, a table as shown in FIG.

Step S503:
First, C: = x ^∧ f — 0 (mod N) is set in the calculation result storage unit 407. At this time, if f_0 is not included in the candidate index sequence {l_i}, the following processes 2-1) to 2-3) (however, i = 0) are performed. Next, the following sequential processing is performed for each f_i (0 ≦ i ≦ F−1).

for i = 1 to F-1
^{1) C: = C ∧ (} 2 ∧ b_i) (mod N)
2) if f_i is not included in {l_i}
{
2-1) g = l_j + l_k satisfy 0 ≦ j, calculates k ≦ L-1 2-2) x ∧ f_i = (x ^ l_j) * (x ^ l_k) (mod N) calculated 2-3) x ^∧ Add to {L_i} the f_i}
3) if f_i ≠ 0 then C : = C * x ∧ f_i (mod N)
Step S504:
The output value c = x ^e (mod N) obtained in step S503 is output to the outside.

  Here, in step 503 process 2-1), it is assumed to have an “exponential table” for outputting two values with one input as shown in FIG. This exponent table is stored in the candidate exponent storage unit 402, for example. As an example, an index table in the case of r = 4, L = 6, {l_i} = {1, 2, 3, 4, 5, 10} is shown. “NULL” is stored in output when input = 3, and this indicates that 3 is already included in the candidate index sequence {l_i} and x ^ 3 is pre-calculated. In the case of input = 6, “1, 5” is stored in the output, but this is not included in the candidate index sequence {l_i}, and x ^ 1 and x ^ 5 are pre-calculated. Therefore, x ^ 6 can be obtained by multiplication of (x ^ 1) * (x ^ 5) (mod N) (processing 2-2)). In the process 2-3), the exponent table is rewritten at the same time. When x ^ 6 is calculated in the above example, rewriting from FIG. 6 to FIG. 7 is performed. In FIG. 7, by changing the output in the case of input = 6 to “NULL”, x ^ 6 can be obtained from the candidate exponent string {l_i} in the subsequent loop.

FIG. 8 shows an application example when e = (1010 0110 0001 0110) ₂ , r = 4, L = 6, {l_i} = {1, 2, 3, 4, 5, 10}. Processing is performed in the same manner as the m-ary method while acquiring r bits (here, 4 bits) from the beginning of e. First, since the first 4 bits (1010) ₂ are included in the candidate exponent string {l_i}, step 503 process 2) is skipped, and step 503 process 3) is performed using x ^ 10 already calculated. Since the next 4 bits (0110) ₂ are not included in the candidate exponent string {l_i}, by referring to the exponent table, the two pre-computed values x ^ 1, x ^ 5 are converted into (x ^ 1) * ( x ^ 6 (mod N) is obtained from the multiplication x ^ 5) (mod N), and the exponent table change and x ^ 6 (mod N) are added to the candidate exponent string {l_i}. Thereafter, step 503 processing 3) is performed. In the next 4 bits (0001) ₂ , step 503 processing 2) is skipped and processing 3) is performed. Since x ^ 6 has already been calculated for the last 4 bits (0110) _2, step 503 processing 2) can be skipped and processing 3) is performed. In the m-ary method (r = 4), it was necessary to perform 14 pre-calculations from x ^ 2 to x ^ 15. In this example, x ^ 2, x ^ 3, x ^ 4, x ^ 5 , X ^ 10 and x ^ 6 midway calculation, i.e., a total of six pre-calculations, indicate that the calculation of x ^ e has been completed, indicating that it is more efficient.

  FIG. 9 shows an example in which the index table and the candidate index string {l_i} are described in one table. The input i has two output values, the second column is two integers having the same value as the output of the exponent table as shown in FIGS. 6 and 7, and the third column is x ^. The value of i. This table can be used when adding to the candidate index sequence. For example, from the example “x ^ 1, x ^ 5 to (x ^ 1) * (x ^ 5) (mod N)", x ^ 6 is obtained from the multiplication, and the exponent table change and x ^ 6 are set as candidate indices. Considering the case of “add to column {l_i}”, the second column stores “NULL” and the third column stores x ^ 6 (mod N).

  As described above, by adopting “a method in which only a part is calculated and calculated as necessary” in the m-ary method, it is possible to eliminate the waste of pre-processing and shorten the calculation processing time.

When the input value N is not input from the outside, the exponentiation operation c = x ^e is performed. Since this is considered to be a special case of the exponentiation remainder calculation, in this embodiment, the exponentiation remainder calculation x ^e (mod N) is calculated. Only a description of the equipment to be performed was given. It goes without saying that a method of outputting a power operation c = x ^e when no input value N is input from the outside is included in the embodiment of the present invention.

  In the first embodiment, when x ^ g (mod N) is not pre-computed, calculation is performed as needed, but in that case, an index table is used to select candidate indices in the initial state. An integer of l_j and l_k is obtained such that 0 ≦ j and k ≦ L−1 satisfying g = l_j + l_k exist in the column {l_i} (0 ≦ i ≦ L−1). These numerical values are called addition preliminary values for g, and are composed of a first preliminary value l_j and a second preliminary value l_k. At this time, x ^ g (mod N) is obtained by multiplying (x ^ l_j) * (x ^ l_k) (mod N), but the amount of calculation depends on whether the multiplication operation is a square operation or not. The difference is described in Non-Patent Document 2, and it is known that the square calculation has a smaller amount of calculation than multiplication of different numerical values. Therefore, by configuring the spare value in the exponent table so that the first spare value and the second spare value are the same, it is possible to reduce the amount of computation in the calculation of x ^ g.

  As an example, the index table is reconstructed from the index table shown in FIG. 6 so that the first reserve value and the second reserve value are as similar as possible as shown in FIG. 6 and 10 are different at locations where the inputs are 6 and 8. In FIG. 10, 6 = 3 + 3 and 8 = 4 + 4 hold, so that the first reserve value and the second reserve value are the same. It can be seen that it is configured. In this way, it is possible to speed up the processing by the square calculation.

  Similarly, when g is an even number and x ^ g (mod N) is calculated, g / 2 is included in the candidate exponent string rather than performing a multiplication operation with the reserve value by referring to the reserve value in the exponent table. If it exists, the processing speed can be increased by giving priority to the process of performing the square operation of x ^ (g / 2).

  In the above embodiment, only positive numbers are dealt with as candidate index sequences. However, a case will be described in which calculation is performed by eliminating this restriction and taking negative numbers into account. The candidate index of Example 1 was r = 4, L = 6, {l_i} = {1, 2, 3, 4, 5, 10}. The sum of these numerical values covers integers from 1 to 15, but when a negative number is entered here, the amount of calculation can be reduced by performing reciprocal calculation instead of multiplication. As an example, index candidates in the case of r = 4 as in the above example are shown. L = 7, {l_i} = {1, 2, 3, 6, 12, −1, −2} is a candidate index including two negative numbers. {1, 2, 3, 6, 12}, which extracts only positive numbers, forms an addition chain, and the negative number selects the addition chain with the same absolute value. The index table in this example is shown in FIG. 11, and FIG. 12 is a schematic diagram thereof. It can be seen that the items of −1 and −2 are increasing, and the power is used at the places where the power numbers are 10 and 11. For example, the calculation of g ^ 10 may be performed by multiplying g ^ (-2) * g ^ 12.

  For the calculation of the negative exponent, an extended Euclidean algorithm is used, and x ^ (-g) (mod N) is calculated from x ^ g (mod N). In the above example, g ^ (-1) and g ^ (-2) are used for calculation. This method is effective because the extended Euclidean algorithm requires much less computation than the multiplication operation. In the above example, five multiplication operations and two reciprocal operations are performed in the index candidate calculation, but in FIG. 6, six multiplication operations are required.

  The parameter r may be changed depending on the length of input e (here, k bits). In the m-ary method, the average of the total calculation amount is calculated by 2 ^ r-2 + kr- (k / r-1) (1-2 ^ (-r)). A parameter r that minimizes this value for the parameter k can be determined. The same technique can be used in the present invention, but an example of an exponent table when r is 3 to 6 will be shown below. These tables are designed to reduce the amount of pre-computation.

When r = 3: {1, 2, 3, 4}
When r = 4: {1, 2, 3, 6, 12, -1, -2} (FIG. 11)
When r = 5: {1, 2, 3, 4, 7, 14, 21, 28, -1, -2} (FIG. 13)
When r = 6: {1, 2, 3, 4, 5, 10, 20, 30, 40, 50, 60, -1, -2, -3, -4} (FIG. 14)
(Other examples)
The present invention may be applied as a part of a system composed of a plurality of devices (for example, a host computer) or a part of a system composed of one device.

  In addition, a software program for realizing the functions of the above-described embodiments for an apparatus connected to the various devices or a computer in the system so as to operate the various devices so as to realize the functions of the above-described embodiments. Implementations by supplying a code and operating the various devices according to a program stored in a computer (CPU or MPU) of the system or apparatus are also included in the scope of the present invention.

  In this case, the program code of the software itself realizes the functions of the above-described embodiments, and the program code itself constitutes the present invention. As a transmission medium of the program code, a communication medium (wired line such as an optical fiber or wireless line) in a computer network (LAN, WAN such as the Internet, wireless communication network, etc.) system for propagating and supplying program information as a carrier wave Etc.) can be used.

  Further, means for supplying the program code to the computer, for example, a recording medium storing the program code constitutes the present invention. As a recording medium for storing the program code, for example, a flexible disk, a hard disk, an optical disk, a magneto-optical disk, a CD-ROM, a magnetic tape, a nonvolatile memory card, a ROM, or the like can be used.

  Further, by executing the program code supplied by the computer, not only the functions of the above-described embodiments are realized, but also the OS (operating system) or other application software in which the program code is running on the computer, etc. Needless to say, the program code is also included in the embodiment of the present invention even when the functions of the above-described embodiment are realized in cooperation with the embodiment.

  Further, after the supplied program code is stored in the memory of the function expansion board of the computer or the function expansion unit connected to the computer, the CPU of the function expansion board or function expansion unit is provided based on the instruction of the program code. Needless to say, the present invention includes the case where the functions of the above-described embodiment are realized by performing part or all of the actual processing.

It is a block diagram which shows the structure of the information processing apparatus of embodiment. It is a figure showing the process by the Binary Method which is a prior art example. It is a figure showing the process by the m-ary Method (m = 4) which is a prior art example. It is a block diagram which shows the function structure of the information processing apparatus in 1st Embodiment. It is a flowchart for demonstrating the process procedure of the power-residue calculation in 1st Embodiment. It is a figure showing the index table of the initial state in 1st Embodiment. It is a figure showing the index table after the change in 1st Embodiment. It is a figure which shows the example of the sequential calculation in 1st Embodiment. It is a figure showing the example which described the index table and candidate index sequence in 1st Embodiment by one table. It is a figure showing the index | exponent table in 2nd Embodiment. It is a figure showing the index | exponent table in 3rd Embodiment. It is the figure which modeled the index table in 3rd Embodiment. It is a figure showing the index | exponent table in 4th Embodiment. It is a figure showing the index | exponent table in 4th Embodiment.

Explanation of symbols

100 Information processing apparatus 102 Monitor 103 CPU
104 ROM
105 RAM
106 HD
107 Network Connection 108 CD Drive 109 FD Drive 110 DVD Drive 111 Interface 112 Mouse 113 Keyboard 114 Interface 115 Printer 116 Bus 117 Interface 118 Modem 119 Interface 400 Input Value x, N
401 Input value e
402 Candidate index storage unit 403 Pre-calculation module 404 Pre-calculation numerical value storage unit 405 Division module 406 Sequential processing module 407 Calculation result storage unit 408 Calculation result c

Claims (1)

In a power arithmetic unit that calculates x ^e from two integers x and e,
An input means for inputting two integers x and e;
candidate index storage means for storing L candidate indices {l_i} (0 ≦ i ≦ L−1) represented by r bits;
For each of the candidate exponent stored in the candidate index storage means {L_i}, and pre-calculating means to be calculated in advance x ^∧ {l_i} from the input integer x,
A pre-calculated numerical storage means for storing precomputed numerical x ^∧ {l_i},
A dividing means for dividing the input integer e into a plurality of numerical values {f_i} (0 ≦ i ≦ F−1);
A calculation result storage means for storing the calculation result c;
For divided numerical {f_i} (0 ≦ i ≦ F-1), and sequential processing means for sequentially updating a calculation result c using precomputed numerical x ^∧ {l_i},
Output means for outputting the updated calculation result c as x ^e for all the numerical values {f_i}, and the candidate index {l_i} is an integer sequence starting from l_0 = 1 and finally reaching l_ (L−1) And l_i satisfies the sum of the numbers that appeared before (ie, l_i = 1_j + l_k (j, k <i)), and for any positive number g less than (2 ^ r) −1, g is { l_i} (0 ≦ i ≦ L−1) or 0 ≦ j, k ≦ L−1 satisfying g = l_j ± l_k exists.

Images