JP2009258502A - Multiplication device and program - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To execute multiplication at high speed by using a small memory size when a processing unit (g) is large. <P>SOLUTION: In a multiplication device 10, an input/output part 12 inputs respective input values A(x), B(x), F(x), a multiplication device control part 13 partitions an input value B(x)(=x<SP>(s-1)g</SP>B<SB>S-1</SB>(x)+x<SP>(s-2)g</SP>B<SB>S-2</SB>(x)+...+x<SP>ig</SP>B<SB>i</SB>(x)+...+x<SP>g</SP>B<SB>1</SB>(x)+B<SB>0</SB>(x)) for each processing unit (g), values of (s) pieces B<SB>s-1</SB>(x), ..., B<SB>0</SB>(x) are created, and a M table creating part 14 creates an M table composed the calculation result of M[i]=A(x)x<SP>ig</SP>mod F(x) of for each order (i) of values B<SB>i</SB>(x). A T table creating part 15 refers to the M table, and creates a T table composed the calculation result of T[i]=M[i]B<SB>i</SB>(x) mod F(x) of for each order (i). A multiplication executing part 16 calculates the sum total of the calculation result T[s-1], ..., T[0] of the T table, and outputs it as a multiplication result P(x)=A(x)B(x) mod F(x). <P>COPYRIGHT: (C)2010,JPO&INPIT

Description

  The present invention relates to a multiplication apparatus and program capable of executing multiplication on a finite field at high speed.

  In recent years, there is a demand for transmitting and receiving various data such as document data and image data via an open network such as the Internet. These pieces of data to be transmitted / received contain a lot of data to be kept secret. For this reason, an encryption technique for transmitting and receiving data in an encrypted state so that a third party does not know it has become widespread.

As one of this kind of encryption technology, there is a method using an operation on a finite field. The encryption technique is generally realized by using an operation defined on a finite field GF (p ^m ) for encryption and signature. Here, in order to realize high-speed encryption and signature, it is necessary to execute operations on a finite field at high speed. The calculation to be accelerated includes, for example, multiplication on a finite field.

  As a high-speed execution method for multiplication on a finite field, Hasan table reference method is known (for example, see Non-Patent Document 1).

In this table reference method, the input values A (x) and B (x) are divided into m bits B (x) for every g bits, and the obtained values B _s-1 , B _s-2 , ... B _i , ... B ₁ and B ₀ are used to perform multiplication processing. In this multiplication process, two types of tables, M table and T table, are referred to. Here, B _i is an i-th value obtained by dividing m bits of B (x) every g bits. s is a natural number smaller than m (s = m / g). Further, the input value B (x) is a value on the finite field GF (p ^m ), and is represented by the following expression, for example.

^{B (x) = x (s} -1) g B s-1 (x) + x (s-2) g B s-2 (x) + ... + x g B 1 (x) + B 0 (x)
The other input value A (x) is also a value on the finite field GF (p ^m ), and is represented by the following equation, for example.

A (x) = a _m-1 x ^m-1 + a _m-2 x ^m-2 + ... + a ₁ x + a ₀
Here, m coefficients {a _m−1 , a _m−2 ,..., A ₁ , a ₀ } are respectively elements {0,..., P−1} on the finite field GF (p). It is. However, in Non-Patent Document 1, the finite fields GF (p ^m ) and GF (p) are finite fields GF (2 ⁿ ) and GF (2), respectively.

At this time, Hasan's table reference algorithm is executed as shown in the left column of FIG. That is, when A (x), B (x), F (x) and M table are input, a T table is created (step 1). Next, based on the s−1th value B _s−1 obtained by dividing the input B (x), P (x) is obtained by referring to the T table (step 2). Further, as the For statement, the following operations τ ₁ , τ ₂ , τ _3, and P (x) are executed for each i-th B _i (x) from s−2 to 0 (step 3). ).

τ ₁ = x ^g P ₁ (x),
τ ₂ = M [P ₂ (x)],
τ ₃ = T [B _i (x)],
P (x) = τ ₁ + τ ₂ + τ ₃
Here, it is assumed that P (x), M table (M-table), T table (T-table), and F (x) are expressed by the following equations.

  Thereafter, the calculation result of P (x) = A (x) B (x) mod F (x) is output.

  Here, the Hasan algorithm as described above will be briefly described.

In the Hasan algorithm, when the multiplication process is executed by dividing the order of B _i (x) every x ^g , the order is divided into B _i (x) and x ^g terms. In other words, not all the P (x) that are intermediate calculation results are multiplied by B _i (x), but only the (m−g) -order or higher terms that require a remainder operation on P (x) are used. It is divided into. Therefore, P (x) is divided into a term (P ₁ (x)) less than the (m−g) order and a term (P ₂ (x)) higher than the (m−g) order.

Then, the (m-g) is computed for the next higher order terms obtained by table reference using M table and calculated results with reference to the T table for processing to apply a B _i (x) to A (x) And the process is executed for all B _i (x) divided every x ^g to obtain a multiplication result.

In other words, Hasan's algorithm can be explained by changing the formula as follows.

As described above, the calculation of A (x) B _i (x) mod F (x) is performed with reference to the T table. The multiplication of the calculation result of the T table and x ^g obtains the calculation result while referring to the M table for the (m−g) th and higher terms that require a remainder operation. The algorithm is executed while repeatedly adding these calculation results.

  However, it is known that Hasan's algorithm exponentially increases the memory size required for each table as the value of the processing unit g increases. Regarding the Hasan algorithm, the memory size required for the M table and the T table can be evaluated by the following equation.

<General case>
M table = (g + d) × 2 ^g
T table = m × g [when 2 ^g <s] or m × 2 ^g [others]
<When m = 160, g = 16, s = 10>
M table = (16 + d) × 2 ¹⁶ , T table = 160 × 2 ¹⁶
<When m = 160, g = 4, s = 40>
M table = (4 + d) × 2 ⁴ , T table = 160 × 4
MA Hasan, “Look-Up Table-Based Large Finite Field Multiplication in Memory Constrained Cryptosystems”, IEEE Transactions on Computers, 2000

As described above, when the processing unit g is increased, the memory size of each table increases exponentially. In particular, the M table requires a large memory amount of (g + d) × 2 ^g bits regardless of input.

  On the other hand, considering the bit size of the CPU in recent years, the operation can be efficiently executed on the computer by increasing the processing unit g.

In addition, when the processing unit g is increased, the number s (= m / g) of B _i (x) decreases, and consequently the number of executions of the For statement of the algorithm decreases. Therefore, the processing unit also from the viewpoint of the algorithm execution efficiency. It is better to increase g.

  Therefore, there is a demand for a multiplication method that can perform multiplication at high speed with a small memory size when the processing unit g is large.

  The present invention has been made in view of the above circumstances, and an object of the present invention is to provide a multiplication apparatus and program capable of performing multiplication at high speed with a small memory size when the processing unit g is large.

The first aspect of the present invention executes multiplication processing on a finite field based on the first input value A (x), the second input value B (x), and the third input value F (x), and the multiplication result A multiplier that outputs P (x) = A (x) B (x) mod F (x) for inputting the input values A (x), B (x), and F (x). input means, the second input value ^{B (x) (= x (} s-1) g B s-1 (x) + x (s-2) g B s-2 (x) + ... + x ig B i ( x) +... + x ^g B ₁ (x) + B ₀ (x)) is divided into processing units g, and s values B _s-1 (x), B _s-2 (x) _,. x),..., B ₁ (x), B ₀ (x), the first input value A (x), the third input value F (x), and the value B _i (x) based on the number s of the calculation of M for each order i of the value _{B i (x) [i]} = a (x) x ig mod F (x) Means for creating a M table of results, a table storage means for storing the M table above created with reference to the M table in the table storage unit, the value B _{i (x)} and the third input value Means for creating a T table composed of calculation results of T [i] = M [i] B _i (x) mod F (x) for each order i of the values B _i (x) based on F (x); , Means for writing the created T table into the table storage means, and all calculation results T [s-1], T [s-2],..., T [i], T table in the table storage means ..., means for calculating the sum of T [1], T [0], and means for outputting the calculation result of the sum as the multiplication result P (x) = A (x) B (x) mod F (x) And a multiplication device.

The second aspect of the present invention executes a multiplication process on a finite field based on the first input value A (x), the second input value B (x), and the third input value F (x), and the multiplication result A multiplier that outputs P (x) = A (x) B (x) mod F (x), wherein the first input value A (x), the third input value F (x), and the first second input value ^{B (x) (= x (} s-1) g B s-1 (x) + x (s-2) g B s-2 (x) + ... + x ig B i (x) + ... + x g Based on the number s of s values B _i (x) obtained by dividing B ₁ (x) + B ₀ (x)) for each processing unit g (where i = s−1, s−2,...). , 1, 0) and M [i] = A (x) ^xig mod F (x) for each order i of the values B _i (x), if this M table is created in advance, this M A table and the input values A (x), B (x), and F (x) are input. Input means because the separated input second input value B (x) to each processing unit g s number of values _{B s-1 (x),} B s-2 (x), ..., B i (X),..., B ₁ (x), B ₀ (x), a table storage unit that stores the input M table, and an M table in the table storage unit, Based on the value B _i (x) and the third input value F (x), T [i] = M [i] B _i (x) mod F (x) for each order i of the value B _i (x). ) For creating a T table comprising the calculation results of (1), a means for writing the created T table into the table storage means, and all the calculation results T [s−1], T for the T table in the table storage means [S-2],..., T [i],..., T [1], T [0] And outputting as a multiplication result P (x) = A (x) B (x) mod F (x), a multiplication device provided with.

  Although the first and second aspects are expressed as devices, the present invention is not limited to devices, and may be expressed as a method, a program, or a computer-readable storage medium storing a program.

In the first and second aspects, the T table is composed of the calculation results of T [i] = M [i] B _i (x) mod F (x). In this case, the T table is composed of the calculation results of T [i] = M [i] B _i (x), and the operation of mod F (x) is P (x) = A (x) B (x) mod It is also possible to further reduce the amount of calculation of mod F (x) by carrying out collectively at the time of calculating F (x). In this case, the flowchart is obtained by removing mod F (x) in step ST13 of FIGS.

(Function)
According to the first aspect, the M table is configured to be independently calculated for each order i depending on the input value A (x), and unlike the conventional case, when the processing unit g is large, Multiplication can be performed at high speed with a small memory size. In the conventional M table, values in all cases are prepared in advance regardless of the input value A (x), and therefore the table size increases exponentially in proportion to the processing unit g.

  According to the second aspect, when one input value A (x) is a fixed value, depending on the input value A (x), an M table calculated in advance independently for each order i is input. Unlike the conventional case, even when one input value is a fixed value, when the processing unit g is large, multiplication can be executed at high speed with a small memory size.

  As described above, according to the present invention, when the processing unit g is large, multiplication can be executed at high speed with a small memory size.

  Each embodiment of the present invention will be described below with reference to the drawings, but before that, an outline of each embodiment will be described.

(Outline of the first embodiment)
In the first embodiment, multiplication is executed as shown in the center column of FIG. That is, when A (x), B (x), and F (x) are input, an M table is created based on M [i] = A (x) ^xig mod F (x) (step 0 ). Note that the M table indicates the calculation result of A (x) ^xig mod F (x) for each order i of values B _i obtained by dividing the input B (x).

Next, a T table is created based on T [i] = M [i] B _i (x) mod F (x) (step 1). Note that the T table shows the calculation result of M [i] B _i (x) mod F (x) for each order i of the values B _i .

Subsequently, 0 is substituted into the calculation result P (x) in the middle (step 2). Furthermore, as a For sentence, the reference result T [i] of the T table for every order i is cumulatively added for all B _i (step 3). Thereafter, the calculation result of P (x) = A (x) B (x) mod F (x) is output.

  From the above, it is possible to provide a multiplication method with a small memory usage when the processing unit g is large.

The algorithm of the first embodiment can be evaluated by the following equation.

In the first embodiment, the M table is created by calculating A (x) ^xig mod F (x) independently for each order i for the input values A (x) and F (x). The memory size of the prepared M table can be reduced, and as a result, the required memory size can be reduced. For example, in the M table, the m-bit calculation result only needs to be of the x ^ig power type, and since the order i is from 0th to s−1th, there are only s m-bit calculation results. . Here, the memory size of the M table is m × s bits. The T table only needs to store the calculation results of the M table and B _i (x), and only s m-bit calculation results are required as in the M table.

On the other hand, the Hasan table reference method, which is a conventional method, recursively reflects high-order calculation results in low-order calculation results, but previously stores M tables including all calculation results within a computable range. Since it needs to be stored, a memory size of (g + d) × 2 ^g bits is required as shown in FIG. Here, d means the second largest degree d in the following polynomial F (x).

M is the degree of the polynomial F (x).

  Regarding the memory size, as shown in FIG. 10, in the first embodiment, when g is small (g <6), the memory size is large, but even if g is large, the memory size only increases in a polynomial manner. . On the other hand, in the Hasan table reference method, when g is small (g <6), the memory size is small, but when g is large (6 <g), the memory size increases exponentially. For example, the memory size when g = 16 is clearly smaller in the first embodiment. The term “memory size” may be read as “memory amount”.

Regarding the amount of calculation, as shown in FIG. 9, the first embodiment needs to create two types of tables, T table and M table, but the memory size of each table is as small as m × s bits. Short table creation time. On the other hand, in the Hasan table reference method, when g = 16, the memory size of the T table is as large as m × 2 ¹⁶ bits, so that the table creation time is longer than that in the first embodiment.

  Regarding the processing time of the For sentence, it is considered that the processing time is almost equivalent between the first embodiment and the Hasan table reference method although the processing contents are different.

  In summary, in the first embodiment, when the processing unit g is increased, the memory size and the calculation amount of table creation increase only in a polynomial manner. On the other hand, in the Hasan table reference method, when the processing unit g is increased, the memory size and the calculation amount of table creation increase exponentially.

  Therefore, in the first embodiment, when the processing unit g is large, multiplication can be executed at high speed with a small memory size.

  Also, in the first embodiment, unlike the Hasan table reference method, the M table is not required after the T table is created, so that the memory size required when executing the For statement can be reduced.

(Outline of the second embodiment)
The second embodiment is a modification of the first embodiment, and performs multiplication at high speed with a small memory size when the processing unit g is large even if one of the input values is a fixed value.

In the second embodiment, multiplication is executed as shown in the right column of FIG. That is, A (x), B (x), F (x), and M table are input. Note that since the input value A (x) is a fixed value, the M table is created in advance based on M [i] = A (x) ^xig mod F (x).

Next, a T table is created based on T [i] = M [i] B _i (x) mod F (x) (step 1). Note that the T table shows the calculation result of M [i] B _i (x) mod F (x) for each order i of the values B _i .

Subsequently, 0 is substituted into the calculation result P (x) in the middle (step 2). Furthermore, as a For sentence, the reference result T [i] of the T table for every order i is cumulatively added for all B _i (step 3). Thereafter, the calculation result of P (x) = A (x) B (x) mod F (x) is output.

  The second embodiment as described above is different from the first embodiment in that the M table creation process (step 0) is omitted and a previously created M table is input. The algorithm after the M table is input is executed in the same way as in the first embodiment.

  At this time, FIG. 11 shows a result of comparing the memory size and the calculation amount between the second embodiment and the Hasan table reference method.

  In the second embodiment, the memory size is the same as that in the first embodiment, but the amount of calculation required for creating the M table is reduced as compared with the first embodiment.

  That is, in the second embodiment, in the same way as the first embodiment, when the processing unit g is increased, the memory size and the calculation amount of table creation increase only in a polynomial manner. Unlike the above embodiment, the calculation amount can be further reduced by the configuration in which one input value is a fixed value. However, in the Hasan table reference method, as described above, when the processing unit g is increased, the memory size and the calculation amount of table creation increase exponentially.

  Therefore, in the second embodiment, even when one input value is a fixed value, if the processing unit g is large, multiplication can be executed at high speed with a small memory size.

  The above is the outline of each embodiment. Next, each embodiment of the present invention will be specifically described.

(Specific configuration of the first embodiment)
FIG. 1 is a schematic diagram showing a configuration of a multiplication apparatus according to the first embodiment of the present invention. The multiplication device 10 executes multiplication processing on a finite field based on the first input value A (x), the second input value B (x), and the third input value F (x), and the multiplication result P (x ) = A (x) B (x) mod F (x) is output.

  Specifically, the multiplication device 10 includes a table storage unit 11, an input / output unit 12, a multiplication device control unit 13, an M table creation unit 14, a T table creation unit 15, and a multiplication execution unit 16.

  Here, the table storage unit 11 is a storage device that can be read / written from each of the units 12 to 16, and stores an M table and a T table as shown in FIG.

Here, the M table is a reference table in which the calculation result of M [i] = A (x) ^xig mod F (x) is associated with each order i of values B _i (x) described later. Here, the values B _i (x) are values B _s-1 (x), B _s-2 (x),..., B obtained by dividing the m-bit input value B (x) for each processing unit g. _i (x),..., B ₁ (x), B ₀ (x). The order i is an arbitrary integer from s−1 to 0.

The T table is a reference table that associates the calculation results of T [i] = M [i] B _i (x) mod F (x) for each order i of the values B _i (x).

  The input / output unit 12 has a data input / output function between the outside and the multiplier control unit 13. For example, each input value A (x), B (x), F (x) is multiplied by the multiplier. It has a function to input to the control unit 13 and a function to output the multiplication result sent from the multiplication device control unit 13.

The multiplication device control unit 13 has a function of transmitting / receiving data to / from the input / output unit 12 and a function of controlling the units 11, 12, and 14 to 16. For example, the operation shown in the flowchart of FIG. In order to execute, the m-bit input value B (x) is divided into processing units g, and s values B _s-1 (x), B _s-2 (x), ..., B _i (x), ..., B ₁ (x), a function of creating B ₀ (x), a function of sending the input values A (x), F (x), and the number s of values B _i to the M table creating unit 14, When a process end notification is received from the M table creation unit 14, a function for sending the values B _i (x) and F (x) to the T table creation unit 15 and a process end notification from the T table creation unit 15 are received. , A function for starting the multiplication execution unit 16 and a multiplication result P (x) = A (x) B (x) mod F (received from the multiplication execution unit 16 ) And a function of outputting to the output unit 12.

M table creation unit 14, an input value received from the multiplication unit controller 13 A (x), F ( x), on the basis of the number s of the value _B i (x), the order of the value _B i (x) i A function of creating an M table composed of the calculation results of M [i] = A (x) ^xig mod F (x) for each and writing it to the table storage unit 11, and after this writing, the multiplication device control unit 13 and a function to notify.

Upon receipt of the values B _i (x) and F (x) from the multiplication device control unit 13, the T table creation unit 15 refers to the M tables in the table storage unit 11 and refers to each B _i (x), F ( Based on x), the table storage unit 11 creates a T table composed of the calculation results of T [i] = M [i] B _i (x) mod F (x) for each order i of the values B _i (x). And a function for notifying the multiplication device control unit 13 of the end of processing.

  When the multiplication execution unit 16 is activated by the multiplication device control unit 13, all the calculation results T [s-1], T [s-2],..., T [i] of the T table in the table storage unit 11 are displayed. ,..., T [1], T [0], a function for calculating the sum, and a multiplication device control unit with the result of the sum as a multiplication result P (x) = A (x) B (x) mod F (x) 13 and the function of outputting to Specifically, when activated, the multiplication execution unit 16 is activated based on the function of substituting 0 for the calculation result P (x) in the middle, the function of initializing the order i to 0, and the current order i. A function of adding the obtained calculation result T [i] to the current calculation result P (x) with reference to the T table in the table storage unit 11 and whether or not the current order i is s-1. If the determination result is negative and the determination result is negative (i ≠ s−1), the current order i is updated by +1 and the process returns to the reference to the T table. As a result of the determination, the order i indicates s−1. In the case (i = s-1), the current calculation result P (x) = T [s-1] + T [s-2] + ... + T [i] + ... + T [1] + T [0] is multiplied by the result P (X) = A (x) B (x) mod F (x) is output to the multiplier control unit 13 and the process is terminated.

  Note that the multiplication device 10 as described above can be implemented with either a hardware configuration or a combination configuration of hardware resources and software. As the software of the combination configuration, a program that is installed in advance in a computer of a corresponding device from a network or a storage medium and that realizes the function of the multiplication device 10 is used. Thus, the fact that the multiplication device 10 can be implemented with a hardware configuration or a configuration using a program is the same in the following embodiments.

  Next, the operation of the multiplication apparatus configured as described above will be described with reference to the flowchart of FIG.

(ST11) In the multiplier 10, the input values A (x), B (x), and F (x) are input to the multiplier controller 13 by the input / output unit 12. The multiplier control unit 13 divides the m-bit input value B (x) for each processing unit g, and s values B _s-1 (x), B _s-2 (x), ..., B _i (x ,..., B ₁ (x), B ₀ (x) are created. Thereafter, the multiplication device control unit 13, the input value A (x), and F (x), and sends the number s of values _{B i} to M table creation unit 14.

(ST12) The M table creation unit 14 sets the values B _i (x) for each order i based on the input values A (x), F (x), the number s of values B _i (x), and the following equation: M table composed of the calculation result of the following formula is created and written in the table storage unit 11.

M [i] = A (x) ^xig mod F (x)
The order i is obtained as all integers (s-1, s-2, ..., i, ..., 1, 0) from s-1 to 0 based on the number s.

  Thereafter, the M table creation unit 14 notifies the multiplication device control unit 13 of the end of processing. The multiplier control unit 13 receives the notification of the end of the process.

(ST13) Subsequently, the multiplier control unit 13 sends the values B _i (x) and F (x) to the T table creation unit 15. The T table creation unit 15 creates a T table based on each B _i (x), F (x) and the following expression while referring to the M table in the table storage unit 11 and stores it in the table storage unit 11. Write.

T [i] = M [i] B _i (x) mod F (x)
Thereafter, the T table creation unit 15 notifies the multiplication device control unit 13 of the end of the process. The multiplier control unit 13 receives the notification of the end of the process.

  (ST14) The multiplication device control unit 13 activates the multiplication execution unit 16. The multiplication execution unit 16 substitutes 0 for the calculation result P (x) on the way.

  (ST15) The multiplication execution unit 16 initializes the order i to 0.

  (ST16) The multiplication execution unit 16 refers to the T table in the table storage unit 11 based on the current order i, and uses the obtained calculation result T [i] as the following calculation result P (x ).

P (x) + = T [i]
(ST17) The multiplication execution unit 16 determines whether or not the current order i is s-1.

  (ST18) When the determination result in step ST17 is negative (i ≠ s−1), the multiplication execution unit 16 updates the current order i by +1, and returns to step ST16.

  (ST19) If the order i indicates s−1 as a result of the determination in step ST17 (i = s−1), the multiplication execution unit 16 determines the current calculation result P (x) = T [s−1] + T [ s−2] +... + T [i] +... + T [1] + T [0] is output to the multiplier control unit 13 as the multiplication result P (x) = A (x) B (x) mod F (x). The process is terminated.

  Note that the total T [s−1] + T [s−2] +... + T [i] +... + T [1] + T [[T] of all the calculation results T [i] (0 ≦ i ≦ s−1) of the T table. 0] corresponds to the multiplication result P (x) = A (x) B (x) mod F (x). That is, P (x) = T [s-1] + T [s-2] + ... + T [i] + ... + T [1] + T [0] = A (x) B (x) mod F (x) It has become.

  As described above, according to the present embodiment, since the M table is calculated independently for each order i depending on the input value A (x), the processing unit g is large unlike the conventional case. In this case, multiplication can be executed at high speed with a small memory size.

In the above description, the T table is composed of the calculation result of T [i] = M [i] B _i (x) mod F (x). The table is composed of the calculation results of T [i] = M [i] B _i (x), and mod F (x) is calculated by P (x) = A (x) B (x) mod F (x) It is also possible to reduce the amount of calculation of mod F (x) by carrying out all at the same time. As shown in FIG. 4, the flowchart in this case is obtained by removing mod F (x) in step ST13 of FIG.

  In this case, steps ST13 and ST19 are executed as the following steps ST13 'and ST19', respectively.

(ST13 ′) The multiplier control unit 13 sends the values B _i (x) and F (x) to the T table creation unit 15. The T table creation unit 15 creates a T table based on each B _i (x), F (x) and the following expression while referring to the M table in the table storage unit 11 and stores it in the table storage unit 11. Write.

T [i] = M [i] B _i (x)
(ST19 ′) As a result of the determination in step ST17, when the order i indicates s−1 (i = s−1), the multiplication execution unit 16 determines the current calculation result P (x) = T [s−1] + T. [S−2] +... + T [i] +... + T [1] + T [0] is subjected to a remainder operation with the input value F (x), and the obtained remainder operation result is multiplied by the multiplication result P (x) = A (x ) B (x) mod F (x) is output to the multiplier control unit 13 and the process is terminated.

  In the case of the operation shown in FIG. 4, the sum T [s−1] + T [s−2] +... + T [i] of all the calculation results T [i] (0 ≦ i ≦ s−1) of the T table. +... + T [1] + T [0] corresponds to a part P (x) ′ = A (x) B (x) of the multiplication result P (x). Therefore, P (x) = P (x) ′ mod F (x) = {T [s−1] + T [s−2] +... + T [i] +... + T [1] + T [0]} mod F (x) = A (x) B (x) mod F (x) was required.

(Specific configuration of the second embodiment)
FIG. 5 is a schematic diagram showing the configuration of the multiplication apparatus according to the second embodiment of the present invention. The same functional units as those in FIG. Mainly stated.

  The second embodiment is a modification of the first embodiment. When one input value A (x) is a fixed value, an M table created in advance is used as input values A (x), B (x), By inputting together with F (x), the M table creation unit 14 is omitted.

  Accordingly, the multiplication device control unit 13a omits the functions related to the M table creation unit 14 as compared with the multiplication device control unit 13 described above.

  Next, the operation of the multiplier configured as described above will be described with reference to the flowchart of FIG. Since this embodiment is a modification of ST11 to ST12 among the above-described steps ST11 to ST19, step ST11a is used instead of the above-described steps ST11 to ST12. That is, steps ST13 to ST59 described above are executed after step ST11a.

First, the M table is created in advance because the input value A (x) is a fixed value. That is, for example, in an external device (not shown), one input value A (x) and F (x) and the other input value B (x) (= x ^{(s-1) g} B _s-1 (x) + x ^{( s-2) g} B _s-2 (x) +... + ^xig B _i (x) +... + x ^g B ₁ (x) + B ₀ (x)) divided into processing units g Based on the number s of B _i (x) (where i = s−1, s−2,..., 1, 0), M [i] = A (for each order i of the value B _i (x). x) ^{Assume that} an M table composed of calculation results of x ^ig mod F (x) is created in advance.

  (ST11a) In the multiplier 10a, the input values A (x), B (x), F (x), and the M table are input to the multiplier controller 13 by the input / output unit 12.

The multiplier control unit 13a writes this M table into the table storage unit 11. Further, the multiplier control unit 13a divides the m-bit input value B (x) for each processing unit g, and obtains the obtained values B _s-1 (x), B _s-2 (x) _,. (X),..., B ₁ (x), B ₀ (x) are created.

  (ST13 to ST19) After the execution of step ST11a, the multiplier 10a executes the processing of steps ST13 to ST19 as described above.

  As described above, according to the present embodiment, the M table calculated in advance independently for each order i depending on the input value A (x) is input. Even if the input value is a fixed value, when the processing unit g is large, multiplication can be executed at high speed with a small memory size.

  Note that the method described in the above embodiment includes a magnetic disk (floppy (registered trademark) disk, hard disk, etc.), an optical disk (CD-ROM, DVD, etc.), a magneto-optical disk (MO) as programs that can be executed by a computer. ), And can be distributed in a storage medium such as a semiconductor memory.

  In addition, as long as the storage medium can store a program and can be read by a computer, the storage format may be any form.

In the above description, the T table is composed of the calculation result of T [i] = M [i] B _i (x) mod F (x). The table is composed of the calculation results of T [i] = M [i] B _i (x), and mod F (x) is calculated by P (x) = A (x) B (x) mod F (x) It is also possible to reduce the amount of calculation of mod F (x) by carrying out all at the same time. As shown in FIG. 7, the flowchart in this case is obtained by removing mod F (x) in step ST13 of FIG. In this case, the multiplying device 10a executes the processes of steps ST13 ′, ST14 to ST18, and ST19 ′ as described above.

  In addition, an OS (operating system) running on a computer based on an instruction of a program installed in the computer from a storage medium, MW (middleware) such as database management software, network software, and the like realize the above-described embodiment. A part of each process may be executed.

  Furthermore, the storage medium in the present invention is not limited to a medium independent of a computer, but also includes a storage medium that downloads and stores or temporarily stores a program transmitted via a LAN, the Internet, or the like.

  Further, the number of storage media is not limited to one, and the case where the processing in the above embodiment is executed from a plurality of media is also included in the storage media in the present invention, and the media configuration may be any configuration.

  The computer according to the present invention executes each process in the above-described embodiment based on a program stored in a storage medium, and is a single device such as a personal computer or a system in which a plurality of devices are connected to a network. Any configuration may be used.

  In addition, the computer in the present invention is not limited to a personal computer, but includes an arithmetic processing device, a microcomputer, and the like included in an information processing device, and is a generic term for devices and devices that can realize the functions of the present invention by a program. .

  Note that the present invention is not limited to the above-described embodiment as it is, and can be embodied by modifying the constituent elements without departing from the scope of the invention in the implementation stage. Moreover, various inventions can be formed by appropriately combining a plurality of constituent elements disclosed in the embodiment. For example, some components may be deleted from all the components shown in the embodiment. Furthermore, you may combine the component covering different embodiment suitably.

It is a block diagram which shows the structure of the multiplication apparatus which concerns on the 1st Embodiment of this invention. It is a schematic diagram for demonstrating the table memory | storage part in the embodiment. It is a flowchart for demonstrating the operation | movement in the embodiment. It is a flowchart for demonstrating the modification of the operation | movement in the embodiment. It is a block diagram which shows the structure of the multiplication apparatus which concerns on the 2nd Embodiment of this invention. It is a flowchart for demonstrating the operation | movement in the embodiment. It is a flowchart for demonstrating the modification of the operation | movement in the embodiment. It is a figure for demonstrating the algorithm of each embodiment of this invention and a conventional method. It is a figure for demonstrating the memory size and calculation amount of the 1st Embodiment of this invention and a conventional method. It is a figure which shows the relationship between memory size and a processing unit between each embodiment of this invention, and the conventional method. It is a figure for demonstrating the memory size and calculation amount of the 2nd Embodiment of this invention and a conventional method.

Explanation of symbols

  DESCRIPTION OF SYMBOLS 10,10a ... Multiplier, 11 ... Table memory | storage part, 12 ... Input-output part, 13, 13a ... Multiplier control part, 14 ... M table creation part, 15 ... T table creation part, 16 ... Multiplication execution part.

Claims (6)

A multiplication process on a finite field is executed based on the first input value A (x), the second input value B (x), and the third input value F (x), and the multiplication result P (x) = A (x) A multiplier that outputs B (x) mod F (x),
Input means for inputting each of the input values A (x), B (x), F (x);
The second input value ^{B (x) (= x (} s-1) g B s-1 (x) + x (s-2) g B s-2 (x) + ... + x ig B i (x) + ... + X ^g B ₁ (x) + B ₀ (x)) for each processing unit g, and s values B _s-1 (x), B _s-2 (x),..., B _i (x),. , B ₁ (x), B ₀ (x),
And the first input value A (x) and the third input value F (x), on the basis of the number s of the value _B i (x), M for each order i of the value _B i (x) [i ] = A (x) ^xig mod F (x) means for creating an M table comprising the calculation results;
Table storage means for storing the created M table;
While referring to the M table in the table storage means, based on the value B _i (x) and the third input value F (x), T [i] = for each order i of the value B _i (x) = T table creating means for creating a T table composed of the calculation results of M [i] B _i (x) mod F (x);
Means for writing the created T table into the table storage means;
Calculate the sum of all the calculation results T [s-1], T [s-2], ..., T [i], ..., T [1], T [0] of the T table in the table storage means. Means,
Output means for outputting the calculation result of the sum as the multiplication result P (x) = A (x) B (x) mod F (x);
A multiplication apparatus comprising: A multiplication process on a finite field is executed based on the first input value A (x), the second input value B (x), and the third input value F (x), and the multiplication result P (x) = A (x) A multiplier that outputs B (x) mod F (x),
The first input value A (x) and the third input value F (x), and the second input value B (x) (= x ^{(s-1) g} B _s-1 (x) + x ^{(s- 2) g} B _s-2 (x) +... + X ^ig B _i (x) +... + X ^g B ₁ (x) + B ₀ (x)) is divided into processing units g and s values B _i are obtained. Based on the number s of (x) (where i = s−1, s−2,..., 1, 0), M [i] = A (x) for each order i of the values B _i (x). When an M table including the calculation result of x ^ig mod F (x) is created in advance, this M table and the input values A (x), B (x), and F (x) are input. Input means;
The input second input value B (x) is divided into processing units g, and s values B _s-1 (x), B _s-2 (x),..., B _i (x),. Means for creating B ₁ (x), B ₀ (x);
Table storage means for storing the input M table;
While referring to the M table in the table storage means, based on the value B _i (x) and the third input value F (x), T [i] = for each order i of the value B _i (x) = T table creating means for creating a T table composed of the calculation results of M [i] B _i (x) mod F (x);
Means for writing the created T table into the table storage means;
Calculate the sum of all the calculation results T [s-1], T [s-2], ..., T [i], ..., T [1], T [0] of the T table in the table storage means. Means,
Output means for outputting the calculation result of the sum as the multiplication result P (x) = A (x) B (x) mod F (x);
A multiplication apparatus comprising: The multiplication apparatus according to claim 1 or 2,
Instead of the T table creation means and the output means,
While referring to the M table in the table storage means, based on the value B _i (x) and the third input value F (x), T [i] = for each order i of the value B _i (x) = Means for creating a T table comprising the calculation results of M [i] B _i (x);
The calculation result of the sum is subjected to a residue operation using the third input value F (x), and the obtained residue operation result is output as the multiplication result P (x) = A (x) B (x) mod F (x). Means to
A multiplication apparatus comprising: Based on the first input value A (x), the second input value B (x), and the third input value F (x), a multiplication process on a finite field is executed and the multiplication result P (x) = A (x) B (x) mod F (x) is a program that is used in a multiplication apparatus that includes table storage means,
The multiplication device;
Input means for inputting each of the input values A (x), B (x), F (x);
The second input value ^{B (x) (= x (} s-1) g B s-1 (x) + x (s-2) g B s-2 (x) + ... + x ig B i (x) + ... + X ^g B ₁ (x) + B ₀ (x)) for each processing unit g, and s values B _s-1 (x), B _s-2 (x),..., B _i (x),. , B ₁ (x), B ₀ (x),
And the first input value A (x) and the third input value F (x), on the basis of the number s of the value _B i (x), M for each order i of the value _B i (x) [i ] = A (x) x ^ig mod F (x) means for creating an M table composed of calculation results;
Means for writing the created M table into the table storage means;
While referring to the M table in the table storage means, based on the value B _i (x) and the third input value F (x), T [i] = for each order i of the value B _i (x) = Means for creating a T table consisting of the calculation results of M [i] B _i (x) mod F (x);
Means for writing the created T table into the table storage means;
The sum of all the calculation results T [s-1], T [s-2], ..., T [i], ..., T [1], T [0] of the T table in the table storage means is calculated. means,
Means for outputting the calculation result of the sum as the multiplication result P (x) = A (x) B (x) mod F (x);
Program to function as. Based on the first input value A (x), the second input value B (x), and the third input value F (x), a multiplication process on a finite field is executed and the multiplication result P (x) = A (x) B (x) mod F (x) is a program that is used in a multiplication apparatus that includes table storage means,
The multiplication device;
The first input value A (x) and the third input value F (x), and the second input value B (x) (= x ^{(s-1) g} B _s-1 (x) + x ^{(s- 2) g} B _s-2 (x) +... + X ^ig B _i (x) +... + X ^g B ₁ (x) + B ₀ (x)) is divided into processing units g and s values B _i are obtained. Based on the number s of (x) (where i = s−1, s−2,..., 1, 0), M [i] = A (x) for each order i of the values B _i (x). When an M table including the calculation result of x ^ig mod F (x) is created in advance, this M table and the input values A (x), B (x), and F (x) are input. Input means,
The input second input value B (x) is divided into processing units g, and s values B _s-1 (x), B _s-2 (x),..., B _i (x),. Means for creating B ₁ (x), B ₀ (x);
Means for writing the inputted M table into the table storage means;
While referring to the M table in the table storage means, based on the value B _i (x) and the third input value F (x), T [i] = for each order i of the value B _i (x) = Means for creating a T table consisting of the calculation results of M [i] B _i (x) mod F (x);
Means for writing the created T table into the table storage means;
Calculate the sum of all the calculation results T [s-1], T [s-2], ..., T [i], ..., T [1], T [0] of the T table in the table storage means. means,
Means for outputting the calculation result of the sum as the multiplication result P (x) = A (x) B (x) mod F (x);
Program to function as. In the program according to claim 4 or 5,
The multiplication device;
Instead of the T table creation means and the output means,
While referring to the M table in the table storage means, based on the value B _i (x) and the third input value F (x), T [i] = for each order i of the value B _i (x) = Means for creating a T table composed of the calculation results of M [i] B _i (x);
The calculation result of the sum is subjected to a residue operation using the third input value F (x), and the obtained residue operation result is output as the multiplication result P (x) = A (x) B (x) mod F (x). Means to
Program to function as.

Images