JP3137599B2 - Circuit for calculating the remainder of B raised to the power of C modulo n - Google Patents

Description

DETAILED DESCRIPTION OF THE INVENTION

[0001]

TECHNICAL FIELD The present invention relates to an RSA (Rives
The present invention relates to an apparatus for processing a t (Shamir and Adelman) encryption system at a high speed, and more particularly to an apparatus for calculating a modulo n modulo B ^C required in an RSA encryption system at a high speed.

[0002]

2. Description of the Related Art To process an RSA encryption system, 51
The following three numbers n, B, about 2 to 1024 bits
For C, a calculation of B ^C (mod n) (1) is required. The value of equation (1) is a prime number where n is greater than B and becomes 1 when C is equal to (n-1). Also, when C is n, it becomes B. That is, it becomes as follows. B ^n-1 ≡1 (mod n) B ⁿ ≡B (mod n) These are known as Fermat's little theorem.

When n is the product of two prime numbers p and q,
Equation (1) becomes 1 when B is relatively prime to (p-1) and (q-1) and C is equal to (p-1). (Q-1). When the remainder after dividing by (p-1). (Q-1) becomes 1, the value of the expression (1) becomes equal to the original value B. That is, it can be factorized into two prime numbers such that n = p · q, and if (B, k) = 1 (note: the greatest common divisor is 1), k
For k = (p−1) · (q−1), B ^k ≡1 (mod n) B ^{k + 1} ≡B (mod n) holds. This is called Euler's theorem. Fermat's little theorem is part of Euler's theorem.

Here, if the following e and d exist, ed ・ 1 (mod k) e can be used as a key for encryption and d as a key for decryption. That is, what is encrypted with e can be decrypted with d. Conversely, it is also possible to decrypt the data encrypted with d with e, so that communication can be performed between the specific two parties while confirming the other party.

[0005] For example, when sending encrypted is a B, B ^e ≡M a (mod n) is calculated, and transmits the M. Then, on the receiving side, M ^d ≡B ^ed ≡B (mod n) is calculated, and B is decoded. However, (B,
e) = 1, (B, d) = 1.

In the process of authentication for confirming the other party, both parties calculate a known X, and the transmitting side calculates X ^d ≡N and transmits N. Then, the receiving side calculates N ^e, and if X can be derived from N ^e ≡X ^ed ≡X, it can be confirmed that communication is being performed with the correct partner. However, (B, e) = 1, (B, d) = 1
It is.

When one such pair of e and d is found,
Each raised to the nth power is also a new key set. Such a pair of keys (em, dm) exists in the order of (p−1) · (q−1), and the number is sufficiently large. Can be allocated. Where n
Is determined, a set of (em, dm) modulo (p-1). (Q-1) = k can be created with the same hardware. That is, ^{e m ≡em (mod k) d} m ≡dm (mod k).

[0008] The RSA encryption system is widely used because encryption and decryption can be performed by the same hardware, reversibility is high, and encryption is difficult to decrypt for those who do not know the key.

Japanese Patent Publication No. 7-86822 discloses an example of an apparatus for actually executing a calculation using such a principle. Here, the following description is prepared. For example, it is immediately apparent that the remainder modulo 8 × 9 is 2. When this calculation is expressed in binary, 1000 ×
This means that the remainder is modulo 0111 of 1001.
When this is simply calculated, first multiplication is performed as shown in FIG. When such a calculation is performed, a 7-bit register is required for multiplication of 4 bits, so that the calculation of a larger number of bits requires a large burden when performed by hardware. Therefore, as shown in FIG.
Take (8) and take the mod of 0111 (0111
Of the two's complement 1001) to obtain 0001. Then, in step 2, 0001 is shifted (doubled) to 0.
010, and the modulo 0111 of 0010 is calculated. Here, since 0010 is smaller than 0111, 00 is used as it is.
10 is the result. In step 3, 0010 is shifted to 0100, and the modulus 0111 of 0100 is calculated. Here, 0100 is smaller than 0111, so 0
100 is the result. In step 4, 0100 is shifted to 1000, a modulo 0111 of 1000 is calculated, and 0001 is obtained as a result. Then, the result 0 of step 1 corresponding to the LSB in which “1” exists in 1001 (9)
001 and the st corresponding to the MSB in which “1” also exists
By adding the result 0001 of ep4, 0010 (2) can be obtained, and the above-described calculation can always be performed using a register of 4 bits (5 bits including an increase in digit). In addition, the result of the shift and the Mod calculation corresponding to the bit position where “1” exists in 1001 (9) is added, but the remainder modulo 7 of 1001 (9) is first obtained (here, 0010). The result is the same (here, 0010) even if the result of the shift and the Mod calculation (here, the result of step 2) corresponding to the bit position where “1” exists in the remainder is added.

[0010] Based on the above points, Japanese Patent Publication No. 7-8682
The apparatus disclosed in Japanese Patent Publication No. 2 will be described with reference to FIG. Here ^Me
Since (mod n) = C is calculated, it will be followed. M is input from the numerical input, and the multiplicand register 1
Is input to The output of this register 1 is
, Where the shift and mod calculations described above are performed. In order to calculate Mod, n is input to the divisor register 2 as a divisor input. However, since subtraction is performed, the 2's complement of n is input. And the remainder arithmetic unit 3
Is output to the multiplicand register 1 via the multiplicand selector 11.
Is input to This process is repeated by the number of M bits.

M is set in a multiplier register 10 via an input register 7, a number register 8, and a multiplier selector 9, and the remainder arithmetic unit 3 corresponding to a bit in which "1" exists from the LSB of M is set. Is input to the accumulated remainder arithmetic unit 4 via the remainder register 12. The accumulated remainder calculator 4 adds the result of the accumulated remainder register 5 to calculate the remainder of n, and stores the result in the accumulated remainder register. This corresponds to the addition processing described at the end of the 8 × 9 (mod 7) example described above. When the above processing is performed for M bits, M × M (mod n) is calculated, and the result is output to the accumulation remainder register 5. If M ² is the desired calculation, the result is input to the output register 13 and the process is terminated.

However, the calculation is normally performed according to the bit of the exponent e input to the exponent register 6. Therefore, for the exponentiation operation, the multiplier selector 9 sequentially responds to each bit output from the most significant bit (MSB) to the least significant bit (LSB) of the exponent register 6 and when its logical value is "0", the exponentiation is performed. The previous power residue value S stored in the remainder register 5 (which is stored in the multiplicand register 1) is set in the multiplier register 10. As a result, S × S (mod n)
Is performed. When the logical value is “1”, first, the previous accumulated remainder value S is set in the multiplier register and S × S
(mod n) is obtained, and then the value M, which is the content of the input register 7, is set in the multiplier register, and ΔS × S (mod n)
× M｝ (mod n) is obtained.

In such a device, the processing can be speeded up for the time being. However, as described in the previous paragraph, the calculation is performed from the MSB of the index e, and the calculation is different between "0" and "1". However, when the operation in this processing is analyzed, there is a disadvantage that the key may be exposed.

[0014]

SUMMARY OF THE INVENTION Accordingly, an object of the present invention is to calculate a remainder modulo B raised to the power of C at a high speed using minimum hardware resources while ensuring the security of a key. It is an object of the present invention to provide a device that performs

Another object is to reduce power consumption.

[0016]

In order to achieve the above object, the present invention calculates the remainder of B modulo n, executes processing for holding the calculation result B1, and calculates the value to be held. A first circuit that repeats a process of calculating a congruent value by modulating n and holding the calculation result, a first register that stores B1 as an initial value, and a bit of a bit at a predetermined position of the first register. When the value is 1, the second circuit that accumulates the calculation result of the first circuit, the second register that stores 1 as an initial value, the C output circuit that outputs C, and the output value of the C output circuit is 1 And a third circuit for accumulating the calculation result of the first circuit when the value of the bit at the predetermined position of the second register is 1. Then, the bits at predetermined positions of the first register and the second register are shifted in the MSB direction from the LSB of the stored value, and when the processing for the MSB of the value stored in the first register is completed,
(A) A value congruent modulo n of the accumulated result of the second circuit is set as a value to be held in the first circuit and stored in the first register. (B) The output of the C output circuit is obtained from the LSB of C to M
(C) If the output value of the C output circuit is 1, a congruent value is stored in the second register by modulating n of the accumulation result of the third circuit. In this way, the second circuit generates B ² , B ⁴ , B ⁸ ,. . Is calculated.
Further, the required exponentiation calculation is performed by the third circuit, and C
If processing is performed on all the C bits output from the output circuit, the final result is stored in the second register.

The first register, the second register, and the C output circuit may be shift registers, or the position of the pointer may be moved by a normal register. In particular, the C output circuit is LFSR (Linear F
eedback Shift Register).

Further, the second circuit may include a circuit for calculating a remainder modulo n of the accumulated value every time the calculation result of the first circuit is accumulated. The same applies to the third circuit.

However, if the value of the bit at the predetermined position of the first register is 0 and the cumulative value of the second circuit is a positive value, the second circuit calculates xn (x is a positive integer) from the cumulative value. If the subtraction is performed and the MSB of the value stored in the first register is processed, it is determined whether or not the cumulative value of the second circuit is a positive value. If it is determined that the cumulative value is positive, the cumulative value is determined. Is subtracted xn until becomes negative, and if it is determined to be negative, y is subtracted until it becomes positive
Alternatively, n (y is a positive integer) may be added. By doing so, the number of mod calculations can be reduced. These can perform the same function by changing the value to be added by one adding circuit.

Also in the case of the third circuit, when the output value of the C output circuit is 1, the value of a bit at a predetermined position of the second register is 0, and the cumulative value of the third circuit is a positive value ,
Xn (x is a positive integer) is subtracted from the accumulated value, and the output value of the C output circuit is 1 and M of the value stored in the second register is obtained.
When the process for SB is completed, it is determined whether or not the cumulative value of the third circuit is a positive value. If it is determined that the cumulative value is positive, xn is subtracted until the cumulative value becomes negative. If it is determined that there is, yn (y is a positive integer) may be added until it becomes positive.

Further, in the processing for calculating the remainder of B modulo n and holding the calculation result B 1, the n register stores n as M
N is shifted in the MSB direction so that the first bit that becomes 1 when viewed from the SB becomes the MSB, and then the shifted value is shifted one bit at a time until the value becomes the same as B in the LSB direction. The values can be sequentially output to the first circuit, and the first circuit can obtain the values by subtracting the shifted values obtained from the registers for B to n if they can be subtracted. This has the advantage that the remainder of B modulo n can be calculated by changing the value input to the adder circuit in the same hardware.

Further, various modifications can be considered for the first circuit. For example, when the value held by the first circuit is positive, a calculation is performed in which the value held is shifted and pn (p is a positive integer) is reduced, and the value held is negative. It is also conceivable to execute a calculation for shifting the held value and adding q · n (q is a positive integer). As described above, by allowing the first circuit to hold not only a positive value but also a negative value, there is an effect that the configuration of the second and third circuits is simplified.

The first circuit includes a first register and a second register.
If the value of the bit at the predetermined position of the register and the output value of the C output circuit are such that the second circuit and the third circuit do not perform accumulation, the value to be held is r bits (r is a positive value). It is also conceivable to calculate a congruent value modulo n). The second and third circuits have periods in which operation is unnecessary depending on the values of the first and second registers and the C output circuit. In order to skip these periods, the number of bits to be shifted in the first circuit is changed, and By changing the value to be subtracted (added value) accordingly,
The processing speed of the entire circuit can be increased.

Further, when r is 2 and the value held by the first circuit is positive, the value held is multiplied by 4 and based on the value held and the value of n, n or 2n or 3n
When the value to be held is negative, the calculation to multiply the held value by 4 and add n or 2n or 3n based on the value to be held and the value of n is performed. It is also possible to do. By doing so, the processing can be speeded up by shifting by 2 bits during an unnecessary period. However, it is necessary to generate 3n.

Further, when r is 1, and the value to be held is positive, the first circuit executes a calculation of doubling the value to be held and subtracting n, and based on the calculation result, It is determined whether or not to further double the calculation result. If the value to be held is negative, a calculation to double the value to be held and add n is performed, and based on the calculation result, the calculation result is calculated. May be determined to be further doubled. This eliminates the need to generate 3n, but reduces the effect of improving the processing speed.

In addition to the modifications described above, numerous modifications can be derived from the embodiments of the present invention described below.

[0027]

DESCRIPTION OF THE PREFERRED EMBODIMENTS First, the basic policy of calculation of the present invention will be described. ^{C of} B ^C (mod n) is represented by a binary number,
Let each bit be written as (c (m-1) ...., c4, c3, c2, c1, c0). That is, numbers are sequentially assigned from 0 to the MSB from the LSB of C. In this case, B ^C
(mod n) can be decomposed as follows. That is, B ^C (mod n) = (B ^{(.., 0,0,0, c0)} (mod n) × B
^{(.., 0,0, c1,0)} (mod n) × B ^{(.., 0, c2,0,0)} (mod n) ×
B ^{(.., 0, c3,0,0,0)} (mod n) × B ^{(.., 0, c4,0,0,0,0)} (m
od n) × .......) (mod n)

Therefore, first, B ^{(.., 0,0,0,1)} (mod n), B
^{(.., 0,0,1,0)} (mod n), B ^{(.., 0,1, 0,0)} (mod n), B
^{(.., 0,1,0,0,0)} (mod n), B ^{(.., 0,1,0,0,0,0)} (mod
n),. . . . Are generated in order. This is called a square calculation.
Then, only the bits corresponding to x in which cx = 1 (x is an integer of 0 or more and the number of bits of C or less) are multiplied by the calculation result of the power of B. This is called exponentiation calculation.

For example, if B ^(1101001) (mod n) is calculated, B ^(0000001) (mod n), B ^{( 0000010)} (mod n),
B ^(0000100) (mod n), B ^(0001000) (mod n), B
^(0010000) (mod n), B ^(0100000) (mod n), B ^(1000000)
(mod n) in order. And B ^(0000001) (mod
When n) and B ^(0001000) (mod n) are generated, they are multiplied, and a remainder modulo n of the result of the multiplication is calculated. This result is defined as S1. And B
^{(0100000) When} (mod n) is generated, multiplication with S1 is performed, and a remainder modulo n of the result of the multiplication is calculated. This result is defined as S2. Furthermore, B ^(1000000) (mod
When n) is generated, multiplication with S2 is performed, and a remainder modulo n of the result of the multiplication is calculated. In this way, B ^{(1101001 )} (mod n) can be calculated.

However, each square calculation and exponentiation calculation is performed by the shift and mod calculations, and the addition and mod calculations described in the section of the prior art. That is, the multiplicand is shifted (doubled) m times the number of bits of the multiplicand (exactly m-1 times as described in the example of the related art), and the remainder is calculated modulo n. Then, the shift and Mod calculation results corresponding to the order in which the bits of the multiplier that are “1” are counted from the LSB are sequentially added, and the remainder modulo n of the result is calculated.

The configuration of the present invention will be described with reference to FIG. The SHIFT & MOD circuit 100 includes a first ADD & M
Connected to OD circuit 110. This SHIFT & MOD
The circuit 100 includes the B to be encrypted or the first ADD.
The output from the & MOD circuit 110 is input. The SHIFT & MOD circuit 100 is connected to an n register 130 in order to obtain n used for Mod calculation. The first ADD & MOD circuit 110 is connected to a first register 120 that is a shift register, and receives the LSB 120a of the first register 120 as an input. First ADD & M to perform Mod calculation
The OD circuit 110 is connected to the register 130 for n.

The SHIFT & MOD circuit 100
The second ADD & MOD circuit 150 is connected. Second
The ADD & MOD circuit 150 includes a shift register C
The LSB is received from the register 140. The circuit 150 is connected to the register 130 for n for mod calculation. The output of the second ADD & MOD circuit 150 is input to a second register 160 which is a shift register. On the contrary, the LSB 160 a of the second register 160 is connected to the second ADD & MOD circuit 1.
50. The initial value of the second register 160 is 1.

Next, the operation of the circuit shown in FIG. 1 will be described. First, B to be encrypted is SHIFT & M
When input to the OD circuit 100, the SHIFT & MOD circuit 100 receives n from the n register
Is calculated modulo n. This result is designated as B11. It should be noted that no shift operation is performed in the first step. This B11 is the first A
The data is output to the first register 120 via the DD & MOD circuit 110.

B11 is input to the first register 120 via the first ADD & MOD circuit 110. 1st ADD &
At this time, the MOD circuit 110 receives and holds the LSB of B11. Then, a bit obtained by removing the LSB from B11 is input to the first register 120. By doing so, the number of bits of the first register 120 can be reduced. However, B11 may be directly input to the first register 120. Also, as described briefly in the section of the prior art, B
This may be input to the first register 120.

As described above, this SHIFT & MO
The first calculation result B11 of the D circuit 100 is SHIFT
& MOD circuit 100, and the first ADD
& MOD circuit 110. 1st ADD & MOD
The circuit 110 first receives the LSB of B11 from the SHIFT & MOD circuit 100 or from the first register 120. If this LSB is "1", the calculation result B11 of the SHIFT & MOD circuit 100 is transferred to the first ADD & MOD circuit 11
Load to 0. That is, the calculation result B11 is simply held. Normally, the addition and the remainder modulo n are calculated, but when the LSB (which may be the output from the LSB 120a) first becomes "1", it is an addition with 0 and the SHI
Since the FT & MOD circuit 100 also calculates the remainder modulo n, it is only necessary to load the remainder. However, addition and n
The solution does not change even if the remainder is calculated modulo. If the LSB of B11 is "0", SHIFT & MOD
The input from the circuit 100 is ignored. For the calculation of the remainder modulo n, the output from the register 130 for n is used, as in the SHIFT & MOD circuit 100.

Next, the SHIFT & MOD circuit 100
The previous calculation result B11 is shifted (doubled), and the remainder modulo n of the result is calculated. This calculation result is defined as B12. This B12 is held in the SHIFT & MOD circuit 100 and output to the first ADD & MOD circuit 110. The first ADD & MOD circuit 110 refers to the value of the LSB 120a of the first register 120. The first register 120 outputs the bit present in the LSB 120a when the LSB of B11 is removed and is input, and shifts one bit when the B11 itself is input and enters the LSB 120a by the shift. Outputs the bit value. The shift direction is a direction from the MSB to the LSB. If the value of the LSB 120a of the first register 120 is "1", B12 is added to the value held in the first ADD & MOD circuit 110. That is, the LSB of B11
Is "1", the calculation results B11 and B12 are added, and B11
If the LSB of is "0", 0 and B12 are added. As described above, when the output of the LSB 120a first becomes "1", it may be simply loaded. Then, a remainder modulo n of the addition result is calculated, and this value is held. If the value of the LSB 120a is "0", nothing is performed.

Then, the SHIFT & MOD circuit 100
Shifts (doubles) the previous calculation result B12 and calculates the remainder of the result modulo n. This calculation result is B13
And This B13 is held in the SHIFT & MOD circuit 100 and output to the first ADD & MOD circuit 110. The first ADD & MOD circuit 110 refers to the value of the LSB 120a of the first register 120. The first register 120 shifts one bit from the previous processing,
The bit value input to the LSB 120a by the shift is output. If the value of the LSB 120a is "1", the value held in the first ADD & MOD circuit 110 is added to B13 to calculate a remainder modulo n. If it is "0", do nothing.

The above processing is performed using B1m (m is the number of bits of B)
Is repeated by the first ADD & MOD circuit. When the processing of B1m is first 1ADD & MOD circuit 110 performs, B ² (mod n) is thus generated. B ² (mod
n) is output to the SHIFT & MOD circuit 100 and is also output to the first register 120. This is B ⁴ (mod
n). However, as described above, when reducing the number of bits of the first register 120,
The LSB of B ² (mod n) is added to the first ADD & MOD circuit 110
And outputs the bit obtained by removing the LSB from B ² (mod n) to the first register 120. In addition, B ²
(mod n) may be output to the first register 120 and held.

SHIFT & M receiving B ² (mod n)
The OD circuit 100 holds the value. This is because the remainder modulo n has already been calculated. Then, the first ADD & MOD circuit 110 outputs the value of the LSB 120 a of the first register 120 or the L of the stored B ² (mod n).
Referring to the value of SB, B ² (mod n) is held (in the case of “1”), or B ² (mod n) is cleared and held in 0 (in the case of “0”). This step is merely performing addition with 0, since modulo n have also been calculated, B ²
You only need to decide whether to keep (mod n) or not. B ² (m
od n) is B21.

Next, the SHIFT & MOD circuit 100
The stored B21 is shifted by one bit (doubled), and the remainder modulo n is calculated. This calculation result B22 is the first ADD
& MOD circuit 110. 1st ADD & MOD
If the circuit 110 holds the value of the LSB 120a of the first register 120 (B ² (mod n) as it is,
If the value after performing the bit shift operation is “1”, the value is added to the value held by the first ADD & MOD circuit 110, and the remainder modulo n is calculated. Then, the result is held. If "0", do nothing and SHI
The output of the FT & MOD circuit 100 is ignored.

Thereafter, the process is repeated until B ⁴ (mod n) is generated, that is, until B 2m is generated and processed (when ignored, the process of ignoring is performed).
Then, B ⁸ (mod n), B ¹⁶ (mod n),. . . Are generated one after another.

Now, the cooperation between the SHIFT & MOD circuit 100 and the second ADD & MOD circuit 150 will be described. 1 is input to the second register 160 as an initial value.
The second ADD & MOD circuit 150 receives the exponent C of B ^C (mod n) stored in the C register 140 as an input from the LSB, and switches the operation. Similarly, the second register 160 outputs a bit from the LSB, and the second ADD & MOD circuit 150 switches the operation according to the value. The above two registers are shift registers and shift bits from the MSB to the LSB.

First, the second ADD & MOD circuit 150
The C LSB is received from the C register 140, and it is determined whether the output from the SHIFT & MOD circuit 100 is to be received and processed m times. That is, the LS of C
If B is "1", m outputs will be received and processed, and if "0", m outputs will not be received. Then, when the LSB of C is “1”, the output of the LSB 160 a of the second register 160 is referred to next.
If the output of the LSB 160a of the second register 160 is "1", the second ADD & MOD circuit 150
The output from the HIFT & MOD circuit 100 is added to the held value (the initial value is 0), and the remainder modulo n is calculated. Then, the calculation result is held. Second register 16
If the output of the 0 LSB 160a is "0", nothing is done. This is repeated for the number of bits of the second register (same as the number of bits of B). When repeating, a second
The register 160 is shifted one bit at a time. However, when the output of the LSB of the C register 140 first becomes “1”, since the second register 160 holds “1” only in the LSB, the first SHIFT & MOD circuit 1
Only the output of 00 simply loads without calculating the addition and the remainder modulo n. Such processing is performed because the second register 160 holds the value of the power at which the bit of C first becomes “1” counted from the LSB. For example, when calculating B ^(1101001) (mod n), B
^This is performed to input ^(0000001) (mod n) to the second register 160.

When the output of the SHIFT & MOD circuit 100 is processed by the second ADD & MOD circuit 150 m times (including the case where the output is not received), the C register 140 shifts the stored bit to the 1-bit LSB side. Then, the second ADD & MOD circuit 150 clears the value held by itself after outputting the calculation result to the second register 160. Then, the second ADD & MOD circuit 15
The value “0” refers to the LSB of the C register 140 to determine whether the bit is “1” or “0”. if,"
If it is "1", the output of the SHIFT & MOD circuit 100 will be received m times from now on, and there will be a possibility of performing addition and calculating the remainder modulo n. The output of the SHIFT & MOD circuit 100 times is not received and ignored.

If the output of the C register 140 is "1", then the second ADD & MOD circuit 150 refers to the LSB 160a of the second register 160, and if the value is "1", performs addition. Calculate the remainder modulo n. Then, the result is held. However, the first process is, as described above, an addition with 0, and the calculation of the remainder modulo n is also performed in the SHIFT & MOD circuit 100.
The value may simply be retained without doing anything. If the LSB 160a of the second register 160 is "0", the second A
The DD & MOD circuit 150 does nothing. This is repeated for the bits of the second register 160 (m times). At this time, the second register 150 stores each SHIFT & MOD circuit 100
Is shifted to the LSB side by 1 bit for each input.

When calculating B ^(1101001) (mod n),
After storing B ^(0000001) (mod n) in the second register 160, the output of the SHIFT & MOD circuit 100 is ignored for 2m times and then the output of the next m times SHIFT & MOD circuit 100 is received, and B ^(0000001) ( With reference to the LSB 160a of the second register 160 (mod n) (which does not always look at the same bit because a shift operation is performed for each process), the addition and the calculation of the remainder modulo n are performed. Do or do nothing. Then, after receiving the output from the m-th SHIFT & MOD circuit 100 and performing the addition and calculating the remainder modulo n or doing nothing, the second ADD
The value held by & MOD circuit 150 is input to second register 160. Then, the second ADD & MOD circuit 1
Clear the value held by 50.

Hereinafter, the LSB value of the second register 160 is similarly referred by referring to the value of the LSB of the C register 140 after the shift operation.
Depending on the value of SB 160a, addition and calculation of the remainder modulo n are performed or nothing is repeated. Then, the m-th second ADD & MOD circuit 150 sets SH
When the output is received from the IFT & MOD circuit 100 and processing is performed, the held value is input to the second register 160, and the held value is cleared. For example, B
^{(1101001) When} calculating (mod n), after the part described above, the output from the SHIFT & MOD circuit 100 is not received m times, the next m times are received, and the value of the LSB 160a of the second register 160 is received. And the result is stored in the second register 160 again. The output from the SHIFT & MOD circuit 100 is received next m times, the processing is performed according to the value of the LSB 160 a of the second register, and the result is input to the second register 160. The processing for this calculation ends here. The final result is stored in the second register 160. That is, the C register 1
If the above operation is repeated until the value stored in 40 is lost by the shift operation, the final result is stored in the second register 16.
Can be obtained within zero.

FIG. 2 shows the details of the SHIFT & MOD circuit 100. The initial input B is to be input to the register 200, and the register 200
It is connected to the D & MOD circuit 110 and the addition circuit 210. The input to this adder circuit 210 is made from the register for n 130, and the output is returned to the register 200. Further, as described above, after the first ADD & MOD circuit 110 executes the processing m times (SHIFT & MOD circuit).
(Including the process of ignoring the output of the circuit 100)
The output of the ADD & MOD circuit 110 is input to the register 200.

Next, the operation of the SHIFT & MOD circuit 100 will be described. The initial input B is input to register 2
00, and the addition circuit 2
It is output to 10. Only when this initial input B is processed, the register for n 130 stores the MS of the held bit.
B is checked, and if "0", 1 bit LSB is shifted from MSB. After this shift operation, the MSB is checked again, and if it is "0", it is shifted to the 1-bit MSB again. In this way, “0” from the MSB to the bit before the bit position where “1” first appears in n is removed. This value is defined as n1. Then, the register for n 130 outputs this n1 to the adding circuit 210. The addition circuit 210
This is a circuit for calculating the remainder modulo n. To calculate the remainder modulo n, add the two's complement of n. Therefore, upon receiving n1 from the register 130 for n, the adding circuit 210 inverts (NOT processing) each bit of n1 and adds 1 and B to the inverted result. As a result of the addition, if a carry occurs, the addition has succeeded, that is, the subtraction has succeeded, and the subtraction result b1 is stored in the register 20.
Enter 0. If no carry occurs, the subtraction fails, that is, n1> B, so B is held in the register 200 as it is.

Next, the register for n 130 sets n1 to LS.
B is shifted by one bit, and the result is added to an adder 210
Output to This value is defined as n2. The addition circuit 210
Receives the value it holds from register 200,
The value (b1 or B), the value obtained by inverting each bit of n2, and 1 are added. If a carry occurs as a result of the addition, the subtraction is successful, and the result b2 of the subtraction is stored in the register 200. If the subtraction fails, the value stored in the register 200 is held.

Such processing is performed by nx (x is a positive integer)
= N, and this is repeated until this n is processed by the adding circuit 210. In this way, B (mod n) can be executed with a small amount of hardware.

An example of the above processing will be described. B = 1000
1, n = 00111, the remainder modulo n is 00
011. First, when n is shifted to the MSB side,
n1 = 1100. The value obtained by inverting each bit of 11100 is 00011. Therefore, 00011 and 0
When 0001 (= 1) and 10001 are added, no carry is generated, so the register 200 stores B = 1000
Hold 1 Next, n1 = 11100 is converted to 1-bit LS
Shift to the B side to obtain n2 = 01110. 0111
The value obtained by inverting each bit of 0 is 10001. Therefore, 10001 and 00001 and 1 from the register 200
When 0001 is added, carry occurs, and 00011
Can be obtained. Therefore, this value is stored in register 200
To be stored. Next, n2 = 0110 is converted to 1-bit LSB.
To obtain n3 = 00111. This n3 is n
When the processing of n3 is completed, n of B
The remainder modulo is calculated. The value obtained by inverting each bit of 00111 is 11000, and 0000 is obtained.
When 1 is added to 00011 stored in the register 200, no carry occurs. Therefore, register 200
Holds the value stored in. Since the process is now completed, 00011 is the remainder of B modulo n, which is consistent with the value shown first, indicating that there is no problem in the above process.

The remainder of B modulo n is B11.
This B11 is composed of the first ADD & MOD circuit 110 and the second A
Output to DD & MOD circuit 150. The processing to be performed next is to shift B11 by one bit to the MSB side (that is, double it) and input the result to the addition circuit 210. Then, the adder circuit 210 outputs the n register 1
N is obtained from 30 and the value obtained by inverting each bit of n and the value obtained by shifting 1 and B11 are added. If a carry occurs, the subtraction is successful and the result of the subtraction is stored in the register 200. If no carry occurs, the value obtained by shifting B11 is stored in the register 200. The value stored in the register 200 is B12. This B12 is the first and second A
Output to DD & MOD circuit. In this shift operation, the register 200 may operate as a shift register, or the addition circuit 210 may receive the value of the register 200 in a form shifted by one bit.

The above processing is repeated until B1m is generated. When the processing of B1m in the first ADD & MOD circuit 110 is completed, the result of the processing is input to the register 200. The register 200 holds the processing result and outputs the result to the second ADD & MOD circuit 150. This processing result is B21. First ADD & MOD circuit 110
Has B21 and may not be processed. And
As described above, B21 is shifted to the MSB side by one bit, and the adder 210 adds the shift result and a value obtained by inverting each bit of 1 and n. If a carry occurs in the addition, the result of the addition is stored in the register 200, and if no carry occurs, the result of the shift is stored in the register 200. This value is B22. This B22 is output to the first and second ADD & MOD circuits. The above processing is repeated until B2m and Bmm are generated.

Next, the details of the first ADD & MOD circuit 110 are shown in FIG. The first ADD & MOD circuit 110 includes an accumulator 250 and a switching circuit 260. Accumulator 250 includes an adder circuit 250a and a register in which the result of the addition is stored. 1st ADD
Since the & MOD circuit 110 performs addition calculation and Mod calculation, the addition circuit 250a has inputs from both the SHIFT & MOD circuit 100 and the register 130 for n. The switching circuit 260 is connected to the adding circuit 250a. The output of the accumulator 250 is the first register 1
20 and the SHIFT & MOD circuit 100.

Next, the operation of this circuit will be described. First S
An initial input B11 is received from the HIFT & MOD circuit.
This B11 may be output to the first register 120 with the LSB removed as described above, or may be output as it is. When the value of the LSB of B11 is 1, the adding circuit 250a adds B11 to the value (here, 0) of a register (not shown). LSB of B11
Is zero, the adding circuit 250a does not operate. Usually, this switching is instructed by switching circuit 260.
However, when the LSB of B11 is output to the first register 120 with the LSB removed, the value of this LSB is used as the output of the switching circuit 260. Otherwise, LSB 120
The switching circuit 260 switches the operation according to the value input via a.

When 0 is stored in the register in the accumulator 250, the input from the SHIFT & MOD circuit 100 has already calculated the remainder modulo n, so that the addition circuit is not operated at all. The switching circuit 260 can also instruct the register in the accumulator 250 to store the received value (when the value of the LSB or LSB 120a of B11 is 1).

When the value of the LSB or LSB 120a of B11 is 1
, Then, the switching circuit 260
a is instructed to use the value from the register 130 for n. The calculation of the remainder modulo n is the addition of two's complement of n as described above, and the addition circuit 250a
n and the value obtained by inverting each bit of n, 1 and the accumulator 25
The value held in the register within 0 is added. As a result of the addition, if a carry occurs, the addition result is stored in a register in accumulator 250; otherwise, the value of the register in accumulator 250 is held.

Further, when B12 is input, the switching circuit 260 refers to the value of the LSB 120a and determines whether or not to hold the accumulator 250. LSB120
If the value of a is 1, the switching circuit 260 instructs to receive B12, and the accumulator 2
Add to the register in 50. After the addition, the switching circuit 2
60 instructs to receive the output from the register for n 130 to calculate the remainder modulo n. Hereinafter, the operation is the same.

B1m is input, and the switching circuit 260 is instructed to execute addition and calculation of the remainder modulo n or to hold the held value. The value held in the register is output to the first register 120 and the SHIFT & MOD circuit 100. At this time, the LSB can be output to the first register 120 in the same manner as when B11 is input, or can be output as it is. Anyway, since the B1m is processed B ² (mod n) is the calculated, if the value of the LSB is 1 the B ² (mod n), held in the register in the accumulator 250 The value is kept without clearing. On the other hand, B ² (mod n)
, The value of the register in the accumulator 250 is cleared. This completes the process for B21.

Then, such processing is repeated until the processing for Bmm. The above configuration is an example, and the input from the register for n 130 needs to be processed before being input to the addition circuit 250a. Therefore, the input may be processed and input by the switching circuit 260 and the like. . When the output of the LSB 120a indicates 0, the switching circuit 260 can also instruct the accumulator 250 not to input the clock or to skip the clock. In this way, power consumption can be reduced.

If the Mod calculation is performed every time the addition is performed, the operation becomes slow. Therefore, a modification can be made so that calculations for the remainder modulo n are collectively performed. Since the accumulator 250 does not operate when the value of the LSB 120a is 0, this time is used. First, the switching circuit 260 confirms that the value of the LSB 120a is 0, and further checks the accumulator 250
Check that the value stored in the register inside is positive. If both conditions are satisfied, for example, 4n
Command to subtract. This subtraction of 4n multiplies the value taken out from the register 130 for n by 4 (2-bit MSB).
Side), inverting each bit of this value, and adding the value resulting from the inversion to 1 and the value of the register in the accumulator 250. The number 4 is arbitrary and can generally be multiplied by a positive integer. However, it is simple if n can be obtained by performing a shift process, so that 2, 4, 8, 16,. . . You should double it. However, if an excessively large value is subtracted, the number of bits of the register in the accumulator increases accordingly. In addition, if a value that is too small is subtracted, the processing must be performed many times, so that power consumption increases. Therefore, B
The size should be determined in consideration of the number of bits and the like. Also, this may be performed when the output of the LSB 120a is 1,
Since the processing is performed after the addition, the processing time is slightly increased as compared with the case where the processing is performed at "0".

After subtracting 4n in this manner, the next LSB
Until the value of the register 120a is 0 and the value of the register in the accumulator 250 becomes positive, only SHIFT & MOD
The output from the circuit 100 may be added (LSB 120
when the value of a is 1). Therefore, the switching circuit 260
Once the subtraction of 4n is performed, it is not instructed to switch the operation to the processing for calculating the remainder modulo n until the above condition is satisfied again. And B1m, B2m, B3
m. . . Is input, and the processing is performed by the accumulator 25.
If 0 is performed (it is also assumed that no processing is performed), the switching circuit 260 checks the value stored in the register in the accumulator 250. That is, if the value stored in the register in the accumulator 250 is a negative value, the switching circuit 260 adds the value of the register from the register for n 130 to the adding circuit 250a until the value becomes positive. Order to do so. If it is positive, the switching circuit 260 commands the subtraction of 4n from the value stored in the register in the accumulator 250. If the result of the subtraction is not negative, 4n is subtracted until the result becomes negative. After becoming negative, the switching circuit 260 instructs the adding circuit 250a to add n until it becomes positive. The value to be added is
Instead of n, it may be yn (y is a positive integer).

Although the processing becomes slightly complicated, this reduces the number of times of calculating the remainder modulo n, so that the overall processing speed is increased and the power consumption is reduced. In addition, since an irregular correction operation is performed at the end, it is difficult to steal a key. However, the number of bits of the register in the accumulator 250 is slightly increased.

From the viewpoint of reducing power consumption, the first register 120 can be devised. In the description above,
The first register 120 is a shift register, and the first ADD &
The shift is performed every time the output of the SHIFT & MOD circuit 100 is input to the MOD circuit 110. However, if the number of bits of the register to be shifted increases, the power consumption increases. Therefore, for example, only 8 bits from the LSB are shifted one bit at a time, and if all these 8 bits have been shifted, the remaining bits are all shifted by 8 bits. Further, when only the 8 bits are shifted from the LSB by one bit at a time and all the 8 bits are shifted, the remaining bits are all shifted by 8 bits, so that the power consumption can be reduced. it can. Note that the second register 160 and the C register 140 can have the same configuration.
Note that 8 bits is arbitrary and generally 2 bits
These are the above integer bits. However, if the value is too small, the effect is reduced.

Next, the details of the second ADD & MOD circuit 150 are shown in FIG. Basic configuration is 1st ADD & MOD
The circuit is similar to the circuit 110 except that the LSB of C is input from the C register 140 to the switching circuit 310. As described above, the second ADD & MOD circuit 15
This is because “0” switches the processing according to the LSB of C from the C register 140. That is, if the LSB (including the shifted LSB) of C is 0,
Second ADD & MO from SHIFT & MOD circuit 100
The input to the D circuit 150 is not processed m times, and 1
Then, the input from the SHIFT & MOD circuit 100 is processed m times. After that, it is determined whether the addition and the Mod calculation are actually performed according to the value of the LSB 160a.

Also, as in the first ADD & MOD circuit 110, B1m, B2m, B3m,. . SHIFT &
There is no feedback to the MOD circuit 100. Further, B1m, B2m, B3m,. . After outputting the processing result to the second register 160, the value of the register (not shown) in the accumulator 300 is always cleared. Further, the initial value B11 is not input to the second register 160. This is because the initial value has already been given to the second register 160. Subsequent operation is the first
And the second ADD & MOD circuit does not differ.

Here, accumulator 300 does not operate at all according to the value of LSB of register 140 for C. In such a case, switching circuit 310 stops the clock input to accumulator 300 to save extra time. Power consumption can be prevented.

The SHIFT & MOD circuit 100 may be modified. In the example described above, in a normal cycle, n is subtracted (added by -n) after one bit shift, and if the value is positive, the value after n is stored and negative is stored. If so, the result of the 1-bit shift has been stored. This processing is represented by simple pseudo code as follows. Here, DB is the value of the register 200. Since n in the RSA operation is an odd number, DB = 0 does not hold, and the actual DB range is 0 <DB <n.

On the other hand, in this case, positive and negative values are allowed for DB, and the value is within the range of -n ≦ DB <n. That is, the calculation represented by the following pseudo code is performed by SHIF
The T & MOD circuit 100 is modified to execute. However, since n is an odd number, actually -n <DB <n.

This eliminates the need to determine the result of 2DB-n and store 2DB-n or 2DB in the register 200 as in the above-described embodiment. The addition or the subtraction can be determined in advance. Therefore, the processing speed is increased.
Further, in the above embodiment, the first and second ADD & MOD circuits unilaterally add a positive number (DB). Therefore, it is necessary to perform a correction such as reducing n each time the addition is performed or appropriately reducing 4n. there were. On the other hand, in this modification, the DB alternates between a positive value and a negative value. Therefore, even if the correction is not performed as it is, the value is almost close to a desired value after the calculation is completed. Therefore,
This eliminates the need for performing a correction operation on the way, thereby reducing power consumption and increasing the processing speed of the first and second ADD & MOD circuits.

When the correction of -4n is performed, 2 of n is used.
Although bit shift wiring is required, this wiring is not required, and the effect of simplifying the configuration of the adder circuit is also achieved. In addition, since the parasitic capacitance can be reduced depending on the circuit layout, a higher speed can be expected.

In the above embodiment, the SHIFT & MOD circuit 100 always performs 2DB (mod n) calculation. However, the first ADD & MOD circuit 110 outputs 2DB (mo) only when the LSB 120a of the first register 120 is 1.
dn), and the second ADD & MOD circuit 150 determines that the LSB of the C register 140 is 1 and the second register 16
Since 2DB (mod n) is added only when the LSB 160a of 0 is 1, there is also a case where both the first and second ADD & MOD circuits do not add. Therefore, when the addition is not performed in this way, it is not necessary to calculate 2DB (mod n). If this calculation is skipped and 4DB (mod n) is calculated, the number of clocks required for the calculation is reduced. Can be reduced. SHIFT & MOD circuit 100 is 4D
The conditions under which B (mod n) may be calculated are described below. (1) When the LSB of the C register 140 is 0,
When the LSB 120a of the register 120 is 0. (2) Although the LSB of the C register 140 is 1, the first
The case where the LSB 120a of the register 120 is 0 and the LSB 160a of the second register 160 is also 0. The probability that such a condition will occur is about 30%, and the processing speeds up accordingly.

Then, when calculating 4DB (mod n), S
The processing of the HIFT & MOD circuit 100 will be described.
Note that the range of DB is -n ≦ DB <n. Also, DB
Is a signed binary number, so if the leading sign bit is 0, it is a positive or 0 number, and if it is 1, it is a negative number. Since n can only take a positive value, there is no sign bit. Therefore, S
The HIFT & MOD circuit 100 performs the calculations shown in the table below.

[Table 1] (A) shows the case where DB is positive or 0, and (b) shows the case where DB is negative. The row of DB in Table 1 shows the case of the value of the first 4 bits (including the sign bit) of DB, and n
Indicates the case of the value of the first two bits (substantially the case of the value of the second bit). In Table 1, x is 0
Or 1.

By performing such processing, D
B is in the range of -n ≦ DB <n, and the first and second
A period during which the ADD & MOD circuit does not operate can be omitted. Heretofore, B, C and n are, for example, 102
It has been shown that each register has 4 bits and the number of bits corresponding to each register. However, if the number of bits of the input data is less than the register length, the data is usually packed from the LSB side and stored in the register, so that it is not possible to determine the type of operation by inspecting several bits from the MSB as shown in Table 1. Therefore, in such a case, the data is packed from the MSB side, and 0 is filled in the surplus LSB side. Assuming that the number of the padded zeros is q, such a method of padding the value into the register means that the operation is performed on a method multiplied by ^2q . In this case, dividing by ^2q at the end does not change the result. For example, 8 (m
od 3) = 2, but 800 (mod 300) = 200 and 1
If it is 1/100, it becomes 2 and it can be seen that this logic is correct.

When the data is stored in the register from the LSB side, the sign of the DB is switched between positive and negative, so that the extra bits on the MSB side are inverted from '000 ...' and '111 ...'. repeat. On the other hand, when the data is packed and stored in the register from the MSB side, the extra bits on the LSB side are '... 0
It does not reverse from 00 ', which leads to a reduction in power consumption. As described above, the first 4 bits of the DB and 2 from the top of n
The operation content can be determined by referring to the five bits in total.

In some cases, instead of calculating 4DB, 6
While it may be possible to calculate DB (3 bit shift) and 8DB (4 bit shift),
Just as 3n is required when performing a 2-bit shift, 5n, 6n, 7n, 8n, 9n, 10n, etc. are required, which is not very practical.

Further, it is possible to modify the calculation method of Table 1. In Table 1, since 3n is required, the modification is not used. That is, the processing indicated by the following pseudo code is performed by the SHIFT & MOD circuit 100. '000xxx' or '111xxx' means that the upper 3 bits of the calculation result are checked. In this condition, the value finally stored in the register 200 is [-n, n).
Is the condition of whether or not it falls within the range. If you enter this range,
It can be further doubled, otherwise it cannot be doubled and 2DB-n is stored. It is considered that the effect of performing such processing is about 10%.

The addition circuit used in the present invention handles a long bit length at high speed. When connecting 1024 stages of full adders, for example, it takes about 1 μsec only by the gate delay, and the operation speed is limited to 1 MHz. When the two values to be added are separated as 1, 2, 3, 4,..., 44, 45, and the addition is completed in the separated sections, and then corrected by 1 incrementer to the correct value, the full adders are arranged. With a circuit size slightly more than twice as large as that of the circuit, an operating speed of about 20 times can be obtained with 1024 bits. The total number of bits is 1. . . N is added, so 0.5
If N (N + 1)> 1024 is divided, an adder can be formed with N stages of gate delays. That is, in the case of 512 bits, the adder has 32 stages of delay and 1
34 steps delay with 2 delays by incrementer, 102
In the case of 4 bits, there is a 45-stage delay, and in the case of 2048 bits, there is a 66-stage delay. This technique is described, for example, in Information Processing Vol. 37, No. 1, p80-85, published by the Information Processing Society of Japan, January 1996.

In this way, a simple and fast B ^C
A circuit for calculating (mod n) can be configured. However, you must ensure that your secret key is not stolen. For this purpose, the chip on which the circuit is mounted is destroyed when dissected, and the ABI
Use ST (Automatic Built In Self Test) to make the circuit highly testable and difficult to read, or take measures such as making the operation of the circuit unstable when analyzing by lowering the operating frequency using a dynamic latch. Should. Further, it is more effective to scramble the secret key by LSFR or the like. In this case, a circuit (LFSR) for generating C is required instead of being stored in the register for C.

The circuit described above is used as a part of an encryption system as described in the section of the prior art. For example, as shown in FIG.
100 and the decoding device 1200 can be easily constructed. This network 1000
May be connected to another encryption / decryption device. R
According to the SA encryption method, in the encryption device 1100, the message M is converted into C = ^Me (mod n) using the public key e of the decryption device 1200. The circuit described above is very useful for this process. And the encryption device 110
0 transmits C to the decryption device 1200 via the network 1000. In the decryption device 1200, the decryption device 120
With a secret key d of 0, M = C ^d (mod n) is calculated. The circuit described above is also very useful in this process. Note that the encryption method is not limited to RSA.
It can be used in many public key cryptosystems such as the Gamal system. Furthermore, B ^C (mond n) is also used for electronic signatures.
May be required and the circuit is still useful.

[0082]

As described above, it is possible to provide a device for calculating the remainder of B raised to the power of C at a high speed with minimum hardware resources while ensuring the security of the key.

[Brief description of the drawings]

FIG. 1 is a block diagram of the present invention.

FIG. 2 is a block diagram showing details of a SHIFT & MOD circuit 100;

FIG. 3 is a block diagram showing details of a first ADD & MDO circuit 110;

FIG. 4 is a block diagram showing details of a second ADD & MOD circuit 150;

FIG. 5 is a diagram for explaining multiplication of binary numbers.

FIG. 6 is a diagram for explaining binary multiplication;

FIG. 7 is a block diagram of a cryptographic system.

FIG. 8 is a diagram for explaining a conventional technique.

[Explanation of symbols]

 REFERENCE SIGNS LIST 100 SHIFT & MOD circuit 110 First ADD & MOD circuit 120 First register 130 Register for n 140 Register for C 150 Second ADD & MOD circuit 160 Second register 1000 Network 1100 Encryption device 1200 Decryption device

──────────────────────────────────────────────────の Continued on the front page (72) Inventor Satoru Sato 1623-14 Shimotsuruma, Yamato-shi, Kanagawa Prefecture IBM Japan, Ltd.Tokyo Basic Research Laboratory (72) Inventor Hideto Niijima Shimotsuruma, Yamato-shi, Kanagawa 1623-14 IBM Japan, Ltd. Tokyo Research Laboratory (56) References JP-A-2-12290 (JP, A) JP-A-1-302288 (JP, A) JP-A-56-42852 ( JP, A) (58) Fields investigated (Int. Cl. ⁷ , DB name) G06F 7/72 G09C 1/00 620 G09C 1/00 650

Claims (17)

(57) [Claims] 1. A circuit for calculating a remainder of B raised to the power of C modulo n, performing a process of calculating the remainder of B raised to n modulo and holding the calculation result B1. A first circuit for repeating a process of shifting a value and calculating a congruent value modulo n and holding the calculation result; a first register for storing B1 as an initial value; and a predetermined position of the first register A second circuit for accumulating the calculation result of the first circuit; a second register for storing 1 as an initial value; a C output circuit for outputting C; A third circuit that accumulates the calculation result of the first circuit when an output value of the first register is 1 and a value of a bit at a predetermined position of the second register is 1. The bit at the predetermined position of the second register is the LSB of the stored value. In the MSB direction, and when the processing for the MSB of the value stored in the first register is completed, (a) a value which is congruent modulo n of the accumulation result of the second circuit is set to the first value. Storing in the first register the value to be held in the circuit, and (b)
The output of the C output circuit changes from the LSB of C to a value shifted in the MSB direction. (C) If the output value of the C output circuit is 1, the output of the C output circuit is combined modulo n of the cumulative result of the third circuit. A circuit for calculating a remainder modulo n of B raised to the power of C, wherein the remainder is stored in the second register. 2. The circuit according to claim 1, wherein said first register is a shift register. 3. The circuit according to claim 1, wherein said second register is a shift register. 4. The circuit according to claim 1, wherein said C output circuit is a shift register. 5. The circuit according to claim 1, wherein said second circuit includes a circuit for calculating a remainder modulo n each time the calculation result of said first circuit is accumulated. A circuit for calculating the remainder modulo n. 6. The C-th power of B according to claim 1, wherein said third circuit includes a circuit for calculating a remainder modulo n each time the calculation result of said first circuit is accumulated. A circuit for calculating the remainder modulo n. 7. When the value of a bit at a predetermined position of the first register is 0 and the cumulative value of the second circuit is a positive value, the second circuit calculates xn (x 2. The circuit for calculating a remainder modulo n of B raised to the power of C according to claim 1, wherein subtraction is performed. 8. When the second circuit finishes processing on the MSB of the value stored in the first register, the second circuit determines whether or not the accumulated value of the second circuit is a positive value. If it is determined, xn is subtracted until the accumulated value becomes negative. If it is determined that the accumulated value is negative, yn (y
8. The circuit for calculating a remainder modulo n of B raised to the power of C according to claim 7, wherein the sum is a positive integer. 9. The third circuit, wherein the output value of the C output circuit is 1, the value of a bit at a predetermined position of the second register is 0, and the accumulated value of the third circuit is positive. 2. The circuit according to claim 1, wherein xn (x is a positive integer) is subtracted from the accumulated value if the value is the value of (b). 10. When the output of the C output circuit is 1 and the process for the MSB of the value stored in the second register is completed, the third circuit calculates the accumulated value of the third circuit. It is determined whether or not the value is a positive value. If the value is determined to be positive, a circuit for subtracting xn until the accumulated value becomes negative. yn (y
10. The circuit for calculating a remainder modulo n of B raised to the power of C according to claim 9, wherein n is a positive integer. 11. An n-register for storing n, wherein a remainder of said B modulo n is calculated, and said calculation result B
In the process of holding 1, the register for n shifts n in the MSB direction so that the first bit that becomes 1 when viewed from the MSB is the MSB, and then shifts the shifted value in the LSB direction. Is shifted one bit at a time until it becomes the same as above, and each shifted value is sequentially output to the first circuit. If the first circuit can subtract each shifted value obtained from B from the n register, 2. The circuit for calculating a remainder modulo n of B raised to the power C according to claim 1, wherein the subtraction is performed. 12. The first circuit, if the value to be held is positive, shifts the value to be held and performs a calculation to reduce pn (p is a positive integer), 2. The method according to claim 1, further comprising, when the value to be calculated is negative, performing a calculation of shifting the held value and adding q · n (q is a positive integer). n
A circuit that calculates the remainder modulo. 13. The first circuit, the second circuit and the third circuit accumulate a value of a bit at a predetermined position of the first register and the second register and an output value of the C output circuit. If the value is not to be stored, the value to be held is r bits (r is a positive integer)
2. The circuit for calculating the remainder of a B raised to the power of C modulo n according to claim 1, wherein congruent values are calculated modulo n. 14. The r is 2, and when the value held by the first circuit is positive, the value held by the first circuit is multiplied by 4 and based on the value of the held value and the value of n. n or 2
When the value to be retained is negative, the value to be retained is multiplied by 4 and n or 2 is calculated based on the value to be retained and the value of n.
The circuit for calculating a remainder of modulating B to the power of C according to claim 13, wherein the circuit performs a calculation for adding n or 3n. 15. The r is 1, and the first circuit executes, when the held value is positive, a calculation of doubling the held value and subtracting n. Based on the result, it is determined whether or not the calculation result is further doubled. If the held value is negative, the calculation is performed by doubling the held value and adding n. 14. The circuit for calculating the remainder of modulating B to the power of C according to claim 13, wherein it is determined whether or not the calculation result is further doubled based on the following equation. 16. A cryptographic device, comprising: calculating a remainder of B modulo n, executing a process of retaining the computation result B1, shifting a retained value, and congruent modulo n. A first circuit that repeats a process of calculating the value and holding a result of the calculation, a first register that stores B1 as an initial value, and a first register that stores a value of 1 at a predetermined position of the first register. A second circuit for accumulating a calculation result of the circuit, a second register for storing 1 as an initial value, a C output circuit for outputting C, and an output value of the C output circuit being 1, wherein the second register A third circuit for accumulating the calculation result of the first circuit when a value of a bit at a predetermined position of the first register is 1, and a bit at a predetermined position of the first register and the second register is a stored value. From the LSB to the MSB direction, When the processing for the MSB of the value stored in the first register is completed, (a) a value which is congruent modulo n of the accumulation result of the second circuit is set as the value to be held in the first circuit; Storing in the first register, (b)
The output of the C output circuit changes from the LSB of C to a value shifted in the MSB direction. (C) If the output value of the C output circuit is 1, the output of the C output circuit is combined modulo n of the cumulative result of the third circuit. A cryptographic apparatus having a circuit for calculating a remainder modulo n of B raised to the power of C, which stores a proper value in the second register. 17. A network system including an encryption device and a decryption device, wherein at least one of the encryption device and the decryption device calculates a remainder of B modulo n and holds the calculation result B1. A first circuit for executing processing, shifting a value to be held, calculating a congruent value modulo n, and repeating the process of holding the calculation result; a first register for storing B1 as an initial value; When the value of a bit at a predetermined position of the first register is 1, a second circuit that accumulates the calculation result of the first circuit, a second register that stores 1 as an initial value, and a C output that outputs C And a third circuit that accumulates a calculation result of the first circuit when an output value of the C output circuit is 1 and a value of a bit at a predetermined position of the second register is 1. The first register and And the bit at a predetermined position of the second register is shifted in the MSB direction from the LSB of the stored value, and when the processing for the MSB of the value stored in the first register is completed, (a) the second (B) storing a value that is congruent modulo n of the accumulated result of the circuit as the held value in the first circuit and in the first register;
The output of the C output circuit changes from the LSB of C to a value shifted in the MSB direction. (C) If the output value of the C output circuit is 1, the output of the C output circuit is combined modulo n of the cumulative result of the third circuit. A network for calculating a remainder modulo n of B raised to the power of C, storing the value in the second register.