JP5127241B2 - Residue calculation device and residue calculation method - Google Patents

Description

  The present invention relates to a residue calculation device and a residue calculation method. The present invention particularly relates to a multiple length arithmetic unit and a control method (processing method) thereof in a remainder arithmetic apparatus.

  Currently, RSA (registered trademark) (Rivest, Shamir, Adleman) public key cryptosystem (hereinafter referred to as “RSA cipher”) is used in electronic commerce and network communication. The RSA cipher requires a power-residue calculation process. In general, it is known that the remainder calculation to be used in the RSA encryption takes a very long processing time because the data to be calculated has a large size such as 512 bits or 1024 bits.

  As a calculation method for efficiently performing power-residue calculation on hardware, P.I. L. An algorithm called Montgomery multiplication proposed by Montgomery is generally known. In this Montgomery multiplication, the division processing necessary for the remainder operation can be replaced with a bit shift. Non-Patent Document 1 discloses an algorithm for efficiently calculating Montgomery multiplication even when a circuit has latency. The Montgomery multiplication algorithm described in Non-Patent Document 1 will be described below.

As a conventional method using the Montgomery multiplication hardware, Non-Patent Document 1 discloses a configuration example using a 4-2 adder. Further, in Non-Patent Document 2, a systolic array having an arithmetic unit composed of a RAM (Random, Access, and Memory) of an FPGA (Field, Programmable, Gate, and Array) and an adder as a basic structural unit. The configuration is shown. Non-Patent Document 3 shows a configuration of a systolic array using an FPGA built-in multiplier. As an FPGA, for example, there is one as shown in Non-Patent Document 4.
H. Orup, “Simplicating Quotient Determination in High-Radix Modular Multiplication”, Proc. of the 12th Symposium on Computer Arithmetic, 1995 T.A. Blum, C.I. Paar, “High-Radix Modular Modular Exponentialation on Reconfigurable Hardware”, IEEE Transactions on Computers, Vol. 50, no. 7, pp. 759-764, July 2001 S. H. Tang, K.K. S. Tsui, P .; H. W. Leong, “Modular Exponentializing Parallel Multipliers”, Proceedings. 2003 IEEE International Conference on Field-Programmable Technology (FPT), pp. 52-59, December 2003 Xilinx, Inc. "Virtex-4 User Guide", September 12, 2005, Internet <URL: http: // direct. xilinx. com / bvdocs / userguides / j_ug070. pdf>

  Various functions have been expanded in recent FPGAs. For example, in general, a dedicated circuit for performing multiplication processing of multiple-length data at high speed is pre-installed, and thus a device that efficiently performs multiplication processing can be easily realized using these circuits. Can do. Also, for example, there are some in which a plurality of basic elements of a DSP (Digital / Signal / Processor) which are generally widely used in processing of voices and images are incorporated, such as an FPGA of Non-Patent Document 4. Since the conventional method based on the hardware of Montgomery multiplication as described above is not configured assuming such a function expansion of the FPGA, even if the conventional method is simply implemented in the function-extended FPGA, the FPGA has it. There was a problem that the function could not be fully extracted.

  The present invention enables a high-speed operation with fewer circuit resources by adopting a circuit configuration and processing method adapted to the function expansion of the FPGA in the cryptographic processing circuit that performs the cryptographic operation by performing the remainder operation, The purpose is to increase the versatility of the circuit.

A remainder calculation apparatus according to one aspect of the present invention is provided.
The remainder for obtaining the result of the Montgomery multiplication based on the addition result of the multiplication result of A and B, the multiplication result of M and Q, and the intermediate result S, where the multiplicand is A, the multiplier is B, the modulus is M, and the intermediate value is Q. In the arithmetic unit,
A multiple length multiplication unit that performs multiplication processing of A and B and multiplication processing of M and Q by a multiplier at an operation frequency that is twice the predetermined operation frequency, and outputs each multiplication result;
A multiple length addition unit that performs addition processing of two multiplication results output by the multiple length multiplication unit and S at the predetermined operating frequency with a plurality of adders, and outputs the addition result for each adder When,
A remainder calculation unit that obtains a result of Montgomery multiplication by concatenating the addition results for each adder output by the multiple length addition unit ;
The multiple length multiplication unit performs multiplication processing of a predetermined bit length in each cycle of the double operating frequency,
The multiple length adder performs an addition process of a length twice the predetermined bit length in each cycle of the predetermined operating frequency .

According to one aspect of the present invention, the multiplicand is A, the multiplier is B, the modulus is M, the intermediate value is Q, and the multiplication result of A and B, the multiplication result of M and Q, and the intermediate result S are added. Based on this, in the remainder arithmetic unit that obtains the result of the Montgomery multiplication, the multiple length multiplication unit multiplies the A and B multiplication processes and the M and Q multiplication processes at an operating frequency that is twice the predetermined operating frequency. performed in a vessel, and outputs the respective multiplication results, multiple length adder portion, wherein at a predetermined operating frequency, said multiple length multiplied two output by the unit multiplication result S and adding process multiple of An adder outputs an addition result for each adder, and a remainder calculation unit concatenates the addition results for each adder output by the multiple-length adder to obtain a Montgomery multiplication result , In a cryptographic processing circuit that performs computation and processes cryptographic algorithms It enables high-speed operation with less circuit resource, further improves the versatility of the circuit.

  Hereinafter, embodiments of the present invention will be described with reference to the drawings.

Embodiment 1 FIG.
The cryptographic processing circuit according to the present embodiment realizes high-speed processing and circuit miniaturization, in particular, by effectively utilizing FPGA resources in order to perform a remainder operation and process cryptographic algorithms. is there.

  FIG. 1 is a block diagram illustrating a configuration of a security chip 101 using an FPGA as an example of a device using the cryptographic processing circuit according to the present embodiment. The security chip 101 is incorporated in a communication device such as a small terminal such as a mobile phone, an IC (Integrated Circuit) card, or an IC card reader / writer, or a network router, and used for encryption processing of communication data.

  In FIG. 1, a security chip 101 includes a CPU 102 (Central Processing Unit), an internal memory 103, an external interface 104, and a cryptographic processing circuit memory 105, which are connected by a bus 106. The security chip 101 also includes a Montgomery multiplication circuit 201 as an encryption processing circuit according to the present embodiment.

  The CPU 102 is a processor (processing device) that executes a program for controlling input / output with respect to the Montgomery multiplication circuit 201, reading / writing data in the internal memory 103, communicating with an external device via the external interface 104, and the like. The internal memory 103 includes a RAM (Random / Access / Memory) used as a work area of the CPU 102 and a ROM (Read / Only / Memory) for storing various programs and setting parameters, and is one of the functions of the FPGA. It is assumed to be implemented with some built-in memory. The external interface 104 is various interfaces such as serial communication and LAN (local area network), and inputs / outputs data processed by the Montgomery multiplication circuit 201 to the security chip 101. The cryptographic processing circuit memory 105 is used as an interface between the Montgomery multiplication circuit 201 and the bus 106.

  The Montgomery multiplication circuit 201 is an example of a remainder calculation device. The Montgomery multiplication circuit 201 makes it possible to perform more efficient calculation than the conventional method by utilizing the functions and characteristics of the FPGA for encryption processing using Montgomery multiplication. Details of the Montgomery multiplication circuit 201 will be described below.

  First, an algorithm implemented in the Montgomery multiplication circuit 201 is shown below. The following algorithm is an improvement of the Montgomery multiplication algorithm described in Non-Patent Document 1 in consideration of the functions and characteristics of the FPGA.

  In the pseudo code of the above algorithm, “|” means bit concatenation. Further, carry_k means an intermediate value of k bits and carry_1 means 1 bit. The variables p [i] [j], u [i] [j], v [i] [j], and s [i] [j] are each set to k bits, and the initial value is 0.

  The pseudo code is characterized in that the multiplication process is divided into two multiplication processes every k bits, a multiple multiplication process (1), and a multiple multiplication process (2), and the addition process is performed every 2 k bits. Are divided into two addition processing, multiple length addition processing (1), and multiple length addition processing (2). As another feature, in the multiple length multiplication process (2), the q derivation process can be performed at high speed by changing the process only when j = 0. These reasons and details will be described later.

  FIG. 2 is a block diagram showing the configuration of the Montgomery multiplication circuit 201. The entire pseudo code described above is processed by the entire Montgomery multiplication circuit 201 shown in FIG.

  In FIG. 2, the Montgomery multiplication circuit 201 includes four types of arithmetic circuits: an arithmetic circuit A301, an arithmetic circuit B401, an arithmetic circuit C501, and an arithmetic circuit D601. The arithmetic circuit A301 and the arithmetic circuit D601 are an example of a multiple length multiplication unit, and are arithmetic circuits that perform multiple length multiplication processing (1) and multiple length multiplication processing (2) of pseudo code. The arithmetic circuit B401 and the arithmetic circuit C501 are examples of a multiple length multiplication unit, and are arithmetic circuits that sequentially perform multiple length addition processing (1) and multiple length addition processing (2) of pseudo code. Before describing the overall configuration and operation of the Montgomery multiplication circuit 201, each type of arithmetic circuit will be described first.

  FIG. 3 is a block diagram illustrating an example of the configuration of the arithmetic circuit A301.

  The arithmetic circuit A301 shown in FIG. 3 includes j = 0 to j = (2t−1) among the loop processes in the multiple-precision multiplication process (1) and the multiple-precision multiplication process (2) of the pseudo code described above. The process is performed. The processing of the arithmetic circuit A301 can be expressed by the following pseudo code (hereinafter referred to as “pseudo code A”).

  Here, the correspondence between the pseudo code A and each part of the arithmetic circuit A301 will be described.

  First, a [j] and a [j + 1] of pseudo code A or m [j] and m [j + 1] are simultaneously input from the input port 302. Therefore, the input port 302 has a 2k bit bus width. Further, b [i] of pseudo code A is input from the input port 303. Further, q [id] of pseudo code A is input from the input port 304. Data input from the input ports 302, 303, and 304 are stored in the input registers 309, 310, 311 and 312 respectively.

  When the data stored in the input registers 309 and 310 are a [j] and a [j + 1], one of them is selected by the multiplexer 306 and stored in the intermediate register 313. Similarly, when the data stored in the input registers 309 and 310 are m [j] and m [j + 1], one of them is selected by the multiplexer 306 and stored in the intermediate register 313. Further, b [i] and q [id] stored in the input registers 311 and 312 are selected by the multiplexer 307 and stored in the intermediate register 314. The data in the intermediate register 314 is output to the output port 319.

  The data stored in the intermediate register 313 and the intermediate register 314 is multiplied by the multiplier 316, and the result is stored in the intermediate register 315. Here, since the intermediate register 315 stores a multiplication result of k bits × k bits, the intermediate register 315 is a 2 k bit register. The data stored in the intermediate register 315 is added by the adder 317 with the upper k bits of the data supplied from the input port 305 and stored in the input register 308 or stored in the output register 322, and the result Is stored in the output register 322. Here, the multiplexer 318 selects the upper k bits of the data stored in the input register 308 and the data stored in the output register 322. The output register 322 is a 2 k-bit register, the upper k bits are connected to the input of the multiplexer 318 and the output port 320, and the lower k bits are connected to the output port 321.

  Next, detailed operation of the arithmetic circuit A301 will be described. Here, the operation clock outside the dotted line in FIG. 3 is denoted as clk1x, and the operation clock within the dotted line is denoted as clk2x. It is assumed that clk2x has an operating frequency twice that of clk1x. A dotted line in FIG. 3 indicates a multiple length multiplication circuit 323 provided in advance in the security chip 101 which is an FPGA. As described above, the FPGA includes a dedicated circuit for such multiplication processing. As one of the characteristics of the FPGA, such a dedicated circuit can generally operate at a high frequency.

  First, a [1] | a [0] is input from the input port 302 with reference to clk1x. Thereafter, data is continuously input from the input port 302 every cycle up to a [2t−1] | a [2t−2] with reference to clk1x. Hereinafter, this processing is referred to as input processing a. Subsequently, m [1] | m [0] is input from the input port 302 in the cycle after the cycle in which a [2t-1] | a [2t-2] is input. Thereafter, data is continuously input from the input port 302 every cycle up to m [2t−1] | m [2t−2] with reference to clk1x. Hereinafter, the process after the end of the input process a will be referred to as an input process m. After the input process m ends, the input process a and the input process m are repeatedly executed again. This series of processing is repeatedly executed a predetermined number of times (from i = 0 to i = n + d).

  In synchronization with the input process a and the input process m, b [i] is input from the input port 303 and q [id] is input from the input port 304 with reference to clk1x.

  The multiplexer 306 alternately selects the data stored in the input register 309 and the input register 310 with reference to clk2x. The multiplexer 307 selects b [i], which is the data stored in the input register 311, when the data of the input process a is stored in the input register 309 and the input register 310. On the other hand, when the data of the input process m is stored in the input register 309 and the input register 310, q [id] that is the data stored in the input register 312 is selected. That is, when a [j] or a [j + 1] is stored in the intermediate register 313, b [i] is stored in the intermediate register 314, and m [j] or m [j + 1] is stored in the intermediate register 313. If it is, q [id] is stored in the intermediate register 314.

  Thus, the multiplier 316 processes b [i] · a [j] (“·” represents a multiplication process, but may be omitted) corresponding to the input process a, and corresponds to the input process m. Then q [id] · m [j] is processed. The processing result is stored in the intermediate register 315.

  Next, when b [i] · a [0] is stored in the intermediate register 315, the value of the input register 308 is set to 0, the value of the input register 308 is selected by the multiplexer 318, and the adder 317 Executes the process of b [i] · a [0] +0. After that, the value of the upper k bits of the output register 322 is selected by the multiplexer 318, and the adder 317 executes the process b [i] · a [j] + carry_k. On the other hand, when q [id] · m [0] is stored in the intermediate register 315, the value of the input register 308 is set to p [i] [0], and the value of the input register 308 is set by the multiplexer 318. When selected, the adder 317 executes a process of q [id] · m [0] + p [i] [0]. Thereafter, the value of the upper k bits of the output register 322 is selected by the multiplexer 318, and the adder 317 executes the process of q [id] · m [j] + carry_k.

  Through the above processing, p [i] [0] to p [i] [2t−1] are output from the output port 321 corresponding to the input processing a, and v [i] is output corresponding to the input processing m. U [i] [2t-1] is output from [0] and u [i] [1]. Also, carry_k corresponding to the output port 321 is output to the output port 320. Each data is output to the output ports 320 and 321 for each cycle with reference to clk2x.

  As described above, in the arithmetic circuit A301, the input of data to the input ports 302 and 303 is based on clk1x, while the multiplication processing and the addition processing itself are based on clk2x. In the present embodiment, with such a configuration, an external circuit connected to the input ports 302 and 303 can be configured with reference to clk1x, and multiplication processing and addition processing itself can be processed with reference to clk2x. As described above, in this embodiment, since the external circuit can be configured with a low operating frequency, the timing constraint is relaxed and the design conditions of the external circuit can be relaxed.

  In recent FPGAs to which various functions are expanded, a dedicated circuit for multiplication processing and addition processing such as the multiple-length multiplication circuit 323 shown in FIG. 3 is incorporated as a hard macro. In general, such a dedicated circuit can be operated at a high operating frequency. On the other hand, when it is assumed that the FPGA circuit is operated at an operating frequency equivalent to that of the dedicated circuit with respect to parts other than the dedicated circuit, it is difficult to mount a complicated circuit because the timing constraint becomes severe. In this embodiment, only the dedicated circuit portion can be operated at a high operating frequency and the other portions can be operated at a low operating frequency without degrading the overall performance, so that efficient processing can be realized. .

  FIG. 4 is a block diagram showing an example of the configuration of an arithmetic circuit that performs q derivation processing of pseudo code of the algorithm described above.

  The arithmetic circuit shown in FIG. 4 excluding the arithmetic circuit A301 is an example of the intermediate value deriving unit. In this arithmetic circuit, s [i] [1] is input from the input port 205. Then, the input register 202 captures s [i] [1] in synchronization with clk1x. The intermediate register 203 captures data at the timing when v [i] [0] is output from the output port 321 of the arithmetic circuit A301 illustrated in FIG. As a result, v [i] [0] is stored in the intermediate register 203. The adder 204 processes v [i] [0] + s [i] [1] and outputs q [i + 1] as a result. The adder 204 is connected to the input port 304 of the arithmetic circuit A301, and the input register 312 takes in q [i + 1] from the input port 304 at a predetermined timing. Although not shown, a buffer is provided between the adder 204 and the input port 304 of the arithmetic circuit A301, and this buffer adds a delay d to q [i + 1] output from the adder 204. The timing is adjusted. As a result, as shown in FIG. 3, q [id] is input from the input port 304 of the arithmetic circuit A301. The output port 321 of the arithmetic circuit A301 is connected to the input register 308 via the input port 305, and the input port 305 is output when p [i] [0] is output from the output port 321. Import data from. As a result, p [i] [0] is stored in the input register 308.

  The process of calculating v [i] [0] only when j = 0 in the multiple-precision multiplication process (2) of the pseudo code described above is the same as the process performed by the arithmetic circuit shown in FIG. This is because the result of the addition process (1) can be started without waiting. Thereby, q [i + 1] can be derived at high speed. If the derivation of q [i + 1] is fast, the input process a and the input process m, which are repetitive processes, can be performed continuously. Conversely, if the derivation of q [i + 1] is slow, even if the input process m is executed, the multiplication process cannot be started until the multiplication target q [i + 1] is input, and the subsequent processes are continued. And will not be able to do it.

  FIG. 5 is a block diagram illustrating an example of the configuration of the arithmetic circuit B401.

  The arithmetic circuit B401 shown in FIG. 5 performs processing from j = 0 to j = t-1 in the loop processing in the multiple-length addition processing (1) of the pseudo code of the algorithm described above.

  It should be noted that the arithmetic circuit A301 shown in FIG. 3 performs 2t loop processing, whereas the arithmetic circuit B401 shown in FIG. 5 performs t loop processing. The arithmetic circuit B401 operates with reference to clk1x. For this reason, the arithmetic circuit B401 processes most of the number of loops of the arithmetic circuit A301 operating with clk2x.

  The input port 402 is connected to the output port 321 of the arithmetic circuit A301. Of the data output from the output port 321, the output when the value of j in the loop processing in the arithmetic circuit A 301 is an even number is stored in the intermediate register 404. Similarly, the output when the value of j is an odd number is stored in the intermediate register 406. The intermediate register 405 stores the output of the intermediate register 404. At this time, the intermediate register 404 and the intermediate registers 405 and 406 are registers that operate at opposite edges. That is, if the intermediate register 404 is a register that operates at the rising edge of clk1x, the intermediate registers 405 and 406 are registers that operate at the falling edge of clk1x. With such a configuration, the intermediate registers 405 and 406 receive p [i] [j + 1] | p [i] [j] or u [i] [j + 1] that are values obtained by connecting adjacent intermediate values at the same timing. ] [U [i] [j] is output. For example, at the timing when the intermediate register 405 outputs p [i] [0], the intermediate register 406 outputs p [i] [1], and at the timing when the intermediate register 405 outputs p [i] [2]. The intermediate register 406 outputs p [i] [3]. At the timing when the intermediate register 405 outputs u [i] [2], the intermediate register 406 outputs u [i] [3]. However, as described above, the pseudo register multiple multiplication process (2) performs the process of calculating v [i] [0] only when j = 0, so that the intermediate register 405 has v [i]. Note that the intermediate register 406 outputs u [i] [1] at the timing of outputting [0].

  When the intermediate registers 405 and 406 output p [i] [j] | p [i] [j + 1], mask processing is performed so that the outputs of the AND gates 407 and 408 become zero. Therefore, the outputs of the adders 410 and 411 are p [i] [j] | p [i] [j + 1]. When the adders 410 and 411 output p [i] [j] | p [i] [j + 1], the variable shift registers 412 and 413 capture the outputs of the adders 410 and 411. As a result, p [i] [j] | p [i] [j + 1] is stored in the variable shift registers 412 and 413. Next, when the intermediate registers 405 and 406 output u [i] [j] | u [i] [j + 1], the variable shift registers 412 and 413 store p [i] [j] | p [I] [j + 1] is output. At this time, the mask processing is not performed in the AND gates 407 and 408, and the outputs of the variable shift registers 412 and 413 are input to the adders 410 and 411 via the AND gates 407 and 408. Then, the adders 410 and 411 receive p [i] [1] + u [i] [1] or (p [i] [j + 1] | p [i] [j]) + (u [i] [j + 1] | U [i] [j]) + carry_1. Here, carry_1 is the value of the output register 416. When the process of p [i] [1] + u [i] [1] is executed, 0 is input from the input port 403, and 0 from the input port 403 is selected by the multiplexer 409 and input to the adder 410. Is done. In other cases, the value of the output register 416 is selected by the multiplexer 409 and input to the adder 410. V [i] [j] and v [i] [j + 1], which are the results of the addition processing by the adders 410 and 411, and carry_1, which is the carry value generated during the addition processing, are stored in the output registers 414 to 416, respectively. And output to the output ports 417 to 419.

  Here, the variable shift registers 412 and 413 are shift registers whose latency can be changed, and the latency is determined by the value of t. For example, when t = 0, the latency is 1, and when t = 1, the latency is 2. Thus, the variable shift registers 412 and 413 are set to have a latency of t + 1. Note that the variable shift registers 412 and 413 are one of the functions of the FPGA, and it is easy to realize such functions on the FPGA.

  FIG. 6 is a block diagram showing an example of the configuration of the arithmetic circuit C501.

  The arithmetic circuit C501 shown in FIG. 6 performs the processing from j = 0 to j = t-1 in the loop processing in the multiple addition processing (2) of the pseudo code of the algorithm described above.

  Note that the arithmetic circuit A301 illustrated in FIG. 3 performs 2t loop processing, whereas the arithmetic circuit C501 illustrated in FIG. 6 performs t loop processing. The arithmetic circuit C501 operates with reference to clk1x. For this reason, the arithmetic circuit C501 processes half the number of loops of the arithmetic circuit A301 in which most circuits operate on clk2x.

  The input port 502 is connected to the output port 417 of the arithmetic circuit B401 shown in FIG. The input port 503 is connected to the output port 418 of the arithmetic circuit B401. V [i] [j + 1] | v [i] [j] input from the input ports 502 and 503 is added to the output of the variable shift register 512 and the variable shift register 513 or the data input from the input port 504. Adders 510 and 511 perform addition processing. This addition processing corresponds to the processing of (v [i] [j + 1] | v [i] [j]) + (s [i] [j + 2] | s [i] [j + 1]) + carry_1 of the pseudo code. Adders 510 and 511 output addition results s [i + 1] [j], s [i + 1] [j + 1], and carry_1, which is a carry value generated during the addition process. The output data is stored in output registers 514 to 516, respectively. Further, s [i + 1] [j] and s [i + 1] [j + 1] are also stored in the variable shift registers 512 and 513. In the process of i = 0, since s [i] [0],..., s [i] [t], the addition process is (v [0] [j + 1] | v [0] [j]) It needs to be +0. Therefore, in this processing, the AND gates 506 and 507 are controlled so that the outputs of the AND gates 506 and 507 become 0, 0 is input from the input port 505, and 0 from the input port 505 is selected by the multiplexer 508. Input to adder 510.

  Next, details of the addition processing will be described.

  As described above, the variable shift registers 512 and 513 store s [i + 1] [j] and s [i + 1] [j + 1]. When t = 1, after the process of i = 0, s [1] [0] is stored in the variable shift register 512, and s [1] [1] is stored in the variable shift register 513. When i = 1, s [1] [1] is required as an input to the adder 510 and s [1] [2] is required as an input to the adder 511. At this time, since s [1] [1] is stored in the variable shift register 513, it is input to the adder 510 via the AND gate 506, whereas s [1] [2] is input port Assume that the input is made from 504. The carry value generated during the addition process for s [1] [1] and s [1] [2] is stored in the output register 516 and then output to the output port 519. The processing after i = 2 is performed in the same manner.

  In the case of t = 2, after the process of i = 0, s [1] [0], s [1] [2] are stored in the variable shift register 512, and s [1] [1], s [1] [3] is stored in the variable shift register 513. When i = 1, s [1] [1] and s [1] [3] are required as inputs to the adder 510, and s [1] [2] and s [ 1] [4] are required. At this time, as in the case of t = 1, data necessary for processing in the adder 510 is stored in the variable shift register 513 and is input to the adder 510 via the AND gate 506. Of the data necessary for processing in the adder 511, s [1] [2] is stored in the variable shift register 512, so that it is input to the adder 511 via the multiplexer 509 and the AND gate 507. In contrast, s [1] [4] is input from the input port 504. The carry value generated during the addition process for s [1] [1] and s [1] [2] is stored in the output register 516, and then the next s [1] [3] and s [1] [4] ] Is input to the adder 510 via the multiplexer 508 as the value of carry_1 necessary for the addition process. The carry value generated during the addition process for s [1] [3] and s [1] [4] is stored in the output register 516 and then output to the output port 519. The processing after i = 2 is performed in the same manner.

  Also in the case of t = 3 or more, as in the case of t = 2, the value of s already stored in the variable shift registers 512 and 513 is input to the adder 510 via the AND gate 506 as described above. The adder 510 performs addition processing using the input value of s. Then, the value of s that is not stored in the variable shift registers 512 and 513 is input from the input port 504 as described above, and the adder 510 performs addition processing using the input value of s.

  Next, the input / output relationship between the arithmetic circuit shown in FIG. 4 and the arithmetic circuit C501 shown in FIG. 6 will be described.

  The output port 518 of the arithmetic circuit C501 shown in FIG. 6 is connected to the input port 205 of the arithmetic circuit shown in FIG. As a result, the value of s [i] [1] necessary for the q derivation process, that is, the process of v [i] [0] + s [i] [1] is output to the input register 202 at the timing when it is output to the output port 518. Q [i + 1] can be derived by storing and adding by the adder 204.

  FIG. 7 is a block diagram showing an example of the configuration of the arithmetic circuit D601.

  The arithmetic circuit D601 shown in FIG. 7 includes j = 2t to j = (4t−1) among the loop processing in the multiple-precision multiplication processing (1) and the multiple-precision multiplication processing (2) of the pseudo code of the algorithm described above. ). Here, t is a positive integer (t ≠ 0). The processing of the arithmetic circuit D601 can be expressed by the following pseudo code (hereinafter referred to as “pseudo code D”).

  Here, carry_k on the right side in the pseudo code D is assumed to be a carry value generated in the process when j = 2t−1 by the arithmetic circuit A301 shown in FIG. Hereinafter, the correspondence between the pseudo code D and each part of the arithmetic circuit D601 will be described.

  First, a [j] and a [j + 1] of pseudo code D or m [j] and m [j + 1] are simultaneously input from input port 602. Therefore, the input port 602 has a bus width of 2k bits. Also, b [i] and q [id] of the pseudo code D are input from the input port 603. The input port 603 is connected to the multiplier 614 and the output port 616 via the intermediate registers 608 and 609. That is, the data input from the input port 603 is multiplied by the multiplier 614 with a latency of 2, and is output to the output port 616.

  In the input ports 602 and 603, data input processing is performed in the same manner as the arithmetic circuit A301 shown in FIG. That is, the input process a and the input process m are alternately performed every 2t cycles with reference to clk2x.

  The multiplexer 611 alternately selects the data stored in the input register 605 and the input register 606 with reference to clk2x. The intermediate register 607 stores the data selected by the multiplexer 611. When the data of the input process a is stored in the intermediate register 607, b [i] is input from the intermediate register 609 to the multiplier 614 at the same timing as that data. On the other hand, when the data of the input process m is stored in the intermediate register 607, q [id] is input from the intermediate register 609 to the multiplier 614 at the same timing as that data.

  Thereby, the multiplier 614 processes b [i] · a [j] corresponding to the input process a, and processes q [id] · m [j] corresponding to the input process m. . The processing result is stored in the intermediate register 610.

  Next, adder 615 performs addition processing of the result of multiplication processing by multiplier 614 stored in intermediate register 610 and carry_k. Only when j = 2t, the value input from the input port 604 as the value of carry_k is selected by the multiplexer 612 and used by the adder 615. In other cases, the carry value generated in the addition process one cycle before is selected by the multiplexer 612 and used in the adder 615, as in the arithmetic circuit A301 shown in FIG.

  Through the above processing, p [i] [2t-1] is output from the output port 618 corresponding to the input process a to p [i] [4t-1], and u [i] is output corresponding to the input process m. U [i] [4t-1] is output from [2t]. Also, carry_k corresponding to the output port 618 is output to the output port 617. Each data is output to the output ports 617 and 618 every cycle with reference to clk2x.

  As shown in FIG. 2, the circuit of the loop processing in the multiple length addition processing (1) from j = 2t to j = (4t-1) is the same circuit as the arithmetic circuit B401 shown in FIG. 7 is connected to the arithmetic circuit D601 shown in FIG. Further, the loop processing circuit in the multiple length addition processing (2) from j = 2t to j = (4t−1) is further connected to the same circuit as the arithmetic circuit C501 shown in FIG. Configure.

  Further, the processing after j = 4t is configured by preparing the arithmetic circuit D601 shown in FIG. 7, the arithmetic circuit B401 shown in FIG. 5, and the arithmetic circuit C501 shown in FIG.

  2, in the circuit configuration of the Montgomery multiplication circuit 201, most of the arithmetic circuit A301 and the arithmetic circuit D601 (the multiple length multiplication circuit 323 in FIG. 3 and the multiple length multiplication circuit 619 in FIG. 7) and the arithmetic circuit A301. The intermediate register 203 that stores the output performs processing with reference to clk2x, and the other circuits perform processing with reference to clx1x. Therefore, input / output in the entire Montgomery multiplication circuit 201 is performed with reference to clk1x. Thereby, since the external circuit can be configured with a low operating frequency, the timing constraint is relaxed and the design conditions of the external circuit can be relaxed. For example, read / write processing for a memory incorporated in an FPGA can be used for an external circuit. In addition, the processing circuit A301 and the processing circuit D601 use a dedicated circuit for multiplication processing and addition processing incorporated as a function expansion in recent FPGAs, so that processing using the high operating frequency at which the dedicated circuit can operate is used as it is. This makes it possible to realize high-speed and efficient processing.

  Next, the operation of the entire Montgomery multiplication circuit 201 shown in FIG. 2 will be described.

  First, the arithmetic circuit A301 starts the processing described with reference to FIG. After the arithmetic circuit A301 completes the input process a at i = 0, that is, after 2t cycles from the start of the process, using clk2x as a reference (after t cycles if clk1x is used as a reference), the arithmetic connected to the arithmetic circuit A301 The circuit D601 starts the input process a. Similarly, the adjacent arithmetic circuit D601 sequentially starts the input process a every 2t cycles with reference to clk2x. Thereafter, each arithmetic circuit performs processing until the processing of the entire pseudo code of the algorithm is completed. The calculation result is output from s [n + d + 1] [1] | s [n + d + 1] [0] to s [n + d + 1] [2t−1] | s [n + d + 1] [2t−2 by the leftmost arithmetic circuit C501 in FIG. ], 2 k bits are output sequentially for t cycles with reference to clk1x. After this output, the operation circuit C501 on the right next continues from s [n + d + 1] [2t + 1] | s [n + d + 1] [2t] to s [n + d + 1] [4t−1] | s [n + d + 1] [4t−2]. Sequentially, 2k bits are output for t cycles with reference to clk1x. Thereafter, the calculation result is sequentially output for t cycles by the adjacent calculation circuit C501 with reference to clk1x. In addition, s [n + d] [1],..., S [n + 1] [1] necessary as calculation results are output by the leftmost calculation circuit C501.

  FIG. 8 is a flowchart showing the operation (residue calculation method) of the Montgomery multiplication circuit 201.

Here, in the pseudo code of the algorithm described above,
Multiplicand _{A = {A n + d,} ···, A 1, A 0} (A n + d, ···, each of the values of _{A n} 0),
Multiplier B = {B _{n + d} ,..., B ₁ , B ₀ } (each value of B _{n + d} ,..., B _n is 0),
M ′ ″ == {M ₀ , M ₁ ,..., M _{n + d} },
Intermediate value Q = {Q _{n + d + 1} ,..., Q ₁ , Q ₀ , Q _{−1 ,.}
Intermediate result S = {S _{n + d + 1} ,..., S ₁ , S ₀ },
Multiplication result of A and B P = {P _{n + d} ,..., P ₁ , P ₀ },
M and Q multiplication results U = {U _{n + d} ,..., U ₁ , U ₀ },
The addition result of P and U is V = {V _{n + d} ,..., V ₁ , V ₀ }.

Montgomery multiplication circuit 201 (residue arithmetic device), stores the value of _{S 0} is set to 0, for example, in the memory (step S101). Further, the Montgomery multiplication circuit 201 sets each value of Q ₀ , Q ₋₁ ,..., Q _−d to 0 and stores it in, for example, a memory (step S102).

  The Montgomery multiplication circuit 201 sets the counter i to 0 and starts loop processing (step S103).

The arithmetic circuit A301 and the arithmetic circuit D601 (multiple-length multiplier) perform multiplication processing of A and B _i in the i-th processing at the operating frequency clk2x that is twice the predetermined operating frequency clk1x. In step 614, the multiplication result _Pi is output (step S104: part of the multiple length multiplication step). The arithmetic circuit A301 and the arithmetic circuit D601 is at twice the operating frequency clk2x, in i-th processing, performed by the multiplier 316,614 a process of multiplying the M '''and _{Q i-d,} the multiplication The result U _i is output (step S105: part of the multiple multiplication step). In this step S105, as will be described later, the arithmetic circuit A301 and the arithmetic circuit D601 use the Q _i-d obtained by delaying Q _i output in step S108 of the (i−1) -th process to use M ′ ″. And Q _i-d are multiplied. In this embodiment, in step S105, the arithmetic circuit A301 is a i-th process, after the process of multiplying the first k bits and Q _i-d of M ''', the multiplication result and the step S104 The adder 317 performs addition processing with the first k bits of P _i output in step S3, and outputs the addition result as the first k bits of V _i .

Arithmetic circuit B 401 (multiple length adder unit) at a predetermined operating frequency clk1x, in i-th processing, the adder an addition process between the outputted _{U i} at _{P i} and step S105 which is output in step S104 carried out at 410 and 411, and outputs the addition result _{V i} (step S106: part of multiple length adding step). Thereafter, the arithmetic circuit C501 (multiple length adder unit) is the first process, an addition process between the _{S 0} stored in the memory at _{V 0} and step S101 which is output in step S106 in the adder 510, 511 performed, and outputs the sum as S _1. In addition, in the second and subsequent i-th processing, the arithmetic circuit C501 performs addition processing of V _i output in step S106 and S _i output in the _i− 1th processing by the adders 510 and 511, The addition result is output as S _{i + 1} (step S107: part of the multiple length addition step). In the present embodiment, in step S107, the arithmetic circuit C501 performs the addition process of V _i and S _{i in} the i-th process, and then stores S _{i + 1} in the variable shift registers 512 and 513. After adjusting the timing according to the size, S _{i + 1} is output from the variable shift registers 512 and 513.

The arithmetic circuit (intermediate value deriving unit) shown in FIG. 4 performs the first k bits of V _i output in step S105 and the second k bits of S _i output in step S107 in the _i- th process. Are added by the adder 204, and the addition result is output as Q _{i + 1} (step S108: intermediate value deriving step). Here, the arithmetic circuit shown in FIG. 4 may perform addition processing of the first k bits of V _i and the second k bits of S _i using V _i output in step S106. In this case, in step S105, the arithmetic circuit A301 may not calculate the first k bits of V _i .

  The Montgomery multiplication circuit 201 increments i by 1 until the counter i reaches n + d, and repeats the above process n + d + 1 times (step S109).

After the loop processing ends, the arithmetic circuit C501 (remainder operation unit) outputs S _{n + d + 1} output in step S107 immediately before (that is, n + d + 1 processing) and d processing (reverse in time). In order, the bit string S _{n + d + 2} ≡ABR ⁻¹ mod (M) by concatenating the second k bits from S _{n + d} to S _{n + 1} output in step S107 ₍ from _{n + d} to _{n + 1} ). the obtained (step S110: remainder operation step). S _{n + d + 2} ≡ABR ⁻¹ mod (M) is the result of Montgomery multiplication. As described above, Montgomery multiplication is a remainder operation in which division processing is replaced with bit shift.

  As described above, the remainder calculation apparatus according to the present embodiment separates the multiple length multiplication process and the multiple length addition process, and the multiple length multiplication process is executed at twice the operating frequency of the multiple length addition process. It is characterized by being.

  The remainder calculation device is characterized in that in the multiple length addition process, the bit length processed per cycle is twice as long as the multiple length multiplication process.

  The remainder arithmetic unit has the circuit configuration shown in FIGS. 3 and 7 for the multiple length multiplication process.

  The remainder arithmetic unit has the circuit configuration shown in FIGS. 5 and 6 for the multiple length addition process.

  The remainder calculating device performs only the first k-bit processing in the multiple length addition processing in the multiple length multiplication processing circuit, and accelerates the derivation of the intermediate value necessary for the multiple length multiplication processing. Features.

  The remainder arithmetic unit stores the result of the multiple length addition process in the variable shift register in the circuit for the multiple length addition process, and outputs the stored value from the variable shift register at a timing required for the multiple length addition process. By doing so, it is possible to deal with an arbitrary number of loops. That is, in the remainder calculation apparatus according to the present embodiment, the number of loops can be adjusted according to the bit length of the input data.

It is a block diagram which shows the structure of the security chip using FPGA. It is a block diagram which shows the structure of a Montgomery multiplication circuit. It is a block diagram which shows an example of a structure of the arithmetic circuit A which performs a multiple length multiplication process (1) and a multiple length multiplication process (2). It is a block diagram which shows an example of a structure of the arithmetic circuit which performs q derivation | leading-out process. It is a block diagram which shows an example of a structure of the arithmetic circuit B which performs a multiple length addition process (1). It is a block diagram which shows an example of a structure of the arithmetic circuit C which performs a multiple length addition process (2). It is a block diagram which shows an example of the structure of the arithmetic circuit D which performs a multiple length multiplication process (1) and a multiple length multiplication process (2). It is a flowchart which shows operation | movement of a Montgomery multiplication circuit.

Explanation of symbols

  DESCRIPTION OF SYMBOLS 101 Security chip, 102 CPU, 103 Internal memory, 104 External interface, 105 Encryption processing memory, 201 Montgomery multiplication circuit, 202 Input register, 203 Intermediate register, 204 Adder, 205 Input port, 301 Arithmetic circuit A, 302, 303, 304, 305 Input port, 306, 307 Multiplexer, 308, 309, 310, 311, 312 Input register, 313, 314, 315 Intermediate register, 316 Multiplier, 317 Adder, 318 Multiplexer, 319, 320, 321 Output Port, 322 output register, 323 multiple length multiplication circuit, 401 arithmetic circuit B, 402, 403 input port, 404, 405, 406 intermediate register, 407, 408 AND gate, 409 Chipplexer, 410, 411 adder, 412, 413 variable shift register, 414, 415, 416 output register, 417, 418 output port, 501 arithmetic circuit C, 502, 503, 504, 505 input port, 506, 507 AND gate, 508, 509 Multiplexer, 510, 511 Adder, 512, 513 Variable shift register, 514, 515, 516 Output register, 517, 518, 519, 520 Output port, 601 Arithmetic circuit D, 602, 603, 604 Input port, 605 , 606 input register, 607, 608, 609, 610 intermediate register, 611, 612 multiplexer, 613 output register, 614 multiplier, 615 adder, 616, 617, 618 output port, 619 multiple length multiplication times .

Claims (7)

The remainder for obtaining the result of the Montgomery multiplication based on the addition result of the multiplication result of A and B, the multiplication result of M and Q, and the intermediate result S, where the multiplicand is A, the multiplier is B, the modulus is M, and the intermediate value is Q. In the arithmetic unit,
A multiple length multiplication unit that performs multiplication processing of A and B and multiplication processing of M and Q by a multiplier at an operation frequency that is twice the predetermined operation frequency, and outputs each multiplication result;
A multiple length addition unit that performs addition processing of two multiplication results output by the multiple length multiplication unit and S at the predetermined operating frequency with a plurality of adders, and outputs the addition result for each adder When,
A remainder calculation unit that obtains a result of Montgomery multiplication by concatenating the addition results for each adder output by the multiple length addition unit;
The multiple length multiplication unit performs multiplication processing of a predetermined bit length in each cycle of the double operating frequency,
The multiple-precision adding unit performs addition processing of a length twice as long as the predetermined bit length in each cycle of the predetermined operating frequency. The remainder for obtaining the result of the Montgomery multiplication based on the addition result of the multiplication result of A and B, the multiplication result of M and Q, and the intermediate result S, where the multiplicand is A, the multiplier is B, the modulus is M, and the intermediate value is Q. In the arithmetic unit,
A multiple length multiplication unit that performs multiplication processing of A and B and multiplication processing of M and Q by a multiplier at an operation frequency that is twice the predetermined operation frequency, and outputs each multiplication result;
A multiple length addition unit that performs addition processing of two multiplication results output by the multiple length multiplication unit and S at the predetermined operating frequency with a plurality of adders, and outputs the addition result for each adder When,
A remainder calculation unit that obtains a result of Montgomery multiplication by concatenating the addition results for each adder output by the multiple length addition unit;
The remainder calculation device is:
The bit length of B is k bits × n, the delay parameter is d,
_{B = {B n + d,} ···, B 1, B 0}, B n + d, ···, a value of each of _{B n} is 0,
Q = {Q _{n + d + 1} ,..., Q ₁ , Q ₀ , Q ₋₁ ,..., Q _−d }, Q ₀ , Q _{−1 ,.} ,
M ′ ″ = (M ″ +1) / 2 ^{k (d + 1)} , M ″ = M ′ (mod (2 ^{k (d + 1)} )) M, (−MM ′) mod (2 ^{k (d + 1)} ) = 1 and
S = {S _{n + d + 1} ,..., S ₁ , S ₀ }, S ₀ is set to 0,
2 ^kn R ⁻¹ mod (M) = 1,
The multiplication result of A and B is P = {P _{n + d} ,..., P ₁ , P ₀ },
The multiplication result of M and Q is U = {U _{n + d} ,..., U ₁ , U ₀ },
The addition result of P and U is V = {V _{n + d} ,..., V ₁ , V ₀ },
Perform a loop process that increments the counter i by 1 from 0 to n + d and repeats n + d + 1 times,
The multiple length multiplication unit performs multiplication processing of A and B _i in each processing at the twice operating frequency, outputs the multiplication result P _i , and performs M ′ in each processing. '' And Q _i-d are multiplied, the multiplication result U _i is output,
The multiple length adder unit, said at a predetermined operating frequency, each time the process performs the addition of the P _i and U _i output by the multiple length multiplication unit, the addition result output V _i After that, in the first process, V ₀ and S ₀ are added, and the addition result is output as S _{1. In the} second and subsequent processes, V _i and S _i output in the previous process are output. Addition process is performed, and the addition result is output as S _{i + 1} .
The remainder calculation device further includes:
In each process, an adder performs addition processing of the first k bits of V _i and the second k bits of S _i , and includes an intermediate value deriving unit that outputs the addition result as Q _{i + 1} .
The multiple length multiplication unit, each time the process, using the Q _i-d delayed the Q _i output by the previous processing by said intermediate value derivation unit, and M '''and Q _i-d The multiplication process of
The remainder operation unit, n + after d + 1 th processing, the multiple length adder unit by the outputted _{S n + d + 1} and _{S n + d} after connecting the second k bits of each of up to _{S n + 1} bit sequence _{S n + d + 2} ≡ A remainder calculation apparatus characterized by obtaining ABR ⁻¹ mod (M). The multiple length multiplication unit performs a multiplication process of the first k bits of M ′ ″ and Q _i-d in each process, and then adds the multiplication result and the first k bits of P _i. Processing is performed by an adder, and the addition result is output as the first k bits of V _i .
The intermediate value deriving unit uses the first k bits of V _i output by the multiple length multiplication unit in each processing, and uses the first k bits of V _i and the second k bits of S _i. The remainder calculation apparatus according to claim 2, wherein addition processing is performed. The multiple length addition unit performs addition processing of V _i and S _i in each process, and then stores S _{i + 1} in the variable shift register and adjusts the timing for outputting S _{i + 1} from the variable shift register. The remainder calculation apparatus according to claim 2, wherein: The remainder calculation device is implemented by an FPGA (Field / Programmable / Gate / Array) preliminarily provided with a multiple-precision multiplication circuit that performs multiplication processing of multiple-precision data at the double operating frequency.
5. The remainder calculation device according to claim 1, wherein the multiple length multiplication unit performs multiplication processing by the multiple length multiplication circuit. The remainder for obtaining the result of the Montgomery multiplication based on the addition result of the multiplication result of A and B, the multiplication result of M and Q, and the intermediate result S, where the multiplicand is A, the multiplier is B, the modulus is M, and the intermediate value is Q. In the calculation method,
A multiple length multiplication step of performing multiplication processing of A and B and multiplication processing of M and Q at an operation frequency twice as high as a predetermined operation frequency, and outputting each multiplication result;
Multiple- precision addition step of performing addition processing of two multiplication results output in the multiple-precision multiplication step and S at the predetermined operating frequency with a plurality of adders and outputting the addition results for each adder When,
A remainder calculation step of obtaining a result of Montgomery multiplication by concatenating the addition results for each adder output in the multiple length addition step,
In the multiple length multiplication step, a multiplication process of a predetermined bit length is performed in each cycle of the double operating frequency,
In the multiple length addition step, an addition process of a length twice the predetermined bit length is performed in each cycle of the predetermined operating frequency. The remainder for obtaining the result of the Montgomery multiplication based on the addition result of the multiplication result of A and B, the multiplication result of M and Q, and the intermediate result S, where the multiplicand is A, the multiplier is B, the modulus is M, and the intermediate value is Q. In the calculation method,
A multiple length multiplication step of performing multiplication processing of A and B and multiplication processing of M and Q at an operation frequency twice as high as a predetermined operation frequency, and outputting each multiplication result;
Multiple- precision addition step of performing addition processing of two multiplication results output in the multiple-precision multiplication step and S at the predetermined operating frequency with a plurality of adders and outputting the addition results for each adder When,
A remainder calculation step of obtaining a result of Montgomery multiplication by concatenating the addition results for each adder output in the multiple length addition step,
The remainder calculation method is:
The bit length of B is k bits × n, the delay parameter is d,
_{B = {B n + d,} ···, B 1, B 0}, B n + d, ···, a value of each of _{B n} is 0,
Q = {Q _{n + d + 1} ,..., Q ₁ , Q ₀ , Q ₋₁ ,..., Q _−d }, Q ₀ , Q _{−1 ,.} ,
M ′ ″ = (M ″ +1) / 2 ^{k (d + 1)} , M ″ = M ′ (mod (2 ^{k (d + 1)} )) M, (−MM ′) mod (2 ^{k (d + 1)} ) = 1 and
S = {S _{n + d + 1} ,..., S ₁ , S ₀ }, S ₀ is set to 0,
2 ^kn R ⁻¹ mod (M) = 1,
The multiplication result of A and B is P = {P _{n + d} ,..., P ₁ , P ₀ },
The multiplication result of M and Q is U = {U _{n + d} ,..., U ₁ , U ₀ },
The addition result of P and U is V = {V _{n + d} ,..., V ₁ , V ₀ },
Perform a loop process that increments the counter i by 1 from 0 to n + d and repeats n + d + 1 times,
In the multiple length multiplication step, multiplication processing of A and B _i is performed in each processing at the double operating frequency, and the multiplication result P _i is output, and in each processing, M ′ '' And Q _i-d are multiplied, the multiplication result U _i is output,
In the multiple length adding step, wherein at a predetermined operating frequency, each time the process performs the addition of the P _i and U _i output by the multiple-precision multiplication step, the addition result output V _i After that, in the first process, V ₀ and S ₀ are added, and the addition result is output as S _{1. In the} second and subsequent processes, V _i and S _i output in the previous process are output. Addition process is performed, and the addition result is output as S _{i + 1} .
The remainder calculation method further includes:
In each process, an adder performs an addition process of the first k bits of V _i and the second k bits of S _i , and includes an intermediate value derivation step for outputting the addition result as Q _{i + 1} .
In the multiple-length multiplication step, M ′ ″ and Q _i-d are obtained by using Q _i-d obtained by delaying Q _i output in the previous process in the intermediate value derivation step in each process. The multiplication process of
In the remainder calculating step, after n + d + 1-th processing, S _{n + d + 1} output in the multiple length addition step and each second k bit from S _{n + d} to S _{n + 1} are connected to form a bit string S _{n + d + 2} ≡ A remainder calculation method characterized by obtaining ABR ⁻¹ mod (M).

Images