JPH04277789A - Arithmetic unit and ciphered communication method using the same - Google Patents

Abstract

PURPOSE:To calculate the residue calculation of integers consisting of a large number of figures and to perform ciphering and deciphering for an ciphered communication by using it. CONSTITUTION:The arithmetic unit which calculates a residue by dividing the product of 1st and 2nd given integer by a 3rd integer is provided with ROMS 15-18 as storage means for holding values, multipliers 11-14 which input the 1st integer by a specific number of bits at a time in order and multiply the 2nd integer, and an arithmetic means which adds the inputs from the ROMs 15-18 and the inputs from the multipliers 11-14, finds the residue for the 3rd integer as to values exceeding the maximum figure of the 3rd integer among the values of the ROMs 15-18, and outputs the result to storage means.

Description

Detailed Description of the Invention [0001] [Industrial Application Field] The present invention relates to an operation for multiplying two integers and further dividing the result by another integer to obtain a remainder;
That is, for the integers A, B, and N, A・B mod
The present invention relates to an integer arithmetic device that performs N multiplications and divisions. In particular, R
It relates to an arithmetic device that performs multiplication and division of large-digit integers suitable for encryption techniques such as SA cryptography (Shinichi Ikeno, Kenji Koyama: "Modern Cryptography Theory", Institute of Electronics, Information and Communication Engineers, 1986, Chapter 6). . [0002] The present invention also relates to an encrypted communication method that is performed by encryption using the above-mentioned arithmetic unit and is used for various communication services such as a home bank, a farm bank, and e-mail and e-mail in a computer network. [0003] Conventionally, na.m bit integers A and nb.
R= by m-bit integer B and nn・m-bit integer N
There are two main types of multiplication/division circuits for large-digit integers that perform A/B mod N operations. One is a method that divides multiplication and division into two parts: multiplication of C=A・B and remainder calculation of D=C mod N, and the other is a method that divides A into each bit and performs an-i(i =1...na・m)
For R=2・R+an−i・B mod N(i
=1...na・m) partial product operation and remainder operation are performed by na・
This method is repeated m times. [0004] The former method often takes a configuration in which the multiplication circuit and the remainder calculation circuit are pipelined, and the configuration and control are relatively simple. However, this method requires independent memory for temporarily storing the multiplication result C and circuits for multiplication and remainder calculation, making it difficult to realize a device with a small circuit scale. Furthermore, since the latter method involves a partial product operation and a remainder operation therefor, the circuit can be made relatively compact. However, there were problems such as the carry delay time for one partial product remainder calculation and how to determine R>N for executing mod N. [0006] Regarding multiplication, an
Calculation is often performed by adding B to 2・R only when −i = 1; in this case, at least na・m
There was also the problem that it required more than the clock, which slowed down the processing speed. [0007] Furthermore, when an-i is made into multiple bits, a multiplier or divider with a large number of digits is required, and there is a problem that a multiplier or divider with a large number of digits does not have a ROM or cell library. . When designing a multiplier or divider with a large number of digits yourself, if you simply extended the circuit configuration of a multiplier or divider with a small number of digits, the circuit configuration would become extremely complex and difficult to implement. As described above, the conventional system has various problems, and it has been difficult to realize an efficient multiplication/division circuit. [0009] Therefore, the present invention eliminates the above-mentioned drawbacks and
It is an object of the present invention to provide an arithmetic device that efficiently executes multiplication and division regarding large-digit integers with a small circuit scale at high speed. Means for Solving the Problems In order to achieve the above object, the present invention provides an arithmetic device that calculates the remainder obtained by dividing the product of given first and second integers by a third integer. a storage means for holding a value; a multiplication means for sequentially inputting the first integer bit by bit and multiplying the second integer by the second integer; and an input from the storage means and an input from the multiplication means. and calculating means for calculating a remainder with respect to the third integer for the portion of the value in the storage means that exceeds the maximum digit of the third integer, and outputting the result to the storage means. I can do it. [Example] (Example 1) For simplicity, na = nb =
The explanation will be made assuming that nn = n. Let us assume that three n·m-bit integers are A, B, and N, and perform the operation A·B mod N=R. Here, a multiplier that performs the multiplication a·b=c of two small m-bit integers a and b can be easily realized with a known configuration. It is clear that it can be easily constructed using a ROM as an example. When A, B, and N are each divided into n parts every m bits, it can be expressed as follows. A=An-1・Xn-1 +An-2・Xn-2+...
・ +A1・X+A0B=Bn-1・Xn-1 +Bn
-2・Xn-2+... +B1・X+B0N=Nn-
1・Xn-1 +Nn-2・Xn-2+... +N1
・X+N0 Here, let X = 2m, and the bit series divided from the upper digit every m bits for A, B, and N is each An
-i, Bn-i, Nn-i (i=1...n). In this case, A, B, and N can be regarded as polynomials,
R=A・B mod N can be expressed as follows. R=A・B−Q・N (Q=[A・B/N])
However, [Z] represents an integer not exceeding Z. [0013] Therefore, R can be determined by the following example. (Algorithm 1) R0 =0 FOR j=1 TO n
Rj = Rj-1・X+An-j・B-Qj-1・
N = Rj-1・X+An-j
・B+Ej-1 −Lj-1・Xn NEXT IF Rn >N THEN Rn =Rn −
Qn・N However, Lj−1 = [Rj−1 ・
X/Xn]=[Rj-1/Xn-1]
Qj-1 = [Lj-1・Xn /N
], Qn = [Rn /N]
Lj-1・Xn=Qj-1・N+Ej-1 (
Ej-1 <N) Algorithm 1 does not judge R>N, so if Rj-1 exceeds Xn-1, which is the maximum digit of N,
Mod N is performed on the value Lj-1.Xn of 1.X. That is, R exceeding Xn-1 bitwise
Since mod N is applied to the coefficients of , it is not necessary to determine whether R>N. Also, Lj-1・Xn mod N
Instead of executing −Qj−1・N, Lj−1・N
Xn is subtracted and its remainder Ej-1 is added. That is, Lj-1 is converted to Ej-1 and added. This allows all subtractions by mod N to be performed by additions. However, in this case, Rn only once at the end.
>N and perform the calculation Rn = Rn -Qn・N, but this is done after the iterative calculation shown above is completed, and unlike the conventional method, R
>N does not need to be determined, so it can be done in a separate circuit, etc., and the overall processing speed is not affected. [0015] Next, there is a problem that the delay time associated with the calculation of Rj is large. In order to eliminate that delay time,
In Algorithm 1, Rj is decomposed into Rj,ni and B is decomposed into Bn-i and expressed as in Algorithm 2 below. (Algorithm 2) FOR j=1 TO n FOR i=0 TO n
Rj, n-i = Dj-1, n-i-1 +Cj-
1, n-i-2 +dwm (An-j・Bn-i
) +upm(A
n-j・Bn-i-1)+Ej-1, n-i
Dj, n-i = dwm (Rj, n-i
) Cj, n-i = upm (Rj,
n-i) NEXT NEXT However, Rj-1, n・Xn =Qj-1・N+Ej-
1, Qj-1 = [Rj-1, n・Xn/N] (1
) Ej-1 = Ej-1, n-1・Xn-1 +E
j-1,n-2・Xn-2 +... +Ej-1,1
・X +Ej-1
,0
(2) D
0, n-i-1 = C0, n-i-2 = E0, n-i
=Bn =B-1=0 dwm (Z
): Value of 2m digit or less of Z upm (
Z): Means the value obtained by dividing the value of Z greater than or equal to 2m+1 by 2m+1. Basically, Algorithm 1 and Algorithm 2
are the same, but Algorithm 2 expresses the operation of the actual circuit more closely. Here, considering the case where n=4, a multiplier/divider is constructed using a circuit as shown in FIG. 1 in Algorithm 2. FIG. 1 shows m for calculating An-j·Bn-i.
*From n multipliers of m bits and the value of Rj-1,n (
1), (2), n ROMs each outputting the value of Ej-1, n-i, 4-input m-bit adder or 5-input adder n+1 with 2-bit carry, and Rj
, n-i. The lower m bits of this register are Rj,n-
The lower m digits of i (dwm (Rj, n-i) = Dj,
n-i), and the upper 2 bits are the value of m+1 or more digits of Rj, n-i (upm (Rj, n-i) = Cj
, n-i). As a result, the carry for each adder is absorbed by Cj,ni at each clock, and is added together with the lower m bits of the register on the right as a carry in the next clock. Therefore, the delay time associated with the calculation of Rj as in algorithm (1) can be eliminated. As mentioned above, Dj, n-i, Rj, n-
i, Cj, n-i represent the state of the register, the subscript j means the clock, and n-i indicates the position of the circuit from right to left in Figure 1 from i = 0 to i = n. . Therefore, in the initial state (j=0), R0,0 is as shown in Figure 1.
means the leftmost register of R0,n-1 =R0,3
means the rightmost register. However, R0,n =
R0,4 means the output from the rightmost adder. Next, the operation of FIG. 1 will be explained. In FIG. 1, the initial state of each register (R0
, n-i-1) are all 0. At this time, R0,
Since n-i-1 = 0, D0, n-i-1 = C0
, n-i-2 =0. When A3 is input at the first clock (j=1), A3·Bn-i (i=1...4) is output from each multiplier. The value is divided into upper and lower m digits, added by each adder, and stored in each register (R1, n-i: i=1...n). At this time, R1, n-i (i=1...4)
The lower m bits are stored in the register as D1, n-i, and if there is a carry, the m+1 bits or more are stored in the register as C1, n-i. When A2 is input at the next clock (j=2), A2·Bn-i (i=1...4) are similarly output from the upper multiplier for each of the upper and lower m bits. . At this time, R1,4=upm (A3·B3) is output from the rightmost register through the adder, and in response to this, the value of E1,ni is output from each ROM to each adder. At that time, the lower m bits Dj-1, n-i-1 (i=2...4) of the register to the left of the adder are also input to the adder, but The upper two bits Cj-1 and n-i-2 are input to the same adder as a carry carry. Therefore, the adder is configured as a 4-input m-bit adder or a 5-input adder with 2 bits of carry and returns an output of m+2 bits. Therefore,
The register consists of m+2 bit registers. Furthermore, when A1 is input at the next clock (j=3), A1·Bn-i (i=1...4) are output from the upper multiplier every m bits of upper and lower m bits. Ru. At this time, R2,4 = upm(A2・B3)+dwm
(A3·B3)+E1,3 is output from the rightmost register through the adder. Similarly, in response to this, the value of E2, n-i is output from each ROM to each adder,
The lower m bits of the register to the left of the adder, and 2
The upper two bits of the register to the left are input to the same adder. Furthermore, when A0 is input at the clock of j=4, the same operation is performed, and as a result, it can be seen that the value stored in each register is Rn. (Embodiment 2) Algorithm 2 of Embodiment 1 converts the output from the multiplier into dwm (An-j·Bn-i)
It is decomposed into two outputs: and upm(An-j・Bn-i-1), but if B can be treated as a constant, as shown in Figure 2 and Algorithm 3, after receiving the input of An-j, - Divide the value of j・B into several ROMs and write AB
It can also be output as j, n−i. (Algorithm 3) FOR j=1 TO n FOR i=0 TO n
Rj, n-i = Dj-1, n-i-1 +Cj-
1, n-i-2 +ABj, n-i +Ej-1, n-
i Dj, ni = dwm (Rj
, n-i) Cj, n-i = upm
(Rj, n-i) NEXT NEXT However, An-j・B=ABj-1, n・Xn +AB
j-1, n-1・Xn-1 +... +ABj-1,
(Third Embodiment) Next, an example will be described in which the multiplication of multiple bits using a ROM or the like is not performed, and the remainder multiplication is realized using only an AND circuit and an adder. (Algorithm 4) ##EQU00001## An example of the configuration of this device is shown in FIG. In this example, An-j
=(aj・m+m−1 ,... aj・m+1 ,
m bits of aj・m) are simultaneously inputted bit by bit independently, and aj・m−k・B (k=0...m−1) are independently inputted by AND circuits 38(1) to 38(m). Output. At this time, aj・m−k・B is aj・m−k
When is 0, it is 0, and when it is 1, it is B. Modulo multiplication can be realized by adding this output, the lower bits of the register on the left, the upper bits of the register further to the left, and the output from the ROM using an adder with m+3 inputs. At this time, the size of each register 44 to 47 is m
Since it is the sum of m+3 terms of bit values, m+log2(
m+3) or more is sufficient. Furthermore, in FIGS. 1 to 3, the value of Rj,n may be latched once in a register. In this case, the maximum processing time of one clock required to latch the value of Rj,n in the register once is only the time required for multiplication or division, and the operations of Algorithms 2 to 4 are repeated at short intervals. be able to. Corresponding circuit configurations are shown in FIGS. 4-6. Furthermore, instead of Algorithm 1, the following algorithm can also be used. (Algorithm 5) R0 = 0 FOR j = 1 TO n
Rj = Rj-1・X+An-j・B-Qj-1・
N・X=Rj−1・X+A
n-j・B+(Ej-1 −Lj-1・Xn)・X
NEXT IF Rn >N THEN Rn =Rn −
Qn・N However, Lj-1 = [Rj-1 /
Xn ] Qj−1 = [Lj
-1・Xn+1/N], Qn = [Rn /N]
Lj-1・Xn+1 = (Qj-1
・N+Ej-1 )・X (Ej-1 <N)
Here, X is necessary to shift the output of the remainder Ej-1 with respect to the output An-j·B from the multiplier, and thereby The adder can be eliminated. 7 to 9 show circuit configurations corresponding to the above algorithm. Furthermore, if c registers are added to the right end of each circuit in FIGS. 7 to 9, -Qj-1·N·Xc =
(-Lj-1.Xn+1 +Ej-1).Xc, so it is also possible to shift the remainder output Ej-1 arbitrarily. As described above, it has been shown that an n·m bit multiplication/division circuit can be efficiently realized when an input value is input after being divided into n parts every m bits. This means that na ≠ n,
It is clear that a multiplication/division circuit can be realized with a similar circuit configuration also in the case of nb≠n and nn≠n. In the circuit of the embodiment described above, Cj,n-
Since the carry is once held by i, there is no delay time related to the carry, and the operations of Algorithms 2 to 4 can be repeated at short intervals. Furthermore, since mod N is performed for the value Lj-1·Xn of Rj-1 that exceeds Xn-1, which is the maximum digit of N, it is not necessary to determine whether R>N. Also, instead of executing -Qj-1・N, -Qj-
Ej- where 1.N=-Lj-1.Xn +Ej-1
By adding 1, all remainder operations are performed by addition. In addition, multiplication can be performed by decomposing it into small digits (algorithm 2), if B is a constant, it can be constructed from ROM (algorithm 3), or multiplication can be performed using only an AND and an adder without using a multiplier. (Algorithm 4)
By doing so, multiplication can be performed without using a multiplier that performs multiplication of large digits. Therefore, if a small digit multiplier can be easily used due to TTL or a cell library, algorithm 2, if B can be treated as a constant, algorithm 3, and if there is no ROM or cell library multiplier, algorithm A multiplication/division circuit corresponding to 4 is suitable. [0034] Furthermore, the configuration in which the same arithmetic elements are repeated as shown in FIGS. 1 to 9 has the advantage that it is easy to configure a large-scale circuit such as a VLSI. (Embodiment 5) Next, a method of encrypted communication using the above-mentioned arithmetic device will be explained. Assuming that the plaintext to be communicated is M, the ciphertext is C, the public encryption key is e, the decryption key is d, and the published modulus is N, the encryption and decryption of RSA encryption is expressed by the following exponentiation and remainder operation. be done. Encryption: C=Me mod N Decryption: M=
Cd mod N Therefore, encryption and decryption of the RSA encryption can be realized by a similar modular exponentiation calculation circuit. Therefore, only encryption will be explained below. Power remainder operation: C=Me mod N can be realized by simply performing remainder multiplication of two numbers, but M,
When e is large, the amount of calculation becomes enormous. Therefore, in the present invention, calculations are performed according to the following algorithm. However, e is an integer consisting of k bits, and e
=ek, ek-1,..., e2, e1. INPUT M,e,N
(input) C=
1
(Initial setting) FOR
i=k TO 1 IF ei=1 THEN C=C
・M mod N (operation 1)
IF i > 1 THEN C=C・C
mod N (operation 2) NEXT Therefore, in this case, the exponentiation remainder operation is C=C・
This is realized by repeating modular multiplication of B mod N (B is M or C). This remainder multiplication can be realized by a circuit as shown in FIG. A circuit that efficiently executes this algorithm is shown in FIG. 101 and 102 are M and e, respectively.
, is a shift register that stores the values of 103, 10
4 is a register that stores the values of N and C, respectively. Also,
105 and 106 are selector switches for selecting input;
07 is a multiplexer that selects the value of C in the register 104 every m bits (m is an arbitrary integer) from the upper digit and outputs it serially, and 108 is a remainder multiplication circuit that executes the operation of C=C・B mod N. . 109 is a controller that determines whether ei = 1 or i > 1 and controls the execution of calculations 1 and 2, and controls clear signals and preset signals of selectors and registers during input and initial setting, and controls the counter and ROM. This can be easily realized using some logic circuits. Next, the operation of this circuit will be explained. The inputs are plaintext M and public keys e and N. Therefore, M, e, and N are input to registers 101 to 103 serially or in parallel. At this time, selector 1
05 inputs M into the register 101 by selecting M. At the same time, instead of inputting the value of C to the register 104, it is initialized so that C=1 by a register clear signal or a preset signal. [0041] When the input and initial settings are completed, calculation 1,
The remainder multiplication shown in 2 is started. Here, operations 1 and 2
The difference is in the remainder multiplication C=C・B mod N,
The difference is whether B is M or C. Therefore, when executing operation 1, selector 106 selects serial output M for every m bits from register 101, and when executing operation 2, selects C, which is serial output for every m bits from multiplexer 107. controlled to do so. Further, the serial output M of every m bits from the shift register 101 is inputted to the shift register 101 again via the selector 105. The configuration and operation of the remainder multiplication circuit 108 are as described above. By inputting C output from the remainder multiplication circuit 108 in parallel to the register 104 and using it for the next remainder multiplication, operations 1 and 2 are efficiently repeated. In addition, in this device, instead of M and e, C
, d, the ciphertext can be decrypted. [0043] As explained above, the arithmetic device of the present invention has the advantage of being able to execute modular multiplication at high speed with a small circuit scale. Furthermore, since the arithmetic device of the present invention is constructed by repeating the same arithmetic elements, it has the advantage that it is easy to realize circuitization using VLSI or the like. Further, according to the present invention, there is an effect that an encryption/decryption device for encrypted communication can be realized with a small circuit scale.

[Brief explanation of the drawing]

FIG. 1 is a diagram showing an example of a circuit configuration of an arithmetic device of the present invention.

FIG. 2 is a diagram showing an example of the circuit configuration of the arithmetic device of the present invention.

FIG. 3 is a diagram showing an example of the circuit configuration of the arithmetic device of the present invention.

FIG. 4 is a diagram showing an example of the circuit configuration of the arithmetic device of the present invention.

FIG. 5 is a diagram showing an example of the circuit configuration of the arithmetic device of the present invention.

FIG. 6 is a diagram showing an example of the circuit configuration of the arithmetic device of the present invention.

FIG. 7 is a diagram showing an example of a circuit configuration of an arithmetic device of the present invention.

FIG. 8 is a diagram showing an example of the circuit configuration of the arithmetic device of the present invention.

FIG. 9 is a diagram showing an example of the circuit configuration of the arithmetic device of the present invention.

FIG. 10 is a diagram showing a configuration example of an encryption/decryption device.

[Explanation of symbols]

11-14 Multipliers 15-18 ROM 19-23 Adders 24-27 Registers 28-32 ROM 33-37 Adder 38(1)-38(m) AND circuits 39-43
Adders 44-50 Registers 101, 102 Shift registers 103, 104 Registers 105-106 Selector 107 Multiplexer 108 Remainder multiplication circuit

Claims (7)

[Claims] 1. An arithmetic device that calculates a remainder when a product of given first and second integers is divided by a third integer,
a storage means for holding a value; a multiplication means for sequentially inputting the first integer bit by bit and multiplying the second integer by the second integer; and adding the input from the storage means and the input from the multiplication means. and calculating means for calculating a remainder with respect to the third integer for a portion of the value in the storage means that exceeds the maximum digit of the third integer, and outputting the result to the storage means. Characteristic computing device. 2. In the calculation means, in order to perform the calculation for the remainder, the remainder is added in place of the portion of the value in the storage means that exceeds the maximum digit of the third integer. The arithmetic device according to claim 1, characterized in that: 3. The storage means has a plurality of registers, the calculation means includes a plurality of adders each adding predetermined digit parts, and the register has a plurality of registers, each of which adds a predetermined digit part. 2. The arithmetic device according to claim 1, wherein the upper digit part and the lower digit part are output to different adders. 4. The multiplication means includes a plurality of multipliers that perform multiplication between the predetermined number of bits, and each multiplier outputs an upper digit part and a lower digit part of the multiplication result to a different adder. The arithmetic device according to claim 3, characterized in that: 5. The multiplication means includes a logic circuit that outputs the product of each bit of the first integer inputted in units of the predetermined number of bits and the second integer. computing device. 6. An encrypted communication method in which a cipher C=Me mod N is determined from given integers e and N for information M to be transmitted, and the cipher C is transmitted, the encryption device comprising:
An arithmetic device that calculates a remainder when a product of given first and second integers is divided by a third integer, the device comprising: a storage means for holding a value; and a predetermined bit of the first integer that is sequentially inputted. a multiplication means for multiplying the second integer by adding the input from the storage means and the input from the multiplication means, and for the part of the value in the storage means that exceeds the maximum digit of the third integer; , and arithmetic means for performing an arithmetic operation to obtain a remainder with respect to the third integer and outputting the result to the storage means. Claim 7: For the received cipher C, obtain information M=Cd mod N from given integers d and N, and calculate the cipher C.
In an encrypted communication method for decoding information M into information M, the decoding device is provided with an arithmetic device that calculates a remainder when the product of given first and second integers is divided by a third integer, a storage means for holding; a multiplication means for sequentially inputting the first integer bit by bit and multiplying the second integer; and adding the input from the storage means and the input from the multiplication means;
and an arithmetic device for calculating a remainder with respect to the third integer for a portion of the value in the storage means that exceeds the maximum digit of the third integer, and outputting the result to the storage means. An encrypted communication method characterized by: