JPH07200267A - Power residue operation method/circuit - Google Patents

Abstract

PURPOSE:To provide a power residue operation method by which the power residue operation of Y=alpha**x modp when a base alpha is a constant is efficiently executed. CONSTITUTION:In the power residue operation method for executing the power residue operation of Y=alpha**x modp ((p), (a) and X are integers and **a power exponent), the number of bits where '1' is given to X is counted in a judgment step. Thus, it is judged whether or not the count concerned is larger than k/2 ((k) is the number of bits of X), and the value of alpha**m and alpha**-m (m=2**i, i=0, 1...k-1) is calculated in accordance with (i) in advance and either alpha**m or alpha**-m is sequentially outputted corresponding to (i) in accordance with the judged result of the judgment step in an output step. Then, C=C.Ai modp is calculated in accordance with the binary code Xi of X with output in the output step as Ai in an operation step.

Description

Detailed Description of the Invention

[0001]

The present invention relates to the case where Y is a constant when the base α is a constant.
= Α ** x modp (p, α, X are integers, ** is a power exponent), and a modular exponentiation calculation circuit for performing the calculation.

[0002]

2. Description of the Related Art A modular exponentiation operation for performing an operation of Y = α ** x modp is often used in the field of cryptography. In the field of cryptography, α is a variable and α is a constant. In the case of the RSA cryptosystem, which is a typical public key cryptosystem, α is handled as a variable, and the well-known Diffie
In the public key distribution method by and Hellman, α is treated as a constant.

By the way, in the public key distribution system by Diffie and Hellman, a method is adopted in which users of a communication network share a secret key by using a public key. In this system,
The security is based on the difficulty of solving the discrete logarithm problem on the finite field GF (p). In this public key distribution system, users A to B of the communication network are:
The key is delivered to. Procedure 1) Define a prime number p and a fixed primitive root α with a finite field GF (p), and notify all users of the communication network as a public key. Procedure 2) User A randomly selects an integer XA of 0 <XA <p and keeps it secret, calculates Formula 1, and calculates YA as User B.
Send to.

YA = α ** XA modp User B randomly selects an integer XB of 0 <XB <p and holds it secretly, calculates Equation 2 and sends YB to user A.

[Formula 2] YB = α ** XB modp Procedure 3) After exchanging YA and YB, user A shares key K
Is calculated based on Equation 3.

## EQU00003 ## K = YB ** XA modp = .alpha. ** XAXB modp User B calculates the shared key K based on Equation 4 after the exchange of YA and YB.

## EQU00004 ## K = YAXB modp = .alpha. ** XAXB modp In this manner, the keys K = .alpha. ** XAXB modp can be secretly shared by the users A and B. In this case, the base α is fixed in the modular exponentiation operation and can be treated as a constant.

In this case, it is often practiced that p is a power of 2 instead of a prime number. By the way, Y = α
In the calculation of ** x modp, if p = 2 ** k, the number of bits of X for 0 <X <p is k at most, and the procedure 2
It is known that the power-residue calculation of can be expressed by the following algorithm. However, X = [Xk, Xk-
1 ... X1]

INPUT α, X, p (input) C = 1 (initial setting) FOR i = k TO 1 IF Xi = 1 THEN C = C · α modp (Operation 1) IF i> 1 THEN C = C · C modp (Operation 2) NEXT Y = C In this case, it is necessary to execute the operation 1 and the operation 2 k times, and a total of 2k modular multiplication is performed.

Since α is a primitive root of GF (2 ** k), α ** 2 is the k-th power of 1, and α ** X = 1 / α **-x
= 1 / α ** u (where u = 2 ** k−X), and the fact that this is (1 / α) raised to the u-th power is known as the following high-speed arithmetic method.

INPUT α, X, p (input) C = 1 (initial setting) IF HW (X)> k / 2 THEN X = 2 ** k−X (judgment 1) IF HW (X)> k / 2 THEN α = α **-1 (judgment 2) FOR i = k T0 1 IF Xi = 1 THEN C = C · α modp (Calculation 1) IF i> 1 THEN C = C · C modp (Calculation 2) NEXT Y = C where HW (X) is the Hamming weight of the bit sequence X (the number of bits for which 1 is set).

In this algorithm, HW (X)> k /
When 2, the conversion of X ← 2k−X and α ← α **-1 is performed, but α ** X = 1 / α ** u (however, u = 2 ** k−X), which is (1 / Α) to the u-th power, so the original α **
Since X and the converted α ** X are the same, it is only necessary to obtain the converted α ** X. In this case, 2 ** k
= [1,0 ... 0], the number of 0's is k, and 2 ** k-X for X = [Xk, Xk-1 ... X1]
= [| Xk |, | Xk-1 | ... | X1 |] (| Xi | is Xi
Xi = 0 → | Xi | = 1, Xi = 1 → |
Since Xi | = 0, HW (X) <k / 2 due to conversion (X ← 2 ** k−X) when HW (X)> k / 2.

[0009]

According to the above-mentioned conventional high-speed arithmetic method, since Xi = 1 is k / 2 or less, the maximum number of arithmetic operations is k / 2, which is 1.5k in total. The remainder multiplication of is sufficient. However, since the fact that α can be treated as a constant is not used here, it cannot be said to be a very efficient method. In other words, if X is expressed by a code that represents binary, 2 **
Since a factor term of k-1, 2 ** k-2 ... 2 ** 0 appears, the same operation is repeatedly performed, which is not very efficient.

The present invention has been made in view of the current state of the conventional modular exponentiation operation described above, and its first object is to obtain a base α.
It is to provide a method of modular exponentiation for efficiently performing modular exponentiation of Y = α ** x modp when is a constant.

A second object of the present invention is to provide a power-residue calculation circuit that efficiently performs a power-residue calculation of Y = α ** x modp when the base α is a constant.

[0012]

In order to achieve the first object, the first invention according to claim 1 provides: Y = α **
In a power-residue calculation method for performing a power-residue calculation of x modp (p, α, X is an integer), the count value is set to k by counting the number of bits in which 1 of X is set.
/ 2 (k is the number of bits of X) and a determination step for determining whether or not α ** m and α **-m (m = 2 ** i, i)
= 0, 1 ... k-1) is calculated in advance corresponding to i, and α ** m is calculated according to the result of the determination in the determination step.
Or an output step of sequentially outputting any one of α **-m according to i, and an output at the output step is Ai, X
And a calculation step for calculating C = C · Ai modp according to the binary code Xi.

Similarly, in order to achieve the first object,
The second invention according to claim 2 is Y = α ** x mod
In a modular exponentiation method for performing a modular exponentiation operation of p (p, α, X is an integer), the number of bits for which 1 of X is set is counted, so that the count value is k / 2 (k is the bit of X). Number) and a determination step for determining whether or not it is larger than α ** m and α **-m (m = 2 ** i, i = 0, 1 ·
.. The value of k-1) is calculated in advance corresponding to i, and α ** m, α **-m or 1 of α ** m, α **-m or 1 is calculated according to the determination result in the determination step and the binary code Xi of X. An output step of sequentially outputting any one of i and an output at the output step is Ai, and C = C · A according to the binary code Xi of X.
and a calculation step for calculating i modp.

Further, in order to achieve the second object,
A third invention according to claim 3 is Y = α ** x mod
In a power-residue arithmetic circuit that performs a power-residue calculation of p (p, α, X is an integer), by counting the number of bits for which 1 of X is raised, the count value is k / 2 (k is the bit of X). And a determination means for determining whether or not it is larger than (number), and α ** m and α **-m (m = 2 ** i, i = 0, 1 ...
The value of k-1) is calculated and stored in advance corresponding to i, and α ** m or α **-m depending on the judgment result by the judgment means.
And output means for sequentially outputting any of the above in accordance with i, and arithmetic means for calculating C = C · Ai modp according to the binary code Xi of X, with the output from the output means as Ai. It is characterized by.

Similarly, in order to achieve the second object,
A fourth invention according to claim 4 is Y = α ** x mod.
In a power-residue arithmetic circuit that performs a power-residue calculation of p (p, α, X is an integer), by counting the number of bits in which X is 1, the count value is k / 2 (k is the bit of X). And a determination means for determining whether or not it is larger than (number), and α ** m and α **-m (m = 2 ** i, i = 0, 1 ...
The value of (k-1) is calculated and stored in advance corresponding to i, and according to the judgment result of the judgment means and the binary code Xi of X,
C = C according to the binary code xi of X, with an output means for sequentially outputting any one of α ** m, α **-m or 1 according to i, and an output by the output means as Ai.・ Ai mod
and a calculation means for calculating p.

[0016]

According to the first invention, Y = α ** x modp
(P, α, X are integers) In a modular exponentiation method for performing modular exponentiation, the count value is counted as k / 2 (k is It is determined whether or not it is larger than the number of bits of X), and in the output step, α ** m and α **-
The value of m (m = 2 ** i, i = 0, 1 ... k-1) is calculated in advance in correspondence with i, and α ** m or One of α **-m is sequentially output according to i, and in the calculation step, the output at the output step is Ai, and C is calculated according to the binary code Xi of X.
= C · Ai modp is calculated.

According to the second invention, Y = α ** x mo
In a modular exponentiation calculation method for performing modular exponentiation of dp (p, α, X is an integer), the count value is counted as k / 2 (k Is greater than the number of bits of X), and in the output step, α ** m and α
The value of **-m (m = 2 ** i, i = 0, 1 ... k-1) is calculated in advance corresponding to i, and the judgment result at the judgment step and the binary code of X Α ** m, α * depending on Xi
Either * -m or 1 is sequentially output according to i, and in the calculation step, C = C · Ai mod is set according to the binary code Xi of X, where the output at the output step is Ai.
p is calculated.

According to the third invention, Y = α ** x mo
In a modular exponentiation operation circuit that performs a modular exponentiation operation of dp (p, α, X is an integer), the number of bits in which 1 of X is set is counted by the determination means, and the count value is k / 2 (k Is larger than the number of bits of X), and the output means determines α ** m and α **-m.
The value of (m = 2 ** i, i = 0, 1 ... k-1) is calculated and stored in advance corresponding to i, and α ** m or α * is determined according to the determination result by the determination means. One of * -m is sequentially output according to i, and the output of the output means is Ai by the arithmetic means.
As C = C · Ai m according to the binary code Xi of X
odp is calculated.

According to the fourth invention, Y = α ** x mo
In a modular exponentiation operation circuit that performs a modular exponentiation operation of dp (p, α, X is an integer), the determination unit counts the number of bits for which 1 of X is set, and the count value is k / 2 (k Is larger than the number of bits of X), and the output means determines α ** m and α **-m (m
= 2 ** i, i = 0, 1 ... k-1) is calculated and stored in advance in correspondence with i, and α is set in accordance with the result of the judgment by the judging means and the binary code Xi of X. Any one of ** m, α **-m or 1 is sequentially output according to i, and the output of the output means is Ai by the computing means, and C = C.multidot.C according to the binary code Xi of X. Ai modp is calculated.

[0020]

DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENTS An embodiment of the present invention will be described below with reference to FIGS. FIG. 1 is a block diagram showing the configuration of a modular exponentiation calculation circuit used for executing the modular exponentiation calculation method according to the first embodiment of the present invention, and FIG. 2 is a block diagram showing the modular exponentiation calculation method according to the second embodiment. FIG. 3 is a block diagram showing the configuration of the modular exponentiation operation circuit used, and FIG. 3 is a block diagram showing the configuration of the logic circuit used in the circuit of FIG.

[First Embodiment] Y = when the base α is a constant
In the process of performing modular exponentiation of α ** x modp, α ** m or α **-m (m = 2 ** i, i = 0, 1,
The calculation of k-1) is repeatedly executed. Therefore, α ** m = ALi and α **-m = BLi (m = 2 ** i,
If the values of i = 0, 1, ..., K−1) are calculated and stored in advance according to i and are output according to i, the calculation can be executed efficiently. In this embodiment, Y = α ** x modp is calculated by the following algorithm.
Performs modular exponentiation of.

INPUT α, X, p (input) C = 1 (initial setting) IF HW (X)> k / 2 THEN X = 2 ** k−X (judgment 1) FOR i = k−1 TO 0 IF HW (X)> k / 2 THEN Ai = BLi ELSE Ai = ALi (judgment 2) IF Xi = 1 THEN C = C · Ai modp (calculation) NEXT Y = C

Thus, according to this embodiment, the AL
It is possible to calculate i and BLi in advance and store them, select and use these calculated values, suppress the number of modulo multiplication operations to k / 2 or less, and efficiently execute the modular exponentiation operation. become.

FIG. 1 shows a modular exponentiation operation circuit for executing the algorithm of the present embodiment. In FIG. 1, reference numeral 1 is a storage circuit for inputting and storing X and sequentially outputting it to the logic circuit 3 in bit units, such as a buffer or a shift register. It is configured, and in this storage circuit 1,
Comprised of a counter or decoder and a comparator, X
The determination circuit 2 for determining whether the bit for which 1 is set is larger than k / 2 is connected. This determination circuit 2
Is greater than the number of 1-bits of X output from the storage circuit 1 is larger than k / 2 {HW (X)> k / 2}
1 is output to and the number of bits for which 1 of X is set is k /
When it is smaller than 2, {HW (X)> k / 2} has a function of outputting 0. A logic circuit 3 formed of an exclusive OR circuit is connected to the determination circuit 2 and the storage circuit 1. The logic circuit 3 is output from the storage circuit 1 when the output of the determination circuit 2 is 1. It has a function of inverting and outputting Xi, and when the output of the determination circuit 2 is 0, the output from the storage circuit 1 is output as it is.

An output circuit 4 is connected to the judging circuit 2, and the output circuit 4 has a ROM which stores precalculated ALi and BLi. The output circuit 4 has an address i. In accordance with the above, when the output of the determination circuit 2 is 0, ALi is read from the ROM and output, and when the output of the determination circuit 2 is 1, BLi is read from the ROM and output. A remainder multiplication circuit 5 is connected to the output circuit 4 and the logic circuit 3. The remainder multiplication circuit 5 is output from the output circuit 4 when C = 1 is initially set and the output from the logic circuit 3 is 1. C = C based on ALi or BLi
It has a function of executing the modular exponentiation of Ai modp and storing the result.

In the modular exponentiation operation circuit having such a configuration, the determination circuit 2 is applied to the X output from the storage circuit 1.
Determines whether HW (X)> k / 2, and then HW (X)
When it is determined that> k / 2, 1 is output from the determination circuit 2. Based on this output, the logic circuit 3 inverts Xi output from the storage circuit 1 and inputs it to the remainder multiplication circuit 5. At this time, the output circuit 4 outputs BLi to the remainder multiplication circuit 5 corresponding to i. In the remainder multiplication circuit 5, when the inverted Xi, that is, | Xi | is 1, it is input from the output circuit 4. Based on BLi, a modular exponentiation of C = C · Ai modp is executed. When the determination circuit 2 determines that X output from the storage circuit 1 is not HW (X)> k / 2, the determination circuit 2 outputs 0. Based on this output, the logic circuit 3 inputs the Xi output from the storage circuit 1 to the remainder multiplication circuit 5 as it is. This time,
The output circuit 4 outputs ALi corresponding to i to the remainder multiplication circuit 5, and when Xi is 1, the remainder multiplication circuit 5 outputs Ci = C · Ai mo based on ALi input from the output circuit 4.
Executes the modular exponentiation of dp.

According to the modular exponentiation operation of FIG. 1, ALi and BLi used for the operation are calculated in advance and R0M of the output circuit 4 is calculated.
Stored in the output circuit 4, based on the determination of the determination circuit 2 whether HW (X)> k / 2, ALi or BLi is selected and fetched from the output circuit 4, and the remainder multiplication of C = C · Aimodp is performed. And the calculation of the remainder multiplication is suppressed to k / 2 times or less at the maximum,
The modular exponentiation operation can be efficiently executed.

[Second Embodiment] Similar to the first embodiment, in the process of performing modular exponentiation of Y = α ** x modp when the base a is a constant, α ** m or α *
The calculation of * -m (m = 2 ** i, i = 0, 1 ... k-1) is repeatedly executed. Therefore, α ** m = LAi and α
**-m = BLi (m = 2 ** i, i = 0, 1 ... k-
If the value of 1) is calculated and stored in advance and is output according to i, the calculation can be executed efficiently. In this embodiment, the following algorithm is used.
Perform a modular exponentiation operation of Y = α ** x modp.

INPUT a, X, p (input) C = 1 (initial setting) IF HW (X)> k / 2 THEN X = 2 ** k−X (judgment 1) FOR i = k−1 TO 0 IF HW (X)> k / 2 THEN Ai = BLi ELSE Ai = ALi (judgment 2) IF Xi = 0 THEN Ai = 1 (judgment 3) C = C · Ai modp (calculation) NEXT Y = C

Also in this embodiment, ALi and BLi are calculated and stored in advance, these calculated values are selectively used, the number of modulo multiplication operations is suppressed to k / 2 or less, and the modular exponentiation is performed. It becomes possible to execute it efficiently.

FIG. 2 shows a modular exponentiation operation circuit for executing the algorithm of this embodiment. In FIG. 2, reference numeral 1 is a storage circuit which inputs and stores X and sequentially outputs it to the logic circuit 3A bit by bit in a buffer or a shift register. Configured, this storage circuit 1
Further, a judgment circuit 2 which is composed of a counter or a decoder and a comparator and judges whether or not the bit in which 1 of X is set is larger than k / 2 is connected. When the number of 1-bits of X output from the storage circuit 1 is larger than k / 2, the determination circuit 2 {HW (X)> k /
It has a function of outputting 1 to 2} and outputting 0 to {HW (X)> k / 2} when the number of bits in which 1 of X is set is smaller than k / 2. As shown in FIG. 3, a logic circuit 3A including a NAND circuit 6, an inverting circuit 7 and a NAND circuit 8 is connected to the storage circuit 1 and the determination circuit 2.

In this logic circuit 3A, the input terminal of the NAND circuit 6 is connected to the output terminal of the storage circuit 1 and the output terminal of the determination circuit 2, and the input terminal of the NAND circuit 8 is connected to the output terminal of the storage circuit 1. The output terminal of the inverting circuit 7 is connected,
The output terminal of the determination circuit 2 is connected to the input terminal of the inverting circuit 7. The logic circuit 3A outputs [00] when the output Xi from the storage circuit 1 is Xi = 0, the output Xi from the storage circuit 1 is Xi = 1, and the output from the determination circuit 2 is 0.
At the time of [01], the output Xi from the storage circuit 1 is Xi = 1
Then, it has a function of outputting [10] when the output of the determination circuit 2 is 1.

An output circuit 4 is connected to the logic circuit 3A, and the output circuit 4 is provided with a ROM. The ROM stores precomputed ALi and BLi.
Has a function of outputting 1 when the output of the logic circuit 3 is [00] and ALi or BLi according to i when the output is [01] or [10]. Then, the output circuit 4 is first set to C = 1 and based on ALi or BLi output from the output circuit 4, performs a modular multiplication operation of C = C · Ai modp and stores the result. The circuit 5 is connected.

In the modular exponentiation circuit having such a configuration, for the X output from the storage circuit 1, the determination circuit 2 outputs HW.
It is determined whether or not (X)> k / 2, and HW (X)> k /
When it is determined that the value is 2, the determination circuit 2 outputs 1. When 1 is output from the determination circuit 2, if the Xi output from the storage circuit 1 is 1, the logic circuit 3A outputs [10]. When the determination circuit 2 determines that X output from the storage circuit 1 does not satisfy HW (X)> k / 2, the determination circuit 2 outputs 0.
When the determination circuit 2 outputs 0, the logic circuit 3A
From that, if Xi output from the storage circuit 1 is 1,
[01] is output. When Xi output from the storage circuit 1 is 0, [00] is output from the logic circuit 2A.

In the output circuit 4, the output of the logic circuit 3A is [0
When the output of the logic circuit 3A is [01] or [10], ALi or BLi corresponding to i is output to the remainder multiplication circuit 5 when 0].
Then, in the remainder multiplication circuit 5, C = C · Ai mo based on 1, ALi or BLi input from the output circuit 4.
Executes the modular exponentiation of dp.

According to the modular exponentiation operation of FIG. 2, ALi and BLi used in the operation are calculated in advance and stored in R0M of the output circuit 4, and whether or not HW (X)> k / 2 of the determination circuit 2 is satisfied. The output circuit 4 outputs ALi, BLi or 1 to the remainder multiplication circuit 5 according to the signal output from the logic circuit 3A based on the determination of the above and whether Xi output from the storage circuit 1 is 1 or 0. The multiplication circuit 5 performs modulo multiplication of C = C · Ai modp, and the modulo multiplication operation can be suppressed to k / 2 times or less at maximum, and the exponentiation modulo operation can be efficiently executed.

[0037]

According to the modular exponentiation calculation method of the first invention, Y = α ** x modp (p, a, x are integers)
When calculating the modular exponentiation of α ** m and α **-m (m =
2 ** i, i = 0, 1 ... k-1) is calculated in advance corresponding to i, and the number of bits in which 1 of X is set is k / 2.
Based on the determination as to whether or not (k is the number of bits of X), either α ** m or α **-m is sequentially output according to i. Since C = C · Ai modp is calculated according to the decimal code Xi, the number of modulo multiplication operations is suppressed to k / 2 or less, and Y = α **
It is possible to efficiently execute the modular multiplication operation of x modp.

According to the modular exponentiation method according to the second aspect of the present invention, in the modular exponentiation operation of Y = α ** x modp (p, a, x is an integer), α ** m and α **-m (m = 2
The value of ** i, i = 0, 1 ... k-1) is calculated in advance corresponding to i, and the number of bits in which 1 of X is set is k / 2 (k
Is greater than the number of bits of X) and X is 2
Depending on the decimal code Xi, either α ** m, α **-m or 1 is sequentially output according to i, and according to this output,
Since C = C · Ai modp is calculated, the number of modulo multiplication operations is suppressed to k / 2 or less, and Y = α ** x mod
It is possible to efficiently execute the modular exponentiation of dp.

According to the modular exponentiation operation circuit of the third invention, when the modular exponentiation operation of Y = α ** x modp (p, a, x is an integer) is performed, α ** m and α **-m (m = 2
The value of ** i, i = 0, 1 ... k-1) is calculated in advance corresponding to i, and the number of bits in which 1 of X is set is k / 2 (k
Is larger than the number of bits of X),
Either α ** m or α **-m is sequentially output according to i, and C = C · Ai modp is calculated according to the binary code Xi of X with this output as Ai. The number of modular multiplication operations is suppressed to k / 2 or less, and Y = α ** x
It becomes possible to efficiently execute modulo modular exponentiation.

According to the modular exponentiation operation circuit of the fourth invention, when performing modular exponentiation operation of Y = α ** x modp (p, a, x is an integer), α ** m and α **- m (m
= 2 ** i, i = 0, 1 ... k-1) is calculated in advance corresponding to i, and the number of bits in which 1 of X stands is k / 2.
(K is the number of bits of X)
Either α ** m, α **-m or 1 is sequentially output according to i according to the binary code Xi of C and C = C · Ai modp is calculated according to this output. Therefore, the number of modulo multiplication operations is suppressed to k / 2 or less, and Y = α ** x
It becomes possible to efficiently execute the modular exponentiation operation of modp.

[Brief description of drawings]

FIG. 1 is a block diagram showing a configuration of a modular multiplication calculation circuit used in a first embodiment of the present invention.

FIG. 2 is a block diagram showing a configuration of a modular multiplication calculation circuit used in the second embodiment of the present invention.

3 is a block diagram showing a configuration of a logic circuit of FIG.

[Explanation of symbols]

 1 Storage Circuit 2 Judgment Circuit 3, 3A Logic Circuit 4 Output Circuit 5 Residue Multiplication Circuit 6, 8 NAND Circuit 7 Inversion Circuit

Claims (4)

[Claims] 1. A power-residue calculation method for performing a power-residue calculation of Y = α ** x modp (p, α, X are integers, and ** is a power exponent). By determining whether the count value is larger than k / 2 (k is the number of bits of X), and α ** m and α **-m (m = 2 ** i , I = 0, 1 ... k
The value of -1) is calculated in advance corresponding to i, and α ** m or α **-depending on the determination result in the determination step.
It has an output step of sequentially outputting any of m according to i, and an operation step of calculating C = C · Ai modp according to the binary code Xi of X, with the output at the output step as Ai. A modular exponentiation method characterized by the following. 2. A power-residue calculation method for performing a power-residue calculation of Y = α ** x modp (p, α, X are integers, and ** is a power exponent). A determination step of determining whether or not the count value is larger than k / 2 (k is the number of bits of X), and α ** m and α **-m (m = 2 ** i , I = 0, 1 ...
The value of k-1) is calculated in advance in correspondence with i, and α ** m, α **-m or 1 of α ** m, α **-m or 1 is calculated according to the determination result in the determination step and the binary code Xi of X. It has an output step of sequentially outputting any of them in accordance with i, and an arithmetic step of computing C = C · Ai modp in accordance with the binary code Xi of X, with the output in the output step being Ai. A characteristic modular exponentiation method. 3. A number of bits for which 1 of X is set in a power-residue arithmetic circuit for performing a power-residue arithmetic operation of Y = α ** x modp (p, α, X are integers, and ** is a power exponent). By determining whether the count value is greater than k / 2 (k is the number of bits of X), α ** m and α **-m (m = 2 ** i). , I = 0, 1 ...
An output that stores in advance the value of k-1) corresponding to i, and sequentially outputs either α ** m or α **-m according to i according to the determination result by the determination means. A modular exponentiation operation circuit comprising: means and an operation means for calculating C = C · Aimodp in accordance with a binary code Xi of X, with an output from the output means being Ai. 4. A number of bits for which 1 of X is set in a power-residue arithmetic circuit for performing a power-residue arithmetic operation of Y = α ** x modp (p, α, X are integers, and ** is a power exponent). By determining whether or not the count value is larger than k / 2 (k is the number of bits of X), α ** m and α **-m (m = 2 ** i , I = 0, 1 ... k
The value of -1) is calculated and stored in advance corresponding to i, and α * is determined according to the result of the determination by the determination means and the binary code Xi of X.
Output means for sequentially outputting either * m, α **-m or 1 according to i, and C = C · Aimodp according to the binary code xi of X, where Ai is the output from the output means. A modular exponentiation operation circuit, comprising: