JPH11316544A - Remainder multiplying device - Google Patents

Abstract

PROBLEM TO BE SOLVED: To enable a fast operation with a small circuit scale. SOLUTION: Relating to a remainder multiplying device 100 which calculates A*BmodP, a multiplier division part 11 outputs a partial multiplier b(i) obtained by dividing a multiplier B into every 8 bits from the low-order side and a remainder calculation part 12 outputs intermediate number C(i) represented as recursion formulas C(1)=A (A is a multiplicand) and C(i)=C(i-1)*2<8> modP (P is a modulus, 160 bits). Then ROM tables 308 and 309 are stored with remainders corresponding to the high-order part of a carry value C(i-1)*2<8> and a remainder calculation part 12 calculates C(i) by adding a remainder read out of a ROM to the low-order part. A partial product calculation part 13 calculates a partial product C(i)*b(i). An accumulation part 14 accumulates the partial partial product C(i)*b(i). A correction part 15 subtracts an integral multiple of P from the accumulated value of the accumulation part 14 to correct the accumulated value.

Description

DETAILED DESCRIPTION OF THE INVENTION

[0001]

BACKGROUND OF THE INVENTION 1. Field of the Invention The present invention relates to a modular multiplication device for performing modular multiplication with a high-speed and small-scale circuit configuration.

[0002]

2. Description of the Related Art In recent years, with the development of encryption technology in the communication field, the demand for various arithmetic devices used for encryption has been increasing. For example, in the elliptic cryptosystem, a modular multiplication device for performing modular multiplication is used. Here, the remainder multiplication means (a *) for three integers a, b, and p.
b) To perform a modp operation. Where a
Is a multiplicand, b is a multiplier, and p is a modulus.

FIG. 17 shows a configuration of a conventional remainder multiplication device. Note that a, b, p
Uses a small value represented by 4 bits for simplicity of explanation. The remainder multiplication device 1 includes a product calculation unit 2, a remainder calculation unit 3, and a control unit 4. The product calculator 2 includes a multiplicand register 5 (4 bits), an adder 6
(4 bits), a product register 7 (9 bits), and the product a of the multiplicand a and the multiplier b is controlled by the control unit 4.
* Calculate b.

The processing procedure of the control unit 4 for the product calculation unit 2 will be described below. Step 1: As initial settings, the multiplicand register 5 holds the multiplicand a, the lower 4 bits of the product register 7 (8 bits) hold the multiplier b, and the upper 5 bits of the product register 7 hold 0. Step 2: It is determined whether the least significant bit of the product register 7 is 0 or 1, and if it is 1, the adder 6
In the above, the value held in 4 bits except the most significant bit of the upper 5 bits of the product register 7 is added to the multiplicand a held in the multiplicand register 7, and the added value is held in the upper 4 bits of the product register 7 .

Step 3: The product register 7 is shifted one bit to the right. Step 4: The processing of steps 2-3 is repeated four times. When the loop processing of steps 2 and 3 is repeated four times as described above, the product a * b is held in the product register 7. The remainder calculator 3 includes a modulo register 8 (4 bits), an adder 9 (5 bits), and a remainder register 10 (13 bits).
And the remainder (a * b) of the product a * b by the modulus p in a manner equivalent to handwritten handwriting under the control of the control unit 4.
Modp is calculated. The remainder calculated by the remainder calculation unit 3 is a signed 5-bit value.

The processing procedure of the control unit 4 for the remainder calculation unit 3 will be described below. Step 5: The modulo register 8 holds modulo p as an initial setting, and the lower 8 bits of the remainder register 10 store the product register 7
Is held, and 0 is held in the upper 5 bits. Step 6: The remainder register 10 is shifted one bit to the left.

Step 7: The adder 9 calculates the modulo register 8 from the value held in the upper 5 bits of the remainder register 10.
Is subtracted from the modulo p held in the remainder register 10 and held in the upper 5 bits. Step 8: The sign of the upper 5 bits of the remainder register 10 is determined from the value of the most significant bit, and the result is negative (the most significant bit is 1).
Is determined in the adder 9, the remainder register 10
Is added to the modulo p of the modulo register 8 to restore the value of the remainder register 10 (ie,
Return to the value before being subtracted in step 7).

Step 9: The processing of steps 6 to 8 is repeated eight times. When the loop processing of steps 6 to 8 is repeated eight times as described above, the remainder (a
* B) modp will be retained. As described above, the remainder multiplication device 1 calculates the partial product of the multiplicand a and each bit of the multiplier b in the product calculation unit 2 from the lower side of b to the multiplicand a.
The product a * b is calculated by sequentially accumulating the calculated partial products. In the remainder calculating unit 3, the product a * b calculated in the product calculating unit 2
To calculate the remainder (a * b) modp by subtracting the modulus p from a * b while adjusting the digit of the modulus p from the upper digit to the lower digit of the product a * b.

[0009]

In the remainder multiplication apparatus 1 of the prior art, since a, b, and p are small values of 4 bits, the adders 6 and 9 can perform 4-bit addition. In addition, the number of times of loop processing is as small as four in the product calculation unit 2 and as small as eight in the remainder calculation unit 3. On the other hand, a used for actual elliptic cryptography,
b and p are considerably large values, for example, 160 bits.
Therefore, the conventional remainder multiplication device 1 is converted into 160-bit a, b,
In the case where the calculation is performed using p, the adder 6 and the adder 9 need to perform 160-bit addition, and there is a problem that the circuit scale becomes large. Further, the number of times of the loop processing is repeated 160 times in the product calculation unit 2 and 320 times in the remainder calculation unit 3, and there is a problem that it takes a long calculation time.

As described above, the remainder multiplication apparatus 1 according to the prior art
Is assumed to correspond to an operation using all values, the larger the number of bits of the value, the larger the number of bits of addition performed by the adder, so that the circuit size of the adder is increased, and the number of loop processes is There is a problem that the calculation time becomes longer due to the increase. Another conventional technique for solving the problem of the operation time of the remainder multiplication apparatus 1 is “UnitedStates
Patent 5,144,574 Modular multiplication method
and the system for processing data.

In this remainder multiplication method, a partial product of a multiplicand a and a 2-bit multiplier b is calculated sequentially in correspondence with the multiplicand a by two bits from the upper side of the multiplier b. This is a method of calculating a partial remainder of the partial product by the modulus p by subtracting an integer multiple of the modulus p from the partial product, and calculating the (a * b) modp by accumulating the partial remainder.

In an apparatus using such a modular multiplication method, the modular multiplication apparatus 1 calculates a partial product by associating each bit of a multiplier b with a multiplicand a, whereas a multiplicand a and a multiplier Since the partial product of each two bits of b is calculated, the number of loop processes for calculating the partial product is reduced, and the calculation time is reduced. Thus, the remainder multiplication method
Mainly, the calculation time is reduced by calculating a partial product in which the multiplicand a and the two bits of the multiplier b are associated with each other. However, in the remainder multiplication method, when calculating the partial product, the number of bits of the multiplier b corresponding to the multiplicand a is as small as at most 2 bits, and when a, b, and p are large values, the calculation time is significantly reduced. The effect of shortening cannot be obtained.

SUMMARY OF THE INVENTION In view of the above problems, an object of the present invention is to provide a modular multiplication device that performs a high-speed operation while suppressing the circuit scale.

[0014]

In order to solve the above problem, a modular multiplication apparatus according to the present invention comprises a multiplicand a and a multiplier b (b is kb
A modulo multiplication device for calculating the product of the remainder of the product by the modulus p (p is k-bit data) and the product thereof as the accumulated value of the following equation: accumulated value = ΣC ( i) * b [s * i + s-1: s * i] (where Σ indicates an accumulation from i = 0 to [[kb / s]].
b / s]] is the integer part of the quotient kb / s, and i ranges from 0 to [[k / s]]
C (i) is represented by a recurrence formula, and when i = 0, C (i)
When (i) = a, i> = 1, C (i) ≡ (C (i-1) * 2 ^s ) mod p (≡ indicates that the values on both sides are congruent in the modulus p)) b [s * i + s-1: s * i] is a partial multiplier of s bits from the order of 2 ^{s * i + s-1} to the order of 2 ^{s * i} in the multiplier b of k bits, The remainder multiplication device includes, for each value represented by m (m is an integer equal to or greater than s) bits, a table means for storing in advance a remainder of the value by a modulus p with respect to 2 ^k times the value, and a first time (i = 0)
Outputs the multiplicand a as an intermediate number C (0). From the second time (i> 0), the intermediate number C (i-1) output last time is carried by s bits, and the intermediate number after carry is output. An intermediate number calculating means for reading the remainder for the upper m bits excluding the lower k bits from the table means, and calculating a new intermediate number (i) by adding the read remainder and the lower k bits; Partial product C (i) * b [s * i + s-1: of each calculated intermediate number C (i) and its corresponding partial multiplier b [s * i + s-1: s * i]: s * i] are sequentially accumulated to calculate the accumulated value.

The intermediate number calculating means is stored in the first storing means in correspondence with the first storing means for storing the intermediate number and the partial multiplier b [s * i + s-1: s * i]. A carry means for carrying the intermediate number by s bits, and converting the carried intermediate number into a higher-order data and a lower k-bit part which are m-bit parts higher than the lower k bits in the carried intermediate number. Dividing means for dividing the data into lower-order data, reading means for reading the remainder of the higher-order data by the modulo p from the preceding table means, and adding the remainder read from the table means and the lower-order data by the dividing means. The first holding means updates the held content to a new intermediate number each time a new intermediate number is obtained by the adding means, and the first multiplicand Output as an intermediate number Wherein arranged to output an intermediate number new updated in second and subsequent.

The remainder multiplying device further includes a post-processing means for obtaining the remainder of the accumulated value by the modulus p by using the dividing means, the reading means and the adding means. Further, the table means inputs an address corresponding to each value represented by m bits, and stores in a storage area indicated by the address a remainder by a modulus p for 2 ^k times the value of the m bit corresponding to the address in advance. It has a memory element for storing.

The m bits are lower m1 bits and upper m2 bits.
Bits (m = m1 + m2), and each value represented by the m bits corresponds to a combination of a value represented by the m1 bits and a value represented by the m2 bits, and the table means , M1 bits, the first partial table means for storing in advance the remainder of modulo p for 2 ^k times of the value, and for each value represented by m2 bits, 2 ^{k + m1} Second partial table means for storing in advance a remainder of the double by a modulus p, wherein the adding means adds each of the remainders read from the first and second partial tables to the lower-order data. To obtain a new intermediate number. The m bits are t (3 ≦ t ≦ m) partial bits m1 from the lower side,
.., Mt, and each value represented by the m bits corresponds to a combination of values (t) represented by each mi (i is an integer from 1 to t) bits, and the table means Is 2 ^{k + x} times of each value represented by partial bits mi bits (where x = m1 +... + M (i−1)
), And t adding sub-tables Ti in advance to store the remainder of the modulo p with respect to.
It is configured to obtain a new intermediate number by adding the lower order data.

The remainder multiplying device further includes an accumulating means and a correcting means, wherein the accumulating means has 0 as an initial value.
And a third register holding the partial product C (i) * b [s * i + s-1: s *
i] and the accumulated value held in the third register, and an adder for outputting the addition result as a new accumulated value to the third register and holding the added result. Correction value holding means for holding a correction value having a double value;
If the accumulated value held in the register is equal to or greater than a predetermined value,
And a correction control means for causing the adder to subtract the correction value held by the correction value holding means.

Further, the third register has a sign bit, and the correction control means, if the accumulated value of the third register is positive, adds the accumulated value and the partial product to the adder. At the same time, the correction value is subtracted, and the correction value is an integer multiple of p, and its absolute value is the maximum value (t + 1) (2 ^s
-1) It is characterized in that the value is not more than p. The method p satisfies the relationship of p = 2 ^k -α, and each partial table means Ti
Stores the remainder as k3-bit data, where k3 is the number of bits of t * 2 ^m * α, and α is k3 = k
It is a constant determined to be smaller.

Each partial table means Ti has 2 ^mi corresponding to a value from 0 to (2 ^mi -1) represented by mi bits.
.. ^{+ M (i−1)} * α. The j-th entry (j is 0 to 2 ^mi ) stores j * 2 ^{m1 +} ... ^{+ M (i−1)} * α. The modular multiplication apparatus according to the present invention is a modular multiplication apparatus for calculating a congruent number to a remainder by a modulus p (p is k-bit data) for a product of a multiplicand and a multiplier, wherein the multiplier is s (s
Is an integer of 2 or more). An output means for sequentially outputting s-bit partial multipliers obtained in units of bits from the lower side, and carrying the multiplicand in accordance with the order of each partial multiplier, and adding the multiplicand after the carry On the other hand, a first calculating means for calculating a number (hereinafter referred to as an intermediate number) congruent with the remainder by the modulus p, a partial multiplier outputted by the output means, and a first calculating means corresponding to the partial multiplier by the first calculating means Second calculating means for calculating a product of the intermediate number obtained as a partial product, accumulating means for accumulating the partial product calculated by the second calculating means, and an accumulated value accumulated by the accumulating means Correction means for correcting the accumulated value so as not to exceed a predetermined number of bits by adding or subtracting an integer multiple of p to
Until all partial multipliers are output by the output means, the first
Control means for repeatedly performing the calculation of the intermediate number by the calculation means, the calculation of the partial product by the second calculation means, the accumulation by the accumulation means, and the correction by the correction means;
For each value represented by m (m is an integer equal to or more than s) bits, the calculating means stores in advance the remainder of the value by modulo p for 2 ^k times the value, and in the first iteration of the control means, calculates the multiplicand as the intermediate number In the second and subsequent times, the intermediate number output last time is carried by s bits, the table means is read out for m bits higher than the lower k bits of the carried intermediate number, and the read number and the lower k bits are read out. Is added to calculate a new intermediate number.

The control means controls the pipeline processing including the first to third stages. In the first stage, the output means outputs a partial multiplier and the first calculation means outputs an intermediate number. In the stage, the second calculating means calculates the partial product, and in the third stage, the accumulating means accumulates and the correcting means corrects the partial product. The output means firstly holds the multiplier, and outputs the lower s bits of the held value as a partial multiplier; and shifts the value held by the multiplier holding means to s bits lower. , And a shift means for outputting the shifted value to the multiplier holding means and holding it.

Further, the second generation means may generate an i-th (i is 1 or
(S-1) is used as the first calculating means.
Digit of the intermediate number calculated by i-bit left shift
First to (s-1) th shift means for raising
The first generating means calculates the first value calculated by the first calculating means.
An s-th shift to carry the intermediate number by s-bit left shift
Means for generating a one's complement of the intermediate number
And a constant output means for outputting a constant 1;
The two-addition means is provided when all bits are determined to be 1.
The output of the s-th shift means and the output of the complement generation means.
Selected 1's complement and constant 1 and all bits are 1
Is not determined, the partial multiplier of 2 ⁰Is ranked
If 1 ", the intermediate number is selected, and 2 of the partial multiplier is selected.ⁱRank
Is "1", the carry result of the i-th shift means is selected.
Adding the selection means to be selected and the selection result of the selection means
And an adder for calculating the partial product.

[0023]

DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENTS <First Embodiment> A remainder multiplication apparatus according to the present embodiment will be described below with reference to the drawings.
The remainder multiplication device according to the present embodiment is a device used for an operation of elliptic curve cryptography or the like. When a multiplicand A (160 bits) and a multiplier B (160 bits) are input, the product A * shown in (Equation 1) is obtained. The remainder R (= A * BmodP) by the modulus P of P (160-bit prime number) or the same value as the remainder R in the remainder field is calculated. Here, the modulus P is a value that satisfies P = 2 ¹⁶⁰ −α when α is a value of 54 bits or less.

The remainder multiplication apparatus is configured based on (formula 2) obtained by modifying (formula 1). Note that details of the transformation process from (Equation 1) to (Equation 2) are shown at the end of the embodiment of the present invention just in case.

[0025]

(Equation 3)

[0026]

(Equation 4)

<Explanation of the arithmetic expression>
Is the same value in the remainder field of R and modulo P. Here, R and R1 have the same value in the modulo P
Indicates that the difference between 1 and R is an integer multiple of P. R
1 is C (i) * b (i) from i = 1 to k / s
Is calculated by accumulating. Where k is a multiplier B
Is the number of bits. s is the number of bits of each partial multiplier when the multiplier B is divided into partial multipliers of several bits. That is, k / s is the same value as the number of partial multipliers. Here, k and s are determined such that k is divisible by s.

B (i) = b [s * i-1: s * is)]
Indicates a partial multiplier obtained by dividing the multiplier B into s bits at a time from the lower order. When i = 1, b (1) = b [s−1: 0], i
= 2, b (2) = b [2s−1: s], i = 3, b (3) = [3s−1: 2s],. . . Becomes Here, when the multiplier B of k bits is expressed in a binary number, bk-1b
k-2. . . It shall be represented as b2b1b0. Also b
[X: y] is y from the (x + 1) th bit from the lower order of the multiplier B
It indicates a bit string up to the + 1st bit (where x> y). Therefore, for example, b [15: 8] indicates a partial multiplier from the lower 16th bit to the 9th bit of the multiplier B,
B15b14b13b12b11b1 in binary notation
0b9b8.

C (i) is C (1) = A when i = 1
(A is a multiplicand) When 2 <= i <= k / s, C (i) ≡
It is represented by a recurrence formula C (i-1) * 2 ^s modP. That is, C (i) is C (1) = A (multiplicand), C (i)
^{(2) ≡A * 2 s modP} , C (3) ≡ (A * 2 s mod
P) * 2 ^s modP,... In this recurrence formula, 2 ^s is an s-bit partial multiplier b
This corresponds to the carry of (i). C (i) is the remainder of the value obtained by carrying s bits higher than the previous value C (i-1) by modulo P. Hereinafter, C (i) is hereinafter referred to as an intermediate number.

Thus, in (Equation 2), R1 is i =
Between 1 and k / s, for the multiplicand A, the remainder of the value obtained by carrying s bits carried by the modulo P is recursively calculated as the intermediate number C (i), and the multiplier B is a partial multiplier of s bits at a time from the lower order. b (i) and their partial products C (i) * b (i)
Is calculated by repeatedly performing k / s times. Hereinafter, the calculation for calculating R1 is k
Repeating / s times is called a repetition process. <Structure of Remainder Multiplier> FIG. 1 is a block diagram showing a schematic structure of a remainder multiplier 100 according to the present embodiment.

In FIG. 1, the remainder multiplying device 100 includes a multiplier division unit 11, a remainder calculation unit 12, a partial product calculation unit 13, an accumulation unit 14, a correction unit 15, and a control unit 16. The remainder multiplication device 100 is configured based on (Equation 2) when k = 160 and s = 8. Multiplier division unit 11
Is a partial multiplier b (i) = b [8i-1:
8i-8] (i = 1,..., 19, 20) are sequentially output from the lower side of the multiplier B.

The remainder calculator 12 calculates the intermediate number C (i) (i =
1,... 19, 20) are recursively calculated. That is, the remainder calculating unit 12 calculates the multiplicand A for the first time (i = 1)
Output as (1). From the second time (i = 2,
3,. . . , 20) the previous and the intermediate number C (i-1) was increased 8-bit digits, the carry value C (i-1) * 2 8 modulo P to by the remainder of the intermediate number C (i) (i = 2,3, ...,
20). More specifically, the remainder calculation unit 1
2, the first time A, 2 round of A * 2 ⁸ modP, 3 round of ^{(A * 2 8 modP) *} 2 8 modP, 4 th is ((A *
2 ⁸ modP) * 2 ⁸ modP) * 2 ⁸ modP,. . .
Is calculated as an intermediate number C (i). Here, the remainder calculation unit 1
C (i) calculated by 2 is a carry value C (i-1) * ^28.
It may be a value that is congruent with and is larger than P.

The remainder calculating section 12 has a ROM table 308 and a ROM table 309 so that the calculation of the remainder can be performed at a high speed. These ROM will be described in detail later, but the lower the carry value C (i-1) * 2 8 16
The remainder from the modulus P corresponding to the portion excluding 0 bits, that is, the portion exceeding 160 bits due to carry, is stored in advance. The remainder calculator 12 calculates the carry value C (i−1) * 2 ⁸
Of these ROMs
It refers to the intermediate number C by adding the remainder corresponding to a portion exceeding the 160 bits obtained from the ROM, and the lower 160 bits of the partial carry value C (i-1) * 2 8
(I) is calculated.

The partial product calculator 13 calculates the partial product C (i) * b () of the intermediate number C (i) output from the remainder calculator 12 and the partial multiplier b (i) output from the multiplier divider 11. Output i). The accumulator 14 accumulates the partial products C (i) * b (i) output from the partial product calculator 13.

The correcting section 15 corrects the accumulated value by adding or subtracting a value of an integral multiple of P to the accumulated value according to the result of the accumulation by the accumulating section 14, whereby the accumulation in the accumulating section 14 is performed. Prevent value overflow. The control unit 16 controls the remainder calculation unit 1
2. The repetition processing of the calculation performed 20 times i = 1 to 20 in the partial product calculation unit 13, the accumulation unit 14, and the correction unit 15 is controlled. The control unit 16 performs the first step of calculating the intermediate number by the remainder calculation unit 12 and the calculation of the partial multiplier by the multiplier division unit 11, and performs the second step of calculating the partial product by the partial product calculation unit 13 in the second step.
The pipeline control is performed with the calculation of the accumulated value by the accumulator 14 and the correction of the accumulated value by the corrector 15 as the third stage. Further, after the operation is repeated 20 times, if the final accumulated value in the accumulating unit 14 is larger than P, the control unit 16 inputs the accumulated value to the remainder calculating unit 12 and outputs the accumulated value. The remainder from P is calculated.

FIG. 2 is a more detailed block diagram of the remainder calculator 12. In the figure, the remainder calculation unit 12
01, register A302, shifter 303, selector 30
4. Remainder operation unit 311 Selector 301
Is initially set (i = 1) under the control of the control unit 16.
A multiplicand A input from outside as a register A302
After the initial setting (2 <= i <= 20), the intermediate number C (i) input from the remainder operation unit 311 is stored in the register A3.
02.

The register A302 is a 161-bit register. The register A302 holds a multiplicand A (= C (1)) externally input via the selector 301 as an initial setting (i = 1). <= I <= 20) is the adder 31
An intermediate number C input from 0 through the selector 301
Hold (i). The output side of the register A302 is connected to the partial product calculation unit 13 and the shifter 303, and updates the held intermediate number to a newly input intermediate number in accordance with an instruction of the control unit 16, and calculates the partial product. Section 13 and shifter 30
3 and output.

The shifter 303 is a 169-bit width shifter for shifting the input to the left by 8 bits.
161-bit intermediate number C (i-1) input from
Shift left by 169 bits and carry 169 bits C (i-
1) to the * 2 ^8. As described above, the shifter 303
By performing a left shift on the bits, the intermediate number C (i−
An 8-bit carry is performed for 1).

The selector 304 carries the carry value C (i-1) * 2 ⁸ inputted from the shifter 303 during the repetitive processing.
Is output to the remainder operation unit 311, and after the repetition processing, the accumulated value input from the accumulation unit 14 is output to the remainder operation unit 311. The remainder operation unit 311 stores the ROM table 308, R
OM table 309 is composed of the adder 310, according to the law P of accumulated values input from the carry input through the selector 304 from the shifter 303 value C (i-1) * 2 8 or accumulator 14 Output remainder or congruent value. This remainder or congruent value is 161 bits.

The remainder operation unit 311 includes a selector 304
A bus 305 for inputting the lower 160 bits of the 169-bit value input from the adder 310 to the adder 310;
A bus 306 for inputting a bit into a ROM table 308
And a bus 307 for inputting the 166th to 169th bits to the ROM table 309. These buses, a carry value C (i-1) * 2 8 or accumulated value from the lower side 16
The adder 31 is divided into a 0-bit portion (hereinafter referred to as a lower portion), a 5-bit portion (hereinafter referred to as a 5-bit portion), and a 4-bit portion (hereinafter referred to as a 4-bit portion).
0, ROM table 308, and ROM table 309.

FIGS. 3A and 3B show the ROM table 30.
9 and the contents stored in the ROM table 308. FIG. 3B shows the contents stored in the ROM table 308. R
The OM table 308 stores a value represented by 5 bits (00
000) ₂ to (11111) ₂ input values and associates and stores them each value as an output value the remainder by modulo P for 2 ¹⁶⁰ times the value. In FIG. 3B, α is P =
Α = 2 ¹⁶⁰ modP because the relationship of 2 ¹⁶⁰ −α is satisfied. Therefore, the output values 0, 1 * α, 2 * in FIG.
alpha, ... 31 * alpha is a remainder by law P of the input value (5 bits portion) 2 ¹⁶⁰ times the value. Here, since α is a value of 54 bits or less and the input value is 5 bits, the output of the ROM table 308 is at most 59 bits. The ROM table 308 reads and outputs the remainder corresponding to the 5-bit portion input from the bus 306 when the read signal is input from the control unit 16.

FIG. 9A shows the contents stored in the ROM table 309. ROM table 309, the input value is the value (0000) ₂ - (1111) ₂ represented by 4 bits, are mapped and stored them each value as an output value the remainder by modulo P for 2 ¹⁶⁵ times the value. Where α = 2
Since it is ¹⁶⁰ modP, the output value 0 in FIG.
* 32 * α, 2 * 32 * α, ... 15 * 32 * α is the remainder by law P values were 2 ¹⁶⁵ times an input value (4 bits). α is a value of 54 bits or less, and the input value is 4 bits, 3 bits.
Since 2 is 5 bits, the output of the ROM table 309 is at most 63 bits. ROM table 309 is
When a read signal is input from the control unit 16, the bus 30
The remainder corresponding to the 4-bit portion input from 7 is read and output.

As described above, in the remainder operation unit 311, the portion exceeding 160 bits due to the carry is read from the ROM
Since the remainder is obtained by using the table 308 and the ROM table 309, the processing is faster than the conventional configuration in which the remainder is obtained by subtraction. ROM table 308, R
By dividing into two ROMs of the OM table 309, the number of input values is ^{25 in the} ROM table 308,
Table 309 is reduced 2 ^4. This allows RO
In the M table 308 and the ROM table 309, the search for the input value corresponding to each of the 5-bit portion and the 4-bit portion is faster, and the calculation of the remainder is faster.

The adder 310 adds the lower part of 160 bits, the remainder of the 5-bit part output from the ROM table 308 (59 bits), and the remainder of the 4-bit part output from the ROM table 309 (63 bits). and it outputs the C (i-1) * 2 8 modP or congruent values by. And a modulo P on the remainder field. The value output by the adder 310 is 161 bits.

FIG. 4 shows a more detailed configuration of the multiplier division unit 11. In the figure, the multiplier division unit 11 includes a shifter 50
3, a selector 501 and a register B502. The selector 501 outputs the multiplier B input from the outside to the register B502 as an initial setting (i = 1) under the control of the control unit 16, and after the initial setting (2 <= i),
The value input from the shifter 503 is output to the register B502.

The register B 502 is a 160-bit register and holds a multiplier B input from the outside via the selector 501 as an initial setting. After the initial setting, a value input from the shifter 503 via the selector 501 is set. Hold. The output side of the register B502 is connected to the shifter 503, and the lower 8 bits are connected to the partial product calculation unit 13. The multiplier division unit 11 includes the control unit 1
The value held by the control of No. 6 is updated to a value newly input from the shifter 503 via the selector 501.
The value held in the register B 502 is the shifter 503
And the lower 8 bits are output to the partial product calculation unit 13
Output to

The shifter 503 is a 160-bit shifter that shifts the value input from the register B 502 by 8 bits to the right and outputs it. With such a configuration, the multiplier division unit 11 generates a partial multiplier b of 8 bits at a time from the lower order of the multiplier B.
(I) = b [8i-1: 8i-8] (i = 1,... 1
9, 20) are sequentially output to the partial product calculation unit 13.

FIG. 5 shows a more detailed configuration of the partial product calculator 13. In the figure, the partial product calculation unit 13 includes a shifter unit 512, a selector unit 513, an adder 522, and an adder 52.
3, a register Ca524 and a register Cb525. The operation in the partial product calculation unit 13 is represented by an expression (Expression 3).

[0049]

(Equation 5)

In this equation, for convenience, the multiplier division unit 1
The binary notation of the partial multiplier b (i) input from 1 is bi7
bi6bi5bi4bi3bi2bi1bi0. As shown in the equation, the partial product calculation unit 13 first converts the intermediate number C (i) input from the remainder calculation unit 12 into a digit of 0 to 7 bits corresponding to each bit of the partial multiplier b (i). Carry (same expression), and then add a partial multiplier b to each value carried
The shifter 512 multiplies each bit of (i) (same equation) and adds them at the end (same equation).
And shifters 505 to 511 that shift the input values to the left by 1 to 7 bits, respectively, and perform an operation corresponding to the same equation.

That is, the shifter unit 512 is
The intermediate unit C (i) input from 2 is carried according to the weight of each bit of the partial multiplier b (i), and the selector unit 51
Output to 3. The shifters 505 to 511 input the C
This shifter shifts left by 1 to 7 bits for (i). That is, the shifters 505 to 511 respectively output C (i) * 2 ^{1 to} C
(I) * 2 ⁷ to output. Bus 504 has intermediate number C
(I) is output to the selector unit 513 as it is.

The selector section 513 includes selectors 514 to 5
21 and performs an operation corresponding to the same equation. Selector 5
14 to 521 are C (i) from the shifter unit 512 respectively.
* 2 ⁰~ C (i) * 2⁷Is input from the multiplier division unit 11
Each bit bi0 to bi7 of b (i) is input. Sele
514-521 are the partial multipliers respectively input
According to the value of each bit bi0 to bi7 of b (i),
C (i) * 2 input to each⁰~ C (i) * 2⁷Or 0
Select and output either. That is, the selector 51
4 to 521 are input bins (n = 0, 1,...,
If the value of 7) is 1, C (i) * 2ⁿ(N = 0,
1, ..., 7) and outputs 0 when the value of bin is 0
Output.

The adder 522 performs an operation corresponding to the above, and outputs a value obtained by adding four values input from the selectors 514 to 517 (hereinafter referred to as a partial product a) to the register Ca 524. The adder 523 is an adder that performs an operation corresponding to, and outputs a value obtained by adding four values input from the selectors 518 to 521 (hereinafter, referred to as a partial product b) to the register Cb 525.

Register Ca524, Register Cb525
Holds the partial product a and the partial product b, respectively.
Is updated to the newly input value. The output sides of the register Ca 524 and the register Cb 525 are connected to the accumulating unit 14, and the register Ca 524 and the register Cb 525 output the held partial products a and b to the accumulating unit 14.

The sum of the partial product a and the partial product b corresponds to the partial product C (i) * b (i). FIG. 6 shows a detailed configuration of the accumulation unit 14 and the correction unit 15. Accumulator 1
4 comprises an adder 601 and a register S602. The register S602 is a 170-bit register that holds the accumulated value, and updates the held accumulated value to a new accumulated value input from the adder 601 under the control of the control unit 16. Here, the most significant bit of the register S602 is a sign bit indicating the sign of the accumulated value.

The adder 601 calculates the accumulated value held in the register S602 and the registers Ca524 and Cb5.
The partial product a and the partial product b held in the register 25 and the correction value input from the correction unit 15 are added and output to the register S602. The correction unit 15 includes a register E603, an inverter 6
06, a selector 604, and a selector 605.

The register E603 holds a value that is larger than and closest to the maximum value of the combined value of the partial products a and b. Inverter 606 has an inverted value of 510 * P held in register E603 (hereinafter referred to as $ 5
10 * P). The selector 604 is
According to the control of the control unit 16, 0, 510 * P and $ 510
Any one of * P is selected as a correction value and supplied to the adder 601.

The selector 605 supplies 0 or 1 to the adder 601 under the control of the control unit 16. Here, the control unit 16 causes the selector 604 to select a correction value according to the sign of the accumulated value held in the register S602, and causes the selector 605 to select 0 or 1 to supply the selected value to the adder 601.

More specifically, the control unit 16 sets the register S602
Is 0 in the selector 604,
0 * P is selected, and the selector 605 selects 1.
As a result, when the accumulated value held in the register S602 is positive (the most significant bit is 0), the register E60
From # 3 via inverter 606 and selector 604 to $ 5
10 * P, and 1 via the selector 605
01 is supplied. Due to this, in the next addition of the adder 601, 510 * P is subtracted, and overflow in the adder 601 and the register S602 is prevented.

When the accumulated value held in the register S602 is negative (the most significant bit is 1), the control unit 16
The selector 604 selects 0, and the selector 605 selects 0. When the repetition processing of i = 1 to 20 is completed and the value held in the register S602 is updated to the final accumulated value, the control unit 16 determines whether the most significant bit of the accumulated value is 1 or 0. If it is 1 (indicating a negative value), 510 * P is assigned to the selector 604 and the selector 605
At the adder 601 and the register S60
Then, a correction for adding 510 * P to the accumulated value held in 2 is performed. Thereby, the control unit 16 corrects the final accumulated value to be positive. When the most significant bit of the final accumulated value is 0 (indicating a positive value), the control unit 16 causes the selector 604 to select 0 and the selector 605 to select 0, and the accumulated value is not corrected. To do. <Second Embodiment> A remainder multiplication device according to a second embodiment will be described below with reference to the drawings.

When the multiplicand A (160 bits) and the multiplier B (161 bits) are input, the remainder multiplication device in this embodiment calculates the remainder R (= A *) by the modulus P (160 bits) of the product A * B. BmodP) or the remainder R and the same value on the remainder field are calculated. Here, the modulus P is obtained by setting α to 54
When the value is equal to or smaller than the bit, the value satisfies P = 2 ¹⁶⁰ −α.

The remainder multiplication device of the present embodiment is also configured based on (Equation 2) in the same manner as in the first embodiment. However, s = 8 in the first embodiment, whereas s = 9 in the second embodiment. The part of k / s is
Since k / s = 161/9 is not divisible when actually calculated, the k / s portion is replaced with 18 in this embodiment.

FIG. 7 is a block diagram showing a schematic configuration of a remainder multiplication device 200 according to the second embodiment. In the figure, the remainder multiplication device 200 includes a multiplier division unit 81, a remainder calculation unit 82, a partial product calculation unit 83, an accumulation unit 84, a correction unit 85,
It comprises a control unit 86. The remainder multiplication device 200 of FIG.
Is different from the remainder calculator 12 in that the remainder calculator 82 has only one ROM table. FIG.
As described in detail below, the partial product calculation unit 83 is configured to reduce the number of inputs to the internal adder to the partial product calculation unit 13 so that the circuit scale of the adder becomes smaller. I have. Although more digits mentioned values C (i-1) * 2 8 calculation of the remainder calculation unit 12 in the modular multiplication device 100 is performing the carry value C in the modular multiplication device 200
Calculation of (i-1) * 2 ^9, the partial product calculating unit 83 instead of the remainder calculation unit 82 is performed.

In addition, the multiplier division unit 81, the accumulation unit 84, the correction unit 85, and the control unit 86 are different from the first embodiment in that the multiplier B is 161 bits and s is 9 bits, and the number of bits is different from that of the first embodiment. Although the number of input / output bits and the number of bits of registers and the like in the elements are different, except for that point, the first
The multiplier division unit 81 having the same configuration as that of the embodiment includes a partial multiplier b (i) = b [9i-1: 9i-9] in 9-bit units.
(I = 1,..., 17, 18) are sequentially output from the lower side of the multiplier B.

The remainder calculator 82 calculates the intermediate number C (i) (i =
1,... 17, 18) are recursively calculated. In other words, the remainder calculating unit 82 sets the multiplicand A to the intermediate number C for the first time (i = 1).
Output as (i). From the second time (i = 2,... 1)
7, 18) is a 9-bit carry been carry value C (i-1) * 2 9 residue C by law P of ^{(i-1) * 2 9} modP previous intermediate number C (i-1) It is calculated as an intermediate number C (i). More specifically, the remainder calculation unit 82 determines that the first time is A, the second time is A * 2 ⁹ modP, and the third time is (A * 2 ⁹ mod
dP) * 2 ⁹ modP, the fourth time is ((A * 2 ⁹ mod)
^{P) * 2 9 modP) *} 2 9 modP, intermediate number ... C
It is calculated as (i). However, the remainder calculation unit 82 does not carry 9 bits to the intermediate number C (i-1),
Carry value C (i−i) calculated by partial product calculation section 83
1) Remainder C (i-1) by modulo P using * 2 ⁹
* 2 Calculate ⁹ modP.

The remainder calculating section 82 has a ROM table 904 in order to calculate the remainder at high speed.
The ROM table 904 stores the carry value C (i-1) * 2 ⁹
, The remainder of the modulus P corresponding to the portion excluding the lower 160 bits, that is, the portion exceeding 160 bits due to carry, is stored in advance. The remainder calculator 82 calculates the carry value C (i
-1) * 2 RO for the part exceeding 160 bits of ⁹
Referring to M table 904, an intermediate number C by calculating the remainder corresponding to a portion exceeding the 160 bits obtained by the ROM, and the lower 160 bits of the partial carry value C (i-1) * 2 9 (I) is calculated.

The partial product calculation unit 83 calculates the partial product C (i) * b () of the intermediate number C (i) output from the remainder calculation unit 82 and the partial multiplier b (i) output from the multiplier division unit 81. Output i). Further, the partial product calculation unit 83 calculates a 9-bit carry value of the intermediate number C (i−1) output from the remainder calculation unit 82 and outputs the result to the remainder calculation unit 82. The accumulator 84
Partial product C (i) * b output by partial product calculation section 83
(I) is accumulated.

The correcting unit 85 corrects the accumulated value by adding or subtracting an integral multiple of P to the accumulated value according to the result of the accumulation by the accumulating unit 84. Prevent value overflow. The control unit 86 controls the multiplier division unit 8
1, remainder calculation unit 82, partial product calculation unit 83, accumulation unit 84,
The correction unit 85 controls the repetitive processing of the calculation performed 18 times for i = 1 to 18. The control unit 86 performs the first step of calculating the intermediate number by the remainder calculation unit 82 and the calculation of the partial multiplier by the multiplier division unit 81, the second step of calculating the partial product by the partial product calculation unit 83, and the accumulation unit 84. , And the correction of the accumulated value by the correction unit 85 is the third stage, and the pipeline control is performed. If the final accumulated value in accumulator 84 is greater than P after 18 repetitions, control unit 86 inputs the accumulated value to remainder calculator 82 and calculates P of accumulated value. Is calculated.

FIG. 8 shows a more detailed configuration of the remainder calculator 82. In the figure, the remainder calculation unit 82 includes a selector 90
1, register A906, selector 902, remainder operation unit 9
07. Under the control of the control unit 86, the selector 901 first outputs an externally input multiplicand A as an initial setting (i = 1) to the register A 906, and after the initial setting (i = 2,. Remainder operation unit 907
This is a selector that outputs the intermediate number C (i) input thereto to the selector 901.

The register A 906 is a 161-bit register, holds the multiplicand A (= C (1)) input from the outside via the selector 901 as the initial setting (i = 1), = 2, ... 17,18)
The intermediate number C (i) input from the adder 905 via the selector 901 is held. The output side of the register A 906 is connected to the partial product calculating unit 83, updates the held intermediate number to a newly input intermediate number in accordance with an instruction from the control unit 86, and outputs the updated intermediate number to the partial product calculating unit 83. I do. Register A
906 finally holds the remainder multiplied value R.

During the repetition processing, the selector 902 carries the carry value C (i−1) * input from the partial product calculation unit 83.
2 ⁹ is output to the remainder operation unit 907, and after the repetition processing,
The accumulated value input from the accumulation unit 84 is output to the remainder operation unit 907. The remainder operation unit 907 includes a ROM table 904
And is an adder 905, partial calculating unit 83 from 170 bits input via the selector 902 carry value C (i-1) * 2 9 or 1 input from the accumulator 84
The remainder or congruent value of the 70-bit accumulated value by the modulus P is output. This remainder or congruent value is 161 bits.

The remainder operation unit 907 outputs a bus 908 for outputting the lower 160 bits of the 170-bit value input from the selector 902 to the adder 905 and the upper 10 bits (161 to 170 bits) excluding the lower 160 bits. RO
A bus 909 for outputting to the M table 904. These buses 908 and 909 divide the 170-bit value into lower 160 bits (hereinafter referred to as a lower part) and upper 10 bits (hereinafter referred to as an upper part), and add a lower part and an upper part to an adder, respectively. 905 and ROM table 9
04 and input.

FIG. 9 shows the contents stored in the ROM table 904.
Is shown. Referring to FIG.
Each value expressed as a number (000000000000)_Two~
(11111111111)_TwoAre input values, and each of those values
2 ¹⁶⁰The output value is the remainder of modulo P for the multiplied value.
And stored in association with each other. ROM table 904 controls
When the read signal is input from the unit 86, the bus 909
Reads and outputs the remainder corresponding to the upper part input
I do.

The adder 905 adds the remainder to the upper part output from the ROM table 904 and the lower part to generate C (i-1) * 2 ⁹ mo of 161 bits.
Output dP or its congruent value. As described above, in the remainder operation unit 907, a carry of 9 bits
The remainder beyond the bits is determined using the ROM table 904, and the remainder and the lower 160 bits are added to determine the remainder or congruent value of the carry value C (i-1) * 2.

If the internal configuration of the remainder calculation unit 907 is similar to the configuration of the remainder calculation unit 3 in the prior art, the remainder calculation unit 907 performs a plurality of loop processes (steps 6 to 8) as described in the prior art. And the calculation of the remainder takes time. On the other hand, the remainder operation unit 907 of the present embodiment calculates the remainder only by performing one reading in the ROM table 904 and one addition in the adder 905, and thus is faster than the conventional configuration.

FIG. 10 shows a more detailed configuration of the multiplier division unit 81. In the figure, the multiplier division unit 81 includes a selector 8
01, a register B 802, and a shifter 803. The selector 801 outputs the multiplier B input from the outside to the register B 802 as the initial setting (i = 1) under the control of the control unit 86, and after the initial setting (i = 2,.
8) stores the value input from the shifter 803 in the register B8.
02 is output.

The register B 802 is a 161-bit register and holds a multiplier B input from the outside via the selector 801 as an initial setting. After the initial setting, a value input from the shifter 803 via the selector 801 is set. Hold. The output side of the register B 802 is connected to the shifter 803, and the lower 9 bits are connected to the partial product calculator 83. The register B 802 updates the value held under the control of the control unit 16 to a value newly input from the shifter 803 via the selector 801. The value held in the register B 802 is the shifter 8
03 and the lower 9 bits are output to the partial product calculator 83.

The shifter 803 is a 161-bit shifter that shifts the value input from the register B 802 by 9 bits to the right and outputs it. With such a configuration, the remainder calculation unit 82 calculates the partial multiplier b of the lower 9 bits of the multiplier B in units of 9 bits.
(I) = b [9i-1: 9i-9] (i = 1,... 1
7, 18) are sequentially output to the partial product calculation unit 83. <Partial Product Calculation Method> Before describing the detailed configuration of the partial product calculation unit 83, two product calculation methods that are the basis of the configuration of the partial product calculation unit 83 will be described.

The multiplicand X and the 3-bit multiplier Y (= y2y1
The product with y0) is expanded as in (Equation 4).

[0080]

(Equation 6)

That is, in equation (4), the product X * Y is obtained by multiplying the weight (2 ² , 2 ¹ , 2 ⁰ ) of each digit of the multiplicand X and the multiplier Y by the value (y2, y1, y0) of each digit. (X * 2
² * y2, X * 2 ¹ * y1, X * 2 ⁰ * y0, hereinafter referred to as a bit product). Specifically, for example, when Y = 101 (Equation 4), X * Y = X * 2
² * y2 + X * 2 ⁰ * y0, and X * Y is calculated by adding two values (hereinafter referred to as a bit product). Y = 1
When 10 (Equation 4) is ^{X * Y = X * 2 2} * y2 + X * 2 1
* Y1, and X * Y is calculated by adding two bit products. When Y = 111 (Equation 4), X * Y = X *
2 ² * y2 + X * 2 ¹ * y1 + X * 2 ⁰ * y0 and X
* Y is calculated by adding three bit products.

The method of calculating the product by adding the bit product obtained by multiplying the multiplicand by the weight of each digit of the multiplier and the value of each digit is referred to as a general calculation method. The remainder calculation unit 12 in the first embodiment is also configured based on this method. By the way, 111 = 2 ³ −
It is one. Therefore, when Y = 111, the product X * Y can also be calculated by multiplying the multiplicand X by 2 ³ -1 instead of multiplying by 111. The product of the multiplicand X and 2 ³ -1 is expanded as follows.

[0083]

(Equation 7)

That is, when Y = 111 in (Equation 5), the product X * Y is calculated by subtracting the multiplicand X from the value obtained by multiplying the multiplicand X by 2 ³ . Also, Y ′ = 11100
When 0, Y '= Y * 2 3 a is because the product X * Y' can also be calculated by multiplying the 2 ^{6-2 3} instead of multiplying the 111000 to the multiplicand X.

[0085] 2 ^p's place in the multiplier by more than (p + 1 bit from the low-order) from 2 ^{q (q} + 1 bit from the low-order)
When all places (where p> q) are 1, the product in that part is obtained by multiplying the multiplicand by 2 ^{p + 1} (hereinafter also referred to as the ^divisor ) and multiplying the multiplicand by 2 ^q (hereinafter also referred to as the decrement). It can be calculated by subtracting the value. This method is called a special calculation method.

In the adder, the subtraction value st of s and t is calculated by replacing the inverted value of s and t (1's complement) with the constant 1. Therefore, the multiplier is 2
^p of the place from 2 ^q (lower from (p + 1 bit from the low-order) q +
When the order of the first bit) (where p> q) is all 1,
Assuming that the product is to be calculated for that part by a special calculation method, the adder simply adds a constant 1 and an inverted value (hereinafter simply referred to as an inverted value) of 2 ^{p + 1} times the multiplicand and 2 ^q times the multiplicand. Is fine. Moreover, the addition of the constant 1 can be realized by using the carry-in of the lower bit of the adder. That is, when calculating the product by the special calculation method, the adder only needs to perform two additions and carry-in.

On the other hand, when all bits of the n-bit multiplier are 1, if the product is calculated by the general calculation method, the adder needs to add n bit products. From the above, when three or more 1s in the multiplier are consecutively arranged, the number of additions in the adder can be reduced by calculating the product by the special calculation method rather than by the general calculation method. It is possible to reduce the size of the container and reduce the load on the amount of addition. Partial product calculator 8
3 is a partial product C (i) * b based on the above two methods.
(I) is calculated.

The partial product calculation unit 83 applies a special calculation method to a part where 1s are continuous in the bit string of the partial multiplier b (i), and applies a general calculation method to the other parts. More specifically, the partial product calculation unit 83 calculates a case where the 9-bit partial multiplier b (i) is 111111111, a case where the upper 6 bits or lower 6 bits of the partial multiplier b (i) is 111111, Upper 3 bits or middle 3
If the bit or the lower three bits are 111, the special calculation method is applied to that part, and otherwise the general calculation method is applied.

For example, if the partial multiplier b (i) is 111111
In the case of 011, the partial product calculation unit 83 applies the special calculation method to the upper 6 bits 111111,
Applying the general calculation method to the bit 010, the product C
(I) * b (i). However this time, the upper 6 bits 111111 are the 3-bit carry value from the lower (2 ³ times the value), partial product calculating section 83, the upper 6 bits when applying a special calculation method It must be performed 2 ³ of carry for the part.

Specifically, it is expanded as shown in (Equation 6).

[0091]

(Equation 8)

As shown in (Equation 6), the upper 6 bits 11
It is expanded as in the equation by the application of a special calculation method and the 2 ³ carry about 1111. That is, the partial product calculation unit 83 adds the value obtained by carrying the intermediate number C (i) by 9 bits, the value obtained by carrying the intermediate number C (i) by 3 bits, and the constant 1 to the upper 6 bits 111111. Calculate the product. The lower three bits 011 are developed as in the same equation by applying the general calculation method. That is, the partial product calculation unit 83 adds the value obtained by raising the intermediate number C (i) by one bit and the intermediate number C (i) in accordance with the value of 011 of the lower 3 bits to obtain the 011 part of the lower 3 bits. Is calculated.

FIG. 11 shows a more detailed configuration of the partial product calculator 83. In the figure, the partial product calculation unit 83 includes a shifter unit 51, a selection unit 52, an OR circuit 513, and an adder A70.
1, adder B702, register Ca844, register C
b845. The shifter unit 51 includes a bus 830
And shifters 831 to 839. The bus 830 outputs the input 161-bit intermediate number C (i) to the selection unit 52 as it is. The shifters 831 to 839 shift the input intermediate number C (i) to the left by 1 to 9 bits, thereby raising the intermediate number C (i) by 1 to 9 bits, and C (i) * 2, C ^{(i) * 2 2, C} (i) * 2 3, C
(I) * ²⁴ , C (i) * ²⁵ , C (i) * ²⁶ , C
(I) * ²⁷ , C (i) * ²⁸ , and C (i) * ²⁹ are generated and output to the selection unit 52. The shifter 839 outputs an intermediate number C (i) and simultaneously outputs to the selection unit 52 by 9-bit shift to the left, the remainder calculation unit 82 that value as the carry value C (i-1) * 2 9 .

In shifter section 51, outputs of bus 830 and shifters 831 to 838, ie, C (i) and C (i)
* 2 ¹ C,. . . , C (i) * 2 ⁸ is a candidate to become the value of the bit product during calculation by the general calculation method. Shifter 83
3, 836, 839, ie C (i) * 2 ³ ,
C (i-1) * 2 6, C (i-1) * 2 9 is a candidate to become the value of the minuend during calculation by special calculation method. The outputs of the bus 830 and the shifters 833 and 836, that is, C
(I), C (i) * ²³ , and C (i-1) * ²⁶ are values that are candidates for the reduction in the calculation by the special calculation method. Hereinafter, these candidate values will be referred to as candidate values.

The selector 52 has a value obtained by carrying 0 to 9 bits from the shifter 51 and a partial multiplier b from the multiplier divider 81.
When (i) is input, a 9-bit partial multiplier b (i)
Is 111111111 or not, the partial multiplier b (i)
It is determined whether the upper 6 bits or lower 6 bits are 111111, and whether the upper 3 bits, middle 3 bits or lower 3 bits are 111. Next, the selection unit 52
Selects some of the candidate values input from the shifter unit 51 according to the determination. More specifically, the selection unit 52 selects a minuend and a subtrahend corresponding to the part, from the candidate values, for the part determined to be positive.
The selection unit 52 selects a bit product corresponding to the part from the candidate values for the part determined to be negative.
The selecting unit 52 determines whether the minuend and the bit product among the selected candidate values are the adder A701 or the adder B7.
02 is output. The selection unit 52 generates an inverted value obtained by inverting the value of the subtraction value among the selected candidate values and a constant 1, and outputs the generated value to the adder A 701 or the adder B 702.

The selection section 52 has operation value selectors 840 and 84.
1, 842. FIG. 12 shows an operation value selector 840,
The detailed configuration of 841 and 842 is shown. Calculation value selector 84
0 is an inverter 1301, selectors 1302, 130
3. A control circuit 1304 is provided. The operation value selector 84
0 has input terminals S, Z, I0, I1, I2, I3 and output terminals F, O0, O1.

When the candidate value C (i) is input as a subtraction from the input terminal I0, the inverter 1301 outputs an inverted value obtained by inverting the subtraction to the selector 1303. Selector 1303 receives input terminal #I from inverter 1301.
0, the inverted value of the candidate value C (i) is 0 from the input terminal Z, and the candidate value C (i) from the input terminal I0 is the input terminal I
When the candidate value C (i) * 2 ¹ is input from 1, one of these input terminals is selected according to the input / output logic of the control circuit 1304, and the value input from the selected input terminal is output to the output terminal. Output from O0.

The selector 1302 receives 0 from the input terminal Z.
But if the candidate value C from the input terminal I1 (i) * 2 ¹ is the candidate value C (i) * ² 2 from the input terminal I2, the input terminal I3 candidate value C (i) * 2 ³ is input , Control circuit 130
4 of these input terminals according to the input / output logic of 4.
One is selected, and the value input from the selected input terminal is output from the output terminal O1.

When the partial multiplier b (i) is input from the input terminal S, the control circuit 1304 causes the selectors 1302 and 1303 to select one of the input terminals based on the input / output logic shown in FIG. Then, the value input from the input terminal is output from the output terminals O1 and O0. When the selector 1303 selects the input terminal # I0, the control circuit 1304 outputs 1 from the output terminal F. Otherwise, the control circuit 1304 outputs 0 from the output terminal F.

FIG. 13C shows the partial multiplier b (i) input to the control circuit 1304 and the input / output logic. The first column in FIG. 9C shows the partial multiplier b (i) input from the input terminal S. “−” Indicates an arbitrary value of 1 or 0, and “####” indicates an arbitrary value other than “111”.
The second column shows input terminals to be selected by the selector 1302. The third column shows input terminals to be selected by the selector 1303. The fourth column indicates a value output from the output terminal F by the control circuit 1304, and indicates a constant 1 when the value is 1.

For example, the control circuit 1304 calculates the partial multiplier b
If it is determined that all the lower 6 bits of (i) are 1, 0 is output from the output terminal O1 and C (i) is output from the output terminal O0.
And outputs a constant 1 from an output terminal F. If it is not determined that all of the lower 6 bits are 1 and if it is determined that all of the lower 3 bits are 1, the control circuit 1304 outputs a C signal from the output terminal O1.
(I) Output * 2 ³ , output C (i) from the output terminal O0, and select a constant 1 from the output terminal F. In other cases, the control circuit 1304 determines the lower three bits of the partial multiplier b (i).
C (i) * from output terminals O1 and O0 according to the bit value
Any one of 2 ² , C (i) * 2 ¹ , C (i), 0
Output two values.

The operation value selector 841 is connected to the inverter 130
1, a selector 1302, 1303, and a control circuit 1305. The operation value selector 841 has input terminals S, Z,
It has I0, I1, I2, I3 and output terminals F, O0, O1. The operation value selector 841 is different from the operation value selector 840 in that a control circuit 1305 is provided instead of the control circuit 1304. When the partial multiplier b (i) is input from the input terminal S to the control circuit 1305, FIG.
Selectors 1302 and 13 based on the input / output logic
03 is made to select one of the input terminals, and the value input from the input terminal is output from the output terminals O1 and O0. The other components are the same as those of the operation value selector 840, and a description thereof will be omitted.

The operation value selector 842 is connected to the inverter 130
1, a selector 1302, 1303, and a control circuit 1306. The operation value selector 842 includes input terminals S, Z,
It has I0, I1, I2, I3 and output terminals F, O0, O1. The operation value selector 842 differs from the operation value selector 840 in that a control circuit 1306 is provided instead of the control circuit 1304. When the partial multiplier b (i) is input from the input terminal S, the control circuit 1306 enters the state shown in FIG.
Selectors 1302 and 13 based on the input / output logic
03 is made to select one of the input terminals, and the value input from the input terminal is output from the output terminals O1 and O0. The other components are the same as those of the operation value selector 840, and a description thereof will be omitted.

The OR circuit 513 ORs the output values of the output terminals F of the operation value selectors 840 and 841. As can be seen from FIGS. 13B and 13C, in the operation value selectors 840 and 841, when one output of the output terminal F is a constant 1, the other output is always 0. Therefore, the OR circuit 513 combines the two values into one by taking a logical sum, thereby reducing the number of outputs of the selector 52.

The adder A 701 is connected to the output values of the output terminals O 1, O 0, F of the operation value selector 842 and the operation value selector 841.
And the output value of the output terminal O1 is added to obtain a partial product c
Is output to the register Ca844. The adder B702 is
The output value of output terminal O0 of operation value selector 841, the output values of output terminals O1, O0 of operation value selector 840, and OR circuit 5
13 and the output value obtained by adding the 13 output values, and the resultant partial product d is output to the register Ca845.

Here, a value obtained by adding the partial product c and the partial product d is a partial product C (i) * b (i). The register Ca844 and the register Cb845 each have a partial product c
And the partial product d and the partial product c and the partial product d stored under the control of the control unit 86 are updated to newly input values. The output side of the register Ca844 and the register Cb845 is connected to the accumulator 84, and the register Ca84
The four register Cb845 outputs the held partial products c and d to the accumulator 84.

FIG. 14 shows a more detailed configuration of the accumulating section 84 and the correcting section 85. In the figure, the accumulator 84 includes an adder 705 and a register S707. The register S707 is a 171-bit register that holds the accumulated value, and updates the held accumulated value to a new accumulated value input from the selector 706 under the control of the control unit 86. Here, the most significant bit of the register S707 is a sign bit representing the sign of the accumulated value.

The adder 705 calculates the accumulated value held in the register S707 and the registers Ca844 and Cb8.
The partial product c and the partial product d held in 45 and the correction value input from the correction unit 85 are added and output to the register S707. The correction unit 85 includes a register E703 and an inverter 7
08, a selector 704, and a selector 706.

The register E703 holds a value that is larger than and closest to the maximum value of the sum of the partial products c and d. Specifically, the register E703
Holds 122 * P. Inverter 708 outputs an inverted value of 1022 * P held in register E703 (hereinafter, referred to as # 1022 * P).

The selector 704 selects one of 0, 1022 * P and $ 1022 * P as a correction value and supplies it to the selector 706 under the control of the control unit 86. The selector 706 outputs 0 according to the control of the control unit 86.
Alternatively, 1 is supplied to the selector 706. Here, the control unit 8
6 causes the selector 704 to select a correction value according to the sign of the accumulated value held in the register S707, and causes the selector 706 to select 0 or 1 to supply it to the adder 705.

More specifically, the control unit 86 sets the register S707
Is 0, the selector 704 supplies $ 10
22 * P, and the selector 706 selects 1. As a result, if the accumulated value held in the register S707 is positive (the most significant bit is 0), the register E
From 703, # 1022 * P is supplied to the adder 705 via the inverter 708 and the selector 704, and 1 is supplied via the selector 706. Thanks to this adder 705
In the next addition, 1022 * P is subtracted, and overflow in the adder 705 and the register S707 is prevented.

When the accumulated value held in the register S707 is negative (the most significant bit is 1), the control unit 86
The selector 704 selects 0, and the selector 706 selects 0. When the repetition processing of i = 1 to 18 is completed and the value held in the register S707 is updated to the final accumulated value, the control unit 86 determines whether the most significant bit of the accumulated value is 1 or 0. If it is 1 (indicating a negative value), 1022 * P is assigned to the selector 704 and the selector 70
6 is set to 0, and the adder 705 selects the register S7
Correction of adding 1022 * P to the accumulated value held in 07 is performed. Thereby, the control unit 86 corrects the final accumulated value to be positive. Also, the control unit 86
When the most significant bit of the final accumulated value is 0 (indicating a positive value), the selector 704 selects 0 and the selector 706 selects 0, so that the accumulated value is not corrected.

The partial product calculating section 83 may be configured as shown in FIG. This figure is different from FIG.
7 and the shifter 846, and the operation value selector 84
Operation value selectors 850, 8 instead of 0, 841, 842
51 and 852 are different. Shifter 847
Outputs the partial multiplier b (i) shifted right by 3 bits.

Shifter 846 shifts partial multiplier b (i) to the left by 3 bits and outputs the result. FIG. 16 shows the input / output logic of the control circuit common to the operation value selectors 850, 851, and 852. Thus, the partial product calculation unit 83 shown in FIG.
By providing the shifters 847 and 846,
The selector 52 inputs the partial multiplier b (i) shifted right by 3 bits, the partial multiplier b (i) itself, and the partial multiplier b (i) shifted left by 3 bits. In this way, the operation value selectors 850, 851, and 852 can apply the same input / output logic. Further, since the same input / output logic can be applied to all of the operation value selectors 850, 851, and 852, a single control circuit may be used.

Although the remainder calculation unit 12 has two ROM tables in the first embodiment and the remainder calculation unit 82 has one ROM table in the second embodiment, three or more ROM tables may be provided. You may. <Expansion of Equation> From (Equation 1) to (Equation 2) in the first embodiment.
The deformation process of is described below.

[0116]

(Equation 9)

[0117]

The remainder multiplication apparatus according to the present invention employs a modulo p for a product of a multiplicand a and a multiplier b (b is kb-bit data).
A remainder multiplication device that calculates a value congruent with a remainder (where p is k-bit data) as an accumulated value of the following equation: accumulated value = ΣC (i) * b [s * i + s-1: s * i] (where Σ indicates the accumulation from i = 0 to [[kb / s]]. [[kb
/ s]] is the integer part of the quotient kb / s, i is an integer from 0 to [[k / s]], and C (i) is represented by a recurrence formula and C when i = 0
When (i) = a, i> = 1, C (i) ≡ (C (i-1) * 2 ^s ) mod p (≡ indicates that the values on both sides are congruent in the modulus p)) b [s * i + s-1: s * i] is a partial multiplier of s bits from the order of 2 ^{s * i + s-1} to the order of 2 ^{s * i} in the multiplier b of k bits, The remainder multiplication device includes, for each value represented by m (m is an integer equal to or greater than s) bits, a table means for storing in advance a remainder of the value by a modulus p with respect to 2 ^k times the value, and a first time (i = 0)
Outputs the multiplicand a as an intermediate number C (0). From the second time (i> 0), the intermediate number C (i-1) output last time is carried by s bits, and the intermediate number after carry is output. An intermediate number calculating means for reading the remainder for the upper m bits excluding the lower k bits from the table means, and calculating a new intermediate number (i) by adding the read remainder and the lower k bits; Partial product C (i) * b [s * i + s-1: of each calculated intermediate number C (i) and its corresponding partial multiplier b [s * i + s-1: s * i]: s * i] are sequentially accumulated to calculate the accumulated value.

According to this configuration, the table means previously stores, for each value represented by m bits, that is, each value corresponding to 0 to 2 ^m −1, the remainder by modulo p of 2 ^K times those values. I do. The intermediate number calculating means calculates i> = 1
, First, the remainder of the upper m bits excluding the lower k bits of the intermediate number after the carry, that is, 2 ^{k of the} upper m bits
The remainder of the double by the modulus p is read from the table means. Next, the intermediate number calculating means calculates the remainder or congruent value of the intermediate number after carry by the modulus p by adding the remainder read from the table means and the lower k bits.

Here, the lower k bits of the intermediate number after the carry are the value of the remainder itself according to the modulus p or a value congruent with the remainder according to the modulus p. This congruent value is a value larger than the remainder and closer to the remainder. Therefore, in order to obtain a remainder or a congruent value according to the modulus p with respect to the intermediate number after the carry, which is closer to the remainder, the intermediate number calculating means must calculate the upper m
What is necessary is to obtain the remainder for the bits and add this to the lower k bits. The intermediate number calculation means calculates the remainder or congruent value of the intermediate number after carry by the modulus p in a shorter time by reading the remainder of the upper m bits from the table means.

If it is assumed that the remainder is obtained by the modulo p of the intermediate number after carry using the same procedure as that of the remainder calculation in the remainder calculation unit 3 of the remainder multiplication apparatus 1 of the prior art, the intermediate number calculation unit Must repeat the loop processing of steps 6 to 8 a plurality of times. More specifically, the number of times of this loop processing corresponds to the number of bits of the intermediate number after carry.
On the other hand, the intermediate number calculating unit according to the present invention can calculate the remainder or the congruent value of the intermediate number after carry by a single reading and one addition of the table unit, and can calculate the remainder at high speed. Calculation can be realized.

Further, the intermediate number calculating means calculates the remainder of the value obtained by carrying the previous intermediate number recursively as an intermediate number, whereby the intermediate number calculating means determines the increase in the number of bits of the calculated intermediate number. Preventing. This prevention prevents the number of bits of the partial product calculated using the intermediate number from increasing. As a result, in the accumulation of the partial products, the addition may be performed using the partial products in which the number of bits is suppressed, so that the circuit scale of the adder can be reduced.

The intermediate number calculating means is held in the first holding means for holding the intermediate number and the first holding means corresponding to the partial multiplier b [s * i + s-1: s * i]. A carry means for carrying the intermediate number by s bits, and converting the carried intermediate number into a higher-order data and a lower k-bit part which are m-bit parts higher than the lower k bits in the carried intermediate number. Dividing means for dividing the data into lower-order data, reading means for reading the remainder of the higher-order data by the modulo p from the preceding table means, and adding the remainder read from the table means and the lower-order data by the dividing means. The first holding means updates the held content to a new intermediate number each time a new intermediate number is obtained by the adding means, and the first multiplicand Output as an intermediate number Wherein arranged to output an intermediate number new updated in second and subsequent.

According to this configuration, each component in the intermediate number calculation means can be easily configured using a general-purpose hardware element. That is, the first holding means is a register, the carry means is a shifter, the dividing means is an m-bit bus and a k-bit bus connected to the upper m-bit part and the lower k-bit part of the shifter, and the adder means is an adder. With these components, the intermediate number calculating means
An intermediate number C (i) is recursively calculated.

The remainder multiplying device further includes post-processing means for obtaining the remainder of the accumulated value by the modulus p by using the dividing means, the reading means, and the adding means. According to this configuration, the post-processing means obtains the remainder of the last accumulated value by the modulus p, thereby making the last accumulated value smaller than p.

The table means inputs an address corresponding to each value represented by m bits, and stores, in a storage area indicated by the address, a remainder by modulo p with respect to 2 ^k times the value of the m bit corresponding to the address. Is stored in advance. According to this configuration, the table means can be realized by one memory element. The memory element previously stores a remainder of 2 ^k times modulo p for each value represented by m bits, that is, each value corresponding to a decimal number from 0 to 2 ^m -1. The addresses pointing to these surplus storage areas have the same value as each value. When the upper m bits are input from the reading means to the memory element, the value is used as an address, and the remainder of the storage area indicated by the address is read by the reading means. Thus, the intermediate number calculating means can obtain the remainder corresponding to the upper m bits in a short time only by performing one reading from the memory element.

The m bits are the lower m1 bits and the upper m2 bits.
Bits (m = m1 + m2), and each value represented by the m bits corresponds to a combination of a value represented by the m1 bits and a value represented by the m2 bits, and the table means , M1 bits, the first partial table means for storing in advance the remainder of modulo p for 2 ^k times of the value, and for each value represented by m2 bits, 2 ^{k + m1} Second partial table means for storing in advance a remainder of the double by a modulus p, wherein the adding means adds each of the remainders read from the first and second partial tables to the lower-order data. To obtain a new intermediate number.

According to this configuration, the table means has the first partial table means corresponding to the upper m1 bit of the m bits and the second partial table means corresponding to the lower m2 bits. The first partial table means stores 2 ^m1 remainders corresponding to the upper m1 bits, and the second partial table means stores the remainder corresponding to the lower m2 bits as 2 bits.
Remember ^m2 . As can be seen from this number, the storage number of the remainder combined with the first and second partial table means is even smaller than in the case of one memory element. Thus, the table means can be constituted by two memory elements having a small storage capacity.

The m bits are t (3 ≦ t ≦ m) from the lower side.
, Mt, and each value represented by the m bits is each mi (i is an integer from 1 to t).
Corresponding to a combination of the values (t) represented by bits, the table means calculates, for each value represented by the partial bit mi bits, 2 ^{k + x} times the value (where x = m1 +...). + M (i-1)), and t partial table means Ti for preliminarily storing the remainder of the modulus p with respect to the modulo p. And the lower order data are added to obtain a new intermediate number.

As described above, the table means has t partial table means Ti corresponding to respective values of t partial bits obtained by dividing m bits. Thus, the table means has a plurality of partial table means Ti, thereby reducing the number of surplus storage in each partial table means Ti.
The remainder multiplying device further includes accumulating means and correcting means, wherein the accumulating means includes a third register for holding 0 as an initial value, and a partial product C (i) * b [s * i + s- 1: s * i] and the accumulated value held in the third register, and the adder outputs the addition result as a new accumulated value to the third register and holds the sum. , A correction value holding means for holding a correction value having an integer multiple of p, and a correction value held by the correction value holding means if the accumulated value held in the third register is equal to or larger than a predetermined value. And correction control means for causing the adder to subtract

According to this configuration, the correction control means causes the adder to subtract the correction value from the accumulated value if the accumulated value is equal to or greater than the predetermined value, thereby preventing overflow in the third register. The third register has a sign bit, and the correction control means, if the accumulated value of the third register is positive, adds the accumulated value and the partial product to the adder simultaneously with the correction. The correction value is an integer multiple of p, and its absolute value is the maximum value of the partial product (t + 1) (2 ^s -1) p
It is characterized by the following values.

According to this configuration, when the sign bit of the accumulated value held in the third register is 1 (the accumulated value indicates a positive value), the correction control means outputs the correction value from the accumulated value to the adder. , The overflow of the third register is prevented. Further, since the correction value is an integer multiple of p and is equal to or less than the maximum value (t + 1) (2s-1) p of the partial product, it is determined whether the final value of the accumulated value is smaller than p. Or a value close to p is set.

The modulus p satisfies the relationship of p = 2 ^k -α, and each partial table means Ti stores the remainder as k3 bit data, where k3 is a bit of t * 2 ^m * α. Wherein α is a constant determined such that k3 is smaller than k. According to this configuration, the relationship of p = 2 ^k -α is satisfied, and α is a constant whose upper limit is determined so that k3 is smaller than k. Thus, the remainder stored in the partial table means Ti can be limited to k3 bits, and the number of output bits from the partial table can be reduced. Since the number of bits of the remainder output from the partial table means Ti is equal to or less than k3 bits, the bit width of the adder can be limited accordingly.

Each partial table means Ti stores 2 ^mi corresponding to a value from 0 to (2 ^mi -1) represented by mi bits.
.. ^{+ M (i−1)} * α. The j-th entry (j is 0 to 2 ^mi ) stores j * 2 ^{m1 +} ... ^{+ M (i−1)} * α. In this configuration, the partial table means Ti
The number of entries to be stored can be limited to 2 ^mi -1 and the size of the partial table can be reduced.

If α is u bits,
The number of bits of the j-th entry j * 2 ^{m1 +} ... ^{+ m (i-1)} * α is m1 + m2 +.
It is possible to limit the value to the sum of (i-1) and u bits. The adding means for adding the remainder output from the partial table means Ti can limit the bit width.

The remainder multiplication apparatus according to the present invention is a remainder multiplication apparatus for calculating a number congruent with a remainder by a modulus p (p is k-bit data) for a product of a multiplicand and a multiplier.
(S is an integer of 2 or more) output means for sequentially outputting, from the lower side, a partial multiplier of s bits obtained in units of bits;
First calculating means for carrying the multiplicand in accordance with the order of each partial multiplier, and calculating a number (hereinafter referred to as an intermediate number) which is the same as the remainder of the multiplicand after the carry by the modulus p; And the first multiplier corresponding to the partial multiplier
Second calculating means for calculating the product of the intermediate number calculated by the calculating means as a partial product, accumulating means for accumulating the partial product calculated by the second calculating means, and accumulating in the accumulating means. Adding and subtracting an integral multiple of p to the accumulated value to correct the accumulated value so that the accumulated value does not exceed a predetermined number of bits; and until all partial multipliers are output by the output unit.
Control means for repeatedly performing the calculation of the intermediate number by the first calculating means, the calculation of the partial product by the second calculating means, the accumulation by the accumulating means, and the correction by the correcting means; Is stored in advance for each value represented by m (m is an integer of s or more) bits, modulo p for 2 ^k times of the value, and outputs the multiplicand as an intermediate number at the first time of repetition by the control means. In the second and subsequent times, the previously output intermediate number is carried by s bits, the table means is read out for m bits higher than the lower k bits of the carried intermediate number, and the read number and the lower k bits are compared. It is configured to calculate a new intermediate number by adding.

According to this configuration, in the second and subsequent iterations of the repetition by the control means, the first calculating means sets the table means for the upper m bits excluding the lower k bits of the intermediate number after s bit carry. By reading the corresponding remainder and adding the remainder and the lower k bits,
The remainder or congruent value of the intermediate number after carry by the modulus p is calculated as the intermediate number. As a result, the first calculating means calculates the remainder at high speed.

The second calculating means calculates a partial product of the partial multiplier and the intermediate number for each s-bit partial multiplier. Since the partial product is calculated for each of the partial multipliers of a plurality of digits in this way, the calculation of the partial product may be performed by the number of the partial multipliers, and the number of repetitions in the second calculating means is reduced. Faster than compared. The control means controls the pipeline processing including the first to third stages. In the first stage, the output means outputs a partial multiplier and the first calculation means outputs an intermediate number. 2
The calculation means is configured to calculate the partial product, and in the third stage, the accumulation is performed by the accumulation means and the correction is performed by the correction means.

According to this configuration, since the remainder multiplication apparatus performs the pipeline processing, the processing in each component is efficiently performed, and the processing speed of the operation is further increased. The output means firstly holds the multiplier, and outputs the lower s bits of the held value as a partial multiplier; and shifts the value held by the multiplier holding means to s bits lower. , And a shift means for outputting the shifted value to the multiplier holding means and holding it.

According to this configuration, the output means stores the multiplier.
Register and the held multiplier to lower s bits
Can be easily configured by shifting shifters
You. Further, the second generation means may generate the ith (i is 1 to (s−
The shift means of 1) is calculated by the first calculating means.
Carry the intermediate number by i-bit left shift
First to (s-1) th shift means, wherein the first
Generating means for calculating the intermediate number calculated by the first calculating means.
s-th shift means for carrying by s-bit left shift
And complement generation means for generating a one's complement of the intermediate number;
Constant output means for outputting a constant 1;
The means is configured to, when all bits are determined to be 1 to be s-th,
And the output of the one generated by the complement generation means.
Complement and constant 1 are selected and all bits are determined to be 1.
Otherwise, the partial multiplier of 2 ⁰Is "1"
If the intermediate number is selected, the partial multiplier 2ⁱIs "1"
If there is, select to select the carry result of the i-th shift means
Means, by adding the selection result of the selection means,
An adder for calculating a partial product.

According to this configuration, the first to (s-1) th
Is realized by a shifter that shifts left by 1 to (s-1) bits. The s-th shift means is realized by a shifter that performs s-bit left shift. The complement generation means is realized by an inverter. As described above, the first generation unit and the second generation unit can be configured by general-purpose hardware elements. These components generate in advance the values of the candidates to be added by the adding means. The selecting means selects a value to be added to the adding means from the candidate values according to the value of the partial multiplier. The addition means
A partial product is calculated by adding the values of the selected candidates. With such a configuration, the second calculating unit can calculate the partial product of the intermediate number and the partial multiplier of a plurality of digits at high speed.

[Brief description of the drawings]

FIG. 1 is a block diagram illustrating a schematic configuration of a remainder multiplication device 100 according to a first embodiment.

FIG. 2 shows a more detailed configuration diagram of a remainder calculation unit 12.

FIG. 3A shows the storage contents of a ROM table 309. (B) Shows the storage contents of the ROM table 308.

FIG. 4 shows a more detailed configuration of the multiplier division unit 11;

FIG. 5 shows a more detailed configuration of a partial product calculator 13;

FIG. 6 shows a detailed configuration of an accumulation unit 14 and a correction unit 15.

FIG. 7 is a block diagram illustrating a schematic configuration of a remainder multiplication device 200 according to a second embodiment.

FIG. 8 shows a more detailed configuration of a remainder calculator 82.

FIG. 9 shows storage contents of a ROM table 904.

FIG. 10 shows a more detailed configuration of a multiplier division unit 81.

FIG. 11 shows a more detailed configuration of a partial product calculator 83.

FIG. 12 shows a detailed configuration of operation value selectors 840, 841, and 842.

13A shows the correspondence between the partial multiplier b (i) input to the control circuit 1306 and the input / output logic of the control circuit 1306. FIG. (B) shows the correspondence between the partial multiplier b (i) input to the control circuit 1305 and the input / output logic of the control circuit 1305. (C) shows the correspondence between the partial multiplier b (i) input to the control circuit 1304 and the input / output logic of the control circuit 1304.

FIG. 14 shows a more detailed configuration of an accumulation unit 84 and a correction unit 85.

FIG. 15 may be configured as shown in FIG.

FIG. 16 shows input / output logic of a control circuit common to operation value selectors 850, 851, and 852.

FIG. 17 shows a configuration of a conventional remainder multiplication device.

[Explanation of symbols]

 REFERENCE SIGNS LIST 100 remainder multiplication unit 11 multiplier division unit 12 remainder calculation unit 13 partial product calculation unit 14 accumulation unit 15 correction unit 16 control unit 308 ROM table 309 ROM table 301 selector 302 register A 303 shifter 304 selector 310 adder 311 remainder calculation unit

Claims (31)

[Claims] For a product of a multiplicand a and a multiplier b (b is kb-bit data), a value congruent with a remainder by a modulus p (p is k-bit data) is calculated as an accumulated value of the following equation. A modular multiplication device, comprising: Here, [[kb / s]] is an integer part of the quotient kb / s, i is an integer from 0 to [[k / s]], and C (i) is represented by a recurrence formula and i = 0 when C (i) = a, when i> = 1 C
(i) ≡ (C (i-1) * 2 ^s ) modp (≡ indicates that the values on both sides are congruent in the modulus p), and b [s * i + s-1: s * i] Is a partial multiplier of s bits from the order of 2 ^{s * i + s−1} to the order of 2 ^{s * i} in the multiplier b of k bits, and the remainder multiplication device is m (m is an integer equal to or more than s) ) For each value represented by bits, table means for storing in advance the remainder of the value by 2 ^k times the modulus p, and in the first time (i = 0), output the multiplicand a as the intermediate number C (0), After the first time (i> 0), the intermediate number C (i-1) previously output
Is carried out by s bits, and the remainder of the upper m bits excluding the lower k bits of the carried intermediate number is read from the table means, and the read remainder and the lower k bits are added to obtain a new intermediate number. (i) is calculated, and the calculated intermediate numbers C (i) and the corresponding partial multipliers b are provided.
The cumulative value is calculated by sequentially accumulating the partial product C (i) * b [s * i + s-1: s * i] with [s * i + s-1: s * i] A residue multiplication device characterized by the above-mentioned. 2. The intermediate number calculating means includes: a first holding means for holding an intermediate number; and a first holding means corresponding to a partial multiplier b [s * i + s-1: s * i]. A carry means for carrying the carried intermediate number by s bits, and converting the carried intermediate number into a lower k in the carried intermediate number.
Dividing means for dividing the data into higher-order data, which is an m-bit part higher than bits, and lower-order data, which is a lower-order k-bit part; Adding means for obtaining a new intermediate number by adding the remainder read from the table means and lower-order data obtained by the dividing means, wherein the first holding means obtains a new intermediate number in the adding means. 2. The method according to claim 1, further comprising: updating the held content to a new intermediate number each time, outputting the multiplicand as an intermediate number at the first time, and outputting a new intermediate number after the update at the second time and thereafter. Multiplication unit. 3. The remainder multiplication apparatus further includes a post-processing unit that obtains a remainder of the accumulated value by a modulus p by using the dividing unit, the reading unit, and the adding unit. Item 3. The modular multiplication device according to Item 2. 4. The table means receives an address corresponding to each value represented by m bits, and stores the address in a storage area indicated by the address by a modulus p for 2 ^k times the value of the m bit corresponding to the address. 4. The remainder multiplication apparatus according to claim 2, further comprising a memory element for storing the remainder in advance. 5. The m bits are divided into lower m1 bits and upper m2 bits (m = m1 + m2), and each value represented by m bits is represented by a value represented by m1 bits and m2 bits. corresponding to a combination of the value represented, the table means, for each value represented by m1 bits, 2 ^k of the value
First partial table means for storing beforehand the remainder of the modulo p, and for each value represented by m2 bits, 2
second partial table means for storing in advance the remainder of the modulus p for ^{k + m1} times, wherein the adding means calculates each remainder read from the first and second partial tables and the lower data. 4. The remainder multiplication device according to claim 2, wherein a new intermediate number is obtained by adding the remainder. 6. The m bits are divided into t (3 ≦ t ≦ m) partial bits m1,..., Mt from the lower side, and each value represented by the m bits is mi (i is 1). Table means, for each value represented by the partial bit mi bits, 2 ^{k + x} times (here, , X = m1 +... + M (i-1)). The t partial table means Ti for preliminarily storing the remainder of the modulus p with respect to the modulo p, and the adding means is read from the t partial table means Ti. 3. A new intermediate number is obtained by adding the t remainders and the lower order data.
And the modular multiplication device according to 3. 7. The m bits are divided into t (2 ≦ t ≦ m) partial bits m1,..., Mt from the lower side, and the table means: when x is represented by the following equation, Means Ti
Is provided with t partial table means Ti (i is an integer from 1 to t) for storing in advance for each value represented by the partial bit mi bits the remainder of the value by 2 ^{k + x} times the modulus p. Here, x is represented by the following equation. 4. The remainder according to claim 2, wherein the addition means obtains a new intermediate number by adding the t remainders read from the t partial table means Ti and the lower order data. Multiplication device. 8. The remainder multiplication device according to claim 7, wherein each partial table means Ti stores the remainder as k-bit data. 9. The remainder multiplication device further includes accumulating means and correcting means, wherein the accumulating means includes a third register for holding 0 as an initial value, and a partial product C (i) * b [s * i + s-1: s * i] and the accumulated value held in the third register, and the adder outputs the addition result as a new accumulated value to the third register and holds the sum. The correction means includes: a correction value holding means for holding a correction value having an integer multiple of p; and a correction value holding means if the accumulated value held in the third register is a predetermined value or more. 9. The remainder multiplication apparatus according to claim 8, further comprising: a correction control unit that causes the adder to subtract the held correction value. 10. The third register has a sign bit.
The correction control means may determine whether the accumulated value of the third register is positive.
If the addition of the accumulated value and the partial product is
Is subtracted from the correction value, and the correction value is an integral multiple of p and its absolute value is
The maximum value of the product (t + 1) (2 ^s -1) is characterized by a value less than or equal to p
The remainder multiplication device according to claim 9, wherein 11. The modulus p satisfies the relationship p = 2 ^k −α, and each partial table means Ti stores the remainder as k3 bit data, where k3 is t * 2 ^m * α The modular multiplication apparatus according to claim 7, wherein the number of bits is a, and α is a constant determined so that k3 is smaller than k. 12. Each partial table means Ti has 2 ^mi corresponding to a value from 0 to (2 ^mi -1) represented by mi bits.
J entries (j is from 0 to 2 ^mi ), and the j-th entry is j * 2 ^{m1 +} .
^{2. The method according} to claim 1, wherein ^{+ m (i-1)} * α is stored.
2. The modular multiplication device according to 1. 13. The remainder multiplication device further includes accumulating means and correcting means, wherein the accumulating means includes a third register for holding 0 as an initial value, and a partial product C (i) * b [s * i + s-1: s * i] and the accumulated value held in the third register, and the adder outputs the addition result as a new accumulated value to the third register and holds the sum. The correction means includes: a correction value holding means for holding a correction value having an integer multiple of p; and a correction value holding means if the accumulated value held in the third register is a predetermined value or more. The remainder multiplication apparatus according to claim 12, further comprising: a correction control unit configured to cause the adder to subtract the held correction value. 14. The third register has a sign bit, and the correction control means adds the accumulated value and the partial product to the adder if the accumulated value of the third register is positive. At the same time, the correction value is subtracted. The correction value is an integral multiple of p and is the maximum value of the partial product.
14. A value not more than (2 ^{s + 1} -2) p.
A modular multiplication device as described. 15. The modulo p (p) for the product of the multiplicand and the multiplier
Is a remainder multiplication device that calculates a congruent number with a remainder by k-bit data. An output that outputs a partial multiplier of s bits obtained by dividing the multiplier into s (s is an integer of 2 or more) bits in order from the lower side. A first calculating means for carrying the multiplicand in accordance with the order of each partial multiplier, and calculating, for the multiplicand after the carry, a number (hereinafter referred to as an intermediate number) which is the same as the remainder of the modulus p A second calculating means for calculating, as a partial product, a product of the partial multiplier output by the output means and the intermediate number calculated by the first calculating means corresponding to the partial multiplier; Accumulating means for accumulating the calculated partial product, and adding or subtracting an integral multiple of p to the accumulated value accumulated in the accumulating means so that the accumulated value does not exceed a predetermined number of bits. Correction means to correct and all partial multipliers by output means Until the force, the first
Control means for repeatedly performing the calculation of the intermediate number by the calculating means, the calculation of the partial product by the second calculating means, the accumulation by the accumulating means, and the correction by the correcting means, wherein the first calculating means comprises: For each value represented by m (m is an integer equal to or greater than s) bits, the remainder of modulo p for 2 ^k times the value is stored in advance, and the multiplicand is output as an intermediate number in the first iteration of the control means, In the second and subsequent times, the intermediate number output last time is carried up by s bits, and the table means is read out for m bits higher than the lower k bits of the carried intermediate number,
A remainder multiplication apparatus for calculating a new intermediate number by adding the read number and the lower k bits. 16. The first calculating means includes: a first holding means for holding a multiplicand; and an intermediate number held by the first holding means corresponding to a partial multiplier output from the output means for the second time and thereafter. carry means for carrying s bits; and upper data which is an m-bit part higher than the lower k bits in the intermediate number after the carry and a lower data which is a part of the lower k bits. Dividing means, reading means for reading the remainder of the higher-order data with respect to the higher-order data by the dividing means from the table means, and adding the remainder read from the table means and the lower-order data by the dividing means to form a new data. Adding means for obtaining an intermediate number, wherein the first holding means updates the held content to a new intermediate number each time a new intermediate number is obtained by the adding means,
In the first time, the multiplicand is output as an intermediate number, and in the second and subsequent times, an updated new intermediate number is output. The second calculating means calculates the partial product using the content held in the first holding means as an intermediate number. Claim 15
A modular multiplication device as described. 17. The control means controls pipeline processing including first to third stages. In the first stage, the output means outputs a partial multiplier and the first calculation means outputs an intermediate number. 17. The remainder multiplication apparatus according to claim 16, wherein in the second stage, the second calculating means calculates a partial product, and in the third stage, the accumulating means accumulates the partial product and the correcting means corrects the partial product. 18. A multiplier holding means for first holding a multiplier and outputting the lower s bits of the held value as a partial multiplier, and a s bit lower value for the value held in the multiplier holding means. 18. A shift means for shifting the value to the side and outputting and holding the shifted value to the multiplier holding means.
A modular multiplication device as described. 19. The multiplying means for calculating the partial product from the intermediate number held in the first holding means and the partial multiplier output from the multiplier holding means, and the second calculating means calculates the partial product. 19. The modular multiplication apparatus according to claim 18, further comprising: a second holding unit that holds a partial product. 20. The accumulating means adds a third holding means for holding the accumulated value, a partial product held in the second holding means, and the accumulated value held in the third holding means. 20. The remainder multiplication apparatus according to claim 19, further comprising an adder that performs the addition, wherein the third holding unit holds the addition result as a new accumulated value. 21. A correction value holding means for holding a correction value having an integer multiple of p, a correction value holding means for holding a correction value having an integral multiple of p, wherein the effective bit number of the accumulated value held by the third holding means is a predetermined bit number. 21.The correction device according to claim 20, further comprising: a correction control unit that adds / subtracts the correction value held by the correction value holding unit to the adder at the same time as the addition of the partial product and the accumulated value. Remainder multiplier. 22. The control unit, wherein the first holding means and the multiplier holding means are pipeline latches from a first stage to a second stage, and the second holding means is pipeline pipeline latches from a second stage to a third stage. 22. The remainder multiplication device according to claim 21, wherein the remainder multiplication device controls line processing. 23. The table means, wherein an address corresponding to each value represented by m bits is input, and a modulo p for 2 ^k times the value of the m bit corresponding to the address is stored in a storage area indicated by the address. 18. The remainder multiplication device according to claim 17, further comprising a memory element that stores a remainder in advance. 24. The m bits include lower m1 bits and upper m2 bits.
Bits (m = m1 + m2), and each value represented by the m bits corresponds to a combination of a value represented by the m1 bits and a value represented by the m2 bits. , M1 bits, for each value 2 ^k
First partial table means for storing beforehand the remainder of the modulo p, and for each value represented by m2 bits, 2
second partial table means for storing in advance the remainder of the modulus p for ^{k + m1} times, wherein the adding means calculates each remainder read from the first and second partial tables and the lower data. 18. The remainder multiplication device according to claim 17, wherein the addition is performed. 25. The m bits are t (3 ≦ t ≦ m) from the lower side.
, Mt, and each value represented by the m bits is a combination of values (t) represented by each mi (i is an integer from 1 to t) bits. Correspondingly, the table means previously stores, for each value represented by the partial bit mi bits, the remainder of 2 ^{k + x} times (here, x = m1 +... + M (i-1)) by the modulus p. T partial table means T
18. The remainder multiplication apparatus according to claim 17, further comprising: i, wherein the addition means adds the t remainders read from the t partial table means Ti and the lower order data. 26. The second calculating means determines whether or not all bits of the partial multiplier of s bits output from the output means are 1, and the intermediate calculated by the first calculating means. First generating means for generating a value obtained by multiplying the number by the s power of 2 and a negative value of the multiplicand; generating, for each bit of the partial multiplier, a product of a bit weight in the partial multiplier and the intermediate number; This product is obtained by adding the second generation means, which is a number obtained by carrying the intermediate number by the bit weight, and each value generated by the first generation means when it is determined that all the bits are 1, so that all the bits are obtained. If it is not determined to be 1, among the products generated by the second generation means,
17. The modular multiplication apparatus according to claim 16, further comprising second adding means for adding a bit corresponding to a bit of "1" in the partial multiplier. 27. The i-th (i is an integer from 1 to (s−1)) shift means,
First to (s-1) th shift means for carrying the intermediate number calculated by the first calculation means by i-bit left shift; and wherein the first generation means is calculated by the first calculation means. S-th shift means for carrying the intermediate number by s-bit left shift; complement generation means for generating a one's complement of the intermediate number; constant output means for outputting a constant 1; The means includes: when all bits are determined to be 1, the output of the s-th shift means, the one's complement generated by the complement generation means,
Select constant 1, when all the bits are not determined to be 1, if the 2 ^{zero-position} of the partial multiplier "1" to select the intermediate speed, the position of 2 ⁱ of portions multiplier " 1 "
27. The modular multiplication apparatus according to claim 26, further comprising: a selection unit that selects a carry result of the i-th shift unit; and an adder that calculates the partial product by adding the selection result of the selection unit. . 28. The s is a multiple of 3 (3n) bits, and the partial multiplier is represented by n pieces of 3-bit data sn,..., S1 divided by 3 bits. The j-th (j is an integer from 1 to n) determining means determines whether the 3-bit data sj is "111" by the first to n-th determining means and the j-th determining means. If it is determined to be 111 ", the value obtained by multiplying the intermediate number by" 1000 "and the order 2 ^{3 (j-1)} of the 3-bit data sj, and the negative value of the multiplicand by the 3-bit data sj The first to n-th special generation means for generating a value multiplied by the order 2 ^{3 (j-1)} and the ^j- th determination means, when it is determined that the value is not "111", the 3-bit data sj of For each bit, a first value for generating a product of the logical value of the bit, the weight of each bit in the s-bit partial multiplier, and the intermediate number And the value generated by the special generation unit corresponding to the n-th general generation unit, the sj determined to be “111”, and the sj determined to be not “111”.
17. The remainder multiplication device according to claim 16, further comprising: an addition unit that adds the product generated by the general generation unit corresponding to (i). 29. The second calculating means, wherein the i-th (i is an integer of 1 to s) shifting means includes first to s-th shifting means for carrying the intermediate number by i-bit left shift. The first general generation unit uses the shift result of the first and second shift units, and the j-th general generation unit except the first uses the (3j-
3) using the shift result by the (3j-2) th and (3j-1) th shift means; the jth special generation means using the shift result by the (3j) th shift means; 29. The modular multiplication apparatus according to claim 28, wherein the j special generation unit and the (j + 1) th general generation unit share the (3j) th shift unit. 30. The j-th special generation means, a complement generation means for generating the one's complement of the intermediate number or the result of the shift by the (3j-3) th shift means, and a constant output means for outputting a constant 1. The addition means includes: when sj is determined to be "111",
j) the output of the shift means, the one's complement generated by the complement generation means in the j-th special generation means, and the constant 1 output by the constant output means in the j-th special generation means. If s1 is not determined to be "111", the intermediate number and the outputs of the (3j-2) th and (3j-1) th shift means are selected, and sj excluding s1 is "111". Are not determined, the (3j-3) th, (3j-2) th, (3j-
30. The modular multiplication apparatus according to claim 29, further comprising: a selection unit that selects an output of the shift unit of 3); and an adder that calculates the partial product by adding a selection result of the selection unit. 31. A post-processing unit for obtaining a remainder of the corrected last accumulated value by a modulus p by using the dividing unit, the reading unit, and the adding unit. 16. The modular multiplication device according to claim 16.