KR100486697B1 - Modular arithmetic apparatus and method thereof - Google Patents

Abstract

The present invention relates to a modular computing device for use in public key encryption / decryption and digital signature systems. The apparatus for calculating a has a storage capacity of k bits, A memory means for storing A, B, N, respectively, B memory means, N memory means; A multiplier that receives two values of w bits in parallel and outputs the result of 2w bits multiplied in parallel; An adder for receiving two 2w bit values in parallel and outputting the sum result in parallel; an accumulator having a storage capacity of k + 2w bits, determining 2w bits among the clocks and outputting them as an adder, and storing the value input from the adder at the position of the output bits; J memory means having a storage capacity of w bits and storing N ₀ ^-1 mod 2 ^w precomputed; q memory means having a storage capacity of w bits and storing high order w bits from the output of the multiplier; First selecting means for selecting one of a J memory means, a B memory means, and an N memory means to connect to a multiplier; Second selecting means for selecting one of an A memory means, a q memory means, and an accumulator and connecting the multiplier; And third selecting means for selecting one of the q memory means and the adder to connect the multiplier.

According to the present invention, a digital signature is implemented by simply implementing a circuit for calculating A · B · 2 ^−k mod N, which is a circuit for calculating the modular multiplication or modular power required by a digital signature device and a public key encryption / decryption device. The cost required to manufacture devices and public key encryption / decryption devices can be reduced.

Description

Modular arithmetic apparatus and method

TECHNICAL FIELD The present invention relates to a modular computing device, and more particularly, to a modular computing device and a method for use in a public key encryption / decryption and digital signature system.

In 1976, Diffie and Hellman introduced the concept of the Public Key Cryptosystem for the first time using a one-sided problem of mathematically very difficult problems to prepare a new biography of modern cryptography. Conventional or symmetric cryptosystems have disadvantages such as difficult to manage keys and difficult to implement digital signatures because two users who want to communicate must share the same secret key. However, in the public key cryptosystem, the public key and the private key are calculated using one-sided problems that are difficult to solve mathematically, the public key is open to everyone, and only the private key is kept by each user. Therefore, anyone who has the public key of the other party who has been disclosed can perform secret communication with the other party.

The most widely used difficult problems in public key cryptosystems are the discrete logarithm problem and the prime factorization problem. Representative public key cryptosystems include ElGamal cryptosystems based on discrete algebra and Revest Shamir Adleman (RSA) cryptosystems based on prime factorization. International standards such as the International Organization for Standardization (ISO) / the International Electrotechnical Commission (IEC) 9796, the DSA in the United States, and the GOST in Russia In Korea, there is KC-DSA.

Most of these public key cryptosystems require modular exponentiation (M ^e mod N) operations, and it is essential to perform modular multiplication (AB mod N).

Algorithms for modular multiplication are proposed as classical algorithms, Barrett's algorithms, and Montgomery algorithms.

The classical algorithm is a method of modular reduction by repeating the process of estimating the quotient by one digit and calculating the remainder as if it is usually divided by a pencil to obtain the remainder. This is the most common modular reduction algorithm that can be applied in either case because there is no restriction on law M and no pre or post calculation is required. However, the estimation of the quotient requires a division (slower than multiplication), and if the estimated quotient is not an exact value, additional addition or subtraction is required, which is relatively slow.

Barrett's algorithm estimates the total quotient at once using precomputed values for a fixed method and performs modular reduction by multiplication alone. This gives better performance than the classical algorithm when the law M is fixed or when a modular power operation requires a large number of modular multiplications for the same law.

Montgomery's algorithm is the most widely used algorithm for public key cryptography that requires modular power because it is faster than other algorithms. In other words, a given number is converted to a different water system, which can be modularly reduced, and then reduced to a modular water system, and then converted back to the original water system to obtain a desired result. In the calculation of the modular power required by most public key cryptosystems, this algorithm shows very good performance compared to other algorithms because these pre / post calculations have little effect on the overall performance.

An object of the present invention is to provide a modular arithmetic device and method which can efficiently perform modular power and modular multiplication operations used for public key cryptography / decryption and digital signature using Montgomery algorithm. .

In order to achieve the above object, the modular operation according to the present invention An apparatus for calculating a memory has an storage capacity of k bits, A memory means for receiving the A value in parallel, shifting in a lower bit direction in units of w bits for a predetermined clock, and outputting the least significant w bits in parallel; B memory means having a storage capacity of k bits, receiving the B value in parallel, rotating in the lower bit direction in units of w bits per predetermined clock, and outputting the least significant w bits in parallel; an N memory means having a storage capacity of k bits, receiving the N values in parallel, rotating each of the predetermined clocks in a lower bit direction in units of w bits, and outputting the least significant w bits in parallel; A multiplier that receives two values of w bits in parallel and outputs the result of 2w bits multiplied in parallel; An adder for receiving two 2w bit values in parallel and outputting the sum result in parallel; an accumulator having a storage capacity of k + 2w bits, determining 2w bits among the clocks and outputting them to the adder, and storing the value input from the adder at the position of the output bit; J memory means having a storage capacity of w bits and inputting in parallel N ₀ ^-1 mod 2 ^w and outputting them in parallel (where N ₀ is the least significant bit of N); q memory means having a storage capacity of w bits and receiving the upper order w bits in parallel from the output of the multiplier and outputting them in parallel; First selecting means for selecting one output from among the w-bit outputs of the J memory means, the B memory means, and the N memory means and transferring the output to the multiplier; Second selection means for selecting one output from among the w-memory means of the A memory means, the q memory means, and the accumulator and transferring the output to the multiplier; And third selecting means for selecting one of the q memory means and the adder to deliver the output of the multiplier (where k = w · s, where k, w, s are all 2). Integer greater than or equal to).

In order to achieve the above another object, the modular operation using the modular operation device according to the present invention The method of calculating (a) stores A, B, and N, which are k bits, in the A memory means, the B memory means, and the N memory means, respectively, and calculates N ₀ ^-1 mod 2 ^w in advance to store the J memory. Storing in the means and initializing the accumulator to '0'; (b) (b.1) said multiplier performing multiplication of A ₀ of least significant w bits stored in said A memory means and B ₀ of least significant w bits stored in said B memory means; And (b.2) wherein the adder is calculated and the result S _i S _i-1 bits of the accumulator 2w one of the multipliers S _i S in addition to the value stored in the (where, i denotes the number of repetitions), the accumulator storing _i-1 (where i denotes the number of repetitions), shifting the B memory means to the w bit lower bit side every clock, and shifting the input / output position of the accumulator to the w bit upper bit side. Repeating s times while calculating A ₀ B value; (c) the multiplier multiplying the least significant w bits S ₀ of the accumulator by J ₀ of the J memory means and storing in the q memory means; (d) (d.1) said multiplier performing multiplication of N ₀ of least significant w bits stored in said N memory means with q ₀ stored in said q memory means; And (d.2), the adder and the calculation result S _i S _i-1 bits of the accumulator 2w one of the multipliers S _i S in addition to the value stored in the (where, i denotes the number of repetitions), the accumulator storing in _i-1 (where i denotes the number of repetitions), shifting the N memory means to the lower bit side of the w bit at every clock, and shifting the input / output position of the accumulator to the upper bit side of the w bit; Repeating s times while calculating q ₀ N values; (e) shifting the value stored in the accumulator to the w bit lower bit side; (f) performing steps (b) to (e) s times while shifting the A value stored in the A memory means to the w bit lower bit side; And (g) if the value stored in the accumulator is greater than N, performing S = S-N.

Hereinafter, the present invention will be described in detail with reference to the accompanying drawings.

The present invention is a number of k bits each

For the purpose of efficiently implementing A · B mod N using the Montgomery algorithm. Where A, B, and N are It can be represented by a large number, and can be represented by s words having w bits. That is, when r = ^2w , k = s * w and k, w, s are all integers of 2 or more. The Montgomery function f _m (A, B, N) is a function that calculates A · B · R ⁻¹ mod N (where R = 2 ^k ).

To perform the modular multiplication A · B mod N using the Montgomery function f _m (·), calculate P = R ² mod N and store it in advance. T = f _m (A, B, N) = A · B · After calculating R ^-1 mod N, P-T-R ^-1 mod N = A-B mod N can be calculated.

According to the Montgomery algorithm, T = f _m (A, B, N) = A, B, R ^-1 mod N can be calculated as However, r = 2 ^w , R = r ^s , J ₀ ≡ N ₀ ^-1 mod r, and S is an accumulator that stores an intermediate value.

S = 0

for i = 0 to s-1

S = S + A _i × B

q _i = S ₀ × J ₀ mod r

S = S + q _i × N

S = S / 2 ^w

endfor

if S> N then S = S-N

The present invention proposes a method using several registers (or memory), MUX, w-bit parallel multiplier, and 2-w bit adder to implement the above algorithm in hardware.

According to FIG. 1, the modular computing device according to the present invention is configured using only one multiplier and one adder to minimize hardware complexity.

The A memory means 10, the B memory means 12, and the N memory means 14 are each implemented with k-bit registers or similar types of memory. 10 shifts to the right, and the B memory means 12 and the N memory means 14 each rotate to the right.

The accumulator 20 is a register of k + 2w bits and stores a temporary value of the calculation process, and reads and writes in the unit of 2w bits with the adder 18 in one clock.

The J memory means 22 is implemented with a w bit register or similar type of memory that stores a precalculated value, and the q memory means 24 is a w bit register or similar type that stores a value calculated every clock. Is implemented in memory.

The multiplier 16 receives two values of w bits in parallel and calculates a result of 2w bits in one clock.

Reference numerals 26 and 28 are multiplexers, respectively, and reference numeral 30 is a demultiplexer.

Hereinafter will be described the operation of the modular operation device according to the present invention.

The modular arithmetic unit according to the present invention receives A, B, and N each consisting of s words each having w bits, and calculates A · B · R ⁻¹ mod N in the s · (2s + 4) clock.

1 is a circuit for calculating T = f _m (A, B, N) = A, B, R- ¹ mod N, based on the following algorithm.

S = 0

for i = 0 to s-1

for j = 0 to s-1

S = S + A _i × B _j

endfor

q _i = S ₀ × J ₀ mod r

for j = 0 to s-1

S = S + q _i × N _j

endfor

S = S / 2 ^w

endfor

if S> N then S = S-N

Next, a process of calculating T = f _m (A, B, N) = A · B · R ⁻¹ mod N will be described based on FIG. 1.

(a) First, k, A, B, and N bits are stored in the A memory means 10, the B memory means 12, and the N memory means 14, respectively, as initialization steps. The accumulator 20 is initialized to '0'.

(b) When all data is input to each memory means (10, 12, 14), the first multiplexer 26 is of w bits stored in the B memory means (12), B _0, the second multiplexer A memory means Select A ₀ of w bit stored in (10).

(c) The multiplier 16 performs multiplication by inputting the values stored in A ₀ and B ₀ in parallel, and the result A ₀ × B ₀ is transferred to the adder 18 selected by the demultiplexer 30 to accumulate ( It is added to the value stored in the 2w bit S _i S _i-1 of 20), where i represents the number of repetitions. At this time, the added result is stored in S _i S _i-1 (where i represents a repetition count) of the accumulator 20 at the next clock, and a carry value is stored for the next addition.

(d) The B memory means 12 is shifted to the right of the w bit at every clock, and the processes of (b) and (c) are repeated s times to calculate the A ₀ B value. During this process, the accumulator 20 transfers data to and from the adder 18 to the upper bit side in units of w bits every clock.

(e) After calculating the A ₀ B value, select the S ₀ value using the second multiplexer, select the J ₀ value using the first multiplexer, and then set the q ₀ value by the multiplier 16 at the s-th clock. Is calculated and then stored in the q memory means 24 selected by the demultiplexer 30 on the next clock.

(f) The first multiplexer selects N stored in the N memory means 14, and the second multiplexer selects a q ₀ value stored in the q memory means 24.

(g) Calculate q ₀ N similarly to calculate A ₀ B in steps (b) to (d) during the other clocks.

(h) The value stored in the accumulator 20 is shifted to the right of the w bit, which is a word unit.

(i) If the A value stored in the A memory means 10 is shifted to the right side of the w bit, which is a word unit, and the steps (b) to (h) are performed s times, the accumulator 20 has T = f _m (A , B, N) = A · B · R ^-1 mod N value is stored.

(j) If the value stored in the accumulator 20 is larger than N, S = S-N is performed.

In the present invention, all the elements except the memory means are implemented as a simple combination circuit, so in order to prevent incorrect operation of the circuit, it is necessary to provide a clock sufficient to ensure the propagation delay time of the connected combination circuit.

2 shows the timing relationship of this calculation process.

Therefore, the process of calculating the modular multiplication A · B mod N using the modular operation device according to the present invention is as follows.

(1) First, calculate P = 2 ^2k mod N in advance.

(2) Next, C = ^{A.B.2 -k} mod N is calculated using the circuit shown in FIG.

(3) Finally, P · C · 2 ^−k mod N = A · B mod N is calculated.

The process of calculating the modular power m ^e mod N using the modular operation device of FIG. 1 is as follows.

(1) Store the exponent e in a register or similar form of memory.

(2) Store law N in register N.

(3) Initialize accumulator S to '0'.

(4) Montgomery Modular Multiplication Do this. However, the base P of the power operation is the same value as the value calculated in advance in the process of calculating the modular multiplication.

(5) Load m 'into register B.

(6) Modular square operation is performed using the value loaded in register B. At this time, A required for Montgomery modular multiplication is loaded from register B.

(7) Ignore '1', the most significant bit (MSB) of exponent e, and make the next bit the current bit.

(8) Modular square operation is performed by using the value stored in register B as a multiplier and a multiplicand. The result is loaded into register B.

(9) When the current bit of the exponent e is' 1 ', the modular multiplication operation is performed with the base m' of the power operation as a multiplier and the value of the register B as a multiplier. The result is loaded into register B.

(10) After performing steps (8) to (9) for all bits of the exponent e, a modular multiplication operation is performed by setting 1 to a multiplier and a value of register B as a multiplier.

After performing steps (1) to (10), the value remaining in the accumulator S becomes the final modular power m ^e mod N.

According to the present invention, a digital signature is implemented by simply implementing a circuit for calculating A · B · 2 ^−k mod N, which is a circuit for calculating the modular multiplication or modular power required by a digital signature device and a public key encryption / decryption device. The cost required to manufacture devices and public key encryption / decryption devices can be reduced.

1 is a block diagram of a modular computing device according to the present invention.

FIG. 2 is a timing diagram of the modular computing device of FIG. 1.

Claims (4)

Modular operations In the device for calculating A memory means having a storage capacity of k bits, receiving the A value in parallel, shifting in a lower bit direction in units of w bits per predetermined clock, and outputting the least significant w bits in parallel; B memory means having a storage capacity of k bits, receiving the B value in parallel, rotating in the lower bit direction in units of w bits per predetermined clock, and outputting the least significant w bits in parallel; an N memory means having a storage capacity of k bits, receiving the N values in parallel, rotating each of the predetermined clocks in a lower bit direction in units of w bits, and outputting the least significant w bits in parallel; A multiplier that receives two values of w bits in parallel and outputs the result of 2w bits multiplied in parallel; An adder for receiving two 2w bit values in parallel and outputting the sum result in parallel; an accumulator having a storage capacity of k + 2w bits, determining 2w bits among the clocks and outputting them to the adder, and storing the value input from the adder at the position of the output bit; J memory means having a storage capacity of w bits and inputting in parallel N ₀ ^-1 mod 2 ^w and outputting them in parallel (where N ₀ is the least significant bit of N); q memory means having a storage capacity of w bits and receiving the upper order w bits in parallel from the output of the multiplier and outputting them in parallel; First selecting means for selecting one output from among the w-bit outputs of the J memory means, the B memory means, and the N memory means and transferring the output to the multiplier; Second selection means for selecting one output from among the w-memory means of the A memory means, the q memory means, and the accumulator and transferring the output to the multiplier; And And a third selecting means for selecting one of the q memory means and the adder to deliver the output of the multiplier (where k = w · s, where k, w, s is Are all integers greater than or equal to 2). The apparatus of claim 1, wherein the adder and the multiplier are respectively A modular computing device for performing addition and multiplication within one clock. The method of claim 1, wherein the first selecting means and the second selecting means are respectively. Is a multiplexer, The third selecting means is Modular operation unit, characterized in that the demultiplexer. Modular operation using the modular computing device of claim 1 In the method for calculating (a) storing A, B, and N, which are k bits, in the A memory means, the B memory means, and the N memory means, respectively, calculating N ₀ ^-1 mod 2 ^w in advance and storing them in the J memory means, Initializing the accumulator to '0'; (b) (b.1) said multiplier performing multiplication of A ₀ of least significant w bits stored in said A memory means and B ₀ of least significant w bits stored in said B memory means; And (b.2) In addition to the result of the adder's calculation of the multiplier and the value stored in 2w bits of S _i S _i-1 (where i represents the number of repetitions) of the accumulator, S _i S _i of the accumulator _-1 (where i denotes the number of repetitions), while shifting the B memory means to the w bit lower bit side every clock, and moving the input / output position of the accumulator to the w bit upper bit side. Repeating s times to calculate A ₀ B (c) the multiplier multiplying the least significant w bits S ₀ of the accumulator by J ₀ of the J memory means and storing in the q memory means; (d) (d.1) said multiplier performing multiplication of N ₀ of least significant w bits stored in said N memory means with q ₀ stored in said q memory means; And (d.2) In addition to the result of the adder's calculation of the multiplier and the value stored in 2w bits of S _i S _i-1 (where i denotes the number of repetitions) of the accumulator, S _i S _i of the accumulator _-1 (where i denotes the number of repetitions), while shifting the N memory means to the w bit lower bit side every clock, and shifting the input / output position of the accumulator to the w bit upper bit side. repeating s times to calculate the q ₀ N value; (e) shifting the value stored in the accumulator to the w bit lower bit side; (f) performing steps (b) to (e) s times while shifting the A value stored in the A memory means to the w bit lower bit side; And (g) if the value stored in the accumulator is greater than the N value, subtracting the N value from the value stored in the accumulator, and storing the result value in the accumulator. .