KR100632928B1 - The Modular multiplier - Google Patents

Abstract

In the present invention, a new modular multiplier circuit is proposed to process the modular power required at high speed in providing an information security service.

In order to solve the carry propagation problem according to the present invention, a carry storage type adder utilizing CPA is designed to guarantee the maximum carry propagation within one clock time. The time to print was reduced.

In addition, according to the reduced multiplier according to the present invention, the addition circuit is reduced to 1 / k and designed to perform multiplication on a large integer even under a limited design condition, and the adder is repeatedly used.

Multiplier, Montgomery multiplier, modular

Description

Modular multiplier

1 is a block diagram of a conventional Montgomery multiplier.

2 is a block diagram of another conventional Montgomery multiplier.

Figure 3 is a block diagram of a carry storage multiplier according to the present invention.

4 is a detailed block diagram illustrating the CPA shown in FIG. 3 in more detail.

5 is a block diagram of a Montgomery multiplier using a reduced adder in accordance with the present invention.

The present invention relates to a multiplier for performing multiplication according to the Montgomery algorithm, and more particularly, to a Montgomery multiplier using a carry storage type adder or a reduced adder using CPA.

Public-key cryptography systems require modular exponentiation operations on large integers of more than 512 or 1024 bits, most of which can be handled by repeating hundreds of modular multiplications. In particular, even in a physically limited design space such as a cryptographic IC card, there is a case where a high speed, low capacity modular multiplication circuit is required for real time information protection service.

Many modular multipliers developed to date are based on the Montgomery algorithm. The Montgomery algorithm has a structure in which the internal operation of the multiplier is regular and the data flow is constant, making the hardware easy to implement.

Multipliers using the Montgomery algorithm include Arazi's Digital Signature Device (DSD) and Walter's planar systolic array. Arazi's proposed DSD multiplier can perform Montgomery modular multiplication by using only adders, registers, and multiplexers (MUX), but it does not present a specific adder used to solve the carry propagation problem. You can't say that completely.

은 두 수 A,B를 곱한 결과를 N으로 나눈 나머지를 취하는 연산이다. 몽고메리 모듈라 곱셈은

가 아닌

을 수행하는데 여기서 R은 N과 서로 소인 N보다 큰 정수이다. 본 명세서에서 A, B 및 N를 모두 n비트라고 가정한다. 또, 각 정수를 기저(base) r로 표현하면

,

및

과 같이 l자리로 나타낼 수 있는데 r=2인 경우에는 l자리는 n비트와 같아진다.The modular power A ^E mod N used in the public key cryptosystem is a repetition of modular multiplication. General Modular Multiplication

Is an operation that takes the remainder of multiplying two numbers A and B by N. Montgomery Modular Multiplication

Not

Where R is an integer greater than N and the prime of N mutually. It is assumed herein that A, B, and N are all n bits. In addition, if each integer is expressed in base r,

,

And

As shown in the figure below, when r = 2, l places equals n bits.

이나

을 간단히 계산할 수 있도록 R=rⁿ으로 하는 것이 일반적이다. 본 명세서에서 r=2이라 가정하며 몽고메리 곱셈은

으로 구체화한다. 따라서 몽고 메리 모듈라 곱셈 알고리듬은 r=2이고, N이 홀수인 경우, 아래와 같이 간단히 나타낼 수 있다. The Montgomery algorithm first selects N greater than N

or

It is common to make R = r ⁿ to simplify the calculation of. In the present specification, it is assumed that r = 2, and Montgomery multiplication

To embody. Therefore, if the Mongolian Mary's modular multiplication algorithm is r = 2 and N is odd, we can simply write

(1) T = 0

(2) for i = 0 to n-1 step 1 {

  (2a) C [i] = (T [0] + A [i] B [0]) mod 2

  (2b) T = T + A [i] B

  (2c) T = T + C [i] N

  (2d) T = T / 2}

(3) return (T)

Step 2b above is an iterative process for multiplying A and B and step 2c is an iterative step for modular reduction. Also, steps 2c and 2d are equivalent to simply shifting T 'to the right when C [i] = 0, and shifting to the right after N is added to T when C [i] = 1. The algorithm can be implemented in hardware by looping n loops and using two n-bit adders for each loop and shifting this output to the right. In the algorithm, it can be seen that the final calculated value after the nth loop becomes T = AB2- ⁿ mod N.

을 계산한다.FIG. 1 shows a modular multiplier 100 designed according to the Montgomery modular multiplication algorithm. The n-bit adder 130 of this multiplier adds the output T and A [i] B of the register 110, which stores the intermediate calculation value, and the n-bit adder 140 adds the output of the previous adder 130 to C [. i] is added to C [i] N depending on the value. That is, the n bit adder 130 performs step 2b of the Montgomery algorithm, and the n bit adder 140 performs step 2c of the Montgomery algorithm. Except for the last bit Tout of the output thus obtained, it is fed back to the input of the n-bit adder 130, which has the same effect as shifting the bit by one bit to the right, so that step 2d of the Montgomery algorithm Will be performed. This process is repeated n times according to each bit A [i] of the multiplicand A.

Calculate

In the multiplier structure, two adders are used to add a large integer. If CPA is used, a carry propagation problem occurs. In particular, considering that the number used in the calculation is a large integer of 512 bits or more, it is practically difficult to use CPA due to the carry propagation problem. The CSA can be used to solve the carry propagation problem. The CSA divides the sum of these values into a carry and sum for three bit inputs and outputs the result value in two bits. By using the CSA as an adder, each bit can be processed independently, so that carry propagation can be solved, but the disadvantage is that the carry and sum must be added again to obtain the correct final calculation value.

2 shows a Montgomery multiplier 200 using CSA.

에 해당하는 캐리와 합의 값을 얻을 수 있다. Looking at the operation of Figure 2 in detail. First, the first CSA 230 adds a multiplier B to an intermediate calculated value T according to A [i], which is each bit of multiplier A. At this time, the added value is represented as a sum with a carry which is the output of the CSA, and in the second CSA 240, N is added according to C [i]. Then, at the output of the CSA 240, the last bit CO [1] for the carry to the last bit CI [0] of the next input, the last bit 0 for the sum, and the second bit TO [1]. By feeding back the last bit TI [0] of the next input, the same effect is obtained by shifting the resulting bit down one bit. All of this is done in one clock, and this process is repeated for all bits of multiplicand A, so that only the number of bits in A, n clock

You can get the value of the agreement with the carry.

The use of CSA solves the carry propagation problem, but each time a multiplication is done, the carry and sum must be corrected to the final value to use this result for the next operation. In other words, each time multiplication is done, a separate circuit or a microprocessor is required to obtain the correct result. However, here's how to add carry and sum to get the correct end result without any additional circuitry or microprocessor operation.

클럭 동안은 두 수의 모듈라 곱셈을 수행하고 다음

클럭 동안은 캐리와 합을 더하는 과정을 수행하면, 별도의 회로를 추가하지 않고 곱셈기 자체를 반복적으로 이용함으로써 2n클럭 후에 최종 결과를 얻을 수 있다. 이와 같은 방법은 별도의 회로나 마이크로프로세서의 운영없이 최종 결과를 2n클럭 후에 얻을 수 있지만 실제 연산을 위한 클럭에 비해 최종 결과로 보정하는데 추가되는 클럭이 많아 수행 시간 측면에서는 효과적이지 못하다.If after n clocks, both A [i] and N [i] are entered as 0 and one more clock is applied, it simply adds the carry and sum to divide by 2 and the final result in Tout of FIG. The least significant bit is output. If this process is repeated for n clocks, the final result plus all carry and sum is output one bit to Tout terminal. After all, first

During the clock, we do two modular multiplications and then

During the clock, the carry and the summation process can be used to obtain the final result after 2n clocks by repeatedly using the multiplier itself without adding a separate circuit. This method can achieve the final result after 2n clocks without the operation of a separate circuit or microprocessor, but it is not effective in terms of execution time because more clocks are added to correct the final result compared to the clock for actual operation.

The present invention is to solve the above problems and to provide a circuit structure of a modular multiplier with high speed and low hardware burden. The multiplier according to the present invention includes a carry propagation adder (CPA) of a suitable bit to allow carry propagation within one clock in order to solve the carry propagation problem that occurs during general modular multiplication and to increase the operation speed. Use a carry saved type adder.

In addition, most of the multipliers presented so far use n-bit adders, which process n-bit additions in one clock. This is sometimes difficult to apply when the operation bit is large but the design conditions are limited.

In view of the above, the present invention is to design a w-bit adder to repeatedly use an adder of w (where w ≦ n) bit size even when an operation bit is n. Therefore, the multiplier according to the present invention is designed to be tradeoffs in consideration of computation time and circuit complexity in a system where hardware implementation conditions are insufficient or fixed.

In this way, the carry storage adder using CPA is considered as a method of improving the speed delay problem caused by the carry and consensus correction process. The basic circuit of the carry storage adder using CPA for n-bit multiplication is shown in FIG. 3, and has a carry storage adder structure as a whole. However, the inside thereof binds n FA (Full Adder) by b and divides them into m = n / b blocks, and each block is configured using CPA. However, m is assumed to be an integer, and in FIG. 3, TIi and TOi are sum data composed of b bits, and CI [i], CO [i], DI [i], DO [i], and the like carry data of one bit. Means. It should be noted that the number of FAs in a block should be considered under the condition that the time required for calculation in one block does not exceed one clock including carry propagation. For example, assuming that the execution time for passing one FA is 1 ms and b = 32, the time taken to pass one block of the CPA in this case is about 32 ns. If the main clock of the multiplier is 10 MHz, one clock time is 100 ns, and all operations including carry propagation are completed in one clock, which is enough time for the carry propagation to not be affected. Therefore, carry propagation within each block is less than one clock time, so carry propagation is not a problem. Therefore, CPA can be designed using more FAs within a range of b less than 100.

4 shows a detailed circuit diagram between the CPA composed of the b bits and the adjacent CPA. In the example of FIG. 4, two stages are taken from the LSB as the CPA composed of three FAs with b = 3. As shown in FIG. 4, a CPA composed of b FAs generates b sums and one carry. The generated carry is not added to the upper FA but is shifted one bit to the right, so it is stored in the register and added to the CPA's MSB when the next clock comes in. The FA input bit located on the MSB side of the CPA is determined by XORing the carry from the previous clock and the carry from its lower FA.

의 결과가 생성된다. 그러나 그 결과의 형태는 n비트의 합(sum)과 m비트의 캐리 형태로 출력된다. 따라서 A[i]=N[i]=0인 상태에서 m번의 클럭을 추가하면 최종 결과는 매 클럭마다 Tout으로 한 비트씩 출력되어 모두 m비트가 나오고 나머지 (n-m)비트는 n비트 저장용 레지스터에 LSB부터 저장된다. 따라서 최종 결과 값은(n+m)클럭만에 최하위단(m비트)과 레지스터((n-m)비트)에 저장된다. 또한 중간 결과값, 즉, 캐리를 저장하기 위한 레지스터용 D 플립플롭의 개수도 도 2의 2n개에 비해 n+2m로 줄어들게 된다. In this case, in case of using the carry storage adder 400 composed of blocks of m CPAs, after n clocks,

Result is generated. However, the result is output in the form of a sum of n bits and a carry of m bits. Therefore, if m [clock] is added with A [i] = N [i] = 0, the final result is outputted one bit to Tout every clock so that all m bits come out and the remaining (nm) bits are n bit storage registers. Are stored from the LSB. Therefore, the final result is stored in the lowest order (m bits) and register ((nm) bits) only with (n + m) clocks. In addition, the intermediate result value, that is, the number of D flip-flops for registers for storing a carry is reduced to n + 2m compared to 2n of FIG. 2.

The multiplier can solve the carry propagation problem, but can be applied only when n bits of fixed size are used. If you design a circuit that requires 1024-bit multiplication, you need to create a new circuit to do more than n. In addition, the size of the adder has a disadvantage that increases in proportion to the size of the number to be calculated. This multiplier structure must multiply integers of large length, but it is difficult to use them where the design space is constant. If the available gate is constantly limited, computational circuits requiring more gates cannot be constructed. Therefore, there is a need for a multiplier design method capable of multiplying large integers even in a limited design space.

Accordingly, the present invention provides a method of flexibly using the multiplier described above even in a limited design environment. Assuming modular multiplication for n bits, the adder for large integers, the core circuit of the multiplier, is not designed to handle n bits, but the adder is reduced to 1 / k (where k = 1, 2). , 4, 8, ... are assumed to be in the form of 2 ⁱ ). In this case, if the size of the w bits (w = n / k ≤ n) is designed, the calculation time is increased by k times, but the adder required for the design is about w bits, which can be reduced by 1 / k times. However, it is effective to design w = n / k to be an integer in order to simplify the circuit here. For example, if a 1024-bit adder is reduced to k = 4 and a w = 256-bit adder is implemented, the 1024-bit adder is used four times to perform a 1024-bit add operation. However, when k = n / w is a divisor of m = n / b, it is effective.

, 및

로 표현할 수 있다. 여기서 BW[j]와 NW[j]는 n비트를 w비트의 워드로 나눈 것으로 가정할 때 j번째의 워드에 있는 계수(coefficient)를 의미한다. To this end, first, B and N are each grouped by w bits to form a word and processed sequentially. Thus, A, B, and N are each

, And

Can be expressed as Here, BW [j] and NW [j] mean coefficients in the jth word, assuming n bits are divided by words of w bits.

The Montgomery algorithm described above in two-dimensional form for word-by-word processing of integers B and N is shown below. The addition of small integers from 2b to 2d in the above Montgomery algorithm corresponds to the following 2b to 2d, respectively. An important feature of the algorithm below is that T [j] and CN [j] are simultaneously T [j] by allowing maximum of one bit for carry (CW1) generated in process 2b and carry (CW2) generated in 2c. Is to design the carry process more easily than If A [i] B [j] and CN [j] are added to T [j] at the same time, the carry is maximum 2 bits, so it is not easy to carry in hardware implementation.

(1) T = 0

(2) for i = 0 to n-1 step 1 {

(2a) C [i] = (T [0] + A [i] B [0]) mod 2

         CW1 [0] = CW2 [0] = 0

          for j = 0 to k-1 step 1 {

(2b) CW1 [j + 1] = (T [j] + A [i] B [j] + CW1 [j]) / 2 ^w

T [j] = (T [j] + A [i] B [j] + CW1 [j]) mod 2 ^w

(2c) CW2 [j + 1] = (T [j] + C [i] NW [j] + CW2 [j]) / 2 ^w

T [j] = (T [j] + C [i] N [j] + CW2 [j]) mod 2 ^w

(2d) T [j] = T [j] / 2

            }

         }

(3) return (T)

5 is a block diagram of a multiplier 500 for implementing Algorithm 2 of Equation 2. Compared with FIG. 1, FIG. 1 shows that FIG. 5 adds k bits smaller than n by k times, compared to adding n bits by one big adder when adding a large integer. Can be. In FIG. 5, the k registers 510 and the adders 530 and 540 for storing T process data in w bits, that is, word units. In addition, A [i] is input n times in units of bits, and each time BW [j] and NW [j] are input in units of words. As a result, the size of the adder can be reduced to 1 / k, while the number of clocks required is increased so that there is a buffer between them.

Consider the w-bit adder structure in the multiplier structure of FIG. If the CSA shown in FIG. 2 is used, the number of clocks to obtain the final result requires 2nk clocks, and if the carry storage type adder using the CPA shown in FIG. 3 is used, the clock required for one multiplication is (n + m). Only (n + m) k clocks, k times the clock, are needed.

In the present invention, a modular multiplier circuit is designed by using a method of repeatedly adding a small integer to a small size adder. In addition, the simulation was confirmed by the schematic method using ALTERA MAX + PLUS II, a VLSI design tool. An important part of the circuit implementation is the two w-bit adder circuits used in FIG.

As a concrete example, assuming that Montgomery modular multiplication of n = 1024 bits is required and the design space is limited, an adder of about 256 bits can be designed, and k = 4. If you use a 10MHz main clock, you can allow carry propagation for a clock time of about 100ns. In this case, m = 1024/64 = 16 because b = 64 less than 100 can be chosen, which means that the signal passing through FA is 1 ns. Therefore, in one multiplication, (n + m) k × 100ns becomes 416ms. In addition, a 40MHz main clock allows carry propagation for clock times as high as 25ns. In this case, m = 1024/16 = 64 because b = 16 less than 25 can be selected on the assumption that the signal passing through FA is 1ns. Therefore, to perform one multiplication, (n + m) k × 25ns becomes 109ms.

Table 1 compares a conventional DSD multiplier and a multiplier using iterative addition according to the present invention. However, here we do not consider the registers for storing A, B, and N, which are basically used in both methods to understand the correct circuit improvement. In the case of DSD, the execution time is indicated as n + 1 clock, but this is the case when CPA is used for DSD, which can be difficult to solve in large integer operation. When using the CSA, as noted, circuitry is needed to correct the results of the agreement with Carry to the correct values. The multiplier according to the present invention can greatly reduce the capacity of the register among the hardware components, and can reduce the integrated logic gate much since no MUX is used.

For reference, suppose you need five basic logic gates for D flip-flop, five gates for FA, and ten gates for 4: 1 MUX. The method of calculating the required gate for each method is as follows.

① DSD:

D flip-flop (3 n ) + FA ( n ) + MUX ( n ) = (15 + 5 + 10) n = 30 n gate

② When using n-bit adder (ie k = 1, m = n / b):

D flip-flop ( n + 2 m ) + FA (2 n ) + AND / XOR (2 n + 4 m ) = (5 + 10 + 2) n + (10 + 4) m = 17 n +14 m gate

   ③ The multiplier used after reducing the adder to 1 / k (ie k = n / w, m = n / b, w> = b):

D flip-flop ( n + 2 m ) + FA (2 n / k ) + AND / XOR (2 n / k + 4 m ) = 5 n + 10 n / k + 2 n / k + 14 m

= 5 n + 12 n / k + 14 m gates

 (m = n / b, k = n / w and w> = b, especially when k = 1 in ③, same as using n-bit adder)

As shown in the above formula, it can be seen that the multiplier according to the present invention has fewer gates for designing the circuit than the DSD method. If the adder in the multiplication method according to the present invention has an n-bit size as it is, k = 1, which is similar to the case of using a carry storage type adder using CPA. If the divider is added by 1 / k, the gate count of the parts (FA and AND) except the register is reduced to 1 / k. On the contrary, it can be seen that the multiplication time of the multiplier according to the present invention is increased by about k times.

Comparison of conventional multipliers and multipliers according to the present invention DSD Multiplier according to the present invention Execution time (clock) n +One  (Carry propagation resolution problem) (n + m) k (k = n / w: number of divisions, m = w / b: number of CPAs) Hardware components Register (D flip-flop) ^* 3n n + 2m FA n 2n / k 4: 1 MUX n 0 AND / XOR gate 0 2n / k + 4m Total (Default Gate) 30n 5 n + 12 n / k + 14 m

*: Common registers for storing A, B, and N

In the present invention, a new modular multiplier circuit is proposed to process the modular power required at high speed in providing an information security service.

In order to solve the carry propagation problem according to the present invention, a carry storage type adder utilizing CPA is designed to guarantee the maximum carry propagation within one clock time. The time to print was reduced.

In addition, according to the reduced multiplier according to the present invention, the addition circuit is reduced to 1 / k and designed to perform multiplication on a large integer even under a limited design condition, and the adder is repeatedly used. The circuit structure used in the adder may use the carry storage adder using the CPA in consideration of the speed of the main clock, the hardware design space, the calculation time, and the carry propagation, and the circuit size may be flexibly selected. However, since the tradeoffs between the design space and the execution time are applied, it is k times longer than the case where the design of the addition circuit is reduced to 1 / k. Finally, in an n-bit modular multiplication circuit, the adder is reduced to 1 / k and the adder uses m (where m = n / b = k = n / w) CPA (n + m) k clocks only. You can get a complete multiplication result. Therefore, the multiplier according to the present invention can be designed in various ways according to the design conditions of the circuit, that is, the number of gates required, and thus can be usefully used in applications such as cryptographic IC cards.

Claims (2)

In the carry storage adder using CPA for n-bit multiplication, a carry storage adder in which n full adders are grouped by b and divided into m = n / b blocks, and each block is constructed using CPA. In a multiplier implementing the Montgomery algorithm, a multiplier that reduces the adder used for modular multiplication of n bits to 1 / k, configures the adder and the register with n / k = w bits, and repeats k times to perform multiplication.

Images