KR101128505B1 - method and apparatus for modular multiplication - Google Patents

Abstract

Provided are a modular multiplication operation method and a computing device for omitting separate comparison and subtraction processes for correcting the magnitudes of the intermediate and final result values of the Montgomery modular multiplication operation. By eliminating the separate calculation process for calculating the word-based Montgomery correction factor, and using the adder that operates independently during the operation of the modular operator, the size of the result of the modular multiplication is always kept smaller than the modulus N. Improves speed while minimizing hardware footprint.

Modular Multiplication, Montgomery, RSA

Description

Modular multiplication operation method and apparatus

Embodiments of the present invention relate to a modular multiplication operation method and a computing device for omitting separate comparison and subtraction processes for correcting the magnitudes of the intermediate and final resultant values of Montgomery modular multiplication operations.

The present invention is derived from a study conducted as part of the IT growth engine technology development project of the Ministry of Knowledge Economy and the Ministry of Information and Communication Research and Development. [Task management number: 2006-S-041-03, Assignment name: Security and trust of next generation mobile terminal Develop common security core modules for services.

The Rivest Shamir Adleman (RSA) cryptographic algorithm is implemented by performing modula multiplication, which is possible through iterative modular multiplication. Montgomery's algorithm is mainly used to perform this modular multiplication quickly.

To implement RSA encryption on systems with limited hardware resources, such as mobile TPMs, IC cards, and USIMs, word-base Montgomery does not process the entire data at once, but divides it into arbitrary word units. An algorithm is used.

However, since the modular multiplier designed by applying the word-based Montgomery algorithm processes a word-by-word operation, the calculation process for obtaining the Montgomery correction factor and the magnitude of the intermediate value and the resultant value in each calculation process are smaller than the modulus. A comparison and calculation process to calibrate additionally is required. Since these additional computations are often handled in software, the time delays that result are one of the major causes of poor overall modular multiplication and RSA performance.

In order to solve this problem, a method of not separately calculating Montgomery correction factors has been suggested. This is a principle that receives the entire data as it is and processes it. For example, in order to process data with more than 1024 bits, the area of hardware increases accordingly, so it is applied to small embedded systems such as mobile TPM, IC card, and USIM. There is a problem that is difficult to do.

In addition, a method of omitting the correction of the intermediate value and the result value has been proposed through the expansion of the entire data. For example, in the case of a system using a 32-bit system bus, a minimum 32-bit extension is required for the 2-bit extension. This is because both hardware and software have implementation problems due to redundancy.

In other words, hardware must inevitably increase the size of the modular multiplier. For example, to implement a 1024-bit modular operation, a 128-bit modular arithmetic unit can be used as long as the arbitrary number of bits is considered to be 128-bit. You may implement it. However, considering data expansion, to achieve similar performance, a 160-bit modular operator must be implemented, which increases the hardware area of the modular operator. In the case of software, when processing various data input / output and other related software operation, it should be processed in 1120-bit (160-bit * 7) data unit, not in 1024-bit data unit. Will result.

The present invention has been proposed to solve the above problems, to provide a modular multiplication method and apparatus for omitting the calculation process for the size correction of the intermediate value and the result of the operation in word-based modular multiplication for RSA encryption do.

One aspect of the present invention for achieving the above object, relates to a word-based Montgomery modular multiplication operation method for obtaining a modular multiplication result R for multiplier A, multiplicand B, modulus N, the sum (S) And a first step of initializing by dividing and carry (C), a second step of starting a loop for word order i of B, and starting a loop for the word order j of A in the i loop, A third step of initializing R, a fourth step of performing modular word multiplication of the A and B in the j loop, and a word unit addition in the j loop according to a predetermined condition. A fifth step of performing a maximum of three times; a sixth step of ending the j-loop and the i-loop, and adding the word unit twice; and if the final result value T is greater than the N, the N is determined from the final result value. Output the subtracted value, Value (T) comprises a seventh step of returning a final result is smaller than the N.

Another aspect of the present invention relates to a word-based Montgomery modular multiplication operation device for obtaining a modular multiplication result R for multiplier A, multiplicand B, and modulus N, wherein R is divided into sum (S) and carry (C). Initialize the loop, start the loop for word order i of B and the loop for word order j of A, and use the initialized R in word units for the A and B in the j loop. An operation unit for performing a modular multiplication, outputting a value obtained by subtracting N from a final result value if the final result value T is greater than N, and returning a final result value if the final result value T is less than N; and And an adder configured to perform word unit addition up to three times in the j loop according to a predetermined condition, to terminate the j loop and the i loop and to add the unit of word twice.

According to the present invention, in designing a modular multiplier that performs word-by-word operation to implement RSA encryption on small embedded systems such as mobile TPM, IC card, and USIM that simultaneously require low area and high speed, Even without additional software operation, the size of the result of modular multiplication can always be kept smaller than N by using an adder that operates independently during the operation of the modular operator. Eliminating delays can simplify the overall RSA operation.

DETAILED DESCRIPTION Hereinafter, exemplary embodiments of the present invention will be described in detail with reference to the accompanying drawings so that those skilled in the art may easily implement the present invention. The present invention may, however, be embodied in many different forms and should not be construed as limited to the embodiments set forth herein. In the drawings, parts irrelevant to the description are omitted in order to clearly describe the present invention, and like reference numerals designate like parts throughout the specification.

Throughout the specification, when a part is said to "include" a certain component, it means that it can further include other components, without excluding other components unless specifically stated otherwise. In addition, the terms “… unit”, “… unit”, “module”, etc. described in the specification mean a unit that processes at least one function or operation, which may be implemented by hardware or software or a combination of hardware and software. have.

First, the Montgomery modular multiplication algorithm used in the embodiment of the present invention will be described. An operation for obtaining the resultant R for the multiplier A, the multiplicand B, and the modulus N as shown in Equation 1 is called modular multiplication.

R = A * B mod N

Various algorithms exist for efficiently performing modular multiplication. Among them, Montgomery's algorithm uses the modular multiplication algorithm to calculate the calculation by moving the calculation from the integer Z _n area to the rZ _n area using the surplus coefficient r, which enables modular operation without using the classical division of the quotient and the remainder.

In this case, an additional operation for moving the region is required, but modular multiplication through repetitive modular multiplication such as Rivest Shamir Adleman (RSA) is not a single modular multiplication, but a main purpose of the modular multiplier. In the case of modular multiplication, the movement of the area is not performed every time, but only at the beginning and the end of the overall multiplication. In addition, since the movement of the region can also be performed by Montgomery modular multiplication, the Montgomery modular arithmetic method is very suitable for the implementation of the modular multiplier.

The surplus coefficient r has a value of 2 ⁿ for the number n of bits of data, and the result of the Montgomery modular multiplication algorithm is shown in Equation 2.

R = A * B * r ^-1 mod N

A general Montgomery algorithm for implementing Equation 2 may be represented as Equation 3.

Step 1: R = 0

Step 2: R = R + A * B

Step 3: m = R * N'mod r (where r * r ^-1 -N * N '= 1)

Step 4: R = (R + m * N) / r

Step 5: if (R> N) R = R-N

Step 6: return (R)

In Equation 3, the division operation of step 4 may be simply implemented as a shift operation.

As such, the Montgomery algorithm simplifies the division operation required for modular multiplication with only the multiplication operation and the shift operation. However, an operation process for obtaining the Montgomery correction factor m performed in step 3 must be additionally implemented, and additional operation time is required as much as this calculation amount. Therefore, it is more efficient not to perform a separate operation for obtaining the factor m.

The basic algorithm for performing modular multiplication without calculating the Montgomery correction factor m is shown in Equation 4.

Step 1: R = 0

Step 2: for i = 0 to n-1 {

R = R + A _i * B

R = R + R ₀ * N

R = R / 2

}

Step 3: if (R> N) R = R-N

Step 4: return (R)

Equation 4 can perform all modular multiplications only in the process of step 2 without additional computation to find the Montgomery factor m. This is an operation method that is applied when the entire data is input as it is and processed.

On the other hand, it is possible to consider a method of calculating by dividing the entire data to be processed in any word unit without performing at once. Equation (5) is a stepwise representation of Montgomery modular multiplication for such word-by-word operations.

Step 1: R = 0

Step 2: for i = 0 to p-1 {

Step 3: R = R + A * B _i (B _i is a w-bit word)

m = R ₀ * N ₀ 'mod 2 ^w (N ₀ * N ₀ '= -1 mod 2 ^w )

R = R + N * m

R = R / 2 ^w

}

Step 4: if (R> N) R = R-N

Step 5: return (R)

Looking at the performance of one column (A * B _i ) in Equation 5, A is divided into p w-bit words like B _i is multiplied by p word units, the performance of (N * m) Also divided into p w-bit word unit is multiplied by p word units. In general, the number of bits of a word is determined to be 32 bits or an integer multiple of the bits, considering the fact that the data size of the system bus of the system is 32 bits.

Therefore, since the apparatus implementing the algorithm of Equation 5 in hardware includes an arithmetic module in units of w-bit words and a module for controlling the same, the hardware area is reduced compared to the case of processing all data bits at once.

Another embodiment of Montgomery modular multiplication for wordwise operations is that each wordwise operation is performed independently of the previous result of the operation, storing the shifted value in each partial operation and adding it to the result of the previous word operation. You can do this in a way.

In this case, the multiplication result in word units is always maintained in the size of w-bit, and the addition process for obtaining the result value in each partial operation is preferably implemented as a separate module. The Montgomery modular multiplication algorithm of the present embodiment may be expressed as in Equation 6.

Step 1: R = 0, T = 0

Step 2: for i = 0 to p-1 {

Pre_c = 0, Next_c = 0

Step 3: for j = 0 to p-1 {

If (i == 0) R _j = 0 (R _j is the size of w + 1 bits)

Else R _j = T _j (T _j is the size of w bits)

Step 4: for b = 0 to w-1 {where b is the order of bits

R _j = R _j + A _jb * B _i

if (j == 0) m _b = R _j0 (m is the size of w bits)

else m _b = m _b

R _j = R _j + m _b * N _j

shift_data _b = R _j0 (shift_data is the size of w bits)

R _j = R _j / 2

} end for b

Step 5: (Pre_c, T _j ) = R _j + Pre_c

(Next_c, T _{j -1} ) = T _{j -1} + shift_data + Next_c

} end for j

} end for i

Step 6: If (T> N) T = T-N (where T is the size of n + 1 bits including the last Next_c)

Step 7: return (T)

For more efficient implementation, when determining an arbitrary number of bits w in Equation 6, the number of bits n '(n' ≥ n + 2) two or more bits larger than the total bits n as the total number of bits n '= w Implement in the form of * p. At this time, p is an arbitrary integer and the value of the bit larger than n is 0. This is because the result of a modular operation is always less than 2N, so that the result can be represented within a given bit size. Considering that the modular multiplier is a device for modular multiplication only, the calculation is performed with a bit number larger than 2 bits so that if the result of the modular multiplication operation is greater than N, the comparison of subtracting N from the result value is not necessary. The result always results in a value less than N. If a single result of modular multiplication is required, the comparison process can be performed separately outside the proposed computing device. Therefore, step (6) in the equation (6) can be omitted when implemented in hardware by using the data expansion in this way.

Another embodiment of Montgomery's modular multiplication for word-wise operations is that two full bits are obtained by subtracting the modulus N in addition to the result of each partial operation and the final result. By choosing one of the magnitude results, you can always keep the result of the modular multiplication less than N without any additional data expansion. The equation for this is shown in Equation 7 below.

In the following description, 111. The expression 1 means that all bits of the corresponding value are 1. In addition, S and C mean the sum and carry value of R, respectively.

Step 1: R = (S, C) = (0,0), T = 0, T '= 0

Step 2: for i = 0 to p-1 {

pre_c = 0, next_c = 0, sign_c = 1 (all three carry have 1 bit)

Step 3: for j = 0 to p-1 {

If (i == 0) R = (S, C) = (0,0) (R is w + 1 bit size, S, C is w bit size)

else {

If (j == p-1) {

If (check_ovf0 == 1) (S, C) = (T _j , 111… 1)

Else if (check_ovf1 == 1) (S, C) = (1, 111… 1)

Else (S, C) = (T _j , 0)

}

else (S, C) = (T _j , 0)

                }

Step 4: for b = 0 to w-1 {(where b is the order of bits)

R = R + A _jb * B _i

if (j == 0) m _b = R ₀ (m is the size of w bits, m _b is the bth bit of m, R ₀ is the 0th bit of R)

else m _b = m _b

R = R + m _b * N _j

If (j == 0) shift_data _b = 0

else shift_data _b = R ₀ (shift_data is the size of w bits, shift_data _b is the bth bit of shift_data)

R = R / 2

} end for b

Step 5: (pre_c, T _j ) = S + C + pre_c,

If (j == p-1) check_ovf0 = pre_c

If (j == 0) shift_data = pre_c

(next_c, T _{j -1} ) = T _{j -1} + shift_data + next_c (If j == 0, T _{j -1} = T _{p -1} ),

If (j == 0 && i! = 0) check_ovf1 = next_c

If (i == p-1 && j! = 0) (sign_c, T ' _j-1 ) = T _{j -1} + ~ N _{j -1} + sign_c

} end for j

} end for i

Step 5-1: (next_c, T _{p -1} ) = T _{p -1} + next_c,

check_ovf1 = next_c

(Sign_c, T ' _p-1 ) = T _{p -1} + ~ N _{p -1} + sign_c

          check_sign = check_ovf0 | check_ovf1 | sign_c

Step 6: If (check_sign == 1) return (T ')

        else return (T)

In Equation 7, j and i, which control sequential iteration operations, are the word order of A and the word order of B, respectively. In Equation 7, for the i-th word of B, A is multiplied from 0 to p-1 word, and the next multiplication is performed for the i + 1th word of B again. At this time, the multiplication result of each B-th word and A, that is, the result of one column (A * B _i ) is input as an initial value of the next multiplication operation as an intermediate value.

The difference between Equation 7 compared to Equation 6 is the addition process performed in Step 5, in which Equation 6 performs two addition processes, whereas Equation 7 performs up to three addition processes. In the process of obtaining the intermediate value, two addition processes are performed, but in the process of obtaining the final result value, that is, in the process of obtaining the result value when i is p-1, the N values in the order corresponding to the result value of each word unit By subtracting, another final result T 'is obtained.

All these addition processes are performed independently of the modular multiplication operation in step 4, and can be designed so that the addition process can be performed within the time when the modular multiplication is performed. Since the subtraction process can be performed by adding two's complement, the process of addition is performed by adding an initial value of N's 1's complement and a carry value sign_c as 1. Step 5-1 is a process added to obtain a result for the most significant word value since the last modular multiplication operation.

The reason why the addition method can always limit the median and the final result to a value smaller than N is as follows.

First, in the case of the intermediate value, the input and output of the modular multiplication operation performed in step 4 in Equation 7 is R. In fact, since the output range of the modular multiplication operation is 0 <R <2N, a value one bit larger than N may be output. When R is divided into S and C and stored, each S and C may have the same number of bits as N. However, in the case of the median value, T is obtained through two additions, and T is again 0 <T <2N. Therefore, Equation 7 uses check_ovf0 and check_ovf1 to control this.

First, when overflow occurs in the first addition to obtain the most significant word T _{p -1} , the carry value pre_c is written to check_ovf0. To give pre_c an initial value for the next i-loop operation, we take advantage of the fact that the initial value of R can be distinguished by (S, C).

In other words, if the overflow value is divided into S and C, it can be expressed as (111… 1, 1). Therefore, in the second addition to obtain the median value T _{p -1} , 1 is added in advance, and p-1 of the next i loop operation By providing (T _{p -1} , 111... 1) to the initial value of the first operation, the intermediate value of the overflow can be provided as the initial value of the next operation.

At this time, T _{p -1} after generating pre_c is 111. If it is 1, adding 1 in the second addition can cause overflow again. However, in order for this case to occur, the most significant word value of modulus N, Np-1, is 111. It should be 1, but in the case of modulus N as a parameter for RSA encryption, if the word size is 128 bits, the modulus having all 1s of 128 bits as a parameter does not occur, so it is not necessary to consider this case.

If an overflow occurs in the second addition process of obtaining T _{p -1} , the carry next_c value is written to check_ovf1 and sent as the initial value to the next i loop operation. In this case, (1, 111, ..., 1) is provided to the initial value of R of the p-1th operation, because check_ovf0 and check_ovf1 cannot occur at the same time as described above. If check_ovf1 is 1, the inputs of the second addition operation, T _{p -1} and next_c, are respectively 111. Since it should be 1 and 1, you can provide it as the initial value of the next operation.

Through the above process, the intermediate value is controlled, and one more addition process is added in the step of deriving the final result value where i is p-1. This is because when the final result is larger than N, T 'is used as the result. To this end, add the final addition process, subtract the N value of the word for the result value in each word unit and store this value as T '. After the last addition process, if check_ovf0 or check_ovf1 is 1, the final result is determined as T 'rather than T.

In addition, the overflow of the larger number of bits does not occur, but only the final result value is larger than N without increasing the number of bits. In this case, since the final value of the carry_sign_c stored in the subtraction process is 1, the final result is determined to be T 'instead of T when one of three values such as check_ovf0, check_ovf1, and sign_c becomes 1. Just do it. All three values can be zero or only one of the three values can be 1.

Therefore, the structure proposed in the embodiment of the present invention can always maintain the size of the result of modular multiplication to less than N by using an adder that operates independently in the operation process of the modular operator without additional data expansion. have.

Hereinafter, with reference to the accompanying drawings, preferred embodiments of the present invention will be described in detail.

FIG. 1 is a flowchart sequentially illustrating a modular multiplication (A * B mod N) method described in Equation 7. FIG.

When the operation starts, R, the input / output value of the word unit modular multiplication operation in the operation process, is divided into S and C, respectively, and is initialized to 0, and the word order of A and i, which is word order of A, are also initialized to 0 (S100). . Next, the i loop starts. At this time, each carry pre_c and next_c are initialized to 0, and sign_c is initialized to 1 (S200).

Now the j loop for any i runs from 0 to p-1, which first sets the initial value R = (S, C) for performing modular multiplication in word units. First, it is checked whether i value is 0 (S300), and if (S, C) = 0, it is set to (0, 0) (S301). If (S, C) ≠ 0, check whether j is p-1, that is, modular multiplication of the last word of A (S302). If j ≠ p-1, the initial value is (T _j , 0) (S303).

If j = p-1, an initial value should be set according to whether overflow occurs. First, it is checked whether check_ovf0 is 1 (S304). If check_ovf0 is 1, (T _j , 111... 1) is set to an initial value (S305). If check_ovf0 is not 1, it is checked whether check_ovf1 is 1 (S306). If check_ovf1 is 1, (1, 111… 1) is set to an initial value (S307). If check_ovf1 is not 1, an overflow does not occur, so the initial value is set to (T _j , 0). (S308).

When the initial value R is set, word-based modular multiplication of Aj * Bi mod N _j is performed according to the initial value and the current i value and j value (S400). Modular multiplication in word units follows the same scheme as in Equation 6, but an addition method for dividing R into S and C is applied.

When the operation is completed, the result value R is output, and the Montgomery correction factors m and shift_data are also output after the operation. The Montgomery correction factor m is stored for the next word-by-word modular multiplication, and R and shift_data are provided as input to the subsequent addition operation.

The addition process first adds the S, C and pre_c values output in any j-th loop, and outputs (pre_c, T _j ) (S500), where the addition result T _j is still in the middle. Not a value.

Next, it is checked whether the current j value is p-1, that is, the last A word (S501). If j = p-1, pre_c is stored in check_ovf0 (S502), and if j ≠ p-1. Check again whether the current j value is 0 (S503).

This check process is the next second addition process when j is 0, which is the process of finding the complete median value of T _j when the previous j is p-1, so if check_ovf0 is 1 In addition, to get the median T _{p -1} . However, since the shift_data value is 0 when the complete median value of T _{p -1} is 0, the addition of a pre_c value to this shift_data has an effect of adding 1 when an overflow occurs and an overflow does not occur. 0 can be maintained as it is (S504).

If j is not 0, the shift_data output is used as it is. Then, shift_data is previously added to T _{j -1} obtained with next_c, and (next_c, T _j-1 ) is output as an intermediate value (S505). In this case, when j is 0 and i is not 0 (S506), since T _{p -1} is output as an intermediate value, the next_c output is stored in check_ovf1 to check whether an overflow occurs in T _{p -1} . (S507).

If the addition output is required only up to the median, i.e. i is not p-1, you only need to do S507 and run a new loop, but the add output is an intermediate process to get the final result, i.e. the last time i is p-1. In the case of the operation on the word B, one more addition is required. To this end, it is checked whether i is p-1 and j is not 0 (S508). This is why j is not 0 because when j is 0, the second addition outputs the intermediate value T _{p -1} .

As a result, if i is p-1 and j is not 0, a third addition process is performed to obtain T ' _j-1 for the obtained T _{j -1} , which is actually a process of subtracting N values. As explained in Equation 7, subtraction is performed by adding ~ N _{j - 1} (1's complement of N _j-1 ) to T _{j -1} and adding the initial value of sign_c (when j is 1) to 1. (sign_c, T ' _j-1 ) is output (S509).

While the above processes are sequentially performed, it is checked whether j is p-1 (S309), and if j is not p-1, the process returns to step S300 again, and if j is p-1, is i again p-1? Check (S201). If i is not p-1, the process returns to step S200, but if i is p-1, it means that there is no more word-by-word modular multiplication to be performed. do.

In the final addition process, since the final result is obtained until T _{p -2} after the final loop, the final word result is T _{p -1} and T ' _{p -1} . This proceeds in the same manner as the second addition process and the third addition process, and the final check_ovf1 is obtained through the last addition process. In this case, however, the final result value is obtained instead of the median value. Therefore, the pre_c is added to shift_data as in the second addition process. The check_sign, which is a value for checking whether the final result value is greater than N, has a value of 1 when any one of check_ovf0, check_ovf1, and c_sign is 1 (S510).

When T and T 'are obtained through the final addition process, it is checked whether the previously obtained check_sign is 1 (S600). If 1, T' (S601) is returned. If not 1, T (S602) is returned as the final output. , Ends this modular multiplication.

2 is a block diagram showing the configuration of a modular multiplication apparatus according to an embodiment of the present invention. The modular multiplication apparatus according to the embodiment of the present invention includes a system bus 100, a register group 200, a control unit 300, an operation unit 400, and an adder 500.

If a modular multiplication is required for the RSA operation, the system drives the modular multiplication apparatus, provides the necessary input values (A, B, N, T), and is provided with an output value (T, T '). Via bus 100.

The register group 200 stores necessary input values and output values in word units, and may include registers necessary for other internal operations.

The operation unit 400 performs modular multiplication in word units, which is the most core operation, and the adder 500 performs addition to obtain an intermediate value and a final result value after modular multiplication in word units. Control of the operation of all these internal modules and interface control with the system is performed in the controller 300. The operation of the above components will be described with reference to FIG. 1.

First, the input word units A, B, N, T, etc. are stored in the register group 200. In this case, A, B, and N are sequentially input to each register of the register group 200 as the j loop and the i loop progress.

The controller 300 controls the register group 200 to initialize pre_c, next_c, and sign_c (S200), and initializes R (S300 to S308).

Modular multiplication (S400) in word units is performed by the operation unit 400, and subsequent addition processes S500 to S509 are performed by the adder 500 under the control of the control unit 300. Here, the adder 500 is responsible for S500, S505, and S509, which are processes of outputting one word and carry by adding two words and one carry.

The adder 500 may separately include separate adders for three additions, but may also perform three additions using one adder that adds two words and one carry. In the latter case, for three additions, the adder 500 stores corresponding input values in predetermined registers in the register group 200 in each order, and adds the stored values to the control unit 300 according to control. Use the method. The final addition process, S510, is done in the same way.

The adder 500 performs three addition processes while one word modular multiplication of the calculator 400 is performed, and operates independently of the calculator 400. In this case, since the operation unit 400 and the adder 500 are operated at the same time, a time delay due to the operations S500 to S509 of the adder 500 does not occur.

The embodiments of the present invention described above are not implemented only through the apparatus and the method, but may be implemented through a program for realizing a function corresponding to the configuration of the embodiment of the present invention or a recording medium on which the program is recorded. Implementations can be readily implemented by those skilled in the art from the description of the above-described embodiments.

In addition, although the embodiments of the present invention have been described in detail above, the scope of the present invention is not limited thereto, and various modifications and improvements of those skilled in the art using the basic concepts of the present invention defined in the following claims are also provided. It belongs to the scope of the invention.

1 is a flowchart sequentially illustrating a modular multiplication method according to an embodiment of the present invention.

2 is a block diagram showing the configuration of a modular multiplication apparatus according to an embodiment of the present invention.

Claims (9)

In the word-based Montgomery modular multiplication operation method for obtaining a modular multiplication result R for multiplier A, multiplicand B, modulus N, A first step of initializing the R into a sum S and a carry C; Starting a loop for word order i of B; Starting a loop for word order j of A in the i loop and initializing R; Performing a modular multiplication by word for A and B in the j loop; A fifth step of performing word-based addition up to three times in the j loop; A sixth step of terminating the j-loop and the i-loop to add two word units; And A seventh step of outputting a value obtained by subtracting the N from the final result value if the final result value T is greater than the N, and returning the final result value if the final result value T is less than the N value; Modular multiplication operation method comprising a. The method of claim 1, wherein the third step, Setting the initial value of R to (S, C) = (0, 0) if i indicates the operation of the first word of B (i = 0); Setting the initial value of R to (T _j , 0) if i is not 0 and j does not indicate the operation of the last word of A (j ≠ p-1); Setting an initial value of R to (T _j , 111... 1) when j is p-1 and overflow occurs in the last word operation of A; If j is p-1 and no overflow occurs in the last word operation of A, checking whether an overflow occurs in the shift operation of the last word operation of A; Setting an initial value of R to (1, 111... 1) when an overflow occurs in the shift operation of the last word operation of A; And If no overflow occurs in the shift operation of the last word operation of A, setting an initial value of R to (T _j , 0) Modular multiplication operation method comprising a. The method of claim 2, wherein the modular multiplication operation of the fourth step Performing two addition operations by a carry storage addition method; And Calculating the R, the shift_data factor for the shift operation, and the Montgomery correction factor m Modular multiplication operation method comprising a. The method of claim 3, wherein the fifth step A first addition step of outputting (pre_c, T _j ) by adding the S, C and line carry factors (pre_c) by using the output R of the fourth step as an input. Modular multiplication operation method comprising a. The method of claim 4, wherein the fifth step If j is p-1, a check factor (check_ovf0) indicating whether an operation overflows with respect to the last word of A is set to the pre_c, If j is 0, set shift_data to pre_c, A second addition step of outputting (next_c, T _{j -1} ) by adding T _{j -1} , shift_data and the next carry factor (next_c) by inputting the output T _{j - 1} of the first addition step. Modular multiplication operation method comprising a. The method of claim 5, wherein the fifth step If the second addition step is a final median addition for the last word of A (j = 0, i ≠ 0), a check factor for checking whether an overflow of the final median addition for the last word of A occurs (check_ovf1) Set to next_c above, When the second addition step is the final result value addition (i = p-1, j ≠ 0), T _j-1 outputted in the second addition step is input, and T _j-1 , N _j-1 Third addition step of adding the complement of 1 (~ N _j-1 ), sign_c and outputting (sign_c, T ' _j-1 ) Modular multiplication operation method comprising a. The method of claim 6, wherein the fifth step If multiplication of A * B _i columns is not finished (j ≠ p-1), returning to the third step; when j = p-1 and i ≠ p-1, returning to the second step; And when j = p-1 and i = p-1, exiting the i loop and j loop Modular multiplication operation method further comprising. The method of claim 7, wherein A first addition step of adding T _{p -1} and next_c and outputting (next_c, T _{p -1} ) to obtain the last word T _{p -1} of the final result value; Sets the output next_c to the check_ovf1, A second addition step of adding T _{p −1} , ˜N _{p −1} , and sign_c by inputting the output T _{p −1} and outputting (sign_c, T ′ _p-1 ); And check_ovf0 | check_ovf1 | setting the result of the c_sign operation to check_sign to determine whether the final result is greater than N. Modular multiplication operation method further comprising. In the word-based Montgomery modular multiplication operation device for obtaining a multiplication result R, multiplier A, multiplicand B, modulus N, Initialize the R into a sum (S) and a carry (C), and start the loop for the word order i of B and the loop for the word order j of A, and initialize the j using the initialized R. In the loop, modular multiplication is performed on the A and B in word units, and when the final result value T is greater than N, the final result value T is output, and the final result value T is An operation unit for returning a final result value if less than N; And And an adder configured to perform word unit addition up to three times in the j loop, end the j loop and the i loop, and add word unit twice.

Images