TW200400442A - Apparatus and method for calculating an integer quotient - Google Patents

Abstract

An apparatus for calculating an integer quotient of term (T) with regard to a modulus (N), wherein the term comprises a product of a binary multiplier (M) and a multiplicand (C), comprises a processing means (10) for processing the bits of the multiplier in several processing steps. The processing means is formed to calculate an intermediate result (Z) reduced with regard to modulus in a processing step, which depends from one or several bits of the binary multiplier, which are considered in the processing step. The apparatus further comprises a log means for logging reduction information in the respective processing steps and order information about one or several digits of the integer quotient concerned means (14) for evaluating the order information and the reduction information from the processing steps to obtain the integer quotient (Q). By logging the reduction information and the order information in the processing steps, a command for performing a modular multiplication usually implemented in hardware can be supplemented in that it outputs also the output of the DIV operation, which means the integer quotient. This is advantageously possible without interventions into a hard-wired calculating unit (10a) and hardly requires any computing time.

Description

700400442

FIELD OF THE INVENTION Algorithm Algorithm In particular, the present invention is related to the present invention. The present invention relates to the calculations required for encryption applications. Known technology Coherence = in = = in and in secret, the key length requirements will continue to increase. With the use of the two-to-two :: = m method for security as an asymmetric encryption concept, plus this method, the method can also increase the relative brute-force attack). The brute force attack (lattack) is an attack on a cryptographic algorithm: zhong t i ί Nai is inferred by all possible attempts. This is why, although the key length increases, theoretically, the time required for a brute force attack (bak—, f: r, ce attack) to try all possibilities increases. It should be clearly noted that in this architecture, RSA applications using 5 i 2-bit key lengths have been considered sufficient in the past. However, with the advancement of technology and arithmetic on the other side (hacker), the typical RSa usage subsequently increased the key length to 1024 bits. From time to time, various people have also argued that even a key length of 10-24 bits is not enough to resist this attack. Therefore, the key length of RSA applications will be increased to 2048 bits again. On the other hand, when considering existing encryption coprocessors (such as smart cards), it is understandable that most people will certainly want : I

900400442 V. Description of the invention (2) For example, RSA applications with 20 48-bit key length can also be executed only for this purpose. For example, the encryption circuit with 4-bit key length is used in the past. Therefore, the arithmetic coprocessor of the existing smart card applications will appear as follows: These existing smart card applications are usually targeted for a specific bit and are not suitable for most of the current security requirements ( Alas, the length is too short). This phenomenon may lead to the following; namely, for example, an RSA algorithm with a 20 48-bit key length, etc., and the method is effectively processed on a 1024-bit coprocessor. For KbA applications, the Chinese Remainder Theorem (CRT) is a conventional concept. Its,:, 'modulus index with a large key length can be subdivided into two modulus indices with a length of half a gold record respectively. The two can be combined by taking the modulus index results of a key length f. /, ^ Get closer, some people have confirmed that the Chinese Remainder Theorem (CRT should not be easily affected by the differential failure analysis attack (DFA aUack).) Therefore, one of the problems related to many methods is the so-called modular multiplication, , A plus 仵 doubl ing ”", which is the core operation of cryptographic calculations. In this way,-can be subdivided into many modular multiplications, that is: subdivided into-dull, eighth, the first operand A and the second operation Calculation in the remaining categories of multiplication of element B). # These operands a: have a bit length of 2n 'because' ten arithmetic units will usually also have a ::: by, its length 'these calculation units can usually be called It is a long integer $ # as early as 7L, as opposed to the one used by a personal computer (pc) or workstation processor, for example, a stand-alone bit, 32-bit, or 64-bit architecture. 700400442 V. Description of the invention (3) In view of this, the main purpose of the present invention is to implement a modular multiplication A of integers A, B, and N having a bit length 2η on a calculation unit having a bit length η. * B mod N. This modular multiplication is very time consuming, Because these integers A, B, and N may only be loaded in fragments, this is also the main reason why traditional methods require a lot of organization and error-prone, if these loading fragments cannot be completely discarded. It is known that there are currently several Methods can solve this problem. These methods can be found using the following keywords, including: Montgomery multiplication, normal multiplication (^ pjW: Karatsuba —

Of man), and subsequent reductions (for example: Barret reduction). Another concept using Montgomery calculations in the "China Remainder Theorem (CRT) Window" has been published in: P. Pailler, ', Low-cost double size modular exponent i at i on or how to stretch your cryptocoprocessor 丨' ° The calculation time and data organization of a concept are all expensive, and therefore, the efficiency of this concept may not be acceptable for various applications. This German application (which has the same filing date and the invention name is V 〇rrichtungund V erfahrenzu in Berechneneines Ergebnisses einer modularen Multiplikation ") is a concept that reveals the concept of modular multiplication of operands with a bit length of 2n Into several so-called MMD operations, and these mmd operations only need to be suitable for half-bit length operands. Unlike the remainder of A * B mod N 'MMD operations can also provide individual integer division (ie ... 〇 丨 v operation) result 'where, this result can also be called the integer quotient q. Usually' this operation T m〇d N can produce a remainder r, when an item

700400442

T is the time when the contract is made with respect to a modulus N. However, this operation 廿 i v N can provide an integer quotient q relative to this modulus N, so that this term \ ντ can be reconstructed using Q X N + R. In this way, this MM] D operation (MultModDiv) is used to convert any item τ into a relative modulus n integer quotient Q and a remainder R. '' In general modulo arithmetic, which is usually used in encryption technology, we usually do not need to use the result of the DIV operation (that is, the integer quotient), so this result is usually not calculated. However, the above concept will still use this DIV information, that is: the integer quotient / In addition, there are other applications in the technical field, which not only need the result of the MOD operation (ie: the remainder), but also This integer quotient is required (ie: the result of this DIV operation). It is known that a known, efficient, and frequently used method for calculating modulus multiplication is called Montgomery multiplication, and, for example, this method has been disclosed in the following manual `` Handbook of Applied Cryptographyf, Menexes, van Oorschot, Vanstone, CRC press, pp 60 0 — 6 0 3 ° Montgomery reduction is a technique that can obtain an effective implementation of modulo multiplication without performing the traditional modulo reduction step. Generally speaking, in this Monj gj JJJ r y reduction, this division operation can be expressed as several simple translation operations. At the same time, the extension of this Montgomery multiplication operation on the elliptical body GF (2n) is also known. This extension has been revealed in the following thesis ‘’ Montgomery Multiplication in GF (2n) n, Koc,

Azar, Designs, Codes and Cryptography, volume 14,

Page 10 200400442 V. Description of the invention (5) 1998, pp 57-69. In addition, this extension is further disclosed in the following language: 1 A Scalable and Unified Multiplier Architecture for Finite Field Z / NZ and GF (2n) " Erkay Savas u. A. 5 Cryptographic Hardware and

Embedded Systems (CHESS 2000), pp 281 -289,

Springer Lecture Notes. Montgomery multiplication on Z / NZ or GF (2n) will have the following disadvantages, that is, the division operation of the modulus reduction (which is difficult to implement by hardware) Although the translation operation can be used to avoid this,

Montgomery multiplication does not use look-ahead methods to speed up the modulo multiplication operation in hardware. The DE 3 63 1 9 92 C2 system discloses a method in which the number multiplication system at z / Nz uses a multiplication preview method, and uses this multiplication preview method to accelerate the speed. The method described in DE 3 63 1 99 2 C2 is also called the ZDN method. Second, the ZDN method will be described in detail with reference to FIG. 6 as follows. After such a step 3, the global variables M, C, and N should be initialized before step 900. The purpose of this step is to calculate the following modulo multiplication:

Z mod C Among them, M is called the multiplier, C is called the multiplicand I, a 1VT / Mody, ..., and N is called the modulus. Bright. ; :::: f regional changes should be given initiation, which does not require detailed moxibustion, & ZDN methods will apply two preview methods Preview method GEN MULT Η〆 ~ UL 丨 ―The multiplication method S7 in LA and a premature number A are using different pre-ashamed fingers, and 4 ^ + value 2 Handing looks different according to the preview rule (9 1 0). Immediately, this $

Page 11 700400442 V. Description of the invention (6) ---- The current contents of the z register will perform a left shift operation of the Sz bit (92). In addition, while executing this preview method, a reduction preview method GEN —Mod —LA (93 0) will also be executed to calculate a reduction translation number —reduction parameter B. In step 94 (), the valley A of the modulo register n is shifted by s N bits, thereby generating a shifted modulo value n ,. The main three-operand operation of the ZDN method occurs at step 950. Here, after step 920, the intermediate result 2 will be added to the multiplicand ^, which takes the multiplication preview parameter A, and adds to the translation modulus n, which is multiplied by the reduction Preview parameter B. According to the current situation, these preview parameters A and B may have the following values: +1, 0, or -1. / In one case, the multiplication preview parameter A is +1, and the reduction preview parameter B is ~ 1, so that the multiplicand c can be added to the translation intermediate result Z ', and the translation modulus N can be subtracted from this translation intermediate result Z '. In particular, the multiplication preview parameter a will have a value of 0. When the multiplication preview method can tolerate more than a predetermined number of individual left f steps, that is, when sz is greater than its maximum allowable value (also known as k ) Time. In the case where the multiplication preview parameter A is equal to 0 and the translation intermediate result 2 'is still very small due to the previous modulus reduction (especially, less than this = shift modulus N'), this method does not require Reduction is performed, so this reduction preview parameter B is equal to zero. A step 9 10 and 9 50 will continue until all the bits 70 of the multiplicand have been processed (that is, until the multiplication preview parameter A is also equal to 0), which means: the translation modulus N, Is it greater than the original modulus N, or even when all the bits of this multiplicand have been processed, I

Page 12 700400442 V. Description of the invention (7) Do we still need to subtract this modulus from the intermediate result Z and perform an additional reduction step? Finally, 'determines whether this intermediate result z is less than zero. If the intermediate result Z is less than 0, the modulo N must be added to the intermediate result z to obtain a final reduction, thereby obtaining the correct result Z of the modulo multiplication. In step 960, the modulo multiplication of this ZDN method is ended. The multiplication shift value sz and the multiplication parameter! "It is calculated by using this multiplication look-ahead algorithm in step 91 0, which is derived from the topology of this multiplier and from the look-ahead rules used, as described in DE 3631992 C2 Described. As described in DE 3631992 C2, the reduction translation value sN and the reduction parameter B can be determined by using the current contents of the z register and a value of 2/3/3 times N. Based on this comparison step, this ZDN method was named (ZDN = Zwei Drittl N = two thirds N). This ZDN method, as shown in Figure 6, is to reduce this modulo multiplication to a one-three operator addition (box 95 in Figure 6). Among them, this multiplication preview method and this reduction The preview method is used to increase the calculation time. As a result, the similarity is reduced to Montgomery reduction on Z / NZ, this method will achieve twice the computing time advantage. The disadvantage of this concept of multiplication is that this method only counts # f adopted, but does not calculate the DIV operation (that is, provides the integer quotient of the product of this multiplier N and the multiplicand T relative to the modulus N The operation of Q) is multiplied by: the book F} fine ... The stone product table is not: CxM = Q? N + Z. However, as mentioned previously, ^ integer quotients Q are very useful in specific applications. For example, one application is to multiply a modulus with a specific bit length by

200400442 V. Description of the invention (8) On a calculation unit with half bit length. In view of this, the main object of the present invention is to provide a concept by which the calculation of an integer quotient is implemented simply and efficiently. The above and other objects of the present invention are based on the device described in item i of the scope of patent application, and the method described in item 6 of the scope of patent application. The present invention is based on the understanding that, in a processor that calculates the product of a multiplier and a multiplicand (and optionally adds this product to a third operation 乘 multiplied by a factor 2n),, the Is to sequentially scan the bits of this multiplier in several processing steps, the extraction of this integer quotient is not

Second, it is necessary to intervene in the computing unit itself, and it is not even necessary to interfere with the control unit that controls the computing unit. In general modulo arithmetic, this integer quotient (the result of this DIV operation) is often ignored due to the lack of proper utilization. Calculate the remainder of an item relative to a modulus according to this integer integer quotient to obtain the intermediate result (which is the relative modulus to reduce to 3) in this processing step, and log in at the same time The reduction information and sequence information refer to each bit of this integer quotient and are related to individual processing steps. Now, 'multiple bits are processed using several steps, and individual steps are used.

= The reduction information and order information of the price registration, so that this integer quotient can be obtained using simple arithmetic operations. First, in a preferred embodiment of the present invention, when this processing device processes multipliers, the register must be retained, in which the specific order (determined by the order information) of the bits will be after each processing step 2. Use the reduction information to set or not set. Also, if using two or more logins

Page 14 700400442 V. Description of the invention (9) _ ^ temporary register, the evaluation device can also deal with the addition or subtraction of these registered temporary storage crying numbers 7L, the simple Dingkou port to this Integer quotient. The concept of the present invention will be particularly advantageous, because any f1 output from the processing device does not need this kind of method. Therefore, this integer quotient can be regarded as the _D operation. Because of this), and this method counts time and unit. In addition, this method only requires the calculation of the fixed processing device. At the end of each processing step, a registration device is used, which is reduction information or sequence information. The two control components capture the necessary finally, and use the evaluation device to make any changes to the calculation unit; the information is recorded in order to avoid any consequences. Under k, it is also very important to get this integer quotient. The long integer calculation unit, Fatanghe · Encryption and Management, S Α β t) is obtained and converted. In addition, intervention, such as: modulo multiplication will have 1,024 or more addition crying, long integer calculation units (its general responsibility, error-prone, and must be re-tested;; yuan) The calculation is also very expensive In all-related devices (which are usually functional with Ertian Jin. Especially *, the Anf sign is especially important, because in the secret algorithm), the security is likely to handle all kinds of sensitive information. In the case of chip cards, our newsletter = = the amount of money or personal expenses. In addition, the advantages of the method of the present invention a, the method of bifurcation set, which is not calculated when using a limited number of methods (due to its chip area limitation), I , And the processing of memory information crying _ 叩 叩 叩 blame the encryption algorithm, will;

700400442

very important. Detailed description of the preferred embodiment

FIG. 1 is a block diagram of the device of the present invention for calculating an integer quotient of an item τ relative modulus N, where the item is a product of a binary multiplier M and a binary multiplicand c. This device comprises a processing device 10, which is cut into a computing unit 丨 a and a control unit 丨 0b. Normally: the arithmetic unit includes a long integer adder, which has two or more operands, and the control unit i 0b will be formed to control the arithmetic unit, thereby sequentially processing these multiplier bits, And after all the multipliers π have been processed, the result of the modulus reduction of the item Z ′ is finally provided, which includes the product C? M.

In addition, the device of the present invention also includes a registration device 12 for registering reduction information in individual processing steps, and registering sequence information of one or several bits of integer quotients associated with the individual processing steps. The registration device 2 can be effectively connected to the control unit 10b to retrieve the registration information of each processing step. When the control unit 1 Ob sends a signal to the additionally provided evaluation device 14 (which is used to process all multiplier bits and generate / final result Z), the evaluation device 14 will access the login envy and price this The reduction information and the sequence information are used to finally & output the integer quotient Q. As far as hardware is concerned, this modulus reduction can best be achieved by subtracting this modulus. It is true that in a processing step, the present invention can also be implemented according to the implementation of this accounting unit 10a. One or several times modulo ^ to go. As described below, if the present invention uses a multiplication preview algorithm and

700400442 V. Description of the invention (11) Other reduction plans, A »If you can add this class, if there are processing steps,-modulus can also-modulus or add fruit; a? The integer m (which indicates whether or not C is subtracted) can be an integer quotient without the KVt number added in each processing step;: sequence:: is used to compare the processing or d relative to the individual processing steps. Because = 2 some multiplier bits usually start with the simpler multiplication calculation above = "" yuan. In the -processing step, the number: sequence information can directly correspond to the preview algorithm in the multiplication :: then J Niu = Bu '* This invention will only be a single digit 7L, so consider and deal with it. In the case of two: I, the number of multipliers will depend on the number of bits in this multiplier. In the case of '4 sequential data methods and reduction look-ahead algorithms, J two-by-multiple look-ahead calculations The multiplication = sequence information considered in the -processing step depends indirectly on the connection, such as the typical preview method, a sequence of 70. This aspect is determined by historical resources. The relationship is related to the data itself. In addition, in a preferred embodiment of the present invention, this registration device can be designed as a simple implementable register group with two hardware, which is explained step by step, and is implemented in two, two, or several registers. For the time being, the evaluation device performs an appropriate evaluation (such as after the polynumerization process is completed, and uses the integer quotient Q to add or subtract), so that in the following, a simple multiplication, language, ... is described below, which can also be called " Teaching Ke Kui: The law system cooperates with Figure 2 in detail algor i thm) π. This algorithm is based on the Ling / Xiu Yi method (text — book ′), accepts this modulus N, and this multiplied

700400442 V. Description of the invention (12) ^ (according to the definition, it must be less than modulo N), this multiplier is 3 multiplier bits M. (LSB) to Mra !! (MSB) and greater than the input. This algorithm provides Z = Cx M mOd N as the replacement ^: In the initial step, the order of this multiplier i will start as ^. In the first Z register (which is used as an intermediate result during processing:, f is used as the final result register), the starter% and the current considerations of 'testing this multiplier in step 亦 will also be added. Bit Mi J :. , = 1. The right bit is equal to 0 ', then you only need to perform a multiplication by this factor ^ 1, or you need to shift the Z register to the left by one bit (as in square J-23), but' if this bit Is equal to], then the temporarily crying inner valley must be shifted to the left by one bit (which corresponds to the multiplication of the factor 2), and then the multiplicand C is added (as shown in block 22b). Next, the rod,, and modulus are reduced: first, in step 23, test this intermediate result temporarily: whether the content of crying is greater than or equal to N. If the answer to this question is π 9 ,,, ^ subtract the modulus N from the intermediate result register Z once (2 4). After the bran, test again whether the current content of the intermediate result register ζ is equal to, or equal to N (2 5). If the answer to this question is still, yes, then, subtract this modulus N (2 6) from the intermediate result register ζ. The person + step is repeated until i is equal to 0 (tested in box 27) σ. The answer to this question is, if yes, then the algorithm will end. However, if the answer to this question is "No", then i must be decremented in box 28 ,,,,

Perform another recursion of blocks 21 to 27. I In the following, the extension of the invention of the algorithm shown in FIG. 3 (which is not the function of the registration device 12 in FIG. 1 and the evaluation device in FIG. 1) is coordinated with the first

Page 18 700400442 V. Description of the invention (13) " 3 pictures, detailed description is as follows. The components of FIG. 3 have the same drawing symbols as those of FIG. 2 and will have the same functions and will not be described in detail. In a preferred embodiment of the present invention, this registration device has two auxiliary registers Q and Q ′, which are initialized in step 20, respectively, for the known use shown in FIG. 2, , Textbook algorithm "extension. According to the answer to the question in block 23 (which means: use step 2 2a and 221) whether the intermediate result ^ is greater than or equal to N), the first auxiliary register Qi or the second auxiliary ί The bits of the sequence i in the register Q ^ i will be described as, 0, .... The reduction information includes these 0s, which are input to the temporary crying bit i determined by the sequence information. If this The intermediate result Z is less than N. As determined by block 23, ^ does not need to perform other modulo subtraction, which means that these individual auxiliary temporary write bits 疋 will be set to 0. However, if a modulo subtraction is performed (as in step 24) No), the bit i of the first auxiliary register will be set to 15 and the bit i of the second auxiliary register Q, will be set to 0, as shown in block 3 0 b. If executed The second modulo subtraction (as shown in box 26 in Figure 3), then this first auxiliary Bit i of register Q and bit i of this second auxiliary register Q will be set to 1, as shown in block 3 0c. This program will be executed in each processing step 'until block 2 7 determines i It is equal to 0. Then, the evaluation device 14 shown in Fig. 1 becomes active, and the two auxiliary registers Q and Q 'are added, as shown in block 32, and then the integer quotient Q is obtained as Result. In this way, the function of this registration device is implemented by using the evaluation device 14 of FIG. 1 and implemented in block 32 of FIG. 3. As can be seen from FIG. 3, this algorithm does not need to perform any changes to

Page 700 700 442

V. Description of the invention (14) Obtain this integer quotient information. Please refer to Figure 丨, which means that the calculation unit 10a and control unit 10b of this device 10 do not need to be changed, and the design or retesting is not required for this integer business education and calculation. J Leaf In addition, as shown in Fig. 3, registering this reduction information and this information does not require an additional calculation step. In addition, in this method, the evaluation device that only adds the two auxiliary registers requires an additional addition:, period. However, compared with these values N, c, and M, the example is w 1024 bits, which means: the recursive step in Figure 3 must be performed Λ 1 〇 2 4 times, this cycle It seems trivial. Ding Gong In addition, the algorithm shown in Figure 3 can not only be extended to deal with this = mesh C X Μ, but also can be extended to deal with this item c χ M + D X. An extension can be thought of strictly in step 20, instead of starting the intermediate result Z as D, but getting the intermediate result 2 as D and getting it easily. Therefore, the operation performed by the ^ == way can also be referred to as starting the M0 operation. When the second temporary C is started with the value d before the step of recursive steps. In this architecture, the MMD is MultM0dDiv, which means: No. 3, the algorithm can provide the modulus reduction result of this item and the integer quotient CX μ + β X 2n of this fixed item, where, When D is equal to 0, this algorithm is the result of general multiplication. Figure 4 shows a partial reduction of Figure 6 (known ZDN algorithm and already explained above). A starting block 40 is used to start these values 1'Z, and C ', which are very important for the present invention. Once again, z can start at 0 or D 'to perform MMD operation or start MMI operation.

Page 20, 700, 400, 442 5. Description of the invention (15) As shown in the last performance box, the ZDN device 910, 920, and 930 in Figure 6 ^ multiply translation value sz (which is usually greater than ^), one multiplier bit value, two one Represents: the number of multiplier bits processed in a preview step), the translation ^ value%, and the multiplication preview parameter A and the reduction preview β. The number of multiplier bits will be reduced after each processing step. The fixed value C is a comma representing the modulus. The effective bit (LSB) of the original modulus is located in the buffer of this modulus. That one. After each processing step, this value C will be changed to c + ,. In the temporary storage, a modulo shift is performed, which can be expressed by multiplying the modulo 9 50 in °°, old = capacity and the factor 2SN. In this step, "Echi"> order the three operator addition, which has been described in conjunction with Figure 6, so; continue until 1 equals 0 and c is equal to 0 (such as box 42 middle sister 7 right e1 equals 〇 and c is also equal to 〇, then in step 44, check whether this 桓 盍 3 is less than 〇. If the intermediate result z is less than 0, then add 2 again / (as shown in step 46), because this The remainder of the modulo multiplication is repeated and returned. However, if the answer to block 42 is, yes, then another multiplier is executed to process one or the number extension system based on the preview characteristics of this multiplier. ^ ^ The extended Z-σ 5 diagram of the present invention with the known ZDN algorithm shown in Figs. 4 and 6 is described in detail below. The same diagram symbols in Figs. 4 and 5 are used. Therefore, these components It will not be described in detail. Another sN, A, and I are that the ZDN processors of blocks 9 10, 9 0, and 930 provide Sz, j (1 P), that is, the starting integer quotient in starting block 40, The ordinal value starts with m), then you can use this multiplication in block 50

200400442 V. Description of the invention (16) ϊίΓ: Reduce the difference between the reduction and translation values ~. If, the multiplication preview algorithm (which is g + ^ plus + Qiu, Xi Youting will be translated to the upper and lower shell (;:; method: two more values,) * fixed this move), then here The order of login registration is two: = yuan shift is not), the lower of this integer quotient is ϋ50, the integer quotient of the current step 1 ^ will have "relationship. For example, the integer quotient register bit order reaches 7 :, _5 will) will be lower than the individual steps in the previous steps, $, bZ, SN j, and 7C. However, if a positive reduction translation number register N appears, 2SN will be the female private land, and soil L⑴ It means that there is a modulo plus quotient, which is from the step of… /: financial steps. If you subtract this type and add it to the sequence information (方 ^) & Cheng, the most significant bit will be Combine 1 female 4 A-number j) 'Comparison of this integer quotient: there is a higher correlation, compared to the previous recursive step in box 52 in Figure 5, this reduction information is two table steps . $ Type. In addition, 'this board is a table talent. Q', where the rain is using two auxiliary registers Q and parameter B. If ZD "is set: Ϊ: = 疋 The value depends on This Reduction reduction. Because of the parameter 'then * need to perform any two temporary storage and Q, the order of j bits will be set to 0. The second parameter = this reduction parameter β is equal to 1, then this modulus must be added to this Intermediate results. In block 52, two temporary storage rules, the individual bit j is set to 1, and the second :: other bit j is set to 0. However, if you subtract a modulo auxiliary _ no. I only perform a reduction, and use the reduction parameter " -i "矣 :) 'then set two bits in these two auxiliary registers] Is 1, and the second auxiliary register Q, is ::; =: 200400442 V. Description of the invention (17) " '------- = 0 is' perform a correction step' in block 54 For example, if the parameter b is equal to []. In box 44 'If this intermediate result c is less than 0 after processing, it means that the reduction has been performed more than once. Because &, 46, Z must increase by N. In the reduction information At block 54, the least significant bit 9 of the auxiliary register Q 'is set to 丨. Yi Yifu. Subsequently, the evaluation device 14 of FIG. 1 will be activated to subtract from the first auxiliary register Q. The second auxiliary register Q, (block 56), to obtain the integer quotient of the binary. With regard to the subtraction of block 56, this is stored; Among them, when z is less than 0 (block 44), this number will be too high, so the content of the second auxiliary register Q, especially the least significant bit, which is ^ Set in block 54) must be subtracted again. The reduction parameter 8 is equal to i / h. ^ The same is true. Here, we do not need to subtract the modulus, but add the f. In addition, in this integer quotient In the second auxiliary register, we must reconsider that the second auxiliary register is included in the first auxiliary register. Those skilled in the art will know that when the second auxiliary register Q is set to "_Γ" instead of When + Γ ′, in block 56, the evaluation device performs addition, not subtraction. In summary, those skilled in the art should understand that the concept of the present invention is particularly applicable to hardware implementations. This is because software implementation of MMD commands will require additional performance and management tasks. Therefore, the inventive concept can replace software implementations. In particular, the concept of the present invention can also be integrated into an existing encryption processor, because we can only need to change the VHDL of the encryption controller to add this registration device and this evaluation device to the existing processing device at the same time. Therefore, existing modulo multiplication commands will be available

Page 23 200400442 V. Description of the invention (18) It is easy to add, and due to the result of the DIV operation (integer quotient), there are almost no errors. IB · Page 24,200400442 Brief description of the diagram. The first diagram shows the calculation of the integer quotient of the present invention. The second diagram shows the simple modular multiplication algorithm. The third diagram shows the simple multiplication algorithm shown in the second diagram. Operate with a different modulus than DVI operation. Figure 4 is a generalized flowchart of the known ZDN algorithm. Figure 5 is an additional integer calculation of the known ZDN algorithm. Figure 6 is a detailed flowchart of the known ZDN algorithm. Symbol description 10 Processing device 10a Calculation unit 10b Control unit 12 Registration device 14 Evaluation device 20 Start step 20 'Start 21 bit check steps 22a, 22b Intermediate result calculation 23 First modulus comparison 2 4 First modulus subtraction 25 Second modulus comparison 26 Second modulus subtraction 27 Block diagram of indicator check i. L 程 图. The flow chart of the law is also the flow chart of the consultation.

200400442 Brief description of the drawing 28 Index increment 3 0a Reduction information after modulo subtraction 30b Reduction information after modulo subtraction 30c Reduction information after two modulo subtraction 32 Addition of auxiliary register 40, 40 '40 Repeat check 44 Intermediate result check 46 Modulus addition 50 Sequential information calculation 52 Reduction information calculation 54 Reduction information correction 56 Subtraction of auxiliary register 900 Start ZDN algorithm 910 Multiplication preview algorithm 920 Intermediate result translation 930 Reduction Preview algorithm 940 Modulus translation 950 Two operand operations 960 End ZDN > algorithm

Page 26

Claims (1)

200400442 VI. Scope of patent application 1. A device for calculating an integer quotient of an item (T) relative to a modulus (N), wherein the item includes a binary multiplier (M) and a multiplicand (C) a product, the device includes: a processing device (1 0) for processing the bits of the multiplier (M) in a plurality of steps, wherein the processing device (1 0) is formed to In the processing step, calculating an intermediate result (Z) relative to the modulus to reduce, which depends on the one or more bits of the binary multiplier, which is considered in the processing step; A device (1 2) for registering reduction information in the processing step and sequence information for one or more of the integer quotient considered in the processing step; and an evaluation device (1 4) for The reduction information and the sequence information of the processing steps are evaluated to obtain the integer quotient (Q). 2. The device according to item 1 of the scope of patent application, wherein the processing device (10) includes a fixed line calculation unit (1 Oa) for calculating the intermediate result of the modulus reduction (Z); wherein, The processing device further includes a control unit (1 Ob) for controlling the fixed-line computing unit (1 0a); and A registration device is coupled to the control unit (1 Ob), and is used to obtain the reduction information and the sequence information from the control unit. 3. The device as described in item 1 of the scope of patent application, wherein an intermediate result register (Z) starts at 0 (2 0 '; 4 0'), so that the item T is equal to the first operation Product of the second operand and the second operand 0 Page 27 900400442 VI. Patent Application Scope 4. The device described in item 1 of the scope of patent application, iI tube one: two result register (20 ,; 40,) can start as one: 1 2 number: by which the item is equal to Cx M + Dx 2n, where C is a mouthful of%, which is the multiplier, where D is the third operation, and where η is A, B, and 0 of _ Old ^ 5 · The device as described in claim 1 of the patent scope, wherein the processing device is formed to # 5 田 M 七 (1 0) is formed from a highest effective multiplier bit to a low effective multiplier bit The meta begins operation. . Bit 6 · The device as described in item 1 of the scope of patent application, wherein the processing device is formed to process one bit in each processing step; the bean recording device (30a, 30b, 30c) in the eighth includes a temporary Register device 'which has one or more auxiliary temporary storage (q, q,) ·, where the reduction information (3., 3 2 [心 ^ 疋 is set in the register device; and where The sequence information determines which—or those bits to consider; and, in a logical step, the evaluation device (32) is formed to evaluate to output the integer quotient. Jie Zi ’s device uses 7 The device described in item 1, the second, and the "processing device (10)" are formed to process each bit of the multiplier (28); in the embedding step, calculation is based on the multiplier bits (22a, 22b) One in n · test the intermediate result of the calculation (2 3) to determine the result of # 3 1; to determine the intermediate result of the calculation is 700400442 6. Whether the scope of patent application is greater than the modulus; if the intermediate result is greater than the modulus, subtract the modulus from the intermediate result to calculate a new intermediate result (2 4); test the new intermediate result (2 5) to determine whether the new intermediate result is greater than the modulus; and if the new intermediate result is greater than the modulus, subtract the modulus from the new intermediate result to calculate (2 6) another new intermediate result. 8. The device described in item 7 of the scope of patent application, Among them, the registration device (12) is formed by using the subtraction of the modulus as reduction information, and using one of the previously processed multiplier bits (1) as sequence information. 9 The device as described in item 7 of the scope of patent application, wherein the registration device (12) is set to (30a) -bits, which has a sequence of subtracting (24) the first time The modulus is equal to one order of the processing multiplier bits of a first auxiliary register, wherein the registration device (2) is formed by setting (3 0 c) -bits, which has-order, A sequence of the previously processed multiplier bits equal to a first > auxiliary register (Q,) when the modulus (26) is subtracted a second time; and The evaluation device (4) is formed to add the first auxiliary register and the second auxiliary register to obtain the integer quotient. W 1 〇 · The device described in the first item of Shen Qing's patent scope: Among them, the processing device (1 〇) is formed to execute a multiplication preview algorithm (91 〇), so as to consider in a processing night Complex multiplier bit, when the 200400442 VI, patent application range and other multiplier bit 1 right box one of the algorithms of the algorithm; in i, Xi eight :: depends on the pre-y to be used in the reduction information and two Rather, the registration device (i 2) is formed > and the order — ,, and 1 L 丄 z ”you ... consider the multiplication preview algorithm 1 1 in the information, ^ device 91〇) 11 · Ru Shen 凊As described in item 10 of the patent scope, where 'the processing clothes π 0) is formed using a reduction preview algorithm (93 °) other than (91 °); and wherein the registration device (12) is formed The reduction look-ahead algorithm is considered in the reduction message and information (910). 12 · The device according to item 11 of the scope of patent application, wherein the processing device (1 0) is formed to calculate the reduction intermediate result (ζ) by using a two-way difference element, wherein a first operand 1 An intermediate result of a previous processing step, a first heterogeneous element is the _ (C), and a third arithmetic element is the modulus (N), wherein one of the elements is a heterogeneous element using a factor in In the three-way heteroelement, the weighting is 'a factor of 2 and is weighted with the power of the individual translation values (Sz, sN), where' the modulus (N) has a reduction preview parameter (b); where, the The approximation preview parameter (b) is that y has the values f 0 '', 1 H Μ 1 and I _ in this multiplication preview algorithm, the order addition,: Z) is by the multiplier three operation system and its + -Γ and wherein the registration device (12) is formed to determine the order information (50) based on a translation value (sz, sN), and to determine the reduction based on the reduction preview parameter (b). Information (52). 1 3 · The device as described in item 12 of the scope of the patent application, wherein the registration device (12) is a secondary storage register (Q, Q), and using the sequence information, the at least one temporary storage Specific bit 900400442 VI. Patent Application Range # News: Yuan (j) is set as the following reduction negative " When b equals 1, then Q j · equals 0, Q When b equals 0, Qj equals Q, j equals 0 m · 々々A ，; # 于 1 乂 and n, 彳 # 于 〇 When b is equal to 1, then Q j is equal to 1, QJ, 〇i ^ ^ ^ ^ where b is the number of reductions to look at, Fight for ^, register--bit], and QJ is a bit of the-auxiliary register (0 '): 1 ·. Meng Jin, 1 4 · As described in No. 12 of the scope of patent application, wherein a reduction translation value (Sn) is related to the modulus (N); wherein a multiplication translation value (Sz) is related to the middle The result; and wherein, the registration device (丨 2) is formed by a difference between the "multiplication shift value (SZ)" and the reduction shift value (SN) in the sequence of a previous step to determine the first The order of the auxiliary temporary bits is f-and the "secondary register 15", such as the scope of the patent application! Item 3 贝. Placement (Η) is formed by the third "charm" A device, wherein the evaluation is provided with an auxiliary register (Q,) for obtaining the integer quotient after: the register (Q) subtracts the second digit. The processing unit (10) processes the The method of multiplication is used to calculate an item (quotient method), in which the item 2 is one of a modulus (N); a product of a multiplier ⑷, the = bracket, a binary multiplier (Μ): ί in the plural step The middle treatment (10) diagnosis system includes: The physical management device (10) is formed with: two J (M) bits, wherein the number is reduced to one Result (2), in the processing step, the calculation relative to the modulo / depends on the binary multiplier 700400442 6. The one or more bits in the scope of the patent application, which are considered in the processing step; in the Register (1 2) reduction information in a processing step, and sequence information of one or more of the integer quotient considered by the processing step; and evaluate (1 4) the reduction information of the processing steps and the Order information to get the integer quotient (Q). Page 32