1. Field of the Invention
The present invention relates to a modular arithmetic apparatus and method for performing an arithmetic operation of a large integer effectively by selecting a base (of a base size) in a plurality of base parameter sets in an arithmetic operation on the basis of a residue number system (RNS).
2. Description of the Related Art
The residue number system (RNS) is well known as one technique for efficiently performing operations involving large integers. In the residue number system, a set of small integers {a1, a2, . . . , an} that are prime to each other is prepared in advance. The set of integers {a1, a2, . . . , an} is called a base of the residue number system. Each element of the set of integers {a1, a2, . . . , an} is called a base element. The number n of base elements is called a base size.
In the case of expressing a large integer x in a residue number system, the large integer x is represented by a set of residues {x1, x2, . . . , xn} obtained when the large integer x is divided by the respective base elements of a base {a1, a2, . . . , an}. In this case, if the integer x is a positive integer that is smaller than the product A (=a1a2 . . . an) of the base elements, then the integer x is uniquely represented by the residues {x1, x2, . . . , xn}. In other words, the integer x and its residue number system representation {x1, x2, . . . , xn} correspond to each other one to one.
In a residue number system, the product of two integers x and y is calculated in the following manner. First, the products {x1y1, x2y2, . . . , xnyn} of the elements of a residue number system representation {x1, x2, . . . , xn} of the integer x and the elements of a residue number system representation {y1, y2, . . . , yn} of the integer y, respectively, are calculated. Then, residues {x1y1 mod a1, x2y2 mod a2, . . . , xnyn mod an} are obtained by dividing the products {x1y1, x2y2, . . . , xnyn} by the base elements ai (i=1, 2, . . . , n), respectively. Addition and subtraction can be performed in a similar manner; an intended result is obtained by adding elements xi and yi corresponding to a base element ai or subtracting one from the other using the base element ai as a modulus.
As described above, in an operation using a residue number system, an intended result of each of multiplication, addition, and subtraction can be obtained by performing multiplication, addition, or subtraction independently on an element-by-element basis using a corresponding base element as a modulus. If the length of each base element is shorter than or equal to the word length of a computer, an operation involving very large integers can be performed by repeating single precision operations. This enables parallel processing in performing an operation (addition, subtraction, or multiplication) on large integers in a residue number system.
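The element-by-element arithmetic described above can be sketched as follows. This is an added illustration, not part of the original text: the function names, the base-selection rule (descending candidates below the word size) and the 16-bit / 64-bit toy parameters are assumptions chosen for the example. It also shows the uniqueness condition: a result is recovered exactly only while it stays below the product A of the base elements.

```python
from math import gcd, prod

def make_base(target_bits, word_bits=32):
    """Pick pairwise-coprime base elements below 2**word_bits whose
    product A has at least target_bits bits (hypothetical selection rule)."""
    base, A, cand = [], 1, (1 << word_bits) - 1
    while A.bit_length() < target_bits:
        if all(gcd(cand, a) == 1 for a in base):
            base.append(cand)
            A *= cand
        cand -= 1
    return base

def to_rns(x, base):
    """Residue representation {x1, ..., xn} of x."""
    return [x % a for a in base]

def rns_mul(xs, ys, base):
    """Independent single-word multiplications, one per base element."""
    return [(xi * yi) % a for xi, yi, a in zip(xs, ys, base)]

def rns_add(xs, ys, base):
    """Independent single-word additions, one per base element."""
    return [(xi + yi) % a for xi, yi, a in zip(xs, ys, base)]

def from_rns(xs, base):
    """Chinese remainder theorem: the unique x in [0, A) with residues xs."""
    A = prod(base)
    x = 0
    for xi, a in zip(xs, base):
        Ai = A // a
        x += xi * Ai * pow(Ai, -1, a)  # modular inverse needs Python 3.8+
    return x % A

def demo():
    base = make_base(64, word_bits=16)   # constructed toy parameters
    A = prod(base)
    x, y = 0xDEADBEEF, 0xC0FFEE          # x*y < A: recovered exactly
    exact = from_rns(rns_mul(to_rns(x, base), to_rns(y, base), base), base)
    big = to_rns(A - 1, base)            # (A-1)**2 >= A: wraps modulo A
    wrapped = from_rns(rns_mul(big, big, base), base)
    return base, exact == x * y, wrapped

if __name__ == "__main__":
    print(demo())
```

With these parameters the second product comes back as 1, that is (A-1)^2 mod A, rather than the true product, because the true product is not smaller than A.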
An algorithm obtained by combining the residue number system and the Montgomery multiplication and its hardware implementation (called “RNS Montgomery multiplier”) are proposed, as a method for performing, at high speed, a modular exponentiation (and modular multiplication) that is a basic operation of the public key cryptosystem, in S. Kawamura, M. Koike, F. Sano, and A. Shimbo, “Cox-Rower Architecture for Fast Montgomery Multiplication,” Lecture Notes in Computer Science 1807, Advances in Cryptology—EUROCRYPT 2000, pp. 523–538, 2000.
The RNS Montgomery multiplier uses a base to express an integer as a residue number system representation. The base is a set of small base elements whose lengths are shorter than or equal to an operation word length. The product of the base elements needs to have a length that is longer than or equal to the block size (=key length, e.g., 1,024 bits) of a public key cryptosystem.
A method for performing operations in such a manner that the number of operation units of an RNS Montgomery multiplier is set equal to the base size, and a method for performing operations in such a manner that the number of operation units is set equal to a divisor of the base size and each operation unit is associated with a plurality of base elements, are proposed in U.S. patent application Ser. No. 09-699,481 (Oct. 31, 2000).
The amount of calculation of the RNS Montgomery multiplication is proportional to the square of the base size (=n) used. The amount of calculation of the modular exponentiation corresponds to the amount of calculation of RNS Montgomery multiplications performed a number of times that is proportional to the bit length of an exponent.
Because of the recent advancement of decryption technology and diversification in the degree of security and other factors, the key length that is required in the public key cryptosystem is not necessarily fixed. Therefore, a single hardware device needs to deal with a plurality of key lengths.
In hardware device implementation, the number of operation units provided in the hardware is fixed and the upper limit of the number of operation units that operate simultaneously is thereby determined. Therefore, in hardware device designing, it is necessary to determine key lengths to be handled and set the number of operation units at a proper number.
Where operation units are prepared in the same number as the base size that corresponds to a maximum key length, if modular exponentiations are performed while varying the key length, the amount of calculation decreases and the processing time can be shortened as the exponent becomes smaller. However, in view of the fact that the amount of calculation of a modular exponentiation in which binary representation is employed is proportional to the third power of the bit size (key length), the calculation amount varies to a large extent and the above processing time shortening effect is not sufficient.
Where the word size of each operation unit is equal to 32 bits, 65 base elements are necessary to deal with a key length of 2,048 bits in RSA (Rivest-Shamir-Adleman) type public key cryptosystem processing. The method of preparing base elements in a number corresponding to a maximum key length is inefficient because 65 base elements are excessive to perform modular exponentiation with a key length of 512 bits, for example.
However, no operation device configuration capable of operating efficiently for different key lengths has been provided yet in the art.