1. Field of the Invention
The present invention relates to a computation method for computing a value relating to a Montgomery conversion parameter to be used in a Montgomery multiplication remainder operation, a computing device to which the computation method is applied and a computer program for realizing the computing device and, in particular, to a computation method, a computing device and a computer program for increasing the computational speed.
2. Description of Related Art
It is expected that services which use electronic money or an information network such as the Basic Resident Register Network will become widely used with the future development of the information society. An information security technology is indispensable for managing these services safely, and a cryptographic technology is used as a basic technology of information security. By using the cryptographic technology, it is possible to realize functions such as cryptography, digital signature and certification and to protect personal information against unauthorized access from a third party.
A variety of cryptosystems for realizing a cryptographic technology have been known to date, and these systems can be classified broadly into two types: the common key cryptosystem and the public key cryptosystem. The common key cryptosystem is a system which uses the identical key (common key) in encryption and decryption and maintains security by setting, as this common key, information which is unknown to third parties other than the transmitter and the receiver. The public key cryptosystem is a system which uses different keys in encryption and decryption and maintains security by setting, as a key (secret key) for decrypting ciphertext, confidential information owned only by the receiver, while the key (public key) for encryption is made available to the public. When the common key cryptosystem is used, it is necessary to share the common key mentioned above in a safe manner so that it remains unknown to third parties other than the transmitter and the receiver. On the other hand, the public key cryptosystem has the advantage that it is unnecessary to share confidential information between the transmitter and the receiver but has the disadvantage that the amount of computation for performing processes is extremely large in comparison to the common key cryptosystem. Accordingly, speeding up of the computation process is a major issue in the public key cryptosystem.
Known as representative systems of the public key cryptosystem are RSA cryptography and elliptic curve cryptography. A process using an exponentiation remainder operation is performed in the RSA cryptography while a process using an operation which is referred to as point scalar multiplication is performed in the elliptic curve cryptography. Both of these operations use, as the basic operation, a multiplication remainder operation represented by an expression $y = a \times b \pmod{n}$ which uses an integer n that denotes a divisor of a remainder and integers a and b that satisfy $0 \le a, b < n$.
When the multiplication remainder operation is directly implemented in hardware or software, however, the processing time becomes long and the processing efficiency becomes low. Accordingly, an operation method referred to as a Montgomery multiplication remainder operation, which uses integers a, b and n as in the following expression, is widely used instead of the multiplication remainder operation. By using the Montgomery multiplication remainder operation represented by the following expression, it is possible to realize a quicker process than a normal multiplication remainder operation. It should be noted that the sign “*” in the following expression and the following explanation denotes the multiplication symbol “×”.
$$y = a \times b \times R^{-1} \pmod{n}$$
wherein
n: integer denoting a divisor of a remainder
a, b: integers which satisfy $0 \le a, b < n$
R: constant represented by $2^{m*k}$
k: bit length per 1 word
m: the minimum number of words necessary for representing n
FIG. 1 is an explanatory view showing the algorithm of a Montgomery multiplication remainder operation. It should be noted that $x = (x_{m-1}, \ldots, x_1, x_0)$ in the algorithm shown in FIG. 1 shows a format for representing an integer x as m word values $x_i$ ($i = m-1, \ldots, 1, 0$; $0 \le x_i < 2^k$). On the basis of a, b and n respectively represented by m word values as shown in FIG. 1, a Montgomery multiplication remainder operation $y = a \times b \times R^{-1} \pmod{n}$ of a case where a value y represented by m words is calculated is described as $y = \mathrm{REDC}(a, b)_n$ or just REDC in the following explanation. Moreover, the sign “:=” in the following drawings including FIG. 1 and the following explanation denotes assignment of the numerical value or expression on the right-hand side to the left-hand side.
As described above, the Montgomery multiplication remainder operation is $a \times b \times R^{-1} \pmod{n}$ and performs an operation different from a normal multiplication remainder operation $a \times b \pmod{n}$. Accordingly, in order to execute an exponentiation remainder operation properly, it is necessary to convert input data to be given to the Montgomery multiplication remainder into data which is referred to as Montgomery system. When arbitrary input data to be given to a normal multiplication remainder operation is represented as x, data obtained by converting x into Montgomery system is represented as x′, conversion (Montgomery conversion) from x into x′ is represented as $x' = \mathrm{Mont}(x)$ and conversion (Montgomery inversion) from x′ to x is represented as $x = \mathrm{Mont}^{-1}(x')$, these are given by the following expressions.
Montgomery conversion: $x' = \mathrm{Mont}(x) = x \times R \pmod{n}$
Montgomery inversion: $x = \mathrm{Mont}^{-1}(x') = x' \times R^{-1} \pmod{n}$
The Montgomery conversion and the Montgomery inversion represented by the above expressions can be represented by the following expressions using REDC. Here, H is a value which is referred to as a Montgomery conversion parameter represented as $H = R^2 \pmod{n}$ and is obtained by prior computation.
Montgomery conversion: $x' = \mathrm{REDC}(x, H)_n = x \times R^2 \times R^{-1} = x \times R \pmod{n}$, wherein $H = R^2 \pmod{n}$
Montgomery inversion: $x = \mathrm{REDC}(x', 1)_n = x' \times 1 \times R^{-1} = x' \times R^{-1} \pmod{n}$
The following description will explain the algorithm of an exponentiation remainder operation which uses a Montgomery multiplication remainder based on the above expressions. FIG. 2 is an explanatory view showing the algorithm of an exponentiation remainder operation which uses a Montgomery multiplication remainder operation. FIG. 2 shows the algorithm of a Montgomery multiplication remainder operation based on an exponentiation remainder operation which is referred to as a binary method and computes an exponentiation remainder operation result $y = a^d \pmod{n}$ from the input values a, d and n. The process in the first line in FIG. 2 gives 1 as the initial value of y. The process in the second line computes a Montgomery conversion parameter $H = R^2 \pmod{n}$. The process in the third line performs Montgomery conversion for y and a to obtain y′ and a′. The loop in the fourth to seventh lines repeats a process of performing the Montgomery multiplication remainder once or twice according to the bit value of d, from the least significant bit of d to the most significant bit. The process in the eighth line performs Montgomery inversion for y′ computed in the loop in the fourth to seventh lines to obtain a final operation result y.
The following description will explain a computation method of a Montgomery conversion parameter $H = R^2 \pmod{n}$ to be performed in the second line of the algorithm shown in FIG. 2. FIG. 3 is an explanatory view showing the algorithm of a computation method of a Montgomery conversion parameter. The computation method of a Montgomery conversion parameter shown in FIG. 3 is a method for computing $H = R^2 \pmod{n}$ corresponding to a case of $R = 2^x$ by repeating addition, comparison and subtraction. The process in the first line computes $H = R \pmod{n}$. Although there are a variety of methods for computing $H = R \pmod{n}$, it is possible, for example, to compute it simply as $R \pmod{n} = 0 - n$ when the significant bit length of n is x for $R = 2^x$. The loop in the second to fifth lines computes H+H for $H = R \pmod{n}$ and then subtracts n when the result is larger than or equal to n, so as to perform an addition remainder (double remainder) of $H + H \pmod{n}$. It should be noted that computation of H+H may also be realized by a one-bit left shift operation. The algorithm shown in FIG. 3 calculates $R \times 2^x \pmod{n} = R^2 \pmod{n}$ by repeating the above addition remainder operation x times.
The algorithm of the computation method of a Montgomery conversion parameter shown in FIG. 3, however, has a drawback that the processing speed is low since the addition remainder is repeated x times in the second to fifth lines. For example, in a case of an RSA operation for a 1024-bit n, $R = 2^{1024}$, which means that it is necessary to perform an addition remainder operation 1024 times, and the amount of computation becomes enormous, lowering the processing speed.
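The procedures described for FIG. 2 and FIG. 3, written out as an added Python example (not code from the patent or its figures). The function names and the sample modulus N are constructed for illustration, R is taken as 2^x with x the bit length of n, and REDC works on whole integers rather than the word-serial form of FIG. 1.

```python
def redc(a, b, n, x):
    """REDC(a, b)_n = a*b*R^-1 mod n for R = 2**x, odd n with 1 < n < R, 0 <= a, b < n."""
    mask = (1 << x) - 1
    n_neg_inv = (-pow(n, -1, 1 << x)) & mask     # -n^-1 mod R (needs Python 3.8+)
    t = a * b
    u = (t + ((t * n_neg_inv) & mask) * n) >> x  # numerator is an exact multiple of R
    return u - n if u >= n else u                # u < 2n, so one subtraction suffices


def h_by_doubling(n, x):
    """Montgomery conversion parameter H = R^2 mod n by x modular doublings (FIG. 3)."""
    h = (1 << x) - n          # R mod n obtained as 0 - n in an x-bit register
    for _ in range(x):        # x addition remainders: h := h + h (mod n)
        h += h
        if h >= n:
            h -= n
    return h


def mont_pow(a, d, n):
    """a^d mod n by the binary method on Montgomery-system values (FIG. 2)."""
    x = n.bit_length()                # R = 2**x
    H = h_by_doubling(n, x)
    y_m = redc(1, H, n, x)            # Montgomery conversion of y = 1
    a_m = redc(a % n, H, n, x)        # Montgomery conversion of a
    while d:                          # least significant bit of d first
        if d & 1:
            y_m = redc(y_m, a_m, n, x)
        a_m = redc(a_m, a_m, n, x)
        d >>= 1
    return redc(y_m, 1, n, x)         # Montgomery inversion


N = 0xC5A391F70D4BE2A9   # constructed odd 64-bit modulus, sample input only

if __name__ == "__main__":
    print(hex(h_by_doubling(N, 64)))
    print(mont_pow(0x1234567, 65537, N) == pow(0x1234567, 65537, N))
```

For this 64-bit modulus the loop in `h_by_doubling` runs 64 times; for a 1024-bit n it runs 1024 times, which is the cost the text identifies.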
Therefore, some methods have been proposed to increase the computational speed of a Montgomery conversion parameter $H = R^2 \pmod{n}$, by combining an REDC operation, a shift operation and subtraction. The following description will explain these methods as Conventional Methods 1 to 3. It should be noted that the bit length per 1 word is denoted as k, a value represented by m word values is denoted as n, and the number of successive “0” from the most significant digit of n is denoted as q in the explanation of the following Conventional Method 1 to Conventional Method 3. For example, in a case of k=8, m=2 and q=2 when the bit string of n is “00101011 11001111”, while m=3 and q=0 when the bit string of n is “10001001 11100110 11100101”.
Conventional Method 1.
FIG. 4 is a flowchart showing a computation method of a Montgomery conversion parameter in Conventional Method 1. In the Conventional Method 1 shown in FIG. 4, a divisor n of a remainder is inputted and $R^2 \pmod{n}$ is outputted. Here, $R = 2^{m*k} \pmod{n}$. The Conventional Method 1 is mainly composed of a step A1 and a step B1. The step A1 is a step of computing $H_0 = 2^v \times R \pmod{n}$ using a shift operation and subtraction. Here, v is a natural number. The step B1 is a step of computing $H = R^2 \pmod{n}$ from $H_0$ using an REDC operation.
In the step S101 of the step A1, “n” and “0” are respectively given as initial values to a first register REG1 and a second register REG2. It should be noted that the significant word length of n is m and the number of successive “0” from the most significant bit of the initial value n stored in the first register REG1 in a right-aligned manner is denoted as q. It should be noted that a value stored in the first register REG1 is denoted as REG1 and a value stored in the second register REG2 is denoted as REG2 in the following explanation.
In the step S102 of the step A1, a one-bit left shift operation is repeated q times for the first register REG1 to compute $\mathrm{REG1} = n' = n \times 2^q$.
In the step S103 of the step A1, a value computed by REG2−REG1 is stored in the second register REG2 to give $\mathrm{REG2} = n' = n \times 2^q$.
In the step S104 of the step A1, a one-bit left shift operation for the second register REG2, true/false judgment of REG2≧REG1, and a process of storing the operation result of REG2−REG1 in the second register REG2 when REG2≧REG1 is true are repeated v+q times to give $\mathrm{REG2} = 2^{m*k+v+q}$. Here, v is an integer which satisfies $v \ge 1$ and for which $(m \times k)/v$ is a power of 2 for the given m and k.
In the step S105 of the step A1, a one-bit right shift operation is repeated q times for the first register REG1 and the second register REG2 to compute $\mathrm{REG1} = n$ and $\mathrm{REG2} = H_0 = 2^{m*k+v} \pmod{n}$.
In the step S106 of the step B1, a process of storing the result of an REDC operation represented as $\mathrm{REDC}(\mathrm{REG2}, \mathrm{REG2})_n$ in the second register REG2 is repeated p times to compute $\mathrm{REG2} = H = 2^{2*m*k} \pmod{n} = R^2 \pmod{n}$. Here, p is an integer which satisfies $p = \log_2((m \times k)/v)$ and $\mathrm{REDC}(\mathrm{REG2}, \mathrm{REG2})_n$ represents a Montgomery multiplication remainder operation $\mathrm{REDC}(A, B)_n = 2^{-m*k} \times A \times B \pmod{n}$.
In the step S107, $\mathrm{REG2} = R^2 \pmod{n}$, which is the result of computation, is outputted and the process ends.
FIG. 5 is a chart showing the number of operation times necessary for a computation method of a Montgomery conversion parameter in the Conventional Method 1. FIG. 5 shows the number of operation times necessary for a computation method of the Conventional Method 1 shown using FIG. 4, by type and step of operations. It should be noted that SFT denotes a shift operation of performing one-bit shift, SUB denotes subtraction, CMP denotes a comparison operation and REDC denotes a Montgomery multiplication remainder operation in FIG. 5.
In order to satisfy the condition in the step S106 that p must be an integer which satisfies $p = \log_2((m \times k)/v)$, there is a limitation that $(m \times k)/v$ must have a value represented by $(m \times k)/v = 2^x$ using an integer x, i.e. a value which is a power of 2. Since selection of the value of v in the Conventional Method 1 is limited due to this limitation, the value of v needs to be increased depending on the significant bit length of n. As seen from the chart shown in FIG. 5, the total amount of computation is increased by increasing v since the number of computation times of SFT, SUB and CMP depends on v.
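Steps S101 to S107 of Conventional Method 1 and the restriction on v, as an added Python sketch (not code from the patent). The function names are hypothetical, REDC is evaluated directly from its stated definition, and REG2−REG1 in S103 is assumed to wrap around in an m*k-bit register, in line with the earlier remark that R (mod n) can be computed as 0−n. The two 8-bit-word moduli are the bit strings used above to illustrate q.

```python
def redc(a, b, n, mk):
    # REDC(A, B)_n = 2^(-m*k) * A * B (mod n), taken from its definition (n odd)
    return a * b * pow(2, -mk, n) % n


def h_method1(n, k, v):
    """R^2 mod n for R = 2**(m*k); returns (H, S104 iterations, REDC count p)."""
    m = -(-n.bit_length() // k)        # minimum number of k-bit words for n
    mk = m * k
    q = mk - n.bit_length()            # successive zeros from the top bit of n
    ratio, rem = divmod(mk, v)
    if rem or ratio & (ratio - 1):
        raise ValueError("(m*k)/v must be a power of 2")
    p = ratio.bit_length() - 1         # p = log2((m*k)/v)
    reg1, reg2 = n, 0                  # S101
    reg1 <<= q                         # S102: REG1 = n' = n * 2^q
    reg2 = (reg2 - reg1) % (1 << mk)   # S103: wraps to 2^(m*k) - n' (assumption)
    for _ in range(v + q):             # S104: shift, compare, subtract
        reg2 <<= 1
        if reg2 >= reg1:
            reg2 -= reg1
    reg1 >>= q                         # S105: REG1 = n
    reg2 >>= q                         #       REG2 = H0 = 2^(m*k+v) mod n
    for _ in range(p):                 # S106: p Montgomery squarings
        reg2 = redc(reg2, reg2, reg1, mk)
    return reg2, v + q, p              # S107


N16 = 0b0010101111001111               # k=8: m=2, q=2
N24 = 0b100010011110011011100101       # k=8: m=3, q=0

if __name__ == "__main__":
    print(h_method1(N16, 8, 1))        # v=1 allowed: 16/1 is a power of 2
    print(h_method1(N24, 8, 3))        # smallest allowed v is 3: 24/3 = 8
```

With m*k = 24 the call `h_method1(N24, 8, 1)` raises ValueError, so the shift/compare/subtract loop cannot be shortened below v = 3 iterations; this is the dependence on the bit length of n that the text describes.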
Next, an example of the number of operation times of the computation method in the Conventional Method 1 will be described with reference to the chart shown in FIG. 5.