FR2791157A1 - Integrated circuit comprises means for effecting modular operations according to Montgomery's method for use in cryptography, has a single multiplication accumulator circuit - Google Patents

Abstract

The circuit comprises a coprocessor (200) for effecting modular operations according to Montgomery's methods. The coprocessor has a single multiplication accumulator circuit (231). An Independent claim is made for a procedure for carrying out a modular operation using Montgomery's method.

Description

Device and method for carrying out an operation

  elementary modular according to Montgomery's method.

  The invention relates to a device and a method for implementing an elementary modular operation according to the Montgomery method. This method allows you to perform modular calculations in a finite field (or Galois body) without dividing. Conventionally, modular operations in finite fields are used in cryptography for applications such as message authentication,

  the identification of a user and the exchange of keys.

  Examples of such applications are described, for example

  in the patent application FR-A-2 679 054 (hereinafter D1).

  Commercially available integrated circuits dedicated to such applications, for example the product manufactured by STMicroelectronics SA and referenced STl6CF54, built around an association of CPU type - arithmetic coprocessor, and dedicated to the implementation of modular calculations . The coprocessor used makes it possible to process modular multiplications, using the Montgomery method. It is the subject of

  patent application EP-A-0 601 907 (hereinafter D2).

  The basic operation, called Pfield, consists, from three binary data, A (multiplicand), B (multiplier less than N) and N (modulo), coded on an integer n of bits, to produce a binary data denoted P (A, B) N coded on n bits, such that P (A, B) N = A * B * I mod N, with I = 2-n mod N. For this, it is considered that the data are coded on m words of k bits, with m * k = n, and the words A and B are supplied to a multiplication circuit having a serial input, an input

parallel and a serial output.

  For the coprocessor described in D2, we have k = 32 and m = 8 or 16. FIG. 1 represents the modular arithmetic coprocessor disclosed by D2. This coprocessor comprises the following elements: three shift registers 10, 11, and 12, of m * k bits, intended to receive respectively the multiplier B, the result S, and the modulo N, - multiplexers 13 to 15 whose outputs are respectively connected to the inputs of the registers 10 to 12, - three shift registers 16, 17, and 18, of k bits, having a serial input and a parallel output, intended to receive respectively k bits of the multiplicand A, a parameter of a calculation denoted J0, an intermediate result denoted by Y0, two multiplication circuits 19 and 20 each having a serial input, a parallel input of k bits and a serial output, two parallel latches 21 and 22 of k bits which serve as a buffer for multiplication circuits 19 and, - a multiplexer 23 which serves to connect the register 22 either to the register 17 or to the register 18, - three multiplexers 24, 25 and 26 serving to route the data on the inputs of the multiplier circuits. cation 19 and 20, three subtraction circuits 27, 28, and 29 each having two series inputs and one series output, two addition circuits 30 and 31, each having two series inputs and one series output, three delay cells. 32, 33 and 34 which are in fact k-bit shift registers, and which serve to delay the data of k clock cycles to mask the calculation time of the multiplication circuits 19 and, - a comparison circuit 35, two multiplexers 36 and 37 which allow the control of the subtraction circuits 27 and 28, a multiplexer 38, and

a demultiplexer 39.

  For more details on the realization of these

  elements we can refer to D2.

  To carry out a PField elementary operation PField (A, B) N = A * B * I mod N, A and B being coded on m words of k bits, and I being an error equal to 2-m * k, the following loop iteration is carried out m times with i an index varying from 0 to m-1: X = S (i-1) + Ai * B, Y0 = (X * J0) mod 2k,

Z = X + (N * Y0)

  S (i) = Z \ 2k, \ being an integer division, if S (i) is greater than N then we subtract N to S (i) before the next iteration, with S (-1) = 0, where Ai is the word of k bits of weight i, J0 being a k-bit word defined by the equation

((N * J0) + 1) mod 2k = 0.

  The coprocessor of FIG. 1 makes it possible to carry out a complete iteration by a simultaneous shift of m * k bits of the registers 10 to 12 respectively containing B, S (i-1) and N followed by a 2 * k bits offset of register 12 to memorize S (i), the word Ai being loaded in the register 21, and the word J0 being loaded into the register 17. To perform the complete calculation of PField (A, B) N, simply repeat m times each iteration by changing the word Ai contained in the register 21 during each iteration. The operation "X = S (i-1) + Ai * B" is done by means of the multiplication circuits 19 and the addition circuit 30. The operation "Y0 = (X * J0) mod 2k" is performed during the first k offsets in the multiplication circuit 20, having taken care to store J0 in the register 22, the result Y0 being stored in the register 18. The operation "Z = X + (N * Y0)" , N and X having been delayed by k bits in the delay cells 32 and 34 and YO0 having been set in the register 22, is carried out by means of the multiplication and addition circuits 31. The operation " S (i) = Z \ 2k "is performed by k-bit shift. The comparison of S (i) with N is carried out by the subtraction of N to S (i) in the subtraction circuit 29, N being delayed by k bits in the cell 33, a possible overflow being detected and stored in the circuit 35 for the result of the comparison. The subtraction of N to S (i) occurring during the next iteration in

the subtraction circuit 28.

  Many improvements have been made on this circuit. The improvements are intended to go faster and / or reduce the size of the circuit and / or reduce the consumption of the circuit and / or provide additional functionality without increasing the size of the circuit significantly. The person skilled in the art can refer inter alia to the publications of the European patent applications EP-0 712 070, EP-0 712

  071, EP - 0 712 072, EP - 0 778 518, EP - 0 784 262, EP -

  0 785 502, EP-0 785 503, EP-0 793 165, EP-0 853

  275, and also to the publication of the application for

International Patent WO / 97 25668.

  It is also known, from the publication of the European patent application EP-0 566 498 (hereinafter D3), another circuit making it possible to calculate the elementary operation P (A, B) N = A * B * I mod N, with I = 2-n and n the size of A, B or N. The D3 circuit uses a single parallel / series multiplication circuit, represented in D3 as a parallel adder coupled to a shift register . The circuit of D3 does not exactly reproduce the Montgomery algorithm and uses an intermediate data equal to (N-1) / 2 + 1. The circuit of D3 uses a multiplication circuit having a parallel input of n bits and is limited to fixed-size calculation operands. Moreover, the size of the circuit of D3 is proportional to the size of the operands used, the surface thus occupied being considerable. The present invention aims to improve the state of the art by providing a coprocessor whose processing speed performance is improved compared to the D2 circuit, while occupying a smaller area of silicon. The coprocessor of the invention uses a single architecture multiplication circuit close to D3. The present invention also relates to the calculation method implemented for

perform a modular operation.

  The invention relates to an integrated circuit comprising a modular arithmetic coprocessor comprising storage means for storing and supplying in series first and second operands A and B, a modulo N and a result S, with A an integer coded on a * k bits, a being a non-zero integer at most equal to m, and with B, N and S being integers coded on at most m * k bits, m and k being integers greater than 1, and means method for performing modular operations according to the Montgomery method, characterized in that the calculating means comprise a circuit for calculating an intermediate data Yo; a first k-bit latch for storing a word Ai of k bits of A; a second k-bit latch for storing either the least significant word of N or Y0; a connected addition parallel circuit for adding the words contained in the first and second latches; a selection device coupled to the outputs of the first and second flip-flops and the parallel addition circuit to provide on a parallel output either the word contained in the first flip-flop, or the word contained in the second flip-flop, or the sum of the words contained in the first and second flip-flops, ie "zero", as a function of one part of a bit of B, and on the other hand of either a bit of Y0 or a bit of N; an accumulator circuit which adds, shifts by one bit and stores the words successively supplied by the selection device with a bit of an updated result S, the bit coming out of the circuit

  accumulator becoming a new updated result.

  An improvement of the invention consists in that the calculation means comprise a first k-bit shift register for receiving on the one hand a k-bit word of A and transmitting said word in parallel to the first flip-flop and on the other hand N share in order to delay N of

k cycles of a clock signal.

  The invention also relates to a method for performing a modular operation according to the Montgomery method by series shifting of first and second operands A and B, a modulo N and an updated result through calculation means, with A an integer coded on a * k bits, a being a non-zero integer at most equal to m, and with B, N and S being integers encoded on at most m * k bits, m and k being integers greater than 1, characterized in it comprises the repetition of the following steps, i being an index varying from 0 to ml: storing a word Ai of k bits corresponding to the weight word i of A in a first flip-flop of k bits; calculating an intermediate data Y0 such that Y0 = ((S (i-1) + (Ai * B)) * J0) mod 2k, with S (i-1) corresponding to the (i-1) -th result updated, S (-1) being equal to 0, and J0 being a k-bit word solving the equation ((J0 * N) + 1) mod 2k = 0; storing the word of k least significant bits of N and Y0 in a second flip-flop of k bits; adding in a parallel addition circuit the words contained in the first and second latches; selecting and supplying either the word contained in the first flip-flop, or the word contained in the second flip-flop, or the sum of the words contained in the first and second flip-flops, or "zero", depending on one hand a bit B, and on the other hand either a bit of Y0 or a bit of N; Successive additions in an accumulator circuit of the words supplied by the selection device for each pair of bits of B and N, the result of each addition being added to a bit of the previous updated result S (i-1) and then shifted by one bit and stored between each addition, the bit coming out of the accumulator during the shift corresponding to a

new updated result S (i).

  An improvement consists in that a comparison is made of the output of the accumulator with N delayed by k cycles of a clock signal, and that the same first k-bit shift register is used. to delay N and to be able to load the words Ai in the first flip-flop. In addition, the memorization of a word Ai in the first flip-flop is performed by k offsets of the word Ai in the first register and then parallel loading in the first flip-flop after the word Ai has been loaded in full in the first register. The calculation of each bit of the intermediate data Y0 is carried out one clock cycle before

each of these bits is needed.

  The invention will be better understood and other features and advantages will become apparent on reading

  the description that follows, the description

  1 represents a modular arithmetic coprocessor according to the state of the art, FIG. 2 represents a modular arithmetic coprocessor according to the invention, and FIGS. 3 to 7 represent in detail

  different elements of the coprocessor of FIG.

  FIG. 1 having been described above and representing the state of the art, it will not be

described in more detail.

  Fig. 2 shows coprocessor 200 of modular arithmetic, according to a preferred embodiment. In order not to overload the diagram, only the data flow has been represented in this FIG. 2. A state machine (not shown) sends the necessary control signals to the various functional elements of the coprocessor 200. The coprocessor 200 comprises the elements following: - First to fourth storage devices 201 to 204 respectively containing data A, B, N and S. The data A, B, N and S are data encoded on at most m words of k bits. The storage devices 201 to 204 make it possible to independently supply any k-bit word of the stored data item. Each storage device 201 to 204 has first and second

  serial inputs and serial data output.

  The first input of each storage device

  201 to 204 is connected to a Din input terminal.

  First and second series-type subtraction circuits 205 and 206 have first and second inputs and a serial type output. The first input of the first subtraction circuit 205 is connected to the output of the second storage device 202. The first input of the second subtraction circuit 206 is connected to the output of the second

  fourth storage device 204.

  First and second multiplexers 207 and 208 are respectively coupled to the second inputs of the

  first and second subtraction circuits 205 and 206.

  The first and second multiplexers 207 and 208 have two inputs each, one of the inputs receiving a "zero" logic, and the other of the inputs being connected to the output of the third storage device 203. The association of the first and second second subtraction circuits 205 and 206 with the first and second multiplexers 207 and 208 allows subtracting either "zero" or the outgoing data from the third storage device 203 to the outgoing data of the second and fourth storage devices 202 and 204. - First Fourth delay circuits 211 to 214 serve to synchronize the data by delaying them by one cycle of a clock signal. Each of the delay circuits 211 to 214 has an input and an output, each delay circuit consisting for example of a simple D-type synchronous flip-flop. The input of the first delay circuit 211 is connected to

  the output of the first subtraction circuit 205.

  The input of the second delay circuit 212 is connected

  at the output of the third storage device 203.

  The input of the third delay circuit 213 is connected to the output of the second delay circuit 212. The input of the fourth delay circuit 214 is connected to the

  output of the second subtraction circuit 206.

  A first k-bit shift register 221 has a serial input, a serial output and a parallel output. This first register 221 serves firstly as a buffer register for the words of A and secondly as a timer for k clock cycles for N. - A second k-bit offset register 222 has a serial input and a parallel output. This second register 222 serves firstly as a buffer register for the word No of the weakest weight of N and other

  share for an intermediate data Y0.

  A third multiplexer 223 is associated with the first register 221. The third multiplexer 223 has three inputs and one output, the output being connected to the input of the first register 221. One of the inputs of the third multiplexer 223 is connected. at the output of the first storage device 201. Another of the inputs of the third multiplexer is connected to the output of the first subtraction circuit 205. The last of the inputs of the third multiplexer 223 is

  connected to the output of the third delay circuit 213.

  A fourth multiplexer 224 is associated with the second register 222. The fourth multiplexer 224 has first and second inputs and an output, the output being connected to the input of the second register 222. The first input of the fourth multiplexer 224 is

  connected to the output of the third delay circuit 213.

  First and second latches 225 and 226 with a lock of k bits serve to memorize during the calculation on the one hand a word of A and on the other hand the word No of

  lowest weight of N or intermediate data Y0.

  Each of the flip-flops 225 and 226 has a parallel input and a parallel output, the inputs of the first and second flip-flops 225 and 226 being respectively connected to the parallel outputs of the flip-flops.

  first and second registers 221 and 222.

  An addition circuit 227, having two parallel inputs and a parallel output, has its two inputs respectively connected to the outputs of the first and second flip-flops 225 and 226. The output of the addition circuit 227 thus provides the sum of the

  contents of the first and second flip-flops 225 and 226.

  A selection device 228 is connected to the outputs of the first and second flip-flops 225 and 226 and to the output of the addition circuit 227 in order to be able to provide on a parallel output either the contents of the first flip-flop 225 or the contents of the second flip-flop 226, the sum of the contents of the first and second latches 225 and 226, or "zero". The selection device 228 further has first and second selection inputs which respectively receive a first selection signal SELA and a second selection signal SELY. When the first and second selection signals SELA and SELY are both at a "zero" logic level, then the output of the selection device 228 provides on its output the number "zero" encoded on k + 1 bits. When the first selection signal Il SELA is at a logic level "one" and the second selection signal SELY is at a logic level "zero", then the output of the selection device 228 provides on its output the contents of the first flip-flop 225. When the first selection signal SELA is at a logic level "zero" and the second selection signal SELY is at a logic level "one", then the output of the selection device 228 provides on its output the content of the second flip-flop 226. When the first and second selection signals SELA and SELY are both at a "one" logic level, then the output of the selection device 228 provides on its output the sum of the contents of the first and second

flip-flops 225 and 226.

  A fifth multiplexer 229, having two inputs and an output, has its output connected to the first selection input of the selection device 228. one of the inputs of the fifth multiplexer 229 is

  connected to the output of the first delay circuit 211.

  The other of the inputs of the fifth multiplexer 229 receives

a logical "zero"

  A sixth multiplexer 230, having first to third inputs and an output, has its output connected to the second selection input of the selection device 228. The first input of the sixth multiplexer 230 receives a logical "zero". The second input of the sixth multiplexer 230 is connected to the

  output of the third delay circuit 213.

  - An accumulator circuit 231 performs a double multiplication by successive addition of the words leaving the selection device 228. The accumulator circuit 231 comprises a parallel input connected to the output of the selection device 228, a serial input connected to the output of the fourth circuit delay 214, a result output and three outputs of internal values denoted I0 to I2. During each cycle of the coprocessor sequencing clock 200, the accumulator circuit adds a bit present at the serial input with a word present at the parallel input and with an internal result. The new result is then shifted to become a new internal result. A seventh multiplexer 233 has two inputs and one output. One of the inputs of the seventh multiplexer 233 is connected to the result output of the accumulator circuit 231. The output of the seventh multiplexer 233 is connected to the second inputs of the second multiplexer 233.

  storage devices 201 to 204.

  An AND gate 234 has first and second inputs and an output. The first input of the AND gate 234 is connected to the output of the first subtraction circuit 205. The second input of the AND gate 234 is connected to a conductor of the parallel output of the first flip-flop 225 which corresponds to the least significant bit.

  weaker of the word contained in the first flip-flop 225.

  - Exclusive OR gate 235 has first to fifth inputs and an output. A first input of the exclusive-OR gate 235 is connected to the output of the AND gate 234. a second input of the exclusive-OR gate 235 is connected to the output of the second subtraction circuit 206. the third to fifth inputs of the gate OR Exclusive 235 are respectively connected to the three internal value outputs of the accumulator circuit 231. - An eighth multiplexer 236 has two inputs and one output. One of the inputs of the eighth multiplexer 236 is connected to the serial output of the first register 221. The other of the inputs of the eighth multiplexer 236 is connected to the serial output of the first delay circuit 211. The output of the eighth multiplexer 236 is connected at the other entrance of

seventh multiplexer 233.

  A comparison circuit 232 having two inputs compares bit-by-bit the output from the accumulator circuit 231 with the data output in series from the eighth multiplexer 236. The result of the comparison is then transmitted to a management circuit (not shown) coprocessor 200. Figure 2 shows a data path between different functional elements. The path represented with the aid of the connection conductors and the various multiplexers can have many variants, the important thing being to ensure data exchanges between the different elements of calculation and storage. Some elements of Figure 2 do not exactly correspond to standard elements commonly used by those skilled in the art. Figures 3 to 7

  specify the structure of these different elements.

  FIG. 3 corresponds to one of the storage devices 201 to 204. The storage device 201 comprises two multiplexers 301 and 302 and

  m-th shift registers 303 also denoted Ri to Rm.

  The multiplexer 301 has first to fourth inputs and an output. The first and second inputs of the multiplexer 301 constitute the first and second inputs of the storage device 201. The third input of the multiplexer 301 receives a logical "zero". The first to mth registers 303 are k-bit shift registers which have a serial input and a serial output. The inputs from the first to the mth registers 303 are connected together

at the output of the multiplexer 301.

  Multiplexer 302 has first to mth inputs and an output. The first m-th inputs of the multiplexer 302 are respectively connected to the outputs of the first to mth registers 303. The output of the multiplexer 302 is connected to the fourth input of the multiplexer 302.

multiplexer 301.

  Control signals (not shown) serve to select the inputs of the multiplexers 301 and 302 and to validate the offset independently in each of the registers 303. When it is desired to store a data item of m * k bits in the storage device 201, said data is stored by word of k bits in each of the registers 303. To store the data, it suffices to carry out k offsets of the first register 303, then k offsets of the second register 303 and so on up to n register 303, the multiplexer 301

  selecting the source of the data.

  To provide data coded on m * k bits, it is sufficient to shift one after the other the registers

  303 in the order of storing the data.

  The looping of the output of the multiplexer 302 on the fourth input of the multiplexer 301 makes it possible to enter in one of the registers 303 the k-bit word which is output simultaneously. This looping ensures the storage of data that is output for multiple uses. As can be seen it is possible to use independently any word of

  k bits of a data item comprising several words of k bits.

  It is also possible to enter a k-bit word in one of the registers 303 while

  k-bit word of another 303 registers.

  Figure 4 shows the first (or second) subtraction circuit 205 (or 206). The subtraction circuit 205 comprises two inverters 401 and 402, an elementary adder and two latches 404 and 405 of type D storage connected by a technique

  known as shown in Figure 4.

  This subtraction circuit 205 produces a systematic delay of a clock cycle on the data passing therethrough. The second delay circuit 212 serves to compensate for the delays produced on the data coming out of the third storage device 203. Similarly, the delays on the output of the first storage device 201 could also be compensated. However, the outgoing data of the first memory device 201 do not need to be synchronize

with the other data.

  The use of subtraction circuit 205 as shown in Figure 4 also eliminates the first, third and fourth delay circuits 211, 213 and 214. Indeed, the latch 404 produces an identical delay. It is sufficient to extract the signal at the input of the flip-flop 404 and to invert it to obtain the next outgoing bit. A disadvantage is not to have a stable signal from the active edge of the clock signal. For systems operating with a low clock frequency, this saves three D flip-flops. The circuit of FIG. 5 represents the comparison circuit 232 in detail. The comparison circuit 232 corresponds to a subtraction circuit on which the stored hold is extracted and the data which arrives at the first input of the subtraction circuit, the subtraction circuit being obviously simplified. The stored hold is reversed and then enters a logical OR with the data present on the first entry. The output of the logical OR when all the data is entered in the comparison circuit 232 allows to know which of the two data is greater than the other. The result is

stored in a D flip-flop 501.

  D flip-flop 501 has a data input, a clock input, a forcing input at "one",

  a "zero" forcing input, and an output.

  The data input receives the data output from the logical OR, the clock input receives a load signal LD whose rising edge corresponds to the moment when it is desired to obtain the result of the comparison. The "one" and "zero" forcing inputs receive prepositioning signals ST and RST to initialize the comparison circuit 232. The output of the flip-flop 501 is connected to a device of FIG.

  sequencing (not shown) of the coprocessor 200.

  FIG. 6 represents an element of the selection device 228. The selection device comprises k + 1 elements of this type. This element consists of three AND gate 601 to 603 with three inputs, two AND gates 601 and 603 having an inverting input, and an OR gate 604 with three inputs. The role of this element is the same as that of a four-input multiplexer whose fourth input receives a logical "zero". In the selection device 228, the element corresponding to the most significant bit comprises only the central AND gate 602 because the first and second latches 224 and

225 only have k bits.

  FIG. 7 represents an assembly constituted by the accumulator circuit 231 and the selection device 228. The assembly thus constituted produces two multiplications with the addition of the two products and the addition of another serial datum. If we call LATCHA the data present in the first latch 225, LATCHY the data present in the second flip-flop 226, SELA the data arriving in series on the first selection input of the selection device 228, SELY the data arriving in series on the second selecting input of the selection device, ES the data arriving in series on the serial input of the accumulator 231, and RES the result coming out of the accumulator 231, then the following operation is carried out:

  RES = (SELY * LATCHY) + (SELA * LATCHA) + ES

  The structure of the accumulator circuit 231 corresponds to a standard battery structure. Said circuit 231 comprises: from first to kth accumulation latches 701 to 704, for example of type D, each having a data input and an output, the data input of the first flip-flop 701 being connected the driver with the strongest weight (that is to say, weight k) of the parallel output of the selection device 228; from first to (k + 1) second latch latches 705 to 709, for example of type D, each having a data input and an output; a result latch 710, for example of type D, having a data input and an output, the output of this result flip-flop corresponding to the output of the accumulator 231; - from first to (k + 1) -theaders 711 to 715 standard (or full adder) each having first to third inputs, a result output, and a carry output, the first inputs of the first to k-th adders 711 to 714 being connected to the selection device 228 for respectively receiving the bits of weight k-1 to 0, the second inputs of the first to k-th adders 711 to 714 being respectively connected to the outputs of the first to k- the second input of the (k + 1) adder 715 being connected to the output output of the k-th adder 714, the second input of the corresponding (k + 1) adder 715 at the serial input of the accumulator 231 which receives the data ES, the third inputs of the first to (k + 1) -th adders 711 to 715 being respectively connected to the outputs of the first to (k + 1) th flip-flops of hold 705 to 7 09, the result outputs of the first through (k-1) th adders 711 to 713 being respectively connected to the data inputs of the second to kth accumulating latches 702 to 704, the result output of the (k + 1 the second adder 715 being connected to the input of the result latch 710, the retaining outputs of the first to (k + 1) th adders 711 to 715 being respectively connected to the data inputs of the first to (k + 1 The second internal latches 705 to 709. The internal outputs I0 to I2 respectively correspond to the retaining outputs of the k + l-th and k-th adders 715 and 714 and to the output of

  result of the (k-1) th adder 713.

  In practice, the restraint, accumulation and result latches 701 to 710 comprise

  also clock entries and forcing at zero.

  All clock inputs of said flip-flops 701 to 710 are connected together and receive the same clock signal. Likewise, all zero forcing inputs are connected together to be reset simultaneously before each calculation. These entries are not shown so as not to overload the drawings unnecessarily. The operation of the device described in this Figure 7 is relatively simple. During each cycle of the clock signal which synchronizes the coprocessor, one successively adds either LATCHA, LATCHY or LACHA + LATCHY, or zero with the contents of the latches 705 to 709 and with the bit coming from the data ES to the contents of the accumulation latches 701 to 704, the word contained in the accumulation latches 701 to 704 being shifted successively, so that the bit contained in the flip-flop of result 710 corresponds to the bit that comes out of

the accumulator 231.

  Before starting a calculation, all the accumulation, holding and result latches 701 to 710 are reset. Then, the double multiplication is then carried out by simultaneously shifting the data SELA, SELY and ES to each cycle of the clock signal. The bits of SELA and SELY determine which data (s) among LATCHA and LATCHY should be accumulated (see the operation of the selection device 228). When all the bits of the data SELA and SELY have been shifted (ie after m * k clock cycles), "0" (during k + 1 clock cycles) are provided in place of the data SELA, SELY and ES in order to get out the end of the result still contained in the

accumulation latches 701 to 704.

  If these data are coded on different numbers of bits, each data must be completed.

using "0".

  Now that the structural description and

  the coprocessor component elements have been made, it is now necessary to explain the overall operation of the coprocessor. The explanations that follow will enable the skilled person to synchronize globally the coprocessor to obtain the desired operations. Subsequently, we use the data A, B and N which are non-zero integers coded on respectively a * k, b * k and n * k bits, with a, b and n non-zero integers less than m. In

  At first, we consider N odd.

  Elementary operation Pfield (A, B) N = A * B * I mod N: A) Initialization of the coprocessor: - The data A, B, N are respectively loaded in the first to third storage devices 201 to 203; Zeros are loaded in the fourth storage device 204, the data being called S (-1); - The comparison device 232 is initialized so that the last comparison indicates that N is greater than

S (-1).

  B) Repetition of the following computation loop at a time, with i an index varying from 0 to al: B1). The lower-most i-word A i is simultaneously loaded with A in the first register 221 and the word No of the weight. weaker N in the

second register 222.

  B-2) Then, the words Ai and No respectively are loaded simultaneously in the first and second flip-flops 225 and 226. B-3) The subtraction circuits 205 and 206, the delay circuits 211 to 214, the subtraction circuits are initialized to zero. first register 221 and all

  latches 701 to 710 of the accumulator 231.

  B-4) The words B, N and S (i-1) contained in the second to fourth storage devices 202 to 204 are simultaneously shifted by two units, zeros being provided on the first and fourth

  second inputs of the selection device 228.

  B-5) Successive shifts are performed on the second to fourth storage devices 202 to 204 on the first and second registers 221 and 222. The output of the exclusive-OR gate 235 successively supplies the k bits of a data Y0, with Y0 = ((S (i-1) + Ai * B) * J0) mod 2k, J0

  being defined by the equation ((N * Jo) +1) mod 2k = 0.

  The output of the Exclusive OR gate is connected firstly to the input of the second register 222 and secondly to the second selection input of the selection device 228. The data B is supplied to the first selection input of the selection device. The input of the first register 221 receives bit by bit the word N of low weight of N. The serial input of the accumulator receives S (i-1) if the last comparison indicates that S (i-1) <N, or receives S (i-1) -N if the last comparison indicates that S (i-1) 2 N (the subtraction taking place in the second subtraction circuit 206). The output of the accumulator 231 provides k bits equal to zero

which are not memorized.

  B-6) The contents of the second register 222 are transferred

  equal to Y0 in the second flip-flop 226.

  B-7) Successive shifts are made (n-l) * on the second to fourth storage devices 202 to 204 and on the first register 221. The data B is supplied to the first selection input of the selection device. The n-1 words N1 to Nn-1 of most significant of N are provided bit by bit on the one hand at the input of the first register o10 221 and secondly on the second input of

  selection of the selection device 228.

  The serial input of the accumulator circuit 231 receives S (i-1) if the last comparison indicates that S (i-1) <N, or receives S (i-1) - N if the last comparison indicates that S (il) 2 N (the subtraction taking place in the second subtraction circuit 206). The output of the accumulator circuit 231 supplies the (n-1) * k least significant bits of S (i) which are stored

  in the fourth storage device 204.

  The (n-1) * k least significant bits of S (i) are compared with the (n-1) * k least significant bits

  N in the comparison circuit 232.

  B-8) k + 1 successive offsets are performed on the fourth storage device 204 and on the first register 221. The first and second selection inputs of the selection device 228 receive zeros to be able to supply the k most significant bits of S (i) and finish the comparison of S (i) with N. The result of the comparison is stored for the next iteration. C) At the end of the last iteration, the result S (a1) stored in the fourth storage device undergoes a new subtraction of N if S (a-1) 2 N. The subtraction is carried out by simultaneous shift of S (a-1) and N in the second subtraction circuit 206. To recover the result of the subtraction, zeros are supplied to the selection inputs of the selection device 228 in order to make transparent the accumulator circuit 231. The skilled person can notice that the calculation data J0 is no longer calculated. In fact, the connections made on the inputs of the exclusive OR gate make it possible to directly calculate Y0 with an offset

  of a clock cycle with respect to the calculation of S (i).

  Similarly, one skilled in the art can notice that one begins the calculation with No in the second flip-flop 222 and that No is replaced by Y0. The result is exactly the same as if we had Y0 in the second flip-flop 222 supplying N in series on the second

  selection input from the beginning of the calculation.

  Those skilled in the art can remark that advantageously the first register 221 is used on the one hand to transfer a word in the first flip-flop 225, and

  on the other hand to delay N of k clock cycles.

  Modular Multiplication: To perform a modular multiplication, it is sufficient to perform two Pfield elementary operations by introducing an error correction parameter H. We thus do either Pfield (H, Pfield (A, B) N) N, or Pfield (A, Pfield (H, B) N) N, with H = 2 (a + n) * k mod N. Calculation of Ac mod N We put C an integer coded on c bits and whose bit of weight 2c1 is equal to 1. We consider that A and N are encoded on the same number of bit equal to n * k bits. If A is smaller than N, then we complete A with

zeros in most significant bits.

  a) calculating H = 22 * n * k mod N. b) calculating R (1) = Pfield (H, A), and storing R (1) in the first and second storage devices 201 and 202, the the contents of the first device 201 being called A, and the second device content 202 being called B. c) a loop indexed by an index i ranging from 2 to c: cl is performed. A Pfield (B, B) N operation is performed. , loading the words of B in place of the words of A in step B-1. The result is stored in

  the second storage device 202.

  c-2) If the weight bit 2c-i of C is equal to 1 then Pfield (A, B) N is also performed, and the result is stored in the second device

memorizing 202.

  d) We load "1" coded on n * k bits in the first

storage device 201.

  e) Perform a Pfield (l, B) N operation to obtain the

final result.

  Calculation of H = 2 (n + p) * k mod N, where p is an integer To perform the calculation of H, a portion of the elements of the coprocessor 200 are neutralized. The fifth multiplexer 229 is set to provide "zero" on its exit. A data item equal to "1" coded on k bits is loaded into the second flip-flop 226. The sixth multiplexer 230 is positioned to connect the output of the third delay circuit 213 to the second selection input of the selection device 228. The eighth multiplexer 236 is positioned to connect the input of the comparator 232 to the output of the first delay circuit 211. The resulting set of these different neutralizations converts the coprocessor 200 into a circuit for calculating H by successive subtractions. Such a circuit is described in European Application No. 601907.

Claims (8)

  An integrated circuit comprising a coprocessor (200) of modular arithmetic comprising: - storage means (201 to 204) for storing and supplying in series first and second operands A and B, a modulo N and a result S, with An integer coded on a * k bits, where a is a non-zero integer at most equal to m, and with B, N and S which are integers coded on at most m * k bits, m and k being integers greater than 1; computing means for performing modular operations according to the Montgomery method, characterized in that the computing means comprise: - a circuit (234, 235) for calculating an intermediate data Y0; a first flip-flop (225) of k bits for storing a word Ai of k bits of A; a second flip-flop (226) of k bits for storing either the least significant word of N or Yo; - an addition parallel circuit (227) connected to add the words contained in the first and second flip-flops (225, 226); a selection device (228) coupled to the outputs of the first and second flip-flops (225, 226) and the parallel addition circuit (227) for providing on a parallel output the word contained in the first flip-flop (225), either the word contained in the second flip-flop (226), or the sum of the words contained in the first and second flip-flops (225, 226), or "zero", as a function, on the one hand, of a bit of B, and on the other hand, either a bit of Y0 or a bit of N; an accumulator circuit (231) which adds, shifts by one bit and stores the words successively supplied by the selection device (228) with a bit of an updated result S, the bits leaving the accumulator circuit (231) becoming a new updated result. 2. Circuit according to claim 1, characterized in that the calculation means comprise a first register (221) with a shift of k bits to receive on the one hand a word of k bits of A and transmit said word in parallel to the first flip-flop (225) and on the other hand N   to delay N of k cycles of a clock signal.   Circuit according to Claim 1, characterized in that the circuit for calculating the data Y0 consists of a five-input exclusive OR gate (235) which receives a first data item from a logical AND gate ( 234) between the least significant bit of the word of A present in the first flip-flop (225) and the next bit of B to be supplied to the selection device (228), a second datum corresponding to the next bit of S to be supplied to the accumulator circuit (231), and third to fifth data which correspond to values   internals of the accumulator circuit (231).   4. A method for performing a modular operation according to the Montgomery method by series shift of first and second operands A and B, a modulo N and an updated result through calculation means, with A an integer coded on a * k bits, a being a non-zero integer at most equal to m, and with B, N and S being integers coded on at most m * k bits, m and k being integers greater than 1, characterized in that it comprises the repetition of the following steps, i being an index varying from 0 to m-1: storing a word Ai of k bits corresponding to a word of weight i of A in a first flip-flop (226) of k bits ; calculating an intermediate data Y0 such that Yo = ((S (i-1) + (Ai * B)) * J0) mod 2k, with S (i-1) corresponding to (i-1) an updated result, S (-1) being equal to 0, and OJ being a word of k bits solving the equation ((J0 * N) + 1) mod 2k = 0; storing the word of k least significant bits of N and then Y0 in a second flip-flop (226) of k bits; adding in a parallel addition circuit (227) the words contained in the first and second latches (225, 226); selecting and supplying either the word contained in the first flip-flop (225) or the word contained in the second flip-flop (226), or the sum of the words contained in the first and second flip-flops (225, 226), or "zero ", as a function of a bit of B, and secondly of a bit of Y0 or a bit of N; Successive additions in an accumulator circuit (231) of the words supplied by the selection device (228) for each pair of bits of B and N, the result of each addition being added to a bit of the previous updated result S (i). 1) then shifted by one bit and stored between each addition, the bit coming out of the accumulator (231) during the shift corresponding to a new updated result S (i).   5. Method according to claim 4, characterized in that a comparison is made of the output of the accumulator (231) with N delayed by k cycles of a clock signal, and in that one uses the same first register (221) with a shift of k bits to delay N and to be able to load the words Ai in the first flip flop (225).   6. Method according to one of claims 4 or 5,   characterized in that the memorization of a word Ai in the first flip-flop (225) is effected by k offsets of the word Ai in the first register (221) and then parallel loading in the first flip-flop (225) after the word Ai has been loaded in full in the first register (221).   7. Method according to one of claims 4 to 6,   characterized in that the calculation of each bit of the intermediate data Y0 is carried out one clock cycle   before we need that each bit.   8. The method according to claim 4, wherein the following steps are performed: A) initialization of the coprocessor: loading of the data A, B, N respectively in first to third storage devices (201 to 203);   - loading zeros in a fourth storage device (204), the data being called S (-1); initializing a comparison device (232) so that a last comparison indicates that N is greater than S (-1); B) repetition of the next loop with i, an index varying from 0 to a-1: B1) simultaneous loading of the i-th least significant word Ai of A in a first register (221) of k bits and the word The lowest weight number of N in a second register (222) of k bits; B-2) then, simultaneous loading of the words Ai and No respectively in the first and second latches (225, 226); B-3) initializing the subtraction circuits (205, 206), the delay circuits (211 to 214), the first register (221) and the accumulator circuit (231); B-4) simultaneously shifting the words B, N and S (i-1) contained in the second to fourth storage devices (202 to 204), zeros being provided to the selection device (228);   B-5) performing k successive offsets on the second to fourth storage devices (202 to 204), on the first and second registers (221, 222), computing means successively supplying the k bits of the data Y0 d ' a part to the second register (222) and secondly to the selection device (228), the data B being also supplied to the selection device (228), the first register (221) receiving bit by bit the word No of k least significant bits of N, the accumulator (231) receiving in series S (i-1) if the last comparison indicates O10 as S (i-1) <N, or receiving in series S (i-1) - N if the last comparison indicates that S (i-1) 2 N; B-6) transferring the contents of the second register (222) equal to Y0 in the second flip-flop (226); B-7) performing (nl) * k successive offsets on the second to fourth storage devices (202 to 204) and on the first register (221), the data B being supplied to the selection device (228), the n -1 words N1 to Nn-1 of k most significant bits of N being supplied bit by bit on the one hand to the first register (221) and on the other hand to the selection device (228), the accumulator (231) receiving in series S (i-1) if the last comparison indicates that S (i-1) <N or receiving in series S (i-1) - N if the last comparison indicates that S (i-1) 2 N, l accumulator (231) supplying the (n-1) * k least significant bits of S (i) which are stored in the fourth storage device (204), the (nl) * k least significant bits of S (i) ) being compared with the (nl) * k least significant bits of N in the comparison circuit (232);   B-8) performing k + 1 successive offsets on the fourth storage device (204) and on the first register (221), in order to be able to memorize the k most significant bits of S (i) and to finish the comparison of S ( i) with N, the result of the comparison being stored for the next iteration.