Abstract: One embodiment of the present invention provides a system that performs modular division. This system contains a number of registers, including: a register A that is initialized with a value X; a register U that is initialized with a value Y; a register B that is initialized with a value M; and a register V that is initialized with a value 0. The system also includes a temporary register H, and a temporary register L. An updating mechanism is configured to iteratively reduce the contents of registers A and B to a value of one by applying a plurality of operations to registers A, B, U and V. During operation, this updating mechanism temporarily stores A+B in the temporary register H, and temporarily stores U+V in the temporary register L.

Abstract: A general finite-field multiplier and the method of the same are disclosed for the operation of the finite-field multipliers of various specifications. In the multiplier, AND gates and XOR gates are used as primary components, and the inputs include two elements A and B to be multiplied and the coefficients of a variable polynomial p(x). This multiplier can be applied to the finite-field elements of different bit number. After all the coefficients of the A, B and p(x) are input, the values of a desired C can be obtained rapidly. Since the output values are parallel output, the application is very convenient. Furthermore, the multiplier can be used in the RS chip for different specifications.

Abstract: A circuit for the implementation of modular multiplication of numbers comprises an alternative formation of the algorithm first proposed by R. C. Montgomery. The modified Montgomery algorithm is implemented in one of a plurality of circuits comprising full adders, half adders, registers and gates.

Abstract: An improved apparatus and method for modular multiplication and exponentiation to achieve efficient computation involved in Montgomery multiplication is provided. Currently employed conventional iteration methods involve carry look-ahead additions. To overcome the time taken by carry look-ahead additions, there is thus provided, in accordance with a preferred embodiment of the present invention, an apparatus and method for separately storing and tracking the sum and the carry of the addition involved in Montgomery multiplication. In such a manner, the present invention achieves fast addition times since they are not dependent on the time to compute the carries. As a result, the iterations are carried out much faster than previously possible. By representing the value A in the Montgomery multiplication algorithm with a redundant notation, the sum and the carry of the addition are separately stored and tracked, thereby avoiding the delays involved in the computation of the carries.

Abstract: One embodiment of the present invention provides a system that performs modular division. This system contains a number of registers, including: a register A that is initialized with a value X; a register U that is initialized with a value Y; a register B that is initialized with a value M; and a register V that is initialized with a value 0. The system also includes a counter CA that indicates an upper bound for the most-significant non-zero bit of register A. It also includes a counter CB that indicates an upper bound for the most-significant non-zero bit of register B. The system additionally includes a temporary register H, and a temporary register L. An updating mechanism is configured to iteratively reduce the contents of registers A and B to a value of one by applying a plurality of operations to registers A, B, U and V. During operation, this updating mechanism temporarily stores A+B in the temporary register H, and temporarily stores U+V in the temporary register L.

Abstract: A random number generating unit generates a random number t. An elliptic curve setting unit defines an elliptic curve E: y^2=x^3?3x+t. An elliptic curve finitude judging unit judges whether orders m1 and m2 of respective elliptic curves Ep1 and Ep2 produced by reducing the elliptic curve E on a rational number field modulo primes p1 and p2 are relatively prime. An elliptic curve order computing unit computes an order of the elliptic curve E. An elliptic curve condition judging unit judges the security of the elliptic curve E based on the computed order.

Abstract: A microprocessor (10) comprises a compiler (4), which, for a source program including an integer division q=int(a÷b)(int( ) is a function discarding figures below decimal point in parentheses) for dividing integer a, expressed in N bits, by integer constant b, causes a computer to execute a first process for calculating mb=int(m÷b) (where m=2N), and a second process for generating an object code, which stores the mb in a first register (24), calculates qx=int(a×mb÷m), calculates rx=a?qx×b, set a quotient q to q=qx when rx<b, or q=qx+1 when rx>=b; and a microprocessor having an arithmetic circuit (11), which comprises the first register, a multiplier (14), and an adder-subtractor (16), and which executes the object code generated by the compiler.

Abstract: A fast, scalable, systolic modular multiplier is presented. Linear throughput scalability with respect to consumed hardware resources is achieved through simultaneous parallel processing of multiple independent data streams. Optimal clock rates are attained by virtue of systolic properties of limited fan-out of all signal paths and nearest neighbor interconnections. Signal sharing among input and output busses and a common control interface for all independent data streams is made possible, thus benefiting integrated circuit implementations.

Abstract: A modulo mi adder and a modulo mi,j scaling unit for use with an RNS. The adder includes a modulo mi barrel shifter, and a dynamic storage unit coupled to the barrel shifter to store the output of the barrel shifter. In a preferred embodiment, the dynamic storage unit includes one dynamic latch for each output line of the barrel shifter, with each of the dynamic latches including a clocked inverter in cascade with an inverter. One modulo mi,j scaling unit includes a modified modulo mi barrel shifter that performs both residue conversion and an arithmetic operation. The residue conversion is performed without using combinational logic. In one preferred embodiment, the modified barrel shifter performs the residue conversion though mi-mj additional columns that replicate normal columns for all modulo mi input lines that are congruent modulo mj.

Abstract: A fast, parallel modular multiplier is presented which is scalable according to available hardware resources. Linear throughput increases with respect to consumed resources is achieved. Multiple independent data streams may be processed simultaneously, and optimal clock rates are attained by virtue of limited fan-out of all signal paths and nearest neighbor interconnections. Integrated circuit implementation is benefited by the potential for signal sharing among input and output busses and a common control interface for all independent data streams.

Abstract: In an inverse calculation, x is road out of a storage means, [x/2] is calculated and stored therein as b, a lent significant bit of b is stored as a, [(ax+b)/2] is calculated and stored as updated b, and low-order two bits of x are stored as y. Then, for i=1, 2, . . . , n?1, by is calculated, a is updated with ?by, [(b+ax)/(2^(2i))] is calculated and stored as updated b, and y+a2^(2i) is calculated and stored as updated y, where y is road out as the result of inverse calculation.

Abstract: A method for calculating greatest common divisors uses an approximate division in its reduction step. The result of this approximate division is then compared to determine if it is valid. If not, then the method applies a correction to the first approximate division to determine corrected values that have a reduced number of bits. If, during this correction step, the result is again not valid, then another method is applied to reduce the number of bits in the values. The approximate division is applied only when the number of significant bits in the two values differ by at least a predetermined number. When the number of bits in the two values differ by less than this number, an alternative GCD algorithm is applied but only to reduce the number of bits in the intermediate values.

Abstract: A method for power reduction and increasing computation speed for a Montgomery modulus multiplication module for performing a modulus multiplication. A coding scheme reduces the need for an adder or memory element for obtaining multiple modulus values, and the use of carry save addition with carry propagation addition increases the computational speed of the multiplication module.

Abstract: The present invention provides a method for performing a point doubling operation with only one modular division and no multiply per operation. As a result, the invention reduces the number of mathematical operations needed to perform point doubling operations in elliptic curve computation. An elliptic curve cryptosystem using the present invention can be made to operate more efficiently using the present invention. An elliptic curve crypto-accelerator can be implemented using the present invention to dramatically enhance the performance of the elliptic curve cryptosystem. The invention derives the slope of a curve independently of the y-coordinate. By avoiding the calculation of the y term, one additional multiply is eliminated from each point-doubling operation. Using the invention, n consecutive point doublings can be reduced to n modular divisions and 1 multiply. This avoids the 2n multiplies of prior art approaches.

Abstract: Montgomery exponentiators and methods modulo exponentiate a generator (g) to a power of an exponent (e). The Montgomery exponentiators and methods include a first multiplier that is configured to repeatedly square a residue of the generator, to produce a series of first multiplier output values at a first multiplier output. A second multiplier is configured to multiply selected ones of the series of first multiplier output values that correspond to a bit of the exponent that is binary one, by a partial result, to produce a series of second multiplier output values at a second multiplier output. By providing two multipliers that are serially coupled as described above, Montgomery exponentiation can be accelerated.

Abstract: In a modular arithmetic apparatus including a plurality of product-sum circuits having a modular arithmetic function and parallelly arranged, and a correction term calculation unit for calculating a correction term to be used for modular arithmetic operation in the product-sum circuits, the correction term calculation unit sequentially calculates the correction term in units of bits, and each of the product-sum circuits sequentially reflects the correction term calculated by the correction term calculation unit and performs base conversion or base extension.

Abstract: The modular exponentiation function used in public key encryption and decryption systems is implemented in a standalone engine having at its core modular multiplication circuits which operate in two phases which share overlapping hardware structures. The partitioning of large arrays in the hardware structure, for multiplication and addition, into smaller structures results in a multiplier design which includes a series of nearly identical processing elements linked together in a chained fashion. As a result of the two-phase operation and the chaining together of partitioned processing elements, the overall structure is operable in a pipelined fashion to improve throughput and speed. The chained processing elements are constructed so as to provide a partitionable chain with separate parts for processing factors of the modulus. In this mode, the system is particularly useful for exploiting characteristics of the Chinese Remainder Theorem to perform rapid exponentiation operations.

Abstract: A document or message is protected against forgery or repudiation by processing a selected part or parts of the text of the document or message to form a hash, usually of fewer characters than the selected part or parts of the text. The processing comprises retrieving numerical values which define the respective characters of the selected part or parts of the text and making a calculation using the numerical values of the successive characters. Preferably the hash is added to the text.

Abstract: The invention provides a method for performing modular division adapted for division in integer fields. Integer modular divisions are used in the computation of Elliptic Curve digital signature generation and verification. The algorithm can be implemented to provide division in integer fields completed in 2(m−1) steps. This method provides a solution to the elliptical curve cryptosystems based on prime integer fields.

Abstract: A method for calculating greatest common divisors and modular inverses using the extended Jebelean GCD algorithm keeps track of the number of times that U3 and V3 have been divided by two in the process of calculating the greatest common divisor and correct the modular inverse for these divisions. The shifting of the binary values representing U3 that occurs during the calculation of the GCD is accomplished by changing the position of respective pointers to bit positions in the binary values rather than implementing a shifting operation.

Abstract: The modular exponentiation function used in public key encryption and decryption systems is implemented in a standalone engine having at its core modular multiplication circuits which operate in two phases which share overlapping hardware structures. The partitioning of large arrays in the hardware structure, for multiplication and addition, into smaller structures results in a multiplier design comprising a series of nearly identical processing elements linked together in a chained fashion. As a result of the two-phase operation and the chaining together of partitioned processing elements, the overall structure is operable in a pipelined fashion to improve throughput and speed. The chained processing elements are constructed so as to provide a partitionable chain with separate parts for processing factors of the modulus. In this mode, the system is particularly useful for exploiting characteristics of the Chinese Remainder Theorem to perform rapid exponentiation operations.

Abstract: Techniques are provided for performing modular arithmetic on a key composed of many bits. One circuit implementation includes a distributor, one or more lookup tables and a plurality of adders. The distributor segments the key into a plurality of partitions. Each partition is based on a polynomial expression corresponding to a fixed size key. Each of the bits contained within the partitions are routed on a partition basis to one or more lookup tables, the routed bits acting as indices into the one or more tables. The lookup tables store precomputed values based upon the polynomial expression. The outputted precomputed values from one or more lookup tables are outputted to the plurality of adders. The plurality of adders add the bits from a portion of the routed partitions and the outputted precomputed values from the one or more lookup tables to form the binary residue.

Abstract: This invention discloses apparatus and methods for accelerating processing, loading and unloading of data, from and to a plurality of memory addresses in a CPU having an accumulator, and to a memory-mapped coprocessing device for continuous integer computations.

Abstract: Processing exponents with a square-and-multiply technique that uses a flexible number of bits in the multiply stages. Multiple bits of the exponent can be handled in a single multiply operation, thus reducing the total number of multiply operations required to raise a number to a specified power. By examining prior and subsequent bits in the exponent in addition to the current bit, the quantity of bits that are handled in a particular multiply operation can be adjusted to the particular pattern of 1's and 0's in the exponent.

Abstract: A technique for modular reduction of multi-precision numbers involves providing a table of pre-computed residues and reducing a large number to smaller modular equivalent using the table.

Abstract: A linear systolic array Montgomery multiplier circuit that concurrently processes two separate Montgomery multiplications on alternate clock cycles, without a requirement to have any common parameters between the two multiplications. Multiples of two different parameters are stored in storage elements for each multiplication. Two sets of these multiples, one set for each of the two multiplications, are stored in separate storage banks and accessed on alternate clock cycles by each processing element in the array. Two sequences of control codes for the two multiplications are interleaved as they are fed into a first processing element.

Abstract: Apparatus for determining a remainder of a modulo division of a binary number made up of a string of bits, including a first plurality of substantially similar cells coupled in a linear sequence, the first plurality of cells including at least a first cell and a last cell. Each cell of the first plurality includes a second plurality of binary input terminals, the input terminals of the first cell being coupled to receive a pre-determined input, and a second plurality of binary output terminals, each coupled, except for the output terminals of the last cell, to a respective one of the input terminals of a subsequent cell in the sequence. Each cell of the first plurality further includes a control input terminal, coupled to receive one of the bits in the string corresponding to a position of the cell in the sequence. The remainder is generated at the output terminals of the last cell in the sequence.

Abstract: A method of factoring numbers in a non-binary computation scheme and more particularly, a method of factoring numbers utilizing a digital multistate phase change material. The method includes providing energy in an amount characteristic of the number to be factored to a phase change material programmed according to a potential factor of the number. The programming strategy provides for the setting of the phase change material once for each time a multiple of a potential factor is present in the number to be factored. By counting the number of multiples and assessing the state of the phase change material upon execution of the method, a determination of whether a potential factor is indeed a factor may be made. A given volume of phase change material may be reprogrammed for different factors or separate volumes of phase change material may be employed for different factors.

Abstract: A method and a circuit for masking digital data handled by an algorithm and factorized by a residue number system based on a finite base of numbers or polynomials prime to one another, comprising making the factorization base variable.

Abstract: The invention relates to a method for speeding up the time required to perform a Montgomery product calculation by applying the High-Radix Montgomery method on computing hardware. A loop of operations (72) is performed consisting in repeating successive operations, i.e.: a first addition operation (76) involving the addition of a value of one of several first products, designated <o>ai</o>.<o>b</o>, and a value of one variable, designated u, according to a first relationship u:=u+<o>ai</o>.<o>b</o>; and a second addition operation (80) involving the addition of a value of one of several second products, designated m.n, and a value of variable u according to a second relationship u:=u+m.n. At least the first and second addition operations are Carry-Save addition operations in order to speed up the time required to perform an addition.

Abstract: In a modular arithmetic apparatus including a plurality of product-sum circuits having a modular arithmetic function and parallelly arranged, and a correction term calculation unit for calculating a correction term to be used for modular arithmetic operation in the product-sum circuits, the correction term calculation unit sequentially calculates the correction term in units of bits, and each of the product-sum circuits sequentially reflects the correction term calculated by the correction term calculation unit and performs base conversion or base extension.

Abstract: A method and device are provided that allow computation of multiple modulus conversion (MMC) outputs using little or no division operations. Instead of division operations, multiplication and logical shift operations are used to produce pseudo-quotients and pseudo-remainders, which may be corrected in a final step to produce correct MMC outputs. This allows for more efficient implementation, since division is typically less efficient than multiplication and logical shift. The method and device operate on MMC inputs that may be partitioned into sub-quotients of varying numbers of digits in any numbering system. The multiplication and logical shift operations are performed on each of the sub-quotients according to a procedure derived from long-division techniques.

Abstract: Montgomery multipliers and methods modular multiply a residue multiplicand by a residue multiplier to obtain a residue product, using a scalar multiplier, a first vector multiplier and a second vector multiplier. A controller is configured to control the scalar multiplier, the first vector multiplier and the second vector multiplier, to overlap scalar multiplies using a selected digit of the multiplier and vector multiplies using a modulus and the multiplicand. The scalar multiplier is configured to multiply a least significant digit of the multiplicand by a first selected digit of the multiplier, to produce a scalar multiplier output. The first vector multiplier is configured to multiply the scalar multiplier output by a modulus, to produce a first vector multiplier output. The second vector multiplier is configured to multiply a second selected digit of the multiplier by the multiplicand, to produce a second vector multiplier output.

Abstract: An integer Z101 is divided by an integer I102 to obtain a remainder R109. The integer I102 includes a polynomial of power of a basic operational unit of a computer. In this way, the integer I for divisor is limited based on the basic operational unit of the computer, thus a shift operation, which is required for a conventional operation method, can be eliminated. The remainder can be calculated by only addition and subtraction. Accordingly, a code size becomes compact and the remainder of the integer can be calculated at a high speed.

Abstract: A fast, scalable, systolic modular multiplier based on functional array partitioning and high-radix modular reduction is presented. Systolic paradigms of limited fan-out on all signal paths and nearest neighbor interconnections guarantee optimally fast clock rates. Linear throughput scalability with respect to consumed hardware resources is achieved through simultaneous parallel processing of multiple independent data streams. Signal sharing among input and output busses and a common control interface for all independent data streams is made possible, thus benefiting integrated circuit implementations. Reductions in number of delay registers and required number of independent data streams for a given throughput requirement are achieved when interconnection delay does not dominate over processing element delay.

Abstract: In a modular arithmetic apparatus including a plurality of product-sum circuits having a modular arithmetic function and parallelly arranged, and a correction term calculation unit for calculating a correction term to be used for modular arithmetic operation in the product-sum circuits, the correction term calculation unit sequentially calculates the correction term in units of bits, and each of the product-sum circuits sequentially reflects the correction term calculated by the correction term calculation unit and performs base conversion or base extension.

Abstract: A coprocessor (200) is proposed, using a single multiplication circuit (228 and 231) coupled to a computation circuit (240) dedicated to the computation of Y0, with Y0=(X*J0)mod 2k, J0 being defined by the equation ((N*J0)+1)mod 2k=0. The computation of Y0 is done bit by bit, during one half-cycle of a clock signal before the use of each bit. A method is also proposed for the computation of a modular operation using the circuit (240) for the computation of Y0.

Abstract: An emod operation is a computational substitute for a traditional modulus operation, one that is computationally less expensive but also less precise. Where a modulus operation may be defined for some base number n, the emod operation determines a modulus of an operand using a “phantom modulus,” one that is an integer multiple of n. The phantom modulus is chosen to make emod calculations computationally inexpensive when compared to a modulus operation. Thus, the emod operation is particularly useful for multiplications or exponential operations using very large operands. Upon conclusion of interstitial processing associated with the multiplications or exponential operations, a single, traditional modulus operation may be used to obtain a final result.

Abstract: The present invention provides a residue computing device on a Galois Field GF(2{circumflex over ( )}m), for calculating a residue R of a product of a multiplier factor X and a multiplicand Y under a modulo Z, which comprises a gate G1 for allowing the multiplier factor X to pass therethrough when a leading bit MSB of the multiplicand Y is 1, an adder ADD for adding a temporary residue R′ and a value obtained by the passage, a gate G2 for allowing the modulo Z to pass therethrough when a leading bit MSB of a summed value SUM of the adder is 1, and a subtractor SUB for subtracting the modulo Z from the summed value SUM of the adder when the leading bit MSB of the summed value SUM is 1, wherein a process for setting a value obtained by shifting a subtracted value of the subtractor by one bit, as the temporary residue R′ on the basis of the next clock is repeatedly performed for each clock to thereby calculate the residue R.

Abstract: A Montgomery multiplier circuit with a chain of processing elements uses less circuit logic in each processing element by propagating an initial parameter through registers used for other purposes. An accumulation register in each processing element is used to propagate the initial parameter through the chain. In one embodiment the initial parameter is first propagated through address registers until it reaches the end of the chain, and is then looped back through the accumulation registers in the reverse direction. In one embodiment, multiples of at least one parameter used in a Montgomery multiplication are pre-calculated in the processing elements of the Montgomery multiplier using the same logic elements used in performing the Montgomery multiplication.

Abstract: A method and device are provided that allow computation of multiple modulus conversion (MMC) outputs using little or no division operations. Instead of division operations, multiplication and logical shift operations are used to produce pseudo-quotients and pseudo-remainders, which may be corrected in a final step to produce correct MMC outputs. This allows for more efficient implementation, since division is typically less efficient than multiplication and logical shift. The method and device operate on MMC inputs that may be partitioned into sub-quotients of varying numbers of digits in any numbering system. The multiplication and logical shift operations are performed on each of the sub-quotients according to a procedure derived from long-division techniques.

Abstract: As part of a process to generate a private key for RSA™ digital signature generation on a smartcard, it is necessary to determine a modular inverse e−1 mod m of a data value e. In order to determine the modular inverse from a data value e and a value of m for the inversion, the value of m mod e is calculated by determining a remainder value r of m divided by e and then an inverse t=r−1 mod e is determined. The modular inverse e−1 mod m is then determined utilising at least the value t by determining a value w=e−t and then determining e−1 mod m by computing (q*w)+1+the integer part of ((w*r)/e).

Abstract: A logic circuit for performing modular multiplication of a first multi-bit binary number and a second multi-bit binary number is provided. Combination logic combines the second multi-bit binary value with a group of W bits of the first multi-bit binary value every jth input cycle to generate W multi-bit binary combination values every jth input cycle, where the W bits comprise bits jW to (jW+W−1), W>1, j is the cycle index from 0 to k−1, k=N/W, and N is the number of bits of the first multi-bit binary value. Thus in this way a plurality of multi-bit binary combinations are input every cycle in a parallel manner. Accumulation logic holds a plurality of multi-bit binary values accumulated over previous cycles. Reduction logic generates a W bit value &Lgr; in a current cycle for use in the next cycle. A multi-bit modulus binary value is received and combined with the W bit value &Lgr; generated in a current cycle to generate W multi-bit binary values for use in the next cycle.

Abstract: The present invention provides a system, method and computer program for performing a modular multiplication a*b*2−N modulo n, where a, b and n are N-bit integers. The system comprises a multiplier for multiplying a Y-bit number by a Z-bit number, and partitioning logic for partitioning the integer a into a plurality of first sections, each first section being of a size which is a multiple of Y, and for partitioning the integer b into a plurality of second sections, each second section being of a size which is a multiple of Z. A multiplication unit is then provided to apply operations to control the multiplier to perform a sequence of multiplications to multiply one of said first sections by one of said second sections in order to generate a number of output operands for use in subsequent operations performed by the multiplication unit.

Abstract: A self-timed data processing circuit module is provided. Data is provided to the data processing circuit along with a Req handshaking input. The data processing circuit has an isochronous processing delay for all data inputs. An example of a data processing circuit with isochronous processing delay is a One Hot Residue Number System arithmetic processing circuit. The data processing circuit processes the input data while the Req input propagates through a delay circuit that has substantially the same processing delay as the data processing circuit. Thus, the propagation delay of the Req signal is substantially equal to the data processing circuit's processing time. This allows the output of the delay circuit to be used to both latch the output of the data processing circuit and provide a “data ready” output.

Abstract: A technique which implements a primitive for computing, e.g., a checksum. Specifically, this primitive replaces a mod(M) operation with a series of simple elementary register operations. These operations include mod 2n multiplications, order manipulations (e.g., byte or word swaps), and additions—all of which are extremely simple to implement and require very few processing cycles to execute. Hence, use of our inventive technique can significantly reduce the processing time to compute various cryptographic parameters, such as, e.g., a message authentication code (MAC), or to implement a stream cipher, over that conventionally required. This technique has both invertible and non-invertible variants.

Abstract: There is provided an apparatus for summing bivectors, e.g. double vectors (alternatively referred to as bivectors) each having a plurality of pairs of elements selected from a predetermined finite field, the apparatus including (a) a device for inputting bivectors X1 and X2, and parameters A (e.g., a3 to a13) for defining a curve therethrough, (b) a first memory for storing the bivector X1 therein, (c) a second memory for storing the bivector X2 therein, (d) a third memory for storing the parameters A therein, and (e) a device for reading the bivectors X1 and X2, and the parameters A out of the first, second and third memories, respectively, and, when the bivectors X1 and X2 are supposed to be coordinate value rows of points in point-sets Q1 and Q2 on the curve defined with the parameters A, operating a bivector X3 comprised of coordinate value row of points in a point-set Q3 equal to a sum of the point-sets Q1 and Q2 in Jacobian group of the curve defined with the parameters A.

Abstract: An information processing system that is configured in such a manner that computational processing is performed on input data in accordance with a processing sequence, for outputting data, comprises: a plurality of arithmetic units (7-1 to 7-x), each computing at an arithmetic precision 2m bits (where m is a natural number) based on the processing sequence; and a plurality of cascade connection terminals for cascading these arithmetic units each other. When the maximum arithmetic precision that is required during computational processing is 2n bits (where n is a natural number and is fixed), x numbers of (where x is a natural number) the arithmetic units are cascaded in a manner such that the inequality x≧2n/2m is satisfied. When an arithmetic precision of 2n1 bits (where n1≦n, and n1 is variable) is necessary during computational processing, x1 numbers of the arithmetic units are cascaded in a manner such that the inequality x1≧2n1/2m (where x1 is a natural number and is variable) is satisfied.

Abstract: In a data processing method, a remainder R that is produced during the division of an integer A by a prescribed integer B is calculated recursively. For this purpose, a data symbol word representing the integer A is decomposed into K data symbol part-words W0, W1, WK−1 of word length L, and in each recursion step a function F determined by the numbers B and L is applied to an argument that depends on the function value Fi−1 obtained in the preceding recursion step, and on a data symbol part-word WK−i.

Abstract: In a Montgomery reduction apparatus for receiving positive integers C and p and calculating D=C·R−1 mod p by using R defined as R=2n using an integer n falling within the range n≧L with a bit length being represented by L when p is expressed in binary notation, this invention includes an (&agr;, &bgr;) extraction section for calculating an integer pair (&agr;, &bgr;) satisfying C=&agr;R+&bgr; on the basis of C and R, a multiplication section for obtaining &egr;&bgr; by multiplying &egr; satisfying R−1=&egr;(mod p) and &bgr; calculated by the (&agr;, &bgr;) extraction section, an addition section for obtaining &agr;+&egr;&bgr; by adding &agr; calculated by the (&agr;, &bgr;) extraction section and &egr;&bgr; calculated by the multiplication section, and a calculation section for obtaining a remainder D=&agr;+&bgr;·&egr;(mod p) which is congruent to &agr;+&egr;&bgr; obtained by the addition section with respect to p as a modulus