Abstract: A method and apparatus for performing modular exponentiation is disclosed. An apparatus in accordance with one embodiment of the present invention includes a first modular exponentiator and a second modular exponentiator and a coupling device interposed between the first modular exponentiator and the second modular exponentiator to receive a control signal and to selectively couple the first modular exponentiator to the second modular exponentiator in response to a state of the control signal. In one embodiment, the apparatus has a first mode of operation corresponding to a first state of the control signal wherein the first modular exponentiator is operably separated from the second modular exponentiator and a second mode of operation corresponding to a second state of the control signal wherein the first modular exponentiator is operably coupled to the second modular exponentiator via the coupling device.

Abstract: A fast, iterative techique for evaluating M modulo J which may be easily implemented in hardware. In the illustrative embodiment, the invention includes a first circuit (10) for decomposing M into two integers A and B=M−A; a second circuit (20) for evaluating (A modulo J); a third circuit (30) for evaluating M′=(A modulo J)+B; and, a fourth circuit (40) for determining whether to output M′ as the final answer, or to feedback M′ to said first means to evaluate M′ modulo J.

Abstract: A linear systolic array Montgomery multiplier circuit that concurrently processes two separate Montgomery multiplications on alternate clock cycles, without a requirement to have any common parameters between the two multiplications. Multiples of two different parameters are stored in storage elements for each multiplication. Two sets of these multiples, one set for each of the two multiplications, are stored in separate storage banks and accessed on alternate clock cycles by each processing element in the array. Two sequences of control codes for the two multiplications are interleaved as they are fed into a first processing element.

Abstract: A Montgomery multiplier circuit with a chain of processing elements uses less circuit logic in each processing element by propagating an initial parameter through registers used for other purposes. An accumulation register in each processing element is used to propagate the initial parameter through the chain. In one embodiment the initial parameter is first propagated through address registers until it reaches the end of the chain, and is then looped back through the accumulation registers in the reverse direction. In one embodiment, multiples of at least one parameter used in a Montgomery multiplication are pre-calculated in the processing elements of the Montgomery multiplier using the same logic elements used in performing the Montgomery multiplication.

Abstract: An improved apparatus and method for modular multiplication and exponentiation to achieve efficient computation involved in Montgomery multiplication is provided. Currently employed conventional iteration methods involve carry look-ahead additions. To overcome the time taken by carry look-ahead additions, there is thus provided, in accordance with a preferred embodiment of the present invention, an apparatus and method for separately storing and tracking the sum and the carry of the addition involved in Montgomery multiplication. In such a manner, the present invention achieves fast addition times since they are not dependent on the time to compute the carries. As a result, the iterations are carried out much faster than previously possible. By representing the value A in the Montgomery multiplication algorithm with a redundant notation, the sum and the carry of the addition are separately stored and tracked, thereby avoiding the delays involved in the computation of the carries.

Abstract: A power-residue calculating unit includes: a first register group holding a first kind of data; a second register group holding a kind of data to be referred to concurrently with the data held in the first register group; a first internal bus connected to the first register group; a second internal bus connected to the second register group; a Montgomery multiplication residue calculation executing portion connected to the first and second internal buses for concurrently referring to the data held in the first and second register groups and executing a Montgomery multiplication residue calculation; and a power-residue calculation executing portion connected to the first and second internal buses and the Montgomery multiplication residue calculation executing portion for concurrently referring to the data held in the first and second register groups, communicating data with the Montgomery multiplication residue calculation executing portion, and executing a power-residue calculation.

Abstract: An integrated cryptographic system (24) executes a mathematical algorithm that computes equations for public-key cryptography. An arithmetic processor (22) receives data values stored in a temporary storage memory (14) and computes both the Rivest-Shamir-Adleman (RSA) and Elliptic Curve Cryptography (ECC) algorithms. Multiplication cells (270 and 280) have an INT/POLY terminal that selects a C-register (246) for computing RSA modular exponentiation or ECC elliptic curve point multiplication.

Abstract: A multi-function modulo processor architecture is capable of performing multiple modulo mathematic operations. The modulo processor includes a pipeline processing portion that iteratively computes a running partial modulo product using the operands of a modulo mathematic argument to obtain one or more final partial modulo products. The final partial modulo product is post-processed to obtain the final result.

Abstract: An integer Z101 is divided by an integer I102 to obtain a remainder R109. The integer I102 includes a polynomial of power of a basic operational unit of a computer. In this way, the integer I for divisor is limited based on the basic operational unit of the computer, thus a shift operation, which is required for a conventional operation method, can be eliminated. The remainder can be calculated by only addition and subtraction. Accordingly, a code size becomes compact and the remainder of the integer can be calculated at a high speed.

Abstract: A coprocessor including a first multiplication circuit and a second multiplication circuit with a series input to receive n bits and a series output to give n+k bits. The coprocesser also includes addition and multiplexing circuits enabling the data elements produced by the multiplication circuits to be added up with one another and with other data elements encoded on n bits. The invention makes parallel use of the multiplication circuits to carry out modular or non-modular operations on pieces of binary data having n bits or more.

Abstract: A method for calculating greatest common divisors and modular inverses using the extended Jebelean GCD algorithm keeps track of the number of times that U3 and V3 have been divided by two in the process of calculating the greatest common divisor and correct the modular inverse for these divisions. The shifting of the binary values representing U3 that occurs during the calculation of the GCD is accomplished by changing the position of respective pointers to bit positions in the binary values rather than implementing a shifting operation.

Abstract: A random number generator is provided that includes a plurality of bit generators for generating a first to last (e.g., 0'th to 30th) sum bits, a carry bit conversion section that receives a plurality of final output carries from a final bit generator of the plurality of bit generators and converts the received value to a prescribed-bit (e.g., 3-bit) signal, and a random number generation section adding the prescribed-bit signal outputted from the carry bit conversion section to the plurality of sum bits generated from the bit generation section to generate a random number. The random number generator is generated, for example, by adding a final output carry to a final sum generated from respective 31 bit generators to prevent wrap-around application of output carries of the final (e.g., 30th) a first bit generator to a 0'th bit generator.

Abstract: The subject invention relates to a method and apparatus for multiplication of numbers. In a specific embodiment, the subject invention can be used to perform sequential multiplication. The subject invention also pertains to a method and apparatus for modular reduction processing of a number or product of two numbers. In a specific embodiment, sequential multiplication can be incorporated to perform modular reduction processing. The subject method and apparatus can also be utilized for modular exponentiation of large numbers. In a specific embodiment, numbers larger than or equal to 2128 or even higher can be exponentiated. For example, the subject invention can be used for exponentiation of number as large as 21024, 22048, 24096, or even larger.

Abstract: A method for performing in a modular arithmetic coprocessor an integer division of a first binary data element by a second binary data element. The result is obtained by making an iterative loop of operations including an integer division of the first data element by a most significant word of the second data element. A test is performed to determine if the result of the division performed corresponds to a word of the final result sought. The first data element is modified by subtracting from it a data element produced by multiplying the second data element by the word of the final result sought that has been previously produced.

Abstract: The Euclid mutual division arithmetic circuit relating to the present invention comprises first, second, and third register portions and control portion. Each register portion is constituted so as to be able to selectively perform a Euclid mutual division, perform Euclid mutual division using a divisor and dividend, supply the divisor used in the Euclid mutual division operation, and supply the dividend used in the Euclid mutual division operation. The control portion operates so that, in a kth operation, the first register portion supplies the dividend, the second register portion performs the division operation, and the third register portion supplies the divisor supplying function; in a (k+1)th operation, the first register performs the division operation, the second register portion supplies the divisor, and the third register portion performs the dividend.

Abstract: The subject of the disclosed technology is shown in the following. In the information processing device such as an IC card the overflow processing which occurs in the case of a modular multiplication operation to be performed during crypto-processing inside shows a particular pattern of a consumption current. It is the subject of the present invention to decrease the relationship between data processing and the pattern of the consumption current.

Abstract: In an IC card incorporating residual multiplier hardware for implementing a high-speed algorithm for a residual multiplication arithmetic, a method and a device capable of executing public key encryption processing such as an elliptic curve encryption processing at a high speed. Residual arithmetic succeeding to generation of a random number and residual arithmetic in a signature generating processing can be executed by using a residual multiplier. Further, in order to use effectively the residual multiplier for arithmetic operation on an elliptic curve, the point on the elliptic curve is transformed from a two-dimensional affine coordinate system to a three-dimensional coordinate system. Additionally, multiplicative inverse arithmetic for realizing reverse transformation from the three-dimensional coordinate system to the two-dimensional affine coordinate system as well as for determining a signature s can be executed only with the residual multiplication arithmetic.

Abstract: One embodiment of the present invention provides a system that performs modular division. This system contains a number of registers, including: a register A that is initialized with a value X; a register U that is initialized with a value Y; a register B that is initialized with a value M; and a register V that is initialized with a value 0. The system also includes a counter CA that indicates an upper bound for the most-significant non-zero bit of register A. It also includes a counter CB that indicates an upper bound for the most-significant non-zero bit of register B. The system additionally includes a temporary register H, and a temporary register L. An updating mechanism is configured to iteratively reduce the contents of registers A and B to a value of one by applying a plurality of operations to registers A, B, U and V. During operation, this updating mechanism temporarily stores A+B in the temporary register H, and temporarily stores U+V in the temporary register L.

Abstract: One embodiment of the present invention provides a system that performs modular division. This system contains a number of registers, including: a register A that is initialized with a value X; a register U that is initialized with a value Y; a register B that is initialized with a value M; and a register V that is initialized with a value 0. The system also includes a temporary register H, and a temporary register L. An updating mechanism is configured to iteratively reduce the contents of registers A and B to a value of one by applying a plurality of operations to registers A, B, U and V. During operation, this updating mechanism temporarily stores A+B in the temporary register H, and temporarily stores U+V in the temporary register L.

Abstract: Apparatus for determining a remainder of a modulo division of a binary number made up of a string of bits, including a first plurality of substantially similar cells coupled in a linear sequence, the first plurality of cells including at least a first cell and a last cell. Each cell of the first plurality includes a second plurality of binary input terminals, the input terminals of the first cell being coupled to receive a pre-determined input, and a second plurality of binary output terminals, each coupled, except for the output terminals of the last cell, to a respective one of the input terminals of a subsequent cell in the sequence. Each cell of the first plurality further includes a control input terminal, coupled to receive one of the bits in the string corresponding to a position of the cell in the sequence. The remainder is generated at the output terminals of the last cell in the sequence.

Abstract: The present invention provides a method for performing a point doubling operation with only one modular division and no multiply per operation. As a result, the invention reduces the number of mathematical operations needed to perform point doubling operations in elliptic curve computation. An elliptic curve cryptosystem using the present invention can be made to operate more efficiently using the present invention. An elliptic curve crypto-accelerator can be implemented using the present invention to dramatically enhance the performance of the elliptic curve cryptosystem. The invention derives the slope of a curve independently of the y-coordinate. By avoiding the calculation of the y term, one additional multiply is eliminated from each point-doubling operation. Using the invention, n consecutive point doublings can be reduced to n modular divisions and 1 multiply. This avoids the 2n multiplies of prior art approaches.

Abstract: The modular exponentiation function used in public key encryption and decryption systems is implemented in a standalone engine having at its core modular multiplication circuits which operate in two phases which share overlapping hardware structures. The partitioning of large arrays in the hardware structure, for multiplication and addition, into smaller structures results in a multiplier design comprising a series of nearly identical processing elements linked together in a chained fashion. As a result of the two-phase operation and the chaining together of partitioned processing elements, the overall structure is operable in a pipelined fashion to improve throughput and speed. The chained processing elements are constructed so as to provide a partitionable chain with separate parts for processing factors of the modulus. In this mode, the system is particularly useful for exploiting characteristics of the Chinese Remainder Theorem to perform rapid exponentiation operations.

Abstract: The modular exponentiation function used in public key encryption and decryption systems is implemented in a standalone engine having at its core modular multiplication circuits which operate in two phases which share overlapping hardware structures. The partitioning of large arrays in the hardware structure, for multiplication and addition, into smaller structures results in a multiplier design comprising a series of nearly identical processing elements linked together in a chained fashion. As a result of the two-phase operation and the chaining together of partitioned processing elements, the overall structure is operable in a pipelined fashion to improve throughput and speed. The chained processing elements are constructed so as to provide a partitionable chain with separate parts for processing factors of the modulus. In this mode, the system is particularly useful for exploiting characteristics of the Chinese Remainder Theorem to perform rapid exponentiation operations.

Abstract: The modular exponentiation function used in public key encryption and decryption systems is implemented in a standalone engine having at its core modular multiplication circuits which operate in two phases which share overlapping hardware structures. The partitioning of large arrays in the hardware structure, for multiplication and addition, into smaller structures results in a multiplier design comprising a series of nearly identical processing elements linked together in a chained fashion. As a result of the two-phase operation and the chaining together of partitioned processing elements, the overall structure is operable in a pipelined fashion to improve throughput and speed. The chained processing elements are constructed so as to provide a partitionable chain with separate parts for processing factors of the modulus. In this mode, the system is particularly useful for exploiting characteristics of the Chinese Remainder Theorem to perform rapid exponentiation operations.

Abstract: A computationally efficient multiplication method and apparatus for modular exponentiation. The apparatus uses a preload register, coupled to a multiplier at a second input port via a KN bit bus to load the value of the “a” multiplicand in the multiplier in a single clock pulse. The “b” multiplicand (which is also KN bits long) is supplied to the multiplier N bits at a time from a memory output port via an N bit bus coupled to a multiplier first input port. The multiplier multiplies the N bits of the “b” multiplicand by the KN bits of the “a” multiplicand and provides that product at a multiplier output N bits at a time, where it can be supplied to the memory via a memory input port.

Abstract: A power-residue calculating circuit includes: an I/F (interface) circuit with respect to an external bus; an e register holding a key e; a Y register holding a multiplier Y for Montgomery conversion; an N register holding a key N; a B2N register holding a value of (2B+N) calculated during the Montgomery conversion; an X register holding a plaintext X; a calculating circuit performing calculations for encryption and decryption; a P register holding a calculation result P; a power-residue control circuit serving as a state machine when the power-residue calculation is performed; a Montgomery multiplication residue/residue control circuit serving as a state machine when the Montgomery multiplication residue calculation and residue calculation are performed; and an addition/subtraction control circuit controlling calculations addition and subtraction.

Abstract: A modular arithmetic apparatus has a plurality of base parameter sets in read only memories. A base selection unit in the modular arithmetic apparatus selects one of the base parameters sets according to an input modulus p. A plurality of operation units 30, in the modular arithmetic apparatus, perform an arithmetic operation according to the selected base parameter set in parallel and obtain an arithmetic result.

Abstract: In a remainder calculating method and a modular-multiplication method on the basis of a Montgomery method, a number expressed by N (N=c2d±1) is used as a divisor N. In order to calculate a remainder in the case of dividing a dividend Y by a divisor N on the basis of a Montgomery method, a number expressed by a condition of N=c2d−1 is used as the divisor N, and the following steps are repeatedly carried out; the steps includes: a step of adding a product of a least digit value yo of the dividend Y and c to a lower d-bit position of the dividend Y; and a step of setting a portion excluding the least digit of the additive result as a next dividend.

Abstract: An IC card having a storage memory including a program storage unit for storing a program and a data storage unit for storing data and a central processing unit for executing a predetermined process in accordance with the program to process the data, the program including one or more data process units each having a process instruction for giving an execution instruction to the central processing unit, wherein a data process order is randomly exchanged and a dummy process is added to thereby reduce the dependency of consumption current of an IC chip upon the data process.

Abstract: Methods and apparatus for modular arithmetic operations with respect to a modulus p include representing operands as a series of s w-bit numbers, wherein 1 s = ⌈ k w ⌉ .

Abstract: A new method and apparatus for speeding up cryptographic calculations relies on faster methods for automatically calculating the solutions of certain equations. This includes a faster method for modular division, and a faster method for solving quadratic equations in characteristic 2 fields. The improvement speeds up key exchange, encryption, and digital signatures.

Abstract: The invention provides a method for performing modular division adapted for division in integer fields. Integer modular divisions are used in the computation of Elliptic Curve digital signature generation and verification. The algorithm can be implemented to provide division in integer fields completed in 2(m−1) steps. This method provides a solution to the elliptical curve cryptosystems based on prime integer fields.

Abstract: The modular multiplication apparatus includes a residue calculating unit, a multiplier division unit, a partial product calculation unit, an accumulation unit, a correction unit, and a control unit. The residue calculating unit recurrently calculates intermediate values in sequence. The residue calculating unit obtains the multiplicand as the intermediate value first time, and at the second time and after, calculates residues or congruent values of the modulo P multiplication of the intermediate values being preceding intermediate values left-shifted s bits. The multiplier division unit divides the multiplier into a plurality of s-bit partial multipliers in order from lower bits. The partial product calculation unit calculates partial products of intermediate values and partial multipliers in sequence. The accumulation unit and the correction unit accumulate the partial products while correcting them under the control of the control unit. The residue calculating unit includes a table unit.

Abstract: A device of the present invention is an exponential calculation device for calculating x{circumflex over ( )}(a/b) (where a and b are each an integer constant) for a given input value of x. The device includes: an input control section for outputting a value of x′, wherein x′=x when x≦A (where A is a threshold value within a variable range of x) and x′=x/2{circumflex over ( )}b when x>A; a core section for outputting a value of z′=x′{circumflex over ( )}(a/b); and an output control section for outputting a value of z, wherein z=z′ when x≦A and z=z′*2{circumflex over ( )}a when x>A.

Abstract: A processor includes an address generation unit (AGU) which adds address operands and the segment base. The AGU may add the segment base and the displacement while other address operands are being read from the register file. The sum of the segment base and the displacement may subsequently be added to the remaining address operands. The AGU receives the addressing mode of the instruction, and if the addressing mode is 16 bit, the AGU zeros the carry from the sixteenth bit to the seventeenth bit of the sums generated therein. Additionally, in parallel, the AGU determines if a carry from the sixteenth bit to the seventeenth bit would occur if the logical address were added to the segment base. In one embodiment, the sum of the address operands and the segment base, with carries from the sixteenth bit to the seventeenth bit zeroed, and the carry generated in parallel are provided to a translation lookaside buffer (TLB), which stores translations in the same format (sum and carry).

Abstract: A co-processor (44) executes a mathematical algorithm that computes modular exponentiation equations for encrypting or decrypting data. A pipelined multiplier (56) receives sixteen bit data values stored in an A/B RAM (72) and generates a partial product. The generated partial product is summed in an adder (58) with a previous partial product stored in a product RAM (64). A modulo reducer (60) causes a binary data value N to be aligned and added to the summed value when a particular data bit location of the summed value has a logic one value. An N RAM (70) stores the data value N that is added in a modulo reducer (60) to the summed value. The co-processor (44) computes the Foster-Montgomery Reduction Algorithm and reduces the value of (A*B mod N) without having to first compute the value of &mgr; as is required in the Montgomery Reduction Algorithm.

Abstract: Montgomery multipliers and methods modular multiply a residue multiplicand by a residue multiplier to obtain a residue product, using a scalar multiplier, a first vector multiplier and a second vector multiplier. A controller is configured to control the scalar multiplier, the first vector multiplier and the second vector multiplier, to overlap scalar multiplies using a selected digit of the multiplier and vector multiplies using a modulus and the multiplicand. The scalar multiplier is configured to multiply a least significant digit of the multiplicand by a first selected digit of the multiplier, to produce a scalar multiplier output. The first vector multiplier is configured to multiply the scalar multiplier output by a modulus, to produce a first vector multiplier output. The second vector multiplier is configured to multiply a second selected digit of the multiplier by the multiplicand, to produce a second vector multiplier output.

Abstract: Montgomery exponentiators and methods modulo exponentiate a generator (g) to a power of an exponent (e). The Montgomery exponentiators and methods include a first multiplier that is configured to repeatedly square a residue of the generator, to produce a series of first multiplier output values at a first multiplier output. A second multiplier is configured to multiply selected ones of the series of first multiplier output values that correspond to a bit of the exponent that is binary one, by a partial result, to produce a series of second multiplier output values at a second multiplier output. By providing two multipliers that are serially coupled as described above, Montgomery exponentiation can be accelerated.

Abstract: The computation time of modular operations on large-format data is improved by using a computation circuit integrated as a modular arithmetic coprocessor. The computation circuit carries out an S=A*B+C type operation, with S and C encoded on 2*Bt bits, and A and B encoded on Bt bits. To carry out this operation, a storage flip-flop circuit enables the storage of a possible overflow carry value at the end of an elementary computation, and reinserts this carry value during the following computation.

Abstract: A syndrome polynomial calculating circuit and a Reed-Solomon decoding circuit capable of performing a high-speed operation. Higher-order signals I1, I2 and I3 are inputted to first to third Galois field multiplication circuits. For each of S0, S1, S2 and S3, the multipliers are a a6, a9, a12; a2, a4, a6, a8; a, a2, a3, a4. Outputs of first to third multiplication circuits and I4 are sent to an exclusive-OR gate, an output of which is sent to a D-F/F. An output of the D-F/F is sent to a fourth Galois field multiplication circuit and to an AND gate. For each of S0, S1, S2 and S3, multipliers of the fourth multiplication circuit are a4, a8, a12, a16. An output of the fourth multiplication circuit is sent to a fifth input of the exclusive OR gate. Clocks are input to the D-F/F and to a counter. The counter value is reset by the inputting of a frame pulse. The counter value is L or H for the counter value of 0 to 4 or 5, respectively. A counter output is sent to the AND gate.

Abstract: Method and apparatus for calculating the modular multiplicative inverse of an element of a Galois Field GF(2n).

Abstract: A system and method are provided for performing modulo multiplication of two numbers N bits long with a modulus of 2N+1, where the resulting modulus is determined without a need to perform successive reductions. Without a need to perform successive reductions, a hardware implementation does not require a divider circuit.

Abstract: An apparatus to calculate a remainder of Bc modulo n at high speed with minimum hardware resources, while securing safety of a key comprises: a first circuit to execute a process of calculating B (mod n) and holding the calculation result B1 and to repeat a process of shifting a holding value and calculating a value congruent to the shifted holding value modulo n and holding the calculation result; a first register for storing the B1 as an initial value; a second circuit to cumulate the calculation result of the first circuit when a value of a bit at a predetermined position of the first register is equal to 1; a second register to store 1 as an initial value; a C output circuit to output C; a third circuit to cumulate the calculation result of the first circuit when an output value from said C output circuit is equal to 1 and a value of a bit at a predetermined position of the second register is equal to 1.

Abstract: Apparatus in form of a microelectronic assembly including an integrated circuit (IC) for execution of an embedded modular exponentiation program utilizing a square-and-multiply algorithm, wherein in the modular exponentiation program a secret exponent having a plurality of bits characterizes a private key, a method of providing a digital signature to prevent the detection of the secret exponent when monitoring power variations during the IC execution, the method comprising the steps of for a first operation in the modular exponentiation, selecting at least one predetermined bit, wherein the at least one predetermined bit is a bit other than a least significant bit (LSB) and the most significant bit (MSB); using the square-and-multiply algorithm, sequentially selecting bits to the left of the at least one predetermined bit for exponentiation until the MSB is selected; subsequent to selecting the MSB, sequentially selecting bits to the right of the at least one predetermined bit for exponentiation until the LSB

Abstract: A computationally efficient multiplication method and apparatus for modular exponentiation. The apparatus uses a preload register, coupled to a multiplier at a second input port via a KN bit bus to load the value of the “a” multiplicand in the multiplier in a single clock pulse. The “b” multiplicand (which is also KN bits long) is supplied to the multiplier N bits at a time from a memory output port via an N bit bus coupled to a multiplier first input port. The multiplier multiplies the N bits of the “b” multiplicand by the KN bits of the “a” multiplicand and provides that product at a multiplier output N bits at a time, where it can be supplied to the memory via a memory input port.

Abstract: The integers involved in the computation are embedded into a modular system whose index (i.e., its modulus) is an integer M that is bigger than all of these integers involved. In other words, these integers are treated not as belonging to ordinary integers anymore, but as “modular integers” belonging to the modular system indexed by M. Having completed the embedding, CRT provides the bridge which connects the single modular system indexed by M (ZM) with a collection of k modular systems indexed by m1,m2, . . . , mk respectively (Zm1, Zm2, . . . , Zmk), where M factorizes as m1*m2*m3* . . . *mk, and where each mi is slightly smaller than single precision. Then, after numbers are manipulated within modular arithmetic, the answer is reconstructed via the algorithm of CRT, also known as CRA. Finally, the present invention introduces the process of dinking that overcomes the major weakness of implementing division with modular arithmetic.

Abstract: A method and apparatus for performing high-speed computation of a Montgomery value defined as 22k mod(n) for an arbitrary modulus n is disclosed. After loading the value of 2(h*m)+1 into a first register and the value of the modulus n in a second register, the bits of modulus n are shifted in a most significant bit direction before a repeated modular reduction and squaring process. This allows the computation of the Montgomery value for modulus values of arbitrary sizes while reducing the number of computations required by a processor with a limited operand size.

Abstract: The invention provides for robust efficient distributed generation of RSA keys. An efficient protocol is one which is independent of the primality test “circuit size”, while a robust protocol allows correct completion even in the presence of a minority of arbitrarily misbehaving malicious parties. The disclosed protocol is secure against any minority of malicious parties (which is optimal). The disclosed method is useful in establishing sensitive distributed cryptographic function sharing services (certification authorities, signature schemes with distributed trust, and key escrow authorities), as well as other applications besides RSA (namely: composite ElGamal, identification schemes, simultaneous bit exchange, etc.). The disclosed method can be combined with proactive function sharing techniques to establish the first efficient, optimal-resilience, robust and proactively-secure RSA-based distributed trust services where the key is never entrusted to a single entity (i.e.

Abstract: A modular arithmetic coprocessor comprises a circuit for the computation of an error correction parameter H=2x mod N associated with the Montgomery method. This computation circuit comprises a first register, a second register, and a first circuit for the series subtraction of either zero, N, twice N, or three times N from the contents of the first register. A multiplication circuit carries out a multiplication by four. A second circuit compares the result with N, twice N or three times N.

Abstract: A co-processor (FIG. 2) for performing modular multiplication comprising: means for receiving B and N binary data streams (bstr, nstr); means for receiving a data value A; adder means (Add1, Add2), subtractor means (Sub1, Sub2, Sub3) and multiplier means (Mul1, Mul2) coupled to sequentially process the B and N binary data streams and the data value A to produce a modulo-reduced multiplication value (A*B) mod N; and further including exponentiation means (FIG. 6) comprising: random access memory (E-RAM) for holding an exponent value; parallel-serial interface means for receiving in parallel from the random access memory the exponent value and for producing therefrom a binary data stream E; control means (CONTROL) for receiving the binary data stream E and for initiating a squaring or a multiply operation in dependence on the value of each bit thereof.