1. Field of the Invention
The present invention relates to high performance digital arithmetic circuitry, and more particularly to a high-radix multiplier-divider implemented in hardware for efficiently computing combined multiplication and division operations, e.g., computing ((A·B)÷D), as well as modulo multiplication, e.g., (A·B) mod D.
2. Description of the Related Art
Many of the recent computer intensive applications, e.g., multimedia and public-key cryptosystems, have been witnessing a continuous increase in demand for more computational power. For example, public-key cryptosystems make heavy use of the modulo multiplication operation, which comprises a multiplication operation together with a division/reduction operation. The key size of RSA public-key cryptosystems has been continuously getting larger, from 512 bits to 1024 bits, and most recently to 2048 bits, causing increased demand for more computational power. There exists a quite extensive literature that describes the theory and design of high speed multiplication and division algorithms. Division algorithms are divided into five classes: (1) digit recurrence; (2) functional iteration; (3) very high radix; (4) table lookup; and (5) variable latency.
Digit recurrence is the oldest class of high speed division algorithms, and, as a result, a significant quantity of literature has been written proposing digit recurrence algorithms, implementations, and techniques. The most common implementation of digit recurrence division in modern processors has been the Sweeney, Robertson, Tocher (SRT) method.
Digit recurrence algorithms retire a fixed number of quotient bits in every iteration. Implementations of digit recurrence algorithms are typically low complexity, utilize small area, and have relatively large latencies. The fundamental choices in the design of a digit recurrence divider are the radix, the allowed quotient digits, and the representation of the partial remainder (residue). The radix determines how many bits of quotient are retired in an iteration, which fixes the division latency. Larger radices can reduce the latency, but increase the time for each iteration. Judicious choice of the allowed quotient digits can reduce the time for each iteration, but with a corresponding increase in complexity and hardware. Similarly, different representations of the partial remainder (residue) can reduce iteration time, but with corresponding increases in complexity.
Digit recurrence division algorithms use iterative methods to calculate quotients one digit per iteration. SRT is the most common digit recurrence division algorithm. The input operands are represented in a normalized floating point format with w-bit significands in sign and magnitude representation. Assuming floating point representation, the algorithm is applied only to the magnitudes of the significands of the input operands. Techniques for computing the resulting exponent and sign are straightforward. The most common format found in modern computers is the IEEE 754 standard for binary floating point arithmetic. This standard defines single and double precision formats.
In a division operation (N/D), N is a 2 w-bit dividend, while D is a w-bit divisor. The division result is a w-bit quotient Q (Q=0·q−1 q−2 . . . q−n) and a w-bit remainder R such that N=QD+R and |R|<|D|. The w-bit quotient is defined to consist of n radix-r digits with r=2m, (w=n×m). A division algorithm that retires m quotient bits per iteration is said to be a radix-r algorithm. Such an algorithm requires n iterations to compute the result. For no overflow, i.e., so that Q is w-bits, the condition |N|<|D| must be satisfied when dividing fractions. The following recurrence is used in every iteration of the SRT algorithm;
Rj=rRj-1−q−jD j=1,2,3, . . . , n; where
After n iterations, the final value of the quotient Q and the remainder R are computed from Rn as follows:
The critical path of the basic SRT digit recurrence algorithm comprises the following steps: (1) determination of the next quotient digit q−j using the quotient digit selection function, a look-up table typically implemented as a PLA, or read only memory (ROM); (2) generation of the product q−jD; and (3) subtraction of Q−jD from the shifted partial residue rRj-1. Each of these steps contributes to the algorithm cost and performance.
A common method to decrease the overall latency of the algorithm (in machine cycles) is to increase the radix r of the algorithm. Assuming the same quotient precision, the number of iterations of the algorithm required to compute the quotient is reduced by a factor f when the radix is increased from r=2m to r=2mf. For example, a radix-4 algorithm retires two bits of quotient in every iteration. Increasing to a radix-16 algorithm allows for retiring four bits in every iteration, halving the latency.
This reduction does not come for free. As the radix increases, the quotient-digit selection becomes more complicated and, accordingly, slower to compute. Since the quotient selection logic is on the critical path of the basic algorithm, using higher radices causes the total cycle time of the division iteration to increase. The number of cycles, however, is reduced for higher radices. As a result, the total time required to compute a w-bit quotient may not be reduced as expected. Furthermore, the generation of divisor multiples may become impractical or infeasible for higher radices. Thus, these two factors can offset some of the performance gained by using higher radices.
Typically, for a system with radix r, a redundant signed digit set (Da) is used to increase the performance of the algorithm. To be redundant, the size of the digit set should be greater than r, including both negative and positive digits. Thus, q−jεDα={−α, −α+1, . . . , −1, 0, 1, . . . , β−1, β}, where the number of allowed digits (α+β+1) is greater than r. It is fairly common to choose a symmetric digit set where α=β, in which case the size of the digit set (2α+1)>r, which implies that a must satisfy the condition α≧┌r/2┐. The degree of redundancy is measured by the value of the redundancy factor h, where h=α/r−1. Redundancy is maximal when α=r−1, in which case h=1, while it is minimal when α=r/2 (i.e., ½<h≦1).
For the computed Rj value to be bounded, the value of the quotient digit must be selected such that |Rj|<hD. Using larger values of h (i.e., large α) reduces the complexity and latency of the quotient digit selection function. This, however, results in a more complex generation of the divisor multiples. Divisor multiples that are powers of two can be formed by simple shifting, while those that are not powers of two (e.g., three) require additional add/subtract steps. The complexity of the quotient digit selection function and that of the generating divisor multiples must be balanced.
To define the quotient digit selection function, a containment condition is used to determine the selection intervals. A selection interval is the region defined by the values of the shifted partial residue (rRj-1) values and the divisor (D) in which a particular quotient digit may be selected. The selection interval is defined by the upper (Uk) and lower (Lk) bounds for the shifted partial residue (rRj-1) values in which a value of quotient digit qj=k may be selected to keep the partial residue Rj bounded. These are given by:
Uk=(h+k)D
and
Lk=(−h+k)D.
The P-D diagram is a useful tool in defining the quotient-digit selection function. It plots the shifted partial residue (P=rRj-1) versus the divisor D. The Uk and Lk straight lines are drawn on this plot to define selection interval bounds for various values of k.
There is a need for a digital multiplier-divider unit that can efficiently compute
where the multiplicand A, the multiplier B, and the divisor D are w-bit unsigned numbers. Computing S yields a w-bit quotient and a w-bit remainder R such that:
A·B=Q·D+R
and
|R|<|D|.
Conventionally, S would be computed using two independent operations: a multiplication operation, and a division operation. Whereas digit recurrence relations for these two operations have been proposed and are in common use by digital processors, no single recurrence relation has been proposed to simultaneously perform the multiplication and division operations as needed to efficiently compute
Thus, a high-radix multiplier-divider solving the aforementioned problems is desired.
The high-radix multiplier-divider provides a system and method utilizing an SRT digit recurrence algorithm that provides for simultaneous multiplication and division using a single recurrence relation. When A, B, D and Q are fractions (e.g., Q=0·q−1 q−2 . . . q−n), then the algorithm provides for computing
to yield a w-bit quotient Q and w-bit remainder R by: (1) determining the next quotient digit q−j using a quotient digit selection function; (2) generating the product q−jD; and (3) performing the triple addition of rRj-1, (−q−jD) and
where R0=b−1Ar−1. The recurrence relation may be implemented with carry-save adders for computation using bitwise logical operators (AND, OR, XOR).
These and other features of the present invention will become readily apparent upon further review of the following specification and drawings.
Similar reference characters denote corresponding features consistently throughout the attached drawings.
The present invention provides a digit recurrence (SRT) multiplier-divider apparatus and method that utilizes a single recurrence relation. The method includes an algorithm that may be implemented in software, but is preferably implemented in hardware for greater speed.
The apparatus includes a circuit configured to carry out the algorithm. The circuit may be incorporated into the architecture of a computer processor, into a security coprocessor integrated on a motherboard with a main microprocessor, into a digital signal processor, into an application specific integrated circuit (ASIC), or other circuitry associated with a computer, electronic calculator, or the like. The method may be modified so that the circuit may include carry-propagate adders, or the circuit may include carry-save adders, or it may include compressors, e.g., (4-2) compressors.
The method can perform simultaneous multiplication and division. Roth the apparatus and the method may be utilized in a variety of applications, including but not limited to, networked computers, public-key cryptosystems, multimedia applications, digital communication devices, and the like, where the method and circuitry provide for high speed performance of modular arithmetic operations involved in the encryption and decryption of messages, where the method and the circuitry provide increased speed for greater circuit efficiency, increased productivity, and lower network, processor, system overload and costs.
It is desired to provide a digital multiplier-divider unit that can efficiently compute
where the multiplicand A, the multiplier B, and the divisor D are w-bit unsigned numbers. Computing S yields a w-bit quotient Q and a w-bit remainder R such that:
A·B=Q·D+R; (1)
|R|<|D|. (2)
In one embodiment, in order to speed-up the computation
the recurrence relation of the present invention uses a high radix r=2m where m≧1. The operands A, B, and D are n-digit integers, i.e., A=(an−1, . . . a1, a0), B=(bn−1, . . . b1, b0), and D=(dn−1, . . . d1, d0), where
and ai, bi, diε{0, 1, . . . , r−1}.
Thus, the present invention provides for an enhanced multiply-divide recurrence relation given by:
Rj=rRj-1−qn−jDrn+bn−j-1Arn−1 j=1, 2, . . . , n (3)
where,
qi is the ith quotient digit
bi is the ith digit of B
b−1=0,
Rj is the jth running partial remainder and
R0=bn−1Arn−1.
The final quotient Q and remainder R results are given by:
If Rn<0 then the following correction step is performed:
Q=Q−ulp, where ulp designates a unit in the least significant position,
and Rn=Rn+D, with
The following shows that executing the n iterations of the proposed recurrence relation yields the desired Q & R values as defined by equations (1) and (2):
Accordingly,
and accordingly,
AB=DQ+R.
If the digits of Q are chosen such that the magnitude of the partial residue Rj is maintained less than the magnitude of D, then Q is effectively the required quotient of the division operation: AB/D. Since AB=DQ+R and |R|<|D|, then R is indeed the division operation final remainder.
The previous recurrence relation (equation 3) can be rewritten assuming A, B, D, and Q to be fractions of the form B=0·b−1 b−2 . . . b−n, and Q=0·q−1 q−2 . . . q−n. This does not change the computation procedure in any way, and integer operations can be readily mapped to the fractional form. The fractional formulas are more convenient in mathematical representation, however, since they are readily adaptable to floating point representations. The fractional form is obtained from the integer form as follows:
A=Ainteger*r−n
B=Binteger*r−n
D=Dinteger*r−n
R=Rinteger*r−n. (6)
Following is the modified fractional multiply-divide recurrence relation:
Alternatively, the same recurrence relation may be used with R0=0. In this case, an extra iteration step of the recurrence relation is needed. Thus;
Rj=rRj-1−q−jD+b−j−1Ar−1 for j=1, 2, . . . , n+1 (11)
R0=0
q0=0
b−i=0 for i>n
Rn+1=rnR. (12)
The final quotient Q and remainder R are given by:
The previous formulae can be implemented in hardware using shift and add operations. Although the operand size is w-bits (w=mn), the minimum possible size in radix r (r=2m) implementation is w+2 m+1; w-bits for the actual operand, m-bits for the left shift required by the first term (rRj-1), another m-bits for the right shift required by the third term (b−jAr−1), and finally one extra bit for the sign.
Just as in the case of division, we must have AB<D to guarantee that no overflow may occur (since AB=DQ+R).
The following analysis assumes the use of equations 7-10 with the understanding that similar analysis holds true if the alternative formulae of equations 11-14 are used instead.
Referring to the recurrence relation of equation (7), each iteration includes the following steps: (1) determining the next quotient digit q−j using some quotient digit selection function (q−j=SEL(rRj-1, D), which may typically be implemented as a look-up table or as a PLA; (2) generating the product q−jD; and (3) performing the triple addition of rRj-1, (−q−jD) and
The resulting partial residue (Rj) must guarantee that |Rj|<|D|. Satisfaction of the condition |Rj|<|D| depends on the proper choice of the quotient digit (q−j).
When performing a multiply-divide operation, we are adding a multiple of the input operand A in each step. The resulting residue thus obtained (Rj) cannot be known as predictably as in the case of high radix division. However, we may still restrict the value range of (Rj) by placing some restrictions on the value of A. One possible restriction is to impose the constraint that |A|<|D|. This restricts the range of Rj as follows:
Let A=ωD where, ω<1.
Rj=rRj-1−q−jD+b−j−1Ar−1
Since Max(bi)=(r−1), we have:
where Rj(division) is the residue of a regular high radix division. This shows that the deviation in the remainder curve of the Robertson diagram from the case of pure division can be as high as
The minimum value of Rj, however, is independent of A and is given by:
Rj min(q−j)=rRj-1−q−jD=Rj(division).
Since
its upper bound value given by Amax/Dmin must be less than 1.
To guarantee satisfaction of this constraint, a pre-processing step shifting A by z-bits to the right is performed. Thus, if the input operand is A′ processing is actually performed on A=A′/2z rather than the input operand A′ itself. Accordingly, the method of the present invention computes S=AB/D and a post-processing step will finally compute S′=A′B/D=S*A′/A=S2z. For floating point number representation, an x-bit normalized signific and will result in a ratio of Amax/Dmin that equals [2−2−(x−1)] and accordingly, the upper bound of ω is given by:
Since for typical values of n and m, the quantity (1−2−nm)<<1, we define the parameter ωmax=21-z as the upper bound for ω such that ω<ωmax where:
ωmax=21-z≦1. (15)
The multiply-divide recurrence relation can be implemented in hardware using shift and add operations. Although the problem size is w bits (w=nm), the minimum possible size in radix-r implementations is [(n+2)m+z+1] bits where r=2m. Referring to the high-radix multiplier-divider recurrence relation (equation 7), a total of n-digits are needed to accommodate the input operand size, two more digits are needed to account for the left and right shifts (rRj-1 & b−j−1Ar−1), z extra bits are needed since computations are performed on the constrained parameter A (A=A′/2z) rather than the input operand A′, and a sign bit is required, since the partial residue Rj may be either positive or negative.
Multiplication-division can alternately be performed using a dedicated w×w multiplier producing the 2 w-bit product A×B followed by a dedicated divider to divide the resulting product by D. In addition to the dedicated w×w multiplier, the divider hardware requires adders of [2w+m+1] bits. As an example, consider the case of w=52 bits and r=16 (i.e., m=4 and n=13), with a value of z=8 the multiplier-divider of the present invention requires adders of only 69-bits. The alternate solution of using a dedicated multiplier followed by dedicated conventional divider hardware requires both a 52×52 multiplier, and a divider which uses adders of 109-bits. Furthermore, with floating point input operands, the merged operation of multiplication-division of the present invention requires only one rounding operation. The alternate solution with a dedicated multiplication operation followed by a division operation requires two rounding operations.
Due to the pre-processing step where the input operand A′ is shifted right by Z bit positions, i.e., A=A′/2z, a post-processing step where the result S is shifted left by Z bit positions is needed, i.e., S′=S2z. In other words, since the resulting quotient and remainder values (Q & R) satisfy the relation AB=QD+R, i.e., (A′*2−z)B=QD+R, the true quotient Q′ and remainder R′ that satisfy A′B=Q′D+R′ are computed in a post-processing step by:
Q′=Q*2z,
and
R=R*2z.
Thus, it is expected that the first Z bits of the resulting quotient (Q) will be zeros. Accordingly, if n-significant digits of Q′ are required, the number of required iterations of the recurrence relation (equation 7) must be raised to
To define the quotient digit selection function, we need to determine the upper and lower bounds of the shifted partial residue (P=rRj-1) for which a given quotient digit value may be selected such that |Rj|<|D|. The assumptions under which these bounds can be derived are:
For a feasible implementation of the high-radix multiplier-divider recurrence relation (equation 7), when the shifted partial residue rRj-1 equals its maximum value (rh+D) and b−j−1 is also maximum (=r−1), a value of q−j=α should guarantee that Rj≦h+D), thus:
Alternatively, we can write
By replacing ω by ωmax in the above equation, we obtain a lower bound expression for h+ that guarantees satisfaction of the constraint Rj≦h+D. Thus, h+ is taken as:
Equation 16 clearly shows that the upper bound for α is (r−1), in which case
Likewise, when the shifted partial residue rRj-1 equals its minimum value (—rh−D) and b−j−1 is also minimum (=0), a value of q−j=−α should guarantee that Rj≧−h−D, thus:
(−rh−D+αD+0)≧−h−D
∴∴α≧(r−1)h−
Alternatively, we can write: h−≧α/(r−1)<1.
Thus, to guarantee satisfaction of the constraint Rj≧−h−D and for maximum overlap regions on the P-D diagram (and accordingly simpler quotient digit selection logic), we use the highest value for h− given by:
where h is the redundancy factor, and we can re-write the equation of h+ as follows:
In a P-D diagram, we need to determine the selection interval defined by the upper (Uk) and lower (Lk) bounds of the shifted partial residue (P=rRj-1) for which a given quotient digit value (q−j=k) may be selected such that the next partial residue (Rj) satisfies −h−D≦Rj≦+h+D.
From equation (7), we can write P=rRj-1=Rj+q−jD−b−j−1Ar−1. Accordingly, we define Uk as the upper bound of P (=rRj-1) for which q−j=k yields a valid Rj value −h−D≦Rj≦+h+D. Thus:
Likewise, we define Lk as the lower bound of P (=rRj-1) for which q−j=k yields a valid Rj value −h−D≦Rj≦+h+D. Thus:
Lk=Rjmin+kD−b(−j-1)minAr−1,
or
Lk=(k−h−)D=(k−h)D. (20)
Using all bits of P and D(2 w+2m+Z+1) bits as input to the quotient digit selection function {SEL(P, D)} requires huge ROM or PLA sizes. For example if w=24 bits, r=8 (i.e., m=3), and Z=6, the quotient digit selection function will have a minimum of 61 input bits, assuming non-redundant representation of both P and D. With such large number of input bits, the hardware complexity of the SEL function is bound to be enormous. For example, if a ROM is used to store this function, the required ROM size (261×4-bits) is prohibitively large.
Accordingly, it is advantageous to minimize the number of input bits to the quotient digit selection function. Effectively, we need to use truncated values of P and D, with the smallest possible number of bits as input to the quotient digit selection function. Let these truncated values be Pt and Dt and let the number of fractional bits of these parameters be np and nD, respectively. Thus, the maximum truncation error values for P and D are 2−np and 2−nD respectively. Using a 2's complement representation, the introduced truncation errors are always positive, i.e., P≧Pt and D≧Dt. We now derive expressions for the optimal values of np, nD and z in terms of the radix r, the redundancy factor h, and the digit set α.
Thus, the selection function defines for each interval of the divisor D [di, di+1), where di+1=di+2−nD, comparison constants mk(i) within the overlap region for all values of kε{−(α−1), −(α−2), . . . , −1, 0, +1, . . . , +α}. Since P is represented in the 2's complement system, then P≧Pt. Accordingly, any given value of Pt represents a range of P that is defined by: Pt≦P<Pt+2−nP. Likewise, D≧Dt. Accordingly, any given value of Dt represents a range of D that is defined by Dt≦D<Dt+2−nd.
The set of comparison constants for each range of D is determined such that a given value of P is compared to these constants, based upon which a proper value of q−j is chosen. Thus, for the ith range of D, define the comparison constants mk(i)[k=−(α−1), (α−2), . . . , −1,0,1, . . . , +α] such that:
IF mk(i)≦P≦mk+1(i) then q−j=k. (21)
The P-D diagram is used to help determine these comparison constants. The comparison constants mk(i) are chosen within the overlap regions where a choice of a q−j value of either k or k−1 satisfies the constraint −h−D≦Rj≦+h+D. Since any value within the overlap region may be used as a comparison constant for this region, the choice should be made such that (np+nD) is minimized.
Two conditions must be satisfied when determining the comparison constants: (1) containment, where Lk≦mk≦Uk; and (2) continuity, so that if P=(mk−2−nP), then q−j must equal k−1, which implies that mk−2−nP≦Uk−1. Written differently, we must have mk≦Uk−1+2−nP as well as satisfy the containment constraint. Accordingly, mk should satisfy Lk≦mk≦Uk−1+2−nP.
For a given value of Pt the uncertainty in the value of P has an upper bound of ΔP=2−nP, i.e., Pt≦P<Pt+ΔP; accordingly, the upper bound for mk must be reduced by ΔP and accordingly mk should satisfy:
Lk≦mk≦Uk−1. (22)
For a feasible mk value, the height of the overlap region (Δy) at a given divisor value (D) must be greater than or equal to the minimum grid 2−np; thus Δy=Uk−1−Lk=(2h−1−ωmax)D. At D=Dmin, the height of the overlap region Δy is minimum (Δymin), defining the upper bound for 2−nP, i.e.,
For a feasible solution, we must have ωmax<(2h−1), i.e.,
2z>1/(h−0.5).
Thus, the minimum value of np is given by:
The lower bound of np(min) is reached at very high values of Z (Z→∞), in which case (ωmax→0) and is given by:
We define Z1 as the value of Z at which np(min) is equal to its lower bound value as follows:
to determine the overlap region between Uk−1 and Lk, based upon which we define the comparison constants that determine the value of the next quotient digit q−j (it should be noted that the negative (P<0) and positive (P>0) overlap regions are not symmetric, and should be considered independently).
The overlap region for a given divisor value, D, is the range of P values where the next quotient digit q−j may be assigned either a value of k−1 or k yielding a value of the next partial residue (Rj) which satisfies the range constraint −h−D≦Rj≦+h+D in either case. As defined by equation (22), this range is bounded between Uk−1 and Lk.
Plower=Lk(D+2−n
Pupper=Uk−1(D)=(k+h−1−ωmax)D. 1≦k≦α (28)
Thus, the selection constants mk(i) are determined for the P>0 range such that mk(i) is an integer multiple of 2−nP and:
(k−h)(D+2−n
PositiveOverlapk=Δy+=Pupper−Plower≧0 (29)
Δy+=(2h−1−ωmax)D−(k−h)2−n
For negative overlap regions where P<0, shown in the diagram 500 of
Plower=Lk(D)=(k−h)D −(α−1)≦k≦0 (31)
Pupper=Uk−1(D+2−n
Thus, the selection constants mk(i) are determined for the P<0 range such that mk(i) is an integer multiple of 2−nP and:
(k−h−)D≦mk≦(k+h−1−ωmax)(D+2−n
NegativeOverlapk=Δy−=Pupper−Plower≧0
Δy−=(2h−1−ωmax)D+(k+h−1−ωmax)2−n
−(α−1)≦k≦0. (34)
Valid mk(i) are shown in the shaded regions 505. It should be understood that the present invention contemplates an overlap range (Δy+ or Δy−) that is smaller for smaller values of D. Higher values of |k| yield smaller overlap regions for both Δy+ and Δy−. For worst case analysis, the smallest value of D (i.e., Dmin) and the highest value of |k| (k=α for Δy+ or k=−(α−1) for Δy−) should be used to yield the minimum overlap. Additionally, worst case analysis is performed on Δy−(k=−(α−1), D=Dmin), since this is where the overlap region is smallest. This yields the following relations:
The lower bound of nD is reached at very high values of Z (Z→∞) in which case (ωmax→0) and is given by:
We define Z2 as the value of Z at which nD(min) is equal to its lower bound value as follows:
The value of Z to be used is the maximum of either Z1 or Z2, i.e.,
Z=MAX(Z1,Z2). (39)
Carry-Save Adders (CSAs) may be used to evaluate the partial residue (Rj) of the recurrence relation, in which case Rj is represented in a redundant form as two quantities; a sum and a carry. Assuming 2's complement number representation, and using only np fractional bits, the truncation error is always positive. A fast carry-propagate adder (CPA) may be used to add the most significant bits of the CSA, which may be used as input to the quotient digit selection function.
Assuming np to be the number of fractional bits of P used as input to the CPA, the error introduced due to the use of CSA's is less than 2−np. In this case, the upper bound for the comparison constants should be reduced by the same amount, and accordingly equation (22) is modified for CSA's to become:
Lk≦mk≦Uk−1−2n
The overlap region for a given divisor value, D, is the range of P values where the next quotient digit q−j may be assigned either a value of k−1 or k, yielding a value of the next partial residue (Rj) which satisfies the range constraint −h−D≦Rj≦+h+D.
Plower=Lk(D+2−n
Pupper=Uk→1(D)=(k+h−1−ωmax)D−2−n
On the other hand, when P<0, the bounds are:
Plower=Lk(D)=(k−h)D −(α−1)≦k≦0 (42)
Pupper=Uk−1(D+2−n
Comparing heights of the overlap regions for CSA's (equations 40-43) and CPA's (equations 31-34), it can be seen that the overlap region height for CSA's is lower by 2−n
With CSA's, the selection constants mk(i) are determined such that mk(i) is an integer multiple of 2−n
(k−h)(D+2−n
(k−h)D≦mk≦(k+h−1−ωmax)(D+2−n
To derive mathematical expressions for optimal parameter values, we consider the worst case overlap region, i.e., Δymin−, at the smallest value of D (i.e., Dmin) and the most negative value of k (i.e., k=−(α−1)).
To have a feasible solution, the denominator of equation (45) must be greater than zero. Thus:
Thus, the minimum feasible value of nP is given by:
The lower bound of the minimum nP is reached at very high values of z (z→∞) and is given by:
Let z1 be the minimum value of z at which np(min)=nP(Low_Bound), thus:
Multiplying both sides of equation (45) by 2n
To reduce the complexity of the quotient digit selection hardware, (nP+nD) must be minimized or, equivalently, the value of 2np+nD must be minimized. Defining Y=2n
Differentiating equation (51) with respect to X and equating
we get:
In general,
yields a non-integer value. Accordingly, the actual optimal np value may be either the rounded up or rounded down to the integer value nearest to the value computed by equation (53). Since equation (53) yields a value for np that is higher only by 1 than the minimum np value defined by equation (46), it is clear that the optimal np value may either equal the minimum value specified by equation (46), or it may be larger by just one bit. The optimum no value may be computed from equation (45):
The lower bound of the optimal nD value is reached at very high values of z (z→∞) and is given by:
nD(Low_Bound)=1+|Log2{α−h}−Log2{(2h−1)Dmin}|. (55)
Let z2 be the minimum value of z at which nD(opt)=nD(Low_Bound), Using equation (54), z2 can be derived as follows:
The optimal value of z(zopt) is the larger of z1 or z2; thus:
Zopt=MAX(z1,z2). (57)
The value of Z is chosen as the higher of two values, Z1 and Z2 that are derived from the lower bound values of np and nD. Expressions for Z1 and Z2 have been derived for the case where carry-propagate adders are used, as well as the case where carry-save adders are used.
Whether carry-propagate or carry-save adders are used, the value of Z1 is the same, since the expressions for nP(Low_Bound) and Z1 are identical in both cases, as can be readily seen by comparing equations (25) and (26) on the one hand with equations (48) and (49) on the other.
For the case of carry-save adders, the low bound value of nD as given by equation (54) is higher by 1 than its value for the carry-propagate adder case as given by equation (37). Accordingly, the value of Z2 for both the CPA and CSA cases as computed by equations (38) and (55), respectively, are the same.
Accordingly, the value of Z is independent of the type of adder that is used for implementation. Thus, the equations to derive Z are summarized below:
It should be noted that at α=r−1, the redundancy factor h=1, and the equation of Z1 yields an infinite value. Likewise, the expression of Z2 may yield infeasible values for certain cases, e.g., r=4 and α=2. Table II, Table III, and Table IV show the values of Z1 and Z2 for several radixes r=2m at α=r/2 (minimal redundancy), α=r−2, and α=r−1 (maximal redundancy).
The tables show that the maximum Z value occurs under minimal redundancy conditions (α=r/2), and is equal to (2 m+1). For cases where the expression of either Z1 or Z2 yields an infeasible value, some choice criterion may be used to define the value of Z. For example, Z may be chosen equal to the feasible value of either Z1 or Z2 totally neglecting the one with infeasible value. An alternative strategy is: if Z1 has an infeasible value, increment the value of nP(Low_Bound) by 1 and recompute Z1; or if Z2 has an infeasible value, increment the value of nD(Low_Bound) by 1 and recompute Z2.
Alternative approaches are also possible, e.g., adopting values of the closest higher system, e.g., for the case of Z2 with r=4 and α=r−2=2, we set Z2=5 corresponding to the system with r=8 and α=r−2=6.
Based on the above developed theory, given the system radix r, and the quotient digit set parameter α, the optimal parameters for the high-radix multiplier-divider may be determined as follows:
The comparison constants mk(i) are determined to satisfy the following:
The m most significant bits of the k-bit B-register constitute the current digit (b−j−1) of B. In each iteration register B is shifted left by m-bits. The selection function is implemented either as a ROM 105 or a PLA where the truncated values of P and D (i.e., Pt and Dt) are the input to this ROM 105 (or PLA) for a total of (nD+nP+m) bits. The output of the ROM/PLA 105 is the (m+1)-bit signed value of q−j.
The value of P(=rRj) uses a redundant representation in the form of a SUM component (PS), and a CARRY component (PC), which are held in the registers PSR 120 and PCR 118, respectively. Accordingly there are four quantities that need to be added in each iteration (i.e., each execution of the recurrence relation of equation (7) Rj=rRj-1−q−j+1D+b−jAr−1; namely PS, PC, (−q−j*D), and (b−j−1*A/r).
The multiplexer MUXa 110 generates the k+m bits (b−j−1*A′), which is left appended by 1+Z+m bits of 0 value to generate the signed quantity (b−j−1*A/r), where A=A′/2z. The multiplexer MUXd 107 generates k+m+1 bits of the signed 1's complement of the quantity (−q−j*D), i.e., if q−j is positive, (
A Carry-Lookahead Adder 135 (CLA) is used to add the (1+m+nP) most significant bits of the sum and carry components of the shifted partial residue (PS & PC). The resulting summation is the truncated Pt value used as input to the ROM/PLA 105. Adding the 4 quantities PS, PC, (−q−j*D), and (b−j−1*A/r) is done using two Carry-Save adders, CSA1112 and CSA2115. CSA1112 adds PS, PC, and (b−j−1*A/r) yielding two outputs: a partial sum component (Sum 1), and a partial carry component (Cry 1). The second CSA, CSA2115 adds Sum1, Cry1, and (−q−j*D). For a correct result, the 1's complement representation of (−q−j*D) is turned into a 2's complement by forcing bit 0 of Cry 1 to equal the sign bit value of (−q−j*D). CSA2115 yields two outputs; a partial sum component (Sum2), and a partial carry component (Cry2).
An m-bit left-shifted version of Sum2 and an m-bit left-shifted version of Cry2 are stored in two registers, PSR 120 and PCR 118 to represent (rRj). The outputs of PSR 120 and PCR 118 are fed-back as input to CSA1112, representing the shifted partial residue (rRj), while the (1+m+nP) most significant bits of PSR 120 and PCR 118 are added using the CLA 135 to yield the value of Pt.
At the last iteration, a second CLA 125 is used to assimilate the sum and carry components of the shifted partial residue (PS & PC) to yield the value of P. This CLA 125 may via last cycle AND gate 130, or, alternatively, may not utilize the (1+m+nP)-bit first CLA 135 as part of it to yield the (1+m+nP) most-significant bits of the result, as shown in
If Carry-Propagate Adders (CPA) are used, compute AB/D=(0.1110—1001)*(0.10011100)/(0.1101—1110) using radix r=4, and Dmin=0.5. Let A′=0.1110—1001, B=0.10011100, and D=0.1101—1110.
h=⅔=0.667, nP(Low_Bound)=3, nD(Low_Bound)=3, Z1=5, Z2 computed at [nD(Low_Bound)+1] is 4. Thus, Z=Max(Z1, Z2)=5, ωmax=2−4=0.0625,
Considering the worst case of D=Dmin=0.5, and computing Lk and Uk−1 at various values of k, it can be shown that no solution is possible for nP=3 and nD=4. However, a solution exists for the case of nP=3 and nD=5. The table below lists the values of Lk and Uk−1 for various values of k at D=Dmin=0.5, in addition to possible values of the comparison constants mk for this case.
For the example at hand since nD=5, the truncated value of D is given by Dt=0.11011=27/32. Table VI gives the computed values of Lk and Uk−1 for various values of k, together with the selected values of comparison constants for the range D=27/32:28/32.
The pre-processing steps are given below:
In Tables VIII and IX, below, values of b−j are noted as b(−1), b(−2) etc., values of q−j are notes as q(−1), q(−2), etc., and values of Rj are noted as R0, R1, etc.
From the above, the resulting quotient may be expressed as:
Q=[0.00111(−2)(−1)]4=0.0000—0—1010—0011—1=2−5*(0.1010—0011—1)2
In the foregoing, it is noted that Q has nine significant bits, whereas only eight bits are required. The remainder may be expressed as:
R7=000.0110—0110—0000—000
R=r−7R7=2−15*(0.1100—1100)
The validity of the result may be verified from the following considerations:
A*B=2−5*(0.1000—1101—1111—11)
Q*D=2−5*(0.1000—1101—1100—1001)
R=r−7R7=2−5*2−10*(0.1100—1100)
Q*D+R=A*B=2−5*(0.1000—1101—1111—11)
Since the required accuracy is only 8 bits, a correction step is required. In the correction step, Q=Q−ulp=2−5*(0.1010—0011)2.
But, AB=DQ+R=D*(Q−ulp)+(R+D*ulp).
Therefore, the corrected quotient is Q=Q−ulp=2−5*(0.1010—0011) and the corrected remainder is:
R=R+D*ulp=2−15*(0.1100—1100)+2−14*(0.1101—1110)=2−13*(0.1010—0010)
In a required correction step, since the original operand is A′=0.1110—1001=A*2z=A*25, the actual quotient Q′ and remainder R′ are given by:
Q′=Q*25=0.1010—0011
R′=R*25=2−8*(0.1010—0010)
Using Carry-Save Adders (CSA), compute AB/D=(0.1110—1001)*(0.10011100)/(0.1101—1110) using radix r=4, Dmin=0.5.
Let A′=0.1110—1001, B=0.10011100, and D=0.1101—1110. h=⅔=0.667, nP(Low_Bound)=3, nD(Low_Bound)=4, Z1=5, Z2=4. Thus,
Considering the worst case of D=Dmin=0.5, and computing Lk and Uk−1 at various values of k, it can be shown that no solution is possible for np=3 and nD=4. However, a solution exists for the case of np=4 and nD=6. Table X below lists the values of Lk and Uk−1 for various values of k at D=Dmin=0.5, in addition to possible values of the comparison constants mk for this case.
For the example at hand since nD=6, the truncated value of D is given by Dt=0.110111=55/64. Table XI gives the computed values of Lk and Uk−1 for various values of k, together with the selected values of comparison constants for the range D=55/64:56/64.
Interim calculated values for each iteration are shown in the table 700 in
Q=[0.001102(−1)]4=0.0000—0—1010—0011—1=2−5*(0.1010—0011—1)2
In the foregoing, it is noted that Q has nine significant bits, whereas only eight bits are required. The remainder may be expressed as:
R7=000.0110—0110—0000—000
R=r−7R7=2−15*(0.1100—1100)
The validity of the result may be verified from the following considerations:
A*B=2−5*(0.1000—1101—1111—11)
Q*D=2−5*(0.1000—1101—1100—1001)
r=r−7R7=2−5*2−10*(0.1100—1100)
Q*D+R=A*B=2−5*(0.1000—1101—1111—11)
The required accuracy is 8 bits, but the computed accuracy is 9 bits. Therefore, the following correction step is needed:
Q=Q−ulp=2−5*(0.1010—0011)2.
But, AB=DQ+R=D*(Q−ulp)+(R+D*ulp).
Therefore, the corrected quotient is Q=Q−ulp=2−5*(0.1010—0011) and the corrected remainder is:
R=R+D*ulp=2−15*(0.1100—1100)+2−14*(0.1101—1110)=2−13*(0.1010—0010)
In a required correction step, since the original operand is A′=0.1110—1001=A*2z=A*25, the actual quotient Q′ and remainder R′ are given by:
Q′=Q*25=0.1010—0011
R′=R*25=2−8*(0.1010—0010)
Compute AB/D=(1.110—1001)*(1.001—1100)/(1.101—1110) using radix r=4, Dmin=1.0 and Carry-Save Adders.
Let A′=1.110—1001, B=1.001—1100 and
h=⅔=0.667, nP(Low_Bound)=2, nD(Low_Bound)=3, Z1=5, Z2=4, Z=Max(Z1, Z2)=5, ωmax=2−4=0.0625.
Considering the worst case of D=Dmin=1.0, and computing Lk and Uk−1 at various values of k, it can be shown that a solution exists for the case of np=3 and nD=5. Table XII below lists the values of Lk and Uk−1 for various values of k at D=Dmin=1.0, in addition to possible values of the comparison constants mk for this case.
For the example at hand, since nD=5, the truncated value of D is given by Dt=1.1011=1 11/16. Table XIII gives the computed values of Lk and Uk−1 for various values of k, together with the selected values of comparison constants for the range
Processor size is 8+(2*2)+5+1=18 bits. The number of iterations is 4+┌5/2┐=7. The results of intermediate calculations per iteration are shown in the table 800 of
Compared to a pure divider, the size requirements of the quotient digit selection logic may be larger in the multiplier-divider 100 due to the reduced overlap regions in its P-D diagrams. Overall, it is expected that the area of multiplier-divider 100 will be slightly larger than that of a divider only.
It should be noted that the circuit of
As noted above, the circuit may be incorporated into the architecture of a computer processor, into a security coprocessor integrated on a motherboard with a main microprocessor, into a digital signal processor, into an application specific integrated circuit (ASIC), or other circuitry associated with a computer, electronic calculator, or the like. It should be understood that the calculations may be performed by any suitable computer system, such as that diagrammatically shown in
Processor 114 may be associated with, or incorporated into, any suitable type of computing device, for example, a personal computer or a programmable logic controller. The display 118, the processor 114, the memory 112 and any associated computer readable recording media are in communication with one another by any suitable type of data bus, as is well known in the art.
Examples of computer-readable recording media include a magnetic recording apparatus, an optical disk, a magneto-optical disk, and/or a semiconductor memory (for example, RAM, ROM, etc.). Examples of magnetic recording apparatus that may be used in addition to memory 112, or in place of memory 112, include a hard disk device (HDD), a flexible disk (ED), and a magnetic tape (MT). Examples of the optical disk include a DVD (Digital Versatile Disc), a DVD-RAM, a CD-ROM (Compact Disc-Read Only Memory), and a CD-R (Recordable)/RW.
It should be noted that, in the above method, the multiplicand is both arbitrary and input to the system.
It is to be understood that the present invention is not limited to the embodiment described above, but encompasses any and all embodiments within the scope of the following claims.
This application is a continuation-in-part of U.S. patent application Ser. No. 11/819,749, filed Jun. 28, 2007.
Number | Name | Date | Kind |
---|---|---|---|
5105378 | Mori | Apr 1992 | A |
5132925 | Kehl et al. | Jul 1992 | A |
5144574 | Morita | Sep 1992 | A |
5646877 | Mahant-Shetti et al. | Jul 1997 | A |
5793659 | Chen et al. | Aug 1998 | A |
5999962 | Makino | Dec 1999 | A |
6151393 | Jeong | Nov 2000 | A |
6625633 | Hirairi | Sep 2003 | B1 |
6847986 | Inui | Jan 2005 | B2 |
7057440 | Yang et al. | Jun 2006 | B2 |
20010025293 | Inui | Sep 2001 | A1 |
20020114449 | Cheng et al. | Aug 2002 | A1 |
20030018678 | Matula et al. | Jan 2003 | A1 |
20040010530 | Freking et al. | Jan 2004 | A1 |
Number | Date | Country |
---|---|---|
4-54633 | Feb 1992 | JP |
6-230938 | Aug 1994 | JP |
Entry |
---|
Atkins, D., “Higher-Radix Division Using Estimates of the Divisor and Partial Remainders”, IEEE Transactions on Computers, vol. C-17, No. 10, Oct. 1968, pp. 925-934. |
Amin, A. and Shinwari, M.W., “High-Radix Multiplier-Dividers: Theory, Design and Hardware”, IEE Transactions on Computers, vol. 59, No. 8, Aug. 2010, pp. 1009-1022. |
http://islab.oregonstate.edu/papers/04Tawalbeh.pdf “A Novel Unified Algorithm and Hardware Architecture for Integrated Modular Division and Multiplication in GF(p) and GF(2″) Suitable for Public Key Cryptography” retrieved on Jul. 17, 2006. |
Lang et al., “Very High Radix Division with Selection by Rounding and Prescaling”, IEEE, 1993, pp. 112-119. |
Antelo et al., “Digit-Recurrence Dividers with Reduced Logical Depth”, IEEE Transactions on Computers, vol. 54, No. 7, Jul. 2005, pp. 837-851. |
Ercegovac, “On-the-Fly Rounding”, IEEE Transactions on Computers, vol. 41, No. 12, Dec. 1992, pp. 1497-1503. |
Pan et al., “High-Radix SRT Division with Speculation of Quotient Digits”, IEEE, 1995, pp. 479 484. |
Number | Date | Country | |
---|---|---|---|
20110231468 A1 | Sep 2011 | US |
Number | Date | Country | |
---|---|---|---|
Parent | 11819749 | Jun 2007 | US |
Child | 13151099 | US |