KR20020087331A - AES Rijndael Encryption and Decryption Circuit with Subround-Level Pipeline Scheme - Google Patents

Abstract

The present invention relates to a method and apparatus for hardware implementation of Rijndael encryption and decryption algorithm, which is an Advanced Encryption Standard (AES) symmetric encryption algorithm, in which the present invention relates to a 128-bit input register, a 256-bit key register, and a round required for encryption and decryption operations. Round key generation unit for generating keys, round processing unit for performing round operations, control unit for generating control signals, and output registers for storing 128-bit output results, and for 256-bit decoding with keys for the first round during decoding operations. It consists of a key register.

The present invention has the effect of maximizing the resource sharing and realizing high-speed operation by maximizing resource sharing through the on-line calculation of the round key, the partial inter-round pipeline calculation technique, and the implementation of a single round operation using multiple clocks.

Description

AES Rijndael Encryption and Decryption Circuit with Subround-Level Pipeline Scheme

An object of the present invention is to provide an AES Rijndael cipher and decryption circuit having excellent characteristics in terms of hardware size and operation speed so that it can be used for internet security, network security, and smart card security.

The present invention relates to a hardware implementation of the Rijndael cryptographic algorithm, and in particular, splits the round operation of the Rijndael cryptographic and decryption algorithm into two partial rounds, inter-partial pipeline processing, hardware sharing during encryption and decryption operations, and online round key calculation. AES Rijndael cryptography and decryption circuit that reduces the amount of hardware using the scheme and improves the operation speed.

The hardware implementation of the conventional Rijndael cryptographic algorithm implements one round of operation in one clock cycle, so that hardware sharing is impossible and thus requires a lot of hardware. We also use a precomputation technique that calculates (Nr + 1) round keys before starting encryption and decryption operations. Where Nr represents the number of rounds. This technique has the drawback that separate (Nr + 1) 256-bit registers are needed to hold (Nr + 1) round keys. The AES Rijndael algorithm uses three (128, 192, and 256-bit) keys. Since the conventional hardware has hardware that supports only one key, a separate circuit is needed to use a system having a different size key. Is needed.

In order to apply AES Rijndael cryptographic algorithm to various symmetric key applications such as network and electronic commerce, it is necessary to minimize the amount of hardware and high encryption / decryption rate. In the present invention, in order to solve many hardware problems of the conventional method, hardware sharing is enabled through a method of processing each round operation into two partial rounds each of which two or four clocks are allocated and a round key online calculation technique. . In addition, in order to solve the problem of low operation speed of the conventional method, a high operation speed and a high encryption / decryption rate are enabled by using a partial round-round pipeline technique in the encryption and decryption operation. In addition, three keys can be simultaneously supported in one circuit, so that they can be applied to various applications with different keys without any additional hardware.

1 is a block diagram showing the structure of the entire system of the present invention.

2 is a scheme of dividing one round operation of the Rijndael cryptographic algorithm into two partial rounds and implementing a partial inter-round pipeline.

3 is a Rijndael decoding algorithm for simplifying online round key calculation in a decoding operation.

4 is a round processing block diagram

5 is a circuit for implementing the ShiftRow and InvShiftRow operations required for cryptographic and decryption operations.

6 is a GF ((2 ⁸ ) ⁴ ) multiplier structure for performing MixColumn and InvMixComun operations

7 is a MUL (·) circuit for performing GF (2 ⁸ ) multiplication.

8 is a block diagram of an online round key generation unit

9 is a key scheduler circuit

■ Explanation of symbols used in main part of drawing ■

10: input register to store password and decrypted data

11: round processing unit implementing one round of Rijndael cryptography and decryption algorithm

12: output register to store password and decrypted result

13: master key register to store 128, 192, 256-bit foreign keys

14: round key generation unit

15: control unit for generating a control signal

16: Decoding key register that stores the first round key of the decoding operation.

17: start key selection circuit for encryption and decryption operation

18: Circuit for selecting external input data and intermediate round result during encryption and decryption operation

19: Circuit to select the row to be operated in ByteSub and InvByteSub operation

20: 4 S boxes to perform ByteSub operation with 4 clocks

21: Four SI Boxes for InvByteSub Operation with Four Clocks

22: Circuit for selecting the result of ByteSub and InvByteSub in the operation of encryption and decryption

23: ShiftRow circuit for encryption and decryption operation

24: partial round intermediate result register

25: Round key selection circuit for decoding

26: A circuit that generates 16-bit constants required for MixColumn and InvMixColumn operations during cipher and angle operations.

27: Four GF_MUL Circuits Performing MixColumn and InvMixColumn Operations

28: round key selection circuit for encryption

29: Round Result Register

30: GF_MUL circuit to perform GF ((2 ⁸ ) ⁴ ) multiplication

31: MUL (·) circuit which performs GF (2 ⁸ ) multiplication

32: Encoder circuit for generating four polynomials according to the contracted polynomial m (x) = x ⁸ + x ⁴ + x ³ + x + 1

33: middle round key selection circuit for selecting the middle round key during the round key generation operation

34: key scheduler

35: round key register

36: 32 bit Exclusive-OR circuit

37: 6 input 32 bit multiplexer circuit

38: Circuit implementing 1 byte left circular shift

39: Rcon generation unit

Hereinafter, the configuration and operation of the AES Rijndael cipher and decryption circuit for achieving the above object will be described with reference to the accompanying drawings.

1 is a complete block diagram of a Rijndael cipher and decryption circuit according to the present invention.

Referring to FIG. 1, the entire Rijndael cipher and decryption circuit includes an input register 10 and a master key register 13 which store external data and a key, and a decryption key which stores a key for the first round during a decryption operation. The register 16, the control unit 15 for receiving the operation mode and the start signal and generating the necessary control signal, the round key generation unit 14 for generating the round key required for the encryption and decryption operation by an online calculation technique, and the Nr round operation. The round processing unit 11 for implementing a, and an output register 12 for storing the result value. Where Nr represents the number of rounds, and when the key value has 128, 192, or 256 values, the Nr values have 10, 12, and 14, respectively.

The Rijndael cryptographic algorithm consists of one round operation consisting of ByteSub, ShiftRow, MixColumn, and AddRoundKey (Add_RK) operations. Rounds are implemented with four clocks for hardware sharing and represent a technique where the pipeline is applied between the second half of the current round (partial round 2) and the first half of the next round (partial round 1) to improve operation speed. Here, the first half round implements BytsSub and ShiftRow actions, and the MixColumns and AddRoundKey constitute second half round actions. However, the first round has an AddRoundKey action added to the input part, and the last round has an operation characteristic without MixColumn action compared to the existing round action. The Rijndael encryption and decryption algorithm repeats the round operation of FIG. 2 times Nr times to generate an encryption or decryption result. However, in the case of the decoding operation, the application order of the round keys is reversed. With this partial round splitting scheme and the partial round-round pipelined scheme, the number of cycles required for cryptographic operations is Nr × 5 clocks. Since the round key is required for each round operation in the second half of the round, the round key of the corresponding round can be generated online for the first four clocks. 2. (2) is an extension of the above scheme, which implements a partial round with two clocks, each of which requires eight S box, SI box, and GF_MUL circuits, and clocks for encryption and decryption operations. The number becomes Nr × 3.

3 shows an operation technique for the decoding operation for the Rijndael algorithm. In order to simplify the round key generation of hardware sharing and decryption operations, we use only the InvByteSub and InvShiftRow operations to reverse the order of the encryption operation. Here, the Inv subscript of InvByteSub indicates the inverse operation of the ByteSub operation required for encryption.

4 shows a round processing unit that implements a round operation of an encryption / decryption operation according to the schemes of FIGS. However, the 128-bit input value is represented and processed as a two-dimensional byte array in a column-first manner. Referring to FIG. 2. (1), in the case of implementing each round with one clock as in the conventional method, the S box 20, the SI box 21, the ShiftRow circuit 23, and the GF_MUL circuit 27 are respectively. ) Increases the size 4 times. On the other hand, in FIG. 4, since the partial round operation is performed at 4 clocks, a selection circuit for hardware sharing of the encryption / decoding operation and sequential intermediate result selection is required. In addition, the partial round middle result register 24 has a structure in which a 96 bit register and a 128 bit register are paired for the partial round pipeline processing. The S-box 20 and the SI box 21 are constituted by ROM of 2 ⁸ x 8-bit Look-Up Table type which implements ByteSub and InvByteSub.

5 is a circuit that implements the ShiftRow and InvShiftRow operations during encryption and decryption operations, and performs a cyclic rotation movement operation of the left direction of a predetermined byte size for the selected row data. In the encryption operation, the left circular movement of 0,1,2,3 bytes is performed for the sequentially selected rows. In the decryption operation, the left circular movement of 0,3,2,1 bytes are sequentially performed for the sequentially selected rows. Do this.

6 performs a role of performing the MixColumn and InvMixColumn operation, consists of a Galois field (Galois Field) GF ((2 8) 4) 4 of GF_MUL circuit which performs a multiplication operation. The GF MUL 30 circuit is internally composed of four GF (2 ⁸ ) multipliers, a MUL (·) 31 and three 8 bit XOR circuits. However, in order to be able to perform the first half of the next round and the pipeline operation, the output of the unit is not the column, so the column of the middle part of the round is used using four GF MUL circuits. The value and the 16-bit constant value generated by the encryption / decoding constant generator are input, and the intermediate result values required for the next round are sequentially generated in units of rows according to the counter value indicating the operation time of the partial round.

Fig. 7 shows the internal structure of the GF (2 ⁸ ) multiplier MUL (·) 31 circuit. In FIG. 7, the encoder 32 is a (x), a (x) x, a () for the input value a (x) according to the contract polynomial m (x) = x ⁸ + x ⁴ + x ³ + x + 1. Calculate x) x ² , a (x) x ³ .

8 shows a block diagram of a circuit for generating a round key in an online manner. However, during encryption operation, it is possible to calculate the round key for each round online by receiving the 128/192/256 bits of the externally provided master key.However, during the decryption operation, the start required for the decryption operation is performed from the externally provided master key. Since the round key cannot be directly derived, in the case of the decryption operation, the online round key generation operation must be performed by inputting the master key, and the final round key of the encryption operation is calculated in advance and stored in the decryption key register 16. The pre-processing operation is required once. The Rijndael algorithm supports three round keys of 128, 192, and 256 bits. Therefore, the round key calculation process generates 128, 192, and 256 bit round keys according to the key size. However, since the round key size actually required for each round is 128 bits, only the upper 128 bits are selected and provided to the round processor. The key scheduler of Fig. 9 generates the next round key of 256 bits by using the start round key or the middle round key according to the encryption / decryption operation mode and the master key size. However, since four clocks can be allocated to the round key generation according to FIG. 2, the sequential calculation is possible. However, since the round key calculation has the serial arithmetic characteristic, when the sequential calculation is used, the key scheduler uses the encryption / decoding circuit. Can be the worst-case delay path. Therefore, to eliminate this problem, we have a combinatorial logic circuit that generates a 256-bit intermediate round key at four clocks. In this structure, four S boxes and Rcon generating circuits 39 are included therein. The Rcon generation circuit is a circuit for generating an appropriate 32 bit Rcon constant value according to the current round value, key size and mode information. The control unit consists of a finite state machine and two counters (key counter and round counter) to control the partial round-to-round pipeline characteristics. By receiving the operation mode, key size information, and start signal from the outside, appropriate control signals for the round processor and the round key generator are generated.

As described above, the present invention allocates one clock to one round processing through the partial round processing of the online calculation round operation of the round key and the partial inter-round pipeline processing when using the method of FIG. Compared to the conventional method, the required hardware size is reduced to about one quarter. In the case of FIG. In addition, the on-line computing nature of the round key eliminates the memory that stores the round key. In addition, since the round key generation circuit can generate a round key for a master key of 128, 192, and 256 bits according to the key size, the round key generation circuit can be applied to the field using three master keys with the same hardware. It also has the maximum hardware sharing feature that allows encryption and decryption functions on the same hardware. By allocating 2 or 4 clocks to the round key calculation, the problem of round key calculation becoming the worst delay propagation path can be eliminated.

Claims (4)

Implement one round of AES Rijndael into two partial rounds, implement each partial round into two or four clocks, and use the pipeline method between the partial rounds. Generating intermediate output row by row using four GF ((2 ⁸ ) ⁴ ) multipliers for MixColumn and InvMixColumn operations GF ((2 ⁸ ) ⁴ ) multiplier circuit of claim 2 Online round key generation circuit that has key scheduler of combination circuit structure and integrates round key for three (128, 192, 256 bit) keys into one circuit