[go: up one dir, main page]

WO2009142190A1 - Coding or decoding circuit structure with error detecting capability - Google Patents

Coding or decoding circuit structure with error detecting capability Download PDF

Info

Publication number
WO2009142190A1
WO2009142190A1 PCT/JP2009/059167 JP2009059167W WO2009142190A1 WO 2009142190 A1 WO2009142190 A1 WO 2009142190A1 JP 2009059167 W JP2009059167 W JP 2009059167W WO 2009142190 A1 WO2009142190 A1 WO 2009142190A1
Authority
WO
WIPO (PCT)
Prior art keywords
partial
encoding
decoding
stage
data
Prior art date
Application number
PCT/JP2009/059167
Other languages
French (fr)
Japanese (ja)
Inventor
証 佐藤
健 菅原
尚文 本間
孝文 青木
Original Assignee
独立行政法人産業技術総合研究所
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by 独立行政法人産業技術総合研究所 filed Critical 独立行政法人産業技術総合研究所
Publication of WO2009142190A1 publication Critical patent/WO2009142190A1/en

Links

Images

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/002Countermeasures against attacks on cryptographic mechanisms
    • H04L9/004Countermeasures against attacks on cryptographic mechanisms for fault attacks
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/06Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols the encryption apparatus using shift registers or memories for block-wise or stream coding, e.g. DES systems or RC4; Hash functions; Pseudorandom sequence generators
    • H04L9/0618Block ciphers, i.e. encrypting groups of characters of a plain text message using fixed encryption transformation
    • H04L9/0631Substitution permutation network [SPN], i.e. cipher composed of a number of stages or rounds each involving linear and nonlinear transformations, e.g. AES algorithms
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L2209/00Additional information or applications relating to cryptographic mechanisms or cryptographic arrangements for secret or secure communication H04L9/00
    • H04L2209/12Details relating to cryptographic hardware or logic circuitry
    • H04L2209/122Hardware reduction or efficient architectures
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L2209/00Additional information or applications relating to cryptographic mechanisms or cryptographic arrangements for secret or secure communication H04L9/00
    • H04L2209/12Details relating to cryptographic hardware or logic circuitry
    • H04L2209/125Parallelization or pipelining, e.g. for accelerating processing of cryptographic operations

Definitions

  • the present invention relates to a circuit configuration for encoding / decoding processing, and relates to a novel circuit configuration having error detection capability.
  • the error detection / correction code is mainly used for the purpose of detecting / correcting an error occurring on a communication channel or a recording medium, or requesting retransmission at a transmission destination. Therefore, when an error occurs in the encoding or decoding apparatus itself, data that cannot be corrected is generated, and the error cannot be detected.
  • encryption technology can ensure the security of transmitted or recorded data, it cannot cope with data loss due to a failure of an encryption device or an attack using the data. Therefore, a technique for ensuring the reliability of the device itself for encoding / decoding data is required.
  • FIG. 1 is a diagram for explaining a conventional method for detecting an error generated in a circuit during an encoding process.
  • error detection during the decoding process the encoding and decoding processes in the figure may be replaced with each other.
  • input data is encoded by the left-side pass, and then a parity equal to or smaller than the bit width of the output is generated.
  • the expected value circuit directly generates parity and detects the occurrence of an error depending on whether the two parities match.
  • the expected value circuit is smaller than that for generating parity after encoding, but since it is a comparison based on parity, not all occurrences of errors can be detected.
  • the method described with reference to FIG. 1B is a method in which two same encoding circuits are prepared, the same operation is simultaneously performed in both, and the results are compared. Of course, the cost of the circuit is doubled.
  • encoding and decoding processing are supported by separate circuit blocks. Simultaneously with storing the input data in the register 2, the encoded data is stored in the register 1. In the next cycle, new input data can be encoded. In parallel with this, the data in the register 1 is decoded and compared with the data stored in the register 2 to detect an error.
  • the encoding and decoding processing circuits often share arithmetic components, and in this case, they cannot be applied. Even if they are independent, it is impossible to perform encoding and decoding on different data at the same time. For example, when performing bidirectional communication of data, since encoding and decoding processing cannot be performed simultaneously, the cost of the circuit is eventually doubled.
  • the method described with reference to FIG. 1D is a method in which the same processing is repeated twice in one encoding circuit and the results are compared. First, input data is encoded and the result is stored in the register 1. In the next cycle, the same data is encoded again, and it is detected whether the result matches the data stored in the register 1.
  • this method can detect a temporary error due to power supply noise or the like, it has a drawback that it cannot be detected when the same error always occurs due to a defect in a transistor or wiring. In addition, since the same encoding process is repeated twice, the operation speed is reduced to 1 ⁇ 2.
  • the method described with reference to FIG. 1 (e) is a method in which encoding and decoding processing are performed by the same circuit block. Simultaneously with storing the input data in the register 2, first, the encoded data is held in the register 1. In the next cycle, the data in register 1 is decoded and compared with the data stored in register 2. Since only one data can be processed in two cycles, the throughput is halved as compared to the case of FIG. However, although the same calculation block is used, since different processes such as encoding and decoding processes are performed and it is confirmed that the original data can be restored, detection is not possible due to a circuit defect as shown in FIG. Possible errors are unlikely to occur.
  • the method described with reference to FIG. 1 (f) is an implementation in which the encoding circuit in the case of FIG. The result is compared twice before and after the two registers. Pipelining improves operating frequency and improves speed penalty due to error detection. However, as in the case of FIG. 1D, the problem that an error cannot be detected when there is a circuit defect has not been solved.
  • the conventional error detection method at the time of circuit operation has a defect that there is a problem in the error detection rate, the circuit scale is doubled, or the operation speed is halved. .
  • Patent Documents 1 and 2 disclose a method of mounting an encryption circuit, but this is a circuit configuration in which an error error detection / correction circuit is added to a data register, not an arithmetic unit.
  • the present invention develops a new method for reliably detecting errors during the operation of the encoding / decoding processing circuit and minimizing the penalty for circuit scale and operation speed. It was made.
  • the present invention has a circuit configuration in which encoding and decoding processes are performed by pipeline processing, and each pipeline stage is not only a partial encoding process that is a part of the encoding process, but also a partial process thereof.
  • the circuit configuration includes a partial encoding / decoding block for executing a partial decoding process which is an inverse process, and an encoding circuit and a decoding circuit are configured.
  • the partial encoding and partial decoding processes may be simply referred to as encoding and decoding, respectively, within a range that does not cause confusion.
  • the decoding process as the verification of the encoding process in the immediately preceding cycle is performed in parallel in the preceding stage. Executed.
  • the decoded data is compared with the data to be encoded in the immediately preceding cycle to check whether they match.
  • the previously encoded data is decoded and it is checked whether or not it matches the data before the encoding.
  • the encoding process proceeds on the previously encoded data at the next stage (output from the circuit if there is no next stage), and a new stage is added to the previous stage. Data is input and an encoding process is performed.
  • the encoding / decoding circuit is configured as a pipeline processing circuit including a plurality of encoding / decoding blocks, and each encoding / decoding block performs encoding processing and decoding processing for each cycle. Switch. Therefore, as a whole, not only data processing proceeds in each cycle, but also verification of processing in the previous cycle is performed at the same time.
  • decoding processing is performed for verification
  • encoding is performed for verification.
  • the encoding and decoding processes are divided and pipeline processing is performed, and verification processing is also performed in parallel with the progress of processing, so that error detection can be performed during the processing.
  • This ability is particularly effective in defending against attacks that intentionally generate errors and steal information, such as failure use analysis attacks on common key cryptography, and immediately stops processing when an error is detected. It can be used for such purposes.
  • the circuit configuration according to the present invention since the processing of each encoding / decoding block is switched between encoding and decoding every cycle, data can be input only once every two cycles.
  • the operation frequency can be improved by dividing the operation block into a plurality of blocks and performing pipeline processing. For this reason, the decrease in processing performance is limited.
  • the circuit scale does not increase so much because the operation block that was originally one is only divided into a plurality of blocks.
  • the additional circuit may also be a pipeline processing register and selector, and an error detection comparator.
  • circuit configuration disclosed here is not dependent on the encoding / decoding calculation method, and can be widely applied to various methods.
  • the embodiment of the present invention includes the following encoding circuit.
  • This circuit is an encoding circuit that performs encoding processing by pipeline processing of a plurality of stages including at least stage X and stage Y that is the next stage of stage X,
  • Each of the plurality of stages includes a partial encoding / partial decoding block capable of executing a partial encoding process that is a part of the encoding process and a partial decoding process that is an inverse process of the partial process,
  • a cycle In the stage Y, the data partially encoded in the stage X in the cycle immediately before the certain cycle is partially encoded, In the stage X, the data partially encoded in the stage X in the previous cycle is partially decoded, The previously stored data before partial encoding at the stage X in the previous cycle is compared with the partially decoded data; In the next cycle of the certain cycle, In the stage Y, the data partially encoded in the stage Y in the certain cycle is partially decoded, The pre-stored data before
  • the embodiment of the present invention includes the following decoding circuit.
  • This circuit is a decoding circuit that performs decoding processing by pipeline processing of a plurality of stages including at least stage X and stage Y that is the next stage of stage X,
  • Each of the plurality of stages includes a partial encoding / partial decoding block capable of executing a partial decoding process that is a part of the decoding process and a partial encoding process that is a reverse process of the part,
  • a cycle In the stage Y, the data partially decoded in the stage X in the cycle immediately before the certain cycle is partially decoded, In the stage X, the data partially decoded in the stage X in the previous cycle is partially encoded, The previously stored data before partial decoding at the stage X in the previous cycle is compared with the partially encoded data; In the next cycle of the certain cycle, In the stage Y, the data partially decoded in the stage Y in the certain cycle is partially encoded, The pre-stored data before partial decoding at
  • the present invention is useful for general and business electronic information devices that handle digital data, and is particularly useful for information devices related to digital contents, encryption technology, and information security. Therefore, the embodiment of the present invention not only includes an encoding circuit, a decoding circuit, and a semiconductor chip including these circuits, but also an electronic device including these circuits, for example, a personal computer, a communication device, a digital TV recorder. IC cards and network devices are also included.
  • an encoding circuit and a decoding circuit that embody the technical idea disclosed in this specification can be implemented not only as non-reconfigurable hardware, but also as a reconfigurable programmable logic device such as an FPGA.
  • the embodiment of the present invention can be implemented, and includes a program for expressing the technical idea disclosed in the present specification on a programmable logic device.
  • FIG. 6 is a diagram for explaining a processing flow of an encoding circuit 200. It is a figure for demonstrating the principal part of the circuit structure of the encoding / decoding circuit 400 demonstrated as 2nd Example. It is a figure for demonstrating a mode when the encoding / decoding circuit 400 operate
  • FIG. 10 is a diagram for explaining a modification of the encoding / decoding circuit 400. It is a figure for demonstrating the example of the encryption / decryption circuit of AES which does not have an error detection function.
  • the present invention relates to a circuit configuration having an error detection capability for encoding / decoding operations.
  • pipeline processing is used. Therefore, first, an example of the simplest embodiment in which pipeline processing consists of only two stages will be described.
  • FIG. 2 is a diagram for explaining an important part of the circuit configuration of the encoding circuit 200 according to the embodiment to be described.
  • the encoding circuit 200 includes two partial encoding / partial decoding blocks 202 and 204, and performs encoding operation by pipeline processing using these two blocks.
  • the first partial encoding / partial decoding block 202 is in charge of the calculation of the first half of the entire encoding process by the encoding circuit 200
  • the second partial encoding / partial decoding block 204 is the entire encoding process. responsible for the second half of the calculation.
  • the partial encoding / partial decoding blocks 202 and 204 are configured to be able to perform partial decoding operations that are inverse operations of the respective partial encoding operations.
  • the first half of the entire decoding operation is the inverse operation of the latter half of the encoding operation
  • the latter half of the entire decoding operation is the inverse operation of the first half of the encoding operation. Therefore, the first partial encoding / partial decoding block 202 processes the latter half of the decoding operation, and the second partial encoding / partial decoding block 204 processes the first half of the decoding operation.
  • the partial encoding / decoding blocks 202 and 204 As described above, it is possible for those skilled in the art to easily configure both processing of partial encoding and partial decoding with a single processing circuit.
  • the encoding circuit 200 stores a register 206 for the partial encoding / partial decoding blocks 202 and 204 to store the result of the arithmetic processing, and a copy of input data to the partial encoding / partial decoding blocks 202 and 204.
  • a register 208 is provided. Therefore, the registers 206 and 208 are shared by the partial encoding / partial decoding blocks 202 and 204.
  • the encoding circuit 200 is provided with a comparator 210.
  • the comparator 210 is also shared by the partial encoding / partial decoding blocks 202 and 204 and is used for comparing the result of the arithmetic processing with the data stored in the register 208.
  • three selectors 212a, 212b, and 212c are provided.
  • the processing flow of the encoding circuit 200 will be described in detail with reference to the calculation cycles (a) to (d) and the equations shown in FIG.
  • the function is expressed as ENC pre (), and the function when decoding is performed as DEC post ().
  • a function when encoding is expressed as ENC post () and a function when decoding is performed as DEC pre ().
  • the first half of the encoding process is performed on the input data D0 by the partial encoding / decoding block 202, and an intermediate result E0 pre is obtained as in the following equation.
  • E0 pre ENC pre (D0)
  • the result of the operation is prepared to be stored in the register 206 in the next cycle (b).
  • the input data D0 is also prepared to be stored in the register 208 in the next cycle (b).
  • the partial encoding / partial decoding block 202 performs the latter half of the decoding on the E0 pre stored in the register 206, and if the circuit is operating correctly, Obtain D0 as follows.
  • the comparator 210 compares the data D0 decoded by the partial encoding / partial decoding block 202 with D0 held in the register 208. If the comparison results match, no error exists, and if they do not match, an error exists and verification is possible.
  • ENC pre () ⁇ ENC post () is the order of encoding functions executed in two cycles, and DEC pre () ⁇ DEC post () is used for decoding, so ENC pre ( ) ⁇ ENC post () ⁇ DEC pre () ⁇ DEC post () to return to the original data. Accordingly, the sets of ENC pre () and DEC post () and ENC post () and DEC pre () are respectively inverse functions.
  • the result E0 is stored in the register 206, and the input data E0 pre to the partial encoding / partial decoding block 204 in the previous cycle is stored in the register 208. Then, the encoding result E0 is output from the register 206.
  • the partial encoding / partial decoding block 204 performs the first half of the decoding on the value E0 held in the register 206 as follows, and the comparator 210 determines whether or not the value E0 matches the value E0 pre held in the register 208.
  • E1 pre ENC pre (D1)
  • E1 pre and D1 are prepared to be stored in registers 206 and 208, respectively, in the next cycle.
  • the encoding circuit 200 performs encoding and decoding in the same circuit block, but performs different processing such as encoding and decoding, and confirms that the original data can be restored, so it cannot be detected due to a circuit defect. The possibility of a serious error is very low. In addition, since it is confirmed that encoding and decoding are performed to return to the original data, it can be said that this is an error detection method with higher reliability than a parity check with an error that cannot be detected.
  • the encoding circuit 200 can input data only once every two cycles, twice the number of cycles is required as compared with the case where error detection is not performed.
  • the operation frequency is approximately doubled by dividing the calculation block into two, the degradation of the processing performance is limited.
  • the additional circuit may be only a pipeline processing register and selector and an error detection comparator. There are two operation blocks, but since only one was originally divided, there is no need to add a new operation unit as in the case of duplication in the method of FIG. The increase in scale is also very limited.
  • the circuit configuration exemplified in the encoding circuit 200 makes it possible to reliably detect an error during the operation of the encoding / decoding circuit and to reduce the penalty for the circuit scale and the operation speed. Furthermore, since the circuit configuration described here is not a configuration depending on the encoding calculation method, it also has a feature that the application range is wide.
  • the encoding process is divided into a plurality of stages, and in each cycle, the partial operation of the encoding and the cycle one cycle before A decoding operation as a verification process of the encoded partial operation is performed simultaneously.
  • the operation processing is divided into two for simplicity, or when pipeline processing is possible, the number of divisions is increased to 3, 4, 5,. It is possible to improve further than in the case of division. As the number of divisions is increased, the delay time of the processing unit is shortened. However, since there is a fixed delay time in other parts, the operating frequency does not gradually improve.
  • additional circuits such as pipeline registers and comparators increase, it is necessary to select the number of divisions according to the characteristics of the encoding process while looking at the balance between processing capability and circuit scale.
  • the circuit 200 has been described as an encoding circuit.
  • the circuit 200 operates as a decoding circuit only by changing the order of use of the partial encoding / decoding blocks 202 and 204. Can be made. That is, it is possible to realize a decoding circuit having a circuit configuration in which verification is performed by performing encoding processing in parallel as reverse processing to decoding processing of the previous stage while performing decoding processing of a certain stage.
  • Many of the embodiments of the present invention can operate as both an encoding circuit and a decoding circuit. Therefore, an embodiment in which the number of divisions is four will be described with reference to the decoding process in detail.
  • FIG. 4A is a diagram for explaining the main part of the circuit configuration of the encoding / decoding circuit 400 described as the second embodiment.
  • the encoding / decoding circuit 400 is configured to perform pipeline processing of encoding operations and decoding operations in four stages 410, 420, 430, and 440.
  • Each stage includes partial encoding / decoding blocks (412, 422, 432, 442), and is in charge of different stages of encoding / decoding processing.
  • the block 412 is responsible for the first stage of the encoding process and the fourth stage of the decoding process
  • the block 422 is responsible for the second stage of the encoding process and the third stage of the decoding process
  • the block 432 is the third stage of the encoding process.
  • the stage and the second stage of the decoding process are in charge, and the block 442 is in charge of the fourth stage of the encoding process and the first stage of the decoding process.
  • the encoding process and the decoding process performed in each of the partial encoding / decoding blocks 412 to 442 have an inverse function relationship. As illustrated in FIG. 4B, when the input data is processed in the order of blocks 412, 422, 432, and 442, the encoding / decoding circuit 400 operates as an encoding circuit, and the input data is processed into blocks 442 and 432. , 422, 412 operate as a decoding circuit.
  • Each encoding / decoding block holds the first register (413, 423, 433, 443) for holding the data processed in the block and the previous cycle data for error detection.
  • a second register (414, 424, 434, 444) is provided.
  • a comparator that determines whether the data held in the second register (414, 424, 434, 444) and the data restored by performing the inverse process are the same for each encoding / decoding block.
  • the encoding / decoding circuit 400 is provided with selectors (411, 421, 431, 441) for controlling data input for the respective encoding / decoding blocks (412, 422, 432, 442). .
  • each encoding / decoding block (412, 422, 432, 442) is Switching between encoding processing and decoding processing. In a cycle in which a certain encoding / decoding block performs encoding processing, adjacent blocks perform decoding processing.
  • the decoding process is performed for error detection. Conversely, when the encoding / decoding circuit 400 operates as a decoding circuit, the encoding process is performed for error detection.
  • the data partially processed in each stage is held in the first register (413, 423, 433, 443), passed to the right stage if it is encoded in the next cycle, and passed to the left stage if it is decoded. You can continue.
  • reverse processing for error detection is performed at the same stage, and the data of the previous cycle held in the second register (414, 424, 434, 444) matches the data after reverse processing. It is checked by a comparator (415, 425, 435, 445).
  • FIG. 5 is a diagram depicting a state where the encoding / decoding circuit 400 operates as a decoding circuit.
  • the upper (a) shows the operation in a certain cycle, and the lower (b) shows the operation in the next cycle of (a).
  • the state of the operation of the encoding / decoding circuit 400 in the next cycle of (b) returns to (a).
  • Data to be decoded is input from the upper right of the figure, and decoded data is output at the lower left.
  • the partial encoding / partial decoding block 442 performs decoding processing in the cycle (a), but performs encoding processing as verification of the decoding processing in the cycle (b). Similar relationships can be seen for any of the partial encoding / decoding blocks 412, 422, 432, 442.
  • encoding is performed in parallel in order to verify the result of decoding one cycle before. For example, looking at the partial encoding / partial decoding block 432 and the partial encoding / partial decoding block 442 in (b), the partial encoding / partial decoding block 432 executes the second stage decoding operation. In the partial encoding / partial decoding block 442, a fourth-stage encoding process as an inverse operation of the first-stage decoding operation is executed for error detection. The same relationship can be seen in the partial encoding / partial decoding blocks 422 and 432 in (a) and the partial encoding / partial decoding blocks 412 and 422 in (b).
  • hatched components and broken-line buses indicate portions where processing is not performed, and it can be understood that half of the registers and comparators are not used in each cycle. This indicates that the register and the comparator can be shared in two stages.
  • the encoding / decoding circuit 600 described with reference to FIG. 6 is an embodiment that utilizes this fact and halves the register and the comparator in the encoding / decoding circuit 400.
  • the encoding circuit 200 described with reference to FIG. 2 only two registers (206, 208) and one comparator (210) are provided for the two partial encoding / decoding blocks 202, 204. It was not provided for the same reason.
  • An encoding / decoding circuit 600 depicted in FIG. 6 is a modification of the encoding / decoding circuit 400, and is characterized in that adjacent encoding / decoding blocks share a register and a comparator. Is. As can be seen by comparing FIG. 6 and FIG. 4, the registers 413 and 423 depicted in FIG. 4 are replaced with one register 613 in FIG. 6, and the registers 414 and 424 in FIG. 614. Also, the comparators 415 and 425 depicted in FIG. 4 are replaced with one comparator 615 in FIG. The same applies to the relationship between the registers 433 and 443 in FIG. 4 and the register 633 in FIG. 6, the registers 434 and 444 in FIG. 4 and the register 634 in FIG. 6, the comparatively 435 and 445 in FIG. .
  • the encoder / decoder circuit 600 has selectors 616, 617, 626, and 627 added to the encoder / decoder circuit 400 in order to share registers and comparators. Since the device can be shared in two stages, the overall circuit scale can be smaller than that of the encoding / decoding circuit 400.
  • AES Advanced Encryption Standard
  • the cipher has a characteristic that if even one bit of original data is different, it is converted into completely different data. For this reason, when an arithmetic error occurs, it results in a very serious problem that data cannot be restored at all. Since cryptography is also used for money-related applications such as IC cards, it is necessary to cope with malfunctions caused by unauthorized application of noise to power supplies and clocks by malicious users trying to steal secret information. There is. For this reason, the encryption circuit is required to have particularly high reliability among the encoding / decoding circuits, and a high-performance error detection mechanism is indispensable.
  • FIG. 7 is a schematic diagram of an example of an AES encryption / decryption circuit that uses a 128-bit secret key and does not have an error detection function.
  • a round function 10 times for 128-bit data normally, only one round function block is prepared as in the data conversion unit on the left side of this figure, A loop architecture that uses it 10 times in one encryption (or decryption) is used.
  • the round function is mainly composed of four parts, and is expressed as ShiftRows, SubBytes, MixColumns, and AddRoundKey in the case of encryption.
  • Decoding is performed by processing that is an inverse function of these, and is represented as InvShiftRows, InvSubBytes, InvMixColumns, and AddRoundKey, respectively.
  • MixColumns and InvMixColumns are represented as MixCol. And InvMixCol., Respectively.
  • the functions corresponding to encryption and decryption share a circuit. Even if the same input data is converted by the same function, completely different data is output by changing the secret key. The secret key is input 10 times to the round function while being simply converted by the right key scheduler.
  • a data register 712 is used to hold the processing result of each loop in order to perform loop processing. Processing of ShiftRows and its inverse function InvShiftRows is performed at block 714, and processing of SubBytes and its inverse function InvSubByte is performed at block 716. MixColumns and its inverse function InvMixColumns are processed in block 718 and AddRoundKey is processed in block 720.
  • FIG. 8 shows a circuit configuration in which the two-part configuration described with reference to FIG. 2 is applied to the AES circuit of FIG.
  • the round function is divided into 2 blocks that combine ShiftRows / InvShiftRows and SubBytes / InvSubByte, and MixColumns / InvMixColumns and AddRoundKey. That is, when FIG. 2 is compared with FIG. 8, the partial encoding / partial decoding block 202 in FIG. 2 corresponds to the ShiftRows / InvShiftRows block 714 and SubBytes / InvSubByte block 716 in FIG.
  • the decryption block 204 corresponds to the MixColumns / InvMixColumns block 718 and the AddRoundKey blocks 820 and 821 in FIG. 2 corresponds to the register 712 in FIG. 8, and the register 208 in FIG. 2 corresponds to the register 812 in FIG. 2 corresponds to the comparator 210 in FIG. Further, in the AES circuit of FIG. 8, selectors 824 and 826 corresponding to the selectors 212b and 212c of FIG. 2 are provided in order to make the AES circuit of FIG. 7 into two stages.
  • FIG. 2 In the configuration of FIG. 2, encoding was performed once in two cycles.
  • the circuit of FIG. 7 performs encryption (encoding) in 10 cycles
  • FIG. 8 performs error detection by performing inverse transformation for each round function of each cycle, so that encryption is performed once in 20 cycles. Will do.
  • the coincidence signal 1 in FIG. 8 outputs an error check result of half round function processing for each cycle.
  • the XOR gate is not shared by changing the order of the AddRoundKey block and the InvMixColumns block. Therefore, in FIG. 7, there is one AddRoundKey block (720), whereas in FIG. 8, there are two (820, 821).
  • the round function block that is a critical path can be shortened by sharing the XOR gate, but instead, the MixColumns block is required in the key scheduler unit.
  • the balance between the circuit scale and the operation speed is better when the MixColumns block of the key scheduler unit is omitted without sharing the XOR.
  • the delay time of the round function block is shortened by the division, the key scheduler unit becomes a critical path. Therefore, a register is also inserted in the key scheduler unit so that one round is processed with two clocks.
  • the input plaintext and the encryption initial key K0 are XORed and written as D0 in the data register 712, and the data that has passed through the paths of the ShiftRrows block 714 and the SubBytes block 716 in the first half of the encryption process. Is fed back as D1X.
  • the data D0 is passed to the comparison register 812.
  • the first round key K1 is generated from the initial key K0 on the fly.
  • decryption is performed in the path used for encryption in (a) for verification, and the data D1X written in the data register 712 is inversely converted by the InvShirtRows block 714 and InvSubBytes block 716, and then compared.
  • the comparator 828 compares the value D 0 held in the comparison register 812.
  • the same data D1X is converted to D1 by the MixColumns block 718 and the AddroundKey block 820 (XOR with the round key K1) in another path.
  • the value D1 of the data register 712 is converted to D2X in the same path as in (a), and at the same time, in the right path, D1X in the InvMixColumns block 718 and AddroundKey block 821 (XOR with the round key K1).
  • the value of the comparison register 812 is compared. Similarly, encryption and verification are repeated until the ninth round.
  • processing of the InvShiftrows block and InvSubBytes block is performed for error detection, and XOR processing with the key K10 of the final tenth round, which is the final processing of encryption, is performed.
  • the processing block is bypassed. Since it is the final round, it is checked that 10 rounds have been processed properly by comparing K10 of the round key register generated on-the-fly with K10 of the encryption key register 732 by pre-calculation.
  • the table of FIG. 10 shows the results of designing the circuits of FIG. 7 and FIG. 8 and evaluating the circuit scale and operation speed by logic synthesis using a 90 nm CMOS standard cell library.
  • the cycle number is 21 because the design is such that one cycle interval is inserted to enter the next data after the encryption is completed as described above.
  • the optimization at the time of logic synthesis is also implemented to maximize the circuit efficiency that is the throughput per unit gate. It was.
  • the circuit scale and operation speed vary greatly depending on the conditions of logic synthesis. The smaller the size, the slower the speed, and the higher the speed, the larger the circuit scale. difficult.
  • circuit efficiency is optimal as an index for simple comparison.
  • the present invention is 145.51 kbps / gate, which is 85.5% of 169.48 kbps / gate without error detection. That is, it can be seen that the AES circuit to which the present invention is applied is an excellent technique capable of reliably detecting an error with an overhead of only about 15% at the maximum.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Error Detection And Correction (AREA)
  • Compression, Expansion, Code Conversion, And Decoders (AREA)

Abstract

Provided are a coding circuit and a decoding circuit that reliably detect errors in operation mode, and reduce penalties to the circuit scale and operational speed.  When a coding process is executed at one stage, the coding circuit and decoding circuit execute a decoding process, at a preceding stage, as verification of the coding process in a directly previous cycle in parallel.  Decoded data is compared with data to be coded in the previous cycle to check if they match.  In the next cycle, data coded earlier at the stage is decoded, and is checked against data before the coding to check if they match.  A coding process is performed on the previously coded data at the next stage while new data is input to be subjected to a coding process at the preceding stage in parallel.

Description

誤り検出機能を備える符号化又は復号処理のための回路構成Circuit configuration for encoding or decoding processing with error detection function
 本発明は、符号化・復号処理のための回路構成であって、誤り検出能力を有する新規な回路構成に関するものである。 The present invention relates to a circuit configuration for encoding / decoding processing, and relates to a novel circuit configuration having error detection capability.
 VLSIの高速化・高集積化技術の進歩による情報機器の高性能化と、ブロードバンド・ネットワークの急速な普及にともなって、業務だけでなく日常生活のあらゆる場面で大量のデータをやりとりするようになっている。データバンド幅の拡大や記憶デバイス容量の削減のためにはデータ圧縮技術が用いられ、また誤り検出・訂正符号や暗号技術によって、情報の信頼性と通信の安全性の確保が行われている。データ圧縮技術は音声画像といったデジタルコンテンツへの利用が盛んであるが、このようなデータは多少のエラーが発生しても大きな問題とならず機密性も低い場合が多い。それに対して、サーバーからダウンロードして使用するプログラムや金銭情報やプライバシー情報などは、誤りを生じたり、内容が漏洩したり、すると大きな損害を生じる恐れがある。 With the advancement of VLSI high-speed and high-integration technology, the performance of information equipment and the rapid spread of broadband networks have led to the exchange of large amounts of data not only in business but in every aspect of daily life. ing. Data compression techniques are used to expand the data bandwidth and reduce the storage device capacity, and the reliability of information and the safety of communications are ensured by error detection / correction codes and encryption techniques. Data compression technology is widely used for digital contents such as audio images, but such data often does not become a big problem even if some errors occur, and its confidentiality is low. On the other hand, programs that are downloaded from the server and used, monetary information, privacy information, etc. may cause serious damage if they cause errors or content leaks.
 誤り検出・訂正符号は、主に通信路や記録メディア上で発生したエラーを検出・訂正したり、送信先に再送を求めたりするといった用途で用いられる。従って、その符号化あるいは復号処理の装置自体にエラーが発生した場合には、元々訂正不可能なデータが生成されてしまい、エラーが検出できないといったことが起きる。暗号技術も、送信あるいは記録されるデータの安全性を確保することはできても、暗号装置の故障によるデータの損失や、それを利用した攻撃に対処することはできない。そこで、データを符号化・復号する装置自体の信頼性を確保する技術が必要となる。 The error detection / correction code is mainly used for the purpose of detecting / correcting an error occurring on a communication channel or a recording medium, or requesting retransmission at a transmission destination. Therefore, when an error occurs in the encoding or decoding apparatus itself, data that cannot be corrected is generated, and the error cannot be detected. Although encryption technology can ensure the security of transmitted or recorded data, it cannot cope with data loss due to a failure of an encryption device or an attack using the data. Therefore, a technique for ensuring the reliability of the device itself for encoding / decoding data is required.
 図1は、符号化の過程で回路に発生するエラーを検出する従来の方式を説明するための図である。復号処理の時のエラー検出については、図の符号化と復号処理を互いに置き換えて考えればよい。図1(a)により説明する方式では、入力されたデータを左側のパスで符号化した後に、その出力のビット幅以下のパリティを生成する。それと同時に期待値回路ではパリティを直接生成し、2つのパリティが一致しているかどうかでエラーの発生を検出する。期待値回路は符号化後にパリティを生成するよりも小さい回路となるが、パリティによる比較なので、エラーの発生を全て検出できるわけではない。 FIG. 1 is a diagram for explaining a conventional method for detecting an error generated in a circuit during an encoding process. As for error detection during the decoding process, the encoding and decoding processes in the figure may be replaced with each other. In the method described with reference to FIG. 1 (a), input data is encoded by the left-side pass, and then a parity equal to or smaller than the bit width of the output is generated. At the same time, the expected value circuit directly generates parity and detects the occurrence of an error depending on whether the two parities match. The expected value circuit is smaller than that for generating parity after encoding, but since it is a comparison based on parity, not all occurrences of errors can be detected.
 図1(b)により説明する方式は、同じ符号化回路を2つ用意して、両者で同時に同じ演算を行って、その結果を比較する方式である。当然のことながら、回路のコストは2倍に増加する。図1(c)により説明する方式では、符号化と復号処理が別の回路ブロックでサポートされている。入力データをレジスタ2にストアするのと同時に、符号化したデータをレジスタ1にストアする。次のサイクルで、新しい入力データの符号化が可能であり、それと並行してレジスタ1のデータを復号処理し、レジスタ2にストアしたデータと比較してエラー検出を行う。しかし、符号化と復号処理の回路は演算コンポーネントを共有している場合が多く、その場合には適用することができない。また、独立していた場合でも、別のデータに対して符号化と復号処理を同時に行うことはできなくなってしまう。例えばデータの双方向通信を行うときに、符号化と復号処理を同時行うことができないため、結局、回路のコスト的は2倍に増加していることに等しい。 The method described with reference to FIG. 1B is a method in which two same encoding circuits are prepared, the same operation is simultaneously performed in both, and the results are compared. Of course, the cost of the circuit is doubled. In the method described with reference to FIG. 1C, encoding and decoding processing are supported by separate circuit blocks. Simultaneously with storing the input data in the register 2, the encoded data is stored in the register 1. In the next cycle, new input data can be encoded. In parallel with this, the data in the register 1 is decoded and compared with the data stored in the register 2 to detect an error. However, the encoding and decoding processing circuits often share arithmetic components, and in this case, they cannot be applied. Even if they are independent, it is impossible to perform encoding and decoding on different data at the same time. For example, when performing bidirectional communication of data, since encoding and decoding processing cannot be performed simultaneously, the cost of the circuit is eventually doubled.
 図1(d)により説明する方式は、一つの符号化回路で同じ処理を2回繰り返してその結果を比較するものである。まず、入力データを符号化して結果をレジスタ1にストアする。次のサイクルでも同じデータをもう一度符号化して、その結果がレジスタ1にストアしたデータと一致するかどうかを検出する。この方式は、電源ノイズなどに起因する一時的なエラーは検出できるものの、トランジスタや配線の欠陥によって常に同じエラーが発生する場合は検出できないという欠点を持つ。また、同じ符号化の処理を2回繰り返すため動作速度は1/2に低下してしまう。 The method described with reference to FIG. 1D is a method in which the same processing is repeated twice in one encoding circuit and the results are compared. First, input data is encoded and the result is stored in the register 1. In the next cycle, the same data is encoded again, and it is detected whether the result matches the data stored in the register 1. Although this method can detect a temporary error due to power supply noise or the like, it has a drawback that it cannot be detected when the same error always occurs due to a defect in a transistor or wiring. In addition, since the same encoding process is repeated twice, the operation speed is reduced to ½.
 図1(e)により説明する方式は、符号化と復号処理が同じ回路ブロックで処理される方式である。入力データをレジスタ2にストアするのと同時に、まず、符号化したデータをレジスタ1に保持する。次のサイクルではレジスタ1のデータを復号処理してレジスタ2にストアしているデータと比較する。2サイクルで1つのデータしか処理できないので、エラー検出を行わない場合に対してスループットが1/2になるのは図1(d)の場合と同様である。しかし、同じ演算ブロックを使用しているものの、符号化と復号処理といった異なる処理を行い、元のデータが復元できることを確認しているため、図1(d)のように回路の欠陥によって検出不可能なエラーが起こる可能性は低い。 The method described with reference to FIG. 1 (e) is a method in which encoding and decoding processing are performed by the same circuit block. Simultaneously with storing the input data in the register 2, first, the encoded data is held in the register 1. In the next cycle, the data in register 1 is decoded and compared with the data stored in register 2. Since only one data can be processed in two cycles, the throughput is halved as compared to the case of FIG. However, although the same calculation block is used, since different processes such as encoding and decoding processes are performed and it is confirmed that the original data can be restored, detection is not possible due to a circuit defect as shown in FIG. Possible errors are unlikely to occur.
 図1(f)により説明する方式は、図1(d)の場合の符号化の回路部を2分割してレジスタを挟み、パイプライン処理する実装である。2つのレジスタの前後で2回結果の比較を行っている。パイプライン化したことで動作周波数が向上し、エラー検出による速度へのペナルティが改善される。しかしながら、図1(d)の場合と同様に、回路の欠陥があった場合にエラーを検出できないという問題は解決されていない。 The method described with reference to FIG. 1 (f) is an implementation in which the encoding circuit in the case of FIG. The result is compared twice before and after the two registers. Pipelining improves operating frequency and improves speed penalty due to error detection. However, as in the case of FIG. 1D, the problem that an error cannot be detected when there is a circuit defect has not been solved.
 以上のように、従来における回路動作時のエラー検出手法は、エラーの検出率に問題があったり、回路規模が2倍あるいは動作速度が1/2になったりしてしまうといった欠点を持っている。 As described above, the conventional error detection method at the time of circuit operation has a defect that there is a problem in the error detection rate, the circuit scale is doubled, or the operation speed is halved. .
 上記のエラー検出方式に準じた暗号回路は、非特許文献1にまとめられている。また特許文献1及び2において、暗号回路の実装方法が開示されているが、これは演算部ではなく、データレジスタに誤りエラー検出・訂正回路を付加する回路構成である。 The encryption circuit conforming to the above error detection method is summarized in Non-Patent Document 1. Patent Documents 1 and 2 disclose a method of mounting an encryption circuit, but this is a circuit configuration in which an error error detection / correction circuit is added to a data register, not an arithmetic unit.
特開2007-174024号公報JP 2007-174024 A 特開2007-325219号公報JP 2007-325219 A
 以上のような背景の下、本発明は、符号化・復号処理の回路の動作時のエラー検出を確実に行い、かつ回路規模と動作速度に対するペナルティを軽微なものとする新たな手法を開発すべくなされたものである。 In the background as described above, the present invention develops a new method for reliably detecting errors during the operation of the encoding / decoding processing circuit and minimizing the penalty for circuit scale and operation speed. It was made.
 本発明は、符号化及び復号処理をパイプライン処理で行う方式とする回路構成とし、各パイプライン・ステージは、符号化処理の一部である部分符号化処理だけでなく、その一部処理の逆処理となる部分復号処理を実行する部分符号化・部分復号ブロックを含む回路構成とし、符号化回路及び復号回路を構成する。以下では混乱をきたさない範囲で,部分符号化及び部分復号処理をそれぞれ単純に,符号化及び復号と記す場合がある。 The present invention has a circuit configuration in which encoding and decoding processes are performed by pipeline processing, and each pipeline stage is not only a partial encoding process that is a part of the encoding process, but also a partial process thereof. The circuit configuration includes a partial encoding / decoding block for executing a partial decoding process which is an inverse process, and an encoding circuit and a decoding circuit are configured. Hereinafter, the partial encoding and partial decoding processes may be simply referred to as encoding and decoding, respectively, within a range that does not cause confusion.
 本発明の符号化回路における具現化形態では、あるステージにおいて符号化処理が実行されている時、その1つ前段のステージでは、直前のサイクルにおける符号化処理の検証としての復号処理が並行して実行される。復号処理されたデータは、直前のサイクルにおいて符号化の対象となったデータと比較されて、一致しているかどうかが調べられる。その次のサイクルでは、前回符号化処理を行った同じステージにおいて、先に符号化されたデータが復号処理され、符号化される前のデータと一致しているかどうかが調べられる。並行して、当該先に符号化されたデータに対して、次段のステージで符号化処理が進められ(次段のステージがない場合には回路から出力され)、前段のステージには新たなデータが入力されて符号化処理が行われる。 In the embodiment of the encoding circuit of the present invention, when the encoding process is executed in a certain stage, the decoding process as the verification of the encoding process in the immediately preceding cycle is performed in parallel in the preceding stage. Executed. The decoded data is compared with the data to be encoded in the immediately preceding cycle to check whether they match. In the next cycle, in the same stage where the previous encoding process was performed, the previously encoded data is decoded and it is checked whether or not it matches the data before the encoding. In parallel, the encoding process proceeds on the previously encoded data at the next stage (output from the circuit if there is no next stage), and a new stage is added to the previous stage. Data is input and an encoding process is performed.
 本発明の復号回路における具現化形態では、上記の符号化回路における符号化と復号処理の順番や役割が逆転する。 In the embodiment of the decoding circuit of the present invention, the order and roles of the encoding and decoding processes in the above encoding circuit are reversed.
 すなわち、本発明に基づく符号化・復号回路は、複数の符号化・復号ブロックからなるパイプライン処理回路として構成され、各符号化・復号ブロックは、1サイクル毎に、符号化処理と復号処理を切り替える。従って、全体としては、各サイクルにおいてデータの処理が進行するだけでなく、前のサイクルにおける処理の検証も同時に行われる。符号化回路として動作する場合には、復号処理が検証のために行われ、復号回路として動作する場合には、符号化が検証のために行われる。 That is, the encoding / decoding circuit according to the present invention is configured as a pipeline processing circuit including a plurality of encoding / decoding blocks, and each encoding / decoding block performs encoding processing and decoding processing for each cycle. Switch. Therefore, as a whole, not only data processing proceeds in each cycle, but also verification of processing in the previous cycle is performed at the same time. When operating as an encoding circuit, decoding processing is performed for verification, and when operating as a decoding circuit, encoding is performed for verification.
 本発明によれば、符号化及び復号処理を分割して、パイプライン処理すると共に、処理を進めるのと並行して検証処理も行うため、処理の途中でエラー検出を行うことができる。このような能力は、特に、故意にエラーを発生させて情報を盗むような攻撃、例えば、共通鍵暗号に対する故障利用解析攻撃に対する防御に有効であり、エラーを検出した場合に直ちに処理を停止させるなどの目的に利用することができる。 According to the present invention, the encoding and decoding processes are divided and pipeline processing is performed, and verification processing is also performed in parallel with the progress of processing, so that error detection can be performed during the processing. This ability is particularly effective in defending against attacks that intentionally generate errors and steal information, such as failure use analysis attacks on common key cryptography, and immediately stops processing when an error is detected. It can be used for such purposes.
 また、本発明においては、符号化と復号処理が同じ回路ブロックで処理されるものの、符号化と復号処理といった異なる処理を行い、元のデータが復元できることを確認しているため、回路の欠陥によって検出不可能なエラーが起こる可能性は非常に低い。これらのことから、本発明による誤り検出機能は、非常に強力かつ信頼性の高いものであると言える。 In the present invention, although encoding and decoding processes are performed in the same circuit block, it is confirmed that the original data can be restored by performing different processes such as encoding and decoding processes. The possibility of undetectable errors is very low. From these facts, it can be said that the error detection function according to the present invention is very powerful and highly reliable.
 一方、本発明による回路構成では、各符号化・復号ブロックの処理を1サイクル毎に符号化と復号処理とで切り替えるため、データの入力は多くとも2サイクルに1回しか行うことができない。しかしながら、演算ブロックを複数のブロックに分割し、パイプライン処理することで、動作周波数を向上させることができる。このため、処理性能の低下は限定的である。回路規模の点でも、もともと一つであった演算ブロックを複数に分割しただけであるので、回路規模はそれほど増加しない。付加回路も、パイプライン処理用のレジスタとセレクタ、そしてエラー検出用の比較器だけでよい。 On the other hand, in the circuit configuration according to the present invention, since the processing of each encoding / decoding block is switched between encoding and decoding every cycle, data can be input only once every two cycles. However, the operation frequency can be improved by dividing the operation block into a plurality of blocks and performing pipeline processing. For this reason, the decrease in processing performance is limited. In terms of the circuit scale, the circuit scale does not increase so much because the operation block that was originally one is only divided into a plurality of blocks. The additional circuit may also be a pipeline processing register and selector, and an error detection comparator.
 このため、本発明によれば、強力かつ信頼性の高い誤り検出機能を回路に持たせつつ、回路規模と動作速度への悪影響を最小限に抑えることができる。 For this reason, according to the present invention, it is possible to minimize adverse effects on the circuit scale and the operation speed while providing the circuit with a powerful and highly reliable error detection function.
 また、ここで開示される回路構成は、符号化・復号の演算方式に依存した構成ではないため、様々な方式に対して広く適用することが可能である。 Also, the circuit configuration disclosed here is not dependent on the encoding / decoding calculation method, and can be widely applied to various methods.
 本発明の実施形態は、次のような符号化回路を含む。この回路は、ステージX及び前記ステージXの次のステージであるステージYを少なくとも含む複数のステージのパイプライン処理によって符号化処理を行う符号化回路であって、
 前記複数のステージの各々は、符号化処理の一部である部分符号化処理及び該一部の逆処理となる部分復号処理を実行しうる部分符号化・部分復号ブロックを含み、
 或るサイクルにおいて、
・ 前記ステージYにおいて、前記或るサイクルの1つ前のサイクルにおいて前記ステージXで部分符号化されたデータが部分符号化され、
・ 前記ステージXにおいて、前記1つ前のサイクルにおいて前記ステージXで部分符号化されたデータが部分復号され、
・ 予め記憶されていた、前記1つ前のサイクルにおいて前記ステージXで部分符号化される前のデータと、前記部分復号されたデータとが比較され、
 前記或るサイクルの次のサイクルにおいて、
・ 前記ステージYにおいて、前記或るサイクルにおいて前記ステージYで部分符号化されたデータが部分復号され、
・ 予め記憶されていた、前記或るサイクルにおいて前記ステージYで部分符号化される前のデータと、前記ステージYで部分復号されたデータとが比較され、
・ 前記ステージXにおいて、別のデータが部分符号化される、
回路として構成される符号化回路である。 The embodiment of the present invention includes the following encoding circuit. This circuit is an encoding circuit that performs encoding processing by pipeline processing of a plurality of stages including at least stage X and stage Y that is the next stage of stage X,
Each of the plurality of stages includes a partial encoding / partial decoding block capable of executing a partial encoding process that is a part of the encoding process and a partial decoding process that is an inverse process of the partial process,
In a cycle
In the stage Y, the data partially encoded in the stage X in the cycle immediately before the certain cycle is partially encoded,
In the stage X, the data partially encoded in the stage X in the previous cycle is partially decoded,
The previously stored data before partial encoding at the stage X in the previous cycle is compared with the partially decoded data;
In the next cycle of the certain cycle,
In the stage Y, the data partially encoded in the stage Y in the certain cycle is partially decoded,
The pre-stored data before partial encoding at the stage Y in the certain cycle is compared with the data partially decoded at the stage Y,
In stage X, another data is partially encoded
An encoding circuit configured as a circuit.
 また本発明の実施形態は、次のような復号回路を含む。この回路は、ステージX及び前記ステージXの次のステージであるステージYを少なくとも含む複数のステージのパイプライン処理によって復号処理を行う復号回路であって、
 前記複数のステージの各々は、復号処理の一部である部分復号処理及び該一部の逆処理となる部分符号化処理を実行しうる部分符号化・部分復号ブロックを含み、
 或るサイクルにおいて、
・ 前記ステージYにおいて、前記或るサイクルの1つ前のサイクルにおいて前記ステージXで部分復号されたデータが部分復号され、
・ 前記ステージXにおいて、前記1つ前のサイクルにおいて前記ステージXで部分復号されたデータが部分符号化され、
・ 予め記憶されていた、前記1つ前のサイクルにおいて前記ステージXで部分復号される前のデータと、前記部分符号化されたデータとが比較され、
 前記或るサイクルの次のサイクルにおいて、
・ 前記ステージYにおいて、前記或るサイクルにおいて前記ステージYで部分復号されたデータが部分符号化され、
・ 予め記憶されていた、前記或るサイクルにおいて前記ステージYで部分復号される前のデータと、前記ステージYで部分符号化されたデータとが比較され、
・ 前記ステージXにおいて、別のデータが部分復号される、
回路として構成される復号回路である。 The embodiment of the present invention includes the following decoding circuit. This circuit is a decoding circuit that performs decoding processing by pipeline processing of a plurality of stages including at least stage X and stage Y that is the next stage of stage X,
Each of the plurality of stages includes a partial encoding / partial decoding block capable of executing a partial decoding process that is a part of the decoding process and a partial encoding process that is a reverse process of the part,
In a cycle
In the stage Y, the data partially decoded in the stage X in the cycle immediately before the certain cycle is partially decoded,
In the stage X, the data partially decoded in the stage X in the previous cycle is partially encoded,
The previously stored data before partial decoding at the stage X in the previous cycle is compared with the partially encoded data;
In the next cycle of the certain cycle,
In the stage Y, the data partially decoded in the stage Y in the certain cycle is partially encoded,
The pre-stored data before partial decoding at the stage Y in the certain cycle is compared with the data partially encoded at the stage Y,
In stage X, another data is partially decoded
A decoding circuit configured as a circuit.
 本発明は、デジタルデータを扱う一般及び業務用の電子情報機器全般に対して有用であり、特に、デジタルコンテンツや暗号技術、情報セキュリティに関係する情報機器に対して有用である。従って本発明の実施形態は、単に、符号化回路や復号回路及びこれらの回路を含む半導体チップを含むだけでなく、これらの回路を含む電子機器、例えば、パーソナルコンピュータや通信機器、デジタルTV・レコーダ、ICカードやネットワーク機器等をも含むものである。また、本明細書に開示される技術思想を具体化した符号化回路や復号回路は、再構成不可能なハードウェアとして実装されうるのみならず、FPGA等の再構成可能なプログラマブルロジックデバイスとしても実装可能なものであり、本発明の実施形態は、本明細書に開示される技術思想をプログラマブルロジックデバイス上に表現するためのプログラムをも含む。 The present invention is useful for general and business electronic information devices that handle digital data, and is particularly useful for information devices related to digital contents, encryption technology, and information security. Therefore, the embodiment of the present invention not only includes an encoding circuit, a decoding circuit, and a semiconductor chip including these circuits, but also an electronic device including these circuits, for example, a personal computer, a communication device, a digital TV recorder. IC cards and network devices are also included. In addition, an encoding circuit and a decoding circuit that embody the technical idea disclosed in this specification can be implemented not only as non-reconfigurable hardware, but also as a reconfigurable programmable logic device such as an FPGA. The embodiment of the present invention can be implemented, and includes a program for expressing the technical idea disclosed in the present specification on a programmable logic device.
 本発明の好適な具現化した形態のいくつかの例が、添付の特許請求の範囲に定義されている。また、以下の実施例の説明にも、いくつかの好適な具現化した形態の例が説明されている。しかしながら、本発明の具現化した形態は、特許請求の範囲や実施例の説明に現れる形態に限定されるものではなく、本発明の範囲を逸脱することなく、様々なバリエーションをとることができることには留意されたい。また、本発明の技術的範囲は、特許請求の範囲や明細書、図面に明示的又は黙示的に現れる、全ての新規かつ有用な特徴及びそれらの組合せを包含することを申し述べる。 Some examples of preferred implementations of the invention are defined in the appended claims. Also, in the following description of the embodiments, examples of some preferred embodiments are described. However, the embodied form of the present invention is not limited to the form appearing in the claims and the description of the embodiments, and various variations can be made without departing from the scope of the present invention. Please note. In addition, it is stated that the technical scope of the present invention includes all new and useful features and combinations thereof that appear explicitly or implicitly in the claims, specification, and drawings.
従来のエラー検出回路の方式を説明するための図である。It is a figure for demonstrating the system of the conventional error detection circuit. 第1実施例として説明する符号化回路200の回路構成の重要な部分を説明するための図である。It is a figure for demonstrating the important part of the circuit structure of the encoding circuit 200 demonstrated as 1st Example. 符号化回路200の処理の流れを説明するための図である。FIG. 6 is a diagram for explaining a processing flow of an encoding circuit 200. 第2実施例として説明する符号化・復号回路400の回路構成の主要な部分を説明するための図である。It is a figure for demonstrating the principal part of the circuit structure of the encoding / decoding circuit 400 demonstrated as 2nd Example. 符号化・復号回路400が復号回路として動作する場合の様子を説明するための図である。It is a figure for demonstrating a mode when the encoding / decoding circuit 400 operate | moves as a decoding circuit. 符号化・復号回路400の変形例を説明するための図である。FIG. 10 is a diagram for explaining a modification of the encoding / decoding circuit 400. エラー検出機能を有しないAESの暗号化・復号回路の例を説明するための図である。It is a figure for demonstrating the example of the encryption / decryption circuit of AES which does not have an error detection function. 本発明の第3実施例として紹介する、AESの暗号化・復号回路を説明するための図である。It is a figure for demonstrating the encryption / decryption circuit of AES introduced as 3rd Example of this invention. 図8のAES回路の動作を説明するための図である。It is a figure for demonstrating operation | movement of the AES circuit of FIG. 図7と図8のAES回路の性能を比較するための図である。It is a figure for comparing the performance of the AES circuit of FIG. 7 and FIG.
 以下、本発明の理解に資するために、添付図面を参照しつつ本発明の実施形態を例示して説明する。前述のように、本発明は、符号化・復号演算のための、誤り検出能力を有する回路構成に関するものであり、この回路構成では、パイプライン処理を利用している。そこでまず、パイプライン処理が2つのステージのみからなる、最も簡単な実施形態の例について説明する。 Hereinafter, in order to help understanding of the present invention, embodiments of the present invention will be described with reference to the accompanying drawings. As described above, the present invention relates to a circuit configuration having an error detection capability for encoding / decoding operations. In this circuit configuration, pipeline processing is used. Therefore, first, an example of the simplest embodiment in which pipeline processing consists of only two stages will be described.
 図2は、これから説明する実施形態に係る符号化回路200の回路構成の重要な部分を説明するための図である。符号化回路200は、二つの部分符号化・部分復号ブロック202及び204を有し、これらの二つのブロックによって符号化演算をパイプライン処理によって行う。第1の部分符号化・部分復号ブロック202は、符号化回路200による符号化処理全体の前半部分の演算を担当し、第2の部分符号化・部分復号ブロック204は、当該符号化処理全体の後半部分の演算を担当する。また、部分符号化・部分復号ブロック202及び204は、それぞれの部分符号化演算の逆演算となる部分復号演算を行ないうるように構成される。この場合、復号演算全体の前半部分は符号化演算の後半部分の逆演算となり、復号演算全体の後半部分は符号化演算の前半部分の逆演算となる。したがって、第1の部分符号化・部分復号ブロック202は、復号演算の後半部分を処理し、第2の部分符号化・部分復号ブロック204は復号演算の前半部分を処理する。なお、背景技術の項でも説明したように、符号化回路と復号回路は演算コンポーネントを共有して一つの処理回路にまとめられていることが多いので、部分符号化・部分復号ブロック202及び204のように、一つの処理回路で部分符号化及び部分復号の両方の演算を処理するように構成することは、当業者であれば困難なくできる。 FIG. 2 is a diagram for explaining an important part of the circuit configuration of the encoding circuit 200 according to the embodiment to be described. The encoding circuit 200 includes two partial encoding / partial decoding blocks 202 and 204, and performs encoding operation by pipeline processing using these two blocks. The first partial encoding / partial decoding block 202 is in charge of the calculation of the first half of the entire encoding process by the encoding circuit 200, and the second partial encoding / partial decoding block 204 is the entire encoding process. Responsible for the second half of the calculation. Also, the partial encoding / partial decoding blocks 202 and 204 are configured to be able to perform partial decoding operations that are inverse operations of the respective partial encoding operations. In this case, the first half of the entire decoding operation is the inverse operation of the latter half of the encoding operation, and the latter half of the entire decoding operation is the inverse operation of the first half of the encoding operation. Therefore, the first partial encoding / partial decoding block 202 processes the latter half of the decoding operation, and the second partial encoding / partial decoding block 204 processes the first half of the decoding operation. As described in the background art section, since the encoding circuit and the decoding circuit often share a calculation component and are combined into one processing circuit, the partial encoding / decoding blocks 202 and 204 As described above, it is possible for those skilled in the art to easily configure both processing of partial encoding and partial decoding with a single processing circuit.
 符号化回路200には、部分符号化・部分復号ブロック202及び204が演算処理の結果をストアするためのレジスタ206と、部分符号化・部分復号ブロック202及び204への入力データのコピーをストアするためのレジスタ208が設けられる。したがって、レジスタ206及び208は、部分符号化・部分復号ブロック202及び204によって共用される。また符号化回路200には、比較器210が設けられる。比較器210も、部分符号化・部分復号ブロック202及び204で共用されて、演算処理の結果とレジスタ208にストアされているデータとの比較を行うために用いられる。レジスタ206,208及び比較器210を共用するために、三つのセレクタ212a,212b,212cが設けられる。 The encoding circuit 200 stores a register 206 for the partial encoding / partial decoding blocks 202 and 204 to store the result of the arithmetic processing, and a copy of input data to the partial encoding / partial decoding blocks 202 and 204. A register 208 is provided. Therefore, the registers 206 and 208 are shared by the partial encoding / partial decoding blocks 202 and 204. The encoding circuit 200 is provided with a comparator 210. The comparator 210 is also shared by the partial encoding / partial decoding blocks 202 and 204 and is used for comparing the result of the arithmetic processing with the data stored in the register 208. In order to share the registers 206 and 208 and the comparator 210, three selectors 212a, 212b, and 212c are provided.
 次に、符号化回路200の処理の流れを、図3に示す演算サイクル(a)~(d)と式を追って詳細に説明する。以下の説明においては、部分符号化・部分復号ブロック202で符号化が行われるとき、その関数をENCpre()、復号が行われるときの関数をDECpost()で表すことにする。また、部分符号化・部分復号ブロック204についても、同様に、符号化が行われるときの関数をENCpost()、復号が行われるときの関数をDECpre()と表す。 Next, the processing flow of the encoding circuit 200 will be described in detail with reference to the calculation cycles (a) to (d) and the equations shown in FIG. In the following description, when encoding is performed in the partial encoding / partial decoding block 202, the function is expressed as ENC pre (), and the function when decoding is performed as DEC post (). Similarly, for the partial encoding / decoding block 204, a function when encoding is expressed as ENC post () and a function when decoding is performed as DEC pre ().
 最初の演算サイクル(a)では、入力されたデータD0に対して、部分符号化・部分復号ブロック202で符号化の前半処理を施し、次式のように、途中結果E0preを求める。
 
E0pre=ENCpre(D0)
 
演算の結果は、次のサイクル(b)において、レジスタ206にストアされるべく準備される。また入力データD0も、次のサイクル(b)において、レジスタ208にストアされるべく準備される。 In the first calculation cycle (a), the first half of the encoding process is performed on the input data D0 by the partial encoding / decoding block 202, and an intermediate result E0 pre is obtained as in the following equation.

E0 pre = ENC pre (D0)

The result of the operation is prepared to be stored in the register 206 in the next cycle (b). The input data D0 is also prepared to be stored in the register 208 in the next cycle (b).
 次のサイクル(b)では、新たなデータの入力は行われないが、前のサイクルにおける演算結果E0preがレジスタ206に、前のサイクルにおける入力データD0がレジスタ208にストアされる。そして、レジスタ206にストアされた演算結果E0preに対し、符号化・復号ブロック204で符号化の後半処理が行われ、次のように符号化結果E0が得られる。
 
E0=ENCpost(E0pre
 
結果E0は、次のサイクルでレジスタ206にストアされるべく準備される。また、部分符号化・部分復号ブロック204への入力データE0preも、次のサイクルでレジスタ208にストアされるべく準備される。 In the next cycle (b), no new data is input, but the operation result E0 pre in the previous cycle is stored in the register 206, and the input data D0 in the previous cycle is stored in the register 208. Then, the encoding / decoding block 204 performs the latter half of the encoding process E0 pre stored in the register 206, and the encoding result E0 is obtained as follows.

E0 = ENC post (E0 pre )

Result E0 is prepared to be stored in register 206 in the next cycle. The input data E0 pre to the partial encoding / decoding block 204 is also prepared to be stored in the register 208 in the next cycle.
 部分符号化・部分復号ブロック204による処理と同時に、部分符号化・部分復号ブロック202は、レジスタ206にストアされたE0preに対して復号の後半処理を行い、回路が正しく動作していれば、次のようにD0を得る。
 
D0=DECpost(E0pre)=DECpost(ENCpre(D0))
  At the same time as the processing by the partial encoding / partial decoding block 204, the partial encoding / partial decoding block 202 performs the latter half of the decoding on the E0 pre stored in the register 206, and if the circuit is operating correctly, Obtain D0 as follows.

D0 = DEC post (E0 pre ) = DEC post (ENC pre (D0))
 比較器210では、部分符号化・部分復号ブロック202により復号されたデータD0を、レジスタ208が保持しているD0と比較する。この比較結果が一致すればエラーは存在せず、一致しなければエラーが存在することになり、検証が可能となる。 The comparator 210 compares the data D0 decoded by the partial encoding / partial decoding block 202 with D0 held in the register 208. If the comparison results match, no error exists, and if they do not match, an error exists and verification is possible.
 念のために記しておくと、2サイクルで実行される符号化の関数の順番をENCpre()→ENCpost()、復号をDECpre()→DECpost()としたので、ENCpre()→ENCpost()→DECpre()→DECpost()で元のデータに戻ることになる。従って、ENCpre()とDECpost()及びENCpost()とDECpre()の組が、それぞれ逆関数になっている。 To make sure, ENC pre () → ENC post () is the order of encoding functions executed in two cycles, and DEC pre () → DEC post () is used for decoding, so ENC pre ( ) → ENC post () → DEC pre () → DEC post () to return to the original data. Accordingly, the sets of ENC pre () and DEC post () and ENC post () and DEC pre () are respectively inverse functions.
 次のサイクル(c)では、レジスタ206に結果E0がストアされると共に、レジスタ208には前のサイクルにおける部分符号化・部分復号ブロック204への入力データE0preがストアされる。そして、レジスタ206からは符号化結果E0が出力される。同時に、レジスタ206が保持する値E0に対し、部分符号化・部分復号ブロック204によって復号の前半処理が次のように行われ、レジスタ208が保持する値E0preと一致するかどうかが比較器210でチェックされる。
 
E0pre=DECpre(E0)=DECpre(ENCpost(E0pre))
  In the next cycle (c), the result E0 is stored in the register 206, and the input data E0 pre to the partial encoding / partial decoding block 204 in the previous cycle is stored in the register 208. Then, the encoding result E0 is output from the register 206. At the same time, the partial encoding / partial decoding block 204 performs the first half of the decoding on the value E0 held in the register 206 as follows, and the comparator 210 determines whether or not the value E0 matches the value E0 pre held in the register 208. Checked.

E0 pre = DEC pre (E0) = DEC pre (ENC post (E0 pre ))
 また、これらの処理と同時に新たなデータD1が入力され、部分符号化・部分復号ブロック20による次の符号化処理によって途中結果E0preが計算される。
 
E1pre=ENCpre(D1)
 
E1pre,D1は、それぞれ次のサイクルにおいてレジスタ206,208にストアされるべく準備される。 Also, new data D1 is input simultaneously with these processes, and the intermediate result E0pre is calculated by the next encoding process by the partial encoding / partial decoding block 20.

E1 pre = ENC pre (D1)

E1 pre and D1 are prepared to be stored in registers 206 and 208, respectively, in the next cycle.
 次のサイクル(d)では、上述のサイクル(b)と同様に、レジスタ206の途中結果E1preに次のように符号化の後半処理と、検証処理としての復号処理が行われ、以下、新たなデータ入力がある度に、同様の処理が繰り返されていく。
 
E1=ENCpost(E1pre
 
D1=DECpost(E1pre
  In the next cycle (d), as in the cycle (b) described above, the latter half of the encoding process and the decoding process as the verification process are performed on the intermediate result E1 pre of the register 206 as follows. The same process is repeated each time there is a correct data input.

E1 = ENC post (E1 pre )

D1 = DEC post (E1 pre )
 符号化回路200は、符号化と復号が同じ回路ブロックで処理されるものの、符号化と復号といった異なる処理を行い、元のデータが復元できることを確認しているため、回路の欠陥によって検出不可能なエラーが起こる可能性は非常に低い。また、符号化と復号を行って元のデータに戻ることを確認しているため、検出できないエラーのあるパリティ・チェック等に比べて信頼性が高いエラー検出方式であると言える。 The encoding circuit 200 performs encoding and decoding in the same circuit block, but performs different processing such as encoding and decoding, and confirms that the original data can be restored, so it cannot be detected due to a circuit defect. The possibility of a serious error is very low. In addition, since it is confirmed that encoding and decoding are performed to return to the original data, it can be said that this is an error detection method with higher reliability than a parity check with an error that cannot be detected.
 一方、符号化回路200では、データの入力を2サイクルに1回しか行うことができないので、エラー検出を行わない場合に対して2倍のサイクル数が必要となる。しかしながら、演算ブロックを2分割したことで、動作周波数がおよそ2倍に向上するため、処理性能の低下は限定的である。付加回路もパイプライン処理用のレジスタとセレクタ、そしてエラー検出用の比較器だけでよい。演算ブロックは2つになっているが、もともと1つだったものを分割しただけなので、図1(c)の方式における二重化のように、演算部を丸ごと新たに加えるようなことはなく、回路規模の増加も極めて限定的である。 On the other hand, since the encoding circuit 200 can input data only once every two cycles, twice the number of cycles is required as compared with the case where error detection is not performed. However, since the operation frequency is approximately doubled by dividing the calculation block into two, the degradation of the processing performance is limited. The additional circuit may be only a pipeline processing register and selector and an error detection comparator. There are two operation blocks, but since only one was originally divided, there is no need to add a new operation unit as in the case of duplication in the method of FIG. The increase in scale is also very limited.
 すなわち符号化回路200に例示される回路構成は、符号化・復号回路の動作時のエラー検出を確実に行い、且つ回路規模と動作速度に対するペナルティを軽微なものとすることを可能とする。さらに、ここで説明された回路構成は、符号化の演算方式に依存した構成ではないため、適用範囲が広いという特長をも有している。 That is, the circuit configuration exemplified in the encoding circuit 200 makes it possible to reliably detect an error during the operation of the encoding / decoding circuit and to reduce the penalty for the circuit scale and the operation speed. Furthermore, since the circuit configuration described here is not a configuration depending on the encoding calculation method, it also has a feature that the application range is wide.
 以上の説明で理解されるように、符号化処理に係る本発明の実施形態においては、符号化処理が複数のステージに分割され、各サイクルにおいて、符号化の部分演算と、その1サイクル前における符号化部分演算の検証処理としての復号演算が同時に行われる。符号化回路200を用いた例では、簡単のため演算処理を2分割としたか、パイプライン処理が可能な場合は、3,4,5,…と分割数を増やすことで、動作周波数を2分割の場合よりもさらに向上させることが可能である。分割数を増やすほど処理部の遅延時間は短縮されるが、他の部分の固定の遅延時間があるため、動作周波数は次第に向上しなくなる。またその反面、パイプラインレジスタと比較器といった付加回路が増えていくため、処理能力と回路規模のバランスを見ながら、符号化の処理の特性に応じて分割数を選択する必要がある。 As understood from the above description, in the embodiment of the present invention related to the encoding process, the encoding process is divided into a plurality of stages, and in each cycle, the partial operation of the encoding and the cycle one cycle before A decoding operation as a verification process of the encoded partial operation is performed simultaneously. In the example using the encoding circuit 200, the operation processing is divided into two for simplicity, or when pipeline processing is possible, the number of divisions is increased to 3, 4, 5,. It is possible to improve further than in the case of division. As the number of divisions is increased, the delay time of the processing unit is shortened. However, since there is a fixed delay time in other parts, the operating frequency does not gradually improve. On the other hand, since additional circuits such as pipeline registers and comparators increase, it is necessary to select the number of divisions according to the characteristics of the encoding process while looking at the balance between processing capability and circuit scale.
 図2,図3を用いた上述の説明では、回路200を符号化回路として説明したが、部分符号化・部分復号ブロック202と204の使用の順序を入れ替えるだけで、回路200を復号回路として動作させることができる。すなわち、あるステージの復号処理を行いながら、その前ステージの復号処理に対する逆処理として、符号化処理を並行して行うことで検証を行う回路構成の復号回路が実現できる。本発明の実施形態の多くは、符号化回路としても、復号回路としても動作することができる。そこで次に、分割数を4つとした実施例について、復号処理についても詳しく触れつつ説明する。 In the above description using FIG. 2 and FIG. 3, the circuit 200 has been described as an encoding circuit. However, the circuit 200 operates as a decoding circuit only by changing the order of use of the partial encoding / decoding blocks 202 and 204. Can be made. That is, it is possible to realize a decoding circuit having a circuit configuration in which verification is performed by performing encoding processing in parallel as reverse processing to decoding processing of the previous stage while performing decoding processing of a certain stage. Many of the embodiments of the present invention can operate as both an encoding circuit and a decoding circuit. Therefore, an embodiment in which the number of divisions is four will be described with reference to the decoding process in detail.
 図4(a)は、第2実施例として説明する符号化・復号回路400の回路構成の主要な部分を説明するための図である。図示するように、この符号化・復号回路400は、符号化演算及び復号演算を、四つのステージ410,420,430,440でパイプライン処理するように構成されている。各ステージは、それぞれ部分符号化・部分復号ブロック(412,422,432,442)を備えており、符号化・復号処理の異なる段階を担当する。ブロック412は符号化処理の1段目と復号処理の4段目を担当し、ブロック422は符号化処理の2段目と復号処理の3段目を担当し、ブロック432は符号化処理の3段目と復号処理の2段目を担当し、ブロック442は符号化処理の4段目と復号処理の1段目を担当する。各部分符号化・部分復号ブロック412~442で処理される符号化処理と復号処理は互いに逆関数の関係になっている。図4(b)に描かれるように、入力データをブロック412,422,432,442の順で処理する場合、符号化・復号回路400は符号化回路として動作し、入力データをブロック442,432,422,412の順で処理する場合は復号回路として動作する。 FIG. 4A is a diagram for explaining the main part of the circuit configuration of the encoding / decoding circuit 400 described as the second embodiment. As shown in the figure, the encoding / decoding circuit 400 is configured to perform pipeline processing of encoding operations and decoding operations in four stages 410, 420, 430, and 440. Each stage includes partial encoding / decoding blocks (412, 422, 432, 442), and is in charge of different stages of encoding / decoding processing. The block 412 is responsible for the first stage of the encoding process and the fourth stage of the decoding process, the block 422 is responsible for the second stage of the encoding process and the third stage of the decoding process, and the block 432 is the third stage of the encoding process. The stage and the second stage of the decoding process are in charge, and the block 442 is in charge of the fourth stage of the encoding process and the first stage of the decoding process. The encoding process and the decoding process performed in each of the partial encoding / decoding blocks 412 to 442 have an inverse function relationship. As illustrated in FIG. 4B, when the input data is processed in the order of blocks 412, 422, 432, and 442, the encoding / decoding circuit 400 operates as an encoding circuit, and the input data is processed into blocks 442 and 432. , 422, 412 operate as a decoding circuit.
 各符号化・復号ブロックには、それぞれ当該ブロックで処理されたデータを保持するための第1レジスタ(413,423,433,443)と、エラー検出のために一つ前のサイクルのデータを保持するための第2レジスタ(414,424,434,444)が設けられる。また、第2レジスタ(414,424,434,444)に保持されたデータと、逆処理を行なって元に戻したデータとの一致・不一致を判定する比較器が、各符号化・復号ブロックに設けられる(415,425,435,445)。このほか符号化・復号回路400は、各符号化・復号ブロック(412,422,432,442)について、それぞれにデータの入力をコントロールするためのセレクタ(411,421,431,441)が設けられる。 Each encoding / decoding block holds the first register (413, 423, 433, 443) for holding the data processed in the block and the previous cycle data for error detection. A second register (414, 424, 434, 444) is provided. In addition, a comparator that determines whether the data held in the second register (414, 424, 434, 444) and the data restored by performing the inverse process are the same for each encoding / decoding block. Provided (415, 425, 435, 445). In addition, the encoding / decoding circuit 400 is provided with selectors (411, 421, 431, 441) for controlling data input for the respective encoding / decoding blocks (412, 422, 432, 442). .
 符号化・復号回路400が符号化回路として動作するときであっても復号回路として動作するときであっても、各符号化・復号ブロック(412,422,432,442)は、1サイクルごとに、符号化処理と復号処理を切り替える。ある符号化・復号ブロックが符号化処理を行うサイクルにおいて、隣接するブロックは復号処理を行う。符号化・復号回路400が符号化回路として動作するとき、復号処理はエラー検出のために行われる。反対に、符号化・復号回路400が復号回路として動作するときは、符号化処理はエラー検出のために行われる。 Whether the encoding / decoding circuit 400 operates as an encoding circuit or a decoding circuit, each encoding / decoding block (412, 422, 432, 442) is Switching between encoding processing and decoding processing. In a cycle in which a certain encoding / decoding block performs encoding processing, adjacent blocks perform decoding processing. When the encoding / decoding circuit 400 operates as an encoding circuit, the decoding process is performed for error detection. Conversely, when the encoding / decoding circuit 400 operates as a decoding circuit, the encoding process is performed for error detection.
 各ステージにおいて部分処理されたデータは第1レジスタ(413,423,433,443)に保持され、次のサイクルで符号化ならば右のステージに、復号ならば左のステージに渡されて処理が続けられる。これと同時に、同じステージではエラー検出のための逆処理が行われ、第2レジスタ(414,424,434,444)に保持される一つ前のサイクルのデータと逆処理後のデータが一致するかどうかが比較器(415,425,435,445)でチェックされる。 The data partially processed in each stage is held in the first register (413, 423, 433, 443), passed to the right stage if it is encoded in the next cycle, and passed to the left stage if it is decoded. You can continue. At the same time, reverse processing for error detection is performed at the same stage, and the data of the previous cycle held in the second register (414, 424, 434, 444) matches the data after reverse processing. It is checked by a comparator (415, 425, 435, 445).
 図5は、符号化・復号回路400が復号回路として動作する場合の様子を描いた図である。上段の(a)があるサイクルにおける動作を示し、下段の(b)が(a)の次のサイクルにおける動作を示している。また、(b)の次のサイクルにおける符号化・復号回路400の動作の様子は、また(a)に戻る。図の右上から復号すべきデータが入力され、左下に復号されたデータが出力される。 FIG. 5 is a diagram depicting a state where the encoding / decoding circuit 400 operates as a decoding circuit. The upper (a) shows the operation in a certain cycle, and the lower (b) shows the operation in the next cycle of (a). The state of the operation of the encoding / decoding circuit 400 in the next cycle of (b) returns to (a). Data to be decoded is input from the upper right of the figure, and decoded data is output at the lower left.
 図5に描かれるように、各ステージでは、復号と、符号化による検証(エラー検出)が交互に行われる。たとえば、部分符号化・部分復号ブロック442は、(a)のサイクルでは復号処理を行うが、(b)のサイクルではその復号処理の検証としての符号化処理を行なっている。同様の関係が、いずれの部分符号化・部分復号ブロック412,422,432,442についても見ることができる。 As shown in FIG. 5, at each stage, decoding and verification (error detection) by encoding are performed alternately. For example, the partial encoding / partial decoding block 442 performs decoding processing in the cycle (a), but performs encoding processing as verification of the decoding processing in the cycle (b). Similar relationships can be seen for any of the partial encoding / decoding blocks 412, 422, 432, 442.
 また、復号が行われるステージの隣のステージでは、1サイクル前の復号の結果を検証すべく、符号化が並行的に行われる。たとえば、(b)における部分符号化・部分復号ブロック432と部分符号化・部分復号ブロック442を見ると、部分符号化・部分復号ブロック432が2段目の復号演算を実行しているのに対し、部分符号化・部分復号ブロック442では、1段目の復号演算の逆演算としての4段目の符号化処理を、エラー検出のために実行している。同様の関係が、(a)における部分符号化・部分復号ブロック422と432、(b)における部分符号化・部分復号ブロック412と422にも見ることができる。 Also, in a stage adjacent to the stage where decoding is performed, encoding is performed in parallel in order to verify the result of decoding one cycle before. For example, looking at the partial encoding / partial decoding block 432 and the partial encoding / partial decoding block 442 in (b), the partial encoding / partial decoding block 432 executes the second stage decoding operation. In the partial encoding / partial decoding block 442, a fourth-stage encoding process as an inverse operation of the first-stage decoding operation is executed for error detection. The same relationship can be seen in the partial encoding / partial decoding blocks 422 and 432 in (a) and the partial encoding / partial decoding blocks 412 and 422 in (b).
 図5において、ハッチングして示したコンポーネントと破線のバスは、処理が行われていない部分を示しており、各サイクルで、半分のレジスタと比較器が使用されていないことが理解できる。これはすなわち、二つのステージでレジスタと比較器を共有することができることを示している。次に図6で説明する符号化・復号回路600は、このことを利用し、符号化・復号回路400におけるレジスタと比較器を半分にした実施例である。また、図2を用いて説明された符号化回路200において、二つの部分符号化・部分復号ブロック202,204に対してレジスタ(206,208)が二つ及び比較器(210)が一つしか設けられていなかったのも、同様の理由による。 In FIG. 5, hatched components and broken-line buses indicate portions where processing is not performed, and it can be understood that half of the registers and comparators are not used in each cycle. This indicates that the register and the comparator can be shared in two stages. Next, the encoding / decoding circuit 600 described with reference to FIG. 6 is an embodiment that utilizes this fact and halves the register and the comparator in the encoding / decoding circuit 400. In the encoding circuit 200 described with reference to FIG. 2, only two registers (206, 208) and one comparator (210) are provided for the two partial encoding / decoding blocks 202, 204. It was not provided for the same reason.
 図6に描かれる符号化・復号回路600は、符号化・復号回路400の変形例であり、隣接する符号化・復号ブロックで、レジスタと比較器を共用するように構成したことを特徴とするものである。図6と図4を比較すると分かるように、図4に描かれるレジスタ413と423が、図6においては一つのレジスタ613に置き換えられており、図4におけるレジスタ414と424が、図6ではレジスタ614に置き換えられている。また、図4に描かれる比較器415と425は、図6では一つの比較器615に置き換えられている。図4におけるレジスタ433及び443と図6のレジスタ633、図4におけるレジスタ434及び444と図6のレジスタ634、図4における比較的435及び445と図6の比較器635の関係についても同様である。 An encoding / decoding circuit 600 depicted in FIG. 6 is a modification of the encoding / decoding circuit 400, and is characterized in that adjacent encoding / decoding blocks share a register and a comparator. Is. As can be seen by comparing FIG. 6 and FIG. 4, the registers 413 and 423 depicted in FIG. 4 are replaced with one register 613 in FIG. 6, and the registers 414 and 424 in FIG. 614. Also, the comparators 415 and 425 depicted in FIG. 4 are replaced with one comparator 615 in FIG. The same applies to the relationship between the registers 433 and 443 in FIG. 4 and the register 633 in FIG. 6, the registers 434 and 444 in FIG. 4 and the register 634 in FIG. 6, the comparatively 435 and 445 in FIG. .
 符号化・復号回路600には、レジスタ及び比較器を共有するために、符号化・復号回路400に比べてセレクタ616,617,626,627が追加されているが、二つのレジスタ及び一つの比較器が二つのステージで共有されることができるので、全体としての回路規模は、符号化・復号回路400に比べて小さくて済む。 The encoder / decoder circuit 600 has selectors 616, 617, 626, and 627 added to the encoder / decoder circuit 400 in order to share registers and comparators. Since the device can be shared in two stages, the overall circuit scale can be smaller than that of the encoding / decoding circuit 400.
[AESへの応用例]
 次に、本発明の具体的な実施例として、国際標準暗号AES(Advanced Encryption Standard)回路へ適用した例を示す。暗号は、元のデータが1ビットでも異なると、まったく異なるデータに変換されるという特性を有する。このため、演算エラーが発生すると、データがまったく復元できなくなるという極めて深刻な問題を生じる結果となる。また、暗号は、ICカードなど金銭に関係するアプリケーションにも使用されるため、秘密の情報を盗み出そうとする悪意の利用者による電源やクロックへの不正なノイズ印加による誤動作にも対応する必要がある。このため、暗号回路は符号化・復号回路の中でも特に高い信頼性が要求され、高性能なエラー検出機構が不可欠である。 [Application example to AES]
Next, as a specific embodiment of the present invention, an example applied to an international standard encryption AES (Advanced Encryption Standard) circuit is shown. The cipher has a characteristic that if even one bit of original data is different, it is converted into completely different data. For this reason, when an arithmetic error occurs, it results in a very serious problem that data cannot be restored at all. Since cryptography is also used for money-related applications such as IC cards, it is necessary to cope with malfunctions caused by unauthorized application of noise to power supplies and clocks by malicious users trying to steal secret information. There is. For this reason, the encryption circuit is required to have particularly high reliability among the encoding / decoding circuits, and a high-performance error detection mechanism is indispensable.
 図7は、128ビットの秘密鍵を用いた、エラー検出機能を有さないAESの暗号化・復号回路例の概略図である。128ビットのデータにラウンド関数と呼ばれる変換を10回繰り返して暗号化と復号を行うため、通常は、この図の左側のデータ変換部にあるように、ラウンド関数ブロックを1つだけ用意して、それを1回の暗号化(または復号)で10回利用するループアーキテクチャが用いられる。ラウンド関数は大きく4つの部分から構成され、暗号化の場合にそれぞれShiftRows、SubBytes、MixColumns、AddRoundKeyと表される。復号はこれらの逆関数となる処理によって行われ、それぞれInvShiftRows、InvSubBytes、InvMixColumns、AddRoundKeyと表記される。(なお、図中MixColumnsとInvMixColumnsはそれぞれMixCol.とInvMixCol.と表記されている。)暗号化と復号で対応する関数はそれぞれ回路を共有している。同じ入力データを同じ関数で変換しても、秘密鍵を変えることによってまったく異なるデータが出力される。秘密鍵は右側の鍵スケジューラで簡単な変換が行われながら、ラウンド関数に10回入力される。 FIG. 7 is a schematic diagram of an example of an AES encryption / decryption circuit that uses a 128-bit secret key and does not have an error detection function. In order to perform encryption and decryption by repeating a conversion called a round function 10 times for 128-bit data, normally, only one round function block is prepared as in the data conversion unit on the left side of this figure, A loop architecture that uses it 10 times in one encryption (or decryption) is used. The round function is mainly composed of four parts, and is expressed as ShiftRows, SubBytes, MixColumns, and AddRoundKey in the case of encryption. Decoding is performed by processing that is an inverse function of these, and is represented as InvShiftRows, InvSubBytes, InvMixColumns, and AddRoundKey, respectively. (In the figure, MixColumns and InvMixColumns are represented as MixCol. And InvMixCol., Respectively.) The functions corresponding to encryption and decryption share a circuit. Even if the same input data is converted by the same function, completely different data is output by changing the secret key. The secret key is input 10 times to the round function while being simply converted by the right key scheduler.
 図7において、データレジスタ712は、ループ処理を行うために、各ループの処理結果を保持するために用いられる。ShiftRows及びその逆関数InvShiftRowsの処理は、ブロック714で行われ、SubBytes及びその逆関数InvSubByteの処理は、ブロック716で行われる。MixColumns及びその逆関数InvMixColumnsの処理は、ブロック718で行われ、AddRoundKeyの処理はブロック720で行われる。 In FIG. 7, a data register 712 is used to hold the processing result of each loop in order to perform loop processing. Processing of ShiftRows and its inverse function InvShiftRows is performed at block 714, and processing of SubBytes and its inverse function InvSubByte is performed at block 716. MixColumns and its inverse function InvMixColumns are processed in block 718 and AddRoundKey is processed in block 720.
 図8は、図2を用いて説明した2分割構成を、図7のAES回路に適用した回路構成である。ラウンド関数はShiftRows/InvShiftRowsとSubBytes/InvSubByte、そしてMixColumns/InvMixColumnsとAddRoundKeyをまとめた2ブロックに分割されている。すなわち、図2と図8を比較すると、図2の部分符号化・部分復号ブロック202が、図8におけるShiftRows/InvShiftRowsブロック714及びSubBytes/InvSubByteブロック716に対応し、図2の部分符号化・部分復号ブロック204が、図8におけるMixColumns/InvMixColumnsブロック718及びAddRoundKeyブロック820,821に対応する。また、図2のレジスタ206は図8のレジスタ712に対応し、図2のレジスタ208は図8のレジスタ812に対応する。図2の比較器210に対応するものは、図8では比較器828である。さらに図8のAES回路では、図7のAES回路を2ステージ化するために、図2のセレクタ212b,212cに対応するセレクタ824,826が設けられている。 FIG. 8 shows a circuit configuration in which the two-part configuration described with reference to FIG. 2 is applied to the AES circuit of FIG. The round function is divided into 2 blocks that combine ShiftRows / InvShiftRows and SubBytes / InvSubByte, and MixColumns / InvMixColumns and AddRoundKey. That is, when FIG. 2 is compared with FIG. 8, the partial encoding / partial decoding block 202 in FIG. 2 corresponds to the ShiftRows / InvShiftRows block 714 and SubBytes / InvSubByte block 716 in FIG. The decryption block 204 corresponds to the MixColumns / InvMixColumns block 718 and the AddRoundKey blocks 820 and 821 in FIG. 2 corresponds to the register 712 in FIG. 8, and the register 208 in FIG. 2 corresponds to the register 812 in FIG. 2 corresponds to the comparator 210 in FIG. Further, in the AES circuit of FIG. 8, selectors 824 and 826 corresponding to the selectors 212b and 212c of FIG. 2 are provided in order to make the AES circuit of FIG. 7 into two stages.
 図2の構成では2サイクルで1回の符号化を行っていた。一方、図7の回路は10サイクルで暗号化(符号化)を行い、図8はその各サイクルのラウンド関数毎に逆変換を行ってエラー検出を行うので、20サイクルで一回の暗号化を行うことになる。しかしながら、1回のラウンド関数変換を1回の符号化と考えれば、図5と基本的に等価である。図8の一致信号1はサイクル毎に、半分のラウンド関数処理のエラーチェック結果が出力される。 In the configuration of FIG. 2, encoding was performed once in two cycles. On the other hand, the circuit of FIG. 7 performs encryption (encoding) in 10 cycles, and FIG. 8 performs error detection by performing inverse transformation for each round function of each cycle, so that encryption is performed once in 20 cycles. Will do. However, if one round function conversion is considered as one encoding, it is basically equivalent to FIG. The coincidence signal 1 in FIG. 8 outputs an error check result of half round function processing for each cycle.
 図8のアーキテクチャでは、AddRoundKeyブロックとInvMixColumnsブロックの順序を入れ替えてXORゲートを共有することは行っていない。このため、図7においてはAddRoundKeyブロックが1つ(720)であるのに対し、図8においては2つ(820,821)となっている。図7のアーキテクチャではXORゲートを共有することでクリティカルパスであるラウンド関数ブロックを短くできるが、その代わりに鍵スケジューラ部においてMixColumnsブロックが必要となる。これに対してラウンド関数を2分割する提案方式の実装では、XORを共有しないで鍵スケジューラ部のMixColumnsブロックを省略したほうが回路規模と動作速度のバランスが良かったためである。ところでラウンド関数ブロックの遅延時間が分割によって短くなると,鍵スケジューラ部がクリティカルパスとなってくる。そこで,鍵スケジューラ部についても1ラウンドを2クロックで処理するようにレジスタを挿入している。 In the architecture of FIG. 8, the XOR gate is not shared by changing the order of the AddRoundKey block and the InvMixColumns block. Therefore, in FIG. 7, there is one AddRoundKey block (720), whereas in FIG. 8, there are two (820, 821). In the architecture of FIG. 7, the round function block that is a critical path can be shortened by sharing the XOR gate, but instead, the MixColumns block is required in the key scheduler unit. On the other hand, in the implementation of the proposed method that divides the round function into two, the balance between the circuit scale and the operation speed is better when the MixColumns block of the key scheduler unit is omitted without sharing the XOR. By the way, when the delay time of the round function block is shortened by the division, the key scheduler unit becomes a critical path. Therefore, a register is also inserted in the key scheduler unit so that one round is processed with two clocks.
 ラウンド関数は正しく動作していても、鍵スケジューラ部の処理においてエラーが発生したり、または、制御カウンタの故障によって本来10ラウンドの繰り返し処理が1回で終了してしまうといったことも考えられる。これを防ぐために、最終ラウンドの処理が終了したときにオンザフライで生成された鍵を調べ、暗号化であれば復号鍵レジスタと、復号であれば暗号化鍵レジスタとの一致を比較器830で確認している。攻撃者がカウンタの値を飛ばすことができたとしても、値が不明の鍵スケジューラの128ビットまで正しく飛ばすことは不可能である。 Even if the round function is operating correctly, an error may occur in the processing of the key scheduler unit, or the 10-round repetitive processing may be terminated once by a failure of the control counter. To prevent this, the key generated on-the-fly when the last round of processing is completed is checked with the comparator 830 for a match between the decryption key register for encryption and the encryption key register for decryption. is doing. Even if the attacker can skip the value of the counter, it is impossible to correctly skip up to 128 bits of the key scheduler whose value is unknown.
 図9を参照しつつ、図8に示した構成のAES回路の暗号化時の動作例を説明する。矢印の頭部が黒く塗りつぶされている場合は処理の流れがあることを示し、白抜きになっている場合は処理の流れがないことを示す。暗号化用の初期鍵K0は暗号化鍵レジスタ732に入力され、右側の鍵スケジューラ部で復号用の初期鍵(=暗号化用の最終鍵)K10に変換されて復号鍵レジスタ734に既にセットされているものとする。 Referring to FIG. 9, an operation example at the time of encryption of the AES circuit having the configuration shown in FIG. 8 will be described. When the head of the arrow is painted black, it indicates that there is a processing flow, and when it is outlined, there is no processing flow. The initial key K0 for encryption is input to the encryption key register 732, converted into an initial key for decryption (= final key for encryption) K10 by the right key scheduler unit, and already set in the decryption key register 734. It shall be.
 まず(a)では、入力された平文と暗号化用の初期鍵K0がXORされてデータレジスタ712にD0として書き込まれ、暗号化処理の前半のShiftRrowsブロック714とSubBytesブロック716のパスを通ったデータがD1Xとしてフィードバックされる。それと同時にデータD0は比較用レジスタ812に渡される。また鍵スケジューラでは、オンザフライで初期鍵K0から第1ラウンドの鍵K1が生成される。(b)では、検算のために(a)で暗号化に使用したパスで復号が行われ、データレジスタ712に書き込まれたデータD1XがInvShirtRowsブロック714とInvSubBytesブロック716によって逆変換された後、比較器828において、比較用レジスタ812に保持されている値D0と比較される。一方、同じデータD1Xは、別のパスでMixColumnsブロック718とAddroundKeyブロック820(ラウンド鍵K1とのXOR)によりD1に変換される。(c)では、(a)と同じパスでデータレジスタ712の値D1がD2Xに変換されるのと同時に、その右のパスではInvMixColumnsブロック718とAddroundKeyブロック821(ラウンド鍵K1とのXOR)でD1Xに戻されて比較用レジスタ812の値と比較される。以下同様に、第9ラウンドまで暗号化と検算が繰り返される。 First, in (a), the input plaintext and the encryption initial key K0 are XORed and written as D0 in the data register 712, and the data that has passed through the paths of the ShiftRrows block 714 and the SubBytes block 716 in the first half of the encryption process. Is fed back as D1X. At the same time, the data D0 is passed to the comparison register 812. In the key scheduler, the first round key K1 is generated from the initial key K0 on the fly. In (b), decryption is performed in the path used for encryption in (a) for verification, and the data D1X written in the data register 712 is inversely converted by the InvShirtRows block 714 and InvSubBytes block 716, and then compared. The comparator 828 compares the value D 0 held in the comparison register 812. On the other hand, the same data D1X is converted to D1 by the MixColumns block 718 and the AddroundKey block 820 (XOR with the round key K1) in another path. In (c), the value D1 of the data register 712 is converted to D2X in the same path as in (a), and at the same time, in the right path, D1X in the InvMixColumns block 718 and AddroundKey block 821 (XOR with the round key K1). And the value of the comparison register 812 is compared. Similarly, encryption and verification are repeated until the ninth round.
 (d)ではエラー検出のためにInvShiftrowsブロックとInvSubBytesブロックの処理、そして暗号化の最後の処理である最終第10ラウンドの鍵K10とのXORの処理が行われる。図3でも示したように、最終ラウンドではMixColumnsブロックの処理は行われないので、その処理ブロックはバイパスされる。最終ラウンドなので、オンザフライで生成されたラウンド鍵レジスタのK10と事前計算による暗号化鍵レジスタ732のK10との比較により、10ラウンドきちんと処理されたことのチェックが行われる。ここで暗号文D10の出力も可能であるが、最後に(e)でD10Xに戻ることが確認された後に出力している。この最終チェックが済むまで次の平文は入力されないため、1ブロックの暗号化に要するクロック数は、20クロック(=10ラウンド×2クロック)に(e)の1クロック分が加算され、21クロックとなる。 In (d), processing of the InvShiftrows block and InvSubBytes block is performed for error detection, and XOR processing with the key K10 of the final tenth round, which is the final processing of encryption, is performed. As shown in FIG. 3, since the MixColumns block is not processed in the final round, the processing block is bypassed. Since it is the final round, it is checked that 10 rounds have been processed properly by comparing K10 of the round key register generated on-the-fly with K10 of the encryption key register 732 by pre-calculation. Although the ciphertext D10 can be output here, the ciphertext D10 is output after it is finally confirmed that the process returns to D10X in (e). Since the next plaintext is not input until this final check is completed, the number of clocks required for encryption of one block is 20 clocks (= 10 rounds × 2 clocks) plus one clock of (e), which is 21 clocks. Become.
 図7と図8の回路をそれぞれ設計し、90nmのCMOSスタンダードセル・ライブラリを用いた論理合成で回路規模と動作速度を評価した結果を図10の表に示す。なお、図8の回路においては、前述のように暗号化が終了してから次のデータを入れるのに1サイクルインターバルを入れる設計としているため、サイクル数は21となっている。論理合成時の最適化は、回路規模(ゲート)を最小とするものと動作速度(スループット)を最大とする2種類の他に、単位ゲートあたりのスループットである回路効率を最大とする実装も行った。論理合成の条件によって回路規模と動作速度は大きく変動し、小型化するほど速度は遅くなり、高速化するほど回路規模は大きくなるので、その値を単純比較しても実装の優劣をつけることは難しい。そこで、回路効率が単純比較の指標としては最適である。図10の表からわかるように、回路規模最適化と動作速度最適化の双方において、エラー検出なしと本発明の回路効率は同等である。規模と速度のバランスが最適な実装においても、エラー検出なしの169.48kbps/gateに対して本発明はその85.5%の145.01kbps/gateであった。つまり、本発明を適用したAES回路は、最大でもわずか15%程度のオーバーヘッドで、確実なエラー検出が可能である優れた手法であることがわかる。 The table of FIG. 10 shows the results of designing the circuits of FIG. 7 and FIG. 8 and evaluating the circuit scale and operation speed by logic synthesis using a 90 nm CMOS standard cell library. In the circuit of FIG. 8, the cycle number is 21 because the design is such that one cycle interval is inserted to enter the next data after the encryption is completed as described above. In addition to the two types that minimize the circuit scale (gate) and the maximum operation speed (throughput), the optimization at the time of logic synthesis is also implemented to maximize the circuit efficiency that is the throughput per unit gate. It was. The circuit scale and operation speed vary greatly depending on the conditions of logic synthesis. The smaller the size, the slower the speed, and the higher the speed, the larger the circuit scale. difficult. Therefore, circuit efficiency is optimal as an index for simple comparison. As can be seen from the table of FIG. 10, in both the circuit scale optimization and the operation speed optimization, no error detection and the circuit efficiency of the present invention are equivalent. Even in an implementation in which the balance between the scale and the speed is optimum, the present invention is 145.51 kbps / gate, which is 85.5% of 169.48 kbps / gate without error detection. That is, it can be seen that the AES circuit to which the present invention is applied is an excellent technique capable of reliably detecting an error with an overhead of only about 15% at the maximum.
 以上、本発明の実施形態の例を説明してきたが、これらの実施形態は本発明の範囲を限定する意図でなされたものではなく、あくまで本発明の深い理解に資するためのものである。本発明は、その思想の範囲を逸脱することなく、本明細書に説明した実施形態以外にも様々な実施形態を取りうるものである。特許請求の範囲に記載される実施形態は、本発明の好適な実施形態ではあるが、本発明の実施形態はそれに止まるものではなく、本願の出願書類及び技術常識から当業者が感得しうる全ての構成を含むものである。 The embodiments of the present invention have been described above. However, these embodiments are not intended to limit the scope of the present invention, but are intended to contribute to a deep understanding of the present invention. The present invention can take various embodiments other than the embodiments described in the present specification without departing from the scope of the idea. The embodiments described in the claims are preferred embodiments of the present invention, but the embodiments of the present invention are not limited thereto, and can be felt by those skilled in the art from the application documents and common general knowledge of the present application. Includes all configurations.
200 符号化回路
200 符号化回路
202,204 部分符号化・部分復号ブロック
206,208 レジスタ
208 レジスタ
210 比較器
212a-212c セレクタ
400 符号化・復号回路
410,420,430,440 ステージ
411,421,431,441 セレクタ
412,422,432,442 部分符号化・部分復号ブロック
413,423,433,443 レジスタ
414,424,434,444 レジスタ
415,425,435,445 比較器
600 符号化・復号回路
613 レジスタ
614 レジスタ
615 比較器
616,617,626,627 セレクタ
633 レジスタ
634 レジスタ
635 比較器 200 Encoding Circuit 200 Encoding Circuit 202, 204 Partial Encoding / Partial Decoding Block 206, 208 Register 208 Register 210 Comparator 212a-212c Selector 400 Encoding / Decoding Circuit 410, 420, 430, 440 Stages 411, 421, 431 , 441 Selector 412, 422, 432, 442 Partial encoding / decoding block 413, 423, 433, 443 Register 414, 424, 434, 444 Register 415, 425, 435, 445 Comparator 600 Encoding / decoding circuit 613 Register 614 Register 615 Comparator 616, 617, 626, 627 Selector 633 Register 634 Register 635 Comparator

Claims (8)

  1.  ステージX及び前記ステージXの次のステージであるステージYを少なくとも含む、複数のステージのパイプライン処理によって符号化処理を行う符号化回路であって、
     前記複数のステージの各々は、符号化処理の一部である部分符号化処理及び該一部の逆処理となる部分復号処理を実行しうる部分符号化・部分復号ブロックを含み、
     或るサイクルにおいて、
    ・ 前記ステージYにおいて、前記或るサイクルの1つ前のサイクルにおいて前記ステージXで部分符号化されたデータが部分符号化され、
    ・ 前記ステージXにおいて、前記1つ前のサイクルにおいて前記ステージXで部分符号化されたデータが部分復号され、
    ・ 予め記憶されていた、前記1つ前のサイクルにおいて前記ステージXで部分符号化される前のデータと、前記部分復号されたデータとが比較され、
     前記或るサイクルの次のサイクルにおいて、
    ・ 前記ステージYにおいて、前記或るサイクルにおいて前記ステージYで部分符号化されたデータが部分復号され、
    ・ 予め記憶されていた、前記或るサイクルにおいて前記ステージYで部分符号化される前のデータと、前記ステージYで部分復号されたデータとが比較され、
    ・ 前記ステージXにおいて、別のデータが部分符号化される
    回路として構成される符号化回路。     An encoding circuit that performs encoding processing by pipeline processing of a plurality of stages, including at least stage X and stage Y that is the next stage of stage X,
    Each of the plurality of stages includes a partial encoding / partial decoding block capable of executing a partial encoding process that is a part of the encoding process and a partial decoding process that is an inverse process of the partial process,
    In a cycle
    In the stage Y, the data partially encoded in the stage X in the cycle immediately before the certain cycle is partially encoded,
    In the stage X, the data partially encoded in the stage X in the previous cycle is partially decoded,
    The previously stored data before partial encoding at the stage X in the previous cycle is compared with the partially decoded data;
    In the next cycle of the certain cycle,
    In the stage Y, the data partially encoded in the stage Y in the certain cycle is partially decoded,
    The pre-stored data before partial encoding at the stage Y in the certain cycle is compared with the data partially decoded at the stage Y,
    An encoding circuit configured as a circuit in which another data is partially encoded in the stage X;
  2.  ステージX及び前記ステージXの次のステージであるステージYを少なくとも含む、複数のステージのパイプライン処理によって復号処理を行う復号回路であって、
     前記複数のステージの各々は、復号処理の一部である部分復号処理及び該一部の逆処理となる部分符号化処理を実行しうる部分符号化・部分復号ブロックを含み、
     或るサイクルにおいて、
    ・ 前記ステージYにおいて、前記或るサイクルの1つ前のサイクルにおいて前記ステージXで部分復号されたデータが部分復号され、
    ・ 前記ステージXにおいて、前記1つ前のサイクルにおいて前記ステージXで部分復号されたデータが部分符号化され、
    ・ 予め記憶されていた、前記1つ前のサイクルにおいて前記ステージXで部分復号される前のデータと、前記部分符号化されたデータとが比較され、
     前記或るサイクルの次のサイクルにおいて、
    ・ 前記ステージYにおいて、前記或るサイクルにおいて前記ステージYで部分復号されたデータが部分符号化され、
    ・ 予め記憶されていた、前記或るサイクルにおいて前記ステージYで部分復号される前のデータと、前記ステージYで部分符号化されたデータとが比較され、
    ・ 前記ステージXにおいて、別のデータが部分復号される
    回路として構成される復号回路。     A decoding circuit that performs decoding processing by pipeline processing of a plurality of stages, including at least stage X and stage Y that is the next stage of stage X,
    Each of the plurality of stages includes a partial encoding / partial decoding block capable of executing a partial decoding process that is a part of the decoding process and a partial encoding process that is a reverse process of the part,
    In a cycle
    In the stage Y, the data partially decoded in the stage X in the cycle immediately before the certain cycle is partially decoded,
    In the stage X, the data partially decoded in the stage X in the previous cycle is partially encoded,
    The previously stored data before partial decoding at the stage X in the previous cycle is compared with the partially encoded data;
    In the next cycle of the certain cycle,
    In the stage Y, the data partially decoded in the stage Y in the certain cycle is partially encoded,
    The pre-stored data before partial decoding at the stage Y in the certain cycle is compared with the data partially encoded at the stage Y,
    A decoding circuit configured as a circuit in which another data is partially decoded in the stage X.
  3.  前記ステージXが、暗号化において反復実行されるランダム化関数の一部である部分暗号化処理及び該一部の逆関数となる部分復号処理を実行しうる部分暗号化・部分復号ブロックを含み、前記ステージYが、前記ランダム化関数の残部である部分暗号化処理及び該残部の逆関数である部分復号処理を実行しうる部分暗号化・部分復号処理ブロックを含むことを特徴とする請求項1に記載の符号化回路。 The stage X includes a partial encryption / partial decryption block capable of executing a partial encryption process that is a part of a randomizing function that is repeatedly executed in encryption and a partial decryption process that is an inverse function of the part, 2. The stage Y includes a partial encryption / partial decryption processing block capable of executing a partial encryption process that is the remainder of the randomizing function and a partial decryption process that is an inverse function of the remainder. The encoding circuit described in 1.
  4. 前記ステージXが、復号において反復実行されるランダム化関数の一部である部分復号処理及び該一部の逆関数となる部分暗号化処理を実行しうる部分復号・部分暗号化ブロックを含み、前記ステージYが、前記ランダム化関数の残部である部分復号処理及び該残部の逆関数である部分暗号化処理を実行しうる部分復号・暗号化処理ブロックを含む
    ことを特徴とする請求項1に記載の復号回路。     The stage X includes a partial decryption / partial encryption block capable of executing a partial decryption process that is a part of a randomizing function that is repeatedly executed in decryption and a partial encryption process that is an inverse function of the part, The stage Y includes a partial decryption / encryption processing block capable of executing a partial decryption process that is the remainder of the randomizing function and a partial encryption process that is an inverse function of the remainder. Decoding circuit.
  5. (a) 符号化処理をNステージ(Nは2以上の整数)のパイプライン処理で行う符号化回路であって、
    (b) 各ステージは、符号化処理の一部である部分符号化処理及び該一部の逆処理となる部分復号処理を実行しうる部分符号化・部分復号ブロックを含み、
    (c) 前記部分符号化・部分復号ブロックの各々に対し、該部分符号化・部分復号ブロックの部分符号化処理の結果をストアするためのレジスタである第1レジスタと、該部分符号化・部分復号ブロックへの入力データのコピーをストアするためのレジスタである第2レジスタと、比較器とが割り当てられ、
    (d) i番目(2≦i≦N)の前記部分符号化・部分復号ブロックによる部分符号化処理が行われるサイクルにおいて、
      (d-1) i-1番目の前記部分符号化・部分復号ブロックに関する前記第1レジスタにストアされたデータを入力データとして、前記i番目の部分符号化・部分復号ブロックによる部分符号化処理が実行され、
      (d-2) 前記部分符号化処理を施されたデータが、前記サイクルの次のサイクルにおいて、前記i番目の部分符号化・部分復号ブロックに関する前記第1レジスタにストアされるように準備され、
      (d-3) 前記入力データが、前記次のサイクルにおいて、前記i番目の部分符号化・部分復号ブロックに関する前記第2レジスタにストアされるように準備され、
      (d-4) 前記i-1番目の前記部分符号化・部分復号ブロックに関する前記第1レジスタにストアされたデータに対し、前記i-1番目の部分符号化・部分復号ブロックによる部分復号処理が実行され、
      (d-5) 前記部分復号処理を施されたデータと、前記i-1番目の部分符号化・部分復号ブロックに関する前記第2レジスタにストアされたデータとの比較処理が、前記i-1番目の部分符号化・部分復号ブロックに関する前記比較器による実行され、
    (e) 前記次のサイクルにおいて、
      (e-1) 前記i番目の部分符号化・部分復号ブロックに関する前記第1及び第2レジスタに対するストア処理が実行され、
      (e-2) 前記i番目の部分符号化・部分復号ブロックに関する前記第1レジスタにストアされたデータに対し、前記i番目の部分符号化・部分復号ブロックによる部分復号処理が実行され、
      (e-3) 前記(e-2)における部分復号処理を施されたデータと、前記i番目の部分符号化・部分復号ブロックに関する前記第2レジスタにストアされたデータとの比較処理が、前記i番目の部分符号化・部分復号ブロックに関する前記比較器によって実行され、
      (e-4) 別のデータに対して前記i-1番目の部分符号化・部分復号ブロックによる部分符号化処理が実行される
    回路として構成される符号化回路。     (A) An encoding circuit that performs encoding processing by pipeline processing of N stages (N is an integer of 2 or more),
    (B) Each stage includes a partial encoding / partial decoding block capable of executing a partial encoding process that is a part of the encoding process and a partial decoding process that is an inverse process of the partial process.
    (C) For each of the partial encoding / partial decoding blocks, a first register that is a register for storing a result of partial encoding processing of the partial encoding / partial decoding block, and the partial encoding / partial A second register, which is a register for storing a copy of the input data to the decoding block, and a comparator are allocated;
    (D) In a cycle in which partial encoding processing by the i-th (2 ≦ i ≦ N) partial encoding / partial decoding block is performed,
    (D-1) Using the data stored in the first register relating to the i−1th partial encoding / partial decoding block as input data, the partial encoding process by the i th partial encoding / partial decoding block is performed. Executed,
    (D-2) The data subjected to the partial coding process is prepared to be stored in the first register related to the i-th partial coding / partial decoding block in the next cycle of the cycle,
    (D-3) The input data is prepared to be stored in the second register related to the i-th partial coding / decoding block in the next cycle,
    (D-4) For the data stored in the first register relating to the i−1th partial coding / partial decoding block, partial decoding processing by the i−1th partial coding / partial decoding block is performed. Executed,
    (D-5) The comparison process between the data subjected to the partial decoding process and the data stored in the second register regarding the i−1th partial encoding / partial decoding block is the i−1th Executed by the comparator with respect to the partial encoding / decoding block of
    (E) In the next cycle,
    (E-1) A store process for the first and second registers related to the i-th partial coding / decoding block is executed,
    (E-2) A partial decoding process by the i-th partial coding / partial decoding block is executed on the data stored in the first register relating to the i-th partial coding / partial decoding block,
    (E-3) The comparison process between the data subjected to the partial decoding process in (e-2) and the data stored in the second register relating to the i-th partial coding / partial decoding block includes: executed by the comparator for the i th partial encoding / decoding block;
    (E-4) An encoding circuit configured as a circuit that executes partial encoding processing on the other data by the i-1th partial encoding / decoding block.
  6. (a) 復号処理をNステージ(Nは2以上の整数)のパイプライン処理で行う復号回路であって、
    (b) 各ステージは、復号処理の一部である部分復号処理及び該一部の逆処理となる部分符号化処理を実行しうる部分符号化・部分復号ブロックを含み、
    (c) 前記部分符号化・部分復号ブロックの各々に対し、該部分符号化・部分復号ブロックの部分復号処理の結果をストアするためのレジスタである第1レジスタと、該部分符号化・部分復号ブロックへの入力データのコピーをストアするためのレジスタである第2レジスタと、比較器とが割り当てられ、
    (d) i番目(2≦i≦N)の前記部分符号化・部分復号ブロックによる部分復号処理が行われるサイクルにおいて、
      (d-1) i-1番目の前記部分符号化・部分復号ブロックに関する前記第1レジスタにストアされたデータを入力データとして、前記i番目の部分符号化・部分復号ブロックによる部分復号処理が実行され、
      (d-2) 前記部分復号処理を施されたデータが、前記サイクルの次のサイクルにおいて前記i番目の部分符号化・部分復号ブロックに関する前記第1レジスタにストアされるように準備され、
      (d-3) 前記入力データが、前記次のサイクルにおいて前記i番目の部分符号化・部分復号ブロックに関する前記第2レジスタにストアされるように準備され、
      (d-4) i-1番目の前記部分符号化・部分復号ブロックに関する前記第1レジスタにストアされたデータに対し、前記i-1番目の部分符号化・部分復号ブロックによる部分符号化処理が実行され、
      (d-5) 前記部分符号化処理を施されたデータと、前記i-1番目の部分符号化・部分復号ブロックに関する前記第2レジスタにストアされたデータとの比較処理が、前記i-1番目の部分符号化・部分復号ブロックに関する前記比較器によって実行され、
    (e) 前記次のサイクルにおいて、
      (e-1) 前記i番目の部分符号化・部分復号ブロックに関する前記第1及び第2レジスタに対するストア処理が実行され、
      (e-2) 前記i番目の部分符号化・部分復号ブロックに関する前記第1レジスタにストアされたデータに対し、前記i番目の部分符号化・部分復号ブロックによる部分符号化処理が実行され、
      (e-3) 前記(e-2)における部分符号化処理を施されたデータと、前記i番目の部分符号化・部分復号ブロックに関する前記第2レジスタにストアされたデータとの比較処理が、前記i番目の部分符号化・部分復号ブロックに関する前記比較器によって実行され、
      (e-4) 別のデータに対して前記i-1番目の部分符号化・部分復号ブロックによる部分復号処理が実行される
    回路として構成される復号回路。     (A) A decoding circuit that performs decoding processing by pipeline processing of N stages (N is an integer of 2 or more),
    (B) Each stage includes a partial encoding / decoding block that can execute a partial decoding process that is a part of the decoding process and a partial encoding process that is a reverse process of the partial process,
    (C) For each of the partial coding / partial decoding blocks, a first register that is a register for storing a result of partial decoding processing of the partial coding / partial decoding block, and the partial coding / partial decoding A second register, which is a register for storing a copy of input data to the block, and a comparator are allocated;
    (D) In a cycle in which partial decoding processing by the i-th (2 ≦ i ≦ N) partial encoding / partial decoding block is performed,
    (D-1) The partial decoding process by the i-th partial encoding / partial decoding block is executed using the data stored in the first register relating to the i-1th partial encoding / partial decoding block as input data. And
    (D-2) The data subjected to the partial decoding process is prepared to be stored in the first register related to the i-th partial coding / decoding block in a cycle subsequent to the cycle,
    (D-3) The input data is prepared to be stored in the second register related to the i-th partial coding / decoding block in the next cycle,
    (D-4) For the data stored in the first register relating to the i−1th partial coding / partial decoding block, partial coding processing by the i−1th partial coding / partial decoding block is performed. Executed,
    (D-5) The comparison process between the data subjected to the partial encoding process and the data stored in the second register relating to the i−1th partial encoding / decoding block is the i−1 Executed by the comparator for the th partial encoding / decoding block;
    (E) In the next cycle,
    (E-1) A store process for the first and second registers related to the i-th partial coding / decoding block is executed,
    (E-2) For the data stored in the first register relating to the i-th partial coding / partial decoding block, a partial coding process by the i-th partial coding / partial decoding block is executed,
    (E-3) A process of comparing the data subjected to the partial encoding process in (e-2) and the data stored in the second register relating to the i-th partial encoding / decoding block, Executed by the comparator for the i th partial encoding / decoding block;
    (E-4) A decoding circuit configured as a circuit for executing partial decoding processing on the other data by the i-1th partial encoding / decoding block.
  7.  前記第1レジスタ、前記第2レジスタ、前記比較器の少なくとも1つ以上が、2つの前記部分符号化・部分復号ブロックによって共有される回路として構成される請求項5に記載の符号化回路。 The encoding circuit according to claim 5, wherein at least one of the first register, the second register, and the comparator is configured as a circuit shared by the two partial encoding / decoding blocks.
  8.  前記第1レジスタ、前記第2レジスタ、前記比較器の少なくとも1つ以上が、2つの前記部分符号化・部分復号ブロックによって共有される回路として構成される請求項6に記載の復号回路。 The decoding circuit according to claim 6, wherein at least one of the first register, the second register, and the comparator is configured as a circuit shared by the two partial encoding / partial decoding blocks.
PCT/JP2009/059167 2008-05-19 2009-05-19 Coding or decoding circuit structure with error detecting capability WO2009142190A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
JP2008130361A JP5164154B2 (en) 2008-05-19 2008-05-19 Circuit configuration for encoding or decoding processing with error detection function
JP2008-130361 2008-05-19

Publications (1)

Publication Number Publication Date
WO2009142190A1 true WO2009142190A1 (en) 2009-11-26

Family

ID=41340123

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/JP2009/059167 WO2009142190A1 (en) 2008-05-19 2009-05-19 Coding or decoding circuit structure with error detecting capability

Country Status (2)

Country Link
JP (1) JP5164154B2 (en)
WO (1) WO2009142190A1 (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114442913A (en) * 2020-11-02 2022-05-06 慧荣科技股份有限公司 Data access method, memory controller, and advanced encryption standard processing circuit

Families Citing this family (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP5433498B2 (en) * 2010-05-27 2014-03-05 株式会社東芝 Cryptographic processing device
JP5677207B2 (en) * 2011-06-13 2015-02-25 株式会社富士通アドバンストエンジニアリング Communication system including an abnormal event occurrence cause identification function
WO2015008335A1 (en) 2013-07-16 2015-01-22 三菱電機株式会社 Semiconductor device
JP2017130849A (en) 2016-01-21 2017-07-27 富士通株式会社 Transmission apparatus and failure detection method
CN107402824B (en) * 2017-05-31 2020-06-02 创新先进技术有限公司 Data processing method and device

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JPH03177120A (en) * 1989-12-06 1991-08-01 Fujitsu Ltd Test system for sound encoding circuit
JP2003298426A (en) * 2002-04-02 2003-10-17 Sony Corp Error correcting apparatus and method
JP2005285270A (en) * 2004-03-30 2005-10-13 Elpida Memory Inc Semiconductor device and testing method
JP2007221346A (en) * 2006-02-15 2007-08-30 Toshiba Corp Data signal monitoring apparatus and signal monitoring method

Patent Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JPH03177120A (en) * 1989-12-06 1991-08-01 Fujitsu Ltd Test system for sound encoding circuit
JP2003298426A (en) * 2002-04-02 2003-10-17 Sony Corp Error correcting apparatus and method
JP2005285270A (en) * 2004-03-30 2005-10-13 Elpida Memory Inc Semiconductor device and testing method
JP2007221346A (en) * 2006-02-15 2007-08-30 Toshiba Corp Data signal monitoring apparatus and signal monitoring method

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114442913A (en) * 2020-11-02 2022-05-06 慧荣科技股份有限公司 Data access method, memory controller, and advanced encryption standard processing circuit
CN114442913B (en) * 2020-11-02 2024-03-08 慧荣科技股份有限公司 Data access method, memory controller and advanced encryption standard processing circuit

Also Published As

Publication number Publication date
JP2009278576A (en) 2009-11-26
JP5164154B2 (en) 2013-03-13

Similar Documents

Publication Publication Date Title
Karpovsky et al. Robust protection against fault-injection attacks on smart cards implementing the advanced encryption standard
US8737603B2 (en) Cryptographic processing apparatus, cryptographic processing method, and computer program
US9363074B2 (en) Encryption processing apparatus, encryption processing method, and computer program
US7694156B2 (en) Cryptographic unit and method for operating a crytographic unit
Dunkelman et al. A practical-time attack on the A5/3 cryptosystem used in third generation GSM telephony
Satoh et al. High-performance concurrent error detection scheme for AES hardware
KR101770874B1 (en) Cryptographic processing device, cryptographic processing method, computer readable recording medium, and information processing device
JP5164154B2 (en) Circuit configuration for encoding or decoding processing with error detection function
US9083507B2 (en) Data processing device, data processing method, and program
US8489897B2 (en) Method and circuitry for detecting a fault attack
US9722805B2 (en) Integrated security device and signal processing method used for an integrated security device
Di Natale et al. A reliable architecture for parallel implementations of the advanced encryption standard
Li et al. Related-tweak statistical saturation cryptanalysis and its application on QARMA
JP5327493B1 (en) Encryption processing circuit and decryption processing circuit, method and program thereof
Vialar Fast side-channel key-recovery attack against elephant dumbo
CN109450614B (en) An encryption and decryption method suitable for high-speed data transmission path
CN104158650A (en) AES encryption/decryption circuit based on data redundancy error detection mechanism
Courtois Security evaluation of GOST 28147-89 in view of international standardisation
Yu et al. A compact ASIC implementation of the advanced encryption standard with concurrent error detection
US20100183144A1 (en) Cipher processing apparatus
JP6292107B2 (en) Cryptographic processing apparatus, cryptographic processing method, and program
Yu et al. A hybrid approach to concurrent error detection for a compact ASIC implementation of the advanced encryption standard
WO2013190782A1 (en) Encryption processing circuit and decryption processing circuit
Keren et al. On resilience of security-oriented error detecting architectures against power attacks: A theoretical analysis
JP2024143045A (en) Semiconductor Device

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 09750552

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 09750552

Country of ref document: EP

Kind code of ref document: A1