|Publication number||US20080031454 A1|
|Application number||US 11/786,191|
|Publication date||Feb 7, 2008|
|Filing date||Apr 10, 2007|
|Priority date||Apr 24, 2002|
|Also published as||US7221763, US20030202658|
|Publication number||11786191, 786191, US 2008/0031454 A1, US 2008/031454 A1, US 20080031454 A1, US 20080031454A1, US 2008031454 A1, US 2008031454A1, US-A1-20080031454, US-A1-2008031454, US2008/0031454A1, US2008/031454A1, US20080031454 A1, US20080031454A1, US2008031454 A1, US2008031454A1|
|Original Assignee||Ingrid Verbauwhede|
|Export Citation||BiBTeX, EndNote, RefMan|
|Referenced by (25), Classifications (9), Legal Events (2)|
|External Links: USPTO, USPTO Assignment, Espacenet|
1. Field of the Invention
This invention relates to the field of encryption systems, and particularly to advanced encryption standard (AES) architectures.
2. Description of the Related Art
The advanced encryption standard (AES) is a new encryption standard which implements the Rijndael algorithm. The Rijndael algorithm accepts data blocks and key sizes of 128, 192, or 256 bits; the AES implementation is a symmetric block cipher with 128 bit data blocks and a key size that can be chosen from 128, 192, or 256 bits.
Several possible implementation modes of the AES standard are shown in
Ideally, an implementation of the AES standard will have a high data rate. Several AES designs have been proposed to achieve a high data rate based on pipelined architectures. These work well when employing the AES algorithm as an ECB, with no feedback. However, the AES standard is most often used in the feedback modes of operation; in these modes, the output of the AES algorithm is fed back to the input. Unfortunately, this arrangement is incompatible with pipeline structures, due to the long latency of each pipeline path.
An AES architecture is presented which overcomes the problems noted above. High throughput is achieved, even when the AES algorithm is employed with one of the feedback modes of operation.
The present invention is a low latency, non-pipelined AES architecture. Hardware is provided for one encryption round, which is re-used as needed to complete the encryption process. This permits feedback modes to be used without adversely affecting AES throughput.
The present architecture requires a maximum parallel encryption module, which is arranged to implement one round of the AES algorithm in one clock cycle. It also requires a maximum parallel key scheduling module, arranged to generate sub keys in one clock cycle in parallel with the encryption module. The encryption and key scheduling modules are preferably made from combinatorial logic blocks, replicated as necessary to achieve one round per clock cycle.
A controller controls the operation of the encryption and key scheduling modules such that one round of the AES algorithm is completed per clock cycle. The controller is preferably part of a hierarchical distributed control scheme comprising communicating finite state machines (FSMs).
Further features and advantages of the invention will be apparent to those skilled in the art from the following detailed description, taken together with the accompanying drawings.
An AES architecture in accordance with the present invention is shown in
The key scheduling module 12 is also made maximum parallel, such that the sub-keys required by encryption module 10 are generated in one clock cycle, in parallel with the encryption module.
Encryption module 10 and key scheduling module 12 are controlled via controller 14. The controller is adapted to operate encryption module 10 and key scheduling module 12 to perform one round of the AES algorithm in one clock cycle. Controller 14 is preferably part of a hierarchical distributed control scheme comprising communicating finite state machines (FSMs), such as an input FSM 15 and an output FSM 16 which control the operation of an input buffer 17 and an output buffer 18, respectively. The controller preferably also communicates with the outside world via input commands and output status bits. The control scheme preferably also includes FSMs 19 and 20, which control the operation of encryption module 10 and key scheduling module 12, respectively, and may be internal or external to their respective modules. Controller 14 preferably also includes an FSM 22; the controller's implementation is discussed in more detail in relation to
The key is provided to key scheduling module 12 either via the input port and encryption module, or (as shown in
When arranged as described above, the present AES architecture provides low latency and high throughput, even when used with feedback modes of operation.
The architecture also preferably includes asynchronous input and output buffers, which implement a full handshake. Asynchronous input buffer 17 loads X-bit data bytes to be encrypted (P), places them in parallel in an N-bit internal register 24, and presents the N bits to the input of encryption module 10 simultaneously. Similarly, asynchronous output buffer 18 receives the N-bit output from encryption module 10 and outputs encoded X-bit data bytes (C) to an output bus. This arrangement decouples the external I/O operations, i.e., the loading and unloading of data, from the internal operation of the encryption core (modules 10 and 12). This allows the input and output busses to be any width compared to the internal input and output registers. Thus, the encryption core can be used in an environment in which the number of pins is limited (e.g., an 8-bit bus or a serial link), as well as with high speed parallel busses (e.g., 64, 128 or 256 bits). Another benefit afforded by the preferred asynchronous input and output buffers is that they enable a slow input and/or output to still be combined with fast internal operation, with the handshaking stretched over a large number of clock cycles to accommodate the slow interface.
One possible implementation for encryption module 10 is shown in
For substitution sub-module 30, the incoming data bits are preferably divided into 8-bit bytes, each of which is used to address an S-box lookup table. Each S-box contains 256 8-bit entries. To provide maximum parallelism and to finish one round of encryption in one clock cycle, the same S-box is replicated 32 times for an expected data block length of 256 bits. The S-box is replicated 16 or 24 times for expected data block lengths of 128 or 192 bits, respectively.
For shift row sub-module 32, the 256 bits of incoming data (assuming a maximum expected data block length of 256 bits) are preferably divided into four 64 bit chunks, each of which is called a “row” and contains eight bytes. Byte-wise cyclic shifts are performed on each row, with the amount of shift determined by the block length through a lookup table, as defined in the AES standard.
For mix column sub-module 34, matrix multiplication is performed on the shifted bytes in accordance with the mix column definition specified in the AES standard, using combinatorial logic; four, six, or eight blocks are used for data block lengths of 128, 192, or 256 bits, respectively.
Finally, key addition sub-module 36 exclusive-OR's the mix column output with the sub-keys received from key scheduling module 12, as prescribed by the AES standard, to generate the encrypted output. Sub-module 36 uses 128, 192 or 256 exclusive-OR gates to produce an output of 128, 192 or 256 bits, respectively.
Maximum parallel key scheduling module 12 has a data path wide enough to accommodate the maximum expected key length. Sub-keys are generated on the fly, in one clock cycle and in parallel with the encryption module. Key scheduling module 12 is arranged to accommodate the different key and block lengths allowed by the Rijndael algorithm or the AES standard, as necessary. The Rijndael algorithm allows block lengths and key lengths of 128, 192 and 256 bits, while the AES standard limits the block length to 128 bits. For the former case, the key scheduling module 12 is arranged to accommodate the nine different key length and block length combinations, and operates as defined in the Rijndael algorithm. For the latter case, only three combinations must be accommodated, with operation of the key scheduling module defined in the AES standard.
The present architecture can support a chosen combination of key-length k and data block length N, which may require differing numbers of key schedule iterations and round transformations. As noted above, one round transformation per clock cycle is required. Consequently, the speed of the key-scheduling process must be adapted as k and N change. Depending on the parameter values, it may be necessary to complete 0, 1 or 2 key scheduling iterations per clock cycle to keep up with 1 round transformation per clock cycle. For example, when 256 bit data blocks and 128 bit sub-keys (N=256, k=128), then 2 key schedule iterations are needed for each data block. Non-integral rates can also occur: for example, if N=128 and k=192, 1.5 key schedule iterations are required per data block.
One key scheduling architecture capable of accommodating these combinations is shown in
A simplified key scheduling architecture may be used when only three key and block length combinations must be accommodated; such an architecture is shown in
As noted above, controller 14 is preferably part of a hierarchical distributed control scheme comprising communicating finite state machines (FSMs); this avoids having the controller logic in the critical path, which might slow down the system. Such a control scheme is shown in
Note that the implementations of the control scheme, key scheduling module, and encryption module shown above are merely exemplary. Other designs could be used to implement these functions in accordance with the definitions given in the AES standard, as long as the encryption and key scheduling modules are made maximum parallel, and the architecture can implement one round of the AES algorithm in one clock cycle.
As noted above, the present AES architecture can be used with one of the feedback modes of operation. This is illustrated in
While particular embodiments of the invention have been shown and described, numerous variations and alternate embodiments will occur to those skilled in the art. Accordingly, it is intended that the invention be limited only in terms of the appended claims.
|Citing Patent||Filing date||Publication date||Applicant||Title|
|US7502943||Apr 16, 2004||Mar 10, 2009||Via Technologies, Inc.||Microprocessor apparatus and method for providing configurable cryptographic block cipher round results|
|US7519833||Apr 16, 2004||Apr 14, 2009||Via Technologies, Inc.||Microprocessor apparatus and method for enabling configurable data block size in a cryptographic engine|
|US7529367||Apr 16, 2004||May 5, 2009||Via Technologies, Inc.||Apparatus and method for performing transparent cipher feedback mode cryptographic functions|
|US7529368||Apr 16, 2004||May 5, 2009||Via Technologies, Inc.||Apparatus and method for performing transparent output feedback mode cryptographic functions|
|US7532722||Dec 4, 2003||May 12, 2009||Ip-First, Llc||Apparatus and method for performing transparent block cipher cryptographic functions|
|US7536560||Apr 16, 2004||May 19, 2009||Via Technologies, Inc.||Microprocessor apparatus and method for providing configurable cryptographic key size|
|US7539876||Apr 16, 2004||May 26, 2009||Via Technologies, Inc.||Apparatus and method for generating a cryptographic key schedule in a microprocessor|
|US7542566||Apr 16, 2004||Jun 2, 2009||Ip-First, Llc||Apparatus and method for performing transparent cipher block chaining mode cryptographic functions|
|US7844053||Dec 5, 2003||Nov 30, 2010||Ip-First, Llc||Microprocessor apparatus and method for performing block cipher cryptographic functions|
|US7900055||Mar 15, 2004||Mar 1, 2011||Via Technologies, Inc.||Microprocessor apparatus and method for employing configurable block cipher cryptographic algorithms|
|US7925891 *||Mar 25, 2005||Apr 12, 2011||Via Technologies, Inc.||Apparatus and method for employing cryptographic functions to generate a message digest|
|US8060755||Mar 15, 2004||Nov 15, 2011||Via Technologies, Inc||Apparatus and method for providing user-generated key schedule in a microprocessor cryptographic engine|
|US8233620||Feb 27, 2009||Jul 31, 2012||Inside Secure||Key recovery mechanism for cryptographic systems|
|US8355499||Dec 12, 2008||Jan 15, 2013||Micron Technology, Inc.||Parallel encryption/decryption|
|US8681974 *||Mar 17, 2011||Mar 25, 2014||Altera Corporation||Array encryption core|
|US9065654||Jan 15, 2013||Jun 23, 2015||Micron Technology, Inc.||Parallel encryption/decryption|
|US20040208318 *||Mar 15, 2004||Oct 21, 2004||Via Technologies Inc.||Apparatus and method for providing user-generated key schedule in a microprocessor cryptographic engine|
|US20040223610 *||Apr 16, 2004||Nov 11, 2004||Via Technologies Inc.||Apparatus and method for performing transparent cipher block chaining mode cryptographic functions|
|US20040228481 *||Dec 4, 2003||Nov 18, 2004||Ip-First, Llc||Apparatus and method for performing transparent block cipher cryptographic functions|
|US20040228483 *||Apr 16, 2004||Nov 18, 2004||Via Technologies Inc.||Apparatus and method for performing transparent cipher feedback mode cryptographic functions|
|US20040252841 *||Apr 16, 2004||Dec 16, 2004||Via Technologies Inc.||Microprocessor apparatus and method for enabling configurable data block size in a cryptographic engine|
|US20040252842 *||Apr 16, 2004||Dec 16, 2004||Via Technologies Inc.||Microprocessor apparatus and method for providing configurable cryptographic block cipher round results|
|US20040255129 *||Mar 15, 2004||Dec 16, 2004||Via Technologies Inc.||Microprocessor apparatus and method for employing configurable block cipher cryptographic algorithms|
|US20040255130 *||Apr 16, 2004||Dec 16, 2004||Via Technologies Inc.||Microprocessor apparatus and method for providing configurable cryptographic key size|
|US20050188216 *||Mar 25, 2005||Aug 25, 2005||Via Technologies, Inc.||Apparatus and method for employing cyrptographic functions to generate a message digest|
|U.S. Classification||380/277, 380/28|
|International Classification||H04L9/28, H04L9/06, H04L9/00|
|Cooperative Classification||H04L9/0631, H04L2209/24, H04L2209/125|
|Jun 22, 2007||AS||Assignment|
Owner name: SILICON STORAGE TECHNOLOGY, INC., CALIFORNIA
Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNOR:SST COMMUNICATIONS, CORP.;REEL/FRAME:019466/0168
Effective date: 20070619
|May 3, 2011||AS||Assignment|
Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNOR:SILICON STORAGE TECHNOLOGY, INC.;REEL/FRAME:026213/0515
Owner name: MICROCHIP TECHNOLOGY INCORPORATED, ARIZONA
Effective date: 20110428