JP2006235440A - Semiconductor integrated circuit - Google Patents

Abstract

A circuit scale that achieves a desired processing throughput by sharing processing in encryption and decryption of AES system between hardware centered on a logic circuit and a microprocessor that operates based on software. Alternatively, a semiconductor integrated circuit with reduced power consumption is provided.
In a semiconductor integrated circuit, a microprocessor for generating at least one key and a plurality of control signals used in cryptographic processing, and a selection for selecting one of a plurality of input data groups and a plurality of feedback data groups A circuit, a storage circuit for storing a plurality of data groups output from the selection circuit, and generating a plurality of feedback data groups as preprocessing and supplying them to the feedback loop, and then sequentially using the plurality of feedback data groups And a logic circuit that performs encryption or decryption processing on a plurality of input data groups by converting the operation results performed with reference to the conversion table.
[Selection] Figure 2

Description

  The present invention generally relates to a semiconductor integrated circuit that performs encryption processing, and more particularly to a semiconductor integrated circuit that performs encryption processing of an AES (Advanced Encryption Standard) system that is a next-generation standard encryption system.

  With the recent development of electronic commerce and electronic communication technology, the importance of cryptographic technology is increasing. Encryption methods are roughly classified into common key encryption and public key encryption. Common key cryptography (also called secret key cryptography) is an encryption method that uses the same key (common key) for encryption and decryption. In common key cryptography, it is necessary to share a common key in advance between a data sender and a receiver via a secure path. On the other hand, public key cryptography is an encryption method in which data is encrypted and decrypted with two corresponding keys: a private key managed by the principal and a public key that is disclosed to others. In public key cryptography, data encrypted with a private key cannot be decrypted except for the corresponding public key, and data encrypted with the public key can be decrypted with other than the corresponding private key. Therefore, encryption strength is relatively high and key management is easy.

  In general, common key cryptography is suitable for use in encrypting large-capacity data, but is less reliable in terms of cryptographic strength than public key cryptography and other methods. Therefore, with the recent increase in bandwidth and sophistication of computer networks and the digitization of television broadcasts and radio broadcasts, high encryption is used to protect large amounts of transmitted and received data and prevent unauthorized use by third parties. A cryptographic algorithm that has strength and can reduce resources required for implementation is desired.

  Conventionally, in the United States and many other countries, DES (Data Encryption Standard) is used as a standard common key encryption algorithm. DES was developed by IBM Corporation (USA) and adopted as a Federal Information Processing Standard by the National Institute of Standards and Technology (NIST). This cryptographic algorithm is very high performance at the time of development, and has long secured commercial communication and document security. However, the reliability of DES is decreasing with the recent advancement of computer technology and the development of cryptographic theory. Therefore, NIST selected a common key encryption algorithm of the Rijndael method as AES by soliciting an encryption method to replace DES.

  The line dahl common key encryption algorithm is a block encryption method that handles a data sequence by dividing it into fixed-length blocks. The key word length-block word length combinations are 128 bits-128 bits, 192 bits-128 bits, In addition, it is characterized in that it can be specified independently from 256 bits to 128 bits. Another feature is that an SPN (substitution permutation network) structure is adopted in bit conversion. In the SPN structure, one round of processing is constituted by substitution processing (substitution) and transposition processing (permutation). In addition, a structure in which one round process includes substitution processing, transposition processing, and substitution processing is called a two-round SPN structure. For details on AES, refer to the AES specification (Internet <URL: http://www.csrc.nist.gov/publications/fips/fips197/fips-197.pdf>, search February 4, 2005 ).

  The AES encryption processing circuit as described above has already been put into practical use by being incorporated in, for example, a high-performance network device or a wireless LAN device for enterprises. Patent Document 1 below discloses a cryptographic circuit capable of reducing the circuit scale and realizing a certain level of high-speed processing when an AES cryptographic circuit is mounted.

  The round processing unit of the encryption circuit includes a first round key addition circuit that adds the value of the round key to the input data, and an intermediate register and shift that temporarily stores the output of the first round key addition circuit and executes shift row conversion. Row conversion circuit, Byte Sub conversion circuit that executes the Byte Sub conversion when the value of the intermediate register / Shift Row conversion circuit is input, and the value of the intermediate register / Shift Row conversion circuit is input and the Round Key value is added Second Round Key addition circuit, Mix Column conversion circuit that performs Mix Column conversion on the output of the second Round Key addition circuit, First selector, Intermediate register / Shift Row conversion circuit, Byte Sub conversion circuit, Mix Column conversion circuit And a second selector for outputting any one of the outputs to the second round key adding circuit (first page, FIG. 4).

In Patent Document 1, it is assumed that AES encryption is incorporated into a smart card (page 3, paragraph 0014). Some general-purpose processors for personal computers (PCs) have built-in hardware for AES encryption processing. For example, a C3 processor manufactured by VIA Technology (Taiwan) incorporates an AES encryption processing engine named PadLock. For details on PadLock, please refer to the VIA Technology website (Internet <URL: http://www.via.com.tw/en/products/processors/c3/>, search February 4, 2005)
Japanese Patent Laid-Open No. 2003-15522 (first and third pages, FIG. 4)

  Targets of devices on which the AES encryption processing circuit as described above is mounted are, for example, network communication devices where processing throughput is more important than cost, and, for example, IC cards are smaller than performance. There is a tendency to be polarized to the field where emphasis is placed on. In the former, there are many cases where processing throughput of the order of gigabits / second is required. On the other hand, in the latter case, it is considered that a processing throughput of about several megabits / second at most is sufficient.

  In general, in order to obtain processing throughput of the order of gigabit / second, it is necessary to implement a large-scale dedicated hardware logic that can process 128-bit data in one cycle. Actually, it is realized by installing a dedicated LSI that is hardware logic for most of the processing including generation of round keys (keys used in one round of processing and differ for each round). There are many cases.

  On the other hand, in order to obtain processing throughput of several megabits / second at most, only processing that requires a significant number of cycles is implemented in hardware, such as SubBytes conversion and MixColumns conversion, but other than that, Many of the arithmetic processes are realized by software.

  In the future, in order to actively introduce AES encryption in the so-called digital home appliance field, a mounting technique that can sufficiently secure the required encryption processing throughput while suppressing the cost as much as possible is desired. For example, since a data stream in Japanese digital high-definition broadcasting is 24 Mbps, all devices having a function for AES encryption and decryption of such a data stream must satisfy the above-described effective throughput.

  However, in recent digital home appliances, many functions are realized in a system LSI by integrating various functions into a system LSI, so that cost reduction is achieved without degrading performance. Therefore, a dedicated hardware LSI is used only for AES encryption. It is difficult to add, and it is not recommended in order to prevent the encryption key and decrypted data from being intentionally read from the outside. Further, even if an AES encryption process is to be realized by a microprocessor built in a system LSI and software for operating the microprocessor, such a microprocessor has an operating frequency and an ALU (arithmetic and logic unit) structure. For the reason, it is very difficult to satisfy the conditions regarding the cryptographic processing throughput.

  Therefore, in view of the above points, the present invention distributes the processing in encryption and decryption to hardware centered on a logic circuit and a microprocessor operating based on software, thereby achieving a desired processing throughput. An object of the present invention is to provide a semiconductor integrated circuit with reduced circuit scale or power consumption while realizing the above.

  In order to solve the above problems, a semiconductor integrated circuit according to the present invention includes a microprocessor that operates based on software and generates at least one key and a plurality of control signals used in cryptographic processing, and input text. A selection circuit that selects one of a plurality of input data groups obtained by dividing the bit length of the received data and a plurality of feedback data groups supplied via a feedback loop according to a control signal; and An operation is performed by sequentially using a storage circuit for storing a plurality of data groups to be output, and a plurality of input data groups output from the storage circuit and at least one key generated by the microprocessor as preprocessing according to a control signal. To generate a plurality of feedback data groups, supply them to the feedback loop, and then output from the storage circuit Performs encryption or decryption processing on multiple input data groups by converting the operation results obtained by sequentially using multiple feedback data groups with reference to the conversion table, and generates the converted data and the microprocessor A logic circuit that generates a plurality of feedback data groups and supplies them to the feedback loop by performing an operation using the at least one key sequentially.

  Here, the logic circuit converts the operation result performed using each feedback data group with reference to the conversion table, and uses the converted data and at least one key generated by the microprocessor. A plurality of feedback data groups generated by calculation and supplied to the feedback loop may be repeated a predetermined number of times.

  In addition, when the logic circuit finishes the encryption or decryption process for a plurality of input data groups, as a post-process, a calculation result obtained by sequentially using a plurality of feedback data groups output from the storage circuit is converted into a conversion table. A plurality of data groups to be output may be generated by converting with reference to FIG.

  Further, the logic circuit may include an exclusive OR circuit that obtains an exclusive OR of data converted with reference to the conversion table and at least one key generated by the microprocessor.

  The semiconductor integrated circuit may further include a first memory area for storing a conversion table used in the encryption process and a second memory area for storing the conversion table used in the decryption process. .

  In addition, the semiconductor integrated circuit may further include a second storage circuit that stores at least one feedback data group supplied to the feedback loop, or may perform an operation of a logic circuit to perform pipeline processing. A third storage circuit inserted in the middle of the data path may be further provided.

  In the above, this semiconductor integrated circuit may perform AES (Advanced Encryption Standard) encryption processing, and the microprocessor may generate a round key used in AES encryption processing.

  According to the present invention configured as described above, a microprocessor that generates at least one key and a plurality of control signals used in encryption processing, and a logic circuit that performs encryption or decryption processing by referring to a conversion table Thus, the circuit scale can be reduced while realizing a desired processing throughput.

Hereinafter, the best mode for carrying out the present invention will be described in detail with reference to the drawings. The same constituent elements are denoted by the same reference numerals, and the description thereof is omitted.
FIG. 1 is a block diagram showing a configuration of a semiconductor integrated circuit according to an embodiment of the present invention. This semiconductor integrated circuit (system LSI) includes a microprocessor 1 that operates based on software, and an accelerator 2 that includes a logic circuit that performs hardware processing and a memory. The microprocessor 1 and the accelerator 2 cooperate to perform AES encryption and decryption processing.

  Further, in the AES system encryption and decryption processing, it is necessary to access the memory area in which the round key is stored every processing cycle. Therefore, the buffer memory 3 for storing the round key is provided in the microprocessor 1. It is desirable to provide outside. The buffer memory 3 is a ring buffer memory in which reading and writing are each performed in only one direction, and the access address is incremented or decremented sequentially, and is a kind of FIFO. Writing to the buffer memory 3 is performed by the microprocessor 1 and reading is performed by the accelerator 2. Each memory line of the buffer memory 3 is composed of parallel 32 bits.

  In the present embodiment, the accelerator 2 is disposed in the vicinity of the microprocessor 1, and when viewed from the microprocessor 1, the accelerator 2 is higher than the main storage device in terms of the storage hierarchy, and is located inside the microprocessor 1. It is located lower than the register. In other words, the access between the accelerator 2 and the microprocessor 1 is slower than the internal register of the microprocessor 1 but faster than the main memory.

  As an example, the accelerator 2 is configured as an IP (intellectual property) for supporting AES encryption processing. Here, IP refers to a group of circuit blocks for realizing a predetermined function. Further, the accelerator 2 is suitable for being arranged in the vicinity of the microprocessor 1 built in the system LSI, for example, in a coprocessor interface.

  That is, the accelerator 2 functions as a virtual interface 4 for text input / output, control, and round key input, thereby realizing a coprocessor module 5. From the microprocessor 1, the coprocessor module 5 is registered. It looks as a type interface.

  As shown in FIG. 1, the accelerator 2 includes a register 6 for temporarily storing input data and data to be output, an arithmetic data path circuit 7 that performs hardware arithmetic regarding AES encryption processing, And a control circuit 8 for controlling the calculation operation in the calculation data path circuit 7 and controlling the input of the round key. In the present invention, all computations related to AES encryption processing are not implemented in hardware, but text processing with the largest computation amount is automatically performed by the accelerator 2, but key expansion ( The round key generation process is regarded as incidental and software processing is performed.

  FIG. 2 is a detailed block diagram showing an arithmetic data path circuit used in one embodiment of the present invention. According to the AES encryption specification, text input / output is based on 128 bits, but in the arithmetic data path circuit 7, 32 bits are used as a basic arithmetic unit. Accordingly, the 128-bit input text is input to the arithmetic data path circuit 7 over 4 cycles. In the present embodiment, one word is composed of 32-bit data. In FIG. 2, the thick line represents 128-bit data, and the thin line represents 32-bit data.

  In the arithmetic data path circuit 7, the four selectors 11 to 14 select data to be fed back from the input text or the temporary vector registers 121 to 123 through the feedback loop according to the control signal C 1. . First, an input text is selected, and a 128-bit (32 bits × 4 cycles) input text (svin) is sequentially selected by these selectors 11-14.

  Specifically, according to the control signal C1, the selector 11 selects data [127: 96], the selector 12 selects data [95:64], the selector 13 selects data [63:32], and the selector 14 selects data [31:00]. Here, [n: m] means data of bit numbers n to m. In this embodiment, in general, the bit number of the least significant bit is set to “0”, and the bit number is counted toward the upper bit.

  Data sequentially output from the selectors 11-14 is stored in 32-bit × 4 status vector registers 21-24. From the state vector registers 21 to 24, 32-bit data selected according to the control signal C2 is output together with 128-bit data. The 128-bit data output from the state vector registers 21 to 24 includes a first shift and select circuit (ShiftRows & Word Selector) 31, a direct word selector (Direct Word Selector) 32, and a second shift and select circuit. (InvShiftRows & Word Selector) 33.

  A first shift and select circuit (ShiftRows & Word Selector) 31 performs a ShiftRows conversion described in chapters 2.2 and 5.1.2 of the AES specification on 128-bit data, and generates a control signal. According to C3, one line is selected from the four lines obtained by dividing the converted 128-bit data into four, and is output to the selector. Here, ShiftRows conversion refers to conversion that is performed by cyclically shifting the last three rows in the state by a different offset with respect to the state (State) in the encryption process of the AES method. In addition, the state is an intermediate encryption result expressed as a two-dimensional matrix (rectangular array) of a plurality of bytes, and this two-dimensional matrix has 4 rows and Nb columns (for example, Nb = 4).

  The direct word selector (Direct Word Selector) 32 selects and outputs one word from 128-bit data (four words) in preprocessing or the like according to the control signal C6. The second shift and select circuit (InvShiftRows & Word Selector) 33 performs InvShiftRows conversion described in chapters 2.2 and 5.3.1 of the AES specification on 128-bit data, According to the control signal C 4, one line is selected from four lines obtained by dividing the converted 128-bit data into four, and is output to the first main selector 60. Here, InvShiftRows conversion refers to reverse conversion of ShiftRows conversion performed in the AES decoding process.

  On the other hand, 32-bit data output from one of the state vector registers 21 to 24 in accordance with the control signal C2 is input to the selector 42 and the transposition processing circuit (RotWord) 41. The transposition processing circuit 41 performs RotWord processing described in chapters 2.2 and 5.2 of the AES specification on the 32-bit data, that is, one word data. Here, RotWord refers to a function of extracting 4 bytes (1 word) of data and performing a cyclic transposition process in the key expansion process. Specifically, 32-bit data is rotated by 8 bits in the left direction (MSB direction).

  The selector 42 performs one-word data output from one of the state vector registers 21 to 24 according to the control signal C5, one line of data selected by the first shift and select circuit 31, and transposition processing. The 32-bit data is selected from the one-word data subjected to the cyclic transposition processing by the circuit 41, and the selected data is output to the first conversion table (S-box) 51.

  The first conversion table (S-box) 51 is a non-linear conversion processing table used for performing 1: 1 conversion processing of byte values in several types of byte conversion processing conversion and key expansion processing in AES encryption processing. It is. The first conversion table 51 is realized, for example, by arranging four ROMs using 8-bit address and 8-bit data in parallel with the input, and the input data is used as an address. Data corresponding to the address is read from the ROM. Data output from the first conversion table 51 is input to the first main selector 60.

  One line of data selected by the second shift and select circuit 33 is input to a second conversion table (InvS-box) 52. The second conversion table (InvS-box) 52 is a non-linear substitution processing table used for performing 1: 1 substitution processing of byte values in the AES decoding process. The second conversion table 52 is realized, for example, by arranging four ROMs using an 8-bit address and 8-bit data in parallel with the input, and the input data is used as an address. Data corresponding to the address is read from the ROM. Data output from the second conversion table 52 is input to the first main selector 60.

  The first main selector 60 includes 1-word data output from the first conversion table 51, 1-word data output from the direct word selector 32, and 1-word output from the second conversion table 52. The data of 1 word is selected from the data of 1 in accordance with the control signal C7, the selected 1 word of data is output to the exclusive OR (XOR) circuit 70 and the second main selector 80, and 128 bits ( It is output sequentially as output text (svout) of 32 bits × 4 cycles.

  The control circuit 8 shown in FIG. 1 supplies a 32-bit round key (rdkey) to the arithmetic data path circuit 7 together with the control signals C1 to S10. The XOR circuit 70 obtains an exclusive OR of the data output from the first main selector 60 and the round key in the decryption process and the pre-process / post-process, and outputs the exclusive OR to the second main selector 80.

  The second main selector 80 selects one of the data output from the first main selector 60 and the data output from the XOR circuit 70 in accordance with the control signal C8, and the selected data is subjected to column mixing. Output to the circuit (MixCol & InvMixCol) 90 and the third main selector 110.

  The column mixing circuit 90 converts the input data into MixColumns conversion described in chapters 2.2 and 5.1.3 of the AES specification, and chapters 2.2 and 5.3 of the AES specification. Perform one of the InvMixColumns conversions described in Chapter 3. Here, MixColumns conversion refers to conversion in which all columns in a state are taken and a new column is created by mixing these data in an AES encryption process. InvMixColumns conversion refers to reverse conversion of MixColumns conversion in the AES decoding process. Since the arithmetic expression for MixColumns conversion is included in the arithmetic expression for InvMixColumns conversion, the column mixing circuit 90 is integrated into one circuit. The column mixing circuit 90 outputs MixColumns-converted data to the input data to the XOR circuit 100 and outputs InvMixColumns-converted data to the third main selector 110.

  In the encryption process, the XOR circuit 100 obtains an exclusive OR of the MixColumns conversion data output from the column mixing circuit 90 and the round key, and outputs it to the third main selector 110. In accordance with the control signal C9, the third main selector 110 includes data output from the second main selector 80, data output from the XOR circuit 100, and InvMixColumns conversion data output from the column mixing circuit 90. Is selected as data representing the operation result in the operation data path, and the selected data is sequentially output to the 96-bit width temporary vector registers 121 to 123 and the feedback loop.

  Specifically, according to the control signal C10, data [127: 96] is stored in the temporary vector register 121, data [95:64] is stored in the temporary vector register 122, and data [63:32] is stored in the temporary vector register 123. ] And these data are sequentially supplied to the feedback loop together with the data [31:00] output directly to the feedback loop. Note that data storage in the temporary vector registers 121, 122, and 123 is individually controlled by the control signal C10. Data supplied to the selectors 11 to 14 through the feedback loop is sequentially copied to the state vector registers 21 to 24. Thereby, one cycle of processing is completed.

  In the encryption and decryption processing as described above, a period of 4 cycles is required to perform one unit of processing on 128-bit data. In this process, the 96-bit width temporary vector registers 121 to 123 are used as a buffer for three words. A 32-bit (1 word) operation is repeated in each cycle, and the operation results of the first to third cycles are stored in the temporary vector registers 121 to 123. When the calculation result of the fourth cycle is obtained, the 128-bit calculation result is supplied and copied to the state vector registers 11 to 14 through the feedback loop, thereby completing one unit of processing.

  One unit of processing is performed 11 times when the key length is 128 bits in the basic mode, 13 times when the key length is 192 bits, and when the key length is 256 bits. Is executed 15 times, the encryption or decryption processing of one text block is completed. Therefore, for encryption or decryption processing of one text block, the key length is 44 cycles when the key length is 128 bits, and the key length is 192 bits when the key length is 52 cycles. If the length is 256 bits, 60 cycles are required.

  In the arithmetic data path circuit shown in FIG. 2, sequential logic circuits (registers) are used only at both ends, and the other parts are composed of combinational logic circuits and memories. Loss does not occur. Further, the circuit configuration is simple and the substrate area can be reduced.

  Further, in the arithmetic data path circuit shown in FIG. 2, there is a feedback loop from the right end portion to the left end portion, but there is no local feedback loop, so there is a degree of freedom in the circuit configuration. For example, the processing speed can be doubled or quadrupled by expanding the scale of the combinational logic circuit so that 2-word or 4-word data can be processed in parallel. In that case, the number of words to be processed in parallel may be changed from the viewpoint of processing throughput and power consumption required during operation.

  The encryption process in the arithmetic data path circuit shown in FIG. 2 will be described with reference to FIGS. In the present embodiment, the input text having a basic key word length of 128 bits is divided into four data groups # 0 to # 3 every 32 bits, and in each step, these data groups # 0 to # 3 correspond to these. The process of 4 cycles is repeated.

  FIG. 3 is a flowchart showing encryption processing in the arithmetic data path circuit shown in FIG. First, in step S11, the control circuit 8 shown in FIG. 1 sets the value of the control signal C1, so that the selectors 11 to 14 sequentially select the four data groups # 0 to # 3 in the input text, Stored in the state vector registers 21 to 24, respectively.

  In step S12, preprocessing is performed using four data groups # 0 to # 3 sequentially output from the direct word selector 32 in accordance with the control signal C6. That is, the data output from the direct word selector 32 is selected in the first main selector 60, the data output from the XOR 70 is selected in the second main selector 80, and the data output from the XOR 70 is selected in the third main selector 110. The data output from the second main selector 80 is selected.

  During the processing of the first to third data groups # 0 to # 2, the current states of the selectors 11 to 14 and the state vector registers 21 to 24 are maintained, and the respective operation results are sequentially stored in the temporary vector registers 121 to 123. Stored. During the processing of the fourth data group # 3, the current state of the temporary vector registers 121 to 123 is maintained, and the four data groups # 0 to # 3 supplied to the selectors 11 to 14 through the feedback loop are in the state. Copied to vector registers 21-24.

In steps S13 to S14, an encryption process is performed.
In step S13, the data of lines # 0 to # 3 are sequentially output from the first shift and select circuit 31 according to the control signal C3, and data conversion is performed by referring to the first conversion table 51. That is, the selector 42 selects the data output from the first shift and select circuit 31, the first main selector 60 selects the data output from the first conversion table 51, and the second main In the selector 80, data output from the first main selector 60 is selected, and in the third main selector 110, data output from the XOR 100 is selected. Here, the XOR 100 obtains an exclusive OR of the data subjected to the Mixcolumns processing in the column mixing circuit 90 and the round key.

  During the processing of the first to third data groups # 0 to # 2, the current states of the selectors 11 to 14 and the state vector registers 21 to 24 are maintained, and the respective operation results are sequentially stored in the temporary vector registers 121 to 123. Stored. During the processing of the fourth data group # 3, the current state of the temporary vector registers 121 to 123 is maintained, and the four data groups # 0 to # 3 supplied to the selectors 11 to 14 through the feedback loop are in the state. Copied to vector registers 21-24.

  In step S14, it is determined whether or not a predetermined number of processes have been completed for each of the four data groups # 0 to # 3. Here, the predetermined number of times is 8 when the basic key word length is 128 bits, 10 times when the basic key word length is 192 bits, and the basic key word length is 256 bits. There are 12 times. If the predetermined number of processes has not been completed, the process returns to step S13 and the encryption process is repeated. If the predetermined number of processes have been completed, the process proceeds to step S15.

  In step S15, post-processing is performed using data of lines # 0 to # 3 sequentially output from the first shift and select circuit 31 according to the control signal C3. That is, the selector 42 selects the data output from the first shift and select circuit 31, the first main selector 60 selects the data output from the first conversion table 51, and the second main In the selector 80, data output from the XOR 70 is selected, and in the third main selector 110, data output from the second main selector 80 is selected.

  During the processing of the first to third data groups # 0 to # 2, the current states of the selectors 11 to 14 and the state vector registers 21 to 24 are maintained, and the respective operation results are sequentially stored in the temporary vector registers 121 to 123. Stored. During the processing of the fourth data group # 3, the current state of the temporary vector registers 121 to 123 is maintained, and the four data groups # 0 to # 3 supplied to the selectors 11 to 14 through the feedback loop are in the state. Copied to vector registers 21-24.

  In step S 16, the encrypted text is output from the first main selector 60. That is, the current state of the selectors 11 to 14 and the state vector registers 21 to 24 is maintained, and in the direct word selector 32, the first to fourth data groups # 0 to # 3 output from the state vector registers 21 to 24 are sequentially supplied. The first main selector 60 selects the data output from the direct word selector 32.

  Decoding processing in the arithmetic data path circuit shown in FIG. 2 will be described with reference to FIGS. In the present embodiment, the input text having a basic key word length of 128 bits is divided into four data groups # 0 to # 3 every 32 bits, and in each step, these data groups # 0 to # 3 correspond to these. The process of 4 cycles is repeated.

  FIG. 4 is a flowchart showing a decoding process in the arithmetic data path circuit shown in FIG. First, in step S21, the control circuit 8 shown in FIG. 1 sets the value of the control signal C1, so that the selectors 11 to 14 sequentially select the four data groups # 0 to # 3 in the input text, Stored in the state vector registers 21 to 24, respectively.

  In step S22, preprocessing is performed using the four data groups # 0 to # 3 sequentially output from the direct word selector 32 in accordance with the control signal C6. That is, the data output from the direct word selector 32 is selected in the first main selector 60, the data output from the XOR 70 is selected in the second main selector 80, and the data output from the XOR 70 is selected in the third main selector 110. The data output from the second main selector 80 is selected.

  During the processing of the first to third data groups # 0 to # 2, the current states of the selectors 11 to 14 and the state vector registers 21 to 24 are maintained, and the respective operation results are sequentially stored in the temporary vector registers 121 to 123. Stored. During the processing of the fourth data group # 3, the current state of the temporary vector registers 121 to 123 is maintained, and the four data groups # 0 to # 3 supplied to the selectors 11 to 14 through the feedback loop are in the state. Copied to vector registers 21-24.

In steps S23 to S24, a decoding process is performed.
In step S23, the data of lines # 0 to # 3 are sequentially output from the second shift and select circuit 32 in accordance with the control signal C4, and data conversion is performed by referring to the second conversion table 52. That is, the selector 42 selects the data output from the second shift and select circuit 32, the first main selector 60 selects the data output from the second conversion table 52, and the second main In the selector 80, data output from the XOR 70 is selected, and in the third main selector 110, data that has been subjected to InvMixcolumns processing in the column mixing circuit 90 is selected. Here, the XOR 70 obtains an exclusive OR of the data output from the first selector 60 and the round key.

  During the processing of the first to third data groups # 0 to # 2, the current states of the selectors 11 to 14 and the state vector registers 21 to 24 are maintained, and the respective operation results are sequentially stored in the temporary vector registers 121 to 123. Stored. During the processing of the fourth data group # 3, the current state of the temporary vector registers 121 to 123 is maintained, and the four data groups # 0 to # 3 supplied to the selectors 11 to 14 through the feedback loop are in the state. Copied to vector registers 21-24.

  In step S24, it is determined whether or not a predetermined number of processes have been completed for each of the four data groups # 0 to # 3. Here, the predetermined number of times is 8 when the basic key word length is 128 bits, 10 times when the basic key word length is 192 bits, and the basic key word length is 256 bits. There are 12 times. If the predetermined number of processes have not been completed, the process returns to step S23 and the decoding process is repeated. If the predetermined number of processes have been completed, the process proceeds to step S25.

  In step S25, post-processing is performed using data of lines # 0 to # 3 sequentially output from the second shift and select circuit 33 in accordance with the control signal C4. That is, the selector 42 selects the data output from the second shift and select circuit 33, the first main selector 60 selects the data output from the second conversion table 52, and the second main In the selector 80, data output from the XOR 70 is selected, and in the third main selector 110, data output from the second main selector 80 is selected.

  During the processing of the first to third data groups # 0 to # 2, the current states of the selectors 11 to 14 and the state vector registers 21 to 24 are maintained, and the respective operation results are sequentially stored in the temporary vector registers 121 to 123. Stored. During the processing of the fourth data group # 3, the current state of the temporary vector registers 121 to 123 is maintained, and the four data groups # 0 to # 3 supplied to the selectors 11 to 14 through the feedback loop are in the state. Copied to vector registers 21-24.

  In step S <b> 26, the decrypted text is output from the first main selector 60. That is, the current state of the selectors 11 to 14 and the state vector registers 21 to 24 is maintained, and in the direct word selector 32, the first to fourth data groups # 0 to # 3 output from the state vector registers 21 to 24 are sequentially supplied. The first main selector 60 selects the data output from the direct word selector 32.

Next, a modified example of the arithmetic data path circuit used in one embodiment of the present invention will be described.
FIG. 5 is a detailed block diagram showing a modification of the arithmetic data path circuit used in the embodiment of the present invention. This arithmetic data path circuit has a pipeline register 130 inserted in an intermediate portion of the arithmetic data path circuit shown in FIG.

  As shown in FIG. 5, by inserting a 32-bit wide pipeline register 130 immediately after the first main selector 60, two phases are provided in each phase of preprocessing, encryption processing, decryption processing, and postprocessing. Since the stage pipeline processing can be realized, the operation speed is expected to be improved. As described above, according to the present invention, the data path can be pipelined by appropriately inserting the intermediate register, so that the processing speed in the arithmetic data path circuit can be easily increased according to the operating frequency of the microprocessor. is there.

1 is a block diagram showing a configuration of a semiconductor integrated circuit according to an embodiment of the present invention. The block diagram which shows the calculation data path circuit in one Embodiment of this invention. The flowchart which shows the encryption process in the calculation data path circuit shown in FIG. 3 is a flowchart showing a decoding process in the arithmetic data path circuit shown in FIG. 2. The block diagram which shows the modification of the arithmetic data path circuit in one Embodiment of this invention.

Explanation of symbols

1 microprocessor, 2 accelerator, 3 buffer memory, 4 virtual interface, 5 coprocessor module, 6 registers, 7 arithmetic data path circuit, 8 control circuit, 11-14, 42 selector, 21-24 status vector register, 31st 1 shift and select circuit, 32 direct word selector, 33 second shift and select circuit, 41 transposition processing circuit, 51 first conversion table, 52 second conversion table, 60 first main selector, 70, 100 XOR circuit, 80 second main selector, 90 column mixing circuit, 110 third main selector, 121-123 temporary vector register, 130 pipeline register

Claims (8)

A microprocessor that operates based on software and generates at least one key and a plurality of control signals used in cryptographic processing;
Selection that selects one of a plurality of input data groups obtained by dividing the bit length of data included in the input text and a plurality of feedback data groups supplied via a feedback loop according to a control signal Circuit,
A storage circuit for storing a plurality of data groups output from the selection circuit;
According to the control signal, as a pre-processing, a plurality of feedback data groups are generated by performing an operation by sequentially using a plurality of input data groups output from the storage circuit and at least one key generated by the microprocessor. To the feedback loop, and then, with respect to the plurality of input data groups by converting the calculation results obtained by sequentially using the plurality of feedback data groups output from the storage circuit with reference to the conversion table A plurality of feedback data groups are generated by performing an operation using encryption or decryption processing, sequentially using the converted data and at least one key generated by the microprocessor, and supplying the plurality of feedback data groups to the feedback loop Logic circuit;
A semiconductor integrated circuit comprising:   The logic circuit converts an operation result performed using each feedback data group with reference to the conversion table, and uses the converted data and at least one key generated by the microprocessor. The semiconductor integrated circuit according to claim 1, wherein a plurality of feedback data groups are generated by operation and supplied to the feedback loop is repeated a predetermined number of times.   When the logic circuit finishes encryption or decryption processing for a plurality of input data groups, as a post-processing, a calculation result obtained by sequentially using a plurality of feedback data groups output from the storage circuit is converted into a conversion table. The semiconductor integrated circuit according to claim 1, wherein a plurality of data groups to be output are generated by converting with reference to FIG.   The logic circuit includes an exclusive OR circuit that calculates an exclusive OR of data converted with reference to the conversion table and at least one key generated by the microprocessor. The semiconductor integrated circuit according to any one of claims.   5. The apparatus according to claim 1, further comprising: a first memory area that stores a conversion table used in the encryption process; and a second memory area that stores a conversion table used in the decryption process. The semiconductor integrated circuit as described.   The semiconductor integrated circuit according to claim 1, further comprising a second storage circuit that stores at least one feedback data group supplied to the feedback loop.   The semiconductor integrated circuit according to claim 6, further comprising a third storage circuit inserted in the middle of an arithmetic data path of the logic circuit to perform pipeline processing.   8. The semiconductor integrated circuit according to claim 1, wherein the semiconductor integrated circuit performs AES (Advanced Encryption Standard) encryption processing, and the microprocessor generates a round key used in AES encryption processing. Semiconductor integrated circuit.

Images