CN101114903B - High grade encrypting criterion encrypter in Gbpassive optical network system and implementing method thereof - Google Patents
High grade encrypting criterion encrypter in Gbpassive optical network system and implementing method thereof Download PDFInfo
- Publication number
- CN101114903B CN101114903B CN2007101304023A CN200710130402A CN101114903B CN 101114903 B CN101114903 B CN 101114903B CN 2007101304023 A CN2007101304023 A CN 2007101304023A CN 200710130402 A CN200710130402 A CN 200710130402A CN 101114903 B CN101114903 B CN 101114903B
- Authority
- CN
- China
- Prior art keywords
- module
- data
- counter value
- key
- frame
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Active
Links
Images
Landscapes
- Storage Device Security (AREA)
Abstract
The invention discloses an advanced encryption standard (AES) encryption device of a gigabit passive optical network which comprises a data writing buffer module to save temporarily an encrypted source data, an encrypted information cache module to save temporarily a frame length encrypted with plaintext, an initial counter value and an initial key, an AES processing module to carry out data encryption, a data reading buffer module to save temporarily an encrypted data security data, an encrypted scheduling module to read and save temporarily a key and a frame length from the encrypted information cache module, to generate a counter value stream, to schedule the AES processing module, to input the processed counter value, security and source data into AES processing module and then transmit the encrypted data to the data reading buffer module. The invention further discloses a realizing method of the encryption device. The invention solves the problem that the prior art cannot adjust to higher needs of a bandwidth and a system frequency in a GPON high-speed system and satisfies the requirement of a fixed encryption delay in the GPON high-speed system at the same time.
Description
Technical field
The present invention relates to communication field, relate in particular to the middle-and-high-ranking encryption standard encryption device of a kind of Gbit passive optical network system and its implementation.
Background technology
Since calendar year 2001 aes algorithm standardization, many in the world research institutions have proposed the hardware implementation mode of multiple aes algorithm, but also there is not a kind of mode under the condition that guarantees certain logic scale, to possess higher encryption bandwidth at present, and the interface that they provide also is difficult to combine with the actual conditions of GPON chip, therefore can't satisfy the actual demand of GPON chip.
Adopting aes algorithm to encrypt is in order to satisfy the demand of GPON system for fail safe and reliability.Because common aes algorithm is realized complicated, it is huge to consume logic, therefore takes a kind of good implementation that control chip logic scale is had very important meaning.
In existing implementation method, all be adopt fixed clock in the cycle (as 22 clock cycle) finish the encryption of fixed data length (as 128bits), single encrypting module is difficult to the encryption bandwidth that reaches higher, if adopt a plurality of encrypting modules can expend a large amount of resources again, be not suitable at GPON etc. and realize in to the High Speed System of encrypting bandwidth higher demand being arranged.
Summary of the invention
The technical problem to be solved in the present invention just provides the middle-and-high-ranking encryption standard encryption device of a kind of Gbit passive optical network system and its implementation, overcome and encrypted bandwidth deficiency and the too much shortcoming of logical resource consumption in the prior art, solve the demand of can't adapting to that exists in the prior art, satisfy the requirement of fixed-encryption time delay in the GPON system simultaneously as higher encryption bandwidth and system frequency in the High Speed Systems such as GPON.
In order to solve the problems of the technologies described above, the invention provides the middle-and-high-ranking encryption standard encryption device of a kind of Gbit passive optical network system, comprising:
Write data buffer zone module W-FIFOs is used for the clear data that buffer memory need be encrypted;
The enciphered message cache module is used for the frame length that buffer memory needs each frame of encrypting plaintext, initial counter value and initial key;
Advanced Encryption Standard AES processing module is used to finish data encryption;
Read data buffer module R-FIFOs is used for the encrypt data after encrypting is carried out buffer memory;
Encrypt scheduler module, be used for extracting frame length, initial key, the initial counter value of enciphered message cache module, read clear data from the write data buffer zone module, generate the Counter Value of encrypting needs according to initial counter value, the frame length of the clear data of Jia Miing produces and encrypts enable signal as required, key, Counter Value and clear data are sent into the AES processing module encrypt, and the data encrypted of AES processing module output is sent into the read data buffer module.
Further, the write data buffer zone module comprises:
Write fifo circuit at least two, be used to store the clear data that writes;
The write pointer counter is used for indication in turn and writes fifo circuit;
The shift enable control circuit is used for the value according to the write pointer counter, writes fifo circuit by the displacement turn enable, is enabled state when writing fifo circuit, then clear data can be write this and write in the fifo circuit.
Further, the fifo circuit of writing of write data buffer zone module is 4, and each bit wide is 32.
Further, described enciphered message cache module buffer memory two frame informations use the two-stage d type flip flop to realize that wherein, every frame information comprises the frame length of each frame, initial counter value and initial key.
Further, described encryption scheduler module comprises:
Cipher key frame long letter breath memory module is used to store the frame length that reads out from the enciphered message cache module and the key of current encrypted frame;
Scheduler module is used for receiving, transmitting control signal, and reads the frame length of cipher key frame long letter breath memory module buffer memory and the key of current encrypted frame, send to the AES processing module, and the control counter generation module generates Counter Value;
The counter generation module is used for reading initial counter value from the enciphered message cache module, generates Counter Value, sends to the AES processing module.
Further, at least 2 of described AES processing modules, each AES processing module includes:
The first XOR module is used for the key sum counter value of input is carried out XOR;
First d type flip flop is used to latch the output result of the first XOR module;
First selector, the output that is used for selecting first d type flip flop when the 1st takes turns cryptographic calculation are as input value, and in 9 computings of taking turns, the output of selecting 3d flip-flop is as input value in the back;
Second d type flip flop is used to latch the output result of first selector;
Byte conversion and row shift module are used for the data that receive are carried out byte conversion and row shifting function;
Row hybrid operation module is used for the data that receive are carried out the row hybrid operation;
Second selector is used for taking turns outputs that computing selects row hybrid operation module as input value preceding 9, in the end 1 take turns in the computing, with the output of byte conversion and row shift module as input value;
Cipher key expansion module is used for obtaining current key by getting wheel constant table respective column and last key XOR;
The second XOR module is used for XOR is carried out in the output of second selector and the output of cipher key expansion module;
3d flip-flop is used to latch the output result of the second XOR module;
The 3rd XOR module is used for carrying out XOR to encrypting back Counter Value and clear data;
Four d flip-flop is used to latch the output result of the 3rd XOR module.
Further, getting the wheel constant table in the described cipher key expansion module uses initial value to be respectively two shift registers of hexadecimal number 001 and hexadecimal number 06c, by using these two shift registers of wheel counter gating, ring shift left under the control of wheel counter produces wheel constant table respective column.
Further, described read data buffer module comprises:
Read fifo circuit at least two, be used to store the encrypt data that writes after the encryption;
The read pointer counter is used for indication in turn and reads fifo circuit;
The shift enable control circuit is used for the value according to the read pointer counter, reads fifo circuit by the displacement turn enable, is enabled state when reading fifo circuit, then encrypt data can be read; When data were read sky, the first in first out spacing wave was read in the output of read data buffer module, suspends sense data.
Further, the fifo circuit of reading of described read data buffer module is 4, and each bit wide is 32.
In order to solve the problems of the technologies described above, the present invention also provides the implementation method of the middle-and-high-ranking encryption standard encryption device of a kind of Gbit passive optical network system, comprises the steps:
(1) the write data buffer zone module receives and buffer memory clear data to be encrypted, and enciphered message cache module buffer memory needs the frame length of each frame of encrypting plaintext, initial counter value and initial key;
(2) the encryption scheduler module is extracted frame length, initial key, the initial counter value in the enciphered message cache module, read clear data from the write data buffer zone module, generate the Counter Value of encrypting needs according to initial counter value, according to frame length, key, Counter Value and clear data are sent into the AES processing module encrypt;
(3) ciphertext after the encryption scheduler module will be encrypted is sent into the read data buffer module and is carried out buffer memory.
Further, the write data buffer zone module receives and buffer memory clear data to be encrypted in the described step (1), comprising:
Receive when the write data buffer zone module and to write enable signal, then write fifo circuit in the turn enable write data buffer zone module, in turn clear data to be encrypted is write fifo circuit.
Further, described step (2) comprises the steps:
(a) encrypt scheduler module and extract frame length, initial key, initial counter value from the enciphered message cache module;
(b) encrypt scheduler module and calculate the piece number that needs are encrypted, produce the corresponding enable signal of encrypting according to frame length;
(c) encrypt scheduler module initial key, initial counter value are sent into the AES processing module, the AES processing module is encrypted key sum counter value;
(d) encrypt scheduler module clear data is sent into the AES processing module, carry out XOR, the ciphertext after obtaining encrypting with Counter Value after encrypting.
Further, encrypt scheduler module key, Counter Value are divided into a plurality of 128 pieces, form the key sum counter value of many groups 128 * 2.
Further, described Counter Value comprises frame inside counting device value, interframe Counter Value, encrypt after scheduler module is merged into 46 bit widths with 16 frame inside counting device value and 30 s' interframe Counter Value, again this value of 46 is duplicated 3 times, be spliced into 138 bit wides, remove high 10, remaining 128 as Counter Value.
Further, encrypt scheduler module, use key identical same frame data, 128 of every encryptions, frame inside counting device value adds fixed length 1, does not need carry.
Further, in the described step (c), the AES processing module also generates new key according to initial key: by getting wheel constant table respective column and last key XOR, obtain current key.
Further, after described step (3) is carried out, if receiving, described read data buffer module reads enable signal, then the fifo circuit of reading of read data buffer module is sent data in turn successively, when data are read sky, the first in first out spacing wave is read in the output of read data buffer module, suspends sense data.
Adopt the method for the invention, can guarantee descending encryption bandwidth 2.4Gbits/s, consume 3146 ALUT, only take 2194 registers, compared with prior art, reach the cipher round results of GPON system requirements, obtained higher encryption bandwidth, save logical resource, improved the system works frequency.
Description of drawings
Fig. 1 is the principle of aes algorithm counter mode;
Fig. 2 is the aes algorithm calculation procedure under the counter mode;
Fig. 3 is an embodiment of the invention structured flowchart;
Fig. 4 is the write data buffer zone module structured flowchart of the embodiment of the invention;
Fig. 5 is the write data buffer zone module correlation timing of the embodiment of the invention;
Fig. 6 is the encryption scheduler module structured flowchart of the embodiment of the invention;
Fig. 7 is the key signal sequential of the encryption scheduler module of the embodiment of the invention;
Fig. 8 is the AES processing module structured flowchart of the embodiment of the invention;
Fig. 9 is the key signal sequential of the AES processing module of the embodiment of the invention;
Figure 10 is the read data buffer modular structure block diagram of the embodiment of the invention.
Embodiment
The embodiment of the invention combines the application background of GPON system, in ciphering process, introduce two-stage flowing water, once can encrypt two 128 bit data, be complementary with the shortest frame length 32 bytes of GPON system, make full use of streamline length simultaneously, and multiplexing two encrypted circuits, operation simultaneously, improve and encrypt bandwidth, satisfy system requirements, in the cipher key expansion module of AES cryptographic algorithm, realize the function of Rcon (wheel constant table) in addition, saved logical resource by designing two shift registers of 10 ' h001 and 10 ' h06c.Implementation method is as follows:
A) realization of input metadata cache.The write data buffer zone module is used for buffer memory incoming frame data.System descending frame rate peak value is 4Gbits/s, and the maximum processing bandwidth of encrypting scheduler module is that 3.2Gbits/s speed does not each other all match, therefore buffering area need be set carries out smoothly data stream, here adopt the FIFO (fifo circuit) of 4 bit wide 32bits to carry out buffer memory, finish of the splicing of incoming frame data 32bit bit wide simultaneously, improve and encrypt bit wide to encrypting plaintext data 128bits bit wide.
B) realization of enciphered message buffer memory.The enciphered message cache module is the frame length of unit each frame of buffer memory, initial counter value and initial key with the frame.Because only need buffer memory two frame informations, so adopt two-stage d type flip flop buffer memory, realize saving readout time of cache information with d type flip flop, save resource.Also can come buffer memory with RAM, RAM is than the buffer memory that is more suitable for bulk information.
C) encrypt the realization of dispatching.Encrypting scheduler module is design key, it is responsible for reading and buffer memory key and frame length, generation Counter Value stream, finish the scheduling of two AES processing modules and read clear data and send into the AES processing module, and AES processing module encrypted ciphertext is sent into output buffers.When new frame to be encrypted arrives, at first extract the information of frame length, initial key, initial counter value, the frame length of the clear data of encrypting as required produces and encrypts enable signal again, simultaneously key, Counter Value is delivered to the AES processing module together and encrypts.The data of going out from the encryption scheduler module have not just had the notion of frame, but organize 128 * 2 Counter Value more.In order to make full use of flowing water, carry out sending into one group of 256 new bit data when last is taken turns immediately at encrypted circuit, begin next group encryption computing.
D) realization of AES encryption.The AES processing module is introduced two-stage flowing water under the control of encrypting scheduler module, the process that initial counter value that provides according to system and initial key are finished data encryption.Ciphering process need be divided into 10 takes turns circulation and carries out, and whenever takes turns circulation and comprises processes such as byte is replaced, line feed operation, rank transformation, key XOR, and wherein last takes turns the operation that does not have rank transformation.Each key of taking turns is all different, all is to obtain new key as cipher key spreading on the basis of last round of key.The data encrypted that obtains behind Counter Value after the encryption and the clear data XOR.
E) realization of dateout buffer memory.The read data buffer module is carried out buffer memory with data encrypted, and wait is called.Adopt the FIFO of 4 bit wide 32bit to carry out buffer memory, finish simultaneously and encrypt of the conversion of back data 128bit bit wide, return reliable encrypted result to output frame data 32bit bit wide.
The present invention is described in further detail below in conjunction with accompanying drawing:
Aes algorithm has 5 kinds of mode of operations: electronic codebook mode, password packet train, cipher feedback, output feedback and counter mode.What GPON adopted is the counter mode that is fit to express network, can produce random cipher stream in this way easily, is difficult to more be decrypted, and present embodiment adopts following 128 aes algorithms of counter mode to realize.
The principle of aes algorithm counter mode as shown in Figure 1.
K is a key, and ctr0-ctrn is a Counter Value; P0-Pn is the plaintext before encrypting, and each all is 128 expressly, and in this example, n is 128, the value of counter, key, expressly, ciphertext all is 1 of 1 correspondence; C0-Cn is the ciphertext after encrypting.Under counter mode, what carry out the AES encryption is not expressly, but the value of counter.Value after ciphertext is encrypted by counter and plaintext be XOR and producing mutually.
Aes algorithm calculation procedure under the counter mode as shown in Figure 2.
Only carry out key during initialization and add computing, just with Counter Value and key XOR mutually.The 1st takes turns to the 9th takes turns, more than the result that adds of a round key for the basis, carry out byte conversion → row displacement → row hybrid operation → expanded keys add operation.Last is taken turns and takes turns slightly differently with front 9, and row hybrid operation operation has only byte conversion → row displacement → expanded keys add operation.After step was in front finished (also promptly the encryption of Counter Value being finished), Counter Value and corresponding plaintext XOR after will encrypting obtained ciphertext output again.
As shown in Figure 3, the AES encryption device of present embodiment comprises that write data buffer zone module W-FIFOs, enciphered message cache module, read data buffer module R-FIFOs encrypt scheduler module and two AES processing modules are AES processing module a and AES processing module b.Be-encrypted data is buffer memory in the W-FIFOs of encryption device earlier, the frame length of each frame, initial counter value and initial key be buffer memory in the enciphered message cache module, scheduler module is sent be-encrypted data, Counter Value and initial key into AES processing module a or AES processing module b carries out encryption by encrypting then, puts into read data buffer module R-FIFOs again and wait for data after subordinate's module reading encrypted after handling.
As shown in Figure 4, write data buffer zone module W_FIFOs mainly by 4 bit wides be 32, the degree of depth is 16 fifo circuit FIFO (write fifo circuit W_FIFO1~W_FIFO4) and write pointer counter, the shift enable control circuit is formed.Writing end is to cooperate 32 data/address bus to write 32 data at every turn, and four FIFO write in turn; Read end because the encryption bit wide of AES is 128, reading 128 data at every turn simultaneously.
The relevant control that writes end is described below: four FIFO take turns back operations; next frame should begin to write from first FIFO after a frame is handled; and the write signal of higher level's module therefore compose buffer be about to full and suspend and write, need to adopt the write pointer protection this moment but not write pointer resets.In order to address this problem, having adopted the method for displacement control to realize that data select the function that writes: 4 of the shift enable shift_reg sign of the shift register in the shift enable control circuit respectively corresponding four FIFO write enable signal, write in higher level's module and to enable the valid period, realize wheel back operations different FIFO by displacement; Then it goes without doing handles to the data passage, directly is connected to each FIFO and gets final product.When frame data were handled, shift_reg resetted; If in a frame process, interrupt, just suspend displacement, when treating higher level's module recovery write operation, follow original FIFO position again and continue to write new data.
Correlation timing as shown in Figure 5, wherein:
Clk1: expression system clock;
Wren, data_in: writing of expression higher level module enables and write data;
Wfifo_1_wren, wfifo_2_wren, wfifo_3_wren, wfifo_4_wren: writing of 4 FIFO of expression enables;
Shift_reg: the shift enable sign of expression shift register;
Cnt_clr: the reset signal of expression shift register;
Data_cnt: the value of the counter of data fifo is write in expression;
Data_length: the data length that expression higher level module writes.
Concrete operations are as follows: when higher level's module needs write data, send the wren enable signal, and data data_in and the data length data_length that writes provided simultaneously, the write data buffer zone module enables to put 1 with writing of 4 FIFO respectively according to the difference of the value of shift enable sign, after finishing this write operation of taking turns, provide the reset signal cnt_clr of shift register, shift register is clear 0, prepare next data writing operation.
Encrypt that scheduler module is responsible for reading and buffer memory key and frame length, response higher level module, produce Counter Value stream and the scheduling of two AES processing modules.As shown in Figure 6, encrypt scheduler module and comprise cipher key frame long letter breath memory module, scheduler module, counter generation module.Key, frame length information storage module are used for storing the frame length that reads out from the enciphered message cache module and the key of current encrypted frame.The counter generation module is used for reading initial counter value from the enciphered message cache module, generates corresponding Counter Value, sends to the AES processing module.Scheduler module is used for receiving, transmitting control signal, and reads key, the frame length of frame length information storage module buffer memory and the key of current encrypted frame, send to the AES processing module, and the control counter generation module generates Counter Value.
Encrypt scheduler module when new encrypted frame arrives, at first extract Counter Value between frame length, initial key, initial frame inside counting device value, initial frame from the enciphered message cache module, because encrypting, AES carries out according to piece, need calculate how many pieces of needs according to frame length so encrypt scheduler module, produce the corresponding enable signal of encrypting then, simultaneously, key, Counter Value being delivered to the AES processing module together encrypts.From encrypting coded signal that scheduler module goes out and just do not had the notion of frame, but a long frame is cut into the piece of a plurality of 128bits, forms the key sum counter values of many groups 128 * 2.Send into the Counter Value bit wide 128 of counter generation module, be that interframe Counter Value by 16 frame inside counting device value and 30 is merged into after 46 bit widths, again this value of 46 duplicated 3 times, be spliced into 138 bit wides, removing high 10, remaining 128 is exactly Counter Value.What encrypting module was encrypted is the value of counter, because encryption period length is fixed (22 clock cycle), so the Counter Value that can predict after the encryption is effective constantly at what, can in advance the plaintext in the input data cache module be read, with encrypt after the Counter Value XOR after, give the dateout cache module and preserve.
Following method is deferred in scheduling:
A) key of same frame data is identical, 128 of every encryptions, and frame inside counting device value adds fixed length 1;
B) encrypt at least 2 clock cycle of interval that enable encrypt_reqa, encrypt_reqb (encrypt enable signal a, encrypt enable signal b);
C) if AES processing module a and b are idle, preferential calling module a;
When d) adding fixed length 1, do not consider carry for frame inside counting device value.
The key signal sequential of encrypting scheduler module as shown in Figure 7, wherein,
Clk: expression system clock;
Encrypt_req: expression enciphered message request signal;
Encrypt_reqa: the encryption request signal of expression AES processing module a;
Encrypt_reqb: the encryption request signal of expression AES processing module b;
Aes_ready_a: expression AES processing module a idle signal;
Aes_ready_b: expression AES module b idle signal;
Cnt_in_a: the value of the frame inside counting device of AES module a is given in expression;
Cnt_in_b: the value of the frame inside counting device of AES module b is given in expression;
Frame_length: the length of expression scrambled data frame;
Frame_l_cnt: expression enciphered data data counter.
When Frame need be encrypted, send enciphered message request signal encrypt_req, encrypt scheduler module is taken out frame to be encrypted from the enciphered message cache module information such as frame length, initial counter value and initial key.Initial counter value comprises interframe counter and frame inside counting device, and the counter generation module produces the Counter Value that is used for cryptographic algorithm according to the value of these two counters.Scheduler module provides encryption request signal encrypt_reqa or encrypt_reqb according to the idle signal of AES module, provide the value cnt_in_a of frame inside counting device simultaneously, the data frame_l_cnt of a 128bits of every encryption adds 4, the value of the value cnt_in_a of frame inside counting device adds 1, finishes up to enciphered data.
Owing to the encryption bandwidth that an AES circuit provides has only 1.6Gbits/s, so present embodiment has used two identical AES processing modules to handle to reach the processing bandwidth of 3.2Gbits/s.The structure of each AES circuit as shown in Figure 8.
The AES processing module mainly comprises 4 d type flip flops (DFF1~DFF4), 2 selectors, 3 XOR modules, and byte conversion and row shift module, row hybrid operation module, cipher key expansion module.
Wherein,
The first XOR module is used for the key sum counter value of input is carried out XOR;
First d type flip flop is used to latch the output result of the first XOR module;
First selector, the output that is used for selecting first d type flip flop when the 1st takes turns cryptographic calculation are as input value, and in 9 computings of taking turns, the output of selecting 3d flip-flop is as input value in the back;
Second d type flip flop is used to latch the output result of first selector module;
Byte conversion and row shift module are used for the data that receive are carried out byte conversion and row shifting function;
Row hybrid operation module is used for the data that receive are carried out the row hybrid operation;
Second selector is used for taking turns outputs that computing selects row hybrid operation module as input value preceding 9, in the end 1 take turns in the computing, with the output of byte conversion and row shift module as input value;
Cipher key expansion module is used for obtaining current key by getting wheel constant table respective column and last key XOR;
The second XOR module is used for the output of second selector and XOR is carried out in the output of cipher key expansion module;
3d flip-flop is used to latch the output result of the second XOR module;
The 3rd XOR module is used for carrying out XOR to encrypting back Counter Value and clear data;
Four d flip-flop is used to latch the output result of the 3rd XOR module.
The startup of AES processing module is by encryption enable signal encrypt_reqa that encrypts scheduler module output and encrypt_reqb control.After the AES processing module started, two 128 Counter Value entered the AES processing module successively, finished Initial Round (first round) computing with the initial key XOR earlier, carried out 10 interative computations of taking turns afterwards, obtained ciphertext output with the plaintext XOR more at last.Every next AES processing module output ciphertext, this module receives the data of 128bits respectively with regard to continuous two clocks, as can be seen from the figure come, the circulation of 1-9 wheel is in DFF2 (d type flip flop 2) and DFF3 (d type flip flop 3) boundary, and promptly streamline has been located at DFF2 and DFF3.
The key signal sequential of AES processing module as shown in Figure 9.Encrypting after scheduler module will encrypt request encrpty_req signal and put height, the AES processing module is ready to the aes_ready signal with AES and drags down this module of expression and temporarily can not accept new data, and while AES processing module begins enabling counting device aes_cnt.After cryptographic operation was finished, this module was write data and is studied in buffering area, aes_cnt is put 0, drew high aes_ready and represented to handle new data.Since after starting each to handle what data constantly all be known, so available aes_cnt produces relevant control signal: selector mux1 is 1 and selected the input of the output of DFF1 as DFF2 at 2 o'clock at aes_cnt, other the time select the input of the output of DFF3 as DFF2; Selector mux2 is the sub_bytes﹠amp of selection byte conversion in 20 o'clock and row shift module at aes_cnt; The output of shift_rows operation, other the time select the output of the mix_column of row hybrid operation module to participate in XOR; When being 21 and 22, aes_cnt sends out the enable signal of reading of writing buffering; When aes_cnt is 21, the aes_ready signal drawn high and show and to receive new enciphered data.
Cipher key expansion module is responsible for realizing the expansion of key, produces every needed key of interative computation of taking turns.The startup of this module is also by the encrypt_req signal controlling, and when this signal arrived, module started, and reads in initial key, and according to the characteristics of AES processing module two-stage flowing water, per two clock cycle are upgraded a secondary key.The main points of cipher key expansion module design are the realizations of Rcon.Rcon is a table as shown in the table in fact, and (first round is got first row, and second takes turns and get secondary series, participates in by that analogy) XOR (key of catching up with once carries out XOR, produces key next time) to take out respective column during the expansion of each round key.Because the value of Rcon is fixed, so traditional AES realizes it being that it is cured among the ROM.By observing the structure of Rcon, except that first column element, all the other elements all are 0, and first row element is between the first eight and shifted relationship arranged between latter two, therefore can add simple control signal again by shift register realizes: define two shift registers respectively and be used to produce the first eight data and latter two data, their initial value is respectively 10 ' h001 and 10 ' h06c, realizes ring shift left under the control of wheel counter, simultaneously with these two shift registers of wheel counter gating.So just can realize the function of Rcon by less logical resource.
The Rcon structure
| 01 | 02 | 04 | 08 | 10 | 20 | 40 | 80 | |
36 |
| 00 | 00 | 00 | 00 | 00 | 00 | 00 | 00 | 00 | 00 |
| 00 | 00 | 00 | 00 | 00 | 00 | 00 | 00 | 00 | 00 |
| 00 | 00 | 00 | 00 | 00 | 00 | 00 | 00 | 00 | 00 |
Similar with the write data buffer zone module, read data buffer module R_FIFOs also mainly by 4 bit wides be 32, the degree of depth is 16 FIFO and read pointer counter, shift enable control circuit are formed.Data concurrent write after having encrypted through the AES circuit is studied in buffering area; After enable signal is read in the downstream module transmission,, make it sequentially data to be read by the generation of read pointer counter controls shift enable signal.Its circuit structure as shown in figure 10.For fear of too high burst read rate, be provided with and read fifo spacing wave r_fifo_aempty signal, when buffering area is read sky soon, tell subordinate's module to suspend read data by this signal.The difficult point of reading the buffering area design is that also its sequential is similar to compose buffer sequential principle to reading the control of end.
The present invention is with the logic scale of some design tactics control circuits, make the encrypted circuit operating frequency up to 125MHz, descending encryption bandwidth 2.4Gbits/s, meet GPON system interface standard fully, overcome in the prior art encrypt the bandwidth deficiency, logical resource consumes shortcomings such as too much, be adapted at using in the High Speed System such as GPON.
Claims (17)
1. the middle-and-high-ranking encryption standard encryption device of Gbit passive optical network system is characterized in that, comprising:
Write data buffer zone module W-FIFOs is used for the clear data that buffer memory need be encrypted;
The enciphered message cache module is used for the frame length that buffer memory needs each frame of encrypting plaintext, initial counter value and initial key;
Advanced Encryption Standard AES processing module is used to finish data encryption;
Read data buffer module R-FIFOs is used for the encrypt data after encrypting is carried out buffer memory;
Encrypt scheduler module, be used for extracting frame length, initial key, the initial counter value of enciphered message cache module, read clear data from the write data buffer zone module, generate the Counter Value of encrypting needs according to initial counter value, the frame length of the clear data of Jia Miing produces and encrypts enable signal as required, key, Counter Value and clear data are sent into the AES processing module encrypt, and the data encrypted of AES processing module output is sent into the read data buffer module.
2. encryption device according to claim 1 is characterized in that, the write data buffer zone module comprises:
Write fifo circuit at least two, be used to store the clear data that writes;
The write pointer counter is used for indication in turn and writes fifo circuit;
The shift enable control circuit is used for the value according to the write pointer counter, writes fifo circuit by the displacement turn enable, is enabled state when writing fifo circuit, then clear data can be write this and write in the fifo circuit.
3. encryption device according to claim 2 is characterized in that, the fifo circuit of writing of write data buffer zone module is 4, and each bit wide is 32.
4. encryption device according to claim 1 is characterized in that, described enciphered message cache module buffer memory two frame informations use the two-stage d type flip flop to realize that wherein, every frame information comprises the frame length of each frame, initial counter value and initial key.
5. encryption device according to claim 1 is characterized in that, at least 2 of described AES processing modules, and each AES processing module includes:
The first XOR module is used for the key sum counter value of input is carried out XOR;
First d type flip flop is used to latch the output result of the first XOR module;
First selector, the output that is used for selecting first d type flip flop when the 1st takes turns cryptographic calculation are as input value, and in 9 computings of taking turns, the output of selecting 3d flip-flop is as input value in the back;
Second d type flip flop is used to latch the output result of first selector;
Byte conversion and row shift module are used for the data that receive are carried out byte conversion and row shifting function;
Row hybrid operation module is used for the data that receive are carried out the row hybrid operation;
Second selector is used for taking turns outputs that computing selects row hybrid operation module as input value preceding 9, in the end 1 take turns in the computing, with the output of byte conversion and row shift module as input value;
Cipher key expansion module is used for obtaining current key by getting wheel constant table respective column and last key XOR;
The second XOR module is used for XOR is carried out in the output of second selector and the output of cipher key expansion module;
3d flip-flop is used to latch the output result of the second XOR module;
The 3rd XOR module is used for carrying out XOR to encrypting back Counter Value and clear data;
Four d flip-flop is used to latch the output result of the 3rd XOR module.
6. encryption device according to claim 5, it is characterized in that, getting the wheel constant table in the described cipher key expansion module uses initial value to be respectively two shift registers of hexadecimal number 001 and hexadecimal number 06c, by using these two shift registers of wheel counter gating, ring shift left under the control of wheel counter produces wheel constant table respective column.
7. encryption device according to claim 1 is characterized in that, described read data buffer module comprises:
Read fifo circuit at least two, be used to store the encrypt data that writes after the encryption;
The read pointer counter is used for indication in turn and reads fifo circuit;
The shift enable control circuit is used for the value according to the read pointer counter, reads fifo circuit by the displacement turn enable, is enabled state when reading fifo circuit, then encrypt data can be read; When data were read sky, the first in first out spacing wave was read in the output of read data buffer module, suspends sense data.
8. encryption device according to claim 7 is characterized in that, the fifo circuit of reading of described read data buffer module is 4, and each bit wide is 32.
9. encryption device according to claim 1 is characterized in that, described encryption scheduler module comprises:
Cipher key frame long letter breath memory module is used to store the frame length that reads out from the enciphered message cache module and the key of current encrypted frame;
Scheduler module is used for receiving, transmitting control signal, and reads the frame length of cipher key frame long letter breath memory module buffer memory and the key of current encrypted frame, send to the AES processing module, and the control counter generation module generates Counter Value;
The counter generation module is used for reading initial counter value from the enciphered message cache module, generates Counter Value, sends to the AES processing module.
10. the implementation method of the middle-and-high-ranking encryption standard encryption device of Gbit passive optical network system comprises the steps:
(1) the write data buffer zone module receives and buffer memory clear data to be encrypted, and enciphered message cache module buffer memory needs the frame length of each frame of encrypting plaintext, initial counter value and initial key;
(2) the encryption scheduler module is extracted frame length, initial key, the initial counter value in the enciphered message cache module, read clear data from the write data buffer zone module, generate the Counter Value of encrypting needs according to initial counter value, according to frame length, key, Counter Value and clear data are sent into the AES processing module encrypt;
(3) ciphertext after the encryption scheduler module will be encrypted is sent into the read data buffer module and is carried out buffer memory.
11. implementation method according to claim 10 is characterized in that, the write data buffer zone module receives and buffer memory clear data to be encrypted in the described step (1), comprising:
Receive when the write data buffer zone module and to write enable signal, then write fifo circuit in the turn enable write data buffer zone module, in turn clear data to be encrypted is write fifo circuit.
12. implementation method according to claim 10 is characterized in that, described step (2) comprises the steps:
(a) encrypt scheduler module and extract frame length, initial key, initial counter value from the enciphered message cache module;
(b) encrypt scheduler module and calculate the piece number that needs are encrypted, produce the corresponding enable signal of encrypting according to frame length;
(c) encrypt scheduler module initial key, initial counter value are sent into the AES processing module, the AES processing module is encrypted key sum counter value;
(d) encrypt scheduler module clear data is sent into the AES processing module, carry out XOR, the ciphertext after obtaining encrypting with Counter Value after encrypting.
13. implementation method according to claim 12 is characterized in that, encrypts scheduler module key, Counter Value are divided into a plurality of 128 pieces, forms the key sum counter value of many groups 128 * 2.
14. implementation method according to claim 13, it is characterized in that, described Counter Value comprises frame inside counting device value, interframe Counter Value, encrypt after scheduler module is merged into 46 bit widths with 16 frame inside counting device value and 30 s' interframe Counter Value, again this value of 46 is duplicated 3 times, be spliced into 138 bit wides, remove high 10, remaining 128 as Counter Value.
15. implementation method according to claim 12 is characterized in that, described Counter Value comprises frame inside counting device value, interframe Counter Value, encrypt scheduler module to same frame data, use key identical, 128 of every encryptions, frame inside counting device value adds fixed length 1, does not need carry.
16. implementation method according to claim 12 is characterized in that, in the described step (c), the AES processing module also generates new key according to initial key: by getting wheel constant table respective column and last key XOR, obtain current key.
17. implementation method according to claim 10, it is characterized in that, after described step (3) is carried out, if receiving, described read data buffer module reads enable signal, then the fifo circuit of reading of read data buffer module is sent data in turn successively, when data were read sky, the first in first out spacing wave was read in the output of read data buffer module, suspends sense data.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN2007101304023A CN101114903B (en) | 2007-03-05 | 2007-07-18 | High grade encrypting criterion encrypter in Gbpassive optical network system and implementing method thereof |
Applications Claiming Priority (3)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN200710080026 | 2007-03-05 | ||
| CN200710080026.1 | 2007-03-05 | ||
| CN2007101304023A CN101114903B (en) | 2007-03-05 | 2007-07-18 | High grade encrypting criterion encrypter in Gbpassive optical network system and implementing method thereof |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN101114903A CN101114903A (en) | 2008-01-30 |
| CN101114903B true CN101114903B (en) | 2011-10-26 |
Family
ID=39023044
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN2007101304023A Active CN101114903B (en) | 2007-03-05 | 2007-07-18 | High grade encrypting criterion encrypter in Gbpassive optical network system and implementing method thereof |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN101114903B (en) |
Families Citing this family (17)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US8194854B2 (en) | 2008-02-27 | 2012-06-05 | Intel Corporation | Method and apparatus for optimizing advanced encryption standard (AES) encryption and decryption in parallel modes of operation |
| CN101782956B (en) * | 2010-02-09 | 2012-06-13 | 杭州晟元芯片技术有限公司 | Method and device for protecting data on basis of AES real-time encryption |
| CN102035642B (en) * | 2010-12-20 | 2013-02-13 | 西安西电捷通无线网络通信股份有限公司 | Selection and synchronization method for counter in block cipher counter running mode |
| CN102647711B (en) * | 2011-02-17 | 2015-10-21 | 中兴通讯股份有限公司 | A kind of data encryption system and method |
| CN102346716B (en) * | 2011-09-20 | 2015-03-18 | 记忆科技(深圳)有限公司 | Encryption method and decryption method of hard disk storage device and encryption and decryption system used for hard disk storage device |
| CN103338447B (en) * | 2013-07-09 | 2016-06-29 | 东南大学 | A kind of self-access encryption and decryption circuit being applied to short-distance transmission |
| CN103679061A (en) * | 2013-11-22 | 2014-03-26 | 北京民芯科技有限公司 | Implementation method and device for extendable throughput rate of SM4 cryptographic algorithm |
| US20150363334A1 (en) * | 2014-06-16 | 2015-12-17 | Texas Instruments Incorporated | Speculative cryptographic processing for out of order data |
| CN105447417A (en) * | 2015-11-06 | 2016-03-30 | 天津津航计算技术研究所 | Hardware encryption method applied to high-speed data storage |
| CN107733590A (en) * | 2017-11-28 | 2018-02-23 | 成都蓉威电子技术有限公司 | The data transmission device and method of a kind of high-speed bus |
| CN108494547B (en) * | 2018-02-13 | 2021-04-13 | 中山大学 | AES encryption system and chip |
| CN109587155B (en) * | 2018-12-14 | 2020-06-16 | 浙江大学 | Wireless vehicle brake test system for guaranteeing information safety |
| WO2020186125A1 (en) | 2019-03-13 | 2020-09-17 | The Research Foundation For The State University Of New York | Ultra low power core for lightweight encryption |
| CN111464564B (en) * | 2020-05-08 | 2022-12-23 | 郑州信大捷安信息技术股份有限公司 | Data high-speed encryption and decryption method and device based on symmetric cryptographic algorithm |
| CN113392432A (en) * | 2021-06-11 | 2021-09-14 | 山东华宇工学院 | Encryption storage device and electronic equipment |
| CN113849867B (en) * | 2021-08-31 | 2024-02-23 | 浪潮电子信息产业股份有限公司 | Encryption chip |
| CN113742753B (en) * | 2021-09-15 | 2023-09-29 | 北京宏思电子技术有限责任公司 | Data stream encryption and decryption method, electronic equipment and chip system |
Citations (3)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US6981153B1 (en) * | 2000-11-28 | 2005-12-27 | Xilinx, Inc. | Programmable logic device with method of preventing readback |
| CN1758591A (en) * | 2004-01-19 | 2006-04-12 | 三星电子株式会社 | In encryption system, handle method, circuit and the program product of masked data |
| CN1761185A (en) * | 2005-11-18 | 2006-04-19 | 清华大学 | AES encrypted circuit structure for data stream executed in desequencing |
-
2007
- 2007-07-18 CN CN2007101304023A patent/CN101114903B/en active Active
Patent Citations (3)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US6981153B1 (en) * | 2000-11-28 | 2005-12-27 | Xilinx, Inc. | Programmable logic device with method of preventing readback |
| CN1758591A (en) * | 2004-01-19 | 2006-04-12 | 三星电子株式会社 | In encryption system, handle method, circuit and the program product of masked data |
| CN1761185A (en) * | 2005-11-18 | 2006-04-19 | 清华大学 | AES encrypted circuit structure for data stream executed in desequencing |
Also Published As
| Publication number | Publication date |
|---|---|
| CN101114903A (en) | 2008-01-30 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| CN101114903B (en) | High grade encrypting criterion encrypter in Gbpassive optical network system and implementing method thereof | |
| CN101969376B (en) | Self-adaptive encryption system and method with semantic security | |
| CN101854353B (en) | Multi-chip parallel encryption method based on FPGA | |
| CN105119715B (en) | Digital circuit is interconnected between a kind of virtual IO pieces of FPGA based on re-encryption algorithm | |
| CN105007154B (en) | A kind of encrypting and decrypting device based on aes algorithm | |
| CN103413094A (en) | Telemetering encryption system applicable to spacecraft CPU (central processing unit) | |
| CN113078996B (en) | FPGA (field programmable Gate array) optimization realization method, system and application of SM4 cryptographic algorithm | |
| CN105391701A (en) | Data encryption method and system | |
| CN108809642A (en) | A kind of encryption certification high-speed transfer implementation method of multi-channel data 10,000,000,000 based on FPGA | |
| CN105337728A (en) | Data encryption method and system | |
| CN101827107A (en) | IEEE802.1AE protocol-based GCM high-speed encryption and decryption equipment | |
| CN103346878A (en) | Secret communication method based on FPGA high-speed serial IO | |
| CN101729242A (en) | Method and device for generating symmetric block ciphers | |
| CN104219045B (en) | RC4 stream cipher generators | |
| CN103607275A (en) | Encryption method and device with safety adapted to speed changes | |
| CN105429748A (en) | Data encryption method and system | |
| US9594928B1 (en) | Multi-channel, multi-lane encryption circuitry and methods | |
| CN101588234B (en) | Encryption and decryption multiplexing method of row mixing conversion module in AES | |
| El-meligy et al. | 130nm Low power asynchronous AES core | |
| CN114584297B (en) | Encryption and decryption system and encryption and decryption method based on physical unclonable technology | |
| Nabil et al. | Design and implementation of pipelined aes encryption system using FPGA | |
| CN109714151A (en) | Chip data processing method and system based on AES-GCM | |
| CN101355423B (en) | Method for generating stream cipher | |
| CN114679252A (en) | Resource sharing method for MACsec AES algorithm | |
| CN203119915U (en) | Device based on hardware encryption data |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| C06 | Publication | ||
| PB01 | Publication | ||
| C10 | Entry into substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| C14 | Grant of patent or utility model | ||
| GR01 | Patent grant | ||
| C41 | Transfer of patent application or patent right or utility model | ||
| TR01 | Transfer of patent right |
Effective date of registration: 20151116 Address after: 518057 Nanshan District Guangdong high tech Industrial Park, South Road, science and technology, ZTE building, Ministry of Justice Patentee after: ZTE Corp. Patentee after: SANECHIPS TECHNOLOGY Co.,Ltd. Address before: 518057 Nanshan District high tech Industrial Park, Guangdong, South Road, science and technology, ZTE building, legal department Patentee before: ZTE Corp. |
|
| TR01 | Transfer of patent right |
Effective date of registration: 20221201 Address after: 518055 Zhongxing Industrial Park, Liuxian Avenue, Xili street, Nanshan District, Shenzhen City, Guangdong Province Patentee after: SANECHIPS TECHNOLOGY Co.,Ltd. Address before: 518057 Ministry of justice, Zhongxing building, South Science and technology road, Nanshan District hi tech Industrial Park, Shenzhen, Guangdong Patentee before: ZTE Corp. Patentee before: SANECHIPS TECHNOLOGY Co.,Ltd. |
|
| TR01 | Transfer of patent right |