WO2010004335A2 - Data security devices and methods - Google Patents


Publication number
WO2010004335A2
Authority
WO
WIPO (PCT)
Prior art keywords
bit
message
hash value
module
hash
Application number
PCT/GB2009/050814
Other languages
French (fr)
Other versions
WO2010004335A3 (en)
Inventor
Maire Patricia O'Neill
Original Assignee
The Queen's University Of Belfast

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3236 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using cryptographic hash functions
    • H04L2209/00 Additional information or applications relating to cryptographic mechanisms or cryptographic arrangements for secret or secure communication H04L9/00
    • H04L2209/60 Digital content management, e.g. content distribution
    • H04L2209/80 Wireless
    • H04L2209/805 Lightweight hardware, e.g. radio-frequency identification [RFID] or sensor

Definitions

  • the invention relates to data security devices and methods that implement a hash algorithm.
  • Various methodologies have been used to implement these security services.
  • One such methodology is the use of hash functions, for example the suite of Secure Hash Algorithms (SHAs) devised by the US National Institute of Standards and Technology, which are particularly used to provide the authentication security service.
  • For any device which is used to provide one or more of the security services, there are various criteria which need to be considered in order to give a device which can provide the or each security service to a required level in an efficient and realisable manner.
  • One such criterion is the size of the device, and the area of material, for example, silicon which it uses. If the area is large, this has cost implications, and the device may be physically too big to be used in some applications, for example RFID tags.
  • a hash value computation device for computing a hash value for a message using a hash algorithm that defines a key
  • the device comprising a message schedule element having an input module which receives the message in 8-bit segments, a plurality of 8-bit memory modules which store the 8-bit segments of the message, an 8-bit message schedule value module which uses the 8-bit message segments and the hash algorithm to provide an 8-bit message schedule value for each 8-bit message segment, and an output module which outputs the 8-bit message schedule values
  • a hash value computation element comprising a first input module which receives the 8-bit message schedule values, a second input module which receives 8-bit segments of the key defined by the hash algorithm, a plurality of 8-bit memory modules which store the 8-bit segments of the key, a hash value computation module which uses the 8-bit message schedule values and the 8-bit key segments to compute a hash value for the message, and an output module which outputs the hash value
  • the hash value computation device may operate over n clock cycles to compute the hash value for the message.
  • the message schedule element may operate over the n clock cycles to calculate n message schedule values.
  • the hash value computation module may operate over the n clock cycles to use the n message schedule values to compute the hash value for the message.
  • the hash value computation device may receive the message in a format appropriate for the hash algorithm used to compute the hash value. Alternatively, the hash value computation device may receive the message in a different format and change this to a format appropriate for the hash algorithm used to compute the hash value.
  • the hash value computation device may comprise a message formatting module, which formats the message into a format appropriate for the hash algorithm used to compute the hash value.
  • the message format may comprise N x-bit message blocks, where x is equal to or greater than 8, for example the message format may comprise N 512-bit message blocks.
  • the message formatting module may format the message into N 512-bit message blocks, by padding the message, as appropriate, to a length of 448 mod 512, appending the length of the padded message as a 64-bit number to the padded message, and parsing the resultant message into N 512-bit data message blocks.
  • the input module of the message schedule element may receive the or each x-bit message block in 8-bit message segments.
  • the input module may comprise a multiplexer. In each clock cycle of a first subset of the n clock cycles, the multiplexer may be configured to receive an 8-bit message segment and pass the 8-bit message segment to a first memory module of the plurality of 8-bit memory modules.
  • the plurality of 8-bit memory modules of the message schedule element may be arranged in a linear array, with a first 8-bit memory module connected to a second 8-bit memory module, the second 8-bit memory module connected to a third 8-bit memory module, etc.
  • the first 8-bit memory module in the array may also be connected to the input module.
  • the array of 8-bit memory modules may comprise a number of memory modules sufficient such that each memory module stores an 8-bit message segment of an x-bit message block of the message.
  • the first 8-bit memory module in the array may receive a first 8-bit message segment, in a second clock cycle of the first subset of the n clock cycles, the first 8-bit memory module in the array may receive a second 8-bit message segment, and the second 8-bit memory module in the array may receive the first 8-bit message segment, etc. for each of the clock cycles in the subset of clock cycles.
  • Each of the plurality of 8-bit memory modules may comprise an 8-bit shift register.
  • the 8-bit message schedule value module may provide 8-bit message schedule values determined using modifications of a message schedule value definition specified by the hash algorithm.
  • the modifications may change the message schedule value definition from a definition formulated to use 32-bit data segments to a definition formulated to use 8-bit data segments.
  • the modified message schedule value definition may comprise
  • the 8-bit message schedule value module may use a first part of the modified message schedule value definition to provide a first set of 8-bit message schedule values which each comprise an 8-bit message segment of the message.
  • the 8-bit message schedule value module may use a second part of the modified message schedule value definition to provide a second set of 8-bit message schedule values calculated using one or more functions carried out on one or more previously-determined message schedule values.
  • the functions may comprise one or more logical functions, such as one or more XOR functions.
  • the functions may comprise one or more rotate functions.
  • the 8-bit message schedule value module may comprise an 8-bit XOR module which carries out the one or more XOR functions of the second part of the modified message schedule value definition.
  • the XOR module may receive one or more previously-determined 8-bit message schedule values and carry out the one or more XOR functions on these, to provide one or more 8-bit XOR values.
  • the 8-bit message schedule value module may comprise a rotate module which carries out the one or more rotate functions of the second part of the modified message schedule value definition.
  • the one or more rotate functions may comprise a rotate to the left by one place rotate function.
  • the rotate module may receive a plurality of 8-bit XOR values and carry out the one or more rotate functions on these, to provide a plurality of 8-bit message schedule values.
  • the rotate module may receive at least one set of four 8-bit XOR values and carry out the one or more rotate functions on the set, to provide four 8-bit message schedule values.
  • the four 8-bit message schedule values may, on concatenation, give a 32-bit value which is the same as a 32-bit value obtained by an unmodified message schedule value definition of the hash algorithm carried out on a 32-bit value comprising the four 8-bit XOR values.
  • the rotate module may comprise a data splitter, a first multiplexer, a register, a data combiner and a second multiplexer.
  • the 8-bit message schedule value module may comprise a control module which is used to control the operation of the rotate module.
  • the control module may be used to control the operation of the first multiplexer and the second multiplexer of the rotate module.
  • the hash value computation module may compute a hash value for the message comprising a concatenation of a plurality of hash variables, preferably five 32-bit hash variables.
  • the hash value computation module may compute the hash variables using modifications of hash variable definitions specified by the hash algorithm. The modifications may change the hash variable definitions from definitions formulated to use 32-bit message schedule values and 32-bit key segments to definitions formulated to use 8-bit message schedule values and 8-bit key segments.
  • the modified hash variable definitions may comprise
  • the hash value computation module may compute the hash value using 8-bit key segments of initial values of the hash variables defined by the hash algorithm.
  • the hash value computation module may comprise a rotate hash variable b module and a T computation module.
  • the T computation module may comprise a rotate hash variable a module, an F computation module, an add device and a carry register.
  • the hash algorithm may be a Secure Hash Algorithm (SHA), such as SHA-1, SHA-2, etc.
  • a method of computing a hash value for a message using a hash algorithm that defines a key comprising using a message schedule element of the hash value computation device of the first aspect of the invention to determine a plurality of 8-bit message schedule values, and using a hash value computation element of the hash value computation device of the first aspect of the invention to compute the hash value for the message using the message schedule values.
  • a data security device comprising a hash value computation device according to the first aspect of the invention.
  • the data security device may comprise an RFID tag.
  • the hash value computation device of the invention has been designed as an 8-bit architecture and to operate using 8-bit data segments.
  • Such an 8-bit architecture allows the use of less silicon for the components thereof, and thus achieves a small area and low cost architecture, in comparison to all previous 32-bit architectures.
  • Figure 1 is a schematic representation of a hash value computation device according to the invention
  • Figure 2 is a schematic representation of a message schedule element of the hash value computation device of Figure 1;
  • Figure 3 is a schematic representation of a rotate function carried out by the message schedule element of Figure 2;
  • Figure 4 is a schematic representation of a hash value computation element of the hash value computation device of Figure 1;
  • Figure 5 is a schematic representation of a rotate function carried out by the hash value computation element of Figure 4, and
  • Figure 6 is a schematic representation of a further rotate function carried out by the hash value computation element of Figure 4.
  • the hash value computation device 1 comprises an input element 3, a message schedule element 5, a hash value computation element 7 and an output element 9.
  • the various elements are shown as being separate, however it will be appreciated that one or more of them could be combined, for example the input element 3 may be integral with the message schedule element 5, and the output element 9 may be integral with the hash value computation element 7.
  • the hash value computation device receives a message, i.e. data, and uses this to calculate a hash value, employing, in this embodiment, a hash algorithm comprising the SHA-1. This algorithm comprises three principal steps: message pre-processing, message schedule value calculation and hash value computation. The message is received by the input element 3.
  • the message may have already undergone the pre-processing step, to place it in a format appropriate for SHA-1 computation, or the input element 3 may receive a 'raw' message and perform the pre-processing step to place the message into the appropriate format.
  • the pre-processing step may be performed using a software module.
  • the pre-processing comprises padding the message, as appropriate, to a length of 448 mod 512, appending the length of the padded message as a 64-bit number to the padded message, and parsing the resultant message into N 512-bit message blocks. Each 512-bit message block is fed into the message schedule element 5 of the hash value computation device 1, and used in the computation of a final hash value.
  • Each of the elements of the hash value computation device of the invention is designed to work on 8-bit data segments.
  • SHA-1 specifies definitions for the determination of the message schedule values and the computation of the hash values, these definitions having been devised to be performed on 32-bit data segments.
  • the hash value computation device of the invention implements modifications of these definitions, the modifications being such that the definitions can be performed using 8-bit data segments.
  • the message schedule element 3 comprises an input module comprising an input multiplexer 11, a plurality of 8-bit memory modules comprising an array 13 of sixty four 8-bit shift registers (W63 to W0), a message schedule value module comprising an XOR module 15, a rotate module 17 and a control module 19, and an output module 21.
  • the message schedule element 5 receives the 512-bit message blocks, in turn, from the input element 3.
  • the message schedule value module provides 8-bit message schedule values determined using modifications of a message schedule value definition specified by the SHA-1. The modifications change the message schedule value definition from a definition formulated to use 32-bit data segments to a definition formulated to use 8-bit data segments.
  • the modified message schedule value definition comprises
  • the message schedule values determined using the above definition are then output to the hash value computation element 7, where they are used in the computation of the hash value for the message.
  • the input multiplexer 11 comprises a first data input 111, a second data input 112, a control input 113 and an output 114.
  • the input multiplexer 11 receives 8-bit data either on the first data input 111 or the second data input 112, according to the value of a control signal received from the control module 19 on the control input 113.
  • 8-bit data is output by the input multiplexer 11 to the first shift register W63 of the array of shift registers 13.
  • the shift registers in the array of shift registers 13 are connected in a linear array as shown in Figure 2.
  • any 8-bit data contained in the shift registers W63, W62 and W60 to W1 is passed to shift registers W62, W61 and W59 to W0 respectively.
  • the seven MSBs are passed to a first input of shift register W60, and the LSB is passed to a multiplexer. The output of the multiplexer is fed to a second input of the shift register W60. The data received on the first and second inputs of the shift register W60 is then concatenated.
  • the shift registers W52, W32, W8 and W0 are each connected to the XOR module 15.
  • any 8-bit data contained in these shift registers is passed to the XOR module 15. This comprises an 8-bit XOR module, and uses the 8-bit data received from the shift registers to calculate an 8-bit XOR value, according to the above equation, which is fed to the rotate module 17.
  • the rotate module 17 comprises a data splitter 171, a first multiplexer 172, a register 173, a data combiner 174 and a second multiplexer 175.
  • an 8-bit XOR value received from the XOR module 15 is input into the data splitter 171.
  • the first part comprises the seven least significant bits (LSBs) of the 8-bit value, and is fed to the data combiner 174.
  • the second part comprises the most significant bit (MSB) of the 8-bit value, and is fed to the first multiplexer 172.
  • the first multiplexer comprises a data input, a control input and two outputs as shown.
  • the 1-bit data received by the data input is output either to the register 173 or the second multiplexer 175, according to the value of a control signal received from the control module 19 on the control input.
  • the register 173 is connected to the data combiner 174.
  • 1-bit data contained in the register is fed to the data combiner 174, where it is combined with the seven LSBs of the 8-bit XOR value received by the rotate module 17.
  • the combined 8-bit data is fed to the second data input 112 of the input multiplexer 11.
  • the second multiplexer 175 comprises a first data input connected to the shift register W61, a second data input connected to the first multiplexer 172, a control input connected to the control module 19, and an output connected to the shift register W60.
  • the second multiplexer 175 receives 1-bit data either on the first data input or the second data input, according to the value of a control signal received from the control module 19 on the control input.
  • the 1-bit data received from the shift register W61 comprises the LSB of the 8-bit data contained in the register W62.
  • the second multiplexer 175 outputs the 1-bit data to the shift register W60.
  • the output module 21 is connected between the shift registers W60 and W59, as shown.
  • 8-bit data passed to the register W59 from the register W60 is also passed to the output module 21, and output from the message schedule element 5 to the hash value computation element 7.
  • a first 512-bit message block is prepared for loading into the message schedule element 5, by splitting it into 64 8-bit segments.
  • the message schedule element 5 is operated over 320 clock cycles to receive the 8-bit segments and use them to generate the 320 message schedule values.
  • Prior to the start of the 320 clock cycles, the control module 19 is operated to send control signals to the input multiplexer 11, the first multiplexer 172 of the rotate module 17 and the second multiplexer 175 of the rotate module 17.
  • the control signal received by the input multiplexer 11 causes it to receive data on the first data input 111.
  • the control signal received by the first multiplexer 172 of the rotate module 17 causes this multiplexer to output data on its first data output to the register 173.
  • the control signal received by the second multiplexer 175 of the rotate module 17 causes this multiplexer to receive data on its first data input from the shift register W61.
  • the shift registers W63 to W0 are initialised, so that they comprise data equating to zero.
  • the zero data in shift register W63 is fed to shift register W62, and the zero data in shift register W62 is fed to shift register W61.
  • the seven MSBs of the zero data in shift register W61 are fed straight to the first input of the shift register W60, and the LSB of the zero data in shift register W61 is fed to the second multiplexer 175.
  • the zero data in shift registers W60 to W1 is fed to shift registers W59 to W0.
  • Data output from shift registers W52, W32, W8 and W0 is processed by the XOR module 15 and the rotate module 17, and is output to the second data input 112 of the input multiplexer 11.
  • this multiplexer is configured to ignore data received on this input.
  • the output module 21 receives zero data from the shift register W60, and outputs this to the hash value computation element 7, where it is ignored in the first clock cycle of this element.
  • a second 8-bit segment S_1 of the first 512-bit message block is fed into the input multiplexer 11 and from there to the first shift register W63.
  • the first 8-bit segment S_0 in shift register W63 is fed to shift register W62, and the zero data in shift register W62 is fed to shift register W61.
  • the seven MSBs of the zero data in shift register W61 are fed straight to the first input of the shift register W60, and the LSB of the zero data in shift register W61 is fed to the shift register W60 as before where they are concatenated.
  • the zero data in shift registers W60 to W1 is fed to shift registers W59 to W0. Data output from shift registers W52, W32, W8 and W0 is processed as above.
  • the output module 21 again receives zero data from the shift register W60, and outputs this to the hash value computation element 7, where it is ignored in the second clock cycle of this element.
  • a third 8-bit segment S_2 of the first 512-bit message block is fed into the input multiplexer 11 and from there to the first shift register W63.
  • the second 8-bit segment S_1 in shift register W63 is fed to shift register W62, and the first 8-bit segment S_0 in shift register W62 is fed to shift register W61.
  • the seven MSBs of the zero data in shift register W61 are fed straight to the first input of the shift register W60, and the LSB of the zero data in shift register W61 is fed to the shift register W60 as before where they are concatenated.
  • the zero data in shift registers W60 to W1 is fed to shift registers W59 to W0. Data output from shift registers W52, W32, W8 and W0 is processed as before.
  • the output module 21 again receives zero data from the shift register W60, and outputs this to the hash value computation element 7, where it is ignored in the third clock cycle of this element.
  • a fourth 8-bit segment S_3 of the first 512-bit message block is fed into the input multiplexer 11 and from there to the first shift register W63.
  • the third 8-bit segment S_2 in shift register W63 is fed to shift register W62, and the second 8-bit segment S_1 in shift register W62 is fed to shift register W61.
  • the seven MSBs of the first 8-bit segment S_0 in shift register W61 are fed straight to the first input of the shift register W60.
  • the LSB of the first 8-bit segment S_0 in shift register W61 is fed to the second multiplexer 175.
  • the zero data in shift registers W60 to W1 is fed to shift registers W59 to W0.
  • Data output from shift registers W52, W32, W8 and W0 is processed as before.
  • the output module 21 again receives zero data from the shift register W60, and outputs this to the hash value computation element 7, where it is ignored in the fourth clock cycle of this element.
  • a fifth 8-bit segment S_4 of the first 512-bit message block is fed into the input multiplexer 11 and from there to the first shift register W63.
  • the fourth 8-bit segment S_3 in shift register W63 is fed to shift register W62, and the third 8-bit segment S_2 in shift register W62 is fed to shift register W61.
  • the seven MSBs of the second 8-bit segment S_1 in shift register W61 are fed straight to the first input of the shift register W60.
  • the LSB of the second 8-bit segment S_1 in shift register W61 is fed to the second multiplexer 175.
  • the output module 21 receives the first 8-bit segment S_0 from the shift register W60, and outputs this to the hash value computation element 7, where it is used to compute a final hash value.
  • the first 8-bit segment S_0 is the first message schedule value W_0.
  • t 64
  • the sixty fourth 8-bit message segment S_63 in shift register W63 is fed to shift register W62
  • the sixty third 8-bit segment S_62 in shift register W62 is fed to shift register W61.
  • the seven MSBs of the sixty second 8-bit segment S_61 in shift register W61 are fed straight to the first input of the shift register W60.
  • the LSB of the sixty second 8-bit segment S_61 in shift register W61 is fed to the second multiplexer 175. This is still configured to output the LSB to the shift register W60, and the seven MSBs and the LSB of the sixty second 8-bit segment S_61 are concatenated therein.
  • the 8-bit segments, S_60 to S_1, in shift registers W60 to W1 are fed to shift registers W59 to W0.
  • the output module 21 receives the sixty first 8-bit segment S_60 from the shift register W60, and outputs this to the hash value computation element 7, where it is used to compute a final hash value.
  • the sixty first 8-bit segment S_60 is the sixty first message schedule value W_60. Data which is output from shift registers W52, W32, W8 and W0 is also passed to the XOR module 15.
  • This data comprises the 8-bit message segments S_52, S_32, S_8 and S_0, i.e. the message schedule values W_52, W_32, W_8 and W_0.
  • t 65
  • the first rotate result in shift register W63 is fed into shift register W62
  • the sixty fourth 8-bit segment S_63 in shift register W62 is fed to shift register W61.
  • the seven MSBs of the sixty third 8-bit segment S_62 in shift register W61 are fed straight to the first input of the shift register W60.
  • the LSB of the sixty third 8-bit segment S_62 in shift register W61 is fed to the second multiplexer 175. This is still configured to output the LSB to the shift register W60, and the seven MSBs and the LSB of the sixty third 8-bit segment S_62 are concatenated therein.
  • the 8-bit segments, S_61 to S_2, in shift registers W60 to W1 are fed to shift registers W59 to W0.
  • the output module 21 receives the sixty second 8-bit segment S_61 from the shift register W60, and outputs this to the hash value computation element 7, where it is used to compute a final hash value.
  • the sixty second 8-bit segment S_61 is the sixty second message schedule value W_61.
  • Data which is output from shift registers W52, W32, W8 and W0 is also passed to the XOR module 15. This data comprises the 8-bit message segments S_53, S_33, S_9 and S_1, i.e. the message schedule values W_53, W_33, W_9 and W_1.
  • the seven MSBs of the sixty fourth 8-bit segment S_63 in shift register W61 are fed straight to the first input of the shift register W60.
  • the LSB of the sixty fourth 8-bit segment S_63 in shift register W61 is fed to the second multiplexer 175. This is still configured to output the LSB to the shift register W60, and the seven MSBs and the LSB of the sixty fourth 8-bit segment S_63 are concatenated therein.
  • the 8-bit segments, S_62 to S_3, in shift registers W60 to W1 are fed to shift registers W59 to W0.
  • the output module 21 receives the sixty third 8-bit segment S_62 from the shift register W60, and outputs this to the hash value computation element 7, where it is used to compute a final hash value.
  • the sixty third 8-bit segment S_62 is the sixty third message schedule value W_62. Data which is output from shift registers W52, W32, W8 and W0 is also passed to the XOR module 15.
  • This data comprises the 8-bit message segments S_54, S_34, S_10 and S_2, i.e. the message schedule values W_54, W_34, W_10 and W_2.
  • These message schedule values undergo XOR functions according to the equation given above, and the XOR result is output to the rotate module 17.
  • the XOR result is operated upon by the rotate module 17, and the rotate result is passed to the second data input 112 of the input multiplexer 11.
  • the input multiplexer 11 is still configured to receive data on its second data input 112, this third rotate result is fed into the input multiplexer 11, and from there is fed to the first shift register W63.
  • the control module 19 sends a control signal to the second multiplexer 175 of the rotate module 17, which control signal causes the second multiplexer 175 to receive data on its second data input, from the first multiplexer 173 of the rotate module 17.
  • the third rotate result in shift register W63 is fed into shift register W62, and the second rotate result in shift register W62 is fed to shift register W61.
  • the seven MSBs of the first rotate result in shift register W61 are fed straight to the first input of the shift register W60.
  • the LSB of the first rotate result is fed to the first data input of the second multiplexer 175. This is now configured to ignore data received on its first data input, and to receive data on its second data input.
  • the data received from the first multiplexer 173 on the second data input of the second multiplexer 175, is output to the shift register W60.
  • the seven MSBs of the first rotate result and the data received from the first multiplexer 173 are concatenated in the shift register W60.
  • the 8-bit segments, S_63 to S_4, in shift registers W60 to W1 are fed to shift registers W59 to W0.
  • the output module 21 receives the sixty fourth 8-bit segment S_63 from the shift register W60, and outputs this to the hash value computation element 7, where it is used to compute a final hash value.
  • the sixty fourth 8-bit segment S_63 is the sixty fourth message schedule value W_63. Data which is output from shift registers W52, W32, W8 and W0 is also passed to the XOR module 15.
  • This data comprises the 8-bit message segments S_55, S_35, S_11 and S_3, i.e. the message schedule values W_55, W_35, W_11 and W_3.
  • These message schedule values undergo XOR functions according to the equation given above, and the XOR result is output to the rotate module 17.
  • the XOR result is operated upon by the rotate module 17, and the rotate result is passed to the second data input 112 of the input multiplexer 11.
  • the input multiplexer 11 is still configured to receive data on its second data input 112, this fourth rotate result is fed into the input multiplexer 11, and from there is fed to the first shift register W63.
  • the control module 19 sends a control signal to the second multiplexer 175 of the rotate module 17, which control signal causes the second multiplexer 175 to swap back to receiving data on its first data input, from the shift register W61.
  • the fourth rotate result in shift register W63 is fed into shift register W62, and the third rotate result in shift register W62 is fed to shift register W61.
  • the seven MSBs of the second rotate result in shift register W61 are fed straight to the first input of the shift register W60.
  • the LSB of the second rotate result is fed to the first data input of the second multiplexer 175. This is now configured to receive data on this first data input, and the LSB of the second rotate function is output to the shift register W60.
  • the seven MSBs of the first rotate result and the LSB are concatenated in the shift register W60.
  • the sixty fifth message schedule value, W_64, and 8-bit segments, S_63 to S_5, in shift registers W60 to W1 are fed to shift registers W59 to W0.
  • the output module 21 receives the sixty fifth message schedule value W_64 from the shift register W60, and outputs this to the hash value computation element 7, where it is used to compute a final hash value.
  • Data which is output from shift registers W52, W32, W8 and W0 is also passed to the XOR module 15. This data comprises the 8-bit message segments S_56, S_36, S_12 and S_4, i.e.
  • the first data input of the second multiplexer 175 is active, and the data received by the shift register W60 is the seven MSBs of the second, third or fourth rotate result, and the data received on the first data input of the second multiplexer 175, which is the LSB of the second, third or fourth rotate result respectively.
  • These are concatenated in the shift register W60, and form a message schedule value. This sequence of processing of the rotate results is repeated for each subsequent set of 4 rotate results.
  • the processing of the rotate results in the above manner is a consequence of using an 8-bit architecture for the calculation of the message schedule values W_64 onwards.
  • the SHA-1 has been formulated assuming that each 512-bit message block processed by the message schedule element is split up into sixteen 32-bit message segments. In the invention, each 512-bit message block is split up into sixty four 8-bit message segments.
  • the message schedule value calculations of the invention are carried out on 8-bit message segments, using a modified SHA-1 message schedule value definition. It is important that this modified SHA-1 message schedule value definition yields the same results as would be achieved using an unmodified SHA-1 message schedule value definition on 32-bit message segments comprising four 8-bit message segments, i.e.
  • message schedule values W_64 onwards involves using the modified SHA-1 message schedule value definition, comprising XOR functions and a rotate to the left by one place function.
  • XOR functions are carried out over four clock cycles on four 8-bit message segments or message schedule values or a combination of these, this yields the same overall result as if the XOR functions were carried out on a 32-bit segment comprising the four 8-bit message segments / schedule values. This is not the case for the rotate function.
  • the message schedule element 5 of the invention is provided with the rotate module 17.
  • the register 174 of the rotate module 17 is initialised to zero.
  • the control module 19 sends a control signal to the first multiplexer 173 of the rotate module 17, and the control signal causes the first multiplexer 173 to output data to the register 174.
  • this first XOR result comprises the first eight LSBs of the 32-bit data segment given above (0110 0100).
  • the first XOR result is passed to the data splitter of the rotate module 17, where it is split and the seven LSBs thereof (110 0100) are passed to the data combiner of the rotate module 17, and the MSB thereof (0) is passed to the first multiplexer 173.
  • the first multiplexer 173 is configured to pass the MSB (0) to the register 174.
  • the MSB replaces the data (0) already stored in the register, and this data is passed to the data combiner, where it is combined with the seven LSBs of the first XOR function, to form the first rotate result (1100 1000) which is passed to the second data input 112 of the input multiplexer 11, and from there to shift register W63.
  • This data comprises the 8-bit message segments S_53, S_33, S_9 and S_1, i.e. the message schedule values W_53, W_33, W_9 and W_1.
  • this second XOR result comprises the second eight LSBs of the 32-bit data segment given above (0110 0011).
  • the second XOR result is passed to the data splitter of the rotate module 17, where it is split and the seven LSBs thereof (110 0011) are passed to the data combiner of the rotate module 17, and the MSB thereof (0) is passed to the first multiplexer 173.
  • the first multiplexer 173 is still configured to pass the MSB (0) to the register 174.
  • the MSB replaces the data (0) already stored in the register, and this data (which is the MSB (0) of the first XOR result) is passed to the data combiner, where it is combined with the seven LSBs of the second XOR function, to form the second rotate result (1100 0110) which is passed to the second data input 112 of the input multiplexer 11, and from there to shift register W63.
  • t_66
  • data which is output from shift registers W52, W32, W8 and W0 is passed to the XOR module 15.
  • This data comprises the 8-bit message segments S_54, S_34, S_10 and S_2, i.e. the message schedule values W_54, W_34, W_10 and W_2.
  • These message schedule values again undergo XOR functions according to the SHA-1 equation given above, and the XOR result is output to the rotate module 17.
  • this third XOR result comprises the third eight LSBs of the 32-bit data segment given above (0110 0010).
  • the third XOR result is passed to the data splitter of the rotate module 17, where it is split and the seven LSBs thereof (110 0010) are passed to the data combiner of the rotate module 17, and the MSB thereof (0) is passed to the first multiplexer 173.
  • the first multiplexer 173 is still configured to pass the MSB (0) to the register 174.
  • the MSB replaces the data (0) already stored in the register, and this data (which is the MSB (0) of the second XOR result) is passed to the data combiner, where it is combined with the seven LSBs of the third XOR function, to form the third rotate result (1100 0100) which is passed to the second data input 112 of the input multiplexer 11, and from there to shift register W63.
  • the second rotate result (1100 0110) is passed from shift register W63 to shift register W62, and the first rotate result (1100 1000) is passed from shift register W62 to shift register W61.
  • row t_66 of Figure 3. It can be seen that the seven LSBs of the third XOR result are combined with the MSB of the second XOR result.
  • the control module 19 sends a control signal to the first multiplexer 173 of the rotate module 17, which control signal causes the first multiplexer 173 to output data which it receives to the second multiplexer 175 of the rotate module 17.
  • Data which is output from shift registers W52, W32, W8 and W0 is passed to the XOR module 15.
  • This data comprises the 8-bit message segments S_55, S_35, S_11 and S_3, i.e. the message schedule values W_55, W_35, W_11 and W_3.
  • These message schedule values undergo XOR functions according to the SHA-1 equation given above, and the XOR result is output to the rotate module 17.
  • this fourth XOR result comprises the fourth eight LSBs of the 32-bit data segment given above (1110 0001).
  • the fourth XOR result is passed to the data splitter of the rotate module 17, where it is split and the seven LSBs thereof (110 0001) are passed to the data combiner of the rotate module 17, and the MSB thereof (1) is passed to the first multiplexer 173.
  • the first multiplexer 173 is now configured to pass the MSB (1) to the second multiplexer 175.
  • the data already stored in the register, which is the MSB (0) of the third XOR result, is passed to the data combiner, where it is combined with the seven LSBs of the fourth XOR function, to form the fourth rotate result (1100 0010) which is passed to the second data input 112 of the input multiplexer 11, and from there to shift register W63.
  • the third rotate result (1100 0100) is passed from shift register W63 to shift register W62, and the second rotate result (1100 0110) is passed from shift register W62 to shift register W61.
  • the seven MSBs of the first rotate result (1100 100) in shift register W61 are fed straight to the first input of the shift register W60.
  • the LSB of the first rotate result is fed to the first data input of the second multiplexer 175. This is now configured to ignore data received on its first data input, and to receive data on its second data input, from the first multiplexer 173.
  • the data received from the first multiplexer 173 comprises the MSB (1) of the fourth rotate result, and this is output to the shift register W60.
  • the shift registers W63 to W60 contain 1100 0010, 1100 0100, 1100 0110 and 1100 1001, respectively. It can be seen that the original 32-bit data segment output in four 8-bit XOR results by the XOR module 15, has been rotated one place to the left, i.e. each of the digits, apart from the MSB, have been shifted one place to the left, and the MSB has been placed at the end of the segment, i.e. becomes the LSB, as a result of the rotate operations carried out by the rotate module 17. In subsequent clock cycles, these rotate results are output from the message schedule element 5, and form message schedule values W_64 to W_67.
  • control signals are sent to the first multiplexer 173 causing it to send the MSB of the fourth rotate result to the second multiplexer 175.
  • This multiplexer is configured to pass the MSB to shift register W60, where it is concatenated with the seven MSBs of the first rotate result.
  • every four 8-bit XOR results are treated as a 32-bit segment, and a 32-bit rotate one place to the left function is carried out, as required for the calculation of appropriate message schedule values.
  • the hash value computation element 7 receives 320 message schedule values for each 512-bit data block, and uses the message schedule values in the computation of a hash value for each data block. As each data block hash value is computed, it is used in the computation of the next data block hash value. The hash value for the last data block depends upon the hash values for each of the preceding data blocks, and forms the final hash value.
  • For each set of message schedule values, W_t, and hence each 512-bit data block, the hash value comprises a concatenation of five 32-bit hash variables, a, b, c, d and e.
  • the initial values of the hash variables used in the hash value computation for the first data block comprise the key defined by the SHA-1.
  • the hash value computation module computes the hash variables using modifications of hash variable definitions specified by the SHA-1. The modifications change the hash variable definitions from definitions formulated to use 32-bit message schedule values and 32-bit key segments to definitions formulated to use 8-bit message schedule values and 8-bit key segments.
  • the modified hash variable definitions comprise
  • the hash value computation element 7 comprises an input multiplexer 710, twenty 8-bit shift registers 720, a rotate hash variable b module 730 and a T computation module 740.
  • the T computation module 740 comprises a rotate hash variable a module 750, an F computation module 760, an add device 770 and a carry register 780.
  • the input multiplexer 710 is configured to receive data on a first data input.
  • the initial values of each of the 32-bit hash variables a to e, set by the SHA-1 are input into the first data input of the input multiplexer 710, and from there into the shift registers 720, in four 8-bit segments for each hash variable.
  • the hash variable segments are loaded into the shift registers 720 starting with hash variable segment e3, such that after 20 clock cycles, the shift registers 720 reading from left to right of Figure 4 contain the hash variable segments a0, a1, a2, a3, b0, b1, b2, b3, c0, c1, c2, c3, d0, d1, d2, d3, e0, e1, e2, e3.
  • a direct connection is provided between shift register number 8 and shift register number 9, from the left, i.e. between the shift register which, at the end of the 20 clock cycles, contains b3 and the shift register which contains c0.
  • the input multiplexer 710 receives a control signal which causes it to accept data received on its second data input and to output this data to the shift registers 720.
  • the contents of shift register e3 is output to the add device 770 of the T computation module 740.
  • the add device 770 also receives the first message schedule value W_0, and a first value K_0 of a constant K_t specified by the SHA-1.
  • the add device 770 further receives F_0, which has been calculated according to the equation given above, using the outputs of shift registers b3, c3 and d3, which are the initial values of b3, c3 and d3 respectively, set by the SHA-1.
  • F_0 is calculated using 8-bit hash variable segments of 32-bit hash variables. As the calculation of F_0 involves only XOR, AND, OR and NOT functions, using 8-bit hash variable segments will achieve an equivalent result to that which would be achieved using 32-bit hash variables.
  • the add device 770 further receives an output from the rotate 'a' module 750.
  • the add device 770 then has all of the parameters necessary to compute T_0 using the equation for T given above.
  • T_0 is computed by adding the 8-bit parameters which it receives, using modulo 2^32 arithmetic. When performing this addition using 8-bit parameters, it is desired to obtain the same result as would be obtained if the addition were performed using 32-bit parameters. To achieve this, a carry value from the carry register 780 is used as appropriate.
  • the computed T_0 is then output from the T computation module 740 to the second data input of the input multiplexer 710, and is input into the shift register a0.
  • the computation of T involves a rotate to the left by 5 places function operated on 8-bit hash variable segments a0 to a3.
  • the rotate 'a' module 750 is used. This comprises a multiplexer 751 which has a first data input connected to the output of shift register a0, a second data input connected to the output of the shift register b0, and an output connected to a first input of a data combiner 752.
  • a second input of the data combiner 752 is connected to the shift register a3, and an output of the data combiner is connected to the add device 770.
  • the rotate 'a' module 750 operates over four clock cycles to perform the rotate function on the 8-bit hash variable segments a0 to a3, and to obtain the same result as rotating an equivalent 32-bit hash variable, as illustrated in Figure 5.
  • the first row of Figure 5 shows the initial values of the hash variable segments a0 to a3, i.e.
  • a3 0110 0100) are placed in shift register b0, the three LSBs of a3 (100) are output to the first input of the data combiner 752, and the five MSBs of the contents of b0 are output to the second data input of the multiplexer 751.
  • this multiplexer is configured to accept data received on its first data input, and to output this to the second data input of the data combiner 752.
  • the data combiner 752 receives the three LSBs of a3 (100) and the five MSBs of a0 (0110 0), and concatenates them to get the first byte of the rotate result (1000 1100), which is output to the add device 770.
  • shift register a0 T_0
  • the five MSBs of T_0 are output to the first input of the multiplexer 751
  • shift register a3 the contents of shift register a3 (i.e.
  • this multiplexer is configured to accept data received on its second data input, and to output this to the second data input of the data combiner 752.
  • the data combiner 752 receives the three LSBs of a2 (011) and the five MSBs of a3 (0110 0), and concatenates them to get the second byte of the rotate result (0110 1100), which is output to the add device 770.
  • hash variable segments c0 to c3 involve a rotate to the left by 30 places function operating on the hash variable segments b0 to b3. Again, it is desired to obtain the same result for the rotate function using the 8-bit hash variable segments as would be obtained if a 32-bit hash variable were to be rotated. This is achieved using the rotate 'b' module 730. This comprises a multiplexer 731, a first register 732, a second register 733, a third register 734, a data splitter 735 and a data combiner 736.
  • a first data input of the multiplexer 731 is connected to the output of the shift register b2, a second data input of the multiplexer 731 is connected to the output of the third register 734, and an output of the multiplexer is connected to a first data input of the data combiner 736.
  • a data input of the data splitter 735 is connected to the output of the shift register b3.
  • a first output of the data splitter 735 is connected to an input of the first register 732, and a second data output of the data splitter 735 is connected to a second input of the data combiner 736.
  • An output of the first register 732 is connected to an input of the second register 733, and an output of the second register 733 is connected to an input of the third register 734.
  • the contents of the first, second and third registers 732, 733, 734 are initialised to zero.
  • the rotate 'b' module 730 operates over four clock cycles to perform the rotate function on the 8-bit hash variable segments b0 to b3, and to obtain the same result as rotating an equivalent 32-bit hash variable, as illustrated in Figure 6.
  • the first row of Figure 6 shows the initial values of the hash variable segments b0 to b3, i.e.
  • this multiplexer is configured to accept data received on its first data input, and to output this to the first data input of the data combiner 736.
  • the data combiner 736 receives the two LSBs of b2 (11) and the six MSBs of b3 (0110 01), and concatenates them to get the first byte of the rotate result (1101 1001), which is output to the shift register c0.
  • shift register b0 the contents of shift register b0 are placed in shift register b1
  • the two LSBs of b1 (10) are output to the first data input of the multiplexer 731
  • the contents of shift register b3 i.e.
  • b2 0110 0011) are output to the input of the data splitter 735, the two LSBs of b2 (11) are output to the first register 732, the six MSBs of b2 (0110 00) are output to the second data input of the data combiner 736, the contents (the two LSBs of b3 (00) stored there in the first clock cycle) of the first register 732 are output to the second register 733, the contents (0) of the second register 733 are output to the third register 734, and the contents (0) of the third register 734 are output to the second data input of the multiplexer 731.
  • this multiplexer is also configured to accept data received on its first data input, and to output this to the first data input of the data combiner 736.
  • the data combiner 736 receives the two LSBs of b1 (10) and the six MSBs of b2 (0110 00), and concatenates them to get the second byte of the rotate result (1001 1000), which is output to the shift register c0.
  • the same process is carried out in the third clock cycle, to get the third byte of the rotate result (0101 1000), which is output to the shift register c0.
  • the contents of shift register b0 are placed in shift register b1
  • the contents of shift register b1 are placed in shift register b2
  • the contents of shift register b2 are placed in shift register b3
  • the two LSBs of the contents of shift register b2 are output to the first data input of the multiplexer 731
  • the contents of shift register b3 i.e.
  • b0 0110 0001) are output to the input of the data splitter 735, the two LSBs of b0 (01) are output to the first register 732, the six MSBs of b0 (0110 00) are output to the second data input of the data combiner 736, the contents (the two LSBs of b1 stored there in the third clock cycle) of the first register 732 are output to the second register 733, the contents (the two LSBs of b2 stored there in the second clock cycle) of the second register 733 are output to the third register 734, and the contents (the two LSBs of b3 (00) stored there in the first clock cycle) of the third register 734 are output to the second data input of the multiplexer 731.
  • this multiplexer is configured to accept data received on its second data input, and to output this to the first data input of the data combiner 736.
  • the data combiner 736 receives the two LSBs of b3 (00) and the six MSBs of b0 (0110 00), and concatenates them to get the fourth byte of the rotate result (0001 1000), which is output to the shift register c0.
  • the rotate function is carried out on the four 8-bit hash variable segments b0 to b3 to give the 8-bit hash variable segments c0 to c3.
  • the final hash variable segments a0 to e3 for the first 512-bit data block are then input into the input multiplexer 710 of the hash value computation element 7 in 20 clock cycles as before, and are used in the computation of the final hash variable segments a0 to e3 for the second 512-bit data block.
  • the 8-bit hash value computation device architecture has been implemented using the Faraday UMC 180 nm (L180 GII) and UMC 130 nm (L130 LL) CMOS libraries. It has been tested using Modelsim, synthesised using Synopsys Physical Compiler Version 2006.06 and its power consumption obtained from Synopsys PrimeTime PX Version 2007.06.
  • the performance results of the 8-bit hash value computation device of the invention are an area of 5527 gates, power consumption of 2.32 µW at 100 kHz, and timing of 344 cycles.
  • the shift registers used to store the message schedule values in the hash value computation device of the invention account for 2560 gates and 46% of the overall architecture, when implemented on 130 nm technology. It is important that the power consumption of the architecture of the hash value computation device of the invention meets the limitations imposed by RFID tags when it is used in this application.
  • the current consumption of a security architecture for implementation on RFID tags should not exceed 15 µA.
  • the proposed 8-bit hash value computation device meets these power constraints comfortably.
  • the silicon area requirement significantly impacts the cost and the cost per mm² of silicon is estimated at 4 cent. Therefore, it is vital that the silicon area overhead resulting from the inclusion of security on low-cost tags is kept to a minimum.
  • the hash value computation device architecture of the invention is within close reach of current RFID tag deployment.
  • In relation to timing, an RFID tag must respond to a reader's request within 32 µs in accordance with the ISO/IEC 18000 standard. An interleaved challenge-response protocol could be used, in which the response time is 18 ms. This corresponds to 1800 clock cycles when operating with a clock frequency of 100 kHz.
  • the hash value computation device of the invention also satisfies this requirement.
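
The byte-serial data path described above can be modelled in software and checked against a reference SHA-1. The following Python sketch is an added example, not code from the patent: the function names are hypothetical, the byte ordering (least significant 8-bit segment of each 32-bit word first) is inferred from the worked values above, and the final per-block addition into the running hash is taken from standard SHA-1.

```python
import hashlib
import struct

K = (0x5A827999, 0x6ED9EBA1, 0x8F1BBCDC, 0xCA62C1D6)             # SHA-1 constants K_t
H0 = (0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476, 0xC3D2E1F0)  # SHA-1 initial values


def to_bytes(word):
    """Split a 32-bit word into four 8-bit segments, least significant first."""
    return [(word >> (8 * j)) & 0xFF for j in range(4)]


def to_word(segs):
    """Reassemble four LSB-first 8-bit segments into a 32-bit word."""
    return sum(s << (8 * j) for j, s in enumerate(segs))


def rotl1_serial(xor_bytes):
    """Model of rotate module 17: one byte per cycle, a 1-bit register carries
    each byte's MSB into the next byte. The first byte's LSB is only known
    after the fourth byte, so it is patched in last (second multiplexer)."""
    reg, out = 0, []
    for x in xor_bytes:                      # LSB byte of the 32-bit value first
        out.append(((x << 1) & 0xFF) | reg)
        reg = x >> 7
    out[0] = (out[0] & 0xFE) | reg           # MSB of 4th byte becomes overall LSB
    return out


def rotl5_serial(a):
    """Rotate 'a' module: 3 LSBs of a segment joined to the 5 MSBs of the
    next less significant segment (wrapping round to the top segment)."""
    return [((a[j] << 5) & 0xFF) | (a[j - 1] >> 3) for j in range(4)]


def rotl30_serial(b):
    """Rotate 'b' module: 2 LSBs of the next more significant segment
    (wrapping) joined to the 6 MSBs of this segment."""
    return [((b[(j + 1) % 4] << 6) & 0xFF) | (b[j] >> 2) for j in range(4)]


def add_serial(*operands):
    """Add device with carry register: byte-wise addition, LSB segment first.
    The carry left after the fourth byte is discarded (modulo 2**32)."""
    carry, out = 0, []
    for j in range(4):
        total = sum(op[j] for op in operands) + carry
        out.append(total & 0xFF)
        carry = total >> 8
    return out


def schedule(block):
    """320 8-bit message schedule values W_0..W_319 for one 64-byte block."""
    # Assumption: each 32-bit word is fed least significant byte first.
    w = [block[4 * (i // 4) + 3 - i % 4] for i in range(64)]
    for t in range(64, 320, 4):
        xors = [w[u - 12] ^ w[u - 32] ^ w[u - 56] ^ w[u - 64]
                for u in range(t, t + 4)]
        w.extend(rotl1_serial(xors))
    return w


def f(t, b, c, d):
    """SHA-1 F_t on 8-bit segments; purely bitwise, so it splits cleanly."""
    if t < 20:
        return (b & c) | (~b & 0xFF & d)
    if 40 <= t < 60:
        return (b & c) | (b & d) | (c & d)
    return b ^ c ^ d


def compress(state, block):
    """Process one 512-bit block; state is five lists of four LSB-first bytes."""
    w = schedule(block)
    a, b, c, d, e = state
    for t in range(80):
        ft = [f(t, b[j], c[j], d[j]) for j in range(4)]
        big_t = add_serial(rotl5_serial(a), ft, e,
                           to_bytes(K[t // 20]), w[4 * t:4 * t + 4])
        a, b, c, d, e = big_t, a, rotl30_serial(b), c, d
    return [add_serial(s, v) for s, v in zip(state, (a, b, c, d, e))]


def sha1_8bit(message):
    """Pad to 448 mod 512 bits, append the 64-bit length, hash block by block."""
    padded = (message + b"\x80" + b"\x00" * ((55 - len(message)) % 64)
              + struct.pack(">Q", 8 * len(message)))
    state = [to_bytes(h) for h in H0]
    for off in range(0, len(padded), 64):
        state = compress(state, padded[off:off + 64])
    return b"".join(struct.pack(">I", to_word(s)) for s in state)


if __name__ == "__main__":
    # XOR results from the worked rotate example above, LSB byte first.
    print([format(v, "08b") for v in rotl1_serial([0x64, 0x63, 0x62, 0xE1])])
    print(sha1_8bit(b"abc").hex() == hashlib.sha1(b"abc").hexdigest())
```

The rotate helpers reproduce the binary values worked through in the rotate module 17, rotate 'a' and rotate 'b' passages, and the digest agrees with `hashlib.sha1` for single-block and multi-block messages.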

Abstract

A hash value computation device for computing a hash value for a message using a hash algorithm that defines a key is provided, the device comprising a message schedule element having an input module which receives the message in 8-bit segments, a plurality of 8-bit memory modules which store the 8-bit segments of the message, an 8-bit message schedule value module which uses the 8-bit message segments and the hash algorithm to provide an 8-bit message schedule value for each 8-bit message segment, and an output module which outputs the 8-bit message schedule values, and a hash value computation element comprising a first input module which receives the 8-bit message schedule values, a second input module which receives 8-bit segments of the key defined by the hash algorithm, a plurality of 8-bit memory modules which store the 8-bit segments of the key, a hash value computation module which uses the 8-bit message schedule values and the 8-bit key segments to compute a hash value for the message, and an output module which outputs the hash value.

Description

Data Security Devices and Methods
The invention relates to data security devices and methods that implement a hash algorithm.
Many devices and methods have been developed for application to data security. It is often desirable to provide a number of data security services, such as confidentiality (protecting the data from disclosure to unauthorised bodies), authentication (assuring that received data was transmitted by the body identified as the source), integrity (maintaining data consistency and ensuring that data has not been altered by unauthorised persons) and non-repudiation (preventing the originator of a message from denying transmission). Services such as these can be used, for example, in data communication networks, where each of the services may be provided, and in identification devices, such as radio frequency identification (RFID) tags, where authentication may be the most important service.
Various methodologies have been used to implement these security services. One such methodology is the use of hash functions, for example the suite of Secure Hash Algorithms (SHAs) devised by the US National Institute of Standards and Technology, which are particularly used to provide the authentication security service.
In any device which is used to provide one or more of the security services, there are various criteria which need to be considered in order to give a device which can provide the or each security service to a required level in an efficient and realisable manner. One such criterion is the size of the device, and the area of material, for example, silicon which it uses. If the area is large, this has cost implications, and the device may be physically too big to be used in some applications, for example RFID tags.
According to a first aspect of the present invention there is provided a hash value computation device for computing a hash value for a message using a hash algorithm that defines a key, the device comprising a message schedule element having an input module which receives the message in 8-bit segments, a plurality of 8-bit memory modules which store the 8-bit segments of the message, an 8-bit message schedule value module which uses the 8-bit message segments and the hash algorithm to provide an 8-bit message schedule value for each 8-bit message segment, and an output module which outputs the 8-bit message schedule values, and a hash value computation element comprising a first input module which receives the 8-bit message schedule values, a second input module which receives 8-bit segments of the key defined by the hash algorithm, a plurality of 8-bit memory modules which store the 8-bit segments of the key, a hash value computation module which uses the 8-bit message schedule values and the 8-bit key segments to compute a hash value for the message, and an output module which outputs the hash value.
The hash value computation device may operate over n clock cycles to compute the hash value for the message. The message schedule element may operate over the n clock cycles to calculate n message schedule values. The hash value computation module may operate over the n clock cycles to use the n message schedule values to compute the hash value for the message.
The hash value computation device may receive the message in a format appropriate for the hash algorithm used to compute the hash value. Alternatively, the hash value computation device may receive the message in a different format and change this to a format appropriate for the hash algorithm used to compute the hash value. The hash value computation device may comprise a message formatting module, which formats the message into a format appropriate for the hash algorithm used to compute the hash value. The message format may comprise N x-bit message blocks, where x is equal to or greater than 8, for example the message format may comprise N 512-bit message blocks. The message formatting module may format the message into N 512-bit message blocks, by padding the message, as appropriate, to a length of 448 mod 512, appending the length of the padded message as a 64-bit number to the padded message, and parsing the resultant message into N 512-bit data message blocks.
The input module of the message schedule element may receive the or each x-bit message block in 8-bit message segments. The input module may comprise a multiplexer. In each clock cycle of a first subset of the n clock cycles, the multiplexer may be configured to receive an 8-bit message segment and pass the 8-bit message segment to a first memory module of the plurality of 8-bit memory modules.
The plurality of 8-bit memory modules of the message schedule element may be arranged in a linear array, with a first 8-bit memory module connected to a second 8-bit memory module, the second 8-bit memory module connected to a third 8-bit memory module, etc. The first 8-bit memory module in the array may also be connected to the input module. The array of 8-bit memory modules may comprise a number of memory modules sufficient such that each memory module stores an 8-bit message segment of an x-bit message block of the message. In a first clock cycle of the first subset of the n clock cycles, the first 8-bit memory module in the array may receive a first 8-bit message segment, in a second clock cycle of the first subset of the n clock cycles, the first 8-bit memory module in the array may receive a second 8-bit message segment, and the second 8-bit memory module in the array may receive the first 8-bit message segment, etc. for each of the clock cycles in the subset of clock cycles. Each of the plurality of 8-bit memory modules may comprise an 8-bit shift register.
The 8-bit message schedule value module may provide 8-bit message schedule values determined using modifications of a message schedule value definition specified by the hash algorithm. The modifications may change the message schedule value definition from a definition formulated to use 32-bit data segments to a definition formulated to use 8-bit data segments.
The modified message schedule value definition may comprise
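$$
W_t = \begin{cases}
\mathrm{Message}_t & 0 \le t \le 63 \\
\mathrm{ROTLEFT\text{-}1}\left(W_{t-12} \oplus W_{t-32} \oplus W_{t-56} \oplus W_{t-64}\right) & 64 \le t \le 319
\end{cases}
$$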
The 8-bit message schedule value module may use a first part of the modified message schedule value definition to provide a first set of 8-bit message schedule values which each comprise an 8-bit message segment of the message. The 8-bit message schedule value module may use a second part of the modified message schedule value definition to provide a second set of 8-bit message schedule values calculated using one or more functions carried out on one or more previously-determined message schedule values. The functions may comprise one or more logical functions, such as one or more XOR functions. The functions may comprise one or more rotate functions.
The 8-bit message schedule value module may comprise an 8-bit XOR module which carries out the one or more XOR functions of the second part of the modified message schedule value definition. The XOR module may receive one or more previously-determined 8-bit message schedule values and carry out the one or more XOR functions on these, to provide one or more 8-bit XOR values.
The 8-bit message schedule value module may comprise a rotate module which carries out the one or more rotate functions of the second part of the modified message schedule value definition. The one or more rotate functions may comprise a rotate to the left by one place rotate function. The rotate module may receive a plurality of 8-bit XOR values and carry out the one or more rotate functions on these, to provide a plurality of 8-bit message schedule values. The rotate module may receive at least one set of four 8-bit XOR values and carry out the one or more rotate functions on the set, to provide four 8-bit message schedule values. The four 8-bit message schedule values may, on concatenation, give a 32-bit value which is the same as a 32-bit value obtained by an unmodified message schedule value definition of the hash algorithm carried out on a 32-bit value comprising the four 8-bit XOR values. The rotate module may comprise a data splitter, a first multiplexer, a register, a data combiner and a second multiplexer.
The 8-bit message schedule value module may comprise a control module which is used to control the operation of the rotate module. The control module may be used to control the operation of the first multiplexer and the second multiplexer of the rotate module.
The hash value computation module may compute a hash value for the message comprising a concatenation of a plurality of hash variables, preferably five 32-bit hash variables. The hash value computation module may compute the hash variables using modifications of hash variable definitions specified by the hash algorithm. The modifications may change the hash variable definitions from definitions formulated to use 32-bit message schedule values and 32-bit key segments to definitions formulated to use 8-bit message schedule values and 8-bit key segments.
The modified hash variable definitions may comprise
$$\begin{aligned} T &= \text{ROTLEFT-5}(a) + F_t(b, c, d) + e + K_t + W_t \\ e &= d \\ d &= c \\ c &= \text{ROTLEFT-30}(b) \\ b &= a \\ a &= T \end{aligned}$$
where a, b, c, d and e are the hash variables.
The hash value computation module may compute the hash value using 8-bit key segments of initial values of the hash variables defined by the hash algorithm.
The hash value computation module may comprise a rotate hash variable b module and a T computation module. The T computation module may comprise a rotate hash variable a module, an F computation module, an add device and a carry register. The hash algorithm may be a Secure Hash Algorithm (SHA), such as SHA-1, SHA-2, etc.
According to a second aspect of the invention there is provided a method of computing a hash value for a message using a hash algorithm that defines a key, comprising using a message schedule element of the hash value computation device of the first aspect of the invention to determine a plurality of 8-bit message schedule values, and using a hash value computation element of the hash value computation device of the first aspect of the invention to compute the hash value for the message using the message schedule values.
According to a third aspect of the invention there is provided a data security device comprising a hash value computation device according to the first aspect of the invention.
The data security device may comprise an RFID tag.
The hash value computation device of the invention has been designed as an 8-bit architecture and to operate using 8-bit data segments. Such an 8-bit architecture allows the use of less silicon for the components thereof, and thus achieves a small area and low cost architecture, in comparison to all previous 32-bit architectures.
An embodiment of the hash value computation device of the invention will now be described, by way of example only, with reference to the following drawings, in which:
Figure 1 is a schematic representation of a hash value computation device according to the invention;
Figure 2 is a schematic representation of a message schedule element of the hash value computation device of Figure 1;
Figure 3 is a schematic representation of a rotate function carried out by the message schedule element of Figure 2;
Figure 4 is a schematic representation of a hash value computation element of the hash value computation device of Figure 1;
Figure 5 is a schematic representation of a rotate function carried out by the hash value computation element of Figure 4, and
Figure 6 is a schematic representation of a further rotate function carried out by the hash value computation element of Figure 4.
Referring to Figure 1, the hash value computation device 1 comprises an input element 3, a message schedule element 5, a hash value computation element 7 and an output element 9. The various elements are shown as being separate, however it will be appreciated that one or more of them could be combined, for example the input element 3 may be integral with the message schedule element 5, and the output element 9 may be integral with the hash value computation element 7. The hash value computation device receives a message, i.e. data, and uses this to calculate a hash value, employing, in this embodiment, a hash algorithm comprising the SHA-1. This algorithm comprises three principal steps: message pre-processing, message schedule value calculation and hash value computation. The message is received by the input element 3. The message may have already undergone the pre-processing step, to place it in a format appropriate for SHA-1 computation, or the input element 3 may receive a 'raw' message and perform the pre-processing step to place the message into the appropriate format. The pre-processing step may be performed using a software module. The pre-processing comprises padding the message, as appropriate, to a length of 448 mod 512, appending the length of the padded message as a 64-bit number to the padded message, and parsing the resultant message into N 512-bit message blocks. Each 512-bit message block is fed into the message schedule element 5 of the hash value computation device 1, and used in the computation of a final hash value.
Each of the elements of the hash value computation device of the invention is designed to work on 8-bit data segments. SHA-1 specifies definitions for the determination of the message schedule values and the computation of the hash values, these definitions having been devised to be performed on 32-bit data segments. The hash value computation device of the invention implements modifications of these definitions, the modifications being such that the definitions can be performed using 8-bit data segments.
Referring to Figure 2, the message schedule element 3 comprises an input module comprising an input multiplexer 11, a plurality of 8-bit memory modules comprising an array 13 of sixty four 8-bit shift registers (W63 to W0), a message schedule value module comprising an XOR module 15, a rotate module 17 and a control module 19, and an output module 21. The message schedule element 5 receives the 512-bit message blocks, in turn, from the input element 3. The message schedule element 5 operates over 320 clock cycles, t = 0 to 319, to provide 320 message schedule values, Wt. The message schedule value module provides 8-bit message schedule values determined using modifications of a message schedule value definition specified by the SHA-1. The modifications change the message schedule value definition from a definition formulated to use 32-bit data segments to a definition formulated to use 8-bit data segments.
The modified message schedule value definition comprises
$$W_t = \begin{cases} \text{Message}_t & 0 \le t \le 63 \\ \text{32bitROTLEFT-1}\,(W_{t-12} \oplus W_{t-32} \oplus W_{t-56} \oplus W_{t-64}) & 64 \le t \le 319 \end{cases}$$
The message schedule values determined using the above definition are then output to the hash value computation element 7, where they are used in the computation of the hash value for the message.
The input multiplexer 11 comprises a first data input 111, a second data input 112, a control input 113 and an output 114. In each clock cycle, the input multiplexer 11 receives 8-bit data either on the first data input 111 or the second data input 112, according to the value of a control signal received from the control module 19 on the control input 113. In each clock cycle, 8-bit data is output by the input multiplexer 11 to the first shift register W63 of the array of shift registers 13. The shift registers in the array of shift registers 13 are connected in a linear array as shown in Figure 2. In each clock cycle, any 8-bit data contained in the shift registers W63, W62 and W60 to W1 is passed to shift registers W62, W61 and W59 to W0 respectively. For any 8-bit data contained in shift register W61, the seven MSBs are passed to a first input of shift register W60, and the LSB is passed to a multiplexer. The output of the multiplexer is fed to a second input of the shift register W60. The data received on the first and second inputs of the shift register W60 is then concatenated. The shift registers W52, W32, W8 and W0 are each connected to the XOR module 15. In each clock cycle, any 8-bit data contained in these shift registers is passed to the XOR module 15. This comprises an 8-bit XOR module, and uses the 8-bit data received from the shift registers to calculate an 8-bit XOR value, according to the above equation, which is fed to the rotate module 17.
The rotate module 17 comprises a data splitter 171, a first multiplexer 172, a register 173, a data combiner 174 and a second multiplexer 175. In each clock cycle, an 8-bit XOR value received from the XOR module 15 is input into the data splitter 171. This splits the 8-bit value into two parts. The first part comprises the seven least significant bits (LSBs) of the 8-bit value, and is fed to the data combiner 174. The second part comprises the most significant bit (MSB) of the 8-bit value, and is fed to the first multiplexer 172. The first multiplexer comprises a data input, a control input and two outputs as shown. The 1-bit data received by the data input is output either to the register 173 or the second multiplexer 175, according to the value of a control signal received from the control module 19 on the control input. The register 173 is connected to the data combiner 174. 1-bit data contained in the register is fed to the data combiner 174, where it is combined with the seven LSBs of the 8-bit XOR value received by the rotate module 17. The combined 8-bit data is fed to the second data input 112 of the input multiplexer 11. The second multiplexer 175 comprises a first data input connected to the shift register W61, a second data input connected to the first multiplexer 172, a control input connected to the control module 19, and an output connected to the shift register W60. In each clock cycle, the second multiplexer 175 receives 1-bit data either on the first data input or the second data input, according to the value of a control signal received from the control module 19 on the control input. The 1-bit data received from the shift register W61 comprises the LSB of the 8-bit data contained in the register W62. The second multiplexer 175 outputs the 1-bit data to the shift register W60. The output module 21 is connected between the shift registers W60 and W59, as shown. In each clock cycle, 8-bit data passed to the register W59 from the register W60 is also passed to the output module 21, and output from the message schedule element 5 to the hash value computation element 7.
The operation of the message schedule element 5 to generate 320 message schedule values, Wt, will now be described in detail, with reference to Figures 2 and 3.
A first 512-bit message block is prepared for loading into the message schedule element 5, by splitting it into 64 8-bit segments. The message schedule element 5 is operated over 320 clock cycles to receive the 8-bit segments and use them to generate the 320 message schedule values. Prior to the start of the 320 clock cycles, the control module 19 is operated to send control signals to the input multiplexer 11, the first multiplexer 172 of the rotate module 17 and the second multiplexer 175 of the rotate module 17. The control signal received by the input multiplexer 11 causes it to receive data on the first data input 111. The control signal received by the first multiplexer 172 of the rotate module 17 causes this multiplexer to output data on its first data output to the register 173. The control signal received by the second multiplexer 175 of the rotate module 17 causes this multiplexer to receive data on its first data input from the shift register W61. The shift registers W63 to W0 are initialised, so that they comprise data equating to zero. In the first clock cycle, t = 0, a first 8-bit segment, S0, of the first 512-bit message block is fed into the input multiplexer 11 and from there to the first shift register W63. The zero data in shift register W63 is fed to shift register W62, and the zero data in shift register W62 is fed to shift register W61. The seven MSBs of the zero data in shift register W61 are fed straight to the first input of the shift register W60, and the LSB of the zero data in shift register W61 is fed to the second multiplexer 175. This has been configured to output the LSB of the zero data to the shift register W60, and the seven MSBs and the LSB of the zero data are concatenated therein. The zero data in shift registers W60 to W1 is fed to shift registers W59 to W0. Data output from shift registers W52, W32, W8 and W0 is processed by the XOR module 15 and the rotate module 17, and is output to the second data input 112 of the input multiplexer 11. However, this multiplexer is configured to ignore data received on this input. The output module 21 receives zero data from the shift register W60, and outputs this to the hash value computation element 7, where it is ignored in the first clock cycle of this element.
In the second clock cycle, t = 1, a second 8-bit segment S1 of the first 512-bit message block is fed into the input multiplexer 11 and from there to the first shift register W63. The first 8-bit segment S0 in shift register W63 is fed to shift register W62, and the zero data in shift register W62 is fed to shift register W61. The seven MSBs of the zero data in shift register W61 are fed straight to the first input of the shift register W60, and the LSB of the zero data in shift register W61 is fed to the shift register W60 as before where they are concatenated. The zero data in shift registers W60 to W1 is fed to shift registers W59 to W0. Data output from shift registers W52, W32, W8 and W0 is processed as above. The output module 21 again receives zero data from the shift register W60, and outputs this to the hash value computation element 7, where it is ignored in the second clock cycle of this element.
In the third clock cycle, t = 2, a third 8-bit segment S2 of the first 512-bit message block is fed into the input multiplexer 11 and from there to the first shift register W63. The second 8-bit segment S1 in shift register W63 is fed to shift register W62, and the first 8-bit segment S0 in shift register W62 is fed to shift register W61. The seven MSBs of the zero data in shift register W61 are fed straight to the first input of the shift register W60, and the LSB of the zero data in shift register W61 is fed to the shift register W60 as before where they are concatenated. The zero data in shift registers W60 to W1 is fed to shift registers W59 to W0. Data output from shift registers W52, W32, W8 and W0 is processed as before. The output module 21 again receives zero data from the shift register W60, and outputs this to the hash value computation element 7, where it is ignored in the third clock cycle of this element.
In the fourth clock cycle, t = 3, a fourth 8-bit segment S3 of the first 512-bit message block is fed into the input multiplexer 11 and from there to the first shift register W63. The third 8-bit segment S2 in shift register W63 is fed to shift register W62, and the second 8-bit segment S1 in shift register W62 is fed to shift register W61. The seven MSBs of the first 8-bit segment S0 in shift register W61 are fed straight to the first input of the shift register W60. The LSB of the first 8-bit segment S0 in shift register W61 is fed to the second multiplexer 175. This has been configured to output the LSB to the shift register W60, and the seven MSBs and the LSB of the first 8-bit segment S0 are concatenated therein. The zero data in shift registers W60 to W1 is fed to shift registers W59 to W0. Data output from shift registers W52, W32, W8 and W0 is processed as before. The output module 21 again receives zero data from the shift register W60, and outputs this to the hash value computation element 7, where it is ignored in the fourth clock cycle of this element.
In the fifth clock cycle, t = 4, a fifth 8-bit segment S4 of the first 512-bit message block is fed into the input multiplexer 11 and from there to the first shift register W63. The fourth 8-bit segment S3 in shift register W63 is fed to shift register W62, and the third 8-bit segment S2 in shift register W62 is fed to shift register W61. The seven MSBs of the second 8-bit segment S1 in shift register W61 are fed straight to the first input of the shift register W60. The LSB of the second 8-bit segment S1 in shift register W61 is fed to the second multiplexer 175. This has been configured to output the LSB to the shift register W60, and the seven MSBs and the LSB of the second 8-bit segment S1 are concatenated therein. The first 8-bit segment S0 in shift register W60 is fed to shift register W59. The zero data in shift registers W59 to W1 is fed to shift registers W58 to W0. Data output from shift registers W52, W32, W8 and W0 is processed as before. The output module 21 receives the first 8-bit segment S0 from the shift register W60, and outputs this to the hash value computation element 7, where it is used to compute a final hash value. The first 8-bit segment S0 is the first message schedule value W0.
The above process is repeated until the sixty fourth clock cycle, t = 63, where all of the sixty four 8-bit message segments of the first 512-bit message block have been loaded into the message schedule element 5, the sixty fourth 8-bit message segment S63 being contained in the shift register W63, and so on, to the first 8-bit message segment S0 contained in the shift register W0. Data output from shift registers W52, W32, W8 and W0 is processed by the XOR module 15 and the rotate module 17, as before. The output of the message schedule element 5 over these 64 clock cycles is 0, 0, 0, 0, followed by the message segments S0 to S59, which comprise the message schedule values W0 to W59. These are passed to the hash value computation element 7.
The control module 19 comprises a clock, and therefore is able to ascertain when clock cycle t = 63 has been reached. When this occurs, the control module 19 sends a new control signal to the input multiplexer 11. The control signal received by the input multiplexer 11 causes it to switch to receiving data on its second data input 112.
In the sixty fifth clock cycle, t = 64, the sixty fourth 8-bit message segment S63 in shift register W63 is fed to shift register W62, and the sixty third 8-bit segment S62 in shift register W62 is fed to shift register W61. The seven MSBs of the sixty second 8-bit segment S61 in shift register W61 are fed straight to the first input of the shift register W60. The LSB of the sixty second 8-bit segment S61 in shift register W61 is fed to the second multiplexer 175. This is still configured to output the LSB to the shift register W60, and the seven MSBs and the LSB of the sixty second 8-bit segment S61 are concatenated therein. The 8-bit segments, S60 to S1, in shift registers W60 to W1 are fed to shift registers W59 to W0. The output module 21 receives the sixty first 8-bit segment S60 from the shift register W60, and outputs this to the hash value computation element 7, where it is used to compute a final hash value. The sixty first 8-bit segment S60 is the sixty first message schedule value W60. Data which is output from shift registers W52, W32, W8 and W0 is also passed to the XOR module 15. This data comprises the 8-bit message segments S52, S32, S8 and S0, i.e. the message schedule values W52, W32, W8 and W0. These message schedule values undergo XOR functions according to the equation given above, and the XOR result is output to the rotate module 17. The XOR result is operated upon by the rotate module 17, and the rotate result is passed to the second data input 112 of the input multiplexer 11. As the input multiplexer 11 is now configured to receive data on its second data input 112, this first rotate result is fed into the input multiplexer 11, and from there is fed to the first shift register W63.
In the sixty sixth clock cycle, t = 65, the first rotate result in shift register W63 is fed into shift register W62, and the sixty fourth 8-bit segment S63 in shift register W62 is fed to shift register W61. The seven MSBs of the sixty third 8-bit segment S62 in shift register W61 are fed straight to the first input of the shift register W60. The LSB of the sixty third 8-bit segment S62 in shift register W61 is fed to the second multiplexer 175. This is still configured to output the LSB to the shift register W60, and the seven MSBs and the LSB of the sixty third 8-bit segment S62 are concatenated therein. The 8-bit segments, S61 to S2, in shift registers W60 to W1 are fed to shift registers W59 to W0. The output module 21 receives the sixty second 8-bit segment S61 from the shift register W60, and outputs this to the hash value computation element 7, where it is used to compute a final hash value. The sixty second 8-bit segment S61 is the sixty second message schedule value W61. Data which is output from shift registers W52, W32, W8 and W0 is also passed to the XOR module 15. This data comprises the 8-bit message segments S53, S33, S9 and S1, i.e. the message schedule values W53, W33, W9 and W1. These message schedule values undergo XOR functions according to the equation given above, and the XOR result is output to the rotate module 17. The XOR result is operated upon by the rotate module 17, and the rotate result is passed to the second data input 112 of the input multiplexer 11. The input multiplexer 11 is still configured to receive data on its second data input 112, and this second rotate result is fed into the input multiplexer 11, and from there is fed to the first shift register W63.
In the sixty seventh clock cycle, t = 66, the second rotate result in shift register W63 is fed into shift register W62, and the first rotate result in shift register W62 is fed to shift register W61. The seven MSBs of the sixty fourth 8-bit segment S63 in shift register W61 are fed straight to the first input of the shift register W60. The LSB of the sixty fourth 8-bit segment S63 in shift register W61 is fed to the second multiplexer 175. This is still configured to output the LSB to the shift register W60, and the seven MSBs and the LSB of the sixty fourth 8-bit segment S63 are concatenated therein. The 8-bit segments, S62 to S3, in shift registers W60 to W1 are fed to shift registers W59 to W0. The output module 21 receives the sixty third 8-bit segment S62 from the shift register W60, and outputs this to the hash value computation element 7, where it is used to compute a final hash value. The sixty third 8-bit segment S62 is the sixty third message schedule value W62. Data which is output from shift registers W52, W32, W8 and W0 is also passed to the XOR module 15. This data comprises the 8-bit message segments S54, S34, S10 and S2, i.e. the message schedule values W54, W34, W10 and W2. These message schedule values undergo XOR functions according to the equation given above, and the XOR result is output to the rotate module 17. The XOR result is operated upon by the rotate module 17, and the rotate result is passed to the second data input 112 of the input multiplexer 11. The input multiplexer 11 is still configured to receive data on its second data input 112, and this third rotate result is fed into the input multiplexer 11, and from there is fed to the first shift register W63.
In the sixty eighth clock cycle, t = 67, the control module 19 sends a control signal to the second multiplexer 175 of the rotate module 17, which control signal causes the second multiplexer 175 to receive data on its second data input, from the first multiplexer 173 of the rotate module 17. The third rotate result in shift register W63 is fed into shift register W62, and the second rotate result in shift register W62 is fed to shift register W61. The seven MSBs of the first rotate result in shift register W61 are fed straight to the first input of the shift register W60. The LSB of the first rotate result is fed to the first data input of the second multiplexer 175. This is now configured to ignore data received on its first data input, and to receive data on its second data input. The data received from the first multiplexer 173 on the second data input of the second multiplexer 175 is output to the shift register W60. The seven MSBs of the first rotate result and the data received from the first multiplexer 173 are concatenated in the shift register W60. This forms the sixty fifth message schedule value, W64. The 8-bit segments, S63 to S4, in shift registers W60 to W1 are fed to shift registers W59 to W0. The output module 21 receives the sixty fourth 8-bit segment S63 from the shift register W60, and outputs this to the hash value computation element 7, where it is used to compute a final hash value. The sixty fourth 8-bit segment S63 is the sixty fourth message schedule value W63. Data which is output from shift registers W52, W32, W8 and W0 is also passed to the XOR module 15. This data comprises the 8-bit message segments S55, S35, S11 and S3, i.e. the message schedule values W55, W35, W11 and W3. These message schedule values undergo XOR functions according to the equation given above, and the XOR result is output to the rotate module 17. The XOR result is operated upon by the rotate module 17, and the rotate result is passed to the second data input 112 of the input multiplexer 11. The input multiplexer 11 is still configured to receive data on its second data input 112, and this fourth rotate result is fed into the input multiplexer 11, and from there is fed to the first shift register W63.
In the sixty ninth clock cycle, t = 68, the control module 19 sends a control signal to the second multiplexer 175 of the rotate module 17, which control signal causes the second multiplexer 175 to swap back to receiving data on its first data input, from the shift register W61. The fourth rotate result in shift register W63 is fed into shift register W62, and the third rotate result in shift register W62 is fed to shift register W61. The seven MSBs of the second rotate result in shift register W61 are fed straight to the first input of the shift register W60. The LSB of the second rotate result is fed to the first data input of the second multiplexer 175. This is now configured to receive data on this first data input, and the LSB of the second rotate function is output to the shift register W60. The seven MSBs of the first rotate result and the LSB are concatenated in the shift register W60. This forms the sixty sixth message schedule value, W65. The sixty fifth message schedule value, W64, and 8-bit segments, S63 to S5, in shift registers W60 to W1 are fed to shift registers W59 to W0. The output module 21 receives the sixty fifth message schedule value W64 from the shift register W60, and outputs this to the hash value computation element 7, where it is used to compute a final hash value. Data which is output from shift registers W52, W32, W8 and W0 is also passed to the XOR module 15. This data comprises the 8-bit message segments S56, S36, S12 and S4, i.e. the message schedule values W56, W36, W12 and W4. These message schedule values undergo XOR functions according to the equation given above, and the XOR result is output to the rotate module 17. The XOR result is operated upon by the rotate module 17, and the rotate result is passed to the second data input 112 of the input multiplexer 11. The input multiplexer 11 is still configured to receive data on its second data input 112, and this fifth rotate result is fed into the input multiplexer 11, and from there is fed to the first shift register W63.
The procedure for clock cycle t = 68 is repeated for clock cycles t = 69 and t = 70. Thus it can be seen that when the first rotate result is transferred from shift register W61 to W60, the second data input of the second multiplexer 175 is active, and the data received by the shift register W60 is the seven MSBs of the first rotate result, and the data received on the second data input of the second multiplexer 175 (which is received from the first multiplexer 173). These are concatenated in the shift register W60, and form a message schedule value. When the second, third and fourth rotate results are transferred from shift register W61 to W60, the first data input of the second multiplexer 175 is active, and the data received by the shift register W60 is the seven MSBs of the second, third or fourth rotate result, and the data received on the first data input of the second multiplexer 175, which is the LSB of the second, third or fourth rotate result respectively. These are concatenated in the shift register W60, and form a message schedule value. This sequence of processing of the rotate results is repeated for each subsequent set of 4 rotate results.
The processing of the rotate results in the above manner is a consequence of using an 8-bit architecture for the calculation of the message schedule values W64 onwards. The SHA-1 has been formulated assuming that each 512-bit message block processed by the message schedule element is split up into sixteen 32-bit message segments. In the invention, each 512-bit message block is split up into sixty four 8-bit message segments. The message schedule value calculations of the invention are carried out on 8-bit message segments, using a modified SHA-1 message schedule value definition. It is important that this modified SHA-1 message schedule value definition yields the same results as would be achieved using an unmodified SHA-1 message schedule value definition on 32-bit message segments comprising four 8-bit message segments, i.e. for example that concatenation of message schedule values Wx to Wx+3 calculated using four 8-bit message segments would be the same as message schedule value Wx calculated using a 32-bit message segment comprising the four 8-bit message segments. The calculation of message schedule values W64 onwards involves using the modified SHA-1 message schedule value definition, comprising XOR functions and a rotate to the left by one place function. When the XOR functions are carried out over four clock cycles on four 8-bit message segments or message schedule values or a combination of these, this yields the same overall result as if the XOR functions were carried out on a 32-bit segment comprising the four 8-bit message segments / schedule values. This is not the case for the rotate function. If a rotate to the left by one place function is carried out separately on each of four 8-bit XOR values, this will not yield the same result as carrying out a rotate to the left by one place function on a 32-bit value formed from concatenation of the four 8-bit XOR values. In order for this to be achieved, the message schedule element 5 of the invention is provided with the rotate module 17.
The operation of the rotate module 17 will be described with reference to Figure 3, which illustrates the operation of the rotate function on four 8-bit data segments as follows.
1110 0001 0110 0010 0110 0011 0110 0100
If these data segments are treated as a 32-bit segment, to rotate this one place to the left, each of the digits, apart from the MSB, is shifted one place to the left, and the MSB is placed at the end of the segment, i.e. becomes the LSB. The rotated data segment will be:
1100 0010 1100 0100 1100 0110 1100 1001
It can be seen that if each of the 8-bit data segments is individually rotated to the left by one place, the result will be:
1100 0011 1100 0100 1100 0110 1100 1000
which is not the same result achieved when the data segments are treated as a 32-bit data segment.
The rotate module 17 of the message schedule element 5 operates to achieve the same result as follows. As described above, when the sixty fifth clock cycle, t = 64, is reached, the message schedule values start to be calculated using the XOR and rotate functions of the SHA-1 equation. The register 174 of the rotate module 17 is initialised to zero. The control module 19 sends a control signal to the first multiplexer 173 of the rotate module 17, and the control signal causes the first multiplexer 173 to output data to the register 174. In the sixty fifth clock cycle, t = 64, data which is output from shift registers W52, W32, W8 and W0 is passed to the XOR module 15. This data comprises the 8-bit message segments S52, S32, S8 and S0, i.e. the message schedule values W52, W32, W8 and W0. These message schedule values undergo XOR functions according to the equation given above, and the XOR result is output to the rotate module 17. In this example, this first XOR result comprises the first eight LSBs of the 32-bit data segment given above (0110 0100). The first XOR result is passed to the data splitter of the rotate module 17, where it is split and the seven LSBs thereof (110 0100) are passed to the data combiner of the rotate module 17, and the MSB thereof (0) is passed to the first multiplexer 173. The first multiplexer 173 is configured to pass the MSB (0) to the register 174. The MSB replaces the data (0) already stored in the register, and this data is passed to the data combiner, where it is combined with the seven LSBs of the first XOR function, to form the first rotate result (1100 1000) which is passed to the second data input 112 of the input multiplexer 11, and from there to shift register W63. This is illustrated in row t = 64 of Figure 3.
In the sixty sixth clock cycle, t = 65, data which is output from shift registers W52, W32, W8 and W0 is passed to the XOR module 15. This data comprises the 8-bit message segments S53, S33, S9 and S1, i.e. the message schedule values W53, W33, W9 and W1. These message schedule values undergo XOR functions according to the SHA-1 equation given above, and the XOR result is output to the rotate module 17. In this example, this second XOR result comprises the second eight LSBs of the 32-bit data segment given above (0110 0011). The second XOR result is passed to the data splitter of the rotate module 17, where it is split and the seven LSBs thereof (110 0011) are passed to the data combiner of the rotate module 17, and the MSB thereof (0) is passed to the first multiplexer 173. The first multiplexer 173 is still configured to pass the MSB (0) to the register 174. The MSB replaces the data (0) already stored in the register, and this data (which is the MSB (0) of the first XOR result) is passed to the data combiner, where it is combined with the seven LSBs of the second XOR function, to form the second rotate result (1100 0110) which is passed to the second data input 112 of the input multiplexer 11, and from there to shift register W63. The first rotate result (1100 1000) is passed from shift register W63 to shift register W62. This is illustrated in row t = 65 of Figure 3. It can be seen that the seven LSBs of the second XOR result are combined with the MSB of the first XOR result.
In the sixty seventh clock cycle, t = 66, data which is output from shift registers W52, W32, W8 and W0 is passed to the XOR module 15. This data comprises the 8-bit message segments S54, S34, S10 and S2, i.e. the message schedule values W54, W34, W10 and W2. These message schedule values again undergo XOR functions according to the SHA-1 equation given above, and the XOR result is output to the rotate module 17. In this example, this third XOR result comprises the third eight LSBs of the 32-bit data segment given above (0110 0010). The third XOR result is passed to the data splitter of the rotate module 17, where it is split and the seven LSBs thereof (110 0010) are passed to the data combiner of the rotate module 17, and the MSB thereof (0) is passed to the first multiplexer 173. The first multiplexer 173 is still configured to pass the MSB (0) to the register 174. The MSB replaces the data (0) already stored in the register, and this data (which is the MSB (0) of the second XOR result) is passed to the data combiner, where it is combined with the seven LSBs of the third XOR function, to form the third rotate result (1100 0100) which is passed to the second data input 112 of the input multiplexer 11, and from there to shift register W63. The second rotate result (1100 0110) is passed from shift register W63 to shift register W62, and the first rotate result (1100 1000) is passed from shift register W62 to shift register W61. This is illustrated in row t = 66 of Figure 3. It can be seen that the seven LSBs of the third XOR result are combined with the MSB of the second XOR result.
In the sixty eighth clock cycle, t = 67, the control module 19 sends a control signal to the first multiplexer 173 of the rotate module 17, which control signal causes the first multiplexer 173 to output data which it receives to the second multiplexer 175 of the rotate module 17. Data which is output from shift registers W52, W32, W8 and W0 is passed to the XOR module 15. This data comprises the 8-bit message segments S55, S35, S11 and S3, i.e. the message schedule values W55, W35, W11 and W3. These message schedule values undergo XOR functions according to the SHA-1 equation given above, and the XOR result is output to the rotate module 17. In this example, this fourth XOR result comprises the fourth eight LSBs of the 32-bit data segment given above (1110 0001). The fourth XOR result is passed to the data splitter of the rotate module 17, where it is split and the seven LSBs thereof (110 0001) are passed to the data combiner of the rotate module 17, and the MSB thereof (1) is passed to the first multiplexer 173. The first multiplexer 173 is now configured to pass the MSB (1) to the second multiplexer 175. The data already stored in the register, which is the MSB (0) of the third XOR result, is passed to the data combiner, where it is combined with the seven LSBs of the fourth XOR function, to form the fourth rotate result (1100 0010) which is passed to the second data input 112 of the input multiplexer 11, and from there to shift register W63. The third rotate result (1100 0100) is passed from shift register W63 to shift register W62, and the second rotate result (1100 0110) is passed from shift register W62 to shift register W61. The seven MSBs of the first rotate result (1100 100) in shift register W61 are fed straight to the first input of the shift register W60. The LSB of the first rotate result is fed to the first data input of the second multiplexer 175. This is now configured to ignore data received on its first data input, and to receive data on its second data input, from the first multiplexer 173. The data received from the first multiplexer 173 comprises the MSB (1) of the fourth rotate result, and this is output to the shift register W60. The seven MSBs of the first rotate result (1100 100) and the MSB (1) of the fourth rotate result are concatenated in the shift register W60, to form the sixty fifth message schedule value, W64, (1100 1001). This is illustrated in row t = 67 of Figure 3.
Thus at the sixty eighth clock cycle, t = 67, the shift registers W63 to W60 contain 1100 0010, 1100 0100, 1100 0110 and 1100 1001, respectively. It can be seen that the original 32-bit data segment output in four 8-bit XOR results by the XOR module 15, has been rotated one place to the left, i.e. each of the digits, apart from the MSB, have been shifted one place to the left, and the MSB has been placed at the end of the segment, i.e. becomes the LSB, as a result of the rotate operations carried out by the rotate module 17. In subsequent clock cycles, these rotate results are output from the message schedule element 5, and form message schedule values W64 to W67. The process for clock cycles t = 65 to 67 is repeated for clock cycles t = 69 to 319. Every fourth clock cycle, control signals are sent to the first multiplexer 173 causing it to send the MSB of the fourth rotate result to the second multiplexer 175. This multiplexer is configured to pass the MSB to shift register W60, where it is concatenated with the seven MSBs of the first rotate result. Thus every four 8-bit XOR results are treated as a 32-bit segment, and a 32-bit rotate one place to the left function is carried out, as required for the calculation of appropriate message schedule values.
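The byte-serial rotate walked through above, modelled in C as an added example that is not code from the patent: `rotate_cycle` stands in for the rotate module 17 with its one-bit register 174, and `schedule8` applies it to the 8-bit schedule (taps at t-12, t-32, t-56 and t-64, as in the t = 64 cycle above) and checks that every four 8-bit values concatenate to the standard 32-bit SHA-1 schedule word. The function names and the sample block are assumptions of this example; segments are taken least significant first, as in the Figure 3 walk-through.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

static uint32_t rotl32(uint32_t x, unsigned r) { return (x << r) | (x >> (32 - r)); }

/* The approach the text rules out: rotate each 8-bit segment on its own. */
uint32_t rotl1_per_byte(uint32_t x) {
    uint32_t out = 0;
    for (int k = 0; k < 4; k++) {
        uint8_t b = (uint8_t)(x >> (8 * k));
        b = (uint8_t)((b << 1) | (b >> 7));
        out |= (uint32_t)b << (8 * k);
    }
    return out;
}

/* One clock cycle of the rotate step. `reg` models the one-bit register,
 * `w` the schedule memory, `t` the cycle and `x` the 8-bit XOR result. */
static void rotate_cycle(uint8_t *reg, uint8_t w[], int t, uint8_t x) {
    uint8_t msb = x >> 7;
    w[t] = (uint8_t)((x << 1) | *reg);   /* seven LSBs of x above the stored bit */
    if ((t & 3) != 3)
        *reg = msb;                      /* cycles 1 to 3: MSB goes to the register */
    else                                 /* cycle 4: MSB replaces the LSB of the  */
        w[t - 3] = (uint8_t)((w[t - 3] & 0xFE) | msb);  /* first rotate result   */
}

/* Rotate one 32-bit value fed as four segments, least significant first.
 * initial_reg is whatever the register held beforehand; it must not matter. */
uint32_t rotl1_serial(uint32_t x, uint8_t initial_reg) {
    uint8_t reg = initial_reg, w[4];
    for (int t = 0; t < 4; t++)
        rotate_cycle(&reg, w, t, (uint8_t)(x >> (8 * t)));
    return w[0] | (uint32_t)w[1] << 8 | (uint32_t)w[2] << 16 | (uint32_t)w[3] << 24;
}

/* 8-bit schedule: 64 message segments, then 256 values from the XOR taps
 * followed by the byte-serial rotate. The register is never reset. */
void schedule8(const uint8_t seg[64], uint8_t w[320]) {
    uint8_t reg = 0;
    memcpy(w, seg, 64);
    for (int t = 64; t < 320; t++)
        rotate_cycle(&reg, w, t,
                     (uint8_t)(w[t - 12] ^ w[t - 32] ^ w[t - 56] ^ w[t - 64]));
}

/* Returns 1 if the 8-bit schedule matches the 32-bit SHA-1 schedule. */
int schedules_agree(const uint32_t m[16]) {
    uint32_t w32[80];
    uint8_t seg[64], w8[320];
    for (int j = 0; j < 16; j++) {
        w32[j] = m[j];
        for (int k = 0; k < 4; k++)
            seg[4 * j + k] = (uint8_t)(m[j] >> (8 * k));
    }
    for (int j = 16; j < 80; j++)
        w32[j] = rotl32(w32[j - 3] ^ w32[j - 8] ^ w32[j - 14] ^ w32[j - 16], 1);
    schedule8(seg, w8);
    for (int j = 0; j < 80; j++) {
        uint32_t cat = w8[4 * j] | (uint32_t)w8[4 * j + 1] << 8 |
                       (uint32_t)w8[4 * j + 2] << 16 | (uint32_t)w8[4 * j + 3] << 24;
        if (cat != w32[j])
            return 0;
    }
    return 1;
}

int demo_schedules_agree(void) {
    uint32_t m[16];
    for (int j = 0; j < 16; j++)   /* constructed sample block, not from the page */
        m[j] = 0xE1626364u ^ (0x9E3779B9u * (uint32_t)j);
    return schedules_agree(m);
}

int main(void) {
    printf("per-byte rotate : 0x%08X\n", (unsigned)rotl1_per_byte(0xE1626364u));
    printf("byte-serial     : 0x%08X\n", (unsigned)rotl1_serial(0xE1626364u, 0));
    printf("schedules agree : %d\n", demo_schedules_agree());
    return 0;
}
```

Calling `rotl1_serial` with a stale register bit gives the same result, because the least significant bit of the first rotate result is always overwritten in the fourth cycle.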
At clock cycle t = 319, all of the first 512-bit data block has been fed into the message schedule element 5, and has been used to calculate the message schedule values. The message schedule element 5 has output 0,0,0,0 followed by message schedule values W0 to W315. Message schedule values W316 to W319 are still contained in shift registers W63 to W60. The clock then resets, and the entire process is started again. A second 512-bit data block is fed into the shift registers of the message schedule element 5, and used to calculate a second series of message schedule values. As the second data block is being fed into the shift registers, the message schedule values, W316 to W319, for the first data block are output from the message schedule element 5. The message schedule values calculated for each 512-bit data block are passed to the hash value computation element 7, and used to compute a final hash value as follows.
The hash value computation element 7 receives 320 message schedule values for each 512-bit data block, and uses the message schedule values in the computation of a hash value for each data block. As each data block hash value is computed, it is used in the computation of the next data block hash value. The hash value for the last data block depends upon the hash values for each of the preceding data blocks, and forms the final hash value.
For each set of message schedule values, Wt, and hence each 512-bit data block, the hash value comprises a concatenation of five 32-bit hash variables, a, b, c, d and e. The initial values of the hash variables used in the hash value computation for the first data block comprise the key defined by the SHA-1. The hash value computation module computes the hash variables using modifications of hash variable definitions specified by the SHA-1. The modifications change the hash variable definitions from definitions formulated to use 32-bit message schedule values and 32-bit key segments to definitions formulated to use 8-bit message schedule values and 8-bit key segments.
The modified hash variable definitions comprise
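$$
\begin{aligned}
T &= \text{ROTLEFT-5}(a) + F_t(b, c, d) + e + K_t + W_t \\
e &= d \\
d &= c \\
c &= \text{ROTLEFT-30}(b) \\
b &= a \\
a &= T
\end{aligned}
$$

$$
F_t(b, c, d) =
\begin{cases}
(b \text{ AND } c) \text{ OR } (\overline{b} \text{ AND } d) & 0 \le t \le 79 \\
b \oplus c \oplus d & 80 \le t \le 159 \\
(b \text{ AND } c) \text{ OR } (b \text{ AND } d) \text{ OR } (c \text{ AND } d) & 160 \le t \le 239 \\
b \oplus c \oplus d & 240 \le t \le 319
\end{cases}
$$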
Referring to Figure 4, the hash value computation element 7 comprises an input multiplexer 710, twenty 8-bit shift registers 720, a rotate hash variable b module 730 and a T computation module 740. The T computation module 740 comprises a rotate hash variable a module 750, an F computation module 760, an add device 770 and a carry register 780. The input multiplexer 710 is configured to receive data on a first data input. The initial values of each of the 32-bit hash variables a to e, set by the SHA-1, are input into the first data input of the input multiplexer 710, and from there into the shift registers 720, in four 8-bit segments for each hash variable. The hash variable segments are loaded into the shift registers 720 starting with hash variable segment e3, such that after 20 clock cycles, the shift registers 720 reading from left to right of Figure 4 contain the hash variable segments a0, a1, a2, a3, b0, b1, b2, b3, c0, c1, c2, c3, d0, d1, d2, d3, e0, e1, e2, e3. During these clock cycles, a direct connection is provided between shift register number 8 and shift register number 9, from the left, i.e. between the shift register which, at the end of the 20 clock cycles, contains b3 and the shift register which contains c0.
The hash value computation element 7 then operates over 320 clock cycles, t = 0 to 319, to receive 320 message schedule values W0 to W319 calculated using the first 512-bit data block, and to compute values for the hash variable segments a0 to e3 for the first data block. The input multiplexer 710 receives a control signal which causes it to accept data received on its second data input and to output this data to the shift registers 720. In the first clock cycle, t = 0, with the exception of shift register e3, the contents of each of the shift registers 720 are output to the shift register immediately to the right. The contents of shift register e3 is output to the add device 770 of the T computation module 740. The add device 770 also receives the first message schedule value W0, and a first value K0 of a constant Kt specified by the SHA-1. The add device 770 further receives F0, which has been calculated according to the equation given above, using the outputs of shift registers b3, c3 and d3, which are the initial values of b3, c3 and d3 respectively, set by the SHA-1. F0 is calculated using 8-bit hash variable segments of 32-bit hash variables. As the calculation of F0 involves only XOR, AND, OR and NOT functions, using 8-bit hash variable segments will achieve an equivalent result to that which would be achieved using 32-bit hash variables. The add device 770 further receives an output from the rotate 'a' module 750. The add device 770 then has all of the parameters necessary to compute T0 using the equation for T given above. T0 is computed by adding the 8-bit parameters which it receives, using modulo 2^32 arithmetic. When performing this addition using 8-bit parameters, it is desired to obtain the same result as would be obtained if the addition were performed using 32-bit parameters. To achieve this, a carry value from the carry register 780 is used as appropriate.
The computed T0 is then output from the T computation module 740 to the second data input of the input multiplexer 710, and is input into the shift register a0.
The computation of T involves a rotate to the left by 5 places function operated on 8-bit hash variable segments a0 to a3. As explained above, it is desired to obtain the same result for the rotate function using 8-bit hash variable segments as would be obtained if a 32-bit hash variable were to be rotated. To achieve this, the rotate 'a' module 750 is used. This comprises a multiplexer 751 which has a first data input connected to the output of shift register a0, a second data input connected to the output of the shift register b0, and an output connected to a first input of a data combiner 752. A second input of the data combiner 752 is connected to the shift register a3, and an output of the data combiner is connected to the add device 770. The rotate 'a' module 750 operates over four clock cycles to perform the rotate function on the 8-bit hash variable segments a0 to a3, and to obtain the same result as rotating an equivalent 32-bit hash variable, as illustrated in Figure 5. The first row of Figure 5 shows the initial values of the hash variable segments a0 to a3, i.e.
0110 0001 0110 0010 0110 0011 0110 0100
If this is treated as a single 32-bit hash variable and rotated 5 places to the left, the result will be
00101100 01001100 01101100 10001100
The same result is achieved over four clock cycles using the rotate 'a' module 750, as follows. In the first clock cycle, the contents of shift register a0 (i.e. a0 = 0110 0001) are placed in shift register a1, the five MSBs of a0 (0110 0) are output to the first input of the multiplexer 751, the contents of shift register a1 (i.e. a1 = 0110 0010) are placed in shift register a2, the contents of shift register a2 (i.e. a2 = 0110 0011) are placed in shift register a3, the contents of shift register a3 (i.e. a3 = 0110 0100) are placed in shift register b0, the three LSBs of a3 (100) are output to the first input of the data combiner 752, and the five MSBs of the contents of b0 are output to the second data input of the multiplexer 751. In this clock cycle, this multiplexer is configured to accept data received on its first data input, and to output this to the second data input of the data combiner 752. Thus the data combiner 752 receives the three LSBs of a3 (100) and the five MSBs of a0 (0110 0), and concatenates them to get the first byte of the rotate result (1000 1100), which is output to the add device 770.
In the second clock cycle, the contents of shift register a0 (T0) is placed in shift register a1, the five MSBs of T0 are output to the first input of the multiplexer 751, the contents of shift register a1 (i.e. a0 = 0110 0001) are placed in shift register a2, the contents of shift register a2 (i.e. a1 = 0110 0010) are placed in shift register a3, the contents of shift register a3 (i.e. a2 = 0110 0011) are placed in shift register b0, the three LSBs of a2 (011) are output to the first input of the data combiner 752, and the five MSBs of the contents of b0 (i.e. the five MSBs of a3, 0110 0) are output to the second data input of the multiplexer 751. In this clock cycle, this multiplexer is configured to accept data received on its second data input, and to output this to the second data input of the data combiner 752. Thus the data combiner 752 receives the three LSBs of a2 (011) and the five MSBs of a3 (0110 0), and concatenates them to get the second byte of the rotate result (0110 1100), which is output to the add device 770.
In the third and fourth clock cycles, the same procedure as in the second clock cycle is followed, as can be seen from Figure 5, to get the third and fourth bytes of the rotate result, which are also output to the add device 770. Thus the rotate function is carried out on the four 8-bit hash variable segments a0 to a3.
The computation of hash variable segments c0 to c3 according to the SHA-1 involves a rotate to the left by 30 places function operating on the hash variable segments b0 to b3. Again, it is desired to obtain the same result for the rotate function using the 8-bit hash variable segments as would be obtained if a 32-bit hash variable were to be rotated. This is achieved using the rotate 'b' module 730. This comprises a multiplexer 731, a first register 732, a second register 733, a third register 734, a data splitter 735 and a data combiner 736. A first data input of the multiplexer 731 is connected to the output of the shift register b2, a second data input of the multiplexer 731 is connected to the output of the third register 734, and an output of the multiplexer is connected to a first data input of the data combiner 736. A data input of the data splitter 735 is connected to the output of the shift register b3. A first output of the data splitter 735 is connected to an input of the first register 732, and a second data output of the data splitter 735 is connected to a second input of the data combiner 736. An output of the first register 732 is connected to an input of the second register 733, and an output of the second register 733 is connected to an input of the third register 734. The contents of the first, second and third registers 732, 733, 734 are initialised to zero. The rotate 'b' module 730 operates over four clock cycles to perform the rotate function on the 8-bit hash variable segments b0 to b3, and to obtain the same result as rotating an equivalent 32-bit hash variable, as illustrated in Figure 6. The first row of Figure 6 shows the initial values of the hash variable segments b0 to b3, i.e.
0110 0001 0110 0010 0110 0011 0110 0100
For a 32-bit data element, a rotate to the left by 30 places function is equivalent to a rotate to the right by 2 places. If the four 8-bit hash variable segments are treated as a single 32-bit hash variable and rotated 2 places to the right, the result will be
0001 1000 0101 1000 1001 1000 1101 1001
The same result is achieved over four clock cycles using the rotate 'b' module 730, as follows. In the first clock cycle, the contents of shift register b0 (i.e. b0 = 0110 0001) are placed in shift register b1, the contents of shift register b1 (i.e. b1 = 0110 0010) are placed in shift register b2, the contents of shift register b2 (i.e. b2 = 0110 0011) are placed in shift register b3, the two LSBs of b2 (11) are output to the first data input of the multiplexer 731, the contents of shift register b3 (i.e. b3 = 0110 0100) are output to the input of the data splitter 735, the two LSBs of b3 (00) are output to the first register 732, the six MSBs of b3 (0110 01) are output to the second data input of the data combiner 736, the contents (0) of the first register 732 are output to the second register 733, the contents (0) of the second register 733 are output to the third register 734, and the contents (0) of the third register 734 are output to the second data input of the multiplexer 731. In this clock cycle, this multiplexer is configured to accept data received on its first data input, and to output this to the first data input of the data combiner 736. Thus the data combiner 736 receives the two LSBs of b2 (11) and the six MSBs of b3 (0110 01), and concatenates them to get the first byte of the rotate result (1101 1001), which is output to the shift register c0.
In the second clock cycle, the contents of shift register b0 are placed in shift register b1, the contents of shift register b1 (i.e. b0 = 0110 0001) are placed in shift register b2, the contents of shift register b2 (i.e. b1 = 0110 0010) are placed in shift register b3, the two LSBs of b1 (10) are output to the first data input of the multiplexer 731, the contents of shift register b3 (i.e. b2 = 0110 0011) are output to the input of the data splitter 735, the two LSBs of b2 (11) are output to the first register 732, the six MSBs of b2 (0110 00) are output to the second data input of the data combiner 736, the contents (the two LSBs of b3 (00) stored there in the first clock cycle) of the first register 732 are output to the second register 733, the contents (0) of the second register 733 are output to the third register 734, and the contents (0) of the third register 734 are output to the second data input of the multiplexer 731. In this clock cycle, this multiplexer is also configured to accept data received on its first data input, and to output this to the first data input of the data combiner 736. Thus the data combiner 736 receives the two LSBs of b1 (10) and the six MSBs of b2 (0110 00), and concatenates them to get the second byte of the rotate result (1001 1000), which is output to the shift register c0. The same process is carried out in the third clock cycle, to get the third byte of the rotate result (0101 1000), which is output to the shift register c0.
In the fourth clock cycle, the contents of shift register b0 are placed in shift register b1, the contents of shift register b1 are placed in shift register b2, the contents of shift register b2 are placed in shift register b3, the two LSBs of the contents of shift register b2 are output to the first data input of the multiplexer 731, the contents of shift register b3 (i.e. b0 = 0110 0001) are output to the input of the data splitter 735, the two LSBs of b0 (01) are output to the first register 732, the six MSBs of b0 (0110 00) are output to the second data input of the data combiner 736, the contents (the two LSBs of b1 stored there in the third clock cycle) of the first register 732 are output to the second register 733, the contents (the two LSBs of b2 stored there in the second clock cycle) of the second register 733 are output to the third register 734, and the contents (the two LSBs of b3 (00) stored there in the first clock cycle) of the third register 734 are output to the second data input of the multiplexer 731. In this clock cycle, this multiplexer is configured to accept data received on its second data input, and to output this to the first data input of the data combiner 736. Thus the data combiner 736 receives the two LSBs of b3 (00) and the six MSBs of b0 (0110 00), and concatenates them to get the fourth byte of the rotate result (0001 1000), which is output to the shift register c0. Thus the rotate function is carried out on the four 8-bit hash variable segments b0 to b3 to give the 8-bit hash variable segments c0 to c3.
The above process of moving the contents of the shift registers 720 one place to the right and computing T and c, is carried out for the clock cycles t = 0 to 319, and results in final hash variable segments a0 to e3 for the first 512-bit data block, which have been correctly computed using the message schedule values W0 to W319 of the first 512-bit data block. The final hash variable segments a0 to e3 for the first 512-bit data block are then input into the input multiplexer 710 of the hash value computation element 7 in 20 clock cycles as before, and are used in the computation of the final hash variable segments a0 to e3 for the second 512-bit data block. This is repeated until final hash variable segments a0 to e3 have been computed for the last 512-bit data block. These final hash variable segments a0 to e3 for the last 512-bit data block are output from the hash value computation element 7, and are then concatenated to form a 160-bit hash value for the message. The hash value is output to the output module 9.
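The hash value computation described above, modelled in C as an added example that is not code from the patent: the rotates by 5 and 30 places, F and the addition modulo 2^32 with a carry register are all carried out on 8-bit segments, and the result is checked against the page's Figure 5 and Figure 6 values and the published SHA-1 digest of "abc". Function names are assumptions; segments are indexed least significant first, the message schedule is computed in 32-bit form for brevity, and the standard SHA-1 addition of the working variables to the previous hash value is included although the passage does not describe it.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* A 32-bit hash variable is held as four 8-bit segments, least significant
 * first. The page numbers segments the other way round: its a3 is s[0] here
 * and its a0 is s[3]. */
static void split(uint32_t x, uint8_t s[4]) {
    for (int k = 0; k < 4; k++) s[k] = (uint8_t)(x >> (8 * k));
}
static uint32_t join(const uint8_t s[4]) {
    return s[0] | (uint32_t)s[1] << 8 | (uint32_t)s[2] << 16 | (uint32_t)s[3] << 24;
}

/* Segment k of a 32-bit rotate left by 5: the three LSBs of segment k above
 * the five MSBs of the next less significant segment (wrapping at the ends). */
void rotl5_bytes(const uint8_t a[4], uint8_t out[4]) {
    for (int k = 0; k < 4; k++)
        out[k] = (uint8_t)((a[k] << 5) | (a[(k + 3) & 3] >> 3));
}

/* Rotate left by 30 is rotate right by 2: the two LSBs of the next more
 * significant segment above the six MSBs of segment k. */
void rotl30_bytes(const uint8_t b[4], uint8_t out[4]) {
    for (int k = 0; k < 4; k++)
        out[k] = (uint8_t)((b[(k + 1) & 3] << 6) | (b[k] >> 2));
}

/* F needs only AND, OR, NOT and XOR, so it works on segments unchanged. */
static uint8_t f_byte(int round, uint8_t b, uint8_t c, uint8_t d) {
    if (round < 20) return (uint8_t)((b & c) | (~b & d));
    if (round >= 40 && round < 60) return (uint8_t)((b & c) | (b & d) | (c & d));
    return (uint8_t)(b ^ c ^ d);
}

static const uint32_t K[4] = {0x5A827999u, 0x6ED9EBA1u, 0x8F1BBCDCu, 0xCA62C1D6u};

/* SHA-1 compression of one block with every round computed on 8-bit segments. */
void sha1_compress_bytes(uint32_t h[5], const uint8_t block[64]) {
    uint32_t w[80];
    uint8_t v[5][4];                         /* a, b, c, d, e */
    for (int j = 0; j < 16; j++)             /* 32-bit schedule, kept short here */
        w[j] = (uint32_t)block[4 * j] << 24 | (uint32_t)block[4 * j + 1] << 16 |
               (uint32_t)block[4 * j + 2] << 8 | block[4 * j + 3];
    for (int j = 16; j < 80; j++) {
        uint32_t x = w[j - 3] ^ w[j - 8] ^ w[j - 14] ^ w[j - 16];
        w[j] = (x << 1) | (x >> 31);
    }
    for (int i = 0; i < 5; i++) split(h[i], v[i]);

    for (int r = 0; r < 80; r++) {
        uint8_t ra[4], rb[4], T[4], ks[4], ws[4];
        unsigned carry = 0;                  /* carry register, cleared per round */
        rotl5_bytes(v[0], ra);
        rotl30_bytes(v[1], rb);
        split(K[r / 20], ks);
        split(w[r], ws);
        for (int k = 0; k < 4; k++) {        /* one segment per cycle, LSB first */
            unsigned sum = ra[k] + f_byte(r, v[1][k], v[2][k], v[3][k])
                         + v[4][k] + ks[k] + ws[k] + carry;
            T[k] = (uint8_t)sum;
            carry = sum >> 8;                /* five addends: carry can reach 4 */
        }                                    /* carry out of segment 3 is dropped */
        memcpy(v[4], v[3], 4);               /* e = d */
        memcpy(v[3], v[2], 4);               /* d = c */
        memcpy(v[2], rb, 4);                 /* c = ROTLEFT-30(b) */
        memcpy(v[1], v[0], 4);               /* b = a */
        memcpy(v[0], T, 4);                  /* a = T */
    }
    /* Standard SHA-1 feed-forward; the passage does not describe this step. */
    for (int i = 0; i < 5; i++) h[i] += join(v[i]);
}

uint32_t rotl5_word(uint32_t x)  { uint8_t s[4], o[4]; split(x, s); rotl5_bytes(s, o);  return join(o); }
uint32_t rotl30_word(uint32_t x) { uint8_t s[4], o[4]; split(x, s); rotl30_bytes(s, o); return join(o); }

/* Word i of SHA-1("abc"), using the standard initial values and padding. */
uint32_t sha1_abc_word(int i) {
    uint32_t h[5] = {0x67452301u, 0xEFCDAB89u, 0x98BADCFEu, 0x10325476u, 0xC3D2E1F0u};
    uint8_t block[64] = {'a', 'b', 'c', 0x80};
    block[63] = 24;                          /* message length in bits */
    sha1_compress_bytes(h, block);
    return h[i];
}

int main(void) {
    printf("ROTL5  0x61626364 -> 0x%08X\n", (unsigned)rotl5_word(0x61626364u));
    printf("ROTL30 0x61626364 -> 0x%08X\n", (unsigned)rotl30_word(0x61626364u));
    for (int i = 0; i < 5; i++) printf("%08x", (unsigned)sha1_abc_word(i));
    printf("\n");
    return 0;
}
```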
The 8-bit hash value computation device architecture has been implemented using the Faraday UMC 180 nm (L180 GII) and UMC 130 nm (L130 LL) CMOS libraries. It has been tested using Modelsim, synthesised using Synopsys Physical Compiler Version 2006.06 and its power consumption obtained from Synopsys PrimeTime PX Version 2007.06. The performance results of the 8-bit hash value computation device of the invention are an area of 5527 gates, power consumption of 2,32 μW at 100 kHz, and timing of 344 cycles. The shift registers used to store the message schedule values in the hash value computation device of the invention account for 2560 gates and 46% of the overall architecture, when implemented on 130 nm technology. It is important that the power consumption of the architecture of the hash value computation device of the invention meets the limitations imposed by RFID tags when it is used in this application. The current consumption of a security architecture for implementation on RFID tags should not exceed 15 μA. For 1.3 V and 1.8 V CMOS technologies, this is equivalent to 18 μW and 27 μW respectively. The proposed 8-bit hash value computation device meets these power constraints comfortably. In RFID tags the silicon area requirement significantly impacts the cost and the cost per mm² of silicon is estimated at 4 cent. Therefore, it is vital that the silicon area overhead resulting from the inclusion of security on low-cost tags is kept to a minimum. The hash value computation device architecture of the invention is within close reach of current RFID tag deployment. This is achieved by using an 8-bit architecture, which reduces the previous 32-bit XOR, AND, NOT and OR functions to equivalent 8-bit functions with no logic overhead, and the previous 32-bit addition modulo 2^32 and previous rotate functions to equivalent 8-bit functions with minimal control logic overhead. Using this design methodology, the overall saving is approximately 1200 gates. In relation to timing, an RFID tag must respond to a reader's request within 32 μs in accordance with the ISO/IEC 18000 standard. An interleaved challenge-response protocol could be used, in which the response time is 18 ms. This corresponds to 1800 clock cycles when operating with a clock frequency of 100 kHz. The hash value computation device of the invention also satisfies this requirement.

Claims

1. A hash value computation device for computing a hash value for a message using a hash algorithm that defines a key, the device comprising a message schedule element having an input module which receives the message in 8-bit segments, a plurality of 8-bit memory modules which store the 8-bit segments of the message, an 8-bit message schedule value module which uses the 8-bit message segments and the hash algorithm to provide an 8-bit message schedule value for each 8-bit message segment, and an output module which outputs the 8-bit message schedule values, and a hash value computation element comprising a first input module which receives the 8-bit message schedule values, a second input module which receives 8-bit segments of the key defined by the hash algorithm, a plurality of 8-bit memory modules which store the 8-bit segments of the key, a hash value computation module which uses the 8-bit message schedule values and the 8-bit key segments to compute a hash value for the message, and an output module which outputs the hash value.
2. A hash value computation device according to claim 1, in which the hash value computation device comprises a message formatting module, which formats the message into a format appropriate for the hash algorithm used to compute the hash value.
3. A hash value computation device according to claim 1 or claim 2, in which the message schedule element operates over the n clock cycles to calculate n message schedule values, and the hash value computation module operates over the n clock cycles to use the n message schedule values to compute the hash value for the message.
4. A hash value computation device according to claim 3, in which the input module of the message schedule element comprises a multiplexer, and in each clock cycle of a first subset of the n clock cycles, the multiplexer is configured to receive an 8-bit message segment and pass the 8-bit message segment to a first memory module of the plurality of 8-bit memory modules.
5. A hash value computation device according to any preceding claim, in which the plurality of 8-bit memory modules of the message schedule element are arranged in a linear array.
6. A hash value computation device according to claim 5, in which in a first clock cycle of the first subset of the n clock cycles, the first 8-bit memory module in the array receives a first 8-bit message segment, in a second clock cycle of the first subset of the n clock cycles, the first 8-bit memory module in the array receives a second 8-bit message segment, and the second 8-bit memory module in the array receives the first 8-bit message segment, etc. for each of the clock cycles in the subset of clock cycles.
7. A hash value computation device according to any preceding claim, in which each of the plurality of 8-bit memory modules comprises an 8-bit shift register.
8. A hash value computation device according to any preceding claim, in which the 8-bit message schedule value module provides 8-bit message schedule values determined using modifications of a message schedule value definition specified by the hash algorithm.
9. A hash value computation device according to claim 8, in which the modifications change the message schedule value definition from a definition formulated to use 32-bit data segments to a definition formulated to use 8-bit data segments.
10. A hash value computation device according to claim 8 or claim 9, in which the modified message schedule value definition comprises
$$
W_t = \begin{cases}
\text{Message}_t & 0 \le t \le 63 \\
\text{32bitROTLEFT}^{1}\left(W_{t-12} \oplus W_{t-32} \oplus W_{t-56} \oplus W_{t-64}\right) & 64 \le t \le 319
\end{cases}
$$
11. A hash value computation device according to claim 10, in which the 8-bit message schedule value module uses a first part of the modified message schedule value definition to provide a first set of 8-bit message schedule values which each comprise an 8-bit message segment of the message.
12. A hash value computation device according to claim 10 or claim 11, in which the 8-bit message schedule value module uses a second part of the modified message schedule value definition to provide a second set of 8-bit message schedule values calculated using one or more functions carried out on one or more previously-determined message schedule values.
13. A hash value computation device according to claim 12, in which the functions comprise one or more logical functions, comprising any of one or more XOR functions, one or more rotate functions.
14. A hash value computation device according to claim 13, in which the 8-bit message schedule value module comprises an 8-bit XOR module which carries out one or more XOR functions of the second part of the modified message schedule value definition.
15. A hash value computation device according to claim 14, in which the 8-bit XOR module receives one or more previously-determined 8-bit message schedule values and carries out the one or more XOR functions on these, to provide one or more 8-bit XOR values.
16. A hash value computation device according to claim 13, in which the 8-bit message schedule value module comprises a rotate module which carries out one or more rotate functions of the second part of the modified message schedule value definition.
17. A hash value computation device according to claim 16, in which the one or more rotate functions comprises a rotate to the left by one place rotate function.
18. A hash value computation device according to claim 16 or claim 17, in which the rotate module receives a plurality of 8-bit XOR values and carries out the one or more rotate functions on these, to provide a plurality of 8-bit message schedule values.
19. A hash value computation device according to any of claims 16 to 18, in which the rotate module comprises a data splitter, a first multiplexer, a register, a data combiner and a second multiplexer.
20. A hash value computation device according to any of claims 16 to 19, in which the 8-bit message schedule value module comprises a control module which is used to control the operation of the rotate module.
21. A hash value computation device according to any preceding claim, in which the hash value computation module computes a hash value for the message comprising a concatenation of a plurality of hash variables.
22. A hash value computation device according to claim 21, in which the hash value computation module computes the hash variables using modifications of hash variable definitions specified by the hash algorithm.
23. A hash value computation device according to claim 22, in which the modifications change the hash variable definitions from definitions formulated to use 32-bit message schedule values and 32-bit key segments to definitions formulated to use 8-bit message schedule values and 8-bit key segments.
24. A hash value computation device according to claim 22 or claim 23, in which the modified hash variable definitions comprise
$$
\begin{aligned}
T &= \text{ROTLEFT-5}(a) + F_t(b, c, d) + e + K_t + W_t \\
e &= d \\
d &= c \\
c &= \text{ROTLEFT-30}(b) \\
b &= a \\
a &= T
\end{aligned}
$$
Figure imgf000043_0001
where a, b, c, d and e are hash variables.
25. A hash value computation device according to any of claims 21 to 24, in which the hash value computation module computes the hash value using 8-bit key segments of initial values of the hash variables defined by the hash algorithm.
26. A hash value computation device according to claim 24, in which the hash value computation module comprises a rotate hash variable b module and a T computation module.
27. A hash value computation device according to claim 26, in which the T computation module comprises a rotate hash variable a module, an F computation module, an add device and a carry register.
28. A hash value computation device according to any preceding claim, in which the hash algorithm is a Secure Hash Algorithm.
29. A method of computing a hash value for a message using a hash algorithm that defines a key, comprising using a message schedule element of the hash value computation device of any of claims 1 to 28 to determine a plurality of 8-bit message schedule values, and using a hash value computation element of the hash value computation device of any of claims 1 to 28 to compute the hash value for the message using the message schedule values.
30. A data security device comprising a hash value computation device according to any of claims 1 to 28.
31. A data security device according to claim 30 which comprises an RFID tag.
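
The byte-wise message schedule of claim 10 and the round update of claim 24 can be checked in software against a reference hash. The following Python is an added example, not code from the patent or its applicant. Assumptions: the algorithm is SHA-1 with the constants of FIPS 180, the first tap is read as W[t-12] (the byte form of SHA-1's W[t-3]), only the schedule is modelled in 8-bit steps while the round update stays on 32-bit words, and all function names are illustrative.

```python
import hashlib
import struct

def byte_schedule(block: bytes) -> bytes:
    """Expand one 64-byte block into 320 schedule bytes, 8 bits at a time."""
    assert len(block) == 64
    w = bytearray(block)                   # W_t = Message_t for 0 <= t <= 63
    for base in range(64, 320, 4):         # four byte steps per 32-bit word
        # 8-bit XOR stage over previously determined schedule bytes
        x = [w[t - 12] ^ w[t - 32] ^ w[t - 56] ^ w[t - 64]
             for t in range(base, base + 4)]
        # 32-bit rotate-left-by-1 done bytewise: each byte takes the top bit
        # of the next less significant byte; the last byte takes the word's MSB
        for i in range(4):
            w.append(((x[i] << 1) & 0xFF) | (x[(i + 1) % 4] >> 7))
    return bytes(w)

def rotl(v: int, n: int) -> int:
    return ((v << n) | (v >> (32 - n))) & 0xFFFFFFFF

def sha1_byte_schedule(msg: bytes) -> str:
    """SHA-1 whose message schedule comes from byte_schedule()."""
    h = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476, 0xC3D2E1F0]
    padded = (msg + b"\x80" + b"\x00" * ((55 - len(msg)) % 64)
              + struct.pack(">Q", 8 * len(msg)))
    for off in range(0, len(padded), 64):
        words = struct.unpack(">80I", byte_schedule(padded[off:off + 64]))
        a, b, c, d, e = h
        for t, wt in enumerate(words):
            if t < 20:
                f, k = (b & c) | (~b & d), 0x5A827999
            elif t < 40:
                f, k = b ^ c ^ d, 0x6ED9EBA1
            elif t < 60:
                f, k = (b & c) | (b & d) | (c & d), 0x8F1BBCDC
            else:
                f, k = b ^ c ^ d, 0xCA62C1D6
            T = (rotl(a, 5) + f + e + k + wt) & 0xFFFFFFFF
            e, d, c, b, a = d, c, rotl(b, 30), a, T   # update order of claim 24
        h = [(s + v) & 0xFFFFFFFF for s, v in zip(h, (a, b, c, d, e))]
    return "".join(f"{v:08x}" for v in h)

def matches_hashlib(msg: bytes) -> bool:
    """True when the byte-serial schedule reproduces the library SHA-1."""
    return sha1_byte_schedule(msg) == hashlib.sha1(msg).hexdigest()
```

Agreement with the library digest on multi-block inputs confirms that the byte offsets 12, 32, 56 and 64 together with the bytewise carry reproduce the 32-bit schedule exactly.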
PCT/GB2009/050814 2008-07-09 2009-07-09 Data security devices and methods WO2010004335A2 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
GB0812593.2 2008-07-09
GB0812593A GB0812593D0 (en) 2008-07-09 2008-07-09 Data security devices and methods

Publications (2)

Publication Number Publication Date
WO2010004335A2 WO2010004335A2 (en) 2010-01-14
WO2010004335A3 WO2010004335A3 (en) 2010-03-04

Family

ID=39722025

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/GB2009/050814 WO2010004335A2 (en) 2008-07-09 2009-07-09 Data security devices and methods

Country Status (2)

Country Link
GB (1) GB0812593D0 (en)
WO (1) WO2010004335A2 (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101872338A (en) * 2010-06-04 2010-10-27 杭州电子科技大学 Modified SHA-1 hash algorithm
US9760709B2 (en) 2012-11-15 2017-09-12 The Queen's University Of Belfast Authentication method using physical unclonable functions

Citations (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20070110230A1 (en) * 2000-04-13 2007-05-17 Broadcom Corporation Authentication engine architecture and method

Non-Patent Citations (3)

* Cited by examiner, † Cited by third party
Title
MARTIN FELDHOFER ET AL: "A Case Against Currently Used Hash Functions in RFID Protocols" 1 January 2006 (2006-01-01), ON THE MOVE TO MEANINGFUL INTERNET SYSTEMS 2006: OTM 2006 WORKSHOPS LECTURE NOTES IN COMPUTER SCIENCE;;LNCS, SPRINGER, BERLIN, DE, PAGE(S) 372 - 381 , XP019050445 ISBN: 9783540482697 the whole document *
MOOSEOP KIM ET AL: "Power Efficient Hardware Architecture of SHA-1 Algorithm for Trusted Mobile Computing" 12 December 2007 (2007-12-12), INFORMATION AND COMMUNICATIONS SECURITY; [LECTURE NOTES IN COMPUTER SCIENCE], SPRINGER BERLIN HEIDELBERG, BERLIN, HEIDELBERG, PAGE(S) 375 - 385 , XP019084536 ISBN: 9783540770473 the whole document *
YONGJE CHOI ET AL: "Low power implementation of SHA-1 algorithm for RFID system" CONSUMER ELECTRONICS, 2006. ISCE '06. 2006 IEEE TENTH INTERNATIONAL SYMPOSIUM ON ST. PETERSBURG, RUSSIA 28-01 JUNE 2006, PISCATAWAY, NJ, USA,IEEE, 28 June 2006 (2006-06-28), pages 1-5, XP010936862 ISBN: 978-1-4244-0216-8 *

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101872338A (en) * 2010-06-04 2010-10-27 杭州电子科技大学 Modified SHA-1 hash algorithm
CN101872338B (en) * 2010-06-04 2012-08-29 杭州电子科技大学 Method for obtaining safe information abstract in authentication header
US9760709B2 (en) 2012-11-15 2017-09-12 The Queen's University Of Belfast Authentication method using physical unclonable functions

Also Published As

Publication number Publication date
WO2010004335A3 (en) 2010-03-04
GB0812593D0 (en) 2008-08-20

Similar Documents

Publication Publication Date Title
US7295671B2 (en) Advanced encryption standard (AES) hardware cryptographic engine
EP1440535B1 (en) Memory encrytion system and method
US7697681B2 (en) Parallelizable integrity-aware encryption technique
CA2449662C (en) Block encryption device using auxiliary conversion
US6691921B2 (en) Information processing device
EP3075097B1 (en) Construction and uses of variable-input-length tweakable ciphers
US8787563B2 (en) Data converter, data conversion method and program
US8301905B2 (en) System and method for encrypting data
US7657757B2 (en) Semiconductor device and method utilizing variable mode control with block ciphers
US20030091185A1 (en) Key stream cipher device
WO2009031883A1 (en) Encryption processor
Gueron Advanced encryption standard (AES) instructions set
MX2011001228A (en) Method for generating a cipher-based message authentication code.
US11695542B2 (en) Technology for generating a keystream while combatting side-channel attacks
WO2003077119A1 (en) Hardware implementation of the secure hash standard
US20020101985A1 (en) Single-cycle hardware implementation of crypto-function for high throughput crypto-processing
US6990199B2 (en) Apparatus and method for cipher processing system using multiple port memory and parallel read/write operations
KR20050087271A (en) Key schedule apparatus for generating an encryption round key and a decryption round key selectively corresponding to initial round key having variable key length
WO2010004335A2 (en) Data security devices and methods
US20120163587A1 (en) Intergrated cryptographic module providing confidentiality and integrity
Chiţu et al. An FPGA implementation of the AES-Rijndael in OCB/ECB modes of operation
US7873161B2 (en) Small hardware implementation of the subbyte function of rijndael
US7103180B1 (en) Method of implementing the data encryption standard with reduced computation
EP1629626B1 (en) Method and apparatus for a low memory hardware implementation of the key expansion function
WO2009034393A1 (en) Aes-encryption apparatus and method

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 09785293

Country of ref document: EP

Kind code of ref document: A2

NENP Non-entry into the national phase in:

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 09785293

Country of ref document: EP

Kind code of ref document: A2