CN112532377B - Hardware implementation device and method for Espresso stream cipher and its variant - Google Patents


Info

Publication number: CN112532377B
Authority: CN (China)
Prior art keywords: espresso, bit, shift register, state, stream cipher
Legal status: Active
Application number: CN202011420424.5A
Other languages: Chinese (zh)
Other versions: CN112532377A (en)
Inventors: 杨刚强, 石正源, 魏斌
Current Assignee: Shandong University
Original Assignee: Shandong University
Events: application filed by Shandong University; priority to CN202011420424.5A; publication of CN112532377A; application granted; publication of CN112532377B; legal status Active; anticipated expiration.

Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 9/00: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L 9/06: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols; the encryption apparatus using shift registers or memories for block-wise or stream coding, e.g. DES systems or RC4; Hash functions; Pseudorandom sequence generators
    • H04L 9/065: Encryption by serially and continuously modifying data stream elements, e.g. stream cipher systems, RC4, SEAL or A5/3
    • H04L 9/0656: Pseudorandom key sequence combined element-for-element with data sequence, e.g. one-time-pad [OTP] or Vernam's cipher
    • H04L 9/0662: Pseudorandom key sequence combined element-for-element with data sequence, e.g. one-time-pad [OTP] or Vernam's cipher, with particular pseudorandom sequence generator
    • H04L 9/0668: Pseudorandom key sequence combined element-for-element with data sequence, e.g. one-time-pad [OTP] or Vernam's cipher, with particular pseudorandom sequence generator producing a non-linear pseudorandom sequence
    • G: PHYSICS
    • G06: COMPUTING; CALCULATING OR COUNTING
    • G06C: DIGITAL COMPUTERS IN WHICH ALL THE COMPUTATION IS EFFECTED MECHANICALLY
    • G06C 3/00: Arrangements for table look-up, e.g. menstruation table
    • G: PHYSICS
    • G06: COMPUTING; CALCULATING OR COUNTING
    • G06F: ELECTRIC DIGITAL DATA PROCESSING
    • G06F 9/00: Arrangements for program control, e.g. control units
    • G06F 9/06: Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
    • G06F 9/30: Arrangements for executing machine instructions, e.g. instruction decode
    • G06F 9/30098: Register arrangements
    • G06F 9/3012: Organisation of register space, e.g. banked or distributed register file
    • G06F 9/30134: Register stacks; shift registers
    • G: PHYSICS
    • G06: COMPUTING; CALCULATING OR COUNTING
    • G06M: COUNTING MECHANISMS; COUNTING OF OBJECTS NOT OTHERWISE PROVIDED FOR
    • G06M 1/00: Design features of general application
    • G06M 1/27: Design features of general application for representing the result of count in the form of electric signals, e.g. by sensing markings on the counter drum
    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 9/00: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L 9/08: Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L 9/0894: Escrow, recovery or storing of secret information, e.g. secret key escrow or cryptographic key storage

Abstract

The invention relates to a hardware implementation device and method for the Espresso stream cipher and its variants. It provides an FPGA implementation scheme, an area optimization method and a throughput optimization method for the Espresso stream cipher, its Fibonacci variant Espresso-F and its linear feedback shift register variant Espresso-L, and reports the performance parameters of the different designs as a reference for different application scenarios, so that the Espresso stream cipher occupies a smaller area in hardware and achieves a higher data throughput.

Description

Hardware implementation device and method for Espresso stream cipher and its variant
Technical Field
The invention relates to a hardware implementation device and method for the Espresso stream cipher and its variants, and belongs to the technical field of communication.
Background
With the development of fifth-generation (5G) mobile communication technology, information service terminals are moving towards the network edge and becoming more intelligent, so emerging applications place new requirements on the cost, power consumption, throughput and security of wireless communication technology.
The Espresso stream cipher is an encryption algorithm designed for 5G scenarios that require high throughput and low area. It was published in 2015, is estimated to occupy less than 1500 GE on an ASIC, and has the highest operating frequency among ciphers of the same size class.
Espresso supports 128-bit keys and consists of a 256-bit nonlinear feedback shift register (NFSR) together with its feedback functions and a key output function. Unlike traditional stream ciphers, the NFSR of Espresso is of Galois type: several feedback functions operating in parallel update the state, which raises the maximum operating frequency of the cipher by design.
Edge interconnection is a major application of 5G communication technology, and edge terminals of the Internet of Things urgently need an encryption algorithm that is low-latency, high-throughput, strong in security and compact in design to guarantee information security; Espresso's outstanding advantages make it well suited to this field. At present, research on the Espresso algorithm is limited to cryptographic security analysis, for example patent document cn201480084020. Applying the algorithm inevitably requires a hardware implementation, so the invention aims to design a hardware implementation device and a working method for the Espresso stream cipher and its variants, targeting application scenarios with different requirements, including compact-area terminals and low-latency, high-throughput terminals.
Disclosure of Invention
To address the deficiencies of the prior art, the invention provides a hardware implementation device and method for the Espresso stream cipher and its variants: an FPGA implementation scheme and method for the Espresso stream cipher and its variants, with the performance parameters of the different designs serving as a reference for different application scenarios, so that the Espresso design is more compact, occupies a smaller area in hardware and runs at a higher frequency.
The technical scheme of the invention is as follows:
A hardware implementation device for the Espresso stream cipher comprises a control unit, a Galois NFSR and a key output function h(x) with 20-bit input;
the control unit comprises a counter and a state machine and coordinates the Espresso algorithm through initial-state loading, internal-state initialization and keystream generation; the control unit drives the encryption algorithm sequentially through an initial-state loading stage, an initialization stage and a keystream output stage;
the counter has 9 bits in total, i.e. a counting range of 0 to 511; it is cleared by reset and then incremented by 1 in each clock cycle, and provides the input signals for the state machine;
the state machine has 4 states, IDLE, LOAD, INIT and WORK, which indicate the current stage;
after the device is reset, the state machine enters the IDLE state and moves to the LOAD state in the next clock cycle; when the state machine is in the LOAD state and the counter reads 255, the INIT state is entered in the next clock cycle; when the state machine is in the INIT state and the counter reads 511, the WORK state is entered in the next clock cycle and the 9-bit counter overflows naturally at the same time; the state machine then remains in the WORK state until a reset signal arrives; thus the LOAD state corresponds to the initial-state loading stage, the INIT state to the initialization stage and the WORK state to the keystream output stage;
the Galois NFSR comprises a 256-bit storage structure and 14 nonlinear feedback functions;
the 256-bit storage structure is denoted x_i, 256 bits in total, i = 0, 1, …, 255, and stores the 256-bit internal state; in the area optimization method the 256-bit storage structure is realized by a combination of flip-flops (FF) and shift register lookup tables, saving FPGA (field programmable gate array) area; in the throughput optimization method the 256-bit storage structure is realized entirely with flip-flops (FF) to raise the maximum operating frequency of the hardware;
the nonlinear feedback function denoted g_i(x) is used to update x_i; the 14 nonlinear feedback functions are g255(x), g251(x), g247(x), g243(x), g239(x), g235(x), g231(x), g217(x), g213(x), g209(x), g205(x), g201(x), g197(x) and g193(x); when the state machine is in the INIT state the device is in the initialization phase, and the functions g217(x) and g255(x) are each XORed with h(x);
the 14 nonlinear feedback functions update the internal state of the 256-bit storage structure synchronously with the clock: on each rising clock edge the 14 nonlinear feedback functions simultaneously write their current results into the corresponding 14 bits of the 256-bit internal state;
the 14 nonlinear feedback functions are:
[The 14 feedback-function equations g255(x) to g193(x) are images in the original (GDA0003489024360000031 to GDA00034890243600000314) and are not reproduced in the text.]
the key output function h(x) with 20-bit input is realized as a combinational logic circuit built from lookup table resources in the FPGA; it extracts 20 specific bits from the nonlinear feedback shift register and generates the keystream through AND/OR operations;
h(x) is composed of a linear function of 6 input bits and a nonlinear function of 14 input bits, and is implemented as:
[The h(x) equation is an image in the original (GDA00034890243600000315) and is not reproduced in the text.]
A hardware implementation device for the Fibonacci-type variant Espresso-F of the Espresso stream cipher comprises a control unit, a Fibonacci-type nonlinear feedback shift register (Fibonacci NFSR) and a key output function h(x) with 20-bit input;
the Fibonacci NFSR comprises a 256-bit storage structure and 2 nonlinear feedback functions, f255(x) and f217(x);
the 256-bit storage structure in the Fibonacci NFSR is the same as the 256-bit storage structure of the Galois NFSR in the hardware implementation device of the Espresso stream cipher;
the 2 nonlinear feedback functions update the internal state of the 256-bit storage structure synchronously with the clock: on each rising clock edge the 2 nonlinear feedback functions simultaneously write their current results into the corresponding 2 bits of the 256-bit internal state.
The 2 nonlinear feedback functions are implemented as follows:
[The f255(x) and f217(x) equations are images in the original (GDA00034890243600000316, GDA00034890243600000317) and are not reproduced in the text.]
The control unit and the key output function h(x) with 20-bit input are the same as in the hardware implementation device of the Espresso stream cipher.
A hardware implementation device for the linear feedback shift register variant Espresso-L of the Espresso stream cipher comprises a control unit, a Fibonacci-type linear feedback shift register (LFSR) and a key output function hl(x) with 104-bit input;
the control unit is the same as in the hardware implementation device of the Espresso stream cipher;
the Fibonacci LFSR comprises a 256-bit storage structure and 1 linear feedback function fl255(x);
the 256-bit storage structure in the Fibonacci LFSR is the same as the 256-bit storage structure of the Galois NFSR in the hardware implementation device of the Espresso stream cipher;
the linear feedback function updates the internal state of the 256-bit storage structure synchronously with the clock: on each rising clock edge the linear feedback function writes its current result into the corresponding bit of the 256-bit internal state.
The linear feedback function fl255(x) is implemented as follows:
[The fl255(x) equation is an image in the original (GDA0003489024360000041) and is not reproduced in the text.]
The key output function hl(x) with 104-bit input is realized as a combinational logic circuit built from lookup table resources in the FPGA; it extracts 104 specific bits from the feedback shift register and generates the keystream through AND/OR operations. The key output function with 104-bit input is implemented as:
[The hl(x) equation (GDA0003489024360000042), the symbol denoting the supplementary terms of x_k (GDA0003489024360000043) and the eleven supplementary-term equations (GDA0003489024360000044 to GDA00034890243600000414) are images in the original and are not reproduced in the text.]
An area optimization method for the hardware implementation devices of the Espresso stream cipher and its variants reduces the occupation of hardware resources as far as possible;
the area occupied in the FPGA is estimated by the number of occupied basic units (Slices); each Slice contains lookup tables (LUT) and flip-flops (FF), so the aim is to use every Slice fully while reducing the number of occupied Slices. When the ratio of LUTs to FFs occupied by the design approaches the ratio of LUTs to FFs in the FPGA device, the Slices are considered to be used as fully as possible.
A shift register lookup table (SRL) is essentially a lookup table (LUT) configured to act as a serial shift register; the developer cannot read every bit of its internal state, only the current lowest (output) bit.
An SRL carries a parameter n, written SRLn, which gives the maximum shift register length it can realize. Most common FPGA devices contain SRL16 and SRL32.
A continuous segment is defined as a run of bits in the nonlinear or linear feedback shift register whose internal state is not tapped, written P(i, j): apart from the lowest bit x_i and the highest bit x_j of the segment, none of the remaining bits x_k, i < k < j, appears as an argument or as the updated bit of any feedback function, nor in the key output function;
a continuous segment P(i, j) is defined to have replaceable length j - i: the segment can be replaced by 1 LUT, saving at most j - i FFs.
In particular, in the hardware implementation of the Espresso stream cipher, consider the continuous segment P(252, 255): x252 is an argument of the nonlinear feedback function g251(x), x255 is the bit updated by the nonlinear feedback function g255(x), and the remaining bits x253 and x254 appear neither in a feedback function nor in the key output function; the replaceable length of P(252, 255) is therefore 255 - 252 = 3.
In this example one SRL16 or SRL32 can replace the 3 bits of the shift register storage originally implemented with FFs: adding 1 LUT removes 3 FFs, i.e. 1 LUT replaces the 3 FFs of the continuous segment P(252, 255). After replacement, the input of the SRL is x255 and its output terminal serves as x252, which is connected to the feedback functions and the key output function.
The hardware device of the invention does not occupy dedicated FPGA resources such as BRAM and DSP.
The area optimization method comprises the following specific steps:
according to the cryptographic description of the variant, obtain all its continuous segments and sort them by length from longest to shortest;
in the design, use as few flip-flops as possible and balance the ratio of LUTs to FFs to reduce area; the best reduction of flip-flops and of the LUT-to-FF imbalance is obtained by replacing the continuous segments with LUTs one by one, from the longest to the shortest;
at the same time, adjust and increase the number of LUTs according to the LUT-to-FF ratio of the particular FPGA device, since different devices have different ratios, so as to reach the optimum.
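The continuous-segment procedure above as a small planner (an added example, not a tool from the patent): it finds every P(i, j) from the set of tapped register bits, sorts them longest first, and reports the FFs an SRL saves and the LUTs it costs. The REFERENCED and UPDATED index sets below are constructed, since the page gives only the P(252, 255) case and not Espresso's full tap set; the per-device LUT:FF ratio cap and the "one fewer FF when x_i is itself written by a feedback function" refinement are this example's assumptions, consistent with the page's "at most j - i".

```python
# Planner for the continuous-segment area optimisation (added example, not the
# patent's tool). Input: the NFSR bit indices that any feedback function reads
# or writes, plus those the key output function reads.
# REFERENCED and UPDATED are CONSTRUCTED; they include the page's P(252, 255) case.

N = 256
UPDATED = {255, 251, 247, 243, 239, 235, 231, 217, 213, 209, 205, 201, 197, 193}
REFERENCED = UPDATED | {0, 5, 6, 20, 41, 70, 100, 101, 102, 140, 252}


def continuous_segments(referenced, n=N):
    """Every P(i, j): x_i and x_j tapped, no x_k with i < k < j tapped,
    and at least one untapped bit in between (length j - i >= 2)."""
    taps = sorted(k for k in referenced if 0 <= k < n)
    return [(i, j, j - i) for i, j in zip(taps, taps[1:]) if j - i >= 2]


def ffs_saved(i, j, updated):
    """FFs removed by one SRL over P(i, j): SRL input is x_j, its output replaces
    x_i, so j - i FFs go. If x_i is itself written by a feedback function it must
    stay a flip-flop and the SRL ends at x_{i+1}, saving one fewer (assumption)."""
    return j - i - (1 if i in updated else 0)


def srl_plan(referenced, updated, n=N, srl_depth=32):
    """Segments longest-first with FFs saved and SRLn primitives (LUTs) needed."""
    plan = []
    segments = sorted(continuous_segments(referenced, n), key=lambda s: -s[2])
    for i, j, length in segments:
        saved = ffs_saved(i, j, updated)
        if saved == 0:
            continue
        luts = -(-saved // srl_depth)          # ceil: chain SRLs for long runs
        plan.append({"segment": (i, j), "length": length,
                     "ffs_saved": saved, "luts": luts})
    return plan


def apply_plan(plan, n=N, base_luts=0, max_ratio=None):
    """Replace segments in plan order. With max_ratio set (assumed to be the
    device's own LUT:FF ratio), skip a replacement that would push the design's
    LUT:FF ratio above it, so shorter segments may still be taken."""
    ffs, luts, chosen = n, base_luts, []
    for item in plan:
        new_ffs, new_luts = ffs - item["ffs_saved"], luts + item["luts"]
        if max_ratio is not None and new_luts / new_ffs > max_ratio:
            continue
        ffs, luts = new_ffs, new_luts
        chosen.append(item["segment"])
    return {"ffs": ffs, "luts": luts, "replaced": chosen}
```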
The hardware implementation devices of the Espresso stream cipher and its variants also have a throughput optimization method, under which the device generates a multi-bit keystream in a single cycle, improving throughput;
the key parameter is the parallel width w: with parallel width w, a w-bit keystream is output in each clock cycle;
under the throughput optimization method, the hardware implementation devices of the Espresso stream cipher and of the Fibonacci variant Espresso-F copy the key output function w times, i.e. j is added to the argument indices of the w copies, j = 0, 1, …, w - 1, forming h0(x), h1(x), …, hw-1(x);
under the throughput optimization method the w key output functions are respectively:
[The h0(x), h1(x), …, hw-1(x) equations are images in the original (GDA0003489024360000061 to GDA0003489024360000063) and are not reproduced in the text.]
according to the same replication method, the key output function of Espresso-L is replicated w times, i.e. j is added to the argument indices of the w copies, j = 0, 1, …, w - 1, forming hl0(x), hl1(x), …, hlw-1(x);
under the throughput optimization method, the nonlinear feedback functions are likewise replicated w times according to the replication method, giving w groups of nonlinear feedback functions; for the hardware implementation device of the Espresso stream cipher the 14 nonlinear feedback functions must therefore be replicated w times, i.e. w × 14 feedback functions in total,
[The replicated feedback-function equations are images in the original (GDA0003489024360000064, GDA0003489024360000065) and are not reproduced in the text.]
where j = 0, 1, …, w - 1.
The hardware implementation device of the Fibonacci variant Espresso-F replicates its 2 nonlinear feedback functions w times, i.e. w × 2 feedback functions in total,
[The replicated equation is an image in the original (GDA0003489024360000066) and is not reproduced in the text.]
where j = 0, 1, …, w - 1.
The hardware implementation device of the linear feedback shift register variant Espresso-L replicates its 1 linear feedback function w times, i.e. w × 1 feedback functions in total,
[The replicated equation is an image in the original (GDA0003489024360000067) and is not reproduced in the text.]
where j = 0, 1, …, w - 1.
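The replication rule above as a runnable model for a Fibonacci-type register (an added example, not the patent's HDL): the output function h and the feedback function f are copied w times with every argument index raised by j, and the w copies evaluate in one clock. The tap sets F_LIN, F_AND, H_LIN and H_AND are constructed, not Espresso-F's; the check that w must not exceed N minus the largest tap index is this example's assumption, since a copy may only read bits that already exist in the register, and the test confirms that the parallel device reproduces the serial keystream exactly.

```python
# Parallel-width model of a Fibonacci feedback shift register (added example,
# not the patent's HDL). Toy tap sets are CONSTRUCTED, not Espresso-F's.

N = 256
F_LIN = (0, 12, 47)                   # CONSTRUCTED f = x0 ^ x12 ^ x47 ^ x23 x61 ^ x90 x131
F_AND = ((23, 61), (90, 131))
H_LIN = (15, 77, 133)                 # CONSTRUCTED h = x15 ^ x77 ^ x133 ^ x48 x160 ^ x33 x171
H_AND = ((48, 160), (33, 171))
MAX_TAP = max(F_LIN + H_LIN + tuple(k for p in F_AND + H_AND for k in p))


def f(x, j=0):
    """Feedback copy f_j(x): f with every argument index raised by j."""
    v = 0
    for k in F_LIN:
        v ^= x[k + j]
    for a, b in F_AND:
        v ^= x[a + j] & x[b + j]
    return v


def h(x, j=0):
    """Output copy h_j(x): h with every argument index raised by j."""
    v = 0
    for k in H_LIN:
        v ^= x[k + j]
    for a, b in H_AND:
        v ^= x[a + j] & x[b + j]
    return v


def max_parallel_width():
    """Largest w for which every raised index k + j (j <= w - 1) still addresses
    an existing bit x_{N-1} or lower. Assumed caveat: a wider w would need the
    copies chained through the feedback bits produced in the same cycle."""
    return N - MAX_TAP


def step_serial(x):
    """Width 1: one keystream bit h(x), then shift down by one and insert f(x)."""
    return x[1:] + [f(x)], [h(x)]


def step_parallel(x, w):
    """Width w: h_0..h_{w-1} give w keystream bits and f_0..f_{w-1} give the w new
    state bits, all evaluated on the same state x; the register then shifts by w."""
    if not 1 <= w <= max_parallel_width():
        raise ValueError("parallel width %d exceeds %d" % (w, max_parallel_width()))
    return x[w:] + [f(x, j) for j in range(w)], [h(x, j) for j in range(w)]


def run(x, cycles, w=1):
    """Clock the register `cycles` times at width w; return (state, keystream)."""
    z = []
    for _ in range(cycles):
        x, bits = step_parallel(x, w) if w > 1 else step_serial(x)
        z.extend(bits)
    return x, z


STATE0 = [(i * 37 + 11) % 5 % 2 for i in range(N)]   # CONSTRUCTED loaded state
```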
The Espresso algorithm was designed with full consideration of security and parallelization, and its hardware implementation efficiency has been evaluated. The invention designs an FPGA encryption hardware scheme based on the Espresso stream cipher that covers not only Galois Espresso and the Fibonacci Espresso variant but also an Espresso variant built on a linear Fibonacci feedback shift register. The invention also provides parallel implementations that improve the throughput of the above cipher and its variants. In summary, the invention realizes the Espresso stream cipher and its variants simply and efficiently, and ensures the compactness and high throughput of Espresso.
The invention has the following beneficial effects:
The hardware implementation device and method of the Espresso stream cipher and its variants have the following advantages:
1. Hardware implementations of the Espresso stream cipher, the Fibonacci-type variant of the Espresso stream cipher (Espresso-F) and the linear feedback shift register variant of Espresso (Espresso-L) are designed.
2. An FPGA implementation method for the Espresso stream cipher is designed, comprising an area optimization method and a throughput optimization method.
3. The area optimization method effectively reduces the area occupied by the feedback shift register that stores the internal state of the stream cipher, by realizing the continuous unused register segments as lookup tables, and achieves the smallest area among all the schemes of the invention. Under the area optimization method, the Espresso stream cipher implementation device on a Spartan-3 FPGA occupies 62 Slices with a maximum operating frequency of 198.5 MHz; the Fibonacci variant (Espresso-F) device has the smallest area, only 52 Slices, with a maximum frequency of 195.4 MHz; the linear feedback shift register variant (Espresso-L) occupies 303 Slices with a maximum frequency of 113.8 MHz. Under the area optimization method on a Virtex-7 FPGA, the hardware implementation devices of the Espresso stream cipher, the Fibonacci variant (Espresso-F) and the linear feedback shift register variant (Espresso-L) occupy 25 Slices, 22 Slices and 72 Slices respectively, with maximum operating frequencies of 491.4 MHz, 427.2 MHz and 275.3 MHz respectively.
4. The throughput optimization method turns the single-bit-per-cycle keystream output into a multi-bit-per-cycle keystream output, and the hybrid design method raises the throughput of the cipher in the keystream output stage; the highest throughput of an Espresso-F hardware implementation device using this method reaches 1.90 Gbps on Spartan-3 and 4.09 Gbps on Virtex-7.
Therefore, the FPGA implementation device and method for the Espresso stream cipher and its variants provided by the invention can essentially meet the application requirements of low cost, miniaturization and high throughput.
Drawings
FIG. 1 is a diagram of an Espresso hardware architecture;
FIG. 2 is a diagram of an Espresso-F hardware architecture;
FIG. 3 is a diagram of an Espresso-L hardware architecture;
fig. 4 is a flowchart of the hardware implementation apparatus.
Detailed Description
The present invention will be further described by way of examples, but not limited thereto, with reference to the accompanying drawings.
Example 1:
As shown in fig. 1, a hardware implementation device of the Espresso stream cipher comprises a control unit, a Galois-type nonlinear feedback shift register (Galois NFSR, containing 14 nonlinear feedback functions g) and a key output function h(x) with 20-bit input.
The control unit comprises a counter and a state machine and coordinates the Espresso algorithm through initial-state loading, internal-state initialization and keystream generation; the control unit drives the encryption algorithm sequentially through an initial-state loading stage, an initialization stage and a keystream output stage;
the Galois NFSR comprises a 256-bit storage structure and 14 nonlinear feedback functions;
the 256-bit storage structure is denoted x_i, 256 bits in total, i = 0, 1, …, 255, and stores the 256-bit internal state; in the area optimization method the 256-bit storage structure is realized by a combination of flip-flops (FF) and shift register lookup tables, saving FPGA (field programmable gate array) area; in the throughput optimization method the 256-bit storage structure is realized entirely with flip-flops (FF) to raise the maximum operating frequency of the hardware;
the nonlinear feedback function denoted g_i(x) is used to update x_i.
An update set U = {255, 251, 247, 243, 239, 235, 231, 217, 213, 209, 205, 201, 197, 193} is defined, where i ∈ U.
The key output function h(x) with 20-bit input is realized as a combinational logic circuit built from lookup table resources in the FPGA; it extracts 20 specific bits from the nonlinear feedback shift register and generates the keystream through AND/OR operations;
as shown in fig. 4, under the control of the control unit, the hardware first loads the initial state for 256 clock cycles and then enters the initialization phase, in which the nonlinear feedback functions f217(x) and f255(x) are XORed with the current result of h(x) (in Espresso-L, fl is XORed with hl(x)) for 256 cycles; it then enters the keystream output stage, in which the result z of h(x) (hl(x) in Espresso-L) is used as the pseudorandom keystream for encryption. When the required keystream length has been reached the device receives a reset signal and ends the encryption process; otherwise it keeps updating the internal state and outputting the keystream.
Under the control of the control unit, after reset the device is first in the initial-state loading stage and the 256-bit initial state is loaded serially; the initial state consists of the key (key_i, i = 0, 1, …, 127), the initialization vector (iv_i, i = 0, 1, …, 95) and a 32-bit constant vector (D_i, i = 0, 1, …, 31). After the initial-state loading stage is complete, the internal state of the 256-bit feedback shift register is {key0, key1, …, key127, iv0, iv1, …, iv95, D0, D1, …, D31}, with key0 in the lowest-order position.
The constant vector ensures that an all-zero state does not occur during encryption;
the device then enters the initialization phase, in which on every cycle the feedback functions of bits 217 and 255 of the shift register, i.e. g217(x) and g255(x), are XORed with the h(x) of the current cycle, and the function results are fed back to update the shift register.
The feedback shift register update is expressed as:
[The update equation is an image in the original (GDA0003489024360000081) and is not reproduced in the text.]
The initialization phase runs for 256 clock cycles, after which the device enters the keystream output phase: the feedback functions g217(x) and g255(x) of the shift register no longer need to be XORed with h(x), and the 1-bit result of h(x) in each cycle is used as keystream to encrypt 1 bit of plaintext, while the feedback shift register is still updated every cycle.
Under the throughput optimization method with parallel width w, the w-bit result of h0(x), h1(x), …, hw-1(x) is output each cycle as keystream to encrypt w bits of plaintext.
Under the throughput optimization method with parallel width w, the feedback shift register update per cycle is expressed as:
[The parallel update equation is an image in the original (GDA0003489024360000091) and is not reproduced in the text.]
The hardware device remains in the keystream output phase until it is reset.
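The three-phase operation of Example 1 as a runnable bit-serial model (an added example, not the patent's HDL): the 9-bit counter, the IDLE/LOAD/INIT/WORK state machine, the serial load order with key0 ending at x_0 and the Galois update set U follow the description above, while toy_g, toy_h and the constant vector are constructed stand-ins, because the Espresso equations appear only as images on this page; the counter is assumed to start counting when LOAD begins so that LOAD and INIT each last 256 cycles.

```python
# Bit-serial model of the IDLE/LOAD/INIT/WORK device (added example, not the
# patent's HDL). Control flow and update set U follow the page; toy_g, toy_h and
# the constant vector are CONSTRUCTED stand-ins for the Espresso equations.

N = 256
U = (255, 251, 247, 243, 239, 235, 231, 217, 213, 209, 205, 201, 197, 193)
INIT_XOR = (217, 255)            # feedbacks XORed with h(x) during INIT only


def toy_g(i, x):
    """CONSTRUCTED Galois feedback for bit i: the shifted-in neighbour x_{i+1}
    (x_0 for i = 255) plus a small nonlinear term. Not Espresso's g_i(x)."""
    nxt = x[(i + 1) % N]
    a, b, c = x[(7 * i + 3) % N], x[(11 * i + 5) % N], x[(13 * i + 17) % N]
    return nxt ^ (a & b) ^ c


H_LIN = (10, 30, 50, 70, 90, 110)                       # 6-bit linear part
H_NL = ((120, 130), (140, 150), (160, 170), (180, 190),
        (200, 210), (220, 230), (240, 250))             # 14-bit nonlinear part


def toy_h(x):
    """CONSTRUCTED 20-input output function: 6 XORed bits plus 7 AND terms."""
    z = 0
    for k in H_LIN:
        z ^= x[k]
    for a, b in H_NL:
        z ^= x[a] & x[b]
    return z


class EspressoStyleDevice:
    IDLE, LOAD, INIT, WORK = "IDLE", "LOAD", "INIT", "WORK"

    def __init__(self, g=toy_g, h=toy_h):
        self.g, self.h = g, h
        self.reset()

    def reset(self):
        self.x = [0] * N
        self.counter = 0                 # 9-bit counter, cleared by reset
        self.state = self.IDLE

    def _next_state(self):
        if self.state == self.IDLE:
            return self.LOAD
        if self.state == self.LOAD and self.counter == 255:
            return self.INIT
        if self.state == self.INIT and self.counter == 511:
            return self.WORK
        return self.state                # WORK is held until reset

    def clock(self, load_bit=0):
        """One rising edge. Returns the keystream bit while in WORK, else None."""
        x, st, out = self.x, self.state, None
        if st == self.LOAD:
            new = x[1:] + [load_bit]                 # serial shift-in at x_255
        elif st in (self.INIT, self.WORK):
            hx = self.h(x)
            new = x[1:] + [0]                        # x_i <- x_{i+1} for i not in U
            for i in U:                              # 14 Galois feedbacks, in parallel
                new[i] = self.g(i, x)
                if st == self.INIT and i in INIT_XOR:
                    new[i] ^= hx                     # h(x) folded in during INIT
            if st == self.WORK:
                out = hx                             # 1 keystream bit per cycle
        else:
            new = x                                  # IDLE: register unchanged
        self.state = self._next_state()              # decided on the pre-edge count
        if st != self.IDLE:                          # assumption: counting starts in LOAD
            self.counter = (self.counter + 1) & 0x1FF    # 511 overflows to 0
        self.x = new
        return out


def keystream(key, iv, nbits):
    """Drive LOAD (256 cycles) and INIT (256 cycles), then return nbits of keystream."""
    assert len(key) == 128 and len(iv) == 96
    const = [1, 0] * 16                              # CONSTRUCTED non-zero 32-bit D
    dev = EspressoStyleDevice()
    dev.clock()                                      # IDLE -> LOAD
    for bit in key + iv + const:                     # key0 first, so it ends at x_0
        dev.clock(bit)
    assert dev.state == dev.INIT and dev.x == key + iv + const
    for _ in range(256):
        dev.clock()
    assert dev.state == dev.WORK and dev.counter == 0   # natural overflow
    return [dev.clock() for _ in range(nbits)]


def xor_bits(bits, ks):
    """Stream encryption/decryption: XOR data bits with the keystream."""
    return [p ^ k for p, k in zip(bits, ks)]
```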
Example 2:
As shown in fig. 2, a hardware implementation device of the Fibonacci-type variant Espresso-F of the Espresso stream cipher comprises a control unit, a Fibonacci-type nonlinear feedback shift register (Fibonacci NFSR, containing 2 nonlinear feedback functions f) and a key output function h(x) with 20-bit input;
the control unit is the same as in the hardware implementation device of the Espresso stream cipher in Example 1;
the 256-bit storage structure in the Fibonacci NFSR is the same as the 256-bit storage structure of the Galois NFSR in the hardware implementation device of the Espresso stream cipher in Example 1;
the 2 nonlinear feedback functions, denoted f_i(x), are used to update x_i.
An update set U_F = {255, 217} is defined, where i ∈ U_F.
The key output function h(x) with 20-bit input is the same as in the hardware implementation device of the Espresso stream cipher in Example 1;
as shown in fig. 4, under the control of the control unit, after reset the device is first in the initial-state loading stage and the 256-bit initial state is loaded serially, in the same way as in the hardware implementation device of the Espresso stream cipher.
The device then enters the initialization phase, in which the feedback functions f217(x) and f255(x) are XORed with the h(x) of the current cycle, and the function results are fed back to update the shift register.
The feedback shift register update is expressed as:
[The update equation is an image in the original (GDA0003489024360000092) and is not reproduced in the text.]
The initialization phase runs for 256 clock cycles, after which the device enters the keystream output phase: the feedback functions f217(x) and f255(x) of the shift register no longer need to be XORed with h(x), and the 1-bit result of h(x) in each cycle is used as keystream to encrypt 1 bit of plaintext, while the feedback shift register is still updated every cycle.
Under the throughput optimization method with parallel width w, the w-bit result of h0(x), h1(x), …, hw-1(x) is output each cycle as keystream to encrypt w bits of plaintext.
Under the throughput optimization method with parallel width w, the feedback shift register update per cycle is expressed as:
[The parallel update equation is an image in the original (GDA0003489024360000093) and is not reproduced in the text.]
The hardware device remains in the keystream output phase until it is reset.
Example 3:
As shown in Fig. 3, the hardware implementation apparatus of the linear feedback shift register variant Espresso-L of the Espresso stream cipher comprises a control unit, a Fibonacci-type linear feedback shift register (LFSR) containing 1 linear feedback function fl, and a key output function hl(x) with 104-bit input;
the control unit is the same as in the hardware implementation apparatus of the Espresso stream cipher;
the 256-bit storage structure in the linear feedback shift register (LFSR) is the same as the 256-bit storage structure of the Galois NFSR in the hardware implementation apparatus of the Espresso stream cipher,
the 1 linear feedback function is denoted fl_255(x) and is used to update x_255;
the key output function hl(x) with 104-bit input is realized by a combinational logic circuit; it extracts 104 specific bits of the linear feedback shift register and generates the keystream through AND and XOR operations.
As shown in Fig. 4, under control of the control unit the device enters the initial state loading stage after reset and serially loads the 256-bit initial state, the same as in the hardware implementation apparatus of the Espresso stream cipher.
The device then enters the initialization phase, in which the feedback function fl_255(x) is XORed with the hl(x) of the current cycle, and the result is used to update the feedback shift register.
The feedback shift register update is expressed as:
Figure GDA0003489024360000101
The initialization phase runs for 256 clock cycles, after which the device enters the keystream output phase. There the feedback function fl_255(x) of the shift register is no longer XORed with hl(x); the 1-bit result of hl(x) in each cycle is used as keystream to encrypt 1 bit of plaintext, while the feedback shift register is still updated every cycle.
Under the throughput optimization method with parallel width w, in each cycle hl_0(x), hl_1(x), …, hl_{w-1}(x) output a w-bit result as keystream for encrypting w bits of plaintext.
Under the throughput optimization method with the parallel width w, the feedback shift register update per cycle is expressed as:
Figure GDA0003489024360000102
the hardware device maintains the keystream output phase until the device is reset.
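The three phases described in Examples 2 and 3 (and the counter/state machine of claim 1 below), as a cycle-level model added here for illustration; it is not the patent's RTL, and its feedback and output functions are constructed toy stand-ins, because the page's real f_255, f_217, fl_255, h and hl survive only as equation images. The model runs the 9-bit counter and the IDLE/LOAD/INIT/WORK state machine, loads a 256-bit state serially, XORs h(x) into the feedbacks during the 256 initialization cycles only, and then emits one keystream bit per cycle:

```python
"""Cycle-level model of the three-phase device of Examples 2 and 3: the 9-bit
counter and IDLE/LOAD/INIT/WORK state machine of claim 1 driving a Fibonacci-
type feedback shift register x_0..x_255 (x_i <- x_{i+1} each cycle). Added
example, not the patent's RTL; every tap function is a CONSTRUCTED stand-in."""
import random

N = 256          # register length
CNT_BITS = 9     # 9-bit counter, 0..511, wraps to 0 on overflow

def f255(x):     # constructed toy nonlinear feedback for x_255 (assumption)
    return x[0] ^ (x[17] & x[91]) ^ x[130]

def f217(x):     # constructed toy nonlinear feedback for x_217 (assumption)
    return x[218] ^ (x[5] & x[60])

def fl255(x):    # constructed toy linear feedback for Espresso-L (assumption)
    return x[0] ^ x[37] ^ x[121] ^ x[200]

def h(x):        # constructed toy output: linear part XOR AND monomials
    return x[80] ^ x[99] ^ x[137] ^ (x[243] & x[217]) ^ (x[255] & x[251])

class Controller:
    """Claim 1 control unit: counter plus state machine, one tick per edge."""

    def __init__(self):
        self.count, self.state = 0, "IDLE"

    reset = __init__

    def tick(self):
        nxt = self.state
        if self.state == "IDLE":
            nxt = "LOAD"
        elif self.state == "LOAD" and self.count == 255:
            nxt = "INIT"
        elif self.state == "INIT" and self.count == 511:
            nxt = "WORK"                      # counter wraps to 0 on this edge
        self.count = (self.count + 1) % (1 << CNT_BITS)
        self.state = nxt

def phase_lengths():
    """Cycles spent in each state before WORK, and the counter on entry."""
    ctl, lengths = Controller(), {}
    while ctl.state != "WORK":
        lengths[ctl.state] = lengths.get(ctl.state, 0) + 1
        ctl.tick()
    return lengths, ctl.count

class FibonacciDevice:
    """`feedbacks` maps position p to the function that writes x_p; positions
    in `init_mix` XOR the current h(x) into that feedback during INIT only."""

    def __init__(self, feedbacks, out_fn, init_mix):
        self.feedbacks, self.out_fn, self.init_mix = feedbacks, out_fn, init_mix
        self.ctl, self.x = Controller(), [0] * N

    def cycle(self, load_bit=0):
        """One rising edge. Returns the keystream bit in WORK, else None."""
        st, x = self.ctl.state, self.x
        z = self.out_fn(x)
        if st in ("IDLE", "LOAD"):
            # Assumption: the IDLE cycle after reset already shifts in the
            # first bit, so counts 0..255 load all 256 bits through x_255.
            new = x[1:] + [load_bit]
        else:
            new = x[1:] + [0]
            for p, f in self.feedbacks.items():
                new[p] = f(x) ^ (z if st == "INIT" and p in self.init_mix else 0)
        self.x = new
        self.ctl.tick()
        return z if st == "WORK" else None

    def keystream(self, init_state, n):
        """Reset, load the 256-bit state serially, run INIT, return n bits."""
        self.ctl.reset()
        self.x, out, i = [0] * N, [], 0
        while len(out) < n:
            z = self.cycle(init_state[i] if i < N else 0)
            i += 1
            if z is not None:
                out.append(z)
        return out

def espresso_f_device():
    return FibonacciDevice({255: f255, 217: f217}, h, init_mix={255, 217})

def espresso_l_device():
    return FibonacciDevice({255: fl255}, h, init_mix={255})

def roundtrip(make_device, seed=1, n=64):
    """Encrypt n bits on one device, decrypt on a fresh one loaded with the
    same constructed 256-bit initial state; returns (pt, ct, recovered)."""
    rng = random.Random(seed)
    state = [rng.randrange(2) for _ in range(N)]
    pt = [rng.randrange(2) for _ in range(n)]
    ct = [p ^ k for p, k in zip(pt, make_device().keystream(state, n))]
    return pt, ct, [c ^ k for c, k in zip(ct, make_device().keystream(state, n))]
```

Read literally, the claim-1 transitions give one IDLE cycle, 255 LOAD cycles (counter 1 to 255) and 256 INIT cycles (counter 256 to 511), with WORK entered on the edge at which the counter wraps to 0; `phase_lengths()` returns exactly that. The model therefore assumes that the IDLE cycle already shifts in the first bit so that all 256 bits are in place when INIT begins, and a testbench for the real RTL should confirm how its serial load lines up with the counter. The same `FibonacciDevice` with `{255: fl255}` gives the Espresso-L structure of Example 3, with a single feedback position mixed with the output during INIT.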

Claims (5)

1. A hardware implementation apparatus of the Espresso stream cipher, characterized in that it comprises a control unit, a Galois-type nonlinear feedback shift register, and a key output function h(x) with 20-bit input;
the control unit comprises a counter and a state machine and coordinates the Espresso algorithm through loading the initial state, initializing the internal state and generating the keystream; the control unit drives the encryption algorithm sequentially through an initial state loading stage, an initialization stage and a keystream output stage;
the counter has 9 bits in total and counts from 0 to 511; it is cleared by reset and then incremented by 1 in each clock cycle, and it provides the input signal for the state machine;
the state machine has 4 states, IDLE, LOAD, INIT and WORK, used to indicate the stage;
after the device is reset, the state machine enters the IDLE state and moves to the LOAD state in the next clock cycle; when the state machine indicates LOAD and the counter is 255, it enters INIT in the next clock cycle; when the state machine indicates INIT and the counter is 511, it enters WORK in the next clock cycle, and at the same time the 9-bit counter naturally overflows; the state machine then stays in WORK until a reset signal arrives; thus LOAD corresponds to the initial state loading stage, INIT to the initialization stage and WORK to the keystream output stage;
the Galois-type nonlinear feedback shift register comprises a 256-bit storage structure and 14 nonlinear feedback functions,
the 256-bit storage structure is denoted x_i, i = 0, 1, …, 255, 256 bits in total, and stores the 256-bit internal state,
the nonlinear feedback function used to update x_i is denoted g_i(x); the 14 nonlinear feedback functions are g_255(x), g_251(x), g_247(x), g_243(x), g_239(x), g_235(x), g_231(x), g_217(x), g_213(x), g_209(x), g_205(x), g_201(x), g_197(x) and g_193(x); when the state machine indicates the INIT state the device is in the initialization phase, and the functions g_217(x) and g_255(x) are each XORed with h(x);
the 14 nonlinear feedback functions update the internal state of the 256-bit storage structure synchronously with the clock: on each rising clock edge, the 14 nonlinear feedback functions simultaneously write their current results into the corresponding 14 bits of the 256-bit internal state;
the 14 nonlinear feedback functions are:
Figure FDA0003497931090000021
Figure FDA0003497931090000022
Figure FDA0003497931090000023
Figure FDA0003497931090000024
Figure FDA0003497931090000025
Figure FDA0003497931090000026
Figure FDA0003497931090000027
Figure FDA0003497931090000028
Figure FDA0003497931090000029
Figure FDA00034979310900000210
Figure FDA00034979310900000211
Figure FDA00034979310900000212
Figure FDA00034979310900000213
Figure FDA00034979310900000214
the key output function h(x) with 20-bit input is realized by a combinational logic circuit implemented with lookup table resources of the FPGA; it extracts 20 specific bits of the nonlinear feedback shift register and generates the keystream through AND and XOR operations;
h(x) consists of a linear function with 6-bit input and a nonlinear function with 14-bit input, and is implemented as:
Figure FDA00034979310900000215
2. A hardware implementation apparatus of the Fibonacci-type variant Espresso-F of the Espresso stream cipher, characterized in that it comprises a control unit, a Fibonacci-type nonlinear feedback shift register, and a key output function h(x) with 20-bit input;
the Fibonacci nonlinear feedback shift register comprises a 256-bit storage structure and 2 nonlinear feedback functions f_255(x) and f_217(x);
the 256-bit storage structure in the Fibonacci nonlinear feedback shift register is the same as the 256-bit storage structure of the Galois nonlinear feedback shift register in the hardware implementation apparatus of the Espresso stream cipher of claim 1;
the 2 nonlinear feedback functions update the internal state of the 256-bit storage structure synchronously with the clock: on each rising clock edge, the 2 nonlinear feedback functions simultaneously write their current results into the corresponding 2 bits of the 256-bit internal state;
the 2 nonlinear feedback functions are respectively realized as follows:
Figure FDA00034979310900000216
Figure FDA00034979310900000217
the control unit and the key output function h(x) with 20-bit input are the same as in the hardware implementation apparatus of the Espresso stream cipher of claim 1.
3. A hardware implementation apparatus of the linear feedback shift register variant Espresso-L of the Espresso stream cipher, characterized in that it comprises a control unit, a Fibonacci-type linear feedback shift register, and a key output function hl(x) with 104-bit input;
the control unit is the same as in the hardware implementation apparatus of the Espresso stream cipher;
the Fibonacci linear feedback shift register comprises a 256-bit storage structure and 1 linear feedback function fl_255(x);
the 256-bit storage structure in the Fibonacci linear feedback shift register is the same as the 256-bit storage structure of the Galois nonlinear feedback shift register in the hardware implementation apparatus of the Espresso stream cipher of claim 1;
the 1 linear feedback function updates the internal state of the 256-bit storage structure synchronously with the clock: on each rising clock edge, the linear feedback function writes its current result into the corresponding 1 bit of the 256-bit internal state;
the linear feedback function fl_255(x) is implemented as:
Figure FDA0003497931090000031
the key output function hl(x) with 104-bit input is realized by a combinational logic circuit implemented with lookup table resources of the FPGA; it extracts 104 specific bits of the linear feedback shift register and generates the keystream through AND and XOR operations; the key output function with 104-bit input is implemented as:
Figure FDA0003497931090000032
wherein
Figure FDA0003497931090000033
denotes the complement of x_k, and x_k denotes the k-th bit of the feedback shift register, as follows:
Figure FDA0003497931090000034
4. An area optimization method using the hardware implementation apparatus of the Espresso stream cipher or its variants according to any one of claims 1 to 3, characterized in that:
the area occupied in the FPGA is estimated by the number of basic units (Slices), each of which contains lookup tables and flip-flops and can implement a continuous shift register,
a continuous segment is defined as a segment of the nonlinear or linear feedback shift register from which no internal state is extracted, denoted P(i, j): apart from its lowest bit x_i and its highest bit x_j, none of the remaining bits x_k, i < k < j, appears as an independent or dependent variable of any feedback function or key output function, where i is the index of the lowest bit x_i, j is the index of the highest bit x_j, and k indexes the remaining bits;
the replaceable length of the continuous segment P(i, j) is defined as j - i; replacing the continuous segment with 1 LUT that implements it saves at most j - i FFs, where FF denotes a flip-flop;
the area optimization method comprises the following specific steps:
according to the cryptographic description of the variant, all continuous segments of the variant are obtained and sorted from largest to smallest by replaceable length;
the continuous segments are then replaced in turn, from largest to smallest, by a number of LUTs.
5. A throughput optimization method using the hardware implementation apparatus of the Espresso stream cipher or its variants according to any one of claims 1 to 3, characterized in that the throughput optimization method comprises the following steps:
the key parameter is the parallel width w; when the parallel width is w, a keystream of w bits is output in each clock cycle;
under the throughput optimization method, the hardware implementation apparatus of the Espresso stream cipher and that of the Fibonacci-type variant Espresso-F need to copy the key output function w times, adding j to the argument indices of the w functions respectively, where j is the number added to the argument indices, j = 0, 1, …, w-1, to form h_0(x), h_1(x), …, h_{w-1}(x), which denote respectively the original Espresso key output function, the copied Espresso key output function with argument indices increased by 1, and so on up to the copied Espresso key output function with argument indices increased by w-1;
under the throughput rate optimization method, w key output functions are respectively:
Figure FDA0003497931090000041
Figure FDA0003497931090000042
……
Figure FDA0003497931090000043
according to the same copying method, the key output function of Espresso-L is copied w times, adding j to the argument indices of the w functions respectively, j = 0, 1, …, w-1, to form hl_0(x), hl_1(x), …, hl_{w-1}(x), which denote respectively the original Espresso-L key output function, the copied Espresso-L key output function with argument indices increased by 1, and so on up to the copied Espresso-L key output function with argument indices increased by w-1;
under the throughput optimization method, according to the same copying method, the nonlinear feedback functions also need to be copied w times, denoted as w groups of nonlinear feedback functions; thus the hardware implementation apparatus of the Espresso stream cipher needs to copy the 14 nonlinear feedback functions w times, i.e. a total of w × 14 feedback functions,
Figure FDA0003497931090000051
Figure FDA0003497931090000052
wherein j = 0, 1, …, w-1;
the hardware implementation apparatus of the Fibonacci-type variant Espresso-F of the Espresso stream cipher needs to copy the 2 nonlinear feedback functions w times, i.e. a total of w × 2 feedback functions,
Figure FDA0003497931090000053
wherein j = 0, 1, …, w-1;
the hardware implementation apparatus of the linear feedback shift register variant Espresso-L of the Espresso stream cipher needs to copy the 1 linear feedback function w times, i.e. a total of w × 1 feedback functions,
Figure FDA0003497931090000054
wherein j = 0, 1, …, w-1.
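The two optimization methods of claims 4 and 5, worked as an added example on the single-feedback Fibonacci structure of Espresso-L (claim 3). This is not the patent's code, and the tap functions `fl` and `hl` are constructed toy stand-ins, since the real fl_255 and the 104-input hl appear on the page only as images. `continuous_segments` enumerates the segments P(i, j) and orders them by replaceable length, `lut_plan` applies the replacement under an assumed maximum LUT shift-register depth, and `parallel_step` builds the w copies of hl and fl by raising every argument index by j, checked against w serial cycles:

```python
"""Added example (not the patent's code) for the area optimisation of claim 4
and the throughput optimisation of claim 5, on a 256-bit Fibonacci register
with one feedback at x_255 (the Espresso-L structure). The tap functions are
CONSTRUCTED stand-ins for the page's fl_255 and hl, which are only images."""
import random

N = 256

# Tap functions read bits through a getter b(k) = x_k, so the claim-5 copy
# "add j to every argument index" is just b -> (k -> b(k + j)).

def fl(b):      # constructed toy linear feedback for x_255 (assumption)
    return b(0) ^ b(37) ^ b(121) ^ b(200)

def hl(b):      # constructed toy output function (assumption)
    return b(80) ^ b(99) ^ b(137) ^ (b(243) & b(217)) ^ (b(255) & b(251))

def taps_used(fns):
    """Indices any of the functions reads, found by probing the getter."""
    used = set()
    for fn in fns:
        fn(lambda k: used.add(k) or 0)
    return used

# ---- claim 4: area optimisation by continuous segments ----

def continuous_segments(n, used):
    """Segments P(i, j): x_i and x_j may be referenced, but no bit strictly
    between them is an argument or result of any function. Sorted by the
    replaceable length j - i, largest first."""
    ends = sorted(set(used) | {0, n - 1})
    segs = [(i, j) for i, j in zip(ends, ends[1:]) if j - i > 1]
    return sorted(segs, key=lambda s: s[0] - s[1])

def lut_plan(segs, lut_depth=32):
    """Claim 4 step 2: (i, j, LUTs needed, FFs saved) per segment, saving at
    most j - i FFs. lut_depth is the longest chain one LUT can hold; 32 is
    an assumption matching SRL32-style primitives, use the target's value."""
    return [(i, j, -(-(j - i) // lut_depth), j - i) for i, j in segs]

# ---- claim 5: throughput optimisation by parallel width w ----

def serial_step(x, init):
    """Reference 1-bit/cycle update: x_i <- x_{i+1}, x_255 <- fl ^ (hl in INIT)."""
    z = hl(lambda k: x[k])
    return x[1:] + [fl(lambda k: x[k]) ^ (z if init else 0)], [z]

def parallel_step(x, w, init):
    """One clock of the w-wide device. Copies hl_j, fl_j (indices + j) are all
    evaluated on the OLD state; an index raised past 255 resolves to the
    feedback bit an earlier copy produced, which is what the chain would hold."""
    ext, zs = list(x), []
    for j in range(w):
        b = lambda k, j=j: ext[k + j]
        z = hl(b)
        zs.append(z)
        ext.append(fl(b) ^ (z if init else 0))
    return ext[w:], zs

def unrolled_matches_serial(w, trials=16, seed=7):
    """Check before trusting a width w: w serial cycles must equal one
    parallel cycle (state and keystream) in both INIT and WORK phases."""
    rng = random.Random(seed)
    for _ in range(trials):
        x0 = [rng.randrange(2) for _ in range(N)]
        for init in (True, False):
            xs, zs = list(x0), []
            for _ in range(w):
                xs, z = serial_step(xs, init)
                zs += z
            if (xs, zs) != parallel_step(x0, w, init):
                return False
    return True
```

Run `unrolled_matches_serial(w)` for the intended w before synthesizing a parallel datapath; with a single feedback at x_255 the index-shift copies agree with the serial reference for every w, because an index pushed past 255 is served by the feedback bit an earlier copy produced. For Espresso-F (second feedback at x_217) and the Galois Espresso (14 feedback points) the claim applies the same copy-and-shift rule; extend `serial_step` with those feedback positions and keep the same comparison, which is the check that tells you whether a chosen w is valid for that tap set. The FF count from `lut_plan` is the claim's upper bound ("at most j - i"), and the depth a single LUT can hold is a property of the target family, not of the cipher.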
CN202011420424.5A 2020-12-08 2020-12-08 Hardware implementation device and method for Espresso stream cipher and its variant Active CN112532377B (en)

Publications (2)

Publication Number Publication Date
CN112532377A CN112532377A (en) 2021-03-19
CN112532377B true CN112532377B (en) 2022-04-26

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant