CN114826562A - Data encryption method and device, electronic equipment and storage medium - Google Patents

Data encryption method and device, electronic equipment and storage medium Download PDF

Info

Publication number
CN114826562A
CN114826562A CN202210547596.1A CN202210547596A CN114826562A CN 114826562 A CN114826562 A CN 114826562A CN 202210547596 A CN202210547596 A CN 202210547596A CN 114826562 A CN114826562 A CN 114826562A
Authority
CN
China
Prior art keywords
data
encryption
encrypted
ciphertext
byte
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202210547596.1A
Other languages
Chinese (zh)
Inventor
华伟
孔令波
郇一恒
苏帆
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Beijing MinoSpace Technology Co Ltd
Anhui Minospace Technology Co Ltd
Beijing Guoyu Xingkong Technology Co Ltd
Hainan Minospace Technology Co Ltd
Shaanxi Guoyu Space Technology Co Ltd
Original Assignee
Beijing MinoSpace Technology Co Ltd
Anhui Minospace Technology Co Ltd
Beijing Guoyu Xingkong Technology Co Ltd
Hainan Minospace Technology Co Ltd
Shaanxi Guoyu Space Technology Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Beijing MinoSpace Technology Co Ltd, Anhui Minospace Technology Co Ltd, Beijing Guoyu Xingkong Technology Co Ltd, Hainan Minospace Technology Co Ltd, Shaanxi Guoyu Space Technology Co Ltd filed Critical Beijing MinoSpace Technology Co Ltd
Priority to CN202210547596.1A priority Critical patent/CN114826562A/en
Publication of CN114826562A publication Critical patent/CN114826562A/en
Pending legal-status Critical Current

Links

Images

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/06Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols the encryption apparatus using shift registers or memories for block-wise or stream coding, e.g. DES systems or RC4; Hash functions; Pseudorandom sequence generators
    • H04L9/0618Block ciphers, i.e. encrypting groups of characters of a plain text message using fixed encryption transformation
    • H04L9/0631Substitution permutation network [SPN], i.e. cipher composed of a number of stages or rounds each involving linear and nonlinear transformations, e.g. AES algorithms
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/04Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L63/0435Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload wherein the sending and receiving network entities apply symmetric encryption, i.e. same key used for encryption and decryption
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/06Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols the encryption apparatus using shift registers or memories for block-wise or stream coding, e.g. DES systems or RC4; Hash functions; Pseudorandom sequence generators
    • H04L9/0618Block ciphers, i.e. encrypting groups of characters of a plain text message using fixed encryption transformation
    • H04L9/0637Modes of operation, e.g. cipher block chaining [CBC], electronic codebook [ECB] or Galois/counter mode [GCM]

Abstract

The application provides a data encryption method, a data encryption device, electronic equipment and a storage medium, wherein an encryption mode of data to be encrypted is determined according to the byte number or encryption priority of the received data to be encrypted; if the encryption mode is determined to be the first encryption mode, generating and outputting first ciphertext data according to the acquired data to be encrypted and the acquired key data; and if the encryption mode is determined to be the second encryption mode, generating second ciphertext data according to the acquired operator data and the acquired key data, and generating and outputting third ciphertext data according to the second ciphertext data and the data to be encrypted so as to improve the efficiency and the compatibility of data encryption.

Description

Data encryption method and device, electronic equipment and storage medium
Technical Field
The present application relates to the field of data encryption technologies, and in particular, to a data encryption method and apparatus, an electronic device, and a storage medium.
Background
In the prior art, when an AES encryption algorithm is realized based on an FPGA, if an AES256-ECB encryption method is adopted, the realization difficulty is low, the stability is good, but the encryption efficiency is low; if the AES256-CTR encryption method is adopted, the CTR operator can be repeatedly used, the encryption efficiency is high, but the security is poor, and the requirements on the time sequence of the key, the CTR operator and the plaintext data stream are high. Especially, in the communication process of high-speed data, if the CTR operator is not well encrypted when the plaintext data stream arrives, the plaintext data stream needs to be blocked to wait for the CTR operator to complete encryption. The blocking of data encryption can cause a large amount of data caching requirements, so that the existing data encryption has low efficiency and low compatibility.
Disclosure of Invention
In view of the above, an object of the present application is to provide a data encryption method, apparatus, electronic device and storage medium, so as to improve efficiency and compatibility of data encryption.
In a first aspect, the present application provides a data encryption method, including: determining an encryption mode of the data to be encrypted according to the number of bytes of the received data to be encrypted or the encryption priority; if the encryption mode is determined to be the first encryption mode, generating and outputting first ciphertext data according to the acquired data to be encrypted and the acquired key data; and if the encryption mode is determined to be the second encryption mode, generating second ciphertext data according to the acquired operator data and the acquired key data, and generating and outputting third ciphertext data according to the second ciphertext data and the data to be encrypted.
Preferably, the step of determining the encryption mode of the data to be encrypted according to the number of bytes of the received data to be encrypted specifically includes: determining the size of the effective byte quantity and the preset byte quantity of the data to be encrypted; if the number of effective bytes of the data to be encrypted is less than the preset number of bytes, generating a first mode selection signal to indicate that the encryption mode is a first encryption mode; and if the number of the effective bytes of the data to be encrypted is greater than the preset number of bytes, generating a second mode selection signal to indicate that the encryption mode is the second encryption mode.
Preferably, the step of determining the encryption mode of the data to be encrypted according to the encryption priority of the received data to be encrypted specifically includes: determining the encryption priority of data to be encrypted and the size of a preset encryption priority; if the encryption priority of the data to be encrypted is smaller than the preset encryption priority, generating a second mode selection signal to indicate that the encryption mode is the second encryption mode; if the encryption priority of the data to be encrypted is greater than the preset encryption priority, a first mode selection signal is generated to indicate that the encryption mode is the first encryption mode.
Preferably, the first ciphertext data or the second ciphertext data is generated by: determining an initial value and initial input data corresponding to N, wherein the initial value of N is 0, and when N is 0, the input data corresponding to N is data to be encrypted or operator data; generating a first key matrix corresponding to N according to the key data, and calculating according to the first key matrix corresponding to N and initial input data to obtain output data, wherein N is N +1, and the output data is used as the current initial input data corresponding to N; determining whether the current N reaches a preset value; if not, skipping to the step of generating a first key matrix corresponding to the N according to the key data to continue execution; and if so, taking the current output data as the first ciphertext data or the second ciphertext data.
Preferably, the third ciphertext data is generated by: determining a second ciphertext matrix corresponding to each byte to be encrypted according to the second ciphertext data; for each byte of data to be encrypted, encrypting the byte according to the second ciphertext matrix corresponding to the byte to generate fourth ciphertext data corresponding to the byte; and taking the fourth ciphertext data corresponding to all bytes of the data to be encrypted as third ciphertext data.
Preferably, each byte of the data to be encrypted includes multi-bit first target data, the second ciphertext data includes multi-bit second target data, and for each byte of the data to be encrypted, fourth ciphertext data corresponding to the byte is generated in the following manner: and for each bit of first target data in the byte, carrying out exclusive OR on the first target data and second target data on the same bit in the second ciphertext data to generate fourth ciphertext data corresponding to the byte.
Preferably, the third ciphertext data is output by: and determining effective bytes of the data to be encrypted, and outputting data at a position corresponding to the effective bytes of the data to be encrypted in the third ciphertext data as third ciphertext data.
In a second aspect, the present application provides a data encryption apparatus, comprising:
the processing module is used for determining the encryption mode of the data to be encrypted according to the byte number or the encryption priority of the received data to be encrypted;
the first encryption module is used for generating and outputting first ciphertext data according to the acquired data to be encrypted and the acquired key data if the encryption mode is determined to be the first encryption mode;
and the second encryption module is used for generating second ciphertext data according to the acquired operator data and the key data and generating and outputting third ciphertext data according to the second ciphertext data and the data to be encrypted if the encryption mode is determined to be the second encryption mode.
In a third aspect, the present application further provides an electronic device, including: the electronic device comprises a processor, a memory and a bus, wherein the memory stores machine readable instructions executable by the processor, the processor and the memory are communicated through the bus when the electronic device runs, and the machine readable instructions are executed by the processor to execute the steps of the data encryption method.
In a fourth aspect, the present application also provides a computer-readable storage medium having stored thereon a computer program which, when executed by a processor, performs the steps of the data encryption method as described above.
According to the data encryption method, the data encryption device, the electronic equipment and the storage medium, the encryption mode of the data to be encrypted is determined according to the number of bytes or the encryption priority corresponding to the received data to be encrypted. And if the encryption mode is determined to be the first encryption mode, generating and outputting first ciphertext data according to the acquired data to be encrypted and the acquired key data. And if the encryption mode is determined to be the second encryption mode, generating second ciphertext data according to the acquired operator data and the acquired key data, and generating and outputting third ciphertext data according to the second ciphertext data and the data to be encrypted. Compared with the method using a single encryption form in the prior art, the method can use a more appropriate encryption mode for encryption in a targeted manner according to the attributes of different data to be encrypted, has better compatibility, shortens the encryption time, and has higher data encryption efficiency.
In order to make the aforementioned objects, features and advantages of the present application more comprehensible, preferred embodiments accompanied with figures are described in detail below.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present application, the drawings that are required to be used in the embodiments will be briefly described below, it should be understood that the following drawings only illustrate some embodiments of the present application and therefore should not be considered as limiting the scope, and for those skilled in the art, other related drawings can be obtained from the drawings without inventive effort.
Fig. 1 is a flowchart of an AES256 encryption algorithm provided in an embodiment of the present application;
FIG. 2 is a schematic diagram of an algorithm of an AES256-ECB encryption mode according to an embodiment of the present application;
FIG. 3 is a schematic diagram of an algorithm of an AES256-CTR encryption mode according to an embodiment of the present application;
fig. 4 is a flowchart of a data encryption method according to an embodiment of the present application;
FIG. 5 is a flowchart illustrating a process for determining an encryption mode according to an embodiment of the present application;
FIG. 6 is a flowchart of another step for determining an encryption mode according to an embodiment of the present application;
FIG. 7 is a block diagram of a dual-mode encryption algorithm module according to an embodiment of the present application;
fig. 8 is a schematic structural diagram of a data encryption apparatus according to an embodiment of the present application;
fig. 9 is a schematic structural diagram of an electronic device according to an embodiment of the present application.
Detailed Description
In order to make the objects, technical solutions and advantages of the embodiments of the present application clearer, the technical solutions in the embodiments of the present application will be clearly and completely described below with reference to the drawings in the embodiments of the present application, and it is obvious that the described embodiments are only a part of the embodiments of the present application, and not all the embodiments. The components of the embodiments of the present application, generally described and illustrated in the figures herein, can be arranged and designed in a wide variety of different configurations. Thus, the following detailed description of the embodiments of the present application, presented in the accompanying drawings, is not intended to limit the scope of the claimed application, but is merely representative of selected embodiments of the application. Every other embodiment that can be obtained by a person skilled in the art without making creative efforts based on the embodiments of the present application falls within the protection scope of the present application.
First, an application scenario to which the present application is applicable will be described. The method and the device can be applied to data encryption in the FPGA chip.
Advanced Encryption Standard (AES) is a symmetric Encryption algorithm, i.e., the Encryption key is consistent with the decryption key. The encryption key can be divided into three types of AES 128, AES 192 and AES256 according to the length of the encryption key. The data length of plaintext and ciphertext in an AES256 encryption type is 16 bytes, the key length of an AES256 encryption mode is 32 bytes (256bits), encryption circulation is carried out for 14 times, and the reliability of the ciphertext is highest.
The main flow of the AES256 encryption algorithm is shown in fig. 1. The main processes comprise key expansion, round key addition, S box transformation, row shift transformation, column confusion transformation and the like. The round key adding step is used for expanding a key K into 60 groups of round key matrixes W through a preset algorithm 0 ~W 59 Every four groups are used as a first key matrix for round key addition process of plaintext in one cycle. The plaintext P is the data to be encrypted, and the ciphertext C is the first encrypted data or the second encrypted data.
FIG. 2 is a schematic diagram of the algorithm of AES256-ECB encryption mode. FIG. 3 is a schematic diagram of the AES256-CTR encryption mode algorithm. The AES256-CTR is an application mode of AES256 encryption, and the precondition is that an AES-256 encryption algorithm process and a changed operator CTR are available. As shown in FIG. 3, the operation process of the AES256-CTR algorithm module is that the operator CTR is encrypted through the AES-256 algorithm, and then the plaintext P is directly subjected to XOR operation with the encrypted CTR value to obtain the ciphertext C. Therefore, the encryption object of AES256-CTR is a CTR operator, and the CTR operator is encrypted and then subjected to exclusive OR operation with plaintext to obtain ciphertext.
For the AES256-ECB mode, it is the basic process of AES256 encryption. The advantages are that: (1) the basic algorithm flow of the AES256 is realized in any mode, so that the ECB mode is the lowest difficulty in all AES256 encryption modes; (2) when the AES256-ECB encrypted data is decrypted, only one item of key is needed except the ciphertext, other variables which can cause decryption failure do not exist, and the stability is good. However, the AES256-ECB mode has a disadvantage that the plaintext must be 16 bits each time, and if the valid data of the plaintext is not 16 bits enough, the data of the plaintext needs to be completed first and then encrypted, which not only increases the workload, but also affects the encryption speed.
The significance of CTR mode design is as follows: (1) when the CTR operator is not changed in a period of time, and the numerical value of the encrypted CTR is not changed at the moment, the AES-256 encryption process does not need to be operated again, but the bitwise XOR operation is carried out on the plaintext data arriving each time and the encrypted CTR, so that the encryption efficiency is greatly improved; (2) under the condition that the CTR operator and the secret key are known on the ground, the value of the encrypted CTR can be calculated in advance, and the decryption operation can be completed by carrying out one-time synchronization or calculation after the data are received on the ground.
However, the mode disadvantages of CTR are also evident: (1) if the CTR operator has more changes, the AES256 algorithm still needs to be operated for many times, the encryption algorithm needs to be completed before the plaintext data is prepared, and certain requirements are imposed on the matching of the secret key, the CTR operator and the plaintext data stream; (2) if the CTR operator changes less times, the value of the XOR encryption CTR of the plaintext is kept unchanged within a period of time, and if the ciphertext has a certain rule, a part of data can be reversely cracked; (3) when the CTR algorithm is used, besides the key value, the CTR key value corresponding to each segment of data is known, and the source of the CTR operator and data downloading provide certain requirements. However, in the AES256-CTR mode, even if the valid data of the plaintext is less than 16 bits, the plaintext can be successfully decrypted by the decryption side, and the encryption process only needs one time of a synchronous clock.
Therefore, for data to be encrypted with different attributes, it is necessary to select an appropriate encryption mode to improve encryption efficiency, especially in communication of high-speed data.
Based on this, the embodiment of the application provides a data encryption method, a data encryption device, an electronic device and a storage medium.
Referring to fig. 4, fig. 4 is a flowchart of a data encryption method according to an embodiment of the present disclosure. As shown in fig. 4, a data encryption method provided in an embodiment of the present application includes:
s101, determining an encryption mode of the data to be encrypted according to the number of bytes of the received data to be encrypted or the encryption priority.
In one embodiment, as shown in fig. 5, a flowchart of the steps for determining the encryption mode is provided in the embodiments of the present application. The method for determining the encryption mode of the data to be encrypted according to the number of bytes of the received data to be encrypted specifically comprises the following steps:
s1010, determining the effective byte number and the preset byte number of the data to be encrypted.
S1030, if the number of valid bytes of the data to be encrypted is less than the preset number of bytes, generating a first mode selection signal to indicate that the encryption mode is the first encryption mode.
And S1050, if the number of the effective bytes of the data to be encrypted is greater than the preset number of bytes, generating a second mode selection signal to indicate that the encryption mode is the second encryption mode.
In this embodiment, the encryption mode may be determined according to the number of valid bytes of the received data to be encrypted. The preset number of bytes may be 15 bytes, and when the valid identifier of the received data to be encrypted (plaintext) indicates that the valid number of bytes of the data to be encrypted is 16 bytes, the AES256-ECB encryption mode (i.e., the second encryption mode) may be selected. At this time, 15 time intervals are needed to output the encryption result, the encryption result is not easy to be cracked by a third party, and the decryption party only needs to obtain the corresponding key data to decrypt the information of the data to be encrypted.
If the number of the received effective bytes of the data to be encrypted is only 8 bits due to data loss and the like, the data to be encrypted can be encrypted through an AES256-CTR encryption mode, and because the CTR operator is encrypted before the data to be encrypted arrives and can be directly used, the encryption result can be output only by a time interval of one synchronous clock.
In one embodiment, as shown in fig. 6, there is provided a flowchart of another step of determining an encryption mode according to an embodiment of the present application. The method for determining the encryption mode of the data to be encrypted according to the encryption priority of the received data to be encrypted specifically comprises the following steps:
s1020, determining the encryption priority of the data to be encrypted and the size of the preset encryption priority.
And S1040, if the encryption priority of the data to be encrypted is smaller than the preset encryption priority, generating a second mode selection signal to indicate that the encryption mode is the second encryption mode.
S1060, if the encryption priority of the data to be encrypted is greater than the preset encryption priority, generating a first mode selection signal to indicate that the encryption mode is the first encryption mode.
In this embodiment, an encryption priority may be set for each piece of data to be encrypted according to factors such as the importance of the piece of data to be encrypted, and a corresponding encryption priority identification mark may be generated on the piece of data to be encrypted. For example, if the data to be encrypted is important data and the requirement on the reliability of encryption is high, the encryption priority of the data to be encrypted may be the first priority. At this time, the preset encryption priority can be a second priority, and if the encryption priority of the data to be encrypted is smaller than the preset encryption priority, the data to be encrypted is encrypted by adopting an AES256-ECB encryption mode, so that the reliability of the encryption of the data to be encrypted is ensured.
Specifically, the encryption mode of the data to be encrypted can be judged together by combining the byte number and the encryption priority of the plasticizer to be encrypted, so that a proper encryption mode is selected for the data to be encrypted, the data encryption efficiency is further ensured, and the data encryption compatibility is improved.
The mode selection signal here is used to indicate the encryption mode of the data to be encrypted.
And S102, if the encryption mode is determined to be the first encryption mode, generating and outputting first ciphertext data according to the acquired data to be encrypted and the acquired key data.
The first encryption mode here may be an AES256-CTR encryption mode.
And S103, if the encryption mode is determined to be the second encryption mode, generating second ciphertext data according to the acquired operator data and the acquired key data, and generating and outputting third ciphertext data according to the second ciphertext data and the data to be encrypted.
The second encryption mode here may be an AES256-ECB encryption mode.
Compared with the method using a single encryption form in the prior art, the data encryption method provided by the embodiment of the application can be used for encrypting in a more appropriate encryption mode in a targeted manner according to the attributes of different data to be encrypted, the compatibility is better, the encryption time is shortened, and the data encryption efficiency is higher.
In the first encryption mode, first ciphertext data is generated according to data to be encrypted and key data, and in the second encryption mode, second ciphertext data is generated according to operator data and key data, and the encryption flow of AES256 shown in fig. 1 can be adopted. Specifically, in the FPGA, the implementation may be in a pipeline form.
In this embodiment, a pipelined encryption algorithm module is provided for implementing pipelined AES256 encryption. The pipeline encryption algorithm module can comprise a key expansion module and 15 circulation algorithm modules, which respectively correspond to 15 circulation in the encryption process.
In the pipeline encryption algorithm module, finite field addition and finite field multiplication can be realized in an FPGA (field programmable gate array) for a fundamental algorithm of a finite field. This is because finite field addition is essentially an exclusive-or process, and finite field multiplication is a shift and exclusive-or process with conditional judgment, which can be implemented for logic gate circuits of an FPGA. For S-box transforms, the essence is a byte operation. However, if a module with byte-form S-box transformation is designed, 16 times of S-box addressing sub-modules need to be called during each matrix transformation, which is disadvantageous to both algorithm design and FPGA internal register design. In addition, in the process of using the actual algorithm, the S-box transformation operates on a 4-word matrix, so that the FPGA designs the form of the S-box transformation into a 16-byte matrix. For row shift conversion, only the shift operation of data is carried out in the FPGA, and other algorithm supports are not needed. For column obfuscation transformation, finite field multiplication which is a conditional constraint can be realized by calling a module for finite field multiplication for multiple times. For round key addition, bitwise exclusive or operation of data is performed in the FPGA, and other algorithm support is not needed. The key expansion process and the AES-256 encryption process are realized by relying on the design of the sub-module algorithm, so that the whole algorithm flow is feasible in the FPGA.
Specifically, the first ciphertext data or the second ciphertext data is generated by:
and determining an initial value and initial input data corresponding to N, wherein the initial value of N is 0, and when N is 0, the input data corresponding to N is data to be encrypted or operator data. And generating a first key matrix corresponding to the N according to the key data, calculating according to the first key matrix corresponding to the N and the initial input data to obtain output data, wherein N is N +1, and combining the output data as the current initial input data corresponding to the N. And determining whether the current N reaches a preset value, if not, skipping to the step of generating a first key matrix corresponding to the N according to the key data to continue execution, and if so, taking the current output data as first ciphertext data or second ciphertext data.
It will be appreciated that the group round key matrix W is here first expanded 60 based on the current key data 0 ~W 59 Every fourth group acts as a first key matrix. Taking the second encryption mode as an example, the current data to be encrypted and W are first encrypted 0 ~W 4 And inputting the first round algorithm module, and performing round key addition calculation on the first round algorithm according to the input data to output first output data. Then the first output data is combined with W 5 ~W 8 And the second algorithm module is used for respectively carrying out S box transformation, row shift transformation, column confusion transformation and round key addition calculation according to the input data so as to output second output data. At this time, the first round robin algorithm module may output first output data corresponding to the next data to be encrypted according to the next data to be encrypted and the corresponding first key matrix. Therefore, the time interval output between the encryption result of the current data to be encrypted and the encryption result of the next data to be encrypted is only one synchronous clock.
Compared with the mode that the next data to be encrypted can be encrypted only after the current data to be encrypted is encrypted in the prior art, the pipeline encryption algorithm module is adopted, the shortest time interval output between the two data to be encrypted is only one synchronous clock, and the shortest time interval output between the two data to be encrypted in the prior art needs 15 synchronous clocks, so that the pipeline encryption algorithm module can be selected in the process of generating the first ciphertext data or the second ciphertext data, the data encryption efficiency is improved, the data blockage is avoided, and the data cache pressure is reduced.
In the embodiment of the application, in the AES256-CTR mode, the CTR operator and the key are input into the pipeline encryption algorithm module to obtain the encrypted CTR operator (i.e., the second ciphertext data), and then the second ciphertext data and the data to be encrypted are input into the xor calculation module, so that the final encryption result (i.e., the third ciphertext data) is output.
Specifically, the third ciphertext data is generated by:
and determining a second ciphertext matrix corresponding to each byte to be encrypted according to the second ciphertext data. And for each byte of the data to be encrypted, encrypting the byte according to the second ciphertext matrix corresponding to the byte to generate fourth ciphertext data corresponding to the byte. And taking the fourth ciphertext data corresponding to all bytes of the data to be encrypted as third ciphertext data.
The exclusive or here may be an exclusive or calculation of each byte of the second ciphertext data with a byte at a corresponding position in the second ciphertext matrix. Illustratively, the CTR operator data is 128 bits wide, can be equally divided into 16 bytes of data with 8 bits wide, and are independent of each other. In the data flow algorithm, after each CTR operator (operator data) is encrypted, 128-bit wide encrypted C _ CTR data (second encrypted data) is obtained, if the number of valid bytes of the data to be encrypted is 8 bytes, the second encrypted data is subjected to exclusive or operation with the plaintext 8-bit wide from the lower 8 bits, and an exclusive or object when the plaintext comes next time is intercepted from the upper bit by taking each 8-bit wide as a unit. Namely, the CTR is encrypted by an AES256 algorithm to obtain an encrypted C _ CTR operator, and the bit width is 128 bits. When P (0) [7:0] arrives, C _ CTR [7:0] is selected to be XOR'd with P (0) [7:0] and C (0) [7:0] is obtained, where 7:0 indicates 8 bits of data in the first byte of data. When a clock comes in the data stream, P (1) [7:0] selects C _ CTR [15:8] to carry out exclusive OR; next, P (2) [7:0] selects C _ CTR [23:16] for XOR; exclusive OR of P (3) [7:0] and C _ CTR [31:24 ]; exclusive OR of P (4) [7:0] with C _ CTR [39:32 ]; exclusive OR of P (5) [7:0] with C _ CTR [47:40 ]; exclusive OR of P (6) [7:0] with C _ CTR [55:48 ]; exclusive OR of P (7) [7:0] and C _ CTR [63:56 ]; p (8) [7:0] selects C _ CTR [71:64] to be subjected to exclusive OR; next, P (9) [7:0] selects C _ CTR [79:72] for XOR; exclusive OR of P (10) [7:0] and C _ CTR [87:80 ]; exclusive OR of P (11) [7:0] with C _ CTR [95:88 ]; exclusive OR of P (12) [7:0] with C _ CTR [103:96 ]; exclusive OR of P (13) [7:0] with C _ CTR [111:104 ]; exclusive OR of P (14) [7:0] with C _ CTR [119:112 ]; p (15) 7:0 is XORed with C _ CTR 127: 120. Each xor corresponds to an input data clock edge. Under the action of 16 times of 8-bit data input clocks, 128-bit width of the C _ CTR is fully utilized, and then the values of the next group of CTR and the C _ CTR need to be replaced.
According to the logic, the encryption operator C _ CTR obtained by the AES256 algorithm for each set of CTRs can correspond to 16 times of encryption operation for 8-bit wide data. In the data stream system, the updating frequency of the CTR operator is 1/16 of the input clock of the data stream by taking the input clock of the data stream as a reference. A counter is arranged in the FPGA for triggering, and when 16 times of data stream input clock counting is detected, the values of CTR and C _ CTR are updated, and the effect is equivalent to one time of clock triggering for an encryption algorithm of AES 256.
In the AES256-CTR mode, CTR is generally used as a self-increment operator, i.e., each CTR input is the last input plus 1. Therefore, the value of the encryption operator C _ CTR is updated after every 128-bit wide valid data (16 bytes) is passed, and the validity of encryption is ensured.
Specifically, each byte of the data to be encrypted includes multi-bit first target data, the second ciphertext data includes multi-bit second target data, and for each byte of the data to be encrypted, fourth ciphertext data corresponding to the byte is generated in the following manner:
and for each bit of first target data in the byte, carrying out exclusive OR on the first target data and second target data on the same bit in the second ciphertext data to generate fourth ciphertext data corresponding to the byte.
It is to be understood that, for 8-bit data in one byte in the data to be encrypted, the bit data at the corresponding position is exclusive-ored with 8-bit data in the corresponding byte of the second ciphertext data.
Specifically, in the embodiment of the present application, the third ciphertext data may be output in the following manner:
and determining effective bytes of the data to be encrypted, and outputting data at a position corresponding to the effective bytes of the data to be encrypted in the third ciphertext data as third ciphertext data.
In this step, if the valid byte of the data to be encrypted is 8 bits, the decryption side can complete decryption only according to the last 8 bytes of the third ciphertext data and the CTR operator data, and then only the last 8 bytes can be output to the decryption side, so that the resource consumption of the system is reduced.
In one embodiment, as shown in fig. 7, a block diagram of a dual-mode encryption algorithm module is provided for the embodiments of the present application. The dual-Mode encryption Module (AES 256Double Mode Module) is configured to determine an operating encryption Module according to the received encryption Mode selection signal, and encrypt the input data to be encrypted to output an encryption result. The CLK channel is used to receive the synchronous clock signal and the pText [127:0] channel is used to receive the data to be encrypted. Key [255:0] is used to receive Key data. The pText _ EN is used to receive a plaintext valid flag indicating the amount of valid data of the data to be processed. The CTR [127:0] channel is used to receive CTR operator data. The CTR _ EN is used for receiving the CTR operator valid identifier, the CTR operator valid identifier is used for indicating the valid data quantity of the CTR operator, the valid data of the CTR operator needs to be 126 bits, and otherwise, error reporting can be performed. The Mode channel is used for receiving an encryption Mode selection signal, and specifically, the two modes can be distinguished by high and low levels. The cText [127:0] channel is used to output either the first ciphertext data or the third ciphertext data. The cText _ EN is used for receiving the ciphertext valid identifier, and the ciphertext valid identifier is used for indicating the valid data quantity of ciphertext data or third ciphertext data.
Based on the same inventive concept, the embodiment of the present application further provides a data encryption device corresponding to the data encryption method, and as the principle of solving the problem of the device in the embodiment of the present application is similar to the data encryption method in the embodiment of the present application, the implementation of the device may refer to the implementation of the method, and repeated details are not repeated.
Referring to fig. 8, fig. 8 is a schematic structural diagram of a data encryption device according to an embodiment of the present disclosure. As shown in fig. 8, the data encryption apparatus 800 includes:
the processing module 810 is configured to determine an encryption mode of the data to be encrypted according to the number of bytes of the received data to be encrypted or the encryption priority;
a first encryption module 820, configured to generate and output first ciphertext data according to the acquired data to be encrypted and the key data if it is determined that the encryption mode is the first encryption mode;
and the second encryption module 830 is configured to generate second ciphertext data according to the obtained operator data and the key data if it is determined that the encryption mode is the second encryption mode, and generate and output third ciphertext data according to the second ciphertext data and the data to be encrypted.
In a preferred embodiment, the processing module 810 is specifically configured to determine the size of the valid byte number and the preset byte number of the data to be encrypted; if the number of effective bytes of the data to be encrypted is less than the preset number of bytes, generating a first mode selection signal to indicate that the encryption mode is a first encryption mode; and if the number of the effective bytes of the data to be encrypted is greater than the preset number of bytes, generating a second mode selection signal to indicate that the encryption mode is the second encryption mode.
In a preferred embodiment, the processing module 810 specifically determines the encryption priority of the data to be encrypted and the size of the preset encryption priority; if the encryption priority of the data to be encrypted is smaller than the preset encryption priority, generating a second mode selection signal to indicate that the encryption mode is a second encryption mode; and if the encryption priority of the data to be encrypted is greater than the preset encryption priority, generating a first mode selection signal to indicate that the encryption mode is the first encryption mode.
In a preferred embodiment, the first encryption module 820 or the second encryption module 830 is specifically configured to determine an initial value and initial input data corresponding to N, where the initial value of N is 0, and when N is 0, the input data corresponding to N is to-be-encrypted data or operator data; generating a first key matrix corresponding to N according to the key data, and calculating according to the first key matrix corresponding to N and initial input data to obtain output data, wherein N is N +1, and the output data is used as the current initial input data corresponding to N; determining whether the current N reaches a preset value; if not, skipping to the step of generating a first key matrix corresponding to the N according to the key data to continue execution; and if so, taking the current output data as the first ciphertext data or the second ciphertext data.
In a preferred embodiment, the second encryption module 830 is specifically configured to determine, according to the second ciphertext data, a second ciphertext matrix corresponding to each byte to be encrypted; for each byte of data to be encrypted, encrypting the byte according to the second ciphertext matrix corresponding to the byte to generate fourth ciphertext data corresponding to the byte; and taking the fourth ciphertext data corresponding to all bytes of the data to be encrypted as third ciphertext data.
In a preferred embodiment, the second encryption module 830 is specifically configured to enable each byte of the data to be encrypted to include multi-bit first target data, enable the second ciphertext data to include multi-bit second target data, and generate, for each byte of the data to be encrypted, fourth ciphertext data corresponding to the byte by: and for each bit of first target data in the byte, carrying out exclusive OR on the first target data and second target data on the same bit in the second ciphertext data to generate fourth ciphertext data corresponding to the byte.
In a preferred embodiment, the processing module 810 is specifically configured to determine valid bytes of the data to be encrypted, and output data at a position corresponding to the valid bytes of the data to be encrypted in the third ciphertext data as the third ciphertext data.
Referring to fig. 9, fig. 9 is a schematic structural diagram of an electronic device according to an embodiment of the present disclosure. As shown in fig. 9, the electronic device 900 includes a processor 910, a memory 920, and a bus 930.
The memory 920 stores machine-readable instructions executable by the processor 910, when the electronic device 900 runs, the processor 910 communicates with the memory 920 through the bus 930, and when the machine-readable instructions are executed by the processor 910, the steps of the data encryption method in the above method embodiment may be executed.
The embodiments of the present application further provide a computer-readable storage medium, where a computer program is stored on the computer-readable storage medium, and when the computer program is executed by a processor, the steps of the data encryption method in the foregoing method embodiments may be executed.
It can be clearly understood by those skilled in the art that, for convenience and simplicity of description, the specific working processes of the above-described systems, apparatuses and units may refer to the corresponding processes in the foregoing method embodiments, and are not described herein again.
In the several embodiments provided in the present application, it should be understood that the disclosed system, apparatus and method may be implemented in other ways. The above-described embodiments of the apparatus are merely illustrative, and for example, the division of the units is only one logical division, and there may be other divisions when actually implemented, and for example, a plurality of units or components may be combined or integrated into another system, or some features may be omitted, or not executed. In addition, the shown or discussed mutual coupling or direct coupling or communication connection may be an indirect coupling or communication connection of devices or units through some communication interfaces, and may be in an electrical, mechanical or other form.
The units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the units can be selected according to actual needs to achieve the purpose of the solution of the embodiment.
In addition, functional units in the embodiments of the present application may be integrated into one processing unit, or each unit may exist alone physically, or two or more units are integrated into one unit.
The functions, if implemented in the form of software functional units and sold or used as a stand-alone product, may be stored in a non-volatile computer-readable storage medium executable by a processor. Based on such understanding, the technical solution of the present application or portions thereof that substantially contribute to the prior art may be embodied in the form of a software product stored in a storage medium and including instructions for causing a computer device (which may be a personal computer, a server, or a network device) to execute all or part of the steps of the method according to the embodiments of the present application. And the aforementioned storage medium includes: various media capable of storing program codes, such as a usb disk, a removable hard disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk, or an optical disk.
Finally, it should be noted that: the above-mentioned embodiments are only specific embodiments of the present application, and are used for illustrating the technical solutions of the present application, but not limiting the same, and the scope of the present application is not limited thereto, and although the present application is described in detail with reference to the foregoing embodiments, those skilled in the art should understand that: any person skilled in the art can modify or easily conceive the technical solutions described in the foregoing embodiments or equivalent substitutes for some technical features within the technical scope disclosed in the present application; such modifications, changes or substitutions do not depart from the spirit and scope of the exemplary embodiments of the present application, and are intended to be covered by the scope of the present application. Therefore, the protection scope of the present application shall be subject to the protection scope of the claims.

Claims (10)

1. A method for data encryption, the method comprising:
determining an encryption mode of the data to be encrypted according to the number of bytes or the encryption priority corresponding to the received data to be encrypted;
if the encryption mode is determined to be the first encryption mode, generating and outputting first ciphertext data according to the acquired data to be encrypted and the acquired key data;
and if the encryption mode is determined to be the second encryption mode, generating second ciphertext data according to the acquired operator data and the acquired key data, and generating and outputting third ciphertext data according to the second ciphertext data and the data to be encrypted.
2. The method according to claim 1, wherein the step of determining the encryption mode of the data to be encrypted according to the number of bytes corresponding to the received data to be encrypted specifically includes:
determining the size of the effective byte quantity and the preset byte quantity of the data to be encrypted;
if the number of the effective bytes of the data to be encrypted is less than the preset number of bytes, generating a first mode selection signal to indicate that the encryption mode is a first encryption mode;
and if the number of the effective bytes of the data to be encrypted is greater than the preset number of bytes, generating a second mode selection signal to indicate that the encryption mode is the second encryption mode.
3. The method according to claim 1, wherein the step of determining the encryption mode of the data to be encrypted according to the encryption priority corresponding to the received data to be encrypted specifically comprises:
determining the encryption priority of the data to be encrypted and the size of a preset encryption priority;
if the encryption priority of the data to be encrypted is smaller than the preset encryption priority, generating a second mode selection signal to indicate that the encryption mode is a second encryption mode;
and if the encryption priority of the data to be encrypted is greater than the preset encryption priority, generating a first mode selection signal to indicate that the encryption mode is the first encryption mode.
4. The method according to any one of claims 1 to 3, wherein the first ciphertext data or the second ciphertext data is generated by:
determining an initial value and initial input data corresponding to N, wherein the initial value of N is 0, and when N is 0, the input data corresponding to N is the data to be encrypted or the operator data;
generating a first key matrix corresponding to N according to the key data, and calculating according to the first key matrix corresponding to N and the initial input data to obtain output data, wherein N is N +1, and the output data is used as the current initial input data corresponding to N;
determining whether the current N reaches a preset value;
if not, skipping to the step of generating a first key matrix corresponding to the N according to the key data to continue execution;
and if so, taking the current output data as the first ciphertext data or the second ciphertext data.
5. The method of claim 1, wherein the third ciphertext data is generated by:
determining a second ciphertext matrix corresponding to each byte to be encrypted according to the second ciphertext data;
for each byte of the data to be encrypted, encrypting the byte according to a second ciphertext matrix corresponding to the byte to generate fourth ciphertext data corresponding to the byte;
and taking the fourth ciphertext data corresponding to all bytes of the data to be encrypted as the third ciphertext data.
6. The method according to claim 5, wherein each byte of the data to be encrypted comprises a plurality of bits of first target data, the second ciphertext data comprises a plurality of bits of second target data, and for each byte of the data to be encrypted, fourth ciphertext data corresponding to the byte is generated by:
and for each bit of first target data in the byte, carrying out exclusive OR on the first target data and second target data on the same bit in the second ciphertext data to generate fourth ciphertext data corresponding to the byte.
7. The method according to claim 2, wherein the third ciphertext data is output by:
and determining the effective byte of the data to be encrypted, and outputting data at a position corresponding to the effective byte of the data to be encrypted in the third ciphertext data as the third ciphertext data.
8. An apparatus for encrypting data, the apparatus comprising:
the processing module is used for determining an encryption mode of the data to be encrypted according to the byte number or encryption priority of the received data to be encrypted;
the first encryption module is used for generating and outputting first ciphertext data according to the acquired data to be encrypted and the acquired key data if the encryption mode is determined to be the first encryption mode;
and the second encryption module is used for generating second ciphertext data according to the acquired operator data and the key data if the encryption mode is determined to be the second encryption mode, and generating and outputting third ciphertext data according to the second ciphertext data and the data to be encrypted.
9. An electronic device, comprising: a processor, a memory and a bus, the memory storing machine-readable instructions executable by the processor, the processor and the memory communicating via the bus when the electronic device is operating, the processor executing the machine-readable instructions to perform the steps of the data encryption method according to any one of claims 1 to 7.
10. A computer-readable storage medium, characterized in that a computer program is stored on the computer-readable storage medium, which computer program, when being executed by a processor, performs the steps of the data encryption method according to any one of claims 1 to 7.
CN202210547596.1A 2022-05-18 2022-05-18 Data encryption method and device, electronic equipment and storage medium Pending CN114826562A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210547596.1A CN114826562A (en) 2022-05-18 2022-05-18 Data encryption method and device, electronic equipment and storage medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202210547596.1A CN114826562A (en) 2022-05-18 2022-05-18 Data encryption method and device, electronic equipment and storage medium

Publications (1)

Publication Number Publication Date
CN114826562A true CN114826562A (en) 2022-07-29

Family

ID=82514846

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202210547596.1A Pending CN114826562A (en) 2022-05-18 2022-05-18 Data encryption method and device, electronic equipment and storage medium

Country Status (1)

Country Link
CN (1) CN114826562A (en)

Similar Documents

Publication Publication Date Title
JP5822970B2 (en) Encryption device for pseudo-random generation, data encryption, and message encryption hashing
ES2805125T3 (en) Flexible architecture and instructions for Advanced Encryption Standard (AES)
EP1440535B1 (en) Memory encrytion system and method
US8238557B2 (en) Method and apparatus for key expansion to encode data
ES2863676T3 (en) Encrypted message with authentication instruction
EP2196937A1 (en) Methods and devices for instruction level software encryption
US20130077790A1 (en) Encryption processing apparatus
US11258579B2 (en) Method and circuit for implementing a substitution table
US11695542B2 (en) Technology for generating a keystream while combatting side-channel attacks
EP3667647A1 (en) Encryption device, encryption method, decryption device, and decryption method
US9418245B2 (en) Encryption processing device, encryption processing method, and program
CN112054896B (en) White box encryption method, white box encryption device, terminal and storage medium
CN116488794B (en) Method and device for realizing high-speed SM4 password module based on FPGA
US9696965B2 (en) Input-dependent random number generation using memory arrays
US20220085974A1 (en) Method and circuit for performing a substitution operation
CN109804596B (en) Programmable block cipher with masked input
US8774402B2 (en) Encryption/decryption apparatus and method using AES rijndael algorithm
US11146387B1 (en) Random position cipher encryption using an aperiodic pseudo-random number generator
CN114826562A (en) Data encryption method and device, electronic equipment and storage medium
JP6631989B2 (en) Encryption device, control method, and program
KR20020087331A (en) AES Rijndael Encryption and Decryption Circuit with Subround-Level Pipeline Scheme
KR100494560B1 (en) Real time block data encryption/decryption processor using Rijndael block cipher and method therefor
Abbas et al. Dictionary Attack on TRUECRYPT with RIVYERA S3-5000
CN112487448B (en) Encryption information processing device, method and computer equipment
US9246681B2 (en) Use of 32-bit random numbers to produce cipher key stream for 8-bit data stream

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination