CN114969849A - Information security chip - Google Patents

Information security chip Download PDF

Info

Publication number
CN114969849A
CN114969849A CN202210597796.8A CN202210597796A CN114969849A CN 114969849 A CN114969849 A CN 114969849A CN 202210597796 A CN202210597796 A CN 202210597796A CN 114969849 A CN114969849 A CN 114969849A
Authority
CN
China
Prior art keywords
encryption
decryption
target
data stream
key
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202210597796.8A
Other languages
Chinese (zh)
Inventor
朱敏
范炯
孙进军
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Wuxi Muchuang Integrated Circuit Design Co ltd
Original Assignee
Wuxi Muchuang Integrated Circuit Design Co ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Wuxi Muchuang Integrated Circuit Design Co ltd filed Critical Wuxi Muchuang Integrated Circuit Design Co ltd
Priority to CN202210597796.8A priority Critical patent/CN114969849A/en
Publication of CN114969849A publication Critical patent/CN114969849A/en
Pending legal-status Critical Current

Links

Images

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/70Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer
    • G06F21/71Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer to assure secure computing or processing of information
    • G06F21/72Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer to assure secure computing or processing of information in cryptographic circuits
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F13/00Interconnection of, or transfer of information or other signals between, memories, input/output devices or central processing units
    • G06F13/14Handling requests for interconnection or transfer
    • G06F13/20Handling requests for interconnection or transfer for access to input/output bus
    • G06F13/28Handling requests for interconnection or transfer for access to input/output bus using burst mode transfer, e.g. direct memory access DMA, cycle steal
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60Protecting data
    • G06F21/602Providing cryptographic facilities or services

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Physics & Mathematics (AREA)
  • Computer Hardware Design (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Computer Security & Cryptography (AREA)
  • Software Systems (AREA)
  • General Health & Medical Sciences (AREA)
  • Bioethics (AREA)
  • Health & Medical Sciences (AREA)
  • Mathematical Physics (AREA)
  • Storage Device Security (AREA)

Abstract

The invention discloses an information security chip, relating to the technical field of encryption, wherein a processor sends an encryption and decryption request data packet carrying encryption and decryption configuration parameters including a target encryption and decryption computational core IP, a target function, a target working mode and additional parameters to a controller comprising a preprocessing unit and an encryption and decryption unit, the preprocessing unit reads an original data stream according to a data structure corresponding to the encryption and decryption configuration parameters and carries out preprocessing according to a data stream processing method corresponding to the encryption and decryption configuration parameters, the encryption and decryption unit enables the target encryption and decryption computational core IP in a plurality of built-in encryption and decryption computational core IPs according to the encryption and decryption configuration parameters and carries out target function by combining a secret key to complete data processing, the chip utilizes the cooperation of an encryption and decryption algorithm, the working mode and data stream processing, and the chip ensures that the hardware encryption chip has high speed, low cost and high speed, On the basis of the advantage of high security, overcome the defect that the decryption mode is single and the development degree of difficulty is big.

Description

Information security chip
Technical Field
The invention relates to the technical field of encryption, in particular to an information security chip.
Background
In 2020, the password law' original year, and under the promotion of new capital construction and information creation background, the password industry meets new development opportunities and faces new challenges. Currently, there are two main types of encryption methods: (1) and encrypting software, and realizing multi-call OpenSSL and GMssl. (2) Hardware encryption is generally implemented by using a special encryption chip. Software encryption is low in cost and easy to implement, but a storage scheme is low in efficiency and weak in safety. The hardware encryption chip has high speed and high safety, but has strong specificity, single encryption mode and higher difficulty in development and iterative update. Therefore, the traditional software encryption and hardware encryption have the advantages and the disadvantages, and along with the strong demand of various application scenes on high-performance encryption, the traditional software and hardware encryption methods are gradually difficult to meet the actual use demand.
Disclosure of Invention
The inventor provides an information security chip aiming at the problems and the technical requirements, and the technical scheme of the invention is as follows:
an information security chip, comprising: the encryption and decryption device comprises a processor, a controller, an input memory and an output memory, wherein the controller comprises a preprocessing unit and an encryption and decryption unit, the input memory and the output memory are first-in first-out memories, the preprocessing unit is connected with the output end of the input memory and the input end of the output memory, the processor is connected with the controller, the encryption and decryption unit comprises a plurality of encryption and decryption computing core IPs, different encryption and decryption computing core IPs adopt different encryption and decryption algorithms, and each encryption and decryption computing core IP has an encryption function and a decryption function;
the processor sends an encryption and decryption request data packet carrying encryption and decryption configuration parameters to the controller, wherein the encryption and decryption request data packet comprises a key field, an algorithm configuration parameter field, a mode configuration parameter field and an additional parameter field, the key field indicates a key, the algorithm configuration parameter field indicates a target encryption and decryption computational core IP and a target function thereof, the target function is an encryption function or a decryption function, the mode configuration parameter field indicates a target working mode used by an encryption and decryption algorithm, and the additional parameter field indicates an additional parameter;
the preprocessing unit reads an original data stream from the input memory according to a data structure corresponding to the encryption and decryption configuration parameters, processes the original data stream into a computation input data stream adapted to the encryption and decryption configuration parameters according to a data stream processing method corresponding to the encryption and decryption configuration parameters, and sends the computation input data stream to the encryption and decryption unit;
the encryption and decryption unit enables the target encryption and decryption computation core IP according to the encryption and decryption configuration parameters, invokes the target encryption and decryption computation core IP to execute a target function in combination with the secret key to complete encryption processing or decryption processing on the computation core input data stream to obtain a computation core output data stream, and sends the computation core output data stream to the preprocessing unit;
and the preprocessing unit processes the data stream output by the computation core into a processed data stream according to the data stream processing method corresponding to the encryption and decryption configuration parameters and writes the processed data stream into the output memory.
The method comprises the following steps that a preprocessing unit carries out end-sequence conversion on an original data stream according to a data stream processing method corresponding to an encryption and decryption configuration parameter, and/or carries out end-sequence conversion on a processed data stream according to a data stream processing method corresponding to an encryption and decryption configuration parameter, wherein the byte length of the data stream aimed at by the end-sequence conversion is related to a target encryption and decryption computing core IP and a target working mode.
The method comprises the following steps that the additional parameters further comprise an initialization vector, the target encryption and decryption computation core IP depends on the initialization vector in the target working mode, the preprocessing unit carries out end-sequence conversion on the initialization vector, the original data stream and intermediate parameters in the operation processing process of the initialization vector and the original data stream according to a data stream processing method corresponding to the encryption and decryption configuration parameters, and the byte length of the data stream for the end-sequence conversion is related to the target encryption and decryption computation core IP and the target working mode.
The further technical scheme is that the additional parameters also comprise the length of a data packet, and the data structure of the original data stream read by the preprocessing unit is related to the target encryption and decryption computational core IP, the target working mode and the length of the data packet.
The method comprises the following steps that a target encryption and decryption computation core IP also has a configurable key expansion function, encryption and decryption configuration parameters also comprise a target expansion mode indicated by an algorithm configuration parameter field, and the target expansion mode indicates to execute the key expansion function or skip the key expansion function; if the target expansion mode indicates to execute the key expansion function, the encryption and decryption unit calls a target encryption and decryption computing core IP to execute the key expansion function and the target function; if the target expansion mode indicates that the key expansion function is skipped, the encryption and decryption unit only calls the target encryption and decryption computing core IP to execute the target function.
The encryption and decryption unit also comprises an expanded key memory shared by a plurality of encryption and decryption computation cores IP, and when the target expansion mode indicates to execute the key expansion function:
after receiving the encryption and decryption request data packet and analyzing the encryption and decryption request data packet to obtain encryption and decryption configuration parameters, the encryption and decryption unit enables and calls a target encryption and decryption computing core IP to execute a key expansion function in combination with a key to obtain an expanded key, and the expanded key is stored in an expanded key storage;
and for each group of acquired input data streams of the computation cores, the encryption and decryption unit calls the target encryption and decryption computation core IP to execute the target function by using the expanded key in the expanded key storage to complete encryption processing or decryption processing on the input data streams of the computation cores.
If the key in the encryption and decryption request data packet received by the encryption and decryption unit is the same as the key in the last encryption and decryption request data packet received by the encryption and decryption unit, the encryption and decryption unit directly calls a target encryption and decryption computational core IP to execute a target function by using an expanded key in an expanded key storage to finish encryption processing or decryption processing on each group of acquired computational core input data streams, wherein the expanded key in the expanded key storage is obtained by the key in the last encryption and decryption request data packet;
if the key in the encryption and decryption request data packet received by the encryption and decryption unit is different from the key in the last encryption and decryption request data packet received by the encryption and decryption unit, the encryption and decryption unit enables and calls the target encryption and decryption computation core IP to perform the key expansion function in combination with the key to obtain an expanded key after receiving and analyzing the encryption and decryption request data packet to obtain encryption and decryption configuration parameters, updates the expanded key into an expanded key storage, calls the target encryption and decryption computation core IP to perform the target function by using the updated expanded key in the expanded key storage to complete encryption processing or decryption processing on each group of the obtained computation core input data streams.
The processor writes an original data stream into the input memory, and reads a processed data stream from the output memory;
or, the information security chip further comprises a DMA, the DMA reads the original data stream from the first preset address of the other device and writes the original data stream into the input memory, and the DMA outputs the processed data stream in the output memory and writes the processed data stream into the second preset address of the other device.
When the preprocessing unit detects that the input memory is in a non-empty state, the output memory is in a non-full state and the encryption and decryption unit is in an idle state, the preprocessing unit reads an original data stream from the input memory according to a data structure corresponding to the encryption and decryption configuration parameters; when all the encryption and decryption computation cores IP in the encryption and decryption unit are not enabled, the encryption and decryption unit is in an idle state.
The further technical scheme is that the preprocessing unit feeds back running state parameters to the processor, and the running state parameters indicate that the encryption and decryption unit is in an idle state or a working state; when the running state parameter received by the processor indicates that the encryption and decryption unit is in an idle state, sending a next encryption and decryption request data packet to the preprocessing unit and the encryption and decryption unit, and otherwise, waiting until the running state parameter indicates that the encryption and decryption unit is in the idle state;
when all the encryption and decryption computation cores IP in the encryption and decryption unit are not enabled, the encryption and decryption unit is in an idle state, otherwise, the encryption and decryption unit is in a working state.
The beneficial technical effects of the invention are as follows:
the application discloses an information security chip, which enables an encryption and decryption computation core IP and a working mode to be separately designed and developed through combination of a hardware architecture and a software method, and can be combined to form a plurality of different processing methods through cooperative work of an encryption and decryption algorithm, the working mode and data stream processing, so that multiple encryption and decryption algorithms and multiple working modes can be adapted, and the flexibility of the encryption and decryption functions of the information security chip is higher. And because the encryption and decryption computational core IP and the working mode can be designed and developed separately, the development difficulty can be greatly reduced, and the defects of single decryption mode and high development difficulty can be overcome on the basis of keeping the advantages of high speed and high safety of a hardware encryption chip.
The information security chip utilizes the preprocessing unit to perform adaptive data processing aiming at the working requirements of different encryption and decryption computing cores IP and working modes, so that the information security chip can accurately and normally work when realizing different encryption and decryption functions, and the data stability can be further ensured by matching with a double FIFO memory.
The information security chip optimizes the key expansion function, can meet the application requirements of different scenes through mode control, and can effectively reduce the key expansion times. And the area of a chip can be saved and the encryption and decryption performance can be improved by designing a plurality of encryption and decryption computing cores IP to share the KEY _ RAM.
Drawings
FIG. 1 is an architecture diagram of an information security chip, in one embodiment.
FIG. 2 is a schematic diagram of a workflow of an information security chip in one embodiment.
FIG. 3 is a flow diagram of information that may be processed by the preprocessing unit and the encryption/decryption unit in one embodiment.
FIG. 4 is a flow diagram illustrating the operation of implementing key expansion functionality in one embodiment.
Detailed Description
The following further describes the embodiments of the present invention with reference to the drawings.
The present application discloses an information security chip, please refer to fig. 1, the information security chip includes: the encryption and decryption device comprises a processor, a controller, an encryption and decryption unit, an input memory IFIFO and an output memory OFIFO, wherein the controller comprises a preprocessing unit and an encryption and decryption unit. The input memory IFIFO and the output memory OFIFO are both First-In First-Out memories (FIFOs). The preprocessing unit is connected to the output of the input memory IFIFO for reading data and to the input of the output memory IFIFO for writing data. The input memory IFIFO and the output memory OFIFO may typically use 128 bits of data bit width.
The preprocessing unit and the encryption and decryption unit can perform data interaction, the encryption and decryption unit comprises a plurality of encryption and decryption computing core IPs, different encryption and decryption computing core IPs adopt different encryption and decryption algorithms, and each encryption and decryption computing core IP has an encryption function and a decryption function. The encryption and decryption algorithms mainly comprise four types: the encryption and decryption algorithm can be international universal encryption and decryption algorithm, domestic universal encryption and decryption algorithm, and can also be self-developed encryption and decryption algorithm. Among them, the symmetric algorithms commonly include AES, SM1, SM4, SM7, and the compression algorithms commonly include SM3, SHA1, SHA256, SHA384, SHA512, and the HASH-SHA series compression algorithms, and so on. The stream key algorithm commonly includes ZUC (ZUC), and the public key algorithm commonly includes SM 2. The encryption and decryption unit of the information security chip of the present application may include the encryption and decryption computation cores IP of any of the above-mentioned multiple encryption and decryption algorithms, and the encryption and decryption computation cores IP included may belong to one or more types of encryption and decryption algorithms. For example, fig. 1 illustrates one possible example.
The processor is connected with the controller, completes encryption and decryption processing on data in the input memory IFIFO, and writes the data into the output memory IFO, and the processor can be realized by adopting CPUs of ARM series and RISCV series.
The data update in the input memory IFIFO and the output memory OFIFO has two ways:
(1) the original DATA stream DATA _ IN is written by the processor into the input memory IFIFO and the processed DATA stream DATA _ OUT is read by the processor from the output memory IFIFO. The processor is connected to the input of the input memory IFIFO and to the output of the output memory OFIFO as shown in fig. 1.
(2) In addition to the conventional processor Access mode, the present application may also be adapted to a DMA data transfer mode, and as shown in fig. 1, the information security chip further includes a DMA (Direct Memory Access). The user first configures the raw DATA stream DATA _ IN on the other device, such as the DDR, the processor initiates a DMA request, reads the raw DATA stream DATA _ IN from a first predetermined address of the other device and writes it into the input memory IFIFO, and outputs and writes the processed DATA stream DATA _ OUT IN the output memory IFIFO to a second predetermined address of the other device.
Under the condition of large-scale DATA volume, the DATA reading and writing speed of the DMA is higher than the speed of encryption and decryption processing, when the DMA detects that the input memory IFIFO is IN a full state, the writing of the original DATA stream DATA _ IN is suspended until the input memory IFIFIFO is IN a non-full state and space is available for continuously receiving DATA transmitted by the DMA, so that the DATA at the input end is ensured not to be lost. When the DMA detects that the output memory is in an empty state, the read-OUT of the processed DATA stream DATA _ OUT is suspended until the output memory is in a non-empty state, so that the DATA can be ensured not to be transmitted more.
No matter which of the above-mentioned methods is used to read and write data from the IFIFO and the OFIFO, the working process of the information security chip includes the following steps, please refer to the flowchart shown in fig. 2:
(1) the processor sends an encryption and decryption request data packet carrying encryption and decryption configuration parameters to the controller, the encryption and decryption request data packet is used for requesting encryption and decryption processing on data, the controller can obtain the encryption and decryption configuration parameters by analyzing the encryption and decryption request data packet, and therefore a preprocessing unit and an encryption and decryption unit in the controller can both obtain the encryption and decryption configuration parameters.
The encryption and decryption request data packet comprises a KEY field KEY, an algorithm configuration parameter field MODE, a MODE configuration parameter field ALG and an additional parameter field. Wherein:
the KEY field KEY indicates the KEY.
The algorithm configuration parameter field MODE indicates a target encryption and decryption computation core IP and a target function thereof, and the target encryption and decryption computation core IP is one of a plurality of decryption computation core IPs integrated in the information security chip and is a decryption computation core IP required to be used in the encryption and decryption processing. The target function is an encryption function or a decryption function, and indicates whether encryption processing or decryption processing is required at this time.
The mode configuration parameter field ALG indicates the target operating mode used by the encryption and decryption algorithm. In the application, the mode configuration parameter field ALG has at least two different field parameters to indicate different working modes, different working modes can be adopted to execute the encryption and decryption algorithm by adjusting the field parameters of the mode configuration parameter field ALG, and the target working mode is the working mode used by the encryption and decryption processing at this time and is one of multiple working modes supported by the information security chip. The target working mode is a general working mode or a self-defined working mode, the general working mode comprises ECB, CBC, CTR, CFB, OFB and XTS, and the self-defined working mode can be the working mode of various self-developed encryption and decryption algorithms of users.
The additional parameter field indicates an additional parameter. In particular, the additional parameters include an initialization vector IV, a packet length PKG _ LEN, and a START. The partial encryption and decryption computation core IP needs to use the initialization vector IV when operating in the partial operation mode, for example, AES needs to use the initialization vector IV in the CBC mode, but in some cases, the initialization vector IV is not needed, and at this time, the initialization vector IV may be set to a default value. The packet length PKG _ LEN indicates the length of the original DATA stream DATA _ IN for each encryption/decryption process, and is generally required to be used when the partial encryption/decryption core IP operates IN the partial operation mode, for example, the ZUC algorithm is required, but IN some cases, the packet length PKG _ LEN is not required, and may be set as a default value. START indicates that the operation is started, and the parameters are configured after the target encryption/decryption kernel IP, the target operating mode, PKG _ LEN, and the like are configured.
(2) The preprocessing unit reads an original DATA stream DATA _ IN from the input memory according to a DATA structure corresponding to the encryption and decryption configuration parameters, and processes the original DATA stream DATA _ IN into an arithmetic core input DATA stream ALG _ DATA _ IN which is adaptive to the encryption and decryption configuration parameters according to a DATA stream processing method corresponding to the encryption and decryption configuration parameters, and sends the arithmetic core input DATA stream ALG _ DATA _ IN to the encryption and decryption unit. Please refer to the information flow diagram shown in fig. 3.
The DATA structure of the original DATA stream DATA _ IN read by the preprocessing unit is related to the target encryption and decryption computation cores IP, the target working mode and the DATA packet length, and the DATA structure of the original DATA stream DATA _ IN corresponding to each combination of the target encryption and decryption computation cores IP, the target working mode and the DATA packet length is configured and set IN advance. The association of the DATA structure of the original DATA stream DATA _ IN with the three parameters also has different meanings for different types of encryption and decryption algorithms, IN particular: (a) for various encryption and decryption computation cores IP belonging to a symmetric algorithm, an original DATA stream DATA _ IN adopts a single-IN single-out DATA structure, and the bit number of a specific DATA stream is configured IN advance according to actual conditions. (b) For various encryption and decryption computing cores IP belonging to a compression algorithm, an original DATA stream DATA _ IN adopts a block-shaped DATA structure, namely the original DATA stream DATA _ IN comprises a plurality of DATA with a plurality of digits, parameters of the block-shaped DATA structure correspond to a target encryption and decryption computing core IP, the relevance between the parameters and a target working mode and the length of a DATA packet is low, and the block-shaped DATA structures corresponding to different encryption and decryption computing cores IP may be different. For example, the raw DATA streams DATA _ IN corresponding to SM3, SHA1, SHA256 include 4 pieces of 128-bit DATA, while the raw DATA streams DATA _ IN corresponding to SHA384 and SHA512 include 8 pieces of 128-bit DATA. (c) For various encryption and decryption algorithm IPs belonging to a public key algorithm, the DATA structure of the original DATA stream DATA _ IN corresponds to the target encryption and decryption algorithm IP and the target working mode, and the relevance with the DATA packet length is low. Taking the example of using SM2 as the destination encryption/decryption kernel IP as well, when the destination operating modes used are different, the DATA structure of the original DATA stream DATA _ IN will also be different. (d) For each type of encryption and decryption computation cores IP belonging to the stream key algorithm, similar to the symmetric algorithm, the original DATA stream DATA _ IN adopts a single-IN single-out DATA structure and the DATA structure of the original DATA stream DATA _ IN is indicated by the DATA packet length PKG _ LEN, that is, when it is determined that the target encryption and decryption computation cores IP belong to the stream key algorithm, the bits of the original DATA stream DATA _ IN are determined according to the DATA packet length regardless of the target operating mode. Taking ZUC as an example, the packet length PKG _ LEN indicates a DATA length of 128 bits, and the raw DATA stream DATA _ IN read by the preprocessing unit is a 128-bit DATA.
When the target encryption/decryption computing cores IP are different and/or the target operation mode adopted is different, the characteristics of the adapted DATA stream may be different, and the original DATA stream DATA _ IN directly read by the preprocessing unit may not meet the requirements. Therefore, the processing is performed according to the DATA stream processing method corresponding to the encryption/decryption configuration parameters, so that the original DATA stream DATA _ IN is processed into the arithmetic input DATA stream ALG _ DATA _ IN adapted to the encryption/decryption configuration parameters. IN practical applications, the original DATA stream DATA _ IN may not be suitable for the current encryption/decryption configuration parameters, and the processed input DATA stream ALG _ DATA _ IN is a different DATA stream from the original DATA stream DATA _ IN. Alternatively, the original DATA stream DATA _ IN may also be adapted to the current encryption/decryption configuration parameters, and this step is processed without performing an actual conversion process, and the resulting kernel input DATA stream ALG _ DATA _ IN may be the same DATA stream as the original DATA stream DATA _ IN.
IN one embodiment, the DATA stream processing method executed by the preprocessing unit on the original DATA stream DATA _ IN mainly includes performing endian conversion on the original DATA stream DATA _ IN, where the byte length of a DATA stream targeted by the endian conversion corresponds to the encryption/decryption configuration parameter, specifically to the target encryption/decryption computation core IP and the target operating mode, and the correspondence is configured IN advance according to the algorithm requirement. Common endian conversion targets data streams having Byte lengths including 32 bytes, 16 bytes, 8 bytes, and 4 bytes. For example, the information security chip is actually used to complete encryption processing on the DATA stream of M1M2M3M4, but the M1M2M3M4 is actually stored IN other devices according to M4M3M2M1, so that the DATA DMA-carried to the IFIFO is also M4M3M2M1, the original DATA stream DATA _ IN read from the IFIFO by the preprocessing unit is also M4M3M2M1, if the M4M3M2M1 is directly processed by the encryption and decryption unit, the actual requirement is not met, so that the obtained arithmetic core input DATA stream ALG _ DATA _ IN needs to be subjected to 4Byte conversion on the obtained M4M3M2M1 according to the DATA stream processing method corresponding to the encryption and decryption configuration parameters to obtain M1M2M3M4 as the arithmetic core input DATA stream ALG _ DATA _ IN, and the arithmetic core input DATA stream ALG _ DATA _ IN obtained at this time is adapted to the actual encryption and decryption configuration parameters.
Except for the most basic endian conversion, in some target working modes of a certain target encryption and decryption computing core IP, the initialization vector IV needs to be used for executing encryption and decryption processing, and the using process of the initialization vector IV in different scenes may be the same or different, for example, the AES algorithm is also used, the initialization vector IV needs to be used in both OFB mode and CFB mode, but the using process of the initialization vector IV is different. Therefore, when the target encryption and decryption computation core IP is determined to depend on the initialization vector IV IN the target working mode, the preprocessing unit carries out end-sequence conversion on the initialization vector IV, the original DATA stream DATA _ IN and intermediate parameters IN the operation processing process of the initialization vector IV and the original DATA stream DATA _ IN according to a DATA stream processing method corresponding to the encryption and decryption configuration parameters, the byte length of the DATA stream for which the end-sequence conversion is aimed is related to the target encryption and decryption computation core IP and the target working mode, and the corresponding relation is configured according to algorithm requirements IN advance. The specific operation processing process of the initialization vector IV and the original DATA stream DATA _ IN is determined by the algorithm principle of the target encryption and decryption computing core IP IN the target working mode, intermediate parameters IN the operation processing process of the initialization vector IV and the original DATA stream DATA _ IN have different actual meanings according to different algorithm principles, and specifically, the terminal sequence conversion needs to be performed on the intermediate parameters, and the pre-configuration can be performed according to the algorithm principle.
For example, in one example, it is assumed that the target encryption/decryption computation core IP employs the AES algorithm, and the target operation mode employs the XTS mode. The data flow in the IFIFO takes the form of small-end storage data, and the target encryption and decryption computing core IP executes the form of large-end storage data. Taking the example of encrypting the two 16Byte raw DATA streams DATA _ IN, the process is described as follows:
for a first original data stream: the preprocessing unit performs 16Byte end-to-end conversion on the initialization vector IV to obtain IV _ R, and inputs a target encryption and decryption computing core IP (namely, an AES computing core IP) to obtain T1. The preprocessing unit carries out 16-Byte endian conversion on the read original DATA stream DATA _ INP1 of the first 16-Byte to obtain P1_ R, and then carries out XOR on the P1_ R and the T1 to obtain PP1 which is used as a computing core input DATA stream ALG _ DATA _ IN to be sent to the encryption and decryption unit.
For the second raw data stream: according to the algorithm principle of the XTS mode of AES, the preprocessing unit needs to perform 16Byte end sequence conversion on an intermediate parameter T1 generated in the operation process of the algorithm to obtain C0_ R, and then perform Galois field multiplication 2 and other processing to obtain T2. The preprocessing unit performs 16Byte endian conversion on the read original DATA stream DATA _ INP2 of the second 16Byte to obtain P2_ R, and then performs XOR on P2_ R and T2 to obtain PP2 which is used as a check input DATA stream ALG _ DATA _ IN and sent to the encryption and decryption unit.
Therefore, IN order to adapt the endian of the original DATA stream DATA _ IN the IFIFO between the target encryption/decryption computing core IP and the endian requirement of the target working mode, the preprocessing unit repeatedly uses endian conversion to process the DATA stream according to the algorithm principle, so that the subsequent encryption/decryption processing can be successfully completed.
(3) The encryption and decryption unit enables the target encryption and decryption computation core IP according to the encryption and decryption configuration parameters, invokes the target encryption and decryption computation core IP to execute a target function IN combination with the key to complete encryption processing or decryption processing on the computation core input DATA stream ALG _ DATA _ IN, and obtains a computation core output DATA stream ALG _ DATA _ OUT and sends the computation core output DATA stream ALG _ DATA _ OUT to the preprocessing unit. IN general, the encryption/decryption unit may receive and parse the encryption/decryption request packet to obtain the encryption/decryption configuration parameters, i.e., the encryption/decryption computing core IP is capable of performing the processing on DATA _ IN synchronously with the preprocessing unit.
Therefore, the information security chip can realize different combination modes of the built-in encryption and decryption computation core IP and the working mode, and completes encryption processing or decryption processing of data. For example, in the XTS mode of the AES algorithm exemplified in step (2), when the preprocessing unit processes the first original data stream into PP1 as an input data stream of the core and sends the input data stream to the encryption/decryption unit, the encryption/decryption unit calls the AES core IP to encrypt PP1 to obtain CC1, and then performs xor on CC1 and T1 to obtain C1 as an output data stream of the core and returns the output data stream to the preprocessing unit.
(4) And the preprocessing unit processes the DATA stream ALG _ DATA _ OUT output by the arithmetic core into a processed DATA stream DATA _ OUT according to a DATA stream processing method corresponding to the encryption and decryption configuration parameters and writes the processed DATA stream DATA _ OUT into the output memory.
Similar to the processing of the original DATA stream DATA _ IN, since the characteristics of the adapted DATA stream may be different when the target encryption/decryption computing cores IP are different and/or the adopted target operating modes are different, and the directly obtained computing core output DATA stream ALG _ DATA _ OUT may not necessarily meet the DATA storage requirement of the OFIFO, it is necessary to process the computing core output DATA stream ALG _ DATA _ OUT into DATA that can be stored IN the OFIFO according to the DATA stream processing method corresponding to the encryption/decryption configuration parameters. In practical application, the core output DATA stream ALG _ DATA _ OUT cannot be directly stored in the OFIFO, and the processed DATA stream ALG _ DATA _ OUT is different from the core output DATA stream ALG _ DATA _ OUT. Alternatively, the core output DATA stream ALG _ DATA _ OUT may be directly stored in the OFIFO, and in this step, no actual conversion processing is performed during processing, and the obtained processed DATA stream DATA _ OUT and the core output DATA stream ALG _ DATA _ OUT are the same processing stream. Similarly, the DATA stream processing method executed by the preprocessing unit on the core output DATA stream ALG _ DATA _ OUT mainly includes performing endian conversion on the core output DATA stream ALG _ DATA _ OUT, where the byte length of a DATA stream targeted by the endian conversion is related to the target encryption/decryption core IP and the target working mode.
For example, corresponding to the above example, when the core input DATA stream ALG _ DATA _ IN of M1M2M3M4 is input to the encryption/decryption unit, and the encryption/decryption unit completes the encryption/decryption process to obtain the core output DATA stream ALG _ DATA _ OUT of C1C2C3C4, the end-sequence conversion of C1C2C3C 4by 4Byte is changed into the processed DATA stream DATA _ OUT of C4C3C2C1 and written into the output memory.
In one embodiment, the preprocessing unit receives the output DATA stream ALG _ DATA _ OUT of each of the cores and writes the output processed DATA stream DATA _ OUT into the OFIFO. Or in other embodiments, after receiving the output DATA streams ALG _ DATA _ OUT of the multiple cores through several clock cycles, the pre-processing unit combines the output DATA streams ALG _ DATA _ OUT as a processed DATA stream DATA _ OUT and writes the processed DATA stream DATA _ OUT into the offset. For example, taking the ZUC algorithm IN the above example as an example, the 128-bit original DATA stream DATA _ IN is read and converted into the 128-bit kernel input DATA stream ALG _ DATA _ IN, which is sent to the encryption and decryption unit. In each clock cycle, the encryption and decryption unit calls a target encryption and decryption arithmetic core IP corresponding to the ZUC algorithm to complete processing on 32-bit DATA streams in the arithmetic core IP to obtain 32-bit arithmetic core output DATA streams ALG _ DATA _ OUT, and sends the 32-bit arithmetic core output DATA streams ALG _ DATA _ OUT to the preprocessing unit, and the preprocessing unit combines and processes the 4 32-bit arithmetic core output DATA streams ALG _ DATA _ OUT into a piece of 128-bit processed DATA stream DATA _ OUT which is written into OFIFO. That is, each time the preprocessing unit reads a 128-bit DATA _ IN, it needs to wait four clock cycles before outputting a corresponding 128-bit DATA _ OUT.
After the preprocessing unit writes the processed DATA stream DATA _ OUT into the output memory OFIFO, the processing of one original DATA stream IFIFO is completed. In response to an encryption/decryption request packet sent by the processor, the preprocessing unit and the encryption/decryption unit may only need to process one original data stream or may need to process a plurality of original data streams, and if there are unprocessed original data streams, the preprocessing unit continues to read the next original data stream and repeats the above processing until the encryption/decryption request packet is completed.
Optionally, after the encryption and decryption unit enables the target encryption and decryption operator IP, a feedback signal in an operating state, such as busy =1, may be fed back to the preprocessing unit, and when the encryption and decryption unit does not enable any encryption and decryption operator IP, a feedback signal in an idle state, such as busy =0, may be fed back to the preprocessing unit. When the preprocessing unit detects that the input memory IFIFO is IN a non-empty state, the output memory IFIFO is IN a non-full state, and the encryption and decryption unit is IN an idle state, the preprocessing unit continues to read the original DATA stream DATA _ IN from the input memory according to the DATA structure corresponding to the encryption and decryption configuration parameters, that is, until the encryption and decryption unit completes processing the current core input DATA stream ALG _ DATA _ IN, the preprocessing unit continues to read the next original DATA stream DATA _ IN from the IFIFO for processing.
After the preprocessing unit and the encryption and decryption unit have completed the encryption and decryption tasks of one encryption and decryption request data packet, the processor can continue to send the next encryption and decryption request data packet. Optionally, the preprocessing unit may further feed back an operation status parameter to the processor, where the operation status parameter indicates that the encryption and decryption unit is in an idle state or a working state, for example, BUSY =1 indicates that the encryption and decryption unit is in the working state, and BUSY =0 indicates that the encryption and decryption unit is in the idle state, where the working state and the idle state of the encryption and decryption unit are defined as above. And if the running state parameter received by the processor indicates that the encryption and decryption unit is in an idle state, sending a next encryption and decryption request data packet to the preprocessing unit and the encryption and decryption unit, otherwise, waiting until the running state parameter indicates that the encryption and decryption unit is in an idle state, namely, after the current encryption and decryption request data packet is finished, continuing sending the next encryption and decryption request data packet.
In the information security chip of the application, the encryption and decryption core IP in the encryption and decryption unit has a key expansion function, for example, the core IP of a partial symmetric algorithm needs key expansion. The encryption and decryption computation cores IP with the key expansion function in the present application include two types: one class has configurable key expansion functionality and the other class has non-configurable key expansion functionality. The encryption and decryption computation core IP with the configurable key expansion function means that the key expansion function of the encryption and decryption computation core IP has corresponding function selection bits, the key expansion function can be configured and executed or the key expansion function is skipped, and the encryption and decryption computation core IP can be a self-research computation core or a general computation core with open function selection bits. The encryption and decryption computing core IP with the non-configurable key expansion function is that the encryption and decryption computing core IP can only execute the key expansion function in a default mode.
If the target encryption and decryption computing core IP has an unconfigurable key expansion function, the target encryption and decryption computing core IP must execute a key expansion function, and generally according to a conventional method, the key expansion function and the encryption function are executed simultaneously, each encryption can execute the key expansion and then execute round encryption, for example, if a three-round key needs to be expanded, a first round of key expansion is firstly performed, then a first round of key expansion and a second round of key expansion are executed simultaneously by using the first round of key, then a second round of key expansion and a third round of key expansion are executed simultaneously by using the second round of key, and finally a third round of key expansion is executed by using the third round of key.
If the target encryption and decryption computing core IP has a configurable key expansion function, the encryption and decryption unit may control whether the target encryption and decryption computing core IP executes the key expansion function according to the encryption and decryption configuration parameters, so in this embodiment, the encryption and decryption configuration parameters further include a target expansion MODE indicated by the algorithm configuration parameter field MODE, and the target expansion MODE indicates to execute the key expansion function or skip the key expansion function. If the target expansion mode indicates to execute the key expansion function, the encryption and decryption unit calls the target encryption and decryption computing core IP to execute the key expansion function and the target function, namely, the key expansion and encryption can be executed, or the key expansion and decryption can be executed. If the target expansion mode indicates that the key expansion function is skipped, the encryption and decryption unit only calls the target encryption and decryption computing core IP to execute the target function, namely only encryption or decryption is executed, and the key expansion is not executed.
For the encryption and decryption computation core IPs with the key expansion function, when the key expansion function is executed, the key expansion result may be externally read or may not be externally read, for example, for some directly purchased computation core IPs, the key expansion result may not be externally read. In consideration of actual use, the whole encryption and decryption request data packet is generally encrypted by a group of keys, so that the encryption and decryption computing core IP which can be read externally according to the key expansion result optimizes the key expansion method, the key expansion function is executed only once according to each encryption and decryption request data packet, the key expansion function and the encryption function are not executed simultaneously like the conventional method, and each encryption can execute the key expansion and then execute round encryption. Specifically, after the encryption and decryption unit receives and analyzes the encryption and decryption request data packet to obtain the encryption and decryption configuration parameters, if the target encryption and decryption computing core IP is determined to have the configurable key expansion function, the key expansion result can be read externally, and the target expansion mode indicates to execute the key expansion function, the target encryption and decryption computing core IP is enabled and called to combine with the key to execute the key expansion function to obtain an expanded key, and the expanded key is stored in an expanded key storage. Subsequently, for each group of acquired input DATA streams ALG _ DATA _ IN of the computation cores, the encryption and decryption unit calls the target encryption and decryption computation core IP to directly utilize the expanded key IN the expanded key storage to execute the target function to complete encryption processing or decryption processing on the input DATA streams ALG _ DATA _ IN of the computation cores without expanding the key. That is, for the encryption and decryption request data packet, the key expansion function is executed only when the target encryption and decryption computation core IP is called for the first time, and the expanded key is read directly in each round corresponding to the storage space during encryption without direct key expansion in each round, so that the times of key expansion are reduced.
In the above process, the expanded key storage may be a storage space corresponding to the inside of the core IP, that is, the encryption and decryption unit calls the target encryption and decryption core IP to obtain the expanded key and then stores the expanded key in the core IP for subsequent reading. Or further, in order to save the storage space, the encryption and decryption unit further includes an extended KEY storage KEY _ RAM shared by the multiple encryption and decryption computing cores IP, that is, the encryption and decryption unit calls the target encryption and decryption computing core IP to obtain an extended KEY and then stores the extended KEY in the KEY _ RAM shared by the computing core IP and other encryption and decryption computing cores IP, so that the multiple encryption and decryption algorithms can share the KEY _ RAM, and the chip area is saved.
Furthermore, after the current encryption and decryption request data packet is completed, the expansion KEY stored in the KEY _ RAM does not need to be emptied. If the KEY in the next encryption and decryption request data packet is the same as the KEY in the current encryption and decryption request data packet, the expanded KEY in the KEY _ RAM can be directly used. Specifically, referring to the flowchart shown IN fig. 4, on the basis of the foregoing embodiment, assuming that an extended KEY obtained from a KEY IN a previous encryption/decryption request DATA packet is already stored IN the KEY _ RAM, when the KEY IN the encryption/decryption request DATA packet received by the encryption/decryption unit is the same as the KEY IN the previous encryption/decryption request DATA packet received by the encryption/decryption unit, the encryption/decryption unit directly calls the target encryption/decryption computation core IP to perform the target function using the extended KEY IN the extended KEY storage to complete encryption processing or decryption processing on each obtained set of computation core input DATA streams ALG _ DATA _ IN, that is, the KEY extension function does not need to be performed when the target encryption/decryption computation core IP is called for the first time, and the extended KEY IN the KEY _ RAM is directly read and used. But when the encryption/decryption unit receives a different encryption/decryption request packet from the encryption/decryption unit that the encryption/decryption request packet received last, after the encryption and decryption unit receives the encryption and decryption request data packet and analyzes the encryption and decryption request data packet to obtain the encryption and decryption configuration parameters, the encryption and decryption unit needs to enable and call the target encryption and decryption computational core IP to execute the key expansion function in combination with the key to obtain an expanded key in the same way as the above process, and updating the expanded KEY into an expanded KEY memory KEY _ RAM, and calling the target encryption and decryption computation cores IP to execute a target function by using the updated expanded KEY IN the expanded KEY memory to finish encryption processing or decryption processing on each group of the obtained computation core input DATA streams ALG _ DATA _ IN, namely IN the situation, executing the KEY expansion function to obtain the expanded KEY for the current encryption and decryption request DATA packet when the target encryption and decryption computation cores IP is called for the first time.
What has been described above is only a preferred embodiment of the present application, and the present invention is not limited to the above embodiment. It is to be understood that other modifications and variations directly derivable or suggested by those skilled in the art without departing from the spirit and concept of the present invention are to be considered as included within the scope of the present invention.

Claims (10)

1. An information security chip, comprising: the encryption and decryption device comprises a processor, a controller, an input memory and an output memory, wherein the controller comprises a preprocessing unit and an encryption and decryption unit, the input memory and the output memory are first-in first-out memories, the preprocessing unit is connected with the output end of the input memory and the input end of the output memory, the processor is connected with the controller, the encryption and decryption unit comprises a plurality of encryption and decryption computing core IPs, different encryption and decryption computing core IPs adopt different encryption and decryption algorithms, and each encryption and decryption computing core IP has an encryption function and a decryption function;
the processor sends an encryption and decryption request data packet carrying encryption and decryption configuration parameters to the controller, wherein the encryption and decryption request data packet comprises a key field, an algorithm configuration parameter field, a mode configuration parameter field and an additional parameter field, the key field indicates a key, the algorithm configuration parameter field indicates a target encryption and decryption computational core IP and a target function thereof, the target function is an encryption function or a decryption function, the mode configuration parameter field indicates a target working mode used by an encryption and decryption algorithm, and the additional parameter field indicates an additional parameter;
the preprocessing unit reads an original data stream from the input memory according to a data structure corresponding to the encryption and decryption configuration parameters, processes the original data stream into a computation input data stream matched with the encryption and decryption configuration parameters according to a data stream processing method corresponding to the encryption and decryption configuration parameters, and sends the computation input data stream to the encryption and decryption unit;
the encryption and decryption unit enables a target encryption and decryption computation core IP according to the encryption and decryption configuration parameters, invokes the target encryption and decryption computation core IP to execute the target function in combination with the key to complete encryption processing or decryption processing on the computation core input data stream to obtain a computation core output data stream, and sends the computation core output data stream to the preprocessing unit;
and the preprocessing unit processes the data stream output by the computation core into a processed data stream according to the data stream processing method corresponding to the encryption and decryption configuration parameters and writes the processed data stream into the output memory.
2. The information security chip according to claim 1, wherein the preprocessing unit performs endian conversion on the original data stream according to the data stream processing method corresponding to the encryption/decryption configuration parameter, and/or performs endian conversion on the processed data stream according to the data stream processing method corresponding to the encryption/decryption configuration parameter, and a byte length of a data stream targeted by the endian conversion is related to the target encryption/decryption computing core IP and the target operating mode.
3. The information security chip according to claim 1, wherein the additional parameters further include an initialization vector, and the target encryption/decryption computing core IP depends on the initialization vector in the target operating mode, the preprocessing unit performs an endian conversion on the initialization vector, the original data stream, and an intermediate parameter in the computing process of the initialization vector, the original data stream, and the intermediate parameter according to a data stream processing method corresponding to the encryption/decryption configuration parameter, where a byte length of a data stream for the endian conversion is related to the target encryption/decryption computing core IP and the target operating mode.
4. The information security chip of claim 2, wherein the additional parameters further include a packet length, and the data structure of the original data stream read by the preprocessing unit is related to the target encryption/decryption computing core IP, the target operating mode and the packet length.
5. The information security chip according to claim 1, wherein the target encryption/decryption computing core IP further has a configurable key expansion function, the encryption/decryption configuration parameters further include a target expansion mode indicated by the algorithm configuration parameter field, and the target expansion mode indicates to perform the key expansion function or skip the key expansion function; if the target expansion mode indicates to execute the key expansion function, the encryption and decryption unit calls a target encryption and decryption computational core IP to execute the key expansion function and the target function; and if the target expansion mode indicates that the key expansion function is skipped, the encryption and decryption unit only calls the target encryption and decryption computational core IP to execute the target function.
6. The information security chip of claim 5, wherein the encryption/decryption unit further comprises an expanded key memory shared by a plurality of encryption/decryption computing cores IP, and when the target expansion mode indicates to perform the key expansion function:
after the encryption and decryption unit receives and analyzes an encryption and decryption request data packet to obtain encryption and decryption configuration parameters, the encryption and decryption unit enables and calls a target encryption and decryption computation core IP to execute a key expansion function in combination with the key to obtain an expanded key, and the expanded key is stored in the expanded key storage;
for each group of acquired input data streams of the computation cores, the encryption and decryption unit calls a target encryption and decryption computation core IP to execute the target function by using the expanded key in the expanded key storage to complete encryption processing or decryption processing on the input data streams of the computation cores.
7. The information security chip according to claim 6, wherein if the key in the encryption/decryption request data packet received by the encryption/decryption unit is the same as the key in the last encryption/decryption request data packet received, the encryption/decryption unit directly calls a target encryption/decryption computing core IP to perform the target function by using an expanded key in the expanded key storage to perform encryption processing or decryption processing on each set of the obtained computing core input data streams, and the expanded key in the expanded key storage is obtained from the key in the last encryption/decryption request data packet;
if the key in the encryption and decryption request data packet received by the encryption and decryption unit is different from the key in the last encryption and decryption request data packet received by the encryption and decryption unit, after the encryption and decryption request data packet is received and analyzed by the encryption and decryption unit to obtain the encryption and decryption configuration parameters, the encryption and decryption unit enables and calls the target encryption and decryption kernel IP to perform the key expansion function in combination with the key to obtain an expanded key, updates the expanded key into the expanded key storage, and calls the target encryption and decryption kernel IP to perform the target function by using the updated expanded key in the expanded key storage to complete encryption processing or decryption processing on each group of acquired kernel input data streams.
8. The information security chip of claim 1,
the processor writes an original data stream into the input memory, and reads a processed data stream from the output memory;
or, the information security chip further includes a DMA, the DMA reads an original data stream from a first predetermined address of another device and writes the original data stream into the input memory, and the DMA outputs a processed data stream in the output memory and writes the processed data stream into a second predetermined address of the another device.
9. The information security chip according to claim 1, wherein when the preprocessing unit detects that the input memory is in a non-empty state, the output memory is in a non-full state, and the encryption and decryption unit is in an idle state, the preprocessing unit reads an original data stream from the input memory according to a data structure corresponding to the encryption and decryption configuration parameter; when all the encryption and decryption computing cores IP in the encryption and decryption unit are not enabled, the encryption and decryption unit is in an idle state.
10. The information security chip of claim 1, wherein the preprocessing unit feeds back an operation status parameter to the processor, and the operation status parameter indicates that the encryption and decryption unit is in an idle state or a working state; when the running state parameters received by the processor indicate that the encryption and decryption unit is in an idle state, sending a next encryption and decryption request data packet to the preprocessing unit and the encryption and decryption unit, and otherwise, waiting until the running state parameters indicate that the encryption and decryption unit is in the idle state;
when all the encryption and decryption computation cores IP in the encryption and decryption unit are not enabled, the encryption and decryption unit is in an idle state, otherwise, the encryption and decryption unit is in a working state.
CN202210597796.8A 2022-05-30 2022-05-30 Information security chip Pending CN114969849A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210597796.8A CN114969849A (en) 2022-05-30 2022-05-30 Information security chip

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202210597796.8A CN114969849A (en) 2022-05-30 2022-05-30 Information security chip

Publications (1)

Publication Number Publication Date
CN114969849A true CN114969849A (en) 2022-08-30

Family

ID=82958519

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202210597796.8A Pending CN114969849A (en) 2022-05-30 2022-05-30 Information security chip

Country Status (1)

Country Link
CN (1) CN114969849A (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2024114264A1 (en) * 2022-11-28 2024-06-06 苏州元脑智能科技有限公司 Encryption and decryption architecture, method, processor, and server

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2024114264A1 (en) * 2022-11-28 2024-06-06 苏州元脑智能科技有限公司 Encryption and decryption architecture, method, processor, and server

Similar Documents

Publication Publication Date Title
US20200349866A1 (en) Lightweight cryptographic engine
JP4684550B2 (en) Cryptographic device that supports multiple modes of operation
US8020006B2 (en) Pipeline for high-throughput encrypt functions
US8355499B2 (en) Parallel encryption/decryption
JP3789454B2 (en) Stream processor with cryptographic coprocessor
AU2005332284B8 (en) Data-mover controller with plural registers for supporting ciphering operations
US6920562B1 (en) Tightly coupled software protocol decode with hardware data encryption
CN111193591B (en) Encryption and decryption method and system based on CPU+FPGA
US12010209B2 (en) Memory-efficient hardware cryptographic engine
TW200830327A (en) System and method for encrypting data
US20040250095A1 (en) Semiconductor device and method utilizing variable mode control with block ciphers
WO2024114264A1 (en) Encryption and decryption architecture, method, processor, and server
CN112152782A (en) Post-quantum public key signature operation for reconfigurable circuit devices
CN111492353A (en) Safe data transfer device, system and method
US9152589B2 (en) Memory data transfer method and system
US11301153B2 (en) High-throughput out-of-order cipher text stealing
CN114969849A (en) Information security chip
US8938072B2 (en) Cryptographic key derivation device and method therefor
US20210006391A1 (en) Data processing method, circuit, terminal device and storage medium
KR101126596B1 (en) Dual mode aes implementation to support single and multiple aes operations
CN110034918B (en) SM4 acceleration method and device
US11386029B2 (en) Direct memory access controller
US20240163077A1 (en) Apparatus for Cryptographic Operations on Information and Associated Methods
KR20030083100A (en) Block encrypting device for fast session switching and method of operating the same
WO2023185230A1 (en) Data processing method and apparatus

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination