CN116506106B - Configurable key SM4 encryption and decryption system based on FPGA - Google Patents
Configurable key SM4 encryption and decryption system based on FPGA Download PDFInfo
- Publication number
- CN116506106B CN116506106B CN202310235785.XA CN202310235785A CN116506106B CN 116506106 B CN116506106 B CN 116506106B CN 202310235785 A CN202310235785 A CN 202310235785A CN 116506106 B CN116506106 B CN 116506106B
- Authority
- CN
- China
- Prior art keywords
- module
- key
- encryption
- data
- decryption
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Active
Links
- 230000005540 biological transmission Effects 0.000 claims abstract description 54
- 238000013461 design Methods 0.000 claims abstract description 40
- 230000009466 transformation Effects 0.000 claims abstract description 24
- 238000004364 calculation method Methods 0.000 claims abstract description 11
- 238000004891 communication Methods 0.000 claims abstract description 8
- 238000012545 processing Methods 0.000 claims abstract description 8
- 238000006243 chemical reaction Methods 0.000 claims description 47
- 238000000034 method Methods 0.000 claims description 13
- 230000006870 function Effects 0.000 claims description 12
- 230000008569 process Effects 0.000 claims description 7
- 239000000284 extract Substances 0.000 claims description 3
- 230000003139 buffering effect Effects 0.000 claims description 2
- 238000000605 extraction Methods 0.000 claims description 2
- 230000008878 coupling Effects 0.000 abstract description 2
- 238000010168 coupling process Methods 0.000 abstract description 2
- 238000005859 coupling reaction Methods 0.000 abstract description 2
- 230000001133 acceleration Effects 0.000 description 3
- 230000004048 modification Effects 0.000 description 3
- 238000012986 modification Methods 0.000 description 3
- 238000003860 storage Methods 0.000 description 3
- 238000010009 beating Methods 0.000 description 2
- 238000011161 development Methods 0.000 description 2
- 239000000463 material Substances 0.000 description 2
- 238000012546 transfer Methods 0.000 description 2
- 238000013473 artificial intelligence Methods 0.000 description 1
- 230000007547 defect Effects 0.000 description 1
- 230000003111 delayed effect Effects 0.000 description 1
- 238000001514 detection method Methods 0.000 description 1
- 238000010586 diagram Methods 0.000 description 1
- 230000000694 effects Effects 0.000 description 1
- 230000003993 interaction Effects 0.000 description 1
- 230000007246 mechanism Effects 0.000 description 1
- 239000000203 mixture Substances 0.000 description 1
- 238000012858 packaging process Methods 0.000 description 1
- 239000000725 suspension Substances 0.000 description 1
- 230000001131 transforming effect Effects 0.000 description 1
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/06—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols the encryption apparatus using shift registers or memories for block-wise or stream coding, e.g. DES systems or RC4; Hash functions; Pseudorandom sequence generators
- H04L9/0618—Block ciphers, i.e. encrypting groups of characters of a plain text message using fixed encryption transformation
- H04L9/0631—Substitution permutation network [SPN], i.e. cipher composed of a number of stages or rounds each involving linear and nonlinear transformations, e.g. AES algorithms
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L2209/00—Additional information or applications relating to cryptographic mechanisms or cryptographic arrangements for secret or secure communication H04L9/00
- H04L2209/12—Details relating to cryptographic hardware or logic circuitry
- H04L2209/125—Parallelization or pipelining, e.g. for accelerating processing of cryptographic operations
-
- Y—GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
- Y02—TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
- Y02D—CLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT], I.E. INFORMATION AND COMMUNICATION TECHNOLOGIES AIMING AT THE REDUCTION OF THEIR OWN ENERGY USE
- Y02D30/00—Reducing energy consumption in communication networks
- Y02D30/50—Reducing energy consumption in communication networks in wire-line communication networks, e.g. low power modes or reduced link rate
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Storage Device Security (AREA)
Abstract
The invention relates to a configurable key SM4 encryption and decryption system based on an FPGA, and belongs to the technical field of computer system security protection. The system comprises an SM4 encryption and decryption algorithm realization module, a fixed and transformation key interface design module and a streaming data transmission architecture module. The SM4 encryption and decryption algorithm realization module is used for completing encryption and decryption under two modes of a fixed key and a transformation key. The fixed and transformed key interface design module is used for connecting the streaming data transmission architecture module and the SM4 encryption and decryption algorithm realization module, is responsible for starting/suspending data transmission, and analyzes the data stream according to the key mode, thereby driving the SM4 to work. The streaming data transmission architecture module is used for data communication between the upper computer and the FPGA. The system ensures the correctness of data transmission and processing, can quickly build an application scheme, easily complete a calculation task, fully utilize bandwidth, reduce system delay, reduce the coupling degree of a receiving and calculating part and ensure the independence of application.
Description
Technical Field
The invention relates to a configurable key SM4 encryption and decryption system based on an FPGA, and belongs to the technical field of computer hardware.
Background
With the rapid development of big data, artificial intelligence and 5G fields, security and reliability of communication, processing and storage of data are required to be higher and higher. Data encryption is a common means for guaranteeing information security, and traditional methods comprise software encryption or acceleration by using a GPU, however, the throughput rate is low, which becomes a bottleneck of data transmission. Under new application scenarios, such as network traffic, development of secure encryption machines is also required to have real-time encryption capabilities.
The cryptographic calculation amount of the SM4 cryptographic algorithm is large, and the application of the cryptographic algorithm in an actual scene is limited. When handling such computationally intensive tasks, a significant amount of CPU and memory resources are often consumed. Therefore, the SM4 encryption and decryption calculation task is transferred to the hardware accelerator, and the method becomes an effective solution.
The FPGA is realized by virtue of the parallelism and low latency of hardware, instructions are not needed during execution, memory sharing is not needed, the limitation of sequential execution is broken, and the efficiency and the performance are effectively improved. The SM4 algorithm structure can be fully combined with the characteristics of the FPGA device, and is optimized in a targeted manner. And the encryption process is isolated from an external computer, so that the data protection capability is high.
Disclosure of Invention
Aiming at the defects and shortcomings of the prior art, the invention provides a configurable key SM4 encryption and decryption system based on an FPGA, which aims to solve the technical problems that an SM4 encryption and decryption method is difficult to meet the requirements of high speed, low delay and large quantity in practical application, and seriously occupies computer resources, has high power consumption and is insufficient in flexibility.
In order to solve the technical problems, the invention is realized by adopting the following technical scheme.
A configurable key SM4 encryption and decryption system based on FPGA comprises an SM4 encryption and decryption algorithm realization module, a fixed and transformed key interface design module and a streaming data transmission architecture module.
And the SM4 encryption and decryption algorithm realization module is used for completing encryption and decryption under two modes of a fixed key and a transformation key. The part comprises a control module, a key expansion module, a key inversion module and an encryption module. The control module coordinates other modules according to the key mode and the encryption and decryption functions, and ensures the synchronization and correctness of data processing. The key expansion module realizes a key expansion algorithm to obtain an encryption round key. And the key inversion module performs reverse order transformation on the encryption round key to obtain the decryption round key. And the encryption module uses the generated round key to carry out encryption and decryption algorithm operation. In the fixed key mode, the control module only starts the encryption module; in the transform key mode, the control module starts all other modules. The key expansion module and the encryption module work in parallel to realize that each original text adopts different keys. By the key inversion module, the random switching between the encryption mode and the decryption mode is realized.
Preferably, the key expansion module and the encryption module both adopt pipeline structures, so that the encryption and decryption process is ensured to be continuous and uninterrupted, and each period can encrypt and decrypt one data.
The fixed and transformed key interface design module is used for connecting the streaming data transmission architecture module and the SM4 encryption and decryption algorithm realization module, is responsible for starting/suspending data transmission, and analyzes the data stream according to the key mode, thereby driving the SM4 to work.
Preferably, the fixed and transformation key interface design module starts/pauses data transmission according to the data stream signal in the stream data transmission architecture module, meanwhile, analyzes the data stream in a fixed or transformation key mode according to the control signal in the stream data transmission architecture module, extracts the key and the original text from the data stream, transmits the key and the original text to the SM4 along with the control signal, and repackages the SM4 calculation result into the data stream for transmission. The fixed key mode takes the data stream as original and uses encryption and decryption round keys stored in the FPGA LUT unit. The key mode is changed to take the data stream as a head+original text, wherein the head consists of encryption and decryption function bits, a key, an original text length and reserved bits, and information extraction is carried out according to a stipulated format.
The streaming data transmission architecture module is used for data communication between the upper computer and the FPGA. The data Stream may be transmitted using AXI Stream and the control signal may be transmitted using AXI Lite. The upper computer is composed of PCIE drivers and routine sequences. The PCIE driver may be an XDMA driver of Xilinx. The sending and receiving of data is realized by routine sequences and the modification of the SM4 function is realized. The FPGA end comprises a data receiving and transmitting module, a buffer memory module, a bit width conversion module and a control signal module.
Preferably, the data transceiver module may be implemented based on XDMA IP, and complete receiving and transmitting data packets and receiving control signals on PCIE links. The buffer module can buffer the data stream and convert the asynchronous clock domain based on the asynchronous FIFO, and the buffer module comprises an input buffer module and an output buffer module. The bit width conversion module is used for carrying out bit width conversion on the data stream and comprises an input bit width conversion module and an output bit width conversion module. The control signal module stores the destination address of the control signal into a corresponding register according to the destination address.
Advantageous effects
1. The SM4 encryption and decryption algorithm is realized based on an FPGA, a multi-stage pipeline structure is adopted, a plurality of modules work in parallel, the fixed transformation key mode and the encryption and decryption function can be switched at any time, each original text adopts different keys, the encryption and decryption process is continuous and uninterrupted, and each period can encrypt and decrypt one data. The time sequence is improved, and the device can be operated under a high-frequency clock to achieve extremely high throughput rate.
2. The invention relates to a design of a fixed and a transformation key interfaces, which respectively analyzes and encapsulates data streams aiming at two modes of a fixed key and a transformation key. The method establishes a general communication bridge between the streaming data transmission architecture and an acceleration target represented by the SM4 encryption and decryption algorithm, provides a mechanism for starting and suspending transmission, creatively defines a data stream format, and ensures the correctness of data transmission and processing.
3. The streaming data transmission architecture realizes data communication between the upper computer and the FPGA. The PCIE and FPGA data interaction acceleration architecture scheme is universal and efficient, an application scheme can be quickly built, and computing tasks can be easily completed. And an AXI Stream high-speed Stream data transmission protocol is adopted, so that the DDR storage process is avoided, the bandwidth is fully utilized, and the system delay is reduced. Data buffering, time sequence and bit width conversion are introduced in the transmission process, so that the coupling degree of a receiving and calculating part can be reduced, and the application independence is ensured.
Drawings
FIG. 1 is a schematic view of the overall structure of the present invention;
fig. 2 is a schematic diagram of a fixed and variable key interface design in accordance with the present invention.
Detailed Description
The technical scheme of the present invention will be clearly and completely described in the following with reference to the accompanying drawings and examples. It will be apparent that the described embodiments are only some, but not all, embodiments of the invention. All other embodiments, which can be made by those skilled in the art based on the embodiments of the invention without making any inventive effort, are intended to be within the scope of the invention.
As shown in FIG. 1, the FPGA-based configurable key SM4 encryption and decryption system comprises an SM4 encryption and decryption algorithm realization module, a fixed and transformation key interface design module and a streaming data transmission architecture module.
The SM4 encryption and decryption algorithm realization module comprises a control module, a key expansion module, a key inversion module and an encryption module.
The fixed and transformed key interface design module is connected with the streaming data transmission architecture module and the SM4 encryption and decryption algorithm implementation module, is responsible for starting/suspending data transmission, and analyzes the data stream according to the key mode so as to drive the SM4 to work. The streaming data transmission architecture module realizes data communication between the upper computer and the FPGA. The upper computer is composed of PCIE drivers and routine sequences. PCIE drivers are Xilinx official XDMA drivers. The sending and receiving of data is realized by routine sequences and the modification of the SM4 function is realized. The FPGA comprises a data receiving and transmitting module, a buffer memory module, a bit width conversion module and a control signal module.
As an implementation mode of the invention, the SM4 encryption and decryption algorithm module is realized based on an FPGA and comprises a control module, a key expansion module, a round key inversion module and an encryption module, so that encryption and decryption functions under two modes of fixed keys and conversion keys are realized. The control module is connected with the design of the fixed and the transformation key interfaces, is responsible for receiving keys and texts and outputting calculation results, and coordinates the work of other modules according to the requirements of the design of the fixed and the transformation key interfaces. The fixed key mode only focuses on the control module and the encryption module, and the control module directly inputs the fixed parameter encryption and decryption round keys to the encryption module, so that encryption and decryption operations of the original text are performed. The key conversion mode requires the control module to transmit the key to the key expansion module to obtain the encryption round key, and then transmit the encryption round key to the encryption module for plaintext encryption. If the decryption operation is performed, the encryption round key generated by the key expansion module is required to be input into the key inversion module for temporary storage and reverse order conversion, so that the decryption round key is obtained, and then the decryption round key is transmitted to the encryption module for decryption. And finally, returning the calculation result of the encryption module to the control module. The operation steps in each module conform to the SM4 algorithm flow, and the operations comprise exclusive OR, shift and replacement. Specifically, the key expansion module and the encryption module both adopt a 32-stage pipeline architecture, and under the condition that the pipeline is not broken, each period can encrypt and decrypt a 128-bit original document. The encryption waiting period is 34, and the decryption waiting period is 67.
As one implementation mode of the invention, the fixed and transformation key interface design module starts and pauses data transmission according to the data Stream signals in the Stream data transmission architecture, meanwhile, analyzes the data Stream transmitted on the AXI Stream bus in a fixed or transformation key mode according to the control signals in the Stream data transmission architecture module, extracts keys and original text from the data Stream, transmits the keys and the original text to the SM4 along with the control signals, and repackages the SM4 calculation result into an AXI Stream format for return transmission. Specifically, the interface design determines whether to receive data according to the data valid signal of the input bit width conversion module and the overflow signal of the output buffer module. If the data is ready and the output does not result in overflow, data transfer is started and format parsing is performed. The fixed key mode takes the stream data as original and uses encryption and decryption round keys stored in the FPGA LUT unit. The transform key mode treats the data stream as a header + original composition. The header size is 64 bytes, i.e., 512 bits, which corresponds to the data bit width of the data transceiver module. Wherein the 0 th bit of the first 128 bits indicates whether the mode bit encrypts 0 or decrypts 1, and the rest is reserved bits. The second 128 bits are also reserved bits, the third 128bit key, and the fourth 128bit is the length of the subsequent text in bytes. The header needs to extract information according to a contracted format, specifically, a counter is used to determine which part of the header the currently read 128-bit data is, and the data is transferred to the SM4 corresponding parameter.
As one implementation mode of the invention, the streaming data transmission architecture module is used for realizing data communication between the upper computer and the FPGA. The upper computer is connected with the FPGA through a PCIE bus. The upper computer is composed of PCIE drivers and routine sequences. PCIE drivers are Xilinx official XDMA drivers. The method is realized by a C language through routine sequences, and the PCIE driver is read and written to realize the sending and receiving of data and the changing of SM4 functions. The FPGA end is realized as the main content of a transmission architecture and comprises a data receiving and transmitting module, a cache module, a bit width conversion module and a control signal module. The data receiving and transmitting module is realized based on XDMA IP, and completes the receiving and transmitting of the data packet and the receiving of the control signal on the PCIE link, wherein the data frequency is 250 Mhz, the data Stream is transmitted through an AXI Stream bus, the data width is 512 bits, the control signal is transmitted in an AXI Lite protocol format, and the data width is 1 bit. The data transceiver module provides at most 4 read channels and 4 write channels on the data stream interface, and each pair of read and write channels can be established and connected with all other modules to realize 4 transmission loops. Fig. 1 shows only one example of a transmission loop. Correspondingly, the upper computer can select different read-write channels to transmit data to corresponding loops, and the transmission content and the speed of each loop are not affected. The buffer module is based on asynchronous FIFO realization, can buffer the data stream from the data receiving and transmitting module and the bit width conversion module, and provides buffer overflow signals to the fixed and conversion key interface design module. And meanwhile, asynchronous clock domain conversion is carried out between the data receiving and transmitting module and SM4 encryption and decryption algorithm realization, so that SM4 can work at any frequency, for example 300 Mhz. The bit width conversion module is used for carrying out bit width conversion on the data stream, and ensures that the transceiving data width of the fixed and conversion key interface design module is 128 bits. The control signal module receives all control signals and distributes the control signals as AXI Interconnect IP. And according to the destination address of the control signal, the control signal carried in the AXI Lite is respectively stored in a corresponding register, and then is provided for the fixed and conversion key interface design module.
The connection relation between the modules is as follows:
the streaming data transmission architecture module transmits data to the fixed and conversion key interface design module, and the fixed and conversion key interface design module transmits the data to the SM4 encryption and decryption algorithm implementation module for processing and generating a result. The SM4 encryption and decryption algorithm realization module transmits the result to the fixed and transformation key interface design module, and the fixed and transformation key interface design module transmits the result to the streaming data transmission architecture module.
The output end of the upper computer module is connected with the PCIE input end of the data receiving and transmitting module, and the input end of the upper computer is connected with the PCIE output end of the data receiving and transmitting module. And the AXI Lite output end of the data receiving and transmitting module is connected with the input end of the control signal module. The output end of the control signal module is connected with the AXI Lite input end of the fixed and conversion key interface design module (interface design). And the AXI Stream output end of the data receiving and transmitting module is connected with the input end of the input buffer module. The output end of the input buffer module is connected with the input end of the input bit width conversion module. And the output end of the input bit width conversion module is connected with the AXI Stream input end of the fixed and conversion key interface design module. The fixed and transformed key interface design module communicates data to the control module, which communicates data to the key expansion module and the encryption module. The key expansion module communicates data to the key inversion module and the encryption module. The key inversion module transfers data to the encryption module. The encryption module processes and generates a result, the result is transmitted to the control module, and the control module transmits the result to the fixed and transformation key interface design module. And the AXI Stream output end of the fixed and transformation key interface design module is connected to the input end of the output bit width conversion module. The output end of the output bit width conversion module is connected to the input end of the output buffer module. And the output end of the output buffer module is connected to the AXI Stream input end of the data receiving and transmitting module.
The implementation process of the system comprises the following steps:
step 1: and inserting the FPGA card into a PCIE slot of the upper computer.
Step 2: the XDMA driver is compiled and loaded on the upper computer.
Step 3: and in the upper computer operation routine sequence, 4 sending threads are created to continuously send data, and 4 receiving threads are created to continuously receive SM4 encryption and decryption results.
Step 3.1: before sending data, the upper computer needs to specify the key mode and encryption and decryption functions sent at this time, specifically, write a command to a driving device file corresponding to the XDMA, where the command is implemented by distinguishing different SMs 4 through different target addresses, and different modes and functions.
Step 3.2: each sending thread opens an XDMA drive device file, i.e. a write channel, belonging to itself to write data.
The data can be transmitted to the FPGA only by writing the data in the correct format into the writing channel and waiting for the completion of the function execution.
Step 3.3: the receiving threads need to start before the sending thread, and each receiving thread opens an XDMA drive device file, i.e. a read channel, belonging to itself for reading data. The data can be read back from the FPGA only by reading the data with correct size from the read channel and waiting for the completion of the function execution.
Step 4: the FPGA end receives data sent by the upper computer through the data receiving and transmitting module and sends the data to the input buffer module. Meanwhile, the data receiving and transmitting module receives and outputs the result of the buffer module and returns the result to the upper computer.
The data receiving and transmitting module is based on an XDMA IP module, the data frequency is 250 Mhz, wherein the data Stream is transmitted through an AXI Stream bus, the data width is 512 bits, the control signal is transmitted in an AXI Lite protocol format, and the data width is 1 bit. And the data transceiver module is provided with 4 read channels and 4 write channels, which correspond to the read-write channels of the upper computer respectively. Each pair of read-write interfaces can create and connect all other modules so that a maximum of 4 transmission loops can be implemented. Fig. 1 shows only one example of a transmission loop.
Step 5: the buffer module is realized based on AXI4-Stream Data FIFO IP, and can set the data width and depth of the FIFO to 512bit and 2048 bit respectively. The clock frequency at the left end of the buffer memory module is set to be 250 Mhz, and the clock frequency is consistent with the data transceiver module. The right hand clock frequency is 300 Mhz, which is determined by the operating frequency of SM4 as with the other modules. The output buffer module is provided with an overflow detection signal, and the signal is pulled up when the data quantity of the buffer area exceeds 2000. The input buffer module receives the data stream transmitted by the data receiving and transmitting module and transmits the data stream to the input bit width conversion module. The output buffer module receives the data stream transmitted by the output bit width conversion module and transmits the data stream to the data receiving and transmitting module.
Step 6: the input bit width conversion module and the output bit width conversion module are realized based on AXI4-Stream Data Width Converter IP, and can set the data width of input and output, namely 512 bits on the left, keep consistency with the data transceiver module, 128 bits on the right, and keep consistency with the interface design. The input bit width conversion module receives the data stream transmitted by the input buffer module and transmits the data stream to the interface design. The output bit width conversion module receives the data stream transmitted by the interface design and transmits the data stream to the output buffer module.
Step 7: the interface design receives the data stream transmitted by the input bit width conversion module, starts and pauses data transmission according to the data stream signal, transmits the parsed data to the SM4, receives the calculation result of the SM4, and transmits the calculation result to the output bit width conversion module.
Preferably, the internal implementation of the interface design is as shown in fig. 2, and is specifically as follows:
first, transmission start and suspension are judged. And determining whether the SM4 receives data according to the data valid signal s_axis_tvalid provided by the input bit width conversion module and the overflow signal prog_full of the output buffer module. If the data is ready and the output does not overflow, it is judged whether the signal s_axis_process ready for reception by SM4 is 1, if it is 0, setting to 1 indicates that data transmission is started, and if it is 1, the transmitted data s_axis_tdata needs to be subjected to subsequent processing.
Step 7.2: and carrying out corresponding format analysis according to the key mode mk_mode provided by the control signal module. In the FIXED key mode, the parameter enable_fixed_rk of the SM4 module is directly set to 1, which means that the FIXED key encryption and decryption are adopted, and meanwhile, the values of the parameters fixed_rk_en and fixed_rk_de are the corresponding encrypted and decrypted round keys. And the encryption and decryption signal en_de_mode provided by the control signal module is input to the SM4 for encryption or decryption operation. The data s_axis_tdata transmitted from the input bit width conversion module is directly assigned to the original input ud_rdata of SM4, and the data valid signal ud_ rde is set to 1. In the transform key mode, if count is 0, which means that this is the first 128 bits of data, then bit 0 is taken as the value of en_de_mode, while count is incremented by 1. If count is 1, it is indicated as padding data, count is incremented by 1. If count is 2, the data is a key, s_axis_tdata is assigned to mk_i, meanwhile, a key valid signal mk_valid_i is set to 1, and finally count is added with 1. If count is 3, indicating that the data indicates the length of the original text which needs to be encrypted and decrypted subsequently, s_axis_tdata is assigned to max_cnt, and count is increased by 1. The other value of count then directly assigns s_axis_tdata to the input ud_rdata of SM4, setting the data valid signal ud_ rde to 1, count plus 1. At the same time, the count is compared with max_cnt, and if the data stream is processed at this time, the count is set to 0.
Step 7.3: in the packaging process, the encryption and decryption result result_out and the result valid signal ready_out output by the SM4 are directly assigned to m_axis_tdata and m_axis_tvalid in the AXI Stream data Stream. For the signals m_axis_tlast and m_axis_tkeep in the data stream, both are obtained by beating s_axis_tlast and s_axis_tkeep, the number of clock cycles for which the beating is delayed is determined according to en_de_mode. The encapsulated data stream is passed to an output bit width conversion module.
Step 7.4: if data is ready but the data buffer is about to overflow, the current value of s_axis_treat is judged, if 0, no operation is performed, if 1, s_axis_treat is set to 0, and further the subsequent transmission is stopped.
Step 8: the control module in the SM4 receives the information such as the original text, the secret key and the like transmitted by the interface design. Under the fixed key mode, the control module directly sends the encrypted and decrypted round key and the original text to the encryption module for encryption and decryption, receives the result of the encryption module, and then returns the result to the interface design. In the key conversion mode, the control module transmits the key to the key expansion module to calculate the encryption round key, transmits the original text to the encryption module to encrypt, and receives the encryption and decryption results of the encryption module. The key expansion module receives the key of the control module, generates a corresponding encryption round key, and transmits the encryption round key to the encryption module and the key inversion module. The key inversion module works when the decryption function is used, and is used for temporarily storing and inversely sequence transforming the encryption round key to generate the decryption round key, and finally transmitting the decryption round key to the encryption module for decryption. The encryption module encrypts the original text by using the encryption round key in the encryption mode, decrypts the original text by using the decryption round key in the decryption mode, and transmits the result to the control module.
In the description of the present specification, the descriptions of the terms "one embodiment," "example," "specific example," and the like, mean that a particular feature, structure, material, or characteristic described in connection with the embodiment or example is included in at least one embodiment or example of the present invention. In this specification, schematic representations of the above terms do not necessarily refer to the same embodiments or examples. Furthermore, the particular features, structures, materials, or characteristics described may be combined in any suitable manner in any one or more embodiments or examples.
The foregoing has shown and described the basic principles, principal features and advantages of the invention. It will be understood by those skilled in the art that the present invention is not limited to the embodiments described above, and that the above embodiments and descriptions are merely illustrative of the principles of the present invention, and various changes and modifications may be made without departing from the spirit and scope of the invention, which is defined in the appended claims.
Claims (4)
1. The FPGA-based configurable key SM4 encryption and decryption system is characterized in that an FPGA end comprises an SM4 encryption and decryption algorithm realization module, a fixed and transformed key interface design module and a streaming data transmission architecture module;
the SM4 encryption and decryption algorithm realization module is based on FPGA realization and is used for completing encryption and decryption under two modes of a fixed key and a transformation key;
the SM4 encryption and decryption algorithm realization module consists of a control module, a key expansion module, a key inversion module and an encryption module; the control module coordinates the key expansion module, the key inversion module and the encryption module according to the key mode and the encryption and decryption function, so that the synchronization and the correctness of data processing are ensured; the key expansion module realizes a key expansion algorithm to obtain an encryption round key; the key inversion module performs reverse order transformation on the encryption round key to obtain a decryption round key; the encryption module uses the generated round key to carry out encryption and decryption algorithm operation; in the fixed key mode, the control module only starts the encryption module; in a key conversion mode, the control module starts a key expansion module, a key inversion module and an encryption module; the key expansion module and the encryption module work in parallel to realize that each original text adopts different keys; the key inversion module is used for realizing the switching between the encryption mode and the decryption mode at any time;
the fixed and transformed key interface design module receives the data transmitted by the streaming data transmission architecture module, is responsible for starting/suspending data transmission, analyzes the data according to a key mode, and drives the SM4 encryption and decryption algorithm to realize the work of the module; the fixed and transformation key interface design module starts/pauses data transmission according to the data signals in the stream data transmission architecture module, analyzes data in a fixed or transformation key mode according to the control signals in the stream data transmission architecture module, extracts keys and texts therefrom, transmits the keys and texts to the SM4 encryption and decryption algorithm realization module along with the control signals, and repackages the calculation results of the SM4 encryption and decryption algorithm realization module and returns the calculation results to transmission; the fixed key mode takes the data as original text and uses encryption and decryption round keys stored in the FPGA LUT unit; the key mode is changed to take the data as a head+original text, wherein the head consists of encryption and decryption function bits, a key, an original text length and reserved bits, information extraction is carried out according to a stipulated format, and the data is transmitted to the corresponding parameters of an SM4 encryption and decryption algorithm realization module;
the streaming data transmission architecture module is used for data communication between the upper computer and the FPGA end; compiling and loading an XDMA driver on an upper computer, and enabling the upper computer to read and write the XDMA driver by using a routine sequence to realize data transmission and reception; before the upper computer sends data, the key mode and encryption and decryption functions sent at this time are specified by writing commands into the corresponding driving files of the XDMA driver;
the stream data transmission architecture module comprises a data receiving and transmitting module, a buffer memory module, a bit width conversion module and a control signal module; the buffer module is used for buffering data and converting an asynchronous clock domain and comprises an input buffer module and an output buffer module; the bit width conversion module is used for carrying out bit width conversion on data and comprises an input bit width conversion module and an output bit width conversion module; the control signal module stores the control signal into a corresponding register according to the destination address of the control signal;
the streaming data transmission architecture module transmits the data to the fixed and conversion key interface design module, and the fixed and conversion key interface design module transmits the data to the SM4 encryption and decryption algorithm realization module for processing and generating a result; the SM4 encryption and decryption algorithm realization module transmits the result to the fixed and transformation key interface design module, and the fixed and transformation key interface design module transmits the result to the streaming data transmission architecture module.
2. The system for encrypting and decrypting the configurable key SM4 based on the FPGA as claimed in claim 1, wherein the key expansion module and the encryption module adopt pipeline structures, so that the encryption and decryption process is ensured to be continuous and uninterrupted, and each period can encrypt and decrypt one data.
3. The FPGA-based configurable key SM4 encryption and decryption system of claim 1, wherein the caching module is implemented based on an asynchronous FIFO.
4. The FPGA-based configurable key SM4 encryption/decryption system as set forth in claim 1, wherein in the streaming data transmission architecture module, the data transceiver module is implemented based on XDMA IP to complete receiving and sending of data on the PCIE link and receiving of control signals, wherein the data is transmitted through an AXI Stream bus, and the control signals are transmitted in an AXI Lite protocol format.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202310235785.XA CN116506106B (en) | 2023-03-13 | 2023-03-13 | Configurable key SM4 encryption and decryption system based on FPGA |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202310235785.XA CN116506106B (en) | 2023-03-13 | 2023-03-13 | Configurable key SM4 encryption and decryption system based on FPGA |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN116506106A CN116506106A (en) | 2023-07-28 |
| CN116506106B true CN116506106B (en) | 2023-11-03 |
Family
ID=87325640
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN202310235785.XA Active CN116506106B (en) | 2023-03-13 | 2023-03-13 | Configurable key SM4 encryption and decryption system based on FPGA |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN116506106B (en) |
Families Citing this family (1)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN117113442B (en) * | 2023-08-28 | 2024-04-05 | 哈尔滨理工大学 | Acceleration system of homomorphic encryption algorithm Paillier-oriented data path |
Citations (3)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN109902043A (en) * | 2019-01-30 | 2019-06-18 | 中国科学院声学研究所 | A kind of national secret algorithm acceleration processing system based on FPGA |
| CN113078996A (en) * | 2021-02-25 | 2021-07-06 | 西安电子科技大学 | FPGA (field programmable Gate array) optimization realization method, system and application of SM4 cryptographic algorithm |
| WO2022143536A1 (en) * | 2020-12-31 | 2022-07-07 | 杭州趣链科技有限公司 | Apsoc-based state cipher calculation method, system, device, and medium |
-
2023
- 2023-03-13 CN CN202310235785.XA patent/CN116506106B/en active Active
Patent Citations (3)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN109902043A (en) * | 2019-01-30 | 2019-06-18 | 中国科学院声学研究所 | A kind of national secret algorithm acceleration processing system based on FPGA |
| WO2022143536A1 (en) * | 2020-12-31 | 2022-07-07 | 杭州趣链科技有限公司 | Apsoc-based state cipher calculation method, system, device, and medium |
| CN113078996A (en) * | 2021-02-25 | 2021-07-06 | 西安电子科技大学 | FPGA (field programmable Gate array) optimization realization method, system and application of SM4 cryptographic algorithm |
Also Published As
| Publication number | Publication date |
|---|---|
| CN116506106A (en) | 2023-07-28 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| CN109902043B (en) | FPGA-based national cryptographic algorithm accelerated processing system | |
| US7336783B2 (en) | Cryptographic systems and methods supporting multiple modes | |
| CN116506106B (en) | Configurable key SM4 encryption and decryption system based on FPGA | |
| CN107103472B (en) | Algorithm processing module for block chain | |
| CN108898033B (en) | Data encryption and decryption system based on FPGA | |
| US20060078108A1 (en) | Hardware-based encryption/decryption employing dual ported memory and fast table initialization | |
| US9003202B2 (en) | Memory control device, semiconductor memory device, memory system, and memory control method | |
| CN112329038B (en) | Data encryption control system and chip based on USB interface | |
| US7552344B2 (en) | Hardware-based encryption/decryption employing dual ported key storage | |
| CN102664729A (en) | Field programmable gate array (FPGA)-based advanced encryption standard (AES) encryption and decryption network communication device and implementation method thereof | |
| CN112367155B (en) | FPGA-based ZUC encryption system IP core construction method | |
| CN104660615A (en) | High-efficiency data compression and encryption system | |
| CN108809642B (en) | FPGA-based multi-channel data trillion encryption authentication high-speed transmission implementation method | |
| CN105391701A (en) | Data encryption method and system | |
| CN111566987B (en) | Data processing method, circuit, terminal device and storage medium | |
| CN114547663B (en) | Method for realizing data encryption, decryption and reading of high-speed chip based on USB interface | |
| CN105337728A (en) | Data encryption method and system | |
| WO2022143536A1 (en) | Apsoc-based state cipher calculation method, system, device, and medium | |
| CN102739393A (en) | Hardware encrypting UART (Universal Asynchronous Receiver Transmitter) device based on APB (Advanced Peripheral Bus) bus | |
| CN116070292B (en) | SM4 encryption heterogeneous acceleration system based on FPGA | |
| CN103777918A (en) | Hardware accelerator | |
| CN103077362B (en) | There is the GPIO IP kernel of security mechanism | |
| Yao et al. | A dynamic reconfigurable design of multiple cryptographic algorithms based on FPGA | |
| CN106209370A (en) | Elliptic curve cipher device, system and data cache control method | |
| EP4095704A1 (en) | Processing system, related integrated circuit, device and method |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| GR01 | Patent grant | ||
| GR01 | Patent grant |