JP2005534973A - Method and apparatus for manipulating data within a finite body - Google Patents

Abstract

The embodiment of the present invention converts GF (2 ^2s ) into a GF ((2 ^s ) ² ) expression (102), and performs an operation equivalent to the case of GF (2 ^2s ) in the GF ((2 ^s ) ² ) expression. the run by ^{(104), GF (2 2s} ) for manipulating the data given by the expression, for example, GF ^{(2 2s)} at least some of the AES encryption for data given by the expression and / or A method and apparatus for performing a decoding operation is provided.

Description

  The present invention relates to calculations within a finite body and conversion between representations of a finite field.

The Advanced Encryption Standard (AES) provides a Rijndael block cipher algorithm (“Rijndahl algorithm”), which includes byte sub (ByteSub) bit-level operations on the input byte x. The byte sub-operation includes an encryption mode and a decryption mode. The encryption mode includes a combination of inverse operation and affine transformation. For example, when A and b are predetermined parameters, x is converted to Ax ⁻¹ + b. The decoding mode includes a combination of affine transformation and subsequent inverse operation. For example, x is converted to (A ⁻¹ (x + b)) ⁻¹ . According to AES, the inverse transform is pre-formed on the Galois field GF (2 ⁸ ). The field is represented in polynomial form using the reduction polynomial p (t) = t ⁸ + t ⁴ + t ³ + t + 1.

In addition, there is a known block cipher algorithm that performs an inverse operation on GF (2 ⁸ ). For example, K.K. "Specification of Camellia-a 128-bit Block Cipher" by Aoki et al., Http: // info. isl. ntt. co. the Camellia encryption algorithm described in jp / cameria / Lee, “Zodiac Block Cipher Proposal”, http: // www. safedigm. com / productpds / download / Safedigm_Zodiac. The Zodiac cryptographic algorithm described in pdf is included.

One method of AES implements two lookup tables called S-boxes, and when using GF (2 ⁸ ), each table corresponds to 256 possible values of x. Contains 256 values. The encryption S box includes 256 values of Ax ⁻¹ + b, and the decryption S box includes 256 values of (A ⁻¹ (x + b)) ⁻¹ . Another method of AES is, x the inverse element, ^i.e., containing 256 values of ^{x -1,} implement one of the tables represented by F (x). This method not only needs to store one table containing 256 values, but also performs encryption / decryption affine transformation by multiplying x by A or A ^-1 and adding b Requires additional circuitry to do that. Thus, conventional implementations of AESS boxes with a set of calculations defined by the Rheindahl algorithm are not fully efficient overall.

  Since the conventional hardware implementation of AES requires multiple, for example, 16 S-boxes, the complexity of AES implementation can be significantly reduced if a more efficient S-box is designed. Will.

V. “Efficient implementation of the Rijndael S-Box” by Rijmen, http: // www. esat. kuleuven. ac. be / ~ rijmen / rijndael / sbox. It has been suggested in pdf (“Limen literature”) that the efficiency of the AES S box can be improved by using a set of calculations based on the representation of GF (2 ⁸ ) as an extension of GF (2 ⁴ ). . However, the Leimen literature does not disclose, suggest or suggest how such an expression can be realized. Furthermore, in the Limen literature, even if an AES S box based on the extended GF (2 ⁴ ) could be implemented, it would be concluded that such an implementation would not be practical if a good VHDL compiler was used. ing. Thus, the Leimen document does not teach the search for a way to implement an AES S box based on the expanded GF (2 ⁴ ).

The embodiment of the present invention converts GF (2 ^2s ) data into a GF ((2 ^s ) ² ) expression, and performs an operation equivalent to the case of GF (2 ^2s ) in the GF ((2 ^s ) ² ) expression. For efficiently manipulating data given in GF (2 ^2s ) representation, for example, at least some AES encryption and / or decryption operations on data given in GF (2 ^2s ) representation Methods and apparatus for performing are provided.

The exemplary embodiment of the present invention is more fundamental in implementing AES S boxes based on the extended GF (2 ⁴ ), for example, the overall procedure of transformation and computation is more efficient than conventional implementations. Thus, it is possible to solve a specific problem when attempting to efficiently convert GF (2 ⁸ ) representation data into GF ((2 ⁴ ) ² ) representation.

A method for manipulating data according to an embodiment of the present invention may include converting GF (2 ^2s ) data to corresponding data in a GF ((2 ^s ) ² ) representation. This can be accomplished by acting on the GF (2 ^2s ) data with a conversion operator associated with a given expression conversion from the GF (2 ^2s ) representation to the GF ((2 ^s ) ² ) representation. For example, the transformation operator can include a combination of linear transformation and a predetermined expression transformation. In some embodiments, the conversion operator can be associated with representation conversion only. The transformation operator can include a representation transformation matrix corresponding to the desired transformation. The expression conversion matrix can be selected from a set of possible expression conversion matrices in light of a desired criterion, for example, minimization of circuit mounting area. Each matrix belonging to the set of matrices is defined by two field generators, that is, a root of an irreducible polynomial in the GF (2 ^2s ) representation and a field generator of the GF ((2 ^s ) ² ) representation. Can do. GF ^{((2 s) 2)} representation, and irreducible reduction polynomial over GF ^{(2 s),} expanded polynomial over GF ^{(2 s),} for example, a second-order irreducible polynomial over GF ^{(2 s)} Can be defined by

According to some embodiments, the above method also performs at least one operation on the GF ((2 ^s ) ² ) data equivalent to at least one desired operation in the GF (2 ^2s ) representation. And obtaining the processed GF ((2 ^s ) ² ) data. The method also includes translating the processed GF ((2 ^s ) ² ) data into a GF (2 ^2s ) representation. This can be achieved by applying an inverse transformation operator associated with a given expression transformation to the processed GF ((2 ^s ) ² ) data. For example, the inverse transformation operator can include a combination of linear transformation and inverse transformation of a predetermined expression transformation.

According to some embodiments of the invention, a method for determining a representation transformation matrix is provided. The method may include synthesizing and / or simulating a plurality of circuits, each circuit representing an expression transformation matrix from a GF (2 ^2s ) representation to a GF ((2 ^s ) ² ) representation. , And / or the inverse of its representation transformation matrix. The method also includes selecting one of the set of matrices in light of a predetermined optimization criterion, such as a minimum circuit area.

In accordance with some exemplary embodiments of the present invention, methods, systems, and apparatus are provided for performing at least some AES S box encryption and / or decryption operations. According to some exemplary embodiments of the present invention, GF (2 ⁸ ) input data that is encrypted and / or decrypted by an AES device is derived from a GF (2 ⁸ ) representation to GF ((2 ⁴ ) ² ) Can be converted into representation data. According to some embodiments, the transformation can include a linear transformation and / or a predetermined representation transformation from a GF (2 ⁸ ) representation to a GF ((2 ⁴ ) ² ) representation. A GF (2 ⁴ ) operation equivalent to a GF (2 ⁸ ) AES encryption and / or decryption operation is performed on GF ((2 ⁴ ) ² ) and processed GF ((2 ⁴ ) ² ) Data can be acquired. The processed GF ((2 ⁴ ) ² ) data can later be converted back to a GF (2 ⁸ ) representation. According to these embodiments, for example, data is converted into a GF ((2 ⁴ ) ² ) representation, an equivalent encryption / decryption operation is performed, and the processed data is converted into a GF (2 ⁸ ) representation. The hardware implementation of the entire process, such as re-conversion, can be significantly more efficient than the conventional hardware implementation of the AESS box.

In accordance with a further exemplary embodiment of the present invention, a secure memory storage device suitable for implementing an AES S box is provided. The storage device can include an input conversion module adapted to convert the stored GF (2 ⁸ ) data into a GF ((2 ⁴ ) ² ) representation. The input conversion module can include a decryption conversion circuit and a cryptographic conversion circuit. Memory device further, GF ^{((2 4) 2)} performs operations on the data, the treated GF ^{((2 4) 2)} data may include an operational module is adapted to provide. The operations performed by the operation module can be equivalent to GF (2 ⁸ ) AES encryption / decryption operations. The storage device can further include an output inverse transform module adapted to transform the processed GF ((2 ⁴ ) ² ) data back into a GF (2 ⁸ ) representation. The output reverse conversion module can include a decryption reverse conversion circuit and a cryptographic reverse conversion circuit.

  The subject matter which is regarded as the invention is pointed out with particularity and clearly claimed in the concluding portion of the specification. However, the present invention may be best understood by referring to the following detailed description in conjunction with the accompanying drawings in terms of its structure and method of operation, as well as its objects, features, and advantages.

  It should be understood that the elements shown in the figures are not necessarily drawn to scale or scale for the sake of simplicity and clarity. For example, for the sake of clarity, the size of some elements may be exaggerated compared to other elements or multiple physical components contained in one element. In addition, where considered appropriate, the same reference numbers are used in multiple figures to indicate corresponding or similar elements. It should be understood that these figures present examples of embodiments of the invention and are not intended to limit the scope of the invention.

  In the following detailed description, numerous specific details are set forth in order to provide a thorough understanding of the present invention. However, those skilled in the art will appreciate that the invention may be practiced without these specific details. In other instances, well known methods, procedures, and components have not been described in detail so that the present invention does not stand out.

In the following detailed description, the notation GF ^{(2 2s)} is, p (t) is composed of a plurality of polynomials over GF (2) modulo, GF of order ^{2 2s} of an enlarged body (2) It is expressed as a Galois field (GF). However, p (t) is an irreducible polynomial of degree 2s on GF (2). A polynomial in GF (2 ^2s ) representation can be represented by a sequence of 2s bits. The element x of the GF (2 ^2s ) representation is a 2s-digit binary number x = [x _2s-1 x _2s-2 . . . x ₁ x ₀ ]. Where x _i is a corresponding polynomial, such as x _2s-1 t ^2s-1 + x _2s-2 t ^2s-2 +. . . It is a coefficient of ^{t i} in + _x 1 t + _{x 0.}

GF notation ^{((2 s) 2)} is, r (t) is composed of a plurality of polynomials over GF ^{(2 s)} modulo, GF ^{(2 s)} of order ^{2 2s} of GF of an enlarged body Let it be an expression. However, r (t) is an irreducible polynomial of degree 2 on GF (2 ^s ), that is, when α and β are elements of GF (2 ^s ), r (t) = t ² + αt + β Become. GF (2 ^s ) is expressed as an extension field of GF (2) composed of a plurality of polynomials on GF (2) modulo q (t). Where q (t) is an irreducible polynomial of degree s on GF (2). The element z of the GF ((2 ^s ) ² ) expression represents a linear polynomial z _<m> t + z _<l> , a 2s-digit binary number z = [z _2s−l z _{2s− 2} . . . z ₁ z ₀ ], z _<m> = [z _2s−1 . . . z _{s + 1} z _s ] and z _<l> = [z _s−1 . . . z ₁ z ₀ ] is an element of GF (2 ^s ) represented by a polynomial modulo q (t).

Reference is made to FIG. 1, which schematically illustrates a flowchart of a method for manipulating data, according to an embodiment of the present invention.
As shown in block 102, the method converts GF (2 ^2s ) representation data to GF (2 ^2s ) by applying a transformation operator to the GF (2 ^2s ) data, as described in detail below. Converting to corresponding data in the GF ((2 ^s ) ² ) representation corresponding to the expansion of.

As shown in block 104, the method also includes at least equivalent to at least one desired operation in the GF (2 ^2s ) representation on the GF ((2 ^s ) ² ) data, as described in detail below. Performing one operation to obtain processed GF ((2 ^s ) ² ) data.

As indicated at block 106, the method further includes converting the processed GF ((2 ^s ) ² ) data into a GF (2 ^2s ) representation, as will be described in detail below.
According to some embodiments of the invention, the GF (2 ^2s ) data may include two or more data blocks. According to these embodiments, the above method comprises at least 1 in a GF ((2 ^s ) ² ) representation equivalent to at least one desired operation in GF (2 ^2s ) representation with two or more data blocks. It can be implemented to perform one operation.

  According to some exemplary embodiments of the present invention, the above method can be implemented by performing at least some AES S box encryption / decryption operations, for example, as described below. It can be used as part of data encryption and / or decryption.

  The scope of the present invention is not limited in terms of the above, but for ease of explanation, as part of the description of some embodiments of the present invention, an apparatus and / or method for encrypting data is provided. May be mentioned. Furthermore, embodiments of the present invention are also described with respect to an apparatus and / or method for decoding data. However, it will be clear to those skilled in the art, unless otherwise stated, how the apparatus and / or method described below can be modified for both encryption and decryption, or a combination thereof. Let's go.

According to some exemplary embodiments of the invention, s is equal to 4. These embodiments are useful for converting GF (2 ⁸ ) representation data into corresponding data in the GF ((2 ⁴ ) ² ) representation.

Although the scope of the present invention is not limited in terms of the above, for ease of explanation, the description of some exemplary embodiments of the present invention is that s is equal to 4, ie, GF (2 ⁸ ) relates to a method and / or apparatus for converting representation data into a GF ((2 ⁴ ) ² ) representation. However, it will be apparent to those skilled in the art how to modify the methods and / or apparatus described below for other suitable values of s. According to some embodiments of the invention, if s is a value, the conversion from the GF (2 ^2s ) representation to the GF ((2 ^s ) ² ) representation is one or more, as described below. It can be executed stepwise or recursively by using multiple intermediate conversion operators.

According to some exemplary embodiments of the present invention, the above method can be used to perform at least some AES S box encryption operations where s equals 4. In these embodiments, the input data to be encrypted is, as described below, from an expanded GF representation, eg, GF (2 ⁸ ), to a new representation, eg, GF corresponding to an extension of GF (2 ⁴ ). ((2 ⁴ ) ² ). According to these embodiments, a GF (2 ⁴ ) operation that can be substantially equivalent to the corresponding AES operation on GF (2 ⁸ ) is performed on the GF ((2 ⁴ ) ² ) data. , The level of computational complexity can be significantly reduced. The processed data can later be converted back to the AES GF (2 ⁸ ) representation as described below.

Some descriptions of some embodiments of the invention use, for example, specific electrical circuits to convert input data x from a GF (2 ^2s ) representation to a GF ((2 ^s ) ² ) representation. However, it should be understood that the present invention is not limited in this regard, although it is done with the implementation of the transformation operator. Rather, as part of some embodiments of the present invention, the conversion operators, other operations, and processes described below are now known, such as suitable hardware and / or software implementations, for example. It can also be implemented by various other implementations, including implementations or implementations that will be devised in the future.

As part of some embodiments of the present invention, the above methods can be implemented in various combinations and adaptations. According to exemplary embodiments of the present invention, the encryption block that performs encryption and / or the decryption block that performs decryption is implemented by, for example, a built-in electrical circuit of a type that can be used in a smart card. be able to. A conversion operator that can be used to convert data from AES GF (2 ⁸ ) representation to GF ((2 ⁴ ) ² ) representation and vice versa must be pre-programmed into the smart card. Can do. Additionally or alternatively, other configurations can be used.

According to some exemplary embodiments of the invention, the conversion operator may relate to a representation conversion from a GF (2 ^2s ) representation to a GF ((2 ^s ) ² ) representation. The conversion operator may be related to an expression conversion matrix corresponding to the expression conversion. The representation transformation matrix can be selected from a set of possible representation transformation matrices in light of desired criteria, such as minimizing circuit mounting area, as described below. Each matrix belonging to the set of matrices has a root of an irreducible polynomial in GF (2 ^2s ) representation such as GF (2 ⁸ ) and GF ((2 ^s ) ² ) representation such as GF ((2 ⁴ ) ² ). It can be defined by the source of body enlargement.

Polynomial representation in GF on GF ⁽²⁾ (2 ⁴⁾ is defined, GF ^{(2 4)} 3 single irreducible simplification polynomial over, for ^example, by each of the ^{1 + t + t 4, 1} + t 3 + t 4, 1 + t + t 2 + t 3 + t 4 can do.

According to embodiments of the present invention, the field expansion of one or more polynomial representations of GF (2 ⁴ ) in GF (2 ⁸ ) is an irreducible expansion polynomial, eg, β and when the α an element of GF ^{(2 4),} can be calculated using ^{t 2} + ^αt + ^β is such that about a previously over ^{GF (2 4), t 2} + αt + β type polynomials.

According to some exemplary embodiments of the present invention, there may be 15 different βs and 8 different αs that give 120 possible irreducible polynomials of the form t ² + αt + β. From three different reduction polynomials and 120 irreducible expansion polynomials, 360 GF ((2 ⁴ ) ² ) representations of GF (2 ⁸ ), which is an extension of GF (2), are obtained.

According to some exemplary embodiments of the present invention, the number of irreducible expansion polynomials of type t ² + αt + β can be reduced. This reduction can be achieved, for example, by using only irreducible expansion polynomials of type t ² + αt + β where α = 1, as will be explained below. Therefore, the total number of related GF ((2 ⁴ ) ² ) expressions can be reduced from 360 to 24. However, it should be noted that the present invention is not limited in this respect. Furthermore, the description of some embodiments of the present invention is limited to the context of using an irreducible expansion polynomial of type t ² + αt + β where α = 1, but any expansion polynomial of type t ² + αt + β It will be apparent to those skilled in the art how to adapt such methods when used.

Thus, as part of some exemplary embodiments of the present invention, a total of 24 GF ((2 ⁴ ) to convert standard AES representation data to GF ((2 ⁴ ) ² ) representation. ² ) The expression can be calculated. Each of the 24 GF ((2 ⁴ ) ² ) representations is defined by one of the reduction polynomials on GF (2 ⁴ ) and one of the extension polynomials of type t ² + αt + β such that α = 1, for example. be able to.

As is known in the art, any two finite fields of the same size are isomorphic, so that two GF (2 ⁿ ) representations (n = 2s) denoted Rep ₁ and Rep ₂ respectively. There can be isomorphisms in between. Each of the two representations can be an n-dimensional linear space over GF (2), and each isomorphism can be a linear transformation between the representations. Thus, as part of some embodiments of the present invention, an n × n type binary representation transformation matrix M to transform Rep ₁ elements into corresponding Rep ₂ elements, eg, by matrix multiplication. Can be calculated. Since the transformation between the two body representations can be reversed, there can be an inverse representation transformation matrix M ^{−1 for} each representation transformation. Rep ₁ can be expressed by an irreducible polynomial p ₀ having n roots. Each root of p ₀ is a generator of GF (2 ⁿ ) and is invariant under the field isomorphism. Therefore, there are n corresponding representation conversion matrices for each body extension. Because multiplicative group of GF ^{(2 n)} is cyclic, the generator of corresponding pair of representations Rep ₁ and Rep _2, it is possible to uniquely determine the isomorphism between Rep ₁ and Rep _2. Accordingly, when the generation source of Rep ₁ is r ₁ and the generation source of Rep ₂ is r ₂ , the corresponding expression conversion matrix M must satisfy Mr ₁ = r ₂ . Since the two body representations are isomorphic and r ₁ and r ₂ are generators of GF (2 ⁿ ), for any k (k = 1... 2 ⁿ ), the following simultaneous equations satisfy M It must be.

M (r ₁ ) ^k = (r ₂ ) ^k (1)
_{However, (r} ^{i) k,} in order to produce an element _(r ^{1) k} representation Rep _i, indicates k-th power somatic origin _{r i} in the expression Rep _i, expressed Rep ₁ body element _{(r 1} ) ^K can be treated as a vector in an n-dimensional linear space on GF (2), and M (r ₁ ) ^k can be obtained by multiplying the expression transformation matrix M.

The simultaneous equation 1 includes 2 ⁿ linear forms, and by solving them, the expression conversion matrix M corresponding to the pair of generators r ₁ and r ₂ can be determined. The simultaneous equation 1 may include redundant equations, and the number of calculations can be reduced by excluding them. For example, only the first n equations can be used to obtain one representation transformation matrix. Another representation transformation matrix can be obtained by solving simultaneous equations 1 using different pairs of generators r ₁ and r ₂ . Thus, there can be n different simultaneous equations that correspond to n different generators of Rep ₂ that are images of r ₁ and give n different representation transformation matrices from Rep ₁ to Rep ₂ . .

In an exemplary embodiment of the invention, each irreducible polynomial over GF (2 ⁸ ), eg, each root of p (t) = t ⁸ + t ⁴ + t ³ + t + 1, is the origin of the GF (2 ⁸ ) field. Can be. Accordingly, eight possible representation transformation matrices corresponding to the eight roots of the irreducible polynomial can be calculated for each GF (2 ⁸ ) field expansion. Thus, according to these exemplary embodiments, if α = 1, there can be a set of 192 possible representation transformation matrices corresponding to 24 body expansions. According to some embodiments of the present invention, each of the possible representation transformation matrices is derived from a standard AES representation, with a different GF ((2 ⁸ ) of GF (2 ⁸ ) corresponding to a different extension of GF (2 ⁴ ) ((2 ^{4 2} ) Conversion to expression can be made possible.

According to these exemplary embodiments, the input data x of the AES expression can be converted into a GF ((2 ⁴ ) ² ) expression by applying an expression conversion, for example, an expression conversion matrix M. The operation x> x ^{−1 in} the GF ((2 ⁴ ) ² ) representation represented by T (x) can be performed on the transformation data, for example M x. The transformation F (x) to GF (2 ⁸ ) can be obtained by performing an inverse transformation of the expression transformation, for example, M- ¹ . Thus, according to an exemplary embodiment of the present invention, F (x) and T (M x) can be given by the following nonlinear equations:

F (x) = M ⁻¹ T (M x) (2)
Equation 2 can be rewritten as follows.
MT (x) = F (Mx) (3)
According to these embodiments, Equation 3 represents eight possible isomorphisms between two representations, eg, an AES GF (2 ⁸ ) representation and a corresponding GF ((2 ⁴ ) ² ) representation: Can have 8 solutions. An isomorphism between two representations can be determined by selecting a generator that maps from one representation to a specific origin of the other representation, as described below.

The following is an exemplary list of matrix strings corresponding to 192 (24 × 8) possible representation transformation matrices, shown in hexadecimal format. These can be calculated as described above.
Reduction polynomial: t ⁴ + t + 1
(A) Expansion polynomial: t ² + t + 8
01 e1 5c 0c af 1b e3 85, 01 e1 5c 0c ae fa bf 89, 01 5c e0 50 a2 02 b8 db, 01 5c e0 50 a3 5e 58 8b, 01 e0 5 d 0 e4 f0 df, 01 5d e1 ed 42 10 a7 92, 01 5d e1 ed 43 4d 46 7f
(B) Expanded polynomial: t ² + t + 9
01 e1 5c 0c 12 4b 0f d8, 01 e1 5c 0c 13 aa 53 d4, 01 5c e0 50 1e b2 b5 3a, 01 5c e0 50 1f ee 55 6a, 01 e0 5d 0 e9 fc 33, 01 5d e1 ed fe 1c 16 72, 01 5d e1 ed ff 41 f7 9f
(C) Extended polynomial: t ² + t + 10
01 e1 5c 0c 43 46 0e 39, 01 e1 5c 0c 42 a7 52 35, 01 5c e0 50 ae bf 54 36, 01 5c e0 50 af e3 b4 66, 01 e0 5d b0 0d 3e b8 a0 63, 01 5d e1 ed f2 ad f6 c2, 01 5d e1 ed f3 f0 17 2f
(D) Extended polynomial: t ² + t + 11
01 e1 5c 0c fe 16 e2 64, 01 e1 5c 0c ff f7 be 68, 01 5c e0 50 12 0f 59 d7, 01 5c e0 50 13 53 b9 87, 01 e0 5d b0 87 b5 ac 8f, 01 5d e1 ed 4e a1 47 22, 01 5d e1 ed 4f fc a6 cf
(E) Extended polynomial: t ² + t + 1 ²
01 e1 5c 0c a2 1a 02 d9, 01 e1 5c 0c a3 fb 5e d5, 01 5c e0 50 f3 03 e4 3b, 01 5c e0 50 f2 5f 04 6b, 01 e0 5 d 0 4 d e5 10 82, 01 5d e1 ed ae 11 fa 73, 01 5d e1 ed af 4c 1b 9e
(F) Expanded polynomial: t ² + t + 13
01 e1 5c 0c 1f 4a ee 84, 01 e1 5c 0c 1e ab b2 88, 01 5c e0 50 4f b3 e9 da, 01 5c e0 50 4e ef 09 8a, 01 e0 e8 1c 6e, 01 5d e1 ed 12 1d 4b 93, 01 5d e1 ed 13 40 aa 7e
(G) Expanded polynomial: t ² + t + 14
01 e1 5c 0c 4e 47 ef 65, 01 e1 5c 0c 4f a6 b3 69, 01 5c e0 50 ff be 08 d6, 01 5c e0 50 fe e 2 e8 86, 01 e0 5d 0e b9 40 3e, 01 5d e1 ed 1e ac ab 23, 01 5d e1 ed 1f f1 4a ce
(H) Extended polynomial: t ² + t + 15
01 e1 5c 0c f3 17 03 38, 01 e1 5c 0c f2 f6 5f 34, 01 5c e0 50 43 0e 05 37, 01 5c e0 50 42 52 e5 67, 01 e0 5d b11 e 54 d b4 4c d2, 01 5d e1 ed a2 a0 1a c3, 01 5d e1 ed a3 fd fb 2e
Reduction polynomial: t ⁴ + t ³ +1
(A) Expansion polynomial: t ² + t + 2
01 b1 ec 0c 4f 7c 80 69, 01 b1 ec 0c 4e cd 6c 65, 01 ec 0d 50 ff 60 97 d6, 01 ec 0d 50 fe 8c 9a 86, 01 0d 51 c94 ca c5 8e, 01 51 b1 ed 1e 24 91 23, 01 51 b1 ed 1f 75 20 ce
(B) Expanded polynomial: t ² + t + 3
01 b1 ec 0c f3 2c dc 38, 01 b1 ec 0c f2 9d 30 34, 01 ec 0d 50 43 3c 7a 37, 01 ec 0d 50 42 d0 77 67, 01 0d 51 b0 0 51 51 b0 2a c9 d2, 01 51 b1 ed a3 28 70 2e, 01 51 b1 ed a2 79 c1 c3
(C) Extended polynomial: t ² + t + 4
01 b1 ec 0c ff 21 60 68, 01 b1 ec 0c fe 90 8c 64, 01 ec 0d 50 13 6d c7 87, 01 ec 0d 50 12 81 ca d7, 01 0d 51 f0 1e 0d 51 0 0 51 51 0 9b 75 3f, 01 51 b1 ed 4f 95 7c cf, 01 51 b1 ed 4e c4 cd 22
(D) Expanded polynomial: t ² + t + 5
01 b1 ec 0c 43 71 3c 39, 01 b1 ec 0c 42 c0 d0 35, 01 ec 0d 50 af 31 2a 66, 01 ec 0d 50 ae dd 27 36, 01 0d 51 b0 a3 d 7b 79 63, 01 51 b1 ed f2 99 9d c2, 01 51 b1 ed f3 c8 2c 2f
(E) Expansion polynomial: t ² + t + 8
01 b1 ec 0c af 7d 31 85, 01 b1 ec 0c ae cc dd 89, 01 ec 0d 50 a2 61 7b db, 01 ec 0d 50 a3 8d 76 8b, 01 0d 51c 0 cb c8 df, 01 51 b1 ed 42 25 c0 92, 01 51 b1 ed 43 74 71 7f
(F) Expanded polynomial: t ² + t + 9
01 b1 ec 0c 13 2d 6d d4, 01 b1 ec 0c 12 9c 81 d8, 01 ec 0d 50 1e 3d 96 3a, 01 ec 0d 50 1f d1 9b 6a, 01 0d 51 b 0a 2b c4 83, 01 51 b1 ed ff 29 21 9f, 01 51 b1 ed fe 78 90 72
(G) Expanded polynomial: t ² + t + 14
01 b1 ec 0c 1f 20 d1 84, 01 b1 ec 0c 1e 91 3d 88, 01 ec 0d 50 4e 6c 2b 8a, 01 ec 0d 50 4f 80 26 da, 01 0d 51 b0 9a 78 6e, 01 51 b1 ed 13 94 2d 7e, 01 51 b1 ed 12 c5 9c 93
(H) Extended polynomial: t ² + t + 15
01 b1 ec 0c a3 70 8d d5, 01 b1 ec 0c a2 c1 61 d9, 01 ec 0d 50 f2 30 c6 6b, 01 ec 0d 50 f3 dc cb 3b, 01 0d 42 7a 74 32, 01 51 b1 ed ae 98 cc 73, 01 51 b1 ed af c9 7d 9e
Reduction polynomial: t ⁴ + t ³ + t ² + t + 1
(A) Expansion polynomial: t ² + t + 2
01 50 b0 0c a3 8b d3 d5, 01 50 b0 0c a2 db 63 d9, 01 b0 ed 50 f2 6f c2 6b, 01 b0 ed 50 f3 df 2f 3b, 01 ed 0c b0 92 35 82, 01 0c 50 ed af 85 66 9e, 01 0c 50 ed ae 89 36 73
(B) Expanded polynomial: t ² + t + 3
01 50 b0 0c 1e 3a 8f 88, 01 50 b0 0c 1f 6a 3f 84, 01 b0 ed 50 4f 33 cf da, 01 b0 ed 50 4e 83 222 8a, 01 ed 0c 72 f0 9f 68 de, 01 0c 50 ed 13 d4 87 7e, 01 0c 50 ed 12 d8 d7 93
(C) Extended polynomial: t ² + t + 4
01 50 b0 0c f3 3b df 38, 01 50 b0 0c f2 6b 6f 34, 01 b0 ed 50 43 32 7f 37, 01 b0 ed 50 42 82 9267, 01 ed 0c b0 ae 73 9e 85 d2, 01 0c 50 ed a3 d5 8b 2e, 01 0c 50 ed a2 d9 db c3
(D) Expanded polynomial: t ² + t + 5
01 50 b0 0c 4e 8a 83 65, 01 50 b0 0c 4f da 33 69, 01 b0 ed 50 fe 6e 72 86, 01 b0 ed 50 ff de 9f d6, 01 ed 0c b0 13 7e 0c b01 13e 93 d8 8e, 01 0c 50 ed 1f 84 6a ce, 01 0c 50 ed 1e 88 3a 23
(E) Expansion polynomial: t ² + t + 8
01 50 b0 0c ae 36 62 89, 01 50 b0 0c af 66 d2 85, 01 b0 ed 50 a2 63 c3 db, 01 b0 ed 50 a3 d3 2e 8b, 01 ed 0c b0 f3 f 0 c2 34 6f, 01 0c 50 ed 42 35 67 92, 01 0c 50 ed 43 39 37 7f
(F) Expanded polynomial: t ² + t + 9
01 50 b0 0c 13 87 3e d4, 01 50 b0 0c 12 d7 8e d8, 01 b0 ed 50 1f 3 fce 6a, 01 b0 ed 50 1e 8f 23 3a, 01 ed 0c b65 4e 0 cf 69 33, 01 0c 50 ed fe 64 86 72, 01 0c 50 ed ff 68 d6 9f
(G) Expanded polynomial: t ² + t + 14
01 50 b0 0c fe 86 6e 64, 01 50 b0 0c ff d6 de 68, 01 b0 ed 50 13 3e 7e 87, 01 b0 ed 50 12 8e 93 d7, 01 ed 0c b0 1e 23 88 ce 84 3f, 01 0c 50 ed 4e 65 8a 22, 01 0c 50 ed 4f 69 da cf
(H) Extended polynomial: t ² + t + 15
01 50 b0 0c 43 37 32 39, 01 50 b0 0c 42 67 82 35, 01 b0 ed 50 ae 62 73 36, 01 b0 ed 50 af d2 9e 66, 01 ed 0c b0 a3 2e d0 d3 c3 d9 63, 01 0c 50 ed f2 34 6b c2, 01 0c 50 ed f3 38 3b 2f
The above list shows that each group of 8 matrix string values is one of the extended polynomials of type t ² + αt + β and 3 of the irreducible reduced polynomials on GF (2 ⁴ ), as described above. Configured to be associated with each other. Matrix string values are enumerated in the form of 8 pairs of values in hexadecimal format, representing an 8 × 8 type bi-advanced sequence. In order to find a value corresponding to the i-th (1 ≦ i ≦ 192) expression conversion matrix M from the list, the following simultaneous equations can be solved.

i-1 = Q1 * 64 + R1 (4)
R1 = Q2 × 8 + R2
However,
0 ≦ R1 ≦ 64 (5)
0 ≦ R2 <8
A set of values Q1, Q2, R1, and R2 corresponding to a desired i-th expression conversion matrix can be obtained from the simultaneous expression (4) having the boundary condition of the simultaneous expression (5). The position in the above list of the desired expression transformation matrix, for example, the i-th matrix can be determined as the R2 + 1-th matrix string in the Q2 + 1-th expanded polynomial in the Q1 + 1-th reduced polynomial. Matrix string values can be converted to a transformed matrix representation by dividing the matrix string into pairs of numbers in hexadecimal format. In that case, each column of the transformation matrix can be represented using a corresponding hexadecimal pair of binary representations, for example, an 8-digit binary number.

Some embodiments of the invention include an AES compatible S box. The AES compatible S box can be configured to perform operations equivalent to the AES S box, for example, encryption operations and / or decryption operations on GF ((2 ^s ) ² ). The AES compatible S box may include a conversion circuit that allows data conversion from, for example, a representation on a standard AES S box to a GF ((2 ^s ) ² ) representation as described above. An AES compatible S box can also include a computation module, which includes a computation circuit and / or software for processing the conversion data, eg, performing AES equivalent operations on the conversion data. Can do. The AES compatible S box can also include an inverse transform circuit to convert the processed data back to an AES representation.

  A conventional AESS box can perform an affine transformation based on the following equation:

Where A and b are AES S box parameter matrices known in the art.

Therefore, according to the embodiment of the present invention, by substituting each equation 3 into equation 6 and 7, to convert the x in GF ^{((2 s) 2)} representation, GF ^{((2 s) 2)} by the expression The following equation can be obtained for performing the operation and converting the resulting data back to the corresponding data in the AES representation.

According to some embodiments of the invention, the transformation circuit or software may include circuitry that implements the representation transformation matrix M. According to some of these embodiments, the circuit or software that implements the representation transformation matrix M can be combined with a circuit or software that performs a linear transformation, eg, an AES S box parameter such as A. According to a further embodiment of the invention, the conversion circuit or software includes four multiplication modules for each multiplication by M, AM, M ⁻¹ , (AM ⁻¹ ), for example as described below. be able to. Therefore, the conversion circuit can be configured by using a combination of linear conversion and predetermined expression conversion. For example, the conversion circuit can perform the addition of the AES S box parameter b by, for example, an XOR circuit to obtain a sum x + b, which can be further multiplied by an inverse matrix of AM. The transformation circuit may also implement other combinations of linear transformations and representation transformation matrices, such as the specific implementations described herein. By using such an arithmetic module, the efficiency of the conversion circuit can be increased.

Matrix multiplication hardware implementations can include any hardware implementation of matrix multiplication known in the art. For example, i = 1. . . Assuming 8 and D is a fixed 8 × 8 type bi-advanced sequence, the value y _{i of the} block y defined by y = Dx can be calculated using the following equation:

Thus, the value of y can be calculated using Equation 10. This can be achieved by determining which elements of row D _{i, j} are non-zero and performing an XOR operation with the corresponding value of x _j .

  In accordance with exemplary embodiments of the present invention, operations that are equivalent to AES operations, such as inverse operations, additions, and / or multiplications, can be defined in a new representation, as described below.

The element x of GF (2 ⁸ ) can be defined by an 8-digit binary number x = [x ₇ x ₆ x ₅ x ₄ x ₃ x ₂ x ₁ x ₀ ], and the element z of GF (2 ⁴ ) Can be defined by a 4-digit binary number z = [z ₃ z ₂ z ₁ z ₀ ].

As is known in the art, GF (2 ⁴ ) has a polynomial representation defined by a reduced polynomial over GF (2), for example, z = [z ₃ z ₂ z ₁ z ₀ ] is , The polynomial z ₀ + z ₁ t + z ₂ t ² + z ₃ t ³ . The multiplication of the elements of GF can be defined by multiplying the polynomials representing the elements and reducing the result modulo the reduction polynomial. In the following description, the inverse operation x ⁻¹ of x in AES GF (2 ⁸ ) is expressed as F = F (x), and the inverse operation z ⁻¹ of z in the new expression is expressed as T = T (z). Can be written.

According to an embodiment of the present invention, the bit octet z = [z ₇ z ₆ z ₅ z ₄ z ₃ z ₂ z ₁ z ₀ ] of GF (2 ⁸ ) is z _<m> = [z ₇ z ₆ z _{If 5} z ₄ ] and z _<l> = [z ₃ z ₂ z ₁ z ₀ ] are elements of GF (2 ⁴ ), they can be similar to the linear polynomial z _<m> t + z _<l> . Thus, the new representation can include the elements z _<m> and z _<l> of GF (2 ⁴ ).

As part of some embodiments of the invention, multiplication and addition in the new representation can be defined by operations on GF (2 ⁴ ). The following provides one possible definition of multiplication and addition in the new representation with operations on GF (2 ⁴ ). It will be appreciated that other definitions may be used as part of some embodiments of the present invention.

Addition and subtraction with a new representation of two elements, eg, a, dεGF (2 ⁸ ), can be defined as a bitwise XOR of the two elements, as is known in the art. . The product of the two elements a and d can be defined by a product of polynomials modulo (t ² + αt + β) (a _<m> t + a _<l> ) × (d _<m> t + d _<l> ). However, multiplication and addition of polynomial coefficients can be defined by operations on GF (2 ⁴ ) using a given representation. Thus, the product of elements a and d can be calculated using the following equation:

However,

Therefore, the product of elements a and d of AES GF (2 ⁸ ) can be defined as r = [r ₇ r ₆ r ₅ r ₄ r ₃ r ₂ r ₁ r ₀ ].

To determine the inverse element x ⁻¹ = (c _<m> t + c _<l> ) of the data element x = (a _<m> t + a _<l> ), (x _<m> x + x _<l> ) is It is necessary to satisfy the formula.

  Equation 13 can be converted to the following simultaneous line format on GF (2).

Therefore, in order to calculate the inverse element x ⁻¹ of the data element x, as described above, it is only necessary to calculate C _<m> and C _<l> .

According to an embodiment of the present invention, to calculate the simultaneous equations 14 directly, two square calculations, for example, a ² _<m> and a ² _<l> , five multiplications, one inverse operation, and three All additions need to be done on GF (2 ⁴ ). However, as part of some embodiments of the present invention, the number of these calculations can be reduced as described below.

According to embodiments of the present invention, the addition on GF (2 ⁴ ) can be implemented as an XOR circuit, as is known in the art. According to another embodiment of the present invention, multiplication on GF (2 ^4), as described below, to define a plurality of GF (2 ⁴⁾ multipliers, select the appropriate multipliers for each case By doing so, it can be executed more efficiently.

According to these exemplary embodiments, two elements of GF (2 ⁴ ), eg, a = [a ₃ , a ₂ , a ₁ , a ₀ ] and d = [d ₃ , d ₂ , d ₁ , D ₀ ] on GF (2 ⁴ ) a × d = [a ₃ , a ₂ , a ₁ , a ₀ ] × [d ₃ , d ₂ , d ₁ , d ₀ ] As described above, for each given reduction polynomial, for example, it can be defined as a series of bitwise operations such as addition (XOR) and multiplication (AND). Therefore, the calculation method of multiplication of two elements is as follows.
Reduction polynomial: t ⁴ + t + 1
[A ₃ , a ₂ , a ₁ , a ₀ ] × [d ₃ , d ₂ , d ₁ , d ₀ ] =
_{[A 1 d 2 + a 3} d 3 + a 3 d 0 + a 2 d 1 + a 0 d 3, a 2 d 3 + a 0 d 2 + a 3 d 3 + a 2 d 0 + a 1 d 1 + d 2 a 3, a 1 d ₃ + d ₂ a ₃ + a ₀ d ₁ + a ₂ d ₂ + a ₂ d ₃ + a ₁ d ₀ + a ₃ d ₁ , a ₀ d ₀ + a ₁ d ₃ + a ₂ d ₂ + a ₃ d ₁ ]
Reduction polynomial: t ⁴ + t ³ +1
[A ₃ , a ₂ , a ₁ , a ₀ ] × [d ₃ , d ₂ , d ₁ , d ₀ ] =
_{[A 0 d 3 + a 1} d 3 + a 3 d 2 + a 2 d 3 + a 3 d 1 + a 2 d 1 + a 1 d 2 + a 3 d 3 + a 3 d 0 + a 2 d 2, a 0 d 2 + a 3 d 3 _{+ a 1 d 1 + a 2} d 0, a 0 d 1 + a 3 d 2 + a 3 d 3 + a 1 d 0 + a 2 d 3, a 1 d 3 + a 0 d 0 + a 2 d 3 + a 3 d 2 + a 2 d 2 + A ₃ d ₁ + a ₃ d ₃ ]
Reduction polynomial: t ⁴ + t ³ + t ² + t + 1
[A ₃ , a ₂ , a ₁ , a ₀ ] × [d ₃ , d ₂ , d ₁ , d ₀ ] =
_{[A 2 d 1 + a 3} d 0 + a 3 d 1 + a 1 d 2 + a 1 d 3 + a 2 d 2 + a 0 d 3, a 3 d 1 + a 2 d 2 + a 1 d 1 + a 2 d 0 + a 0 d 2 _{+ a 1 d 3, a 0} d 1 + a 1 d 3 + a 1 d 0 + a 3 d 1 + a 3 d 3 + a 2 d 2, a 3 d 2 + a 1 d 3 + a 0 d 0 + a 2 d 3 + a 2 d 2 + A ₃ d ₁ ]
Note that in each of the above calculations, some of the element multiplications are the same for more than one output bit. For example, the expression a ₁ d ₃ + a ₂ d ₂ + a ₃ d ₁ appears twice in the calculation method listed above, thus minimizing hardware requirements using, for example, XOR gates and AND gates. Only one calculation is required. The GF (2 ⁴ ) multiplier for each second reduction polynomial is calculated using the two-element multiplication calculation of GF (2 ⁴ ) using each of the three second order reduction polynomials described above. Those skilled in the art will appreciate that they can be configured. Such a multiplier can be implemented in hardware and / or software, as is known in the art. An appropriate GF (2 ⁴ ) multiplier can be constructed for a given representation transformation matrix. Each representation transformation matrix can be defined by combining one of the three irreducible reduction polynomials on GF (2 ⁴ ) and the expansion polynomial as described above, so that the GF (2 ⁴ ) multiplier Can be determined in advance. One skilled in the art will appreciate that other suitable implementations of the GF (2 ⁴ ) multiplier may be used in addition or alternatively in accordance with exemplary embodiments of the present invention.

The inverse operation denoted INV and the square operation denoted SQR in GF (2 ⁴ ) is performed by two separate relatively small look-up tables (LUTs) of size 8 bytes each, ie 16 nibbles. Can be implemented. According to some embodiments of the invention, the coefficient β can be determined in advance. Therefore, the value β × g ² (denoted as βSQR) corresponding to the element gεGF (2 ⁴ ) can also be stored in the 8-byte LUT, so that it is necessary to calculate the simultaneous equation 14 One multiplication can be removed from a set of calculations. According to alternative embodiments, SQR, INV, and / or βSQR at GF (2 ⁴ ) can be implemented by any suitable circuit known in the art. For example, the SQR circuit can be implemented by setting a = d in the calculation method for multiplication of two elements as described above. Therefore, the SQR circuit can be implemented by the following calculation method.
Reduction polynomial: t ⁴ + t + 1
[A ₃ , a ₂ , a ₁ , a ₀ ] ² = [a ₃ , a ₃ + a ₁ , a ₂ , a ₀ + a ₂ ]
Reduction polynomial: t ⁴ + t ³ +1
[A ₃ , a ₂ , a ₁ , a ₀ ] ² = [a ₂ + a ₃ , a ₁ + a ₃ , a ₃ , a ₀ + a ₂ + a ₃ ]
Reduction polynomial: t ⁴ + t ³ + t ² + t + 1
[A ₃ , a ₂ , a ₁ , a ₀ ] ² = [a ₂ , a ₁ + a ₂ , a ₂ + a ₃ , a ₀ + a ₂ ]
It should be noted that the circuit implementation of embodiments of the present invention can be more compact than the corresponding LUT implementation. However, in some S-box implementations, the LUT can perform more efficient data processing.

According to an exemplary embodiment of the present invention, the 129th representation conversion matrix, that is, the matrix represented as M = 01, 50, b0, 0c, a3, 8b, d3, d5 in hexadecimal notation is It is possible to select from the 192 expression conversion matrices listed in the above. Thus, the corresponding expanded reduction polynomial is p (t) = t ⁴ + t ³ + t ² + t + 1, r (t) = t ² + t + 2, ie β = 2. According to this exemplary embodiment, the multiplier circuit is [a ₃ , a ₂ , a ₁ , a ₀ ] × [d ₃ , d ₂ , d ₁ , d ₀ ] = [a ₂ d ₁ + a ₃ d _{0 + a 3 d 1 + a} 1 d 2 + a 1 d 3 + a 2 d 2 + a 0 d 3, a 3 d 1 + a 2 d 2 + a 1 d 1 + a 2 d 0 + a 0 d 2 + a 1 d 3, a 0 d ₁ + a ₁ d ₃ + a ₁ d ₀ + a ₃ d ₁ + a ₃ d ₃ + a ₂ d ₂ , a ₃ d ₂ + a ₁ d ₃ + a ₀ d ₀ + a ₂ d ₃ + a ₂ d ₂ + a ₃ d ₁ ].

According to this exemplary embodiment of the present invention, using the following LUT shown in hexadecimal notation, SQR, βSQR, and / or INV corresponding to an input number l between 0 and 15: Individual values can be calculated.
SQR = 0, 1, 4, 5, f, e, b, a, 2, 3, 6, 7, d, c, 9, 8
βSQR = 0, 2, 8, a, 1, 3, 9, b, 4, 6, c, e, 5, 7, d, f
INV = 0, 1, f, a, 8, 6, 5, 9, 4, 7, 3, e, d, c, b, 2
However, the output of each table can be the l-th entry of the table. Alternatively, SQR, βSQR, and / or INV can be calculated using a circuit implementation, as described above, eg, the SQR circuit can be [a ₃ , a ₂ , a ₁ , a ₀ ] ² = [a ₂ , a ₁ + a ₂ , a ₂ + a ₃ , a ₀ + a ₂ ].

Referring to FIG. 2, a circuit implementation of an AES compatible S-box 200 for encrypting / decrypting data is shown according to some exemplary embodiments of the present invention.
The S box 200 may be implemented to provide an output sbox [x] or sbox ⁻¹ [x] corresponding to the block data x based on equations 8 and 9, as described below.

The S box 200 is input data x in AES representation, for example, 8-bit data expressed as x = [x ₇ x ₆ x ₅ x ₄ x ₃ x ₂ x ₁ x ₀ ] (x∈GF (2 ⁸ )). And the like, and as described above, an input conversion module 221 may be included that converts this data into GF ((2 ⁴ ) ² ) representation data using a conversion operator. For decoding mode operations, the transform module 221 can also perform a decrypted affine transform on x, as described below. The S box 200 processes the converted data and executes the processed GF ((2 ^{4 4} ), for example, by executing an encryption / decryption operation equivalent to GF (2 ⁸ ) as described below. ² ) An arithmetic module 230 that provides data may also be included. The S box 200 can also include an output inverse transform module 223 that transforms the processed data back into an AES representation, as described below. Module 223 can also perform encrypted affine transformations on the output of module 230, as described below.

According to these exemplary embodiments, the module 221 includes a first data input path 202 corresponding to the operation of the encryption mode, i.e. performing the transformation sbox [x] as described above. be able to. The module 221 may also include a second data input path 204 corresponding to the decoding mode operation, ie, performing the transformation sbox ⁻¹ [x].

According to an exemplary embodiment of the present invention, the module 221 can include a cryptographic conversion circuit 214 and a decryption conversion circuit 210. Circuit 214, so to apply a conversion operator in x, for example, can include M ^-1 multiplier is adapted to perform a multiplication that multiplies a M ^-1 to x. The circuit 210 can be adapted to operate a transformation operator on x, for example, the circuit 210 performs an XOR operation on x and b and outputs (AM) to the output of the module 216. ) multiplied by ^-1 performs multiplication ^(AM) may include a ^-1 multiplier. Thus, the output of circuit 214 can be M ⁻¹ x corresponding to the expression in parentheses in Equation 8. The output of circuit 210 corresponds to the expression in parentheses in equation 9.

Can be.
According to an exemplary embodiment of the present invention, module 221 also includes a multiplexer 220, which can have two inputs associated with the outputs of circuits 214 and 210, respectively. Multiplexer 220 can be used to select these two inputs, and the output of multiplexer 220 can include one output of conversion data 231 corresponding to the selected input. Multiplexer 220 can include any suitable circuit known in the art for selecting two inputs. For example, the multiplexer 220 can include a control register (not shown). The control register can store an instruction bit for indicating the requested operation mode. For example, the instruction bit is set to 0 in the encryption operation mode, and the instruction bit is set to 1 in the decryption operation mode. Can be equal. The output of the multiplexer 220 can be selected based on the value of the indicator bit, as is known in the art. The value of the instruction bit can be set before performing an encryption operation or a decryption operation on a plurality of data blocks. The transformed GF ((2 ⁴ ) ² ) data 231 can include, for example, 8 bits passed by an 8-bit parallel wire (not shown) as is known in the art. The eight electric wires can be divided into two sets each consisting of four electric wires. Therefore, as described above, the 8 bits of the conversion data 231 are two 4-bit data values corresponding to the 8-bit value of the conversion data 231, that is, z _<m> = [z ₇ z ₆ indicated by 235. z ₅ z ₄ ] and z _<l> = [z ₃ z ₂ z ₁ z ₀ ] (z _<m> , z _<l> ∈GF ((2 ⁴ ) ² )) indicated by 231 Can do.

Module 230 processes the data values z _<m> and z _<l> , as described below, and processed by T (x) = c _<m> t + c _<l> described above. Circuitry for providing data can be included. The values of c _<m> and c _<l> can be given by simultaneous equations 14, in which case a _<m> and a _<l> are replaced by z _<m> and z _<l> , α = 1.

According to an exemplary embodiment of the present invention, the arithmetic module 230 may include an arithmetic circuit for performing an AES equivalent operation on the conversion data 231 as described above. The arithmetic circuit can include a first 8-bit bitwise XOR box 232 and a second 8-bit bitwise XOR box 234. The arithmetic circuit may also include three identical GF (2 ⁴ ) multipliers 236, 238, 240 as described above. The arithmetic circuit may include three circuits / 8 byte tables that respectively execute INV242, SQR244, and βSQR246 as described above. Circuits / tables 242, 244, 246 and multipliers 236, 238, 240 can be pre-determined based on the selected reduction polynomial, as described above. Accordingly, the output _{c <m>} are each output _{c <l>} and multiplier 238 of the multiplier _{240, (z <l> +} z <m>) (z 2 <m> β + z 2 <l> + z <l> z _< M _> ) ⁻¹ , z _<m> (z ² _<m> β + z ² _<l> + z _<l> z _<m> ) ⁻¹ .

The 4-bit output of multiplier 240 and the 4-bit output of multiplier 238 may be recombined at output 230 to form one 8-bit data output corresponding to operation T performed on transformed data 231. it can. Thus, for cryptographic mode operations, the output of module 230 can include a value T [M ⁻¹ × x] based on Equation 8. For decoding mode operations, the output of module 230 is a value based on Equation 9

Can be included. The output of module 230 can be received by module 223.

The module 223 may include a first data path 272 corresponding to the encryption mode operation and a second data path 274 corresponding to the decryption mode operation. The module 223 can include an encryption reverse conversion circuit 285 and a decryption reverse conversion circuit 282. Circuit 282 may include an M multiplier associated with path 272. The circuit 282 converts the processed GF ((2 ⁴ ) ² ) data back into the AES representation in decoding mode, for example, based on Equation 9

Can be used to obtain. Circuit 285 can include an AM multiplier 284 associated with path 274 and an XOR block 286 associated with the output of multiplier 284. Multiplier 284 is combined with XOR block 286 in operation encryption mode to convert the processed GF ((2 ⁴ ) ² ) data back to AES representation, for example, based on Equation 8:

Can be used to obtain. According to an exemplary embodiment of the present invention, module 223 also includes a multiplexer 290, which may have two inputs associated with the output of XOR block 286 and multiplier 282, respectively. Multiplexer 290 can be used to select these two inputs, and the output of multiplexer 290 can include one output corresponding to the operational mode. Multiplexer 290 can include any suitable circuit known in the art for selecting two inputs. For example, multiplexer 290 can include circuitry similar to that of multiplexer 220 as described above.

  An example of the operation of the S box 200 is presented below. The first example specifically illustrates the step of encrypting data using an AES compatible S-box according to an embodiment of the present invention. The second example specifically illustrates data decoding according to another embodiment. In the example presented, the 129th representation conversion matrix of the set of matrices listed above is used, and data having the value 67 is selected as the input data x. The representation transformation matrix and input data in these examples are chosen randomly for illustration only and are intended to limit the scope of the invention to a particular selected representation transformation matrix or a particular input data value. Note that there is no.

Initially, input data, represented in this exemplary embodiment by a hexadecimal value 67 (T1), is loaded via the input path 202. The input data is multiplied by M− ¹ by the multiplier 214 to calculate 2e (T3). Next, T3 is input to the multiplexer 220 set to the encryption mode. Thus, T3 is divided into two 4-bit values: T7 = 2 and T6 = e. Next, in the XOR box 232, the XOR of the two 4-bit values is calculated,

Is calculated. T7 is input to the βSQR circuit / table 246, and T10 = 2 · 2 ² = 8 is calculated. The multiplier 236 is used to generate T9 = T7 · T6 = 2 · e = 3 by the multiplier described above. T6 is input to the SQR circuit / table 244, and T8 = e ² = 9 is calculated. In the XOR box 234, the XOR of the values T8, T9, T10 is calculated,

Is generated. Next, T12 is input to the INV circuit / table 242, and T13 = T12 ⁻¹ = f is calculated. The multiplier 238 receives the inputs T11 and T13, T14 = T11 · T13 = 6 is calculated, and the multiplier 240 receives the inputs T7 and T13, and T15 = T7 · T13 = 1 is calculated. T15 and T14 are then combined to produce a single 8-bit data value, ie T16 = 16. The single 8-bit data value is input to the multiplier 284, and T18 = (AM) · 16 = e6 is calculated. Finally, in the XOR box 286, the XOR of T18 and b is calculated,

Is generated. The multiplexer 258 selects T20 = T19 = 85 as an output. Therefore, the output sbox [x] of the S box is 85.

  An example of using the S box to decrypt the (encrypted) output of the S box described in the above example is given below. First, a data value T1 = 85 is input to the S box. In box 216, the XOR of T1 and b is calculated,

Is calculated. T2 is multiplied by (AM) ⁻¹ by the multiplier 218 to calculate T4 = (AM) ⁻¹ · e6 = 16. T4 is then selected by multiplexer 220 (set to decoding mode) to obtain T5. T5 is divided into T6 = 6 and T7 = 1. Next, in box 232, an XOR of the two 4-bit values is calculated,

Is calculated. Next, using the circuit / table βSQR246, SQR244, and multiplier 236, the values T10 = β · T7 ² = 2; T9 = T6 · T7 = 6 and T8 = T6 ² = b are calculated. In box 234, the XOR of outputs T10, T9, T8 is calculated,

Is calculated. Next, T12 is input to the INV table 242, and T13 = T12 ⁻¹ = 2 is calculated. Multiplier 238 receives inputs T11 and T13, and multiplier 240 receives inputs T7 and T13. The output results of the multiplier 240 and the multiplier 238 are T14 = T11 · T13 = e and T15 = T7 · T13 = 2, respectively. T15 and T14 are then combined to produce a single 8-bit data value T16 = 2e. T16 is multiplied by M in the multiplier 582, and T17 = M · 2e = 67 is generated. Finally, the multiplexer 290 selects T20 = T17 = 67 as an output.

Referring to FIG. 3, an arithmetic module 330 is schematically shown according to a further exemplary embodiment of the present invention.
According to some exemplary embodiments of the present invention, module 230 (FIG. 2) of the S box (FIG. 2) is replaced with module 330 so that an AES equivalent operation with α ≠ 1 can be performed. Can do. Module 330 may include an alpha multiplier 332 for multiplying the value 235 by α. The output of multiplier 332 can be provided to the inputs of XOR block 232 and multiplier 236, respectively. Thus, the output c _<m> of multiplier 238 and the output c _<l> of multiplier 240 can be provided based on simultaneous equations 14 as described above.

According to some embodiments of the invention, a method is provided for determining a representation transformation matrix from a set of representation transformations. The method may include synthesizing and / or simulating a plurality of circuits, each circuit having a GF ((2 ^s ) ² from a GF (2 ^2s ) representation, as described above. ) Corresponds to the expression conversion matrix to expression. The method also includes selecting one of the set of matrices in the light of a predetermined optimization criterion, such as a minimum circuit area, as described below.

According to an exemplary embodiment of the present invention, possible representation transformation matrices, eg, each representation transformation matrix M of the set of 192 representation transformation matrices described above are derived from an AES representation as described above. It can be implemented to allow conversion to the GF ((2 ⁴ ) ² ) representation. Each representation transformation matrix can be implemented, for example, by appropriate electrical circuitry as described above, and / or appropriate software, and can have different performance characteristics, as described below. Thus, according to embodiments of the present invention, the representation transformation matrix can be selected from a set of matrices in the light of some desired criteria, as described below.

  According to embodiments of the present invention, operating parameters that are conditions for circuit testing can affect the associated results of the circuit. Thus, the optimality of the circuit or process can depend on the operating parameters used, as will be explained below. Further, the determination of whether a circuit or process is optimal can vary depending on the criteria used to evaluate the circuit / process. Thus, different operating parameters and / or criteria may determine that different circuits / processes are optimal.

  According to some exemplary embodiments of the present invention, the comparison criteria require each of the circuits / processes to transform sample data and perform AES equivalent operations as described above. The number of gates and / or power consumption can be included. According to other embodiments of the invention, any other desired optimization criterion may be utilized.

  According to an exemplary embodiment of the present invention, a set of circuits, eg, 192 circuits each corresponding to 192 possible transformation matrices, corresponds to, for example, the S box 200 (FIG. 2) described above. Can be created to do. According to these exemplary embodiments, the individual circuits can be synthesized using DC Shell 2001.08-sp1 (DC Expert) sold by Synopsis. The target library TSMC 0.18μ (SAAG-X Artisane) can be used. The synthesis can be performed at various timings, eg, the propagation delay time is any time in the range of, for example, 12 nanoseconds to 6 nanoseconds. These parameters can be enabled to use different discrete frequencies, for example in the range of 66.7 MHz to 111 MHz, by adding a margin, eg, a 3 nanosecond margin. According to these exemplary embodiments, the results of the method described above can be summarized by the following table.

However, the numbers in parentheses represent circuits corresponding to the expression conversion matrix as described above using the numbers as index numbers. Therefore, for example, when the timing = 12, No. When the matrix of 82 is used, a circuit with the smallest area is obtained. When 45 matrices are used, the largest area circuit is obtained.

As can be seen from Table 1, some circuits appear to be more desirable than others with respect to the minimum area required for implementation and other criteria and / or under certain operating parameters. As can be further seen, the performance of each circuit can depend on the operating parameters of the circuit. By changing certain operating parameters, individual circuits can be affected in a similar manner. However, it should be understood that some circuits can produce optimal results when operated under certain operating parameters, and that changing operating parameters may produce results that are far from optimal. For example, the circuit area can increase with frequency, regardless of the selected representation transformation matrix, but at different frequencies, different circuits may produce optimal results, for example, different optimal areas required to implement the circuit. Can be provided. The difference in performance, at least in part, caused the AES S box equivalent LUT to have different levels of complexity, and the calculation of GF (2 ⁸ ) in the GF ((2 ⁴ ) ² ) representation is It can be caused differently by different circuits and various operating parameters.

According to some embodiments of the present invention, some of the circuits are less sensitive to changes in frequency and may exhibit nearly constant good results when operated under various operating parameters. it can. For example, circuits 82, 105, 124, 128 that separately correspond to equivalent representation transformation matrices as described above can exhibit desirable results under various operating parameters. The differences in performance of the various circuits, and the desirability of some circuits in very many cases, are the INV circuit / table, SQR circuit / table, and GF (2 ⁴ ) It can be related to three types of multipliers. Further, different circuits may require different βSQR circuits / tables, and multiplication by M, AM, M ⁻¹ , (AM) ⁻¹ may be different as described above.

According to a further exemplary embodiment of the present invention, the conversion from a GF (2 ^2s ) representation to a GF ((2 ^s ) ² ) representation is performed by utilizing one or more intermediate conversion operators. Can be executed automatically or recursively. For example, when s = 2u, the operation in GF (2 ^s ) representation can be similar to the operation in GF (2 ^2u ). An operation on GF (2 ^2u ) can be executed with a GF ((2 ^u ) ² ) expression. Therefore, the data in the GF ((2 ^s ) ² ) expression can be converted into the corresponding data in the GF ((2 ^u ) ² ) expression using an intermediate conversion operator. If necessary, the second intermediate conversion operator is used to convert the data of the GF (2 ^u ) expression into the corresponding data of the GF ((2 ^v ) ² ) expression (u = 2v), etc. Such operation can be further continued. Therefore,

The operation in the expression (q is an odd number) is performed in the GF ((.. (((2 ^q ) ² ) ² ).) ² ) expression by using the operation in the GF (2 ^q ) expression. Can be performed using. The transformation from a GF representation to another GF representation, for example half the size, can be designed in light of specific implementation efficiency criteria such as, for example, circuit efficiency and / or power efficiency.

  Those skilled in the art will appreciate that the present invention is not limited to the exemplary embodiments of the invention presented herein and described with reference to the accompanying drawings. While several features of the invention have been illustrated and described, many modifications, substitutions, changes, and equivalents will occur to those skilled in the art. Accordingly, it is to be understood that the appended claims are intended to cover all such modifications and changes as fall within the true spirit of the invention.

4 is a flowchart of a method for manipulating data according to an embodiment of the present invention. FIG. 6 is a schematic diagram of a circuit implementing an AESS box for encrypting and / or decrypting data according to some exemplary embodiments of the present invention. FIG. 6 is a schematic diagram of a computing module, according to a further exemplary embodiment of the present invention.

Claims (29)

Converting the data of GF ^{(2 2s)} representation, by the action of conversion operator associated with predetermined conversion on the data of the GF ^{(2 2s)} representation, corresponding GF ^{((2 s) 2)} the data representation A data manipulation method including a step of performing.   The method of claim 1, wherein the transformation operator is associated with an expression transformation matrix corresponding to the transformation.   The method of claim 2, wherein the transformation operator is an inverse matrix of the representation transformation matrix.   The method of claim 2, wherein the transformation operator comprises a combination of a linear transformation and the representation transformation matrix.   The method of claim 4, wherein the transformation operator comprises an inverse matrix of a matrix product of the representation transformation matrix and an AES S box parameter matrix. The GF ^{((2 s) 2)} representation is defined by the expansion polynomial over GF ^{(2 s)} on irreducible reduction polynomial and GF ^{(2 s),} according to any one of claims 1 to 5 Method. The expansion polynomial over GF ^{(2 s)} comprises 2 order irreducible polynomial over GF ^{(2 s),} The method of claim 6.   The method according to any of claims 2 to 7, wherein the representation transformation matrix is selected from a set of possible representation transformation matrices in light of predetermined criteria. 9. Each matrix of the set of matrices is defined by a root of an irreducible polynomial on the GF (2 ^2s ) representation and a field generator of the GF ((2 ^s ) ² ) representation. Method. The GF ((2 ^s ) ² ) representation data is processed by performing at least one operation equivalent to at least one desired operation in the GF (2 ^2s ) representation, and processed GF ( The method according to claim 1, comprising the step of obtaining (2 ^s ) ² ) data. The data of the GF (2 ^2s ) representation includes two or more data blocks, and the method ^converts the data of the GF ((2 ^s ) ² ) representation into at least one desired in the GF (2 ^2s ) representation. computing equivalent the GF ^{((2 s) 2)} at least one operation in the expression and processing by executing with respect to the two or more data blocks were processed GF ^{((2 s) 2)} 10. A method according to any preceding claim, comprising obtaining data. The treated GF a ^{((2 s) 2)} data, by the action of the inverse transform operator associated with said predetermined conversion the treated GF in ^{((2 s) 2)} data, the GF (2 ^12. The method according to claim 10 or 11, comprising the step of converting back to ^2s ) representation.   13. A method according to any preceding claim, wherein s is equal to 4. A secure memory storage device suitable for implementing an AES S box,
An input conversion module that converts GF (2 ^{2 s} ) representation data into corresponding GF ((2 ^s ) ² ) representation data;
An arithmetic module that performs at least one operation equivalent to at least one desired operation in the GF (2 ^2s ) representation to obtain processed GF ((2 ^s ) ² ) data;
An output conversion module that converts the processed GF ((2 ^s ) ² ) data back into the GF (2 ^2s ) representation. The apparatus of claim 14, wherein the input transformation module includes a multiplier for multiplying a linear transformation of the GF (2 ^2s ) data by a matrix associated with an expression transformation matrix.   The apparatus of claim 14 or 15, wherein the at least one desired operation comprises an inverse operation. The output transform module includes a multiplier for multiplying a linear transformation of the processed GF ((2 ^s ) ² ) data by a matrix associated with an expression transformation matrix. apparatus.   18. A method according to any of claims 14 to 17, wherein s is equal to 4. A method for determining a representation transformation,
Synthesizing a plurality of circuits respectively corresponding to a plurality of expression conversions from a GF (2 ^2s ) expression to a GF ((2 ^s ) ² ) expression;
Selecting one of the plurality of representation transformations against at least one optimization criterion.   The method of claim 19, wherein combining the plurality of circuits includes assembling the plurality of circuits.   21. A method according to claim 19 or 20, wherein the step of synthesizing the plurality of circuits comprises simulating the plurality of circuits.   The method according to any of claims 19 to 21, wherein s is equal to 4.   23. A method according to any of claims 19 to 22, wherein the plurality of representation matrices comprises 192 matrices.   24. A method according to any of claims 19 to 23, wherein the at least one criterion comprises circuit area.   24. A method according to any of claims 19 to 23, wherein the at least one criterion comprises power consumption. The GF (2 ^2s ) representation data is converted into the corresponding GF ((2 ^s ) ² ) data by applying a decoding transformation operator related to a predetermined transformation to the GF (2 ^2s ) representation data. Converting, and
The GF ((2 ^s ) ² ) representation data is processed by performing at least one operation equivalent to a desired decoding operation in the GF (2 ^2s ) representation, and processed GF (( 2 ^s ) ² ) acquiring data;
Transforming the processed GF ((2 ^s ) ² ) data into the GF (2 ^2s ) representation. The data of GF ^{(2 2s)} representation, and converting by applying a predetermined conversion to the data of the GF ^{(2 2s)} representation, corresponding GF ^{((2 s) 2)} the data representation,
The GF ((2 ^s ) ² ) representation data is processed by performing at least one operation equivalent to a desired encryption operation on the GF (2 ^2s ) representation, and processed GF ((( 2 ^s ) ² ) acquiring data;
The processed GF ((2 ^s ) ² ) data is processed by applying a cryptographic conversion operator related to the predetermined conversion to the processed GF ((2 ^s ) ² ) data. ^2s ) a method for encrypting the data comprising the step of converting it back into a representation. The step of applying the conversion operator applies one or more intermediate conversion operators to recursively convert the data of the GF (2 ^2s ) expression into the data of the GF ((2 ^s ) ² ) expression. 14. A method according to any preceding claim, comprising the step of converting. An input conversion module that includes a decryption conversion circuit and a cryptographic conversion circuit, and converts data in a GF (2 ^2s ) representation into corresponding data in a GF ((2 ^s ) ² ) representation;
An operation module that performs at least one operation equivalent to a desired encryption / decryption operation in the GF (2 ^2s ) representation to obtain processed GF ((2 ^s ) ² ) data;
An encryption / decryption device including a decryption inverse conversion circuit and a cryptographic inverse conversion circuit, and including an output conversion module that converts the processed GF ((2 ^s ) ² ) data back into the GF (2 ^2s ) representation .

Images