JP2008203306A - Encryption processor - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To provide an encryption processor which can improve the encrypting/decoding speed while suppressing the degrading of the encryption reliability. <P>SOLUTION: This encryption processor divides the plain sentence to be encrypted into as many sections as the steps in the pipeline encryption calculator 20 to set up the data groups; divides those data groups into plain sentence blocks of 128 bits based on the AES specifications; and continuously inputs the plain sentence block N and the plain sentence block N+1 to the XOR calculator 21 following the timing rule to separate into steps more than the steps in the pipeline encryption calculator 20. The XOR calculator 21 calculates the sequentially input plain sentence block N+1 and the ciphertext block N' output from the pipeline encryption calculator 20. The pipeline encryption calculator 20 applies pipeline processing to the calculation results by performing parallel encrypting calculation through the encryption calculator of two or more steps connected through a pipeline structure. <P>COPYRIGHT: (C)2008,JPO&INPIT

Description

  The present invention relates to a cryptographic processing apparatus that performs plaintext encryption or decryption of ciphertext.

  In general, data encryption is required to be strong in security and capable of high-speed processing. The mainstream of the encryption method is shifting from DES (Data Standard Encryption Method, Data Encryption Standard) to AES (Next Generation Standard Encryption Method, Advanced Encryption Standard), and the encryption strength is getting stronger. The AES encryption method is a block cipher that encrypts / decrypts data in block length units of 128 bits, and has a plurality of types of modes, and is selected according to the purpose and usage method.

  For example, FIG. 8 shows a configuration example of an encryption circuit 200 in CBC (Cipher Block Chaining) mode, FIG. 9 shows a configuration example of a decryption circuit 210 in CBC mode, and FIG. 10 shows encryption in the CBC mode. Fig. 4 illustrates the encryption / decryption process.

  As shown in FIG. 8, the encryption circuit 200 performs an encryption operation based on the AES standard on the input value and outputs an operation result (encryption vector), and inputs the result to the AES encryption operation unit 201. A KEY register 202 for holding an encryption key, an input register 203 for holding a data block to be encrypted, and an IV register for holding an initial encryption vector (initial vector) used for the first cryptographic operation 204, a selector 205 that selects one of the cipher vector output as the operation result of the AES cipher operation unit 201 and the initial vector held in the IV register 204, the output of the input register 203, and the output of the selector 205 An XOR operation unit 206 that calculates the exclusive OR of the two values and gives them to the input of the AES encryption operation unit 201, and AES And an output register 207 which holds the output of the No. calculation unit 201 (the result of the encryption as generated data blocks).

  As shown in FIG. 9, the decoding circuit 210 performs decoding operations based on the AES standard on the input values and outputs an operation result (decoding vector), and inputs them to the AES decoding operation unit 211. A KEY register 212 for holding an encryption key, an input register 213 for holding a data block to be decrypted, and an IV register for holding an initial encryption vector (initial vector) used for the first decryption operation 214, a selector 215 that selects one of the data block held in the input register 213 and the initial vector held in the IV register 214, and the output of the AES decoding arithmetic unit 211 and the output of the selector 215 are exclusive. XOR operation unit 216 that calculates a logical OR, and the output of XOR operation unit 216 (generated as a result of decoding And an output register 217 for holding the data blocks).

  As shown in FIG. 10A, at the first T1 of the encryption process, the data block (plaintext 1) to be encrypted and held in the input register 203 in the encryption circuit 200 and the IV register 204 are held. The initial vector IV is input to the XOR operation unit 206, and the XOR operation unit 206 performs an exclusive OR operation between the data block to be encrypted and the initial vector IV, and the operation result is obtained from the AES encryption operation unit 201. Output to. The AES encryption operation unit 201 performs encryption operation based on the AES standard between the operation result input from the XOR operation unit 206 and the encryption key (KEY) held in the KEY register 202, and the operation result is encrypted. The resultant data block (ciphertext 1) is held in the output register 207. The operation result output from the AES encryption operation unit 201 is also input to the XOR operation unit 206 at the second time T2 as an encryption vector.

  After the second time (T2, T3,... Tn), the XOR operation unit 206 and the encryption target data block (plaintext 2, plaintext 3,... Plaintext n) held in the input register 203 An exclusive OR operation with the previous encryption vector input from the AES encryption operation unit 201 is performed, and the operation result is output to the AES encryption operation unit 201. The AES cipher operation unit 201 performs an operation based on the AES standard between the operation result input from the XOR operation unit 206 and the encryption key held in the KEY register 202, and the operation result is a data block of an encryption result It is held in the output register 207 as (ciphertext 2, ciphertext 3,... Ciphertext n). In the second and subsequent times, the calculation result output from the AES encryption calculation unit 201 is input to the XOR calculation unit 206 as the next encryption vector.

  As shown in FIG. 10B, at the first T1 of the decryption process, the data block (ciphertext 1) to be decrypted held in the input register 213 in the decryption circuit 210 and the KEY register 212 are stored. The held encryption key (KEY) is input to the AES decryption operation unit 211. The AES decryption operation unit 211 performs a decryption operation based on the AES standard between the data block to be decrypted and the encryption key, and the operation result Is output to the XOR operation unit 216. At the first time T1, the XOR operation unit 216 performs exclusive OR operation between the operation result input from the AES decoding operation unit 211 and the initial vector IV held in the IV register 214, and the operation result is the result of decoding. Is stored in the output register 217 as a data block (plaintext 1).

  From the second time (T2, T3,... Tn), the data block (ciphertext 2, ciphertext 3,... Ciphertext n) held in the input register 213 and the KEY The encryption key held in the register 212 is input to the AES decryption operation unit 211. The AES decryption operation unit 211 performs a decryption operation based on the AES standard between the data block to be decrypted and the encryption key, and the operation result Is output to the XOR operation unit 216. The XOR operation unit 216 includes the operation result input from the AES decryption operation unit 211 and the previous data block (ciphertext 1, ciphertext 2,... Ciphertext n-1) held in the input register 213. And the result of the operation is held in the output register 217 as a data block (plain text 2, plain text 3,... Plain text n) as a result of decryption.

  FIG. 11 is a timing chart relating to the input timing of the data block (plain text) to be encrypted in the CBC mode encryption process and the output timing of the data block (cipher text) as a result of encryption. As described with reference to FIG. 10A, the exclusive OR operation (XOR) is performed on the plaintext 1 and the initial vector IV for the first time, and the operation result is input to the AES cipher operation unit 201 to generate the ciphertext 1 ′. Is done. The second time, an exclusive OR operation (XOR) is performed on the plaintext 2 and the ciphertext 1 ′, and the operation result is input to the AES cipher operation unit 201 to generate a ciphertext 2 ′. Similarly, after the third time, an exclusive OR operation (XOR) is performed on the plaintext 3 and the ciphertext 2 ′, and the operation result is input to the AES cipher operation unit 201 to generate the ciphertext 3 ′. Performs an exclusive OR operation (XOR) on plaintext n and ciphertext (n−1) ′, and inputs the result to the AES cipher operation unit 201 to generate ciphertext n ′.

  FIG. 12 is a timing chart regarding the input timing of the data block (ciphertext) to be decrypted in the decryption process in the CBC mode and the output timing of the data block (plaintext) as a result of the decryption. As described with reference to FIG. 10B, the ciphertext 1 ′ is first input to the AES decryption operation unit 211 to perform a decryption operation, and an exclusive OR operation (XOR) is performed between the operation result and the initial vector IV. A plaintext 1 is generated. The second time, the ciphertext 2 ′ is input to the AES decryption operation unit 211 to perform a decryption operation, and an exclusive OR operation (XOR) is performed on the operation result and the ciphertext 1 ′ to generate plaintext 2. Similarly, after the third time, the ciphertext 3 ′ is input to the AES decryption operation unit 211 to perform a decryption operation, and an exclusive OR operation (XOR) is performed between the operation result and the ciphertext 2 ′ to generate a plaintext 3 In the final round, the ciphertext n ′ is input to the AES decryption operation unit 211 to perform a decryption operation, and an exclusive OR operation (XOR) is performed between the operation result and the ciphertext (n−1) ′ to obtain a plaintext. n is generated.

  FIG. 13 shows a block diagram of a non-pipeline circuit 220 constituting the AES encryption operation unit 201 of the encryption circuit 200 and the AES decryption operation unit 211 of the decryption circuit 210. FIG. 14 shows the non-pipeline circuit 220. 2 shows an output timing chart of the processing data output from.

  As shown in FIG. 13, the non-pipeline circuit 220 of the AES encryption system replaces (step S301), rearranges (step S302), matrix operation (step S303), XOR for the input data block (indata). Four processes of calculation (step S304) are performed in one round, and this one round is processed with one clock (CLK) and repeated 11 times. Finally, 1 clock is input, a block length of 128 bits is processed in a total of 12 clocks, and a processed data block (outdata) is output.

  Accordingly, as shown in FIG. 14, the output timing of the data block processed by the non-pipeline circuit 220 takes 12 clocks until the first data block (data1) is output, and thereafter, the data block is output every 11 clocks. (Data2, data3...) Are output (see FIGS. 11 and 12).

  In such encryption / decryption processing by the non-pipeline circuit 220, a fixed-length (128 bits) data block is encrypted / decrypted each time to process a long-bit plaintext or ciphertext. Since a large number of times are processed in time series, the processing time becomes long.

  On the other hand, for example, the position information (block number) of the plaintext block and the initial vector (IV) are calculated to obtain scrambled data, and a plurality of calculation results obtained by calculating exclusive OR of the scrambled data and the plaintext block are obtained. When encrypting / decrypting a large amount of data by generating a ciphertext block by encrypting it by pipeline processing with a stage encryption circuit, and decrypting the ciphertext block by pipeline processing There is a technique for increasing the processing speed (see, for example, Patent Document 1).

JP-A-5-249891

  In the encryption / decryption technology using the above pipeline processing, the plaintext is scrambled without feeding back the ciphertext to the input side in order to facilitate the pipeline of the encryption circuit. The CBC mode is not supported. Therefore, the encryption strength is reduced as compared with the CBC mode in which the encryption strength is increased by returning the ciphertext to the input and using it for encryption of the next plaintext.

  The present invention is intended to solve the above-described problem, and an object of the present invention is to provide an encryption processing apparatus capable of improving the processing speed of encryption / decryption while suppressing a decrease in encryption strength. Yes.

  The gist of the present invention for achieving the object lies in the inventions of the following items.

[1] A pipeline encryption processing unit in which a plurality of encryption processing units are connected in a pipeline structure;
An arithmetic unit that calculates the unit data to be input and the encrypted data output from the pipeline encryption processing unit, and inputs the operation result to the pipeline encryption processing unit;
The data group to be encrypted is divided into unit data, and one unit data and subsequent unit data are separated by at least the number of stages of the pipeline structure of the pipeline encryption processing unit according to the timing rule. A control unit that inputs to the computation unit;
A cryptographic processing apparatus comprising:

  In the above invention, the control unit divides the data group to be encrypted into unit data, and separates one unit data and subsequent unit data by the number of stages of the pipeline structure of the pipeline encryption processing unit. Input to the arithmetic unit according to the timing rule. The calculation unit calculates the encrypted data output from the pipeline encryption processing unit and the unit data input by the control unit, and inputs the calculation result to the pipeline encryption processing unit. The pipeline encryption processing unit performs cryptographic operations for the number of stages by a plurality of encryption processing units connected in a pipeline structure with respect to the operation result input from the operation unit to generate encrypted data.

  Since the pipeline encryption processing unit has a pipeline structure, it is possible to input data of operation results one after another from the operation unit and execute cryptographic operations in parallel for the number of stages. However, since the encryption processing for the number of stages is performed in the pipeline encryption processing unit, the encryption data of one unit data is delayed by the number of pipeline stages from the time when one unit data is input to the pipeline encryption processing unit. Output from the pipeline encryption processing unit. For this reason, when unit data subsequent to one unit data is continuously input to one unit data and input to the calculation unit, for example, the encrypted data N ′ and unit data N + 1 of the unit data N are calculated by the calculation unit and piped. It cannot be input to the line encryption processing unit.

  Therefore, if one unit data (N) and the following unit data (N + 1) are input to the arithmetic unit with a timing rule that is more than the number of stages of the pipeline encryption processing unit, the unit data N + 1 is converted into the unit data N The encrypted data N ′ is input to the arithmetic unit after the time when the encrypted data N ′ is output from the pipeline encryption processing unit, and the input timing to the arithmetic unit can be matched with the encrypted data N ′. By matching this input timing, encrypted data (encryption vector) of one unit data is fed back to the input side, and subsequent unit data can be encrypted.

  In this way, by returning the encrypted data output from the pipeline encryption processing unit to the input and using it for the encryption of the next unit data, it becomes a strong encryption process (encryption algorithm), Compared with an encryption process in which the next unit data is not encrypted by returning to the input, it is possible to suppress a decrease in encryption strength.

  In addition, even if the operation result is continuously input from the operation unit, the pipeline encryption processing unit executes the encryption operation for the number of stages on the operation result that is continuously input in parallel, and performs pipeline processing. Can be generated and output continuously. For example, if the operation of inputting unit data to the arithmetic unit according to the above timing rule for a plurality of data groups is performed in parallel, the encryption for the plurality of data groups can be performed simultaneously, so that a single non-pipeline The encryption processing speed can be improved as compared with the case where the encryption processing unit is used to perform encryption processing such that the encryption operation of one unit data is repeated a predetermined number of times.

[2] A holding register for holding an initial vector;
When the first encryption for the data group is performed, a switching unit that inputs an initial vector held in the holding register instead of the encrypted data to the arithmetic unit;
The cryptographic processing apparatus according to [1], further comprising:

  In the above invention, when the first encryption is performed, the switching unit inputs the initial vector held in the holding register instead of the encrypted data to the arithmetic unit, and when the second and subsequent encryptions are performed. The encrypted data output from the pipeline encryption processing unit is input to the arithmetic unit. Thereby, encryption of the first unit data of the data group is executed using the initial vector, and encryption of the second and subsequent unit data of the data group is executed using the encrypted data.

[3] The control unit inputs the subsequent unit data to the arithmetic unit at a timing when the encrypted data of the one unit data is returned to the arithmetic unit via the pipeline encryption processing unit. The cryptographic processing device according to [1] or [2].

  In the above invention, in the arithmetic unit, the encrypted data N ′ of the unit data N that is returned to the arithmetic unit via the pipeline encryption processing unit, and the unit data N + 1 that is input at the timing when the encrypted data N ′ is returned to the arithmetic unit, Is calculated. As a result, it is possible to encrypt the unit data subsequent to the one unit data using the encrypted data of the one unit data.

[4] The control unit continuously arranges the encrypted data of the one unit data and the encrypted data of the subsequent unit data that are output from the pipeline encryption processing unit separated by the timing rule. The cryptographic processing device according to any one of [1] to [3], which is characterized.

  In the above invention, the unit data N and the unit data N + 1 are matched with the input timing of the unit data N + 1 and the encrypted data N ′ of the unit data N returned to the operation unit via the pipeline encryption processing unit. Is input to the arithmetic unit with a timing rule (discontinuous) that is more than the number of pipeline stages, and the encrypted data N ′ and the encrypted data (N + 1) ′ are separated from the pipeline encryption process part by more than the number of pipeline stages. Output according to the timing rule (non-continuous). By continuously arranging the encrypted data output at a distance, the encrypted data is arranged in a general-purpose CBC mode in units of data groups.

  For example, when performing encrypted transmission of data, even if the encryption processing device on the receiving side has only a general-purpose (non-pipeline) decryption processing unit in the CBC mode, the encryption generated by the pipeline encryption processing unit By sending timing information (information indicating the first position of each data group) indicating the use timing of the initial vector in the encryption process in addition to the data, the receiving side cryptographic processor can perform non-pipeline decryption. The processing unit can decrypt the encrypted data into the original data. Therefore, compatibility with the decoding process in the general-purpose CBC mode can be maintained.

[5] The controller inputs the unit data divided from one data group to the arithmetic unit sequentially according to the timing rule, and inputs the unit data to the arithmetic unit for a plurality of data groups. The encryption processing apparatus according to any one of [1] to [4], wherein the timing of performing the processing is different for each data group and is performed in parallel.

  In the above invention, the control unit, for example, inputs the unit data N of the data group N to the calculation unit and before the unit data N + 1 is input to the calculation unit according to the above timing rule. M is input to the calculation unit. After this input, the unit data N + 1 of the data group N is input to the arithmetic unit with the above timing rule with respect to the unit data N, and further, the unit data M + 1 of the data group M is input with respect to the unit data M according to the above timing rule. Input to the calculation unit.

  From the calculation unit, the calculation result of the unit data N is output after the calculation result of the unit data N is output until the calculation result of the unit data N + 1 is output according to the above timing rule. After this output, the operation result of the unit data N + 1 is output with respect to the operation result of the unit data N according to the above timing rule, and the operation result of the unit data M + 1 is output with respect to the operation result of the unit data M with the above timing rule. Is output.

  As a result, the pipeline encryption processing unit performs a cryptographic operation on the operation result of the unit data N from when the operation result of the unit data N is input to when the operation result of the unit data N + 1 is input. In the meantime, the operation result of the unit data M is input, and the cryptographic operations are executed in parallel. Further, the cryptographic operation on the operation result of the unit data N is finished, the encrypted data N ′ is output, and the operation result of the unit data N + 1 is input while performing the cryptographic operation on the operation result of the unit data M. Execute cryptographic operations in parallel. Further, the cryptographic operation on the operation result of the unit data M is finished and the encrypted data M ′ is output. While the cryptographic operation on the operation result of the unit data N + 1 is being performed, the operation result of the unit data M + 1 is input. Execute cryptographic operations in parallel.

  In this way, the operation of sequentially inputting the unit data divided from one data group to the arithmetic unit according to the above timing rule, the timing of inputting the unit data to the arithmetic unit for a plurality of data groups, the data group By performing different operations in parallel, each unit data is encrypted in parallel in the pipeline encryption processing unit, and the encryption processing speed for a plurality of data groups to be encrypted is improved.

[6] The cryptographic processing apparatus according to any one of [1] to [5], wherein the data group is image data for one page.

  In the above invention, the data group to be encrypted is set as image data for one page, the image data for one page is divided into unit data, and the encryption operation of each unit data of each page is pipeline encrypted. It is executed in parallel by the processing unit and encrypted (pipeline processing). Thus, in encryption, for each page (each data group), the initial vector can be used for the cryptographic operation of the first unit data, and the previous cryptographic data can be used for the cryptographic operation of the second and subsequent unit data. When this encrypted data is decrypted, if it is treated as being encrypted in units of pages, the initial vector is used to decrypt the first encrypted data of each page, and the second and subsequent encrypted data Decryption can be performed by using the previous encrypted data, and can be decrypted by a non-pipeline decryption processing unit.

[7] The cryptographic processing device according to any one of [1] to [5], wherein the data group is configured by dividing a series of data into a plurality of pieces.

  In the above invention, if a series of data is divided into a plurality of data groups to be encrypted, and the encryption of the plurality of data groups is processed in parallel by pipeline processing, the time required to encrypt the series of data is reduced. Shortened.

  For example, by dividing image data for one page into a plurality of data groups and performing parallel processing in the pipeline encryption processing unit, the encryption processing speed is improved.

[8] The data group is configured by equally dividing a series of data into the same number of stages of the pipeline structure of the pipeline encryption processing unit. The cryptographic processing device according to claim 1.

  In the above invention, a series of data is equally divided into the number of stages of the pipeline encryption processing unit to form a data group, each data group is divided into unit data, and the cryptographic operation of each unit data of each data group Are executed in parallel by the pipeline encryption processing unit and encrypted (pipeline processing).

  For example, when a series of data is divided into less than the number of stages in the pipeline encryption processing unit to form a data group and perform pipeline processing, the pipeline encryption processing unit has stages that do not perform cryptographic operations As a result, processing efficiency decreases. In addition, when a series of data is divided more than the number of stages of the pipeline encryption processing unit to form a data group and pipeline processing is performed, the number of uses of the initial vector increases and the encryption strength decreases. .

  On the other hand, if a series of data is divided into the number of stages of the pipeline encryption processing unit to form a data group, encrypted data N ′ of unit data N of the same data group is output from the pipeline encryption processing unit. Since the timing at which the data is returned to the calculation unit coincides with the timing at which the unit data N + 1 is input to the calculation unit, the unit data can be continuously input without leaving a gap, thereby enabling efficient processing.

  In this way, a series of data is equally divided into the number of stages of the pipeline encryption processing unit to form a plurality of data groups, and encryption is performed to minimize the number of times the initial vector is used. It is possible to perform efficient processing (optimization processing) in accordance with the number of stages of the pipelined encryption processing unit while suppressing a decrease in the number of times.

[9] A pipeline decoding processing unit in which a plurality of decoding processing units are connected in a pipeline structure;
A first holding unit for holding an initial vector;
The same encrypted data as the encrypted data input to the pipeline decryption processing unit is retained, and the retention is performed at a timing when an operation result for the encrypted data next to the encrypted data is output from the pipeline decryption processing unit. A second holding unit for outputting the encrypted data
A switching unit that receives timing information indicating the use timing of the initial vector, and switches the output to the initial vector held in the first holding unit or the encrypted data output from the second holding unit based on the timing information When,
A calculation unit that calculates a calculation result output from the pipeline decryption processing unit and an initial vector or encrypted data output from the switching unit;
A cryptographic processing apparatus comprising:

  In the above invention, the pipeline decryption processing unit performs decryption operation for the number of stages of the pipeline structure on the decrypted encryption data by the plurality of decryption processing units connected in the pipeline structure. The first holding unit holds an initial vector. The second holding unit holds the same encrypted data as the encrypted data input to the pipeline decryption processing unit, and the timing at which the operation result for the next encrypted data of the encrypted data is output from the pipeline decryption processing unit Output the encrypted data stored in. The arithmetic unit switches the output to the initial vector held in the first holding unit or the encrypted data output from the second holding unit based on the input timing information indicating the use timing of the initial vector. The computing unit computes the computation result output from the pipeline decryption processing unit and the initial vector or encrypted data output from the switching unit to generate decrypted data.

  In this way, by pipelining a decryption processing unit that decrypts encrypted data, the encrypted data is continuously input to the pipeline decryption processing unit, and decryption operations for the number of stages are executed in parallel. Line processing is possible. As a result, the decoding processing speed can be improved as compared with a case where a single non-pipeline decoding processing unit is used to perform a decoding process in which a decoding operation of one unit data is repeated a predetermined number of times. it can.

  In addition, the conventional decoding circuit is configured to use the initial vector only for the first decoding process. However, the timing information indicating the use timing of the initial vector is input, and the initial vector is based on the timing information. By switching the use timing, it is possible to cope with the case where decryption with the initial vector is required in the middle of the encrypted data. For example, even when encrypted data is divided into a plurality of data groups and encrypted (the initial vector is used only for the first time in each data group), information indicating the first position (boundary position) of each data group Etc., the encrypted data can be continuously decrypted using the initial vector for the initial decryption of each data group.

  Further, for example, when performing encrypted transmission of data, even if the transmitting-side encryption processing apparatus has only a general-purpose (non-pipeline) encryption processing unit in the CBC mode, the receiving-side encryption processing apparatus is connected to the pipe. The line decryption processing unit can decrypt the encrypted data to the original data by a general operation using the initial vector only for the first time and the encrypted data after the second time. Therefore, compatibility with the encryption process in the general-purpose CBC mode can be maintained.

[10] The timing information includes period information indicating a use period of the initial vector,
The switching unit outputs an initial vector held in the first holding unit for the first time based on the cycle information, and then performs an operation of switching output to encrypted data output from the second holding unit. The encryption processing device according to [9], wherein the encryption processing device is repeatedly performed in a cycle.

  In the above invention, for example, when the encrypted data decrypted by using the initial vector at a predetermined cycle in the encryption process is decrypted, the switching unit is based on the cycle information indicating the use cycle of the initial vector. Then, after the initial vector held in the first holding unit is output for the first time, the operation of switching the output to the encrypted data output from the second holding unit is repeatedly performed at a predetermined cycle, so that the initial vector is correctly decrypted.

[11] The number of times that an operation result is output from the pipeline decryption processing unit in one cycle is encrypted in the cryptographic processing device according to any one of [1] to [8]. It is the number of unit data which comprises a data group. The encryption processing apparatus as described in [10] characterized by the above-mentioned.

  In the above invention, as in the encryption processing device according to any one of [1] to [8], the encryption processing unit is pipelined and the data group to be encrypted is divided into unit data. In the case of encryption by inputting one unit data and subsequent unit data to the operation unit with a timing rule that is separated by the number of stages of the pipeline structure of the pipeline encryption processing unit, for example, a data group It is possible to perform encryption for each data group by using the initial vector for the first unit data and encrypting the remaining unit data using the previous encrypted data.

  For the encrypted data generated by such an encryption process, the number of unit data constituting the data group is set to the number of times the operation result is output from the pipeline decryption processing unit in one cycle. That is, by matching the use cycle of the initial vector with the cycle in which the pipeline decryption processing unit processes all unit data of one data group, the initial decryption of the first encrypted data of each data group The vector is used, and the previous encrypted data is used to decrypt the remaining encrypted data, and the initial vector and the encrypted data are switched for each data group in accordance with the encryption process. Therefore, it is possible to correctly decrypt the encrypted data encrypted by the cryptographic processing device according to any one of [1] to [8].

  The encryption processing apparatus according to the present invention can improve the processing speed of encryption / decryption while suppressing a decrease in encryption strength.

  Hereinafter, embodiments of the present invention will be described with reference to the drawings.

  FIG. 1 is a block diagram showing the configuration of a cryptographic processing apparatus 10 according to an embodiment of the present invention. The cryptographic processing apparatus 10 is mounted on an image forming apparatus such as a digital multifunction machine having a copy function for reading a document and forming and outputting a corresponding image on a recording sheet, and a scanner function, a printer function, a facsimile function, and the like. The image forming apparatus has a function of encrypting / decrypting image data and the like when performing various operations.

  As shown in FIG. 1, the cryptographic processing apparatus 10 includes a central processing unit (CPU) 11, a read only memory (ROM) 12, a random access memory (RAM) 13, an encryption circuit 14, and a decryption circuit 15. And a rearrangement circuit 16.

  The CPU 11 has an arithmetic processing function and also functions as a control unit (central processing unit) that controls the overall operation of the cryptographic processing device 10. The ROM 12 stores programs executed by the CPU 11 and various fixed data. The RAM 13 is a work memory that temporarily stores various data when the CPU 11 executes a program, a series of encryption target data (plain text) to be encrypted, and a series of decryption target data (to be decrypted) It functions as a data memory for storing (ciphertext).

  The encryption circuit 14 has a function of performing encryption processing on data to be encrypted stored in the RAM 13 in units of 128-bit block length based on the AES standard. The decryption circuit 15 has a function of performing decryption processing on the data to be decrypted stored in the RAM 13 in units of a 128-bit block length based on the AES standard. In addition to the data block (unit data) that performs the operation in units of the block length, the encryption circuit 14 and the decryption circuit 15 also perform an initial vector and an encryption key, which will be described later, in units of 128 bits based on the AES standard. Configured to do.

  The rearrangement circuit 16 divides the data to be encrypted stored in the RAM 13 into data groups composed of a plurality of data blocks (plaintext blocks) when the encryption circuit 14 performs encryption processing, and each data group A function of rearranging the data blocks in the order of jumping and inputting the data blocks to the encryption circuit 14, and a sequence of data blocks (ciphertext blocks) encrypted and output from the encryption circuit 14 in the original order A function of storing the ciphertext in the RAM 13 is provided. Furthermore, in the header of the ciphertext stored in the RAM 13, the encryption mode information (pipeline encryption mode information indicating that encryption has been performed by the pipeline method) and IV indicating the use timing of the initial vector IV in the encryption process are included. It also has a function of adding usage timing information (position information indicating the first position of each data group) and the like.

  Further, the rearrangement circuit 16 arranges the data blocks (ciphertext blocks) of the data to be decrypted stored in the RAM 13 into the decryption circuit 15 in order from the top when the decryption circuit 15 performs the decryption process. A function of inputting and a function of arranging data blocks (plaintext blocks) decrypted and output from the decryption circuit 15 in the order of output and storing them in the RAM 13 are provided.

  2 shows a circuit configuration of the encryption circuit 14, FIG. 3 shows a circuit configuration of the decryption circuit 15, and FIG. 4 shows a pipeline circuit included in the encryption circuit 14 and the decryption circuit 15. 40 shows a block diagram.

  As shown in FIG. 2, the encryption circuit 14 includes a pipeline encryption operation unit 20 as a pipeline encryption processing unit, an XOR operation unit 21, a selector 22, a selector control circuit 23, an input register 24, , An output register 25, a KEY register 26, and an IV register 27 are provided.

  The pipeline encryption operation unit 20 is a circuit that performs a pipeline block cipher operation based on the AES standard, and executes a cipher operation of data blocks that are continuously input in parallel and continuously outputs operation results. It has a function.

  More specifically, the encryption circuit 14 includes 11 stages of non-pipeline circuits 41 (encryption operation units) connected in series as in the pipeline circuit 40 shown in FIG. Each non-pipeline circuit 41, like the conventional non-pipeline circuit 220 (see FIG. 13), replaces the input data block (indata) (step S101), rearranges (step S102), and a matrix. Four processes of calculation (step S103) and XOR calculation (step S104) are performed in one round, and this one round is processed in one clock (CLK). Therefore, the pipeline circuit 40 having 11 stages of the non-pipeline circuit 41 performs an arithmetic process on the input data block by the non-pipeline circuit 41 of the first stage P1 at the first clock, and the second stage P2 at the second clock. Processing is performed by the non-pipeline circuit 41,... Processing is performed by the non-pipeline circuit 41 of the 11th stage P11 which is the final stage at the 11th clock, and the processed data block which is the calculation result at the 12th clock (Outdata) is output.

  In addition, when data blocks are continuously input for each clock, the pipeline circuit 40 performs the calculation for the number of stages in parallel by the 11 non-pipeline circuits 41 on the continuously input data blocks. Then, an operation (pipeline processing) for continuously outputting processed data blocks for each clock is performed.

  The KEY register 26 (see FIG. 2) is a register for holding an encryption key used in the encryption operation, and the encryption key held in the KEY register 26 is input to the pipeline encryption operation unit 20. The IV register 27 is a register for holding arbitrary data serving as the initial vector IV input to the pipeline encryption operation unit 20.

  The selector control circuit 23 controls the operation of the selector 22, and the selector 22 performs an XOR operation on either the initial vector IV held in the IV register 27 and the operation result (encryption vector) of the pipeline encryption operation unit 20. A function of selectively outputting to the unit 21 is provided.

  The input register 24 is a register that holds an encryption target data block (plaintext block) input by the rearrangement circuit 16. The XOR operation unit 21 has a function of calculating an exclusive OR between the data block to be encrypted output from the input register 24 and the initial vector IV or encryption vector output from the selector 22. The output register 25 is a register that holds an encrypted data block (ciphertext block) that is output as an operation result of the pipeline encryption operation unit 20.

  As shown in FIG. 3, the decoding circuit 15 includes a pipeline decoding operation unit 30 as a pipeline decoding processing unit, an XOR operation unit 31, a selector 32, a selector control circuit 33, an input register 34, , An output register 35, a KEY register 36, an IV register 37, and a holding register 38.

  The pipeline decoding arithmetic unit 30 is a circuit that performs a pipeline block decoding operation based on the AES standard. The pipeline decoding arithmetic unit 30 executes a decoding operation on continuously input data blocks in parallel and continuously outputs the operation results. It has a function. The pipeline decryption operation unit 30 has the same configuration as the pipeline circuit 40 described in the pipeline encryption operation unit 20 and operates in the same manner.

  The input register 34 is a register that holds a decryption target data block (ciphertext block) input by the rearrangement circuit 16, and the data block held in the input register 34 is held by the pipeline decryption operation unit 30. Input to the register 38.

  The holding register 38 is composed of, for example, a FIFO (First-In First-Out) or the like, and has a function of internally holding the data blocks input from the input register 34 and outputting them in the order of input. The holding register 38 is one stage higher than the number of stages of the pipeline decoding arithmetic unit 30 (12-stage FIFO), and at the timing when the operation result of the data block is output from the pipeline decoding arithmetic unit 30 A data block immediately preceding the data block (a previously input data block) is output.

  The KEY register 36 is a register for holding an encryption key used in the decryption operation, and the encryption key held in the KEY register 36 is input to the pipeline decryption operation unit 30. The IV register 37 is a register for holding arbitrary data to be the initial vector IV input to the pipeline decoding arithmetic unit 30.

  The selector control circuit 33 controls the operation of the selector 32, and the selector 32 sends either the initial vector IV held in the IV register 37 or the data block output from the holding register 38 to the XOR operation unit 31. It has a function to select and output.

  The XOR operation unit 31 calculates an exclusive OR of the operation result output from the pipeline decoding operation unit 30 and the initial vector IV or data block output from the selector 32. The output register 35 is a register that holds a decrypted data block (a plaintext block) that is an operation result of the XOR operation unit 31.

  The CPU 11 also functions to control the operation sequence of the encryption circuit 14, the decryption circuit 15, and the rearrangement circuit 16, and also sets data in the KEY registers 26 and 36 and the IV registers 27 and 37. Various data such as an initial vector and an encryption key used in the encryption / decryption processing are stored in an auxiliary storage device (not shown), for example, and the CPU 11 reads the data from the auxiliary storage device when the encryption processing device 10 is activated. Is set to.

  Furthermore, when performing the encryption process, the CPU 11 causes the rearrangement circuit 16 to start address information indicating the start address of the memory area where the encryption target data exists, data size information indicating the size of the encryption target data, and encryption target. Data division number information indicating the number of data divisions is output, and stage number information indicating the number of stages of the pipeline encryption operation unit 20 is output to the selector control circuit 23 of the encryption circuit 14. When performing the decryption process, IV use timing information indicating the use timing of the initial vector IV in the encryption process of the data to be decrypted is output to the selector control circuit 33 of the decryption circuit 15.

  The IV use timing information may be any information that can recognize the initial position (boundary position) of each data group configured by dividing the data to be encrypted. For example, the cycle information indicating the use cycle of the initial vector IV. , Data block number information indicating the number of data blocks constituting each data group, data size information indicating the data size of each data group, and when the data group is image data for one page, data for one page The size information, the data size of the data to be decoded and the number of divisions thereof, offset information indicating the initial position of each data group by the offset amount from the head position of the data to be decoded, and the like can be used.

  Next, the operation of encryption / decryption processing by the cryptographic processing apparatus 10 will be described.

  FIG. 5 is an operation explanatory diagram showing the operation of the encryption processing by the encryption processing apparatus 10, and FIG. 6 is a diagram of the input timing of the plaintext block to be encrypted in the encryption processing and the ciphertext block as a result of the encryption. It is a timing chart which shows an output timing.

  In the encryption processing by the encryption processing device 10, the rearrangement circuit 16 performs an operation based on the top address information, data size information, and data division number information sent from the CPU 11, and the encryption target data stored in the RAM 13. Are equally divided into the same number as the number of stages of the pipeline encryption operation unit 20 (11 equal parts) to form 11 data groups each having the same size. Further, each data group is divided into 128-bit data blocks based on the AES standard.

  In the example of FIG. 5, in order to make the explanation easy to understand, plaintext, which is data to be encrypted, stored in a predetermined area (plaintext memory area) of the RAM 13 is divided into 11 data groups (data groups 1 to 11). Each data group is divided into 100 plaintext blocks (data group 1: plaintext blocks 1 to 100, data group 2: plaintext blocks 101 to 200, data group 3: plaintext blocks 201 to 300,..., Data group 11 : Plaintext blocks 1001 to 1100).

  With respect to the data to be encrypted stored in the RAM 13, the rearrangement circuit 16 rearranges the plaintext blocks continuously arranged from 1 to 1100 in the order of skipping and inputs them to the encryption circuit 14.

  For example, as shown in FIG. 5 and FIG. 6, the first plaintext block 1 of the data group 1, the first plaintext block 101 of the data group 2, the first plaintext block 201 of the data group 3,. A first plaintext block 1001 of group 11, a second plaintext block 2 of data group 1, a second plaintext block 102 of data group 2, a second plaintext block 202 of data group 3,. The 100th plaintext block 990, the 100th plaintext block 1000 of the data group 10, the 100th plaintext block 1100 of the data group 11, and so on are rearranged in the order of skipping the 100th plaintext block 1 to the encryption circuit. 14 In addition, the rearranged plaintext blocks are set to 11 as one set, and the set is processed in one cycle.

  The input register 24 of the encryption circuit 14 holds plaintext blocks that are rearranged in the above-described order and sequentially outputs the held plaintext blocks to the XOR operation unit 21 in that order.

  On the other hand, the selector control circuit 23 performs an operation based on the stage number information of the pipeline encryption operation unit 20 sent from the CPU 11 and determines the use timing of the initial vector IV.

  For example, for the data to be encrypted (plaintext) in FIG. 5, the initial vector IV is input to the XOR operation unit 21 only in the first cycle, and the encryption output from the pipeline encryption operation unit 20 in the second cycle and thereafter. The selector 22 is switched so that the sentence block is input to the XOR operation unit 21 as an encryption vector. As a result, the selector 22 inputs the initial vector IV held in the IV register 27 to the XOR operation unit 21 in the first cycle (see FIG. 6).

  In the first cycle, the XOR operation unit 21 selects the first set of plaintext block 1, plaintext block 101, plaintext block 201,..., Plaintext block 1001, and selector 22 from the IV register 27. An exclusive OR operation is performed on the initial vector IV input via the network, and the operation result of each plaintext block is sequentially output to the pipeline encryption operation unit 20.

  The pipeline encryption operation unit 20 applies an encryption key held in the KEY register 26 and an 11-stage encryption operation unit to the operation result of each plaintext block in the first set sequentially input from the XOR operation unit 21. The cipher operations based on the AES standard for the number of stages are executed in parallel, and ciphertext blocks as the operation results are sequentially output to the output register 25 and the selector 22.

  As shown in FIGS. 5 and 6, the output register 25 sequentially holds the first set of ciphertext block 1 ′, ciphertext block 101 ′, ciphertext block 201 ′,..., Ciphertext block 1001 ′. The rearrangement circuit 16 rearranges the ciphertext blocks held in the output register 25 in the original order and stores them in another area (ciphertext memory area) of the RAM 13. Specifically, the ciphertext block 1 ′ is stored first in the data group 1 ′, the ciphertext block 101 ′ is stored first in the data group 2 ′, and the ciphertext block 201 ′ is stored in 1 of the data group 3 ′. The ciphertext block 1001 ′ is stored in the first of the data group 11 ′.

  Since the number of stages of the pipeline encryption operation unit 20 is 11, the ciphertext block 1 ′ obtained by encrypting the plaintext block 1 input at the beginning of the first cycle (first clock) is the first cycle. After the plaintext block 11 is input to the pipeline encryption operation unit 20 at the end of the first cycle (11th clock), the first plaintext block 2 in the second cycle is input to the XOR operation unit 21 (12th clock) Is output from the pipeline encryption operation unit 20. Similarly, the ciphertext blocks 101 ′, 201 ′,..., 1001 ′ obtained by encrypting the plaintext blocks 101, 201,. The 100th and subsequent plaintext blocks 102, 202,..., 1002 are output from the pipeline encryption operation unit 20 at the timing (13th, 14th,..., 22nd clock) input to the XOR operation unit 21.

  In the second cycle, the selector 22 inputs the ciphertext blocks 101 ′, 201 ′,..., 1001 ′ output from the pipeline encryption operation unit 20 to the XOR operation unit 21 as cipher vectors (see FIG. 6). ).

  In the second cycle, the XOR operation unit 21 receives a second set of plaintext blocks 2, 102, 202,..., 1002 that are sequentially input from the input register 24, and the pipeline encryption operation unit 20 via the selector 22. Performs an exclusive OR operation with the ciphertext blocks 101 ′, 201 ′,..., 1001 ′ as input cipher vectors, and sequentially outputs the operation result of each plaintext block to the pipeline encryption operation unit 20. .

  In this way, the plaintext block N and the plaintext block N + 1 are input to the XOR operation unit 21 with a timing rule that is separated by the number of stages of the pipeline encryption operation unit 20, and the plaintext block N + 1 is a ciphertext block obtained by encrypting the plaintext block N. N ′ is input to the XOR operation unit 21 at the timing output from the pipeline encryption operation unit 20, and the input timing to the ciphertext block N ′ and the XOR operation unit 21 can be matched. Thereby, encryption of the plaintext block N + 1 performed by feeding back the ciphertext block N ′ as an encryption vector to the input side is realized.

  Similar to the first cycle, the pipeline encryption operation unit 20 applies the encryption key held in the KEY register 26 to the operation results of the second set of plaintext blocks sequentially input from the XOR operation unit 21. The 11-stage encryption operation unit executes the encryption operation based on the AES standard for the number of stages in parallel, and sequentially outputs the ciphertext block as the operation result to the output register 25 and the selector 22.

  As shown in FIGS. 5 and 6, the second set of ciphertext blocks 2 ′, 102 ′, 202 ′,..., 1002 ′ are sequentially held in the output register 25, and the rearrangement circuit 16 outputs The ciphertext blocks held in the register 25 are rearranged in the original order and stored in another area of the RAM 13. Specifically, the ciphertext block 2 ′ is stored in the second data group 1 ′, the ciphertext block 102 ′ is stored in the second data group 2 ′, and the ciphertext block 202 ′ is stored in the second data group 3 ′. The ciphertext block 1002 ′ is stored in the second of the data group 11 ′.

  Similarly to the second cycle, the ciphertext blocks in the previous set are input to the XOR operation unit 21 as the cipher vector in the third and subsequent cycles, and each plaintext data in the next set is encrypted, and a pipeline encryption operation is performed. The ciphertext blocks sequentially output from the unit 20 and held in the output register 25 are rearranged in the original order and stored in the RAM 13, and the encryption of a total of 1100 plaintext blocks is completed in 100 cycles. As a result, the ciphertext blocks 1 ′ to 1100 ′ are sequentially arranged in the RAM 13 and stored as a series of ciphertexts. The ciphertext header includes pipeline encryption mode information indicating that the reordering circuit 16 has encrypted the data in the pipeline method, and IV usage indicating the use timing of the initial vector IV in the encryption process. Timing information (position information indicating the first position of each data group) is added. In the decryption of the ciphertext, the determination of the decryption mode (pipeline / non-pipeline) and the use timing of the initial vector IV are determined based on the information added to the header.

  FIG. 7 is a timing chart showing the input timing of the decrypted ciphertext block and the output timing of the decrypted plaintext block in the decryption process.

  In the decryption processing by the cryptographic processing device 10, the rearrangement circuit 16 inputs the ciphertext blocks of the data to be decrypted stored in the RAM 13 to the decryption circuit 15 in order from the top. For example, as shown in FIG. 7, the first ciphertext block 1 ′, the second ciphertext block 2 ′, the third ciphertext block 3 ′, etc. are decrypted in order from the top. Input to the circuit 15.

  The input register 34 of the decryption circuit 15 holds the ciphertext blocks input in the above order, and sequentially outputs the held ciphertext blocks to the pipeline decryption operation unit 30 and the holding register 38 in that order.

  For each ciphertext block sequentially input from the input register 34, the pipeline decryption operation unit 30 uses the encryption key held in the KEY register 36 and the AES standard corresponding to the number of stages in the 11-stage decryption operation unit. The decoding operation based on the data is executed in parallel, and the data block of the operation result is sequentially output to the XOR operation unit 31.

  Since the number of stages of the pipeline decryption operation unit 30 is 11, the operation result (plaintext block 1 XOR initial vector IV) obtained by decrypting the ciphertext block 1 ′ (N ′) input first is After the ciphertext block 11 ′ is input to the pipeline decryption operation unit 30, the pipeline decryption is performed at the timing when the next ciphertext block 12 ′ (N ′ + 11) is input to the pipeline decryption operation unit 30. Output from the arithmetic unit 30. After this output, the operation result obtained by decrypting the ciphertext block 2 ′ input after the second (plaintext block 2 XOR ciphertext block 1 ′) and the operation result obtained by decrypting the ciphertext block 3 ′ (plaintext block 3) XOR ciphertext block 2 ′)... Are continuously output from the pipeline encryption operation unit 20.

  The holding register 38 holds the ciphertext block input from the input register 34 and outputs the ciphertext block in the input order, and outputs the operation result of the ciphertext block (N ′ + 1) from the pipeline decryption operation unit 30. At the timing, the ciphertext block (N ′) immediately before the ciphertext block is output.

  On the other hand, the selector control circuit 33 determines the use timing of the initial vector IV based on the IV use timing information sent from the CPU 11 and indicating the use timing of the initial vector IV in the encryption process of the data to be decrypted.

  For example, in the case of the encrypted data encrypted in the example of FIG. 5, the first ciphertext block 1 ′, the 101st ciphertext block 101 ′, the 201st ciphertext block 201 ′,. In the ciphertext block 1001 ′, the initial vector IV is input to the XOR operation unit 31 by skipping the number 100 from the ciphertext block 1 ′, and the ciphertext output from the holding register 38 for the other ciphertext blocks. The selector 32 is controlled so as to input the block to the XOR operation unit 31. Thereby, the selector 32 inputs the initial vector IV held in the IV register 37 only to the ciphertext blocks 1 ′, 101 ′, 201 ′,..., 1001 ′ to the XOR operation unit 31, For other ciphertext blocks, the ciphertext block output from the holding register 38 is input to the XOR operation unit 31.

  The XOR operation unit 31 operates on the operation results of the ciphertext blocks 1 ′, 101 ′, 201 ′,..., 1001 ′ among the operation results of the ciphertext blocks sequentially input from the pipeline decryption operation unit 30. The exclusive OR operation with the initial vector IV input from the IV register 37 via the selector 32 is performed, and the operation result of the other ciphertext block (N ′ + 1) is obtained from the holding register 38. An exclusive OR operation with the ciphertext block (N ′) to be output is performed, and the decrypted plaintext block as the operation result of each ciphertext block is sequentially output to the output register 35.

  The decrypted plaintext blocks 1, 2, 3,... Are sequentially held in the output register 35, and the rearrangement circuit 16 arranges the plaintext blocks held in the output register 35 in the order of output and stores them in the RAM 13. Thereby, the plaintext blocks 1 to 1100 are sequentially arranged and stored in the RAM 13 in order.

  As described above, in the encryption processing apparatus 10 of the present embodiment, in the encryption process, the ciphertext block output from the pipeline encryption operation unit 20 is returned to the input and used for encryption of the next plaintext block. As a result, the encryption process has a high strength, and a decrease in the encryption strength can be suppressed as compared with an encryption process in which the ciphertext block is returned to the input and the next plaintext block is not encrypted.

  In addition, since the encryption operation unit of the encryption circuit 14 that performs the encryption operation of the plaintext block is pipelined, the pipeline encryption operation unit 20 receives the operation results continuously from the XOR operation unit 21. In addition, it is possible to execute cryptographic operations for the number of stages in parallel on the operation results that are continuously input, perform pipeline processing, and continuously generate and output encrypted data. For example, as described with reference to FIG. 5, if encryption is performed with a plurality of sets of data groups, a single non-pipeline encryption operation unit is used to repeat encryption operations for one plaintext block a predetermined number of times. Compared to the encryption process, the encryption processing speed can be improved.

  In particular, in the present embodiment, a series of data to be encrypted is equally divided into the same number as the number of stages of the pipeline encryption operation unit 20 to form 11 data groups, and each data group is a block data based on the AES standard. By dividing each block data and performing encryption operations on each block data of each data group in parallel by the pipeline encryption operation unit 20 (pipeline processing), for example, a series of data to be encrypted As in the case where the number of stages is less than the number of stages, the pipeline encryption operation unit 20 generates a stage in which the cryptographic operation is not performed and the processing efficiency is reduced, or a series of data is compared with the number of stages of the pipeline encryption operation unit 20. As in the case where the number of divided initial vectors IV is increased, the number of times the initial vector IV is used and the encryption strength is reduced.

  If the number of data groups formed by dividing a series of data to be encrypted is equal to or greater than the number of stages of the pipeline encryption operation unit 20, plaintext blocks are continuously transmitted to the pipeline encryption operation unit 20 without leaving a gap. Since the pipeline processing can be repeatedly performed by inputting, the processing efficiency is improved. On the other hand, the smaller the number of data groups, the smaller the number of uses of the initial vector IV, and the lowering of the encryption strength can be suppressed. Therefore, in order to perform efficient pipeline processing while minimizing the number of uses of the initial vector IV and maintaining high encryption strength, the number of data groups is changed to a pipeline encryption operation unit as in this embodiment. Most preferably, the number of stages is equal to 20, and the optimization process is realized by this condition.

  Further, the initial vector IV is used only in the first cycle for continuously encrypting the first block data of each data group, and the second cycle for continuously encrypting the second and subsequent block data of each data group. Thereafter, since it is sufficient to perform encryption using encrypted data, the management of switching between the initial vector IV and the encrypted data is also simplified.

  In the decryption circuit 15, the decryption operation unit that performs the decryption operation on the ciphertext block is pipelined. In the decryption process, the ciphertext block is continuously input to the pipeline decryption operation unit 30. Decoding operations for the number of stages can be executed in parallel to perform pipeline processing. As a result, the decryption processing speed can be improved as compared with a decryption process in which a decryption operation of one ciphertext block is repeated a predetermined number of times using a single non-pipeline decryption operation unit.

  Also, in the decryption process, by matching the use timing of the initial vector IV with the encryption process, it is possible to decrypt any ciphertext block encrypted by either the pipeline or non-pipeline encryption operation unit. Thus, compatibility with the encryption process in the general-purpose CBC mode can be maintained.

  Note that when printing scanned image data in a multi-function peripheral, it is suitable to encrypt with a pipeline circuit and decrypt with a pipeline circuit. When scanning scanned image data over a network, the pipeline circuit It is suitable to encrypt with the non-pipeline circuit. In addition, when printing data received by FAX, it is suitable to encrypt with a non-pipeline circuit and decrypt with a pipeline circuit.

  The embodiment of the present invention has been described with reference to the drawings. However, the specific configuration is not limited to that shown in the embodiment, and there are changes and additions within the scope of the present invention. Are also included in the present invention.

  For example, in the encryption process in the embodiment, the plaintext block N and the subsequent plaintext block N + 1 are input to the XOR operation unit 21 with a timing rule that is separated by the number of stages of the pipeline encryption operation unit 20. However, it may be inputted to the XOR operation unit 21 with a timing rule that is separated from the number of stages of the pipeline encryption operation unit 20. In that case, by providing a circuit for delaying the input timing of the ciphertext block N ′ obtained by encrypting the plaintext block N to the XOR operation unit 21, the XOR operation unit 21 between the ciphertext block N ′ and the plaintext block N + 1 is provided. The input timing is adjusted.

  In addition, the entire data to be encrypted is equally divided into the number of stages of the pipeline encryption operation unit 20 and the pipeline processing of the encryption operation is performed, but from the number of stages of the pipeline encryption operation unit 20 It is also possible to divide the number into large numbers and perform cryptographic computation pipeline processing. The most efficient processing in the encryption processing using the pipeline circuit is the number of data groups formed by dividing the data to be encrypted = the number of stages of the pipeline encryption operation unit 20, but the number of data groups However, even if the number of stages of the pipeline encryption operation unit 20 is different, for example, after the second cycle, pipeline processing can be performed by shifting the input timing of the initial vector IV and the ciphertext block.

  Further, in an image forming apparatus such as a digital multi-function peripheral as in the embodiment, a data group to be encrypted is used as image data for one page, and the image data for one page is each plaintext block having a predetermined block length. In other words, the encryption operation of each plaintext block of each page may be executed in parallel by the pipeline encryption operation unit 20 and encrypted. As a result, for encryption, for each page (each data group), the initial vector IV is used for the cipher operation of the first plaintext block, and the previous ciphertext block is used for the cipher operation of the second and subsequent plaintext blocks. When this encrypted data is decrypted, if it is treated as being encrypted in units of pages, the initial vector IV is used to decrypt the first ciphertext block of each page, and the second The subsequent ciphertext block can be decrypted by using the previous ciphertext block, and can be decrypted even by a device that does not perform switching control based on the IV use timing information.

It is a block diagram which shows the structure of the encryption processing apparatus which concerns on embodiment of this invention. It is a circuit block diagram which shows the encryption circuit which concerns on embodiment of this invention. It is a circuit block diagram which shows the decoding circuit which concerns on embodiment of this invention. It is a block diagram which shows the pipeline circuit which concerns on embodiment of this invention. It is explanatory drawing which shows the operation | movement of the encryption process by the encryption processing apparatus which concerns on embodiment of this invention. It is a timing chart which shows the operation timing of the encryption process by the encryption processing apparatus which concerns on embodiment of this invention. It is a timing chart which shows the operation timing of the decoding process by the encryption processing apparatus which concerns on embodiment of this invention. It is a circuit block diagram which shows the conventional encryption circuit. It is a circuit block diagram which shows the conventional decoding circuit. (A) is a process diagram showing an encryption process in the CBC mode, and (B) is a process diagram showing a decryption process in the CBC mode. It is a timing chart which shows the operation timing of the encryption process by the conventional encryption circuit. It is a timing chart which shows the operation timing of the decoding process by the conventional decoding circuit. It is a block diagram which shows the conventional nonpipeline circuit. It is a timing chart which shows the data output timing by the conventional nonpipeline circuit.

Explanation of symbols

10: Cryptographic processing device 11 ... CPU
12 ... ROM
13 ... RAM
DESCRIPTION OF SYMBOLS 14 ... Encryption circuit 15 ... Decryption circuit 16 ... Rearrangement circuit 20 ... Pipeline encryption operation part 21 ... XOR operation part 22 ... Selector 23 ... Selector control circuit 24 ... Input register 25 ... Output register 26 ... KEY register 27 ... IV register 30 ... Pipeline decoding arithmetic unit 31 ... XOR arithmetic unit 32 ... Selector 33 ... Selector control circuit 34 ... Input register 35 ... Output register 36 ... KEY register 37 ... IV register 38 ... Holding register 40 ... Pipeline circuit 41 ... Non-pipeline circuit

Claims (11)

A pipeline encryption processing unit in which a plurality of encryption processing units are connected in a pipeline structure;
An arithmetic unit that calculates the unit data to be input and the encrypted data output from the pipeline encryption processing unit, and inputs the operation result to the pipeline encryption processing unit;
The data group to be encrypted is divided into unit data, and one unit data and subsequent unit data are separated by at least the number of stages of the pipeline structure of the pipeline encryption processing unit according to the timing rule. A control unit that inputs to the computation unit;
A cryptographic processing apparatus comprising: A holding register to hold the initial vector;
When the first encryption for the data group is performed, a switching unit that inputs an initial vector held in the holding register instead of the encrypted data to the arithmetic unit;
The cryptographic processing apparatus according to claim 1, further comprising: The control unit inputs the subsequent unit data to the arithmetic unit at a timing when the encrypted data of the one unit data is returned to the arithmetic unit via the pipeline encryption processing unit. 3. The cryptographic processing apparatus according to 1 or 2. The control unit sequentially arranges the encrypted data of the one unit data and the encrypted data of the subsequent unit data that are output separately from the pipeline encryption processing unit according to the timing rule. The cryptographic processing apparatus according to any one of claims 1 to 3. The control unit performs an operation of sequentially inputting unit data divided from one data group to the arithmetic unit according to the timing rule, and a timing for inputting the unit data to the arithmetic unit for a plurality of data groups. The encryption processing apparatus according to claim 1, wherein the encryption processing apparatuses are performed in parallel with different data groups. The encryption processing apparatus according to claim 1, wherein the data group is image data for one page. The cryptographic processing apparatus according to any one of claims 1 to 5, wherein the data group is configured by dividing a series of data into a plurality of pieces. 6. The data group according to claim 1, wherein the data group is configured by equally dividing a series of data into the same number of stages of the pipeline structure of the pipeline encryption processing unit. The cryptographic processing device according to 1. A pipeline decoding processing unit in which a plurality of decoding processing units are connected in a pipeline structure;
A first holding unit for holding an initial vector;
The same encrypted data as the encrypted data input to the pipeline decryption processing unit is retained, and the retention is performed at a timing when an operation result for the encrypted data next to the encrypted data is output from the pipeline decryption processing unit. A second holding unit for outputting the encrypted data
A switching unit that receives timing information indicating the use timing of the initial vector, and switches the output to the initial vector held in the first holding unit or the encrypted data output from the second holding unit based on the timing information; ,
A calculation unit that calculates a calculation result output from the pipeline decryption processing unit and an initial vector or encrypted data output from the switching unit;
A cryptographic processing apparatus comprising: The timing information includes period information indicating a use period of the initial vector,
The switching unit outputs an initial vector held in the first holding unit for the first time based on the cycle information, and then performs an operation of switching output to encrypted data output from the second holding unit. The encryption processing apparatus according to claim 9, wherein the encryption processing apparatus is repeatedly performed in a cycle. The number of times that the operation result is output from the pipeline decryption processing unit in the one cycle is the number of data groups to be encrypted in the cryptographic processing device according to any one of claims 1 to 8. The encryption processing apparatus according to claim 10, wherein the number of unit data is configured.

Images