JP2015173497A - Electronic apparatus - Google Patents

Abstract

PROBLEM TO BE SOLVED: To provide an electronic apparatus that downsizes an arithmetic unit.SOLUTION: An electronic apparatus is constituted by: a storage unit: an arithmetic unit; and an interface unit electrically connected to an external apparatus. The arithmetic unit comprises: an arithmetic section for executing first arithmetic processing and second arithmetic processing used in an encryption method on data to be target data of the first arithmetic processing and the second arithmetic processing; a control section 111 which controls the arithmetic section so that the first arithmetic processing and the second arithmetic processing are executed in order specified by the encryption method and outputs specific information showing a work region of the storage unit or a data type to be used by the first arithmetic processing and the second arithmetic processing; and a generation section 114 for generating an address in the storage unit to be used by the first arithmetic processing and the second arithmetic processing, on the basis of a first counter value of the first arithmetic processing and a second counter value of the second arithmetic processing whose number of times of update agrees with that of the first counter value and the specific information.

Description

  Embodiments described herein relate generally to an electronic apparatus.

AES (Advanced Encryption Standard) is an American standard encryption method and is used in various fields. Various studies have been conducted on the downsizing (reducing the circuit scale of hardware) of a circuit (AES arithmetic circuit) that executes AES.

M. Feldhofer, J. Wolkerstorfer, and V. Rijmen, "AES Implem entation on a Grain of Sand", IEE Proceedings Information Security, vol. 152, pp. 13-20, 2005.

  There are cases in which miniaturization is insufficient with the methods of the prior art.

The electronic device according to the embodiment executes the first arithmetic processing and the second arithmetic processing used in the storage device and the encryption method on the data that is the target of the first arithmetic processing and the second arithmetic processing. And controlling the arithmetic unit so that the first arithmetic processing and the second arithmetic processing are executed in the order determined by the encryption method, and the first arithmetic processing and the second arithmetic processing A control unit for outputting specific information indicating the work area of the storage device or the type of data used for the second arithmetic processing, the first counter value of the first arithmetic processing, the first counter value, and the number of updates. A generating unit configured to generate an address in the storage device used for the first calculation process and the second calculation process based on the matching second counter value of the second calculation process and the specific information; A computing device comprising: Having an interface unit which is part device electrically connected, the.

The block diagram of the electronic device containing the encryption apparatus concerning 1st Embodiment. 1 is a block diagram of an encryption device according to a first embodiment. The figure for demonstrating the meaning of each command in a pseudo code. The block diagram of ALU concerning a 1st embodiment. The figure which shows the example of a process of ld instruction | indication. The figure which shows the process example of st instruction. The figure which shows the process example of a xor instruction. The figure which shows the process example of a sbox and xtime instruction | indication. The block diagram of the encryption process part concerning 1st Embodiment. The figure which shows the address space used in 1st Embodiment. FIG. 3 is a block diagram of an address generation unit according to the first embodiment. The figure which shows the input / output of the function corresponded to each circuit of FIG. The flowchart of the encryption process in 1st Embodiment. The detailed version of pseudo code is rewritten as a state transition table. The figure showing how to read each item of a state transition table. The block diagram of the address generation part concerning the modification of 1st Embodiment. The figure which shows the input / output of the function corresponded to each circuit of FIG. The block diagram of the decoding apparatus concerning 2nd Embodiment. The block diagram of ALU concerning a 2nd embodiment. The flowchart of the decoding process in 2nd Embodiment.

Exemplary embodiments of an arithmetic device according to the present invention will be described below in detail with reference to the accompanying drawings. Below, the example which applied the arithmetic unit to the encryption apparatus (1st Embodiment) and decryption apparatus (2nd Embodiment) of an AES encryption system is demonstrated. Note that applicable apparatuses are not limited to this.

(First embodiment)
So far, research on downsizing the AES arithmetic circuit has focused on reducing the size of the entire AES arithmetic circuit including the memory element. If the AES arithmetic circuit is used alone, it is meaningful to reduce the size of the entire AES arithmetic circuit. In reality, the AES arithmetic circuit is used by being incorporated in some device (electronic device). For this reason, it is necessary to reduce the size of the AES arithmetic circuit in consideration of such a use situation. But until now, AE
There has been no research on downsizing considering that the S arithmetic circuit is incorporated in another device (system).

In general, a system includes a storage device intended to be used for other purposes, for example, a communication buffer (RAM (Random Access Memory) or the like). Therefore, the encryption device according to the first embodiment diverts such a storage device when using the AES arithmetic circuit. Thereby, it is not necessary to provide a storage device in the AES arithmetic circuit, and further miniaturization can be realized.

In this way, if the storage device in the system in which the AES arithmetic circuit is incorporated is diverted, it is meaningful to reduce the size of the AES arithmetic circuit excluding the storage element in view of the entire system. There has never been an example considering miniaturization of the AES arithmetic circuit based on such a viewpoint.

Next, an outline of the configuration of the encryption apparatus according to this embodiment will be described. In the AES cipher, operation processing is basically executed in units of bytes. ShiftRows is a 16-byte rearrangement. In order to actually rearrange with ShiftRows, a storage device as a buffer is required in addition to 16 bytes. MixColumns is conversion in units of 4 bytes. However, conversion cannot be executed unless 4 bytes of input are prepared.

In the present embodiment, AES is realized with only five types of necessary instructions (pseudo instructions). 5
The types of instructions include three types of arithmetic processing instructions (sbox, xtime, and xor) and two types of memory access instructions (ld (load) and st (store)). An 8-bit accumulator is provided as a register for storing the operation result.
In addition, a control unit that is a sequential machine that executes the AES cipher with hardware according to these instructions is provided. Details of the command and each component will be described later.

FIG. 1 is a block diagram illustrating an example of a configuration of an electronic device 10 including an encryption device 100 according to the first embodiment. As shown in FIG. 1, the electronic device 10 includes an encryption device 100, an input / output interface (input / output IF) 200, a storage device 300, and a key storage device 400.

The storage device 300 stores various data handled by the electronic device 10. The storage device 300 is a storage medium that can access the data by designating an address for storing the data. The storage device 300 can be constituted by a RAM, for example.

The input / output IF is an interface for transmitting / receiving data to / from the outside in accordance with an instruction from a control circuit (not shown). The key storage device 400 stores key information used in the encryption process. The encryption device 100 is connected to the storage device 300 and executes an AES encryption method. The storage device 300 may use a page buffer RAM. The key storage device 400 may use a NAND flash. The storage device 300 is a volatile memory or a nonvolatile memory. The key storage device 400 is a nonvolatile memory. Further, the storage device 300 and the key storage device 400 may use physically the same memory.

  For example, the control circuit executes AES encryption as follows.

(1) Data to be encrypted (message) is read via the input / output IF, and the storage device 300
Write to.

(2) Read key information from the key storage device 400 and write it to the storage device 300.

(3) Instruct the encryption apparatus 100 to perform computation. As a result, the ciphertext that is the processing result of the operation is written in the storage device 300.

FIG. 2 is a block diagram illustrating an example of the configuration of the encryption device 100 according to the first embodiment. As illustrated in FIG. 2, the encryption device 100 includes an encryption processing unit 110 and an arithmetic unit A.
An LU (Arithmetic Logic Unit) 120 and an accumulator 130 are provided.

The encryption processing unit 110 controls the operation of the AES encryption processing according to the control signal from the control circuit of the electronic device 10 described with reference to FIG. 1, and outputs a status signal indicating the state of the operation. Details of the encryption processing unit 110 will be described later.

The ALU 120 performs an operation in accordance with information indicating the function selected by the encryption processing unit 110 (“function selection” in FIG. 2). The ALU 120 encrypts the encryption processing unit 110 as necessary.
The operation is performed on the data at the address specified by.

The accumulator 130 is a register for storing the calculation result by the ALU 120. Data stored in the accumulator 130 is written into the storage device 300 in response to an instruction from the encryption processing unit 110.

The encryption device 100 uses a part of the storage area of the storage device 300 to perform AES.
Perform cryptographic operations. The breakdown of the storage area required in the storage device 300 is as follows.

The size of the entire storage area to be used = 49 bytes. Input message m = 16 bytes. Input key k = 16 bytes. Work area w = 16 bytes. Round constant rc = 1 byte. The sentence is overwritten on message m.

  The usage method of the encryption apparatus 100 of FIG. 2 is as follows.

-Input data (message m (16 bytes) and key k (16 bytes) in the storage device 300
The execution of the encryption device 100 is started. The execution of the encryption device 100 is awaited. The calculation result is written in the storage device 300, so the calculation result is read from the storage device 300. Here, according to the present embodiment A pseudo code of the encryption process of the AES encryption method will be described. First, a simplified pseudo code (simplified pseudo code) is described.

// m = AES (m, k)
// input m: message, k: key
round = 0
rc = 0x01
m = AK (m, k) // AddRoundKey
while (1) {
k = KS (k) // KeyExpansion
m = SB (m) // SubBytes
w = SR (m) // ShiftRows
round = round + 1
if (round == 10) break; // exit while loop
m = MC (w) // MixColumns
m = AK (m, k) // AddRoundKey
rc = xtime (rc) // rc update
}
m = AK (w, k) // AddRoundKey
Each function in the pseudo code corresponds to a function defined by the AES cipher as follows. The functions defined in each AES cipher are each FIPS197 (Federal Information Processing Sta
ndards Publication 197, the National Institute of Standards and Technology (NIST
)) Is a function defined.

AK: AddRoundKey
KS: KeyExpansion
MC: MixColumns
SB: SubBytes
SR: ShiftRows
Next, detailed AES pseudo code (detailed version pseudo code) is described. The detailed version pseudo code includes a code that embodies each function (AK, KS, SB, SR, MC, etc.) of the simplified version pseudo code.

round = 0
rc = 0x01
// AddRoundKey: m = AK (m, k)
for (i = 0; i <16; i ++) {
ld m [i]
xor k [i]
st m [i]
}
while (1) {
// KeyExpansion: k = KS (k)
for (i = 0; i <16; i ++) {
ld k [kp (i)]
if (i <4) {
sbox
if (i == 0) xor rc
}
xor k [i]
st k [i]
}
// SubBytes: m = SB (m)
for (i = 0; i <16; i ++) {
ld m [i]
sbox
st m [i]
}
// ShiftRows: w = SR (m)
for (i = 0; i <16; i ++) {
ld m [sr (i)]
st w [i]
}
// loop control
round = round + 1
if (round == 10) break; // exit while loop
// MixColumns: m = MC (w)
for (i = 0; i <16; i ++) {
ld w [i]
xor w [ofs1 (i)]
xtime
xor w [ofs1 (i)]
xor w [ofs2 (i)]
xor w [ofs3 (i)]
st m [i]
}
// AddRoundKey: m = AK (m, k)
for (i = 0; i <16; i ++) {
ld m [i]
xor k [i]
st m [i]
}
// rc update: rc = xtime (rc)
ld rc
xtime
st rc
}
// AddRoundKey: m = AK (w, k)
for (i = 0; i <16; i ++) {
ld w [i]
xor k [i]
st m [i]
}
// end
FIG. 3 is a diagram for explaining the meaning of each instruction in the pseudo code. FIG. 3 describes an expression (separate expression) representing each instruction in a different expression, and an explanation representing the contents of the instruction. Acc in FIG. 3 corresponds to the accumulator 130. 3 corresponds to the data of the designated address in the storage device 300.

The XTIME function is an 8-bit input / output function, for example, and is represented by the following equation (1). msb (x) represents the most significant bit of x.

(Msb (x) == 0)? (X << 1): (x << 1) ^ 0x1b (1)
Thus, in this embodiment, five types of instructions, sbox, xtime, and xor
, Ld, and st realize AES.

FIG. 4 is a block diagram illustrating an example of the configuration of the ALU 120 according to the first embodiment.
As shown in FIG. 4, the ALU 120 includes an XTIME 121, an SBOX 122, and an XOR1.
23 and a selector 124. XTIME 121, SBOX 122, and XOR 123 are the above-described three types of arithmetic processing (sbox, xtime, and
xor). The selector 124 selects the data (LD) read from the storage device 300, the calculation result of the XTIME 121, the calculation result of the SBOX 122, and the XOR.
One of the operation results of 123 is selected and output. In this way, the ALU 120 follows the designation of function selection by the encryption processing unit 110, and ld, xtime, sbox, and
One of the four arithmetic processes of xor is executed.

Next, a flow of processing in the encryption device 100 when five types of instructions are executed is shown in FIG.
Will be described with reference to FIG. FIG. 5 is a diagram illustrating a processing example in the encryption device 100 when the ld instruction is executed.

In the ld instruction, an address is specified (output) from the encryption processing unit 110, and the storage device 300
The data at the designated address is read out, and the accumulator 1 is transmitted via the ALU 120.
30 is written. “Acc-we” in FIG. 5 represents a signal instructing writing to the accumulator 130. “Read” in FIG. 5 represents a signal instructing reading of data from the storage device 300.

FIG. 6 is a diagram illustrating a processing example in the encryption device 100 when the st instruction is executed. s
In the t instruction, an address is designated (output) from the encryption processing unit 110, and the accumulator 13
Data stored in 0 is written to a specified address in the storage device 300. In order to show that the data stored in the accumulator 130 is not changed, in FIG.
The c-we signal is overlined to indicate negation. “Write” represents a signal instructing data writing to the storage device 300.

FIG. 7 is a diagram illustrating a processing example in the encryption device 100 when the xor instruction is executed.
In the xor instruction, an address is designated (output) from the encryption processing unit 110, and the result of the exclusive OR operation between the data stored in the accumulator 130 and the data at the designated address in the storage device 300 is the accumulator. 130 is written.

FIG. 8 is a diagram illustrating a processing example in the encryption device 100 when the sbox and xtime instructions are executed. Although the functions used in sbox and xtime are different, the operations are the same, and are therefore collectively shown in the same figure. In the sbox instruction (xtime instruction), the result of applying the SBOX function (XTIME function) to the data stored in the accumulator 130 is written back to the accumulator 130.

FIG. 9 is a block diagram illustrating an example of the configuration of the encryption processing unit 110 according to the first embodiment. As shown in FIG. 9, the encryption processing unit 110 includes a control unit 111, a round counter 1
12, an index register 113, and an address generation unit 114.

The control unit 111 outputs various control signals in accordance with control signals from an external device such as a control circuit (not shown) of the electronic device 10, and performs encryption processing according to a procedure determined according to the AES encryption method. Control operations. A dotted line in FIG. 9 represents that a control signal is output from the control unit 111 to each unit. Details of this control signal will be described later.

For example, a control signal such as a signal for resetting the calculation of the AES encryption and a signal for instructing the start of the calculation is input to the control unit 111. The control unit 111 outputs a status signal (busy, completion, etc.) indicating the processing state to, for example, a control signal input source.

The ALU function selection represents a signal indicating which function (calculation) is to be executed on the ALU 120. Acc writing represents a signal for designating whether or not to write data to the accumulator 130. The memory R / W reads data from the storage device 300 (R),
It represents a signal for designating whether to write data to the storage device 300 (W).

The round counter 112 is a counter for counting the number of rounds of AES encryption. The round counter 112 can be configured by a flip-flop, for example.

The index register 113 is a register that stores a counter value (ix) used by the address generation unit 114 to generate an address. In the present embodiment, the index register 113 stores a 4-bit counter value.

The address generation unit 114 generates and outputs a 6-bit address from the 2-bit value (page) output from the control unit 111 and the 4-bit counter value ix of the index register 113.

Here, the address space of the storage area in the storage device 300 used in the encryption device 100 of this embodiment will be described. FIG. 10 is a diagram illustrating an example of an address space used in the first embodiment.

FIG. 10 shows an example in which addresses that are consecutive in the order of message m, key k, work area w, and round constant rc are used. The order of addresses is not limited to this.
For example, if the address of each byte of 16-byte data (message m, key k) or 16-byte work area w is continuous, the address of each data or work area may not be continuous.

FIG. 11 is a block diagram illustrating an example of the configuration of the address generation unit 114 according to the first embodiment. As shown in FIG. 11, the address generation unit 114 includes kp1001 and sr100.
2, ofs1 (1011) (hereinafter simply referred to as ofs1), ofs2 (1012) (
Hereinafter, it is simply referred to as ofs2), ofs3 (1013) (hereinafter simply referred to as ofs3), and a selector 1021.

kp1001, sr1002, ofs1, ofs2, and ofs3 are circuits that respectively convert a 4-bit counter value ix input from the index register. FIG. 12 is a diagram illustrating an example of input / output of a function corresponding to each circuit of FIG.

For example, kp (x) is “1” when the counter value ix (corresponding to x in the table of FIG. 12) is “0”.
3 "is output. In the function kp (x), the data access order in the key expansion process (KeyExpansion) is 13, 14, 15, 12, 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 1
1 is reflected. sr (x) reflects the processing contents of ShiftRows for rearranging 16 bytes.

ofs1 (x) to ofs3 (x) are functions in which 2 bits 1 to 3 are added to the lower 2 bits of x, but the upper 2 bits of x are unchanged.

The selector 1021 selects any one of 0, the count value ix, the output of kp1001, the output of sr1002, the output of ofs1, the output of ofs2, and the output of ofs3 according to the instruction from the control unit 111 (dotted line in FIG. 9). Select and output.

As shown in the upper right of FIG. 11, the address generation unit 114 receives 2 input from the control unit 111.
Bit page and 4-bit value output from selector 1021 (corresponding to offset)
The address that is combined with is output. In this way, the page becomes the upper 2 bits of the address. For example, the result of transforming the index register with each function becomes the lower 4 bits of the address. The page is used as identification information for identifying the type of data used for the arithmetic processing and the work area in the storage device 300 used for the arithmetic processing. For example, a page takes four values to specify four: message m, key k, work area w, and round constant rc. For this reason, in this embodiment, a page is represented by 2 bits.

Next, an encryption process performed by the encryption apparatus 100 according to the first embodiment configured as described above will be described with reference to FIG. FIG. 13 is a flowchart showing the overall flow of the encryption processing in the first embodiment. FIG. 13 corresponds to a diagram in which the simplified pseudo code of the AES is described as a flowchart.

First, the round number counter (round) and the round constant (rc) are each 0.
And 1 are initialized (step S101). Next, AddRoundKey is executed and the message m is updated (step S102). Next, KeyExpansion (step S103),
SubBytes (step S104) and ShiftRows (step S105) are sequentially executed, and 1 is added to the number of rounds (step S106).

When the number of rounds does not reach 10 (step S107: No), MixColumns (step S108), AddRoundKey (step S109), and xtime (step S110)
) Is executed. Thereafter, the process returns to step S103 and is repeated. 1 round
When the value reaches 0 (step S107: Yes), AddRoundKey is executed (step S1).
11) The encryption process ends.

SR (Shift Rows) is a 16-byte rearrangement, but if overwritten, the original value disappears, so the rearrangement is performed while copying to a work area w which is another area (step S105). When this process (step S105) is described in C language, the following code is obtained.

for (i = 0; i <16; i ++) {
w [i] = m [sr [i]];
}
The variable sr in the above code is
int sr [16] = {0,5,10,15,4,9,14,3,8,13,2,7,12,1,6,11};
Therefore, the above code is
w [0] = m [0]
w [1] = m [5]
w [2] = m [10]
w [3] = m [15]
w [4] = m [4]
w [5] = m [9]
w [6] = m [14]
w [7] = m [3]
w [8] = m [8]
w [9] = m [13]
w [10] = m [2]
w [11] = m [7]
w [12] = m [12]
w [13] = m [1]
w [14] = m [6]
w [15] = m [11]
Is the same as substituting.

If you try to execute sequentially with only one variable, the necessary value will be overwritten and deleted, so the order is changed while copying to another variable.

MC (MixColumns) is also converted while being copied to another variable because there is a problem that the value is overwritten (step S108).

In the AES encryption standard (FIPS-197),
m [0] = xtime (w [0]) ^ xtime (w [1]) ^ w [1] ^ w [2] ^ w [3]
It is stipulated to calculate as follows. On the other hand, since xtime (a) ^ xtime (b) = xtime (a ^ b), xtime can be calculated as follows.

m [0] = xtime (w [0] ^ w [1]) ^ w [1] ^ w [2] ^ w [3]
The whole MC will calculate as follows.

m [0] = xtime (w [0] ^ w [1]) ^ w [1] ^ w [2] ^ w [3]
m [1] = xtime (w [1] ^ w [2]) ^ w [2] ^ w [3] ^ w [0]
m [2] = xtime (w [2] ^ w [3]) ^ w [3] ^ w [0] ^ w [1]
m [3] = xtime (w [3] ^ w [0]) ^ w [0] ^ w [1] ^ w [2]
m [4] = xtime (w [4] ^ w [5]) ^ w [5] ^ w [6] ^ w [7]
m [5] = xtime (w [5] ^ w [6]) ^ w [6] ^ w [7] ^ w [4]
m [6] = xtime (w [6] ^ w [7]) ^ w [7] ^ w [4] ^ w [5]
m [7] = xtime (w [7] ^ w [4]) ^ w [4] ^ w [5] ^ w [6]
m [8] = xtime (w [8] ^ w [9]) ^ w [9] ^ w [10] ^ w [11]
m [9] = xtime (w [9] ^ w [10]) ^ w [10] ^ w [11] ^ w [8]
m [10] = xtime (w [10] ^ w [11]) ^ w [11] ^ w [8] ^ w [9]
m [11] = xtime (w [11] ^ w [8]) ^ w [8] ^ w [9] ^ w [10]
m [12] = xtime (w [12] ^ w [13]) ^ w [13] ^ w [14] ^ w [15]
m [13] = xtime (w [13] ^ w [14]) ^ w [14] ^ w [15] ^ w [12]
m [14] = xtime (w [14] ^ w [15]) ^ w [15] ^ w [12] ^ w [13]
m [15] = xtime (w [15] ^ w [12]) ^ w [12] ^ w [13] ^ w [14]
In consideration of the subscript sequence, the present embodiment calculates xtime as follows.

m [i] = xtime (w [i] ^ w [ofs1 (i)]) ^ w [ofs1 (i)] ^ w [ofs2 (i)] ^ w [ofs3 (i)]
FIG. 14 is a diagram in which the detailed version pseudo code is rewritten as a state transition table. FIG. 15 is a diagram illustrating how to read each item of the state transition table. The code is a code of a function (instruction) executed in each state among five kinds of instructions. “read” is set to 1 when data is read from the storage device 300, and is set to 0 when data is not read. write is the storage device 30.
1 is set when data is written to 0, and 0 is set when data is not written. fun
For c, any one of LD, XTIME, SBOX, XOR, and arbitrary (the operation by the ALU 120 is not executed) is set. acc-we is set to 1 when data is written to the accumulator 130, and is set to 0 when data is not written.

For example, in state = S01, the code ld m [i] is executed. At that time, read signal is 1
, Set the write signal to 0, set func to LD, and set acc_we to 1. The output of the address generation unit 114 is that the page is PM and the offset is ix. Since the ix and round fields are blank, nothing is done. Since the control column is “↓”, the process proceeds to the next state S02.

In S03, the ix column is ix + 1, and the control is if (ix! = 15) S01. This means that the value of ix is incremented by 1 and updated to ix + 1, and if the value before the update of ix is not 15, transition is made to S01. If ix is 15, the process proceeds to the next state S04. As illustrated in FIG. 14, ix is updated at a timing at which data to be subjected to each arithmetic processing is changed.

(Modification)
FIG. 16 is a block diagram illustrating an example of the configuration of the address generation unit 114-2 according to the modification of the first embodiment. As illustrated in FIG. 16, the address generation unit 114-2 includes the kp100.
1, sr 1002, ofs 1010, and selector 1021-2.

In this modification, three circuits that output offsets, ofs1, ofs2, and
Instead of ofs3, a single ofs1010 is provided. The ofs 1010 is a circuit that converts the counter value ix using one of the three functions ofs (x, 1), ofs (x, 2), and ofs (x, 3). Three functions ofs (x, 1), ofs (x, 2), ofs
A signal (“1 to 3” in FIG. 16) that designates which of (x, 3) to use is designated from the control unit 111, for example. FIG. 17 is a diagram illustrating an example of input / output of a function corresponding to each circuit of FIG.

In accordance with an instruction from the control unit 111, the selector 1021-2 is 0, the count value ix, kp
One of the output of 1001, the output of sr1002, and the output of ofs1010 is selected and output. Even with such a configuration, the same function as in FIG. 11 can be realized.

As described above, the arithmetic device (encryption device) according to the first embodiment uses the storage device outside the device, and controls to store the data used in the calculation in the storage device. Thereby, it is not necessary to provide a storage device in the AES arithmetic circuit, and further miniaturization becomes possible.
In the present embodiment, the ALU has a minimum circuit (a circuit for performing arithmetic processing used for encryption) (
Since only XTIME, SBOX, and XOR) are provided, the apparatus can be downsized in this respect as well. In the present embodiment, each calculation process used for encryption is executed in a predetermined number of times. For example, every time the count value of the index register reaches 15, that is, 1
Each calculation is executed in units of 6 times. For this reason, the control circuit required when the number of times does not match is not required, and further miniaturization can be realized.

(Second Embodiment)
In the second embodiment, an example in which an arithmetic device is applied to a decryption device of the AES encryption method will be described.
FIG. 18 is a block diagram illustrating an example of the configuration of the decoding device 100-2 according to the second embodiment. As illustrated in FIG. 18, the decoding device 100-2 includes a decoding processing unit 110-2, an ALU (Arithmetic Logic Unit) 120-2 as an arithmetic unit, and an accumulator 130.

The decryption processing unit 110-2 controls the operation of the AES encryption decryption process and outputs a status signal indicating the state of the operation. The accumulator 130 is a register for storing the calculation result by the ALU 120.

The ALU 120-2 performs an operation according to information representing the function selected by the decryption processing unit 110-2. The ALU 120-2 performs an operation on the data at the address specified by the decryption processing unit 110-2 as necessary.

A pseudo code of the decryption process of the AES encryption method according to the present embodiment will be described. less than,
A pseudo code (simplified pseudo code) that simplifies the decoding process is described.

// m = invAES (m, k)
// input m: ciphertext k: decryption key
round = 0;
rc = 0x36;
m = AK (m, k) // AddRoundKey
while (1) {
k = iKS (k) // invKeyExpansion
m = iSB (m) // invSubBytes
w = iSR (m) // invShiftRows
round = round + 1
if (round == 10) break; // exit while loop
w = AK (w, k) // AddRoundKey
m = iMC (w) // invMixColumns
rc = ixtime (rc) // rc update
}
m = AK (w, k) // AddRoundKey
A function with “i” added to the head of a function used in the encryption process means an inverse function of the function used in the encryption process. For example, iSB is an inverse function of SB.

iKS can be created with sbox and xor. iSB requires the inverse of sbox (isbox). iMC x
Can be created by time. ixtime can be created by xtime. Therefore, the ALU 120-2 only needs to include a circuit that can execute the following five operations.

(1) LD
(2) XTIME
(3) SBOX
(4) ISBOX
(5) XOR
FIG. 19 is a block diagram showing an example of the configuration of the ALU 120-2 according to the second embodiment configured as described above. As shown in FIG. 19, ALU 120-2 is XTIME 12.
1, SBOX 122, XOR 123, selector 124-2, and ISBOX 125. The ISBOX 125 is a circuit that executes an operation corresponding to the inverse function of the SBOX 122.

The decoding processing unit 110-2 is configured so that the pseudo code decoding process is realized by the ALU 120-
2 operations are controlled. The decryption processing unit 110-2 is the same control unit 11 as the encryption processing unit 110.
1, round counter 112, index register 113, and address generation unit 1
14. The decryption processing unit 110-2 may perform the AES cipher decryption process in the same manner as the encryption processing unit 110 performs the encryption process. Note that ALU1 shown in FIG.
It is also possible to perform encryption processing with the configuration of 2-2. In this case, the operation described with reference to FIG. 4 is performed, and ISBOX function selection is not designated.

Next, the decoding process performed by the decoding apparatus 100-2 according to the second embodiment configured as described above will be described with reference to FIG. FIG. 20 is a flowchart illustrating an overall flow of the decoding process according to the second embodiment.

First, the round number counter (round) and the round constant (rc) are each 0.
And 0x36 (hexadecimal 36) (step S201). Then reverse AddRou
The ndKey (iAK) is executed and the message m is updated (step S202). Then reverse Ke
yExpansion (iKS) (step S203), inverse SubBytes (iSB) (step S204), inverse S
hiftRows (iSR) (step S205) is sequentially executed, and 1 is added to the number of rounds (step S206).

If the number of rounds does not reach 10 (step S207: No), AddRoundKey (
Step S208), inverse MixColumns (iMC) (Step S209), and inverse xtime (ixti)
me) (step S210) is executed. Thereafter, the process returns to step S203 and is repeated. When the number of rounds reaches 10 (step S207: Yes), AddRoundKey is executed (step S211), and the decoding process ends.

As described above, according to the first and second embodiments, it is not necessary to provide a storage device for storing data used for arithmetic processing in the arithmetic device, and the device can be downsized. For example, when the AES arithmetic circuit is provided in the memory card, further downsizing of the AES arithmetic circuit can be realized.

Although several embodiments of the present invention have been described, these embodiments are presented by way of example and are not intended to limit the scope of the invention. These novel embodiments can be implemented in various other forms, and various omissions, replacements, and changes can be made without departing from the scope of the invention. These embodiments and modifications thereof are included in the scope and gist of the invention, and are included in the invention described in the claims and the equivalents thereof.

DESCRIPTION OF SYMBOLS 10 Electronic device 100 Encryption apparatus 100-2 Decryption apparatus 110 Encryption processing part 110-2 Decryption processing part 111 Control part 112 Round counter 113 Index register 114 Address generation part 120, 120-2 ALU
130 accumulator 300 storage device 400 key storage device

Claims (6)

A storage device;
An arithmetic unit that executes the first arithmetic processing and the second arithmetic processing used in the encryption method on the data that is the target of the first arithmetic processing and the second arithmetic processing, and the first arithmetic processing And the control unit is controlled so that the second calculation process is executed in the order determined by the encryption method, and the storage device used for the first calculation process and the second calculation process A control unit that outputs specific information indicating a work area or the type of the data, a first counter value of the first calculation process, and a second of the second calculation process in which the first counter value matches the number of updates. An arithmetic device comprising: a generation unit that generates an address in the storage device used for the first arithmetic processing and the second arithmetic processing based on the counter value and the specific information;
An interface unit electrically connected to an external device;
With electronic equipment. The storage device stores a first area used for a communication buffer, a second area in which the work area and the data, and key information used for encryption of the data are stored, unlike the first area. And including
The electronic device according to claim 1, wherein the generation unit generates the address in the second area. The generation unit outputs the generated address to the control unit,
The control unit refers to the address and controls the calculation unit to perform the first calculation process or the second calculation process on the data at the address. The electronic device as described in. The first area is divided into a storage area for storing the data, the work area used for the first calculation process and the second calculation process, and a key area for holding the key information. The arithmetic unit according to claim 3. The generation unit generates the address in the storage device used for the first arithmetic processing based on the high-order bits of the data address and the key address and the first counter value. The electronic device according to claim 4. An arithmetic circuit for processing arithmetic used in the encryption method;
An electronic device that generates an address that refers to the number of calculations of the calculation and determines a storage position of a storage device in which data targeted for the first calculation is stored.

Images