JP3709760B2 - Hash device - Google Patents

Description

[0001]
BACKGROUND OF THE INVENTION
The present invention relates to a technique for ensuring network security, and more particularly to a hash device that implements a hash function SHA that converts original data into an irreversible hash value by hardware.
[0002]
[Prior art]
Conventionally, the SHA algorithm, which is one of hash functions, is realized by software. Hereinafter, the SHA algorithm will be described. The initial values Ainit, Binit, Cinit, Dinit, Dinit, Einit of 32-bit variables A, B, C, D, E are set in hexadecimal as follows.
Ainit = 0x67452301
Binit = 0xEFCDAB89
Cinit = 0x98BADCFE
Dinit = 0x10325476
Einit = 0xC3D2E1F0
[0003]
The original data divided into n pieces of 512 bits is assumed to be M1, M2,. The following processing is repeated for i = 1 to n.
(A) The original data Mi is divided into 16 in 32 bits, and W1, W2,.
(B) A = Ainit, B = Binit, C = Cinit, D = Dinit, E = Einit.
[0004]
(C) The following processing is repeated for t = 1, 2,.
TEMP = S (5, A) + f (B, C, D) + E + W + K
Here, TEMP is a temporary variable, S (m, x) is a cyclic shift of the upper mbit of the 32-bit variable x to the lower side, and f (B, C, D) and K are given by the following equations.
・ When 1 ≦ t ≦ 20,
f (B, C, D) = (B AND C) OR ((NOT B) AND D)
K = 0x5A828999
・ When 21 ≦ t ≦ 40,
f (B, C, D) = B XOR C XOR D
K = 0x6ED9EBA1
・ When 41 ≦ t ≦ 60,
f (B, C, D) = (B AND C) OR (B AND D) OR (C AND D)
K = 0x8F1BBCDC
・ When 61 ≦ t ≦ 80,
f (B, C, D) = B XOR C XOR D
K = 0xCA62C1D6
[0005]
The original data W is given by the following equation.
・ When 1 ≦ t ≦ 16,
W = Wt
・ If 17 ≦ t ≦ 80,
Let W = S (1, W _t−3 XOR W _t−8 XOR W _t−14 XOR W _t−16 ).
After obtaining the temporary variable TEMP by the above equation, it is assumed that E = D, D = C, C = S (30, B), B = A, A = TEMP.
[0006]
(D) Finally, initial values are added to the variables A, B, C, D, and E. That is,
A = Ainit + A
B = Binit + B
C = Cinit + C
D = Dinit + D
E = Einit + E
And Thereby, the value of the hash function (32 × 5 = 160 bits) is calculated. The 160-bit data is used as a message digest (summary function) that summarizes the original message.
[0007]
[Problems to be solved by the invention]
A user who uses a hash function has a greater trust in a hash function SHA implemented in hardware than a hash function SHA implemented in software, so that a high-speed and small-area hash device can be realized early by hardware. It is desired.
[0008]
[Means for Solving the Problems]
According to the first aspect of the present invention, by limiting the maximum number of adders to be used at the same time to two for processing of one cycle of the SHA algorithm having a periodic structure, the hash value can be obtained at high speed with a small circuit area. Can be generated. That is, the invention of claim 1 is a hash device including first to fifth registers A to E for obtaining a 160-bit hash value from original data using a SHA algorithm, as shown in FIG. A first rotation processing unit 4 that cyclically shifts the upper 5 bits of the first register A to the lower side, and a logical operation f (B, C, D) based on the second, third, and fourth registers B, C, and D Data obtained by dividing or arithmetically processing the original data for obtaining the hash value, the logical operation processing unit 5 that executes the above, the first adder 6 that adds the output of the first rotation processing unit 4 and the value of the fifth register E A first stage including an original data setting processing unit 7 for setting W and a constant setting processing unit 8 for setting a predetermined constant K; a first stage logic operation processing unit 5; and a first adder 6 and original data setting A second stage including a second adder 9 for adding any two of the outputs of the processing unit 7 and the constant setting processing unit 8 and a third adder 10 for adding the remaining two; , A third stage including a fourth adder 11 for adding the outputs of the second adder 9 and the third adder 10 of the second stage, and fourth, fifth, and fourth registers E and D, The values of the third registers D and C are substituted, and the output of the second rotation processing unit 12 that cyclically shifts the upper 30 bits of the second register B to the lower side is substituted into the third register C. A circuit block including a fourth stage including a process of substituting the value of the first register A and substituting the output of the fourth adder 11 of the third stage into the first register A as shown in FIG. Connected, first to fifth registers A to E of the first stage circuit block First to fifth initial values Ainit to Einit are set, and the first to fifth initial values Ainit to Einit are added to the outputs of the first to fifth registers A to E of the final stage circuit block, respectively. It is characterized by connecting an adder. In the configuration of FIG. 2, an adder that simultaneously adds the first to fifth initial values Ainit to Einit to the outputs of the first to fifth registers A to E of the circuit block in the final stage is also used simultaneously. The maximum number is limited to two, A = Ainit + A, B = Binit + B is executed in one stage, C = Cinit + C, D = Dinit + D is executed in the next one stage, and E = Einit + E is executed in the next one stage. . Therefore, as will be described later, the number of adders to be provided in the hash device of the present invention is two, and the circuit area can be reduced.
[0009]
According to the second aspect of the present invention, in order to maintain the structural periodicity even in the final stage processing in which the periodicity is only disordered among the structurally periodic SHA algorithms, By replacing this circuit with a circuit as shown in FIG. 4, a hash value can be generated at a high speed with a minimum circuit area. That is, in the second aspect of the present invention, as shown in FIG. 4, the value of the fourth register D and the fifth initial value Einit are added to the fourth stage of the 79th stage circuit block of the first aspect of the present invention. The fifth adder 13 is provided, the sixth adder 14 for adding the value of the third register C and the fourth initial value Dinit is provided to the first stage of the 80th stage circuit block, and the 80th stage circuit block A seventh adder 15 for adding the value of the first register A and the second initial value Binit is provided in three stages, and the upper 30 bits of the second register B are moved to the lower side in the fourth stage of the 80th stage circuit block. The output of the second adder 11 that adds the output of the second rotation processing unit 12 that performs cyclic shift and the third initial value Cinit, the output of the fourth adder 11 of the third stage of the 80th stage circuit block, and the first Initial value of Aini The fifth adder is further provided in the 80th stage circuit block, and in the fifth stage, the output of the fifth adder 13 is sent to the fifth register E. The output of the sixth adder 14 is in the fourth register D, the output of the eighth adder 16 is in the third register C, the output of the seventh adder 15 is in the second register B, and the output of the ninth adder 17 is in the The first to fifth initial values Ainit to Einit are added to the outputs of the first to fifth registers A to E of the circuit block at the final stage by substituting each into the first register A, respectively. 9 adders 13 to 17 are used. This eliminates the need to add five adders as shown in FIG. 2 to the output of the final stage circuit block as shown in FIG.
[0010]
According to the invention of claim 3, in claim 1 or 2, the counter 1 that can count from 1 to 80 is allocated to the circuit blocks of the first stage to the 80th stage as shown in FIGS. 6 and 7. A counter 2 that can count from 1 to 4 for each stage of the first to 79th circuit blocks, and can count from 1 to 5 for each stage of the 80th circuit block, As shown in FIG. 8, a counter 3 that can count from 1 to 4 is assigned to the values of 1 to 20, 21 to 39, 41 to 59, and 61 to 80 of the counter 1, so that FIG. The circuit block shown in FIG. 5 can be reused, and a hash value can be generated at a high speed with a minimum circuit area. That is, in the invention of claim 3, all or part of the first to 80th circuit blocks shown in FIG. 2 or FIG. 5 includes a plurality of arithmetic circuits for one stage including at least two adders. A first counter 1 that counts how many circuit blocks the arithmetic circuit is processing, and a second counter 2 that divides each circuit block into a plurality of stages. And a third counter 3 for distinguishing the 1st to 20th stages, the 21st to 40th stages, the 41st to 60th stages, and the 61st to 80th stages from the value of the first counter. The processing content of the arithmetic circuit is changed according to each stage of the circuit block of each stage.
[0011]
According to the fourth aspect of the present invention, a circuit capable of generating a hash value with a small area can be realized by generating and supplying 80 types of substitution values used in the SHA algorithm with 16 registers. That is, in the invention of claim 4, in any one of claims 1 to 3, the original data setting processing unit 7 for setting the data W obtained by dividing or calculating the original data for obtaining the hash value is as shown in FIG. The first to sixteenth original data registers W1 to W16 that store the original 512-bit data divided into 16 parts and output the original data as the original data of the first to sixteenth stage circuit blocks, and the 17th to 80th stage circuits. An arithmetic circuit that obtains and outputs an exclusive OR of the values of the first, third, ninth, and fourteenth original data registers as the original data of the block, and the second to sixteenth original data after the calculation by the arithmetic circuit The values of the registers W2 to W16 are sequentially substituted into the first to fifteenth original data registers W1 to W15, and the sixteenth original data register W16 receives the output of the arithmetic circuit. It is characterized in being configured to include a means for substituting the data obtained by cyclically shifting the upper 1bit the lower side.
[0012]
DETAILED DESCRIPTION OF THE INVENTION
As described above, the SHA algorithm repeats a similar process 80 times. Paying attention to the structural periodicity of such an algorithm, in order to realize a hash function SHA capable of high-speed processing with a minimum area, in the invention of claim 1, the circuit block as shown in FIG. In such a case, it is divided into four stages so that there are two or less adders in one stage. The above circuit block is referred to as a circuit block K. In the first stage of the circuit block K, the initial values A, B, C, D, and E stored in the A, B, C, D, and E registers (Ainit, Binit, Cinit, Dinit, Einit, execution of operation f (B, C, D) and retention of value (a) obtained by execution f (B, C, D) by the value derived from the previous block after the second stage block, and cyclic shift of the upper 5 bits of value A Execution of addition of the value E and the value E, retention of the value (b) obtained thereby, execution of an operation W [t] performed based on 16 values (W1 to W16) given in advance, and The value (c) obtained thereby is held, and the value K selected and inputted by the block number (the value is assumed to be (d)) is held.
[0013]
In the second stage of the circuit block K, execution of (a) + (b) and retention of the value (e) obtained from the result obtained in the first stage, execution of (c) + (d), and that The value (f) obtained by the above is held.
In the third stage of the circuit block K, (e) + (f) is executed from the result obtained in the second stage and the value (g) obtained thereby is held.
[0014]
In the fourth stage of the circuit block K, the result (g) obtained in the third stage is stored in the A register, the original A register value is stored in the B register, and the upper 30 bits of the original B register value is stored in the lower order. The original C register value is stored in the D register, and the original D register value is stored in the E register. Thereby, the update of the values of the A, B, C, D, and E registers is completed.
[0015]
80 circuit blocks K are connected in series, and A = Ainit + A, B = Binit + B, C = Cinit + C, D = Dinit + D, with respect to A, B, C, D, E output by the 80th block. E = Einit + E is calculated. The overall circuit configuration for performing the above processing is as shown in FIG.
[0016]
According to the second aspect of the present invention, the circuit block as shown in FIG. 4 is formed as one block, and is divided into five stages so that the number of adders in one stage is two or less. The above circuit block is referred to as a circuit block Z, and is connected after the 79th stage circuit block K as shown in FIG. In the circuit block Z, in order to make the maximum number of adders included in one stage two, Einit and the fourth stage D register of the 79th stage block are added to the fourth stage of the 79th stage block of the circuit block K. Is added to the first stage of the 80th block, and the adder 14 is added to add the fourth stage C register of the 79th block to the third stage of the 80th block. The stage is provided with an adder 15 for adding Binit and the A register of the fourth stage of the 79th stage block, and Cinit and the B register of the fourth stage of the 79th stage block are added to the fourth stage of the 80th stage block. Add the output of the adder 16 that adds the cyclic shift of the upper 30 bits to the lower side, and the output of the adder 11 of the third stage of the Ainit and 80th block. An adder 17 to be provided.
[0017]
Thus, the circuit block Z has a structure in which one adder is added to each of the first stage and the third stage and two adders are added to the fourth stage based on the circuit block K. In addition, the circuit block Z is performed in one block. Since processing such as value derivation and cyclic shift is executed at the same stage as other blocks, the structure of the circuit block Z is kept similar to the circuit block K.
[0018]
According to the invention of claim 3, a counter 1 capable of counting from 1 to 80, a counter 2 capable of counting from 1 to 5, and a counter 3 capable of counting from 1 to 4 are added to the circuit of FIG. 1 to 79 of the counter 1 indicate the circuit block K, and 80 of the counter 1 indicates the circuit block Z. A necessary circuit block is selected by the counter 1. The counters 1 to 4 indicate the stages 1 to 4 of the circuit block K and the circuit block Z, respectively. Further, 5 of the counter 2 indicates the fifth stage of the circuit block Z. In the circuit block K and the circuit block Z, the number of adders appearing in each stage is two or less, and by determining the stage being processed using the counter 2 and changing the connection of the input / output terminals of the adder The adder can be reused, and thus the number of adders provided in the hash device can be reduced to two. 1 of the counter 3 corresponds to 1 to 20 of the counter 1, 2 corresponds to 21 to 40 of the counter 1, 3 corresponds to 41 to 60 of the counter 1, and 4 corresponds to 61 to 80 of the counter 1.
[0019]
The circuit block K and the circuit block Z have similar circuit configurations, but the values and expressions to be substituted at each stage are different from 1 to 4 of the counter 3. Therefore, the value and expression to be substituted are selected using the counter 3. By combining these three types of counters, it is determined which stage of which block of the SHA algorithm is currently processed, and an assignment value, an assignment expression, and input / output selection of an adder are performed. For the circuit block K, the relationship between the counter 1 and the counter 2 is shown in FIG. FIG. 8 shows the relationship between the counter 1 and the counter 2 for the circuit block Z. The relationship between the counter 1 and the counter 3 is shown in FIG.
[0020]
According to the invention of claim 4, the substitution value W used in the above circuit is output corresponding to each of all circuit blocks (1st to 80th stages) indicated by the counter 1. The hash function SHA requires 80 types of original data W. In order to generate all of them, 16 registers (W1 to W16) are provided, and when the value of the counter 1 is 1 to 16, the counter 1 Wt corresponding to the value t is output as it is, and when the value t of the counter 1 is 17 to 80, W = W _t-3 XOR W _t-8 XOR W _t-14 XOR W _t-16 is calculated, Thereafter, the most significant bit is cyclically shifted to the lower side and stored in W16. At this time, the values originally stored in W2 to W16 were respectively shifted to the lower registers W1 to W15 (Wn → Wn−1; n = 2, 3,..., 16) and stored in W1. The value is erased. This is shown in FIG. As a result, all of the 80 types of original data W [1] to W [80] necessary for generating the hash value can be generated with only the 16 registers W1 to W16.
[0021]
【The invention's effect】
According to the first aspect of the present invention, since the hash function SHA can be obtained using two or less adders in one stage, a high-speed hash device can be provided with a small circuit area.
According to the second aspect of the present invention, the initial value required in the final stage is added using the stage in which the adder is left in the final stage and the preceding circuit block. The speed can be further improved.
[0022]
According to the third aspect of the present invention, the first counter for determining the number of circuit blocks, the second counter for determining which stage, and the logical expression used in the logical operation processing unit and the constant setting processing unit should be set. Since the third counter for selecting a constant is provided, an operation of repeatedly using a common circuit block including two or less adders in one stage can be easily realized.
According to the fourth aspect of the present invention, since 80 types of original data required in each of the 80-stage circuit blocks can be set by 16 registers, the circuit area of the hash device can be reduced.
[Brief description of the drawings]
FIG. 1 is a circuit diagram showing a basic circuit block in a hash device of the present invention.
FIG. 2 is a circuit diagram showing an overall configuration of a hash device according to an embodiment of claim 1;
FIG. 3 is a circuit diagram showing a circuit block of each stage of the hash device according to an embodiment of the first aspect of the present invention.
FIG. 4 is a circuit diagram showing a circuit block at the final stage of the hash device according to one embodiment of the present invention;
FIG. 5 is a circuit diagram showing an overall configuration of a hash device according to an embodiment of claim 2;
FIG. 6 is an explanatory diagram showing the relationship between the circuit blocks in the first to 79th stages and the first and second counters according to claim 3;
FIG. 7 is an explanatory diagram showing the relationship between the 80th stage circuit block of claim 3 and first and second counters;
FIG. 8 is an explanatory diagram showing a relationship between first and third counters according to claim 3;
FIG. 9 is an explanatory diagram showing a configuration and operation of an original data setting processing unit according to claim 4;
[Explanation of symbols]
4 First Rotation Processing Unit 5 Logical Operation Processing Unit 6 First Adder 7 Original Data Setting Processing Unit 8 Constant Setting Processing Unit 9 Second Adder 10 Third Adder 11 Fourth Adder 12 Second Rotation Processing Unit

Claims (4)

A hash device including first to fifth registers for obtaining a 160-bit hash value from original data using a SHA algorithm, wherein the first rotation process for cyclically shifting the upper 5 bits of the first register to the lower side , A logical operation processing unit that performs logical operations based on the second, third, and fourth registers, a first adder that adds the output of the first rotation processing unit and the value of the fifth register, and a hash value A first stage including an original data setting processing unit for setting data obtained by dividing or calculating original data to be obtained, a constant setting processing unit for setting a predetermined constant, and a logical operation of the first stage A second adder that adds any two of the outputs of the processing unit, the first adder, the original data setting processing unit, and the constant setting processing unit, and a third adder that adds the remaining two A third stage including a second adder that adds the outputs of the second adder and the third adder of the second stage, and fifth and fourth registers. The values of the fourth and third registers are substituted into the second register, the output of the second rotation processing unit that cyclically shifts the upper 30 bits of the second register to the lower side is substituted into the third register, and the first register is assigned to the second register. And a circuit block including a fourth stage including a process of substituting the output of the fourth adder of the third stage into the first register is cascade-connected to 80 stages of the first stage circuit block. The first to fifth initial values are set in the fifth to fifth registers, and adders for adding the first to fifth initial values to the outputs of the first to fifth registers of the final stage circuit block are connected. It is characterized by Mesh devices. 5. The fifth adder for adding the value of the fourth register and the fifth initial value is provided in the fourth stage of the 79th stage circuit block according to claim 1, and the third stage is provided in the first stage of the 80th stage circuit block. A sixth adder for adding the register value and the fourth initial value is provided, and a seventh adder for adding the first register value and the second initial value is provided in the third stage of the 80th stage circuit block. , The fourth stage of the 80th stage circuit block is an eighth adder that adds the output of the second rotation processing unit that cyclically shifts the upper 30 bits of the second register to the lower side and the third initial value; A stage including the output of the fourth adder of the third stage of the circuit block of the stage and a ninth adder for adding the first initial value, and further providing a fifth stage in the circuit block of the 80th stage, In the fifth stage, the output of the fifth adder is 5 register, 6th adder output to 4th register, 8th adder output to 3rd register, 7th adder output to 2nd register, 9th adder output to 1st register And the fifth to ninth adders perform the process of adding the first to fifth initial values to the outputs of the first to fifth registers of the final stage circuit block, respectively. Hash device to perform. 3. The circuit block according to claim 1, wherein all or part of the first to 80th stage circuit blocks are configured by repeatedly using an arithmetic circuit for one stage including at least two adders. A first counter that counts which stage of the circuit block the arithmetic circuit is processing; a second counter that divides each circuit block into a plurality of stages; and 1 to 20 stages from the value of the first counter A third counter for distinguishing the first, 21st to 40th stages, the 41st to 60th stages, and the 61st to 80th stages, and depending on the value of each counter, the processing contents of the arithmetic circuit correspond to each stage of each stage circuit block Hashing device characterized by being changed. 4. The original data setting processing unit for setting data obtained by dividing or computing the original data for obtaining the hash value according to claim 1, wherein the original 512-bit data is divided into 16 parts and stored. First to sixteenth original data registers to be output as original data of the stage circuit block, and first, third, ninth and fourteenth original data registers as original data of the 17th to 80th stage circuit blocks. An arithmetic circuit that obtains and outputs an exclusive OR of the values; sequentially substitutes the values of the second to sixteenth original data registers into the first to fifteenth original data registers after the calculation by the arithmetic circuit; The original data register includes means for substituting data obtained by cyclically shifting the most significant 1 bit of the output of the arithmetic circuit to the lower side. Gerhard apparatus.

Images