TW202409827A - Hardware-based galois multiplication - Google Patents

Abstract

A processor includes an instruction fetch unit that fetches instructions to be executed, an architected register file including a plurality of registers for storing source and destination operands, and an execution unit for executing a Galois multiply instruction. The execution unit includes a carryless multiplier configured to multiply operands of the Galois multiply instruction to generate a product. The execution unit further includes a modular reduction circuit configured to receive the product and determine, based on a logical combination of the product and a fixed polynomial, a reduced product having a fewer number of bits than the product. The execution unit is configured to store the reduced product to the architected register file as a result of the Galois multiply instruction.

Description

Hardware-based Galois multiplication

The present invention relates generally to data processing, and in particular to Galois multiplication.

An important aspect of data security is the protection of data at rest (e.g., when stored in a data storage device) or data in transition (e.g., during transmission) through encryption. Generally speaking, encryption involves converting unencrypted data (called plaintext) into encrypted data (called ciphertext) by combining the plaintext with one or more encryption keys using an encryption function. To recover plaintext from ciphertext, the ciphertext is processed by a decryption function using one or more decryption keys. Encryption therefore provides data security by requiring that an additional secret (i.e., a decryption key) be known to a party before that party can access the protected plaintext.

In many implementations, data encryption is performed in software running on a general-purpose processor. While implementing encryption in software offers the advantages of being able to choose between different encryption functions and easily adapting the chosen encryption algorithm to work with plaintext and encryption key lengths of varying lengths, performing encryption in software has the attendant disadvantage of relatively poor performance. As the size of data sets continues to increase dramatically in the "Big Data" era, the performance achieved by implementing encryption in software can be unacceptable when encrypting large data sets. Therefore, it is often desirable to provide support for encryption in hardware to achieve improved performance.

Another prior art solution particularly useful for disk encryption is the implementation of a physical encryption engine coupled to the memory hierarchy. Physical encryption engines coupled to the memory hierarchy can be more expensive to implement than hardware solutions in the processor core. Additionally, such solutions are generally not suitable for data in flight.

The present invention understands that multiple commonly used encryption functions, such as the Advanced Encryption Standard (Advanced Encryption Standard; AES)-Galois Counter Mode (GCM) and the XEX-based fine-tuned codebook mode with ciphertext theft (XEX -based tweaked-codebook mode with ciphertext stealing; AES-XTS), which uses Galois multiplication (i.e., carry-free multiplication and modular reduction) to logically combine cryptographic operands. For example, both AES-GCM and AES-XTS use Galois in the GF(2^128) domain defined by the fixed polynomial g(x) = 1 + X + x^2 + x^7+ x^128 multiplication. In AES-GCM, Galois multiplication is used to generate a signature of the encrypted message, which can be used during decryption to detect whether the ciphertext or signature has been tampered with. In AES-XTS, Galois multiplication is used as part of the encryption and decryption of the message itself. Various embodiments of circuits for implementing Galois multiplication in hardware and associated Galois multiplication instructions are disclosed.

In one embodiment, a processor includes: an instruction fetch unit that fetches instructions for execution; an architectural register file that includes a plurality of registers for storing source and destination operands; and An execution unit for executing a Galois multiplication instruction. The execution unit includes a carry-less multiplier configured to multiply operands of the Galois multiplication instruction to generate a product. The execution unit further includes a modular reduction circuit configured to receive the product and determine based on a logical combination of the product with a fixed polynomial that the product has a reduction of a smaller number of bits than Simple product. The execution unit is configured to store the reduced product as a result of the Galois multiplication instruction to the architectural register file.

In some embodiments, the processor may form part of a larger data processing system or may be implemented as a design embodied in a machine-readable storage device.

According to one data processing method, an instruction fetch unit of a processor fetches instructions to be executed by the processor, including a Galois multiplication instruction. Based on receiving the Galois multiplication instruction, an execution unit of the processor executes the Galois multiplication instruction. Executing the Galois multiplication instruction includes multiplying the operands of the Galois multiplication instruction by a carryless multiplier to generate a product. Executing the instructions further includes a modular reduction circuit receiving the product and determining a reduced product having a smaller number of bits than the product based on a logical combination of the product and a fixed polynomial. The processor then stores the reduced product as a result of the Galois multiplication instruction to an architectural register file of the processor.

In at least one embodiment, the fixed polynomial is g(x) = 1 + X + x^2 + x^7+ x^128.

In at least one embodiment, the product of the carry-free multiplication includes a high portion including high-order bits of the product and a low portion including low-order bits of the product, and the modular reduction circuit is configured to The calculation is equivalent to a first result of a carry-free multiplication of the high part and one of the fixed polynomials. The modular reduction circuit includes: shift circuitry that applies multiple different bit position shifts to the high portion of the product consistent with established bits in the fixed polynomial; and bit-wise mutual exclusion or (XOR) circuitry that logically combines multiple instances of the high portion of the product with different individual bit position shifts applied by the shift circuitry.

In at least one embodiment, the shift circuitry is further configured to apply a plurality of different bit position shifts to a high portion of the first result consistent with established bits in the fixed polynomial; and the Bitwise exclusive OR (XOR) circuitry further configured to logically combine multiple instances of the high portion of the first result with different respective bit position shifts applied by the shift circuitry to obtain a second result. The bitwise XOR circuitry generates the reduced product based on the first result, the second result, and the low portion of the product.

In at least one embodiment, the bitwise exclusive OR (XOR) circuitry includes at least two stages of bitwise XOR circuitry.

In at least one embodiment, the processor includes a conditional bit-flip circuit configured to multiply the operands based on a pattern indicated by the Galois multiplication instruction. Conditionally reverses the bit ordering of the bytes in one of the operands.

In at least one embodiment, the carryless multiplier is a first multiply-by engine, the execution unit includes a second multiply-by engine, both the first multiply-by engine and the second multiply-by engine. There is a first data width, and the operands include first and second operands having a second data width that is an integer multiple of the first data width. In this case, the first multiply-multiply engine and the second multiply-multiply engine are configured to multiply a subset of the first operand and the second operand in parallel.

Referring now to the drawings and specifically to FIG. 1 , shown is a high-level block diagram of a data processing system 100 according to one embodiment. In some implementations, data processing system 100 may be, for example, a server computer system (such as one of the POWER series of servers available from International Business Machines Corporation), a mainframe computer system, a mobile computing device (such as a smart phone) mobile phone or tablet), laptop or desktop PC system, or embedded processor system.

As shown, data processing system 100 includes one or more processors 102 that process instructions and data. As is known in the art, each processor 102 may be implemented as a respective integrated circuit having a semiconductor substrate in which the integrated circuit system is formed. In at least some embodiments, processor 102 may generally implement any of a number of commercially available processor architectures, such as POWER, ARM, Intel x86, NVidia, Apple silicon, etc. In the depicted example, each processor 102 includes one or more processor cores 104 and a cache memory 106 that provides low latency access to instructions and operands that are likely to be read and/or written by processor core 104 . Processors 102 are coupled for communication via a system interconnect 110 , which in various implementations may include one or more buses, switches, bridges, and/or hybrid interconnects.

Data processing system 100 may additionally include several other components coupled to system interconnect 110 . For example, these components may include memory controller 112 that controls access to system memory 114 by processor 102 and other components of data processing system 100 . Additionally, data processing system 100 may include: an input/output (I/O) adapter 116 for coupling one or more I/O devices to system interconnect 110 ; a non-volatile storage system 118 ; and a network adapter 120 for coupling the data processing system 100 to a communication network (eg, a wired or wireless local area network and/or the Internet).

Those skilled in the art will also appreciate that the data processing system 100 shown in FIG . 1 may include many additional components that are not shown. Because such additional components are not necessary for understanding the described embodiments, they are not shown in FIG. 1 or further discussed herein. However, it should also be understood that the enhancements described herein are applicable to data processing systems and processors of different architectures and are in no way limited to the generalized data processing system architecture shown in FIG . 1 .

Referring now to FIG. 2 , depicted is a high-level block diagram of an exemplary processor core 200 in accordance with one embodiment. Processor core 200 may be used to implement any of processor cores 104 of FIG . 1 .

In the depicted example, processor core 200 includes means for fetching one or more instruction streams from storage 230 (which may include, for example, cache 106 and/or system memory 114 from FIG . 1 ). Instruction fetch unit 202 of instructions. In a typical implementation, each instruction has a format defined by the instruction set architecture of processor core 200 and includes, at a minimum, specifying an operation to be performed by processor core 200 (e.g., fixed-point or floating-point arithmetic operations, vector operations, matrix operations, etc. Operation code/opcode field for operations, logical operations, branch operations, memory access operations, encryption operations, etc.). Certain instructions may additionally include one or more operand fields that directly specify operands or implicitly or explicitly reference one or more operands that store the source operand to be used in the execution of the instruction. A plurality of registers and one or more registers for storing destination operands generated by instruction execution. Instruction decoding unit 204 , which may be incorporated with instruction fetch unit 202 in some embodiments, decodes instructions fetched from memory 230 by instruction fetch unit 202 and forwards branch instructions that control execution flow to branch processing unit 206 . In some embodiments, processing of branch instructions performed by branch processing unit 206 may include speculating on the results of conditional branch instructions. The results of branch processing (both speculative and non-speculative) by branch processing unit 206 may then be used to redirect one or more streams of instruction fetches by instruction fetch unit 202 .

Instruction decode unit 204 passes instructions that are not branch instructions (often referred to as "sequential instructions") to mapper circuit 210 . Mapper circuit 210 is responsible for assigning physical registers within the register file of processor core 200 to instructions as necessary to support instruction execution. Mapper circuit 210 preferably implements register renaming. Thus, for at least some classes of instructions, mapper circuit 210 creates a set of logical (or architected) registers referenced by the instruction and a larger set of physical registers within the register file of processor core 200 transient mapping between. As a result, processor core 200 can avoid unnecessary serialization of instructions that are not data dependent, which might otherwise occur due to reusing a limited set of architected registers for instructions near program order.

Still referring to Figure 2 , processor core 200 additionally includes a dispatch circuit 216 that is configured to ensure that any data dependencies between instructions are observed and that sequential instructions are dispatched when sequential instructions become ready for execution. Instructions dispatched by dispatch circuit 216 are temporarily buffered in issue queue 218 until the execution units of processor core 200 have resources available to execute the dispatched instructions. When appropriate execution resources become available, issue queue 218 issues instructions from issue queue 218 to the execution units of processor core 200 opportunistically and possibly out of order relative to the original program order of the instructions.

In the depicted example, processor core 200 includes several different types of execution units for executing respective different classes of instructions. In this example, the execution units include: one or more fixed-point units 220 for executing instructions that access fixed-point operands; one or more floating-point units 222 for executing instructions that access floating-point operands; one or more load-store units 224 for loading data from and storing data to memory 230 ; and one or more vector-scalar units 226 for executing instructions that access vector and/or scalar operands. In a typical embodiment, each execution unit is implemented as a multi-stage pipeline, in which multiple instructions can be processed simultaneously at different execution stages. Each execution unit preferably includes at least one register file or is coupled to access at least one register file, the at least one register file including a plurality of physical registers for temporarily buffering operands accessed during or generated by instruction execution.

Those skilled in the art will appreciate that processor core 200 may include additional components not shown, such as logic configured to manage the completion and retirement of instructions targeted by the completion of execution of execution units 220 through 226. Because these additional components are not necessary for understanding the described embodiments, they are not shown in FIG. 2 or discussed further herein.

Referring now to FIG. 3 , a high-level block diagram of an exemplary execution unit of the processor 102 according to one embodiment is shown. In this example, the vector-scalar unit 226 of the processor core 200 is shown in greater detail. In the embodiment of FIG. 3 , the vector-scalar unit 226 is configured to perform operations on different types of operators and generate multiple different classes of instructions for different types of operators. For example, the vector-scalar unit 226 is configured to perform operations on vector and scalar source operators and generate a first class of instructions for vector and scalar destination operators. The vector-scalar unit 226 executes instructions of this first class of instructions in functional units 302-312 , which in the depicted embodiment include: an arithmetic logic unit /rotate unit 302 for performing addition, subtraction, and rotate operations, a multiplication unit 304 for performing binary multiplication, a division unit 306 for performing binary division, an encryption unit 308 for performing encryption functions, a permutation unit 310 for performing operand permutations, and a binary coded decimal (BCD) unit 312 for performing decimal math operations. The vector and scalar source operators on which these operations are performed, and the vector and scalar destination operators generated by these operations, are buffered in physical registers of the architectural register file 300 .

In this example, vector-scalar unit 226 is additionally configured to execute instructions that operate on matrix operands and generate a second class of matrix operands. Vector-scalar unit 226 executes instructions in this second category of instructions in matrix multiply accumulate (MMA) unit 314 . The matrix operands on which these operations are performed and the matrix operands generated by these operations are buffered and accumulated in the physical registers of the non-architectural register file 316 .

In operation, vector-scalar unit 226 autonomously issues queue 218 to receive instructions. If the instruction is within the first category of instructions (e.g., vector-scalar instructions), then a link between the logical registers and the physical registers established by the mapper circuit 210 is utilized in the architectural register file 300 The mapping accesses the relevant source operand for the instruction and then forwards it along with the instruction to one of the relevant functional units 302 to 312 for execution. The destination operands generated by this execution are then stored back into the physical registers of the architectural register file 300 for the mapping decision established by the mapper circuit 210 . On the other hand, if the instruction is in the second category of instructions (eg, MMA instructions), the instruction is forwarded to the MMA unit 314 for information about the instruction buffered in the designated physical register of the unarchitected register file 316. Operands are executed. In this case, execution by MMA unit 314 includes performing a matrix multiplication operation and then accumulating (eg, summing) the resulting product with the contents of one or more designated physical registers in unarchitected register file 316 .

Referring now to Figure 4 , depicted is a more detailed block diagram of an exemplary encryption unit 308 in accordance with one embodiment. In this example, encryption unit 308 includes circuitry for performing encryption and decryption in hardware according to Advanced Encryption Standard (AES). AES is defined, for example, in the International Organization for Standardization (ISO)/International Electrotechnical Commission (IEC) Standard 18033-3 (2nd Edition, December 15, 2010), which is incorporated herein by reference. As shown, this circuitry includes AES encryption/decryption circuitry 400 that combines the encryption key with the plaintext to obtain the ciphertext and the decryption key with the ciphertext to obtain the plaintext. Encryption unit 308 additionally includes AES key generation circuitry 402 that generates keys utilized by AES encryption/decryption circuitry 400 to encrypt and decrypt material. Encryption unit 308 also includes carry-less multiplication circuit 404 , as described in detail below. The carry-less multiplication circuit 404 may be used, for example, in a program that generates signatures used to authenticate encrypted messages in AES-GCM (Galois Counter Multiplication). The carryless multiplication circuit 404 can also be used to perform Galois multiplication in programs that encrypt and decrypt messages, such as in AES-XTS (XEX-based fine-tuned codebook mode with ciphertext stealing).

Referring now to FIG. 5 , a time-space diagram of an encryption and authentication process 500 using Advanced Encryption Standard - Galois Counter Mode (AES-GCM) is shown. AES-GCM is used to encrypt n plaintext blocks 502 (each a 128-bit input string) to obtain n 128-bit ciphertext blocks 522 and a signature 532 that can be used to authenticate that the n ciphertext blocks 522 have not been modified. AES-GCM is therefore suitable for securing data in flight.

In addition to plaintext 502 , encryption process 500 begins with initial value 504 (e.g., a random value expanded to 128 bits), encryption key K 506 (here assumed to be a 128-bit value), authentication data 508 (here assumed to be a single 128-bit block), 128-bit authentication key H 510 , and a positive integer n determined by the number of 128-bit blocks in the plaintext (and ciphertext). Initial value 504 is a 128-bit value used to initialize the value of counter 0 512. The value of counter 0 512 is repeatedly incremented n times by increment function 514 to generate a sequence of 128-bit counter values identified as counter 1 512 to counter n 512 in FIG . Each of these n +1 counter values and encryption key K 506 are processed in one of the n +1 instances of AES encryption function 516 to produce a respective 128-bit encrypted output of n +1 128-bit encrypted outputs X0 to Xn 518 .

5 , plaintext 1 502 is logically combined with the encrypted output X1 518 by an exclusive OR (XOR) function 520 to generate ciphertext 1 522. Plaintext 2 502 is similarly logically combined with the encrypted output X2 by an XOR function 520 to generate ciphertext 2. This process continues for n iterations until the final ciphertext n 522 is obtained.

The authentication data 508 and the authentication key H 510 form the two inputs of the Galois counter multiplication (GCM) 0 function 524 , which generates a 128-bit authentication value Y1 526. This authentication value Y1 526 is logically combined with the ciphertext 1 522 by the XOR function 528 to generate the input of the next GCM multiplication 1 function 524. The GCM multiplication 1 function 524 multiplies this input by the authentication key H 510. This process is repeated for n rounds of multiplication until the authentication value Yn +1 526 is obtained. The authentication value Yn +1 is logically combined by an XOR function 528 with a 128-bit length indicator 530 formed by concatenating the length of the authentication data 508 with the length of the ciphertext 522. The output of this XOR function 528 provides the first input to a GCM multiply n +1 function 524 , which multiplies this input by the authentication key H 510. The 128-bit product produced by the GCM multiply n + 1 function 524 is then logically combined by the XOR function 528 with the encrypted output X0 518 to obtain a signature 532 that can be used to authenticate the n -block ciphertext.

As mentioned above, performance issues necessitate providing direct support for encryption algorithms in processor hardware such as the AES-GCM function depicted in Figure 5 . A complication in implementing hardware support for encryption algorithms is the use of different bit and byte endianness between various processor hardware and various encryption algorithms. For example, Table I below summarizes the bit and byte endianness for three common encryption functions (i.e., AES, GCM, and XTS). As shown, under AES, the leading (leftmost) byte in each byte is the most significant byte, and the leading (leftmost) byte in each data word is the most significant byte. This combination of bit and byte ordering may be called Big-Big Endian (BBE). GCM, on the other hand, specifies that the leading bit before each byte and the leading bit before each data word are least significant. This endianness is called Little-Little Endian (LLE). XTS uses the third type of endianness, which is called Big-Little Endian (BLE). The leading bit before each byte is the most significant bit, but the leading bit before the data word is the most significant bit. Least significant byte. Table I Endianness bit Byte AES big big BBE GCM Small Small LLE XTS big Small BLE

Generally, each physical processor implements one of these three endian options natively, with BBE and BLE hardware being the most common commercially. Regardless of which native endian is implemented by hardware, some data reformatting is required to compensate for the endian differences to provide hardware support for encryption algorithms with different endianness (e.g., AES, GCM, and XTS). Generally, data reformatting may be achieved, for example, when data is passed from the AES counter encryption portion of process 500 (shown to the left of the dashed line) to the authentication portion of the process (shown to the right of the dashed line) either directly before and after each GCM function 524 or as part of the GCM function 524 itself.

Encryption and authentication are often implemented as separate functions in cryptographic software libraries. In this type of software implementation, the encrypted output X0 518 and ciphertext 1 to ciphertext n are passed through the memory, and these data are automatically reformatted as part of memory read and memory write access. However, for hardware implementations of cryptographic functions, data reformatting must be applied to the register file data to obtain acceptable performance. In the following description, embodiments of a processor with native BBE endianness and hardware support for Galois multiplication employed in AES-GCM and AES-XTS are described in detail. The processor accepts data in the machine's native endian (e.g., BBE) and performs Galois multiplication in LLE or BLE format. Based on the following description, those skilled in the art will understand that the disclosed technology may also be applied to processors with native BLE endianness by implementing circuitry to reverse the ordering of bits in a byte for GCM encryption. .

For example, the Galois multiplication employed in the GCM multiplication function 524 of Figure 5 involves carry-free multiplication followed by modular reduction. For example, in one embodiment, a carry-free multiplication of two 128-bit input operands A and B produces a 255-bit product P. Modular reduction The modular polynomial g(x) reduces P to a 128-bit number through an iterative process.

For ease of understanding, the reduction of natural numbers modulo G is first explained, and then applied to the reduction modulo the Galois field (GF) (2^128) modulo g(x). In the following reduction, the variables G and J are first defined as follows: G = 2^128 + (2^7 + 2^2 + 2^1 + 1) = 2^128 + J, where J = 2^7 + 2^2 + 2^1 + 1

Given these definitions of G and J, the first step of modular reduction is to divide any 255-bit number P into a 128-bit low part PL and a 127-bit high part PH, where PL < G. This division results in the following relationships: P = PH * 2^128 + PL In the second step of the reduction, P is reduced to a number T with at most 135 bits according to the following set of relations: P = PL + PH * ( 2^128 + (J - J)) = PL + PH * (G - J) == PL + PH * (-J) = T Where "==" means equivalence modulo G (rather than equality). In the third step of reduction, T is divided again into a 7-bit high part (TH) and a 128-bit low part (TL), as given by: T = TL + TH * 2^128 Finally, in the fourth step of reduction, T is reduced to T' in the same way as in step 2 to obtain a result less than G through the following relationship: T' = TL + TH * (-J)

With this understanding of the modular reduction process in mind, reference is now made to FIG. 6 , which is a block diagram of a modular reduction circuit 600 for performing modular reduction in a Galois field having a polynomial g(x), according to one embodiment.

In the Galois field, the multiplication system has no carry operation, and bitwise XOR is used to perform addition and subtraction. Carry-free multiplication of two w -bit numbers produces a (2 w -1)-bit product. So, for example, the multiplication of two 128-bit numbers produces a product P of 255 bits. As described above, in the first step of reduction, the product P is divided into a 128-bit low-order part PL 602 and a 127-bit high-order part PH 604 . PH 604 forms the input to carry-less multiplier 606a , which multiplies PH 604 by the equivalent (-J). For GF(2^128) with LLE format, this multiplier is R= '1110.0001'. The carry-free multiplication of PH 604 and R 608 generates a 134-bit product T 610 , which is divided into a 128-bit low-order part TL 610a and a 6-bit high-order part TH 610b . A second carryless multiplier 606b multiplies TH 610b by R 608 , producing a 13-bit product T' 614 . Bitwise XOR circuit 612 performs a left-aligned bitwise exclusive OR of PL 602 , TL 610a , and T' 614 to produce the fully reduced 128-bit product M 618 . In various embodiments, carry-less multipliers 606a and 606b may be implemented using full-size 128×128-bit LLE multipliers or using 127×8-bit multipliers and 6×8-bit multipliers, respectively. When using different 8-bit values of R, the modular reduction circuit 600 of Figure 6 can also be used for other Galois fields (2^ k ) with f( x ), as long as k is less than or equal to 128 and f( x ) has The form f( x ) = x ^ k + a7 * x ^7 + a6 * x ^6 .... + a1 * x ^1 + a0, where all a(i) are in the set {0, 1, -1} .

Referring now to FIG. 7 , a further optimization of carry-less multiplication according to one embodiment is illustrated. As shown, the carry-less multiplication of the 127-bit PH 604 and the 8-bit constant R 608 will produce eight partial products PP 700a to 700h . However, because R 608 is a constant with exactly four ones (i.e., “1110.0001”), the carry-less multiplication of PH 604 and R 608 may discard four partial products PP 700d to 700g multiplied by zero. Therefore, the product can be obtained from the residual partial products PP 700a to PP 700c and PP 700h using a four-input bitwise XOR circuit 702 that performs the following exclusive OR operation: PL*R = PL XOR (PL>>1) XOR (PL>>2) XOR (PL>>7), where ">>" indicates a shift to the right by a specified number of bit positions. This optimization can reduce the hardware cost of implementing the carry-less multiplier 606a of Figure 6 by more than two times.

FIG. 8 depicts the carry-less multiplication technique shown in FIG . 7 applied to the modular reduction circuit 600 of FIG . 6 . Specifically, Figure 8 illustrates that multiplication of PH*R by carryless multiplier 606a results in four reduction terms: PH 802 , PH 804 shifted right by 1 bit position, PH 804 shifted right by 2 bits PH 806 at the position, and PH 808 shifted to the right by 7 bit positions. The most significant bit of PH 806 and the most significant 6 bits of PH 808 are combined to form TH 610b , which is the higher-order portion of the first reduction result. More precisely, TH(0) = PH(126) XOR PH(121) and TH(1:5) = PH(122:126)

The second reduction term T' = TH * R 614 can be similarly expanded to four terms, namely, TH 610b , TH 812 shifted right by 1 bit position, TH 814 shifted right by 2 bit positions, and TH 816 shifted right by 7 bit positions. These four reduction terms (the four reduction terms of the reduction result T 610 and PL 602 ) form a set of all reduction terms 818 , which are logically combined by the bit-by-bit XOR circuit 612 according to the value of each of the 128 bit positions to produce the fully reduced product M 618. The details of an embodiment of a modular reduction circuit that implements the carry-less multiplication technique given in FIG . 8 are described below with reference to FIG. 12 .

Referring now to Figure 9 , a schematic representation of an exemplary 128-bit by 128-bit multiplication array 900 is shown showing the locations of the high-order product bits and low-order product bits involved in the carry-less multiplication technique of Figure 8 . As shown, the high-order product bits 902 that form TH 610b and the low-order product bits 904 that combine with TH 610b to form T' 614 are located at the extreme ends of the multiplication array 900 where the gates are at their shallowest depth. Therefore, the calculation of product bit 902 and the logical combination of product bit 902 and product bit 904 are not limiting factors in the execution of the carry-less multiplication performed by modular reduction circuit 600 .

Referring now to FIG. 10 , depicted is a high-level block diagram of a carry-less multiplication circuit 404 according to one embodiment. The carryless multiplication circuit 404 that implements Galois multiplication supports both GCM and XTS and is connected to the architectural register file 300 that holds the operand data in native BBE format. As mentioned above, GCM and XTS interpret data in LLE format and BLE format respectively.

In the depicted embodiment, the carry-less multiplication circuit 404 includes two conditional bit-flipping circuits 1002a , 1002b at its input ports and one additional conditional bit-flipping circuit 1002c at its output port. The conditional bit-flipping circuits 1002a , 1002b are each coupled to receive one of two 128-bit operands A and B from registers XA and XB in the architectural register file 300 , respectively, and conditionally flip the order of bits within bytes of operands A and B based on, for example, a mode input indicating whether the carry-less multiplication circuit 404 is being used to perform multiplication for GCM or XTS. The conditional bit inversion circuits 1002a and 1002b output a 128-bit multiplicand 1004a and a 128-bit multiplier 1004b respectively.

The carry-less multiplication circuit 404 includes a carry-less multiplier 1006 that performs a 128-bit by 128-bit multiplication of the multiplicand 1004a and the multiplier 1004b to produce a 255-bit product P 1008. The product P 1008 is received and reduced to a 128-bit reduced product M 618 by a modular reduction circuit 1010 , one embodiment of which is shown in more detail in FIG . 12. This reduced product M 618 is then stored back to register XT of the architectural register file 300 after possible bit order inversion by the conditional bit inversion circuit 1002c .

In the illustrated embodiment, the architected register file 300 and the data operands in the carry-less multiplier 1006 implement the BBE data format. The LLE carry-less multiplication required for GCM can be performed in the BBE formatted carry-less multiplier 1006 simply by performing a BBE formatted multiplication followed by a left shift of the product P 1008 by one bit position. Because the product P 1008 flows directly into the modular reduction circuit 1010 , the 1-bit left shift can be conveniently implemented by the modular reduction circuit 1010 .

On the other hand, for XTS, operands A and B are reformatted by conditional bit reversal circuits 1002a , 1002b to match the LLE data format of GCM. (As mentioned above in Table I, GCM and LLE share the same byte ordering, but have different bit orderings.) Conditional bit reversal circuit 1002c similarly reverses the bit ordering of the reduced product M 1012 of the XTS multiplication before writing the reduced product M 1012 to register XT in the architectural register file 300 .

Referring now to FIG. 11 , a more detailed block diagram of an exemplary embodiment of a conditional bit inversion circuit 1100 that may be used to implement any of the conditional bit inversion circuits 1002 a - 1002 c of FIG . 10 is depicted. In this example, the conditional bit inversion circuit 1100 has a 128-bit (i.e., 16-bit) input 1102 coupled to one input of a dual-input 128-bit multiplexer 1106. Each of the sixteen bytes of the 128-bit input 1102 is further coupled to a respective one of the sixteen bit inversion circuits 1104 , which may be implemented, for example, by routing the ordering of the bits in the associated byte of the input 1102 . The outputs of all bit inversion circuits 1104 together form the second 128-bit input of multiplexer 1106 .

Multiplexer 1106 selects between the data presented at its two inputs based on a pattern input indicating whether large or small endian bit ordering is to be applied. The mode input may be determined, for example, by the corresponding field of the Galois multiplication instruction, as described in greater detail below with reference to FIG . 13 . The data selected by multiplexer 1106 is presented on 128-bit output 1108 .

Referring now to FIG. 12 , there is shown a more detailed block diagram of an exemplary embodiment of the analog reduction circuit 1010 of FIG . 10 . This exemplary circuit closely implements the two-stage reduction described with respect to FIG . 6 using the optimization discussed with reference to FIG . 8 .

Modular reduction circuit 1010 receives as input a 255-bit product P 1008 generated by carry-less multiplier 1006 as shown in FIG10 . As discussed above with reference to FIG6 , product P 1008 includes a 128-bit low portion PL 602 and a 127-bit high portion PH 604. After preliminary bit shifting and padding, modular reduction circuit 1010 reduces product P 1008 to a reduced product M 618 using four bit-wise XOR circuits 1200 , 1202 , 1204 , and 612 operating on left-aligned inputs.

The bitwise XOR circuit 1200 includes three 128-bit inputs coupled to receive the first through third simplifications 818 from FIG. 8 , namely, PL 602 , PH 802 (which is PH 604 filled by fill circuit 1210 with trailing zeros in bit position 127), and PH 804 (which is PH 604 shifted right by one bit position by shift circuit 1212 ). The bitwise exclusive OR of these three inputs produces the first 128-bit input of the bitwise XOR circuit 612 .

The bitwise XOR circuit 1202 similarly logically combines the fourth and fifth reduced terms 818 , i.e., PH 806 (which is PH 604 shifted right by two bit positions by shift circuit 1214 ) and PH 808 (which is PH 604 shifted right by seven bit positions by shift circuit 1216 ). The exclusive OR of these two inputs generates a 134-bit result. Bits 0:127 of this XOR result form TL 610a , which is the second 128-bit input of the bitwise XOR circuit 612. Bits 128:133 of the XOR result generated by the bitwise XOR circuit 1202 form TH 610b , which is passed to the bitwise XOR circuit 1204 and shift circuits 1216 , 1218 , and 1220 .

The bitwise XOR circuit 1204 logically combines the sixth to ninth reduction terms 818 to form the second reduction result T' 614. That is, the bitwise XOR circuit 1204 logically combines TH 610b , TH 810 (which is TH 610b shifted right by one bit position by the shift circuit 1216 ), TH 812 (which is TH 610b shifted right by one bit position by the shift circuit 1218 ), and TH 814 (which is TH 610b shifted right by one bit position by the shift circuit 1220 ). The bitwise exclusive OR of these four inputs (which is the 13-bit second reduction result 614' ) forms the third input of the bitwise XOR circuit 612 . Bitwise XOR circuit 612 performs a left-aligned bitwise exclusive OR on its three inputs to produce a reduced product M 618 .

Referring now to FIG. 13 , an exemplary Galois multiplication instruction 1300 is illustrated according to one embodiment. In a preferred embodiment, a single Galois multiplication instruction 1300 may be executed in the encryption unit 308 of the vector-scalar unit 226 to cause the carry-less multiplication circuit 404 of FIG. 10 to perform carry-less multiplication and modular reduction on the polynomial g(x), as described with reference to FIG . 12 .

In this example, the Galois multiplication instruction 1300 includes an operation code field 1302 that specifies an architecture-specific operation code indicating a Galois carry-less multiplication and modular reduction. The Galois multiplication instruction 1300 further includes an operand field 1304 that directly or indirectly indicates one or more registers XA, XB, XT of the architectural register file 300 for storing source and destination operands for the Galois carry-less multiplication and modular reduction operation. Finally, the Galois multiplication instruction 1300 includes a mode field 1306 that specifies a data format (e.g., BLE/XTS or LLE/GCM) applicable to the Galois carry-less multiplication and modular reduction operation. As mentioned above, the setting of mode field 1306 may be utilized by conditional bit inversion circuit 1100 to select whether to apply bit order inversion to bytes of an input data word.

The foregoing description has described aspects of the disclosed invention with reference to a carryless multiplication circuit 404 having a wide (eg, 128 bits by 128 bits in the present technology) carryless multiplier 1006 . However, some commercial processors may not include a wide carry-less multiplier, but instead include multiple narrower carry-less multipliers operating in parallel on smaller data elements. For example, FIG. 14 illustrates a prior art single instruction multiple data (SIMD) multiply-multiply engine 1400 that includes two 64-bit carryless multipliers 1406 operating in series on 128-bit SIMD operands A 1402 and B 1404 , 1408 . In this example, the SIM multiply-multiply instruction causes carryless multiplier 1406 to multiply the 64-bit high portions of SIMD operands 1402 , 1404 to generate the 128-bit high portion of the product PH 1414 , causing carry-less multiplier 1408 to The 64-bit low parts of SIMD operands 1402 and 1404 are multiplied to generate the 128-bit low part of the product PL 1416 , and the bitwise XOR circuit 1410 performs the 128-bit bitwise mutual exclusion of PH 1414 and PL 1416 or to produce the product Q 1412 . Of course, this conventional SIMD architecture can be extended to add additional lanes to support larger data widths (eg, 256-bit operands).

According to one or more embodiments, the conventional SIMD architecture presented in Figure 14 can also be extended to support Galois multiplication as described above. For example, FIG. 15 depicts an exemplary SIMD carry-less multiplication circuit 1500 supporting Galois multiplication as described herein.

SIMD carry-less multiplication circuit 1500 includes conditional bit-reversal circuits 1506 and 1508 that conditionally reverse the order of bits in each bit group of SIMD operands A 1502 and B 1504 , respectively. Each of conditional bit-reversal circuits 1506 and 1508 may be implemented by conditional bit-reversal circuit 1100 as described above with reference to FIG . 11 .

SIMD carry-less multiplication circuit 1500 further includes two 128-bit SIMD multiply-multiply engines 1512 , 1514 , each of which can be implemented, for example, using the prior art multiply-multiply engine 1400 of FIG . 14. Multiply-multiply engine 1512 multiplies operands 1502 , 1504 (i.e., AH, AL and BH, BL) to generate a 255-bit product P1 including a 127-bit high portion P1H and a 128-bit low portion P1L. The exclusive or of P1H and P1L is the result Q1. To compensate for the data format difference between BBE and LLE, bit 0 is discarded from P1H to achieve a 1-bit left shift. Multiply-multiply engine 1514 has a first input coupled to receive SIMD operator A 1502 (i.e., AH, AL) and a second input coupled to receive the output of swap doubleword circuit 1510 , which swaps the high and low 64-bit doublewords of SIMD operator B 1504 (i.e., BL, BH). Multiply-multiply engine 1514 multiplies these two inputs in a carry-less manner and combines them to generate a 128-bit result Q2 (where Q2 corresponds to AL*BH + AH*BL, i.e., corresponds to a 128b result of a 64-bit multiply-multiply operation with inverted B operator).

The SIMD carry-less multiplication circuit 1500 additionally includes: a reduction circuit 1516 , which reduces the 255-bit product P derived from the result Q2 and the partial products P1L, P1H to 128 bits; and a multiplexer 1518 , which in the reduction circuit Select between the 128-bit result Q1 of 1516 and the 128-bit output as the result 1520 of the SIMD carry-less multiplication circuit 1500 . As further shown in Figure 15 , reduction circuit 1516 logically combines products P1H, P1L, and Q2 using a left-aligned 255-bit bitwise XOR circuit 1534 using three inputs: 127-bit P1H, by using The shift circuit 1530 applies a 127-bit right shift to the 255-bit value obtained by P1L, and the shift circuit 1532 applies a 63-bit right shift to the 191-bit value obtained by Q2. These three left-aligned inputs are logically combined by bitwise XOR circuit 1534 to generate the 255-bit carry-less product P. This 255-bit carry-free product P is reduced to a 128-bit reduced product M by the modular reduction circuit 1010 as previously described with reference to FIG. 10 . The bit ordering within each byte of the reduced product M is conditionally inverted by conditional bit inversion circuit 1536 to produce a 128-bit output that forms the second input of multiplexer 1518 . If the SIMD carry-less multiply circuit 1500 is used to execute the SIMD multiply instruction, the multiplexer 1518 selects the result Q1 as the result 1520 , and if the SIMD carry-less multiply circuit 1500 is used to execute the Galois multiply instruction, the multiplexer 1518 selects the reduction The output of circuit 1516 is result 1520 .

Those skilled in the art will appreciate that SIMD carry-less multiplication circuit 1500 employs optimizations (and may employ additional optimizations) to reduce circuit size. For example, SIMD carry-less multiplication circuit 1500 may employ the Karatsuba algorithm to simplify the calculation of AH*BL + AL*BH to (AH+AL) * (BH+BL) + PH + PL. This simplification may be computed using a 64-bit carry-less multiplier, two 64-bit bitwise XOR circuits operating on operands A and B, and a three-way 128-bit XOR of three product terms. Further optimization may be performed by combining conditional bit flip circuits 1506 , 1508 and swap double word circuit 1510 and by combining conditional bit flip circuit 1536 with multiplexer 1518. In general, if the Karatsuba algorithm is implemented for 128-bit SIMD, the carry-less multiplication circuit 404 of FIG. 10 may be implemented in an area no greater than 1.5 times the area of the multiply-multiply engine 1400 of FIG . 14, and the SIMD carry-less multiplication circuit 1500 of FIG . 15 may be implemented in an area no greater than twice the area of the multiply-multiply engine 1400. If a 64-bit multiply-multiply engine is used in 256-bit or higher SIMD, 128-bit Galois multiplication may be implemented with less hardware overhead. The two 128-bit multiply-multiply engines in this 256-bit SIMD engine can be combined along the lines of Figure 15 to perform 128-bit Galois multiplication on either the upper or lower 128-bit SIMD elements. The only overhead is the multiplexing and conditional bit reversal of the operands for the Galois multiplication and reduction circuit 1516 .

Referring now to FIG. 16 , a high-level logic flow chart of an exemplary method of Galois multiplication according to one embodiment is depicted. For ease of understanding, the process of FIG . 16 is described with reference to the embodiment of the carry-less multiplication circuit 404 given in FIG . 10 .

The illustrated process begins at block 1600 and then proceeds to block 1602 , which illustrates the vector-scalar unit 226 of the processor core 200 receiving an instruction requiring a Galois multiplication, such as the Galois multiplication of Figure 13 Watt multiplication instructions 1300 . In response to receiving the instruction, vector-scalar unit 226 reads operands A and B from architectural register file 300 and passes operands A and B to the input port of carry-less multiplication circuit 404 (block 1604 ). At block 1606 , vector-scalar unit 226 determines whether the instruction specifies (eg, in mode field 1306 ) an XTS mode that requires BLE data format rather than LLE data format. In response to a positive determination at block 1606 , vector-scalar unit 226 utilizes conditional bit inversion circuits 1002a , 1002b of carryless multiplication circuit 404 to invert the bits in each byte of operands A and B. Sorting (block 1608 ).

After block 1608 or in response to a negative determination at block 1606 , the vector-scalar unit 226 performs a carry-less multiplication of operators A and B using the carry-less multiplier 1006 to obtain a 255-bit product P 1008 (block 1610 ). The multiplication uses the BBE data format. At block 1612 , the vector-scalar unit 226 reduces the product P according to the polynomial g(x) through two or more bitwise XOR stages to obtain a reduced product M 618 , as shown in Figure 12 . As shown at blocks 1614-1616 , if the instruction specifies XTS mode requiring BLE data format instead of LLE data format, the vector-scalar unit 226 again utilizes the conditional bit flip circuit 1002c to flip the bit order in each bit group of the reduced product M 618. After block 1616 or if the instruction does not specify XTS mode, the vector-scalar unit 226 writes the reduced product M back to the register file 300 (block 1618 ). After block 1618 , the process of FIG. 16 ends at block 1620 .

Referring now to FIG. 17 , a block diagram of an exemplary design flow 1700 for use in, for example, semiconductor IC logic design, simulation, testing, layout, and manufacturing is shown. The design flow 1700 includes a program, machine, and/or mechanism for processing a design structure or device to generate a logically or otherwise functionally equivalent representation of the design structure and/or device described above and shown herein. The design structure processed and/or generated by the design flow 1700 may be encoded on a machine-readable transmission or storage medium to include data and/or instructions that, when executed or otherwise processed on a data processing system, generate a logically, structurally, mechanically, or otherwise functionally equivalent representation of a hardware component, circuit, device, or system. A machine includes, but is not limited to, any machine used in an IC design process, such as designing, manufacturing, or simulating a circuit, component, device, or system. For example, a machine may include: a lithography machine, a machine and/or equipment for generating masks (e.g., an electron beam writer), a computer or equipment for simulating a design structure, any equipment for a manufacturing or testing process, or any machine for programming a functionally equivalent representation of a design structure into any medium (e.g., a machine for programming a programmable gate array).

The design process 1700 may vary depending on the type of representation being designed. For example, a design flow 1700 for building an application-specific IC (ASIC) may be different than a design flow 1700 for designing standard components or different from a design flow 1700 for materializing a design into a programmable array. The programmable array is, for example, a programmable gate array (PGA) or a field programmable gate array (FPGA) provided by Altera® or Xilinx®.

FIG. 17 illustrates a plurality of such design structures including an input design structure 1020 that is preferably processed by a design program 1710 . Design structure 1720 may be a logical simulation design structure generated by design program 1710 and processed to produce a logically equivalent functional representation of the hardware device. Design structure 1720 may also or alternatively include data and/or program instructions that, when processed by design program 1710 , generate a functional representation of the physical structure of the hardware device. Whether representing functional and/or structural design features, the design structure 1720 may be generated using, for example, electronic computer-aided design (ECAD) implemented by a core developer/designer. When encoded on a machine-readable data transmission, gate array, or storage medium, the design structure 1720 may be accessed and processed by one or more hardware and/or software modules within the design program 1710 to simulate or otherwise function. The above refers to electronic components, circuits, electronic or logic modules, devices, devices or systems, such as those shown herein. Thus, design structure 1720 may include files or other data structures that include human and/or machine readable source code, compiled structures, and computer executable code structures that are generated from design or simulation data. Processing systems process circuits or other levels that functionally simulate or otherwise represent hardware logic designs. Such data structures may include Hardware Description Language (HDL) design entities or be consistent with lower-level HDL design languages (such as Verilog and VHDL) and/or higher-level design languages (such as C or C++) and/or with lower-level HDL design language and/or other data structures compatible with higher-level design languages.

Design process 1710 preferably employs and incorporates hardware and/or software modules for synthesizing, translating, or otherwise processing design/simulation functional equivalents of components, circuits, devices, or logic structures shown herein to generate a wiring lookup table 1780 that may contain design structures such as design structure 1720. Wiring lookup table 1780 may include, for example, a compiled or otherwise processed data structure representing a list of wires, discrete components, logic gates, control circuits, I/O devices, models, etc. that describe connections to other components and circuits in an integrated circuit design. Wiring lookup table 1780 may be synthesized using an iterative process in which wiring lookup table 1780 is resynthesized one or more times depending on the design specifications and parameters for the device. As with other types of designs described herein, the wiring lookup table 1780 may be recorded on a machine readable storage medium or programmed into a programmable gate array. The medium may be a non-volatile storage medium such as a disk drive or optical disk drive, a programmable gate array, a CF card (compact flash) or other flash memory. Additionally or alternatively, the medium may be system or cache memory or buffer space.

The design program 1710 may include hardware and software modules for processing various input data structure types including the wiring lookup table 1780 . Such data structure types may reside, for example, within library element 1730 and include a collection of commonly used components, circuits, and devices for a given manufacturing technology (e.g., different technology nodes: 32 nm, 45 nm, 170 nm, etc.), Includes model, layout and symbolic representation. The data structure type may further include design specifications 1740 , characterization data 1750 , verification data 1760 , design rules 1790 , and test data files 1785. The test data files may include input test patterns, output test results, and other test information. The design program 1710 may further include, for example, standard mechanical design programs such as stress analysis, thermal analysis, mechanical event simulation, program simulation for operations such as casting, molding, compression forming, and the like. Those skilled in the art of mechanical design can appreciate the range of possible mechanical design tools and applications for use in the design process 1710 without departing from the scope and spirit of the invention. Design program 1710 may also include modules for performing standard circuit design procedures such as timing analysis, verification, design rule checking, placement and routing operations, and the like.

The design program 1710 employs and incorporates logical and physical design tools such as HDL compilers and simulation model building tools to process the design structure 1720 along with some or all of the depicted supporting data structures and any additional mechanical design or data, if applicable, to generate a second design structure 1790. The design structure 1790 resides on a storage medium or programmable gate array in a data format for exchanging data of mechanical devices and structures (e.g., information stored in IGES, DXF, Parasolid XT, JT, DRG, or any other suitable format for storing or presenting such mechanical design structures). Similar to design structure 1720 , design structure 1790 preferably includes one or more files, data structures, or other computer-encoded data or instructions that reside on a transmission or data storage medium and that, when processed by an ECAD system, generate a logically or otherwise functionally equivalent form of one or more of the embodiments of the invention presented herein. In one embodiment, design structure 1790 may include a compiled, executable HDL simulation model that functionally simulates a device presented herein.

The design structure 1790 may also adopt a data format and/or symbolic data format used to exchange layout data of integrated circuits (e.g., in GDSII (GDS2), GL1, OASIS, mapping files, or any other used to store such design data structures). information stored in other suitable formats). Design structure 1790 may include information such as, for example, symbol data, mapping files, test data files, design content files, manufacturing data, layout parameters, wires, metal levels, vias, shapes, data for routing through manufactured lines and any other information necessary by manufacturers or other designers/developers to produce devices or structures as described above and illustrated herein. The design structure 1790 may then proceed to stage 1795 , where, for example, the design structure 1790 : proceeds to tape-out, is released to manufacturing, is released to the mask room, is sent to another design room, is Send back to client etc.

As described, in at least one embodiment, a processor includes: an instruction fetch unit that fetches instructions to be executed; an architected register file that includes a plurality of registers for storing source and destination operands; and an execution unit that executes a Galois multiplication instruction. The execution unit includes a carry-less multiplier configured to multiply the operands of the Galois multiplication instruction to generate a product. The execution unit further includes a modular reduction circuit that is configured to receive the product and determine a reduced product having a fewer number of bits than the product based on a logical combination of the product and a fixed polynomial. The execution unit is configured to store the reduced product as a result of the Galois multiplication instruction in the architected register file.

In some embodiments, the processor may form part of a larger data processing system or may be implemented as a design structure embodied in a machine-readable storage device.

According to one data processing method, an instruction fetch unit of a processor fetches instructions to be executed by the processor, including a Galois multiplication instruction. Based on receiving the Galois multiplication instruction, an execution unit of the processor executes the Galois multiplication instruction. Executing the Galois multiplication instruction includes multiplying the operands of the Galois multiplication instruction by a carryless multiplier to generate a product. Executing the instructions further includes a modular reduction circuit receiving the product and determining a reduced product having a smaller number of bits than the product based on a logical combination of the product and a fixed polynomial. The processor then stores the reduced product as a result of the Galois multiplication instruction to an architectural register file of the processor.

In at least one embodiment, the fixed polynomial is g(x) = 1 + X + x^2 + x^7+ x^128.

In at least one embodiment, the product of the carry-less multiplication includes a high portion including high-order bits of the product and a low portion including low-order bits of the product, and the modular reduction circuit is configured to compute a first result equivalent to a carry-less multiplication of the high portion and the fixed polynomial. The modular reduction circuit includes: shift circuitry that applies a plurality of different bit position shifts to the high portion of the product consistent with established bits in the fixed polynomial; and bitwise exclusive OR (XOR) circuitry that logically combines multiple instances of the high portion of the product having different respective bit position shifts applied by the shift circuitry.

In at least one embodiment, the shift circuitry is further configured to apply a plurality of different bit position shifts to a high portion of the first result that is consistent with established bits in the fixed polynomial; and the bitwise exclusive OR (XOR) circuitry is further configured to logically combine a plurality of instances of the high portion of the first result having different respective bit position shifts applied by the shift circuitry to obtain a second result. The bitwise XOR circuitry generates the reduced product based on the first result, the second result, and the low portion of the product.

In at least one embodiment, the bitwise exclusive OR (XOR) circuitry includes at least two stages of bitwise XOR circuitry.

In at least one embodiment, the processor includes a conditional bit-flip circuit configured to conditionally flip a bit ordering of bytes in one of the operands based on a mode indicated by the Galois multiplication instruction before the operands are multiplied.

In at least one embodiment, the carry-less multiplier is a first multiply-multiply engine, the execution unit includes a second multiply-multiply engine, the first carry-less multiply-multiply engine and the second carry-less multiply-multiply engine both have a first data width, and the operands include first and second operands having a second data width that is an integer multiple of the first data width. In this case, the first multiply-multiply engine and the second multiply-multiply engine are configured to multiply subsets of the first operand and the second operand in parallel.

Although various embodiments have been particularly shown and described, those skilled in the art will appreciate that various changes in form and detail may be made therein without departing from the spirit and scope of the appended claims, and such alternative implementations are intended to be within the scope of the appended claims. For example, although the invention has been described with respect to specific cryptographic algorithms (e.g., AES, GCM, XTS) and data widths, those skilled in the art will appreciate that the disclosed invention is also applicable to other encryption algorithms and data widths.

The flowcharts and block diagrams in the figures illustrate the architecture, functionality, and operation of possible implementations of systems, methods, and computer program products according to various embodiments of the invention. In this regard, each block in the flowchart or block diagram may represent a module, section, or portion of instructions that contains one or more executable instructions for implementing the specified logical function. In some alternative implementations, the functions noted in the blocks may occur out of the order noted in the figures. For example, two blocks shown in succession may in fact execute substantially concurrently, or the blocks may sometimes execute in the reverse order, depending on the functionality involved. It should also be noted that each block of the block diagrams and/or flowchart illustrations, and combinations of blocks in the block diagrams and/or flowchart illustrations, can be configured by a combination of special purpose hardware and computer instructions to perform the specified functions or actions or perform special purpose hardware System implementation based on special purpose hardware.

Additionally, although aspects have been described with respect to a computer system executing program code directing the functions of the present invention, it should be understood that the present invention may alternatively be implemented as a program product including a computer-readable storage device storing program code that can be processed by a data processing system. The computer-readable storage device may include volatile or non-volatile memory, an optical or magnetic disk, or the like. However, as used herein, "storage device" is specifically defined to include only legal products and excludes the signal medium itself, the transient propagating signal itself, and the energy itself.

The program product may include data and/or instructions that, when executed or otherwise processed on a data processing system, generate the logic, functionality, or functionality of the hardware components, circuits, devices, or systems disclosed herein. Structurally or otherwise functionally equivalent representations (including simulation models). Such data and/or instructions may include Hardware Description Language (HDL) design entities or conform to lower level HDL design languages (such as Verilog and VHDL) and/or higher level design languages (such as C or C++) and/or with The lower-level HDL design language and/or other data structures compatible with the higher-level design language. In addition, data and/or instructions may also be in data formats and/or symbolic data formats used to exchange layout data for integrated circuits (e.g., in GDSII (GDS2), GL1, OASIS, mapping files or used to store such designs). information stored in any other suitable format of the data structure).

100: Data processing system 102: Processor 104: Processor core 106: Cache memory 110: System interconnect 112: Memory controller 114: System memory 116: Input/output (I/O) adapter 118: Non-volatile storage system 120: Network adapter 200: Processor core 202: Instruction fetch unit 204: Instruction decode unit 206: Branch processing unit 210: Mapper circuit 216: Dispatch circuit 218: Issue queue 220: Fixed point unit 222: Floating point unit 224: Load-store unit 226: Vector-scalar unit 230: Storage 300: Architectural register file 302: Function unit/arithmetic logic unit/rotation unit 304: Function unit/multiplication unit 306: Function unit/division unit 308: Function unit/encryption unit 310: Function unit/permutation unit 312: Function unit/binary coded decimal (BCD) unit 314: matrix multiplication and accumulation (MMA) unit 316: Non-architectural register file 400: AES encryption/decryption circuit 402: AES key generation circuit 404: carry-less multiplication circuit 500: encryption and authentication program 502: plain text block 504: initial value 506: encryption key K 508: Authentication data 510: 128-bit authentication key H 512: Counter 0/Counter 1/Counter n 514: Increment function 516: AES encryption function 518: 128-bit encrypted output X0 to Xn 520: Exclusive OR (XOR) function 522: 128-bit ciphertext block/ciphertext 1/final ciphertext n 524: Galois counter multiplication (GCM) 0 function/GCM multiplication 1 function 526: 128-bit authentication value Y1/authentication value Y n +1 528: XOR function 530: 128-bit length indicator 532: Signature 600: Modulus reduction circuit 602: 128-bit low-level part PL 604: 127-bit high-level part PH 606a: carry-less multiplier 606b: carry-less multiplier 608: R 610: 134-bit product T 610a: 128-bit low-order part TL 610b: 6-bit high-order part TH 612: bit-by-bit XOR circuit 614: 13-bit product T'/second reduced result T' 618: 128-bit reduced product M 700a: partial product PP 700b: partial product PP 700c: partial product PP 700d: partial product PP 700e: partial product PP 700f: partial product PP 700g: partial product PP 700h: partial product PP 702: four-input bit-by-bit XOR circuit 802: PH 804: PH shifted right by 1 bit position 806: PH shifted right by 2 bit positions 808: PH shifted right by 7 bit positions 812: TH shifted right by 1 bit position 814: TH shifted right by 2 bit positions 816: TH shifted right by 7 bit positions 818: First to third simplified terms/fourth and fifth simplified terms/sixth to ninth simplified terms 900: 128-bit by 128-bit multiplication array 902: high-order product bits 904: low-order product bits 1002a: conditional bit inversion circuit 1002b: conditional bit inversion circuit 1002c: additional conditional bit inversion circuit 1004a: 128-bit multiplicand 1004b: 128-bit multiplier 1006: carry-less multiplier 1008: 255-bit product P 1010: Modular reduction circuit 1100: Conditional bit reversal circuit 1102: 128-bit input 1104: Bit reversal circuit 1106: Dual input 128-bit multiplexer 1108: 128-bit output 1200: Bitwise XOR circuit 1202: Bitwise XOR circuit 1204: Bitwise XOR circuit 1210: Fill circuit 1212: Shift circuit 1214: Shift circuit 1216: Shift circuit 1218: Shift circuit 1220: Shift circuit 1300: Galois multiplication instruction 1302: Operation code field 1304: Operand field 1306: Mode field 1400: Prior art single instruction multiple data (SIMD) multiply-multiply engine 1402: 128-bit SIMD operator A 1404: 128-bit SIMD operator B 1406: 64-bit carry-less multiplier 1408: 64-bit carry-less multiplier 1410: bitwise XOR circuit 1412: product Q 1414: 128-bit high part PH 1416: 128-bit low part PL 1500: SIMD carry-less multiplication circuit 1502: SIMD operator A 1504: SIMD operator B 1506: conditional bit reversal circuit 1508: conditional bit reversal circuit 1510: swap double word circuit 1512: 128-bit SIMD multiply-multiply engine 1514: 128-bit SIMD multiply-multiply engine 1516: reduction circuit 1518: multiplexer 1520: result 1530: shift circuit 1532: shift circuit 1534: bitwise XOR circuit 1536: conditional bit reversal circuit 1600: block 1602: block 1604: block 1606: Block 1608: Block 1610: Block 1612: Block 1614: Block 1616: Block 1618: Block 1620: Block 1700: Design flow 1710: Design procedure 1720: Design structure 1730: Library component 1740: Design specification 1750: Characterization data 1760: Verification data 1780: Wiring comparison table 1785: Test data file 1790: Design rules/second design structure 1795: Phase

FIG1 is a high-level block diagram of a data processing system including a processor according to one embodiment;

FIG2 is a high-level block diagram of a processor core according to one embodiment;

Figure 3 is a high-level block diagram of an exemplary execution unit of a processor core according to one embodiment;

FIG4 is a more detailed block diagram of an encryption unit within a processor core according to one embodiment;

FIG5 is a time-space diagram of the encryption and authentication process using Advanced Encryption Standard - Galois Counter Mode (AES-GCM);

FIG6 is a block diagram of a modular reduction circuit for performing modular reduction in a Galois field according to one embodiment;

Figure 7 illustrates optimization of carry-free multiplication according to one embodiment;

Figure 8 depicts the carry-less multiplication technique of Figure 7 applied to the circuit of Figure 6 ;

FIG9 is a schematic diagram of an exemplary multiplication array showing the positions of a first set of carry-free product bits subjected to one modular reduction stage and a second set of carry-free product bits subjected to two modular reduction stages;

FIG10 is a high-level block diagram of a carry-less multiplication circuit according to one embodiment;

FIG11 is a more detailed block diagram of an exemplary embodiment of the conditional bit flip circuit of FIG10 ;

Figure 12 is a more detailed block diagram of an exemplary embodiment of the modular reduction circuit of Figure 10 ;

Figure 13 depicts an exemplary Galois multiplication instruction according to one embodiment;

FIG. 14 illustrates a prior art single instruction multiple data (SIMD) carry-less multiplication circuit;

FIG. 15 depicts an exemplary SIMD carry-less multiplication circuit supporting Galois multiplication according to one embodiment;

FIG16 is a high-level logic flow chart of an exemplary method of Galois multiplication according to one embodiment; and

Figure 17 depicts an exemplary design procedure according to one embodiment.

300: Architectural register file

404: Carry-free multiplication circuit

1002a: Conditional bit inversion circuit

1002b: Conditional bit inversion circuit

1002c: Additional conditional bit inversion circuit

1004a: 128-bit multiplicand

1004b: 128-bit multiplier

1006: Carry-free multiplier

1008:255-bit product P

1010: Modular reduction circuit

Claims (20)

A processor containing: An instruction fetch unit that fetches instructions to be executed; an architectural register file that includes a plurality of registers for storing source and destination operands; and An execution unit for executing a Galois multiplication instruction, wherein the execution unit includes: a carry-less multiplier configured to multiply the operands of the Galois multiplication instruction to produce a product; and A modular reduction circuit configured to receive the product and determine a reduced product having a smaller number of bits than the product based on a logical combination of the product and a fixed polynomial, wherein the execution unit is configured state to store the reduced product in the architectural register file as one of the results of the Galois multiplication instruction. The processor of claim 1, wherein the fixed polynomial is g(x) = 1 + X + x^2 + x^7+ x^128. The processor of claim 1, wherein: the product includes a high portion including high-order bits of the product and a low portion including low-order bits of the product; the modular reduction circuit is configured to compute a first result equivalent to a carry-less multiplication of the high portion and the fixed polynomial, wherein the modular reduction circuit includes: shift circuitry that applies multiple different bit position shifts to the high portion of the product consistent with established bits in the fixed polynomial; and bitwise exclusive OR (XOR) circuitry that logically combines multiple instances of the high portion of the product having different respective bit position shifts applied by the shift circuitry. The processor of claim 3, wherein: the shift circuitry is further configured to apply a plurality of different bit position shifts to a high portion of the first result that is consistent with established bits in the fixed polynomial; the bitwise exclusive OR (XOR) circuitry is further configured to logically combine a plurality of instances of the high portion of the first result having different respective bit position shifts applied by the shift circuitry to obtain a second result, wherein the bitwise XOR circuitry generates the reduced product based on the first result, the second result, and the low portion of the product. A processor as claimed in claim 3, wherein the bitwise exclusive OR (XOR) circuit system includes at least two stages of bitwise XOR circuit system. The processor of claim 1, further comprising: A conditional bit reversal circuit configured to conditionally reverse a bit ordering of bytes in one of the operands based on an endian mode indicated by the Galois multiplication instruction before the operands are multiplied. A processor as claimed in claim 1, wherein: the carry-less multiplier is a first multiply-multiply engine; the execution unit includes a second multiply-multiply engine, wherein the first multiply-multiply engine and the second multiply-multiply engine have a first data width; the operands include first and second operands having a second data width that is an integer multiple of the first data width; and the first multiply-multiply engine and the second multiply-multiply engine are configured to multiply subsets of the first operands and the second operands in parallel. A data processing system comprising: a plurality of processors, including the processor of claim 1; a shared memory; and a system interconnect coupling the shared memory and the plurality of processors in a communicative manner. A method of performing data processing in a processor, the method comprising: Fetching instructions to be executed by the processor by an instruction fetch unit, wherein the instructions include a Galois multiplication instruction; and Based on receiving the Galois multiplication instruction, an execution unit of the processor executes the Galois multiplication instruction, where the execution includes: Multiply the operands of the Galois multiplication instruction by a carryless multiplier to generate a product; A modular reduction circuit receives the product and determines a reduced product that has a smaller number of bits than the product based on a logical combination of the product and a fixed polynomial; and The reduced product is stored in an architectural register file of the processor as a result of the Galois multiplication instruction. Such as the method of request item 9, where the fixed polynomial is g(x) = 1 + X + x^2 + x^7+ x^128. Such as the method of request item 9, wherein: the product includes a high part including the high-order bits of the product and a low part including the low-order bits of the product; Determining the reduced product includes computing a first result equivalent to a carry-free multiplication of the high part and one of the fixed polynomials, wherein the computing includes: applying a plurality of different bit position shifts to the high portion of the product consistent with established bits in the fixed polynomial by shifting circuitry; and Multiple instances of the high portion of the product having different individual bit position shifts applied by the shift circuitry are logically combined by bitwise exclusive OR (XOR) circuitry. The method of claim 11, further comprising: applying a plurality of different bit position shifts by the shift circuit system to a high portion of the first result consistent with the established bits in the fixed polynomial; and logically combining by the bitwise exclusive OR (XOR) circuit system a plurality of instances of the high portion of the first result having different respective bit position shifts applied by the shift circuit system to obtain a second result; wherein determining the reduced product comprises determining the reduced product based on the first result, the second result, and the low portion of the product. For example, the method of request item 9 further includes: Before multiplying the operands, a bit ordering of the bytes in one of the operands is conditionally reversed based on an endian mode indicated by the Galois multiplication instruction. Such as the method of request item 9, wherein: The carry-less multiplier is a first multiply-multiply engine; The execution unit includes a second multiply-by engine, wherein the first multiply-by engine and the second multiply-by engine have a first data width; The operands include first and second operands having a second data width that is an integer multiple of the first data width; and Multiplying the operands includes the first multiply-multiply engine and the second multiply-multiply engine multiplying a subset of the first operands and the second operands in parallel. A design structure, tangibly embodied in a machine-readable storage device, for designing, manufacturing, or testing an integrated circuit, the design structure comprising: a processor, comprising: an instruction fetch unit that fetches instructions to be executed; an architectural register file that includes a plurality of registers for storing source and destination operands; and an execution unit for executing a Galois multiplication instruction, wherein the execution unit includes: a carry-less multiplier configured to multiply the operands of the Galois multiplication instruction to generate a product; and A modular reduction circuit configured to receive the product and determine a reduced product having a fewer number of bits than the product based on a logical combination of the product and a fixed polynomial, wherein the execution unit is configured to store the reduced product as a result of the Galois multiplication instruction to the architected register file. For example, in the design structure of request item 15, the fixed polynomial is g(x) = 1 + X + x^2 + x^7+ x^128. The design structure of claim 15, wherein: the product includes a high portion including high-order bits of the product and a low portion including low-order bits of the product; the modular reduction circuit is configured to compute a first result equivalent to a carry-less multiplication of the high portion and the fixed polynomial, wherein the modular reduction circuit includes: a shift circuit system that applies multiple different bit position shifts to the high portion of the product that are consistent with established bits in the fixed polynomial; and a bitwise exclusive OR (XOR) circuit system that logically combines multiple instances of the high portion of the product having different respective bit position shifts applied by the shift circuit system. The design structure of claim 17, wherein: the shift circuit system is further configured to apply multiple different bit position shifts to the high portion of the first result that is consistent with the established bits in the fixed polynomial; the bitwise exclusive OR (XOR) circuit system is further configured to logically combine multiple instances of the high portion of the first result having different respective bit position shifts applied by the shift circuit system to obtain a second result, wherein the bitwise XOR circuit system generates the reduced product based on the first result, the second result, and the low portion of the product. The design structure of claim 15, further comprising: A conditional bit reversal circuit configured to conditionally reverse a bit ordering of bytes in one of the operands based on an endian mode indicated by the Galois multiplication instruction before the operands are multiplied. The design structure of claim 15, wherein: the carry-less multiplier is a first multiply-multiply engine; the execution unit includes a second multiply-multiply engine, wherein the first multiply-multiply engine and the second multiply-multiply engine have a first data width; the operands include first and second operands having a second data width that is an integer multiple of the first data width; and the first multiply-multiply engine and the second multiply-multiply engine are configured to multiply subsets of the first operand and the second operand in parallel.