TWI235582B - Apparatus for supporting advanced encryption standard encryption and decryption - Google Patents
- Publication number: TWI235582B
- Authority: TW (Taiwan)
- Prior art keywords: output, data, code, multiplexer, mutex
- Landscapes: Storage Device Security (AREA)
Description
1235582
[Description of the Invention]
[Technical Field of the Invention]
The present invention relates to an encryption/decryption apparatus, and in particular to an encryption/decryption apparatus that supports the Advanced Encryption Standard (AES).

[Prior Art]
Because e-commerce and online transactions have grown vigorously in recent years, the requirements placed on data encryption have become more stringent. Following the Data Encryption Standard (DES), the Advanced Encryption Standard (AES) cryptosystem was developed, raising data confidentiality to a higher level. The AES cryptosystem is a symmetric cipher: the same key is used for encryption and decryption. The key may be 128, 192 or 256 bits long, while the plaintext and ciphertext are always 128 bits. For ease of explanation, the plaintext, ciphertext and key below are all taken to be 128 bits long.

The AES encryption algorithm:
    AddRoundKey
    for round = 1 to Nr-1
        KeyExpansion
        SubBytes
        ShiftRows
        MixColumns
        AddRoundKey
    end for
    SubBytes
    ShiftRows
    AddRoundKey

First the "add round key" step (hereafter AddRoundKey) is executed: the system XORs the plaintext with the first subkey (a subkey is derived from the key by a specific operation; hereafter SubKey) and outputs the result, then enters the loop below. For convenience, the result of XORing the plaintext with the first SubKey is called the encryption input data. The number of loop iterations is Nr-1, where Nr is set according to the AES specification. The "key expansion" operation inside the loop (hereafter KeyExpansion) generates the next SubKey from the previous one: the first iteration generates the second SubKey from the first, the second iteration generates the third SubKey from the second, and so on. The encryption input data then undergoes the "byte substitution" (hereafter SubBytes), "row shift" (hereafter ShiftRows) and "column mixing" (hereafter MixColumns) operations and is XORed with the current SubKey (the second SubKey, since KeyExpansion has already been executed); these steps are repeated until the loop ends. After the loop, the data undergoes SubBytes, ShiftRows and AddRoundKey, which completes encryption. The decryption algorithm is described next.

The AES decryption algorithm:
    AddRoundKey
    for round = 1 to Nr-1
        InvKeyExpansion
        InvShiftRows
        InvSubBytes
        AddRoundKey
        InvMixColumns
    end for
    InvShiftRows
    InvSubBytes
    AddRoundKey

Basically, the decryption procedure is the inverse of encryption. First the system executes the InvAddRoundKey step, XORing the ciphertext with the last SubKey (for example the tenth) and outputting the result, then enters the loop below; for convenience, the result of XORing the ciphertext with the tenth SubKey is called the decryption input data. Note that because of the properties of XOR, InvAddRoundKey is the same operation as AddRoundKey, so the two are not distinguished below and both are called AddRoundKey. Inside the loop, the "inverse key expansion" operation (hereafter InvKeyExpansion) generates the previous SubKey from the next one: the first iteration generates the ninth SubKey from the tenth, the second iteration generates the eighth from the ninth, and so on. The decryption input data then undergoes "inverse byte substitution" (hereafter InvSubBytes), "inverse row shift" (hereafter InvShiftRows) and "inverse column mixing" (hereafter InvMixColumns) and is XORed with the current SubKey (the ninth, since InvKeyExpansion has already been executed); these steps are repeated until the loop ends. After the loop, the data undergoes InvSubBytes, InvShiftRows and AddRoundKey, which completes decryption.

As described above, encryption and decryption involve five main data-processing steps: AddRoundKey, KeyExpansion, SubBytes, ShiftRows and MixColumns. Each is described below.
Note that because these steps are chained, the output data (out) of one step is the input data (in) of the next; to simplify the figures and the description, the input and output data are not given separate names. In addition, every plus sign (+) below denotes XOR rather than ordinary addition; this is not repeated hereafter.

The plaintext, ciphertext and SubKey are each a 4x4 matrix whose elements are 8 bits, so all three are 128 bits long. Refer to Fig. 1, which shows the data processing of AddRoundKey: this step XORs the input data (in) with the SubKey to obtain the output data (out), which the subsequent operations continue to process. From the basic property of XOR, XORing the output data with the SubKey again recovers the input data. Refer next to Fig. 2, which shows the data processing of ShiftRows. This step rotates each row of the input data (for example the output of AddRoundKey) by a fixed number of bytes: the first row is rotated right by 0 bytes (0B), the second row right by 1B, the third row right by 2B and the fourth row right by 3B, and the result is output. If encryption is done this way, the InvShiftRows performed during decryption must do the opposite: rotate the first row left by 0B, the second left by 1B, the third left by 2B and the fourth left by 3B.

Refer to Fig. 3, which shows the data processing of MixColumns/InvMixColumns. MixColumns multiplies each column of the input data (for example the output of ShiftRows) by a matrix to obtain the output data; conversely, multiplying the output data by the inverse matrix recovers the input data, that is, the matrices used by MixColumns and InvMixColumns are inverses of each other.

Refer to Fig. 4, which shows the data processing of SubBytes/InvSubBytes. The main computing unit of SubBytes is called the S-box. The input of each S-box (marked in in the figure, x in equation (1)) and its output (marked out in the figure, y in equation (1)) are each 1 byte (8 bits), and

y = M * multiplicative_inverse(x) + c   (1)
where M is the 8x8 binary matrix and c the 8-bit constant of the S-box affine transformation (rows and columns ordered from bit 7 down to bit 0):

M =
  1 1 1 1 1 0 0 0
  0 1 1 1 1 1 0 0
  0 0 1 1 1 1 1 0
  0 0 0 1 1 1 1 1
  1 0 0 0 1 1 1 1
  1 1 0 0 0 1 1 1
  1 1 1 0 0 0 1 1
  1 1 1 1 0 0 0 1

c = 0 1 1 0 0 0 1 1 (63 hex), a constant.

The multiplicative inverse (multiplicative_inverse) is a very complicated function, so most implementations solve it directly by table lookup, giving lookup data y = Table_A(x), where Table_A is the byte-substitution table in the figure, i.e. the S-box table of the AES standard. Likewise, an inverse S-box is needed to complete the InvSubBytes function, so another table x = Table_B(y) is needed, where Table_B is the inverse byte-substitution table in the figure, i.e. the inv-S-box table of the AES standard. But these two tables necessarily occupy a large amount of hardware space, which is quite uneconomical.

As described above, apart from the difference in execution flow between the conventional encryption and decryption steps, the inverse functions are also a problem, especially SubBytes and
InvSubBytes, which are two table-lookup functions and, under high-performance design requirements, occupy a large amount of memory (2 * 16 * 256 * 8 bits); in addition, MixColumns and InvMixColumns are both matrix multiplications and, unless they can be integrated effectively, will also consume considerable computing resources. This is a module that needs to be reconsidered and redesigned.

[Summary of the Invention]
In view of this, an object of the present invention is to provide an integrated circuit module for an encryption/decryption apparatus supporting the Advanced Encryption Standard, which selectively performs the SubBytes and InvSubBytes operations. Besides saving computing resources by using a shared lookup table while computing, its simplified circuit structure meets the requirements of both shorter overall critical paths and low complexity, so that the speed of this computing module can be raised.

Another object of the present invention is to provide a round module supporting the Advanced Encryption Standard, which integrates SubBytes/InvSubBytes, ShiftRows/InvShiftRows and MixColumns/InvMixColumns in the same module to selectively perform one round of encryption or decryption. By using this round module, a hardware implementation of an AES encryption/decryption apparatus can meet the requirements of both high computing speed and low complexity.

According to the above object, the present invention proposes an integrated SubBytes/InvSubBytes operation apparatus supporting the Advanced Encryption Standard (AES), which selectively performs SubBytes or InvSubBytes on an input data code and outputs a desired output data code. The integrated SubBytes/InvSubBytes apparatus comprises: a first matrix operator, which performs a first matrix operation on the input data code and outputs the result of the first matrix operation; a first exclusive-OR operation module, which performs a first exclusive-OR operation on the input data code and outputs the result of the first exclusive-OR operation; a first multiplexer, coupled to the first matrix operator and the first exclusive-OR module, which according to a select signal chooses between the result of the first matrix operation and the result of the first exclusive-OR operation as the output data code of the first multiplexer; a table-lookup device, coupled to the first multiplexer, which performs a table lookup on the output data code of the first multiplexer and outputs a lookup data code; a second matrix operator, which performs a second matrix operation on the lookup data code and outputs the result of the second matrix operation; a second exclusive-OR operation module, which performs a second exclusive-OR operation on the lookup data code and outputs the result of the second exclusive-OR operation; and a second multiplexer, coupled to the second matrix operator and the second exclusive-OR module, which according to the select signal chooses between the result of the second matrix operation and the result of the second exclusive-OR operation as the output data code of the second multiplexer; the output data code of the second multiplexer is the desired output data code.

When the select signal indicates that encryption is required, this integrated SubBytes/InvSubBytes apparatus performs SubBytes: the first multiplexer selects the result of the first exclusive-OR operation and the second multiplexer selects the result of the second exclusive-OR operation. When the select signal indicates that decryption is required, the integrated apparatus performs InvSubBytes: the first multiplexer selects the result of the first matrix operation and the second multiplexer selects the result of the second matrix operation.

According to the other object above, the present invention proposes a round module supporting the Advanced Encryption Standard, which selectively performs an encryption or decryption round according to an input data code and a SubKey and produces an output data code. The round module comprises: an exclusive-OR gate, which XORs the input data code with the SubKey to produce the output code of the exclusive-OR gate; a first multiplexer, coupled to the exclusive-OR gate, having a first input that receives a data code to be decrypted and a second input that receives the output code of the exclusive-OR gate, which according to a select signal outputs one of the data code to be decrypted and the output code of the exclusive-OR gate as the output code of the first multiplexer; a SubBytes/InvSubBytes device, coupled to the first multiplexer, which performs SubBytes/InvSubBytes on the output code of the first multiplexer and outputs a substitution output code; a ShiftRows/InvShiftRows device, coupled to the SubBytes/InvSubBytes device, which performs ShiftRows/InvShiftRows on the substitution output code and outputs a shift output code; a second multiplexer, coupled to the exclusive-OR gate and the ShiftRows/InvShiftRows device, having a first input that receives the output code of the exclusive-OR gate and a second input that receives the shift output code, which according to the select signal outputs one of the two as the output code of the second multiplexer; a MixColumns/InvMixColumns device, coupled to the second multiplexer, which performs MixColumns/InvMixColumns on the output code of the second multiplexer and outputs a mixing output code; a third multiplexer, coupled to the second multiplexer and the MixColumns/InvMixColumns device, having a first input that receives the output code of the second multiplexer and a second input that receives the mixing output code, which according to an encryption/decryption-complete signal outputs one of the two, and the output code of this third multiplexer is the data code to be decrypted; a fourth multiplexer, coupled to the third multiplexer and the ShiftRows/InvShiftRows device, having a first input that receives the shift output code and a second input that receives the data code to be decrypted, which according to the select signal outputs one of the two as the output code of the fourth multiplexer; and a fifth multiplexer, coupled to the fourth multiplexer and the exclusive-OR gate, having a first input that receives the output code of the fourth multiplexer and a second input that receives the output code of the exclusive-OR gate, which according to a round-complete signal outputs one of the two as the output code of the fifth multiplexer; the output code of the fifth multiplexer is the output data code.

The SubBytes/InvSubBytes device comprises: a first matrix operator, which performs a first matrix operation on the output code of the first multiplexer and outputs the result of the first matrix operation; a first exclusive-OR operation module, which performs a first exclusive-OR operation on the output code of the first multiplexer and outputs the result of the first exclusive-OR operation; a first selector, coupled to the first matrix operator and the first exclusive-OR module, which according to the select signal chooses between the result of the first matrix operation and the result of the first exclusive-OR operation as the output code of the first selector; a table-lookup device, coupled to the first selector, which performs a table lookup on the output code of the first selector and outputs a lookup data code; a second matrix operator, which performs a second matrix operation on the lookup data code and outputs the result of the second matrix operation; a second exclusive-OR operation module, which performs a second exclusive-OR operation on the lookup data code and outputs the result of the second exclusive-OR operation; and a second selector, coupled to the second matrix operator and the second exclusive-OR module, which according to the select signal chooses between the result of the second matrix operation and the result of the second exclusive-OR operation as the substitution output code.

According to yet another object, the present invention proposes an AES encryption/decryption apparatus, which selectively performs AES encryption or decryption on an input data code and outputs an output data code. The encryption/decryption apparatus comprises: a round operation device, coupled to a key storage device, which selectively performs the round operation required while either encryption or decryption is in progress, producing a round output code from an input code and a SubKey supplied to the round operation device; a key-expansion operation device, coupled to the round operation device, which selectively produces the SubKey required by the round operation during either encryption or decryption, this SubKey being a SubKey to be derived from a known SubKey input to the key-expansion device; and a key storage device, coupled to the round operation device and the key-expansion device, for temporary storage and distribution of SubKeys, so that the key-expansion device and the round operation device can carry out the rounds. The round operation device includes a SubBytes/InvSubBytes device whose structure is as described above.

Furthermore, the key storage device receives the round output code and the SubKey output by the key-expansion device; the known SubKey of the key-expansion device and the input code of the round operation device are both output by the key storage device. The key storage device temporarily stores the input data code, distributes and buffers the SubKeys, receives the outputs of the round operation device and the key-expansion device to carry out the rounds, and outputs the output data code.

To make the above objects, features and advantages of the present invention clearer, a preferred embodiment is described in detail below with reference to the accompanying drawings.

[Embodiments]
Embodiment 1
Embodiment 1 mainly integrates the SubBytes and InvSubBytes operations and implements them with suitable hardware. Before the explanation, we first review equation (1):

y = M * multiplicative_inverse(x) + c   (1)

Using two different tables for encryption and decryption would occupy a large amount of hardware space, so we continue the derivation. From equation (1) we obtain:
x = multiplicative_inverse^-1(M^-1 * (y + c))   (2)

Because multiplicative_inverse() and multiplicative_inverse^-1() are the same function (the multiplicative inverse of the multiplicative inverse of x is x itself), equation (2) can be rewritten as:

x = multiplicative_inverse(M^-1 * (y + c))   (3)

After working out the inverse matrix we obtain:

M' = M^-1 =
  0 1 0 1 0 0 1 0
  0 0 1 0 1 0 0 1
  1 0 0 1 0 1 0 0
  0 1 0 0 1 0 1 0
  0 0 1 0 0 1 0 1
  1 0 0 1 0 0 1 0
  0 1 0 0 1 0 0 1
  1 0 1 0 0 1 0 0   (4)

so equation (3) can be written as:

x = multiplicative_inverse(M' * (y + c))   (5)

From equations (1) and (5) we find that the two equations can share the same lookup table (namely multiplicative_inverse()), so the S-box and the inverse S-box can be integrated to reduce the hardware requirement.

Refer to Fig. 5A, which is a block diagram of an integrated SubBytes/InvSubBytes operation apparatus supporting the Advanced Encryption Standard (AES) that uses a single lookup table. As shown, the integrated SubBytes/InvSubBytes apparatus 500A comprises a matrix operator 510, a multiplexer 520, a multiplicative-inverse operation device 530, a matrix operator 540 and a multiplexer 550. The multiplicative-inverse device 530 performs data = multiplicative_inverse(addr), generally implemented by table lookup: the input is used as the address and the table entry is output. Matrix operator 510 performs the operation (in + c) * M', and matrix operator 540 performs data * M + c; the forms of M and M^-1 are as given above.

When SubBytes must be performed, the select signal ec is set to one fixed value, for example 1, to indicate that encryption is required. The input data in is fed through multiplexer 520 into the multiplicative-inverse device 530, which after the table lookup outputs the lookup data data (that is, multiplicative_inverse(in)). Matrix operator 540 then computes out = data * M + c on the lookup data, and the result is selected and output by multiplexer 550; the SubBytes operation is thus complete.
On the other hand, when an InvSubBytes operation is required, the selection signal ec is set to another fixed value, for example 0, to indicate that decryption is to be performed. The input data in is fed into the matrix operator 510 to compute (in + c) * M', the result is fed through the multiplexer 520 into the multiplicative inverse operation device 530 for table lookup, and the table data produced is finally output through the multiplexer 550; the InvSubBytes operation is thereby complete.

Clearly, the integrated SubBytes/InvSubBytes operation device 500A provides the functions of both the S-box and the inverse S-box while needing only one table; in implementation,
the hardware required for the two functions SubBytes and InvSubBytes drops to 57% of the original, a very significant improvement.

Next, the path through the multiplexer 550 at the right end of FIG. 5A can be improved further. As a first step, an operation module

x = multiplicative_inverse(M'' * (y + c''))    (5.1)

can be inserted into the direct connection from the output of the preceding stage to the lower input of the multiplexer 550, where y is the input, x is the output, and M'' is

  1 0 0 0 0 0 0 0
  0 1 0 0 0 0 0 0
  0 0 1 0 0 0 0 0
  0 0 0 1 0 0 0 0
  0 0 0 0 1 0 0 0
  0 0 0 0 0 1 0 0
  0 0 0 0 0 0 1 0
  0 0 0 0 0 0 0 1

which does not affect the result computed in FIG. 5A. We then define a new operation module:

x = multiplicative_inverse(M(e) * (y + c(e)))    (5.2)

where

M(e) =
  1 e e e e 0 0 0
  0 1 e e e e 0 0
  0 0 1 e e e e 0
  0 0 0 1 e e e e
  e 0 0 0 1 e e e
  e e 0 0 0 1 e e
  e e e 0 0 0 1 e
  e e e e 0 0 0 1

c(e) = (0, e, e, 0, 0, 0, e, e)^T

Replacing the multiplexer 550 and the matrix operator 540 at the right end of FIG. 5A with this operation module yields a new Modified Inverse-optional S-box module.

The above improvement to the circuit structure of FIG. 5A is made from the viewpoint of reducing the number of components; it does not noticeably shorten the critical path or reduce the complexity of the module components.

Next, following the technical idea of the present invention, the design of the integrated SubBytes/InvSubBytes operation device 500A is improved further so as to shorten the critical path and reduce the complexity of the module components, raising the overall encryption/decryption speed.

First, the order of the +c and *M^-1 operations on the left side of FIG. 5A is swapped, that is,

(in + c) * M^-1 = in * M^-1 + c * M^-1 = in * M^-1 + c', where c' = c * M^-1;

next, since in the AES standard the + sign denotes a bitwise XOR operation,

in = in + c' + c'.

With these two changes, FIG. 5A can be transformed into the architecture of the integrated SubBytes/InvSubBytes operation device 500B of FIG. 5B, with the overall operation and result unchanged.

Then, the identical +c' operations in front of the left multiplexer of FIG. 5B are moved to behind the multiplexer, and on the path at the lower right of FIG. 5B, since

data = data * M * M^-1,

the operations *M and *M^-1 can be inserted into that path without affecting the computed result, giving the integrated SubBytes/InvSubBytes operation device 500C shown in FIG. 5C.

Likewise, the two operations behind the right multiplexer of FIG. 5C are moved to between the multiplexer and the multiplicative inverse operation device 530, giving the circuit of the integrated SubBytes/InvSubBytes operation device 500D of FIG. 5D.

Finally, the input/output mapping of the three operations shown inside the dashed box in the middle of FIG. 5D is precomputed and stored in a new lookup table; the final architecture is shown in FIG. 5E.

FIG. 5E is an integrated SubBytes/InvSubBytes operation device 500E supporting the Advanced Encryption Standard, which selectively performs a SubBytes or an InvSubBytes operation on an input data code in and outputs a desired output data code out. The integrated SubBytes/InvSubBytes operation device 500E includes: a first matrix operator 561, a first exclusive-OR operation module 565, a first multiplexer 520, a table-lookup operation device 590, a second matrix operator 571, a second exclusive-OR operation module 575, and a second multiplexer 550.

The first matrix operator 561 performs a first matrix operation on the input data code in, in this example the *M^-1 operation, and outputs the result of the first matrix operation. The first exclusive-OR operation module 565 performs a first exclusive-OR operation on the input data code in, in this example the +c' operation, and outputs the result of the first exclusive-OR operation. The first multiplexer 520 is coupled to the first matrix operator 561 and the first exclusive-OR operation module 565 and, according to the selection signal ec, selects one of the result of the first matrix operation and the result of the first exclusive-OR operation as the output data code of the first multiplexer. The table-lookup operation device 590 is coupled to the first multiplexer 520 and performs a table-lookup operation on the output data code of the first multiplexer, outputting a table data code data. The second matrix operator 571 performs a second matrix operation on the table data code data, in this example the *M^-1 operation, and outputs the result of the second matrix operation. The second exclusive-OR operation module 575 performs a second exclusive-OR operation on the table data code data, in this example the +c operation, and outputs the result of the second exclusive-OR operation. The second multiplexer 550 is coupled to the second matrix operator 571 and the second exclusive-OR operation module 575 and, according to the selection signal ec, selects one of the result of the second matrix operation and the result of the second exclusive-OR operation as the output data code of the second multiplexer; the output data code of the second multiplexer is the desired output data code out.

When the selection signal ec indicates that encryption is required, the integrated SubBytes/InvSubBytes operation device 500E performs the SubBytes operation: the first multiplexer 520 selects the result of the first exclusive-OR operation and the second multiplexer 550 selects the result of the second exclusive-OR operation. When the selection signal ec indicates that decryption is required, the integrated SubBytes/InvSubBytes operation device 500E performs the InvSubBytes operation: the first multiplexer 520 selects the result of the first matrix operation and the second multiplexer 550 selects the result of the second matrix operation.

In this first embodiment the first matrix operation and the second matrix operation are substantially the same, namely the *M^-1 operation. Furthermore, the first exclusive-OR operation contains an operand, the c' operand, whose value is derived from the first matrix operation (the *M^-1 operation) and the second exclusive-OR operation (the +c operation). The table-lookup operation device 590 contains a lookup table derived from a multiplicative inverse operation, the first exclusive-OR operation and the first matrix operation; in this example the table is derived from the +c', multiplicative_inverse() and *M operations.

Finally, comparing the architecture of FIG. 5E with the original FIG. 5A, there are two main improvements:

(1) the overall critical paths are shorter, so the operating speed of the circuit can be raised;

(2) the *M^-1 operation is less complex than the *M operation, because the number of 1 elements in the matrix M^-1 is only 3/5 of the number of 1 elements in the matrix M, so the complexity is also reduced.

Combining these two advantages, we obtain an integrated SubBytes/InvSubBytes operation device 500E that is faster and of lower complexity than the architecture of FIG. 5A.
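As an added example (not the patent's own code), the following C model implements the shared-table S-box/inverse S-box of FIG. 5A and the rearranged device 500E of FIG. 5E bit by bit, using the matrices M and M^-1 of equation (4) and c = 0x63, and checks both devices exhaustively against the standard AES S-box definition; the row-mask encoding of the matrices, the helper names and the check functions are this example's assumptions.

```c
/* Added example (not from the patent): bit-level model of the shared-table
 * S-box / inverse S-box of FIG. 5A and the rearranged device 500E of FIG. 5E,
 * checked against the standard AES S-box definition. */
#include <stdint.h>
#include <stdio.h>

#define AES_C 0x63   /* affine constant c of the AES S-box */

/* Multiply two bytes in GF(2^8) with the AES polynomial x^8+x^4+x^3+x+1. */
static uint8_t gf_mul(uint8_t a, uint8_t b) {
    uint8_t p = 0;
    while (b) {
        if (b & 1) p ^= a;
        a = (uint8_t)((a << 1) ^ ((a & 0x80) ? 0x1b : 0));
        b >>= 1;
    }
    return p;
}

/* multiplicative_inverse(): 0 maps to 0 as in AES; found by search. */
static uint8_t multiplicative_inverse(uint8_t a) {
    if (a == 0) return 0;
    for (int x = 1; x < 256; x++)
        if (gf_mul(a, (uint8_t)x) == 1) return (uint8_t)x;
    return 0;
}

/* GF(2) 8x8 matrices as row masks: rows[i] lists the input bits (bit 0 = LSB)
 * XORed into output bit i. These are the patent's M and M^-1 of equation (4),
 * written bottom row (b0) first instead of top row (b7) first. */
static const uint8_t M_ROWS[8]    = {0xF1, 0xE3, 0xC7, 0x8F, 0x1F, 0x3E, 0x7C, 0xF8};
static const uint8_t MINV_ROWS[8] = {0xA4, 0x49, 0x92, 0x25, 0x4A, 0x94, 0x29, 0x52};

static uint8_t gf2_matvec(const uint8_t rows[8], uint8_t v) {
    uint8_t out = 0;
    for (int i = 0; i < 8; i++) {
        uint8_t t = rows[i] & v;            /* parity of the selected bits */
        t ^= t >> 4; t ^= t >> 2; t ^= t >> 1;
        out |= (uint8_t)((t & 1) << i);
    }
    return out;
}

/* Reference definitions: S(x) = inv(x)*M + c and S^-1(y) = inv(M^-1*(y+c)). */
uint8_t sbox_ref(uint8_t x)     { return gf2_matvec(M_ROWS, multiplicative_inverse(x)) ^ AES_C; }
uint8_t inv_sbox_ref(uint8_t y) { return multiplicative_inverse(gf2_matvec(MINV_ROWS, y ^ AES_C)); }

/* Device 500A: one inverse table; matrix operator 510 before it (decrypt) and
 * matrix operator 540 after it (encrypt), both selected by ec. */
uint8_t device_500a(uint8_t in, int ec) {
    uint8_t addr = ec ? in : gf2_matvec(MINV_ROWS, in ^ AES_C);   /* (in+c)*M'  */
    uint8_t data = multiplicative_inverse(addr);                  /* device 530 */
    return ec ? (gf2_matvec(M_ROWS, data) ^ AES_C) : data;        /* data*M+c   */
}

/* c' = c * M^-1, the constant moved in front of the shared table in FIG. 5E. */
uint8_t c_prime(void) { return gf2_matvec(MINV_ROWS, AES_C); }

/* Precomputed table of device 590: the dashed box of FIG. 5D, i.e. +c',
 * multiplicative_inverse() and then *M folded into one lookup. */
static uint8_t table_590[256];
static int table_ready = 0;
static void build_table_590(void) {
    uint8_t cp = c_prime();
    for (int x = 0; x < 256; x++)
        table_590[x] = gf2_matvec(M_ROWS, multiplicative_inverse((uint8_t)x ^ cp));
    table_ready = 1;
}

/* Device 500E: both muxes take the XOR branch for ec=1 and the *M^-1 branch for ec=0. */
uint8_t device_500e(uint8_t in, int ec) {
    if (!table_ready) build_table_590();
    uint8_t sel1 = ec ? (in ^ c_prime()) : gf2_matvec(MINV_ROWS, in);   /* mux 520    */
    uint8_t data = table_590[sel1];                                      /* device 590 */
    return ec ? (data ^ AES_C) : gf2_matvec(MINV_ROWS, data);            /* mux 550    */
}

/* Exhaustive equivalence check of both devices against the references. */
int devices_match_reference(void) {
    for (int x = 0; x < 256; x++) {
        uint8_t b = (uint8_t)x;
        if (device_500a(b, 1) != sbox_ref(b) || device_500a(b, 0) != inv_sbox_ref(b)) return 0;
        if (device_500e(b, 1) != sbox_ref(b) || device_500e(b, 0) != inv_sbox_ref(b)) return 0;
        if (inv_sbox_ref(sbox_ref(b)) != b) return 0;
    }
    return 1;
}

int main(void) {
    printf("S(0x53)=0x%02X  S^-1(0xED)=0x%02X  c'=0x%02X  match=%d\n",
           device_500e(0x53, 1), device_500e(0xED, 0), c_prime(), devices_match_reference());
    return 0;
}
```

The check confirms that c' evaluates to 0x05, the constant of the standard AES inverse affine transform, and that device 500E returns the standard S-box for ec=1 and the standard inverse S-box for ec=0 on all 256 inputs.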
Embodiment Two

Embodiment two provides an integrated encryption/decryption algorithm and its hardware implementation using round (loop) operations. The encryption/decryption flow is:

    if (ec == 0)
        for (i = 0; i < Nr; i++)
            Inv_Opt_keyexpansion(key, 1);    // inverse key
    for (i = 0; i <= Nr; i++) {
        addroundkey;
        if (i == Nr) break;
        Inv_Opt_keyexpansion(key, ec);
        if (ec == 1) {
            Inv_Opt_subbytes(ec);
            Inv_Opt_shiftrows(ec);
            if (i < (Nr - 1)) Inv_Opt_mixcolumns(ec);
        } else {
            if (i > 0) Inv_Opt_mixcolumns(ec);
            Inv_Opt_subbytes(ec);
            Inv_Opt_shiftrows(ec);
        }
    }

where Nr is the number of rounds: for 128-bit AES encryption/decryption Nr is 10; for 192-bit and 256-bit AES encryption/decryption Nr is 12 and 14 respectively.

Next, please refer to FIG. 9, which shows a round operation device supporting the Advanced Encryption Standard according to embodiment two of the present invention, for carrying out the AES encryption/decryption flow above. The round operation device 900 includes an exclusive-OR gate 90, a SubBytes/InvSubBytes operation device 95, a ShiftRows/InvShiftRows operation device 97, a MixColumns/InvMixColumns operation device 99 and several multiplexers 910, 920, 930, 940 and 950, where the SubBytes/InvSubBytes operation device 95 is implemented as shown in FIG. 5E.

When encryption is required, the selection signal ec is set to 1 to change the operating configuration of the round operation device 900 for encryption. First, the input data code in (at this point the plaintext) and a SubKey are fed into the exclusive-OR gate 90, which performs the AddRoundKey operation and outputs the result. The AddRoundKey result then passes through the multiplexer 910 into the SubBytes/InvSubBytes operation device 95 for the SubBytes operation. The SubBytes result is fed into the ShiftRows/InvShiftRows operation device 97 for the ShiftRows operation. The ShiftRows result then passes through the multiplexer 920 into the MixColumns/InvMixColumns operation device 99 for the MixColumns operation. The data before and after the MixColumns operation are fed to input (0) and input (1) of the multiplexer 930 respectively, and the multiplexer 930 selects one of its two inputs according to the "encryption/decryption-done determination signal". This signal corresponds to the condition in the encryption/decryption algorithm above; for 128-bit AES encryption/decryption Nr is 10, and the signal can be generated from the following expression or by an equivalent circuit:

    ~((ec & (i == 4'd9)) | (~ec & (i == 4'd0)))

Thus when the encryption/decryption-done determination signal is 1 the multiplexer 930 outputs the output of the MixColumns/InvMixColumns operation device 99, and when the signal is 0 the multiplexer 930 outputs the output of the multiplexer 920. For convenience of description, the output of the multiplexer 930 is referred to as the data to be decrypted 93. As shown, the data to be decrypted 93 is fed simultaneously into input (0) of the multiplexer 910 and input (1) of the multiplexer 940, and the multiplexer 940 can pass it to input (0) of the multiplexer 950. Input (1) of the multiplexer 950 receives the output of the exclusive-OR gate 90, and the multiplexer 950 selects one of its two inputs according to the "round-done determination signal". The round-done determination signal is generated by determining whether the number of rounds has reached Nr; in this example it can be written as (i == 4'd10). Thus when the round-done determination signal is 0 the multiplexer 950 outputs the output of the multiplexer 940, and this output of the multiplexer 940 is fed back into the round operation device 900 as the input data code in of the next round. In addition, the Key Expansion operation Inv_Opt_keyexpansion(key, ec) is performed to produce the next SubKey. Following the loop design of the algorithm above, the round operation device 900 repeats the AddRoundKey,
SubBytes, ShiftRows and MixColumns steps in a series of rounds until i == 4'd9, at which point the multiplexer 930 passes the output of the multiplexer 920 directly through the multiplexer 940 and the multiplexer 950 as the next input data code in; then at i == 4'd10 this input data code in undergoes the AddRoundKey operation with the SubKey and is output directly by the multiplexer 950, and the encryption procedure ends; the output is the desired ciphertext.

When decryption is required, the selection signal ec is set to 0 to change the operating configuration of the round operation device 900 for decryption. First, the input data in (at this point the ciphertext) and the SubKey are fed into the exclusive-OR gate 90, which performs the AddRoundKey operation and outputs the result. The AddRoundKey result then passes through the multiplexer 920 into the MixColumns/InvMixColumns operation device 99 for the InvMixColumns operation. The data before and after the InvMixColumns operation are fed to input (0) and input (1) of the multiplexer 930 respectively, and the multiplexer 930 selects one of its two inputs according to the encryption/decryption-done determination signal, whose form is as described above. When the encryption/decryption-done determination signal is 1 the multiplexer 930 outputs the output of the MixColumns/InvMixColumns operation device 99; when the signal is 0 the multiplexer 930 outputs the output of the multiplexer 920. The output of the multiplexer 920 is the data to be decrypted 93, which is fed through the multiplexer 910 into the SubBytes/InvSubBytes operation device 95 for the InvSubBytes operation; the InvSubBytes result is fed into the ShiftRows/InvShiftRows operation device 97 for the InvShiftRows operation, and the result is output through the multiplexer 940. The multiplexer 950, for its part, selects one of its two inputs according to the round-done determination signal; when that signal is 0 the multiplexer 950 outputs the output of the multiplexer 940, and this output of the multiplexer 940 is fed back into the round operation device 900 as the input data code in of the next round. In addition, the Key Expansion operation Inv_Opt_keyexpansion(key, ec) is performed to produce the next SubKey. Following the loop design of the algorithm above, the round operation device 900 repeats the AddRoundKey, InvMixColumns, InvSubBytes and InvShiftRows steps in a series of rounds until i == 4'd9, at which point the multiplexer 930 feeds the output of the multiplexer 920 through the multiplexer 910 into the SubBytes/InvSubBytes operation device 95, whose result is then fed into the ShiftRows/InvShiftRows operation device 97, operated on, and output through the multiplexer 940 and the multiplexer 950 as the next input data code in; then at i == 4'd10 this input data in undergoes the AddRoundKey operation with the SubKey and is output directly by the multiplexer 950, and the decryption procedure ends; the output is the desired plaintext.

Embodiment Three

Based on the round operation device above, an architecture for an AES encryption/decryption device according to the present invention is proposed, which selectively performs AES encryption or decryption. Referring to FIG. 10, the AES encryption/decryption device 1000 includes a subkey update operation device 800, a round operation device 900 and a key storage device 1100. The key storage device 1100 contains three memory devices 1110, 1120 and 1130, for example registers, which store the Data, the Key and the backup Key respectively; the overall architecture is as shown in FIG. 10. Here din denotes the input data code and dout denotes the output data code.

The key storage device 1100 is coupled to the round operation device 900 and the subkey update operation device 800 for the temporary storage and distribution of subkeys, so that the subkey update operation device 800 and the round operation device 900 can perform the round operations. The key storage device 1100 supplies the input data code in to the round operation device 900 and receives and stores the output data code out of the round operation device 900 in the memory device 1110; it also supplies the input data code to the subkey update operation device 800 and receives and stores the output data code of the subkey update operation device 800 in the memory device 1120, where the output data code out of the subkey update operation device 800, i.e. the subkey, is fed to the key input of the round operation device 900 to serve as the subkey of the round operation device 900.

When encryption is required, the selection signal ec is set to 1 to change the operating configuration of the AES encryption/decryption device 1000 for encryption. In addition, as can be seen from embodiments one and two above, the round operation device 900 and its SubBytes/InvSubBytes operation device 95 change their operating configuration accordingly to perform encryption. At this time din denotes the plaintext and dout the ciphertext produced by the AES encryption/decryption device 1000.
When decryption is required, the selection signal ec is set to 0 to change the operating configuration of the AES encryption/decryption device 1000 for decryption. At this time din denotes the ciphertext and dout the plaintext decrypted by the AES encryption/decryption device 1000.

Because the order of the subkeys used for encryption is exactly the reverse of that used for decryption, the subkeys must be backed up before encryption/decryption starts so that either can proceed smoothly. The subkey backup rule is shown in Table (1): when the action about to be performed (encryption or decryption) is the same as the previous action, Reg:Key <= Reg:KeyU is performed; when it differs, Reg:KeyU <= Reg:Key is performed. The change of the subkey in the key registers in each round is shown in Table (2), taking AES-128 as an example. In this way, after each encryption or decryption completes, sub_key_0 and sub_key_10 are held in the two key registers, and the required subkey can be selected conveniently the next time encryption or decryption is performed.

Table (1): subkey backup rule

  Start                        Key transfer process
  current_ec == previous_ec    Reg:Key  <= Reg:KeyU
  current_ec != previous_ec    Reg:KeyU <= Reg:Key

Table (2): subkey held in the key registers in each round (AES-128)

  Round               Encryption               Decryption
                      Reg:Key     Reg:KeyU     Reg:Key     Reg:KeyU
  Start (key backup)  sub_key_0   sub_key_0    sub_key_10  sub_key_10
  1                   sub_key_1   sub_key_0    sub_key_9   sub_key_10
  2                   sub_key_2   sub_key_0    sub_key_8   sub_key_10
  3                   sub_key_3   sub_key_0    sub_key_7   sub_key_10
  4                   sub_key_4   sub_key_0    sub_key_6   sub_key_10
  5                   sub_key_5   sub_key_0    sub_key_5   sub_key_10
  6                   sub_key_6   sub_key_0    sub_key_4   sub_key_10
  7                   sub_key_7   sub_key_0    sub_key_3   sub_key_10
  8                   sub_key_8   sub_key_0    sub_key_2   sub_key_10
  9                   sub_key_9   sub_key_0    sub_key_1   sub_key_10
  10 (end)            sub_key_10  sub_key_0    sub_key_0   sub_key_10

Next, feasible implementations are proposed for the MixColumns/InvMixColumns operation device 99 of FIG. 9 and the subkey update operation device 800 of FIG. 10.

In this example, the MixColumns operation and the InvMixColumns operation are integrated and realized with suitable hardware as a MixColumns/InvMixColumns operation device. In the MixColumns and InvMixColumns operations, the main computation of the two functions is:

    outx = [2 3 1 1] * [a b c d]^T       (6)
    outy = [14 11 13 9] * [a b c d]^T    (7)

Mathematically these are decomposed as follows:

    outx = 2(a + b) + b + (c + d)                                       (8)
    outy = 4(2(a + b) + 2(c + d) + (a + c)) + 2(a + b) + b + (c + d)    (9)

The computation of equations (8) and (9) is shown in Table (3): outx is obtained from the first five steps, and outy from five further steps, so the hardware for the first five steps can be shared. The resulting hardware is shown in FIG. 6; merging the repeated parts of the two functions avoids unnecessary hardware.

Table (3)

  Step  Operation
  1     w1 = a + b
  2     w2 = a + c
  3     w3 = c + d
  4     w4 = 2 * w1
  5     outx = b + w3 + w4
  6     w5 = 2 * w3
  7     w6 = w2 + w4 + w5
  8     w7 = 2 * w6
  9     w8 = 2 * w7
  10    outy = w8 + outx
Please refer to FIG. 6, which is a block diagram of an integrated MixColumns/InvMixColumns operation device supporting the Advanced Encryption Standard according to the present invention. As shown, the integrated MixColumns/InvMixColumns operation device 600 includes a number of exclusive-OR gates and doublers; an exclusive-OR gate XORs its two inputs and outputs the result, and a doubler multiplies its input by 2 and outputs the result. For simplicity, only the operation of the integrated MixColumns/InvMixColumns operation device 600 is described below.
MixColumns and InvMixColumns are matrix multiplications applied to every column of the input data. When the input data is a 4x4 matrix, each column holds four elements; for ease of explanation they are labelled data (a), data (b), data (c) and data (d), corresponding to a, b, c and d in the figure. Refer also to Table (3). The MixColumns operation proceeds as follows:

Step 1: XOR gate 61 XORs data (a) with data (b) and outputs data W1.
Step 2: XOR gate 62 XORs data (a) with data (c) and outputs data W2.
Step 3: XOR gate 63 XORs data (c) with data (d) and outputs data W3.
Step 4: doubler 621 multiplies W1, the output of XOR gate 61, by 2 and outputs data W4.
Step 5: XOR gate 64 XORs data (b) with data W3, and XOR gate 65 XORs the output of gate 64 with data W4, the output of doubler 621. The output of XOR gate 65 is the result of the MixColumns operation of the integrated MixColumns/InvMixColumns device 600 on the column, namely 2a ⊕ 3b ⊕ c ⊕ d.

The data processing steps for the InvMixColumns operation are as follows. The first five steps are the same as for MixColumns.
Step 6: doubler 622 multiplies W3, the output of XOR gate 63, by 2 and outputs data W5.
Step 7: XOR gate 66 XORs data W2 with data W5, and XOR gate 67 XORs the output of gate 66 with data W4, the output of doubler 621, and outputs data W6 (= 3a ⊕ 2b ⊕ 3c ⊕ 2d).
Step 8: doubler 623 multiplies W6, the output of XOR gate 67, by 2 and outputs data W7.
Step 9: doubler 624 multiplies W7, the output of doubler 623, by 2 and outputs data W8 (= 4·W6 = 12a ⊕ 8b ⊕ 12c ⊕ 8d).
Step 10: XOR gate 68 XORs the output of XOR gate 65 with data W8 and outputs the result. The output of XOR gate 68 is the result of the InvMixColumns operation of the integrated MixColumns/InvMixColumns device 600 on the column, namely 14a ⊕ 11b ⊕ 13c ⊕ 9d.

Note that the first five steps are shared by MixColumns and InvMixColumns, so unnecessary duplication of hardware is largely avoided. Each pass through the circuit produces the element in the first row of the transformed column; the remaining three elements are obtained from the same circuit with (a, b, c, d) cyclically rotated, since every row of the MixColumns and InvMixColumns matrices is a rotation of the row above it.
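The following is an added example and not code from the patent: a software model of the shared MixColumns/InvMixColumns datapath of device 600 with the intermediate signals W1 to W8 named as in the steps above. The doublers are modelled as the GF(2^8) xtime operation. A direct matrix implementation (`reference_mix_column`, an assumption of this example rather than anything in the patent) is included only to cross-check the shared-path circuit, and the sample column is taken from the FIPS-197 Appendix B round-1 state.

```python
# Added example, not taken from the patent: a software model of the integrated
# MixColumns/InvMixColumns datapath of device 600, with the intermediate
# signals W1..W8 named as in the step-by-step description. The doublers are the
# GF(2^8) xtime operation (modulo x^8 + x^4 + x^3 + x + 1); a direct matrix
# implementation is included only to cross-check the shared-path circuit.


def xtime(v: int) -> int:
    """Doublers 621-624: multiply a byte by 2 in GF(2^8)."""
    v <<= 1
    return (v ^ 0x1B) & 0xFF if v & 0x100 else v


def mix_element(a: int, b: int, c: int, d: int, inverse: bool = False) -> int:
    """One pass of device 600 over column (a, b, c, d).

    Returns the first element of the transformed column:
      MixColumns    (XOR gate 65):  2a ^  3b ^   c ^  d
      InvMixColumns (XOR gate 68): 14a ^ 11b ^ 13c ^ 9d
    """
    w1 = a ^ b               # step 1, XOR gate 61
    w2 = a ^ c               # step 2, XOR gate 62 (consumed only by InvMixColumns)
    w3 = c ^ d               # step 3, XOR gate 63
    w4 = xtime(w1)           # step 4, doubler 621: 2a ^ 2b
    mixed = (b ^ w3) ^ w4    # step 5, XOR gates 64 and 65: 2a ^ 3b ^ c ^ d
    if not inverse:
        return mixed
    w5 = xtime(w3)           # step 6, doubler 622: 2c ^ 2d
    w6 = (w2 ^ w5) ^ w4      # step 7, XOR gates 66 and 67: 3a ^ 2b ^ 3c ^ 2d
    w7 = xtime(w6)           # step 8, doubler 623
    w8 = xtime(w7)           # step 9, doubler 624: 4*W6 = 12a ^ 8b ^ 12c ^ 8d
    return mixed ^ w8        # step 10, XOR gate 68: 14a ^ 11b ^ 13c ^ 9d


def mix_column(col, inverse: bool = False):
    """Full 4-byte column. The circuit yields one element; the other three come
    from the same circuit with the inputs cyclically rotated, because every row
    of the (Inv)MixColumns matrix is a rotation of the row above it."""
    a, b, c, d = col
    return [mix_element(a, b, c, d, inverse),
            mix_element(b, c, d, a, inverse),
            mix_element(c, d, a, b, inverse),
            mix_element(d, a, b, c, inverse)]


# --- reference implementation, used only to cross-check the circuit ---------

def gf_mul(x: int, y: int) -> int:
    """Shift-and-add multiplication in GF(2^8)."""
    r = 0
    while y:
        if y & 1:
            r ^= x
        x, y = xtime(x), y >> 1
    return r


MIX = [[2, 3, 1, 1], [1, 2, 3, 1], [1, 1, 2, 3], [3, 1, 1, 2]]
INV_MIX = [[14, 11, 13, 9], [9, 14, 11, 13], [13, 9, 14, 11], [11, 13, 9, 14]]


def reference_mix_column(col, inverse: bool = False):
    """Plain matrix product over GF(2^8) from FIPS-197 sections 5.1.3 / 5.3.3."""
    rows = INV_MIX if inverse else MIX
    out = []
    for row in rows:
        acc = 0
        for coef, x in zip(row, col):
            acc ^= gf_mul(coef, x)
        out.append(acc)
    return out


def self_check() -> bool:
    """Device path == matrix product, and the two directions invert each other,
    over a deterministic sweep of 256 constructed columns."""
    for i in range(256):
        col = [i, (i * 7 + 3) & 0xFF, (i * 13 + 5) & 0xFF, (i * 31 + 11) & 0xFF]
        if mix_column(col) != reference_mix_column(col):
            return False
        if mix_column(col, True) != reference_mix_column(col, True):
            return False
        if mix_column(mix_column(col), True) != col:
            return False
    return True


if __name__ == "__main__":
    # First column of the FIPS-197 Appendix B round-1 state after ShiftRows
    col = [0xD4, 0xBF, 0x5D, 0x30]
    print([hex(v) for v in mix_column(col)])                  # 04 66 81 e5
    print([hex(v) for v in mix_column(mix_column(col), True)])  # d4 bf 5d 30
    print("self-check:", self_check())
```

The inverse path costs only three extra doublers and three extra XOR gates on top of the forward path, which is the saving the shared first five steps buy; the cross-check function is the kind of exhaustive equivalence test worth keeping next to any hand-optimised datapath.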
This example provides a subkey update operation device that, from the SubKey supplied at its input, outputs either the previous SubKey or the next SubKey. The SubKey currently supplied is called the known subkey, and the SubKey to be produced is called the target subkey. The operating principle is explained first. Refer to Fig. 7A, a schematic of the data processing that outputs the next SubKey from the input SubKey. The current SubKey is denoted SubKey(i) and the next SubKey is denoted SubKey(i+1). A SubKey is a 4x4 matrix and therefore has four columns: k[3:0] is column (1), k[7:4] is column (2), k[11:8] is column (3) and k[15:12] is column (4). Each column contains four elements; with 8-bit elements the SubKey is 128 bits long.

First, column (4) of SubKey(i) is converted by the column converter 750 into the special column data 752 and output. The converter 750 first rotates the input data by one byte (rotate byte right), then XORs the first byte of the result with the round constant Rcon[i], and outputs the resulting 4 bytes. For the round constant Rcon[i], i is the round number and each round has a different Rcon value; per the AES standard, Rcon[0] = 1 and Rcon[i] = xtime(Rcon[i-1]). (In the numbering of FIPS-197 this Rcon[i] is Rcon[i+1], the constant used when deriving round key i+1 from round key i; FIPS-197 also passes each byte of the rotated word through the S-box (SubWord) before the Rcon XOR, a step the description of converter 750 does not mention.) Next, the special column data 752 is XORed with column (1) of SubKey(i) by XOR gate 71 to obtain column (1) of SubKey(i+1). Clearly, column (2) of SubKey(i) and column (1) of SubKey(i+1) XORed by XOR gate 72 give column (2) of SubKey(i+1); column (3) of SubKey(i) and column (2) of SubKey(i+1) XORed by XOR gate 73 give column (3) of SubKey(i+1); and column (4) of SubKey(i) and column (3) of SubKey(i+1) XORed by XOR gate 74 give column (4) of SubKey(i+1).

Next refer to Fig. 7B, a schematic of the data processing that outputs the previous SubKey from the input SubKey. First, column (3) and column (4) of SubKey(i+1) are XORed by XOR gate 74 to obtain column (4) of SubKey(i). Column (4) of SubKey(i) is then converted by the column converter 750 into the special column data 752, which is fed to XOR gate 71 and XORed with column (1) of SubKey(i+1) to obtain column (1) of SubKey(i). Clearly, column (1) and column (2) of SubKey(i+1) XORed by XOR gate 72 give column (2) of SubKey(i), and column (2) and column (3) of SubKey(i+1) XORed by XOR gate 73 give column (3) of SubKey(i).

Next refer to Fig. 8, a block diagram of the subkey update operation device according to the present invention. The subkey update device 800 includes the column converter 750, several XOR gates and several multiplexers. The input data In is the current SubKey (the known subkey) and the output data Out is the previous or the next SubKey (the target subkey): when the select signal ec is 1 the target subkey is the next SubKey, and when ec is 0 the target subkey is the previous SubKey. Device 800 comprises XOR gates 71, 72, 73 and 74, multiplexers 710, 720, 730 and 740, and the column converter 750. Each multiplexer has an input (0) and an input (1) and selects one of its two inputs for output according to the value of the select signal ec; the connections between the elements are as drawn in the figure. Column (1) of the known subkey is fed to XOR gate 71 and to input (0) of multiplexer 710; column (2) of the known subkey is fed to XOR gate 72 and to input (0) of multiplexer 720; column (3) of the known subkey is fed to XOR gate 73 and to input (0) of multiplexer 730; and column (4) of the known subkey is fed to XOR gate 74 and to input (1) of multiplexer 740. On the other side, the output of XOR gate 71 is column (1) of the target subkey and is fed to input (1) of multiplexer 710; the output of XOR gate 72 is column (2) of the target subkey and is fed to input (1) of multiplexer 720; the output of XOR gate 73 is column (3) of the target subkey and is fed to input (1) of multiplexer 730; and the output of XOR gate 74 is column (4) of the target subkey and is fed to input (0) of multiplexer 740. The following describes how the subkey update device 800 performs the KeyExpansion and InvKeyExpansion operations.
KeyExpansion operation (output the next SubKey from the input SubKey):
With the select signal ec set to 1, column (4) of the known subkey passes through multiplexer 740 to the column converter 750, which outputs the special column data 752. The special column data 752 is then XORed with column (1) of the known subkey by XOR gate 71 to obtain column (1) of the next SubKey. Clearly, column (1) of the next SubKey passes through multiplexer 710 to XOR gate 72, where it is XORed with column (2) of the known subkey to obtain column (2) of the next SubKey; column (2) of the next SubKey passes through multiplexer 720 to XOR gate 73, where it is XORed with column (3) of the known subkey to obtain column (3) of the next SubKey; and column (3) of the next SubKey passes through multiplexer 730 to XOR gate 74, where it is XORed with column (4) of the known subkey to obtain column (4) of the next SubKey.

InvKeyExpansion operation (output the previous SubKey from the input SubKey):
With the select signal ec set to 0, column (3) of the known subkey first passes through multiplexer 730 to XOR gate 74, where it is XORed with column (4) of the known subkey to obtain column (4) of the previous SubKey. Column (4) of the previous SubKey is then output through multiplexer 740 into the column converter 750, which converts it into the special column data 752; this is fed to XOR gate 71 and XORed with column (1) of the known subkey to obtain column (1) of the previous SubKey. Clearly, column (1) of the known subkey passes through multiplexer 710 to XOR gate 72, where it is XORed with column (2) of the known subkey to obtain column (2) of the previous SubKey, and column (2) of the known subkey passes through multiplexer 720 to XOR gate 73, where it is XORed with column (3) of the known subkey to obtain column (3) of the previous SubKey.
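The following is an added example and not code from the patent: a software model of the bidirectional subkey update device 800 of Fig. 8 covering both the KeyExpansion (ec = 1) and InvKeyExpansion (ec = 0) operations, with the four multiplexers wired exactly as described above and the feedback through them resolved by re-evaluating the gates until they settle. The byte layout is an assumption of this example: column (n) of the description is `known[n-1]`, each column a list of 4 bytes, and the one-byte rotation in converter 750 is taken to be RotWord of FIPS-197 (the first byte moves to the end). The converter also applies the S-box to each byte (SubWord) as FIPS-197 requires, so that the results match the key-expansion vectors of FIPS-197 Appendix A.1, which the main block uses as its input key; that S-box step is not part of the description of converter 750 above.

```python
# Added example, not taken from the patent: a software model of the bidirectional
# subkey update device 800 of Fig. 8. Column (n) of the text is known[n-1]; each
# column is a list of 4 bytes. The column converter follows FIPS-197, so it also
# applies the S-box (SubWord) between the rotation and the Rcon XOR.


def xtime(v: int) -> int:
    """Multiply by 2 in GF(2^8) modulo x^8 + x^4 + x^3 + x + 1."""
    v <<= 1
    return (v ^ 0x1B) & 0xFF if v & 0x100 else v


def _build_sbox():
    """AES S-box from its definition (multiplicative inverse, then the affine
    map) via log/antilog tables over the generator 3, so no hand-typed table."""
    exp, log = [0] * 256, [0] * 256
    v = 1
    for i in range(255):
        exp[i], log[v] = v, i
        v ^= xtime(v)             # v *= 3
    box = []
    for b in range(256):
        inv = exp[(255 - log[b]) % 255] if b else 0
        s = inv
        for k in range(1, 5):     # s = inv ^ rotl(inv,1) ^ ... ^ rotl(inv,4)
            s ^= ((inv << k) | (inv >> (8 - k))) & 0xFF
        box.append(s ^ 0x63)
    return box


SBOX = _build_sbox()


def rcon(i: int) -> int:
    """Rcon[0] = 1, Rcon[i] = xtime(Rcon[i-1]); Rcon[i] links SubKey(i) and SubKey(i+1)."""
    r = 1
    for _ in range(i):
        r = xtime(r)
    return r


def column_converter(word, rc):
    """Column converter 750: rotate the word by one byte (RotWord), substitute
    each byte through the S-box (SubWord, per FIPS-197), XOR Rcon into byte 0."""
    out = [SBOX[x] for x in word[1:] + word[:1]]
    out[0] ^= rc
    return out


def key_update(known, rc, ec):
    """Device 800 as a combinational netlist.

    ec = 1: known is SubKey(i), returns SubKey(i+1) (KeyExpansion).
    ec = 0: known is SubKey(i+1), returns SubKey(i) (InvKeyExpansion).
    rc must be Rcon[i] in both directions. The loops through the multiplexers
    are resolved by re-evaluating the gates until every output is stable.
    """
    c1, c2, c3, c4 = known

    def mux(sel, in0, in1):
        return in1 if sel else in0

    def xor(x, y):
        return [p ^ q for p, q in zip(x, y)]

    out1 = out2 = out3 = out4 = [0, 0, 0, 0]
    for _ in range(8):
        prev = (out1, out2, out3, out4)
        out4 = xor(mux(ec, c3, out3), c4)                        # mux 730 -> gate 74
        out1 = xor(column_converter(mux(ec, out4, c4), rc), c1)  # mux 740 -> 750 -> gate 71
        out2 = xor(mux(ec, c1, out1), c2)                        # mux 710 -> gate 72
        out3 = xor(mux(ec, c2, out2), c3)                        # mux 720 -> gate 73
        if (out1, out2, out3, out4) == prev:
            break
    return [out1, out2, out3, out4]


def expand_key(key16: bytes):
    """AES-128 schedule SubKey(0) .. SubKey(10), built with ec = 1."""
    schedule = [[list(key16[4 * n:4 * n + 4]) for n in range(4)]]
    for i in range(10):
        schedule.append(key_update(schedule[-1], rcon(i), ec=1))
    return schedule


def rewind_key(last_subkey):
    """Walk back from SubKey(10) to the cipher key with ec = 0: a decryptor
    only has to store the final round key, not the whole schedule."""
    subkey = last_subkey
    for i in reversed(range(10)):
        subkey = key_update(subkey, rcon(i), ec=0)
    return subkey


def subkey_hex(subkey) -> str:
    return bytes(b for col in subkey for b in col).hex()


if __name__ == "__main__":
    key = bytes.fromhex("2b7e151628aed2a6abf7158809cf4f3c")  # FIPS-197 Appendix A.1
    sched = expand_key(key)
    print("SubKey(1) :", subkey_hex(sched[1]))     # a0fafe17 88542cb1 23a33939 2a6c7605
    print("SubKey(10):", subkey_hex(sched[10]))    # d014f9a8 c9ee2589 e13f0cc8 b6630ca6
    print("rewound   :", subkey_hex(rewind_key(sched[10])))
```

Two points a hardware implementer should take from the model: the same Rcon[i] is applied in both directions, so the controller that drives ec must also track the round index when decrypting, and the on-the-fly inverse schedule means the last round key is the only key material that has to be held in the key storage for decryption.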
The simplified integrated SubBytes/InvSubBytes operation device supporting the Advanced Encryption Standard disclosed in the above embodiments of the present invention has the following advantages: the SubBytes and InvSubBytes operations share the look-up table data, which saves operation resources, and because the simplified circuit architecture of the present invention is adopted, the overall critical paths become shorter and the circuit complexity is lower, so the operating speed can be increased. Consequently, the round operation device supporting the Advanced Encryption Standard and the AES encryption/decryption device obtain the same advantages; moreover, the round operation device has integrated MixColumns and InvMixColumns hardware, which saves further operation resources.
Therefore, taken as a whole, the AES encryption/decryption device saves operation resources, has lower circuit complexity and can operate faster.

In summary, although the present invention has been disclosed above by way of a preferred embodiment, this is not intended to limit the invention; anyone skilled in the art may make various changes and modifications without departing from the spirit and scope of the invention, so the scope of protection of the invention shall be as defined by the appended claims.

【Brief description of the drawings】
Fig. 1 shows the data processing of AddRoundKey.
Fig. 2 shows the data processing of ShiftRows.
Fig. 3 shows the data processing of MixColumns/InvMixColumns.
Fig. 4 shows the data processing of SubBytes/InvSubBytes.
Fig. 5A is a block diagram of an integrated SubBytes/InvSubBytes operation device supporting the Advanced Encryption Standard.
Figs. 5B to 5D show the simplification of the integrated SubBytes/InvSubBytes operation device of Fig. 5A according to the spirit of the present invention.
Fig. 5E is a block diagram of an integrated SubBytes/InvSubBytes operation device supporting the Advanced Encryption Standard according to the first embodiment of the present invention.
Fig. 6 is a block diagram of an integrated MixColumns/InvMixColumns operation device supporting the Advanced Encryption Standard according to the present invention.
Fig. 7A is a schematic of the data processing that outputs the next SubKey from the input SubKey.
Fig. 7B is a schematic of the data processing that outputs the previous SubKey from the input SubKey.
Fig. 8 is a block diagram of the subkey update operation device according to the present invention.
Fig. 9 is a block diagram of a round operation device supporting the Advanced Encryption Standard according to the second embodiment of the present invention.
Fig. 10 shows an Advanced Encryption Standard encryption/decryption device according to the third embodiment of the present invention.

Description of reference numerals
61, 62, 63, 64, 65, 66, 67, 68: XOR gates
71, 72, 73, 74: XOR gates
90: XOR gate
93: data to be decrypted
95: SubBytes/InvSubBytes operation device
97: ShiftRows/InvShiftRows operation device
99: MixColumns/InvMixColumns operation device
500A, 500B, 500C, 500D: integrated SubBytes/InvSubBytes operation devices
500E: integrated SubBytes/InvSubBytes operation device
510: matrix operator
520: multiplexer
530: multiplicative inverse operation device
540: matrix operator
550: multiplexer
561: first matrix operator
565: first XOR operation module
571: second matrix operator
575: second XOR operation module
590: look-up table operation device
600: integrated MixColumns/InvMixColumns operation device
621, 622, 623, 624: doublers
710, 720, 730, 740: multiplexers
750: column converter
752: special column data
800: subkey update operation device
900: round operation device
910, 920, 930, 940, 950: multiplexers
1000: AES encryption/decryption device
1100: key storage device
1110, 1120, 1130: memory devices
ec: select signal
Claims (1)
Priority Applications (3)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
TW92134464A TWI235582B (en) | 2003-12-05 | 2003-12-05 | Apparatus for supporting advanced encryption standard encryption and decryption |
US10/839,168 US20040202318A1 (en) | 2001-10-04 | 2004-05-06 | Apparatus for supporting advanced encryption standard encryption and decryption |
US11/892,454 US20070291935A1 (en) | 2001-10-04 | 2007-08-23 | Apparatus for supporting advanced encryption standard encryption and decryption |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
TW92134464A TWI235582B (en) | 2003-12-05 | 2003-12-05 | Apparatus for supporting advanced encryption standard encryption and decryption |
Publications (2)
Publication Number | Publication Date |
---|---|
TW200520496A TW200520496A (en) | 2005-06-16 |
TWI235582B true TWI235582B (en) | 2005-07-01 |
Family
ID=36637719
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
TW92134464A TWI235582B (en) | 2001-10-04 | 2003-12-05 | Apparatus for supporting advanced encryption standard encryption and decryption |
Country Status (1)
Country | Link |
---|---|
TW (1) | TWI235582B (en) |
- 2003-12-05: TW TW92134464A patent/TWI235582B/en, not_active (IP Right Cessation)
Also Published As
Publication number | Publication date |
---|---|
TW200520496A (en) | 2005-06-16 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
EP1271839B1 (en) | AES Encryption circuit | |
US7860240B2 (en) | Native composite-field AES encryption/decryption accelerator circuit | |
Banik et al. | Atomic-AES: A compact implementation of the AES encryption/decryption core | |
US8346839B2 (en) | Efficient advanced encryption standard (AES) datapath using hybrid rijndael S-box | |
US8731188B2 (en) | Cryptographic processing apparatus and cryptographic processing method, and computer program | |
Rodriguez-Henriquez et al. | 4.2 Gbits/sec Single-Chip FPGA Implementation of the AES Algorithm. | |
GB2383860A (en) | Apparatus for encryption and decrytion, capable of use in encryption and decryption of Advanced Encryption Standard (RIJNDAEL) | |
CN106921487A (en) | Reconfigurable S-box circuit structure | |
CN105007154B (en) | A kind of encrypting and decrypting device based on aes algorithm | |
JP4025722B2 (en) | Method and apparatus for data encryption | |
CN104852798B (en) | A kind of data encrypting and deciphering system and method | |
US20050169463A1 (en) | Hardware cryptographic engine and hardware cryptographic method using an efficient S-BOX implementation | |
Banik et al. | Atomic-AES v2. 0 | |
Tay et al. | Compact and low power aes block cipher using lightweight key expansion mechanism and optimal number of s-boxes | |
El-meligy et al. | 130nm Low power asynchronous AES core | |
JP3088337B2 (en) | Cryptographic processing device, IC card and cryptographic processing method | |
Nadjia et al. | Aes ip for hybrid cryptosystem rsa-aes | |
US20040202318A1 (en) | Apparatus for supporting advanced encryption standard encryption and decryption | |
JP2010245881A (en) | Cipher processor | |
US7257229B1 (en) | Apparatus and method for key scheduling | |
CN105049203B (en) | A kind of configurable 3DES enciphering and deciphering algorithms circuit for supporting multi-operation mode | |
CN101588234B (en) | Encryption and decryption multiplexing method of row mixing conversion module in AES | |
TWI235582B (en) | Apparatus for supporting advanced encryption standard encryption and decryption | |
US8565421B1 (en) | Block cipher improvements | |
US20240097880A1 (en) | High-speed circuit combining aes and sm4 encryption and decryption |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
MM4A | Annulment or lapse of patent due to non-payment of fees |