TWI804439B - Apparatus and method for detecting errors during data encryption - Google Patents

Abstract

The invention relates to an apparatus and a method for detecting errors during data encryption. The apparatus includes: key generation circuitry; and key error-detection circuitry. The key generation circuitry is arranged operably to realize a expand-key operation in an encryption algorithm, which uses a root key to generate multiple round keys, where the encryption algorithm uses one round key to encode plaintext or encryption intermediate in each corresponding round. The key error-detection circuitry is arranged operably to predict redundant data corresponding to each round key, and issue an error signal when detecting that any round key does not match corresponding redundant data. With the arrangement of key error-detection circuitry, the error detection can be achieved by circuitry smaller than the key generation circuitry.

Description

Error detection device and method for data encryption

The present invention relates to data encryption, in particular to an error detection device and method for data encryption.

Since current storage devices (eg, NAND flash memory) are commonly used to store system codes, application codes, drivers, and user privacy data, etc., data security is an important issue. Advanced Encryption Standard (AES) is a block encryption standard currently adopted by the US federal government, and has been verified by multiple parties and widely adopted. However, malicious attacks may occur during the operation of AES, and the AES encoder may generate incorrect calculation results. Or, there are some defects in the chip manufacturing process, so that the AES encoder will produce unexpected calculation results after running for a period of time. Or, the storage device is in a harsh environment, which causes some components in the AES encoder to fail and produce unexpected calculation results. Wrong encryption process will make the original user data irrecoverable, resulting in huge losses. Therefore, the present invention proposes a data encryption error detection device and method to avoid writing wrong encrypted data to the storage device.

In view of this, how to alleviate or eliminate the deficiencies in the above-mentioned related fields is a problem to be solved.

This specification relates to an error detection device for data encryption, including: a key generating circuit; and a key error checking circuit. a key generation circuit configured to implement extended key operations in an encryption algorithm for generating a plurality of round keys using a base key, wherein the encryption algorithm uses one of the round keys in a corresponding round to Encode plaintext or intermediate encrypted results. The key error checking circuit is set to predict the corresponding Redundant data of the key; and sending an error signal to the processing unit when any round key and corresponding redundant data are found not to match at a specified intermediate point in the process of expanding the key.

This specification also relates to an error detection device for data encryption, which includes: a search circuit; and a replacement verification circuit. The search circuit is configured to convert the input first value corresponding to 1 byte of the round key into a second value according to the look-up table. The replacement verification circuit is configured to use a formula corresponding to the look-up table to determine whether an error occurs during the process of converting the first value into the second value, and when an error is found, an error signal is sent.

One of the advantages of the above-mentioned embodiment is that by setting the above-mentioned key error checking circuit, the error detection can be completed with a circuit with a smaller area than the key generation circuit.

Other advantages of the present invention will be explained in more detail with the following description and drawings.

10: Electronic device

110: Host side

130: Flash memory controller

131: host interface

132: busbar

134: processing unit

136: random access memory

137: Advanced Encryption Standard Encoder

138: Direct memory access controller

139: Flash interface

150: Flash memory module

151: interface

153#0~153#15: NAND flash memory unit

CH#0~CH#3: channel

CE#0~CE#3: enable signal

R#0: Initial round

R#1~R#9: Middle round

R#10: Final Round

S310#1~S310#10: Substitute byte step

S320#1~S320#10: shift sequence steps

S330#1~S330#9: mixed line steps

S340#1~S340#10: Steps of adding round key

S350: Extended key steps

w[0,3]: basic key

w[4,7],w[36,39],w[40,43]: the expanded key

400:AES Encoder

410,430: AES encoding circuit

450: Comparator

500: AES encoder

510: AES encoding circuit

530: Error detection circuit

550: redundant data generation circuit

570: redundant key generation circuit

S ₀ ~S ₁₅ : Body

P ₀ ~P ₁₅ : Internal parity bits

Q ₀ ~Q ₃ : 9 bits of cross-body parity check

k ₀ ~k ₃₁ : small key

R ₀ ~R ₃₁ : parity bits in the small key

V ₀ ~V ₇ : 9-bit cross-key parity check

810: AES data processing circuit

813: encoding circuit

815: Coding error checking circuit

830: AES key scheduling circuit

833: key generation circuit

835: key error check circuit

850: OR gate

870:Controller

912: data register

914: parity check code register

920: Enhanced Alternative Byte Circuits

930: shift column circuit

940: mixed row circuit

950: add round key circuit

960: parity check circuit

970: Parity prediction circuit

980: multiplexer

1010: Internal parity bit prediction circuit

1030: Cross-body parity 9-bit prediction circuit

1110: Internal parity bit generating circuit

1120: displacement column prediction circuit

1130: Hybrid row prediction circuit

1140: multiplexer

1150: Add round key prediction circuit

1160: shift column circuit

1210: multiplexer

1230: internal mutex or gate

1310: cross-body parity byte generation circuit

1330: Inter-small key parity byte segmentation circuit

1350: Span parity byte prediction circuit

1370: Cross-body parity 1-bit prediction circuit

1390: 9-bit merging circuit for cross-body parity

1410: Cross-body parity byte segmentation circuit

1430#0~1430#15: enhanced look-up table circuit

1450: Cross-body parity bit combination combination circuit

1510: search circuit

1530: Alternative calibration circuit

1610: Calculation Circuit

1630: multiplier

1650: Comparator

1710,1750: key splitting circuit

1712, 1714: Register

1720,1730: key word processing circuit

1725, 1727, 1729: mutex or gate

1742, 1744: key parity code generation circuit

1752, 1754, 1782, 1784: registers

1762, 1764: Key parity check circuit

1772, 1774: key parity prediction circuit

1810: key word segmentation circuit

1820: Rotary key word circuit

1830: Alternative key circuit

1840: Rounding off the constant circuit

1850: key word combination circuit

1860: Key word parity check generation circuit

1870: Key Word Parity Prediction Circuit

1880: Key word cross parity prediction circuit

1890: Key word parity check 9-bit merge circuit

1930#0~1930#3: enhanced look-up table circuit

2010: Mutual exclusion or gate

2110: key word segmentation circuit

2130: Alternative key word circuit

2150: key combination circuit

2160: key word parity check generation circuit

2180: key word cross parity prediction circuit

2190: keyword parity check 9-bit merge circuit

FIG. 1 is a system architecture diagram of an electronic device according to an embodiment of the invention.

FIG. 2 is a schematic diagram of a flash memory module according to an embodiment of the invention.

FIG. 3 is a high-level schematic diagram of an algorithm using 10 rounds with a 128-bit key.

FIG. 4 is a block diagram of an Advanced Encryption Standard (AES) encoder in accordance with some implementations.

FIG. 5 is a block diagram of an AES encoder according to an embodiment of the present invention.

FIG. 6 is a schematic diagram of a body, body parity bits, and cross-body parity 9 bits according to an embodiment of the present invention.

Fig. 7 is a schematic diagram of a small key, parity bits within a small key, and 9 bits of parity across small keys according to an embodiment of the present invention.

FIG. 8 is a block diagram of an AES encoder according to an embodiment of the present invention.

FIG. 9 is a block diagram of an AES data processing circuit according to an embodiment of the present invention.

FIG. 10 is a block diagram of a parity prediction circuit according to an embodiment of the present invention.

FIG. 11 is a block diagram of an in-body parity bit prediction circuit according to an embodiment of the present invention.

FIG. 12 is a block diagram of an internal parity bit generating circuit according to an embodiment of the present invention.

FIG. 13 is a block diagram of a 9-bit prediction circuit for cross-body parity according to an embodiment of the present invention.

FIG. 14 is a block diagram of an enhanced replacement byte circuit according to an embodiment of the present invention.

FIG. 15 is a block diagram of an enhanced look-up table circuit according to an embodiment of the present invention.

FIG. 16 is a block diagram of an alternative verification circuit according to an embodiment of the present invention.

FIG. 17 is a block diagram of an AES key scheduling circuit according to an embodiment of the present invention.

FIG. 18 is a block diagram of a key word processing circuit according to an embodiment of the present invention.

FIG. 19 is a block diagram of an alternative key circuit according to an embodiment of the present invention.

FIG. 20 is a schematic diagram of a rounding constant circuit according to an embodiment of the present invention.

FIG. 21 is a block diagram of a key word processing circuit according to an embodiment of the present invention.

The following description is a preferred implementation mode of the invention, and its purpose is to describe the basic spirit of the invention, but not to limit the invention. For the actual content of the invention, reference must be made to the scope of the claims that follow.

It must be understood that words such as "comprising" and "including" used in this specification are used to indicate the existence of specific technical features, values, method steps, operations, components and/or components, but do not exclude the possibility of adding More technical characteristics, numerical values, method steps, operation processes, components, components, or any combination of the above.

Words such as "first", "second", and "third" used in the claims are used to modify the elements in the claims, and are not used to indicate that there is a priority order, a pre-relationship, or an element An element preceding another element, or a chronological order in performing method steps, is only used to distinguish elements with the same name.

It should be understood that when an element is referred to as being "connected" or "coupled" to another element, it can be directly connected or coupled to the other element, intervening elements may be present. In contrast, when an element is described as being "directly connected" or "directly coupled" to another element, there are no intervening elements present. Other words used to describe the relationship between elements may be interpreted in a similar manner, such as "between" versus "directly between," or "adjacent" versus "directly adjacent," and so on.

Refer to Figure 1. The electronic device 10 includes a host side (Host Side) 110, a flash memory controller 130 and the flash memory module 150, and the flash memory controller 130 and the flash memory module 150 may be collectively referred to as a device side (Device Side). The electronic device 10 can be implemented in electronic products such as personal computers, notebook computers (Laptop PC), tablet computers, mobile phones, digital cameras, digital video cameras, smart TVs, smart refrigerators, and automotive electronic systems (Automotive Electronics System). middle. The host interface (Host Interface) 137 between the host terminal 110 and the flash memory controller 130 can be a Universal Serial Bus (USB), an advanced technology attachment (ATA), a serial advanced technology attachment, SATA), peripheral component interconnect express (PCI-E), universal flash storage (Universal Flash Storage UFS), embedded multimedia card (Embedded Multi-Media Card eMMC) and other communication protocols communicate with each other. The flash memory interface (Flash Interface) 139 of the flash memory controller 130 and the flash memory module 150 can communicate with each other with a double data rate (Double Data Rate DDR) communication protocol, for example, open NAND flash (Open NAND Flash Interface ONFI), double data rate DDR rate switch (DDR Toggle) or other communication protocols. The flash memory controller 130 includes a processing unit 134, which can be implemented in various ways, such as using general-purpose hardware (for example, a single processor, multiple processors with parallel processing capabilities, graphics processing units, or other processors with computing capabilities), and The functions described later are provided when the software and/or firmware instructions are executed. The processing unit 134 receives host commands, such as read commands (Read Command), write commands (Write Command), erase commands (Erase Command), etc., through the host interface 131, and schedules and executes these commands. The flash controller 130 further includes a random access memory (Random Access Memory, RAM) 136, which can be implemented as a dynamic random access memory (Dynamic Random Access Memory, DRAM), a static random access memory (Static Random Access Memory, SRAM) or a combination of the above two, used to configure the space as a data buffer, store the host data that is read from the host end 110 and is about to be written into the flash memory module 150, and is read from the flash memory module 150 and is about to be output to the host computer The host information of terminal 110. random access memory 136 can also store data needed during execution, such as variables, data tables, Host-to-Flash H2F Table, Flash-to-Host F2H Table, etc. The flash interface 139 includes a NAND flash controller (NAND Flash Controller NFC), which provides functions required for accessing the flash memory module 150, such as command sequencer (Command Sequencer), low density parity check (Low Density Parity Check LDPC) and so on.

A bus architecture (Bus Architecture) 132 can be configured in the flash memory controller 130, which is used to couple components to each other to transmit data, addresses, control signals, etc. These components include a host interface 131, a processing unit 134, a RAM 136, An advanced encryption standard (Advanced Encryption Standard, AES) encoder 137, a direct memory access (Direct Memory Access, DMA) controller 138, a flash memory interface 139, and the like. The DMA controller 138 can transfer data between components through the bus architecture 132 according to the instructions of the processing unit 134, for example, move the data in the specific data buffer of the RAM 136 to a specific register (Register) of the AES encoder 137, and transfer The data in the specific register of the AES encoder 137 is moved to the specific data register of the RAM 136 and the like.

The flash memory module 150 provides a large amount of storage space, usually hundreds of gigabytes (Gigabytes, GB), or even several trillion bytes (Terabytes, TB), for storing a large amount of host data, such as High-resolution pictures, videos, and more. The flash memory module 150 includes a control circuit and a memory array. The memory cells in the memory array can be configured as Single Level Cells (SLCs) or Multiple Level Cells (MLCs) after erasing. Three-level cells (Triple Level Cells, TLCs), four-level cells (Quad-Level Cells, QLCs), or any combination of the above. The processing unit 134 writes host data to a specified address (destination address) in the flash memory module 150 through the flash memory interface 139 and reads host data from a specified address (source address) in the flash memory module 150 . The flash memory interface 139 uses several electronic signals to coordinate the data and command transmission between the flash memory controller 130 and the flash memory module 150, including the data line (Data Line), clock signal (Clock Signal) and control signal (Control Signal). Signal). Data lines can be used to transmit commands, addresses, read and write data; control signal lines can be used to transmit chip enable (Chip Enable, CE), address extraction enable (Address Latch Enable, ALE), command extraction enable Control signals such as Command Latch Enable (CLE) and Write Enable (WE).

Referring to FIG. 2, the interface 151 in the flash memory module 150 may include four input/output channels (I/O channels, hereinafter referred to as channels) CH#0 to CH#3, and each channel is connected to four NAND flash memory units, for example, the channel CH#0 is connected to NAND flash memory units 153#0, 153#4, 153#8 and 153#12. Each NAND flash memory unit can be packaged as an independent chip (Die). The flash memory interface 139 can send one of the enable signals CE#0 to CE#3 through the interface 151 to enable the NAND flash memory units 153#0 to 153#3, 153#4 to 153#7, 153#8 to 153#11 , or 153#12 to 153#15, and then read the host data from the enabled NAND flash memory unit in parallel, or write the host data to the enabled NAND flash memory unit.

AES加密中使用的密鑰大小決定了轉換回合的數目，此加密用以將輸入訊息(稱為明文)轉換成為最後輸出(稱為密文)。例如，128位元密鑰使用10個回合(n=10)加密，192位元密鑰使用12個回合(n=12)加密，256位元密鑰使用14個回合(n=14)加密。每個回合包含數個處理步驟(或者稱為操作)，其中包含一個取決於加 密密鑰本身的步驟。參考圖3所示的以128位元密鑰使用10個回合的演算法的高階示意圖。演算法使用擴展密鑰的步驟S350(也稱為AES密鑰排程)，根據128位元基礎密鑰(Root Key)w[0,3]來擴展出多個回合所需要的密鑰。初始回合包含加上回合密鑰(Add-Round-Key)的步驟S340#0，用於加上回合密鑰，每個體使用逐位元的XOR運算合併上基礎密鑰w[0,3]中的相應位元組。接下來的9個回合，每個回合包含替代位元組(Substitute-Bytes)的步驟S310#i、位移列(Shift-Rows)的步驟S320#i、混合行(Mix-Columns)的步驟S330#i、加上回合密鑰的步驟S340#i，其中i為1到9之間的任意正整數。步驟S310#i是一個非線性替代的步驟，根據查找表(又可稱為Rijndael S-box)將每個體的值替換為另一個值，其中的查找表使用以下公式建立：SB_i=Affine((i)^-1)SB_i代表i的輸出結果，Affine()代表Affine轉換函數，i為從0到127的正整數。步驟S320#i是一個調換位置的步驟，將下面三列的每一者向左或向右循環位移指定步數。步驟S330#i執行線性混合操作，作用於行，用於將每一行的四個體進行合併。步驟S340#i用於加上回合密鑰，每個體使用逐位元的XOR運算合併上基礎密鑰w[i*4,i*4+3]中的相應位元組。最後回合(也就是第10回合)包含步驟S310#10、S320#10、S340#10，其功能分別類似於步驟S310#i、S320#i、S340#i。雖然圖3只介紹了128位元密鑰使用10個回合的演算法，所屬技術領域人員理解192位元密鑰使用12個回合及256位元密鑰使用14個回合的演算法的技術細節，可從美國國家標準與技術研究院(National Institute of Standard and Technology，NIST)發表的標準文件中獲取。 The AES encoder 137 implements a variant of Rijndael using a fixed 128-bit size block and a base key size of 128, 192 or 256 bits. The AES encoder 137 operates on a 4x4 column-major order array (4x4 Column-major Order Array) of bytes, and each byte is called a body (State). Most of the AES calculations are done in a specific finite field (Finite Field). For example, 16 individuals S ₀ , S ₁ to S ₁₅ can be represented by the following two-dimensional array (Two-dimensional Array):

The key size used in AES encryption determines the number of conversion rounds used to convert an input message (called plaintext) into a final output (called ciphertext). For example, a 128-bit key is encrypted using 10 rounds (n=10), a 192-bit key is encrypted using 12 rounds (n=12), and a 256-bit key is encrypted using 14 rounds (n=14). Each round consists of several processing steps (or operations), including one that depends on the encryption key itself. Refer to Figure 3 for a high-level schematic diagram of the algorithm using 10 rounds with a 128-bit key. The algorithm uses the step S350 of expanding the key (also called AES key scheduling) to expand the keys needed for multiple rounds according to the 128-bit root key (Root Key) w[0,3]. The initial round includes the step S340#0 of adding a round key (Add-Round-Key), which is used to add a round key, and each body uses a bitwise XOR operation to combine the basic key w[0,3] corresponding bytes of the . Next 9 rounds, each round includes step S310#i of Substitute-Bytes, step S320#i of Shift-Rows, step S330# of Mix-Columns i. Step S340#i of adding a round key, wherein i is any positive integer between 1 and 9. Step S310#i is a non-linear substitution step, replacing the value of each volume with another value according to a lookup table (also called Rijndael S-box), wherein the lookup table is established using the following formula: SB _i =Affine( (i) ^-1 )SB _i represents the output of i, Affine() represents the Affine conversion function, and i is a positive integer from 0 to 127. Step S320#i is a step of exchanging positions, cyclically shifting each of the following three columns to the left or right by a specified number of steps. Step S330#i executes a linear blending operation, acting on rows, for merging four volumes in each row. Step S340#i is used to add the round key, each body uses the bitwise XOR operation to combine the corresponding bytes in the basic key w[i*4, i*4+3]. The last round (that is, the tenth round) includes steps S310#10, S320#10, and S340#10, the functions of which are similar to steps S310#i, S320#i, and S340#i respectively. Although Fig. 3 only introduces the algorithm using 10 rounds for the 128-bit key, those skilled in the art understand the technical details of the algorithm using 12 rounds for the 192-bit key and 14 rounds for the 256-bit key, Available from standards documents published by the National Institute of Standards and Technology (NIST).

Due to malicious attacks, chip defects, harsh environments, etc., errors will occur during the AES encryption process, which will cause major damage to user data that cannot be recovered. reference image 4. In some implementations, the AES encoder 400 includes two sets of identical AES encoding circuits 410 and 430 for implementing the algorithm shown above. The AES encoder 400 is further provided with a comparator 450 for receiving the ciphertext C#1 of each body from the AES encoding circuit 410 and the ciphertext C#2 of each body from the AES encoding circuit 430, and comparing whether they are the same. If they are the same, the comparator 450 outputs the ciphertext C#1 and the message that the encryption is successful. If not, the comparator 450 outputs an encryption failure message, which is used to notify the firmware running in the processing unit that an error management program needs to be executed. However, the area of the AES encoder 400 in the above embodiment is larger than the area of the two sets of AES encoding circuits, resulting in increased manufacturing costs.

In order to make the area of the AES encoder smaller than the area of the two sets of AES encoding circuits, from one aspect, referring to FIG. In addition to the circuit 510, an error detection circuit 530 with a smaller area than a complete set of AES encoding circuit 510 is also provided to detect whether an error occurs during the encryption process. During the encryption process of each block, the error detection circuit 530 uses less information than 16 blocks and their associated round keys to determine whether an error occurs during the entire encryption process. If it is determined that there is no error, the error detection circuit 530 may output an encryption success message. If it is determined that an error occurs, the error detection circuit 530 outputs an encryption failure message for notifying the firmware running in the processing unit that an error management program needs to be executed.

P_i代表第i個體的體內奇偶校驗位元的值，S_i,j代表第i個體中的第j個位元的值，i為從0到15的正整數。當公式的兩邊相等時，代表第i個體和第i個體內奇偶校驗位元是匹配的。否則，代表兩者間不匹配。冗餘資料產生電路550可預測相應於每行的體的值及其體內奇偶校驗位元的一個跨體奇偶校驗9位元(Across-state Parity 9-bit)。例如，冗餘資料產生電路550可預測相應於體S₀及其體內奇偶校驗位元P₀、體S₁及其體內奇偶校驗位元P₁、體S₂及其體內奇偶校驗位元P₂和體S₃及其體內奇偶校驗位元P₃的跨體奇偶校驗9位元Q₀，依此類推。每個行的多個體及其體內奇偶校驗位元和相應跨體奇偶校驗9位元之間的匹配可使用以下範例公式表示：

,for j=0~8 Redundant data generating circuit 550 can add redundant data for allowing error detection circuit 530 to judge whether an error occurs in the encryption process in 16 units, and redundant data is a kind of value based on 16 units or intermediate encryption result and AES The predicted result of the encryption algorithm. Referring to FIG. 6 , in some embodiments, a redundant-data generation circuit (Redundant-data Generation Circuitry) 550 can predict an internal parity bit (In-state Parity Bit), and convert the internal parity bit (when as the 8th bit) is appended after the body (0~7 bits). It should be noted that those skilled in the art should not interpret the 8-bit body and 1-bit body parity bits to be actually stored in a 9-bit continuous space based on the above additional operations, different but equivalent data structures are allowed. For example, the redundant data generating circuit 550 can predict the internal parity bit P ₀ of the bank S ₀ , predict the internal parity bit P ₁ of the bank S ₁ , and so on. A match between a body and the corresponding body parity bits can be expressed using the following example formula:

P _i represents the value of the internal parity bit of the i-th individual, S _i,j represents the value of the j-th bit in the i-th individual, and i is a positive integer from 0 to 15. When both sides of the formula are equal, it means that the i-th individual and the parity bits in the i-th individual match. Otherwise, there is a mismatch between the two. The redundant data generation circuit 550 can predict an Across-state Parity 9-bit corresponding to the bank value of each row and its bank parity bit. For example, _the redundant data _{generating circuit 550} may _predict the corresponding Element P ₂ and bank S ₃ and its body parity bit P ₃ 's cross-body parity 9-bit Q ₀ , and so on. The matching between multiple banks of each row and its internal parity bits and the corresponding straddle parity 9 bits can be expressed using the following example formula:

, for j =0~8

,for j=0~8

, for j =0~8

,for j=0~8

, for j =0~8

,for j=0~8 Q_0,j代表第0個跨體奇偶校驗9位元的第j個位元的值，Q_1,j代表第1個跨體奇偶校驗9位元的第j個位元的值，Q_2,j代表第2個跨體奇偶校驗9位元的第j個位元的值，Q_3,j代表第3個跨體奇偶校驗9位元的第j個位元的值，S_i,j代表第i個體中的第j個位元的值，j為從0至8的任意整數。當第i個跨體奇偶校驗9位元中的每個位元等於第i行中的相應位元的加總(或者互斥或運算的結果)時，代表第i行的體及體內奇偶校驗位元和第i個跨體奇偶校驗9位元之間是匹配的。否則，代表兩者間不匹配。

,for j =0~8 Q _0,j represents the value of the jth bit of the 0th straddle parity 9-bit, Q _1,j represents the value of the 1st straddle parity 9-bit The value of j bits, Q _2,j represents the value of the jth bit of the second spanning parity 9-bit, Q _3,j represents the value of the third spanning parity 9-bit The value of j bits, S _{i, j} represents the value of the jth bit in the i-th individual, and j is any integer from 0 to 8. When each of the 9 bits of the i-th cross-body parity check is equal to the sum of the corresponding bits in the i-th row (or the result of a mutually exclusive OR operation), it represents the body and body parity of the i-th row There is a match between the parity bit and the i-th span parity 9 bits. Otherwise, there is a mismatch between the two.

From one aspect, the AES encoding circuit 510 and the redundant data generating circuit 550 are independent And running in parallel, there will be no data and message exchange between the two. The redundant data generation circuit 550 generates predicted redundant data using a redundant data update algorithm, and the redundant data update algorithm is derived from the AES encryption algorithm, so that the intermediate encryption result and redundant data generated by the AES encoding circuit 510 The redundant data predicted by the data generation circuit 550 can maintain the specified mathematical relationship at each specific intermediate point in the process of encrypting plaintext without errors.

R_i代表第i個小鑰的小鑰內奇偶校驗位元的值，k_i,j代表第i個小鑰中的第j個位元的值，i為從0到15的正整數。當公式的兩邊相等時，代表第i個小鑰和第i個小鑰內奇偶校驗位元是匹配的。否則，代表兩者間不匹配。冗餘密鑰產生電路570可預測相應於每行的小鑰的值 及其小鑰內奇偶校驗位元的一個跨小鑰奇偶校驗9位元(Across-subkey Parity 9-bit)。例如，冗餘密鑰產生電路570可預測相應於小鑰k₀及其小鑰內奇偶校驗位元R₀、小鑰k₁及其體內奇偶校驗位元R₁、小鑰k₂及其小鑰內奇偶校驗位元R₂和小鑰k₃及其小鑰內奇偶校驗位元R₃的跨小鑰奇偶校驗9位元V₀，依此類推。每個行的多個小鑰及其小鑰內奇偶校驗位元和相應跨小鑰奇偶校驗9位元之間的匹配可使用以下範例公式表示：

,for j=0~8 Redundant-key Generation Circuitry (Redundant-key Generation Circuitry) 570 adds redundant data for allowing error detection circuit 530 to determine whether an error occurs in the key generation process to each basic key or round key, and redundant The remaining data is a prediction based on the value in the base key or round key and the AES key scheduling algorithm. Referring to FIG. 7, taking the 256-bit basic key as an example, the redundant key generation circuit 570 can first divide the basic key into 32 bytes in sequence (each byte can be called a small key, Subkey ), and organized as a matrix of 8 rows and 4 columns. Redundant key generating circuit 570 can predict the parity check bit (In-subkey Parity Bit) in a small key, and attach the parity check bit (as the 8th bit) in the small key to the small key ( After the 0~7 bits). It should be noted that those skilled in the art cannot interpret the parity bits in the 8-bit small key and the 1-bit small key to be actually stored in a 9-bit continuous space based on the above additional operations, which are different but equivalent data structures are allowed. For example, the redundant key generation circuit 570 can predict the parity bit R ₀ of the small key k ₀ , predict the parity bit R ₁ of the small key k ₁ , and so on. The match between the keylet and the parity bits within the keylet can be expressed using the following example formula:

R _i represents the value of the parity bit in the i-th small key, ki _,j represents the value of the j-th bit in the i-th small key, and i is a positive integer from 0 to 15. When both sides of the formula are equal, it means that the i-th small key matches the parity bits in the i-th small key. Otherwise, there is a mismatch between the two. The redundant key generation circuit 570 can predict an Across-subkey Parity 9-bit (Across-subkey Parity 9-bit) corresponding to the value of the subkey of each row and the parity bits within the subkey. For example, the redundant key generation circuit 570 can predict that corresponding to the small key k ₀ and its internal parity bit R ₀ , small key k ₁ and its internal parity bit R ₁ , small key k ₂ and The parity check bit R ₂ in the small key and the parity check bit R 3 in the small key k ₃ and the parity check bit R ₃ in the small key 9-bit V ₀ , and so on. Multiple keys per row and the matching between their intra-keylet parity bits and the corresponding cross-keylet parity 9 bits can be expressed using the following example formula:

, for j =0~8

,for j=0~8

, for j =0~8

,for j=0~8

, for j =0~8

,for j=0~8

, for j =0~8

,for j=0~8

, for j =0~8

,for j=0~8

, for j =0~8

,for j=0~8

, for j =0~8

,for j=0~8 V_0,j代表第0個跨小鑰奇偶校驗9位元的第j個位元的值，V_1,j代表第1個跨小鑰奇偶校驗9位元的第j個位元的值，V_2,j代表第2個跨小鑰奇偶校驗9位元的第j個位元的值，V_3,j代表第3個跨小鑰奇偶校驗9位元的第j個位元的值，V_4,j代表第4個跨小鑰奇偶校驗9位元的第j個位元的值，V_5,j代表第5個跨小鑰奇偶校驗9位元的第j個位元的值，V_6,j代表第6個跨小鑰奇偶校驗9位元的第j個位元的值，V_7,j代表第7個跨小鑰奇偶校驗9位元的第j個位元的值，k_i,j代表第i個小鑰中的第j個位元的值，j為從0至8的任意整數。當第i個跨小鑰奇偶校驗9位元中的每個位元等於第i行中的相應位元的加總(或者互斥或運算的結果)時，代表第i行的小鑰及小鑰內奇偶校驗位元和第i個跨小鑰奇偶校驗9位元之間是匹配的。否則，代表兩者間不匹配。

,for j =0~8 V _0,j represents the value of the jth bit of the 0th 9-bit cross-key parity check, V _1,j represents the first 9-bit cross-key parity check V _2,j represents the value of the jth bit of the second cross-key parity 9-bit, V _3,j represents the third cross-key parity 9 The value of the jth bit of the bit, V _4,j represents the value of the jth bit of the 4th cross-key parity check 9 bits, V _5,j represents the fifth cross-key parity Check the value of the jth bit of the 9-bit, V _6,j represents the value of the jth bit of the 6th cross-key parity check 9-bit, V _7,j represents the 7th cross-key The value of the j-th bit of the 9-bit parity check, ki _,j represents the value of the j-th bit in the i-th small key, and j is any integer from 0 to 8. When each bit in the 9-bit parity check across the i-th small key is equal to the sum of the corresponding bits in the i-th row (or the result of a mutually exclusive OR operation), it represents the i-th row's small key and There is a match between the parity bit in the small key and the i-th 9-bit parity across the small key. Otherwise, there is a mismatch between the two.

From one aspect, the AES encoding circuit 510 and the redundant key generation circuit 570 are independent And running in parallel, there will be no data and message exchange between the two. The redundant key generating circuit 570 generates predicted redundant data using a redundant key update algorithm, and the redundant key update algorithm is derived from the AES key schedule in the AES encryption algorithm, so that the AES encoding The round key generated by the circuit 510 and the redundant data predicted by the redundant key generation circuit 570 can maintain the specified mathematical relationship at each specific intermediate point in the process of generating the round key without errors .

Although FIG. 5 shows the AES encoding circuit 510, the error detection circuit 530, the redundant data generation circuit 550 and the redundant key generation circuit 570 in different blocks, this is only for the sake of easy understanding by readers, and those skilled in the art can use them in practice During implementation, the AES encoding circuit 510 , the error detection circuit 530 , the redundant data generating circuit 550 and the redundant key generating circuit 570 are integrated together in an appropriate manner, and the present invention is not limited thereto.

From another aspect, referring to FIG. 8 , the embodiment of the present invention proposes setting an AES Data Processing Circuit (AES Data Processing Circuit) 810 and an AES Key Schedule Circuit (AES Key Schedule Circuit) 830 in the AES encoder 137 . The AES key scheduling circuit 830 includes a key generation circuit 833 for completing the key expansion step S350 shown in FIG. 3 . The controller 870 sends a control signal to the AES key scheduling circuit 830, which is used to drive the AES key scheduling circuit 830 to generate a new round key according to the basic key K ₀ or the previous round key K _i-2 , and output The round key K _i of the designated round and its corresponding redundant data (for example, the parity bit R within the small key and the 9-bit parity V across small keys) are sent to the AES data processing circuit 810 . The AES key scheduling circuit 830 includes a key error checking circuit 835 arranged to calculate redundant information corresponding to each round key; When the remaining data do not match, an error signal ERR_KEY=1 is issued. The round key can be divided into 16 small keys and organized as a 4x4 byte array, each small key is 1 byte; redundant data includes parity bits in the small key corresponding to each small key, and 9 bits of parity across keylets corresponding to each row. When key error checking circuit 835 finds any keylet that does not match a parity bit in the corresponding keylet at a specified intermediate point in the keying process, or finds a keylet corresponding to any row plus 4 corresponding keylets When the inner parity bit does not match the corresponding 9-bit parity across the small key, an error signal ERR_KEY=1 is sent.

The AES data processing circuit 810 includes an encoding circuit 813, which is configured to implement the byte replacement step S310, column displacement step S320, row mixing step S330 and round key addition step S340 in the AES algorithm shown in FIG. The AES algorithm consists of multiple rounds, and in each round is used to encode plaintext or intermediate encryption results using the round key. The controller 870 sends a control signal to the AES data processing circuit 810 for driving the AES data processing circuit 810 to arrange the execution sequence of the above steps to meet the round setting of the AES algorithm. The AES data processing circuit 810 includes an encoding error checking circuit 815, which is configured to calculate redundant data corresponding to plaintext or intermediate encryption results; when a specified intermediate point in the encryption process finds a mismatch between the intermediate encryption results and the redundant data, Issue encoding error signal ERR_ENC=1. The plaintext can be divided into 16 individuals and organized as a 4x4 array, each body is 1 byte, and the redundant data includes the body parity bits corresponding to each body, and the cross-body parity corresponding to each row in the plaintext Check 9 bits. Encoding error checking circuit 815 at a specified point in the encryption process when it finds that the intermediate encrypted result of any of the bodies does not match the corresponding body parity bit, or finds that the intermediate encrypted result corresponds to any line in the plaintext plus 4 When a corresponding internal parity bit does not match the corresponding spanning parity 9 bits, an encoding error signal ERR_ENC=1 is sent.

The OR gate 850 is coupled to the output terminals of the encoding error checking circuit 815 and the key error checking circuit 835 . When the encoding error checking circuit 815 outputs the encoding error signal ERR_ENC=1 and/or the key error checking circuit 835 outputs the key error signal ERR_KEY=1, the OR gate 850 outputs the AES error signal ERR_AES=1 to the processing unit 134 .

Refer to the block diagram of the AES data processing circuit 810 shown in FIG. 9 . The data register 912 is used to store the intermediate or final result of the 16-byte group (that is, 128 bits) generated in the AES encryption process, and the parity register (Parity Registers) 914 is used to store the generated data in the AES encryption process. The body parity bits and the span parity 9 bits corresponding to the intermediate or final result of the 16-byte group. Shift column circuit (Shift-row Circuitry) 930 is used to execute the step S320 of shifting the sequence as shown in FIG. 3 , and its structure is well known to those skilled in the art, and will not be repeated for simplicity. A Mix-column Circuitry (Mix-column Circuitry) 940 is used to execute the step S330 of mixing columns as shown in FIG. 3 , and its structure is well known to those skilled in the art, and will not be repeated for brevity. Adding a round key circuit (Add-round-key Circuit) 950 is used to perform the step S340 of adding a round key as shown in FIG. 3 , and its structure is well known to those skilled in the art. repeat.

The controller 870 can send a selection signal R_sel to the multiplexer 980 and the parity prediction circuit (Parity Prediction Circuit) 970 in each round for controlling the data flow through the designated circuit. The multiplexer 980 includes three input terminals I ₀ , I ₁ and I ₂ and one output terminal O. The input terminal I ₀ is coupled to the input pin of the AES encoder 137 to receive the 16-byte plain text, the input terminal I ₁ is coupled to the output of the mixing row circuit 940 to receive the 16-byte operation result, and the input terminal I ₂ is coupled to The output of the column shift circuit 930 is connected to receive the 16-byte operation result, and the output terminal O is coupled to the input of the adding round key circuit 950 . In detail, in the initial round, the controller 870 can use the control signal R_sel to control the multiplexer 980 to connect the input terminal _I0 to the output terminal O, so that the 16-byte received from the input pin of the AES encoder 137 The plaintext S can be fed into the adding round key circuit 950 . In the middle round (for example, the 1st to 13th rounds using a 256-bit key), the controller 870 can use the control signal R_sel to control the multiplexer 980 to connect the input terminal _I1 to the output terminal O, so that the hybrid row circuit 940 The output can be fed into plus round key circuit 950 . In the final round (for example, the 14th round using a 256-bit key), the controller 870 can use the control signal R_sel to control the multiplexer 980 to connect the input terminal _I2 to the output terminal O, so that the output of the column shift circuit 930 can be fed to Add the round key circuit 950. In addition, in the initial round, the controller 870 can use the control signal R_sel to control the parity prediction circuit 970, so that the 16-byte plaintext S received from the input pin of the AES encoder 137 can be fed into the parity prediction circuit 970, used to generate body parity bit P and straddle body parity bit Q corresponding to the plaintext. In the intermediate and final rounds, the controller 870 can use the control signal R_sel to control the parity prediction circuit 970, so that the output of the enhanced surrogate byte circuit 920 can be fed into the parity prediction circuit 970 for generating the corresponding intermediate encryption The body parity bit P and the cross body parity 9 bits Q of the result.

Refer to the block diagram of the parity prediction circuit 970 shown in FIG. 10 . The parity prediction circuit 970 includes an In-state Parity-bit Prediction Circuitry 1010 and an Across-state Parity-9-bit Prediction Circuitry 1030 . The internal parity bit prediction circuit 1010 selects the input plaintext S (corresponding to the initial round) or the intermediate encrypted result S' (corresponding to the intermediate or final round) according to the control signal R_sel, and according to the plaintext S/intermediate encrypted result S' and small The parity bits R in the key generate the parity bits P in the key. The cross-body parity 9-bit prediction circuit 1030 selects the input plaintext S (corresponding to the initial round) or the intermediate encryption result S' (corresponding to the intermediate or final round) according to the control signal R_sel, and according to the plaintext S/intermediate encryption result S' And cross-key parity 9-bit V produces cross-body parity 9-bit Q.

Refer to the block diagram of the internal parity bit prediction circuit 1010 shown in FIG. 11 . The controller 870 can send a selection signal R_sel to the multiplexer 1140 and the internal parity bit generating circuit 1110 in each round to control the data flow through the designated circuit. The multiplexer 1140 includes three input terminals I ₀ , I ₁ and I ₂ and one output terminal O. The input terminal _I0 is coupled to the output of the internal parity bit generation circuit 1110 to receive the 16-bit internal parity code corresponding to the plaintext, and the input terminal _I1 is coupled to the output of the hybrid row prediction circuit 1130 to receive the 16-bit internal parity code. The input terminal _I2 is coupled to the output of the shift column prediction circuit 1120 to receive the 16-bit calculation result, and the output terminal O is coupled to the input of the plus round key prediction circuit 1150 . In detail, in the initial round, the controller 870 can use the control signal R_sel to drive the internal parity bit generation circuit 1110 to receive 16-byte plaintext from the input pin of the AES encoder 137, and control the multiplexer 1140 to The input terminal _I0 is connected to the output terminal O, so that the 16-bit internal parity code corresponding to the plaintext S received from the output of the internal parity check bit generation circuit 1110 can be fed into plus the round key prediction circuit 1150. In the middle round (for example, the 1st to 13th rounds using a 256-bit key), the controller 870 can use the control signal R_sel to drive the internal parity bit generation circuit 1110 to obtain the 16-byte intermediate encryption from the data register 912 result S', and the multiplexer 1140 is controlled to connect the input terminal _I1 to the output terminal O, so that the 16-bit body parity received from the output of the hybrid row prediction circuit 1130 corresponding to the intermediate encryption result S' The code can be fed into plus round key prediction circuit 1150 . In the final round (for example, the 14th round using a 256-bit key), the controller 870 can use the control signal R_sel to drive the internal parity bit generation circuit 1110 to obtain the 16-byte intermediate encryption result S' from the data register 912 , and control the multiplexer 1140 to connect the input terminal _I2 to the output terminal O, so that the 16-bit internal parity code corresponding to the intermediate encryption result S' received from the output of the shift column prediction circuit 1120 can be fed to Add the round key prediction circuit 1150.

Refer to the block diagram of the internal parity bit generation circuit 1110 shown in FIG. 12 . The controller 870 can send a selection signal R_sel to the multiplexer 1210 in each round to control the data flow through the designated circuit. The multiplexer 1210 includes two input terminals I ₀ and I ₁ and one output terminal O. In detail, in the initial round, the controller 870 can use the control signal R_sel to control the multiplexer 1210 to connect the input terminal _I0 to the output terminal O, so that the 16 bytes received from the input pin of the AES encoder 137 The plaintext S can be fed into the mutex OR gate 1230 in the body. In the middle and final rounds (such as the 1st to 14th rounds using a 256-bit key), the controller 870 can use the control signal R_sel to control the multiplexer 1210 to connect the input terminal _I1 to the output terminal O, so that the slave data register 912 obtains the 16-byte intermediate encryption result S′ that can be fed into the internal exclusive OR gate 1230 . The internal exclusive OR gate 1230 comprises a plurality of exclusive OR gates arranged to generate the internal parity bits P ₀ to _P15 .

位移列電路1160用於將第一列向左循環位移一個體，將第二列向左循環位移兩個體，以及將第三列向左循環位移三個體。位移結果如下所示：

Referring back to Fig. 11, the plaintext S or the intermediate encryption result S' is organized as an array of 4x4 entities. The column shift circuit 1160 is used to cyclically shift each of the lower three columns to the left by a specified number of steps. For example, the plaintext S is expressed as follows:

The column shift circuit 1160 is used to cyclically shift the first column to the left by one bank, the second column to the left by two banks, and the third column to the left by three banks. The displacement results are as follows:

位移列預測電路1120用於將第一列向左循環位移一個位元，將第二列向左循環位移兩個位元，以及將第三列向左循環位移三個位元。位移結果如下所示：

The body parity bits corresponding to the plaintext S or the intermediate encrypted result S' are organized as an array of 4x4 bits. The shift column prediction circuit 1120 is used to cyclically shift each of the lower three columns to the left by a specified number of steps. For example, the body parity bits corresponding to the plaintext S are expressed as follows:

The column shift prediction circuit 1120 is used to cyclically shift the first column to the left by one bit, the second column to the left by two bits, and the third column to the left by three bits. The displacement results are as follows:

The hybrid row prediction circuit 1130 is coupled to the output of the displacement column prediction circuit 1120 and the displacement column circuit 1160, using 16 formulas known to those skilled in the art, and each formula sums the shifted plaintext S or the intermediate encrypted result S' The 4x4 array of bytes and the values of the specified portion of the 4x4 array of shifted internal parity bits yield the specified values of the mixed matrix of internal parity bits.

In addition, the round key prediction circuit 1150 uses the following formula to calculate the encrypted result of the parity check bit in the body: P ^(out) _i =P ⁽ⁱⁿ⁾ _i +R _i P ^(out) _i represents the body of the output i individual Parity bit, P ⁽ⁱⁿ⁾ _i represents the internal parity bit of the i-th individual input, R _i represents the parity bit in the i-th small key, and i is any integer from 0 to 15. It should be noted that at this time, the positions in the matrix corresponding to P ⁽ⁱⁿ⁾ _i and P ^(out) _i refer to the positions in the matrix output by the hybrid row prediction circuit 1130, not corresponding to the parity bits in the body The positions in the matrix output by the generation circuit 1110 are generated.

Refer to the block diagram of the 9-bit prediction circuit 1030 for cross-body parity shown in FIG. 13 . The controller 870 can send a selection signal R_sel to the span parity generating circuit 1310 in each round for controlling the input data flow of the span parity generating circuit 1310 . Specifically, in the initial round, the controller 870 can use the control signal R_sel to drive the straddle parity generating circuit 1310 to receive 16-byte plaintext from the input pin of the AES encoder 137, so that the straddle parity The parity byte generation circuit 1310 generates a cross-body parity byte according to the 16-byte group of the plaintext S. During intermediate rounds (e.g., rounds 1 to 13 using a 256-bit key) or final rounds (e.g., round 14 using a 256-bit key), the controller 870 can drive cross-body parity using the control signal R_sel The byte group generation circuit 1310 obtains the intermediate encryption result S' of 16 bytes from the data register 912, so that the straddle parity check byte group generation circuit 1310 generates a span parity check according to the 16 bytes of the intermediate encryption result S' Parity group.

The straddle parity check byte generation circuit 1310 comprises a plurality of exclusive OR gates, arranged in the initial round to complete the straddle parity check bit as shown in Figure 6 according to the plaintext S of the 16-byte group received Groups (excluding the 8th bit corresponding to the parity bit in the body) Q _0,0..7 to Q _3,0..7 . In the middle round or the final round, the arrangement is based on the received intermediate encryption result S' of the 16-byte group, and the following formula is used to calculate the cross-body parity bit (excluding the 8th bit corresponding to the body parity bit) bits) Q _0,0..7 to Q _3,0..7 : Q _{0 ,j} = S' _{0 ,j} + S' _{5 ,j} + S' _{10 ,j} + S' _{15 ,j} ,for j =0~7

Q _{1 ,j} = S' _{4 ,j} + S' _{9 ,j} + S' _{14 ,j} + S' _{3 ,j} ,for j =0~7

Q _{2 ,j} = S' _{8 ,j} + S' _{13 ,j} + S' _{2 ,j} + S' _{7 ,j} ,for j =0~7

Q _{3 ,j} = S' _{12 ,j} + S' _{1 ,j} + S' _{6 ,j} + S' _{11 ,j} ,for j =0~7 Q _0,j to Q _3,j represent the 0th to The value of the jth bit of the third spanning parity byte group, S' _{0, j} to S' _{15, j} respectively represent the jth corresponding to the 0th to the 15th intermediate encryption results bit value.

Across-subkey Parity-byte Split Circuitry (Across-subkey Parity-byte Split Circuitry) 1330 removes the 8th bit of each 9-bit cross-subkey parity to become a cross-subkey parity bit and feed the cross-key parity bytes into the cross-body parity prediction circuit 1350.

,for j=0~7 The span parity byte prediction circuit 1350 calculates the prediction result for each span parity byte using the following formula:

, for j =0~7

,for j=0~7

, for j =0~7

,for j=0~7

, for j =0~7

,for j=0~7 Q^(out) _0,j代表輸出的第0個跨體奇偶校驗位元組的第j個位元的值，Q^(out) _1,j代表輸出的第1個跨體奇偶校驗位元組的第j個位元的值，Q^(out) _2,j代表輸出的第2個跨體奇偶校驗位元組的第j個位元的值，Q^(out) _3,j代表輸出的第3個跨體奇偶校驗位元組的第j個位元的值，Q⁽ⁱⁿ⁾ _i,j代表輸入的第i個跨體奇偶校驗位元組的第j個位元的值，V_i,j代表第i個跨小鑰奇偶校驗位元組中的第j個位元的值。

,for j =0~7 Q ^(out) _{0, j} represents the value of the jth bit of the 0th straddle parity bit group output, Q ^(out) _{1, j} represents the first output The value of the jth bit of the straddle body parity check byte, Q ^(out) _{2, j} represents the value of the jth bit of the 2nd straddle body parity check byte of output, Q ^{(out )} _3,j represents the value of the jth bit of the 3rd straddle parity byte group output, Q ⁽ⁱⁿ⁾ _i,j represents the value of the ith straddle parity byte group input The value of j bits, V _i,j represents the value of the jth bit in the ith inter-key parity byte group.

The straddle parity 1 bit prediction circuit 1370 calculates the prediction result of the 8th bit of each span parity 9 bits using the following formula:

Q_0,8代表第0個行的跨體奇偶校驗9位元的第8個位元的值，Q_1,8代表第1個行的跨體奇偶校驗9位元的第8個位元的值，Q_2,8代表第2個行的跨體奇偶校驗9位元的第8個位元的值，Q_3,8代表第3個行的跨體奇偶校驗9位元的第8個位元的值，P_i,8代表相應於第i個體的體內奇偶校驗位元(也就是第8個位元)的值。

Q _0,8 represents the value of the 8th bit of the 9-bit straddle parity of the 0th row, and Q _1,8 represents the 8th bit of the 9-bit straddle parity of the 1st row The value of the element, Q _{2, 8} represents the value of the 8th bit of the 9-bit straddle parity check of the second row, and Q _{3, 8} represents the 9-bit straddle parity check of the 3rd row The value of the 8th bit, Pi _,8 represents the value of the internal parity bit (that is, the 8th bit) corresponding to the i-th individual.

Across-state Parity-9-bit Concatenation Circuitry (Across-state Parity-9-bit Concatenation Circuitry) 1390 adds each of the Across-state Parity-check bytes output from the Across-state Parity-9-bit prediction circuit 1350 The corresponding 8th bit output from the straddle parity 1 bit prediction circuit 1370 becomes the complete straddle parity 9 bits.

Referring back to FIG. 9 , a parity check circuit (Parity Check Circuitry) 960 checks whether an error occurs in the execution result of the previous round. The parity check circuit 960 obtains the intermediate encrypted result S' from the data register 912, and obtains the internal parity bit P and the cross-body parity 9 bits corresponding to the intermediate encrypted result S' from the parity register 914 Q. The parity check circuit 960 judges whether the intermediate encryption result S' matches the internal parity bit P, and if not, sends a linear error signal err_L=1 to the processing unit 134, so that the processing unit 134 performs any response A hypervisor for AES encryption errors. The parity check circuit 960 also judges whether the middle encryption result S', the middle body parity bit P, and the straddle parity 9-bit Q match, and if they do not match, a linear error signal err_L= is issued. 1 to the processing unit 134.

The Enhanced Substitute-byte Circuit (Enhanced Substitute-byte Circuit) 920, in addition to completing the byte-substitute step S310 in the algorithm, also checks whether the execution result of this step is correct. Refer to the block diagram of the enhanced replacement byte circuit 920 shown in FIG. 14 . The cross-body parity byte segmentation circuit 1410 obtains the 128-bit intermediate result S' from the data register 912, divides it into 16 byte groups, and feeds these 16 byte groups into the enhanced look-up table circuit respectively 1430#0 to 1430#15. Enhanced look-up table circuit 1430#0 to Each of 1430#15 completes the byte replacement step S310, and judges whether the operation is correct. If any one of the enhanced look-up table circuits 1430#0 to 1430#15 finds the operation error, it outputs a non-linear error signal err_nl_i=1, where i is a positive integer from 0 to 15. As long as any enhanced look-up circuit outputs the non-linear error signal err_nl_i, the enhanced substituting byte circuit 920 outputs the non-linear error signal err_nL=1 to the processing unit 134, so that the processing unit 134 executes any management procedures in response to AES encryption errors . The cross-body parity bit combining circuit 1450 collects the table look-up results of the enhanced look-up table circuits 1430 #0 to 1430 #15, and outputs the converted 128 bits to the shift column circuit 930 .

Referring to the block diagram of the enhanced look-up table circuit 1430 #i shown in FIG. 15 , i is a positive integer ranging from 0 to 15. The search circuit 1510 converts the input byte S' ⁽ⁱⁿ⁾ into a byte S' ^(out) according to the above-mentioned lookup table. Substitution Check Circuitry (Substitution Check Circuitry) 1530 receives converted 1 byte S' ^(out) from search circuit 1510, and uses the formula corresponding to the look-up table to judge that S' ⁽ⁱⁿ⁾ is converted to S' ^(out) whether an error occurred during the process. If an error is found, the substitution check circuit 1530 outputs a non-linear error signal err_nl_i=1.

Refer to the block diagram of the alternative verification circuit 1530 shown in FIG. 16 . Calculation circuit 1610 obtains converted bytes S' ^(out) _i from search circuit 1510, calculates Affine(S' ^(out) _i ) ^-1 , Affine () ^-1 represents the inverse function of Affine conversion, and calculates the result Output to multiplier 1630 and comparator 1650. The multiplier 1630 multiplies S' ⁽ⁱⁿ⁾ by Affine(S' ^(out) _i ) ^-1 to generate S' ^(mul) _i . The comparator 1650 implements the following logical operation formula to generate a judgment result: err_nl_i=0, if(S' ^(mul) _i ==1)&&(S' ⁽ⁱⁿ⁾ _i !=0)&&(Affine(S' ^(out) _i ) ^-1 !=0)

err_nl_i=0,if(S' ^(mul) _i ==0)&&(S' ⁽ⁱⁿ⁾ _i ==0)&&(Affine(S' ^(out) _i ) ^-1 ==0)

err_nl_i=1, otherwise when err_nl_i is equal to 1, it means a non-linear error signal occurs.

The data register 912, the search circuit 1510, the column shift circuit 930, the mixed row circuit 940, the multiplexer 980 and the adding round key circuit 950 can be regarded as an AES encoding circuit. The parity code register 914, the substitution check circuit 1530, the parity check circuit 960, and the parity prediction circuit 970 may be considered as error checking circuits.

Refer to the block diagram of the AES key scheduling circuit 830 shown in FIG. 17 . The key division circuit 1750 divides the 256-bit basic key K ₀ into two keys K#0 and K#1, and the length of each key word is 128 bits, which is the same as the length of an individual. The Key Parity Generation Circuit (Key Parity Generation Circuitry) 1742 includes a plurality of exclusive OR gates, arranged to generate parity bits in the small key as shown in Figure 7 according to the received key K#0 R ₀ to R ₁₅ (collectively referred to as R#0), and the 9-bit parity across the small key V ₀ to V ₃ (collectively referred to as V#0), and the parity bit R# in the small key 0 and cross key parity 9 bits V#0 are stored to register 1752. The key parity code generating circuit 1744 includes a plurality of exclusive OR gates, arranged to generate parity bits R ₁₆ to R ₃₁ ( can be collectively referred to as R#1), and the 9-bit parity across small keys V ₄ to V ₇ (collectively referred to as V#1), and the parity bit R#1 in the small key and the parity across small keys The parity 9-bit V#1 is stored in register 1754. The registers 1752 and 1754 can also be called current cycle parity registers (Current Cycle Parity Registers).

Key parity check circuits (Key Parity Check Circuitry) 1762 and 1764 respectively check whether an error occurs in the generation of keys K#0 and K#1. The key parity check circuit 1762 obtains the key K#0 from the key split circuit 1750, and obtains the parity bit R#0 within the small key corresponding to the key K#0 and the parity across small keys from the register 1752. Check 9 bits V#0. The key parity check circuit 1762 judges whether the key K#0 matches the parity bit R#0 in the small key, and if not, sends a key error signal err_kc=1. The key parity check circuit 1762 also judges whether the key K#0, the parity bit R#0 in the small key and the 9-bit parity V#0 across the small key match, if not, then Issue key error signal err_kc=1. The key parity check circuit 1764 obtains the key K#1 from the key split circuit 1750, and obtains the parity bit R#1 within the small key corresponding to the key K#1 and the parity across small keys from the register 1754. Check 9 bits V#1. The key parity check circuit 1764 judges whether the key K#1 matches the parity bit R#1 in the small key, and if not, sends a key error signal err_kd=1. The key parity check circuit 1764 also judges the key K#1, the parity bit R#1 within the small key and the cross small key Whether the 9-bit V#1 of the parity check matches, if not, a key error signal err_kd=1 is issued. The key error signal err_kc=1 or err_kd=1 can trigger the processing unit 134 to execute any management procedures in response to AES key errors.

The key division circuit 1710 divides the 256-bit basic key K ₀ into 8 key words (Word) W _0,0 to W _0,3 and W _1,0 to W _1,3 , each key word The length is 4 bytes, and 8 keys are stored in register 1712. The key word processing circuit 1720 generates an intermediate operation result of a key word according to the last key word W _1,3 , and this operation result is used to perform bit-by _- bit logical exclusive OR operation (Bitwise Logical XOR Operation) to generate the first key word W _2,0 of key K#2. In addition to generating the intermediate operation result, the key word processing circuit 1720 can also check whether an error occurs in the generation process of the intermediate operation result. If yes, the key word processing circuit 1720 outputs a key error signal err_ka=1. The key error signal err_ka=1 can trigger the processing unit 134 to execute any management procedures in response to AES key errors.

Refer to the block diagram of the key word processing circuit 1720 shown in FIG. 18 . The key word segmentation circuit 1810 reads the last key word W _1,3 from the register 1712 and divides it into 4 small keys, each of which is 1 byte. Rotate-Word Circuit (Rotate-Word Circuitry) 1820 cyclically shifts the 4 small keys to the left by 1 small key. Substitute-Word Circuitry (Substitute-Word Circuitry) 1830 replaces the value of each shifted small key with another value according to a lookup table (also called Rijndael S-box), wherein the lookup table is established using the following formula: SB _i =Affine((i) ^-1 ), for i=0~127 SB _i represents the output result of i, Affine() represents the Affine conversion function, and i is a positive integer from 0 to 127. In addition to converting the value of each input byte, the substitution key circuit 1830 also checks whether the conversion result is correct.

Referring to the block diagram of the replacement key circuit 1830 shown in FIG. 19 . Each of the enhanced look-up table circuits 1930#0 to 1930#3 completes the replacement operation of the value of the corresponding byte group, and judges whether the operation is correct. If any one of the enhanced look-up table circuits 1930#0 to 1930#3 finds this operation error, then output the look-up table error signal err_w_i=1, i is 0 to 3 positive integer of . As long as any enhanced table look-up circuit outputs the table look-up error signal err_w_i, the substitute key circuit 1830 outputs the key error signal err_ka=1 to the processing unit 134, so that the processing unit 134 executes any management procedures for AES encryption errors. Since the enhanced look-up table circuit 1930#0 to 1930#3 has any circuit structure, function and operation details similar to the enhanced look-up table circuit 1430#i, so the reader can refer to the description of Fig. 15 and Fig. 16, for seeking Concise and no more details.

Referring back to FIG. 18 , the round-constant circuit (Round-Constant Circuitry) 1840 performs a bitwise exclusive OR (XOR) operation on the key word w#0 ⁽ⁱⁿ⁾ and the constant C. Refer to the schematic diagram of the truncation constant circuit 1840 shown in FIG. 20 . The XOR gate 2010 is set to perform a logical exclusive OR operation between each bit of the key word w#0 ⁽ⁱⁿ⁾ and the corresponding bit of the constant C.

The word concatenation circuit (Word Concatenation Circuitry) 1850 obtains 4 small keys w#0 to w#3 from the rounding constant circuit 1840, merges the small keys w#0 to w#3 into a complete key word W ^(out) , and Output key word W ^(out) to exclusive OR gate 1725 .

The key word parity generation circuit (Word Parity Generation Circuitry) 1860 includes a small-key intra-key parity generation circuit and an inter-small-key parity generation circuit. The parity generation circuit in the keylet includes a plurality of exclusive OR gates arranged to generate 4 parity bits rt1 in the keylet according to the keylets w#0 to w#3 received from the substitute key word circuit 1830 ₀ to rt1 ₃ . The cross-keylet parity generation circuit comprises a plurality of exclusive OR gates arranged to generate 1 cross-keylet parity byte according to the keylets w#0 to w#3 received from the substitute key word circuit 1830 vt1 _0..7 .

rt1₀ ^(out)代表計算後的第0個小鑰內奇偶校驗位元，rt1₀ ⁽ⁱⁿ⁾代表從鑰字奇偶校驗產生電路1860接收到的第0個小鑰內奇偶校驗位元，C_i代表捨去常數電路1840中使用的常數C中的第i個位元。此外，小鑰內奇偶校驗預測電路直接輸出從鑰字奇偶校驗產生電路1860接收到的小鑰內奇偶校驗位元rt1₁至rt1₃到鑰字跨奇偶校驗預測電路1880和密鑰奇偶校驗預測電路1772。跨小鑰奇偶校驗預測電路使用以下公式預測跨小鑰奇偶校驗位元組，並且輸出到鑰字奇偶校驗9位元合併電路(Word Parity 9-bit Concatenation Circuit)1890：vt1_0..7 ^(out)=vt1_0..7 ⁽ⁱⁿ⁾+C vt1_0..7 ^(out)代表輸出的跨小鑰奇偶校驗位元組，vt1_0..7 ⁽ⁱⁿ⁾代表從鑰字奇偶校驗產生電路1860接收到的跨小鑰奇偶校驗位元組，C代表捨去常數電路1840中使用的常數。 The key word parity prediction circuit (Word Parity Prediction Circuit) 1870 includes a parity prediction circuit within a small key and a parity prediction circuit across small keys. The parity prediction circuit in the small key uses the following formula to predict the parity bit rt1 ₀ ^(out) in the small key, and outputs to the word cross-parity prediction circuit (Word Cross-parity Prediction Circuit) 1880 and the key parity Check prediction circuit (Key Parity Prediction Circuit) 1772:

rt1 ₀ ^(out) represents the calculated parity bit in the 0th small key, and rt1 ₀ ⁽ⁱⁿ⁾ represents the parity bit in the 0th small key received from the key word parity generation circuit 1860 , C _i represents the ith bit of the constant C used in the rounding constant circuit 1840 . In addition, the parity prediction circuit in the small key directly outputs the parity bits rt1 ₁ to rt1 ₃ in the small key received from the parity generation circuit 1860 to the inter-key parity prediction circuit 1880 and the key Parity prediction circuit 1772. The cross-small-key parity prediction circuit uses the following formula to predict cross-small-key parity bytes, and outputs to the word parity 9-bit merging circuit (Word Parity 9-bit Concatenation Circuit) 1890: vt1 _{0.. 7} ^(out) =vt1 _0..7 ⁽ⁱⁿ⁾ +C vt1 _0..7 ^(out) represents the output cross-key parity bytes, vt1 _0..7 ⁽ⁱⁿ⁾ represents the slave key parity C represents the constant used in the truncation constant circuit 1840.

vt1₈代表跨小鑰奇偶校驗9位元vt的最後一個位元，rt1_i代表第i個小鑰內奇偶校驗位元。 The key word cross-parity prediction circuit 1880 uses the following formula to calculate the last bit of the cross-small key parity 9-bit vt:

vt1 ₈ represents the last bit of the 9-bit parity across the small key vt, and rt1 _i represents the parity bit in the ith small key.

The key word parity check 9-bit merging circuit 1890 combines the calculation result vt1 _0..7 of the key word parity check prediction circuit 1870 with the calculation result vt1 ₈ of the key word cross parity check prediction circuit 1880 to become the cross key word parity The 9 bits vt1 _0..8 are checked and output to the key parity circuit 1772.

Referring back to FIG. 17, the key word processing circuit 1730 generates an intermediate operation result of a key word according to the operation result of the exclusive OR gate 1727 (that is, the key word W _2,3 ), and this operation result is used to combine the key word W _{1, 0} to perform a bit-by-bit logical exclusive OR operation to generate the first key word W _3,0 of the key K#3. In addition to generating the intermediate operation result, the key word processing circuit 1730 can also check whether an error occurs in the generation process of the intermediate operation result. If yes, the key word processing circuit 1730 outputs a key error signal err_kb=1. The key error signal err_kb=1 can trigger the processing unit 134 to execute any management procedures in response to AES key errors.

Refer to the block diagram of the key word processing circuit 1730 shown in FIG. 21 . The key word segmentation circuit 2110 reads the operation result (that is, the key word W _2,3 ) from the exclusive OR gate 1727 and divides it into 4 bytes. The substitution key word circuit 2130 replaces the value of each byte with another value according to a look-up table, wherein the look-up table is established using the following formula: SB _i =Affine((i) ^-1 ), for i=0~127 SB _i represents the output result of i, Affine() represents the Affine conversion function, and i is a positive integer from 0 to 127. In addition to converting the value of each input byte, the substitution key circuit 2130 also checks whether the conversion result is correct. Since the circuit structure, function and operation results of the substitution key circuit 2130 are similar to those of the substitution key circuit 1830, readers may refer to the descriptions in FIG. 15, FIG. 16 and FIG. 19, and will not repeat them for simplicity. As long as any enhanced look-up table circuit in the replacement key circuit 2130 outputs the table look-up error signal err_w_i, the replacement key circuit 2130 outputs the key error signal err_kb=1 to the processing unit 134, so that the processing unit 134 executes any corresponding AES encryption Faulty hypervisor.

The key combination circuit 2150 obtains the substituted four small keys w#0 to w#3 from the replacement key circuit 2130, merges the small keys w#0 to w#3 into a complete key W ^(out) , and outputs the key Word W ^(out) to exclusive OR gate 1729.

The key word parity generation circuit 2160 includes an intra-key parity generation circuit and an inter-small-key parity generation circuit. The parity generation circuit in the small key comprises a plurality of exclusive OR gates, arranged to generate the corresponding small keys w#0 to w#3 according to the small keys w#0 to w#3 received from the substitute key word circuit 2130 The parity bits rt2 ₀ to rt2 ₃ in the four keylets. The parity bits rt2 ₀ to rt2 ₃ in the four small keys are output to the key cross parity prediction circuit 2180 and the key parity prediction circuit 1774 . The cross-key parity generation circuit comprises a plurality of exclusive OR gates arranged to generate corresponding keylets w#0 to w#3 according to the keylets w#0 to w#3 received from the substitute key word circuit 2130 A cross-key parity byte vt2 _0..7 (that is, the 8th bit of the cross-key parity 9-bit vt2 is missing). This cross-key parity byte vt2 _0..7 is output to the key word parity 9-bit merge circuit 2190 .

vt2₈代表相應於小鑰w#0至w#3的一個跨小鑰奇偶校驗9位元的最後一個位元，rt2_i代表相應於小鑰w#i的小鑰內奇偶校驗位元。 The key word cross-parity prediction circuit 2180 uses the following formula to calculate the last bit of the 9 bits of parity across small keys corresponding to small keys w#0 to w#3:

vt2 ₈ represents the last bit of a 9-bit cross-key parity corresponding to key w#0 to w#3, and rt2 _i represents the parity bit within the key corresponding to key w#i .

The key word parity 9-bit merging circuit 2190 combines the calculation result vt2 _0..7 of the key word parity generation circuit 2160 with the calculation result vt2 ₈ of the key word cross parity prediction circuit 2180, as the cross key word parity Check 9 bits vt2 _0..8 and output to key parity prediction circuit 1774.

Referring back to FIG. 17, the Key Parity Prediction Circuit (Key Parity Prediction Circuit) 1772 includes a plurality of adders, arranged to use the following formula to calculate the parity bit R# in the small key corresponding to the key K#2 2 ₀ to R#2 ₁₅ : R#2 _i =rt1 _i +R#0 _i , for i=0~3

R#2 _i =R#2 _i-4 +R#0 _i , for i=4~15 R#2 _i represents the parity bit in the i-th small key corresponding to the key K#2, rt1 _i Represents the parity bit in the i-th small key obtained from the key word processing circuit 1720, R#0 _i represents the parity bit in the i-th small key corresponding to the key K#0 read from the register 1752 R#2 _i-4 represents the parity bit in the i-4th small key corresponding to the key K#2 read from the register 1752. The key parity prediction circuit 1772 further includes a plurality of adders arranged to calculate the 9-bit parity across small keys V#2 ₀ to V#2 ₃ corresponding to the key K#2 using the following formula: V #2 _i =vt1+V#0 _i , for i=0

V#2 _i =V#2 _i-1 +V#0 _i , for i=1~3 V#2 _i represents the 9-bit cross-key parity corresponding to key K#2, vt1 Represent the 9-bit cross-key parity obtained from the key word processing circuit 1720, and V#0 _i represents the i-th cross-key parity 9-bit corresponding to the key K#0 read from the register 1752 , V#2 _i-1 represents the i-1 th cross-key parity 9 bits read from the register 1752 corresponding to the key K#2. The key parity prediction circuit 1772 stores the prediction results R#2, V#2 into the register 1782 for checking by the key parity check circuit 1762 in the next iteration.

The key parity prediction circuit 1774 comprises a plurality of adders arranged to calculate the parity bits R#3 ₀ to R#3 ₁₅ within the keylet corresponding to the key K#3 using the following formula: R#3 _i =rt2 _i +R#1 _i ,for i=0~3

R#3 _i =R#3 _i-4 +R#1 _i , for i=4~15 R#3 _i represents the parity bit in the i-th small key corresponding to the key K#3, rt2 _i Represent the parity bit in the i-th small key obtained from the key word processing circuit 1730, R#1 _i represents the parity bit in the i-th small key corresponding to the key K#1 read from the register 1754 R#3 _i-4 represents the parity bit in the i-4th small key corresponding to the key K#3 read from the register 1754. The key parity prediction circuit 1774 further includes a plurality of adders arranged to calculate the 9-bit cross-small-key parity V#3 ₀ to V#3 ₃ corresponding to the key K#3 using the following formula: V #3 _i =vt2+V#1 _i , for i=0

V#3 _i =V#3 _i-1 +V#1 _i , for i=1~3 V#3 _i represents the 9-bit cross-key parity corresponding to key K#3, vt2 Represent the 9-bit cross-key parity obtained from the key word processing circuit 1730, and V#1 _i represents the i-th cross-key parity 9-bit corresponding to the key K#1 read from the register 1754 , V#3 _i-1 represents the i-1 th cross-key parity 9 bits read from the register 1754 corresponding to the key K#3. The key parity prediction circuit 1774 stores the prediction results R#3, V#3 into the register 1784 for checking by the key parity check circuit 1764 in the next iteration.

Although Fig. 17 only describes the generation of keys K#2 and K#3 and the error detection of the generation process, but because keys K#2 and K#3 are the keys K#4 and K#5 are generated The key used (that is, the key used in the next iteration), and so on, those skilled in the art can refer to the above technical content to deduce the generation of other round keys and the error detection of the generation process.

In some embodiments, registers 1712 and 1714 may be physically distinct registers. In other embodiments, the registers 1712 and 1714 may refer to the same register, but store the base key and the subsequently generated round key sequentially in a specified time sequence.

In some embodiments, registers 1752 and 1782 may be physically distinct registers. In other embodiments, registers 1752 and 1782 may refer to the same register, but sequentially store the first intra-keylet parity bit R#0 and the cross-keylet parity 9 bits sequentially in a specified time order V#0, as well as the parity bits within the small key and the 9 bits of parity across small keys generated subsequently.

In some embodiments, registers 1754 and 1784 may be physically distinct registers. In other embodiments, registers 1754 and 1784 may refer to the same register, but store the second intra-key parity bit R#1 and the cross-key parity 9 bits sequentially in a specified time order V#1, as well as the parity bits within the small key and the 9 bits of parity across small keys generated subsequently.

Although the elements described above are included in FIGS. 1 to 2 , 5 , and 8 to 21 , it is not excluded to use more other additional elements to achieve better technical effects without violating the spirit of the invention.

Although the present invention is described using the above examples, it should be noted that these descriptions are not intended to limit the present invention. On the contrary, the invention covers modifications and similar arrangements obvious to those skilled in the art. Therefore, the claims of the application must be interpreted in the broadest manner to include all obvious modifications and similar arrangements.

810: AES data processing circuit

813: encoding circuit

815: Coding error checking circuit

830: AES key scheduling circuit

833: key generation circuit

835: key error check circuit

850: OR gate

870:Controller

Claims (13)

An error detection device for data encryption, comprising: a key generation circuit, configured to implement an extended key operation in an encryption algorithm, for generating a plurality of round keys using a basic key, wherein the encryption algorithm uses one of said round keys encodes plaintext or an intermediate encryption result in a corresponding round; and a key error checking circuit, coupled to said key generation circuit, arranged to predict the redundancy corresponding to each of said round keys and sending an error signal to the processing unit when any mismatch between the round key and the corresponding redundant data is found at a specified intermediate point in the process of expanding the key. The error detection device for data encryption according to claim 1, wherein the encryption algorithm includes an initial round, a plurality of intermediate rounds, and a final round; the initial round performs a round key operation; each of the an intermediate round sequentially performs the substitution byte operation, the shift column operation, the mixed row operation, and the add round key operation; and the final round performs the substitution byte operation, the shift column operation, and the Plus round key operations. The error detection device for data encryption according to claim 2, wherein the basic key is 256 bits. The error detection device for data encryption according to claim 1, wherein the round key is divided into 16 small keys and organized as a 4x4 byte array, and each small key is 1 byte; said redundant data includes intra-keylet parity bits corresponding to each of said keylets, and 9 bits of cross-keylet parity corresponding to each row; Wherein, when said error checking circuit finds at a specified intermediate point in said key extension process that any of said keylets does not match a parity bit in the corresponding keylet, or finds a keylet corresponding to any row plus When the parity bits within the corresponding four small keys do not match the corresponding nine parity bits across small keys, the error signal is sent to the processing unit. The error detection device for data encryption according to claim 4, wherein the matching between each of the small keys and the parity bits in the corresponding small keys can be expressed by the following formula:

R _i represents the value of the parity bit in the i-th small key, ki _,j represents the value of the j-th bit in the i-th small key, i is a positive integer from 0 to 15, Wherein, the matching between the small key and the parity bit in the small key of each row and the corresponding parity 9 bits across the small key can be expressed by the following formula:

, for j =0~8

, for j =0~8

, for j =0~8

,for j =0~8 V _0,j represents the value of the jth bit of the 0th 9-bit cross-key parity check, V _1,j represents the first 9-bit cross-key parity check V _2,j represents the value of the jth bit of the second cross-key parity 9-bit, V _3,j represents the third cross-key parity 9 The value of the j-th bit of the bit, ki _,j represents the value of the j-th bit in the i-th small key, and j is any integer from 0 to 8. The error detection device for data encryption according to claim 4, wherein the round key is divided into 4 key words, each of which contains 4 small keys, and each of the small keys is 1 Bytes, wherein, the key error checking circuit includes: a key word processing circuit configured to generate 4 intermediate small key inner parity bits and intermediate cross small key parity bits corresponding to the last key word 9 bits; the key parity prediction circuit is set to use the following formula to calculate the parity bit corresponding to the small key in the round key: R#j _i =rt1 _i +R#(j-2 ) _i , for i=0~3 R#j _i =R#j _i-4 +R#(j-2) _i , for i=4~15 R#j _i represents the key corresponding to the jth round key The parity check bit in the i-th small key, rt1 _i represents the parity check bit in the i-th intermediate small key obtained from the key word processing circuit, and R#(j-2) _i represents the parity bit corresponding to the jth - The parity check bit in the i-th small key of the 2 round keys, R#j _i-4 represents the parity check bit in the i-4th small key corresponding to the j-th round key , j is an even number greater than or equal to 2; and use the following formula to calculate the 9-bit parity check corresponding to the round key: V#j _i =vt1+V#(j-2) _i , for i=0 V#j _i =V#j _i-1 +V#(j-2) _i , for i=1~3 V#j _i represents the i-th key corresponding to the j-th round key 9 bits of parity across small keys, vt1 represents the 9 bits of parity across small keys obtained from the key word processing circuit in the middle, and V#(j-2) _i represents the corresponding j-2th The i-th cross-small-key parity check 9-bit of the round key, V#j _i-1 represents the i-1-th cross-small-key parity check 9-bit corresponding to the j-th round key, j is an even number greater than or equal to 2; a key parity check circuit, coupled to the key parity prediction circuit, is configured to find that any of the small keys of the round key do not match the corresponding internal parity When checking bits, or when it is found that the small key corresponding to any row plus the parity bits in the 4 corresponding small keys do not match the 9 bits of parity in the corresponding cross small key, send The error signal is sent to the processing unit. The error detection device for data encryption according to claim 6, wherein the key word processing circuit includes: a rotating key word circuit configured to rotate the four small keys of the last key word to the left Displacing 1 small key; replacing the key word circuit, coupled to the rotating key word circuit, and setting to replace the first value of each shifted small key with the second value according to the look-up table; key word parity check generation circuit, Coupled to the replacement key word circuit, set to generate 4 parity bits in the small key according to the second values of the 4 shifted small keys, and according to the second values of the 4 shifted small keys, The second value generates 1 inter-small key parity byte group; the key word parity prediction circuit, coupled to the key word parity generation circuit, is configured to predict the parity within the 0th intermediate small key using the following formula Check code:

rt1 ₀ ^(out) represents the parity code in the 0th intermediate small key, and rt1 ₀ ⁽ⁱⁿ⁾ represents the parity code in the 0th small key received from the key word parity generation circuit, C _i represents the i-th bit in the constant used in the constant circuit; the parity code in the first to the third small key received from the key word parity generation circuit is regarded as the first 1st to 3rd inter-keylet intra-parity code; use the following formula to predict inter-keylet parity bits: vt1 _0..7 ^(out) =vt1 _0..7 ⁽ⁱⁿ⁾ +C vt1 _0..7 ^(out) represents the middle cross small key parity byte group, vt1 _0..7 ⁽ⁱⁿ⁾ represents the cross small key parity received from the key word parity generating circuit A check bit group, C represents the constant used in the rounding constant circuit; the key word cross parity prediction circuit, coupled to the key word parity prediction circuit, is set to use the following formula to calculate the intermediate The last bit of the 9-bit parity across the small key:

vt1 ₈ represents the last bit of the 9-bit parity check in the intermediate key, rt1 _i represents the parity check bit in the ith intermediate key; and the 9-bit parity merging circuit of the key word , coupled to the key word parity prediction circuit and the key word cross parity prediction circuit, configured to merge the intermediate cross small key parity bits and the intermediate cross small key parity 9 The last bit of the bits becomes the 9 bits of parity in the middle span keylet. The error detection device for data encryption according to claim 4, wherein the round key is divided into 4 key words, each of which contains 4 small keys, and each of the small keys is 1 Bytes, wherein the key error checking circuit includes: a key word processing circuit, configured to generate 4 intermediate small key internal parity bits and intermediate span small bits corresponding to the intermediate operation result of the last key word Key parity 9 bits; key parity prediction circuit, set to use the following formula to calculate the parity bit corresponding to the small key in the round key: R#j _i =rt2 _i +R# (j-2) _i , for i=0~3 R#j _i =R#j _i-4 +R#(j-2) _i , for i=4~15 R#j _i represents the jth The parity bit in the ith small key of the round key, rt2 _i represents the parity bit in the ith intermediate small key obtained from the key word processing circuit, and R#(j-2) _i represents The parity bit in the i-th small key corresponding to the j-2th round key, R#j _i-4 represents the parity in the i-4th small key corresponding to the j-th round key Check bits, j is an odd number greater than or equal to 3; and use the following formula to calculate the 9 bits of parity check corresponding to the round key: V#j _i =vt2+V#( j-2) _i , for i=0 V#j _i =V#j _i-1 +V#(j-2) _i , for i=1~3 V#j _i represents the key corresponding to the jth round The i-th small-key parity check 9-bit, vt2 represents the 9-bit parity check in the middle of the small key obtained from the key word processing circuit, and V#(j-2) _i represents the 9-bit parity corresponding to the first The i-th cross-key parity of j-2 round keys is 9 bits, and V#j _i-1 represents the i-1-th cross-key parity corresponding to the j-th round key 9 bits, j is an odd number greater than or equal to 3; the key parity check circuit, coupled to the key parity prediction circuit, is configured to find that any of the small keys of the round key do not match the When the parity bit in the corresponding body is found, or it is found that the keylet plus the 4 corresponding parity bits in the keylet corresponding to any row does not match the 9 bits of parity in the corresponding cross keylet sending the error signal to the processing unit. The error detection device for data encryption as described in any one of claims 6 and 8, wherein the key word processing circuit includes: a substitute key word circuit, configured to replace the key corresponding to the last key according to the look-up table The first value of each small key of the word is replaced by the second value; the key word parity check generation circuit, coupled to the replacement key word circuit, is set to generate 4 according to the second value of the 4 small keys respectively The parity check bits in the middle small key, and according to the second value of the 4 small keys, generate 1 middle cross small key parity check bit group; the key word cross parity check prediction circuit is coupled to the The key word parity check generation circuit is configured to use the following formula to calculate the last bit of the 9-bit parity check in the middle of the small key:

vt2 ₈ represents the last bit of the 9-bit parity check in the intermediate key, rt2 _i represents the parity check bit in the ith intermediate key; and the 9-bit parity merging circuit of the key word , coupled to the key word parity generation circuit and the key word cross parity prediction circuit, configured to merge the intermediate cross small key parity bits and the intermediate cross small key parity 9 The last bit of the bits becomes the 9 bits of parity in the middle span keylet. An error detection device for data encryption, comprising: a search circuit, configured to convert an input first value of 1 byte corresponding to a round key into a second value according to a look-up table; and a replacement check circuit, coupled Connected to the search circuit, configured to use a formula corresponding to the look-up table to determine whether an error occurs during the conversion of the first value into the second value, and to send an error signal when an error is found. The error detection device for data encryption as described in claim item 10, wherein, the look-up table is established using the following formula: SB _i =Affine((i) ^-1 ) SB _i represents the output result of i, and Affine() represents Affine Conversion function, i is a positive integer from 0 to 127. The error detection device for data encryption according to claim 11, wherein the substitution check circuit includes: a calculation circuit, coupled to the search circuit, configured to obtain the second value, and calculate Affine(S ' ^(out) ) ^-1 to generate a third value, wherein, S' ^(out) represents the second value, Affine () ^-1 represents the inverse function of Affine conversion; a multiplier, coupled to the search circuit and the The calculation circuit is configured to multiply the second value by the third value to generate a fourth value; and a comparator, coupled to the search circuit and the multiplier, is configured to implement the following logical operation formula to generate Judgment result: err_nl=0,if(S' ^(mul) ==1)&&(S' ⁽ⁱⁿ⁾ !=0)&&(Affine(S' ^(out) ) ^-1 !=0) err_nl=0,if (S' ^(mul) ==0)&&(S' ⁽ⁱⁿ⁾ ==0)&&(Affine(S' ^(out) ) ^-1 ==0) err_nl=1, otherwise when err_nl is equal to 1, it means discovery Error, S' ^(mul) represents the fourth value, S' ⁽ⁱⁿ⁾ represents the first value, and S' ^(out) represents the second value. The device for detecting errors in data encryption according to claim 10, wherein the search circuit is configured to perform a key substitution operation in the Advanced Encryption Standard algorithm.

Images