WO2008061395A1 - Aes encryption circuit for data stream executed in desequencing - Google Patents

Info

Publication number: WO2008061395A1
Authority: WO, WIPO (PCT)
Prior art keywords: token, field, key, unit, data
Application number: PCT/CN2006/003151
Other languages: French (fr), Chinese (zh)
Inventor: Yihe Sun, Xiangyu Li
Original Assignee: Tsinghua University
Application filed by Tsinghua University
Priority to PCT/CN2006/003151
Publication of WO2008061395A1

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/06 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols the encryption apparatus using shift registers or memories for block-wise or stream coding, e.g. DES systems or RC4; Hash functions; Pseudorandom sequence generators
    • H04L9/0618 Block ciphers, i.e. encrypting groups of characters of a plain text message using fixed encryption transformation
    • H04L9/0631 Substitution permutation network [SPN], i.e. cipher composed of a number of stages or rounds each involving linear and nonlinear transformations, e.g. AES algorithms
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/002 Countermeasures against attacks on cryptographic mechanisms
    • H04L9/003 Countermeasures against attacks on cryptographic mechanisms for power analysis, e.g. differential power analysis [DPA] or simple power analysis [SPA]
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L2209/00 Additional information or applications relating to cryptographic mechanisms or cryptographic arrangements for secret or secure communication H04L9/00
    • H04L2209/12 Details relating to cryptographic hardware or logic circuitry

Definitions

  • The invention belongs to the field of cryptographic integrated circuits and resistance to differential power analysis attacks. It relates to a circuit that addresses the problem of protecting a cryptographic integrated circuit against differential power analysis attacks, in particular a data stream AES encryption circuit with out-of-order execution.
  • Current technology
  • A power analysis attack is a hardware-oriented attack that analyzes the power consumption (or power supply current) of a circuit while it processes data in order to obtain information about that data.
  • The most common form, the differential power analysis attack, performs statistical hypothesis testing on multiple samples of the operating power consumption curve to find the most likely value of the key.
  • Making the execution time of each operation of the circuit random is one of the important ways to combat differential power analysis.
  • The existing timing randomization methods are divided into two types: random delay insertion and out-of-order execution.
  • Soc "Instruction Stream Variation for Uncertain Processors" introduces an "indeterminate processor" technique. Both of these techniques are applied to general-purpose cryptographic processors.
  • The "random register renaming technique" introduces random selection only in the register renaming process; the uncertainty processor mines the instruction-level parallelism inside the program and executes the instructions that can run in parallel in random order. The former introduces uncertainty only locally, while the uncertainty of the latter is limited to adjacent instructions and is constrained by the description of the original program.
  • The data stream out-of-order execution technique of the present invention is applicable to an ASIC chip.
  • The data stream mode is an operation mode that performs operations according to data dependencies.
  • The data flow mode adopts distributed control, so the load capacitance of the internal bus is small. According to the formula for the power consumption difference, ⁇ - ⁇ - 2 ) C 2 , the power consumption difference is proportional to the load capacitance, so a small load capacitance helps reduce the power consumption difference.
  • The power consumption of the integrated circuit is related to the processed data.
  • When a bit (b) in the data takes the value 0 or 1, the power consumption distribution at each moment is different; the two cases are described by the random processes P0(t) and P1(t), where t represents time.
  • DPA uses a test of means to determine whether a power consumption curve sample belongs to P0(t) or P1(t).
  • the power consumption contains noise. According to the DPA theory, the number of samples required to determine the correctness should satisfy:
  • the power consumption difference becomes i3 ⁇ 4 times the original, and accordingly, the number of samples is increased by a factor of two. Therefore
  • Out-of-order execution can increase the cost of DPA attacks, and the higher the uncertainty, the smaller the ⁇ , the larger the number of samples required.
  • A data flow pattern is a computational mode that has no control flow and no execution order restrictions other than data dependencies. It encapsulates the processed data into tokens.
  • A token is a fixed-length binary string that conforms to a certain format, each field of which has a specific meaning. For example, the following token contains three fields: data field, source address, and destination address. Their positions in the token are agreed: the lower 32 bits are the data field; bits 37 to 35 and bits 34 to 32 are the 3-bit target address and source address, respectively.
  • The data flow circuit implements the operations of the algorithm and the passing of tokens between those operations.
  • When all the input tokens of an operation have arrived (that is, the operations on which it depends have been executed), the operation can be "activated": it starts processing the data and packages the result into a new token that is passed to the successor operation.
  • Control information is also communicated through tokens. For example, the data addresses in the example indicate the source of the data and the destination to which it should be sent after processing; some control commands are also encapsulated into tokens (control tokens) that are passed to the controlled operation.
  • The data stream circuit has no central control circuit, and data exchange is local. Accordingly, the data bus and the storage units are also distributed.
  • The triggering of a data operation is conditional on whether its operand tokens have all arrived, so it is a data-driven asynchronous operation. Operations without data dependencies have no effect on each other and naturally execute in parallel.
  • Data stream computation is parallel, functional (that is, each operation is relatively independent, and unrelated operations can be performed in any order), distributed, and asynchronous.
  • In an asynchronous circuit system, the parts of the circuit are connected through an asynchronous communication interface, called an asynchronous transmission channel.
  • The interface between the transmission channel and the outside is called a channel port, which is an abstraction of a set of signals: it consists of a set of data buses and request and response signals.
  • An asynchronous transfer channel includes data latches and the control terminals of the latches, as shown in Figure 1. It works according to a communication protocol called a "handshake protocol":
  • An asynchronous integrated circuit has no clock, and the handshake protocol contains two types of control signals: a request signal and an acknowledge signal.
  • The request signal initiates a job and the response signal indicates that the job is complete. These two signals provide the timing control of all the operations in the system.
  • To implement the handshake signals in a circuit, it is necessary to encode the alternating request and response signals into levels or level changes on the control lines.
  • The following is a typical 4-phase handshake protocol (see Figure 2):
  • The rising edge of the request signal informs the receiver that data has arrived. When the receiver is ready to accept the data it raises the response signal, indicating that it is ready and starts reading the data at the same time. The request signal is then reset by the response signal, and the falling edge of the request signal in turn resets the response signal, leaving the channel ready to accept the next data.
  • The data on the transfer channel is stored in a latch. (The latch has a control terminal. When the control terminal is low, the output changes with the input. When the control terminal is high, the output data remains unchanged.)
  • In the asynchronous transmission channel of the 4-phase handshake, the control terminal of the latch is connected to the response signal; that is, the sender's data is latched when the response signal is raised, and data at the input can be accepted again after the communication process ends.
  • In asynchronous circuits, a timing control circuit called a C unit is often used. This circuit has 2 inputs and 1 output, and generally has a reset terminal. When both inputs are 1, the output is 1; Both inputs are all
  • Anti-DPA security based on streaming and cryptographic chips
  • The data flow mode does not explicitly define the execution order, so the execution order has maximum flexibility. Functionality makes out-of-order execution more convenient. The load of the distributed bus is small, and the corresponding power consumption characteristics are small. Asynchrony makes the data stream mode easier to implement in asynchronous circuits, and Simon Moore's paper "Balanced Self-Checking Asynchronous Logic for Smart Card Applications" discusses the advantages of asynchronous circuits in implementing cryptographic chips. Therefore, the present invention uses the above features of the data stream mode to implement AES as a data stream integrated circuit.
  • AES is the new Advanced Encryption Standard specification developed by the National Institute of Standards and Technology (NIST). Public solicitation for this standard began in 1997, to replace DES. In 2002, it was finally determined to adopt the Rijndael algorithm with a 128-bit plaintext block length, which supports three key lengths: 128 bits, 192 bits, and 256 bits.
  • The present invention can implement the AES encryption algorithm for all three key lengths.
  • The Rijndael algorithm supports block lengths of any multiple of 32 bits between 128 bits and 256 bits, but the AES standard only supports a 128-bit plaintext length with 128, 192 or 256-bit key lengths.
  • The operations of the AES algorithm are defined on the finite field GF(2^8).
  • GF(2^8) refers to the set of values from (00)_16 to (FF)_16 together with the addition and multiplication defined on it.
  • GF(2^8) addition is an exclusive OR (XOR) operation.
  • A column of the state is called a "status word."
  • The cryptographic key is a 4×Nk matrix; the values of Nk allowed by the AES standard are 4, 6, and 8, and its columns (4 bytes each) are called "key words."
  • The status word and the key word are the basic units of operation in the invention; that is, the data field of each token consists of a status word or a key word, and these two types of tokens are referred to as status tokens and key tokens respectively.
  • All transformations of the Rijndael algorithm are state-based transformations.
  • The AES transformation is implemented by multiple iterations of the round function, and the number of iterations depends on the length of the key.
  • The number of iteration rounds is denoted by Nr; Nk equal to 4, 6, and 8 corresponds to Nr equal to 10, 12, and 14, respectively.
  • The byte substitution operation is a reversible non-linear byte substitution. It is performed on each byte in the block, and the substitution follows a table, the S box. For a byte, take the first 4 bits as the x coordinate and the last 4 bits as the y coordinate to find the corresponding item in the S box, which replaces the original data. This is what Srd ⁇ does.
  • the contents of the S box are as follows:
  • The column mix replaces a column status word with the value obtained by multiplying a constant matrix by the status word.
  • The transformation relationship is expressed in the form of a matrix operation as shown in Equation 1.
  • ⁇ , ⁇ 2 which are the bytes of the 0th row to the 3rd row in turn; the 4 bytes of the obtained result are b0, b1, b2, b3 in order.
  • Key expansion is the process of extending an initial cryptographic key into round keys.
  • The extended keys are arranged in an extended order.
  • The Rijndael algorithm requires 4×4 round key bytes per round. Each column of 4 bytes is called an extended key word; the round key of the i-th round is given by columns 4i to 4(i+1)-1 of the extended key sequence, and the total number of extended key words is 4(Nr+1).
  • The key extension function depends on the value of Nk:
  • The first Nk columns of the extended key sequence are the cryptographic key (or initial key), and the subsequent columns are determined recursively from the previous columns. The recursive function depends on the position of the column.
  • When i is not a multiple of Nk, column i is the bitwise XOR of column i-Nk and column i-1; otherwise, column i is the bitwise XOR of column i-Nk and a nonlinear function (represented by the letter f) of column i-1.
  • This non-linear function can be implemented in the following way: Srd is applied to the 4 bytes of the column, a cyclic shift of the bytes in the column is applied, and a round constant is added. This round constant is independent of Nk and is defined by a recursion rule in GF(2^8) -
  • The multiplication by 2 here is also an operation in the finite field GF(2^8).
  • Column i is also the bitwise XOR of column i-Nk and a nonlinear function of column i-1.
  • This nonlinear function applies Srd to the 4 bytes of the column; it is indicated by the letter g.
  • the content of the data stream calculation is the processing of the token, including the creation (transmission), parsing, processing, and temporary storage of the token and the matching of the tokens.
  • the tokens of each operand often do not arrive at the same time, so a temporary storage unit is needed to temporarily store the arrived token, and then "match" all the arrived tokens.
  • the (or more) ready operand tokens are packaged into new tokens that are transmitted to the processing unit.
  • the present invention employs a new circuit for token matching, referred to as a token temporary-match-transmit structure, represented by HMF.
  • the out-of-order execution control is implemented in the HMF structure.
  • the circuit randomly selects one of them for transmission; if only one token or group of tokens is successfully matched, that token or group is sent.
  • Each arithmetic unit and the ciphertext output unit in the present invention has its own temporary storage-matching-emission structure.
  • the key expansion can be iteratively implemented using the arithmetic structure shown in FIG.
  • This structure contains continuous XOR operations and nonlinear transformations f and g, we will lose 5
  • The continuous XOR operation of the -4 output is implemented by the circuit shown in Figure 8 and is named the KeySch operation, where k3, k2, k1, k0 and f are the input key words and y3, y2, y1, y0 are the output key words.
  • The specific implementation algorithm for the different values of Nk is shown in Figure 9, where the operations marked with * are those that start each iteration.
  • The result of the segment KeySch calculation is taken as the low segment of the new packet.
  • In this document, the extended key word used to generate an intermediate key word is named the transformed key word.
  • The transformed key words used to generate f and g are transformed key word 1 and transformed key word 2 respectively.
  • the nonlinear transformation of the key extension is also performed in the round function execution unit, and the Srd operation unit is shared.
  • the token processing flow of the above key expansion method is as shown in FIG. 10a. After the initial key is saved to the cache unit, it is checked first. If the key is found, it is forwarded to the "round transform loop", and after the corresponding nonlinear transformation, f or g, the result is written to the key. Intermediate key word unit in the memory. On the other hand, in the key conversion ring, the tokens in the key buffer are repeatedly checked, and the token group to be executed by the KeySch operation is subjected to a KeySch operation, and the result is written back to the corresponding address of the key buffer unit. If it is found that the key expansion has been completed, the stop condition is that the token round of the round change ring reaches the last round.
  • the processing flow of the state token in the present invention is as shown in Fig. 10b.
  • A list of tokens first performs an AddKey operation with the corresponding round key sequence, and then the round of the resulting token is checked. If the round is equal to Nr, the token data is cached in the output buffer unit; when the output buffer unit is full, the operation ends. If the round is less than Nr, it is checked whether the tokens that have completed the AddKey operation can constitute a new token for the MixCol operation (as known from the AES algorithm, the MixCol operation on one column of the state depends on the AddKey results of 4 columns). If the match is successful, the relevant 4 status bytes are repackaged into a new status word token, and the Srd and MixCol operations are performed in sequence. The addresses of the four status words are reversed according to their relationship in the same column after ShiftRow, so the token being sent is the result of ShiftRow. For tokens of the last round, only the Srd operation is performed. The resulting state after the round transformation is returned to the status token temporary storage unit, and a new round of calculation is started.
  • Summary of the invention
  • the present invention is a data stream mode AES encryption integrated circuit structure with out-of-order execution characteristics and capable of resisting differential power analysis attacks. This structure processes one data packet at a time, and the next packet can be processed after the previous packet is processed.
  • the data stream AES encryption circuit of the out-of-order execution of the present invention is mainly characterized in that the circuit structure is implemented on a data stream encryption application specific integrated circuit, and the circuit structure complies with the advanced data encryption standard using the Rijndael algorithm as the final algorithm. Recorded as AES, using the data stream mode to achieve out-of-order encryption, the circuit structure contains:
  • The transmission channel is the data transmission interface between two components.
  • The transmitted data is the correspondingly numbered token. The channel includes a token input data bus, a data output bus, input request and response signals, and output request and response signals; the interface between the transmission channel and the outside is a channel port;
  • the input unit is an interface between the chip core and the external, and realizes the function of inputting the plaintext and the key according to the timing required by the protocol and sending the plaintext to the kernel part through the 4# transmission channel, and writing the key into the initial key memory.
  • the reset signal InterR S t_ and the initial key placement signal load required for each unit of the kernel in the circuit structure are generated;
  • The token transmitted by the 4# channel is named token 4 and includes a 32-bit data field and a 2-bit column field;
  • c. Channel switching unit Switch is a switch with 2 transmission channel inputs and 2 transmission channel outputs; in addition it receives the input signal WK from the working status register. When WK), the channel switching unit is in the idle state; after receiving the plaintext data sent by the input unit via the 4# channel, it repackages the data into a status word token and sends it to the 5# channel. The token transmitted by the 5# channel is named token 5 and includes a 32-bit data field, a 4-bit color field representing the round, and a 2-bit address field.
  • The data field of token 5 directly copies the data field of token 4, token 5
  • the token is repackaged into a token and sent to the 5# channel, and the key token is repackaged into a token and sent to channel 6; the token transmitted by the 3# channel is named token 3 and includes a 1-bit attribute field and a 32-bit data field. When the attribute field is equal to 0, it is a status word token, which also includes a 1-bit operator field, a 2-bit column field, and a 4-bit color field. When packaged into token 5, the data field directly copies the data field of token 3, the color field directly copies the color field of token 3, and the address field directly copies the column field of token 3. When the attribute field of token 3 is equal to 1, it is a key word token, which also includes a 1-bit fadd bit and 6 bits of data that are not of interest.
  • The token sent to the 6# channel, named token 6, is the intermediate key word token described below; it includes a 32-bit data field and a 1-bit address field. When packaged into token 6, the data field of token 3 is directly copied to the data field of token 6, and the fadd field is copied to token 6.
  • The initial key storage is a 256-bit register set that receives a clock signal and the input cryptographic key data from the input unit, directly receiving the cryptographic key from the input unit;
  • e. AK temporary storage unit, which is a temporary storage unit for tokens waiting to be executed, including a key word memory, a state word memory and a token parsing and packing circuit. The key word memory has 8 key word storage units, 2 intermediate key word storage units, two 5-bit internal memories, BLOCKH and BLOCKL, and a 2-bit state register KES. The key word storage area has a 3-bit address; its address space in binary is 000-111, and it stores in order the extended key words whose sequence number modulo the key group number Nk equals 0-7; the high segment is 100-111.
  • Each storage record includes a 32-bit data field, a round conversion flag bit, and an extension flag bit;
  • The data stored in the unit of the key word memory whose address equals Nk-1 is called transform key word 1. When Nk is not equal to 4, the record data whose address equals 3 is called transform key word 2; when Nk is equal to 4, transform key word 2 is the record data whose address equals 7;
  • The state word storage area has a 2-bit address; its address space in binary is 00-11, and it stores columns 0-3 of the state in order; each record includes a 32-bit data field and a 4-bit color field;
  • The intermediate key word storage area has the address space 0-1 and stores in order the intermediate key words from channel port 6, each of which is a calculation result of a nonlinear function defined in the AES key expansion algorithm; each storage record includes a 32-bit data field;
  • Each memory location of the temporary memory location of the memory and intermediate key word memory area corresponds to a "full/empty" flag. When the cell is written, the flag is set to 1, indicating full; after the data is read, the flag is set to 0, indicating empty. The "full/empty" flag of each memory location of the key word memory is set to 1 when the unit's round conversion bit and extension bit are both equal to 0, and is set to 0, indicating empty, when both bits are equal to 1. BLOCKH stores the "packet value" of the high segment key words and BLOCKL stores the "packet value" of the low segment key words. The "packet value" is the sequence number of the group obtained after the extended key sequence of all rounds is divided into groups of Nk; the extended key is expanded from the initial key and its total length is 4(Nr+1), where Nr is the number of iteration rounds;
  • The AK register unit has three input channel ports: the channel 5 port receives token 5 and writes it to the state word storage area; the address written is the value of the address field of token 5, and the data field and the color field of the status word record are equal to the data
  • the key word area, the write address is the value of the address field of the token 6, and the data field of the written record is equal to the data field of token 6; the channel 9 port receives the new extended key word token and writes it to the key word storage area. In addition, the key word storage area has a set port connected to the output of the initial key register, 256 bits wide, with the load signal used as a signal;
  • the AK register unit has Two output channel ports; the channel 7 port sends an operand token for the AddKey operation or the conversion key word forwarding, and the channel 10 port transmits the operand token for the key expansion operation;
  • The token transmitted through the channel 9 port includes four 32-bit data fields k0-k3, a 5-bit BLOCK field and a 1-bit part field. When part is equal to 0, k0-k3 are written in order into the units at addresses 000-011 (in binary) of the key word storage area, the BLOCK value of token 9 is assigned to BLOCKL, and the round transformation flag bits and extension flag bits of all the low segment units are simultaneously reset to 0. When part is equal to 1, k0-k3 are written in order into the units at addresses 100-111 (in binary) of the key word storage area, the BLOCK value of token 9 is assigned to BLOCKH, and the round transformation flag bits and extension flag bits of all the high segment units are reset to 0;
  • The token sent by the channel 7 port is named token 7. It includes two 32-bit data fields, data1 and data2, and a 1-bit attribute field. The value of the attribute field is equal to the value of the AorT signal, described below, at the time of transmission. When AorT is equal to 0, the AddKey operation is performed and token 7 is a status word token, which also includes a 4-bit color field and a 2-bit column field. When packing, copy the value of the ssel signal described below.
  • the data field of the stored record is copied to the data2 field of token 7, the response signal of the channel 7 port will read the status word record, and the round transformation flag bit of the key word record that was read will be changed to 1; when AorT is equal to 1
  • token 7 is a key token and includes, in addition to the data fields and the attribute field, a 1-bit operator field, a 1-bit fadd field, and 4 bits of data that are not of interest.
  • The token sent by the channel 10 port is named token 10 and includes a 32-bit intermediate key field, four 32-bit key fields k0-k3, a 5-bit BLOCK field, and a 1-bit step field. The step field of token 10 is equal to the value of the step signal when the token is sent, and the intermediate key field of the token 10 when the step signal is equal to 0 when the token is sent.
  • the extension bit of the word is set to 1.
  • the intermediate key word field of the token 10 is equal to the recorded data at the address equal to 1 in the intermediate key word storage area, the token 10
  • the value of the BLOCK field is equal to the value of the BLOCKH register, and the response signal of the channel 10 port sets the extension bits of all key words in the high segment of the key storage area to 1;
  • The state is represented by binary code. The initial state of KES is 00, the state of preparation/calculation; after transform key word 1 forwarding is performed in this state, KES changes to 01, the state in which the f transformation is performed.
  • the state of KES changes to 11, the state in which the calculation of g is prepared; after the transform key word 2 forwarding operation is executed in state 11, KES changes to 10 and enters the state of performing the g transformation, and when the key is read in state 10 for key expansion, the state of KES changes to 00;
  • a working status register transmitting a WK signal to the input unit, transmitting a WK signal to the channel switch unit Switch, receiving an OK signal from a Matcher OK unit described below; and resetting the WK when the OK signal rises;
  • The Matcher II matching unit checks the status word storage area and the key word storage area in the AK register unit. When it finds ready status word-key word pairs or a ready transform key word, it randomly selects one of them, transmits the address selection signals to the AK register unit, and then triggers the token transmission signal fetch_II.
  • The selection signals include the AddKey status word read address, labeled ssel; the key word read address, labeled ksd; and the signal labeled AorT, which indicates the operation to be performed by the transmitted token: 0 indicates the AddKey operation, and 1 indicates transform key word forwarding, labeled Trans;
  • The input of the Matcher II matching unit includes the observation signals of the status word storage area and the key word storage area of the AK register unit, including the color bits and flag bits of the status word records, the round conversion flag bit and extension flag bit of the key word records, the flag field, BLOCKL and BLOCKH, KES, and the number of key grouping columns Nk;
  • "Ready" means: calculating the sequence numbers of all observed status words and key words and finding a status word-key word pair with the same sequence number and flag equal to 1, or detecting and finding the corresponding transform key word according to the KES state. When the fetch_II signal arrives, it triggers the AK temporary storage unit to send the token to the 7# channel; when the sent status word is cleared, or the KES state changes, fetch_II is reset;
  • Matcher K matching unit checking the observation signal of the key word storage area and the intermediate key word storage area: round transformation flag bit and extension flag bit, flag and KES state; when KES is in key extension state, and corresponding key
  • the key extended read address marked as step becomes the corresponding value: 1 is the high segment extension, 0 is the low segment extension, and triggers the token transmit signal fetch_K
  • the AK register unit packs the corresponding data of the key area and the BLOCK value into a token waiting for transmission according to the step signal, and when the fetch_K signal arrives, the AK temporary storage unit is triggered to send the token through channel 10;
  • when the exp-stop signal described below is valid, the Matcher K matching unit stops working.
  • the key expansion operation unit, marked Key Schedule, receives and parses the token from channel 10 and, after the following Key Schedule processing, packs the result into a token containing the new extended key, which is sent via channel 9; the processing of the Key Schedule contains the following operations:
  • the result of adding 1 to the BLOCK field of token 10 is taken as the BLOCK value of token 9;
  • the AddKey operation, that is, the round key addition operation defined by the AES algorithm, acts on one column of the state; the token sent via channel 8 is named token 8 and includes a 32-bit data field and a 1-bit attribute field.
  • when the attribute field is equal to 0, it is a status word token and also includes a 4-bit color field and a bit column field.
  • when the attribute field is equal to 1, it is a key token and also includes a 1-bit operator field and a 1-bit fadd field.
  • when packing, the bitwise XOR of data1 and data2 of token 7 becomes the data of token 8, and the remaining fields of token 7 are copied directly to the fields of the same name in token 8.
  • the token transmitted by channel 11, named token 11, includes a 32-bit data field and a 2-bit column field.
  • when token 11 is packed, the data field of token 8 is copied directly to the data field of token 11, and the column field of token 8 is copied directly to the column field of token 11;
  • token 1 as a status word token includes a 32-bit data field, a 4-bit color field, a 2-bit column field, a 1-bit operator field and a 1-bit attribute field; when packing, the data field and the column field of token 8 are copied directly to the fields of the same name in token 1, the color field of token 8 plus 1 becomes the color field of token 1, the attribute field of token 1 is equal to 0, and if the color field of token 8 is equal to Nr-1, the operator field of token 1 is marked as the Srd operation, otherwise the operator field of token 1 is marked as the SM operation;
  • token 1 sent via channel 1 as a transformed key word token includes a 32-bit data field, a 1-bit operator field, a 1-bit fadd field and 5 bits of don't-care data; the fields of token 8 are copied directly to the fields of the same name in token 1;
  • the output temporary storage unit is a ciphertext rearrangement temporary storage unit, composed of a 4 × 32-bit storage unit and a token parsing circuit; the unit receives and temporarily stores the ciphertext data carried by the result tokens that arrive out of order via channel 11; the write address is the column field of token 11 and the written data is the data field of token 11; after receiving the read address signal of the output unit described below, it outputs the corresponding ciphertext status word to that output unit; each storage unit of the temporary storage unit has a "full/empty" flag bit labeled flag: when the unit is written, the flag is set to 1, indicating full, and when the data is read, the flag is reset, indicating empty;
  • the output unit is the interface between the chip and the outside and outputs the ciphertext with the required timing: every time it detects that the OK signal is high, it generates the read addresses of the output temporary storage unit in sequence from 00 to 11 (binary representation), reads the ciphertext from the output temporary storage unit, and outputs the ciphertext packet according to the output protocol;
  • the Matcher OK matching unit checks all the flag signals in the output temporary storage unit; when all the flags are 1, all the ciphertext words have arrived and the end signal OK goes high, which notifies the working state memory and also notifies the output unit to read the ciphertext status words of the output temporary storage unit; when the flag is reset, the OK signal goes low;
  • the EU register unit is composed of a key word storage area and two identical state storage areas, labeled in order key store, store0 and store1; the key store stores the transformed key word of the key expansion, and its storage record consists of a 32-bit data field, a 1-bit fadd field and a 1-bit operator field.
  • store0/store1 store columns 0 to 3 of the "state" before the row shift; each column storage unit is further divided into 4 rows: the record of row 0 includes an 8-bit data field, a 4-bit color field and a 1-bit operator field, and the records of rows 1 to 3 each contain an 8-bit field.
  • the unit has one transmission channel port that receives the token 1 sent by the round update channel switch unit via channel 1; the token type (status token or key token), the write address and the record data are parsed from it, and the record is written to the corresponding storage unit;
  • an output transmission channel port is connected to channel 2 and outputs the corresponding status word or conversion key word according to the read address input by the Matcher I matching unit, the store0/store1 selection signal and the state/transform key selection signal, together with other control signals.
  • each of the above three temporary storage areas has a "full/empty" flag bit labeled flag for each unit: flag is set when the unit is written, indicating full, and flag is reset after the data is read, indicating empty;
  • the token is parsed as follows: when the attribute field of token 1 is 0, it is a status word token: the write address is the column field of token 1; the data field of row 0 of the written record is bits 7 to 0 of the token 1 data field, the color field of row 0 is the color field of token 1, the operator field of row 0 is the operator field of token 1, and the data of rows 1 to 3 of the written record are bits 15 to 8, bits 23 to 16 and bits 31 to 24 of the token 1 data field respectively; when the attribute field of token 1 is 1, it is a key token: the data field of token 1 is copied to the data field of the transformed key word storage record, and the fadd field and the operator field of token 1 are copied directly to the fields of the same name in the transformed key word storage record;
  • the token sent via channel 2 is named token 2, and it is packed as follows: when the state/transform key selection signal is equal to 0, token 2 is a status word token and its attribute field is equal to 0; bits 7 to 0 of the data field are the data field of row 0 of the record whose address equals the read address input by the Matcher I matching unit; bits 15 to 8 of the data field are the data field of row 1 of the record whose address is obtained from the read address by the row shift operation defined by the AES algorithm; bits 23 to 16 are the data field of row 2 of the record whose address is obtained from the read address by the row shift operation; bits 31 to 24 are the data field of row 3 of the record whose address is obtained from the read address by the row shift operation; the color field and the operator field of token 2 are equal to the color field and the operator field of row 0 of the record at the read address, and the column field of token 2 is the value of the read address; when the state/transform key selection signal is equal to 0, token 2 is a key word token and its attribute field is equal to 1; its data field is the data field of the transformed key word storage record, and its fadd field and operator field are the fadd field and operator field of the transformed key word storage record;
  • the Matcher I matching unit checks the token information in the key store and store0/store1, finds the status words that are ready after taking the row shift transformation into account, or finds the transformation key, randomly selects one, sends the address information to the EU temporary storage unit, and triggers the channel 2 port with the fetch_I signal, so that token 2 of the EU temporary storage unit is sent to the EU operation unit; the inputs of the Matcher I matching unit include the signals of the observation port of the EU temporary storage unit, the response signal of the channel 2 port, and the random signal that controls the selection; it outputs the fetch_I token transmission signal to the EU register unit;
  • the global memory stores the key grouping number Nk, the number of iterations Nr, and outputs Nk to the EU register, the following EU operation unit, the Matcher II unit, and the key extension operation unit, and updates the channel switching unit to the wheel.
  • the EU operation unit receives token 2 from channel 2 and, after parsing it, performs the corresponding calculation on the data field according to the attribute field and the operator field of token 2 and the number of key grouping columns Nk; the operation result is packed into the data field of token 3 and sent through channel 3.
  • in addition to the data field, token 3 has a 1-bit attribute field whose value is equal to the attribute field value of token 2: when the attribute field is equal to 0, it is a status word token and also has a 4-bit color field and a 2-bit column field; when the attribute field is equal to 1, it is a key word token and also has a 1-bit fadd field and 5 bits of don't-care data; when packing, the fadd field of token 2 is copied directly to the fadd field of token 3; the calculations on the token data field include:
  • the Srd-MkCol operation, performed when the attribute field of token 2 is equal to 0 and the operator field carries the SM tag: the Srd table lookup operation defined by the AES algorithm is applied to each byte of the data field, and the 4-byte result vector is then left-multiplied by a 4 × 4 constant matrix, which is the constant matrix of the column mixing operation defined in the AES algorithm;
  • the direct forwarding operation is performed when the attribute field of the token 2 is equal to 1 and the operator field of the status token is 1 and Nk is less than or equal to 6, that is, the data field of the token 2 is directly copied to the token 3 Data field; the operation when the token 2 attribute field is equal to 1 and the operator field is 1 is the operation of the above g transform under Nk and equal to 6;
  • a Matcher II random control code generating circuit randomly generates a 3-bit random selection code for controlling the arbitration circuit in the Matcher II matching unit, and generates a new random control code each time fetch_II falls;
  • a Matcher I random control code generating circuit randomly generates a 3-bit random selection code for controlling the arbitration circuit in the Matcher I matching unit, and generates a new random control code each time fetch_I falls;
  • the above-mentioned Matcher II unit and the AK temporary storage unit constitute the token temporary storage-matching-transmitting structure of the AddKey operation unit, referred to as the HMF structure;
  • the Matcher I unit and the EU temporary storage unit constitute the HMF structure of the EU computing unit;
  • the Matcher K and the key storage area of the AK temporary storage unit constitute the HMF structure of the KeySchedule unit;
  • the Matcher OK and the output temporary storage unit constitute the output HMF structure;
  • the HMF structure has the following characteristics:
  • U2. Contains a token temporary storage unit, implemented by a register file; the write port uses the asynchronous handshake protocol; the write address and write data are parsed from the input token, and the write clock is triggered by the request signal of the input channel port; the read address is determined by the selection signal output by the matching unit described below, and the output data changes instantaneously with the read address; the output data port and the read address port are connected to the data port of the output channel port of the HMF via the token packing circuit described below; each internal storage unit has a "full/empty" flag indicating whether the record exists, and an address can be written only when its record is "empty"; the full/empty flags of all units and the data of the fields involved in the matching conditions described below form the observation signals of the records,
  • which can be read by the matching unit described below; the output data can be read by the token packing logic described below; each full/empty flag bit is generated by a C unit, one input of which is connected to the write clock of the corresponding record and the other to the inverted clear signal of that record; the write clock of each record is generated from the write response of the write port, selected by the write address, and the clear signal of each record is generated from the read signal of the HMF output channel port, selected by the read address;
  • U3. Contains a matching unit, composed of two parts: a matching logic circuit and a selection logic circuit.
  • the observation signals of each record of the temporary storage unit are input to the matching logic circuit, which calculates the matching result according to the Boolean expression of the matching condition: 1 if the match succeeds, otherwise 0; each matching result signal passes through one stage of C units to the input of the selection logic as a request signal, and the other input of each C unit is connected to the OR signal of all request signals, so that a matching result equal to 1 can be passed to the selection logic circuit only when the request signals are all 0.
  • when there is a valid request among the request signals, that request signal is 1, and matching results that become true after it cannot pass the C units; after the token is sent, the request is reset and the C units open for the pending matching results; the selection logic of the Matcher I and Matcher II units is an arbitration logic circuit that selects at random among the request signals of the detected token groups.
  • the selection circuit of the Matcher K unit calculates the step signal corresponding to the successfully matched request;
  • the Matcher OK has no selection circuit;
  • the request sequence number output by the selection logic of the matching unit is output through a latch as the token selection signal; the request signal chosen by the selection signal becomes the token transmission trigger signal, such as the fetch_II, fetch_I and fetch_K signals;
  • U4. After a delay equal to the longest time required for the selection circuit output to become stable, the token transmission trigger signal triggers the control terminal of the selection signal latch, closing the latch, and simultaneously triggers the request signal for sending the token;
  • the AND of the request signal and the control signal of the selection signal latch is the request signal of the HMF output channel port;
  • the token packing circuit is a combinational circuit whose inputs are the output data and the read address of the token temporary storage unit and whose output is data in the format defined for the output channel's token; the reset response signal of the temporary storage unit resets the control terminal of the selection signal latch, the latch opens, and the selection signal again follows the output of the selection logic of the matching unit.
  • the asynchronous handshake protocol is used for all transmission channels; the data processing and token packing of all the arithmetic units are implemented by combinational logic circuits; the channel switching unit Switch, the initial key register, the AK register unit, the Matcher K matching unit and the key expansion operation unit together constitute the key extension ring, and the channel switching unit Switch, the Matcher II matching unit, the AddKey operation unit, the round update channel switch unit, the EU register unit, the Matcher I matching unit and the EU arithmetic unit constitute the round change ring; within each ring the units are connected by transmission channels, and the two rings are connected by the switch unit Switch.
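The round change ring described above, as an added behavioural model in Python (written for this page, not the patent's circuit or the inventors' code): column tokens carry a color (round) and column field, ready tokens fire in random order, and the EU store applies the row shift when a column is read. Assumptions: the key extension ring is replaced by a precomputed AES-128 key schedule, both matchers are serialised into one random scheduler, store0/store1 is chosen by color parity, a token 8 with color equal to Nr is treated as ciphertext, and all function names are illustrative.

```python
import random

NR = 10  # number of rounds Nr for a 128-bit key (Nk = 4)

def xtime(b):
    """Multiply by x in GF(2^8) modulo x^8 + x^4 + x^3 + x + 1."""
    b <<= 1
    return (b ^ 0x11B) & 0xFF if b & 0x100 else b

def gmul(a, b):
    """Product of a and b in GF(2^8)."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a, b = xtime(a), b >> 1
    return r

def build_sbox():
    """Srd table: multiplicative inverse followed by the AES affine map."""
    sbox = []
    for v in range(256):
        inv = next((i for i in range(1, 256) if gmul(v, i) == 1), 0)
        s = inv
        for k in range(1, 5):
            s ^= ((inv << k) | (inv >> (8 - k))) & 0xFF
        sbox.append(s ^ 0x63)
    return sbox

SBOX = build_sbox()

def expand_key(key):
    """AES-128 key schedule as 44 four-byte words (round k uses words 4k..4k+3)."""
    w = [list(key[4 * i:4 * i + 4]) for i in range(4)]
    rcon = 1
    for i in range(4, 4 * (NR + 1)):
        t = list(w[i - 1])
        if i % 4 == 0:
            t = [SBOX[b] for b in t[1:] + t[:1]]
            t[0] ^= rcon
            rcon = xtime(rcon)
        w.append([a ^ b for a, b in zip(w[i - 4], t)])
    return w

def mix_column(a):
    """Left-multiply one column by the MixColumns constant matrix."""
    return [gmul(a[i], 2) ^ gmul(a[(i + 1) % 4], 3) ^ a[(i + 2) % 4] ^ a[(i + 3) % 4]
            for i in range(4)]

def encrypt_out_of_order(key, plaintext, seed):
    """Encrypt one block, firing ready column tokens in a seed-dependent random order."""
    rng = random.Random(seed)  # stands in for the random control codes
    w = expand_key(key)
    # AK status area: column -> (color, [row0..row3]); plaintext columns enter with color 0.
    ak = {c: (0, list(plaintext[4 * c:4 * c + 4])) for c in range(4)}
    eu = [[[None] * 4 for _ in range(4)] for _ in range(2)]  # eu[store][column][row]
    tag = [[None] * 4 for _ in range(2)]  # (color, operator), kept with row 0
    out = [None] * 4                      # output register, written by column field
    order = []
    while None in out:                    # Matcher OK: all four flags set ends the run
        ready = [("AK", 0, c) for c in sorted(ak)]
        # A state column is ready once the four bytes the row shift maps into it are stored.
        ready += [("EU", s, c) for s in range(2) for c in range(4)
                  if all(eu[s][(c + r) % 4][r] is not None for r in range(4))]
        unit, s, c = rng.choice(ready)
        order.append((unit, c))
        if unit == "AK":                  # token 7 -> AddKey -> token 8
            color, data = ak.pop(c)
            data = [d ^ k for d, k in zip(data, w[4 * color + c])]
            if color == NR:               # assumed ciphertext test: becomes token 11
                out[c] = data
                continue
            s = (color + 1) % 2           # assumed store0/store1 choice
            assert eu[s][c] == [None] * 4, "record must be empty before a write"
            eu[s][c] = data               # token 1: color + 1, Srd on the last round
            tag[s][c] = (color + 1, "Srd" if color == NR - 1 else "SM")
        else:                             # token 2 -> EU unit -> token 3
            col = [eu[s][(c + r) % 4][r] for r in range(4)]
            for r in range(4):
                eu[s][(c + r) % 4][r] = None   # reading clears the full/empty flag
            color, operator = tag[s][c]
            tag[s][c] = None
            col = [SBOX[b] for b in col]
            ak[c] = (color, mix_column(col) if operator == "SM" else col)
    return bytes(b for col in out for b in col), order

if __name__ == "__main__":
    key = bytes(range(16))                                  # FIPS-197 Appendix C.1 key
    pt = bytes.fromhex("00112233445566778899aabbccddeeff")  # FIPS-197 C.1 plaintext
    for seed in (1, 2):
        ct, order = encrypt_out_of_order(key, pt, seed)
        print(seed, ct.hex(), order[:6])
```

Every seed yields the same ciphertext while the recorded firing order differs, which is the property the out-of-order design relies on.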
  • Verilog simulation and circuit simulation of the final tape-out circuit: the Verilog tests cover all the known-answer verifications provided by the official AES standard website, and all passed.
  • the following test is performed on the experimental chip: the same 128-bit plaintext packet is encrypted with all bits of the key equal to 0 and with all bits of the key equal to 1; with randomly generated sequential control codes, 40 power consumption curves are acquired in each case and used to obtain the absolute difference curve of the samples of the two groups; the two power consumption curves obtained by encrypting with the all-zero key and the all-one key under the same sequence control code are likewise used to obtain their absolute difference curve.
  • the two differential curves are shown in Figure 11. The figure shows that the maximum power consumption difference obtained by sequential execution is larger than the maximum power consumption difference obtained by out-of-order execution.
  • in the experiment, the maximum power consumption difference obtained by sequential execution is approximately equal to 0.059 W, and the maximum power consumption difference obtained by out-of-order execution is approximately equal to 0.030 W, which is 50% of the former.
  • the kernel's throughput rate ranges from 59 Mbps to 63 Mbps, and the energy consumption of encrypting a packet is 52.9 nJ (less than the energy consumption of similarly announced chips).
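The difference-curve comparison described above, as an added Python sketch on a toy leakage model (not measured data and not the inventors' evaluation code): each time slot leaks the Hamming weight of the state column processed in it after the initial AddKey, and the curve is the per-sample absolute difference between the all-0-key and all-1-key groups. Assumptions: the Hamming-weight model, averaging the 40 traces of each group before differencing, the constructed plaintext, and all names.

```python
import random

def hamming_weight(x):
    return bin(x).count("1")

def column_leak(plaintext, key_byte, column):
    """Modelled power sample: Hamming weight of one state column after the initial AddKey."""
    return sum(hamming_weight(b ^ key_byte) for b in plaintext[4 * column:4 * column + 4])

def acquire(plaintext, key_byte, order):
    """One constructed trace: sample t belongs to the column processed in time slot t."""
    return [column_leak(plaintext, key_byte, c) for c in order]

def mean_curve(traces):
    """Per-sample mean of a group of traces."""
    return [sum(t[i] for t in traces) / len(traces) for i in range(len(traces[0]))]

def difference_curve(plaintext, n_traces, out_of_order, seed):
    """Per-sample |mean(all-0 key group) - mean(all-1 key group)|."""
    rng = random.Random(seed)
    means = []
    for key_byte in (0x00, 0xFF):          # every key byte 0x00, then every key byte 0xFF
        traces = []
        for _ in range(n_traces):
            order = [0, 1, 2, 3]           # sequential execution: column i in slot i
            if out_of_order:
                rng.shuffle(order)         # stands in for a fresh random control code
            traces.append(acquire(plaintext, key_byte, order))
        means.append(mean_curve(traces))
    return [abs(a - b) for a, b in zip(*means)]

# Constructed plaintext whose four columns have Hamming weights 0, 32, 16 and 8.
PLAINTEXT = bytes.fromhex("00000000" "ffffffff" "0f0f0f0f" "000000ff")

def peak_comparison(n_traces=40, seed=1):
    """Return (peak of the sequential curve, peak of the out-of-order curve)."""
    sequential = difference_curve(PLAINTEXT, n_traces, False, seed)
    shuffled = difference_curve(PLAINTEXT, n_traces, True, seed)
    return max(sequential), max(shuffled)

if __name__ == "__main__":
    print(difference_curve(PLAINTEXT, 40, False, 1))
    print(difference_curve(PLAINTEXT, 40, True, 1))
    print(peak_comparison())
```

With a fixed order each column's key-dependent difference stays in its own slot; with a random order every slot averages over all four columns, so the peak of the curve drops.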
  • Figure 1 4 phase handshake protocol transmission channel.
  • Figure 2 4 phase asynchronous handshake protocol.
  • Figure 3 4 phase handshake protocol asynchronous transmission channel implementation circuit.
  • Figure 10 Flow chart of the AES implementation algorithm of the present invention (a) Key token processing flow; (b) State token exit flow.
  • Figure 11 Power consumption differential curve for all 0 keys and all 1 keys, AES-128.
  • Figure 12 is a block diagram.
  • Figure 13 Input module circuit structure.
  • Figure 15 Schematic diagram of the HMF structure.
  • Figure 16 The basic structure of the token register (4 units).
  • Figure 18 4 select 1 arbiter circuit (a) R-boxO (b) R-boxl (c) overall circuit.
  • Figure 19 is a logic diagram of the transmit circuit.
  • FIG. 24 Transfer relationship of token 1 to EU temporary storage unit (a) Status token (b) Key token.
  • Figure 25 EU temporary storage unit stores the transfer relationship recorded to token 2 (a) status token (b) key token.
  • Figure 26 Transfer relationship from token 2 to token 3 (a) status token (b) key token.
  • Figure 27 Flow of various operations of the EU unit: (a) Srd operation (b) SM operation (c) RC operation.
  • Figure 28 Transfer relationship between token 3 to token 5 and token 3 to token 6 (a) token 3 to token 5 (b) token 3 to token 6.
  • Figure 33 Transfer relationship from token 7 to token 8.
  • Figure 34 Transfer relationship between token 8 to token 1 and token 11 (a) ciphertext token transmission (b) status token round update (c) key token forwarding.
  • the input and output data buses are all 32 bits.
  • the input and output modules are easily embedded in the synchronous circuit system by means of a synchronous circuit.
  • the key column number (Nk) and the initial key are first sent to the chip's internal setup register and initial key register via the data input bus before encryption starts.
  • the plaintext packet is then sent to the chip.
  • the encryption operation is then initiated by an external signal.
  • the ciphertext status word is first stored in the output register. When the entire ciphertext packet is generated, the end signal (OK) goes high and the resulting data can be read from the data output bus.
  • the data in the initial key register is rewritten to the internal key register.
  • each module in the THDFAES04 structure is exactly the same as that described in the present invention, and the structure is composed of two asynchronous pipeline loops, the "round change loop" and the "key extension loop".
  • Each transmission channel in the figure is marked with a number, and each channel transmits a fixed token format, which is the corresponding token number.
  • a global register storing WK, Nk and Nr is further included, and the circuit contains two identical and independent random control code generating circuits, which provide random control codes for the arbitration circuits of Matcher I and Matcher II respectively; they are named random sequence control sequence register I and incoming random sequence control sequence register II.
  • the specific implementation of each component is as follows. 5.1 Transmission channel and channel port:
  • the transmission channel is indicated by a hollow wide arrow and the arrow indicates the direction of data transmission.
  • the data transmitted is the corresponding numbered token.
  • THDFAES04 uses the asynchronous transmission channel of the 4-phase bundled data handshake protocol.
  • Figure 13 is a circuit diagram of the input module, wherein the CKIN signal is an input clock, and the external input signal further includes an input data bus, a start signal, a reset signal, an address signal, and an enable signal.
  • the reset signal resets the entire chip.
  • the control circuit controls the input data distribution logic according to the input address, and stores the input data into the corresponding register:
  • the plaintext is stored in the plaintext buffer, which is a serial input, parallel output shift register, which can store 32-bit plaintext data;
  • the key is stored in the initial key register of the kernel portion; the Nk value is stored in the Nk register; the random sequence control sequence is stored in the random sequence control sequence register I and the incoming random sequence control sequence register II of the kernel portion, respectively.
  • the control circuit includes a counter for recording the current plaintext number, and the output of the plaintext buffer is connected to the packing logic circuit, the lower 2 bits of the counter are used as the column field of the token 4, and the output of the plaintext buffer is used as the data field of the token 4.
  • the channel 4 port is triggered and sends the token 4 output by the packing circuit to channel 4.
  • the start signal triggers the load signal to place the data in the initial key register into the key storage area of the AK register unit, and the load signal triggers the WK signal to go high.
  • the InterRst-signal of the invention is generated by the control circuit.
  • the output module is a synchronous circuit.
  • the input signal includes the data output of the output temporary storage unit, the OK signal and the external reading clock CKOUT.
  • the output port includes the output data bus, the 2-bit read address of the output temporary storage unit and the read clear signal (OUTACK).
  • Figure 14 is a circuit diagram of the output module.
  • the control circuit triggers the cpl signal after receiving the rising edge of OK, causing the address accumulator to start working: starting from 0, it adds 1 every 2 clock cycles, and the output of the address accumulator is the read address of the output buffer unit; the output buffer is a parallel-input, serial-output shift register, and the ren signal is its set control terminal. ren is valid before each address change. When ren is valid, the output of the output buffer unit is loaded into the output buffer on the falling edge, then ren is reset, and each rising edge of CKOUT serially shifts the output buffer data to the output data port. Each time the ren signal is reset, a positive pulse of the OUTACK signal is triggered, and the record in the output buffer unit is cleared.
  • the initial key register is a 256-bit register bank that holds the key written by the input module. Its clock terminal is the load signal.
  • rand is the random selection code described in the invention, referred to herein as a sequential control code.
  • the solid wide arrow in the figure indicates the transmission path between the HMF and the outside.
  • WA and WD represent the write address and input data port of the scratchpad, and RA and RD represent the read address and the output data port, respectively.
  • the way it works is: the externally entered token is first stored in the scratchpad. Each token record in the scratchpad has a corresponding "full/empty" flag (flag), which is set to 1 when data is written. After the record is read out, the high level of the CLR signal clears the record pointed to by RA (the corresponding flag bit is reset). CLR_done is the acknowledge signal of the CLR signal, and its falling edge indicates that the flag reset is complete.
  • Tags thereby calculating their matching function (propositional formula of matching condition) as the matching result of the invention.
  • Fetch is the token emission trigger signal of the invention.
  • Select is the selection signal of the invention, address is the read address of the token temporary storage unit of the invention, and data is the output data of the token temporary storage unit of the invention.
  • the packet is sent to the execution unit as a new token.
  • the response signal from the execution unit triggers the clear drive CLR port, at which point the transmit circuit enters the idle state again.
  • the transmitting circuit does not process the new transmission request during the transmitting operation.
  • Figure 16 is a schematic diagram of a 4-cell register with only one memory cell drawn. Each cell consists of a set of registers and a flag circuit.
  • the rising edge of the register clock (clk) sets flag to 1 when clr is 0.
  • the positive pulse of the clear signal (clr) resets the flag when clk is 0.
  • WA and WD are parsed by the input token, and reqin and ackin represent the write request and write acknowledge signal for the input channel port, respectively.
  • the request can only be accepted when the flag signal is 0, and the data is written to the register after the write request is accepted.
  • the output data is directly output through the primary multiplexer (MUX), and the RD changes instantaneously with the RA.
  • the selection of the CLR signal by the RA triggers the clr signal of the corresponding unit.
  • the CLR_done falls as a flag for the end of the record clearing process.
  • Figure 17 is a basic 4 request matching unit structure consisting of a matching logic portion, a request arbitration portion, and a selection hold-request blocking circuit.
  • the matching logic part implements the matching function calculation, which is implemented by the combination circuit, and the calculation result is sent to the arbiter through the C unit to become the request signal.
  • the arbiter in THDFAES04 uses the R-box circuit in the May D. paper, as shown in Figure 18, which is a 4-to-1 arbitration logic. I0 to I3 indicate the input requests, and A0 and A1 are the serial number of the selected request.
  • the time when the scratchpad reads and writes data is uncertain.
  • the signal of the observation port may change at any time, and the output of the arbiter also changes continuously. Therefore, it is necessary to synchronize the select signal and the token data to ensure that the output data of the transmitting circuit is stable when the request signal of the output channel is valid. For this purpose, a select latch is provided at the output of the arbiter.
  • the C unit and the 4-input OR gate in the figure constitute a feedback blocking circuit.
  • the blocking circuit makes the arbiter output stable after a certain period of time. After fetch rises, the same delay is used before select is resampled, to avoid hazards.
  • Figure 19 is a logic diagram and main signal waveform diagram of the transmitting circuit portion.
  • the registers R and C are the receiving channels of the token; the shaded circuit is the generation circuit of the address latch signal lock; req and ack are the request and response signals of the output channel port, respectively, ackout is the next stage circuit Response signal.
  • the remaining signals correspond to Figure 15; are delay units for delay matching.
  • the initial state of all timing elements in the circuit is all 0, and the rising edge of fetch becomes the fetch_d signal after the delay of (select stable time).
  • the rising edge of fetch_d first triggers the lock signal, latching the sequence number of the valid request.
  • Req is output by the lock gate.
  • the lock signal remains at the ⁇ level for the time between the rising edge of req and the falling edge of clr-ack.
  • the ports of the AK temporary storage unit include three input channel ports: the channel 5 port receives status word tokens; the channel 6 port receives the tokens of the non-linearly transformed intermediate key words f and g; the channel 9 port receives new extended key words. There are two output channel ports: the channel 7 port sends the AddKey operand token (token 7); the channel 10 port sends the key extension operand token. The packing function of each token is shown in the token transmission part. In addition, there are also number ports, including the initial key input bus and the load and WK signals.
  • the key word storage area has eight key word record storage units and two intermediate key word storage units.
  • the address space of the key word storage space is (000)₂ to (111)₂.
  • the intermediate key word part has a 1-bit address, and the address space is 0-1; f and g are stored in order.
  • KES is used to control the timing of key expansion, and its state machine is shown in Figure 20. The state of KES changes each time the corresponding key word undergoes the f/g transformation and each time the key is read for key expansion. Its initial state is 00, which is the state of preparation for calculation.
  • the record format of the key word part and the intermediate key word part is as follows:
  • It contains two write ports, which are the write port of the key word and the intermediate key word, respectively, including the write data bus and the write address; two read ports, corresponding to the data fields of the token 7 and the token 10, respectively. It contains the data bus and the read address.
  • the bus width of the data field corresponding to token 7 is 32 bits, and its read address is the kse of Matcher II.
  • the bus width of the data field corresponding to token 10 is 160 bits, and its read address is the step signal from Matcher K; one key segment and one intermediate key word are read at a time.
  • the write signal of the key word port resets the op of the record being written; the acknowledge signal of channel 7 sets the round change bit of the key word record that was read to 1, and the acknowledge signal of channel 10 sets the extension bit of the record that was read to 1.
  • the status word memory area has 4 status word storage units:
  • the status word area has a write port, comprising the data bus (width 36), the write address and the write signal; a set port, connected to the output of the initial key register, 256 bits wide, with the load signal as the set signal; and a read port, whose read address is connected to the ssel signal of Matcher II and whose 36-bit data bus is connected to the data1 and color field data inputs of channel 7.
  • when AorT is 1, the status word indicated by ssel is output.
  • when AorT is 0, 0 is output.
  • Matcher II checks the status area and key area in the AK scratchpad.
  • the observation signal read by Matcher II includes the color field and flag flag of the status word record, and the op field of the key word.
  • the matching condition expression is given in the token transmission relationship part below; its arbitration logic is divided into two levels. The first level selects one of the requests that satisfy the AddKey operation condition. The second level selects whether to perform the AddKey operation or the transform key forwarding.
  • the random control code of the arbiter in the above matching unit is provided by the random sequence control sequence register 1.
  • the key extension HMF structure of the token register shares the key area of the AK temporary storage unit with the HMF structure of the AddKey.
  • its register also includes the intermediate key unit of the AK temporary storage unit.
  • the matcher's observation signals include: the op field of the key word, the flag of the intermediate key word, KES, BLOCKL, and BLOCKH; the matching condition is given in the token transmission relationship part below; the output request selection signal is the segment mark step, and the packing logic, based on step, packs the corresponding data of the key area and the BLOCK value into the token 10 to be sent (the specific packing logic is given in the token transmission relationship part); since the key expansion operation never has several token groups waiting to execute at the same time, there is no arbitration circuit inside; the token transmit signal is fetch_k; when WK is 0, that is, inactive, the rising edge of the load signal writes the data in the initial key register into the key word area.
  • the EU temporary storage unit contains a transform key word storage unit, key store, and two identical state storage units, store0 and store1.
  • the first line (row address is 0) storage record (HDR) format is as follows:
  • store0 and store1 each contain a read port and a write port, each with its own address and data bus.
  • the write port has another write signal.
  • the input signal also has a ping-pong selection signal pp from Matcher I.
  • the address of each row is the same when writing, and there is an address offset circuit inside.
  • the input of this circuit is the external read address (from Matcher I) and its output is the read address of each row; the address of each row equals the external address minus the corresponding row displacement constant.
  • the read ports of the two registers are connected to the transmit circuit via a multiplexer.
  • which of store0 and store1 is read is determined by the pp signal: when pp is 0 the multiplexer selects the output of store0; when pp is 1 it selects the output of store1.
  • the EU temporary storage unit has an input transmission channel port connected to channel 1; an output transmission channel port connected to channel 2, and the token packing function is shown in the token transmission relationship portion.
  • the function of the EU temporary storage unit is to receive the token 1 sent from channel 1, from which the token type (state token or key token), write address and record data are parsed, and the record is written into the corresponding storage unit.
  • according to pp, s_f and raddr, the corresponding status word or transform key word is output and, together with other control information, packed into token 2; the fetch_I signal triggers the request signal of the 2# channel port and sends the packed token to channel 2.
  • Matcher I internally includes two identical state token matching units and one key token matching unit.
  • the matching result of store0 (corresponding to the matched signal in Fig. 17), matched0, and the matching result of store1 are fed to the generating circuit of the ping-pong control signal pp; the generating circuit of pp is shown in Fig. 21.
  • the observation signals of store0/store1 include the flag bit of each unit and the color field and op field of each HDR; the output request selection signal includes the read address raddr (2 bits) of store0/store1; the specific matching condition is given in the token transmission relationship part; the arbitration circuit inside the state matching unit is a 4-to-1 circuit as shown in FIG.
  • Matcher I also contains a 2-to-1 arbitration circuit, which randomly selects between the request of the state matching unit and the request of the key matching unit; the corresponding operation selection signal is s_f and the corresponding token transmission signal is fetch_I.
  • the output temporary storage unit is a ciphertext rearrangement temporary storage unit composed of four sets of 4-byte registers. It has one input channel port, connected to transmission channel 11; its other input signals are a 2-bit read address from the output module and a clear signal OUTACK (corresponding to the CLR signal in Figure 16), and its other output signals are the output data (32 bits) and the 4-bit flag signal. Its circuit configuration is the same as in FIG. 16, except that it does not generate a reset acknowledge signal (CLR_done). The address bits of the output data bus of channel 11 are directly connected to the write address of the temporary storage unit, and the data bits are directly connected to its data input bus.
  • CLR_done: reset acknowledge signal
  • the input signal is the four flag signals of the output temporary storage unit, and the output is the OK signal.
  • OK equals the logical AND of the four flag signals.
  • the KeySchedule unit has an input channel port (connected to channel 10), an output channel port (connected to channel 9), and a circuit structure in which the input channel port-logic portion-output channel port is cascaded. It enters token 10, which is processed by the logical section to output token 9 from the output channel port.
  • the specific functions of the logical part are shown in the "Token Transfer Protocol Part" below.
  • the AddKey unit has an input channel port (connected to channel 7), an output channel port (connected to channel 8), and a circuit structure in which the input channel port-logic portion-output channel port is cascaded. It enters token 7, which is processed by the logical part to output token 8 from the output channel port.
  • the specific functions of the logical part can be found in the "Token Transmission Protocol Part" below.
  • the EU unit has an input channel port (connected to channel 2), an output channel port (connected to channel 3), and a circuit structure in which the input channel port-logic portion-output channel port is cascaded. It enters token 2, which is processed by the logical part to output token 3 from the output channel port.
  • the specific functions of the logic section can be found in the "Token Transmission Protocol Part" below.
  • the Switch is a 2-channel input-2 channel output switch.
  • the two input channel ports are the 3# channel port from the round transformation and the 4# channel port from the input module.
  • the circuit structure is shown in Figure 22. The arrow indicates the asynchronous transmission channel.
  • the DEMUX and MUX in the figure are also the asynchronous control unit DEMUX.
  • the data of the transmitted Key is equal to 1
  • the acknowledge signal is connected to the DEMUX control channel port.
  • the other data lines and request-response signals of channel 3 are connected to the data input channel port of the DEMUX; the control terminal of the MUX is the WK signal.
  • Figure 23 shows the circuit configuration of the round update unit.
  • the first-level DEMUX is the same as that of FIG. 22. If the attribute field of token 8 is equal to 1, the token is directly copied to channel 1. If it is equal to 0, the token passes to the second-level DEMUX. If the color field of the input token is equal to Nr, then part of the token is copied to channel 11, and the column field of the token is checked (that is, the exp_stop? element in the figure).
  • the random sequence control sequence of THDFAES04 is supplied externally. The random sequence control sequence register I in FIG. 12 corresponds to the Matcher I random control code generating circuit of the invention. It is a ring shift register: before operation starts, a random sequence is loaded into it from outside through the input data port; during operation, the data in the register is shifted cyclically, once on each falling edge of fetch_I, and the output of the first register stage is connected to the random code input of Matcher I.
  • the random sequence control sequence register II in FIG. 12 corresponds to the Matcher II random control code generating circuit of the invention, and it is likewise loaded externally. Its circuit is the same as that of random sequence control sequence register I; it shifts once on each falling edge of fetch_II, and its output data is connected to the random code input of Matcher II.
  • Token 1
  • AorT(1) 0/1 Execute AddKey or transform key word forwarding: 0 - AddKey, 1 - transform key word forwarding
  • the mapping relationship of each field is shown in Fig. 24 (a): the lowest byte (bits 7 to 0) through the highest byte (bits 31 to 24) of the data field of token 1 are written in turn into the storage units of row 0 to row 3. If the key field of token 1 is equal to 1, the token is written into the key store of the EU temporary storage unit, and the mapping relationship between the fields of token 1 and the KR fields is shown in Fig. 24 (b).
  • EU temporary storage unit records -> token 2
  • Matcher I matches the data in store0 or store1.
  • the matching condition is: there exists a column i such that the storage records at the first row, column i, the second row, column i-C1, the third row, column i-C2, and the fourth row, column i-C3 are all "full"; the corresponding matching unit then outputs i, that is, the read addresses of store0 and store1 are equal to i. Matcher I also matches the transform key words in the key store.
  • the matching condition there is: the FR record is "full". When more than one item of data meets the above conditions, one is selected at random for transmission.
  • the mapping relationship between token 2 and token 3 is shown in Figure 26.
  • the data field of token 2 is calculated by the EU unit, and the result is used as the data field of token 3.
  • the mapping relationship between the fields of token 4 and the fields of token 5 is as shown in FIG. Token 5 -> SR in the AK temporary storage unit
  • the content of the token 5 is stored in the state temporary storage area of the AK temporary storage unit, and the storage address is the address of the token 5, and the mapping relationship between the other domains and the various domains of the SR is as shown in FIG.
  • the data of the token 6 is stored in the intermediate key word storage area of the AK temporary storage unit, and the address is its address field.
  • the mapping relationship between the other domains and the KR domains is as shown in FIG.
  • the AddKey matching condition is: there is a pair consisting of a status token (represented by SR[i]) and a key token (represented by KR[j]), whose storage addresses are i and j respectively, that satisfy:
  • mapping relationship between the token 7 and each domain of the token 8 is as shown in FIG.
  • the result of bitwise XOR of datal and data2 of token 7 is used as the data field of token 8.
  • the BLOCK value of token 9 is assigned to BLOCKH, and both bits of the op field of the high segment temporary storage unit are reset to 0 at the same time.
  • Matcher matches the data in the key temporary storage area of the AK temporary storage unit.
  • the present invention has the advantages of being resistant to power analysis attacks, redundant operations, and fewer redundant circuits, thereby achieving low power consumption in the field of information security, particularly in the field of cryptographic chip implementation security.
  • the invention can be applied in fields such as smart cards (ID cards, financial cards, pay TV cards, digital mobile certificates) and mobile personal terminals (PDAs, mobile phones, portable computers, etc.).

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Storage Device Security (AREA)

Abstract

A Rijndael encryption circuit for a data stream with out-of-order execution is disclosed. The circuit belongs to the field of cryptographic integrated circuits that resist differential power analysis attacks. The circuit structure integrated in a chip contains an input part and an output part, and a key expansion loop that accomplishes key expansion, including a channel switch unit, an initial key register, an AK temporary storage unit, an arithmetic unit for key expansion, and a matching check unit. A round transformation loop for transforming with the round key includes a switch unit for the round update channel, an AddKey arithmetic unit, an EU arithmetic unit, an AK temporary storage unit and the relevant check unit. The ciphertext is obtained by bitwise mixing of the round key with the state information, row shifting, column mixing and round iteration, and is output through the output part. Compared with the prior art, the invention lowers the differential power consumption by 50%, raising the difficulty of attack.

Description

Dataflow AES encryption circuit with out-of-order execution
Technical field
The invention belongs to the field of cryptographic integrated circuits and resistance to differential power analysis attacks. It relates to a circuit for making cryptographic integrated circuits resistant to differential power analysis attacks, and in particular to a dataflow AES encryption circuit with out-of-order execution.
Prior art
With the widespread use of security integrated circuits that store keys and data, such as smart cards and pay-TV cards, power analysis attacks, and differential power analysis (DPA) attacks in particular, have emerged and quickly become an important threat to cryptographic chips that store data. A power analysis attack is a hardware-oriented attack that obtains information about the data by analyzing the variation in power consumption (or supply current) while the chip processes that data. The most widely used variant, differential power analysis, applies statistical hypothesis testing to many sampled power traces in order to find the most likely value of the key. Making the execution time of each operation in the circuit random is one of the important ways of countering differential power analysis. Existing timing-randomization methods fall into two kinds: random delay insertion and out-of-order execution. In the former, the order in which operations execute is fixed, but delays are inserted at random between steps; in the latter, operations whose relative order does not matter are executed in random order, so their execution times are more uncertain than in the former. The out-of-order execution techniques published so far are the random register renaming technique, see the paper by May, D., H. L. Muller et al., "Random register renaming to foil DPA", Paris, France, Springer-Verlag, and the "non-deterministic processor" technique introduced in the paper by Irwin, J., D. Page, et al., published in 2002, "Instruction stream mutation for non-deterministic processors", San Jose, CA, USA, IEEE Comput. Soc. Both techniques are applied to general-purpose cryptographic processors. Random register renaming introduces random selection only at the register-renaming step; the non-deterministic processor exploits the instruction-level parallelism inside the program and executes instructions that could run in parallel serially, in random order. The former introduces uncertainty only locally, while the uncertainty of the latter is confined to adjacent instructions and is limited by how the original program is written. The dataflow out-of-order execution technique of this invention is intended for application-specific cryptographic integrated circuits. Dataflow is a mode of computation in which operations execute according to data dependencies. It adds no other constraint on execution order, so it can exploit the maximum parallelism of the algorithm itself and lets the execution order vary over a large space. Dataflow also uses distributed control, so the load capacitance of the internal buses is small. According to the formula for the power difference, Δ - ^ - 2)C 2, the size of the power difference is proportional to the load capacitance, so a small load capacitance helps to reduce the power difference. The basic principles of dataflow and of out-of-order execution as a defence against differential power analysis attacks are described below:
1. Out-of-order execution against differential power analysis attacks
The power consumption of an integrated circuit depends on the data being processed. When some bit (b) of the data takes the value 0 or 1, the distribution of power consumption at each moment differs; the two cases are described by the random processes $P_0(t)$ and $P_1(t)$, where t denotes time. DPA uses a test on means to decide whether the sampled power traces belong to $P_0(t)$ or $P_1(t)$. Let t be the moment at which b is computed, let the corresponding difference in mean power be $\varepsilon = |P_0(t) - P_1(t)|$, and let the measured power contain noise $\sigma$. Then, according to DPA theory, the number of samples N needed for a correct decision must satisfy:
$$N > \left(\frac{2\sigma}{\varepsilon}\right)^2$$
In an integrated circuit with out-of-order execution, the operation that computes b may occur at random at any of several moments. Suppose the probability that the operation executes at moment t is $p_b$; then the mean power at moment t is $p_b P_b + (1 - p_b) P_{other}$, where $P_{other}$ is the average power of the other operations executed at moment t, assumed to be independent of the value of b. The corresponding power difference is
$$\left|\,[\,p_b P_0 + (1 - p_b) P_{other}\,] - [\,p_b P_1 + (1 - p_b) P_{other}\,]\,\right|$$
That is, the power difference becomes $p_b$ times the original, and the number of samples required rises correspondingly. Out-of-order execution therefore raises the cost of a DPA attack, and the higher the uncertainty, that is, the smaller $p_b$, the larger the number of samples required.
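The scaling argument above can be checked numerically. The following is an added example, not part of the patent text: it simulates difference-of-means measurements on constructed power samples in which the bit-dependent operation lands on the observed moment with probability p_b, and evaluates the sample bound N > (2σ/ε)² for the reduced difference. The power levels, noise model and function names are assumptions made for the illustration.

```python
import random


def required_samples(sigma, eps):
    """Bound from the text: N must exceed (2*sigma/eps)**2."""
    return (2.0 * sigma / eps) ** 2


def sample_cost_factor(p_b, sigma=1.0, eps=1.0):
    """How much the bound grows when the difference shrinks from eps to p_b*eps."""
    return required_samples(sigma, p_b * eps) / required_samples(sigma, eps)


def measured_difference(p_b, eps=1.0, sigma=1.0, n=100_000, seed=1):
    """Difference of mean power at one fixed moment t, over n constructed samples.

    With probability p_b the operation on bit b executes at t and the mean
    power is P0 or P1 (|P0 - P1| = eps); otherwise some other operation runs
    at t with mean P_other, independent of b. Gaussian noise of standard
    deviation sigma is added to every sample.
    """
    rng = random.Random(seed)
    p0, p1, p_other = 5.0 + eps / 2, 5.0 - eps / 2, 5.0  # constructed levels
    total = [0.0, 0.0]
    count = [0, 0]
    for _ in range(n):
        b = rng.getrandbits(1)              # the key-dependent bit for this trace
        if rng.random() < p_b:              # operation on b scheduled at moment t
            mean = p1 if b else p0
        else:                               # something unrelated runs at t
            mean = p_other
        total[b] += rng.gauss(mean, sigma)
        count[b] += 1
    # Partition by b and compare the means, as the mean test in the text does.
    return abs(total[0] / count[0] - total[1] / count[1])


if __name__ == "__main__":
    for p in (1.0, 0.5, 0.25):
        print(f"p_b={p:4}: measured difference {measured_difference(p):.3f}, "
              f"sample bound grows x{sample_cost_factor(p):.0f}")
```

With the difference reduced to p_b·ε, the bound N > (2σ/ε)² grows by 1/p_b², which is what `sample_cost_factor` evaluates.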
2. Dataflow operating mode
We first introduce the concept of data dependency. An algorithm consists of a series of operations; if the output of operation A is an input of operation B, then B has a data dependency on A, and B can execute only after A has executed.
Dataflow is a mode of computation with no control flow and no constraint on execution order other than data dependencies. It encapsulates the data being processed in tokens. A token is a fixed-length binary string that follows a defined format, in which every bit has a specific meaning. For example, the token below contains three fields, a data field, a source address and a destination address, whose positions in the token are fixed by convention: the low 32 bits are the data field; bits 37 to 35 and bits 34 to 32 are the 3-bit destination address and source address respectively.
Destination address | Source address | Data
37 ... 35 | 34 ... 32 | 31 ... 0
A dataflow circuit implements the individual operations of the algorithm and the passing of tokens between those operations. When all the input tokens of an operation have arrived (that is, all the operations it depends on have executed), the operation can be "activated": it starts processing the data and packs the result into a new token that is passed to its successor operations. Control information is also conveyed through tokens. In the example, the addresses indicate where the data came from and the destination it should be sent to after processing; some control commands are also encapsulated in tokens (control tokens) and passed to the operations being controlled.
A dataflow circuit has no central control circuit and its data exchange is local; accordingly, the data buses and storage units are distributed as well. An operation is triggered on the condition that all of its operand tokens have arrived, which makes the circuit data-driven and asynchronous. Operations with no data dependency between them do not affect one another, so parallel execution comes naturally.
In summary, dataflow computation is parallel, functional (each operation is relatively independent, and unrelated operations can execute in any order), distributed and asynchronous.
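The token format and firing rule described above can be exercised in a few lines. This is an added example, not code from the patent: it packs tokens in the 38-bit layout given in the text (destination in bits 37 to 35, source in bits 34 to 32, data in bits 31 to 0) and runs a small constructed three-node graph in which tokens are delivered in random order. The graph, node numbers and operand values are assumptions for the illustration.

```python
import random

MASK32 = 0xFFFFFFFF
SINK = 7  # hypothetical address of the output collector


def pack_token(dst, src, data):
    """Pack a token: bits 37..35 destination, 34..32 source, 31..0 data."""
    if not (0 <= dst < 8 and 0 <= src < 8 and 0 <= data <= MASK32):
        raise ValueError("field out of range")
    return (dst << 35) | (src << 32) | data


def unpack_token(tok):
    """Return (dst, src, data) from a packed token."""
    return (tok >> 35) & 0x7, (tok >> 32) & 0x7, tok & MASK32


# Constructed graph: node -> (operand sources in slot order, function, successor).
# Nodes 1 and 2 are independent XORs (AddKey-like); node 3 depends on both.
GRAPH = {
    1: ((0, 6), lambda s, k: s ^ k, 3),
    2: ((0, 6), lambda s, k: s ^ k, 3),
    3: ((1, 2), lambda x, y: (x - y) & MASK32, SINK),
}


def run(initial_tokens, seed):
    """Deliver tokens in random order; a node fires once all its operands arrived."""
    rng = random.Random(seed)
    in_flight = list(initial_tokens)
    operands = {node: {} for node in GRAPH}
    fired, outputs = [], []
    while in_flight:
        tok = in_flight.pop(rng.randrange(len(in_flight)))  # unordered arrival
        dst, src, data = unpack_token(tok)
        if dst == SINK:
            outputs.append(data)
            continue
        operands[dst][src] = data
        sources, fn, succ = GRAPH[dst]
        if all(s in operands[dst] for s in sources):        # firing rule
            args = [operands[dst].pop(s) for s in sources]
            fired.append(dst)
            in_flight.append(pack_token(succ, dst, fn(*args)))
    return outputs, tuple(fired)


# Constructed operands: two status words (source 0) and two key words (source 6).
S0, K0, S1, K1 = 0x00112233, 0x0F0E0D0C, 0x44556677, 0x0B0A0908
INITIAL = [pack_token(1, 0, S0), pack_token(1, 6, K0),
           pack_token(2, 0, S1), pack_token(2, 6, K1)]

if __name__ == "__main__":
    for seed in range(4):
        out, order = run(INITIAL, seed)
        print(f"seed {seed}: firing order {order}, result {out[0]:#010x}")
```

The firing order of the two independent nodes changes from run to run, while node 3 always fires last and the result is the same.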
3. Asynchronous circuits and asynchronous channels:
In an asynchronous circuit system, the parts of the circuit are connected through asynchronous communication interfaces, called asynchronous transmission channels. The interface between a transmission channel and the outside is called a channel port. It is an abstraction of a group of signals: a set of data bus lines together with the request and acknowledge signals. An asynchronous transmission channel consists of data latches and the control circuit of the latches, with the structure shown in Fig. 1. It works according to a communication protocol called the "handshake protocol":
An asynchronous integrated circuit has no clock. The handshake protocol uses two kinds of control signal: the request signal and the acknowledge signal. The request signal starts a piece of work, and the acknowledge signal indicates that the work is complete. These two signals are enough to control the timing of all operations in the system. To implement handshake signals in a circuit, the alternating request and acknowledge signals have to be encoded as levels or level changes on control lines. A commonly used 4-phase handshake protocol is taken as an example below (see Fig. 2):
The rising edge of the request signal tells the receiver that data has arrived. Once the receiver is ready to accept the data, it raises the acknowledge signal to indicate that it is ready and at the same time starts reading the data. The request signal is then reset by the acknowledge signal, and the falling edge of the request signal in turn resets the acknowledge signal, ready to accept the next data item. The data on the transmission channel is stored in a latch. (A latch has a control input: when the control input is low the output follows the input, and when the control input is high the data at the output is held.) In an asynchronous transmission channel with 4-phase handshaking, the control input of the latch is connected to the acknowledge signal, so that the sender's data is latched when the acknowledge signal rises, and data at the input can be accepted again only after the communication cycle has finished.
Asynchronous circuits often use a timing control circuit called a C-element. It has 2 inputs and 1 output, and usually a reset input as well. When both inputs are 1, the output is 1; when both inputs are 0, the output is 0; when the two inputs differ, the output keeps its previous state. An asynchronous transmission channel with the 4-phase handshake protocol implemented with C-elements is shown in Fig. 3.
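The C-element and the 4-phase handshake described above can be simulated at the event level. This is an added example, not the circuit of Fig. 3 (which is not reproduced on this page): it assumes the standard Muller-pipeline arrangement, in which each stage's C-element output serves as the request to the next stage, the acknowledge to the previous stage, and the control input of that stage's latch. Enabled events are executed in random order to model arbitrary gate delays.

```python
import random


def c_element(a, b, prev):
    """Muller C-element: output follows the inputs when they agree, else holds."""
    return a if a == b else prev


def run_pipeline(words, stages=3, seed=0):
    """Push words through a chain of handshaking latch stages; return what arrives."""
    rng = random.Random(seed)
    c = [0] * stages        # C-element outputs (req to the right, ack to the left)
    data = [None] * stages  # value held by each stage's latch
    req_in, ack_out = 0, 0  # sender's request, receiver's acknowledge
    bus = None              # sender's data bus
    pending = list(words)
    received = []
    while True:
        events = []
        if req_in == 0 and c[0] == 0 and pending:
            events.append(("send", None))     # put data on the bus, raise request
        if req_in == 1 and c[0] == 1:
            events.append(("req_low", None))  # request is reset by the acknowledge
        if c[-1] == 1 and ack_out == 0:
            events.append(("recv", None))     # receiver reads, raises acknowledge
        if c[-1] == 0 and ack_out == 1:
            events.append(("ack_low", None))  # acknowledge reset after request fell
        for i in range(stages):
            a = req_in if i == 0 else c[i - 1]
            b = 1 - (ack_out if i == stages - 1 else c[i + 1])
            if c_element(a, b, c[i]) != c[i]:
                events.append(("gate", i))    # this C-element is about to switch
        if not events:
            return received                   # quiescent: all signals back at 0
        kind, i = rng.choice(events)          # arbitrary delays: any order is legal
        if kind == "send":
            bus, req_in = pending.pop(0), 1
        elif kind == "req_low":
            req_in = 0
        elif kind == "recv":
            received.append(data[-1])
            ack_out = 1
        elif kind == "ack_low":
            ack_out = 0
        else:
            c[i] ^= 1
            if c[i] == 1:                     # rising edge: latch closes and holds
                data[i] = bus if i == 0 else data[i - 1]


if __name__ == "__main__":
    sample = [0x11, 0x22, 0x33, 0x44]  # constructed data words
    print([hex(w) for w in run_pipeline(sample, seed=5)])
```

Whatever order the enabled events are taken in, every word arrives exactly once and in order, because a stage's latch cannot reopen until the next stage has captured its value.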
4. Dataflow and the DPA resistance of cryptographic chips
Dataflow does not define the execution order explicitly, so the execution order has maximum flexibility. Its functional nature makes out-of-order execution more convenient. The distributed buses carry small loads, so the corresponding power signature is small. Its asynchronous nature makes dataflow easier to implement with asynchronous circuits, and Simon Moore's paper "Balanced Self-Checking Asynchronous Logic for Smart Card Applications" argues that asynchronous circuits have advantages for implementing cryptographic chips. The invention therefore exploits these properties of dataflow to realize a dataflow implementation of an AES integrated circuit.
5. Basic working principle of dataflow AES
(1) The Rijndael algorithm and the AES encryption standard:
AES is the new symmetric block encryption standard, the Advanced Encryption Standard, specified by the US National Institute of Standards and Technology (NIST). The public call for a standard to replace DES began in 1997, and in 2002 the Rijndael algorithm with a 128-bit plaintext block length was finally selected, supporting three key lengths: 128, 192 and 256 bits. The invention can implement the AES encryption algorithm for all three key lengths.
i. Design principles of the AES algorithm
The Rijndael algorithm supports block lengths between 128 and 256 bits in steps of 32 bits, but the AES standard supports only a 128-bit plaintext length and key lengths of 128, 192 or 256 bits.
The operations of the AES algorithm are defined over the finite field $GF(2^8)$. $GF(2^8)$ is the set of values from $(00)_{16}$ to $(FF)_{16}$ together with a definition of addition and multiplication. Addition in $GF(2^8)$ is the exclusive-OR (XOR) operation. Multiplication in $GF(2^8)$ can be computed as follows. First, any value multiplied by $(01)_{16}$ equals itself. For multiplication by $(02)_{16}$, when the value being multiplied is less than $(80)_{16}$ the result is that value shifted left by 1 bit; otherwise the result is the value shifted left by 1 bit and then XORed with $(1b)_{16}$. This prevents "field overflow" and keeps the product within range. For multiplication by $(03)_{16}$, $(03)_{16}$ can be decomposed into a sum of powers of 2, that is, $b \times (03)_{16} = b \times ((02)_{16} + (01)_{16}) = (b \times (02)_{16}) + (b \times (01)_{16})$.
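The multiplication rules above, written out as an added example that is not part of the patent text. It goes beyond the (02) and (03) cases in the text by decomposing any multiplier into powers of 2, and applies the result to one column using the standard AES MixColumns constant matrix from FIPS-197 (an assumption here, since Equation 1 is not reproduced on this page). The check values are the worked examples from FIPS-197 and the widely published MixColumns test column.

```python
def xtime(b):
    """Multiply a field element by (02): shift left, reduce if bit 7 was set.

    The XOR with 0x1b is followed by dropping the bit shifted out of the
    byte, which is the step the prose calls preventing "field overflow".
    """
    b <<= 1
    if b & 0x100:
        b = (b ^ 0x1B) & 0xFF
    return b


def gmul(a, b):
    """Multiply a by b in GF(2^8) by decomposing b into powers of 2.

    For b = (03) this is exactly the decomposition in the text:
    a*(03) = a*(02) + a*(01), with + meaning XOR.
    """
    result = 0
    while b:
        if b & 1:
            result ^= a  # add (XOR) the current power-of-2 multiple of a
        a = xtime(a)     # next power of 2
        b >>= 1
    return result


# Standard AES MixColumns matrix (FIPS-197), one row per output byte.
MIX_MATRIX = (
    (2, 3, 1, 1),
    (1, 2, 3, 1),
    (1, 1, 2, 3),
    (3, 1, 1, 2),
)


def mix_column(column):
    """Apply the MixColumns matrix to one 4-byte status word."""
    if len(column) != 4 or any(not 0 <= x <= 0xFF for x in column):
        raise ValueError("a status word is four bytes")
    out = []
    for row in MIX_MATRIX:
        acc = 0
        for coeff, byte in zip(row, column):
            acc ^= gmul(byte, coeff)
        out.append(acc)
    return out


if __name__ == "__main__":
    print(hex(xtime(0x57)), hex(gmul(0x57, 0x13)))
    print([hex(x) for x in mix_column([0xDB, 0x13, 0x53, 0x45])])
```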
ii. 加密流程  Ii. Encryption process
Rijndael算法的数据处理单元为字节, 一个明文分组信息被分为 4 XN6个字节, 对于 AES标准 Nb=4, 它们按顺序被放入一个 4 X )的矩阵中, 这个矩阵被称为 "状态 ( State) "。 状态的一列称为 一个 "状态字"。密码密钥则是一个 4 ΧΛ¾的矩阵, AES标准允许的 :值是 4、 6和 8, 相应的各列 (4个字节)称为 "密钥字"。 根据乱序执行的需要, 发明中以状态字和密钥字作为基本操作数, 即每个令牌的数据域都是由状态字或密钥字组成的, 将这两类令牌分别称为状态令牌和密钥令牌。  The data processing unit of the Rijndael algorithm is byte, and a plaintext grouping information is divided into 4 XN6 bytes. For the AES standard Nb=4, they are put into a 4×) matrix in order. This matrix is called “ State ("). A column of states is called a "status word." The cryptographic key is a 4 ΧΛ 3⁄4 matrix, which is allowed by the AES standard: the values are 4, 6, and 8, and the corresponding columns (4 bytes) are called "key words." According to the need of out-of-order execution, the state word and the key word are used as basic operations in the invention, that is, the data field of each token is composed of a status word or a key word, and these two types of tokens are respectively referred to as Status token and key token.
Rijndael算法所有的变换都是基于状态的变换。 AES变换是通过轮函数的多次迭代实现的, 根 据密钥长度的不同, 迭代次数也不同。 迭代轮次用 N"表示, Nk等于 4、 6、 8所对应的 NT"分别是 10、 12和 14。  All transformations of the Rijndael algorithm are state-based transformations. The AES transformation is implemented by multiple iterations of the round function, and the number of iterations is different depending on the length of the key. The iteration round is denoted by N", and Nk is equal to 4, 6, and 8 corresponding to NT" are 10, 12, and 14, respectively.
The flow of the encryption algorithm is shown in Figure 4, where the operations inside the dashed box make up one round transformation function.
The meaning of each module in the figure is explained below:
iii. Round key mixing - AddKey
This corresponds to the "+" operation in the figure: each byte of the current state is XORed bitwise with the corresponding byte of the corresponding round key.
iv. Byte substitution - Srd
Byte substitution is an invertible, nonlinear byte substitution operation. It is applied to every byte of the block, and the operation on a byte follows a substitution table, the S-box. For a byte, its first 4 bits are taken as the x coordinate and its last 4 bits as the y coordinate, and the corresponding entry found in the S-box replaces the original data. This is the function performed by Srd(). The contents of the S-box are as follows:
[Figure imgf000008_0001: S-box table]
v. Row shift transformation - ShiftRow
The row transformation cyclically shifts each row of the state to the left. In the AES standard, the numbers of bytes by which rows 0 to 3 are shifted are denoted C0, C1, C2, C3 in turn, and they equal 0, 1, 2, 3 respectively. Figure 5 shows the effect of ShiftRow for Nb=4.
vi. Column mixing transformation - MixCol
Column mixing replaces a state word with the value obtained by multiplying a constant matrix by that state word. The transformation is written in matrix form in Equation 1, where a0, a1, a2, a3 are the bytes of row 0 to row 3 in turn, and the 4 bytes of the result are b0, b1, b2, b3 in turn.

$$\begin{pmatrix} b_0 \\ b_1 \\ b_2 \\ b_3 \end{pmatrix} = \begin{pmatrix} 02 & 03 & 01 & 01 \\ 01 & 02 & 03 & 01 \\ 01 & 01 & 02 & 03 \\ 03 & 01 & 01 & 02 \end{pmatrix} \begin{pmatrix} a_0 \\ a_1 \\ a_2 \\ a_3 \end{pmatrix} \qquad (1)$$

Note that the addition and multiplication in this matrix operation are both addition and multiplication in the finite field GF(2^8).
vii. Key expansion - KeyExpansion
Key expansion is the process of expanding the initial cipher key into round keys. The expanded keys are arranged in expansion order. The Rijndael algorithm needs 4×4 round key bytes per round; each column of 4 bytes is called an expanded key word, and the round key of round i is given by columns 4i to 4(i+1)-1 of the expanded key sequence. The expanded key has 4(Nr+1) words in total. The key expansion function depends on the value of Nk: the first Nk columns of the expanded key sequence are the cipher key (also called the initial key), and the following columns are determined recursively from the earlier ones. The recursion depends on the position of the column. If i is not a multiple of Nk, column i is the bitwise XOR of column i-Nk and column i-1; otherwise, column i is the bitwise XOR of column i-Nk and a nonlinear function (denoted f) of column i-1. This nonlinear function can be implemented by applying Srd to the 4 bytes of the column, adding a cyclic shift of the bytes within the column, and adding a round constant. The round constant is independent of Nk and is defined by a recursion rule in GF(2^8):
RC[1] = x^0 (i.e. 01)
RC[2] = x (i.e. 02)
RC[j] = x · RC[j-1] = x^(j-1), j > 2
The multiplication by 2 here is also an operation in the finite field GF(2^8).
For Nk > 6, when i mod Nk = 4, column i is likewise the bitwise XOR of column i-Nk and a nonlinear function of column i-1; this nonlinear function applies Srd to the 4 bytes of the column and is denoted g.
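The GF(2^8) multiplication rule, Equation 1 and the round constant recursion from this subsection, as an added Python example (not code from the patent). The function names and the sample state word are assumptions chosen for illustration.

```python
def xtime(b):
    """Multiply b by (02): shift left one bit; if b was >= (80), XOR with (1b)."""
    shifted = (b << 1) & 0xFF
    return shifted ^ 0x1B if b & 0x80 else shifted

def gf_mul(a, b):
    """Multiply in GF(2^8) by splitting b into powers of 2, as done for (03) = (02) + (01)."""
    product = 0
    while b:
        if b & 1:
            product ^= a        # addition in GF(2^8) is XOR
        a = xtime(a)            # a times the next power of 2
        b >>= 1
    return product

# Constant matrix of Equation 1, row 0 first.
MIX = [[2, 3, 1, 1],
       [1, 2, 3, 1],
       [1, 1, 2, 3],
       [3, 1, 1, 2]]

def mix_column(a):
    """Apply Equation 1 to one state word [a0, a1, a2, a3]; returns [b0, b1, b2, b3]."""
    out = []
    for row in MIX:
        acc = 0
        for coeff, byte in zip(row, a):
            acc ^= gf_mul(byte, coeff)
        out.append(acc)
    return out

def round_constants(count):
    """RC[1] = 01 and RC[j] = 02 * RC[j-1]; returns [RC[1], ..., RC[count]]."""
    rc = [0x01]
    while len(rc) < count:
        rc.append(xtime(rc[-1]))
    return rc

if __name__ == "__main__":
    column = [0xDB, 0x13, 0x53, 0x45]   # constructed sample state word
    print([f"{b:02x}" for b in mix_column(column)])
    print([f"{c:02x}" for c in round_constants(10)])
```

The ninth round constant is the first one where the shift overflows the byte and the XOR with (1b) takes effect.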
(2) Token hold-match-fire (HMF):
Data-flow computation consists of processing tokens: creating (firing), parsing and processing tokens, holding tokens temporarily, and matching tokens against one another. For an operation with several operands, the operand tokens often do not arrive at the same time, so a holding unit is needed to store the tokens that have arrived. All arrived tokens are then "matched", and when a pair (or more) of ready operand tokens is found, they are packed into a new token and fired to the processing unit.
The invention uses a new circuit to implement token matching, called the token hold-match-fire structure and denoted HMF. The out-of-order execution control is implemented in the HMF structure: when the holding unit contains several tokens, or several groups of tokens, that have matched successfully at the same time, the circuit selects one of them at random and sends it; if only one token or one group of tokens has matched successfully, that token or group is sent.
In the invention, each operation unit and the ciphertext output unit has its own hold-match-fire structure.
(3) A special key expansion structure
If the round key sequence described in subsection (1) is divided into groups of Nk words, called "key groups", the computational relationship between the key groups can be represented as in Figure 6. In the figure, "+" is the bitwise XOR operation; k_j, with i = 0, 1, ..., 4(Nr+1)/Nk and j = 0, 1, ..., Nk-1, denotes the key word in column j of the i-th key group; and f and g are the nonlinear transformations of key expansion. For convenience, this document calls the intermediate results f and g of the expanded key intermediate key words. As Figure 6 shows, each key group can be divided into two parts: the first 4 key words form the low segment (the right-hand part of the figure), and the remaining (Nk-4) key words belong to the high segment (the left-hand part of the figure). When Nk=4, each key group involves only the low-segment computation. Key expansion can therefore be implemented iteratively with the operation structure shown in Figure 7. This structure contains chained XOR operations and the nonlinear transformations f and g. The 5-input, 4-output chained XOR operation is implemented by the circuit shown in Figure 8 and is named the KeySch operation, where k3, k2, k1, k0 and f are the input key words and y3, y2, y1, y0 are the output key words.
The specific algorithms for the different values of Nk are shown in Figure 9, where the operations marked with * are the ones that start each iteration. When Nk>4, the result of the low-segment KeySch computation becomes the low segment of the new group and the result of the high-segment KeySch computation becomes the high segment of the new group. When Nk=4, the result of the low-segment KeySch computation becomes the high segment of the new group and the result of the high-segment KeySch computation becomes the low segment of the new group. When Nk=6, the result takes part in the KeySch operation directly without passing through the g transformation; for uniform notation it is still denoted g, and in this case g means a direct copy.
For convenience, this document calls an expanded key word from which an intermediate key word is generated a transform key word; the transform key words that generate f and g are called transform key word 1 and transform key word 2 respectively.
In the invention, the nonlinear transformations of key expansion are also executed in the round function execution unit and share the Srd operation unit. The token processing flow of the key expansion method above is shown in Figure 10a. After the initial key has been saved to the buffer unit, it is first examined; if a transform key word is found, it is forwarded into the "round transformation ring" and, after the corresponding nonlinear transformation (f or g), the result is written to the intermediate key word cell of the key holding unit. Meanwhile, the key transformation ring repeatedly examines the tokens in the key buffer; when it finds a group of tokens waiting for the KeySch operation, it performs KeySch on them and writes the result back to the corresponding address of the key buffer unit. It stops when it finds that key expansion is complete; the stop condition is that the token round in the round transformation ring has reached the last round.
(4) Round function part
The processing flow of state tokens in the invention is shown in Figure 10b. The token of one state column first performs the AddKey operation with the corresponding round key column, and the round of the result token is then checked. If the round equals Nr, the token data is buffered in the output buffer unit; once the output buffer unit is full, the ciphertext is output and the operation ends. If the round is less than Nr, a check is made whether the tokens that have completed AddKey can form a new token for the MixCol operation (by the AES algorithm, the MixCol operation on one state column depends on the AddKey results of 4 columns). If the match succeeds, the 4 relevant state bytes are repacked into a new state word token, and Srd and MixCol are performed on it in turn. The addresses of these 4 state bytes are derived backwards from the fact that they lie in the same column after ShiftRow, so the token that is sent is already the result of ShiftRow. For tokens of the last round, only the Srd operation is performed. The resulting state after the round transformation is returned to the state token holding unit, and a new round of computation begins.
Summary of the invention
The object of the invention is to provide a circuit that addresses the resistance of cryptographic integrated circuits to differential power analysis attacks, in particular a data-flow AES encryption circuit with out-of-order execution.
To achieve this object, the invention is a data-flow-mode AES encryption integrated circuit structure that executes out of order and can resist differential power analysis attacks. The structure processes one data block at a time; the next block can be processed only after the previous block has been completed.
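A software model of the token flow described in sections (2) to (4) of the background, added here as an example; it is not the patent's circuit. It covers Nk = 4 only, the function and variable names are assumptions, and Python's `random.Random` stands in for the circuit's random selection among matched tokens.

```python
import random

NR = 10                                   # AES-128: Nk = 4 key words, Nr = 10 rounds

def xtime(b):
    """Multiply by (02) in GF(2^8)."""
    b <<= 1
    return b ^ 0x11B if b & 0x100 else b

def build_sbox():
    """Srd table: multiplicative inverse in GF(2^8) followed by the AES affine map."""
    exp, log, x = [0] * 255, [0] * 256, 1
    for i in range(255):                  # powers of the generator (03)
        exp[i], log[x] = x, i
        x ^= xtime(x)
    sbox = []
    for v in range(256):
        inv = exp[(255 - log[v]) % 255] if v else 0
        s = inv ^ 0x63
        for k in range(1, 5):             # XOR in inv rotated left by 1..4 bits
            s ^= ((inv << k) | (inv >> (8 - k))) & 0xFF
        sbox.append(s)
    return sbox

SBOX = build_sbox()
RC = [0x01]
while len(RC) < NR:
    RC.append(xtime(RC[-1]))              # RC[j] = 02 * RC[j-1]

def f_transform(word, rc):
    """Nonlinear f: cyclic byte shift, Srd on each byte, then add the round constant."""
    out = [SBOX[b] for b in word[1:] + word[:1]]
    out[0] ^= rc
    return out

def keysch(mid, group):
    """KeySch: 5-input, 4-output chained XOR giving the next key group."""
    out, prev = [], mid
    for k in group:
        prev = [p ^ q for p, q in zip(prev, k)]
        out.append(prev)
    return out

def mixcol(a):
    """MixCol on one state word (Equation 1)."""
    return [xtime(a[i]) ^ xtime(a[(i + 1) % 4]) ^ a[(i + 1) % 4]
            ^ a[(i + 2) % 4] ^ a[(i + 3) % 4] for i in range(4)]

def words(block):
    """Split 16 bytes into 4 column words."""
    return [list(block[4 * c:4 * c + 4]) for c in range(4)]

def encrypt_out_of_order(plaintext, key, seed):
    """Encrypt one block, firing one randomly chosen ready operation per step.

    Returns (ciphertext, trace); trace lists the operations in execution order.
    """
    rng = random.Random(seed)             # assumption: stand-in for the hardware choice
    keys = {0: words(key)}                # key group number -> 4 key words
    mid = {}                              # key group number -> intermediate key word
    ak = {(0, c): w for c, w in enumerate(words(plaintext))}  # (color, column) awaiting AddKey
    eu = {}                               # (color, column) awaiting the round function
    fired, out, trace = set(), {}, []
    while len(out) < 4:
        ready = [("f", g, 0) for g in keys if g < NR and g + 1 not in mid]
        ready += [("keysch", g, 0) for g in mid if g not in keys]
        ready += [("addkey", r, c) for (r, c) in ak if r in keys]
        ready += [("round", r, c) for r in range(1, NR + 1) for c in range(4)
                  if (r, c) not in fired
                  and all((r, (c + i) % 4) in eu for i in range(4))]
        op, a, c = rng.choice(sorted(ready))
        trace.append((op, a, c))
        if op == "f":                     # transform key word -> intermediate key word
            mid[a + 1] = f_transform(keys[a][3], RC[a])
        elif op == "keysch":
            keys[a] = keysch(mid[a], keys[a - 1])
        elif op == "addkey":
            word = [s ^ k for s, k in zip(ak.pop((a, c)), keys[a][c])]
            if a == NR:
                out[c] = word             # last round: buffer for ciphertext output
            else:
                eu[(a + 1, c)] = word     # color + 1, wait for the other columns
        else:                             # byte i of the new word comes from column c+i (ShiftRow)
            word = [SBOX[eu[(a, (c + i) % 4)][i]] for i in range(4)]
            ak[(a, c)] = mixcol(word) if a < NR else word
            fired.add((a, c))
    return bytes(b for c in range(4) for b in out[c]), trace

# FIPS-197 Appendix B test vector
KEY = bytes.fromhex("2b7e151628aed2a6abf7158809cf4f3c")
PLAINTEXT = bytes.fromhex("3243f6a8885a308d313198a2e0370734")
EXPECTED = bytes.fromhex("3925841d02dc09fbdc118597196a0b32")

if __name__ == "__main__":
    for seed in range(3):
        ct, trace = encrypt_out_of_order(PLAINTEXT, KEY, seed)
        print(seed, ct.hex(), trace[:4])
```

Every seed produces the same ciphertext from a different operation order, so in this model a given intermediate value is not computed at a fixed step of the run.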
The out-of-order-execution data-flow AES encryption circuit of the invention is characterized mainly in that the circuit structure is implemented on a data-flow encryption application-specific integrated circuit, conforms to the Advanced Encryption Standard (AES), whose final algorithm is the Rijndael algorithm, and uses data-flow mode to achieve out-of-order encryption. The circuit structure contains:
a. Transmission channel: the data transfer interface between two components. The data it carries is the token with the corresponding number. It comprises a token input data bus, a data output bus, input request and acknowledge signals, and output request and acknowledge signals. The interface between a transmission channel and the outside is a channel port;
b. Input unit: the interface between the chip core and the outside. It takes in the plaintext and the key with the timing required by the protocol, sends the plaintext into the core through transmission channel 4#, and writes the key into the initial key memory. It also generates the reset signal InterRSt_ and the initial key load signal load required by the units of the core in the circuit structure. The token carried on channel 4#, named token 4, comprises a 32-bit data field and a 2-bit column field;
c. Channel switch unit (Switch): a crossbar switch with 2 transmission-channel inputs and 2 transmission-channel outputs, which also receives the input signal WK from the working-state register. When WK=0 the channel switch unit is idle: it receives the plaintext data sent by the input unit over channel 4#, parses it, repacks the data into a state word token and sends it to channel 5#. The token carried on channel 5#, named token 5, comprises a 32-bit data field, a 4-bit color field that represents the round, and a 2-bit address field. When token 5 is packed from token 4, its data field copies the data field of token 4 directly, its color field is set to 0, and its address field copies the column field of token 4. When WK=1 the unit is in the working state: it parses the token arriving on channel 3# and, depending on its type, repacks a state word token into a token sent to channel 5#, or repacks a key word token into a token sent to channel 6. The token carried on channel 3#, named token 3, comprises a 1-bit attribute field and a 32-bit data field. When the attribute field equals 0 it is a state word token and also comprises a 1-bit operator field, a 2-bit column field and a 4-bit color field; when it is repacked into token 5, the data field copies the data field of token 3, the color field copies the color field of token 3, and the address field copies the column field of token 3. When the attribute field of token 3 equals 1 it is a key word token and also comprises a 1-bit fadd bit and 6 bits of don't-care data. The token sent to channel 6#, named token 6, is the intermediate key word token described below and comprises a 32-bit data field and a 1-bit address field; when it is packed, the data field of token 3 is copied directly to the data field of token 6 and the fadd field is copied to the address field of token 6;
d. Initial key memory: a 256-bit register bank that receives the clock signal and the input cipher key data from the input unit and stores the cipher key received from the input unit directly;
e. AK holding unit: the holding unit for tokens waiting for the AddKey operation. It comprises a key word memory, a state word memory, and token parsing and packing circuits. The key word memory has 8 key word storage cells, 2 intermediate key word storage cells, two 5-bit internal memories, BLOCKH and BLOCKL, and a 2-bit state register KES. The key word storage area has a 3-bit address; its address space in binary is 000-111, and it stores in order the expanded key words whose sequence number modulo the number of key group columns Nk equals 0-7. The high segment is 100-111 and the low segment is 000-011. Each stored record comprises a 32-bit data field, a round transformation flag bit and an expansion flag bit. The data stored in the cell of the key word memory whose address equals Nk-1 is called transform key word 1; when Nk is not equal to 4, the record data at address 3 is called transform key word 2, and when Nk equals 4, transform key word 2 is the record data at address 7. The state word storage area has a 2-bit address; its address space in binary is 00-11, and it stores columns 0-3 of the state in order. Each record comprises a 32-bit data field and a 4-bit color field. The intermediate key word storage area has a 1-bit address space, 0-1, and stores in order the intermediate key words arriving from channel port 6. An intermediate key word is the result of computing a nonlinear function defined in the AES key expansion algorithm, and each stored record comprises a 32-bit data field. Every storage cell of the state word memory and of the intermediate key word storage area has a "full/empty" flag bit labelled flag: when the cell is written, flag is set to 1, meaning full, and after the data has been read out, flag is set to 0, meaning empty. The "full/empty" flag of each storage cell of the key word memory is set to 1, meaning full, when the round transformation bit and the expansion bit of that cell both equal 0, and is set to 0, meaning empty, when both bits equal 1. BLOCKH stores the "group value" of the high-segment key words and BLOCKL stores the "group value" of the low-segment key words. The "group value" is the sequence number of the group obtained when the expanded key sequence of all rounds is divided into groups of Nk. The expanded key is expanded from the initial key, its total length is 4(Nr+1), and Nr is the number of rounds. The AK holding unit has three input channel ports. The channel 5 port receives token 5 and writes it into the state word storage area; the write address is the value of the address field of token 5, and the data field and color field of the state word record equal the data field and color field of token 5 respectively. The channel 6 port receives token 6 and writes it into the intermediate key word area; the write address is the value of the address field of token 6, and the data field of the written record equals the data field of token 6. The channel 9 port receives a new expanded key word token and writes it into the key word storage area. In addition, the key word storage area has a load port, 256 bits wide, which is connected to the output of the initial key register and uses the load signal as its load signal. The AK holding unit has two output channel ports: the channel 7 port sends operand tokens for the AddKey operation or for transform key word forwarding, and the channel 10 port sends operand tokens for the key expansion operation;
e1. The token carried on the channel 9 port, named token 9, comprises four 32-bit data fields k0-k3, a 5-bit BLOCK field and a 1-bit part field. If part equals 0, k0-k3 are written in order into the cells of the key word storage area at addresses 000-011 (addresses given in binary), the BLOCK value of token 9 is assigned to BLOCKL, and the round transformation flag bits and expansion flag bits of all low-segment cells are reset to 0. If part equals 1, k0-k3 are written in order into the cells of the key word storage area at binary addresses 100-111, the BLOCK value of token 9 is assigned to BLOCKH, and the round transformation flag bits and expansion flag bits of all high-segment cells are reset to 0;
e2. The token sent from the channel 7 port, named token 7, comprises two 32-bit data fields, data1 and data2, and a 1-bit attribute field whose value equals the value of the AorT signal, described below, at the time of sending. When AorT equals 0, the AddKey operation is performed and token 7 is a state word token that also comprises a 4-bit color field and a 2-bit column field. When it is packed, the value of the ssel signal described below is copied to its column field, the data field of the state word record at address ssel is copied to the data1 field of token 7, the color field of that state record is copied to the color field of token 7, and the data field of the key record at the address given by the ksel value described below is copied to the data2 field of token 7. The acknowledge signal of the channel 7 port clears the state word record that was read and sets the round transformation bit of the key word record that was read to 1. When AorT equals 1, the transform key word forwarding operation is performed and token 7 is a key token that, besides the data fields and the attribute field, comprises a 1-bit operator field, a 1-bit fadd field and 4 bits of don't-care data. When it is packed, the data1 field equals 0 and the data field of the key record at the address given by the ksel value described below is copied to its data2 field. When ksel equals Nk-1, transform key word 1 is forwarded, fadd equals 0 and the operator field equals 0, which indicates that the token will undergo the f transformation described below. When Nk equals 4 and ksel equals 7, transform key word 2 is forwarded, the fadd field equals 1 and the operator field equals 0, which indicates that the token will undergo the f transformation described below. If Nk is not equal to 4 and ksel equals 3, transform key word 2 is forwarded, fadd equals 1 and the operator field equals 1, which indicates that the token will undergo the g transformation described below. The acknowledge signal of the channel 7 port clears the state word record that was read;
e3. The token sent from the channel 10 port, named token 10, comprises a 32-bit intermediate key word field, four 32-bit key word fields k0-k3, a 5-bit BLOCK field and a 1-bit step field. When it is packed, the step field of token 10 equals the value of the step signal at the time the token is sent. When the step signal equals 0 at the time of sending, the intermediate key word field of token 10 equals the data of the record at address 0 of the intermediate key word storage area, the BLOCK field of token 10 equals the value of the BLOCKL register, and the acknowledge signal of the channel 10 port sets the expansion bits of the 4 key words in the low segment of the key storage area to 1. When the step signal equals 1 at the time of sending, the intermediate key word field of token 10 equals the data of the record at address 1 of the intermediate key word storage area, the BLOCK field of token 10 equals the value of the BLOCKH register, and the acknowledge signal of the channel 10 port sets the expansion bits of all key words in the high segment of the key storage area to 1;
e4. KES controls the timing of key expansion; its states are given in binary. The initial state of KES is 00, the state of preparing to compute f. After transform key word 1 forwarding has been performed in this state, KES becomes 01, the state of executing the f transformation. When the low-segment key is read for key expansion in state 01, KES changes to 11, the state of preparing to compute g. After the transform key word 2 operation has been performed in state 11, KES changes to 10, the state of executing the g transformation. When the high-segment key is read for key expansion in state 10, KES changes to 00;
f. Working-state register: sends the WK signal to the input unit and to the channel switch unit Switch, and receives the OK signal from the Matcher OK unit described below; WK is reset when the OK signal rises;
g. Matcher II matching unit: it examines the state word storage area and the key word storage area in the AK holding unit. When it finds ready state word/key word pairs or a ready transform key word, it selects one of them at random, passes the corresponding address selection signals to the AK holding unit, and then triggers the token fire signal fetch_II. The selection signals comprise the AddKey state word read address, labelled ssel; the key word read address, labelled ksel; and the signal labelled AorT that indicates the operation the fired token will perform: 0 means the AddKey operation and 1 means transform key word forwarding, labelled Trans. The inputs of the Matcher II matching unit comprise the observation signals of the state word storage area and the key word storage area of the AK holding unit, including the color and flag bits of the state word records, the round transformation flag bit, expansion flag bit and flag field of the key word records, BLOCKL and BLOCKH, and KES, as well as the number of key group columns Nk. "Ready" means: the sequence numbers of all observed state words and key words are computed, and a state word/key word pair with equal sequence numbers and both flags equal to 1 is sought, or the corresponding transform key word is detected and found according to the KES state. When the fetch_II signal arrives, it triggers the AK holding unit to send the token to channel 7#; when the sent state word has been cleared, or the KES state changes, fetch_II is reset;
h. Matcher K matching unit: it examines the observation signals of the key word storage area and the intermediate key word storage area: the round transformation flag bits and expansion flag bits, flag, and the KES state. When KES is in a key expansion state and the corresponding key field and intermediate key field are ready, it sets the key expansion read address, labelled step, to the corresponding value (1 for high-segment expansion, 0 for low-segment expansion) and triggers the token fire signal fetch_K. The AK holding unit packs the corresponding data of the key area and the BLOCK value into a token according to the step signal and holds it for sending; when the fetch_K signal arrives, it triggers the AK holding unit to send the token out through channel 10. If the exp_stop signal described below is asserted, the Matcher K matching unit stops working;
i. Key expansion operation unit, labelled Key Schedule: it receives and parses the token from channel 10 and, after the Key Schedule processing described below, packs the result into a token containing the new expanded key and sends it out through channel 9. The Key Schedule processing comprises the following operations:
i1. The intermediate key word field and the k0-k3 fields of token 10 are taken as input and the KeySch operation is performed: the intermediate key word is XORed bitwise with k0 and the result is output as the k0 field of token 9; that result is XORed bitwise with k1 of token 10 and output as k1 of token 9; that result is XORed bitwise with k2 of token 10 and output as k2 of token 9; and that result is XORed bitwise with k3 of token 10 and output as k3 of token 9;
i2. The BLOCK field of token 10 plus 1 is taken as the BLOCK value of token 9;

i3. When Nk=4, the logical inverse of the step field of token 10 is taken as the part field of token 9; if Nk>4, the step field of token 10 is copied directly to the part field of token 9;

AddKey operation unit: after receiving and parsing the operand token sent over channel 7, it performs the AddKey operation on the data in it, packs the result into a round-key-mixed token and sends it over channel 8. The AddKey operation is the round key addition defined by the AES algorithm, applied to one column of the state. The token sent over channel 8, named token 8, comprises a 32-bit data field and a 1-bit attribute field. When the attribute field equals 0 it is a status word token and also comprises a 4-bit color field and a column field; when the attribute field equals 1 it is a key token and also comprises a 1-bit operand field and a 1-bit fadd field. When packing, the bitwise XOR of data1 and data2 of token 7 is taken as the result of token 8, and the remaining fields of token 7 are copied directly to the fields of the same name in token 8;

Round update channel switch unit: checks the round of each token arriving from channel 8. If it is a status word token whose round has reached the iteration round count Nr, it is forwarded over channel 11 to the output temporary storage unit described below; otherwise its round is incremented by 1 and it is forwarded over channel 1 to the EU register unit described below for further processing. If the round of the arriving token is Nr and the expanded key that was added to it belongs to the high segment of the key block, which means that key expansion is complete, the exp_stop signal is triggered. A key word token is forwarded directly over channel 1 to the EU register unit described below for further processing. The token processing comprises the following 3 cases:
k1. The token transmitted over channel 11, named token 11, comprises a 32-bit data field and a 2-bit column field. When packing, the data field of token 8 is copied directly to the data field of token 11, and the column field of token 8 is copied directly to the column field of token 11;
k2. When the attribute field of token 8 is 0, the token sent over channel 1, named token 1, is a status word token comprising a 32-bit data field, a 4-bit color field, a 2-bit column field, a 1-bit operator field and a 1-bit attribute field. When packing, the data field and column field of token 8 are copied directly to the fields of the same name in token 1, the color field of token 8 plus 1 is taken as the color field of token 1, and the attribute field of token 1 equals 0. If the color field of token 8 equals Nr-1, the operator field of token 1 is marked as the Srd operation; otherwise the operator field of token 1 is marked as the SM operation;
k3. If the attribute field of token 8 equals 1, token 1 sent over channel 1 is a transformed key word token comprising a 32-bit data field, a 1-bit operator field, a 1-bit fadd field and 5 don't-care bits. When packing, each field of token 8 is copied directly to the field of the same name in token 1;
Output temporary storage unit: a temporary storage unit for reordering the ciphertext, consisting of a 4 x 32-bit storage array and a token parsing circuit. It receives and holds the ciphertext data carried by the result tokens that arrive out of order over channel 11; the write address is the column field of token 11 and the written data is the data field of token 11. After receiving a read address signal from the output unit described below, it outputs the corresponding ciphertext status word to that output unit. Each storage cell of this unit has a "full/empty" flag bit labeled flag: when the cell is written, flag is set to 1, meaning full; after the data has been read out, flag is reset, meaning empty;
m. Output unit: the interface between the chip and the outside, which outputs the ciphertext with the required timing. Whenever it detects that the OK signal is high, it generates the read addresses of the output temporary storage unit in sequence from 00 to 11 (the addresses are in binary), reads the ciphertext words from the output temporary storage unit, and outputs the ciphertext block according to the output protocol;
n. Matcher OK matching unit: checks all flag signals in the output temporary storage unit. When all flags are 1, meaning that all ciphertext words have arrived, it drives the end signal OK high, which notifies the working state memory and at the same time notifies the output unit to read the ciphertext status words from the output temporary storage unit. When the flags have been reset, the OK signal goes low;
o. EU register unit: consists of one key word storage area and two identical state storage areas, labeled key store, store0 and store1 in that order. key store holds the transformed key word of the key expansion; one storage record comprises a 32-bit data field, a 1-bit fadd field and a 1-bit operator field. store0/store1 hold columns 0 to 3 of the "state" before the row shift. Each column storage cell is divided into 4 rows: the record of row 0 comprises an 8-bit data field, a 4-bit color field and a 1-bit operator field, and the records of rows 1 to 3 each comprise an 8-bit data field. The two state stores work as a pipeline with ping-pong reads and writes, according to the round mark of the input token: when the round is even the token is written to store0, the data in store1 is necessarily the state of the previous round, and data is read from store1 for processing; when the round of the token is odd it is written to store1, store0 necessarily holds the pending data of the previous round's state, and data is read from store0 for processing. The EU register unit has one input transmission channel port, which receives token 1 sent by the round update channel switch unit over channel 1, parses from it the token type (status token or key token), the write address and the record data, and writes the record into the corresponding storage cell. It has one output transmission channel port, connected to channel 2: according to the read address, the store0/store1 selection signal and the status/transformed-key selection signal supplied by the Matcher I matching unit described below, it outputs the corresponding status word or transformed key word, packs it into a token together with the other control signals, and sends it over channel 2 to the EU operation unit described below. Each storage cell of the 3 storage areas above has a "full/empty" flag bit labeled flag: when the cell is written, flag is set to 1, meaning full; after the data has been read out, flag is reset, meaning empty;
o1. The token parsing method is as follows. When the attribute field of token 1 is 0, it is a status word token: the write address is the column field of token 1; the data field of row 0 of the written record is bits 7 to 0 of the token 1 data field, the color field of row 0 is the color field of token 1, and the operator field of row 0 is the operator field of token 1; the data of rows 1 to 3 of the written record are, in order, bits 15 to 8, bits 23 to 16 and bits 31 to 24 of the token 1 data field. When the attribute field of token 1 is 1, it is a key token: the data field of token 1 is copied to the data field of the transformed key word storage record, and the fadd field and operator field of token 1 are copied directly to the fields of the same name in the transformed key word storage record;
o2. The token sent over channel 2 is named token 2, and it is packed as follows. When the status/transformed-key selection signal equals 0, token 2 is a status word token and its attribute field equals 0. Bits 7 to 0 of the data field are the data field of the row 0 record whose address equals the read address supplied by the Matcher I matching unit; bits 15 to 8 are the data field of the row 1 record whose address, after the row shift operation defined by the AES algorithm, equals the read address; bits 23 to 16 are the data field of the row 2 record whose address, after the row shift operation defined by the AES algorithm, equals the read address; bits 31 to 24 are the data field of the row 3 record whose address, after the row shift operation defined by the AES algorithm, equals the read address. The color field and operator field of token 2 are the color field and operator field of the row 0 record whose address equals the read address, and the column field of token 2 is the value of the read address. When the status/transformed-key selection signal equals 0, token 2 is a key word token and its attribute field equals 1; the data field is the data field of the transformed key storage record, and the fadd field and operator field are the fadd field and operator field of the transformed key storage record;
Matcher I matching unit: checks the token information in key store and store0/store1. Taking the row shift transformation into account, when it finds ready status words or a transformed key it randomly selects one, sends the address information to the EU register unit, and uses the fetch_I signal to trigger the trigger signal of the channel 2 port, so that token 2 of the EU register unit is sent to the EU operation unit. The inputs of the Matcher I matching unit comprise the signals from the observation port of the EU register unit, the acknowledge signal of the channel 2 port, and the random signal that controls the selection; it also outputs the fetch_I token send signal to the EU register unit;
Global memory: stores the number of key block columns Nk and the number of iteration rounds Nr. It outputs Nk to the EU register unit and the EU operation unit described below, to the Matcher II unit and to the key expansion operation unit, and outputs Nr to the round update channel switch unit;
EU operation unit: receives token 2 from channel 2 and, after parsing it, performs the corresponding computation on the data field according to the attribute field and operator field of token 2 and the number of key block columns Nk; the result is packed into the data field of token 3 and sent over channel 3. Besides the data field, token 3 has a 1-bit attribute field whose value equals the attribute field of token 2. When the attribute field equals 0 it is a status word token and also has a 4-bit color field and a 2-bit column field; when the attribute field equals 1 it is a key word token and also has a 1-bit fadd field and 5 don't-care bits. When packing, the fadd field of token 2 is copied directly to the fadd field of token 3. The computations on the token data field are:
r1. Srd operation: performed when the attribute field of token 2 equals 0 and the operator field carries the Srd mark, or when the attribute field of token 2 equals 1, the operator field is 1 and the number of key block columns Nk is greater than 6. The Srd table lookup defined by the AES algorithm is applied to each byte of the data field. The operation for attribute field 1 and operator field 1 is the g transformation described above for the case Nk greater than 6;
r2. Srd-MkCol operation: performed when the attribute field of token 2 equals 0 and the operator field carries the SM mark. The Srd table lookup defined by the AES algorithm is first applied to each byte of the data field, and the 4-byte result vector is then left-multiplied by a 4x4 constant matrix, namely the constant matrix of the column mixing operation defined in the AES algorithm;
r3. Srd, cyclic shift and round constant addition: this is the f transformation described above, performed when the attribute field of token 2 equals 1 and the operator field of the key token is 0. The Srd table lookup defined by the AES algorithm is first applied to each byte of the data field, the 4-byte result is then rotated left by 8 bits, and finally the low 8 bits of the result are XORed bitwise with an 8-bit round constant RC. The initial value of the round constant is 0; after each round constant addition its value is multiplied by 2, where the multiplication by 2 is defined over the field GF(2^8);
r4. Direct forwarding: performed when the attribute field of token 2 equals 1, the operator field of the status token is 1 and Nk is less than or equal to 6. The data field of token 2 is copied directly to the data field of token 3. The operation for attribute field 1 and operator field 1 is the g transformation described above for the case Nk less than or equal to 6;
Matcher II random control code generation circuit: randomly generates the 3-bit random selection code that controls the arbitration circuit in the Matcher II matching unit; a new random control code is generated on each falling edge of fetch_II;

Matcher I random control code generation circuit: randomly generates the 3-bit random selection code that controls the arbitration circuit in the Matcher I matching unit; a new random control code is generated on each falling edge of fetch_I;

The Matcher II unit and the AK register unit described above form the token hold-match-fire structure of the AddKey operation unit, called the HMF structure for short; the Matcher I unit and the EU register unit form the HMF structure of the EU operation unit; Matcher K and the key storage area of the AK register unit form the HMF structure of the KeySchedule unit; and Matcher OK and the output temporary storage unit form the HMF structure of the output. The HMF structure has the following features:
u1. It contains one input channel port, which is also the write port of the token temporary storage unit described below, and one output channel port;
u2. It contains a token temporary storage unit implemented as a register file. The write port uses the asynchronous handshake protocol; the write address and write data are obtained by parsing the input token, and the write clock is triggered by the request signal of the input channel port. The read port address is determined by the selection signal output by the matching unit described below, and the output data follows the read address immediately. The output data port and the read address port are connected to the data port of the HMF output channel port through the token packing circuit described below. Each internal storage cell has a "full/empty" flag bit indicating whether a record is present, and an address can be written only when its record is "empty". The full/empty flag bits of all cells, together with the data of the record fields relevant to the matching condition described below, form the observation signals, which can be read by the matching unit described below; the output data can be read by the token packing logic described below. Each full/empty flag bit is generated by a C-element, one input of which is connected to the write clock of the corresponding record and the other input to the inverse of the record's clear signal. The write clock of each record is generated from the receive acknowledge signal of the write port, selected by the write address; the clear signal of each record is generated from the acknowledge signal of the HMF output channel port, selected by the read address;
u3. It contains a matching unit consisting of matching logic and selection logic. The observation signals of each record of the temporary storage unit are fed into the matching logic, which evaluates the Boolean expression corresponding to the matching condition to obtain each match result: 1 if the match succeeds, otherwise 0. Each match result signal passes through one stage of C-element to the input of the selection logic, where it becomes a request signal; the other input of the C-element is connected to the OR of all request signals, so that a match result equal to 1 can pass to the selection logic only when all request signals are 0. While a valid request (a request signal equal to 1) exists, a match result that becomes true after it cannot pass the C-element; once the token corresponding to the request has been sent, the request is reset and the C-elements become transparent to true match results. The selection logic of the Matcher I and Matcher II units is an arbitration circuit that selects randomly among the request signals of the detected token groups and outputs the index of the selected request, from which the read address of the token register is generated. The selection circuit of the Matcher K unit computes the step signal corresponding to the successfully matched request. Matcher OK has no selection circuit. The request index output by the selection circuit of the matching unit passes through a latch and becomes the token selection signal; the request signal chosen by the selection signal becomes the token fire trigger signal, such as the fetch_II, fetch_I and fetch_K signals described above;

u4. After a delay equal to the longest time the selection circuit output needs to settle, the token fire trigger signal triggers the control terminal of the selection-signal latch so that the latch holds its value, and at the same time triggers the request signal for sending the token. The AND of this request signal and the control signal of the selection-signal latch is the request signal of the HMF output channel port. The token packing circuit is a combinational circuit whose inputs are the output data and read address of the token temporary storage unit and whose output is data conforming to the token definition of the output channel. The reset acknowledge signal of the temporary storage unit resets the control terminal of the selection-signal latch, making the latch transparent, so that the selection signal again follows the output of the selection logic of the matching unit.
In the units above, all transmission channels use the asynchronous handshake protocol, and the data processing and token packing of all operation units are implemented with combinational logic. The channel switch unit Switch, the initial key register, the AK register unit, the Matcher K matching unit and the key expansion operation unit together form the key expansion ring; the channel switch unit Switch, the Matcher II matching unit, the AddKey operation unit, the round update channel switch unit, the EU register unit, the Matcher I matching unit and the EU operation unit form the round transformation ring. Within each ring the units are connected by transmission channels, and the rings are connected to each other by the switch unit Switch.
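The firing rule of the EU register unit and Matcher I described above (items o1, o2 and the Matcher I unit), as an added Python behavioural model that is not part of the patent. It assumes one state store only (the store0/store1 ping-pong is left out), a full/empty flag per byte cell, tokens represented as dictionaries, Python's `random` standing in for the 3-bit random control code, and a constructed sample state.

```python
import random

NB = 4  # columns in the state for a 128-bit block

# Constructed sample state: column c holds bytes 4c..4c+3, row 0 in bits 7..0.
SAMPLE_STATE = [0x03020100, 0x07060504, 0x0B0A0908, 0x0F0E0D0C]


class EUStore:
    """One state store of the EU register unit: 4 columns x 4 row cells.

    Assumption: every byte cell has its own full/empty flag, so that a
    row-shifted read can clear exactly the four cells it consumed.
    """

    def __init__(self):
        self.data = [[0] * 4 for _ in range(NB)]       # data[column][row]
        self.full = [[False] * 4 for _ in range(NB)]   # full/empty flags
        self.color = [0] * NB                          # kept with row 0
        self.op = [None] * NB                          # kept with row 0

    def write_token1(self, tok):
        """Parse a status word token 1 and store it at address tok['column']."""
        col = tok["column"]
        if any(self.full[col]):
            raise RuntimeError("record not empty: write must wait")
        for row in range(4):
            self.data[col][row] = (tok["data"] >> (8 * row)) & 0xFF
            self.full[col][row] = True
        self.color[col], self.op[col] = tok["color"], tok["op"]

    def ready_columns(self):
        """Matching condition: output column c is ready once the cells
        (row r, column (c + r) mod 4) that ShiftRows maps into it are full."""
        return [c for c in range(NB)
                if all(self.full[(c + r) % NB][r] for r in range(4))]

    def fire_token2(self, col):
        """Pack token 2 for read address col and clear the consumed cells."""
        if col not in self.ready_columns():
            raise RuntimeError("column %d fired before it was ready" % col)
        word = 0
        for row in range(4):
            src = (col + row) % NB
            word |= self.data[src][row] << (8 * row)
            self.full[src][row] = False
        return {"attr": 0, "data": word, "column": col,
                "color": self.color[col], "op": self.op[col]}


def run_round(state_words, seed, color=1, op="SM"):
    """Write four token 1s in random arrival order, then fire in random order.

    Returns (output words indexed by column, order in which columns fired).
    """
    rng = random.Random(seed)   # stands in for the random control code
    store = EUStore()
    arrivals = list(range(NB))
    rng.shuffle(arrivals)
    for n, col in enumerate(arrivals):
        store.write_token1({"attr": 0, "data": state_words[col],
                            "column": col, "color": color, "op": op})
        # ShiftRows makes every output column depend on all four inputs,
        # so nothing may fire until the last column has arrived.
        assert bool(store.ready_columns()) == (n == NB - 1)
    out, fired = [None] * NB, []
    while store.ready_columns():
        col = rng.choice(store.ready_columns())
        out[col] = store.fire_token2(col)["data"]
        fired.append(col)
    return out, fired


if __name__ == "__main__":
    for seed in range(4):
        words, order = run_round(SAMPLE_STATE, seed)
        print(order, [hex(w) for w in words])
```

Whatever order the columns arrive and fire in, the packed words equal ShiftRows of the stored state; only the sequence of operations, and with it the shape of the power trace, changes from run to run.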
The simulation results of the present invention are as follows:

a) Functional verification:

The final tape-out circuit was simulated at the Verilog level and at the circuit level. The Verilog tests covered all of the known-answer tests provided on the official AES standard website, and all of them passed.

b) Security estimate:

The following test was performed on the experimental chip. With all key bits equal to 0 and with all key bits equal to 1, the same 128-bit plaintext block was encrypted with randomly generated order control codes; 40 power traces were collected in each case, and the absolute difference curve between the two groups of samples was computed. In addition, two power traces obtained by encrypting with the all-0 key and the all-1 key under the same order control code were taken, and their absolute difference curve was computed. The two difference curves are shown in Figure 11. In the figure, the maximum power difference obtained with fixed-order execution is larger than the maximum power difference obtained with out-of-order execution: in the experiment the maximum power difference with fixed-order execution is approximately 0.059 W, while the maximum power difference with out-of-order execution is approximately 0.030 W, which is 50% of the former.

c) Other figures

With a 128-bit key, the core throughput of the experimental chip ranges from 59 Mbps to 63 Mbps, and the energy consumed to encrypt one block is 52.9 nJ (lower than the energy consumption of comparable chips published internationally).

Description of the Drawings
Figure 1: Transmission channel with the 4-phase handshake protocol.
Figure 2: 4-phase asynchronous handshake protocol.
Figure 3: Implementation circuit of the asynchronous transmission channel with the 4-phase handshake protocol.
Figure 4: Definition of the Rijndael round transformation.
Figure 5: Illustration of ShiftRow (128 bits).
Figure 6: Computational relationship between key blocks in the Rijndael algorithm.
Figure 7: Rijndael key expansion structure.
Figure 8: Logic diagram of the KeySch unit.
Figure 9: Flow charts of the key expansion implementation: (a) Nk=4; (b) Nk=6; (c) Nk=8.
Figure 10: Flow of the AES implementation algorithm of the present invention: (a) key token processing flow; (b) status token processing flow.
Figure 11: Power difference curves for the all-0 key and the all-1 key (AES-128).
Figure 12: Structure diagram.
Figure 13: Circuit structure of the input module.
Figure 14: Circuit structure of the output module.
Figure 15: Schematic diagram of the HMF structure.
Figure 16: Basic structure of the token register (4 cells).
Figure 17: Structure of the matching unit.
Figure 18: 4-to-1 arbiter circuit: (a) R-box0; (b) R-box1; (c) overall circuit.
Figure 19: Logic diagram of the fire circuit.
Figure 20: Key expansion state machine.
Figure 21: pp signal generation circuit.
Figure 22: Switch circuit structure.
Figure 23: Structure of the round update unit.
Figure 24: Mapping from token 1 to the EU register unit: (a) status token; (b) key token.
Figure 25: Mapping from the storage records of the EU register unit to token 2: (a) status token; (b) key token.
Figure 26: Mapping from token 2 to token 3: (a) status token; (b) key token.
Figure 27: Flow of the operations of the EU unit: (a) Srd operation; (b) SM operation; (c) RC operation.
Figure 28: Mapping from token 3 to token 5 and from token 3 to token 6: (a) token 3 to token 5; (b) token 3 to token 6.
Figure 29: Mapping from token 4 to token 5.
Figure 30: Mapping from token 5 to SR.
Figure 31: Mapping from token 6 to KR of the AK register unit.
Figure 32: Mapping from the data stored in the AK register unit to token 7: (a) AddKey operation token firing; (b) transformed key word token forwarding (Nk>4); (c) transformed key word token forwarding (Nk=4).
Figure 33: Mapping from token 7 to token 8.
Figure 34: Mapping from token 8 to token 1 and token 11: (a) ciphertext token sending; (b) status token round update; (c) key token forwarding.
Figure 35: Mapping from token 10 to token 9.
Best mode for carrying out the invention
We implemented a dataflow AES encryption chip (THDFAES04) according to the present invention and carried out a tape-out experiment. The specific implementation is described below using this chip as an example:
1. Mode of operation
The chip processes one block at a time. The input and output data buses are both 32 bits wide, and the input and output modules are synchronous circuits so that the chip is easy to embed in a synchronous system. Before encryption starts, the number of key columns (Nk) and the initial key are first loaded through the data input bus into the chip's internal configuration register and initial key register, respectively. The plaintext block is then sent into the chip, and the encryption operation is started by an external signal. The ciphertext state words are first held in the output register; once the whole ciphertext block has been produced, the end signal (OK) goes high and the result can be read from the data output bus. Each time input of a new block begins, the data in the initial key register is rewritten into the internal key register.
2. Circuit structure
The overall circuit structure is shown in Figure 12. The behaviour and interconnection of the modules in the THDFAES04 structure are exactly as described in the present invention. The circuit consists of two asynchronous pipeline rings, the "round transformation ring" and the "key expansion ring". Each transmission channel in the figure is labelled with a number; each channel carries a fixed token format, and these numbers are the corresponding token numbers. The circuit also contains global registers storing WK, Nk and Nr. It has two identical, mutually independent random control code generation circuits, which supply random control codes to the arbitration circuits of Matcher I and Matcher II; they are named random order control sequence register I and random order control sequence register II, respectively. The components of the embodiment are implemented as follows:
5.1 Transmission channels and channel ports:
In Figure 12, transmission channels are drawn as hollow wide arrows; the arrow gives the direction of data transfer. The data carried is the token with the corresponding number. THDFAES04 uses asynchronous transmission channels with a 4-phase bundled-data handshake protocol.
5.2 Input module:
Figure 13 shows the circuit structure of the input module. CKIN is the input clock; the other external inputs are the input data bus, start signal, reset signal, address signal and enable signal. The reset signal resets the whole chip. The control circuit drives the input data distribution logic according to the input address and stores the input data in the corresponding register: plaintext goes into the plaintext buffer, a serial-in, parallel-out shift register that holds 32 bits of plaintext; the key goes into the initial key register in the core; the Nk value goes into the Nk register; and the random order control sequences go into random order control sequence registers I and II in the core. The enable signal controls whether the chip's input is valid. The control circuit contains a counter that records the current plaintext index. The output of the plaintext buffer is connected to the packing logic, which uses the low 2 bits of the counter as the column field of token 4 and the plaintext buffer output as the data field of token 4. When the plaintext written reaches 32 bits, the channel 4 port is triggered to send the token 4 produced by the packing circuit into channel 4. The start signal triggers the load signal, which loads the data in the initial key register into the key storage area of the AK temporary storage unit, and the load signal triggers WK to go high. The InterRst_ signal described in the invention is generated by the control circuit: when the external reset signal is asserted, or when input of plaintext data begins (enable asserted and the address pointing to the plaintext buffer), a negative pulse on InterRst_ resets the core circuit in preparation for a new encryption task, while the initial key is retained.
5.3 Output module:
The output module is a synchronous circuit. Its inputs are the data output of the output temporary storage unit, the OK signal and the external read clock CKOUT; its output ports are the output data bus, the 2-bit read address of the output temporary storage unit and the read-erase signal (OUTACK).
Figure 14 shows the circuit structure of the output module. On receiving the rising edge of OK, the control circuit triggers the cpl signal, which starts the address accumulator: starting from 0, it increments by 1 every 2 clock cycles. The accumulator output is the read address of the output temporary storage unit. The output buffer is a parallel-in, serial-out shift register, and ren is its load control. ren is asserted before each address change; while ren is asserted, the output of the output temporary storage unit is loaded into the output buffer on the falling edge, after which ren is reset, and on each rising edge of CKOUT the output buffer data is shifted out serially to the output data port. Each reset of ren triggers a positive pulse on OUTACK, which clears the record in the output temporary storage unit.
5.4 Initial key register:
The initial key register is a 256-bit register bank holding the key written by the input module. Its clock input is the load signal.
5.5 HMF structure:
The typical structure of the HMF circuit used in THDFAES04 is shown in Figure 15:
It consists of a token register, a matching unit and a transmit circuit. rand is the random selection code described in the invention, here called the order control code. Solid wide arrows in the figure are the transmission channels between the HMF and the outside. WA and WD are the register's write address and input data port; RA and RD are its read address and output data port.
It works as follows: tokens arriving from outside are first stored in the register. Each token record in the register has its own full/empty flag bit (flag), which is set to 1 when data is written; after the record is read, a high level on CLR empties the record addressed by RA (resetting the corresponding flag bit). CLR_done is the acknowledge for CLR, and its falling edge indicates that the flag reset is complete.
The matching unit reads the flag bits of all tokens in the register together with the token tag fields (Tags) relevant to the matching condition, and from them computes the value of their matching function (the propositional formula of the matching condition) as the matching result described in the invention. fetch is the token emission trigger signal described in the invention, select is the selection signal, address is the read address of the token temporary storage unit, and data is the output data of the token temporary storage unit. The data is packed into a new token and sent to the execution unit. The acknowledge from the execution unit triggers clear, which drives the CLR port; at that point the transmit circuit returns to the idle state. The transmit circuit does not handle new send requests while a send is in progress.
5.5.1 Token register
The storage cells of the token register in THDFAES04 are implemented with registers. Figure 16 is a schematic of a 4-cell register; only one group of storage cells is drawn. Each group consists of a set of registers and a flag circuit. The rising edge of the register clock (clk) sets flag to 1 when clr is 0; a positive pulse on the clear signal (clr) resets flag when clk is 0. WA and WD are parsed from the input token; reqin and ackin are the write request and write acknowledge of the input channel port. A request is accepted only when flag is 0, and data is written into the register after the write request has been accepted. Output data passes directly through one level of multiplexer (MUX), so RD follows RA immediately. The CLR signal, steered by RA, triggers the clr signal of the corresponding cell; once all clr signals have gone low, CLR_done falls, marking the end of the record clearing process.
5.5.2 Matching unit
Figure 17 shows a basic 4-request matching unit. It has three parts: the matching logic, the request arbitration, and the select-hold/request-blocking circuit.
The matching logic computes the matching function and is implemented as combinational logic; its results pass through C elements to the arbiter as request signals.
The arbiter in THDFAES04 uses the R-box circuit from the paper by May D., shown in Figure 18; it is 4-to-1 arbitration logic. 10~13 denote the input requests, and A0, A1 give the index of the selected request.
The moments at which the register is read and written are not deterministic. The design assumes that the signals at the observation ports can change at any time, so the arbiter outputs keep changing as well. The select signal therefore has to be synchronised with the token data, so that the output data of the transmit circuit is stable whenever the request signal of the output channel is valid. For this reason a select latch is placed at the arbiter output. Its latch signal is lock; the latch is transparent when lock=0. After the token addressed by select has been cleared, the corresponding request signal resets (select has still not changed at this point), and fetch resets with it. In addition, the C elements and the 4-input OR gate in the figure form a feedback blocking circuit: as long as any valid request is present among the request signals, new requests are blocked, and the C elements conduct again only after all valid requests at the arbiter inputs have reset. The blocking circuit guarantees that the arbiter output settles after a certain time, so sampling select after the same delay following the rise of fetch avoids hazards.
5.5.3 Transmit circuit
Figure 19 shows the logic diagram and main signal waveforms of the transmit circuit.
In Figure 19a, register R and the C element form the receiving channel for the token; the shaded circuit generates the address latch signal lock; req and ack are the request and acknowledge signals of the output channel port, and ackout is the acknowledge signal from the next stage. The remaining signals correspond to Figure 15; is the delay element used for delay matching.
All sequential elements in the circuit start at 0. The rising edge of fetch, delayed by (the settling time of select), becomes the fetch_d signal. The rising edge of fetch_d first triggers lock, latching the index of the valid request. req is output gated by lock. lock stays high throughout the interval from the rising edge of req to the falling edge of clr_ack.
Every HMF structure in THDFAES04 is a slight variation on the typical structure above, with the transmit circuit merged into the register output section of each temporary storage unit. Their specific parameters and differences are described below; anything not specifically mentioned is the same as in the typical structure:
HMF structure of AddKey:
a) AK temporary storage unit:
The ports of the AK temporary storage unit are: three input channel ports (the channel 5 port receives state word tokens; the channel 6 port receives the non-linearly transformed intermediate key word f, g tokens; the channel 9 port receives new expanded key words) and two output channel ports (the channel 7 port sends AddKey operand tokens (token 7); the channel 10 port sends key expansion operand tokens). The packing function of each token is given in the token transmission section. There are also load ports: the initial key input bus, load and WK.
(1) The key word storage area has 8 key word record storage cells and two intermediate key word storage cells.
The address space of the key word storage is (000)₂-(111)₂.
It stores, in order, the key words of the "key block" described earlier whose index modulo Nk equals 0-7; if Nk<8, the high-address cells are left unused;
The intermediate key word part has a 1-bit address, with address space 0-1; it stores f and g in order.
There are also two 5-bit internal registers, BLOCKH and BLOCKL, and one 2-bit operation flag register, KES.
The inputs of the BLOCKL and BLOCKH registers are connected to the corresponding data outputs of the channel 9 port; their clocks are triggered by the channel 9 port write signal, and the part signal of token 9 determines which clock is active (see the token transmission protocol section below). KES controls the timing of key expansion; its state machine is shown in Figure 20. The state of KES changes each time the corresponding key word is read for the f/g transformation and each time the key is read for key expansion. Its initial state is 00, i.e. the state of being ready to compute f.
The record formats of the key word part and the intermediate key word part are as follows:
Key word record (KR):
Figure imgf000025_0001
The full/empty flag bit (flag) of each record is set to 1 when data is written (op=(00)₂) and reset when op=(11)₂.
Intermediate key word record (FR):
Figure imgf000025_0002
It has two write ports, for key words and intermediate key words, each with a write data bus and write address, and two read ports, corresponding to the data fields of token 7 and token 10, each with a data bus and read address. The bus for the token 7 data field is 32 bits wide and its read address is ksel from Matcher II; the bus for the token 10 data field is 160 bits wide and its read address is the step signal from MatcherK, reading out one key segment and one intermediate key word at a time. The write signal of the key word port resets the op of the record written; the acknowledge signal of channel 7 sets the round transformation bit of the key word record read to 1, and the acknowledge signal of channel 10 sets the expansion bit of the record read to 1.
(2) The state word storage area has 4 state word storage cells:
Address space: (00)₂-(11)₂.
They store columns 0 to 3 of the "state" in order.
Record format (SR):
Figure imgf000025_0003
The state word area has one write port, comprising the data bus (36 bits wide), write address and write signal; one load port, connected to the output of the initial key register, 256 bits wide, with load as the set signal; and one read port, whose read address is connected to the ssel signal of Matcher II and whose 36-bit data bus is connected to the datal and color field data inputs of channel 7. When AorT is 1 it outputs the state word addressed by ssel; when AorT is 0 it outputs 0.
b) Matcher II:
It examines the state area and the key area of the AK temporary storage unit. The observation signals read by Matcher II are the color field and flag of the state word records and the op field of the key words; the matching condition expressions are given in the token transfer relationship section below. Its arbitration logic has two levels: the first level selects one of the requests that satisfy the AddKey operation condition; the second level chooses between performing the AddKey operation and forwarding a transformed key word. The corresponding transmit token receiving channel is channel 7; the request selection signals output are the state word read address (ssel), the key word read address (ksel) and the token type flag signal AorT; the corresponding token emission signal is fetch_II. If exp_stop=1, Matcher II does not issue operation requests to forward transformed key words.
The random control code for the arbiter in this matching unit is supplied by random order control sequence register I.
HMF structure of key expansion
The token register of the key expansion HMF structure shares the key area of the AK temporary storage unit with the AddKey HMF structure; its register additionally includes the intermediate key word cells of the AK temporary storage unit.
The observation signals of the Matcher are the op field of the key words, the flag of the intermediate key words, KES, BLOCKL and BLOCKH; the matching conditions are given in the token transfer relationship section below. The request selection signal output is the segment marker step. According to step, the packing logic packs the corresponding data from the key area together with the BLOCK value into token 10 for sending; the packing logic is detailed in the token transmission relationship section. Because key expansion never has more than one token group waiting to execute at the same time, there is no internal arbitration circuit. The token emission signal is fetch_k. When WK is 0, i.e. in the non-working state, the rising edge of load writes the data in the initial key register into the key word area.
HMF structure of the EU unit
a) EU temporary storage unit:
The EU temporary storage unit contains one transformed key word storage cell, key store, and two identical state storage units, store0 and store1.
(1) store0/store1:
Write address space: (00)₂-(11)₂, storing in order columns 0 to 3 of the "state" before ShiftRow; each column is further divided into 4 rows, corresponding to the rows and columns of the state;
The storage record (HDR) format of row 1 (row address 0) is as follows:
Figure imgf000026_0001
store0 and store1 each have one read port and one write port, each with its own address and data bus; the write port also has a write signal. A further input is the ping-pong select signal pp from Matcher I. On a write, all rows use the same address. Internally there is an address offset circuit that takes the external read address (from Matcher I) and outputs the read address for each row; each row's address equals the external address minus the corresponding row shift constant. The read ports of the two registers are connected to the transmit circuit through a multiplexer.
(2) key store: it has a single storage cell, which holds the intermediate result of key expansion. The record format (KR) is as follows:
Figure imgf000027_0001
The state of store0 and store1 is determined by the pp signal: when pp is 0 the multiplexer selects the output of store0; when pp is 1 the multiplexer selects the output of store1. On a write, a token whose round is even is written to store0, and a token whose round is odd is written to store1.
The EU temporary storage unit has one input transmission channel port, connected to channel 1, and one output transmission channel port, connected to channel 2; the token packing function is given in the token transmission relationship section. The unit receives token 1 from channel 1, parses from it the token type (state token or key token), the write address and the record data, and writes the record into the corresponding storage cell. According to pp, s_f and raddr it outputs the corresponding state word or transformed key word and packs it with the other control information into token 2; the fetch_I signal triggers the request signal of the 2# channel port, sending the packed token to channel 2.
b) Matcher I
Matcher I contains two identical state token matching units and one key token matching unit. The matching result for store0, matched0 (corresponding to the matched signal in Figure 17), and the matching result for store1, matched1, are fed to the circuit that generates the ping-pong control signal pp, shown in Figure 21. The observation signals for store0/store1 are the flag bit of each cell and the color and op fields of each HDR; the request selection signal output is the read address raddr (2 bits) of store0/store1; the matching conditions are given in the token transmission relationship section. The arbitration circuit inside each state matching unit is the 4-to-1 circuit shown in Figure 18.
The observation signal of the key matching unit is the flag of the key storage cell; the matching condition is flag=1. Matcher I also contains a 2-to-1 arbitration circuit that picks at random between the request of the state matching unit and the request of the key matching unit; the corresponding operation select signal is s_f, and the corresponding token send signal is fetch_I.
Output HMF:
a) Output temporary storage unit:
The output temporary storage unit is the temporary storage unit for ciphertext reordering; the storage cells described in item 1 of the summary of the invention consist of 4 groups of 4-byte registers. It has one input channel port, connected to transmission channel 11. Its other inputs are the 2-bit read address and the clear signal OUTACK from the output module (OUTACK corresponds to the CLR signal in Figure 16); its other outputs are the output data (32 bits) and the 4-bit flag signal. The circuit is the same as the typical structure in Figure 16, except that it does not generate the reset acknowledge signal (CLR_done). The address bits of the channel 11 output data bus are connected directly to the write address of the temporary storage unit, and the data bits directly to its data input bus.
b) Matcher OK:
Its inputs are the 4 flag signals of the output temporary storage unit, and its output is the OK signal. OK is the AND of the 4 flag signals.
5.6 Key expansion unit (KeySchedule):
The KeySchedule unit has one input channel port (connected to channel 10) and one output channel port (connected to channel 9); the circuit is a cascade of three parts: input channel port, logic, output channel port. It takes token 10 as input and, after processing by the logic, outputs token 9 from the output channel port. The function of the logic is given in the "token transmission protocol" section below.
5.7 AddKey:
The AddKey unit has one input channel port (connected to channel 7) and one output channel port (connected to channel 8); the circuit is a cascade of three parts: input channel port, logic, output channel port. It takes token 7 as input and, after processing by the logic, outputs token 8 from the output channel port. The function of the logic is given in the "token transmission protocol" section below.
5.8 EU:
The EU unit has one input channel port (connected to channel 2) and one output channel port (connected to channel 3); the circuit is a cascade of three parts: input channel port, logic, output channel port. It takes token 2 as input and, after processing by the logic, outputs token 3 from the output channel port. The function of the logic is given in the "token transmission protocol" section below.
5.9 Switch:
Switch is a 2-channel-input, 2-channel-output crossbar switch. Its two input channel ports are the 3# channel port from the round transformation ring and the 4# channel port from the input module; it also has the input signal WK. In the idle state (WK=0) it parses token 4 arriving from the 4# channel port and repacks its data into token 5, which is sent to channel 5. In the working state (WK=1) it parses token 3 arriving from the 3# channel and, depending on its type, repacks a state token into token 5, sent to channel 5, or repacks an intermediate key word token into token 6, sent to channel 6. Its circuit structure is shown in Figure 22, where the arrows are asynchronous transmission channels and DEMUX and MUX are likewise asynchronous control components. When the Key data passed in equals 1, DEMUX copies the input token data to channel 6; otherwise it copies it to the input channel of MUX. When WK=0, MUX passes the data of channel 4 to channel 5; otherwise it passes the data from output 0 of DEMUX to channel 5. On the input side, the attribute field and the request-acknowledge signals of channel 3 are connected to the DEMUX control channel port, and the other data lines and request-acknowledge signals of channel 3 are connected to the DEMUX data input channel port; the control input of MUX is the WK signal. The mapping between the fields of the tokens is given in the token transmission protocol section below.
5.10 Round update unit:
Figure 23 shows the circuit structure of the round update unit. The first-level DEMUX is the same as in Figure 22: if the attribute field of token 8 equals 1, the token is copied directly to channel 1; if it equals 0, the token passes to the second-level DEMUX. If the color field of the input token equals Nr, part of the token is copied to channel 11 and the token's column field is checked at the same time (the exp_stop? unit in the figure): if column>3, all expanded keys have been generated and the exp_stop signal is driven high (exp_stop is reset when a new round of operation starts). If the token's color<Nr, the color field is incremented by 1 and the token is copied to channel 1. The rectangle connected to channel 1 in the figure is a basic asynchronous circuit component, the "Join" control component: tokens never arrive on its two inputs at the same time, and it copies whichever token arrives to the output channel.
5.11 Random order control sequence register I
In THDFAES04 the random order control sequence is supplied from outside. Random order control sequence register I in Figure 12 corresponds to the Matcher I random control code generation circuit in the summary of the invention. It is a ring shift register: before an operation starts, a random sequence is loaded into random order control sequence register I through the external data input port; during operation the data in the register is shifted cyclically, once on each falling edge of fetch_I, and the output of one register stage is connected to the random code input of Matcher I.
5.12 Random order control sequence register II
In THDFAES04 the random order control sequence is supplied from outside. Random order control sequence register II in Figure 12 corresponds to the Matcher II random control code generation circuit in the summary of the invention. Its circuit is the same as that of random order control sequence register I; it shifts once on each falling edge of fetch_II, and its output data is connected to the random code input of Matcher II.
Supplementary note: to keep the focus on the main points, the description above does not mention how the reset signal InterRst_ is connected. In fact, except for the input module, which generates InterRst_, every module has an InterRst_ input, used for circuit initialization.
3. Token transmission protocol
The following token transmission protocol runs on the components and structure described above to implement the AES encryption algorithm:
5.13 Token definitions:
Token 1:
Field (bits) | Value | Description
data (32) | any | data
key (1) | key/state | 1: key token; 0: state token
Data token:
column (2) | 0-3 | column number in the state
color (4) | 0-Nr | round marker
op (1) | SM/Srd | 1: Srd; 0: SM
Key token:
fadd (1) | 0/1 | intermediate key word address
DC | random number |
remain (1) | 0/1 | 0: RC; 1: forward directly
Token 2: same as token 1
Token 3:
Field (bits) | Value | Description
data (32) | any | data
key (1) | 1/0 | 1: key token; 0: state token
Data token:
column (2) | 0-3 | column number in the state
color (4) | 0-Nr | same as token 1
Key token:
fadd (1) | 0/1 | same as token 1
Token 4:
Field (bits) | Value | Description
data (32) | any | data
column (2) | 0-3 | column number in the state
Token 5:
Field (bits) | Value | Description
data (32) | any | data
Address (2) | 0-3 | storage address in the matching buffer
color (4) | 0-Nr | same as token 1
Token 6:
Field (bits) | Value | Description
data (32) | any | data
Address (1) | 0/1 | storage address of the intermediate key word
Token 7:
Field (bits) | Value | Description
data1 (32) | any | operand 1 (the state word output of the matching buffer unit)
data2 (32) | any | operand 2 (the key word output of the matching buffer unit)
AorT (1) | 0/1 | whether to perform AddKey or transform key word forwarding; 0: AddKey, 1: transform key word forwarding
AorT=0:
column (3) | 0-7 | column number in the state
color (4) | 0-Nr | same as token 1
AorT=1:
fadd (1) | 0/1 | same as token 1
remain (1) | 0/1 | same as token 1
DC (5) | random number |
Token 8:
Figure imgf000031_0001
Token 9:
Figure imgf000031_0002
5.14 Data and token transfer relations
Token 1 -> EU buffer unit record
If the key field of token 1 equals 0, the token is written to store0 when color is even and to store1 when color is odd; the write address is the value of the column field of token 1. The mapping between the fields of token 1 and the fields of HDR and DR1-3 is shown in Figure 24(a); the lowest byte (bits 7 to 0) through the highest byte (bits 31 to 24) of the data field of token 1 are written, in that order, to the storage cells of row 0 through row 3. If the key field of token 1 equals 1, the token is written to the key store of the EU buffer unit; the mapping between the fields of token 1 and the fields of KR is shown in Figure 24(b).
EU buffer unit record -> token 2
Matcher I matches the data in store0 or store1. The matching condition is: there exists a column number i such that the storage records at row 1 column i, row 2 column i-C1, row 3 column i-C2 and row 4 column i-C3 are all "full"; the corresponding matching unit output, that is, the read address of store0 and store1, equals i. Matcher I also matches the transform key words in the key store; the matching condition is that the FR record is "full". When more than one item satisfies these conditions, one is chosen at random and sent. For state tokens, if pp=1, token 2 is packed from the corresponding data of store1 and issued when data in store1 satisfies the matching condition; otherwise token 2 is packed from the corresponding data of store0 and issued when data in store0 satisfies the matching condition. If the state storage area selected by pp holds no token data satisfying the condition while the other state storage area does, pp is inverted. The mapping between the HDR and DR records of the state storage area and the fields of token 2 is shown in Figure 25(a). The mapping between the fields of the FR record and the fields of token 2 is shown in Figure 25(b).
Token 2 -> token 3
The mapping between the fields of token 2 and token 3 is shown in Figure 26. The data field of token 2, after computation by the EU unit, becomes the data field of token 3.
The operation the EU performs depends on the values of the other fields of token 2:
When key=0 and op=Srd, the Srd operation is performed;
When key=0 and op=SM, the SM operation is performed;
When key=1 and remain=0, the RC operation is performed;
When key=1 and remain=1: if Nk>6, the Srd operation is performed; if Nk<=6, the result equals the data field of token 2. Flowcharts of these operations are shown in Figure 27. The round constant RC used in the RC operation is generated on line: at chip initialization the RC register is reset to the initial value (01)_16, and after each RC operation (the rising edge of the channel 3 port acknowledge signal marks the end of the operation) the register clock is triggered to rise, which multiplies the current RC value by 2 and stores it in the RC register (the multiplication here is multiplication in GF(2^8)). Srd implements the S-box table lookup described in Appendix A with a ROM; MixCol implements the computation of Equation 1 of Appendix A.
Token 3 -> token 5 and token 6
When key=0 in token 3, token 5 is generated; when key=1 in token 3, token 6 is generated. The mapping between the fields of token 3 and those of token 5 and token 6 is shown in Figure 28.
Token 4 -> token 5
The mapping between the fields of token 4 and the fields of token 5 is shown in Figure 29.
Token 5 -> SR in the AK buffer unit
The content of token 5 is stored in the state buffer area of the AK buffer unit at the address given by the address field of token 5; the mapping between the other fields and the fields of SR is shown in Figure 30.
Token 6 -> KR in the AK buffer unit
The data of token 6 is stored in the intermediate key word storage area of the AK buffer unit at the address given by its address field; the mapping between the other fields and the fields of KR is shown in Figure 31.
AK buffer unit -> token 7
Matcher II has two matching conditions. The AddKey matching condition is: there exists a pair consisting of a state token (denoted SR[i]) and a key token (denoted KR[j]), with storage addresses i and j respectively, satisfying:
SR[i].color · Nb + i = BLOCKX · Nk + j, with op=0 for SR[i] and the round transformation bit of KR[j] equal to 0,
where SR[i].color denotes the color field of SR[i]; BLOCKX=BLOCKL for j<4 and BLOCKX=BLOCKH for j≥4. The corresponding matching outputs are ssel=i, ksel=j, AorT=0.
The Trans matching condition is: KES=(00)_2, the key storage cell at address Nk-1 is not empty, and exp_stop=0, giving the matching outputs ssel=0, ksel=Nk-1, AorT=1; or Nk>4, KES=(11)_2 and the key storage cell at address 3 is not empty, giving the matching outputs ssel=0, ksel=3, AorT=1; or Nk=4, KES=(11)_2, the key storage cell at address 7 is not empty and exp_stop=0, giving the matching outputs ssel=0, ksel=7, AorT=1.
If several tokens (or token pairs) satisfy these conditions at the same time, one is selected at random. When a state token is sent, that is, an AddKey operation token, the packing of token 7 is as shown in Figure 32a; when a key token is sent, that is, for transform key word forwarding, the packing of token 7 is as shown in Figures 32b-c, which correspond to Nk>4 and Nk=4 respectively.
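The AddKey matching rule and the random selection among ready pairs, as a behavioural model added here (it is not code from the patent). It reads the index relation as SR[i].color·Nb + i = BLOCKX·Nk + j; the modulo pick driven by the ring register, the class and function names, and all buffer contents are assumptions constructed for the illustration.

```python
from dataclasses import dataclass
from itertools import product

NB = 4  # the AES state has four 32-bit columns


@dataclass
class StateRec:            # SR[i]: state word stored at address i (its column)
    full: bool = False
    color: int = 0         # round number carried by the token
    op: int = 0            # the page requires op = 0 for an AddKey match
    data: int = 0


@dataclass
class KeyRec:              # KR[j]: expanded key word at address j (0..7)
    full: bool = False
    round_bit: int = 0     # set to 1 once the word has been read for AddKey
    data: int = 0


class RingRegister:
    """Ring shift register preloaded with an externally supplied sequence."""

    def __init__(self, seq):
        self.cells = list(seq)

    def fetch(self):
        code = self.cells[0]
        self.cells.append(self.cells.pop(0))   # one cyclic shift per fetch
        return code


def addkey_matches(sr, kr, nk, block_l, block_h):
    """Return every (i, j) pair that satisfies the AddKey matching condition."""
    pairs = []
    for i, j in product(range(NB), range(len(kr))):
        s, k = sr[i], kr[j]
        if not (s.full and k.full) or s.op != 0 or k.round_bit != 0:
            continue
        block_x = block_l if j < 4 else block_h
        if s.color * NB + i == block_x * nk + j:
            pairs.append((i, j))
    return pairs


def issue(sr, kr, pair):
    """Pack token 7 for one pair and apply the acknowledge side effects."""
    i, j = pair
    token7 = {"AorT": 0, "column": i, "color": sr[i].color,
              "data1": sr[i].data, "data2": kr[j].data}
    sr[i].full = False       # the state word record is cleared
    kr[j].round_bit = 1      # the key word is marked as consumed
    return token7


def drain(sr, kr, nk, block_l, block_h, ring):
    """Issue AddKey tokens until nothing matches; return issue order and results."""
    order, results = [], {}
    while True:
        pairs = addkey_matches(sr, kr, nk, block_l, block_h)
        if not pairs:
            return order, results
        # Assumption: the random code selects a candidate modulo the candidate count.
        token7 = issue(sr, kr, pairs[ring.fetch() % len(pairs)])
        order.append(token7["column"])
        results[token7["column"]] = token7["data1"] ^ token7["data2"]  # token 8 data


def constructed_buffers():
    """Constructed sample: Nk=6, round 1 state words, key words 4..9 present."""
    sr = [StateRec(True, 1, 0, 0x01010101 * (i + 1)) for i in range(NB)]
    kr = [KeyRec() for _ in range(8)]
    words = {0: 0xA0A0A0A0, 1: 0xB1B1B1B1, 2: 0xC2C2C2C2,
             3: 0xD3D3D3D3, 4: 0xE4E4E4E4, 5: 0xF5F5F5F5}
    for j, word in words.items():
        kr[j] = KeyRec(True, 0, word)
    return sr, kr


if __name__ == "__main__":
    for seq in ([2, 0, 1, 0], [0, 0, 0, 0]):
        sr, kr = constructed_buffers()
        # BLOCKL=1, BLOCKH=0: low segment already holds the next key block.
        print(seq, drain(sr, kr, 6, 1, 0, RingRegister(seq)))
```

Different register contents change the order in which the four columns are issued, but not the XOR results; key words 8 and 9 (addresses 2 and 3) stay unmatched until round 2 state words arrive.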
Token 7 -> token 8
The mapping between the fields of token 7 and token 8 is shown in Figure 33. The bitwise XOR of data1 and data2 of token 7 becomes the data field of token 8.
Token 8 -> token 1 or token 11
When key=0 and color=Nr in token 8, token 11 is generated; the field mapping is shown in Figure 34a. When key=0 and color<Nr in token 8, token 1 is generated after the round update; the field mapping is shown in Figure 34(b): the color field of token 8 plus 1 becomes the color value of token 1, and op=Srd in token 1 when color=Nr-1 in token 8, otherwise op=SM. When key=1 in token 8, that is, for a key token, token 1 is generated and the content of token 8 is copied directly into token 1; the mapping is shown in Figure 34c.
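A behavioural model, added here and not part of the patent, of the token routing done by the Switch (5.9) and the round update unit (5.10), using the field mappings stated in claim c and in the transfer relation above. Tokens are modelled as dictionaries; the fields copied into token 11 and the collapsing of the EU and AK stages in `ops_for_one_word` are assumptions, since Figures 33 and 34 are not reproduced on this page.

```python
def switch(wk, token3=None, token4=None):
    """Section 5.9: route one token; returns (output channel, token)."""
    if wk == 0:
        # Idle: a plaintext word from the input module, round counter starts at 0.
        return 5, {"data": token4["data"], "address": token4["column"], "color": 0}
    if token3["key"] == 1:
        # Intermediate key word: fadd becomes the 1-bit storage address.
        return 6, {"data": token3["data"], "address": token3["fadd"]}
    # State word: the column number becomes the storage address.
    return 5, {"data": token3["data"], "address": token3["column"],
               "color": token3["color"]}


def round_update(token8, nr):
    """Section 5.10: returns (output channel, token)."""
    if token8["key"] == 1:
        return 1, dict(token8)          # key tokens are copied through unchanged
    if token8["color"] == nr:
        # Assumption: token 11 carries the data word and its column.
        return 11, {"data": token8["data"], "column": token8["column"]}
    op = "Srd" if token8["color"] == nr - 1 else "SM"
    return 1, {"key": 0, "data": token8["data"], "column": token8["column"],
               "color": token8["color"] + 1, "op": op}


def ops_for_one_word(nr, column=0):
    """Follow the color/op fields of one state word until it leaves on channel 11.

    Assumption: the stages between channel 1 and channel 8 keep color and
    column unchanged, so token 1 comes back as token 8 with the same color.
    """
    ops = []
    token8 = {"key": 0, "data": 0, "column": column, "color": 0}
    while True:
        channel, token = round_update(token8, nr)
        if channel == 11:
            return ops
        ops.append(token["op"])
        token8 = {"key": 0, "data": token["data"],
                  "column": token["column"], "color": token["color"]}


if __name__ == "__main__":
    print(switch(0, token4={"data": 0xDEADBEEF, "column": 2}))
    print(ops_for_one_word(10))
```

For Nr=10 each state word is issued with op=SM nine times and with op=Srd once before it leaves on channel 11.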
Token 10 -> token 9
The mapping between the fields of token 10 and token 9 is shown in Figure 35. The result of the KeySch computation on f, k0, k1, k2, k3 of token 10 becomes the data field of token 9, and BLOCK plus 1 becomes the BLOCK value of token 9. When Nk=4, part of token 9 equals the inverse of step of token 10; when Nk>4, part of token 9 equals step of token 10.
Token 9 -> KR
If part=0 in token 9, the data of token 9 is written to the low segment of the key buffer area and the BLOCK value of token 9 is assigned to BLOCKL; on the write, both bits of the op field of the low-segment buffer cells are reset to 0. If part=1 in token 9, the data of token 9 is written to the high segment of the key buffer area and the BLOCK value of token 9 is assigned to BLOCKH; on the write, both bits of the op field of the high-segment buffer cells are reset to 0.
Writing token 9 also updates the state of KES. The state transitions are:
When KES=(01)_2: if Nk>4 and part=0 in token 9, or Nk=4 and part=1 in token 9, KES becomes (11)_2;
When KES=(10)_2: if Nk>4 and part=1 in token 9, or Nk=4 and part=0 in token 9, KES becomes (00)_2;
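The KES sequencing implied by the Trans matching condition, the step-to-part rule and the token 9 transitions above, as an added model (not code from the patent). It shows that the Nk=4 and Nk>4 cases close the same 00, 01, 11, 10, 00 loop; the function names and the fully populated key store are assumptions for the illustration.

```python
def trans_match(kes, nk, key_full, exp_stop):
    """Trans matching condition: return ksel for a forward, or None."""
    if kes == 0b00 and key_full[nk - 1] and not exp_stop:
        return nk - 1                      # transform key word 1
    if kes == 0b11 and nk > 4 and key_full[3]:
        return 3                           # transform key word 2, Nk > 4
    if kes == 0b11 and nk == 4 and key_full[7] and not exp_stop:
        return 7                           # transform key word 2, Nk = 4
    return None


def kes_after_forward(kes):
    """Forwarding a transform key word moves 00 -> 01 and 11 -> 10."""
    return {0b00: 0b01, 0b11: 0b10}[kes]


def token9_part(nk, step):
    """part is the inverse of step when Nk = 4, and equals step when Nk > 4."""
    return step ^ 1 if nk == 4 else step


def kes_after_token9(kes, nk, part):
    """KES update performed when token 9 is written to the key buffer."""
    if kes == 0b01 and ((nk > 4 and part == 0) or (nk == 4 and part == 1)):
        return 0b11
    if kes == 0b10 and ((nk > 4 and part == 1) or (nk == 4 and part == 0)):
        return 0b00
    return kes                             # any other write leaves KES unchanged


def expansion_cycle(nk):
    """Run one full KES loop and return the (event, value, KES) trace."""
    key_full = [True] * 8                  # constructed: every key cell holds a word
    kes, trace = 0b00, []
    for step in (0, 1):                    # step 0 reads the low segment, step 1 the high
        ksel = trans_match(kes, nk, key_full, exp_stop=0)
        kes = kes_after_forward(kes)
        trace.append(("forward", ksel, kes))
        part = token9_part(nk, step)
        kes = kes_after_token9(kes, nk, part)
        trace.append(("token9", part, kes))
    return trace


if __name__ == "__main__":
    for nk in (4, 6, 8):
        print(nk, expansion_cycle(nk))
```

Note that exp_stop blocks the forward of transform key word 2 only when Nk=4; for Nk>4 the stated condition does not include it.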
MatchingUnit -> token 10
Matcher matches the data in the key buffer area of the AK buffer unit. The matching condition is: the low bit of op is 0 in all low-segment key records and intermediate key word 1 is present, in which case the matching unit outputs step=0; or the low bit of op is 0 in the key records at storage addresses 4 through Nk-1 and intermediate key word 2 is present, in which case the matching unit outputs step=1.
When step=0, f of token 10 equals the data of intermediate key word 1; k0, k1, k2, k3 equal the data of KR at storage addresses 0, 1, 2, 3 respectively; and BLOCK equals BLOCKL. When step=1, f of token 10 equals the data of intermediate key word 2; k0, k1, k2, k3 equal the data of KR at storage addresses 4, 5, 6, 7 respectively; and BLOCK equals BLOCKH.
Industrial applicability
Through its design, the invention resists power analysis attacks while needing few redundant operations and little redundant circuitry, so that low energy consumption and high security can be obtained in the field of information security, in particular in the secure implementation of cryptographic chips. The invention can be applied wherever an encryption chip holding a key is needed, such as smart cards (identity cards, financial cards, pay-TV cards), digital mobile certificates, and mobile personal terminals such as PDAs, mobile phones and portable computers.

Claims

1. A data-flow AES encryption circuit with out-of-order execution, characterized in that the circuit structure is implemented on a data-flow encryption application-specific integrated circuit; the circuit structure complies with the Advanced Encryption Standard, denoted AES, whose final algorithm is the Rijndael algorithm, and uses a data-flow mode to achieve out-of-order encryption; the circuit structure comprises:
a. Transmission channels, each a data transmission interface between two components, the data transmitted being tokens of the corresponding number; a channel includes a token input data bus, a data output bus, input request and acknowledge signals, and output request and acknowledge signals; the interface between a transmission channel and the outside is a channel port;
b. An input unit, the interface between the chip core and the outside, which takes in the plaintext and the key with the timing required by the protocol, sends the plaintext into the core through transmission channel 4# and writes the key into the initial key memory, and also generates the reset signal InterRst_ and the initial key load signal load needed by the units of the core in the circuit structure; the token transmitted on channel 4#, named token 4, includes a 32-bit data field and a 2-bit column field;
c. A channel switch unit, Switch, a crossbar with 2 transmission channel inputs and 2 transmission channel outputs, which also receives the input signal WK from the working state register. When WK=0 the channel switch unit is idle: it receives the plaintext data sent by the input unit over channel 4#, parses it, repackages the data as a state word token and sends it to channel 5#. The token transmitted on channel 5#, named token 5, includes a 32-bit data field, a 4-bit color field indicating the round, and a 2-bit address field; when it is packed from token 4, the data field of token 5 copies the data field of token 4, the color field of token 5 is set to 0, and the address field of token 5 copies the column field of token 4. When WK=1 the unit is in the working state: it parses the token arriving on channel 3# and, depending on its type, repackages a state word token as a token sent to channel 5#, or a key word token as a token sent to channel 6. The token transmitted on channel 3#, named token 3, includes a 1-bit attribute field and a 32-bit data field. When the attribute field equals 0 it is a state word token and also includes a 1-bit operator field, a 2-bit column field and a 4-bit color field; when it is repackaged as token 5, the data field copies the data field of token 3, the color field copies the color field of token 3, and the address field copies the column field of token 3. When the attribute field of token 3 equals 1 it is a key word token and also includes a 1-bit fadd bit and 6 bits of don't-care data. The token sent to channel 6#, named token 6, is the intermediate key word token described below and includes a 32-bit data field and a 1-bit address field; when token 3 is packed into token 6, the data field of token 3 is copied to the data field of token 6 and the fadd field is copied to the address field of token 6;
d. An initial key memory, a 256-bit register bank, which receives the clock signal and the input cipher key data from the input unit and stores the cipher key coming from the input unit directly;
e. An AK buffer unit, the buffer unit for tokens waiting for the AddKey operation, comprising a key word memory, a state word memory, and token parsing and packing circuits. The key word memory has 8 key word storage cells, 2 intermediate key word storage cells, two 5-bit internal memories, BLOCKH and BLOCKL, and a 2-bit state register KES. The key word storage area has a 3-bit address; its address space in binary is 000-111, storing in order the expanded key words whose index modulo the number of key block columns Nk equals 0-7; the high segment is 100-111 and the low segment is 000-011. Each storage record includes a 32-bit data field, a 1-bit fadd field, a round transformation flag bit and an expansion flag bit. The data stored in the cell of the key word memory whose address equals Nk-1 is called transform key word 1; when Nk is not equal to 4, the record data at address 3 is called transform key word 2; when Nk equals 4, transform key word 2 is the record data at address 7. The state word storage area has a 2-bit address; its address space in binary is 00-11, storing in order columns 0-3 of the state; each record includes a 32-bit data field and a 4-bit color field. The intermediate key word storage area has a 1-bit address space, 0-1, storing in order the intermediate key words arriving from channel port 6; an intermediate key word is the result of the nonlinear function defined in the AES key expansion algorithm, and each storage record includes a 32-bit data field. Every storage cell of the buffer unit has a "full/empty" flag bit, denoted flag: flag is set to 1 when the cell is written, meaning full, and is reset after the data is read out, meaning empty. BLOCKH stores the "block value" of the high-segment key words and BLOCKL stores the "block value" of the low-segment key words; the "block value" is the index of the group obtained when the whole sequence of round expanded keys is divided into groups of Nk words. The expanded key is derived from the initial key by expansion; its total length is 4(Nr+1), where Nr is the number of iteration rounds. The AK buffer unit has three input channel ports: the channel 5 port receives token 5 and writes it into the state word storage area, the write address being the value of the address field of token 5 and the data field and color field of the state word record being equal to the data field and color field of token 5; the channel 6 port receives token 6 and writes it into the intermediate key word area, the write address being the value of the address field of token 6 and the data field of the written record copying the data field of token 6; the channel 9 port receives new expanded key word tokens and writes them into the key word storage area. In addition, the key word storage area has a load port, 256 bits wide, connected to the output of the initial key register, with the load signal as its set signal. The AK buffer unit has two output channel ports: the channel 7 port sends operand tokens for the AddKey operation or for transform key word forwarding, and the channel 10 port sends operand tokens for the key expansion operation;
e1. The token transmitted on the channel 9 port, named token 9, includes four 32-bit data fields k0-k3, a 5-bit BLOCK field and a 1-bit part field. If part of token 9 equals 0, k0-k3 are written in order to the cells of the key word storage area at addresses 000-011 (in binary), the BLOCK value of token 9 is assigned to BLOCKL, and the round transformation flag bits and expansion flag bits of all low-segment cells are reset to 0. If part of token 9 equals 1, k0-k3 are written in order to the cells of the key word storage area at binary addresses 100-111, the BLOCK value of token 9 is assigned to BLOCKH, and the round transformation flag bits and expansion flag bits of all high-segment cells are reset to 0;
e2. The token sent on the channel 7 port, named token 7, includes two 32-bit data fields, data1 and data2, and a 1-bit attribute field whose value equals the value of the AorT signal (described below) at the time of sending. When AorT equals 0, the AddKey operation is performed and token 7 is a state word token; it also includes a 4-bit color field and a 2-bit column field. On packing, the value of the ssel signal (described below) is copied to its column field, the data field of the state word storage record at address ssel is copied to the data1 field of token 7, the color field of that state record is copied to the color field of token 7, and the data field of the key storage record at the address given by ksel (described below) is copied to the data2 field of token 7; the acknowledge signal of the channel 7 port clears the state word record that was read and sets the round transformation bit of the key word record that was read to 1. When AorT equals 1, transform key word forwarding is performed and token 7 is a key token; besides the data fields and the attribute field it includes a 1-bit operator field, a 1-bit fadd field and 4 bits of don't-care data. On packing, the data1 field equals 0 and the data field of the key storage record at the address given by ksel is copied to its data2 field. When ksel equals Nk-1, transform key word 1 is forwarded, fadd equals 0 and the operator field equals 0, meaning the token will undergo the f transformation described below. When Nk equals 4 and ksel equals 7, transform key word 2 is forwarded, the fadd field equals 1 and the operator field equals 0, meaning the token will undergo the f transformation described below. When Nk is not equal to 4 and ksel equals 3, transform key word 2 is forwarded, fadd equals 1 and the operator field equals 1, meaning the token will undergo the g transformation described below; the acknowledge signal of the channel 7 port clears the state word record that was read;
e3. The token sent from the channel 10 port, named token 10, comprises a 32-bit intermediate key word field, four 32-bit key word fields k0-k3, a 5-bit BLOCK field and a 1-bit step field. During packing, the step field of token 10 equals the value of the step signal at the time the token is sent. When the step signal equals 0 at the time of sending, the intermediate key word field of token 10 equals the data of the record at address 0 in the intermediate key word storage area, the BLOCK field of token 10 equals the value of the BLOCKL register, and the acknowledge signal of the channel 10 port sets the expansion bits of the 4 key words in the low segment of the key storage area to 1. When the step signal equals 1 at the time of sending, the intermediate key word field of token 10 equals the data of the record at address 1 in the intermediate key word storage area, the BLOCK field of token 10 equals the value of the BLOCKH register, and the acknowledge signal of the channel 10 port sets the expansion bits of all key words in the high segment of the key storage area to 1;
e4. The KES controls the timing of key expansion, and its states are binary coded. The initial state of the KES is 00, the state of being ready to compute f; after transformed key word 1 has been forwarded in this state, the KES code becomes 01, the state of executing the f transformation. When the low-segment key is read for key expansion in state 01, the KES changes to 11, the state of being ready to compute g. After the transformed key word 2 operation has been performed in state 11, the KES changes to 10, the state of executing the g transformation. When the high-segment key is read for key expansion in state 10, the KES changes to 00;
Working state register: sends the WK signal to the input unit and to the channel switch unit Switch, and receives the OK signal from the Matcher OK unit described below; WK is reset when the OK signal rises;
Matcher II matching unit: examines the state word storage area and the key word storage area in the AK register unit; when it finds ready state word-key word pairs or a ready transformed key, it selects one of them at random, passes the corresponding address selection signals to the AK register unit and then triggers the token launch signal fetch_II. The selection signals comprise the AddKey state word read address, labelled ssel, the key word read address, labelled ksel, and the signal, labelled AorT, that indicates the operation the sent token will undergo: 0 denotes the AddKey operation, and 1 denotes transformed-key-word forwarding, labelled Trans. The inputs of the Matcher II matching unit comprise the observation signals of the state word storage area and the key word storage area of the AK register unit, which include the color bits and flag bit of the state word records and the round-transformation flag bit, expansion flag bit and flag field of the key word records, together with BLOCKL and BLOCKH, KES and the number of key block columns Nk. "Ready" means: the sequence numbers of all observed state words and key words are computed and a state word-key word pair with equal sequence numbers and both flags equal to 1 is found, or the corresponding transformed key word is detected according to the KES state. When the fetch_II signal arrives, it triggers the AK register unit to send the token to channel 7; fetch_II is reset when the sent state word has been cleared or the KES state changes;
Matcher K matching unit: examines the observation signals of the key word storage area and the intermediate key word storage area, namely the round-transformation flag bits, the expansion flag bits, the flags and the KES state. When the KES is in a key expansion state and the corresponding key field and intermediate key field are ready, it sets the key expansion read address, labelled step, to the corresponding value (1 for high-segment expansion, 0 for low-segment expansion) and triggers the token launch signal fetch_K. The AK register unit, according to the step signal, packs the corresponding data of the key area together with the BLOCK value into a token awaiting transmission; when the fetch_K signal arrives, it triggers the AK register unit to send that token through channel 10. If the exp_stop signal described below is active, the Matcher K matching unit stops working;
Key expansion operation unit, labelled Key Schedule: receives and parses the token from channel 10 and, after the Key Schedule processing described below, packs the result into a token containing the new expanded key, which is sent through channel 9. The Key Schedule processing comprises the following operations:
i1. Taking the intermediate key word field and the k0-k3 fields of token 10 as input, the KeySch operation is performed: the intermediate key word is XORed bitwise with k0 and the result is output as the k0 field of token 9; that result is XORed bitwise with k1 of token 10 and output as k1 of token 9; that result is XORed bitwise with k2 of token 10 and output as k2 of token 9; and that result is XORed bitwise with k3 of token 10 and output as k3 of token 9;
i2. The BLOCK field of token 10 incremented by 1 is used as the BLOCK value of token 9;
i3. When Nk=4, the logical inverse of the step field of token 10 is used as the part field of token 9; if Nk>4, the step field of token 10 is copied directly into the part field of token 9;
AddKey operation unit: after receiving and parsing the operand token sent from channel 7, it performs the AddKey operation on its data and packs the result into a round-key-mixing token, which is sent through channel 8. The AddKey operation is the round key addition defined by the AES algorithm, applied to one column of the state. The token sent through channel 8, named token 8, comprises a 32-bit data field and a 1-bit attribute field. When the attribute field equals 0 it is a state word token and additionally comprises a 4-bit color field and a 2-bit column field; when the attribute field equals 1 it is a key token and additionally comprises a 1-bit operand field and a 1-bit fadd field. During packing, the bitwise XOR of data1 and data2 of token 7 is used as the result of token 8, and the remaining fields of token 7 are copied directly into the fields of the same name in token 8;
Round-update channel switch unit: performs a round check on tokens from channel 8. If the token is a state word token and its round has reached the iteration round count Nr, it is forwarded through channel 11 to the output staging unit described below; otherwise its round is incremented by 1 and it is forwarded through channel 1 to the EU register unit described below for subsequent processing. If the round of the arriving token is Nr and the expanded key added to it belongs to the high segment of the key block, key expansion is complete and the exp_stop signal is triggered. A key word token is forwarded directly through channel 1 to the EU register unit described below for subsequent processing. The token processing comprises the following 3 cases:
k1. The token transmitted on channel 11, named token 11, comprises a 32-bit data field and a 2-bit column field. During packing, the data field of token 8 is copied directly into the data field of token 11 and the column field of token 8 is copied directly into the column field of token 11;
k2. When the attribute field of token 8 is 0, the token sent on channel 1, named token 1, is a state word token comprising a 32-bit data field, a 4-bit color field, a 2-bit column field, a 1-bit operator field and a 1-bit attribute field. During packing, the data field and column field of token 8 are copied directly into the fields of the same name in token 1, the color field of token 8 incremented by 1 is used as the color field of token 1, and the attribute field of token 1 equals 0. If the color field of token 8 equals Nr-1, the operator field of token 1 is marked as the Srd operation; otherwise the operator field of token 1 is marked as the SM operation;
k3. If the attribute field of token 8 equals 1, token 1 sent on channel 1 is a transformed key word token comprising a 32-bit data field, a 1-bit operator field, a 1-bit fadd field and 5 don't-care bits. During packing, each field of token 8 is copied directly into the field of the same name in token 1;
Output staging unit: a staging unit for ciphertext reordering, consisting of a 4 x 32-bit storage unit and a token parsing circuit. It receives and holds the ciphertext data carried by the result tokens that arrive out of order from channel 11; the write address is the column field of token 11 and the data written is the data field of token 11. After receiving the read address signal of the receiving unit described below, it outputs the corresponding ciphertext state word. Each storage cell of the staging unit has a "full/empty" flag bit labelled flag: flag is set to 1, meaning full, when the cell is written, and is reset, meaning empty, after the data has been read out;
m. Output unit: the interface between the chip and the outside, which outputs the ciphertext with the required timing;
n. Matcher OK matching unit: examines all the flag signals in the output staging unit. When all flags are 1, all ciphertext words have arrived, and it drives the end signal OK high, which notifies the working state memory and at the same time notifies the output unit to read the ciphertext state words from the output staging unit; when the flags have been reset, the OK signal goes low;
o. EU register unit: consists of one key word storage area and two identical state storage areas, labelled key store, store0 and store1 respectively. The key store holds the transformed key word of the key expansion; one storage record comprises a 32-bit data field, a 1-bit fadd field and a 1-bit operator field. store0/store1 hold columns 0 to 3 of the "state" before row shifting; each column storage cell is divided into 4 rows: the row 0 record comprises an 8-bit data field, a 4-bit color field and a 1-bit operator field, and the row 1 to row 3 records each comprise an 8-bit data field. The two state storage units operate as a pipeline with ping-pong reads and writes, according to the round tag of the input token: when the round is even, the token is written to store0, the data in store1 is necessarily the state of the previous round, and data is read from store1 for processing; when the round of the token is odd, it is written to store1, store0 necessarily holds the pending data of the previous round's state, and data is read from store0 for processing. The EU register unit has one transmission channel port, which receives token 1 sent by the round-update channel switch unit through channel 1, parses from it the token type (state token or key token), the write address and the record data, and writes the record into the corresponding storage cell; and one output transmission channel port, connected to channel 2, which, according to the read address, the store0/store1 selection signal and the state/transformed-key selection signal supplied by the Matcher I matching unit described below, outputs the corresponding state word or transformed key word, packs it with the other control signals into a token and sends it through channel 2 to the EU operation unit described below. Each storage cell of the above 3 staging areas has a "full/empty" flag bit labelled flag: flag is set to 1, meaning full, when the cell is written, and is reset, meaning empty, after the data has been read out;
o1. The token parsing method is: when the attribute field of token 1 is 0, it is a state word token; the write address is the column field of token 1, the data field of row 0 of the written record is bits 7 to 0 of the token 1 data field, the color field of row 0 is the color field of token 1, the operator field of row 0 is the operator field of token 1, and the data of rows 1 to 3 of the written record are bits 15 to 8, bits 23 to 16 and bits 31 to 24 of the token 1 data field respectively. When the attribute field of token 1 is 1, it is a key token; the data field of token 1 is copied into the data field of the transformed key word storage record, and the fadd field and operator field of token 1 are copied directly into the fields of the same name in the transformed key word storage record;
o2. The token sent through channel 2 is named token 2 and is packed as follows. When the state/transformed-key selection signal equals 0, token 2 is a state word token and its attribute field equals 0; bits 7 to 0 of the data field are the data field of the row 0 record whose address equals the read address supplied by the Matcher I matching unit; bits 15 to 8 of the data field are the data field of the row 1 record whose address, after the row shift operation defined by the AES algorithm, equals the read address; bits 23 to 16 of the data field are the data field of the row 2 record whose address, after the row shift operation defined by the AES algorithm, equals the read address; bits 31 to 24 of the data field are the data field of the row 3 record whose address, after the row shift operation defined by the AES algorithm, equals the read address; the color field and operator field of token 2 are the color field and operator field of the row 0 record whose address equals the read address, and the column field of token 2 is the value of the read address. When the state/transformed-key selection signal equals 0, token 2 is a key word token and its attribute field equals 1; the data field is the data field of the transformed key storage record, and the fadd field and operator field are the fadd field and operator field of the transformed key storage record;
Matcher I matching unit: examines the token information in the key store and store0/store1. Taking the row shift transformation into account, when it finds ready state words or a transformed key it selects one at random, passes the address information to the EU register unit, and through the fetch_I signal triggers the trigger signal of the channel 2 port so that token 2 of the EU register unit is sent to the EU operation unit. The inputs of the Matcher I matching unit comprise the signals from the observation port of the EU register unit, the acknowledge signal of the channel 2 port and the random signal that controls the selection; it also outputs the fetch_I token send signal to the EU register unit;
Global memory: stores the number of key block columns Nk and the number of iteration rounds Nr; it outputs Nk to the EU register, to the two units EU operation unit (described below) and Matcher II, and to the key expansion operation unit, and outputs Nr to the round-update channel switch unit;
EU operation unit: receives token 2 from channel 2, parses it and, according to the attribute field and operator field of token 2 and the number of key block columns Nk, performs the corresponding computation on the data field; the result is packed into the data field of token 3 and sent through channel 3. Besides the data field, token 3 has a 1-bit attribute field whose value equals the attribute field of token 2: when the attribute field equals 0 it is a state word token and also has a 4-bit color field and a 2-bit column field; when the attribute field equals 1 it is a key word token and also has a 1-bit fadd field and 5 don't-care bits, and during packing the fadd field of token 2 is copied directly into the fadd field of token 3. The computations on the token data field comprise:
r1. Srd operation: performed when the attribute field of token 2 equals 0 and the operator field carries the Srd mark, or when the attribute field of token 2 equals 1, the operator field is 1 and the number of key block columns Nk is greater than 6; the Srd table lookup defined by the AES algorithm is applied to each byte of the data field. The operation for token 2 attribute field equal to 1 and operator field equal to 1 is the g transformation mentioned above for Nk greater than 6;
r2. Srd-MixCol operation: performed when the attribute field of token 2 equals 0 and the operator field carries the SM mark; the Srd table lookup defined by the AES algorithm is first applied to each byte of the data field, and the resulting 4-byte vector is then left-multiplied by a 4x4 constant matrix, namely the constant matrix of the column mixing operation defined in the AES algorithm;
r3. Srd, cyclic shift and round constant addition: this is the f transformation mentioned above, performed when the attribute field of token 2 equals 1 and the operator field of the key token is 0; the Srd table lookup defined by the AES algorithm is first applied to each byte of the data field, the 4-byte result is then rotated left by 8 bits, and finally the low 8 bits of the result are XORed bitwise with an 8-bit round constant RC. The initial value of the round constant is 0; after each round constant addition its value is multiplied by 2, the multiplication by 2 being defined over GF(2^8);
r4. Direct forwarding operation: performed when the attribute field of token 2 equals 1, the operator field of the state token is 1 and Nk is less than or equal to 6; the data field of token 2 is copied directly into the data field of token 3. The operation for token 2 attribute field equal to 1 and operator field equal to 1 is the g transformation mentioned above for Nk less than or equal to 6;
Matcher II random control code generation circuit: randomly generates the 3-bit random selection code that controls the arbitration circuit in the Matcher II matching unit; a new random control code is generated each time fetch_II falls;
Matcher I random control code generation circuit: randomly generates the 3-bit random selection code that controls the arbitration circuit in the Matcher I matching unit; a new random control code is generated each time fetch_I falls;
2. The Matcher II unit and the AK register unit described above form the token staging-matching-launch structure of the AddKey operation unit, abbreviated as the HMF structure; the Matcher I unit and the EU register unit form the HMF structure of the EU operation unit; Matcher K and the key storage area of the AK register unit form the HMF structure of the KeySchedule unit; and Matcher OK and the output staging unit form the HMF structure of the output. The HMF structure has the following features:
u1. It contains a token staging unit implemented as a register file whose write port uses an asynchronous handshake protocol. The write address and write data are obtained by parsing the input token, and the write clock is triggered by the request signal of the input channel port. The address of the read port is determined by the selection signal output by the matching unit described below, and the output data follows the read address immediately. Each internal storage cell has a "full/empty" flag bit indicating whether a record is present; the full/empty flag bits of all cells, together with the data of the record fields relevant to the matching conditions described below, form the observation signals, which can be read by the matching unit described below. The output data can be read by the token packing logic described below. Each full/empty flag bit is produced by a C-element, one input of which is connected to the write clock of the corresponding record and the other input to the inverse of the record's clear signal. The write clock of each record is derived from the receive acknowledge signal of the write port through write address selection, and the clear signal of each record is derived from the acknowledge signal of the read port through read address selection;
u2. It contains a matching unit consisting of two parts, matching logic and selection logic. The observation signals of each record of the staging unit are fed into the matching logic, which evaluates the Boolean expression corresponding to the matching condition to obtain each match result: 1 if the match succeeds, 0 otherwise. Each match result signal passes through one stage of C-element to the input of the selection logic, where it becomes a request signal; the other input of the C-element is connected to the OR of all request signals, so a match result equal to 1 can reach the selection logic only when all request signals are 0. While a valid request (a request signal equal to 1) is present, match results that become true after it cannot pass the C-element; once the token corresponding to the request has been sent, the request is reset and the C-elements pass true match results again. The selection logic of the Matcher I and Matcher II units is an arbitration circuit that selects at random among the request signals of the examined token groups; its output is the index of the selected request, from which the read address of the token register is generated. The selection circuit of the Matcher K unit computes the step signal corresponding to the successfully matched request. Matcher OK has no selection circuit. The request index output by the selection circuit of the matching unit passes through a latch to become the token selection signal; the request signal chosen by the selection signal becomes the token launch trigger signal, such as the fetch_II, fetch_I and fetch_K signals described above;
u3. After a delay equal to the longest time the selection circuit output needs to settle, the token launch trigger signal drives the control input of the selection signal latch so that the latch holds its value, and at the same time triggers the request signal for sending the token; the reset acknowledge signal of the staging unit resets the control input of the selection signal latch, making the latch transparent so that the selection signal again follows the output of the selection logic of the matching unit.
2. The out-of-order-execution dataflow AES encryption circuit according to claim 1, characterized in that all transmission channels use an asynchronous handshake protocol.
3. The out-of-order-execution dataflow AES encryption circuit according to claim 1 or 2, characterized in that the data processing and token packing of all operation units are implemented by combinational logic circuits.
4. The out-of-order-execution dataflow AES encryption circuit according to claim 1 or 2, characterized in that the channel switch unit Switch, the initial key register, the AK register unit, the Matcher K matching unit and the key expansion operation unit together form the key expansion ring, while the channel switch unit Switch, the Matcher II matching unit, the AddKey operation unit, the round-update channel switch unit, the EU register unit, the Matcher I matching unit and the EU operation unit form the round transformation ring; units within a ring are connected by transmission channels, and the rings are connected by the switch unit Switch.
5. The out-of-order-execution dataflow AES encryption circuit according to claim 3, characterized in that the channel switch unit Switch, the initial key register, the AK register unit, the Matcher K matching unit and the key expansion operation unit together form the key expansion ring, while the channel switch unit Switch, the Matcher II matching unit, the AddKey operation unit, the round-update channel switch unit, the EU register unit, the Matcher I matching unit and the EU operation unit form the round transformation ring; units within a ring are connected by transmission channels, and the rings are connected by the switch unit Switch.
PCT/CN2006/003151 2006-11-23 2006-11-23 Aes encryption circuit for data stream executed in desequencing WO2008061395A1 (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
PCT/CN2006/003151 WO2008061395A1 (en) 2006-11-23 2006-11-23 Aes encryption circuit for data stream executed in desequencing

Publications (1)

Publication Number Publication Date
WO2008061395A1 (en) 2008-05-29

Family

ID=39429362

Country Status (1)

Country Link
WO (1) WO2008061395A1 (en)

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1672352A (en) * 2002-05-23 2005-09-21 爱特梅尔股份有限公司 Advanced encryption standard (AES) hardware cryptographic engine
CN1728634A (en) * 2004-06-19 2006-02-01 三星电子株式会社 The method and apparatus that multiplies each other in the Galois Field and invert equipment and byte replacement equipment
CN1761185A (en) * 2005-11-18 2006-04-19 清华大学 AES encrypted circuit structure for data stream executed in desequencing
US20060126843A1 (en) * 2004-12-09 2006-06-15 Brickell Ernie F Method and apparatus for increasing the speed of cryptographic processing
CN1833399A (en) * 2003-06-16 2006-09-13 韩国电子通信研究院 Rijndael block cipher apparatus and encryption/decryption method thereof

Cited By (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106027222A (en) * 2016-06-30 2016-10-12 中国南方电网有限责任公司电网技术研究中心 Smart card encryption method and device for preventing differential power analysis
CN106027222B (en) * 2016-06-30 2022-10-28 南方电网科学研究院有限责任公司 Smart card encryption method and device for preventing differential power analysis
CN109039608A (en) * 2018-08-24 2018-12-18 东南大学 A kind of 8-bitAES circuit based on double S cores
CN113849867A (en) * 2021-08-31 2021-12-28 浪潮电子信息产业股份有限公司 Encryption chip
CN113849867B (en) * 2021-08-31 2024-02-23 浪潮电子信息产业股份有限公司 Encryption chip
CN114615069A (en) * 2022-03-19 2022-06-10 山东大学 Quartet lightweight encryption algorithm implementation device and method
CN114615069B (en) * 2022-03-19 2022-11-04 山东大学 Quartet lightweight encryption algorithm implementation device and method
CN117061092A (en) * 2023-10-12 2023-11-14 仰恩大学 Reversible circuit construction method of Simon encryption algorithm
CN117061092B (en) * 2023-10-12 2023-12-15 仰恩大学 Reversible circuit construction method of Simon encryption algorithm

Legal Events

Date Code Title Description
121 Ep: the EPO has been informed by WIPO that EP was designated in this application (Ref document number: 06817881; Country of ref document: EP; Kind code of ref document: A1)
NENP Non-entry into the national phase (Ref country code: DE)
122 Ep: PCT application non-entry in European phase (Ref document number: 06817881; Country of ref document: EP; Kind code of ref document: A1)