WO2014129610A1 - Hash value generating device - Google Patents


Info

Publication number
WO2014129610A1
Authority
WO
WIPO (PCT)
Prior art keywords
processing
processing means
axis direction
bits
hash value
Prior art date
Application number
PCT/JP2014/054245
Other languages
French (fr)
Inventor
Shinya Yamada
Original Assignee
Canon Kabushiki Kaisha
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Canon Kabushiki Kaisha
Priority to EP14753948.0A (patent EP2959469B1)
Priority to KR1020157025717A (patent KR101749528B1)
Priority to US14/767,896 (patent US9985780B2)
Priority to CN201480009745.2A (patent CN105074799B)
Publication of WO2014129610A1


Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/06 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols the encryption apparatus using shift registers or memories for block-wise or stream coding, e.g. DES systems or RC4; Hash functions; Pseudorandom sequence generators
    • H04L9/0643 Hash functions, e.g. MD5, SHA, HMAC or f9 MAC
    • G PHYSICS
    • G09 EDUCATION; CRYPTOGRAPHY; DISPLAY; ADVERTISING; SEALS
    • G09C CIPHERING OR DECIPHERING APPARATUS FOR CRYPTOGRAPHIC OR OTHER PURPOSES INVOLVING THE NEED FOR SECRECY
    • G09C1/00 Apparatus or methods whereby a given sequence of signs, e.g. an intelligible text, is transformed into an unintelligible sequence of signs by transposing the signs or groups of signs or by replacing them by others according to a predetermined system
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L2209/00 Additional information or applications relating to cryptographic mechanisms or cryptographic arrangements for secret or secure communication H04L9/00
    • H04L2209/12 Details relating to cryptographic hardware or logic circuitry
    • H04L2209/125 Parallelization or pipelining, e.g. for accelerating processing of cryptographic operations

Definitions

  • the present invention relates to technique for generating a hash value.
  • a hash value, which is calculated by using a cryptographic hash algorithm, is utilized for checking data alteration. It has been already verified that Secure Hash Algorithm 1 (SHA-1), which is a cryptographic hash algorithm (cryptographic hash), is not capable of securing safety. It has been pointed out that SHA-2 family (SHA-224, SHA-256, SHA-384, and SHA-512) may lack security. Therefore, National Institute of Standards and Technology (NIST) asked the public to come up with a new algorithm to establish a next-generation cryptographic hash algorithm (SHA-3). Then, the KECCAK algorithm ("The KECCAK reference", Version 3.0, January 14, 2011, (http://keccak.noekeon.org/Keccak-reference-3.0.pdf)) was assigned as the SHA-3 in December 2012.
  • the SHA-3 outputs a cryptographic hash value of a fixed length from an input message (data) of any length.
  • a permutation function is used, and in the permutation function, round processing of five sequential steps (θ, ρ, π, χ, and ι) is repeated twenty-four times. The round processing is performed on data called a "state" data piece having a length of 1600 bits.
  • the present invention is directed to a technique to improve throughput for generating hash values.
  • a hash value generating device for generating a hash value based on KECCAK algorithm includes a θ processing means, a ρ processing means, a π processing means, a χ processing means, and an ι processing means for performing processing of five steps θ, ρ, π, χ, and ι included in round processing of the KECCAK algorithm
  • the θ processing means includes a θ1 processing means for performing column sum calculation processing and a θ2 processing means for performing column sum addition processing, in the round processing, the π processing means performs processing before the θ2 processing means and the ρ processing means perform processing, and the ρ processing means performs processing on a lane on which rearrangement processing has been performed by the π processing means.
  • FIGs. 1A, 1B, and 1C are diagrams illustrating the KECCAK algorithm.
  • FIGs. 2A, 2B, 2C, 2D, 2E, and 2F are diagrams illustrating data structures.
  • FIGs. 3A and 3B are diagrams illustrating processing in step θ.
  • FIGs. 4A, 4B, and 4C are diagrams illustrating processing in step ρ.
  • FIGs. 5A and 5B are diagrams illustrating processing in step π.
  • Fig. 6 is a diagram illustrating processing in step χ.
  • Fig. 7 is a diagram illustrating processing in step ι.
  • Fig. 8 is a diagram illustrating round constants in step ι.
  • FIGs. 9A and 9B are diagrams illustrating an overview of round processing R' .
  • FIGs. 10A, 10B, and 10C are diagrams illustrating processing in step ρ'.
  • Fig. 11 is a diagram illustrating processing in step θ1.
  • FIGs. 12A, 12B, and 12C are diagrams illustrating processing in step θ2.
  • Fig. 13 is a diagram illustrating a schematic configuration of an implementation example of the KECCAK algorithm according to a first exemplary embodiment.
  • Figs. 14A and 14B are output timing charts.
  • Fig. 15 is a diagram illustrating a schematic configuration of an implementation example when processing is performed on a lane as a unit by the KECCAK algorithm.
  • as a hash value generating device according to an exemplary embodiment of the present invention, a device configured to generate a hash value of SHA-3 (KECCAK algorithm) will be hereinafter described as an example.
  • a specific data length or a specific bit value may be provided, but the present invention is not limited to the specific length or value.
  • Fig. 1A is a diagram illustrating the whole of the KECCAK algorithm.
  • message blocks 101 (m1 to mt) are illustrated.
  • the message blocks 101 (m1 to mt) are generated by dividing an input message, for which a hash value is generated, into units of 1024-bit blocks.
  • all bits of initial values 102 and 103 are zeros in the present exemplary embodiment.
  • the length of the initial value 102 is 1024 bits, which is the same as that of the message blocks described above, and the total length of the initial values 102 and 103 is 1600 bits.
  • a bitwise exclusive OR (XOR) operator 104 is also illustrated. That is, the XOR operator 104 calculates exclusive OR for each bit of the two 1024-bit input data pieces and outputs the results as a 1024-bit data piece.
  • a KECCAK-f 105, which is a permutation function, receives two input data pieces and outputs two data pieces. The detail of the KECCAK-f 105 will be described below with reference to Fig. 1B.
  • a cut-out section 106 cuts out a necessary size from the 1024-bit input data pieces, and outputs the cut out data.
  • a cryptographic hash value (i.e., hash value) 107 is the calculation result of this algorithm.
  • Fig. 1B is a diagram illustrating an overview of the KECCAK-f 105, which is a permutation function.
  • Round processing R 201 is performed twenty-four times. The detail of the round processing R will be described below.
  • Input data pieces 202 and 203 are illustrated. The length of the input data piece 202 is 1024 bits. The total length of the input data pieces 202 and 203 is 1600 bits. The two input data pieces 202 and 203 are coupled and then input to the round processing R 201.
  • Output data pieces 204 and 205 are illustrated. The length of the output data piece 204 is 1024 bits. The total length of the output data pieces 204 and 205 is 1600 bits.
  • Fig. 1C is a diagram illustrating an overview of the round processing R 201.
  • the lengths of the input data piece and the output data piece are both 1600 bits.
  • processing of five steps (θ processing unit 301, ρ processing unit 302, π processing unit 303, χ processing unit 304, and ι processing unit 305) to be described below is sequentially performed on the input data piece to generate the output data piece.
  • Fig. 2A is a diagram illustrating a "state", which is a data structure upon input/output of the round processing R 201. As described above, both of the input data piece and the output data piece have 1600-bit length. Each of these 1600-bit data pieces is expressed as a rectangular
  • the rectangular parallelepiped data structure is called a "state".
  • a 1600-bit data piece is allocated to the state structure expressed as a rectangular parallelepiped in the order of the z axis direction, the x axis direction, and the y axis direction. The detail will be described below with reference to Fig. 2F.
  • Fig. 2B is a diagram illustrating a data structure "plane".
  • the plane structure is expressed as a planar structure that is parallel to the x-z plane and that has a width of five bits, a height of one bit, and a depth of sixty-four bits. That is, the above "state" structure can be considered as five plane structures that are stacked in the y axis direction.
  • Fig. 2C is a diagram illustrating a data structure "sheet".
  • the sheet structure is expressed as a planar structure that is parallel to the y-z plane and that has a width of one bit, a height of five bits, and a depth of sixty-four bits. That is, the above "state" structure can be considered as five sheet structures arranged horizontally in line in the x axis direction.
  • Fig. 2D is a diagram illustrating a data structure "lane".
  • the lane structure is expressed as a linear structure that is parallel to the z axis and that has a width of one bit, a height of one bit, and a depth of sixty-four bits. That is, the above "state" structure can be considered as twenty-five lane structures gathered along the x-y plane.
  • Fig. 2F is a diagram illustrating the order of twenty-five lanes included in one state structure.
  • Fig. 2E is a diagram illustrating a data structure "column".
  • the column structure is expressed as a linear structure that is parallel to the y axis and that has a width of one bit, a height of five bits, and a depth of one bit. That is, the above "sheet” structure can be considered as sixty-four column structures arranged in line in the z axis direction.
  • the present invention is not limited to the case.
  • data of the state structure is handled as a rectangular parallelepiped data structure having a width (x axis direction) of five bits, a height (y axis direction) of five bits, and a depth (z axis direction) of sixty-four bits
  • an input data piece may have 800 bits
  • the state structure data may be handled as a rectangular parallelepiped data structure having a width of five bits, a height of five bits, and a depth of thirty-two bits.
  • the plane structure, the sheet structure, the lane structure, and the column structure can be modified according to the respective numbers of bits in the width (x axis direction) , in the height (y axis direction) , and in the depth (z axis direction) of the state structure. More specifically, when the state structure data has m bits in the x axis direction, n bits in the y axis direction, and s bits in the z axis direction, the plane structure is a planar structure having m bits in the x axis direction, one bit in the y axis direction, and s bits in the z axis direction.
  • the sheet structure is a planar structure having one bit in the x axis direction, n bits in the y axis direction, and s bits in the z axis direction.
  • the lane structure is a linear structure having one bit in the x axis direction, one bit in the y axis direction, and s bits in the z axis direction.
  • the column structure is a linear structure having one bit in the x axis direction, n bits in the y axis direction, and one bit in the z axis direction.
  • the input data pieces 202 and 203 are coupled in this order to form a 1600-bit data block.
  • the 1600-bit data block is divided into units of sixty-four bit block to form twenty-five lanes.
  • the twenty-five lanes are arranged in the order illustrated in Fig. 2F along the x-y plane to build one state.
  • the thus generated state structure is input to the round processing R 201.
  • a method of forming the output data pieces 204 and 205 from an output data piece of the twenty-fourth round processing R 201 is similar, and thus the description thereof is not provided.
  • steps θ, ρ, π, χ, and ι included in the round processing R 201 will be described.
  • the data structure of an input data piece and an output data piece is the state structure.
  • Fig. 3A is a diagram illustrating processing in the step θ (θ processing unit 301).
  • the step θ is processing of adding the sum of two columns to each bit, the two columns being adjacent to the bit. More specifically, the θ processing unit calculates each bit of the output state as follows. That is, each bit is calculated as the sum of three values obtained from the input state: "a value of a bit at the same position"; "the sum of bits of a column at a position of -1 in the x axis direction"; and "the sum of bits of a column at a position of +1 in the x axis direction and -1 in the z axis direction".
  • the sum means the sum on GF(2), and the result will be the same as that of the exclusive OR operation.
  • the processing can be expressed by the following expression.
  • x is 0 to 4
  • y is 0 to 4
  • z is 0 to 63.
  • a coordinate beyond the state is regarded as a position that is opposite in the state. That is, coordinate values are cyclically shifted in the same state. This rule is similarly applied to x coordinate, y coordinate, and z coordinate and to four other steps.
  • Figs. 4A, 4B, and 4C are diagrams illustrating processing in the step ρ (ρ processing unit 302).
  • the step ρ is processing of shifting values of respective bits in the z axis direction. More specifically, the ρ processing unit 302 cyclically shifts values in each lane of the state in the z direction by the specified number of bits as illustrated in Fig. 4A and outputs the shifted values. The number of bits by which the values are shifted in each lane is previously determined as the number illustrated in Fig. 4B. Note that, in order to perform the ρ processing, a holding section previously holds a table listing shifting amounts as illustrated in Fig. 4C and the ρ processing unit 302 performs the ρ processing using the table being held.
  • Figs. 5A and 5B are diagrams illustrating processing in the step π (π processing unit 303).
  • the step π is processing of rearranging each of the respective bits in the x-y plane (also referred to as a "slice"), that is, processing of rearranging twenty-five lanes in a single state. More specifically, when respective lanes in the input state are numbered as illustrated in the upper part of Fig. 5A, the output state is illustrated in the lower part thereof.
  • the holding section previously holds a table listing rearrangement destinations as illustrated in Fig. 5B and the π processing unit 303 performs the π processing using the table being held.
  • Fig. 6 is a diagram illustrating processing in the step χ (χ processing unit 304).
  • the step χ is processing of converting a bit using bits in a line in the x axis direction (also referred to as a "row"), and each bit in the output row is derived based on three bits in the same input row. More specifically, setting is made such that when a bit at a position of +1 in the x axis direction from each bit of the input row is zero and a bit at a position of +2 in the x axis direction from the bit is one, the χ processing unit 304 inverts the value of each corresponding bit of the output row.
  • Fig. 7 is a diagram illustrating processing in the step ι (ι processing unit 305).
  • the step ι is processing of adding a round constant to each bit.
  • Fig. 8 is a diagram illustrating round constants used in the step ι.
  • the θ processing unit 301 uses a sheet data piece at -1 and a sheet data piece at +1 in the x axis direction to calculate each lane in the state. Therefore, when the first three sheets are completed, that is, when the θ processing unit 301 receives twenty-three lanes out of the twenty-five lanes from a preceding stage, the θ processing unit 301 can start the processing in the step θ.
  • the step ρ is calculation for each of lanes independent of each other. Therefore, when one lane of calculation results of the preceding stage (step θ) is output, the ρ processing unit
  • in the step π, respective lanes in a state are rearranged. Therefore, when one whole state of calculation results of the preceding stage (step ρ) is output, that is, when twenty-five lanes are output, the π processing unit 303 can start the processing in the step π.
  • the χ processing unit 304 uses a lane at +1 in the x axis direction and a lane at +2 in the x axis direction. Therefore, upon receiving three lane data pieces, the χ processing unit 304 can start the processing in the step χ.
  • the step ι is calculation for each of lanes independent of each other. Therefore, when one lane of calculation results of the preceding stage (step χ) is output, the ι processing unit 305 can start the processing in the step ι.
  • start of processing has to wait until the steps at the respective preceding stages output calculation results of twenty-three lanes, twenty-five lanes, and three lanes respectively.
  • the processing of the two steps θ and π can be started when a long time has passed after the start of processing of their preceding stages.
  • round processing R' 901 is processing used in the present exemplary embodiment and designed such that the result is the same as that of the round processing R 201. However, processing contents of the round processing R' 901 are different from the specifications of the KECCAK algorithm.
  • Fig. 9A is a diagram illustrating an overview of the round processing R' 901.
  • the round processing R' 901 is designed such that the processing result is the same as that of the round processing R 201.
  • processing of six steps is performed (by a θ1 processing unit 902, a π processing unit 903, a θ2 processing unit 904, a ρ' processing unit 905, a χ processing unit 906, and an ι processing unit 907) on an input data piece to generate an output data piece.
  • the π processing unit 903, the χ processing unit 906, and the ι processing unit 907 perform processing similar to that performed by the π processing unit 303, the χ processing unit 304, and the ι processing unit 305 of the round processing R 201.
  • the ρ' processing unit 905 performs processing of shifting values of respective bits in the z axis direction similarly to the ρ processing unit 302 of the round processing R 201, but the number of bits by which the values are shifted is different.
  • the θ1 processing unit 902 and the θ2 processing unit 904 are obtained by dividing the θ processing unit 301 in the round processing R 201.
  • since the π processing, the χ processing, and the ι processing in the round processing R' 901 are similar to those in the round processing R 201, the description thereof is not provided.
  • the ρ' processing, the θ1 processing, and the θ2 processing will be described below.
  • Fig. 10A is a diagram illustrating processing in the step ρ' (ρ' processing unit 905).
  • the ρ' processing unit 905 performs processing of cyclically shifting a value of each bit in the z axis direction similarly to the step ρ.
  • the number of bits by which the values are cyclically shifted in each lane is different from that of the step ρ, and is illustrated in Fig. 10B.
  • a holding section previously holds a table listing shifting amounts as illustrated in Fig. 10C and the ρ' processing unit 905 performs the ρ' processing using the table being held. This table is determined in consideration of the π processing. The detail will be described below.
  • FIG. 9B is a diagram of the round processing R'' 911.
  • processing of five steps is performed (by a θ processing unit 912, a π processing unit 913, a ρ' processing unit 915, a χ processing unit 916, and an ι processing unit 917) on the input data piece to generate an output data piece.
  • the θ processing unit 912, the π processing unit 913, the χ processing unit 916, and the ι processing unit 917 are respectively similar to the θ processing unit 301, the π processing unit 303, the χ processing unit 304, and the ι processing unit 305 of the round processing R 201.
  • the ρ' processing unit 915 is similar to the ρ' processing unit 905 of the round processing R' 901.
  • the ρ processing unit 302 shifts values in the z axis direction according to rules determined for respective lanes, and the π processing unit 303 rearranges the respective lanes.
  • the π processing unit 913 rearranges the respective lanes (processing in the step π)
  • the ρ' processing unit 915 shifts values in the z axis direction according to rules determined for the respective lanes in consideration of the rearrangement processing (processing in the step ρ').
  • the step π is performed before the step ρ', but the shifting amount by which values are shifted in the z axis direction by the ρ' processing unit 915 is changed in consideration of the processing in the step π, whereby the processing result of the round processing R'' 911 becomes the same as that of the round processing R 201.
  • Fig. 10C is a table listing shifting amounts for respective lanes used in the step ρ'.
  • a method of generating the table illustrated in Fig. 10C will be specifically described.
  • the round processing R 201 will be considered.
  • the ρ processing unit 302 and the π processing unit 303 perform the processing in this order.
  • the numbers in Fig. 4B are shifting amounts in the step ρ.
  • the round processing R'' 911 will be considered.
  • the table listing the shifting amounts for the respective lanes used in the step ρ' illustrated in Fig. 10C is a table determined in consideration of the rearrangement processing of the π processing.
  • the π processing unit 903, the ρ' processing unit 905, the χ processing unit 906, and the ι processing unit 907 respectively perform the processing similarly to the π processing unit 913, the ρ' processing unit 915, the χ processing unit 916, and the ι processing unit 917 of the round processing R'' 911.
  • the θ1 processing unit 902 and the θ2 processing unit 904 are obtained by dividing the θ processing unit 912.
  • the step θ is a step of adding the sum of two columns to each bit, the two columns being adjacent to the bit
  • the step π is a step of rearranging the respective lanes.
  • the θ1 processing unit 902 calculates the sum of two columns that are adjacent to each bit (the step θ1).
  • the π processing unit 903 rearranges the respective lanes (the step π)
  • the θ2 processing unit 904 adds the sum of the columns to a bit in consideration of the rearrangement of the respective lanes (the step θ2).
  • Fig. 11 is a diagram illustrating processing in the step θ1.
  • the step θ1 corresponds to the operation of the first half of the step θ and is a step of performing column sum calculation processing. More specifically, the processing is for calculating, for each column, the sum (to be referred to as θ mean value) of two values: "the sum of bits in a column at a position of -1 in the x axis direction" and "the sum of bits in a column at a position of +1 in the x axis direction and -1 in the z axis direction".
  • after receiving twenty-five lane data pieces, the θ1 processing unit 902 outputs a θ intermediate value of one bit for each column, which totals up to θ intermediate values of five times sixty-four bits.
  • a structure for all of the θ intermediate values will be expressed as a planar structure that is parallel to the x-z plane and that has a width of five bits, a height of one bit, and a depth of sixty-four bits.
  • Fig. 12A is a diagram illustrating processing in the step θ2.
  • the step θ2 corresponds to the operation of the second half of the step θ and is a step of performing column sum addition processing. That is, the step θ2 is a step of adding θ intermediate values calculated in the step θ1 to the respective bits.
  • the step π has already been performed before the step θ2. More specifically, in the step θ of the round processing R'' 911 (i.e., the step θ of the round processing R 201), an x coordinate of each bit and an x coordinate of a θ intermediate value used for calculation of the bit are the same. However, in the step θ2 of the round processing R' 901, an x coordinate of each bit and an x coordinate of a θ intermediate value used for calculation of the bit are different and the x coordinate is determined in consideration of the rearrangement of the respective lanes in the step π.
  • the x coordinates of θ intermediate values used for calculation of respective bits are illustrated in Fig. 12B. Note that a holding section previously holds a table in Fig. 12C providing x coordinates of θ intermediate values used for calculation of respective bits in the θ2 processing, and the θ2 processing unit 904 performs the θ2 processing using the table being held.
  • a method of generating the table illustrated in Fig. 12C will be specifically described.
  • the round processing R'' 911 will be considered.
  • the x coordinates of θ intermediate values needed to calculate respective bits in the step θ are the same as the x coordinates of the respective bits.
  • the x coordinates of θ intermediate values for other bits can be similarly obtained to be the other numbers in Fig. 12B.
  • the table in Fig. 12C providing the x coordinates of θ intermediate values when the θ2 processing unit 904 performs the step θ2 is a table determined in consideration of the rearrangement processing of the π processing.
  • the processing result of the round processing R 201 and that of the round processing R'' 911 are the same.
  • the processing result of the round processing R'' 911 and the processing result of the round processing R' 901 are the same. Therefore, the processing result of the round processing R' 901 and the processing result of the round processing R 201 are the same.
  • in the step θ1, the θ1 processing unit 902 calculates the sum, and thus the θ1 processing unit 902 updates a θ intermediate value in the process of calculation every time each lane in the state is input. Therefore, when the preceding stage outputs calculation results of one lane data piece, the θ1 processing unit 902 can start the processing in the step θ1.
  • the θ2 processing unit 904 adds a θ intermediate value calculated in the step θ1 in calculation of each lane in the state. Since the step θ1 has been completed at the time of starting the step θ2, the θ2 processing unit 904 can start to output the processing result of the step θ2 when the preceding stage (step π) outputs calculation results of one lane data piece.
  • the step ρ' is calculation for each of lanes independent of each other. Therefore, when the θ2 processing unit 904 outputs calculation results of the preceding stage (step θ2) of one lane data piece, the ρ' processing unit 905 can start the processing in the step ρ'.
  • processing can be started when one lane data piece out of calculation results of a step of the preceding stage is output.
  • in the step π, respective lanes in a state are rearranged. Therefore, when the preceding stage (step θ1) outputs one whole state, that is, twenty-five lanes of calculation results, the π processing unit 903 can start the processing in the step π.
  • the χ processing unit 906 uses a lane at +1 and a lane at +2 in the x axis direction. Therefore, upon receiving the third lane data piece, the χ processing unit 906 can start the processing in the step χ.
  • the step ι is calculation for each of lanes independent of each other. Therefore, when one lane of calculation results of the preceding stage (step χ) is output, the ι processing unit 907 can start the processing in the step ι.
  • in the step π, start of processing has to wait until the step of the preceding stage outputs twenty-five data pieces of calculation results.
  • in the steps χ and ι, processing can be started when the steps of the preceding stages output three lane data pieces and one lane data piece out of calculation results respectively.
  • the processing can be started without waiting a long time after the start of processing of their preceding stages.
  • Fig. 13 is a diagram illustrating a schematic configuration of an implementation example of the KECCAK algorithm according to the first exemplary embodiment .
  • an input data piece 2101 is illustrated.
  • a lane data piece out of an input data piece 2101 is input as a unit.
  • An exclusive OR (XOR) operator 2102 calculates exclusive OR of a message block and internal data each time of performing the round processing twenty-four times.
  • a register 2103 holds the whole of the internal data expressed as a state data piece.
  • a circuit (θ1 circuit) 2104 performs processing in the step θ1.
  • the circuit 2104 adds columns each time a lane is input and outputs θ intermediate values of five times sixty-four bits after receiving input of twenty-five lanes as a result.
  • a circuit (π circuit) 2105 performs processing in the step π.
  • the π circuit 2105 performs the processing after the register 2103 holds twenty-five lanes, that is, one state.
  • the data width upon input and output is 1600 bits.
  • a circuit (θ2 circuit) 2106 performs processing in the step θ2.
  • a circuit (ρ' circuit) 2107 performs processing in the step ρ'.
  • a circuit (χ circuit) 2108 performs processing in the step χ.
  • a circuit (ι circuit) 2109 performs processing in the step ι.
  • the θ2 circuit 2106, the ρ' circuit 2107, and the ι circuit 2109 respectively perform the processing in units of lanes, and thus perform the processing every time a lane is input.
  • the χ circuit 2108 performs the processing when three lanes are input, but the χ circuit 2108 performs the processing every time a lane is input from the fourth lane.
  • Fig. 14A is an output timing chart of the respective modules of the implementation example according to the first exemplary embodiment.
  • Fig. 14A illustrates an output timing chart when the round processing R' 901 is performed twice. It takes on average twenty-eight clocks for one-time round processing.
  • Fig. 15 is a diagram illustrating a schematic configuration of the implementation example when processing is performed on a lane as a unit by the KECCAK algorithm according to specifications.
  • the processing of the five steps (θ, ρ, π, χ, and ι) is similar to that described above, and thus the description thereof is not provided.
  • the KECCAK-f 105 receives one lane data piece (data having a length of sixty-four bits) from an input data piece 1801 at every clock.
  • the KECCAK-f 105 receives lane data pieces in one state data piece in the order illustrated in Fig. 2F.
  • An Exclusive OR processing unit 1802 is an operator that calculates exclusive OR of a message block and an internal data piece each time the round processing has been performed twenty-four times.
  • a register 1803 holds the whole of the internal data expressed as a state data piece.
  • a processing block (π circuit) 1804 performs the step π. However, as described above, the processing in the step π can be performed only after the processing in the step ρ is completed.
  • a processing block (θ circuit) 1805 performs the step θ, and a processing block (ρ circuit) 1806 performs the step ρ.
  • a processing block (χ circuit) 1807 performs the step χ.
  • a processing block (ι circuit) 1808 performs the step ι.
  • a multiplexer 1809 outputs data having been input from the processing block 1806 in the first half of round processing and outputs data from the processing block 1808 in the second half thereof.
  • the KECCAK-f outputs an output data piece 1810 of one lane when calculation is completed.
  • Fig. 14B is an output timing chart of the respective modules when processing is performed on a lane as a unit by the algorithm according to specifications.
  • a pair of the θ circuit 1805 and the ρ circuit 1806 and a pair of the χ circuit 1807 and the ι circuit 1808 operate in different time periods and do not operate at the same time. It takes fifty-one clocks for one-time round processing.
  • Fig. 13 illustrates an example in which the ρ processing is performed after the θ2 processing, but a similar effect can be obtained even when the ρ processing is performed before the θ2 processing.
  • bits to be added in the θ2 processing should be determined in consideration of the fact that the ρ processing has been performed.
  • Embodiments of the present invention can also be realized by a computer of a system or apparatus that reads out and executes computer executable instructions recorded on a storage medium (e.g., non-transitory computer-readable storage medium) to perform the functions of one or more of the above-described embodiment(s) of the present invention, and by a method performed by the computer of the system or apparatus by, for example, reading out and executing the computer executable instructions from the storage medium to perform the functions of one or more of the above-described embodiment(s).
  • the computer may comprise one or more of a central processing unit (CPU), micro processing unit (MPU), or other circuitry, and may include a network of separate computers or separate computer processors.
  • the computer executable instructions may be provided to the computer, for example, from a network or the storage medium.
  • the storage medium may include, for example, one or more of a hard disk, a random-access memory (RAM), a read only memory (ROM), a storage of distributed computing systems, an optical disk (such as a compact disc (CD), digital versatile disc (DVD), or Blu-ray Disc (BD)TM), a flash memory device, a memory card, and the like.

Landscapes

  • Engineering & Computer Science (AREA)
  • Power Engineering (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Theoretical Computer Science (AREA)
  • Image Processing (AREA)
  • Apparatus Associated With Microorganisms And Enzymes (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

A hash value generating device for generating a hash value based on the KECCAK algorithm includes a θ processing unit, a ρ processing unit, a π processing unit, a χ processing unit, and an ι processing unit for performing processing of five steps θ, ρ, π, χ, and ι, included in round processing of the KECCAK algorithm. The θ processing unit includes a θ1 processing unit for performing column sum calculation processing and a θ2 processing unit for performing column sum addition processing. In the round processing, the π processing unit performs processing before the θ2 processing unit and the ρ processing unit perform processing, and the ρ processing unit performs processing on a lane after rearrangement processing by the π processing unit.

Description

DESCRIPTION
Title of Invention
HASH VALUE GENERATING DEVICE
Technical Field
[0001] The present invention relates to a technique for generating a hash value.
Background Art
[0002] A hash value, which is calculated by using a cryptographic hash algorithm, is utilized for checking data alteration. It has already been verified that Secure Hash Algorithm 1 (SHA-1), which is a cryptographic hash algorithm (cryptographic hash), is not capable of securing safety. It has been pointed out that the SHA-2 family (SHA-224, SHA-256, SHA-384, and SHA-512) may lack security. Therefore, the National Institute of Standards and Technology (NIST) asked the public to come up with a new algorithm to establish a next-generation cryptographic hash algorithm (SHA-3). Then, the KECCAK algorithm ("The KECCAK reference", Version 3.0, January 14, 2011, (http://keccak.noekeon.org/Keccak-reference-3.0.pdf)) was assigned as the SHA-3 in December 2012.
[0003] The SHA-3 outputs a cryptographic hash value of a fixed length from an input message (data) of any length. In the KECCAK algorithm, a permutation function is used, and in the permutation function, round processing of five sequential steps (θ, ρ, π, χ, and ι) is repeated twenty-four times. The round processing is performed on data called a "state" data piece having a length of 1600 bits.
[0004] Many results of the preceding processing have to be temporarily stored in a memory for the θ processing and the π processing out of the five steps of the round processing. Therefore, when the round processing is performed in the order of the steps θ, ρ, π, χ, and ι, many results of the preceding processing have to be temporarily stored in a memory twice within one-time round processing, and thus speedup has been difficult.
Summary of Invention
[0005] The present invention is directed to a technique to improve throughput for generating hash values.
[0006] According to an aspect of the present invention, a hash value generating device for generating a hash value based on the KECCAK algorithm includes a θ processing means, a ρ processing means, a π processing means, a χ processing means, and an ι processing means for performing processing of five steps θ, ρ, π, χ, and ι included in round processing of the KECCAK algorithm. The θ processing means includes a θ1 processing means for performing column sum calculation processing and a θ2 processing means for performing column sum addition processing. In the round processing, the π processing means performs processing before the θ2 processing means and the ρ processing means perform processing, and the ρ processing means performs processing on a lane on which rearrangement processing has been performed by the π processing means.
[0007] Further features of the present invention will become apparent from the following description of exemplary embodiments with reference to the attached drawings.
Brief Description of Drawings
[0008]
[Figs. 1A, 1B, and 1C] Figs. 1A, 1B, and 1C are diagrams illustrating the KECCAK algorithm.
[Figs. 2A, 2B, 2C, 2D, 2E, and 2F] Figs. 2A, 2B, 2C, 2D, 2E, and 2F are diagrams illustrating data structures.
[Figs. 3A and 3B] Figs. 3A and 3B are diagrams illustrating processing in step θ.
[Figs. 4A, 4B, and 4C] Figs. 4A, 4B, and 4C are diagrams illustrating processing in step ρ.
[Figs. 5A and 5B] Figs. 5A and 5B are diagrams illustrating processing in step π.
[Fig. 6] Fig. 6 is a diagram illustrating processing in step χ.
[Fig. 7] Fig. 7 is a diagram illustrating processing in step ι.
[Fig. 8] Fig. 8 is a diagram illustrating round constants in step ι.
[Figs. 9A and 9B] Figs. 9A and 9B are diagrams illustrating an overview of round processing R'.
[Figs. 10A, 10B, and 10C] Figs. 10A, 10B, and 10C are diagrams illustrating processing in step ρ'.
[Fig. 11] Fig. 11 is a diagram illustrating processing in step θ1.
[Figs. 12A, 12B, and 12C] Figs. 12A, 12B, and 12C are diagrams illustrating processing in step θ2.
[Fig. 13] Fig. 13 is a diagram illustrating a schematic configuration of an implementation example of the KECCAK algorithm according to a first exemplary embodiment.
[Figs. 14A and 14B] Figs. 14A and 14B are output timing charts.
[Fig. 15] Fig. 15 is a diagram illustrating a schematic configuration of an implementation example when processing is performed on a lane as a unit by the KECCAK algorithm.
Description of Embodiments
[0009] Various exemplary embodiments, features, and aspects of the invention will be described in detail below with reference to the drawings.
[0010] As a hash value generating device according to an exemplary embodiment of the present invention, a device configured to generate a hash value of SHA-3 (KECCAK algorithm) will be hereinafter described as an example. In the description below, a specific data length or a specific bit value may be provided, but the present invention is not limited to the specific length or value.
[0011] First, the KECCAK algorithm will be described. Note that the specifications can be found in more detail in "The KECCAK reference", Version 3.0, January 14, 2011, (http://keccak.noekeon.org/Keccak-reference-3.0.pdf).
[0012] Fig. 1A is a diagram illustrating the whole of the KECCAK algorithm. In Fig. 1A, message blocks 101 (m1 to mt) are illustrated. The message blocks 101 (m1 to mt) are generated by dividing an input message, for which a hash value is generated, into units of 1024-bit blocks.
[0013] As illustrated in Fig. 1A, all bits of initial values 102 and 103 are zeros in the present exemplary embodiment. Here, a case where all bits of the initial values are zeros is described as an example, but the present invention is not limited to this example. The length of the initial value 102 is 1024 bits, which is the same as that of the message blocks described above, and the total length of the initial values 102 and 103 is 1600 bits. A bitwise exclusive OR (XOR) operator 104 is also illustrated. That is, the XOR operator 104 calculates exclusive OR for each bit of the two 1024-bit input data pieces and outputs the results as a 1024-bit data piece.
[0014] A KECCAK-f 105, which is a permutation function, receives two input data pieces and outputs two data pieces. The detail of the KECCAK-f 105 will be described below with reference to Fig. 1B. A cut-out section 106 cuts out a necessary size from the 1024-bit input data pieces, and outputs the cut out data. A cryptographic hash value (i.e., hash value) 107 is the calculation result of this algorithm.
[0015] Fig. 1B is a diagram illustrating an overview of the KECCAK-f 105, which is a permutation function. Round processing R 201 is performed twenty-four times. The detail of the round processing R will be described below. Input data pieces 202 and 203 are illustrated. The length of the input data piece 202 is 1024 bits. The total length of the input data pieces 202 and 203 is 1600 bits. The two input data pieces 202 and 203 are coupled and then input to the round processing R 201. Output data pieces 204 and 205 are illustrated. The length of the output data piece 204 is 1024 bits. The total length of the output data pieces 204 and 205 is 1600 bits.
[0016] Fig. 1C is a diagram illustrating an overview of the round processing R 201. As described above, for the round processing R 201, the lengths of the input data piece and the output data piece are both 1600 bits. In the round processing R 201, processing of five steps (θ processing unit 301, ρ processing unit 302, π processing unit 303, χ processing unit 304, and ι processing unit 305) to be described below is sequentially performed on the input data piece to generate the output data piece.
[0017] Data structures used in the round processing of the KECCAK algorithm and the above five steps will be described in detail below.
[0018] Fig. 2A is a diagram illustrating a "state", which is a data structure upon input/output of the round processing R 201. As described above, both of the input data piece and the output data piece have 1600-bit length. Each of these 1600-bit data pieces is expressed as a rectangular parallelepiped having a width (x axis direction) of five bits, a height (y axis direction) of five bits, and a depth (z axis direction) of sixty-four bits in three-dimensional arrangement. The rectangular parallelepiped data structure is called a "state". A 1600-bit data piece is allocated to the state structure expressed as a rectangular parallelepiped in the order of the z axis direction, the x axis direction, and the y axis direction. The detail will be described below with reference to Fig. 2F.
[0019] Fig. 2B is a diagram illustrating a data structure "plane". The plane structure is expressed as a planar structure that is parallel to the x-z plane and that has a width of five bits, a height of one bit, and a depth of sixty-four bits. That is, the above "state" structure can be considered as five plane structures that are stacked in the y axis direction.
[0020] Fig. 2C is a diagram illustrating a data structure "sheet". The sheet structure is expressed as a planar structure that is parallel to the y-z plane and that has a width of one bit, a height of five bits, and a depth of sixty-four bits. That is, the above "state" structure can be considered as five sheet structures arranged horizontally in line in the x axis direction.
[0021] Fig. 2D is a diagram illustrating a data structure "lane". The lane structure is expressed as a linear structure that is parallel to the z axis and that has a width of one bit, a height of one bit, and a depth of sixty-four bits. That is, the above "state" structure can be considered as twenty-five lane structures gathered along the x-y plane. Fig. 2F is a diagram illustrating the order of twenty-five lanes included in one state structure.
[0022] Fig. 2E is a diagram illustrating a data structure "column". The column structure is expressed as a linear structure that is parallel to the y axis and that has a width of one bit, a height of five bits, and a depth of one bit. That is, the above "sheet" structure can be considered as sixty-four column structures arranged in line in the z axis direction.
[0023] In the first exemplary embodiment, a case where the input data piece is 1600 bits is described, but the present invention is not limited to the case. In addition, an example where data of the state structure is handled as a rectangular parallelepiped data structure having a width (x axis direction) of five bits, a height (y axis direction) of five bits, and a depth (z axis direction) of sixty-four bits will be described, but the present invention is not limited thereto. For example, an input data piece may have 800 bits, and the state structure data may be handled as a rectangular parallelepiped data structure having a width of five bits, a height of five bits, and a depth of thirty-two bits.
[0024] Further, the plane structure, the sheet structure, the lane structure, and the column structure can be modified according to the respective numbers of bits in the width (x axis direction), in the height (y axis direction), and in the depth (z axis direction) of the state structure. More specifically, when the state structure data has m bits in the x axis direction, n bits in the y axis direction, and s bits in the z axis direction, the plane structure is a planar structure having m bits in the x axis direction, one bit in the y axis direction, and s bits in the z axis direction. The sheet structure is a planar structure having one bit in the x axis direction, n bits in the y axis direction, and s bits in the z axis direction. The lane structure is a linear structure having one bit in the x axis direction, one bit in the y axis direction, and s bits in the z axis direction. The column structure is a linear structure having one bit in the x axis direction, n bits in the y axis direction, and one bit in the z axis direction.
[0025] Next, a method of forming an input data piece for the first round processing R 201 from the input data pieces 202 and 203 that have been input to the KECCAK-f 105 will be described. First, the input data pieces 202 and 203 are coupled in this order to form a 1600-bit data block. Next, the 1600-bit data block is divided into sixty-four-bit blocks to form twenty-five lanes. Last, the twenty-five lanes are arranged in the order illustrated in Fig. 2F along the x-y plane to build one state. The thus generated state structure is input to the round processing R 201. A method of forming the output data pieces 204 and 205 from an output data piece of the twenty-fourth round processing R 201 is similar, and thus the description thereof is not provided.
[0026] Next, five steps (steps θ, ρ, π, χ, and ι) included in the round processing R 201 will be described. In each of the steps, the data structure of an input data piece and an output data piece is the state structure.
[0027] Fig. 3A is a diagram illustrating processing in the step θ (θ processing unit 301). The step θ is processing of adding the sum of two columns to each bit, the two columns being adjacent to the bit. More specifically, the θ processing unit calculates each bit of the output state as follows. That is, each bit is calculated as the sum of three values obtained from the input state: "a value of a bit at the same position"; "the sum of bits of a column at a position of -1 in the x axis direction"; and "the sum of bits of a column at a position of +1 in the x axis direction and -1 in the z axis direction". Here, the sum means the sum on GF(2), and the result will be the same as that of the exclusive OR operation. The processing can be expressed by the following expression.
Figure imgf000011_0001
In the expression, x is 0 to 4, y is 0 to 4, z is 0 to 63.
[0028] Fig. 3B is a diagram illustrating processing in the step θ upon calculation of a bit in an end part (x = 0, for example). In order to calculate a bit at x = 0, "a column at a position of -1 in the x axis direction" corresponds to a column opposite in the state, that is, "the column at a position of x = 4". As described above, a coordinate beyond the state is regarded as a position that is opposite in the state. That is, coordinate values are cyclically shifted in the same state. This rule is similarly applied to x coordinate, y coordinate, and z coordinate and to four other steps.
[0029] Figs. 4A, 4B, and 4C are diagrams illustrating processing in the step ρ (ρ processing unit 302). The step ρ is processing of shifting values of respective bits in the z axis direction. More specifically, the ρ processing unit 302 cyclically shifts values in each lane of the state in the z direction by the specified number of bits as illustrated in Fig. 4A and outputs the shifted values. The number of bits by which the values are shifted in each lane is previously determined as the number illustrated in Fig. 4B. Note that, in order to perform the ρ processing, a holding section previously holds a table listing shifting amounts as illustrated in Fig. 4C and the ρ processing unit 302 performs the ρ processing using the table being held.
[0030] Figs. 5A and 5B are diagrams illustrating processing in the step π (π processing unit 303). The step π is processing of rearranging each of the respective bits in the x-y plane (also referred to as a "slice"), that is, processing of rearranging twenty-five lanes in a single state. More specifically, when respective lanes in the input state are numbered as illustrated in the upper part of Fig. 5A, the output state is illustrated in the lower part thereof. Note that, in order to perform the π processing, the holding section previously holds a table listing rearrangement destinations as illustrated in Fig. 5B and the π processing unit 303 performs the π processing using the table being held.
[0031] Fig. 6 is a diagram illustrating processing in the step χ (χ processing unit 304). The step χ is processing of converting a bit using bits in a line in the x axis direction (also referred to as a "row"), and each bit in the output row is derived based on three bits in the same input row. More specifically, setting is made such that when a bit at a position of +1 in the x axis direction from each bit of the input row is zero and a bit at a position of +2 in the x axis direction from the bit is one, the χ processing unit 304 inverts the value of each corresponding bit of the output row.
[0032] Fig. 7 is a diagram illustrating processing in the step ι (ι processing unit 305). The step ι is processing of adding a round constant to each bit. Fig. 8 is a diagram illustrating round constants used in the step ι. In the step ι, the ι processing unit 305 performs exclusive OR (XOR) on a bit line of a lane at x = y = 0 with a round constant (64-bit value) predetermined for each round. More specifically, the ι processing unit 305 calculates bitwise exclusive OR of a 64-bit value of a lane at x = y = 0 (when a bit at z = 63 is MSB and a bit at z = 0 is LSB) and a round constant illustrated in Fig. 8. Then, the ι processing unit 305 sets the result as a bit line of a lane at x = y = 0 in the output state.
[0033] From the processing contents of the above respective steps (steps θ, ρ, π, χ, and ι), it can be understood that there are the following limitations regarding the start of the processing of the respective steps.
In the step θ, the θ processing unit 301 uses a sheet data piece at -1 and a sheet data piece at +1 in the x axis direction to calculate each lane in the state. Therefore, when the first three sheets are completed, that is, when the θ processing unit 301 receives twenty-three lanes out of the twenty-five lanes from a preceding stage, the θ processing unit 301 can start the processing in the step θ.
The step ρ is calculation for each of lanes independent of each other. Therefore, when one lane of calculation results of the preceding stage (step θ) is output, the ρ processing unit 302 can start the processing in the step ρ.
In the step π, respective lanes in a state are rearranged. Therefore, when one whole state of calculation results of the preceding stage (step ρ) is output, that is, when twenty-five lanes are output, the π processing unit 303 can start the processing in the step π.
In the step χ, in calculation of each lane in a state, the χ processing unit 304 uses a lane at +1 in the x axis direction and a lane at +2 in the x axis direction. Therefore, upon receiving three lane data pieces, the χ processing unit 304 can start the processing in the step χ.
The step ι is calculation for each of lanes independent of each other. Therefore, when one lane of calculation results of the preceding stage (step χ) is output, the ι processing unit 305 can start the processing in the step ι.
[0034] In other words, in the steps θ, π, and χ, start of processing has to wait until the steps at the respective preceding stages output calculation results of twenty-three lanes, twenty-five lanes, and three lanes respectively. As described above, the processing of the two steps θ and π in particular can be started only after a long time has passed since the start of processing of their preceding stages.
[0035] This means that throughput can be improved when the starting time of the step θ or the step π can be hastened. However, the operation order of the specifications of the KECCAK algorithm does not allow improvement of throughput. Thus, the operation order has to be different from that of the KECCAK algorithm in order to improve throughput.
[0036] Next, round processing R' 901 will be described. The round processing R' 901 is processing used in the present exemplary embodiment and designed such that the result is the same as that of the round processing R 201. However, processing contents of the round processing R' 901 are different from the specifications of the KECCAK algorithm.
[0037] Fig. 9A is a diagram illustrating an overview of the round processing R' 901. The round processing R' 901 is designed such that the processing result is the same as that of the round processing R 201. In the round processing R' 901, processing of six steps is performed (by a θ1 processing unit 902, a π processing unit 903, a θ2 processing unit 904, a ρ' processing unit 905, a χ processing unit 906, and an ι processing unit 907) on an input data piece to generate an output data piece.
[0038] Note that the π processing unit 903, the χ processing unit 906, and the ι processing unit 907 perform processing similar to that performed by the π processing unit 303, the χ processing unit 304, and the ι processing unit 305 of the round processing R 201. The ρ' processing unit 905 performs processing of shifting values of respective bits in the z axis direction similarly to the ρ processing unit 302 of the round processing R 201, but the number of bits by which the values are shifted is different. The θ1 processing unit 902 and the θ2 processing unit 904 are obtained by dividing the θ processing unit 301 in the round processing R 201.
[0039] Since the π processing, the χ processing, and the ι processing in the round processing R' 901 are similar to those in the round processing R 201, the description thereof is not provided. The ρ' processing, the θ1 processing, and the θ2 processing will be described below.
[0040] Fig. 10A is a diagram illustrating processing in the step ρ' (ρ' processing unit 905). In the step ρ', the ρ' processing unit 905 performs processing of cyclically shifting a value of each bit in the z axis direction similarly to the step ρ. However, the number of bits by which the values are cyclically shifted in each lane is different from that of the step ρ, and is illustrated in Fig. 10B. Note that, in order to perform the ρ' processing, a holding section previously holds a table listing shifting amounts as illustrated in Fig. 10C and the ρ' processing unit 905 performs the ρ' processing using the table being held. This table is determined in consideration of the π processing. The detail will be described below.
[0041] In order to show that the processing result of the round processing R' 901 and that of the round processing R 201 are the same, it will first be shown that the processing result of the round processing R 201 and the processing result of round processing R'' 911 are the same.
[0042] Fig. 9B is a diagram of the round processing R'' 911. In the round processing R'' 911, processing of five steps is performed (by a θ processing unit 912, a π processing unit 913, a ρ' processing unit 915, a χ processing unit 916, and an ι processing unit 917) on the input data piece to generate an output data piece. Here, the θ processing unit 912, the π processing unit 913, the χ processing unit 916, and the ι processing unit 917 are respectively similar to the θ processing unit 301, the π processing unit 303, the χ processing unit 304, and the ι processing unit 305 of the round processing R 201. The ρ' processing unit 915 is similar to the ρ' processing unit 905 of the round processing R' 901.
[0043] When the round processing R 201 is compared with the round processing R'' 911, they differ in that the π processing unit 913 and the ρ' processing unit 915 perform the processing in this order in the round processing R'' 911 while the ρ processing unit 302 and the π processing unit 303 perform the processing in this order in the round processing R 201.
[0044] Here, in the step ρ of the round processing R 201, the ρ processing unit 302 shifts values in the z axis direction according to rules determined for respective lanes, and the π processing unit 303 rearranges the respective lanes. On the other hand, in the round processing R'' 911, the π processing unit 913 rearranges the respective lanes (processing in the step π), and thereafter the ρ' processing unit 915 shifts values in the z axis direction according to rules determined for the respective lanes in consideration of the rearrangement processing (processing in the step ρ'). More specifically, in the round processing R'' 911, the step π is performed before the step ρ', but the shifting amount by which values are shifted in the z axis direction by the ρ' processing unit 915 is changed in consideration of the processing in the step π, whereby the processing result of the round processing R'' 911 becomes the same as that of the round processing R 201.
[0045] Fig. 10C is a table listing shifting amounts for respective lanes used in the step ρ'.
[0046] A method of generating the table illustrated in Fig. 10C will be specifically described. First, the round processing R 201 will be considered. In the round processing R 201, the ρ processing unit 302 and the π processing unit 303 perform the processing in this order. The numbers in Fig. 4B are shifting amounts in the step ρ. For example, the shifting amount for a lane at the position of x = 0 and y = 4 is eighteen bits. Next, the lane rearrangement by the π processing is confirmed using Figs. 5A and 5B. It can be seen that the π processing unit 303 moves the lane at the position of x = 0 and y = 4 to the position of x = 4, y = 2.
[0047] Next, the round processing R'' 911 will be considered. In the round processing R'' 911, the π processing unit 913 and the ρ' processing unit 915 perform the processing in this order. Since the π processing is performed before the ρ' processing, a lane for which the ρ' processing unit 915 should shift values by eighteen bits is a lane at the position of x = 4, y = 2. Therefore, the number at the position of x = 4, y = 2 in Fig. 10B is eighteen. Shifting amounts of the other lanes can be similarly obtained to be the other numbers in Fig. 10B.
[0048] That is, the table listing the shifting amounts for the respective lanes used in the step ρ' illustrated in Fig. 10C is a table determined in consideration of the rearrangement processing of the π processing.
[0049] Next, it will be shown that the processing result of the round processing R'' 911 is the same as that of the round processing R' 901.
[0050] Note that the π processing unit 903, the ρ' processing unit 905, the χ processing unit 906, and the ι processing unit 907 respectively perform the processing similarly to the π processing unit 913, the ρ' processing unit 915, the χ processing unit 916, and the ι processing unit 917 of the round processing R'' 911. The θ1 processing unit 902 and the θ2 processing unit 904 are obtained by dividing the θ processing unit 912.
[0051] When the round processing R'' 911 is compared with the round processing R' 901, they differ in that the θ processing unit 912 and the π processing unit 913 perform the processing in this order in the round processing R'' 911 while the θ1 processing unit 902, the π processing unit 903, and the θ2 processing unit 904 perform the processing in this order in the round processing R' 901.
[0052] Here, in the round processing R'' 911, the step θ is a step of adding the sum of two columns to each bit, the two columns being adjacent to the bit, and the step π is a step of rearranging the respective lanes. On the other hand, in the round processing R' 901, the θ1 processing unit 902 calculates the sum of two columns that are adjacent to each bit (the step θ1). Then, the π processing unit 903 rearranges the respective lanes (the step π), and the θ2 processing unit 904 adds the sum of the columns to a bit in consideration of the rearrangement of the respective lanes (the step θ2).
[0053] Fig. 11 is a diagram illustrating processing in the step Θ1. The step Θ1 corresponds to the operation of the first half of the step Θ and is a step of performing column sum calculation processing. More specifically, the processing is for calculating, for each column, the sum (to be referred to as Θ mean value) of two values: "the sum of bits in a column at a position of -1 in the x axis direction" and "the sum of bits in a column at a position of + 1 in the x axis direction and -1 in the z axis direction". After receiving twenty-five lane data pieces, the Θ1 processing unit 902 outputs a Θ intermediate value of one bit for each column that totals up to Θ intermediate values of five times sixty-four bits. A structure for all of the Θ intermediate values will be expressed as a planar structure that is parallel to the x-z plane and that has a width of five bits, a height of one bit, and a depth of sixty-four bits.
[0054] Fig. 12A is a diagram illustrating processing in the step Θ2. The step Θ2 corresponds to the operation of the second half of the step Θ and is a step of performing column sum addition processing. That is, the step Θ2 is a step of adding the Θ intermediate values calculated in the step Θ1 to the respective bits.
[0055] However, it should be noted that the step π has already been performed before the step Θ2. More specifically, in the step Θ of the round processing R'' 911 (i.e., the step Θ of the round processing R 201), the x coordinate of each bit and the x coordinate of the Θ intermediate value used for calculation of the bit are the same. However, in the step Θ2 of the round processing R' 901, the x coordinate of each bit and the x coordinate of the Θ intermediate value used for calculation of the bit are different, and the latter is determined in consideration of the rearrangement of the respective lanes in the step π. The x coordinates of the Θ intermediate values used for calculation of the respective bits are illustrated in Fig. 12B. Note that a holding section holds in advance the table in Fig. 12C providing the x coordinates of the Θ intermediate values used for calculation of the respective bits in the Θ2 processing, and the Θ2 processing unit 904 performs the Θ2 processing using the held table.
[0056] A method of generating the table illustrated in Fig. 12C will be specifically described. First, the round processing R'' 911 will be considered. The x coordinates of the Θ intermediate values needed to calculate the respective bits in the step Θ are the same as the x coordinates of the respective bits. For example, a bit at the position of x = 0, y = 4 is calculated using the Θ intermediate value at the position of x = 0 in the step Θ. Next, the lane rearrangement in the step π is confirmed using Figs. 5A and 5B. It can be seen that the π processing unit 913 moves the bit at the position of x = 0, y = 4 to the position of x = 4, y = 2.
[0057] Next, the round processing R' 901 will be considered. Since the π processing unit 903 has already performed the step π when the Θ2 processing unit 904 performs the step Θ2, it can be seen that the x coordinate of the Θ intermediate value needed for calculation of the bit at the position of x = 4, y = 2 in the step Θ2 is x = 0. Therefore, the number at the position of x = 4, y = 2 out of the numbers provided in Fig. 12B becomes zero. The x coordinates of the Θ intermediate values for the other bits can be similarly obtained to be the other numbers in Fig. 12B.
[0058] That is, the table in Fig. 12C providing the x coordinates of the Θ intermediate values when the Θ2 processing unit 904 performs the step Θ2 is a table determined in consideration of the rearrangement processing of the π processing.
[0059] As described above, the processing result of the round processing R 201 and that of the round processing R'' 911 are the same. In addition, the processing result of the round processing R'' 911 and the processing result of the round processing R' 901 are the same. Therefore, the processing result of the round processing R' 901 and the processing result of the round processing R 201 are the same.
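The table derivation in [0056] to [0058] and the equivalence stated in [0059] can be checked with a lane-level software model. The Python below is an added example, not code from the patent: the names round_spec, round_reordered, THETA2_X and RHO_PRIME are assumptions of this example, lanes are indexed a[x][y], and the ρ' offset table is built here by the same push-through-π method the description uses for the Θ2 table.

```python
# Added example: lane-level software model, not the patent's circuit.
import hashlib

MASK = (1 << 64) - 1

def rol(v, n):
    return ((v << n) | (v >> (64 - n))) & MASK  # valid for 0 <= n < 64

def rho_offsets():
    # Rotation offsets of the specification's rho step, indexed [x][y].
    r = [[0] * 5 for _ in range(5)]
    x, y = 1, 0
    for t in range(24):
        r[x][y] = ((t + 1) * (t + 2) // 2) % 64
        x, y = y, (2 * x + 3 * y) % 5
    return r

def round_constants():
    # iota round constants, generated with the specification's 8-bit LFSR.
    rcs, lfsr = [], 1
    for _ in range(24):
        rc = 0
        for j in range(7):
            if lfsr & 1:
                rc |= 1 << ((1 << j) - 1)
            lfsr = ((lfsr << 1) ^ (0x71 if lfsr & 0x80 else 0)) & 0xFF
        rcs.append(rc)
    return rcs

def pi(a):
    # pi: the entry at (x, y) moves to (y, 2x + 3y). Works on lanes or table entries.
    b = [[0] * 5 for _ in range(5)]
    for x in range(5):
        for y in range(5):
            b[y][(2 * x + 3 * y) % 5] = a[x][y]
    return b

def theta1(a):
    # Column sums, then one intermediate lane per x: C[x-1] ^ rol(C[x+1], 1).
    c = [a[x][0] ^ a[x][1] ^ a[x][2] ^ a[x][3] ^ a[x][4] for x in range(5)]
    return [c[(x - 1) % 5] ^ rol(c[(x + 1) % 5], 1) for x in range(5)]

def chi_iota(a, rc):
    b = [[a[x][y] ^ (~a[(x + 1) % 5][y] & a[(x + 2) % 5][y]) for y in range(5)]
         for x in range(5)]
    b[0][0] ^= rc
    return b

RHO = rho_offsets()
RC = round_constants()
# Tables fixed in advance by pushing each entry through pi, as the description does
# for one bit: THETA2_X[X][Y] is the x coordinate the lane at (X, Y) had before pi.
THETA2_X = pi([[x] * 5 for x in range(5)])
RHO_PRIME = pi(RHO)

def round_spec(a, rc):
    # Specification order: theta, rho, pi, chi, iota.
    d = theta1(a)
    a = [[rol(a[x][y] ^ d[x], RHO[x][y]) for y in range(5)] for x in range(5)]
    return chi_iota(pi(a), rc)

def round_reordered(a, rc):
    # Reordered round: theta1, pi, theta2, rho', chi, iota.
    d = theta1(a)  # computed on the pre-pi state
    a = pi(a)
    a = [[rol(a[x][y] ^ d[THETA2_X[x][y]], RHO_PRIME[x][y]) for y in range(5)]
         for x in range(5)]
    return chi_iota(a, rc)

def sha3_256(msg, rnd):
    # Sponge with a 136-byte rate and SHA-3 padding; lane i sits at x = i % 5, y = i // 5.
    p = bytearray(msg) + b"\x06" + bytes(-(len(msg) + 1) % 136)
    p[-1] |= 0x80
    a = [[0] * 5 for _ in range(5)]
    for off in range(0, len(p), 136):
        for i in range(17):
            a[i % 5][i // 5] ^= int.from_bytes(p[off + 8 * i: off + 8 * i + 8], "little")
        for rc in RC:
            a = rnd(a, rc)
    return b"".join(a[i % 5][i // 5].to_bytes(8, "little") for i in range(4))

def matches_hashlib(msg):
    # Both round orders must reproduce the library's SHA3-256 digest.
    ref = hashlib.sha3_256(msg).digest()
    return sha3_256(msg, round_spec) == ref and sha3_256(msg, round_reordered) == ref
```

THETA2_X[4][2] evaluates to 0, the entry worked out in [0057]; a wrong entry in either table changes the digest, so comparing against a reference SHA-3 implementation is a practical acceptance check for a reordered datapath.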
[0060] From the processing contents of the above respective steps (steps Θ1, Θ2, and ρ'), it can be understood that there are the following limitations regarding the start of the processing of the respective steps.
• In the step Θ1, the Θ1 processing unit 902 calculates the sum, and thus updates a Θ intermediate value under calculation every time a lane in the state is input. Therefore, when the preceding stage outputs calculation results of one lane data piece, the Θ1 processing unit 902 can start the processing in the step Θ1.
• In the step Θ2, the Θ2 processing unit 904 adds a Θ intermediate value calculated in the step Θ1 in calculation of each lane in the state. Since the step Θ1 has been completed at the time of starting the step Θ2, the Θ2 processing unit 904 can start to output the processing result of the step Θ2 when the preceding stage (step π) outputs calculation results of one lane data piece.
• The step ρ' is a calculation performed on each lane independently of the others. Therefore, when the preceding stage (step Θ2) outputs calculation results of one lane data piece, the ρ' processing unit 905 can start the processing in the step ρ'.
[0061] That is, in the steps Θ1, Θ2, and ρ', processing can be started when one lane data piece out of the calculation results of the preceding stage is output.
[0062] In addition, from the processing contents of the steps π, χ, and ι, there are the following limitations regarding the start of the processing of the respective steps.
• In the step π, the respective lanes in a state are rearranged. Therefore, when the preceding stage (step Θ1) outputs one whole state, that is, twenty-five lanes of calculation results, the π processing unit 903 can start the processing in the step π.
• In the step χ, in calculation of each lane in a state, the χ processing unit 906 uses a lane at +1 and a lane at +2 in the x axis direction. Therefore, upon receiving the third lane data piece, the χ processing unit 906 can start the processing in the step χ.
• The step ι is a calculation performed on each lane independently of the others. Therefore, when one lane of calculation results of the preceding stage (step χ) is output, the ι processing unit 907 can start the processing in the step ι.
[0063] In other words, in the step π, the start of processing has to wait until the preceding stage outputs twenty-five data pieces of calculation results. However, in the steps χ and ι, processing can be started when the preceding stages output three lane data pieces and one lane data piece of calculation results, respectively.
[0064] That is, in the steps excluding the step π, the processing can be started without waiting a long time after the start of processing of their preceding stages.
[0065] Thus, throughput can be improved by using the round processing R' 901 instead of the round processing R 201. Hereinafter, a configuration of the round processing R' 901 will be described.
[0066] Fig. 13 is a diagram illustrating a schematic configuration of an implementation example of the KECCAK algorithm according to the first exemplary embodiment. In Fig. 13, an input data piece 2101 is illustrated. Here, the input data piece 2101 is input in units of one lane data piece. An exclusive OR (XOR) operator 2102 calculates the exclusive OR of a message block and internal data each time the round processing has been performed twenty-four times. A register 2103 holds the whole of the internal data expressed as a state data piece.
[0067] A circuit (Θ1 circuit) 2104 performs processing in the step Θ1. In the present exemplary embodiment, the circuit 2104 adds columns each time a lane is input and outputs Θ intermediate values of five times sixty-four bits after receiving input of twenty-five lanes as a result.
[0068] A circuit (π circuit) 2105 performs processing in the step π. The π circuit 2105 performs the processing after the register 2103 holds twenty-five lanes, that is, one state. The data width upon input and output is 1600 bits.
[0069] A circuit (Θ2 circuit) 2106 performs processing in the step Θ2. A circuit (ρ' circuit) 2107 performs processing in the step ρ'. A circuit (χ circuit) 2108 performs processing in the step χ. A circuit (ι circuit) 2109 performs processing in the step ι. The Θ2 circuit 2106, the ρ' circuit 2107, and the ι circuit 2109 each perform the processing in units of lanes, and thus perform the processing every time a lane is input. The χ circuit 2108 starts the processing when three lanes have been input and, from the fourth lane onward, performs the processing every time a lane is input.
[0070] Fig. 14A is an output timing chart of the respective modules of the implementation example according to the first exemplary embodiment. Fig. 14A illustrates an output timing chart when the round processing R' 901 is performed twice. It takes on average twenty-eight clocks for one-time round processing.
[0071] Hereinafter, an implementation example in which processing is performed on a lane data piece as a unit by the algorithm according to the specifications will be described for comparison with the implementation example of the above first exemplary embodiment.
[0072] Fig. 15 is a diagram illustrating a schematic configuration of the implementation example when processing is performed on a lane as a unit by the KECCAK algorithm according to specifications. The processing of the five steps (Θ, ρ, π, χ, and ι) is similar to that described above, and thus the description thereof is not provided.
[0073] The KECCAK-f 105 receives one lane data piece (data having a length of sixty-four bits) from an input data piece 1801 at every clock. The KECCAK-f 105 receives lane data pieces in one state data piece in the order illustrated in Fig. 2F.
[0074] An exclusive OR processing unit 1802 is an operator that calculates the exclusive OR of a message block and an internal data piece each time the round processing has been performed twenty-four times.
[0075] A register 1803 holds the whole of the internal data expressed as a state data piece. A processing block (π circuit) 1804 performs the step π. However, as described above, the processing in the step π can be performed only after the processing in the step ρ is completed. A processing block (Θ circuit) 1805 performs the step Θ, and a processing block (ρ circuit) 1806 performs the step ρ.
[0076] A processing block (χ circuit) 1807 performs the step χ, and a processing block (ι circuit) 1808 performs the step ι. A multiplexer 1809 outputs data having been input from the processing block 1806 in the first half of round processing and outputs data from the processing block 1808 in the second half thereof. The KECCAK-f outputs an output data piece 1810 of one lane when calculation is completed.
[0077] Fig. 14B is an output timing chart of the respective modules when processing is performed on a lane as a unit by the algorithm according to specifications. A pair of the Θ circuit 1805 and the ρ circuit 1806 and a pair of the χ circuit 1807 and the ι circuit 1808 operate in different time-periods and do not operate at the same time. It takes fifty-one clocks for one-time round processing.
[0078] As can be seen from comparison of Fig. 14A and Fig. 14B, throughput of the processing can be improved by using the configuration of the implementation example according to the first exemplary embodiment.
More specifically, the following can be said.
• All processing circuits other than the π circuit 2404 operate in parallel, and thus utilization efficiency of the circuits can be improved.
• One-time round processing can be performed within a smaller number of clocks (less time).
[0079] As described above, the π processing is performed before the Θ2 processing and the ρ processing are performed, and data is held for the π processing while the Θ1 processing is performed. Thus, the time spent holding data, as in the conventional technique, is reduced. Incidentally, Fig. 13 illustrates an example in which the ρ processing is performed after the Θ2 processing, but a similar effect can be obtained even when the ρ processing is performed before the Θ2 processing. When the ρ processing is performed before the Θ2 processing, the bits to be added in the Θ2 processing should be determined in consideration of the fact that the ρ processing has been performed.
[0080] According to the exemplary embodiments described above, a technique capable of improving throughput for generating hash values can be provided.
[0081] Embodiments of the present invention can also be realized by a computer of a system or apparatus that reads out and executes computer executable instructions recorded on a storage medium (e.g., non-transitory computer-readable storage medium) to perform the functions of one or more of the above-described embodiment(s) of the present invention, and by a method performed by the computer of the system or apparatus by, for example, reading out and executing the computer executable instructions from the storage medium to perform the functions of one or more of the above-described embodiment(s). The computer may comprise one or more of a central processing unit (CPU), micro processing unit (MPU), or other circuitry, and may include a network of separate computers or separate computer processors. The computer executable instructions may be provided to the computer, for example, from a network or the storage medium. The storage medium may include, for example, one or more of a hard disk, a random-access memory (RAM), a read only memory (ROM), a storage of distributed computing systems, an optical disk (such as a compact disc (CD), digital versatile disc (DVD), or Blu-ray Disc (BD)™), a flash memory device, a memory card, and the like.
[0082] While the present invention has been described with reference to exemplary embodiments, it is to be understood that the invention is not limited to the disclosed exemplary embodiments. The scope of the following claims is to be accorded the broadest interpretation so as to encompass all such modifications and equivalent structures and functions.
[0083] This application claims the benefit of Japanese Patent Applications No. 2013-032036 filed February 21, 2013 and No. 2014-017414 filed January 31, 2014, which are hereby incorporated by reference herein in their entirety.

Claims

[Claim 1]
A hash value generating device comprising:
a Θ processing means for performing Θ processing included in round processing of Secure Hash Algorithm 3 (SHA-3 algorithm);
a ρ processing means for performing ρ processing included in the round processing;
a π processing means for performing π processing included in the round processing;
a χ processing means for performing χ processing included in the round processing; and
an ι processing means for performing ι processing included in the round processing,
wherein the Θ processing means includes a Θ1 processing means for calculating column sum and a Θ2 processing means for adding the calculated column sum to a predetermined bit, and wherein, in the round processing, the π processing means performs processing before the Θ2 processing means and the ρ processing means perform processing.
[Claim 2]
The hash value generating device according to claim 1, wherein the π processing means performs processing after a holding means holds twenty-five lanes.
[Claim 3]
The hash value generating device according to claim 2, wherein the Θ1 processing means performs processing during a period in which the holding means holds the lanes.
[Claim 4]
The hash value generating device according to claim 1, wherein the Θ2 processing means performs processing using a table determined in consideration of processing by the π processing means.
[Claim 5]
The hash value generating device according to claim 1, wherein the ρ processing means performs processing using a table determined in consideration of processing by the π processing means.
[Claim 6]
The hash value generating device according to claim 1, wherein the Θ1 processing means, the Θ2 processing means, the ρ processing means, the χ processing means, and the ι processing means perform processing in units of lanes.
[Claim 7]
The hash value generating device according to claim 1, wherein the Θ2 processing means and the ρ processing means perform processing after the π processing means performs processing.
[Claim 8]
The hash value generating device according to claim 1, further comprising an output means for outputting a hash value obtained by performing the round processing using the Θ means, the ρ means, the π means, the χ means, and the ι means.
[Claim 9]
The hash value generating device according to claim 1, wherein the Θ processing means calculates a sum of bits along an x axis direction and adds the calculated sum to a predetermined bit,
wherein the ρ processing means shifts values of respective bits in a z axis direction,
wherein the π processing means rearranges values of respective bits in an x-y plane,
wherein the χ processing means converts a bit using bits in a line in the x axis direction, and
wherein the ι processing means adds predetermined values to respective bits.
[Claim 10]
A hash value generating device that performs round processing of hash algorithm in which a data piece of a structure having m bits in an x axis direction, n bits in a y axis direction, and s bits in a z axis direction is processed, the hash value generating device comprising:
a first processing means for calculating a sum of bits in the x axis direction and adding the calculated sum to a predetermined bit;
a second processing means for shifting a bit in the z axis direction;
a third processing means for rearranging respective bits in an x-y plane;
a fourth processing means for converting a bit using bits in a line in the x axis direction; and
a fifth processing means for adding predetermined values to respective bits,
wherein the first processing means includes a sixth processing means for calculating the sum of the bits in the x axis direction and a seventh processing means for adding the calculated sum to the predetermined bit, and
wherein, in the round processing, the third processing means performs processing before the seventh and second processing means perform processing.
[Claim 11]
The hash value generating device according to claim 10, wherein the third processing means performs processing after a holding means holds twenty-five data pieces of a structure having one bit in the x axis direction, n bits in the y axis direction, and one bit in the z axis direction.
[Claim 12]
The hash value generating device according to claim wherein the sixth processing means performs processing during a period in which the holding means holds data of a structure having one bit in the x axis direction, n bits in the y axis direction, and one bit in the z axis direction.
[Claim 13]
The hash value generating device according to claim 10, wherein the seventh processing means performs processing using a table determined in consideration of processing by the third processing means.
[Claim 14]
The hash value generating device according to claim 10, wherein the second processing means performs processing using a table determined in consideration of processing by the third processing means.
[Claim 15]
The hash value generating device according to claim 10, further comprising an output means for outputting a hash value obtained by performing the round processing using the first processing means, the second processing means, the third processing means, the fourth processing means, and the fifth processing means.
PCT/JP2014/054245 2013-02-21 2014-02-17 Hash value generating device WO2014129610A1 (en)

Priority Applications (4)

Application Number Priority Date Filing Date Title
EP14753948.0A EP2959469B1 (en) 2013-02-21 2014-02-17 Hash value generating device
KR1020157025717A KR101749528B1 (en) 2013-02-21 2014-02-17 Hash value generating device
US14/767,896 US9985780B2 (en) 2013-02-21 2014-02-17 Hash value generating device that performs round processing of a hash algorithm
CN201480009745.2A CN105074799B (en) 2013-02-21 2014-02-17 Hash value generation device

Applications Claiming Priority (4)

Application Number Priority Date Filing Date Title
JP2013032036 2013-02-21
JP2013-032036 2013-02-21
JP2014-017414 2014-01-31
JP2014017414A JP6238774B2 (en) 2013-02-21 2014-01-31 Hash value generator

Publications (1)

Publication Number Publication Date
WO2014129610A1 true WO2014129610A1 (en) 2014-08-28

Family

ID=51391390

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/JP2014/054245 WO2014129610A1 (en) 2013-02-21 2014-02-17 Hash value generating device

Country Status (6)

Country Link
US (1) US9985780B2 (en)
EP (1) EP2959469B1 (en)
JP (1) JP6238774B2 (en)
KR (1) KR101749528B1 (en)
CN (1) CN105074799B (en)
WO (1) WO2014129610A1 (en)

Also Published As

Publication number Publication date
CN105074799A (en) 2015-11-18
KR101749528B1 (en) 2017-06-21
US20150381354A1 (en) 2015-12-31
EP2959469A4 (en) 2016-11-16
KR20150120473A (en) 2015-10-27
JP2014186310A (en) 2014-10-02
US9985780B2 (en) 2018-05-29
JP6238774B2 (en) 2017-11-29
EP2959469A1 (en) 2015-12-30
CN105074799B (en) 2017-12-01
EP2959469B1 (en) 2020-10-14

Legal Events

Date Code Title Description
WWE Wipo information: entry into national phase

Ref document number: 201480009745.2

Country of ref document: CN

121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 14753948

Country of ref document: EP

Kind code of ref document: A1

WWE Wipo information: entry into national phase

Ref document number: 14767896

Country of ref document: US

NENP Non-entry into the national phase

Ref country code: DE

ENP Entry into the national phase

Ref document number: 20157025717

Country of ref document: KR

Kind code of ref document: A

WWE Wipo information: entry into national phase

Ref document number: 2014753948

Country of ref document: EP