WO2016026287A1 - 一种加密装置、加密方法及计算机存储介质 - Google Patents

一种加密装置、加密方法及计算机存储介质 Download PDF

Info

Publication number
WO2016026287A1
WO2016026287A1 PCT/CN2015/074127 CN2015074127W WO2016026287A1 WO 2016026287 A1 WO2016026287 A1 WO 2016026287A1 CN 2015074127 W CN2015074127 W CN 2015074127W WO 2016026287 A1 WO2016026287 A1 WO 2016026287A1
Authority
WO
WIPO (PCT)
Prior art keywords
data
encryption
parameter
processing module
encrypted
Prior art date
Application number
PCT/CN2015/074127
Other languages
English (en)
French (fr)
Inventor
万贤明
冯奎景
周阳
Original Assignee
深圳市中兴微电子技术有限公司
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by 深圳市中兴微电子技术有限公司 filed Critical 深圳市中兴微电子技术有限公司
Publication of WO2016026287A1 publication Critical patent/WO2016026287A1/zh

Links

Images

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/04Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L63/0457Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload wherein the sending and receiving network entities apply dynamic encryption, e.g. stream encryption
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W12/00Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/03Protecting confidentiality, e.g. by encryption
    • H04W12/033Protecting confidentiality, e.g. by encryption of the user plane, e.g. user's traffic

Definitions

  • the present invention relates to wireless communication technologies, and in particular, to an encryption device, an encryption method, and a computer storage medium.
  • Wireless communication systems are widely used in various types of communication such as voice, video, and data.
  • the integrity calculation of transmitted data is an effective means to protect data security and prevent unauthorized tampering.
  • LTE Long Term Evolution
  • the EIA3 integrity algorithm is one of Zu Chong's algorithm sets; the Zu Chong's algorithm set is an encryption and integrity algorithm designed by Chinese researchers, including Zu Chongzhi (ZUC) algorithm, encryption algorithm 128-EEA3 and integrity algorithm 128-EIA3. This set of algorithms has been recognized as the third set of algorithms for international encryption and integrity standards for LTE wireless communications.
  • the embodiments of the present invention provide an encryption device, an encryption method, and a computer storage medium, which can solve the problem of no hardware system support by using the ZUC algorithm for encryption.
  • the problem can solve the problem of no hardware system support by using the ZUC algorithm for encryption.
  • An embodiment of the present invention provides an encryption apparatus, where the encryption apparatus includes: a data storage module, a key stream processing module, and an encryption processing module;
  • the data storage module is configured to acquire a first parameter, and send a key and an encryption parameter in the first parameter to the key stream processing module when the first preset condition is met; the first parameter
  • the method includes: a key, an encryption parameter, a source address, a destination address, and a data length; and configured to read the data to be encrypted according to the source address and the data length in the first parameter, and send the data to be encrypted to the
  • the encryption processing module is further configured to receive the encrypted data sent by the encryption processing module according to the destination address and the data length in the first parameter, and output the encrypted data;
  • the key stream processing module is configured to receive a key and an encryption parameter in the first parameter sent by the data storage module, generate a key stream according to the key and the encryption parameter, and use the key stream Sended to the encryption processing module;
  • the encryption processing module is configured to receive the data to be encrypted sent by the data storage module and the key stream sent by the key stream processing module, and the data to be encrypted and the key The stream is processed in a first encryption manner to obtain encrypted data, and the encrypted data is sent to the data storage module.
  • the data storage module includes: a bus slave processing module, a finite state machine (FSM) control module, and a bus master processing module;
  • FSM finite state machine
  • the bus slave processing module is configured to acquire a first parameter, and send the first parameter to the FSM control module;
  • the first parameter includes: a key, an encryption parameter, a source address, a destination address, and a data length information. ;
  • the FSM control module is configured to send the key and the encryption parameter to the key stream processing mode according to the first parameter sent by the processing module from the processing module when the first preset condition is met Block, sending the source address, destination address, and data length information to the bus main processing module;
  • the bus main processing module is configured to read data to be encrypted according to the source address and data length information sent by the FSM control module, and send the data to be encrypted to the encryption processing module; And receiving, according to the destination address and the data length information sent by the FSM control module, the encrypted data sent by the encryption processing module, and outputting the encrypted data.
  • the bus main processing module includes: a first cache module and a second cache module; wherein
  • the first cache module is configured to read data to be encrypted according to the source address and data length information sent by the FSM control module, and send the data to be encrypted when the second preset condition is met.
  • the second cache module is configured to receive the encrypted data sent by the encryption processing module according to the destination address and data length information sent by the FSM control module, and output the encryption when the third preset condition is met. data.
  • the interface used by the bus main processing module includes, but is not limited to, an Advanced EXtensible Interface (AXI) main interface or an Advanced High-performance Bus (AHB) main interface.
  • AXI Advanced EXtensible Interface
  • ABB Advanced High-performance Bus
  • the interface employed by the bus from the processing module includes, but is not limited to, an AXI slave interface or an AHB slave interface.
  • the key stream processing module is configured to generate a multiple key stream in parallel according to the key and the encryption parameter.
  • An embodiment of the present invention further provides an encryption method, where the method includes:
  • the first parameter includes: a key, an encryption parameter, a source address, a destination address, and a data length;
  • Reading the data to be encrypted, and pressing the data to be encrypted and the key stream according to the first encryption side The processing is performed to obtain encrypted data, and the encrypted data is output.
  • the generating the key stream according to the key and the encryption parameter in the first parameter comprises: generating a multiple key stream in parallel according to the key and the encryption parameter in the first parameter.
  • the obtaining the first parameter comprises: acquiring the first parameter by using an AXI primary interface or an AHB primary interface including but not limited to.
  • the reading data to be encrypted includes: reading data to be encrypted by using an AXI main interface or an AHB main interface including but not limited to;
  • the outputting the encrypted data comprises: outputting the encrypted data by using an AXI main interface or an AHB main interface including but not limited to.
  • the embodiment of the invention further provides a computer storage medium, wherein the computer storage medium stores computer executable instructions, and the computer executable instructions are used in the encryption method according to the embodiment of the invention.
  • the encryption device includes: a data storage module, a key stream processing module, and an encryption processing module; the data storage module is configured to acquire the first parameter, where When the first preset condition is met, the key and the encryption parameter in the first parameter are sent to the key stream processing module; the first parameter includes: a key, an encryption parameter, a source address, a destination address, and The data length is further configured to: read the data to be encrypted according to the source address and the data length in the first parameter, and send the data to be encrypted to the encryption processing module; and further configured to: according to the first parameter Receiving the encrypted data sent by the encryption processing module, and outputting the encrypted data; the key stream processing module is configured to receive the secret in the first parameter sent by the data storage module a key and an encryption parameter, generating a key stream according to the key and the encryption parameter, and sending the key stream to the encryption processing module; a module, configured to receive the data to be encrypted sent by the data storage module and
  • the encrypted data is sent to the data storage module.
  • a hardware system for performing encryption by the ZUC algorithm is proposed, which solves the problem that the ZUC algorithm has no hardware system support in the prior art; and the technical solution provided by the embodiment of the present invention is implemented.
  • the data is processed at high speed and high efficiency, which solves the problem that the original ZUC algorithm has low processing efficiency and is not suitable for hardware system implementation, and at the same time reduces power consumption as much as possible, and greatly improves data processing speed.
  • FIG. 1 is a schematic diagram of a first component structure of an encryption apparatus according to an embodiment of the present invention
  • FIG. 2 is a schematic diagram of a second component structure of an encryption apparatus according to an embodiment of the present invention.
  • FIG. 3 is a schematic diagram of a initialization process in a key stream generation process according to an embodiment of the present invention.
  • FIG. 4 is a schematic diagram of a key stream generation process in an embodiment of the present invention.
  • FIG. 5 is a schematic flowchart diagram of an encryption method according to an embodiment of the present invention.
  • FIG. 1 is a schematic diagram of a first component structure of an encryption apparatus according to an embodiment of the present invention; as shown in FIG. 1, the encryption apparatus includes: a data storage module 11 and a key stream processing. Module 12 and encryption processing module 13; wherein
  • the data storage module 11 is configured to acquire a first parameter, and when the first preset condition is met, send the key and the encryption parameter in the first parameter to the key stream processing module 12;
  • the parameter includes: a key, an encryption parameter, a source address, a destination address, and a data length; and is configured to read the data to be encrypted according to the source address and the data length in the first parameter, and send the data to be encrypted.
  • the encryption processing module 13 is further configured to receive the encrypted data sent by the encryption processing module 13 according to the destination address and the data length in the first parameter, and output the encrypted data;
  • the key stream processing module 12 is configured to receive a key and an encryption parameter in the first parameter sent by the data storage module 11, and generate a key stream according to the key and the encryption parameter, and the secret The key stream is sent to the encryption processing module 13;
  • the encryption processing module 13 is configured to receive the data to be encrypted sent by the data storage module 11 and the key stream sent by the key stream processing module 12, and the data to be encrypted and the The key stream is processed in a first encryption manner to obtain encrypted data, and the encrypted data is sent to the data storage module 11.
  • the data storage module includes: a bus slave processing module 111, an FSM control module 112, and a bus master processing module 113. ;among them,
  • the bus slave processing module 111 is configured to acquire a first parameter, and send the first parameter to the FSM control module 112; the first parameter includes: a key, an encryption parameter, a source address, a destination address, and a data. Length information
  • the FSM control module 112 is configured to send the key and the encryption parameter to the key stream processing module 12 when the first preset condition is met according to the first parameter sent by the processing module 111 by the bus. Transmitting the source address, the destination address, and the data length information to the bus main processing module 113;
  • the bus main processing module 113 is configured to read data to be encrypted according to the source address and data length information sent by the FSM control module 112, and send the data to be encrypted to the encryption processing module 13 And configured to receive the encrypted data sent by the encryption processing module 13 according to the destination address and data length information sent by the FSM control module 112, and output the encrypted data.
  • the bus slave processing module 111 is an interface module on the control side, configured to acquire various parameters required for the encryption process.
  • the parameter is the first parameter, which includes: a key, an encryption parameter, a source address, and a destination.
  • the interface adopted by the bus from the processing module 111 includes, but is not limited to, an AXI slave interface or an AHB slave interface.
  • the FSM control module 112 is a control center of the encryption device.
  • each processing module in the encryption device includes: a bus main processing module 113, a key stream processing module 12, and an encryption processing module 13 Setting a timer clock, and determining that the processing module is in an operating mode when the timer clock of each processing module is turned on, that is, the first preset condition is met; at this time, the FSM control module 112 Sending a key and an encryption parameter to the key stream processing module 12, so that the key stream processing module 12 generates a key stream according to the key and the encryption parameter; and the source address, the destination address, and Data length information is sent to the bus main processing module 113 to cause the bus main processing module 113 to start reading data to be encrypted from the external memory;
  • the bus main processing module 113 includes: a first cache module and a second cache module; wherein
  • the first cache module is configured to read data to be encrypted according to the source address and data length information sent by the FSM control module 112, and to encrypt the data to be encrypted when the second preset condition is met. Sended to the encryption processing module 13;
  • the second cache module is configured to receive the encrypted data sent by the encryption processing module 13 according to the destination address and data length information sent by the FSM control module 112, and output the output when the third preset condition is met. Describe the encrypted data.
  • the bus main processing module 113 starts reading data to be encrypted from the external memory, and writes the data to be encrypted according to the source address and data length information sent by the FSM control module 112.
  • a first cache module when the first cache module is not full or the data to be encrypted is not all read, continuously reading the to-be-added from the external memory The data is encrypted until the first cache module is full or the data to be encrypted is all read.
  • the second preset condition is that the data to be encrypted is all read in or When the first cache module is full, the data to be encrypted is sent to the encryption processing module 13; the bus main processing module 113 is further configured according to the destination address and data length information sent by the FSM control module 112.
  • the third preset condition is that the encrypted data is all written or the second cache module is full, and the encrypted data is used. Output to external memory.
  • the interface used by the bus main processing module 113 includes but is not limited to an AXI main interface or an AHB main interface; specifically, the bus main processing module 113 can adopt an AXI master interface of AMBA3.0. It facilitates the reading and writing of data and greatly improves the speed of data storage.
  • the key stream processing module 12 is configured to generate a key stream according to the secret key and the encryption parameter sent by the FSM control module 112. Specifically, the process of generating the secret key stream is divided into two parts: an initialization phase and a key stream generation phase.
  • 3 is a schematic diagram of an initialization process in a key stream generation process according to an embodiment of the present invention
  • FIG. 4 is a schematic diagram of a key stream generation process according to an embodiment of the present invention; as shown in FIG. 3 and FIG.
  • the key stream processing module 12 is composed of three logical levels: a top level is a 16-level linear feedback shift register (LFSR) 31, an intermediate layer is a bit recombination (BR) 32, and a bottom layer is a non-linear function (F) layer 33.
  • LFSR 16-level linear feedback shift register
  • BR bit recombination
  • F non-linear function
  • the LFSR 31 is composed of 16 31-bit registers such as S 0 to S 15 ; the BR 32 extracts 128 bits from the register of the LFSR 31 to form four 32-bit words (X 0 , X 1 ). , X 2 and X 3 ), the first three 32-bit words X 0 to X 2 are used for the F layer 33, and the last word X 3 is used to generate a key stream; wherein the F layer 33 is composed of two 32 bits The registers R 1 and R 2 are composed, and the output is a 32-bit word W.
  • the process of generating the key stream is divided into two parts, firstly, an initialization stage.
  • the key (KEY), the encryption parameter, and the constant string D transmitted by the FSM control module 112 are subjected to a certain period.
  • the following process repeats the loop execution 32 times: the upper bits of registers S 15 (bits 30-15) and the lower bits of registers S 14 (bits 15 to 0) are recombined into X 0 , the lower bits of register S 11 and the register S 9
  • the upper bits are recombined into X 1
  • the lower bits of register S 7 and the upper bits of register S 5 are recombined into X 2
  • the lower bits of register S 2 and the upper bits of register S 0 are recombined into X 3
  • the F layer 33 pairs are from the BR X 32 1 1 R & lt modulo register 32 assigned plus W 1
  • the register BR X 2 and R 32 is XOR-assigned from 2 W is 2
  • Register S 16 is assigned to register S 15 , register S 15 is assigned to register S 14 , and so on, until register S 1 is assigned to register S 0 , completing a loop.
  • the key stream is generated. As shown in Figure 4.
  • the conversion is assigned to the register R 1 , the lower bits of W 2 and the upper bits of W 1 are recombined, and the L 2 linear transformation is performed first, and then the S box conversion is applied to the register R 2 ; the X 0 is XORed with the register R 1 and then the register R is 2 modulo 32 is added to W, discarding this value; at the same time, register S 0 is rotated left by 8 bits, register S 4 is rotated left by 20 bits, register S 10 is rotated left by 21 bits, and register S 13 is cycled left.
  • the key stream processing module 12 is configured to generate a multiple key stream in parallel according to the key and the encryption parameter.
  • the initialization phase is first performed. Specifically, the initial values are preset for the 16 registers S0-S15 of the LFSR, and the initial values of the 16 registers are preset to the following 16 character strings, as follows:
  • D be a 240-bit constant string consisting of 16 15-bit character substrings, including: d0, D1 to d15; the 16 substrings set in this embodiment are only a preferred embodiment, and in a specific practical application, they may be set according to actual conditions;
  • IV[4] BEARER
  • register R 1 and the register R 2 are each assigned an initial value of zero.
  • S 15H represents the upper bit of the register S 15 ;
  • S 14L represents the lower bit of the register S 14 ;
  • S 11L represents the lower bit of the register S 11 ;
  • S 9H represents the upper bit of the register S 9 ;
  • S 7L represents the lower bit of the register S 7 ;
  • S 5H represents The upper bit of the register S 5 ;
  • S 2L represents the lower bit of the register S 2 ;
  • S 0H represents the upper bit of the register S 0 ; wherein the high bit described above is the 30th to 15th bits, and the low bit described above is the 15th to the 0th bit.
  • processing is performed by sending X 0 to X 3 to F, respectively, including:
  • R 1 S(L 1 (W 1L
  • R 2 S(L 2 (W 2L
  • S denotes an S-box transform, which converts a 32-bit input into a 32-bit output through a lookup table S 0 or S 1 ;
  • L 1 and L 2 respectively represent a linear transform, which is 32 bits The input is linearly transformed into a 32-bit output, specifically:
  • the encryption device After the initialization is complete, the encryption device begins to generate a key stream.
  • the process is as follows:
  • S 15H represents the upper bit of the register S 15 ;
  • S 14L represents the lower bit of the register S 14 ;
  • S 11L represents the lower bit of the register S 11 ;
  • S 9H represents the upper bit of the register S 9 ;
  • S 7L represents the lower bit of the register S 7 ;
  • S 5H represents The upper bit of the register S 5 ;
  • S 2L represents the lower bit of the register S 2 ;
  • S 0H represents the upper bit of the register S 0 ; wherein the high bit described above is the 30th to 15th bits, and the low bit described above is the 15th to the 0th bit.
  • X 0 ⁇ X 3 are sent to F for processing, except that the first run discards W and directly enters the fourth step, and each of the remaining runs retains W to the third step, specifically including:
  • R 1 S(L 1 (W 1L
  • R 2 S (L 2 (W 2L
  • S denotes an S-box transform, which converts a 32-bit input into a 32-bit output through a lookup table S 0 or S 1 ;
  • L 1 and L 2 respectively represent a linear transform, which will be 32 bits The input is linearly transformed into a 32-bit output, specifically:
  • the third step is to generate a LFSR key stream, which specifically includes:
  • the fourth step is to update the register in the LRSR key stream generation process, which specifically includes:
  • the encryption processing module 13 needs the key stream processing module 12 to generate 32bit key stream, where Indicates that the integer is taken up.
  • the encryption processing module 13 processes the data to be encrypted and the key stream in a first encryption manner to obtain encrypted data, where the first encryption mode is an integrity algorithm;
  • the data to be encrypted and the key stream are processed by the integrity algorithm into a prior art process, and details are not described herein again.
  • MAC check code
  • the determining process of the MAC includes:
  • z i represents the key stream generated by the key stream processing module 12; M[i] represents data to be encrypted by the encryption processing module 13, wherein i represents a bit, for example, M[0] represents data. Bit 0; T is an intermediate variable with an initial value of zero.
  • the encryption device may be applied to each node network element of the data transmission, such as an evolved node (eNB), etc., and the data storage module 11 in the encryption device may be implemented by an interface and a memory in an actual application.
  • the key stream processing module 12 in the encryption device may be implemented by a central processing unit (CPU, Central Processing Unit), a digital signal processor (DSP, Digital Signal Processor) or programmable in the encryption device.
  • the Field-Programmable Gate Array (FPGA) is implemented in combination with a register; the encryption processing module 13 in the encryption device can be implemented by a CPU, a DSP or an FPGA in practical applications.
  • FIG. 5 is a schematic flowchart of an encryption method according to an embodiment of the present invention; as shown in FIG. 5, the method includes:
  • Step 501 Acquire a first parameter.
  • the first parameter includes: a key, an encryption parameter, a source address, a destination address, and a data length.
  • the obtaining the first parameter includes: acquiring the first parameter by using an AXI primary interface or an AHB primary interface including but not limited to.
  • Step 502 Generate a key stream according to the key and the encryption parameter in the first parameter.
  • the generating the key stream according to the key and the encryption parameter in the first parameter comprises: generating a multiple key stream in parallel according to the key and the encryption parameter in the first parameter.
  • Step 503 Read data to be encrypted, process the data to be encrypted and the key stream in a first encryption manner, obtain encrypted data, and output the encrypted data.
  • the reading the data to be encrypted includes: reading data to be encrypted by using an AXI main interface or an AHB main interface including but not limited to;
  • the outputting the encrypted data includes: outputting the encrypted data by using an AXI main interface or an AHB main interface, including but not limited to; specifically, the AXI main interface may adopt an AXI master interface of AMBA3.0, Facilitate data read and write operations, greatly improving the speed of data storage.
  • the embodiment of the invention further provides a computer storage medium, wherein the computer storage medium stores computer executable instructions, and the computer executable instructions are used in the encryption method according to the embodiment of the invention.
  • embodiments of the invention may be provided as a method, apparatus, or computer program product. Accordingly, the present invention can take the form of a hardware embodiment, a software embodiment, or a combination of software and hardware. Moreover, the invention can take the form of a computer program product embodied on one or more computer-usable storage media (including but not limited to disk storage and optical storage, etc.) including computer usable program code.
  • the computer program instructions can also be stored in a computer readable memory that can direct a computer or other programmable data processing device to operate in a particular manner, such that the instructions stored in the computer readable memory produce an article of manufacture comprising the instruction device.
  • the apparatus implements the functions specified in one or more blocks of a flow or a flow and/or block diagram of the flowchart.
  • These computer program instructions can also be loaded into a computer or other programmable data processing device Having a series of operational steps performed on a computer or other programmable device to produce computer-implemented processing such that instructions executed on a computer or other programmable device are provided for implementing one or more processes in a flowchart and/or Or block diagram the steps of a function specified in a box or multiple boxes.
  • the embodiment of the invention provides a hardware system for performing encryption by the ZUC algorithm, which solves the problem that the ZUC algorithm has no hardware system support in the prior art; and the technical solution provided by the embodiment of the invention realizes high-speed and high-efficiency data.
  • the processing solves the problem that the original ZUC algorithm has low processing efficiency and is not suitable for hardware system implementation, and at the same time reduces power consumption as much as possible, and greatly improves data processing speed.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Storage Device Security (AREA)

Abstract

本发明实施例公开了一种加密装置、加密方法及计算机存储介质;其中,所述加密方法包括:获取第一参数;所述第一参数包括:密钥、加密参数、源地址、目的地址以及数据长度;根据所述第一参数中的密钥及加密参数生成密钥流;读入待加密的数据,将所述待加密的数据和所述密钥流按第一加密方式进行处理,获得加密数据,输出所述加密数据。

Description

一种加密装置、加密方法及计算机存储介质 技术领域
本发明涉及无线通信技术,具体涉及一种加密装置、加密方法及计算机存储介质。
背景技术
无线通信系统正广泛应用于语音、视频、数据等各种类型的通信中,对所传输的数据进行完整性计算是一种保护数据安全、防止非授权篡改的有效手段。
在长期演进(LTE,Long Term Evolution)通信系统中,为满足高速、安全的数据传输,出现了EIA3完整性算法。
EIA3完整性算法是祖冲之算法集之一;祖冲之算法集是由中国学者自主设计的加密和完整性算法,包括祖冲之(ZUC)算法、加密算法128-EEA3和完整性算法128-EIA3。这套算法集已被认可为LTE无线通信的第三套国际加密和完整性标准的算法。
但是,现有技术中只提出了算法原理和软件实现;而在实际应用的LTE通信系统中,数据传输速率很高,通过ZUC算法产生密钥流的计算过程非常复杂,并且需要将数据从存储器中读出,通过产生的密钥流与数据进行完整性计算后,再将数据存入存储器中;整个过程仅凭软件是无法实现处理需求的。而目前尚未提出一种能够支持ZUC算法加密的硬件系统。
发明内容
为解决现有存在的技术问题,本发明实施例提供一种加密装置、加密方法及计算机存储介质,能够解决通过ZUC算法进行加密无硬件系统支持 的问题。
为达到上述目的,本发明实施例的技术方案是这样实现的:
本发明实施例提供了一种加密装置,所述加密装置包括:数据存储模块、密钥流处理模块和加密处理模块;其中,
所述数据存储模块,配置为获取第一参数,在满足第一预设条件时,将所述第一参数中的密钥及加密参数发送至所述密钥流处理模块;所述第一参数包括:密钥、加密参数、源地址、目的地址以及数据长度;还配置为根据所述第一参数中的源地址及数据长度读入待加密的数据,将所述待加密的数据发送至所述加密处理模块;还配置为根据所述第一参数中的目的地址及数据长度接收所述加密处理模块发送的加密数据,输出所述加密数据;
所述密钥流处理模块,配置为接收所述数据存储模块发送的所述第一参数中的密钥及加密参数,根据所述密钥及加密参数生成密钥流,将所述密钥流发送至所述加密处理模块;
所述加密处理模块,配置为接收所述数据存储模块发送的所述待加密的数据和所述密钥流处理模块发送的所述密钥流,将所述待加密的数据和所述密钥流按第一加密方式进行处理,获得加密数据,将所述加密数据发送至所述数据存储模块。
在另一实施例中,所述数据存储模块包括:总线从处理模块、有限状态机(FSM,Finite State Machine)控制模块和总线主处理模块;其中,
所述总线从处理模块,配置为获取第一参数,将所述第一参数发送至所述FSM控制模块;所述第一参数包括:密钥、加密参数、源地址、目的地址以及数据长度信息;
所述FSM控制模块,配置为根据所述总线从处理模块发送的第一参数,在满足第一预设条件时,将所述密钥和加密参数发送至所述密钥流处理模 块,将所述源地址、目的地址及数据长度信息发送至所述总线主处理模块;
所述总线主处理模块,配置为根据所述FSM控制模块发送的所述源地址及数据长度信息,读入待加密的数据,将所述待加密的数据发送至所述加密处理模块;还配置为根据所述FSM控制模块发送的所述目的地址及数据长度信息,接收所述加密处理模块发送的加密数据,输出所述加密数据。
在另一实施例中,所述总线主处理模块包括:第一缓存模块和第二缓存模块;其中,
所述第一缓存模块,配置为根据所述FSM控制模块发送的所述源地址及数据长度信息,读入待加密的数据,并在满足第二预设条件时将所述待加密的数据发送至所述加密处理模块;
所述第二缓存模块,配置为根据所述FSM控制模块发送的所述目的地址及数据长度信息,接收所述加密处理模块发送的加密数据,并在满足第三预设条件时输出所述加密数据。
在另一实施例中,所述总线主处理模块采用的接口包括但不限于高级可扩展接口(AXI,Advanced eXtensible Interface)主接口或高级高性能总线(AHB,Advanced High-performance Bus)主接口。
在另一实施例中,所述总线从处理模块采用的接口包括但不限于AXI从接口或AHB从接口。
在另一实施例中,所述密钥流处理模块,配置为根据所述密钥及加密参数并行生成多路密钥流。
本发明实施例还提供了一种加密方法,所述方法包括:
获取第一参数;所述第一参数包括:密钥、加密参数、源地址、目的地址以及数据长度;
根据所述第一参数中的密钥及加密参数生成密钥流;
读入待加密的数据,将所述待加密的数据和所述密钥流按第一加密方 式进行处理,获得加密数据,输出所述加密数据。
在另一实施例中,所述根据所述第一参数中的密钥及加密参数生成密钥流,包括:根据所述第一参数中的密钥及加密参数并行生成多路密钥流。
在另一实施例中,所述获取第一参数,包括:采用包括但不限于的AXI主接口或AHB主接口获取第一参数。
在另一实施例中,所述读入待加密的数据,包括:采用包括但不限于的AXI主接口或AHB主接口读入待加密的数据;
相应的,所述输出所述加密数据,包括:采用包括但不限于的AXI主接口或AHB主接口输出所述加密数据。
本发明实施例还提供了一种计算机存储介质,所述计算机存储介质中存储有计算机可执行指令,所述计算机可执行指令用于本发明实施例所述的加密方法。
本发明实施例提供的加密装置、加密方法及计算机存储介质,所述加密装置包括:数据存储模块、密钥流处理模块和加密处理模块;所述数据存储模块,配置为获取第一参数,在满足第一预设条件时,将所述第一参数中的密钥及加密参数发送至所述密钥流处理模块;所述第一参数包括:密钥、加密参数、源地址、目的地址以及数据长度;还配置为根据所述第一参数中的源地址及数据长度读入待加密的数据,将所述待加密的数据发送至所述加密处理模块;还配置为根据所述第一参数中的目的地址及数据长度接收所述加密处理模块发送的加密数据,输出所述加密数据;所述密钥流处理模块,配置为接收所述数据存储模块发送的所述第一参数中的密钥及加密参数,根据所述密钥及加密参数生成密钥流,将所述密钥流发送至所述加密处理模块;所述加密处理模块,配置为接收所述数据存储模块发送的所述待加密的数据和所述密钥流处理模块发送的所述密钥流,将所述待加密的数据和所述密钥流按第一加密方式进行处理,获得加密数据, 将所述加密数据发送至所述数据存储模块。采用本发明实施例的技术方案,提出了一种通过ZUC算法进行加密的硬件系统,解决了现有技术中ZUC算法无硬件系统支持的问题;并且,本发明实施例提供的技术方案实现了对数据进行高速、高效的处理,解决了原有的ZUC算法处理效率低下,不适于硬件系统实现的问题,同时尽可能的降低了功耗,大大提升了数据处理速度。
附图说明
图1为本发明实施例的加密装置的第一种组成结构示意图;
图2为本发明实施例的加密装置的第二种组成结构示意图;
图3为本发明实施例中密钥流生成过程中的初始化过程的逻辑示意图;
图4为本发明实施例中密钥流生成过程的逻辑示意图;
图5为本发明实施例的加密方法的流程示意图。
具体实施方式
下面结合附图及具体实施例对本发明作进一步详细的说明。
本发明实施例提供了一种加密装置;图1为本发明实施例的加密装置的第一种组成结构示意图;如图1所示,所述加密装置包括:数据存储模块11、密钥流处理模块12和加密处理模块13;其中,
所述数据存储模块11,配置为获取第一参数,在满足第一预设条件时,将所述第一参数中的密钥及加密参数发送至所述密钥流处理模块12;所述第一参数包括:密钥、加密参数、源地址、目的地址以及数据长度;还配置为根据所述第一参数中的源地址及数据长度读入待加密的数据,将所述待加密的数据发送至所述加密处理模块13;还配置为根据所述第一参数中的目的地址及数据长度接收所述加密处理模块13发送的加密数据,输出所述加密数据;
所述密钥流处理模块12,配置为接收所述数据存储模块11发送的所述第一参数中的密钥及加密参数,根据所述密钥及加密参数生成密钥流,将所述密钥流发送至所述加密处理模块13;
所述加密处理模块13,配置为接收所述数据存储模块11发送的所述待加密的数据和所述密钥流处理模块12发送的所述密钥流,将所述待加密的数据和所述密钥流按第一加密方式进行处理,获得加密数据,将所述加密数据发送至所述数据存储模块11。
图2为本发明实施例的加密装置的第二种组成结构示意图;如图2所示,具体的,所述数据存储模块包括:总线从处理模块111、FSM控制模块112和总线主处理模块113;其中,
所述总线从处理模块111,配置为获取第一参数,将所述第一参数发送至所述FSM控制模块112;所述第一参数包括:密钥、加密参数、源地址、目的地址以及数据长度信息;
所述FSM控制模块112,配置为根据所述总线从处理模块111发送的第一参数,在满足第一预设条件时,将所述密钥和加密参数发送至所述密钥流处理模块12,将所述源地址、目的地址及数据长度信息发送至所述总线主处理模块113;
所述总线主处理模块113,配置为根据所述FSM控制模块112发送的所述源地址及数据长度信息,读入待加密的数据,将所述待加密的数据发送至所述加密处理模块13;还配置为根据所述FSM控制模块112发送的所述目的地址及数据长度信息,接收所述加密处理模块13发送的加密数据,输出所述加密数据。
结合图1和图2所示的加密装置,具体的,所述总线从处理模块111是控制侧的接口模块,配置为获取用于加密处理所需的各种参数,在本实施例中,所述参数为第一参数,具体包括:密钥、加密参数、源地址、目 的地址以及数据长度信息;其中,所述源地址为所述数据存储模块11读入待加密的数据的缓存地址;所述目的地址为所述数据存储模块11接收到的加密数据的缓存地址。优选地,所述总线从处理模块111采用的接口包括但不限于AXI从接口或AHB从接口。
所述FSM控制模块112是所述加密装置的控制中心;在实际应用中,所述加密装置中的各处理模块(具体包括:总线主处理模块113、密钥流处理模块12、加密处理模块13)设置定时器时钟,并在上述每个处理模块的定时器时钟开启时,确定上述处理模块处于工作模式,即满足所述第一预设条件;此时,所述FSM控制模块112将所述密钥和加密参数发送至所述密钥流处理模块12,以使所述密钥流处理模块12根据所述密钥和所述加密参数生成密钥流;将所述源地址、目的地址及数据长度信息发送至所述总线主处理模块113,以使所述总线主处理模块113启动从外部存储器读入待加密的数据;
具体的,所述总线主处理模块113包括:第一缓存模块和第二缓存模块;其中,
所述第一缓存模块,配置为根据所述FSM控制模块112发送的所述源地址及数据长度信息,读入待加密的数据,并在满足第二预设条件时将所述待加密的数据发送至所述加密处理模块13;
所述第二缓存模块,配置为根据所述FSM控制模块112发送的所述目的地址及数据长度信息,接收所述加密处理模块13发送的加密数据,并在满足第三预设条件时输出所述加密数据。
具体的,所述总线主处理模块113启动从外部存储器读入待加密的数据,根据所述FSM控制模块112发送的所述源地址及数据长度信息,将所述待加密的数据写入所述第一缓存模块,当所述第一缓存模块没有写满或者所述待加密的数据没有全部读入时,就不断从外部存储器读入所述待加 密的数据,直至所述第一缓存模块写满或者所述待加密的数据全部读入,则在本实施例中,所述第二预设条件为所述待加密的数据全部读入或者所述第一缓存模块写满时,将所述待加密的数据发送至所述加密处理模块13;所述总线主处理模块113还根据所述FSM控制模块112发送的所述目的地址及数据长度信息,将所述加密数据写入所述第二缓存模块,当所述第二缓存模块没有写满或者所述加密数据没有全部读入时,继续写入所述加密数据,直至所述第二缓存模块写满或者所述加密数据全部写入,则在本实施例中,所述第三预设条件为所述加密数据全部写入或者所述第二缓存模块写满时,将所述加密数据输出至外部存储器。
具体的,在本实施例中,所述总线主处理模块113采用的接口包括但不限于AXI主接口或AHB主接口;具体的,所述总线主处理模块113可采用AMBA3.0的AXI master接口,便于数据的读写操作,极大的提高了数据存储的速度。
所述密钥流处理模块12,配置为根据所述FSM控制模块112发送的所述秘钥和加密参数生成密钥流。具体的,生成秘钥流的过程分为初始化阶段和密钥流产生阶段两个部分。图3为本发明实施例中密钥流生成过程中的初始化过程的逻辑示意图;图4为本发明实施例中密钥流生成过程的逻辑示意图;如图3和图4所示,所述密钥流处理模块12由三个逻辑层次组成:顶层是16级的线性反馈移位寄存器(LFSR)31,中间层是比特重组(BR)32,底层是非线性函数(F)层33。其中,所述LFSR 31由S0~S15等16个31位寄存器组成;所述BR 32从所述LFSR 31的寄存器中抽取128位组成4个32比特(bit)字(X0、X1、X2和X3),前三个32bit字X0~X2用于所述F层33,最后一个字X3用于产生密钥流;其中,所述F层33由2个32位寄存器R1和R2组成,输出为32位字W。
产生密钥流的过程分为两部分,首先是初始化阶段,如图3所示,利 用所述FSM控制模块112发送的所述密钥(KEY)、所述加密参数及常数串D经过一定的变换写入LFSR的寄存器S0~S15,其中,所述加密参数包括:COUNT、BEARER、DIRECTION;所述寄存器R1和R2初始化为0,且所述F层33的输出W移位后反馈给所述LFSR 31。以下过程重复循环执行32次:将寄存器S15的高位(第30~15位)和寄存器S14的低位(第15~0位)重组成X0,将寄存器S11的低位和寄存器S9的高位重组成X1,将寄存器S7的低位和寄存器S5的高位重组成X2,将寄存器S2的低位和寄存器S0的高位重组成X3;所述F层33对来自所述BR 32的X1与寄存器R1进行模32加赋给W1,对来自所述BR 32的X2与寄存器R2进行异或赋给W2;将W1的低位和W2的高位重组后先进行L1线性变换后进行S盒变换赋给寄存器R1,将W2的低位和W1的高位重组后先进行L2线性变换后进行S盒变换赋给寄存器R2;将X0与R1异或后再与R2进行模32加赋给W,将W右移1位后送到所述LFSR 31至寄存器S0,将寄存器S0循环左移8位,将寄存器S4循环左移20位,将寄存器S10循环左移21位,将寄存器S13循环左移17位,将寄存器S15循环左移15位相加后模(231-1)赋给寄存器S16,将寄存器S16赋给寄存器S15,将寄存器S15赋给寄存器S14,以此类推,直到寄存器S1赋给寄存器S0,完成一次循环。
在初始化阶段完成之后,开始生成密钥流。如图4所示。将寄存器S15的高位(30~15位)和寄存器S14的低位(15~0位)重组成X0,将寄存器S11的低位和寄存器S9的高位重组成X1,将寄存器S7的低位和寄存器S5的高位重组成X2,将寄存器S2的低位和寄存器S0的高位重组成X3;所述F层33对来自所述BR 32的X1与寄存器R1进行模32加赋给W1,对来自所述BR 32的X2与寄存器R2进行异或赋给W2;将W1的低位和W2的高位重组后先进行L1线性变换后进行S盒变换赋给寄存器R1,将W2的低位和W1的高位重组后先进行L2线性变换后进行S盒变换赋给寄存器R2;将X0 与寄存器R1异或后再与寄存器R2进行模32加赋给W,丢弃这个值;同时将寄存器S0循环左移8位,将寄存器S4循环左移20位,将寄存器S10循环左移21位,将寄存器S13循环左移17位,将寄存器S15循环左移15位相加后模(231-1)赋给寄存器S16,将寄存器S16赋给寄存器S15,将寄存器S15赋给寄存器S14,以此类推,直到将寄存器S1赋给寄存器S0。重复以下步骤,以不断产生秘钥流:将寄存器S15的高位(30~15位)和寄存器S14的低位(15~0位)重组成X0,将寄存器S11的低位和寄存器S9的高位重组成X1,将寄存器S7的低位和寄存器S5的高位重组成X2,将寄存器S2的低位和寄存器S0的高位重组成X3;所述F层33对来自所述BR 32的X1与寄存器R1进行模32加赋给W1,对来自所述BR 32的X2与寄存器R2进行异或赋给W2;将W1的低位和W2的高位重组后先进行L1线性变换后进行S盒变换赋给寄存器R1,将W2的低位和W1的高位重组后先进行L2线性变换后进行S盒变换赋给寄存器R2;将X0与寄存器R1异或后再与寄存器R2进行模32加赋给W,将W与X3异或产生秘钥流;同时将寄存器S0循环左移8位,将寄存器S4循环左移20位,将寄存器S10循环左移21位,将寄存器S13循环左移17位,将寄存器S15循环左移15位相加后模(231-1)赋给寄存器S16,将寄存器S16赋给寄存器S15,将寄存器S15赋给寄存器S14,以此类推,直至将寄存器S1赋给寄存器S0
在本发明实施例中,所述密钥流处理模块12,配置为根据所述密钥及加密参数并行生成多路密钥流。
下面以具体实例对本发明实施例中的密钥流的生成作进一步详细的说明。
首先进行初始化阶段。具体的,为LFSR的16个寄存器S0~S15预置初值,所述16个寄存器的初值预设为下述16个字符字串,如下所示:
设D为240bit的常数串,由16个15bit的字符子串组成,包括:d0、 d1至d15;本实施例中的设置的16个子串仅为一优选实施例,在具体实际应用中,可按实际情况自行设置;
则D=d0||d1||…||d15;
其中,
d0=1000100110101112;
d1=0100110101111002;
d2=1100010011010112;
d3=0010011010111102;
d4=1010111100010012;
d5=0110101111000102;
d6=1110001001101012;
d7=0001001101011112;
d8=1001101011110002;
d9=0101111000100112;
d10=1101011110001002;
d11=0011010111100012;
d12=1011110001001102;
d13=0111100010011012;
d14=1111000100110102;
d15=1000111101011002。
当0≤i≤15时,Si=ki||di||ivi;其中,ki和ivi均为中间参数,以字节为单位。
其中,IV[0]=COUNT[0];
IV[1]=COUNT[1];
IV[2]=COUNT[2];
IV[3]=COUNT[3];
IV[4]=BEARER||0002
IV[5]=IV[6]=IV[7]=000000002
Figure PCTCN2015074127-appb-000001
IV[9]=IV[1];
IV[10]=IV[2];
IV[11]=IV[3];
IV[12]=IV[4];
IV[13]=IV[5];
IV[14]=(DIRECTION<<7);
IV[15]=IV[7];
其中,||表示拼接,
Figure PCTCN2015074127-appb-000002
表示按位异或,
Figure PCTCN2015074127-appb-000003
表示模32加,SiH为寄存器i的高位,具体为寄存器i的30~15位;SiL为寄存器i的低位,具体为寄存器i的15~0位,(a1,a2,…,an)→(b1,b2,…,bn)表示a到b的赋值是并行的;0002和000000002分别表示2进制数值0;COUNT、BEARER和DIRECTION分别表示加密参数。
进一步地,寄存器R1和寄存器R2分别赋初值为0。
以下过程重复32次:
首先抽取LFSR中的寄存器比特重组为字X0~字X3
具体的,X0=S15H||S14L
X1=S11L||S9H
X2=S7L||S5H
X3=S2L||S0H
其中,S15H表示寄存器S15的高位;S14L表示寄存器S14的低位;S11L表示寄存器S11的低位;S9H表示寄存器S9的高位;S7L表示寄存器S7的低位; S5H表示寄存器S5的高位;S2L表示寄存器S2的低位;S0H表示寄存器S0的高位;其中,上述所述的高位为第30~15位,上述所述的低位为第15~0位。
进一步地,将X0~X3分别送入F进行处理,具体包括:
Figure PCTCN2015074127-appb-000004
Figure PCTCN2015074127-appb-000005
Figure PCTCN2015074127-appb-000006
R1=S(L1(W1L||W2H));
R2=S(L2(W2L||W1H)).
其中,S表示S盒变换,所述S盒变换是将32比特的输入通过查找表S0或S1变换为32比特的输出;L1和L2分别表示一种线性变换,是将32比特的输入线性变换成32比特的输出,具体为:
Figure PCTCN2015074127-appb-000007
Figure PCTCN2015074127-appb-000008
最后,F产生的W送到LFSR初始化阶段,进行寄存器的更新:
v=215S15+217S13+221S10+220S4+(1+28)S0mod(231-1);
S16=(v+u)mod(231-1);
其中,v和u均为中间参数;mod为求模函数。
当S16=0时,则S16=231-1;
(S1、S2、…、S15、S16)→(S0、S1、…、S14、S15)。
初始化完成之后,加密装置开始产生密钥流。过程如下:
首先,抽取LFSR中的寄存器比特重组为X0~X3为:
X0=S15H||S14L
X1=S11L||S9H
X2=S7L||S5H
X3=S2L||S0H
其中,S15H表示寄存器S15的高位;S14L表示寄存器S14的低位;S11L表 示寄存器S11的低位;S9H表示寄存器S9的高位;S7L表示寄存器S7的低位;S5H表示寄存器S5的高位;S2L表示寄存器S2的低位;S0H表示寄存器S0的高位;其中,上述所述的高位为第30~15位,上述所述的低位为第15~0位。
第二步,将X0~X3送入F进行处理,除第一次运行丢弃W直接进入第四步之外,其余每次运行保留W送到第三步,具体包括:
Figure PCTCN2015074127-appb-000009
Figure PCTCN2015074127-appb-000010
Figure PCTCN2015074127-appb-000011
R1=S(L1(W1L||W2H));
R2=S(L2(W2L||W1H)。
其中,S表示S盒变换,所述S盒变换是将32比特的输入通过查找表S0或S1变换为32比特的输出;L1和L2分别表示一种线性变换,将32比特的输入线性变换成32比特的输出,具体为:
Figure PCTCN2015074127-appb-000012
Figure PCTCN2015074127-appb-000013
第三步,LFSR密钥流产生,具体包括:
Figure PCTCN2015074127-appb-000014
第四步,在LRSR密钥流生成过程中寄存器更新,具体包括:
S16=215S15+217S13+221S10+220S4+(1+28)S0mod(231-1);
如果S16=0,那么S16=231-1;
(S1、S2、…、S15、S16)→(S0、S1、…、S14、S15)。
重复上述步骤,在每次重复后皆生成32bit的秘钥流。
其中,所述加密处理模块13需要所述密钥流处理模块12产生
Figure PCTCN2015074127-appb-000015
Figure PCTCN2015074127-appb-000016
个32bit密钥流,其中,
Figure PCTCN2015074127-appb-000017
表示向上取整数。产生的密钥流可以用zi表示,在本实施例中所述zi可以是z[0]、z[1]、…、z[32L-1]; 其中,所述z[0]是第一个32bit密钥流的最重要的,z[31]是第一个32bit密钥流的最不重要的。对于i=0、1、2、…、32L-1,设zi=z[i]||z[i+1]||…||z[i+31],每个zi都是32bit。
具体的,所述加密处理模块13将所述待加密的数据和所述密钥流按第一加密方式进行处理,获得加密数据;其中,所述第一加密方式为完整性算法;所述将所述待加密的数据和所述密钥流按完整性算法进行处理为现有技术过程,此处不再赘述。
作为另一实施方式,所述加密处理模块13将数据通过完整性算法进行处理后,需要在数据末尾加上校验码(MAC),将携带有MAC的数据作为加密数据。
具体的,所述MAC的确定过程包括:
设T为32比特0,i的取值范围为i=0、1、2、…、LENGTH-1、LENGTH、32(L-1);
当i=0时,如果M[i+n-1]、…、M[i+1]、M[i]中的某一位为1,则相对应的zi+n-1、…、zi+1、zi设置有效值(可设定zi=z[i]||z[i+1]||…||z[i+31],每个zi都是32bit);否则相对应的zi+n-1、…、zi+1、zi设置为0,代入
Figure PCTCN2015074127-appb-000018
Figure PCTCN2015074127-appb-000019
中得到T在i=0时一次并行计算的结果;
当i=1时,如果M[i+2n-1]、…、M[i+n+1]、M[i+n]的某一位为1,则相对应的zi+2n-1、…、zi+n+1、zi+n取有效值(可设定zi=z[i]||z[i+1]||…||z[i+31],每个zi都是32bit);否则相对应的zi+2n-1、…、zi+n+1、zi+n取0,代入
Figure PCTCN2015074127-appb-000020
Figure PCTCN2015074127-appb-000021
中得到T在i=1时一次并行计算的结果;
以此类推。当i=LENGTH时,不论M[i]的值,
Figure PCTCN2015074127-appb-000022
最终当i=32(L-1)时,
Figure PCTCN2015074127-appb-000023
其中,zi表示所述密钥流处理模块12生成的密钥流;M[i]表示所述加密处理模块13待进行加密处理的数据,其中,i表示比特,例如M[0]表示 数据的第0比特;T为中间变量,其初始值为0。
本实施例中,所述加密装置可应用在数据传输的各个节点网元中,如演进节点(eNB)等等,所述加密装置中的数据存储模块11在实际应用中,可由接口及存储器实现;所述加密装置中的密钥流处理模块12在实际应用中,可由所述加密装置中的中央处理器(CPU,Central Processing Unit)、数字信号处理器(DSP,Digital Signal Processor)或可编程门阵列(FPGA,Field-Programmable Gate Array)结合寄存器实现;所述加密装置中的加密处理模块13在实际应用中,可由CPU、DSP或FPGA实现。
基于上述加密装置,本发明实施例还提供了一种加密方法;图5为本发明实施例的加密方法的流程示意图;如图5所示,所述方法包括:
步骤501:获取第一参数;所述第一参数包括:密钥、加密参数、源地址、目的地址以及数据长度。
这里,所述获取第一参数,包括:采用包括但不限于的AXI主接口或AHB主接口获取第一参数。
步骤502:根据所述第一参数中的密钥及加密参数生成密钥流。
这里,所述根据所述第一参数中的密钥及加密参数生成密钥流,包括:根据所述第一参数中的密钥及加密参数并行生成多路密钥流。
步骤503:读入待加密的数据,将所述待加密的数据和所述密钥流按第一加密方式进行处理,获得加密数据,输出所述加密数据。
这里,所述读入待加密的数据,包括:采用包括但不限于的AXI主接口或AHB主接口读入待加密的数据;
相应的,所述输出所述加密数据,包括:采用包括但不限于的AXI主接口或AHB主接口输出所述加密数据;具体的,所述AXI主接口可采用AMBA3.0的AXI master接口,便于数据的读写操作,极大的提高了数据存储的速度。
本领域技术人员应当理解,本发明实施例的加密方法,可参照图1和图2所示加密装置的相关描述而理解。本发明实施例所述的加密方法中的密钥流的初始化过程及生成过程的逻辑可分别依据图3和图4所示,这里不再赘述。
本发明实施例还提供了一种计算机存储介质,所述计算机存储介质中存储有计算机可执行指令,所述计算机可执行指令用于本发明实施例所述的加密方法。
本领域内的技术人员应明白,本发明的实施例可提供为方法、装置、或计算机程序产品。因此,本发明可采用硬件实施例、软件实施例、或结合软件和硬件方面的实施例的形式。而且,本发明可采用在一个或多个其中包含有计算机可用程序代码的计算机可用存储介质(包括但不限于磁盘存储器和光学存储器等)上实施的计算机程序产品的形式。
本发明是参照根据本发明实施例的方法、装置、和计算机程序产品的流程图和/或方框图来描述的。应理解可由计算机程序指令实现流程图和/或方框图中的每一流程和/或方框、以及流程图和/或方框图中的流程和/或方框的结合。可提供这些计算机程序指令到通用计算机、专用计算机、嵌入式处理机或其他可编程数据处理设备的处理器以产生一个机器,使得通过计算机或其他可编程数据处理设备的处理器执行的指令产生用于实现在流程图一个流程或多个流程和/或方框图一个方框或多个方框中指定的功能的装置。
这些计算机程序指令也可存储在能引导计算机或其他可编程数据处理设备以特定方式工作的计算机可读存储器中,使得存储在该计算机可读存储器中的指令产生包括指令装置的制造品,该指令装置实现在流程图一个流程或多个流程和/或方框图一个方框或多个方框中指定的功能。
这些计算机程序指令也可装载到计算机或其他可编程数据处理设备 上,使得在计算机或其他可编程设备上执行一系列操作步骤以产生计算机实现的处理,从而在计算机或其他可编程设备上执行的指令提供用于实现在流程图一个流程或多个流程和/或方框图一个方框或多个方框中指定的功能的步骤。
以上所述,仅为本发明的较佳实施例而已,并非用于限定本发明的保护范围。
工业实用性
本发明实施例提出了一种通过ZUC算法进行加密的硬件系统,解决了现有技术中ZUC算法无硬件系统支持的问题;并且,本发明实施例提供的技术方案实现了对数据进行高速、高效的处理,解决了原有的ZUC算法处理效率低下,不适于硬件系统实现的问题,同时尽可能的降低了功耗,大大提升了数据处理速度。

Claims (11)

  1. 一种加密装置,所述加密装置包括:数据存储模块、密钥流处理模块和加密处理模块;其中,
    所述数据存储模块,配置为获取第一参数,在满足第一预设条件时,将所述第一参数中的密钥及加密参数发送至所述密钥流处理模块;所述第一参数包括:密钥、加密参数、源地址、目的地址以及数据长度;还配置为根据所述第一参数中的源地址及数据长度读入待加密的数据,将所述待加密的数据发送至所述加密处理模块;还配置为根据所述第一参数中的目的地址及数据长度接收所述加密处理模块发送的加密数据,输出所述加密数据;
    所述密钥流处理模块,配置为接收所述数据存储模块发送的所述第一参数中的密钥及加密参数,根据所述密钥及加密参数生成密钥流,将所述密钥流发送至所述加密处理模块;
    所述加密处理模块,配置为接收所述数据存储模块发送的所述待加密的数据和所述密钥流处理模块发送的所述密钥流,将所述待加密的数据和所述密钥流按第一加密方式进行处理,获得加密数据,将所述加密数据发送至所述数据存储模块。
  2. 根据权利要求1所述的装置,其中,所述数据存储模块包括:总线从处理模块、有限状态机FSM控制模块和总线主处理模块;其中,
    所述总线从处理模块,配置为获取第一参数,将所述第一参数发送至所述FSM控制模块;所述第一参数包括:密钥、加密参数、源地址、目的地址以及数据长度信息;
    所述FSM控制模块,配置为根据所述总线从处理模块发送的第一参数,在满足第一预设条件时,将所述密钥和加密参数发送至所述密钥流处理模块,将所述源地址、目的地址及数据长度信息发送至所述总线主处理模块;
    所述总线主处理模块,配置为根据所述FSM控制模块发送的所述源地址及数据长度信息,读入待加密的数据,将所述待加密的数据发送至所述加密处理模块;还配置为根据所述FSM控制模块发送的所述目的地址及数据长度信息,接收所述加密处理模块发送的加密数据,输出所述加密数据。
  3. 根据权利要求2所述的装置,其中,所述总线主处理模块包括:第一缓存模块和第二缓存模块;其中,
    所述第一缓存模块,配置为根据所述FSM控制模块发送的所述源地址及数据长度信息,读入待加密的数据,并在满足第二预设条件时将所述待加密的数据发送至所述加密处理模块;
    所述第二缓存模块,配置为根据所述FSM控制模块发送的所述目的地址及数据长度信息,接收所述加密处理模块发送的加密数据,并在满足第三预设条件时输出所述加密数据。
  4. 根据权利要求2所述的装置,其中,所述总线主处理模块采用的接口包括但不限于高级可扩展接口AXI主接口或高级高性能总线AHB主接口。
  5. 根据权利要求2所述的装置,其中,所述总线从处理模块采用的接口包括但不限于AXI从接口或AHB从接口。
  6. 根据权利要求1所述的装置,其中,所述密钥流处理模块,配置为根据所述密钥及加密参数并行生成多路密钥流。
  7. 一种加密方法,所述方法包括:
    获取第一参数;所述第一参数包括:密钥、加密参数、源地址、目的地址以及数据长度;
    根据所述第一参数中的密钥及加密参数生成密钥流;
    读入待加密的数据,将所述待加密的数据和所述密钥流按第一加密方式进行处理,获得加密数据,输出所述加密数据。
  8. 根据权利要求7所述的方法,其中,所述根据所述第一参数中的密钥及加密参数生成密钥流,包括:根据所述第一参数中的密钥及加密参数并行生成多路密钥流。
  9. 根据权利要求7所述的方法,其中,所述获取第一参数,包括:采用包括但不限于的AXI主接口或AHB主接口获取第一参数。
  10. 根据权利要求7所述的方法,其中,所述读入待加密的数据,包括:采用包括但不限于的AXI主接口或AHB主接口读入待加密的数据;
    相应的,所述输出所述加密数据,包括:采用包括但不限于的AXI主接口或AHB主接口输出所述加密数据。
  11. 一种计算机存储介质,所述计算机存储介质中存储有计算机可执行指令,所述计算机可执行指令用于执行权利要求7至10任一项所述的加密方法。
PCT/CN2015/074127 2014-08-19 2015-03-12 一种加密装置、加密方法及计算机存储介质 WO2016026287A1 (zh)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201410413320.X 2014-08-19
CN201410413320.XA CN105472602A (zh) 2014-08-19 2014-08-19 一种加密装置及加密方法

Publications (1)

Publication Number Publication Date
WO2016026287A1 true WO2016026287A1 (zh) 2016-02-25

Family

ID=55350156

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2015/074127 WO2016026287A1 (zh) 2014-08-19 2015-03-12 一种加密装置、加密方法及计算机存储介质

Country Status (2)

Country Link
CN (1) CN105472602A (zh)
WO (1) WO2016026287A1 (zh)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111625843A (zh) * 2019-07-23 2020-09-04 方盈金泰科技(北京)有限公司 一种适用于大数据平台的数据透明加解密系统
CN118074907A (zh) * 2024-04-02 2024-05-24 湖北大学 一种针对zuc算法的高性能硬件优化设计实现电路

Families Citing this family (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN108377180A (zh) * 2018-03-29 2018-08-07 哈尔滨理工大学 一种基于stm32的无线保密通信系统
CN109255245A (zh) * 2018-08-13 2019-01-22 海南新软软件有限公司 一种本地密钥保护方法、装置及系统
CN112199325A (zh) * 2020-10-27 2021-01-08 南京大学 一种3des加密解密算法可重构计算实现装置及其可重构计算方法

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102647711A (zh) * 2011-02-17 2012-08-22 中兴通讯股份有限公司 一种数据加密系统及方法
CN103517269A (zh) * 2012-06-19 2014-01-15 中兴通讯股份有限公司 数据加解密方法及系统
CN103731822A (zh) * 2012-10-15 2014-04-16 中国科学院微电子研究所 一种祖冲之算法的实现系统及其方法

Family Cites Families (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US8509424B2 (en) * 2009-11-15 2013-08-13 Ante Deng Fast key-changing hardware apparatus for AES block cipher
CN103874060B (zh) * 2012-12-13 2019-04-30 深圳市中兴微电子技术有限公司 数据的加/解密方法和装置

Patent Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102647711A (zh) * 2011-02-17 2012-08-22 中兴通讯股份有限公司 一种数据加密系统及方法
CN103517269A (zh) * 2012-06-19 2014-01-15 中兴通讯股份有限公司 数据加解密方法及系统
CN103731822A (zh) * 2012-10-15 2014-04-16 中国科学院微电子研究所 一种祖冲之算法的实现系统及其方法

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111625843A (zh) * 2019-07-23 2020-09-04 方盈金泰科技(北京)有限公司 一种适用于大数据平台的数据透明加解密系统
CN118074907A (zh) * 2024-04-02 2024-05-24 湖北大学 一种针对zuc算法的高性能硬件优化设计实现电路

Also Published As

Publication number Publication date
CN105472602A (zh) 2016-04-06

Similar Documents

Publication Publication Date Title
WO2016026287A1 (zh) 一种加密装置、加密方法及计算机存储介质
WO2016119625A1 (zh) 乱码本有限单向变换及其加解密应用的方法、装置和电路
US20100246828A1 (en) Method and system of parallelized data decryption and key generation
CN105324956A (zh) 加密明文数据的方法及设备
US8675865B2 (en) Method and apparatus for a high bandwidth stream cipher
CN106034021B (zh) 轻量级双模兼容aes加解密模块及其方法
EP4152681A1 (en) Low overhead side channel protection for number theoretic transform
WO2020168627A1 (zh) 基于拉链式动态散列和nlfsr的加密解密方法及装置
CN107534549B (zh) 可读存储介质、用于数据流字块加密的方法及系统
JP2022058872A (ja) コンピュータセキュリティを強化するための技術、可変語長エンコーディング、および可変長デコーディング
WO2019043921A1 (ja) 暗号化装置、復号装置、暗号化方法、復号方法、暗号化プログラム及び復号プログラム
US20150058639A1 (en) Encryption processing device and storage device
CN104219045A (zh) Rc4 流密码生成器
CN117857008A (zh) 基于整数自举的环面全同态加密算法的数据处理方法
CN107733634A (zh) 一种基于置换耦合的轻量化混沌认证加密方法
CN101924630B (zh) 一种应用于无线局域网的快速加解密方法
CN115632782B (zh) 基于sm4计数器模式的随机数生成方法、系统及设备
CN104244011A (zh) 一种基于混沌的图像压缩加密算法
CN107835070B (zh) 一种简单的嵌入式加密方法
Cui et al. A new image encryption algorithm based on DNA dynamic encoding and hyper-chaotic system
CN108322305A (zh) 用于aes加密硬件系统的量子字节替换硬件模块的实现方法
RU120303U1 (ru) Устройство для преобразования блоков данных при шифровании
CN110071927B (zh) 一种信息加密方法、系统及相关组件
CN106059748B (zh) 一种基于块安全再生码的轻量级数据安全存储方法
JP4857230B2 (ja) 疑似乱数生成装置及びそれを用いた暗号化処理装置

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 15834381

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 15834381

Country of ref document: EP

Kind code of ref document: A1