WO2024114264A1 - Encryption and decryption architecture, method, processor, and server - Google Patents

Encryption and decryption architecture, method, processor, and server

Publication number
WO2024114264A1
Authority
WO
WIPO (PCT)
Prior art keywords
data
register
flow control
encryption
controller
Prior art date
Application number
PCT/CN2023/128627
Other languages
French (fr)
Chinese (zh)
Inventor
赵新宇
孙旭
周玉龙
刘刚
Original Assignee
苏州元脑智能科技有限公司
Priority date
Filing date
Publication date
Application filed by 苏州元脑智能科技有限公司
Publication of WO2024114264A1

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/14 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols using a plurality of keys or algorithms
    • H04L9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0861 Generation of secret information including derivation or calculation of cryptographic keys or passwords
    • H04L2209/00 Additional information or applications relating to cryptographic mechanisms or cryptographic arrangements for secret or secure communication H04L9/00
    • H04L2209/12 Details relating to cryptographic hardware or logic circuitry

Definitions

  • the present application relates to the field of encryption and decryption architecture design, and in particular to an encryption and decryption architecture, method, processor and server.
  • the existing BMC chip supports multiple symmetric algorithms, such as AES, DES and RC4, and multiple algorithm working modes, such as ECB, CBC, CTR, OFB, etc.
  • the external interface is connected to the AHB bus and supports independent configuration of the algorithm.
  • the software configures the relevant parameters required by the algorithm before the algorithm operation starts, such as the key, initial vector, etc., and finally starts the operation. After the operation is completed, the interrupt, interrupt status and related instruction registers are cleared. The same operation is performed before the next operation. Repetitive configuration is required before each operation, and the algorithm operation cannot be started before the parameters are configured.
  • the internal encryption and decryption module of the existing BMC chip is based on the cryptographic algorithm.
  • the DES algorithm and the RC4 algorithm cannot resist replay attacks, and the key is easy to crack.
  • the computing speed of the DES algorithm and the RC4 algorithm is lower than the mainstream level in the industry; national cryptographic algorithms such as SM4 have a higher computing speed and security than the DES algorithm and the RC4 algorithm, but the existing BMC chip does not support SM4 or other national cryptographic algorithms. If a replay attack is carried out on them, it may cause the leakage of private data or even national secrets, which greatly threatens the data security of users and the country.
  • the present application provides an encryption and decryption architecture, method, processor and server.
  • the present application provides an encryption and decryption architecture, including: a controller, which is connected to the outside through a bus and is used to communicate with the outside through the bus; a data flow control module, which is connected to the controller; an algorithm engine core module, which is connected to the data flow control module; and a register stack module, which is connected to the outside through a bus and is also connected to the data flow control module; wherein the algorithm engine core module uses the grouped data to be operated provided by the data flow control module and the key and initial vector required for the encryption and decryption operation configured in the register stack module to perform encryption and decryption operations and feed back the operation result data of the encryption and decryption operations to the data flow control module, and the data flow control module outputs the operation result data through the controller.
  • the algorithm engine core module integrates the SM4 algorithm engine and the AES algorithm engine which can independently complete their respective algorithm operations.
  • the SM4 algorithm engine includes an SM4 byte replacement unit, an SM4 encryption/decryption operation unit, and an SM4 key expansion unit.
  • the SM4 byte replacement unit is used to perform a byte replacement operation: it replaces the input data, byte by byte, with the corresponding data found in the first lookup table and outputs the result;
  • the SM4 encryption/decryption operation unit integrates a 32-level pipeline round function, which can realize the input and output of a single clock cycle, and the round key generated by the SM4 key expansion module is used for the SM4 encryption/decryption operation unit.
  • the AES algorithm engine unit integrates three independent AES encryption/decryption operation units and AES key expansion units for the AES-128, AES-192 and AES-256 algorithms, an AES column mixing (MixColumns) unit and an AES byte replacement unit.
  • the AES byte replacement unit is mainly used for byte replacement operations.
  • the controller internally integrates a DMA register and a DMA read-write data flow control unit; the DMA register is connected to the AHB bus via an AHB slave interface; the DMA read-write data flow control unit is connected to the AHB bus via an AHB master interface, and the DMA read-write data flow control unit is connected to the data flow control module; the DMA read-write data flow control unit obtains the data to be calculated through the AHB bus according to the configuration in the DMA register and transmits it to the data flow control module.
  • the register stack module is connected to the externally connected AHB bus through an AHB slave interface, and the register stack module is connected to the data flow control module via an internal bus; the register stack module configures the first key register and the first initial vector register for the AES algorithm implemented by the algorithm engine core module, and the register stack module configures the second key register and the second initial vector register for the SM4 algorithm implemented by the algorithm engine core module; the register stack module configures multiple groups of channel status registers for recording the operation status; the register stack module configures a group of instruction registers.
  • the AHB slave interface corresponding to the register stack module and the DMA register is connected to the CPU of the corresponding AHB master interface via the AHB bus.
  • the data flow control module includes an internal cache and a flow control unit; wherein the internal cache includes an input FIFO cache and an output FIFO cache, the input FIFO cache is used to cache the data to be calculated read by the controller using the bus, and the output FIFO cache is used to cache the calculation result data that the algorithm engine core module outputs for the data to be calculated;
  • the flow control unit includes: a serial-to-parallel conversion logic circuit for serial-to-parallel conversion of data in the input FIFO cache, a parallel-to-serial conversion logic circuit for parallel-to-serial conversion of the calculation result data, an instruction decoder for decoding instructions in an instruction register, an instruction parser for parsing instructions, a flow controller for controlling the reading and writing of controller data according to the data cache status in the internal cache, a data sending and recycling interface for interacting with the algorithm engine core module, a debug tracking signal output interface connected to the register stack module, a state machine FSM state output interface and a channel state
  • the flow control unit implements a state machine FSM, which starts the algorithm engine corresponding to the algorithm engine core module according to the type of algorithm.
  • the state machine FSM controls the reading of data in the input FIFO cache, and after serial-to-parallel conversion by the serial-to-parallel conversion logic circuit, writes it into the algorithm engine core module through the data sending and recovery interface for encryption and decryption business operations.
  • the state machine FSM obtains the operation result data and recovers it to the flow control unit through the data sending and recovery interface, and writes it into the output FIFO cache after parallel-to-serial conversion to wait for the controller to read it from the output FIFO cache.
  • the flow controller requests the controller to read the output FIFO buffer when there is data in the output FIFO buffer, and generates a read enable for the output FIFO buffer according to the response signal of the controller; the flow control unit generates a pulse to start the read enable of the input FIFO buffer when the input FIFO buffer is not empty, and reads the data in the input FIFO buffer; when the input FIFO buffer is full, the flow controller sends information to stop data reading to the DMA read-write data flow control unit of the controller.
  • when the data received by the flow control unit cannot form a group, the data buffer temporarily stores the data that is less than a group.
  • when the flow control unit receives subsequent data, it extracts the temporarily stored data and combines it with the subsequent data into a group.
  • the present application provides an encryption and decryption control method, which is applied to an encryption and decryption architecture, including:
  • the data flow control module determines the algorithm type according to the configuration of the register stack module.
  • the data flow control module controls the serial-to-parallel conversion of the data to be operated and writes it into the algorithm engine core module through the data sending and recovery interface to perform encryption and decryption business operations corresponding to the corresponding algorithm type; the data flow control module recovers the operation result data of the algorithm engine core module and sends it to the controller after parallel-to-serial conversion.
  • the controller outputs the operation result data to the corresponding storage location according to the configuration of the controller.
  • the configuration of the controller includes: configuring the data starting address register, data length register, data flag register, operation result starting address register and DMA start register in the DMA register of the controller; the controller is started according to the start indication of the DMA start register, and the controller obtains the data to be calculated through the bus according to the data starting address of the data starting address register and the data length of the data length register; when the calculation is completed, the controller obtains the calculation result data after the calculation from the data flow control module according to the address of the calculation result starting address register and writes it back to the corresponding storage address through the AHB master interface output channel.
  • the configuration of the register stack module includes: configuring the first key register, the first initial vector register, the second key register, the second initial vector register and the instruction register of the register stack module, configuring the key and the initial vector required for the SM4 algorithm and the AES algorithm in the first key register, the first initial vector register, the second key register and the second initial vector register; configuring the number of encryption and decryption operations, the type of algorithm used, the algorithm mode and the algorithm start bit in the instruction register.
  • detecting whether the encryption and decryption architecture is idle includes: the data flow control module configures a debug trace signal output interface, a state machine FSM state output interface and a channel status monitor connected to a channel status register in the register stack module, outputs the debug trace signal, the state machine FSM state and the channel status to the channel status register, and obtains the channel status monitor data in the channel status register to detect whether the encryption and decryption architecture is idle.
  • the flow control unit of the data flow control module determines whether the algorithm needs key expansion based on the configuration of the register stack module. If key expansion is required, key expansion is performed first and then encryption and decryption processing is performed.
  • the flow controller of the flow control unit of the data flow control module requests the controller to read the output FIFO cache when there is data in the output FIFO cache, and generates a read enable for the output FIFO cache based on a response signal from the controller; the flow control unit generates a pulse to start the read enable of the input FIFO cache and read the data in the input FIFO cache when the input FIFO cache is not empty; when the input FIFO cache is full of data, the flow controller sends information to stop reading data to the DMA read-write data flow control unit of the controller.
  • the flow control unit of the data flow control module groups the data to be operated according to the set data length.
  • the data that cannot form a complete group is temporarily stored in the data buffer to wait for subsequent data, and the waiting group data is timed by the timeout detector.
  • the flow control unit of the data flow control module monitors errors and packet data timeouts during the processing of operation data and key processing and generates corresponding interrupts.
  • the present application provides a processor, wherein the processor configuration includes an encryption and decryption architecture.
  • the present application provides a server, the server comprising: at least one CPU, at least one processor configured with an encryption and decryption architecture, the processor being connected to the CPU via an AHB bus.
  • the controller of this application is connected to the data flow control module, and the controller starts and transmits the data to be calculated to the data flow control module according to the configuration in the DMA register; the data flow control module sends the data to be calculated to the algorithm engine core module in groups according to the AES and/or SM4 encryption algorithm.
  • the algorithm engine core module integrates the SM4 algorithm engine and the AES algorithm engine that can independently complete their respective algorithm operations. After the data flow control module determines the type of algorithm to be executed, it controls the algorithm engine core module to start the corresponding algorithm engine.
  • the algorithm engine core module uses the data to be calculated provided by the data flow control module and the key and initial vector required for the encryption and decryption operation configured in the register stack module to perform encryption and decryption operations, and feeds back the operation result data to the data flow control module.
  • the data flow control module outputs the operation result data through the controller, and the controller outputs the operation result data to the specified storage location according to the configuration in the DMA register.
  • the encryption and decryption architecture can automatically perform encryption and decryption processing on the data to be calculated under the CPU configuration, supporting both the SM4 algorithm and the AES algorithm. When the encryption and decryption architecture of this application is connected to the CPU, the CPU only needs to configure the encryption and decryption architecture to perform calculations, without the CPU participating in the calculation process, liberating the CPU's computing power and enhancing the competitiveness of the product.
  • FIG1 is a schematic diagram of an encryption and decryption architecture provided in an embodiment of the present application.
  • FIG2 is a schematic diagram of the architecture of a controller provided in an embodiment of the present application.
  • FIG3 is a schematic diagram of the architecture of a register file module provided in an embodiment of the present application.
  • FIG4 is a schematic diagram of the architecture of a data flow control module provided in an embodiment of the present application.
  • FIG5 is a schematic diagram of the architecture of the algorithm engine core module provided in an embodiment of the present application.
  • FIG6 is a schematic diagram of the states, state transitions, and state transition conditions of a state machine FSM provided in an embodiment of the present application.
  • an encryption and decryption architecture including: a controller, a register stack module, an algorithm engine core module, and a data flow control module.
  • the controller is connected to the outside through a bus and the controller is connected to the data flow control module, and the controller transmits the data to be operated to the data flow control module;
  • the data flow control module sends the data to be operated to the algorithm engine core module in groups according to the grouping method of the AES and/or SM4 encryption algorithm
  • the algorithm engine core module integrates the SM4 algorithm engine and the AES algorithm engine that can independently complete their respective algorithm operations.
  • after the data flow control module determines the type of algorithm to be executed, it controls the algorithm engine core module to start the corresponding algorithm engine; the algorithm engine core module uses the data to be operated provided by the data flow control module and the key and initial vector required for the encryption and decryption operation configured in the register stack module to perform encryption and decryption operations and feeds back the operation results to the data flow control module, and the data flow control module outputs the operation result data through the controller.
  • the controller internally integrates a DMA register and a DMA read/write data flow control unit; the DMA register is connected to the AHB bus via an AHB slave interface; and the DMA read/write data flow control unit is connected to the AHB bus via an AHB master interface.
  • the DMA read/write data flow control unit of the controller reads the data at the corresponding storage address into the internal cache of the data flow control module through the AHB master interface input channel according to the configuration in the DMA register.
  • the DMA read/write data flow control unit of the controller obtains the encrypted or decrypted data after the operation from the internal cache, and writes the encrypted or decrypted data after the operation back to the corresponding storage address through the AHB master interface output channel.
  • the DMA register includes a data start address register for recording the start bit of the data to be operated, a data length register for recording the length of the data to be operated, a data flag register, a calculation result start address register for recording the start bit of the calculation result data, and a DMA start register for starting the controller.
  • the CPU configures the corresponding AHB master interface corresponding to the AHB slave interface of the DMA register, and the CPU controls the controller by configuring the DMA register through the AHB bus.
  • the configuration of the controller by the CPU includes: configuring the data starting address register, the data length register, the data flag register in the DMA register of the controller, the operation result starting address register and the DMA start register to start the controller; the controller starts according to the start indication of the DMA start register, and the controller obtains the data to be operated through the bus according to the data starting address of the data starting address register and the data length of the data length register; when the operation is completed, the controller obtains the encrypted or decrypted data after the operation from the data flow control module according to the address of the operation result starting address register, and writes the operation result data back to the corresponding storage address through the AHB master interface output channel.
  • the register stack module is connected to the AHB bus based on the AHB slave interface, and the CPU configures the corresponding AHB master interface corresponding to the AHB slave interface of the register stack module, which is used by the CPU to configure the key and initial vector required for encryption and decryption operations in the register stack module, and the CPU obtains the operation status from the register stack module.
  • the register stack module configures the first key register and the first initial vector register for the AES algorithm, and the register stack module configures the second key register and the second initial vector register for the SM4 algorithm; the register stack module provides multiple groups of channel status registers for recording the operation status.
  • the CPU can access the channel status registers through the AHB bus to obtain the operation status.
  • the operation status includes the completion status of the encryption and decryption business, the interrupt status, the channel abnormal status and the debugging and tracking status information;
  • the register stack module provides a group of shared instruction registers.
  • the instruction registers are used to provide the data flow control module with algorithm instructions that distinguish the algorithm type.
  • the data flow control module controls the algorithm engine core module to start the corresponding algorithm engine according to the identified algorithm type.
  • the instruction register configures the number of encryption and decryption operations, the type of algorithm used, the algorithm mode, and starts the encryption and decryption business through the algorithm start bit.
  • the data flow control module includes an internal cache and a flow control unit.
  • the internal cache includes an input FIFO cache and an output FIFO cache.
  • the input FIFO cache is used to cache the data to be calculated read by the controller from the AHB bus, and the output FIFO is used to cache the calculation results of the data to be calculated.
  • the flow control unit includes a serial-to-parallel conversion logic circuit for serial-to-parallel conversion of the data in the input FIFO cache, a parallel-to-serial conversion logic circuit for parallel-to-serial conversion of the calculation result data in the output FIFO cache, an instruction decoder for decoding instructions in the instruction register, an instruction parser for parsing instructions, a flow controller for controlling the reading and writing of controller data according to the data cache state in the internal cache, a data sending and recycling interface for interacting with the algorithm engine core module, a debug tracking signal output interface connected to the channel status register, a state machine FSM state output interface and a channel status monitor, a data temporary register for temporarily storing data less than one packet in the calculation data, and a timeout detector for detecting whether the data waiting for a packet length in the internal cache has timed out.
  • the flow controller requests the controller to read the output FIFO buffer when there is data in the output FIFO buffer, and generates a read enable for the output FIFO buffer according to the response signal of the controller; when the data in the input FIFO buffer is full, the flow controller sends information to stop data reading to the DMA read-write data flow control unit of the controller; when the input FIFO buffer is not empty, the flow control unit generates a pulse to start the read enable of the input FIFO buffer and read the data in the input FIFO buffer.
  • the flow control unit of the data flow control module groups the data to be operated according to the set data length, temporarily stores the data that cannot form a complete group through the data register to wait for subsequent data, and times the waiting group data through the timeout detector.
  • the flow control unit of the data flow control module monitors errors and group data timeouts during the operation data and key processing and generates corresponding interrupts.
  • the flow control unit realizes the state machine FSM, which controls the reading of the data in the input FIFO buffer, and after the serial-to-parallel conversion by the serial-to-parallel conversion logic circuit, writes it into the algorithm engine core module through the data sending and recycling interface for encryption and decryption business operation.
  • the state machine FSM obtains the operation result data and recycles it to the flow control unit through the data sending and recycling interface, and writes it into the output FIFO buffer after the parallel-to-serial conversion to wait for the controller to read it from the output FIFO buffer.
  • the data storage situation in the input FIFO buffer is monitored by the flow controller.
  • the flow controller sends a message to stop data reading to the DMA read-write data flow control unit of the controller.
  • the DMA read-write data flow control unit of the controller responds to the message to stop data reading and stops reading the data to be operated, thereby realizing flow control.
  • the SM4 algorithm and the AES algorithm are block cipher algorithms.
  • the block length of the SM4 algorithm is 128 bits.
  • the SM4 encryption algorithm and the key expansion algorithm both adopt 32 rounds of nonlinear iterative structure, and perform encryption operations in units of words (32 bits). Each iterative operation is a round of transformation function F.
  • the SM4 encryption and decryption algorithms have the same structure, but the round keys are used in the opposite order.
  • the decryption round key is the reverse order of the encryption round key.
  • the interface sends the packet data to the algorithm engine core module. Under the control of the state machine FSM, the data buffer temporarily stores data that is less than a packet. When the flow control unit receives subsequent data, it extracts the temporarily stored data and combines it with the subsequent data into a packet.
  • states, state transitions, and state transition conditions of the state machine FSM are as follows:
  • the SM4 algorithm engine internally includes an SM4 byte replacement unit, an SM4 encryption/decryption operation unit, and an SM4 key expansion unit.
  • the SM4 byte replacement unit is used to perform a byte replacement operation: it replaces the input data, byte by byte, with the corresponding data found in the first lookup table and outputs the result;
  • the SM4 encryption/decryption operation unit forms a 32-stage pipeline round function, which can realize the input and output of a single clock cycle.
  • the round key generated by the SM4 key expansion module is used by the SM4 encryption/decryption operation unit; the AES algorithm engine unit integrates three independent AES encryption/decryption operation units and AES key expansion units for the AES-128, AES-192 and AES-256 algorithms, an AES column mixing (MixColumns) unit and an AES byte replacement unit.
  • the AES byte replacement unit is mainly used for byte replacement operations.
  • an encryption and decryption control method which is applied to an encryption and decryption architecture, including:
  • the controller and register stack module are configured.
  • the configuration of the controller includes: configuring the data starting address register, data length register, data flag register, operation result starting address register and DMA start register in the controller's DMA register; the controller starts according to the start indication of the DMA start register, and the controller obtains the data to be operated through the bus according to the data starting address of the data starting address register and the data length of the data length register; when the operation is completed, the controller obtains the encrypted or decrypted data after the operation from the data flow control module according to the address of the operation result starting address register, and writes the operation result data back to the corresponding storage address through the AHB master interface output channel.
  • the configuration of the register stack module includes: configuring the first key register, the first initial vector register, the second key register, the second initial vector register and the instruction register of the register stack module, configuring the key and initial vector required by the SM4 algorithm and the AES algorithm in the first key register, the first initial vector register, the second key register and the second initial vector register; configuring the number of encryption and decryption operations, the type of algorithm used, the algorithm mode and the algorithm start bit in the instruction register.
  • detecting whether the encryption and decryption architecture is idle includes: the data flow control module configures the debug tracking signal output interface, the state machine FSM state output interface and the channel state monitor connected to the channel state register in the register stack module, outputs the debug tracking signal, the state machine FSM state and the channel state to the channel state register, and obtains the channel state monitor data in the channel state register to detect whether the encryption and decryption architecture is idle.
  • the data flow control module determines the algorithm type according to the configuration of the register stack module.
  • the data flow control module controls the serial-to-parallel conversion of the data to be operated and writes it into the algorithm engine core module through the data sending and recycling interface to perform encryption and decryption business operations corresponding to the corresponding algorithm type.
  • the flow control unit of the data flow control module determines whether the algorithm needs key expansion based on the configuration of the register stack module. If key expansion is required, key expansion is performed first and then encryption and decryption processing is performed.
  • the flow controller of the flow control unit of the data flow control module requests the controller to read the output FIFO buffer when there is data in the output FIFO buffer, and generates a read enable of the output FIFO buffer according to the response signal of the controller; the flow control unit generates a pulse to start the read enable of the input FIFO buffer when the input FIFO buffer is not empty, and reads the data in the input FIFO buffer; when the data in the input FIFO buffer is full, the flow controller sends a message to stop data reading to the DMA read-write data flow control unit of the controller.
  • the flow control unit of the data flow control module groups the data to be calculated according to the set data length, temporarily stores the data that cannot form a complete group through the data temporary register to wait for subsequent data, and times the waiting grouped data through the timeout detector.
  • the flow control unit of the data flow control module monitors errors and grouped data timeouts in the process of processing the calculated data and the key, and generates corresponding interrupts.
  • the data flow control module realizes the processing of the data to be calculated and/or the key through the state machine FSM of Example 1.
  • the data flow control module recycles the operation result data of the algorithm engine core module and sends it to the controller after parallel-to-serial conversion.
  • the controller outputs the operation result data to the corresponding storage location according to the configuration of the controller.
  • a processor is provided, and an encryption and decryption architecture configured by the processor performs SM4 algorithm or AES algorithm encryption and decryption operations on data at a set storage location and returns the result.
  • the processor of this embodiment can be a BMC or an FPGA.
  • a server compatible with AES and SM4 encryption algorithms including at least one CPU and at least one processor configured with an encryption and decryption architecture.
  • a feasible processor uses a BMC.
  • the processor is connected to the CPU via the AHB bus.
  • the CPU is connected to the DMA register of the controller via the AHB bus, and the CPU is connected to the first key register, the second key register, the first initial vector register, the second initial vector register and the instruction register of the register stack module via the AHB bus.
  • the CPU controls the processor to implement encryption and decryption business operations: the CPU queries the channel status register. If the data monitored by the channel status monitor in the channel status register shows that the channel status is idle, it executes: the CPU configures the DMA register, including the data starting address register, data length register, data flag register, and operation result starting address register in the DMA register, and finally configures the DMA start register to start the controller.
  • the CPU configures the instruction register to determine the number of encryption and decryption operations, the type of algorithm used, the algorithm mode, and start the encryption and decryption business.
  • the controller obtains the data to be calculated according to the values of the data start address register and the data length register.
  • the data flow control module controls the algorithm engine core module to perform the corresponding operation according to the applicable algorithm type provided by the instruction register, and recovers the operation result data calculated by the algorithm engine core module, and then transmits it to the controller.
  • after the encryption and decryption business operation result data is transmitted to the controller, the controller writes the data to the corresponding position according to the previously configured operation result start address, and issues an interrupt to inform the CPU after the write-back is completed. After receiving the interrupt, the CPU clears the interrupt and obtains the operation result data at the corresponding address.
  • the units described as separate components may or may not be physically separated, and the components shown as units may or may not be physical units, that is, they may be located in one place or distributed on multiple network units. Some or all of the units may be selected according to actual needs to achieve the purpose of the solution of this embodiment.
  • each functional unit in each embodiment of the present application may be integrated into one processing unit, or each unit may exist physically separately, or two or more units may be integrated into one unit.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Storage Device Security (AREA)

Abstract

The present application relates to an encryption and decryption architecture, a method, a processor, and a server. According to the encryption and decryption architecture, a controller is connected to a data stream control module and transmits data to be operated to the data stream control module; the data stream control module groups said data and sends same to an algorithm engine core module; an SM4 algorithm engine and an AES algorithm engine capable of independently completing respective algorithm operations are integrated in the algorithm engine core module; after determining the type of an algorithm to be performed, the data stream control module controls the algorithm engine core module to start the corresponding algorithm engine; the algorithm engine core module performs encryption and decryption operations by using said data provided by the data stream control module, and keys and initial vectors that are required by the encryption and decryption operations and configured in a register file module and feeds back the operation results to the data stream control module; and the data stream control module outputs operation result data by means of the controller. Thus, encryption and decryption processing integrating an SM4 algorithm and an AES algorithm is achieved.

Description

An encryption and decryption architecture, method, processor and server
CROSS-REFERENCE TO RELATED APPLICATIONS
This application claims priority to the Chinese patent application filed with the China Patent Office on November 28, 2022, with application number 202211496168.7 and application name “An encryption and decryption architecture, method, processor and server”, the entire contents of which are incorporated by reference in this application.
Technical Field
The present application relates to the field of encryption and decryption architecture design, and in particular to an encryption and decryption architecture, method, processor and server.
Background
Existing BMC chips support multiple symmetric algorithms, such as AES, DES and RC4, and multiple algorithm working modes, such as ECB, CBC, CTR and OFB. The external interface is attached to the AHB bus, and each algorithm is configured independently. Before an algorithm operation starts, software configures the parameters the algorithm requires, such as the key and initial vector, and then starts the operation. After the operation ends, the interrupt, the interrupt status and the related instruction registers are cleared, and the same steps are performed again before the next operation. This configuration has to be repeated before every operation, and the operation must not be started before the parameters have been fully configured. The internal encryption and decryption module of existing BMC chips rests on cryptographic algorithms. In terms of algorithm security, the DES and RC4 algorithms cannot resist replay attacks and their keys are easily cracked; in terms of computing efficiency, the computing speed of the DES and RC4 algorithms is below the industry mainstream. Chinese national cryptographic algorithms such as SM4 offer higher computing speed and security than the DES and RC4 algorithms, but existing BMC chips do not support SM4 or other national cryptographic algorithms. A replay attack on them may leak private data or even state secrets, which greatly threatens the data security of users and the country.
Summary of the invention
In order to solve the above technical problems or at least partially solve the above technical problems, the present application provides an encryption and decryption architecture, method, processor and server.
In a first aspect, the present application provides an encryption and decryption architecture, including: a controller, which is connected to the outside through a bus and is used to communicate with the outside through the bus; a data flow control module, which is connected to the controller; an algorithm engine core module, which is connected to the data flow control module; and a register stack module, which is connected to the outside through a bus and is also connected to the data flow control module; wherein the algorithm engine core module uses the grouped data to be operated on provided by the data flow control module, together with the key and initial vector required for the encryption and decryption operation configured in the register stack module, to perform the encryption and decryption operation and feeds the operation result data back to the data flow control module, and the data flow control module outputs the operation result data through the controller.
In some embodiments of the present application, the algorithm engine core module integrates an SM4 algorithm engine and an AES algorithm engine, each of which can independently complete its own algorithm operations.
In some embodiments of the present application, the SM4 algorithm engine includes an SM4 byte replacement unit, an SM4 encryption/decryption operation unit and an SM4 key expansion unit. The SM4 byte replacement unit performs the byte replacement operation: by looking up a first lookup table, it replaces the input data byte by byte with the corresponding data and outputs it. The SM4 encryption/decryption operation unit integrates a 32-stage pipelined round function, which allows input and output in a single clock cycle, and the round keys generated by the SM4 key expansion unit are used by the SM4 encryption/decryption operation unit. The AES algorithm engine integrates independent AES encryption/decryption operation units and AES key expansion units for the three algorithms AES-128, AES-192 and AES-256, together with an AES column obfuscation (MixColumns) unit and an AES byte replacement (SubBytes) unit. The AES byte replacement unit mainly performs the byte replacement operation: by looking up a second lookup table, it replaces the input data byte by byte with the corresponding data and outputs it. The AES column obfuscation unit multiplies the row-shifted state matrix by a fixed matrix to obtain the obfuscated state matrix, which implements the column obfuscation transformation.
In some embodiments of the present application, the controller internally integrates a DMA register and a DMA read-write data flow control unit; the DMA register is connected to the AHB bus via an AHB slave interface; the DMA read-write data flow control unit is connected to the AHB bus via an AHB master interface and is also connected to the data flow control module; the DMA read-write data flow control unit obtains the data to be operated on through the AHB bus according to the configuration in the DMA register and transmits it to the data flow control module.
In some embodiments of the present application, the register stack module is connected to the external AHB bus through an AHB slave interface and to the data flow control module via an internal bus; the register stack module provides a first key register and a first initial vector register for the AES algorithm implemented by the algorithm engine core module, and a second key register and a second initial vector register for the SM4 algorithm implemented by the algorithm engine core module; the register stack module provides multiple groups of channel status registers for recording the operation status; and the register stack module provides a group of instruction registers.
In some embodiments of the present application, the AHB slave interfaces corresponding to the register stack module and the DMA register are connected via the AHB bus to a CPU provided with the corresponding AHB master interface.
In some embodiments of the present application, the data flow control module includes an internal cache and a flow control unit. The internal cache includes an input FIFO cache and an output FIFO cache: the input FIFO cache buffers the data to be operated on that the controller reads over the bus, and the output FIFO cache buffers the operation result data that the algorithm engine core module outputs for the data to be operated on. The flow control unit includes: a serial-to-parallel conversion logic circuit for serial-to-parallel conversion of the data in the input FIFO cache; a parallel-to-serial conversion logic circuit for parallel-to-serial conversion of the operation result data; an instruction decoder for decoding the instructions in the instruction register; an instruction parser for parsing instructions; a flow controller for controlling the controller's data reads and writes according to the buffering state of the internal cache; a data sending and recovery interface for interacting with the algorithm engine core module; a debug tracking signal output interface, a state machine FSM state output interface and a channel state monitor connected to the register stack module; a data staging register for temporarily storing data to be operated on that amounts to less than one group; and a timeout detector for detecting whether data in the internal cache that is waiting to reach one group length has timed out.
In some embodiments of the present application, the flow control unit implements a state machine FSM, which starts the corresponding algorithm engine of the algorithm engine core module according to the algorithm type. The state machine FSM controls the reading of data from the input FIFO cache; after serial-to-parallel conversion by the serial-to-parallel conversion logic circuit, the data is written through the data sending and recovery interface into the algorithm engine core module for the encryption and decryption business operation. After the operation is completed, the state machine FSM recovers the operation result data to the flow control unit through the data sending and recovery interface and, after parallel-to-serial conversion, writes it into the output FIFO cache to wait for the controller to read it from the output FIFO cache.
In some embodiments of the present application, the flow controller requests the controller to read the output FIFO cache when the output FIFO cache holds data, and generates the read enable of the output FIFO cache according to the response signal of the controller; the flow control unit generates a pulse when the input FIFO cache is not empty to start the read enable of the input FIFO cache and read the data in the input FIFO cache; when the input FIFO cache is full, the flow controller sends a message to stop reading data in to the DMA read-write data flow control unit of the controller.
In some embodiments of the present application, when the data received by the flow control unit cannot form one group, the data staging register temporarily stores the data that amounts to less than one group; when the flow control unit receives subsequent data, it extracts the temporarily stored data and combines it with the subsequent data into one group.
In a second aspect, the present application provides an encryption and decryption control method, applied to the encryption and decryption architecture, including:
configuring the controller and the register stack module;
detecting whether the encryption and decryption architecture is idle; if it is idle, starting the controller, which obtains the data to be operated on according to the configuration of the controller and transmits it to the data flow control module;
the data flow control module determines the algorithm type according to the configuration of the register stack module, performs serial-to-parallel conversion on the data to be operated on, and writes it through the data sending and recovery interface into the algorithm engine core module for the encryption and decryption business operation of the corresponding algorithm type; the data flow control module recovers the operation result data of the algorithm engine core module and sends it to the controller after parallel-to-serial conversion, and the controller outputs the operation result data to the corresponding storage location according to the configuration of the controller.
In some embodiments of the present application, the configuration of the controller includes: configuring the data starting address register, the data length register, the data flag register, the operation result starting address register and the DMA start register in the DMA register of the controller; the controller starts according to the start indication of the DMA start register and obtains the data to be operated on through the bus according to the data starting address in the data starting address register and the data length in the data length register; when the operation is completed, the controller obtains the operation result data from the data flow control module and, according to the address in the operation result starting address register, writes it back to the corresponding storage address through the AHB master interface output channel.
In some embodiments of the present application, the configuration of the register stack module includes: configuring the first key register, the first initial vector register, the second key register, the second initial vector register and the instruction register of the register stack module; configuring the keys and initial vectors required by the SM4 algorithm and the AES algorithm in the first key register, the first initial vector register, the second key register and the second initial vector register; and configuring the number of encryption and decryption operations, the type of algorithm used, the algorithm mode and the algorithm start bit in the instruction register.
In some embodiments of the present application, detecting whether the encryption and decryption architecture is idle includes: the data flow control module configures the debug tracking signal output interface, the state machine FSM state output interface and the channel state monitor connected to the channel status register in the register stack module, outputs the debug tracking signal, the state machine FSM state and the channel state to the channel status register, and obtains the channel state monitor data in the channel status register to detect whether the encryption and decryption architecture is idle.
In some embodiments of the present application, the flow control unit of the data flow control module determines, based on the configuration of the register stack module, whether the algorithm needs key expansion. If key expansion is required, key expansion is performed first and then the encryption and decryption processing is performed.
In some embodiments of the present application, the flow controller of the flow control unit of the data flow control module requests the controller to read the output FIFO cache when the output FIFO cache holds data, and generates the read enable of the output FIFO cache according to the response signal of the controller; the flow control unit generates a pulse when the input FIFO cache is not empty to start the read enable of the input FIFO cache and read the data in the input FIFO cache; when the input FIFO cache is full, the flow controller sends a message to stop reading data in to the DMA read-write data flow control unit of the controller.
In some embodiments of the present application, the flow control unit of the data flow control module groups the data to be operated on according to the set data length, temporarily stores data that cannot form a complete group in the data staging register to wait for subsequent data, and times the waiting group data with the timeout detector.
In some embodiments of the present application, the flow control unit of the data flow control module monitors errors and group-data wait timeouts during the processing of the data to be operated on and the key, and generates the corresponding interrupts.
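The temporary storage of partial groups and the timeout detector described above can be modelled in software; the following is an added example, not code from the patent. It assumes 16-byte groups (the AES and SM4 block size), a hypothetical `TIMEOUT_TICKS` threshold, and that a timed-out fragment is discarded and zeroed; the names `grouper_*`, `collector` and `collect_block` are illustrative.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BLOCK_BYTES   16u    /* AES and SM4 both work on 128-bit blocks */
#define TIMEOUT_TICKS 1000u  /* assumed threshold; the page gives no value */

typedef void (*block_sink)(const uint8_t block[BLOCK_BYTES], void *ctx);

typedef struct {
    uint8_t  staged[BLOCK_BYTES]; /* models the temporary store for a partial group */
    size_t   staged_len;          /* bytes held, always < BLOCK_BYTES between calls */
    uint32_t wait_ticks;          /* models the timeout detector's counter */
    int      timeout_irq;         /* latched until software clears it */
} grouper;

/* Overwrite through a volatile pointer so the wipe is not optimised away. */
static void wipe(uint8_t *p, size_t n)
{
    volatile uint8_t *v = p;
    while (n--) *v++ = 0;
}

void grouper_init(grouper *g) { memset(g, 0, sizeof *g); }

/* Accept one input burst and pass every complete block to sink.
 * Returns the number of blocks emitted by this call. */
size_t grouper_feed(grouper *g, const uint8_t *data, size_t len,
                    block_sink sink, void *ctx)
{
    size_t emitted = 0;
    if (len == 0) return 0;
    if (g->staged_len > 0) {              /* complete the staged partial first */
        size_t need = BLOCK_BYTES - g->staged_len;
        size_t take = len < need ? len : need;
        memcpy(g->staged + g->staged_len, data, take);
        g->staged_len += take;
        data += take;
        len -= take;
        if (g->staged_len < BLOCK_BYTES)
            return 0;                     /* still short: timer keeps running */
        sink(g->staged, ctx);
        emitted++;
        wipe(g->staged, sizeof g->staged);
        g->staged_len = 0;
        g->wait_ticks = 0;
    }
    for (; len >= BLOCK_BYTES; data += BLOCK_BYTES, len -= BLOCK_BYTES) {
        sink(data, ctx);
        emitted++;
    }
    if (len > 0) {                        /* stage the tail and start timing it */
        memcpy(g->staged, data, len);
        g->staged_len = len;
        g->wait_ticks = 0;
    }
    return emitted;
}

/* One timer tick. Returns 1 on the tick that raises the timeout interrupt. */
int grouper_tick(grouper *g)
{
    if (g->staged_len == 0 || ++g->wait_ticks < TIMEOUT_TICKS)
        return 0;
    wipe(g->staged, sizeof g->staged);    /* assumption: drop and zero the stale fragment */
    g->staged_len = 0;
    g->wait_ticks = 0;
    g->timeout_irq = 1;
    return 1;
}

/* Test sink: records the blocks it is handed. */
typedef struct { uint8_t blocks[8][BLOCK_BYTES]; size_t count; } collector;

void collect_block(const uint8_t block[BLOCK_BYTES], void *ctx)
{
    collector *c = ctx;
    if (c->count < 8) memcpy(c->blocks[c->count], block, BLOCK_BYTES);
    c->count++;
}

int main(void)
{
    uint8_t in[40];                       /* constructed sample input: bytes 0..39 */
    grouper g;
    collector c;
    for (size_t i = 0; i < sizeof in; i++) in[i] = (uint8_t)i;
    memset(&c, 0, sizeof c);
    grouper_init(&g);
    grouper_feed(&g, in, 10, collect_block, &c);       /* 10 staged, 0 blocks */
    grouper_feed(&g, in + 10, 10, collect_block, &c);  /* 1 block, 4 staged */
    grouper_feed(&g, in + 20, 20, collect_block, &c);  /* 1 block, 8 staged */
    printf("blocks=%zu staged=%zu\n", c.count, g.staged_len);
    return 0;
}
```

Discarding the fragment on timeout keeps a stale partial group from being prepended to the next job's data, which is why the model wipes the staging buffer before raising the interrupt.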
In a third aspect, the present application provides a processor configured with the encryption and decryption architecture.
In a fourth aspect, the present application provides a server, including: at least one CPU and at least one processor configured with the encryption and decryption architecture, the processor being connected to the CPU via an AHB bus.
Compared with the prior art, the above technical solution provided by the embodiments of the present application has the following advantages:
In the present application, the controller is connected to the data flow control module; the controller starts according to the configuration in the DMA register and transmits the data to be operated on to the data flow control module. The data flow control module groups the data to be operated on according to the grouping method of the AES and/or SM4 encryption algorithm and sends it to the algorithm engine core module, which integrates an SM4 algorithm engine and an AES algorithm engine that can each independently complete their own algorithm operations. After determining the type of algorithm to be executed, the data flow control module controls the algorithm engine core module to start the corresponding algorithm engine. The algorithm engine core module uses the data to be operated on provided by the data flow control module and the key and initial vector required for the encryption and decryption operation configured in the register stack module to perform the encryption and decryption operation, and feeds the operation result data back to the data flow control module. The data flow control module outputs the operation result data through the controller, and the controller writes the operation result data to the specified storage location according to the configuration in the DMA register. Once configured by the CPU, the encryption and decryption architecture automatically performs encryption and decryption processing on the data to be operated on, and supports both the SM4 algorithm and the AES algorithm.
When the encryption and decryption architecture of the present application is connected to a CPU, the CPU only needs to configure the architecture for the operation to proceed; the CPU does not take part in the computation itself, which frees up the CPU's computing power and enhances the competitiveness of the product.
BRIEF DESCRIPTION OF THE DRAWINGS
The accompanying drawings, which are incorporated in and constitute a part of this specification, illustrate embodiments consistent with the present application and, together with the description, serve to explain the principles of the present application.
In order to more clearly illustrate the technical solutions in the embodiments of the present application or the prior art, the drawings required for the description of the embodiments or the prior art are briefly introduced below. Obviously, a person of ordinary skill in the art can obtain other drawings from these drawings without creative effort.
FIG. 1 is a schematic diagram of an encryption and decryption architecture provided in an embodiment of the present application;
FIG. 2 is a schematic diagram of the architecture of a controller provided in an embodiment of the present application;
FIG. 3 is a schematic diagram of the architecture of a register stack module provided in an embodiment of the present application;
FIG. 4 is a schematic diagram of the architecture of a data flow control module provided in an embodiment of the present application;
FIG. 5 is a schematic diagram of the architecture of the algorithm engine core module provided in an embodiment of the present application;
FIG. 6 is a schematic diagram of the states, state transitions and state transition conditions of a state machine FSM provided in an embodiment of the present application.
Detailed Description
In order to make the purpose, technical solutions and advantages of the embodiments of the present application clearer, the technical solutions in the embodiments of the present application are described clearly and completely below in conjunction with the drawings in the embodiments of the present application. Obviously, the described embodiments are some of the embodiments of the present application, not all of them. All other embodiments obtained by a person of ordinary skill in the art based on the embodiments in the present application without creative effort fall within the scope of protection of the present application.
It should be noted that, in this document, the terms "include", "comprise" and any other variations thereof are intended to cover non-exclusive inclusion, so that a process, method, article or device that includes a series of elements includes not only those elements, but also other elements not explicitly listed, or elements inherent to such a process, method, article or device. In the absence of further restrictions, an element defined by the phrase "includes a ..." does not exclude the presence of other identical elements in the process, method, article or device that includes the element.
参阅图1所示,在本申请一些实施例中,提供一种加解密架构,包括:控制器、寄存器堆模块、算法引擎核模块和数据流控制模块。控制器通过总线连接外部且控制器连接数据流控制模块,控制器将待运算数据传输给数据流控制模块;数据流控制模块按AES和/或SM4加密算法的分组方式将待运算数据分组发送给算法引擎核模块,算法引擎核模块内部集成了能独立完成各自的算法运算的SM4算法引擎与AES算法引擎,数据流控制模块判断执行算法种类后控制算法引擎核模块启动相应算法引擎,算法引擎核模块利用数据流控制模块提供的待运算数据和寄存器堆模块中配置的加解密运算所需要的密钥和初始向量进行加解密运算并将运算结果反馈给数据流控制模块,数据流控制模块通过控制器将运算结果数据输出。Referring to FIG. 1 , in some embodiments of the present application, an encryption and decryption architecture is provided, including: a controller, a register stack module, an algorithm engine core module, and a data flow control module. The controller is connected to the outside through a bus and the controller is connected to the data flow control module, and the controller transmits the data to be operated to the data flow control module; the data flow control module sends the data to be operated to the algorithm engine core module in groups according to the grouping method of the AES and/or SM4 encryption algorithm, and the algorithm engine core module integrates the SM4 algorithm engine and the AES algorithm engine that can independently complete their respective algorithm operations. After the data flow control module determines the type of algorithm to be executed, it controls the algorithm engine core module to start the corresponding algorithm engine, and the algorithm engine core module uses the data to be operated provided by the data flow control module and the key and initial vector required for the encryption and decryption operation configured in the register stack module to perform encryption and decryption operations and feeds back the operation results to the data flow control module, and the data flow control module outputs the operation result data through the controller.
As shown in FIG. 2, the controller internally integrates a DMA register and a DMA read/write data flow control unit. The DMA register is connected to the AHB bus via an AHB slave interface, and the DMA read/write data flow control unit is connected to the AHB bus via an AHB master interface. After DMA is started, the DMA read/write data flow control unit of the controller, following the configuration in the DMA register, reads the data at the corresponding storage address into the internal cache of the data flow control module through the AHB master interface input channel. When the operation is completed, the DMA read/write data flow control unit obtains the encrypted or decrypted data from the internal cache and writes it back to the corresponding storage address through the AHB master interface output channel. The DMA register includes a data start address register recording the start position of the data to be operated on, a data length register recording the length of the data to be operated on, a data flag register, an operation result start address register recording the start position of the operation result data, and a DMA start register for starting the controller.
In a specific implementation, the CPU provides an AHB master interface corresponding to the AHB slave interface of the DMA register, and controls the controller by configuring the DMA register over the AHB bus. The CPU's configuration of the controller includes configuring, in the controller's DMA register, the data start address register, the data length register, the data flag register and the operation result start address register, and configuring the DMA start register to start the controller. The controller starts according to the start indication in the DMA start register and obtains the data to be operated on over the bus according to the data start address in the data start address register and the data length in the data length register. When the operation is completed, the controller takes the encrypted or decrypted data obtained from the data flow control module and, according to the address in the operation result start address register, writes the operation result data back to the corresponding storage address through the AHB master interface output channel.
As shown in FIG. 3, the register stack module is connected to the AHB bus through an AHB slave interface, and the CPU provides a corresponding AHB master interface. Through it the CPU configures in the register stack module the key and initial vector required for the encryption and decryption operations, and reads the operation status from the register stack module. To allow the AES algorithm and the SM4 algorithm to run from a single configuration, the register stack module provides a first key register and a first initial vector register for the AES algorithm, and a second key register and a second initial vector register for the SM4 algorithm. The register stack module provides multiple groups of channel status registers for recording the operation status. The CPU can read the channel status registers over the AHB bus to obtain the operation status, which includes the completion status of the encryption and decryption service, the interrupt status, the channel exception status and debug trace status information. The register stack module also provides one shared group of instruction registers, which supply the data flow control module with algorithm instructions that distinguish the algorithm type.
The data flow control module controls the algorithm engine core module to start the corresponding algorithm engine according to the identified algorithm type. Specifically, the instruction register is configured with the number of encryption and decryption operations, the algorithm type and the algorithm mode, and the encryption and decryption service is started through the algorithm start bit.
Referring to FIG. 4, the data flow control module includes an internal cache and a flow control unit. The internal cache includes an input FIFO cache and an output FIFO cache. The input FIFO cache buffers the data to be operated on that the controller reads from the AHB bus, and the output FIFO cache buffers the operation results for that data. The flow control unit includes: a serial-to-parallel conversion logic circuit for converting the data in the input FIFO cache; a parallel-to-serial conversion logic circuit for converting the operation result data in the output FIFO cache; an instruction decoder for decoding the instructions in the instruction register; an instruction parser for parsing instructions; a flow controller for controlling the controller's data reads and writes according to the buffering state of the internal cache; a data sending and recycling interface for interacting with the algorithm engine core module; a debug trace signal output interface, a state machine (FSM) state output interface and a channel status monitor, all connected to the channel status register; a data temporary register for temporarily storing data that amounts to less than one block; and a timeout detector for detecting whether data in the internal cache waiting to fill one block length has timed out.
In a specific implementation, when the output FIFO cache holds data, the flow controller requests the controller to read the output FIFO cache and generates the read enable of the output FIFO cache according to the controller's response signal. When the input FIFO cache is full, the flow controller sends a message to the DMA read/write data flow control unit of the controller to stop reading data in. When the input FIFO cache is not empty, the flow control unit generates a pulse that starts the read enable of the input FIFO cache and reads its data. The flow control unit of the data flow control module divides the data to be operated on into blocks of the set data length, stores data that cannot form a complete block in the data temporary register to wait for subsequent data, and uses the timeout detector to time the wait for the rest of the block. The flow control unit also monitors for errors in processing the data to be operated on and the key, and for timeouts while waiting for block data, and generates the corresponding interrupts.
To realize the above control process, as shown in FIG. 6, the flow control unit implements a state machine (FSM). The FSM controls the reading of data from the input FIFO cache; after serial-to-parallel conversion by the serial-to-parallel conversion logic circuit, the data is written through the data sending and recycling interface into the algorithm engine core module for the encryption or decryption operation. After the operation is completed, the FSM collects the operation result data back into the flow control unit through the data sending and recycling interface and, after parallel-to-serial conversion, writes it into the output FIFO cache, where it waits to be read by the controller. Under the control of the FSM, the flow controller monitors how full the input FIFO cache is. When the input FIFO cache is full, the flow controller sends a message to the DMA read/write data flow control unit of the controller to stop reading data in, and the DMA read/write data flow control unit responds by stopping the read-in of data to be operated on, thereby realizing flow control.
The SM4 algorithm and the AES algorithm are block cipher algorithms. For example, the block length of the SM4 algorithm is 128 bits. The SM4 encryption algorithm and the key expansion algorithm both adopt a 32-round nonlinear iterative structure and operate in units of words (32 bits); each iteration is one application of the round transformation function F. SM4 encryption and decryption have the same structure and differ only in the order of the round keys: the decryption round keys are the encryption round keys in reverse order. The data sending and recycling interface sends the block data to the algorithm engine core module. Under the control of the FSM, the data temporary register stores data that amounts to less than one block; when the flow control unit receives subsequent data, it retrieves the stored data and combines it with the subsequent data into one block.
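The block assembly described above (staging a partial block, recombining it with later data, and the timeout interrupt) as a behavioural model in C. This is an added example, not code from the patent: the timeout threshold, the interrupt bit, all names, and the choice to hold a timed-out partial block rather than pad or dispatch it are assumptions, and the engine is a stand-in that only records the blocks it receives.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BLOCK_BYTES       16    /* AES and SM4 both use 128-bit blocks */
#define TIMEOUT_TICKS     8     /* assumed threshold; the page gives no figure */
#define IRQ_BLOCK_TIMEOUT 0x1u  /* assumed interrupt cause bit */
#define LOG_BLOCKS        4

/* Stand-in for the engine core: records the blocks it is handed. */
typedef struct { uint8_t seen[LOG_BLOCKS][BLOCK_BYTES]; unsigned count; } engine_log;

typedef struct {
    uint8_t  staged[BLOCK_BYTES]; /* data temporary register */
    size_t   staged_len;          /* bytes waiting for the rest of a block */
    unsigned wait_ticks;          /* timeout detector counter */
    unsigned irq;                 /* pending interrupt causes */
    engine_log *engine;
} flow_ctl;

static void engine_submit(engine_log *e, const uint8_t *blk) {
    if (e->count < LOG_BLOCKS) memcpy(e->seen[e->count], blk, BLOCK_BYTES);
    e->count++;
}

static void fc_init(flow_ctl *fc, engine_log *engine) {
    memset(fc, 0, sizeof *fc);
    memset(engine, 0, sizeof *engine);
    fc->engine = engine;
}

/* Consume bytes read from the input FIFO; returns the blocks dispatched. */
static unsigned fc_push(flow_ctl *fc, const uint8_t *data, size_t len) {
    unsigned sent = 0;
    while (len > 0) {
        size_t room = BLOCK_BYTES - fc->staged_len;
        size_t take = len < room ? len : room;
        memcpy(fc->staged + fc->staged_len, data, take);
        fc->staged_len += take;
        data += take;
        len -= take;
        if (fc->staged_len == BLOCK_BYTES) {
            engine_submit(fc->engine, fc->staged);
            memset(fc->staged, 0, BLOCK_BYTES); /* leave no residue in staging */
            fc->staged_len = 0;
            sent++;
        }
    }
    fc->wait_ticks = 0; /* fresh data restarts the timeout window */
    return sent;
}

/* One idle clock tick. A partial block that waits too long raises an
 * interrupt; the model never pads it or sends it to the engine. */
static unsigned fc_tick(flow_ctl *fc) {
    if (fc->staged_len > 0 && ++fc->wait_ticks >= TIMEOUT_TICKS)
        fc->irq |= IRQ_BLOCK_TIMEOUT;
    return fc->irq;
}

/* Constructed input: bytes 0x00..0x25 delivered as bursts of 10, 22 and 6. */
static int demo_reassembly(void) {
    uint8_t in[38];
    engine_log log;
    flow_ctl fc;
    for (int i = 0; i < 38; i++) in[i] = (uint8_t)i;
    fc_init(&fc, &log);
    unsigned a = fc_push(&fc, in, 10);      /* 10 bytes staged, nothing sent */
    unsigned b = fc_push(&fc, in + 10, 22); /* 10+6 completes one block, 16 more make a second */
    unsigned c = fc_push(&fc, in + 32, 6);  /* 6 bytes staged again */
    int contiguous = memcmp(log.seen[0], in, 16) == 0 &&
                     memcmp(log.seen[1], in + 16, 16) == 0;
    return a == 0 && b == 2 && c == 0 && fc.staged_len == 6 &&
           log.count == 2 && contiguous;
}

/* Interrupt state after `ticks` idle ticks with 5 constructed bytes staged. */
static unsigned demo_timeout(unsigned ticks) {
    const uint8_t tail[5] = {1, 2, 3, 4, 5};
    engine_log log;
    flow_ctl fc;
    unsigned irq = 0;
    fc_init(&fc, &log);
    fc_push(&fc, tail, sizeof tail);
    for (unsigned t = 0; t < ticks; t++) irq = fc_tick(&fc);
    return log.count == 0 ? irq : 0xffffffffu; /* the engine must not see the partial block */
}

int main(void) {
    printf("reassembly ok: %d\n", demo_reassembly());
    printf("irq after 7 ticks: %u, after 8 ticks: %u\n", demo_timeout(7), demo_timeout(8));
    return 0;
}
```
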
In a specific implementation, the states, state transitions and state transition conditions of the state machine FSM are as follows:


In a specific implementation, referring to FIG. 5, the SM4 algorithm engine internally includes an SM4 byte replacement unit, an SM4 encryption/decryption operation unit and an SM4 key expansion unit. The SM4 byte replacement unit performs the byte substitution operation: it looks up a first lookup table to replace the input data, byte by byte, with the corresponding data and outputs the result. The SM4 encryption/decryption operation unit internally integrates a 32-stage pipelined round function, which allows input and output in a single clock cycle, and uses the round keys generated by the SM4 key expansion unit. The AES algorithm engine integrates independent AES encryption/decryption operation units and AES key expansion units for the three algorithms AES-128, AES-192 and AES-256, together with an AES column confusion unit and an AES byte replacement unit. The AES byte replacement unit performs the byte substitution operation: it looks up a second lookup table to replace the input data, byte by byte, with the corresponding data and outputs the result. The AES column confusion (MixColumns) unit multiplies the state matrix after row shifting by a fixed matrix to obtain the mixed state matrix, implementing the column confusion transformation.
Some embodiments of the present application further provide an encryption and decryption control method, applied to the encryption and decryption architecture, including:
Configuring the controller and the register stack module. In a specific implementation, configuring the controller includes configuring the data start address register, the data length register, the data flag register, the operation result start address register and the DMA start register in the controller's DMA register. The controller starts according to the start indication in the DMA start register and obtains the data to be operated on over the bus according to the data start address in the data start address register and the data length in the data length register. When the operation is completed, the controller takes the encrypted or decrypted data obtained from the data flow control module and, according to the address in the operation result start address register, writes the operation result data back to the corresponding storage address through the AHB master interface output channel. Configuring the register stack module includes configuring its first key register, first initial vector register, second key register, second initial vector register and instruction register: the keys and initial vectors required by the SM4 algorithm and the AES algorithm are configured in the first key register, the first initial vector register, the second key register and the second initial vector register, and the number of encryption and decryption operations, the algorithm type, the algorithm mode and the algorithm start bit are configured in the instruction register.
Detecting whether the encryption and decryption architecture is idle; if it is idle, the controller is started, and the controller obtains the data to be operated on according to its configuration and transmits it to the data flow control module. In a specific implementation, detecting whether the architecture is idle includes: the data flow control module provides a debug trace signal output interface, a state machine (FSM) state output interface and a channel status monitor connected to the channel status register in the register stack module, and outputs the debug trace signals, the FSM state and the channel status to the channel status register; the channel status monitor data in the channel status register is then read to determine whether the encryption and decryption architecture is idle.
The data flow control module determines the algorithm type according to the configuration of the register stack module. After serial-to-parallel conversion of the data to be operated on, it writes the data through the data sending and recycling interface into the algorithm engine core module, which performs the encryption or decryption operation of the corresponding algorithm type. In a specific implementation, the flow control unit of the data flow control module determines from the configuration of the register stack module whether the algorithm requires key expansion; if it does, key expansion is performed first, followed by the encryption or decryption processing.
While the data flow control module processes the data to be operated on, the flow controller of its flow control unit requests the controller to read the output FIFO cache when the output FIFO cache holds data, and generates the read enable of the output FIFO cache according to the controller's response signal. When the input FIFO cache is not empty, the flow control unit generates a pulse that starts the read enable of the input FIFO cache and reads its data. When the input FIFO cache is full, the flow controller sends a message to the DMA read/write data flow control unit of the controller to stop reading data in. The flow control unit divides the data to be operated on into blocks of the set data length, stores data that cannot form a complete block in the data temporary register to wait for subsequent data, and uses the timeout detector to time the wait for the rest of the block. The flow control unit also monitors for errors in processing the data to be operated on and the key, and for timeouts while waiting for block data, and generates the corresponding interrupts.
In a specific implementation, the data flow control module processes the data to be operated on and/or the key by means of the state machine FSM of Embodiment 1.
The data flow control module collects the operation result data from the algorithm engine core module and, after parallel-to-serial conversion, sends it to the controller. The controller outputs the operation result data to the corresponding storage location according to its configuration.
Some embodiments of the present application further provide a processor configured with the encryption and decryption architecture, which performs SM4 and/or AES encryption and decryption operations on data at a set storage location and returns the result. In a specific implementation, the processor of this embodiment may be a BMC or an FPGA.
Some embodiments of the present application further provide a server compatible with the AES and SM4 encryption algorithms, including at least one CPU and at least one processor configured with the encryption and decryption architecture. In the server, one feasible choice of processor is a BMC.
In a specific implementation, the processor is connected to the CPU through the AHB bus. Specifically, the CPU is connected through the AHB bus to the DMA register of the controller and to the first key register, the second key register, the first initial vector register, the second initial vector register and the instruction register of the register stack module. The CPU controls the processor to carry out the encryption and decryption service as follows. The CPU queries the channel status register. If the data from the channel status monitor in the channel status register shows that the channel is idle, the CPU configures the DMA register: the data start address register, the data length register, the data flag register and the operation result start address register, and finally the DMA start register, which starts the controller. The CPU configures the first key register and/or the second key register and the first initial vector register and/or the second initial vector register, so that the key or initial vector required for the operation is ready. The CPU configures the instruction register, which sets the number of encryption and decryption operations, the algorithm type and the algorithm mode, and starts the encryption and decryption service.
The controller obtains the data to be operated on according to the values of the data start address register and the data length register. The data flow control module controls the algorithm engine core module to perform the corresponding operation according to the algorithm type given by the instruction register, collects the operation result data computed by the algorithm engine core module, and passes it to the controller. Once the operation result data has reached the controller, the controller writes it to the corresponding location according to the previously configured operation result start address and, when the write-back is complete, issues an interrupt to notify the CPU. On receiving the interrupt, the CPU clears it and fetches the operation result data from the corresponding address.
In the several embodiments provided in the present application, it should be understood that the disclosed modules and units may be implemented in other ways. The structural embodiments described above are only illustrative. For example, the division into units is only a division by logical function; in an actual implementation there may be other ways of dividing them: multiple units or components may be combined or integrated into another system, or some features may be omitted or not executed. In addition, the mutual coupling, direct coupling or communication connections shown or discussed may be indirect couplings or communication connections through interfaces, systems or units, and may be electrical, mechanical or of other forms.
The units described as separate components may or may not be physically separate, and the components shown as units may or may not be physical units; that is, they may be located in one place or distributed over multiple network units. Some or all of the units may be selected according to actual needs to achieve the purpose of the solution of this embodiment.
In addition, the functional units in the embodiments of the present application may be integrated into one processing unit, may each exist physically on their own, or two or more units may be integrated into one unit.
Although the present application has been described in detail with reference to the accompanying drawings and in conjunction with the preferred embodiments, the present application is not limited thereto. Without departing from the spirit and essence of the present application, a person of ordinary skill in the art may make various equivalent modifications or substitutions to the embodiments of the present application, and these modifications or substitutions shall fall within the scope of the present application. Any change or substitution that a person skilled in the art can readily conceive within the technical scope disclosed in the present application shall be covered by the protection scope of the present application. Therefore, the protection scope of the present application shall be subject to the protection scope of the claims.

Claims (20)

  1. An encryption and decryption architecture, characterized in that it comprises: a controller, which is connected to the outside through a bus to communicate with the outside; a data flow control module, which is connected to the controller; an algorithm engine core module, which is connected to the data flow control module; and a register stack module, which is connected to the outside through a bus and is also connected to the data flow control module; wherein the algorithm engine core module performs encryption and decryption operations using the blocks of data to be operated on provided by the data flow control module and the key and initial vector required for the encryption and decryption operations configured in the register stack module, and feeds the operation result data of the encryption and decryption operations back to the data flow control module, and the data flow control module outputs the operation result data through the controller.
  2. The encryption and decryption architecture according to claim 1, characterized in that the algorithm engine core module internally integrates an SM4 algorithm engine and an AES algorithm engine, each of which can complete its own algorithm operations independently.
  3. The encryption and decryption architecture according to claim 2, characterized in that the SM4 algorithm engine internally includes an SM4 byte replacement unit, an SM4 encryption/decryption operation unit and an SM4 key expansion unit; the SM4 byte replacement unit performs the byte substitution operation, looking up a first lookup table to replace the input data, byte by byte, with the corresponding data and outputting the result; the SM4 encryption/decryption operation unit internally integrates a 32-stage pipelined round function, which allows input and output in a single clock cycle, and the round keys generated by the SM4 key expansion unit are used by the SM4 encryption/decryption operation unit; the AES algorithm engine integrates independent AES encryption/decryption operation units and AES key expansion units for the three algorithms AES-128, AES-192 and AES-256, an AES column confusion unit and an AES byte replacement unit; the AES byte replacement unit performs the byte substitution operation, looking up a second lookup table to replace the input data, byte by byte, with the corresponding data and outputting the result; and the AES column confusion unit multiplies the state matrix after row shifting by a fixed matrix to obtain the mixed state matrix, implementing the column confusion transformation.
  4. The encryption and decryption architecture according to claim 1, characterized in that the controller internally integrates a DMA register and a DMA read/write data flow control unit; the DMA register is connected to the AHB bus via an AHB slave interface; the DMA read/write data flow control unit is connected to the AHB bus via an AHB master interface and is connected to the data flow control module; and the DMA read/write data flow control unit obtains the data to be operated on over the AHB bus according to the configuration in the DMA register and transmits it to the data flow control module.
  5. The encryption and decryption architecture according to claim 1, characterized in that the register stack module is connected through an AHB slave interface to the externally connected AHB bus, and is connected to the data flow control module through an internal bus; the register stack module is configured with a first key register and a first initial vector register for the AES algorithm implemented by the algorithm engine core module, and with a second key register and a second initial vector register for the SM4 algorithm implemented by the algorithm engine core module; the register stack module is configured with multiple groups of channel status registers for recording the operation status; and the register stack module is configured with one group of instruction registers.
  6. The encryption and decryption architecture according to claim 4 or 5, characterized in that the AHB slave interfaces of the register stack module and the DMA register are connected via the AHB bus to a CPU provided with the corresponding AHB master interface.
  7. The encryption and decryption architecture according to claim 1, characterized in that the data flow control module includes an internal cache and a flow control unit; wherein the internal cache includes an input FIFO cache and an output FIFO cache, the input FIFO cache is used to buffer the data to be operated on that the controller reads over the bus, and the output FIFO cache is used to buffer the operation result data that the algorithm engine core module outputs for the data to be operated on; the flow control unit includes: a serial-to-parallel conversion logic circuit for serial-to-parallel conversion of the data in the input FIFO cache, a parallel-to-serial conversion logic circuit for parallel-to-serial conversion of the operation result data, an instruction decoder for decoding the instructions in the instruction register, an instruction parser for parsing instructions, a flow controller for controlling the controller's data reads and writes according to the buffering state of the internal cache, a data sending and recycling interface for interacting with the algorithm engine core module, a debug trace signal output interface, a state machine FSM state output interface and a channel status monitor connected to the register stack module, a data temporary register for temporarily storing data that amounts to less than one block of the data to be operated on, and a timeout detector for detecting whether data in the internal cache waiting to fill one block length has timed out.
  8. The encryption and decryption architecture according to claim 7, characterized in that the flow control unit implements a state machine (FSM); the FSM starts the corresponding algorithm engine of the algorithm engine core module according to the algorithm type; the FSM controls reading of the data in the input FIFO buffer, which, after serial-to-parallel conversion by the serial-to-parallel conversion logic circuit, is written through the data dispatch and retrieval interface into the algorithm engine core module for the encryption and decryption service operation; after the operation completes, the FSM obtains the operation result data, which is retrieved into the flow control unit through the data dispatch and retrieval interface and, after parallel-to-serial conversion, written into the output FIFO buffer to wait for the controller to read it from the output FIFO buffer.
  9. The encryption and decryption architecture according to claim 7, characterized in that, when the output FIFO buffer holds data, the flow controller requests the controller to read the output FIFO buffer and generates the read enable of the output FIFO buffer according to the controller's response signal; when the input FIFO buffer is not empty, the flow control unit generates a pulse to assert the read enable of the input FIFO buffer and reads the data in the input FIFO buffer; when the input FIFO buffer is full, the flow controller sends the DMA read/write data flow control unit of the controller a message to stop reading data in.
  10. The encryption and decryption architecture according to claim 7, characterized in that, when the data received by the flow control unit cannot make up one block, the data staging register temporarily stores the data that is less than one block, and when the flow control unit receives subsequent data, it extracts the staged data and combines it with the subsequent data into one block.
  11. An encryption and decryption control method, applied to the encryption and decryption architecture according to any one of claims 1 to 10, characterized in that it comprises:
    configuring the controller and the register file module;
    detecting whether the encryption and decryption architecture is idle; if it is idle, starting the controller, the controller obtaining the data to be operated on according to the controller's configuration and transmitting it to the data flow control module;
    the data flow control module determining the algorithm type according to the configuration of the register file module, the data flow control module controlling serial-to-parallel conversion of the data to be operated on and then writing it through the data dispatch and retrieval interface into the algorithm engine core module for the encryption and decryption service operation of the corresponding algorithm type; the data flow control module retrieving the operation result data of the algorithm engine core module and sending it, after parallel-to-serial conversion, to the controller, and the controller outputting the operation result data to the corresponding storage location according to the controller's configuration.
  12. The encryption and decryption control method according to claim 11, characterized in that configuring the controller comprises: configuring, among the DMA registers of the controller, the data start address register, the data length register, the data flag register, the operation result start address register and the DMA start register; the controller starts according to the start indication in the DMA start register, and obtains the data to be operated on over the bus according to the data start address in the data start address register and the data length in the data length register; when the operation ends, the controller, according to the address in the operation result start address register, writes the operation result data obtained from the data flow control module back to the corresponding storage address through the AHB master interface output channel.
  13. The encryption and decryption control method according to claim 11, characterized in that configuring the register file module comprises: configuring the first key register, the first initial vector register, the second key register, the second initial vector register and the instruction register of the register file module; the keys and initial vectors required by the SM4 algorithm and the AES algorithm are configured in the first key register, the first initial vector register, the second key register and the second initial vector register; the number of encryption and decryption operations, the algorithm type used, the algorithm mode and the algorithm start bit are configured in the instruction register.
  14. The encryption and decryption control method according to claim 11, characterized in that detecting whether the encryption and decryption architecture is idle comprises: the data flow control module is configured with a debug trace signal output interface, a state machine (FSM) state output interface and a channel status monitor connected to the channel status register in the register file module; the debug trace signal, the FSM state and the channel status are output to the channel status register; and the channel status monitor data in the channel status register is read to detect whether the encryption and decryption architecture is idle.
  15. The encryption and decryption control method according to claim 11, characterized in that the flow control unit of the data flow control module determines, based on the configuration of the register file module, whether the algorithm requires key expansion; if key expansion is required, key expansion is performed first and the encryption and decryption processing is performed afterwards.
  16. The encryption and decryption control method according to claim 10, characterized in that, when the output FIFO buffer holds data, the flow controller of the flow control unit of the data flow control module requests the controller to read the output FIFO buffer and generates the read enable of the output FIFO buffer according to the controller's response signal; when the input FIFO buffer is not empty, the flow control unit generates a pulse to assert the read enable of the input FIFO buffer and reads the data in the input FIFO buffer; when the input FIFO buffer is full, the flow controller sends the DMA read/write data flow control unit of the controller a message to stop reading data in.
  17. The encryption and decryption control method according to claim 10, characterized in that the flow control unit of the data flow control module divides the data to be operated on into blocks of the set data length, stages data that cannot form a complete block in the data staging register to wait for subsequent data, and uses the timeout detector to time the wait for block data.
  18. The encryption and decryption control method according to claim 17, characterized in that the flow control unit of the data flow control module monitors for errors during processing of the data to be operated on and of the keys, and for timeouts while waiting for block data, and generates the corresponding interrupts.
  19. A processor, characterized in that the processor is configured with the encryption and decryption architecture according to any one of claims 1 to 10.
  20. A server, characterized in that the server comprises: at least one CPU, and at least one processor configured with the encryption and decryption architecture according to any one of claims 1 to 10, the processor being connected to the CPU via an AHB bus.
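
A behavioural model in C of the partial-block staging and timeout detection described in claims 10, 17 and 18, added here as an illustration and not code from the patent. The 16-byte block length matches SM4 and AES; the 64-tick timeout, the `flow_ctrl` and `engine` names, and the policy of wiping the staged fragment on timeout are assumptions.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BLOCK_LEN     16u  /* SM4 and AES both use 128-bit blocks */
#define TIMEOUT_TICKS 64u  /* assumed; the claims give no value */
typedef struct {
    uint8_t  staged[BLOCK_LEN]; /* data staging register (partial block) */
    size_t   staged_len;        /* bytes held, always < BLOCK_LEN between calls */
    uint32_t wait_ticks;        /* timeout detector counter */
    int      irq_timeout;       /* latched timeout interrupt */
} flow_ctrl;
typedef struct { uint8_t out[64]; size_t n; } engine; /* stand-in for the engine core */

static void dispatch(engine *e, const uint8_t *blk) { /* hypothetical hand-off */
    if (e->n + BLOCK_LEN > sizeof e->out) return;     /* model only: drop when full */
    memcpy(e->out + e->n, blk, BLOCK_LEN);
    e->n += BLOCK_LEN;
}

/* Accept newly arrived bytes; returns the number of whole blocks handed off. */
size_t fc_feed(flow_ctrl *fc, engine *e, const uint8_t *data, size_t len) {
    size_t blocks = 0;
    if (len == 0) return 0;
    fc->wait_ticks = 0;                       /* new data restarts the timer */
    if (fc->staged_len > 0) {                 /* complete the staged fragment first */
        size_t need = BLOCK_LEN - fc->staged_len;
        size_t take = len < need ? len : need;
        memcpy(fc->staged + fc->staged_len, data, take);
        fc->staged_len += take; data += take; len -= take;
        if (fc->staged_len < BLOCK_LEN) return 0; /* still short: keep waiting */
        dispatch(e, fc->staged); blocks++;
        fc->staged_len = 0;
    }
    for (; len >= BLOCK_LEN; data += BLOCK_LEN, len -= BLOCK_LEN, blocks++)
        dispatch(e, data);
    memcpy(fc->staged, data, len);            /* stage the tail (may be 0 bytes) */
    fc->staged_len = len;
    return blocks;
}

/* One timer tick; returns 1 when the timeout interrupt fires. */
int fc_tick(flow_ctrl *fc) {
    if (fc->staged_len == 0 || ++fc->wait_ticks < TIMEOUT_TICKS) return 0;
    memset(fc->staged, 0, sizeof fc->staged); /* assumed policy: wipe the fragment */
    fc->staged_len = 0; fc->wait_ticks = 0; fc->irq_timeout = 1;
    return 1;
}

int main(void) {
    static const uint8_t msg[40] = "constructed sample: forty bytes of data";
    flow_ctrl fc = {0}; engine e = {{0}, 0};
    size_t a = fc_feed(&fc, &e, msg, 21), b = fc_feed(&fc, &e, msg + 21, 19);
    printf("blocks: %zu then %zu, staged bytes: %zu\n", a, b, fc.staged_len);
    return 0;
}
```

Raising an interrupt on timeout, rather than padding and encrypting the fragment silently, leaves the decision about an incomplete final block to the software that configured the transfer.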
PCT/CN2023/128627 2022-11-28 2023-10-31 Encryption and decryption architecture, method, processor, and server WO2024114264A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN202211496168.7A CN115549911B (en) 2022-11-28 2022-11-28 Encryption and decryption system, method, processor and server
CN202211496168.7 2022-11-28

Publications (1)

Publication Number Publication Date
WO2024114264A1 (en) 2024-06-06

Family

ID=84722599

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2023/128627 WO2024114264A1 (en) 2022-11-28 2023-10-31 Encryption and decryption architecture, method, processor, and server

Country Status (2)

Country Link
CN (1) CN115549911B (en)
WO (1) WO2024114264A1 (en)

Families Citing this family (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN115549911B (en) * 2022-11-28 2023-03-14 苏州浪潮智能科技有限公司 Encryption and decryption system, method, processor and server
CN115994106B (en) * 2023-02-17 2023-09-05 广州万协通信息技术有限公司 Mass data encryption and decryption method, data security device and electronic equipment
CN116070292B (en) * 2023-03-07 2023-06-16 苏州宏存芯捷科技有限公司 SM4 encryption heterogeneous acceleration system based on FPGA
CN116204911B (en) * 2023-04-27 2023-08-04 苏州浪潮智能科技有限公司 Encryption and decryption system, encryption and decryption control method, computer device and storage medium

Also Published As

Publication number Publication date
CN115549911A (en) 2022-12-30
CN115549911B (en) 2023-03-14
