CN101827107A - IEEE802.1AE protocol-based GCM high-speed encryption and decryption equipment - Google Patents

Abstract

The invention discloses IEEE802.1AE protocol-based galois/counter mode (GCM) high-speed encryption and decryption equipment. The encryption and decryption equipment comprises an information extraction module, an advanced encryption standard (AES) module and a Ghash module, wherein the information extraction module is used for extracting a safety protocol key, a safety channel identifier, a data packet number, a destination address and a source address from the input data, converting the safety protocol key, the safety channel identifier, the data packet number, the destination address and the source address into a corresponding primary key K, an initial vector IV, additional information A and a plain text P/cipher text C and transmitting the data to the AES module; the AES module finishes the encryption/decryption of the data and outputs the cipher text/plain text; and the Ghash module generates an authentication tag T through a Ghash function according to the additional information A and the cipher text C. The high-speed encryption and decryption equipment can process a plurality of groups of data at the same time without previously determining the total number of the grouped data to be processed and has high processing speed and low complexity of the hardware.

Description

A kind of GCM high-speed encryption and decryption device based on the IEEE802.1AE agreement

Technical field

The present invention relates to a kind of high-speed encryption and decryption device, specifically a kind of GCM high-speed encryption and decryption device that is applicable to the IEEE802.1AE agreement.

Background technology

IEEE802.1AE medium access control safety (MACsec) agreement of announcing in May, 2005 provides encapsulation and has encrypted framework for the Ethernet protection; it is integrated into safeguard protection in the wired ethernet; by the unauthorized website on the identification local area network (LAN), the protection local area network (LAN) is not subjected to the attack of passive wiring, personation, go-between and some denial of service etc.

GCM (Galois/Counter Mode) is the authenticated encryption pattern of a high speed, uses CTR (Counter) pattern of AES (Advanced Encryption Sandard) respectively and is defined in GF (2 ¹²⁸) Ghash function on the territory, produce ciphertext and authenticating tag simultaneously.The IEEE802.1AE agreement adopts the GCM algorithm that frame is carried out the enciphering/deciphering processing and completeness check is handled, and ensures communication safety better.

When the GCM algorithm is encrypted data, four input signals are arranged: encryption key K, initialization vector IV, expressly P, and additional authentication information A; Two output signal: ciphertext C are arranged and differentiate sign T.P and A are pressed 128 groupings, be designated as respectively: P1, P2, P3 ..., P (n-1), Pn ^*And A1, A2, A3 ..., A (m-1), Am ^*Wherein, Pn ^*And Am ^*Length be respectively u and v (1≤u, v≤128); Other block length is all 128.

The definition of GCM cryptographic algorithm as the formula (1).

Wherein, || the expression serial data connects; Len () returns the serial data length of 64-bit; E (K, Y) expression is carried out the AES enciphering/deciphering with key K to Y; Function incr () is that minimum 32 with parameter regard a unsigned number as, and it is added 1 back and delivery 2 ³²

The definition of GCM decipherment algorithm as the formula (2).

Comparison expression (1), (2) as can be known, the GCM decipher circuit can be multiplexing.

The GHASH function definition is: GHASH (H, A, C)=and Xm+n+1, and Xi, i=0 ... m+n+1 is as the formula (3).

$X_i=\left\{\begin{array}{cc}0,& i=0\\ (X_{i-1}\⊕A_i)\·H,& i=1,...m-1\\ (X_{m-1}\⊕\left(A_m^{*}\right|\left|0^{128-v}\right))\·H,& i=m\\ (X_{i-1}\⊕C_{i-m})\·H,& i=m+1,...m+n-1\\ (X_{m+n-1}\⊕\left(C_n^{*}\right|\left|0^{128-u}\right))\·H,& i=m+n\\ (X_{m+n}\⊕\left(\mathrm{len}\left(A\right)\right|\left|\mathrm{len}\left(C\right)\right))\·H,& i=m+n+1\end{array}\right.---\left(3\right)$

Multiplication is to be defined in GF (2 ¹²⁸) on computing, the reduction multinomial is formula (4).

P(α)＝1+α+α ²+α ⁷+α ¹²⁸ (4)

The computing of GHASH function is an iterative process, and order is carried out and taken advantage of add operation, and multiplier unit has bigger time-delay, is the bottleneck that improves throughput.So still lacking the high speed GCM hardware that is applicable to the IEEE802.1AE agreement at present realizes.

2007, Satoh A designed a GCM encryption equipment.In the GHASH modular design a kind of parallel adder and multiplier, make the throughput of GCM break through 100Gbps, reach 162.56Gbps (0.13 μ m technology), be the best design of delivering at present of performance.Yet further research can find that the GCM hardware configuration of this design can not be applicable to the IEEE802.1AE agreement.Because Ghash module that should design such as will determine at pending grouped data sum when transfer of data begins, controlling the concurrent operation process, the actual conditions of this and data transmission procedure are not inconsistent.

Summary of the invention

The purpose of this invention is to provide a kind of GCM high-speed encryption and decryption device based on the IEEE802.1AE agreement, this encryption and decryption device adopts novel parallel adder and multiplier, can handle multi-group data simultaneously, and pending grouped data sum such as does not need to pre-determine.Data processing speed of the present invention is fast, hardware complexity is low.

Goal of the invention of the present invention is achieved through the following technical solutions:

A kind of GCM high-speed encryption and decryption device based on the IEEE802.1AE agreement is characterized in that: this GCM high-speed encryption and decryption device comprises information extraction modules, AES module and Ghash module; Information extraction modules is used for from input extracting data security protocol key, escape way sign, packet numbers, destination address and source address, and according to the corresponding initial key K of different working mode change one-tenth, initial vector IV, additional information A and plaintext P/ ciphertext C, and transfer data to the AES module; The AES module is finished the data enciphering/deciphering, and the output ciphertext/expressly; The Ghash module produces discriminating sign T according to additional information A and ciphertext C by the Ghash function.

Among the present invention, the Ghash module adopts parallel adder and multiplier, handles multi-group data simultaneously, pending grouped data sum such as does not need to pre-determine; During Ghash function input (pq+n) group data, the expression formula of output Xpq+n is applicable to that promptly the parallel adder and multiplier expression formula of novel q degree of IEEE802.1AE agreement is as follows:

$X_{\mathrm{pq}+n}=(L(((A_1{H}^q\⊕A_2{H}^{q-1}\⊕L\⊕A_{q}H)\⊕$

$A_{q+1})H^q\⊕A_{q+2}{H}^{q-1}\⊕L\⊕A_{2q}H)\⊕$

$L$

$A_{(p-1)q+1})H^q\⊕A_{(p-1)q+2}{H}^{q-1}\⊕L\⊕A_{\mathrm{pq}}H)\⊕$

$A_{\mathrm{pq}+1})H^n\⊕A_{\mathrm{pq}+2}{H}^{n-1}\⊕L\⊕A_{\mathrm{pq}+n}H$

P wherein, q, n are positive integer, 1≤n≤q.

Among the present invention, described AES module comprises cipher key expansion module and AES enciphering/deciphering module; Wherein, AES enciphering/deciphering module adopts Fully-pipelined structure, and the inner loop of this process is all launched, insert a level production line at every repeating query interannular, have streamline between 10 step cones, every level production line inside is adopted 6 grades of sub-pipeline organizations again simultaneously, amounts to comprise 60 level production lines; Cipher key expansion module is the loop unrolling structure.

Ghash modular design among the present invention a kind of novel parallel adder and multiplier, can handle multi-group data simultaneously, and pending grouped data sum such as not need to pre-determine.For further improving enciphering/deciphering speed, AES enciphering/deciphering module has adopted Fully-pipelined structure.In addition, constantly change in order to support each clock cycle of key, cipher key expansion module has designed the loop unrolling structure among the AES.The present invention has at a high speed, the characteristics of low hardware complexity.

Method for designing of the present invention is applicable in the similar high speed circuit design; If adopt multichannel technology, throughput of the present invention is expected to be further enhanced.

Description of drawings

Fig. 1 is a structured flowchart of the present invention;

Fig. 2 is the circuit structure diagram of AES enciphering/deciphering module among the present invention;

Fig. 3 is the circuit structure diagram of cipher key expansion module among the present invention;

Fig. 4 is the circuit structure diagram (q=2) of Ghash module among the present invention;

Fig. 5 (a) is five input instance graphs of Ghash module among the present invention to Fig. 5 (c);

Fig. 6 is a circuit structure diagram of the present invention.

Embodiment

A kind of GCM high-speed encryption and decryption device based on the IEEE802.1AE agreement of the present invention, Fig. 1 is a structured flowchart of the present invention.This encryption and decryption device comprises information extraction modules 1, AES module 2 and Ghash module 5, and wherein AES module 2 comprises cipher key expansion module 3 and AES enciphering/deciphering module 4 again.Information extraction modules 1 is used for from input extracting data security protocol key, escape way sign, packet numbers, destination address and source address, and becomes corresponding initial key K, initial vector IV, additional information A and plaintext P/ ciphertext C according to different working mode change.AES module 2 is finished the data enciphering/deciphering, the output ciphertext/expressly.Ghash module 5 produces discriminating sign T according to additional information A and ciphertext C by the Ghash function.

To introduce the hardware designs of AES module 2 and Ghash module 5 and the overall hardware of GCM below respectively realizes.

AES enciphering/deciphering module is used for realizing GCM-128 enciphering/deciphering function, imports 128 plain/cipher text, 128 ciphertexts of process enciphering/deciphering output/expressly.The GCM-128 encryption/decryption algorithm is shown in expression formula (1) and (2).

For further improving enciphering/deciphering speed, AES enciphering/deciphering module of the present invention has adopted Fully-pipelined structure, as shown in Figure 2.The inner loop of this process is all launched, insert a level production line at every repeating query interannular, have streamline between 10 step cones, every level production line inside is adopted 6 grades of sub-pipeline organizations again simultaneously, total comprises 60 grades of flowing water, can handle 60 groups of data simultaneously at most, adds the one-period that initial round key adds, through after initial 61 clock cycle, each clock can both be exported 1 group 128 ciphertext/expressly.

The cipher key expansion module input initial key K of AES exports 11 groups 128 round key (comprising initial key K) through cipher key spreading.

Because in network transmission process, each user data may use different key K.Cipher key expansion module of the present invention has designed the loop unrolling structure, to support each clock cycle of key constantly to change.As shown in Figure 3, this structure comprises 11 key expansion unit, AES enciphering/deciphering module has also comprised identical flowing water design, guaranteed that two modules can coordinate computing at a high speed, 9 grades of key expansion unit of the zero level to the of cipher key expansion module have identical structure, and the structure of the 10th grade of key expansion unit with preceding 10 grades different.Wherein, SubBytes represents 4 byte datas are carried out the computing of S box; ShiftLeft is with one of each byte data ring shift left.

Initial key K of each clock cycle input of cipher key expansion module, through after initial 61 clock cycle, each clock can both be exported 11 groups 128 key, has guaranteed the AES module when key K constantly changes, still can high speed operation.

The computing of Ghash function is an iterative process, and order is carried out and taken advantage of add operation, shown in expression formula (3).And multiplier unit has bigger time-delay, is the bottleneck that improves throughput.The key that improves Ghash functional operation speed is to adopt parallel multiplying alternate orders computing.

Existing parallel adder and multiplier is not suitable for the IEEE802.1AE agreement, because adopt the Ghash module of this parallel adder and multiplier, pending grouped data sum such as will determine when transfer of data begins, with control concurrent operation process, the actual conditions of this and data transmission procedure are not inconsistent.At this point, the present invention has designed a kind of novel parallel adder and multiplier, can be applicable to the IEEE802.1AE agreement fully.

Earlier the formula (3) with the Ghash function launches, and shown in expression formula (6), Xi no longer is variable expression but constant expression, for concurrent operation provides may.

$\left.\begin{array}{c}{\mathrm{<figure-callout\; id="0"\; label="X"\; filenames="HSA00000115209700021.png,HSA00000115209700022.png"\; state="\{\{state\}\}">X</figure-callout>}}_0=0\\ {\mathrm{<figure-callout\; id="1"\; label="X"\; filenames="HSA00000115209700011.png,HSA00000115209700012.png"\; state="\{\{state\}\}">X</figure-callout>}}_1=({\mathrm{<figure-callout\; id="0"\; label="X"\; filenames="HSA00000115209700021.png,HSA00000115209700022.png"\; state="\{\{state\}\}">X</figure-callout>}}_0\&CirclePlus;A_1)\&CenterDot;H=A_1\&CenterDot;\mathrm{<figure-callout\; id="2"\; label="H\; X"\; filenames="HSA00000115209700011.png,HSA00000115209700022.png"\; state="\{\{state\}\}">H</figure-callout>}& \\ X_{}{}_2=({\mathrm{<figure-callout\; id="1"\; label="X"\; filenames="HSA00000115209700011.png,HSA00000115209700012.png"\; state="\{\{state\}\}">X</figure-callout>}}_1\&CirclePlus;A_2)\&CenterDot;H=A_1\&CenterDot;{\mathrm{<figure-callout\; id="2"\; label="H"\; filenames="HSA00000115209700011.png,HSA00000115209700022.png"\; state="\{\{state\}\}">H</figure-callout>}}^2\&CirclePlus;A_2\&CenterDot;H\\ M\\ X_i=(X_{i-1}\&CirclePlus;A_i)\&CenterDot;H=A_1\&CenterDot;H^i\&CirclePlus;{\mathrm{<figure-callout\; id="2"\; label="A"\; filenames="HSA00000115209700011.png,HSA00000115209700022.png"\; state="\{\{state\}\}">A</figure-callout>}}_2\&CenterDot;H^{i-1}\&CirclePlus;L\&CirclePlus;A_i\&CenterDot;H,i<m\\ M\end{array}\right\}---\left(6\right)$

Can further be summed up by formula (6), during Ghash function input (pq+n) group data, the expression formula of output Xpq+n is formula (5), p wherein, and q, n are positive integer, 1≤n≤q.

Can design a kind of parallel adder and multiplier of novel q degree of the IEEE802.1AE of being applicable to agreement by formula (5).With q=2 is example, the circuit structure of Ghash module as shown in Figure 4, this structure designs at actual conditions, pending grouped data sum such as do not need to pre-determine, as long as one group of data of last input are judged, the control logic of concurrent operation process is simple: if import two data at last, then MUX1 exports H2, and MUX2 exports H; If have only data, then MUX1 exports H, MUX2 output 0.

When Fig. 5 is 5 data A1-A5 of input, Ghash module five input instance graphs.Among Fig. 5 (a), import two data A1, A2, MUX1 gets H2, MUX2 gets H, through two cycles output X2 suc as formula (7a); X2 and input data A3 make XOR, and the result deposits register Reg1 in, and A4 deposits register Reg2 in, and MUX1 gets H2, and MUX2 gets H, through two cycles output X4 suc as formula (7b), shown in Fig. 5 (b); Import one 128 bit data A5 at last, MUX1 gets H, and MUX2 gets 0, through two cycles output X5 suc as formula (7c), shown in Fig. 5 (c).

$\left\{\begin{array}{cc}{\mathrm{<figure-callout\; id="2"\; label="X"\; filenames="HSA00000115209700011.png,HSA00000115209700022.png"\; state="\{\{state\}\}">X</figure-callout>}}_2={\mathrm{<figure-callout\; id="1"\; label="A"\; filenames="HSA00000115209700011.png,HSA00000115209700012.png"\; state="\{\{state\}\}">A</figure-callout>}}_1\&CenterDot;{\mathrm{<figure-callout\; id="2"\; label="H"\; filenames="HSA00000115209700011.png,HSA00000115209700022.png"\; state="\{\{state\}\}">H</figure-callout>}}^2\&CirclePlus;{\mathrm{<figure-callout\; id="2"\; label="A"\; filenames="HSA00000115209700011.png,HSA00000115209700022.png"\; state="\{\{state\}\}">A</figure-callout>}}_2\&CenterDot;H& \left(7a\right)\\ {\mathrm{<figure-callout\; id="4"\; label="X"\; filenames="HSA00000115209700011.png"\; state="\{\{state\}\}">X</figure-callout>}}_4=({\mathrm{<figure-callout\; id="2"\; label="X"\; filenames="HSA00000115209700011.png,HSA00000115209700022.png"\; state="\{\{state\}\}">X</figure-callout>}}_2\&CirclePlus;A_3)\&CenterDot;{\mathrm{<figure-callout\; id="2"\; label="H"\; filenames="HSA00000115209700011.png,HSA00000115209700022.png"\; state="\{\{state\}\}">H</figure-callout>}}^2\&CirclePlus;A_4\&CenterDot;H={\mathrm{<figure-callout\; id="1"\; label="A"\; filenames="HSA00000115209700011.png,HSA00000115209700012.png"\; state="\{\{state\}\}">A</figure-callout>}}_1\&CenterDot;{\mathrm{<figure-callout\; id="4"\; label="H"\; filenames="HSA00000115209700011.png"\; state="\{\{state\}\}">H</figure-callout>}}^4\&CirclePlus;A_2\&CenterDot;{\mathrm{<figure-callout\; id="3"\; label="H"\; filenames="HSA00000115209700011.png"\; state="\{\{state\}\}">H</figure-callout>}}^3\&CirclePlus;A_3\&CenterDot;{\mathrm{<figure-callout\; id="2"\; label="H"\; filenames="HSA00000115209700011.png,HSA00000115209700022.png"\; state="\{\{state\}\}">H</figure-callout>}}^2\&CirclePlus;{\mathrm{<figure-callout\; id="4"\; label="A"\; filenames="HSA00000115209700011.png"\; state="\{\{state\}\}">A</figure-callout>}}_4\&CenterDot;H& \left(7b\right)\\ {\mathrm{<figure-callout\; id="5"\; label="X"\; filenames="HSA00000115209700011.png"\; state="\{\{state\}\}">X</figure-callout>}}_5=({\mathrm{<figure-callout\; id="4"\; label="X"\; filenames="HSA00000115209700011.png"\; state="\{\{state\}\}">X</figure-callout>}}_4\&CirclePlus;A_5)\&CenterDot;H={\mathrm{<figure-callout\; id="1"\; label="A"\; filenames="HSA00000115209700011.png,HSA00000115209700012.png"\; state="\{\{state\}\}">A</figure-callout>}}_1\&CenterDot;{\mathrm{<figure-callout\; id="5"\; label="H"\; filenames="HSA00000115209700011.png"\; state="\{\{state\}\}">H</figure-callout>}}^5\&CirclePlus;{\mathrm{<figure-callout\; id="2"\; label="A"\; filenames="HSA00000115209700011.png,HSA00000115209700022.png"\; state="\{\{state\}\}">A</figure-callout>}}_2\&CenterDot;{\mathrm{<figure-callout\; id="4"\; label="H"\; filenames="HSA00000115209700011.png"\; state="\{\{state\}\}">H</figure-callout>}}^4\&CirclePlus;A_3\&CenterDot;{\mathrm{<figure-callout\; id="3"\; label="H"\; filenames="HSA00000115209700011.png"\; state="\{\{state\}\}">H</figure-callout>}}^3\&CirclePlus;A_4\&CenterDot;{\mathrm{<figure-callout\; id="2"\; label="H"\; filenames="HSA00000115209700011.png,HSA00000115209700022.png"\; state="\{\{state\}\}">H</figure-callout>}}^2\&CirclePlus;{\mathrm{<figure-callout\; id="5"\; label="A"\; filenames="HSA00000115209700011.png"\; state="\{\{state\}\}">A</figure-callout>}}_5\&CenterDot;H& \left(7c\right)\end{array}\right.$

Adopt Synopsys DC instrument to carry out logic synthesis, the critical path time-delay that draws multiplier among the present invention is the twice of AES module approximately.Therefore Ghash module of the present invention adopts the parallel structure of two degree among Fig. 4, and two multiplier unit concurrent workings reduce by half the critical path time-delay of Ghash module, balance the critical path time-delay of Ghash module and AES module, improved circuit speed.Each clock of GCM is imported one group of data, first row cache, and through two clock cycle input Ghash modules, two clock cycle of the multiplier unit among the Ghash are finished multiplication operation, thereby have broken through the restriction of the bigger time-delay of multiplier unit to speed.According to the above analysis, when carrying out logic synthesis with DC, notice that the multicycle route method is adopted in the multiplication path in the Ghash module, promptly two clock cycle are finished multiplication operation.

In sum, based on the GCM high-speed encryption and decryption device of IEEE802.1AE agreement, its integrated circuit structure comprises cipher key expansion module (KEYEXP) as shown in Figure 6, AES enciphering/deciphering module (Enc/Dec) and the parallel Ghash module of two degree.128 register Y is as counter, and each clock cycle adds 1.When the length of last group data less than 128 the time, 128 register MASK is used for data mask.Reg1, Reg2 are that the degree of depth is 128 register, the data that each clock cycle input is 128, and Reg1, two clock cycle such as Reg2 are filled with 128 bit data successively; After if the data that input earlier is 128 deposit Reg1 in, wait a clock cycle not have data input, then Reg2 zero setting; If discontented 128 of input data are then added 0 polishing.

The present invention uses Fujitsu 0.13 μ m 1.2V 1P8M CMOS technology library to carry out logic synthesis, and obtaining clock frequency is 764.5MHz, and maximum throughput rate is 97.9Gbps, and area is the 547K door.Introduce the hardware efficiency performance parameter, be defined as follows:

Hardware efficiency of the present invention is the 178.9Kbps/ door, and the design hardware efficiency more best than the performance of delivering at present is slightly high.The present invention adopts novel parallel adder and multiplier, can handle multi-group data simultaneously, and pending grouped data sum such as does not need to pre-determine.For further improving enciphering/deciphering speed, AES enciphering/deciphering module has adopted Fully-pipelined structure.In addition, constantly change in order to support each clock cycle of key, cipher key expansion module has designed the loop unrolling structure among the AES.The present invention has at a high speed, the characteristics of low hardware complexity.

Method for designing of the present invention is applicable in the similar high speed circuit design; If adopt multichannel technology, throughput of the present invention is expected to be further enhanced.

Claims (3)

1. GCM high-speed encryption and decryption device based on the IEEE802.1AE agreement, it is characterized in that: this GCM high-speed encryption and decryption device comprises information extraction modules (1), AES module (2) and Ghash module (5); Information extraction modules (1) is used for from input extracting data security protocol key, escape way sign, packet numbers, destination address and source address, and according to the corresponding initial key K of different working mode change one-tenth, initial vector IV, additional information A and plaintext P/ ciphertext C, and transfer data to AES module (2); AES module (2) is finished the data enciphering/deciphering, and the output ciphertext/expressly; Ghash module (5) produces discriminating sign T according to additional information A and ciphertext C by the Ghash function.

2. a kind of GCM high-speed encryption and decryption device based on the IEEE802.1AE agreement according to claim 1 is characterized in that: Ghash module (5) adopts parallel adder and multiplier, handles multi-group data simultaneously, pending grouped data sum such as does not need to pre-determine; During Ghash function input (pq+n) group data, the expression formula of output Xpq+n is applicable to that promptly the parallel adder and multiplier expression formula of novel q degree of IEEE802.1AE agreement is as follows:

$X_{\mathrm{pq}+n}=(L(((A_1{H}^q\&CirclePlus;A_2{H}^{q-1}\&CirclePlus;L\&CirclePlus;A_{q}H)\&CirclePlus;$

$A_{q+1})H^q\&CirclePlus;A_{q+2}{H}^{q-1}\&CirclePlus;L\&CirclePlus;A_{2q}H)\&CirclePlus;$

$L$

$A_{(p-1)q+1})H^q\&CirclePlus;A_{(p-1)q+2}{H}^{q-1}\&CirclePlus;L\&CirclePlus;A_{\mathrm{pq}}H)\&CirclePlus;$

$A_{\mathrm{pq}+1})H^n\&CirclePlus;A_{\mathrm{pq}+2}{H}^{n-1}\&CirclePlus;L\&CirclePlus;A_{\mathrm{pq}+n}H$

P wherein, q, n are positive integer, 1≤n≤q.

3. a kind of GCM high-speed encryption and decryption device according to claim 1 based on the IEEE802.1AE agreement, it is characterized in that: described AES module (2) comprises cipher key expansion module (3) and AES enciphering/deciphering module (4); Wherein, AES enciphering/deciphering module (4) adopts Fully-pipelined structure, and the inner loop of this process is all launched, insert a level production line at every repeating query interannular, have streamline between 10 step cones, every level production line inside is adopted 6 grades of sub-pipeline organizations again simultaneously, amounts to comprise 60 level production lines; Cipher key expansion module (3) is the loop unrolling structure.

Images