WO2004112309A1 - Rijndael block cipher apparatus and encryption/decryption method thereof - Google Patents

Info

Publication number
WO2004112309A1
Authority
WO
WIPO (PCT)
Prior art keywords
bit
round
key
bit data
inverse
Prior art date
Application number
PCT/KR2004/001296
Other languages
French (fr)
Other versions
WO2004112309B1 (en)
Inventor
Yun Kyung Lee
Young Soo Park
Young Sae Kim
Sang Woo Lee
Sung Ik Jun
Original Assignee
Electronics And Telecommunications Research Institute
Priority date
Filing date
Publication date
Priority claimed from KR1020030064737A (KR100710455B1)
Application filed by Electronics And Telecommunications Research Institute
Priority to JP2006516910A (JP2006527865A)
Priority to CN2004800224469A (CN1833399B)
Priority to US10/560,220 (US7688974B2)
Publication of WO2004112309A1
Publication of WO2004112309B1

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/06 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols the encryption apparatus using shift registers or memories for block-wise or stream coding, e.g. DES systems or RC4; Hash functions; Pseudorandom sequence generators
    • H04L9/0618 Block ciphers, i.e. encrypting groups of characters of a plain text message using fixed encryption transformation
    • H04L9/0631 Substitution permutation network [SPN], i.e. cipher composed of a number of stages or rounds each involving linear and nonlinear transformations, e.g. AES algorithms
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L2209/00 Additional information or applications relating to cryptographic mechanisms or cryptographic arrangements for secret or secure communication H04L9/00
    • H04L2209/12 Details relating to cryptographic hardware or logic circuitry
    • H04L2209/122 Hardware reduction or efficient architectures

Definitions

  • the present invention relates generally to a Rijndael block cipher apparatus and an encryption/decryption method thereof, and more particularly to a Rijndael block cipher apparatus which is mounted in a cellular phone, PDA, smart card, and so on, and which can encrypt and decrypt important data that requires security at high speed, and an encryption/decryption method thereof.
  • The Rijndael algorithm is a symmetric secret-key encryption algorithm that was developed by Joan Daemen and Vincent Rijmen, who are Belgian encryption developers, and then selected as a new AES (Advanced Encryption Standard) by the American NIST (National Institute of Standards and Technology) in October 2000 or thereabouts.
  • substitution-Permutation Network structure, and enables the use of 128-bit, 192-bit, and 256-bit keys with respect to respective block lengths.
  • the number of rounds in the Rijndael algorithm is determined by key lengths, and in the case of using the 128-bit block, it is recommended to use 10, 12 and 14 rounds with respect to the 128-bit, 192-bit and 256-bit keys, respectively.
  • the encryption process of a Rijndael block cipher is different from the decryption process thereof.
  • a round operation for the encryption process of the Rijndael block cipher is composed of four transforms of substitution, shift_row, mixcolumn and add-round-key
  • a round operation for the decryption process is composed of four transforms of inverse shift_row, inverse substitution, add-round-key and inverse mixcolumn.
  • times required for the round operation for the Rijndael block cipher and hardware resources to be used differ, and further the method of performing the transform is vital to the performance of a Rijndael cipher processor. Accordingly, it is important to reduce the amount of hardware resource required for the implementation of the round operation and the time required for performing the round operation.
  • a Rijndael block cipher apparatus including an operational unit that efficiently performs a round operation for encrypting/decrypting the Rijndael block cipher and an encryption/decryption method thereof.
  • It is an object of the present invention to solve the problems involved in the prior art and to provide a Rijndael block cipher apparatus which is mounted in a mobile terminal such as a cellular phone and a PDA or a smart card, which requires a high-rate and small-sized cipher processor, and which can encrypt and decrypt important data that requires security at high speed, and an encryption/decryption method thereof.
  • a Rijndael block cipher apparatus comprises a round operation unit for transforming a 128-bit input key into a 128-bit round key for encryption or decryption, and storing the 128-bit round key according to a value of a mode signal from a time when a round operation start signal, a round number signal and a bit selection signal for dividing the 128-bit input data into upper 64 bits and lower 64 bits and selecting the upper or lower 64 bits are inputted after an encryption or decryption operation start signal and the mode signal are inputted, encrypting the 128-bit input data by dividing the 128-bit input data into the upper 64 bits and the lower 64 bits and by performing a round operation which is composed of transforms of shift_row, substitution, mixcolumn and add-round-key with respect to the divided upper 64 bits and lower 64 bits, respectively, and decrypting the 128-bit input data by dividing the
  • a Rijndael block encryption method comprises the steps of: if a four-clock round operation start signal and a round number signal are inputted from a round operation control unit after an encryption or decryption operation start signal and a mode signal are inputted through a bus, a round key generation unit of a round operation unit transforming a 128-bit input key into a 128-bit round key for encryption in accordance with a value of the mode signal inputted through the bus from a time when a first clock of the round operation start signal becomes '1', and storing the 128-bit round key in an internal 128-bit round key register; if the four-clock round operation start signal and a bit selection signal are inputted from the round operation control unit, a shift/inverse-shift_row transform unit performing a byte-shift of upper 64-bit data of 128-bit input data inputted through the bus and outputting the byte-shifted upper 64-bit data
  • a Rijndael block decryption method comprises the steps of: if a four-clock round operation start signal and a round number signal are inputted from a round operation control unit after an encryption or decryption operation start signal and a mode signal are inputted through a bus, a round key generation unit of a round operation unit transforming a 128-bit input key into a 128-bit round key for decryption in accordance with a value of the mode signal inputted through the bus from a time when a first clock of the round operation start signal becomes '1', and storing the 128-bit round key in an internal 128-bit round key register; if the four-clock round operation start signal and a bit selection signal are inputted from the round operation control unit, a shift/inverse-shift_row transform unit performing a byte-inverse-shift of upper 64-bit data of 128-bit input data inputted through the bus and outputting
  • a Rijndael block encryption method comprises the steps of: if a three-clock round operation start signal and a round number signal are inputted from a round operation control unit after an encryption or decryption operation start signal and a mode signal are inputted through a bus, a round key generation unit of a round operation unit transforming a 128-bit input key into a 128-bit round key for encryption in accordance with a value of the mode signal inputted through the bus from a time when a first clock of the round operation start signal becomes '1', and storing the 128-bit round key in an internal 128-bit round key register; if the three-clock round operation start signal and a bit selection signal are inputted from the round operation control unit, a shift/inverse-shift_row transform unit performing a byte-shift of upper 64-bit data of 128-bit input data inputted through the bus and outputting the byte-shifted upper 64-bit
  • a Rijndael block decryption method comprises the steps of: if a three-clock round operation start signal and a round number signal are inputted from a round operation control unit after an encryption or decryption operation start signal and a mode signal are inputted through a bus, a round key generation unit of a round operation unit transforming a 128-bit input key into a 128-bit round key for decryption in accordance with a value of the mode signal inputted through the bus from a time when a first clock of the round operation start signal becomes '1', and storing the 128-bit round key in an internal 128-bit round key register; if the three-clock round operation start signal and a bit selection signal are inputted from the round operation control unit, a shift/inverse-shift_row transform unit performing a byte-inverse-shift of upper 64-bit data of 128-bit input data inputted through the bus, and out
  • a Rijndael block encryption method comprises the steps of: if a two-clock round operation start signal and a round number signal are inputted from a round operation control unit after an encryption or decryption operation start signal and a mode signal are inputted through a bus, a round key generation unit of a round operation unit transforming a 128-bit input key into a 128-bit round key for encryption in accordance with a value of the mode signal inputted through the bus from a time when a first clock of the round operation start signal becomes '1', and storing the 128-bit round key in an internal 128-bit round key register; if the two-clock round operation start signal and a bit selection signal are inputted from the round operation control unit, a shift/inverse-shift_row transform unit performing a byte-shift of upper 64-bit data of 128-bit input data inputted through the bus and outputting the byte-shifted upper 64-bit
  • a Rijndael block decryption method comprises the steps of: if a two-clock round operation start signal and a round number signal are inputted from a round operation control unit after an encryption or decryption operation start signal and a mode signal are inputted through a bus, a round key generation unit of a round operation unit transforming a 128-bit input key into a 128-bit round key for decryption in accordance with a value of the mode signal inputted through the bus from a time when a first clock of the round operation start signal becomes '1', and storing the 128-bit round key in an internal 128-bit round key register; if the two-clock round operation start signal and a bit selection signal are inputted from the round operation control unit, a shift/inverse-shift_row transform unit performing a byte-inverse-shift of upper 64-bit data of 128-bit input data inputted through the bus, and out
  • FIG. 1 is a view illustrating the construction of a Rijndael block cipher apparatus according to the present invention.
  • FIG. 2 is a view illustrating the construction of a round operation unit.
  • FIG. 3 is a view illustrating the construction of a round key generation unit.
  • FIG. 4 is a first timing diagram illustrating a method of encrypting a Rijndael block cipher according to the present invention.
  • FIG. 5 is a first timing diagram illustrating a method of decrypting a Rijndael block cipher according to the present invention.
  • FIG. 6 is a second timing diagram illustrating a method of encrypting a Rijndael block cipher according to the present invention.
  • FIG. 7 is a second timing diagram illustrating a method of decrypting a Rijndael block cipher according to the present invention.
  • FIG. 8 is a third timing diagram illustrating a method of encrypting a Rijndael block cipher according to the present invention.
  • FIG. 9 is a third timing diagram illustrating a method of decrypting a Rijndael block cipher according to the present invention.
  • the Rijndael block cipher apparatus is primarily intended to perform all round operations for encrypting and decrypting input data for Rijndael block encryption/decryption in the unit of 64 bits, and to generate round keys required for the round operations simultaneously with performing the round operations.
  • a round operation unit 100 transforms a 128-bit input key into a 128-bit round key RK for encryption or decryption and stores the 128-bit round key according to a value of a mode signal from a time when a round operation start signal Round_start, a round number signal Round_number and a bit selection signal sel for dividing the 128-bit input data into upper 64 bits and lower 64 bits and selecting the upper or lower 64 bits for each round operation are inputted after an encryption or decryption operation start signal start and the mode signal are inputted through a bus 200 for Rijndael block encryption/decryption.
  • the round operation unit 100 encrypts the 128-bit input data by dividing the 128-bit input data into the upper 64 bits and the lower 64 bits and performing a round operation which is composed of transforms of shift_row, substitution, mixcolumn and add-round-key with respect to the divided upper 64 bits and lower 64 bits, respectively.
  • the round operation unit 100 decrypts the 128-bit input data by dividing the 128-bit input data into the upper 64 bits and the lower 64 bits and performing a round operation which is composed of transforms of inverse shift_row, inverse substitution, add-round-key and inverse mixcolumn with respect to the divided upper 64 bits and lower 64 bits, respectively.
  • a round operation control unit 300, if the encryption or decryption operation start signal and the mode signal are inputted through the bus 200, controls the round operation of the round operation unit 100 by transmitting the round operation start signal Round_start, the round number signal Round_number and the bit selection signal for dividing the 128-bit input data into the upper 64 bits and the lower 64 bits and selecting the divided upper or lower 64 bits for each round operation to the round operation unit 100 from the time when the encryption or decryption operation start signal and the mode signal are inputted.
  • a 64-bit data register 400 stores intermediate encryption or decryption data of the upper 64-bit input data generated during each round operation performed by the round operation unit 100.
  • a 128-bit data register 500 stores intermediate encryption or decryption data of the lower 64-bit input data generated during each round operation performed by the round operation unit 100 as its lower 64 bits, and stores the encryption or decryption data generated as a result of a last round operation and stored in the 64-bit data register 400 as its upper 64 bits.
  • a round key generation unit 110 of the round operation unit 100 transforms the 128-bit input key into the 128-bit round key RK according to the value of the mode signal inputted through the bus 200 and stores the 128-bit round key in an internal 128-bit round key register if the round operation start signal and the round number signal are inputted from the round operation control unit 300.
  • a shift/inverse-shift_row transform unit 120 of the round operation unit 100, if the round operation start signal and a bit selection signal are inputted from the round operation control unit 300, performs a byte-shift of the upper 64 bits and the lower 64 bits divided from the 128-bit input data inputted through the bus 200 by different numbers according to the value of the mode signal inputted through the bus 200, and outputs the byte-shifted upper 64 bits and lower 64 bits through a first multiplexer 121 the output of which is controlled according to the value of the bit selection signal
  • S-box: substitution box
  • Si-box: inverse-substitution box
  • a first demultiplexer 140 of the round operation unit 100 outputs the upper 64-bit data or the lower 64-bit data outputted from the substitution/inverse-substitution transform unit 130 through either of its encryption output terminal '0' and its decryption output terminal '1' according to the value of the mode signal
  • a mix/inverse-mixcolumn transform unit 150 of the round operation unit 100 performs a mixcolumn of the upper 64-bit data or the lower 64-bit data inputted through the encryption output terminal '0' of the first demultiplexer 140, or performs an inverse mixcolumn of the upper 64-bit data or the lower 64-bit data that has been add-round-key-transformed.
  • a second demultiplexer 160 of the round operation unit 100 outputs the upper
  • An add-round-key transform unit 170 of the round operation unit 100 performs an addition of the upper 64-bit data or the lower 64-bit data inputted through the decryption output terminal '1' of the first demultiplexer 140 or the encryption output terminal '0' of the second demultiplexer 160 to the 128-bit round key RK for encryption or decryption outputted from the round key generation unit 110.
  • a third demultiplexer 180 of the round operation unit 100 outputs the upper 64-bit data or the lower 64-bit data outputted from the add-round-key transform unit 170 through either of its encryption output terminal '0' and its decryption output terminal '1' according to the value of the mode signal
  • the 110 stores the 128-bit input key inputted through the bus 200 as a prekey for transforming the 128-bit input key into the 128-bit round key RK for encryption or decryption, and stores the 128-bit round key RK generated after each round operation as a prekey for generating the round key used in the next round operation.
  • a 128-bit round key register 111a of the round key generation unit 110 stores the
  • the 128-bit round key RK for encryption or decryption for each round operation is backed up to the 128-bit prekey register 111 after each round operation, and is used as a round key (i.e., prekey) of the previous round in the next round operation.
  • a constant storage unit 112 of the round key generation unit 110 stores constant values Rcon determined according to the order of the round indicated by the round number signal inputted from the round operation control unit 300. It is preferable that the constant storage unit 112 comprises a ROM.
  • a second multiplexer 113 of the round key generation unit 110 is controlled according to the value of the mode signal inputted through the bus 200, and selects and outputs either of 32-bit keys for encryption or decryption inputted from the 128-bit prekey register 111 and the 128-bit round key register 111a.
  • a shifter 114 of the round key generation unit 110 performs a cyclic shift of the
  • a substitution transform unit 115 of the round key generation unit 110 is composed of substitution boxes (S-boxes) for performing the substitution operation, and performs a substitution of the 32-bit key shifted by the shifter 114.
  • a first XOR gate 116 of the round key generation unit 110 performs an XOR operation of the most significant byte of the 32-bit key outputted from the substitution transform unit 115 with the constant value stored in the constant storage unit 112.
  • a round XOR operation unit 117 of the round key generation unit 110 newly generates the 128-bit round key RK for encryption or decryption to be stored in the 128-bit round key register 111a for each round of the round operation by performing an XOR operation using a 32-bit value obtained by adding output bits of the first XOR gate 116 to the remaining 24 bits except for the most significant byte of the substitution transform unit 115, the 128-bit round key (i.e., prekey) of the previous round stored in the 128-bit prekey register 111, and the 128-bit round key RK of the new round stored in the 128-bit round key register 111a.
  • a second XOR gate 118 of the round XOR operation unit 117 generates the most significant 32-bit round key RK0 of the 128-bit round key for encryption or decryption of the new round by performing an XOR operation of the 32-bit value obtained by adding the output bits of the first XOR gate 116 to the remaining 24 bits except for the most significant byte of the substitution transform unit 115, with the most significant 32-bit round key PK0 of the 128-bit round key of the previous round.
  • a third XOR gate 118a of the round XOR operation unit 117 generates a 32-bit
  • the third XOR gate 118a also generates a 32-bit (i.e., 95th bit to 64th bit) round key RK1 of the 128-bit round key for decryption of the new round by performing an XOR operation of the most significant 32-bit (i.e., 127th bit to 96th bit) round key PK0 of the 128-bit round key of the previous round with a 32-bit (i.e., 95th bit to 64th bit) round key PK1 next to the most significant 32 bits.
  • a third multiplexer 119 of the round XOR operation unit 117 is controlled according to the value of the mode signal inputted through the bus 200, and selectively determines input signals of the third XOR gate 118a.
  • a fourth XOR gate 118b of the round XOR operation unit 117 generates a 32-bit
  • round key RK2 of the 128-bit round key for encryption of the new round by performing an XOR operation of a 32-bit (i.e., 95th bit to 64th bit) round key RK1 of the 128-bit round key of the new round with a 32-bit (i.e., 63rd bit to 32nd bit) round key PK2 of the 128-bit round key of the previous round.
  • the fourth XOR gate 118b also generates a 32-bit (i.e., 63rd bit to 32nd bit) round key RK2 of the 128-bit round key for decryption of the new round by performing an XOR operation of a 32-bit (i.e., 95th bit to 64th bit) round key PK1 of the 128-bit round key of the previous round with a next 32-bit (i.e., 63rd bit to 32nd bit) round key PK2.
  • a fourth multiplexer 119a of the round XOR operation unit 117 is controlled according to the value of the mode signal inputted through the bus 200, and selectively determines input signals of the fourth XOR gate 118b.
  • a fifth XOR gate 118c of the round XOR operation unit 117 generates a 32-bit (i.e.,
  • a fifth XOR gate 118c also generates a 32-bit (i.e., 31st bit to 0th bit) round key RK3 of the 128-bit round key for decryption of the new round by performing an XOR operation of a 32-bit (i.e., 63rd bit to 32nd bit) round key PK2 of the 128-bit round key of the previous round with a next 32-bit (i.e., 31st bit to 0th bit) round key PK3.
  • a fifth multiplexer 119b of the round XOR operation unit 117 is controlled according to the value of the mode signal inputted through the bus 200, and selectively determines input signals of the fifth XOR gate 118c.
  • the Rijndael block cipher apparatus as constructed above according to the present invention performs the encryption and decryption processes as follows:
  • a round key generation process is performed as the initial 128-bit input key is inputted to the round key generation unit 100 through the bus 200, and 128-bit input data is inputted to the shift/inverse-shift_row transform unit 120.
  • the shift/inverse-shift_row transform unit 120 performs a shift/inverse-shift by different numbers of bytes as defined in the Rijndael block cipher algorithm.
  • After the byte shift/inverse-shift_row operation as described above is performed, the upper or lower 64-bit data is inputted to the substitution/inverse-substitution transform unit 130, and the substitution or inverse substitution of the data is performed by a substitution box (S-box) or an inverse-substitution box (Si-box).
  • the S-box and the Si-box serve as a substitution transform unit that outputs a one-byte output with respect to a one-byte input as defined in a specification of the Rijndael algorithm.
  • since the substitution/inverse-substitution transform unit 130 proposed according to the present invention processes only 64-bit data at a time, it requires only 8 S-boxes or 8 Si-boxes.
  • the round key generation unit 110 starts to generate a round key RK of a new round using the 128-bit round key (i.e., prekey) of the previous round stored in the 128-bit prekey register 111.
  • the least significant 32 bits (PK3) of the 128-bit round key of the previous round of the 128-bit prekey register 111 are inputted to the shifter 114 through the second multiplexer 113.
  • the fifth XOR gate 118c performs an XOR operation of the lower 64 bits PK2 and PK3 of the round key of the previous round, and temporarily stores the XORed 32 bits as the least significant 32 bits RK3 of a new round key. Simultaneously, this value RK3 is inputted to the shifter 114 through the second multiplexer 113.
  • 32-bit keys is XORed by the first XOR gate 116 with the constant value Rcon determined according to the order of the round indicated by the round number signal inputted from the round operation control unit 300.
  • the resultant 8 bits outputted from the first XOR gate 116 are added to the remaining 24 bits outputted from the substitution transform unit 115, and the added bits are inputted to the second XOR gate 118 of the round XOR operation unit 117.
  • the Rijndael algorithm specification describes the structure that makes a 32-bit constant value that is related to the round number by padding '0' of 24 bits to the 8-bit constant value, and then performs an XOR operation of the 32-bit constant value with the 32-bit value that has passed through the substitution transform unit 115.
  • the second XOR gate 118 performs an XOR operation of the 32 bits, which are obtained by adding the resultant 8 bits outputted from the first XOR gate 116 to the remaining 24 bits outputted from the substitution transform unit 115, with the most significant 32 bits PK0 of the round key of the previous round, and stores the resultant value of the XOR operation as the most significant 32-bit round key RK0 of the new round.
  • the third XOR gate 118a, in the case of encryption process, generates the next 32-bit round key RK1 of the new round by performing an XOR operation of the most significant 32-bit round key RK0 of the new round with the upper 32-bit (i.e., 95th bit to 64th bit) round key PK1 of the previous round.
  • the third XOR gate 118a generates the next 32-bit round key RK1 of the new round by performing an XOR operation of the most significant 32-bit round key PK0 of the previous round with the next upper 32-bit round key PK1 of the previous round.
  • the third multiplexer 119 determines the input values of the third XOR gate 118a according to the mode signal that is inputted through the bus 200 and that indicates the encryption process or the decryption process.
  • the next 32-bit round key RK2 and the least significant 32-bit round key RK3 for encryption or decryption are generated by the fourth XOR gate 118b and the fifth XOR gate 118c which operate in the same manner as the third XOR gate 118a.
  • the fourth multiplexer 119a determines the input values of the fourth XOR gate 118b
  • the fifth multiplexer 119b determines the input values of the fifth XOR gate 118c.
  • the time required to generate the 128-bit round key of the new round in the unit of 32 bits corresponds to the whole 4-clock period of the round operation start signal inputted from the round operation control unit 300 in the case of encryption process, and corresponds to the whole 2-clock period in the case of decryption process.
  • the most significant 32-bit round key RK0 of the new round is generated through the second XOR gate 118, and when the second clock becomes '1', the 32-bit round keys RK1, RK2 and RK3 of the new round are simultaneously generated through the third XOR gate 118a, fourth XOR gate 118b and fifth XOR gate 118c.
  • the round key generation unit 110 generates the encryption round key during the 2-clock period. At this time, the process of generating the most significant 32-bit (i.e., 127 bit to
  • If the second clock of the round operation start signal becomes '1', the third XOR gate 118a generates the 32-bit (i.e., 95th bit to 64th bit) round key RK1 of the 128-bit round key for encryption of the new round by performing an XOR operation of the most significant 32-bit (i.e., 127th bit to 96th bit) round key RK0 of the 128-bit round key of the new round with the 32-bit round key PK1 next to the most significant 32 bits of the 128-bit round key of the previous round.
  • the fourth XOR gate 118b generates a 32-bit (i.e., 63rd bit to 32nd bit) round key RK2 of the 128-bit round key for encryption of the new round by performing an XOR operation of a resultant value (RK0 ⊕ PK1), which is obtained by the third XOR gate's XOR operation of the most significant 32-bit (i.e., 127th bit to 96th bit) round key RK0 of the 128-bit round key of the new round with the 32-bit (i.e., 95th bit to 64th bit) round key PK1 next to the most significant 32-bit round key of the 128-bit round key of the previous round, with the 32-bit (i.e., 63rd bit to 32nd bit) round key PK2 of the previous round.
  • the fifth XOR gate 118c generates a 32-bit (i.e., 31st bit to 0th bit) round key RK3 of the 128-bit round key for encryption of the new round by performing an XOR operation of a resultant value (RK0 ⊕ PK1), which is obtained by the fourth XOR gate's XOR operation of the most significant 32-bit (i.e., 127th bit to 96th bit) round key RK0 of the 128-bit round key of the new round that has been XORed by the third XOR gate 118a with the 32-bit (i.e., 95th bit to 64th bit) round key PK1 next to the most significant 32-bit round key of the 128-bit round key of the previous round, with the 32-bit (i.e., 63rd bit to 32nd bit) round key PK2 of the previous round to produce a resultant value (RK0 ⊕ PK1 ⊕ PK2) of XOR operation, and
  • 118a generates the 32-bit (i.e., 95th bit to 64th bit) round key RK1 of the 128-bit round key for encryption of the new round by performing an XOR operation of the most significant 32-bit (i.e., 127th bit to 96th bit) round key RK0 of the 128-bit round key of the new round with the 32-bit round key PK1 next to the most significant 32 bits of the 128-bit round key of the previous round.
  • the 32-bit (i.e., 95 bit to 64 bit) round key RK1 of the 128-bit round key for encryption of the new round by performing an XOR operation of the most significant 32-bit (i.e., 127 bit to 96 bit) round key RKO of the 128-bit round key of the new round with the 32-bit round key PKl next to the most significant 32bits of the 128-bit round key of the previous round.
  • the fourth XOR gate 118b generates a 32-bit (i.e., 63 bit to 32 bit) round key RK2 of the 128-bit round key for encryption of the new round by performing an XOR operation of a resultant value (RKO ⁇ PKl), which is obtained by the third XOR gate's XOR operation of the most significant 32-bit (i.e., 127 bit to 96 bit) round key RKO of the 128-bit round key of the new round with the 32-bit (i.e., 95 bit to 64 bit) round key PKl next to the most significant 32-bit round key of the 128-bit round key of the previous round, with the 32-bit (i.e., 63 bit to 32 bit) round key PK2 of the previous round.
  • a 32-bit (i.e., 63 bit to 32 bit) round key RK2 of the 128-bit round key for encryption of the new round by performing an XOR operation of a resultant value (RKO ⁇
  • the fifth XOR gate 118c generates a 32-bit (i.e., 31 st bit to 0 th bit) round key RK3 of the 128-bit round key for encryption of the new round by performing an XOR operation of a resultant value (RKO ⁇ PKl), which is obtained by the fourth XOR gate's XOR operation of the most significant 32-bit (i.e., 127 bit to 96 bit) round key RKO of the 128-bit round key of the new round that has been XORed by the third XOR gate 118a with the 32-bit (i.e., 95* bit to 64 bit) round key PKl next to the most significant 32-bit round key of the 128-bit round key of the previous round, with the 32-bit (i.e., 63 bit to 32 bit) round key PK2 of the previous round to produce a resultant value (RKO ⁇ PKl ⁇ PK2) of XOR operation,
  • FIG. 4 is a first timing diagram illustrating a method of encrypting a rijndael block cipher according to the present invention.
  • if the four-clock round operation start signal and the round number signal are inputted from the round operation control unit 300 to the round operation unit 100 (step S400), the byte-shift transform and the substitution operation are successively performed with respect to the upper 64-bit data of the 128-bit round operation input data at the moment when the first clock becomes '1' (step S401), and these two processes are performed within one clock.
  • the results of these processes are stored in the 64-bit data register 400.
  • the 128-bit round key generation process using the 128-bit round input key starts (step S401a).
  • the mixcolumn transform using the 64-bit data stored in the 64-bit data register 400 is performed with its resultant values stored in the 64-bit data register 400 (step S402), and simultaneously, the byte-shift transform and the substitution operation of the lower 64-bit data of the round operation input data are successively performed (step S402). These two processes are performed in one clock. Also, the resultant data of the byte-shift transform and the substitution operation of the lower 64-bit data are stored in a lower 64-bit position of the 128-bit data register 500 that stores the round operation results.
  • the 64 bits stored in the 64-bit data register 400 are inputted to the add-round-key transform unit 170 so as to be added to the upper 64 bits of the round key generated by the round key generation unit 110, and the resultant value is stored in the upper 64-bit position of the 128-bit data register 500 (step S403). Also, the mixcolumn transform of the lower 64-bit data of the 128-bit data register 500 is performed, and the resultant value is stored in the lower 64-bit position of the 128-bit data register 500 (step S403).
  • the lower 64 bits of the 128-bit data register 500 are inputted to the add-round-key transform unit 170 so as to be added to the lower 64 bits of the round key generated by the round key generation unit 110, and the resultant value is stored in the lower 64-bit position of the 128-bit data register 500 (step S404).
  • the 128-bit data of the 128-bit data register 500 is used as the 128-bit round operation input data of the next round, and the round key RK newly generated by the round key generation unit 110 and then stored in the 128-bit round key register 111a is also stored in the 128-bit prekey register 111 to be used as the 128-bit round input key of the next round. Consequently, the encryption operation of one round is completed within a period of four clocks.
  • the round key generation unit 110 completes the round key generation process within a period of four clocks of the round operation start signal. That is, as shown in FIG. 4, the add-round-key transform process (step S403), which is the process of adding the upper 64-bit data to the round key, is performed after the third clock from the start of the round operation. After the second clock from the start of the round operation, only the upper 64-bit round key of the new round is generated, and at this time point, there is no problem in performing the encryption operation of the round operation since only the upper 64-bit round key is used.
  • since the time point when the fourth clock starts after the third clock for the round operation coincides with the time point when all the 128-bit round keys are generated, there is no problem in performing the add-round-key transform process (step S404) for adding the lower 64-bit data to the lower 64-bit round key.
  • the 64-bit data register 400 is used as the storage space of the intermediate data generated during the encryption process, and thus the result of the byte-shift transform of the upper 64-bit data does not affect the byte-shift transform of the lower 64-bit data. Also, since the upper 64-bit data and the lower 64-bit data are simultaneously transformed, but are not transformed in the same manner during the same clock period, the number of hardware modules required for the transform can be reduced by half. Especially, the data generated for each clock is updated and stored in one storage space, and thus no additional storage space is required.
  • this case is directed to a structure that applies a pipeline structure but requires no additional hardware, and this structure is applied in the same manner to the methods of encrypting and decrypting the rijndael block cipher according to the other embodiments of the present invention to be explained later.
  • FIG. 5 is a first timing diagram illustrating a method of decrypting a rijndael block cipher according to the present invention.
  • if the four-clock round operation start signal and the round number signal are inputted from the round operation control unit 300 to the round operation unit 100 (step S500), the byte-inverse-shift transform and the inverse-substitution operation are successively performed with respect to the upper 64-bit data of the 128-bit round operation input data at the moment when the first clock becomes '1' (step S501), and these two processes are performed within one clock. At this time, the resultant data is stored in the 64-bit data register 400. Also, if the first clock of the round operation start signal becomes '1', the 128-bit round key generation process using the 128-bit round input key starts (step S501a).
  • the add-round-key transform for adding the 64-bit data stored in the 64-bit data register 400 to the upper 64 bits of the round key generated through the round key generation unit 110 is performed, and the resultant data is stored in the 64-bit data register 400 (step S502).
  • the byte-inverse-shift transform and the inverse-substitution of the lower 64-bit data of the round operation input data are successively performed, and the resultant data is stored in the lower 64-bit position of the 128-bit data register (step S502).
  • the lower 64-bit data that has passed through the add-round-key transform is inputted to the mix/inverse-mixcolumn transform unit 150 to be inverse-mixcolumn-transformed, and the resultant data is stored in the lower 64-bit position of the 128-bit data register 500 (step S504).
  • the 128-bit data of the 128-bit data register 500 is used as the 128-bit round operation input data of the next decryption round operation, and the 128-bit round key RK that is the result of the round key generation is stored in the 128-bit prekey register 111 so as to be used as the 128-bit round input key of the next round operation. Consequently, the decryption operation of one round is completed within a period of four clocks.
  • the round key generation unit 110 completes the round key generation process within a period of two clocks of the round operation start signal. That is, as shown in FIG. 5, since the add-round-key transform process (step S502), which is the process of adding the upper 64-bit round key to the 64-bit data, is performed after the second clock from the start of the round operation, all the 128-bit round keys have already been generated at the time point of the second clock, and thus there is no problem in performing the round operation.
  • FIG. 6 is a second timing diagram illustrating a method of encrypting a rijndael block cipher according to the present invention.
  • if the three-clock round operation start signal and the round number signal are inputted from the round operation control unit 300 to the round operation unit 100 (step S600), the byte-shift operation and the substitution operation of the upper 64-bit data are successively performed at the moment when the first clock becomes '1', and the resultant data is stored in the 64-bit data register (step S601). Also, the round key generation process is simultaneously performed (step S601a). At the moment when the second clock of the round operation start signal becomes
  • the 64-bit data stored in the 64-bit data register 400 is mixcolumn-transformed, and then added to the upper 64-bit round key of the resultant data of the add-round-key transform unit 110.
  • the resultant data of the add-round-key transform is stored in the 64-bit data register 400 (step S602).
  • the byte-shift transform and the substitution operation of the lower 64-bit data are successively performed, and the resultant data is stored in the lower 64-bit position of the 128-bit data register 500 (step S602).
  • the 64-bit data stored in the 64-bit data register 400 is inputted to the upper 64-bit position of the 128-bit data register 500, and the lower 64-bit data of the 128-bit data register 500 is mixcolumn-transformed and then added to lower 64-bit round key of the round key generated by the round key generation unit 110.
  • the resultant data is stored in the lower 64-bit position of the 128-bit data register 500 (step S603).
  • the 128-bit data of the 128-bit data register 500 is used as the 128-bit round operation input data of the next round operation, and the round key RK generated by the round key generation unit 110 is stored in the 128-bit prekey register 111 and then used as the 128-bit round input key of the next round. Consequently, the encryption operation of one round is completed within a period of three clocks.
  • the round key generation unit 110 completes the round key generation process within a period of two clocks of the round operation start signal. That is, as shown in FIG. 6, since the add-round-key transform process (step S602), which is the process of adding the upper 64-bit round key to the upper 64-bit data, is performed after the second clock from the start of the round operation, all the 128-bit round keys have already been generated at the time point of the second clock, and thus there is no problem in performing the round operation.
  • FIG. 7 is a second timing diagram illustrating a method of decrypting a rijndael block cipher according to the present invention.
  • if the three-clock round operation start signal and the round number signal are inputted from the round operation control unit 300 to the round operation unit 100 (step S700), the byte-inverse-shift transform and the inverse-substitution operation are successively performed with respect to the upper 64-bit data of the 128-bit round operation input data at the moment when the first clock becomes '1', and the resultant data is stored in the 64-bit data register 400 (step S701). Also, the round key generation process starts simultaneously with these transforms (step S701a). When the second clock of the round operation start signal becomes '1', the add-round-key transform for adding the 64-bit data stored in the 64-bit data register 400 to the upper 64-bit round key of the round key generated by the round key generation unit
  • the byte-inverse-shift transform and the inverse-substitution transform of the lower 64-bit data of the round operation input data are successively performed, and the resultant data is stored in the lower 64-bit position of the 128-bit data register (step S702).
  • the 64-bit data stored in the 64-bit data register 400 is stored in the upper 64-bit position of the 128-bit data register 500, and the add-round-key transform for adding the lower 64-bit data of the 128-bit data register 500 to the lower 64-bit round key of the round key generation unit 110 is performed.
  • the resultant data of the add-round-key transform is then inverse-mixcolumn-transformed, and the resultant data of the inverse-mixcolumn transform is stored in the lower 64-bit position of the 128-bit data register 500 (step S703).
  • the 128-bit data of the 128-bit data register 500 is used as the 128-bit round operation input data of the next round operation, and the 128-bit round key RK generated by the round key generation unit 110 is stored in the 128-bit prekey register
  • the round key generation unit 110 completes the round key generation process within a period of two clocks of the round operation start signal. That is, as shown in FIG. 7, since the add-round-key transform process (step S702) for adding the upper 64-bit round key to the upper 64-bit data is performed after the second clock from the start of the round operation, all the 128-bit round keys have already been generated at the time point of the second clock, and thus there is no problem in performing the round operation.
  • FIG. 8 is a third timing diagram illustrating a method of encrypting a rijndael block cipher according to the present invention.
  • if the two-clock round operation start signal and the round number signal are inputted from the round operation control unit 300 to the round operation unit 100 (step S800), the byte-shift transform, the substitution transform, the mixcolumn transform and the add-round-key transform are successively performed with respect to the upper 64-bit data of the round input data when the first clock becomes '1', and the resultant data is stored in the 64-bit data register 400 (step S801). Simultaneously, the round key generation process (step S801a) is performed, and the add-round-key transform of the upper 64-bit round key of the generated round key is performed. These processes are performed in a period of one clock.
  • the 64-bit data stored in the 64-bit data register 400 is stored in the upper 64-bit position of the 128-bit data register 500, and the 128-bit round key RK newly generated by the round key generation unit 110 is stored in the 128-bit round key register 111a and backed up in the 128-bit prekey register 111. Consequently, the encryption operation of one round is completed within a period of two clocks.
  • the round key generation unit 110 completes the round key generation process within a period of one clock of the round operation start signal. That is, as shown in FIG. 8, since the add-round-key transform process (step S801) for adding the upper 64-bit round key to the upper 64-bit data is performed after the first clock from the start of the round operation, all the 128-bit round keys have already been generated at the time point of the first clock, and thus there is no problem in performing the round operation.
  • the round key generation unit 110 as illustrated in FIG. 3 generates RK1 using RK0, and RK2 using RK1.
  • the round key generation unit 110 does not generate RK3 using RK2, but generates RKO in a state that the round operation start signal is inputted and the clock becomes '0' simultaneously.
  • when the first clock becomes '1', the round key generation unit 110 generates RK1 by XORing RK0 with PK1, RK2 by XORing RK0 with PK1 and PK2, and RK3 by XORing RK0 with PK1, PK2 and PK3, simultaneously.
  • FIG. 9 is a third timing diagram illustrating a method of decrypting a rijndael block cipher according to the present invention.
  • if the two-clock round operation start signal and the round number signal are inputted from the round operation control unit 300 to the round operation unit 100 (step S900), the byte-inverse-shift transform, the inverse-substitution transform, the add-round-key transform and the inverse-mixcolumn transform are successively performed with respect to the upper 64-bit data of the round input data when the first clock becomes '1', and the resultant data is stored in the 64-bit data register 400 (step S901). These processes are performed in a period of one clock. Simultaneously, the round key generation process (step S901a) for decryption is performed, and the add-round-key transform of the upper 64-bit round key of the round key generated by the round key generation unit 110 is performed.
  • the 64-bit data stored in the 64-bit data register 400 is stored in the upper 64-bit position of the 128-bit data register 500, and the 128-bit round key RK newly generated by the round key generation unit 110 is stored in the 128-bit round key register 111a and backed up in the 128-bit prekey register 111. Consequently, the decryption operation of one round is completed within a period of two clocks.
  • the round key generation unit 110 completes the round key generation process within a period of one clock of the round operation start signal. That is, as shown in FIG. 9, the add-round-key transform process (step S901) for adding the upper 64-bit round key to the upper 64-bit data is performed after the first clock from the start of the round operation, but all the 128-bit round keys have already been generated at the time point of the first clock, and thus there is no problem in performing the round operation.
  • the round key generation unit 110 as illustrated in FIG. 3 generates RK0 in a state that the round operation start signal is inputted and the clock becomes '0' simultaneously.
  • the round key generation unit 110 generates RK1 by XORing RK0 with PK1, RK2 by XORing PK1 with PK2, and RK3 by XORing PK2 with PK3, simultaneously.
  • the rijndael block cipher apparatus according to the encryption method as illustrated in FIG. 8 and the decryption method as illustrated in FIG. 9 is a model suitable to be applied to a smart card, a USIM (User Subscriber Identity Module) card, a SIM card, etc., that have a small size, a low power consumption, and a low operational frequency characteristic.
  • the rijndael block cipher apparatus and the encryption/decryption method thereof according to the present invention can encrypt and decrypt important data that requires security at high speed by being mounted in a mobile terminal such as a cellular phone and a PDA or a smart card, which requires a high-rate and small-sized cipher processor, and can perform a round operation with respect to upper 64 bits and lower 64 bits which are divided from 128-bit input data.
  • the present invention has the following effects:
  • the cipher apparatus has a small size and can encrypt/decrypt real-time data at high speed by repeatedly using the round operation device in the apparatus.
  • since the cipher apparatus according to the present invention encrypts/decrypts block cipher data in real time using the round operation device applying a rijndael algorithm, it can provide a higher-graded security in comparison to an operation device applying the existing DES (Data Encryption Standard).
  • the rijndael encryption/decryption round operation device of the cipher apparatus has the advantage that it can encrypt/decrypt block cipher data in real time by adding a simple controller that repeats the round operation for a predetermined number of times.
  • the round operation device of the cipher apparatus can rapidly encrypt/decrypt data in real time although it has a small size that is almost half the size of the existing round operation device in the unit of 128 bits.
  • the round operation device of the cipher apparatus can be implemented using a proper method according to its application fields, and in the case of applying to a system that is irrespective of the amount of hardware resource used, it can obtain a two-times higher speed of data encryption/decryption by applying a round process in the unit of 128 bits instead of a round process in the unit of 64 bits.
  • the foregoing embodiments are merely exemplary and are not to be construed as limiting the present invention.
  • the present teachings can be readily applied to other types of apparatuses.
  • the description of the present invention is intended to be illustrative, and not to limit the scope of the claims. Many alternatives, modifications, and variations will be apparent to those skilled in the art.
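Added example (not from the patent text or the applicant's implementation): a Python software model of the four-clock encryption round of FIG. 4, with the 64-bit data register 400 and the 128-bit data register 500, and of the round key generation in which RK1 to RK3 are formed in parallel from RK0 and PK1 to PK3. The RK0 derivation, the initial key addition, the final round without mixcolumn, and the mapping of the upper 64 bits to state columns 0 and 1 are assumptions taken from FIPS-197, not from this page; all function names are hypothetical.

```python
# Added illustration: software model of the FIG. 4 four-clock round.
# Not the patent's circuit; function names are hypothetical.

def xtime(a):
    """Multiply by x in GF(2^8) modulo the AES polynomial 0x11B."""
    a <<= 1
    return (a ^ 0x11B) & 0xFF if a & 0x100 else a

def gmul(a, b):
    """GF(2^8) product of a and b."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a, b = xtime(a), b >> 1
    return r

def make_sbox():
    """Build the substitution table: field inverse followed by the affine map."""
    sbox = []
    for x in range(256):
        inv = next((y for y in range(1, 256) if gmul(x, y) == 1), 0)
        s = inv
        for k in range(1, 5):
            s ^= ((inv << k) | (inv >> (8 - k))) & 0xFF
        sbox.append(s ^ 0x63)
    return sbox

SBOX = make_sbox()

def next_round_key(pk, rcon):
    """pk = [PK0..PK3], previous round key as 32-bit words; returns [RK0..RK3]."""
    rot = ((pk[3] << 8) | (pk[3] >> 24)) & 0xFFFFFFFF
    sub = 0
    for shift in (24, 16, 8, 0):
        sub |= SBOX[(rot >> shift) & 0xFF] << shift
    rk0 = pk[0] ^ sub ^ (rcon << 24)      # assumption: FIPS-197 derivation of RK0
    rk1 = rk0 ^ pk[1]                     # third XOR gate 118a
    rk2 = rk0 ^ pk[1] ^ pk[2]             # fourth XOR gate 118b
    rk3 = rk0 ^ pk[1] ^ pk[2] ^ pk[3]     # fifth XOR gate 118c
    return [rk0, rk1, rk2, rk3]

def shift_sub_half(state, half):
    """Byte-shift + substitution producing one 64-bit half (two columns).
    Each half draws bytes from all four input columns, so the full 128-bit
    round input must stay intact until both halves have been read."""
    out = []
    for c in (2 * half, 2 * half + 1):
        for r in range(4):
            out.append(SBOX[state[4 * ((c + r) % 4) + r]])
    return out

def mix_half(h):
    """Mixcolumn transform on the two columns of one 64-bit half."""
    out = []
    for c in (0, 4):
        a = h[c:c + 4]
        for r in range(4):
            out.append(gmul(a[r], 2) ^ gmul(a[(r + 1) % 4], 3)
                       ^ a[(r + 2) % 4] ^ a[(r + 3) % 4])
    return out

def add_key_half(h, rk, half):
    """Add-round-key: XOR a 64-bit half with the matching 64 bits of the key."""
    kb = b"".join(w.to_bytes(4, "big") for w in rk[2 * half:2 * half + 2])
    return [x ^ k for x, k in zip(h, kb)]

def round_four_clock(r128, pk, rcon, last=False):
    """One encryption round; each statement below models one clock."""
    rk = next_round_key(pk, rcon)         # in hardware this overlaps the clocks
    mix = (lambda h: h) if last else mix_half
    r128 = list(r128)
    r64 = shift_sub_half(r128, 0)                                 # clock 1 (S401)
    r64, r128[8:] = mix(r64), shift_sub_half(r128, 1)             # clock 2 (S402)
    r128[:8], r128[8:] = add_key_half(r64, rk, 0), mix(r128[8:])  # clock 3 (S403)
    r128[8:] = add_key_half(r128[8:], rk, 1)                      # clock 4 (S404)
    return r128, rk

def encrypt_block(key, block):
    """AES-128 encryption of one 16-byte block using the split datapath."""
    pk = [int.from_bytes(key[i:i + 4], "big") for i in range(0, 16, 4)]
    state = add_key_half(block[:8], pk, 0) + add_key_half(block[8:], pk, 1)
    rcon = 1
    for rnd in range(1, 11):
        state, pk = round_four_clock(state, pk, rcon, last=(rnd == 10))
        rcon = xtime(rcon)
    return bytes(state)
```

Running `encrypt_block` on the FIPS-197 example vectors confirms that processing the two 64-bit halves on alternating clocks yields the same ciphertext as a full 128-bit round datapath.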

Abstract

A rijndael block cipher apparatus including an operational unit that efficiently performs a round operation for encrypting/decrypting a rijndael block cipher and an encryption/decryption method thereof are disclosed. The rijndael block cipher apparatus is mounted in a mobile terminal such as a cellular phone and a PDA or a smart card, which requires a high-rate and small-sized cipher processor, and can encrypt and decrypt important data that requires security at high speed and perform the round operation with respect to upper 64 bits and lower 64 bits which are divided from 128-bit input data. Thus, the cipher apparatus can reduce the time required for encryption/decryption of the rijndael block cipher and the size of the apparatus.

Description

[1] RIJNDAEL BLOCK CIPHER APPARATUS AND ENCRYPTION/DECRYPTION METHOD THEREOF
[2] Technical Field
[3] The present invention relates generally to a rijndael block cipher apparatus and an encryption/decryption method thereof, and more particularly to a rijndael block cipher apparatus which is mounted in a cellular phone, PDA, smart card, and so on, and which can encrypt and decrypt important data that requires security at high speed, and an encryption/decryption method thereof.
[4] Background Art
[5] The Rijndael algorithm is a symmetric secret-key encryption algorithm that was developed by Joan Daemen and Vincent Rijmen, who are Belgian encryption developers, and then selected as the new AES (Advanced Encryption Standard) by the American NIST (National Institute of Standards and Technology) in October, 2000 or thereabouts.
[6] The rijndael algorithm supports a variable block length of an SPN (Substitution-Permutation Network) structure, and enables the use of 128-bit, 192-bit, and 256-bit keys with respect to respective block lengths.
[7] The number of rounds in the rijndael algorithm is determined by key lengths, and in the case of using the 128-bit block, it is recommended to use 10, 12 and 14 rounds with respect to the 128-bit, 192-bit and 256-bit keys, respectively.
[8] Recently, it is known that the rijndael algorithm causes no problem in security even if the 128-bit key is used, and thus research into hardware implementation of the rijndael algorithm using a key having a length of 128 bits has already been under way.
[9] Since the rijndael algorithm encrypts/decrypts data for the rijndael block encryption/decryption by repeating round operations, and is especially provided for supporting the variable block length of the SPN structure, the encryption process of a rijndael block cipher is different from the decryption process thereof. Typically, a round operation for the encryption process of the rijndael block cipher is composed of four transforms of substitution, shift_row, mixcolumn and add-round-key, and a round operation for the decryption process is composed of four transforms of inverse-shift_row, inverse substitution, add-round-key and inverse mixcolumn. The time required for the round operation and the hardware resources used differ according to how these transforms are performed, and the method of performing the transforms is therefore vital to the performance of a rijndael cipher processor. Accordingly, it is important to reduce the amount of hardware resource required for the implementation of the round operation and the time required for performing the round operation.
[10] Disclosure of the Invention
[11] Therefore, the applicant has developed a rijndael block cipher apparatus including an operational unit that efficiently performs a round operation for encrypting/ decrypting the rijndael block cipher and an encryption/decryption method thereof.
[12] An object of the present invention is to solve the problems involved in the prior art and to provide a rijndael block cipher apparatus which is mounted in a mobile terminal such as a cellular phone and a PDA or a smart card, which requires a high-rate and small-sized cipher processor, and which can encrypt and decrypt important data that requires security at high speed, and an encryption/decryption method thereof.
[13] In order to accomplish the above-mentioned object, a rijndael block cipher apparatus according to an embodiment of the present invention comprises a round operation unit for transforming a 128-bit input key into a 128-bit round key for encryption or decryption, and storing the 128-bit round key according to a value of a mode signal from a time when a round operation start signal, a round number signal and a bit selection signal for dividing the 128-bit input data into upper 64 bits and lower 64 bits and selecting the upper or lower 64 bits are inputted after an encryption or decryption operation start signal and the mode signal are inputted, encrypting the 128-bit input data by dividing the 128-bit input data into the upper 64 bits and the lower 64 bits and by performing a round operation which is composed of transforms of shift_row, substitution, mixcolumn and add-round-key with respect to the divided upper 64 bits and lower b4 bits, respectively, and decrypting the 128-bit input data by dividing the 128-bit input data into the upper 64 bits and the lower 64 bits and by performing a round operation which is composed of transforms of inverse-shift_row, inverse substitution, add-round-key and inverse mixcolumn with respect to the divided upper 64 bits and lower b4 bits, respectively; a round operation control unit for controlling the round operation of the round operation unit by transmitting the round operation start signal, the round number signal and the bit selection signal for dividing the 128-bit input data into the upper 64 bits and lower 64 bits and selecting the upper or lower 64 bits to the round operation unit from a time when the encryption or decryption operation start signal and the mode signal are inputted; a 64-bit data register for storing intermediate encryption or decryption data of the upper 64-bit input data generated during each round operation performed by the round operation unit; and a 128-bit data register for storing intermediate 
encryption or decryption data of the lower 64-bit input data generated during each round operation performed by the round operation unit as its lower 64 bits, and storing the encryption or decryption data generated as a result of a last round operation and stored in the 64-bit data register as its upper 64-bit data. [14] In order to accomplish the above-mentioned object, a rijndael block encryption method according to a first embodiment of the present invention comprises the steps of if a four-clock round operation start signal and a round number signal are inputted from a round operation control unit after an encryption or decryption operation start signal and a mode signal are inputted through a bus, a round key generation unit of a round operation unit transforming a 128-bit input key into a 128-bit round key for encryption in accordance with a value of the mode signal inputted through the bus from a time when a first clock of the round operation start signal becomes T, and storing the 128-bit round key in an internal 128-bit round key register; if the four-clock round operation start signal and a bit selection signal are inputted from the round operation control unit, a shift/inverse-shift_row transform unit performing a byte-shift of upper 64-bit data of 128-bit input data inputted through the bus and outputting the byte-shifted upper 64-bit data through a first multiplexer when the first clock becomes T , and a substitution/inverse-substitution transform unit successively performing a substitution of the upper 64-bit data, outputting the substituted upper 64-bit data to a first demultiplexer, and storing the substituted upper 64-bit data in a 64-bit data register; when a second clock of the round operation start signal becomes T , a mix/ inverse-mixcolumn transform unit performing a mixcolumn of the upper 64-bit data outputted through an encryption output terminal of the first demultiplexer and stored in the 64-bit data register, outputting the 
mixcolumn-transformed upper 64-bit data to a second demultiplexer, and storing the mixcolumn-transformed upper 64-bit data in the 64-bit data register, the shift/inverse-shift_row transform unit simultaneously performing a byte-shift of lower 64-bit data of the 128-bit input data inputted through the bus and outputting the byte-shifted lower 64-bit data through the first multiplexer, and the substitution/inverse-substitution transform unit successively performing a substitution of the lower 64-bit data, outputting the substituted lower 64-bit data to the first demultiplexer, and storing the substituted lower 64-bit data in lower 64 bits of a 128-bit data register; when a third clock of the round operation start signal becomes T , an add-round-key transform unit performing an addition of the upper 64-bit data outputted through an encryption output terminal of the second demultiplexer and stored in the 64-bit data register to upper 64-bit round key generated by the round key generation unit and storing the added upper 64-bit data in upper 64 bits of the 128-bit data register, and a mix/inverse-mixcolumn transform unit simultaneously performing a mixcolumn of the lower 64-bit data outputted through the encryption output terminal of the first demultiplexer and stored in the 128-bit data register, outputting the mixcolumn-transformed lower 64-bit data to the second demultiplexer, and storing the mixcolumn-transformed lower 64-bit data in the lower 64 bits of the 128-bit data register; and when a fourth clock of the round operation start signal becomes T , the add-round-key transform unit performing an addition of the lower 64-bit data outputted through the encryption output terminal of the second demultiplexer and stored in the 128-bit data register to lower 64-bit round key generated by the round key generation unit and storing the added lower 64-bit data in the lower 64 bits of the 128-bit data register. 
[15] In order to accomplish the above-mentioned object, a rijndael block decryption method according to a first embodiment of the present invention comprises the steps of: if a four-clock round operation start signal and a round number signal are inputted from a round operation control unit after an encryption or decryption operation start signal and a mode signal are inputted through a bus, a round key generation unit of a round operation unit transforming a 128-bit input key into a 128-bit round key for decryption in accordance with a value of the mode signal inputted through the bus from a time when a first clock of the round operation start signal becomes '1', and storing the 128-bit round key in an internal 128-bit round key register; if the four-clock round operation start signal and a bit selection signal are inputted from the round operation control unit, a shift/inverse-shift_row transform unit performing a byte-inverse-shift of upper 64-bit data of 128-bit input data inputted through the bus and outputting the byte-inverse-shifted upper 64-bit data through a first multiplexer when the first clock becomes '1', and a substitution/inverse-substitution transform unit successively performing an inverse substitution of the upper 64-bit data, outputting the inverse-substituted upper 64-bit data to a first demultiplexer, and storing the inverse-substituted upper 64-bit data in a 64-bit data register; when a second clock of the round operation start signal becomes '1', an add-round-key transform unit performing an addition of the upper 64-bit data outputted through a decryption output terminal of the first demultiplexer and stored in the 64-bit data register to upper 64-bit round key generated by the round key generation unit, outputting the added upper 64-bit data to a third demultiplexer, and storing the added upper 64-bit data in the 64-bit data register, the shift/inverse-shift_row transform unit simultaneously performing a byte-inverse-shift of lower 64-bit data of the 128-bit input data inputted through the bus, and outputting the byte-inverse-shifted lower 64-bit data through the first multiplexer, and the substitution/inverse-substitution transform unit successively performing an inverse substitution of the lower 64-bit data, outputting the inverse-substituted lower 64-bit data to the first demultiplexer, and storing the inverse-substituted lower 64-bit data in lower 64 bits of a 128-bit data register; when a third clock of the round operation start signal becomes '1', a mix/inverse-mixcolumn transform unit performing an inverse mixcolumn of the upper 64-bit data outputted through a decryption output terminal of the third demultiplexer and stored in the 64-bit data register, outputting the inverse-mixcolumn-transformed upper 64-bit data through a second demultiplexer, and storing the inverse-mixcolumn-transformed upper 64-bit data in upper 64 bits of the 128-bit data register, and the add-round-key transform unit simultaneously performing an addition of the lower 64-bit data outputted through the decryption output terminal of the first demultiplexer and stored in the 128-bit data register to lower 64-bit round key generated by the round key generation unit, outputting the added lower 64-bit data through the third demultiplexer, and storing the added lower 64-bit data in the lower 64 bits of the 128-bit data register; and when a fourth clock of the round operation start signal becomes '1', the mix/inverse-mixcolumn transform unit performing an inverse mixcolumn of the lower 64-bit data outputted through the decryption output terminal of the third demultiplexer and stored in the 128-bit data register, outputting the inverse-mixcolumn-transformed lower 64-bit data through a second demultiplexer, and storing the inverse-mixcolumn-transformed lower 64-bit data in the lower 64 bits of the 128-bit data register.
[16] In order to accomplish the above-mentioned object, a rijndael block encryption method according to a second embodiment of the present invention comprises the steps of: if a three-clock round operation start signal and a round number signal are inputted from a round operation control unit after an encryption or decryption operation start signal and a mode signal are inputted through a bus, a round key generation unit of a round operation unit transforming a 128-bit input key into a 128-bit round key for encryption in accordance with a value of the mode signal inputted through the bus from a time when a first clock of the round operation start signal becomes '1', and storing the 128-bit round key in an internal 128-bit round key register; if the three-clock round operation start signal and a bit selection signal are inputted from the round operation control unit, a shift/inverse-shift_row transform unit performing a byte-shift of upper 64-bit data of 128-bit input data inputted through the bus and outputting the byte-shifted upper 64-bit data through a first multiplexer when the first clock becomes '1', and a substitution/inverse-substitution transform unit successively performing a substitution of the upper 64-bit data, outputting the substituted upper 64-bit data to a first demultiplexer, and storing the substituted upper 64-bit data in a 64-bit data register; when a second clock of the round operation start signal becomes '1', a mix/inverse-mixcolumn transform unit performing a mixcolumn of the upper 64-bit data outputted through an encryption output terminal of the first demultiplexer and stored in the 64-bit data register, and outputting the mixcolumn-transformed upper 64-bit data to a second demultiplexer, an add-round-key transform unit successively performing an addition of this upper 64-bit data to an upper 64-bit round key generated by the round key generation unit, and storing the added upper 64-bit data in the 64-bit data register, the shift/inverse-shift_row transform unit simultaneously performing a byte-shift of lower 64-bit data of the 128-bit input data inputted through the bus, and outputting the byte-shifted lower 64-bit data through the first multiplexer, and the substitution/inverse-substitution transform unit successively performing a substitution of the lower 64-bit data, outputting the substituted lower 64-bit data to the first demultiplexer, and storing the substituted lower 64-bit data in lower 64 bits of a 128-bit data register; and when a third clock of the round operation start signal becomes '1', storing the 64-bit data added and then stored in the 64-bit data register in upper 64 bits of the 128-bit data register, the mix/inverse-mixcolumn transform unit simultaneously performing a mixcolumn of the lower 64-bit data outputted through the encryption output terminal of the first demultiplexer and stored in the 128-bit data register, and outputting the mixcolumn-transformed lower 64-bit data to the second demultiplexer, and the add-round-key transform unit successively performing an addition of the lower 64-bit data to lower 64-bit round key generated by the round key generation unit, and storing the added lower 64-bit data in the lower 64 bits of the 128-bit data register.
[17] In order to accomplish the above-mentioned object, a rijndael block decryption method according to a second embodiment of the present invention comprises the steps of: if a three-clock round operation start signal and a round number signal are inputted from a round operation control unit after an encryption or decryption operation start signal and a mode signal are inputted through a bus, a round key generation unit of a round operation unit transforming a 128-bit input key into a 128-bit round key for decryption in accordance with a value of the mode signal inputted through the bus from a time when a first clock of the round operation start signal becomes '1', and storing the 128-bit round key in an internal 128-bit round key register; if the three-clock round operation start signal and a bit selection signal are inputted from the round operation control unit, a shift/inverse-shift_row transform unit performing a byte-inverse-shift of upper 64-bit data of 128-bit input data inputted through the bus, and outputting the byte-inverse-shifted upper 64-bit data through a first multiplexer when the first clock becomes '1', and a substitution/inverse-substitution transform unit successively performing an inverse substitution of the upper 64-bit data, outputting the inverse-substituted upper 64-bit data to a first demultiplexer, and storing the inverse-substituted upper 64-bit data in a 64-bit data register; when a second clock of the round operation start signal becomes '1', an add-round-key transform unit performing an addition of the upper 64-bit data outputted through a decryption output terminal of the first demultiplexer and stored in the 64-bit data register to upper 64-bit round key generated by the round key generation unit, and outputting the added upper 64-bit data to a third demultiplexer, a mix/inverse-mixcolumn transform unit successively performing an inverse mixcolumn of the added upper 64-bit data, outputting the inverse-mixcolumn-transformed upper 64-bit data through a second demultiplexer, and storing the inverse-mixcolumn-transformed upper 64-bit data in the 64-bit data register, the shift/inverse-shift_row transform unit simultaneously performing a byte-inverse-shift of lower 64-bit data of the 128-bit input data inputted through the bus, and outputting the byte-inverse-shifted lower 64-bit data through the first multiplexer, and the substitution/inverse-substitution transform unit successively performing an inverse substitution of the lower 64-bit data, outputting the inverse-substituted lower 64-bit data to the first demultiplexer, and storing the inverse-substituted lower 64-bit data in lower 64 bits of a 128-bit data register; and when a third clock of the round operation start signal becomes '1', the add-round-key transform unit performing an addition of the lower 64-bit data outputted through the decryption output terminal of the first demultiplexer and stored in the 128-bit data register to lower 64-bit round key generated by the round key generation unit and outputting the added lower 64-bit data to the third demultiplexer, the mix/inverse-mixcolumn transform unit successively performing an inverse mixcolumn of the added lower 64-bit data, outputting the inverse-mixcolumn-transformed lower 64-bit data through a second demultiplexer, and storing the inverse-mixcolumn-transformed lower 64-bit data in the lower 64 bits of the 128-bit data register, and simultaneously storing the upper 64-bit data stored in the 64-bit data register in upper 64 bits of the 128-bit data register.
[18] In order to accomplish the above-mentioned object, a rijndael block encryption method according to a third embodiment of the present invention comprises the steps of: if a two-clock round operation start signal and a round number signal are inputted from a round operation control unit after an encryption or decryption operation start signal and a mode signal are inputted through a bus, a round key generation unit of a round operation unit transforming a 128-bit input key into a 128-bit round key for encryption in accordance with a value of the mode signal inputted through the bus from a time when a first clock of the round operation start signal becomes '1', and storing the 128-bit round key in an internal 128-bit round key register; if the two-clock round operation start signal and a bit selection signal are inputted from the round operation control unit, a shift/inverse-shift_row transform unit performing a byte-shift of upper 64-bit data of 128-bit input data inputted through the bus and outputting the byte-shifted upper 64-bit data through a first multiplexer when the first clock becomes '1', a substitution/inverse-substitution transform unit successively performing a substitution of the upper 64-bit data, and outputting the substituted upper 64-bit data through a first demultiplexer, a mix/inverse-mixcolumn transform unit performing a mixcolumn of the upper 64-bit data outputted through an encryption output terminal of the first demultiplexer, and outputting the mixcolumn-transformed upper 64-bit data to a second demultiplexer, and an add-round-key transform unit successively performing an addition of this upper 64-bit data to an upper 64-bit round key generated by the round key generation unit, and storing the added upper 64-bit data in a 64-bit data register; and when a second clock of the round operation start signal becomes '1', the shift/inverse-shift_row transform unit performing a byte-shift of lower 64-bit data of the 128-bit input data inputted through the bus and outputting the byte-shifted lower 64-bit data through the first multiplexer, and the substitution/inverse-substitution transform unit successively performing a substitution of the lower 64-bit data, and outputting the substituted lower 64-bit data to the first demultiplexer, the mix/inverse-mixcolumn transform unit successively performing a mixcolumn of the lower 64-bit data, and outputting the mixcolumn-transformed lower 64-bit data to the second demultiplexer, the add-round-key transform unit successively performing an addition of this lower 64-bit data to lower 64-bit round key generated by the round key generation unit, and storing the added lower 64-bit data in lower 64 bits of a 128-bit data register, and simultaneously storing the upper 64-bit data stored in the 64-bit data register in upper 64 bits of the 128-bit data register.
[19] In order to accomplish the above-mentioned object, a rijndael block decryption method according to a second embodiment of the present invention comprises the steps of: if a two-clock round operation start signal and a round number signal are inputted from a round operation control unit after an encryption or decryption operation start signal and a mode signal are inputted through a bus, a round key generation unit of a round operation unit transforming a 128-bit input key into a 128-bit round key for decryption in accordance with a value of the mode signal inputted through the bus from a time when a first clock of the round operation start signal becomes '1', and storing the 128-bit round key in an internal 128-bit round key register; if the two-clock round operation start signal and a bit selection signal are inputted from the round operation control unit, a shift/inverse-shift_row transform unit performing a byte-inverse-shift of upper 64-bit data of 128-bit input data inputted through the bus, and outputting the byte-inverse-shifted upper 64-bit data through a first multiplexer when the first clock becomes '1', a substitution/inverse-substitution transform unit successively performing an inverse substitution of the upper 64-bit data, and outputting the inverse-substituted upper 64-bit data to a first demultiplexer, an add-round-key transform unit successively performing an addition of the upper 64-bit data outputted through a decryption output terminal of the first demultiplexer to an upper 64-bit round key generated by the round key generation unit, and outputting the added upper 64-bit data to a third demultiplexer, and a mix/inverse-mixcolumn transform unit successively performing an inverse mixcolumn of the added upper 64-bit data, outputting the inverse-mixcolumn-transformed upper 64-bit data through a second demultiplexer, and storing the inverse-mixcolumn-transformed upper 64-bit data in a 64-bit data register; and when a second clock of the round operation start signal becomes '1', the shift/inverse-shift_row transform unit performing a byte-inverse-shift of lower 64-bit data of the 128-bit input data inputted through the bus and outputting the byte-inverse-shifted lower 64-bit data through the first multiplexer, the substitution/inverse-substitution transform unit successively performing an inverse substitution of the lower 64-bit data, and outputting the inverse-substituted lower 64-bit data to the first demultiplexer, the add-round-key transform unit successively performing an addition of the lower 64-bit data outputted through the decryption output terminal of the first demultiplexer to a lower 64-bit round key generated by the round key generation unit, and outputting the added lower 64-bit data to the third demultiplexer, the mix/inverse-mixcolumn transform unit successively performing an inverse mixcolumn of the added lower 64-bit data, outputting the inverse-mixcolumn-transformed lower 64-bit data through a second demultiplexer, and storing the inverse-mixcolumn-transformed lower 64-bit data in lower 64 bits of a 128-bit data register, and simultaneously storing the upper 64-bit data stored in the 64-bit data register in upper 64 bits of the 128-bit data register.
[20] Brief Description of the Drawings
[21] The above object, other features and advantages of the present invention will become more apparent by describing the preferred embodiments thereof with reference to the accompanying drawings, in which:
[22] FIG. 1 is a view illustrating the construction of a rijndael block cipher apparatus according to the present invention.
[23] FIG. 2 is a view illustrating the construction of a round operation unit.
[24] FIG. 3 is a view illustrating the construction of a round key generation unit.
[25] FIG. 4 is a first timing diagram illustrating a method of encrypting a rijndael block cipher according to the present invention.
[26] FIG. 5 is a first timing diagram illustrating a method of decrypting a rijndael block cipher according to the present invention.
[27] FIG. 6 is a second timing diagram illustrating a method of encrypting a rijndael block cipher according to the present invention.
[28] FIG. 7 is a second timing diagram illustrating a method of decrypting a rijndael block cipher according to the present invention.
[29] FIG. 8 is a third timing diagram illustrating a method of encrypting a rijndael block cipher according to the present invention.
[30] FIG. 9 is a third timing diagram illustrating a method of decrypting a rijndael block cipher according to the present invention.
[31] Best Mode for Carrying Out the Invention
[32] Now, a rijndael block cipher apparatus and an encryption/decryption method thereof according to preferred embodiments of the present invention will be described in detail with reference to the annexed drawings.
[33] Referring to FIG. 1, the rijndael block cipher apparatus according to the present invention is primarily intended to perform all round operations for encrypting and decrypting input data for rijndael block encryption/decryption in units of 64 bits, and to generate the round keys required for the round operations simultaneously with performing the round operations.
[34] A round operation unit 100 transforms a 128-bit input key into a 128-bit round key RK for encryption or decryption and stores the 128-bit round key according to a value of a mode signal from a time when a round operation start signal Round_start, a round number signal Round_number and a bit selection signal sel for dividing the 128-bit input data into upper 64 bits and lower 64 bits and selecting the upper or lower 64 bits for each round operation are inputted after an encryption or decryption operation start signal start and the mode signal are inputted through a bus 200 for rijndael block encryption/decryption.
[35] If the value of the mode signal indicates '0', the round operation unit 100 encrypts the 128-bit input data by dividing the 128-bit input data into the upper 64 bits and the lower 64 bits and performing a round operation which is composed of transforms of shift_row, substitution, mixcolumn and add-round-key with respect to the divided upper 64 bits and lower 64 bits, respectively.
[36] If the value of the mode signal indicates '1', the round operation unit 100 decrypts the 128-bit input data by dividing the 128-bit input data into the upper 64 bits and the lower 64 bits and performing a round operation which is composed of transforms of inverse shift_row, inverse substitution, add-round-key and inverse mixcolumn with respect to the divided upper 64 bits and lower 64 bits, respectively.
[37] A round operation control unit 300, if the encryption or decryption operation start signal and the mode signal are inputted through the bus 200, controls the round operation of the round operation unit 100 by transmitting the round operation start signal Round_start, the round number signal Round_number and the bit selection signal for dividing the 128-bit input data into the upper 64 bits and the lower 64 bits and selecting the divided upper or lower 64 bits for each round operation to the round operation unit 100 from the time when the encryption or decryption operation start signal and the mode signal are inputted.
[38] A 64-bit data register 400 stores intermediate encryption or decryption data of the upper 64-bit input data generated during each round operation performed by the round operation unit 100.
[39] A 128-bit data register 500 stores intermediate encryption or decryption data of the lower 64-bit input data generated during each round operation performed by the round operation unit 100 as its lower 64 bits, and stores the encryption or decryption data generated as a result of a last round operation and stored in the 64-bit data register 400 as its upper 64 bits.
[40] Referring to FIG. 2, a round key generation unit 110 of the round operation unit 100 transforms the 128-bit input key into the 128-bit round key RK according to the value of the mode signal inputted through the bus 200 and stores the 128-bit round key in an internal 128-bit round key register if the round operation start signal and the round number signal are inputted from the round operation control unit 300.
[41] A shift/inverse-shift_row transform unit 120 of the round operation unit 100, if the round operation start signal and a bit selection signal are inputted from the round operation control unit 300, performs a byte-shift of the upper 64 bits and the lower 64 bits divided from the 128-bit input data inputted through the bus 200 by different numbers according to the value of the mode signal inputted through the bus 200, and outputs the byte-shifted upper 64 bits and lower 64 bits through a first multiplexer 121 the output of which is controlled according to the value of the bit selection signal.
[42] A substitution/inverse-substitution transform unit 130 of the round operation unit 100 performs a substitution or an inverse substitution of the upper 64-bit data and the lower 64-bit data outputted from the shift/inverse-shift_row transform unit 120 using a substitution box (S-box) or an inverse-substitution box (Si-box) that provides a one-byte output with respect to a one-byte input.
[43] A first demultiplexer 140 of the round operation unit 100 outputs the upper 64-bit data or the lower 64-bit data outputted from the substitution/inverse-substitution transform unit 130 through either of its encryption output terminal '0' and its decryption output terminal '1' according to the value of the mode signal.
[44] A mix/inverse-mixcolumn transform unit 150 of the round operation unit 100 performs a mixcolumn of the upper 64-bit data or the lower 64-bit data inputted through the encryption output terminal '0' of the first demultiplexer 140, or performs an inverse mixcolumn of the upper 64-bit data or the lower 64-bit data that has been add-round-key-transformed.
[45] A second demultiplexer 160 of the round operation unit 100 outputs the upper 64-bit data or the lower 64-bit data outputted from the mix/inverse-mixcolumn transform unit 150 through either of its encryption output terminal '0' and its decryption output terminal '1' according to the value of the mode signal.
[46] An add-round-key transform unit 170 of the round operation unit 100 performs an addition of the upper 64-bit data or the lower 64-bit data inputted through the decryption output terminal '1' of the first demultiplexer 140 or the encryption output terminal '0' of the second demultiplexer 160 to the 128-bit round key RK for encryption or decryption outputted from the round key generation unit 110.
[47] A third demultiplexer 180 of the round operation unit 100 outputs the upper 64-bit data or the lower 64-bit data outputted from the add-round-key transform unit 170 through either of its encryption output terminal '0' and its decryption output terminal '1' according to the value of the mode signal.
[48] Referring to FIG. 3, a 128-bit prekey register 111 of the round key generation unit 110 stores the 128-bit input key inputted through the bus 200 as a prekey for transforming the 128-bit input key into the 128-bit round key RK for encryption or decryption, and stores the 128-bit round key RK generated after each round operation as a prekey for generating the round key used in the next round operation.
[49] A 128-bit round key register 111a of the round key generation unit 110 stores the 128-bit round key RK for encryption or decryption for each round operation. In FIG. 3, the 128-bit round key RK to be stored in the 128-bit round key register 111a is backed up to the 128-bit prekey register 111 after each round operation, and is used as a round key (i.e., prekey) of the previous round in the next round operation.
[50] A constant storage unit 112 of the round key generation unit 110 stores constant values Rcon determined according to the order of the round indicated by the round number signal inputted from the round operation control unit 300. It is preferable that the constant storage unit 112 comprises a ROM.
[51] A second multiplexer 113 of the round key generation unit 110 is controlled according to the value of the mode signal inputted through the bus 200, and selects and outputs either of 32-bit keys for encryption or decryption inputted from the 128-bit prekey register 111 and the 128-bit round key register 111a.
[52] A shifter 114 of the round key generation unit 110 performs a cyclic shift of the 32-bit key inputted through the second multiplexer 113 to the left by one byte.
[53] A substitution transform unit 115 of the round key generation unit 110 is composed of substitution boxes (S-boxes) for performing the substitution operation, and performs a substitution of the 32-bit key shifted by the shifter 114.
[54] A first XOR gate 116 of the round key generation unit 110 performs an XOR operation of the most significant byte of the 32-bit key outputted from the substitution transform unit 115 with the constant value stored in the constant storage unit 112.
[55] A round XOR operation unit 117 of the round key generation unit 110 newly generates the 128-bit round key RK for encryption or decryption to be stored in the 128-bit round key register 111a for each round of the round operation by performing an XOR operation using a 32-bit value obtained by adding output bits of the first XOR gate 116 to the remaining 24 bits except for the most significant byte of the substitution transform unit 115, the 128-bit round key (i.e., prekey) of the previous round stored in the 128-bit prekey register 111, and the 128-bit round key RK of the new round stored in the 128-bit round key register 111a.
[56] A second XOR gate 118 of the round XOR operation unit 117 generates the most significant 32-bit round key RK0 of the 128-bit round key for encryption or decryption of the new round by performing an XOR operation of the 32-bit value obtained by adding the output bits of the first XOR gate 116 to the remaining 24 bits except for the most significant byte of the substitution transform unit 115, with the most significant 32-bit round key PK0 of the 128-bit round key of the previous round.
[57] A third XOR gate 118a of the round XOR operation unit 117 generates a 32-bit (i.e., 95th bit to 64th bit) round key RK1 of the 128-bit round key for encryption of the new round by performing an XOR operation of the most significant 32-bit (i.e., 127th bit to 96th bit) round key RK0 of the 128-bit round key of the new round with a 32-bit (i.e., 95th bit to 64th bit) round key PK1 next to the most significant 32 bits of the 128-bit round key of the previous round.
[58] The third XOR gate 118a also generates a 32-bit (i.e., 95th bit to 64th bit) round key RK1 of the 128-bit round key for decryption of the new round by performing an XOR operation of the most significant 32-bit (i.e., 127th bit to 96th bit) round key PK0 of the 128-bit round key of the previous round with a 32-bit (i.e., 95th bit to 64th bit) round key PK1 next to the most significant 32 bits.
[59] A third multiplexer 119 of the round XOR operation unit 117 is controlled according to the value of the mode signal inputted through the bus 200, and selectively determines input signals of the third XOR gate 118a.
[60] A fourth XOR gate 118b of the round XOR operation unit 117 generates a 32-bit (i.e., 63rd bit to 32nd bit) round key RK2 of the 128-bit round key for encryption of the new round by performing an XOR operation of a 32-bit (i.e., 95th bit to 64th bit) round key RK1 of the 128-bit round key of the new round with a 32-bit (i.e., 63rd bit to 32nd bit) round key PK2 of the 128-bit round key of the previous round.
[61] The fourth XOR gate 118b also generates a 32-bit (i.e., 63rd bit to 32nd bit) round key RK2 of the 128-bit round key for decryption of the new round by performing an XOR operation of a 32-bit (i.e., 95th bit to 64th bit) round key PK1 of the 128-bit round key of the previous round with a next 32-bit (i.e., 63rd bit to 32nd bit) round key PK2.
[62] A fourth multiplexer 119a of the round XOR operation unit 117 is controlled according to the value of the mode signal inputted through the bus 200, and selectively determines input signals of the fourth XOR gate 118b.
[63] A fifth XOR gate 118c of the round XOR operation unit 117 generates a 32-bit (i.e., 31st bit to 0th bit) round key RK3 of the 128-bit round key for encryption of the new round by performing an XOR operation of a 32-bit (i.e., 63rd bit to 32nd bit) round key RK2 of the 128-bit round key of the new round with a 32-bit (i.e., 31st bit to 0th bit) round key PK3 of the 128-bit round key of the previous round.
[64] The fifth XOR gate 118c also generates a 32-bit (i.e., 31st bit to 0th bit) round key RK3 of the 128-bit round key for decryption of the new round by performing an XOR operation of a 32-bit (i.e., 63rd bit to 32nd bit) round key PK2 of the 128-bit round key of the previous round with a next 32-bit (i.e., 31st bit to 0th bit) round key PK3.
[65] A fifth multiplexer 119b of the round XOR operation unit 117 is controlled according to the value of the mode signal inputted through the bus 200, and selectively determines input signals of the fifth XOR gate 118c.
[66] The rijndael block cipher apparatus as constructed above according to the present invention performs the encryption and decryption processes as follows:
[67] First, referring to FIGs. 1 and 2, the encryption and decryption operation of the rijndael block cipher apparatus will be explained.
[68] If a round operation starts, a round key generation process is performed as the initial 128-bit input key is inputted to the round key generation unit 100 through the bus 200, and 128-bit input data is inputted to the shift/inverse- shift_row transform unit 120.
[69] At this time, the shift/in verse-shift_row transform unit 120 performs a shift/ inverse-shift by different numbers of bytes as defined in the rijndael block cipher algorithm.
[70] If the round operation control unit 300 sends a signal that selects upper 64 bits
(sel=T), the shift/inverse- shift_row transform unit 120 outputs the upper 64 bits through the first multiplexer 121, while if the round operation control unit 300 sends a signal that selects lower 64 bits (sel='0'), it outputs the lower 64 bits through the first multiplexer 121.
[71] After the byte shift/inverse- shift_row operation as described above is performed, the upper or lower 64-bit data is inputted to the substitution/inverse-substitution transform unit 130, and the substitution or inverse substitution of the data is performed by a substitution box (S-box) or an inverse-substitution box (Si-box). At this time, the S-box and the Si-box serve as a substitution transform unit that outputs a one-byte output with respect to a one-byte input as defined in a specification of the rijndael algorithm. Also, since it is enough that the substitution/inverse-substitution transform unit 130 proposed according to the present invention processes only 64-bit data at a time, it requires only 8 S-boxes or 8 Si-boxes. [72] If a mode signal that selects the encryption process (mode='0') is inputted through the bus 200 after the substitution/inverse-substitution operation is performed as described above, the upper or lower 64-bit data is inputted to the mix/ inverse-mixcolumn transform unit 150 through the encryption output terminal '0' of the first demultiplexer 140, while if a mode signal that selects the decryption process (mode=T) is inputted through the bus 200, the upper or lower 64-bit data is inputted to the add-round-key transform unit 170 through the c mix/inverse-mixcolumn transform unit 150 through the decryption output terminal T of the first demultiplexer 140.
[73] If the mode signal that selects the encryption process (mode='0') is inputted through the bus 200, the 64-bit data that has passed through the mix/inverse-mixcolumn transform unit is inputted to the add-round-key transform unit 170 through the encryption output terminal '0' of the second demultiplexer 160, while if the mode signal that selects the decryption process (mode='1') is inputted through the bus 200, the 64-bit data is outputted through the decryption output terminal '1' of the second demultiplexer 160 as a resultant data of the round operation.
[74] Also, if the mode signal that selects the encryption process (mode='0') is inputted through the bus 200, the 64-bit data that has passed through the add-round-key transform unit is outputted through the encryption output terminal '0' of the third demultiplexer 180 as a resultant output of the round operation, while if the mode signal that selects the decryption process (mode='1') is inputted through the bus 200, the 64-bit data is inputted to the mix/inverse-mixcolumn transform unit 150 through the decryption output terminal '1' of the third demultiplexer 180.
[75] As described above, since the present invention is intended to reduce the use of hardware resources by sharing constituent elements commonly used in the encryption process and the decryption process, the respective transform units have both functions of encryption and decryption.
[76] Meanwhile, referring to FIG. 3, the generation of round keys for encryption or decryption required for the encryption and decryption operation of the rijndael block cipher apparatus according to the present invention and performed by the round key generation unit 100 will be explained.
[77] If the 4-clock or 3-clock round operation start signal and the round number signal are inputted from the round operation control unit 300 to the round operation unit 100, the round operation starts.
[78] If the round operation starts, the round key generation unit 110 starts to generate a round key RK of a new round using the 128-bit round key (i.e., prekey) of the previous round stored in the 128-bit prekey register 111.
[79] If the mode signal that selects the encryption (mode='0') is inputted through the bus 200, the least significant 32 bits (PK3) of the 128-bit round key of the previous round of the 128-bit prekey register 111 is inputted to the shifter 114 through the second multiplexer 113.
[80] By contrast, if the mode signal that selects the decryption (mode='1') is inputted through the bus 200, the fifth XOR gate 118c performs an XOR operation of the lower 64 bits PK2 and PK3 of the round key of the previous round, and temporarily stores the XORed 32 bits as the least significant 32 bits RK3 of a new round key. Simultaneously, this value RK3 is inputted to the shifter 114 through the second multiplexer 113.
[81] The 32-bit key inputted to the shifter 114 is shifted to the left by one byte, and then substituted by the substitution transform unit 115 composed of 4 S-boxes.
[82] As described above, the most significant 8-bit key of the substitution-transformed 32-bit keys is XORed by the first XOR gate 116 with the constant value Rcon determined according to the order of the round indicated by the round number signal inputted from the round operation control unit 300. The resultant 8 bits outputted from the first XOR gate 116 are added to the remaining 24 bits outputted from the substitution transform unit 115, and the added bits are inputted to the second XOR gate 118 of the round XOR operation unit 117.
[83] Especially, by limiting the part in which the constant values related to the round numbers are XORed during the round key generation process only to the upper 8 bits of the 32-bit data that has passed through the substitution transform unit 115, the effect of reduction of the hardware size can be obtained. In this regard, the rijndael algorithm specification describes a structure that forms a 32-bit constant value related to the round number by padding the 8-bit constant value with 24 '0' bits, and then performs an XOR operation of the 32-bit constant value with the 32-bit value that has passed through the substitution transform unit 115.
[84] Then, the second XOR gate 118 performs an XOR operation of the 32 bits, which are obtained by adding the resultant 8 bits outputted from the first XOR gate 116 to the remaining 24 bits outputted from the substitution transform unit 115, with the most significant 32 bits PK0 of the round key of the previous round, and stores the resultant value of the XOR operation as the most significant 32-bit round key RK0 of the new round.
[85] After the most significant 32-bit round key RK0 required for encryption or decryption of the new round is generated as described above, the third XOR gate 118a, in the case of encryption process, generates the next 32-bit round key RK1 of the new round by performing an XOR operation of the most significant 32-bit round key RK0 of the new round with the upper 32-bit (i.e., 95 bit to 64 bit) round key PK1 of the previous round. In the case of decryption process, the third XOR gate 118a generates the next 32-bit round key RK1 of the new round by performing an XOR operation of the most significant 32-bit round key PK0 of the previous round with the next upper 32-bit round key PK1 of the previous round.
[86] At this time, the third multiplexer 119 determines the input values of the third XOR gate 118a according to the mode signal that is inputted through the bus 200 and that indicates the encryption process or the decryption process.
[87] After the 32-bit round key RK1 next to the most significant 32-bit round key RK0 of the new round is generated as described above, the next 32-bit round key RK2 and the least significant 32-bit round key RK3 for encryption or decryption are generated by the fourth XOR gate 118b and the fifth XOR gate 118c which operate in the same manner as the third XOR gate 118a. The fourth multiplexer 119a determines the input values of the fourth XOR gate 118b, and the fifth multiplexer 119b determines the input values of the fifth XOR gate 118c.
[88] Especially, the time required to generate the 128-bit round key of the new round in the unit of 32 bits corresponds to the whole 4-clock period of the round operation start signal inputted from the round operation control unit 300 in the case of encryption process, and corresponds to the whole 2-clock period in the case of decryption process.
[89] In practice, when the first clock of the encryption round operation start signal becomes '1', the most significant 32-bit round key RK0 of the new round is generated through the second XOR gate 118, and whenever the second, third and fourth clocks become '1', the 32-bit round keys RK1, RK2 and RK3 of the new round are generated through the third XOR gate 118a, fourth XOR gate 118b and fifth XOR gate 118c, respectively. Also, when the first clock of the decryption round operation start signal becomes '1', the most significant 32-bit round key RK0 of the new round is generated through the second XOR gate 118, and when the second clock becomes '1', the 32-bit round keys RK1, RK2 and RK3 of the new round are simultaneously generated through the third XOR gate 118a, fourth XOR gate 118b and fifth XOR gate 118c.
[90] In the case that the 3-clock round operation start signal is inputted from the round operation control unit 300 to the round operation unit 100, the round key generation unit 110 generates the encryption round key during the 2-clock period.
[91] At this time, the process of generating the most significant 32-bit (i.e., 127 bit to 96 bit) round key RK0 of the 128-bit round key of the new round is performed when the first clock of the round operation start signal becomes '1'.
[92] If the second clock of the round operation start signal becomes '1', the third XOR gate 118a generates the 32-bit (i.e., 95th bit to 64th bit) round key RK1 of the 128-bit round key for encryption of the new round by performing an XOR operation of the most significant 32-bit (i.e., 127 bit to 96 bit) round key RK0 of the 128-bit round key of the new round with the 32-bit round key PK1 next to the most significant 32 bits of the 128-bit round key of the previous round.
[93] Simultaneously, the fourth XOR gate 118b generates a 32-bit (i.e., 63rd bit to 32nd bit) round key RK2 of the 128-bit round key for encryption of the new round by performing an XOR operation of a resultant value (RK0 ⊕ PK1), which is obtained by the third XOR gate's XOR operation of the most significant 32-bit (i.e., 127 bit to 96 bit) round key RK0 of the 128-bit round key of the new round with the 32-bit (i.e., 95 bit to 64 bit) round key PK1 next to the most significant 32-bit round key of the 128-bit round key of the previous round, with the 32-bit (i.e., 63 bit to 32 bit) round key PK2 of the previous round.
[94] Simultaneously, the fifth XOR gate 118c generates a 32-bit (i.e., 31st bit to 0th bit) round key RK3 of the 128-bit round key for encryption of the new round by performing an XOR operation of a resultant value (RK0 ⊕ PK1), which is obtained by the fourth XOR gate's XOR operation of the most significant 32-bit (i.e., 127 bit to 96 bit) round key RK0 of the 128-bit round key of the new round that has been XORed by the third XOR gate 118a with the 32-bit (i.e., 95th bit to 64 bit) round key PK1 next to the most significant 32-bit round key of the 128-bit round key of the previous round, with the 32-bit (i.e., 63 bit to 32 bit) round key PK2 of the previous round to produce a resultant value (RK0 ⊕ PK1 ⊕ PK2) of XOR operation, and then performing an XOR operation of the resultant value (RK0 ⊕ PK1 ⊕ PK2) with the 32-bit (31 bit to 0 bit) round key PK3 of the previous round.
[95] In the case that the 2-clock round operation start signal is inputted from the round operation control unit 300 to the round operation unit 100, the round key generation unit 110 generates the encryption round key during the one-clock period.
[96] At this time, the process of generating the most significant 32-bit (i.e., 127 bit to 96 bit) round key RK0 of the 128-bit round key of the new round through the second XOR gate 118 is performed when the round operation start signal is inputted and the clock is simultaneously in a '0' state.
[97] If the first clock of the round operation start signal becomes '1', the third XOR gate 118a generates the 32-bit (i.e., 95 bit to 64 bit) round key RK1 of the 128-bit round key for encryption of the new round by performing an XOR operation of the most significant 32-bit (i.e., 127 bit to 96 bit) round key RK0 of the 128-bit round key of the new round with the 32-bit round key PK1 next to the most significant 32 bits of the 128-bit round key of the previous round.
[98] Simultaneously, the fourth XOR gate 118b generates a 32-bit (i.e., 63 bit to 32 bit) round key RK2 of the 128-bit round key for encryption of the new round by performing an XOR operation of a resultant value (RK0 ⊕ PK1), which is obtained by the third XOR gate's XOR operation of the most significant 32-bit (i.e., 127 bit to 96 bit) round key RK0 of the 128-bit round key of the new round with the 32-bit (i.e., 95 bit to 64 bit) round key PK1 next to the most significant 32-bit round key of the 128-bit round key of the previous round, with the 32-bit (i.e., 63 bit to 32 bit) round key PK2 of the previous round.
[99] Simultaneously, the fifth XOR gate 118c generates a 32-bit (i.e., 31st bit to 0th bit) round key RK3 of the 128-bit round key for encryption of the new round by performing an XOR operation of a resultant value (RK0 ⊕ PK1), which is obtained by the fourth XOR gate's XOR operation of the most significant 32-bit (i.e., 127 bit to 96 bit) round key RK0 of the 128-bit round key of the new round that has been XORed by the third XOR gate 118a with the 32-bit (i.e., 95th bit to 64 bit) round key PK1 next to the most significant 32-bit round key of the 128-bit round key of the previous round, with the 32-bit (i.e., 63 bit to 32 bit) round key PK2 of the previous round to produce a resultant value (RK0 ⊕ PK1 ⊕ PK2) of XOR operation, and then performing an XOR operation of the resultant value (RK0 ⊕ PK1 ⊕ PK2) with the 32-bit (31 bit to 0 bit) round key PK3 of the previous round.
[100] In the case that the 2-clock round operation start signal is inputted from the round operation control unit 300 to the round operation unit 100, the round key generation unit 110 generates the decryption round key during the one-clock period.
[101] At this time, the process of generating the most significant 32-bit (i.e., 127 bit to 96 bit) round key RK0 of the 128-bit round key of the new round through the second XOR gate 118 is performed when the round operation start signal is inputted and the clock is simultaneously in a '0' state.
[102] If the first clock of the round operation start signal becomes '1', the third XOR gate 118a generates the next 32-bit round key RK1 of the new round by performing an XOR operation of the most significant 32 bits PK0 of the previous round with the next upper 32 bits PK1 of the previous round, and in succession the fourth XOR gate 118b and the fifth XOR gate 118c, which operate in the same manner as the third XOR gate 118a, generate the next 32-bit round key RK2 for decryption and the least significant 32-bit round key RK3. These processes are simultaneously performed during the first clock period.
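The round-key datapath of paragraphs [78] to [87] and the decryption path of [80], modelled as an added example (not code from the patent). Function names are hypothetical, the S-box is computed from its standard definition rather than taken from the page, and the sample key is the AES-128 example key from FIPS-197 Appendix A.1.

```python
# Software model of the on-the-fly 128-bit round-key generation described above.
# Names are hypothetical. PK0/RK0 are the most significant 32-bit words.

def gf_mul(a, b):
    """Multiply two bytes in GF(2^8) modulo x^8 + x^4 + x^3 + x + 1."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        if a & 0x100:
            a ^= 0x11B
        b >>= 1
    return r

def build_sbox():
    """S-box = multiplicative inverse followed by the affine transform."""
    sbox = []
    for x in range(256):
        inv = 0
        if x:
            inv = 1
            for _ in range(254):          # x^254 is the inverse of x
                inv = gf_mul(inv, x)
        s = inv
        for i in range(1, 5):             # XOR of four left rotations
            s ^= ((inv << i) | (inv >> (8 - i))) & 0xFF
        sbox.append(s ^ 0x63)
    return sbox

SBOX = build_sbox()

def rcon(round_no):
    """8-bit round constant for round_no = 1..10."""
    c = 1
    for _ in range(round_no - 1):
        c = gf_mul(c, 2)
    return c

def g(word, round_no):
    """Shifter 114, four S-boxes 115 and the 8-bit Rcon XOR of gate 116."""
    rot = ((word << 8) | (word >> 24)) & 0xFFFFFFFF   # left shift by one byte
    sub = 0
    for shift in (24, 16, 8, 0):
        sub |= SBOX[(rot >> shift) & 0xFF] << shift
    return sub ^ (rcon(round_no) << 24)   # Rcon touches the top byte only

def next_round_key(pk, round_no):
    """Encryption mode: RK1..RK3 formed in parallel from RK0 and PK1..PK3."""
    pk0, pk1, pk2, pk3 = pk
    rk0 = pk0 ^ g(pk3, round_no)
    return (rk0, rk0 ^ pk1, rk0 ^ pk1 ^ pk2, rk0 ^ pk1 ^ pk2 ^ pk3)

def next_round_key_chained(pk, round_no):
    """Same result computed word by word, one XOR gate feeding the next."""
    rk0 = pk[0] ^ g(pk[3], round_no)
    rk1 = rk0 ^ pk[1]
    rk2 = rk1 ^ pk[2]
    return (rk0, rk1, rk2, rk2 ^ pk[3])

def prev_round_key(pk, round_no):
    """Decryption mode: RK3 = PK2 ^ PK3 feeds the shifter, then RK0.
    Assumption: round_no is the round whose key is being undone."""
    pk0, pk1, pk2, pk3 = pk
    rk3 = pk2 ^ pk3
    rk0 = pk0 ^ g(rk3, round_no)
    return (rk0, pk0 ^ pk1, pk1 ^ pk2, rk3)

def to_words(hex_key):
    k = bytes.fromhex(hex_key)
    return tuple(int.from_bytes(k[i:i + 4], "big") for i in range(0, 16, 4))

def to_hex(words):
    return "".join(f"{w:08x}" for w in words)

def last_round_key(key_words, rounds=10):
    rk = key_words
    for r in range(1, rounds + 1):
        rk = next_round_key(rk, r)
    return rk

def first_round_key(last_words, rounds=10):
    rk = last_words
    for r in range(rounds, 0, -1):
        rk = prev_round_key(rk, r)
    return rk

# Sample input: the AES-128 example key of FIPS-197 Appendix A.1.
SAMPLE_KEY = to_words("2b7e151628aed2a6abf7158809cf4f3c")

if __name__ == "__main__":
    last = last_round_key(SAMPLE_KEY)
    print("round 1 :", to_hex(next_round_key(SAMPLE_KEY, 1)))
    print("round 10:", to_hex(last))
    print("walked back to cipher key:", first_round_key(last) == SAMPLE_KEY)
```

The decryption path starts from the last round key, so a design of this kind has to run the forward schedule once, or keep the final round key, before the inverse path can be used.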
[103] Now, the operation of the rijndael block cipher apparatus that performs the encryption and decryption process as described above will be explained in more detail in accordance with the number of clocks of the round operation start signal inputted from the round operation control unit 300 to the round operation unit 100.
[104] FIG. 4 is a first timing diagram illustrating a method of encrypting a rijndael block cipher according to the present invention.
[105] Referring to FIG. 4, if the four-clock round operation start signal and the round number signal are inputted from the round operation control unit 300 to the round operation unit 100 (step S400), the byte-shift transform and the substitution operation are successively performed with respect to the upper 64-bit data of the 128-bit round operation input data at the moment when the first clock becomes '1' (step S401), and these two processes are performed within one clock. The results of these processes are stored in the 64-bit data register 400. Also, at the moment when the first clock of the round operation start signal becomes '1', the 128-bit round key generation process using the 128-bit round input key starts (step S401a).
[106] At the moment when the second clock of the round operation start signal becomes '1', the mixcolumn transform using the 64-bit data stored in the 64-bit data register 400 is performed with its resultant values stored in the 64-bit data register 400 (step S402), and simultaneously, the byte-shift transform and the substitution operation of the lower 64-bit data of the round operation input data are successively performed (step S402). These two processes are performed in one clock. Also, the resultant data of the byte-shift transform and the substitution operation of the lower 64-bit data are stored in a lower 64-bit position of the 128-bit data register 500 that stores the round operation results.
[107] At the moment when the third clock of the round operation start signal becomes '1', the 64 bits stored in the 64-bit data register 400 are inputted to the add-round-key transform unit 170 so as to be added to the upper 64 bits of the round key generated by the round key generation unit 110, and the resultant value is stored in the upper 64-bit position of the 128-bit data register 500 (step S403). Also, the mixcolumn transform of the lower 64-bit data of the 128-bit data register 500 is performed, and the resultant value is stored in the lower 64-bit position of the 128-bit data register 500 (step S403).
[108] At the moment when the fourth clock of the round operation start signal becomes '1', the lower 64 bits of the 128-bit data register 500 are inputted to the add-round-key transform unit 170 so as to be added to the lower 64 bits of the round key generated by the round key generation unit 110, and the resultant value is stored in the lower 64-bit position of the 128-bit data register 500 (step S404).
[109] Accordingly, in the rijndael block cipher apparatus that performs the above-described encryption process, the 128-bit data of the 128-bit data register 500 is used as the 128-bit round operation input data of the next round, and the round key RK newly generated by the round key generation unit 110 and then stored in the 128-bit round key register 111a is also stored in the 128-bit prekey register 111 to be used as the 128-bit round input key of the next round. Consequently, the encryption operation of one round is completed within a period of four clocks.
[110] In the case that the encryption method as illustrated in FIG. 4 is performed by the rijndael block cipher apparatus according to the present invention, the round key generation unit 110 completes the round key generation process within a period of four clocks of the round operation start signal. That is, as shown in FIG. 4, the add-round-key transform process (step S403), which is the process of adding the upper 64-bit data to the round key, is performed after the third clock from the start of the round operation. After the second clock from the start of the round operation, only the upper 64-bit round key of the new round is generated, and at this time point, there is no problem in performing the encryption operation of the round operation since only the upper 64-bit round key is used. Also, since the time point when the fourth clock starts after the third clock for the round operation coincides with the time point when all the 128-bit round keys are generated, there is no problem in performing the add-round-key transform process (step S404) for adding the lower 64-bit data to the lower 64-bit round key.
[111] Also, in the rijndael block cipher apparatus that performs the above-described encryption process, the 64-bit data register 400 is used as the storage space of the intermediate data generated during the encryption process, and thus the result of the byte-shift transform of the upper 64-bit data does not affect the byte-shift transform of the lower 64-bit data. Also, since the upper 64-bit data and the lower 64-bit data are simultaneously transformed, but are not transformed in the same manner during the same clock period, the number of hardware modules required for the transform can be reduced by half. Especially, the data generated for each clock is updated and stored in one storage space, and thus no additional storage space is required. That is, this case is directed to the structure that applies a pipeline structure but requires no additional hardware, and this structure will be applied in the same manner to methods of encrypting and decrypting the rijndael block cipher according to other embodiments of the present invention to be explained later.
[112] FIG. 5 is a first timing diagram illustrating a method of decrypting a rijndael block cipher according to the present invention.
[113] Referring to FIG. 5, if the four-clock round operation start signal and the round number signal are inputted from the round operation control unit 300 to the round operation unit 100 (step S500), the byte-inverse-shift transform and the inverse-substitution operation are successively performed with respect to the upper 64-bit data of the 128-bit round operation input data at the moment when the first clock becomes '1' (step S501), and these two processes are performed within one clock. At this time, the resultant data is stored in the 64-bit data register 400. Also, if the first clock of the round operation start signal becomes '1', the 128-bit round key generation process using the 128-bit round input key starts (step S501a).
[114] At the moment when the second clock of the round operation start signal becomes '1', the add-round-key transform for adding the 64-bit data stored in the 64-bit data register 400 to the upper 64 bits of the round key generated through the round key generation unit 110 is performed, and the resultant data is stored in the 64-bit data register 400 (step S502). Simultaneously, the byte-inverse-shift transform and the inverse-substitution of the lower 64-bit data of the round operation input data are successively performed, and the resultant data is stored in the lower 64-bit position of the 128-bit data register (step S502).
[115] At the moment when the third clock of the round operation start signal becomes '1', the 64-bit data stored in the 64-bit data register 400 is inputted to the mix/inverse-mixcolumn transform unit 150, and the resultant data of the inverse-mixcolumn transform is stored in the upper 64-bit position of the 128-bit data register 500 (step S503). Simultaneously, the add-round-key transform for adding the lower 64-bit data that has passed through the inverse-substitution operation to the round key generated from the round key generation unit 110 is performed, and the resultant data is stored in the lower 64-bit position of the 128-bit data register (step S503).
[116] At the moment when the fourth clock of the round operation start signal becomes '1', the lower 64-bit data that has passed through the add-round-key transform is inputted to the mix/inverse-mixcolumn transform unit 150 to be inverse-mixcolumn-transformed, and the resultant data is stored in the lower 64-bit position of the 128-bit data register 500 (step S504).
[117] At this time, the 128-bit data of the 128-bit data register 500 is used as the 128-bit round operation input data of the next decryption round operation, and the 128-bit round key RK that is the result of the round key generation is stored in the 128-bit prekey register 111 so as to be used as the 128-bit round input key of the next round operation. Consequently, the decryption operation of one round is completed within a period of four clocks.
[118] In the case that the decryption method as illustrated in FIG. 5 is performed by the rijndael block cipher apparatus according to the present invention, the round key generation unit 110 completes the round key generation process within a period of two clocks of the round operation start signal. That is, as shown in FIG. 5, since the add-round-key transform process (step S502), which is the process of adding the upper 64-bit round key to the 64-bit data, is performed after the second clock from the start of the round operation, all the 128-bit round keys have already been generated at the time point of the second clock, and thus there is no problem in performing the round operation.
[119] FIG. 6 is a second timing diagram illustrating a method of encrypting a rijndael block cipher according to the present invention.
[120] Referring to FIG. 6, if the three-clock round operation start signal and the round number signal are inputted from the round operation control unit 300 to the round operation unit 100 (step S600), the byte-shift operation and the substitution operation of the upper 64-bit data are successively performed at the moment when the first clock becomes '1', and the resultant data is stored in the 64-bit data register (step S601). Also, the round key generation process is simultaneously performed (step S601a).
[121] At the moment when the second clock of the round operation start signal becomes '1', the 64-bit data stored in the 64-bit data register 400 is mixcolumn-transformed, and then added to the upper 64-bit round key of the resultant data of the add-round-key transform unit 110. The resultant data of the add-round-key transform is stored in the 64-bit data register 400 (step S602). Simultaneously, the byte-shift transform and the substitution operation of the lower 64-bit data are successively performed, and the resultant data is stored in the lower 64-bit position of the 128-bit data register 500 (step S602).
[122] At the moment when the third clock of the round operation start signal becomes '1', the 64-bit data stored in the 64-bit data register 400 is inputted to the upper 64-bit position of the 128-bit data register 500, and the lower 64-bit data of the 128-bit data register 500 is mixcolumn-transformed and then added to the lower 64-bit round key of the round key generated by the round key generation unit 110. The resultant data is stored in the lower 64-bit position of the 128-bit data register 500 (step S603).
[123] At this time, the 128-bit data of the 128-bit data register 500 is used as the 128-bit round operation input data of the next round operation, and the round key RK generated by the round key generation unit 110 is stored in the 128-bit prekey register 111 and then used as the 128-bit round input key of the next round. Consequently, the encryption operation of one round is completed within a period of three clocks.
[124] In the case that the encryption method as illustrated in FIG. 6 is performed by the rijndael block cipher apparatus according to the present invention, the round key generation unit 110 completes the round key generation process within a period of two clocks of the round operation start signal. That is, as shown in FIG. 6, since the add-round-key transform process (step S602), which is the process of adding the upper 64-bit round key to the upper 64-bit data, is performed after the second clock from the start of the round operation, all the 128-bit round keys have already been generated at the time point of the second clock, and thus there is no problem in performing the round operation.
[125] FIG. 7 is a second timing diagram illustrating a method of decrypting a rijndael block cipher according to the present invention.
[126] Referring to FIG. 7, if the three-clock round operation start signal and the round number signal are inputted from the round operation control unit 300 to the round operation unit 100 (step S700), the byte-inverse-shift transform and the inverse-substitution operation are successively performed with respect to the upper 64-bit data of the 128-bit round operation input data at the moment when the first clock becomes '1', and the resultant data is stored in the 64-bit data register 400 (step S701). Also, the round key generation process starts simultaneously with these transforms (step S701a).
[127] When the second clock of the round operation start signal becomes '1', the add-round-key transform for adding the 64-bit data stored in the 64-bit data register 400 to the upper 64-bit round key of the round key generated by the round key generation unit 110 is performed, and the resultant data is inputted to the mix/inverse-mixcolumn transform unit 150. The inverse-mixcolumn-transformed data is stored in the 64-bit data register 400 (step S702). Simultaneously, the byte-inverse-shift transform and the inverse-substitution transform of the lower 64-bit data of the round operation input data are successively performed, and the resultant data is stored in the lower 64-bit position of the 128-bit data register (step S702).
[128] At the moment when the third clock of the round operation start signal becomes '1', the 64-bit data stored in the 64-bit data register 400 is stored in the upper 64-bit position of the 128-bit data register 500, and the add-round-key transform for adding the lower 64-bit data of the 128-bit data register 500 to the lower 64-bit round key of the round key generation unit 110 is performed. The resultant data of the add-round-key transform is then inverse-mixcolumn-transformed, and the resultant data of the inverse-mixcolumn transform is stored in the lower 64-bit position of the 128-bit data register 500 (step S703).
[129] At this time, the 128-bit data of the 128-bit data register 500 is used as the 128-bit round operation input data of the next round operation, and the 128-bit round key RK generated by the round key generation unit 110 is stored in the 128-bit prekey register 111 so as to be used as the 128-bit round input key of the next round operation. Consequently, the decryption operation of one round is completed within a period of three clocks.
[130] In the case that the decryption method as illustrated in FIG. 7 is performed by the rijndael block cipher apparatus according to the present invention, the round key generation unit 110 completes the round key generation process within a period of two clocks of the round operation start signal. That is, as shown in FIG. 7, since the add-round-key transform process (step S702) for adding the upper 64-bit round key to the upper 64-bit data is performed after the second clock from the start of the round operation, all the 128-bit round keys have already been generated at the time point of the second clock, and thus there is no problem in performing the round operation.
[131] FIG. 8 is a third timing diagram illustrating a method of encrypting a rijndael block cipher according to the present invention.
[132] Referring to FIG. 8, if the two-clock round operation start signal and the round number signal are inputted from the round operation control unit 300 to the round operation unit 100 (step S800), the byte-shift transform, the substitution transform, the mixcolumn transform and the add-round-key transform are successively performed with respect to the upper 64-bit data of the round input data when the first clock becomes '1', and the resultant data is stored in the 64-bit data register 400 (step S801). Simultaneously, the round key generation process (step S801a) is performed, and the add-round-key transform of the upper 64-bit round key of the generated round key is performed. These processes are performed in a period of one clock.
[133] When the second clock of the round operation start signal becomes '1', the byte-shift transform, the substitution transform, the mixcolumn transform and the add-round-key transform are successively performed with respect to the lower 64-bit data of the round input data, and the resultant data is stored in the lower 64-bit position of the 128-bit data register 500 (step S802). Also, the add-round-key transform of the lower 64-bit round key of the round key generated in the round key generation process is performed. At this time, the 64-bit data stored in the 64-bit data register 400 is stored in the upper 64-bit position of the 128-bit data register 500, and the 128-bit round key RK newly generated by the round key generation unit 110 is stored in the 128-bit round key register 111a and backed up in the 128-bit prekey register 111. Consequently, the encryption operation of one round is completed within a period of two clocks.
[134] In the case that the encryption method as illustrated in FIG. 8 is performed by the rijndael block cipher apparatus according to the present invention, the round key generation unit 110 completes the round key generation process within a period of one clock of the round operation start signal. That is, as shown in FIG. 8, since the add-round-key transform process (step S801) for adding the upper 64-bit round key to the upper 64-bit data is performed after the first clock from the start of the round operation, all the 128-bit round keys have already been generated at the time point of the first clock, and thus there is no problem in performing the round operation.
[135] Actually, the round key generation unit 110 as illustrated in FIG. 3 generates RK1 using RK0, and RK2 using RK1. The round key generation unit 110 does not generate RK3 using RK2, but generates RK0 in a state that the round operation start signal is inputted and the clock becomes '0' simultaneously. When the first clock becomes '1', the round key generation unit 110 generates RK1 by XORing RK0 with PK1, RK2 by XORing RK0 with PK1 and PK2, and RK3 by XORing RK0 with PK1, PK2 and PK3, simultaneously.
[136] FIG. 9 is a third timing diagram illustrating a method of decrypting a rijndael block cipher according to the present invention.
[137] Referring to FIG. 9, if the two-clock round operation start signal and the round number signal are inputted from the round operation control unit 300 to the round operation unit 100 (step S900), the byte-inverse-shift transform, the inverse-substitution transform, the add-round-key transform and the inverse-mixcolumn transform are successively performed with respect to the upper 64-bit data of the round input data when the first clock becomes '1', and the resultant data is stored in the 64-bit data register 400 (step S901). These processes are performed in a period of one clock. Simultaneously, the round key generation process (step S901a) for decryption is performed, and the add-round-key transform of the upper 64-bit round key of the round key generated by the round key generation unit 110 is performed.
[138] When the second clock of the round operation start signal becomes '1', the byte-inverse-shift transform, the inverse-substitution transform, the add-round-key transform and the inverse-mixcolumn transform are successively performed with respect to the lower 64-bit data of the round input data, and the resultant data is stored in the lower 64-bit position of the 128-bit data register 500 (step S902). These processes are performed in a period of one clock. Also, the lower 64-bit round key of the round key generated prior to one clock by the round key generation unit 110 is used for the add-round-key transform. At this time, the 64-bit data stored in the 64-bit data register 400 is stored in the upper 64-bit position of the 128-bit data register 500, and the 128-bit round key RK newly generated by the round key generation unit 110 is stored in the 128-bit round key register 111a and backed up in the 128-bit prekey register 111. Consequently, the decryption operation of one round is completed within a period of two clocks.
[139] In the case that the decryption method as illustrated in FIG. 9 is performed by the rijndael block cipher apparatus according to the present invention, the round key generation unit 110 completes the round key generation process within a period of one clock of the round operation start signal. That is, as shown in FIG. 9, the add-round-key transform process (step S901) for adding the upper 64-bit round key to the upper 64-bit data is performed after the first clock from the start of the round operation, but all the 128-bit round keys have already been generated at the time point of the first clock, and thus there is no problem in performing the round operation.
[140] Actually, the round key generation unit 110 as illustrated in FIG. 3 generates RK0 in a state that the round operation start signal is inputted and the clock becomes '0' simultaneously. When the first clock becomes '1', the round key generation unit 110 generates RK1 by XORing RK0 with PK1, RK2 by XORing PK1 with PK2, and RK3 by XORing PK2 with PK3, simultaneously.
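The round-key datapath of paragraphs [135] and [140], as an added C example that is not code from the patent: it derives each 128-bit round key from the prekey words PK0..PK3 in the chained form and in the parallel form of [135], and steps the key backwards for decryption. Function names are hypothetical, the S-box is computed rather than tabulated to keep the block short, the decryption-side RK0 formula is an assumption taken from the standard AES-128 key schedule, and the test key is the FIPS-197 Appendix A.1 example.

```c
#include <stdint.h>
#include <stdio.h>

/* Multiply in GF(2^8) modulo the AES polynomial x^8 + x^4 + x^3 + x + 1. */
static uint8_t gf_mul(uint8_t a, uint8_t b) {
    uint8_t p = 0;
    while (b) {
        if (b & 1) p ^= a;
        a = (uint8_t)((a << 1) ^ ((a & 0x80) ? 0x1b : 0));
        b >>= 1;
    }
    return p;
}

static uint8_t rotl8(uint8_t x, int n) {
    return (uint8_t)((x << n) | (x >> (8 - n)));
}

/* AES S-box: multiplicative inverse (x^254) followed by the affine map. */
static uint8_t sbox(uint8_t x) {
    uint8_t inv = 0;
    if (x) {
        inv = 1;
        for (int i = 0; i < 254; i++) inv = gf_mul(inv, x);
    }
    return (uint8_t)(inv ^ rotl8(inv, 1) ^ rotl8(inv, 2) ^ rotl8(inv, 3) ^ rotl8(inv, 4) ^ 0x63);
}

/* Round constant Rcon for rounds 1..10: x^(round-1) in GF(2^8). */
static uint8_t rcon(int round) {
    uint8_t c = 1;
    while (--round > 0) c = gf_mul(c, 2);
    return c;
}

/* Shifter (cyclic left by one byte), S-boxes, then XOR of Rcon into the top byte. */
static uint32_t g(uint32_t w, int round) {
    uint32_t r = (w << 8) | (w >> 24);
    uint32_t s = ((uint32_t)sbox((uint8_t)(r >> 24)) << 24) | ((uint32_t)sbox((uint8_t)(r >> 16)) << 16) |
                 ((uint32_t)sbox((uint8_t)(r >> 8)) << 8) | (uint32_t)sbox((uint8_t)r);
    return s ^ ((uint32_t)rcon(round) << 24);
}

/* Encryption direction: pk is the key of round-1, rk becomes the key of `round`. */
void next_round_key(const uint32_t pk[4], uint32_t rk[4], int round, int parallel) {
    rk[0] = pk[0] ^ g(pk[3], round);
    if (parallel) {            /* [135]: RK1..RK3 depend only on RK0 and prekey words */
        rk[1] = rk[0] ^ pk[1];
        rk[2] = rk[0] ^ pk[1] ^ pk[2];
        rk[3] = rk[0] ^ pk[1] ^ pk[2] ^ pk[3];
    } else {                   /* chained: each word waits for the word to its left */
        rk[1] = rk[0] ^ pk[1];
        rk[2] = rk[1] ^ pk[2];
        rk[3] = rk[2] ^ pk[3];
    }
}

/* Decryption direction: pk is the key of `round`, rk becomes the key of round-1. */
void prev_round_key(const uint32_t pk[4], uint32_t rk[4], int round) {
    rk[1] = pk[0] ^ pk[1];     /* [140]: prekey words only, no chaining */
    rk[2] = pk[1] ^ pk[2];
    rk[3] = pk[2] ^ pk[3];
    rk[0] = pk[0] ^ g(rk[3], round);  /* assumption: standard AES inverse schedule */
}

/* Word `word` of the key for `round`, stepping forward from the cipher key. */
uint32_t round_key_word(const uint32_t key[4], int round, int word, int parallel) {
    uint32_t pk[4], rk[4];
    for (int i = 0; i < 4; i++) rk[i] = key[i];
    for (int r = 1; r <= round; r++) {
        for (int i = 0; i < 4; i++) pk[i] = rk[i];   /* back up into the prekey register */
        next_round_key(pk, rk, r, parallel);
    }
    return rk[word];
}

/* Word `word` of the cipher key, stepping backward from the key of round `from`. */
uint32_t rewound_word(const uint32_t last[4], int from, int word) {
    uint32_t pk[4], rk[4];
    for (int i = 0; i < 4; i++) rk[i] = last[i];
    for (int r = from; r >= 1; r--) {
        for (int i = 0; i < 4; i++) pk[i] = rk[i];
        prev_round_key(pk, rk, r);
    }
    return rk[word];
}

/* FIPS-197 Appendix A.1 cipher key and its round-10 key. */
static const uint32_t FIPS197_KEY[4]  = {0x2b7e1516u, 0x28aed2a6u, 0xabf71588u, 0x09cf4f3cu};
static const uint32_t FIPS197_RK10[4] = {0xd014f9a8u, 0xc9ee2589u, 0xe13f0cc8u, 0xb6630ca6u};

int main(void) {
    for (int r = 0; r <= 10; r++) {
        printf("round %2d:", r);
        for (int w = 0; w < 4; w++)
            printf(" %08x", (unsigned)round_key_word(FIPS197_KEY, r, w, 1));
        printf("\n");
    }
    return 0;
}
```

The parallel form trades extra XOR gates for a shorter critical path, which is what lets the whole key be ready within one clock; the backward step needs the last round key as its starting prekey.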
[141] As described above, the rijndael block cipher apparatus according to the encryption method as illustrated in FIG. 8 and the decryption method as illustrated in FIG. 9 is a model suitable to be applied to a smart card, a USIM (User Subscriber Identity Module) card, a SIM card, etc., that have a small size, a low power consumption, and a low operational frequency characteristic.
[142] Industrial Applicability
[143] As apparent from the above description, the rijndael block cipher apparatus and the encryption/decryption method thereof according to the present invention can encrypt and decrypt important data that requires security at high speed by being mounted in a mobile terminal such as a cellular phone and a PDA or a smart card, which requires a high-rate and small-sized cipher processor, and can perform a round operation with respect to upper 64 bits and lower 64 bits which are divided from 128-bit input data. The present invention has the following effects:
[144] First, the cipher apparatus according to the present invention has a small size and can encrypt/decrypt real-time data at high speed by repeatedly using the round operation device in the apparatus.
[145] Second, since the cipher apparatus according to the present invention encrypts/decrypts block cipher data in real time using the round operation device applying a rijndael algorithm, it can provide a higher-graded security in comparison to an operation device applying the existing DES (Data Encryption Standard).
[146] Third, the rijndael encryption/decryption round operation device of the cipher apparatus according to the present invention has the advantage that it can encrypt/decrypt block cipher data in real time by adding a simple controller that repeats the round operation for a predetermined number of times.
[147] Fourth, the round operation device of the cipher apparatus according to the present invention can rapidly encrypt/decrypt data in real time although it has a small size that is almost half the size of the existing round operation device in the unit of 128 bits.
[148] Fifth, the round operation device of the cipher apparatus according to the present invention can be implemented using a proper method according to its application fields, and in the case of applying to a system that is irrespective of the amount of hardware resource used, it can obtain a two-times high speed of data encryption/decryption by applying a round process in the unit of 128 bits instead of a round process in the unit of 64 bits. The foregoing embodiments are merely exemplary and are not to be construed as limiting the present invention. The present teachings can be readily applied to other types of apparatuses. The description of the present invention is intended to be illustrative, and not to limit the scope of the claims. Many alternatives, modifications, and variations will be apparent to those skilled in the art.

Claims

[1] A rijndael block cipher apparatus comprising: a round operation unit for transforming a 128-bit input key into a 128-bit round key for encryption or decryption, and storing the 128-bit round key according to a value of a mode signal from a time when a round operation start signal, a round number signal and a bit selection signal for dividing the 128-bit input data into upper 64 bits and lower 64 bits and selecting the upper or lower 64 bits are inputted after an encryption or decryption operation start signal and the mode signal are inputted, encrypting the 128-bit input data by dividing the 128-bit input data into the upper 64 bits and the lower 64 bits and by performing a round operation which is composed of transforms of shift_row, substitution, mixcolumn and add-round-key with respect to the divided upper 64 bits and lower 64 bits, respectively, and decrypting the 128-bit input data by dividing the 128-bit input data into the upper 64 bits and the lower 64 bits and by performing a round operation which is composed of transforms of inverse-shift_row, inverse substitution, add-round-key and inverse mixcolumn with respect to the divided upper 64 bits and lower 64 bits, respectively; a round operation control unit for controlling the round operation of the round operation unit by transmitting the round operation start signal, the round number signal and the bit selection signal for dividing the 128-bit input data into the upper 64 bits and lower 64 bits and selecting the upper or lower 64 bits to the round operation unit from a time when the encryption or decryption operation start signal and the mode signal are inputted; a 64-bit data register for storing intermediate encryption or decryption data of the upper 64-bit input data generated during each round operation performed by the round operation unit; and a 128-bit data register for storing intermediate encryption or decryption data of the lower 64-bit input data generated during each round operation performed by the round operation unit as its lower 64 bits, and storing the encryption or decryption data generated as a result of a last round operation and stored in the 64-bit data register as its upper 64-bit data.
[2] The apparatus as claimed in claim 1, wherein the round operation unit comprises: a round key generation unit for transforming the 128-bit input key into the 128-bit round key RK for encryption or decryption according to the value of the mode signal inputted through a bus and storing the 128-bit round key in an internal 128-bit round key register if the round operation start signal and the round number signal are inputted from the round operation control unit; a shift/inverse-shift_row transform unit for performing a byte-shift of the upper 64 bits and the lower 64 bits divided from the 128-bit input data inputted through the bus by different numbers according to the value of the mode signal inputted through the bus if the round operation start signal and the bit selection signal are inputted from the round operation control unit, and outputting the byte-shifted upper 64 bits and lower 64 bits through a first multiplexer the output of which is controlled according to the value of the bit selection signal; a substitution/inverse-substitution transform unit for performing a substitution or an inverse substitution of the upper 64-bit data and the lower 64-bit data outputted from the shift/inverse-shift_row transform unit using a substitution box (S-box) or an inverse-substitution box (Si-box) that provides a one-byte output with respect to a one-byte input; a first demultiplexer for outputting the upper 64-bit data or the lower 64-bit data outputted from the substitution/inverse-substitution transform unit through either of its encryption output terminal and its decryption output terminal according to the value of the mode signal; a mix/inverse-mixcolumn transform unit for performing a mixcolumn of the upper 64-bit data or the lower 64-bit data inputted through the encryption output terminal of the first demultiplexer, or performing an inverse mixcolumn of the upper 64-bit data or the lower 64-bit data that has been add-round-key-transformed; a second demultiplexer for outputting the upper 64-bit data or the lower 64-bit data outputted from the mix/inverse-mixcolumn transform unit through either of its encryption output terminal and its decryption output terminal according to the value of the mode signal; an add-round-key transform unit for performing an addition of the upper 64-bit data or the lower 64-bit data inputted through the decryption output terminal of the first demultiplexer or through the encryption output terminal of the second demultiplexer to the 128-bit round key RK for encryption or decryption outputted from the round key generation unit; and a third demultiplexer for outputting the upper 64-bit data or the lower 64-bit data outputted from the add-round-key transform unit through either of its encryption output terminal and its decryption output terminal according to the value of the mode signal.
[3] The apparatus as claimed in claim 1 or 2, wherein if the four-clock or three-clock round operation start signal is inputted from the round operation control unit to the round operation unit, the upper 64-bit data outputted from the substitution/inverse-substitution transform unit to the first demultiplexer is stored in the 64-bit data register, and the lower 64-bit data outputted is stored as lower 64-bit data of the 128-bit data register.
[4] The apparatus as claimed in claim 1 or 2, wherein if the four-clock round operation start signal is inputted from the round operation control unit to the round operation unit, the upper 64-bit data outputted from the mix/inverse-mixcolumn transform unit to the second demultiplexer is stored in the 64-bit data register, and the lower 64-bit data outputted is stored as lower 64-bit data of the 128-bit data register.
[5] The apparatus as claimed in claim 1 or 2, wherein if the four-clock round operation start signal is inputted from the round operation control unit to the round operation unit, the upper 64-bit data for encryption outputted from the add-round-key transform unit to the third demultiplexer is stored as upper 64-bit data of the 128-bit data register, and the lower 64-bit data for encryption is stored as lower 64-bit data of the 128-bit data register.
[6] The apparatus as claimed in claim 1 or 2, wherein if the four-clock round operation start signal is inputted from the round operation control unit to the round operation unit, the upper 64-bit data for decryption outputted from the add-round-key transform unit to the third demultiplexer is stored in the 64-bit data register, and the lower 64-bit data for decryption is stored as lower 64-bit data of the 128-bit data register.
[7] The apparatus as claimed in claim 1 or 2, wherein if the four-clock round operation start signal is inputted from the round operation control unit to the round operation unit, the inverse-mixcolumn-transformed upper 64-bit data outputted from the mix/inverse-mixcolumn transform unit to the second demultiplexer is stored as upper 64-bit data of the 128-bit data register, and the inverse-mixcolumn-transformed lower 64-bit data is stored as lower 64-bit data of the 128-bit data register.
[8] The apparatus as claimed in claim 1 or 2, wherein if the three-clock round operation start signal is inputted from the round operation control unit to the round operation unit, the upper 64-bit data for encryption inverse-mixcolumn-transformed and then outputted from the add-round-key transform unit to the third demultiplexer is stored in the 64-bit data register, and then if a last third clock becomes '1', the upper 64-bit data for encryption is stored as upper 64-bit data of the 128-bit data register, and the lower 64-bit data for encryption is stored as lower 64-bit data of the 128-bit data register.
[9] The apparatus as claimed in claim 1 or 2, wherein if the three-clock round operation start signal is inputted from the round operation control unit to the round operation unit, the upper 64-bit data add-round-key-transformed, inverse-mixcolumn-transformed, and then outputted from the mix/inverse-mixcolumn transform unit to the second demultiplexer is stored in the 64-bit data register, and then if a last third clock becomes '1', the inverse-mixcolumn-transformed upper 64-bit data is stored as upper 64-bit data of the 128-bit data register, and the inverse-mixcolumn-transformed lower 64-bit data is stored as lower 64-bit data of the 128-bit data register.
[10] The apparatus as claimed in claim 1 or 2, wherein if the two-clock round operation start signal is inputted from the round operation control unit to the round operation unit, the upper 64-bit data for encryption shift_row-transformed, substitution-transformed, mixcolumn-transformed, and then outputted from the add-round-key transform unit to the third demultiplexer is stored in the 64-bit data register, and then if a last second clock becomes '1', the upper 64-bit data for encryption is stored as upper 64-bit data of the 128-bit data register, and the lower 64-bit data for encryption is stored as lower 64-bit data of the 128-bit data register.
[11] The apparatus as claimed in claim 1 or 2, wherein if the two-clock round operation start signal is inputted from the round operation control unit to the round operation unit, the upper 64-bit data inverse-shift_row-transformed, inverse-substitution-transformed, add-round-key-transformed, and then inverse-mixcolumn-transformed and outputted from the mix/inverse-mixcolumn transform unit to the second demultiplexer is stored in the 64-bit data register, and then if a last second clock becomes '1', the inverse-mixcolumn-transformed upper 64-bit data is stored as upper 64-bit data of the 128-bit data register, and the inverse-mixcolumn-transformed lower 64-bit data is stored as lower 64-bit data of the 128-bit data register.
[12] The apparatus as claimed in claim 2, wherein the round key generation unit comprises: a 128-bit prekey register for storing the 128-bit input key inputted through the bus as a prekey for transforming the 128-bit input key into the 128-bit round key RK for encryption or decryption, and storing the 128-bit round key RK generated after each round operation as a prekey for generating a round key RK used in a next round operation; a 128-bit key register for storing the 128-bit round key RK for encryption or decryption for each round operation; a constant storage unit for storing constant values Rcon determined according to the order of the round indicated by the round number signal inputted from the round operation control unit; a second multiplexer for being controlled according to the value of the mode signal inputted through the bus, and selecting and outputting one of 32-bit keys for encryption or decryption inputted from the 128-bit prekey register and the 128-bit round key register; a shifter for performing a cyclic shift of the 32-bit key inputted through the second multiplexer to the left by one byte; a substitution transform unit, composed of substitution boxes (S-boxes) for performing a substitution operation, for performing the substitution of the 32-bit key shifted by the shifter; a first XOR gate for performing an XOR operation of the most significant byte of the 32-bit key outputted from the substitution transform unit with the constant value stored in the constant storage unit; and a round XOR operation unit for newly generating the 128-bit round key RK for encryption or decryption to be stored in the 128-bit round key register for each round of the round operation by performing an XOR operation using a 32-bit value obtained by adding output bits of the first XOR gate to the remaining 24 bits except for the most significant byte of the substitution transform unit, the 128-bit prekey of the previous round stored in the 128-bit prekey register 111, and the 128-bit round key RK of the new round stored in the 128-bit round key register.
[13] The apparatus as claimed in claim 12, wherein if the four-clock round operation start signal is inputted from the round operation control unit to the round operation unit, the round XOR operation unit of the round key generation unit generates the encryption round key in a period of four clocks; and wherein the round XOR operation unit comprises: a second XOR gate for generating the most significant 32-bit round key RK0 of the 128-bit round key for encryption or decryption of the new round by performing an XOR operation of the 32-bit value obtained by adding the output bits of the first XOR gate to the remaining 24 bits except for the most significant byte of the substitution transform unit, with the most significant 32-bit value PK0 of the 128-bit round key of the previous round, if the first clock of the encryption round operation start signal becomes '1'; a third XOR gate for generating a 32-bit (i.e., 95 bit to 64 bit) round key RK1 of the 128-bit round key for encryption of the new round by performing an XOR operation of the most significant 32-bit (i.e., 127 bit to 96 bit) round key RK0 of the 128-bit round key of the new round with a 32-bit (i.e., 95 bit to 64 bit) round key PK1 next to the most significant 32 bits of the 128-bit round key of the previous round, and generating the 32-bit (i.e., 95 bit to 64 bit) round key RK1 of the 128-bit round key for decryption of the new round by performing an XOR operation of the most significant 32-bit (i.e., 127 bit to 96 bit) round key PK0 of the 128-bit round key of the previous round with the 32-bit (i.e., 95 bit to 64 bit) round key PK1 next to the most significant 32 bits, if the second clock of the encryption round operation start signal becomes '1'; a third multiplexer for being controlled according to the value of the mode signal inputted through the bus, and selectively determining input signals of the third XOR gate; a fourth XOR gate for generating a 32-bit (i.e., 63 bit to 32 bit) round key RK2 of the 128-bit round key for encryption of the new round by performing an XOR operation of the 32-bit (i.e., 95 bit to 64 bit) round key RK1 of the 128-bit round key of the new round with a 32-bit (i.e., 63 bit to 32 bit) round key PK2 of the 128-bit round key of the previous round, and generating a 32-bit (i.e., 63 bit to 32 bit) round key RK2 of the 128-bit round key for decryption of the new round by performing an XOR operation of the 32-bit (i.e., 95 bit to 64 bit) round key PK1 of the 128-bit round key of the previous round with the next 32-bit (i.e., 63 bit to 32 bit) round key PK2, if the third clock of the encryption round operation start signal becomes '1'; a fourth multiplexer for being controlled according to the value of the mode signal inputted through the bus, and selectively determining input signals of the fourth XOR gate; a fifth XOR gate for generating a 32-bit (i.e., 31 bit to 0 bit) round key RK3 of the 128-bit round key for encryption of the new round by performing an XOR operation of the 32-bit (i.e., 63 bit to 32 bit) round key RK2 of the 128-bit round key of the new round with a 32-bit (i.e., 31 bit to 0 bit) round key PK3 of the 128-bit round key of the previous round, and generating a 32-bit (i.e., 31 bit to 0 bit) round key RK3 of the 128-bit round key for decryption of the new round by performing an XOR operation of the 32-bit (i.e., 63 bit to 32 bit) round key PK2 of the 128-bit round key of the previous round with the next 32-bit (i.e., 31 bit to 0 bit) round key PK3, if the fourth clock of the encryption round operation start signal becomes '1'; and a fifth multiplexer for being controlled according to the value of the mode signal inputted through the bus, and selectively determining input signals of the fifth XOR gate.
[14] The apparatus as claimed in claim 12, wherein if the three-clock round operation start signal is inputted from the round operation control unit to the round operation unit, the round XOR operation unit of the round key generation unit generates the encryption round key in a period of two clocks; and wherein the round XOR operation unit comprises: a second XOR gate for generating the most significant 32-bit round key RK0 of the 128-bit round key for encryption or decryption of the new round by performing an XOR operation of the 32-bit value obtained by adding the output bits of the first XOR gate to the remaining 24 bits except for the most significant byte of the substitution transform unit, with the most significant 32-bit value PK0 of the 128-bit round key of the previous round, if the first clock of the encryption round operation start signal becomes '1'; a third XOR gate for generating a 32-bit (i.e., 95 bit to 64 bit) round key RK1 of the 128-bit round key for encryption of the new round by performing an XOR operation of the most significant 32-bit (i.e., 127 bit to 96 bit) round key RK0 of the 128-bit round key of the new round with a 32-bit (i.e., 95 bit to 64 bit) round key PK1 next to the most significant 32 bits of the 128-bit round key of the previous round, and generating the 32-bit (i.e., 95 bit to 64 bit) round key RK1 of the 128-bit round key for decryption of the new round by performing an XOR operation of the most significant 32-bit (i.e., 127 bit to 96 bit) round key PK0 of the 128-bit round key of the previous round with the 32-bit (i.e., 95 bit to 64 bit) round key PK1 next to the most significant 32 bits, if the second clock of the encryption round operation start signal becomes '1'; a third multiplexer for being controlled according to the value of the mode signal inputted through the bus, and selectively determining input signals of the third XOR gate; a fourth XOR gate for generating a 32-bit (i.e., 63 bit to 32 bit) round key RK2 of the 128-bit round key for encryption of the new round by performing an XOR operation of a resultant value (RK0 ⊕ PK1), which is obtained by the third XOR gate's XOR operation of the most significant 32-bit (i.e., 127 bit to 96 bit) round key RK0 of the 128-bit round key of the new round with the 32-bit (i.e., 95 bit to 64 bit) round key PK1 next to the most significant 32 bits of the 128-bit round key of the previous round, with the 32-bit (i.e., 63 bit to 32 bit) round key PK2 of the previous round, and generating a 32-bit (i.e., 63 bit to 32 bit) round key RK2 of the 128-bit round key for decryption of the new round by performing an XOR operation of the 32-bit (i.e., 95 bit to 64 bit) round key PK1 of the 128-bit round key of the previous round with the next 32-bit (i.e., 63 bit to 32 bit) round key PK2, if the second clock of the encryption round operation start signal becomes '1'; a fourth multiplexer for being controlled according to the value of the mode signal inputted through the bus, and selectively determining input signals of the fourth XOR gate; a fifth XOR gate for generating a 32-bit (i.e., 31 bit to 0 bit) round key RK3 of the 128-bit round key for encryption of the new round by performing an XOR operation of the resultant value (RK0 ⊕ PK1), which is obtained by the fourth XOR gate's XOR operation of the most significant 32-bit (i.e., 127 bit to 96 bit) round key RK0 of the 128-bit round key of the new round that has been XORed by the third XOR gate with the 32-bit (i.e., 95 bit to 64 bit) round key PK1 next to the most significant 32 bits of the 128-bit round key of the previous round, with the 32-bit (i.e., 63 bit to 32 bit) round key PK2 of the previous round to produce a resultant value (RK0 ⊕ PK1 ⊕ PK2) of XOR operation, and then by performing an XOR operation of the resultant value (RK0 ⊕ PK1 ⊕ PK2) with the 32-bit (31 bit to 0 bit) round key PK3 of the previous round, and generating the 32-bit (i.e., 31 bit to 0 bit) round key RK3 of the 128-bit round key for decryption of the new round by performing an XOR operation of the 32-bit (i.e., 63rd bit to 32nd bit) round key PK2 of the 128-bit round key of the previous round with the next 32-bit (i.e., 31 bit to 0 bit) round key PK3, if the second clock of the encryption round operation start signal becomes '1'; and a fifth multiplexer for being controlled according to the value of the mode signal inputted through the bus, and selectively determining input signals of the fifth XOR gate.
[15] The apparatus as claimed in claim 12, wherein if the two-clock round operation start signal is inputted from the round operation control unit to the round operation unit, the round XOR operation unit of the round key generation unit generates the encryption round key in a period of one clock; and wherein the round XOR operation unit comprises: a second XOR gate for generating the most significant 32-bit round key RK0 of the 128-bit round key for encryption or decryption of the new round by performing an XOR operation of the 32-bit value obtained by adding the output bits of the first XOR gate to the remaining 24 bits except for the most significant byte of the substitution transform unit, with the most significant 32-bit value PK0 of the 128-bit round key of the previous round, in a state that the encryption round operation start signal is inputted and simultaneously, the clock becomes '0'; a third XOR gate for generating a 32-bit (i.e., 95 bit to 64 bit) round key RK1 of the 128-bit round key for encryption of the new round by performing an XOR operation of the most significant 32-bit (i.e., 127 bit to 96 bit) round key RK0 of the 128-bit round key of the new round with a 32-bit (i.e., 95 bit to 64 bit) round key PK1 next to the most significant 32 bits of the 128-bit round key of the previous round, and generating the 32-bit (i.e., 95 bit to 64 bit) round key RK1 of the 128-bit round key for decryption of the new round by performing an XOR operation of the most significant 32-bit (i.e., 127 bit to 96 bit) round key PK0 of the 128-bit round key of the previous round with the 32-bit (i.e., 95 bit to 64 bit) round key PK1 next to the most significant 32 bits, if the first clock of the encryption round operation start signal becomes '1'; a third multiplexer for being controlled according to the value of the mode signal inputted through the bus, and selectively determining input signals of the third XOR gate; a fourth XOR gate for generating a 32-bit (i.e., 63 bit to 32 bit) round key RK2 of the 128-bit round key for encryption of the new round by performing an XOR operation of a resultant value (RK0 ⊕ PK1), which is obtained by the third XOR gate's XOR operation of the most significant 32-bit (i.e., 127 bit to 96 bit) round key RK0 of the 128-bit round key of the new round with the 32-bit (i.e., 95 bit to 64 bit) round key PK1 next to the most significant 32 bits of the 128-bit round key of the previous round, with the 32-bit (i.e., 63 bit to 32 bit) round key PK2 of the previous round, and generating a 32-bit (i.e., 63 bit to 32 bit) round key RK2 of the 128-bit round key for decryption of the new round by performing an XOR operation of the 32-bit (i.e., 95 bit to 64 bit) round key PK1 of the 128-bit round key of the previous round with the next 32-bit (i.e., 63 bit to 32 bit) round key PK2, if the first clock of the encryption round operation start signal becomes '1'; a fourth multiplexer for being controlled according to the value of the mode signal inputted through the bus, and selectively determining input signals of the fourth XOR gate; a fifth XOR gate for generating a 32-bit (i.e., 31 bit to 0 bit) round key RK3 of the 128-bit round key for encryption of the new round by performing an XOR operation of the resultant value (RK0 ⊕ PK1), which is obtained by the fourth XOR gate's XOR operation of the most significant 32-bit (i.e., 127 bit to 96 bit) round key RK0 of the 128-bit round key of the new round that has been XORed by the third XOR gate with the 32-bit (i.e., 95 bit to 64 bit) round key PK1 next to the most significant 32 bits of the 128-bit round key of the previous round, with the 32-bit (i.e., 63 bit to 32 bit) round key PK2 of the previous round to produce a resultant value (RK0 ⊕ PK1 ⊕ PK2) of XOR operation, and then by performing an XOR operation of the resultant value (RK0 ⊕ PK1 ⊕ PK2) with the 32-bit (31 bit to 0 bit) round key PK3 of the previous round, and generating the 32-bit (i.e., 31 bit to 0 bit) round key RK3 of the 128-bit round key for decryption of the new round by performing an XOR operation of the 32-bit (i.e., 63rd bit to 32nd bit) round key PK2 of the 128-bit round key of the previous round with the next 32-bit (i.e., 31 bit to 0 bit) round key PK3, if the first clock of the encryption round operation start signal becomes '1'; and a fifth multiplexer for being controlled according to the value of the mode signal inputted through the bus, and selectively determining input signals of the fifth XOR gate.
[16] A rijndael block encryption method comprising the steps of: if a four-clock round operation start signal and a round number signal are inputted from a round operation control unit after an encryption or decryption operation start signal and a mode signal are inputted through a bus, a round key generation unit of a round operation unit transforming a 128-bit input key into a 128-bit round key for encryption in accordance with a value of the mode signal inputted through the bus from a time when a first clock of the round operation start signal becomes '1', and storing the 128-bit round key in an internal 128-bit round key register; if the four-clock round operation start signal and a bit selection signal are inputted from the round operation control unit, a shift/inverse-shift_row transform unit performing a byte-shift of upper 64-bit data of 128-bit input data inputted through the bus and outputting the byte-shifted upper 64-bit data through a first multiplexer when the first clock becomes '1', and a substitution/inverse-substitution transform unit successively performing a substitution of the upper 64-bit data, outputting the substituted upper 64-bit data to a first demultiplexer, and storing the substituted upper 64-bit data in a 64-bit data register; when a second clock of the round operation start signal becomes '1', a mix/inverse-mixcolumn transform unit performing a mixcolumn of the upper 64-bit data outputted through an encryption output terminal of the first demultiplexer and stored in the 64-bit data register, outputting the mixcolumn-transformed upper 64-bit data to a second demultiplexer, and storing the mixcolumn-transformed upper 64-bit data in the 64-bit data register, the shift/inverse-shift_row transform unit simultaneously performing a byte-shift of lower 64-bit data of the 128-bit input data inputted through the bus and outputting the byte-shifted lower 64-bit data through the first multiplexer, and the substitution/inverse-substitution transform unit successively performing a substitution of the lower 64-bit data, outputting the substituted lower 64-bit data to the first demultiplexer, and storing the substituted lower 64-bit data in lower 64 bits of a 128-bit data register; when a third clock of the round operation start signal becomes '1', an add-round-key transform unit performing an addition of the upper 64-bit data outputted through an encryption output terminal of the second demultiplexer and stored in the 64-bit data register to upper 64-bit round key generated by the round key generation unit and storing the added upper 64-bit data in upper 64 bits of the 128-bit data register, and a mix/inverse-mixcolumn transform unit simultaneously performing a mixcolumn of the lower 64-bit data outputted through the encryption output terminal of the first demultiplexer and stored in the 128-bit data register, outputting the mixcolumn-transformed lower 64-bit data to the second demultiplexer, and storing the mixcolumn-transformed lower 64-bit data in the lower 64 bits of the 128-bit data register; and when a fourth clock of the round operation start signal becomes '1', the add-round-key transform unit performing an addition of the lower 64-bit data outputted through the encryption output terminal of the second demultiplexer and stored in the 128-bit data register to lower 64-bit round key generated by the round key generation unit and storing the added lower 64-bit data in the lower 64 bits of the 128-bit data register.
[17] The encryption method as claimed in claim 16, wherein at the step of the round key generation unit transforming the 128-bit input key into the 128-bit round key for encryption in accordance with the value of the mode signal inputted through the bus, and storing the 128-bit round key in the internal 128-bit round key register, the 128-bit round key for encryption is generated in a period of four clocks of the round operation start signal
[18] A Rijndael block decryption method comprising the steps of:
if a four-clock round operation start signal and a round number signal are inputted from a round operation control unit after an encryption or decryption operation start signal and a mode signal are inputted through a bus, a round key generation unit of a round operation unit transforming a 128-bit input key into a 128-bit round key for decryption in accordance with a value of the mode signal inputted through the bus from a time when a first clock of the round operation start signal becomes T, and storing the 128-bit round key in an internal 128-bit round key register;
if the four-clock round operation start signal and a bit selection signal are inputted from the round operation control unit, a shift/inverse-shift_row transform unit performing a byte-inverse-shift of upper 64-bit data of 128-bit input data inputted through the bus and outputting the byte-inverse-shifted upper 64-bit data through a first multiplexer when the first clock becomes T, and a substitution/inverse-substitution transform unit successively performing an inverse substitution of the upper 64-bit data, outputting the inverse-substituted upper 64-bit data to a first demultiplexer, and storing the inverse-substituted upper 64-bit data in a 64-bit data register;
when a second clock of the round operation start signal becomes T, an add-round-key transform unit performing an addition of the upper 64-bit data outputted through a decryption output terminal of the first demultiplexer and stored in the 64-bit data register to upper 64-bit round key generated by the round key generation unit, outputting the added upper 64-bit data to a third demultiplexer, and storing the added upper 64-bit data in the 64-bit data register, the shift/inverse-shift_row transform unit simultaneously performing a byte-inverse-shift of lower 64-bit data of the 128-bit input data inputted through the bus, and outputting the byte-inverse-shifted lower 64-bit data through the first multiplexer, and the substitution/inverse-substitution transform unit successively performing an inverse substitution of the lower 64-bit data, outputting the inverse-substituted lower 64-bit data to the first demultiplexer, and storing the inverse-substituted lower 64-bit data in lower 64 bits of a 128-bit data register;
when a third clock of the round operation start signal becomes T, a mix/inverse-mixcolumn transform unit performing an inverse mixcolumn of the upper 64-bit data outputted through a decryption output terminal of the third demultiplexer and stored in the 64-bit data register, outputting the inverse-mixcolumn-transformed upper 64-bit data through a second demultiplexer, and storing the inverse-mixcolumn-transformed upper 64-bit data in upper 64 bits of the 128-bit data register, and the add-round-key transform unit simultaneously performing an addition of the lower 64-bit data outputted through the decryption output terminal of the first demultiplexer and stored in the 128-bit data register to lower 64-bit round key generated by the round key generation unit, outputting the added lower 64-bit data through the third demultiplexer, and storing the added lower 64-bit data in the lower 64 bits of the 128-bit data register; and
when a fourth clock of the round operation start signal becomes T, the mix/inverse-mixcolumn transform unit performing an inverse mixcolumn of the lower 64-bit data outputted through the decryption output terminal of the third demultiplexer and stored in the 128-bit data register, outputting the inverse-mixcolumn-transformed lower 64-bit data through a second demultiplexer, and storing the inverse-mixcolumn-transformed lower 64-bit data in the lower 64 bits of the 128-bit data register.
[19] The decryption method as claimed in claim 18, wherein at the step of the round key generation unit transforming the 128-bit input key into the 128-bit round key for decryption in accordance with the value of the mode signal inputted through the bus, and storing the 128-bit round key in the internal 128-bit round key register, the 128-bit round key for decryption is generated in a period of two clocks of the round operation start signal.
[20] A Rijndael block encryption method comprising the steps of:
if a three-clock round operation start signal and a round number signal are inputted from a round operation control unit after an encryption or decryption operation start signal and a mode signal are inputted through a bus, a round key generation unit of a round operation unit transforming a 128-bit input key into a 128-bit round key for encryption in accordance with a value of the mode signal inputted through the bus from a time when a first clock of the round operation start signal becomes T, and storing the 128-bit round key in an internal 128-bit round key register;
if the three-clock round operation start signal and a bit selection signal are inputted from the round operation control unit, a shift/inverse-shift_row transform unit performing a byte-shift of upper 64-bit data of 128-bit input data inputted through the bus and outputting the byte-shifted upper 64-bit data through a first multiplexer when the first clock becomes T, and a substitution/inverse-substitution transform unit successively performing a substitution of the upper 64-bit data, outputting the substituted upper 64-bit data to a first demultiplexer, and storing the substituted upper 64-bit data in a 64-bit data register;
when a second clock of the round operation start signal becomes T, a mix/inverse-mixcolumn transform unit performing a mixcolumn of the upper 64-bit data outputted through an encryption output terminal of the first demultiplexer and stored in the 64-bit data register, and outputting the mixcolumn-transformed upper 64-bit data to a second demultiplexer, an add-round-key transform unit successively performing an addition of this upper 64-bit data to an upper 64-bit round key generated by the round key generation unit, and storing the added upper 64-bit data in the 64-bit data register, the shift/inverse-shift_row transform unit simultaneously performing a byte-shift of lower 64-bit data of the 128-bit input data inputted through the bus, and outputting the byte-shifted lower 64-bit data through the first multiplexer, and the substitution/inverse-substitution transform unit successively performing a substitution of the lower 64-bit data, outputting the substituted lower 64-bit data to the first demultiplexer, and storing the substituted lower 64-bit data in lower 64 bits of a 128-bit data register; and
when a third clock of the round operation start signal becomes T, storing the 64-bit data added and then stored in the 64-bit data register in upper 64 bits of the 128-bit data register, the mix/inverse-mixcolumn transform unit simultaneously performing a mixcolumn of the lower 64-bit data outputted through the encryption output terminal of the first demultiplexer and stored in the 128-bit data register, and outputting the mixcolumn-transformed lower 64-bit data to the second demultiplexer, and the add-round-key transform unit successively performing an addition of the lower 64-bit data to lower 64-bit round key generated by the round key generation unit, and storing the added lower 64-bit data in the lower 64 bits of the 128-bit data register.
[21] The encryption method as claimed in claim 20, wherein at the step of the round key generation unit transforming the 128-bit input key into the 128-bit round key for encryption in accordance with the value of the mode signal inputted through the bus, and storing the 128-bit round key in the internal 128-bit round key register, the 128-bit round key for encryption is generated in a period of two clocks of the round operation start signal.
[22] A Rijndael block decryption method comprising the steps of:
if a three-clock round operation start signal and a round number signal are inputted from a round operation control unit after an encryption or decryption operation start signal and a mode signal are inputted through a bus, a round key generation unit of a round operation unit transforming a 128-bit input key into a 128-bit round key for decryption in accordance with a value of the mode signal inputted through the bus from a time when a first clock of the round operation start signal becomes T, and storing the 128-bit round key in an internal 128-bit round key register;
if the three-clock round operation start signal and a bit selection signal are inputted from the round operation control unit, a shift/inverse-shift_row transform unit performing a byte-inverse-shift of upper 64-bit data of 128-bit input data inputted through the bus, and outputting the byte-inverse-shifted upper 64-bit data through a first multiplexer when the first clock becomes T, and a substitution/inverse-substitution transform unit successively performing an inverse substitution of the upper 64-bit data, outputting the inverse-substituted upper 64-bit data to a first demultiplexer, and storing the inverse-substituted upper 64-bit data in a 64-bit data register;
when a second clock of the round operation start signal becomes T, an add-round-key transform unit performing an addition of the upper 64-bit data outputted through a decryption output terminal of the first demultiplexer and stored in the 64-bit data register to upper 64-bit round key generated by the round key generation unit, and outputting the added upper 64-bit data to a third demultiplexer, a mix/inverse-mixcolumn transform unit successively performing an inverse mixcolumn of the added upper 64-bit data, outputting the inverse-mixcolumn-transformed upper 64-bit data through a second demultiplexer, and storing the inverse-mixcolumn-transformed upper 64-bit data in the 64-bit data register, the shift/inverse-shift_row transform unit simultaneously performing a byte-inverse-shift of lower 64-bit data of the 128-bit input data inputted through the bus, and outputting the byte-inverse-shifted lower 64-bit data through the first multiplexer, and the substitution/inverse-substitution transform unit successively performing an inverse substitution of the lower 64-bit data, outputting the inverse-substituted lower 64-bit data to the first demultiplexer, and storing the inverse-substituted lower 64-bit data in lower 64 bits of a 128-bit data register; and
when a third clock of the round operation start signal becomes T, the add-round-key transform unit performing an addition of the lower 64-bit data outputted through the decryption output terminal of the first demultiplexer and stored in the 128-bit data register to lower 64-bit round key generated by the round key generation unit and outputting the added lower 64-bit data to the third demultiplexer, the mix/inverse-mixcolumn transform unit successively performing an inverse mixcolumn of the added lower 64-bit data, outputting the inverse-mixcolumn-transformed lower 64-bit data through a second demultiplexer, and storing the inverse-mixcolumn-transformed lower 64-bit data in the lower 64 bits of the 128-bit data register, and simultaneously storing the upper 64-bit data stored in the 64-bit data register in upper 64 bits of the 128-bit data register.
[23] The decryption method as claimed in claim 22, wherein at the step of the round key generation unit transforming the 128-bit input key into the 128-bit round key for decryption in accordance with the value of the mode signal inputted through the bus, and storing the 128-bit round key in the internal 128-bit round key register, the 128-bit round key for decryption is generated in a period of two clocks of the round operation start signal.
[24] A Rijndael block encryption method comprising the steps of:
if a two-clock round operation start signal and a round number signal are inputted from a round operation control unit after an encryption or decryption operation start signal and a mode signal are inputted through a bus, a round key generation unit of a round operation unit transforming a 128-bit input key into a 128-bit round key for encryption in accordance with a value of the mode signal inputted through the bus from a time when a first clock of the round operation start signal becomes T, and storing the 128-bit round key in an internal 128-bit round key register;
if the two-clock round operation start signal and a bit selection signal are inputted from the round operation control unit, a shift/inverse-shift_row transform unit performing a byte-shift of upper 64-bit data of 128-bit input data inputted through the bus and outputting the byte-shifted upper 64-bit data through a first multiplexer when the first clock becomes T, a substitution/inverse-substitution transform unit successively performing a substitution of the upper 64-bit data, and outputting the substituted upper 64-bit data through a first demultiplexer, a mix/inverse-mixcolumn transform unit performing a mixcolumn of the upper 64-bit data outputted through an encryption output terminal of the first demultiplexer, and outputting the mixcolumn-transformed upper 64-bit data to a second demultiplexer, and an add-round-key transform unit successively performing an addition of this upper 64-bit data to an upper 64-bit round key generated by the round key generation unit, and storing the added upper 64-bit data in a 64-bit data register; and
when a second clock of the round operation start signal becomes T, the shift/inverse-shift_row transform unit performing a byte-shift of lower 64-bit data of the 128-bit input data inputted through the bus and outputting the byte-shifted lower 64-bit data through the first multiplexer, and the substitution/inverse-substitution transform unit successively performing a substitution of the lower 64-bit data, and outputting the substituted lower 64-bit data to the first demultiplexer, the mix/inverse-mixcolumn transform unit successively performing a mixcolumn of the lower 64-bit data, and outputting the mixcolumn-transformed lower 64-bit data to the second demultiplexer, the add-round-key transform unit successively performing an addition of this lower 64-bit data to lower 64-bit round key generated by the round key generation unit, and storing the added lower 64-bit data in lower 64 bits of a 128-bit data register, and simultaneously storing the upper 64-bit data stored in the 64-bit data register in upper 64 bits of the 128-bit data register.
[25] The encryption method as claimed in claim 24, wherein at the step of the round key generation unit transforming the 128-bit input key into the 128-bit round key for encryption in accordance with the value of the mode signal inputted through the bus, and storing the 128-bit round key in the internal 128-bit round key register, the 128-bit round key for encryption is generated in a period of one clock of the round operation start signal.
[26] A Rijndael block decryption method comprising the steps of:
if a two-clock round operation start signal and a round number signal are inputted from a round operation control unit after an encryption or decryption operation start signal and a mode signal are inputted through a bus, a round key generation unit of a round operation unit transforming a 128-bit input key into a 128-bit round key for decryption in accordance with a value of the mode signal inputted through the bus from a time when a first clock of the round operation start signal becomes T, and storing the 128-bit round key in an internal 128-bit round key register;
if the two-clock round operation start signal and a bit selection signal are inputted from the round operation control unit, a shift/inverse-shift_row transform unit performing a byte-inverse-shift of upper 64-bit data of 128-bit input data inputted through the bus, and outputting the byte-inverse-shifted upper 64-bit data through a first multiplexer when the first clock becomes T, a substitution/inverse-substitution transform unit successively performing an inverse substitution of the upper 64-bit data, and outputting the inverse-substituted upper 64-bit data to a first demultiplexer, an add-round-key transform unit successively performing an addition of the upper 64-bit data outputted through a decryption output terminal of the first demultiplexer to an upper 64-bit round key generated by the round key generation unit, and outputting the added upper 64-bit data to a third demultiplexer, and a mix/inverse-mixcolumn transform unit successively performing an inverse mixcolumn of the added upper 64-bit data, outputting the inverse-mixcolumn-transformed upper 64-bit data through a second demultiplexer, and storing the inverse-mixcolumn-transformed upper 64-bit data in a 64-bit data register; and
when a second clock of the round operation start signal becomes T, the shift/inverse-shift_row transform unit performing a byte-inverse-shift of lower 64-bit data of the 128-bit input data inputted through the bus and outputting the byte-inverse-shifted lower 64-bit data through the first multiplexer, the substitution/inverse-substitution transform unit successively performing an inverse substitution of the lower 64-bit data, and outputting the inverse-substituted lower 64-bit data to the first demultiplexer, the add-round-key transform unit successively performing an addition of the lower 64-bit data outputted through the decryption output terminal of the first demultiplexer to a lower 64-bit round key generated by the round key generation unit, and outputting the added lower 64-bit data to the third demultiplexer, the mix/inverse-mixcolumn transform unit successively performing an inverse mixcolumn of the added lower 64-bit data, outputting the inverse-mixcolumn-transformed lower 64-bit data through a second demultiplexer, and storing the inverse-mixcolumn-transformed lower 64-bit data in lower 64 bits of a 128-bit data register, and simultaneously storing the upper 64-bit data stored in the 64-bit data register in upper 64 bits of the 128-bit data register.
[27] The decryption method as claimed in claim 26, wherein at the step of the round key generation unit transforming the 128-bit input key into the 128-bit round key for decryption in accordance with the value of the mode signal inputted through the bus, and storing the 128-bit round key in the internal 128-bit round key register, the 128-bit round key for decryption is generated in a period of one clock of the round operation start signal.
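The two-clock round of claims 24 and 26, together with the per-round key update recited in the key-generation claim above (RK3 = PK2 XOR PK3 in the decryption direction), can be checked against FIPS-197 with a short software model. This is an added example, not code from the patent: it assumes the "upper 64 bits" are state columns 0 and 1 in FIPS-197 byte order, takes the AES-128 framing (initial key addition, no MixColumns in the last round) from FIPS-197 rather than from the claims, and all function names are hypothetical.

```python
# Added example: software model of the claimed 64-bit half-block round datapath.
# Assumptions (not stated in the claims): "upper 64 bits" = state columns 0-1 in
# FIPS-197 byte order; AES-128 framing follows FIPS-197. Names are hypothetical.

def xtime(a):                              # multiply by x in GF(2^8)
    a <<= 1
    return (a ^ 0x11B) if a & 0x100 else a

def gmul(a, b):                            # GF(2^8) multiplication
    r = 0
    while b:
        if b & 1:
            r ^= a
        a, b = xtime(a), b >> 1
    return r

def _sbox_entry(v):
    inv = 1
    for _ in range(254):                   # v^254 is the inverse; 0 maps to 0
        inv = gmul(inv, v)
    rot = lambda x, n: ((x << n) | (x >> (8 - n))) & 0xFF
    return inv ^ rot(inv, 1) ^ rot(inv, 2) ^ rot(inv, 3) ^ rot(inv, 4) ^ 0x63

SBOX = [_sbox_entry(v) for v in range(256)]
INV_SBOX = [SBOX.index(v) for v in range(256)]
RCON = [1]
for _ in range(9):
    RCON.append(xtime(RCON[-1]))

def xor(a, b):
    return [x ^ y for x, y in zip(a, b)]

def _g(word, rcon):                        # RotWord, SubWord, round constant
    w = [SBOX[b] for b in word[1:] + word[:1]]
    w[0] ^= rcon
    return w

def next_key(pk, rcon):
    """Encryption direction: new round key RK0..RK3 from previous PK0..PK3."""
    p = [list(pk[i:i + 4]) for i in range(0, 16, 4)]
    rk0 = xor(p[0], _g(p[3], rcon))
    rk1 = xor(rk0, p[1])
    rk2 = xor(rk1, p[2])
    rk3 = xor(rk2, p[3])                   # equals RK0 ^ PK1 ^ PK2 ^ PK3
    return bytes(rk0 + rk1 + rk2 + rk3)

def prev_key(pk, rcon):
    """Decryption direction: RK3 = PK2 ^ PK3, walking the schedule backwards."""
    p = [list(pk[i:i + 4]) for i in range(0, 16, 4)]
    rk3, rk2, rk1 = xor(p[2], p[3]), xor(p[1], p[2]), xor(p[0], p[1])
    rk0 = xor(p[0], _g(rk3, rcon))
    return bytes(rk0 + rk1 + rk2 + rk3)

def shift_half(state, half, inverse=False):
    """(Inv)ShiftRows output for one 64-bit half, read from the full 128-bit input."""
    out = []
    for c in (2 * half, 2 * half + 1):
        for r in range(4):
            src = (c - r) % 4 if inverse else (c + r) % 4
            out.append(state[4 * src + r])
    return out

def mix_half(h, inverse=False):
    """(Inv)MixColumns on the two columns of one half."""
    m = (14, 11, 13, 9) if inverse else (2, 3, 1, 1)
    out = []
    for c in (0, 4):
        for r in range(4):
            v = 0
            for k in range(4):
                v ^= gmul(h[c + k], m[(k - r) % 4])
            out.append(v)
    return out

def enc_round(state, rk, last=False):
    out = []
    for half in (0, 1):                    # clock 1: upper half, clock 2: lower half
        h = [SBOX[b] for b in shift_half(state, half)]
        if not last:
            h = mix_half(h)
        out += xor(h, rk[8 * half:8 * half + 8])
    return bytes(out)

def dec_round(state, rk, last=False):
    out = []
    for half in (0, 1):                    # same two-clock schedule, inverse units
        h = [INV_SBOX[b] for b in shift_half(state, half, inverse=True)]
        h = xor(h, rk[8 * half:8 * half + 8])
        out += h if last else mix_half(h, inverse=True)
    return bytes(out)

def encrypt(block, key):
    """Returns (ciphertext, last round key); round keys are generated per round."""
    state, rk = bytes(xor(block, key)), key
    for i in range(1, 11):
        rk = next_key(rk, RCON[i - 1])
        state = enc_round(state, rk, last=(i == 10))
    return state, rk

def decrypt(block, last_rk):
    """Starts from the last round key; returns (plaintext, recovered cipher key)."""
    state, rk = bytes(xor(block, last_rk)), last_rk
    for i in range(10, 0, -1):
        rk = prev_key(rk, RCON[i - 1])
        state = dec_round(state, rk, last=(i == 1))
    return state, rk
```

Because each half is selected from the full 128-bit input before substitution, the two half-block passes reproduce a standard round exactly; the decryption side never stores the expanded key, only the current round key.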
PCT/KR2004/001296 2003-06-16 2004-06-01 Rijndael block cipher apparatus and encryption/decryption method thereof WO2004112309A1 (en)

Priority Applications (3)

Application Number Priority Date Filing Date Title
JP2006516910A JP2006527865A (en) 2003-06-16 2004-06-01 Line doll block encryption apparatus and encryption and decryption method thereof
CN2004800224469A CN1833399B (en) 2003-06-16 2004-06-01 Rijndael block cipher apparatus and encryption/decryption method thereof
US10/560,220 US7688974B2 (en) 2003-06-16 2004-06-01 Rijndael block cipher apparatus and encryption/decryption method thereof

Applications Claiming Priority (4)

Application Number Priority Date Filing Date Title
KR10-2003-0038892 2003-06-16
KR20030038892 2003-06-16
KR10-2003-0064737 2003-09-18
KR1020030064737A KR100710455B1 (en) 2003-06-16 2003-09-18 Apparatus for rijndael block cipher and encryption/decryption method thereof

Publications (2)

Publication Number Publication Date
WO2004112309A1 true WO2004112309A1 (en) 2004-12-23
WO2004112309B1 WO2004112309B1 (en) 2005-04-14

Family

ID=36640465

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/KR2004/001296 WO2004112309A1 (en) 2003-06-16 2004-06-01 Rijndael block cipher apparatus and encryption/decryption method thereof

Country Status (3)

Country Link
US (1) US7688974B2 (en)
JP (1) JP2006527865A (en)
WO (1) WO2004112309A1 (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN117014208A (en) * 2023-08-09 2023-11-07 海光信息技术股份有限公司 Data encryption method, device, system, electronic equipment and storage medium

Families Citing this family (33)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
KR20050087271A (en) * 2004-02-26 2005-08-31 삼성전자주식회사 Key schedule apparatus for generating an encryption round key and a decryption round key selectively corresponding to initial round key having variable key length
US7783037B1 (en) * 2004-09-20 2010-08-24 Globalfoundries Inc. Multi-gigabit per second computing of the rijndael inverse cipher
DE102004062825B4 (en) * 2004-12-27 2006-11-23 Infineon Technologies Ag Cryptographic unit and method for operating a cryptographic unit
US8379841B2 (en) * 2006-03-23 2013-02-19 Exegy Incorporated Method and system for high throughput blockwise independent encryption/decryption
US8185751B2 (en) * 2006-06-27 2012-05-22 Emc Corporation Achieving strong cryptographic correlation between higher level semantic units and lower level components in a secure data storage system
US20080019524A1 (en) * 2006-06-29 2008-01-24 Kim Moo S Apparatus and method for low power aes cryptographic circuit for embedded system
US8155308B1 (en) * 2006-10-10 2012-04-10 Marvell International Ltd. Advanced encryption system hardware architecture
US7949130B2 (en) * 2006-12-28 2011-05-24 Intel Corporation Architecture and instruction set for implementing advanced encryption standard (AES)
US8538012B2 (en) 2007-03-14 2013-09-17 Intel Corporation Performing AES encryption or decryption in multiple modes with a single instruction
US8520845B2 (en) * 2007-06-08 2013-08-27 Intel Corporation Method and apparatus for expansion key generation for block ciphers
WO2009029842A1 (en) * 2007-08-31 2009-03-05 Exegy Incorporated Method and apparatus for hardware-accelerated encryption/decryption
US9191197B2 (en) * 2007-10-10 2015-11-17 Canon Kabushiki Kaisha AES encryption/decryption circuit
US8194854B2 (en) 2008-02-27 2012-06-05 Intel Corporation Method and apparatus for optimizing advanced encryption standard (AES) encryption and decryption in parallel modes of operation
US20090245510A1 (en) * 2008-03-25 2009-10-01 Mathieu Ciet Block cipher with security intrinsic aspects
EP2109314A1 (en) * 2008-04-11 2009-10-14 Gemalto SA Method for protection of keys exchanged between a smartcard and a terminal
WO2010109516A1 (en) * 2009-03-23 2010-09-30 富士通株式会社 Data processing device and data processing method
US9143938B2 (en) 2013-03-15 2015-09-22 Tyfone, Inc. Personal digital identity device responsive to user interaction
US9154500B2 (en) 2013-03-15 2015-10-06 Tyfone, Inc. Personal digital identity device with microphone responsive to user interaction
US20140270175A1 (en) * 2013-03-15 2014-09-18 Tyfone, Inc. Personal digital identity device with imager
US9448543B2 (en) 2013-03-15 2016-09-20 Tyfone, Inc. Configurable personal digital identity device with motion sensor responsive to user interaction
US9207650B2 (en) 2013-03-15 2015-12-08 Tyfone, Inc. Configurable personal digital identity device responsive to user interaction with user authentication factor captured in mobile device
US9781598B2 (en) 2013-03-15 2017-10-03 Tyfone, Inc. Personal digital identity device with fingerprint sensor responsive to user interaction
US9319881B2 (en) 2013-03-15 2016-04-19 Tyfone, Inc. Personal digital identity device with fingerprint sensor
US9215592B2 (en) 2013-03-15 2015-12-15 Tyfone, Inc. Configurable personal digital identity device responsive to user interaction
US9086689B2 (en) 2013-03-15 2015-07-21 Tyfone, Inc. Configurable personal digital identity device with imager responsive to user interaction
US9183371B2 (en) 2013-03-15 2015-11-10 Tyfone, Inc. Personal digital identity device with microphone
US9231945B2 (en) 2013-03-15 2016-01-05 Tyfone, Inc. Personal digital identity device with motion sensor
US9436165B2 (en) 2013-03-15 2016-09-06 Tyfone, Inc. Personal digital identity device with motion sensor responsive to user interaction
KR101593169B1 (en) 2014-08-20 2016-02-15 한국전자통신연구원 Feistel-based variable length block cipher apparatus and method thereof
CN104253684B (en) * 2014-09-23 2018-02-02 深圳市汇顶科技股份有限公司 Encryption method and encryption device
US10341090B2 (en) * 2014-10-14 2019-07-02 Sony Corporation Cipher processing apparatus and cipher processing method
US9960908B1 (en) * 2015-06-19 2018-05-01 Amazon Technologies, Inc. Reduced-latency packet ciphering
JP7383985B2 (en) * 2019-10-30 2023-11-21 富士電機株式会社 Information processing device, information processing method and program

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20020191784A1 (en) * 2001-06-08 2002-12-19 Nhu-Ha Yup Circuit and method for implementing the advanced encryption standard block cipher algorithm in a system having a plurality of channels
US20030059054A1 (en) * 2001-09-08 2003-03-27 Yi Hu Apparatus for generating encryption or decryption keys
US20030072444A1 (en) * 2001-09-08 2003-04-17 Yi Hu Data encryption/decryption apparatus
KR20030051111A (en) * 2001-12-18 2003-06-25 신경욱 Round processing circuit and on-line round key generation circuit for the hardware implementation of AES Rijndael cipher algorithm

Family Cites Families (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US6230257B1 (en) * 1998-03-31 2001-05-08 Intel Corporation Method and apparatus for staggering execution of a single packed data instruction using the same circuit
KR100296958B1 (en) * 1998-05-06 2001-09-22 이석우 Apparatus for encoding block data
KR100525389B1 (en) * 2001-01-17 2005-11-02 엘지전자 주식회사 Scrambler/descrambler of real time input stream
ATE286636T1 (en) * 2001-03-27 2005-01-15 Amphion Semiconductor Ltd DEVICE FOR SELECTABLE USE OR DECODING OF DATA
JP3851115B2 (en) * 2001-06-28 2006-11-29 富士通株式会社 Cryptographic circuit
TW527783B (en) * 2001-10-04 2003-04-11 Ind Tech Res Inst Encryption/deciphering device capable of supporting advanced encryption standard
JP3818263B2 (en) * 2003-01-28 2006-09-06 日本電気株式会社 AES encryption processing device, AES decryption processing device, AES encryption / decryption processing device, AES encryption processing method, AES decryption processing method, and AES encryption / decryption processing method

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN117014208A (en) * 2023-08-09 2023-11-07 海光信息技术股份有限公司 Data encryption method, device, system, electronic equipment and storage medium
CN117014208B (en) * 2023-08-09 2024-04-09 海光信息技术股份有限公司 Data encryption method, device, system, electronic equipment and storage medium

Also Published As

Publication number Publication date
US20060147040A1 (en) 2006-07-06
WO2004112309B1 (en) 2005-04-14
US7688974B2 (en) 2010-03-30
JP2006527865A (en) 2006-12-07

Legal Events

Date Code Title Description
WWE Wipo information: entry into national phase

Ref document number: 200480022446.9

Country of ref document: CN

AK Designated states

Kind code of ref document: A1

Designated state(s): AE AG AL AM AT AU AZ BA BB BG BR BW BY BZ CA CH CN CO CR CU CZ DE DK DM DZ EC EE EG ES FI GB GD GE GH GM HR HU ID IL IN IS JP KE KG KP KZ LC LK LR LS LT LU LV MA MD MG MK MN MW MX MZ NA NI NO NZ OM PG PH PL PT RO RU SC SD SE SG SK SL SY TJ TM TN TR TT TZ UA UG US UZ VC VN YU ZA ZM ZW

AL Designated countries for regional patents

Kind code of ref document: A1

Designated state(s): GM KE LS MW MZ NA SD SL SZ TZ UG ZM ZW AM AZ BY KG KZ MD RU TJ TM AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HU IE IT LU MC NL PL PT RO SE SI SK TR BF BJ CF CG CI CM GA GN GQ GW ML MR NE SN TD TG

121 Ep: the epo has been informed by wipo that ep was designated in this application
B Later publication of amended claims

Effective date: 20041101

WWE Wipo information: entry into national phase

Ref document number: 2006516910

Country of ref document: JP

ENP Entry into the national phase

Ref document number: 2006147040

Country of ref document: US

Kind code of ref document: A1

WWE Wipo information: entry into national phase

Ref document number: 10560220

Country of ref document: US

WWP Wipo information: published in national office

Ref document number: 10560220

Country of ref document: US

122 Ep: pct application non-entry in european phase