1. Field of the Invention
The present invention relates generally to a mobile communication system, and in particular, to a method of designing an optimum encryption function for hardware implementations and an optimized encryption apparatus.
2. Description of the Related Art
As the first analog communication systems developed into subsequent digital communication systems, mobile subscribers expected stable high-rate data transmissions. Accordingly, service providers have made efforts to satisfy the user demand by presenting more reliable, advanced ciphering methods. The 3rd generation communication system, which provides multimedia service (including voice and video data) for a highly sophisticated information-based society, requires standardization of encryption algorithms that ensure the confidentiality, security, and reliability of multimedia signals. The use of 11 encryption algorithms, f0 to f10, is under consideration for implementation in a universal mobile telecommunication system (UMTS). The UMTS is a global system for mobile communication (GSM) core network-based 3rd generation system proposed by the 3rd generation project partnership (3GPP). Among the encryption algorithms, the 3GPP confidentiality algorithm f8 and the 3GPP integrity algorithm f9 have already been standardized. These two algorithms are based on KASUMI, which is a modified version of the MISTY1 crypto algorithm developed by Mitsubishi Electronic Corporation from Japan.
The KASUMI is a Feistel block cipher that outputs a 64-bit ciphertext from a 64-bit input plaintext with 8 round operations. Plaintext is defined as cleartext messages that are not encrypted, and ciphertext is defined as text that has been encrypted with an encryption algorithm and key and thus ensures confidentiality.
FIG. 1 is a block diagram of conventional KASUMI hardware. Referring to FIG. 1, the KASUMI encryption block is comprised of a plurality of multiplexers (MUX1, MUX2 and MUX3) 101, 103, and 107, a demultiplexer (DEMUX) 109, registers (register A1 and register A2) 102 and 104, a plurality of function blocks (FL1, FL2, and FO) 106, 110 and 108, a controller 100 for controlling the components of the KASUMI encryption block, and a key scheduler 105 for providing cipher keys.
A 64-bit plaintext input is divided into two 32-bit strings L0 and R0, which are applied to the inputs of the MUX1 101 and the MUX2 103, respectively. The MUX1 101 outputs the 32-bit string L0 to the register A1 102 under the control of the controller 100, and the MUX2 103 outputs the 32-bit string R0 to the register A2 104 under the control of the controller 100. The register A1 102 and register A2 104 temporarily store the 32-bit strings L0 and R0 and output them upon receipt of a control signal from the controller 100.
The KASUMI encryption block takes different encryption paths depending on whether it is an odd round or an even round. For an odd round, the FL1 block 106 encrypts the bit string L0 received from the register A1 102 with first cipher keys KLi,1 and KLi,2 received from the key scheduler 105 and outputs a ciphertext L01 to the MUX3 107. The MUX3 107 outputs the ciphertext L01 to the FO block 108 according to a control signal from the controller 100. The FO block 108 encrypts the 32-bit string L01 with a second cipher key KIi,j and a third cipher key KOi,j received from the key scheduler 105 and outputs a ciphertext L02 to the DEMUX 109 under the control of the controller 100. The DEMUX 109 outputs the 32-bit string L02 under the control of the controller 100. The bit string L02 is exclusive-ORed with the bit string R0 from the register A2 104, resulting in a ciphertext R1. The signal R1 is fed back to the MUX2 103.
For an even round, the MUX3 107 feeds the 32-bit string R0 received from the register A2 104 to the FO block 108 under the control of the controller 100. The FO block 108 encrypts the 32-bit string R0 with the second and third cipher keys KIi,j and KOi,j received from the key scheduler 105 and outputs a ciphertext R01 to the DEMUX 109 under the control of the controller 100. The DEMUX 109 outputs the 32-bit string R01 to the FL2 block 110 under the control of the controller 100. The FL2 block 110 encrypts the bit string R01 with a first cipher key KLi,j received from the key scheduler 105 and outputs a ciphertext R02. The bit string R02 is exclusive-ORed with the bit string L0 from the register A1 102, resulting in a ciphertext L1. The signal L1 is fed back to the MUX1 101. As the round increases, i and j in the cipher keys KLi,j, KIi,j and KOi,j are increased.
The two FL blocks 106 and 110 perform the same cryptographic function in the conventional KASUMI encryption. The redundant use of the function blocks decreases user efficiency of the device and increases power consumption.
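The odd/even round data path described above, written out as an added example that is not part of the original document. FL follows the published KASUMI definition; `fo_standin` and `demo_keys` are hypothetical stand-ins (the real FO and key schedule are not reproduced here), so the output is not real KASUMI ciphertext.

```python
import hashlib

MASK16, MASK32 = 0xFFFF, 0xFFFFFFFF

def rol16(x, n):
    return ((x << n) | (x >> (16 - n))) & MASK16

def fl(x, kl1, kl2):
    """FL per the published KASUMI definition; one function serves FL1 and FL2."""
    l, r = x >> 16, x & MASK16
    r ^= rol16(l & kl1, 1)
    l ^= rol16(r | kl2, 1)
    return (l << 16) | r

def fo_standin(x, ko, ki):
    """Hypothetical stand-in for FO; NOT KASUMI's FO (that needs the S7/S9 boxes)."""
    x = ((x ^ ko) * 0x9E3779B1) & MASK32
    x ^= x >> 15
    return (x + ki) & MASK32

def demo_keys(seed):
    """Constructed subkeys (KL1, KL2, KO, KI) for rounds 1..8; not the key schedule."""
    keys = []
    for i in range(1, 9):
        d = hashlib.sha256(seed + bytes([i])).digest()
        keys.append(tuple(int.from_bytes(d[a:b], "big")
                          for a, b in ((0, 2), (2, 4), (4, 8), (8, 12))))
    return keys

def crypt(block, keys, decrypt=False):
    """Run the 8 rounds on registers A1/A2; decryption replays them in reverse."""
    a1, a2 = block >> 32, block & MASK32
    for i in (range(8, 0, -1) if decrypt else range(1, 9)):
        kl1, kl2, ko, ki = keys[i - 1]
        if i % 2:   # odd round: FL then FO on A1, result XORed into A2
            a2 ^= fo_standin(fl(a1, kl1, kl2), ko, ki)
        else:       # even round: FO then FL on A2, result XORed into A1
            a1 ^= fl(fo_standin(a2, ko, ki), kl1, kl2)
    return (a1 << 32) | a2

if __name__ == "__main__":
    ks = demo_keys(b"constructed demo key")
    ct = crypt(0x0123456789ABCDEF, ks)
    print(hex(ct), hex(crypt(ct, ks, decrypt=True)))
```

Each round only XORs a function output into the other register, so FL and FO never need to be inverted and the same hardware path decrypts when the round keys are applied in reverse order.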
FIG. 2 depicts the 3GPP confidentiality function f8 with conventional KASUMI computations. Referring to FIG. 2, the confidentiality function f8 stores a plaintext to be transmitted in an input memory 270. A ciphertext is produced by repeated KASUMI computations on the plaintext and stored in an output memory 280. A register C 220 temporarily stores the 64-bit input data under the control of a controller 200. BLKCNT denotes a block counter for processing the input 64-bit data, CK denotes a 128-bit cipher key, and KM denotes a key modifier, which is a 128-bit constant. Each KASUMI can encrypt a maximum of 5114 bits, which is equivalent to 80 rounds. The controller 200 controls the input and output memories 260 and 280 by control signals. The control signals include an address signal for assigning an address to the memories 260 and 280, an enable/disable signal for enabling/disabling them, a read/write signal for reading/writing stored data or ciphertext, and a data signal for storing a data unit at an assigned address. Thus, the memories 260 and 280 store or output data units at or from assigned addresses.
A KASUMI encryption block 230 encrypts the initial input 64-bit data string with the exclusive-OR of a 128-bit CK and a 128-bit KM (CK⊕KM) and outputs an initial ciphertext K00. The register C 220 temporarily stores the signal K00 and outputs it under the control of an encryption block controller (not shown). The signal K00 is exclusive-ORed with a block count value 0 (BLKCNT 0) and applied to the input of a KASUMI encryption block 230. The KASUMI encryption block 230 encrypts the received signal with a CK and outputs a ciphertext K01. At the same time, the controller 200 reads a plaintext D1 from the first address in the input memory 270. The signals K01 and D1 are exclusive-ORed to produce a ciphertext K1. The output memory 280 stores the final ciphertext K1 at its first address under the control of the controller 200. The f8 function repeats this encryption according to the length of plaintext.
In the f8 function as described above, the controller 200 reads a plaintext from each address in the input memory 270, encrypts it with the output of a KASUMI encryption block, and stores the resulting ciphertext in the output memory 280. The use of the separate input and output memories leads to inefficient hardware implementation of the f8 function and increases power consumption.
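The f8 data flow described above, as an added example that is not part of the original document. `standin_kasumi` is a hypothetical keyed 64-bit function used in place of KASUMI, the `iv` parameter stands for the initial 64-bit input, and the KM value and the feedback of the previous keystream block follow the published f8 definition rather than the text above.

```python
import hashlib
import hmac

KM = bytes([0x55]) * 16   # key modifier constant (value from the published f8 spec)
MAX_BITS = 5114           # per-call limit stated in the text

def standin_kasumi(key, block):
    """Hypothetical stand-in for KASUMI (NOT the real cipher): keyed 64 -> 64 bits.
    f8 only ever runs the block cipher forwards, so this shows the mode faithfully."""
    mac = hmac.new(key, block.to_bytes(8, "big"), hashlib.sha256).digest()
    return int.from_bytes(mac[:8], "big")

def f8(ck, iv, data, nbits, E=standin_kasumi):
    """Encrypt or decrypt nbits of data; both directions are the same operation."""
    if len(ck) != 16 or not 0 <= iv < 2**64:
        raise ValueError("CK must be 128 bits and the initial input 64 bits")
    if not 0 < nbits <= MAX_BITS or len(data) != (nbits + 7) // 8:
        raise ValueError("length out of range or data size mismatch")
    a = E(bytes(x ^ y for x, y in zip(ck, KM)), iv)   # K00 = E[CK xor KM](input)
    out, ksb = bytearray(), 0
    for blkcnt in range((nbits + 63) // 64):
        ksb = E(ck, a ^ blkcnt ^ ksb)                 # next 64-bit keystream block
        chunk = data[8 * blkcnt: 8 * blkcnt + 8]
        out += bytes(p ^ k for p, k in zip(chunk, ksb.to_bytes(8, "big")))
    if nbits % 8:                                     # clear unused trailing bits
        out[-1] &= (0xFF << (8 - nbits % 8)) & 0xFF
    return bytes(out)

if __name__ == "__main__":
    ck = bytes(range(16))                             # constructed key
    ct = f8(ck, 0x0123456789ABCDEF, b"constructed plaintext", 21 * 8)
    print(ct.hex(), f8(ck, 0x0123456789ABCDEF, ct, 21 * 8))
```

Because the output is plaintext XOR keystream, two messages processed under the same CK and initial input share a keystream, so the initial input must be unique per message.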