1. Field of the Invention
The present invention relates to a high-speed Galois Counter Mode-Advanced Encryption Standard (GCM-AES) block cipher apparatus and method, which makes it possible to operate at a low clock frequency of 125 MHz and provide a 2 Gbps link security function in an Optical Line Termination (OLT) and an Optical Network Unit (ONU) of an Ethernet Passive Optical Network (EPON).
2. Description of the Related Art
The US NIST (National Institute of Standards and Technology) has selected a next-generation symmetric key block cipher algorithm “Rijndael” as an Advanced Encryption Standard (AES) algorithm. The AES is an encryption standard in which encryption is performed for a fixed block size of 128 bits during 11 rounds using respective round keys of 128 bits. Processing and computation of the AES is performed through 9 repetitive rounds and the final round after AddRound-Key. Each of the rounds other than the final round includes the ByteSub, ShiftRow, MixColumn, and AddRound-Key modules. The AES block cipher algorithm supports the Electronic Codebook (ECB), Cipher Block Chaining (CBC), Cipher Feedback (CFB), Output Feedback (OFB), or Counter (CTR) modes according to an operation mode. The CTR mode provides the fastest encryption function and provides the encryption function even for variable-length data.
IEEE802.3ah EFM complies with the MAC security standard proposed in the IEEE802.1AE working group to provide a link security function in an Ethernet Passive Optical Network (EPON). The IEEE802.1AE working group has adopted the operation mode of a GCM-AES block cipher to provide both data encryption and frame authentication functions in the link layer.
The adopted GCM-AES block cipher can provide either the authenticated encryption/decryption or authentication tag generation/verification function according to an operation. The GCM-AES block cipher provides a high-speed encryption function for variable-length MAC frames using a 128-bit CTR-AES block cipher algorithm, and provides a frame authentication function using a universal hashing algorithm. Also, GCM-AES is currently free of intellectual property restrictions.
FIG. 1 is a block diagram of a conventional GCM-AES block cipher apparatus.
As shown in FIG. 1, the conventional GCM-AES block cipher apparatus B100 comprises an 11-round key expansion module 101, an 11-round CTR-AES block cipher module 102, and an 8-round GF multiplication module 103.
In FIG. 1, a 32/128-bit converter 100 and a 128/32-bit converter 104 are data conversion interface modules for providing an interface between a MAC module and a MAC controller module.
The key expansion module 101 generates 11 round keys of 128 bits (s102) for use in the CTR-AES block cipher using a 128-bit key that is received with every MAC frame. The CTR-AES block cipher module 102 encrypts a 128-bit data block s101 of a MAC frame received from the 32/128-bit converter 100 using the 128-bit round keys s102 received from the key expansion module 101 (s103). Here, the GF multiplication module 103 generates an authentication value of the MAC frame using a hash key calculated from the round keys.
A clock frequency Fio of input/output data is used to pass data in an EPON OLT/ONU, and a clock frequency Fc, which is four times the clock frequency Fio, is used in the GCM-AES block cipher apparatus B100.
32-bit data s100 are input to the 32/128-bit converter 100 at the Fio clock frequency. The 32/128-bit converter 100 multiplexes the four input 32-bit data s100 to convert them into 128-bit data s101 at the Fc clock frequency. Such 128-bit data s101 are encrypted in the GCM-AES block encryption apparatus B100 at the Fc clock frequency. The encrypted 128-bit data are input to the 128/32-bit converter 104. The 128/32-bit converter 104 demultiplexes the input 128-bit data into 32-bit data s104 at the Fio clock frequency.
The GCM-AES block encryption apparatus B100 performs its processing during 11 rounds in a pipeline manner. However, in order to encrypt consecutively input data blocks, the converters 100 and 104 require an Fc clock frequency that is four times the input/output data clock frequency Fio according to the inequality shown in Expression 1, since the converters 100 and 104 must maintain a multiple-of-4 relationship between the Fio clock frequency and the Fc clock frequency for clock synchronization.
$$\frac{F_c}{F_{io}} \times \text{cycle} \geq 11\ \text{rounds}$$   [Expression 1]
where $\text{cycle} = \frac{128}{W_d}$, $F_{io} \times W_d = \text{EPON Data Rate}$, “Fc” is the clock frequency of the GCM-AES block cipher module, “Fio” is the input/output data clock frequency, “Wd” is an input/output data bus width, and “cycle” is the number of clock cycles required to input 128 bits.
Accordingly, as shown in FIG. 2, if 62.5 MHz is used as the input/output data clock frequency in a 2 Gbps EPON OLT/ONU, a GCM-AES block cipher apparatus 201 uses a clock frequency of 250 MHz, which is four times the input/output data clock frequency.
In the conventional GCM-AES block cipher apparatus, the relationship between the data bus width and the clock frequency in the 1 Gbps or 2 Gbps EPON OLT/ONU is shown in Table 1.
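TABLE 1

| Data Rate | Fc      | Fio       | Wd      | Fc/Fio (a) | Cycle (b) | Round (a)*(b) |
|-----------|---------|-----------|---------|------------|-----------|---------------|
| 1 Gbps    | 125 MHz | 31.25 MHz | 32 bits | 4          | 4         | 16            |
|           | 125 MHz | 62.5 MHz  | 16 bits | 2          | 8         | 16            |
|           | 125 MHz | 125 MHz   | 8 bits  | 1          | 16        | 16            |
| 2 Gbps    | 250 MHz | 31.25 MHz | 64 bits | 8          | 2         | 16            |
|           | 250 MHz | 62.5 MHz  | 32 bits | 4          | 4         | 16            |
|           | 250 MHz | 125 MHz   | 16 bits | 2          | 8         | 16            |
|           | 250 MHz | 250 MHz   | 8 bits  | 1          | 16        | 16            |
|           | 125 MHz | 125 MHz   | 16 bits | 1          | 8         | 8             |
|           | 125 MHz | 62.5 MHz  | 32 bits | 2          | 4         | 8             |
|           | 125 MHz | 31.25 MHz | 64 bits | 4          | 2         | 8             |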
As shown in Table 1, the conventional GCM-AES block cipher structure must use a clock frequency of 250 MHz in the 2 Gbps EPON system environment in order to meet a requirement of more than 11 rounds under any circumstance. Using such a high clock frequency causes much difficulty in actual hardware implementation.
FIG. 3 is a signal process diagram illustrating an encryption method in the conventional GCM-AES block cipher apparatus. In FIG. 3, a conventional GCM-AES block cipher module B300 performs three main steps of processing (B301, B302 and B303) for variable-length MAC frames.
At the first step (B301), the key expansion module 101 expands a 128-bit key s300 received together with a MAC frame to produce 11 round keys s301 for use in encryption of the MAC frame (300), and the 11-round CTR-AES encryption module 102 generates a hash key value s307 from the generated round keys s301 (301).
The hash key value is calculated using an equation expressed in Expression 2.
$$H = E_{11\,\text{rounds}}(K, 0^{128})$$   [Expression 2]
where “K” denotes the round key and “H” denotes the hash key value.
While the first step (B301) is performed, 32-bit input data of the MAC frame are multiplexed into 128-bit data in the 32/128-bit converter 100.
Next, at the second step (B302), 128-bit data blocks of the MAC frame are encrypted or decrypted, and an authentication value of the encrypted data blocks is also produced or an authentication value of the decrypted data blocks is compared with the input authentication value.
In order to generate the authentication value, the GF multiplication module 103 receives the first 128-bit data block of the MAC frame as an Additional Authenticated Data (AAD) value s308, and computes a product s309 of the received AAD value and the hash key value s307 produced at the first step (B301) (305). The product s309 is XORed with an encrypted value s306 of the input data block (306), and the XOR result value is fed back to the GF multiplication module 103 to repeat the computation.
In addition, in order to perform encryption, a 96-bit random Initial Vector (IV) value s302 is combined with a 32-bit data block counter (302) to produce a 128-bit counter value s303. The 128-bit counter value s303 is input to the 11-round CTR-AES block encryption module 102 and is then encrypted using the round key s301 calculated at the first step (B301) (303). The encrypted value s304 is XORed with a 128-bit data block s305 (304) to be output as an encrypted value s306 of the input data blocks.
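This second step (B302) is repeated for all 128-bit data blocks of the MAC frame as shown in Expression 3.
$$Y_0 = IV \parallel 0^{31}, \quad Y_i = \mathrm{INCR}(Y_{i-1}) \ \text{for } i = 1, \ldots, n$$
$$C_i = P_i \oplus E_{11\,\text{rounds}}(K, Y_i) \ \text{for } i = 1, \ldots, n-1$$
$$C^*_n = P^*_n \oplus \mathrm{MSB}(E_{11\,\text{rounds}}(K, Y_n))$$   [Expression 3]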
where “Yi” denotes the 128-bit counter value, “Pi” denotes the 128-bit input data block, “Ci” denotes the encrypted value of the input data block Pi, and “C*n” denotes data encryption of a final bit string remaining after the MAC frame is divided into 128-bit data blocks.
Finally, at the third step (B303), the GF multiplication module 103 receives the authentication value s310 repeatedly calculated for the data block s306 encrypted at the second step (B302), and performs two multiplications of the received authentication value s310 and the hash key value to calculate a final authentication value s316.
Specifically, the 11-round CTR-AES block cipher module 102 receives the 128-bit counter value s311 obtained by combining a 96-bit IV value and a 32-bit zero value, and encrypts the received 128-bit counter value s311 using the round key s301 (s312). Then, the GF multiplication module 103 computes a product of the hash key value s307 and the authentication value s310 calculated at the second step B302 (308), and then performs an XOR operation between the product and a value s314 obtained by combining the encrypted value of the last data block and the AAD value (309). The GF multiplication module 103 again computes a product of the XOR result value and the hash key value s307 (310), and then performs an XOR operation (311) between the product and the encrypted value s312 obtained at the third step (B303) to calculate a final authentication value ICV (s316).
The calculated final authentication value ICV is expressed by an equation shown in Expression 4.
$$ICV = \mathrm{MSB}(\mathrm{GHASH}(H, A, C)) \oplus \mathrm{MSB}(E_{11\,\text{rounds}}(K, Y_0))$$   [Expression 4]
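The following Python reference model is an added example, not part of the patent text: it implements the GF(2^128) multiplication and GHASH that the GF multiplication module 103 performs, then forms and verifies the ICV of Expression 4. It assumes the AES outputs H and E(K, Y0) are supplied by the cipher module; the constants are those of Test Case 2 in the published GCM specification (all-zero key and IV, one all-zero plaintext block), and the function names are chosen here for illustration.

```python
import hmac

R = 0xE1 << 120  # reduction constant for x^128 + x^7 + x^2 + x + 1 in GCM bit order

def gf_mult(x: int, y: int) -> int:
    """Bit-serial product of two 128-bit field elements (leftmost bit is x^0)."""
    z, v = 0, y
    for i in range(128):
        if (x >> (127 - i)) & 1:
            z ^= v
        v = (v >> 1) ^ R if v & 1 else v >> 1
    return z

def blocks(data: bytes):
    """Split into 128-bit integers, zero-padding a final partial block."""
    return [int.from_bytes(data[o:o + 16].ljust(16, b"\x00"), "big")
            for o in range(0, len(data), 16)]

def ghash(h: int, aad: bytes, ct: bytes) -> int:
    """GHASH(H, A, C): fold AAD blocks, ciphertext blocks, then the bit-length block."""
    x = 0
    for b in blocks(aad) + blocks(ct):
        x = gf_mult(x ^ b, h)          # XOR result is fed back into the multiplier
    length_block = ((len(aad) * 8) << 64) | (len(ct) * 8)
    return gf_mult(x ^ length_block, h)

def icv(h: int, ek_y0: int, aad: bytes, ct: bytes, tag_bits: int = 128) -> bytes:
    """Expression 4: leading tag_bits of GHASH(H, A, C) XOR E(K, Y0)."""
    t = (ghash(h, aad, ct) ^ ek_y0) >> (128 - tag_bits)
    return t.to_bytes(tag_bits // 8, "big")

def verify(h, ek_y0, aad, ct, received: bytes) -> bool:
    """Receiver side: recompute the ICV and compare in constant time."""
    return hmac.compare_digest(icv(h, ek_y0, aad, ct, len(received) * 8), received)

# GCM specification Test Case 2; AES outputs are taken from the vector, not computed here.
H = 0x66E94BD4EF8A2C3B884CFA59CA342B2E        # E(K, 0^128)
EK_Y0 = 0x58E2FCCEFA7E3061367F1D57A4E7455A    # E(K, Y0)
CT = bytes.fromhex("0388dace60b6a392f328c2b971b2fe78")
TAG = bytes.fromhex("ab6e47d42cec13bdf53a67b21257bddf")

def demo():
    """Return (tag matches, genuine frame accepted, one-bit-modified frame accepted)."""
    tampered = bytes([CT[0] ^ 0x01]) + CT[1:]
    return (icv(H, EK_Y0, b"", CT) == TAG,
            verify(H, EK_Y0, b"", CT, TAG),
            verify(H, EK_Y0, b"", tampered, TAG))

if __name__ == "__main__":
    print(demo())
```
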
As described above, since the conventional GCM-AES cipher apparatus must operate at a frequency that is four times the input/output data clock frequency, it must operate at a high clock frequency of 250 MHz in a 2 Gbps EPON environment. This makes it difficult to implement an EPON OLT/ONU through an FPGA. In addition, even if an EPON OLT/ONU is developed through an ASIC, a 0.13 μm process must be used to guarantee the processing of data at a high clock frequency, which increases chip costs and makes it difficult to implement hardware.
Thus, to easily implement the module in the hardware of an EPON OLT/ONU, it is necessary to provide a new structure of the GCM-AES block cipher module that can operate at a lower frequency.