1. Technical Field
The present invention relates to an encryption circuit for implementing in hardware the Rijndael algorithm, which is the next generation common key block encryption standard, known as the AES (advanced encryption standard), and will replace the current common key block encryption standard in the US, called DES.
2. Description of Related Art
A great variety of services are being considered that involve the Internet, including electronic commerce and electronic money. These technologies are used not just in the daily lives of individuals, but also in a wide range of fields, including transactions among corporations and improving productivity. In particular, it is expected that encryption functions will be loaded onto smart cards and mobile handsets, for the purpose of verifying the identity of individuals, and that these technologies will be widely used for authentication, digital signatures, and data encryption.
Common key cryptography is used in these applications to prevent third parties from eavesdropping on communications over the Internet. The current standard adopted in the US for common key cryptography is DES; as its replacement, the AES (advanced encryption standard), known as the Rijndael algorithm, has been selected to be the next generation common key block cryptography standard, and this algorithm is becoming the new standard. (The AES draft is available at http://csrc.nist.gov/publications/drafts/dfips-AES.pdf)
AES is a block cipher for processing in block lengths of 128 bits, and the encryption algorithm, as shown in FIG. 1, is thought to be executable by an encryption circuit comprising a round function unit 20 and a key schedule unit 10. The round function unit 20 comprises an input register 21 that temporarily stores input data, an XOR processing unit 22 that XORs the input data and expanded key segment, a round processing unit 23, a final round processing unit 24 and an output register 25 that temporarily stores output data.
The round processing unit 23 comprises a Byte Sub transformation unit 31, a Shift Row transformation unit 32, a Mix Column transformation unit 33 and a Round Key Addition unit 34; the final round processing unit 24 performs the processing of the round processing unit 23 except for the Mix Column transformation 33; it comprises a Byte Sub transformation unit 35, a Shift Row transformation unit 36 and a Round Key Addition unit 37.
Round processing is iterated; the number of rounds Nr, including the final round, depends on the key length inputted into the key schedule unit 10, and is defined as shown in Table 1.
TABLE 1
Key Length and Number of Rounds

Key Length    Nr
128 bit       10
192 bit       12
256 bit       14
Thus for each key length round processing is executed Nr-1 times, and at the end the final round processing is executed. When the key length is 128 bits, round processing is executed 9 times; when 192 bits, 11 times; and when 256 bits, 13 times; and then in each case the final round processing is executed. Round keys generated at the key schedule unit 10 are inputted into the XOR processing unit 22, round processing unit 23 and final round processing unit 24.
The key schedule unit 10 generates round keys based on the key generation schedule specified in the AES draft; that algorithm is shown in FIG. 2.
The AES Proposal specification (AES Proposal: Rijndael, at http://csrc.nist.gov/encryption/aes/rijndael/Rijndael.pdf) introduces 2 hardware implementations for AES block cipher circuits.
One of these is a method for hardware implementation, in 128 bit units, of all the functions shown in FIG. 1 as they are (hereinafter, “conventional example 1”). In this case, for encryption and decryption, the order of processing of the functions is reversed, and thus it is necessary to prepare separate processing circuits for encryption and decryption.
Also, because, as shown in Table 1, it is necessary to change the number of times round processing is executed depending upon the key length, it is necessary to create circuits for each key length.
Furthermore, because of the reversal of order between encryption and decryption, the order of key generation in the key schedule unit 10 for the round keys used in the round function unit 20 has to be reversed between encryption and decryption. Therefore, either there have to be 2 separate key schedule units, for encryption and for decryption, or a method has to be devised for using the key schedule unit 10 for both encryption and decryption.
The second method, as shown in FIG. 3, involves creating a coprocessor 50 that has a Byte Sub transformation unit 51 and a Mix Column transformation unit 52, and implementing in hardware only the Byte Sub transformation and the Mix Column transformation functions, and having all other functions incorporated as software into a program 41, and then processing with a CPU 40 (hereinafter, “conventional example 2”).
In this case, Byte Sub transformation and Mix Column transformation, which are unsuited for processing by the CPU 40 for reasons of processing time, are implemented in hardware as the coprocessor 50, and the other processing is processed by the program 41 stored in the CPU, thus allowing the circuit scale to be reduced.
If we suppose that the AES block cipher is to be incorporated into a smart card or the like, the functions required of an encryption circuit would be to maintain a certain level of processing speed, while keeping the scale of the circuit small. With these requirements, the conventionally proposed method of implementing all the functions in 128-bit units results in the scale of the circuit being too large, making the loading thereof onto a smart card difficult. With the method of implementing in hardware only the Byte Sub transformation and the Mix Column transformation, and processing the other functions with software, there is the problem of the processing speed requirements not being fulfilled.
Moreover, with the key schedule unit 10 that generates the round keys, if all the round keys are stored in memory, a large-capacity memory is needed, and this would make the scale of the circuit large. Therefore, in order to reduce the scale of the circuit without reducing processing speed, it is desirable to generate round keys with a circuit constitution that does not require storing the entire expanded key in memory.
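The two key schedule problems described above (reversed round key order for decryption, and the memory cost of storing the whole expanded key) can be illustrated in software. The following C sketch is an added example, not the circuit of the invention: it keeps a single 16-byte round key for a 128-bit key and steps it forward for encryption or backward for decryption, instead of holding all 11 round keys (176 bytes). The function names are hypothetical, and the S-box is computed at start-up only to keep the listing short.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
static uint8_t sbox[256];                    /* filled by init_sbox() */
static uint8_t xtime(uint8_t x) { return (uint8_t)((x << 1) ^ ((x & 0x80) ? 0x1b : 0)); }
static uint8_t gmul(uint8_t a, uint8_t b) {  /* multiply in GF(2^8) */
    uint8_t p = 0;
    for (; b; b >>= 1, a = xtime(a)) if (b & 1) p ^= a;
    return p;
}
static void init_sbox(void) {                /* field inverse, then affine map */
    for (int i = 0; i < 256; i++) {
        uint8_t inv = 0, s;
        for (int j = 1; i && j < 256; j++)
            if (gmul((uint8_t)i, (uint8_t)j) == 1) { inv = (uint8_t)j; break; }
        s = inv;
        for (int k = 0; k < 4; k++) { inv = (uint8_t)((inv << 1) | (inv >> 7)); s ^= inv; }
        sbox[i] = s ^ 0x63;
    }
}
static uint8_t rcon(int round) { uint8_t r = 1; while (--round > 0) r = xtime(r); return r; }
/* w0 ^= SubWord(RotWord(w3)) ^ Rcon[round]; w3 is rk[12..15]. */
static void mix_w0(uint8_t rk[16], int round) {
    rk[0] ^= sbox[rk[13]] ^ rcon(round); rk[1] ^= sbox[rk[14]];
    rk[2] ^= sbox[rk[15]];               rk[3] ^= sbox[rk[12]];
}
/* Encryption order: key of round-1 becomes key of round, in place. */
void next_round_key(uint8_t rk[16], int round) {
    mix_w0(rk, round);
    for (int i = 4; i < 16; i++) rk[i] ^= rk[i - 4];
}
/* Decryption order: key of round becomes key of round-1, in place. */
void prev_round_key(uint8_t rk[16], int round) {
    for (int i = 15; i >= 4; i--) rk[i] ^= rk[i - 4];
    mix_w0(rk, round);
}
/* dir > 0: cipher key -> last round key; dir < 0: last round key -> cipher key. */
void walk_schedule(const uint8_t in[16], uint8_t out[16], int dir) {
    if (!sbox[0]) init_sbox();
    memcpy(out, in, 16);
    for (int r = 1; r <= 10; r++)
        if (dir > 0) next_round_key(out, r); else prev_round_key(out, 11 - r);
}
int main(void) {
    uint8_t key[16] = {0}, last[16], back[16];   /* constructed all-zero key */
    walk_schedule(key, last, +1); walk_schedule(last, back, -1);
    printf("round trip %s\n", memcmp(key, back, 16) ? "FAILED" : "ok");
    return 0;
}
```

For decryption the device only needs the last round key as a starting point; 192-bit and 256-bit keys use a wider sliding window and are not covered by this sketch.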