data are converted between an unencrypted and an encrypted format according to the Rijndael algorithm, which comprises a plurality of rounds. Each round consists of a fixed set of transformations applied to a two-dimensional array of rows and columns of bit words, designated the state. At least some of the transformations are applied to a transposed version of the state, in which the rows and columns are exchanged for the columns and rows, respectively.

Patent: RE44594
Priority: Oct 10 2001
Filed: May 29 2012
Issued: Nov 12 2013
Expiry: Oct 10 2021
Entity: Large
Maintenance fees: all paid
9. A device for converting data between an unencrypted format and an encrypted format, the device comprising:
at least one register configured to store the data in the form of bit words; and
a circuit configured to convert the data by at least
performing a plurality of transformation rounds, each transformation round having a respective round key and comprising
applying at least one transformation to a two-dimensional array of rows and columns of bit words defining a state array,
exchanging each of the rows with a respective column of the state array to form a transposed state array for at least one of the transformation rounds so that at least one transformation is applied to the transposed state array,
transposing the respective round key, and
applying the respective transposed round key to the state array in at least one of the transformation rounds, and
transposing an output of a final round from the plurality of transformation rounds.
33. A device for converting data between an unencrypted format and an encrypted format, the device comprising:
at least one storage element configured to store the data in the form of bit words; and
a circuit configured to convert the data by at least
performing a plurality of transformation rounds, each transformation round having a respective round key and comprising
applying at least one transformation to a two-dimensional array of rows and columns of bit words defining a state array,
exchanging each of the rows with a respective column of the state array to form a transposed state array for at least one of the transformation rounds so that at least one transformation is applied to the transposed state array,
transposing the respective round key, and
applying the respective transposed round key to the state array in at least one of the transformation rounds, and
transposing an output of a final round from the plurality of transformation rounds.
1. A method of converting data between an unencrypted format and an encrypted format, the data being organized in bit words and being stored in at least one register, the method comprising:
using a circuit cooperating with the at least one register to convert the data by at least performing a plurality of transformation rounds, each transformation round having a respective round key and comprising applying at least one transformation to a two-dimensional array of rows and columns of bit words defining a state array,
exchanging each of the rows with a respective column of the state array to form a transposed state array for at least one of the transformation rounds so that the at least one transformation is applied to the transposed state array,
transposing the respective round key, and
applying the respective transposed round key to the state array in at least one of the transformation rounds; and
using the circuit to transpose an output of a final round from the plurality of transformation rounds.
25. A method of converting data between an unencrypted format and an encrypted format, the data being organized in bit words and being stored in at least one storage element, the method comprising:
using a circuit cooperating with the at least one storage element to convert the data by at least performing a plurality of transformation rounds, each transformation round having a respective round key and comprising
applying at least one transformation to a two-dimensional array of rows and columns of bit words defining a state array,
exchanging each of the rows with a respective column of the state array to form a transposed state array for at least one of the transformation rounds so that the at least one transformation is applied to the transposed state array,
transposing the respective round key, and
applying the respective transposed round key to the state array in at least one of the transformation rounds; and
using the circuit to transpose an output of a final round from the plurality of transformation rounds.
22. A method of converting data between an unencrypted format and an encrypted format, the data being organized in 8-bit words and being stored in at least one register, the method comprising:
using a circuit cooperating with the at least one register to convert the data by at least performing a plurality of transformation rounds for converting the data, each transformation round having a respective round key and comprising
applying at least one transformation to a two-dimensional array of rows and columns of 8-bit words defining a state array comprising a 4×4 matrix of 8-bit words,
exchanging each of the rows with a respective column of the state array to form a transposed state array for at least one of the transformation rounds so that the at least one transformation is applied to the transposed state array,
transposing the respective round key, and
applying the respective transposed round key to the state array in at least one of the transformation rounds; and
using the circuit to transpose an output of a final round from the plurality of transformation rounds.
2. A method according to claim 1 wherein the bit words are 8-bit words.
3. A method according to claim 1 wherein the state array is a 4×4 matrix of bit words.
4. A method according to claim 1 wherein the plurality of transformation rounds comprises at least 10 transformation rounds.
5. A method according to claim 1 wherein performing further comprises performing at least one transformation round on a non-transposed state array.
6. A method according to claim 1 further comprising adding code to transpose the respective round key for each of the plurality of transformation rounds.
7. A method according to claim 1 wherein each respective round key is applied according to a round key schedule.
8. A method according to claim 7 wherein the round key schedule comprises a transposed round key schedule.
10. A device according to claim 9 wherein said at least one register is configured to store bit words as 8-bit words.
11. A device according to claim 9 wherein said circuit is a decoder for converting data from an encrypted data format to an unencrypted data format.
12. A device according to claim 9 wherein said circuit is configured to operate on a state array comprising a 4×4 matrix of bit words.
13. A device according to claim 9 wherein said circuit is configured to perform at least 10 transformation rounds.
14. A device according to claim 9 wherein said circuit comprises at least one S-box processing module, said at least one S-box processing module being configured to operate on a group of bit words defining a cell of a column of the state array.
15. A device according to claim 14 wherein the at least one S-box processing module comprises a plurality of S-box modules, each of the plurality of S-box modules being configured to operate on a corresponding cell of a column of the state array.
16. A device according to claim 15 wherein the column of the state array comprises four cells.
17. A device according to claim 9 wherein the circuit further comprises a plurality of shift column modules, each of said plurality of shift column modules being configured to perform a column shift operation on a column of the state array.
18. A device according to claim 17 wherein a column shift operation performed by each of said plurality of shift column modules generates shift column data, and wherein said circuit further comprises a single mix column module to perform column mix operations on shift column data.
19. A device according to claim 9 wherein said circuit is an encoder for converting data from an unencrypted data format to an encrypted data format.
20. A device according to claim 19 wherein said circuit is an embedded system for use in a smart card.
21. A device according to claim 11 wherein said circuit is an embedded system for use in a smart card.
23. A method according to claim 22 further comprising adding code to transpose the respective round key for each of the plurality of transformation rounds.
24. A method according to claim 22 wherein each respective round key is applied according to a round key schedule.
26. A method according to claim 25 wherein the bit words are 8-bit words.
27. A method according to claim 25 wherein the state array is a 4×4 matrix of bit words.
28. A method according to claim 25 wherein the plurality of transformation rounds comprises at least 10 transformation rounds.
29. A method according to claim 25 wherein performing further comprises performing at least one transformation round on a non-transposed state array.
30. A method according to claim 25 further comprising adding code to transpose the respective round key for each of the plurality of transformation rounds.
31. A method according to claim 25 wherein each respective round key is applied according to a round key schedule.
32. A method according to claim 31 wherein the round key schedule comprises a transposed round key schedule.
34. A device according to claim 33 wherein said at least one storage element is configured to store bit words as 8-bit words.
35. A device according to claim 33 wherein said circuit is configured to operate on a state array comprising a 4×4 matrix of bit words.
36. A device according to claim 33 wherein said circuit is configured to perform at least 10 transformation rounds.
37. A device according to claim 33 wherein said circuit comprises at least one S-box processing module, said at least one S-box processing module being configured to operate on a group of bit words defining a cell of a column of the state array.
38. A device according to claim 37 wherein the at least one S-box processing module comprises a plurality of S-box modules, each of the plurality of S-box modules being configured to operate on a corresponding cell of a column of the state array.
39. A device according to claim 38 wherein the column of the state array comprises four cells.
40. A device according to claim 33 wherein the circuit further comprises a plurality of shift column modules, each of said plurality of shift column modules being configured to perform a column shift operation on a column of the state array.
41. A device according to claim 40 wherein a column shift operation performed by each of said plurality of shift column modules generates shift column data, and wherein said circuit further comprises a single mix column module to perform column mix operations on shift column data.
42. A device according to claim 33 wherein said circuit is an encoder for converting data from an unencrypted data format to an encrypted data format.
43. A device according to claim 42 wherein said circuit is an embedded system for use in a smart card.
44. A device according to claim 33 wherein said circuit is a decoder for converting data from an encrypted data format to an unencrypted data format.
45. A device according to claim 44 wherein said circuit is an embedded system for use in a smart card.

The invention relates to encryption/decryption techniques and more specifically refers to Advanced Encryption Standard (AES) cryptosystems based e.g. on the so-called Rijndael algorithm.

The Rijndael algorithm is a block cipher algorithm operating on blocks of data. The algorithm reads an entire block of data, processes the block and then outputs the encrypted data. The Rijndael algorithm needs a key, which is another block of data. The proposed AES standard will include only a 128-bit standard length for plaintext blocks and 128, 192 and 256-bit standard lengths for the key material.

For a general review of the Rijndael/AES algorithms reference may be made to the following documents
y1=x0+({02}·x1)+({03}·x2)+x3
y2=x0+x1+({02}·x2)+({03}·x3)
y3=({03}·x0)+x1+x2+({02}·x3)

Transposed form: xi = S0,i S1,i S2,i S3,i

where xi, 0 ≤ i ≤ 3, are the words of the transposed state, and yi, 0 ≤ i ≤ 3, are the words of the transposed state after the mix column transformation.

In the foregoing, the operator · denotes a multiplication in a Galois field applied to each of the four 8-bit terms making up the 32-bit word being processed (i.e. {02}·x0 means {02}·S0,0 {02}·S1,0 {02}·S2,0 {02}·S3,0), while the operator + is a sum in the Galois field, i.e. a logic XOR between two 32-bit words.

Such a transposition requires a redefinition of most of the operations performed in a round of the algorithm, and also of the key schedule. Therefore, the round keys too must be transposed before being applied to a round that uses a transposed state.

A trivial solution for that purpose is simply to apply the original key schedule unchanged and then add code to transpose every created round key. In that way, a large overhead would be introduced.

For that reason, the preferred embodiment of the invention provides for the key schedule being applied directly in the transposed manner.

This means that the internal behavior of the system is modified, and simplified, the only requirement for compatibility with the standard being that the state must be retransposed before being output.
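The transposed round structure described above (the mix column transformation as a word-level linear combination, shift rows turned into per-word shifts, and the key schedule evaluated directly in transposed form instead of transposing every round key afterwards), as an added Python example. This is not the patent's or the applicants' code, and every function and variable name is my own. Word r of the state list corresponds to the word x_r of the tables above, i.e. column r of the transposed state, which is row r of the standard column-major state; the S-box is computed from its definition rather than tabulated. The block is transposed on entry and retransposed on exit, so the output matches standard AES-128.

```python
# Added example (not the patent's or the applicants' code): AES-128 encryption
# on the transposed state. Word r of the state is the patent's x_r: the bytes
# S_{r,0..3} of the standard state, i.e. column r of the transposed state.

def gf_mul(a, b):
    """Multiply two bytes in GF(2^8) modulo the AES polynomial x^8+x^4+x^3+x+1."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        carry = a & 0x80
        a = (a << 1) & 0xFF
        if carry:
            a ^= 0x1B
        b >>= 1
    return r

def _sbox_entry(x):
    """S-box byte from its definition: inverse in GF(2^8), then the affine map."""
    inv, p, e = 1, x, 254            # x^254 == x^-1 in GF(2^8); 0 maps to 0
    while e:
        if e & 1:
            inv = gf_mul(inv, p)
        p = gf_mul(p, p)
        e >>= 1
    s = inv                          # s = inv ^ rotl(inv,1..4) ^ 0x63
    for k in range(1, 5):
        s ^= ((inv << k) | (inv >> (8 - k))) & 0xFF
    return s ^ 0x63

SBOX = [_sbox_entry(x) for x in range(256)]

# MixColumns matrix; in transposed form y_r = sum_k MIX[r][k] * x_k, word-wise,
# which is exactly the y1, y2, y3 equations of the text.
MIX = [[2, 3, 1, 1], [1, 2, 3, 1], [1, 1, 2, 3], [3, 1, 1, 2]]

def to_transposed(block):
    """Initial transposition: word r = row r of the standard (column-major) state."""
    return [[block[r + 4 * c] for c in range(4)] for r in range(4)]

def from_transposed(words):
    """Final transposition back to the standard output byte order."""
    return bytes(words[r][c] for c in range(4) for r in range(4))

def sub_bytes(words):
    return [[SBOX[b] for b in w] for w in words]

def shift_columns(words):
    """ShiftRows of the standard state becomes a byte rotation of word r by r."""
    return [w[r:] + w[:r] for r, w in enumerate(words)]

def mix_columns_transposed(words):
    """Word-level linear combination: only XORs and constant GF multiplications."""
    out = []
    for r in range(4):
        acc = [0, 0, 0, 0]
        for k in range(4):
            for c in range(4):
                acc[c] ^= gf_mul(MIX[r][k], words[k][c])
        out.append(acc)
    return out

def add_round_key(words, rkey):
    return [[a ^ b for a, b in zip(w, k)] for w, k in zip(words, rkey)]

def round_keys_transposed_afterwards(key):
    """The 'trivial' route the text mentions: standard schedule, then transpose each round key."""
    w = [list(key[4 * i:4 * i + 4]) for i in range(4)]
    rcon = 1
    for i in range(4, 44):
        t = w[i - 1][:]
        if i % 4 == 0:
            t = [SBOX[b] for b in t[1:] + t[:1]]   # SubWord(RotWord(t))
            t[0] ^= rcon
            rcon = gf_mul(rcon, 2)
        w.append([a ^ b for a, b in zip(w[i - 4], t)])
    # round key j has columns w[4j..4j+3]; its transposed words are its rows
    return [[[w[4 * j + c][r] for c in range(4)] for r in range(4)] for j in range(11)]

def round_keys_transposed_directly(key):
    """Key schedule evaluated on row words, never forming the standard column words."""
    rk = [to_transposed(key)]
    rcon = 1
    for _ in range(10):
        prev = rk[-1]
        # g = SubWord(RotWord(last column)) xor Rcon; the last column is byte 3 of each row
        g = [SBOX[prev[(r + 1) % 4][3]] for r in range(4)]
        g[0] ^= rcon
        rcon = gf_mul(rcon, 2)
        new = []
        for r in range(4):
            row = prev[r][:]
            row[0] ^= g[r]
            for c in range(1, 4):     # column c = column c-1 xor previous column c,
                row[c] ^= row[c - 1]  # i.e. a running XOR along the row word
            new.append(row)
        rk.append(new)
    return rk

def encrypt_block(key, block):
    """AES-128 on one 16-byte block, with the state transposed on the way in and out."""
    rk = round_keys_transposed_directly(key)
    s = add_round_key(to_transposed(block), rk[0])
    for j in range(1, 10):
        s = add_round_key(mix_columns_transposed(shift_columns(sub_bytes(s))), rk[j])
    s = add_round_key(shift_columns(sub_bytes(s)), rk[10])   # final round: no mix
    return from_transposed(s)
```

The two key-schedule routines return identical round keys: the direct one reproduces the column chaining of the standard expansion as a running XOR along each row word, which is what allows the schedule to stay in transposed form without the per-round-key transposition the text calls a large overhead.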

The block diagram of FIG. 6 shows how the prior art arrangement shown in FIG. 4 is simplified and rendered faster by resorting to the invention.

In FIG. 6 parts and components which are identical or equivalent to those already described in connection with FIG. 4 have been indicated with the same reference numerals.

Essentially, the solution of the invention has a basic impact on the shift row block 16 and the mix column blocks 18a, 18b, 18c and 18d of FIG. 4.

In the solution of the invention, four shift column modules 16a, 16b, 16c and 16d—each acting on a respective flow from one of the S-box modules 34a, 34b, 34c and 34d—are substituted for shift row module 16.

By referring to the two tables reproduced in the foregoing, it will become apparent that in the solution of the invention generation of each of the components y0 y1 y2 y3 essentially derives from a linear combination of words x0 x1 x2 x3. This makes it possible to implement the respective transformation simply by means of adder modules (and shift registers).

In the block diagram of FIG. 6, a single mix column module 18, jointly operating on all sixteen 8-bit words output from shift column modules 16a, 16b, 16c, 16d, is substituted for mix column modules 18a, 18b, 18c and 18d of the prior art arrangement of FIG. 4.

Experimentation carried out by the applicants demonstrates that the invention significantly increases the speed of implementing the Rijndael algorithm, even if the overhead due to the initial and final transpositions of the state array is taken into account.

Direct comparison of the solution of the invention with the so-called Gladman's implementation (reportedly the fastest software implementation of the Rijndael algorithm currently available) shows that the invention leads to improvements in encryption and decryption speeds of 46% and 33%, respectively, for a 128-bit key size.

Improvements demonstrated in encryption and decryption speeds with a 192-bit key size are 39% and 25%, respectively.

Finally, improvements in encryption and decryption speed of 45% and 32%, respectively were demonstrated for a 256-bit key size.

It will be appreciated that advantages in terms of latency are primarily felt at the level of software implementation, while the main advantage at the hardware level lies (even with identical performance in terms of latency) in the smaller amount of functional units required. This leads to simpler and less expensive systems, which is a particularly relevant factor in the case of decryption systems.

The solution of transposing the state matrix can be applied to all cases contemplated by the Rijndael algorithm, the advantages being significant especially for 128- and 256-bit words. As indicated, if no initial and final transpositions to ensure compatibility with the existing standards are effected, a thoroughly novel cryptographic system is obtained.

The present invention has been described with reference to the preferred embodiments. However, the present invention is not limited to those embodiments. Various changes and modifications may be made within the spirit and scope of the amended claims.

Inventors: Bertoni, Guido; Fragneto, Pasqualina; Marchesin, Stefano; Macchetti, Marco; Breveglieri, Luca; Bondi, Umberto

Patent Priority Assignee Title
5533127, Mar 18 1994 Canon Kabushiki Kaisha Encryption system
20010024502,
20020157009,
20020191784,
Executed on: May 29 2012
Assignee: STMicroelectronics S.r.l.
Conveyance: assignment on the face of the patent
Date Maintenance Fee Events
Feb 28 2014 M1551: Payment of Maintenance Fee, 4th Year, Large Entity.
Feb 23 2018 M1552: Payment of Maintenance Fee, 8th Year, Large Entity.
Feb 18 2022 M1553: Payment of Maintenance Fee, 12th Year, Large Entity.


Date Maintenance Schedule
Nov 12 2016: 4 years fee payment window open
May 12 2017: 6 months grace period start (w surcharge)
Nov 12 2017: patent expiry (for year 4)
Nov 12 2019: 2 years to revive unintentionally abandoned end. (for year 4)
Nov 12 2020: 8 years fee payment window open
May 12 2021: 6 months grace period start (w surcharge)
Nov 12 2021: patent expiry (for year 8)
Nov 12 2023: 2 years to revive unintentionally abandoned end. (for year 8)
Nov 12 2024: 12 years fee payment window open
May 12 2025: 6 months grace period start (w surcharge)
Nov 12 2025: patent expiry (for year 12)
Nov 12 2027: 2 years to revive unintentionally abandoned end. (for year 12)