Cryptography – Particular algorithmic function encoding – Nbs/des algorithm
Reexamination Certificate
1998-10-05
2001-11-27
Hayes, Gail (Department: 2131)
C380S037000
active
06324286
ABSTRACT:
BACKGROUND OF THE INVENTION
1. Field of the Invention
The present invention relates to an encryption-decryption processor, particularly to a DES cipher processor (DCP) for executing 16 rounds of data encryption standard (DES) operations in four encryption modes and four decryption modes, namely: Electronic Code Book (ECB) mode, Cipher Block Chaining (CBC) mode, Cipher Feedback (CFB) mode and Output Feedback (OFB) mode for both encryption and decryption. DES stands for Data Encryption Standard, an encryption and decryption standard adopted by the United States Government. Details concerning DES can be found in FIPS (Federal Information Processing) Publication 46-2 and 74 published by the National Institute of Standards and Technology.
2. Description of the Related Art
When encrypted communication is undertaken using high speed communication equipment, such as full duplex E1, T1, and V.35 services, among others, two DCPs will be needed in an encryption-decryption module: one DCP for encryption, and another for decryption.
A DCP is composed of a data I/O unit, an IV/key storage unit, a control unit, and an algorithm unit. The algorithm unit is used to encrypt/decrypt the incoming text message.
FIG. 1 (Prior Art) is a block diagram illustrating the algorithm unit of a conventional DES cipher processor. The crypto engine 2 receives a modified input IN1 from the mode selection sub-unit 1 and encrypts it according to subkeys provided by the key generation sub-unit 3 to obtain an encrypted text OUT1. The mode selection sub-unit 1 processes an input IN to be encrypted, an initial vector for encryption IVE corresponding to a selected encryption mode, such as CBC mode, and the encrypted text OUT1 of the crypto engine 2 to obtain the modified input IN1 or the encrypted text OUT2. The multiplexor 4 then selects OUT1 or OUT2 as an encrypted output OUT of the algorithm unit according to the selected encryption mode. In this case, only one buffer (not shown) is needed in the crypto engine 2 to store intermediate encrypted texts during the sixteen rounds of DES operations. The result of the sixteenth round of DES operation is therefore also stored in this buffer.
FIGS. 2A and 2B (Prior Art) illustrate the data path of a single-port simplex encryption processor and a dual-port simplex encryption processor, respectively. The input and the output of the single-port encryption processor are delivered through the same data port, that is, the data to be encrypted/decrypted are inputted to the DES cipher processor DCP1 through data port Port1, and the encrypted outcome thus obtained is outputted from the same data port Port1. The input and the output of the dual-port simplex encryption processor DES cipher processor DCP2 are delivered through different data ports, that is, the data to be encrypted/decrypted are inputted to the DES cipher processor DCP2 through data port Port1, and the encrypted/decrypted outcome thus obtained is outputted from another data port Port2, and vice versa.
A decryption processor for executing sixteen rounds of DES operations has a structure similar to the encryption processor described above. The initial vector for encryption IVE is replaced by the initial vector for decryption IVD and the key generation sub-unit 3 rearranges the subkeys to allow the original crypto engine to perform decryption. The IVE and IVD are used for the CBC mode, CFB mode, and OFB mode only and are only employed at the beginning of the processing of the text message.
A DCP that dissects a text message into various blocks, each of which is encrypted or decrypted according to a prescribed sequence, can perform a decryption operation only after the whole previous plain text message is completely encrypted, or can perform an encryption operation only after the whole previous cipher text message is decrypted. For the CBC mode, CFB mode, or OFB mode, the values of the sixteen-round DES encryption operation, stored in the sole data buffer, have to be fed back to the mode selection sub-unit to interact with the next incoming block of plain text message; that is, the values of the sixteen-round DES encryption operation cannot be used to interact with the next block of incoming ciphered text message, and vice versa. Also, the algorithm unit has a long wait between the operations on two blocks of text message, since the I/O port is the bottleneck of the throughput. Therefore, the idle time for the algorithm unit can be much longer than the time required for the actual encryption or decryption operation.
Consequently, an encryption-decryption module for full duplex operation needs either two DCPs or two crypto engines, one for encryption and the other for decryption. This results in an increase in cost and required space. Alternatively, the mode selection sub-unit 1 and the key generation sub-unit (as shown in FIG. 1) are modified to enable the crypto engine 2 to perform DES in four encryption modes and four decryption modes.
SUMMARY OF THE INVENTION
Accordingly, an object of the present invention is to provide a full duplex algorithm unit, which can execute DES operations in four encryption modes and four decryption modes while reducing the required space and cost.
Another object of the present invention is to provide a crypto engine for executing DES operations by providing two data buffers for storing the interim data for data encryption and data decryption, respectively, in order to perform the encryption process and the decryption process simultaneously, thereby enhancing the efficiency of the algorithm unit by reducing the idle time.
To realize the above and other objects, the present invention provides an algorithm unit for executing the DES modes which comprises a key generation sub-unit, a crypto engine, a mode selection sub-unit, and an output multiplexor. The key generation sub-unit generates subkeys for DES operations. The crypto engine includes an input buffer for registering the data to be encrypted/decrypted and an n-round DES device for performing sixteen-round DES operation according to the aforementioned subkeys to obtain a corresponding cipher text/plain text. The n-round DES device can be a two-round, four-round, eight-round, or sixteen-round DES device. The number of the subkeys for the crypto engine depends on the n of the n-round DES device. For example, a two-round DES device needs two corresponding subkeys, and a four-round DES device needs four corresponding subkeys. Further, the crypto engine also includes a cipher text buffer (CTB) and a plain text buffer (PTB) for registering the ciphered text and the plain text obtained from the n-round DES device, respectively. The mode selection sub-unit sequentially processes an input to be encrypted/decrypted and the cipher text/plain text of the cipher/plain text buffer according to a selected encryption/decryption mode to obtain an encrypted/decrypted output for the next encryption/decryption. The output multiplexor then selects the output of the mode selection sub-unit or the ciphered text/plain text of the CTB/PTB.
Moreover, the DCP of the present invention may also include an encryption data port, a decryption data port, an input port de-multiplexor and an output port multiplexor, wherein the encrypting port processes the plain text message and the decrypting port processes the ciphered text message.
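The single-buffer limitation and the two-buffer arrangement described above can be modelled in software. The following is an added illustration, not code from the patent: it uses OFB mode (where the fed-back value is the engine output itself), a toy 16-round Feistel network as a stand-in for the DES device (it is not DES), and hypothetical names (AlgorithmUnit, process, interleave, run) with constructed sample data.

```python
import hashlib

ROUNDS = 16

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def subkeys(key: bytes) -> list:
    # Stand-in for the key generation sub-unit: one subkey per round.
    return [hashlib.sha256(key + bytes([r])).digest()[:4] for r in range(ROUNDS)]

def engine(block: bytes, ks: list) -> bytes:
    # Stand-in for the 16-round DES device: toy 64-bit Feistel network, NOT DES.
    left, right = block[:4], block[4:]
    for k in ks:
        f = hashlib.sha256(k + right).digest()[:4]
        left, right = right, xor(left, f)
    return right + left

class AlgorithmUnit:
    """OFB unit sharing one engine between an outgoing and an incoming stream."""
    def __init__(self, key, ive, ivd, dual_buffers):
        self.ks = subkeys(key)
        self.dual = dual_buffers
        self.fb = {"enc": ive, "dec": ivd}  # feedback registers, seeded with the IVs

    def process(self, direction, block):
        # With a single buffer, both directions overwrite the same register.
        slot = direction if self.dual else "enc"
        self.fb[slot] = engine(self.fb[slot], self.ks)  # O_i = E(O_{i-1})
        return xor(block, self.fb[slot])                # OFB: text XOR keystream

def ofb_reference(key, iv, blocks):
    # A dedicated, non-interleaved unit: the result each stream must match.
    unit = AlgorithmUnit(key, iv, iv, dual_buffers=True)
    return [unit.process("enc", b) for b in blocks]

def interleave(unit, outgoing_plain, incoming_cipher):
    sent, received = [], []
    for p, c in zip(outgoing_plain, incoming_cipher):
        sent.append(unit.process("enc", p))      # one block out ...
        received.append(unit.process("dec", c))  # ... then one block in
    return sent, received

# Constructed sample data (not from the patent); every block is 8 bytes.
KEY, IVE, IVD = b"k" * 8, b"\x01" * 8, b"\x02" * 8
OUT_MSG = [b"block-A%d" % i for i in range(3)]
IN_MSG = [b"block-B%d" % i for i in range(3)]
IN_CIPHER = ofb_reference(KEY, IVD, IN_MSG)

def run(dual_buffers):
    unit = AlgorithmUnit(KEY, IVE, IVD, dual_buffers)
    return interleave(unit, OUT_MSG, IN_CIPHER)
```

With two feedback registers, run(True) reproduces both streams exactly; with one, run(False) gets only the first outgoing block right, because every later feedback value was produced for the other direction.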
Chiou Bor-Wen
Chuang I-Yao
Lai Yi-Sern
Yang Chin-Ning
DiLorenzo Anthony
Hayes Gail
Industrial Technology Research Institute
Ladas & Parry