Authentication engine architecture and method
First Claim
1. An authentication engine architecture for an multi-loop, multi-round authentication algorithm, comprising:
- a first instantiation of a multi-round authentication algorithm hash round logic in an inner hash engine;
a second instantiation of a multi-round authentication algorithm hash round logic in an outer hash engine;
a dual-frame payload data input buffer configured for loading one new data block while another data block one is being processed in the inner hash engine;
an initial hash state input buffer configuration for loading initial hash states to the inner and outer hash engines for concurrent inner hash and outer hash operations; and
a dual-ported ROM configured for concurrent constant lookups for both inner and outer hash engines.
7 Assignments
0 Petitions
Accused Products
Abstract
Provided is an architecture (hardware implementation) for an authentication engine to increase the speed at which multi-loop and/or multi-round authentication algorithms may be performed on data packets transmitted over a computer network. Authentication engines in accordance with the present invention apply a variety of techniques that may include, in various applications, collapsing two multi-round authentication algorithm (e.g., SHA1 or MD5 or variants) processing rounds into one; reducing operational overhead by scheduling the additions required by a multi-round authentication algorithm in such a matter as to reduce the overall critical timing path (“hiding the ads”); and, for a multi-loop (e.g., HMAC) variant of a multi-round authentication algorithm, pipelining the inner and outer loops. In one particular example of applying the invention in an authentication engine using the HMAC-SHA1 algorithm of the IPSec protocol, collapsing of the conventional 80 SHA1 rounds into 40 rounds, hiding the ads, and pipelining the inner and outer loops allows HMAC-SHA1 to be conducted in approximately the same time as conventional SHA1.
72 Citations
31 Claims
-
1. An authentication engine architecture for an multi-loop, multi-round authentication algorithm, comprising:
-
a first instantiation of a multi-round authentication algorithm hash round logic in an inner hash engine;
a second instantiation of a multi-round authentication algorithm hash round logic in an outer hash engine;
a dual-frame payload data input buffer configured for loading one new data block while another data block one is being processed in the inner hash engine;
an initial hash state input buffer configuration for loading initial hash states to the inner and outer hash engines for concurrent inner hash and outer hash operations; and
a dual-ported ROM configured for concurrent constant lookups for both inner and outer hash engines. - View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
-
-
9. An authentication engine architecture for a multi-round authentication algorithm, comprising:
a hash engine configured to implement hash round logic for a multi-round authentication algorithm, said hash round logic implementation including at least one addition module comprising, a plurality of carry save adders for computation of partial products, and a carry look-ahead adder for computation and propagation of a final sum. - View Dependent Claims (10, 11, 12, 13)
-
14. An authentication engine architecture for an SHA1 authentication algorithm, comprising:
-
at least one hash engine configured to implement hash round logic comprising;
five hash state registers;
one critical and four non-critical data paths associated with the five registers, such that in successive SHA1 rounds, registers having the critical path are alternative. - View Dependent Claims (15)
-
-
16. A method of authenticating data transmitted over a computer network, comprising:
-
receiving a data packet stream;
splitting the packet data stream into fixed-size data blocks; and
processing the fixed-size data blocks using a multi-loop, multi-round authentication engine architecture having a hash engine core comprising an inner hash engine and an outer hash engine, said architecture configured to, pipeline hash operations of said inner hash and outer hash engines, collapse and rearrange multi-round logic to reduce rounds of hash operations, and implement multi-round logic to schedule addition computations to be conducted in parallel with round operations. - View Dependent Claims (17, 18, 19, 20, 21, 22, 23, 24, 25, 26)
-
-
27. A method of authenticating data transmitted over a computer network, comprising:
-
receiving a data packet stream;
splitting the packet data stream into fixed-size data blocks; and
processing the fixed-size data blocks using a multi-round authentication engine architecture, said architecture implementing hash round logic for a multi-round authentication algorithm configured to schedule addition computations to be conducted in parallel with round operations. - View Dependent Claims (28)
-
-
29. A method of authenticating data transmitted over a computer network using an SHA1 authentication algorithm, comprising:
-
providing five hash state registers; and
providing data paths from said five state registers such that four of the five data paths from the registers in any SHA1 round are not timing critical. - View Dependent Claims (30, 31)
-
Specification