Multi-data rate cryptography architecture for network security

US 20080130889A1
Filed: 11/30/2006
Published: 06/05/2008
Est. Priority Date: 11/30/2006
Status: Active Grant

First Claim

Patent Images

1. A microchip security architecture comprising:

a plurality of stages of cipher round logic, each stage configured to perform cryptographic processing of plaintext data in a counter mode and output ciphertext data;

a plurality of multipliers, each multiplier configured to receive the ciphertext data output from at least one associated stage of the plurality of stages of cipher round logic and continue the cryptographic processing to output at least a portion of an integrity check value (ICV); and

control logic configured to provide a selection between a first option of performing the cryptographic processing at a first data rate using a first number of the plurality of stages and a first number of the plurality of multipliers, and a second option of performing the cryptographic processing at a second data rate using a second number of the plurality of stages and a second number of the plurality of multipliers.

View all claims

4 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

An architecture and associated methods and devices are described that include a plurality of stages of cipher round logic, each stage configured to perform cryptographic processing of plaintext data in a counter mode and output ciphertext data, a plurality of multipliers, each multiplier configured to receive the ciphertext data output from at least one associated stage of the plurality of stages of cipher round logic and continue the cryptographic processing to output at least a portion of an integrity check value (ICV), and control logic configured to provide a selection between a first option of performing the cryptographic processing at a first data rate using a first number of the plurality of stages and a first number of the plurality of multipliers, and a second option of performing the cryptographic processing at a second data rate using a second number of the plurality of stages and a second number of the plurality of multipliers.

60 Citations

View as Search Results

20 Claims

1. A microchip security architecture comprising:
- a plurality of stages of cipher round logic, each stage configured to perform cryptographic processing of plaintext data in a counter mode and output ciphertext data;
  
  a plurality of multipliers, each multiplier configured to receive the ciphertext data output from at least one associated stage of the plurality of stages of cipher round logic and continue the cryptographic processing to output at least a portion of an integrity check value (ICV); and
  
  control logic configured to provide a selection between a first option of performing the cryptographic processing at a first data rate using a first number of the plurality of stages and a first number of the plurality of multipliers, and a second option of performing the cryptographic processing at a second data rate using a second number of the plurality of stages and a second number of the plurality of multipliers.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The microchip security architecture of claim 1 wherein the control logic is configured to provide the second option by providing a selectable data path in which the second number of the plurality of stages are pipelined together.
  - 3. The microchip security architecture of claim 1 wherein the control logic is configured to provide the second option by providing a selectable data path in which the second number of the plurality of multipliers are connected in parallel.
  - 4. The microchip security architecture of claim 1 wherein the plurality of stages are equivalent in number to a number of available ports of a network switching device, and wherein the first option provides the cryptographic processing at the first data rate where each of the available ports are configured to process data at the first data rate.
  - 5. The microchip security architecture of claim 1 wherein subsets of the plurality of stages and of the plurality of multipliers are used for performing cryptographic processing at the second data rate that is higher than the first data rate, in association with an additional port of the network switching device.
  - 6. The microchip security architecture of claim 1 wherein the second option provides the cryptographic processing at the second data rate in conjunction with a single port of a network switching device that is configured to process data at the second data rate.
  - 7. The microchip security architecture of claim 1 wherein the control logic is configured to provide the selection between the first option and the second option by configuring a multiplexer having a first input associated with the first option and a second input associated with the second option.
  - 8. The microchip security architecture of claim 1 wherein the control logic is configured to cause the plurality of multipliers each to output a portion of the ICV for aggregation into a complete ICV as part of the second option.
  - 9. The microchip security architecture of claim 1 wherein the plurality of stages of cipher round logic and plurality of multipliers are used to perform the cryptographic processing by implementing the advanced encryption standard (AES) in Galois counter mode (GCM).
  - 10. The microchip security architecture of claim 1 wherein the plurality of stages of cipher round logic and plurality of multipliers are used to implement a MAC security protocol (MACSec).

11. A method comprising:
- providing a plurality of stages of cipher round logic, each stage configured to perform counter mode cryptographic processing of plaintext data and output ciphertext data;
  
  providing a plurality of multipliers, each multiplier configured to receive ciphertext data output from an associated stage of the plurality of stages of cipher round logic and output at least a portion of an integrity check value (ICV);
  
  providing a first option of performing cryptographic processing of the plaintext data and the ciphertext data at a first data rate using a first number of the plurality of stages and a first number of the plurality of multipliers;
  
  providing a second option of performing the cryptographic processing of the plaintext data and the ciphertext data at a second data rate using a second number of the plurality of stages and a second number of the plurality of multipliers; and
  
  providing control logic for selection between the first option and the second option.
- View Dependent Claims (12, 13, 14, 15, 16)
- - 12. The method of claim 11 wherein providing the second option comprises:
    - pipelining the second number of the plurality of stages of cipher round logic.
  - 13. The method of claim 11 wherein providing the second option comprises:
    - connecting the second number of the plurality of multipliers in parallel.
  - 14. The method of claim 11 wherein providing the first option comprises:
    - providing the first option of performing the cryptographic processing in association with at least a first port of a network switching device operating at the first data rate.
  - 15. The method of claim 11 wherein providing the first option comprises:
    - providing the second option of performing the cryptographic processing in association with at least a second port of a network switching device operating at the second data rate that is higher than the first data rate.
  - 16. The method of claim 11 wherein providing the first option comprises:
    - providing register access control logic configured to provide a selection between the first option and the second option by configuring a multiplexer having a first input associated with the first option and a second input associated with the second option.

17. A network device comprising:
- a plurality of ports associated with a first data rate;
  
  an additional port associated with a second data rate that is higher than the first data rate;
  
  a microchip including a plurality of stages of cipher round logic, each stage configured to perform counter mode cryptographic processing of plaintext data and output ciphertext data, and a plurality of multipliers, each multiplier configured to receive ciphertext data output from an associated stage of the plurality of stages of cipher round logic and output at least a portion of an integrity check value (ICV); and
  
  an interface configured to provide for selection between a first option of performing cryptographic processing of the plaintext data and the ciphertext data at the first data rate for at least one of the plurality of ports using a first number of the plurality of stages and a first number of the plurality of multipliers, and a second option of performing the cryptographic processing of the plaintext data and the ciphertext data at a second data rate for the additional port using a second number of the plurality of stages and a second number of the plurality of multipliers.
- View Dependent Claims (18, 19, 20)
- - 18. The network device of claim 17 wherein the second option includes having the second number of the plurality of stages pipelined together and having the second number of multipliers connected in parallel.
  - 19. The network device of claim 17 wherein the interface is configured to access register access control logic to set one or more control registers for the selection between the first option and the second option.
  - 20. The network device of claim 17 wherein the plurality of stages of cipher round logic and plurality of multipliers are used to perform the cryptographic processing by implementing the advanced encryption standard (AES) in Galois counter mode (GCM).

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Avago Technologies General IP PTE Limited (Broadcom, Inc.)
Original Assignee
Broadcom Corporation (Broadcom, Inc.)
Inventors
Lin, Meg, Qi, Zheng

Granted Patent

US 7,886,143 B2
Time in Patent Office

Days
Field of Search
US Class Current

380/257
CPC Class Codes

G09C 1/00   Apparatus or methods whereb...

H04L 2209/125   Parallelization or pipelini...

H04L 63/0435   wherein the sending and rec...

H04L 63/0464   using hop-by-hop encryption...

H04L 63/08   for authentication of entit...

H04L 9/0631   Substitution permutation ne...

Multi-data rate cryptography architecture for network security

First Claim

4 Assignments

0 Petitions

Accused Products

Abstract

60 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Multi-data rate cryptography architecture for network security

First Claim

4 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

60 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links