Method and system for high throughput blockwise independent encryption/decryption
Abstract
An encryption technique is disclosed for encrypting a data segment comprising a plurality of data blocks, wherein the security and throughput of the encryption is enhanced by using blockwise independent bit vectors for reversible combination with the data blocks prior to key encryption. Preferably, the blockwise independent bit vectors are derived from a data tag associated with the data segment. Several embodiments are disclosed for generating these blockwise independent bit vectors. In a preferred embodiment, the data tag comprises a logical block address (LBA) for the data segment. Also disclosed herein is a corresponding decryption technique as well as a corresponding symmetrical encryption/decryption technique.
57 Claims
1. A method of encrypting a data segment, the data segment comprising a plurality of data blocks, each data block comprising a plurality of data bits, the method comprising:
encrypting a first plurality of data blocks of the data segment by (1) generating a first plurality of bit vectors, (2) reversibly combining each of the first plurality of data blocks with a corresponding one of the first plurality of bit vectors to thereby generate a first plurality of data block-bit vector combinations, and (3) performing an encryption operation on the first plurality of data block-bit vector combinations, wherein the first plurality of bit vectors have values that are independent of the encryption operations performed on the first plurality of data blocks; and
encrypting a second plurality of data blocks of the data segment by (1) generating a second plurality of bit vectors based at least in part upon a value of one of the first plurality of encrypted data block-bit vector combinations, (2) reversibly combining each of the second plurality of data blocks with a corresponding one of the second plurality of bit vectors to thereby generate a second plurality of data block-bit vector combinations, and (3) performing an encryption operation on the second plurality of data block-bit vector combinations; and
wherein the method steps are performed by a circuit, wherein the circuit comprises a block cipher circuit and a sequence generator circuit, the block cipher circuit comprising a plurality m of pipelined stages, the block cipher circuit pipelined stages simultaneously performing, in a pipelined fashion, a portion of the encrypting steps on a plurality m of different data block-bit vector combinations corresponding to m data blocks of the data segment, the sequence generator circuit performing the steps of generating the first and second plurality of bit vectors, the sequence generator circuit comprising counter control logic, the method further comprising the counter control logic (1) generating a count value indicative of how many data blocks of the same data segment have been processed by the block cipher circuit, (2) determining whether a condition corresponding to a feedback stride has been met such that the counter control logic determines that the feedback stride condition has been met in response to at least m data blocks of the same data segment having been processed by the block cipher circuit, (3) in response to a determination that the condition corresponding to the feedback stride has not been met, selectively controlling the generating step to generate the first plurality of bit vectors, and (4) in response to a determination that the condition corresponding to the feedback stride has been met, selectively controlling the generating step to generate the second plurality of bit vectors.
Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14
15. A method of encrypting a data segment, said data segment comprising a plurality of data block groups, each of said data block groups comprising a plurality of data blocks, the method comprising:
a sequence generator circuit creating a first plurality of bit vectors, wherein the bit vectors of the first plurality of bit vectors comprise blockwise independent bit vectors, the sequence generator circuit comprising counter control logic;
a block cipher circuit encrypting the data blocks of a first data block group based at least in part upon the first plurality of bit vectors that are combined with the data blocks of the first data block group, the block cipher circuit comprising a plurality m of pipelined stages, the block cipher circuit pipelined stages simultaneously performing, in a pipelined fashion, a portion of the first data block group encrypting step on a plurality m of different data blocks corresponding to the data blocks of the first data group;
the sequence generator circuit creating a second plurality of bit vectors based at least at part on one of the previously encrypted data blocks;
the block cipher circuit encrypting the data blocks of a data block group after the first data block group based at least in part upon the second plurality of bit vectors that are combined with the data blocks of the data block group after the first data block group, the data block groups belonging to the same data segment, and the block cipher circuit pipelined stages simultaneously performing, in a pipelined fashion, a portion of the second data block group encrypting step on a plurality m of different data blocks corresponding to m data blocks of the second data block group; and
the counter control logic (1) generating a count value indicative of how many data blocks of the same data block group have been processed by the block cipher circuit, (2) determining whether a condition corresponding to a feedback stride has been met such that the counter control logic determines that the feedback stride condition has been met in response to at least m data blocks of the first data block group having been processed by the block cipher circuit, (3) in response to a determination that the condition corresponding to the feedback stride has not been met, selectively controlling the sequence generator to create the first plurality of bit vectors, and (4) in response to a determination that the condition corresponding to the feedback stride has been met, selectively controlling the sequence generator to create the second plurality of bit vectors.
Dependent claims: 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26
27. A system for encrypting a plurality of data block groups, at least some of said data block groups comprising a plurality of data blocks, said system comprising:
an encryptor circuit; and
a sequence generator circuit configured to generate at least two types of bit vectors for use by the encryptor circuit, a first type of bit vector being blockwise independent and a second type of bit vector being dependent on at least one encrypted data block of a prior data block group;
wherein the encryptor circuit is configured to reversibly combine the data blocks of at least two of the data block groups with a plurality of bit vectors generated by the sequence generator to thereby generate a plurality of data block-bit vector combinations;
wherein the encryptor circuit comprises a block cipher circuit for encrypting the data block-bit vector combinations, the block cipher circuit comprising a plurality m of pipelined stages for simultaneously processing, in a pipelined fashion, a plurality m of different data block-bit vector combinations corresponding to m data blocks of the data block groups;
wherein the sequence generator circuit comprises counter control logic, the counter control logic configured to (1) generate a count value indicative of how many data block-bit vector combinations corresponding to data blocks belonging to the same data block group have been processed by the block cipher circuit, (2) determine whether a condition corresponding to a feedback stride has been met in response to the count value indicating that at least m data block-bit vector combinations corresponding to m data blocks belonging to the same data block group have been processed by the block cipher circuit, (3) in response to a determination that the feedback stride condition has not been met, selectively control the sequence generator circuit to output a bit vector of the first type, and (4) in response to a determination that the feedback stride condition has been met, selectively control the sequence generator circuit to output a bit vector of the second type.
Dependent claims: 28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38
39. An apparatus comprising:
an encryption circuit for encrypting a plurality of data blocks of a data segment, the encryption circuit comprising a combiner circuit, a block cipher circuit, and a sequence generator circuit;
wherein, for each of the data blocks of the data segment, the sequence generator circuit is configured to generate a bit vector for delivery to the combiner circuit;
the combiner circuit is configured to (1) receive the bit vector generated by the sequence generator circuit for delivery thereto, and (2) reversibly combine the received bit vector with a data block of the data segment to thereby generate a bit vector-data block combination;
the block cipher circuit comprising a plurality m of pipelined stages for simultaneously processing, in a pipelined fashion, a plurality m of different bit vector-data block combinations corresponding to m data blocks of the data segment that are generated by the combiner circuit to thereby generate a plurality of encrypted data blocks; and
the sequence generator circuit is further configured to (1) receive a feedback input of an encrypted data block from the block cipher circuit, (2) track a configurable feedback stride condition as the plurality of data blocks are processed by the encryption circuit by generating a count value such that the sequence generator circuit determines that the feedback stride condition has been met in response to at least m data blocks of the same data segment having been processed by the block cipher circuit, (3) selectively control the generation of the bit vector in response to the feedback stride condition being met such that the generated bit vector for delivery to the combiner circuit comprises a blockwise dependent bit vector based on the feedback input, and (4) selectively control the generation of the bit vector in response to the feedback stride condition not being met such that the generated bit vector for delivery to the combiner circuit comprises a blockwise independent bit vector, the sequence generator circuit thereby being configured to generate a plurality of the blockwise dependent bit vectors and a plurality of the blockwise independent bit vectors for combination with a plurality of the data blocks of the same data segment prior to encryption by the block cipher circuit.
Dependent claims: 40, 41, 42, 43, 44, 45, 46, 47, 48, 49, 50
51. An apparatus comprising:
an encryption circuit for encrypting a plurality of data blocks of a data segment, the encryption circuit comprising a combiner circuit, a block cipher circuit, and a sequence generator circuit;
the block cipher circuit comprising a plurality m of pipelined stages for simultaneously processing, in a pipelined fashion, a plurality m of different bit vector-data block combinations corresponding to m data blocks of the data segment that are generated by the combiner circuit to thereby generate a plurality of encrypted data blocks; and
the sequence generator configured to selectively switch between a blockwise independent randomized (BIR) mode and a cipher block chaining (CBC) mode based on a configurable feedback stride condition, the configurable feedback stride condition corresponding to the block cipher circuit completing encryption of at least the bit vector-data block combination corresponding to the first of the m data blocks, wherein the sequence generator circuit comprises counter control logic configured to track when the feedback stride condition is met, and wherein the sequence generator is further configured to (1) generate and output a plurality of randomized blockwise independent bit vectors while in the BIR mode, and (2) generate and output a plurality of blockwise dependent bit vectors while in the CBC mode, the blockwise dependent bit vectors being based on a previously encrypted bit vector-data block combination fed back from the block cipher circuit;
the combiner circuit being configured to (1) receive a streaming input of the data blocks, (2) receive an input of the bit vectors output by the sequence generator circuit, and (3) reversibly combine the received bit vectors with the received streaming data blocks to generate a plurality of bit vector-data block combinations for delivery to the block cipher circuit; and
wherein the sequence generator is further configured to (1) operate in the BIR mode while the block cipher circuit is processing the bit vector-data block combinations corresponding to the first m data blocks of the same data segment, and (2) switch to the CBC mode in response to the feedback stride condition being met, the block cipher circuit thereby being configured to generate the plurality of encrypted data blocks wherein at least the first m encrypted data blocks of the same data segment are encrypted in combination with blockwise independent bit vectors and wherein a plurality of the other encrypted data blocks of the same data segment are encrypted in combination with blockwise dependent bit vectors.
Dependent claims: 52, 53, 54, 55, 56, 57
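The hybrid mode recited in claims 1 and 51, modelled in Python as an added example (not code from the patent): the first m blocks are combined with blockwise independent vectors, later blocks with the ciphertext produced m blocks earlier, so an m-stage pipeline never waits on feedback. The 4-round Feistel `toy_encrypt`, the keyed-hash derivation in `bir_vector`, XOR as the reversible combination, reuse of one key for both, and ciphertext block i - m as the feedback source are assumptions for illustration; the toy cipher is not secure.

```python
import hashlib

BLOCK = 16  # bytes per data block

def xor(a: bytes, b: bytes) -> bytes:
    # Reversible combination of a data block with a bit vector (assumed: XOR).
    return bytes(x ^ y for x, y in zip(a, b))

def _round(key: bytes, rnd: int, half: bytes) -> bytes:
    # Feistel round function: keyed hash truncated to half a block.
    return hashlib.blake2b(bytes([rnd]) + half, key=key,
                           digest_size=BLOCK // 2).digest()

def toy_encrypt(key: bytes, block: bytes) -> bytes:
    # Stand-in for the pipelined block cipher circuit. NOT a secure cipher.
    l, r = block[:8], block[8:]
    for rnd in range(4):
        l, r = r, xor(l, _round(key, rnd, r))
    return l + r

def toy_decrypt(key: bytes, block: bytes) -> bytes:
    l, r = block[:8], block[8:]
    for rnd in reversed(range(4)):
        l, r = xor(r, _round(key, rnd, l)), l
    return l + r

def bir_vector(key: bytes, lba: int, i: int) -> bytes:
    # Blockwise independent vector from the data tag (LBA) and block index.
    # Assumed derivation, not one of the patent's embodiments.
    tag = lba.to_bytes(8, "big") + i.to_bytes(4, "big")
    return hashlib.blake2b(tag, key=key, digest_size=BLOCK).digest()

def bit_vector(key, lba, i, m, ct):
    # Counter control logic: BIR mode until m blocks have been processed,
    # then CBC-style feedback from the ciphertext produced m blocks earlier.
    return bir_vector(key, lba, i) if i < m else ct[i - m]

def encrypt_segment(key, lba, blocks, m):
    ct = []
    for i, p in enumerate(blocks):
        ct.append(toy_encrypt(key, xor(p, bit_vector(key, lba, i, m, ct))))
    return ct

def decrypt_segment(key, lba, ct, m):
    # Every vector is a function of the tag or of ciphertext already in hand.
    return [xor(toy_decrypt(key, c), bit_vector(key, lba, i, m, ct))
            for i, c in enumerate(ct)]

if __name__ == "__main__":
    key, m = b"constructed-demo-key", 4
    blocks = [b"A" * BLOCK] * 10  # constructed: ten identical plaintext blocks
    ct = encrypt_segment(key, 0x1000, blocks, m)
    print(len(set(ct)), "distinct ciphertext blocks out of", len(ct))
```

With m = 1 the model reduces to ordinary CBC after the first block; the output is deterministic for a given key, LBA and plaintext.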
Specification