Data encryption and decryption system and method based on domestic cryptographic algorithm
By introducing hardware acceleration technologies for parallel and chained computing into the GmSSL cryptographic toolkit, the problem of slow encryption/decryption and digest calculation speeds was solved, enabling efficient parallel processing of the encryption/decryption system and improving system performance.
Patent Information
- Authority / Receiving Office
- CN · China
- Patent Type
- Patents(China)
- Current Assignee / Owner
- MONTAGE TECHNOLOGY CO LTD
- Filing Date
- 2022-01-07
- Publication Date
- 2026-07-14
AI Technical Summary
In existing encryption and decryption systems based on domestic cryptographic algorithms, cryptographic toolkits such as GmSSL have a significant speed disadvantage in encryption, decryption, and digest calculation processes, especially in secure and reliable network transmission scenarios, where traditional serial and independent calculation methods lead to low efficiency.
It employs parallel and chained computing methods, using a hardware processor to control multiple cryptographic engines to process encryption, decryption, and digest calculations in parallel. It utilizes a direct memory access module to achieve parallel data transmission and processing, supporting both parallel and chained encryption/decryption methods to generate ciphertext and plaintext digest values or plaintext and ciphertext digest values, respectively.
It significantly improves the performance of encryption and decryption systems, especially in the case of parallel computing, where the performance is improved by at least 100%, thus increasing the efficiency and speed of data processing.
Smart Images

Figure CN116415273B_ABST
Abstract
Description
Technical Field
[0001] This application relates to the field of information security technology, and more particularly to a data encryption and decryption system and method based on domestically developed cryptographic algorithms. Background Technology
[0002] OpenSSL is an open-source software library that includes SSL and TLS. It has become a de facto standard in the field of information security, with most servers and clients using the OpenSSL cryptographic toolkit. In practical applications, OpenSSL provides a dynamic engine framework to facilitate hardware acceleration using cryptographic devices. The corresponding open-source project in China is GmSSL. This project provides a dynamic engine framework and adds support for domestic cryptographic algorithms such as SM2, SM3, SM4, and SM9. Users only need to implement the corresponding engine interface and driver to use cryptographic devices to perform hardware acceleration of the GmSSL cryptographic toolkit.
[0003] In traditional hardware-accelerated solutions implemented in GmSSL or similar cryptographic toolkits, the computation of the symmetric encryption / decryption algorithm (SM4) and the digest / HMAC algorithm (SM3) is performed separately. For example, in scenarios requiring secure and reliable network transmission, the encryptor first calls SM3 to calculate the plaintext digest, then calls SM4 to calculate the ciphertext based on the plaintext and its digest, and finally transmits both the ciphertext and its digest to the decryptor. Similarly, during decryption, the decryptor first calls SM4 to decrypt the ciphertext to obtain the plaintext, then calls SM3 to calculate the plaintext digest to verify message integrity. This serial, independent computational approach suffers from a significant speed disadvantage. Summary of the Invention
[0004] The purpose of this application is to provide a data encryption and decryption system and method based on domestic cryptographic algorithms, thereby improving the encryption and decryption speed and system performance of cryptographic toolkits such as GmSSL.
[0005] This application discloses a data encryption and decryption system based on domestic cryptographic algorithms, including: a host system, a sequencer, a hardware processor, multiple direct memory access modules and multiple cryptographic engines, each cryptographic engine including an input buffer, an output buffer, a symmetric encryption and decryption algorithm module and a digest algorithm module;
[0006] The command generation module in the host system determines the encryption / decryption and / or digest calculation method and generates the corresponding encryption / decryption and / or digest calculation command.
[0007] The sequencer parses the encryption / decryption and / or digest calculation commands to generate control flow commands that control the plurality of cryptographic engines and the plurality of direct memory access modules. Furthermore, the sequencer controls one or more of the plurality of direct memory access modules to perform direct memory access to send encrypted / decrypted data to the input buffer of one or more of the plurality of cryptographic engines.
[0008] The hardware processor controls the symmetric encryption / decryption algorithm module to perform encryption / decryption calculations on the encrypted / decrypted data and / or controls the digest algorithm module to perform digest calculations on the encrypted / decrypted data according to the encryption / decryption and / or digest calculation commands. The calculation results are cached in the output buffer of the corresponding cryptographic engine and sent to the memory of the host system via the direct memory access module corresponding to the cryptographic engine.
[0009] In some embodiments, the hardware processor includes a scheduler and a command buffer. The command buffer receives the encryption / decryption and / or digest calculation commands, and the scheduler assigns encryption / decryption tasks or digest calculation tasks to one or more symmetric encryption / decryption algorithm modules or digest algorithm modules to execute the corresponding tasks according to the encryption / decryption and / or digest calculation commands.
[0010] In some embodiments, the scheduler controls the selection of the direct memory access module to transmit data, the selection of a cryptographic engine for encryption and decryption, and the encryption and decryption mode of the cryptographic engine.
[0011] In some embodiments, the encryption / decryption mode includes parallel encryption / decryption and chained encryption / decryption.
[0012] During the encryption process, when the cryptographic engine determines to use parallel encryption, the direct memory access module simultaneously sends the data packet to be encrypted from the encryption / decryption data to the symmetric encryption / decryption algorithm module and the digest algorithm module, so that the symmetric encryption / decryption algorithm module and the digest algorithm module can perform calculations simultaneously to generate the ciphertext and plaintext digest values of the data packet to be encrypted, respectively. When the cryptographic engine determines to use chain encryption, the direct memory access module first sends the data packet to be encrypted from the encryption / decryption data to the symmetric encryption / decryption algorithm module to generate the ciphertext of the data packet to be encrypted, and the symmetric encryption / decryption algorithm module automatically transmits the ciphertext to the digest algorithm module to generate the ciphertext digest value.
[0013] During the decryption process, when the cryptographic engine determines to use a parallel decryption method, the direct memory access module simultaneously sends the data packets to be decrypted from the encrypted / decrypted data to the symmetric encryption / decryption algorithm module and the digest algorithm module, so that the symmetric encryption / decryption algorithm module and the digest algorithm module can perform calculations simultaneously to generate plaintext and ciphertext digest values of the data to be decrypted, respectively. When the cryptographic engine determines to use a chained decryption method, the direct memory access module first sends the data packets to be decrypted from the encrypted / decrypted data to the symmetric encryption / decryption algorithm module to generate the plaintext of the data to be decrypted, and the symmetric encryption / decryption algorithm module automatically transmits the plaintext to the digest algorithm module to generate a plaintext digest value.
[0014] In some embodiments, the data packet to be encrypted includes multiple data packets. When the chain encryption method is used to encrypt the multiple data packets of the data packet to be encrypted in sequence, the digest algorithm module calculates the ciphertext digest of the previous data packet while the symmetric encryption / decryption algorithm module calculates the ciphertext of the next data packet.
[0015] In some embodiments, the data packet to be decrypted includes multiple data packets. When the chained decryption method is used to decrypt the multiple data packets of the data packet to be decrypted in sequence, the digest algorithm module calculates the plaintext digest value of the previous data packet while the symmetric encryption and decryption algorithm module calculates the plaintext of the next data packet.
[0016] In some embodiments, when a data packet is encrypted using the parallel encryption method, the encrypted data packet is decrypted using the chain decryption method; when a data packet is encrypted using the chain encryption method, the encrypted data packet is decrypted using the parallel decryption method.
[0017] In a preferred embodiment, the cryptographic engine further includes an asymmetric encryption / decryption algorithm module coupled to the input buffer and the output buffer.
[0018] This application also discloses a data encryption and decryption method based on domestically developed cryptographic algorithms. The method is applied to a data encryption and decryption system based on domestically developed cryptographic algorithms. The system includes a host system, a sequencer, a hardware processor, multiple direct memory access modules, and multiple cryptographic engines. Each cryptographic engine includes an input buffer, an output buffer, a symmetric encryption / decryption algorithm module, and a digest algorithm module. The method includes:
[0019] The command generation module in the host system is used to determine the encryption / decryption and / or digest calculation method and generate the corresponding encryption / decryption and / or digest calculation command;
[0020] The sequencer parses the encryption / decryption and / or digest calculation commands to generate control flow commands, and these control flow commands control one or more of a plurality of direct memory access modules to perform direct memory access to send encrypted / decrypted data to the input buffers of one or more of a plurality of cryptographic engines; and
[0021] The hardware processor controls the encryption and / or digest calculation of the encrypted data according to the encryption and / or digest calculation command. The calculation result is cached in the output buffer of the corresponding cryptographic engine and sent to the memory of the host system via the direct memory access module corresponding to the cryptographic engine.
[0022] In some embodiments, the method further includes:
[0023] The encryption and decryption modes of the cryptographic engine are determined using the hardware processor, including parallel encryption and decryption and chained encryption and decryption.
[0024] During the encryption process, when the cryptographic engine determines to use a parallel encryption method, the direct memory access module simultaneously performs symmetric encryption calculation and digest calculation on the data packet to be encrypted in the encryption / decryption data, generating ciphertext and plaintext digest values for the data packet to be encrypted, respectively; when the chained encryption method is determined to be used, the direct memory access module first performs symmetric encryption calculation on the data packet to be encrypted in the encryption / decryption data to generate ciphertext for the data packet to be encrypted, and then automatically performs digest calculation and generates ciphertext digest values;
[0025] During the decryption process, when the cryptographic engine determines to use a parallel decryption method, the direct memory access module simultaneously performs symmetric decryption calculation and digest calculation on the data packets to be decrypted in the encrypted / decrypted data, generating plaintext and ciphertext digest values for the data packets to be decrypted, respectively. When the cryptographic engine determines to use a chained decryption method, the direct memory access module first performs symmetric decryption calculation on the data packets to be decrypted in the encrypted / decrypted data to generate plaintext, and then automatically performs a digest algorithm to generate a plaintext digest value.
[0026] Compared to traditional technical solutions, this application's embodiments extend the hardware acceleration of cryptographic toolkits such as GmSSL with parallel and chained computation capabilities, enabling GmSSL-like cryptographic toolkits to perform parallel and chained encryption / decryption and digest computation. This invention offers a significant performance improvement over current hardware-accelerated systems like GmSSL that can only perform encryption / decryption and digest computation individually and sequentially, with the performance improvement being at least doubled after parallel computation of encryption / decryption and digest computation. Attached Figure Description
[0027] Figure 1 This is a block diagram of a data encryption / decryption system based on a domestically developed cryptographic algorithm in one embodiment of this application.
[0028] Figure 2 This is a flowchart of a data encryption / decryption method based on a domestic cryptographic algorithm in one embodiment of this application. Detailed Implementation
[0029] In the following description, many technical details are presented to help the reader better understand this application. However, those skilled in the art will understand that the technical solutions claimed in this application can be implemented even without these technical details and various variations and modifications based on the following embodiments.
[0030] Explanation of some concepts:
[0031] GmSSL is an open-source cryptographic toolkit that supports Chinese national cryptographic algorithms (SM2 / SM3 / SM4 / SM9 / ZUC), SM2 national cryptographic digital certificates, and SSL / TLS secure communication protocols based on SM2 certificates. It supports Chinese national cryptographic hardware devices and provides programming interfaces and command-line tools compliant with Chinese cryptographic standards. It can be used to build secure applications conforming to Chinese cryptographic standards, such as PKI / CA, secure communication, and data encryption. The GmSSL project is a fork of the OpenSSL project and maintains interface compatibility with OpenSSL. Therefore, GmSSL can replace OpenSSL components in applications and automatically endow applications with Chinese cryptographic security capabilities.
[0032] To make the objectives, technical solutions, and advantages of this application clearer, the embodiments of this application will be described in further detail below with reference to the accompanying drawings.
[0033] This application discloses a data encryption and decryption system based on domestically developed cryptographic algorithms. Figure 1 A block diagram of a data encryption / decryption system 100 is shown. The data encryption / decryption system 100 includes a host system 101 and a cryptographic accelerator 120. The cryptographic accelerator 120 includes a sequencer 109, a hardware processor 110, multiple direct memory access (DMA) modules (not shown), and multiple cryptographic engines 113. For simplicity, Figure 1Only one cryptographic engine is shown, but this application is not limited to this. Each cryptographic engine 113 includes an input buffer 117, an output buffer 118, a symmetric encryption / decryption algorithm (SM4) module 114, and a digest algorithm (SM3) module 115. Both the symmetric encryption / decryption algorithm (SM4) module 114 and the digest algorithm (SM3) module 115 are coupled to the input buffer 117 and the output buffer 118. In some embodiments, the cryptographic engine 113 further includes an asymmetric encryption / decryption algorithm (SM2) module 116, which is coupled to the input buffer 117 and the output buffer 118. The host system 101 includes a command generation module 102, a GmSSL layer 103, a Crypto Library 104, an operating system (OS) 105, a central processing unit (CPU) 107, and a memory (or RAM) 108. The command generation module 102 can be implemented by an application program, but this application is not limited to this; it can also be implemented by a combination of software and hardware or by hardware. The GmSSL layer 103 includes an extended API 1031, an engine interface 1032, and an engine unit 1033. The operating system (OS) 105 includes a cryptographic device driver module 106.
[0034] The aforementioned data encryption / decryption system based on domestically developed cryptographic algorithms, consisting of host system 101 and cryptographic accelerator 120, possesses the capabilities for parallel and / or chained computation of symmetric encryption / decryption (SM4) and digest (SM3). This means it can perform two cryptographic operations simultaneously, such as calling SM4 and SM3 to calculate ciphertext and digest at the same time, or performing one cryptographic computation first and then automatically performing the other. Furthermore, this cryptographic device can also independently perform symmetric encryption / decryption, asymmetric encryption / decryption, and digest calculations using tools such as the GMSSL cryptographic toolkit.
[0035] Since this application enhances hardware acceleration capabilities within cryptographic toolkits such as GmSSL, cryptographic applications use it similarly to other hardware-accelerated functions within cryptographic toolkits like GmSSL. For typical standalone cryptographic algorithms (such as SM2, SM3, and SM4), usage is the same as other systems, simply calling standard APIs such as those in the GmSSL cryptographic toolkit. To utilize the parallel and chained cryptographic computations of this application, extended APIs such as those in the GmSSL cryptographic toolkit are called.
[0036] For example, if a cryptographic application needs to compute ciphertext and digest in parallel, the command generation module (such as application 102) only needs to call the corresponding extended API, such as in the GmSSL cryptographic toolbox. After the extended API is called, the plaintext data calls the operating system driver (such as cryptographic device driver module 106) through the GmSSL cryptographic toolbox engine interface and controls the DMA path to simultaneously transfer the plaintext data to be encrypted to the encryption / decryption algorithm (SM3) module 114 and the digest algorithm (SM4) module 115 in the cryptographic engine 113. After SM3 and SM4 operations, the resulting digest and ciphertext data are transferred to the memory of the host system 101 through the DMA path and returned to application 102. The difference between chained and parallel cryptographic computation is that in chained cryptographic computation, the data undergoes a cryptographic computation within the cryptographic device first, and then the result is used as input for the next cryptographic computation. For example, SM4 first computes the ciphertext data, then the ciphertext is automatically input into SM3 to compute the digest, and then the ciphertext and ciphertext digest result are returned to application 102.
[0037] The following section provides a detailed description of the parallel and chained computation of the data encryption and decryption system based on domestic cryptographic algorithms.
[0038] The command generation module 102 in the host system 101 determines the encryption / decryption and / or digest calculation method and generates the corresponding encryption / decryption and / or digest calculation command.
[0039] The sequencer 109 parses the encryption / decryption and / or digest calculation commands to generate control flow commands that control the plurality of cryptographic engines 113 and the plurality of direct memory access modules. The sequencer 109 uses the control flow commands to control one or more of the plurality of direct memory access modules to perform direct memory access to send encrypted / decrypted data to the input buffer 117 of one or more of the plurality of cryptographic engines 113.
[0040] The hardware processor 110 controls the symmetric encryption / decryption algorithm module 114 to perform encryption / decryption calculations on the encrypted / decrypted data and / or controls the digest algorithm module 115 to perform digest calculations on the encrypted / decrypted data according to the encryption / decryption and / or digest calculation commands. The calculation results are cached in the output buffer 118 of the corresponding cryptographic engine (i.e., the cryptographic engine that received the encryption / decryption data) and sent to the memory 108 of the host system 101 via the direct memory access module corresponding to the cryptographic engine.
[0041] In some embodiments, the hardware processor 110 includes a scheduler 111 and a command buffer 112 (i.e., Figure 1The command buffer 112 receives the encryption / decryption and / or digest calculation commands, and the scheduler 111 assigns the encryption / decryption and / or digest calculation tasks to one or more symmetric encryption / decryption algorithm modules 114 and / or one or more digest algorithm modules 115 to execute the corresponding tasks according to the encryption / decryption and / or digest calculation commands.
[0042] In some embodiments, the scheduler 111 controls the selection of direct memory access for data transmission, the selection of a cryptographic engine for encryption and decryption, and the selection of the encryption and decryption mode of the cryptographic engine. The encryption and decryption modes include parallel encryption / decryption and chained encryption / decryption.
[0043] During the encryption process, when the cryptographic engine 113 determines to use parallel encryption, the direct memory access module simultaneously sends the data packet to be encrypted from the encryption / decryption data to the symmetric encryption / decryption algorithm module 114 and the digest algorithm module 115, so that the symmetric encryption / decryption algorithm module 114 and the digest algorithm module 115 can perform calculations simultaneously to generate the ciphertext and plaintext digest values of the data packet to be encrypted, respectively. When the cryptographic engine 113 determines to use chain encryption, the direct memory access module first sends the data packet to be encrypted from the encryption / decryption data to the symmetric encryption / decryption algorithm module 114 to generate the ciphertext of the data packet to be encrypted, and the symmetric encryption / decryption algorithm module 114 automatically transmits the ciphertext to the digest algorithm module 115 to generate the ciphertext digest value.
[0044] During the decryption process, when the cryptographic engine 113 determines to use parallel decryption, the direct memory access module simultaneously sends the data packet to be decrypted from the encrypted / decrypted data to the symmetric encryption / decryption algorithm module 114 and the digest algorithm module 115, so that the symmetric encryption / decryption algorithm module 114 and the digest algorithm module 115 can perform calculations simultaneously, generating plaintext and ciphertext digest values for the data to be decrypted, respectively. When the cryptographic engine 113 determines to use chained decryption, the direct memory access module first sends the data packet to be decrypted from the encrypted / decrypted data to the symmetric encryption / decryption algorithm module 114 to generate the plaintext of the data to be decrypted, and the symmetric encryption / decryption algorithm module 114 automatically transmits the plaintext to the digest algorithm module 115 to generate a plaintext digest value.
[0045] It should be understood that when data packets are encrypted using the parallel encryption method, the encrypted data packets are decrypted using the chain-based decryption method. When data packets are encrypted using the chain-based encryption method, the encrypted data packets are decrypted using the parallel decryption method.
[0046] In some embodiments, the data packet to be encrypted includes multiple data blocks. When the chained encryption method is used to encrypt the multiple data blocks of the data packet to be encrypted sequentially, the digest algorithm module 115 calculates the ciphertext digest of the previous data block while the symmetric encryption / decryption algorithm module 114 calculates the ciphertext of the next data block. Similarly, the data packet to be decrypted includes multiple data blocks. When the chained decryption method is used to decrypt the multiple data blocks of the data packet to be decrypted sequentially, the digest algorithm module 115 calculates the plaintext digest of the previous data block while the symmetric encryption / decryption algorithm module 114 calculates the plaintext of the next data block.
[0047] In this application, by implementing parallel and chained computation extensions to hardware acceleration systems such as the GmSSL cryptographic toolkit, the GmSSL cryptographic toolkit gains the ability to perform parallel and chained encryption / decryption and digest computation. This invention offers a significant performance improvement over current hardware acceleration systems such as the GmSSL cryptographic toolkit, which can only perform encryption / decryption and digest computation individually and sequentially. In particular, the performance improvement is at least double after performing parallel computation for encryption / decryption and digest computation.
[0048] This application discloses a data encryption and decryption method based on a domestically developed cryptographic algorithm. Figure 2 A flowchart of a data encryption / decryption method based on domestically developed cryptographic algorithms is shown. This method is applied to the data encryption / decryption system based on domestically developed cryptographic algorithms described above, and includes the following steps:
[0049] Step 201: Use the command generation module in the host system to determine the encryption / decryption and / or digest calculation method and generate the corresponding encryption / decryption and / or digest calculation command.
[0050] Step 202: The sequencer is used to parse the encryption / decryption and / or digest calculation commands to generate control flow commands. The control flow commands are used to control one or more direct memory access modules among the multiple direct memory access modules to perform direct memory access to send the encryption / decryption data to the input buffer of one or more cryptographic engines among the multiple cryptographic engines.
[0051] Step 203: The hardware processor controls the encryption and / or digest calculation of the encrypted data according to the encryption and / or digest calculation command, and caches the calculation result in the output buffer of the corresponding cryptographic engine and sends the calculation result to the memory of the host system via the direct memory access module corresponding to the cryptographic engine.
[0052] In some embodiments, the method further includes: using the hardware processor to determine the encryption / decryption mode of the cryptographic engine, the encryption / decryption mode including parallel encryption / decryption and chained encryption / decryption. Specifically, the hardware processor 110 may include a scheduler 111 and a command buffer 112, the command buffer 112 receiving the encryption / decryption and / or digest calculation commands, and the scheduler 111 allocating encryption / decryption tasks and / or digest calculation tasks to one or more symmetric encryption / decryption algorithm modules 114 and / or one or more digest algorithm modules 115 to execute the corresponding tasks according to the encryption / decryption and / or digest calculation commands. In some embodiments, the scheduler 111 controls the selection of direct memory access for data transmission, the selection of a cryptographic engine for encryption / decryption, and the selection of the encryption / decryption mode of the cryptographic engine.
[0053] During the encryption process, when the cryptographic engine determines to use parallel encryption, the direct memory access module simultaneously performs symmetric encryption and digest calculations on the data packets to be encrypted in the encryption / decryption data, generating ciphertext and plaintext digest values for the data packets to be encrypted, respectively. When chained encryption is determined to be used, the direct memory access module first performs symmetric encryption calculations on the data packets to be encrypted in the encryption / decryption data to generate ciphertext, and then automatically performs digest calculations to generate ciphertext digest values.
[0054] During the decryption process, when the cryptographic engine determines to use a parallel decryption method, the direct memory access module simultaneously performs symmetric decryption and digest calculations on the data packets to be decrypted in the encrypted / decrypted data, generating plaintext and ciphertext digest values for the data to be decrypted, respectively. When the cryptographic engine determines to use a chained decryption method, the direct memory access module first performs symmetric decryption calculations on the data packets to be decrypted in the encrypted / decrypted data to generate plaintext, and then automatically performs a digest algorithm to generate a plaintext digest value.
[0055] The above system embodiments correspond to the method embodiments described herein. The relevant technical nodes described in the system embodiments can be applied to the method embodiments, and the technical details in the method embodiments can also be applied to the system embodiments, which will not be repeated here.
[0056] It should be noted that in this patent application, relational terms such as "first" and "second" are used only to distinguish one entity or operation from another, and do not necessarily require or imply any such actual relationship or order between these entities or operations. Furthermore, the terms "comprising," "including," or any other variations thereof are intended to cover non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements includes not only those elements but also other elements not expressly listed, or elements inherent to such a process, method, article, or apparatus. Without further limitations, an element defined by the phrase "comprising one" does not exclude the presence of other identical elements in the process, method, article, or apparatus that includes said element. In this patent application, if it refers to performing an action according to an element, it means performing the action at least according to that element, including two cases: performing the action only according to that element, and performing the action according to that element and other elements. Expressions such as "multiple," "repeatedly," and "various" include two, two times, two kinds, and more than two, more than two times, and more than two kinds.
[0057] All references to this specification are considered to be incorporated integrally into the disclosure herein so that they can serve as a basis for modifications where necessary. Furthermore, it should be understood that the above descriptions are merely preferred embodiments of this specification and are not intended to limit the scope of protection of this specification. Any modifications, equivalent substitutions, improvements, etc., made within the spirit and principles of one or more embodiments of this specification should be included within the scope of protection of one or more embodiments of this specification.
[0058] In some cases, the actions or steps described in the claims can be performed in a different order than that shown in the embodiments and still achieve the desired result. Furthermore, the processes depicted in the drawings do not necessarily require a specific or sequential order to achieve the desired result. In some embodiments, multitasking and parallel processing are also possible or may be advantageous.
Claims
1. A data encryption and decryption system based on domestically developed cryptographic algorithms, characterized in that, include: The system includes a host system, a sequencer, a hardware processor, multiple direct memory access modules, and multiple cryptographic engines. The multiple direct memory access modules and multiple cryptographic engines correspond one-to-one. Each cryptographic engine includes an input buffer, an output buffer, a symmetric encryption / decryption algorithm module, and a digest algorithm module. The command generation module in the host system determines the encryption / decryption and digest calculation methods and generates corresponding encryption / decryption and digest calculation commands. The sequencer parses the encryption, decryption, and digest calculation commands to generate control flow commands that control the plurality of cryptographic engines and the plurality of direct memory access modules. Furthermore, the sequencer controls one or more of the plurality of direct memory access modules to perform direct memory access in order to send the encryption and decryption data to the input buffer of the corresponding cryptographic engine. The hardware processor determines the encryption / decryption mode according to the encryption / decryption and digest calculation commands, and controls the cryptographic engine to perform encryption / decryption and digest calculations according to the determined encryption / decryption mode. The calculation results are cached in the output buffer of the corresponding cryptographic engine and sent to the memory of the host system via the direct memory access module corresponding to the cryptographic engine. The encryption / decryption modes include parallel encryption / decryption and chained encryption / decryption. In parallel encryption, the symmetric encryption / decryption algorithm module and the digest algorithm module simultaneously perform encryption and digest calculations on the data packets to be encrypted in the encryption / decryption data. In chained encryption, the symmetric encryption / decryption algorithm module first performs encryption calculations on the data packets to be encrypted, and then automatically transmits the ciphertext obtained from the encryption calculation to the digest algorithm module for digest calculation. In parallel decryption, the symmetric encryption / decryption algorithm module and the digest algorithm module simultaneously perform decryption and digest calculations on the data packets to be decrypted in the encryption / decryption data. In chained decryption, the symmetric encryption / decryption algorithm module first performs decryption calculations on the data packets to be decrypted, and then automatically transmits the plaintext obtained from the decryption calculation to the digest algorithm module for digest calculation.
2. The data encryption and decryption system based on domestically developed cryptographic algorithms according to claim 1, characterized in that, The hardware processor includes a scheduler and a command buffer. The command buffer receives the encryption, decryption, and digest calculation commands. The scheduler allocates the encryption and decryption tasks and digest calculation tasks to one or more symmetric encryption and decryption algorithm modules and digest algorithm modules of the cryptographic engine to execute the corresponding tasks according to the encryption, decryption, and digest calculation commands.
3. The data encryption and decryption system based on domestic cryptographic algorithms according to claim 2, characterized in that, The scheduler transmits the encryption / decryption data to the corresponding cryptographic engine via the direct memory access module.
4. The data encryption and decryption system based on domestic cryptographic algorithms according to claim 3, characterized in that, in, During the encryption process, when parallel encryption is selected, the direct memory access module simultaneously sends the data packet to be encrypted from the encryption / decryption data to both the symmetric encryption / decryption algorithm module and the digest algorithm module, so that the symmetric encryption / decryption algorithm module and the digest algorithm module can perform calculations simultaneously to generate the ciphertext and plaintext digest values of the data packet to be encrypted, respectively. When chain encryption is selected, the direct memory access module first sends the data packet to be encrypted from the encryption / decryption data to the symmetric encryption / decryption algorithm module to generate the ciphertext of the data packet to be encrypted, and the symmetric encryption / decryption algorithm module automatically transmits the ciphertext to the digest algorithm module to generate the ciphertext digest value. During the decryption process, when a parallel decryption method is determined, the direct memory access module simultaneously sends the data packets to be decrypted from the encrypted / decrypted data to both the symmetric encryption / decryption algorithm module and the digest algorithm module, so that the symmetric encryption / decryption algorithm module and the digest algorithm module can perform calculations simultaneously to generate plaintext and ciphertext digest values for the data to be decrypted, respectively. When a chained decryption method is determined, the direct memory access module first sends the data packets to be decrypted from the encrypted / decrypted data to the symmetric encryption / decryption algorithm module to generate the plaintext of the data to be decrypted, and the symmetric encryption / decryption algorithm module automatically transmits the plaintext to the digest algorithm module to generate a plaintext digest value.
5. The data encryption and decryption system based on domestically developed cryptographic algorithms according to claim 4, characterized in that, The data packet to be encrypted includes multiple data packets. When the chain encryption method is used to encrypt the multiple data packets of the data packet to be encrypted in sequence, the digest algorithm module calculates the ciphertext digest of the previous data packet while the symmetric encryption / decryption algorithm module calculates the ciphertext of the next data packet.
6. The data encryption and decryption system based on domestic cryptographic algorithms according to claim 4, characterized in that, The data packet to be decrypted includes multiple data packets. When the chained decryption method is used to decrypt the multiple data packets of the data packet to be decrypted in sequence, the digest algorithm module calculates the plaintext digest value of the previous data packet while the symmetric encryption and decryption algorithm module calculates the plaintext of the next data packet.
7. The data encryption and decryption system based on domestically developed cryptographic algorithms according to claim 4, characterized in that, When a data packet is encrypted using the parallel encryption method, the encrypted data packet is decrypted using the chain decryption method; when a data packet is encrypted using the chain encryption method, the encrypted data packet is decrypted using the parallel decryption method.
8. The data encryption and decryption system based on domestically developed cryptographic algorithms according to claim 1, characterized in that, The cryptographic engine also includes an asymmetric encryption / decryption algorithm module, which is coupled to the input buffer and the output buffer.
9. A data encryption and decryption method based on domestically developed cryptographic algorithms, characterized in that, The method is applied to a data encryption / decryption system based on domestically developed cryptographic algorithms. The system includes a host system, a sequencer, a hardware processor, multiple direct memory access modules (DMIs), and multiple cryptographic engines. Each DMI corresponds one-to-one with a cryptographic engine, and each cryptographic engine includes an input buffer, an output buffer, a symmetric encryption / decryption algorithm module, and a digest algorithm module. The method includes: The command generation module in the host system is used to determine the encryption / decryption and digest calculation methods and generate the corresponding encryption / decryption and digest calculation commands; The sequencer parses the encryption / decryption and digest calculation commands to generate control flow commands. These control flow commands then control one or more of the multiple direct memory access modules to perform direct memory access, sending the encrypted / decrypted data to the input buffer of the corresponding cryptographic engine. The hardware processor determines the encryption / decryption mode according to the encryption / decryption and digest calculation commands, so as to control the cryptographic engine to perform encryption / decryption calculation and digest calculation according to the determined encryption / decryption mode. The calculation result is cached in the output buffer of the corresponding cryptographic engine and directly accessed through the direct memory access module corresponding to the cryptographic engine to send the calculation result to the memory of the host system. The encryption / decryption modes include parallel encryption / decryption and chained encryption / decryption. In parallel encryption, the symmetric encryption / decryption algorithm module and the digest algorithm module simultaneously perform encryption and digest calculations on the data packets to be encrypted in the encryption / decryption data. In chained encryption, the symmetric encryption / decryption algorithm module first performs encryption calculations on the data packets to be encrypted, and then automatically transmits the ciphertext obtained from the encryption calculation to the digest algorithm module for digest calculation. In parallel decryption, the symmetric encryption / decryption algorithm module and the digest algorithm module simultaneously perform decryption and digest calculations on the data packets to be decrypted in the encryption / decryption data. In chained decryption, the symmetric encryption / decryption algorithm module first performs decryption calculations on the data packets to be decrypted, and then automatically transmits the plaintext obtained from the decryption calculation to the digest algorithm module for digest calculation.
10. The data encryption and decryption method based on domestic cryptographic algorithms according to claim 9, characterized in that, The method also include: In the encryption process, when parallel encryption is selected, the direct memory access module simultaneously sends the data packet to be encrypted from the encryption / decryption data to both the symmetric encryption / decryption algorithm module and the digest algorithm module, so that the symmetric encryption / decryption algorithm module and the digest algorithm module can perform calculations simultaneously to generate the ciphertext and plaintext digest values of the data packet to be encrypted, respectively. When chain encryption is selected, the direct memory access module first sends the data packet to be encrypted from the encryption / decryption data to the symmetric encryption / decryption algorithm module to generate the ciphertext of the data packet to be encrypted, and the symmetric encryption / decryption algorithm module automatically transmits the ciphertext to the digest algorithm module to generate the ciphertext digest value. During the decryption process, when a parallel decryption method is determined, the direct memory access module simultaneously sends the data packets to be decrypted from the encrypted / decrypted data to both the symmetric encryption / decryption algorithm module and the digest algorithm module, so that the symmetric encryption / decryption algorithm module and the digest algorithm module can perform calculations simultaneously to generate plaintext and ciphertext digest values for the data to be decrypted, respectively. When a chained decryption method is determined, the direct memory access module first sends the data packets to be decrypted from the encrypted / decrypted data to the symmetric encryption / decryption algorithm module to generate the plaintext of the data to be decrypted, and the symmetric encryption / decryption algorithm module automatically transmits the plaintext to the digest algorithm module to generate a plaintext digest value.