Advanced Encryption Standard Cryptographic IP
The Advanced Encryption Standard (AES) is an encryption algorithm originally intended for securing sensitive but unclassified material by US Government agencies. Since its publication FIPS-197 (Federal Information Processing Standards Publication 197) it has been widely adopted by commercial and private organizations and included in many international standards, most notably 802.11 WLAN, IPsec and IEEE 1619 for hard disks.
The Rijndael algorithm was chosen above other candidates to form the final AES standard, which was ratified by NIST. The AES algorithm is capable of using cryptographic keys of 128, 192 and 256 bits to encrypt and decrypt data in blocks of 128 bits. In the terminology of encryption the input data is called Plaintext, the ciphered data is Ciphertext and the key is termed the Cipher Key.
The ciphering of Plaintext progresses as a series of Rounds and the Cipher Key generates a set of Round Keys in a process known as Key Expansion. Key Expansion can either generate Round Keys and store them for several encryption/decryption operations or generate them on-the-fly.
- AES GCM for MACsec IEEE Std.802.1 AE-2006
- AES GCM for IPsec ESP RFC 4106
- AES GMAC for IPsec RFC 4543
- AES XCBC for IPsec RFC 3566
- AES CCM for IPsec ESP RFC 4309 and RFC 3610
- AES CCM for WiMax and WLAN
NIST Special Publication 800-38A details different cryptographic modes ECB, CBC, CFB, OFB and CTR that make use of the AES algorithm. The standard mode of AES is called Electronic Code Book (ECB), and this is the simplest of all the modes, from which the other modes are derived. Although the AES-ECB provides confidentiality through a large codebook it needs additional components to provide security against attacks. For instance if the key is not changed then the same Plaintext will always be encrypted to the same Ciphertext. This can be exploited if the attacker has specific knowledge of the type of information being transmitted and any repetitions present. To overcome this AES-CBC (Cipher Block Chaining) adds an initialization vector IV and a feedback loop to AES-ECB, which ensures that the ciphered data is mixed back with the input data to form a stream with the absence of repetition.
AES-CBC can also provide authentication that the data has not been tampered with between encryption and reception. This is called AES-CBC MAC (Message Authentication Code) which is described in NIST Special Publication 800-38B. If the data has been tampered with the MAC calculated at the receiver will be incorrect.
Other popular modes include the Counter mode AES-CTR which is particularly suited to high data rates. The combination of AES-CTR with AES-CBC-MAC is called AES-CCM (Counter with cipher block Chaining Message authentication code) and is fully described in NIST Special Publication 800-38C. There are variations on the Counter including one where the count is generated from a Galois field and this is called AES-GCM. EnSilica supports ECB, CTR, CBC and GCM with message authentication (GMAC).
EnSilica provide a sophisticated range of AES related IP for use in ASIC or FPGA target technologies. As each configuration is specific to customer requirements we have prepared individual IP modules that enable a flexible trade-off of throughput with area to get the most optimized solution. The base suite consists of Encryption, Decryption, Key Expansion and Cryptographic Mode modules that together cover all the combinations required for encryption and authentication. All modules support the three key sizes, selectable dynamically per-packet. For the lowest gatecount the modules can be configured to support only one key size. In addition the AES modules are available as eSi-RISC peripherals.
The Encryption module has 128-bit input and output buses for both Plaintext and Ciphertext respectively. It makes single cycle accesses to a 128-bit Round Key memory during the encryption process. Encryption using a 128-bit key therefore takes just 11 clock cycles. EnSilica also have a pipelined high throughput variant that can start a new encryption every clock cycle. The Round Keys can either be generated on-the-fly or stored in a memory.
The Decryption module also has 128-bit input and output buses for both Ciphertext and Plaintext respectively. Decryption using a 128-bit key also takes just 11 clock cycles. The Round Keys must be pre-stored in a memory because they are read out in reverse order, and cannot be generated on-the-fly.
The Key Expansion module works in synchronization with the encryption module and produces a new Round Key every clock cycle. The Key Expansion module may not be needed in some applications if a processor is available to calculate the Round Keys offline.
For FPGA targets the IP makes full use of block memory for intermediate results storage and round keys. Where appropriate for simultaneous encryption and decryption it instances a dual-ported Round Key memory, which can be shared for efficiency.
EnSilica’s AES implementations are amongst the most efficient on the market and supplied with full documentation, testbenches and synthesis scripts.
- Mix and match Encryption, Decryption, Key Expansion and Modes
- Maximum flexibility: Run time support for all three key sizes
- Lowest gatecount: Configure only for the key size required by your application
- Standard Thoughput all-in-one Encryption, Decryption, Key Expansion and chaining modes ECB, CBC, CTR, GCM
- TSMC 65nm GP: 60k gates, 100 MHz, 1 Gbps
- High Throughput Encryption only
- Stratix III: 2776 ALUTs, 224 M9k, 250 MHz, 32 Gbps
- Virtex 6: 1787 Slices, 112 RAMB18, 250 MHz, 35 Gbps
- TSMC 65nm GP: 360k gates, 500 MHz, 64 Gbps