ACTEL CoreAES128-UR

CoreAES128
Product Summary

Intended Use
• Whenever Data is Transmitted Across an Accessible Medium (Wires, Wireless, etc.)
• E-commerce Transactions Where Dedicated Encryption/Decryption Hardware Can Ease the Load on Servers
• Personal Security Devices
• Bank Transactions where State-of-the-Art Financial Security Is Mandatory

Key Features
• Compliant with FIPS PUB 197
• ECB (Electronic Codebook) Implementation per NIST SP 800-38A
• Example Source Code Provided for CBC, CFB, OFB, and CTR Modes
• 128-bit Cipher Key
• Encryption and Decryption Possible with the Same Core
• 44-Clock Cycle Operation to Encrypt or Decrypt 128 Bits of Data
• Pause/Resume Functionality to Continue Encryption or Decryption at Will
• Provides Redundant Security

Supported Families
• Fusion
• ProASIC3/E
• ProASICPLUS®
• Axcelerator®

Core Deliverables
• Evaluation Version
  – Compiled RTL Simulation Model Fully Supported in Actel Libero® Integrated Design Environment (IDE)
• Netlist Version
  – Structural Verilog and VHDL Netlists (with and without I/O Pads) Compatible with the Actel Designer Software Place-and-Route Tool
  – Compiled RTL Simulation Model Fully Supported in Actel Libero IDE
• RTL Version
  – Verilog and VHDL Core Source Code
  – Core Synthesis Scripts
  – Actel-Developed Testbench (Verilog and VHDL)

Synthesis and Simulation Support
• Synthesis: Synplicity®, Synopsys® (Design Compiler® / FPGA Compiler™ / FPGA Express™), Exemplar™
• Simulation: OVI-Compliant Verilog Simulators and Vital-Compliant VHDL Simulators

Core Verification
• Actel-Developed Simulation Testbench Verifies CoreAES128 against Tests Available on the National Institute of Standards and Technology (NIST) Website: http://csrc.nist.gov/encryption/aes/rijndael/
• User Can Easily Modify Testbench Using Existing Format to Add Custom Tests

Contents
General Description ............................ 2
CoreAES128 Device Requirements ................. 4
CoreAES128 Verification ........................ 4
I/O Signal Descriptions ........................ 4
CoreAES128 Initialization ...................... 4
CoreAES128 Operation ........................... 4
Cipher Key Expansion ........................... 6
Encryption ..................................... 7
Decryption ..................................... 8
Pause/Resume ................................... 9
Clear/Abort ................................... 10
Modes of Operation ............................ 10
Ordering Information .......................... 11
Export Restrictions ........................... 11
List of Changes ............................... 12
Datasheet Categories .......................... 12

December 2005
© 2005 Actel Corporation
v4.0
General Description

The CoreAES128 macro implements the Advanced Encryption Standard (AES), which provides a means of securing data. AES utilizes the Rijndael algorithm, which is described in detail in the Federal Information Processing Standards (FIPS) Publication (PUB) 197 and is shown in Figure 1 on page 2.

The AES (Rijndael) algorithm takes as input 128 bits of plaintext data and 128 bits of a cipher key. After several rounds of computation, it produces a 128-bit ciphered version of the original plaintext data as output.1 During the rounds of the algorithm, the data bits are subjected to byte substitution, data shift operations, data mixing operations, and addition (XOR) operations, with an expanded version of the original 128-bit cipher key.

Figure 1 • AES Algorithm (128-bit Cipher Key) [flow diagram: the cipher key is expanded into schedules for each round of computation; the data input passes through "add round key", then "byte substitution", "row shift", "column mix" and "add round key" repeated 9 times, then a final "byte substitution", "row shift" and "add round key" to give the data output]

CoreAES128 consists of four main blocks (Figure 2 on page 3).
1. Data schedule logic – computes the intermediate data values at each round of the AES algorithm.
2. State correlator logic – maintains coherency between data and key schedule logic.
3. Key schedule logic – controls the intermediate key schedules at each round of the AES algorithm.
4. Key expansion logic – expands the original 128-bit key for use in encryption or decryption operations.

1. FIPS PUB 197 allows for key sizes of 128, 192, and 256 bits; however, this implementation supports a cipher key size of 128 bits only.
Figure 2 • CoreAES128 Block Diagram [blocks: Key Expansion Logic, Data Schedule Logic, Key Schedule Logic, State Correlator; inputs: Data In, Cipher Key; outputs: Data Out, Data Valid, Key Expanded]

Design Security

Figure 3 shows a typical system diagram. Note that the cipher key, which is the "secret" key, can be made up of FPGA logic cells, preventing the possibility of design and data theft. Actel Flash-based (ProASICPLUS) devices employ FlashLock™ technology, and Actel antifuse-based (Axcelerator) devices use FuseLock™ technology, each of which secures the cipher key and the rest of the logic. The output of the CoreAES128 macro should be connected to registers or FIFOs, since it is only valid for one clock cycle, as shown by example in the "Encryption" section on page 7 and the "Decryption" section on page 8.

Figure 3 • Typical CoreAES128 System [inside the Actel FPGA: a local Plaintext (Unencrypted) Data Source, Other Logic, CoreAES128 with its Cipher Key, Registers or FIFO, and Other Logic; the Encrypted Data Output goes to other logic or global distribution, e.g., Internet, etc.]
CoreAES128 Device Requirements
The CoreAES128 macro has been implemented into the Actel ProASIC3/E, ProASICPLUS and Axcelerator device families.
A summary of the implementation data is listed in Table 1.
Table 1 • CoreAES128 Device Utilization and Performance

              Cells or Tiles                                       Utilization
Family        Sequential  Combinatorial  Total  RAM blocks  Device      Total   Performance  Throughput
Fusion        529         4664           5193   20          AFS600-2    38%     75 MHz       224 Mbps
ProASIC3/E    529         4664           5193   20          A3PE600-2   38%     75 MHz       224 Mbps
ProASICPLUS   316         5239           5555   24          APA450-STD  46%     35 MHz       102 Mbps
Axcelerator   425         2687           3112   10          AX500-3     39%     100 MHz      291 Mbps

Note: Data in this table achieved using typical synthesis and layout settings.
Data throughput is computed by taking the bit width of
the data (128 bits), dividing by the number of cycles (44),
and multiplying by the clock rate (performance); the
result is listed in Mbps (millions of bits per second).
CoreAES128 Verification
The comprehensive verification simulation testbench
(included with the Netlist and RTL versions of the core)
verifies the CoreAES128 macro against test cases listed
on the NIST website for AES:
http://csrc.nist.gov/encryption/aes/rijndael/.
The verification testbench applies several tests to the
CoreAES128 macro, including variable text tests, variable
key tests, table tests, and Monte Carlo tests. Using the
supplied user testbench as a guide, the user can easily
customize the verification of the core by adding or
removing tests.
I/O Signal Descriptions
The port signals for the CoreAES128 macro are defined in
Table 2 and illustrated in Figure 4 on page 5. All signals
are either "Input" (input only) or "Output" (output
only).
CoreAES128 Initialization
After a reset condition, as illustrated in Figure 5 on page
5, the CoreAES128 macro performs a self-initialization
process. This initialization process takes 1,024 clock cycles
to perform, after which the READY signal becomes active
at logic '1'. Once READY is active, the CoreAES128 macro
is ready for cipher key expansion, followed by encrypt or
decrypt operations.
CoreAES128 Operation
As shown on the left side of Figure 1 on page 2, the AES
algorithm requires an expanded version of the original
cipher key for use in encrypting or decrypting data. Upon
a power-up condition, the cipher key and the expanded
version of the cipher key are undefined. Therefore, they
must be set up after the initialization process, described
in the "CoreAES128 Initialization" section on page 4, and
before encryption or decryption operations can take
place. The following procedures (located in the "Cipher
Key Expansion" section on page 6) for writing and
expanding the cipher key must be repeated any time a
new 128-bit cipher key is required, such as after a reset
or power-up condition. Note: if the same cipher key is to
be used for all encryption and decryption operations, the
following procedures for writing and expanding the
cipher key only need to be performed once.
Table 2 • CoreAES128 I/O Signal Descriptions

Name       Type    Description
NRESET     Input   Active-low asynchronous reset
CLK        Input   System clock: reference clock for all internal logic
EN         Input   Enable signal: set to '1' for normal continuous encrypt/decrypt operation, set to '0' to pause
CLR        Input   Synchronous clear signal: set to '1' to clear logic at any time
ED         Input   Encrypt/decrypt: '1' to encrypt, '0' to decrypt
D[127:0]   Input   Data in: 128-bit data input bus
K[31:0]    Input   Key: 32-bit cipher key input bus
KSEL[1:0]  Input   Key select: selection bits to direct K[31:0] to one of four 32-bit words comprising internal 128-bit cipher key
KWR        Input   Key write: set to '1' to write K[31:0] to one of four 32-bit words comprising internal 128-bit cipher key
KEXP       Input   Key expand: set to '1' to expand the 128-bit internal key
Q[127:0]   Output  Data out: 128-bit ciphertext (encrypt operation)/plaintext (decrypt operation) output bus
QVAL       Output  Q Valid: '1' indicates that valid encrypt/decrypt data is available on Q[127:0]
READY      Output  Ready: '1' indicates that CoreAES128 has finished its initialization sequence 1,024 clock cycles after the rising edge of NRESET
KRDY       Output  Key ready: '1' indicates that the internal 128-bit cipher key was expanded and the macro is ready for encryption/decryption

Figure 4 • CoreAES128 I/O Signal Diagram [inputs: NRESET, CLK, EN, CLR, ED, D[127:0], K[31:0], KSEL[1:0], KWR, KEXP; outputs: Q[127:0], QVAL, READY, KRDY]

Figure 5 • CoreAES128 Initialization [waveform of CLK, NRESET and READY over cycles 1, 2, 3, ..., 1022, 1023, 1024, with "Don't care" and "Undefined" regions marked; READY becomes '1' at cycle 1024]
Cipher Key Expansion

Prior to any encryption or decryption operation, the 128-bit cipher key needs to be written to CoreAES128 and expanded, as illustrated in Figure 6. Refer to FIPS PUB 197 for the algorithmic details of the key expansion process.

To write the four 32-bit words that make up the 128-bit cipher key, and to expand the 128-bit cipher key, the following procedures need to be performed:
1. Set EN to logic '0'.
2. Set KSEL[1:0] to '00' to select the lowest 32 bits (LSB word) of the internal 128-bit cipher key.
3. Set K[31:0] to the value of the lowest 32-bit word of the desired 128-bit cipher key.
4. Set KWR to logic '1' for one clock cycle.
5. Set KSEL[1:0] to '01' to select the second lowest 32 bits of the internal 128-bit cipher key.
6. Set K[31:0] to the value of the second lowest 32-bit word of the desired 128-bit cipher key.
7. Set KWR to logic '1' for one clock cycle.
8. Set KSEL[1:0] to '10' to select the second highest 32 bits of the internal 128-bit cipher key.
9. Set K[31:0] to the value of the second highest 32-bit word of the desired 128-bit cipher key.
10. Set KWR to logic '1' for one clock cycle.
11. Set KSEL[1:0] to '11' to select the highest 32 bits (MSB word) of the internal 128-bit cipher key.
12. Set K[31:0] to the value of the highest 32-bit word of the desired 128-bit cipher key.
13. Set KWR to logic '1' for one clock cycle.
14. Set KWR back to logic '0'.
15. Set KEXP to logic '1' for one clock cycle.
16. Set KEXP back to logic '0'.
17. Wait for 52 clock cycles.

Note that the four 32-bit words which comprise the 128-bit cipher key can be written in any order. It is not necessary to write them in sequential order; i.e., lowest 32-bit word to highest 32-bit word.

If the KRDY signal was active at a logic '1' value prior to setting the KWR signal to logic '1' (from a previously expanded cipher key), it becomes inactive on the next rising clock edge after performing step 4 in the list above. After 52 clock cycles, the KRDY signal becomes active; i.e., logic '1', to indicate that the 128-bit cipher key was expanded internally; and the CoreAES128 macro is now ready for encryption or decryption operations. The KRDY signal initializes to the inactive state of logic '0' after a reset condition, as illustrated in Figure 6, prior to the key expansion process.
Figure 6 • Cipher Key Write and Expand [waveform over cycles 1, 2, 3, ..., 49, 50, 51, 52: K[31:0] carries k1a, k1b, k1c, k1d while KSEL[1:0] steps through 00, 01, 10, 11 with KWR pulsed for each word; KEXP then pulses; EN is held low; KRDY is undefined before reset and rises at cycle 52; "Don't care" regions marked]
Encryption

To begin the process of encrypting data as shown in Figure 7, perform the following procedures:
1. Write and expand the 128-bit cipher key, if not already done (refer to the "Cipher Key Expansion" section on page 6).
2. Set D[127:0] to the plaintext data (d1 in Figure 7) to be encrypted.
3. Set ED to logic '1'.
4. Set EN to logic '1'.
5. Wait for 44 clock cycles.

After 44 clock cycles of the EN input being held continuously at a logic '1' value, the QVAL signal will transition from logic '0' to logic '1' and remain valid for one clock cycle. This indicates that valid ciphered (encrypted) data (q1 in Figure 7) is available on the Q[127:0] outputs. Note that the encrypted data is only available during clock cycle 44, thus the user must register or latch the data on Q[127:0] using the QVAL signal as a qualifying register enable or latch enable.

As shown in Figure 7, continuous encryption is possible. For example, the second 128-bit plaintext data word (d2 in Figure 7) can be immediately encrypted by setting the D[127:0] input to d2 on the rising clock edge of clock cycle 45.
Figure 7 • Example Encryption Sequence [waveform over cycles 1, 2, 3, ..., 42, 43, 44, 45, 46: D[127:0] = d1 with ED = '1' and EN = '1'; QVAL pulses and Q[127:0] = q1 at cycle 44; D[127:0] = d2 from cycle 45; KRDY held high; "Don't care" and "Undefined" regions marked]
Decryption

To begin the process of decrypting data as shown in Figure 8, perform the following procedures:
1. Write and expand the 128-bit cipher key if not already done (refer to the "Cipher Key Expansion" section on page 6).
2. Set D[127:0] to the ciphertext data (d1 in Figure 8) to be decrypted.
3. Set ED to logic '0'.
4. Set EN to logic '1'.
5. Wait for 44 clock cycles.

After 44 clock cycles of the EN input being held continuously at a logic '1' value, the QVAL signal will transition from logic '0' to logic '1' and remain valid for one clock cycle, indicating that valid plaintext (unencrypted data, shown as q1 in Figure 8) is available on the Q[127:0] outputs. Note that the decrypted plaintext data is only available during clock cycle 44, thus the user must register or latch the data on Q[127:0] using the QVAL signal as a qualifying register enable or latch enable.

As shown in Figure 8, continuous decryption is possible. For example, the second 128-bit ciphertext data word (d2 in Figure 8) can be immediately decrypted by setting the D[127:0] inputs to d2 on the rising clock edge of clock cycle 45.
Figure 8 • Example Decryption Sequence [waveform over cycles 1, 2, 3, ..., 42, 43, 44, 45, 46: D[127:0] = d1 with ED = '0' and EN = '1'; QVAL pulses and Q[127:0] = q1 at cycle 44; D[127:0] = d2 from cycle 45; KRDY held high; "Don't care" and "Undefined" regions marked]
Pause/Resume

For normal operation, the EN input is held at a logic '1' value. The core can be paused by holding the EN input at a logic '0' value indefinitely, as shown by the example in Figure 9 where cycle 3 of an encryption operation is paused. To resume operation, bring the EN input back to a logic '1' value. This functionality applies to either encryption or decryption. Note that the ED input must remain at logic '1' throughout an entire encryption cycle or at logic '0' throughout an entire decryption cycle; otherwise, unpredictable results on the Q[127:0] outputs will occur.

The pause/resume functionality is provided as an aid to the user. One possible use for the pause functionality is a case where many blocks of data are encrypted one after another. For example, if the EN input is held statically at a logic '1' value, the data inputs need to change every 44 clock cycles to encrypt the next block. After all blocks of data are encrypted, the user would then need to hold the EN input at a logic '0' value. If it is left at a logic '1', data will continue to be encrypted ad infinitum. When ready for the next blocks of data, the user can then resume the encryption process by holding the EN input at a logic '1' value. Another possibility occurs if the user has an elastic buffer (FIFO) connected to the Q[127:0] output. If the FIFO is filling up with encrypted data faster than the encrypted data is being read out of the FIFO, the user may want to pause the CoreAES128 macro by setting the EN input to a logic '0' when the full or almost-full flag logic from the FIFO is active. When the FIFO full or almost-full flag logic clears, the CoreAES128 macro can then resume operation by again setting the EN input to a logic '1' value.
Figure 9 • Example Encryption Pause/Resume Sequence [waveform over cycles 1, 2, 3a, 3b, 3c, 4, 5, ..., 43, 44, 45, 46: EN is held low during 3a to 3c so that cycle 3 is "paused"; D[127:0] = d1 then d2; ED = '1'; Q[127:0] = q1 with QVAL once the block completes; KRDY held high; "Don't care" and "Undefined" regions marked]
Clear/Abort
At any point in the process of encrypting or decrypting
data, the user can abort the current operation by setting
the CLR input to logic '1'. This will clear all current
calculations within the key schedule and data schedule
logic. Then the user can immediately begin to write and
expand a different cipher key, as described in "Cipher
Key Expansion" on page 6, or use a different data input
on the very next cycle, as shown in Figure 10, with d2 as
the next 128-bit data block to be encrypted.
The clear/abort functionality is provided as another aid
to the user. An example of its use occurs when the user
wants to change the cipher key, possibly in the middle of
an encryption or decryption sequence. The user can stop
the current operation immediately by holding the CLR
input at a logic '1' value for at least one clock cycle and
immediately commencing on the following clock cycle
with writing and expanding a new cipher key. After the
new cipher key is expanded, new data can be encrypted.
If the CoreAES128 macro is integrated into a system
containing a processor, the processor may wish to abort
the encryption or decryption operation for some specific
event (e.g., low or failing power condition).
Note that the CLR signal does not clear the 128-bit cipher
key, the expanded version of the cipher key, or the KRDY
signal. Only the signals NRESET, K[31:0], KWR, and KEXP
affect the value of the 128-bit cipher key, the expanded
version of the cipher key, and the KRDY output signal.
Figure 10 • Example Encryption Abort Sequence [waveform: D[127:0] = d1 is aborted by CLR at cycle 3 (internal logic cleared/flushed; data (d1) calculations aborted); the cycle count restarts at 1 with D[127:0] = d2 and EN = '1', ED = '1'; encrypted data q2 using data (d2) appears on Q[127:0] with QVAL at cycle 44; d3 follows at cycle 45; KRDY held high; "Don't care" and "Undefined" regions marked]
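The key write/expand, encryption, decryption, pause/resume and clear/abort procedures above, collected into a cycle-level reference model that a testbench can check the RTL's handshake timing against. This is an added example, not Actel's core or testbench: it assumes one step() call per rising CLK edge with inputs stable, uses the 1,024-, 52- and 44-cycle latencies stated in the text, and adds two checks of its own (ED changing mid-block, and EN asserted before KRDY) that raise an error instead of producing unpredictable data.

```python
"""Cycle-level reference model of the CoreAES128 control interface (READY,
KRDY, QVAL, EN pause/resume, CLR abort) as the datasheet describes it.
Added example, not Actel code: it models handshake timing only and does
not reproduce the AES arithmetic, so Q returns the block that was loaded."""

class CoreAES128Model:
    def __init__(self):
        self.init_left = 1024            # READY rises 1,024 cycles after reset
        self.key_words = [None] * 4      # K words are undefined after power-up
        self.key_left = 0                # cycles until KRDY (0 = not expanding)
        self.ready = self.krdy = self.qval = False
        self.q = self.block = self.ed = None
        self.block_cycles = 0            # EN-high cycles spent on current block

    def step(self, *, nreset=1, en=0, clr=0, ed=1, d=None, k=0, ksel=0, kwr=0, kexp=0):
        """Apply the inputs for one rising CLK edge (assumption: inputs stable)."""
        if not nreset:                   # asynchronous reset: all state undefined
            self.__init__()
            return
        self.qval = False                # QVAL is a one-cycle pulse
        if self.init_left:               # self-initialisation after reset
            self.init_left -= 1
            self.ready = self.init_left == 0
            return
        if kwr:                          # KWR loads one 32-bit word, KRDY drops
            self.key_words[ksel] = k & 0xFFFFFFFF
            self.krdy = False
        if kexp:                         # KEXP starts the 52-cycle expansion
            self.key_left = 52
        if self.key_left:
            self.key_left -= 1
            self.krdy = self.key_left == 0
        if clr:                          # abort the data path; key and KRDY survive
            self.block_cycles = 0
        elif en:
            if not self.krdy:            # model's own check: key must be ready first
                raise RuntimeError("EN asserted before KRDY")
            if self.block_cycles == 0:   # first EN cycle captures D and ED
                self.block, self.ed = d, ed
            elif ed != self.ed:          # ED must hold for the whole block
                raise RuntimeError("ED changed mid-block; Q would be unpredictable")
            self.block_cycles += 1
            if self.block_cycles == 44:  # Q is valid on this cycle only
                self.qval, self.q, self.block_cycles = True, self.block, 0

def write_and_expand_key(m, words):
    """Steps 1-17 of the Cipher Key Expansion procedure; returns cycles to KRDY."""
    for sel, word in enumerate(words):  # the four words may be written in any order
        m.step(en=0, k=word, ksel=sel, kwr=1)
    m.step(en=0, kexp=1)
    cycles = 1
    while not m.krdy:
        m.step(en=0)
        cycles += 1
    return cycles

def run_block(m, d, ed=1, pause_at=0, pause_len=0):
    """Hold EN high until QVAL, dropping EN for pause_len cycles after pause_at cycles."""
    cycles = 0
    while True:
        m.step(en=1, ed=ed, d=d)
        cycles += 1
        if m.qval:
            return cycles
        if pause_len and cycles == pause_at:
            for _ in range(pause_len):   # EN low: the core holds its state
                m.step(en=0, ed=ed, d=d)
            cycles += pause_len
```

The helpers return cycle counts so a testbench can assert the latencies the datasheet promises (52 cycles to KRDY, 44 cycles per block with pause cycles added on top) and that CLR leaves KRDY set.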
Modes of Operation

CoreAES128 is implemented using the ECB (Electronic Codebook) mode of operation, per NIST SP 800-38A. Depending on the application, other modes of operation for AES may be desirable. For this reason, Actel provides example VHDL and Verilog source code for the CBC (Cipher Block Chaining), CFB (Cipher Feedback), OFB (Output Feedback), and CTR (Counter) modes. For detailed information on specific modes of operation, refer to NIST SP 800-38A.
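The data path that Figure 1 in the General Description draws, together with the CTR wrapper this section refers to, as an added software reference model (not Actel's RTL or example code): key expansion, the initial AddRoundKey, nine full rounds and the final round without MixColumns, with SP 800-38A CTR layered on the ECB block function. Nothing here is taken from the core; the S-box is derived from the GF(2^8) inverse and affine map rather than tabulated.

```python
"""Software reference model of the AES-128 data path that Figure 1 describes
(key expansion, AddRoundKey, nine rounds of SubBytes/ShiftRows/MixColumns/
AddRoundKey, a final round without MixColumns) plus an SP 800-38A CTR wrapper
over the ECB block function. Added example, not Actel code; S-box is derived."""

def _xtime(b):
    """Multiply by x in GF(2^8), reducing by x^8 + x^4 + x^3 + x + 1."""
    return ((b << 1) ^ 0x1B) & 0xFF if b & 0x80 else b << 1

def _build_sbox():
    """FIPS-197 S-box: multiplicative inverse, then the affine map. p walks
    the powers of the generator 3 and q walks their inverses, so q = 1/p."""
    sbox = [0] * 256
    p = q = 1
    while True:
        p ^= _xtime(p)                                   # p *= 3
        q ^= q << 1                                      # q *= 0xF6 (= 1/3),
        q ^= q << 2                                      # done as shifts and
        q = (q ^ (q << 4)) & 0xFF                        # xors, then reduced
        q ^= 0x09 if q & 0x80 else 0
        x = q
        for s in (1, 2, 3, 4):                           # affine: q ^ rotl(q, 1..4)
            x ^= ((q << s) | (q >> (8 - s))) & 0xFF
        sbox[p] = x ^ 0x63
        if p == 1:
            break
    sbox[0] = 0x63                                       # zero has no inverse
    return sbox

SBOX = _build_sbox()

def expand_key(key):
    """Expand the 16-byte cipher key into the 11 round keys (44 words)."""
    w = [list(key[i:i + 4]) for i in range(0, 16, 4)]
    rcon = 1
    for i in range(4, 44):
        t = w[i - 1]
        if i % 4 == 0:                                   # RotWord, SubWord, Rcon
            t = [SBOX[t[1]] ^ rcon, SBOX[t[2]], SBOX[t[3]], SBOX[t[0]]]
            rcon = _xtime(rcon)
        w.append([a ^ b for a, b in zip(w[i - 4], t)])
    return [sum(w[4 * r:4 * r + 4], []) for r in range(11)]

def aes128_encrypt_block(key, block):
    """Encrypt one 16-byte block (ECB); state is column-major as in FIPS-197."""
    rk = expand_key(key)
    s = [b ^ k for b, k in zip(block, rk[0])]            # initial AddRoundKey
    for rnd in range(1, 11):
        s = [SBOX[b] for b in s]                         # SubBytes
        s = [s[4 * ((c + r) % 4) + r] for c in range(4) for r in range(4)]  # ShiftRows
        if rnd < 10:                                     # MixColumns (not in round 10)
            for c in range(0, 16, 4):
                a0, a1, a2, a3 = s[c:c + 4]
                t = a0 ^ a1 ^ a2 ^ a3
                s[c:c + 4] = [a0 ^ t ^ _xtime(a0 ^ a1), a1 ^ t ^ _xtime(a1 ^ a2),
                              a2 ^ t ^ _xtime(a2 ^ a3), a3 ^ t ^ _xtime(a3 ^ a0)]
        s = [b ^ k for b, k in zip(s, rk[rnd])]          # AddRoundKey
    return bytes(s)

def ctr_crypt(key, counter_block, data):
    """SP 800-38A CTR over the ECB function: the whole 128-bit counter block is
    incremented per block. The same call encrypts and decrypts."""
    ctr = int.from_bytes(counter_block, "big")
    out = bytearray()
    for i in range(0, len(data), 16):
        keystream = aes128_encrypt_block(key, ctr.to_bytes(16, "big"))
        out += bytes(a ^ b for a, b in zip(data[i:i + 16], keystream))
        ctr = (ctr + 1) % (1 << 128)
    return bytes(out)
```

A model like this is what the NIST vectors in the Actel testbench check the RTL against; the CTR wrapper also shows why the bare ECB core should be fed through a mode: two equal plaintext blocks give equal ECB ciphertext blocks but different CTR output.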
Ordering Information

Order CoreAES128 through your local Actel sales representative. Use the following number convention when ordering: CoreAES128-XX, where XX is listed in Table 3.

Table 3 •
XX   Description
EV   Evaluation Version
SN   Netlist for single-use on Actel devices
AN   Netlist for unlimited use on Actel devices
SR   RTL for single-use on Actel devices
AR   RTL for unlimited use on Actel devices
UR   RTL for unlimited use and not restricted to Actel devices

Export Restrictions

CoreAES128 is subject to strict export controls and is licensable under the U.S. Department of Commerce's Export Administration Regulations, the U.S. Department of State's International Traffic in Arms Regulations, or other laws, government regulations or restrictions. Actel is in the process of obtaining additional permissions to ship CoreAES128 to a wider audience. The licensee will not import, export, reexport, divert, transfer or disclose CoreAES128 without complying strictly with the export control laws and all legal requirements in the relevant jurisdictions, including, without limitation, obtaining the prior approval of the U.S. Department of Commerce or the U.S. Department of State, as applicable.
List of Changes

The following table lists critical changes that were made in the current version of the document.

Previous Version  Changes in Current Version (v4.0)                                           Page
v3.0              The "Supported Families" section was updated to include Fusion.            1
                  Table 1 was updated to include Fusion data.                                4
v2.0              The "Supported Families" section has been updated to include ProASIC3/E.   1
                  Table 1 was updated to include ProASIC3/E data.                            4
                  The "Modes of Operation" section was added.                                10
Datasheet Categories
In order to provide the latest information to designers, some datasheets are published before data has been fully
characterized. Datasheets are designated as "Product Brief," "Advanced," and "Production." The definitions of these
categories are as follows:
Product Brief
The product brief is a summarized version of an advanced or production datasheet containing general product
information. This brief summarizes specific device and family information for unreleased products.
Advanced
This datasheet version contains initial estimated information based on simulation, other products, devices, or speed
grades. This information can be used as estimates, but not for production.
Unmarked (production)
This datasheet version contains information that is considered to be final.
Actel and the Actel logo are registered trademarks of Actel Corporation.
All other trademarks are the property of their owners.
www.actel.com
Actel Corporation: 2061 Stierlin Court, Mountain View, CA 94043-4655 USA. Phone 650.318.4200, Fax 650.318.4600
Actel Europe Ltd.: Dunlop House, Riverside Way, Camberley, Surrey GU15 3YL, United Kingdom. Phone +44 (0) 1276 401 450, Fax +44 (0) 1276 401 490
Actel Japan (www.jp.actel.com): EXOS Ebisu Bldg. 4F, 1-24-14 Ebisu Shibuya-ku, Tokyo 150 Japan. Phone +81.03.3445.7671, Fax +81.03.3445.7668
Actel Hong Kong (www.actel.com.cn): Suite 2114, Two Pacific Place, 88 Queensway, Admiralty, Hong Kong. Phone +852 2185 6460, Fax +852 2185 6488
51700011-2/12.05