# Helion Technology

## FULL DATASHEET - AES-GCM Core family for FPGA



#### **Features**

- Implements Galois/Counter (GCM) authenticated encryption mode to NIST 800-38D
- Supports all AES key sizes (128,192, and 256 bits) with integrated key expansion
- 96-bit Nonce/IV support
- Performs AES and GHASH functions needed for GCM including final block padding, tag appending and checking
- Simple 8-bit data interface for easy system integration
- Suitable for use in IPsec, MACsec, IEEE1619.1 and other applications
- Now available in multiple versions providing optimal area/performance AES-GCM solution

#### **Deliverables**

- Target specific netlist or fully synthesisable RTL VHDL/Verilog
- VHDL/Verilog simulation model and testbench
- User documentation

#### Overview

AES-GCM is an authenticated encryption block cipher mode which provides data confidentiality, integrity and origin authentication at potentially very high data rates, and is therefore an alternative to modes such as CCM, EAX & OCB. It is described formally in NIST Special Publication 800-38D. This particular implementation of GCM targets medium throughput applications with emphasis on low resource usage, and ease of use via a byte-wide interface.

The Helion AES-GCM core integrates all of the underlying functions required to implement AES in GCM mode including round-key expansion, counter mode logic, hash length counters, final block padding, and tag appending and checking features. The only external logic required is to form the Nonce block from various application specific packet header fields. Support is provided for both optional header and zero-length payload, and configurable tag length, making the core suitable for IPsec (RFC4106), MACsec (IEEE802.1ae) and Tape Storage (IEEE1619.1) applications.

## **Helion Technology Limited**

Ash House, Breckenwood Road, Fulbourn, Cambridge CB21 5DQ, England



## **Functional Description**

The Helion AES-GCM core uses AES-CTR operations to provide data encryption or decryption, and GHASH operations to provide message authentication. The master AES key is loaded into the core using the byte-writable 32-bit key interface. Key processing to derive the internal GHASH key is then initiated by the user issuing an EXEC\_KEY command to the core (via aes engine exec) and indicating the AES key size to be used (aes key size).

Before the start of the message, the Nonce/IV must also be loaded by issuing an EXEC\_INIT command to the core. The 128-bit Nonce/IV (96 bits used) is transferred into the core using the byte-wide data input interface. Message data processing is performed using multiple 128-bit block encrypt/decrypt operations which are initiated by issuing one or more EXEC\_DATA commands to the core. Control inputs are used to indicate the direction (encrypt\_decryptn) and data type (header\_payloadn). The input block is transferred into the core using the byte-wide data input interface (inputtext\_byte\_data), and the resulting output block is transferred from the core using the byte-wide data output interface (outputtext\_byte\_data).

The last header or payload block may be less than 128 bits, and so its presence and length in bytes is indicated to the core using the last\_block control inputs. Once the last message block has been encrypted/decrypted, the tag will either be appended to the output data (encrypt direction), or will be checked against the received tag (decrypt direction) and the tag check output flag (decrypt\_tag\_ok) driven accordingly.

#### Core Choice

Helion always offer a range of solutions so that the throughput requirements of any application can be closely matched with optimum area efficiency. In this case, Helion have three levels of performance available; we name them to reflect the minimum number of clock cycles taken to process each 16-byte data block. NOTE. The actual number of cycles taken by the core to process this block varies with exact core choice and the keysize selected.

The smallest member of the family is the "218-cycle" AES-GCM core which takes a minimum 218 clock cycles to encrypt or decrypt each 16-byte data block using a 128-bit key.

For higher throughputs, the "48-cycle" AES-GCM core offers over four times the performance of the 218-cycle core while using less than twice its logic area. It takes a minimum 48 clock cycles to encrypt or decrypt each 16-byte data block using a 128-bit key.

The highest performance member of the family is the **"19-cycle" AES-GCM** core, which offers over twice the performance of the 48-cycle core while using approximately twice its logic area. It takes a minimum 19 clock cycles to encrypt or decrypt each 16-byte data block using any key size.

Each version of the core is available with support for one, two and (in most cases) all three AES key sizes (128, 192 and 256-bit).



The tables below show the number of cycles and the maximum data throughput for each version of the AES-GCM core, for each supported key size.

|                                        | ——AES-GCM 218-cycle— |     |      | ——AES-GCM 48-cycle—— |     |     | ——AES-GCM 19-cycle—— |     |     |
|----------------------------------------|----------------------|-----|------|----------------------|-----|-----|----------------------|-----|-----|
| key size                               | 128                  | 192 | 256  | 128                  | 192 | 256 | 128                  | 192 | 256 |
| clock cycles used<br>per 16-byte block | 218                  | n/a | 298  | 48                   | 56  | 64  | 19                   | 19  | 19  |
| max throughput<br>(Mbps per MHz)       | 0.58                 | n/a | 0.43 | 2.6                  | 2.2 | 2.0 | 6.7                  | 6.7 | 6.7 |

The 19-cycle version is available with a choice of standard or fast key expansion, which affects the overhead time of setting up a new key. The standard expansion is preferred in FPGA, especially when support for all three key sizes is required, as considerable area savings can be made.

For even higher data throughput requirements, Helion also have faster AES-GCM core families which have wider data ports to ensure the throughput is not constrained by the I/O bandwidth. Please contact Helion for more information on these faster AES-GCM solutions.



## **Ordering Information**

Before ordering it is necessary to decide which of our family of AES-GCM cores will best fit your application. First decide between the 218-cycle, 48-cycle, and 19-cycle cores according to the data throughput required and logic resources available. Then determine which AES key sizes you would like to support as well as any other special requirements your application may have.

If some of these choices are unclear, or you would just like to go over the options available, we are always happy to discuss the alternatives and help select the best solution for your application.

| AES-GCM core | Logic Area | Throughput | Encryption/<br>Decryption | Authentication | 128-bit<br>keys | 192-bit<br>keys | 256-bit<br>keys |
|--------------|------------|------------|---------------------------|----------------|-----------------|-----------------|-----------------|
| 218-cycle    | lowest     | low        | ✓                         | ✓              | ✓               | ×               | ✓               |
| 48-cycle     | low        | mid        | ✓                         | ✓              | ✓               | ✓               | ✓               |
| 19-cycle     | mid-high   | highest    | ✓                         | ✓              | ✓               | ✓               | ✓               |

## Logic Utilisation and Performance

Helion has a long history in high-end FPGA design, and we therefore take great care when implementing our IP cores. As a result they have been designed from the ground up to be highly optimal for each individual FPGA technology - they are not simply based on a synthesised generic RTL ASIC design. The Helion AES-GCM core family makes use of the architectural features available in each FPGA technology to achieve the highest performance combined with the most efficient logic resource utilisation.

The latest logic area, performance figures, and datasheets for the Helion AES-GCM core family in a range of different technologies are available at <a href="http://www.heliontech.com/aes\_gcm.htm">http://www.heliontech.com/aes\_gcm.htm</a>. Please feel free to contact us should you require further details.

### **About Helion**

Helion is a long established British company based in Cambridge, England, offering a range of product-proven Data Security silicon IP cores backed up by our highly experienced and professional design service capabilities. Although we specialise in providing the highest performance data encryption and authentication IP, our interest does not stop there. Unlike broadline IP vendors who try to supply a very diverse range of solutions, being specialists we can offer much more than just the IP core itself.

For instance, we are pleased to be able to supply up-front expert advice on any security applications which might take advantage of our technology. Many of our customers are adding data security into their existing systems for the first time, and are looking for a little assistance with how best to achieve this. We are pleased to help with suitable advice and support where necessary, and pride ourselves in our highly personal approach.

The quality of our IP is however the main reason our customers keep coming back for more. We passionately believe that if you are buying IP, it should have been designed with the ultimate in care, crafted to achieve the ultimate performance in each target technology, and thoroughly tested to ensure compliance with any associated standards. All this comes as standard with IP from Helion.

## More Information

For more detailed information on this or any of our other products and services, please contact Helion and we will be pleased to discuss how we can assist with your individual requirements.



# **Helion Technology Limited**

Ash House, Breckenwood Road, Fulbourn, Cambridge CB21 5DQ, England tel: +44 (0)1223 500 924 email: info@heliontech.com fax: +44 (0)1223 500 923 web: www.heliontech.com