secworks / aes
Verilog implementation of the symmetric block cipher AES (Advanced Encryption Standard) as specified in NIST FIPS 197. This implementation supports 128 and 256 bit keys.

License: BSD 2-Clause "Simplified" License

Languages: Verilog 67.61%, Python 30.76%, Makefile 1.55%, Tcl 0.08%
Topics: aes, encryption, asic, fpga, block-cipher

aes

Verilog implementation of the symmetric block cipher AES (NIST FIPS 197).

Status

The core is complete and has been used in several FPGA and ASIC designs. It is well tested and mature.

Introduction

This implementation supports 128 and 256 bit keys. The implementation is iterative and processes one 128-bit block at a time. Blocks are processed at word level, with four S-boxes in the datapath. The S-boxes used for encryption are shared with the key expansion, so the core cannot expand a new key in parallel with block processing.

The encipher and decipher block processing datapaths are separate and essentially self-contained, given access to a set of round keys and a block. This makes it possible to hard-wire the core to encipher-only or decipher-only operation, which lets the synthesis/build tools optimize away the unused datapath and reduces the size to about 50% of the full core. This has been tested: with the decryption logic removed, the core still works.

For modes such as CTR, CCM, CMAC and GCM the decryption functionality of the AES core is never used (they only ever run the block cipher in the forward direction), so the decipher block processing can be removed.

This is a fairly compact implementation. Further reduction could be achieved by having just a single S-box. Similarly, the performance can be increased by having 8 or even 16 S-boxes, which would reduce the number of cycles to two cycles for each round.

Branches

There are several branches available that provide different versions of the core. The branches are not planned to be merged into master. The branches that provide versions of the core are:

on-the-fly-keygen

This version of AES implements the key expansion using an on-the-fly mechanism, which allows the initial key expansion step to be removed. This saves a number of cycles and also removes almost 1800 registers otherwise needed to store the round keys. Note that this version of AES only supports encryption: on-the-fly key generation does not work with decryption. Decryption must be handled by the block cipher mode, for example CTR.

dual-keys

This version of AES supports two separate banks of expanded round keys, allowing fast switching between two keys. This is useful, for example, in an AEAD construction using CBC + CMAC implemented on a single AES core.

cmt-sbox

An experimental version of the core in which the S-box is implemented as a circuit-minimized logic function rather than as a ROM/lookup table. The specific circuit used is the 113-gate S-box circuit by the CMT (Circuit Minimization Team) at Yale.

Some area and performance results for cmt-sbox compared to master:

Altera

  • Tool: Quartus Prime 19.1.0

  • Device: Cyclone V (5CGXFC7C7F23C8)

  • master (S-box implemented with a table)

    • ALMs: 2599
    • Regs: 3184
    • Fmax: 93 MHz
    • aes_sbox: 160 ALUTs
  • cmt_sbox

    • ALMs: 2759
    • Regs: 3147
    • Fmax: 69 MHz
    • aes_sbox: 363 ALUTs

Xilinx

  • Tool: Vivado 2019.2

  • Device: Kintex-7 (7k70tfbv676-1)

  • master:

    • LUTs: 3020
    • FFs: 2992
    • Fmax: 125 MHz
  • cmt_sbox:

    • LUTs: 2955
    • FFs: 2992
    • Fmax: 105 MHz

Core Usage

Usage sequence:

  1. Load the key to be used by writing to the key register words.
  2. Set the key length by writing to the config register.
  3. Initialize key expansion by writing a one to the init bit in the control register.
  4. Wait for the ready bit in the status register to be cleared and then to be set again. This means that the key expansion has been completed.
  5. Write the cleartext block to the block registers.
  6. Start block processing by writing a one to the next bit in the control register.
  7. Wait for the ready bit in the status register to be cleared and then to be set again. This means that the data block has been processed.
  8. Read out the ciphertext block from the result registers.
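The sequence above, driven from the host side, as an added example (this is not code from the secworks/aes project). It runs the eight steps against a register-level Python mock of the core so it can be executed offline; the mock computes FIPS-197 AES and returns the result through the same word registers. The register addresses, bit positions and busy latency in the mock are assumptions for illustration only: check the ADDR_* and *_BIT localparams in the core's top-level RTL before using the driver against real hardware. The expand_key() helper also shows what the on-the-fly-keygen branch computes per round, since each new key word depends only on the previous Nk words.

```python
"""Host-side driver for the core's usage sequence, against a Python mock.
Added example, not project code. Register map and latency are ASSUMED."""

# Assumed 32-bit word register map (hypothetical; verify against the RTL).
ADDR_CTRL, ADDR_STATUS, ADDR_CONFIG = 0x08, 0x09, 0x0A
ADDR_KEY0, ADDR_BLOCK0, ADDR_RESULT0 = 0x10, 0x20, 0x30
CTRL_INIT, CTRL_NEXT = 1 << 0, 1 << 1            # control register bits
STATUS_READY = 1 << 0                            # status register bit
CONFIG_ENCDEC, CONFIG_KEYLEN = 1 << 0, 1 << 1    # 1 = encrypt, 1 = 256-bit key

# --- Compact FIPS-197 reference used by the mock (S-box derived, not tabulated) ---
def _xtime(a):
    return ((a << 1) ^ 0x1B) & 0xFF if a & 0x80 else a << 1

def _gmul(a, b):                                 # multiply in GF(2^8), poly 0x11B
    r = 0
    while b:
        if b & 1:
            r ^= a
        a, b = _xtime(a), b >> 1
    return r

def _make_sbox():                                # GF(2^8) inverse + affine map
    sbox = []
    for x in range(256):
        inv = next((y for y in range(256) if _gmul(x, y) == 1), 0)
        s = inv
        for i in range(1, 5):
            s ^= ((inv << i) | (inv >> (8 - i))) & 0xFF
        sbox.append(s ^ 0x63)
    return sbox

SBOX = _make_sbox()

def expand_key(key):
    """Key expansion; returns Nr+1 round keys of 16 bytes. Each new word uses
    only the previous Nk words, which is what on-the-fly key generation relies on."""
    nk, nr = len(key) // 4, len(key) // 4 + 6
    w, rcon = [list(key[4 * i:4 * i + 4]) for i in range(nk)], 1
    for i in range(nk, 4 * (nr + 1)):
        t = w[i - 1]
        if i % nk == 0:                          # RotWord, SubWord, Rcon
            t = [SBOX[t[1]] ^ rcon, SBOX[t[2]], SBOX[t[3]], SBOX[t[0]]]
            rcon = _xtime(rcon)
        elif nk == 8 and i % nk == 4:            # extra SubWord for 256-bit keys
            t = [SBOX[b] for b in t]
        w.append([a ^ b for a, b in zip(w[i - nk], t)])
    return [sum(w[4 * r:4 * r + 4], []) for r in range(nr + 1)]

def encrypt_block(round_keys, block):
    """Encrypt one 16-byte block; state is column-major as in FIPS-197."""
    s = [b ^ k for b, k in zip(block, round_keys[0])]
    for r in range(1, len(round_keys)):
        s = [SBOX[b] for b in s]                                  # SubBytes
        s = [s[(i + 4 * (i % 4)) % 16] for i in range(16)]        # ShiftRows
        if r != len(round_keys) - 1:                              # MixColumns
            s = [_gmul(s[4 * c + i], 2) ^ _gmul(s[4 * c + (i + 1) % 4], 3)
                 ^ s[4 * c + (i + 2) % 4] ^ s[4 * c + (i + 3) % 4]
                 for c in range(4) for i in range(4)]
        s = [b ^ k for b, k in zip(s, round_keys[r])]             # AddRoundKey
    return bytes(s)

class MockAesCore:
    """Constructed stand-in for the core: ready drops after init/next and comes
    back after a few status polls (made-up latency; the real core is cycle-exact)."""
    BUSY_POLLS = 4

    def __init__(self):
        self.regs, self.ready, self.busy, self.round_keys = {}, 1, 0, None

    def _words(self, base, n):                   # gather n words, MSW first
        return b"".join(self.regs.get(base + i, 0).to_bytes(4, "big") for i in range(n))

    def write(self, addr, word):
        if addr != ADDR_CTRL:
            self.regs[addr] = word & 0xFFFFFFFF
            return
        cfg = self.regs.get(ADDR_CONFIG, 0)
        if word & CTRL_INIT:
            nwords = 8 if cfg & CONFIG_KEYLEN else 4
            self.round_keys = expand_key(self._words(ADDR_KEY0, nwords))
        elif word & CTRL_NEXT:
            if not cfg & CONFIG_ENCDEC or self.round_keys is None:
                raise RuntimeError("mock models encryption only, after init")
            ct = encrypt_block(self.round_keys, self._words(ADDR_BLOCK0, 4))
            for i in range(4):
                self.regs[ADDR_RESULT0 + i] = int.from_bytes(ct[4 * i:4 * i + 4], "big")
        else:
            return
        self.ready, self.busy = 0, self.BUSY_POLLS

    def read(self, addr):
        if addr != ADDR_STATUS:
            return self.regs.get(addr, 0)
        if self.busy:
            self.busy -= 1
            self.ready = int(self.busy == 0)
        return self.ready

def wait_ready(core, max_polls=10_000):
    """Steps 4 and 7: see ready go low, then high again, with a bounded poll count."""
    for _ in range(max_polls):
        if not core.read(ADDR_STATUS) & STATUS_READY:
            break
    else:
        raise TimeoutError("ready never cleared (bus slower than the core?)")
    for _ in range(max_polls):
        if core.read(ADDR_STATUS) & STATUS_READY:
            return
    raise TimeoutError("ready never reasserted")

def aes_encrypt_via_core(core, key, block):
    """Steps 1-8 of the usage sequence for a 128- or 256-bit key."""
    assert len(key) in (16, 32) and len(block) == 16
    for i in range(len(key) // 4):                                 # 1. key words
        core.write(ADDR_KEY0 + i, int.from_bytes(key[4 * i:4 * i + 4], "big"))
    keylen = CONFIG_KEYLEN if len(key) == 32 else 0
    core.write(ADDR_CONFIG, CONFIG_ENCDEC | keylen)                # 2. key length
    core.write(ADDR_CTRL, CTRL_INIT)                               # 3. expand key
    wait_ready(core)                                               # 4.
    for i in range(4):                                             # 5. plaintext
        core.write(ADDR_BLOCK0 + i, int.from_bytes(block[4 * i:4 * i + 4], "big"))
    core.write(ADDR_CTRL, CTRL_NEXT)                               # 6. start block
    wait_ready(core)                                               # 7.
    return b"".join(core.read(ADDR_RESULT0 + i).to_bytes(4, "big")  # 8. result
                    for i in range(4))

if __name__ == "__main__":                                         # FIPS-197 C.1 vector
    pt = bytes.fromhex("00112233445566778899aabbccddeeff")
    print(aes_encrypt_via_core(MockAesCore(), bytes(range(16)), pt).hex())
```

Two practical points the mock makes visible. First, the "cleared, then set again" handshake in steps 4 and 7 only works if the host can observe the low phase; on a bus that is slow relative to the core's 46 cycles per block the ready bit may already be high again by the first poll, so a real driver should bound both polls (as wait_ready does) and, if the interface offers one, prefer a result-valid indication to a transient low on ready. Second, check any build of the core against the FIPS-197 Appendix C vectors for both key lengths before trusting it; a datapath change that passes the testbench by accident is exactly what a known-answer test catches.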

FuseSoC

This core is supported by the FuseSoC core package manager and build system. Some quick FuseSoC instructions:

Install FuseSoC:

pip install fusesoc

Create and enter a new workspace:

mkdir workspace && cd workspace

Register aes as a library in the workspace, if the repo is available locally:

fusesoc library add aes /path/to/aes

...or fetch the upstream repo:

fusesoc library add aes https://github.com/secworks/aes

To run lint

fusesoc run --target=lint secworks:crypto:aes

Run tb_aes testbench

fusesoc run --target=tb_aes secworks:crypto:aes

Run with ModelSim instead of the default tool (Icarus Verilog)

fusesoc run --target=tb_aes --tool=modelsim secworks:crypto:aes

List all targets

fusesoc core show secworks:crypto:aes

Implementation results - ASIC

The core has been implemented in standard cell ASIC processes.

TSMC 180 nm

Target frequency: 20 MHz. Complete flow from RTL to placed gates, with automatic clock gating and scan insertion.

  • 8 kCells
  • Area: 520 x 520 um
  • Good timing margin, with no large cells or buffers needed.

Implementation results - FPGA

The core has been implemented in Altera and Xilinx FPGA devices.

Altera Cyclone V GX

  • 2624 ALMs
  • 3123 Regs
  • 96 MHz
  • 46 cycles/block

Altera Cyclone IV GX

  • 7426 LEs
  • 2994 Regs
  • 96 MHz fmax
  • 46 cycles/block

At 96 MHz and 46 cycles per block this means the core can do more than 2 Mblocks/s, i.e. above 256 Mbps.

Removing the decipher module yields:

  • 5497 LEs
  • 2855 Regs
  • 106 MHz fmax
  • 46 cycles/block

Microchip IGLOO 2

  • Tool: Libero v12.4
  • Device: M2GL090TS-1FG484I
  • LUTs: 6335
  • SLEs: 1376
  • BRAMs: 8
  • Fmax: 98.5 MHz

Xilinx Spartan6LX-3

  • 2576 slices
  • 3000 regs
  • 100 MHz
  • 46 cycles/block

Xilinx Artix 7 200T-3

  • 2298 slices
  • 2989 regs
  • 97 MHz
  • 46 cycles/block

aes's People

Contributors

olofk, secworks

aes's Issues

Use aes_encipher_block component for one AES round

Hi,
is it possible to use aes_encipher_block for exactly one AES round like the AES-NI instruction __m128i _mm_aesenc_si128(__m128i a, __m128i RoundKey)? [Link]
If I have to update a few lines in the component this would be totally fine.

From the documentation of the AES-NI instruction _mm_aesenc_si128:

state := a
a[127:0] := ShiftRows(a[127:0])
a[127:0] := SubBytes(a[127:0])
a[127:0] := MixColumns(a[127:0])
dst[127:0] := a[127:0] XOR RoundKey[127:0]

The encipher component does exactly that, but also does the initial round key addition and the final round (without mixing). Is there a way to avoid the initial key addition? I tried to modify the code in this line so the round key does not get xor'd to the block, but it didn't get me the expected result. Is there something else I could do/might try?

Here is an example of a software AES-NI that I use to generate my expected values. [Link]. You can also see the expected values it produces as a comment in the gist.

After the first round (without key addition) with the following parameters:
block = 00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f and
round_key = 06 84 70 4c e6 20 c0 0a b2 c5 fe f0 75 81 7b 9d
keylen = 0
I expect new_block to be: f7 11 dd 30 dc 93 f6 e3 ba 19 7d 87 6b ec a5 5a

The goal of all this is to use the aes_encipher_block component for a hardware implementation of Haraka.

TEST BENCH

Sir, the test bench file has errors. Can you please send the updated file?

Add simple description of usage

Add a simple description of how the core is to be used to the README.md
Something like:
1. Load the key to be used by writing to the key register words.
2. Set the key length by writing to the config register.
3. Initialize key expansion by writing a one to the init bit in the control register.
4. Wait for the ready bit in the status register to be cleared and then to be set again. This means that the key expansion has been completed.
5. Write the cleartext block to the block registers.
6. Start block processing by writing a one to the next bit in the control register.
7. Wait for the ready bit in the status register to be cleared and then to be set again. This means that the data block has been processed.
8. Read out the ciphertext block from the result registers.

[question] How to load key to the AES core

Hi, I am very new here, and I am still very confused after reviewing the AES core. I am not sure if the key is stored in one of the local parameters of the AES core, or if it is stored outside the AES core.
If the key is stored outside the core, I do not know how to load it into the core according to the port definition in the top file. There is just write_data/read_data for encrypted/decrypted data, and an address for registers.

Specification mismatch in decipher algorithm

FYI, Lubis (@ludwigatlubis) is doing FPV to verify the AES right now and they found a bug according to the NIST specification.

Module that contains the bug:
src/rtl/aes_decipher_block.v

The bug is in line 326: the invs_shift_rows_block() function should not get executed in the init_update state, as it is repeated in the next state again.

Reproduce the bug:
A simple formal assertion shows the bug.

Solution:
Removing that line fixes the bug.

We are working on it here: chipsalliance/caliptra-rtl#165

design

Hello,
Could you upload a schematic block diagram of the module?
Thank you very much!

Fix CI build for skywater using edalize

It seems the edalize-based CI build for skywater is broken (again):

Error: : during executing openroad script /openlane/scripts/openroad/groute.tcl
Error: : Exit code: 1
Error: : Last 10 lines:

ERROR: Unable to find image 'edalize/openlane-sky130:mpw4' locally

...
...

Status: Downloaded newer image for edalize/openlane-sky130:mpw4
no such variable
(read trace on "::env(PWD)")
invoked from within
"relpath $::env(PWD) $reproducible_dir"
(procedure "run_openroad_script" line 38)
invoked from within
"run_openroad_script $::env(SCRIPTS_DIR)/openroad/groute.tcl -indexed_log $saveLOG"
(procedure "global_routing_fastroute" line 5)
invoked from within
"global_routing_fastroute"
(procedure "global_routing" line 13)
invoked from within
"global_routing"
(procedure "run_routing" line 35)
invoked from within
"run_routing"
(procedure "run_routing_step" line 7)
invoked from within
"[lindex $step_exe 0] [lindex $step_exe 1] "
(procedure "run_non_interactive_mode" line 54)
invoked from within
"run_non_interactive_mode {*}$argv"
invoked from within
"if { [info exists flags_map(-interactive)] || [info exists flags_map(-it)] } {
puts_info "Running interactively"
if { [info exists arg_values(-file)..."
(file "/openlane/flow.tcl" line 346)
make: *** [Makefile:4: all] Error 1

ERROR: Failed to build secworks:crypto:aes:0 : '['make']' exited with an error: 2

Error: Process completed with exit code 1.

Any idea what the error is @olofk ?

Input Text File

May I know where to input a text file in this series of Verilog code?
Thank you.
