hw/ip/aes/README.md (+11 -8)
@@ -28,10 +28,13 @@ The AES unit supports the following features:
28
28
- Electronic Codebook (ECB) mode,
29
29
- Cipher Block Chaining (CBC) mode,
30
30
- Cipher Feedback (CFB) mode (fixed data segment size of 128 bits, i.e., CFB-128),
31
-
- Output Feedback (OFB) mode, and
32
-
- Counter (CTR) mode.
31
+
- Output Feedback (OFB) mode,
32
+
- Counter (CTR) mode, and
33
+
- Galois/Counter Mode (GCM) (fixed IV length of 96 bits, fixed tag length of 128 bits) including support for context switching (via saving and restoring).
34
+
- Support for GCM can be removed to save area, and is enabled/disabled using a compile-time Verilog parameter
33
35
- Support for AES-192 can be removed to save area, and is enabled/disabled using a compile-time Verilog parameter
34
36
- First-order masking of the cipher core using domain-oriented masking (DOM) to deter side-channel analysis (SCA), can optionally be disabled using compile-time Verilog parameters (for more details see [Security Hardening](./doc/theory_of_operation.md#side-channel-analysis))
37
+
- First-order masking of the GHASH operation involved in GCM (for more details see [Security Hardening](./doc/theory_of_operation.md#side-channel-analysis))
35
38
- Latency per 16 byte data block of 12/14/16 clock cycles (unmasked implementation) and 56/66/72 clock cycles (DOM) in AES-128/192/256 mode
36
39
- Automatic as well as software-initiated reseeding of internal pseudo-random number generators (PRNGs) with configurable reseeding rate resulting in max entropy consumption rates ranging from 343 Mbit/s to 0.042 Mbit/s (at 100 MHz).
37
40
- Countermeasures for deterring fault injection (FI) on the control path (for more details see [Security Hardening](./doc/theory_of_operation.md#fault-injection))
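Review bot: the two unchanged bullets at the end of this hunk, latency per 16-byte block (12/14/16 and 56/66/72 cycles) and PRNG entropy consumption (343 Mbit/s down to 0.042 Mbit/s), now sit under a feature list that includes GCM, but GCM adds a GHASH step per block plus the tag computation, and the added "First-order masking of the GHASH operation" bullet implies a second masked datapath that may draw on the same PRNGs; state whether those two figures change when the GCM parameter is enabled, or qualify them as applying to the cipher core only. Two smaller points in the added lines: the masked-GHASH bullet should say whether it is controlled by the same compile-time masking parameters as the DOM bullet above it (the DOM bullet says "can optionally be disabled", this one says nothing), and "including support for context switching (via saving and restoring)" should name which internal state is saved and restored, since a driver author needs to know exactly what must be preserved across a switch.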
@@ -42,19 +45,19 @@ The AES unit supports the following features:
42
45
This AES unit targets medium performance (16 parallel S-Boxes, \~1 cycle per round for the unmasked implementation, \~5 cycles per round for the DOM implementation).
43
46
High-speed, single-cycle operation for high-bandwidth data streaming is not required.
44
47
45
-
Cipher modes other than ECB, CBC, CFB, OFBand CTR are beyond this version of the AES unit but might be supported in future versions.
46
-
Galois/Counter Mode (GCM) can be implemented by leveraging [Ibex](../rv_core_ibex/README.md) for the GHASH operation as demonstrated in [OpenTitan's library of cryptographic implementations](https://github.com/lowRISC/opentitan/tree/master/sw/device/lib/crypto).
48
+
Cipher modes other than ECB, CBC, CFB, OFB, CTR and GCM are beyond this version of the AES unit but might be supported in future versions.
49
+
If hardware support for GCM is disabled, it can be implemented by leveraging [Ibex](../rv_core_ibex/README.md) for the GHASH operation as demonstrated in [OpenTitan's library of cryptographic implementations](https://github.com/lowRISC/opentitan/tree/master/sw/device/lib/crypto).
47
50
48
51
49
52
## Description
50
53
51
54
The AES unit is a cryptographic accelerator that accepts requests from the processor to encrypt or decrypt 16B blocks of data.
52
-
It supports AES-128/192/256 in Electronic Codebook (ECB) mode, Cipher Block Chaining (CBC) mode, Cipher Feedback (CFB) mode (fixed data segment size of 128 bits, i.e., CFB-128), Output Feedback (OFB) mode and Counter (CTR) mode.
55
+
It supports AES-128/192/256 in Electronic Codebook (ECB) mode, Cipher Block Chaining (CBC) mode, Cipher Feedback (CFB) mode (fixed data segment size of 128 bits, i.e., CFB-128), Output Feedback (OFB) mode, Counter (CTR) mode and Galois/Counter Mode (GCM) (fixed IV length of 96 bits, fixed tag length of 128 bits).
53
56
For more information on these cipher modes, refer to [Recommendation for Block Cipher Modes of Operation](https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-38a.pdf).
54
-
Galois/Counter Mode (GCM) can be implemented using [Ibex](../rv_core_ibex/README.md) for the GHASH operation as demonstrated in the [OpenTitan Cryptography Library](../../../doc/security/cryptolib/README.md).
55
-
To improve the performance of GCM, instructions of the [RISC-V Bit-Manipulation Extension of Ibex](https://ibex-core.readthedocs.io/en/latest/03_reference/instruction_decode_execute.html#arithmetic-logic-unit-alu) can be leveraged.
56
-
In particular, carry-less multiply instructions can help to speed up the GHASH operation.
57
57
For details on GCM, refer to [Recommendation for Block Cipher Modes of Operation: Galois/Counter Mode (GCM) and GMAC](https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-38d.pdf).
58
+
If hardware support for GCM is disabled, it can be implemented using [Ibex](../rv_core_ibex/README.md) for the GHASH operation as demonstrated in the [OpenTitan Cryptography Library](../../../doc/security/cryptolib/README.md).
59
+
To improve the performance of such an implementation, instructions of the [RISC-V Bit-Manipulation Extension of Ibex](https://ibex-core.readthedocs.io/en/latest/03_reference/instruction_decode_execute.html#arithmetic-logic-unit-alu) can be leveraged.
60
+
In particular, carry-less multiply instructions can help to speed up the GHASH operation.
58
61
Other cipher modes might be added in future versions.
59
62
60
63
The AES unit is attached to the chip interconnect bus as a peripheral module.
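Review bot: with GCM added to the mode list in the Description paragraph, the unchanged sentence that follows it, "For more information on these cipher modes, refer to [SP 800-38A]", is now inaccurate, because SP 800-38A does not specify GCM; either restrict that sentence to ECB, CBC, CFB, OFB and CTR, or move the SP 800-38D reference (currently a few lines later) up next to it. Also, the added "It supports AES-128/192/256 in ... Galois/Counter Mode (GCM)" is unconditional, while the feature list in the previous hunk says GCM support is a compile-time parameter that can be removed; say "optionally" (or name the parameter) here, otherwise a reader of the Description alone cannot tell that the fallback paragraph "If hardware support for GCM is disabled, ..." ever applies. Minor: "Cipher modes other than ECB, CBC, CFB, OFB, CTR and GCM are beyond this version of the AES unit but might be supported in future versions." near the top of the hunk and the unchanged "Other cipher modes might be added in future versions." near the bottom now say the same thing twice; one of them could go.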