Conforms to the Advanced En-

AES-P
Programmable AES Encrypt/Decrypt Megafunction
The AES-P core implements hardware data encryption and decryption using Rijndael encoding in compliance with the FIPS-197 Advanced Encryption Standard (AES). The versatile core can be run-time programmed to: perform either encryption or decryption; run in any of the common block-cipher modes (ECB, CBC, CFB, OFB, and CTR); and use a 128-bit, 192-bit or 256-bit cipher key. Two architectural versions are available to suit system requirements. The Standard version (AES32-P) is more compact, using a 32-bit datapath and requiring 44/52/60 clock cycles for each data block (128/192/256-bit cipher key, respectively). The Fast version (AES128-P) achieves higher throughput, using a 128-bit datapath and requiring 11/13/15 clock cycles for each data block. The Fast version can achieve rates of 2 Gbps or more in FPGAs, and 5 Gbps or more in ASICs. The core includes an internal round key table in which expanded AES encryption and decryption key values are stored. An optional Key Expander module can automatically generate the round keys and fill the table, or this can be handled externally by the user. Fully-stallable input and output interfaces simplify AES integration for different applications. These enable system software to stop the input stream according to a specific data arrival rate, or to stop the output stream when the core is not able to receive data. The core has been verified against the AES FIPS 197 standard using the NIST AES Algorithm Validation Suite (AESAVS), NIST document SP800-38A, and additional random test vectors. Deliverables include all these tests, plus a bit-accurate model (BAM) for generating additional test vectors. The AES-P core has been evaluated in a variety of technologies, and is available optimized for ASICs or FPGAs.

cryption Standard (AES) standard (FIPS PUB 197)

Single module efficiently inte-

grates multiple AES functions and modes

Run-time programmable for: Encryption or Decryption Cipher Key length:

128- 192- or 256-bits

Cipher Mode:

ECB (Electronic Codebook) CBC (Cipher Block Chaining) CFB (Cipher Feedback) OFB (Output Feedback) CTR (Counter)
Two architectural versions avail-

able:
Standard is more compact:

32-bit data path size Processes each 128-bit data block in 44/52/60 clock cycles for 128/192/256-bit cipher keys, respectively
Fast yields higher transmis-

sion rates: 128-bit data path Processes each 128-bit block in 11/13/15 clock cycles for 128/192/256-bit cipher keys, respectively
Optional Key Expander automat-

ically generates and stores Round Keys for AES processing

Optimized design for ASIC or

FPGA implementations
Verified against the AES FIPS

197 standard using:

Known Answer Tests (KAT) of

Applications
The AES-P core is suitable for a variety of applications, including: secure networking routers; wireless communications; encrypted data storage; secure video surveillance systems; and electronic financial transactions.

the NIST AES Algorithm Validation Suite (AESAVS),

Block cipher modes tests of

NIST document SP800-38A,

Additional random test vec-

Block Diagram

tors
Fully-stallable input and output

interfaces, ideal for streaming applications, e.g. system software can:

pause input processing to

match slow transmission, or

pause output processing to

allow a slower application to catch up with decrypted data

Deliverables include bit-accurate

software model (BAM) for easy user-generation of tests

November 2010

Functional Description
The core performs standard AES processing, efficiently combining some steps into a single look-up table operation. The round key values for the current cipher key must be calculated prior to any encryption or decryption operation, by system software, or with the optional Key Expander to save processing time. The values are stored in the Round Key Table and accessed by the AES CoDec Engine. Both the round key for encryption and the inverse round key for decryption are stored; the inverse round key is obtained by using the Inverse MixColumns function. The core can encrypt or decrypt a stream of 128-bit blocks of data until a new cipher key has to be used and the round key values recalculated. The cipher key size and whether the core will encrypt or decrypt the data block are controlled by the state of input control signals, and may be changed on the beginning of each block without any performance penalty. A powerful input/output interface permits fully-stallable data streaming through the core. The application receiving the output of the core can arbitrarily pause the generation of output data. In a similar way, the application that feeds data to the input can arbitrarily pause the data stream to the core. The core can also stall the application feeding its input, when the core is busy processing, or when the output cannot receive any more processed data.

Export Permits
This encryption technology is governed internationally by export regulations. Immediate export of the megfunction is permitted to the following countries for uses not related to weapons of mass destruction:
Argentina Australia Canada European Union Member States Japan New Zealand Norway Russia South Korea Switzerland Turkey Ukraine United States

Please contact CAST to discuss delivery to other destinations; approval is subject to the applicable export licenses being granted. The license can be generated from either the EU or the USA. Please note that licensees are responsible for complying with the applicable requirements for re-export of electronics containing strong encryption technology.

Support
The AES-P core as delivered is warranted against defects for ninety days from purchase. Thirty days of phone and email technical support are included, starting with the first interaction. Additional maintenance and support options are available.

Verification
The core has been verified through extensive synthesis, place and route and simulation runs. It has also been embedded in several products, and is proven in FPGA technologies.

Implementation Results
AES-P reference designs have been evaluated in a variety of technologies. The following are sample Altera results for the fast version running ECB mode, with the round key table, no key expander, and optimized for speed.
Altera LEs/ Fmax Throughput Memory I/Os Quartus Device ALUTs (MHz) (Gbps) Arria 2110 36 M4Ks 275 102 1.18 8.0 EP1AGX50-6 Cyclone 2365 36 M4Ks 275 90 1.11 8.0 EP1C20-6 Cyclone-II 2296 36 M4Ks 275 112 1.30 8.0 EP2C20-6 Cyclone-III 2288 20 M9Ks 275 140 1.63 8.0 EP3C40-6 Stratix 2365 36 M4Ks 275 102 1.19 8.0 EP1S10-5 Stratix-II 2186 36 M4Ks 275 162 1.88 8.0 EP2S30-3 Stratix-III 2133 22 M9Ks 275 186 2.16 8.0 EP3S50-2

Deliverables
The core is available in ASIC (synthesizable HDL) and FPGA (netlist) forms, and includes everything required for successful implementation. The Altera version includes: Post-synthesis EDIF netlist Sophisticated self-checking Testbench (Verilog versions use Verilog 2001) Software (C++) Bit-Accurate Model and test vector generator Simulation scripts NIST KAT test vectors, SP800-38A test vectors, additional vectors for block cipher modes Place and route scripts

Related Cores
The CAST AES-C core executes just a single AES mode (selected prior to synthesis) for an encryption and decryption implementation that is typically smaller and faster.

CAST, Inc. 11 Stonewall Court Woodcliff Lake, NJ 07677 USA tel 201-391-8300 fax 201-391-8694 Copyright CAST, Inc. 2010, All Rights Reserved. Contents subject to change without notice. Trademarks are the property of their respective owners.

The AES-P megafunction is sourced from Technology Partner Alma Technologies.