Lecture 2B. RTL Design Methodology. Transition from Pseudocode & Interface to a Corresponding Block Diagram

Transcription

1 Lecture 2B RTL Design Methodology Transition from Pseudocode & Interface to a Corresponding Block Diagram

2 Structure of a Typical Digital Data Inputs Datapath (Execution Unit) Data Outputs System Control Signals Status Signals Control & Status Inputs Controller (Control Unit) Control & Status Outputs

3 Hardware Design with RTL VHDL Pseudocode Interface Datapath Controller Block diagram ASM chart VHDL code VHDL code

4 Steps of the Design Process Introduced in Class Today 1. Text description 2. Interface 3. Pseudocode 4. Block diagram of the Datapath 5. Interface divided into Datapath and Controller 6. ASM chart of the Controller 7. RTL VHDL code of the Datapath, Controller, and Toplevel Unit 8. Testbench for the Datapath, Controller, and Top-Level Unit 9. Functional simulation and debugging 10. Synthesis and post-synthesis simulation 11. Implementation and timing simulation 12. Experimental testing using FPGA board 4

5 Class Exercise 2 CIPHER

6 Pseudocode Split input I into four words, I3, I2, I1, I0, of the size of w bits each A = I3; B = I2; C = I1; D=I0 B = B + S[0] D = D + S[1] for i = 1 to r do { T = (B*(2B + 1)) <<< k U = (D*(2D + 1)) <<< k A = ((A T) <<< U) + S[2i] C = ((C U) <<< T) + S[2i + 1] (A, B, C, D) = (B, C, D, A) } A = A + S[2r + 2] C = C + S[2r + 3] O = (A, B, C, D)

7 Notation w: word size, e.g., w=8 (constant) k: log 2 (w) (constant) A, B, C, D, U, T: w-bit variables I3, I2, I1, I0: Four w-bit words of the input I r: number of rounds (constant) O: output of the size of 4w bits S[j] : 2r+4 round keys stored in two RAMs. Each key is a w-bit word. The first RAM stores values of S[j=2i], i.e., only round keys with even indices. The second memory stores values of S[j=2i+1], i.e., only round keys with odd indices.

8 Operations : XOR + : addition modulo 2 w : subtraction modulo 2 w * : multiplication modulo 2 w X <<< Y : rotation of X to the left by the number of positions given in Y X >>> Y : rotation of X to the right by the number of positions given in Y (A, B, C, D) : Concatenation of A, B, C, and D.

9 Circuit Interface clk reset I write_i 4w CIPHER 4w O DONE Sj w Write_Sj j m

10 Interface Table Note: m is a size of index j. It is a minimum integer, such that 2 m -1 2r+3.

11 Protocol (1) An external circuit first loads all round keys S[0], S[1], S[2],, S[2r+2], [2r+3] to the two internal memories of the CIPHER unit. The first memory stores values of S[j=2i], i.e., only round keys with even indices. The second memory stores values of S[j=2i+1], i.e. only round keys with odd indices. Loading round keys is performed using inputs: Sj, j, write_sj, clk. Then, the external circuits, loads an input block I to the CIPHER unit, using inputs: I, write_i, clk. After the input block I is loaded to the CIPHER unit, the encryption starts automatically.

12 Protocol (2) When the encryption is completed, signal DONE becomes active, and the output O changes to the new value of the ciphertext. The output O keeps the last value of the ciphertext at the output, until the next encryption is completed. Before the first encryption is completed, this output should be equal to zero.

13 Assumptions 2r+4 clock cycles are used to load round keys to internal RAMs one round of the main for loop of the pseudocode executes in one clock cycle you can access only one position of each internal memory of round keys per clock cycle As a result, the encryption of a single input block I should last r+2 clock cycles.

14 Typical Internal Structure of a Secret-Key Block Cipher Round Key[0] Initial Transformation i:=1 Round Key[i] Cipher Round i<#rounds? i:=i+1 #rounds times Round Key[#rounds+1] Final Transformation

15 Basic iterative architecture (no Initial Transformation, no Final Transformation) input multiplexer register round key combinational logic one round output

16 Basic architecture: Timing CLK IN OUT P1 P2 C1 #rounds clock_period P3 C2

17 Primary parameters of hardware implementations of secret-key block ciphers Latency Throughput M i+2 M i Encryption/ decryption C i Time to encrypt/decrypt a single block of data M i+1 M i Encryption/ decryption C i+2 C i+1 C i Number of bits encrypted/decrypted in a unit of time

18 Advanced Encryption Standard AES

19 AES Encryption

20 AES Decryption

21 Basic Iterative Architecture of AES (Encryption and Decryption) round key Data input Encryption circuit Decryption circuit R1 SubBytes" &" InvSubBytes ShiftRows MixColumns round key round key InvShiftRows round key InvMixColumns Data output

22 Data input Initial Transformation round key round key Encryption input Encryption round Decryption input Decryption round round key Encryption feedback output Encryption final output Decryption final output Decryption feedback output Data output

23 Top Level Block Diagram control input key Control unit input interface encryption/decryption output interface key scheduling memory of round keys output

24 Modes of Operation

25 Block vs. stream ciphers M 1, M 2,, M n m 1, m 2,, m n K Block cipher K Internal state - IS Stream cipher C 1, C 2,, C n c 1, c 2,, c n C i =f K (M i ) c i = f K (m i, IS i ) IS i+1 =g K (m i, IS i ) Every block of ciphertext is a function of only one corresponding block of plaintext Every block of ciphertext is a function of the current block of plaintext and the current internal state of the cipher

26 Typical stream cipher Sender key initialization vector (seed) Receiver key initialization vector (seed) Pseudorandom Key Generator Pseudorandom Key Generator k i keystream k i keystream m i plaintext c i ciphertext c i ciphertext m i plaintext

27 Standard modes of operation of block ciphers Block cipher Block cipher turned into a stream ciphers ECB mode Counter mode CFB mode CBC mode

28 ECB (Electronic CodeBook) mode

29 Electronic CodeBook Mode ECB Encryption M 1 M 2 M 3 M N-1 M N K K K K K E E E E E... C 1 C 2 C 3 C N-1 C N C i = E K (M i ) for i=1..n

30 Electronic CodeBook Mode ECB Decryption C 1 C 2 C 3 C N-1 C N K K K K K D D D D D... M 1 M 2 M 3 M N-1 M N C i = E K (M i ) for i=1..n

31 Counter Mode

32 E Counter Mode - CTR Encryption IV IV+1 IV+2 IV+N-2 IV+N-1... K K K K K E E E E... k 1 k 2 k 3 k N-1 k N m 1 m 2 m 3 m N-1 m N c 1 c 2 c 3 c N-1 c N c i = m i k i k i = E K (IV+i-1) for i=1..n

33 E Counter Mode - CTR Decryption IV IV+1 IV+2 IV+N-2 IV+N-1... K K K K K E E E E... k 1 k 2 k 3 k N-1 k N c 1 c 2 c 3 c N-1 c N m 1 m 2 m 3 m N-1 m N m i = c i k i k i = E K (IV+i-1) for i=1..n

34 IV Counter Mode CTR (simplified block diagram) IV counter counter IS i IS i IN IN K E K E OUT OUT c i c i IS 1 = IV m i m i c i = E K (IS i ) m i IS i+1 = IS i +1

35 Counter Mode Potential for Parallel Processing IV IV+1 IV+2 IV+N-1 IV+N... E E E E E... M 0 M 1 M 2 M N-1 M N C 1 C 2 C 3 C N-1 C N C i = M i AES(IV+i) for i=0..n

36 Increasing speed by parallel processing Encryption/ decryption unit Encryption/ decryption unit Encryption/ decryption unit Encryption/ decryption unit Encryption/ decryption unit Encryption/ decryption unit

37 Increasing speed using pipelining Cipher 1 Cipher 2 round 1 round 1 round 2 target clock period, e.g., 20 ns round 10 round 16 block size Throughput = target_clock_period

38 CFB (Cipher FeedBack) Mode

39 IV E Cipher Feedback Mode - CFB Encryption... E E E E... k 1 k 2 k 3 k N-1 k N m 1 m 2 m 3 m N-1 m N c 1 c 2 c 3 c N-1 c N c i = m i k i k i =E K (c i-1 ) for i=1..n, and c 0 = IV

40 IV E Cipher Feedback Mode - CFB Decryption... E E E E... k 1 k 2 k 3 k N-1 k N m 1 m 2 m 3 m N-1 m N c 1 c 2 c 3 c N-1 c N m i = c i k i k i =E K (c i-1 ) for i=1..n, and c 0 = IV

41 IV Cipher Feedback Mode CFB (simplified block diagram) IV register register IS i IS i IN IN K E IS 1 = IV K E OUT OUT c i = E K (IS i ) m i IS i+1 = c i c i c i m i m i

42 CBC (Cipher Block Chaining) Mode

43 Cipher Block Chaining Mode - CBC Encryption IV m 1 m 2 m 3... m N-1 m N E E E E E... c 1 c 2 c 3 c N-1 c N c i = E K (m i c i-1 ) for i=1..n c 0 =IV

44 Cipher Block Chaining Mode - CBC Decryption c 1 c 2 c 3 c N-1 c N IV D D D... D D... m 1 m 2 m 3 m N-1 m N m i = D K (c i ) c i-1 for i=1..n c 0 =IV