NIST SHA-3 ASIC Datasheet

Transcription

1 NIST SHA-3 ASIC Datasheet -- NIST SHA-3 Competition Five Finalists on a Chip (Version 1.1) Technology: IBM MOSIS 0.13µm CMR8SF-RVT Standard-Cell Library: ARM s Artisan SAGE-X V2.0 Area: 5mm 2 (Core: 1.656mm x 1.656mm) Package: 160-pin 28mmx28mm QFP Open Cavity Voltage: 3.3V I/O and 1.2V Core Hash Modules: BLAKE-256, GrØ stl-256, JH-256, Keccak-256, Skein-256, and SHA256 (reference) Compatible Test Platform: SASEBO-R Board Project Sponsor: National Institute of Standards and Technology (NIST) Contact: sha3vt@gmail.com 1 / 18 Datasheet (V1.1) Nov. 29, 2011

2 I Overview This chip was developed as part of the NIST sponsored project, Environment for Fair and Comprehensive Performance Evaluation of Cryptographic Hardware and Software. The SHA-3 ASIC is manufactured using IBM MOSIS 0.13µm CMR8SF-RVT process with ARM s Artisan SAGE-X V2.0 standard-cell library. It contains all the SHA-3 five finalists, BLAKE-256, GrØ stl-256, JH-256, Keccak-256, Skein-256 using the latest Round 3 tweaks (updated in January 2011) and a reference SHA256. The SHA-3 ASIC is packaged with 160-pin QFP and designed to be compatible with the SASEBO-R platform. SHA-3 ASIC@VT Fig. 1 The SHA-3 ASIC mounted on the 160-pin QFP Socket on SASEBO-R platform 2 / 18 Datasheet (V1.1) Nov. 29, 2011

3 II I/O Assignments Type System (3) Bus Control (9) Bus Data (32) Test Pins (6) Signal Name # of Pins Table 1 List of I/O signals Active H/L Direction Descriptions fclk 1 -- IN Clock input for intra-chip core module. Must be at least 2 times higher than chip interface sclk frequency. sclk 1 -- IN Clock input for chip interface logic. rst_n 1 Low IN init 1 -- IN Rest signal generated by on-board reset circuit. Asynchronous reset input. Initialize the internal states and parameters for hash operations. load 1 -- IN Load input data enable signal. fetch 1 -- IN Fetch output data enable signal. algsel 4 -- IN Select the sub-design under test. mode 1 -- IN Select the mode of testing. ack 1 -- OUT Load and fetch acknowledge signal. idata IN Input data. odata OUT Output data. blake_busy 1 HIGH OUT Indicate the Blake core hashing period. groestl_busy 1 HIGH OUT Indicate the Groestl core hashing period. jh_busy 1 HIGH OUT Indicate the JH core hashing period. keccak_busy 1 HIGH OUT Indicate the Keccak core hashing period. skein_busy 1 HIGH OUT Indicate the Skein core hashing period. sha256_busy 1 HIGH OUT Indicate the SHA256 core hashing period. osc_sel 2 -- IN Select which ring oscillator to use divider_sel 4 -- IN Select divisor of the clk generator Clock Bias the current mirror that controls Pins pbias 1 Analog IN the rate of oscillation of the clock (8) generator (range from 0.0V to 0.8V) Gives a representation of the clock that clk_out 1 -- OUT is used in the circuit Total 58 3 / 18 Datasheet (V1.1) Nov. 29, 2011

4 Center for Embedded Systems for Critical Applications NC NC SHA-3 ASIC@VT Fig. 2 The SHA-3 ASIC chip bonding diagram for 160-pin QFP package. (Note: The top left is pin number #1 with two extra unconnected (NC) pins and pins are counted counter-clockwise) Table 2 I/O Pin Assignment of the 160-Pin QFP package Package Pin Die Pad I/O Signal Name No. No. Direction Function 1 1 PVSS1DGZ core GND 2 NC 3 NC 4 2 SWIN[3] IN 5 3 SWIN[2] IN 6 4 SWIN[1] IN Divider select 7 5 SWIN[0] IN 8 NC 9 6 PHIN[1] IN Oscillator select 4 / 18 Datasheet (V1.1) Nov. 29, 2011

5 10 7 PHIN[0] IN 11 NC 12 NC 13 NC 14 NC 15 NC 16 NC 17 NC 18 NC 19 NC 20 8 PVDD1DGZ core 1.2V 21 9 PVSS1DGZ core GND 22 NC 23 NC 24 NC 25 NC keccak_busy OUT Keccak core hash busy skein_busy OUT Skein core hash busy. 28 NC init IN Initialize hash module load IN Input data load signal fetch IN Output data fetch signal mode IN Select the hash mode. 33 NC ack OUT Load and fetch acknowledge signal blake_busy OUT Blake core hashing busy groestl_busy OUT Groestl core hashing busy jh_busy OUT JH core hashing busy PVSS1DGZ core GND PVSS1DGZ core GND 41 NC 42 NC 43 NC 44 NC sha256_busy OUT SHA256 core hash busy. 46 NC 47 NC PVDD1DGZ core 1.2V Clk_Switch IN algsel[2] IN algsel[1] IN Select the design under test algsel[0] IN 53 NC 5 / 18 Datasheet (V1.1) Nov. 29, 2011

6 54 NC PVSS2DGZ I/O GND sclk IN Slow interface clock PVSS2DGZ I/O GND fclk IN Fast clock for chip core PVSS2DGZ I/O GND PVDD1DGZ core 1.2V 61 NC 62 NC rst_n IN Reset chip. 64 NC 65 NC 66 NC 67 NC 68 NC odata[15] OUT odata[14] OUT odata[13] OUT Output data odata[12] OUT 73 NC 74 NC odata[11] OUT odata[10] OUT odata[9] OUT Output data odata[8] OUT 79 NC 80 NC 81 NC 82 NC 83 NC odata[7] OUT odata[6] OUT odata[5] OUT Output data odata[4] OUT PVDD2DGZ I/O 3.3V odata[3] OUT odata[2] OUT odata[1] OUT Output data odata[0] OUT 93 NC 94 NC 95 NC 96 NC 97 NC 98 NC 6 / 18 Datasheet (V1.1) Nov. 29, 2011

7 99 52 PVDD2DGZ I/O 3.3V PVDD1DGZ core 1.2V PVSS1DGZ core GND 102 NC 103 NC 104 NC 105 NC 106 NC 107 NC 108 NC idata[0] IN idata[1] IN idata[2] IN Input data idata[3] IN 113 NC idata[4] IN idata[5] IN idata[6] IN Input data idata[7] IN 118 NC 119 NC PVSS1DGZ core GND PVDD1DGZ core 1.2V PVDD2DGZ I/O 3.3V idata[8] IN idata[9] IN idata[10] IN Input data idata[11] IN 127 NC PVDD1DGZ core 1.2V idata[12] IN idata[13] IN idata[14] IN Input data idata[15] IN PVDD2DGZ I/O 3.3V PVSS1DGZ core GND 135 NC 136 NC 137 NC 138 NC 139 NC PVDD1DGZ core 1.2V PVSS1DGZ core GND PVSS2DGZ I/O GND 143 NC 7 / 18 Datasheet (V1.1) Nov. 29, 2011

8 144 NC 145 NC 146 NC 147 NC PVSS1DGZ core GND 149 NC Clk_out OUT Monitor the clock Pbias IN Rate of oscillation control 152 NC 153 NC PVDD1DGZ core 1.2V 155 NC 156 NC 157 NC 158 NC 159 NC PVDD1DGZ core 1.2V 8 / 18 Datasheet (V1.1) Nov. 29, 2011

9 III Design Notes sclk RST sinit sload sfetch smode Gated Inputs sclk_0 RST sload_0 sack_0 slow fast sinit_0 to JH to sfetch_0 fast ~250MHz slow sdout_0 sdin_0 16 sync sync 16 smode_0 fclk_0 SHA-3 ASIC Gated Outputs 3 AlgSel sack sdout 16 sdin AlgSel 16 3 Clk_Switch EXT_fClk CLK_DIV_Sel 4 VCO_CLK_Sel 2 CLK_OUT Clock Management CLK Gating fclk_0 fclk_5 CLK Divider VCO Ring-Oscillators JH ~250MHz Grostl ~200MHz BLAKE ~125MHz Keccak ~250MHz SHA256 ~200MHz Skein ~125MHz Fig. 3 The block diagram of SHA-3 ASIC A. Clock Management For signal integrity issues associated with the on-board wire transfers, the ASIC interface clock used to synchronize all the data and control signals from/to the control FPGA should only run at relatively low frequency. The SHA-3 ASIC chip can operate at 250 MHz for some candidates, so additional stable fast clock is required, which will be gated and shared by all the hash modules. Clock Generation. For high frequency testing purpose, an on-chip clock generation module is integrated. We used the custom-cell design approach to integrate a ring oscillator (RO) based voltage-controlled oscillator (VCO) into the chip. The VCO takes four input ports PBIAS, VCO-EN- 7, 9, 11, and three output frequencies, VCO-RO-7, 9, 11. The PBIAS voltage can be varied to produce a range of clock frequencies. The voltage can be varied from 0V to 0.8V. The EN is used to turn on/off the clock outputs of VCO. VCO-RO-7, 9, 11 are the three frequencies produced by the block for any particular PBIAS voltage. FREQ-7 is the clock from a 7-stage RO. The clock generation module also includes standard cell based ring-oscillators, and together with the VCO clocks and a standard cell based clock divider they can support a wide range of clock frequencies to fill our need for performance testing. Fig. 5 shows averaged measurements of on-chip clock speed for a batch of 10 fabricated chips. 9 / 18 Datasheet (V1.1) Nov. 29, 2011

10 VDD PBIAS VDD PBIAS NBIAS IN OUT NBIAS Current Mirror (CM) Current Starved Inverter (CSI) PBIAS CM NBIAS CSI CSI CSI CSI CSI CSI VCO-RO-7 VCO-EN-7 Fig. 4 The diagram of a 7-stage VCO-RO clock design Fig. 5 The range of on-chip generated clock frequencies Clock Configurations. The on-chip generated clocks are also MUXed with the external fast clock input and can be configured through dedicated ports. The external fast clock can be fed through a SMA connector from a signal generator or it can be provided through the control FPGA. Clock gating is implemented to guarantee that only one hash module is enabled at a time. B. Chip Interface Standard Hash Interface. As shown in Fig. 3, the chip interface adopted the standard hash interface proposal by Chen et al. [1] and extended it to add mode selection and dual-clock support [5,6]. 10 / 18 Datasheet (V1.1) Nov. 29, 2011

11 Clock Domain Crossing (CDC) Synchronizer. There are two clock domains in the chip: the slow one is for the interfacing logic and the fast one is for hash modules. The clock synchronizer design requires that the internal hash clock be at least two times faster than the interface clock. The area numbers reported for each hash core include the overhead of the synchronizer module. C. SHA-3 Finalists Implementations Table 3 summarizes the major implementation aspects of each SHA-3 finalist. The design decisions are made to achieve the primary optimization for Throughput-to-Area ratio. For details on the SHA-3 candidates please refer to the related specification documents on NIST SHA-3 web sites. For hardware architectures, we have looked into several public available reference implementations [2] [4] and optimized them for our system architecture. Implementation details for each hash module can be consulted in [5]. Table 3 The summary of design specifications of SHA-3 finalists Algorithm BLAKE-256 Grøstl-256 JH-256 Keccak-256 Skein Implementation Descriptions 4 parallel G functions; 1-stage pipeline in permutation Parallel P and Q with 128 GF-based AES SBoxes SBoxes S0 and S1 are implemented in LUT One clock cycle per round Unrolled 4 Threefish rounds D. SHA-3 Configurations (1) Select Design Under Test (DUT): AlgSel[2:0] ASIC Pins Functions Notes 000 [50,51,52] Enable BLAKE [50,51,52] Enable GrØ stl-256 Only one hash module is enabled each 010 [50,51,52] Enable JH-256 time. When one hash module is enabled, 011 [50,51,52] Enable Keccak-256 the inputs/outputs and clock will be 100 [50,51,52] Enable Skein-256 gated for all the rest candidates. 101 [50,51,52] Enable SHA256 (2) Select clock sources: Clk_Switch ASIC Pins Functions Notes 0 49 External clock This can be clock from FPGA-DCM or external clock from SMA (J6) socket Internal clock This can be clock from internal standardcell RO based clock or VCO based clock. 11 / 18 Datasheet (V1.1) Nov. 29, 2011

12 (3) Select the SHA-3 ASIC internal clock resources: VCO_CLK_Sel [1:0] ASIC Pins Functions Notes 00,01,10 [6,7] Select VCO clock 11 [6,7] Select standardcell RO clock Select from 3 custom-cell ROs with different stages (7, 9, and 11). Select from 3 standard-cell ROs with different stages (25, 33, and 43). (4) Select the clock division ratios: Custom-cell VCO Clock DIV Select ASIC Pins Notes 0000~1111 [4,5,6,7] C0 VCO CLK: (CLK_SEL=00) C1 VCO CLK: (CLK_SEL=01) C2 VCO CLK: (CLK_SEL=10) Divisions: 1,2,3,4,6,8,12,16,24,32,48,64,96,128,192,384 Standard-cell RO Clock DIV Select ASIC Pins Notes [4,5,6,7] [4,5,6,7] [4,5,6,7] S0 SC-RO CLK Divisions: 1,2,4,8,128 S1 SC-RO CLK Divisions: 1,2,4,8,128 S2 SC-RO CLK Divisions: 1,2,4,8,16, / 18 Datasheet (V1.1) Nov. 29, 2011

13 E. Shmoo Plot of SHA-3 ASIC BLAKE-256 Grostl-256 JH Frequency [MHz] (10MHz/Div.) Core Supply Voltage [V] (0.2V/Div., Standard: 1.2 V) Passed Failed Target Freq. 13 / 18 Datasheet (V1.1) Nov. 29, 2011

14 Keccak-256 Skein-256 SHA Frequency [MHz] (10MHz/Div.) Core Supply Voltage [V] (0.2V/Div., Standard: 1.2 V) Passed Failed Target Freq. F. SHA-3 Finalists Testing Results Table 4 ASIC characterization of the SHA-3 ASIC chip Block Core Lat. Area a Max Freq. Tp [bits] [cycles] [KGEs] [MHz] [Gbps] BLAKE Grøstl JH Keccak Skein SHA / 18 Datasheet (V1.1) Nov. 29, 2011

15 Tp/Area Power b Energy b Power c Energy c [kbps/ge] [mw] [mj/gbits] [mw] [mj/gbits] BLAKE Grøstl JH Keccak Skein SHA a: the Gate Equivalent count is calculated by dividing the post-layout die area by the area of a NAND2XLTF (5.76 µm2). b: numbers are based on chip measurements of SHA-3 ASIC with slow chip interface clock at 1.5MHz and fast hash core clock at 50MHz. c: numbers are based on post-layout simulation of SHA-3 ASIC with slow chip interface clock at 1.5MHz and fast hash core clock at 50MHz. Note: 1: All five SHA-3 candidates are implemented with NIST SHA-3 Round 3 Specifications by January, : Each design s static power is estimated by multiplying the whole chip static power, 1.92mW, with the area ratio of each design. 15 / 18 Datasheet (V1.1) Nov. 29, 2011

16 IV Further Information Further inquiries can be send to Dr. Patrick Schaumont or Dr. Leyla Nazhandali Center for Embedded Systems for Critical Applications (CESCA) Bradley Department of Electrical and Computer Engineering, Virginia Tech Blacksburg, VA 24060, USA Related publications can be consulted online at This chip should be referred to in publications as X. Guo, M. Srivistav, S. Huang, D. Ganta, M. B. Henry, L. Nazhandali, and P. Schaumont, "ASIC Implementations of Five SHA-3 Finalists," Design, Automation and Test in Europe (DATE2012), March X. Guo, M. Srivistav, S. Huang, D. Ganta, M. B. Henry, L. Nazhandali, and P. Schaumont, "Pre-silicon Characterization of NIST SHA-3 Final Round Candidates," 14th Euromicro Conference on Digital System Design Architectures, Methods and Tools (DSD 2011), August / 18 Datasheet (V1.1) Nov. 29, 2011

17 V References [1] Z. Chen, S. Morozov, and P. Schaumont, A Hardware Interface for Hashing Algorithms, Cryptology eprint Archive, Report 2008/529, 2008, [2] AIST-RCIS, SHA-3 hardware project, May 2011, [3] X. Guo, Meeta Srivastava, Sinan Huang, Dinesh Ganta, Michael B. Henry, Leyla Nazhandali, and Patrick Schaumont, Performance Evaluation of Cryptographic Hardware and Software Performance Evaluation of SHA-3 Candidates in ASIC and FPGA, May 2011, [4] G. Bertoni, J. Daemen, M. Peeters, and G. V. Assche, The Keccak sponge function family Updated VHDL package, May 2011, html [5] X. Guo, M. Srivastav, S. Huang, D. Ganta, M. B. Henry, L. Nazhandali, and P. Schaumont, Silicon Implementation of SHA-3 Finalists: BLAKE, Grøstl, JH, Keccak and Skein, in ECRYPT II Hash Workshop 2011, May [6] X. Guo, M. Srivistav, S. Huang, Dinesh Ganta, M. B. Henry, L. Nazhandali, and P. Schaumont, "Pre-silicon Characterization of NIST SHA-3 Final Round Candidates", 14th Euromicro Conference on Digital System Design Architectures, Methods and Tools (DSD 2011), August [7] X. Guo, M. Srivistav, S. Huang, Dinesh Ganta, M. B. Henry, L. Nazhandali, and P. Schaumont, "ASIC Implementations of Five SHA-3 Finalists," Design, Automation and Test in Europe (DATE2012), March / 18 Datasheet (V1.1) Nov. 29, 2011

18 Revision History The following table shows the revision history for this document. Date Author Version Revision 08/14/2011 Xu Guo 1.0 Initial release. 11/29/2011 Xu Guo 1.1 Update with new related publications. 18 / 18 Datasheet (V1.1) Nov. 29, 2011