Symmetric Cryptographic Intel FPGA Hard IP User Guide

Download PDF
ID 714305
Date 10/31/2022
Public

A newer version of this document is available. Customers should click here to go to the newest version.

Document Table of Contents
Document Table of Contents x
1. Introduction 2. Interface Overview 3. Parameters 4. Designing with the IP Core 5. Block Description 6. Cryptographic IP Data Profiles 7. Configuration Registers 8. Design Example 9. Symmetric Cryptographic Intel FPGA Hard IP User Guide Archives 10. Document Revision History for the Symmetric Cryptographic Intel FPGA Hard IP User Guide
1. Introduction x
1.1. Terminology 1.2. IP Core Overview 1.3. Release Information 1.4. Device Family Support 1.5. Resource Utilization
1.2. IP Core Overview x
1.2.1. IP Core Applications
2. Interface Overview x
2.1. Clock Signals 2.2. Reset Signals 2.3. AXI-ST Interface 2.4. AXI-Lite Interface
4. Designing with the IP Core x
4.1. Installing and Licensing Intel® FPGA IP Cores 4.2. Specifying the IP Core Parameters and Options 4.3. Generated File Structure 4.4. Symmetric Cryptographic IP Core Flow 4.5. Dynamically Disabling SM4 Capability 4.6. Error Handling 4.7. Error Reporting 4.8. Resetting the IP Core 4.9. Channel Definition and Allocation 4.10. Byte Ordering 4.11. AXI-ST Single Packet Mode 4.12. AXI-ST Multiple Packet Mode
4.1. Installing and Licensing Intel® FPGA IP Cores x
4.1.1. Intel® FPGA IP Evaluation Mode
4.6. Error Handling x
4.6.1. Detected Error Handling 4.6.2. Key RAM ECC Error Handling
5. Block Description x
5.1. Reset Sequencer 5.2. AXI-ST Ready Latency 5.3. AXI Adapter 5.4. Integrity Check Value Comparison
5.3. AXI Adapter x
5.3.1. MAC Packing 5.3.2. Data Last Indicator 5.3.3. Stream and Channel ID Buffering 5.3.4. TKEEP and LAST_SEGMENT Signals Generation 5.3.5. MAC Dropping on Decryption
6. Cryptographic IP Data Profiles x
6.1. MAC Security Profile (MACsec) 6.2. IP Security Profile (IPsec) 6.3. Generic GCM Profile (GCM) 6.4. Generic XTS Profile (XTS)
6.1. MAC Security Profile (MACsec) x
6.1.1. MACsec Flow 6.1.2. AXI-ST Interface Using MAC Security (MACsec) Profile Pattern
6.2. IP Security Profile (IPsec) x
6.2.1. AXI-ST Interface Using IP Security (IPsec) Profile Pattern
6.3. Generic GCM Profile (GCM) x
6.3.1. AXI- ST Interface Using Generic GCM Profile Pattern
6.4. Generic XTS Profile (XTS) x
6.4.1. AXI-ST Interface Using Generic XTS Profile Pattern
7. Configuration Registers x
7.1. Cryptographic Primary Control Register 7.2. Cryptographic Secondary Control Register 7.3. Cryptographic Primary Status Register 7.4. Cryptographic Error Status Register 7.5. Cryptographic Error Control Register 7.6. Cryptographic Packet Error Control 1 Register 7.7. Cryptographic Packet Error Control 2 Register 7.8. Cryptographic Error Code Control 1 Register 7.9. Cryptographic Error Code Control 2 Register 7.10. Cryptographic Error Code Internal Control Register 7.11. Cryptographic Internal Error Control Register 7.12. Cryptographic First Error Log Register 7.13. Cryptographic Packet Error Log 1 Register 7.14. Cryptographic Packet Error Log 2 Register 7.15. Cryptographic Internal Error Log Register 7.16. Cryptographic Wall Clock LSB Register 7.17. Cryptographic Wall Clock MSB Register 7.18. Ternary Control Register
8. Design Example x
8.1. Functional Description 8.2. Crypto VSIP Top Block Descriptions 8.3. Test Configurations 8.4. Software Requirements 8.5. Simulation Requirements 8.6. Steps to Generate the Design Example 8.7. Running Simulation Tests 8.8. Running Hardware Tests
8.2. Crypto VSIP Top Block Descriptions x
8.2.1. Clock and Reset 8.2.2. Host Interface
8.7. Running Simulation Tests x
8.7.1. Steps to Simulate the Design Example
8.8. Running Hardware Tests x
8.8.1. Supported Boards 8.8.2. Steps to Compile the Design Example for Hardware 8.8.3. Steps to Run the Design Example on Hardware
1. Introduction
2. Interface Overview
3. Parameters
4. Designing with the IP Core
5. Block Description
6. Cryptographic IP Data Profiles
7. Configuration Registers
8. Design Example
9. Symmetric Cryptographic Intel FPGA Hard IP User Guide Archives
10. Document Revision History for the Symmetric Cryptographic Intel FPGA Hard IP User Guide

1.2. IP Core Overview

The Symmetric Cryptographic Intel FPGA IP consists of the Advanced Encryption Standard (AES) and SM4 Inline Cryptographic Accelerator (ICA) subsystems. Each device supports two identical IP subsystems, located at the north and the south of the device periphery. You can also instantiate the IP as a standalone cryptographic accelerator engine.
Table 2.  Symmetric Cryptographic Intel FPGA IP Features
Features Description
AES-GCM Mode
  • 128-bit and 256-bit key size
  • Encryption and decryption data paths
  • 128-bit authentication tag (MAC) using GMAC
  • Supports up to 1,024 multiple channels with zero latency switching between the states
  • Supports Auto Increment Logic for the AES counter based on the initial value
  • Meets NIST 800-38D standard
AES-XTS Mode
  • 256-bit and 512-bit key size. Includes the keys for the Tweak and the Data.
  • Encryption and decryption data paths
  • Generates hardware-based tweak encryption for the first and subsequent tweak keys based on the block or sequence inputs embedded in the initialization vector (IV).
  • Supports Ciphertext stealing for unaligned last data block sizes
  • Meets NIST 800-38E standard
SM4 Algorithm
  • 128-bit key size
  • Encryption and decryption data paths
  • Supports GCM and XTS modes
  • Meets OSCCA GB/T 32907-2016 standard
Interfaces
  • AXI Streaming (AXI-ST) interface protocol compliance on data streaming interface.
  • AXI4-Lite (AXI-Lite) interface protocol compliance on configuration interface.
  • Data streaming interface implements a single 512-bit interface full-duplex.
Performance
  • Cumulative throughput of 200 Gbps for AES encryption, decryption, or mixed encryption and decryption in GCM and XTS modes
  • Cumulative throughput of 200 Gbps for SM4 encryption and decryption in GCM and XTS modes
Other features
  • Supports AES cryptographic operations required for higher layer security applications such as TLS, MACSec, and IPsec.
  • Compatible with DTLS, TLS1.3, QUIC, secure computing and storage device encryption
  • Supports export compliance within the IP with fuses to disable the cryptographic modes or the entire IP
  • Error logging debug capabilities in registers

Section Content
IP Core Applications

Related Information
Level Two Title