Symmetric Cryptographic Intel FPGA Hard IP User Guide

ID 714305
Date 10/02/2023
Public
Document Table of Contents

1.2. IP Core Overview

The Symmetric Cryptographic Intel FPGA IP consists of the Advanced Encryption Standard (AES) and SM4 Inline Cryptographic Accelerator (ICA) subsystems. Each device supports two identical IP subsystems, located at the north and the south of the device periphery. You can also instantiate the IP as a standalone cryptographic accelerator engine.
Table 2.  Symmetric Cryptographic Intel FPGA IP Features
Features Description
AES-GCM Mode
  • 128-bit and 256-bit key size
  • Encryption and decryption data paths
  • 128-bit authentication tag (MAC) using GMAC
  • Supports up to 1,024 multiple channels with zero latency switching between the states
  • Supports Auto Increment Logic for the AES counter based on the initial value
  • Meets NIST 800-38D standard
AES-XTS Mode
  • 256-bit and 512-bit key size. Includes the keys for the Tweak and the Data.
  • Encryption and decryption data paths
  • Generates hardware-based tweak encryption for the first and subsequent tweak keys based on the block or sequence inputs embedded in the initialization vector (IV).
  • Supports Ciphertext stealing for unaligned last data block sizes
  • Meets NIST 800-38E standard
SM4 Algorithm
  • 128-bit key size
  • Encryption and decryption data paths
  • Supports GCM and XTS modes
  • Meets OSCCA GB/T 32907-2016 standard
Interfaces
  • AXI Streaming (AXI-ST) interface protocol compliance on data streaming interface.
  • AXI4-Lite (AXI-Lite) interface protocol compliance on configuration interface.
  • Data streaming interface implements a single 512-bit interface full-duplex.
Performance
  • Cumulative throughput of 200 Gbps for AES encryption, decryption, or mixed encryption and decryption in GCM and XTS modes
  • Cumulative throughput of 200 Gbps for SM4 encryption and decryption in GCM and XTS modes
Certifications NIST CAVP:
  • AES-ECB
  • AES-GCM
  • AES-XTS
Other features
  • Supports AES cryptographic operations required for higher layer security applications such as TLS, MACSec, and IPsec.
  • Compatible with DTLS, TLS1.3, QUIC, secure computing and storage device encryption
  • Supports export compliance within the IP with fuses to disable the cryptographic modes or the entire IP
  • Error logging debug capabilities in registers