lecture 2b rtl design methodology transition from pseudocode & interface to a corresponding...
TRANSCRIPT
Lecture 2B
RTL Design Methodology
Transition from
Pseudocode & Interface
to a Corresponding Block Diagram
Structure of a Typical Digital System
Datapath(Execution
Unit)
Controller(Control
Unit)
Data Inputs
Data Outputs
Control & Status Inputs
Control & Status Outputs
Control Signals
StatusSignals
Hardware Design with RTL VHDL
Pseudocode
Datapath Controller
Block
diagram
ASM
chart
VHDL code VHDL code
Interface
1. Text description2. Interface3. Pseudocode4. Block diagram of the Datapath5. Interface divided into Datapath and Controller6. ASM chart of the Controller
7. RTL VHDL code of the Datapath, Controller, and Top-level Unit
8. Testbench for the Datapath, Controller, and Top-Level Unit
9. Functional simulation and debugging10. Synthesis and post-synthesis simulation11. Implementation and timing simulation12. Experimental testing using FPGA board
Steps of the Design ProcessIntroduced in Class Today
4
Class Exercise 2
CIPHER
PseudocodeSplit input I into four words, I3, I2, I1, I0, of the size of w bits each
A = I3; B = I2; C = I1; D=I0B = B + S[0]D = D + S[1] for i = 1 to r do { T = (B*(2B + 1)) <<< k U = (D*(2D + 1)) <<< k A = ((A T) <<< U) + S[2i]⊕ C = ((C U) <<< T) + S[2i + 1] ⊕ (A, B, C, D) = (B, C, D, A) }A = A + S[2r + 2]C = C + S[2r + 3]O = (A, B, C, D)
Notation
w: word size, e.g., w=8 (constant)
k: log2(w) (constant)
A, B, C, D, U, T: w-bit variables
I3, I2, I1, I0: Four w-bit words of the input I
r: number of rounds (constant)
O: output of the size of 4w bits
S[j] : 2r+4 round keys stored in two RAMs.
Each key is a w-bit word.
The first RAM stores values of S[j=2i], i.e., only round keys
with even indices. The second memory stores values of
S[j=2i+1], i.e., only round keys with odd indices.
Operations
⊕ : XOR
+ : addition modulo 2w
– : subtraction modulo 2w
* : multiplication modulo 2w
X <<< Y : rotation of X to the left by the number of positions
given in Y
X >>> Y : rotation of X to the right by the number of positions
given in Y
(A, B, C, D) : Concatenation of A, B, C, and D.
4w
clk
reset
I
write_I
Sj
DONE
O
CIPHER
4w
Write_Sj
w
j m
Circuit Interface
Interface Table
Note:m is a size of index j. It is a minimum integer, such that 2m -1 2r+3.
Protocol (1)An external circuit first loads all round keys S[0], S[1], S[2], …, S[2r+2], [2r+3]to the two internal memories of the CIPHER unit.
The first memory stores values of S[j=2i], i.e., only round keys with even indices. The second memory stores values of S[j=2i+1], i.e. only round keys with odd indices.
Loading round keys is performed using inputs: Sj, j, write_Sj, clk.
Then, the external circuits, loads an input block I to the CIPHER unit, using inputs: I, write_I, clk.
After the input block I is loaded to the CIPHER unit, the encryption starts automatically.
Protocol (2)
When the encryption is completed, signal DONE becomes active, and the output O changes to the new value of the ciphertext.
The output O keeps the last value of the ciphertext at the output, until the next encryption is completed. Before the first encryption is completed, this output should be equal to zero.
Assumptions
• 2r+4 clock cycles are used to load round keys to internal RAMs
• one round of the main for loop of the pseudocode executes in one clock cycle
• you can access only one position of each internal memory of round keys per clock cycle
As a result, the encryption of a single input block I
should last r+2 clock cycles.
Initial Transformation
Final Transformation
#rounds times
Round Key[i]
i:=i+1
Round Key[0]
i:=1
i<#rounds?
Cipher Round
Round Key[#rounds+1]
Typical Internal Structure of a Secret-Key Block Cipher
Basic iterative architecture(no Initial Transformation, no Final Transformation)
register
combinationallogic
one round
multiplexer
round key
input
output
IN
OUT
P1
C1
P2
C2
P3
Basic architecture: Timing
#rounds · clock_period
CLK
Primary parameters of hardware implementationsof secret-key block ciphers
Latency Throughput
Encryption/decryption
Time to encrypt/decrypt
a single block of data
Mi
Ci
Number of bits encrypted/decrypted
in a unit of time
Encryption/decryption
Mi
Mi+1
Mi+2
Ci
Ci+1
Ci+2
Advanced Encryption StandardAES
AES Encryption
AES Decryption
SubBytes&
InvSubBytes
ShiftRows
MixColumns
InvShiftRows
InvMixColumns
round key
round key
round key
round key
Data input
Data output
Encryption circuit Decryption circuit
R1
Basic Iterative Architecture of AES(Encryption and Decryption)
Encryption round Decryption round
Data input
Data output
round key
Encryption input
Decryption input
Encryptionfeedbackoutput
Encryptionfinaloutput
Decryptionfinaloutput
Decryptionfeedbackoutput
round key
round key
Initial Transformation
keyscheduling
encryption/decryption
memory of round keys
output
input
input interface
output interface
Control unit
control
Top Level Block Diagram
key
Modes of Operation
Block vs. stream ciphers
Stream cipher
Internal state - ISBlock cipher
KK
M1, M2, …, Mn m1, m2, …, mn
C1, C2, …, Cn c1, c2, …, cn
Ci=fK(Mi) ci = fK(mi, ISi) ISi+1=gK(mi, ISi)
Every block of ciphertext is a function of only one
corresponding block of plaintext
Every block of ciphertext is a function of the current block
of plaintext and the current internal state of the cipher
Typical stream cipher
Sender Receiver
PseudorandomKeyGenerator
mi
plaintext
ci
ciphertext
kikeystream
keyinitialization vector (seed)
PseudorandomKeyGenerator
mi
plaintext
ci
ciphertext
ki keystream
key initializationvector (seed)
Standard modes of operation of block ciphers
Block cipher Block cipherturned into
a stream ciphers
ECB mode Counter modeCFB modeCBC mode
ECB (Electronic CodeBook) mode
Electronic CodeBook Mode – ECBEncryption
M1 M2 M3
E
Ci = EK(Mi) for i=1..N
MN-1 MN
E E E E. . .
C1 C2 C3 CN-1 CN
K K K K K
Electronic CodeBook Mode – ECBDecryption
C1 C2 C3
D
Ci = EK(Mi) for i=1..N
CN-1 CN
D D D D. . .
M1 M2 M3 MN-1 MN
K K K K K
Counter Mode
Counter Mode - CTREncryption
m1m2 m3
E
ci = mi ki
ki = EK(IV+i-1) for i=1..N
mN-1 mN
. . .
E E E E. . .
c1 c2 c3 cN-1 cN
IV IV+1 IV+2 IV+N-2 IV+N-1
k1k2 k3
kN-1 kN
K K K K K
Counter Mode - CTRDecryption
c1c2 c3
E
mi = ci ki
ki = EK(IV+i-1) for i=1..N
cN-1 cN
. . .
E E E E. . .
m1 m2 m3 mN-1 mN
IV IV+1 IV+2 IV+N-2 IV+N-1
k1k2 k3
kN-1 kN
K K K K K
Counter Mode – CTR(simplified block diagram)
EK
IN
OUT
counter
IV
ci
mi
EK
IN
OUT
counter
IV
ci
mi
IS1 = IV
ci = EK(ISi) mi
ISi+1 = ISi+1
ISi ISi
Counter Mode – Potential for Parallel Processing
M0 M1 M2
E
Ci = Mi AES(IV+i) for i=0..N
MN-1 MN
. . .
E E E E. . .
C1 C2 C3 CN-1 CN
IV IV+1 IV+2 IV+N-1 IV+N
Increasing speed by parallel processing
Encryption/decryption
unit
Encryption/decryption
unit
Encryption/decryption
unit
Encryption/decryption
unit
Encryption/decryption
unit
Encryption/decryption
unit
Increasing speed using pipelining
Cipher 1 Cipher 2
round 1round 1
round 2
round 10
. . .
round 16
. . .
Throughput =target_clock_period
block size
targetclock period,e.g., 20 ns
CFB (Cipher FeedBack) Mode
Cipher Feedback Mode - CFBEncryption
m1 m2 m3
E
mN-1 mN
. . .
E E E E. . .
c1 c2 c3 cN-1 cN
IV
ci = mi ki
ki =EK(ci-1) for i=1..N, and c0 = IV
k1 k2 k3 kN-1kN
Cipher Feedback Mode - CFBDecryption
m1 m2 m3
E
mN-1 mN
. . .
E E E E. . .
c1 c2 c3 cN-1 cN
IV
mi = ci ki
ki =EK(ci-1) for i=1..N, and c0 = IV
k1 k2 k3 kN-1kN
Cipher Feedback Mode – CFB(simplified block diagram)
EK
IN
OUT
ci
mi
EK
IN
OUT
ci
mi
IV
IS1 = IV
ci = EK(ISi) mi
ISi+1 = ci
IV
ISi ISi
register register
CBC (Cipher Block Chaining) Mode
Cipher Block Chaining Mode - CBCEncryption
m1 m2 m3
E
IV
ci = EK(mi ci-1) for i=1..N c0=IV
mN-1 mN
. . .
E E E E. . .
c1 c2 c3cN-1
cN
Cipher Block Chaining Mode - CBCDecryption
mi = DK(ci) ci-1 for i=1..N c0=IV
m1 m2 m3 mN-1 mN
IV . . .
D D D D D. . .
c1 c2 c3cN-1
cN