# **AES-GCM** # AES-GCM Authenticated Encrypt/Decrypt Core The AES-GCM encryption IP core implements hardware Rijndael encoding and decoding in compliance with the NIST Advanced Encryption Standard. It processes 128-bit blocks, and is programmable for 128-, 192-, and 256-bit key lengths. Four architectural versions are available to suit system requirements. The **Standard** version (AES-GCM-S) is more compact, using a 32-bit datapath and requiring 44/52/60 clock cycles for each data block (128/192/256-bit cipher key, respectively). The **Fast** version (AES-GCM-F) achieves higher throughput using a 128-bit datapath and requiring 11/13/15 clock cycles for each data block depending on key size. For applications where throughput is critical there are two additional versions. The **High Throughput** AES-GCM-X can process 128 bits/cycle and the **Higher Throughput** AES-GCM-X2 can process 256 bits/cycle respectively independent of the key size. GCM stands for Galois Counter. GCM is a generic authenticate-and-encrypt block cipher mode. A Galois Field (GF) multiplier/accumulator is utilized to generate an authentication tag while CTR (Counter) mode is used to encrypt. # **Block Diagram** #### **FEATURES** - Encrypts and decrypts using the AES Rijndael Block Cipher Algorithm - NIST-Validated - Implemented according to the National Institute of Standards and Technology (NIST) Special Publication 800-38D - Processes 128-bit data in 32-bit blocks - Employs user-programmable key size of 128, 192, or 256 bits - Any size IV length - Easy integration & implementation - Works with a pre-expanded key or can integrate the optional key expansion function - Fully synchronous, uses only the rising clock-edge, singleclock domain, no false or multicycle timing paths, scanready, LINT-clean, reusable design - Simple input and output interface, optionally bridged to AMBA™ interfaces or integrated with a DMA engine. - Available in VHDL or Verilog source code format, or as a targeted FPGA # **Applications** The AES-GCM can be utilized for a variety of encryption applications including protected network routers, electronic financial transactions, secure wireless communications, secure video surveillance systems, and encrypted data storage. # Verification The core has been verified through extensive synthesis, place and route and simulation runs. It has also been embedded in several products, and is proven in FPGA technologies. #### Support The core as delivered is warranted against defects for ninety days from purchase. Thirty days of phone and email technical support are included, starting with the first interaction. Additional maintenance and support options are available. #### **Key Expander** The AES algorithm requires an expanded key for encryption or decryption. The KEXP AES key expander core is available as an AES-GCM core for all architectural versions but is not included. During encryption, the key expander can produce the expanded key on the fly while the AES core is consuming it. For decryption, though, the key must be pre-expanded and stored in an appropriate memory before being used by the AES core. This is because the core uses the expanded key backwards during decryption. In some cases a key expander is not required. This might be the case when the key does not need to be changed (and so it can be stored in its expanded form) or when the key does not change very often (and thus it can be expanded more slowly in software). # Implementation Results The AES-GCM can be mapped to any ASIC technology or FPGA device (provided sufficient silicon resources are available). The following are sample ASIC pre-layout results reported from synthesis with a silicon vendor design kit under typical conditions, with all core I/Os assumed to be routed on-chip and throughput for a 128-bit key size. # **AES-GCM Standard (-S)** | ASIC<br>Technology | Number of eq. gates | Memory<br>bits | Freq.<br>(MHz) | Throughput<br>(Gbps) | |--------------------|---------------------|----------------|----------------|----------------------| | TSMC 7nm | 11,421 | 0 | 1,000 | 2.91 | | TSMC 16nm | 11,550 | 0 | 800 | 2.33 | | TSMC 28nm HPC | 11,378 | 0 | 700 | 2.04 | #### AES-GCM Fast (-F) | ASIC<br>Technology | Number of eq. gates | Memory<br>bits | Freq.<br>(MHz) | Throughput<br>(Gbps) | |--------------------|---------------------|----------------|----------------|----------------------| | TSMC 7nm | 27,631 | 0 | 1,700 | 19.78 | | TSMC 16nm | 30,000 | 0 | 1,400 | 16.29 | | TSMC 28nm HPC | 33,679 | 0 | 1,200 | 13.96 | # **AES-GCM High Throughput (-X)** | ASIC<br>Technology | Number of eq. gates | Memory<br>bits | Freq.<br>(MHz) | Throughput<br>(Gbps) | |--------------------|---------------------|----------------|----------------|----------------------| | TSMC 7nm | 257,711 | 0 | 1,700 | 217.6 | | TSMC 16nm | 287,008 | 0 | 1,500 | 192.0 | | TSMC 28nm HPC | 330,414 | 0 | 1,300 | 166.4 | # **AES-GCM Higher Throughput (-X2)** | ASIC<br>Technology | Number of eq. gates | Memory<br>bits | Freq.<br>(MHz) | Throughput<br>(Gbps) | |--------------------|---------------------|----------------|----------------|----------------------| | TSMC 7nm | 496,217 | 0 | 1,700 | 435.2 | | TSMC 16nm | 517,915 | 0 | 1,300 | 332.8 | | TSMC 28nm HPC | 631,607 | 0 | 1,200 | 307.2 | The provided figures <u>do not</u> represent the higher speed or smaller area for the core. Please contact CAST to get characterization data for your target configuration and technology. #### **Related Products** AES in CBC, CFB, CTR, ECB, GCM, LRW, OFB and XTS modes are also available as stand-alone cores. AES-P: run-time programmable AES core supporting ECB, CBC, CFB, OFB and CTR modes. #### **Export Permits** This core implements encryption functions and as such it is subject to export control regulations. Export to your country may or may not require a special export license. Please contact CAST to determine what applies in your specific case. #### **Deliverables** The core is available in ASIC (RTL) or FPGA (netlist) formats, and includes everything required for successful implementation. The ASIC version includes - HDL RTL source - Sophisticated HDL Testbench (self-checking) - C Model & test vector generator - · Simulation script, vectors & expected results - · Synthesis script - User documentation