MANHASSET, N.Y. With subtle distinctions, intellectual-property (IP) core vendors are readying implementations of the Advanced Encryption Standard (AES) security algorithm.
The vendors, established and startup, are banking on applications from miniature wireless devices to massively parallel Web servers to support the rapid and pervasive deployment of encryption-enabled devices and systems.
Available in both ASIC and FPGA format, the plug-and-play cores are portrayed as the ultimate answer to user worries over privacy for everything from bank transactions to telephone calls. But they are only now finding a home as the IEEE 802.11i task group for wireless LANs prepares to become the first body to officially call for AES encryption as part of a standard.
The plethora of available AES solutions "is not particularly surprising," said Duncan Kitchin, product architect in the wireless LAN operation at Intel Corp. (Hillsboro, Ore.). "After all, the whole point of choosing AES was that it was pretty efficient in software, and easily implementable in hardware," he said. "It's perfectly possible; it's just a matter of doing it."
AES, which uses the Rijndael algorithm, was chosen by the National Institute of Standards and Technology (NIST) to replace the highly popular but less-efficient Data Encryption Standard (DES). It's the efficiency of AES and its stronger encryption overall that make it attractive across a wide swath of applications.
DES hangs in
But as Graeme Durant, founder and chief technology officer of Helion Technology Ltd. (Cambridge, England), said, "There's still a lot of interest in DES, as people are familiar with it." Also, he pointed out, AES isn't fully ratified by NIST, "but it's due any day now."
Durant said NIST's delay fuels the fears of conspiracy theorists going back to the original approval of DES, an IBM technology. After DES had been "agreed to by everyone," he said, NIST made subtle changes in the algorithm, prompting skeptics to charge that the government was creating "some back door." The same logic is now being applied by many, said Durant, to NIST's current delay. "Anyway, it'll take time before it's finally ratified, supposedly this summer," he said.
In addition, AES-enabled devices face export/import restrictions. "Export is no problem for friendly countries but there are strict guidelines for elsewhere," said Durant. The European Union, Australia, the United States and a handful of other countries count as friendly. "But there are some you cannot export to (China, for example), and it doesn't matter what level of AES: 128, 192, 256 bits," he said. But some exceptions, such as the software AES encryption allowed for Web browsers, are exported.
Regardless, AES development is rapidly taking place. "AES is suitable to both software and hardware implementations, and compared to triple DES [3-DES, a more advanced version], it's less expensive to implement as it's less complicated," said Ron Sailors, director of marketing at Amphion Semiconductor's San Jose, Calif., office. Amphion (Belfast, Northern Ireland), a developer of intellectual property, is sometimes compared with Dublin-based Parthus, its better-known counterpart, though Amphion has yet to create a specific platform.
Amphion got into AES IP after a sponsored student at Queen's University (Belfast), Maire McCloone, did a very-high-speed implementation of AES on a Xilinx FPGA. "It was the fastest in published literature," said Sailors. "With this in hand and given the context of convergence in both the wireless and wired worlds, we decided to productize McCloone's invention to answer the security requirement for these applications."
Sailors said AES will soon be a standard feature across "a huge array of electronics." While banking and secure messages are the tip of the iceberg, Sailors said, he envisions AES on cellular phones too, playing into user paranoia over eavesdroppers. "Once you get it into one phone as a feature and a user can go into encrypted mode with a user on another similar model, everyone will rush in, and in 18 to 24 months everyone will have it and it'll become default," said Sailors. "Once that happens, every application, from video surveillance to smart cards to corporate security [will have it]."
Amphion took McCloone's original FPGA pipelined implementation and broke it out into standard, compact and fast versions, each with different size, cost, power and performance. The implementations range from 26-Gbit/s encryption for parallel servers down to 500-Mbit/s processing for handheld devices. "While this is adequate for mobile phones and PDAs," said Sailors, "as media data streams converge, you'll need the higher bandwidths." The 26-Mbit/s version is a TSMC 0.18-micron iteration for ASICs.
Intel's Kitchin argues that since AES is relatively straightforward to implement, Intel will do its AES in-house. But Sailors and Amphion's counterparts in the industry disagree. "It's all about time-to-market," said Helion's Durant. "It took us six months to do these cores, and we're not new to the business." Both Sailors and Durant argue that, given the range of applications AES is targeting, it doesn't make sense for manufacturers to roll their own.
"Our way is a cheaper way to go if someone wants to get up and running right away," said Durant. "Also, distilling the requirements, which are actually straightforward, from the specification is not so easy. That requires some heavy-duty math," he said. "It's easy to implement into a system once done, though. Buying the core allows the manufacturer to get on with their core competency."
Helion is a relative newcomer to IP, with just three people, all designers, on the payroll. "That's our strength," said Durant, "as we offer personal service. A customer talks to the actual designer."
But personal service isn't the only differentiator for Helion. The company distinguishes itself in how it actually implements AES. Where both Amphion and Germany's Sci-Works put both the encryption and the round-key generation on a single core, Helion splits this out into two separate cores "so you can eliminate the second through the use of host processing," said Durant.
In AES, the incoming key is expanded into a much larger data structure made up of round keys, each a 128-bit string of data that is fed into the algorithm at every step. Depending on whether the incoming key is 128, 192 or 256 bits, the number of rounds can be 10, 12 or 14.
Typically, the round-key generation is done on the same core as the algorithm. "However," said Durant, "there are cases where you don't need to change the round key very often, so we give the option of generating the keys in software using the host processor to run the expansion algorithm and store the round keys in RAM." That, Durant said, allows the elimination of the round-key core altogether.
In total, this leaves Helion's lowest gate count, with the encryption alone, at 8.5 kgates, vs. 18 kgates for Amphion's lowest-cost version.
"Even if you add on the 7 kgates for round-key generation, we're still only at 16 kgates," said Durant.