
Implementation and Comparison of OCB-AES128 and GCM-AES128 Using Xilinx FPGAs

Student: Anne-Marie Cressin
ECE 646 – Fall 2012 Hardware Project HW-4

1. List of Team Members
Anne-Marie Cressin

2. Exact Title
Implementation and comparison of OCB-AES128 and GCM-AES128 using Xilinx FPGAs

3. Introduction - Motivation
OCB and GCM are two distinct modes of operation for cryptographic block ciphers [1] [2]. Both modes provide confidentiality and authentication. However, of the two modes, NIST currently approves only GCM [3]. Only a few comparisons between OCB-AES and GCM-AES exist, and their conclusions do not converge [4]. This project will compare the maximum throughput to area ratio for a single stream of data for OCB-AES128 and GCM-AES128, on the same optimization target, under matching assumptions.

4. Design Entry Method
Language used: VHDL
Target Platform: Xilinx Spartan 3
CAD tools used to specify, implement and verify the design: Xilinx ISE, ISim (optional: ModelSim)

5. Additional Libraries and/or earlier developed codes to be used in the project
The source code for AES128 will be adapted from existing AES code available online at the ATHENa source code repository (George Mason University) [5] [6].

6. Assumptions
For performance comparison, ATHENa (“Automated Tool for Hardware EvaluatioN”), a tool developed by George Mason University and available online, will be used [7].

Hardware Project HW-4 1

7. Circuit Interface
Interface of OCB or GCM cores and typical configurations with surrounding input and output FIFOs.

The green arrows represent words. The blue arrows represent Boolean values.

8. References to the detailed descriptions of the implemented functions
Specifications for OCB3: The software performance of authenticated-encryption modes, Krovetz, T., Rogaway, P., March 2011 [8].
Specifications for GCM: The Galois/Counter Mode of Operation, McGrew, D., Viega, J., May 2005 [9].

9. List and initial analysis of similar designs
A few comparisons were made by Dave McGrew and Phillip Rogaway (the respective authors of GCM and OCB), others by Milind Parelkar (George Mason University, U.S.A.) [10] and Petr Svenda (Masaryk University, Czech Republic) [11].

10. Procedures for testing the functionality and performance of the circuits
Both modes of operation, OCB-AES128 and GCM-AES128, will have their implementations tested through simulations and comparison with known test vectors.

Their performance will be tested using the Athena tool (from George Mason University), which aims to perform “fair, comprehensive, and automated evaluation of cryptographic cores developed using hardware description languages, such as VHDL and Verilog.”
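As an added example (not part of this proposal or of the project's VHDL), the kind of software reference model used to check a GCM core's output against known test vectors: GHASH and the authentication tag in plain Python, verified against test cases 1 and 2 of the McGrew/Viega specification [9]. AES itself is left out; H = E_K(0^128) and E_K(J0) are the intermediate values the specification publishes for K = 0^128, IV = 0^96.

```python
# Added example: GHASH and GCM tag computation as a test-vector reference
# model. AES is omitted; H and E_K(J0) come from the GCM spec test vectors
# for K = 0^128, IV = 0^96 (test cases 1 and 2).
from typing import Iterable

# Reduction constant for x^128 + x^7 + x^2 + x + 1 in GCM's bit-reflected order.
R = 0xE1000000000000000000000000000000


def gf128_mul(x: int, y: int) -> int:
    """Multiply x by y in GF(2^128) using GCM's bit ordering (spec Algorithm 1)."""
    z, v = 0, x
    for i in range(128):
        if (y >> (127 - i)) & 1:   # bit i of y, leftmost bit first
            z ^= v
        v = (v >> 1) ^ R if v & 1 else v >> 1
    return z


def _blocks(data: bytes) -> Iterable[int]:
    """Split into 128-bit blocks, zero-padding the final partial block."""
    for off in range(0, len(data), 16):
        yield int.from_bytes(data[off:off + 16].ljust(16, b"\0"), "big")


def ghash(h: bytes, aad: bytes, ciphertext: bytes) -> bytes:
    """GHASH_H(A, C): absorb AAD blocks, ciphertext blocks, then the length block."""
    hk = int.from_bytes(h, "big")
    y = 0
    for blk in _blocks(aad):
        y = gf128_mul(y ^ blk, hk)
    for blk in _blocks(ciphertext):
        y = gf128_mul(y ^ blk, hk)
    length_block = ((len(aad) * 8) << 64) | (len(ciphertext) * 8)
    y = gf128_mul(y ^ length_block, hk)
    return y.to_bytes(16, "big")


def gcm_tag(h: bytes, ek_j0: bytes, aad: bytes, ciphertext: bytes) -> bytes:
    """Full 128-bit tag: T = GHASH_H(A, C) xor E_K(J0)."""
    return bytes(a ^ b for a, b in zip(ghash(h, aad, ciphertext), ek_j0))


# Spec test-vector constants (K = 0^128, IV = 0^96): H, E_K(J0), and the
# test case 2 ciphertext of one all-zero plaintext block.
H = bytes.fromhex("66e94bd4ef8a2c3b884cfa59ca342b2e")
EK_J0 = bytes.fromhex("58e2fccefa7e3061367f1d57a4e7455a")
C2 = bytes.fromhex("0388dace60b6a392f328c2b971b2fe78")

if __name__ == "__main__":
    print("test case 1 tag:", gcm_tag(H, EK_J0, b"", b"").hex())
    print("test case 2 tag:", gcm_tag(H, EK_J0, b"", C2).hex())
```

Once the VHDL core is simulated, the same intermediate values (X_i, GHASH output, tag) can be compared block by block against this model rather than only the final tag.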

11. Plan of simulation experiments to be performed using the circuits. Plans regarding verification of the designs using prototyping boards
The formula for execution time (in clock cycles) will be confirmed using functional simulation. The minimum clock period returned by the tools will be confirmed using timing simulation.


12. Time Schedule

Oct. 15-17 Understand in depth OCB and GCM. Respective block diagrams finalized. AES128 core code ready and tested. Understand OCB C or Ruby source code. All VHDL files must be drafted.

Oct. 29-31 GCM and OCB VHDL code for encryption written 70%. Athena tool installed and tested.

Nov. 12-14 GCM and OCB VHDL code finished. Simulation, verification in progress. Compute formulas for execution time in clock cycles. Draft of Project Report.

Nov. 26-28 Project report to submit, due Nov. 27th. Prepare for oral presentation. Make slide presentation.

Dec. 4-7 Oral presentation on Dec. 4th. Final project Report due Dec. 7th.


13. Possible areas where the specification can change depending on project progress
Performance while varying clock frequencies for a single mode of operation may be investigated if the VHDL code is only fully functional for one particular mode (GCM or OCB).

14. Tentative table of contents

1. Introduction

1.1 Overview of GCM mode

1.2 Overview of OCB mode

2. Implementations of both modes

2.1 Datapath (block diagram)

2.2 Controller (top-level ASM chart)

2.3 Initialization, Assumptions, Test Vectors

2.4 Execution time, minimum clock period formulas inferred

3. Comparison of maximum throughput to area ratio for a single stream of data

3.1 Comparison Setup

3.1.1 Testbench

3.1.2 Athena Configuration

3.2 Table of results

3.3 Interpretation of results

4. Conclusion


15. List of Literature

1. The Galois/Counter Mode, Wikipedia, available at http://en.wikipedia.org/wiki/Galois/Counter_Mode
2. The Offset Codebook Mode, Wikipedia, available at http://en.wikipedia.org/wiki/OCB_mode
3. Block Cipher Modes, NIST, available at http://csrc.nist.gov/groups/ST/toolkit/BCM/index.html
4. The evolution of , Rogaway, P., DIAC 2012 presentation, available at http://hyperelliptic.org/DIAC/
5. Source code for SHA-3 Round 3 Candidates & SHA-2, ATHENa GMU website, available at http://cryptography.gmu.edu/athena/index.php?id=source_codes
6. NIST, FIPS Publication 197, Specification for the Advanced Encryption Standard (AES), November 26, 2001, available at http://csrc.nist.gov/encryption/aes/
7. ATHENa: Automated Tool for Hardware EvaluatioN, George Mason University, available at http://cryptography.gmu.edu/athena/index.php?id=about
8. The software performance of authenticated-encryption modes, Krovetz, T., Rogaway, P., March 2011, available at http://www.cs.ucdavis.edu/~rogaway/papers/ae.pdf
9. The Galois/Counter Mode of Operation, McGrew, D., Viega, J., May 2005, available at http://www.mindspring.com/~dmcgrew/gcm-nist-6.pdf
10. Authenticated Encryption in Hardware, Parelkar, M., 2005, available at http://ece.gmu.edu/crypto_resources/web_resources/theses/GMU_theses/Parelkar/Parelkar_Fall_2005.pdf
11. Basic Comparisons of Modes for Authenticated Encryption, Svenda, P., 2004, available at http://www.fi.muni.cz/~xsvenda/docs/AE_comparison_ipics04.pdf
